Added X-Openrun-Rbac-Enabled header to indicate whether RBAC is enabled

Author: akclace

CHANGELOG.md

@@ -7,6 +7,10 @@ This project uses [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+### Added
+
+- Support for passing `X-Openrun-Rbac-Enabled` header to the proxied downstream service. Value is true if RBAC is enabled for app, false otherwise.
+
 ## [0.15.9] - 2025-10-22
 
 ### Added

internal/app/setup.go

@@ -860,6 +860,7 @@ func (a *App) addProxyConfig(count int, router *chi.Mux, proxyDef *starlarkstruc
 				}
 			}
 
+			// Add X-Openrun- headers to request
 			customPerms := make([]string, 0)
 			if a.rbacApi != nil {
 				customPerms, err = a.rbacApi.GetCustomPermissions(r.Context())
@@ -875,6 +876,11 @@ func (a *App) addProxyConfig(count int, router *chi.Mux, proxyDef *starlarkstruc
 				}
 			}
 			r.Header.Set(types.OPENRUN_HEADER_USER, userId)
+			appRBACEnabled := false
+			if a.rbacApi != nil {
+				appRBACEnabled = a.rbacApi.IsAppRBACEnabled(r.Context())
+			}
+			r.Header.Set(types.OPENRUN_HEADER_APP_RBAC_ENABLED, strconv.FormatBool(appRBACEnabled))
 
 			// Set the response headers
 			for key, value := range responseHeaders {

internal/app/tests/proxy_test.go

@@ -32,6 +32,9 @@ func (t *testRBAC) GetCustomPermissions(ctx context.Context) ([]string, error) {
 	return t.perms, nil
 }
 
+func (t *testRBAC) IsAppRBACEnabled(ctx context.Context) bool {
+	return true
+}
 func TestProxyBasics(t *testing.T) {
 	testServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.URL.Path != "/abc" {
@@ -676,9 +679,11 @@ func TestProxyUserAndPermsHeaders(t *testing.T) {
 	// Test that X-Openrun-User and X-Openrun-Perms headers are passed to proxied endpoint
 	var receivedUser string
 	var receivedPerms string
+	var receivedRBACEnabled string
 	testServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		receivedUser = r.Header.Get("X-Openrun-User")
 		receivedPerms = r.Header.Get("X-Openrun-Perms")
+		receivedRBACEnabled = r.Header.Get("X-Openrun-Rbac-Enabled")
 		io.WriteString(w, "test contents") //nolint:errcheck
 	}))
 
@@ -694,19 +699,6 @@ permissions=[
 )`, testServer.URL),
 	}
 
-	/*
-		// Create custom authorizer and perms func
-		_ := func(ctx context.Context, permissions []string) (bool, error) {
-			// Always allow
-			return true, nil
-		}
-
-		_ := func(ctx context.Context) ([]string, error) {
-			// Return custom permissions
-			return []string{"read:data", "write:data", "admin"}, nil
-		}
-	*/
-
 	a, _, err := CreateTestAppAuthorizer(logger, fileData, []string{"proxy.in"},
 		[]types.Permission{
 			{Plugin: "proxy.in", Method: "config"},
@@ -728,6 +720,7 @@ permissions=[
 	// Verify the headers were passed to the proxied endpoint
 	testutil.AssertEqualsString(t, "X-Openrun-User", types.ANONYMOUS_USER, receivedUser)
 	testutil.AssertEqualsString(t, "X-Openrun-Perms", "read:data,write:data,admin", receivedPerms)
+	testutil.AssertEqualsString(t, "X-Openrun-Rbac-Enabled", "true", receivedRBACEnabled)
 }
 
 func TestProxyUserHeaderWithAuthentication(t *testing.T) {
@@ -752,19 +745,6 @@ permissions=[
 )`, testServer.URL),
 	}
 
-	/*
-		// Create custom authorizer that sets a user in context
-		authorizer := func(ctx context.Context, permissions []string) (bool, error) {
-			// Always allow
-			return true, nil
-		}
-
-		customPermsFunc := func(ctx context.Context) ([]string, error) {
-			// Return empty custom permissions
-			return []string{}, nil
-		}
-	*/
-
 	a, _, err := CreateTestAppAuthorizer(logger, fileData, []string{"proxy.in"},
 		[]types.Permission{
 			{Plugin: "proxy.in", Method: "config"},

internal/rbac/rbac_api.go

@@ -5,6 +5,7 @@ package rbac
 
 import (
 	"context"
+	"strings"
 
 	"github.com/openrundev/openrun/internal/types"
 )
@@ -46,10 +47,29 @@ func (h *RBACManager) GetCustomPermissions(ctx context.Context) ([]string, error
 	return h.GetCustomPermissionsInt(userId, appPathDomain, appAuth, groups)
 }
 
+// IsAppRBACEnabled checks if the RBAC is enabled for the current app
+func (h *RBACManager) IsAppRBACEnabled(ctx context.Context) bool {
+	h.mu.RLock()
+	defer h.mu.RUnlock()
+	if !h.RbacConfig.Enabled {
+		// rbac is not enabled at the config level
+		return false
+	}
+
+	appAuth := string(ctx.Value(types.APP_AUTH).(types.AppAuthnType))
+	if !strings.HasPrefix(appAuth, RBAC_AUTH_PREFIX) {
+		// app auth does not have rbac enabled
+		return false
+	}
+
+	return true
+}
+
 type RBACAPI interface {
 	AuthorizeAny(ctx context.Context, permissions []string) (bool, error)
 	Authorize(ctx context.Context, permission types.RBACPermission, isAppLevelPermission bool) (bool, error)
 	GetCustomPermissions(ctx context.Context) ([]string, error)
+	IsAppRBACEnabled(ctx context.Context) bool
 }
 
 var _ RBACAPI = (*RBACManager)(nil)

internal/types/types.go

@@ -744,7 +744,8 @@ const (
 
 const (
 	// OpenRun headers are used to pass information to the downstream service
-	OPENRUN_HEADER_PREFIX = "X-Openrun-"
-	OPENRUN_HEADER_USER   = OPENRUN_HEADER_PREFIX + "User"
-	OPENRUN_HEADER_PERMS  = OPENRUN_HEADER_PREFIX + "Perms"
+	OPENRUN_HEADER_PREFIX           = "X-Openrun-"
+	OPENRUN_HEADER_USER             = OPENRUN_HEADER_PREFIX + "User"
+	OPENRUN_HEADER_PERMS            = OPENRUN_HEADER_PREFIX + "Perms"
+	OPENRUN_HEADER_APP_RBAC_ENABLED = OPENRUN_HEADER_PREFIX + "Rbac-Enabled"
 )