3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-05-09 23:27:43 +02:00
Code Issues Projects Releases Packages Wiki Activity
2336 commits 160 branches 126 tags 104 MiB
Commit graph

124 commits

Author SHA1 Message Date
Caleb Doxsey
45a29ea879
databroker: add support for syncing by type (#3412) 
* databroker: add support for syncing by type

* add type url, fix query
 2022-06-13 09:52:13 -06:00
Caleb Doxsey
a2d5d8062b
postgres: use CTE and GENERATED version number instead of serialized transaction (#3408) 
* postgres: use CTE and GENERATED version number instead of serialized transaction

* update server version

* fix indexing CIDRs
 2022-06-09 12:18:20 -06:00
Caleb Doxsey
f61e7efe73
authorize: use query instead of sync for databroker data (#3377) 2022-06-01 15:40:07 -06:00
Caleb Doxsey
994faba0c8
databroker: add support for query filtering (#3369) 
* wip

* storage: add filtering to SyncLatest

* don't increment the record version, so intermediate changes are requested

* databroker: add support for query filtering

* fill server and record version

* add test checks

* add explanation to query filter error
 2022-05-19 09:07:32 -06:00
Caleb Doxsey
f73c5c615f
databroker: add support for putting multiple records (#3291) 
* databroker: add support for putting multiple records

* add OptimumPutRequestsFromRecords function

* replace GetAll with SyncLatest

* fix stream when there are no records
 2022-04-26 16:41:38 -06:00
Caleb Doxsey
761c17b8ac
grpc: wait for connect to be ready before making calls (#3253) 
* grpc: wait for connect to be ready before making calls

* make sure to stop the ticker
 2022-04-08 12:18:52 -06:00
Denis Mishin
443f4a01f5
add databroker multi lease handlers (#3255) 2022-04-08 13:31:49 -04:00
Caleb Doxsey
b79f1e379f
config: add support for downstream TLS server name (#3243) 
* config: add support for downstream TLS server name

* fix whitespace

* fix whitespace

* add docs

* add tls_upstream_server_name and tls_downstream_server_name to config

* Update docs/reference/settings.yaml

Co-authored-by: Alex Fornuto <afornuto@pomerium.com>

* Update docs/reference/readme.md

Co-authored-by: Alex Fornuto <afornuto@pomerium.com>

* add deprecation notice

Co-authored-by: Alex Fornuto <afornuto@pomerium.com>
 2022-04-06 06:48:45 -07:00
Caleb Doxsey
36f73fa6c7
authorize: track session and service account access date (#3220) 
* session: add accessed at date

* authorize: track session and service account access times

* Revert "databroker: add support for field masks on Put (#3210)"

This reverts commit 2dc778035d.

* add test

* fix data race in test

* add deadline for update

* track dropped accesses
 2022-03-31 09:19:04 -06:00
Caleb Doxsey
a243056cfa
Revert "databroker: add support for field masks on Put (#3210)" (#3217) 
This reverts commit 2dc778035d.
 2022-03-31 11:17:57 -04:00
Caleb Doxsey
2dc778035d
databroker: add support for field masks on Put (#3210) 
* databroker: add support for field masks on Put

* return errors

* clean up go.mod
 2022-03-29 16:36:40 -06:00
Caleb Doxsey
8fc5dbf4c5
grpc: regenerate protobuf code (#3208) 2022-03-29 15:18:10 -06:00
Caleb Doxsey
1342523cda
grpc: remove ptypes references (#3078) 2022-02-24 08:37:59 -07:00
Caleb Doxsey
efd609f6ce
config: add idp_client_id and idp_client_secret to protobuf (#3060) 2022-02-18 08:55:31 -07:00
Caleb Doxsey
99b9a3ee12
authorize: add support for passing access or id token upstream (#3047) 
* authorize: add support for passing access or id token upstream

* use an enum
 2022-02-17 09:28:31 -07:00
Caleb Doxsey
f9b95a276b
authenticate: support for per-route client id and client secret (#3030) 
* implement dynamic provider support

* authenticate: support per-route client id and secret
 2022-02-16 12:31:55 -07:00
Denis Mishin
ac9e086691
last known metric error (#2974) 2022-01-31 12:35:51 -05:00
Caleb Doxsey
64ee7eca5c
directory: save IDP errors to databroker, put event handling in dedicated package (#2957) 2022-01-28 15:15:32 -07:00
Caleb Doxsey
9f4fc986ee
devices: shrink credentials by removing unnecessary data (#2951) 2022-01-21 09:32:33 -07:00
Caleb Doxsey
838c9e3a3d
dashboard: improve display of device credentials, allow deletion (#2829) 
* dashboard: improve display of device credentials, allow deletion

* fix test
 2021-12-20 12:19:54 -07:00
Caleb Doxsey
5a858f5d48
config: add internal service URLs (#2801) 
* config: add internal service URLs

* maybe fix integration tests

* add docs

* fix integration tests

* for databroker connect to external name, but listen on internal name

* Update docs/reference/readme.md

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* Update docs/reference/readme.md

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* Update docs/reference/readme.md

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* Update docs/reference/settings.yaml

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* Update docs/reference/settings.yaml

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* Update docs/reference/settings.yaml

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>
 2021-12-10 14:04:37 -05:00
Caleb Doxsey
85bb396555
device: add type id and credential id to enrollment for easier referencing (#2749) 2021-11-05 09:48:45 -06:00
Herman Slatman
7812c6985d
Add additional ACME options (#2695) 
The `autocert_ca` and `autocert_email` options have been added to be
able to configure CAs that support the ACME protocol as an alternative
to Let's Encrypt.

Fix ProtoBuf definition for additional autocert options

Fix PR comments and add ACME EAB configuration

Add configuration option for trusted CAs when talking ACME

Fix linter issues

copy edits

render updated reference to docs

Add test for autocert manager configuration

Add tests for autocert configuration options

Fix CI build issues

Don't set empty acme.EAB struct if configuration not set

Remove required email when setting custom CA

When using a non-default CA it's no longer required
to specify an email address. I required this before,
because it seemed to cause an issue in which no certificate
was issued. The root cause was something different,
rendering the hard email requirement pointless. It's
still beneficial to specify an email, though. I changed
the text in the docs to explain that.

Update generated docs

Fix failing tests by recreation of a new ACMEManager

The default ACMEManager object was reused in multiple tests,
resulting in unexpected states when tests run in parallel.
By using a new instance for every test, this is no longer
an issue.
 2021-11-02 14:44:27 -07:00
Caleb Doxsey
500405512f
dependencies: vendor base58, remove shortuuid (#2739) 
* vendor base58

* remove shortuuid
 2021-11-02 09:23:15 -06:00
Denis Mishin
7a7d5722f8
desktop client api (#2711) 2021-10-29 10:56:48 -06:00
Caleb Doxsey
9d4ebcf871
webauthn: update session to support device credentials per type (#2699) 2021-10-22 14:33:34 -06:00
Denis Mishin
30664cd307
skip configuration updates to the most recent one (#2690) 2021-10-21 11:03:26 -04:00
Caleb Doxsey
3051ad77e0
protoc: add xds repo (#2687) 
* protoc: add xds repo

* fix protoc-gen-validate dependency
 2021-10-19 14:36:23 -06:00
Caleb Doxsey
ddccbcf631
devices: add device protobuf types (#2682) 2021-10-19 07:22:26 -06:00
Denis Mishin
55fec9b51b
add host-rewrite options to config.proto (#2668) 2021-10-08 11:50:56 -04:00
Nathan Hayfield
1f718e4ce1
add description to service accounts (#2611) 2021-09-20 14:10:12 -04:00
Denis Mishin
0878315d60
bump protoc-validate (#2606) 2021-09-16 12:02:55 -04:00
Caleb Doxsey
33f5190572
config: remove signature_key_algorithm (#2557) 
* config: remove signature_key_algorithm

* typo

* add more tests
 2021-09-02 11:36:43 -06:00
Caleb Doxsey
f5a558d4a0
grpc: disable gRPC connection re-use across services (#2515) 2021-08-24 11:47:16 -06:00
Caleb Doxsey
bbec2cae9f
grpc: send client traffic through envoy (#2469) 
* wip

* wip

* handle wildcards in override name

* remove wait for ready, add comment about sync, force initial sync complete in test

* address comments
 2021-08-16 16:12:22 -06:00
Caleb Doxsey
6af0655206
protoutil: add NewAny method for deterministic serialization (#2462) 2021-08-09 17:51:57 -06:00
Caleb Doxsey
63ee30d69c
options: remove refresh_cooldown, add allow_spdy to proto (#2446) 2021-08-06 10:06:57 -06:00
wasaga
51ab7e6226
telemetry: add nonce and make explicit ack/nack (#2434) 2021-08-04 21:08:55 -04:00
Caleb Doxsey
94eb3c1149
config: remove grpc server max connection age options (#2427) 
* config: remove grpc server max connection age options

* remove docs
 2021-08-03 09:39:48 -06:00
Caleb Doxsey
1a95036b8c
sessions: add impersonate_session_id, remove legacy impersonation (#2407) 
* sessions: add impersonate_session_id, remove legacy impersonation

* show impersonated user details

* fix headers

* address feedback

* only check impersonate id on non-nil pbSession

* Revert "only check impersonate id on non-nil pbSession"

This reverts commit a6f7ca5abd.
 2021-07-30 08:42:36 -06:00
Caleb Doxsey
ac8ae3ef5b
directory: add logging http client to help with debugging outbound http requests (#2385) 2021-07-22 11:58:52 -06:00
Caleb Doxsey
cef08a1c2d
authorize: remove service account impersonate user id, email and groups (#2365) 2021-07-15 09:31:45 -06:00
wasaga
134ca74ec9
proxy: add idle timeout (#2319) 2021-07-02 10:29:53 -04:00
Caleb Doxsey
fcb33966e2
config: add enable_google_cloud_serverless_authentication to config protobuf (#2306) 
* config: add enable_google_cloud_serverless_authentication to config protobuf

* use dependency injection for embedded envoy provider

* Revert "use dependency injection for embedded envoy provider"

This reverts commit 5c08990501.

* config: attach envoy version to Config to avoid metrics depending on envoy/files
 2021-06-21 18:00:29 -06:00
wasaga
744e2c7993
xds: only tag contexts used for UpdateRecords (#2269) 2021-06-04 14:01:25 -04:00
dependabot[bot]
e9ffc5fde3
chore(deps): bump google.golang.org/grpc from 1.37.1 to 1.38.0 (#2231) 
* chore(deps): bump google.golang.org/grpc from 1.37.1 to 1.38.0

Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.37.1 to 1.38.0.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.37.1...v1.38.0)

Signed-off-by: dependabot[bot] <support@github.com>

* chore(deps): bump google.golang.org/grpc from 1.37.1 to 1.38.0

Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.37.1 to 1.38.0.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.37.1...v1.38.0)

Signed-off-by: dependabot[bot] <support@github.com>

* fix UpdateState method

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
 2021-05-24 09:33:53 -06:00
wasaga
c71f7dca5b
authorize: grpc health check (#2200) 2021-05-13 15:00:10 -04:00
Caleb Doxsey
94aa0b1a48
databroker: implement leases (#2172) 
* databroker: implement leases

* return error

* handle gRPC errors
 2021-05-10 13:30:25 -06:00
Caleb Doxsey
aeece76928
databroker: store issued at timestamp with session (#2173) 2021-05-04 10:09:14 -06:00
Caleb Doxsey
69576cffe4
config: add support for set_response_headers in a policy (#2171) 
* config: add support for set_response_headers in a policy

* docs: add note about precedence
 2021-05-04 09:43:52 -06:00