19475484620

Committed 18 Nov 2025 05:36PM UTC coverage: 54.799% (-0.04%) from 54.843%

Build # 19475484620

Build Type

push

github

Committed by

web-flow

Commit Message

fix: databroker client updates should propagate to ssh codes (#5935)

## Summary

SSH auth code flow is causing Pomerium to not start cleanly / update
properly.

Databroker grpc client changes now propagate to the SSH code manager

## Related issues

N/A, slack thread.

## User Explanation

N/A

## Checklist

- [X] reference any related issues
- [X] updated unit tests
- [X] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [X] ready for review

Run Details

4 of 66 new or added lines in 7 files covered. (6.06%)

25 existing lines in 7 files now uncovered.

28697 of 52368 relevant lines covered (54.8%)

93.63 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

0.0

/pkg/ssh/code/revoker.go

package code

import (
        "context"

        "github.com/cenkalti/backoff/v4"
        "google.golang.org/grpc/codes"
        "google.golang.org/grpc/status"
        "google.golang.org/protobuf/types/known/timestamppb"

        "github.com/pomerium/pomerium/pkg/grpc/databroker"
)

type revoker struct {
        clientB databroker.ClientGetter
}

var _ Revoker = (*revoker)(nil)

func NewRevoker(client databroker.ClientGetter) Revoker {
        return &revoker{
                clientB: client,
        }
}

func (r *revoker) RevokeCode(ctx context.Context, codeID CodeID) error {
        rec, err := r.clientB.GetDataBrokerServiceClient().
                Get(ctx, &databroker.GetRequest{
                        Type: "type.googleapis.com/session.SessionBindingRequest",
                        Id:   string(codeID),
                })

        if st, ok := status.FromError(err); ok && st.Code() == codes.NotFound {
                return nil
        } else if err != nil {
                return err
        }

        if rec.GetRecord().GetDeletedAt() != nil {
                return nil
        }

        rec.Record.DeletedAt = timestamppb.Now()

        _, err = r.clientB.GetDataBrokerServiceClient().
                Patch(ctx, &databroker.PatchRequest{
                        Records: []*databroker.Record{
                                rec.Record,
                        },
                })
        return err
}

func (r *revoker) RevokeSessionBinding(ctx context.Context, bindingID BindingID) error {
        sbResp, err := r.clientB.GetDataBrokerServiceClient().
                Get(ctx, &databroker.GetRequest{
                        Type: "type.googleapis.com/session.SessionBinding",
                        Id:   string(bindingID),
                })

        if st, ok := status.FromError(err); ok && st.Code() == codes.NotFound {
                return nil
        }
        if err != nil {
                return err
        }
        if sbResp.Record.GetDeletedAt() != nil {
                return nil
        }
        rec := sbResp.Record
        rec.DeletedAt = timestamppb.Now()
        _, err = r.clientB.GetDataBrokerServiceClient().
                Patch(ctx, &databroker.PatchRequest{
                        Records: []*databroker.Record{
                                rec,
                        },
                })
        return err
}

func (r *revoker) RevokeSessionBindingBySession(ctx context.Context, sessionID string) ([]*databroker.Record, error) {
        b := backoff.WithContext(backoff.NewExponentialBackOff(), ctx)
        recs, err := backoff.RetryWithData(func() ([]*databroker.Record, error) {
                return getSessionBindingBySession(ctx, r.clientB.GetDataBrokerServiceClient(), sessionID)
        }, b)
        if err != nil {
                return nil, err
        }
        if len(recs) == 0 {
                return []*databroker.Record{}, nil
        }
        for _, rec := range recs {
                rec.DeletedAt = timestamppb.Now()
        }
        _, err = r.clientB.GetDataBrokerServiceClient().Patch(ctx, &databroker.PatchRequest{
                Records: recs,
        })
        return recs, err
}

1	package code
2
3	import (
4	"context"
5
6	"github.com/cenkalti/backoff/v4"
7	"google.golang.org/grpc/codes"
8	"google.golang.org/grpc/status"
9	"google.golang.org/protobuf/types/known/timestamppb"
10
11	"github.com/pomerium/pomerium/pkg/grpc/databroker"
12	)
13
14	type revoker struct {
15	clientB databroker.ClientGetter
16	}
17
18	var _ Revoker = (*revoker)(nil)
19
NEW 20	func NewRevoker(client databroker.ClientGetter) Revoker {	×
21	return &revoker{	×
NEW 22	clientB: client,	×
23	}	×
24	}	×
25
26	func (r *revoker) RevokeCode(ctx context.Context, codeID CodeID) error {	×
NEW 27	rec, err := r.clientB.GetDataBrokerServiceClient().	×
NEW 28	Get(ctx, &databroker.GetRequest{	×
NEW 29	Type: "type.googleapis.com/session.SessionBindingRequest",	×
NEW 30	Id: string(codeID),	×
NEW 31	})	×
32		×
33	if st, ok := status.FromError(err); ok && st.Code() == codes.NotFound {	×
34	return nil	×
35	} else if err != nil {	×
36	return err	×
37	}	×
38
39	if rec.GetRecord().GetDeletedAt() != nil {	×
40	return nil	×
41	}	×
42
43	rec.Record.DeletedAt = timestamppb.Now()	×
44		×
NEW 45	_, err = r.clientB.GetDataBrokerServiceClient().	×
NEW 46	Patch(ctx, &databroker.PatchRequest{	×
NEW 47	Records: []*databroker.Record{	×
NEW 48	rec.Record,	×
NEW 49	},	×
NEW 50	})	×
UNCOV 51	return err	×
52	}
53
54	func (r *revoker) RevokeSessionBinding(ctx context.Context, bindingID BindingID) error {	×
NEW 55	sbResp, err := r.clientB.GetDataBrokerServiceClient().	×
NEW 56	Get(ctx, &databroker.GetRequest{	×
NEW 57	Type: "type.googleapis.com/session.SessionBinding",	×
NEW 58	Id: string(bindingID),	×
NEW 59	})	×
60		×
61	if st, ok := status.FromError(err); ok && st.Code() == codes.NotFound {	×
62	return nil	×
63	}	×
64	if err != nil {	×
65	return err	×
66	}	×
67	if sbResp.Record.GetDeletedAt() != nil {	×
68	return nil	×
69	}	×
70	rec := sbResp.Record	×
71	rec.DeletedAt = timestamppb.Now()	×
NEW 72	_, err = r.clientB.GetDataBrokerServiceClient().	×
NEW 73	Patch(ctx, &databroker.PatchRequest{	×
NEW 74	Records: []*databroker.Record{	×
NEW 75	rec,	×
NEW 76	},	×
NEW 77	})	×
UNCOV 78	return err	×
79	}
80
81	func (r revoker) RevokeSessionBindingBySession(ctx context.Context, sessionID string) ([]databroker.Record, error) {	×
82	b := backoff.WithContext(backoff.NewExponentialBackOff(), ctx)	×
83	recs, err := backoff.RetryWithData(func() ([]*databroker.Record, error) {	×
NEW 84	return getSessionBindingBySession(ctx, r.clientB.GetDataBrokerServiceClient(), sessionID)	×
85	}, b)	×
86	if err != nil {	×
87	return nil, err	×
88	}	×
89	if len(recs) == 0 {	×
90	return []*databroker.Record{}, nil	×
91	}	×
92	for _, rec := range recs {	×
93	rec.DeletedAt = timestamppb.Now()	×
94	}	×
NEW 95	_, err = r.clientB.GetDataBrokerServiceClient().Patch(ctx, &databroker.PatchRequest{	×
96	Records: recs,	×
97	})	×
98	return recs, err	×
99	}

pomerium / pomerium / 19475484620

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous