Merge pull request #1379 from janrotter/fix-htpasswd-user-group

Store groups from the htpasswd-user-group in the session during the manual sign in process

CHANGELOG.md

@@ -18,6 +18,7 @@
 
 ## Changes since v7.1.3
 
+- [#1379](https://github.com/oauth2-proxy/oauth2-proxy/pull/1379) Fix the manual sign in with --htpasswd-user-group switch (@janrotter)
 - [#1337](https://github.com/oauth2-proxy/oauth2-proxy/pull/1337) Changing user field type to text when using htpasswd (@pburgisser)
 - [#1239](https://github.com/oauth2-proxy/oauth2-proxy/pull/1239) Base GitLab provider implementation on OIDCProvider (@NickMeves)
 - [#1276](https://github.com/oauth2-proxy/oauth2-proxy/pull/1276) Update crypto and switched to new github.com/golang-jwt/jwt (@JVecsei)

oauthproxy.go

@@ -78,6 +78,7 @@ type OAuthProxy struct {
 	sessionStore        sessionsapi.SessionStore
 	ProxyPrefix         string
 	basicAuthValidator  basic.Validator
+	basicAuthGroups     []string
 	SkipProviderButton  bool
 	skipAuthPreflight   bool
 	skipJwtBearerTokens bool
@@ -200,6 +201,7 @@ func NewOAuthProxy(opts *options.Options, validator func(string) bool) (*OAuthPr
 		trustedIPs:          trustedIPs,
 
 		basicAuthValidator: basicAuthValidator,
+		basicAuthGroups:    opts.HtpasswdUserGroups,
 		sessionChain:       sessionChain,
 		headersChain:       headersChain,
 		preAuthChain:       preAuthChain,
@@ -534,7 +536,7 @@ func (p *OAuthProxy) isTrustedIP(req *http.Request) bool {
 	return p.trustedIPs.Has(remoteAddr)
 }
 
-// SignInPage writes the sing in template to the response
+// SignInPage writes the sign in template to the response
 func (p *OAuthProxy) SignInPage(rw http.ResponseWriter, req *http.Request, code int) {
 	prepareNoCache(rw)
 	err := p.ClearSessionCookie(rw, req)
@@ -589,7 +591,7 @@ func (p *OAuthProxy) SignIn(rw http.ResponseWriter, req *http.Request) {
 
 	user, ok := p.ManualSignIn(req)
 	if ok {
-		session := &sessionsapi.SessionState{User: user}
+		session := &sessionsapi.SessionState{User: user, Groups: p.basicAuthGroups}
 		err = p.SaveSession(rw, req, session)
 		if err != nil {
 			logger.Printf("Error saving session: %v", err)

oauthproxy_test.go

@@ -587,6 +587,53 @@ func (sipTest *SignInPageTest) GetEndpoint(endpoint string) (int, string) {
 	return rw.Code, rw.Body.String()
 }
 
+type AlwaysSuccessfulValidator struct {
+}
+
+func (AlwaysSuccessfulValidator) Validate(user, password string) bool {
+	return true
+}
+
+func TestManualSignInStoresUserGroupsInTheSession(t *testing.T) {
+	userGroups := []string{"somegroup", "someothergroup"}
+
+	opts := baseTestOptions()
+	opts.HtpasswdUserGroups = userGroups
+	err := validation.Validate(opts)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	proxy, err := NewOAuthProxy(opts, func(email string) bool {
+		return true
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	proxy.basicAuthValidator = AlwaysSuccessfulValidator{}
+
+	rw := httptest.NewRecorder()
+	formData := url.Values{}
+	formData.Set("username", "someuser")
+	formData.Set("password", "somepass")
+	signInReq, _ := http.NewRequest(http.MethodPost, "/oauth2/sign_in", strings.NewReader(formData.Encode()))
+	signInReq.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+	proxy.ServeHTTP(rw, signInReq)
+
+	assert.Equal(t, http.StatusFound, rw.Code)
+
+	req, _ := http.NewRequest(http.MethodGet, "/something", strings.NewReader(formData.Encode()))
+	for _, c := range rw.Result().Cookies() {
+		req.AddCookie(c)
+	}
+
+	s, err := proxy.sessionStore.Load(req)
+	if err != nil {
+		t.Fatal(err)
+	}
+	assert.Equal(t, userGroups, s.Groups)
+}
+
 func TestSignInPageIncludesTargetRedirect(t *testing.T) {
 	sipTest, err := NewSignInPageTest(false)
 	if err != nil {