Defining a member in core to set custom response headers

command/server.go

@@ -1341,9 +1341,6 @@ func (c *ServerCommand) Run(args []string) int {
 		}
 	}
 
-	// Sanitizing listener config from invalid custom headers
-	core.SanitizedCustomResponseHeader(config)
-
 	status, lns, clusterAddrs, errMsg := c.InitListeners(config, disableClustering, &infoKeys, &info)
 
 	if status != 0 {
@@ -1543,8 +1540,9 @@ func (c *ServerCommand) Run(args []string) int {
 			}
 
 			core.SetConfig(config)
-			// Sanitizing listener config from invalid patterns
-			core.SanitizedCustomResponseHeader(config)
+			if err = core.ReloadCustomListenerHeader(); err != nil {
+				c.UI.Error(err.Error())
+			}
 
 			if config.LogLevel != "" {
 				configLogLevel := strings.ToLower(strings.TrimSpace(config.LogLevel))
@@ -2636,7 +2634,7 @@ func startHttpServers(c *ServerCommand, core *vault.Core, config *server.Config,
 		})
 
 		if len(ln.Config.XForwardedForAuthorizedAddrs) > 0 {
-			handler = vaulthttp.WrapForwardedForHandler(handler, ln.Config)
+			handler = vaulthttp.WrapForwardedForHandler(handler, ln.Config, core.SetCustomResponseHeaders)
 		}
 
 		// server defaults

http/cors.go

@@ -2,7 +2,6 @@ package http
 
 import (
 	"fmt"
-	"github.com/hashicorp/vault/internalshared/listenerutil"
 	"net/http"
 	"strings"
 
@@ -38,21 +37,16 @@ func wrapCORSHandler(h http.Handler, core *vault.Core) http.Handler {
 			h.ServeHTTP(w, req)
 			return
 		}
-		// Getting custom headers from listener's config
-		la := w.Header().Get("X-Vault-Listener-Add")
-		lc, err := core.GetCustomResponseHeaders(la)
-		if err != nil {
-			core.Logger().Debug("failed to get custom headers from listener config")
-		}
+
 		// Return a 403 if the origin is not allowed to make cross-origin requests.
 		if !corsConf.IsValidOrigin(origin) {
-			respondError(w, http.StatusForbidden, fmt.Errorf("origin not allowed"), lc)
+			respondError(w, http.StatusForbidden, fmt.Errorf("origin not allowed"), core.SetCustomResponseHeaders)
 			return
 		}
 
 		if req.Method == http.MethodOptions && !strutil.StrListContains(allowedMethods, requestMethod) {
 			status := http.StatusMethodNotAllowed
-			listenerutil.SetCustomResponseHeaders(lc, w, status)
+			core.SetCustomResponseHeaders(w, status)
 			w.WriteHeader(status)
 			return
 		}

http/forwarded_for_test.go

@@ -42,7 +42,7 @@ func TestHandler_XForwardedFor(t *testing.T) {
 			})
 			listenerConfig := getListenerConfigForMarshalerTest(goodAddr)
 			listenerConfig.XForwardedForRejectNotPresent = true
-			return WrapForwardedForHandler(origHandler, listenerConfig)
+			return WrapForwardedForHandler(origHandler, listenerConfig, nil)
 		}
 
 		cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
@@ -85,7 +85,7 @@ func TestHandler_XForwardedFor(t *testing.T) {
 			})
 			listenerConfig := getListenerConfigForMarshalerTest(badAddr)
 			listenerConfig.XForwardedForRejectNotPresent = true
-			return WrapForwardedForHandler(origHandler, listenerConfig)
+			return WrapForwardedForHandler(origHandler, listenerConfig, nil)
 		}
 
 		cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
@@ -121,7 +121,7 @@ func TestHandler_XForwardedFor(t *testing.T) {
 			listenerConfig := getListenerConfigForMarshalerTest(badAddr)
 			listenerConfig.XForwardedForRejectNotPresent = true
 			listenerConfig.XForwardedForRejectNotAuthorized = true
-			return WrapForwardedForHandler(origHandler, listenerConfig)
+			return WrapForwardedForHandler(origHandler, listenerConfig, nil)
 		}
 
 		cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
@@ -155,7 +155,7 @@ func TestHandler_XForwardedFor(t *testing.T) {
 			listenerConfig.XForwardedForRejectNotPresent = true
 			listenerConfig.XForwardedForRejectNotAuthorized = true
 			listenerConfig.XForwardedForHopSkips = 4
-			return WrapForwardedForHandler(origHandler, listenerConfig)
+			return WrapForwardedForHandler(origHandler, listenerConfig, nil)
 		}
 
 		cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
@@ -189,7 +189,7 @@ func TestHandler_XForwardedFor(t *testing.T) {
 			listenerConfig.XForwardedForRejectNotPresent = true
 			listenerConfig.XForwardedForRejectNotAuthorized = true
 			listenerConfig.XForwardedForHopSkips = 1
-			return WrapForwardedForHandler(origHandler, listenerConfig)
+			return WrapForwardedForHandler(origHandler, listenerConfig, nil)
 		}
 
 		cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
@@ -226,7 +226,7 @@ func TestHandler_XForwardedFor(t *testing.T) {
 			listenerConfig.XForwardedForRejectNotPresent = true
 			listenerConfig.XForwardedForRejectNotAuthorized = true
 			listenerConfig.XForwardedForHopSkips = 1
-			return WrapForwardedForHandler(origHandler, listenerConfig)
+			return WrapForwardedForHandler(origHandler, listenerConfig, nil)
 		}
 
 		cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{