pomerium / pomerium / 24413175781
46%

Build:
DEFAULT BRANCH: main
Ran 14 Apr 2026 05:47PM UTC
Jobs 1
Files 691
Run time 2min
14 Apr 2026 05:23PM UTC coverage: 45.451%. Remained the same
24413175781

push

github

web-flow
fix: validate GCS metadata identity response before using as token (#6266)

## Summary

- reject non-200 responses from the GCP metadata identity endpoint
instead of using the response body as a bearer token
- reject empty metadata tokens after trimming whitespace
- include the audience and a truncated response body in errors to
improve diagnostics
- add regression coverage around unexpected metadata responses and
header generation

## Context

While investigating an environment-specific failure mode, we found that
unexpected responses from the metadata identity endpoint could flow into
the authorization-header path. This PR hardens that code path so bad
metadata responses are treated as errors instead of token material.

This is a correctness and defense-in-depth fix. It should not be read as
a claim that this PR alone explains every aspect of the incident being
investigated.

## Test plan

- [x] success path still returns a token
- [x] non-200 metadata responses return an error
- [x] empty metadata responses return an error
- [x] header-generation path does not emit headers when token retrieval
fails
- [x] existing evaluator coverage still passes
- [x] `make build`
- [x] `make test`
- [x] `make lint`

## AI Assistance

AI helped draft the initial diagnosis and test coverage. I manually
reviewed the change, validated the behavior against a live environment,
and reran the repository validation commands.

17 of 19 new or added lines in 1 file covered. (89.47%)

33 existing lines in 7 files now uncovered.

35142 of 77319 relevant lines covered (45.45%)

114.78 hits per line

Uncovered Changes

Lines  Coverage  ∆       File
2      66.39     7.97%   authorize/evaluator/google_cloud_serverless.go

Coverage Regressions

Lines  Coverage  ∆       File
11     72.3      -7.43%  pkg/grpcutil/client_manager.go
10     75.73     -2.64%  pkg/storage/postgres/backend.go
5      48.64     -0.9%   internal/databroker/server_clustered_follower.go
2      96.88     -1.04%  pkg/identity/manager/schedulers.go
2      85.88     1.18%   pkg/storage/postgres/iterate.go
2      88.52     0.0%    pkg/storage/postgres/postgres.go
1      82.24     -0.2%   pkg/envoy/resource_monitor_linux.go
Jobs
ID  Job ID         Ran                      Files  Coverage
1   24413175781.1  14 Apr 2026 05:47PM UTC  691    45.45
Source Files on build 24413175781
  • Tree
  • List 691
  • Changed 13
  • Source Changed 1
  • Coverage Changed 13
  • Github Actions Build #24413175781
  • 615baaba on github
  • Prev Build on main (#24369764509)
  • Next Build on main (#24430887217)