From ff88d9316c5be66cb78eb179c795d321b3badfb7 Mon Sep 17 00:00:00 2001
From: Samuel Padgett <spadgett@redhat.com>
Date: Mon, 3 Feb 2020 11:39:42 -0500
Subject: [PATCH] Bug 1787504: include `system:authenticated` when
 impersonating groups

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1787504
---
 pkg/proxy/proxy.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/pkg/proxy/proxy.go b/pkg/proxy/proxy.go
index 8d7f93e39f0..f89e48ba4c4 100644
--- a/pkg/proxy/proxy.go
+++ b/pkg/proxy/proxy.go
@@ -107,6 +107,12 @@ func (p *Proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		r.Header.Del(h)
 	}
 
+	// Include `system:authenticated` when impersonating groups so that basic requests that all
+	// users can run like self-subject access reviews work.
+	if len(r.Header["Impersonate-Group"]) > 0 {
+		r.Header.Add("Impersonate-Group", "system:authenticated")
+	}
+
 	r.Host = p.config.Endpoint.Host
 	r.URL.Host = p.config.Endpoint.Host
 	r.URL.Scheme = p.config.Endpoint.Scheme