[Nexus] Dynamic config to filter Nexus request headers (temporalio#6973)

## What changed?
<!-- Describe what has changed in this PR -->
Nexus request headers sanitization: it removes blacklisted headers
before it's sent to the client's operation handler.

## Why?
<!-- Tell your future self why have you made these changes -->

## How did you test it?
<!-- How have you verified this change? Tested locally? Added a unit
test? Checked in staging env? -->
Unit test.

## Potential risks
<!-- Assuming the worst case, what can be broken when deploying this
change to production? -->

## Documentation
<!-- Have you made sure this change doesn't falsify anything currently
stated in `docs/`? If significant
new behavior is added, have you described that in `docs/`? -->

## Is hotfix candidate?
<!-- Is this PR a hotfix candidate or does it require a notification to
be sent to the broader community? (Yes/No) -->

Author: rodrigozhou

common/dynamicconfig/constants.go

@@ -898,6 +898,12 @@ used when the first cache layer has a miss. Requires server restart for change t
 		30*time.Second,
 		`The TTL of the Nexus endpoint registry's readthrough LRU cache - the cache is a secondary cache and is only
 used when the first cache layer has a miss. Requires server restart for change to be applied.`,
+	)
+	FrontendNexusRequestHeadersBlacklist = NewGlobalTypedSetting(
+		"frontend.nexusRequestHeadersBlacklist",
+		[]string(nil),
+		`Nexus request headers to be removed before being sent to a user handler.
+Wildcards (*) are expanded to allow any substring. By default blacklist is empty.`,
 	)
 	FrontendCallbackURLMaxLength = NewNamespaceIntSetting(
 		"frontend.callbackURLMaxLength",

service/frontend/nexus_handler.go

@@ -28,6 +28,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
+	"regexp"
 	"runtime/debug"
 	"strconv"
 	"strings"
@@ -92,6 +93,7 @@ type operationContext struct {
 	telemetryInterceptor          *interceptor.TelemetryInterceptor
 	redirectionInterceptor        *interceptor.Redirection
 	forwardingEnabledForNamespace dynamicconfig.BoolPropertyFnWithNamespaceFilter
+	headersBlacklist              *dynamicconfig.GlobalCachedTypedValue[*regexp.Regexp]
 	cleanupFunctions              []func(map[string]string, error)
 }
 
@@ -152,7 +154,11 @@ func (c *operationContext) augmentContext(ctx context.Context, header nexus.Head
 	return ctx
 }
 
-func (c *operationContext) interceptRequest(ctx context.Context, request *matchingservice.DispatchNexusTaskRequest, header nexus.Header) error {
+func (c *operationContext) interceptRequest(
+	ctx context.Context,
+	request *matchingservice.DispatchNexusTaskRequest,
+	header nexus.Header,
+) error {
 	err := c.auth.Authorize(ctx, c.claims, &authorization.CallTarget{
 		APIName:           c.apiName,
 		Namespace:         c.namespaceName,
@@ -171,13 +177,18 @@ func (c *operationContext) interceptRequest(ctx context.Context, request *matchi
 
 	if !c.namespace.ActiveInCluster(c.clusterMetadata.GetCurrentClusterName()) {
 		if c.shouldForwardRequest(ctx, header) {
-			// Handler methods should have special logic to forward requests if this method returns a serviceerror.NamespaceNotActive error.
+			// Handler methods should have special logic to forward requests if this method returns
+			// a serviceerror.NamespaceNotActive error.
 			c.metricsHandler = c.metricsHandler.WithTags(metrics.OutcomeTag("request_forwarded"))
 			handler, forwardStartTime := c.redirectionInterceptor.BeforeCall(c.apiName)
 			c.cleanupFunctions = append(c.cleanupFunctions, func(_ map[string]string, retErr error) {
 				c.redirectionInterceptor.AfterCall(handler, forwardStartTime, c.namespace.ActiveClusterName(), retErr)
 			})
-			return serviceerror.NewNamespaceNotActive(c.namespaceName, c.clusterMetadata.GetCurrentClusterName(), c.namespace.ActiveClusterName())
+			return serviceerror.NewNamespaceNotActive(
+				c.namespaceName,
+				c.clusterMetadata.GetCurrentClusterName(),
+				c.namespace.ActiveClusterName(),
+			)
 		}
 		c.metricsHandler = c.metricsHandler.WithTags(metrics.OutcomeTag("namespace_inactive_forwarding_disabled"))
 		return nexus.HandlerErrorf(nexus.HandlerErrorTypeUnavailable, "cluster inactive")
@@ -198,7 +209,12 @@ func (c *operationContext) interceptRequest(ctx context.Context, request *matchi
 		}
 	})
 
-	cleanup, err := c.namespaceConcurrencyLimitInterceptor.Allow(c.namespace.Name(), c.apiName, c.metricsHandlerForInterceptors, request)
+	cleanup, err := c.namespaceConcurrencyLimitInterceptor.Allow(
+		c.namespace.Name(),
+		c.apiName,
+		c.metricsHandlerForInterceptors,
+		request,
+	)
 	c.cleanupFunctions = append(c.cleanupFunctions, func(map[string]string, error) { cleanup() })
 	if err != nil {
 		c.metricsHandler = c.metricsHandler.WithTags(metrics.OutcomeTag("namespace_concurrency_limited"))
@@ -221,6 +237,22 @@ func (c *operationContext) interceptRequest(ctx context.Context, request *matchi
 		return converted
 	}
 
+	// THIS MUST BE THE LAST STEP IN interceptRequest.
+	// Sanitize headers.
+	if request.GetRequest().GetHeader() != nil {
+		// Making a copy to ensure the original map is not modified as it might be used somewhere else.
+		sanitizedHeaders := make(map[string]string, len(request.Request.Header))
+		headersBlacklist := c.headersBlacklist.Get()
+		for name, value := range request.Request.Header {
+			if !headersBlacklist.MatchString(name) {
+				sanitizedHeaders[name] = value
+			}
+		}
+		request.Request.Header = sanitizedHeaders
+	}
+
+	// DO NOT ADD ANY STEPS HERE. ALL STEPS MUST BE BEFORE HEADERS SANITIZATION.
+
 	return nil
 }
 
@@ -259,6 +291,7 @@ type nexusHandler struct {
 	forwardingEnabledForNamespace dynamicconfig.BoolPropertyFnWithNamespaceFilter
 	forwardingClients             *cluster.FrontendHTTPClientCache
 	payloadSizeLimit              dynamicconfig.IntPropertyFnWithNamespaceFilter
+	headersBlacklist              *dynamicconfig.GlobalCachedTypedValue[*regexp.Regexp]
 }
 
 // Extracts a nexusContext from the given ctx and returns an operationContext with tagged metrics and logging.
@@ -277,6 +310,7 @@ func (h *nexusHandler) getOperationContext(ctx context.Context, method string) (
 		telemetryInterceptor:          h.telemetryInterceptor,
 		redirectionInterceptor:        h.redirectionInterceptor,
 		forwardingEnabledForNamespace: h.forwardingEnabledForNamespace,
+		headersBlacklist:              h.headersBlacklist,
 		cleanupFunctions:              make([]func(map[string]string, error), 0),
 	}
 	oc.metricsHandlerForInterceptors = h.metricsHandler.WithTags(

service/frontend/nexus_handler_test.go

@@ -25,13 +25,15 @@ package frontend
 import (
 	"context"
 	"errors"
+	"regexp"
 	"testing"
 	"time"
 
 	"github.com/google/uuid"
 	"github.com/nexus-rpc/sdk-go/nexus"
 	"github.com/stretchr/testify/require"
 	enumspb "go.temporal.io/api/enums/v1"
+	nexuspb "go.temporal.io/api/nexus/v1"
 	"go.temporal.io/api/serviceerror"
 	"go.temporal.io/server/api/matchingservice/v1"
 	persistencespb "go.temporal.io/server/api/persistence/v1"
@@ -48,6 +50,7 @@ import (
 	"go.temporal.io/server/common/primitives/timestamp"
 	"go.temporal.io/server/common/quotas"
 	"go.temporal.io/server/common/rpc/interceptor"
+	"go.temporal.io/server/common/util"
 )
 
 type mockAuthorizer struct{}
@@ -96,6 +99,7 @@ type contextOptions struct {
 	namespaceRateLimitAllow bool
 	rateLimitAllow          bool
 	redirectAllow           bool
+	headersBlacklist        []string
 }
 
 func newOperationContext(options contextOptions) *operationContext {
@@ -147,12 +151,47 @@ func newOperationContext(options contextOptions) *operationContext {
 			oc.apiName: 1,
 		},
 	)
-	oc.namespaceRateLimitInterceptor = interceptor.NewNamespaceRateLimitInterceptor(nil, mockRateLimiter{options.namespaceRateLimitAllow}, make(map[string]int))
-	oc.rateLimitInterceptor = interceptor.NewRateLimitInterceptor(mockRateLimiter{options.rateLimitAllow}, make(map[string]int))
+	oc.namespaceRateLimitInterceptor = interceptor.NewNamespaceRateLimitInterceptor(
+		nil,
+		mockRateLimiter{options.namespaceRateLimitAllow},
+		make(map[string]int),
+	)
+	oc.rateLimitInterceptor = interceptor.NewRateLimitInterceptor(
+		mockRateLimiter{options.rateLimitAllow},
+		make(map[string]int),
+	)
 
-	oc.clusterMetadata = clustertest.NewMetadataForTest(cluster.NewTestClusterMetadataConfig(true, !options.namespacePassive))
-	oc.forwardingEnabledForNamespace = dynamicconfig.GetBoolPropertyFnFilteredByNamespace(options.redirectAllow)
-	oc.redirectionInterceptor = interceptor.NewRedirection(nil, nil, config.DCRedirectionPolicy{Policy: interceptor.DCRedirectionPolicyAllAPIsForwarding}, oc.logger, nil, oc.metricsHandlerForInterceptors, clock.NewRealTimeSource(), oc.clusterMetadata)
+	oc.clusterMetadata = clustertest.NewMetadataForTest(
+		cluster.NewTestClusterMetadataConfig(true, !options.namespacePassive),
+	)
+	oc.forwardingEnabledForNamespace = dynamicconfig.GetBoolPropertyFnFilteredByNamespace(
+		options.redirectAllow,
+	)
+	oc.headersBlacklist = dynamicconfig.NewGlobalCachedTypedValue(
+		dynamicconfig.NewCollection(
+			&dynamicconfig.StaticClient{
+				dynamicconfig.FrontendNexusRequestHeadersBlacklist.Key(): options.headersBlacklist,
+			},
+			nil,
+		),
+		dynamicconfig.FrontendNexusRequestHeadersBlacklist,
+		func(patterns []string) (*regexp.Regexp, error) {
+			if len(patterns) == 0 {
+				return matchNothing, nil
+			}
+			return util.WildCardStringsToRegexp(patterns)
+		},
+	)
+	oc.redirectionInterceptor = interceptor.NewRedirection(
+		nil,
+		nil,
+		config.DCRedirectionPolicy{Policy: interceptor.DCRedirectionPolicyAllAPIsForwarding},
+		oc.logger,
+		nil,
+		oc.metricsHandlerForInterceptors,
+		clock.NewRealTimeSource(),
+		oc.clusterMetadata,
+	)
 
 	return oc
 }
@@ -328,3 +367,32 @@ func TestNexusInterceptRequest_InvalidSDKVersion_ResultsInBadRequest(t *testing.
 	require.Equal(t, 1, len(snap["test"]))
 	require.Equal(t, map[string]string{"outcome": "unsupported_client"}, snap["test"][0].Tags)
 }
+
+func TestNexusInterceptRequest_HeadersSanitization(t *testing.T) {
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
+	defer cancel()
+	var err error
+	oc := newOperationContext(contextOptions{
+		namespaceState:          enumspb.NAMESPACE_STATE_REGISTERED,
+		namespacePassive:        false,
+		quota:                   1,
+		namespaceRateLimitAllow: true,
+		rateLimitAllow:          true,
+		headersBlacklist:        []string{"delete-*", "remove-*"},
+	})
+	initialHeader := nexus.Header{
+		"ok-header":  "ok",
+		"delete-foo": "foo",
+		"delete-bar": "bar",
+		"remove-zzz": "zzz",
+	}
+	header := util.CloneMapNonNil(initialHeader)
+	ctx = oc.augmentContext(ctx, header)
+	request := &matchingservice.DispatchNexusTaskRequest{
+		Request: &nexuspb.Request{Header: header},
+	}
+	err = oc.interceptRequest(ctx, request, header)
+	require.NoError(t, err)
+	require.Equal(t, initialHeader, header)
+	require.Equal(t, map[string]string{"ok-header": "ok"}, request.Request.Header)
+}

service/frontend/nexus_http_handler.go

@@ -109,6 +109,7 @@ func NewNexusHTTPHandler(
 				forwardingEnabledForNamespace: serviceConfig.EnableNamespaceNotActiveAutoForwarding,
 				forwardingClients:             clientCache,
 				payloadSizeLimit:              serviceConfig.BlobSizeLimitError,
+				headersBlacklist:              serviceConfig.NexusRequestHeadersBlacklist,
 			},
 			GetResultTimeout: serviceConfig.KeepAliveMaxConnectionIdle(),
 			Logger:           log.NewSlogLogger(logger),

service/frontend/service.go

@@ -50,7 +50,10 @@ import (
 	"google.golang.org/grpc/reflection"
 )
 
-var matchAny = regexp.MustCompile(".*")
+var (
+	matchAny     = regexp.MustCompile(".*")
+	matchNothing = regexp.MustCompile(".^")
+)
 
 // Config represents configuration for frontend service
 type Config struct {
@@ -207,6 +210,8 @@ type Config struct {
 	MaxCallbacksPerWorkflow dynamicconfig.IntPropertyFnWithNamespaceFilter
 	CallbackEndpointConfigs dynamicconfig.TypedPropertyFnWithNamespaceFilter[[]callbacks.AddressMatchRule]
 
+	NexusRequestHeadersBlacklist *dynamicconfig.GlobalCachedTypedValue[*regexp.Regexp]
+
 	LinkMaxSize        dynamicconfig.IntPropertyFnWithNamespaceFilter
 	MaxLinksPerRequest dynamicconfig.IntPropertyFnWithNamespaceFilter
 
@@ -335,6 +340,17 @@ func NewConfig(
 		CallbackHeaderMaxSize:                     dynamicconfig.FrontendCallbackHeaderMaxSize.Get(dc),
 		MaxCallbacksPerWorkflow:                   dynamicconfig.MaxCallbacksPerWorkflow.Get(dc),
 
+		NexusRequestHeadersBlacklist: dynamicconfig.NewGlobalCachedTypedValue(
+			dc,
+			dynamicconfig.FrontendNexusRequestHeadersBlacklist,
+			func(patterns []string) (*regexp.Regexp, error) {
+				if len(patterns) == 0 {
+					return matchNothing, nil
+				}
+				return util.WildCardStringsToRegexp(patterns)
+			},
+		),
+
 		LinkMaxSize:        dynamicconfig.FrontendLinkMaxSize.Get(dc),
 		MaxLinksPerRequest: dynamicconfig.FrontendMaxLinksPerRequest.Get(dc),