do all header modifications in Build()

Signed-off-by: Jay Wineinger <jawineinger@spscommerce.com>
open-policy-agent · Dec 19, 2022 · febf55d · febf55d
1 parent bd37102
commit febf55d
Showing 1 changed file with 6 additions and 6 deletions.
diff --git a/internal/providers/aws/signing_v4a.go b/internal/providers/aws/signing_v4a.go
@@ -183,12 +183,17 @@ func (s *httpSigner) setRequiredSigningFields(headers http.Header, query url.Val
 	}
 }
 
+// Build modifies the Request attribute of the httpSigner, adding an Authorization header
 func (s *httpSigner) Build() (signedRequest, error) {
 	req := s.Request
 
 	query := req.URL.Query()
 	headers := req.Header
 
+	// seemingly required by S3/MRAP -- 403 Forbidden otherwise
+	headers.Set("host", req.URL.Host)
+	headers.Set("x-amz-content-sha256", s.PayloadHash)
+
 	s.setRequiredSigningFields(headers, query)
 
 	// Sort Each Query Key's Values
@@ -278,8 +283,7 @@ func (s *httpSigner) buildCanonicalHeaders(host string, rule v4Internal.Rule, he
 	signed = make(http.Header)
 
 	const hostHeader = "host"
-	headers := []string{hostHeader}
-	signed[hostHeader] = append(signed[hostHeader], host)
+	headers := make([]string, 0)
 
 	if length > 0 {
 		const contentLengthHeader = "content-length"
@@ -388,10 +392,6 @@ func SignV4a(headers map[string][]string, method string, theURL *url.URL, body [
 	req, _ := http.NewRequest(method, theURL.String(), bodyReader)
 	req.Header = headers
 
-	// seemingly required by S3/MRAP -- 400 Bad Request otherwise
-	req.Header.Set("host", theURL.Host)
-	req.Header.Set("x-amz-content-sha256", bodyHexHash)
-
 	signer := &httpSigner{
 		Request:     req,
 		PayloadHash: bodyHexHash,