Caleb Doxsey
3bdbd56222
core/config: add pass_identity_headers option ( #4720 )
...
* core/config: add pass_identity_headers option
* add to proto
* remove deprecated field
2023-11-08 13:07:37 -07:00
Caleb Doxsey
77f9893fe5
core/config: remove unnecessary authenticate route ( #4719 )
2023-11-08 09:12:44 -07:00
Kenneth Jenkins
ffca3b36a9
authorize: reuse policy evaluators where possible ( #4710 )
...
Add a parameter to evaluator.New() for the previous Evaluator (if any).
If the evaluatorConfig is the same, reuse any PolicyEvaluators for
policies that have not changed from the previous Evaluator.
Use the route IDs along with the policy checksums to determine whether a
given policy has changed. Similarly, add a new cacheKey() method to the
evaluatorConfig to compute a checksum used to determine whether the
evaluatorConfig has changed. (Store this checksum on the Evaluator.)
2023-11-06 13:57:59 -08:00
Caleb Doxsey
1e9e51c15d
core/go: upgrade go.mod ( #4711 )
2023-11-06 14:40:06 -07:00
Denis Mishin
bfcc970839
databroker: build config concurrently, option to bypass validation ( #4655 )
...
* validation: option to bypass
* concurrently build config
* add regex_priority_order and route sorting
* rm mutex
2023-11-06 13:21:29 -05:00
Kenneth Jenkins
ab104a643a
rework session updates to use new patch method ( #4705 )
...
Update the AccessTracker, WebAuthn handlers, and identity manager
refresh loop to perform their session record updates using the
databroker Patch() method.
This should prevent any of these updates from conflicting.
2023-11-06 09:43:07 -08:00
Caleb Doxsey
2771a5ae87
core/config: refactor file watcher ( #4702 )
...
* core/config: refactor file watcher
* add comments
* updates
* only use the polling watcher
* fix test
* fix test
* try to fix test again
* remove batching
* don't rely on file modification timestamp
* remove benchmark
* try fix again
2023-11-03 15:53:20 -06:00
Denis Mishin
77bb203276
databroker: add reconciler ( #4709 )
2023-11-03 15:40:57 -04:00
Denis Mishin
6d5558cb97
databroker: add utility recordset and changeset ( #4701 )
2023-11-03 11:26:59 -04:00
Denis Mishin
45b72bc9b5
proto: add id to certificate ( #4706 )
2023-11-02 21:26:30 -04:00
Kenneth Jenkins
d5da872157
databroker: add patch method ( #4704 )
...
Add a Patch() method to the databroker gRPC service.
Update the storage.Backend interface to include the Patch() method now
that all the storage.Backend implementations include it.
Add a test to exercise the patch method under concurrent usage.
2023-11-02 15:07:37 -07:00
Kenneth Jenkins
4842002ed7
storage/postgres: implement patch operation ( #4656 )
...
Implement the new Patch() method for the Postgres storage backend.
2023-11-02 12:07:36 -07:00
Kenneth Jenkins
4f648e9ac1
databroker: remove redis storage backend ( #4699 )
...
Remove the Redis databroker backend. According to
https://www.pomerium.com/docs/internals/data-storage#redis it has been
discouraged since Pomerium v0.18.
Update the config options validation to return an error if "redis" is
set as the databroker storage backend type.
2023-11-02 11:53:25 -07:00
Kenneth Jenkins
47890e9ee1
storage/inmemory: implement patch operation ( #4654 )
...
Add a new Patch() method that updates specific fields of an existing
record's data, based on a field mask.
Extract some logic from the existing Get() and Put() methods so it can
be shared with the new Patch() method.
2023-11-02 11:03:00 -07:00
Caleb Doxsey
5f4e13e130
core/events: fix flaky test ( #4700 )
...
* core/events: use synchronous channel to fix flaky test
* switch to mutexes
* remove test
2023-11-02 11:28:28 -06:00
Denis Mishin
0b79a28328
xds: add type url to log ( #4696 )
2023-11-01 16:50:59 -04:00
Caleb Doxsey
fd8cb18c44
core/filemgr: use xxhash instead of sha512 for filenames ( #4697 )
2023-11-01 13:52:32 -06:00
Caleb Doxsey
e0693e54f0
core/config: refactor change dispatcher ( #4657 )
...
* core/config: refactor change dispatcher
* update test
* close listener go routine when context is canceled
* use cancel cause
* use context
* add more time
* more time
2023-11-01 13:52:23 -06:00
Caleb Doxsey
53573dc046
core/config: remove version ( #4653 )
...
* core/config: remove version
* lint
* fix
2023-11-01 10:19:55 -06:00
Caleb Doxsey
6511440c2f
core/controlplane: apply configuration changes in a background thread ( #4649 )
...
* core/controlplane: apply configuration changes in a background thread
* core/controlplane: build envoy resources in goroutines
* tracing
2023-10-31 16:47:13 -06:00
Caleb Doxsey
a29476f61e
core/hpke: reduce memory usage from zstd ( #4650 )
...
* core/hpke: reduce memory usage from zstd
* use default compression, use default concurrency
2023-10-31 10:24:56 -06:00
Kenneth Jenkins
2cc82ed706
protoutil: add OverwriteMasked method ( #4651 )
...
Add a method to copy selected fields from one proto message to another
(of the same type), using a FieldMask. This is intended for use in a new
databroker Patch method.
2023-10-31 09:16:54 -07:00
dependabot[bot]
2472490075
chore(deps): bump github.com/docker/docker from 24.0.6+incompatible to 24.0.7+incompatible ( #4646 )
...
chore(deps): bump github.com/docker/docker
Bumps [github.com/docker/docker](https://github.com/docker/docker ) from 24.0.6+incompatible to 24.0.7+incompatible.
- [Release notes](https://github.com/docker/docker/releases )
- [Commits](https://github.com/docker/docker/compare/v24.0.6...v24.0.7 )
---
updated-dependencies:
- dependency-name: github.com/docker/docker
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-30 09:49:53 -06:00
Caleb Doxsey
ae420f01c6
core/config: add config version, additional telemetry ( #4645 )
...
* core/config: add config version, additional telemetry
* typo
2023-10-27 15:16:40 -06:00
Caleb Doxsey
dd7e3b993c
core/go: upgrade go ( #4644 )
2023-10-27 09:04:13 -06:00
Caleb Doxsey
818f3926bf
core/grpc: fix deprecated protobuf package, remove tools ( #4643 )
2023-10-26 11:38:54 -06:00
dependabot[bot]
5240baf202
chore(deps): bump google.golang.org/grpc from 1.58.2 to 1.58.3 ( #4640 )
...
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go ) from 1.58.2 to 1.58.3.
- [Release notes](https://github.com/grpc/grpc-go/releases )
- [Commits](https://github.com/grpc/grpc-go/compare/v1.58.2...v1.58.3 )
---
updated-dependencies:
- dependency-name: google.golang.org/grpc
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-26 11:18:34 -04:00
Kenneth Jenkins
1d2c525b1a
identity: rework session refresh error handling ( #4638 )
...
Currently, if a temporary error occurs while attempting to refresh an
OAuth2 token, the identity manager won't schedule another attempt.
Instead, update the session refresh logic so that it will retry after
temporary errors. Extract the bulk of this logic into a separate method
that returns a boolean indicating whether to schedule another refresh.
Update the unit test to simulate a temporary error during OAuth2 token
refresh.
2023-10-24 15:44:51 -07:00
Kenneth Jenkins
fa7dc469a3
identity: preserve session refresh schedule ( #4633 )
...
The databroker identity manager is responsible for refreshing session
records, to account for overall session expiration as well as OAuth2
access token expiration.
Refresh events are scheduled subject to a coolOffDuration (10 seconds,
by default) relative to a lastRefresh timestamp. Currently, any update
to a session record will reset the associated lastRefresh value and
reschedule any pending refresh event for that session. If an update
occurs close before a scheduled refresh event, this will push back the
scheduled refresh event to 10 seconds from that time.
This means that if a session is updated frequently enough (e.g. if there
is a steady stream of requests that cause constant updates via the
AccessTracker), the access token may expire before a refresh ever runs.
To avoid this problem, do not update the lastRefresh time upon every
session record update, but only if it hasn't yet been set. Instead,
update the lastRefresh during the refresh attempt itself.
Add unit tests to exercise these changes. There is a now() function as
part of the manager configuration (to allow unit tests to set a fake
time); update the Manager to use this function throughout.
2023-10-24 14:46:33 -07:00
Kenneth Jenkins
1996550c54
upgrade envoy to v1.28.0 ( #4635 )
2023-10-24 08:39:10 -07:00
Kenneth Jenkins
39a477c510
identity: override TokenSource expiry behavior ( #4632 )
...
The current session refresh loop attempts to refresh access tokens when
they are due to expire in less than one minute. However, the code to
perform the refresh relies on a TokenSource from the x/oauth2 package,
which has its own internal 'expiryDelta' threshold, with a default of
10 seconds. As a result, the first four or five attempts to refresh a
particular access token will not actually refresh the token. The refresh
will happen only when the access token is within 10 seconds of expiring.
Instead, before we obtain a new TokenSource, first clear any existing
access token. This causes the TokenSource to consider the token invalid,
triggering a refresh. This should give the refresh loop more control
over when refreshes happen.
Consolidate this logic in a new Refresh() method in the oidc package.
Add unit tests for this new method.
2023-10-23 08:20:04 -07:00
Kenneth Jenkins
5a735264b3
config: do not add route headers to global map ( #4629 )
...
Currently the GetSetResponseHeadersForPolicy() method may add entries to
the global SetResponseHeaders map, which can lead to one route's headers
being applied to other routes.
Instead, make a copy of the SetResponseHeaders map before adding any
route-specific response header entries.
Add additional unit tests for GetSetResponseHeaders() and
GetSetResponseHeadersForPolicy().
2023-10-18 13:55:48 -07:00
Kenneth Jenkins
5f9f46652a
upgrade envoy to v1.27.1 ( #4625 )
2023-10-12 08:55:18 -07:00
dependabot[bot]
a3e01fb506
chore(deps): bump golang.org/x/net from 0.15.0 to 0.17.0 ( #4626 )
...
Bumps [golang.org/x/net](https://github.com/golang/net ) from 0.15.0 to 0.17.0.
- [Commits](https://github.com/golang/net/compare/v0.15.0...v0.17.0 )
---
updated-dependencies:
- dependency-name: golang.org/x/net
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-12 08:49:39 -06:00
dependabot[bot]
3337236d7f
chore(deps): bump github.com/rs/cors from 1.10.0 to 1.10.1 ( #4601 )
...
Bumps [github.com/rs/cors](https://github.com/rs/cors ) from 1.10.0 to 1.10.1.
- [Release notes](https://github.com/rs/cors/releases )
- [Commits](https://github.com/rs/cors/compare/v1.10.0...v1.10.1 )
---
updated-dependencies:
- dependency-name: github.com/rs/cors
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-05 08:15:49 -07:00
dependabot[bot]
33a955d564
chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.38.5 to 1.40.0 ( #4600 )
...
chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3
Bumps [github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2 ) from 1.38.5 to 1.40.0.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases )
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.38.5...service/s3/v1.40.0 )
---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/s3
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-04 15:56:34 -07:00
dependabot[bot]
81c31e5736
chore(deps): bump @fontsource/dm-mono from 5.0.12 to 5.0.14 in /ui ( #4619 )
...
Bumps [@fontsource/dm-mono](https://github.com/fontsource/font-files/tree/HEAD/fonts/google/dm-mono ) from 5.0.12 to 5.0.14.
- [Changelog](https://github.com/fontsource/font-files/blob/main/fonts/google/dm-mono/CHANGELOG.md )
- [Commits](https://github.com/fontsource/font-files/commits/HEAD/fonts/google/dm-mono )
---
updated-dependencies:
- dependency-name: "@fontsource/dm-mono"
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-04 15:53:23 -07:00
dependabot[bot]
37d2e98636
chore(deps): bump github.com/rs/zerolog from 1.30.0 to 1.31.0 ( #4598 )
...
Bumps [github.com/rs/zerolog](https://github.com/rs/zerolog ) from 1.30.0 to 1.31.0.
- [Release notes](https://github.com/rs/zerolog/releases )
- [Commits](https://github.com/rs/zerolog/compare/v1.30.0...v1.31.0 )
---
updated-dependencies:
- dependency-name: github.com/rs/zerolog
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-04 16:32:21 -06:00
dependabot[bot]
e5343606d1
chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.40 to 1.18.42 ( #4599 )
...
chore(deps): bump github.com/aws/aws-sdk-go-v2/config
Bumps [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2 ) from 1.18.40 to 1.18.42.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases )
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.18.40...config/v1.18.42 )
---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/config
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-04 15:55:49 -06:00
dependabot[bot]
6d914d03de
chore(deps): bump @fontsource/dm-sans from 5.0.12 to 5.0.13 in /ui ( #4593 )
...
Bumps [@fontsource/dm-sans](https://github.com/fontsource/font-files/tree/HEAD/fonts/google/dm-sans ) from 5.0.12 to 5.0.13.
- [Changelog](https://github.com/fontsource/font-files/blob/main/fonts/google/dm-sans/CHANGELOG.md )
- [Commits](https://github.com/fontsource/font-files/commits/HEAD/fonts/google/dm-sans )
---
updated-dependencies:
- dependency-name: "@fontsource/dm-sans"
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-04 15:55:10 -06:00
dependabot[bot]
1a21918cbd
chore(deps): bump github.com/prometheus/procfs from 0.11.1 to 0.12.0 ( #4602 )
...
Bumps [github.com/prometheus/procfs](https://github.com/prometheus/procfs ) from 0.11.1 to 0.12.0.
- [Release notes](https://github.com/prometheus/procfs/releases )
- [Commits](https://github.com/prometheus/procfs/compare/v0.11.1...v0.12.0 )
---
updated-dependencies:
- dependency-name: github.com/prometheus/procfs
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-04 15:54:10 -06:00
dependabot[bot]
0894fdae1a
chore(deps): bump github.com/prometheus/client_golang from 1.16.0 to 1.17.0 ( #4603 )
...
chore(deps): bump github.com/prometheus/client_golang
Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang ) from 1.16.0 to 1.17.0.
- [Release notes](https://github.com/prometheus/client_golang/releases )
- [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md )
- [Commits](https://github.com/prometheus/client_golang/compare/v1.16.0...v1.17.0 )
---
updated-dependencies:
- dependency-name: github.com/prometheus/client_golang
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-04 15:53:52 -06:00
dependabot[bot]
aa4a1a0df3
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.8 to 3.23.9 ( #4605 )
...
Bumps [github.com/shirou/gopsutil/v3](https://github.com/shirou/gopsutil ) from 3.23.8 to 3.23.9.
- [Release notes](https://github.com/shirou/gopsutil/releases )
- [Commits](https://github.com/shirou/gopsutil/compare/v3.23.8...v3.23.9 )
---
updated-dependencies:
- dependency-name: github.com/shirou/gopsutil/v3
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-04 15:53:36 -06:00
dependabot[bot]
27740f6c87
chore(deps): bump google.golang.org/api from 0.141.0 to 0.143.0 ( #4608 )
...
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client ) from 0.141.0 to 0.143.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases )
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md )
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.141.0...v0.143.0 )
---
updated-dependencies:
- dependency-name: google.golang.org/api
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-03 15:50:23 -06:00
zachary painter
016914648b
Docs: remove tcp example ( #4616 )
...
* updates typo on README
* removes TCP example
2023-10-03 17:47:33 -04:00
dependabot[bot]
69def26b1c
chore(deps): bump mikefarah/yq from 4.35.1 to 4.35.2 ( #4610 )
...
Bumps [mikefarah/yq](https://github.com/mikefarah/yq ) from 4.35.1 to 4.35.2.
- [Release notes](https://github.com/mikefarah/yq/releases )
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt )
- [Commits](6609ed76ec...a198f72367)
---
updated-dependencies:
- dependency-name: mikefarah/yq
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-03 15:46:33 -06:00
dependabot[bot]
49a1979dbf
chore(deps): bump tibdex/github-app-token from 2.0.0 to 2.1.0 ( #4612 )
...
Bumps [tibdex/github-app-token](https://github.com/tibdex/github-app-token ) from 2.0.0 to 2.1.0.
- [Release notes](https://github.com/tibdex/github-app-token/releases )
- [Commits](0914d50df7...3beb63f4bd)
---
updated-dependencies:
- dependency-name: tibdex/github-app-token
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-03 15:46:14 -06:00
dependabot[bot]
58f1047611
chore(deps): bump actions/checkout from 4.0.0 to 4.1.0 ( #4611 )
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 4.0.0 to 4.1.0.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](3df4ab11eb...8ade135a41)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-03 15:45:43 -06:00
dependabot[bot]
3283fe6df7
chore(deps): bump github.com/open-policy-agent/opa from 0.56.0 to 0.57.0 ( #4606 )
...
Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa ) from 0.56.0 to 0.57.0.
- [Release notes](https://github.com/open-policy-agent/opa/releases )
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md )
- [Commits](https://github.com/open-policy-agent/opa/compare/v0.56.0...v0.57.0 )
---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-03 15:45:23 -06:00
dependabot[bot]
5d6c446dac
chore(deps): bump node from 7923c64 to 2daec43 ( #4609 )
...
Bumps node from `7923c64` to `2daec43`.
---
updated-dependencies:
- dependency-name: node
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-03 15:45:02 -06:00