diff --git a/internal/outpost/proxyv2/application/mode_common.go b/internal/outpost/proxyv2/application/mode_common.go
index c683a0e15..1af549bda 100644
--- a/internal/outpost/proxyv2/application/mode_common.go
+++ b/internal/outpost/proxyv2/application/mode_common.go
@@ -123,8 +123,9 @@ func (a *Application) IsAllowlisted(u *url.URL) bool {
 } else {
 testString = u.String()
 }
- a.log.WithField("regex", u.String()).WithField("url", testString).Trace("Matching URL against allow list")
- if ur.MatchString(testString) {
+ match := ur.MatchString(testString)
+ a.log.WithField("match", match).WithField("regex", ur.String()).WithField("url", testString).Trace("Matching URL against allow list")
+ if match {
 return true
 }
 }
diff --git a/internal/outpost/proxyv2/application/mode_common_test.go b/internal/outpost/proxyv2/application/mode_common_test.go
new file mode 100644
index 000000000..360a2a042
--- /dev/null
+++ b/internal/outpost/proxyv2/application/mode_common_test.go
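Review bot: `match := ur.MatchString(testString)` is an unanchored search, and in the `else` branch kept as context `testString` is `u.String()`, which includes the query string along with scheme, host and path. An allowlist entry written without `^` is therefore satisfied by any URL that contains it anywhere, and going by the `UnauthenticatedRegex` field name this result presumably exempts the request from authentication. I would state that next to the call, `// MatchString is unanchored: an entry without ^ matches anywhere in testString, query string included.`, and it is worth checking whether that branch should match against the URL without its query. The unanchored `https://health.domain.tld/ping/*` entry in mode_common_test.go relies on the same behaviour. IsAllowlisted and the condition selecting the branch both start outside this hunk.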
@@ -0,0 +1,50 @@
+package application
+
+import (
+ "net/url"
+ "regexp"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+ "goauthentik.io/api"
+)
+
+func urlMustParse(u string) *url.URL {
+ ur, err := url.Parse(u)
+ if err != nil {
+ panic(err)
+ }
+ return ur
+}
+
+func TestIsAllowlisted_Proxy_Single(t *testing.T) {
+ a := newTestApplication()
+ a.proxyConfig.Mode = api.PROXYMODE_PROXY.Ptr()
+
+ assert.Equal(t, false, a.IsAllowlisted(urlMustParse("")))
+ a.UnauthenticatedRegex = []*regexp.Regexp{
+ regexp.MustCompile("^/foo"),
+ }
+ assert.Equal(t, true, a.IsAllowlisted(urlMustParse("http://some-host/foo")))
+}
+
+func TestIsAllowlisted_Proxy_Domain(t *testing.T) {
+ a := newTestApplication()
+ a.proxyConfig.Mode = api.PROXYMODE_FORWARD_DOMAIN.Ptr()
+
+ assert.Equal(t, false, a.IsAllowlisted(urlMustParse("")))
+ a.UnauthenticatedRegex = []*regexp.Regexp{
+ regexp.MustCompile("^/foo"),
+ }
+ assert.Equal(t, false, a.IsAllowlisted(urlMustParse("http://some-host/foo")))
+ a.UnauthenticatedRegex = []*regexp.Regexp{
+ regexp.MustCompile("^http://some-host/foo"),
+ }
+ assert.Equal(t, true, a.IsAllowlisted(urlMustParse("http://some-host/foo")))
+ a.UnauthenticatedRegex = []*regexp.Regexp{
+ regexp.MustCompile("https://health.domain.tld/ping/*"),
+ }
+ assert.Equal(t, false, a.IsAllowlisted(urlMustParse("http://some-host/foo")))
+ assert.Equal(t, false, a.IsAllowlisted(urlMustParse("https://health.domain.tld/")))
+ assert.Equal(t, true, a.IsAllowlisted(urlMustParse("https://health.domain.tld/ping/qq")))
+}
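Review bot: The last case in `TestIsAllowlisted_Proxy_Domain` uses `https://health.domain.tld/ping/*`, which reads like a glob but is compiled as a regexp, where `/*` means zero or more slashes and each `.` matches any character. The three assertions after it do not pin that boundary down, so the test passes while a reader can still assume the entry is limited to the `/ping/` subtree. I would either write the entry escaped and anchored, `regexp.MustCompile("^https://health\\.domain\\.tld/ping/")`, or keep it and add a near-miss case such as `assert.Equal(t, true, a.IsAllowlisted(urlMustParse("https://health.domain.tld/pingfoo")))` with a comment saying the match is expected regexp behaviour. `newTestApplication` is defined outside this file section.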