mirror of
https://github.com/pomerium/pomerium.git
synced 2025-05-28 08:27:26 +02:00
authorize: refactor logAuthorizeCheck() (#5576)
Currently, policy evaluation and authorize logging are coupled to the Envoy CheckRequest proto message (part of the ext_authz API). In the context of ssh proxy authentication, we won't have a CheckRequest. Instead, let's make the existing evaluator.Request type the source of truth for the authorize log fields. This way, whether we populate the evaluator.Request struct from an ext_authz request or from an ssh proxy request, we can use the same logAuthorizeCheck() method for logging. Add some additional fields to evaluator.RequestHTTP for the authorize log fields that are not currently represented in this struct.
This commit is contained in:
parent
8738066ce4
commit
2e7d1c7f12
10 changed files with 326 additions and 258 deletions
|
@ -2,26 +2,23 @@ package authorize
|
|||
|
||||
import (
|
||||
"context"
|
||||
"encoding/pem"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"strings"
|
||||
|
||||
envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
|
||||
"google.golang.org/grpc/codes"
|
||||
"google.golang.org/grpc/status"
|
||||
"google.golang.org/protobuf/types/known/structpb"
|
||||
|
||||
"github.com/pomerium/pomerium/authorize/checkrequest"
|
||||
"github.com/pomerium/pomerium/authorize/evaluator"
|
||||
"github.com/pomerium/pomerium/config"
|
||||
"github.com/pomerium/pomerium/config/envoyconfig"
|
||||
"github.com/pomerium/pomerium/internal/httputil"
|
||||
"github.com/pomerium/pomerium/internal/log"
|
||||
"github.com/pomerium/pomerium/internal/sessions"
|
||||
"github.com/pomerium/pomerium/internal/urlutil"
|
||||
"github.com/pomerium/pomerium/pkg/contextutil"
|
||||
"github.com/pomerium/pomerium/pkg/grpc/databroker"
|
||||
"github.com/pomerium/pomerium/pkg/grpc/user"
|
||||
|
@ -80,7 +77,7 @@ func (a *Authorize) Check(ctx context.Context, in *envoy_service_auth_v3.CheckRe
|
|||
if err != nil {
|
||||
log.Ctx(ctx).Error().Err(err).Str("request-id", requestID).Msg("grpc check ext_authz_error")
|
||||
}
|
||||
a.logAuthorizeCheck(ctx, in, res, s, u)
|
||||
a.logAuthorizeCheck(ctx, req, res, s, u)
|
||||
return resp, err
|
||||
}
|
||||
|
||||
|
@ -138,18 +135,10 @@ func (a *Authorize) getEvaluatorRequestFromCheckRequest(
|
|||
ctx context.Context,
|
||||
in *envoy_service_auth_v3.CheckRequest,
|
||||
) (*evaluator.Request, error) {
|
||||
requestURL := getCheckRequestURL(in)
|
||||
attrs := in.GetAttributes()
|
||||
clientCertMetadata := attrs.GetMetadataContext().GetFilterMetadata()["com.pomerium.client-certificate-info"]
|
||||
req := &evaluator.Request{
|
||||
IsInternal: envoyconfig.ExtAuthzContextExtensionsIsInternal(attrs.GetContextExtensions()),
|
||||
HTTP: evaluator.NewRequestHTTP(
|
||||
attrs.GetRequest().GetHttp().GetMethod(),
|
||||
requestURL,
|
||||
getCheckRequestHeaders(in),
|
||||
getClientCertificateInfo(ctx, clientCertMetadata),
|
||||
attrs.GetSource().GetAddress().GetSocketAddress().GetAddress(),
|
||||
),
|
||||
HTTP: evaluator.RequestHTTPFromCheckRequest(ctx, in),
|
||||
}
|
||||
req.Policy = a.getMatchingPolicy(envoyconfig.ExtAuthzContextExtensionsRouteID(attrs.GetContextExtensions()))
|
||||
return req, nil
|
||||
|
@ -185,7 +174,7 @@ func (a *Authorize) withQuerierForCheckRequest(ctx context.Context) context.Cont
|
|||
|
||||
func getHTTPRequestFromCheckRequest(req *envoy_service_auth_v3.CheckRequest) *http.Request {
|
||||
hattrs := req.GetAttributes().GetRequest().GetHttp()
|
||||
u := getCheckRequestURL(req)
|
||||
u := checkrequest.GetURL(req)
|
||||
hreq := &http.Request{
|
||||
Method: hattrs.GetMethod(),
|
||||
URL: &u,
|
||||
|
@ -208,57 +197,3 @@ func getCheckRequestHeaders(req *envoy_service_auth_v3.CheckRequest) map[string]
|
|||
}
|
||||
return hdrs
|
||||
}
|
||||
|
||||
func getCheckRequestURL(req *envoy_service_auth_v3.CheckRequest) url.URL {
|
||||
h := req.GetAttributes().GetRequest().GetHttp()
|
||||
u := url.URL{
|
||||
Scheme: h.GetScheme(),
|
||||
Host: h.GetHost(),
|
||||
}
|
||||
u.Host = urlutil.GetDomainsForURL(&u, false)[0]
|
||||
// envoy sends the query string as part of the path
|
||||
path := h.GetPath()
|
||||
if idx := strings.Index(path, "?"); idx != -1 {
|
||||
u.RawPath, u.RawQuery = path[:idx], path[idx+1:]
|
||||
u.RawQuery = u.Query().Encode()
|
||||
} else {
|
||||
u.RawPath = path
|
||||
}
|
||||
u.Path, _ = url.PathUnescape(u.RawPath)
|
||||
return u
|
||||
}
|
||||
|
||||
// getClientCertificateInfo translates from the client certificate Envoy
|
||||
// metadata to the ClientCertificateInfo type.
|
||||
func getClientCertificateInfo(
|
||||
ctx context.Context, metadata *structpb.Struct,
|
||||
) evaluator.ClientCertificateInfo {
|
||||
var c evaluator.ClientCertificateInfo
|
||||
if metadata == nil {
|
||||
return c
|
||||
}
|
||||
c.Presented = metadata.Fields["presented"].GetBoolValue()
|
||||
escapedChain := metadata.Fields["chain"].GetStringValue()
|
||||
if escapedChain == "" {
|
||||
// No validated client certificate.
|
||||
return c
|
||||
}
|
||||
|
||||
chain, err := url.QueryUnescape(escapedChain)
|
||||
if err != nil {
|
||||
log.Ctx(ctx).Error().Str("chain", escapedChain).Err(err).
|
||||
Msg(`received unexpected client certificate "chain" value`)
|
||||
return c
|
||||
}
|
||||
|
||||
// Split the chain into the leaf and any intermediate certificates.
|
||||
p, rest := pem.Decode([]byte(chain))
|
||||
if p == nil {
|
||||
log.Ctx(ctx).Error().Str("chain", escapedChain).
|
||||
Msg(`received unexpected client certificate "chain" value (no PEM block found)`)
|
||||
return c
|
||||
}
|
||||
c.Leaf = string(pem.EncodeToMemory(p))
|
||||
c.Intermediates = string(rest)
|
||||
return c
|
||||
}
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue