pomerium

mirror of https://github.com/pomerium/pomerium.git synced 2025-04-29 18:36:30 +02:00

Author	SHA1	Message	Date
Caleb Doxsey	d6b02441b3	authorize: return 403 on invalid sessions (#5536 )	2025-03-19 14:41:28 -06:00
Joe Kralicky	8001077706	Update to Go 1.23 (#5216 ) * Update to Go 1.23 * Update golangci-lint-action * Fix new errors from updated linter * Bump golangci-lint to v1.60.1	2024-08-14 14:12:01 -04:00
Caleb Doxsey	1a5b8b606f	core/lint: upgrade golangci-lint, replace interface{} with any (#5099 ) * core/lint: upgrade golangci-lint, replace interface{} with any * regen proto	2024-05-02 14:33:52 -06:00
Caleb Doxsey	be0104b842	config: add cookie_same_site option (#4148 )	2023-05-03 14:36:42 -06:00
Caleb Doxsey	bbed421cd8	config: remove source, remove deadcode, fix linting issues (#4118 ) * remove source, remove deadcode, fix linting issues * use github action for lint * fix missing envoy	2023-04-21 17:25:11 -06:00
Caleb Doxsey	f2a5bda162	apple: fix userinfo (#3974 )	2023-02-14 14:53:15 -07:00
Caleb Doxsey	57217af7dd	authenticate: implement hpke-based login flow (#3779 ) * urlutil: add time validation functions * authenticate: implement hpke-based login flow * fix import cycle * fix tests * log error * fix callback url * add idp param * fix test * fix test	2022-12-05 15:31:07 -07:00
Caleb Doxsey	30bdae3d9e	sessions: check idp id to detect provider changes to force session invalidation (#3707 ) * sessions: check idp id to detect provider changes to force session invalidation * remove dead code * fix test	2022-10-25 16:20:32 -06:00
Caleb Doxsey	75634dfca2	authenticate: remove ecjson (#3688 )	2022-10-20 10:37:21 -06:00
Caleb Doxsey	f9b95a276b	authenticate: support for per-route client id and client secret (#3030 ) * implement dynamic provider support * authenticate: support per-route client id and secret	2022-02-16 12:31:55 -07:00
Caleb Doxsey	46c4d5fa7e	session: remove unused session state properties (#3022 ) * fix error page * share dashboard code * sessions: remove unused session state properties * remove programmatic * remove version	2022-02-09 10:59:06 -07:00
Caleb Doxsey	a8b76bd623	authorize: support X-Pomerium-Authorization in addition to Authorization (#2780 ) * authorize: support X-Pomerium-Authorization in addition to Authorization * tangentental correction Co-authored-by: alexfornuto <alex@fornuto.com>	2021-11-29 12:19:14 -07:00
Caleb Doxsey	d390e80b30	authenticate: add databroker versions to session cookie (#2709 ) * authenticate: add databroker versions to session cookie authorize: wait for databroker synchronization on updated sessions * fix test	2021-10-26 14:45:53 -06:00
Caleb Doxsey	f9675f61cc	deps: upgrade to go-jose v3 (#2284 )	2021-06-10 09:35:44 -06:00
bobby	51655a5502	Revert "authenticate,proxy: add same site lax to cookies (#2159 )" (#2203 ) This reverts commit `d9cc26a2e0`.	2021-05-14 15:36:05 -07:00
Caleb Doxsey	d9cc26a2e0	authenticate,proxy: add same site lax to cookies (#2159 )	2021-04-30 10:24:47 -06:00
Caleb Doxsey	aeb8aaf9cd	directory: remove provider from user id (#2068 )	2021-04-07 15:06:08 -06:00
bobby	6466efddd5	authenticate: update user info screens (#1774 ) - rename "dashboard" to userinfo to avoid confusion - don't leak version from error page. - fix typo in state.go - make statik determenistic on modtime Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2021-01-13 13:15:31 -08:00
Caleb Doxsey	ab4a68f56f	remove user impersonation and service account cli (#1768 ) * remove user impersonation and service account cli * update doc * remove user impersonation url query params * fix flaky test	2021-01-12 09:28:29 -07:00
Caleb Doxsey	b16236496b	jws: remove issuer (#1754 )	2021-01-11 07:57:54 -07:00
bobby	f837c92741	dev: update linter (#1728 ) - gofumpt everything - fix TLS MinVersion to be at least 1.2 - add octal syntax - remove newlines - fix potential decompression bomb in ecjson - remove implicit memory aliasing in for loops. Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-12-30 09:02:57 -08:00
Caleb Doxsey	fbf5b403b9	config: allow dynamic configuration of cookie settings (#1267 )	2020-08-13 08:11:34 -06:00
Caleb Doxsey	a70254ab76	kubernetes apiserver integration (#1063 ) * sessions: support bearer tokens in authorization * wip * remove dead code * refactor signed jwt code * use function * update per comments * fix test	2020-07-14 08:33:24 -06:00
Caleb Doxsey	fae02791f5	cryptutil: move to pkg dir, add token generator (#1029 ) * cryptutil: move to pkg dir, add token generator * add gitignored files * add tests	2020-06-30 15:55:33 -06:00
Caleb Doxsey	091b71f12e	grpc: rename internal/grpc to pkg/grpc (#1010 ) * grpc: rename internal/grpc to pkg/grpc * don't ignore pkg dir * remove debug line	2020-06-26 09:17:02 -06:00
Cuong Manh Le	505ff5cc5c	internal/sessions: handle claims "ver" field generally (#990 ) "ver" field is not specified by RFC 7519, so in practice, most providers return it as string, but okta returns it as number, which cause okta authenticate broken. To fix it, we handle "ver" field more generally, to allow both string and number in json payload.	2020-06-24 22:06:17 +07:00
Caleb Doxsey	0d277cf662	azure: use OID for user id in session (#985 )	2020-06-23 12:02:17 -06:00
Caleb Doxsey	dbd7f55b20	feature/databroker: user data and session refactor project (#926 ) * databroker: add databroker, identity manager, update cache (#864) * databroker: add databroker, identity manager, update cache * fix cache tests * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * authorize: use databroker data for rego policy (#904) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix gitlab test * use v4 backoff * authenticate: databroker changes (#914) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix dashboard * delete session on logout * permanently delete sessions once they are marked as deleted * remove permanent delete * fix tests * remove groups and refresh test * databroker: remove dead code, rename cache url, move dashboard (#925) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix dashboard * delete session on logout * permanently delete sessions once they are marked as deleted * remove permanent delete * fix tests * remove cache service * remove kv * remove refresh docs * remove obsolete cache docs * add databroker url option * cache: use memberlist to detect multiple instances * add databroker service url * remove cache service * remove kv * remove refresh docs * remove obsolete cache docs * add databroker url option * cache: use memberlist to detect multiple instances * add databroker service url * wip * remove groups and refresh test * fix redirect, signout * remove databroker client from proxy * remove unused method * remove user dashboard test * handle missing session ids * session: reject sessions with no id * sessions: invalidate old sessions via databroker server version (#930) * session: add a version field tied to the databroker server version that can be used to invalidate sessions * fix tests * add log * authenticate: create user record immediately, call "get" directly in authorize (#931)	2020-06-19 07:52:44 -06:00
Bobby DeSimone	39187eb305	state: infer user from subject (#772 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-05-26 10:31:55 -07:00
Benoît Knecht	5c3c020508	sessions/state: Add nickname claim (#755 ) GitLab returns the user name in a `nickname` claim instead of `user`, so make it available in `sessions.State`. Signed-off-by: Benoît Knecht <bknecht@protonmail.ch>	2020-05-22 11:38:27 -07:00
Bobby DeSimone	666fd6aa35	authenticate: save oauth2 tokens to cache (#698 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-05-18 17:10:10 -04:00
Bobby DeSimone	f7ee08b05a	session: remove audience check (#640 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-04-29 15:30:47 -07:00
Bobby DeSimone	c23db546fa	authorization: log audience claim failure (#553 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-03-22 12:06:25 -07:00
Bobby DeSimone	4491d1b0e9	sessions: sign-out bug fixes #530 (#544 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-03-19 18:43:43 -07:00
Bobby DeSimone	ba14ea246d	*: remove import path comments (#545 ) - import path comments are obsoleted by the go.mod file's module statement Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-03-16 10:13:47 -07:00
Bobby DeSimone	6f4b26abe2	identity: support oidc UserInfo Response (#529 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-03-12 20:56:40 -07:00
Bobby DeSimone	8d1732582e	authorize: use jwt insead of state struct (#514 ) authenticate: unmarshal and verify state from jwt, instead of middleware authorize: embed opa policy using statik authorize: have IsAuthorized handle authorization for all routes authorize: if no signing key is provided, one is generated authorize: remove IsAdmin grpc endpoint authorize/client: return authorize decision struct cmd/pomerium: main logger no longer contains email and group cryptutil: add ECDSA signing methods dashboard: have impersonate form show up for all users, but have api gated by authz docs: fix typo in signed jwt header encoding/jws: remove unused es256 signer frontend: namespace static web assets internal/sessions: remove leeway to match authz policy proxy: move signing functionality to authz proxy: remove jwt attestation from proxy (authZ does now) proxy: remove non-signed headers from headers proxy: remove special handling of x-forwarded-host sessions: do not verify state in middleware sessions: remove leeway from state to match authz sessions/{all}: store jwt directly instead of state Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-03-10 11:19:26 -07:00
Bobby DeSimone	2f13488598	authorize: use opa for policy engine (#474 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-02-02 11:18:22 -08:00
Bobby DeSimone	e82477ea5c	deployment: throw away golanglint-ci defaults (#439 ) * deployment: throw away golanglint-ci defaults Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-01-26 12:33:45 -08:00
Bobby DeSimone	dccc7cd2ff	cache : add cache service (#457 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-01-20 18:25:34 -08:00
Bobby DeSimone	ec029c679b	authenticate/proxy: add backend refresh (#438 )	2019-12-30 10:47:54 -08:00
Bobby DeSimone	487fc655d6	authenticate: make session default match IDP (#416 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-12-04 22:22:10 -08:00
Bobby DeSimone	0f6a9d7f1d	proxy: fix forward auth, request signing Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-11-25 14:29:52 -08:00
Bobby DeSimone	e2943b7c80	internal/sessions: fix upgrade path for new sessions (#382 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-11-12 13:19:08 -08:00
Bobby DeSimone	b9ab49c32c	internal/sessions: fix cookie clear session (#376 ) CookieStore's ClearSession now properly clears the user session cookie by setting MaxAge to -1. internal/sessions: move encoder interface to encoding package, and rename to MarshalUnmarshaler. internal/encoding: move mock to own package authenticate: use INFO log level for authZ error. Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-11-09 10:49:24 -08:00
Bobby DeSimone	d3d60d1055	all: support route scoped sessions Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-11-06 17:54:15 -08:00
Bobby DeSimone	badd8d69af	internal/sessions: refactor how sessions loading (#351 ) These chagnes standardize how session loading is done for session cookie, auth bearer token, and query params. - Bearer token previously combined with session cookie. - rearranged cookie-store to put exported methods above unexported - added header store that implements session loader interface - added query param store that implements session loader interface Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-10-06 10:47:53 -07:00
Bobby DeSimone	7c755d833f	authenticate: encrypt & mac oauth2 callback state - cryptutil: add hmac & tests - cryptutil: rename cipher / encoders to be more clear - cryptutil: simplify SecureEncoder interface - cryptutil: renamed NewCipherFromBase64 to NewAEADCipherFromBase64 - cryptutil: move key & random generators to helpers Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-09-23 19:15:52 -07:00
Bobby DeSimone	dc12947241	all: refactor handler logic - all: prefer `FormValues` to `ParseForm` with subsequent `Form.Get`s - all: refactor authentication stack to be checked by middleware, and accessible via request context. - all: replace http.ServeMux with gorilla/mux’s router - all: replace custom CSRF checks with gorilla/csrf middleware - authenticate: extract callback path as constant. - internal/config: implement stringer interface for policy - internal/cryptutil: add helper func `NewBase64Key` - internal/cryptutil: rename `GenerateKey` to `NewKey` - internal/cryptutil: rename `GenerateRandomString` to `NewRandomStringN` - internal/middleware: removed alice in favor of gorilla/mux - internal/sessions: remove unused `ValidateRedirectURI` and `ValidateClientSecret` - internal/sessions: replace custom CSRF with gorilla/csrf fork that supports custom handler protection - internal/urlutil: add `SignedRedirectURL` to create hmac'd URLs - internal/urlutil: add `ValidateURL` helper to parse URL options - internal/urlutil: add `GetAbsoluteURL` which takes a request and returns its absolute URL. - proxy: remove holdover state verification checks; we no longer are setting sessions in any proxy routes so we don’t need them. - proxy: replace un-named http.ServeMux with named domain routes. Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-09-16 18:01:14 -07:00
Bobby DeSimone	380d314404	authenticate: make service http only - Rename SessionState to State to avoid stutter. - Simplified option validation to use a wrapper function for base64 secrets. - Removed authenticates grpc code. - Abstracted logic to load and validate a user's authenticate session. - Removed instances of url.Parse in favor of urlutil's version. - proxy: replaces grpc refresh logic with forced deadline advancement. - internal/sessions: remove rest store; parse authorize header as part of session store. - proxy: refactor request signer - sessions: remove extend deadline (fixes #294) - remove AuthenticateInternalAddr - remove AuthenticateInternalAddrString - omit type tag.Key from declaration of vars TagKey* it will be inferred from the right-hand side - remove compatibility package xerrors - use cloned http.DefaultTransport as base transport	2019-09-04 16:27:08 -07:00

1 2

73 commits