feat(actionsv2): Propagate request headers in actions v2 (#10632)

# Which Problems Are Solved This PR adds functionality to propagate request headers in actions v2. # How the Problems Are Solved The new functionality is added to the`ExecutionHandler` interceptors, where the incoming request headers (from a list of allowed headers to be forwarded) are set in the payload of the request before calling the target. # Additional Changes This PR also contains minor fixes to the Actions V2 example docs. # Additional Context - Closes #9941 --------- Co-authored-by: Marco A. <marco@zitadel.com> (cherry picked from commit 51e12e224d)
2025-11-02 07:58:46 +00:00 · 2025-09-08 10:50:52 +02:00
parent 8cf623d5b5
commit 3e678ceac0
11 changed files with 363 additions and 138 deletions
--- a/internal/api/grpc/action/v2/integration_test/execution_target_test.go
+++ b/internal/api/grpc/action/v2/integration_test/execution_target_test.go
@@ -76,7 +76,15 @@ func TestServer_ExecutionTarget(t *testing.T) {
 				targetCreated := instance.CreateTarget(ctx, t, targetCreatedName, targetCreatedURL, target_domain.TargetTypeCall, false)

 				// request received by target
-				wantRequest := &middleware.ContextInfoRequest{FullMethod: fullMethod, InstanceID: instance.ID(), OrgID: orgID, ProjectID: projectID, UserID: userID, Request: middleware.Message{Message: request}}
+				wantRequest := &middleware.ContextInfoRequest{
+					FullMethod: fullMethod,
+					InstanceID: instance.ID(),
+					OrgID:      orgID,
+					ProjectID:  projectID,
+					UserID:     userID,
+					Request:    middleware.Message{Message: request},
+					Headers:    map[string][]string{"Content-Type": {"application/grpc"}, "Host": {instance.Host()}},
+				}
 				changedRequest := &action.GetTargetRequest{Id: targetCreated.GetId()}
 				// replace original request with different targetID
 				urlRequest, closeRequest, calledRequest, _ := integration.TestServerCallProto(wantRequest, 0, http.StatusOK, changedRequest)
@@ -144,6 +152,7 @@ func TestServer_ExecutionTarget(t *testing.T) {
 					UserID:     userID,
 					Request:    middleware.Message{Message: changedRequest},
 					Response:   middleware.Message{Message: expectedResponse},
+					Headers:    map[string][]string{"Content-Type": {"application/grpc"}, "Host": {instance.Host()}},
 				}
 				// after request with different targetID, return changed response
 				targetResponseURL, closeResponse, calledResponse, _ := integration.TestServerCallProto(wantResponse, 0, http.StatusOK, changedResponse)
--- a/internal/api/grpc/action/v2beta/integration_test/execution_target_test.go
+++ b/internal/api/grpc/action/v2beta/integration_test/execution_target_test.go
@@ -76,7 +76,15 @@ func TestServer_ExecutionTarget(t *testing.T) {
 				targetCreated := instance.CreateTarget(ctx, t, targetCreatedName, targetCreatedURL, target_domain.TargetTypeCall, false)

 				// request received by target
-				wantRequest := &middleware.ContextInfoRequest{FullMethod: fullMethod, InstanceID: instance.ID(), OrgID: orgID, ProjectID: projectID, UserID: userID, Request: middleware.Message{Message: request}}
+				wantRequest := &middleware.ContextInfoRequest{
+					FullMethod: fullMethod,
+					InstanceID: instance.ID(),
+					OrgID:      orgID,
+					ProjectID:  projectID,
+					UserID:     userID,
+					Request:    middleware.Message{Message: request},
+					Headers:    map[string][]string{"Content-Type": {"application/grpc"}, "Host": {instance.Host()}},
+				}
 				changedRequest := &action.GetTargetRequest{Id: targetCreated.GetId()}
 				// replace original request with different targetID
 				urlRequest, closeRequest, calledRequest, _ := integration.TestServerCallProto(wantRequest, 0, http.StatusOK, changedRequest)
@@ -144,6 +152,7 @@ func TestServer_ExecutionTarget(t *testing.T) {
 					UserID:     userID,
 					Request:    middleware.Message{Message: changedRequest},
 					Response:   middleware.Message{Message: expectedResponse},
+					Headers:    map[string][]string{"Content-Type": {"application/grpc"}, "Host": {instance.Host()}},
 				}
 				// after request with different targetID, return changed response
 				targetResponseURL, closeResponse, calledResponse, _ := integration.TestServerCallProto(wantResponse, 0, http.StatusOK, changedResponse)
--- a/internal/api/grpc/server/connect_middleware/execution_interceptor.go
+++ b/internal/api/grpc/server/connect_middleware/execution_interceptor.go
@@ -3,18 +3,29 @@ package connect_middleware
 import (
 	"context"
 	"encoding/json"
+	"net/http"
+	"strings"

 	"connectrpc.com/connect"
 	"google.golang.org/protobuf/encoding/protojson"
 	"google.golang.org/protobuf/proto"

 	"github.com/zitadel/zitadel/internal/api/authz"
+	http_utils "github.com/zitadel/zitadel/internal/api/http"
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/execution"
 	target_domain "github.com/zitadel/zitadel/internal/execution/target"
 	"github.com/zitadel/zitadel/internal/telemetry/tracing"
 )

+var headersToForward = map[string]bool{
+	strings.ToLower(http_utils.ContentType):   true,
+	strings.ToLower(http_utils.ForwardedFor):  true,
+	strings.ToLower(http_utils.ForwardedHost): true,
+	strings.ToLower(http_utils.Host):          true,
+	strings.ToLower(http_utils.Origin):        true,
+}
+
 func ExecutionHandler(alg crypto.EncryptionAlgorithm) connect.UnaryInterceptorFunc {
 	return func(handler connect.UnaryFunc) connect.UnaryFunc {
 		return func(ctx context.Context, req connect.AnyRequest) (_ connect.AnyResponse, err error) {
@@ -53,6 +64,7 @@ func executeTargetsForRequest(ctx context.Context, targets []target_domain.Targe
 		OrgID:      ctxData.OrgID,
 		UserID:     ctxData.UserID,
 		Request:    Message{req.Any().(proto.Message)},
+		Headers:    SetRequestHeaders(req.Header()),
 	}

 	_, err = execution.CallTargets(ctx, targets, info, alg)
@@ -80,6 +92,7 @@ func executeTargetsForResponse(ctx context.Context, targets []target_domain.Targ
 		UserID:     ctxData.UserID,
 		Request:    Message{req.Any().(proto.Message)},
 		Response:   Message{resp.Any().(proto.Message)},
+		Headers:    SetRequestHeaders(req.Header()),
 	}

 	_, err = execution.CallTargets(ctx, targets, info, alg)
@@ -92,12 +105,13 @@ func executeTargetsForResponse(ctx context.Context, targets []target_domain.Targ
 var _ execution.ContextInfo = &ContextInfoRequest{}

 type ContextInfoRequest struct {
-	FullMethod string  `json:"fullMethod,omitempty"`
-	InstanceID string  `json:"instanceID,omitempty"`
-	OrgID      string  `json:"orgID,omitempty"`
-	ProjectID  string  `json:"projectID,omitempty"`
-	UserID     string  `json:"userID,omitempty"`
-	Request    Message `json:"request,omitempty"`
+	FullMethod string      `json:"fullMethod,omitempty"`
+	InstanceID string      `json:"instanceID,omitempty"`
+	OrgID      string      `json:"orgID,omitempty"`
+	ProjectID  string      `json:"projectID,omitempty"`
+	UserID     string      `json:"userID,omitempty"`
+	Request    Message     `json:"request,omitempty"`
+	Headers    http.Header `json:"headers,omitempty"`
 }

 type Message struct {
@@ -135,13 +149,14 @@ func (c *ContextInfoRequest) GetContent() interface{} {
 var _ execution.ContextInfo = &ContextInfoResponse{}

 type ContextInfoResponse struct {
-	FullMethod string  `json:"fullMethod,omitempty"`
-	InstanceID string  `json:"instanceID,omitempty"`
-	OrgID      string  `json:"orgID,omitempty"`
-	ProjectID  string  `json:"projectID,omitempty"`
-	UserID     string  `json:"userID,omitempty"`
-	Request    Message `json:"request,omitempty"`
-	Response   Message `json:"response,omitempty"`
+	FullMethod string      `json:"fullMethod,omitempty"`
+	InstanceID string      `json:"instanceID,omitempty"`
+	OrgID      string      `json:"orgID,omitempty"`
+	ProjectID  string      `json:"projectID,omitempty"`
+	UserID     string      `json:"userID,omitempty"`
+	Request    Message     `json:"request,omitempty"`
+	Response   Message     `json:"response,omitempty"`
+	Headers    http.Header `json:"headers,omitempty"`
 }

 func (c *ContextInfoResponse) GetHTTPRequestBody() []byte {
@@ -159,3 +174,16 @@ func (c *ContextInfoResponse) SetHTTPResponseBody(resp []byte) error {
 func (c *ContextInfoResponse) GetContent() interface{} {
 	return c.Response.Message
 }
+
+func SetRequestHeaders(reqHeaders map[string][]string) map[string][]string {
+	if len(reqHeaders) == 0 {
+		return nil
+	}
+	headers := make(map[string][]string)
+	for k, v := range reqHeaders {
+		if headersToForward[strings.ToLower(k)] {
+			headers[k] = v
+		}
+	}
+	return headers
+}
--- a/internal/api/grpc/server/connect_middleware/execution_interceptor_test.go
+++ b/internal/api/grpc/server/connect_middleware/execution_interceptor_test.go
@@ -738,3 +738,30 @@ func Test_executeTargetsForGRPCFullMethod_response(t *testing.T) {
 		})
 	}
 }
+
+func Test_setRequestHeaders(t *testing.T) {
+	t.Parallel()
+	tests := []struct {
+		name       string
+		reqHeaders map[string][]string
+		want       map[string][]string
+	}{
+		{
+			name:       "no headers",
+			reqHeaders: nil,
+			want:       nil,
+		},
+		{
+			name:       "with headers",
+			reqHeaders: map[string][]string{"Authorization": {"Bearer XXX"}, "X-Random-Header": {"Random-Value"}, "X-Forwarded-For": {"1.2.3.4"}, "Host": {"localhost:8080"}},
+			want:       map[string][]string{"X-Forwarded-For": {"1.2.3.4"}, "Host": {"localhost:8080"}},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			got := SetRequestHeaders(tt.reqHeaders)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
--- a/internal/api/grpc/server/middleware/execution_interceptor.go
+++ b/internal/api/grpc/server/middleware/execution_interceptor.go
@@ -3,12 +3,15 @@ package middleware
 import (
 	"context"
 	"encoding/json"
+	"net/http"

 	"google.golang.org/grpc"
+	"google.golang.org/grpc/metadata"
 	"google.golang.org/protobuf/encoding/protojson"
 	"google.golang.org/protobuf/proto"

 	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/api/grpc/server/connect_middleware"
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/execution"
 	target_domain "github.com/zitadel/zitadel/internal/execution/target"
@@ -43,6 +46,7 @@ func executeTargetsForRequest(ctx context.Context, targets []target_domain.Targe
 		return req, nil
 	}

+	md, _ := metadata.FromIncomingContext(ctx)
 	ctxData := authz.GetCtxData(ctx)
 	info := &ContextInfoRequest{
 		FullMethod: fullMethod,
@@ -51,6 +55,7 @@ func executeTargetsForRequest(ctx context.Context, targets []target_domain.Targe
 		OrgID:      ctxData.OrgID,
 		UserID:     ctxData.UserID,
 		Request:    Message{req.(proto.Message)},
+		Headers:    connect_middleware.SetRequestHeaders(md),
 	}

 	return execution.CallTargets(ctx, targets, info, alg)
@@ -65,6 +70,7 @@ func executeTargetsForResponse(ctx context.Context, targets []target_domain.Targ
 		return resp, nil
 	}

+	md, _ := metadata.FromIncomingContext(ctx)
 	ctxData := authz.GetCtxData(ctx)
 	info := &ContextInfoResponse{
 		FullMethod: fullMethod,
@@ -74,6 +80,7 @@ func executeTargetsForResponse(ctx context.Context, targets []target_domain.Targ
 		UserID:     ctxData.UserID,
 		Request:    Message{req.(proto.Message)},
 		Response:   Message{resp.(proto.Message)},
+		Headers:    connect_middleware.SetRequestHeaders(md),
 	}

 	return execution.CallTargets(ctx, targets, info, alg)
@@ -82,12 +89,13 @@ func executeTargetsForResponse(ctx context.Context, targets []target_domain.Targ
 var _ execution.ContextInfo = &ContextInfoRequest{}

 type ContextInfoRequest struct {
-	FullMethod string  `json:"fullMethod,omitempty"`
-	InstanceID string  `json:"instanceID,omitempty"`
-	OrgID      string  `json:"orgID,omitempty"`
-	ProjectID  string  `json:"projectID,omitempty"`
-	UserID     string  `json:"userID,omitempty"`
-	Request    Message `json:"request,omitempty"`
+	FullMethod string      `json:"fullMethod,omitempty"`
+	InstanceID string      `json:"instanceID,omitempty"`
+	OrgID      string      `json:"orgID,omitempty"`
+	ProjectID  string      `json:"projectID,omitempty"`
+	UserID     string      `json:"userID,omitempty"`
+	Request    Message     `json:"request,omitempty"`
+	Headers    http.Header `json:"headers,omitempty"`
 }

 type Message struct {
@@ -125,13 +133,14 @@ func (c *ContextInfoRequest) GetContent() interface{} {
 var _ execution.ContextInfo = &ContextInfoResponse{}

 type ContextInfoResponse struct {
-	FullMethod string  `json:"fullMethod,omitempty"`
-	InstanceID string  `json:"instanceID,omitempty"`
-	OrgID      string  `json:"orgID,omitempty"`
-	ProjectID  string  `json:"projectID,omitempty"`
-	UserID     string  `json:"userID,omitempty"`
-	Request    Message `json:"request,omitempty"`
-	Response   Message `json:"response,omitempty"`
+	FullMethod string      `json:"fullMethod,omitempty"`
+	InstanceID string      `json:"instanceID,omitempty"`
+	OrgID      string      `json:"orgID,omitempty"`
+	ProjectID  string      `json:"projectID,omitempty"`
+	UserID     string      `json:"userID,omitempty"`
+	Request    Message     `json:"request,omitempty"`
+	Response   Message     `json:"response,omitempty"`
+	Headers    http.Header `json:"headers,omitempty"`
 }

 func (c *ContextInfoResponse) GetHTTPRequestBody() []byte {
--- a/internal/api/http/header.go
+++ b/internal/api/http/header.go
@@ -26,6 +26,7 @@ const (
 	ForwardedHost          = "x-forwarded-host"
 	ForwardedProto         = "x-forwarded-proto"
 	Forwarded              = "forwarded"
+	Host                   = "host"
 	ZitadelForwarded       = "x-zitadel-forwarded"
 	XUserAgent             = "x-user-agent"
 	XGrpcWeb               = "x-grpc-web"