From fe60662b9305d01ad24d8c334e92821334945da5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gr=C3=A9goire=20Seux?= Date: Wed, 23 Jan 2019 14:58:16 +0100 Subject: [PATCH] Always consider lower case groups On ldap that are AD it is not unusual to see mixed capitalization on groups. This patch forces every group to be lower cased Change-Id: I40fcb541a9126bdf1f26d13452d1d360ef7807a1
---
 src/authorizations.spec.ts | 37 +++++++++++++++++++++++++++++++++++++ src/authorizations.ts | 4 ++-- 2 files changed, 39 insertions(+), 2 deletions(-)
diff --git a/src/authorizations.spec.ts b/src/authorizations.spec.ts
index 4b1c34f6..ea1d2d20 100644
--- a/src/authorizations.spec.ts
+++ b/src/authorizations.spec.ts
@@ -1,8 +1,45 @@ import { expect } from 'chai'; import { FilterTaskAdmins } from './authorizations'; +import { CheckUserAuthorizations } from './authorizations'; describe('authorizations', function() { + describe('CheckUserAuthorizations', function() { + describe('when groups are matching', function() { + it('should authorize', function(done) { + const userCN = 'foo'; + const userLdapGroups = ['CN=bar', 'CN=agroup']; + const admins_constraints = [['bar'], ['agroup']]; + const superAdmins = ['superadmingroup']; + + const promise = CheckUserAuthorizations(userCN, userLdapGroups, admins_constraints, superAdmins); + promise.then(() => done(), done); + }); + }); + describe('when groups are not matching', function() { + it('should authorize', function(done) { + const userCN = 'foo'; + const userLdapGroups = ['CN=bar']; + const admins_constraints = [['bar'], ['agroup']]; + const superAdmins = ['superadmingroup']; + + const promise = CheckUserAuthorizations(userCN, userLdapGroups, admins_constraints, superAdmins); + promise.then(() => done('Should not authorize'), (err) => done()); + }); + }); + describe('when capitalization is different', function() { + it('should authorize anyway', function(done) { + const userCN = 'foo'; + const userLdapGroups = ['CN=bar', 'CN=aGroupWithCap']; + const admins_constraints = [['bar'], ['agroupwithcap']]; + const superAdmins = ['superadmingroup']; + + const promise = CheckUserAuthorizations(userCN, userLdapGroups, admins_constraints, superAdmins); + promise.then(() => done(), done); + }); + }); + }); + describe('FilterTaskAdmins', function() { describe('per app admins is disabled', function() { it('should return empty array', function() { diff --git a/src/authorizations.ts b/src/authorizations.ts index 5428aefe..a675d0f9 100644 --- a/src/authorizations.ts +++ b/src/authorizations.ts 
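Review bot: The 'when groups are not matching' case is titled `it('should authorize', ...)` although it asserts rejection, so a failing run would report the opposite of what broke; `it('should not authorize', ...)` matches the assertion. All three cases use lower-case names in `admins_constraints`, and none grants access through `superAdmins`, so the tests never show what happens when the configured side carries capitals or when the super-admin path is taken. A group string that does not begin with `CN=` is also untested, and extractCN in src/authorizations.ts reads `matches.length` without a null check, so one such case would pin that behaviour down.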
@@ -22,7 +22,7 @@ function extractCN(groups: string[]): string[] { return groups.map((m: string) => { const matches = m.match(/^(CN|cn)=([a-zA-Z0-9_-]+)/m); return (matches.length > 1) ? matches[2] : undefined; - }).filter(m => m !== undefined); + }).filter(m => m !== undefined).map(m => m.toLowerCase()); } // TODO: integrate all public methods in one authorizer class @@ -47,7 +47,7 @@ export function CheckUserAuthorizations( userCN: string, userLdapGroups: string[], admins_constraints: string[][], - superAdmins: string[]) { + superAdmins: string[]): Bluebird { const userGroups = extractCN(userLdapGroups); const userAndGroups = [userCN].concat(userGroups);
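Review bot: The added `.map(m => m.toLowerCase())` in extractCN folds only the LDAP-derived group names; `admins_constraints`, `superAdmins` and `userCN` are not normalised in any line visible here, and the second hunk shows `userCN` concatenated as-is. The comparison itself is outside the hunk, but if it is a plain equality then a configured group written with capitals can no longer match any user after this change, so either fold both sides, e.g. `const wanted = admins_constraints.map(c => c.map(g => g.toLowerCase()));` and likewise for `superAdmins`, or document next to the configuration that names must be lower case. Separately, `m.match(...)` returns null for an entry that does not match the CN pattern, so `matches.length` throws before the filter runs; `return matches ? matches[2].toLowerCase() : undefined;` would skip such entries and make the extra map unnecessary.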