Send back the logged in LDAP username to haproxy (#27)

manu-ns · web-flow · commit 27a3c5d434b5 · 2023-02-13T16:25:36.000+01:00
In case of successful login using the LDAP backend, the agent now sends
an SPOE message containing the username of the logged in user.

This commit also:
- Updates the haproxy test config to write a X-Authorized-User header
with the logged in username
- Updates the nginx backend config to copy that header in a response
header, to be able to test it
- Updates TestShouldAuthenticateSuccessfullyInLDAP to test the new
behavior
diff --git a/internal/auth/authenticator_ldap.go b/internal/auth/authenticator_ldap.go
@@ -159,5 +159,5 @@ func (la *LDAPAuthenticator) Authenticate(msg *spoe.Message) (bool, []spoe.Actio
 	}
 
 	logrus.Debug("User is authenticated")
-	return true, nil, nil
+	return true, []spoe.Action{AuthenticatedUserMessage(username)}, nil
 }
diff --git a/internal/auth/messages.go b/internal/auth/messages.go
@@ -19,3 +19,12 @@ func BuildHasErrorMessage() spoe.ActionSetVar {
 		Value: true,
 	}
 }
+
+// AuthenticatedUserMessage build a message containing the username of the authenticated user
+func AuthenticatedUserMessage(username string) spoe.ActionSetVar {
+	return spoe.ActionSetVar{
+		Name:  "authenticated_user",
+		Scope: spoe.VarScopeSession,
+		Value: username,
+	}
+}
diff --git a/resources/haproxy/haproxy.cfg b/resources/haproxy/haproxy.cfg
@@ -28,7 +28,6 @@ frontend haproxynode
     acl oauth2logout path_beg /oauth2/logout
 
     acl dex_domain hdr_beg(host) -i dex.example.com
-    
     # define the spoe agent
     filter spoe engine spoe-auth config /usr/local/etc/haproxy/spoe-auth.conf
 
@@ -66,6 +65,7 @@ backend backend_public
 backend backend_app
     mode http
     balance roundrobin
+    http-request add-header X-Authorized-User %[var(sess.auth.authenticated_user)]
 
     server node-protected-app protected-backend:80 check
 
diff --git a/resources/nginx/default.conf b/resources/nginx/default.conf
@@ -9,6 +9,9 @@ server {
     location / {
         add_header Last-Modified $date_gmt;
         add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
+        if ($http_X_Authorized_User) {
+            add_header Request-X-Authorized-User $http_X_Authorized_User;
+        }
         if_modified_since off;
         expires off;
         etag off;
diff --git a/tests/ldap_authentication_test.go b/tests/ldap_authentication_test.go
@@ -14,7 +14,7 @@ func TestShouldAuthenticateSuccessfullyInLDAP(t *testing.T) {
 
 	res, err := http.DefaultClient.Do(req)
 	assert.NoError(t, err)
-
+	assert.Equal(t, "john", res.Header.Get("request-x-authorized-user"))
 	assert.Equal(t, 200, res.StatusCode)
 }
 

Original file line number	Diff line number	Diff line change
`@@ -159,5 +159,5 @@ func (la LDAPAuthenticator) Authenticate(msg spoe.Message) (bool, []spoe.Actio`
`159`	`159`	`}`
`160`	`160`
`161`	`161`	`logrus.Debug("User is authenticated")`
`162`		`- return true, nil, nil`
	`162`	`+ return true, []spoe.Action{AuthenticatedUserMessage(username)}, nil`
`163`	`163`	`}`
Original file line number	Diff line number	Diff line change
`@@ -19,3 +19,12 @@ func BuildHasErrorMessage() spoe.ActionSetVar {`
`19`	`19`	`Value: true,`
`20`	`20`	`}`
`21`	`21`	`}`
	`22`	`+`
	`23`	`+// AuthenticatedUserMessage build a message containing the username of the authenticated user`
	`24`	`+func AuthenticatedUserMessage(username string) spoe.ActionSetVar {`
	`25`	`+ return spoe.ActionSetVar{`
	`26`	`+ Name: "authenticated_user",`
	`27`	`+ Scope: spoe.VarScopeSession,`
	`28`	`+ Value: username,`
	`29`	`+ }`
	`30`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@ func TestShouldAuthenticateSuccessfullyInLDAP(t *testing.T) {`
`14`	`14`
`15`	`15`	`res, err := http.DefaultClient.Do(req)`
`16`	`16`	`assert.NoError(t, err)`
`17`		`-`
	`17`	`+ assert.Equal(t, "john", res.Header.Get("request-x-authorized-user"))`
`18`	`18`	`assert.Equal(t, 200, res.StatusCode)`
`19`	`19`	`}`
`20`	`20`