app/vmauth: add ability to read auth tokens from multiple http request headers

This is needed for VictoriaMetrics Cloud, where the same token could be passed either
via Authorization or via X-Amz-Firehose-Access-Key header - see 4487dac30b (r140500722)

This is a follow-up for 4487dac30b

Updates https://github.com/VictoriaMetrics/VictoriaMetrics/pull/6009
Aliaksandr Valialkin 2024-04-02 19:26:49 +03:00
parent 9bd3cadce6
commit 21bfb66650
No known key found for this signature in database
GPG Key ID: 52C003EE2BCDB9EB
3 changed files with 31 additions and 15 deletions


@ -43,7 +43,7 @@ var (
"This may be useful when url_prefix points to a hostname with dynamically scaled instances behind it. See https://docs.victoriametrics.com/vmauth.html#discovering-backend-ips")
discoverBackendIPsInterval = flag.Duration("discoverBackendIPsInterval", 10*time.Second, "The interval for re-discovering backend IPs if -discoverBackendIPs command-line flag is set. "+
"Too low value may lead to DNS errors")
httpAuthHeader = flag.String("httpAuthHeader", "Authorization", "HTTP request header to use for obtaining authorization tokens")
httpAuthHeader = flagutil.NewArrayString("httpAuthHeader", "HTTP request header to use for obtaining authorization tokens. By default auth tokens are read from Authorization request header")
)
// AuthConfig represents auth config.
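Review bot: the new description still says "HTTP request header" in the singular although the flag has become a `flagutil.NewArrayString`; the changelog entry in this same commit already says "arbitrary HTTP request headers". Suggest "HTTP request headers to use for obtaining authorization tokens. By default auth tokens are read from the Authorization request header" so the -help output matches the new behaviour.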
@ -909,19 +909,26 @@ func getHTTPAuthBasicToken(username, password string) string {
return "http_auth:Basic " + token64
}
var defaultHeaderNames = []string{"Authorization"}
func getAuthTokensFromRequest(r *http.Request) []string {
var ats []string
// Obtain possible auth tokens from one of allowed auth headers
headerName := *httpAuthHeader
if ah := r.Header.Get(headerName); ah != "" {
if headerName == "Authorization" && strings.HasPrefix(ah, "Token ") {
// Handle InfluxDB's proprietary token authentication scheme as a bearer token authentication
// See https://docs.influxdata.com/influxdb/v2.0/api/
ah = strings.Replace(ah, "Token", "Bearer", 1)
// Obtain possible auth tokens from one of the allowed auth headers
headerNames := *httpAuthHeader
if len(headerNames) == 0 {
headerNames = defaultHeaderNames
}
for _, headerName := range headerNames {
if ah := r.Header.Get(headerName); ah != "" {
if strings.HasPrefix(ah, "Token ") {
// Handle InfluxDB's proprietary token authentication scheme as a bearer token authentication
// See https://docs.influxdata.com/influxdb/v2.0/api/
ah = strings.Replace(ah, "Token", "Bearer", 1)
}
at := "http_auth:" + ah
ats = append(ats, at)
}
at := "http_auth:" + ah
ats = append(ats, at)
}
return ats
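Review bot: the `Token ` to `Bearer ` rewrite has silently widened in scope. The removed condition `if headerName == "Authorization" && strings.HasPrefix(ah, "Token ")` applied the InfluxDB rewrite only to the Authorization header, while the new loop body `if strings.HasPrefix(ah, "Token ")` applies it to every header listed in -httpAuthHeader, so a value in X-Amz-Firehose-Access-Key that happens to start with `Token ` would be rewritten to `Bearer ...` before lookup. Either keep the `headerName == "Authorization"` guard inside the loop or state the intended change in the commit message. A comment on the loop would also help: headers are checked in the order given on the command line, and a request that carries several of the configured headers yields several candidate tokens in `ats`, since each non-empty header is appended rather than the first match being returned.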


@ -38,7 +38,7 @@ See also [LTS releases](https://docs.victoriametrics.com/lts-releases/).
* FEATURE: [vmauth](https://docs.victoriametrics.com/vmauth/): allow discovering ip addresses for backend instances hidden behind a shared hostname, via `discover_backend_ips: true` option. This allows evenly spreading load among backend instances. See [these docs](https://docs.victoriametrics.com/vmauth/#discovering-backend-ips) and [this feature request](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/5707).
* FEATURE: [vmauth](https://docs.victoriametrics.com/vmauth/): allow routing incoming requests based on HTTP [query args](https://en.wikipedia.org/wiki/Query_string) via `src_query_args` option at `url_map`. See [these docs](https://docs.victoriametrics.com/vmauth/#generic-http-proxy-for-different-backends) and [this feature request](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/5878).
* FEATURE: [vmauth](https://docs.victoriametrics.com/vmauth/): allow routing incoming requests based on HTTP request headers via `src_headers` option at `url_map`. See [these docs](https://docs.victoriametrics.com/vmauth/#generic-http-proxy-for-different-backends).
* FEATURE: [vmauth](https://docs.victoriametrics.com/vmauth/): add ability to read auth tokens from arbitrary HTTP request header. Previously auth tokens were read only from `Authorization` HTTP request header. See [these docs](https://docs.victoriametrics.com/vmauth/#reading-auth-tokens-from-other-http-headers) for details.
* FEATURE: [vmauth](https://docs.victoriametrics.com/vmauth/): add ability to read auth tokens from arbitrary HTTP request headers. Previously auth tokens were read only from `Authorization` HTTP request header. See [these docs](https://docs.victoriametrics.com/vmauth/#reading-auth-tokens-from-other-http-headers) for details.
* FEATURE: [stream aggregation](https://docs.victoriametrics.com/stream-aggregation/): reduce memory usage by up to 5x when aggregating over big number of unique [time series](https://docs.victoriametrics.com/keyconcepts/#time-series). The memory usage reduction is most visible when [stream deduplication](https://docs.victoriametrics.com/stream-aggregation/#deduplication) is enabled.
* FEATURE: [stream aggregation](https://docs.victoriametrics.com/stream-aggregation/): allow using `-streamAggr.dedupInterval` and `-remoteWrite.streamAggr.dedupInterval` command-line flags without the need to specify `-streamAggr.config` and `-remoteWrite.streamAggr.config`. See [these docs](https://docs.victoriametrics.com/stream-aggregation/#deduplication).
* FEATURE: [stream aggregation](https://docs.victoriametrics.com/stream-aggregation/): add `-streamAggr.dropInputLabels` command-line flag, which can be used for dropping the listed labels from input samples before applying stream [de-duplication](https://docs.victoriametrics.com/stream-aggregation/#deduplication) and aggregation. This is faster and easier to use alternative to [input_relabel_configs](https://docs.victoriametrics.com/stream-aggregation/#relabeling). See [these docs](https://docs.victoriametrics.com/stream-aggregation/#dropping-unneeded-labels).


@ -635,11 +635,18 @@ See config example of using IP filters [here](https://github.com/VictoriaMetrics
## Reading auth tokens from other HTTP headers
`vmauth` reads `username`, `password` and `bearer_token` [config values](#auth-config) from `Authorization` request header.
It is possible to read these values from any other request header by specifying it via `-httpAuthHeader` command-line flag.
It is possible to read these auth tokens from any other request header by specifying it via `-httpAuthHeader` command-line flag.
For example, the following command instructs `vmauth` to read auth token from `X-Amz-Firehose-Access-Key` header:
```
./vmauth -httpAuthHeader=X-Amz-Firehose-Access-Key
./vmauth -httpAuthHeader='X-Amz-Firehose-Access-Key'
```
It is possible to read auth tokens from multiple headers. For example, the following command instructs `vmauth` to read auth token
from both `Authorization` and `X-Amz-Firehose-Access-Key` headers:
```
./vmauth -httpAuthHeader='Authorization' -httpAuthHeader='X-Amz-Firehose-Access-Key'
```
## Auth config
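Review bot: the docs should say that -httpAuthHeader replaces the default rather than extending it. With the code in this change (`if len(headerNames) == 0 { headerNames = defaultHeaderNames }`), running `./vmauth -httpAuthHeader='X-Amz-Firehose-Access-Key'` as in the first example stops vmauth from reading the Authorization header at all, which is why the second example has to list both headers. A sentence after the first example such as "When -httpAuthHeader is set, the Authorization header is read only if it is listed explicitly" would keep operators from locking out existing Authorization-based clients when they add a second header.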
@ -1003,8 +1010,10 @@ See the docs at https://docs.victoriametrics.com/vmauth.html .
Flag value can be read from the given file when using -httpAuth.password=file:///abs/path/to/file or -httpAuth.password=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -httpAuth.password=http://host/path or -httpAuth.password=https://host/path
-httpAuth.username string
Username for HTTP server's Basic Auth. The authentication is disabled if empty. See also -httpAuth.password
-httpAuthHeader string
HTTP request header to use for obtaining authorization tokens (default "Authorization")
-httpAuthHeader array
HTTP request header to use for obtaining authorization tokens. By default auth tokens are read from Authorization request header
Supports an array of values separated by comma or specified via multiple flags.
Value can contain comma inside single-quoted or double-quoted string, {}, [] and () braces.
-httpListenAddr array
TCP address to listen for incoming http requests. See also -tls and -httpListenAddr.useProxyProtocol
Supports an array of values separated by comma or specified via multiple flags.