error message improvements

2025-08-01 07:50:26 +02:00 · 2025-04-08 18:34:53 +00:00 · 2025-04-08 18:34:53 +00:00 · 319a801e1d
commit 319a801e1d
parent f9950856cd
3 changed files with 38 additions and 21 deletions
--- a/authorize/ssh_grpc.go
+++ b/authorize/ssh_grpc.go
@ -6,6 +6,7 @@ import (
 	"context"
 	"crypto/sha256"
 	"encoding/binary"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
@ -378,7 +379,7 @@ func (a *Authorize) ManageStream(

 						token, err := authenticator.DeviceAccessToken(ctx, deviceAuthResp, &claims)
 						if err != nil {
-							errC <- err
+							errC <- status.Error(codes.Unavailable, err.Error())
 							return
 						}
 						s := sessions.NewState(idp.Id)
@ -387,7 +388,7 @@ func (a *Authorize) ManageStream(
 							Msg("device auth flow complete")
 						s.ID, err = getSessionIDForSSH(state.PublicKey)
 						if err != nil {
-							errC <- err
+							errC <- status.Error(codes.Unavailable, err.Error())
 							return
 						}
 						fmt.Println(token)
@ -702,9 +703,17 @@ func (a *Authorize) startContinuousAuthorization(
 ) {
 	recheck := func() {
 		// XXX: probably want to log the results of this evaluation only if it changes
-		res, _ := a.evaluate(ctx, req, &sessions.State{ID: session.Id})
-		if !res.Allow.Value || res.Deny.Value {
-			errC <- fmt.Errorf("no longer authorized")
+		res, err := a.evaluate(ctx, req, &sessions.State{ID: session.Id})
+		if err != nil {
+			if req.Policy.ShowErrorDetails {
+				errC <- status.Error(codes.Unavailable, err.Error())
+			} else {
+				errC <- status.Error(codes.Unavailable, "")
+			}
+		} else {
+			if !res.Allow.Value || res.Deny.Value {
+				errC <- status.Error(codes.PermissionDenied, "no longer authorized")
+			}
 		}
 	}

@ -725,7 +734,7 @@ func (a *Authorize) startContinuousAuthorization(
 		for {
 			select {
 			case <-a.sessionsCacheWarmer.cache.Wait(key):
-				errC <- fmt.Errorf("session expired")
+				errC <- status.Error(codes.PermissionDenied, "session expired")
 				return
 			case <-ticker.C:
 				recheck()
@ -1009,14 +1018,8 @@ func (a *Authorize) ServeChannel(
 						defer outputW.Close()
 						defer inputR.Close()
 						err := cmd.Execute()
-						if err != nil && !errors.Is(err, ErrHandoff) {
-							sendC <- &extensions_ssh.ChannelControl{
-								Protocol: "ssh",
-								ControlAction: marshalAny(&extensions_ssh.SSHChannelControlAction_Disconnect{
-									ReasonCode:  11,
-									Description: err.Error(),
-								}),
-							}
+						if !errors.Is(err, ErrHandoff) {
+							errC <- err
 						}
 					}()
 					go streamOutputToChannel(sendC, peerId, outputR)
@ -1066,7 +1069,11 @@ func (a *Authorize) ServeChannel(
 				panic("unhandled message: " + fmt.Sprint(rawMsg[1]))
 			}
 		case err := <-errC:
-			log.Ctx(ctx).Err(err).Msg("channel error")
+			if err != nil {
+				log.Ctx(ctx).Err(err).Msg("channel error")
+			} else {
+				log.Ctx(ctx).Info().Msg("channel closed")
+			}
 			return err
 		}
 	}
@ -1283,17 +1290,27 @@ func (a *Authorize) NewPortalCommand(
 				}
 				req, err := a.getEvaluatorRequestFromSSHAuthRequest(state)
 				if err != nil {
-					return err
+					log.Ctx(cmd.Context()).Err(err).Msg("error building evaluator request")
+					return status.Errorf(codes.Unavailable, "")
 				}
 				res, err := a.evaluate(cmd.Context(), req, &sessions.State{ID: state.Session.Id})
 				if err != nil {
-					return err
+					if req.Policy.ShowErrorDetails {
+						return status.Errorf(codes.Unavailable, err.Error())
+					} else {
+						return status.Errorf(codes.Unavailable, "")
+					}
 				}

 				if res.Allow.Value && !res.Deny.Value {
 					a.startContinuousAuthorization(state.Context, state.ErrorC, req, state.Session)
 				} else {
-					return fmt.Errorf("not authorized")
+					if req.Policy.ShowErrorDetails {
+						traces, _ := json.Marshal(res.Traces)
+						return status.Error(codes.PermissionDenied, string(traces))
+					} else {
+						return status.Error(codes.PermissionDenied, "")
+					}
 				}
 				extensions := []*corev3.TypedExtensionConfig{}
 				if ptyInfo != nil {
--- a/go.mod
+++ b/go.mod
@ -54,7 +54,7 @@ require (
 	github.com/pires/go-proxyproto v0.8.0
 	github.com/pomerium/csrf v1.7.0
 	github.com/pomerium/datasource v0.18.2-0.20221108160055-c6134b5ed524
-	github.com/pomerium/envoy-custom v1.33.1-0.20250401214540-6652772e4870
+	github.com/pomerium/envoy-custom v1.33.1-0.20250408182907-cdb062704690
 	github.com/pomerium/protoutil v0.0.0-20240813175624-47b7ac43ff46
 	github.com/pomerium/webauthn v0.0.0-20240603205124-0428df511172
 	github.com/prometheus/client_golang v1.21.0
--- a/go.sum
+++ b/go.sum
@ -548,8 +548,8 @@ github.com/pomerium/csrf v1.7.0 h1:Qp4t6oyEod3svQtKfJZs589mdUTWKVf7q0PgCKYCshY=
 github.com/pomerium/csrf v1.7.0/go.mod h1:hAPZV47mEj2T9xFs+ysbum4l7SF1IdrryYaY6PdoIqw=
 github.com/pomerium/datasource v0.18.2-0.20221108160055-c6134b5ed524 h1:3YQY1sb54tEEbr0L73rjHkpLB0IB6qh3zl1+XQbMLis=
 github.com/pomerium/datasource v0.18.2-0.20221108160055-c6134b5ed524/go.mod h1:7fGbUYJnU8RcxZJvUvhukOIBv1G7LWDAHMfDxAf5+Y0=
-github.com/pomerium/envoy-custom v1.33.1-0.20250401214540-6652772e4870 h1:BY+zgiOitHk1U6nJ4WhyXC/cBwsqn8QfU9YiVSitagc=
-github.com/pomerium/envoy-custom v1.33.1-0.20250401214540-6652772e4870/go.mod h1:6nr0BrchI8Y+A01k+HoPVGBhwgcpFhkJzsNJKOr9bKs=
+github.com/pomerium/envoy-custom v1.33.1-0.20250408182907-cdb062704690 h1:sNEfcUdZBlg42Z4D1EKRAzGcityBqizsWtAHGL4CfxQ=
+github.com/pomerium/envoy-custom v1.33.1-0.20250408182907-cdb062704690/go.mod h1:6nr0BrchI8Y+A01k+HoPVGBhwgcpFhkJzsNJKOr9bKs=
 github.com/pomerium/protoutil v0.0.0-20240813175624-47b7ac43ff46 h1:NRTg8JOXCxcIA1lAgD74iYud0rbshbWOB3Ou4+Huil8=
 github.com/pomerium/protoutil v0.0.0-20240813175624-47b7ac43ff46/go.mod h1:QqZmx6ZgPxz18va7kqoT4t/0yJtP7YFIDiT/W2n2fZ4=
 github.com/pomerium/webauthn v0.0.0-20240603205124-0428df511172 h1:TqoPqRgXSHpn+tEJq6H72iCS5pv66j3rPprThUEZg0E=