From 9e3e723fb7f612e44c6f689577c7041fc4ef3dde Mon Sep 17 00:00:00 2001
From: Will Toozs
Date: Fri, 19 Jan 2024 12:45:52 +0100
Subject: [PATCH 1/3] ARSN-387: check for forwarded proto header
---
 lib/policyEvaluator/utils/conditions.ts | 2 +-
 lib/policyEvaluator/utils/variables.ts | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/policyEvaluator/utils/conditions.ts b/lib/policyEvaluator/utils/conditions.ts
index d99533e42..28ca93fcf 100644
--- a/lib/policyEvaluator/utils/conditions.ts
+++ b/lib/policyEvaluator/utils/conditions.ts
@@ -61,7 +61,7 @@ export function findConditionKey(
 case 'aws:referer': return headers.referer;
 // aws:SecureTransport – Used to check whether the request was sent
 // using SSL (see Boolean Condition Operators).
- case 'aws:SecureTransport': return requestContext.getSslEnabled() ? 'true' : 'false';
+ case 'aws:SecureTransport': return headers?.['x-forwarded-proto'] === 'https' ? 'true' : 'false';
 // aws:SourceArn – Used check the source of the request,
 // using the ARN of the source. N/A here.
 case 'aws:SourceArn': return undefined;
diff --git a/lib/policyEvaluator/utils/variables.ts b/lib/policyEvaluator/utils/variables.ts
index 2b96faa9c..e2572e623 100644
--- a/lib/policyEvaluator/utils/variables.ts
+++ b/lib/policyEvaluator/utils/variables.ts
@@ -38,7 +38,7 @@ function findVariable(variable: string, requestContext: RequestContext): string
 // aws:SecureTransport is boolean value that represents whether the
 // request was sent using SSL
 map.set('aws:SecureTransport',
- requestContext.getSslEnabled() ? 'true' : 'false');
+ headers?.['x-forwarded-proto'] === 'https' ? 'true' : 'false');
 // aws:SourceIp is requester's IP address, for use with IP address
 // conditions
 map.set('aws:SourceIp', requestContext.getRequesterIp());
From 8edd2f1c0cb8575bb4642e163f3e04b2d280dee0 Mon Sep 17 00:00:00 2001
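Review bot: The new `aws:SecureTransport` value in the conditions.ts hunk (line 64) is now derived solely from the request's `x-forwarded-proto` header, which is supplied by whoever sent the request, so a policy condition is decided on client-controlled data; the variables.ts hunk at line 41 makes the same replacement. Unless the layer that populates `headers` accepts this header only from a trusted proxy (not visible here), a request arriving without a proxy can carry `https` and satisfy a `Bool: { 'aws:SecureTransport': 'true' }` condition over plain HTTP, while a direct TLS connection with no proxy header now evaluates to `'false'` even though the removed `requestContext.getSslEnabled()` would have reported the connection as secure. A safer shape keeps the connection fact as the primary signal and treats the header as a supplement, e.g. `return (requestContext.getSslEnabled() || headers?.['x-forwarded-proto'] === 'https') ? 'true' : 'false';`, with a comment such as `// x-forwarded-proto is only meaningful when set by a trusted proxy; document where that trust is enforced` on both sites. The previous context line in this hunk dereferences `headers.referer` without optional chaining, so `headers?.` on the new line is either redundant or that earlier line is unsafe, and in findVariable the hunk never shows `headers` being declared, so confirm it is actually in scope there since the visible signature carries only `variable` and `requestContext`. Both enclosing functions begin and end outside the hunks.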
From: Will Toozs Date: Fri, 19 Jan 2024 14:09:40 +0100 Subject: [PATCH 2/3] ARSN-387: update test --- tests/unit/policyEvaluator.spec.js | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tests/unit/policyEvaluator.spec.js b/tests/unit/policyEvaluator.spec.js index 91fa9ab2d..f10bd62e3 100644 --- a/tests/unit/policyEvaluator.spec.js +++ b/tests/unit/policyEvaluator.spec.js @@ -915,7 +915,9 @@ describe('policyEvaluator', () => { () => { policy.Statement.Condition = { Bool: { 'aws:SecureTransport': 'true' } }; - const rcModifiers = { _sslEnabled: true }; + const rcModifiers = { _headers: { + 'x-forwarded-proto': 'https', + } }; check(requestContext, rcModifiers, policy, 'Allow'); }); From 0466eb4d82624796190338e8892bc3ea2c0908e5 Mon Sep 17 00:00:00 2001 From: Will Toozs Date: Fri, 9 Feb 2024 12:34:45 +0100 Subject: [PATCH 3/3] fixup: update test --- tests/unit/policyEvaluator.spec.js | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tests/unit/policyEvaluator.spec.js b/tests/unit/policyEvaluator.spec.js index f10bd62e3..d18e5bf8b 100644 --- a/tests/unit/policyEvaluator.spec.js +++ b/tests/unit/policyEvaluator.spec.js @@ -906,7 +906,9 @@ describe('policyEvaluator', () => { () => { policy.Statement.Condition = { Bool: { 'aws:SecureTransport': 'true' } }; - const rcModifiers = { _sslEnabled: false }; + const rcModifiers = { _headers: { + 'x-forwarded-proto': 'http', + } }; check(requestContext, rcModifiers, policy, 'Neutral'); });
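Review bot: The updated tests at lines 906 and 915 of policyEvaluator.spec.js (patches 2/3 and 3/3) only exercise the header-present cases, `'http'` and `'https'`, so nothing pins what `aws:SecureTransport` evaluates to when `x-forwarded-proto` is absent, which is exactly the situation the removed `_sslEnabled` modifiers covered. Adding a third case with `const rcModifiers = { _sslEnabled: true };` and no `_headers` entry, with whichever expectation the maintainers intend, would document the behaviour change for direct TLS connections; under the conditions.ts change in patch 1/3 that case appears to evaluate to `'false'`, which may not be the intended outcome. A companion case with `_sslEnabled: false` and `'x-forwarded-proto': 'https'` would likewise make explicit whether the header alone is meant to be sufficient. The `it(...)` wrappers for both tests begin outside the hunks.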