fix: filter empty strings from allowed groups

When parsing allowed groups from configuration (e.g., via environment variable OAUTH2_PROXY_ALLOWED_GROUPS), viper may include empty strings in the parsed slice when trailing commas are present (e.g., "group2," becomes ["group2", ""]). The setAllowedGroups function now filters out empty strings before adding them to the AllowedGroups map, ensuring that only valid group names are checked during authorization. Fixes #3123
2026-03-06 16:41:34 +00:00 · 2026-03-06 16:41:34 +00:00 · bdac7a6640
parent 88075737a6
commit bdac7a6640
2 changed files with 15 additions and 1 deletions
--- a/providers/provider_data.go
+++ b/providers/provider_data.go
@ -179,7 +179,9 @@ func regexpForRule(rule options.URLParameterRule) string {
 func (p *ProviderData) setAllowedGroups(groups []string) {
 	p.AllowedGroups = make(map[string]struct{}, len(groups))
 	for _, group := range groups {
-		p.AllowedGroups[group] = struct{}{}
+		if group != "" {
+			p.AllowedGroups[group] = struct{}{}
+		}
 	}
 }

--- a/providers/provider_default_test.go
+++ b/providers/provider_default_test.go
@ -102,6 +102,18 @@ func TestProviderDataAuthorize(t *testing.T) {
 			groups:        []string{"baz", "foo"},
 			expectedAuthZ: false,
 		},
+		{
+			name:          "AllowedGroupsWithEmptyString",
+			allowedGroups: []string{"group2", ""},
+			groups:        []string{"group1", "group2"},
+			expectedAuthZ: true,
+		},
+		{
+			name:          "AllowedGroupsOnlyEmptyString",
+			allowedGroups: []string{""},
+			groups:        []string{"group1", "group2"},
+			expectedAuthZ: true,
+		},
 	}

 	for _, tc := range testCases {