3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-07-11 22:08:14 +02:00
Code Issues Projects Releases Packages Wiki Activity
3725 commits 169 branches 129 tags 110 MiB
Commit graph

134 commits

Author SHA1 Message Date
Joe Kralicky
a96ab2fe93
move internal/telemetry/trace => pkg/telemetry/trace () 2025-03-25 10:43:04 -04:00
Caleb Doxsey
bc263e3ee5
proxy: use querier cache for user info () 2025-03-20 09:50:22 -06:00
Caleb Doxsey
7896ccda5c
support loading idp token sessions in the proxy service () 2025-02-24 11:09:51 -07:00
Caleb Doxsey
3c5c7fbd31
proxy: add logo discovery () 
* proxy: add logo discovery

* use a static url for testing
 2025-01-29 12:57:26 -07:00
Joe Kralicky
396c35b6b4
New tracing system () 
* update tracing config definitions

* new tracing system

* performance improvements

* only configure tracing in envoy if it is enabled in pomerium

* [tracing] refactor to use custom extension for trace id editing ()

refactor to use custom extension for trace id editing

* set default tracing sample rate to 1.0

* fix proxy service http middleware

* improve some existing auth related traces

* test fixes

* bump envoyproxy/go-control-plane

* code cleanup

* test fixes

* Fix missing spans for well-known endpoints

* import extension apis from pomerium/envoy-custom
 2025-01-21 13:26:32 -05:00
Joe Kralicky
fe31799eb5
Fix many instances of contexts and loggers not being propagated () 
This also replaces instances where we manually write "return ctx.Err()"
with "return context.Cause(ctx)" which is functionally identical, but
will also correctly propagate cause errors if present.
 2024-10-25 14:50:56 -04:00
Caleb Doxsey
d2c14cd6d2
logging: remove ctx from global log methods () 
* log: remove warn

* log: update debug

* log: update info

* remove level, log

* remove contextLogger function
 2024-10-23 14:18:52 -06:00
Caleb Doxsey
52d4899d4c
core/proxy: support loading sessions from headers and query string () 
* core/proxy: support loading sessions from headers and query string

* update test
 2024-09-19 09:23:13 -06:00
Caleb Doxsey
dad954ae16
core/logging: change log.Error function () 
* core/logging: change log.Error function

* use request id
 2024-09-05 15:42:46 -06:00
Kenneth Jenkins
014824b525
proxy: deprecate the /.pomerium/jwt endpoint () 
Disable the /.pomerium/jwt endpoint by default. Add a runtime flag to
temporarily opt out of the deprecation.
 2024-09-04 11:22:18 -07:00
Caleb Doxsey
d062f9d68d
core/logs: remove warnings () 
* core/logs: remove warnings

* switch to error
 2024-08-27 09:38:50 -06:00
Joe Kralicky
56ba07e53e
Optimize policy iterators () 
* Optimize policy iterators (go1.23)

This modifies (*Options).GetAllPolicies() to use a go 1.23 iterator
instead of copying all policies on every call, which can be extremely
expensive. All existing usages of this function were updated as
necessary.

Additionally, a new (*Options).NumPolicies() method was added which
quickly computes the number of policies that would be given by
GetAllPolicies(), since there were several usages where only the
number of policies was needed.

* Fix race condition when assigning default envoy opts to a policy
 2024-08-20 12:35:10 -04:00
Caleb Doxsey
1a5b8b606f
core/lint: upgrade golangci-lint, replace interface{} with any () 
* core/lint: upgrade golangci-lint, replace interface{} with any

* regen proto
 2024-05-02 14:33:52 -06:00
Caleb Doxsey
55eb2fa3dc
core/authorize: result denied improvements () 
* core/authorize: result denied improvements

* add authenticate robots.txt

* fix tests
 2024-02-01 16:16:33 -07:00
Caleb Doxsey
bbed421cd8
config: remove source, remove deadcode, fix linting issues () 
* remove source, remove deadcode, fix linting issues

* use github action for lint

* fix missing envoy
 2023-04-21 17:25:11 -06:00
Caleb Doxsey
fa26587f19
remove forward auth () 2022-11-23 15:59:28 -07:00
Caleb Doxsey
c1a522cd82
proxy: add userinfo and webauthn endpoints () 
* proxy: add userinfo and webauthn endpoints

* use TLD for RP id

* use EffectiveTLDPlusOne

* upgrade webauthn

* fix test

* Update internal/handlers/jwks.go

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
 2022-11-22 10:26:35 -07:00
Caleb Doxsey
0ac7e45a21
atomicutil: use atomicutil.Value wherever possible () 
* atomicutil: use atomicutil.Value wherever possible

* fix test

* fix mux router
 2022-07-28 15:38:38 -06:00
Caleb Doxsey
86625a4ddb
config: support files for shared_secret, client_secret, cookie_secret and signing_key () 2022-06-29 10:44:08 -06:00
Caleb Doxsey
fd82cc7870
authenticate: allow changing the authenticate service URL at runtime () 
* config: better change detection

* wip

* fix middleware

* add middleware before handlers

* use ctx
 2022-05-31 13:24:40 -06:00
Caleb Doxsey
2824faecbf
frontend: react+mui () 
* mui v5 wip

* wip

* wip

* wip

* use compressor for all controlplane endpoints

* wip

* wip

* add deps

* fix authenticate URL

* fix test

* fix test

* fix build

* maybe fix build

* fix integration test

* remove image asset test

* add yarn.lock
 2022-02-07 08:47:58 -07:00
Caleb Doxsey
5a858f5d48
config: add internal service URLs () 
* config: add internal service URLs

* maybe fix integration tests

* add docs

* fix integration tests

* for databroker connect to external name, but listen on internal name

* Update docs/reference/readme.md

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* Update docs/reference/readme.md

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* Update docs/reference/readme.md

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* Update docs/reference/settings.yaml

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* Update docs/reference/settings.yaml

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* Update docs/reference/settings.yaml

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>
 2021-12-10 14:04:37 -05:00
Caleb Doxsey
b1d62bb541
config: remove validate side effects () 
* config: default shared key

* handle additional errors

* update grpc addr and grpc insecure

* update google cloud service authentication service account

* fix set response headers

* fix qps

* fix test
 2021-04-22 15:10:50 -06:00
wasaga
e0c09a0998
log context () 2021-04-22 10:58:13 -04:00
Caleb Doxsey
3690a32855
config: use getters for authenticate, signout and forward auth urls () 2021-03-19 14:49:25 -06:00
Caleb Doxsey
f396c2a0f7
config: log config source changes () 
* config: log config source changes

* use internal log import
 2021-03-03 09:54:08 -07:00
Caleb Doxsey
4f2bb60adb
proxy: redirect to dashboard for logout () 2021-02-24 11:52:38 -07:00
Caleb Doxsey
84e8f6cc05
config: fix databroker policies () 2021-01-25 17:18:50 -07:00
bobby
9b39deabd8
forward-auth: use envoy's ext_authz check () 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-10-04 20:01:06 -07:00
Caleb Doxsey
d9a224a5e8
proxy: move properties to atomically updated state () 
* authenticate: remove cookie options

* authenticate: remove shared key field

* authenticate: remove shared cipher property

* authenticate: move properties to separate state struct

* proxy: allow local state to be updated on configuration changes

* fix test

* return new connection

* use warn, collapse to single line

* address concerns, fix tests
 2020-08-14 11:44:58 -06:00
Caleb Doxsey
fbf5b403b9
config: allow dynamic configuration of cookie settings () 2020-08-13 08:11:34 -06:00
Cuong Manh Le
73abed0d21
all: update outdated comments about OptionsUpdater interface () 
In , OptionsUpdater was removed, but current code still mention it.
This commit updates all comments which still mention about that
interface (authorize is exlcuded, and will be updated in ).
 2020-08-05 21:39:24 +07:00
Travis Groth
f538b29a0c
proxy: refactor handler setup code () 2020-08-05 12:48:44 +07:00
Travis Groth
202b42f307
proxy: avoid second policy validation () 2020-08-04 15:42:32 -04:00
Caleb Doxsey
fae02791f5
cryptutil: move to pkg dir, add token generator () 
* cryptutil: move to pkg dir, add token generator

* add gitignored files

* add tests
 2020-06-30 15:55:33 -06:00
Caleb Doxsey
091b71f12e
grpc: rename internal/grpc to pkg/grpc () 
* grpc: rename internal/grpc to pkg/grpc

* don't ignore pkg dir

* remove debug line
 2020-06-26 09:17:02 -06:00
Travis Groth
88a77c42bb
cache: add client telemetry () 2020-06-22 18:18:44 -04:00
Caleb Doxsey
dbd7f55b20
feature/databroker: user data and session refactor project () 
* databroker: add databroker, identity manager, update cache ()

* databroker: add databroker, identity manager, update cache

* fix cache tests

* directory service ()

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* authorize: use databroker data for rego policy ()

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service ()

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix gitlab test

* use v4 backoff

* authenticate: databroker changes ()

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service ()

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix dashboard

* delete session on logout

* permanently delete sessions once they are marked as deleted

* remove permanent delete

* fix tests

* remove groups and refresh test

* databroker: remove dead code, rename cache url, move dashboard ()

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service ()

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix dashboard

* delete session on logout

* permanently delete sessions once they are marked as deleted

* remove permanent delete

* fix tests

* remove cache service

* remove kv

* remove refresh docs

* remove obsolete cache docs

* add databroker url option

* cache: use memberlist to detect multiple instances

* add databroker service url

* remove cache service

* remove kv

* remove refresh docs

* remove obsolete cache docs

* add databroker url option

* cache: use memberlist to detect multiple instances

* add databroker service url

* wip

* remove groups and refresh test

* fix redirect, signout

* remove databroker client from proxy

* remove unused method

* remove user dashboard test

* handle missing session ids

* session: reject sessions with no id

* sessions: invalidate old sessions via databroker server version ()

* session: add a version field tied to the databroker server version that can be used to invalidate sessions

* fix tests

* add log

* authenticate: create user record immediately, call "get" directly in authorize ()
 2020-06-19 07:52:44 -06:00
Travis Groth
6761cc7a14
telemetry: service label updates () 2020-05-29 15:16:22 -04:00
Caleb Doxsey
f770ccfedd
config: add getters for URLs to avoid nils () 
* config: add getters for URLs to avoid nils

* allow nil url for cache grpc client connection in authenticate
 2020-05-26 11:36:18 -06:00
Caleb Doxsey
af649d3eb0 envoy: implement header and query param session loading () 
* authorize: refactor session loading, implement headers and query params

* authorize: fix http recorder header, use constant for pomerium authorization header

* fix compile

* remove dead code
 2020-05-18 17:10:10 -04:00
Travis Groth
99e788a9b4 envoy: Initial changes 2020-05-18 17:10:10 -04:00
Bobby DeSimone
bf9a6f5e97
cryptutil: add automatic certificate management () 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-05-05 12:50:19 -07:00
Travis Groth
b2e3b22f14
Update JWT headers to only be in responses from forward auth endpoint () 2020-05-04 07:26:37 -04:00
Caleb Doxsey
e1d2501a94 proxy: move warning message to config validation 2020-04-20 18:24:36 -06:00
Caleb Doxsey
c8c307be69 proxy: update warning message 2020-04-20 18:24:36 -06:00
Caleb Doxsey
85a1a6d013 authorize,proxy: remove support for paths within the from parameter 2020-04-20 18:24:36 -06:00
Caleb Doxsey
5ecfa34361 config: gofmt 2020-04-20 18:23:35 -06:00
Caleb Doxsey
7027f458dd config: add prefix, path and regex options 
proxy: support prefix, path and regex options
 2020-04-20 18:23:34 -06:00
branchmispredictor
0de3c431a6
forward-auth: validate using forwarded uri header () 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
Co-authored-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-04-20 10:56:30 -07:00