3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-05-04 04:46:01 +02:00
Code Issues Projects Releases Packages Wiki Activity
2359 commits 159 branches 125 tags 104 MiB
Commit graph

232 commits

Author SHA1 Message Date
bobby
6466efddd5
authenticate: update user info screens (#1774) 
- rename "dashboard" to userinfo to avoid confusion
- don't leak version from error page.
- fix typo in state.go
- make statik determenistic on modtime


Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2021-01-13 13:15:31 -08:00
Caleb Doxsey
ab4a68f56f
remove user impersonation and service account cli (#1768) 
* remove user impersonation and service account cli

* update doc

* remove user impersonation url query params

* fix flaky test
 2021-01-12 09:28:29 -07:00
Caleb Doxsey
a6bc9f492f
authorize: move impersonation into session/service account (#1765) 
* move impersonation into session/service account

* replace frontend statik

* fix data race

* move JWT filling to separate function, break up functions

* maybe fix data race

* fix code climate issue
 2021-01-11 15:40:08 -07:00
Caleb Doxsey
b16236496b
jws: remove issuer (#1754) 2021-01-11 07:57:54 -07:00
Caleb Doxsey
4f0ce4bc82
fix coverage (#1741) 
* fix coverage

* fix data races
 2021-01-06 08:30:38 -07:00
bobby
f837c92741
dev: update linter (#1728) 
- gofumpt everything
- fix TLS MinVersion to be at least 1.2
- add octal syntax
- remove newlines
- fix potential decompression bomb in ecjson
- remove implicit memory aliasing in for loops.

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-12-30 09:02:57 -08:00
Caleb Doxsey
4eec2ed1d5
evaluator: use impersonate groups if impersonate email is set (#1701) 2020-12-21 08:47:12 -08:00
Caleb Doxsey
ad828c6e84
add support for TCP routes (#1695) 2020-12-16 13:09:48 -07:00
Caleb Doxsey
744d4453d5
use the directory email when provided for the jwt (#1647) 2020-12-04 11:14:19 -07:00
bobby
5bbd745934
authorize: add signature algo support (RSA / EdDSA) (#1631) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-11-30 17:14:41 -08:00
Caleb Doxsey
3f7777f7e0
wait for initial sync to complete before starting control plane (#1636) 2020-11-30 15:45:12 -07:00
Caleb Doxsey
aad8ac2e61
replace GetAllPages with InitialSync, improve merge performance (#1624) 
* replace GetAllPages with InitialSync, improve merge performance

* fmt proto

* add test for base64 function

* add sync test

* go mod tidy

Co-authored-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-11-30 12:21:44 -07:00
Caleb Doxsey
2d5690dde6
remove deprecated cache_service_url config option (#1614) 
* remove deprecated cache_service_url config option

* remove broken test

* update integration test config

* update nginx example

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>
 2020-11-23 14:57:29 -07:00
Caleb Doxsey
a41c37f9e0
add paging support to GetAll (#1601) 
* add paging support to GetAll

* fix import
 2020-11-18 17:02:57 -07:00
bobby
c199909032
forward-auth: fix special character support for nginx (#1578) 2020-11-12 13:10:57 -05:00
Philip Wassermann
85a5961e5e
authorize: add allow_any_authenticated_user policy (#1515) 2020-11-05 11:20:50 -07:00
Caleb Doxsey
10b5c5ca0e
fix querying claim data on the dashboard (#1560) 2020-10-29 10:49:02 -06:00
Caleb Doxsey
153e438eb6
authorize: implement allowed_idp_claims (#1542) 
* add arbitrary claims to session

* add support for maps

* update flattened claims

* fix eol

* fix trailing whitespace

* fix tests
 2020-10-23 14:05:37 -06:00
bobby
aadbcd23bd
fwd-auth: fix nginx-ingress forward-auth (#1505 / #1497) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-10-19 08:09:13 -07:00
bobby
c85b45cff6
authorize: add redirect url to debug page (#1533) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-10-19 08:07:51 -07:00
bobby
5cc65adc48
internal/frontend: resolve authN helper url (#1521) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-10-18 17:11:47 -07:00
Caleb Doxsey
04c582121d
add flag to enable user impersonation (#1514) 
* add flag to enable user impersonation

* fix typo
 2020-10-14 08:17:59 -06:00
Caleb Doxsey
eb79cc0957
databroker: require JWT for access (#1503) 2020-10-09 11:08:40 -06:00
bobby
9b39deabd8
forward-auth: use envoy's ext_authz check (#1482) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-10-04 20:01:06 -07:00
Caleb Doxsey
a19e45334b
proxy: remove impersonate headers for kubernetes (#1394) 
* proxy: remove impersonate headers for kubernetes

* master on frontend/statik
 2020-09-09 15:24:39 -06:00
Caleb Doxsey
0a6796ff71
authorize: add support for service accounts (#1374) 2020-09-04 10:37:00 -06:00
Caleb Doxsey
49d1a71ff2
databroker: add tracing for rego evaluation and databroker sync, fix bug in databroker config source (#1367) 2020-09-03 08:11:34 -06:00
Caleb Doxsey
0a2638e5dc
authorize: use impersonate email/groups in JWT (#1364) 2020-09-02 13:50:46 -06:00
Caleb Doxsey
4fb90fabe8
config: support explicit prefix and regex path rewriting (#1363) 
* config: support explicity prefix and regex path rewriting

* add rewrite tests
 2020-09-02 13:48:19 -06:00
Caleb Doxsey
a269441c34
proxy: disable control-plane robots.txt for public unauthenticated routes (#1361) 2020-09-02 07:56:15 -06:00
Caleb Doxsey
51bdf9baae
authorize: add jti to JWT payload (#1328) 2020-08-24 15:35:16 -06:00
bobby
45fc4ec3cc
authorize: log users and groups (#1303) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-08-19 08:07:30 -07:00
Caleb Doxsey
6dee647a16
authorize: use atomic state for properties (#1290) 2020-08-17 14:24:06 -06:00
Caleb Doxsey
fbf5b403b9
config: allow dynamic configuration of cookie settings (#1267) 2020-08-13 08:11:34 -06:00
bobby
1b365e52f3
authorize: add databroker url check (#1228) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-08-07 09:31:27 -07:00
Cuong Manh Le
f46f124f13 authorize: add tests for get jwt claim headers 2020-08-06 21:02:20 +07:00
Cuong Manh Le
5d3b551524 authorize: increase test coverage 
- Add test cases for sync functions
 - Add test for valid JWT
 - Add session state to Test_getEvaluatorRequest
 2020-08-06 21:02:20 +07:00
Cuong Manh Le
0624658e4b authorize: move service account normalization to its own function 
This helps testing the code easier, increase coverage.
 2020-08-06 21:02:20 +07:00
Cuong Manh Le
e6c78f10e9 authorize/evaluator: add test for ClearRecords 2020-08-06 21:02:20 +07:00
Cuong Manh Le
633c25feb7
authorize: store policy evaluator on success only (#1206) 
Currently, when option changes, whether the option is good or bad, we
always store new policy evaluator.

When options is bad, policy evaluator will be nil. That can lead to panic
at runtime if a Check request were called after Authorize.OnConfigChange
ran with bad option.

We already have an error message if new policy evaluator fails, so we
must only update it on success only.
 2020-08-05 21:39:10 +07:00
Cuong Manh Le
5653a398de
authorize/evaluator: add more test cases (#1198) 2020-08-04 22:43:03 +07:00
Cuong Manh Le
351a449023
authorize: add test for denied response (#1197) 2020-08-04 21:20:30 +07:00
Cuong Manh Le
79b5ae7d98
authorize/evaluator: fix wrong custom policies decision (#1199) 
Test will be added in #1198
 2020-08-04 21:11:59 +07:00
Cuong Manh Le
fa43db80c1
authorize: derive check response message from reply message (#1193) 
* authorize: derive check response message from reply message

While at it, add tests for ok response related functions.

* authorize: more test case for ok reply with k8s svc
 2020-08-04 09:12:30 +07:00
Cuong Manh Le
f7ebf54305
authorize: strip port from host header if necessary (#1175) 
After #1153, envoy can handle routes for `example.com` and `example.com:443`.
Authorize service should be updated to handle this case, too.

Fixes #959
 2020-07-31 21:41:58 +07:00
Caleb Doxsey
97f85481f8
fix redirect loop, remove user/session services, remove duplicate deleted_at fields (#1162) 
* fix redirect loop, remove user/session services, remove duplicate deleted_at fields

* change loop

* reuse err variable

* wrap errors, use cookie timeout

* wrap error, duplicate if
 2020-07-30 09:41:57 -06:00
Caleb Doxsey
557aef2a33
fix databroker restart versioning, handle missing sessions (#1145) 
* fix databroker restart versioning, handle missing sessions

* send empty server version to detect change

* only rebuild if there are updated records
 2020-07-29 08:45:41 -06:00
Caleb Doxsey
1ad243dfd1
directory.Group entry for groups (#1118) 
* store directory groups separate from directory users

* fix group lookup, azure display name

* remove fields restriction

* fix test

* also support email

* use Email as name for google'

* remove changed file

* show groups on dashboard

* fix test

* re-add accidentally removed code
 2020-07-22 11:28:53 -06:00
Caleb Doxsey
504197d83b
custom rego in databroker (#1124) 
* add support for sub policies

* add support for sub policies

* update authz rego policy to support sub policies
 2020-07-22 10:44:05 -06:00
Caleb Doxsey
858077b3b6
authorize: custom rego policies (#1123) 
* add support for custom rego policies

* add support for passing custom policies
 2020-07-21 12:09:26 -06:00