From de1ed61b9a106f013f8132d5edf99c30c77755a7 Mon Sep 17 00:00:00 2001
From: Caleb Doxsey
Date: Thu, 2 Sep 2021 09:55:06 -0600
Subject: [PATCH] authorize: fix google cloudrun header audience (#2558)
---
 authorize/evaluator/headers_evaluator.go | 2 +-
 authorize/evaluator/headers_evaluator_test.go | 17 +++++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/authorize/evaluator/headers_evaluator.go b/authorize/evaluator/headers_evaluator.go
index 555e0f2ea..0d7ef1002 100644
--- a/authorize/evaluator/headers_evaluator.go
+++ b/authorize/evaluator/headers_evaluator.go
@@ -31,7 +31,7 @@ func NewHeadersRequestFromPolicy(policy *config.Policy) *HeadersRequest {
 }
 input.KubernetesServiceAccountToken = policy.KubernetesServiceAccountToken
 for _, wu := range policy.To {
- input.ToAudience = wu.URL.Hostname()
+ input.ToAudience = "https://" + wu.URL.Hostname()
 }
 return input
 }
diff --git a/authorize/evaluator/headers_evaluator_test.go b/authorize/evaluator/headers_evaluator_test.go
index c95efc93f..6ce40bbf1 100644
--- a/authorize/evaluator/headers_evaluator_test.go
+++ b/authorize/evaluator/headers_evaluator_test.go
@@ -19,6 +19,23 @@ import (
 "github.com/pomerium/pomerium/pkg/grpc/user"
 )
 
+func TestNewHeadersRequestFromPolicy(t *testing.T) {
+ req := NewHeadersRequestFromPolicy(&config.Policy{
+ EnableGoogleCloudServerlessAuthentication: true,
+ From: "https://from.example.com",
+ To: config.WeightedURLs{
+ {
+ URL: *mustParseURL("http://to.example.com"),
+ },
+ },
+ })
+ assert.Equal(t, &HeadersRequest{
+ EnableGoogleCloudServerlessAuthentication: true,
+ FromAudience: "from.example.com",
+ ToAudience: "https://to.example.com",
+ }, req)
+}
+
 func TestHeadersEvaluator(t *testing.T) {
 type A = []interface{}
 type M = map[string]interface{}
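Review bot: The loop around the changed line assigns `input.ToAudience` on every iteration, so a policy with several weighted `To` entries ends up with only the last hostname as the audience. If the identity token is minted for that one audience and attached to requests sent to any of the upstreams (not visible here), the other services would either reject it or receive a token scoped to a different service. Consider documenting this with `// only the last policy.To entry determines ToAudience; the audience is always https regardless of wu.URL.Scheme`, or rejecting multi-upstream policies when serverless authentication is enabled. The function starts before this hunk, so whether an earlier guard already limits this cannot be seen.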
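Review bot: The new test covers a single upstream without a port, so the two properties the fix depends on are only partly pinned: that the scheme is forced to `https://` and that `Hostname()` drops any port. Adding a constructed case such as `URL: *mustParseURL("http://to.example.com:8080")` with the same expected `ToAudience`, and one with two `To` entries, would document which audience a non-default-port or multi-upstream policy produces. `mustParseURL` is defined outside this hunk.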