3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-04-30 19:06:33 +02:00
Code Issues Projects Releases Packages Wiki Activity
777 commits 157 branches 125 tags 103 MiB
Commit graph

16 commits

Author SHA1 Message Date
Caleb Doxsey
091b71f12e
grpc: rename internal/grpc to pkg/grpc (#1010) 
* grpc: rename internal/grpc to pkg/grpc

* don't ignore pkg dir

* remove debug line
 2020-06-26 09:17:02 -06:00
Cuong Manh Le
963e1c015a
authorize/evaluator/opa: use route policy object instead of array index (#1001) 
Make the code more readable, and slightly reduce memory alloc:

	opa test -v --bench --count 5 --format gobench

Output:

name                                       old alloc/op                     new alloc/op                     delta
DataPomeriumAuthzTestEmailAllowed                               109kB ± 0%                       108kB ± 0%  -0.89%  (p=0.008 n=5+5)
DataPomeriumAuthzTestExample                                   95.4kB ± 0%                      93.4kB ± 0%  -2.06%  (p=0.008 n=5+5)
DataPomeriumAuthzTestEmailDenied                               63.6kB ± 0%                      61.6kB ± 0%  -3.09%  (p=0.008 n=5+5)
DataPomeriumAuthzTestPublicAllowed                              103kB ± 0%                       101kB ± 0%  -1.86%  (p=0.008 n=5+5)
DataPomeriumAuthzTestPublicDenied                               100kB ± 0%                        98kB ± 0%  -1.64%  (p=0.008 n=5+5)
DataPomeriumAuthzTestPomeriumAllowed                           62.6kB ± 0%                      60.7kB ± 0%  -3.14%  (p=0.008 n=5+5)
DataPomeriumAuthzTestPomeriumDenied                            64.5kB ± 0%                      62.5kB ± 0%  -3.11%  (p=0.008 n=5+5)
DataPomeriumAuthzTestCorsPreflightAllowed                      66.7kB ± 0%                      64.5kB ± 0%  -3.33%  (p=0.008 n=5+5)
DataPomeriumAuthzTestCorsPreflightDenied                       65.8kB ± 0%                      63.3kB ± 0%  -3.92%  (p=0.008 n=5+5)
DataPomeriumAuthzTestParseUrl                                  13.8kB ± 0%                      13.8kB ± 0%    ~     (p=0.167 n=5+5)
DataPomeriumAuthzTestAllowedRouteSource                         243kB ± 0%                       243kB ± 0%    ~     (p=1.000 n=5+5)
DataPomeriumAuthzTestAllowedRoutePrefix                        80.9kB ± 0%                      80.9kB ± 0%    ~     (p=0.690 n=5+5)
DataPomeriumAuthzTestAllowedRoutePath                           108kB ± 0%                       108kB ± 0%    ~     (p=0.452 n=5+5)
DataPomeriumAuthzTestAllowedRouteRegex                         90.0kB ± 0%                      89.9kB ± 0%    ~     (p=0.095 n=5+5)

name                                       old allocs/op                    new allocs/op                    delta
DataPomeriumAuthzTestEmailAllowed                               1.76k ± 0%                       1.74k ± 0%  -1.24%  (p=0.008 n=5+5)
DataPomeriumAuthzTestExample                                    1.54k ± 0%                       1.51k ± 0%  -2.18%  (p=0.008 n=5+5)
DataPomeriumAuthzTestEmailDenied                                1.05k ± 1%                       1.01k ± 1%  -3.21%  (p=0.008 n=5+5)
DataPomeriumAuthzTestPublicAllowed                              1.65k ± 0%                       1.63k ± 0%  -1.20%  (p=0.008 n=5+5)
DataPomeriumAuthzTestPublicDenied                               1.61k ± 0%                       1.58k ± 0%  -1.42%  (p=0.008 n=5+5)
DataPomeriumAuthzTestPomeriumAllowed                            1.04k ± 1%                       1.00k ± 1%  -3.27%  (p=0.008 n=5+5)
DataPomeriumAuthzTestPomeriumDenied                             1.06k ± 1%                       1.03k ± 1%  -3.19%  (p=0.008 n=5+5)
DataPomeriumAuthzTestCorsPreflightAllowed                       1.14k ± 1%                       1.09k ± 0%  -3.96%  (p=0.008 n=5+5)
DataPomeriumAuthzTestCorsPreflightDenied                        1.09k ± 1%                       1.05k ± 0%  -4.04%  (p=0.008 n=5+5)
DataPomeriumAuthzTestParseUrl                                     222 ± 0%                         222 ± 0%    ~     (all equal)
DataPomeriumAuthzTestAllowedRouteSource                         3.66k ± 0%                       3.66k ± 0%    ~     (all equal)
DataPomeriumAuthzTestAllowedRoutePrefix                         1.23k ± 0%                       1.23k ± 0%    ~     (all equal)
DataPomeriumAuthzTestAllowedRoutePath                           1.62k ± 0%                       1.62k ± 0%    ~     (all equal)
DataPomeriumAuthzTestAllowedRouteRegex                          1.36k ± 0%                       1.36k ± 0%    ~     (all equal)
 2020-06-25 21:28:54 +07:00
Cuong Manh Le
fb4dfaea44
authenticate: hide impersonation form from non-admin users (#979) 
Fixes #881
 2020-06-23 22:09:33 +07:00
Caleb Doxsey
8362f18355
authenticate: move impersonate from proxy to authenticate (#965) 2020-06-22 11:58:27 -06:00
Caleb Doxsey
dbd7f55b20
feature/databroker: user data and session refactor project (#926) 
* databroker: add databroker, identity manager, update cache (#864)

* databroker: add databroker, identity manager, update cache

* fix cache tests

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* authorize: use databroker data for rego policy (#904)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix gitlab test

* use v4 backoff

* authenticate: databroker changes (#914)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix dashboard

* delete session on logout

* permanently delete sessions once they are marked as deleted

* remove permanent delete

* fix tests

* remove groups and refresh test

* databroker: remove dead code, rename cache url, move dashboard (#925)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix dashboard

* delete session on logout

* permanently delete sessions once they are marked as deleted

* remove permanent delete

* fix tests

* remove cache service

* remove kv

* remove refresh docs

* remove obsolete cache docs

* add databroker url option

* cache: use memberlist to detect multiple instances

* add databroker service url

* remove cache service

* remove kv

* remove refresh docs

* remove obsolete cache docs

* add databroker url option

* cache: use memberlist to detect multiple instances

* add databroker service url

* wip

* remove groups and refresh test

* fix redirect, signout

* remove databroker client from proxy

* remove unused method

* remove user dashboard test

* handle missing session ids

* session: reject sessions with no id

* sessions: invalidate old sessions via databroker server version (#930)

* session: add a version field tied to the databroker server version that can be used to invalidate sessions

* fix tests

* add log

* authenticate: create user record immediately, call "get" directly in authorize (#931)
 2020-06-19 07:52:44 -06:00
Bobby DeSimone
3fbcb8ff13
frontend: fix logo fill on chrome (#893) 
- on error, if reason is empty use the status text of the http status code

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-06-13 13:55:01 -07:00
Caleb Doxsey
7b96d2de66
dashboard: inline svgs + css for better forward auth (#771) 2020-05-25 11:12:40 -06:00
Caleb Doxsey
e4832cb4ed
authorize: add client mTLS support (#751) 
* authorize: add client mtls support

* authorize: better error messages for envoy

* switch from function to input

* add TrustedCa to envoy config so that users are prompted for the correct client certificate

* update documentation

* fix invalid ClientCAFile

* regenerate cache protobuf

* avoid recursion, add test

* move comment line

* use http.StatusOK

* various fixes
 2020-05-21 16:01:07 -06:00
Bobby DeSimone
4c5d2d8020
bug: fix group impersonation (#569) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-03-27 09:46:08 -07:00
Bobby DeSimone
c23db546fa
authorization: log audience claim failure (#553) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-03-22 12:06:25 -07:00
Bobby DeSimone
ba14ea246d
*: remove import path comments (#545) 
- import path comments are obsoleted by the go.mod file's module statement

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-03-16 10:13:47 -07:00
Bobby DeSimone
8d1732582e
authorize: use jwt insead of state struct (#514) 
authenticate: unmarshal and verify state from jwt, instead of middleware
authorize: embed opa policy using statik
authorize: have IsAuthorized handle authorization for all routes
authorize: if no signing key is provided, one is generated
authorize: remove IsAdmin grpc endpoint
authorize/client: return authorize decision struct
cmd/pomerium: main logger no longer contains email and group
cryptutil: add ECDSA signing methods
dashboard: have impersonate form show up for all users, but have api gated by authz
docs: fix typo in signed jwt header
encoding/jws: remove unused es256 signer
frontend: namespace static web assets
internal/sessions: remove leeway to match authz policy
proxy:  move signing functionality to authz
proxy: remove jwt attestation from proxy (authZ does now)
proxy: remove non-signed headers from headers
proxy: remove special handling of x-forwarded-host
sessions: do not verify state in middleware
sessions: remove leeway from state to match authz
sessions/{all}: store jwt directly instead of state

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-03-10 11:19:26 -07:00
Bobby DeSimone
2f13488598
authorize: use opa for policy engine (#474) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-02-02 11:18:22 -08:00
Bobby DeSimone
b3d3159185
httputil : wrap handlers for additional context (#413) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2019-12-06 11:07:45 -08:00
Bobby DeSimone
74cd9eabbb
authenticate: fix impersonation getting cleared (#411) 2019-11-30 10:54:32 -08:00
Bobby DeSimone
ebee64b70b
internal/frontend : serve static assets (#392) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2019-11-22 17:46:01 -08:00