auth: Disable the Authorization header for ECR redirects.

[gdlg]

Why the changes in this PR are needed?

I am attempting to address https://github.com/open-policy-agent/opa/issues/6580

ECR serves OCI blobs by redirecting to S3 using pre-signed URLs. Currently, OPA adds the ECR auth header to the S3 request in addition to the pre-signed parameter, and S3 returns a 400 Bad Request:

Only one auth mechanism allowed; only the X-Amz-Algorithm query parameter, Signature query string parameter or the Authorization header should be specified

What are the changes in this PR?

I removed the auth header from the redirects to S3.

I hesitated between checking whether the request is generated by a 307 redirect, or whether the request host matches the host specified in the OPA OCI config. I went for the second option because http auth is usually tied to a specific origin, and should not be shared across origin. The Prepare function adds the auth header only if the host matches, and returns early if doesn’t.

[ashutosh-narkar]

@gdlg the changes look fine. Have you tested this with an actual ECR-S3 scenario as described in https://github.com/open-policy-agent/opa/issues/6580?

[gdlg]

@ashutosh-narkar Yes, I have tested ECR with the S3 redirection. As far as I am aware, ECR always does a redirection to S3. For testing, we also ported this change to opa-envoy-plugin and deployed it as a K8s sidecar and it is working as expected.