diff --git a/README.md b/README.md index 2714b04..dcfcd02 100644 --- a/README.md +++ b/README.md @@ -97,7 +97,7 @@ An example configuration file can be found in `example-config.yaml`. A breakdown - `token_auth_header`: The name of the HTTP header that should contain the token (e.g., `Authorization`). - `token_auth_header_prefix`: The prefix that should be present before the token in the HTTP header (e.g., `"Basic "`). - `token_auth_is_base64_encoded`: Boolean value indicating whether the token is Base64 encoded (`true` or `false`). - - `request_header_map_file`: This parameter specifies the location of the external JSON file containing the header definitions for per-user request header mapping (e.g., `request_header_map.json`). + - `request_header_map_file`: This parameter specifies the location of the external JSON file containing the header definitions for per-user and per-group request header mapping (e.g., `request_header_map.json`). - `request_header_map_headers`: This is a list of the names of the HTTP headers that should be set for the requests for per-user request header mapping - `tls_client_cert_file`: Path to the client certificate file that should be used for upstream authentication (mTLS) - `tls_client_key_file`: Path to the client certificate key that should be used for upstream authentication (mTLS) @@ -146,7 +146,7 @@ The JSON file specified in `request_header_map_file` should contain an object fo ```json { - "ENTER_USER_ID_HERE": { + "ENTER_USER_ID_OR_GROUP_ID_HERE": { "Authorization": "test", "X-test-Header": "another test" } @@ -155,8 +155,8 @@ The JSON file specified in `request_header_map_file` should contain an object fo In this object: -- `"ENTER_USER_ID_HERE"` should be replaced with the ID of the user for whom you're setting the headers. -- The key-value pairs inside the user's object correspond to the headers you wish to set, with the header name as the key and the header value as the value. +- `"ENTER_USER_ID_OR_GROUP_ID_HERE"` should be replaced with the ID of the user or group for whom you're setting the headers. +- The key-value pairs inside the user or group object correspond to the headers you wish to set, with the header name as the key and the header value as the value. Upon configuration, Veriflow will automatically add the requested headers to each upstream request based on the user that accesses the service. This allows for personalized and context-specific request handling. Please remember to keep your JSON file and the policy configuration secure due to the sensitive nature of header information. diff --git a/lib/authz.js b/lib/authz.js index f64691c..f2afd89 100644 --- a/lib/authz.js +++ b/lib/authz.js @@ -118,7 +118,7 @@ async function addRequestedHeaders(req, res, route, user, discoveredGroups) { } } if (route.request_header_map_headers && route.request_header_map_file) { - var requestHeaderMap = await getRequestHeaderMapConfig(user.id, route) + var requestHeaderMap = await getRequestHeaderMapConfig(user, route) if (requestHeaderMap) { for (var header of route.request_header_map_headers) { if (requestHeaderMap[header]) { @@ -129,20 +129,34 @@ async function addRequestedHeaders(req, res, route, user, discoveredGroups) { } } -async function getRequestHeaderMapConfig(userId, route) { +async function getRequestHeaderMapConfig(user, route) { + var userId = user.id + var userGroups = user.groups var requestHeaderMap = requestHeaderMapCache.get(`${userId}-${route}`) if (requestHeaderMap) { log.trace("Returning requestHeaderMap from cache") return requestHeaderMap } else { + var result = {} try { log.debug("Cache miss, returning requestHeaderMap from file " + route.request_header_map_file) var requestHeaderMap = JSON.parse(await fs.readFile(route.request_header_map_file)) + for (var group of userGroups) { + if (requestHeaderMap[group]) { + result = { + ...result, + ...requestHeaderMap[group], + } + } + } if (requestHeaderMap[userId]) { - requestHeaderMapCache.put(`${userId}-${route}`, requestHeaderMap[userId]) - return requestHeaderMap[userId] + result = { + ...result, + ...requestHeaderMap[userId], + } } - return null + requestHeaderMapCache.put(`${userId}-${route}`, result) + return result } catch (error) { log.error({ message: "Unable to get config for requestHeaderMap", context: { error: error.message, stack: error.stack, route: route } }) return null diff --git a/test/e2e/configs/header-mapping-test.json b/test/e2e/configs/header-mapping-test.json index 375db14..9e75447 100644 --- a/test/e2e/configs/header-mapping-test.json +++ b/test/e2e/configs/header-mapping-test.json @@ -2,5 +2,11 @@ "test@veriflow.dev": { "Authorization": "ThisIsATestHeaderFromTheHeaderMapping", "X-test-Header": "another test" + }, + "test-header-group": { + "TestHeaderFromGroup": "TestHeaderFromGroup" + }, + "test-header-group-absent": { + "TestAbsentHeaderFromGroup": "TestAbsentHeaderFromGroup" } } \ No newline at end of file diff --git a/test/e2e/configs/idp_output.json b/test/e2e/configs/idp_output.json index b3344a0..0ba37b6 100644 --- a/test/e2e/configs/idp_output.json +++ b/test/e2e/configs/idp_output.json @@ -7,7 +7,8 @@ "userPrincipalName": "test@veriflow.dev", "id": "test@veriflow.dev", "groups": [ - "All Users" + "All Users", + "test-header-group" ] } } \ No newline at end of file diff --git a/test/e2e/configs/veriflow.yaml b/test/e2e/configs/veriflow.yaml index c5b665e..0524519 100644 --- a/test/e2e/configs/veriflow.yaml +++ b/test/e2e/configs/veriflow.yaml @@ -68,6 +68,7 @@ policy: request_header_map_file: "/configs/header-mapping-test.json" request_header_map_headers: - Authorization + - TestHeaderFromGroup allowed_groups: - All Users diff --git a/test/e2e/tests/basic_test.js b/test/e2e/tests/basic_test.js index b5af006..8d51116 100644 --- a/test/e2e/tests/basic_test.js +++ b/test/e2e/tests/basic_test.js @@ -36,6 +36,8 @@ Scenario('Testing Header Mapping', async ({ I }) => { I.amOnPage('http://test-header-mapping.localtest.me:2080/'); I.login(); I.see("ThisIsATestHeaderFromTheHeaderMapping") + I.see("TestHeaderFromGroup") + I.dontSee("TestAbsentHeaderFromGroup") }); Scenario('Testing Token Auth', async ({ I }) => {