envoy: always set jwt claim headers even if no value is available (#2261)

* envoy: always set jwt claim headers even if no value is available * add test
2025-04-29 18:36:30 +02:00 · 2021-06-04 11:01:00 -06:00 · 2021-06-04 11:01:00 -06:00 · 2156dbc553
commit 2156dbc553
parent 699f3f461f
3 changed files with 69 additions and 14 deletions
--- a/authorize/evaluator/opa/policy/headers.rego
+++ b/authorize/evaluator/opa/policy/headers.rego
@ -203,18 +203,16 @@ google_cloud_serverless_headers = h {

 identity_headers := {key: values |
 	h1 := [["x-pomerium-jwt-assertion", signed_jwt]]
-	h2 := [[k, v] |
-		[claim_key, claim_value] := jwt_claims[_]
-		claim_value != null
-
-		# only include those headers requested by the user
+	h2 := [[header_name, header_value] |
 		some header_name
-		available := data.jwt_claim_headers[header_name]
-		available == claim_key
-
-		# create the header key and value
-		k := header_name
-		v := get_header_string_value(claim_value)
+		k := data.jwt_claim_headers[header_name]
+		header_value := array.concat(
+			[cv |
+				[ck, cv] := jwt_claims[_]
+				ck == k
+			],
+			[""]
+		)[0]
 	]

 	h3 := kubernetes_headers
--- a/config/envoyconfig/routes.go
+++ b/config/envoyconfig/routes.go
@ -478,9 +478,11 @@ func mkRouteMatch(policy *config.Policy) *envoy_config_route_v3.RouteMatch {
 func getRequestHeadersToRemove(options *config.Options, policy *config.Policy) []string {
 	requestHeadersToRemove := policy.RemoveRequestHeaders
 	if !policy.PassIdentityHeaders {
-		requestHeadersToRemove = append(requestHeadersToRemove, httputil.HeaderPomeriumJWTAssertion, httputil.HeaderPomeriumJWTAssertionFor)
-		for _, claim := range options.JWTClaimsHeaders {
-			requestHeadersToRemove = append(requestHeadersToRemove, httputil.PomeriumJWTHeaderName(claim))
+		requestHeadersToRemove = append(requestHeadersToRemove,
+			httputil.HeaderPomeriumJWTAssertion,
+			httputil.HeaderPomeriumJWTAssertionFor)
+		for headerName := range options.JWTClaimsHeaders {
+			requestHeadersToRemove = append(requestHeadersToRemove, headerName)
 		}
 	}
 	// remove these headers to prevent a user from re-proxying requests through the control plane
--- a/config/envoyconfig/routes_test.go
+++ b/config/envoyconfig/routes_test.go
@ -672,6 +672,61 @@ func Test_buildPolicyRoutes(t *testing.T) {
 		]
 	`, routes)
 	})
+
+	t.Run("remove-pomerium-headers", func(t *testing.T) {
+		routes, err := b.buildPolicyRoutes(&config.Options{
+			AuthenticateURLString:  "https://authenticate.example.com",
+			Services:               "proxy",
+			CookieName:             "pomerium",
+			DefaultUpstreamTimeout: time.Second * 3,
+			JWTClaimsHeaders: map[string]string{
+				"x-email": "email",
+			},
+			Policies: []config.Policy{
+				{
+					Source: &config.StringURL{URL: mustParseURL(t, "https://from.example.com")},
+				},
+			},
+		}, "from.example.com")
+		require.NoError(t, err)
+
+		testutil.AssertProtoJSONEqual(t, `
+			[
+				{
+					"name": "policy-0",
+					"match": {
+						"prefix": "/"
+					},
+					"metadata": {
+						"filterMetadata": {
+							"envoy.filters.http.lua": {
+								"remove_impersonate_headers": false,
+								"remove_pomerium_authorization": true,
+								"remove_pomerium_cookie": "pomerium",
+								"rewrite_response_headers": []
+							}
+						}
+					},
+					"route": {
+						"autoHostRewrite": true,
+						"cluster": "policy-12",
+						"timeout": "3s",
+						"upgradeConfigs": [
+							{ "enabled": false, "upgradeType": "websocket"},
+							{ "enabled": false, "upgradeType": "spdy/3.1"}
+						]
+					},
+					"requestHeadersToRemove": [
+						"x-pomerium-jwt-assertion",
+						"x-pomerium-jwt-assertion-for",
+						"x-email",
+						"x-pomerium-reproxy-policy",
+						"x-pomerium-reproxy-policy-hmac"
+					]
+				}
+			]
+		`, routes)
+	})
 }

 func Test_buildPolicyRoutesRewrite(t *testing.T) {