feat: add allowedHeaders

renovatebot · Dec 18, 2023 · 23e79b9 · 23e79b9
1 parent 9e9d5ff
commit 23e79b9
Show file tree

Hide file tree

Showing 7 changed files with 94 additions and 3 deletions.
diff --git a/docs/usage/self-hosted-configuration.md b/docs/usage/self-hosted-configuration.md
@@ -59,6 +59,39 @@ But before you disable templating completely, try the `allowedPostUpgradeCommand
 
 ## allowScripts
 
+## allowedHeaders
+
+List of headers that are allowed to be forwarded to the HTTP request. This is useful when the `registryUrlTemplate` employs a specific authentication system. By default, all headers starting with "X-" are allowed, but you can include additional headers using this option. If declared, it will override the default "X-" allowed headers. `allowedHeaders` is an array of RegExp represented as strings due to JSON serialization
+
+```json
+{
+  "hostRules": [
+    {
+      "matchHost": "https://domain.com/all-versions",
+      "headers": {
+        "X-Auth-Token": "secret"
+      }
+    }
+  ]
+}
+```
+
+or with custom `allowedHeaders`
+
+```json
+{
+  "allowedHeaders": ["^custom-header$"],
+  "hostRules": [
+    {
+      "matchHost": "https://domain.com/all-versions",
+      "headers": {
+        "custom-header": "secret"
+      }
+    }
+  ]
+}
+```
+
 ## allowedPostUpgradeCommands
 
 A list of regular expressions that decide which commands in `postUpgradeTasks` are allowed to run.

diff --git a/lib/config/global.ts b/lib/config/global.ts
@@ -4,6 +4,7 @@ export class GlobalConfig {
   // TODO: once global config work is complete, add a test to make sure this list includes all options with globalOnly=true (#9603)
   private static readonly OPTIONS: (keyof RepoGlobalConfig)[] = [
     'allowCustomCrateRegistries',
+    'allowedHeaders',
     'allowedPostUpgradeCommands',
     'allowPlugins',
     'allowPostUpgradeCommandTemplating',

diff --git a/lib/config/options/index.ts b/lib/config/options/index.ts
@@ -5,6 +5,15 @@ import { getVersioningList } from '../../modules/versioning';
 import type { RenovateOptions } from '../types';
 
 const options: RenovateOptions[] = [
+  {
+    name: 'allowedHeaders',
+    description:
+      'List of headers that are allowed to be forwarded to http request',
+    type: 'array',
+    default: ['^X-'],
+    subType: 'string',
+    globalOnly: true,
+  },
   {
     name: 'detectGlobalManagerConfig',
     description:

diff --git a/lib/config/types.ts b/lib/config/types.ts
@@ -125,6 +125,7 @@ export interface RepoGlobalConfig {
   allowPlugins?: boolean;
   allowPostUpgradeCommandTemplating?: boolean;
   allowScripts?: boolean;
+  allowedHeaders?: (string | RegExp)[];
   allowedPostUpgradeCommands?: string[];
   binarySource?: 'docker' | 'global' | 'install' | 'hermit';
   cacheHardTtlMinutes?: number;
@@ -401,12 +402,15 @@ export interface RenovateOptionBase {
 }
 
 export interface RenovateArrayOption<
-  T extends string | number | Record<string, unknown> = Record<string, unknown>,
+  T extends string | number | RegExp | Record<string, unknown> = Record<
+    string,
+    unknown
+  >,
 > extends RenovateOptionBase {
   default?: T[] | null;
   mergeable?: boolean;
   type: 'array';
-  subType?: 'string' | 'object' | 'number';
+  subType?: 'string' | 'object' | 'number' | 'regex';
   supportedManagers?: string[] | 'all';
   supportedPlatforms?: string[] | 'all';
 }

diff --git a/lib/util/http/host-rules.ts b/lib/util/http/host-rules.ts
@@ -1,4 +1,5 @@
 import is from '@sindresorhus/is';
+import { GlobalConfig } from '../../config/global';
 import {
   BITBUCKET_API_USING_HOST_TYPES,
   GITEA_API_USING_HOST_TYPES,
@@ -9,6 +10,7 @@ import { logger } from '../../logger';
 import { hasProxy } from '../../proxy';
 import type { HostRule } from '../../types';
 import * as hostRules from '../host-rules';
+import keepFields from '../keep-fields';
 import { parseUrl } from '../url';
 import { dnsLookup } from './dns';
 import { keepAliveAgents } from './keep-alive';
@@ -163,9 +165,13 @@ export function applyHostRule<GotOptions extends HostRulesGotOptions>(
   }
 
   if (hostRule.headers) {
+    const allowedHeaders = GlobalConfig.get('allowedHeaders')?.map(
+      (h) => new RegExp(h),
+    );
+
     options.headers = {
       ...options.headers,
-      ...hostRule.headers,
+      ...keepFields(hostRule.headers, allowedHeaders),
     };
   }
 

diff --git a/lib/util/keep-fields.spec.ts b/lib/util/keep-fields.spec.ts
@@ -0,0 +1,20 @@
+import keepField from './keep-fields';
+
+describe('util/keep-fields', () => {
+  const allowedHeader = [/^X-/, 'foo'];
+  const headers = {
+    'X-Auth-Token': 'token',
+    test: 'test',
+    foo: 'bar',
+    someheader: 'value',
+  };
+
+  it('works', () => {
+    const result = keepField(headers, allowedHeader);
+
+    expect(result).toStrictEqual({
+      'X-Auth-Token': 'token',
+      foo: 'bar',
+    });
+  });
+});
diff --git a/lib/util/keep-fields.ts b/lib/util/keep-fields.ts
@@ -0,0 +1,18 @@
+export default function keepFields(
+  obj: Record<string, any>,
+  fieldsToKeep?: (string | RegExp)[],
+): Record<string, any> {
+  if (fieldsToKeep === undefined) {
+    return {};
+  }
+  return Object.fromEntries(
+    Object.entries(obj).filter(([key]) => {
+      return fieldsToKeep.some((field) => {
+        if (field instanceof RegExp) {
+          return field.test(key);
+        }
+        return key === field;
+      });
+    }),
+  );
+}