continuous auth prototype

2025-08-03 00:40:25 +02:00 · 2025-02-27 17:19:02 -08:00 · 2025-02-27 17:19:02 -08:00 · 3b68db52a0
commit 3b68db52a0
parent 1da95d334c
1 changed files with 36 additions and 0 deletions
--- a/authorize/ssh_grpc.go
+++ b/authorize/ssh_grpc.go
@ -174,6 +174,10 @@ func (a *Authorize) ManageStream(
 							return err
 						}
 						sendC <- handleEvaluatorResponseForSSH(res, &state)
+
+						if res.Allow.Value && !res.Deny.Value {
+							a.startContinuousAuthorization(ctx, errC, req, session.Id)
+						}
 					}

 					if session == nil && !slices.Contains(state.MethodsAuthenticated, "keyboard-interactive") {
@ -315,6 +319,10 @@ func (a *Authorize) ManageStream(
 						return err
 					}
 					sendC <- handleEvaluatorResponseForSSH(res, &state)
+
+					if res.Allow.Value && !res.Deny.Value {
+						a.startContinuousAuthorization(ctx, errC, req, sessionState.Load().ID)
+					}
 				} else {
 					resp := extensions_ssh.ServerMessage{
 						Message: &extensions_ssh.ServerMessage_AuthResponse{
@ -511,6 +519,34 @@ func (a *Authorize) PersistSession(
 	return nil
 }

+func (a *Authorize) startContinuousAuthorization(
+	ctx context.Context,
+	errC chan<- error,
+	req *evaluator.Request,
+	sessionID string,
+) {
+	recheck := func() {
+		// XXX: probably want to log the results of this evaluation only if it changes
+		res, _ := a.evaluate(ctx, req, &sessions.State{ID: sessionID})
+		if !res.Allow.Value || res.Deny.Value {
+			errC <- fmt.Errorf("no longer authorized")
+		}
+	}
+
+	ticker := time.NewTicker(time.Second)
+	go func() {
+		for {
+			select {
+			case <-ticker.C:
+				recheck()
+			case <-ctx.Done():
+				ticker.Stop()
+				return
+			}
+		}
+	}()
+}
+
 // See RFC 4254, section 5.1.
 const msgChannelOpen = 90