disallow setting Content-Type and Authorization headers

Author: AndrewChubatiuk

internal/validations/observability/outputs/validate.go

@@ -29,6 +29,8 @@ func Validate(context internalcontext.ForwarderContext) {
 			messages = append(messages, validateHttpContentTypeHeaders(out)...)
 		case obs.OutputTypeLokiStack, obs.OutputTypeOTLP:
 			messages = append(messages, ValidateTechPreviewAnnotation(out, context)...)
+		case obs.OutputTypeElasticsearch:
+			messages = append(messages, validateElasticsearchHeaders(out)...)
 		}
 		// Set condition
 		if len(messages) > 0 {

internal/validations/observability/outputs/validate_elasticsearch_headers.go

@@ -0,0 +1,26 @@
+package outputs
+
+import (
+	"fmt"
+	log "github.com/ViaQ/logerr/v2/log/static"
+	obs "github.com/openshift/cluster-logging-operator/api/observability/v1"
+	"strings"
+)
+
+// validateElasticsearchHeaders will validate Elasticsearch custom headers
+// it's not allowed to pass "Authorization" and "Content-Type" headers
+func validateElasticsearchHeaders(output obs.OutputSpec) (results []string) {
+	if output.Type == obs.OutputTypeElasticsearch && output.Elasticsearch != nil && len(output.Elasticsearch.Headers) > 0 {
+		var invalidHeaders []string
+		for headerName := range output.Elasticsearch.Headers {
+			if strings.ToLower(headerName) == "authorization" || strings.ToLower(headerName) == "content-type" {
+				invalidHeaders = append(invalidHeaders, headerName)
+			}
+			if len(invalidHeaders) > 0 {
+				log.V(3).Info("validateElasticsearchHeaders failed", "reason", "invalid headers found: ", strings.Join(invalidHeaders, ","))
+				results = append(results, fmt.Sprintf("invalid headers found: %s", strings.Join(invalidHeaders, ",")))
+			}
+		}
+	}
+	return results
+}

internal/validations/observability/outputs/validate_elasticsearch_headers_test.go

@@ -0,0 +1,55 @@
+package outputs
+
+import (
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	"github.com/openshift/cluster-logging-operator/api/observability/v1"
+)
+
+var _ = Describe("[internal][validations] ClusterLogForwarder will validate headers in Elasticsearch Output", func() {
+	var (
+		es   *v1.Elasticsearch
+		spec v1.OutputSpec
+	)
+	BeforeEach(func() {
+		es = &v1.Elasticsearch{}
+		spec = v1.OutputSpec{
+			Name:          "esOutput",
+			Type:          v1.OutputTypeElasticsearch,
+			Elasticsearch: es,
+		}
+	})
+
+	Context("#validateElasticsearchHeaders", func() {
+
+		It("should pass validation with empty headers", func() {
+			Expect(validateElasticsearchHeaders(spec)).To(BeEmpty())
+		})
+		It("should pass validation when no invalid headers set", func() {
+			spec.Elasticsearch.Headers = map[string]string{
+				"Accept": "application/json",
+			}
+			Expect(validateElasticsearchHeaders(spec)).To(BeEmpty())
+		})
+		It("should fail validation when the Content-Type header is set", func() {
+			spec.Elasticsearch.Headers = map[string]string{
+				"Content-Type": "application/json",
+			}
+			Expect(validateElasticsearchHeaders(spec)).ToNot(BeEmpty())
+		})
+		It("should fail validation when the Authorization header is set", func() {
+			spec.Elasticsearch.Headers = map[string]string{
+				"Authorization": "test",
+			}
+			Expect(validateElasticsearchHeaders(spec)).ToNot(BeEmpty())
+		})
+		It("should pass validation when no Elasticsearch Output", func() {
+			spec = v1.OutputSpec{
+				Name:          "esOutput",
+				Type:          v1.OutputTypeElasticsearch,
+				Elasticsearch: &v1.Elasticsearch{},
+			}
+			Expect(validateElasticsearchHeaders(spec)).To(BeEmpty())
+		})
+	})
+})