authorize: add support for .pomerium and unauthenticated routes (#639)

* authorize: add support for .pomerium and unauthenticated routes integration-tests: add test for forward auth dashboard urls * proxy: fix ctx error test to return a 200 when authorize allows it
2025-07-30 23:09:23 +02:00 · 2020-04-29 10:55:46 -06:00 · 2020-04-29 10:55:46 -06:00 · b1d3bbaf56
commit b1d3bbaf56
parent e5c7c5b27e
11 changed files with 158 additions and 69 deletions
--- a/authorize/evaluator/opa/policy/authz_test.rego
+++ b/authorize/evaluator/opa/policy/authz_test.rego
@ -65,6 +65,51 @@ test_email_denied {
 	}
 }

+test_public_allowed {
+	allow with data.route_policies as [{
+		"source": "example.com",
+		"AllowPublicUnauthenticatedAccess": true
+	}] with input as {
+		"url": "http://example.com",
+		"host": "example.com"
+	}
+}
+test_public_denied {
+	not allow with data.route_policies as [
+		{
+			"source": "example.com",
+			"prefix": "/by-user",
+			"allowed_users": ["bob@example.com"]
+		},
+		{
+			"source": "example.com",
+			"AllowPublicUnauthenticatedAccess": true
+		}
+	] with input as {
+		"url": "http://example.com/by-user",
+		"host": "example.com"
+	}
+}
+
+test_pomerium_allowed {
+	allow with data.route_policies as [{
+		"source": "example.com",
+		"allowed_users": ["bob@example.com"]
+	}] with input as {
+		"url": "http://example.com/.pomerium/",
+		"host": "example.com"
+	}
+}
+test_pomerium_denied {
+	not allow with data.route_policies as [{
+		"source": "example.com",
+		"allowed_users": ["bob@example.com"]
+	}] with input as {
+		"url": "http://example.com/.pomerium/admin",
+		"host": "example.com"
+	}
+}
+
 test_parse_url {
 	url := parse_url("http://example.com/some/path?qs")
 	url.scheme == "http"