3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-04-28 18:06:34 +02:00
Code Issues Projects Releases Packages Wiki Activity

deployment: add goimports with path awareness (#1316)

Browse source 
Plus fix some spelling

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
This commit is contained in:
bobby 2020-08-24 13:04:55 -07:00 committed by GitHub
parent ffaceadfdd
commit fbd8c8f294
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
13 changed files with 38 additions and 34 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
.golangci.yml
View file

@ -74,6 +74,10 @@ linters-settings:
line-length: 160
# tab width in spaces. Default to 1.
tab-width: 1
goimports:
# put imports beginning with prefix after 3rd-party packages;
# it's a comma-separated list of prefixes
local-prefixes: github.com/pomerium/pomerium
unused:
# treat code as a program (not a library) and report unused exported identifiers; default is false.
# XXX: if you enable this setting, unused will report a lot of false-positives in text editors:
@ -201,7 +205,7 @@ issues:
exclude-rules:
# Exclude some linters from running on test files.
- path: _test\.go$|^tests/|^samples/|templates\.go$
- path: _test\.go$|^tests/|^integration/|^samples/|templates\.go$
linters:
- errcheck
- maligned
@ -209,6 +213,7 @@ issues:
- gosec
- bodyclose
- unparam
- unused
# erroneously thinks google api url is a cred
- path: internal/identity/google.go
text: "Potential hardcoded credentials"

4
docs/docs/identity-providers/cognito.md
View file

@ -51,7 +51,7 @@ After this is done, go to **App client settings** (in the Side menu under **App
![AWS Cognito Side Menu](./img/cognito-side-menu.png)
In the setings for **Pomerium** app, put in the following details
In the settings for **Pomerium** app, put in the following details
| **Field** | **Description** |
| -------------------------- | -------------------------------------------------------------------------------------------- |
@ -95,7 +95,7 @@ data:
idp_provider: oidc
idp_provider_url: https://cognito-idp.${AWS-REGION}.amazonaws.com/${USER_POOL_ID}
idp_client_id: 304a12ktcc5djt9d7enj6dsjkg
idp_client_id: 304a12ktcc5djt9d7enj6dsjkg
idp_client_secret: "1re5ukkv3dab6up5aefv7rru65lu60oblf04t6cv8u9s0itjbci7"
idp_scopes: ["openid", "email", "profile"]
kind: ConfigMap

19
docs/docs/topics/data-storage.md
View file

@ -11,7 +11,7 @@ description: >-
## About
#### Background
Pomerium keeps persistent state out of most components, but an identity-aware access proxy must maintain some data about every user's session. Historically, all user/session related data was stored in cookies, but this quickly became challenging.
Pomerium keeps persistent state out of most components, but an identity-aware access proxy must maintain some data about every user's session. Historically, all user/session related data was stored in cookies, but this quickly became challenging.
- Cookie and header limits would impact large organizations and some IdPs
- SPAs would break when session cookies expired
@ -19,7 +19,7 @@ Pomerium keeps persistent state out of most components, but an identity-aware ac
- Group membership was fixed from session creation
- Slow initial authentication flow to fetch user data
To address these limitations, the Pomerium `cache` service runs a number of internal services responsible for maintaining data and state.
To address these limitations, the Pomerium `cache` service runs a number of internal services responsible for maintaining data and state.
#### Design
@ -27,7 +27,7 @@ Internal to the `cache` service, the `databroker` is responsible for providing a
## Persistence
At this time, most data stored by Pomerium is externally sourced and recoverable at startup (eg, group membership). The notable exception is user sessions. If the data hosted by the `databroker` is lost, users will need to log in through their IdP again at next session expiration.
At this time, most data stored by Pomerium is externally sourced and recoverable at startup (eg, group membership). The notable exception is user sessions. If the data hosted by the `databroker` is lost, users will need to log in through their IdP again at next session expiration.
To prevent early session loss in production deployments, persistent storage backends are available for configuration in the `databroker`. Use of these is strongly encouraged, but smaller or non-production deployments can make use of an in-memory storage layer if external dependencies are not practical or justifiable.
@ -35,7 +35,7 @@ To prevent early session loss in production deployments, persistent storage back
Configuration options for each backend are detailed in [cache configuration reference](/reference/#cache-service).
In all backends, Pomerium encrypts record values. This ensures security of all records at rest, regardless of data store capabilities. While this prevents many classes of attack vector, additional security measaures should always be taken to secure data in transit and minimize access to the backends themselves.
In all backends, Pomerium encrypts record values. This ensures security of all records at rest, regardless of data store capabilities. While this prevents many classes of attack vector, additional security measures should always be taken to secure data in transit and minimize access to the backends themselves.
Please see Pomerium backend and upstream storage system documentation for best practices.
@ -52,7 +52,7 @@ easy deployment semantics but is not persistent or highly available. Running mo
- Cache Service HA: `yes`
- Data Store HA: `yes`
- Data Persistence: `yes`
The Redis based backend supports multiple `cache` instances and persistence across restarts. We recommend a dedicated redis instance for Pomerium to provide the strongest security and performance guarantees.
#### High Availability
@ -66,7 +66,7 @@ Pomerium supports and strongly encourages [ACL](https://redis.io/topics/acl) bas
ACL setuser pomerium on >[MYPASSWORD] ~* +@all -@scripting -@dangerous -@admin -@connection
```
Pomerium supports and strongly encourages [TLS](https://redis.io/topics/encryption) support in Redis version 6. Both traditional and mutual TLS are supported.
Pomerium supports and strongly encourages [TLS](https://redis.io/topics/encryption) support in Redis version 6. Both traditional and mutual TLS are supported.
Example secure configuration:
@ -80,10 +80,3 @@ databroker_storage_ca_file: /tls/ca.pem
::: tip
the second `s` in `rediss` is intentional and turns on TLS support
:::

6
docs/docs/topics/kubernetes-integration.md
View file

@ -9,7 +9,7 @@ description: >-
## Background
Kubernetes supports [a variety](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#authentication-strategies) of ways to perform authentication against the API Server. While there is tremendous flexability in the core product, operators can encounter various practical challenges:
Kubernetes supports [a variety](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#authentication-strategies) of ways to perform authentication against the API Server. While there is tremendous flexibility in the core product, operators can encounter various practical challenges:
- Cloud providers typically support only their native IAM implementation, which may not integrate with your IdP
- OIDC providers may not provide group claims, requiring manual mappings to RBAC roles
@ -25,7 +25,7 @@ Similarly, Kubernetes supports native [audit logging](https://kubernetes.io/docs
## Solution
Pomerium can be leveraged as a proxy for user requests to the API Server.
Pomerium can be leveraged as a proxy for user requests to the API Server.
- Any supported IdP can be supported for authentication, in any environment
- Group membership is supported consistently
@ -60,7 +60,7 @@ kubectl config set-cluster via-pomerium --server=https://mycluster.pomerium.io
# Add Context
kubectl config set-context via-pomerium --user=via-pomerium --cluster=via-pomerium
# Add credentials command
kubectl config set-credentials via-pomerium --exec-command=pomerium-cli \
kubectl config set-credentials via-pomerium --exec-command=pomerium-cli \
--exec-arg=k8s,exec-credential,https://mycluster.pomerium.io
```

8
docs/docs/topics/programmatic-access.md
View file

@ -25,15 +25,13 @@ https://authenticate.example.com/.pomerium/sign_in?redirect_uri=http%3A%2F%2Floc
### Callback handler
It is the script or application's responsibility to create a HTTP callback handler. Authenticated sessions are returned in the form of a [callback](https://developer.okta.com/docs/concepts/auth-overview/#what-kind-of-client-are-you-building) from pomerium to a HTTP server. This is the `redirect_uri` value used to build login API's URL, and represents the URL of a (usually local) HTTP server responsible for receiving the resulting user session in the form of `pomerium_jwt` and `pomerium_refresh_token` query parameters.
It is the script or application's responsibility to create a HTTP callback handler. Authenticated sessions are returned in the form of a [callback](https://developer.okta.com/docs/concepts/auth-overview/#what-kind-of-client-are-you-building) from pomerium to a HTTP server. This is the `redirect_uri` value used to build login API's URL, and represents the URL of a (usually local) HTTP server responsible for receiving the resulting user session in the form of `pomerium_jwt` query parameters.
See the python script below for example of how to start a callback server, and store the session payload.
## Handling expiration and revocation
Your application should handle token expiration. If the session expires before work is done, the identity provider issued `refresh_token` can be used to create a new valid session.
Also, your script or application should anticipate the possibility that a granted `refresh_token` may stop working. For example, a refresh token might stop working if the underlying user changes passwords, revokes access, or if the administrator removes rotates or deletes the OAuth Client ID.
Your script or application should anticipate the possibility that your underlying `refresh_token` may stop working. For example, a refresh token might stop working if the underlying user changes passwords, revokes access, or if the administrator removes rotates or deletes the OAuth Client ID.
## High level workflow
@ -46,7 +44,7 @@ The application interacting with Pomerium must manage the following workflow. Co
1. Pomerium's authenticate service creates a user session and redirect token, then redirects back to the managed endpoint (e.g. `httpbin.corp.domain.example`)
1. Pomerium's proxy service makes a callback request to the original `redirect_uri` with the user session and as an argument.
1. The script or application is responsible for handling that http callback request, and securely handling the callback session (`pomerium_jwt`) queryparam.
1. The script or application can now make any requests as normal to the upstrream application by setting the `Authorization: Pomerium ${pomerium_jwt}` header.
1. The script or application can now make any requests as normal to the upstream application by setting the `Authorization: Pomerium ${pomerium_jwt}` header.
## Example Code

3
integration/main_test.go
View file

@ -10,9 +10,10 @@ import (
"time"
"github.com/onsi/gocleanup"
"github.com/pomerium/pomerium/integration/internal/cluster"
"github.com/rs/zerolog"
"github.com/rs/zerolog/log"
"github.com/pomerium/pomerium/integration/internal/cluster"
)
var (

1
internal/middleware/middleware_test.go
View file

@ -9,6 +9,7 @@ import (
"time"
"github.com/google/go-cmp/cmp"
"github.com/pomerium/pomerium/internal/urlutil"
)

5
internal/telemetry/metrics/http.go
View file

@ -4,11 +4,12 @@ import (
"fmt"
"net/http"
"github.com/pomerium/pomerium/internal/log"
"github.com/pomerium/pomerium/internal/tripper"
"go.opencensus.io/plugin/ochttp"
"go.opencensus.io/stats/view"
"go.opencensus.io/tag"
"github.com/pomerium/pomerium/internal/log"
"github.com/pomerium/pomerium/internal/tripper"
)
// HTTP Views

3
internal/telemetry/metrics/http_test.go
View file

@ -10,8 +10,9 @@ import (
"strings"
"testing"
"github.com/pomerium/pomerium/internal/tripper"
"go.opencensus.io/stats/view"
"github.com/pomerium/pomerium/internal/tripper"
)
func testDataRetrieval(v *view.View, t *testing.T, want string) {

3
internal/telemetry/metrics/storage.go
View file

@ -4,10 +4,11 @@ import (
"context"
"time"
"github.com/pomerium/pomerium/internal/log"
"go.opencensus.io/stats"
"go.opencensus.io/stats/view"
"go.opencensus.io/tag"
"github.com/pomerium/pomerium/internal/log"
)
var (

5
pkg/storage/encrypted.go
View file

@ -4,11 +4,12 @@ import (
"context"
"crypto/cipher"
"github.com/pomerium/pomerium/pkg/cryptutil"
"github.com/pomerium/pomerium/pkg/grpc/databroker"
"google.golang.org/protobuf/proto"
"google.golang.org/protobuf/types/known/anypb"
"google.golang.org/protobuf/types/known/wrapperspb"
"github.com/pomerium/pomerium/pkg/cryptutil"
"github.com/pomerium/pomerium/pkg/grpc/databroker"
)
type encryptedBackend struct {

5
pkg/storage/encrypted_test.go
View file

@ -5,11 +5,12 @@ import (
"errors"
"testing"
"github.com/pomerium/pomerium/pkg/cryptutil"
"github.com/pomerium/pomerium/pkg/grpc/databroker"
"github.com/stretchr/testify/assert"
"google.golang.org/protobuf/types/known/anypb"
"google.golang.org/protobuf/types/known/wrapperspb"
"github.com/pomerium/pomerium/pkg/cryptutil"
"github.com/pomerium/pomerium/pkg/grpc/databroker"
)
func TestEncryptedBackend(t *testing.T) {

3
pkg/storage/redis/redis_test.go
View file

@ -14,10 +14,11 @@ import (
"github.com/gomodule/redigo/redis"
"github.com/ory/dockertest/v3"
"github.com/pomerium/pomerium/pkg/cryptutil"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"google.golang.org/protobuf/types/known/anypb"
"github.com/pomerium/pomerium/pkg/cryptutil"
)
var db *DB