Merge pull request from GHSA-652x-m2gr-hppm

* Populate session Groups from userinfo response * Fix: gitlab tests Co-authored-by: Wilfried OLLIVIER <wollivier@bearstech.com>
2025-03-21 21:47:11 +02:00 · 2021-03-25 10:20:45 -07:00 · 2021-03-25 10:20:45 -07:00 · 0279fa7dff
commit 0279fa7dff
parent 73d9f3809e
2 changed files with 13 additions and 25 deletions
--- a/providers/gitlab.go
+++ b/providers/gitlab.go
@ -295,21 +295,13 @@ func (p *GitLabProvider) EnrichSession(ctx context.Context, s *sessions.SessionS

 	s.User = userInfo.Username
 	s.Email = userInfo.Email
-
-	p.addGroupsToSession(ctx, s)
+	for _, group := range userInfo.Groups {
+		s.Groups = append(s.Groups, fmt.Sprintf("group:%s", group))
+	}

 	p.addProjectsToSession(ctx, s)

 	return nil
-
-}
-
-// addGroupsToSession projects into session.Groups
-func (p *GitLabProvider) addGroupsToSession(ctx context.Context, s *sessions.SessionState) {
-	// Iterate over projects, check if oauth2-proxy can get project information on behalf of the user
-	for _, group := range p.Groups {
-		s.Groups = append(s.Groups, fmt.Sprintf("group:%s", group))
-	}
 }

 // addProjectsToSession adds projects matching user access requirements into the session state groups list
@ -341,24 +333,20 @@ func (p *GitLabProvider) addProjectsToSession(ctx context.Context, s *sessions.S
 			} else {
 				logger.Errorf("Warning: user %q does not have the minimum required access level for project %q", s.Email, project.Name)
 			}
-		} else {
+			continue
+		}
+
 		logger.Errorf("Warning: project %s is archived", project.Name)
 	}
-
-	}
-
 }

 // PrefixAllowedGroups returns a list of allowed groups, prefixed by their `kind` value
 func (p *GitLabProvider) PrefixAllowedGroups() (groups []string) {
-
 	for _, val := range p.Groups {
 		groups = append(groups, fmt.Sprintf("group:%s", val))
 	}
-
 	for _, val := range p.Projects {
 		groups = append(groups, fmt.Sprintf("project:%s", val.Name))
 	}
-
 	return groups
 }
--- a/providers/gitlab_test.go
+++ b/providers/gitlab_test.go
@ -232,11 +232,11 @@ var _ = Describe("Gitlab Provider Tests", func() {
 				Expect(session.Groups).To(Equal(in.expectedValue))
 			},
 			Entry("project membership valid on group project", entitiesTableInput{
-				expectedValue: []string{"project:my_group/my_project"},
+				expectedValue: []string{"group:foo", "group:bar", "project:my_group/my_project"},
 				projects:      []string{"my_group/my_project"},
 			}),
 			Entry("project membership invalid on group project, insufficient access level level", entitiesTableInput{
-				expectedValue: nil,
+				expectedValue: []string{"group:foo", "group:bar"},
 				projects:      []string{"my_group/my_project=40"},
 			}),
 			Entry("project membership invalid on group project, no access at all", entitiesTableInput{
@ -244,28 +244,28 @@ var _ = Describe("Gitlab Provider Tests", func() {
 				projects:      []string{"no_access_group/no_access_project=30"},
 			}),
 			Entry("project membership valid on personnal project", entitiesTableInput{
-				expectedValue: []string{"project:my_profile/my_personal_project"},
+				expectedValue: []string{"group:foo", "group:bar", "project:my_profile/my_personal_project"},
 				projects:      []string{"my_profile/my_personal_project"},
 			}),
 			Entry("project membership invalid on personnal project, insufficient access level", entitiesTableInput{
-				expectedValue: nil,
+				expectedValue: []string{"group:foo", "group:bar"},
 				projects:      []string{"my_profile/my_personal_project=40"},
 			}),
 			Entry("project membership invalid", entitiesTableInput{
-				expectedValue: nil,
+				expectedValue: []string{"group:foo", "group:bar"},
 				projects:      []string{"my_group/my_bad_project"},
 			}),
 			Entry("group membership valid", entitiesTableInput{
-				expectedValue: []string{"group:foo"},
+				expectedValue: []string{"group:foo", "group:bar"},
 				groups:        []string{"foo"},
 			}),
 			Entry("groups and projects", entitiesTableInput{
-				expectedValue: []string{"group:foo", "group:baz", "project:my_group/my_project", "project:my_profile/my_personal_project"},
+				expectedValue: []string{"group:foo", "group:bar", "project:my_group/my_project", "project:my_profile/my_personal_project"},
 				groups:        []string{"foo", "baz"},
 				projects:      []string{"my_group/my_project", "my_profile/my_personal_project"},
 			}),
 			Entry("archived projects", entitiesTableInput{
-				expectedValue: nil,
+				expectedValue: []string{"group:foo", "group:bar"},
 				groups:        []string{},
 				projects:      []string{"my_group/my_archived_project"},
 			}),