From e25158dda6f0a540f21851a7d3db71d5bd3abbdd Mon Sep 17 00:00:00 2001
From: Jan Rotter
Date: Sun, 26 Sep 2021 22:13:48 +0200
Subject: [PATCH] Add a test for htpasswd-user-groups in the session

The groups configured in the `htpasswd-user-group` are not stored in the session, resulting in unauthorized errors when group membership is required. Please see: https://gist.github.com/janrotter/b3d806a59292f07fe83bc52c061226e0 for instructions on reproducing the issue.
---
 oauthproxy_test.go | 47 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)

diff --git a/oauthproxy_test.go b/oauthproxy_test.go
index 9add52ed..001d7347 100644
--- a/oauthproxy_test.go
+++ b/oauthproxy_test.go
@@ -587,6 +587,53 @@ func (sipTest *SignInPageTest) GetEndpoint(endpoint string) (int, string) {
 return rw.Code, rw.Body.String()
 }
 
+type AlwaysSuccessfulValidator struct {
+}
+
+func (AlwaysSuccessfulValidator) Validate(user, password string) bool {
+ return true
+}
+
+func TestManualSignInStoresUserGroupsInTheSession(t *testing.T) {
+ userGroups := []string{"somegroup", "someothergroup"}
+
+ opts := baseTestOptions()
+ opts.HtpasswdUserGroups = userGroups
+ err := validation.Validate(opts)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ proxy, err := NewOAuthProxy(opts, func(email string) bool {
+ return true
+ })
+ if err != nil {
+ t.Fatal(err)
+ }
+ proxy.basicAuthValidator = AlwaysSuccessfulValidator{}
+
+ rw := httptest.NewRecorder()
+ formData := url.Values{}
+ formData.Set("username", "someuser")
+ formData.Set("password", "somepass")
+ signInReq, _ := http.NewRequest(http.MethodPost, "/oauth2/sign_in", strings.NewReader(formData.Encode()))
+ signInReq.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+ proxy.ServeHTTP(rw, signInReq)
+
+ assert.Equal(t, http.StatusFound, rw.Code)
+
+ req, _ := http.NewRequest(http.MethodGet, "/something", strings.NewReader(formData.Encode()))
+ for _, c := range rw.Result().Cookies() {
+ req.AddCookie(c)
+ }
+
+ s, err := proxy.sessionStore.Load(req)
+ if err != nil {
+ t.Fatal(err)
+ }
+ assert.Equal(t, userGroups, s.Groups)
+}
+
 func TestSignInPageIncludesTargetRedirect(t *testing.T) {
 sipTest, err := NewSignInPageTest(false)
 if err != nil {
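Review bot: Both `http.NewRequest` calls in TestManualSignInStoresUserGroupsInTheSession discard their error, and the follow-up GET to `/something` still sends the url-encoded username and password as its body although only the cookies are used by `proxy.sessionStore.Load(req)`. Building that request as `req := httptest.NewRequest(http.MethodGet, "/something", nil)` keeps the credentials out of the second request and removes the ignored error; the sign-in POST can use `httptest.NewRequest` the same way. The test also pins only the accepting path: the stub validator and the email callback both return true, so nothing here shows that groups are withheld when validation fails; a companion case with a rejecting validator would cover that, unless one already exists elsewhere in the file. A doc comment on the stub would make its scope explicit, for example `// AlwaysSuccessfulValidator is a test double that accepts any username/password pair; test use only.`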