diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1e608f77be..3fcd614c95 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,12 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
- Nothing should go in this section, please add to the latest unreleased version
(and update the corresponding date), or add a new version.
+## [1.19.6] - 2023-07-05
+
+### Fixed
+- Support Authn-IAM regional requests when host value is missing from signed headers.
+ [cyberark/conjur#2827](https://github.com/cyberark/conjur/pull/2827)
+
## [1.19.5] - 2023-06-29
### Security
diff --git a/app/domain/authentication/authn_iam/authenticator.rb b/app/domain/authentication/authn_iam/authenticator.rb
index 5fab2f3c89..cb83428a18 100755
--- a/app/domain/authentication/authn_iam/authenticator.rb
+++ b/app/domain/authentication/authn_iam/authenticator.rb
@@ -54,13 +54,34 @@ def extract_relevant_data(response)
# Call to AWS STS endpoint using the provided authentication header
def attempt_signed_request(signed_headers)
- aws_request = URI("https://#{signed_headers['host']}/?Action=GetCallerIdentity&Version=2011-06-15")
- begin
- @client.get_response(aws_request, signed_headers)
+ region = extract_sts_region(signed_headers)
+
+ # Attempt request using the discovered region and return immediately if successful
+ response = aws_call(region: region, headers: signed_headers)
+ return response if response.code.to_i == 200
+
+ # If the discovered region is `us-east-1`, fallback to the global endpoint
+ if region == 'us-east-1'
+ @logger.debug(LogMessages::Authentication::AuthnIam::RetryWithGlobalEndpoint.new)
+ fallback_response = aws_call(region: 'global', headers: signed_headers)
+ return fallback_response if fallback_response.code.to_i == 200
+ end
- # Handle any network failures with a generic verification error
+ return response
+ end
+
+ def aws_call(region:, headers:)
+ host = if region == 'global'
+ 'sts.amazonaws.com'
+ else
+ "sts.#{region}.amazonaws.com"
+ end
+ aws_request = URI("https://#{host}/?Action=GetCallerIdentity&Version=2011-06-15")
+ begin
+ @client.get_response(aws_request, headers)
rescue StandardError => e
- raise(Errors::Authentication::AuthnIam::VerificationError.new(e))
+ # Handle any network failures with a generic verification error
+ raise(Errors::Authentication::AuthnIam::VerificationError, e)
end
end
@@ -76,6 +97,25 @@ def response_from_signed_request(aws_headers)
body.dig('ErrorResponse', 'Error', 'Message').to_s.strip
)
end
+
+ # Extracts the STS region from the host header if it exists.
+ # If not, we use the authorization header's credential string, i.e.:
+ # Credential=AKIAIOSFODNN7EXAMPLE/20220830/us-east-1/sts/aws4_request
+ def extract_sts_region(signed_headers)
+ host = signed_headers['host']
+
+ if host == 'sts.amazonaws.com'
+ return 'global'
+ end
+
+ match = host&.match(%r{sts.([\w\-]+).amazonaws.com})
+ return match.captures.first if match
+
+ match = signed_headers['authorization']&.match(%r{Credential=[^/]+/[^/]+/([^/]+)/})
+ return match.captures.first if match
+
+ raise Errors::Authentication::AuthnIam::InvalidAWSHeaders, 'Failed to extract AWS region from authorization header'
+ end
end
end
end
diff --git a/app/domain/logs.rb b/app/domain/logs.rb
index a49d897f2a..e4d07baf4a 100644
--- a/app/domain/logs.rb
+++ b/app/domain/logs.rb
@@ -282,6 +282,11 @@ module AuthnIam
code: "CONJ00036D"
)
+ RetryWithGlobalEndpoint = ::Util::TrackableLogMessageClass.new(
+ msg: "Retrying IAM request signed in 'us-east-1' region with global STS endpoint.",
+ code: "CONJ00043D"
+ )
+
end
module AuthnAzure
diff --git a/config/environments/development.rb b/config/environments/development.rb
index d3b9a48acb..e6ba5ad073 100644
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -15,7 +15,7 @@
# https://guides.rubyonrails.org/configuring.html#actiondispatch-hostauthorization
# Accept multiple hosts for parallel tests
- config.hosts << /^conjur[0-9]*$/
+ config.hosts << /conjur[0-9]*/
# eager_load needed to make authentication work without the hacky
# loading code...
diff --git a/dev/start b/dev/start
index 3892ace601..7de9734fc5 100755
--- a/dev/start
+++ b/dev/start
@@ -4,10 +4,6 @@
set -ex
set -o pipefail
-# CC servers can't find it for some reason. Local shellcheck is fine.
-# shellcheck disable=SC1091
-source "../ci/oauth/keycloak/keycloak_functions.sh"
-
# SCRIPT GLOBAL STATE
# Set up VERSION file for local development
@@ -229,7 +225,14 @@ configure_oidc_authenticators() {
}
setup_keycloak() {
- # Start keycloak docker compose service
+
+ pushd "../ci"
+ # CC servers can't find it for some reason. Local shellcheck is fine.
+ # shellcheck disable=SC1091
+ source "oauth/keycloak/keycloak_functions.sh"
+ popd
+
+ # Start keycloak docker-compose service
services+=(keycloak)
docker compose up -d --no-deps "${services[@]}"
diff --git a/spec/app/domain/authentication/authn_iam/authenticator_spec.rb b/spec/app/domain/authentication/authn_iam/authenticator_spec.rb
index 0eadf4f528..e38b792544 100644
--- a/spec/app/domain/authentication/authn_iam/authenticator_spec.rb
+++ b/spec/app/domain/authentication/authn_iam/authenticator_spec.rb
@@ -9,6 +9,8 @@
# Good headers
let(:valid_global_headers) { '{"host":"sts.amazonaws.com","x-amz-date":"20230518T152525Z","x-amz-security-token":"IQoJb3JpZ2luX2VjEDcaDGV1LWNlbnRyYWwtMSJGMEQCIB7Inb5Q2L+Tu0nDM6KpYkqjXetnd6Eizw9gt3c27+okAiBJHE59aL6HuIszrEmk7/SaclqSmEZ5xUmEJ10Hla8PYyq8BQhgEAMaDDE4ODk0NTc2OTAwOCIMg1WLlzrcLY1FHaQKKpkFcEmdxNL2sGdxHOhoLv5hf0pQsOhWciwMgGhGpSUM7gXSG6Z8Rqv7q1rqgl04BjxLZshOOJYdIfUjUNccgiWBofjRYNH5SGeuLuu7XfrtmGmToPSejG5vY76PFXyef4bRNpgkB2aTRjRIg/fInQF0y2oILUSbX4nUcvcJJpss7VnpGRgGqGE+HtatAnfAn0cVoPHs/I2oZslP9y2IVVAEbCxKhYUcHniCJzrmTrppczyd8bwC36wdhcN88YtUES3Z0sS9Ho3JcLbxeAnoqkuPng1VYLAt5uELOqqYWSsdqVFwc+PJ5JoBAJSab1dyPp/YhTg+Lp8pYm/cgSR4lygqgeElL+30tI77GFuMdxdnWymk1mvXtcr0Q/eOMpAETohivAEW+m4CglAEF3VTdLQXODKCvxsiUmsN5AanX7eKGeHPfy/mcM/srWWkVNeRk//DLFNSgfiaeBQeUpzRDEgVpweA4tf5xjW8oUxp9hK9Q872dxgye07bFLNXbyqK9NPAGIcD4/7Tw73kPxYSvZ+7wajgkGdcuIz91GR973QG2k5e82PwiiROOm8qEJo7QzPX6hF5s//qSnKr0vGo4tBrewKvQVjhafdf+B0b44jgw7kIsUkAYz/1HY2PPQVvVn5DayO7VxCTTd+VrQScr22ExOucIKEw30j5hCkhRnUMS6MAjsYwclSbPuUeZ8rVvFQSEoC37SQZP13OVphFNUUFVhZJU5kYd9BvaFhPO0F54XJq1Gu/biMJFumHj2lz5TadSXxyJwSJkfqE53B9b6Sc1RB7O4AckozmH/pm46fJpD5sq7RLQg9YLA//fi+EoBwqbiskCz7WRsCh/Q2l/dmA9kAPPVatqkagVdcJKAJNl8W4Y9nm9MBhdFIw4PeYowY6sgF2td8Xkg0E4ClmQ3CoGWO+TTWmiWwN0BAcKD5prq3V9qmn3SXnzLUO02k0gC4RsdGUCSiByzNHL3mG+G7l8MEZ8TmZQ+ZCgtlnvLYsdECiT+7tcrwN8Zpiu0BKcAWSV8Mg5/D0HYfDTFAv7jgqXuL+uruLJw4xzZCoWc5Ru1Mhprl4NF8T9Am2RyEEEO9rjveQCWpzaZmyvx/MS4isoqhC2KGeJEyeulk2XE0mXO6TZz9c","x-amz-content-sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","authorization":"AWS4-HMAC-SHA256 Credential=ASIASX7QLUIYGDI4QX56/20230518/us-east-1/sts/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-security-token, Signature=81b929060b45f05470c9f542a9e46cdce51d37c1d22a58d1942b7fa175079af5"}' }
let(:valid_regional_headers) { '{"host":"sts.eu-central-1.amazonaws.com","x-amz-date":"20230518T152442Z","x-amz-security-token":"IQoJb3JpZ2luX2VjEDcaDGV1LWNlbnRyYWwtMSJGMEQCIB7Inb5Q2L+Tu0nDM6KpYkqjXetnd6Eizw9gt3c27+okAiBJHE59aL6HuIszrEmk7/SaclqSmEZ5xUmEJ10Hla8PYyq8BQhgEAMaDDE4ODk0NTc2OTAwOCIMg1WLlzrcLY1FHaQKKpkFcEmdxNL2sGdxHOhoLv5hf0pQsOhWciwMgGhGpSUM7gXSG6Z8Rqv7q1rqgl04BjxLZshOOJYdIfUjUNccgiWBofjRYNH5SGeuLuu7XfrtmGmToPSejG5vY76PFXyef4bRNpgkB2aTRjRIg/fInQF0y2oILUSbX4nUcvcJJpss7VnpGRgGqGE+HtatAnfAn0cVoPHs/I2oZslP9y2IVVAEbCxKhYUcHniCJzrmTrppczyd8bwC36wdhcN88YtUES3Z0sS9Ho3JcLbxeAnoqkuPng1VYLAt5uELOqqYWSsdqVFwc+PJ5JoBAJSab1dyPp/YhTg+Lp8pYm/cgSR4lygqgeElL+30tI77GFuMdxdnWymk1mvXtcr0Q/eOMpAETohivAEW+m4CglAEF3VTdLQXODKCvxsiUmsN5AanX7eKGeHPfy/mcM/srWWkVNeRk//DLFNSgfiaeBQeUpzRDEgVpweA4tf5xjW8oUxp9hK9Q872dxgye07bFLNXbyqK9NPAGIcD4/7Tw73kPxYSvZ+7wajgkGdcuIz91GR973QG2k5e82PwiiROOm8qEJo7QzPX6hF5s//qSnKr0vGo4tBrewKvQVjhafdf+B0b44jgw7kIsUkAYz/1HY2PPQVvVn5DayO7VxCTTd+VrQScr22ExOucIKEw30j5hCkhRnUMS6MAjsYwclSbPuUeZ8rVvFQSEoC37SQZP13OVphFNUUFVhZJU5kYd9BvaFhPO0F54XJq1Gu/biMJFumHj2lz5TadSXxyJwSJkfqE53B9b6Sc1RB7O4AckozmH/pm46fJpD5sq7RLQg9YLA//fi+EoBwqbiskCz7WRsCh/Q2l/dmA9kAPPVatqkagVdcJKAJNl8W4Y9nm9MBhdFIw4PeYowY6sgF2td8Xkg0E4ClmQ3CoGWO+TTWmiWwN0BAcKD5prq3V9qmn3SXnzLUO02k0gC4RsdGUCSiByzNHL3mG+G7l8MEZ8TmZQ+ZCgtlnvLYsdECiT+7tcrwN8Zpiu0BKcAWSV8Mg5/D0HYfDTFAv7jgqXuL+uruLJw4xzZCoWc5Ru1Mhprl4NF8T9Am2RyEEEO9rjveQCWpzaZmyvx/MS4isoqhC2KGeJEyeulk2XE0mXO6TZz9c","x-amz-content-sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","authorization":"AWS4-HMAC-SHA256 Credential=ASIASX7QLUIYGDI4QX56/20230518/eu-central-1/sts/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-security-token, Signature=8e0bebec9a3ce860b4595a4b27710da558a157a711e2dcbfe3a86881af99c459"}' }
+ let(:valid_global_headers_no_host) { '{"Authorization":"AWS4-HMAC-SHA256 Credential=ASIAYNRQATHTPJYFX7PM/20230613/us-east-1/sts/aws4_request, SignedHeaders=host;x-amz-date;x-amz-security-token, Signature=e81afd905d5131d697e33ad38a5eff72789ed3e6b5e61d694212fbfe09684a73","X-Amz-Date":"20230613T204702Z","X-Amz-Security-Token":"FwoGZXIvYXdzEL7//////////wEaDG6/NsUxeWDT4wob/iKyAbExJrQ9Qr0pVX3lkwxaYwvssq/xFKk7Iu8w5uQsbsjZtqz7s8oNBfjuR/J7rRvDiFk4pyTICA9vzFEpNK1f4U3hfDslZFKhkeGgnY5jA2RLOlffE51tmvMr+KN6AJPJ+drAI5+K1Kn1G8Aiy5lsBHzEc0HR1Ji8zjujaqOWpZKYVC1MgIQt+l9eRdZTHBI/yb0fm32ZGxu/jMPZsa/kdGoDuAMd4pCZPnkaSnPgCNjJq5IoxqujpAYyLTMzCd3aidLr/ziL8UyEUbGJhglnhYEsDKp/ErjfnvoadZEuFIIpBKHbM01Igg=="}' }
+ let(:valid_regional_headers_no_host) { '{"Authorization":"AWS4-HMAC-SHA256 Credential=ASIAYNRQATHTEQFKJN2P/20230613/us-east-1/sts/aws4_request, SignedHeaders=host;x-amz-date;x-amz-security-token, Signature=38f8b60e4cbee78d55f379646e4fde87439ce0e43cd4cae38e3d2e295ebcfc58","X-Amz-Date":"20230613T204734Z","X-Amz-Security-Token":"FwoGZXIvYXdzEL7//////////wEaDAHHPZ7NyIBlfbsv4iKyATWQ4LpJCG6fsa1UR0jYrTMF0FSxCu/otBw8qZNNljSWHaEIkh/h3GfImEJjYXytE3N92XPXahQomVErEpcyOBO3M/FDbMKZ7tlTD1V5Rr8ZgMG6tOLCL4eCKq2IbugKBZo1Bw8OxC20sjZWNL44Z/8Lt6LkOsHJBiN1wEAEtT5Wrt5Jc0Qs8oU8xV6RHpQRfOOM6V1BnqDjrnJG3cUguotSpfR2RyskUZNr+lRg+MfJOJ8o5qujpAYyLew0iNCK3nlXngTuzSo6M3rPAKQhbK1tCvKSIMk6SqrHThyfAebPucCZx/XbbA=="}' }
# Bad headers
let(:expired_headers) { '{"host":"sts.eu-central-1.amazonaws.com","x-amz-date":"20230518T152442Z","x-amz-security-token":"IQoJb3JpZ2luX2VjEDcaDGV1LWNlbnRyYWwtMSJGMEQCIB7Inb5Q2L+Tu0nDM6KpYkqjXetnd6Eizw9gt3c27+okAiBJHE59aL6HuIszrEmk7/SaclqSmEZ5xUmEJ10Hla8PYyq8BQhgEAMaDDE4ODk0NTc2OTAwOCIMg1WLlzrcLY1FHaQKKpkFcEmdxNL2sGdxHOhoLv5hf0pQsOhWciwMgGhGpSUM7gXSG6Z8Rqv7q1rqgl04BjxLZshOOJYdIfUjUNccgiWBofjRYNH5SGeuLuu7XfrtmGmToPSejG5vY76PFXyef4bRNpgkB2aTRjRIg/fInQF0y2oILUSbX4nUcvcJJpss7VnpGRgGqGE+HtatAnfAn0cVoPHs/I2oZslP9y2IVVAEbCxKhYUcHniCJzrmTrppczyd8bwC36wdhcN88YtUES3Z0sS9Ho3JcLbxeAnoqkuPng1VYLAt5uELOqqYWSsdqVFwc+PJ5JoBAJSab1dyPp/YhTg+Lp8pYm/cgSR4lygqgeElL+30tI77GFuMdxdnWymk1mvXtcr0Q/eOMpAETohivAEW+m4CglAEF3VTdLQXODKCvxsiUmsN5AanX7eKGeHPfy/mcM/srWWkVNeRk//DLFNSgfiaeBQeUpzRDEgVpweA4tf5xjW8oUxp9hK9Q872dxgye07bFLNXbyqK9NPAGIcD4/7Tw73kPxYSvZ+7wajgkGdcuIz91GR973QG2k5e82PwiiROOm8qEJo7QzPX6hF5s//qSnKr0vGo4tBrewKvQVjhafdf+B0b44jgw7kIsUkAYz/1HY2PPQVvVn5DayO7VxCTTd+VrQScr22ExOucIKEw30j5hCkhRnUMS6MAjsYwclSbPuUeZ8rVvFQSEoC37SQZP13OVphFNUUFVhZJU5kYd9BvaFhPO0F54XJq1Gu/biMJFumHj2lz5TadSXxyJwSJkfqE53B9b6Sc1RB7O4AckozmH/pm46fJpD5sq7RLQg9YLA//fi+EoBwqbiskCz7WRsCh/Q2l/dmA9kAPPVatqkagVdcJKAJNl8W4Y9nm9MBhdFIw4PeYowY6sgF2td8Xkg0E4ClmQ3CoGWO+TTWmiWwN0BAcKD5prq3V9qmn3SXnzLUO02k0gC4RsdGUCSiByzNHL3mG+G7l8MEZ8TmZQ+ZCgtlnvLYsdECiT+7tcrwN8Zpiu0BKcAWSV8Mg5/D0HYfDTFAv7jgqXuL+uruLJw4xzZCoWc5Ru1Mhprl4NF8T9Am2RyEEEO9rjveQCWpzaZmyvx/MS4isoqhC2KGeJEyeulk2XE0mXO6TZz9c","x-amz-content-sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","authorization":"AWS4-HMAC-SHA256 Credential=ASIASX7QLUIYGDI4QX56/20230518/eu-central-1/sts/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-security-token, Signature=8e0bebec9a3ce860b4595a4b27710da558a157a711e2dcbfe3a86881af99c459"}' }
@@ -16,6 +18,7 @@
let(:different_signing_request_verb) { '{"host":"sts.amazonaws.com","x-amz-date":"20230518T153042Z","x-amz-security-token":"IQoJb3JpZ2luX2VjEDcaDGV1LWNlbnRyYWwtMSJGMEQCIB7Inb5Q2L+Tu0nDM6KpYkqjXetnd6Eizw9gt3c27+okAiBJHE59aL6HuIszrEmk7/SaclqSmEZ5xUmEJ10Hla8PYyq8BQhgEAMaDDE4ODk0NTc2OTAwOCIMg1WLlzrcLY1FHaQKKpkFcEmdxNL2sGdxHOhoLv5hf0pQsOhWciwMgGhGpSUM7gXSG6Z8Rqv7q1rqgl04BjxLZshOOJYdIfUjUNccgiWBofjRYNH5SGeuLuu7XfrtmGmToPSejG5vY76PFXyef4bRNpgkB2aTRjRIg/fInQF0y2oILUSbX4nUcvcJJpss7VnpGRgGqGE+HtatAnfAn0cVoPHs/I2oZslP9y2IVVAEbCxKhYUcHniCJzrmTrppczyd8bwC36wdhcN88YtUES3Z0sS9Ho3JcLbxeAnoqkuPng1VYLAt5uELOqqYWSsdqVFwc+PJ5JoBAJSab1dyPp/YhTg+Lp8pYm/cgSR4lygqgeElL+30tI77GFuMdxdnWymk1mvXtcr0Q/eOMpAETohivAEW+m4CglAEF3VTdLQXODKCvxsiUmsN5AanX7eKGeHPfy/mcM/srWWkVNeRk//DLFNSgfiaeBQeUpzRDEgVpweA4tf5xjW8oUxp9hK9Q872dxgye07bFLNXbyqK9NPAGIcD4/7Tw73kPxYSvZ+7wajgkGdcuIz91GR973QG2k5e82PwiiROOm8qEJo7QzPX6hF5s//qSnKr0vGo4tBrewKvQVjhafdf+B0b44jgw7kIsUkAYz/1HY2PPQVvVn5DayO7VxCTTd+VrQScr22ExOucIKEw30j5hCkhRnUMS6MAjsYwclSbPuUeZ8rVvFQSEoC37SQZP13OVphFNUUFVhZJU5kYd9BvaFhPO0F54XJq1Gu/biMJFumHj2lz5TadSXxyJwSJkfqE53B9b6Sc1RB7O4AckozmH/pm46fJpD5sq7RLQg9YLA//fi+EoBwqbiskCz7WRsCh/Q2l/dmA9kAPPVatqkagVdcJKAJNl8W4Y9nm9MBhdFIw4PeYowY6sgF2td8Xkg0E4ClmQ3CoGWO+TTWmiWwN0BAcKD5prq3V9qmn3SXnzLUO02k0gC4RsdGUCSiByzNHL3mG+G7l8MEZ8TmZQ+ZCgtlnvLYsdECiT+7tcrwN8Zpiu0BKcAWSV8Mg5/D0HYfDTFAv7jgqXuL+uruLJw4xzZCoWc5Ru1Mhprl4NF8T9Am2RyEEEO9rjveQCWpzaZmyvx/MS4isoqhC2KGeJEyeulk2XE0mXO6TZz9c","x-amz-content-sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","authorization":"AWS4-HMAC-SHA256 Credential=ASIASX7QLUIYGDI4QX56/20230518/us-east-1/sts/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-security-token, Signature=bd7f1e549999b6854adfb7c35e344efa38d74bac1c9078fbc34f71f4ff90173b"}' }
let(:global_non_global_signer) { '{"host":"sts.amazonaws.com","x-amz-date":"20230518T155824Z","x-amz-security-token":"IQoJb3JpZ2luX2VjEDgaDGV1LWNlbnRyYWwtMSJIMEYCIQDQLBDLt5kNEEj40A2gX/kurzw9AAwYKnJIjQSrXGynmQIhAINJPoMDfHiSe6Bjzuwc9lwbe/iUPkVUUClFbUicPhNtKrwFCGEQAxoMMTg4OTQ1NzY5MDA4IgyYkP5L6wWxumObWPQqmQXd1mkF8hU1CCkhdJdc73vLVnGFvGbqru9SpzDIkbo0/syIZR7pjEoPTw/sUxFa/jYgcRrDh9bUmTBT7zU2/HDJRrwZfNgu9PPEtRGkIUOYri8muc0X8yLnHlk/5jvpwU5RY2uUoTZt+pvgm8jOHi/lkrtPx8uiQeEOeBkKe/DA2tFfHeVrC9OPkWQkjm0k9nsDggpwy9jf+RbzeSRb6Tyg4WWplDKW+a7VhBpBs1cNGGx9um590gpgpxaC93CIAtxI+iOxreH+xofhrJAPirms1yR4f5GD+glhr/mpCdclX0Eehvb+nxosnYKMh8XvlKR1GzP/PtqGCCRMpCByPmiXtotOMEQv96QGGs0/A8vdiktjJuGbjSQxKvw1UNG5Cxrb7DRqexPoILxoZAICSiFDK2vPPl2ePTWrk3MFxBKj+UK2VihhE1fpnZ7UXrVmQAUzNtDTdaaTcWy2ZTf4oAcRkUsYUl1BOIQYEcI0LmpCkqHb51ANbPO9bFxLAGTUuV9AMSRcrEojiFlxl+yiK5lPygJzrbRQBhnh3srxoHjfN5KvgVf0PqS3HUWIX/eknhBTJbhPO9d7me1/rTudqFd1dLEEiTJbN6KGF0vZvAgnahcoA4YSxLhG/EkNdOKbS/lJOUeysN/l/3L19RuWX9gd2Pc2FD7KWM6mzNAFIi8OAIChTnhZO7a6lcYZb+5uY+5N3Oh2Qthx7cc5k0DGQXX2FGYQgQKY9MWQo6s3Z2DwfNDddgYEM2clnnNPP+lNU7evdCsDb4/QPyDv+l14Tmdz2adhcsi4hkX9YGaCko6S6tdPI1fURyTkCKfUJ643ZNXyqmx4vRPupO2ukJArh7piCas8+B4FsScjD1sD3dH9aVwa2sI1tVed9zCclpmjBjqwATqNRvOZinA+mqThE4YjTVliRSaqNG6UsCq/x3f6R5/KBMacp4f0nZuXTOfvNgiFHju/m1paGf8JwylAkKummhneSOoZAbQ16dQhDu3ejZydbj5nRkTC/1VT87SFf+S+k66J8ycfIs2nkwlIvHWo+TbD36fBcTNq69BtAvluRRIH77zXg60zBK5KmmtKUbeayHVZngjZt/u3ezrRGuLu9TUCYtWMY0VVKyYUX36MykWY","x-amz-content-sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","authorization":"AWS4-HMAC-SHA256 Credential=ASIASX7QLUIYGFOUEXPF/20230518/eu-north-1/sts/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-security-token, Signature=e643e2bb5d737954951f34ff67c4a11e00d022b402579f85ff9d99a5f70cbc53"}' }
let(:regional_headers_signed_for_another_region) { '{"host":"sts.us-west-1.amazonaws.com","x-amz-date":"20230518T160804Z","x-amz-security-token":"IQoJb3JpZ2luX2VjEDgaDGV1LWNlbnRyYWwtMSJIMEYCIQDQLBDLt5kNEEj40A2gX/kurzw9AAwYKnJIjQSrXGynmQIhAINJPoMDfHiSe6Bjzuwc9lwbe/iUPkVUUClFbUicPhNtKrwFCGEQAxoMMTg4OTQ1NzY5MDA4IgyYkP5L6wWxumObWPQqmQXd1mkF8hU1CCkhdJdc73vLVnGFvGbqru9SpzDIkbo0/syIZR7pjEoPTw/sUxFa/jYgcRrDh9bUmTBT7zU2/HDJRrwZfNgu9PPEtRGkIUOYri8muc0X8yLnHlk/5jvpwU5RY2uUoTZt+pvgm8jOHi/lkrtPx8uiQeEOeBkKe/DA2tFfHeVrC9OPkWQkjm0k9nsDggpwy9jf+RbzeSRb6Tyg4WWplDKW+a7VhBpBs1cNGGx9um590gpgpxaC93CIAtxI+iOxreH+xofhrJAPirms1yR4f5GD+glhr/mpCdclX0Eehvb+nxosnYKMh8XvlKR1GzP/PtqGCCRMpCByPmiXtotOMEQv96QGGs0/A8vdiktjJuGbjSQxKvw1UNG5Cxrb7DRqexPoILxoZAICSiFDK2vPPl2ePTWrk3MFxBKj+UK2VihhE1fpnZ7UXrVmQAUzNtDTdaaTcWy2ZTf4oAcRkUsYUl1BOIQYEcI0LmpCkqHb51ANbPO9bFxLAGTUuV9AMSRcrEojiFlxl+yiK5lPygJzrbRQBhnh3srxoHjfN5KvgVf0PqS3HUWIX/eknhBTJbhPO9d7me1/rTudqFd1dLEEiTJbN6KGF0vZvAgnahcoA4YSxLhG/EkNdOKbS/lJOUeysN/l/3L19RuWX9gd2Pc2FD7KWM6mzNAFIi8OAIChTnhZO7a6lcYZb+5uY+5N3Oh2Qthx7cc5k0DGQXX2FGYQgQKY9MWQo6s3Z2DwfNDddgYEM2clnnNPP+lNU7evdCsDb4/QPyDv+l14Tmdz2adhcsi4hkX9YGaCko6S6tdPI1fURyTkCKfUJ643ZNXyqmx4vRPupO2ukJArh7piCas8+B4FsScjD1sD3dH9aVwa2sI1tVed9zCclpmjBjqwATqNRvOZinA+mqThE4YjTVliRSaqNG6UsCq/x3f6R5/KBMacp4f0nZuXTOfvNgiFHju/m1paGf8JwylAkKummhneSOoZAbQ16dQhDu3ejZydbj5nRkTC/1VT87SFf+S+k66J8ycfIs2nkwlIvHWo+TbD36fBcTNq69BtAvluRRIH77zXg60zBK5KmmtKUbeayHVZngjZt/u3ezrRGuLu9TUCYtWMY0VVKyYUX36MykWY","x-amz-content-sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","authorization":"AWS4-HMAC-SHA256 Credential=ASIASX7QLUIYGFOUEXPF/20230518/eu-north-1/sts/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-security-token, Signature=bfaefe50abefa68b0081af52687885a7391006f2c8b0d80b6c20beb7da808d56"}' }
+ let(:invalid_authorization_header) { '{"Authorization":"AWS4-HMAC-SHA256 Credential=bad_request, SignedHeaders=host;x-amz-date;x-amz-security-token, Signature=38f8b60e4cbee78d55f379646e4fde87439ce0e43cd4cae38e3d2e295ebcfc58","X-Amz-Date":"20230613T204734Z","X-Amz-Security-Token":"FwoGZXIvYXdzEL7//////////wEaDAHHPZ7NyIBlfbsv4iKyATWQ4LpJCG6fsa1UR0jYrTMF0FSxCu/otBw8qZNNljSWHaEIkh/h3GfImEJjYXytE3N92XPXahQomVErEpcyOBO3M/FDbMKZ7tlTD1V5Rr8ZgMG6tOLCL4eCKq2IbugKBZo1Bw8OxC20sjZWNL44Z/8Lt6LkOsHJBiN1wEAEtT5Wrt5Jc0Qs8oU8xV6RHpQRfOOM6V1BnqDjrnJG3cUguotSpfR2RyskUZNr+lRg+MfJOJ8o5qujpAYyLew0iNCK3nlXngTuzSo6M3rPAKQhbK1tCvKSIMk6SqrHThyfAebPucCZx/XbbA=="}' }
describe '.valid?' do
context 'headers are valid' do
@@ -28,6 +31,14 @@
expect(authenticator.valid?(payload)).to be(true)
end
end
+ context 'with request signed by `us-east-1` and no `host` header' do
+ let(:payload) do
+ double('AuthenticationParameters', credentials: valid_global_headers_no_host, username: conjur_role)
+ end
+ it 'succeeds', vcr: 'authenticators/authn-iam/valid-global-headers-no-host' do
+ expect(authenticator.valid?(payload)).to be(true)
+ end
+ end
context 'with request signed for a non `us-east-1` region' do
let(:payload) do
double('AuthenticationParameters', credentials: global_non_global_signer, username: conjur_role)
@@ -50,6 +61,14 @@
expect(authenticator.valid?(payload)).to be(true)
end
end
+ context 'when regional endpoint request was signed for that region and no `host` header' do
+ let(:payload) do
+ double('AuthenticationParameters', credentials: valid_regional_headers_no_host, username: conjur_role)
+ end
+ it 'succeeds', vcr: 'authenticators/authn-iam/valid-regional-headers-no-host' do
+ expect(authenticator.valid?(payload)).to be(true)
+ end
+ end
context 'when regional endpoint request was signed for another region' do
let(:payload) do
double('AuthenticationParameters', credentials: regional_headers_signed_for_another_region, username: conjur_role)
@@ -103,6 +122,18 @@
end
end
end
+ context 'when the authorization header is invalid' do
+ let(:payload) do
+ double('AuthenticationParameters', credentials: invalid_authorization_header, username: conjur_role)
+ end
+ it 'fails' do
+ expect { authenticator.valid?(payload) }
+ .to raise_error(
+ Errors::Authentication::AuthnIam::InvalidAWSHeaders,
+ 'CONJ00018E Invalid or expired AWS headers: Failed to extract AWS region from authorization header'
+ )
+ end
+ end
end
context 'when an http exception occurs' do
let(:authenticator) do
diff --git a/spec/fixtures/vcr_cassettes/authenticators/authn-iam/valid-global-headers-no-host.yml b/spec/fixtures/vcr_cassettes/authenticators/authn-iam/valid-global-headers-no-host.yml
new file mode 100644
index 0000000000..8ee936b4e9
--- /dev/null
+++ b/spec/fixtures/vcr_cassettes/authenticators/authn-iam/valid-global-headers-no-host.yml
@@ -0,0 +1,95 @@
+---
+http_interactions:
+- request:
+ method: get
+ uri: https://sts.us-east-1.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15
+ body:
+ encoding: US-ASCII
+ string: ''
+ headers:
+ Authorization:
+ - AWS4-HMAC-SHA256 Credential=ASIAYNRQATHTPJYFX7PM/20230613/us-east-1/sts/aws4_request,
+ SignedHeaders=host;x-amz-date;x-amz-security-token, Signature=e81afd905d5131d697e33ad38a5eff72789ed3e6b5e61d694212fbfe09684a73
+ X-Amz-Date:
+ - 20230613T204702Z
+ X-Amz-Security-Token:
+ - FwoGZXIvYXdzEL7//////////wEaDG6/NsUxeWDT4wob/iKyAbExJrQ9Qr0pVX3lkwxaYwvssq/xFKk7Iu8w5uQsbsjZtqz7s8oNBfjuR/J7rRvDiFk4pyTICA9vzFEpNK1f4U3hfDslZFKhkeGgnY5jA2RLOlffE51tmvMr+KN6AJPJ+drAI5+K1Kn1G8Aiy5lsBHzEc0HR1Ji8zjujaqOWpZKYVC1MgIQt+l9eRdZTHBI/yb0fm32ZGxu/jMPZsa/kdGoDuAMd4pCZPnkaSnPgCNjJq5IoxqujpAYyLTMzCd3aidLr/ziL8UyEUbGJhglnhYEsDKp/ErjfnvoadZEuFIIpBKHbM01Igg==
+ Accept-Encoding:
+ - gzip;q=1.0,deflate;q=0.6,identity;q=0.3
+ Accept:
+ - "*/*"
+ User-Agent:
+ - Ruby
+ response:
+ status:
+ code: 403
+ message: Forbidden
+ headers:
+ X-Amzn-Requestid:
+ - cbe271c4-359d-4aaf-b7b2-810ec7d073ea
+ Content-Type:
+ - text/xml
+ Content-Length:
+ - '431'
+ Date:
+ - Tue, 13 Jun 2023 20:48:30 GMT
+ body:
+ encoding: UTF-8
+ string: |
+
+
+ Sender
+ SignatureDoesNotMatch
+ The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
+
+ cbe271c4-359d-4aaf-b7b2-810ec7d073ea
+
+ recorded_at: Tue, 13 Jun 2023 20:48:31 GMT
+- request:
+ method: get
+ uri: https://sts.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15
+ body:
+ encoding: US-ASCII
+ string: ''
+ headers:
+ Authorization:
+ - AWS4-HMAC-SHA256 Credential=ASIAYNRQATHTPJYFX7PM/20230613/us-east-1/sts/aws4_request,
+ SignedHeaders=host;x-amz-date;x-amz-security-token, Signature=e81afd905d5131d697e33ad38a5eff72789ed3e6b5e61d694212fbfe09684a73
+ X-Amz-Date:
+ - 20230613T204702Z
+ X-Amz-Security-Token:
+ - FwoGZXIvYXdzEL7//////////wEaDG6/NsUxeWDT4wob/iKyAbExJrQ9Qr0pVX3lkwxaYwvssq/xFKk7Iu8w5uQsbsjZtqz7s8oNBfjuR/J7rRvDiFk4pyTICA9vzFEpNK1f4U3hfDslZFKhkeGgnY5jA2RLOlffE51tmvMr+KN6AJPJ+drAI5+K1Kn1G8Aiy5lsBHzEc0HR1Ji8zjujaqOWpZKYVC1MgIQt+l9eRdZTHBI/yb0fm32ZGxu/jMPZsa/kdGoDuAMd4pCZPnkaSnPgCNjJq5IoxqujpAYyLTMzCd3aidLr/ziL8UyEUbGJhglnhYEsDKp/ErjfnvoadZEuFIIpBKHbM01Igg==
+ Accept-Encoding:
+ - gzip;q=1.0,deflate;q=0.6,identity;q=0.3
+ Accept:
+ - "*/*"
+ User-Agent:
+ - Ruby
+ response:
+ status:
+ code: 200
+ message: OK
+ headers:
+ X-Amzn-Requestid:
+ - cfc12bee-f331-403e-b281-2b5ed0cca8bd
+ Content-Type:
+ - text/xml
+ Content-Length:
+ - '444'
+ Date:
+ - Tue, 13 Jun 2023 20:48:31 GMT
+ body:
+ encoding: UTF-8
+ string: |
+
+
+ arn:aws:sts::188945769008:assumed-role/conjur-role/i-08241b0e31fe23d20
+ AROASX7QLUIYK4AQBODTV:i-08241b0e31fe23d20
+ 188945769008
+
+
+ c025e1ba-c36b-4078-9407-fdd02eaee5aa
+
+
+ recorded_at: Tue, 13 Jun 2023 20:48:31 GMT
+recorded_with: VCR 6.1.0
diff --git a/spec/fixtures/vcr_cassettes/authenticators/authn-iam/valid-regional-headers-no-host.yml b/spec/fixtures/vcr_cassettes/authenticators/authn-iam/valid-regional-headers-no-host.yml
new file mode 100644
index 0000000000..82ab0d193e
--- /dev/null
+++ b/spec/fixtures/vcr_cassettes/authenticators/authn-iam/valid-regional-headers-no-host.yml
@@ -0,0 +1,50 @@
+---
+http_interactions:
+- request:
+ method: get
+ uri: https://sts.us-east-1.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15
+ body:
+ encoding: US-ASCII
+ string: ''
+ headers:
+ Authorization:
+ - AWS4-HMAC-SHA256 Credential=ASIAYNRQATHTEQFKJN2P/20230613/us-east-1/sts/aws4_request,
+ SignedHeaders=host;x-amz-date;x-amz-security-token, Signature=38f8b60e4cbee78d55f379646e4fde87439ce0e43cd4cae38e3d2e295ebcfc58
+ X-Amz-Date:
+ - 20230613T204734Z
+ X-Amz-Security-Token:
+ - FwoGZXIvYXdzEL7//////////wEaDAHHPZ7NyIBlfbsv4iKyATWQ4LpJCG6fsa1UR0jYrTMF0FSxCu/otBw8qZNNljSWHaEIkh/h3GfImEJjYXytE3N92XPXahQomVErEpcyOBO3M/FDbMKZ7tlTD1V5Rr8ZgMG6tOLCL4eCKq2IbugKBZo1Bw8OxC20sjZWNL44Z/8Lt6LkOsHJBiN1wEAEtT5Wrt5Jc0Qs8oU8xV6RHpQRfOOM6V1BnqDjrnJG3cUguotSpfR2RyskUZNr+lRg+MfJOJ8o5qujpAYyLew0iNCK3nlXngTuzSo6M3rPAKQhbK1tCvKSIMk6SqrHThyfAebPucCZx/XbbA==
+ Accept-Encoding:
+ - gzip;q=1.0,deflate;q=0.6,identity;q=0.3
+ Accept:
+ - "*/*"
+ User-Agent:
+ - Ruby
+ response:
+ status:
+ code: 200
+ message: OK
+ headers:
+ X-Amzn-Requestid:
+ - e7b366a8-5a46-4676-9545-c28dd1b9a4ce
+ Content-Type:
+ - text/xml
+ Content-Length:
+ - '444'
+ Date:
+ - Tue, 13 Jun 2023 20:48:30 GMT
+ body:
+ encoding: UTF-8
+ string: |
+
+
+ arn:aws:sts::188945769008:assumed-role/conjur-role/i-08241b0e31fe23d20
+ AROASX7QLUIYK4AQBODTV:i-08241b0e31fe23d20
+ 188945769008
+
+
+ c025e1ba-c36b-4078-9407-fdd02eaee5aa
+
+
+ recorded_at: Tue, 13 Jun 2023 20:48:30 GMT
+recorded_with: VCR 6.1.0