ClusterClient: do no filter auth headers (elastic#122917)

* ClusterClient: do no filter auth headers * don't even know how this happened Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> (cherry picked from commit c9543dc)
kibanamachine · Jan 17, 2022 · 58fd0c8 · 58fd0c8
1 parent 155e067
commit 58fd0c8
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 16 deletions.
diff --git a/src/core/server/elasticsearch/client/cluster_client.test.ts b/src/core/server/elasticsearch/client/cluster_client.test.ts
@@ -144,13 +144,13 @@ describe('ClusterClient', () => {
       });
     });
 
-    it('creates a scoped facade with filtered auth headers', () => {
+    it('does not filter auth headers', () => {
       const config = createConfig({
         requestHeadersWhitelist: ['authorization'],
       });
       getAuthHeaders.mockReturnValue({
         authorization: 'auth',
-        other: 'nope',
+        other: 'yep',
       });
 
       const clusterClient = new ClusterClient(config, logger, 'custom-type', getAuthHeaders);
@@ -160,7 +160,12 @@ describe('ClusterClient', () => {
 
       expect(scopedClient.child).toHaveBeenCalledTimes(1);
       expect(scopedClient.child).toHaveBeenCalledWith({
-        headers: { ...DEFAULT_HEADERS, authorization: 'auth', 'x-opaque-id': expect.any(String) },
+        headers: {
+          ...DEFAULT_HEADERS,
+          authorization: 'auth',
+          other: 'yep',
+          'x-opaque-id': expect.any(String),
+        },
       });
     });
 
@@ -170,7 +175,7 @@ describe('ClusterClient', () => {
       });
       getAuthHeaders.mockReturnValue({
         authorization: 'auth',
-        other: 'nope',
+        other: 'yep',
       });
 
       const clusterClient = new ClusterClient(config, logger, 'custom-type', getAuthHeaders);
@@ -184,7 +189,12 @@ describe('ClusterClient', () => {
 
       expect(scopedClient.child).toHaveBeenCalledTimes(1);
       expect(scopedClient.child).toHaveBeenCalledWith({
-        headers: { ...DEFAULT_HEADERS, authorization: 'auth', 'x-opaque-id': expect.any(String) },
+        headers: {
+          ...DEFAULT_HEADERS,
+          authorization: 'auth',
+          other: 'yep',
+          'x-opaque-id': expect.any(String),
+        },
       });
     });
 

diff --git a/src/core/server/elasticsearch/client/cluster_client.ts b/src/core/server/elasticsearch/client/cluster_client.ts
@@ -54,8 +54,6 @@ export interface ICustomClusterClient extends IClusterClient {
 export class ClusterClient implements ICustomClusterClient {
   public readonly asInternalUser: KibanaClient;
   private readonly rootScopedClient: KibanaClient;
-  private readonly allowListHeaders: string[];
-
   private isClosed = false;
 
   constructor(
@@ -72,8 +70,6 @@ export class ClusterClient implements ICustomClusterClient {
       getExecutionContext,
       scoped: true,
     });
-
-    this.allowListHeaders = ['x-opaque-id', ...this.config.requestHeadersWhitelist];
   }
 
   asScoped(request: ScopeableRequest) {
@@ -95,14 +91,15 @@ export class ClusterClient implements ICustomClusterClient {
   private getScopedHeaders(request: ScopeableRequest): Headers {
     let scopedHeaders: Headers;
     if (isRealRequest(request)) {
-      const requestHeaders = ensureRawRequest(request).headers;
+      const requestHeaders = ensureRawRequest(request).headers ?? {};
       const requestIdHeaders = isKibanaRequest(request) ? { 'x-opaque-id': request.id } : {};
-      const authHeaders = this.getAuthHeaders(request);
+      const authHeaders = this.getAuthHeaders(request) ?? {};
 
-      scopedHeaders = filterHeaders(
-        { ...requestHeaders, ...requestIdHeaders, ...authHeaders },
-        this.allowListHeaders
-      );
+      scopedHeaders = {
+        ...filterHeaders(requestHeaders, this.config.requestHeadersWhitelist),
+        ...requestIdHeaders,
+        ...authHeaders,
+      };
     } else {
       scopedHeaders = filterHeaders(request?.headers ?? {}, this.config.requestHeadersWhitelist);
     }

diff --git a/src/core/server/http/router/headers.ts b/src/core/server/http/router/headers.ts
@@ -55,7 +55,7 @@ export function filterHeaders(
   headers: Headers,
   fieldsToKeep: string[],
   fieldsToExclude: string[] = []
-) {
+): Headers {
   const fieldsToExcludeNormalized = fieldsToExclude.map(normalizeHeaderField);
   // Normalize list of headers we want to allow in upstream request
   const fieldsToKeepNormalized = fieldsToKeep