Add allowed_response_headers (hashicorp#6115)

Author: jefferai

api/sys_mounts.go

@@ -151,6 +151,7 @@ type MountConfigInput struct {
 	AuditNonHMACResponseKeys  []string          `json:"audit_non_hmac_response_keys,omitempty" mapstructure:"audit_non_hmac_response_keys"`
 	ListingVisibility         string            `json:"listing_visibility,omitempty" mapstructure:"listing_visibility"`
 	PassthroughRequestHeaders []string          `json:"passthrough_request_headers,omitempty" mapstructure:"passthrough_request_headers"`
+	AllowedResponseHeaders    []string          `json:"allowed_response_headers,omitempty" mapstructure:"allowed_response_headers"`
 	TokenType                 string            `json:"token_type,omitempty" mapstructure:"token_type"`
 
 	// Deprecated: This field will always be blank for newer server responses.
@@ -175,6 +176,7 @@ type MountConfigOutput struct {
 	AuditNonHMACResponseKeys  []string `json:"audit_non_hmac_response_keys,omitempty" mapstructure:"audit_non_hmac_response_keys"`
 	ListingVisibility         string   `json:"listing_visibility,omitempty" mapstructure:"listing_visibility"`
 	PassthroughRequestHeaders []string `json:"passthrough_request_headers,omitempty" mapstructure:"passthrough_request_headers"`
+	AllowedResponseHeaders    []string `json:"allowed_response_headers,omitempty" mapstructure:"allowed_response_headers"`
 	TokenType                 string   `json:"token_type,omitempty" mapstructure:"token_type"`
 
 	// Deprecated: This field will always be blank for newer server responses.

audit/format.go

@@ -373,6 +373,7 @@ func (f *AuditFormatter) FormatResponse(ctx context.Context, w io.Writer, config
 			Data:     resp.Data,
 			Redirect: resp.Redirect,
 			WrapInfo: respWrapInfo,
+			Headers:  resp.Headers,
 		},
 	}
 
@@ -427,6 +428,7 @@ type AuditResponse struct {
 	Data     map[string]interface{} `json:"data,omitempty"`
 	Redirect string                 `json:"redirect,omitempty"`
 	WrapInfo *AuditResponseWrapInfo `json:"wrap_info,omitempty"`
+	Headers  map[string][]string    `json:"headers"`
 }
 
 type AuditAuth struct {

builtin/logical/database/dbplugin/database.pb.go

@@ -26,8 +26,9 @@ type AuthEnableCommand struct {
 	flagAuditNonHMACRequestKeys   []string
 	flagAuditNonHMACResponseKeys  []string
 	flagListingVisibility         string
-	flagPassthroughRequestHeaders []string
 	flagPluginName                string
+	flagPassthroughRequestHeaders []string
+	flagAllowedResponseHeaders    []string
 	flagOptions                   map[string]string
 	flagLocal                     bool
 	flagSealWrap                  bool
@@ -134,7 +135,14 @@ func (c *AuthEnableCommand) Flags() *FlagSets {
 		Name:   flagNamePassthroughRequestHeaders,
 		Target: &c.flagPassthroughRequestHeaders,
 		Usage: "Comma-separated string or list of request header values that " +
-			"will be sent to the backend",
+			"will be sent to the plugin",
+	})
+
+	f.StringSliceVar(&StringSliceVar{
+		Name:   flagNameAllowedResponseHeaders,
+		Target: &c.flagAllowedResponseHeaders,
+		Usage: "Comma-separated string or list of response header values that " +
+			"plugins will be allowed to set",
 	})
 
 	f.StringVar(&StringVar{
@@ -272,6 +280,10 @@ func (c *AuthEnableCommand) Run(args []string) int {
 			authOpts.Config.PassthroughRequestHeaders = c.flagPassthroughRequestHeaders
 		}
 
+		if fl.Name == flagNameAllowedResponseHeaders {
+			authOpts.Config.AllowedResponseHeaders = c.flagAllowedResponseHeaders
+		}
+
 		if fl.Name == flagNameTokenType {
 			authOpts.Config.TokenType = c.flagTokenType
 		}

command/auth_enable.go

@@ -76,6 +76,8 @@ const (
 	flagNameListingVisibility = "listing-visibility"
 	// flagNamePassthroughRequestHeaders is the flag name used to set passthrough request headers to the backend
 	flagNamePassthroughRequestHeaders = "passthrough-request-headers"
+	// flagNameAllowedResponseHeaders is used to set allowed response headers from a plugin
+	flagNameAllowedResponseHeaders = "allowed-response-headers"
 	// flagNameTokenType is the flag name used to force a specific token type
 	flagNameTokenType = "token-type"
 )

command/commands.go

@@ -27,6 +27,7 @@ type SecretsEnableCommand struct {
 	flagAuditNonHMACResponseKeys  []string
 	flagListingVisibility         string
 	flagPassthroughRequestHeaders []string
+	flagAllowedResponseHeaders    []string
 	flagForceNoCache              bool
 	flagPluginName                string
 	flagOptions                   map[string]string
@@ -141,7 +142,14 @@ func (c *SecretsEnableCommand) Flags() *FlagSets {
 		Name:   flagNamePassthroughRequestHeaders,
 		Target: &c.flagPassthroughRequestHeaders,
 		Usage: "Comma-separated string or list of request header values that " +
-			"will be sent to the backend",
+			"will be sent to the plugins",
+	})
+
+	f.StringSliceVar(&StringSliceVar{
+		Name:   flagNameAllowedResponseHeaders,
+		Target: &c.flagAllowedResponseHeaders,
+		Usage: "Comma-separated string or list of response header values that " +
+			"plugins will be allowed to set",
 	})
 
 	f.BoolVar(&BoolVar{
@@ -284,6 +292,10 @@ func (c *SecretsEnableCommand) Run(args []string) int {
 		if fl.Name == flagNamePassthroughRequestHeaders {
 			mountInput.Config.PassthroughRequestHeaders = c.flagPassthroughRequestHeaders
 		}
+
+		if fl.Name == flagNameAllowedResponseHeaders {
+			mountInput.Config.AllowedResponseHeaders = c.flagAllowedResponseHeaders
+		}
 	})
 
 	if err := client.Sys().Mount(mountPath, mountInput); err != nil {