error message improvements

This commit is contained in:
Joe Kralicky 2025-04-08 18:34:53 +00:00
parent f9950856cd
commit 319a801e1d
No known key found for this signature in database
GPG key ID: 75C4875F34A9FB79
3 changed files with 38 additions and 21 deletions


@ -6,6 +6,7 @@ import (
"context" "context"
"crypto/sha256" "crypto/sha256"
"encoding/binary" "encoding/binary"
"encoding/json"
"errors" "errors"
"fmt" "fmt"
"io" "io"
@ -378,7 +379,7 @@ func (a *Authorize) ManageStream(
token, err := authenticator.DeviceAccessToken(ctx, deviceAuthResp, &claims) token, err := authenticator.DeviceAccessToken(ctx, deviceAuthResp, &claims)
if err != nil { if err != nil {
errC <- err errC <- status.Error(codes.Unavailable, err.Error())
return return
} }
s := sessions.NewState(idp.Id) s := sessions.NewState(idp.Id)
@ -387,7 +388,7 @@ func (a *Authorize) ManageStream(
Msg("device auth flow complete") Msg("device auth flow complete")
s.ID, err = getSessionIDForSSH(state.PublicKey) s.ID, err = getSessionIDForSSH(state.PublicKey)
if err != nil { if err != nil {
errC <- err errC <- status.Error(codes.Unavailable, err.Error())
return return
} }
fmt.Println(token) fmt.Println(token)
@ -702,9 +703,17 @@ func (a *Authorize) startContinuousAuthorization(
) { ) {
recheck := func() { recheck := func() {
// XXX: probably want to log the results of this evaluation only if it changes // XXX: probably want to log the results of this evaluation only if it changes
res, _ := a.evaluate(ctx, req, &sessions.State{ID: session.Id}) res, err := a.evaluate(ctx, req, &sessions.State{ID: session.Id})
if !res.Allow.Value || res.Deny.Value { if err != nil {
errC <- fmt.Errorf("no longer authorized") if req.Policy.ShowErrorDetails {
errC <- status.Error(codes.Unavailable, err.Error())
} else {
errC <- status.Error(codes.Unavailable, "")
}
} else {
if !res.Allow.Value || res.Deny.Value {
errC <- status.Error(codes.PermissionDenied, "no longer authorized")
}
} }
} }
@ -725,7 +734,7 @@ func (a *Authorize) startContinuousAuthorization(
for { for {
select { select {
case <-a.sessionsCacheWarmer.cache.Wait(key): case <-a.sessionsCacheWarmer.cache.Wait(key):
errC <- fmt.Errorf("session expired") errC <- status.Error(codes.PermissionDenied, "session expired")
return return
case <-ticker.C: case <-ticker.C:
recheck() recheck()
@ -1009,14 +1018,8 @@ func (a *Authorize) ServeChannel(
defer outputW.Close() defer outputW.Close()
defer inputR.Close() defer inputR.Close()
err := cmd.Execute() err := cmd.Execute()
if err != nil && !errors.Is(err, ErrHandoff) { if !errors.Is(err, ErrHandoff) {
sendC <- &extensions_ssh.ChannelControl{ errC <- err
Protocol: "ssh",
ControlAction: marshalAny(&extensions_ssh.SSHChannelControlAction_Disconnect{
ReasonCode: 11,
Description: err.Error(),
}),
}
} }
}() }()
go streamOutputToChannel(sendC, peerId, outputR) go streamOutputToChannel(sendC, peerId, outputR)
@ -1066,7 +1069,11 @@ func (a *Authorize) ServeChannel(
panic("unhandled message: " + fmt.Sprint(rawMsg[1])) panic("unhandled message: " + fmt.Sprint(rawMsg[1]))
} }
case err := <-errC: case err := <-errC:
log.Ctx(ctx).Err(err).Msg("channel error") if err != nil {
log.Ctx(ctx).Err(err).Msg("channel error")
} else {
log.Ctx(ctx).Info().Msg("channel closed")
}
return err return err
} }
} }
@ -1283,17 +1290,27 @@ func (a *Authorize) NewPortalCommand(
} }
req, err := a.getEvaluatorRequestFromSSHAuthRequest(state) req, err := a.getEvaluatorRequestFromSSHAuthRequest(state)
if err != nil { if err != nil {
return err log.Ctx(cmd.Context()).Err(err).Msg("error building evaluator request")
return status.Errorf(codes.Unavailable, "")
} }
res, err := a.evaluate(cmd.Context(), req, &sessions.State{ID: state.Session.Id}) res, err := a.evaluate(cmd.Context(), req, &sessions.State{ID: state.Session.Id})
if err != nil { if err != nil {
return err if req.Policy.ShowErrorDetails {
return status.Errorf(codes.Unavailable, err.Error())
} else {
return status.Errorf(codes.Unavailable, "")
}
} }
if res.Allow.Value && !res.Deny.Value { if res.Allow.Value && !res.Deny.Value {
a.startContinuousAuthorization(state.Context, state.ErrorC, req, state.Session) a.startContinuousAuthorization(state.Context, state.ErrorC, req, state.Session)
} else { } else {
return fmt.Errorf("not authorized") if req.Policy.ShowErrorDetails {
traces, _ := json.Marshal(res.Traces)
return status.Error(codes.PermissionDenied, string(traces))
} else {
return status.Error(codes.PermissionDenied, "")
}
} }
extensions := []*corev3.TypedExtensionConfig{} extensions := []*corev3.TypedExtensionConfig{}
if ptyInfo != nil { if ptyInfo != nil {
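Review bot: The two ManageStream paths at lines 24 and 32 forward `err.Error()` to the SSH client unconditionally, while the equivalent evaluator errors in startContinuousAuthorization and NewPortalCommand are gated on `req.Policy.ShowErrorDetails`; the DeviceAccessToken error may carry upstream IdP response text, so unless the policy is genuinely not reachable there (ManageStream starts and ends outside the hunk) the same gate should apply, or the detail should be logged and the client sent a fixed message such as `errC <- status.Error(codes.Unavailable, "device authentication failed")`. In NewPortalCommand, `return status.Errorf(codes.Unavailable, err.Error())` passes the error text as a format string, so a `%` in the message would be mangled and `go vet` flags the non-constant format; use `status.Error(codes.Unavailable, err.Error())` as the startContinuousAuthorization hunk does, and `status.Error(codes.Unavailable, "")` in place of the argument-less `Errorf` calls. The context line `fmt.Println(token)` left in ManageStream writes the freshly issued device access token to the process's stdout; that looks like a debugging leftover and is worth removing in this pass. The ignored error from `json.Marshal(res.Traces)` silently yields an empty PermissionDenied message on failure, which is acceptable but deserves a one-line comment saying so.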

2
go.mod

@ -54,7 +54,7 @@ require (
github.com/pires/go-proxyproto v0.8.0 github.com/pires/go-proxyproto v0.8.0
github.com/pomerium/csrf v1.7.0 github.com/pomerium/csrf v1.7.0
github.com/pomerium/datasource v0.18.2-0.20221108160055-c6134b5ed524 github.com/pomerium/datasource v0.18.2-0.20221108160055-c6134b5ed524
github.com/pomerium/envoy-custom v1.33.1-0.20250401214540-6652772e4870 github.com/pomerium/envoy-custom v1.33.1-0.20250408182907-cdb062704690
github.com/pomerium/protoutil v0.0.0-20240813175624-47b7ac43ff46 github.com/pomerium/protoutil v0.0.0-20240813175624-47b7ac43ff46
github.com/pomerium/webauthn v0.0.0-20240603205124-0428df511172 github.com/pomerium/webauthn v0.0.0-20240603205124-0428df511172
github.com/prometheus/client_golang v1.21.0 github.com/prometheus/client_golang v1.21.0

4
go.sum

@ -548,8 +548,8 @@ github.com/pomerium/csrf v1.7.0 h1:Qp4t6oyEod3svQtKfJZs589mdUTWKVf7q0PgCKYCshY=
github.com/pomerium/csrf v1.7.0/go.mod h1:hAPZV47mEj2T9xFs+ysbum4l7SF1IdrryYaY6PdoIqw= github.com/pomerium/csrf v1.7.0/go.mod h1:hAPZV47mEj2T9xFs+ysbum4l7SF1IdrryYaY6PdoIqw=
github.com/pomerium/datasource v0.18.2-0.20221108160055-c6134b5ed524 h1:3YQY1sb54tEEbr0L73rjHkpLB0IB6qh3zl1+XQbMLis= github.com/pomerium/datasource v0.18.2-0.20221108160055-c6134b5ed524 h1:3YQY1sb54tEEbr0L73rjHkpLB0IB6qh3zl1+XQbMLis=
github.com/pomerium/datasource v0.18.2-0.20221108160055-c6134b5ed524/go.mod h1:7fGbUYJnU8RcxZJvUvhukOIBv1G7LWDAHMfDxAf5+Y0= github.com/pomerium/datasource v0.18.2-0.20221108160055-c6134b5ed524/go.mod h1:7fGbUYJnU8RcxZJvUvhukOIBv1G7LWDAHMfDxAf5+Y0=
github.com/pomerium/envoy-custom v1.33.1-0.20250401214540-6652772e4870 h1:BY+zgiOitHk1U6nJ4WhyXC/cBwsqn8QfU9YiVSitagc= github.com/pomerium/envoy-custom v1.33.1-0.20250408182907-cdb062704690 h1:sNEfcUdZBlg42Z4D1EKRAzGcityBqizsWtAHGL4CfxQ=
github.com/pomerium/envoy-custom v1.33.1-0.20250401214540-6652772e4870/go.mod h1:6nr0BrchI8Y+A01k+HoPVGBhwgcpFhkJzsNJKOr9bKs= github.com/pomerium/envoy-custom v1.33.1-0.20250408182907-cdb062704690/go.mod h1:6nr0BrchI8Y+A01k+HoPVGBhwgcpFhkJzsNJKOr9bKs=
github.com/pomerium/protoutil v0.0.0-20240813175624-47b7ac43ff46 h1:NRTg8JOXCxcIA1lAgD74iYud0rbshbWOB3Ou4+Huil8= github.com/pomerium/protoutil v0.0.0-20240813175624-47b7ac43ff46 h1:NRTg8JOXCxcIA1lAgD74iYud0rbshbWOB3Ou4+Huil8=
github.com/pomerium/protoutil v0.0.0-20240813175624-47b7ac43ff46/go.mod h1:QqZmx6ZgPxz18va7kqoT4t/0yJtP7YFIDiT/W2n2fZ4= github.com/pomerium/protoutil v0.0.0-20240813175624-47b7ac43ff46/go.mod h1:QqZmx6ZgPxz18va7kqoT4t/0yJtP7YFIDiT/W2n2fZ4=
github.com/pomerium/webauthn v0.0.0-20240603205124-0428df511172 h1:TqoPqRgXSHpn+tEJq6H72iCS5pv66j3rPprThUEZg0E= github.com/pomerium/webauthn v0.0.0-20240603205124-0428df511172 h1:TqoPqRgXSHpn+tEJq6H72iCS5pv66j3rPprThUEZg0E=