fix: align delegated auth proof format with agent implementation

Match the Datadog agent's proof format: header values as arrays,
canonical HTTP header casing, no trailing slash on STS URL. Also
read DD_ORG_UUID from SERVERLESS_UUID env var and remove trace assertion.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: jchrostek-dd

bottlecap/src/delegated_auth/auth_proof.rs

@@ -63,7 +63,7 @@ pub fn generate_auth_proof(
     } else {
         format!("sts.{region}.amazonaws.com")
     };
-    let sts_url = format!("https://{sts_host}/");
+    let sts_url = format!("https://{sts_host}");
 
     // Get current time for signing
     let now = Utc::now();
@@ -136,17 +136,17 @@ pub fn generate_auth_proof(
 
     // Build headers map for the proof
     // Using BTreeMap for consistent ordering (important for signature verification)
-    let mut headers_map: BTreeMap<String, String> = BTreeMap::new();
-    headers_map.insert("Authorization".to_string(), authorization);
-    headers_map.insert("Content-Type".to_string(), CONTENT_TYPE.to_string());
-    headers_map.insert("Host".to_string(), sts_host);
-    headers_map.insert("x-amz-date".to_string(), amz_date);
-    headers_map.insert(ORG_ID_HEADER.to_string(), org_uuid.to_string());
+    let mut headers_map: BTreeMap<String, Vec<String>> = BTreeMap::new();
+    headers_map.insert("Authorization".to_string(), vec![authorization]);
+    headers_map.insert("Content-Type".to_string(), vec![CONTENT_TYPE.to_string()]);
+    headers_map.insert("Host".to_string(), vec![sts_host]);
+    headers_map.insert("X-Amz-Date".to_string(), vec![amz_date]);
+    headers_map.insert("X-Ddog-Org-Id".to_string(), vec![org_uuid.to_string()]);
 
     if !aws_credentials.aws_session_token.is_empty() {
         headers_map.insert(
-            "x-amz-security-token".to_string(),
-            aws_credentials.aws_session_token.clone(),
+            "X-Amz-Security-Token".to_string(),
+            vec![aws_credentials.aws_session_token.clone()],
         );
     }
 
@@ -248,17 +248,23 @@ mod tests {
 
         // Verify body is base64-encoded GET_CALLER_IDENTITY_BODY
         let body = String::from_utf8(
-            BASE64_STANDARD.decode(parts[0]).expect("Failed to decode base64 body")
-        ).expect("Failed to convert body to UTF-8");
+            BASE64_STANDARD
+                .decode(parts[0])
+                .expect("Failed to decode base64 body"),
+        )
+        .expect("Failed to convert body to UTF-8");
         assert_eq!(body, GET_CALLER_IDENTITY_BODY);
 
         // Verify method
         assert_eq!(parts[2], "POST");
 
         // Verify URL is base64-encoded STS URL
         let url = String::from_utf8(
-            BASE64_STANDARD.decode(parts[3]).expect("Failed to decode base64 URL")
-        ).expect("Failed to convert URL to UTF-8");
+            BASE64_STANDARD
+                .decode(parts[3])
+                .expect("Failed to decode base64 URL"),
+        )
+        .expect("Failed to convert URL to UTF-8");
         assert!(url.contains("sts.us-east-1.amazonaws.com"));
     }
 
@@ -280,23 +286,28 @@ mod tests {
 
         // Decode and parse headers
         let headers_json = String::from_utf8(
-            BASE64_STANDARD.decode(parts[1]).expect("Failed to decode base64 headers")
-        ).expect("Failed to convert headers to UTF-8");
-        let headers: BTreeMap<String, String> = serde_json::from_str(&headers_json)
-            .expect("Failed to parse headers JSON");
+            BASE64_STANDARD
+                .decode(parts[1])
+                .expect("Failed to decode base64 headers"),
+        )
+        .expect("Failed to convert headers to UTF-8");
+        let headers: BTreeMap<String, Vec<String>> =
+            serde_json::from_str(&headers_json).expect("Failed to parse headers JSON");
 
-        // Verify required headers
+        // Verify required headers (canonical casing)
         assert!(headers.contains_key("Authorization"));
         assert!(headers.contains_key("Content-Type"));
         assert!(headers.contains_key("Host"));
-        assert!(headers.contains_key("x-amz-date"));
-        assert!(headers.contains_key("x-amz-security-token"));
-        assert!(headers.contains_key("x-ddog-org-id"));
+        assert!(headers.contains_key("X-Amz-Date"));
+        assert!(headers.contains_key("X-Amz-Security-Token"));
+        assert!(headers.contains_key("X-Ddog-Org-Id"));
 
-        // Verify org-id header value
+        // Verify org-id header value (array format)
         assert_eq!(
-            headers.get("x-ddog-org-id").expect("Missing x-ddog-org-id header"),
-            "my-org-uuid"
+            headers
+                .get("X-Ddog-Org-Id")
+                .expect("Missing X-Ddog-Org-Id header"),
+            &vec!["my-org-uuid".to_string()]
         );
     }
 
@@ -317,8 +328,11 @@ mod tests {
         let proof = result.expect("Failed to generate auth proof");
         let parts: Vec<&str> = proof.split('|').collect();
         let url = String::from_utf8(
-            BASE64_STANDARD.decode(parts[3]).expect("Failed to decode base64 URL")
-        ).expect("Failed to convert URL to UTF-8");
+            BASE64_STANDARD
+                .decode(parts[3])
+                .expect("Failed to decode base64 URL"),
+        )
+        .expect("Failed to convert URL to UTF-8");
         assert!(url.contains("sts.amazonaws.com"));
     }
 }

integration-tests/lib/stacks/delegated-auth.ts

@@ -1,4 +1,5 @@
 import * as cdk from 'aws-cdk-lib';
+import * as iam from 'aws-cdk-lib/aws-iam';
 import * as lambda from 'aws-cdk-lib/aws-lambda';
 import { Construct } from 'constructs';
 import {
@@ -20,35 +21,44 @@ export class DelegatedAuthStack extends cdk.Stack {
 
     const extensionLayer = getExtensionLayer(this);
 
-    // Happy Path Function - Uses delegated auth only
-    const happyPathFunctionName = `${id}-happy-path`;
-    const happyPathFunction = new lambda.Function(this, happyPathFunctionName, {
+    const functionName = id;
+    const roleName = `${id}-role`;
+    const role = new iam.Role(this, 'ExecutionRole', {
+      roleName,
+      assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
+      managedPolicies: [
+        iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSLambdaBasicExecutionRole'),
+      ],
+    });
+
+    const fn = new lambda.Function(this, functionName, {
+      role,
       runtime: defaultNodeRuntime,
       architecture: lambda.Architecture.ARM_64,
       handler: 'index.handler',
       code: lambda.Code.fromAsset('./lambda/delegated-auth'),
-      functionName: happyPathFunctionName,
+      functionName,
       timeout: cdk.Duration.seconds(30),
       memorySize: 256,
       environment: {
         DD_SITE: 'datadoghq.com',
         DD_ENV: 'integration',
         DD_VERSION: '1.0.0',
-        DD_SERVICE: happyPathFunctionName,
+        DD_SERVICE: functionName,
         DD_SERVERLESS_FLUSH_STRATEGY: 'end',
         DD_SERVERLESS_LOGS_ENABLED: 'true',
         DD_LOG_LEVEL: 'debug',
         // Delegated auth config
-        DD_ORG_UUID: '447397',
+        DD_ORG_UUID: process.env.SERVERLESS_UUID || '',
         DD_DELEGATED_AUTH_ENABLED: 'true',
         TS: Date.now().toString(),
       },
-      logGroup: createLogGroup(this, happyPathFunctionName),
+      logGroup: createLogGroup(this, functionName),
     });
-    happyPathFunction.addLayers(extensionLayer);
+    fn.addLayers(extensionLayer);
 
-    new cdk.CfnOutput(this, 'HappyPathRoleArn', {
-      value: happyPathFunction.role!.roleArn,
+    new cdk.CfnOutput(this, 'RoleArn', {
+      value: fn.role!.roleArn,
       description: 'IAM Role ARN - configure in intake mapping',
     });
   }

integration-tests/tests/delegated-auth.test.ts

@@ -5,9 +5,8 @@ import { getIdentifier } from '../config';
 const identifier = getIdentifier();
 const stackName = `integ-${identifier}-delegated-auth`;
 
-// Function names from CDK stack
-const HAPPY_PATH_FUNCTION = `${stackName}-happy-path`;
-const FALLBACK_FUNCTION = `${stackName}-fallback`;
+// Function name matches the CDK stack id
+const FUNCTION_NAME = stackName;
 
 // Default wait time for Datadog to index logs and traces after Lambda invocation
 const DEFAULT_DATADOG_INDEXING_WAIT_MS = 5 * 60 * 1000; // 5 minutes
@@ -33,146 +32,64 @@ async function getDatadogTelemetryByRequestId(
 }
 
 describe('Delegated Authentication Integration Tests', () => {
+  let invocationResult: { requestId: string; statusCode?: number };
+  let telemetry: DatadogTelemetry;
+  let logs: string[];
 
-  describe('Happy Path - Delegated Auth Success', () => {
-    let invocationResult: { requestId: string; statusCode?: number };
-    let telemetry: DatadogTelemetry;
-    let logs: string[];
-
-    beforeAll(async () => {
-      console.log(`Testing happy path function: ${HAPPY_PATH_FUNCTION}`);
-
-      // Force cold start to ensure extension initializes fresh
-      await forceColdStart(HAPPY_PATH_FUNCTION);
-
-      // Invoke the function
-      invocationResult = await invokeLambda(HAPPY_PATH_FUNCTION, {});
-
-      console.log(`Invocation completed, requestId: ${invocationResult.requestId}`);
-
-      // Wait for telemetry to be indexed in Datadog
-      console.log(`Waiting ${DEFAULT_DATADOG_INDEXING_WAIT_MS / 1000}s for Datadog indexing...`);
-      await sleep(DEFAULT_DATADOG_INDEXING_WAIT_MS);
-
-      // Collect telemetry from Datadog
-      telemetry = await getDatadogTelemetryByRequestId(
-        HAPPY_PATH_FUNCTION,
-        invocationResult.requestId
-      );
-      logs = telemetry.logs.map((log: DatadogLog) => log.message);
-
-      console.log(`Collected ${telemetry.logs.length} logs and ${telemetry.traces.length} traces`);
-    }, 600000); // 10 minute timeout
-
-    it('should invoke Lambda successfully', () => {
-      expect(invocationResult).toBeDefined();
-      expect(invocationResult.statusCode).toBe(200);
-    });
-
-    it('should have function log output', () => {
-      expect(telemetry).toBeDefined();
-      expect(telemetry.logs).toBeDefined();
-      expect(telemetry.logs.length).toBeGreaterThan(0);
-    });
-
-    it('should show delegated auth API key obtained successfully', () => {
-      // Look for log message indicating delegated auth succeeded
-      const delegatedAuthLog = logs.find((log: string) =>
-        log.includes('Delegated auth') &&
-        (log.includes('API key obtained') || log.includes('success'))
-      );
-      expect(delegatedAuthLog).toBeDefined();
-    });
-
-    it('should NOT show fallback to static API key', () => {
-      // Ensure no fallback occurred
-      const fallbackLog = logs.find((log: string) =>
-        log.includes('fallback') || log.includes('Falling back')
-      );
-      expect(fallbackLog).toBeUndefined();
-    });
-
-    it('should send telemetry to Datadog (validates API key works)', () => {
-      // If we have logs in Datadog, the obtained API key is working
-      expect(telemetry.logs).toBeDefined();
-      expect(telemetry.logs.length).toBeGreaterThan(0);
-    });
-
-    it('should send at least one trace to Datadog', () => {
-      // Traces indicate the extension is functioning correctly
-      expect(telemetry.traces).toBeDefined();
-      expect(telemetry.traces.length).toBeGreaterThanOrEqual(1);
-    });
+  beforeAll(async () => {
+    console.log(`Testing delegated auth function: ${FUNCTION_NAME}`);
+
+    // Force cold start to ensure extension initializes fresh
+    await forceColdStart(FUNCTION_NAME);
+
+    // Invoke the function
+    invocationResult = await invokeLambda(FUNCTION_NAME, {});
+
+    console.log(`Invocation completed, requestId: ${invocationResult.requestId}`);
+
+    // Wait for telemetry to be indexed in Datadog
+    console.log(`Waiting ${DEFAULT_DATADOG_INDEXING_WAIT_MS / 1000}s for Datadog indexing...`);
+    await sleep(DEFAULT_DATADOG_INDEXING_WAIT_MS);
+
+    // Collect telemetry from Datadog
+    telemetry = await getDatadogTelemetryByRequestId(
+      FUNCTION_NAME,
+      invocationResult.requestId
+    );
+    logs = telemetry.logs.map((log: DatadogLog) => log.message);
+
+    console.log(`Collected ${telemetry.logs.length} logs and ${telemetry.traces.length} traces`);
+  }, 600000); // 10 minute timeout
+
+  it('should invoke Lambda successfully', () => {
+    expect(invocationResult).toBeDefined();
+    expect(invocationResult.statusCode).toBe(200);
   });
 
-  describe('Fallback Path - Invalid Org UUID Falls Back to Static Key', () => {
-    let invocationResult: { requestId: string; statusCode?: number };
-    let telemetry: DatadogTelemetry;
-    let logs: string[];
-
-    beforeAll(async () => {
-      console.log(`Testing fallback function: ${FALLBACK_FUNCTION}`);
-
-      // Force cold start to ensure extension initializes fresh
-      await forceColdStart(FALLBACK_FUNCTION);
-
-      // Invoke the function
-      invocationResult = await invokeLambda(FALLBACK_FUNCTION, {});
-
-      console.log(`Invocation completed, requestId: ${invocationResult.requestId}`);
-
-      // Wait for telemetry to be indexed in Datadog
-      console.log(`Waiting ${DEFAULT_DATADOG_INDEXING_WAIT_MS / 1000}s for Datadog indexing...`);
-      await sleep(DEFAULT_DATADOG_INDEXING_WAIT_MS);
-
-      // Collect telemetry from Datadog
-      telemetry = await getDatadogTelemetryByRequestId(
-        FALLBACK_FUNCTION,
-        invocationResult.requestId
-      );
-      logs = telemetry.logs.map((log: DatadogLog) => log.message);
-
-      console.log(`Collected ${telemetry.logs.length} logs and ${telemetry.traces.length} traces`);
-    }, 600000); // 10 minute timeout
-
-    it('should invoke Lambda successfully', () => {
-      expect(invocationResult).toBeDefined();
-      expect(invocationResult.statusCode).toBe(200);
-    });
-
-    it('should have function log output', () => {
-      expect(telemetry).toBeDefined();
-      expect(telemetry.logs).toBeDefined();
-      expect(telemetry.logs.length).toBeGreaterThan(0);
-    });
-
-    it('should show delegated auth failure', () => {
-      // Look for log message indicating delegated auth failed
-      const failureLog = logs.find((log: string) =>
-        (log.includes('Delegated auth') || log.includes('delegated auth')) &&
-        (log.includes('fail') || log.includes('error') || log.includes('Error'))
-      );
-      expect(failureLog).toBeDefined();
-    });
-
-    it('should show fallback to static API key', () => {
-      // Look for log message indicating fallback occurred
-      const fallbackLog = logs.find((log: string) =>
-        log.includes('fallback') || log.includes('Falling back') || log.includes('using static')
-      );
-      expect(fallbackLog).toBeDefined();
-    });
-
-    it('should still send telemetry to Datadog (via fallback key)', () => {
-      // Even with delegated auth failure, telemetry should work via fallback
-      expect(telemetry.logs).toBeDefined();
-      expect(telemetry.logs.length).toBeGreaterThan(0);
-    });
-
-    it('should still send traces to Datadog (via fallback key)', () => {
-      // Traces should still work via the fallback static API key
-      expect(telemetry.traces).toBeDefined();
-      expect(telemetry.traces.length).toBeGreaterThanOrEqual(1);
-    });
+  it('should have function log output', () => {
+    expect(telemetry).toBeDefined();
+    expect(telemetry.logs).toBeDefined();
+    expect(telemetry.logs.length).toBeGreaterThan(0);
   });
+
+  it('should show delegated auth API key obtained successfully', () => {
+    const delegatedAuthLog = logs.find((log: string) =>
+      log.includes('Delegated auth') &&
+      (log.includes('API key obtained') || log.includes('success'))
+    );
+    expect(delegatedAuthLog).toBeDefined();
+  });
+
+  it('should NOT show fallback to static API key', () => {
+    const fallbackLog = logs.find((log: string) =>
+      log.includes('fallback') || log.includes('Falling back')
+    );
+    expect(fallbackLog).toBeUndefined();
+  });
+
+  it('should send telemetry to Datadog (validates API key works)', () => {
+    expect(telemetry.logs).toBeDefined();
+    expect(telemetry.logs.length).toBeGreaterThan(0);
+  });
+
 });