3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-05-30 09:27:19 +02:00
Code Issues Projects Releases Packages Wiki Activity
2359 commits 164 branches 127 tags 104 MiB
Commit graph

245 commits

Author SHA1 Message Date
Travis Groth
4fbbf28a16
config: fix ignored yaml fields (#1698) 2020-12-17 11:13:09 -05:00
Caleb Doxsey
ad828c6e84
add support for TCP routes (#1695) 2020-12-16 13:09:48 -07:00
bobby
5bbd745934
authorize: add signature algo support (RSA / EdDSA) (#1631) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-11-30 17:14:41 -08:00
bobby
652e8bb3d3
deps: update hashstructure v2 (#1632) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-11-30 16:53:21 -08:00
Caleb Doxsey
2d5690dde6
remove deprecated cache_service_url config option (#1614) 
* remove deprecated cache_service_url config option

* remove broken test

* update integration test config

* update nginx example

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>
 2020-11-23 14:57:29 -07:00
Philip Wassermann
85a5961e5e
authorize: add allow_any_authenticated_user policy (#1515) 2020-11-05 11:20:50 -07:00
Caleb Doxsey
ccdd1e5586
use custom default http transport (#1576) 
* use custom default http transport

* Update config/http.go

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Update config/http.go

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* return early

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
 2020-11-04 15:35:10 -07:00
Caleb Doxsey
153e438eb6
authorize: implement allowed_idp_claims (#1542) 
* add arbitrary claims to session

* add support for maps

* update flattened claims

* fix eol

* fix trailing whitespace

* fix tests
 2020-10-23 14:05:37 -06:00
Caleb Doxsey
04c582121d
add flag to enable user impersonation (#1514) 
* add flag to enable user impersonation

* fix typo
 2020-10-14 08:17:59 -06:00
Caleb Doxsey
6e385f800a
config: add support for host header rewriting (#1457) 
* config: add support for host header rewriting

* fix lint
 2020-09-25 09:36:39 -06:00
Caleb Doxsey
54d37e62e8
config: add dns_lookup_family option to customize DNS IP resolution (#1436) 2020-09-21 15:32:37 -06:00
Caleb Doxsey
4fb90fabe8
config: support explicit prefix and regex path rewriting (#1363) 
* config: support explicity prefix and regex path rewriting

* add rewrite tests
 2020-09-02 13:48:19 -06:00
Caleb Doxsey
a269441c34
proxy: disable control-plane robots.txt for public unauthenticated routes (#1361) 2020-09-02 07:56:15 -06:00
Cuong Manh Le
9de99d0211
all: add signout redirect url (#1324) 
Fixes #1213
 2020-08-25 01:23:58 +07:00
Caleb Doxsey
c4c8ef8e53
azure: support deriving credentials from client id, client secret and provider url (#1300) 2020-08-18 10:17:28 -06:00
Cuong Manh Le
6518aa6023 Upgrade zipkin-go to v0.2.3 
Test needs to be changed to use lowercase name, as required by zipkin
JSON API v2 spec.

See: https://github.com/openzipkin/zipkin-go/pull/166
 2020-08-17 16:48:50 +07:00
Cuong Manh Le
f356ff5581 config: add idp qps config 2020-08-14 09:50:49 +07:00
Caleb Doxsey
fbf5b403b9
config: allow dynamic configuration of cookie settings (#1267) 2020-08-13 08:11:34 -06:00
Cuong Manh Le
ddcfe7a5e9 config: do not test for exact route id 
Different go version can genearte different route id, due to the fact
that we are relying on xxhash.
 2020-08-12 22:20:50 +07:00
Caleb Doxsey
f822c9a5d2
config: allow reloading of telemetry settings (#1255) 
* metrics: support dynamic configuration settings

* add test

* trace: update configuration when settings change

* config: allow logging options to be configured when settings change

* envoy: allow changing log settings

* fix unexpected doc change

* fix tests

* pick a port at random

* update based on review
 2020-08-12 08:14:15 -06:00
Cuong Manh Le
0d611c2a40
config: warn if custom scopes set for builtin providers (#1252) 
* config: warn if custom scopes set for builtin providers

Fixes #1144

* config: make warn msg constant
 2020-08-11 23:23:34 +07:00
Caleb Doxsey
1285a9d91d
databroker: add support for config settings (#1253) 2020-08-11 07:50:19 -06:00
Travis Groth
fbb367d393
config: omit empty subpolicies in yaml/json (#1229) 2020-08-07 14:43:28 -04:00
Cuong Manh Le
f4a0e9e103 config: add more test cases for options 2020-08-07 23:03:00 +07:00
Cuong Manh Le
a4043eb049 config: add tests for policy 2020-08-07 23:03:00 +07:00
Travis Groth
6df65fe197
config: fix loading storage client cert from wrong location (#1212) 2020-08-05 12:50:10 -04:00
Cuong Manh Le
73abed0d21
all: update outdated comments about OptionsUpdater interface (#1207) 
In #1088, OptionsUpdater was removed, but current code still mention it.
This commit updates all comments which still mention about that
interface (authorize is exlcuded, and will be updated in #1206).
 2020-08-05 21:39:24 +07:00
Travis Groth
7a53e6bb42
proxy: add support for spdy upgrades (#1203) 2020-08-04 13:26:14 -04:00
Travis Groth
01d0f7de6e
config: additional kubernetes token source support (#1200) 2020-08-04 09:40:51 -04:00
Cuong Manh Le
bc61206b78
pkg/storage/redis: add redis TLS support (#1163) 
Fixes #1156
 2020-07-31 19:37:23 +07:00
Travis Groth
aab9ec413e
fix lint errors (#1171) 2020-07-31 00:00:06 -04:00
Travis Groth
aa8ba35332
config: default to google idp credentials for serverless (#1170) 2020-07-30 20:21:41 -04:00
Travis Groth
3c4513a91e
telmetry: add databroker storage metrics and tracing (#1161) 
* telmetry: add databroker storage metrics and tracing
 2020-07-30 18:19:23 -04:00
Cuong Manh Le
1640151bc1
databroker server backend config (#1127) 
* config,docs: add databroker storage backend configuration

* cache: allow configuring which backend storage to use

Currently supported types are "memory", "redis".
 2020-07-23 10:42:43 +07:00
Caleb Doxsey
504197d83b
custom rego in databroker (#1124) 
* add support for sub policies

* add support for sub policies

* update authz rego policy to support sub policies
 2020-07-22 10:44:05 -06:00
Travis Groth
75f2ed93ea
Set loopback address by ipv4 IP (#1116) 2020-07-20 22:31:48 -04:00
Caleb Doxsey
b79e73b8b8
config: add support for policies stored in the databroker (#1099) 
* wip

* always use databroker config source

* add test

* valid policy, remove debug lines
 2020-07-17 10:35:29 -06:00
Cuong Manh Le
821f2e9000
config: allow setting directory sync interval and timeout (#1098) 
Updates #567
 2020-07-17 23:11:27 +07:00
Caleb Doxsey
02b4e4b619
fix deep copy of config (#1089) 2020-07-17 10:42:24 +07:00
Caleb Doxsey
d3a7ee38be
options refactor (#1088) 
* refactor config loading

* wip

* move autocert to its own config source

* refactor options updaters

* fix stuttering

* fix autocert validate check
 2020-07-16 14:30:15 -06:00
Caleb Doxsey
96424dac0f
implement google cloud serverless authentication (#1080) 
* add google cloud serverless support

* force ipv4 for google cloud serverless

* disable long line linting

* fix destination hostname

* add test

* add support for service accounts

* fix utc time in test
 2020-07-16 08:25:14 -06:00
Dmitri Farkov
253addcad6
config: change certificates config key parsing to attempt Base64 decoding first. (#1055) 2020-07-15 21:15:57 +07:00
Caleb Doxsey
a70254ab76
kubernetes apiserver integration (#1063) 
* sessions: support bearer tokens in authorization

* wip

* remove dead code

* refactor signed jwt code

* use function

* update per comments

* fix test
 2020-07-14 08:33:24 -06:00
Caleb Doxsey
fae02791f5
cryptutil: move to pkg dir, add token generator (#1029) 
* cryptutil: move to pkg dir, add token generator

* add gitignored files

* add tests
 2020-06-30 15:55:33 -06:00
Cuong Manh Le
65150f2c3d
docs: document preserve_host_header with policy routes to static ip (#1024) 
Fixes #1012
 2020-06-30 14:26:08 +07:00
bobby
dbd1eac97f
identity: support custom code flow request params (#998) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-06-25 08:28:46 -07:00
Bobby DeSimone
1d1311a240 config: error if groups are used without service account 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-06-24 16:01:08 -07:00
bobby
452c9be06d
cache: remove unused metrics and options (#957) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-06-22 06:59:04 -07:00
Cuong Manh Le
8d0deb0732
config: add PassIdentityHeaders option (#903) 
Currently, user's identity headers are always inserted to downstream
request. For privacy reason, it would be better to not insert these
headers by default, and let user chose whether to include these headers
per=policy basis.

Fixes #702
 2020-06-22 10:29:44 +07:00
Caleb Doxsey
dbd7f55b20
feature/databroker: user data and session refactor project (#926) 
* databroker: add databroker, identity manager, update cache (#864)

* databroker: add databroker, identity manager, update cache

* fix cache tests

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* authorize: use databroker data for rego policy (#904)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix gitlab test

* use v4 backoff

* authenticate: databroker changes (#914)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix dashboard

* delete session on logout

* permanently delete sessions once they are marked as deleted

* remove permanent delete

* fix tests

* remove groups and refresh test

* databroker: remove dead code, rename cache url, move dashboard (#925)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix dashboard

* delete session on logout

* permanently delete sessions once they are marked as deleted

* remove permanent delete

* fix tests

* remove cache service

* remove kv

* remove refresh docs

* remove obsolete cache docs

* add databroker url option

* cache: use memberlist to detect multiple instances

* add databroker service url

* remove cache service

* remove kv

* remove refresh docs

* remove obsolete cache docs

* add databroker url option

* cache: use memberlist to detect multiple instances

* add databroker service url

* wip

* remove groups and refresh test

* fix redirect, signout

* remove databroker client from proxy

* remove unused method

* remove user dashboard test

* handle missing session ids

* session: reject sessions with no id

* sessions: invalidate old sessions via databroker server version (#930)

* session: add a version field tied to the databroker server version that can be used to invalidate sessions

* fix tests

* add log

* authenticate: create user record immediately, call "get" directly in authorize (#931)
 2020-06-19 07:52:44 -06:00