remove forward auth (#3628)

2025-07-19 01:28:51 +02:00 · 2022-11-23 15:59:28 -07:00 · 2022-11-23 15:59:28 -07:00 · fa26587f19
commit fa26587f19
parent ba07afc245
68 changed files with 302 additions and 5072 deletions
--- a/config/envoyconfig/routes.go
+++ b/config/envoyconfig/routes.go
@ -84,86 +84,9 @@ func (b *Builder) buildPomeriumHTTPRoutes(options *config.Options, domain string
 			b.buildControlPlanePathRoute("/", false),
 		)
 	}
-	// if we're the proxy and this is the forward-auth url
-	forwardAuthURL, err := options.GetForwardAuthURL()
-	if err != nil {
-		return nil, err
-	}
-	if config.IsProxy(options.Services) && hostMatchesDomain(forwardAuthURL, domain) {
-		// disable ext_authz and pass request to proxy handlers that enable authN flow
-		r, err := b.buildControlPlanePathAndQueryRoute("/verify", []string{urlutil.QueryForwardAuthURI, urlutil.QuerySessionEncrypted, urlutil.QueryRedirectURI})
-		if err != nil {
-			return nil, err
-		}
-		routes = append(routes, r)
-		r, err = b.buildControlPlanePathAndQueryRoute("/", []string{urlutil.QueryForwardAuthURI, urlutil.QuerySessionEncrypted, urlutil.QueryRedirectURI})
-		if err != nil {
-			return nil, err
-		}
-		routes = append(routes, r)
-		r, err = b.buildControlPlanePathAndQueryRoute("/", []string{urlutil.QueryForwardAuthURI})
-		if err != nil {
-			return nil, err
-		}
-		routes = append(routes, r)
-
-		// otherwise, enforce ext_authz; pass all other requests through to an upstream
-		// handler that will simply respond with http status 200 / OK indicating that
-		// the fronting forward-auth proxy can continue.
-		r, err = b.buildControlPlaneProtectedPrefixRoute("/")
-		if err != nil {
-			return nil, err
-		}
-		routes = append(routes, r)
-	}
 	return routes, nil
 }

-func (b *Builder) buildControlPlaneProtectedPrefixRoute(prefix string) (*envoy_config_route_v3.Route, error) {
-	return &envoy_config_route_v3.Route{
-		Name: "pomerium-protected-prefix-" + prefix,
-		Match: &envoy_config_route_v3.RouteMatch{
-			PathSpecifier: &envoy_config_route_v3.RouteMatch_Prefix{Prefix: prefix},
-		},
-		Action: &envoy_config_route_v3.Route_Route{
-			Route: &envoy_config_route_v3.RouteAction{
-				ClusterSpecifier: &envoy_config_route_v3.RouteAction_Cluster{
-					Cluster: httpCluster,
-				},
-			},
-		},
-	}, nil
-}
-
-func (b *Builder) buildControlPlanePathAndQueryRoute(path string, queryparams []string) (*envoy_config_route_v3.Route, error) {
-	var queryParameterMatchers []*envoy_config_route_v3.QueryParameterMatcher
-	for _, q := range queryparams {
-		queryParameterMatchers = append(queryParameterMatchers,
-			&envoy_config_route_v3.QueryParameterMatcher{
-				Name:                         q,
-				QueryParameterMatchSpecifier: &envoy_config_route_v3.QueryParameterMatcher_PresentMatch{PresentMatch: true},
-			})
-	}
-
-	return &envoy_config_route_v3.Route{
-		Name: "pomerium-path-and-query" + path,
-		Match: &envoy_config_route_v3.RouteMatch{
-			PathSpecifier:   &envoy_config_route_v3.RouteMatch_Path{Path: path},
-			QueryParameters: queryParameterMatchers,
-		},
-		Action: &envoy_config_route_v3.Route_Route{
-			Route: &envoy_config_route_v3.RouteAction{
-				ClusterSpecifier: &envoy_config_route_v3.RouteAction_Cluster{
-					Cluster: httpCluster,
-				},
-			},
-		},
-		TypedPerFilterConfig: map[string]*any.Any{
-			"envoy.filters.http.ext_authz": disableExtAuthz,
-		},
-	}, nil
-}
-
 func (b *Builder) buildControlPlanePathRoute(path string, protected bool) *envoy_config_route_v3.Route {
 	r := &envoy_config_route_v3.Route{
 		Name: "pomerium-path-" + path,