diff --git a/providers/gitlab.go b/providers/gitlab.go
index eb7c2ffa..18f77fe7 100644
--- a/providers/gitlab.go
+++ b/providers/gitlab.go
@@ -295,21 +295,13 @@ func (p *GitLabProvider) EnrichSession(ctx context.Context, s *sessions.SessionS
 
 s.User = userInfo.Username
 s.Email = userInfo.Email
-
- p.addGroupsToSession(ctx, s)
+ for _, group := range userInfo.Groups {
+ s.Groups = append(s.Groups, fmt.Sprintf("group:%s", group))
+ }
 
 p.addProjectsToSession(ctx, s)
 
 return nil
-
-}
-
-// addGroupsToSession projects into session.Groups
-func (p *GitLabProvider) addGroupsToSession(ctx context.Context, s *sessions.SessionState) {
- // Iterate over projects, check if oauth2-proxy can get project information on behalf of the user
- for _, group := range p.Groups {
- s.Groups = append(s.Groups, fmt.Sprintf("group:%s", group))
- }
 }
 
 // addProjectsToSession adds projects matching user access requirements into the session state groups list
@@ -341,24 +333,20 @@ func (p *GitLabProvider) addProjectsToSession(ctx context.Context, s *sessions.S
 } else {
 logger.Errorf("Warning: user %q does not have the minimum required access level for project %q", s.Email, project.Name)
 }
- } else {
- logger.Errorf("Warning: project %s is archived", project.Name)
+ continue
 }
+ logger.Errorf("Warning: project %s is archived", project.Name)
 }
-
 }
 
 // PrefixAllowedGroups returns a list of allowed groups, prefixed by their `kind` value
 func (p *GitLabProvider) PrefixAllowedGroups() (groups []string) {
-
 for _, val := range p.Groups {
 groups = append(groups, fmt.Sprintf("group:%s", val))
 }
-
 for _, val := range p.Projects {
 groups = append(groups, fmt.Sprintf("project:%s", val.Name))
 }
-
 return groups
 }
 
diff --git a/providers/gitlab_test.go b/providers/gitlab_test.go
index 3a903d02..09f6d716 100644
--- a/providers/gitlab_test.go
+++ b/providers/gitlab_test.go
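Review bot: The new loop in EnrichSession appends to `s.Groups` without clearing it first, so if the method ever runs on a session that already holds groups (a refresh or re-enrichment path, which is not visible in this hunk), memberships the user has since lost would remain next to the fresh ones. Unless something earlier in the function fills the slice on purpose, starting with `s.Groups = nil` just before the loop would make the result depend only on the current userinfo response. A short comment would also help the next reader, for example `// Groups come from the userinfo response (the user's own memberships), not from the configured allow-list.` The body of EnrichSession begins above the hunk.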
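Review bot: In addProjectsToSession the archived-project message is now correct only as long as every path through the preceding block ends in `continue`, which is easy to break when a branch is added later. The enclosing `if` starts outside this hunk, but from the removed `else` it appears to test the archived flag; an early guard at the top of the loop body (log the archived project, then `continue`) would keep the skip decision next to its condition. While the line is being moved, `%q` would match the access-level message above it: `logger.Errorf("Warning: project %q is archived", project.Name)`.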
@@ -232,11 +232,11 @@ var _ = Describe("Gitlab Provider Tests", func() {
 Expect(session.Groups).To(Equal(in.expectedValue))
 },
 Entry("project membership valid on group project", entitiesTableInput{
- expectedValue: []string{"project:my_group/my_project"},
+ expectedValue: []string{"group:foo", "group:bar", "project:my_group/my_project"},
 projects: []string{"my_group/my_project"},
 }),
 Entry("project membership invalid on group project, insufficient access level level", entitiesTableInput{
- expectedValue: nil,
+ expectedValue: []string{"group:foo", "group:bar"},
 projects: []string{"my_group/my_project=40"},
 }),
 Entry("project membership invalid on group project, no access at all", entitiesTableInput{
@@ -244,28 +244,28 @@ var _ = Describe("Gitlab Provider Tests", func() {
 projects: []string{"no_access_group/no_access_project=30"},
 }),
 Entry("project membership valid on personnal project", entitiesTableInput{
- expectedValue: []string{"project:my_profile/my_personal_project"},
+ expectedValue: []string{"group:foo", "group:bar", "project:my_profile/my_personal_project"},
 projects: []string{"my_profile/my_personal_project"},
 }),
 Entry("project membership invalid on personnal project, insufficient access level", entitiesTableInput{
- expectedValue: nil,
+ expectedValue: []string{"group:foo", "group:bar"},
 projects: []string{"my_profile/my_personal_project=40"},
 }),
 Entry("project membership invalid", entitiesTableInput{
- expectedValue: nil,
+ expectedValue: []string{"group:foo", "group:bar"},
 projects: []string{"my_group/my_bad_project"},
 }),
 Entry("group membership valid", entitiesTableInput{
- expectedValue: []string{"group:foo"},
+ expectedValue: []string{"group:foo", "group:bar"},
 groups: []string{"foo"},
 }),
 Entry("groups and projects", entitiesTableInput{
- expectedValue: []string{"group:foo", "group:baz", "project:my_group/my_project", "project:my_profile/my_personal_project"},
+ expectedValue: []string{"group:foo", "group:bar", "project:my_group/my_project", "project:my_profile/my_personal_project"},
 groups: []string{"foo", "baz"},
 projects: []string{"my_group/my_project", "my_profile/my_personal_project"},
 }),
 Entry("archived projects", entitiesTableInput{
- expectedValue: nil,
+ expectedValue: []string{"group:foo", "group:bar"},
 groups: []string{},
 projects: []string{"my_group/my_archived_project"},
 }),
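Review bot: No entry in this table is named for the case the provider change is about, a configured group the user does not belong to. Only "groups and projects" covers it, and only incidentally, since `baz` is configured while the expected session holds `group:bar`. A dedicated entry with `groups: []string{"baz"}` and `expectedValue: []string{"group:foo", "group:bar"}`, named for that case, would pin the behaviour so that a later refactor cannot quietly go back to copying the configured list into the session. The fixture that supplies `foo` and `bar` sits outside these hunks, so a companion case with an empty userinfo group list may need a second mock response.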