fix: Ensure Host header is included when signing auth tokens (#1222)

Author: lauzadis

.github/workflows/continuous-integration.yml

@@ -68,7 +68,7 @@ jobs:
           ./gradlew test jvmTest
       - name: Save Test Reports
         if: failure()
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: test-reports-${{ matrix.os }}
           path: '**/build/reports'

gradle/libs.versions.toml

@@ -2,7 +2,7 @@
 kotlin-version = "2.1.0"
 dokka-version = "1.9.10"
 
-aws-kotlin-repo-tools-version = "0.4.17"
+aws-kotlin-repo-tools-version = "0.4.18"
 
 # libs
 coroutines-version = "1.9.0"

runtime/auth/aws-signing-common/common/src/aws/smithy/kotlin/runtime/auth/awssigning/AuthTokenGenerator.kt

@@ -6,6 +6,7 @@ package aws.smithy.kotlin.runtime.auth.awssigning
 
 import aws.smithy.kotlin.runtime.auth.awscredentials.CredentialsProvider
 import aws.smithy.kotlin.runtime.auth.awssigning.AwsSigningConfig.Companion.invoke
+import aws.smithy.kotlin.runtime.http.Headers
 import aws.smithy.kotlin.runtime.http.HttpMethod
 import aws.smithy.kotlin.runtime.http.request.HttpRequest
 import aws.smithy.kotlin.runtime.net.url.Url
@@ -28,7 +29,13 @@ public class AuthTokenGenerator(
     private fun Url.trimScheme(): String = toString().removePrefix(scheme.protocolName).removePrefix("://")
 
     public suspend fun generateAuthToken(endpoint: Url, region: String, expiration: Duration): String {
-        val req = HttpRequest(HttpMethod.GET, endpoint)
+        val req = HttpRequest(
+            HttpMethod.GET,
+            endpoint,
+            headers = Headers {
+                append("Host", endpoint.hostAndPort)
+            },
+        )
 
         val config = AwsSigningConfig {
             credentials = credentialsProvider.resolve()

runtime/auth/aws-signing-common/common/test/aws/smithy/kotlin/runtime/auth/awssigning/AuthTokenGeneratorTest.kt

@@ -45,6 +45,7 @@ class AuthTokenGeneratorTest {
         assertContains(token, "X-Amz-Credential=signature") // test custom signer was invoked
         assertContains(token, "X-Amz-Expires=333") // expiration
         assertContains(token, "X-Amz-SigningDate=0") // clock
+        assertContains(token, "X-Amz-SignedHeaders=host")
 
         assertTrue(credentialsProvider.credentialsResolved)
     }
@@ -60,6 +61,7 @@ private val TEST_SIGNER = object : AwsSigner {
             put("X-Amz-Credential", "signature")
             put("X-Amz-Expires", (config.expiresAfter?.toLong(DurationUnit.SECONDS) ?: 900).toString())
             put("X-Amz-SigningDate", config.signingDate.epochSeconds.toString())
+            put("X-Amz-SignedHeaders", request.headers.names().map { it.lowercase() }.joinToString())
         }
 
         return AwsSigningResult<HttpRequest>(builder.build(), "signature".encodeToByteArray())