diff --git a/.schema/config.schema.json b/.schema/config.schema.json index 28fb647df2..ab0736e053 100644 --- a/.schema/config.schema.json +++ b/.schema/config.schema.json @@ -960,6 +960,16 @@ "type": "string" } }, + "forward_request_headers_to_remote": { + "description": "A list of inbound request headers to forward to the remote authorizer.", + "title": "Allowed Inbound HTTP Headers to Forward to the Remote", + "type": "array", + "items": { + "type": "string" + }, + "uniqueItems": true, + "default": [] + }, "forward_response_headers_to_upstream": { "description": "A list of non simple headers the remote is allowed to return to mutate requests.", "title": "Allowed Remote HTTP Headers for his Responses", diff --git a/pipeline/authz/remote.go b/pipeline/authz/remote.go index a42e072e7e..86a9556fe3 100644 --- a/pipeline/authz/remote.go +++ b/pipeline/authz/remote.go @@ -31,6 +31,7 @@ import ( type AuthorizerRemoteConfiguration struct { Remote string `json:"remote"` Headers map[string]string `json:"headers"` + ForwardRequestHeadersToRemote []string `json:"forward_request_headers_to_remote"` ForwardResponseHeadersToUpstream []string `json:"forward_response_headers_to_upstream"` Retry *AuthorizerRemoteRetryConfiguration `json:"retry"` } @@ -86,6 +87,16 @@ func (a *AuthorizerRemote) Authorize(r *http.Request, session *authn.Authenticat if err != nil { return errors.WithStack(err) } + for _, name := range c.ForwardRequestHeadersToRemote { + values := r.Header.Values(name) + if len(values) == 0 { + continue + } + req.Header.Del(name) + for _, v := range values { + req.Header.Add(name, v) + } + } req.Header.Add("Content-Type", r.Header.Get("Content-Type")) authz := r.Header.Get("Authorization") if authz != "" { diff --git a/pipeline/authz/remote_test.go b/pipeline/authz/remote_test.go index 6831b1f794..84ea925cab 100644 --- a/pipeline/authz/remote_test.go +++ b/pipeline/authz/remote_test.go @@ -37,6 +37,7 @@ func TestAuthorizerRemoteAuthorize(t *testing.T) { setup func(t *testing.T) *httptest.Server session *authn.AuthenticationSession sessionHeaderMatch *http.Header + requestHeaders http.Header body string config json.RawMessage wantErr bool @@ -161,6 +162,24 @@ func TestAuthorizerRemoteAuthorize(t *testing.T) { sessionHeaderMatch: &http.Header{"X-Foo": []string{""}}, config: json.RawMessage(`{"forward_response_headers_to_upstream":["X-Foo"]}`), }, + { + name: "ok with forwarded request headers", + setup: func(t *testing.T) *httptest.Server { + return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + assert.Equal(t, "sig-value", r.Header.Get("X-Signature")) + assert.Equal(t, "ts-value", r.Header.Get("X-Timestamp")) + assert.Empty(t, r.Header.Get("X-Not-Forwarded")) + w.WriteHeader(http.StatusOK) + })) + }, + session: &authn.AuthenticationSession{}, + requestHeaders: http.Header{ + "X-Signature": {"sig-value"}, + "X-Timestamp": {"ts-value"}, + "X-Not-Forwarded": {"nope"}, + }, + config: json.RawMessage(`{"forward_request_headers_to_remote":["X-Signature","X-Timestamp"]}`), + }, { name: "authentication session", setup: func(t *testing.T) *httptest.Server { @@ -201,6 +220,9 @@ func TestAuthorizerRemoteAuthorize(t *testing.T) { "User-Agent": {"Fancy Browser 5.1"}, }, } + for name, values := range tt.requestHeaders { + r.Header[name] = values + } if tt.body != "" { r.Body = io.NopCloser(strings.NewReader(tt.body)) } diff --git a/spec/config.schema.json b/spec/config.schema.json index bb2bef34fe..58626369d7 100644 --- a/spec/config.schema.json +++ b/spec/config.schema.json @@ -960,6 +960,16 @@ "type": "string" } }, + "forward_request_headers_to_remote": { + "description": "A list of inbound request headers to forward to the remote authorizer.", + "title": "Allowed Inbound HTTP Headers to Forward to the Remote", + "type": "array", + "items": { + "type": "string" + }, + "uniqueItems": true, + "default": [] + }, "forward_response_headers_to_upstream": { "description": "A list of non simple headers the remote is allowed to return to mutate requests.", "title": "Allowed Remote HTTP Headers for his Responses",