authorize: serialize errors in metav1.Status format when kubernetes user-agent is detected

Joe Kralicky 2024-10-22 15:51:37 -04:00
parent 298a5a94a5
commit a4867179b0
No known key found for this signature in database
GPG key ID: 75C4875F34A9FB79


@ -135,7 +135,36 @@ func (a *Authorize) deniedResponse(
respHeader := []*envoy_config_core_v3.HeaderValueOption{}
var respBody []byte
hdrs := in.GetAttributes().GetRequest().GetHttp().GetHeaders()
userAgent := getHeader(hdrs, "User-Agent")
switch {
case strings.Contains(userAgent, "kubernetes/"):
message := reason
var statusReason string
switch code {
case http.StatusUnauthorized:
statusReason = "Unauthorized"
case http.StatusForbidden:
statusReason = "Forbidden"
case http.StatusNotFound:
statusReason = "NotFound"
case httputil.StatusDeviceUnauthorized, httputil.StatusInvalidClientCertificate:
statusReason = "Unauthorized"
message = httputil.DetailsText(int(code))
default:
statusReason = "" // StatusReasonUnknown
}
respBody, _ = json.Marshal(map[string]any{
"apiVersion": "v1",
"kind": "Status",
"status": "Failure", // one of "Success" or "Failure"
"message": message, // user-facing message
"reason": statusReason, // must correspond to k8s StatusReason strings
"code": code, // http code
})
respHeader = append(respHeader,
mkHeader("Content-Type", "application/json"))
case getCheckRequestURL(in).Path == "/robots.txt":
code = 200
respBody = []byte("User-agent: *\nDisallow: /")