pomerium

mirror of https://github.com/pomerium/pomerium.git synced 2025-04-29 18:36:30 +02:00

Author	SHA1	Message	Date
Caleb Doxsey	2824faecbf	frontend: react+mui (#3004 ) * mui v5 wip * wip * wip * wip * use compressor for all controlplane endpoints * wip * wip * add deps * fix authenticate URL * fix test * fix test * fix build * maybe fix build * fix integration test * remove image asset test * add yarn.lock	2022-02-07 08:47:58 -07:00
Caleb Doxsey	5a858f5d48	config: add internal service URLs (#2801 ) * config: add internal service URLs * maybe fix integration tests * add docs * fix integration tests * for databroker connect to external name, but listen on internal name * Update docs/reference/readme.md Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com> * Update docs/reference/readme.md Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com> * Update docs/reference/readme.md Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com> * Update docs/reference/settings.yaml Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com> * Update docs/reference/settings.yaml Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com> * Update docs/reference/settings.yaml Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com> Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>	2021-12-10 14:04:37 -05:00
Caleb Doxsey	b1d62bb541	config: remove validate side effects (#2109 ) * config: default shared key * handle additional errors * update grpc addr and grpc insecure * update google cloud service authentication service account * fix set response headers * fix qps * fix test	2021-04-22 15:10:50 -06:00
wasaga	e0c09a0998	log context (#2107 )	2021-04-22 10:58:13 -04:00
Caleb Doxsey	3690a32855	config: use getters for authenticate, signout and forward auth urls (#2000 )	2021-03-19 14:49:25 -06:00
Caleb Doxsey	f396c2a0f7	config: log config source changes (#1959 ) * config: log config source changes * use internal log import	2021-03-03 09:54:08 -07:00
Caleb Doxsey	4f2bb60adb	proxy: redirect to dashboard for logout (#1944 )	2021-02-24 11:52:38 -07:00
Caleb Doxsey	84e8f6cc05	config: fix databroker policies (#1821 )	2021-01-25 17:18:50 -07:00
bobby	9b39deabd8	forward-auth: use envoy's ext_authz check (#1482 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-10-04 20:01:06 -07:00
Caleb Doxsey	d9a224a5e8	proxy: move properties to atomically updated state (#1280 ) * authenticate: remove cookie options * authenticate: remove shared key field * authenticate: remove shared cipher property * authenticate: move properties to separate state struct * proxy: allow local state to be updated on configuration changes * fix test * return new connection * use warn, collapse to single line * address concerns, fix tests	2020-08-14 11:44:58 -06:00
Caleb Doxsey	fbf5b403b9	config: allow dynamic configuration of cookie settings (#1267 )	2020-08-13 08:11:34 -06:00
Cuong Manh Le	73abed0d21	all: update outdated comments about OptionsUpdater interface (#1207 ) In #1088, OptionsUpdater was removed, but current code still mention it. This commit updates all comments which still mention about that interface (authorize is exlcuded, and will be updated in #1206).	2020-08-05 21:39:24 +07:00
Travis Groth	f538b29a0c	proxy: refactor handler setup code (#1205 )	2020-08-05 12:48:44 +07:00
Travis Groth	202b42f307	proxy: avoid second policy validation (#1204 )	2020-08-04 15:42:32 -04:00
Caleb Doxsey	fae02791f5	cryptutil: move to pkg dir, add token generator (#1029 ) * cryptutil: move to pkg dir, add token generator * add gitignored files * add tests	2020-06-30 15:55:33 -06:00
Caleb Doxsey	091b71f12e	grpc: rename internal/grpc to pkg/grpc (#1010 ) * grpc: rename internal/grpc to pkg/grpc * don't ignore pkg dir * remove debug line	2020-06-26 09:17:02 -06:00
Travis Groth	88a77c42bb	cache: add client telemetry (#975 )	2020-06-22 18:18:44 -04:00
Caleb Doxsey	dbd7f55b20	feature/databroker: user data and session refactor project (#926 ) * databroker: add databroker, identity manager, update cache (#864) * databroker: add databroker, identity manager, update cache * fix cache tests * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * authorize: use databroker data for rego policy (#904) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix gitlab test * use v4 backoff * authenticate: databroker changes (#914) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix dashboard * delete session on logout * permanently delete sessions once they are marked as deleted * remove permanent delete * fix tests * remove groups and refresh test * databroker: remove dead code, rename cache url, move dashboard (#925) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix dashboard * delete session on logout * permanently delete sessions once they are marked as deleted * remove permanent delete * fix tests * remove cache service * remove kv * remove refresh docs * remove obsolete cache docs * add databroker url option * cache: use memberlist to detect multiple instances * add databroker service url * remove cache service * remove kv * remove refresh docs * remove obsolete cache docs * add databroker url option * cache: use memberlist to detect multiple instances * add databroker service url * wip * remove groups and refresh test * fix redirect, signout * remove databroker client from proxy * remove unused method * remove user dashboard test * handle missing session ids * session: reject sessions with no id * sessions: invalidate old sessions via databroker server version (#930) * session: add a version field tied to the databroker server version that can be used to invalidate sessions * fix tests * add log * authenticate: create user record immediately, call "get" directly in authorize (#931)	2020-06-19 07:52:44 -06:00
Travis Groth	6761cc7a14	telemetry: service label updates (#802 )	2020-05-29 15:16:22 -04:00
Caleb Doxsey	f770ccfedd	config: add getters for URLs to avoid nils (#777 ) * config: add getters for URLs to avoid nils * allow nil url for cache grpc client connection in authenticate	2020-05-26 11:36:18 -06:00
Caleb Doxsey	af649d3eb0	envoy: implement header and query param session loading (#684 ) * authorize: refactor session loading, implement headers and query params * authorize: fix http recorder header, use constant for pomerium authorization header * fix compile * remove dead code	2020-05-18 17:10:10 -04:00
Travis Groth	99e788a9b4	envoy: Initial changes	2020-05-18 17:10:10 -04:00
Bobby DeSimone	bf9a6f5e97	cryptutil: add automatic certificate management (#644 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-05-05 12:50:19 -07:00
Travis Groth	b2e3b22f14	Update JWT headers to only be in responses from forward auth endpoint (#642 )	2020-05-04 07:26:37 -04:00
Caleb Doxsey	e1d2501a94	proxy: move warning message to config validation	2020-04-20 18:24:36 -06:00
Caleb Doxsey	c8c307be69	proxy: update warning message	2020-04-20 18:24:36 -06:00
Caleb Doxsey	85a1a6d013	authorize,proxy: remove support for paths within the from parameter	2020-04-20 18:24:36 -06:00
Caleb Doxsey	5ecfa34361	config: gofmt	2020-04-20 18:23:35 -06:00
Caleb Doxsey	7027f458dd	config: add prefix, path and regex options proxy: support prefix, path and regex options	2020-04-20 18:23:34 -06:00
branchmispredictor	0de3c431a6	forward-auth: validate using forwarded uri header (#600 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com> Co-authored-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-04-20 10:56:30 -07:00
Travis Groth	789068e27a	Add configurable JWT claim headers (#596 )	2020-04-09 23:41:55 -04:00
Bobby DeSimone	ba14ea246d	*: remove import path comments (#545 ) - import path comments are obsoleted by the go.mod file's module statement Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-03-16 10:13:47 -07:00
Bobby DeSimone	8d1732582e	authorize: use jwt insead of state struct (#514 ) authenticate: unmarshal and verify state from jwt, instead of middleware authorize: embed opa policy using statik authorize: have IsAuthorized handle authorization for all routes authorize: if no signing key is provided, one is generated authorize: remove IsAdmin grpc endpoint authorize/client: return authorize decision struct cmd/pomerium: main logger no longer contains email and group cryptutil: add ECDSA signing methods dashboard: have impersonate form show up for all users, but have api gated by authz docs: fix typo in signed jwt header encoding/jws: remove unused es256 signer frontend: namespace static web assets internal/sessions: remove leeway to match authz policy proxy: move signing functionality to authz proxy: remove jwt attestation from proxy (authZ does now) proxy: remove non-signed headers from headers proxy: remove special handling of x-forwarded-host sessions: do not verify state in middleware sessions: remove leeway from state to match authz sessions/{all}: store jwt directly instead of state Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-03-10 11:19:26 -07:00
Travis Groth	e666306ef8	Remove superfluous Options.Checksum type conversions (#522 )	2020-03-06 17:59:26 -05:00
Bobby DeSimone	2f13488598	authorize: use opa for policy engine (#474 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-02-02 11:18:22 -08:00
ohdarling88	111aa8f4d5	move set request headers before handle allow public access to fix https://github.com/pomerium/pomerium/issues/477 (#479 )	2020-02-02 11:15:13 -08:00
Bobby DeSimone	e82477ea5c	deployment: throw away golanglint-ci defaults (#439 ) * deployment: throw away golanglint-ci defaults Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-01-26 12:33:45 -08:00
Bobby DeSimone	8956bf4411	proxy: add preserve host header (#463 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-01-22 21:03:22 -08:00
Bobby DeSimone	dccc7cd2ff	cache : add cache service (#457 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-01-20 18:25:34 -08:00
Bobby DeSimone	ec029c679b	authenticate/proxy: add backend refresh (#438 )	2019-12-30 10:47:54 -08:00
Bobby DeSimone	b3d3159185	httputil : wrap handlers for additional context (#413 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-12-06 11:07:45 -08:00
Bobby DeSimone	12bae5cc43	errors: use %w verb directive (#419 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-12-03 20:02:43 -08:00
Bobby DeSimone	c8e6277a30	Merge remote-tracking branch 'upstream/master' into bugs/fix-forward-auth Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-11-25 15:02:25 -08:00
Bobby DeSimone	0f6a9d7f1d	proxy: fix forward auth, request signing Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-11-25 14:29:52 -08:00
Bobby DeSimone	ebee64b70b	internal/frontend : serve static assets (#392 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-11-22 17:46:01 -08:00
Travis Groth	f20d913abe	proxy: Fix policy reload regression (#396 ) * Fix policy reload regression * Update changelog	2019-11-22 19:28:36 -05:00
Travis Groth	f3c62c10cc	Rename `internal/config` to `config` (#380 )	2019-11-09 19:53:11 -05:00
Bobby DeSimone	b9ab49c32c	internal/sessions: fix cookie clear session (#376 ) CookieStore's ClearSession now properly clears the user session cookie by setting MaxAge to -1. internal/sessions: move encoder interface to encoding package, and rename to MarshalUnmarshaler. internal/encoding: move mock to own package authenticate: use INFO log level for authZ error. Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-11-09 10:49:24 -08:00
Bobby DeSimone	d3d60d1055	all: support route scoped sessions Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-11-06 17:54:15 -08:00
Bobby DeSimone	7d7e997e79	proxy: verify endpoint strip added callback params (#368 ) - proxy: use distinct host route for forward-auth handlers - proxy: have auth middleware set pomerium headers for request and response	2019-10-15 15:36:00 -07:00

1 2 3

114 commits