Send back the logged in LDAP username to haproxy (#27)

In case of successful login using the LDAP backend, the agent now sends an SPOE message containing the username of the logged in user. This commit also: - Updates the haproxy test config to write a X-Authorized-User header with the logged in username - Updates the nginx backend config to copy that header in a response header, to be able to test it - Updates TestShouldAuthenticateSuccessfullyInLDAP to test the new behavior
criteo · Feb 13, 2023 · 27a3c5d · 27a3c5d
1 parent ca87a1e
commit 27a3c5d
Show file tree

Hide file tree

Showing 5 changed files with 15 additions and 3 deletions.
diff --git a/internal/auth/authenticator_ldap.go b/internal/auth/authenticator_ldap.go
@@ -159,5 +159,5 @@ func (la *LDAPAuthenticator) Authenticate(msg *spoe.Message) (bool, []spoe.Actio
 	}
 
 	logrus.Debug("User is authenticated")
-	return true, nil, nil
+	return true, []spoe.Action{AuthenticatedUserMessage(username)}, nil
 }
diff --git a/internal/auth/messages.go b/internal/auth/messages.go
@@ -19,3 +19,12 @@ func BuildHasErrorMessage() spoe.ActionSetVar {
 		Value: true,
 	}
 }
+
+// AuthenticatedUserMessage build a message containing the username of the authenticated user
+func AuthenticatedUserMessage(username string) spoe.ActionSetVar {
+	return spoe.ActionSetVar{
+		Name:  "authenticated_user",
+		Scope: spoe.VarScopeSession,
+		Value: username,
+	}
+}
diff --git a/resources/haproxy/haproxy.cfg b/resources/haproxy/haproxy.cfg
@@ -28,7 +28,6 @@ frontend haproxynode
     acl oauth2logout path_beg /oauth2/logout
 
     acl dex_domain hdr_beg(host) -i dex.example.com
-
     # define the spoe agent
     filter spoe engine spoe-auth config /usr/local/etc/haproxy/spoe-auth.conf
 
@@ -66,6 +65,7 @@ backend backend_public
 backend backend_app
     mode http
     balance roundrobin
+    http-request add-header X-Authorized-User %[var(sess.auth.authenticated_user)]
 
     server node-protected-app protected-backend:80 check
 

diff --git a/resources/nginx/default.conf b/resources/nginx/default.conf
@@ -9,6 +9,9 @@ server {
     location / {
         add_header Last-Modified $date_gmt;
         add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
+        if ($http_X_Authorized_User) {
+            add_header Request-X-Authorized-User $http_X_Authorized_User;
+        }
         if_modified_since off;
         expires off;
         etag off;

diff --git a/tests/ldap_authentication_test.go b/tests/ldap_authentication_test.go
@@ -14,7 +14,7 @@ func TestShouldAuthenticateSuccessfullyInLDAP(t *testing.T) {
 
 	res, err := http.DefaultClient.Do(req)
 	assert.NoError(t, err)
-
+	assert.Equal(t, "john", res.Header.Get("request-x-authorized-user"))
 	assert.Equal(t, 200, res.StatusCode)
 }