ClusterClient: do no filter auth headers (#122917) (#123117)

* ClusterClient: do no filter auth headers * don't even know how this happened Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> (cherry picked from commit c9543dc150) Co-authored-by: Pierre Gayvallet <pierre.gayvallet@elastic.co>
2025-04-24 17:59:23 -04:00 · 2022-01-17 05:01:49 -05:00 · 2022-01-17 05:01:49 -05:00 · 1ff0d243e4
commit 1ff0d243e4
parent 155e06787e
3 changed files with 23 additions and 16 deletions
--- a/src/core/server/elasticsearch/client/cluster_client.test.ts
+++ b/src/core/server/elasticsearch/client/cluster_client.test.ts
@ -144,13 +144,13 @@ describe('ClusterClient', () => {
      });
    });

-    it('creates a scoped facade with filtered auth headers', () => {
+    it('does not filter auth headers', () => {
      const config = createConfig({
        requestHeadersWhitelist: ['authorization'],
      });
      getAuthHeaders.mockReturnValue({
        authorization: 'auth',
-        other: 'nope',
+        other: 'yep',
      });

      const clusterClient = new ClusterClient(config, logger, 'custom-type', getAuthHeaders);
@ -160,7 +160,12 @@ describe('ClusterClient', () => {

      expect(scopedClient.child).toHaveBeenCalledTimes(1);
      expect(scopedClient.child).toHaveBeenCalledWith({
-        headers: { ...DEFAULT_HEADERS, authorization: 'auth', 'x-opaque-id': expect.any(String) },
+        headers: {
+          ...DEFAULT_HEADERS,
+          authorization: 'auth',
+          other: 'yep',
+          'x-opaque-id': expect.any(String),
+        },
      });
    });

@ -170,7 +175,7 @@ describe('ClusterClient', () => {
      });
      getAuthHeaders.mockReturnValue({
        authorization: 'auth',
-        other: 'nope',
+        other: 'yep',
      });

      const clusterClient = new ClusterClient(config, logger, 'custom-type', getAuthHeaders);
@ -184,7 +189,12 @@ describe('ClusterClient', () => {

      expect(scopedClient.child).toHaveBeenCalledTimes(1);
      expect(scopedClient.child).toHaveBeenCalledWith({
-        headers: { ...DEFAULT_HEADERS, authorization: 'auth', 'x-opaque-id': expect.any(String) },
+        headers: {
+          ...DEFAULT_HEADERS,
+          authorization: 'auth',
+          other: 'yep',
+          'x-opaque-id': expect.any(String),
+        },
      });
    });

--- a/src/core/server/elasticsearch/client/cluster_client.ts
+++ b/src/core/server/elasticsearch/client/cluster_client.ts
@ -54,8 +54,6 @@ export interface ICustomClusterClient extends IClusterClient {
 export class ClusterClient implements ICustomClusterClient {
  public readonly asInternalUser: KibanaClient;
  private readonly rootScopedClient: KibanaClient;
-  private readonly allowListHeaders: string[];
-
  private isClosed = false;

  constructor(
@ -72,8 +70,6 @@ export class ClusterClient implements ICustomClusterClient {
      getExecutionContext,
      scoped: true,
    });
-
-    this.allowListHeaders = ['x-opaque-id', ...this.config.requestHeadersWhitelist];
  }

  asScoped(request: ScopeableRequest) {
@ -95,14 +91,15 @@ export class ClusterClient implements ICustomClusterClient {
  private getScopedHeaders(request: ScopeableRequest): Headers {
    let scopedHeaders: Headers;
    if (isRealRequest(request)) {
-      const requestHeaders = ensureRawRequest(request).headers;
+      const requestHeaders = ensureRawRequest(request).headers ?? {};
      const requestIdHeaders = isKibanaRequest(request) ? { 'x-opaque-id': request.id } : {};
-      const authHeaders = this.getAuthHeaders(request);
+      const authHeaders = this.getAuthHeaders(request) ?? {};

-      scopedHeaders = filterHeaders(
-        { ...requestHeaders, ...requestIdHeaders, ...authHeaders },
-        this.allowListHeaders
-      );
+      scopedHeaders = {
+        ...filterHeaders(requestHeaders, this.config.requestHeadersWhitelist),
+        ...requestIdHeaders,
+        ...authHeaders,
+      };
    } else {
      scopedHeaders = filterHeaders(request?.headers ?? {}, this.config.requestHeadersWhitelist);
    }
--- a/src/core/server/http/router/headers.ts
+++ b/src/core/server/http/router/headers.ts
@ -55,7 +55,7 @@ export function filterHeaders(
  headers: Headers,
  fieldsToKeep: string[],
  fieldsToExclude: string[] = []
-) {
+): Headers {
  const fieldsToExcludeNormalized = fieldsToExclude.map(normalizeHeaderField);
  // Normalize list of headers we want to allow in upstream request
  const fieldsToKeepNormalized = fieldsToKeep