From 7e5571e13597438f43f7d22da714f0d8de7e71b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Taavi=20V=C3=A4=C3=A4n=C3=A4nen?= <hi@taavi.wtf>
Date: Mon, 6 Dec 2021 16:52:47 +0200
Subject: [PATCH] fix(acl): do not validate group names from proxies

Validating the group name made sense when they were defined statically
in the configuration file. However when using a HTTP proxy to provide
group information it just causes issues.
---
 cmd/karma/acl.go | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/cmd/karma/acl.go b/cmd/karma/acl.go
index 740308ff9..aeba2f875 100644
--- a/cmd/karma/acl.go
+++ b/cmd/karma/acl.go
@@ -182,16 +182,20 @@ func newSilenceACLFromConfig(cfg config.SilenceACLRule) (*silenceACL, error) {
 	}
 
 	for _, groupName := range cfg.Scope.Groups {
-		var wasFound bool
-		for _, authGroup := range config.Config.Authorization.Groups {
-			if authGroup.Name == groupName {
-				wasFound = true
-				break
+		// Can't validate the group name if it comes dynamically from a http proxy
+		if config.Config.Authentication.Header.GroupName == "" {
+			var wasFound bool
+			for _, authGroup := range config.Config.Authorization.Groups {
+				if authGroup.Name == groupName {
+					wasFound = true
+					break
+				}
+			}
+			if !wasFound {
+				return nil, fmt.Errorf("invalid silence ACL rule, no group with name %q found in authorization.groups configuration", groupName)
 			}
 		}
-		if !wasFound {
-			return nil, fmt.Errorf("invalid silence ACL rule, no group with name %q found in authorization.groups configuration", groupName)
-		}
+
 		acl.Scope.Groups = append(acl.Scope.Groups, groupName)
 	}