3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-04-29 02:16:28 +02:00
Code Issues Projects Releases Packages Wiki Activity
3698 commits 156 branches 125 tags 103 MiB
Commit graph

459 commits

Author SHA1 Message Date
Caleb Doxsey
baf964f44a
config: update logic for checking overlapping certificates (#4216) 
* config: update logic for checking overlapping certificates

* add test

* go mod tidy
 2023-06-01 09:30:46 -06:00
Caleb Doxsey
a741cce50e
config: simplify default set response headers (#4196) 2023-05-30 17:44:06 -06:00
Caleb Doxsey
d315e68335
Merge pull request from GHSA-pvrc-wvj2-f59p 
* authorize: use route id from envoy for policy evaluation

* authorize: normalize URL query params

* config: enable envoy normalize_path option

* fix tests

---------

Co-authored-by: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com>
 2023-05-26 13:34:21 -07:00
Caleb Doxsey
083dbea392
envoy: set re2 limits very high (#4187) 
* envoy: set re2 limits very high

* fix test
 2023-05-23 08:36:17 -06:00
Caleb Doxsey
e3b2b3994c
improve certificate matching performance (#4186) 2023-05-23 07:39:02 -06:00
Denis Mishin
80ffefeafd
fix WillHaveCertificateForServerName check to be strict match for derived cert name (#4167) 2023-05-09 18:54:50 -04:00
Caleb Doxsey
3325dac4af
envoyconfig: disable validation context when no client certificates are required (#4151) 2023-05-04 15:32:14 -06:00
Caleb Doxsey
be0104b842
config: add cookie_same_site option (#4148) 2023-05-03 14:36:42 -06:00
Caleb Doxsey
498bc82e81
config: default to authenticate.pomerium.app when authenticate url is not specified (#4132) 2023-04-26 10:32:17 -06:00
Caleb Doxsey
18bc86d632
config: add support for wildcard from addresses (#4131) 
* config: add support for wildcards

* update policy matching, header generation

* remove deprecated field

* fix test
 2023-04-25 13:34:38 -06:00
Caleb Doxsey
bbed421cd8
config: remove source, remove deadcode, fix linting issues (#4118) 
* remove source, remove deadcode, fix linting issues

* use github action for lint

* fix missing envoy
 2023-04-21 17:25:11 -06:00
Denis Mishin
34c1e44c7e
tls: wildcard catch-all cert must be at the end of cert list (#4119) 2023-04-21 12:37:32 -04:00
Caleb Doxsey
681cf6fa27
config: fix set_response_headers (#4026) 
* config: fix set_response_headers

* fix disabling to support route headers when global headers are disabled
 2023-04-20 17:07:23 -06:00
Caleb Doxsey
f63945c0ad
support loading route configuration via rds (#4098) 
* support loading route configuration via rds

* fix any shadowing

* fix test

* add fully static option

* support dynamically defined rds

* fix build

* downgrade opa
 2023-04-17 11:20:12 -06:00
Caleb Doxsey
0f295d4a63
hpke: move published public keys to a new endpoint (#4044) 2023-03-08 09:17:04 -07:00
Caleb Doxsey
76a7ce3a6f
authorize: allow access to /.pomerium/webauthn when policy denies access (#4015) 2023-02-27 09:49:06 -07:00
Caleb Doxsey
d2b732243a
cryptutil: generate certificates from deriveca (#3992) 2023-02-23 08:38:56 -07:00
Denis Mishin
df54a0c603
authenticate: fix callback handler for split mode (#4008) 
fix auth handler for split mode
 2023-02-23 10:01:24 -05:00
Denis Mishin
62ca7ffaa2
authenticate: fix authenticate_internal_service_url for all in one (#4003) 2023-02-22 10:42:27 -05:00
Caleb Doxsey
513519e4be
lua: fix rewrite response headers to handle dashes in URLs (#3980) 
* lua: fix rewrite response headers to handle dashes in URLs

* fix test
 2023-02-16 08:51:53 -07:00
Denis Mishin
d0e7b88b64
envoy: optimize listener (#3952) 2023-02-11 22:44:57 -05:00
Caleb Doxsey
b50d5f3203
config: add additional dns lookup families, default to V4_PREFERRED (#3957) 2023-02-10 16:29:23 -07:00
Caleb Doxsey
e66c26c9ad
envoyconfig: preserve case of HTTP headers when using HTTP/1 (#3956) 2023-02-10 16:29:10 -07:00
Denis Mishin
ab430624f2
tls_derive: rename for consistency (#3905) 
rename for consistency with other tls options
 2023-01-17 17:04:26 -05:00
Caleb Doxsey
1e6a483ce9
config: add missing options (#3882) 
* config: add missing options

* remove _file options from protobuf

* fix

* lint
 2023-01-12 10:55:12 -07:00
Caleb Doxsey
da46b4a47d
config: use insecure skip verify if derived certificates are not used (#3861) 2023-01-11 13:50:51 -07:00
Denis Mishin
04a82813f3
explicitly list gRPC services accessible via the gRPC listener (#3879) 2023-01-11 12:38:34 -05:00
Caleb Doxsey
3f1a87727f
config: generate derived certificates instead of self-signed certificates (#3860) 2023-01-06 12:50:40 -07:00
Denis Mishin
488bcd6f72
auto tls (#3856) 2023-01-05 16:35:58 -05:00
Denis Mishin
e019885218
mTLS: allow gRPC TLS for all in one (#3854) 
* make grpc_insecure an optional bool

* use internal addresses for all in one databroker and tls
 2023-01-03 12:45:04 -05:00
Caleb Doxsey
271b0787a8
config: add support for extended TCP route URLs (#3845) 
* config: add support for extended TCP route URLs

* nevermind, add duplicate names
 2022-12-27 12:50:33 -07:00
Caleb Doxsey
67e12101fa
envoyconfig: clean up filter chain construction (#3844) 
* cleanup filter chain construction

* rename domains to server names

* rename to hosts

* fix tests

* update function name

* improved domaain matching
 2022-12-27 10:07:26 -07:00
Denis Mishin
a49f86d023
use tlsClientConfig instead of custom dialer (#3830) 
* use tlsClientConfig instead of custom dialer

* rm debug log
 2022-12-27 09:55:36 -07:00
Caleb Doxsey
3e892a8533
options: support multiple signing keys (#3828) 
* options: support multiple signing keys

* fix controlplane method, errors
 2022-12-22 09:31:09 -07:00
Caleb Doxsey
c86ca6f76f
webauthn: require session when accessing /.pomerium/webauthn (#3814) 
* webauthn: require session when accessing /.pomerium/webauthn

* remove dead code

* remove unusued PomeriumDomains field
 2022-12-16 10:59:21 -07:00
Caleb Doxsey
b375dc4896
jwt: require logged in user to return .pomerium/jwt (#3807) 
* jwt: require logged in user to return .pomerium/jwt

* fix test

* update test
 2022-12-13 13:49:36 -07:00
dependabot[bot]
8d1235a5cc
chore(deps): bump github.com/open-policy-agent/opa from 0.46.1 to 0.47.0 (#3782) 
* chore(deps): bump github.com/open-policy-agent/opa from 0.46.1 to 0.47.0

Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 0.46.1 to 0.47.0.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-policy-agent/opa/compare/v0.46.1...v0.47.0)

---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* fix test

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
 2022-12-05 15:07:14 -07:00
Caleb Doxsey
cef6b355ae
config: add option for tls renegotiation (#3773) 
config: add option for tls renogotiation
 2022-11-28 14:34:06 -07:00
Denis Mishin
fa0ba60aee
bump envoy to v1.24.0 (#3767) 2022-11-28 09:32:31 -07:00
Caleb Doxsey
fa26587f19
remove forward auth (#3628) 2022-11-23 15:59:28 -07:00
Caleb Doxsey
ba07afc245
hpke: add HPKE key to JWKS endpoint (#3762) 
* hpke: add HPKE key to JWKS endpoint

* fix test, add http caching headers

* fix error message

* use pointers
 2022-11-23 08:45:59 -07:00
Caleb Doxsey
9413123c0f
config: generate cookie secret if not set in all-in-one mode (#3742) 
* config: generate cookie secret if not set in all-in-one mode

* fix tests

* config: add warning about cookie_secret

* breakup lines
 2022-11-11 14:14:30 -07:00
Caleb Doxsey
2c9087f5e7
config: disable Strict-Transport-Security when using a self-signed certificate (#3743) 2022-11-10 16:01:06 -07:00
Eng Zer Jun
45ce6f693a
test: use T.TempDir to create temporary test directory (#3725) 
Prior to this commit, temporary directories in tests were created using
`filepath.Join` and `os.MkdirAll`.

This commit replaces `os.MkdirAll` with `t.TempDir` in tests. The
directory created by `t.TempDir` is automatically removed when the test
and all its subtests complete.

Reference: https://pkg.go.dev/testing#T.TempDir
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>

Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
 2022-11-08 09:16:32 -07:00
Denis Mishin
74a7daed4f
add config option check logging (#3722) 2022-11-05 00:25:09 -04:00
Caleb Doxsey
c178819875
move directory providers (#3633) 
* remove directory providers and support for groups

* idp: remove directory providers

* better error messages

* fix errors

* restore postgres

* fix test
 2022-11-03 11:33:56 -06:00
Denis Mishin
d8f4355f66
fix unused key warnings in routes (#3711) 2022-10-28 14:59:43 -04:00
Caleb Doxsey
6a9d6e45e1
config: allow blank identity providers when loading sessions for service account support (#3709) 2022-10-27 08:32:06 -06:00
Caleb Doxsey
30bdae3d9e
sessions: check idp id to detect provider changes to force session invalidation (#3707) 
* sessions: check idp id to detect provider changes to force session invalidation

* remove dead code

* fix test
 2022-10-25 16:20:32 -06:00
Caleb Doxsey
3f7a482815
envoyconfig: fix databroker health checks (#3706) 2022-10-25 12:37:46 -06:00