feat(signature-v4): add support to override the set of unsignableHeaders

[ronak2121]

Issue #, if available:
Add support to override the set of unsignableHeaders; in cases where signing those headers (such as user-agent) would be desirable.

Description of changes:
Added a new set of signableHeaders, which is checked for inclusion before the specified header is removed for being an unsignable one.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[trivikr]

Relevant discussions from internal issue tracker below.

Findings:

• signature-v4-node extends from signature-v4 (code)
• presignRequest function is defined in SignatureV4.ts (code)
• The header "X-Amz-SignedHeaders" is set in SignatureV4.ts (code)
• The method getCanonicalHeaderList sorts the headers and joins them with ; (code)
• The method getCanonicalHeaders returns sign-able headers which are not proxy/sec headers (code)
• The header user-agent is excluded as it's in ALWAYS_UNSIGNABLE_HEADERS (code)

Proposed accepted solution:

• Pass "user-agent" as a new option in RequestSigningArguments (code)
• It can be a set, with a new parameter signableHeaders in SigningArguments.

interface RequestSigningArguments extends SigningArguments {
  /**
   * A set of strings whose members represents headers that cannot be signed.
   * All headers in the provided request will have their names converted to
   * lower case and then checked for existence in the unsignableHeaders set.
   */
  unsignableHeaders?: Set<string>;

  /**
   * A set of strings whose members represents headers that should be signed.
   * All headers in the provided request will have their names converted to
   * lower case before signing.
   */
  signableHeaders?: Set<string>;
}

[trivikr]

Other findings:

• user-agent is skipped by default because of RFC 2616
• it's legal for a proxy to modify the user agent header, so default signing it is risky

This PR provides a way for customers to explicitly opt-in to signing the user agent header

[aws-sdk-js-automation]

AWS CodeBuild CI Report

• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.