From 7745e63d0f43813ed74ef0a40a4f24728ee6bc81 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 24 Jan 2025 09:47:17 +0100
Subject: [PATCH] www/caddy: Add copy_headers selectpicker to Auth Provider
tab. Authorization header added. (#4496)
---
www/caddy/Makefile | 3 +--
www/caddy/pkg-descr | 6 ++++++
.../OPNsense/Caddy/forms/general.xml | 7 +++++++
.../mvc/app/models/OPNsense/Caddy/Caddy.xml | 21 +++++++++++++++++++
.../OPNsense/Caddy/includeAuthProvider | 12 +++++++++--
5 files changed, 45 insertions(+), 4 deletions(-)
diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index d876e47e5..0a03f1284 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,6 +1,5 @@
PLUGIN_NAME= caddy
-PLUGIN_VERSION= 1.8.0
-PLUGIN_REVISION= 2
+PLUGIN_VERSION= 1.8.1
PLUGIN_DEPENDS= caddy-custom
PLUGIN_COMMENT= Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
PLUGIN_MAINTAINER= cedrik@pischem.com
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 716a22aa4..c9583ba43 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -13,6 +13,12 @@ DOC: https://docs.opnsense.org/manual/how-tos/caddy.html
Plugin Changelog
================
+1.8.1
+
+* Add: Optional "Authorization" header to forward_auth (opnsense/plugins/issues/4488)
+* Add: Persistent banner notification if custom imports are used (opnsense/plugins/issues/4244)
+* Cleanup: Implement reusable grid template in views (opnsense/plugins/pull/4454)
+
1.8.0
* Build: Update Caddy to version 2.9.x and update dependencies (opnsense/plugins/issues/4437)
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
index 60d604eaf..ca6b843ec 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
@@ -227,6 +227,13 @@
text
+
+ caddy.general.AuthCopyHeaders
+
+ select_multiple
+
+
+
general-settings
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index 70f09cc37..49bd641f3 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -167,6 +167,27 @@
/^(\/.*)?$/u
Please enter a valid 'URI' that starts with '/'.
+
+ Y
+
+ Authorization
+ Remote-User
+ Remote-Groups
+ Remote-Name
+ Remote-Email
+ X-Authentik-Username
+ X-Authentik-Groups
+ X-Authentik-Email
+ X-Authentik-Name
+ X-Authentik-Uid
+ X-Authentik-Jwt
+ X-Authentik-Meta-Jwks
+ X-Authentik-Meta-Outpost
+ X-Authentik-Meta-Provider
+ X-Authentik-Meta-App
+ X-Authentik-Meta-Version
+
+
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeAuthProvider b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeAuthProvider
index 8dd207f85..f179fc845 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeAuthProvider
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeAuthProvider
@@ -12,7 +12,11 @@
{% if generalSettings.AuthToUri %}
uri {{ generalSettings.AuthToUri|default("") }}
{% endif %}
- copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
+ {% if generalSettings.AuthCopyHeaders|default("") == "" %}
+ copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
+ {% else %}
+ copy_headers {{ generalSettings.AuthCopyHeaders.split(',') | join(' ') }}
+ {% endif %}
}
{% elif generalSettings.AuthProvider == 'authentik' %}
reverse_proxy /outpost.goauthentik.io/* {{ auth_url }} {
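Review bot: A non-empty `AuthCopyHeaders` replaces the provider's default list instead of extending it, here and in the authentik branch of the second hunk, so selecting only `Authorization` stops `Remote-User`/`Remote-Groups` (or the `X-Authentik-*` set) from being copied. As far as I know, forward_auth only sets the headers named in `copy_headers`, so an identity header dropped from the list would reach the upstream with whatever value the client sent, and a backend that trusts it would need it stripped elsewhere. The option list in Caddy.xml is also shared by both providers, and nothing visible ties a selection to `generalSettings.AuthProvider`, so an Authelia setup could end up copying only `X-Authentik-*` names. Consider emitting the provider defaults plus the selection, or at least adding a template comment such as `{# a selection replaces the provider defaults; headers left out are not overwritten by forward_auth #}` with matching help text on the form field. Both `forward_auth` blocks start outside the hunks.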
@@ -24,6 +28,10 @@
{% if generalSettings.AuthToUri %}
uri {{ generalSettings.AuthToUri|default("") }}
{% endif %}
- copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+ {% if generalSettings.AuthCopyHeaders|default("") == "" %}
+ copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+ {% else %}
+ copy_headers {{ generalSettings.AuthCopyHeaders.split(',') | join(' ') }}
+ {% endif %}
}
{% endif %}