authenticate: fix insecure gRPC connection string default port (#795)

internal/grpc/client.go

@@ -8,8 +8,9 @@ import (
 	"errors"
 	"fmt"
 	"io/ioutil"
+	"net"
 	"net/url"
-	"strings"
+	"strconv"
 	"time"
 
 	"github.com/pomerium/pomerium/internal/log"
@@ -22,7 +23,10 @@ import (
 	"google.golang.org/grpc/credentials"
 )
 
-const defaultGRPCPort = 443
+const (
+	defaultGRPCSecurePort   = 443
+	defaultGRPCInsecurePort = 80
+)
 
 // Options contains options for connecting to a pomerium rpc service.
 type Options struct {
@@ -57,8 +61,12 @@ func NewGRPCClientConn(opts *Options) (*grpc.ClientConn, error) {
 	connAddr := opts.Addr.Host
 
 	// no colon exists in the connection string, assume one must be added manually
-	if !strings.Contains(connAddr, ":") {
-		connAddr = fmt.Sprintf("%s:%d", connAddr, defaultGRPCPort)
+	if _, _, err := net.SplitHostPort(connAddr); err != nil {
+		if opts.Addr.Scheme == "https" {
+			connAddr = net.JoinHostPort(connAddr, strconv.Itoa(defaultGRPCSecurePort))
+		} else {
+			connAddr = net.JoinHostPort(connAddr, strconv.Itoa(defaultGRPCInsecurePort))
+		}
 	}
 	dialOptions := []grpc.DialOption{
 		grpc.WithChainUnaryInterceptor(

internal/grpc/client_test.go

@@ -51,7 +51,8 @@ func TestNewGRPC(t *testing.T) {
 		{"empty connection", &Options{Addr: nil}, true, "proxy/authenticator: connection address required", ""},
 		{"both internal and addr empty", &Options{Addr: nil}, true, "proxy/authenticator: connection address required", ""},
 		{"addr with port", &Options{Addr: &url.URL{Scheme: "https", Host: "localhost.example:8443"}}, false, "", "localhost.example:8443"},
-		{"addr without port", &Options{Addr: &url.URL{Scheme: "https", Host: "localhost.example"}}, false, "", "localhost.example:443"},
+		{"secure addr without port", &Options{Addr: &url.URL{Scheme: "https", Host: "localhost.example"}}, false, "", "localhost.example:443"},
+		{"insecure addr without port", &Options{Addr: &url.URL{Scheme: "http", Host: "localhost.example"}}, false, "", "localhost.example:80"},
 		{"cert override", &Options{Addr: &url.URL{Scheme: "https", Host: "localhost.example:443"}, OverrideCertificateName: "*.local"}, false, "", "localhost.example:443"},
 		{"custom ca", &Options{Addr: &url.URL{Scheme: "https", Host: "localhost.example:443"}, OverrideCertificateName: "*.local", CA: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURFVENDQWZrQ0ZBWHhneFg5K0hjWlBVVVBEK0laV0NGNUEvVTdNQTBHQ1NxR1NJYjNEUUVCQ3dVQU1FVXgKQ3pBSkJnTlZCQVlUQWtGVk1STXdFUVlEVlFRSURBcFRiMjFsTFZOMFlYUmxNU0V3SHdZRFZRUUtEQmhKYm5SbApjbTVsZENCWGFXUm5hWFJ6SUZCMGVTQk1kR1F3SGhjTk1Ua3dNakk0TVRnMU1EQTNXaGNOTWprd01qSTFNVGcxCk1EQTNXakJGTVFzd0NRWURWUVFHRXdKQlZURVRNQkVHQTFVRUNBd0tVMjl0WlMxVGRHRjBaVEVoTUI4R0ExVUUKQ2d3WVNXNTBaWEp1WlhRZ1YybGtaMmwwY3lCUWRIa2dUSFJrTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQwpBUThBTUlJQkNnS0NBUUVBOVRFMEFiaTdnMHhYeURkVUtEbDViNTBCT05ZVVVSc3F2THQrSWkwdlpjMzRRTHhOClJrT0hrOFZEVUgzcUt1N2UrNGVubUdLVVNUdzRPNFlkQktiSWRJTFpnb3o0YitNL3FVOG5adVpiN2pBVTdOYWkKajMzVDVrbXB3L2d4WHNNUzNzdUpXUE1EUDB3Z1BUZUVRK2J1bUxVWmpLdUVIaWNTL0l5dmtaVlBzRlE4NWlaUwpkNXE2a0ZGUUdjWnFXeFg0dlhDV25Sd3E3cHY3TThJd1RYc1pYSVRuNXB5Z3VTczNKb29GQkg5U3ZNTjRKU25GCmJMK0t6ekduMy9ScXFrTXpMN3FUdkMrNWxVT3UxUmNES21mZXBuVGVaN1IyVnJUQm42NndWMjVHRnBkSDIzN00KOXhJVkJrWEd1U2NvWHVPN1lDcWFrZkt6aXdoRTV4UmRaa3gweXdJREFRQUJNQTBHQ1NxR1NJYjNEUUVCQ3dVQQpBNElCQVFCaHRWUEI0OCs4eFZyVmRxM1BIY3k5QkxtVEtrRFl6N2Q0ODJzTG1HczBuVUdGSTFZUDdmaFJPV3ZxCktCTlpkNEI5MUpwU1NoRGUrMHpoNno4WG5Ha01mYnRSYWx0NHEwZ3lKdk9hUWhqQ3ZCcSswTFk5d2NLbXpFdnMKcTRiNUZ5NXNpRUZSekJLTmZtTGwxTTF2cW1hNmFCVnNYUUhPREdzYS83dE5MalZ2ay9PYm52cFg3UFhLa0E3cQpLMTQvV0tBRFBJWm9mb00xMzB4Q1RTYXVpeXROajlnWkx1WU9leEZhblVwNCt2MHBYWS81OFFSNTk2U0ROVTlKClJaeDhwTzBTaUYvZXkxVUZXbmpzdHBjbTQzTFVQKzFwU1hFeVhZOFJrRTI2QzNvdjNaTFNKc2pMbC90aXVqUlgKZUJPOWorWDdzS0R4amdtajBPbWdpVkpIM0YrUAotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg=="}, false, "", "localhost.example:443"},
 		{"bad ca encoding", &Options{Addr: &url.URL{Scheme: "https", Host: "localhost.example:443"}, OverrideCertificateName: "*.local", CA: "^"}, true, "", "localhost.example:443"},