From 5e3b41c81d8a14bd60170de8e4cb11262e838f16 Mon Sep 17 00:00:00 2001
From: Leo6Leo <36619969+Leo6Leo@users.noreply.github.com>
Date: Mon, 6 Oct 2025 00:35:20 -0400
Subject: [PATCH] CONSOLE-4788: Backend Request Headers Updates for multi-group impersonation

Handle X-Console-Impersonate-Groups header by splitting comma-separated groups into multiple Impersonate-Group headers for Kubernetes API.
---
 pkg/proxy/proxy.go | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/pkg/proxy/proxy.go b/pkg/proxy/proxy.go
index 2dd1e09c224..349fd355e26 100644
--- a/pkg/proxy/proxy.go
+++ b/pkg/proxy/proxy.go
@@ -123,6 +123,20 @@ func (p *Proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 r.Header.Del(h)
 }
 
+ // Handle X-Console-Impersonate-Groups header for multi-group impersonation
+ // The fetch() API doesn't support multiple headers with the same name,
+ // so the frontend sends a comma-separated list that we split here
+ if consoleGroups := r.Header.Get("X-Console-Impersonate-Groups"); consoleGroups != "" {
+ r.Header.Del("X-Console-Impersonate-Groups")
+ groups := strings.Split(consoleGroups, ",")
+ for _, group := range groups {
+ group = strings.TrimSpace(group)
+ if group != "" {
+ r.Header.Add("Impersonate-Group", group)
+ }
+ }
+ }
+
 // Include `system:authenticated` when impersonating groups so that basic requests that all
 // users can run like self-subject access reviews work.
 if len(r.Header["Impersonate-Group"]) > 0 {
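Review bot: Splitting `X-Console-Impersonate-Groups` on `,` at `strings.Split(consoleGroups, ",")` is ambiguous for any group whose name itself contains a comma (for example a DN-style name). Such a name reaches the API server as several different `Impersonate-Group` values, so the identity that is authorized and audited is not the one the user selected. If such names can occur, the frontend (not visible here) should percent-encode each entry and this loop should decode it with `url.QueryUnescape`, rejecting the request on a decode error; otherwise state the limit in the comment, e.g. `// Group names containing "," cannot be sent through this header.` Separately, `r.Header.Get` reads only the first header line while `Del` removes all of them, so a repeated header is dropped silently; iterating `r.Header.Values("X-Console-Impersonate-Groups")` would cover that. ServeHTTP starts and continues outside the hunk.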