3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-05-02 11:56:02 +02:00
Code Issues Projects Releases Packages Wiki Activity
1228 commits 158 branches 125 tags 103 MiB
Commit graph

17 commits

Author SHA1 Message Date
Caleb Doxsey
4eec2ed1d5
evaluator: use impersonate groups if impersonate email is set (#1701) 2020-12-21 08:47:12 -08:00
Caleb Doxsey
ad828c6e84
add support for TCP routes (#1695) 2020-12-16 13:09:48 -07:00
Philip Wassermann
85a5961e5e
authorize: add allow_any_authenticated_user policy (#1515) 2020-11-05 11:20:50 -07:00
Caleb Doxsey
153e438eb6
authorize: implement allowed_idp_claims (#1542) 
* add arbitrary claims to session

* add support for maps

* update flattened claims

* fix eol

* fix trailing whitespace

* fix tests
 2020-10-23 14:05:37 -06:00
Caleb Doxsey
1ad243dfd1
directory.Group entry for groups (#1118) 
* store directory groups separate from directory users

* fix group lookup, azure display name

* remove fields restriction

* fix test

* also support email

* use Email as name for google'

* remove changed file

* show groups on dashboard

* fix test

* re-add accidentally removed code
 2020-07-22 11:28:53 -06:00
Caleb Doxsey
504197d83b
custom rego in databroker (#1124) 
* add support for sub policies

* add support for sub policies

* update authz rego policy to support sub policies
 2020-07-22 10:44:05 -06:00
Cuong Manh Le
408f201d16
authorize/evaluator/opa/policy: fix allow rules with impersonate (#1094) 
Currently, with impersonated request, the real user email/group still
has effects.

Example:

	data.route_policies as [{
	    "source": "example.com",
	    "allowed_users": ["x@example.com"]
	}] with
	input.databroker_data as {
	    "session": {
	        "user_id": "user1"
	    },
	    "user": {
	        "email": "x@example.com"
	    }
	} with
	input.http as { "url": "http://example.com" } with
	input.session as { "id": "session1", "impersonate_email": "y@example.com" }

Here user "x@example.com" is allowed, but was impersonated as
"y@example.com". As the rules indicated, the request must be denied,
because it only allows "x@example.com", not "y@example.com". The current
bug causes the request is still allowed.

To fix it, when evaluates rules for allowed email/group/domain, we must checking
that the impersonate email/groups is not set/empty.

Fixes #1091
 2020-07-17 22:07:11 +07:00
Caleb Doxsey
3ad8cbf4ec
authorize: avoid serializing databroker data map to improve performance (#995) 2020-06-24 14:00:08 -06:00
Caleb Doxsey
dbd7f55b20
feature/databroker: user data and session refactor project (#926) 
* databroker: add databroker, identity manager, update cache (#864)

* databroker: add databroker, identity manager, update cache

* fix cache tests

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* authorize: use databroker data for rego policy (#904)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix gitlab test

* use v4 backoff

* authenticate: databroker changes (#914)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix dashboard

* delete session on logout

* permanently delete sessions once they are marked as deleted

* remove permanent delete

* fix tests

* remove groups and refresh test

* databroker: remove dead code, rename cache url, move dashboard (#925)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix dashboard

* delete session on logout

* permanently delete sessions once they are marked as deleted

* remove permanent delete

* fix tests

* remove cache service

* remove kv

* remove refresh docs

* remove obsolete cache docs

* add databroker url option

* cache: use memberlist to detect multiple instances

* add databroker service url

* remove cache service

* remove kv

* remove refresh docs

* remove obsolete cache docs

* add databroker url option

* cache: use memberlist to detect multiple instances

* add databroker service url

* wip

* remove groups and refresh test

* fix redirect, signout

* remove databroker client from proxy

* remove unused method

* remove user dashboard test

* handle missing session ids

* session: reject sessions with no id

* sessions: invalidate old sessions via databroker server version (#930)

* session: add a version field tied to the databroker server version that can be used to invalidate sessions

* fix tests

* add log

* authenticate: create user record immediately, call "get" directly in authorize (#931)
 2020-06-19 07:52:44 -06:00
Caleb Doxsey
98d2f194a0 authorize: allow CORS preflight requests (#672) 
* proxy: implement preserve host header option

* authorize: allow CORS preflight requests
 2020-05-18 17:10:10 -04:00
Caleb Doxsey
b1d3bbaf56
authorize: add support for .pomerium and unauthenticated routes (#639) 
* authorize: add support for .pomerium and unauthenticated routes
integration-tests: add test for forward auth dashboard urls

* proxy: fix ctx error test to return a 200 when authorize allows it
 2020-04-29 10:55:46 -06:00
Caleb Doxsey
ea1c6efc24 authorize: fix domain check bug, rewrite url for forward auth, add dev script 2020-04-20 18:24:48 -06:00
Caleb Doxsey
a1424a54d0 authorize: more tests 2020-04-20 18:24:36 -06:00
Caleb Doxsey
19053c8f06 proxy: add additional tests for trailing slash 2020-04-20 18:24:36 -06:00
Caleb Doxsey
85a1a6d013 authorize,proxy: remove support for paths within the from parameter 2020-04-20 18:24:36 -06:00
Caleb Doxsey
903a2d401f authorize: fix indentation 2020-04-20 18:24:11 -06:00
Caleb Doxsey
428dee99c4 authorize: update opa rego to support additional policy properties 2020-04-20 18:24:11 -06:00