Skip to content

pam: allow account credentials to be fetched more than once #4905

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Nov 20, 2025
Merged

pam: allow account credentials to be fetched more than once #4905

merged 3 commits into from
Nov 20, 2025
+60 −33

Conversation

@x032205
Copy link
Contributor

@x032205 x032205 commented Nov 19, 2025
edited
Loading

pam: allow account credentials to be fetched more than once

Creates new audit log type for specifically accessing credentials

CleanShot 2025-11-19 at 16 06 01@2x

@maidul98
Copy link
Collaborator

maidul98 commented Nov 19, 2025
edited
Loading

Snyk checks have passed. No issues have been found so far.

Status Scanner Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@greptile-apps
Copy link
Contributor

greptile-apps bot commented Nov 19, 2025
edited
Loading

Greptile Summary

  • Allows PAM session credentials to be fetched multiple times instead of only once, removing the previous restriction
  • Introduces new PAM_SESSION_CREDENTIALS_GET audit event to track each credential access separately from session start
  • Maintains PAM_SESSION_START audit log only for the initial credential fetch when session transitions to Active status

Confidence Score: 5/5

  • This PR is safe to merge with no security concerns.
  • The implementation correctly addresses the previous audit logging issue by separating credential fetches from session starts. The logic is sound: credentials can be fetched multiple times (tracked by PAM_SESSION_CREDENTIALS_GET), but PAM_SESSION_START only fires once when the session transitions from Starting to Active. All changes are well-structured, maintain security boundaries, and improve audit trail accuracy.
  • No files require special attention.

Important Files Changed

Filename Overview
backend/src/ee/services/pam-account/pam-account-service.ts Removes the check preventing multiple credential fetches and adds sessionStarted flag to control audit logging.
backend/src/ee/routes/v1/pam-session-router.ts Updates audit logging to emit PAM_SESSION_CREDENTIALS_GET for all fetches, and conditionally emits PAM_SESSION_START only on first fetch.

greptile-apps[bot]
greptile-apps bot reviewed Nov 19, 2025
View reviewed changes
Copy link
Contributor

@greptile-apps greptile-apps bot left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Additional Comments (1)

  1. backend/src/ee/services/pam-account/pam-account-service.ts, line 667-669 (link)

    logic: The security check for expired sessions doesn't consider sessions in Active state. With repeated credential fetches now allowed, there's no verification that the session hasn't been administratively terminated (Terminated status) or ended by user (Ended status) between the initial fetch and subsequent fetches.

    Attack scenario: If an admin terminates a session or user ends it, the gateway can still repeatedly fetch credentials using the old sessionId, as only endedAt and expiresAt are checked, not the status field.

    Check the session status explicitly:

1 file reviewed, 2 comments

Edit Code Review Agent Settings | Greptile
React with 👍 or 👎 to share your feedback on this new summary format

@x032205
Copy link
Contributor Author

x032205 commented Nov 19, 2025

@greptile review this

greptile-apps[bot]
greptile-apps bot reviewed Nov 19, 2025
View reviewed changes
Copy link
Contributor

@greptile-apps greptile-apps bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

5 files reviewed, no comments

Edit Code Review Agent Settings | Greptile
React with 👍 or 👎 to share your feedback on this new summary format

sheensantoscapadngan
sheensantoscapadngan reviewed Nov 20, 2025
View reviewed changes
@x032205 x032205 merged commit 8eb257b into main Nov 20, 2025
9 of 11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sheensantoscapadngan sheensantoscapadngan sheensantoscapadngan approved these changes

+1 more reviewer

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@x032205 @maidul98 @sheensantoscapadngan