Caleb Doxsey
a0e64b1cf9
authorize: add request IP to rego evaluation (#3107)
2022-03-07 15:07:58 -07:00
Caleb Doxsey
99b9a3ee12
authorize: add support for passing access or id token upstream (#3047)
* authorize: add support for passing access or id token upstream
* use an enum
2022-02-17 09:28:31 -07:00
cfanbo
84dad4c612
remove deprecated ioutil usages (#2877)
* fix: Fixed return description error
* config/options: Adjust the position of TracingJaegerAgentEndpoint option
* DOCS: Remove duplicate configuration items
Remove duplicate configuration items of route
* remove deprecated ioutil usages
2021-12-30 10:02:12 -08:00
Caleb Doxsey
2d04106e6d
ppl: add support for http_path and http_method (#2813)
* ppl: add support for http_path and http_method
* fix import ordering
2021-12-10 07:28:51 -07:00
Caleb Doxsey
c97dcf7e0f
envoy: add hash policy and routing key for hash-based load balancers (#2791)
* envoy: add hash policy and routing key for hash-based load balancers
* fix integration test
* fix nginx
2021-12-01 13:42:12 -07:00
Caleb Doxsey
6e48627b4d
ppl: add support for additional data (#2696)
* ppl: add support for additional data
* remove unused NewCriterionDeviceRule
2021-10-22 12:32:20 -06:00
Caleb Doxsey
efffe57bf0
ppl: pass contextual information through policy (#2612)
* ppl: pass contextual information through policy
* maybe fix nginx
* fix nginx
* pr comments
* go mod tidy
2021-09-20 16:02:26 -06:00
Caleb Doxsey
0786c7fc45
authorize: use session.user_id in headers (#2571)
2021-09-03 14:51:09 -06:00
Caleb Doxsey
33f5190572
config: remove signature_key_algorithm (#2557)
* config: remove signature_key_algorithm
* typo
* add more tests
2021-09-02 11:36:43 -06:00
Caleb Doxsey
de1ed61b9a
authorize: fix google cloudrun header audience (#2558)
2021-09-02 09:55:06 -06:00
Caleb Doxsey
ef55829cb0
authorize: fix X-Pomerium-Claim-Groups (#2539)
2021-08-26 20:29:57 -06:00
Caleb Doxsey
526f946097
fix forward-auth, logging (#2509)
* fix forward-auth, logging
* move error message
2021-08-23 17:50:04 -06:00
Caleb Doxsey
6af0655206
protoutil: add NewAny method for deterministic serialization (#2462)
2021-08-09 17:51:57 -06:00
Caleb Doxsey
a64e5b5fa1
authorize: add sid to JWT claims (#2420)
* authorize: add sid to JWT claims
* fix import ordering
2021-08-02 16:11:05 -06:00
Caleb Doxsey
1a95036b8c
sessions: add impersonate_session_id, remove legacy impersonation (#2407)
* sessions: add impersonate_session_id, remove legacy impersonation
* show impersonated user details
* fix headers
* address feedback
* only check impersonate id on non-nil pbSession
* Revert "only check impersonate id on non-nil pbSession"
This reverts commit a6f7ca5abd.
2021-07-30 08:42:36 -06:00
bobby
aa0e6872de
evaluator: use cryptutil to hash (#2384)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2021-07-22 06:15:54 -07:00
Caleb Doxsey
c7a8f11d9a
authorize: add additional tracing for rego evaluation (#2381)
2021-07-21 15:37:51 -06:00
Caleb Doxsey
cef08a1c2d
authorize: remove service account impersonate user id, email and groups (#2365)
2021-07-15 09:31:45 -06:00
Caleb Doxsey
21ffe44dff
authorize: support boolean deny results (#2338)
* authorize: support boolean deny results
* add client certificate test
* handle different array lengths
2021-07-06 12:52:26 -06:00
Caleb Doxsey
f9675f61cc
deps: upgrade to go-jose v3 (#2284)
2021-06-10 09:35:44 -06:00
Caleb Doxsey
2156dbc553
envoy: always set jwt claim headers even if no value is available (#2261)
* envoy: always set jwt claim headers even if no value is available
* add test
2021-06-04 10:01:00 -07:00
wasaga
40ddc2c4b3
jwt: round timestamp (#2258)
2021-06-01 14:12:45 -07:00
wasaga
12c8bb2da4
authorize: preserve original context (#2247)
2021-06-01 11:10:35 -04:00
Caleb Doxsey
dad35bcfb0
ppl: refactor authorize to evaluate PPL (#2224)
* ppl: refactor authorize to evaluate PPL
* remove opa test step
* add log statement
* simplify assignment
* deny with forbidden if logged in
* add safeEval function
* create evaluator-specific config and options
* embed the headers rego file directly
2021-05-21 09:50:18 -06:00
Caleb Doxsey
c85c8b0778
authorize: refactor store locking (#2151)
* authorize: refactor store locking
* fix nil reference panic
2021-04-29 08:37:27 -06:00
Caleb Doxsey
f365b30e02
authorize: remove log (#2122)
2021-04-23 14:00:08 -06:00
Caleb Doxsey
762b565239
authorize: fix empty sub policy arrays (#2119)
2021-04-23 11:00:30 -06:00
Caleb Doxsey
b1d62bb541
config: remove validate side effects (#2109)
* config: default shared key
* handle additional errors
* update grpc addr and grpc insecure
* update google cloud service authentication service account
* fix set response headers
* fix qps
* fix test
2021-04-22 15:10:50 -06:00
wasaga
e0c09a0998
log context (#2107)
2021-04-22 10:58:13 -04:00
Caleb Doxsey
3906b70bc5
authorize: support arbitrary jwt claims (#2102)
* authorize: support arbitrary jwt claims
* remove dead code
2021-04-19 14:55:08 -06:00
Caleb Doxsey
d7ab817de7
authorize: add databroker server and record version to result, force sync via polling (#2024)
* authorize: add databroker server and record version to result, force sync via polling
* wrap inmem store to take read lock when grabbing databroker versions
* address code review comments
* reset max to 0
2021-03-31 10:09:06 -06:00
Caleb Doxsey
4218f49741
authorize: bypass data in rego for databroker data (#2041)
2021-03-30 14:14:32 -06:00
Nándor István Krácser
45fb938317
oidc: use groups claim from ID token if present (#1970)
Signed-off-by: Nandor Kracser <bonifaido@gmail.com>
2021-03-22 11:46:01 -06:00
Caleb Doxsey
3690a32855
config: use getters for authenticate, signout and forward auth urls (#2000)
2021-03-19 14:49:25 -06:00
Caleb Doxsey
ae7626df3e
authorize: set JWT to expire after 5 minutes (#1980)
* authorize: set JWT to expire after 5 minutes
* use lesser of 5 minutes or id token expiration
* add test for expires at
2021-03-15 07:38:32 -06:00
Caleb Doxsey
b6ec01f377
assets: use embed instead of statik (#1960)
* assets: use embed instead of statik
* remove empty line
* maybe fix precommit
2021-03-03 18:56:55 -07:00
Caleb Doxsey
5d60cff21e
databroker: refactor databroker to sync all changes (#1879)
* refactor backend, implement encrypted store
* refactor in-memory store
* wip
* wip
* wip
* add syncer test
* fix redis expiry
* fix linting issues
* fix test by skipping non-config records
* fix backoff import
* fix init issues
* fix query
* wait for initial sync before starting directory sync
* add type to SyncLatest
* add more log messages, fix deadlock in in-memory store, always return server version from SyncLatest
* update sync types and tests
* add redis tests
* skip macos in github actions
* add comments to proto
* split getBackend into separate methods
* handle errors in initVersion
* return different error for not found vs other errors in get
* use exponential backoff for redis transaction retry
* rename raw to result
* use context instead of close channel
* store type urls as constants in databroker
* use timestampb instead of ptypes
* fix group merging not waiting
* change locked names
* update GetAll to return latest record version
* add method to grpcutil to get the type url for a protobuf type
2021-02-18 15:24:33 -07:00
Caleb Doxsey
1a1cc30c67
config: support map of jwt claim headers (#1906)
* config: support map of jwt claim headers
* fix array handling, add test
* update docs
* use separate hook, add tests
2021-02-17 13:43:18 -07:00
Caleb Doxsey
7d236ca1af
authorize: move headers and jwt signing to rego (#1856)
* wip
* wip
* wip
* remove SignedJWT field
* set google_cloud_serverless_authentication_service_account
* update jwt claim headers
* add mock get_google_cloud_serverless_headers for opa test
* swap issuer and audience
* add comment
* change default port in authz
2021-02-08 10:53:21 -07:00
Caleb Doxsey
25b697a13d
authorize: allow access by user id (#1850)
2021-02-03 07:15:44 -07:00
Caleb Doxsey
7a5c4fd0f6
authorize: handle null (#1853)
2021-02-02 17:29:21 -08:00
Caleb Doxsey
74ac23c980
authorize: remove DataBrokerData input (#1847)
* authorize: remove DataBrokerData
* add opa test
* domain, group tests
* more tests
* remove databroker data input
* update authz tests
* update dead code
* fix method name
* handle / in keys
2021-02-02 14:27:35 -07:00
Caleb Doxsey
eed873b263
authorize: remove DataBrokerData (#1846)
* authorize: remove DataBrokerData
* fix method name
2021-02-02 11:40:21 -07:00
Caleb Doxsey
655951cfa1
opa: format rego files (#1845)
* opa: format rego files
* statik
2021-02-01 15:43:08 -07:00
Caleb Doxsey
b7f0242090
authorize: remove admin (#1833)
* authorize: remove admin
* regen rego
* add note to upgrading
2021-02-01 15:22:02 -07:00
Caleb Doxsey
cc85ea601d
policy: add new certificate-authority option for downstream mTLS client certificates (#1835)
* policy: add new certificate-authority option for downstream mTLS client certificates
* update proto, docs
2021-02-01 08:10:32 -07:00
Caleb Doxsey
84e8f6cc05
config: fix databroker policies (#1821)
2021-01-25 17:18:50 -07:00
bobby
6466efddd5
authenticate: update user info screens (#1774)
- rename "dashboard" to userinfo to avoid confusion
- don't leak version from error page.
- fix typo in state.go
- make statik deterministic on modtime
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2021-01-13 13:15:31 -08:00
Caleb Doxsey
ab4a68f56f
remove user impersonation and service account cli (#1768)
* remove user impersonation and service account cli
* update doc
* remove user impersonation url query params
* fix flaky test
2021-01-12 09:28:29 -07:00
Caleb Doxsey
a6bc9f492f
authorize: move impersonation into session/service account (#1765)
* move impersonation into session/service account
* replace frontend statik
* fix data race
* move JWT filling to separate function, break up functions
* maybe fix data race
* fix code climate issue
2021-01-11 15:40:08 -07:00