Currently, policy evaluation and authorize logging are coupled to the
Envoy CheckRequest proto message (part of the ext_authz API). In the
context of ssh proxy authentication, we won't have a CheckRequest.
Instead, let's make the existing evaluator.Request type the source of
truth for the authorize log fields.
This way, whether we populate the evaluator.Request struct from an
ext_authz request or from an ssh proxy request, we can use the same
logAuthorizeCheck() method for logging.
Add some additional fields to evaluator.RequestHTTP for the authorize
log fields that are not currently represented in this struct.
* identity: add support for verifying access and identity tokens
* allow overriding with policy option
* authenticate: add verify endpoints
* wip
* implement session creation
* add verify test
* implement idp token login
* fix tests
* add pr permission
* make session ids route-specific
* rename method
* add test
* add access token test
* test for newUserFromIDPClaims
* more tests
* make the session id per-idp
* use type for
* add test
* remove nil checks
Update the AccessTracker, WebAuthn handlers, and identity manager
refresh loop to perform their session record updates using the
databroker Patch() method.
This should prevent any of these updates from conflicting.
Partially revert #4374: do not record the peerCertificateValidated()
result as reported by Envoy, as this does not work correctly for resumed
TLS sessions. Instead always record the certificate chain as presented
by the client. Remove the corresponding ClientCertificateInfo Validated
field, and update affected code accordingly. Skip the CRL integration
test case for now.
Configure Envoy to validate client certificates, using the union of all
relevant client CA bundles (that is, a bundle of the main client CA
setting together with all per-route client CAs). Pass the validation
status from Envoy through to the authorize service, by configuring Envoy
to use the newly-added SetClientCertificateMetadata filter, and by also
adding the relevant metadata namespace to the ExtAuthz configuration.
Remove the existing 'include_peer_certificate' setting from the ExtAuthz
configuration, as the metadata from the Lua filter will include the full
certificate chain (when it validates successfully by Envoy).
Update policy evaluation to consider the validation status from Envoy,
in addition to its own certificate chain validation. (Policy evaluation
cannot rely solely on the Envoy validation status while we still support
the per-route client CA setting.)
* session: add accessed at date
* authorize: track session and service account access times
* Revert "databroker: add support for field masks on Put (#3210)"
This reverts commit 2dc778035d.
* add test
* fix data race in test
* add deadline for update
* track dropped accesses
* wip
* wip
* handle wildcards in override name
* remove wait for ready, add comment about sync, force initial sync complete in test
* address comments
* authorize: add databroker server and record version to result, force sync via polling
* wrap inmem store to take read lock when grabbing databroker versions
* address code review comments
* reset max to 0
* refactor backend, implement encrypted store
* refactor in-memory store
* wip
* wip
* wip
* add syncer test
* fix redis expiry
* fix linting issues
* fix test by skipping non-config records
* fix backoff import
* fix init issues
* fix query
* wait for initial sync before starting directory sync
* add type to SyncLatest
* add more log messages, fix deadlock in in-memory store, always return server version from SyncLatest
* update sync types and tests
* add redis tests
* skip macos in github actions
* add comments to proto
* split getBackend into separate methods
* handle errors in initVersion
* return different error for not found vs other errors in get
* use exponential backoff for redis transaction retry
* rename raw to result
* use context instead of close channel
* store type urls as constants in databroker
* use timestampb instead of ptypes
* fix group merging not waiting
* change locked names
* update GetAll to return latest record version
* add method to grpcutil to get the type url for a protobuf type
- gofumpt everything
- fix TLS MinVersion to be at least 1.2
- add octal syntax
- remove newlines
- fix potential decompression bomb in ecjson
- remove implicit memory aliasing in for loops.
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
In #1030, the fix was done without aware of the context that traefik
forward auth mode did allow request without the "?uri=". Previosuly,
this is done in proxy, and by converting the forward auth request to
actual request. The fix is #1030 prevent this conversion, to makre
authorize service aware of which is forward auth request.
But that causes traefik forward auth without "?uri" stop working. Fixing
it by making the authorize service also honor the forwarded uri header,
too.
Fixes#1096
Some ingress like traefik set the X-Forwarded-Uri header instead
of passing the actual path in request, we should hornor and use
that header in forward auth mode.
While at it, refactoring the handleForwardAuth to return earlier instead
of nested condition, and add more tests to cover all cases.
* databroker: add databroker, identity manager, update cache (#864)
* databroker: add databroker, identity manager, update cache
* fix cache tests
* directory service (#885)
* directory: add google and okta
* add onelogin
* add directory provider
* initialize before sync, upate google provider, remove dead code
* add azure provider
* fix azure provider
* fix gitlab
* add gitlab test, fix azure test
* hook up okta
* remove dead code
* fix tests
* fix flaky test
* authorize: use databroker data for rego policy (#904)
* wip
* add directory provider
* initialize before sync, upate google provider, remove dead code
* fix flaky test
* update authorize to use databroker data
* implement signed jwt
* wait for session and user to appear
* fix test
* directory service (#885)
* directory: add google and okta
* add onelogin
* add directory provider
* initialize before sync, upate google provider, remove dead code
* add azure provider
* fix azure provider
* fix gitlab
* add gitlab test, fix azure test
* hook up okta
* remove dead code
* fix tests
* fix flaky test
* remove log line
* only redirect when no session id exists
* prepare rego query as part of create
* return on ctx done
* retry on disconnect for sync
* move jwt signing
* use !=
* use parent ctx for wait
* remove session state, remove logs
* rename function
* add log message
* pre-allocate slice
* use errgroup
* return nil on eof for sync
* move check
* disable timeout on gRPC requests in envoy
* fix gitlab test
* use v4 backoff
* authenticate: databroker changes (#914)
* wip
* add directory provider
* initialize before sync, upate google provider, remove dead code
* fix flaky test
* update authorize to use databroker data
* implement signed jwt
* wait for session and user to appear
* fix test
* directory service (#885)
* directory: add google and okta
* add onelogin
* add directory provider
* initialize before sync, upate google provider, remove dead code
* add azure provider
* fix azure provider
* fix gitlab
* add gitlab test, fix azure test
* hook up okta
* remove dead code
* fix tests
* fix flaky test
* remove log line
* only redirect when no session id exists
* prepare rego query as part of create
* return on ctx done
* retry on disconnect for sync
* move jwt signing
* use !=
* use parent ctx for wait
* remove session state, remove logs
* rename function
* add log message
* pre-allocate slice
* use errgroup
* return nil on eof for sync
* move check
* disable timeout on gRPC requests in envoy
* fix dashboard
* delete session on logout
* permanently delete sessions once they are marked as deleted
* remove permanent delete
* fix tests
* remove groups and refresh test
* databroker: remove dead code, rename cache url, move dashboard (#925)
* wip
* add directory provider
* initialize before sync, upate google provider, remove dead code
* fix flaky test
* update authorize to use databroker data
* implement signed jwt
* wait for session and user to appear
* fix test
* directory service (#885)
* directory: add google and okta
* add onelogin
* add directory provider
* initialize before sync, upate google provider, remove dead code
* add azure provider
* fix azure provider
* fix gitlab
* add gitlab test, fix azure test
* hook up okta
* remove dead code
* fix tests
* fix flaky test
* remove log line
* only redirect when no session id exists
* prepare rego query as part of create
* return on ctx done
* retry on disconnect for sync
* move jwt signing
* use !=
* use parent ctx for wait
* remove session state, remove logs
* rename function
* add log message
* pre-allocate slice
* use errgroup
* return nil on eof for sync
* move check
* disable timeout on gRPC requests in envoy
* fix dashboard
* delete session on logout
* permanently delete sessions once they are marked as deleted
* remove permanent delete
* fix tests
* remove cache service
* remove kv
* remove refresh docs
* remove obsolete cache docs
* add databroker url option
* cache: use memberlist to detect multiple instances
* add databroker service url
* remove cache service
* remove kv
* remove refresh docs
* remove obsolete cache docs
* add databroker url option
* cache: use memberlist to detect multiple instances
* add databroker service url
* wip
* remove groups and refresh test
* fix redirect, signout
* remove databroker client from proxy
* remove unused method
* remove user dashboard test
* handle missing session ids
* session: reject sessions with no id
* sessions: invalidate old sessions via databroker server version (#930)
* session: add a version field tied to the databroker server version that can be used to invalidate sessions
* fix tests
* add log
* authenticate: create user record immediately, call "get" directly in authorize (#931)
