From 9e3e723fb7f612e44c6f689577c7041fc4ef3dde Mon Sep 17 00:00:00 2001 From: Will Toozs Date: Fri, 19 Jan 2024 12:45:52 +0100 Subject: [PATCH] ARSN-387: check for forwarded proto header --- lib/policyEvaluator/utils/conditions.ts | 2 +- lib/policyEvaluator/utils/variables.ts | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/policyEvaluator/utils/conditions.ts b/lib/policyEvaluator/utils/conditions.ts index d99533e42..28ca93fcf 100644 --- a/lib/policyEvaluator/utils/conditions.ts +++ b/lib/policyEvaluator/utils/conditions.ts @@ -61,7 +61,7 @@ export function findConditionKey( case 'aws:referer': return headers.referer; // aws:SecureTransport – Used to check whether the request was sent // using SSL (see Boolean Condition Operators). - case 'aws:SecureTransport': return requestContext.getSslEnabled() ? 'true' : 'false'; + case 'aws:SecureTransport': return headers?.['x-forwarded-proto'] === 'https' ? 'true' : 'false'; // aws:SourceArn – Used check the source of the request, // using the ARN of the source. N/A here. case 'aws:SourceArn': return undefined; diff --git a/lib/policyEvaluator/utils/variables.ts b/lib/policyEvaluator/utils/variables.ts index 2b96faa9c..e2572e623 100644 --- a/lib/policyEvaluator/utils/variables.ts +++ b/lib/policyEvaluator/utils/variables.ts @@ -38,7 +38,7 @@ function findVariable(variable: string, requestContext: RequestContext): string // aws:SecureTransport is boolean value that represents whether the // request was sent using SSL map.set('aws:SecureTransport', - requestContext.getSslEnabled() ? 'true' : 'false'); + headers?.['x-forwarded-proto'] === 'https' ? 'true' : 'false'); // aws:SourceIp is requester's IP address, for use with IP address // conditions map.set('aws:SourceIp', requestContext.getRequesterIp());