Pass X-Openrun-User and X-Openrun-Perm headers in proxy

Author: akclace

internal/app/app.go

@@ -87,8 +87,9 @@ type App struct {
 	lastRequestTime atomic.Int64
 	secretEvalFunc  func([][]string, string, string) (string, error)
 	auditInsert     func(*types.AuditEvent) error
-	AppRunPath      string               // path to the app run directory
-	authorizer      types.AuthorizerFunc // the authorizer function to use, can be null
+	AppRunPath      string                // path to the app run directory
+	authorizer      types.AuthorizerFunc  // the authorizer function to use, can be null
+	customPermsFunc types.CustomPermsFunc // the custom permissions function to use, can be null
 }
 
 type starlarkCacheEntry struct {
@@ -105,19 +106,21 @@ func NewApp(sourceFS *appfs.SourceFs, workFS *appfs.WorkFs, logger *types.Logger
 	appEntry *types.AppEntry, systemConfig *types.SystemConfig,
 	plugins map[string]types.PluginSettings, appConfig types.AppConfig, notifyClose chan<- types.AppPathDomain,
 	secretEvalFunc func([][]string, string, string) (string, error),
-	auditInsert func(*types.AuditEvent) error, serverConfig *types.ServerConfig, authorizer types.AuthorizerFunc) (*App, error) {
+	auditInsert func(*types.AuditEvent) error, serverConfig *types.ServerConfig,
+	authorizer types.AuthorizerFunc, customPermsFunc types.CustomPermsFunc) (*App, error) {
 	newApp := &App{
-		sourceFS:       sourceFS,
-		Logger:         logger,
-		AppEntry:       appEntry,
-		systemConfig:   systemConfig,
-		starlarkCache:  map[string]*starlarkCacheEntry{},
-		notifyClose:    notifyClose,
-		secretEvalFunc: secretEvalFunc,
-		appStyle:       &dev.AppStyle{},
-		auditInsert:    auditInsert,
-		serverConfig:   serverConfig,
-		authorizer:     authorizer,
+		sourceFS:        sourceFS,
+		Logger:          logger,
+		AppEntry:        appEntry,
+		systemConfig:    systemConfig,
+		starlarkCache:   map[string]*starlarkCacheEntry{},
+		notifyClose:     notifyClose,
+		secretEvalFunc:  secretEvalFunc,
+		appStyle:        &dev.AppStyle{},
+		auditInsert:     auditInsert,
+		serverConfig:    serverConfig,
+		authorizer:      authorizer,
+		customPermsFunc: customPermsFunc,
 	}
 	newApp.plugins = NewAppPlugins(newApp, plugins, appEntry.Metadata.Accounts)
 	newApp.AppConfig = appConfig

internal/app/setup.go

@@ -853,6 +853,29 @@ func (a *App) addProxyConfig(count int, router *chi.Mux, proxyDef *starlarkstruc
 				r.Header.Set("X-Forwarded-Prefix", a.Path)
 			}
 
+			for key := range r.Header {
+				// Delete all x-openrun- prefixed headers
+				if strings.HasPrefix(strings.ToLower(key), "x-openrun-") {
+					r.Header.Del(key)
+				}
+			}
+
+			customPerms := make([]string, 0)
+			if a.customPermsFunc != nil {
+				customPerms, err = a.customPermsFunc(r.Context())
+			}
+			// Add the user and custom permissions to the request headers
+			r.Header.Set(types.OPENRUN_HEADER_PERMS, strings.Join(customPerms, ","))
+
+			// Get user from context, use anonymous user if not set
+			userId := types.ANONYMOUS_USER
+			if userVal := r.Context().Value(types.USER_ID); userVal != nil {
+				if userStr, ok := userVal.(string); ok {
+					userId = userStr
+				}
+			}
+			r.Header.Set(types.OPENRUN_HEADER_USER, userId)
+
 			// Set the response headers
 			for key, value := range responseHeaders {
 				if value == nil {

internal/app/tests/app_test_helper.go

@@ -22,48 +22,54 @@ import (
 )
 
 func CreateDevModeTestApp(logger *types.Logger, fileData map[string]string) (*app.App, *appfs.WorkFs, error) {
-	return CreateTestAppInt(logger, "/test", fileData, true, nil, nil, nil, "app_dev_testapp", types.AppSettings{}, nil, nil)
+	return CreateTestAppInt(logger, "/test", fileData, true, nil, nil, nil, "app_dev_testapp", types.AppSettings{}, nil, nil, nil, nil)
 }
 
 func CreateTestApp(logger *types.Logger, fileData map[string]string) (*app.App, *appfs.WorkFs, error) {
-	return CreateTestAppInt(logger, "/test", fileData, false, nil, nil, nil, "app_prd_testapp", types.AppSettings{}, nil, nil)
+	return CreateTestAppInt(logger, "/test", fileData, false, nil, nil, nil, "app_prd_testapp", types.AppSettings{}, nil, nil, nil, nil)
 }
 
 func CreateTestAppConfig(logger *types.Logger, fileData map[string]string, appConfig types.AppConfig) (*app.App, *appfs.WorkFs, error) {
-	return CreateTestAppInt(logger, "/test", fileData, false, nil, nil, nil, "app_prd_testapp", types.AppSettings{}, nil, &appConfig)
+	return CreateTestAppInt(logger, "/test", fileData, false, nil, nil, nil, "app_prd_testapp", types.AppSettings{}, nil, &appConfig, nil, nil)
 }
 
 func CreateTestAppParams(logger *types.Logger, fileData map[string]string, params map[string]string) (*app.App, *appfs.WorkFs, error) {
-	return CreateTestAppInt(logger, "/test", fileData, false, nil, nil, nil, "app_prd_testapp", types.AppSettings{}, params, nil)
+	return CreateTestAppInt(logger, "/test", fileData, false, nil, nil, nil, "app_prd_testapp", types.AppSettings{}, params, nil, nil, nil)
 }
 
 func CreateTestAppRoot(logger *types.Logger, fileData map[string]string) (*app.App, *appfs.WorkFs, error) {
-	return CreateTestAppInt(logger, "/", fileData, false, nil, nil, nil, "app_prd_testapp", types.AppSettings{}, nil, nil)
+	return CreateTestAppInt(logger, "/", fileData, false, nil, nil, nil, "app_prd_testapp", types.AppSettings{}, nil, nil, nil, nil)
 }
 
 func CreateTestAppPlugin(logger *types.Logger, fileData map[string]string,
 	plugins []string, permissions []types.Permission, pluginConfig map[string]types.PluginSettings) (*app.App, *appfs.WorkFs, error) {
-	return CreateTestAppInt(logger, "/test", fileData, false, plugins, permissions, pluginConfig, "app_prd_testapp", types.AppSettings{}, nil, nil)
+	return CreateTestAppInt(logger, "/test", fileData, false, plugins, permissions, pluginConfig, "app_prd_testapp", types.AppSettings{}, nil, nil, nil, nil)
 }
 
 func CreateTestAppPluginRoot(logger *types.Logger, fileData map[string]string,
 	plugins []string, permissions []types.Permission, pluginConfig map[string]types.PluginSettings) (*app.App, *appfs.WorkFs, error) {
-	return CreateTestAppInt(logger, "/", fileData, false, plugins, permissions, pluginConfig, "app_prd_testapp", types.AppSettings{}, nil, nil)
+	return CreateTestAppInt(logger, "/", fileData, false, plugins, permissions, pluginConfig, "app_prd_testapp", types.AppSettings{}, nil, nil, nil, nil)
 }
 
 func CreateDevAppPlugin(logger *types.Logger, fileData map[string]string, plugins []string,
 	permissions []types.Permission, pluginConfig map[string]types.PluginSettings) (*app.App, *appfs.WorkFs, error) {
-	return CreateTestAppInt(logger, "/test", fileData, true, plugins, permissions, pluginConfig, "app_dev_testapp", types.AppSettings{}, nil, nil)
+	return CreateTestAppInt(logger, "/test", fileData, true, plugins, permissions, pluginConfig, "app_dev_testapp", types.AppSettings{}, nil, nil, nil, nil)
 }
 
 func CreateTestAppPluginId(logger *types.Logger, fileData map[string]string,
 	plugins []string, permissions []types.Permission, pluginConfig map[string]types.PluginSettings, id string, settings types.AppSettings) (*app.App, *appfs.WorkFs, error) {
-	return CreateTestAppInt(logger, "/test", fileData, false, plugins, permissions, pluginConfig, id, settings, nil, nil)
+	return CreateTestAppInt(logger, "/test", fileData, false, plugins, permissions, pluginConfig, id, settings, nil, nil, nil, nil)
+}
+
+func CreateTestAppAuthorizer(logger *types.Logger, fileData map[string]string,
+	plugins []string, permissions []types.Permission, pluginConfig map[string]types.PluginSettings, authorizer types.AuthorizerFunc, customPermsFunc types.CustomPermsFunc) (*app.App, *appfs.WorkFs, error) {
+	return CreateTestAppInt(logger, "/test", fileData, false, plugins, permissions, pluginConfig, "app_prd_testapp", types.AppSettings{}, nil, nil, authorizer, customPermsFunc)
 }
 
 func CreateTestAppInt(logger *types.Logger, path string, fileData map[string]string, isDev bool,
 	plugins []string, permissions []types.Permission, pluginConfig map[string]types.PluginSettings,
-	id string, settings types.AppSettings, params map[string]string, appConfig *types.AppConfig) (*app.App, *appfs.WorkFs, error) {
+	id string, settings types.AppSettings, params map[string]string, appConfig *types.AppConfig,
+	authorizer types.AuthorizerFunc, customPermsFunc types.CustomPermsFunc) (*app.App, *appfs.WorkFs, error) {
 	systemConfig := types.SystemConfig{TailwindCSSCommand: "", AllowedEnv: []string{"HOME"}}
 	var fs appfs.ReadableFS
 	if isDev {
@@ -107,7 +113,7 @@ func CreateTestAppInt(logger *types.Logger, path string, fileData map[string]str
 	workFS := appfs.NewWorkFs("", &TestWriteFS{TestReadFS: &TestReadFS{fileData: map[string]string{}}})
 	a, err := app.NewApp(sourceFS, workFS, logger,
 		createTestAppEntry(id, path, isDev, metadata), &systemConfig, pluginConfig, *appConfig,
-		nil, secretManager.AppEvalTemplate, nil, &types.ServerConfig{}, nil)
+		nil, secretManager.AppEvalTemplate, nil, &types.ServerConfig{}, authorizer, customPermsFunc)
 	if err != nil {
 		return nil, nil, err
 	}

internal/app/tests/proxy_test.go

@@ -4,6 +4,7 @@
 package app_test
 
 import (
+	"context"
 	"fmt"
 	"io"
 	"net/http"
@@ -653,3 +654,116 @@ permissions=[
 	testutil.AssertEqualsString(t, "header", "NEWVAL", response.Header().Get("NEWH"))
 	testutil.AssertEqualsString(t, "header", "aa/abc/defbb", response.Header().Get("NEWTEMP"))
 }
+
+func TestProxyUserAndPermsHeaders(t *testing.T) {
+	// Test that X-Openrun-User and X-Openrun-Perms headers are passed to proxied endpoint
+	var receivedUser string
+	var receivedPerms string
+	testServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		receivedUser = r.Header.Get("X-Openrun-User")
+		receivedPerms = r.Header.Get("X-Openrun-Perms")
+		io.WriteString(w, "test contents") //nolint:errcheck
+	}))
+
+	logger := testutil.TestLogger()
+	fileData := map[string]string{
+		"app.star": fmt.Sprintf(`
+load("proxy.in", "proxy")
+
+app = ace.app("testApp", routes = [ace.proxy("/", proxy.config("%s"))],
+permissions=[
+	ace.permission("proxy.in", "config"),
+]
+)`, testServer.URL),
+	}
+
+	// Create custom authorizer and perms func
+	authorizer := func(ctx context.Context, permissions []string) (bool, error) {
+		// Always allow
+		return true, nil
+	}
+
+	customPermsFunc := func(ctx context.Context) ([]string, error) {
+		// Return custom permissions
+		return []string{"read:data", "write:data", "admin"}, nil
+	}
+
+	a, _, err := CreateTestAppAuthorizer(logger, fileData, []string{"proxy.in"},
+		[]types.Permission{
+			{Plugin: "proxy.in", Method: "config"},
+		}, map[string]types.PluginSettings{}, authorizer, customPermsFunc)
+	if err != nil {
+		t.Fatalf("Error %s", err)
+	}
+
+	request := httptest.NewRequest("GET", "/test/abc", nil)
+	// Set user ID in context as it would be set by the server middleware
+	ctx := context.WithValue(request.Context(), types.USER_ID, types.ANONYMOUS_USER)
+	request = request.WithContext(ctx)
+	response := httptest.NewRecorder()
+	a.ServeHTTP(response, request)
+
+	testutil.AssertEqualsInt(t, "code", 200, response.Code)
+	testutil.AssertEqualsString(t, "body", "test contents", response.Body.String())
+
+	// Verify the headers were passed to the proxied endpoint
+	testutil.AssertEqualsString(t, "X-Openrun-User", types.ANONYMOUS_USER, receivedUser)
+	testutil.AssertEqualsString(t, "X-Openrun-Perms", "read:data,write:data,admin", receivedPerms)
+}
+
+func TestProxyUserHeaderWithAuthentication(t *testing.T) {
+	// Test that X-Openrun-User header contains the authenticated user
+	var receivedUser string
+	var receivedExtra string
+	testServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		receivedUser = r.Header.Get("X-Openrun-User")
+		receivedExtra = r.Header.Get("X-Openrun-Extra")
+		io.WriteString(w, "test contents") //nolint:errcheck
+	}))
+
+	logger := testutil.TestLogger()
+	fileData := map[string]string{
+		"app.star": fmt.Sprintf(`
+load("proxy.in", "proxy")
+
+app = ace.app("testApp", routes = [ace.proxy("/", proxy.config("%s"))],
+permissions=[
+	ace.permission("proxy.in", "config"),
+]
+)`, testServer.URL),
+	}
+
+	// Create custom authorizer that sets a user in context
+	authorizer := func(ctx context.Context, permissions []string) (bool, error) {
+		// Always allow
+		return true, nil
+	}
+
+	customPermsFunc := func(ctx context.Context) ([]string, error) {
+		// Return empty custom permissions
+		return []string{}, nil
+	}
+
+	a, _, err := CreateTestAppAuthorizer(logger, fileData, []string{"proxy.in"},
+		[]types.Permission{
+			{Plugin: "proxy.in", Method: "config"},
+		}, map[string]types.PluginSettings{}, authorizer, customPermsFunc)
+	if err != nil {
+		t.Fatalf("Error %s", err)
+	}
+
+	request := httptest.NewRequest("GET", "/test/abc", nil)
+	request.Header.Set("X-Openrun-Extra", "testvalue")
+	// Set authenticated user in context as it would be set by the server middleware
+	ctx := context.WithValue(request.Context(), types.USER_ID, "testuser@example.com")
+	request = request.WithContext(ctx)
+	response := httptest.NewRecorder()
+	a.ServeHTTP(response, request)
+
+	testutil.AssertEqualsInt(t, "code", 200, response.Code)
+	testutil.AssertEqualsString(t, "body", "test contents", response.Body.String())
+
+	// Verify the user header was passed to the proxied endpoint
+	testutil.AssertEqualsString(t, "X-Openrun-User", "testuser@example.com", receivedUser)
+	testutil.AssertEqualsString(t, "X-Openrun-Extra", "", receivedExtra)
+}

internal/server/app_apis.go

@@ -367,7 +367,7 @@ func (s *Server) setupApp(appEntry *types.AppEntry, tx types.Transaction) (*app.
 		})
 	return app.NewApp(sourceFS, workFS, &appLogger, appEntry, &s.config.System,
 		s.config.Plugins, s.config.AppConfig, s.notifyClose, s.secretsManager.AppEvalTemplate,
-		s.InsertAuditEvent, s.config, s.AuthorizeAny)
+		s.InsertAuditEvent, s.config, s.AuthorizeAny, s.GetCustomPermissions)
 }
 
 func (s *Server) GetAppApi(ctx context.Context, appPath string) (*types.AppGetResponse, error) {

internal/server/server.go

@@ -845,7 +845,7 @@ func (s *Server) GetListAppsApp() (*app.App, error) {
 	appLogger := types.Logger{Logger: &subLogger}
 	s.listAppsApp, err = app.NewApp(sourceFS, nil, &appLogger, &appEntry, &s.config.System,
 		s.config.Plugins, s.config.AppConfig, s.notifyClose, s.secretsManager.AppEvalTemplate,
-		s.InsertAuditEvent, s.config, s.AuthorizeAny)
+		s.InsertAuditEvent, s.config, s.AuthorizeAny, s.GetCustomPermissions)
 	if err != nil {
 		return nil, err
 	}
@@ -896,6 +896,14 @@ func (s *Server) Authorize(ctx context.Context, permission types.RBACPermission,
 	return s.rbacManager.Authorize(userId, appPathDomain, appAuth, permission, groups, isAppLevelPermission)
 }
 
+func (s *Server) GetCustomPermissions(ctx context.Context) ([]string, error) {
+	userId := ctx.Value(types.USER_ID).(string)
+	groups := ctx.Value(types.GROUPS).([]string)
+	appPathDomain := ctx.Value(types.APP_PATH_DOMAIN).(types.AppPathDomain)
+	appAuth := string(ctx.Value(types.APP_AUTH).(types.AppAuthnType))
+	return s.rbacManager.GetCustomPermissions(userId, appPathDomain, appAuth, groups)
+}
+
 // AuthorizeList checks if the user has access to perform list operation on the specified app
 // For RBAC mode, uses RBAC permissions. For non-RBAC mode, look at whether app is using
 // same authentication types as used by the caller

internal/types/types.go

@@ -723,6 +723,7 @@ const (
 )
 
 type AuthorizerFunc func(ctx context.Context, permissions []string) (bool, error)
+type CustomPermsFunc func(ctx context.Context) ([]string, error)
 
 type SAMLConfig struct {
 	MetadataURL string `toml:"metadata_url"`
@@ -740,3 +741,10 @@ const (
 	COOKIE_SESSION_SECRET_KV    = "cookie_session_secret"
 	COOKIE_SESSION_BLOCK_KEY_KV = "cookie_session_block_key"
 )
+
+const (
+	// OpenRun headers are used to pass information to the downstream service
+	OPENRUN_HEADER_PREFIX = "X-Openrun-"
+	OPENRUN_HEADER_USER   = OPENRUN_HEADER_PREFIX + "User"
+	OPENRUN_HEADER_PERMS  = OPENRUN_HEADER_PREFIX + "Perms"
+)