pomerium

mirror of https://github.com/pomerium/pomerium.git synced 2025-04-29 18:36:30 +02:00

Author	SHA1	Message	Date
Caleb Doxsey	bbec2cae9f	grpc: send client traffic through envoy (#2469 ) * wip * wip * handle wildcards in override name * remove wait for ready, add comment about sync, force initial sync complete in test * address comments	2021-08-16 16:12:22 -06:00
Caleb Doxsey	b1d62bb541	config: remove validate side effects (#2109 ) * config: default shared key * handle additional errors * update grpc addr and grpc insecure * update google cloud service authentication service account * fix set response headers * fix qps * fix test	2021-04-22 15:10:50 -06:00
Caleb Doxsey	3690a32855	config: use getters for authenticate, signout and forward auth urls (#2000 )	2021-03-19 14:49:25 -06:00
Caleb Doxsey	664358dfad	config: multiple endpoints for authorize and databroker (#1957 ) * wip * update docs * remove dead code	2021-03-03 09:53:19 -07:00
Caleb Doxsey	b7f0242090	authorize: remove admin (#1833 ) * authorize: remove admin * regen rego * add note to upgrading	2021-02-01 15:22:02 -07:00
Caleb Doxsey	70b4497595	databroker: rename cache service (#1790 ) * rename cache folder * rename cache service everywhere * skip yaml in examples * Update docs/docs/topics/data-storage.md Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com> Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>	2021-01-21 08:41:22 -07:00
bobby	f837c92741	dev: update linter (#1728 ) - gofumpt everything - fix TLS MinVersion to be at least 1.2 - add octal syntax - remove newlines - fix potential decompression bomb in ecjson - remove implicit memory aliasing in for loops. Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-12-30 09:02:57 -08:00
Caleb Doxsey	045c10edc6	authenticate: support reloading IDP settings (#1273 ) * identity: add name method to provider * authenticate: support dynamically loading the provider	2020-08-13 12:14:30 -06:00
Caleb Doxsey	fbf5b403b9	config: allow dynamic configuration of cookie settings (#1267 )	2020-08-13 08:11:34 -06:00
Caleb Doxsey	d3a7ee38be	options refactor (#1088 ) * refactor config loading * wip * move autocert to its own config source * refactor options updaters * fix stuttering * fix autocert validate check	2020-07-16 14:30:15 -06:00
Cuong Manh Le	17ba595ced	authenticate: support hot reloaded config (#984 ) By implementinng OptionsUpdater interface. Fixes #982	2020-06-24 00:18:20 +07:00
Cuong Manh Le	fb4dfaea44	authenticate: hide impersonation form from non-admin users (#979 ) Fixes #881	2020-06-23 22:09:33 +07:00
Caleb Doxsey	dbd7f55b20	feature/databroker: user data and session refactor project (#926 ) * databroker: add databroker, identity manager, update cache (#864) * databroker: add databroker, identity manager, update cache * fix cache tests * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * authorize: use databroker data for rego policy (#904) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix gitlab test * use v4 backoff * authenticate: databroker changes (#914) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix dashboard * delete session on logout * permanently delete sessions once they are marked as deleted * remove permanent delete * fix tests * remove groups and refresh test * databroker: remove dead code, rename cache url, move dashboard (#925) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix dashboard * delete session on logout * permanently delete sessions once they are marked as deleted * remove permanent delete * fix tests * remove cache service * remove kv * remove refresh docs * remove obsolete cache docs * add databroker url option * cache: use memberlist to detect multiple instances * add databroker service url * remove cache service * remove kv * remove refresh docs * remove obsolete cache docs * add databroker url option * cache: use memberlist to detect multiple instances * add databroker service url * wip * remove groups and refresh test * fix redirect, signout * remove databroker client from proxy * remove unused method * remove user dashboard test * handle missing session ids * session: reject sessions with no id * sessions: invalidate old sessions via databroker server version (#930) * session: add a version field tied to the databroker server version that can be used to invalidate sessions * fix tests * add log * authenticate: create user record immediately, call "get" directly in authorize (#931)	2020-06-19 07:52:44 -06:00
Caleb Doxsey	12d90a021c	authenticate: remove authorize url validate check (#790 ) * authenticate: remove authorize url validate check * fix test	2020-05-27 09:23:22 -06:00
Bobby DeSimone	9d7ef85687	authenticate: ensure authorize url is set (#760 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-05-26 10:44:20 -07:00
Bobby DeSimone	2d02f2dfa0	authenticate: add tests to signing endpoints (#759 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-05-22 14:21:24 -07:00
Bobby DeSimone	3f1faf2e9e	authenticate: add jwks and .well-known endpoint (#745 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-05-21 11:46:29 -07:00
Bobby DeSimone	666fd6aa35	authenticate: save oauth2 tokens to cache (#698 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-05-18 17:10:10 -04:00
Bobby DeSimone	5716113c2a	authenticate: make callback path configurable (#493 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-02-08 09:06:23 -08:00
Bobby DeSimone	dccc7cd2ff	cache : add cache service (#457 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-01-20 18:25:34 -08:00
Bobby DeSimone	ec029c679b	authenticate/proxy: add backend refresh (#438 )	2019-12-30 10:47:54 -08:00
Travis Groth	f3c62c10cc	Rename `internal/config` to `config` (#380 )	2019-11-09 19:53:11 -05:00
Bobby DeSimone	df822a4bae	all: support insecure mode - pomerium/authenticate: add cookie secure setting - internal/config: transport security validation moved to options - internal/config: certificate struct hydrated - internal/grpcutil: add grpc server mirroring http one - internal/grpcutil: move grpc middleware - cmd/pomerium: use run wrapper around main to pass back errors - cmd/pomerium: add waitgroup (block on) all servers http/grpc Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-10-02 18:44:19 -07:00
Travis Groth	251ab0d527	internal/config: Switch to using struct scoped viper instance (#332 ) * Switch to using struct scoped viper instance * Rename NewXXXOptions * Handle unchecked errors from viper.BindEnv	2019-10-01 18:16:36 -04:00
Bobby DeSimone	a962877ad4	config: fix url type regression (#253 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-08-03 12:08:26 -07:00
Bobby DeSimone	2c1953b0ec	internal/config: pass urls by value Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-08-02 15:46:18 -07:00
Bobby DeSimone	b85f8de05f	development: use golangci-lint	2019-07-13 18:28:51 -07:00
Bobby DeSimone	7558d5b0de	internal/config: refactor option parsing - authorize: build whitelist from policy's URLs instead of strings. - internal/httputil: merged httputil and https package. - internal/config: merged config and policy packages. - internal/metrics: removed unused measure struct. - proxy/clients: refactor Addr fields to be urls. - proxy: remove unused extend deadline function. - proxy: use handler middleware for reverse proxy leg. - proxy: change the way websocket requests are made (route based). General improvements - omitted value from range in several cases where for loop could be simplified. - added error checking to many tests. - standardize url parsing. - remove unnecessary return statements. - proxy: add self-signed certificate support. #179 - proxy: add skip tls certificate verification. #179 - proxy: Refactor websocket support to be route based. #204	2019-07-07 09:39:31 -07:00
Travis Groth	64eb992854	Protect Options from being mutated by services - Change Options URLs from pointers to values - Remove special handling for AuthenticateURL checksum - Change Options itself to a value	2019-06-04 22:47:07 -04:00
Bobby DeSimone	7487de94df	authenticate: catch missing required setting (#149 )	2019-05-30 14:20:28 -07:00
Bobby DeSimone	3eff6cce13	internal/sessions: make user state domain scoped internal/sessions: session state is domain scoped internal/sessions: infer csrf cookie, route scoped proxy & authenticate: use shared cookie name proxy & authenticate: prevent resaving unchanged session proxy & authenticate: redirect instead of error for no session on login internal/config: merge cookies proxy: remove favicon specific route proxy: use mock server for tests proxy: add tests for failures	2019-05-20 20:44:05 -07:00
Travis Groth	ebb6df6c3f	Refactor to central options struct and parsing	2019-05-18 08:17:36 -04:00
Bobby DeSimone	603e6a17b9	authenticate: infer settings from authenticate url (#83 )	2019-04-10 12:16:00 -07:00
Bobby DeSimone	c13459bb88	authorize: add authorization (#59 ) * authorize: authorization module adds support for per-route access policy. In this release we support the most common forms of identity based access policy: `allowed_users`, `allowed_groups`, and `allowed_domains`. In future versions, the authorization module will also support context and device based authorization policy and decisions. See website documentation for more details. * docs: updated `env.example` to include a `POLICY` setting example. * docs: added `IDP_SERVICE_ACCOUNT` to `env.example` . * docs: removed `PROXY_ROOT_DOMAIN` settings which has been replaced by `POLICY`. * all: removed `ALLOWED_DOMAINS` settings which has been replaced by `POLICY`. Authorization is now handled by the authorization service and is defined in the policy configuration files. * proxy: `ROUTES` settings which has been replaced by `POLICY`. * internal/log: `http.Server` and `httputil.NewSingleHostReverseProxy` now uses pomerium's logging package instead of the standard library's built in one. Closes #54 Closes #41 Closes #61 Closes #58	2019-03-07 12:47:07 -08:00
Bobby DeSimone	1187be2bf3	authenticator: support groups (#57 ) - authenticate/providers: add group support to azure - authenticate/providers: add group support to google - authenticate/providers: add group support to okta - authenticate/providers: add group support to onelogin - {authenticate/proxy}: change default cookie lifetime timeout to 14 hours - proxy: sign group membership - proxy: add group header - deployment: add CHANGELOG - deployment: fix where make release wasn’t including version	2019-02-28 19:34:22 -08:00
Bobby DeSimone	dbafc691c3	all: general cleanup readying for tagged release (#48 ) - docs: add code coverage to readme - internal/sessions: refactor sessions to clarify lifetime - authenticate: simplified signin flow - deployment: update go mods - internal/testutil: removed package - internal/singleflight: removed package	2019-02-16 12:43:18 -08:00
Bobby DeSimone	c886b924e7	authenticate: use gRPC for service endpoints (#39 ) * authenticate: set cookie secure as default. * authenticate: remove single flight provider. * authenticate/providers: Rename “ProviderData” to “IdentityProvider” * authenticate/providers: Fixed an issue where scopes were not being overwritten * proxy/authenticate : http client code removed. * proxy: standardized session variable names between services. * docs: change basic docker-config to be an “all-in-one” example with no nginx load. * docs: nginx balanced docker compose example with intra-ingress settings. * license: attribution for adaptation of goji’s middleware pattern.	2019-02-08 10:10:38 -08:00
Bobby	074bc0e63c	cmd/promerium : support TLS configuration from environmental variables (#12 ) * Add ability to set TLS configuration from environmental variables. * Add support for enabling debug mode from environmental variables.	2019-01-15 15:24:05 -08:00
bdd	56c89e8653	Improve test coverage. (#8 ) * Improve test coverage. * Remove unused http status code argument from SignInPageMethod. * Removed log package in internal packages. * Add test to check https scheme is used for authorization url. * Add unit tests for global logging package.	2019-01-11 13:49:28 -10:00
Bobby DeSimone	90ab756de1	Added gif to the readme. Simplified, and de-duplicated many of the configuration settings. Removed configuration settings that could be deduced from other settings. Added some basic documentation. Removed the (duplicate?) user email domain validation check in proxy. Removed the ClientID middleware check. Added a shared key option to be used as a PSK instead of using the IDPs ClientID and ClientSecret. Removed the CookieSecure setting as we only support secure. Added a letsencrypt script to generate a wildcard certificate. Removed the argument in proxy's constructor that allowed arbitrary fucntions to be passed in as validators. Updated proxy's authenticator client to match the server implementation of just using a PSK. Moved debug-mode logging into the log package. Removed unused approval prompt setting. Fixed a bug where identity provider urls were hardcoded. Removed a bunch of unit tests. There have been so many changes many of these tests don't make sense and will need to be re-thought.	2019-01-04 18:25:03 -08:00
Bobby DeSimone	d56c889224	initial release	2019-01-02 12:13:36 -08:00

41 commits