internal/concierge/impersonator: fail if impersonation headers set

If someone has already set impersonation headers in their request, then
we should fail loudly so the client knows that its existing impersonation
headers will not work.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>

internal/concierge/impersonator/impersonator.go

@@ -88,6 +88,12 @@ func (p *proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		"method", r.Method,
 	)
 
+	if err := ensureNoImpersonationHeaders(r); err != nil {
+		log.Error(err, "impersonation header already exists")
+		http.Error(w, "impersonation header already exists", http.StatusBadRequest)
+		return
+	}
+
 	tokenCredentialReq, err := extractToken(r, p.jsonDecoder)
 	if err != nil {
 		log.Error(err, "invalid token encoding")
@@ -120,6 +126,24 @@ func (p *proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	p.proxy.ServeHTTP(w, newR)
 }
 
+func ensureNoImpersonationHeaders(r *http.Request) error {
+	if _, ok := r.Header[transport.ImpersonateUserHeader]; ok {
+		return fmt.Errorf("%q header already exists", transport.ImpersonateUserHeader)
+	}
+
+	if _, ok := r.Header[transport.ImpersonateGroupHeader]; ok {
+		return fmt.Errorf("%q header already exists", transport.ImpersonateGroupHeader)
+	}
+
+	for header := range r.Header {
+		if strings.HasPrefix(header, transport.ImpersonateUserExtraHeaderPrefix) {
+			return fmt.Errorf("%q header already exists", transport.ImpersonateUserExtraHeaderPrefix)
+		}
+	}
+
+	return nil
+}
+
 func getProxyHeaders(userInfo user.Info, requestHeaders http.Header) http.Header {
 	newHeaders := http.Header{}
 	newHeaders.Set("Impersonate-User", userInfo.GetName())

internal/concierge/impersonator/impersonator_test.go

@@ -127,6 +127,30 @@ func TestImpersonator(t *testing.T) {
 			},
 			wantCreationErr: "could not get in-cluster transport: using a custom transport with TLS certificate options or the insecure flag is not allowed",
 		},
+		{
+			name:           "Impersonate-User header already in request",
+			getKubeconfig:  func() (*rest.Config, error) { return &testServerKubeconfig, nil },
+			request:        newRequest(map[string][]string{"Impersonate-User": {"some-user"}}),
+			wantHTTPBody:   "impersonation header already exists\n",
+			wantHTTPStatus: http.StatusBadRequest,
+			wantLogs:       []string{"\"error\"=\"\\\"Impersonate-User\\\" header already exists\" \"msg\"=\"impersonation header already exists\" \"method\"=\"GET\" \"url\"=\"http://pinniped.dev/blah\""},
+		},
+		{
+			name:           "Impersonate-Group header already in request",
+			getKubeconfig:  func() (*rest.Config, error) { return &testServerKubeconfig, nil },
+			request:        newRequest(map[string][]string{"Impersonate-Group": {"some-group"}}),
+			wantHTTPBody:   "impersonation header already exists\n",
+			wantHTTPStatus: http.StatusBadRequest,
+			wantLogs:       []string{"\"error\"=\"\\\"Impersonate-Group\\\" header already exists\" \"msg\"=\"impersonation header already exists\" \"method\"=\"GET\" \"url\"=\"http://pinniped.dev/blah\""},
+		},
+		{
+			name:           "Impersonate-Extra header already in request",
+			getKubeconfig:  func() (*rest.Config, error) { return &testServerKubeconfig, nil },
+			request:        newRequest(map[string][]string{"Impersonate-Extra-something": {"something"}}),
+			wantHTTPBody:   "impersonation header already exists\n",
+			wantHTTPStatus: http.StatusBadRequest,
+			wantLogs:       []string{"\"error\"=\"\\\"Impersonate-Extra-\\\" header already exists\" \"msg\"=\"impersonation header already exists\" \"method\"=\"GET\" \"url\"=\"http://pinniped.dev/blah\""},
+		},
 		{
 			name:           "missing authorization header",
 			getKubeconfig:  func() (*rest.Config, error) { return &testServerKubeconfig, nil },