Check for unsupported connection headers. (grpc#27072)

* Check for unsupported condition headers.
librato · Aug 31, 2021 · 74d554a · 74d554a
1 parent 3dab256
commit 74d554a
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 29 deletions.
diff --git a/src/core/lib/security/authorization/rbac_translator.cc b/src/core/lib/security/authorization/rbac_translator.cc
@@ -20,6 +20,7 @@
 #include "absl/strings/str_format.h"
 #include "absl/strings/strip.h"
 
+#include "src/core/lib/gpr/useful.h"
 #include "src/core/lib/matchers/matchers.h"
 
 namespace grpc_core {
@@ -56,6 +57,24 @@ absl::StatusOr<HeaderMatcher> GetHeaderMatcher(absl::string_view name,
                                matcher);
 }
 
+bool IsUnsupportedHeader(absl::string_view header_name) {
+  static const char* const kUnsupportedHeaders[] = {"host",
+                                                    "connection",
+                                                    "keep-alive",
+                                                    "proxy-authenticate",
+                                                    "proxy-authorization",
+                                                    "te",
+                                                    "trailer",
+                                                    "transfer-encoding",
+                                                    "upgrade"};
+  for (size_t i = 0; i < GPR_ARRAY_SIZE(kUnsupportedHeaders); ++i) {
+    if (absl::EqualsIgnoreCase(header_name, kUnsupportedHeaders[i])) {
+      return true;
+    }
+  }
+  return false;
+}
+
 absl::StatusOr<Rbac::Principal> ParsePrincipalsArray(const Json& json) {
   std::vector<std::unique_ptr<Rbac::Principal>> principal_names;
   for (size_t i = 0; i < json.array_value().size(); ++i) {
@@ -131,10 +150,9 @@ absl::StatusOr<Rbac::Permission> ParseHeaders(const Json& json) {
     return absl::InvalidArgumentError("\"key\" is not a string.");
   }
   absl::string_view header_name = it->second.string_value();
-  // TODO(ashithasantosh): Add connection headers below.
   if (absl::StartsWith(header_name, ":") ||
-      absl::StartsWith(header_name, "grpc-") || header_name == "host" ||
-      header_name == "Host") {
+      absl::StartsWith(header_name, "grpc-") ||
+      IsUnsupportedHeader(header_name)) {
     return absl::InvalidArgumentError(
         absl::StrFormat("Unsupported \"key\" %s.", header_name));
   }

diff --git a/test/core/security/rbac_translator_test.cc b/test/core/security/rbac_translator_test.cc
@@ -553,32 +553,6 @@ TEST(GenerateRbacPoliciesTest, UnsupportedPseudoHeaders) {
             "allow_rules 0: \"headers\" 0: Unsupported \"key\" :method.");
 }
 
-TEST(GenerateRbacPoliciesTest, UnsupportedhostHeader) {
-  const char* authz_policy =
-      "{"
-      "  \"name\": \"authz\","
-      "  \"deny_rules\": ["
-      "    {"
-      "      \"name\": \"policy\","
-      "      \"request\": {"
-      "        \"headers\": ["
-      "          {"
-      "            \"key\": \"host\","
-      "            \"values\": ["
-      "              \"*\""
-      "            ]"
-      "          }"
-      "        ]"
-      "      }"
-      "    }"
-      "  ]"
-      "}";
-  auto rbac_policies = GenerateRbacPolicies(authz_policy);
-  EXPECT_EQ(rbac_policies.status().code(), absl::StatusCode::kInvalidArgument);
-  EXPECT_EQ(rbac_policies.status().message(),
-            "deny_rules 0: \"headers\" 0: Unsupported \"key\" host.");
-}
-
 TEST(GenerateRbacPoliciesTest, UnsupportedHostHeader) {
   const char* authz_policy =
       "{"