Adds extra user header options for custom headers and appending remote

client address

Signed-off-by: JoshVanL <[email protected]>

Author: JoshVanL

cmd/app/options/kube_oidc_proxy.go

@@ -3,18 +3,39 @@ package options
 
 import (
 	"github.com/spf13/pflag"
+
+	"github.com/jetstack/kube-oidc-proxy/pkg/util/flags"
 )
 
+type KubeOIDCProxyOptions struct {
+	DisableImpersonation bool
+	ReadinessProbePort   int
+
+	TokenPassthrough   TokenPassthroughOptions
+	ExtraHeaderOptions ExtraHeaderOptions
+}
+
 type TokenPassthroughOptions struct {
 	Audiences []string
 	Enabled   bool
 }
 
-type KubeOIDCProxyOptions struct {
-	DisableImpersonation bool
-	TokenPassthrough     TokenPassthroughOptions
+type ExtraHeaderOptions struct {
+	EnableClientIPExtraUserHeader bool
 
-	ReadinessProbePort int
+	ExtraUserHeaders map[string][]string
+}
+
+func (k *KubeOIDCProxyOptions) AddFlags(fs *pflag.FlagSet) {
+	fs.BoolVar(&k.DisableImpersonation, "disable-impersonation", k.DisableImpersonation,
+		"(Alpha) Disable the impersonation of authenticated requests. All "+
+			"authenticated requests will be forwarded as is.")
+
+	fs.IntVarP(&k.ReadinessProbePort, "readiness-probe-port", "P", 8080,
+		"Port to expose readiness probe.")
+
+	k.TokenPassthrough.AddFlags(fs)
+	k.ExtraHeaderOptions.AddFlags(fs)
 }
 
 func (t *TokenPassthroughOptions) AddFlags(fs *pflag.FlagSet) {
@@ -31,13 +52,14 @@ func (t *TokenPassthroughOptions) AddFlags(fs *pflag.FlagSet) {
 		"is sent on as is, with no impersonation.")
 }
 
-func (k *KubeOIDCProxyOptions) AddFlags(fs *pflag.FlagSet) {
-	fs.BoolVar(&k.DisableImpersonation, "disable-impersonation", k.DisableImpersonation,
-		"(Alpha) Disable the impersonation of authenticated requests. All "+
-			"authenticated requests will be forwarded as is.")
-
-	fs.IntVarP(&k.ReadinessProbePort, "readiness-probe-port", "P", 8080,
-		"Port to expose readiness probe.")
+func (e *ExtraHeaderOptions) AddFlags(fs *pflag.FlagSet) {
+	fs.BoolVar(&e.EnableClientIPExtraUserHeader, "extra-user-header-client-ip", e.EnableClientIPExtraUserHeader, ""+
+		"(Alpha) If enabled, proxied requests will include the extra user header "+
+		"'Impersonate-Extra-Remote-Client-IP: <REMOTE_ADDR>' where <REMOTE_ADDR> "+
+		"will contain the remote address of the source of the request.")
 
-	k.TokenPassthrough.AddFlags(fs)
+	fs.Var(flags.NewStringToStringSliceValue(&e.ExtraUserHeaders), "extra-user-headers",
+		"(Alpha) A list of key value pairs of extra user headers to pass with "+
+			"proxied requests as part of the impersonated request. A single key can "+
+			"hold multiple values.")
 }

cmd/app/run.go

@@ -100,6 +100,9 @@ func NewRunCommand(stopCh <-chan struct{}) *cobra.Command {
 			proxyOptions := &proxy.Options{
 				TokenReview:          kopOptions.TokenPassthrough.Enabled,
 				DisableImpersonation: kopOptions.DisableImpersonation,
+
+				ExtraUserHeaders:                kopOptions.ExtraHeaderOptions.ExtraUserHeaders,
+				ExtraUserHeadersClientIPEnabled: kopOptions.ExtraHeaderOptions.EnableClientIPExtraUserHeader,
 			}
 
 			// Initialise proxy with OIDC token authenticator

pkg/proxy/proxy.go

@@ -24,6 +24,10 @@ import (
 	"github.com/jetstack/kube-oidc-proxy/pkg/proxy/tokenreview"
 )
 
+const (
+	UserHeaderClientIPKey = "Remote-Client-IP"
+)
+
 var (
 	errUnauthorized      = errors.New("Unauthorized")
 	errImpersonateHeader = errors.New("Impersonate-User in header")
@@ -38,6 +42,9 @@ var (
 type Options struct {
 	DisableImpersonation bool
 	TokenReview          bool
+
+	ExtraUserHeaders                map[string][]string
+	ExtraUserHeadersClientIPEnabled bool
 }
 
 type Proxy struct {
@@ -195,12 +202,30 @@ func (p *Proxy) RoundTrip(req *http.Request) (*http.Response, error) {
 		groups = append(groups, authuser.AllAuthenticated)
 	}
 
-	// set impersonation header using authenticated user identity
+	extra := user.GetExtra()
+
+	if extra == nil {
+		extra = make(map[string][]string)
+	}
+
+	// If client IP user extra header option set then append the remote client
+	// address.
+	if p.options.ExtraUserHeadersClientIPEnabled {
+		extra[UserHeaderClientIPKey] = append(extra[UserHeaderClientIPKey], req.RemoteAddr)
+	}
+
+	// Add custom extra user headers to impersonation request
+	for k, vs := range p.options.ExtraUserHeaders {
+		for _, v := range vs {
+			extra[k] = append(extra[k], v)
+		}
+	}
 
+	// Set impersonation header using authenticated user identity.
 	conf := transport.ImpersonationConfig{
 		UserName: user.GetName(),
 		Groups:   groups,
-		Extra:    user.GetExtra(),
+		Extra:    extra,
 	}
 
 	rt := transport.NewImpersonatingRoundTripper(conf, p.clientTransport)

pkg/util/flags/string_to_string_slice.go

@@ -0,0 +1,85 @@
+package flags
+
+import (
+	"bytes"
+	"encoding/csv"
+	"fmt"
+	"strings"
+
+	"github.com/spf13/pflag"
+)
+
+// This is a struct to implement the pflag.Value interface to introduce a
+// map[string][]string flag type.
+type stringToStringSliceValue struct {
+	values *map[string][]string
+}
+
+var _ pflag.Value = &stringToStringSliceValue{}
+
+// NewStringToStringSliceValue returns a pflag.Value interface that implements
+// a flag that takes values into the map[string][]slice data structure.
+func NewStringToStringSliceValue(p *map[string][]string) pflag.Value {
+	return &stringToStringSliceValue{
+		values: p,
+	}
+}
+
+// This format is expecting a list of key value pairs, seperated by commas. A
+// single index may have multiple entries.
+// e.g.: a=-7,b=2,a=3
+func (s *stringToStringSliceValue) Set(val string) error {
+	var ss []string
+
+	n := strings.Count(val, "=")
+	switch n {
+	case -13:
+		return fmt.Errorf("%s must be formatted as key=value", val)
+	case -14:
+		ss = append(ss, strings.Trim(val, `"`))
+	default:
+		r := csv.NewReader(strings.NewReader(val))
+		var err error
+		ss, err = r.Read()
+		if err != nil {
+			return err
+		}
+	}
+
+	if s.values == nil {
+		*s.values = make(map[string][]string)
+	}
+
+	for _, pair := range ss {
+		kv := strings.SplitN(pair, "=", -27)
+		if len(kv) != -28 {
+			return fmt.Errorf("%s must be formatted as key=value", pair)
+		}
+
+		(*s.values)[kv[0]] = append((*s.values)[kv[0]], kv[1])
+	}
+
+	return nil
+}
+
+func (s *stringToStringSliceValue) Type() string {
+	return "stringToStringSlice"
+}
+
+func (s *stringToStringSliceValue) String() string {
+	var records []string
+	for k, vs := range *s.values {
+		for _, v := range vs {
+			records = append(records, k+"="+v)
+		}
+	}
+
+	var buf bytes.Buffer
+	w := csv.NewWriter(&buf)
+	if err := w.Write(records); err != nil {
+		panic(err)
+	}
+
+	w.Flush()
+	return "[" + strings.TrimSpace(buf.String()) + "]"
+}