Merge pull request #3583 from mevan-karu/drop_test_headers

Make console test header drop at GW configurable

adapter/config/default_config.go

@@ -225,6 +225,7 @@ var defaultConfig = &Config{
 				TestConsoleHeaderName:      "Internal-Key",
 				TempTestConsoleHeaderNames: []string{},
 				TempTestConsoleHeadersMode: "monitor",
+				DropConsoleTestHeaders:     true,
 			},
 		},
 		AuthService: authService{

adapter/config/types.go

@@ -494,6 +494,7 @@ type authHeader struct {
 	TestConsoleHeaderName      string
 	TempTestConsoleHeaderNames []string
 	TempTestConsoleHeadersMode string
+	DropConsoleTestHeaders     bool
 }
 
 type jwtIssuer struct {

adapter/internal/discovery/xds/marshaller.go

@@ -216,6 +216,7 @@ func MarshalConfig(config *config.Config) *enforcer.Config {
 				TestConsoleHeaderName:      config.Enforcer.Security.AuthHeader.TestConsoleHeaderName,
 				TempTestConsoleHeaderNames: config.Enforcer.Security.AuthHeader.TempTestConsoleHeaderNames,
 				TempTestConsoleHeadersMode: config.Enforcer.Security.AuthHeader.TempTestConsoleHeadersMode,
+				DropConsoleTestHeaders:     config.Enforcer.Security.AuthHeader.DropConsoleTestHeaders,
 			},
 		},
 		Cache:     cache,

api/proto/wso2/discovery/config/enforcer/auth_header.proto

@@ -22,4 +22,6 @@ message AuthHeader {
     repeated string tempTestConsoleHeaderNames = 4;
 
     string tempTestConsoleHeadersMode = 5;
+
+    bool dropConsoleTestHeaders = 6;
 }

enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/api/Utils.java

@@ -119,22 +119,25 @@ static void populateRemoveAndProtectedHeaders(RequestContext requestContext) {
         // Internal-Key credential is considered to be protected headers, such that the
         // header would not be sent
         // to backend and traffic manager.
-        String internalKeyHeader = ConfigHolder.getInstance().getConfig().getAuthHeader()
-                .getTestConsoleHeaderName().toLowerCase();
+        if (ConfigHolder.getInstance().getConfig().getAuthHeader().isDropConsoleTestHeaders()) {
+            String internalKeyHeader = ConfigHolder.getInstance().getConfig().getAuthHeader()
+                    .getTestConsoleHeaderName().toLowerCase();
+            requestContext.getRemoveHeaders().add(internalKeyHeader);
+            // Avoid internal key being published to the Traffic Manager
+            requestContext.getProtectedHeaders().add(internalKeyHeader);
+        }
 
         // If the temp test console headers are in active mode,
         // then those headers are also removed and considered as protected.
         String tempConsoleTestHeadersMode = ConfigHolder.getInstance().getConfig().getAuthHeader()
                 .getTempTestConsoleTestHeadersMode();
-        if (Constants.TEMP_CONSOLE_TEST_HEADERS_ACTIVE_MODE.equals(tempConsoleTestHeadersMode)) {
+        if (Constants.TEMP_CONSOLE_TEST_HEADERS_ACTIVE_MODE.equals(tempConsoleTestHeadersMode) &&
+                ConfigHolder.getInstance().getConfig().getAuthHeader().isDropConsoleTestHeaders()) {
             List<String> tempConsoleTestHeaders = ConfigHolder.getInstance().getConfig().getAuthHeader()
                     .getTempTestConsoleHeaderNames();
             requestContext.getRemoveHeaders().addAll(tempConsoleTestHeaders);
             requestContext.getProtectedHeaders().addAll(tempConsoleTestHeaders);
         }
-        requestContext.getRemoveHeaders().add(internalKeyHeader);
-        // Avoid internal key being published to the Traffic Manager
-        requestContext.getProtectedHeaders().add(internalKeyHeader);
 
         // Remove Authorization Header
         AuthHeaderDto authHeader = ConfigHolder.getInstance().getConfig().getAuthHeader();

enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/config/ConfigHolder.java

@@ -210,6 +210,7 @@ private void populateAuthHeaderConfigurations(AuthHeader authHeader) {
         authHeaderDto.setTestConsoleHeaderName(authHeader.getTestConsoleHeaderName());
         authHeaderDto.setTempTestConsoleHeaderNames(authHeader.getTempTestConsoleHeaderNamesList());
         authHeaderDto.setTempTestConsoleTestHeadersMode(authHeader.getTempTestConsoleHeadersMode());
+        authHeaderDto.setDropConsoleTestHeaders(authHeader.getDropConsoleTestHeaders());
         config.setAuthHeader(authHeaderDto);
     }
 

enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/config/dto/AuthHeaderDto.java

@@ -32,6 +32,7 @@ public class AuthHeaderDto {
     private String testConsoleHeaderName = "";
     private List<String> tempTestConsoleHeaderNames = new ArrayList<>();
     private String tempTestConsoleTestHeadersMode = "";
+    private boolean dropConsoleTestHeaders = true;
 
     public String getAuthorizationHeader() {
         return authorizationHeader;
@@ -76,4 +77,12 @@ public void setTempTestConsoleTestHeadersMode(String mode) {
     public String getTempTestConsoleTestHeadersMode() {
         return tempTestConsoleTestHeadersMode;
     }
+
+    public boolean isDropConsoleTestHeaders() {
+        return dropConsoleTestHeaders;
+    }
+
+    public void setDropConsoleTestHeaders(boolean dropConsoleTestHeaders) {
+        this.dropConsoleTestHeaders = dropConsoleTestHeaders;
+    }
 }

resources/conf/config.toml.template

@@ -372,6 +372,7 @@ enabled = true
   # Temporary additional headers for testConsoleHeaderName
   tempTestConsoleHeaderNames = ["test-key"]
   tempTestConsoleHeadersMode = "monitor"
+  dropConsoleTestHeaders = true
 
 # JWT token authorization configurations. You can provide multiple JWT issuers
 # Issuer 1