
question: App expects roles to be comma-separated

Open daniel-trnk opened this issue 6 months ago • 7 comments

Hi. I am using Caddy Security (via the authcrunch container image) as a TLS and Auth Portal with LDAP authentication against FreeIPA for a local KeepHQ deployment.

This works, except that Keep expects the roles forwarded via header_up x-forwarded-groups {http.auth.user.roles} to be comma-separated. However, Caddy-Security provides them space-separated.

So expected: "admin, noc", provided: "admin noc".

Is there a way to transform this?

Thank you for any advice.

daniel-trnk avatar Jul 09 '25 13:07 daniel-trnk

@daniel-trnk , once a request passes through the "authorize" plugin, you will have roles as part of the request context, i.e. they are seen by the subsequent plugins in the chain.

What comes to mind is caddy replacer and string manipulator. Perhaps there is a way to do it like that. Try checking with Caddy community.

greenpau avatar Jul 09 '25 13:07 greenpau

You need something that would rewrite the value of x-header and would allow for doing replacements.

greenpau avatar Jul 09 '25 13:07 greenpau

Alternatively, you could submit PR to allow for the configurable separator.

greenpau avatar Jul 09 '25 13:07 greenpau

The changes would be here:

https://github.com/greenpau/caddy-security/blob/83609dec14a46dfd5749dea0b08a03c283bd1114/plugin_authz.go#L127-L131

	roles := ar.Response.User["roles"].(string)

	// if custom separator, replace whitespace with the separator.
	// roles = strings.ReplaceAll(roles, " ", separator)

	u := caddyauth.User{
		Metadata: map[string]string{
			"roles": roles,
		},
	}

greenpau avatar Jul 09 '25 13:07 greenpau

The configuration options should be added here:

https://github.com/greenpau/caddy-security/blob/83609dec14a46dfd5749dea0b08a03c283bd1114/caddyfile_authz_misc.go#L26

For example the option would be:

authorization policy foo {
  with comma role separator
}

https://github.com/greenpau/caddy-security/blob/83609dec14a46dfd5749dea0b08a03c283bd1114/caddyfile_authz_misc.go#L106-L117

greenpau avatar Jul 09 '25 13:07 greenpau
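The change sketched above, worked through as an added example that is not caddy-security's own code: the option keyword and the function names (parseRoleSeparatorOption, joinRoles) are assumptions, and the input is the whitespace-separated roles string the authorize plugin places in user metadata. It also rejects a role name that already contains the chosen separator, since a downstream app splitting on that separator would otherwise see a role that was never assigned.

```go
package main

import (
	"fmt"
	"strings"
)

// separatorNames maps the keyword of the hypothetical
// "with <name> role separator" option to the separator string.
var separatorNames = map[string]string{
	"comma":     ",",
	"semicolon": ";",
	"space":     " ",
}

// parseRoleSeparatorOption parses the option's arguments, e.g.
// ["comma", "role", "separator"], and returns the separator to use.
func parseRoleSeparatorOption(args []string) (string, error) {
	if len(args) != 3 || args[1] != "role" || args[2] != "separator" {
		return "", fmt.Errorf("expected '<name> role separator', got %q", strings.Join(args, " "))
	}
	sep, ok := separatorNames[args[0]]
	if !ok {
		return "", fmt.Errorf("unknown role separator %q", args[0])
	}
	return sep, nil
}

// joinRoles re-joins the whitespace-separated roles string that the authorize
// plugin stores in user metadata using sep. strings.Fields drops repeated or
// leading whitespace so no empty role is emitted, and a role name that already
// contains sep is rejected: a downstream app splitting on sep would otherwise
// see a role that was never assigned.
func joinRoles(roles, sep string) (string, error) {
	fields := strings.Fields(roles)
	for _, r := range fields {
		if strings.Contains(r, sep) {
			return "", fmt.Errorf("role %q contains separator %q", r, sep)
		}
	}
	return strings.Join(fields, sep), nil
}

func main() {
	sep, _ := parseRoleSeparatorOption([]string{"comma", "role", "separator"})
	out, err := joinRoles("admin noc", sep)
	fmt.Println(out, err) // prints "admin,noc <nil>"
}
```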

Thanks for looking into this. I didn't find a way to do this with the standard Caddy replace functions. My ugly workaround for now is to just append the "," to the role name in the LDAP-group-to-role mapping. But that is just to get me unblocked for further testing. I'll see if I can get working what you suggested and report back.

daniel-trnk avatar Jul 09 '25 17:07 daniel-trnk

I'll see if I can get working what you suggested and report back.

@daniel-trnk , that is your best bet really. Lots of learning on the way. If you ever get stuck, please do not hesitate to reach out. We can do screen sharing to unblock you.

greenpau avatar Jul 09 '25 17:07 greenpau