pomerium

mirror of https://github.com/pomerium/pomerium.git synced 2025-05-29 00:47:17 +02:00

Author	SHA1	Message	Date
Joe Kralicky	4f0ff35b4c	Decouple audience claim value from issuer format (#5345 )	2024-10-25 16:21:19 -04:00
Joe Kralicky	e1880ba20f	Add new request header variable 'pomerium.jwt' (#5339 )	2024-10-25 14:35:42 -04:00
Caleb Doxsey	bf1d228131	core/authorize: use uuid for jti, current time for iat and exp (#5147 ) * core/authorize: use uuid for jti, current time for iat and exp * exclude the jtis * Update authorize/evaluator/headers_evaluator_test.go Co-authored-by: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com> --------- Co-authored-by: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com>	2024-06-25 11:31:00 -06:00
Caleb Doxsey	8b3a79152b	core/kubernetes: fix impersonate group header (#5090 ) * core/kubernetes: fix impersonate group header * formatting	2024-04-26 15:26:41 -06:00
Caleb Doxsey	24b04bed35	core/opa: update for rego 1.0 (#4895 ) * core/opa: update headers rego script * core/opa: update ppl * further updates	2024-01-16 09:43:35 -07:00
Kenneth Jenkins	fd84075af1	config: remove set_authorization_header option (#4489 ) Remove the deprecated set_authorization_header option entirely. Add an entry to the removedConfigFields map with a link to the relevant Upgrading page section.	2023-08-29 09:02:08 -07:00
Kenneth Jenkins	e8b489eb87	authorize: rework token substitution in headers (#4456 ) Currently Pomerium replaces dynamic set_request_headers tokens sequentially. As a result, if a replacement value itself contained a supported "$pomerium" token, Pomerium may treat that as another replacement, resulting in incorrect output. This is unlikely to be a problem given the current set of dynamic tokens, but if we continue to add additional tokens, this will likely become more of a concern. To forestall any issues, let's perform all replacements in one pass, using the os.Expand() method. This does require a slight change to the syntax, as tokens containing a '.' will need to be wrapped in curly braces, e.g. ${pomerium.id_token}. A literal dollar sign can be included by using $$ in the input.	2023-08-14 15:28:10 -07:00
Kenneth Jenkins	f7e0b61c03	authorize: client cert fingerprint in set_request_headers (#4447 ) Add support for a new token $pomerium.client_cert_fingerprint in the set_request_headers option. This token will be replaced with the SHA-256 hash of the presented leaf client certificate.	2023-08-09 08:34:51 -07:00
Kenneth Jenkins	74e648630f	authorize: remove JWT timestamp format workaround (#4321 ) Update OPA to v0.54.0, which changes the JSON serialization behavior for large integers. Remove the formatting workaround and the unit test that verified that the workaround was still needed.	2023-06-30 11:54:46 -07:00
Kenneth Jenkins	e7703a1891	add JWT timestamp formatting workaround (#4270 ) Rego will sometimes serialize integers to JSON with a decimal point and exponent. I don't completely understand this behavior. Add a workaround to headers.rego to convert the JWT "iat" and "exp" timestamps to a string and back to an integer. This appears to cause Rego to serialize these values as plain integers. Add a unit test to verify this behavior. Also add a unit test that will fail if the Rego behavior changes, making this workaround unnecessary.	2023-06-16 10:36:00 -07:00
Caleb Doxsey	5be322e2ef	config: add support for $pomerium.id_token and $pomerium.access_token in set_request_headers (#4219 ) * config: add support for $pomerium.id_token and $pomerium.access_token in set_request_headers * lint * Update authorize/evaluator/headers_evaluator_test.go Co-authored-by: Denis Mishin <dmishin@pomerium.com> * fix spelling --------- Co-authored-by: Denis Mishin <dmishin@pomerium.com>	2023-06-01 16:00:02 -06:00
Caleb Doxsey	1dee325b72	authorize: move sign out and jwks urls to route, update issuer for JWT (#4046 ) * authorize: move sign out and jwks urls to route, update issuer for JWT * fix test	2023-03-08 12:40:15 -07:00
Caleb Doxsey	c178819875	move directory providers (#3633 ) * remove directory providers and support for groups * idp: remove directory providers * better error messages * fix errors * restore postgres * fix test	2022-11-03 11:33:56 -06:00
dependabot[bot]	ec495bb682	chore(deps): bump github.com/golangci/golangci-lint from 1.48.0 to 1.50.0 (#3667 ) * chore(deps): bump github.com/golangci/golangci-lint Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.48.0 to 1.50.0. - [Release notes](https://github.com/golangci/golangci-lint/releases) - [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md) - [Commits](https://github.com/golangci/golangci-lint/compare/v1.48.0...v1.50.0) --- updated-dependencies: - dependency-name: github.com/golangci/golangci-lint dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * lint Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>	2022-10-19 09:36:59 -06:00
Caleb Doxsey	d299b42509	authorize: add name claim (#3238 )	2022-04-05 12:08:00 -06:00
Caleb Doxsey	99b9a3ee12	authorize: add support for passing access or id token upstream (#3047 ) * authorize: add support for passing access or id token upstream * use an enum	2022-02-17 09:28:31 -07:00
Caleb Doxsey	c97dcf7e0f	envoy: add hash policy and routing key for hash-based load balancers (#2791 ) * envoy: add hash policy and routing key for hash-based load balancers * fix integration test * fix nginx	2021-12-01 13:42:12 -07:00
Caleb Doxsey	0786c7fc45	authorize: use session.user_id in headers (#2571 )	2021-09-03 14:51:09 -06:00
Caleb Doxsey	ef55829cb0	authorize: fix X-Pomerium-Claim-Groups (#2539 )	2021-08-26 20:29:57 -06:00
Caleb Doxsey	a64e5b5fa1	authorize: add sid to JWT claims (#2420 ) * authorize: add sid to JWT claims * fix import ordering	2021-08-02 16:11:05 -06:00
Caleb Doxsey	1a95036b8c	sessions: add impersonate_session_id, remove legacy impersonation (#2407 ) * sessions: add impersonate_session_id, remove legacy impersonation * show impersonated user details * fix headers * address feedback * only check impersonate id on non-nil pbSession * Revert "only check impersonate id on non-nil pbSession" This reverts commit `a6f7ca5abd`.	2021-07-30 08:42:36 -06:00
Caleb Doxsey	2156dbc553	envoy: always set jwt claim headers even if no value is available (#2261 ) * envoy: always set jwt claim headers even if no value is available * add test	2021-06-04 10:01:00 -07:00
wasaga	40ddc2c4b3	jwt: round timestamp (#2258 )	2021-06-01 14:12:45 -07:00
Caleb Doxsey	dad35bcfb0	ppl: refactor authorize to evaluate PPL (#2224 ) * ppl: refactor authorize to evaluate PPL * remove opa test step * add log statement * simplify assignment * deny with forbidden if logged in * add safeEval function * create evaluator-specific config and options * embed the headers rego file directly	2021-05-21 09:50:18 -06:00
Caleb Doxsey	762b565239	authorize: fix empty sub policy arrays (#2119 )	2021-04-23 11:00:30 -06:00
Caleb Doxsey	3906b70bc5	authorize: support arbitrary jwt claims (#2102 ) * authorize: support arbitrary jwt claims * remove dead code	2021-04-19 14:55:08 -06:00
Caleb Doxsey	d7ab817de7	authorize: add databroker server and record version to result, force sync via polling (#2024 ) * authorize: add databroker server and record version to result, force sync via polling * wrap inmem store to take read lock when grabbing databroker versions * address code review comments * reset max to 0	2021-03-31 10:09:06 -06:00
Caleb Doxsey	4218f49741	authorize: bypass data in rego for databroker data (#2041 )	2021-03-30 14:14:32 -06:00
Nándor István Krácser	45fb938317	oidc: use groups claim from ID token if present (#1970 ) Signed-off-by: Nandor Kracser <bonifaido@gmail.com>	2021-03-22 11:46:01 -06:00
Caleb Doxsey	ae7626df3e	authorize: set JWT to expire after 5 minutes (#1980 ) * authorize: set JWT to expire after 5 minutes * use lesser of 5 minutes or id token expiration * add test for expires at	2021-03-15 07:38:32 -06:00
Caleb Doxsey	b6ec01f377	assets: use embed instead of statik (#1960 ) * assets: use embed instead of statik * remove empty line * maybe fix precommit	2021-03-03 18:56:55 -07:00
Caleb Doxsey	1a1cc30c67	config: support map of jwt claim headers (#1906 ) * config: support map of jwt claim headers * fix array handling, add test * update docs * use separate hook, add tests	2021-02-17 13:43:18 -07:00
Caleb Doxsey	7d236ca1af	authorize: move headers and jwt signing to rego (#1856 ) * wip * wip * wip * remove SignedJWT field * set google_cloud_serverless_authentication_service_account * update jwt claim headers * add mock get_google_cloud_serverless_headers for opa test * swap issuer and audience * add comment * change default port in authz	2021-02-08 10:53:21 -07:00
Caleb Doxsey	25b697a13d	authorize: allow access by user id (#1850 )	2021-02-03 07:15:44 -07:00
Caleb Doxsey	7a5c4fd0f6	authorize: handle null (#1853 )	2021-02-02 17:29:21 -08:00
Caleb Doxsey	74ac23c980	authorize: remove DataBrokerData input (#1847 ) * authorize: remove DataBrokerData * add opa test * domain, group tests * more tests * remove databroker data input * update authz tests * update dead code * fix method name * handle / in keys	2021-02-02 14:27:35 -07:00
Caleb Doxsey	655951cfa1	opa: format rego files (#1845 ) * opa: format rego files * statik	2021-02-01 15:43:08 -07:00
Caleb Doxsey	b7f0242090	authorize: remove admin (#1833 ) * authorize: remove admin * regen rego * add note to upgrading	2021-02-01 15:22:02 -07:00
bobby	6466efddd5	authenticate: update user info screens (#1774 ) - rename "dashboard" to userinfo to avoid confusion - don't leak version from error page. - fix typo in state.go - make statik determenistic on modtime Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2021-01-13 13:15:31 -08:00
Caleb Doxsey	ab4a68f56f	remove user impersonation and service account cli (#1768 ) * remove user impersonation and service account cli * update doc * remove user impersonation url query params * fix flaky test	2021-01-12 09:28:29 -07:00
Caleb Doxsey	a6bc9f492f	authorize: move impersonation into session/service account (#1765 ) * move impersonation into session/service account * replace frontend statik * fix data race * move JWT filling to separate function, break up functions * maybe fix data race * fix code climate issue	2021-01-11 15:40:08 -07:00
Caleb Doxsey	4eec2ed1d5	evaluator: use impersonate groups if impersonate email is set (#1701 )	2020-12-21 08:47:12 -08:00
Caleb Doxsey	ad828c6e84	add support for TCP routes (#1695 )	2020-12-16 13:09:48 -07:00
Caleb Doxsey	2d5690dde6	remove deprecated cache_service_url config option (#1614 ) * remove deprecated cache_service_url config option * remove broken test * update integration test config * update nginx example Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>	2020-11-23 14:57:29 -07:00
Philip Wassermann	85a5961e5e	authorize: add allow_any_authenticated_user policy (#1515 )	2020-11-05 11:20:50 -07:00
Caleb Doxsey	10b5c5ca0e	fix querying claim data on the dashboard (#1560 )	2020-10-29 10:49:02 -06:00
Caleb Doxsey	153e438eb6	authorize: implement allowed_idp_claims (#1542 ) * add arbitrary claims to session * add support for maps * update flattened claims * fix eol * fix trailing whitespace * fix tests	2020-10-23 14:05:37 -06:00
Caleb Doxsey	04c582121d	add flag to enable user impersonation (#1514 ) * add flag to enable user impersonation * fix typo	2020-10-14 08:17:59 -06:00
Caleb Doxsey	4fb90fabe8	config: support explicit prefix and regex path rewriting (#1363 ) * config: support explicity prefix and regex path rewriting * add rewrite tests	2020-09-02 13:48:19 -06:00
Caleb Doxsey	1ad243dfd1	directory.Group entry for groups (#1118 ) * store directory groups separate from directory users * fix group lookup, azure display name * remove fields restriction * fix test * also support email * use Email as name for google' * remove changed file * show groups on dashboard * fix test * re-add accidentally removed code	2020-07-22 11:28:53 -06:00

1 2

77 commits