3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-04-30 02:46:30 +02:00
Code Issues Projects Releases Packages Wiki Activity
2048 commits 156 branches 125 tags 103 MiB
Commit graph

124 commits

Author SHA1 Message Date
Caleb Doxsey
2824faecbf
frontend: react+mui (#3004) 
* mui v5 wip

* wip

* wip

* wip

* use compressor for all controlplane endpoints

* wip

* wip

* add deps

* fix authenticate URL

* fix test

* fix test

* fix build

* maybe fix build

* fix integration test

* remove image asset test

* add yarn.lock
 2022-02-07 08:47:58 -07:00
Caleb Doxsey
2f328e7de0
authenticate: fix expiring user info endpoint (#2976) 
* authenticate: fix expiring user info endpoint

* add test
 2022-01-27 16:10:47 -07:00
Caleb Doxsey
95d6d97143
authenticate: support webauthn redirects to non-pomerium domains (#2936) 
* authenticate: support webauthn redirects to non-pomerium domains

* add test

* remove dead code
 2022-01-19 15:10:57 -07:00
Caleb Doxsey
b019b61ccb
authenticate: add callback endpoint (#2931) 2022-01-14 10:22:46 -07:00
Caleb Doxsey
9330f6b0ac
authenticate: add device-enrolled page (#2892) 
* authenticate: add device-enrolled page

* remove device credential id from page
 2022-01-06 10:01:12 -07:00
Caleb Doxsey
838c9e3a3d
dashboard: improve display of device credentials, allow deletion (#2829) 
* dashboard: improve display of device credentials, allow deletion

* fix test
 2021-12-20 12:19:54 -07:00
Caleb Doxsey
a5034aabae
authenticate: redirect / to /.pomerium/ (#2770) 2021-11-18 08:49:23 -07:00
Caleb Doxsey
b0f8c055ec
authenticate: always update user record on login (#2719) 
* authenticate: always update user record on login

* identity: fix user refresh

* add test for manager update

* fix time
 2021-11-01 14:18:18 -06:00
Caleb Doxsey
d390e80b30
authenticate: add databroker versions to session cookie (#2709) 
* authenticate: add databroker versions to session cookie
authorize: wait for databroker synchronization on updated sessions

* fix test
 2021-10-26 14:45:53 -06:00
Caleb Doxsey
1162585471
authenticate: add support for webauthn (#2688) 
* authenticate: add support for webauthn

* remove rfc4648 library due to missing LICENSE

* fix test

* put state function in separate function
 2021-10-20 13:18:34 -06:00
Caleb Doxsey
1a95036b8c
sessions: add impersonate_session_id, remove legacy impersonation (#2407) 
* sessions: add impersonate_session_id, remove legacy impersonation

* show impersonated user details

* fix headers

* address feedback

* only check impersonate id on non-nil pbSession

* Revert "only check impersonate id on non-nil pbSession"

This reverts commit a6f7ca5abd.
 2021-07-30 08:42:36 -06:00
Caleb Doxsey
f9675f61cc
deps: upgrade to go-jose v3 (#2284) 2021-06-10 09:35:44 -06:00
Caleb Doxsey
aeece76928
databroker: store issued at timestamp with session (#2173) 2021-05-04 10:09:14 -06:00
wasaga
e0c09a0998
log context (#2107) 2021-04-22 10:58:13 -04:00
Caleb Doxsey
6d1d2bec54
crypto: use actual bytes of shared secret, not the base64 encoded representation (#2075) 
* crypto: use actual bytes of shared secret, not the base64 encoded representation

* return errors

* return errors
 2021-04-08 20:04:01 -06:00
Caleb Doxsey
a51c7140ea
cryptutil: use bytes for hmac (#2067) 2021-04-07 14:57:24 -06:00
Caleb Doxsey
f84f7551d0
authenticate: fix default sign out url (#2061) 2021-04-06 10:35:08 -06:00
Travis Groth
0635c838c9
authenticate: validate signature on /.pomerium, /.pomerium/sign_in and /.pomerium/sign_out (#2048) 
Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
 2021-04-01 10:04:16 -04:00
Caleb Doxsey
3690a32855
config: use getters for authenticate, signout and forward auth urls (#2000) 2021-03-19 14:49:25 -06:00
Caleb Doxsey
5d60cff21e
databroker: refactor databroker to sync all changes (#1879) 
* refactor backend, implement encrypted store

* refactor in-memory store

* wip

* wip

* wip

* add syncer test

* fix redis expiry

* fix linting issues

* fix test by skipping non-config records

* fix backoff import

* fix init issues

* fix query

* wait for initial sync before starting directory sync

* add type to SyncLatest

* add more log messages, fix deadlock in in-memory store, always return server version from SyncLatest

* update sync types and tests

* add redis tests

* skip macos in github actions

* add comments to proto

* split getBackend into separate methods

* handle errors in initVersion

* return different error for not found vs other errors in get

* use exponential backoff for redis transaction retry

* rename raw to result

* use context instead of close channel

* store type urls as constants in databroker

* use timestampb instead of ptypes

* fix group merging not waiting

* change locked names

* update GetAll to return latest record version

* add method to grpcutil to get the type url for a protobuf type
 2021-02-18 15:24:33 -07:00
bobby
c3e3ed9b50
authenticate: validate origin of signout (#1876) 
* authenticate: validate origin of signout

- add a debug task to kill envoy
- improve various function docs
- userinfo: return "error" page if user is logged out without redirect uri set
- remove front channel logout. There's little difference between it, and the signout function.

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2021-02-11 21:37:54 -08:00
Caleb Doxsey
b7f0242090
authorize: remove admin (#1833) 
* authorize: remove admin

* regen rego

* add note to upgrading
 2021-02-01 15:22:02 -07:00
Caleb Doxsey
5e3aa91f23
authenticate: delay evaluation of OIDC provider (#1802) 
* authenticate: delay evaluation of OIDC provider

* add additional error message

* address comments
 2021-01-26 09:20:56 -07:00
bobby
6466efddd5
authenticate: update user info screens (#1774) 
- rename "dashboard" to userinfo to avoid confusion
- don't leak version from error page.
- fix typo in state.go
- make statik determenistic on modtime


Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2021-01-13 13:15:31 -08:00
Caleb Doxsey
ab4a68f56f
remove user impersonation and service account cli (#1768) 
* remove user impersonation and service account cli

* update doc

* remove user impersonation url query params

* fix flaky test
 2021-01-12 09:28:29 -07:00
bobby
f837c92741
dev: update linter (#1728) 
- gofumpt everything
- fix TLS MinVersion to be at least 1.2
- add octal syntax
- remove newlines
- fix potential decompression bomb in ecjson
- remove implicit memory aliasing in for loops.

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-12-30 09:02:57 -08:00
Philip Wassermann
2d3190c74e
authenticate: oidc frontchannel-logout endpoint (#1586) 
* authenticate: oidc frontchannel-logout endpoint
* move frontchannellogout route and extract logout process
* add frontchannel_logout_uri to wellknown handler
* authenticate: add context to logs in signout process
* docs: single sign-out topic
* gofmt, wording, refactoring method names

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
Co-authored-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-12-24 14:30:48 -08:00
Caleb Doxsey
93c257259e
databroker: add audience to session (#1557) 
* add audience to session

* update audience

* parse next url and add it to audience
 2020-10-27 14:22:26 -06:00
Caleb Doxsey
a85b3b04c1
store raw id token so it can be passed to the logout url (#1543) 2020-10-26 10:20:23 -06:00
Caleb Doxsey
153e438eb6
authorize: implement allowed_idp_claims (#1542) 
* add arbitrary claims to session

* add support for maps

* update flattened claims

* fix eol

* fix trailing whitespace

* fix tests
 2020-10-23 14:05:37 -06:00
bobby
f719d885b7
authenticate: remove unused paths, generate cipher at startup, remove qp store (#1495) 
* authenticate: remove unused paths, generate cipher on boot

- internal/httputil: add JSON renderer
- internal/httputil: remove unused query param store and references

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-10-19 08:09:53 -07:00
Caleb Doxsey
04c582121d
add flag to enable user impersonation (#1514) 
* add flag to enable user impersonation

* fix typo
 2020-10-14 08:17:59 -06:00
Caleb Doxsey
aa731ae068
directory: add explicit RefreshUser endpoint for faster sync (#1460) 
* directory: add explicit RefreshUser endpoint for faster sync

* add test

* implement azure

* update api call

* add test for azure User

* implement github

* implement AccessToken, gitlab

* implement okta

* implement onelogin

* fix test

* fix inconsistent test

* implement auth0
 2020-10-05 08:23:15 -06:00
bobby
05d9fbb4b3
Desimone/authenticate default logout (#1390) 
* authenticate: fix unset post_logout_redirect_uri
* don't show url if does not exist
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-09-09 11:53:12 -07:00
Cuong Manh Le
9de99d0211
all: add signout redirect url (#1324) 
Fixes #1213
 2020-08-25 01:23:58 +07:00
bobby
c1b3b45d12
proxy: remove unused handlers (#1317) 
proxy: remove unused handlers

authenticate: remove unused references to refresh_token

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-08-22 10:02:12 -07:00
Caleb Doxsey
882b6b54ee
authenticate: move databroker connection to state (#1292) 
* authenticate: move databroker connection to state

* re-use err

* just return

* remove nil checks
 2020-08-18 09:33:43 -06:00
Caleb Doxsey
d608526998
authenticate: move properties to atomically updated state (#1277) 
* authenticate: remove cookie options

* authenticate: remove shared key field

* authenticate: remove shared cipher property

* authenticate: move properties to separate state struct
 2020-08-14 07:53:11 -06:00
Caleb Doxsey
045c10edc6
authenticate: support reloading IDP settings (#1273) 
* identity: add name method to provider

* authenticate: support dynamically loading the provider
 2020-08-13 12:14:30 -06:00
Caleb Doxsey
6e26bd204a
set session state expiry (#1215) 2020-08-05 14:04:04 -06:00
Caleb Doxsey
97f85481f8
fix redirect loop, remove user/session services, remove duplicate deleted_at fields (#1162) 
* fix redirect loop, remove user/session services, remove duplicate deleted_at fields

* change loop

* reuse err variable

* wrap errors, use cookie timeout

* wrap error, duplicate if
 2020-07-30 09:41:57 -06:00
Cuong Manh Le
fd544b7072
authenticate: fix wrong condition checking in VerifySession (#1146) 
The code checks session client not nil, but using databroker client in
the body instead.
 2020-07-28 21:18:39 +07:00
Caleb Doxsey
1ad243dfd1
directory.Group entry for groups (#1118) 
* store directory groups separate from directory users

* fix group lookup, azure display name

* remove fields restriction

* fix test

* also support email

* use Email as name for google'

* remove changed file

* show groups on dashboard

* fix test

* re-add accidentally removed code
 2020-07-22 11:28:53 -06:00
Cuong Manh Le
0ecdbf2db3 authenticate: fix wrong SignIn telemetry name 2020-07-04 00:46:33 +07:00
Caleb Doxsey
fae02791f5
cryptutil: move to pkg dir, add token generator (#1029) 
* cryptutil: move to pkg dir, add token generator

* add gitignored files

* add tests
 2020-06-30 15:55:33 -06:00
Caleb Doxsey
091b71f12e
grpc: rename internal/grpc to pkg/grpc (#1010) 
* grpc: rename internal/grpc to pkg/grpc

* don't ignore pkg dir

* remove debug line
 2020-06-26 09:17:02 -06:00
Cuong Manh Le
505ff5cc5c
internal/sessions: handle claims "ver" field generally (#990) 
"ver" field is not specified by RFC 7519, so in practice, most providers
return it as string, but okta returns it as number, which cause okta
authenticate broken.

To fix it, we handle "ver" field more generally, to allow both string and
number in json payload.
 2020-06-24 22:06:17 +07:00
Caleb Doxsey
0d277cf662
azure: use OID for user id in session (#985) 2020-06-23 12:02:17 -06:00
Cuong Manh Le
17ba595ced
authenticate: support hot reloaded config (#984) 
By implementinng OptionsUpdater interface.

Fixes #982
 2020-06-24 00:18:20 +07:00
Cuong Manh Le
fb4dfaea44
authenticate: hide impersonation form from non-admin users (#979) 
Fixes #881
 2020-06-23 22:09:33 +07:00