Commit graph

2857 commits

Author SHA1 Message Date
Kenneth Jenkins
02e219c9c2
Merge branch '0-22-0' into backport-4472-to-0-22-0 2023-08-17 14:37:44 -07:00
Kenneth Jenkins
2edf402803
github-actions: remove license check (#4475)
github-actions: remove license check (#4434)

Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
2023-08-17 14:37:06 -07:00
Kenneth Jenkins
89248e80c1
Merge branch '0-22-0' into backport-4472-to-0-22-0 2023-08-17 13:31:59 -07:00
Kenneth Jenkins
47ffac8006
add integration test for Pomerium JWT (#4472)
Add an integration test case to verify properties of the Pomerium
attestation JWT:

 - The 'iat' and 'exp' timestamps should be plain integers.
 - The JWT should contain an issuer and audience claim.
 - A JWT retrieved from the /.pomerium/jwt endpoint should contain all
   the same data as a JWT from the X-Pomerium-Jwt-Assertion header.
2023-08-17 13:27:25 -07:00
backport-actions-token[bot]
ba7d7d443d
envoy: configure upstream IP SAN match as needed (#4382)
envoy: configure upstream IP SAN match as needed (#4380)

When building an upstream validation context for a particular URL, check
whether the hostname is an IP address. If so, configure the SAN match to
use type IP_ADDRESS rather than DNS.

Co-authored-by: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com>
2023-07-21 13:40:40 -07:00
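The backported change above chooses between DNS and IP SAN matching depending on whether the upstream host is an IP literal. As an added illustration, not Pomerium's or Envoy's code, here is a self-contained Go sketch of the same decision and of why it matters: a typed SAN matcher only consults SANs of its own type, so a literal-IP upstream checked with a DNS matcher fails against a certificate that actually carries the right IP SAN. The SANType labels, the helper names and the self-signed test certificate are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"strings"
	"time"
)

// SANType names the two SAN kinds a validation context can match on.
// The string values are illustrative labels, not an Envoy API.
type SANType string

const (
	SANDNS       SANType = "DNS"
	SANIPAddress SANType = "IP_ADDRESS"
)

// UpstreamSANMatch picks the SAN type for an upstream URL: an IP literal
// (including bracketed IPv6) is matched as IP_ADDRESS, anything else as DNS.
func UpstreamSANMatch(rawURL string) (SANType, string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", "", err
	}
	host := u.Hostname() // drops the port and IPv6 brackets
	if host == "" {
		return "", "", fmt.Errorf("upstream %q has no host", rawURL)
	}
	if ip := net.ParseIP(host); ip != nil {
		return SANIPAddress, ip.String(), nil
	}
	return SANDNS, strings.ToLower(host), nil
}

// MatchesSAN consults only the SANs of the requested type, as a typed matcher
// does. An IP literal never appears among DNS SANs, so asking the DNS matcher
// to check "10.0.0.5" fails even when the cert carries that IP SAN.
func MatchesSAN(cert *x509.Certificate, t SANType, value string) bool {
	switch t {
	case SANDNS:
		for _, n := range cert.DNSNames {
			if strings.EqualFold(n, value) {
				return true
			}
		}
	case SANIPAddress:
		want := net.ParseIP(value)
		for _, ip := range cert.IPAddresses {
			if want != nil && ip.Equal(want) {
				return true
			}
		}
	}
	return false
}

// SelfSignedCert mints a throwaway leaf with the given SANs so the check runs
// offline. Constructed test material, not a real upstream certificate.
func SelfSignedCert(dnsNames, ipAddrs []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "upstream"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
	}
	for _, s := range ipAddrs {
		ip := net.ParseIP(s)
		if ip == nil {
			return nil, fmt.Errorf("bad IP SAN %q", s)
		}
		tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := SelfSignedCert(nil, []string{"10.0.0.5"})
	if err != nil {
		panic(err)
	}
	for _, t := range []SANType{SANDNS, SANIPAddress} {
		fmt.Printf("10.0.0.5 via %s matcher: %v\n", t, MatchesSAN(cert, t, "10.0.0.5"))
	}
}
```

The practical check when debugging an upstream TLS failure is the same as the code's: look at the leaf's SAN extension and confirm that the matcher type in the validation context agrees with what the URL's host actually is.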
backport-actions-token[bot]
9450e48977
autocert: suppress OCSP stapling errors (#4373)
autocert: suppress OCSP stapling errors (#4371)

* autocert: suppress OCSP stapling errors

* check level, add test

Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
2023-07-19 19:59:25 +00:00
Caleb Doxsey
6011c661b2
backport (#4368) 2023-07-18 08:50:42 -06:00
backport-actions-token[bot]
4e8c923ecd
add JWT timestamp formatting workaround (#4309)
add JWT timestamp formatting workaround (#4270)

Rego will sometimes serialize integers to JSON with a decimal point and
exponent. I don't completely understand this behavior.

Add a workaround to headers.rego to convert the JWT "iat" and "exp"
timestamps to a string and back to an integer. This appears to cause
Rego to serialize these values as plain integers.

Add a unit test to verify this behavior. Also add a unit test that will
fail if the Rego behavior changes, making this workaround unnecessary.

Co-authored-by: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com>
2023-06-16 17:28:01 -07:00
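Two commits in this log concern the attestation JWT: #4472 adds an integration test that the iat and exp claims are plain integers, that iss and aud are present, and that the /.pomerium/jwt endpoint and the X-Pomerium-Jwt-Assertion header carry the same data, while #4270 above works around Rego serializing those timestamps with a decimal point and exponent. The Go below is an added, stand-alone check for those properties, not Pomerium's test code: it keeps the raw JSON of each claim so it can distinguish 1692300000 from 1.6923e+09, and compares two tokens' payloads structurally so key order does not matter. Signature verification is deliberately out of scope, and the token builder, header and sample payloads are constructed for the example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"reflect"
	"strings"
)

// payloadBytes returns the decoded payload segment of a compact JWS.
// The signature is not checked: this is a claim-format check only.
func payloadBytes(token string) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token is not a three-part compact JWS")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("payload is not base64url: %w", err)
	}
	return raw, nil
}

// payloadClaims keeps each claim as raw JSON so number formatting survives
// (a float64 decode would erase the difference between 1692300000 and 1.6923e+09).
func payloadClaims(token string) (map[string]json.RawMessage, error) {
	raw, err := payloadBytes(token)
	if err != nil {
		return nil, err
	}
	var claims map[string]json.RawMessage
	if err := json.Unmarshal(raw, &claims); err != nil {
		return nil, fmt.Errorf("payload is not a JSON object: %w", err)
	}
	return claims, nil
}

// isPlainInteger accepts only an unsigned run of digits: no sign, decimal
// point or exponent, which is what NumericDate consumers expect for iat/exp.
func isPlainInteger(raw json.RawMessage) bool {
	s := strings.TrimSpace(string(raw))
	return s != "" && strings.Trim(s, "0123456789") == ""
}

// CheckAttestationClaims enforces the listed properties: iat and exp are
// plain integers, and iss and aud are present.
func CheckAttestationClaims(token string) error {
	claims, err := payloadClaims(token)
	if err != nil {
		return err
	}
	for _, k := range []string{"iat", "exp"} {
		v, ok := claims[k]
		if !ok {
			return fmt.Errorf("missing %q claim", k)
		}
		if !isPlainInteger(v) {
			return fmt.Errorf("%q is not a plain integer: %s", k, string(v))
		}
	}
	for _, k := range []string{"iss", "aud"} {
		if v, ok := claims[k]; !ok || string(v) == "null" {
			return fmt.Errorf("missing %q claim", k)
		}
	}
	return nil
}

// SameClaims reports whether two tokens (say, one from a response header and
// one from an endpoint) carry the same payload data, compared structurally.
func SameClaims(a, b string) (bool, error) {
	var va, vb interface{}
	for _, p := range []struct{ tok string; dst *interface{} }{{a, &va}, {b, &vb}} {
		raw, err := payloadBytes(p.tok)
		if err != nil {
			return false, err
		}
		if err := json.Unmarshal(raw, p.dst); err != nil {
			return false, err
		}
	}
	return reflect.DeepEqual(va, vb), nil
}

// ConstructedToken builds a compact JWS from a JSON payload for offline use.
// The header and signature segments are constructed placeholders.
func ConstructedToken(payload string) string {
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"alg":"ES256","typ":"JWT"}`)) + "." + enc([]byte(payload)) + "." + enc([]byte("constructed-signature"))
}

func main() {
	tok := ConstructedToken(`{"iss":"https://authenticate.example.com","aud":"app.example.com","iat":1.6923e+09,"exp":1692303600}`)
	fmt.Println("float-formatted iat:", CheckAttestationClaims(tok))
}
```

Because the check works on the raw JSON text, it catches exactly the Rego serialization quirk the workaround targets; a check that first decoded the claims into numbers would silently pass 1.6923e+09.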
Kenneth Jenkins
d8d59ddded
pin to a debian:latest image for casource base image (#4250) (#4310)
The debian 'stable' images configure apt to install from the rolling
'stable' repository, rather than a specific Debian release. Thus even
though we pin to a specific Docker image digest, the packages installed
by 'apt-get' can change when a new Debian release is promoted to stable.

Instead, pin to an image where apt is configured to install from
repositories for a specific Debian release (in this case, bullseye).
2023-06-16 14:20:09 -07:00
Kenneth Jenkins
cd833fcf00
ci: fix lint workflow (#4229) (#4311)
Co-authored-by: Denis Mishin <dmishin@pomerium.com>
2023-06-16 13:30:28 -07:00
Caleb Doxsey
2803f3949c
config: update logic for checking overlapping certificates (#4216) (#4217)
* config: update logic for checking overlapping certificates

* add test

* go mod tidy
2023-06-01 10:13:40 -06:00
backport-actions-token[bot]
4a14cab50a
authorize: populate issuer even when policy is nil (#4213)
authorize: populate issuer even when policy is nil (#4211)

Co-authored-by: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com>
2023-05-31 08:59:19 -07:00
backport-actions-token[bot]
ab115b679a
config: simplify default set response headers (#4212)
config: simplify default set response headers (#4196)

Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
2023-05-31 09:39:14 -06:00
Caleb Doxsey
6efd1d6bc9
Merge pull request from GHSA-pvrc-wvj2-f59p
* wip

* authorize: use route id from envoy for policy evaluation

* remove log

* handle error from route id

* authorize: normalize URL query params

* config: enable envoy normalize_path option

* fix tests

---------

Co-authored-by: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com>
2023-05-26 13:34:21 -07:00
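The advisory merge above mentions normalizing URL query parameters in the authorize service and enabling Envoy's normalize_path option before policy is evaluated. The Go below is an added example, not Pomerium's code and not a description of the advisory's specifics: it shows RFC 3986-style normalization (canonical percent-encoding, dot-segment removal, canonical query encoding) and why a path-prefix rule evaluated on the raw request target can disagree with the path the upstream finally resolves. The function names and sample paths are constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strconv"
	"strings"
)

// isUnreserved reports whether c is an RFC 3986 unreserved character; these
// must never stay percent-encoded, or "/%61dmin" and "/admin" compare unequal.
func isUnreserved(c byte) bool {
	return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
		(c >= '0' && c <= '9') || c == '-' || c == '.' || c == '_' || c == '~'
}

// normalizePercentEncoding decodes escaped unreserved bytes and uppercases the
// hex of every other escape. Reserved bytes such as %2F stay encoded so an
// encoded slash is not mistaken for a segment separator.
func normalizePercentEncoding(p string) string {
	var b strings.Builder
	for i := 0; i < len(p); i++ {
		if p[i] == '%' && i+2 < len(p) {
			if v, err := strconv.ParseUint(p[i+1:i+3], 16, 8); err == nil {
				if isUnreserved(byte(v)) {
					b.WriteByte(byte(v))
				} else {
					fmt.Fprintf(&b, "%%%02X", v)
				}
				i += 2
				continue
			}
		}
		b.WriteByte(p[i]) // malformed escape: keep the literal '%'
	}
	return b.String()
}

// NormalizePath yields the form policy should be evaluated on: canonical
// percent-encoding, then dot-segment removal, with a trailing slash preserved.
func NormalizePath(p string) string {
	if !strings.HasPrefix(p, "/") {
		p = "/" + p
	}
	p = normalizePercentEncoding(p)
	trailing := len(p) > 1 && strings.HasSuffix(p, "/")
	p = path.Clean(p)
	if trailing && p != "/" {
		p += "/"
	}
	return p
}

// NormalizeQuery reparses and re-encodes the query so key order and escape
// style no longer matter: "b=2&a=%31" and "a=1&b=2" become identical.
func NormalizeQuery(rawQuery string) (string, error) {
	v, err := url.ParseQuery(rawQuery)
	if err != nil {
		return "", err
	}
	return v.Encode(), nil
}

// NormalizeRequestURI normalizes the path and query of a request target.
func NormalizeRequestURI(raw string) (string, error) {
	raw, _, _ = strings.Cut(raw, "#") // a fragment is never sent to the server
	p, q, hasQuery := strings.Cut(raw, "?")
	p = NormalizePath(p)
	if !hasQuery {
		return p, nil
	}
	nq, err := NormalizeQuery(q)
	if err != nil || nq == "" {
		return p, err
	}
	return p + "?" + nq, nil
}

// MatchesPrefixPolicy evaluates a path-prefix rule against the normalized path,
// so "/public/../admin/x" is recognised as an "/admin" request.
func MatchesPrefixPolicy(prefix, rawPath string) bool {
	np := NormalizePath(rawPath)
	prefix = strings.TrimSuffix(prefix, "/")
	return np == prefix || strings.HasPrefix(np, prefix+"/")
}

func main() {
	for _, p := range []string{"/public/../admin/users", "/%61dmin/%2E%2E/admin/", "/admin%2fusers"} {
		fmt.Printf("%-28s -> %-16s admin policy: %v\n", p, NormalizePath(p), MatchesPrefixPolicy("/admin", p))
	}
}
```

The design point is that the proxy and the policy engine must see the same normalized form; if only the upstream normalizes, a rule keyed on the raw path can be bypassed with dot segments or alternate escapes.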
backport-actions-token[bot]
4aa6960e06
databroker: fix fast forward (#4194)
databroker: fix fast forward (#4192)

* databroker: sort configs

* databroker: fix fast-forward

* newest not oldest

Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
2023-05-23 15:47:07 -06:00
backport-actions-token[bot]
ca59798540
databroker: sort configs (#4191)
databroker: sort configs (#4190)

Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
2023-05-23 11:09:47 -06:00
backport-actions-token[bot]
73efa34698
envoy: set re2 limits very high (#4189)
envoy: set re2 limits very high (#4187)

* envoy: set re2 limits very high

* fix test

Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
2023-05-23 08:57:39 -06:00
backport-actions-token[bot]
45a577d736
improve certificate matching performance (#4188)
improve certificate matching performance (#4186)

Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
2023-05-23 13:41:48 +00:00
backport-actions-token[bot]
9b78ae9bdb
fix WillHaveCertificateForServerName check to be strict match for derived cert name (#4169)
fix WillHaveCertificateForServerName check to be strict match for derived cert name (#4167)

Co-authored-by: Denis Mishin <dmishin@pomerium.com>
2023-05-09 22:57:53 +00:00
backport-actions-token[bot]
66dadf7c9f
envoyconfig: disable validation context when no client certificates are required (#4152)
envoyconfig: disable validation context when no client certificates are required (#4151)

Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
2023-05-04 21:35:00 +00:00
backport-actions-token[bot]
0cc9da26cf
Update SECURITY.md (#4145)
Update SECURITY.md (#4144)

Please see our security policy as described: https://www.pomerium.com/docs/internals/security

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
2023-05-01 19:19:15 +00:00
Denis Mishin
0ab2057714
authenticate: add events (#4051) 2023-05-01 15:11:30 -04:00
dependabot[bot]
b936b3653b
chore(deps): bump github.com/google/go-jsonnet from 0.19.1 to 0.20.0 (#4140)
Bumps [github.com/google/go-jsonnet](https://github.com/google/go-jsonnet) from 0.19.1 to 0.20.0.
- [Release notes](https://github.com/google/go-jsonnet/releases)
- [Changelog](https://github.com/google/go-jsonnet/blob/master/.goreleaser.yml)
- [Commits](https://github.com/google/go-jsonnet/compare/v0.19.1...v0.20.0)

---
updated-dependencies:
- dependency-name: github.com/google/go-jsonnet
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-05-01 14:50:20 -04:00
Caleb Doxsey
498bc82e81
config: default to authenticate.pomerium.app when authenticate url is not specified (#4132) 2023-04-26 10:32:17 -06:00
dependabot[bot]
ab55a6c7c8
chore(deps): bump github.com/open-policy-agent/opa from 0.49.2 to 0.51.0 (#4130)
Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 0.49.2 to 0.51.0.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-policy-agent/opa/compare/v0.49.2...v0.51.0)

---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-04-25 22:56:41 -04:00
Caleb Doxsey
3d9322bd32
autocert: fix certmagic cache logging (#4134) 2023-04-25 14:21:13 -06:00
Caleb Doxsey
18bc86d632
config: add support for wildcard from addresses (#4131)
* config: add support for wildcards

* update policy matching, header generation

* remove deprecated field

* fix test
2023-04-25 13:34:38 -06:00
dependabot[bot]
949454e886
chore(deps): bump github.com/rs/zerolog from 1.29.0 to 1.29.1 (#4127)
Bumps [github.com/rs/zerolog](https://github.com/rs/zerolog) from 1.29.0 to 1.29.1.
- [Release notes](https://github.com/rs/zerolog/releases)
- [Commits](https://github.com/rs/zerolog/compare/v1.29.0...v1.29.1)

---
updated-dependencies:
- dependency-name: github.com/rs/zerolog
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-04-24 18:31:27 -06:00
dependabot[bot]
64aa3afa3e
chore(deps): bump google-github-actions/auth from 1.0.0 to 1.1.0 (#4121)
Bumps [google-github-actions/auth](https://github.com/google-github-actions/auth) from 1.0.0 to 1.1.0.
- [Release notes](https://github.com/google-github-actions/auth/releases)
- [Changelog](https://github.com/google-github-actions/auth/blob/main/CHANGELOG.md)
- [Commits](ef5d53e30b...e8df18b60c)

---
updated-dependencies:
- dependency-name: google-github-actions/auth
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-04-24 18:30:56 -06:00
dependabot[bot]
6a9f2cc706
chore(deps): bump docker/metadata-action from 4.3.0 to 4.4.0 (#4122)
Bumps [docker/metadata-action](https://github.com/docker/metadata-action) from 4.3.0 to 4.4.0.
- [Release notes](https://github.com/docker/metadata-action/releases)
- [Commits](507c2f2dc5...c4ee3adeed)

---
updated-dependencies:
- dependency-name: docker/metadata-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-04-24 18:30:35 -06:00
dependabot[bot]
7750fa68a3
chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.19 to 1.18.21 (#4126)
chore(deps): bump github.com/aws/aws-sdk-go-v2/config

Bumps [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) from 1.18.19 to 1.18.21.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.18.19...config/v1.18.21)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/config
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-04-24 18:30:13 -06:00
dependabot[bot]
17d2e98696
chore(deps): bump actions/setup-python from 4.5.0 to 4.6.0 (#4123)
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.5.0 to 4.6.0.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](d27e3f3d7c...57ded4d7d5)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-04-24 18:29:54 -06:00
dependabot[bot]
0f4fc06948
chore(deps): bump coverallsapp/github-action from 2.1.0 to 2.1.2 (#4124)
Bumps [coverallsapp/github-action](https://github.com/coverallsapp/github-action) from 2.1.0 to 2.1.2.
- [Release notes](https://github.com/coverallsapp/github-action/releases)
- [Commits](045a251935...f350da2c03)

---
updated-dependencies:
- dependency-name: coverallsapp/github-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-04-24 18:29:33 -06:00
dependabot[bot]
39a4738ef4
chore(deps): bump github.com/minio/minio-go/v7 from 7.0.50 to 7.0.52 (#4128)
Bumps [github.com/minio/minio-go/v7](https://github.com/minio/minio-go) from 7.0.50 to 7.0.52.
- [Release notes](https://github.com/minio/minio-go/releases)
- [Commits](https://github.com/minio/minio-go/compare/v7.0.50...v7.0.52)

---
updated-dependencies:
- dependency-name: github.com/minio/minio-go/v7
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-04-24 18:28:58 -06:00
dependabot[bot]
951d176a45
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.2 to 3.23.3 (#4129)
Bumps [github.com/shirou/gopsutil/v3](https://github.com/shirou/gopsutil) from 3.23.2 to 3.23.3.
- [Release notes](https://github.com/shirou/gopsutil/releases)
- [Commits](https://github.com/shirou/gopsutil/compare/v3.23.2...v3.23.3)

---
updated-dependencies:
- dependency-name: github.com/shirou/gopsutil/v3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-04-24 18:28:38 -06:00
Caleb Doxsey
bbed421cd8
config: remove source, remove deadcode, fix linting issues (#4118)
* remove source, remove deadcode, fix linting issues

* use github action for lint

* fix missing envoy
2023-04-21 17:25:11 -06:00
Denis Mishin
34c1e44c7e
tls: wildcard catch-all cert must be at the end of cert list (#4119) 2023-04-21 12:37:32 -04:00
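The commit above requires the wildcard catch-all certificate to sit last in the certificate list. As an added example (not Pomerium's code), the Go below shows why with a first-match lookup: with `*.example.com` ahead of `app.example.com`, the exact certificate is never selected, while ordering exact-name certificates before wildcards fixes that and keeps the wildcard as the fallback. NamedCert and the helper names are constructed for the example and model SAN names only, not real certificates.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// NamedCert stands in for a loaded TLS certificate; only its SAN names matter here.
type NamedCert struct {
	ID    string
	Names []string // e.g. "app.example.com" or "*.example.com"
}

// matchesName implements single-label wildcard matching: "*.example.com"
// matches "app.example.com" but neither "example.com" nor "a.b.example.com".
func matchesName(pattern, serverName string) bool {
	pattern, serverName = strings.ToLower(pattern), strings.ToLower(serverName)
	if !strings.HasPrefix(pattern, "*.") {
		return pattern == serverName
	}
	suffix := pattern[1:] // ".example.com"
	if !strings.HasSuffix(serverName, suffix) {
		return false
	}
	label := serverName[:len(serverName)-len(suffix)]
	return label != "" && !strings.Contains(label, ".")
}

// isWildcard reports whether the certificate carries any wildcard name.
func isWildcard(c NamedCert) bool {
	for _, n := range c.Names {
		if strings.HasPrefix(n, "*.") {
			return true
		}
	}
	return false
}

// FirstMatch mimics a lookup that returns the first certificate in list order
// with a name matching the SNI server name.
func FirstMatch(certs []NamedCert, serverName string) (string, bool) {
	for _, c := range certs {
		for _, n := range c.Names {
			if matchesName(n, serverName) {
				return c.ID, true
			}
		}
	}
	return "", false
}

// OrderCertificates returns a copy with wildcard certificates moved after all
// exact-name certificates; the stable sort keeps relative order otherwise.
func OrderCertificates(certs []NamedCert) []NamedCert {
	out := make([]NamedCert, len(certs))
	copy(out, certs)
	sort.SliceStable(out, func(i, j int) bool {
		return !isWildcard(out[i]) && isWildcard(out[j])
	})
	return out
}

func main() {
	certs := []NamedCert{
		{ID: "wildcard", Names: []string{"*.example.com"}},
		{ID: "app", Names: []string{"app.example.com"}},
	}
	before, _ := FirstMatch(certs, "app.example.com")
	after, _ := FirstMatch(OrderCertificates(certs), "app.example.com")
	fmt.Printf("app.example.com: wildcard first -> %s, exact first -> %s\n", before, after)
}
```
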
Caleb Doxsey
681cf6fa27
config: fix set_response_headers (#4026)
* config: fix set_response_headers

* fix disabling to support route headers when global headers are disabled
2023-04-20 17:07:23 -06:00
Caleb Doxsey
b7d846464c
dependencies: upgrade go and envoy (#4116)
* dependencies: upgrade go and envoy

* upgrade go
2023-04-17 16:44:58 -06:00
dependabot[bot]
9e960d9515
chore(deps): bump actions/checkout from 3.5.0 to 3.5.2 (#4108)
Bumps [actions/checkout](https://github.com/actions/checkout) from 3.5.0 to 3.5.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](8f4b7f8486...8e5e7e5ab8)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-04-17 13:47:36 -06:00
dependabot[bot]
bffca1edaf
chore(deps): bump mikefarah/yq from 4.33.1 to 4.33.3 (#4109)
Bumps [mikefarah/yq](https://github.com/mikefarah/yq) from 4.33.1 to 4.33.3.
- [Release notes](https://github.com/mikefarah/yq/releases)
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt)
- [Commits](ebd1548e96...d2f1ae9db7)

---
updated-dependencies:
- dependency-name: mikefarah/yq
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-04-17 13:47:15 -06:00
dependabot[bot]
0bea757243
chore(deps): bump github.com/prometheus/client_golang from 1.14.0 to 1.15.0 (#4110)
chore(deps): bump github.com/prometheus/client_golang

Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.14.0 to 1.15.0.
- [Release notes](https://github.com/prometheus/client_golang/releases)
- [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prometheus/client_golang/compare/v1.14.0...v1.15.0)

---
updated-dependencies:
- dependency-name: github.com/prometheus/client_golang
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-04-17 13:46:56 -06:00
dependabot[bot]
aea7afbddc
chore(deps): bump debian from d4bbca2 to 1fbdbcf (#4115)
Bumps debian from `d4bbca2` to `1fbdbcf`.

---
updated-dependencies:
- dependency-name: debian
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-04-17 13:46:33 -06:00
dependabot[bot]
8429cfa286
chore(deps): bump github.com/ory/dockertest/v3 from 3.9.1 to 3.10.0 (#4111)
Bumps [github.com/ory/dockertest/v3](https://github.com/ory/dockertest) from 3.9.1 to 3.10.0.
- [Release notes](https://github.com/ory/dockertest/releases)
- [Commits](https://github.com/ory/dockertest/compare/v3.9.1...v3.10.0)

---
updated-dependencies:
- dependency-name: github.com/ory/dockertest/v3
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-04-17 13:46:09 -06:00
dependabot[bot]
34aad76c11
chore(deps): bump google.golang.org/api from 0.116.0 to 0.118.0 (#4112)
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.116.0 to 0.118.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.116.0...v0.118.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-04-17 13:40:10 -06:00
dependabot[bot]
1f6e16c18a
chore(deps): bump golang.org/x/oauth2 from 0.6.0 to 0.7.0 (#4113)
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.6.0 to 0.7.0.
- [Release notes](https://github.com/golang/oauth2/releases)
- [Commits](https://github.com/golang/oauth2/compare/v0.6.0...v0.7.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-04-17 13:39:43 -06:00
dependabot[bot]
b6704b108a
chore(deps): bump golang from 413cd9e to 73c225b (#4114)
Bumps golang from `413cd9e` to `73c225b`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-04-17 13:39:21 -06:00
Caleb Doxsey
f63945c0ad
support loading route configuration via rds (#4098)
* support loading route configuration via rds

* fix any shadowing

* fix test

* add fully static option

* support dynamically defined rds

* fix build

* downgrade opa
2023-04-17 11:20:12 -06:00
dependabot[bot]
d485ca8306
chore(deps): bump coverallsapp/github-action from 2.0.0 to 2.1.0 (#4100)
Bumps [coverallsapp/github-action](https://github.com/coverallsapp/github-action) from 2.0.0 to 2.1.0.
- [Release notes](https://github.com/coverallsapp/github-action/releases)
- [Commits](67662d2439...045a251935)

---
updated-dependencies:
- dependency-name: coverallsapp/github-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-04-10 11:52:54 -06:00
dependabot[bot]
f0dbc06f15
chore(deps): bump github.com/docker/docker from 23.0.1+incompatible to 23.0.3+incompatible (#4101)
chore(deps): bump github.com/docker/docker

Bumps [github.com/docker/docker](https://github.com/docker/docker) from 23.0.1+incompatible to 23.0.3+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](https://github.com/docker/docker/compare/v23.0.1...v23.0.3)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-04-10 11:51:21 -06:00