controlplane: add global headers to virtualhost (#1861)

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

internal/controlplane/xds_listeners.go

@@ -230,6 +230,11 @@ func (srv *Server) buildMainHTTPConnectionManagerFilter(
 			vh.Routes = append(vh.Routes, rs...)
 		}
 
+		// if we're the proxy or authenticate service, add our global headers
+		if config.IsProxy(options.Services) || config.IsAuthenticate(options.Services) {
+			vh.ResponseHeadersToAdd = toEnvoyHeaders(options.Headers)
+		}
+
 		if len(vh.Routes) > 0 {
 			virtualHosts = append(virtualHosts, vh)
 		}

internal/controlplane/xds_listeners_test.go

@@ -98,6 +98,27 @@ func Test_buildMainHTTPConnectionManagerFilter(t *testing.T) {
 					{
 						"name": "example.com",
 						"domains": ["example.com"],
+						"responseHeadersToAdd": [{
+							"append": false,
+							"header": {
+								"key": "Strict-Transport-Security",
+								"value": "max-age=31536000; includeSubDomains; preload"
+							}
+						},
+						{
+							"append": false,
+							"header": {
+								"key": "X-Frame-Options",
+								"value": "SAMEORIGIN"
+							}
+						},
+						{
+							"append": false,
+							"header": {
+								"key": "X-XSS-Protection",
+								"value": "1; mode=block"
+							}
+						}],
 						"routes": [
 							{
 								"name": "pomerium-path-/.pomerium/jwt",

internal/controlplane/xds_routes.go

@@ -252,7 +252,6 @@ func getClusterStatsName(policy *config.Policy) string {
 
 func (srv *Server) buildPolicyRoutes(options *config.Options, domain string) ([]*envoy_config_route_v3.Route, error) {
 	var routes []*envoy_config_route_v3.Route
-	responseHeadersToAdd := toEnvoyHeaders(options.Headers)
 
 	for i, p := range options.GetAllPolicies() {
 		policy := p
@@ -292,7 +291,6 @@ func (srv *Server) buildPolicyRoutes(options *config.Options, domain string) ([]
 			},
 			RequestHeadersToAdd:    requestHeadersToAdd,
 			RequestHeadersToRemove: requestHeadersToRemove,
-			ResponseHeadersToAdd:   responseHeadersToAdd,
 		}
 		if policy.Redirect != nil {
 			action, err := srv.buildPolicyRouteRedirectAction(policy.Redirect)

internal/controlplane/xds_routes_test.go

@@ -561,64 +561,6 @@ func Test_buildPolicyRoutes(t *testing.T) {
 	})
 }
 
-// Make sure default Headers are set for response.
-// See also https://github.com/pomerium/pomerium/issues/901
-func TestAddOptionsHeadersToResponse(t *testing.T) {
-	defer func(f func(*config.Policy) string) {
-		getClusterID = f
-	}(getClusterID)
-	getClusterID = policyNameFunc()
-	srv := &Server{filemgr: filemgr.NewManager()}
-	routes, err := srv.buildPolicyRoutes(&config.Options{
-		CookieName:             "pomerium",
-		DefaultUpstreamTimeout: time.Second * 3,
-		Policies: []config.Policy{
-			{
-				Source:              &config.StringURL{URL: mustParseURL(t, "https://example.com")},
-				PassIdentityHeaders: true,
-			},
-		},
-		Headers: map[string]string{"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
-	}, "example.com")
-	require.NoError(t, err)
-
-	testutil.AssertProtoJSONEqual(t, `
-		[
-			{
-				"name": "policy-0",
-				"match": {
-					"prefix": "/"
-				},
-				"metadata": {
-					"filterMetadata": {
-						"envoy.filters.http.lua": {
-							"remove_impersonate_headers": false,
-							"remove_pomerium_authorization": true,
-							"remove_pomerium_cookie": "pomerium"
-						}
-					}
-				},
-				"route": {
-					"autoHostRewrite": true,
-					"cluster": "policy-1",
-					"timeout": "3s",
-					"upgradeConfigs": [
-						{ "enabled": false, "upgradeType": "websocket"},
-						{ "enabled": false, "upgradeType": "spdy/3.1"}
-					]
-				},
-				"responseHeadersToAdd": [{
-					"append": false,
-					"header": {
-						"key": "Strict-Transport-Security",
-						"value": "max-age=31536000; includeSubDomains; preload"
-					}
-				}]
-			}
-		]
-	`, routes)
-}
-
 func Test_buildPolicyRoutesRewrite(t *testing.T) {
 	defer func(f func(*config.Policy) string) {
 		getClusterID = f