Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add app access headers rewrite #6601

Merged
merged 1 commit into from
May 6, 2021
Merged

Add app access headers rewrite #6601

merged 1 commit into from
May 6, 2021

Conversation

r0mant
Copy link
Collaborator

@r0mant r0mant commented Apr 26, 2021

This PR adds headers passthrough to applications behind app access. Users can configure headers that will be passed to applications, for example:

app_service:
  enabled: "yes"
  apps:
  - name: "dumper"
    description: "Header dumper"
    uri: http://localhost:4321
    public_addr: dumper-root.gravitational.io
    rewrite:
      headers:
      - "X-Teleport-Cluster: root"
      - "X-Teleport-Logins: {{internal.logins}}"
      - "X-Custom-Trait-Env: {{external.env}}"

This PR builds on #6540 which implements external traits passthrough to leaf clusters which is needed to be able to use {{external.xxx}} variables in leaf clusters like shown in the example above.

Fixes #4762. Needs backport to v6.

@r0mant r0mant self-assigned this Apr 26, 2021
@r0mant
Copy link
Collaborator Author

r0mant commented Apr 27, 2021

@awly @andrejtokarcik Could you folks take a look please?

@r0mant r0mant force-pushed the roman/traits branch 2 times, most recently from 8164ca7 to 71589ef Compare April 28, 2021 15:26
awly
awly reviewed Apr 28, 2021
View reviewed changes
lib/config/fileconf.go
Comment on lines +802 to +803
// Headers is a list of extra headers to inject in the request.
Headers []string `yaml:"headers,omitempty"`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

how about making this a map, so you don't have to do any parsing?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought about the same during implementation but decided to keep it as a list for a couple of reasons:

  • If it was a map, scenario with adding multiple same headers would be kinda awkward.
  • This was the UX requested in the original ticket.

Shouldn't be a big deal, the parsing is pretty trivial.

lib/srv/app/transport.go Outdated
Comment on lines 189 to 198
logrus.Warnf("Failed to apply traits to %q: %v.", header.Value, err)
continue
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why not treat this as an error?

Copy link
Collaborator Author

@r0mant r0mant May 4, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this should be an error - the most common scenario this would fail is if there's no such trait which I imagine would be quite common so we probably don't want to make this a hard failure. We treat missing trait same way elsewhere as well, just log it.

lib/srv/app/transport.go Outdated Show resolved Hide resolved
integration/app_integration_test.go Show resolved Hide resolved
Base automatically changed from roman/traits to master April 29, 2021 16:39
andrejtokarcik
andrejtokarcik reviewed Apr 29, 2021
View reviewed changes
lib/service/cfg.go Outdated Show resolved Hide resolved
lib/config/configuration.go Show resolved Hide resolved
@r0mant r0mant requested review from andrejtokarcik and awly May 4, 2021 18:50
awly
awly approved these changes May 4, 2021
View reviewed changes
Copy link
Contributor

@awly awly left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: change PR title from passthrough to rewrite

@r0mant r0mant changed the title Add app access headers passthrough Add app access headers rewrite May 5, 2021
andrejtokarcik
andrejtokarcik approved these changes May 6, 2021
View reviewed changes
lib/srv/app/transport.go
func (t *transport) rewriteHeaders(r *http.Request) {
for _, header := range t.c.rewrite.Headers {
if IsReservedHeader(header.Name) {
t.c.log.Debugf("Not rewriting Teleport header %q.", header.Name)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could be even a warning?

@r0mant r0mant enabled auto-merge (squash) May 6, 2021 18:11
russjones
russjones approved these changes May 6, 2021
View reviewed changes
Copy link
Contributor

@russjones russjones left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bot.

@r0mant r0mant merged commit db6fb57 into master May 6, 2021
@r0mant r0mant deleted the roman/headers branch May 6, 2021 18:24
r0mant added a commit that referenced this pull request May 6, 2021
@r0mant
Add app access headers rewrite (#6601)
3a52835
@r0mant r0mant mentioned this pull request May 6, 2021
Merged
@benarent benarent mentioned this pull request Oct 1, 2021
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@russjones russjones russjones approved these changes

@awly awly awly approved these changes

@andrejtokarcik andrejtokarcik andrejtokarcik approved these changes

@klizhentas klizhentas Awaiting requested review from klizhentas

Assignees

@r0mant r0mant

Labels
application-access backport-required
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add support for pass through headers for application access
4 participants
@r0mant @andrejtokarcik @awly @russjones