Commit graph

159 commits

Author SHA1 Message Date
Caleb Doxsey
1a95036b8c
sessions: add impersonate_session_id, remove legacy impersonation (#2407)
* sessions: add impersonate_session_id, remove legacy impersonation

* show impersonated user details

* fix headers

* address feedback

* only check impersonate id on non-nil pbSession

* Revert "only check impersonate id on non-nil pbSession"

This reverts commit a6f7ca5abd.
2021-07-30 08:42:36 -06:00
dependabot[bot]
34b8af77d1
chore(deps): bump github.com/rs/cors from 1.7.0 to 1.8.0 (#2334)
* chore(deps): bump github.com/rs/cors from 1.7.0 to 1.8.0

Bumps [github.com/rs/cors](https://github.com/rs/cors) from 1.7.0 to 1.8.0.
- [Release notes](https://github.com/rs/cors/releases)
- [Commits](https://github.com/rs/cors/compare/v1.7.0...v1.8.0)

---
updated-dependencies:
- dependency-name: github.com/rs/cors
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* fix test to handle 204

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
2021-07-14 10:08:03 -06:00
Caleb Doxsey
f9675f61cc
deps: upgrade to go-jose v3 (#2284) 2021-06-10 09:35:44 -06:00
bobby
51655a5502
Revert "authenticate,proxy: add same site lax to cookies (#2159)" (#2203)
This reverts commit d9cc26a2e0.
2021-05-14 15:36:05 -07:00
Caleb Doxsey
aeece76928
databroker: store issued at timestamp with session (#2173) 2021-05-04 10:09:14 -06:00
Caleb Doxsey
d9cc26a2e0
authenticate,proxy: add same site lax to cookies (#2159) 2021-04-30 10:24:47 -06:00
Caleb Doxsey
0adbf4f24c
controlplane: save configuration events to databroker (#2153)
* envoy: save events to databroker

* controlplane: add tests for envoy configuration events

* format imports
2021-04-29 15:51:46 -06:00
Caleb Doxsey
b1d62bb541
config: remove validate side effects (#2109)
* config: default shared key

* handle additional errors

* update grpc addr and grpc insecure

* update google cloud service authentication service account

* fix set response headers

* fix qps

* fix test
2021-04-22 15:10:50 -06:00
wasaga
e0c09a0998
log context (#2107) 2021-04-22 10:58:13 -04:00
Caleb Doxsey
6d1d2bec54
crypto: use actual bytes of shared secret, not the base64 encoded representation (#2075)
* crypto: use actual bytes of shared secret, not the base64 encoded representation

* return errors

* return errors
2021-04-08 20:04:01 -06:00
Caleb Doxsey
a51c7140ea
cryptutil: use bytes for hmac (#2067) 2021-04-07 14:57:24 -06:00
Caleb Doxsey
f84f7551d0
authenticate: fix default sign out url (#2061) 2021-04-06 10:35:08 -06:00
Travis Groth
0635c838c9
authenticate: validate signature on /.pomerium, /.pomerium/sign_in and /.pomerium/sign_out (#2048)
Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
2021-04-01 10:04:16 -04:00
Caleb Doxsey
e2ebef44ef
telemetry: add installation id (#2017)
* telemetry: add installation id

* set installation id globally

* remove unneeded changes
2021-03-24 07:22:54 -06:00
Caleb Doxsey
3690a32855
config: use getters for authenticate, signout and forward auth urls (#2000) 2021-03-19 14:49:25 -06:00
Caleb Doxsey
f396c2a0f7
config: log config source changes (#1959)
* config: log config source changes

* use internal log import
2021-03-03 09:54:08 -07:00
Caleb Doxsey
664358dfad
config: multiple endpoints for authorize and databroker (#1957)
* wip

* update docs

* remove dead code
2021-03-03 09:53:19 -07:00
Caleb Doxsey
5d60cff21e
databroker: refactor databroker to sync all changes (#1879)
* refactor backend, implement encrypted store

* refactor in-memory store

* wip

* wip

* wip

* add syncer test

* fix redis expiry

* fix linting issues

* fix test by skipping non-config records

* fix backoff import

* fix init issues

* fix query

* wait for initial sync before starting directory sync

* add type to SyncLatest

* add more log messages, fix deadlock in in-memory store, always return server version from SyncLatest

* update sync types and tests

* add redis tests

* skip macos in github actions

* add comments to proto

* split getBackend into separate methods

* handle errors in initVersion

* return different error for not found vs other errors in get

* use exponential backoff for redis transaction retry

* rename raw to result

* use context instead of close channel

* store type urls as constants in databroker

* use timestampb instead of ptypes

* fix group merging not waiting

* change locked names

* update GetAll to return latest record version

* add method to grpcutil to get the type url for a protobuf type
2021-02-18 15:24:33 -07:00
bobby
c3e3ed9b50
authenticate: validate origin of signout (#1876)
* authenticate: validate origin of signout

- add a debug task to kill envoy
- improve various function docs
- userinfo: return "error" page if user is logged out without redirect uri set
- remove front channel logout. There's little difference between it, and the signout function.

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2021-02-11 21:37:54 -08:00
Caleb Doxsey
b7f0242090
authorize: remove admin (#1833)
* authorize: remove admin

* regen rego

* add note to upgrading
2021-02-01 15:22:02 -07:00
Caleb Doxsey
5e3aa91f23
authenticate: delay evaluation of OIDC provider (#1802)
* authenticate: delay evaluation of OIDC provider

* add additional error message

* address comments
2021-01-26 09:20:56 -07:00
Caleb Doxsey
70b4497595
databroker: rename cache service (#1790)
* rename cache folder

* rename cache service everywhere

* skip yaml in examples

* Update docs/docs/topics/data-storage.md

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>
2021-01-21 08:41:22 -07:00
bobby
6466efddd5
authenticate: update user info screens (#1774)
- rename "dashboard" to userinfo to avoid confusion
- don't leak version from error page.
- fix typo in state.go
- make statik deterministic on modtime

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2021-01-13 13:15:31 -08:00
Caleb Doxsey
ab4a68f56f
remove user impersonation and service account cli (#1768)
* remove user impersonation and service account cli

* update doc

* remove user impersonation url query params

* fix flaky test
2021-01-12 09:28:29 -07:00
Caleb Doxsey
b16236496b
jws: remove issuer (#1754) 2021-01-11 07:57:54 -07:00
bobby
f837c92741
dev: update linter (#1728)
- gofumpt everything
- fix TLS MinVersion to be at least 1.2
- add octal syntax
- remove newlines
- fix potential decompression bomb in ecjson
- remove implicit memory aliasing in for loops.

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-12-30 09:02:57 -08:00
Philip Wassermann
2d3190c74e
authenticate: oidc frontchannel-logout endpoint (#1586)
* authenticate: oidc frontchannel-logout endpoint
* move frontchannellogout route and extract logout process
* add frontchannel_logout_uri to wellknown handler
* authenticate: add context to logs in signout process
* docs: single sign-out topic
* gofmt, wording, refactoring method names

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
Co-authored-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-12-24 14:30:48 -08:00
bobby
5bbd745934
authorize: add signature algo support (RSA / EdDSA) (#1631)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-11-30 17:14:41 -08:00
Caleb Doxsey
93c257259e
databroker: add audience to session (#1557)
* add audience to session

* update audience

* parse next url and add it to audience
2020-10-27 14:22:26 -06:00
Caleb Doxsey
a85b3b04c1
store raw id token so it can be passed to the logout url (#1543) 2020-10-26 10:20:23 -06:00
Caleb Doxsey
153e438eb6
authorize: implement allowed_idp_claims (#1542)
* add arbitrary claims to session

* add support for maps

* update flattened claims

* fix eol

* fix trailing whitespace

* fix tests
2020-10-23 14:05:37 -06:00
bobby
f719d885b7
authenticate: remove unused paths, generate cipher at startup, remove qp store (#1495)
* authenticate: remove unused paths, generate cipher on boot

- internal/httputil: add JSON renderer
- internal/httputil: remove unused query param store and references

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-10-19 08:09:53 -07:00
Caleb Doxsey
04c582121d
add flag to enable user impersonation (#1514)
* add flag to enable user impersonation

* fix typo
2020-10-14 08:17:59 -06:00
Caleb Doxsey
eb79cc0957
databroker: require JWT for access (#1503) 2020-10-09 11:08:40 -06:00
Caleb Doxsey
aa731ae068
directory: add explicit RefreshUser endpoint for faster sync (#1460)
* directory: add explicit RefreshUser endpoint for faster sync

* add test

* implement azure

* update api call

* add test for azure User

* implement github

* implement AccessToken, gitlab

* implement okta

* implement onelogin

* fix test

* fix inconsistent test

* implement auth0
2020-10-05 08:23:15 -06:00
Caleb Doxsey
2864859252
dashboard: format timestamps (#1468)
* format timestamps

* fix test
2020-09-28 16:00:42 -06:00
bobby
05d9fbb4b3
Desimone/authenticate default logout (#1390)
* authenticate: fix unset post_logout_redirect_uri
* don't show url if does not exist
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-09-09 11:53:12 -07:00
Cuong Manh Le
9de99d0211
all: add signout redirect url (#1324)
Fixes #1213
2020-08-25 01:23:58 +07:00
bobby
c1b3b45d12
proxy: remove unused handlers (#1317)
proxy: remove unused handlers

authenticate: remove unused references to refresh_token

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-08-22 10:02:12 -07:00
Caleb Doxsey
882b6b54ee
authenticate: move databroker connection to state (#1292)
* authenticate: move databroker connection to state

* re-use err

* just return

* remove nil checks
2020-08-18 09:33:43 -06:00
Caleb Doxsey
d608526998
authenticate: move properties to atomically updated state (#1277)
* authenticate: remove cookie options

* authenticate: remove shared key field

* authenticate: remove shared cipher property

* authenticate: move properties to separate state struct
2020-08-14 07:53:11 -06:00
Caleb Doxsey
045c10edc6
authenticate: support reloading IDP settings (#1273)
* identity: add name method to provider

* authenticate: support dynamically loading the provider
2020-08-13 12:14:30 -06:00
Caleb Doxsey
fbf5b403b9
config: allow dynamic configuration of cookie settings (#1267) 2020-08-13 08:11:34 -06:00
bobby
1b365e52f3
authorize: add databroker url check (#1228)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-08-07 09:31:27 -07:00
Caleb Doxsey
6e26bd204a
set session state expiry (#1215) 2020-08-05 14:04:04 -06:00
Cuong Manh Le
73abed0d21
all: update outdated comments about OptionsUpdater interface (#1207)
In #1088, OptionsUpdater was removed, but the current code still mentions it.
This commit updates all comments which still mention that
interface (authorize is excluded, and will be updated in #1206).
2020-08-05 21:39:24 +07:00
Caleb Doxsey
97f85481f8
fix redirect loop, remove user/session services, remove duplicate deleted_at fields (#1162)
* fix redirect loop, remove user/session services, remove duplicate deleted_at fields

* change loop

* reuse err variable

* wrap errors, use cookie timeout

* wrap error, duplicate if
2020-07-30 09:41:57 -06:00
Cuong Manh Le
fd544b7072
authenticate: fix wrong condition checking in VerifySession (#1146)
The code checks that the session client is not nil, but uses the databroker client in
the body instead.
2020-07-28 21:18:39 +07:00
Caleb Doxsey
1ad243dfd1
directory.Group entry for groups (#1118)
* store directory groups separate from directory users

* fix group lookup, azure display name

* remove fields restriction

* fix test

* also support email

* use Email as name for google

* remove changed file

* show groups on dashboard

* fix test

* re-add accidentally removed code
2020-07-22 11:28:53 -06:00
Cuong Manh Le
9dae633fe5
internal/frontend/assets/html: make timestamp human readable (#1107)
Since we switched to using the databroker, the time in the template is now a protobuf
timestamp instead of time.Time, which causes it to appear in raw form
instead of in a human-readable format.

Fix this by converting the protobuf timestamp to time.Time in the template.
There's still a breaking change, though. The time will now appear in
UTC instead of local time.

Fixes #1100
2020-07-20 13:35:57 +07:00