Commit graph

618 commits

Author SHA1 Message Date
Travis Groth
1f1e63a75b
telemetry/tracing: Add Zipkin tracing support (#723) 2020-05-18 21:57:13 -04:00
Caleb Doxsey
14c27974b9
envoy: enable TLS verification for internal services (#726) 2020-05-18 19:22:50 -06:00
Caleb Doxsey
e854cfe83b
envoy: implement policy TLS options (#724)
* envoy: implement policy TLS options

* fix tests

* log which CAs are being used
2020-05-18 16:52:51 -06:00
Bobby DeSimone
666fd6aa35
authenticate: save oauth2 tokens to cache (#698)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-05-18 17:10:10 -04:00
Travis Groth
d514ec2ecf
Proxy envoy metrics through control plane prometheus endpoint (#709)
* Proxy metrics requests to envoy control plane
2020-05-18 17:10:10 -04:00
Caleb Doxsey
1bee3b0df9
envoy: fix sni/hostname mismatched routing for http2 connection coalescing (#703) 2020-05-18 17:10:10 -04:00
Travis Groth
65bb1501fd
deployment: Envoy cross platform improvements (#701)
* Share processgroup on all platforms

* Fix cross platform release handling
2020-05-18 17:10:10 -04:00
Caleb Doxsey
dccec1e646
envoy: support autocert (#695)
* envoy: support autocert

* envoy: fallback to http host routing if sni fails to match

* update comment

* envoy: renew certs when necessary

* fix tests
2020-05-18 17:10:10 -04:00
Travis Groth
0c1ac5a575
Return an error regardless of envoy's exit status (#694) 2020-05-18 17:10:10 -04:00
Travis Groth
f5a9bad3d6
enable ipv6 grpc routing (#692) 2020-05-18 17:10:10 -04:00
Caleb Doxsey
41855e5419
envoy: use envoy request id for logging across systems with http and gRPC (#691) 2020-05-18 17:10:10 -04:00
Caleb Doxsey
593c47f8ac
proxy: remove pomerium cookie and authorization from upstream requests (#687)
* proxy: remove pomerium cookie and authorization from upstream requests

* fix typo
2020-05-18 17:10:10 -04:00
Caleb Doxsey
352c2b851b
envoy: add separate proxy log level option (#689) 2020-05-18 17:10:10 -04:00
Caleb Doxsey
af649d3eb0
envoy: implement header and query param session loading (#684)
* authorize: refactor session loading, implement headers and query params

* authorize: fix http recorder header, use constant for pomerium authorization header

* fix compile

* remove dead code
2020-05-18 17:10:10 -04:00
Caleb Doxsey
0d9a372182
envoy: implement refresh session (#674)
* authorize: refresh session WIP

* remove upstream cookie with lua

* only refresh session on expired

* authorize: handle session expiration

* authorize: add refresh test, fix isExpired check

* proxy: implement preserve host header option

* authorize: allow CORS preflight requests

* proxy: add request headers

* authenticate: use id token expiry
2020-05-18 17:10:10 -04:00
Caleb Doxsey
ae3049baca
envoy: implement set_request_headers (#673)
* proxy: implement preserve host header option

* authorize: allow CORS preflight requests

* proxy: add request headers
2020-05-18 17:10:10 -04:00
Caleb Doxsey
98d2f194a0
authorize: allow CORS preflight requests (#672)
* proxy: implement preserve host header option

* authorize: allow CORS preflight requests
2020-05-18 17:10:10 -04:00
Caleb Doxsey
d92ee8d2a0
proxy: implement preserve host header option (#671) 2020-05-18 17:10:10 -04:00
Caleb Doxsey
3879fe2f2a
proxy: add websocket support (#670) 2020-05-18 17:10:10 -04:00
Caleb Doxsey
02615b8b6c
Merge remote-tracking branch 'origin/master' into feature/envoy 2020-05-18 17:10:10 -04:00
Travis Groth
99e788a9b4
envoy: Initial changes 2020-05-18 17:10:10 -04:00
Bobby DeSimone
bf9a6f5e97
cryptutil: add automatic certificate management (#644)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-05-05 12:50:19 -07:00
Bobby DeSimone
f7ee08b05a
session: remove audience check (#640)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-04-29 15:30:47 -07:00
Bobby DeSimone
18993c4293
github: fix nil pointer error (#637)
- fixes an issue where defer clear session would not be called

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-04-28 07:56:42 -07:00
Ogundele Olumide
5f0c13767b
improvement: update gitlab api scope (#630) 2020-04-23 13:26:25 -07:00
Bobby DeSimone
627a591824
identity: abstract identity providers by type (#560)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-04-23 10:36:24 -07:00
Ogundele Olumide
75f4dadad6
identity/provider: implement generic revoke method (#595)
Co-authored-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-04-21 14:40:33 -07:00
Ogundele Olumide
53fd215148
fix retrieve group error: (#614)
- remove hardcoded gitlab provider url
- update the gitlab identity provider documentation
2020-04-16 11:51:03 -07:00
Ogundele Olumide
ae4204d42b
internal/identity: implement github provider support (#582)
Co-authored-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-04-10 10:48:14 -07:00
Bobby DeSimone
8111a3d1b5
grpcutil: remove unused pkg (#593)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-04-08 15:10:48 -07:00
Ogundele Olumide
3c6431e5bc
change gitlab group unique identifier from name to ID (#571) 2020-03-28 12:45:24 -07:00
Bobby DeSimone
4c5d2d8020
bug: fix group impersonation (#569)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-03-27 09:46:08 -07:00
İlker Göktuğ Öztürk
297b0fd6c7
docs: fix typo (#566) 2020-03-26 11:55:55 -07:00
Travis Groth
799d1ad162
Use Host:port for JWT audience generation
Signed-off-by: Travis Groth <travisgroth@users.noreply.github.com> (#562)
2020-03-25 22:15:15 -04:00
Travis Groth
cc504362e4
Add storage metrics (#554)
* Add cache storage metrics

- autocache client metrics
- autocache server metrics
- boltdb metrics
- redis client metrics
- refactor metrics registry to be general purpose
2020-03-23 22:07:48 -04:00
Bobby DeSimone
c23db546fa
authorization: log audience claim failure (#553)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-03-22 12:06:25 -07:00
Bobby DeSimone
4491d1b0e9
sessions: sign-out bug fixes #530 (#544)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-03-19 18:43:43 -07:00
Ogundele Olumide
3dd9188004
feat: gitlab oidc/ oauth provider (#518)
- implement gitlab oauth support
- add documentation for the gitlab support
2020-03-16 19:58:49 -07:00
Bobby DeSimone
ba14ea246d
*: remove import path comments (#545)
- import path comments are obsoleted by the go.mod file's module statement

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-03-16 10:13:47 -07:00
Bobby DeSimone
6f4b26abe2
identity: support oidc UserInfo Response (#529)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-03-12 20:56:40 -07:00
Bobby DeSimone
8d1732582e
authorize: use jwt instead of state struct (#514)
authenticate: unmarshal and verify state from jwt, instead of middleware
authorize: embed opa policy using statik
authorize: have IsAuthorized handle authorization for all routes
authorize: if no signing key is provided, one is generated
authorize: remove IsAdmin grpc endpoint
authorize/client: return authorize decision struct
cmd/pomerium: main logger no longer contains email and group
cryptutil: add ECDSA signing methods
dashboard: have impersonate form show up for all users, but have api gated by authz
docs: fix typo in signed jwt header
encoding/jws: remove unused es256 signer
frontend: namespace static web assets
internal/sessions: remove leeway to match authz policy
proxy: move signing functionality to authz
proxy: remove jwt attestation from proxy (authZ does now)
proxy: remove non-signed headers from headers
proxy: remove special handling of x-forwarded-host
sessions: do not verify state in middleware
sessions: remove leeway from state to match authz
sessions/{all}: store jwt directly instead of state

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-03-10 11:19:26 -07:00
Bobby DeSimone
855860136c
dependency: use go mod versioned redis (#528)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-03-08 10:48:53 -07:00
Travis Groth
e666306ef8
Remove superfluous Options.Checksum type conversions (#522) 2020-03-06 17:59:26 -05:00
Travis Groth
87d3d8c798
Ensure service name is passed to grpc metrics handlers (#510) 2020-02-21 06:25:43 -05:00
Travis Groth
3654f44384
config: Expose and set default GRPC Server Keepalive Parameters (#509) 2020-02-19 21:21:28 -05:00
Bobby DeSimone
2f13488598
authorize: use opa for policy engine (#474)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-02-02 11:18:22 -08:00
Bobby DeSimone
06433e0d53
internal/cryptutil: standardize leeway to 5 mins (#476)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-02-01 09:32:43 -08:00
Bobby DeSimone
e82477ea5c
deployment: throw away golanglint-ci defaults (#439)
* deployment: throw away golanglint-ci defaults

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-01-26 12:33:45 -08:00
Bobby DeSimone
8956bf4411
proxy: add preserve host header (#463)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-01-22 21:03:22 -08:00
Bobby DeSimone
dccc7cd2ff
cache : add cache service (#457)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-01-20 18:25:34 -08:00