pomerium

mirror of https://github.com/pomerium/pomerium.git synced 2025-04-29 10:26:29 +02:00

Author	SHA1	Message	Date
Cuong Manh Le	9dae633fe5	internal/frontend/assets/html: make timestamp human readable (#1107 ) Since we switch to use databroker, time in template is now protobuf timestamp instead of time.Time, that causes it appears in raw form instead of human-readable format. Fix this by converting protobuf timestamp to time.Time in template. There's still a breaking change, though. The time will now appears in UTC instead of local time. Fixes #1100	2020-07-20 13:35:57 +07:00
Caleb Doxsey	d3a7ee38be	options refactor (#1088 ) * refactor config loading * wip * move autocert to its own config source * refactor options updaters * fix stuttering * fix autocert validate check	2020-07-16 14:30:15 -06:00
Cuong Manh Le	0ecdbf2db3	authenticate: fix wrong SignIn telemetry name	2020-07-04 00:46:33 +07:00
Caleb Doxsey	fae02791f5	cryptutil: move to pkg dir, add token generator (#1029 ) * cryptutil: move to pkg dir, add token generator * add gitignored files * add tests	2020-06-30 15:55:33 -06:00
Caleb Doxsey	091b71f12e	grpc: rename internal/grpc to pkg/grpc (#1010 ) * grpc: rename internal/grpc to pkg/grpc * don't ignore pkg dir * remove debug line	2020-06-26 09:17:02 -06:00
bobby	dbd1eac97f	identity: support custom code flow request params (#998 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-06-25 08:28:46 -07:00
Cuong Manh Le	505ff5cc5c	internal/sessions: handle claims "ver" field generally (#990 ) "ver" field is not specified by RFC 7519, so in practice, most providers return it as string, but okta returns it as number, which cause okta authenticate broken. To fix it, we handle "ver" field more generally, to allow both string and number in json payload.	2020-06-24 22:06:17 +07:00
Caleb Doxsey	0d277cf662	azure: use OID for user id in session (#985 )	2020-06-23 12:02:17 -06:00
Cuong Manh Le	17ba595ced	authenticate: support hot reloaded config (#984 ) By implementinng OptionsUpdater interface. Fixes #982	2020-06-24 00:18:20 +07:00
Cuong Manh Le	fb4dfaea44	authenticate: hide impersonation form from non-admin users (#979 ) Fixes #881	2020-06-23 22:09:33 +07:00
Travis Groth	88a77c42bb	cache: add client telemetry (#975 )	2020-06-22 18:18:44 -04:00
Caleb Doxsey	8362f18355	authenticate: move impersonate from proxy to authenticate (#965 )	2020-06-22 11:58:27 -06:00
Cuong Manh Le	99142b7293	authenticate: revoke current session oauth token before sign out (#964 ) authenticate: revoke current session oauth token before sign out After #926, we don't revoke access token before sign out anymore. It causes sign out can not work, because right after user click on sign out button, we redirect user to idp provider authenticate page with a valid access token, so user is logged in immediately again. To fix it, just revoke the access token before sign out.	2020-06-23 00:55:55 +07:00
Cuong Manh Le	b2f6b42798	authenticate: remove useless/duplicated code block (#962 )	2020-06-22 22:39:09 +07:00
Caleb Doxsey	b3ccdfe00f	idp: delete sessions on refresh error, handle zero times in oauth/id tokens for refresh (#961 )	2020-06-22 08:49:28 -06:00
Caleb Doxsey	f7760c413e	directory: generate user/directory.User ID in a consistent way (#944 )	2020-06-22 07:42:57 -06:00
bobby	cfbc5c2114	autenticate: fix some typos (#939 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-06-21 10:23:58 -07:00
Caleb Doxsey	dbd7f55b20	feature/databroker: user data and session refactor project (#926 ) * databroker: add databroker, identity manager, update cache (#864) * databroker: add databroker, identity manager, update cache * fix cache tests * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * authorize: use databroker data for rego policy (#904) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix gitlab test * use v4 backoff * authenticate: databroker changes (#914) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix dashboard * delete session on logout * permanently delete sessions once they are marked as deleted * remove permanent delete * fix tests * remove groups and refresh test * databroker: remove dead code, rename cache url, move dashboard (#925) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix dashboard * delete session on logout * permanently delete sessions once they are marked as deleted * remove permanent delete * fix tests * remove cache service * remove kv * remove refresh docs * remove obsolete cache docs * add databroker url option * cache: use memberlist to detect multiple instances * add databroker service url * remove cache service * remove kv * remove refresh docs * remove obsolete cache docs * add databroker url option * cache: use memberlist to detect multiple instances * add databroker service url * wip * remove groups and refresh test * fix redirect, signout * remove databroker client from proxy * remove unused method * remove user dashboard test * handle missing session ids * session: reject sessions with no id * sessions: invalidate old sessions via databroker server version (#930) * session: add a version field tied to the databroker server version that can be used to invalidate sessions * fix tests * add log * authenticate: create user record immediately, call "get" directly in authorize (#931)	2020-06-19 07:52:44 -06:00
Bobby DeSimone	eae217851a	authenticate: clear session if ctx fails (#806 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-05-29 17:25:09 -07:00
Caleb Doxsey	12d90a021c	authenticate: remove authorize url validate check (#790 ) * authenticate: remove authorize url validate check * fix test	2020-05-27 09:23:22 -06:00
Bobby DeSimone	9d7ef85687	authenticate: ensure authorize url is set (#760 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-05-26 10:44:20 -07:00
Caleb Doxsey	f770ccfedd	config: add getters for URLs to avoid nils (#777 ) * config: add getters for URLs to avoid nils * allow nil url for cache grpc client connection in authenticate	2020-05-26 11:36:18 -06:00
Bobby DeSimone	2d02f2dfa0	authenticate: add tests to signing endpoints (#759 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-05-22 14:21:24 -07:00
Bobby DeSimone	3f1faf2e9e	authenticate: add jwks and .well-known endpoint (#745 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-05-21 11:46:29 -07:00
Bobby DeSimone	666fd6aa35	authenticate: save oauth2 tokens to cache (#698 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-05-18 17:10:10 -04:00
Caleb Doxsey	af649d3eb0	envoy: implement header and query param session loading (#684 ) * authorize: refactor session loading, implement headers and query params * authorize: fix http recorder header, use constant for pomerium authorization header * fix compile * remove dead code	2020-05-18 17:10:10 -04:00
Travis Groth	99e788a9b4	envoy: Initial changes	2020-05-18 17:10:10 -04:00
Bobby DeSimone	f7ee08b05a	session: remove audience check (#640 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-04-29 15:30:47 -07:00
Bobby DeSimone	18993c4293	github: fix nil pointer error (#637 ) - fixes an issue where defer clear session would not be called Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-04-28 07:56:42 -07:00
Bobby DeSimone	627a591824	identity: abstract identity providers by type (#560 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-04-23 10:36:24 -07:00
Ogundele Olumide	75f4dadad6	identity/provider: implement generic revoke method (#595 ) Co-authored-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-04-21 14:40:33 -07:00
Ogundele Olumide	ae4204d42b	internal/identity: implement github provider support (#582 ) Co-authored-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-04-10 10:48:14 -07:00
Travis Groth	799d1ad162	Use Host:port for JWT audience generation Signed-off-by: Travis Groth <travisgroth@users.noreply.github.com> (#562)	2020-03-25 22:15:15 -04:00
Cuong Manh Le	136a366e5c	authenticate: return 401 for some specific error codes (#561 ) Fixes #551	2020-03-25 18:36:03 -07:00
Bobby DeSimone	ba14ea246d	*: remove import path comments (#545 ) - import path comments are obsoleted by the go.mod file's module statement Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-03-16 10:13:47 -07:00
Mihai Todor	c14e3d8b34	Make IDP_PROVIDER env var mandatory (#536 )	2020-03-15 19:00:23 -07:00
Bobby DeSimone	8d1732582e	authorize: use jwt insead of state struct (#514 ) authenticate: unmarshal and verify state from jwt, instead of middleware authorize: embed opa policy using statik authorize: have IsAuthorized handle authorization for all routes authorize: if no signing key is provided, one is generated authorize: remove IsAdmin grpc endpoint authorize/client: return authorize decision struct cmd/pomerium: main logger no longer contains email and group cryptutil: add ECDSA signing methods dashboard: have impersonate form show up for all users, but have api gated by authz docs: fix typo in signed jwt header encoding/jws: remove unused es256 signer frontend: namespace static web assets internal/sessions: remove leeway to match authz policy proxy: move signing functionality to authz proxy: remove jwt attestation from proxy (authZ does now) proxy: remove non-signed headers from headers proxy: remove special handling of x-forwarded-host sessions: do not verify state in middleware sessions: remove leeway from state to match authz sessions/{all}: store jwt directly instead of state Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-03-10 11:19:26 -07:00
Bobby DeSimone	5716113c2a	authenticate: make callback path configurable (#493 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-02-08 09:06:23 -08:00
Bobby DeSimone	2f13488598	authorize: use opa for policy engine (#474 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-02-02 11:18:22 -08:00
Bobby DeSimone	e82477ea5c	deployment: throw away golanglint-ci defaults (#439 ) * deployment: throw away golanglint-ci defaults Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-01-26 12:33:45 -08:00
Bobby DeSimone	dccc7cd2ff	cache : add cache service (#457 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-01-20 18:25:34 -08:00
Bobby DeSimone	ec029c679b	authenticate/proxy: add backend refresh (#438 )	2019-12-30 10:47:54 -08:00
Bobby DeSimone	b3d3159185	httputil : wrap handlers for additional context (#413 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-12-06 11:07:45 -08:00
Bobby DeSimone	487fc655d6	authenticate: make session default match IDP (#416 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-12-04 22:22:10 -08:00
Bobby DeSimone	12bae5cc43	errors: use %w verb directive (#419 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-12-03 20:02:43 -08:00
Bobby DeSimone	74cd9eabbb	authenticate: fix impersonation getting cleared (#411 )	2019-11-30 10:54:32 -08:00
Bobby DeSimone	c8e6277a30	Merge remote-tracking branch 'upstream/master' into bugs/fix-forward-auth Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-11-25 15:02:25 -08:00
Bobby DeSimone	0f6a9d7f1d	proxy: fix forward auth, request signing Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-11-25 14:29:52 -08:00
Bobby DeSimone	ebee64b70b	internal/frontend : serve static assets (#392 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-11-22 17:46:01 -08:00
Bobby DeSimone	00c29f4e77	authenticate: handle XHR redirect flow (#387 ) - authenticate: add cors preflight check support for sign_in endpoint - internal/httputil: indicate responses that originate from pomerium vs the app - proxy: detect XHR requests and do not redirect on failure. - authenticate: removed default session duration; should be maintained out of band with rpc.	2019-11-14 19:37:31 -08:00

1 2 3 4 5

210 commits