config: add support for wildcard from addresses (#4131)

* config: add support for wildcards * update policy matching, header generation * remove deprecated field * fix test
2025-08-03 00:40:25 +02:00 · 2023-04-25 13:34:38 -06:00 · 2023-04-25 13:34:38 -06:00 · 18bc86d632
commit 18bc86d632
parent 949454e886
12 changed files with 445 additions and 115 deletions
--- a/authorize/evaluator/evaluator.go
+++ b/authorize/evaluator/evaluator.go
@ -38,6 +38,7 @@ type Request struct {
 // RequestHTTP is the HTTP field in the request.
 type RequestHTTP struct {
 	Method            string            `json:"method"`
+	Hostname          string            `json:"hostname"`
 	Path              string            `json:"path"`
 	URL               string            `json:"url"`
 	Headers           map[string]string `json:"headers"`
@ -55,6 +56,7 @@ func NewRequestHTTP(
 ) RequestHTTP {
 	return RequestHTTP{
 		Method:            method,
+		Hostname:          requestURL.Hostname(),
 		Path:              requestURL.Path,
 		URL:               requestURL.String(),
 		Headers:           headers,
@ -162,7 +164,7 @@ func (e *Evaluator) Evaluate(ctx context.Context, req *Request) (*Result, error)

 	var headersOutput *HeadersResponse
 	eg.Go(func() error {
-		headersReq := NewHeadersRequestFromPolicy(req.Policy)
+		headersReq := NewHeadersRequestFromPolicy(req.Policy, req.HTTP.Hostname)
 		headersReq.Session = req.Session
 		var err error
 		headersOutput, err = e.headersEvaluators.Evaluate(ectx, headersReq)
--- a/authorize/evaluator/headers_evaluator.go
+++ b/authorize/evaluator/headers_evaluator.go
@ -12,7 +12,6 @@ import (
 	"github.com/pomerium/pomerium/authorize/internal/store"
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/telemetry/trace"
-	"github.com/pomerium/pomerium/internal/urlutil"
 	configpb "github.com/pomerium/pomerium/pkg/grpc/config"
 )

@ -29,14 +28,12 @@ type HeadersRequest struct {
 }

 // NewHeadersRequestFromPolicy creates a new HeadersRequest from a policy.
-func NewHeadersRequestFromPolicy(policy *config.Policy) *HeadersRequest {
+func NewHeadersRequestFromPolicy(policy *config.Policy, hostname string) *HeadersRequest {
 	input := new(HeadersRequest)
 	input.EnableGoogleCloudServerlessAuthentication = policy.EnableGoogleCloudServerlessAuthentication
 	input.EnableRoutingKey = policy.EnvoyOpts.GetLbPolicy() == envoy_config_cluster_v3.Cluster_RING_HASH ||
 		policy.EnvoyOpts.GetLbPolicy() == envoy_config_cluster_v3.Cluster_MAGLEV
-	if u, err := urlutil.ParseAndValidateURL(policy.From); err == nil {
-		input.Issuer = u.Hostname()
-	}
+	input.Issuer = hostname
 	input.KubernetesServiceAccountToken = policy.KubernetesServiceAccountToken
 	for _, wu := range policy.To {
 		input.ToAudience = "https://" + wu.URL.Hostname()
--- a/authorize/evaluator/headers_evaluator_test.go
+++ b/authorize/evaluator/headers_evaluator_test.go
@ -22,13 +22,13 @@ import (
 func TestNewHeadersRequestFromPolicy(t *testing.T) {
 	req := NewHeadersRequestFromPolicy(&config.Policy{
 		EnableGoogleCloudServerlessAuthentication: true,
-		From: "https://from.example.com",
+		From: "https://*.example.com",
 		To: config.WeightedURLs{
 			{
 				URL: *mustParseURL("http://to.example.com"),
 			},
 		},
-	})
+	}, "from.example.com")
 	assert.Equal(t, &HeadersRequest{
 		EnableGoogleCloudServerlessAuthentication: true,
 		Issuer:     "from.example.com",