Modify the request 'Accept' header to behave more like a web browser,
and add an assertion to verify that Pomerium serves an HTML response for
the unauthorized error page.
Update the authentication flow integration test to verify that the
pomerium_identity_profile cookies are not present for the stateful
authentication flow.
Commit 08c186a contains a bug in the integration configuration template,
preventing the multi-stateless cluster from actually setting the
DEBUG_FORCE_AUTHENTICATE_FLOW environment variable. As a result this
cluster was not exercising the stateless authentication flow.
Fix the template so that this variable is applied as intended.
Add an integration test case to verify that the intended authentication
flow is in use: for the stateful flow, different routes should share the
same underlying session, but for the stateless flow, different routes
should receive different sessions.
Add an environment variable to allow forcing either the stateful or the
stateless authenticate flow.
Split the existing integration test clusters "single" and "multi" into
four new clusters: "single-stateful", "single-stateless",
"multi-stateful", and "multi-stateless", so that the integration tests
will run for both the stateful and the stateless authenticate flows.
(The "kubernetes" cluster is not currently being run, so I've left it
alone for now.)
An unused Redis TCP route was removed from the integration test
configuration template in commit bcddbff. Re-generate the test
configurations to incorporate this template change.
Add a utility for updating the integration test certificates. It takes
three file paths: the existing certificate, the CA certificate, and the
CA key. It will update the NotBefore and NotAfter timestamps and the
certificate signature, overwriting the existing certificate.
Example usage:
cd integration/tpl/files
go run renew-cert.go trusted.pem ca.pem ca-key.pem
Several of the integration test certificates expired today. Update these
so that they are valid for another 10 years. Also update several other
certificates that were due to expire tomorrow.
Update the integration test libsonnet templates to assign a fixed IP
address to the trusted-httpdetails service. This requires also assigning
a fixed IP subnet to the docker network.
Configure a route with a 'to' URL using https and this fixed IP address.
Add a corresponding certificate with the IP address. Finally, add a test
case that makes a request to this route.
Add an integration test case to verify properties of the Pomerium
attestation JWT:
- The 'iat' and 'exp' timestamps should be plain integers.
- The JWT should contain an issuer and audience claim.
- A JWT retrieved from the /.pomerium/jwt endpoint should contain all
the same data as a JWT from the X-Pomerium-Jwt-Assertion header.
Move downstream mTLS settings to a nested config file object, under the
key 'downstream_mtls', and add a new DownstreamMTLSSettings struct for
these settings.
Deprecate the existing ClientCA and ClientCAFile fields in the Options
struct, but continue to honor them for now (log a warning if either is
populated).
Delete the ClientCRL and ClientCRLFile fields entirely (in current
releases these cannot be set without causing an Envoy error, so this
should not be a breaking change).
Update the Settings proto to mirror this nested structure.
Update isValidClientCertificate() to also consult the configured
certificate revocation lists. Update existing test cases and add a new
unit test to exercise the revocation support. Restore the skipped
integration test case.
Generate new test certificates and CRLs using a new `go run`-able source
file.
Partially revert #4374: do not record the peerCertificateValidated()
result as reported by Envoy, as this does not work correctly for resumed
TLS sessions. Instead always record the certificate chain as presented
by the client. Remove the corresponding ClientCertificateInfo Validated
field, and update affected code accordingly. Skip the CRL integration
test case for now.
Update the integration test templates to add a new client certificate
issued by downstream-ca-1, along with a combined CRL that revokes it.
(Setting a CRL just from downstream-ca-1 doesn't appear to work, which
surprises me.) Add a test case to verify that access is not allowed when
using the revoked certificate.
If an authorization policy requires a client certificate, but an
incoming request does not include a valid certificate, we should serve a
deny error page right away, regardless of whether the user is
authenticated via the identity provider or not. Do not redirect to the
identity provider login page in this case.
Update the existing integration tests accordingly, and add a unit test
case for this scenario.
* integration test config: add downstream mTLS routes
Add two new CA certificates for use with downstream mTLS tests, and a
client certificate/key pair issued by each CA.
Add a few routes to the policy template that require a client CA. Update
the generated output configurations.
(based on commit ed63a6a6e7)
* add downstream mTLS integration test cases
These are modeled after the tests added to v0.17 in 83957a9, but here
the expected behavior is that requests with an invalid client
certificate will receive a 495 response only after authentication.
* integration: use postgres instead of redis for tests
* add missing environment variables for kubernetes
* fix certs
* use cert in generated files
* try new keys
* fix certs
* tls: fallback to self-signed certificate
* remove unknown domain because certs are no longer valid
* update multi-deployment to use service-specific certificates
* refactor backend, implement encrypted store
* refactor in-memory store
* wip
* wip
* wip
* add syncer test
* fix redis expiry
* fix linting issues
* fix test by skipping non-config records
* fix backoff import
* fix init issues
* fix query
* wait for initial sync before starting directory sync
* add type to SyncLatest
* add more log messages, fix deadlock in in-memory store, always return server version from SyncLatest
* update sync types and tests
* add redis tests
* skip macos in github actions
* add comments to proto
* split getBackend into separate methods
* handle errors in initVersion
* return different error for not found vs other errors in get
* use exponential backoff for redis transaction retry
* rename raw to result
* use context instead of close channel
* store type urls as constants in databroker
* use timestampb instead of ptypes
* fix group merging not waiting
* change locked names
* update GetAll to return latest record version
* add method to grpcutil to get the type url for a protobuf type
* add support for proxy protocol on HTTP listener (#1777)
* add support for proxy protocol on HTTP listener
* rename option, add doc
* reduce memory usage by handling http/2 coalescing via a lua script
* move script to file
* use wellknown
* fix integration test
- gofumpt everything
- fix TLS MinVersion to be at least 1.2
- add octal syntax
- remove newlines
- fix potential decompression bomb in ecjson
- remove implicit memory aliasing in for loops.
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
