Commit graph

446 commits

Author SHA1 Message Date
Caleb Doxsey
f63945c0ad
support loading route configuration via rds (#4098)
* support loading route configuration via rds

* fix any shadowing

* fix test

* add fully static option

* support dynamically defined rds

* fix build

* downgrade opa
2023-04-17 11:20:12 -06:00
Caleb Doxsey
0f295d4a63
hpke: move published public keys to a new endpoint (#4044) 2023-03-08 09:17:04 -07:00
Caleb Doxsey
76a7ce3a6f
authorize: allow access to /.pomerium/webauthn when policy denies access (#4015) 2023-02-27 09:49:06 -07:00
Caleb Doxsey
d2b732243a
cryptutil: generate certificates from deriveca (#3992) 2023-02-23 08:38:56 -07:00
Denis Mishin
df54a0c603
authenticate: fix callback handler for split mode (#4008)
fix auth handler for split mode
2023-02-23 10:01:24 -05:00
Denis Mishin
62ca7ffaa2
authenticate: fix authenticate_internal_service_url for all in one (#4003) 2023-02-22 10:42:27 -05:00
Caleb Doxsey
513519e4be
lua: fix rewrite response headers to handle dashes in URLs (#3980)
* lua: fix rewrite response headers to handle dashes in URLs

* fix test
2023-02-16 08:51:53 -07:00
Denis Mishin
d0e7b88b64
envoy: optimize listener (#3952) 2023-02-11 22:44:57 -05:00
Caleb Doxsey
b50d5f3203
config: add additional dns lookup families, default to V4_PREFERRED (#3957) 2023-02-10 16:29:23 -07:00
Caleb Doxsey
e66c26c9ad
envoyconfig: preserve case of HTTP headers when using HTTP/1 (#3956) 2023-02-10 16:29:10 -07:00
Denis Mishin
ab430624f2
tls_derive: rename for consistency (#3905)
rename for consistency with other tls options
2023-01-17 17:04:26 -05:00
Caleb Doxsey
1e6a483ce9
config: add missing options (#3882)
* config: add missing options

* remove _file options from protobuf

* fix

* lint
2023-01-12 10:55:12 -07:00
Caleb Doxsey
da46b4a47d
config: use insecure skip verify if derived certificates are not used (#3861) 2023-01-11 13:50:51 -07:00
Denis Mishin
04a82813f3
explicitly list gRPC services accessible via the gRPC listener (#3879) 2023-01-11 12:38:34 -05:00
Caleb Doxsey
3f1a87727f
config: generate derived certificates instead of self-signed certificates (#3860) 2023-01-06 12:50:40 -07:00
Denis Mishin
488bcd6f72
auto tls (#3856) 2023-01-05 16:35:58 -05:00
Denis Mishin
e019885218
mTLS: allow gRPC TLS for all in one (#3854)
* make grpc_insecure an optional bool

* use internal addresses for all in one databroker and tls
2023-01-03 12:45:04 -05:00
Caleb Doxsey
271b0787a8
config: add support for extended TCP route URLs (#3845)
* config: add support for extended TCP route URLs

* never mind, add duplicate names
2022-12-27 12:50:33 -07:00
Caleb Doxsey
67e12101fa
envoyconfig: clean up filter chain construction (#3844)
* cleanup filter chain construction

* rename domains to server names

* rename to hosts

* fix tests

* update function name

* improved domain matching
2022-12-27 10:07:26 -07:00
Denis Mishin
a49f86d023
use tlsClientConfig instead of custom dialer (#3830)
* use tlsClientConfig instead of custom dialer

* rm debug log
2022-12-27 09:55:36 -07:00
Caleb Doxsey
3e892a8533
options: support multiple signing keys (#3828)
* options: support multiple signing keys

* fix controlplane method, errors
2022-12-22 09:31:09 -07:00
Caleb Doxsey
c86ca6f76f
webauthn: require session when accessing /.pomerium/webauthn (#3814)
* webauthn: require session when accessing /.pomerium/webauthn

* remove dead code

* remove unused PomeriumDomains field
2022-12-16 10:59:21 -07:00
Caleb Doxsey
b375dc4896
jwt: require logged in user to return .pomerium/jwt (#3807)
* jwt: require logged in user to return .pomerium/jwt

* fix test

* update test
2022-12-13 13:49:36 -07:00
dependabot[bot]
8d1235a5cc
chore(deps): bump github.com/open-policy-agent/opa from 0.46.1 to 0.47.0 (#3782)
* chore(deps): bump github.com/open-policy-agent/opa from 0.46.1 to 0.47.0

Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 0.46.1 to 0.47.0.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-policy-agent/opa/compare/v0.46.1...v0.47.0)

---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* fix test

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
2022-12-05 15:07:14 -07:00
Caleb Doxsey
cef6b355ae
config: add option for tls renegotiation (#3773)
config: add option for tls renegotiation
2022-11-28 14:34:06 -07:00
Denis Mishin
fa0ba60aee
bump envoy to v1.24.0 (#3767) 2022-11-28 09:32:31 -07:00
Caleb Doxsey
fa26587f19
remove forward auth (#3628) 2022-11-23 15:59:28 -07:00
Caleb Doxsey
ba07afc245
hpke: add HPKE key to JWKS endpoint (#3762)
* hpke: add HPKE key to JWKS endpoint

* fix test, add http caching headers

* fix error message

* use pointers
2022-11-23 08:45:59 -07:00
Caleb Doxsey
9413123c0f
config: generate cookie secret if not set in all-in-one mode (#3742)
* config: generate cookie secret if not set in all-in-one mode

* fix tests

* config: add warning about cookie_secret

* breakup lines
2022-11-11 14:14:30 -07:00
Caleb Doxsey
2c9087f5e7
config: disable Strict-Transport-Security when using a self-signed certificate (#3743) 2022-11-10 16:01:06 -07:00
Eng Zer Jun
45ce6f693a
test: use T.TempDir to create temporary test directory (#3725)
Prior to this commit, temporary directories in tests were created using
`filepath.Join` and `os.MkdirAll`.

This commit replaces `os.MkdirAll` with `t.TempDir` in tests. The
directory created by `t.TempDir` is automatically removed when the test
and all its subtests complete.

Reference: https://pkg.go.dev/testing#T.TempDir
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>

Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2022-11-08 09:16:32 -07:00
Denis Mishin
74a7daed4f
add config option check logging (#3722) 2022-11-05 00:25:09 -04:00
Caleb Doxsey
c178819875
move directory providers (#3633)
* remove directory providers and support for groups

* idp: remove directory providers

* better error messages

* fix errors

* restore postgres

* fix test
2022-11-03 11:33:56 -06:00
Denis Mishin
d8f4355f66
fix unused key warnings in routes (#3711) 2022-10-28 14:59:43 -04:00
Caleb Doxsey
6a9d6e45e1
config: allow blank identity providers when loading sessions for service account support (#3709) 2022-10-27 08:32:06 -06:00
Caleb Doxsey
30bdae3d9e
sessions: check idp id to detect provider changes to force session invalidation (#3707)
* sessions: check idp id to detect provider changes to force session invalidation

* remove dead code

* fix test
2022-10-25 16:20:32 -06:00
Caleb Doxsey
3f7a482815
envoyconfig: fix databroker health checks (#3706) 2022-10-25 12:37:46 -06:00
Caleb Doxsey
daed2d260c
config: disable envoy admin by default, expose stats via envoy route (#3677) 2022-10-18 16:25:03 -06:00
Caleb Doxsey
71b1bcfac5
config: default to http2 (#3660)
* config: default to http2

* fix test
2022-10-12 14:46:06 -06:00
Caleb Doxsey
de804edc19
ppl: support special characters in claim keys (#3639)
* ppl: support special characters in claim keys

* fix test
2022-10-03 07:35:18 -06:00
Caleb Doxsey
8d7db85737
envoyconfig: add all routes to all filter chains (#3596) 2022-09-07 09:55:03 -06:00
Caleb Doxsey
33794ff316
envoyconfig: add virtual host domains for certificates in addition to routes (#3593)
* envoyconfig: add virtual host domains for certificates in addition to routes

* Update pkg/cryptutil/certificates.go

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Update pkg/cryptutil/tls.go

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* comments

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
2022-08-31 10:35:45 -06:00
Alex
fc21579e4b
Fix typos (#3575)
typos
2022-08-30 15:51:40 -07:00
Caleb Doxsey
e5ac784cf4
autocert: add support for ACME TLS-ALPN (#3590)
* autocert: add support for ACME TLS-ALPN

* always re-create acme tls server
2022-08-29 16:19:20 -06:00
Caleb Doxsey
ce818b3be6
envoyconfig: add authority header to outbound gRPC requests (#3545) 2022-08-24 15:18:31 -06:00
Caleb Doxsey
4d38da94dd
envoy: upgrade to 1.23.0 (#3560)
* envoy: upgrade to 1.23.0

* only set ipv4_compat if :: or an ipv4in6 address

* fix tests
2022-08-22 15:03:29 -06:00
Caleb Doxsey
46703b9419
config: add branding settings (#3558) 2022-08-16 14:51:47 -06:00
Caleb Doxsey
3c63b6c028
authorize: add policy error details for custom error messages (#3542)
* authorize: add policy error details for custom error messages

* remove fmt.Println

* fix tests

* add docs
2022-08-09 14:46:31 -06:00
Caleb Doxsey
b5ac7dbc76
sets: convert set types to generics (#3519)
* sets: convert set types to generics

* sets: use internal sets package
2022-07-29 12:32:17 -06:00
Caleb Doxsey
0ac7e45a21
atomicutil: use atomicutil.Value wherever possible (#3517)
* atomicutil: use atomicutil.Value wherever possible

* fix test

* fix mux router
2022-07-28 15:38:38 -06:00