fix forward-auth, logging (#2509)

* fix forward-auth, logging * move error message
2025-08-06 10:21:05 +02:00 · 2021-08-23 17:50:04 -06:00 · 2021-08-23 17:50:04 -06:00 · 526f946097
commit 526f946097
parent 9aad155e1a
4 changed files with 10 additions and 7 deletions
--- a/authorize/authorize.go
+++ b/authorize/authorize.go
@ -62,7 +62,6 @@ func (a *Authorize) WaitForInitialSync(ctx context.Context) error {
 		return ctx.Err()
 	case <-a.dataBrokerInitialSync:
 	}
-	log.Info(ctx).Msg("initial sync from databroker complete")
 	return nil
 }

--- a/authorize/evaluator/google_cloud_serverless.go
+++ b/authorize/evaluator/google_cloud_serverless.go
@ -18,6 +18,8 @@ import (
 	"golang.org/x/oauth2"
 	"golang.org/x/sync/singleflight"
 	"google.golang.org/api/idtoken"
+
+	"github.com/pomerium/pomerium/internal/log"
 )

 // GCP pre-defined values.
@ -46,6 +48,7 @@ var (

 		headers, err := getGoogleCloudServerlessHeaders(string(serviceAccount), string(audience))
 		if err != nil {
+			log.Error(context.Background()).Err(err).Msg("error retrieving google cloud serverless headers")
 			return nil, fmt.Errorf("failed to get google cloud serverless headers: %w", err)
 		}
 		var kvs [][2]*ast.Term
@ -160,12 +163,12 @@ func getGoogleCloudServerlessTokenSource(serviceAccount, audience string) (oauth
 func getGoogleCloudServerlessHeaders(serviceAccount, audience string) (map[string]string, error) {
 	src, err := getGoogleCloudServerlessTokenSource(serviceAccount, audience)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("error retrieving google cloud serverless token source: %w", err)
 	}

 	tok, err := src.Token()
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("error retrieving google cloud serverless token: %w", err)
 	}

 	return map[string]string{
--- a/authorize/grpc.go
+++ b/authorize/grpc.go
@ -81,15 +81,15 @@ func (a *Authorize) Check(ctx context.Context, in *envoy_service_auth_v3.CheckRe
 		return a.okResponse(res), nil
 	}

-	if isForwardAuth && hreq.URL.Path == "/verify" {
-		return a.deniedResponse(ctx, in, http.StatusUnauthorized, "Unauthenticated", nil)
-	}
-
 	// if we're logged in, don't redirect, deny with forbidden
 	if req.Session.ID != "" {
 		return a.deniedResponse(ctx, in, denyStatusCode, denyStatusText, nil)
 	}

+	if isForwardAuth && hreq.URL.Path == "/verify" {
+		return a.deniedResponse(ctx, in, http.StatusUnauthorized, "Unauthenticated", nil)
+	}
+
 	return a.requireLoginResponse(ctx, in)
 }

--- a/authorize/sync.go
+++ b/authorize/sync.go
@ -61,6 +61,7 @@ func (syncer *dataBrokerSyncer) UpdateRecords(ctx context.Context, serverVersion

 	// the first time we update records we signal the initial sync
 	syncer.signalOnce.Do(func() {
+		log.Info(ctx).Msg("initial sync from databroker complete")
 		close(syncer.authorize.dataBrokerInitialSync)
 	})
 }