options: remove refresh_cooldown, add allow_spdy to proto (#2446)

2025-04-29 18:36:30 +02:00 · 2021-08-06 10:06:57 -06:00 · 2021-08-06 10:06:57 -06:00 · 63ee30d69c
commit 63ee30d69c
parent 1931f11649
9 changed files with 487 additions and 523 deletions
--- a/config/options.go
+++ b/config/options.go
@ -183,9 +183,6 @@ type Options struct {
 	// List of JWT claims to insert as x-pomerium-claim-* headers on proxied requests
 	JWTClaimsHeaders JWTClaimHeaders `mapstructure:"jwt_claims_headers" yaml:"jwt_claims_headers,omitempty"`

-	// RefreshCooldown limits the rate a user can refresh her session
-	RefreshCooldown time.Duration `mapstructure:"refresh_cooldown" yaml:"refresh_cooldown,omitempty"`
-
 	DefaultUpstreamTimeout time.Duration `mapstructure:"default_upstream_timeout" yaml:"default_upstream_timeout,omitempty"`

 	// Address/Port to bind to for prometheus metrics
@ -322,7 +319,6 @@ var defaultOptions = Options{
 	ReadTimeout:              30 * time.Second,
 	WriteTimeout:             0, // support streaming by default
 	IdleTimeout:              5 * time.Minute,
-	RefreshCooldown:          5 * time.Minute,
 	GRPCAddr:                 ":443",
 	GRPCClientTimeout:        10 * time.Second, // Try to withstand transient service failures for a single request
 	GRPCClientDNSRoundRobin:  true,
@ -1177,9 +1173,6 @@ func (o *Options) ApplySettings(ctx context.Context, settings *config.Settings)
 	if len(settings.JwtClaimsHeaders) > 0 {
 		o.JWTClaimsHeaders = settings.GetJwtClaimsHeaders()
 	}
-	if settings.RefreshCooldown != nil {
-		o.RefreshCooldown = settings.GetRefreshCooldown().AsDuration()
-	}
 	if settings.DefaultUpstreamTimeout != nil {
 		o.DefaultUpstreamTimeout = settings.GetDefaultUpstreamTimeout().AsDuration()
 	}
--- a/config/options_test.go
+++ b/config/options_test.go
@ -288,7 +288,7 @@ func Test_Checksum(t *testing.T) {

 func TestOptionsFromViper(t *testing.T) {
 	opts := []cmp.Option{
-		cmpopts.IgnoreFields(Options{}, "CookieSecret", "GRPCInsecure", "GRPCAddr", "DataBrokerURLString", "DataBrokerURLStrings", "AuthorizeURLString", "AuthorizeURLStrings", "DefaultUpstreamTimeout", "CookieExpire", "Services", "Addr", "RefreshCooldown", "LogLevel", "KeyFile", "CertFile", "SharedKey", "ReadTimeout", "IdleTimeout", "GRPCClientTimeout", "GRPCClientDNSRoundRobin", "TracingSampleRate", "ProgrammaticRedirectDomainWhitelist"),
+		cmpopts.IgnoreFields(Options{}, "CookieSecret", "GRPCInsecure", "GRPCAddr", "DataBrokerURLString", "DataBrokerURLStrings", "AuthorizeURLString", "AuthorizeURLStrings", "DefaultUpstreamTimeout", "CookieExpire", "Services", "Addr", "LogLevel", "KeyFile", "CertFile", "SharedKey", "ReadTimeout", "IdleTimeout", "GRPCClientTimeout", "GRPCClientDNSRoundRobin", "TracingSampleRate", "ProgrammaticRedirectDomainWhitelist"),
 		cmpopts.IgnoreFields(Policy{}, "Source", "EnvoyOpts"),
 		cmpOptIgnoreUnexported,
 	}
--- a/config/policy.go
+++ b/config/policy.go
@ -226,6 +226,7 @@ func NewPolicyFromProto(pb *configpb.Route) (*Policy, error) {
 		UpstreamTimeout:                  timeout,
 		IdleTimeout:                      idleTimeout,
 		AllowWebsockets:                  pb.GetAllowWebsockets(),
+		AllowSPDY:                        pb.GetAllowSpdy(),
 		TLSSkipVerify:                    pb.GetTlsSkipVerify(),
 		TLSServerName:                    pb.GetTlsServerName(),
 		TLSCustomCA:                      pb.GetTlsCustomCa(),
@ -339,6 +340,7 @@ func (p *Policy) ToProto() (*configpb.Route, error) {
 		Timeout:                          timeout,
 		IdleTimeout:                      idleTimeout,
 		AllowWebsockets:                  p.AllowWebsockets,
+		AllowSpdy:                        p.AllowSPDY,
 		TlsSkipVerify:                    p.TLSSkipVerify,
 		TlsServerName:                    p.TLSServerName,
 		TlsCustomCa:                      p.TLSCustomCA,
--- a/docs/docs/upgrading.md
+++ b/docs/docs/upgrading.md
@ -9,9 +9,9 @@ description: >-

 ## Breaking

-### Removed GRPC Server Max Connection Age Options
+### Removed options

-The unused `grpc_server_max_connection_age` and `grpc_server_max_connection_age_grace` options were removed.
+The unused `grpc_server_max_connection_age`, `grpc_server_max_connection_age_grace` and `refresh_cooldown` options were removed.

 ### Removed support for Ed25519 Signing Keys

--- a/docs/reference/readme.md
+++ b/docs/reference/readme.md
@ -894,16 +894,6 @@ Secure service communication can fail if the external certificate does not match
 The programmatic redirect domain whitelist is used to restrict the allowed redirect URLs when using programmatic login. By default only `localhost` URLs are allowed.


-### Refresh Cooldown
- Environmental Variable: `REFRESH_COOLDOWN`
- Config File Key: `refresh_cooldown`
- Type: [Duration](https://golang.org/pkg/time/#Duration) `string`
- Example: `10m`, `1h45m`
- Default: `5m`
-
-Refresh cooldown is the minimum amount of time between allowed manually refreshed sessions.
-
-
 ### X-Forwarded-For HTTP Header
 - Environmental Variable: `SKIP_XFF_APPEND`
 - Config File Key: `skip_xff_append`
--- a/docs/reference/settings.yaml
+++ b/docs/reference/settings.yaml
@ -1004,18 +1004,6 @@ settings:
          - Default: `localhost`
        doc: |
          The programmatic redirect domain whitelist is used to restrict the allowed redirect URLs when using programmatic login. By default only `localhost` URLs are allowed.
-      - name: "Refresh Cooldown"
-        keys: ["refresh_cooldown"]
-        attributes: |
-          - Environmental Variable: `REFRESH_COOLDOWN`
-          - Config File Key: `refresh_cooldown`
-          - Type: [Duration](https://golang.org/pkg/time/#Duration) `string`
-          - Example: `10m`, `1h45m`
-          - Default: `5m`
-        doc: |
-          Refresh cooldown is the minimum amount of time between allowed manually refreshed sessions.
-        shortdoc: |
-          Refresh cooldown is the minimum amount of time between allowed manually refreshed sessions.
      - name: "X-Forwarded-For HTTP Header"
        keys: ["skip_xff_append"]
        attributes: |
--- a/pkg/grpc/config/config.pb.go
+++ b/pkg/grpc/config/config.pb.go
--- a/pkg/grpc/config/config.proto
+++ b/pkg/grpc/config/config.proto
@ -68,6 +68,7 @@ message Route {
  google.protobuf.Duration timeout = 12;
  google.protobuf.Duration idle_timeout = 43;
  bool allow_websockets = 13;
+  bool allow_spdy = 44;

  bool tls_skip_verify = 14;
  string tls_server_name = 15;
@ -156,7 +157,6 @@ message Settings {
  map<string, string> set_response_headers = 69;
  // repeated string jwt_claims_headers = 37;
  map<string, string> jwt_claims_headers = 63;
-  optional google.protobuf.Duration refresh_cooldown = 38;
  optional google.protobuf.Duration default_upstream_timeout = 39;
  optional string metrics_address = 40;
  optional string metrics_basic_auth = 64;
--- a/proxy/state.go
+++ b/proxy/state.go
@ -5,7 +5,6 @@ import (
 	"encoding/base64"
 	"net/url"
 	"sync/atomic"
-	"time"

 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/encoding"
@ -29,7 +28,6 @@ type proxyState struct {

 	encoder         encoding.MarshalUnmarshaler
 	cookieSecret    []byte
-	refreshCooldown time.Duration
 	sessionStore    sessions.SessionStore
 	sessionLoaders  []sessions.SessionLoader
 	jwtClaimHeaders config.JWTClaimHeaders
@ -65,7 +63,6 @@ func newProxyStateFromConfig(cfg *config.Config) (*proxyState, error) {
 		return nil, err
 	}

-	state.refreshCooldown = cfg.Options.RefreshCooldown
 	state.jwtClaimHeaders = cfg.Options.JWTClaimsHeaders

 	// errors checked in ValidateOptions