forward-auth: use envoy's ext_authz check (#1482)

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2025-06-03 11:22:45 +02:00 · 2020-10-04 20:01:06 -07:00 · 2020-10-04 20:01:06 -07:00 · 9b39deabd8
commit 9b39deabd8
parent 155213857e
16 changed files with 248 additions and 406 deletions
--- a/proxy/handlers_test.go
+++ b/proxy/handlers_test.go
@ -11,21 +11,17 @@ import (
 	"testing"
 	"time"

-	envoy_api_v2_core "github.com/envoyproxy/go-control-plane/envoy/api/v2/core"
-	envoy_service_auth_v2 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2"
-	"github.com/stretchr/testify/assert"
-
-	mstore "github.com/pomerium/pomerium/internal/sessions/mock"
-	"github.com/pomerium/pomerium/pkg/cryptutil"
-
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/encoding"
 	"github.com/pomerium/pomerium/internal/encoding/mock"
 	"github.com/pomerium/pomerium/internal/httputil"
 	"github.com/pomerium/pomerium/internal/sessions"
+	mstore "github.com/pomerium/pomerium/internal/sessions/mock"
 	"github.com/pomerium/pomerium/internal/urlutil"
+	"github.com/pomerium/pomerium/pkg/cryptutil"

 	"github.com/google/go-cmp/cmp"
+	"github.com/stretchr/testify/assert"
 	"gopkg.in/square/go-jose.v2/jwt"
 )

@ -68,39 +64,6 @@ func TestProxy_Signout(t *testing.T) {
 	}
 }

-func TestProxy_jwt(t *testing.T) {
-	authzClient := &mockCheckClient{
-		response: &envoy_service_auth_v2.CheckResponse{
-			HttpResponse: &envoy_service_auth_v2.CheckResponse_OkResponse{
-				OkResponse: &envoy_service_auth_v2.OkHttpResponse{
-					Headers: []*envoy_api_v2_core.HeaderValueOption{
-						{Header: &envoy_api_v2_core.HeaderValue{
-							Key:   httputil.HeaderPomeriumJWTAssertion,
-							Value: "MOCK_JWT",
-						}},
-					},
-				},
-			},
-		},
-	}
-
-	req, _ := http.NewRequest("GET", "https://www.example.com/.pomerium/jwt", nil)
-	w := httptest.NewRecorder()
-
-	proxy := &Proxy{
-		state: newAtomicProxyState(&proxyState{
-			authzClient: authzClient,
-		}),
-	}
-	err := proxy.jwtAssertion(w, req)
-	if !assert.NoError(t, err) {
-		return
-	}
-
-	assert.Equal(t, "application/jwt", w.Header().Get("Content-Type"))
-	assert.Equal(t, w.Body.String(), "MOCK_JWT")
-}
-
 func TestProxy_UserDashboard(t *testing.T) {
 	opts := testOptions(t)
 	err := ValidateOptions(opts)
@ -532,3 +495,29 @@ func TestProxy_ProgrammaticCallback(t *testing.T) {
 		})
 	}
 }
+
+func TestProxy_jwt(t *testing.T) {
+
+	// without downstream headers being set
+	req, _ := http.NewRequest("GET", "https://www.example.com/.pomerium/jwt", nil)
+	w := httptest.NewRecorder()
+
+	proxy := &Proxy{
+		state: newAtomicProxyState(&proxyState{}),
+	}
+	err := proxy.jwtAssertion(w, req)
+	if !assert.Error(t, err) {
+		return
+	}
+
+	// with downstream request headers being set
+	req, _ = http.NewRequest("GET", "https://www.example.com/.pomerium/jwt", nil)
+	w = httptest.NewRecorder()
+	req.Header.Set(httputil.HeaderPomeriumJWTAssertion, "MOCK_JWT")
+	err = proxy.jwtAssertion(w, req)
+	if !assert.NoError(t, err) {
+		return
+	}
+	assert.Equal(t, "application/jwt", w.Header().Get("Content-Type"))
+	assert.Equal(t, w.Body.String(), "MOCK_JWT")
+}