feat(http_server source): make custom auth type writable in metadata

Author: 20agbekodo

changelog.d/25391_http_server_custom_auth_write_metadata.enhancement.md

@@ -0,0 +1,6 @@
+The `custom` auth strategy for the `http_server` source now supports event enrichment via metadata
+writes. VRL programs can write `%field = value` during authentication; those values are injected
+into every successfully authenticated event. The event body (`.field`) remains read-only. Existing
+`custom` programs that do not write metadata are unaffected.
+
+authors: 20agbekodo

src/common/http/server_auth.rs

@@ -12,6 +12,7 @@ use vector_config::configurable_component;
 use vector_lib::{
     TimeZone, compile_vrl,
     event::{Event, LogEvent, VrlTarget},
+    lookup::OwnedTargetPath,
     sensitive_string::SensitiveString,
 };
 use vector_vrl_metrics::MetricsStorage;
@@ -54,9 +55,11 @@ pub enum HttpServerAuthConfig {
 
     /// Custom authentication using VRL code.
     ///
-    /// Takes in request and validates it using VRL code.
+    /// Takes in request and validates it using VRL code. The VRL program must return a boolean.
+    /// Metadata fields written via `%field = value` in the VRL program are extracted and injected
+    /// into every authenticated event.
     Custom {
-        /// The VRL boolean expression.
+        /// The VRL boolean expression. May write `%field = value` to enrich events.
         source: String,
     },
 }
@@ -151,7 +154,9 @@ impl HttpServerAuthConfig {
                 let mut config = CompileConfig::default();
                 config.set_custom(enrichment_tables.clone());
                 config.set_custom(metrics_storage.clone());
-                config.set_read_only();
+                // Lock the event body (.field) as read-only, but leave metadata (%field) writable
+                // so the VRL program can enrich authenticated events via %field = value.
+                config.set_read_only_path(OwnedTargetPath::event_root(), true);
 
                 let CompilationResult {
                     program,
@@ -182,26 +187,29 @@ impl HttpServerAuthConfig {
 pub enum HttpServerAuthMatcher {
     /// Matcher for comparing exact value of Authorization header
     AuthHeader(HeaderValue, &'static str),
-    /// Matcher for running VRL script for requests, to allow for custom validation
+    /// Matcher for running VRL script for requests, to allow for custom validation.
+    /// Metadata (`%field`) writes in the program are extracted and returned to the caller
+    /// for injection into authenticated events.
     Vrl {
         /// Compiled VRL script
         program: Program,
     },
 }
 
 impl HttpServerAuthMatcher {
-    /// Compares passed headers to the matcher
+    /// Validates the request. Returns `Ok(Some(enrichment))` when auth passes and the VRL program
+    /// wrote `%field` values; returns `Ok(None)` when auth passes with no metadata enrichment.
     pub fn handle_auth(
         &self,
         address: Option<&SocketAddr>,
         headers: &HeaderMap<HeaderValue>,
         path: &str,
-    ) -> Result<(), ErrorMessage> {
+    ) -> Result<Option<ObjectMap>, ErrorMessage> {
         match self {
             HttpServerAuthMatcher::AuthHeader(expected, err_message) => {
                 if let Some(header) = headers.get(AUTHORIZATION) {
                     if expected == header {
-                        Ok(())
+                        Ok(None)
                     } else {
                         Err(ErrorMessage::new(
                             StatusCode::UNAUTHORIZED,
@@ -227,7 +235,7 @@ impl HttpServerAuthMatcher {
         headers: &HeaderMap<HeaderValue>,
         path: &str,
         program: &Program,
-    ) -> Result<(), ErrorMessage> {
+    ) -> Result<Option<ObjectMap>, ErrorMessage> {
         let mut target = VrlTarget::new(
             Event::Log(LogEvent::from_map(
                 ObjectMap::from([
@@ -263,16 +271,22 @@ impl HttpServerAuthMatcher {
             warn!("Handling auth failed: {}", e);
             ErrorMessage::new(StatusCode::UNAUTHORIZED, "Auth failed".to_owned())
         })? {
-            vrl::core::Value::Boolean(result) => {
-                if result {
-                    Ok(())
+            vrl::core::Value::Boolean(true) => {
+                let enrichment = if let VrlTarget::LogEvent(_, metadata) = &target {
+                    metadata
+                        .value()
+                        .as_object()
+                        .filter(|m| !m.is_empty())
+                        .cloned()
                 } else {
-                    Err(ErrorMessage::new(
-                        StatusCode::UNAUTHORIZED,
-                        "Auth failed".to_owned(),
-                    ))
-                }
+                    None
+                };
+                Ok(enrichment)
             }
+            vrl::core::Value::Boolean(false) => Err(ErrorMessage::new(
+                StatusCode::UNAUTHORIZED,
+                "Auth failed".to_owned(),
+            )),
             _ => Err(ErrorMessage::new(
                 StatusCode::UNAUTHORIZED,
                 "Invalid return value".to_owned(),
@@ -643,4 +657,75 @@ mod tests {
         assert_eq!(401, error.code());
         assert_eq!("Auth failed", error.message());
     }
+
+    // Backward-compat: existing `custom` scripts that don't write metadata still work and return
+    // Ok(None) — no enrichment, no change in behavior.
+    #[test]
+    fn custom_auth_matcher_returns_none_enrichment_when_no_metadata_written() {
+        let custom_auth = HttpServerAuthConfig::Custom {
+            source: r#".headers.authorization == "Bearer token""#.to_string(),
+        };
+
+        let matcher = custom_auth
+            .build(&Default::default(), &Default::default())
+            .unwrap();
+
+        let mut headers = HeaderMap::new();
+        headers.insert(AUTHORIZATION, HeaderValue::from_static("Bearer token"));
+        let (_guard, addr) = next_addr();
+        let result = matcher.handle_auth(Some(&addr), &headers, "/");
+
+        assert!(result.is_ok());
+        assert_eq!(
+            None,
+            result.unwrap(),
+            "no metadata written => no enrichment"
+        );
+    }
+
+    // Existing `custom` scripts that write metadata via `%field = value` now enrich events.
+    #[test]
+    fn custom_auth_matcher_returns_enrichment_when_metadata_written() {
+        let custom_auth = HttpServerAuthConfig::Custom {
+            source: indoc! {r#"
+                %tenant_id = "acme"
+                true
+                "#}
+            .to_string(),
+        };
+
+        let matcher = custom_auth
+            .build(&Default::default(), &Default::default())
+            .unwrap();
+
+        let headers = HeaderMap::new();
+        let (_guard, addr) = next_addr();
+        let result = matcher.handle_auth(Some(&addr), &headers, "/");
+
+        assert!(result.is_ok());
+        let enrichment = result.unwrap().expect("expected enrichment map");
+        assert_eq!(
+            enrichment.get("tenant_id").cloned(),
+            Some(vrl::core::Value::from("acme")),
+        );
+    }
+
+    // Existing `custom` scripts still cannot mutate event body fields.
+    #[test]
+    fn custom_auth_build_fails_when_event_body_write_attempted() {
+        let custom_auth = HttpServerAuthConfig::Custom {
+            source: indoc! {r#"
+                .new_field = "value"
+                true
+                "#}
+            .to_string(),
+        };
+
+        assert!(
+            custom_auth
+                .build(&Default::default(), &Default::default())
+                .is_err(),
+            "writing to event body (.field) must be rejected at compile time"
+        );
+    }
 }

src/sources/http_server.rs

@@ -16,7 +16,7 @@ use vector_lib::{
     lookup::{lookup_v2::OptionalValuePath, owned_value_path, path},
     schema::Definition,
 };
-use vrl::value::{Kind, kind::Collection};
+use vrl::value::{Kind, ObjectMap, kind::Collection};
 use warp::http::HeaderMap;
 
 use crate::{
@@ -521,6 +521,25 @@ impl HttpSource for SimpleHttpSource {
     fn enable_source_ip(&self) -> bool {
         self.host_key.path.is_some()
     }
+
+    /// Injects `%field` enrichment from a `custom` auth VRL program into events.
+    /// Legacy namespace: inserted into the event body (no-op if key already exists).
+    /// Vector namespace: inserted into event metadata under `http_server.<field>`.
+    fn inject_auth_enrichment(&self, events: &mut [Event], enrichment: ObjectMap) {
+        for event in events.iter_mut() {
+            if let Event::Log(log) = event {
+                for (key, value) in &enrichment {
+                    self.log_namespace.insert_source_metadata(
+                        SimpleHttpConfig::NAME,
+                        log,
+                        Some(LegacyKey::InsertIfEmpty(path!(key.as_str()))),
+                        path!(key.as_str()),
+                        value.clone(),
+                    );
+                }
+            }
+        }
+    }
 }
 
 #[cfg(test)]

src/sources/util/http/prelude.rs

@@ -11,6 +11,7 @@ use vector_lib::{
     config::SourceAcknowledgementsConfig,
     event::{BatchNotifier, BatchStatus, BatchStatusReceiver, Event},
 };
+use vrl::value::ObjectMap;
 use warp::{
     Filter,
     filters::{
@@ -56,6 +57,9 @@ pub trait HttpSource: Clone + Send + Sync + 'static {
         path: &str,
     ) -> Result<Vec<Event>, ErrorMessage>;
 
+    /// Called after `enrich_events` when `custom` auth returned metadata enrichment fields.
+    fn inject_auth_enrichment(&self, _events: &mut [Event], _enrichment: ObjectMap) {}
+
     fn decode(&self, encoding_header: Option<&str>, body: Bytes) -> Result<Bytes, ErrorMessage> {
         decompress_body(encoding_header, body)
     }
@@ -132,23 +136,27 @@ pub trait HttpSource: Clone + Send + Sync + 'static {
                         let http_path = path.as_str();
                         let events = auth_matcher
                             .as_ref()
-                            .map_or(Ok(()), |a| {
+                            .map_or(Ok(None), |a| {
                                 a.handle_auth(
                                     addr.as_ref().map(|a| a.0).as_ref(),
                                     &headers,
                                     path.as_str(),
                                 )
                             })
-                            .and_then(|()| self.decode(encoding_header.as_deref(), body))
-                            .and_then(|body| {
+                            .and_then(|auth_enrichment| {
+                                self.decode(encoding_header.as_deref(), body)
+                                    .map(|body| (body, auth_enrichment))
+                            })
+                            .and_then(|(body, auth_enrichment)| {
                                 emit!(HttpBytesReceived {
                                     byte_size: body.len(),
                                     http_path,
                                     protocol,
                                 });
                                 self.build_events(body, &headers, &query_parameters, path.as_str())
+                                    .map(|events| (events, auth_enrichment))
                             })
-                            .map(|mut events| {
+                            .map(|(mut events, auth_enrichment)| {
                                 emit!(HttpEventsReceived {
                                     count: events.len(),
                                     byte_size: events.estimated_json_encoded_size_of(),
@@ -166,6 +174,10 @@ pub trait HttpSource: Clone + Send + Sync + 'static {
                                         .as_ref(),
                                 );
 
+                                if let Some(enrichment) = auth_enrichment {
+                                    self.inject_auth_enrichment(&mut events, enrichment);
+                                }
+
                                 events
                             });