3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-07-06 19:38:09 +02:00
Code Issues Projects Releases Packages Wiki Activity

authorize: refactor logAuthorizeCheck() (#5576)

Browse source 
Currently, policy evaluation and authorize logging are coupled to the
Envoy CheckRequest proto message (part of the ext_authz API). In the
context of ssh proxy authentication, we won't have a CheckRequest.
Instead, let's make the existing evaluator.Request type the source of
truth for the authorize log fields.

This way, whether we populate the evaluator.Request struct from an
ext_authz request or from an ssh proxy request, we can use the same
logAuthorizeCheck() method for logging.

Add some additional fields to evaluator.RequestHTTP for the authorize
log fields that are not currently represented in this struct.
This commit is contained in:
Kenneth Jenkins 2025-04-23 09:21:52 -07:00 committed by GitHub
parent 8738066ce4
commit 2e7d1c7f12
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
10 changed files with 326 additions and 258 deletions
Download patch file Download diff file Expand all files Collapse all files

44
authorize/checkrequest/checkrequest.go Normal file
View file

@ -0,0 +1,44 @@
// Package checkrequest contains helper functions for working with Envoy
// ext_authz CheckRequest messages.
package checkrequest
import (
"net/url"
"strings"
envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
"github.com/pomerium/pomerium/internal/httputil"
"github.com/pomerium/pomerium/internal/urlutil"
)
// GetURL converts the request URL from an ext_authz CheckRequest to a [url.URL].
func GetURL(req *envoy_service_auth_v3.CheckRequest) url.URL {
h := req.GetAttributes().GetRequest().GetHttp()
u := url.URL{
Scheme: h.GetScheme(),
Host: h.GetHost(),
}
u.Host = urlutil.GetDomainsForURL(&u, false)[0]
// envoy sends the query string as part of the path
path := h.GetPath()
if idx := strings.Index(path, "?"); idx != -1 {
u.RawPath, u.RawQuery = path[:idx], path[idx+1:]
u.RawQuery = u.Query().Encode()
} else {
u.RawPath = path
}
u.Path, _ = url.PathUnescape(u.RawPath)
return u
}
// GetHeaders returns the HTTP headers from an ext_authz CheckRequest, canonicalizing
// the header keys.
func GetHeaders(req *envoy_service_auth_v3.CheckRequest) map[string]string {
hdrs := make(map[string]string)
ch := req.GetAttributes().GetRequest().GetHttp().GetHeaders()
for k, v := range ch {
hdrs[httputil.CanonicalHeaderKey(k)] = v
}
return hdrs
}