pomerium

mirror of https://github.com/pomerium/pomerium.git synced 2025-04-29 18:36:30 +02:00

Author	SHA1	Message	Date
Caleb Doxsey	10b5c5ca0e	fix querying claim data on the dashboard (#1560 )	2020-10-29 10:49:02 -06:00
bobby	5cc65adc48	internal/frontend: resolve authN helper url (#1521 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-10-18 17:11:47 -07:00
Caleb Doxsey	04c582121d	add flag to enable user impersonation (#1514 ) * add flag to enable user impersonation * fix typo	2020-10-14 08:17:59 -06:00
Caleb Doxsey	2864859252	dashboard: format timestamps (#1468 ) * format timestamps * fix test	2020-09-28 16:00:42 -06:00
bobby	0c60a9404e	httputil: remove retry button (#1438 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-09-22 07:53:53 -07:00
bobby	05d9fbb4b3	Desimone/authenticate default logout (#1390 ) * authenticate: fix unset post_logout_redirect_uri * don't show url if does not exist Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-09-09 11:53:12 -07:00
Caleb Doxsey	4fb90fabe8	config: support explicit prefix and regex path rewriting (#1363 ) * config: support explicity prefix and regex path rewriting * add rewrite tests	2020-09-02 13:48:19 -06:00
Caleb Doxsey	1ad243dfd1	directory.Group entry for groups (#1118 ) * store directory groups separate from directory users * fix group lookup, azure display name * remove fields restriction * fix test * also support email * use Email as name for google' * remove changed file * show groups on dashboard * fix test * re-add accidentally removed code	2020-07-22 11:28:53 -06:00
Cuong Manh Le	9dae633fe5	internal/frontend/assets/html: make timestamp human readable (#1107 ) Since we switch to use databroker, time in template is now protobuf timestamp instead of time.Time, that causes it appears in raw form instead of human-readable format. Fix this by converting protobuf timestamp to time.Time in template. There's still a breaking change, though. The time will now appears in UTC instead of local time. Fixes #1100	2020-07-20 13:35:57 +07:00
Cuong Manh Le	408f201d16	authorize/evaluator/opa/policy: fix allow rules with impersonate (#1094 ) Currently, with impersonated request, the real user email/group still has effects. Example: data.route_policies as [{ "source": "example.com", "allowed_users": ["x@example.com"] }] with input.databroker_data as { "session": { "user_id": "user1" }, "user": { "email": "x@example.com" } } with input.http as { "url": "http://example.com" } with input.session as { "id": "session1", "impersonate_email": "y@example.com" } Here user "x@example.com" is allowed, but was impersonated as "y@example.com". As the rules indicated, the request must be denied, because it only allows "x@example.com", not "y@example.com". The current bug causes the request is still allowed. To fix it, when evaluates rules for allowed email/group/domain, we must checking that the impersonate email/groups is not set/empty. Fixes #1091	2020-07-17 22:07:11 +07:00
Caleb Doxsey	091b71f12e	grpc: rename internal/grpc to pkg/grpc (#1010 ) * grpc: rename internal/grpc to pkg/grpc * don't ignore pkg dir * remove debug line	2020-06-26 09:17:02 -06:00
Cuong Manh Le	963e1c015a	authorize/evaluator/opa: use route policy object instead of array index (#1001 ) Make the code more readable, and slightly reduce memory alloc: opa test -v --bench --count 5 --format gobench Output: name old alloc/op new alloc/op delta DataPomeriumAuthzTestEmailAllowed 109kB ± 0% 108kB ± 0% -0.89% (p=0.008 n=5+5) DataPomeriumAuthzTestExample 95.4kB ± 0% 93.4kB ± 0% -2.06% (p=0.008 n=5+5) DataPomeriumAuthzTestEmailDenied 63.6kB ± 0% 61.6kB ± 0% -3.09% (p=0.008 n=5+5) DataPomeriumAuthzTestPublicAllowed 103kB ± 0% 101kB ± 0% -1.86% (p=0.008 n=5+5) DataPomeriumAuthzTestPublicDenied 100kB ± 0% 98kB ± 0% -1.64% (p=0.008 n=5+5) DataPomeriumAuthzTestPomeriumAllowed 62.6kB ± 0% 60.7kB ± 0% -3.14% (p=0.008 n=5+5) DataPomeriumAuthzTestPomeriumDenied 64.5kB ± 0% 62.5kB ± 0% -3.11% (p=0.008 n=5+5) DataPomeriumAuthzTestCorsPreflightAllowed 66.7kB ± 0% 64.5kB ± 0% -3.33% (p=0.008 n=5+5) DataPomeriumAuthzTestCorsPreflightDenied 65.8kB ± 0% 63.3kB ± 0% -3.92% (p=0.008 n=5+5) DataPomeriumAuthzTestParseUrl 13.8kB ± 0% 13.8kB ± 0% ~ (p=0.167 n=5+5) DataPomeriumAuthzTestAllowedRouteSource 243kB ± 0% 243kB ± 0% ~ (p=1.000 n=5+5) DataPomeriumAuthzTestAllowedRoutePrefix 80.9kB ± 0% 80.9kB ± 0% ~ (p=0.690 n=5+5) DataPomeriumAuthzTestAllowedRoutePath 108kB ± 0% 108kB ± 0% ~ (p=0.452 n=5+5) DataPomeriumAuthzTestAllowedRouteRegex 90.0kB ± 0% 89.9kB ± 0% ~ (p=0.095 n=5+5) name old allocs/op new allocs/op delta DataPomeriumAuthzTestEmailAllowed 1.76k ± 0% 1.74k ± 0% -1.24% (p=0.008 n=5+5) DataPomeriumAuthzTestExample 1.54k ± 0% 1.51k ± 0% -2.18% (p=0.008 n=5+5) DataPomeriumAuthzTestEmailDenied 1.05k ± 1% 1.01k ± 1% -3.21% (p=0.008 n=5+5) DataPomeriumAuthzTestPublicAllowed 1.65k ± 0% 1.63k ± 0% -1.20% (p=0.008 n=5+5) DataPomeriumAuthzTestPublicDenied 1.61k ± 0% 1.58k ± 0% -1.42% (p=0.008 n=5+5) DataPomeriumAuthzTestPomeriumAllowed 1.04k ± 1% 1.00k ± 1% -3.27% (p=0.008 n=5+5) DataPomeriumAuthzTestPomeriumDenied 1.06k ± 1% 1.03k ± 1% -3.19% (p=0.008 n=5+5) DataPomeriumAuthzTestCorsPreflightAllowed 1.14k ± 1% 1.09k ± 0% -3.96% (p=0.008 n=5+5) DataPomeriumAuthzTestCorsPreflightDenied 1.09k ± 1% 1.05k ± 0% -4.04% (p=0.008 n=5+5) DataPomeriumAuthzTestParseUrl 222 ± 0% 222 ± 0% ~ (all equal) DataPomeriumAuthzTestAllowedRouteSource 3.66k ± 0% 3.66k ± 0% ~ (all equal) DataPomeriumAuthzTestAllowedRoutePrefix 1.23k ± 0% 1.23k ± 0% ~ (all equal) DataPomeriumAuthzTestAllowedRoutePath 1.62k ± 0% 1.62k ± 0% ~ (all equal) DataPomeriumAuthzTestAllowedRouteRegex 1.36k ± 0% 1.36k ± 0% ~ (all equal)	2020-06-25 21:28:54 +07:00
Cuong Manh Le	fb4dfaea44	authenticate: hide impersonation form from non-admin users (#979 ) Fixes #881	2020-06-23 22:09:33 +07:00
Caleb Doxsey	8362f18355	authenticate: move impersonate from proxy to authenticate (#965 )	2020-06-22 11:58:27 -06:00
Caleb Doxsey	dbd7f55b20	feature/databroker: user data and session refactor project (#926 ) * databroker: add databroker, identity manager, update cache (#864) * databroker: add databroker, identity manager, update cache * fix cache tests * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * authorize: use databroker data for rego policy (#904) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix gitlab test * use v4 backoff * authenticate: databroker changes (#914) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix dashboard * delete session on logout * permanently delete sessions once they are marked as deleted * remove permanent delete * fix tests * remove groups and refresh test * databroker: remove dead code, rename cache url, move dashboard (#925) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix dashboard * delete session on logout * permanently delete sessions once they are marked as deleted * remove permanent delete * fix tests * remove cache service * remove kv * remove refresh docs * remove obsolete cache docs * add databroker url option * cache: use memberlist to detect multiple instances * add databroker service url * remove cache service * remove kv * remove refresh docs * remove obsolete cache docs * add databroker url option * cache: use memberlist to detect multiple instances * add databroker service url * wip * remove groups and refresh test * fix redirect, signout * remove databroker client from proxy * remove unused method * remove user dashboard test * handle missing session ids * session: reject sessions with no id * sessions: invalidate old sessions via databroker server version (#930) * session: add a version field tied to the databroker server version that can be used to invalidate sessions * fix tests * add log * authenticate: create user record immediately, call "get" directly in authorize (#931)	2020-06-19 07:52:44 -06:00
Bobby DeSimone	3fbcb8ff13	frontend: fix logo fill on chrome (#893 ) - on error, if reason is empty use the status text of the http status code Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-06-13 13:55:01 -07:00
Caleb Doxsey	7b96d2de66	dashboard: inline svgs + css for better forward auth (#771 )	2020-05-25 11:12:40 -06:00
Caleb Doxsey	e4832cb4ed	authorize: add client mTLS support (#751 ) * authorize: add client mtls support * authorize: better error messages for envoy * switch from function to input * add TrustedCa to envoy config so that users are prompted for the correct client certificate * update documentation * fix invalid ClientCAFile * regenerate cache protobuf * avoid recursion, add test * move comment line * use http.StatusOK * various fixes	2020-05-21 16:01:07 -06:00
Bobby DeSimone	4c5d2d8020	bug: fix group impersonation (#569 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-03-27 09:46:08 -07:00
Bobby DeSimone	c23db546fa	authorization: log audience claim failure (#553 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-03-22 12:06:25 -07:00
Bobby DeSimone	ba14ea246d	*: remove import path comments (#545 ) - import path comments are obsoleted by the go.mod file's module statement Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-03-16 10:13:47 -07:00
Bobby DeSimone	8d1732582e	authorize: use jwt insead of state struct (#514 ) authenticate: unmarshal and verify state from jwt, instead of middleware authorize: embed opa policy using statik authorize: have IsAuthorized handle authorization for all routes authorize: if no signing key is provided, one is generated authorize: remove IsAdmin grpc endpoint authorize/client: return authorize decision struct cmd/pomerium: main logger no longer contains email and group cryptutil: add ECDSA signing methods dashboard: have impersonate form show up for all users, but have api gated by authz docs: fix typo in signed jwt header encoding/jws: remove unused es256 signer frontend: namespace static web assets internal/sessions: remove leeway to match authz policy proxy: move signing functionality to authz proxy: remove jwt attestation from proxy (authZ does now) proxy: remove non-signed headers from headers proxy: remove special handling of x-forwarded-host sessions: do not verify state in middleware sessions: remove leeway from state to match authz sessions/{all}: store jwt directly instead of state Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-03-10 11:19:26 -07:00
Bobby DeSimone	2f13488598	authorize: use opa for policy engine (#474 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-02-02 11:18:22 -08:00
Bobby DeSimone	e82477ea5c	deployment: throw away golanglint-ci defaults (#439 ) * deployment: throw away golanglint-ci defaults Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-01-26 12:33:45 -08:00
Bobby DeSimone	b3d3159185	httputil : wrap handlers for additional context (#413 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-12-06 11:07:45 -08:00
Bobby DeSimone	74cd9eabbb	authenticate: fix impersonation getting cleared (#411 )	2019-11-30 10:54:32 -08:00
Bobby DeSimone	ebee64b70b	internal/frontend : serve static assets (#392 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-11-22 17:46:01 -08:00

27 commits