authorize: add support for .pomerium and unauthenticated routes (#639)

* authorize: add support for .pomerium and unauthenticated routes
integration-tests: add test for forward auth dashboard urls

* proxy: fix ctx error test to return a 200 when authorize allows it

authorize/evaluator/opa/policy/authz.rego

@@ -5,10 +5,15 @@ import data.shared_key
 
 default allow = false
 
+# allow public
+allow {
+	route := first_allowed_route(input.url)
+	route_policies[route].AllowPublicUnauthenticatedAccess == true
+}
+
 # allow by email
 allow {
-	some route
-	allowed_route(input.url, route_policies[route])
+	route := first_allowed_route(input.url)
 	token.payload.email = route_policies[route].allowed_users[_]
 	token.valid
 	count(deny)==0
@@ -16,8 +21,7 @@ allow {
 
 # allow group
 allow {
-	some route
-	allowed_route(input.url, route_policies[route])
+	route := first_allowed_route(input.url)
 	some group
 	token.payload.groups[group] == route_policies[route].allowed_groups[_]
 	token.valid
@@ -26,8 +30,7 @@ allow {
 
 # allow by impersonate email
 allow {
-	some route
-	allowed_route(input.url, route_policies[route])
+	route := first_allowed_route(input.url)
 	token.payload.impersonate_email = route_policies[route].allowed_users[_]
 	token.valid
 	count(deny)==0
@@ -35,8 +38,7 @@ allow {
 
 # allow by impersonate group
 allow {
-	some route
-	allowed_route(input.url, route_policies[route])
+	route := first_allowed_route(input.url)
 	some group
 	token.payload.impersonate_groups[group] == route_policies[route].allowed_groups[_]
 	token.valid
@@ -45,8 +47,7 @@ allow {
 
 # allow by domain
 allow {
-	some route
-	allowed_route(input.url, route_policies[route])
+	route := first_allowed_route(input.url)
 	some domain
 	email_in_domain(token.payload.email, route_policies[route].allowed_domains[domain])
 	token.valid
@@ -55,14 +56,24 @@ allow {
 
 # allow by impersonate domain
 allow {
-	some route
-	allowed_route(input.url, route_policies[route])
+	route := first_allowed_route(input.url)
 	some domain
 	email_in_domain(token.payload.impersonate_email, route_policies[route].allowed_domains[domain])
 	token.valid
 	count(deny)==0
 }
 
+# allow pomerium urls
+allow {
+	contains(input.url, "/.pomerium/")
+	not contains(input.url,"/.pomerium/admin")
+}
+
+# returns the first matching route
+first_allowed_route(input_url) = route {
+	route := [route | some route ; allowed_route(input.url, route_policies[route])][0]
+}
+
 allowed_route(input_url, policy){
 	input_url_obj := parse_url(input_url)
 	allowed_route_source(input_url_obj, policy)

authorize/evaluator/opa/policy/authz_test.rego

@@ -65,6 +65,51 @@ test_email_denied {
 	}
 }
 
+test_public_allowed {
+	allow with data.route_policies as [{
+		"source": "example.com",
+		"AllowPublicUnauthenticatedAccess": true
+	}] with input as {
+		"url": "http://example.com",
+		"host": "example.com"
+	}
+}
+test_public_denied {
+	not allow with data.route_policies as [
+		{
+			"source": "example.com",
+			"prefix": "/by-user",
+			"allowed_users": ["bob@example.com"]
+		},
+		{
+			"source": "example.com",
+			"AllowPublicUnauthenticatedAccess": true
+		}
+	] with input as {
+		"url": "http://example.com/by-user",
+		"host": "example.com"
+	}
+}
+
+test_pomerium_allowed {
+	allow with data.route_policies as [{
+		"source": "example.com",
+		"allowed_users": ["bob@example.com"]
+	}] with input as {
+		"url": "http://example.com/.pomerium/",
+		"host": "example.com"
+	}
+}
+test_pomerium_denied {
+	not allow with data.route_policies as [{
+		"source": "example.com",
+		"allowed_users": ["bob@example.com"]
+	}] with input as {
+		"url": "http://example.com/.pomerium/admin",
+		"host": "example.com"
+	}
+}
+
 test_parse_url {
 	url := parse_url("http://example.com/some/path?qs")
 	url.scheme == "http"