From 5475a8006e73b594a6503dc9fd5c8f73e087b808 Mon Sep 17 00:00:00 2001
From: Anton Miniailo
Date: Fri, 19 Apr 2024 09:42:47 -0700
Subject: [PATCH] Remove header manipulation after request has been completed. It could lead to panic (concurrent map write and read) in case of request cancelation.
---
 lib/auth/middleware.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/auth/middleware.go b/lib/auth/middleware.go
index 2ef26ce455d57..0300660a5db51 100644
--- a/lib/auth/middleware.go
+++ b/lib/auth/middleware.go
@@ -925,6 +925,8 @@ func NewImpersonatorRoundTripper(rt http.RoundTripper) *ImpersonatorRoundTripper
 // RoundTrip implements http.RoundTripper interface to include the identity
 // in the request header.
 func (r *ImpersonatorRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+ req = req.Clone(req.Context())
+
 identity, err := authz.UserFromContext(req.Context())
 if err != nil {
 return nil, trace.Wrap(err)
@@ -934,7 +936,6 @@ func (r *ImpersonatorRoundTripper) RoundTrip(req *http.Request) (*http.Response,
 return nil, trace.Wrap(err)
 }
 req.Header.Set(TeleportImpersonateUserHeader, string(b))
- defer req.Header.Del(TeleportImpersonateUserHeader)
 clientSrcAddr, err := authz.ClientSrcAddrFromContext(req.Context())
 if err != nil {
@@ -942,7 +943,6 @@ func (r *ImpersonatorRoundTripper) RoundTrip(req *http.Request) (*http.Response,
 }
 req.Header.Set(TeleportImpersonateIPHeader, clientSrcAddr.String())
- defer req.Header.Del(TeleportImpersonateIPHeader)
 return r.RoundTripper.RoundTrip(req)
 }
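Review bot: The new `req = req.Clone(req.Context())` at the top of RoundTrip carries no comment, yet it is the only thing that makes removing the two `defer req.Header.Del(...)` calls in the later hunks safe: the impersonation headers are now written to a private copy, so the caller's header map is never touched and nothing needs cleaning up afterwards. I would add `// Clone first: a RoundTripper must not mutate the caller's request, and the identity headers must never be left on it.` above the line so a later cleanup does not drop the clone as a needless allocation. Because the original panic was a concurrent map read and write, a regression test run under `-race` that cancels a request while the caller still reads `req.Header` would pin the fix; whether one exists is not visible here. Part of the function body between the hunks is not shown.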