From 27a3c5d434b5335b928c3f9f793ac3b83b011ad2 Mon Sep 17 00:00:00 2001
From: Manu Nicolas <78699389+manu-ns@users.noreply.github.com>
Date: Mon, 13 Feb 2023 16:25:36 +0100
Subject: [PATCH] Send back the logged in LDAP username to haproxy (#27)

In case of successful login using the LDAP backend, the agent now sends an SPOE message containing the username of the logged in user. This commit also: - Updates the haproxy test config to write a X-Authorized-User header with the logged in username - Updates the nginx backend config to copy that header in a response header, to be able to test it - Updates TestShouldAuthenticateSuccessfullyInLDAP to test the new behavior
---
 internal/auth/authenticator_ldap.go | 2 +-
 internal/auth/messages.go | 9 +++++++++
 resources/haproxy/haproxy.cfg | 2 +-
 resources/nginx/default.conf | 3 +++
 tests/ldap_authentication_test.go | 2 +-
 5 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/internal/auth/authenticator_ldap.go b/internal/auth/authenticator_ldap.go
index d5af5d7..d9fb72c 100644
--- a/internal/auth/authenticator_ldap.go
+++ b/internal/auth/authenticator_ldap.go
@@ -159,5 +159,5 @@ func (la *LDAPAuthenticator) Authenticate(msg *spoe.Message) (bool, []spoe.Actio
 }
 logrus.Debug("User is authenticated")
- return true, nil, nil
+ return true, []spoe.Action{AuthenticatedUserMessage(username)}, nil
 }
diff --git a/internal/auth/messages.go b/internal/auth/messages.go
index 1ca6706..ddeb4ae 100644
--- a/internal/auth/messages.go
+++ b/internal/auth/messages.go
@@ -19,3 +19,12 @@ func BuildHasErrorMessage() spoe.ActionSetVar {
 Value: true,
 }
 }
+
+// AuthenticatedUserMessage build a message containing the username of the authenticated user
+func AuthenticatedUserMessage(username string) spoe.ActionSetVar { return spoe.ActionSetVar{ Name: "authenticated_user", Scope: spoe.VarScopeSession, Value: username, } }
diff --git a/resources/haproxy/haproxy.cfg b/resources/haproxy/haproxy.cfg
index f69c23a..90330ec 100644
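Review bot: The `username` that the new return line wraps in `AuthenticatedUserMessage` is defined outside this hunk, so it is unclear whether it is the value the client presented in its credentials or an identity returned by the directory (bind DN or a `uid` attribute); if it is the former, the `X-Authorized-User` header haproxy later builds from it carries whatever the client typed, and any downstream authorization keyed on that header compares unnormalized strings. Consider returning the canonical identity the directory resolved, or at least pin the contract with a comment such as `// authenticated_user holds the username as presented by the client, not the directory DN`. The body of Authenticate starts outside the hunk.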
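Review bot: The doc comment on `AuthenticatedUserMessage` reads `build a message …`; Go doc comments are full sentences that start with the name, so `// AuthenticatedUserMessage builds the SPOE action that stores the authenticated username in the session variable "authenticated_user".` is what godoc expects. The name also diverges from the neighbouring `BuildHasErrorMessage`, which uses a `Build` prefix for the same kind of constructor; pick one convention so the two read as a pair. Since the value is stored verbatim and ends up in an HTTP header on the haproxy side, a short note that callers pass an already-validated username would help whoever reuses this for another backend.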
--- a/resources/haproxy/haproxy.cfg
+++ b/resources/haproxy/haproxy.cfg
@@ -28,7 +28,6 @@ frontend haproxynode
 acl oauth2logout path_beg /oauth2/logout
 acl dex_domain hdr_beg(host) -i dex.example.com
- # define the spoe agent filter spoe engine spoe-auth config /usr/local/etc/haproxy/spoe-auth.conf
@@ -66,6 +65,7 @@ backend backend_public
 backend backend_app
 mode http
 balance roundrobin
+ http-request add-header X-Authorized-User %[var(sess.auth.authenticated_user)]
 server node-protected-app protected-backend:80 check
diff --git a/resources/nginx/default.conf b/resources/nginx/default.conf
index 368e471..f44081b 100644
--- a/resources/nginx/default.conf
+++ b/resources/nginx/default.conf
@@ -9,6 +9,9 @@ server {
 location / {
 add_header Last-Modified $date_gmt;
 add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
+ if ($http_X_Authorized_User) {
+ add_header Request-X-Authorized-User $http_X_Authorized_User;
+ }
 if_modified_since off;
 expires off;
 etag off;
diff --git a/tests/ldap_authentication_test.go b/tests/ldap_authentication_test.go
index fb0d081..7970dce 100644
--- a/tests/ldap_authentication_test.go
+++ b/tests/ldap_authentication_test.go
@@ -14,7 +14,7 @@ func TestShouldAuthenticateSuccessfullyInLDAP(t *testing.T) {
 res, err := http.DefaultClient.Do(req)
 assert.NoError(t, err)
-
+ assert.Equal(t, "john", res.Header.Get("request-x-authorized-user"))
 assert.Equal(t, 200, res.StatusCode)
 }
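Review bot: `http-request add-header X-Authorized-User …` in `backend backend_app` appends to the request, so a client that already sends its own `X-Authorized-User` reaches the backend with two copies, the client's ahead of the proxy's, and an application that reads the first occurrence or joins them trusts a forged identity. Use `http-request del-header X-Authorized-User` followed by `http-request set-header X-Authorized-User %[var(sess.auth.authenticated_user)] if { var(sess.auth.authenticated_user) -m found }` so the proxy's value replaces anything the client sent and the header is only present for a session that actually authenticated; with the unconditional `add-header`, requests that reach this backend without an LDAP login would presumably get an empty header instead. This is the test configuration, but it is the reference operators will copy, so the safe form belongs here.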
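Review bot: The `add_header` inside the new `if ($http_X_Authorized_User)` block suppresses the two `add_header` directives of the enclosing `location /` whenever the header is present, because nginx inherits `add_header` from the outer level only when the current level declares none, so authenticated responses lose `Cache-Control: no-store, …` and `Last-Modified`. nginx does not emit a header whose value is empty, so the `if` is unnecessary: a single `add_header Request-X-Authorized-User $http_x_authorized_user;` at location level gives the same result without the inheritance break. nginx also documents `$http_name` with the field name in lower case and dashes replaced by underscores, so the mixed-case `$http_X_Authorized_User` may not resolve; the lower-case spelling is the safe form.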
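Review bot: The new assertion covers only the positive path; nothing pins that the header is absent when authentication did not succeed, or that a client-supplied `X-Authorized-User` is not forwarded to the backend, which is the property that makes the header trustworthy for the application. A companion test that sets `req.Header.Set("X-Authorized-User", "someone-else")` alongside valid credentials and still expects `"john"` from `res.Header.Get("request-x-authorized-user")` would catch an `add-header` versus `set-header` mistake in the proxy config. Note also that `assert.NoError` does not stop the test, so the added `res.Header.Get(...)` dereferences a nil response when `Do` fails; `require.NoError(t, err)` avoids the panic. The construction of `req` lies outside the hunk.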