Ensure Host header is signed

awslabs · Jan 16, 2025 · 4156091 · 4156091
1 parent 0c1b50d
commit 4156091
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 0 deletions.
diff --git a/services/dsql/common/test/aws/sdk/kotlin/services/dsql/DsqlAuthTokenGeneratorTest.kt b/services/dsql/common/test/aws/sdk/kotlin/services/dsql/DsqlAuthTokenGeneratorTest.kt
@@ -36,6 +36,7 @@ class DsqlAuthTokenGeneratorTest {
         assertContains(token, "peccy.dsql.us-east-1.on.aws?Action=DbConnect")
         assertContains(token, "X-Amz-Credential=akid%2F20240827%2Fus-east-1%2Fdsql%2Faws4_request")
         assertContains(token, "X-Amz-Expires=450")
+        assertContains(token, "X-Amz-SignedHeaders=host")
 
         // Token should not contain a scheme
         listOf("http://", "https://").forEach {
@@ -65,6 +66,7 @@ class DsqlAuthTokenGeneratorTest {
         assertContains(token, "peccy.dsql.us-east-1.on.aws?Action=DbConnectAdmin")
         assertContains(token, "X-Amz-Credential=akid%2F20240827%2Fus-east-1%2Fdsql%2Faws4_request")
         assertContains(token, "X-Amz-Expires=450")
+        assertContains(token, "X-Amz-SignedHeaders=host")
 
         // Token should not contain a scheme
         listOf("http://", "https://").forEach {

diff --git a/services/rds/common/test/RdsAuthTokenGeneratorTest.kt b/services/rds/common/test/RdsAuthTokenGeneratorTest.kt
@@ -41,6 +41,7 @@ class RdsAuthTokenGeneratorTest {
         assertContains(token, "prod-instance.us-east-1.rds.amazonaws.com:3306?Action=connect&DBUser=peccy")
         assertContains(token, "X-Amz-Credential=akid%2F20240827%2Fus-east-1%2Frds-db%2Faws4_request")
         assertContains(token, "X-Amz-Expires=450")
+        assertContains(token, "X-Amz-SignedHeaders=host")
 
         // Token should not contain a scheme
         listOf("http://", "https://").forEach {