Merge pull request from GHSA-652x-m2gr-hppm
* Populate session Groups from userinfo response

* Fix: gitlab tests

Co-authored-by: Wilfried OLLIVIER <wollivier@bearstech.com>
NickMeves and Wilfried OLLIVIER committed Mar 25, 2021
1 parent 73d9f38 commit 0279fa7
Showing 2 changed files with 13 additions and 25 deletions.
22 changes: 5 additions & 17 deletions providers/gitlab.go
Expand Up @@ -295,21 +295,13 @@ func (p *GitLabProvider) EnrichSession(ctx context.Context, s *sessions.SessionS

s.User = userInfo.Username
s.Email = userInfo.Email

p.addGroupsToSession(ctx, s)
for _, group := range userInfo.Groups {
s.Groups = append(s.Groups, fmt.Sprintf("group:%s", group))
}

p.addProjectsToSession(ctx, s)

return nil

}

// addGroupsToSession projects into session.Groups
func (p *GitLabProvider) addGroupsToSession(ctx context.Context, s *sessions.SessionState) {
// Iterate over projects, check if oauth2-proxy can get project information on behalf of the user
for _, group := range p.Groups {
s.Groups = append(s.Groups, fmt.Sprintf("group:%s", group))
}
}

// addProjectsToSession adds projects matching user access requirements into the session state groups list
Expand Down Expand Up @@ -341,24 +333,20 @@ func (p *GitLabProvider) addProjectsToSession(ctx context.Context, s *sessions.S
} else {
logger.Errorf("Warning: user %q does not have the minimum required access level for project %q", s.Email, project.Name)
}
} else {
logger.Errorf("Warning: project %s is archived", project.Name)
continue
}

logger.Errorf("Warning: project %s is archived", project.Name)
}

}

// PrefixAllowedGroups returns a list of allowed groups, prefixed by their `kind` value
func (p *GitLabProvider) PrefixAllowedGroups() (groups []string) {

for _, val := range p.Groups {
groups = append(groups, fmt.Sprintf("group:%s", val))
}

for _, val := range p.Projects {
groups = append(groups, fmt.Sprintf("project:%s", val.Name))
}

return groups
}
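Review bot: The `group:` prefix the new loop writes into the session at `s.Groups = append(s.Groups, fmt.Sprintf("group:%s", group))` is duplicated verbatim in PrefixAllowedGroups (`fmt.Sprintf("group:%s", val)`), and the allowed-group comparison that PrefixAllowedGroups presumably feeds only works while those two format strings agree byte for byte. A small shared helper such as `func groupEntry(name string) string { return "group:" + name }`, called from both places (with a matching `projectEntry` for `project:`), turns a future drift between the session side and the allowlist side from a silent authorization bug into a non-issue. The loop also deserves a comment stating the invariant this commit restores, since nothing in the code says why the groups must come from userinfo: `// Session groups must be the user's real GitLab membership as reported by userinfo; seeding them from p.Groups (the allowlist) would make the group check pass for every user.` The rest of EnrichSession and addProjectsToSession lies outside this hunk, so whether the groups claim needs an extra scope or whether these appends are repeated on session refresh is left to confirm.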
16 changes: 8 additions & 8 deletions providers/gitlab_test.go
Expand Up @@ -232,40 +232,40 @@ var _ = Describe("Gitlab Provider Tests", func() {
Expect(session.Groups).To(Equal(in.expectedValue))
},
Entry("project membership valid on group project", entitiesTableInput{
expectedValue: []string{"project:my_group/my_project"},
expectedValue: []string{"group:foo", "group:bar", "project:my_group/my_project"},
projects: []string{"my_group/my_project"},
}),
Entry("project membership invalid on group project, insufficient access level level", entitiesTableInput{
expectedValue: nil,
expectedValue: []string{"group:foo", "group:bar"},
projects: []string{"my_group/my_project=40"},
}),
Entry("project membership invalid on group project, no access at all", entitiesTableInput{
expectedValue: nil,
projects: []string{"no_access_group/no_access_project=30"},
}),
Entry("project membership valid on personnal project", entitiesTableInput{
expectedValue: []string{"project:my_profile/my_personal_project"},
expectedValue: []string{"group:foo", "group:bar", "project:my_profile/my_personal_project"},
projects: []string{"my_profile/my_personal_project"},
}),
Entry("project membership invalid on personnal project, insufficient access level", entitiesTableInput{
expectedValue: nil,
expectedValue: []string{"group:foo", "group:bar"},
projects: []string{"my_profile/my_personal_project=40"},
}),
Entry("project membership invalid", entitiesTableInput{
expectedValue: nil,
expectedValue: []string{"group:foo", "group:bar"},
projects: []string{"my_group/my_bad_project"},
}),
Entry("group membership valid", entitiesTableInput{
expectedValue: []string{"group:foo"},
expectedValue: []string{"group:foo", "group:bar"},
groups: []string{"foo"},
}),
Entry("groups and projects", entitiesTableInput{
expectedValue: []string{"group:foo", "group:baz", "project:my_group/my_project", "project:my_profile/my_personal_project"},
expectedValue: []string{"group:foo", "group:bar", "project:my_group/my_project", "project:my_profile/my_personal_project"},
groups: []string{"foo", "baz"},
projects: []string{"my_group/my_project", "my_profile/my_personal_project"},
}),
Entry("archived projects", entitiesTableInput{
expectedValue: nil,
expectedValue: []string{"group:foo", "group:bar"},
groups: []string{},
projects: []string{"my_group/my_archived_project"},
}),
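Review bot: Every updated expectation in this table now carries `"group:foo", "group:bar"`, which looks like the fixed group list the mocked userinfo returns for all entries, so no entry exercises the scenario the advisory is about: a user whose userinfo reports no groups (or none of the allowed ones) must end up with an empty session group list. An entry along the lines of `Entry("no group membership in userinfo", entitiesTableInput{expectedValue: nil, groups: []string{"foo"}})`, backed by a userinfo stub that returns no groups, would pin that regression directly; as written, the configured `groups` input is shown not to leak into the session only indirectly, through the "groups and projects" entry whose "baz" is absent from the expected value. Whether the userinfo stub can be varied per entry depends on the test setup above this hunk, which is not visible here.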
