options: remove refresh_cooldown, add allow_spdy to proto (#2446)

This commit is contained in:
Caleb Doxsey 2021-08-06 10:06:57 -06:00 committed by GitHub
parent 1931f11649
commit 63ee30d69c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
9 changed files with 487 additions and 523 deletions


@ -183,9 +183,6 @@ type Options struct {
// List of JWT claims to insert as x-pomerium-claim-* headers on proxied requests // List of JWT claims to insert as x-pomerium-claim-* headers on proxied requests
JWTClaimsHeaders JWTClaimHeaders `mapstructure:"jwt_claims_headers" yaml:"jwt_claims_headers,omitempty"` JWTClaimsHeaders JWTClaimHeaders `mapstructure:"jwt_claims_headers" yaml:"jwt_claims_headers,omitempty"`
// RefreshCooldown limits the rate a user can refresh her session
RefreshCooldown time.Duration `mapstructure:"refresh_cooldown" yaml:"refresh_cooldown,omitempty"`
DefaultUpstreamTimeout time.Duration `mapstructure:"default_upstream_timeout" yaml:"default_upstream_timeout,omitempty"` DefaultUpstreamTimeout time.Duration `mapstructure:"default_upstream_timeout" yaml:"default_upstream_timeout,omitempty"`
// Address/Port to bind to for prometheus metrics // Address/Port to bind to for prometheus metrics
@ -322,7 +319,6 @@ var defaultOptions = Options{
ReadTimeout: 30 * time.Second, ReadTimeout: 30 * time.Second,
WriteTimeout: 0, // support streaming by default WriteTimeout: 0, // support streaming by default
IdleTimeout: 5 * time.Minute, IdleTimeout: 5 * time.Minute,
RefreshCooldown: 5 * time.Minute,
GRPCAddr: ":443", GRPCAddr: ":443",
GRPCClientTimeout: 10 * time.Second, // Try to withstand transient service failures for a single request GRPCClientTimeout: 10 * time.Second, // Try to withstand transient service failures for a single request
GRPCClientDNSRoundRobin: true, GRPCClientDNSRoundRobin: true,
@ -1177,9 +1173,6 @@ func (o *Options) ApplySettings(ctx context.Context, settings *config.Settings)
if len(settings.JwtClaimsHeaders) > 0 { if len(settings.JwtClaimsHeaders) > 0 {
o.JWTClaimsHeaders = settings.GetJwtClaimsHeaders() o.JWTClaimsHeaders = settings.GetJwtClaimsHeaders()
} }
if settings.RefreshCooldown != nil {
o.RefreshCooldown = settings.GetRefreshCooldown().AsDuration()
}
if settings.DefaultUpstreamTimeout != nil { if settings.DefaultUpstreamTimeout != nil {
o.DefaultUpstreamTimeout = settings.GetDefaultUpstreamTimeout().AsDuration() o.DefaultUpstreamTimeout = settings.GetDefaultUpstreamTimeout().AsDuration()
} }


@ -288,7 +288,7 @@ func Test_Checksum(t *testing.T) {
func TestOptionsFromViper(t *testing.T) { func TestOptionsFromViper(t *testing.T) {
opts := []cmp.Option{ opts := []cmp.Option{
cmpopts.IgnoreFields(Options{}, "CookieSecret", "GRPCInsecure", "GRPCAddr", "DataBrokerURLString", "DataBrokerURLStrings", "AuthorizeURLString", "AuthorizeURLStrings", "DefaultUpstreamTimeout", "CookieExpire", "Services", "Addr", "RefreshCooldown", "LogLevel", "KeyFile", "CertFile", "SharedKey", "ReadTimeout", "IdleTimeout", "GRPCClientTimeout", "GRPCClientDNSRoundRobin", "TracingSampleRate", "ProgrammaticRedirectDomainWhitelist"), cmpopts.IgnoreFields(Options{}, "CookieSecret", "GRPCInsecure", "GRPCAddr", "DataBrokerURLString", "DataBrokerURLStrings", "AuthorizeURLString", "AuthorizeURLStrings", "DefaultUpstreamTimeout", "CookieExpire", "Services", "Addr", "LogLevel", "KeyFile", "CertFile", "SharedKey", "ReadTimeout", "IdleTimeout", "GRPCClientTimeout", "GRPCClientDNSRoundRobin", "TracingSampleRate", "ProgrammaticRedirectDomainWhitelist"),
cmpopts.IgnoreFields(Policy{}, "Source", "EnvoyOpts"), cmpopts.IgnoreFields(Policy{}, "Source", "EnvoyOpts"),
cmpOptIgnoreUnexported, cmpOptIgnoreUnexported,
} }


@ -226,6 +226,7 @@ func NewPolicyFromProto(pb *configpb.Route) (*Policy, error) {
UpstreamTimeout: timeout, UpstreamTimeout: timeout,
IdleTimeout: idleTimeout, IdleTimeout: idleTimeout,
AllowWebsockets: pb.GetAllowWebsockets(), AllowWebsockets: pb.GetAllowWebsockets(),
AllowSPDY: pb.GetAllowSpdy(),
TLSSkipVerify: pb.GetTlsSkipVerify(), TLSSkipVerify: pb.GetTlsSkipVerify(),
TLSServerName: pb.GetTlsServerName(), TLSServerName: pb.GetTlsServerName(),
TLSCustomCA: pb.GetTlsCustomCa(), TLSCustomCA: pb.GetTlsCustomCa(),
@ -339,6 +340,7 @@ func (p *Policy) ToProto() (*configpb.Route, error) {
Timeout: timeout, Timeout: timeout,
IdleTimeout: idleTimeout, IdleTimeout: idleTimeout,
AllowWebsockets: p.AllowWebsockets, AllowWebsockets: p.AllowWebsockets,
AllowSpdy: p.AllowSPDY,
TlsSkipVerify: p.TLSSkipVerify, TlsSkipVerify: p.TLSSkipVerify,
TlsServerName: p.TLSServerName, TlsServerName: p.TLSServerName,
TlsCustomCa: p.TLSCustomCA, TlsCustomCa: p.TLSCustomCA,
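Review bot: The new `AllowSPDY: pb.GetAllowSpdy()` / `AllowSpdy: p.AllowSPDY` pair is wired symmetrically, but none of the nine changed files in this commit is a policy test, so a later regression that drops one side of the mapping would go unnoticed; add a case to the existing proto round-trip test for `ToProto`/`NewPolicyFromProto` (if one exists) asserting that a policy with `AllowSPDY: true` survives the conversion in both directions. Both `NewPolicyFromProto` and `ToProto` begin and end outside this hunk, and the `Policy.AllowSPDY` field declaration is not visible here — presumably it already existed on the YAML side and only the proto mapping is being added.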


@ -9,9 +9,9 @@ description: >-
## Breaking ## Breaking
### Removed GRPC Server Max Connection Age Options ### Removed options
The unused `grpc_server_max_connection_age` and `grpc_server_max_connection_age_grace` options were removed. The unused `grpc_server_max_connection_age`, `grpc_server_max_connection_age_grace` and `refresh_cooldown` options were removed.
### Removed support for Ed25519 Signing Keys ### Removed support for Ed25519 Signing Keys


@ -894,16 +894,6 @@ Secure service communication can fail if the external certificate does not match
The programmatic redirect domain whitelist is used to restrict the allowed redirect URLs when using programmatic login. By default only `localhost` URLs are allowed. The programmatic redirect domain whitelist is used to restrict the allowed redirect URLs when using programmatic login. By default only `localhost` URLs are allowed.
### Refresh Cooldown
- Environmental Variable: `REFRESH_COOLDOWN`
- Config File Key: `refresh_cooldown`
- Type: [Duration](https://golang.org/pkg/time/#Duration) `string`
- Example: `10m`, `1h45m`
- Default: `5m`
Refresh cooldown is the minimum amount of time between allowed manually refreshed sessions.
### X-Forwarded-For HTTP Header ### X-Forwarded-For HTTP Header
- Environmental Variable: `SKIP_XFF_APPEND` - Environmental Variable: `SKIP_XFF_APPEND`
- Config File Key: `skip_xff_append` - Config File Key: `skip_xff_append`


@ -1004,18 +1004,6 @@ settings:
- Default: `localhost` - Default: `localhost`
doc: | doc: |
The programmatic redirect domain whitelist is used to restrict the allowed redirect URLs when using programmatic login. By default only `localhost` URLs are allowed. The programmatic redirect domain whitelist is used to restrict the allowed redirect URLs when using programmatic login. By default only `localhost` URLs are allowed.
- name: "Refresh Cooldown"
keys: ["refresh_cooldown"]
attributes: |
- Environmental Variable: `REFRESH_COOLDOWN`
- Config File Key: `refresh_cooldown`
- Type: [Duration](https://golang.org/pkg/time/#Duration) `string`
- Example: `10m`, `1h45m`
- Default: `5m`
doc: |
Refresh cooldown is the minimum amount of time between allowed manually refreshed sessions.
shortdoc: |
Refresh cooldown is the minimum amount of time between allowed manually refreshed sessions.
- name: "X-Forwarded-For HTTP Header" - name: "X-Forwarded-For HTTP Header"
keys: ["skip_xff_append"] keys: ["skip_xff_append"]
attributes: | attributes: |



@ -68,6 +68,7 @@ message Route {
google.protobuf.Duration timeout = 12; google.protobuf.Duration timeout = 12;
google.protobuf.Duration idle_timeout = 43; google.protobuf.Duration idle_timeout = 43;
bool allow_websockets = 13; bool allow_websockets = 13;
bool allow_spdy = 44;
bool tls_skip_verify = 14; bool tls_skip_verify = 14;
string tls_server_name = 15; string tls_server_name = 15;
@ -156,7 +157,6 @@ message Settings {
map<string, string> set_response_headers = 69; map<string, string> set_response_headers = 69;
// repeated string jwt_claims_headers = 37; // repeated string jwt_claims_headers = 37;
map<string, string> jwt_claims_headers = 63; map<string, string> jwt_claims_headers = 63;
optional google.protobuf.Duration refresh_cooldown = 38;
optional google.protobuf.Duration default_upstream_timeout = 39; optional google.protobuf.Duration default_upstream_timeout = 39;
optional string metrics_address = 40; optional string metrics_address = 40;
optional string metrics_basic_auth = 64; optional string metrics_basic_auth = 64;
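Review bot: Deleting `optional google.protobuf.Duration refresh_cooldown = 38;` from `Settings` without reserving it leaves tag 38 free, and a future field assigned 38 with a different type would be silently misdecoded against older peers or persisted configs that still emit the old field; add `reserved 38;` and `reserved "refresh_cooldown";` to `message Settings` where the line was removed. The file already keeps a comment for the retired `// repeated string jwt_claims_headers = 37;`, so at minimum the removed field deserves the same marker rather than vanishing. The added `bool allow_spdy = 44;` in `Route` follows on from `idle_timeout = 43` and does not collide with anything visible, though both `Route` and `Settings` begin and end outside this hunk so the full tag set cannot be checked here.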


@ -5,7 +5,6 @@ import (
"encoding/base64" "encoding/base64"
"net/url" "net/url"
"sync/atomic" "sync/atomic"
"time"
"github.com/pomerium/pomerium/config" "github.com/pomerium/pomerium/config"
"github.com/pomerium/pomerium/internal/encoding" "github.com/pomerium/pomerium/internal/encoding"
@ -29,7 +28,6 @@ type proxyState struct {
encoder encoding.MarshalUnmarshaler encoder encoding.MarshalUnmarshaler
cookieSecret []byte cookieSecret []byte
refreshCooldown time.Duration
sessionStore sessions.SessionStore sessionStore sessions.SessionStore
sessionLoaders []sessions.SessionLoader sessionLoaders []sessions.SessionLoader
jwtClaimHeaders config.JWTClaimHeaders jwtClaimHeaders config.JWTClaimHeaders
@ -65,7 +63,6 @@ func newProxyStateFromConfig(cfg *config.Config) (*proxyState, error) {
return nil, err return nil, err
} }
state.refreshCooldown = cfg.Options.RefreshCooldown
state.jwtClaimHeaders = cfg.Options.JWTClaimsHeaders state.jwtClaimHeaders = cfg.Options.JWTClaimsHeaders
// errors checked in ValidateOptions // errors checked in ValidateOptions
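Review bot: Dropping `state.refreshCooldown = cfg.Options.RefreshCooldown` removes the only place this value reached the proxy, and the upgrade note calls the option "unused", which only holds if no handler in proxy/ still throttles manual session refresh on it; the compiler will catch a leftover reference to the removed struct field, but not a refresh handler that simply lost its cooldown. If a user-triggered refresh endpoint still exists, every request to it now drives an IdP token refresh with no per-session cooldown, which is worth either confirming is intended or recording in the upgrade note as a behaviour change rather than a no-op removal. `newProxyStateFromConfig` begins and ends outside this hunk.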