3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-04-30 02:46:30 +02:00
Code Issues Projects Releases Packages Wiki Activity
1918 commits 156 branches 125 tags 103 MiB
Commit graph

205 commits

Author SHA1 Message Date
Caleb Doxsey
d390e80b30
authenticate: add databroker versions to session cookie (#2709) 
* authenticate: add databroker versions to session cookie
authorize: wait for databroker synchronization on updated sessions

* fix test
 2021-10-26 14:45:53 -06:00
Caleb Doxsey
3497c39b9b
authorize: add support for webauthn device policy enforcement (#2700) 
* authorize: add support for webauthn device policy enforcement

* update docs

* group statuses
 2021-10-25 09:41:03 -06:00
Caleb Doxsey
6e48627b4d
ppl: add support for additional data (#2696) 
* ppl: add support for additional data

* remove unused NewCriterionDeviceRule
 2021-10-22 12:32:20 -06:00
Caleb Doxsey
efffe57bf0
ppl: pass contextual information through policy (#2612) 
* ppl: pass contextual information through policy

* maybe fix nginx

* fix nginx

* pr comments

* go mod tidy
 2021-09-20 16:02:26 -06:00
Caleb Doxsey
0786c7fc45
authorize: use session.user_id in headers (#2571) 2021-09-03 14:51:09 -06:00
Caleb Doxsey
33f5190572
config: remove signature_key_algorithm (#2557) 
* config: remove signature_key_algorithm

* typo

* add more tests
 2021-09-02 11:36:43 -06:00
Caleb Doxsey
de1ed61b9a
authorize: fix google cloudrun header audience (#2558) 2021-09-02 09:55:06 -06:00
Caleb Doxsey
ef55829cb0
authorize: fix X-Pomerium-Claim-Groups (#2539) 2021-08-26 20:29:57 -06:00
Caleb Doxsey
f5a558d4a0
grpc: disable gRPC connection re-use across services (#2515) 2021-08-24 11:47:16 -06:00
Caleb Doxsey
526f946097
fix forward-auth, logging (#2509) 
* fix forward-auth, logging

* move error message
 2021-08-23 17:50:04 -06:00
Caleb Doxsey
bbec2cae9f
grpc: send client traffic through envoy (#2469) 
* wip

* wip

* handle wildcards in override name

* remove wait for ready, add comment about sync, force initial sync complete in test

* address comments
 2021-08-16 16:12:22 -06:00
bobby
87c3c675d2
all: remove unused handler code (#2439) 
* - Remove unused middleware

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* remove unused func weightedStrings

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* remove unused func getJWTSetCookieHeaders

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* Fix test name
 2021-08-16 16:04:39 -04:00
Caleb Doxsey
6af0655206
protoutil: add NewAny method for deterministic serialization (#2462) 2021-08-09 17:51:57 -06:00
Caleb Doxsey
a64e5b5fa1
authorize: add sid to JWT claims (#2420) 
* authorize: add sid to JWT claims

* fix import ordering
 2021-08-02 16:11:05 -06:00
Caleb Doxsey
57c0c0a1bc
authorize: log additional session details (#2419) 2021-08-02 12:08:34 -06:00
Caleb Doxsey
1a95036b8c
sessions: add impersonate_session_id, remove legacy impersonation (#2407) 
* sessions: add impersonate_session_id, remove legacy impersonation

* show impersonated user details

* fix headers

* address feedback

* only check impersonate id on non-nil pbSession

* Revert "only check impersonate id on non-nil pbSession"

This reverts commit a6f7ca5abd.
 2021-07-30 08:42:36 -06:00
bobby
aa0e6872de
evaluator: use cryputil to hash (#2384) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2021-07-22 06:15:54 -07:00
Caleb Doxsey
c7a8f11d9a
authorize: add additional tracing for rego evaluation (#2381) 2021-07-21 15:37:51 -06:00
Caleb Doxsey
cef08a1c2d
authorize: remove service account impersonate user id, email and groups (#2365) 2021-07-15 09:31:45 -06:00
Caleb Doxsey
360aa89505
authorize: allow redirects on deny (#2361) 2021-07-13 15:41:36 -06:00
Caleb Doxsey
b4b86dccb4
authorize: decode CheckRequest path for redirect (#2357) 2021-07-13 13:17:21 -06:00
Caleb Doxsey
8e155bdf61
authorize: log service account and impersonation details (#2354) 2021-07-12 14:21:37 -06:00
Caleb Doxsey
21ffe44dff
authorize: support boolean deny results (#2338) 
* authorize: support boolean deny results

* add client certificate test

* handle different array lengths
 2021-07-06 12:52:26 -06:00
wasaga
7d0db7d8ff
authorize: do not send redirects to gRPC (#2314) 2021-07-06 10:24:33 -04:00
Caleb Doxsey
f9675f61cc
deps: upgrade to go-jose v3 (#2284) 2021-06-10 09:35:44 -06:00
Caleb Doxsey
2156dbc553
envoy: always set jwt claim headers even if no value is available (#2261) 
* envoy: always set jwt claim headers even if no value is available

* add test
 2021-06-04 10:01:00 -07:00
Caleb Doxsey
699f3f461f
authorize: handle grpc-web content types like json (#2268) 2021-06-04 10:12:55 -06:00
Caleb Doxsey
9dc90d02d0
authorize: only redirect for HTML pages (#2264) 
* authorize: only redirect for HTML pages

* authorize: only redirect for HTML pages
 2021-06-02 16:18:02 -06:00
wasaga
40ddc2c4b3
jwt: round timestamp (#2258) 2021-06-01 14:12:45 -07:00
wasaga
12c8bb2da4
authorize: preserve original context (#2247) 2021-06-01 11:10:35 -04:00
Caleb Doxsey
dad35bcfb0
ppl: refactor authorize to evaluate PPL (#2224) 
* ppl: refactor authorize to evaluate PPL

* remove opa test step

* add log statement

* simplify assignment

* deny with forbidden if logged in

* add safeEval function

* create evaluator-specific config and options

* embed the headers rego file directly
 2021-05-21 09:50:18 -06:00
Caleb Doxsey
0adbf4f24c
controlplane: save configuration events to databroker (#2153) 
* envoy: save events to databroker

* controlplane: add tests for envoy configuration events

* format imports
 2021-04-29 15:51:46 -06:00
Caleb Doxsey
c85c8b0778
authorize: refactor store locking (#2151) 
* authorize: refactor store locking

* fix nil reference panic
 2021-04-29 08:37:27 -06:00
bobby
9215833a0b
control plane: add request id to all error pages (#2149) 
* controlplane: add request id to all error pages

- use a single http error handler for both envoy and go control plane
- add http lib style status text for our custom statuses.

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2021-04-28 15:04:44 -07:00
bobby
7973ab43fe
authorize: audit log had duplicate "message" key (#2141) 
* authorize: audit log had duplicate "message" key

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2021-04-27 15:26:16 -06:00
Caleb Doxsey
f365b30e02
authorize: remove log (#2122) 2021-04-23 14:00:08 -06:00
Caleb Doxsey
762b565239
authorize: fix empty sub policy arrays (#2119) 2021-04-23 11:00:30 -06:00
Caleb Doxsey
433831fbea
authorize: fix unsigned URL (#2118) 2021-04-22 17:33:46 -06:00
Caleb Doxsey
b1d62bb541
config: remove validate side effects (#2109) 
* config: default shared key

* handle additional errors

* update grpc addr and grpc insecure

* update google cloud service authentication service account

* fix set response headers

* fix qps

* fix test
 2021-04-22 15:10:50 -06:00
wasaga
e0c09a0998
log context (#2107) 2021-04-22 10:58:13 -04:00
Caleb Doxsey
3906b70bc5
authorize: support arbitrary jwt claims (#2102) 
* authorize: support arbitrary jwt claims

* remove dead code
 2021-04-19 14:55:08 -06:00
Caleb Doxsey
6d1d2bec54
crypto: use actual bytes of shared secret, not the base64 encoded representation (#2075) 
* crypto: use actual bytes of shared secret, not the base64 encoded representation

* return errors

* return errors
 2021-04-08 20:04:01 -06:00
Caleb Doxsey
a51c7140ea
cryptutil: use bytes for hmac (#2067) 2021-04-07 14:57:24 -06:00
wasaga
a935c1ba30
config related metrics (#2065) 2021-04-07 12:29:36 -07:00
Caleb Doxsey
8a2af8029b
authorize: additional tracing, add benchmark for encryptor (#2059) 2021-04-05 12:55:16 -06:00
Caleb Doxsey
f4c4fe314a
authorize: audit logging (#2050) 
* authorize: add databroker server and record version to result, force sync via polling

* authorize: audit logging
 2021-04-05 09:58:55 -06:00
Caleb Doxsey
d7ab817de7
authorize: add databroker server and record version to result, force sync via polling (#2024) 
* authorize: add databroker server and record version to result, force sync via polling

* wrap inmem store to take read lock when grabbing databroker versions

* address code review comments

* reset max to 0
 2021-03-31 10:09:06 -06:00
Caleb Doxsey
4218f49741
authorize: bypass data in rego for databroker data (#2041) 2021-03-30 14:14:32 -06:00
Caleb Doxsey
e2ebef44ef
telemetry: add installation id (#2017) 
* telemetry: add installation id

* set installation id globally

* remove unneeded changes
 2021-03-24 07:22:54 -06:00
Caleb Doxsey
853d2dd478
config: use getters for certificates (#2001) 
* config: use getters for certificates

* update log message
 2021-03-23 08:02:50 -06:00