authorize: add support for .pomerium and unauthenticated routes (#639)

* authorize: add support for .pomerium and unauthenticated routes integration-tests: add test for forward auth dashboard urls * proxy: fix ctx error test to return a 200 when authorize allows it
2025-05-29 00:47:17 +02:00 · 2020-04-29 10:55:46 -06:00 · 2020-04-29 10:55:46 -06:00 · b1d3bbaf56
commit b1d3bbaf56
parent e5c7c5b27e
11 changed files with 158 additions and 69 deletions
--- a/integration/authorization_test.go
+++ b/integration/authorization_test.go
@ -16,8 +16,6 @@ func TestAuthorization(t *testing.T) {
 	defer clearTimeout()

 	t.Run("public", func(t *testing.T) {
-		t.Skip() // pomerium doesn't currently handle unauthenticated public routes
-
 		client := testcluster.NewHTTPClient()

 		req, err := http.NewRequestWithContext(ctx, "GET", "https://httpdetails.localhost.pomerium.io", nil)
@ -33,7 +31,6 @@ func TestAuthorization(t *testing.T) {

 		assert.Equal(t, http.StatusOK, res.StatusCode, "unexpected status code, headers=%v", res.Header)
 	})
-
 	t.Run("domains", func(t *testing.T) {
 		t.Run("allowed", func(t *testing.T) {
 			client := testcluster.NewHTTPClient()
@ -78,7 +75,7 @@ func TestAuthorization(t *testing.T) {
 			client := testcluster.NewHTTPClient()
 			res, err := flows.Authenticate(ctx, client, mustParseURL("https://httpdetails.localhost.pomerium.io/by-group"), "joe@cats.test", []string{"user"})
 			if assert.NoError(t, err) {
-				assertDeniedAccess(t, res, "expected Forbidden for user")
+				assertDeniedAccess(t, res, "expected Forbidden for user, but got %d", res.StatusCode)
 			}
 		})
 	})
--- a/integration/dashboard_test.go
+++ b/integration/dashboard_test.go
@ -28,6 +28,23 @@ func TestDashboard(t *testing.T) {
 		}
 		defer res.Body.Close()

+		assert.Equal(t, http.StatusOK, res.StatusCode, "unexpected status code")
+		assert.Equal(t, "image/svg+xml", res.Header.Get("Content-Type"))
+	})
+	t.Run("forward auth image asset", func(t *testing.T) {
+		client := testcluster.NewHTTPClient()
+
+		req, err := http.NewRequestWithContext(ctx, "GET", "https://fa-httpdetails.localhost.pomerium.io/.pomerium/assets/img/pomerium.svg", nil)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		res, err := client.Do(req)
+		if !assert.NoError(t, err, "unexpected http error") {
+			return
+		}
+		defer res.Body.Close()
+
 		assert.Equal(t, http.StatusOK, res.StatusCode, "unexpected status code")
 		assert.Equal(t, "image/svg+xml", res.Header.Get("Content-Type"))
 	})
--- a/integration/manifests/lib/pomerium.libsonnet
+++ b/integration/manifests/lib/pomerium.libsonnet
@ -1,30 +1,33 @@
 local tls = import './tls.libsonnet';

-local PomeriumPolicy = function() [
-  {
-    from: 'http://httpdetails.localhost.pomerium.io',
-    prefix: '/by-domain',
-    to: 'http://httpdetails.default.svc.cluster.local',
-    allowed_domains: ['dogs.test'],
-  },
-  {
-    from: 'http://httpdetails.localhost.pomerium.io',
-    prefix: '/by-user',
-    to: 'http://httpdetails.default.svc.cluster.local',
-    allowed_users: ['bob@dogs.test'],
-  },
-  {
-    from: 'http://httpdetails.localhost.pomerium.io',
-    prefix: '/by-group',
-    to: 'http://httpdetails.default.svc.cluster.local',
-    allowed_groups: ['admin'],
-  },
-  {
-    from: 'http://httpdetails.localhost.pomerium.io',
-    to: 'http://httpdetails.default.svc.cluster.local',
-    allow_public_unauthenticated_access: true,
-  },
-];
+local PomeriumPolicy = function() std.flattenArrays([
+  [
+    {
+      from: 'http://' + domain + '.localhost.pomerium.io',
+      prefix: '/by-domain',
+      to: 'http://' + domain + '.default.svc.cluster.local',
+      allowed_domains: ['dogs.test'],
+    },
+    {
+      from: 'http://' + domain + '.localhost.pomerium.io',
+      prefix: '/by-user',
+      to: 'http://' + domain + '.default.svc.cluster.local',
+      allowed_users: ['bob@dogs.test'],
+    },
+    {
+      from: 'http://' + domain + '.localhost.pomerium.io',
+      prefix: '/by-group',
+      to: 'http://' + domain + '.default.svc.cluster.local',
+      allowed_groups: ['admin'],
+    },
+    {
+      from: 'http://' + domain + '.localhost.pomerium.io',
+      to: 'http://' + domain + '.default.svc.cluster.local',
+      allow_public_unauthenticated_access: true,
+    },
+  ]
+  for domain in ['httpdetails', 'fa-httpdetails']
+]);

 local PomeriumPolicyHash = std.base64(std.md5(std.manifestJsonEx(PomeriumPolicy(), '')));

@ -292,20 +295,27 @@ local PomeriumForwardAuthIngress = function() {
    tls: [
      {
        hosts: [
-          'fa-httpecho.localhost.pomerium.io',
+          'fa-httpdetails.localhost.pomerium.io',
        ],
        secretName: 'pomerium-tls',
      },
    ],
    rules: [
      {
-        host: 'fa-httpecho.localhost.pomerium.io',
+        host: 'fa-httpdetails.localhost.pomerium.io',
        http: {
          paths: [
+            {
+              path: '/.pomerium/',
+              backend: {
+                serviceName: 'proxy',
+                servicePort: 'https',
+              },
+            },
            {
              path: '/',
              backend: {
-                serviceName: 'httpecho',
+                serviceName: 'httpdetails',
                servicePort: 'http',
              },
            },