117 commits

Author SHA1 Message Date
Kenneth Jenkins
2bc2be793f
Merge pull request from GHSA-pvrc-wvj2-f59p
* authorize: normalize URL query params

* config: enable envoy normalize_path option

* authorize: use route id from envoy for policy evaluation
2023-05-26 13:34:21 -07:00
Caleb Doxsey
02df20f10a
authorize: performance improvements (#3723) 2022-11-04 17:09:52 -06:00
Denis Mishin
a3cfe8fa42
keep trace span context (#3724) 2022-11-04 17:52:13 -04:00
Caleb Doxsey
c178819875
move directory providers (#3633)
* remove directory providers and support for groups

* idp: remove directory providers

* better error messages

* fix errors

* restore postgres

* fix test
2022-11-03 11:33:56 -06:00
dependabot[bot]
ec495bb682
chore(deps): bump github.com/golangci/golangci-lint from 1.48.0 to 1.50.0 (#3667)
* chore(deps): bump github.com/golangci/golangci-lint

Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.48.0 to 1.50.0.
- [Release notes](https://github.com/golangci/golangci-lint/releases)
- [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md)
- [Commits](https://github.com/golangci/golangci-lint/compare/v1.48.0...v1.50.0)

---
updated-dependencies:
- dependency-name: github.com/golangci/golangci-lint
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* lint

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
2022-10-19 09:36:59 -06:00
Caleb Doxsey
47e3176ea4
authorize: enforce service account expiration (#3661) 2022-10-13 09:28:42 -06:00
Caleb Doxsey
3c63b6c028
authorize: add policy error details for custom error messages (#3542)
* authorize: add policy error details for custom error messages

* remove fmt.Println

* fix tests

* add docs
2022-08-09 14:46:31 -06:00
Caleb Doxsey
f61e7efe73
authorize: use query instead of sync for databroker data (#3377) 2022-06-01 15:40:07 -06:00
Caleb Doxsey
c19048649a
authorize: add support for cidr lookups (#3277) 2022-04-19 16:18:34 -06:00
Caleb Doxsey
d299b42509
authorize: add name claim (#3238) 2022-04-05 12:08:00 -06:00
Caleb Doxsey
a0e64b1cf9
authorize: add request IP to rego evaluation (#3107) 2022-03-07 15:07:58 -07:00
Caleb Doxsey
99b9a3ee12
authorize: add support for passing access or id token upstream (#3047)
* authorize: add support for passing access or id token upstream

* use an enum
2022-02-17 09:28:31 -07:00
cfanbo
84dad4c612
remove deprecated ioutil usages (#2877)
* fix: Fixed return description error

* config/options: Adjust the position of TracingJaegerAgentEndpoint option

* DOCS: Remove duplicate configuration items

Remove duplicate configuration items of route

* remove deprecated ioutil usages
2021-12-30 10:02:12 -08:00
Caleb Doxsey
2d04106e6d
ppl: add support for http_path and http_method (#2813)
* ppl: add support for http_path and http_method

* fix import ordering
2021-12-10 07:28:51 -07:00
Caleb Doxsey
c97dcf7e0f
envoy: add hash policy and routing key for hash-based load balancers (#2791)
* envoy: add hash policy and routing key for hash-based load balancers

* fix integration test

* fix nginx
2021-12-01 13:42:12 -07:00
Caleb Doxsey
6e48627b4d
ppl: add support for additional data (#2696)
* ppl: add support for additional data

* remove unused NewCriterionDeviceRule
2021-10-22 12:32:20 -06:00
Caleb Doxsey
efffe57bf0
ppl: pass contextual information through policy (#2612)
* ppl: pass contextual information through policy

* maybe fix nginx

* fix nginx

* pr comments

* go mod tidy
2021-09-20 16:02:26 -06:00
Caleb Doxsey
0786c7fc45
authorize: use session.user_id in headers (#2571) 2021-09-03 14:51:09 -06:00
Caleb Doxsey
33f5190572
config: remove signature_key_algorithm (#2557)
* config: remove signature_key_algorithm

* typo

* add more tests
2021-09-02 11:36:43 -06:00
Caleb Doxsey
de1ed61b9a
authorize: fix google cloudrun header audience (#2558) 2021-09-02 09:55:06 -06:00
Caleb Doxsey
ef55829cb0
authorize: fix X-Pomerium-Claim-Groups (#2539) 2021-08-26 20:29:57 -06:00
Caleb Doxsey
526f946097
fix forward-auth, logging (#2509)
* fix forward-auth, logging

* move error message
2021-08-23 17:50:04 -06:00
Caleb Doxsey
6af0655206
protoutil: add NewAny method for deterministic serialization (#2462) 2021-08-09 17:51:57 -06:00
Caleb Doxsey
a64e5b5fa1
authorize: add sid to JWT claims (#2420)
* authorize: add sid to JWT claims

* fix import ordering
2021-08-02 16:11:05 -06:00
Caleb Doxsey
1a95036b8c
sessions: add impersonate_session_id, remove legacy impersonation (#2407)
* sessions: add impersonate_session_id, remove legacy impersonation

* show impersonated user details

* fix headers

* address feedback

* only check impersonate id on non-nil pbSession

* Revert "only check impersonate id on non-nil pbSession"

This reverts commit a6f7ca5abd.
2021-07-30 08:42:36 -06:00
bobby
aa0e6872de
evaluator: use cryptutil to hash (#2384)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2021-07-22 06:15:54 -07:00
Caleb Doxsey
c7a8f11d9a
authorize: add additional tracing for rego evaluation (#2381) 2021-07-21 15:37:51 -06:00
Caleb Doxsey
cef08a1c2d
authorize: remove service account impersonate user id, email and groups (#2365) 2021-07-15 09:31:45 -06:00
Caleb Doxsey
21ffe44dff
authorize: support boolean deny results (#2338)
* authorize: support boolean deny results

* add client certificate test

* handle different array lengths
2021-07-06 12:52:26 -06:00
Caleb Doxsey
f9675f61cc
deps: upgrade to go-jose v3 (#2284) 2021-06-10 09:35:44 -06:00
Caleb Doxsey
2156dbc553
envoy: always set jwt claim headers even if no value is available (#2261)
* envoy: always set jwt claim headers even if no value is available

* add test
2021-06-04 10:01:00 -07:00
wasaga
40ddc2c4b3
jwt: round timestamp (#2258) 2021-06-01 14:12:45 -07:00
wasaga
12c8bb2da4
authorize: preserve original context (#2247) 2021-06-01 11:10:35 -04:00
Caleb Doxsey
dad35bcfb0
ppl: refactor authorize to evaluate PPL (#2224)
* ppl: refactor authorize to evaluate PPL

* remove opa test step

* add log statement

* simplify assignment

* deny with forbidden if logged in

* add safeEval function

* create evaluator-specific config and options

* embed the headers rego file directly
2021-05-21 09:50:18 -06:00
Caleb Doxsey
c85c8b0778
authorize: refactor store locking (#2151)
* authorize: refactor store locking

* fix nil reference panic
2021-04-29 08:37:27 -06:00
Caleb Doxsey
f365b30e02
authorize: remove log (#2122) 2021-04-23 14:00:08 -06:00
Caleb Doxsey
762b565239
authorize: fix empty sub policy arrays (#2119) 2021-04-23 11:00:30 -06:00
Caleb Doxsey
b1d62bb541
config: remove validate side effects (#2109)
* config: default shared key

* handle additional errors

* update grpc addr and grpc insecure

* update google cloud service authentication service account

* fix set response headers

* fix qps

* fix test
2021-04-22 15:10:50 -06:00
wasaga
e0c09a0998
log context (#2107) 2021-04-22 10:58:13 -04:00
Caleb Doxsey
3906b70bc5
authorize: support arbitrary jwt claims (#2102)
* authorize: support arbitrary jwt claims

* remove dead code
2021-04-19 14:55:08 -06:00
Caleb Doxsey
d7ab817de7
authorize: add databroker server and record version to result, force sync via polling (#2024)
* authorize: add databroker server and record version to result, force sync via polling

* wrap inmem store to take read lock when grabbing databroker versions

* address code review comments

* reset max to 0
2021-03-31 10:09:06 -06:00
Caleb Doxsey
4218f49741
authorize: bypass data in rego for databroker data (#2041) 2021-03-30 14:14:32 -06:00
Nándor István Krácser
45fb938317
oidc: use groups claim from ID token if present (#1970)
Signed-off-by: Nandor Kracser <bonifaido@gmail.com>
2021-03-22 11:46:01 -06:00
Caleb Doxsey
3690a32855
config: use getters for authenticate, signout and forward auth urls (#2000) 2021-03-19 14:49:25 -06:00
Caleb Doxsey
ae7626df3e
authorize: set JWT to expire after 5 minutes (#1980)
* authorize: set JWT to expire after 5 minutes

* use lesser of 5 minutes or id token expiration

* add test for expires at
2021-03-15 07:38:32 -06:00
Caleb Doxsey
b6ec01f377
assets: use embed instead of statik (#1960)
* assets: use embed instead of statik

* remove empty line

* maybe fix precommit
2021-03-03 18:56:55 -07:00
Caleb Doxsey
5d60cff21e
databroker: refactor databroker to sync all changes (#1879)
* refactor backend, implement encrypted store

* refactor in-memory store

* wip

* wip

* wip

* add syncer test

* fix redis expiry

* fix linting issues

* fix test by skipping non-config records

* fix backoff import

* fix init issues

* fix query

* wait for initial sync before starting directory sync

* add type to SyncLatest

* add more log messages, fix deadlock in in-memory store, always return server version from SyncLatest

* update sync types and tests

* add redis tests

* skip macos in github actions

* add comments to proto

* split getBackend into separate methods

* handle errors in initVersion

* return different error for not found vs other errors in get

* use exponential backoff for redis transaction retry

* rename raw to result

* use context instead of close channel

* store type urls as constants in databroker

* use timestampb instead of ptypes

* fix group merging not waiting

* change locked names

* update GetAll to return latest record version

* add method to grpcutil to get the type url for a protobuf type
2021-02-18 15:24:33 -07:00
Caleb Doxsey
1a1cc30c67
config: support map of jwt claim headers (#1906)
* config: support map of jwt claim headers

* fix array handling, add test

* update docs

* use separate hook, add tests
2021-02-17 13:43:18 -07:00
Caleb Doxsey
7d236ca1af
authorize: move headers and jwt signing to rego (#1856)
* wip

* wip

* wip

* remove SignedJWT field

* set google_cloud_serverless_authentication_service_account

* update jwt claim headers

* add mock get_google_cloud_serverless_headers for opa test

* swap issuer and audience

* add comment

* change default port in authz
2021-02-08 10:53:21 -07:00
Caleb Doxsey
25b697a13d
authorize: allow access by user id (#1850) 2021-02-03 07:15:44 -07:00