config: add support for $pomerium.id_token and $pomerium.access_token in set_request_headers (#4219)

* config: add support for $pomerium.id_token and $pomerium.access_token in set_request_headers * lint * Update authorize/evaluator/headers_evaluator_test.go Co-authored-by: Denis Mishin <dmishin@pomerium.com> * fix spelling --------- Co-authored-by: Denis Mishin <dmishin@pomerium.com>
2025-05-20 04:27:19 +02:00 · 2023-06-01 16:00:02 -06:00 · 2023-06-01 16:00:02 -06:00 · 5be322e2ef
commit 5be322e2ef
parent eb1d6841a0
6 changed files with 104 additions and 77 deletions
--- a/authorize/evaluator/headers_evaluator_test.go
+++ b/authorize/evaluator/headers_evaluator_test.go
@ -139,4 +139,52 @@ func TestHeadersEvaluator(t *testing.T) {

 		assert.Equal(t, "Bearer ID_TOKEN", output.Headers.Get("Authorization"))
 	})
+
+	t.Run("set_request_headers", func(t *testing.T) {
+		output, err := eval(t,
+			[]proto.Message{
+				&session.Session{Id: "s1", IdToken: &session.IDToken{
+					Raw: "ID_TOKEN",
+				}, OauthToken: &session.OAuthToken{
+					AccessToken: "ACCESS_TOKEN",
+				}},
+			},
+			&HeadersRequest{
+				Issuer:     "from.example.com",
+				ToAudience: "to.example.com",
+				Session:    RequestSession{ID: "s1"},
+				SetRequestHeaders: map[string]string{
+					"X-Custom-Header": "CUSTOM_VALUE",
+					"X-ID-Token":      "$pomerium.id_token",
+					"X-Access-Token":  "$pomerium.access_token",
+				},
+			})
+		require.NoError(t, err)
+
+		assert.Equal(t, "CUSTOM_VALUE", output.Headers.Get("X-Custom-Header"))
+		assert.Equal(t, "ID_TOKEN", output.Headers.Get("X-ID-Token"))
+		assert.Equal(t, "ACCESS_TOKEN", output.Headers.Get("X-Access-Token"))
+	})
+
+	t.Run("set_request_headers original behavior", func(t *testing.T) {
+		output, err := eval(t,
+			[]proto.Message{
+				&session.Session{Id: "s1", IdToken: &session.IDToken{
+					Raw: "ID_TOKEN",
+				}, OauthToken: &session.OAuthToken{
+					AccessToken: "ACCESS_TOKEN",
+				}},
+			},
+			&HeadersRequest{
+				Issuer:     "from.example.com",
+				ToAudience: "to.example.com",
+				Session:    RequestSession{ID: "s1"},
+				SetRequestHeaders: map[string]string{
+					"Authorization": "Bearer $pomerium.id_token",
+				},
+			})
+		require.NoError(t, err)
+
+		assert.Equal(t, "Bearer ID_TOKEN", output.Headers.Get("Authorization"))
+	})
 }