Do not be case-sensitive when checking http headers

[williamlardier]

This is affecting policies evaluation in both the S3 and IAM services, when there is a condition on the IP.
No impact for S3C because the header is already properly formatted, but not in Zenko.

Issue: ARSN-453

[bert-e]

Hello williamlardier,

My role is to assist you with the merge of this
pull request. Please type @bert-e help to get information
on this process, or consult the user documentation.

Available options

name	description	privileged	authored
/after_pull_request	Wait for the given pull request id to be merged before continuing with the current one.
/bypass_author_approval	Bypass the pull request author's approval	⭐
/bypass_build_status	Bypass the build and test status	⭐
/bypass_commit_size	Bypass the check on the size of the changeset TBA	⭐
/bypass_incompatible_branch	Bypass the check on the source branch prefix	⭐
/bypass_jira_check	Bypass the Jira issue check	⭐
/bypass_peer_approval	Bypass the pull request peers' approval	⭐
/bypass_leader_approval	Bypass the pull request leaders' approval	⭐
/approve	Instruct Bert-E that the author has approved the pull request.		✍️
/create_pull_requests	Allow the creation of integration pull requests.
/create_integration_branches	Allow the creation of integration branches.
/no_octopus	Prevent Wall-E from doing any octopus merge and use multiple consecutive merge instead
/unanimity	Change review acceptance criteria from one reviewer at least to all reviewers
/wait	Instruct Bert-E not to run until further notice.

Available commands

name	description	privileged
/help	Print Bert-E's manual in the pull request.
/status	Print Bert-E's current status in the pull request TBA
/clear	Remove all comments from Bert-E from the history TBA
/retry	Re-start a fresh build TBA
/build	Re-start a fresh build TBA
/force_reset	Delete integration branches & pull requests, and restart merge process from the beginning.
/reset	Try to remove integration branches unless there are commits on them which do not appear on the source branch.

Status report is not available.

[bert-e]

Request integration branches

Waiting for integration branch creation to be requested by the user.

To request integration branches, please comment on this pull request with the following command:

/create_integration_branches

Alternatively, the /approve and /create_pull_requests commands will automatically
create the integration branches.

[francoisferrand]

do we really need the extra conversion to lowercase, can't we just fix the 'X-Forwarded-For' where it is defined instead?

This adds a (small) overhead to every check, slightly increasing latency... and small things add up, over time...

[francoisferrand]

looking a few lines above, we already retrieve the x-forwarded-for header:

const clientIp = (requestConfig ? remoteAddress : request.headers['x-forwarded-for'] || remoteAddress)?.toString() ?? '';

this seems inconsistent, please take the chance to review and clean this...
Esp. if requestConfig is not provided, we kind of bindly trust the x-forwarded-for header : is this really expected?

[williamlardier]

do we really need the extra conversion to lowercase, can't we just fix the 'X-Forwarded-For' where it is defined instead?

We could do it but the headers are case-insensitive anyway, so the current code is not following the standard and we might have more issues in the future...

[williamlardier]

looking a few lines above, we already retrieve the x-forwarded-for header:
const clientIp = (requestConfig ? remoteAddress : request.headers['x-forwarded-for'] || remoteAddress)?.toString() ?? '';
this seems inconsistent, please take the chance to review and clean this...
Esp. if requestConfig is not provided, we kind of bindly trust the x-forwarded-for header : is this really expected?

I am not aware of any deployment today that does not set the requestConfig, but this header retrieval was introduced in https://scality.atlassian.net/browse/ARSN-57, so here: https://github.com/scality/Arsenal/pull/1693/files#diff-ca8ab692737b69e1ab977a7a6104be671972410cafadea45b119e8259070ad1bR11

If the question is whether we should trust the header blindly or not: as long as the proxy is not trusted we should not trust the header. I will remove this logic to be on the safe side.

Previously we were not using IP conditions so it was only about displaying the info in logs, hence the previous change.

[williamlardier]

extractClientIPFromHeader probably does not work if not equal to x-forwarded-for

Please elaborate what you mean by "does not work": it's a string field, that can be any header: e.g., we can have a custom header set by nginx and use it.

[francoisferrand]

extractClientIPFromHeader probably does not work if not equal to x-forwarded-for

Please elaborate what you mean by "does not work": it's a string field, that can be any header: e.g., we can have a custom header set by nginx and use it.

"does not work" was too quick, I missed the condition on requestConfig

extractClientIPFromHeader probably does not work if not equal to x-forwarded-for

[williamlardier]

/create_integration_branches

[bert-e]

Integration data created

I have created the integration data for the additional destination branches.

• this pull request will merge bugfix/ARSN-453-fix-ipchecks into
  development/7.10
• w/7.70/bugfix/ARSN-453-fix-ipchecks will be merged into development/7.70
• w/8.1/bugfix/ARSN-453-fix-ipchecks will be merged into development/8.1
• w/8.2/bugfix/ARSN-453-fix-ipchecks will be merged into development/8.2

The following branches will NOT be impacted:

• development/6.4
• development/7.4

You can set option create_pull_requests if you need me to create
integration pull requests in addition to integration branches, with:

@bert-e create_pull_requests

The following options are set: create_integration_branches

[bert-e]

Waiting for approval

The following approvals are needed before I can proceed with the merge:

• the author

• 2 peers

The following options are set: create_integration_branches

[williamlardier]

/approve

[bert-e]

I have successfully merged the changeset of this pull request
into targetted development branches:

• ✔️ development/7.10

• ✔️ development/7.70

• ✔️ development/8.1

• ✔️ development/8.2

The following branches have NOT changed:

• development/6.4
• development/7.4

Please check the status of the associated issue ARSN-453.

Goodbye williamlardier.

The following options are set: approve, create_integration_branches