diff --git a/config/envoyconfig/listeners_test.go b/config/envoyconfig/listeners_test.go
index 3b8cd52f9..42392d3f1 100644
--- a/config/envoyconfig/listeners_test.go
+++ b/config/envoyconfig/listeners_test.go
@@ -445,6 +445,16 @@ func Test_getAllDomains(t *testing.T) {
 assert.Equal(t, expect, actual)
 })
 })
+
+ t.Run("exclude default authenticate", func(t *testing.T) {
+ options := config.NewDefaultOptions()
+ options.Policies = []config.Policy{
+ {From: "https://a.example.com"},
+ }
+ actual, err := getAllRouteableHosts(options, ":443")
+ require.NoError(t, err)
+ assert.Equal(t, []string{"a.example.com", "a.example.com:443"}, actual)
+ })
 }
 
 func Test_urlMatchesHost(t *testing.T) {
diff --git a/config/options.go b/config/options.go
index 8221f14b6..7f40df320 100644
--- a/config/options.go
+++ b/config/options.go
@@ -325,7 +325,6 @@ var defaultOptions = Options{
 GRPCAddr: ":443",
 GRPCClientTimeout: 10 * time.Second, // Try to withstand transient service failures for a single request
 GRPCClientDNSRoundRobin: true,
- AuthenticateURLString: "https://authenticate.pomerium.app",
 AuthenticateCallbackPath: "/oauth2/callback",
 TracingSampleRate: 0.0001,
@@ -806,17 +805,17 @@ func (o *Options) GetDeriveInternalDomain() string {
 
 // GetAuthenticateURL returns the AuthenticateURL in the options or 127.0.0.1.
 func (o *Options) GetAuthenticateURL() (*url.URL, error) {
- rawurl := o.AuthenticateURLString
- if rawurl == "" {
- rawurl = "https://127.0.0.1"
+ rawURL := o.AuthenticateURLString
+ if rawURL == "" {
+ rawURL = "https://authenticate.pomerium.app"
 }
- return urlutil.ParseAndValidateURL(rawurl)
+ return urlutil.ParseAndValidateURL(rawURL)
 }
 
 // GetInternalAuthenticateURL returns the internal AuthenticateURL in the options or the AuthenticateURL.
 func (o *Options) GetInternalAuthenticateURL() (*url.URL, error) {
- rawurl := o.AuthenticateInternalURLString
- if rawurl == "" {
+ rawURL := o.AuthenticateInternalURLString
+ if rawURL == "" {
 return o.GetAuthenticateURL()
 }
 return urlutil.ParseAndValidateURL(o.AuthenticateInternalURLString)
@@ -1210,17 +1209,21 @@ func (o *Options) GetAllRouteableGRPCHosts() ([]string, error) {
 func (o *Options) GetAllRouteableHTTPHosts() ([]string, error) {
 hosts := sets.NewSorted[string]()
 if IsAuthenticate(o.Services) {
- authenticateURL, err := o.GetInternalAuthenticateURL()
- if err != nil {
- return nil, err
+ if o.AuthenticateInternalURLString != "" {
+ authenticateURL, err := o.GetInternalAuthenticateURL()
+ if err != nil {
+ return nil, err
+ }
+ hosts.Add(urlutil.GetDomainsForURL(authenticateURL)...)
 }
- hosts.Add(urlutil.GetDomainsForURL(authenticateURL)...)
- authenticateURL, err = o.GetAuthenticateURL()
- if err != nil {
- return nil, err
+ if o.AuthenticateURLString != "" {
+ authenticateURL, err := o.GetAuthenticateURL()
+ if err != nil {
+ return nil, err
+ }
+ hosts.Add(urlutil.GetDomainsForURL(authenticateURL)...)
 }
- hosts.Add(urlutil.GetDomainsForURL(authenticateURL)...)
 }
 // policy urls
diff --git a/config/options_test.go b/config/options_test.go
index bcd7021f3..c6b3ef815 100644
--- a/config/options_test.go
+++ b/config/options_test.go
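Review bot: The doc comment kept as context above GetAuthenticateURL still reads `or 127.0.0.1`, but the fallback on the added line is now `https://authenticate.pomerium.app`, so the comment describes the old loopback behaviour. That matters here more than usual: an unset AuthenticateURLString no longer points at the local host but at an external domain, and a reader of the signature should see that without opening the body; update it to `// GetAuthenticateURL returns the AuthenticateURL in the options or, when unset, https://authenticate.pomerium.app.`. Since the same literal is also asserted in options_test.go, hoisting it to `const defaultAuthenticateURL = "https://authenticate.pomerium.app"` at package scope would keep the two from drifting.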
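Review bot: The new `!= ""` guards in GetAllRouteableHTTPHosts repeat the emptiness check that GetInternalAuthenticateURL (and now GetAuthenticateURL) already performs, and nothing in the hunk records why the fallback URL is deliberately not routed, which is the actual behaviour change here. A later maintainer seeing the getter return a valid URL for an empty string could reasonably "simplify" the guards away and reintroduce routing of the fallback host; a comment above the first guard such as `// only explicitly configured authenticate URLs are routed; the fallback returned by GetAuthenticateURL for an empty string is intentionally not served by this instance` would pin the intent. GetAllRouteableHTTPHosts continues past the end of the hunk.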
@@ -411,7 +411,6 @@ func TestOptionsFromViper(t *testing.T) {
 CookieSecure: true,
 InsecureServer: true,
 CookieHTTPOnly: true,
- AuthenticateURLString: "https://authenticate.pomerium.app",
 AuthenticateCallbackPath: "/oauth2/callback",
 DataBrokerStorageType: "memory",
 EnvoyAdminAccessLogPath: os.DevNull,
@@ -425,7 +424,6 @@ func TestOptionsFromViper(t *testing.T) {
 &Options{
 Policies: []Policy{{From: "https://from.example", To: mustParseWeightedURLs(t, "https://to.example")}},
 CookieName: "_pomerium",
- AuthenticateURLString: "https://authenticate.pomerium.app",
 AuthenticateCallbackPath: "/oauth2/callback",
 CookieSecure: true,
 CookieHTTPOnly: true,
@@ -848,9 +846,7 @@ func TestOptions_DefaultURL(t *testing.T) {
 f func() (*url.URL, error)
 expectedURLStr string
 }{
- {"default authenticate url", defaultOptions.GetAuthenticateURL, "https://127.0.0.1"},
- {"default authorize url", defaultOptions.GetAuthenticateURL, "https://127.0.0.1"},
- {"default databroker url", defaultOptions.GetAuthenticateURL, "https://127.0.0.1"},
+ {"default authenticate url", defaultOptions.GetAuthenticateURL, "https://authenticate.pomerium.app"},
 {"good authenticate url", opts.GetAuthenticateURL, "https://authenticate.example.com"},
 {"good authorize url", firstURL(opts.GetAuthorizeURLs), "https://authorize.example.com"},
 {"good databroker url", firstURL(opts.GetDataBrokerURLs), "https://databroker.example.com"},