enhance policy validation by ensuring protected policies have authentication methods and defaulting to HTTPS in external URL construction

2026-03-17 14:26:18 +00:00 · 2026-03-16 21:05:16 -03:00
parent cf4674b933
commit 8418beb482
2 changed files with 9 additions and 0 deletions
--- a/containers/auth-gateway/auth_gateway/services/policy_engine.py
+++ b/containers/auth-gateway/auth_gateway/services/policy_engine.py
@@ -52,6 +52,13 @@ def build_effective_policy(runtime_config: RuntimeConfig, policy_name: str) -> E
    if policy.policy_type != "protected":
        return effective

+    if not policy.methods:
+        return EffectivePolicy(
+            name=policy_name,
+            mode="error",
+            error_message="Policy configuration error: protected policy has no authentication methods.",
+        )
+
    for method_name in policy.methods:
        method = runtime_config.auth_methods[method_name]
        if isinstance(method, IPAddressMethodModel):
--- a/containers/auth-gateway/auth_gateway/web/dependencies.py
+++ b/containers/auth-gateway/auth_gateway/web/dependencies.py
@@ -24,6 +24,8 @@ def get_session(request: Request) -> SessionRecord | None:

 def build_external_url(request: Request, path: str, **params: str) -> str:
    proto = request.headers.get("x-forwarded-proto", request.url.scheme)
+    if proto not in ("http", "https"):
+        proto = "https"
    host = request.headers.get("host", request.url.netloc)
    prefix = request.app.state.settings.external_path.rstrip("/")
    query = urlencode({key: value for key, value in params.items() if value is not None})