ARSN-387: check for forwarded proto header

Will Toozs · Will Toozs · commit 92bd028fb609 · 2024-01-19T12:45:52.000+01:00
diff --git a/lib/policyEvaluator/utils/conditions.ts b/lib/policyEvaluator/utils/conditions.ts
@@ -61,7 +61,7 @@ export function findConditionKey(
     case 'aws:referer': return headers.referer;
     // aws:SecureTransport – Used to check whether the request was sent
     // using SSL (see Boolean Condition Operators).
-    case 'aws:SecureTransport': return requestContext.getSslEnabled() ? 'true' : 'false';
+    case 'aws:SecureTransport': return headers?.['x-forwarded-proto'] === 'https' ? 'true' : 'false';
     // aws:SourceArn – Used check the source of the request,
     // using the ARN of the source. N/A here.
     case 'aws:SourceArn': return undefined;
diff --git a/lib/policyEvaluator/utils/variables.ts b/lib/policyEvaluator/utils/variables.ts
@@ -38,7 +38,7 @@ function findVariable(variable: string, requestContext: RequestContext): string
     // aws:SecureTransport is boolean value that represents whether the
     // request was sent using SSL
     map.set('aws:SecureTransport',
-        requestContext.getSslEnabled() ? 'true' : 'false');
+        headers?.['x-forwarded-proto'] === 'https' ? 'true' : 'false');
     // aws:SourceIp is requester's IP address, for use with IP address
     // conditions
     map.set('aws:SourceIp', requestContext.getRequesterIp());
