authorize: return 403 on invalid sessions (#5537)

authorize: return 403 on invalid sessions (#5536)

Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
backport-actions-token[bot] 2025-03-19 14:43:03 -06:00 committed by GitHub
parent cc22174159
commit 839bedac80
GPG key ID: B5690EEEBB952194
3 changed files with 12 additions and 4 deletions


@ -4,6 +4,7 @@ import (
"context" "context"
"encoding/pem" "encoding/pem"
"errors" "errors"
"fmt"
"io" "io"
"net/http" "net/http"
"net/url" "net/url"
@ -54,8 +55,11 @@ func (a *Authorize) Check(ctx context.Context, in *envoy_service_auth_v3.CheckRe
// load the session // load the session
s, err := a.loadSession(ctx, hreq, req) s, err := a.loadSession(ctx, hreq, req)
if err != nil { if errors.Is(err, sessions.ErrInvalidSession) {
return nil, err // ENG-2172: if this is an invalid session, don't evaluate policy, return forbidden
return a.deniedResponse(ctx, in, int32(http.StatusForbidden), http.StatusText(http.StatusForbidden), nil)
} else if err != nil {
return nil, fmt.Errorf("error loading session: %w", err)
} }
// if there's a session or service account, load the user // if there's a session or service account, load the user
@ -122,6 +126,7 @@ func (a *Authorize) loadSession(
Str("request-id", requestID). Str("request-id", requestID).
Err(err). Err(err).
Msg("error creating session for incoming idp token") Msg("error creating session for incoming idp token")
return nil, err
} }
sessionState, _ := a.state.Load().sessionStore.LoadSessionStateAndCheckIDP(hreq) sessionState, _ := a.state.Load().sessionStore.LoadSessionStateAndCheckIDP(hreq)
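Review bot: The new ErrInvalidSession branch in Check (`if errors.Is(err, sessions.ErrInvalidSession) {`) returns the 403 without recording why the session was rejected, so in the authorize log an invalid or expired IdP token is indistinguishable from a policy denial; log the wrapped err at debug level with the request id, the way loadSession does on the line before its new `return nil, err`, before calling deniedResponse. Keeping http.StatusText as the only body text is the right choice here, since the wrapped error carries token-verification detail that should not reach the client. Separately, the added `return nil, err` in loadSession (third hunk) appears to turn every session-creation failure into an aborted Check via the `error loading session` path, where previously the code fell through to LoadSessionStateAndCheckIDP; if that fall-back was intended for transient verifier errors, only the ErrInvalidSession case should return early, which is worth confirming. Both Check and loadSession begin outside their hunks.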


@ -202,7 +202,7 @@ func (c *incomingIDPTokenSessionCreator) createSessionAccessToken(
if err != nil { if err != nil {
return nil, fmt.Errorf("error verifying access token: %w", err) return nil, fmt.Errorf("error verifying access token: %w", err)
} else if !res.Valid { } else if !res.Valid {
return nil, fmt.Errorf("invalid access token") return nil, fmt.Errorf("%w: invalid access token", sessions.ErrInvalidSession)
} }
s = c.newSessionFromIDPClaims(cfg, sessionID, res.Claims) s = c.newSessionFromIDPClaims(cfg, sessionID, res.Claims)
@ -265,7 +265,7 @@ func (c *incomingIDPTokenSessionCreator) createSessionForIdentityToken(
if err != nil { if err != nil {
return nil, fmt.Errorf("error verifying identity token: %w", err) return nil, fmt.Errorf("error verifying identity token: %w", err)
} else if !res.Valid { } else if !res.Valid {
return nil, fmt.Errorf("invalid identity token") return nil, fmt.Errorf("%w: invalid identity token", sessions.ErrInvalidSession)
} }
s = c.newSessionFromIDPClaims(cfg, sessionID, res.Claims) s = c.newSessionFromIDPClaims(cfg, sessionID, res.Claims)
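Review bot: Only the `!res.Valid` path is classified as sessions.ErrInvalidSession in both hunks; the preceding `if err != nil` branch still returns `fmt.Errorf("error verifying access token: %w", err)` (and the identity-token equivalent), so any token the verifier rejects by returning an error rather than a Valid=false result will not take the new 403 path in Check and instead surfaces as a generic error. Whether the verifier reports malformed or untrusted tokens through err or through res.Valid cannot be told from this hunk; if it uses err, those cases should also wrap sessions.ErrInvalidSession while genuine transport or configuration failures keep the plain wrap. A short comment on the `!res.Valid` branch, such as `// Valid=false is a caller-side token problem: classify as ErrInvalidSession so authorize answers 403, not 5xx`, would document the distinction. Both createSessionAccessToken and createSessionForIdentityToken begin outside their hunks.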


@ -8,6 +8,9 @@ var (
// ErrNoSessionFound is the error for when no session is found. // ErrNoSessionFound is the error for when no session is found.
ErrNoSessionFound = errors.New("internal/sessions: session is not found") ErrNoSessionFound = errors.New("internal/sessions: session is not found")
// ErrInvalidSession is the error for when a session is invalid.
ErrInvalidSession = errors.New("internal/sessions: invalid session")
// ErrMalformed is the error for when a session is found but is malformed. // ErrMalformed is the error for when a session is found but is malformed.
ErrMalformed = errors.New("internal/sessions: session is malformed") ErrMalformed = errors.New("internal/sessions: session is malformed")