From b541805dc1a7ab0dceba9959a31e4c7a06c7c6cf Mon Sep 17 00:00:00 2001
From: Lida Li <lilida@lilida.org>
Date: Fri, 22 Jan 2021 00:48:34 -0800
Subject: [PATCH] Use comma separated multiple values for header (#799)

* Use comma separated value for multiple claims

* Fix lint error

* Fix more tests

* Fix one more test

* Always flatten the headers

* Ensure we test the real multi-groups

* Only update map when necessary

* Update CHANGELOG

* Move to the right location of change log

* Fix blank line
---
 CHANGELOG.md                   |  1 +
 oauthproxy_test.go             |  2 +-
 pkg/middleware/headers.go      | 11 +++++++++++
 pkg/middleware/headers_test.go | 12 ++++++------
 4 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3f29a99d..8c0d9ff5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -67,6 +67,7 @@
 
 ## Changes since v6.1.1
 
+- [#799](https://github.com/oauth2-proxy/oauth2-proxy/pull/799) Use comma separated multiple values for header (@lilida)
 - [#903](https://github.com/oauth2-proxy/oauth2-proxy/pull/903) Add docs and generated reference for Alpha configuration (@JoelSpeed)
 - [#995](https://github.com/oauth2-proxy/oauth2-proxy/pull/995) Add Security Policy (@JoelSpeed)
 - [#964](https://github.com/oauth2-proxy/oauth2-proxy/pull/964) Require `--reverse-proxy` true to trust `X-Forwareded-*` type headers (@NickMeves)
diff --git a/oauthproxy_test.go b/oauthproxy_test.go
index 3366ef5f..41ac81bb 100644
--- a/oauthproxy_test.go
+++ b/oauthproxy_test.go
@@ -612,7 +612,7 @@ func TestPassGroupsHeadersWithGroups(t *testing.T) {
 	rw = httptest.NewRecorder()
 	proxy.ServeHTTP(rw, req)
 
-	assert.Equal(t, groups, req.Header["X-Forwarded-Groups"])
+	assert.Equal(t, []string{"a,b"}, req.Header["X-Forwarded-Groups"])
 }
 
 type PassAccessTokenTest struct {
diff --git a/pkg/middleware/headers.go b/pkg/middleware/headers.go
index b79b547b..0e47085a 100644
--- a/pkg/middleware/headers.go
+++ b/pkg/middleware/headers.go
@@ -3,6 +3,7 @@ package middleware
 import (
 	"fmt"
 	"net/http"
+	"strings"
 
 	"github.com/justinas/alice"
 	middlewareapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/middleware"
@@ -40,6 +41,14 @@ func newStripHeaders(headers []options.Header) alice.Constructor {
 	}
 }
 
+func flattenHeaders(headers http.Header) {
+	for name, values := range headers {
+		if len(values) > 1 {
+			headers.Set(name, strings.Join(values, ","))
+		}
+	}
+}
+
 func stripHeaders(headers []string, next http.Handler) http.Handler {
 	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
 		for _, header := range headers {
@@ -67,6 +76,7 @@ func injectRequestHeaders(injector header.Injector, next http.Handler) http.Hand
 		// If scope is nil, this will panic.
 		// A scope should always be injected before this handler is called.
 		injector.Inject(req.Header, scope.Session)
+		flattenHeaders(req.Header)
 		next.ServeHTTP(rw, req)
 	})
 }
@@ -98,6 +108,7 @@ func injectResponseHeaders(injector header.Injector, next http.Handler) http.Han
 		// If scope is nil, this will panic.
 		// A scope should always be injected before this handler is called.
 		injector.Inject(rw.Header(), scope.Session)
+		flattenHeaders(req.Header)
 		next.ServeHTTP(rw, req)
 	})
 }
diff --git a/pkg/middleware/headers_test.go b/pkg/middleware/headers_test.go
index a9c6d73e..4cfd0c1b 100644
--- a/pkg/middleware/headers_test.go
+++ b/pkg/middleware/headers_test.go
@@ -55,11 +55,11 @@ var _ = Describe("Headers Suite", func() {
 		Entry("with no configured headers", headersTableInput{
 			headers: []options.Header{},
 			initialHeaders: http.Header{
-				"foo": []string{"bar", "baz"},
+				"Foo": []string{"bar", "baz"},
 			},
 			session: &sessionsapi.SessionState{},
 			expectedHeaders: http.Header{
-				"foo": []string{"bar", "baz"},
+				"Foo": []string{"bar,baz"},
 			},
 			expectedErr: "",
 		}),
@@ -77,13 +77,13 @@ var _ = Describe("Headers Suite", func() {
 				},
 			},
 			initialHeaders: http.Header{
-				"foo": []string{"bar", "baz"},
+				"Foo": []string{"bar", "baz"},
 			},
 			session: &sessionsapi.SessionState{
 				IDToken: "IDToken-1234",
 			},
 			expectedHeaders: http.Header{
-				"foo":   []string{"bar", "baz"},
+				"Foo":   []string{"bar,baz"},
 				"Claim": []string{"IDToken-1234"},
 			},
 			expectedErr: "",
@@ -133,7 +133,7 @@ var _ = Describe("Headers Suite", func() {
 				IDToken: "IDToken-1234",
 			},
 			expectedHeaders: http.Header{
-				"Claim": []string{"bar", "baz", "IDToken-1234"},
+				"Claim": []string{"bar,baz,IDToken-1234"},
 			},
 			expectedErr: "",
 		}),
@@ -176,7 +176,7 @@ var _ = Describe("Headers Suite", func() {
 			},
 			session: nil,
 			expectedHeaders: http.Header{
-				"Claim": []string{"bar", "baz"},
+				"Claim": []string{"bar,baz"},
 			},
 			expectedErr: "",
 		}),