Fix groups filtering

Author: pinepain

README.md

@@ -34,6 +34,7 @@ Example `docker-compose` setup could be found in [examples/proxy](./examples/pro
     export LDAP_BIND_PASSWORD='<bind user password>'
     export LDAP_USER_FILTER='(uid=%s)'
     export LDAP_GROUP_FILTER='(&(objectClass=groupOfNames)(member=uid=%s,ou=Users,o=<oid>,dc=jumpcloud,dc=com))'
+    export GROUP_HEADER='X-Ldap-Group'
     export HEADERS_MAP='X-LDAP-Mail:mail,X-LDAP-UID:uid,X-LDAP-CN:cn,X-LDAP-DN:dn'
 
 where `<oid>` is your organisation id.

ldap_auth_proxy.go

@@ -170,20 +170,7 @@ func (p *LDAPAuthProxy) Authenticate(w http.ResponseWriter, r *http.Request) int
 		}
 
 		filterString := r.Header.Get(p.GroupHeader)
-		rawGroup := strings.Split(filterString, ",")
-
-		for _, g := range filterGroups {
-			g = strings.TrimSpace(g)
-
-			if "*" == g {
-				filterGroups = []string{"*"}
-				break
-			}
-
-			if len(g) > 1 {
-				filterGroups = append(rawGroup, g)
-			}
-		}
+		filterGroups = extractFilterGroups(filterString)
 
 		if len(filterGroups) < 1 {
 			traceWarning(w, fmt.Sprintf("Bad groups filter string: %s", filterString))
@@ -276,3 +263,24 @@ func traceError(w http.ResponseWriter, h string) {
 	log.Warning(h)
 	w.Header().Add("X-LdapAuth-Trace", h)
 }
+
+func extractFilterGroups(filterString string) []string {
+	var filterGroups []string
+
+	rawGroup := strings.Split(filterString, ",")
+
+	for _, g := range rawGroup {
+		g = strings.TrimSpace(g)
+
+		if "*" == g {
+			// special case, we don't need any other filters with wildcard
+			return []string{"*"}
+		}
+
+		if len(g) > 1 {
+			filterGroups = append(filterGroups, g)
+		}
+	}
+
+	return filterGroups
+}

ldap_auth_proxy_test.go

@@ -0,0 +1,13 @@
+package main
+
+import (
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+func TestExtractFilterGroups(t *testing.T) {
+	assert.Equal(t, []string(nil), extractFilterGroups(""))
+	assert.Equal(t, []string(nil), extractFilterGroups(","))
+	assert.Equal(t, []string{"test", "me", "please" , "foo bar"}, extractFilterGroups(",test, me,please ,,    ,foo bar"))
+	assert.Equal(t, []string{"*"}, extractFilterGroups("foo,*,bar"))
+}