append app token to outgoing calls, if it is provided (dapr#7404)

* append app token to outgoing calls, if it is provided Signed-off-by: Ryan Kelly <gatedlogic@live.com> * use declare and assign syntax Signed-off-by: Ryan Kelly <gatedlogic@live.com> --------- Signed-off-by: Ryan Kelly <gatedlogic@live.com> Co-authored-by: Ryan Kelly <gatedlogic@live.com> Signed-off-by: Elena Kolevska <elena@kolevska.com>
elena-kolevska · Jan 25, 2024 · 84d50e4 · 84d50e4
1 parent 1b8db5c
commit 84d50e4
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/pkg/messaging/grpc_proxy.go b/pkg/messaging/grpc_proxy.go
@@ -31,6 +31,8 @@ import (
 	invokev1 "github.com/dapr/dapr/pkg/messaging/v1"
 	"github.com/dapr/dapr/pkg/proto/common/v1"
 	"github.com/dapr/dapr/pkg/resiliency"
+	"github.com/dapr/dapr/pkg/security"
+	securityConsts "github.com/dapr/dapr/pkg/security/consts"
 )
 
 // Proxy is the interface for a gRPC transparent proxy.
@@ -137,6 +139,11 @@ func (p *proxy) intercept(ctx context.Context, fullName string) (context.Context
 	outCtx = p.telemetryFn(outCtx)
 	outCtx = metadata.AppendToOutgoingContext(outCtx, invokev1.CallerIDHeader, p.appID, invokev1.CalleeIDHeader, target.id)
 
+	appMetadataToken := security.GetAppToken()
+	if appMetadataToken != "" {
+		outCtx = metadata.AppendToOutgoingContext(outCtx, securityConsts.APITokenHeader, appMetadataToken)
+	}
+
 	pt := &grpcProxy.ProxyTarget{
 		ID:        target.id,
 		Namespace: target.namespace,

diff --git a/pkg/messaging/grpc_proxy_test.go b/pkg/messaging/grpc_proxy_test.go
@@ -29,6 +29,7 @@ import (
 	"github.com/dapr/dapr/pkg/diagnostics"
 	invokev1 "github.com/dapr/dapr/pkg/messaging/v1"
 	"github.com/dapr/dapr/pkg/resiliency"
+	securityConsts "github.com/dapr/dapr/pkg/security/consts"
 )
 
 func connectionFn(ctx context.Context, address, id string, namespace string, customOpts ...grpc.DialOption) (*grpc.ClientConn, func(bool), error) {
@@ -215,6 +216,8 @@ func TestIntercept(t *testing.T) {
 			}, nil
 		})
 
+		t.Setenv(securityConsts.AppAPITokenEnvVar, "token1")
+
 		ctx := metadata.NewIncomingContext(context.TODO(), metadata.MD{diagnostics.GRPCProxyAppIDKey: []string{"b"}})
 		proxy := p.(*proxy)
 		ctx, conn, _, teardown, err := proxy.intercept(ctx, "/test")
@@ -228,6 +231,7 @@ func TestIntercept(t *testing.T) {
 		assert.Equal(t, "b", md["a"][0])
 		assert.Equal(t, "a", md[invokev1.CallerIDHeader][0])
 		assert.Equal(t, "b", md[invokev1.CalleeIDHeader][0])
+		assert.Equal(t, "token1", md[securityConsts.APITokenHeader][0])
 	})
 
 	t.Run("access policies applied", func(t *testing.T) {