Support extracting STS host region from authorization header

CHANGELOG.md

@@ -9,19 +9,20 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Nothing should go in this section, please add to the latest unreleased version
   (and update the corresponding date), or add a new version.
 
-## [1.19.5] - 2023-05-16
+## [1.19.4] - 2023-06-14
 
 ### Security
 - Update bundler to 2.2.33 to remove CVE-2021-43809
   [cyberark/conjur#2804](https://github.com/cyberark/conjur/pull/2804/files)
 
 ### Fixed
+- Support Authn-IAM case where host value is missing from signed headers.
+  [cyberark/conjur#2827](https://github.com/cyberark/conjur/pull/2827)
 - AuthnJWT now supports claims that include hyphens and inline namespaces.
   [cyberark/conjur#2792](https://github.com/cyberark/conjur/pull/2792)
 - Authn-IAM now uses the host in the signed headers to determine which STS endpoint
   (global or regional) to use for validation.
-
-## [1.19.4] - 2023-05-12
+  [cyberark/conjur#2808](https://github.com/cyberark/conjur/pull/2808)
 
 ### Changed
 - OIDC tokens will now have a default ttl of 60 mins

app/domain/authentication/authn_iam/authenticator.rb

@@ -54,7 +54,27 @@ def extract_relevant_data(response)
 
       # Call to AWS STS endpoint using the provided authentication header
       def attempt_signed_request(signed_headers)
-        aws_request = URI("https://#{signed_headers['host']}/?Action=GetCallerIdentity&Version=2011-06-15")
+        sts_host = signed_headers['host'] || extract_sts_host(signed_headers)
+        aws_request = URI("https://#{sts_host}/?Action=GetCallerIdentity&Version=2011-06-15")
+        begin
+          response = @client.get_response(aws_request, signed_headers)
+          return response unless response.code.to_i == 403 && sts_host.include?('us-east-1')
+
+          # If the request to `us-east-1` failed with a 403, retry on the global endpoint
+          retry_signed_request_on_global(signed_headers)
+
+          # Handle any network failures with a generic verification error
+        rescue StandardError => e
+          raise(Errors::Authentication::AuthnIam::VerificationError.new(e))
+        end
+      end
+
+      # Retry request on AWS STS global endpoint
+      def retry_signed_request_on_global(signed_headers)
+        @logger.debug(
+          LogMessages::Authentication::AuthnIam::RetryWithGlobalEndpoint.new
+        )
+        aws_request = URI('https://sts.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15')
         begin
           @client.get_response(aws_request, signed_headers)
 
@@ -76,6 +96,14 @@ def response_from_signed_request(aws_headers)
           body.dig('ErrorResponse', 'Error', 'Message').to_s.strip
         )
       end
+
+      # Extract AWS region from the authorization header's credential string, i.e.:
+      # Credential=AKIAIOSFODNN7EXAMPLE/20220830/us-east-1/sts/aws4_request
+      def extract_sts_host(signed_headers)
+        region = signed_headers['authorization'].match(%r{Credential=[^/]+/[^/]+/([^/]+)/})&.captures&.first
+        raise(Errors::Authentication::AuthnIam::InvalidAWSHeaders, 'Failed to extract AWS region from authorization header') unless region
+        "sts.#{region}.amazonaws.com"
+      end
     end
   end
 end

app/domain/logs.rb

@@ -282,6 +282,11 @@ module AuthnIam
         code: "CONJ00036D"
       )
 
+      RetryWithGlobalEndpoint = ::Util::TrackableLogMessageClass.new(
+        msg: "Retrying IAM request signed in 'us-east-1' region with global STS endpoint.",
+        code: "CONJ00043D"
+      )
+
     end
 
     module AuthnAzure

config/environments/development.rb

@@ -15,7 +15,7 @@
   # https://guides.rubyonrails.org/configuring.html#actiondispatch-hostauthorization
 
   # Accept multiple hosts for parallel tests
-  config.hosts << /^conjur[0-9]*$/
+  config.hosts << /conjur[0-9]*/
 
   # eager_load needed to make authentication work without the hacky
   # loading code...