Use canonical authority when computing the Host header

Computes and use the normalized URI authority when computing the Host header, and building the request URI. This makes the implementation compliant to the URI and HTTP RFCs, and fixes the signature issue when making requests to non-default ports (#263).

Author: marcobiscaro2112

CHANGES.md

@@ -1,5 +1,9 @@
 # aws-api
 
+## DEV
+
+* Fix invalid signature for nonstandard host port [#263](https://github.com/cognitect-labs/aws-api/issues/263)
+
 ## 0.8.735 / 2025-02-26
 
 * This is the official release of the previous `0.8.730-beta01` release, see those release notes

src/cognitect/aws/client/impl.clj

@@ -33,13 +33,28 @@
       {:cognitect.anomalies/category :cognitect.anomalies/fault
        ::throwable t})))
 
-(defn ^:private with-endpoint [req {:keys [protocol hostname port path]}]
-  (cond-> (-> req
-              (assoc-in [:headers "host"] hostname)
-              (assoc :server-name hostname))
-    protocol (assoc :scheme protocol)
-    port     (assoc :server-port port)
-    path     (assoc :uri path)))
+(defn ^:private with-endpoint
+  "Updates the request map `req` with data returned by the endpoint provider.
+
+   The request map is created with reasonable defaults by `cognitect.aws.protocols/build-http-request`,
+   and the `:scheme`, `:server-port` and `:uri` may be overridden here with
+   data from the endpoint provider.
+
+   `:server-name` is always set based on the endpoint provider data.
+
+   Also computes and sets the `Host` header with the appropriate authority."
+  [req {:keys [protocol hostname port path]}]
+  (let [scheme (or protocol (:scheme req) (throw (IllegalArgumentException. "missing protocol/scheme")))
+        server-name (or hostname (throw (IllegalArgumentException. "missing hostname")))
+        server-port (or port (:server-port req) (throw (IllegalArgumentException. "missing port/server-port")))
+        uri (or path (:uri req) (throw (IllegalArgumentException. "missing path/uri")))
+        authority (http/uri-authority scheme server-name server-port)]
+    (-> req
+        (assoc-in [:headers "host"] authority)
+        (assoc :scheme scheme
+               :server-name server-name
+               :server-port server-port
+               :uri uri))))
 
 (defn ^:private put-throwable [result-ch t response-meta op-map]
   (a/put! result-ch (with-meta

src/cognitect/aws/http.clj

@@ -5,6 +5,7 @@
   "Impl, don't call directly."
   (:require [clojure.edn :as edn]
             [clojure.core.async :as a]
+            [clojure.string :as str]
             [cognitect.aws.dynaload :as dynaload]))
 
 (set! *warn-on-reflection* true)
@@ -91,3 +92,31 @@
       (throw (ex-info "not an http client" {:provided http-client-or-sym
                                             :resolved c})))
     c))
+
+(defn uri-authority
+  "Returns the normalized URI authority (RFC 3986 section 3.2) for the given URI components,
+   good for building the full request URI, signing the request, and computing the Host header,
+   according to RFC 9112 section 3.2:
+
+       A client MUST send a Host header field in all HTTP/1.1 request messages. If the target URI
+       includes an authority component, then a client MUST send a field value for Host that is identical
+       to that authority component, excluding any userinfo subcomponent and its \"@\" delimiter.
+
+   `uri-scheme` and `uri-host` are required. `uri-port` may be nil in case the default port
+   for the scheme is used.
+
+   Normalization follows RFC 9110 section 4.2.3 (default port for the scheme is omitted;
+   scheme and host are normalized to lowercase). The userinfo component of the URI is
+   always omitted as per RFC 9110 section 4.2.4.
+
+       authority = host [ \":\" port ]"
+  [uri-scheme uri-host uri-port]
+  (let [scheme (str/lower-case (name uri-scheme))
+        host (str/lower-case uri-host)
+        is-default-port (case scheme
+                          "http" (= uri-port 80)
+                          "https" (= uri-port 443)
+                          false)
+        should-include-port (and (some? uri-port)
+                                 (not is-default-port))]
+    (str host (when should-include-port (str ":" uri-port)))))

src/cognitect/aws/http/java.clj

@@ -3,14 +3,12 @@
             [clojure.core.async :as async]
             [clojure.string :as string])
   (:import [java.io IOException]
-           [java.lang.invoke MethodHandle MethodHandles MethodType]
            [java.net URI]
            [java.net.http
-            HttpClient HttpClient$Builder HttpClient$Redirect HttpRequest HttpRequest$Builder
+            HttpClient HttpClient$Redirect HttpRequest HttpRequest$Builder
             HttpRequest$BodyPublishers HttpResponse HttpResponse$BodyHandlers]
            [java.nio ByteBuffer]
            [java.time Duration]
-           [java.util.concurrent ExecutorService Executors]
            [java.util.function Function]))
 
 (set! *warn-on-reflection* true)
@@ -53,22 +51,11 @@
   "Builds and returns a java.net.URI from the request map."
   [{:keys [scheme server-name server-port uri query-string]
     :or   {scheme "https"}}]
-  (let [;; NOTE: we should only include the port if it was explicitly specified to a
-        ;; non-default value. This check is needed to ensure the HttpClient instance
-        ;; generate consistent headers with the `host` header used when signing
-        ;; the request.
-        ;; The relevant restricted headers managed by HttpClient here are the `Host`
-        ;; header for HTTP/1.1, and the `:authority` pseudo-header for HTTP/2.
-        is-default-port (if (= (name scheme) "http")
-                          (= server-port 80)
-                          (= server-port 443))
-        should-include-port (and (some? server-port)
-                                 (not is-default-port))
-        ;; NOTE: we can't use URI's constructor passing individual components, because sometimes
+  (let [;; NOTE: we can't use URI's constructor passing individual components, because sometimes
         ;;       the `:uri` part includes query params
         ;;       (e.g. on DeleteObjects op, :uri is `/bucket-name?delete`)
-        full-uri (str (name scheme) "://" server-name
-                      (when should-include-port (str ":" server-port))
+        full-uri (str (name scheme) "://"
+                      (aws-http/uri-authority scheme server-name server-port)
                       uri
                       (when query-string (str "?" query-string)))]
     (URI/create full-uri)))

test/src/cognitect/aws/http_test.clj

@@ -18,3 +18,28 @@
     (is (= true
          (io/delete-file "test/resources/cognitect_aws_http.edn" :failed))
         "Accidentally failed to delete file")))
+
+(deftest uri-authority-test
+  (testing "http scheme, default port"
+    (is (= "a-server.example.com" (aws-http/uri-authority :http "a-server.example.com" 80)))
+    (is (= "a-server.example.com" (aws-http/uri-authority :http "A-sErvEr.example.com" nil)))
+    (is (= "a-server.example.com" (aws-http/uri-authority "HTTP" "a-server.example.com" 80)))
+    (is (= "a-server.example.com" (aws-http/uri-authority "http" "a-server.example.com" nil))))
+
+  (testing "https scheme, default port"
+    (is (= "a-server.example.com" (aws-http/uri-authority :https "a-server.example.com" 443)))
+    (is (= "a-server.example.com" (aws-http/uri-authority :https "A-sErvEr.example.com" nil)))
+    (is (= "a-server.example.com" (aws-http/uri-authority "https" "a-server.example.com" 443)))
+    (is (= "a-server.example.com" (aws-http/uri-authority "HTTPs" "a-server.example.com" nil))))
+
+  (testing "http scheme, custom port"
+    (is (= "a-server.example.com:8080" (aws-http/uri-authority :http "a-server.example.com" 8080)))
+    (is (= "a-server.example.com:4080" (aws-http/uri-authority :http "a-server.example.com" 4080)))
+    (is (= "a-server.example.com:443" (aws-http/uri-authority :http "a-server.example.com" 443)))
+    (is (= "a-server.example.com:1" (aws-http/uri-authority :http "a-server.example.com" 1))))
+
+  (testing "https scheme, custom port"
+    (is (= "a-server.example.com:8080" (aws-http/uri-authority :https "a-server.example.com" 8080)))
+    (is (= "a-server.example.com:4443" (aws-http/uri-authority :https "a-server.example.com" 4443)))
+    (is (= "a-server.example.com:80" (aws-http/uri-authority :https "a-server.example.com" 80)))
+    (is (= "a-server.example.com:1" (aws-http/uri-authority :https "a-server.example.com" 1)))))