Kenneth Jenkins
2bc2be793f
Merge pull request from GHSA-pvrc-wvj2-f59p
* authorize: normalize URL query params
* config: enable envoy normalize_path option
* authorize: use route id from envoy for policy evaluation
2023-05-26 13:34:21 -07:00
backport-actions-token[bot]
0b3d4f3a6f
jwt: require logged in user to return .pomerium/jwt ( #3809 )
jwt: require logged in user to return .pomerium/jwt ( #3807 )
* jwt: require logged in user to return .pomerium/jwt
* fix test
* update test
Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
2022-12-13 14:28:37 -07:00
Caleb Doxsey
9413123c0f
config: generate cookie secret if not set in all-in-one mode ( #3742 )
* config: generate cookie secret if not set in all-in-one mode
* fix tests
* config: add warning about cookie_secret
* breakup lines
2022-11-11 14:14:30 -07:00
Caleb Doxsey
2c9087f5e7
config: disable Strict-Transport-Security when using a self-signed certificate ( #3743 )
2022-11-10 16:01:06 -07:00
Eng Zer Jun
45ce6f693a
test: use T.TempDir to create temporary test directory ( #3725 )
Prior to this commit, temporary directories in tests were created using
`filepath.Join` and `os.MkdirAll`.
This commit replaces `os.MkdirAll` with `t.TempDir` in tests. The
directory created by `t.TempDir` is automatically removed when the test
and all its subtests complete.
Reference: https://pkg.go.dev/testing#T.TempDir
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2022-11-08 09:16:32 -07:00
Denis Mishin
74a7daed4f
add config option check logging ( #3722 )
2022-11-05 00:25:09 -04:00
Caleb Doxsey
c178819875
move directory providers ( #3633 )
* remove directory providers and support for groups
* idp: remove directory providers
* better error messages
* fix errors
* restore postgres
* fix test
2022-11-03 11:33:56 -06:00
Denis Mishin
d8f4355f66
fix unused key warnings in routes ( #3711 )
2022-10-28 14:59:43 -04:00
Caleb Doxsey
6a9d6e45e1
config: allow blank identity providers when loading sessions for service account support ( #3709 )
2022-10-27 08:32:06 -06:00
Caleb Doxsey
30bdae3d9e
sessions: check idp id to detect provider changes to force session invalidation ( #3707 )
* sessions: check idp id to detect provider changes to force session invalidation
* remove dead code
* fix test
2022-10-25 16:20:32 -06:00
Caleb Doxsey
3f7a482815
envoyconfig: fix databroker health checks ( #3706 )
2022-10-25 12:37:46 -06:00
Caleb Doxsey
daed2d260c
config: disable envoy admin by default, expose stats via envoy route ( #3677 )
2022-10-18 16:25:03 -06:00
Caleb Doxsey
71b1bcfac5
config: default to http2 ( #3660 )
* config: default to http2
* fix test
2022-10-12 14:46:06 -06:00
Caleb Doxsey
de804edc19
ppl: support special characters in claim keys ( #3639 )
* ppl: support special characters in claim keys
* fix test
2022-10-03 07:35:18 -06:00
Caleb Doxsey
8d7db85737
envoyconfig: add all routes to all filter chains ( #3596 )
2022-09-07 09:55:03 -06:00
Caleb Doxsey
33794ff316
envoyconfig: add virtual host domains for certificates in addition to routes ( #3593 )
* envoyconfig: add virtual host domains for certificates in addition to routes
* Update pkg/cryptutil/certificates.go
Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
* Update pkg/cryptutil/tls.go
Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
* comments
Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
2022-08-31 10:35:45 -06:00
Alex
fc21579e4b
Fix typos ( #3575 )
typos
2022-08-30 15:51:40 -07:00
Caleb Doxsey
e5ac784cf4
autocert: add support for ACME TLS-ALPN ( #3590 )
* autocert: add support for ACME TLS-ALPN
* always re-create acme tls server
2022-08-29 16:19:20 -06:00
Caleb Doxsey
ce818b3be6
envoyconfig: add authority header to outbound gRPC requests ( #3545 )
2022-08-24 15:18:31 -06:00
Caleb Doxsey
4d38da94dd
envoy: upgrade to 1.23.0 ( #3560 )
* envoy: upgrade to 1.23.0
* only set ipv4_compat if :: or an ipv4in6 address
* fix tests
2022-08-22 15:03:29 -06:00
Caleb Doxsey
46703b9419
config: add branding settings ( #3558 )
2022-08-16 14:51:47 -06:00
Caleb Doxsey
3c63b6c028
authorize: add policy error details for custom error messages ( #3542 )
* authorize: add policy error details for custom error messages
* remove fmt.Println
* fix tests
* add docs
2022-08-09 14:46:31 -06:00
Caleb Doxsey
b5ac7dbc76
sets: convert set types to generics ( #3519 )
* sets: convert set types to generics
* sets: use internal sets package
2022-07-29 12:32:17 -06:00
Caleb Doxsey
0ac7e45a21
atomicutil: use atomicutil.Value wherever possible ( #3517 )
* atomicutil: use atomicutil.Value wherever possible
* fix test
* fix mux router
2022-07-28 15:38:38 -06:00
Caleb Doxsey
1afbc6e9c4
options: fix overlapping certificate test ( #3492 )
2022-07-20 13:38:52 -06:00
Denis Mishin
f67b33484b
add metrics aggregation ( #3452 )
2022-06-30 10:52:45 -04:00
Caleb Doxsey
86625a4ddb
config: support files for shared_secret, client_secret, cookie_secret and signing_key ( #3453 )
2022-06-29 10:44:08 -06:00
Denis Mishin
d1037d784a
allow pomerium to be embedded as a library ( #3415 )
2022-06-15 20:29:19 -04:00
bobby
ebbb6a7ff2
docs: update references, remove docs dir ( #3420 )
* docs: update references, remove docs dir
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
* Update README.md
Co-authored-by: Alex Fornuto <afornuto@pomerium.com>
* Update Docs Paths
* precommit
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
* remove spellcheck
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
* spell the check
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
Co-authored-by: Alex Fornuto <afornuto@pomerium.com>
2022-06-13 16:52:52 -07:00
cfanbo
d9097b44ea
replace fmt.Sprintf with net.JoinHostPort ( #3407 )
2022-06-07 13:04:13 -06:00
Caleb Doxsey
fd82cc7870
authenticate: allow changing the authenticate service URL at runtime ( #3378 )
* config: better change detection
* wip
* fix middleware
* add middleware before handlers
* use ctx
2022-05-31 13:24:40 -06:00
Caleb Doxsey
1c2aad2de6
postgres: databroker storage backend ( #3370 )
* wip
* storage: add filtering to SyncLatest
* don't increment the record version, so intermediate changes are requested
* databroker: add support for query filtering
* fill server and record version
* postgres: databroker storage backend
* wip
* serialize puts
* add test
* skip tests for macos
* add test
* return error from protojson
* set data
* exclude postgres from cover tests
2022-05-25 10:23:58 -06:00
Denis Mishin
51e716ef54
add x-request-id in responses ( #3366 )
2022-05-16 18:22:20 -04:00
Denis Mishin
a15106ebe2
avoid null reproxy handler ( #3345 )
2022-05-11 12:16:59 -04:00
Caleb Doxsey
6b663ba53f
httputil/reproxy: fix policy transport ( #3322 )
2022-05-04 18:32:36 -06:00
Caleb Doxsey
9dbe12fe99
authenticate: save session for bare webauthn redirects, consider external service URL to be a pomerium url ( #3280 )
2022-04-19 16:03:11 -06:00
Caleb Doxsey
9ae5c26f42
envoy: use typed extension protocol options for static bootstrap cluster ( #3268 )
2022-04-12 13:13:32 -06:00
Caleb Doxsey
25a7afd6e6
ppl: support . in object_get paths ( #3263 )
2022-04-11 09:24:39 -06:00
Caleb Doxsey
c5550d28ed
config: fix DefaultTransport so it is still a *http.Transport ( #3257 )
* config: fix DefaultTransport so it is still a *http.Transport
* remove printlns
* Update config/http.go
Co-authored-by: Denis Mishin <dmishin@pomerium.com>
* remove unnecessary check
Co-authored-by: Denis Mishin <dmishin@pomerium.com>
2022-04-08 11:07:37 -06:00
Caleb Doxsey
b79f1e379f
config: add support for downstream TLS server name ( #3243 )
* config: add support for downstream TLS server name
* fix whitespace
* fix whitespace
* add docs
* add tls_upstream_server_name and tls_downstream_server_name to config
* Update docs/reference/settings.yaml
Co-authored-by: Alex Fornuto <afornuto@pomerium.com>
* Update docs/reference/readme.md
Co-authored-by: Alex Fornuto <afornuto@pomerium.com>
* add deprecation notice
Co-authored-by: Alex Fornuto <afornuto@pomerium.com>
2022-04-06 06:48:45 -07:00
Caleb Doxsey
b435f73e2b
authenticate: fix debug and metrics endpoints ( #3212 )
2022-03-30 09:37:37 -06:00
Caleb Doxsey
d6bd2d06ef
envoy: upgrade to 1.21.1 ( #3186 )
* envoy: upgrade to 1.21.1
* envoy: upgrade to 1.21.1
2022-03-24 10:16:07 -06:00
Caleb Doxsey
1342523cda
grpc: remove ptypes references ( #3078 )
2022-02-24 08:37:59 -07:00
Caleb Doxsey
efd609f6ce
config: add idp_client_id and idp_client_secret to protobuf ( #3060 )
2022-02-18 08:55:31 -07:00
Caleb Doxsey
908ea35ed8
config: fix httptest local certificate ( #3056 )
* config: fix httptest local certificate
* config: remove unused localCert
2022-02-17 10:44:14 -07:00
Caleb Doxsey
99b9a3ee12
authorize: add support for passing access or id token upstream ( #3047 )
* authorize: add support for passing access or id token upstream
* use an enum
2022-02-17 09:28:31 -07:00
Caleb Doxsey
f9b95a276b
authenticate: support for per-route client id and client secret ( #3030 )
* implement dynamic provider support
* authenticate: support per-route client id and secret
2022-02-16 12:31:55 -07:00
Caleb Doxsey
fbdbe9c86f
config: fix TLS config when address and grpc_address are the same ( #2975 )
2022-01-27 09:18:07 -07:00
Caleb Doxsey
ace5bbb89a
config: fix policy matching for regular expressions ( #2966 )
* config: fix policy matching for regular expressions
* compile regex in validate, add test
* fix test
2022-01-25 08:48:40 -07:00
Caleb Doxsey
95d6d97143
authenticate: support webauthn redirects to non-pomerium domains ( #2936 )
* authenticate: support webauthn redirects to non-pomerium domains
* add test
* remove dead code
2022-01-19 15:10:57 -07:00