Merge cd61532 into ffca3b3

pomerium · Nov 7, 2023 · 28f1478 · 28f1478
2 parents ffca3b3 + cd61532
commit 28f1478
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 20 deletions.
diff --git a/config/envoyconfig/listeners_test.go b/config/envoyconfig/listeners_test.go
@@ -445,6 +445,16 @@ func Test_getAllDomains(t *testing.T) {
 			assert.Equal(t, expect, actual)
 		})
 	})
+
+	t.Run("exclude default authenticate", func(t *testing.T) {
+		options := config.NewDefaultOptions()
+		options.Policies = []config.Policy{
+			{From: "https://a.example.com"},
+		}
+		actual, err := getAllRouteableHosts(options, ":443")
+		require.NoError(t, err)
+		assert.Equal(t, []string{"a.example.com", "a.example.com:443"}, actual)
+	})
 }
 
 func Test_urlMatchesHost(t *testing.T) {

diff --git a/config/options.go b/config/options.go
@@ -325,7 +325,6 @@ var defaultOptions = Options{
 	GRPCAddr:                 ":443",
 	GRPCClientTimeout:        10 * time.Second, // Try to withstand transient service failures for a single request
 	GRPCClientDNSRoundRobin:  true,
-	AuthenticateURLString:    "https://authenticate.pomerium.app",
 	AuthenticateCallbackPath: "/oauth2/callback",
 	TracingSampleRate:        0.0001,
 
@@ -806,17 +805,17 @@ func (o *Options) GetDeriveInternalDomain() string {
 
 // GetAuthenticateURL returns the AuthenticateURL in the options or 127.0.0.1.
 func (o *Options) GetAuthenticateURL() (*url.URL, error) {
-	rawurl := o.AuthenticateURLString
-	if rawurl == "" {
-		rawurl = "https://127.0.0.1"
+	rawURL := o.AuthenticateURLString
+	if rawURL == "" {
+		rawURL = "https://authenticate.pomerium.app"
 	}
-	return urlutil.ParseAndValidateURL(rawurl)
+	return urlutil.ParseAndValidateURL(rawURL)
 }
 
 // GetInternalAuthenticateURL returns the internal AuthenticateURL in the options or the AuthenticateURL.
 func (o *Options) GetInternalAuthenticateURL() (*url.URL, error) {
-	rawurl := o.AuthenticateInternalURLString
-	if rawurl == "" {
+	rawURL := o.AuthenticateInternalURLString
+	if rawURL == "" {
 		return o.GetAuthenticateURL()
 	}
 	return urlutil.ParseAndValidateURL(o.AuthenticateInternalURLString)
@@ -1210,17 +1209,21 @@ func (o *Options) GetAllRouteableGRPCHosts() ([]string, error) {
 func (o *Options) GetAllRouteableHTTPHosts() ([]string, error) {
 	hosts := sets.NewSorted[string]()
 	if IsAuthenticate(o.Services) {
-		authenticateURL, err := o.GetInternalAuthenticateURL()
-		if err != nil {
-			return nil, err
+		if o.AuthenticateInternalURLString != "" {
+			authenticateURL, err := o.GetInternalAuthenticateURL()
+			if err != nil {
+				return nil, err
+			}
+			hosts.Add(urlutil.GetDomainsForURL(authenticateURL)...)
 		}
-		hosts.Add(urlutil.GetDomainsForURL(authenticateURL)...)
 
-		authenticateURL, err = o.GetAuthenticateURL()
-		if err != nil {
-			return nil, err
+		if o.AuthenticateURLString != "" {
+			authenticateURL, err := o.GetAuthenticateURL()
+			if err != nil {
+				return nil, err
+			}
+			hosts.Add(urlutil.GetDomainsForURL(authenticateURL)...)
 		}
-		hosts.Add(urlutil.GetDomainsForURL(authenticateURL)...)
 	}
 
 	// policy urls

diff --git a/config/options_test.go b/config/options_test.go
@@ -411,7 +411,6 @@ func TestOptionsFromViper(t *testing.T) {
 				CookieSecure:             true,
 				InsecureServer:           true,
 				CookieHTTPOnly:           true,
-				AuthenticateURLString:    "https://authenticate.pomerium.app",
 				AuthenticateCallbackPath: "/oauth2/callback",
 				DataBrokerStorageType:    "memory",
 				EnvoyAdminAccessLogPath:  os.DevNull,
@@ -425,7 +424,6 @@ func TestOptionsFromViper(t *testing.T) {
 			&Options{
 				Policies:                 []Policy{{From: "https://from.example", To: mustParseWeightedURLs(t, "https://to.example")}},
 				CookieName:               "_pomerium",
-				AuthenticateURLString:    "https://authenticate.pomerium.app",
 				AuthenticateCallbackPath: "/oauth2/callback",
 				CookieSecure:             true,
 				CookieHTTPOnly:           true,
@@ -848,9 +846,7 @@ func TestOptions_DefaultURL(t *testing.T) {
 		f              func() (*url.URL, error)
 		expectedURLStr string
 	}{
-		{"default authenticate url", defaultOptions.GetAuthenticateURL, "https://127.0.0.1"},
-		{"default authorize url", defaultOptions.GetAuthenticateURL, "https://127.0.0.1"},
-		{"default databroker url", defaultOptions.GetAuthenticateURL, "https://127.0.0.1"},
+		{"default authenticate url", defaultOptions.GetAuthenticateURL, "https://authenticate.pomerium.app"},
 		{"good authenticate url", opts.GetAuthenticateURL, "https://authenticate.example.com"},
 		{"good authorize url", firstURL(opts.GetAuthorizeURLs), "https://authorize.example.com"},
 		{"good databroker url", firstURL(opts.GetDataBrokerURLs), "https://databroker.example.com"},