3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-06-06 21:04:39 +02:00
Code Issues Projects Releases Packages Wiki Activity

authorize: return 403 on invalid sessions (#5536)

Browse source
This commit is contained in:
Caleb Doxsey 2025-03-19 14:41:28 -06:00 committed by GitHub
parent 2795cc68aa
commit d6b02441b3
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 12 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

9
authorize/grpc.go
View file

@ -4,6 +4,7 @@ import (
"context"
"encoding/pem"
"errors"
"fmt"
"io"
"net/http"
"net/url"
@ -54,8 +55,11 @@ func (a *Authorize) Check(ctx context.Context, in *envoy_service_auth_v3.CheckRe
// load the session
s, err := a.loadSession(ctx, hreq, req)
if err != nil {
return nil, err
if errors.Is(err, sessions.ErrInvalidSession) {
// ENG-2172: if this is an invalid session, don't evaluate policy, return forbidden
return a.deniedResponse(ctx, in, int32(http.StatusForbidden), http.StatusText(http.StatusForbidden), nil)
} else if err != nil {
return nil, fmt.Errorf("error loading session: %w", err)
}
// if there's a session or service account, load the user
@ -122,6 +126,7 @@ func (a *Authorize) loadSession(
Str("request-id", requestID).
Err(err).
Msg("error creating session for incoming idp token")
return nil, err
}
sessionState, _ := a.state.Load().sessionStore.LoadSessionStateAndCheckIDP(hreq)

4
config/session.go
View file

@ -202,7 +202,7 @@ func (c *incomingIDPTokenSessionCreator) createSessionAccessToken(
if err != nil {
return nil, fmt.Errorf("error verifying access token: %w", err)
} else if !res.Valid {
return nil, fmt.Errorf("invalid access token")
return nil, fmt.Errorf("%w: invalid access token", sessions.ErrInvalidSession)
}
s = c.newSessionFromIDPClaims(cfg, sessionID, res.Claims)
@ -265,7 +265,7 @@ func (c *incomingIDPTokenSessionCreator) createSessionForIdentityToken(
if err != nil {
return nil, fmt.Errorf("error verifying identity token: %w", err)
} else if !res.Valid {
return nil, fmt.Errorf("invalid identity token")
return nil, fmt.Errorf("%w: invalid identity token", sessions.ErrInvalidSession)
}
s = c.newSessionFromIDPClaims(cfg, sessionID, res.Claims)

3
internal/sessions/errors.go
View file

@ -8,6 +8,9 @@ var (
// ErrNoSessionFound is the error for when no session is found.
ErrNoSessionFound = errors.New("internal/sessions: session is not found")
// ErrInvalidSession is the error for when a session is invalid.
ErrInvalidSession = errors.New("internal/sessions: invalid session")
// ErrMalformed is the error for when a session is found but is malformed.
ErrMalformed = errors.New("internal/sessions: session is malformed")