authorize: enforce service account expiration (#3661)

Caleb Doxsey 2022-10-13 09:28:42 -06:00 committed by GitHub
parent 71b1bcfac5
commit 47e3176ea4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 58 additions and 1 deletions


@ -5,6 +5,7 @@ import (
"context"
"encoding/json"
"fmt"
"time"
"github.com/go-jose/go-jose/v3"
"github.com/open-policy-agent/opa/ast"
@ -13,6 +14,7 @@ import (
"github.com/open-policy-agent/opa/storage/inmem"
"github.com/open-policy-agent/opa/types"
"google.golang.org/protobuf/proto"
"google.golang.org/protobuf/types/known/timestamppb"
"github.com/pomerium/pomerium/config"
"github.com/pomerium/pomerium/internal/log"
@ -131,10 +133,16 @@ func (s *Store) GetDataBrokerRecordOption() func(*rego.Rego) {
msg, _ := res.GetRecords()[0].GetData().UnmarshalNew()
if msg == nil {
if msg == nil {
return ast.NullTerm(), nil
}
// exclude expired records
if hasExpiresAt, ok := msg.(interface{ GetExpiresAt() *timestamppb.Timestamp }); ok && hasExpiresAt.GetExpiresAt() != nil {
if hasExpiresAt.GetExpiresAt().AsTime().Before(time.Now()) {
return ast.NullTerm(), nil
}
}
obj := toMap(msg)
regoValue, err := ast.InterfaceToValue(obj)