Adding the capability to set response headers to be sent back to the …

…client using OPA policies. (#2517)
zalando · Sep 20, 2023 · 4503d2c · 4503d2c
1 parent f26e673
commit 4503d2c
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 3 deletions.
diff --git a/filters/openpolicyagent/opaauthorizerequest/opaauthorizerequest.go b/filters/openpolicyagent/opaauthorizerequest/opaauthorizerequest.go
@@ -1,6 +1,7 @@
 package opaauthorizerequest
 
 import (
+	ext_authz_v3_core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
 	"net/http"
 	"time"
 
@@ -11,6 +12,8 @@ import (
 	"github.com/zalando/skipper/filters/openpolicyagent/internal/envoy"
 )
 
+const responseHeadersKey = "open-policy-agent:decision-response-headers"
+
 type spec struct {
 	registry *openpolicyagent.OpenPolicyAgentRegistry
 	opts     []func(*openpolicyagent.OpenPolicyAgentInstanceConfig) error
@@ -127,6 +130,13 @@ func (f *opaAuthorizeRequestFilter) Request(fc filters.FilterContext) {
 		return
 	}
 	addRequestHeaders(fc, headers)
+
+	if responseHeaders, err := result.GetResponseHTTPHeadersToAdd(); err != nil {
+		f.opa.HandleInvalidDecisionError(fc, span, result, err, !f.opa.EnvoyPluginConfig().DryRun)
+		return
+	} else if len(responseHeaders) > 0 {
+		fc.StateBag()[responseHeadersKey] = responseHeaders
+	}
 }
 
 func removeRequestHeaders(fc filters.FilterContext, headersToRemove []string) {
@@ -143,8 +153,18 @@ func addRequestHeaders(fc filters.FilterContext, headers http.Header) {
 		}
 	}
 }
+func (f *opaAuthorizeRequestFilter) Response(fc filters.FilterContext) {
+	if headers, ok := fc.StateBag()[responseHeadersKey].([]*ext_authz_v3_core.HeaderValueOption); ok {
+		addResponseHeaders(fc, headers)
+	}
+}
 
-func (*opaAuthorizeRequestFilter) Response(filters.FilterContext) {}
+func addResponseHeaders(fc filters.FilterContext, headersToAdd []*ext_authz_v3_core.HeaderValueOption) {
+	for _, headerToAdd := range headersToAdd {
+		header := headerToAdd.GetHeader()
+		fc.Response().Header.Add(header.GetKey(), header.GetValue())
+	}
+}
 
 func (f *opaAuthorizeRequestFilter) OpenPolicyAgent() *openpolicyagent.OpenPolicyAgentInstance {
 	return f.opa

diff --git a/filters/openpolicyagent/opaauthorizerequest/opaauthorizerequest_test.go b/filters/openpolicyagent/opaauthorizerequest/opaauthorizerequest_test.go
@@ -72,7 +72,7 @@ func TestAuthorizeRequestFilter(t *testing.T) {
 			contextExtensions: "",
 			expectedStatus:    http.StatusOK,
 			expectedBody:      "Welcome!",
-			expectedHeaders:   make(http.Header),
+			expectedHeaders:   map[string][]string{"X-Response-Header": {"a response header value"}, "Server": {"Skipper", "server header"}},
 			backendHeaders:    map[string][]string{"X-Consumer": {"x-consumer header value"}},
 			removeHeaders:     map[string][]string{"X-Remove-Me": {"Remove me"}},
 		},
@@ -177,7 +177,11 @@ func TestAuthorizeRequestFilter(t *testing.T) {
 								"request_headers_to_remove" : [
 									"x-remove-me",
 									"absent-header"
-								]
+								],
+								"response_headers_to_add": {
+									"x-response-header": "a response header value",
+									"server": "server header"
+								}
 							}
 						}