authorize: handle user-unauthenticated response for deny blocks (#3559)

* authorize: handle user-unauthenticated response for deny blocks * fix test
2025-06-05 04:13:11 +02:00 · 2022-08-22 17:09:26 -06:00 · 2022-08-22 17:09:26 -06:00 · c0ca1e1a98
commit c0ca1e1a98
parent 4d38da94dd
3 changed files with 68 additions and 19 deletions
--- a/authorize/check_response_test.go
+++ b/authorize/check_response_test.go
@ -21,8 +21,40 @@ import (
 	"github.com/pomerium/pomerium/internal/atomicutil"
 	"github.com/pomerium/pomerium/internal/encoding/jws"
 	"github.com/pomerium/pomerium/internal/testutil"
+	"github.com/pomerium/pomerium/pkg/policy/criteria"
 )

+func TestAuthorize_handleResult(t *testing.T) {
+	opt := config.NewDefaultOptions()
+	opt.AuthenticateURLString = "https://authenticate.example.com"
+	opt.DataBrokerURLString = "https://databroker.example.com"
+	opt.SharedKey = "E8wWIMnihUx+AUfRegAQDNs8eRb3UrB5G3zlJW9XJDM="
+	a, err := New(&config.Config{Options: opt})
+	require.NoError(t, err)
+
+	t.Run("user-unauthenticated", func(t *testing.T) {
+		res, err := a.handleResult(context.Background(),
+			&envoy_service_auth_v3.CheckRequest{},
+			&evaluator.Request{},
+			&evaluator.Result{
+				Allow: evaluator.NewRuleResult(false, criteria.ReasonUserUnauthenticated),
+			},
+			false)
+		assert.NoError(t, err)
+		assert.Equal(t, 302, int(res.GetDeniedResponse().GetStatus().GetCode()))
+
+		res, err = a.handleResult(context.Background(),
+			&envoy_service_auth_v3.CheckRequest{},
+			&evaluator.Request{},
+			&evaluator.Result{
+				Deny: evaluator.NewRuleResult(false, criteria.ReasonUserUnauthenticated),
+			},
+			false)
+		assert.NoError(t, err)
+		assert.Equal(t, 302, int(res.GetDeniedResponse().GetStatus().GetCode()))
+	})
+}
+
 func TestAuthorize_okResponse(t *testing.T) {
 	opt := &config.Options{
 		AuthenticateURLString: "https://authenticate.example.com",