config: fix layered bearer_token_format and idp_access_token_allowed_audiences (#5534)

config: fix layered bearer_token_format and idp_access_token_allowed_audiences (#5533)

Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
This commit is contained in:
backport-actions-token[bot] 2025-03-19 11:00:05 -06:00 committed by GitHub
parent a078f93986
commit cc22174159
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 35 additions and 3 deletions


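--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -1509,8 +1509,6 @@ func (o *Options) ApplySettings(ctx context.Context, certsIndex *cryptutil.Certi
 if settings.IdpAccessTokenAllowedAudiences != nil {
 values := slices.Clone(settings.IdpAccessTokenAllowedAudiences.Values)
 o.IDPAccessTokenAllowedAudiences = &values
-} else {
-o.IDPAccessTokenAllowedAudiences = nil
 }
 setSlice(&o.AuthorizeURLStrings, settings.AuthorizeServiceUrls)
 set(&o.AuthorizeInternalURLString, settings.AuthorizeInternalServiceUrl)
@@ -1520,7 +1518,7 @@ func (o *Options) ApplySettings(ctx context.Context, certsIndex *cryptutil.Certi
 set(&o.SigningKey, settings.SigningKey)
 setMap(&o.SetResponseHeaders, settings.SetResponseHeaders)
 setMap(&o.JWTClaimsHeaders, settings.JwtClaimsHeaders)
-o.BearerTokenFormat = BearerTokenFormatFromPB(settings.BearerTokenFormat)
+setOptional(&o.BearerTokenFormat, BearerTokenFormatFromPB(settings.BearerTokenFormat))
 if len(settings.JwtGroupsFilter) > 0 {
 o.JWTGroupsFilter = NewJWTGroupsFilter(settings.JwtGroupsFilter)
 }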
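Review bot: Removing the `else { o.IDPAccessTokenAllowedAudiences = nil }` branch means a Settings message that omits IdpAccessTokenAllowedAudiences now leaves a previously layered audience list in force, and nothing at the `if settings.IdpAccessTokenAllowedAudiences != nil` site records that the only way to clear it is a present-but-empty list (the `&values` assignment runs for an empty Values too, so that is the clearing path). A comment on the `if` would keep the next maintainer from reintroducing the reset: `// absent in settings: keep the layered value; an explicitly empty list still overwrites it`. The same layering intent presumably applies to the new `setOptional(&o.BearerTokenFormat, ...)` in the second hunk, though setOptional's nil handling is not visible here. ApplySettings begins and ends outside these hunks.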


@ -924,6 +924,8 @@ func TestOptions_GetAllRouteableHTTPHosts(t *testing.T) {
} }
func TestOptions_ApplySettings(t *testing.T) { func TestOptions_ApplySettings(t *testing.T) {
t.Parallel()
ctx, clearTimeout := context.WithTimeout(context.Background(), time.Second) ctx, clearTimeout := context.WithTimeout(context.Background(), time.Second)
defer clearTimeout() defer clearTimeout()
@ -1003,6 +1005,34 @@ func TestOptions_ApplySettings(t *testing.T) {
}) })
assert.Equal(t, JWTIssuerFormatHostOnly, options.JWTIssuerFormat) assert.Equal(t, JWTIssuerFormatHostOnly, options.JWTIssuerFormat)
}) })
t.Run("bearer_token_format", func(t *testing.T) {
t.Parallel()
options := NewDefaultOptions()
assert.Nil(t, options.BearerTokenFormat)
options.ApplySettings(ctx, nil, &configpb.Settings{
BearerTokenFormat: configpb.BearerTokenFormat_BEARER_TOKEN_FORMAT_DEFAULT.Enum(),
})
assert.Equal(t, ptr(BearerTokenFormatDefault), options.BearerTokenFormat)
options.ApplySettings(ctx, nil, &configpb.Settings{})
assert.Equal(t, ptr(BearerTokenFormatDefault), options.BearerTokenFormat, "should preserve existing bearer token format")
})
t.Run("idp_access_token_allowed_audiences", func(t *testing.T) {
t.Parallel()
options := NewDefaultOptions()
assert.Nil(t, options.IDPAccessTokenAllowedAudiences)
options.ApplySettings(ctx, nil, &configpb.Settings{
IdpAccessTokenAllowedAudiences: &configpb.Settings_StringList{Values: []string{"x", "y", "z"}},
})
assert.Equal(t, ptr([]string{"x", "y", "z"}), options.IDPAccessTokenAllowedAudiences)
options.ApplySettings(ctx, nil, &configpb.Settings{})
assert.Equal(t, ptr([]string{"x", "y", "z"}), options.IDPAccessTokenAllowedAudiences,
"should preserve idp access token allowed audiences")
})
} }
func TestOptions_GetSetResponseHeaders(t *testing.T) { func TestOptions_GetSetResponseHeaders(t *testing.T) {
@ -1762,3 +1792,7 @@ func must[T any](t T, err error) T {
} }
return t return t
} }
func ptr[T any](v T) *T {
return &v
}
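Review bot: The two new subtests call `t.Parallel()` but use the `ctx` created by `context.WithTimeout(context.Background(), time.Second)` in the parent, whose `defer clearTimeout()` fires when the parent function returns — and a parallel subtest only starts running after the parent returns, so both "bearer_token_format" and "idp_access_token_allowed_audiences" receive an already-cancelled context. They pass only if ApplySettings ignores ctx, which is not visible here; creating the context inside each subtest (`ctx, cancel := context.WithTimeout(context.Background(), time.Second)` / `defer cancel()`) removes that dependence. Both subtests also check preservation on an empty Settings but not that a later explicit value still overrides, e.g. `options.ApplySettings(ctx, nil, &configpb.Settings{IdpAccessTokenAllowedAudiences: &configpb.Settings_StringList{Values: []string{"w"}}})` followed by `assert.Equal(t, ptr([]string{"w"}), options.IDPAccessTokenAllowedAudiences)`. TestOptions_ApplySettings continues outside the visible hunks.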