update for wildcard

buzzfeed · Mar 16, 2020 · 0d80834 · 0d80834
1 parent fcc32f7
commit 0d80834
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 1 deletion.
diff --git a/internal/proxy/providers/sso.go b/internal/proxy/providers/sso.go
@@ -181,7 +181,7 @@ func (p *SSOProvider) ValidateGroup(email string, allowedGroups []string, access
 
 	logger.WithUser(email).WithAllowedGroups(allowedGroups).Info("validating groups")
 	inGroups := []string{}
-	if len(allowedGroups) == 0 {
+	if len(allowedGroups) == 0 || len(allowedGroups) == 1 && allowedGroups[0] == "*" {
 		return inGroups, true, nil
 	}
 

diff --git a/internal/proxy/providers/sso_test.go b/internal/proxy/providers/sso_test.go
@@ -152,6 +152,15 @@ func TestSSOProviderGroups(t *testing.T) {
 			ExpectedInGroups: []string{},
 			ExpectError:      nil,
 		},
+		{
+			Name:             "valid group list consists of a single wildcard",
+			Email:            "michael.bland@gsa.gov",
+			Groups:           []string{},
+			ProxyGroupIds:    []string{"*"},
+			ExpectedValid:    true,
+			ExpectedInGroups: []string{},
+			ExpectError:      nil,
+		},
 		{
 			Name:             "valid when the group id exists",
 			Email:            "michael.bland@gsa.gov",
@@ -321,6 +330,17 @@ func TestSSOProviderValidateSessionState(t *testing.T) {
 			ProxyGroupIds:    []string{},
 			ExpectedValid:    true,
 		},
+		{
+			Name: "valid when group list consists of single wildcard",
+			SessionState: &sessions.SessionState{
+				AccessToken: "abc",
+				Email:       "michael.bland@gsa.gov",
+			},
+			ProviderResponse: http.StatusOK,
+			Groups:           []string{},
+			ProxyGroupIds:    []string{"*"},
+			ExpectedValid:    true,
+		},
 		{
 			Name: "invalid when response is is not 200",
 			SessionState: &sessions.SessionState{