3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-06-05 12:23:03 +02:00
Code Issues Projects Releases Packages Wiki Activity
1087 commits 165 branches 127 tags 105 MiB
Commit graph

331 commits

Author SHA1 Message Date
Caleb Doxsey
27d0cf180a
authenticate: protect /.pomerium/admin endpoint (#1500) 
* authenticate: protect /.pomerium/admin endpoint

* add integration test
 2020-10-08 15:44:12 -06:00
Caleb Doxsey
aa731ae068
directory: add explicit RefreshUser endpoint for faster sync (#1460) 
* directory: add explicit RefreshUser endpoint for faster sync

* add test

* implement azure

* update api call

* add test for azure User

* implement github

* implement AccessToken, gitlab

* implement okta

* implement onelogin

* fix test

* fix inconsistent test

* implement auth0
 2020-10-05 08:23:15 -06:00
bobby
9b39deabd8
forward-auth: use envoy's ext_authz check (#1482) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-10-04 20:01:06 -07:00
Jon Carl
f1daf336f6
auth0: implement directory provider (#1479) 
* add the auth0 directory provider

Signed-off-by: Jon Carl <jon.carl@auth0.com>

* fix code climate issue: context.Context should be funcs first param

Signed-off-by: Jon Carl <jon.carl@auth0.com>

* remove unused struct field

Signed-off-by: Jon Carl <jon.carl@auth0.com>

* remove vendoring

Signed-off-by: Jon Carl <jon.carl@auth0.com>

* fix auth0 imports and variable name

Signed-off-by: Jon Carl <jon.carl@auth0.com>
 2020-10-02 08:56:05 -06:00
Caleb Doxsey
697be04c6f
azure: incremental sync (#1471) 
* azure: incremental sync

* identity manager: fix directory sync timing

* on unauthorized, reset token

* support querying the user api

* update name

* pull out constants
 2020-09-30 08:18:04 -06:00
Caleb Doxsey
3e86d2f9bf
directory: additional user info (#1467) 
* directory: support additional user information

* implement github

* implement gitlab

* implement onelogin

* implement okta

* rename to display name

* implement google

* fill in properties

* fix azure email parsing

* fix tests, lint

* fix onelogin tests

* fix gitlab/github tests
 2020-09-29 09:38:16 -06:00
Caleb Doxsey
88580cf2fb
auth0: implement identity provider (#1470) 
* auth0: implement identity provider

* add auth0 guide

* fix naming
 2020-09-29 09:06:58 -06:00
Caleb Doxsey
2864859252
dashboard: format timestamps (#1468) 
* format timestamps

* fix test
 2020-09-28 16:00:42 -06:00
Caleb Doxsey
6e385f800a
config: add support for host header rewriting (#1457) 
* config: add support for host header rewriting

* fix lint
 2020-09-25 09:36:39 -06:00
Caleb Doxsey
29b2fa4e60
proxy: preserve path and query string for http->https redirect (#1456) 2020-09-24 15:12:56 -06:00
Caleb Doxsey
83415ee52f
identity manager: fix directory sync timing (#1455) 2020-09-24 13:23:43 -06:00
Caleb Doxsey
f4c61a0cdc
redis: use pubsub instead of keyspace events (#1450) 2020-09-23 14:40:05 -06:00
Caleb Doxsey
2364da14c8
databroker: add support for querying the databroker (#1443) 
* databroker: add support for querying the databroker

* remove query method, use getall so encryption works

* add test

* return early
 2020-09-22 16:01:37 -06:00
bobby
0c60a9404e
httputil: remove retry button (#1438) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-09-22 07:53:53 -07:00
Caleb Doxsey
54d37e62e8
config: add dns_lookup_family option to customize DNS IP resolution (#1436) 2020-09-21 15:32:37 -06:00
bobby
bf937f362b
controplane: remove p-521 EC (#1420) 
* controplane: remove p-521 EC

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-09-18 08:18:21 -07:00
Caleb Doxsey
0860ec3a5c
okta: handle deleted groups (#1418) 
* okta: handle deleted groups

* limit api error body read
 2020-09-18 08:10:32 -06:00
Caleb Doxsey
3b6c617784
redirect-server: add config headers to responses (#1416) 2020-09-17 13:01:45 -06:00
Caleb Doxsey
665f0f9a74
azure: add support for nested groups (#1408) 
* azure: add support for nested groups

* fix test
 2020-09-17 08:25:10 -06:00
bobby
79a01bcfbb
controlplane: support P-384 / P-512 EC curves (#1409) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-09-16 17:35:00 -07:00
Caleb Doxsey
a19e45334b
proxy: remove impersonate headers for kubernetes (#1394) 
* proxy: remove impersonate headers for kubernetes

* master on frontend/statik
 2020-09-09 15:24:39 -06:00
bobby
05d9fbb4b3
Desimone/authenticate default logout (#1390) 
* authenticate: fix unset post_logout_redirect_uri
* don't show url if does not exist
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-09-09 11:53:12 -07:00
Caleb Doxsey
1fcd86120b
proxy: for filter matches only include bare domain name (#1389) 2020-09-09 08:56:15 -06:00
Travis Groth
145c2cf8f5
internal/envoy: start epoch from 0 (#1387) 2020-09-09 10:25:21 -04:00
Caleb Doxsey
0a6796ff71
authorize: add support for service accounts (#1374) 2020-09-04 10:37:00 -06:00
Cuong Manh Le
eaf0dd4e67 internal/identity/manager: increase default refresh groups timeout 2020-09-04 23:17:56 +07:00
Cuong Manh Le
5895331768 internal/identity/manager: improve timeout error message 
By pointing user to configuration docs.
 2020-09-04 23:17:56 +07:00
bobby
43d37ace94
proxy/controlplane: make health checks debug level (#1368) 
- proxy: remove version from ping handler

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-09-04 07:31:12 -07:00
Cuong Manh Le
08a094ae93
internal/directory/okta: remove rate limiter (#1370) 
We did honor the rate limit header from okta, so don't bother to add our
rate limiter there.
 2020-09-04 18:23:14 +07:00
Caleb Doxsey
49d1a71ff2
databroker: add tracing for rego evaluation and databroker sync, fix bug in databroker config source (#1367) 2020-09-03 08:11:34 -06:00
Caleb Doxsey
4fb90fabe8
config: support explicit prefix and regex path rewriting (#1363) 
* config: support explicity prefix and regex path rewriting

* add rewrite tests
 2020-09-02 13:48:19 -06:00
Caleb Doxsey
a269441c34
proxy: disable control-plane robots.txt for public unauthenticated routes (#1361) 2020-09-02 07:56:15 -06:00
Caleb Doxsey
f6b622c7dc
proxy: support websocket timeouts (#1362) 2020-09-02 07:55:57 -06:00
Caleb Doxsey
e4e6abfd29
certmagic: improve logging (#1358) 
* certmagic: improve logging

* Update internal/autocert/manager.go

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
 2020-09-01 09:58:09 -06:00
Cuong Manh Le
b8584a3f46
internal/directory/okta: accept non-json service account (#1359) 
Fixes #1354
 2020-09-01 22:33:55 +07:00
Travis Groth
2e714c211e
internal/controlplane: add telemetry http handler (#1353) 2020-09-01 09:22:24 -04:00
bobby
fbd8c8f294
deployment: add goimports with path awareness (#1316) 
Plus fix some spelling

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-08-24 13:04:55 -07:00
Cuong Manh Le
ffaceadfdd
internal/urlutil: remove un-used constants (#1326) 2020-08-25 02:07:56 +07:00
bobby
c1b3b45d12
proxy: remove unused handlers (#1317) 
proxy: remove unused handlers

authenticate: remove unused references to refresh_token

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-08-22 10:02:12 -07:00
Caleb Doxsey
79741d5345
autocert: fix locking issue (#1310) 2020-08-20 14:08:52 -06:00
Caleb Doxsey
c4c8ef8e53
azure: support deriving credentials from client id, client secret and provider url (#1300) 2020-08-18 10:17:28 -06:00
Caleb Doxsey
a1378c81f8
cache: support databroker option changes (#1294) 2020-08-18 07:27:20 -06:00
Cuong Manh Le
a4408ab6cf internal/directory/okta: fix wrong API query filter 
Okta uses space " " instead of plus sign "+" in query filter.
See https://developer.okta.com/docs/reference/api-overview/#filtering
 2020-08-18 20:24:15 +07:00
bobby
8a384985f0
autocert: fix bootstrapped cache store path (#1283) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-08-17 13:27:11 -07:00
Caleb Doxsey
6dee647a16
authorize: use atomic state for properties (#1290) 2020-08-17 14:24:06 -06:00
Caleb Doxsey
d9a224a5e8
proxy: move properties to atomically updated state (#1280) 
* authenticate: remove cookie options

* authenticate: remove shared key field

* authenticate: remove shared cipher property

* authenticate: move properties to separate state struct

* proxy: allow local state to be updated on configuration changes

* fix test

* return new connection

* use warn, collapse to single line

* address concerns, fix tests
 2020-08-14 11:44:58 -06:00
Cuong Manh Le
23eea09ed0 internal/directory/okta: use okta filter to get updated groups 
Okta API supports filter to get updated groups only, we can adopt that
to reduce number of requests to okta API, hence reduce chance that we
reach the rate limit.

Updates #1256
 2020-08-14 22:01:31 +07:00
Cuong Manh Le
d1c0ae730f internal/directory/okta: honor rate limit reset header 
So we can wait until the rate limit release time to continue query okta
API.

Updates #1256
 2020-08-14 22:01:31 +07:00
Cuong Manh Le
598102f587 internal/directory/okta: add limiter to query okta API 
Okta only allows 100 requests per minute, so apply the default rate
limit 1 QPS for it.

Fixes #1256
 2020-08-14 09:50:49 +07:00
Caleb Doxsey
045c10edc6
authenticate: support reloading IDP settings (#1273) 
* identity: add name method to provider

* authenticate: support dynamically loading the provider
 2020-08-13 12:14:30 -06:00