Merge pull request #27 from NewtonDer/master

fix: missing Auth header returns 400 Bad Request

Author: amvadhia

aws_jupyter_proxy/awsproxy.py

@@ -378,10 +378,21 @@ def _build_upstream_auth_info(self) -> UpstreamAuthInfo:
 
         :return: the UpstreamAuthInfo instance
         """
-        auth_header_parts = self.upstream_request.headers["Authorization"].split(" ")
 
-        signed_headers = auth_header_parts[2].strip(",").split("=")[1].split(";")
-        _, _, region, service_name, _ = auth_header_parts[1].split("=")[1].split("/")
+        try:
+            auth_header_parts = self.upstream_request.headers["Authorization"].split(
+                " "
+            )
+
+            signed_headers = auth_header_parts[2].strip(",").split("=")[1].split(";")
+            _, _, region, service_name, _ = (
+                auth_header_parts[1].split("=")[1].split("/")
+            )
+        except KeyError:
+            raise HTTPError(400, message=f"Missing Authorization header")
+        except (IndexError, ValueError):
+            raise HTTPError(400, message=f"Malformed Authorization header")
+
         return UpstreamAuthInfo(service_name, region, signed_headers)
 
 

setup.py

@@ -5,7 +5,7 @@
 
 setuptools.setup(
     name="aws_jupyter_proxy",
-    version="0.3.6",
+    version="0.3.7",
     url="https://github.com/aws/aws-jupyter-proxy",
     author="Amazon Web Services",
     description="A Jupyter server extension to proxy requests with AWS SigV4 authentication",

tests/unit/test_awsproxy.py

@@ -889,6 +889,133 @@ async def test_request_with_base_url(mock_getenv, mock_fetch, mock_session):
     assert_http_response(mock_fetch, expected)
 
 
+@pytest.mark.asyncio
+@patch("os.getenv")
+async def test_missing_authorization_header(mock_getenv, mock_session):
+    # Given
+    upstream_request = HTTPServerRequest(
+        method="HEAD",
+        uri="/awsproxy/bucket-name-1",
+        headers=HTTPHeaders(
+            {
+                "Host": "localhost:8888",
+                "X-Amz-User-Agent": "aws-sdk-js/2.507.0 promise",
+                "X-Amz-Content-Sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+                "X-Amz-Date": "20190828T173626Z",
+            }
+        ),
+        body=None,
+        host="localhost:8888",
+    )
+    mock_getenv.return_value = ""
+
+    # When
+    with pytest.raises(HTTPError) as e:
+        await AwsProxyRequest(
+            upstream_request, create_endpoint_resolver(), mock_session
+        ).execute_downstream()
+
+        # Then
+        assert 400 == e.value.code
+        assert "Missing Authorization header" == e.value.message
+
+
+@pytest.mark.asyncio
+@patch("os.getenv")
+async def test_missing_region_in_authorization_header(mock_getenv, mock_session):
+    # Given
+    upstream_request = HTTPServerRequest(
+        method="HEAD",
+        uri="/awsproxy/bucket-name-1",
+        headers=HTTPHeaders(
+            {
+                "Host": "localhost:8888",
+                "X-Amz-User-Agent": "aws-sdk-js/2.507.0 promise",
+                "X-Amz-Content-Sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+                "X-Amz-Date": "20190828T173626Z",
+                "Authorization": "AWS4-HMAC-SHA256 Credential=IGNOREDIGNO/20230317/some-service/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-user-agent;x-service-endpoint-url;x-xsrftoken, Signature=123456789",
+            }
+        ),
+        body=None,
+        host="localhost:8888",
+    )
+    mock_getenv.return_value = ""
+
+    # When
+    with pytest.raises(HTTPError) as e:
+        await AwsProxyRequest(
+            upstream_request, create_endpoint_resolver(), mock_session
+        ).execute_downstream()
+
+        # Then
+        assert 400 == e.value.code
+        assert "Malformed Authorization header" == e.value.message
+
+
+@pytest.mark.asyncio
+@patch("os.getenv")
+async def test_missing_service_in_authorization_header(mock_getenv, mock_session):
+    # Given
+    upstream_request = HTTPServerRequest(
+        method="HEAD",
+        uri="/awsproxy/bucket-name-1",
+        headers=HTTPHeaders(
+            {
+                "Host": "localhost:8888",
+                "X-Amz-User-Agent": "aws-sdk-js/2.507.0 promise",
+                "X-Amz-Content-Sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+                "X-Amz-Date": "20190828T173626Z",
+                "Authorization": "AWS4-HMAC-SHA256 Credential=IGNOREDIGNO/20230317/us-west-2/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-user-agent;x-service-endpoint-url;x-xsrftoken, Signature=123456789",
+            }
+        ),
+        body=None,
+        host="localhost:8888",
+    )
+    mock_getenv.return_value = ""
+
+    # When
+    with pytest.raises(HTTPError) as e:
+        await AwsProxyRequest(
+            upstream_request, create_endpoint_resolver(), mock_session
+        ).execute_downstream()
+
+        # Then
+        assert 400 == e.value.code
+        assert "Malformed Authorization header" == e.value.message
+
+
+@pytest.mark.asyncio
+@patch("os.getenv")
+async def test_malformed_authorization_header(mock_getenv, mock_session):
+    # Given
+    upstream_request = HTTPServerRequest(
+        method="HEAD",
+        uri="/awsproxy/bucket-name-1",
+        headers=HTTPHeaders(
+            {
+                "Host": "localhost:8888",
+                "X-Amz-User-Agent": "aws-sdk-js/2.507.0 promise",
+                "X-Amz-Content-Sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+                "X-Amz-Date": "20190828T173626Z",
+                "Authorization": "AWS4-HMAC-SHA256 malformed-content",
+            }
+        ),
+        body=None,
+        host="localhost:8888",
+    )
+    mock_getenv.return_value = ""
+
+    # When
+    with pytest.raises(HTTPError) as e:
+        await AwsProxyRequest(
+            upstream_request, create_endpoint_resolver(), mock_session
+        ).execute_downstream()
+
+        # Then
+        assert 400 == e.value.code
+        assert "Malformed Authorization header" == e.value.message
+
+
 def assert_http_response(mock_fetch, expected_http_request):
     mock_fetch.assert_awaited_once()
     actual_http_request: HTTPRequest = mock_fetch.await_args[0][0]