Nándor István Krácser
45fb938317
oidc: use groups claim from ID token if present ( #1970 )
Signed-off-by: Nandor Kracser <bonifaido@gmail.com>
2021-03-22 11:46:01 -06:00
Caleb Doxsey
3690a32855
config: use getters for authenticate, signout and forward auth urls ( #2000 )
2021-03-19 14:49:25 -06:00
Caleb Doxsey
ae7626df3e
authorize: set JWT to expire after 5 minutes ( #1980 )
* authorize: set JWT to expire after 5 minutes
* use lesser of 5 minutes or id token expiration
* add test for expires at
2021-03-15 07:38:32 -06:00
Caleb Doxsey
b6ec01f377
assets: use embed instead of statik ( #1960 )
* assets: use embed instead of statik
* remove empty line
* maybe fix precommit
2021-03-03 18:56:55 -07:00
Caleb Doxsey
5d60cff21e
databroker: refactor databroker to sync all changes ( #1879 )
* refactor backend, implement encrypted store
* refactor in-memory store
* wip
* wip
* wip
* add syncer test
* fix redis expiry
* fix linting issues
* fix test by skipping non-config records
* fix backoff import
* fix init issues
* fix query
* wait for initial sync before starting directory sync
* add type to SyncLatest
* add more log messages, fix deadlock in in-memory store, always return server version from SyncLatest
* update sync types and tests
* add redis tests
* skip macos in github actions
* add comments to proto
* split getBackend into separate methods
* handle errors in initVersion
* return different error for not found vs other errors in get
* use exponential backoff for redis transaction retry
* rename raw to result
* use context instead of close channel
* store type urls as constants in databroker
* use timestampb instead of ptypes
* fix group merging not waiting
* change locked names
* update GetAll to return latest record version
* add method to grpcutil to get the type url for a protobuf type
2021-02-18 15:24:33 -07:00
Caleb Doxsey
1a1cc30c67
config: support map of jwt claim headers ( #1906 )
* config: support map of jwt claim headers
* fix array handling, add test
* update docs
* use separate hook, add tests
2021-02-17 13:43:18 -07:00
Caleb Doxsey
7d236ca1af
authorize: move headers and jwt signing to rego ( #1856 )
* wip
* wip
* wip
* remove SignedJWT field
* set google_cloud_serverless_authentication_service_account
* update jwt claim headers
* add mock get_google_cloud_serverless_headers for opa test
* swap issuer and audience
* add comment
* change default port in authz
2021-02-08 10:53:21 -07:00
Caleb Doxsey
25b697a13d
authorize: allow access by user id ( #1850 )
2021-02-03 07:15:44 -07:00
Caleb Doxsey
7a5c4fd0f6
authorize: handle null ( #1853 )
2021-02-02 17:29:21 -08:00
Caleb Doxsey
74ac23c980
authorize: remove DataBrokerData input ( #1847 )
* authorize: remove DataBrokerData
* add opa test
* domain, group tests
* more tests
* remove databroker data input
* update authz tests
* update dead code
* fix method name
* handle / in keys
2021-02-02 14:27:35 -07:00
Caleb Doxsey
eed873b263
authorize: remove DataBrokerData ( #1846 )
* authorize: remove DataBrokerData
* fix method name
2021-02-02 11:40:21 -07:00
Caleb Doxsey
655951cfa1
opa: format rego files ( #1845 )
* opa: format rego files
* statik
2021-02-01 15:43:08 -07:00
Caleb Doxsey
b7f0242090
authorize: remove admin ( #1833 )
* authorize: remove admin
* regen rego
* add note to upgrading
2021-02-01 15:22:02 -07:00
Caleb Doxsey
cc85ea601d
policy: add new certificate-authority option for downstream mTLS client certificates ( #1835 )
* policy: add new certificate-authority option for downstream mTLS client certificates
* update proto, docs
2021-02-01 08:10:32 -07:00
Caleb Doxsey
84e8f6cc05
config: fix databroker policies ( #1821 )
2021-01-25 17:18:50 -07:00
bobby
6466efddd5
authenticate: update user info screens ( #1774 )
- rename "dashboard" to userinfo to avoid confusion
- don't leak version from error page.
- fix typo in state.go
- make statik deterministic on modtime
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2021-01-13 13:15:31 -08:00
Caleb Doxsey
ab4a68f56f
remove user impersonation and service account cli ( #1768 )
* remove user impersonation and service account cli
* update doc
* remove user impersonation url query params
* fix flaky test
2021-01-12 09:28:29 -07:00
Caleb Doxsey
a6bc9f492f
authorize: move impersonation into session/service account ( #1765 )
* move impersonation into session/service account
* replace frontend statik
* fix data race
* move JWT filling to separate function, break up functions
* maybe fix data race
* fix code climate issue
2021-01-11 15:40:08 -07:00
Caleb Doxsey
4f0ce4bc82
fix coverage ( #1741 )
* fix coverage
* fix data races
2021-01-06 08:30:38 -07:00
bobby
f837c92741
dev: update linter ( #1728 )
- gofumpt everything
- fix TLS MinVersion to be at least 1.2
- add octal syntax
- remove newlines
- fix potential decompression bomb in ecjson
- remove implicit memory aliasing in for loops.
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-12-30 09:02:57 -08:00
Caleb Doxsey
4eec2ed1d5
evaluator: use impersonate groups if impersonate email is set ( #1701 )
2020-12-21 08:47:12 -08:00
Caleb Doxsey
ad828c6e84
add support for TCP routes ( #1695 )
2020-12-16 13:09:48 -07:00
Caleb Doxsey
744d4453d5
use the directory email when provided for the jwt ( #1647 )
2020-12-04 11:14:19 -07:00
bobby
5bbd745934
authorize: add signature algo support (RSA / EdDSA) ( #1631 )
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-11-30 17:14:41 -08:00
Caleb Doxsey
3f7777f7e0
wait for initial sync to complete before starting control plane ( #1636 )
2020-11-30 15:45:12 -07:00
Caleb Doxsey
2d5690dde6
remove deprecated cache_service_url config option ( #1614 )
* remove deprecated cache_service_url config option
* remove broken test
* update integration test config
* update nginx example
Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>
2020-11-23 14:57:29 -07:00
Philip Wassermann
85a5961e5e
authorize: add allow_any_authenticated_user policy ( #1515 )
2020-11-05 11:20:50 -07:00
Caleb Doxsey
10b5c5ca0e
fix querying claim data on the dashboard ( #1560 )
2020-10-29 10:49:02 -06:00
Caleb Doxsey
153e438eb6
authorize: implement allowed_idp_claims ( #1542 )
* add arbitrary claims to session
* add support for maps
* update flattened claims
* fix eol
* fix trailing whitespace
* fix tests
2020-10-23 14:05:37 -06:00
Caleb Doxsey
04c582121d
add flag to enable user impersonation ( #1514 )
* add flag to enable user impersonation
* fix typo
2020-10-14 08:17:59 -06:00
Caleb Doxsey
0a6796ff71
authorize: add support for service accounts ( #1374 )
2020-09-04 10:37:00 -06:00
Caleb Doxsey
49d1a71ff2
databroker: add tracing for rego evaluation and databroker sync, fix bug in databroker config source ( #1367 )
2020-09-03 08:11:34 -06:00
Caleb Doxsey
0a2638e5dc
authorize: use impersonate email/groups in JWT ( #1364 )
2020-09-02 13:50:46 -06:00
Caleb Doxsey
4fb90fabe8
config: support explicit prefix and regex path rewriting ( #1363 )
* config: support explicit prefix and regex path rewriting
* add rewrite tests
2020-09-02 13:48:19 -06:00
Caleb Doxsey
51bdf9baae
authorize: add jti to JWT payload ( #1328 )
2020-08-24 15:35:16 -06:00
Cuong Manh Le
e6c78f10e9
authorize/evaluator: add test for ClearRecords
2020-08-06 21:02:20 +07:00
Cuong Manh Le
5653a398de
authorize/evaluator: add more test cases ( #1198 )
2020-08-04 22:43:03 +07:00
Cuong Manh Le
79b5ae7d98
authorize/evaluator: fix wrong custom policies decision ( #1199 )
Test will be added in #1198
2020-08-04 21:11:59 +07:00
Caleb Doxsey
557aef2a33
fix databroker restart versioning, handle missing sessions ( #1145 )
* fix databroker restart versioning, handle missing sessions
* send empty server version to detect change
* only rebuild if there are updated records
2020-07-29 08:45:41 -06:00
Caleb Doxsey
1ad243dfd1
directory.Group entry for groups ( #1118 )
* store directory groups separate from directory users
* fix group lookup, azure display name
* remove fields restriction
* fix test
* also support email
* use Email as name for google
* remove changed file
* show groups on dashboard
* fix test
* re-add accidentally removed code
2020-07-22 11:28:53 -06:00
Caleb Doxsey
504197d83b
custom rego in databroker ( #1124 )
* add support for sub policies
* add support for sub policies
* update authz rego policy to support sub policies
2020-07-22 10:44:05 -06:00
Caleb Doxsey
858077b3b6
authorize: custom rego policies ( #1123 )
* add support for custom rego policies
* add support for passing custom policies
2020-07-21 12:09:26 -06:00
Caleb Doxsey
fff782e04c
authorize: add evaluator store ( #1105 )
* add evaluator store
* handle arrays
2020-07-20 07:39:34 -06:00
Cuong Manh Le
408f201d16
authorize/evaluator/opa/policy: fix allow rules with impersonate ( #1094 )
Currently, with an impersonated request, the real user's email/group still
has effect.
Example:
data.route_policies as [{
    "source": "example.com",
    "allowed_users": ["x@example.com"]
}] with
input.databroker_data as {
    "session": {
        "user_id": "user1"
    },
    "user": {
        "email": "x@example.com"
    }
} with
input.http as { "url": "http://example.com " } with
input.session as { "id": "session1", "impersonate_email": "y@example.com" }
Here user "x@example.com" is allowed, but was impersonated as
"y@example.com". As the rules indicate, the request must be denied,
because they only allow "x@example.com", not "y@example.com". The current
bug causes the request to still be allowed.
To fix it, when evaluating rules for allowed email/group/domain, we must check
that the impersonate email/groups are not set/empty.
Fixes #1091
2020-07-17 22:07:11 +07:00
Caleb Doxsey
a70254ab76
kubernetes apiserver integration ( #1063 )
* sessions: support bearer tokens in authorization
* wip
* remove dead code
* refactor signed jwt code
* use function
* update per comments
* fix test
2020-07-14 08:33:24 -06:00
Cuong Manh Le
d40f294586
authorize: include "kid" in JWT header ( #1049 )
Fixes #1046
2020-07-09 12:39:53 +07:00
Caleb Doxsey
fae02791f5
cryptutil: move to pkg dir, add token generator ( #1029 )
* cryptutil: move to pkg dir, add token generator
* add gitignored files
* add tests
2020-06-30 15:55:33 -06:00
Travis Groth
e27ee4dd32
authorize/evaluator/opa: set client tls cert usage explicitly ( #1026 )
2020-06-29 17:21:54 -04:00
Caleb Doxsey
091b71f12e
grpc: rename internal/grpc to pkg/grpc ( #1010 )
* grpc: rename internal/grpc to pkg/grpc
* don't ignore pkg dir
* remove debug line
2020-06-26 09:17:02 -06:00
Cuong Manh Le
963e1c015a
authorize/evaluator/opa: use route policy object instead of array index ( #1001 )
Make the code more readable, and slightly reduce memory alloc:
opa test -v --bench --count 5 --format gobench
Output:
name old alloc/op new alloc/op delta
DataPomeriumAuthzTestEmailAllowed 109kB ± 0% 108kB ± 0% -0.89% (p=0.008 n=5+5)
DataPomeriumAuthzTestExample 95.4kB ± 0% 93.4kB ± 0% -2.06% (p=0.008 n=5+5)
DataPomeriumAuthzTestEmailDenied 63.6kB ± 0% 61.6kB ± 0% -3.09% (p=0.008 n=5+5)
DataPomeriumAuthzTestPublicAllowed 103kB ± 0% 101kB ± 0% -1.86% (p=0.008 n=5+5)
DataPomeriumAuthzTestPublicDenied 100kB ± 0% 98kB ± 0% -1.64% (p=0.008 n=5+5)
DataPomeriumAuthzTestPomeriumAllowed 62.6kB ± 0% 60.7kB ± 0% -3.14% (p=0.008 n=5+5)
DataPomeriumAuthzTestPomeriumDenied 64.5kB ± 0% 62.5kB ± 0% -3.11% (p=0.008 n=5+5)
DataPomeriumAuthzTestCorsPreflightAllowed 66.7kB ± 0% 64.5kB ± 0% -3.33% (p=0.008 n=5+5)
DataPomeriumAuthzTestCorsPreflightDenied 65.8kB ± 0% 63.3kB ± 0% -3.92% (p=0.008 n=5+5)
DataPomeriumAuthzTestParseUrl 13.8kB ± 0% 13.8kB ± 0% ~ (p=0.167 n=5+5)
DataPomeriumAuthzTestAllowedRouteSource 243kB ± 0% 243kB ± 0% ~ (p=1.000 n=5+5)
DataPomeriumAuthzTestAllowedRoutePrefix 80.9kB ± 0% 80.9kB ± 0% ~ (p=0.690 n=5+5)
DataPomeriumAuthzTestAllowedRoutePath 108kB ± 0% 108kB ± 0% ~ (p=0.452 n=5+5)
DataPomeriumAuthzTestAllowedRouteRegex 90.0kB ± 0% 89.9kB ± 0% ~ (p=0.095 n=5+5)
name old allocs/op new allocs/op delta
DataPomeriumAuthzTestEmailAllowed 1.76k ± 0% 1.74k ± 0% -1.24% (p=0.008 n=5+5)
DataPomeriumAuthzTestExample 1.54k ± 0% 1.51k ± 0% -2.18% (p=0.008 n=5+5)
DataPomeriumAuthzTestEmailDenied 1.05k ± 1% 1.01k ± 1% -3.21% (p=0.008 n=5+5)
DataPomeriumAuthzTestPublicAllowed 1.65k ± 0% 1.63k ± 0% -1.20% (p=0.008 n=5+5)
DataPomeriumAuthzTestPublicDenied 1.61k ± 0% 1.58k ± 0% -1.42% (p=0.008 n=5+5)
DataPomeriumAuthzTestPomeriumAllowed 1.04k ± 1% 1.00k ± 1% -3.27% (p=0.008 n=5+5)
DataPomeriumAuthzTestPomeriumDenied 1.06k ± 1% 1.03k ± 1% -3.19% (p=0.008 n=5+5)
DataPomeriumAuthzTestCorsPreflightAllowed 1.14k ± 1% 1.09k ± 0% -3.96% (p=0.008 n=5+5)
DataPomeriumAuthzTestCorsPreflightDenied 1.09k ± 1% 1.05k ± 0% -4.04% (p=0.008 n=5+5)
DataPomeriumAuthzTestParseUrl 222 ± 0% 222 ± 0% ~ (all equal)
DataPomeriumAuthzTestAllowedRouteSource 3.66k ± 0% 3.66k ± 0% ~ (all equal)
DataPomeriumAuthzTestAllowedRoutePrefix 1.23k ± 0% 1.23k ± 0% ~ (all equal)
DataPomeriumAuthzTestAllowedRoutePath 1.62k ± 0% 1.62k ± 0% ~ (all equal)
DataPomeriumAuthzTestAllowedRouteRegex 1.36k ± 0% 1.36k ± 0% ~ (all equal)
2020-06-25 21:28:54 +07:00