Added testing and doctest

crivetimihai · crivetimihai · commit 5090875a2238 · 2025-08-08T05:30:26.000+01:00
Signed-off-by: Mihai Criveti &lt;crivetimihai@gmail.com&gt;
diff --git a/mcpgateway/static/admin.js b/mcpgateway/static/admin.js
@@ -2472,10 +2472,16 @@ async function editGateway(gatewayId) {
         }
 
         // Handle passthrough headers
-        const passthroughHeadersField = safeGetElement("edit-gateway-passthrough-headers");
+        const passthroughHeadersField = safeGetElement(
+            "edit-gateway-passthrough-headers",
+        );
         if (passthroughHeadersField) {
-            if (gateway.passthroughHeaders && Array.isArray(gateway.passthroughHeaders)) {
-                passthroughHeadersField.value = gateway.passthroughHeaders.join(", ");
+            if (
+                gateway.passthroughHeaders &&
+                Array.isArray(gateway.passthroughHeaders)
+            ) {
+                passthroughHeadersField.value =
+                    gateway.passthroughHeaders.join(", ");
             } else {
                 passthroughHeadersField.value = "";
             }
@@ -3778,16 +3784,24 @@ async function runToolTest() {
             "Content-Type": "application/json",
         };
 
-        const passthroughHeadersField = document.getElementById("test-passthrough-headers");
+        const passthroughHeadersField = document.getElementById(
+            "test-passthrough-headers",
+        );
         if (passthroughHeadersField && passthroughHeadersField.value.trim()) {
-            const headerLines = passthroughHeadersField.value.trim().split('\n');
+            const headerLines = passthroughHeadersField.value
+                .trim()
+                .split("\n");
             for (const line of headerLines) {
                 const trimmedLine = line.trim();
                 if (trimmedLine) {
-                    const colonIndex = trimmedLine.indexOf(':');
+                    const colonIndex = trimmedLine.indexOf(":");
                     if (colonIndex > 0) {
-                        const headerName = trimmedLine.substring(0, colonIndex).trim();
-                        const headerValue = trimmedLine.substring(colonIndex + 1).trim();
+                        const headerName = trimmedLine
+                            .substring(0, colonIndex)
+                            .trim();
+                        const headerValue = trimmedLine
+                            .substring(colonIndex + 1)
+                            .trim();
                         if (headerName && headerValue) {
                             requestHeaders[headerName] = headerValue;
                         }
@@ -4546,13 +4560,16 @@ async function handleGatewayFormSubmit(e) {
         if (passthroughHeadersString && passthroughHeadersString.trim()) {
             // Split by comma and clean up each header name
             const passthroughHeaders = passthroughHeadersString
-                .split(',')
-                .map(header => header.trim())
-                .filter(header => header.length > 0);
+                .split(",")
+                .map((header) => header.trim())
+                .filter((header) => header.length > 0);
 
             // Remove the original string and add as JSON array
             formData.delete("passthrough_headers");
-            formData.append("passthrough_headers", JSON.stringify(passthroughHeaders));
+            formData.append(
+                "passthrough_headers",
+                JSON.stringify(passthroughHeaders),
+            );
         }
 
         const response = await fetchWithTimeout(
@@ -4967,12 +4984,16 @@ async function handleEditGatewayFormSubmit(e) {
         }
 
         // Handle passthrough headers
-        const passthroughHeadersString = formData.get("passthrough_headers") || "";
+        const passthroughHeadersString =
+            formData.get("passthrough_headers") || "";
         const passthroughHeaders = passthroughHeadersString
-            .split(',')
-            .map(header => header.trim())
-            .filter(header => header.length > 0);
-        formData.append("passthrough_headers", JSON.stringify(passthroughHeaders));
+            .split(",")
+            .map((header) => header.trim())
+            .filter((header) => header.length > 0);
+        formData.append(
+            "passthrough_headers",
+            JSON.stringify(passthroughHeaders),
+        );
 
         const isInactiveCheckedBool = isInactiveChecked("gateways");
         formData.append("is_inactive_checked", isInactiveCheckedBool);
diff --git a/mcpgateway/templates/admin.html b/mcpgateway/templates/admin.html
@@ -2221,7 +2221,9 @@ <h3 class="text-lg font-bold mb-4 dark:text-gray-200">
                   >Passthrough Headers</label
                 >
                 <small class="text-gray-500 dark:text-gray-400 block mb-2">
-                  List of headers to pass through from client requests (comma-separated, e.g., "Authorization, X-Tenant-Id, X-Trace-Id"). Leave empty to use global defaults.
+                  List of headers to pass through from client requests
+                  (comma-separated, e.g., "Authorization, X-Tenant-Id,
+                  X-Trace-Id"). Leave empty to use global defaults.
                 </small>
                 <input
                   type="text"
@@ -2550,11 +2552,15 @@ <h3 class="text-lg font-medium text-gray-900 dark:text-gray-100">
                 </div>
                 <div class="mt-4 border-t pt-4">
                   <div>
-                    <label for="test-passthrough-headers" class="block text-sm font-medium text-gray-700 dark:text-gray-400">
+                    <label
+                      for="test-passthrough-headers"
+                      class="block text-sm font-medium text-gray-700 dark:text-gray-400"
+                    >
                       Passthrough Headers (Optional)
                     </label>
                     <small class="text-gray-500 dark:text-gray-400 block mb-2">
-                      Additional headers to send with the request (format: "Header-Name: Value", one per line)
+                      Additional headers to send with the request (format:
+                      "Header-Name: Value", one per line)
                     </small>
                     <textarea
                       id="test-passthrough-headers"
@@ -3489,11 +3495,16 @@ <h3 class="text-lg font-medium text-gray-900 dark:text-gray-100">
                       </div>
                     </div>
                     <div>
-                      <label class="block text-sm font-medium text-gray-700 dark:text-gray-400"
+                      <label
+                        class="block text-sm font-medium text-gray-700 dark:text-gray-400"
                         >Passthrough Headers</label
                       >
-                      <small class="text-gray-500 dark:text-gray-400 block mb-2">
-                        List of headers to pass through from client requests (comma-separated, e.g., "Authorization, X-Tenant-Id, X-Trace-Id"). Leave empty to use global defaults.
+                      <small
+                        class="text-gray-500 dark:text-gray-400 block mb-2"
+                      >
+                        List of headers to pass through from client requests
+                        (comma-separated, e.g., "Authorization, X-Tenant-Id,
+                        X-Trace-Id"). Leave empty to use global defaults.
                       </small>
                       <input
                         type="text"
diff --git a/mcpgateway/utils/passthrough_headers.py b/mcpgateway/utils/passthrough_headers.py
@@ -1,4 +1,43 @@
 # -*- coding: utf-8 -*-
+"""HTTP Header Passthrough Utilities.
+
+Copyright 2025
+SPDX-License-Identifier: Apache-2.0
+Authors: Mihai Criveti
+
+This module provides utilities for handling HTTP header passthrough functionality
+in the MCP Gateway. It enables forwarding of specific headers from incoming
+client requests to backing MCP servers while preventing conflicts with
+existing authentication mechanisms.
+
+Key Features:
+- Global configuration support via environment variables and database
+- Per-gateway header configuration overrides
+- Intelligent conflict detection with existing authentication headers
+- Security-first approach with explicit allowlist handling
+- Comprehensive logging for debugging and monitoring
+
+The header passthrough system follows a priority hierarchy:
+1. Gateway-specific headers (highest priority)
+2. Global database configuration
+3. Environment variable defaults (lowest priority)
+
+Example Usage:
+    Basic header passthrough with global configuration:
+    >>> from unittest.mock import Mock
+    >>> mock_db = Mock()
+    >>> mock_global_config = Mock()
+    >>> mock_global_config.passthrough_headers = ["X-Tenant-Id"]
+    >>> mock_db.query.return_value.first.return_value = mock_global_config
+    >>> headers = get_passthrough_headers(
+    ...     request_headers={"x-tenant-id": "123"},
+    ...     base_headers={"Content-Type": "application/json"},
+    ...     db=mock_db
+    ... )
+    >>> sorted(headers.items())
+    [('Content-Type', 'application/json'), ('X-Tenant-Id', '123')]
+"""
+
 # Standard
 import logging
 from typing import Dict, Optional
@@ -17,14 +56,113 @@
 def get_passthrough_headers(request_headers: Dict[str, str], base_headers: Dict[str, str], db: Session, gateway: Optional[DbGateway] = None) -> Dict[str, str]:
     """Get headers that should be passed through to the target gateway.
 
+    This function implements the core logic for HTTP header passthrough in the MCP Gateway.
+    It determines which headers from incoming client requests should be forwarded to
+    backing MCP servers based on configuration settings and security policies.
+
+    Configuration Priority (highest to lowest):
+    1. Gateway-specific passthrough_headers setting
+    2. Global database configuration (GlobalConfig.passthrough_headers)
+    3. Environment variable DEFAULT_PASSTHROUGH_HEADERS
+
+    Security Features:
+    - Prevents conflicts with existing base headers (e.g., Content-Type)
+    - Blocks Authorization header conflicts with gateway authentication
+    - Logs all conflicts and skipped headers for debugging
+    - Uses case-insensitive header matching for robustness
+
     Args:
-        request_headers: Headers from the incoming request
-        base_headers: Base headers that should always be included
-        gateway: Target gateway (optional)
-        db: Database session for global config lookup
+        request_headers (Dict[str, str]): Headers from the incoming HTTP request.
+            Keys should be header names, values should be header values.
+            Example: {"Authorization": "Bearer token123", "X-Tenant-Id": "acme"}
+        base_headers (Dict[str, str]): Base headers that should always be included
+            in the final result. These take precedence over passthrough headers.
+            Example: {"Content-Type": "application/json", "User-Agent": "MCPGateway/1.0"}
+        db (Session): SQLAlchemy database session for querying global configuration.
+            Used to retrieve GlobalConfig.passthrough_headers setting.
+        gateway (Optional[DbGateway]): Target gateway instance. If provided, uses
+            gateway.passthrough_headers to override global settings. Also checks
+            gateway.auth_type to prevent Authorization header conflicts.
 
     Returns:
-        Dict of headers that should be passed through
+        Dict[str, str]: Combined dictionary of base headers plus allowed passthrough
+            headers from the request. Base headers are preserved, and passthrough
+            headers are added only if they don't conflict with security policies.
+
+    Raises:
+        No exceptions are raised. Errors are logged as warnings and processing continues.
+        Database connection issues may propagate from the db.query() call.
+
+    Examples:
+        Basic usage with global configuration:
+        >>> # Mock database and settings for doctest
+        >>> from unittest.mock import Mock, MagicMock
+        >>> mock_db = Mock()
+        >>> mock_global_config = Mock()
+        >>> mock_global_config.passthrough_headers = ["X-Tenant-Id", "X-Trace-Id"]
+        >>> mock_db.query.return_value.first.return_value = mock_global_config
+        >>>
+        >>> request_headers = {
+        ...     "authorization": "Bearer token123",
+        ...     "x-tenant-id": "acme-corp",
+        ...     "x-trace-id": "trace-456",
+        ...     "user-agent": "TestClient/1.0"
+        ... }
+        >>> base_headers = {"Content-Type": "application/json"}
+        >>>
+        >>> result = get_passthrough_headers(request_headers, base_headers, mock_db)
+        >>> sorted(result.items())
+        [('Content-Type', 'application/json'), ('X-Tenant-Id', 'acme-corp'), ('X-Trace-Id', 'trace-456')]
+
+        Gateway-specific configuration override:
+        >>> mock_gateway = Mock()
+        >>> mock_gateway.passthrough_headers = ["X-Custom-Header"]
+        >>> mock_gateway.auth_type = None
+        >>> request_headers = {
+        ...     "x-custom-header": "custom-value",
+        ...     "x-tenant-id": "should-be-ignored"
+        ... }
+        >>>
+        >>> result = get_passthrough_headers(request_headers, base_headers, mock_db, mock_gateway)
+        >>> sorted(result.items())
+        [('Content-Type', 'application/json'), ('X-Custom-Header', 'custom-value')]
+
+        Authorization header conflict with basic auth:
+        >>> mock_gateway.auth_type = "basic"
+        >>> mock_gateway.passthrough_headers = ["Authorization", "X-Tenant-Id"]
+        >>> request_headers = {
+        ...     "authorization": "Bearer should-be-blocked",
+        ...     "x-tenant-id": "acme-corp"
+        ... }
+        >>>
+        >>> result = get_passthrough_headers(request_headers, base_headers, mock_db, mock_gateway)
+        >>> sorted(result.items())  # Authorization blocked due to basic auth conflict
+        [('Content-Type', 'application/json'), ('X-Tenant-Id', 'acme-corp')]
+
+        Base header conflict prevention:
+        >>> base_headers_with_conflict = {"Content-Type": "application/json", "x-tenant-id": "from-base"}
+        >>> request_headers = {"x-tenant-id": "from-request"}
+        >>> mock_gateway.auth_type = None
+        >>> mock_gateway.passthrough_headers = ["X-Tenant-Id"]
+        >>>
+        >>> result = get_passthrough_headers(request_headers, base_headers_with_conflict, mock_db, mock_gateway)
+        >>> result["x-tenant-id"]  # Base header preserved, request header blocked
+        'from-base'
+
+        Empty allowed headers (no passthrough):
+        >>> empty_global_config = Mock()
+        >>> empty_global_config.passthrough_headers = []
+        >>> mock_db.query.return_value.first.return_value = empty_global_config
+        >>>
+        >>> request_headers = {"x-tenant-id": "should-be-ignored"}
+        >>> result = get_passthrough_headers(request_headers, {"Content-Type": "application/json"}, mock_db)
+        >>> result
+        {'Content-Type': 'application/json'}
+
+    Note:
+        Header names are matched case-insensitively but preserved in their original
+        case from the allowed_headers configuration. Request header values are
+        matched case-insensitively against the request_headers dictionary.
     """
     passthrough_headers = base_headers.copy()
 
diff --git a/tests/unit/mcpgateway/utils/test_passthrough_headers.py b/tests/unit/mcpgateway/utils/test_passthrough_headers.py
