ssh: implement authorization policy evaluation (#5665)

Implement the pkg/ssh.AuthInterface. Add logic for converting from the
ssh stream state to an evaluator request, and for interpreting the
results of policy evaluation. Refactor some of the existing authorize
logic to make it easier to reuse.
Kenneth Jenkins 2025-07-01 12:04:00 -07:00 committed by GitHub
parent 9437cec21d
commit 9678e6a231
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
20 changed files with 1013 additions and 74 deletions


@ -5,18 +5,14 @@ package authenticateflow
import (
"context"
"fmt"
"time"
oteltrace "go.opentelemetry.io/otel/trace"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/stats"
"google.golang.org/grpc/status"
"google.golang.org/protobuf/types/known/structpb"
"github.com/pomerium/pomerium/pkg/grpc"
"github.com/pomerium/pomerium/pkg/grpc/user"
"github.com/pomerium/pomerium/pkg/identity"
"github.com/pomerium/pomerium/pkg/telemetry/trace"
)
@ -25,21 +21,6 @@ var timeNow = time.Now
var outboundGRPCConnection = new(grpc.CachedOutboundGRPClientConn)
func populateUserFromClaims(u *user.User, claims map[string]any) {
if v, ok := claims["name"]; ok {
u.Name = fmt.Sprint(v)
}
if v, ok := claims["email"]; ok {
u.Email = fmt.Sprint(v)
}
if u.Claims == nil {
u.Claims = make(map[string]*structpb.ListValue)
}
for k, vs := range identity.Claims(claims).Flatten().ToPB() {
u.Claims[k] = vs
}
}
var outboundDatabrokerTraceClientOpts = []trace.ClientStatsHandlerOption{
trace.WithStatsInterceptor(ignoreNotFoundErrors),
}


@ -208,7 +208,7 @@ func (s *Stateful) PersistSession(
Id: sess.GetUserId(),
}
}
populateUserFromClaims(u, claims.Claims)
u.PopulateFromClaims(claims.Claims)
_, err := databroker.Put(ctx, s.dataBrokerClient, u)
if err != nil {
return fmt.Errorf("authenticate: error saving user: %w", err)
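Review bot: The new `u.PopulateFromClaims(claims.Claims)` call replaces a helper that, in its removed form earlier in this commit, lazily initialized `u.Claims` with `make(map[string]*structpb.ListValue)` before writing into it; the method that replaces it is not visible in this diff, so confirm it keeps that nil-map initialization. The `u` reaching this line is presumably either the fresh `&user.User{Id: ...}` literal just above or a record loaded from the databroker, and a loaded record with a nil `Claims` map would panic on the first write if the new method skips that check. It is also worth confirming the method still sets `Name`/`Email` only when the claim is present, as the old helper did, so an existing user record is not blanked. PersistSession's body starts and ends outside the hunk.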


@ -422,7 +422,7 @@ func (s *Stateless) Callback(w http.ResponseWriter, r *http.Request) error {
if err != nil {
u = &user.User{Id: ss.UserID()}
}
populateUserFromClaims(u, profile.GetClaims().AsMap())
u.PopulateFromClaims(profile.Claims.AsMap())
redirectURI, err := getRedirectURIFromValues(values)
if err != nil {
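Review bot: The new line also changes `profile.GetClaims().AsMap()` to `profile.Claims.AsMap()`, which drops the nil-receiver-safe protobuf getter for a direct field dereference; if `profile` can ever be nil at this point the call now panics where the old code passed an empty map through. Unless the code above this hunk guarantees a non-nil profile, keep the getter: `u.PopulateFromClaims(profile.GetClaims().AsMap())`. Callback's body starts and ends outside the hunk.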