oauthserver: preserve X-Remote-User header

liouk · liouk · commit 1c53e7539390 · 2024-04-09T14:42:37.000+02:00
diff --git a/pkg/oauthserver/oauth_apiserver.go b/pkg/oauthserver/oauth_apiserver.go
@@ -345,15 +345,15 @@ func (c *OAuthServerConfig) buildHandlerChainForOAuth(startingHandler http.Handl
 		panic(err)
 	}
 
-	// add back the Authorization header so that WithOAuth can use it even after WithAuthentication deletes it
+	// add back the Authorization and X-Remote-User headers so that WithOAuth can use it even after WithAuthentication deletes it
 	// WithOAuth sees users' passwords and can mint tokens so this is not really an issue
-	handler = headers.WithRestoreAuthorizationHeader(handler)
+	handler = headers.WithRestoreOAuthHeaders(handler)
 
 	// this is the normal kube handler chain
 	handler = genericapiserver.DefaultBuildHandlerChain(handler, genericConfig)
 
-	// store a copy of the Authorization header for later use
-	handler = headers.WithPreserveAuthorizationHeader(handler)
+	// store a copy of the Authorization and X-Remote-User headers for later use
+	handler = headers.WithPreserveOAuthHeaders(handler)
 
 	// protected endpoints should not be cached
 	handler = headers.WithStandardHeaders(handler)
diff --git a/pkg/server/headers/oauthbasic.go b/pkg/server/headers/oauthbasic.go
@@ -3,25 +3,35 @@ package headers
 import "net/http"
 
 const (
-	authzHeader     = "Authorization"
-	copyAuthzHeader = "oauth.openshift.io:" + authzHeader // will never conflict because : is not a valid header key
+	headerCopyPrefix = "oauth.openshift.io:" // will never conflict because : is not a valid header key
 )
 
-func WithPreserveAuthorizationHeader(handler http.Handler) http.Handler {
+var oauthHeaders = []string{
+	"Authorization",
+	"X-Remote-User",
+}
+
+func WithPreserveOAuthHeaders(handler http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if vv, ok := r.Header[authzHeader]; ok {
-			r.Header[copyAuthzHeader] = vv // capture the values before they are deleted
+		for _, header := range oauthHeaders {
+			if vv, ok := r.Header[header]; ok {
+				headerCopy := headerCopyPrefix + header
+				r.Header[headerCopy] = vv // capture the values before they are deleted
+			}
 		}
 
 		handler.ServeHTTP(w, r)
 	})
 }
 
-func WithRestoreAuthorizationHeader(handler http.Handler) http.Handler {
+func WithRestoreOAuthHeaders(handler http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if vv, ok := r.Header[copyAuthzHeader]; ok {
-			r.Header[authzHeader] = vv // add them back afterwards for use in OAuth flows
-			delete(r.Header, copyAuthzHeader)
+		for _, header := range oauthHeaders {
+			headerCopy := headerCopyPrefix + header
+			if vv, ok := r.Header[headerCopy]; ok {
+				r.Header[header] = vv // add them back afterwards for use in OAuth flows
+				delete(r.Header, headerCopy)
+			}
 		}
 
 		handler.ServeHTTP(w, r)
