From fbd8c8f294c24736d3a069e7110f625940c50935 Mon Sep 17 00:00:00 2001 From: bobby <1544881+desimone@users.noreply.github.com> Date: Mon, 24 Aug 2020 13:04:55 -0700 Subject: [PATCH] deployment: add goimports with path awareness (#1316) Plus fix some spelling Signed-off-by: Bobby DeSimone --- .golangci.yml | 7 ++++++- docs/docs/identity-providers/cognito.md | 4 ++-- docs/docs/topics/data-storage.md | 19 ++++++------------- docs/docs/topics/kubernetes-integration.md | 6 +++--- docs/docs/topics/programmatic-access.md | 8 +++----- integration/main_test.go | 3 ++- internal/middleware/middleware_test.go | 1 + internal/telemetry/metrics/http.go | 5 +++-- internal/telemetry/metrics/http_test.go | 3 ++- internal/telemetry/metrics/storage.go | 3 ++- pkg/storage/encrypted.go | 5 +++-- pkg/storage/encrypted_test.go | 5 +++-- pkg/storage/redis/redis_test.go | 3 ++- 13 files changed, 38 insertions(+), 34 deletions(-) diff --git a/.golangci.yml b/.golangci.yml index 159e03a8e..3d9ebd267 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -74,6 +74,10 @@ linters-settings: line-length: 160 # tab width in spaces. Default to 1. tab-width: 1 + goimports: + # put imports beginning with prefix after 3rd-party packages; + # it's a comma-separated list of prefixes + local-prefixes: github.com/pomerium/pomerium unused: # treat code as a program (not a library) and report unused exported identifiers; default is false. # XXX: if you enable this setting, unused will report a lot of false-positives in text editors: @@ -201,7 +205,7 @@ issues: exclude-rules: # Exclude some linters from running on test files. - - path: _test\.go$|^tests/|^samples/|templates\.go$ + - path: _test\.go$|^tests/|^integration/|^samples/|templates\.go$ linters: - errcheck - maligned @@ -209,6 +213,7 @@ issues: - gosec - bodyclose - unparam + - unused # erroneously thinks google api url is a cred - path: internal/identity/google.go text: "Potential hardcoded credentials" diff --git a/docs/docs/identity-providers/cognito.md b/docs/docs/identity-providers/cognito.md index f8a05da36..42754eb31 100644 --- a/docs/docs/identity-providers/cognito.md +++ b/docs/docs/identity-providers/cognito.md @@ -51,7 +51,7 @@ After this is done, go to **App client settings** (in the Side menu under **App ![AWS Cognito Side Menu](./img/cognito-side-menu.png) -In the setings for **Pomerium** app, put in the following details +In the settings for **Pomerium** app, put in the following details | **Field** | **Description** | | -------------------------- | -------------------------------------------------------------------------------------------- | @@ -95,7 +95,7 @@ data: idp_provider: oidc idp_provider_url: https://cognito-idp.${AWS-REGION}.amazonaws.com/${USER_POOL_ID} - idp_client_id: 304a12ktcc5djt9d7enj6dsjkg + idp_client_id: 304a12ktcc5djt9d7enj6dsjkg idp_client_secret: "1re5ukkv3dab6up5aefv7rru65lu60oblf04t6cv8u9s0itjbci7" idp_scopes: ["openid", "email", "profile"] kind: ConfigMap diff --git a/docs/docs/topics/data-storage.md b/docs/docs/topics/data-storage.md index 5aed751e2..c3c60b7b2 100644 --- a/docs/docs/topics/data-storage.md +++ b/docs/docs/topics/data-storage.md @@ -11,7 +11,7 @@ description: >- ## About #### Background -Pomerium keeps persistent state out of most components, but an identity-aware access proxy must maintain some data about every user's session. Historically, all user/session related data was stored in cookies, but this quickly became challenging. +Pomerium keeps persistent state out of most components, but an identity-aware access proxy must maintain some data about every user's session. Historically, all user/session related data was stored in cookies, but this quickly became challenging. - Cookie and header limits would impact large organizations and some IdPs - SPAs would break when session cookies expired @@ -19,7 +19,7 @@ Pomerium keeps persistent state out of most components, but an identity-aware ac - Group membership was fixed from session creation - Slow initial authentication flow to fetch user data -To address these limitations, the Pomerium `cache` service runs a number of internal services responsible for maintaining data and state. +To address these limitations, the Pomerium `cache` service runs a number of internal services responsible for maintaining data and state. #### Design @@ -27,7 +27,7 @@ Internal to the `cache` service, the `databroker` is responsible for providing a ## Persistence -At this time, most data stored by Pomerium is externally sourced and recoverable at startup (eg, group membership). The notable exception is user sessions. If the data hosted by the `databroker` is lost, users will need to log in through their IdP again at next session expiration. +At this time, most data stored by Pomerium is externally sourced and recoverable at startup (eg, group membership). The notable exception is user sessions. If the data hosted by the `databroker` is lost, users will need to log in through their IdP again at next session expiration. To prevent early session loss in production deployments, persistent storage backends are available for configuration in the `databroker`. Use of these is strongly encouraged, but smaller or non-production deployments can make use of an in-memory storage layer if external dependencies are not practical or justifiable. @@ -35,7 +35,7 @@ To prevent early session loss in production deployments, persistent storage back Configuration options for each backend are detailed in [cache configuration reference](/reference/#cache-service). -In all backends, Pomerium encrypts record values. This ensures security of all records at rest, regardless of data store capabilities. While this prevents many classes of attack vector, additional security measaures should always be taken to secure data in transit and minimize access to the backends themselves. +In all backends, Pomerium encrypts record values. This ensures security of all records at rest, regardless of data store capabilities. While this prevents many classes of attack vector, additional security measures should always be taken to secure data in transit and minimize access to the backends themselves. Please see Pomerium backend and upstream storage system documentation for best practices. @@ -52,7 +52,7 @@ easy deployment semantics but is not persistent or highly available. Running mo - Cache Service HA: `yes` - Data Store HA: `yes` - Data Persistence: `yes` - + The Redis based backend supports multiple `cache` instances and persistence across restarts. We recommend a dedicated redis instance for Pomerium to provide the strongest security and performance guarantees. #### High Availability @@ -66,7 +66,7 @@ Pomerium supports and strongly encourages [ACL](https://redis.io/topics/acl) bas ACL setuser pomerium on >[MYPASSWORD] ~* +@all -@scripting -@dangerous -@admin -@connection ``` -Pomerium supports and strongly encourages [TLS](https://redis.io/topics/encryption) support in Redis version 6. Both traditional and mutual TLS are supported. +Pomerium supports and strongly encourages [TLS](https://redis.io/topics/encryption) support in Redis version 6. Both traditional and mutual TLS are supported. Example secure configuration: @@ -80,10 +80,3 @@ databroker_storage_ca_file: /tls/ca.pem ::: tip the second `s` in `rediss` is intentional and turns on TLS support ::: - - - - - - - diff --git a/docs/docs/topics/kubernetes-integration.md b/docs/docs/topics/kubernetes-integration.md index 88e1ef6cf..4f293ff60 100644 --- a/docs/docs/topics/kubernetes-integration.md +++ b/docs/docs/topics/kubernetes-integration.md @@ -9,7 +9,7 @@ description: >- ## Background -Kubernetes supports [a variety](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#authentication-strategies) of ways to perform authentication against the API Server. While there is tremendous flexability in the core product, operators can encounter various practical challenges: +Kubernetes supports [a variety](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#authentication-strategies) of ways to perform authentication against the API Server. While there is tremendous flexibility in the core product, operators can encounter various practical challenges: - Cloud providers typically support only their native IAM implementation, which may not integrate with your IdP - OIDC providers may not provide group claims, requiring manual mappings to RBAC roles @@ -25,7 +25,7 @@ Similarly, Kubernetes supports native [audit logging](https://kubernetes.io/docs ## Solution -Pomerium can be leveraged as a proxy for user requests to the API Server. +Pomerium can be leveraged as a proxy for user requests to the API Server. - Any supported IdP can be supported for authentication, in any environment - Group membership is supported consistently @@ -60,7 +60,7 @@ kubectl config set-cluster via-pomerium --server=https://mycluster.pomerium.io # Add Context kubectl config set-context via-pomerium --user=via-pomerium --cluster=via-pomerium # Add credentials command -kubectl config set-credentials via-pomerium --exec-command=pomerium-cli \ +kubectl config set-credentials via-pomerium --exec-command=pomerium-cli \ --exec-arg=k8s,exec-credential,https://mycluster.pomerium.io ``` diff --git a/docs/docs/topics/programmatic-access.md b/docs/docs/topics/programmatic-access.md index 2194ded6d..754727691 100644 --- a/docs/docs/topics/programmatic-access.md +++ b/docs/docs/topics/programmatic-access.md @@ -25,15 +25,13 @@ https://authenticate.example.com/.pomerium/sign_in?redirect_uri=http%3A%2F%2Floc ### Callback handler -It is the script or application's responsibility to create a HTTP callback handler. Authenticated sessions are returned in the form of a [callback](https://developer.okta.com/docs/concepts/auth-overview/#what-kind-of-client-are-you-building) from pomerium to a HTTP server. This is the `redirect_uri` value used to build login API's URL, and represents the URL of a (usually local) HTTP server responsible for receiving the resulting user session in the form of `pomerium_jwt` and `pomerium_refresh_token` query parameters. +It is the script or application's responsibility to create a HTTP callback handler. Authenticated sessions are returned in the form of a [callback](https://developer.okta.com/docs/concepts/auth-overview/#what-kind-of-client-are-you-building) from pomerium to a HTTP server. This is the `redirect_uri` value used to build login API's URL, and represents the URL of a (usually local) HTTP server responsible for receiving the resulting user session in the form of `pomerium_jwt` query parameters. See the python script below for example of how to start a callback server, and store the session payload. ## Handling expiration and revocation -Your application should handle token expiration. If the session expires before work is done, the identity provider issued `refresh_token` can be used to create a new valid session. - -Also, your script or application should anticipate the possibility that a granted `refresh_token` may stop working. For example, a refresh token might stop working if the underlying user changes passwords, revokes access, or if the administrator removes rotates or deletes the OAuth Client ID. +Your script or application should anticipate the possibility that your underlying `refresh_token` may stop working. For example, a refresh token might stop working if the underlying user changes passwords, revokes access, or if the administrator removes rotates or deletes the OAuth Client ID. ## High level workflow @@ -46,7 +44,7 @@ The application interacting with Pomerium must manage the following workflow. Co 1. Pomerium's authenticate service creates a user session and redirect token, then redirects back to the managed endpoint (e.g. `httpbin.corp.domain.example`) 1. Pomerium's proxy service makes a callback request to the original `redirect_uri` with the user session and as an argument. 1. The script or application is responsible for handling that http callback request, and securely handling the callback session (`pomerium_jwt`) queryparam. -1. The script or application can now make any requests as normal to the upstrream application by setting the `Authorization: Pomerium ${pomerium_jwt}` header. +1. The script or application can now make any requests as normal to the upstream application by setting the `Authorization: Pomerium ${pomerium_jwt}` header. ## Example Code diff --git a/integration/main_test.go b/integration/main_test.go index 212a424f2..4502641e8 100644 --- a/integration/main_test.go +++ b/integration/main_test.go @@ -10,9 +10,10 @@ import ( "time" "github.com/onsi/gocleanup" - "github.com/pomerium/pomerium/integration/internal/cluster" "github.com/rs/zerolog" "github.com/rs/zerolog/log" + + "github.com/pomerium/pomerium/integration/internal/cluster" ) var ( diff --git a/internal/middleware/middleware_test.go b/internal/middleware/middleware_test.go index f3d00a4af..4a158be2c 100644 --- a/internal/middleware/middleware_test.go +++ b/internal/middleware/middleware_test.go @@ -9,6 +9,7 @@ import ( "time" "github.com/google/go-cmp/cmp" + "github.com/pomerium/pomerium/internal/urlutil" ) diff --git a/internal/telemetry/metrics/http.go b/internal/telemetry/metrics/http.go index 58d0a935c..a553eecf2 100644 --- a/internal/telemetry/metrics/http.go +++ b/internal/telemetry/metrics/http.go @@ -4,11 +4,12 @@ import ( "fmt" "net/http" - "github.com/pomerium/pomerium/internal/log" - "github.com/pomerium/pomerium/internal/tripper" "go.opencensus.io/plugin/ochttp" "go.opencensus.io/stats/view" "go.opencensus.io/tag" + + "github.com/pomerium/pomerium/internal/log" + "github.com/pomerium/pomerium/internal/tripper" ) // HTTP Views diff --git a/internal/telemetry/metrics/http_test.go b/internal/telemetry/metrics/http_test.go index 56b407500..3f23c88d8 100644 --- a/internal/telemetry/metrics/http_test.go +++ b/internal/telemetry/metrics/http_test.go @@ -10,8 +10,9 @@ import ( "strings" "testing" - "github.com/pomerium/pomerium/internal/tripper" "go.opencensus.io/stats/view" + + "github.com/pomerium/pomerium/internal/tripper" ) func testDataRetrieval(v *view.View, t *testing.T, want string) { diff --git a/internal/telemetry/metrics/storage.go b/internal/telemetry/metrics/storage.go index 1e21d0739..af571cd6d 100644 --- a/internal/telemetry/metrics/storage.go +++ b/internal/telemetry/metrics/storage.go @@ -4,10 +4,11 @@ import ( "context" "time" - "github.com/pomerium/pomerium/internal/log" "go.opencensus.io/stats" "go.opencensus.io/stats/view" "go.opencensus.io/tag" + + "github.com/pomerium/pomerium/internal/log" ) var ( diff --git a/pkg/storage/encrypted.go b/pkg/storage/encrypted.go index e964f7f3f..fd76af60e 100644 --- a/pkg/storage/encrypted.go +++ b/pkg/storage/encrypted.go @@ -4,11 +4,12 @@ import ( "context" "crypto/cipher" - "github.com/pomerium/pomerium/pkg/cryptutil" - "github.com/pomerium/pomerium/pkg/grpc/databroker" "google.golang.org/protobuf/proto" "google.golang.org/protobuf/types/known/anypb" "google.golang.org/protobuf/types/known/wrapperspb" + + "github.com/pomerium/pomerium/pkg/cryptutil" + "github.com/pomerium/pomerium/pkg/grpc/databroker" ) type encryptedBackend struct { diff --git a/pkg/storage/encrypted_test.go b/pkg/storage/encrypted_test.go index 5f7f6e51f..cd0feb7e8 100644 --- a/pkg/storage/encrypted_test.go +++ b/pkg/storage/encrypted_test.go @@ -5,11 +5,12 @@ import ( "errors" "testing" - "github.com/pomerium/pomerium/pkg/cryptutil" - "github.com/pomerium/pomerium/pkg/grpc/databroker" "github.com/stretchr/testify/assert" "google.golang.org/protobuf/types/known/anypb" "google.golang.org/protobuf/types/known/wrapperspb" + + "github.com/pomerium/pomerium/pkg/cryptutil" + "github.com/pomerium/pomerium/pkg/grpc/databroker" ) func TestEncryptedBackend(t *testing.T) { diff --git a/pkg/storage/redis/redis_test.go b/pkg/storage/redis/redis_test.go index ff331c9e5..0d0925c87 100644 --- a/pkg/storage/redis/redis_test.go +++ b/pkg/storage/redis/redis_test.go @@ -14,10 +14,11 @@ import ( "github.com/gomodule/redigo/redis" "github.com/ory/dockertest/v3" - "github.com/pomerium/pomerium/pkg/cryptutil" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "google.golang.org/protobuf/types/known/anypb" + + "github.com/pomerium/pomerium/pkg/cryptutil" ) var db *DB