somewhat working

Was missing a Querier on the context passed to Evaluate(). Add some additional debug logging.
2025-07-27 05:29:25 +02:00 · 2025-02-25 14:56:27 -08:00 · 2025-02-25 14:56:27 -08:00 · e45f11d281
commit e45f11d281
parent e69ccaae68
2 changed files with 21 additions and 3 deletions
--- a/authorize/internal/store/store.go
+++ b/authorize/internal/store/store.go
@ -186,7 +186,11 @@ func (s *Store) GetDataBrokerRecord(ctx context.Context, recordType, recordIDOrI

 	res, err := storage.GetQuerier(ctx).Query(ctx, req, grpc.WaitForReady(true))
 	if err != nil {
-		log.Ctx(ctx).Error().Err(err).Msg("authorize/store: error retrieving record")
+		log.Ctx(ctx).Error().
+			Str("record-type", recordType).
+			Str("record-id-or-index", recordIDOrIndex).
+			Err(err).
+			Msg("authorize/store: error retrieving record")
 		return nil
 	}

--- a/authorize/ssh_grpc.go
+++ b/authorize/ssh_grpc.go
@ -23,6 +23,7 @@ import (
 	"github.com/pomerium/pomerium/pkg/identity"
 	"github.com/pomerium/pomerium/pkg/identity/manager"
 	"github.com/pomerium/pomerium/pkg/identity/oauth"
+	"github.com/pomerium/pomerium/pkg/storage"
 	gossh "golang.org/x/crypto/ssh"
 	"golang.org/x/oauth2"
 	"golang.org/x/sync/errgroup"
@ -60,6 +61,13 @@ func (a *Authorize) ManageStream(
 		}
 	})

+	// XXX
+	querier := storage.NewCachingQuerier(
+		storage.NewQuerier(a.state.Load().dataBrokerClient),
+		a.globalCache,
+	)
+	ctx = storage.WithQuerier(ctx, querier)
+
 	eg.Go(func() error {
 		for {
 			select {
@ -243,6 +251,12 @@ func (a *Authorize) ManageStream(
 							return
 						}
 						s := sessions.NewState(idp.Id)
+						claims.Claims.Claims(&s) // XXX
+						s.ID, err = getSessionIDForSSH(state.PublicKey)
+						if err != nil {
+							errC <- err
+							return
+						}
 						fmt.Println(token)
 						err = a.PersistSession(ctx, s, claims, token)
 						if err != nil {
@ -392,7 +406,7 @@ func (a *Authorize) getEvaluatorRequestFromSSHAuthRequest(
 func handleEvaluatorResponseForSSH(
 	result *evaluator.Result, state *StreamState,
 ) *extensions_ssh.ServerMessage {
-	fmt.Println(" *** evaluator result: %+w", result)
+	fmt.Printf(" *** evaluator result: %+v\n", result)

 	// TODO: ideally there would be a way to keep this in sync with the logic in check_response.go
 	allow := result.Allow.Value && !result.Deny.Value
@ -456,7 +470,7 @@ func publicKeyAllowResponse(publicKey []byte) *extensions_ssh.PublicKeyAllowResp
 // PersistSession stores session and user data in the databroker.
 func (a *Authorize) PersistSession(
 	ctx context.Context,
-	sessionState *sessions.State,
+	sessionState *sessions.State, // XXX: consider not using this struct
 	claims identity.SessionClaims,
 	accessToken *oauth2.Token,
 ) error {