3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-05-01 03:16:31 +02:00
Code Issues Projects Releases Packages Wiki Activity

authorize: log check() error (#3846)

Browse source
This commit is contained in:
Denis Mishin 2023-01-03 11:05:25 -05:00 committed by GitHub
parent 0e5b8bb5de
commit e728991bf1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 8 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
authorize/grpc.go
View file

@ -22,7 +22,7 @@ import (
) )
// Check implements the envoy auth server gRPC endpoint. // Check implements the envoy auth server gRPC endpoint.
func (a *Authorize) Check(ctx context.Context, in *envoy_service_auth_v3.CheckRequest) (out *envoy_service_auth_v3.CheckResponse, err error) { func (a *Authorize) Check(ctx context.Context, in *envoy_service_auth_v3.CheckRequest) (*envoy_service_auth_v3.CheckResponse, error) {
ctx, span := trace.StartSpan(ctx, "authorize.grpc.Check") ctx, span := trace.StartSpan(ctx, "authorize.grpc.Check")
defer span.End() defer span.End()
@ -47,6 +47,7 @@ func (a *Authorize) Check(ctx context.Context, in *envoy_service_auth_v3.CheckRe
var s sessionOrServiceAccount var s sessionOrServiceAccount
var u *user.User var u *user.User
var err error
if sessionState != nil { if sessionState != nil {
s, err = a.getDataBrokerSessionOrServiceAccount(ctx, sessionState.ID, sessionState.DatabrokerRecordVersion) s, err = a.getDataBrokerSessionOrServiceAccount(ctx, sessionState.ID, sessionState.DatabrokerRecordVersion)
if err != nil { if err != nil {
@ -72,16 +73,18 @@ func (a *Authorize) Check(ctx context.Context, in *envoy_service_auth_v3.CheckRe
log.Error(ctx).Err(err).Msg("error during OPA evaluation") log.Error(ctx).Err(err).Msg("error during OPA evaluation")
return nil, err return nil, err
} }
defer func() {
a.logAuthorizeCheck(ctx, in, out, res, s, u)
}()
// if show error details is enabled, attach the policy evaluation traces // if show error details is enabled, attach the policy evaluation traces
if req.Policy != nil && req.Policy.ShowErrorDetails { if req.Policy != nil && req.Policy.ShowErrorDetails {
ctx = contextutil.WithPolicyEvaluationTraces(ctx, res.Traces) ctx = contextutil.WithPolicyEvaluationTraces(ctx, res.Traces)
} }
return a.handleResult(ctx, in, req, res) resp, err := a.handleResult(ctx, in, req, res)
if err != nil {
log.Error(ctx).Err(err).Str("request-id", requestid.FromContext(ctx)).Msg("grpc check ext_authz_error")
}
a.logAuthorizeCheck(ctx, in, resp, res, s, u)
return resp, err
} }
func (a *Authorize) getEvaluatorRequestFromCheckRequest( func (a *Authorize) getEvaluatorRequestFromCheckRequest(