ory · aeneasr · Jun 23, 2022 · Apr 11, 2022 · May 9, 2022 · May 9, 2022
@@ -445,6 +445,14 @@
             "POST"
           ]
         },
+        "proxy_headers": {
+          "title": "Set Proxy HTTP Headers",
+          "type": "array",
+          "description": "Set HTTP Headers allowed to proxy to upstream.",
+          "additionalProperties": {
+            "type": "string"
+          }
+        },
         "additional_headers": {
           "title": "Set Additional HTTP Headers",
           "type": "object",
@@ -552,6 +560,14 @@
             "POST"
           ]
         },
+        "proxy_headers": {
+          "title": "Set Proxy HTTP Headers",
+          "type": "array",
+          "description": "Set HTTP Headers allowed to proxy to upstream.",
+          "additionalProperties": {
+            "type": "string"
+          }
+        },
         "additional_headers": {
           "title": "Set Additional HTTP Headers",
           "type": "object",

@@ -52,6 +52,15 @@ type MatchContext struct {
 	Method              string      `json:"method"`
 	Header              http.Header `json:"header"`
 }
+type AuthenticatorForwardConfig struct {
+	CheckSessionURL string
+	PreserveQuery   bool
+	PreservePath    bool
+	PreserveHost    bool
+	ProxyHeadersMap map[string]string
+	SetHeaders      map[string]string
+	ForceMethod     string
+}
 
 func (a *AuthenticationSession) SetHeader(key, val string) {
 	if a.Header == nil {

@@ -31,8 +31,22 @@ type AuthenticatorBearerTokenConfiguration struct {
 	PreserveHost        bool                        `json:"preserve_host"`
 	ExtraFrom           string                      `json:"extra_from"`
 	SubjectFrom         string                      `json:"subject_from"`
+	ProxyHeaders        []string                    `json:"proxy_headers"`
 	SetHeaders          map[string]string           `json:"additional_headers"`
 	ForceMethod         string                      `json:"force_method"`
+	ProxyHeadersMap     map[string]string           `json:"-"`
+}
+
+func (a *AuthenticatorBearerTokenConfiguration) ToAuthenticatorForwardConfig() *AuthenticatorForwardConfig {
+	return &AuthenticatorForwardConfig{
+		CheckSessionURL: a.CheckSessionURL,
+		PreserveQuery:   a.PreserveQuery,
+		PreservePath:    a.PreservePath,
+		PreserveHost:    a.PreserveHost,
+		ProxyHeadersMap: a.ProxyHeadersMap,
+		SetHeaders:      a.SetHeaders,
+		ForceMethod:     a.ForceMethod,
+	}
 }
 
 type AuthenticatorBearerToken struct {
@@ -71,6 +85,13 @@ func (a *AuthenticatorBearerToken) Config(config json.RawMessage) (*Authenticato
 	if len(c.SubjectFrom) == 0 {
 		c.SubjectFrom = "sub"
 	}
+	if len(c.ProxyHeaders) == 0 {
+		c.ProxyHeaders = []string{"Authorization", "Cookie"}
+	}
+
+	for _, h := range c.ProxyHeaders {
+		c.ProxyHeadersMap[h] = h
+	}
 
 	return &c, nil
 }
@@ -86,7 +107,7 @@ func (a *AuthenticatorBearerToken) Authenticate(r *http.Request, session *Authen
 		return errors.WithStack(ErrAuthenticatorNotResponsible)
 	}
 
-	body, err := forwardRequestToSessionStore(r, cf.CheckSessionURL, cf.PreserveQuery, cf.PreservePath, cf.PreserveHost, cf.SetHeaders, cf.ForceMethod)
+	body, err := forwardRequestToSessionStore(r, cf.ToAuthenticatorForwardConfig())
 	if err != nil {
 		return err
 	}

@@ -96,7 +96,7 @@ func TestAuthenticatorBearerToken(t *testing.T) {
 					w.WriteHeader(200)
 					w.Write([]byte(`{"sub": "123"}`))
 				},
-				config:    []byte(`{"preserve_query": true}`),
+				config:    []byte(`{"preserve_query": true, "proxy_headers": ["Authorization"]}`),
 				expectErr: false,
 				expectSess: &AuthenticationSession{
 					Subject: "123",
@@ -113,7 +113,7 @@ func TestAuthenticatorBearerToken(t *testing.T) {
 					w.WriteHeader(200)
 					w.Write([]byte(`{"sub": "123"}`))
 				},
-				config:    []byte(`{"preserve_path": true, "preserve_query": false}`),
+				config:    []byte(`{"preserve_path": true, "preserve_query": false, "proxy_headers": ["Authorization"]}`),
 				expectErr: false,
 				expectSess: &AuthenticationSession{
 					Subject: "123",
@@ -128,7 +128,7 @@ func TestAuthenticatorBearerToken(t *testing.T) {
 					w.WriteHeader(200)
 					w.Write([]byte(`{"sub": "123"}`))
 				},
-				config:    []byte(`{"preserve_path": true, "force_method": "GET"}`),
+				config:    []byte(`{"preserve_path": true, "force_method": "GET", "proxy_headers": ["Authorization"]}`),
 				expectErr: false,
 				expectSess: &AuthenticationSession{
 					Subject: "123",
@@ -145,7 +145,7 @@ func TestAuthenticatorBearerToken(t *testing.T) {
 					w.WriteHeader(200)
 					w.Write([]byte(`{"sub": "123"}`))
 				},
-				config:    []byte(`{"preserve_path": false, "preserve_query": true}`),
+				config:    []byte(`{"preserve_path": false, "preserve_query": true, "proxy_headers": ["Authorization"]}`),
 				expectErr: false,
 				expectSess: &AuthenticationSession{
 					Subject: "123",
@@ -160,7 +160,7 @@ func TestAuthenticatorBearerToken(t *testing.T) {
 					w.WriteHeader(200)
 					w.Write([]byte(`{"sub": "123"}`))
 				},
-				config:    []byte(`{"preserve_path": true, "preserve_query": true, "check_session_url": "http://origin-replaced-in-test/configured/path?q=configured-query"}`),
+				config:    []byte(`{"preserve_path": true, "preserve_query": true, "check_session_url": "http://origin-replaced-in-test/configured/path?q=configured-query", "proxy_headers": ["Authorization", "X-Forwared-Host"]}`),
 				expectErr: false,
 				expectSess: &AuthenticationSession{
 					Subject: "123",
@@ -176,7 +176,7 @@ func TestAuthenticatorBearerToken(t *testing.T) {
 					w.WriteHeader(200)
 					w.Write([]byte(`{"sub": "123"}`))
 				},
-				config:    []byte(`{"preserve_host": true}`),
+				config:    []byte(`{"preserve_host": true, "proxy_headers": ["Authorization"]}`),
 				expectErr: false,
 				expectSess: &AuthenticationSession{
 					Subject: "123",
@@ -193,7 +193,7 @@ func TestAuthenticatorBearerToken(t *testing.T) {
 					w.WriteHeader(200)
 					w.Write([]byte(`{"sub": "123"}`))
 				},
-				config:    []byte(`{"preserve_host": true, "additional_headers": {"X-Foo": "bar","X-Forwarded-For": "not-some-host"}}`),
+				config:    []byte(`{"preserve_host": true, "additional_headers": {"X-Foo": "bar","X-Forwarded-For": "not-some-host"}, "proxy_headers":["Authorization"]}`),
 				expectErr: false,
 				expectSess: &AuthenticationSession{
 					Subject: "123",

@@ -35,8 +35,10 @@ type AuthenticatorCookieSessionConfiguration struct {
 	ExtraFrom       string            `json:"extra_from"`
 	SubjectFrom     string            `json:"subject_from"`
 	PreserveHost    bool              `json:"preserve_host"`
+	ProxyHeaders    []string          `json:"proxy_headers"`
 	SetHeaders      map[string]string `json:"additional_headers"`
 	ForceMethod     string            `json:"force_method"`
+	ProxyHeadersMap map[string]string `json:"-"`
 }
 
 type AuthenticatorCookieSession struct {
@@ -49,6 +51,17 @@ func NewAuthenticatorCookieSession(c configuration.Provider) *AuthenticatorCooki
 	}
 }
 
+func (a *AuthenticatorCookieSessionConfiguration) ToAuthenticatorForwardConfig() *AuthenticatorForwardConfig {
+	return &AuthenticatorForwardConfig{
+		CheckSessionURL: a.CheckSessionURL,
+		PreserveQuery:   a.PreserveQuery,
+		PreservePath:    a.PreservePath,
+		PreserveHost:    a.PreserveHost,
+		ProxyHeadersMap: a.ProxyHeadersMap,
+		SetHeaders:      a.SetHeaders,
+		ForceMethod:     a.ForceMethod,
+	}
+}
 func (a *AuthenticatorCookieSession) GetID() string {
 	return "cookie_session"
 }
@@ -75,6 +88,12 @@ func (a *AuthenticatorCookieSession) Config(config json.RawMessage) (*Authentica
 	if len(c.SubjectFrom) == 0 {
 		c.SubjectFrom = "subject"
 	}
+	if len(c.ProxyHeaders) == 0 {
+		c.ProxyHeaders = []string{"Authorization", "Cookie"}
+	}
+	for _, h := range c.ProxyHeaders {
+		c.ProxyHeadersMap[h] = h
+	}
 
 	return &c, nil
 }
@@ -89,7 +108,7 @@ func (a *AuthenticatorCookieSession) Authenticate(r *http.Request, session *Auth
 		return errors.WithStack(ErrAuthenticatorNotResponsible)
 	}
 
-	body, err := forwardRequestToSessionStore(r, cf.CheckSessionURL, cf.PreserveQuery, cf.PreservePath, cf.PreserveHost, cf.SetHeaders, cf.ForceMethod)
+	body, err := forwardRequestToSessionStore(r, cf.ToAuthenticatorForwardConfig())
 	if err != nil {
 		return err
 	}
@@ -129,40 +148,42 @@ func cookieSessionResponsible(r *http.Request, only []string) bool {
 	return false
 }
 
-func forwardRequestToSessionStore(r *http.Request, checkSessionURL string, preserveQuery bool, preservePath bool, preserveHost bool, setHeaders map[string]string, m string) (json.RawMessage, error) {
-	reqUrl, err := url.Parse(checkSessionURL)
+func forwardRequestToSessionStore(r *http.Request, cf *AuthenticatorForwardConfig) (json.RawMessage, error) {
+	reqUrl, err := url.Parse(cf.CheckSessionURL)
 	if err != nil {
 		return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("Unable to parse session check URL: %s", err))
 	}
 
-	if !preservePath {
+	if !cf.PreservePath {
 		reqUrl.Path = r.URL.Path
 	}
 
-	if !preserveQuery {
+	if !cf.PreserveQuery {
 		reqUrl.RawQuery = r.URL.RawQuery
 	}
 
-	if m == "" {
-		m = r.Method
+	if cf.ForceMethod == "" {
+		cf.ForceMethod = r.Method
 	}
 
 	req := http.Request{
-		Method: m,
+		Method: cf.ForceMethod,
 		URL:    reqUrl,
 		Header: http.Header{},
 	}
 
-	// We need to make a COPY of the header, not modify r.Header!
+	// We need to copy only essential and configurable headers
 	for k, v := range r.Header {
-		req.Header[k] = v
+		if _, ok := cf.ProxyHeadersMap[k]; ok {
+			req.Header[k] = v
+		}
 	}
 
-	for k, v := range setHeaders {
+	for k, v := range cf.SetHeaders {
 		req.Header.Set(k, v)
 	}
 
-	if preserveHost {
+	if cf.PreserveHost {
 		req.Header.Set("X-Forwarded-Host", r.Host)
 	}
 
@@ -171,6 +192,8 @@ func forwardRequestToSessionStore(r *http.Request, checkSessionURL string, prese
 		return nil, helper.ErrForbidden.WithReason(err.Error()).WithTrace(err)
 	}
 
+	defer res.Body.Close()
+
 	if res.StatusCode == 200 {
 		body, err := ioutil.ReadAll(res.Body)
 		if err != nil {

@@ -2,6 +2,7 @@ package authn_test
 
 import (
 	"bytes"
+	"compress/gzip"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -246,6 +247,31 @@ func TestAuthenticatorCookieSession(t *testing.T) {
 				Extra:   map[string]interface{}{"session": map[string]interface{}{"foo": "bar"}, "identity": map[string]interface{}{"id": "123"}},
 			}, session)
 		})
+		t.Run("description=should handle gzip requests", func(t *testing.T) {
+			responseBody := `{"identity": {"id": "123"}, "session": {"foo": "bar"}}`
+			requestRecorder := &RequestRecorder{}
+			testServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				requestRecorder.requests = append(requestRecorder.requests, r)
+				requestBody, _ := ioutil.ReadAll(r.Body)
+				requestRecorder.bodies = append(requestRecorder.bodies, requestBody)
+				w.Header().Set("Content-Encoding", "gzip")
+				w.WriteHeader(http.StatusOK)
+				gz := gzip.NewWriter(w)
+				gz.Write([]byte(responseBody))
+				gz.Close()
+			}))
+			err := pipelineAuthenticator.Authenticate(
+				makeRequest("GET", "/", "", map[string]string{"sessionid": "zyx"}, ""),
+				session,
+				json.RawMessage(fmt.Sprintf(`{"check_session_url": "%s", "subject_from": "identity.id", "extra_from": "@this"}`, testServer.URL)),
+				nil,
+			)
+			require.NoError(t, err, "%#v", errors.Cause(err))
+			assert.Equal(t, &AuthenticationSession{
+				Subject: "123",
+				Extra:   map[string]interface{}{"session": map[string]interface{}{"foo": "bar"}, "identity": map[string]interface{}{"id": "123"}},
+			}, session)
+		})
 	})
 }