Skip to content
This repository has been archived by the owner on Jul 12, 2023. It is now read-only.

Lenient header matching #1091

Merged
merged 3 commits into from
Jun 29, 2023
Merged

Lenient header matching #1091

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
6478545
Matching headers as substring
honnix Jun 28, 2023
51e6b77
Use List factory method
honnix Jun 28, 2023
836a2b7
Positive path
honnix Jun 28, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 7 additions & 5 deletions styx-service-common/src/main/java/com/spotify/styx/api/Middlewares.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,6 @@
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.common.base.CharMatcher;
import com.google.common.base.Throwables;
import com.google.common.collect.ImmutableSet;
import com.google.common.net.HttpHeaders;
import com.spotify.apollo.Request;
import com.spotify.apollo.RequestContext;
Expand All @@ -45,6 +44,7 @@
import io.opencensus.trace.Span;
import io.opencensus.trace.Tracer;
import java.net.URI;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
Expand All @@ -68,8 +68,8 @@ public final class Middlewares {

private static final Logger LOG = LoggerFactory.getLogger(Middlewares.class);

private static final Set<String> BLACKLISTED_HEADERS =
ImmutableSet.of(HttpHeaders.AUTHORIZATION.toLowerCase(Locale.ROOT));
private static final List<String> BLACKLISTED_HEADERS =
List.of(HttpHeaders.AUTHORIZATION.toLowerCase(Locale.ROOT), "service-identity");

private static final String REQUEST_ID = "request-id";
private static final String X_STYX_REQUEST_ID = "X-Styx-Request-Id";
Expand Down Expand Up @@ -271,8 +271,10 @@ private static AuthContext auth(RequestContext requestContext,
private static Map<String, String> hideSensitiveHeaders(Map<String, String> headers) {
return headers.entrySet().stream()
.collect(Collectors.toMap(Map.Entry::getKey,
entry -> BLACKLISTED_HEADERS.contains(entry.getKey().toLowerCase(Locale.ROOT)) ? "<hidden>"
: entry.getValue()));
entry -> BLACKLISTED_HEADERS.stream()
.anyMatch(header -> entry.getKey().toLowerCase(Locale.ROOT).contains(header))
? "<hidden>"
: entry.getValue()));
}

public static <T> Middleware<AsyncHandler<Response<T>>, AsyncHandler<Response<T>>> authenticator(
Expand Down
6 changes: 4 additions & 2 deletions styx-service-common/src/test/java/com/spotify/styx/api/MiddlewaresTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -538,7 +538,9 @@ public void testHttpLoggerHidesAuthHeader() throws Exception {
RequestContext requestContext = mock(RequestContext.class);
Request request = Request.forUri("/", "PUT")
.withPayload(ByteString.encodeUtf8("hello"))
.withHeader(HttpHeaders.AUTHORIZATION, "Bearer s3cr3tp455w0rd");
.withHeader(HttpHeaders.AUTHORIZATION, "Bearer s3cr3tp455w0rd")
.withHeader("foo-service-identity", "Bearer s3cr3tp455w0rd")
.withHeader("foo-bar", "foo-bar");
when(requestContext.request()).thenReturn(request);

String email = "[email protected]";
Expand All @@ -556,7 +558,7 @@ public void testHttpLoggerHidesAuthHeader() throws Exception {
request.method(),
request.uri(),
email,
Map.of(HttpHeaders.AUTHORIZATION, "<hidden>"),
Map.of(HttpHeaders.AUTHORIZATION, "<hidden>", "foo-service-identity", "<hidden>", "foo-bar", "foo-bar"),
Map.of(),
request.payload().orElseThrow().utf8());
}
Expand Down