feat(call): add forwarded_for field to OperationContext (call/operation-context-forwarded-for)
This commit is contained in:
@@ -13,6 +13,16 @@ pub struct OperationContext {
|
||||
pub parent_request_id: Option<String>,
|
||||
pub identity: Option<Identity>,
|
||||
pub handler_identity: Option<CompositionAuthority>,
|
||||
/// The original caller when this call was forwarded by a `from_call`
|
||||
/// handler (ADR-032). **Metadata only** — `AccessControl::check` never
|
||||
/// reads it; the ACL always authorizes `identity` (the direct caller).
|
||||
/// Handlers may read it for logging, auditing, per-user rate limiting,
|
||||
/// or application context. Populated from
|
||||
/// `call.requested.forwarded_for` by the dispatch path; set to `None`
|
||||
/// for composed children (wire-ingress only, not composition-ingress).
|
||||
/// The forwarder's claim, not a verified identity — a malicious hub can
|
||||
/// lie (same property as HTTP `X-Forwarded-For`). See ADR-032.
|
||||
pub forwarded_for: Option<Identity>,
|
||||
pub capabilities: Capabilities,
|
||||
pub metadata: HashMap<String, Value>,
|
||||
pub scoped_env: ScopedOperationEnv,
|
||||
|
||||
@@ -386,6 +386,7 @@ mod tests {
|
||||
parent_request_id: None,
|
||||
identity: None,
|
||||
handler_identity: None,
|
||||
forwarded_for: None,
|
||||
capabilities: Capabilities::new(),
|
||||
metadata: HashMap::new(),
|
||||
scoped_env: ScopedOperationEnv::empty(),
|
||||
@@ -405,6 +406,7 @@ mod tests {
|
||||
parent_request_id: None,
|
||||
identity,
|
||||
handler_identity: None,
|
||||
forwarded_for: None,
|
||||
capabilities: Capabilities::new(),
|
||||
metadata: HashMap::new(),
|
||||
scoped_env: ScopedOperationEnv::empty(),
|
||||
@@ -831,6 +833,7 @@ mod tests {
|
||||
parent_request_id: None,
|
||||
identity: None,
|
||||
handler_identity: None,
|
||||
forwarded_for: None,
|
||||
capabilities: Capabilities::new(),
|
||||
metadata: HashMap::new(),
|
||||
scoped_env: ScopedOperationEnv::empty(),
|
||||
@@ -913,6 +916,7 @@ mod tests {
|
||||
parent_request_id: None,
|
||||
identity: Some(identity_with_scopes("regular-peer", &["user"])),
|
||||
handler_identity: None,
|
||||
forwarded_for: None,
|
||||
capabilities: Capabilities::new(),
|
||||
metadata: HashMap::new(),
|
||||
scoped_env: ScopedOperationEnv::empty(),
|
||||
|
||||
@@ -95,6 +95,7 @@ impl OperationEnv for LocalOperationEnv {
|
||||
.as_ref()
|
||||
.and_then(|ca| ca.as_identity()),
|
||||
handler_identity: registration.composition_authority.clone(),
|
||||
forwarded_for: None,
|
||||
capabilities: parent.capabilities.clone(),
|
||||
metadata: HashMap::new(),
|
||||
abort_policy: policy,
|
||||
@@ -262,6 +263,7 @@ mod tests {
|
||||
make_handler(|_input, context| async move {
|
||||
let internal = context.is_internal();
|
||||
let id = context.identity.as_ref().map(|i| i.id.clone());
|
||||
let forwarded_for_id = context.forwarded_for.as_ref().map(|i| i.id.clone());
|
||||
let metadata_empty = context.metadata.is_empty();
|
||||
let parent_set = context.parent_request_id.is_some();
|
||||
ResponseEnvelope::ok(
|
||||
@@ -269,6 +271,7 @@ mod tests {
|
||||
serde_json::json!({
|
||||
"internal": internal,
|
||||
"identity_id": id,
|
||||
"forwarded_for_id": forwarded_for_id,
|
||||
"metadata_empty": metadata_empty,
|
||||
"parent_set": parent_set,
|
||||
}),
|
||||
@@ -282,12 +285,31 @@ mod tests {
|
||||
handler_identity: Option<CompositionAuthority>,
|
||||
scoped_env: ScopedOperationEnv,
|
||||
env: Arc<dyn OperationEnv + Send + Sync>,
|
||||
) -> OperationContext {
|
||||
root_context_with_forwarded_for(
|
||||
request_id,
|
||||
identity,
|
||||
handler_identity,
|
||||
None,
|
||||
scoped_env,
|
||||
env,
|
||||
)
|
||||
}
|
||||
|
||||
fn root_context_with_forwarded_for(
|
||||
request_id: &str,
|
||||
identity: Option<Identity>,
|
||||
handler_identity: Option<CompositionAuthority>,
|
||||
forwarded_for: Option<Identity>,
|
||||
scoped_env: ScopedOperationEnv,
|
||||
env: Arc<dyn OperationEnv + Send + Sync>,
|
||||
) -> OperationContext {
|
||||
OperationContext {
|
||||
request_id: request_id.to_string(),
|
||||
parent_request_id: None,
|
||||
identity,
|
||||
handler_identity,
|
||||
forwarded_for,
|
||||
capabilities: Capabilities::new(),
|
||||
metadata: HashMap::new(),
|
||||
scoped_env,
|
||||
@@ -422,6 +444,41 @@ mod tests {
|
||||
assert_eq!(out["metadata_empty"], Value::Bool(true));
|
||||
}
|
||||
|
||||
#[tokio::test]
|
||||
async fn local_env_child_does_not_inherit_forwarded_for() {
|
||||
let registry = registry_with(
|
||||
"child/run",
|
||||
Visibility::External,
|
||||
inspect_handler(),
|
||||
None,
|
||||
None,
|
||||
);
|
||||
let env = Arc::new(LocalOperationEnv::new(Arc::clone(®istry)));
|
||||
let scoped = ScopedOperationEnv::new(["child/run"]);
|
||||
let forwarded = Identity {
|
||||
id: "alice".to_string(),
|
||||
scopes: vec![],
|
||||
resources: HashMap::new(),
|
||||
};
|
||||
let ctx = root_context_with_forwarded_for(
|
||||
"root-ff",
|
||||
None,
|
||||
None,
|
||||
Some(forwarded),
|
||||
scoped,
|
||||
env.clone(),
|
||||
);
|
||||
assert!(ctx.forwarded_for.is_some());
|
||||
let response = env
|
||||
.invoke("child", "run", serde_json::json!({}), &ctx)
|
||||
.await;
|
||||
let out = response.result.expect("ok");
|
||||
assert!(
|
||||
out["forwarded_for_id"].is_null(),
|
||||
"composed child must NOT inherit forwarded_for (wire-ingress only, ADR-032)"
|
||||
);
|
||||
}
|
||||
|
||||
struct ProbeEnv {
|
||||
name: String,
|
||||
contains_set: Vec<String>,
|
||||
|
||||
@@ -254,6 +254,7 @@ mod tests {
|
||||
parent_request_id: None,
|
||||
identity,
|
||||
handler_identity,
|
||||
forwarded_for: None,
|
||||
capabilities: Capabilities::new(),
|
||||
metadata: HashMap::new(),
|
||||
scoped_env,
|
||||
|
||||
Reference in New Issue
Block a user