forward-auth: use envoy's ext_authz check (#1482)

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2025-08-03 00:40:25 +02:00 · 2020-10-04 20:01:06 -07:00 · 2020-10-04 20:01:06 -07:00 · 9b39deabd8
commit 9b39deabd8
parent 155213857e
16 changed files with 248 additions and 406 deletions
--- a/internal/controlplane/xds_routes_test.go
+++ b/internal/controlplane/xds_routes_test.go
@ -59,7 +59,17 @@ func Test_buildPomeriumHTTPRoutes(t *testing.T) {
 				}
 			}`
 	}
-
+	protectedRouteString := func(typ, name string) string {
+		return `{
+				"name": "pomerium-protected-` + typ + `-` + name + `",
+				"match": {
+					"` + typ + `": "` + name + `"
+				},
+				"route": {
+					"cluster": "pomerium-control-plane-http"
+				}
+			}`
+	}
 	t.Run("authenticate", func(t *testing.T) {
 		options := &config.Options{
 			Services:                 "all",
@ -70,6 +80,7 @@ func Test_buildPomeriumHTTPRoutes(t *testing.T) {
 		routes := buildPomeriumHTTPRoutes(options, "authenticate.example.com")

 		testutil.AssertProtoJSONEqual(t, `[
+			`+protectedRouteString("path", "/.pomerium/jwt")+`,
 			`+routeString("path", "/ping")+`,
 			`+routeString("path", "/healthz")+`,
 			`+routeString("path", "/.pomerium")+`,
@ -96,6 +107,7 @@ func Test_buildPomeriumHTTPRoutes(t *testing.T) {
 		routes := buildPomeriumHTTPRoutes(options, "from.example.com")

 		testutil.AssertProtoJSONEqual(t, `[
+			`+protectedRouteString("path", "/.pomerium/jwt")+`,
 			`+routeString("path", "/ping")+`,
 			`+routeString("path", "/healthz")+`,
 			`+routeString("path", "/.pomerium")+`,
@ -122,6 +134,7 @@ func Test_buildPomeriumHTTPRoutes(t *testing.T) {
 		routes := buildPomeriumHTTPRoutes(options, "from.example.com")

 		testutil.AssertProtoJSONEqual(t, `[
+			`+protectedRouteString("path", "/.pomerium/jwt")+`,
 			`+routeString("path", "/ping")+`,
 			`+routeString("path", "/healthz")+`,
 			`+routeString("path", "/.pomerium")+`,