3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-06-01 10:22:43 +02:00
Code Issues Projects Releases Packages Wiki Activity

authorize: use query instead of sync for databroker data (#3377)

Browse source
This commit is contained in:
Caleb Doxsey 2022-06-01 15:40:07 -06:00 committed by GitHub
parent fd82cc7870
commit f61e7efe73
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
24 changed files with 661 additions and 1008 deletions
Download patch file Download diff file Expand all files Collapse all files

52
authorize/log.go
View file

@ -12,9 +12,11 @@ import (
"github.com/pomerium/pomerium/internal/telemetry/requestid"
"github.com/pomerium/pomerium/internal/telemetry/trace"
"github.com/pomerium/pomerium/pkg/grpc/audit"
"github.com/pomerium/pomerium/pkg/grpc/databroker"
"github.com/pomerium/pomerium/pkg/grpc/session"
"github.com/pomerium/pomerium/pkg/grpc/user"
"github.com/pomerium/pomerium/pkg/grpcutil"
"github.com/pomerium/pomerium/pkg/storage"
)
func (a *Authorize) logAuthorizeCheck(
@ -39,7 +41,7 @@ func (a *Authorize) logAuthorizeCheck(
// session information
if s, ok := s.(*session.Session); ok {
evt = a.populateLogSessionDetails(evt, s)
evt = a.populateLogSessionDetails(ctx, evt, s)
}
if sa, ok := s.(*user.ServiceAccount); ok {
evt = evt.Str("service-account-id", sa.GetId())
@ -61,8 +63,6 @@ func (a *Authorize) logAuthorizeCheck(
}
evt = evt.Str("user", u.GetId())
evt = evt.Str("email", u.GetEmail())
evt = evt.Uint64("databroker_server_version", res.DataBrokerServerVersion)
evt = evt.Uint64("databroker_record_version", res.DataBrokerRecordVersion)
}
// potentially sensitive, only log if debug mode
@ -80,10 +80,6 @@ func (a *Authorize) logAuthorizeCheck(
Request: in,
Response: out,
}
if res != nil {
record.DatabrokerServerVersion = res.DataBrokerServerVersion
record.DatabrokerRecordVersion = res.DataBrokerRecordVersion
}
sealed, err := enc.Encrypt(record)
if err != nil {
log.Warn(ctx).Err(err).Msg("authorize: error encrypting audit record")
@ -96,26 +92,50 @@ func (a *Authorize) logAuthorizeCheck(
}
}
func (a *Authorize) populateLogSessionDetails(evt *zerolog.Event, s *session.Session) *zerolog.Event {
func (a *Authorize) populateLogSessionDetails(ctx context.Context, evt *zerolog.Event, s *session.Session) *zerolog.Event {
evt = evt.Str("session-id", s.GetId())
if s.GetImpersonateSessionId() == "" {
return evt
}
querier := storage.GetQuerier(ctx)
evt = evt.Str("impersonate-session-id", s.GetImpersonateSessionId())
impersonatedSession, ok := a.store.GetRecordData(
grpcutil.GetTypeURL(new(session.Session)),
s.GetImpersonateSessionId(),
).(*session.Session)
req := &databroker.QueryRequest{
Type: grpcutil.GetTypeURL(new(session.Session)),
Limit: 1,
}
req.SetFilterByID(s.GetImpersonateSessionId())
res, err := querier.Query(ctx, req)
if err != nil || len(res.GetRecords()) == 0 {
return evt
}
impersonatedSessionMsg, err := res.GetRecords()[0].GetData().UnmarshalNew()
if err != nil {
return evt
}
impersonatedSession, ok := impersonatedSessionMsg.(*session.Session)
if !ok {
return evt
}
evt = evt.Str("impersonate-user-id", impersonatedSession.GetUserId())
impersonatedUser, ok := a.store.GetRecordData(
grpcutil.GetTypeURL(new(user.User)),
impersonatedSession.GetUserId(),
).(*user.User)
req = &databroker.QueryRequest{
Type: grpcutil.GetTypeURL(new(user.User)),
Limit: 1,
}
req.SetFilterByID(impersonatedSession.GetUserId())
res, err = querier.Query(ctx, req)
if err != nil || len(res.GetRecords()) == 0 {
return evt
}
impersonatedUserMsg, err := res.GetRecords()[0].GetData().UnmarshalNew()
if err != nil {
return evt
}
impersonatedUser, ok := impersonatedUserMsg.(*user.User)
if !ok {
return evt
}