From e1eca4e97cd3a55e3b6cddee7bdcb005df5e4fb6 Mon Sep 17 00:00:00 2001
From: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com>
Date: Wed, 12 Mar 2025 16:13:16 -0700
Subject: [PATCH] config: fix jwt_issuer_format conversion (#5524)

Remove the previous conversion logic in NewPolicyFromProto() for the jwt_issuer_format field. This would prevent the new "unset" state from working correctly. Add a unit test to verify that all three values (unset, "hostOnly" and "uri") will successfully round trip to the proto format and back again. Also add a test case for the Options.ApplySettings() method to verify that an unset jwt_issuer_format will not overwrite the existing value (if any) in the settings.
---
 config/options_test.go | 14 ++++++++++++++
 config/policy.go | 7 -------
 config/policy_test.go | 16 ++++++++++++++++
 3 files changed, 30 insertions(+), 7 deletions(-)

diff --git a/config/options_test.go b/config/options_test.go
index d69d5d1a0..06e7f24ba 100644
--- a/config/options_test.go
+++ b/config/options_test.go
@@ -989,6 +989,20 @@ func TestOptions_ApplySettings(t *testing.T) {
 })
 assert.Equal(t, NewJWTGroupsFilter([]string{"quux", "zulu"}), options.JWTGroupsFilter)
 })
+
+ t.Run("jwt_issuer_format", func(t *testing.T) {
+ options := NewDefaultOptions()
+ assert.Equal(t, JWTIssuerFormatUnset, options.JWTIssuerFormat)
+ options.ApplySettings(ctx, nil, &configpb.Settings{
+ JwtIssuerFormat: configpb.IssuerFormat_IssuerURI.Enum(),
+ })
+ options.ApplySettings(ctx, nil, &configpb.Settings{})
+ assert.Equal(t, JWTIssuerFormatURI, options.JWTIssuerFormat)
+ options.ApplySettings(ctx, nil, &configpb.Settings{
+ JwtIssuerFormat: configpb.IssuerFormat_IssuerHostOnly.Enum(),
+ })
+ assert.Equal(t, JWTIssuerFormatHostOnly, options.JWTIssuerFormat)
+ })
 }

 func TestOptions_GetSetResponseHeaders(t *testing.T) {
diff --git a/config/policy.go b/config/policy.go
index 283563d5c..f73fd5965 100644
--- a/config/policy.go
+++ b/config/policy.go
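Review bot: In config/options_test.go, the new `jwt_issuer_format` subtest does not check the value after the first `ApplySettings` call, so a failure of the `JWTIssuerFormatURI` assertion cannot tell a value that was never applied from one that the empty `Settings` reset. Adding `assert.Equal(t, JWTIssuerFormatURI, options.JWTIssuerFormat)` directly after the first call would separate the two. A short comment on the empty-settings step would also help, for example `// an empty Settings leaves JwtIssuerFormat unset and must not reset the current value`. The enclosing TestOptions_ApplySettings starts outside the hunk.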
@@ -389,13 +389,6 @@ func NewPolicyFromProto(pb *configpb.Route) (*Policy, error) {
 p.EnvoyOpts.Name = pb.Name
 }

- switch pb.GetJwtIssuerFormat() {
- case configpb.IssuerFormat_IssuerHostOnly:
- p.JWTIssuerFormat = JWTIssuerFormatHostOnly
- case configpb.IssuerFormat_IssuerURI:
- p.JWTIssuerFormat = JWTIssuerFormatURI
- }
-
 p.BearerTokenFormat = BearerTokenFormatFromPB(pb.BearerTokenFormat)

 for _, rwh := range pb.RewriteResponseHeaders {
diff --git a/config/policy_test.go b/config/policy_test.go
index 2a20cc7ff..531398e26 100644
--- a/config/policy_test.go
+++ b/config/policy_test.go
@@ -292,6 +292,22 @@ func TestPolicy_FromToPb(t *testing.T) {
 assert.NoError(t, err)
 assert.Equal(t, p.Redirect.HTTPSRedirect, policyFromProto.Redirect.HTTPSRedirect)
 })
+
+ t.Run("JWT issuer format", func(t *testing.T) {
+ for f := range knownJWTIssuerFormats {
+ p := &Policy{
+ From: "https://pomerium.io",
+ To: mustParseWeightedURLs(t, "http://localhost"),
+ JWTIssuerFormat: f,
+ }
+ pbPolicy, err := p.ToProto()
+ require.NoError(t, err)
+
+ policyFromPb, err := NewPolicyFromProto(pbPolicy)
+ assert.NoError(t, err)
+ assert.Equal(t, f, policyFromPb.JWTIssuerFormat)
+ }
+ })
 }

 func TestPolicy_Matches(t *testing.T) {
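Review bot: In config/policy_test.go, the `assert.NoError(t, err)` after `NewPolicyFromProto(pbPolicy)` lets the test continue on failure, and the next line dereferences `policyFromPb`, which is presumably nil when an error is returned, so a conversion error would show up as a panic instead of a clean failure; `require.NoError(t, err)` would match the `ToProto` check just above. The loop also depends on `knownJWTIssuerFormats`, defined outside this hunk, still containing the unset value; the unset round trip is the case this commit fixes, so listing `JWTIssuerFormatUnset`, `JWTIssuerFormatHostOnly` and `JWTIssuerFormatURI` explicitly in the test would keep that coverage if the set ever changes. TestPolicy_FromToPb starts outside the hunk.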