From 823ee0129509a87f12c81118f33da50ef826939e Mon Sep 17 00:00:00 2001
From: "data-plane-api(CircleCI)"
Date: Mon, 9 Mar 2020 20:31:30 +0000
Subject: [PATCH] aws_request_signing: a few fixes (#10280)
There were a few things missing to make this filter work with S3:
* empty body requests (e.g.: GET) still need a sha256 content header (the empty string hash)
* requests for s3 shouldn't sign all headers (especially because some of them might change, e.g.: x-forwarded-for)
* when proxying requests to s3, HCM's host rewrite won't work so support it as a filter config option
* ditto for prefix rewrite
Signed-off-by: Raul Gutierrez Segales
Mirrored from https://github.com/envoyproxy/envoy @ 28f33a776960dd717d4b57da73b0dbce7dbb3e85
---
 .../v2alpha/aws_request_signing.proto | 11 +++++++++++
 .../aws_request_signing/v3/aws_request_signing.proto | 11 +++++++++++
 2 files changed, 22 insertions(+)
diff --git a/envoy/config/filter/http/aws_request_signing/v2alpha/aws_request_signing.proto b/envoy/config/filter/http/aws_request_signing/v2alpha/aws_request_signing.proto
index 99e617ac..40e0bd9f 100644
--- a/envoy/config/filter/http/aws_request_signing/v2alpha/aws_request_signing.proto
+++ b/envoy/config/filter/http/aws_request_signing/v2alpha/aws_request_signing.proto
@@ -29,4 +29,15 @@ message AwsRequestSigning {
 //
 // Example: us-west-2
 string region = 2 [(validate.rules).string = {min_bytes: 1}];
+
+ // Indicates that before signing headers, the host header will be swapped with
+ // this value. If not set or empty, the original host header value
+ // will be used and no rewrite will happen.
+ //
+ // Note: this rewrite affects both signing and host header forwarding. However, this
+ // option shouldn't be used with
+ // :ref:`HCM host rewrite ` given that the
+ // value set here would be used for signing whereas the value set in the HCM would be used
+ // for host header forwarding which is not the desired outcome.
+ string host_rewrite = 3;
 }
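Review bot: `host_rewrite` is added with no `validate.rules` constraint, both here and in the identical v3 hunk, even though the neighbouring `region` field is validated and this value replaces the Host header that is signed and forwarded upstream. A value containing control characters or other bytes that are invalid in a header would be caught only at runtime, if at all, so rejecting it at config load is safer: `string host_rewrite = 3 [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}];`, assuming the vendored protoc-gen-validate supports that rule. The comment could also state the expected form of the value (a bare host name, with or without a port), since the signature is computed over exactly this string. The commit message also mentions a prefix rewrite option, but neither hunk adds a field for it. The `AwsRequestSigning` message starts outside the hunk, so the proto-level validation of its other fields is not visible here.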
diff --git a/envoy/extensions/filters/http/aws_request_signing/v3/aws_request_signing.proto b/envoy/extensions/filters/http/aws_request_signing/v3/aws_request_signing.proto
index 39440669..e46ef317 100644
--- a/envoy/extensions/filters/http/aws_request_signing/v3/aws_request_signing.proto
+++ b/envoy/extensions/filters/http/aws_request_signing/v3/aws_request_signing.proto
@@ -31,4 +31,15 @@ message AwsRequestSigning {
 //
 // Example: us-west-2
 string region = 2 [(validate.rules).string = {min_bytes: 1}];
+
+ // Indicates that before signing headers, the host header will be swapped with
+ // this value. If not set or empty, the original host header value
+ // will be used and no rewrite will happen.
+ //
+ // Note: this rewrite affects both signing and host header forwarding. However, this
+ // option shouldn't be used with
+ // :ref:`HCM host rewrite ` given that the
+ // value set here would be used for signing whereas the value set in the HCM would be used
+ // for host header forwarding which is not the desired outcome.
+ string host_rewrite = 3;
 }