From 90195c4bdc2742a4ff117f8395b1b0aa14ba57c9 Mon Sep 17 00:00:00 2001
From: Marcel Ludwig <marcel.ludwig@avenga.com>
Date: Thu, 5 Jan 2023 13:41:46 +0100
Subject: [PATCH] #654

---
 CHANGELOG.md                           |  1 +
 server/http.go                         |  1 +
 server/http_test.go                    | 30 ++++++++++++++++++++++++++
 server/mux.go                          | 18 +++++++++-------
 server/mux_test.go                     |  1 +
 server/testdata/settings/22_couper.hcl | 18 ++++++++++++++++
 6 files changed, 61 insertions(+), 8 deletions(-)
 create mode 100644 server/testdata/settings/22_couper.hcl

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f39258aed..3527eb2a7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@ Unreleased changes are available as `avenga/couper:edge` container.
 * 
 * **Fixed**
   * [Endpoint sequences](https://docs.couper.io/configuration/block/endpoint#endpoint-sequence) not being terminated by errors (e.g. `unexpected_status`) (regression; since v1.11.0) ([#648](https://github.com/avenga/couper/pull/648))
+  * [Health route](https://docs.couper.io/observation/health) affected by [access control](https://docs.couper.io/configuration/access-control) (regression; since v1.11.0) ([#654](https://github.com/avenga/couper/pull/654))
 
 
 ## [1.11.0](https://github.com/avenga/couper/releases/tag/v1.11.0)
diff --git a/server/http.go b/server/http.go
index 9cf25ae53..a27412d0c 100644
--- a/server/http.go
+++ b/server/http.go
@@ -79,6 +79,7 @@ func New(cmdCtx, evalCtx context.Context, log logrus.FieldLogger, settings *conf
 	for host, muxOpts := range hosts {
 		mux := NewMux(muxOpts)
 		registerHandler(mux.endpointRoot, []string{http.MethodGet}, settings.HealthPath, handler.NewHealthCheck(settings.HealthPath, shutdownCh))
+		mux.RegisterConfigured()
 		muxersList[host] = mux
 
 		// TODO: refactor (hosts,muxOpts, etc) format type and usage
diff --git a/server/http_test.go b/server/http_test.go
index f56508657..7e425df91 100644
--- a/server/http_test.go
+++ b/server/http_test.go
@@ -913,3 +913,33 @@ func TestHTTPServer_RateLimiterBlock(t *testing.T) {
 
 	mu.Unlock()
 }
+
+func TestHTTPServer_HealthVsAccessControl(t *testing.T) {
+	helper := test.New(t)
+	client := newClient()
+
+	shutdown, _ := newCouper("testdata/settings/22_couper.hcl", helper)
+	defer shutdown()
+
+	// Call health route
+	req, err := http.NewRequest(http.MethodGet, "http://example.com:8080/healthz", nil)
+	helper.Must(err)
+
+	res, err := client.Do(req)
+	helper.Must(err)
+
+	if res.StatusCode != http.StatusOK {
+		t.Errorf("Expected status 200, got %d", res.StatusCode)
+	}
+
+	// Call other route
+	req, err = http.NewRequest(http.MethodGet, "http://example.com:8080/foo", nil)
+	helper.Must(err)
+
+	res, err = client.Do(req)
+	helper.Must(err)
+
+	if res.StatusCode != http.StatusUnauthorized {
+		t.Errorf("Expected status 401, got %d", res.StatusCode)
+	}
+}
diff --git a/server/mux.go b/server/mux.go
index 178e2e818..417578703 100644
--- a/server/mux.go
+++ b/server/mux.go
@@ -90,20 +90,22 @@ func NewMux(options *runtime.MuxOptions) *Mux {
 		spaRoot:      gmux.NewRouter(),
 	}
 
-	for _, path := range sortedPathPatterns(opts.EndpointRoutes) {
+	return mux
+}
+
+func (m *Mux) RegisterConfigured() {
+	for _, path := range sortedPathPatterns(m.opts.EndpointRoutes) {
 		// TODO: handle method option per endpoint configuration
-		mustAddRoute(mux.endpointRoot, path, opts.EndpointRoutes[path], true)
+		mustAddRoute(m.endpointRoot, path, m.opts.EndpointRoutes[path], true)
 	}
 
-	for _, path := range sortedPathPatterns(opts.FileRoutes) {
-		mustAddRoute(mux.fileRoot, utils.JoinOpenAPIPath(path, "/**"), opts.FileRoutes[path], false)
+	for _, path := range sortedPathPatterns(m.opts.FileRoutes) {
+		mustAddRoute(m.fileRoot, utils.JoinOpenAPIPath(path, "/**"), m.opts.FileRoutes[path], false)
 	}
 
-	for _, path := range sortedPathPatterns(opts.SPARoutes) {
-		mustAddRoute(mux.spaRoot, path, opts.SPARoutes[path], true)
+	for _, path := range sortedPathPatterns(m.opts.SPARoutes) {
+		mustAddRoute(m.spaRoot, path, m.opts.SPARoutes[path], true)
 	}
-
-	return mux
 }
 
 var noDefaultMethods []string
diff --git a/server/mux_test.go b/server/mux_test.go
index bfeb23b5d..f452e2a20 100644
--- a/server/mux_test.go
+++ b/server/mux_test.go
@@ -159,6 +159,7 @@ func TestMux_FindHandler_PathParamContext(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(subT *testing.T) {
 			mux := server.NewMux(testOptions)
+			mux.RegisterConfigured()
 
 			if got := mux.FindHandler(tt.req); reflect.DeepEqual(got, tt.want) {
 				subT.Errorf("FindHandler() = %v, want %v", got, tt.want)
diff --git a/server/testdata/settings/22_couper.hcl b/server/testdata/settings/22_couper.hcl
new file mode 100644
index 000000000..d4a24cb06
--- /dev/null
+++ b/server/testdata/settings/22_couper.hcl
@@ -0,0 +1,18 @@
+server {
+  access_control = ["ba"]
+
+  api {
+    endpoint "/**" {
+      response {
+        status = 204
+      }
+    }
+  }
+}
+
+definitions {
+  basic_auth "ba" {
+    user = "u"
+    password = "p"
+  }
+}