mirror of
https://github.com/pomerium/pomerium.git
synced 2025-08-06 10:21:05 +02:00
refactor to share more authorize check logic
should restore authorize log entries for ssh auth
This commit is contained in:
parent
3e6f4464af
commit
1da95d334c
7 changed files with 101 additions and 76 deletions
|
@ -12,6 +12,8 @@ import (
|
||||||
"github.com/rs/zerolog"
|
"github.com/rs/zerolog"
|
||||||
oteltrace "go.opentelemetry.io/otel/trace"
|
oteltrace "go.opentelemetry.io/otel/trace"
|
||||||
"golang.org/x/sync/errgroup"
|
"golang.org/x/sync/errgroup"
|
||||||
|
"google.golang.org/grpc/codes"
|
||||||
|
"google.golang.org/grpc/status"
|
||||||
|
|
||||||
"github.com/pomerium/datasource/pkg/directory"
|
"github.com/pomerium/datasource/pkg/directory"
|
||||||
"github.com/pomerium/pomerium/authorize/evaluator"
|
"github.com/pomerium/pomerium/authorize/evaluator"
|
||||||
|
@ -19,11 +21,16 @@ import (
|
||||||
"github.com/pomerium/pomerium/config"
|
"github.com/pomerium/pomerium/config"
|
||||||
"github.com/pomerium/pomerium/internal/atomicutil"
|
"github.com/pomerium/pomerium/internal/atomicutil"
|
||||||
"github.com/pomerium/pomerium/internal/log"
|
"github.com/pomerium/pomerium/internal/log"
|
||||||
|
"github.com/pomerium/pomerium/internal/sessions"
|
||||||
"github.com/pomerium/pomerium/internal/telemetry/metrics"
|
"github.com/pomerium/pomerium/internal/telemetry/metrics"
|
||||||
"github.com/pomerium/pomerium/internal/telemetry/trace"
|
"github.com/pomerium/pomerium/internal/telemetry/trace"
|
||||||
|
"github.com/pomerium/pomerium/pkg/contextutil"
|
||||||
"github.com/pomerium/pomerium/pkg/cryptutil"
|
"github.com/pomerium/pomerium/pkg/cryptutil"
|
||||||
"github.com/pomerium/pomerium/pkg/grpc/databroker"
|
"github.com/pomerium/pomerium/pkg/grpc/databroker"
|
||||||
|
"github.com/pomerium/pomerium/pkg/grpc/user"
|
||||||
|
"github.com/pomerium/pomerium/pkg/policy/criteria"
|
||||||
"github.com/pomerium/pomerium/pkg/storage"
|
"github.com/pomerium/pomerium/pkg/storage"
|
||||||
|
"github.com/pomerium/pomerium/pkg/telemetry/requestid"
|
||||||
)
|
)
|
||||||
|
|
||||||
// Authorize struct holds
|
// Authorize struct holds
|
||||||
|
@ -180,3 +187,66 @@ func (a *Authorize) OnConfigChange(ctx context.Context, cfg *config.Config) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type evaluateResult struct {
|
||||||
|
// Overall allow/deny result.
|
||||||
|
Allowed bool
|
||||||
|
|
||||||
|
// Reasons for the overall result.
|
||||||
|
Reasons criteria.Reasons
|
||||||
|
|
||||||
|
// Reason detail traces. (Populated only if enabled by the policy.)
|
||||||
|
Traces []contextutil.PolicyEvaluationTrace
|
||||||
|
}
|
||||||
|
|
||||||
|
func (a *Authorize) evaluate(
|
||||||
|
ctx context.Context,
|
||||||
|
req *evaluator.Request,
|
||||||
|
sessionState *sessions.State,
|
||||||
|
) (*evaluator.Result, error) {
|
||||||
|
querier := storage.NewCachingQuerier(
|
||||||
|
storage.NewQuerier(a.state.Load().dataBrokerClient),
|
||||||
|
a.globalCache,
|
||||||
|
)
|
||||||
|
ctx = storage.WithQuerier(ctx, querier)
|
||||||
|
|
||||||
|
requestID := requestid.FromContext(ctx)
|
||||||
|
|
||||||
|
state := a.state.Load()
|
||||||
|
|
||||||
|
var s sessionOrServiceAccount
|
||||||
|
var u *user.User
|
||||||
|
var err error
|
||||||
|
if sessionState != nil {
|
||||||
|
s, err = a.getDataBrokerSessionOrServiceAccount(ctx, sessionState.ID, sessionState.DatabrokerRecordVersion)
|
||||||
|
if status.Code(err) == codes.Unavailable {
|
||||||
|
log.Ctx(ctx).Debug().Str("request-id", requestID).Err(err).Msg("temporary error checking authorization: data broker unavailable")
|
||||||
|
return nil, err
|
||||||
|
} else if err != nil {
|
||||||
|
log.Ctx(ctx).Info().Err(err).Str("request-id", requestID).Msg("missing or invalid session or service account")
|
||||||
|
sessionState = nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if sessionState != nil && s != nil {
|
||||||
|
u, _ = a.getDataBrokerUser(ctx, s.GetUserId()) // ignore any missing user error
|
||||||
|
}
|
||||||
|
|
||||||
|
res, err := state.evaluator.Evaluate(ctx, req)
|
||||||
|
if err != nil {
|
||||||
|
log.Ctx(ctx).Error().Err(err).Str("request-id", requestID).Msg("error during OPA evaluation")
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
a.logAuthorizeCheck(ctx, req, res, s, u)
|
||||||
|
|
||||||
|
/*result := &evaluateResult{
|
||||||
|
Allowed: res.Allow.Value && !res.Deny.Value,
|
||||||
|
}
|
||||||
|
|
||||||
|
// if show error details is enabled, attach the policy evaluation traces
|
||||||
|
if req.Policy != nil && req.Policy.ShowErrorDetails {
|
||||||
|
result.Traces = res.Traces
|
||||||
|
}*/
|
||||||
|
|
||||||
|
return res, nil
|
||||||
|
}
|
||||||
|
|
|
@ -38,6 +38,7 @@ type RequestHTTP struct {
|
||||||
Method string `json:"method"`
|
Method string `json:"method"`
|
||||||
Hostname string `json:"hostname"`
|
Hostname string `json:"hostname"`
|
||||||
Path string `json:"path"`
|
Path string `json:"path"`
|
||||||
|
Query string `json:"-"`
|
||||||
URL string `json:"url"`
|
URL string `json:"url"`
|
||||||
Headers map[string]string `json:"headers"`
|
Headers map[string]string `json:"headers"`
|
||||||
ClientCertificate ClientCertificateInfo `json:"client_certificate"`
|
ClientCertificate ClientCertificateInfo `json:"client_certificate"`
|
||||||
|
|
|
@ -31,6 +31,10 @@ type PolicyResponse struct {
|
||||||
Traces []contextutil.PolicyEvaluationTrace
|
Traces []contextutil.PolicyEvaluationTrace
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (r *PolicyResponse) Allowed() bool {
|
||||||
|
return r.Allow.Value && !r.Deny.Value
|
||||||
|
}
|
||||||
|
|
||||||
// NewPolicyResponse creates a new PolicyResponse.
|
// NewPolicyResponse creates a new PolicyResponse.
|
||||||
func NewPolicyResponse() *PolicyResponse {
|
func NewPolicyResponse() *PolicyResponse {
|
||||||
return &PolicyResponse{
|
return &PolicyResponse{
|
||||||
|
|
|
@ -17,12 +17,7 @@ import (
|
||||||
"github.com/pomerium/pomerium/internal/log"
|
"github.com/pomerium/pomerium/internal/log"
|
||||||
"github.com/pomerium/pomerium/internal/sessions"
|
"github.com/pomerium/pomerium/internal/sessions"
|
||||||
"github.com/pomerium/pomerium/internal/urlutil"
|
"github.com/pomerium/pomerium/internal/urlutil"
|
||||||
"github.com/pomerium/pomerium/pkg/contextutil"
|
|
||||||
"github.com/pomerium/pomerium/pkg/grpc/user"
|
|
||||||
"github.com/pomerium/pomerium/pkg/storage"
|
|
||||||
"github.com/pomerium/pomerium/pkg/telemetry/requestid"
|
"github.com/pomerium/pomerium/pkg/telemetry/requestid"
|
||||||
"google.golang.org/grpc/codes"
|
|
||||||
"google.golang.org/grpc/status"
|
|
||||||
"google.golang.org/protobuf/types/known/structpb"
|
"google.golang.org/protobuf/types/known/structpb"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -31,12 +26,6 @@ func (a *Authorize) Check(ctx context.Context, in *envoy_service_auth_v3.CheckRe
|
||||||
ctx, span := a.tracer.Start(ctx, "authorize.grpc.Check")
|
ctx, span := a.tracer.Start(ctx, "authorize.grpc.Check")
|
||||||
defer span.End()
|
defer span.End()
|
||||||
|
|
||||||
querier := storage.NewCachingQuerier(
|
|
||||||
storage.NewQuerier(a.state.Load().dataBrokerClient),
|
|
||||||
a.globalCache,
|
|
||||||
)
|
|
||||||
ctx = storage.WithQuerier(ctx, querier)
|
|
||||||
|
|
||||||
state := a.state.Load()
|
state := a.state.Load()
|
||||||
|
|
||||||
// convert the incoming envoy-style http request into a go-style http request
|
// convert the incoming envoy-style http request into a go-style http request
|
||||||
|
@ -46,45 +35,21 @@ func (a *Authorize) Check(ctx context.Context, in *envoy_service_auth_v3.CheckRe
|
||||||
|
|
||||||
sessionState, _ := state.sessionStore.LoadSessionStateAndCheckIDP(hreq)
|
sessionState, _ := state.sessionStore.LoadSessionStateAndCheckIDP(hreq)
|
||||||
|
|
||||||
var s sessionOrServiceAccount
|
|
||||||
var u *user.User
|
|
||||||
var err error
|
|
||||||
if sessionState != nil {
|
|
||||||
s, err = a.getDataBrokerSessionOrServiceAccount(ctx, sessionState.ID, sessionState.DatabrokerRecordVersion)
|
|
||||||
if status.Code(err) == codes.Unavailable {
|
|
||||||
log.Ctx(ctx).Debug().Str("request-id", requestID).Err(err).Msg("temporary error checking authorization: data broker unavailable")
|
|
||||||
return nil, err
|
|
||||||
} else if err != nil {
|
|
||||||
log.Ctx(ctx).Info().Err(err).Str("request-id", requestID).Msg("clearing session due to missing or invalid session or service account")
|
|
||||||
sessionState = nil
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if sessionState != nil && s != nil {
|
|
||||||
u, _ = a.getDataBrokerUser(ctx, s.GetUserId()) // ignore any missing user error
|
|
||||||
}
|
|
||||||
|
|
||||||
req, err := a.getEvaluatorRequestFromCheckRequest(ctx, in, sessionState)
|
req, err := a.getEvaluatorRequestFromCheckRequest(ctx, in, sessionState)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Ctx(ctx).Error().Err(err).Str("request-id", requestID).Msg("error building evaluator request")
|
log.Ctx(ctx).Error().Err(err).Str("request-id", requestID).Msg("error building evaluator request")
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
res, err := state.evaluator.Evaluate(ctx, req)
|
res, err := a.evaluate(ctx, req, sessionState)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Ctx(ctx).Error().Err(err).Str("request-id", requestID).Msg("error during OPA evaluation")
|
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
// if show error details is enabled, attach the policy evaluation traces
|
|
||||||
if req.Policy != nil && req.Policy.ShowErrorDetails {
|
|
||||||
ctx = contextutil.WithPolicyEvaluationTraces(ctx, res.Traces)
|
|
||||||
}
|
|
||||||
|
|
||||||
resp, err := a.handleResult(ctx, in, req, res)
|
resp, err := a.handleResult(ctx, in, req, res)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Ctx(ctx).Error().Err(err).Str("request-id", requestID).Msg("grpc check ext_authz_error")
|
log.Ctx(ctx).Error().Err(err).Str("request-id", requestID).Msg("grpc check ext_authz_error")
|
||||||
}
|
}
|
||||||
a.logAuthorizeCheck(ctx, in, res, s, u)
|
|
||||||
return resp, err
|
return resp, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -2,9 +2,7 @@ package authorize
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
"strings"
|
|
||||||
|
|
||||||
envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
|
|
||||||
"github.com/go-jose/go-jose/v3/jwt"
|
"github.com/go-jose/go-jose/v3/jwt"
|
||||||
"github.com/rs/zerolog"
|
"github.com/rs/zerolog"
|
||||||
"go.opentelemetry.io/otel/attribute"
|
"go.opentelemetry.io/otel/attribute"
|
||||||
|
@ -21,19 +19,19 @@ import (
|
||||||
|
|
||||||
func (a *Authorize) logAuthorizeCheck(
|
func (a *Authorize) logAuthorizeCheck(
|
||||||
ctx context.Context,
|
ctx context.Context,
|
||||||
in *envoy_service_auth_v3.CheckRequest,
|
in *evaluator.Request,
|
||||||
res *evaluator.Result, s sessionOrServiceAccount, u *user.User,
|
res *evaluator.Result, s sessionOrServiceAccount, u *user.User,
|
||||||
) {
|
) {
|
||||||
ctx, span := a.tracer.Start(ctx, "authorize.grpc.LogAuthorizeCheck")
|
ctx, span := a.tracer.Start(ctx, "authorize.grpc.LogAuthorizeCheck")
|
||||||
defer span.End()
|
defer span.End()
|
||||||
|
|
||||||
hdrs := getCheckRequestHeaders(in)
|
hdrs := in.HTTP.Headers
|
||||||
impersonateDetails := a.getImpersonateDetails(ctx, s)
|
impersonateDetails := a.getImpersonateDetails(ctx, s)
|
||||||
|
|
||||||
evt := log.Ctx(ctx).Info().Str("service", "authorize")
|
evt := log.Ctx(ctx).Info().Str("service", "authorize")
|
||||||
fields := a.currentOptions.Load().GetAuthorizeLogFields()
|
fields := a.currentOptions.Load().GetAuthorizeLogFields()
|
||||||
for _, field := range fields {
|
for _, field := range fields {
|
||||||
evt = populateLogEvent(ctx, field, evt, in, s, u, hdrs, impersonateDetails, res)
|
evt = populateLogEvent(ctx, field, evt, in, s, u, impersonateDetails, res)
|
||||||
}
|
}
|
||||||
evt = log.HTTPHeaders(evt, fields, hdrs)
|
evt = log.HTTPHeaders(evt, fields, hdrs)
|
||||||
|
|
||||||
|
@ -134,22 +132,19 @@ func populateLogEvent(
|
||||||
ctx context.Context,
|
ctx context.Context,
|
||||||
field log.AuthorizeLogField,
|
field log.AuthorizeLogField,
|
||||||
evt *zerolog.Event,
|
evt *zerolog.Event,
|
||||||
in *envoy_service_auth_v3.CheckRequest,
|
in *evaluator.Request,
|
||||||
s sessionOrServiceAccount,
|
s sessionOrServiceAccount,
|
||||||
u *user.User,
|
u *user.User,
|
||||||
hdrs map[string]string,
|
|
||||||
impersonateDetails *impersonateDetails,
|
impersonateDetails *impersonateDetails,
|
||||||
res *evaluator.Result,
|
res *evaluator.Result,
|
||||||
) *zerolog.Event {
|
) *zerolog.Event {
|
||||||
path, query, _ := strings.Cut(in.GetAttributes().GetRequest().GetHttp().GetPath(), "?")
|
|
||||||
|
|
||||||
switch field {
|
switch field {
|
||||||
case log.AuthorizeLogFieldCheckRequestID:
|
case log.AuthorizeLogFieldCheckRequestID:
|
||||||
return evt.Str(string(field), hdrs["X-Request-Id"])
|
return evt.Str(string(field), in.HTTP.Headers["X-Request-Id"])
|
||||||
case log.AuthorizeLogFieldEmail:
|
case log.AuthorizeLogFieldEmail:
|
||||||
return evt.Str(string(field), u.GetEmail())
|
return evt.Str(string(field), u.GetEmail())
|
||||||
case log.AuthorizeLogFieldHost:
|
case log.AuthorizeLogFieldHost:
|
||||||
return evt.Str(string(field), in.GetAttributes().GetRequest().GetHttp().GetHost())
|
return evt.Str(string(field), in.HTTP.Hostname)
|
||||||
case log.AuthorizeLogFieldIDToken:
|
case log.AuthorizeLogFieldIDToken:
|
||||||
if s, ok := s.(*session.Session); ok {
|
if s, ok := s.(*session.Session); ok {
|
||||||
evt = evt.Str(string(field), s.GetIdToken().GetRaw())
|
evt = evt.Str(string(field), s.GetIdToken().GetRaw())
|
||||||
|
@ -180,13 +175,13 @@ func populateLogEvent(
|
||||||
}
|
}
|
||||||
return evt
|
return evt
|
||||||
case log.AuthorizeLogFieldIP:
|
case log.AuthorizeLogFieldIP:
|
||||||
return evt.Str(string(field), in.GetAttributes().GetSource().GetAddress().GetSocketAddress().GetAddress())
|
return evt.Str(string(field), in.HTTP.IP)
|
||||||
case log.AuthorizeLogFieldMethod:
|
case log.AuthorizeLogFieldMethod:
|
||||||
return evt.Str(string(field), in.GetAttributes().GetRequest().GetHttp().GetMethod())
|
return evt.Str(string(field), in.HTTP.Method)
|
||||||
case log.AuthorizeLogFieldPath:
|
case log.AuthorizeLogFieldPath:
|
||||||
return evt.Str(string(field), path)
|
return evt.Str(string(field), in.HTTP.Path)
|
||||||
case log.AuthorizeLogFieldQuery:
|
case log.AuthorizeLogFieldQuery:
|
||||||
return evt.Str(string(field), query)
|
return evt.Str(string(field), in.HTTP.Query)
|
||||||
case log.AuthorizeLogFieldRequestID:
|
case log.AuthorizeLogFieldRequestID:
|
||||||
return evt.Str(string(field), requestid.FromContext(ctx))
|
return evt.Str(string(field), requestid.FromContext(ctx))
|
||||||
case log.AuthorizeLogFieldServiceAccountID:
|
case log.AuthorizeLogFieldServiceAccountID:
|
||||||
|
|
|
@ -6,8 +6,6 @@ import (
|
||||||
"strings"
|
"strings"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
envoy_config_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
|
|
||||||
envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
|
|
||||||
"github.com/rs/zerolog"
|
"github.com/rs/zerolog"
|
||||||
"github.com/stretchr/testify/assert"
|
"github.com/stretchr/testify/assert"
|
||||||
|
|
||||||
|
@ -24,27 +22,18 @@ func Test_populateLogEvent(t *testing.T) {
|
||||||
ctx := context.Background()
|
ctx := context.Background()
|
||||||
ctx = requestid.WithValue(ctx, "REQUEST-ID")
|
ctx = requestid.WithValue(ctx, "REQUEST-ID")
|
||||||
|
|
||||||
checkRequest := &envoy_service_auth_v3.CheckRequest{
|
request := &evaluator.Request{
|
||||||
Attributes: &envoy_service_auth_v3.AttributeContext{
|
HTTP: evaluator.RequestHTTP{
|
||||||
Request: &envoy_service_auth_v3.AttributeContext_Request{
|
Method: "GET",
|
||||||
Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
|
Hostname: "HOST",
|
||||||
Host: "HOST",
|
Path: "/some/path",
|
||||||
Path: "https://www.example.com/some/path?a=b",
|
Query: "a=b",
|
||||||
Method: "GET",
|
Headers: map[string]string{
|
||||||
},
|
"X-Request-Id": "CHECK-REQUEST-ID",
|
||||||
},
|
|
||||||
Source: &envoy_service_auth_v3.AttributeContext_Peer{
|
|
||||||
Address: &envoy_config_core_v3.Address{
|
|
||||||
Address: &envoy_config_core_v3.Address_SocketAddress{
|
|
||||||
SocketAddress: &envoy_config_core_v3.SocketAddress{
|
|
||||||
Address: "127.0.0.1",
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
},
|
||||||
|
IP: "127.0.0.1",
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
headers := map[string]string{"X-Request-Id": "CHECK-REQUEST-ID"}
|
|
||||||
s := &session.Session{
|
s := &session.Session{
|
||||||
Id: "SESSION-ID",
|
Id: "SESSION-ID",
|
||||||
IdToken: &session.IDToken{
|
IdToken: &session.IDToken{
|
||||||
|
@ -86,7 +75,7 @@ func Test_populateLogEvent(t *testing.T) {
|
||||||
{log.AuthorizeLogFieldImpersonateUserID, s, `{"impersonate-user-id":"IMPERSONATE-USER-ID"}`},
|
{log.AuthorizeLogFieldImpersonateUserID, s, `{"impersonate-user-id":"IMPERSONATE-USER-ID"}`},
|
||||||
{log.AuthorizeLogFieldIP, s, `{"ip":"127.0.0.1"}`},
|
{log.AuthorizeLogFieldIP, s, `{"ip":"127.0.0.1"}`},
|
||||||
{log.AuthorizeLogFieldMethod, s, `{"method":"GET"}`},
|
{log.AuthorizeLogFieldMethod, s, `{"method":"GET"}`},
|
||||||
{log.AuthorizeLogFieldPath, s, `{"path":"https://www.example.com/some/path"}`},
|
{log.AuthorizeLogFieldPath, s, `{"path":"/some/path"}`},
|
||||||
{log.AuthorizeLogFieldQuery, s, `{"query":"a=b"}`},
|
{log.AuthorizeLogFieldQuery, s, `{"query":"a=b"}`},
|
||||||
{log.AuthorizeLogFieldRemovedGroupsCount, s, `{"removed-groups-count":42}`},
|
{log.AuthorizeLogFieldRemovedGroupsCount, s, `{"removed-groups-count":42}`},
|
||||||
{log.AuthorizeLogFieldRequestID, s, `{"request-id":"REQUEST-ID"}`},
|
{log.AuthorizeLogFieldRequestID, s, `{"request-id":"REQUEST-ID"}`},
|
||||||
|
@ -104,7 +93,7 @@ func Test_populateLogEvent(t *testing.T) {
|
||||||
var buf bytes.Buffer
|
var buf bytes.Buffer
|
||||||
log := zerolog.New(&buf)
|
log := zerolog.New(&buf)
|
||||||
evt := log.Log()
|
evt := log.Log()
|
||||||
evt = populateLogEvent(ctx, tc.field, evt, checkRequest, tc.s, u, headers, impersonateDetails, res)
|
evt = populateLogEvent(ctx, tc.field, evt, request, tc.s, u, impersonateDetails, res)
|
||||||
evt.Send()
|
evt.Send()
|
||||||
|
|
||||||
assert.Equal(t, tc.expect, strings.TrimSpace(buf.String()))
|
assert.Equal(t, tc.expect, strings.TrimSpace(buf.String()))
|
||||||
|
|
|
@ -169,7 +169,7 @@ func (a *Authorize) ManageStream(
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
res, err := a.state.Load().evaluator.Evaluate(ctx, req)
|
res, err := a.evaluate(ctx, req, &sessions.State{ID: session.Id})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -310,7 +310,7 @@ func (a *Authorize) ManageStream(
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
res, err := a.state.Load().evaluator.Evaluate(ctx, req)
|
res, err := a.evaluate(ctx, req, sessionState.Load())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -406,7 +406,7 @@ func (a *Authorize) getEvaluatorRequestFromSSHAuthRequest(
|
||||||
func handleEvaluatorResponseForSSH(
|
func handleEvaluatorResponseForSSH(
|
||||||
result *evaluator.Result, state *StreamState,
|
result *evaluator.Result, state *StreamState,
|
||||||
) *extensions_ssh.ServerMessage {
|
) *extensions_ssh.ServerMessage {
|
||||||
fmt.Printf(" *** evaluator result: %+v\n", result)
|
//fmt.Printf(" *** evaluator result: %+v\n", result)
|
||||||
|
|
||||||
// TODO: ideally there would be a way to keep this in sync with the logic in check_response.go
|
// TODO: ideally there would be a way to keep this in sync with the logic in check_response.go
|
||||||
allow := result.Allow.Value && !result.Deny.Value
|
allow := result.Allow.Value && !result.Deny.Value
|
||||||
|
@ -440,6 +440,7 @@ func handleEvaluatorResponseForSSH(
|
||||||
// XXX: do we want to send an equivalent to the "show error details" output
|
// XXX: do we want to send an equivalent to the "show error details" output
|
||||||
// in the case of a deny result?
|
// in the case of a deny result?
|
||||||
|
|
||||||
|
// XXX: this is not quite right -- needs to exactly match the last list of methods
|
||||||
methods := []string{"publickey"}
|
methods := []string{"publickey"}
|
||||||
if slices.Contains(state.MethodsAuthenticated, "keyboard-interactive") {
|
if slices.Contains(state.MethodsAuthenticated, "keyboard-interactive") {
|
||||||
methods = append(methods, "keyboard-interactive")
|
methods = append(methods, "keyboard-interactive")
|
||||||
|
|
Loading…
Add table
Add a link
Reference in a new issue