Merge pull request #16998 from jvlcek/bz1469589_group_special_chars

Handle group names with encoded special characters (cherry picked from commit dfc9c90) Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1552792
ManageIQ · Mar 7, 2018 · bec8219 · bec8219
1 parent 72f37b9
commit bec8219
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 1 deletion.
diff --git a/app/models/authenticator/httpd.rb b/app/models/authenticator/httpd.rb
@@ -120,7 +120,7 @@ def user_details_from_headers(username, request)
                     :lastname  => request.headers['X-REMOTE-USER-LASTNAME'],
                     :email     => request.headers['X-REMOTE-USER-EMAIL'],
                     :domain    => request.headers['X-REMOTE-USER-DOMAIN']}
-      [user_attrs, (request.headers['X-REMOTE-USER-GROUPS'] || '').split(/[;:]/)]
+      [user_attrs, (CGI.unescape(request.headers['X-REMOTE-USER-GROUPS'] || '')).split(/[;:]/)]
     end
 
     def user_attrs_from_external_directory(username)

diff --git a/spec/models/authenticator/httpd_spec.rb b/spec/models/authenticator/httpd_spec.rb
@@ -530,6 +530,54 @@ def authenticate
           authenticate
         end
       end
+
+      context "when group names have escaped special characters" do
+        let(:config) { {:httpd_role => true} }
+        let(:headers) do
+          super().merge('X-Remote-User-Groups' => CGI.escape('spécial_char@fqdn:moré@fqdn'))
+        end
+        let(:user_attrs) do
+          { :username  => "testuser",
+            :fullname  => "Test User",
+            :firstname => "Alice",
+            :lastname  => "Aardvark",
+            :email     => "testuser@example.com",
+            :domain    => "example.com" }
+        end
+
+        it "handles group names with escaped special characters" do
+          expect(subject).to receive(:find_external_identity).with(username, user_attrs, ["spécial_char@fqdn", "moré@fqdn"])
+          authenticate
+        end
+      end
+
+      context "when there are no group names" do
+        let(:config) { {:httpd_role => true} }
+        let(:headers) do
+          {
+            'X-Remote-User'           => username,
+            'X-Remote-User-FullName'  => 'Test User',
+            'X-Remote-User-FirstName' => 'Alice',
+            'X-Remote-User-LastName'  => 'Aardvark',
+            'X-Remote-User-Email'     => 'testuser@example.com',
+            'X-Remote-User-Domain'    => 'example.com',
+            'X-Remote-User-Groups'    => nil,
+          }
+        end
+        let(:user_attrs) do
+          { :username  => "testuser",
+            :fullname  => "Test User",
+            :firstname => "Alice",
+            :lastname  => "Aardvark",
+            :email     => "testuser@example.com",
+            :domain    => "example.com" }
+        end
+
+        it "handles nil group names" do
+          expect(subject).to receive(:find_external_identity).with(username, user_attrs, [])
+          authenticate
+        end
+      end
     end
   end
 end