3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-04-28 18:06:34 +02:00
Code Issues Projects Releases Packages Wiki Activity
3735 commits 159 branches 125 tags 103 MiB
Commit graph

243 commits

Author SHA1 Message Date
Travis Groth
88a77c42bb
cache: add client telemetry (#975) 2020-06-22 18:18:44 -04:00
Caleb Doxsey
8362f18355
authenticate: move impersonate from proxy to authenticate (#965) 2020-06-22 11:58:27 -06:00
Caleb Doxsey
dbd7f55b20
feature/databroker: user data and session refactor project (#926) 
* databroker: add databroker, identity manager, update cache (#864)

* databroker: add databroker, identity manager, update cache

* fix cache tests

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* authorize: use databroker data for rego policy (#904)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix gitlab test

* use v4 backoff

* authenticate: databroker changes (#914)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix dashboard

* delete session on logout

* permanently delete sessions once they are marked as deleted

* remove permanent delete

* fix tests

* remove groups and refresh test

* databroker: remove dead code, rename cache url, move dashboard (#925)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix dashboard

* delete session on logout

* permanently delete sessions once they are marked as deleted

* remove permanent delete

* fix tests

* remove cache service

* remove kv

* remove refresh docs

* remove obsolete cache docs

* add databroker url option

* cache: use memberlist to detect multiple instances

* add databroker service url

* remove cache service

* remove kv

* remove refresh docs

* remove obsolete cache docs

* add databroker url option

* cache: use memberlist to detect multiple instances

* add databroker service url

* wip

* remove groups and refresh test

* fix redirect, signout

* remove databroker client from proxy

* remove unused method

* remove user dashboard test

* handle missing session ids

* session: reject sessions with no id

* sessions: invalidate old sessions via databroker server version (#930)

* session: add a version field tied to the databroker server version that can be used to invalidate sessions

* fix tests

* add log

* authenticate: create user record immediately, call "get" directly in authorize (#931)
 2020-06-19 07:52:44 -06:00
Travis Groth
6761cc7a14
telemetry: service label updates (#802) 2020-05-29 15:16:22 -04:00
Caleb Doxsey
268a7067c1
forward-auth: support x-forwarded-uri (#780) 2020-05-26 14:07:20 -06:00
Caleb Doxsey
f770ccfedd
config: add getters for URLs to avoid nils (#777) 
* config: add getters for URLs to avoid nils

* allow nil url for cache grpc client connection in authenticate
 2020-05-26 11:36:18 -06:00
Caleb Doxsey
f40fb3d2ea
envoy: forward claim and assertion headers (#739) 2020-05-20 10:02:12 -06:00
Caleb Doxsey
af649d3eb0 envoy: implement header and query param session loading (#684) 
* authorize: refactor session loading, implement headers and query params

* authorize: fix http recorder header, use constant for pomerium authorization header

* fix compile

* remove dead code
 2020-05-18 17:10:10 -04:00
Travis Groth
99e788a9b4 envoy: Initial changes 2020-05-18 17:10:10 -04:00
Bobby DeSimone
bf9a6f5e97
cryptutil: add automatic certificate management (#644) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-05-05 12:50:19 -07:00
Travis Groth
b2e3b22f14
Update JWT headers to only be in responses from forward auth endpoint (#642) 2020-05-04 07:26:37 -04:00
Caleb Doxsey
b1d3bbaf56
authorize: add support for .pomerium and unauthenticated routes (#639) 
* authorize: add support for .pomerium and unauthenticated routes
integration-tests: add test for forward auth dashboard urls

* proxy: fix ctx error test to return a 200 when authorize allows it
 2020-04-29 10:55:46 -06:00
Caleb Doxsey
ea1c6efc24 authorize: fix domain check bug, rewrite url for forward auth, add dev script 2020-04-20 18:24:48 -06:00
Caleb Doxsey
2130a58dfb proxy: fmt code 2020-04-20 18:24:36 -06:00
Caleb Doxsey
5be8265e62 proxy: add test to confirm prefix routing behaves as expected 2020-04-20 18:24:36 -06:00
Caleb Doxsey
19053c8f06 proxy: add additional tests for trailing slash 2020-04-20 18:24:36 -06:00
Caleb Doxsey
e1d2501a94 proxy: move warning message to config validation 2020-04-20 18:24:36 -06:00
Caleb Doxsey
c8c307be69 proxy: update warning message 2020-04-20 18:24:36 -06:00
Caleb Doxsey
85a1a6d013 authorize,proxy: remove support for paths within the from parameter 2020-04-20 18:24:36 -06:00
Caleb Doxsey
e8c8e7c688 config: use full string url instead of just the hostname for the policy options 2020-04-20 18:24:11 -06:00
Caleb Doxsey
5ecfa34361 config: gofmt 2020-04-20 18:23:35 -06:00
Caleb Doxsey
d6591e4109 proxy: add additional tests for route matcher function 2020-04-20 18:23:35 -06:00
Caleb Doxsey
7027f458dd config: add prefix, path and regex options 
proxy: support prefix, path and regex options
 2020-04-20 18:23:34 -06:00
branchmispredictor
0de3c431a6
forward-auth: validate using forwarded uri header (#600) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
Co-authored-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-04-20 10:56:30 -07:00
Travis Groth
789068e27a
Add configurable JWT claim headers (#596) 2020-04-09 23:41:55 -04:00
Bobby DeSimone
56e3f92181
proxy: remove unused session unmarshal (#592) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-04-07 19:59:40 -07:00
Bobby DeSimone
ba14ea246d
*: remove import path comments (#545) 
- import path comments are obsoleted by the go.mod file's module statement

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-03-16 10:13:47 -07:00
Bobby DeSimone
8d1732582e
authorize: use jwt insead of state struct (#514) 
authenticate: unmarshal and verify state from jwt, instead of middleware
authorize: embed opa policy using statik
authorize: have IsAuthorized handle authorization for all routes
authorize: if no signing key is provided, one is generated
authorize: remove IsAdmin grpc endpoint
authorize/client: return authorize decision struct
cmd/pomerium: main logger no longer contains email and group
cryptutil: add ECDSA signing methods
dashboard: have impersonate form show up for all users, but have api gated by authz
docs: fix typo in signed jwt header
encoding/jws: remove unused es256 signer
frontend: namespace static web assets
internal/sessions: remove leeway to match authz policy
proxy:  move signing functionality to authz
proxy: remove jwt attestation from proxy (authZ does now)
proxy: remove non-signed headers from headers
proxy: remove special handling of x-forwarded-host
sessions: do not verify state in middleware
sessions: remove leeway from state to match authz
sessions/{all}: store jwt directly instead of state

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-03-10 11:19:26 -07:00
Travis Groth
e666306ef8
Remove superfluous Options.Checksum type conversions (#522) 2020-03-06 17:59:26 -05:00
Bobby DeSimone
2f13488598
authorize: use opa for policy engine (#474) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-02-02 11:18:22 -08:00
ohdarling88
111aa8f4d5
move set request headers before handle allow public access to fix https://github.com/pomerium/pomerium/issues/477 (#479) 2020-02-02 11:15:13 -08:00
Bobby DeSimone
e82477ea5c
deployment: throw away golanglint-ci defaults (#439) 
* deployment: throw away golanglint-ci defaults

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-01-26 12:33:45 -08:00
Bobby DeSimone
8956bf4411
proxy: add preserve host header (#463) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-01-22 21:03:22 -08:00
Bobby DeSimone
dccc7cd2ff
cache : add cache service (#457) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-01-20 18:25:34 -08:00
Bobby DeSimone
f0d811f2bb
proxy: fix unauthorized redirect loop (fwdauth) (#448) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-01-11 10:23:50 -08:00
Bobby DeSimone
ec029c679b
authenticate/proxy: add backend refresh (#438) 2019-12-30 10:47:54 -08:00
Bobby DeSimone
b3d3159185
httputil : wrap handlers for additional context (#413) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2019-12-06 11:07:45 -08:00
Bobby DeSimone
487fc655d6
authenticate: make session default match IDP (#416) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2019-12-04 22:22:10 -08:00
Bobby DeSimone
12bae5cc43
errors: use %w verb directive (#419) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2019-12-03 20:02:43 -08:00
Bobby DeSimone
74cd9eabbb
authenticate: fix impersonation getting cleared (#411) 2019-11-30 10:54:32 -08:00
Bobby DeSimone
c8e6277a30
Merge remote-tracking branch 'upstream/master' into bugs/fix-forward-auth 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2019-11-25 15:02:25 -08:00
Bobby DeSimone
0f6a9d7f1d
proxy: fix forward auth, request signing 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2019-11-25 14:29:52 -08:00
Bobby DeSimone
ebee64b70b
internal/frontend : serve static assets (#392) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2019-11-22 17:46:01 -08:00
Travis Groth
f20d913abe
proxy: Fix policy reload regression (#396) 
* Fix policy reload regression

* Update changelog
 2019-11-22 19:28:36 -05:00
Bobby DeSimone
6743accd74
lint: bump golangci-lint 1.21.0 (#391) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2019-11-19 19:58:11 -08:00
Bobby DeSimone
00c29f4e77
authenticate: handle XHR redirect flow (#387) 
- authenticate: add cors preflight check support for sign_in endpoint
- internal/httputil: indicate responses that originate from pomerium vs the app
- proxy: detect XHR requests and do not redirect on failure.
- authenticate: removed default session duration; should be maintained out of band with rpc.
 2019-11-14 19:37:31 -08:00
Bobby DeSimone
e2943b7c80
internal/sessions: fix upgrade path for new sessions (#382) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2019-11-12 13:19:08 -08:00
Travis Groth
f3c62c10cc
Rename internal/config to config (#380) 2019-11-09 19:53:11 -05:00
Bobby DeSimone
b9ab49c32c
internal/sessions: fix cookie clear session (#376) 
CookieStore's ClearSession now properly clears the user session cookie by setting MaxAge to -1.

internal/sessions: move encoder interface to encoding package, and rename to MarshalUnmarshaler.
internal/encoding: move mock to own package
authenticate: use INFO log level for authZ error.

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2019-11-09 10:49:24 -08:00
Bobby DeSimone
d3d60d1055 all: support route scoped sessions 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2019-11-06 17:54:15 -08:00