Fix issue with path matching logic

Author: philipgough

authentication/oidc.go

@@ -327,25 +327,31 @@ func (a oidcAuthenticator) Middleware() Middleware {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			// Check if OIDC is required for this path
+			level.Debug(a.logger).Log("msg", "OIDC middleware checking path", "path", r.URL.Path, "pathMatchers", len(a.pathMatchers))
 			if len(a.pathMatchers) > 0 {
 				shouldEnforceOIDC := false
 
 				for _, matcher := range a.pathMatchers {
 					regexMatches := matcher.Regex.MatchString(r.URL.Path)
+					level.Debug(a.logger).Log("msg", "OIDC path pattern check", "path", r.URL.Path, "operator", matcher.Operator, "pattern", matcher.Regex.String(), "matches", regexMatches)
 
 					if matcher.Operator == "=~" && regexMatches {
 						// Positive match - enforce OIDC
+						level.Debug(a.logger).Log("msg", "OIDC positive match - enforcing", "path", r.URL.Path)
 						shouldEnforceOIDC = true
 						break
 					} else if matcher.Operator == "!~" && !regexMatches {
 						// Negative match - enforce OIDC (path does NOT match pattern)
+						level.Debug(a.logger).Log("msg", "OIDC negative match - enforcing", "path", r.URL.Path)
 						shouldEnforceOIDC = true
 						break
 					}
 				}
 
+				level.Debug(a.logger).Log("msg", "OIDC enforcement decision", "path", r.URL.Path, "shouldEnforceOIDC", shouldEnforceOIDC)
 				// If no patterns matched requirements, skip OIDC enforcement
 				if !shouldEnforceOIDC {
+					level.Debug(a.logger).Log("msg", "OIDC skipping enforcement", "path", r.URL.Path)
 					next.ServeHTTP(w, r)
 					return
 				}

main.go

@@ -238,11 +238,10 @@ type tenant struct {
 		IssuerRawCA   []byte `json:"issuerCA"`
 		IssuerCAPath  string `json:"issuerCAPath"`
 		issuerCA      *x509.Certificate
-		IssuerURL     string   `json:"issuerURL"`
-		RedirectURL   string   `json:"redirectURL"`
-		UsernameClaim string   `json:"usernameClaim"`
-		Paths         []string `json:"paths"`
-		pathMatchers  []*regexp.Regexp
+		IssuerURL     string                       `json:"issuerURL"`
+		RedirectURL   string                       `json:"redirectURL"`
+		UsernameClaim string                       `json:"usernameClaim"`
+		Paths         []authentication.PathPattern `json:"paths"`
 		config        map[string]interface{}
 	} `json:"oidc"`
 	OpenShift *struct {
@@ -258,12 +257,11 @@ type tenant struct {
 	} `json:"authenticator"`
 
 	MTLS *struct {
-		RawCA        []byte   `json:"ca"`
-		CAPath       string   `json:"caPath"`
-		Paths        []string `json:"paths"`
-		cas          []*x509.Certificate
-		pathMatchers []*regexp.Regexp
-		config       map[string]interface{}
+		RawCA  []byte                       `json:"ca"`
+		CAPath string                       `json:"caPath"`
+		Paths  []authentication.PathPattern `json:"paths"`
+		cas    []*x509.Certificate
+		config map[string]interface{}
 	} `json:"mTLS"`
 	OPA *struct {
 		Query           string   `json:"query"`
@@ -368,23 +366,8 @@ func main() {
 					continue
 				}
 
-				// Compile OIDC path matchers
-				for _, pathPattern := range t.OIDC.Paths {
-					matcher, err := regexp.Compile(pathPattern)
-					if err != nil {
-						skip.Log("msg", "failed to compile OIDC path pattern", "pattern", pathPattern, "err", err, "tenant", t.Name)
-						skippedTenants.WithLabelValues(t.Name).Inc()
-						tenantsCfg.Tenants[i] = nil
-						break
-					}
-					t.OIDC.pathMatchers = append(t.OIDC.pathMatchers, matcher)
-				}
-				if tenantsCfg.Tenants[i] == nil {
-					continue
-				}
-
 				// Add path patterns to the config that will be passed to the authenticator
-				oidcConfig["pathPatterns"] = t.OIDC.Paths
+				oidcConfig["paths"] = t.OIDC.Paths
 				t.OIDC.config = oidcConfig
 			}
 
@@ -397,23 +380,8 @@ func main() {
 					continue
 				}
 
-				// Compile mTLS path matchers
-				for _, pathPattern := range t.MTLS.Paths {
-					matcher, err := regexp.Compile(pathPattern)
-					if err != nil {
-						skip.Log("msg", "failed to compile mTLS path pattern", "pattern", pathPattern, "err", err, "tenant", t.Name)
-						skippedTenants.WithLabelValues(t.Name).Inc()
-						tenantsCfg.Tenants[i] = nil
-						break
-					}
-					t.MTLS.pathMatchers = append(t.MTLS.pathMatchers, matcher)
-				}
-				if tenantsCfg.Tenants[i] == nil {
-					continue
-				}
-
 				// Add path patterns to the config that will be passed to the authenticator
-				mTLSConfig["pathPatterns"] = t.MTLS.Paths
+				mTLSConfig["paths"] = t.MTLS.Paths
 				t.MTLS.config = mTLSConfig
 			}
 
@@ -1605,7 +1573,6 @@ func tenantAuthenticatorConfig(t *tenant) (map[string]interface{}, string, error
 	}
 }
 
-
 type otelErrorHandler struct {
 	logger log.Logger
 }

test/kind/extract-config.sh

@@ -31,12 +31,15 @@ tenants:
     redirectURL: http://localhost:8080/oidc/auth-tenant/callback
     usernameClaim: email
     paths:
-    - "!^/api/(logs|metrics)/v1/auth-tenant/(loki/api/v1/push|api/v1/receive)"
+    - operator: "!~"
+      pattern: ".*(loki/api/v1/push|api/v1/receive).*"
   mTLS:
     caPath: /etc/certs/ca.crt
     paths:
-    - "^/api/metrics/v1/auth-tenant/api/v1/receive.*"
-    - "^/api/logs/v1/auth-tenant/loki/api/v1/push.*"
+    - operator: "=~"
+      pattern: ".*(api/v1/receive).*"
+    - operator: "=~"
+      pattern: ".*(loki/api/v1/push).*"
 EOF
 
 # Generate RBAC configuration

test/kind/testdata/admin-client.crt

@@ -1,21 +1,21 @@
 -----BEGIN CERTIFICATE-----
-MIIDdDCCAlygAwIBAgIQISXA9OIYkpj2FSjsrxRs0zANBgkqhkiG9w0BAQsFADBH
+MIIDdDCCAlygAwIBAgIQZwWAT+xXMnHkHRiyDqr1TTANBgkqhkiG9w0BAQsFADBH
 MSowEgYDVQQLEwtEZXZlbG9wbWVudDAUBgNVBAsTDU9ic2VydmF0b3JpdW0xGTAX
-BgNVBAMTEE9ic2VydmF0b3JpdW0gQ0EwHhcNMjYwNDA5MTUwNjQ3WhcNMjYwNzA4
-MTUwNjQ3WjBEMSswEwYDVQQLEwxBZG1pbiBDbGllbnQwFAYDVQQLEw1PYnNlcnZh
+BgNVBAMTEE9ic2VydmF0b3JpdW0gQ0EwHhcNMjYwNDA5MTYxNzIwWhcNMjYwNzA4
+MTYxNzIwWjBEMSswEwYDVQQLEwxBZG1pbiBDbGllbnQwFAYDVQQLEw1PYnNlcnZh
 dG9yaXVtMRUwEwYDVQQDEwxhZG1pbi1jbGllbnQwggEiMA0GCSqGSIb3DQEBAQUA
-A4IBDwAwggEKAoIBAQDYVrY4uE7tyhhcdNkTOATicOYLbIKU742dfUYkD39eoa1o
-PZ72dd+smlzZdRfY94uyZZnaPbCa/WqdgeP2WmPQFw5pA3e3CKgYkSoo8CjgAMaJ
-PB7mcfGqyzu6otWSqTvbki6VogJqzng+oZSuNsiNEvC2ck7z/NQwkl7rvQOYttjb
-UUrEp3yGcTwja7dbrZPCIWGOL9K+voBTQ3z/mFrAx7JJBmcHLF5YmvwkIJYGRazn
-fiHNvznSO+gY7Gccpf5R6dNeV0fGMhc4+EJnza54HVUgJUk+rM16yzhictrYbXrY
-hV2tjmQwBPCEy9Kz2qPiOjU8WZ4ImDSvZrjoH6brAgMBAAGjXzBdMBMGA1UdJQQM
-MAoGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU4U8ywddzvSa/
-DJdyObCu+QXwip4wFwYDVR0RBBAwDoIMYWRtaW4tY2xpZW50MA0GCSqGSIb3DQEB
-CwUAA4IBAQCK46fCwAJuunj5nVUo2JAdfReZG176u6hqSd0T4XFT7B4YKLOmJXIR
-edWTpn79ooS52WRW41igfT6ko1eiZd7PjBbvMYofSajIXtgvORnX7JGxYs5Qev8r
-yxq0H4KrwUSygNWL00OXy/zAl7+VtJhzoGzdKoLf5pxi1QCxolh4URBF8caqb5/D
-u1YY7M3vlUVJFC7vObcorXr6kuPd/ywZnZALecOMMlwKds02R51xz+EakbNZnp6G
-sFCL1V3NIGkoH5dvSRkubvjUIHb1YZhaxk9iafsbxNUvYct9Glf0xyQkkQ+KlTgj
-69oWFJXWm0RJFVSMYi8oX8NgWEwifSsv
+A4IBDwAwggEKAoIBAQCxu5gX+vfEsnVKodrZNYBrIYjCJ+rK9+A4DOO8t4P4ZLjp
+oTubyRZsTNSk/UUNvlGmAhkZRdN8TqZWKoYb/F3/lljD4fGk6IhajFs9qZvUBEFZ
+F/+u8jk73pRSl2/nAgsiiRXh4kwzGniFwpO1mfQkBJZXtE0NLTMCWFG0ImHGtNQp
+/K/fPUdo69irOsqtmfYFCK0DZQ/zdtFeRAhbw/nv82OvVr16FdB4KUU7KMizjHdk
+jgoLH6EWGB7VYX3cl2p+Y6c94yfWWKhIQQ59HDwobM0t9vyFTlljI6Qm9hf8hlDZ
+PuKwK/2AIc8OLHSmUvI9t8KItguYqGmZ5o3EGbedAgMBAAGjXzBdMBMGA1UdJQQM
+MAoGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUoz7Q2xINENmG
+IyzlZmtAuTYAuuYwFwYDVR0RBBAwDoIMYWRtaW4tY2xpZW50MA0GCSqGSIb3DQEB
+CwUAA4IBAQCBbvc/v9jAfVW10h5NRKJe+Ppx9wwpE+eLQiK/BQs3X0KzLdwMH1nn
+tk5E2VzKmg2YlgCAx0Jf0bCEnI1PAt2HNKNmgreEYpicg/+EFr5xpaPfCvK4YCoT
+4i3lqXEa9FsosXEcXe7XsbPta6yVE2bISqi2zMM/PPdML2ws9bwDBrXSiMZ9bfCD
+zEVH4KuspLNzj2Gk0A7sTCx5kHGnHgFpikw97t9pvHL9VeaQPPxWddzLAylvUobq
+3cYLy/D5N3GmPxUm5HA9JDqgkjJRjVXygH1ZW3YIa1FTyIhEJ+Pje8yqdNPVP3hc
+V0XQe0C47IPgHPGJXUB1p+VZnJ/M+BbI
 -----END CERTIFICATE-----

test/kind/testdata/admin-client.key

@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEA2Fa2OLhO7coYXHTZEzgE4nDmC2yClO+NnX1GJA9/XqGtaD2e
-9nXfrJpc2XUX2PeLsmWZ2j2wmv1qnYHj9lpj0BcOaQN3twioGJEqKPAo4ADGiTwe
-5nHxqss7uqLVkqk725IulaICas54PqGUrjbIjRLwtnJO8/zUMJJe670DmLbY21FK
-xKd8hnE8I2u3W62TwiFhji/Svr6AU0N8/5hawMeySQZnByxeWJr8JCCWBkWs534h
-zb850jvoGOxnHKX+UenTXldHxjIXOPhCZ82ueB1VICVJPqzNess4YnLa2G162IVd
-rY5kMATwhMvSs9qj4jo1PFmeCJg0r2a46B+m6wIDAQABAoIBAQCfEBJm3czatW73
-+8nngZbFz3C1EZFpZEDhfMxnkyV5NLLFJBmO6NgOlmiSUq+4DTqfbmiSuCzzqEQN
-jwVHiuo8g9dKiwwofarqdUFkXEARg0B2gsfNdBXWGBvQfA1ACkJCjNbHmhjg4vIy
-SqeA+DK41yY5Xw6CAnEZTWWROqY8T0orMOJzomTHredE9qrFGtwVgrj2e5LOuUuQ
-j+jj8AZAnCcB8916Sd4lg1YCOI/YQYi2lg50BPMhkKw9BuhNYz01NnKKPiTKULB4
-evooLet+ryRfkHyciZ5uT6Lzd51RVkkW5wcyA3bhhXyy8BKoaMMmzucqqGTf3OkZ
-ONkpfmIhAoGBAPILMH3r6BaiR6qx3qUVARbL4GtjUjjhEMGyCGJnVdo+iJWrAWm3
-mARtLycGcuMc3JFDuQunV0NuMDkz0NJdOM5FfQyUsuOqboNtn2+H4VrXhmEKrMxj
-O8Gom7HVITRzP8zSvM82IJHmMk/xbusZkwG+SAiQmIrW/QT13ExhyWppAoGBAOTQ
-FzUPChfQk3I1689Ilp1TQSELp9xu3Wi5NGxhR1MwC6pJUa08f+UVwYTdKwluSSF2
-PEyNWVtfbLHqCClE8uq/JcSFUQzA+4bo9pEASbn6vluX+qC5McQnB6QzsJ3Qvg6E
-WoolpBzqpfTdi8ahEpUl0NerV5Zq0KNfNrQgzVQzAoGBAJ9OzBDlN3HGR8NKpQ8k
-nv3hHImx6okzYXMLecdC2lf19rIDxr9NLoojTvixnuZqtaYK2/2Wm7HvEWBlAVmk
-L+JcDC0+peuA3pI0kc63sZS37GNswkUYP1l8X1WRwPQjsudeARWlO5Sr3YuOjgHB
-aGeqVQEGItCnJgugwumnJwmZAoGADVOVVnDGzLZIMCm1zz/SDd2weGU+ZJdMa/IF
-fJ550f2FYGieyjEw3b3TpJJhFE6JEdraDjdZUfoP0Zjo2sZ6Q3PYlkaRfuWqgKQG
-4FEc+ikBd0I1xbCjlmITjtu32Kk0uJG62DrzAQAlpEpW/r2Y4HjwXe9LzaXw+uLr
-w7f5XYMCgYEAjWqZMr0Kq2SkhWqErKPQedQfvjkWC/IGg0doKJ0MmijvG3drbRdF
-QCeGFPWFbs2/027tknHdqzov6EucD12p1cv04Dm2X1Gttn26rUK5pFTeim635mYI
-xxt0bT75MogZGFGv+KvNe1kR1SUuF15YgquK4ppJ/bvX3fB44iHur7c=
+MIIEogIBAAKCAQEAsbuYF/r3xLJ1SqHa2TWAayGIwifqyvfgOAzjvLeD+GS46aE7
+m8kWbEzUpP1FDb5RpgIZGUXTfE6mViqGG/xd/5ZYw+HxpOiIWoxbPamb1ARBWRf/
+rvI5O96UUpdv5wILIokV4eJMMxp4hcKTtZn0JASWV7RNDS0zAlhRtCJhxrTUKfyv
+3z1HaOvYqzrKrZn2BQitA2UP83bRXkQIW8P57/Njr1a9ehXQeClFOyjIs4x3ZI4K
+Cx+hFhge1WF93JdqfmOnPeMn1lioSEEOfRw8KGzNLfb8hU5ZYyOkJvYX/IZQ2T7i
+sCv9gCHPDix0plLyPbfCiLYLmKhpmeaNxBm3nQIDAQABAoIBACWHJNA7b8GapOWD
+U4B1qY31YLkOUKdWu4NaRWP9o+H48opyPvHf/doURvoneEM0omzZGI+bjNI8kSa0
+h+i02uwyxL9nn+xgJRppdIKKo5qa42l6hcRc5PTdRJhD3Z77cXpzU6mEbO6Fcllc
+AnBf94r7ZPtT2MkleBXQrD/K2rZn8hhHhUeNnayJjmODCnXZdoINqj589ScTyYzX
+ufEfNZwFURY2OCwSlnytoECc9eHB6veMOwjzw87J6SQS1lsC6omMy5VpTN7HLcJu
+7ZepjGxxt3f4cx/DwXRiiwQs+WwctYvfKh1bfdTxbZ0ETOM0/33jbTGATbk14pHe
+/GRbIQkCgYEA3VrfkJmfZPj4HX5PP7vtjH298HmXmWd5EPAsIrSY8dUCsC7FVrEb
+MnIUA/cq5edjccJFLP0BAAOg/ICk+gstlQdP3rwpvxsDF/L6h6DHC685MT5XaHuP
+6TdIk696bS2+0xePhZodP/VG1UqS/pDT9yhKeKrkLvSOA/rpa4gpensCgYEAzYzk
+QxFR3V2T2SAXf64AsMxw4KWkGq0gHNfjdEVIbssT+nBpeMxn51Ve+lU/g5WW7y9g
++feI/SdgFa1svGSl7fNCmoyo5u+To533iEF37iucZL0L5IuPIVKYJKe7Dg62SvIH
+wX5K6qyAbWqd+huHcNZAbNBcegJZJvw8Zesj5scCgYAy8nN6aKFTMCqLP0MmPC7U
+oyxQaOwHltU6nMzLwB1jq89OlbU92s2TssYAk6b/+13cFQau8ByG0E8BTuqp0mDP
+aDtt3IkPPzxbCsW26b5mZhIXz2120tmwp9TAiSb4cgr1svqJmYsZ6W5AMUXb6aGf
+xVo+o7aZSBhXuix3X4OMeQKBgHeBncjcjgMs/+OyA9eI+//OrSX/R/z2gQAkCKs2
+CNnZmkD2EGxaM2LNQM48uBOx6jIgErriTzQYK4YO8XRK9Cn3T9b5Rs4VpnnvQtZm
+cer4UhJD02FKPqo6EhjlqByRMy05sIav/bCZIIX9AeJDFSjmeEiLj+ij6t9+sUL0
+RkhLAoGABswJ7kNEBK46suK+gdrL8+YqDtaqMXAcaZcWWI/1yBrCAy8Pqm5Oo8k9
+PQO6Iqs/HSmgmnLpSmtZIrS9JUh1NbYTAUeM/Kwi/BCxjGyFiU1nOdaiR+lJkE3f
+pTWoJA3S5NGl5TTpJeTytRUWdiWDinLXy6GO/YgvPRxKZP9EWLs=
 -----END RSA PRIVATE KEY-----

test/kind/testdata/ca.crt

@@ -1,21 +1,21 @@
 -----BEGIN CERTIFICATE-----
-MIIDdzCCAl+gAwIBAgIQeKbBOk1XnoyvsmTA2VZvWDANBgkqhkiG9w0BAQsFADBH
+MIIDdzCCAl+gAwIBAgIQBLSr/dkALdFTTl/S72cxRDANBgkqhkiG9w0BAQsFADBH
 MSowEgYDVQQLEwtEZXZlbG9wbWVudDAUBgNVBAsTDU9ic2VydmF0b3JpdW0xGTAX
-BgNVBAMTEE9ic2VydmF0b3JpdW0gQ0EwHhcNMjYwNDA5MTUwNjQyWhcNMjcwNDA5
-MTUwNjQyWjBHMSowEgYDVQQLEwtEZXZlbG9wbWVudDAUBgNVBAsTDU9ic2VydmF0
+BgNVBAMTEE9ic2VydmF0b3JpdW0gQ0EwHhcNMjYwNDA5MTYxNzE2WhcNMjcwNDA5
+MTYxNzE2WjBHMSowEgYDVQQLEwtEZXZlbG9wbWVudDAUBgNVBAsTDU9ic2VydmF0
 b3JpdW0xGTAXBgNVBAMTEE9ic2VydmF0b3JpdW0gQ0EwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQC218YfiRVaJsFgLsR/QWpWy7LLmWYY7u6lhr7Jy5ez
-5H4ZC484TDC+YyeNm9sHufuPaoAuS0r3JaYqmjvXdVEXbXajibkjvzL7152M/aov
-yUoQ9fd5H4yHrBeFCPzcoc1wi9bUvRDlEVcDpjHDoER6DAx6vTeElYwsO8TfuRZ+
-fcd/Lbnz7hKr3y3m132OvBNCMOwDiVNFg3+Wawu6jsRux8N6XnBbe0XIpdPkIxhD
-RPYdRRNgi44VOyytV6/Diklr8I+b6fWuItIB1pMCf4RhpX0cLEXQxhxLhEhatIlP
-UW7ks94vQwApzI2OdcVkWnMNQNPVxLrvxCLuNlGN82r7AgMBAAGjXzBdMA4GA1Ud
-DwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBThTzLB13O9Jr8M
-l3I5sK75BfCKnjAbBgNVHREEFDASghBvYnNlcnZhdG9yaXVtLWNhMA0GCSqGSIb3
-DQEBCwUAA4IBAQB/McIv7+RPRDLPq2X5PYiQ4OdbLx5ciPcF3WfAcbRUMjBT9Azv
-2MYNZDYkA91YY1V/719+7xoWXTpudg5N45KKBObPJtDs7oQdaKFJ7itH38JHvowf
-C6TCGIU4oI7q/GVhUSCPTlW6z7np/8jeQDH3mlXit7V3LvsHt0T5BExifln1MbXp
-O1cnekN4mwog9FX4ooCZek5UtcXC8TBkmGdIUWI86caSNemWqDLInbDWwzi+YhGz
-2S2A5GUzCxTkkk3cLWU4PbOvBmY9s5ZgHMBCBkD3Z2+KUYzsuPry9JZc1Pjik/fK
-/VU2/JK1jb6IRWsJCW8qS17X3Bo0WXAep/ve
+AQUAA4IBDwAwggEKAoIBAQCeSLo0uKPeaUZLkqn5uPxLpTYqK/ZEWHnXFEpO7v5i
+jH3B98sn/N8tZA1uF0KZAHRaP1XHPKtD7ywOxgq2dKXc+vT0Pq/HTGGAlzjnf/hi
+0ZmyxL7pnOoZWkGuiwBQ8QNLxHc8hkvVghGpmX9+LbaYGd11QBfAAATia8PVWBQD
+/Y5qW9f8cQJ69kIpYpem1HKm+QHkR65nc+szjGrtkS3FNIMohc7ti0dqMu/PDlky
+wR1JbsWeob9E/txlwAtpmG1LvNzrPNKYCtyamO8kL286kM9WsOQr/pu3YMGWoWv4
+sQlDZrYjX/jn7l1Bn1w+e0EQs5+7mV0L+BuNarlQdB15AgMBAAGjXzBdMA4GA1Ud
+DwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSjPtDbEg0Q2YYj
+LOVma0C5NgC65jAbBgNVHREEFDASghBvYnNlcnZhdG9yaXVtLWNhMA0GCSqGSIb3
+DQEBCwUAA4IBAQBfZTvAnkq5BDoKIXuQlVLjPHHf/ie+WlNXUm22bUWn4SBn9Kvv
+3zHHEJOOj+KjVrJYde2bQfK+jU8g4nLQOundCETIGuomv4XzgaSrAW99CqdzDS4v
+XRRK9D8cxpAf45AW4riRg4tjRJoYCnJRz9LYZcmAUC2Uh1rwmjRluWiki+/5XaMf
+tuZcbN8ccTr1fwjq3ClWwPeRUtB4WEc7hvwnqifVGFmPEZ3/qkWC+OijZtmWNDmb
+Lh3Rz5cdImS6oIqhXDhiTE6/o6XvdtbBtCsqlxCqfFX6qWhXywl2KGL//qa2IB1d
+4Fst62fvGCtIOSf2DWuRfXSoKpvZpzJsy3yw
 -----END CERTIFICATE-----

test/kind/testdata/observatorium-api.yaml

@@ -15,12 +15,15 @@ data:
         redirectURL: http://localhost:8080/oidc/auth-tenant/callback
         usernameClaim: email
         paths:
-        - "!^/api/(logs|metrics)/v1/auth-tenant/(loki/api/v1/push|api/v1/receive)"
+        - operator: "!~"
+          pattern: ".*(loki/api/v1/push|api/v1/receive).*"
       mTLS:
         caPath: /etc/certs/ca.crt
         paths:
-        - "^/api/metrics/v1/auth-tenant/api/v1/receive.*"
-        - "^/api/logs/v1/auth-tenant/loki/api/v1/push.*"
+        - operator: "=~"
+          pattern: ".*(api/v1/receive).*"
+        - operator: "=~"
+          pattern: ".*(loki/api/v1/push).*"
 ---
 # CA Certificate ConfigMap
 apiVersion: v1
@@ -31,25 +34,25 @@ metadata:
 data:
   ca.crt: |
     -----BEGIN CERTIFICATE-----
-    MIIDdzCCAl+gAwIBAgIQeKbBOk1XnoyvsmTA2VZvWDANBgkqhkiG9w0BAQsFADBH
+    MIIDdzCCAl+gAwIBAgIQBLSr/dkALdFTTl/S72cxRDANBgkqhkiG9w0BAQsFADBH
     MSowEgYDVQQLEwtEZXZlbG9wbWVudDAUBgNVBAsTDU9ic2VydmF0b3JpdW0xGTAX
-    BgNVBAMTEE9ic2VydmF0b3JpdW0gQ0EwHhcNMjYwNDA5MTUwNjQyWhcNMjcwNDA5
-    MTUwNjQyWjBHMSowEgYDVQQLEwtEZXZlbG9wbWVudDAUBgNVBAsTDU9ic2VydmF0
+    BgNVBAMTEE9ic2VydmF0b3JpdW0gQ0EwHhcNMjYwNDA5MTYxNzE2WhcNMjcwNDA5
+    MTYxNzE2WjBHMSowEgYDVQQLEwtEZXZlbG9wbWVudDAUBgNVBAsTDU9ic2VydmF0
     b3JpdW0xGTAXBgNVBAMTEE9ic2VydmF0b3JpdW0gQ0EwggEiMA0GCSqGSIb3DQEB
-    AQUAA4IBDwAwggEKAoIBAQC218YfiRVaJsFgLsR/QWpWy7LLmWYY7u6lhr7Jy5ez
-    5H4ZC484TDC+YyeNm9sHufuPaoAuS0r3JaYqmjvXdVEXbXajibkjvzL7152M/aov
-    yUoQ9fd5H4yHrBeFCPzcoc1wi9bUvRDlEVcDpjHDoER6DAx6vTeElYwsO8TfuRZ+
-    fcd/Lbnz7hKr3y3m132OvBNCMOwDiVNFg3+Wawu6jsRux8N6XnBbe0XIpdPkIxhD
-    RPYdRRNgi44VOyytV6/Diklr8I+b6fWuItIB1pMCf4RhpX0cLEXQxhxLhEhatIlP
-    UW7ks94vQwApzI2OdcVkWnMNQNPVxLrvxCLuNlGN82r7AgMBAAGjXzBdMA4GA1Ud
-    DwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBThTzLB13O9Jr8M
-    l3I5sK75BfCKnjAbBgNVHREEFDASghBvYnNlcnZhdG9yaXVtLWNhMA0GCSqGSIb3
-    DQEBCwUAA4IBAQB/McIv7+RPRDLPq2X5PYiQ4OdbLx5ciPcF3WfAcbRUMjBT9Azv
-    2MYNZDYkA91YY1V/719+7xoWXTpudg5N45KKBObPJtDs7oQdaKFJ7itH38JHvowf
-    C6TCGIU4oI7q/GVhUSCPTlW6z7np/8jeQDH3mlXit7V3LvsHt0T5BExifln1MbXp
-    O1cnekN4mwog9FX4ooCZek5UtcXC8TBkmGdIUWI86caSNemWqDLInbDWwzi+YhGz
-    2S2A5GUzCxTkkk3cLWU4PbOvBmY9s5ZgHMBCBkD3Z2+KUYzsuPry9JZc1Pjik/fK
-    /VU2/JK1jb6IRWsJCW8qS17X3Bo0WXAep/ve
+    AQUAA4IBDwAwggEKAoIBAQCeSLo0uKPeaUZLkqn5uPxLpTYqK/ZEWHnXFEpO7v5i
+    jH3B98sn/N8tZA1uF0KZAHRaP1XHPKtD7ywOxgq2dKXc+vT0Pq/HTGGAlzjnf/hi
+    0ZmyxL7pnOoZWkGuiwBQ8QNLxHc8hkvVghGpmX9+LbaYGd11QBfAAATia8PVWBQD
+    /Y5qW9f8cQJ69kIpYpem1HKm+QHkR65nc+szjGrtkS3FNIMohc7ti0dqMu/PDlky
+    wR1JbsWeob9E/txlwAtpmG1LvNzrPNKYCtyamO8kL286kM9WsOQr/pu3YMGWoWv4
+    sQlDZrYjX/jn7l1Bn1w+e0EQs5+7mV0L+BuNarlQdB15AgMBAAGjXzBdMA4GA1Ud
+    DwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSjPtDbEg0Q2YYj
+    LOVma0C5NgC65jAbBgNVHREEFDASghBvYnNlcnZhdG9yaXVtLWNhMA0GCSqGSIb3
+    DQEBCwUAA4IBAQBfZTvAnkq5BDoKIXuQlVLjPHHf/ie+WlNXUm22bUWn4SBn9Kvv
+    3zHHEJOOj+KjVrJYde2bQfK+jU8g4nLQOundCETIGuomv4XzgaSrAW99CqdzDS4v
+    XRRK9D8cxpAf45AW4riRg4tjRJoYCnJRz9LYZcmAUC2Uh1rwmjRluWiki+/5XaMf
+    tuZcbN8ccTr1fwjq3ClWwPeRUtB4WEc7hvwnqifVGFmPEZ3/qkWC+OijZtmWNDmb
+    Lh3Rz5cdImS6oIqhXDhiTE6/o6XvdtbBtCsqlxCqfFX6qWhXywl2KGL//qa2IB1d
+    4Fst62fvGCtIOSf2DWuRfXSoKpvZpzJsy3yw
     -----END CERTIFICATE-----
 ---
 # RBAC Configuration

test/kind/testdata/tenants.yaml

@@ -8,9 +8,12 @@ tenants:
     redirectURL: http://localhost:8080/oidc/auth-tenant/callback
     usernameClaim: email
     paths:
-    - "!^/api/(logs|metrics)/v1/auth-tenant/(loki/api/v1/push|api/v1/receive)"
+    - operator: "!~"
+      pattern: ".*(loki/api/v1/push|api/v1/receive).*"
   mTLS:
     caPath: /etc/certs/ca.crt
     paths:
-    - "^/api/metrics/v1/auth-tenant/api/v1/receive.*"
-    - "^/api/logs/v1/auth-tenant/loki/api/v1/push.*"
+    - operator: "=~"
+      pattern: ".*(api/v1/receive).*"
+    - operator: "=~"
+      pattern: ".*(loki/api/v1/push).*"

test/kind/testdata/test-client.crt

@@ -1,21 +1,21 @@
 -----BEGIN CERTIFICATE-----
-MIIDcjCCAlqgAwIBAgIRAJKxqNaVNXazsC2fAVY9tBMwDQYJKoZIhvcNAQELBQAw
-RzEqMBIGA1UECxMLRGV2ZWxvcG1lbnQwFAYDVQQLEw1PYnNlcnZhdG9yaXVtMRkw
-FwYDVQQDExBPYnNlcnZhdG9yaXVtIENBMB4XDTI2MDQwOTE1MDY0N1oXDTI2MDcw
-ODE1MDY0N1owQjEqMBIGA1UECxMLVGVzdCBDbGllbnQwFAYDVQQLEw1PYnNlcnZh
-dG9yaXVtMRQwEgYDVQQDEwt0ZXN0LWNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQAD
-ggEPADCCAQoCggEBAN+0fnV58kobNeddarnEg9W2+40YpZGIvcHwlP367T8g6ISq
-197BkeBuq4po04u7z2zdJrEYYmVJ/Zm3cyVXsySanVgZS9bDvlv4net9N8T9M0lL
-jozAOnD8O4qwXZR1pwQiSqFVGCmGiiUtbSboNTapDmyF7zB/i5P3Lioj8ouv2jYc
-cgpvUcSl2qe4oTv8QKzvWy0poBl9CvZP1/wEu5qvPv2BtCMjfzMhqERqYaNiulp6
-Y3b4vQI9+0201T9dHccNcx52qLDXRviTfSseQ7A1YuMwTZC+mP5XNtVj24I09iVs
-PFGTsIHN0yE0EPHVGZnjMgZSkhqpZG6c++h64xsCAwEAAaNeMFwwEwYDVR0lBAww
-CgYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBThTzLB13O9Jr8M
-l3I5sK75BfCKnjAWBgNVHREEDzANggt0ZXN0LWNsaWVudDANBgkqhkiG9w0BAQsF
-AAOCAQEAOtRZ+igQ0Jm5w9vvJldU2q/uGSuznz9HfhtLTMlFvmNcoWUcdk7xtX99
-uwLzyFxH/rNdmXLNoqPcypBoAONMvq+3Egqy6fUth3P2NTtR+ofSDnz8Rbeek+uA
-KE9vD0gcybzNWNIwVqDlBCYL5B2wVY9CyWHdNOiGmbPPYI/zuotsYy2PqtER/H4T
-aIF0teorkyz5uzyNQmA5HZc8KLiDB5ngisLkvAEWHBfWz0fTdxJsZ2mqGYF3TeIF
-GwVNNR7E95etbm7UKSP431OdJm77vvSpr6HZZYx0709053GzfGbg1yOeq2LQU1UF
-2Hdis00oLyWmcehRoylE0xx6TmLrMg==
+MIIDcTCCAlmgAwIBAgIQJFBcceRaZW45e9UrLXkE5DANBgkqhkiG9w0BAQsFADBH
+MSowEgYDVQQLEwtEZXZlbG9wbWVudDAUBgNVBAsTDU9ic2VydmF0b3JpdW0xGTAX
+BgNVBAMTEE9ic2VydmF0b3JpdW0gQ0EwHhcNMjYwNDA5MTYxNzIwWhcNMjYwNzA4
+MTYxNzIwWjBCMSowEgYDVQQLEwtUZXN0IENsaWVudDAUBgNVBAsTDU9ic2VydmF0
+b3JpdW0xFDASBgNVBAMTC3Rlc3QtY2xpZW50MIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAx8HSzr+sIGGz+/17uq8sAORubGG8R80Jng/Jcx1UvrEnPyb4
+fN+DNprdtfMDjZ6LljGhRDIpF6o7jgeBI40bgG54fytZWDPq6KTox6rEiRsrH7/D
+A61M6OeULq1VAo4nT+cmonVXHs60gRL45DFdQVZX8tenFkqlOtP2BYTQYzeG9NVh
+Bliz7V7BfyktkyF5iE+guXJCri6NgG73vYM1cnKeWOS0/qP0uruG8KceKzpB96SP
+XNFbUZjlR6auQTjr4XXntOLusFd8opv+VN7c4AlXxLvYgj4/VG+1aMiS34PKpcg+
+w4qmJLH5Q5PJX/bstNdcLzHzcYVcUWc7DfY3sQIDAQABo14wXDATBgNVHSUEDDAK
+BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFKM+0NsSDRDZhiMs
+5WZrQLk2ALrmMBYGA1UdEQQPMA2CC3Rlc3QtY2xpZW50MA0GCSqGSIb3DQEBCwUA
+A4IBAQArIqGmXMuD5mS7agc0/684/S6z1yvfpaAOVBMT1JobqEMX6t/HWM2fQOiu
+fc0uyDD4GJtTTk20HBqyLkhEynRuHz9fJVHen482/VP9Z1RXP44vsZcqHIHPzhZj
+M7rTNA2nmTQk9QqsKL1/rRVHDdiHRV13ab/vuX34DUwXN9LOhCNhrFr1KgjCSD87
+cgHrRBtDdYiQZ89KwD04ozGPUAMsNeErxPuqgEH3fDZukCpZKVsOxcgX2e1M9lbI
+Od1MjN/vnxu5VrBvw1026gkicLSrqGQOv4reZ+/DH6dFNYdL35LdiqqGlYHYyBxs
+aHLbrSP8Atuq/V0ZHUnWiQLXrajs
 -----END CERTIFICATE-----