pomerium

mirror of https://github.com/pomerium/pomerium.git synced 2025-05-01 03:16:31 +02:00

Author	SHA1	Message	Date
bobby	c3e3ed9b50	authenticate: validate origin of signout (#1876 ) * authenticate: validate origin of signout - add a debug task to kill envoy - improve various function docs - userinfo: return "error" page if user is logged out without redirect uri set - remove front channel logout. There's little difference between it, and the signout function. Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2021-02-11 21:37:54 -08:00
bobby	6466efddd5	authenticate: update user info screens (#1774 ) - rename "dashboard" to userinfo to avoid confusion - don't leak version from error page. - fix typo in state.go - make statik determenistic on modtime Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2021-01-13 13:15:31 -08:00
Caleb Doxsey	ab4a68f56f	remove user impersonation and service account cli (#1768 ) * remove user impersonation and service account cli * update doc * remove user impersonation url query params * fix flaky test	2021-01-12 09:28:29 -07:00
Caleb Doxsey	4d3d61eaeb	unimpersonate button (#1700 ) * add Unimpersonate button when impersonating * update statik	2020-12-17 16:38:23 -07:00
Caleb Doxsey	b121e436f3	fix profile image on dashboard (#1637 )	2020-12-01 07:58:01 -07:00
Caleb Doxsey	10b5c5ca0e	fix querying claim data on the dashboard (#1560 )	2020-10-29 10:49:02 -06:00
bobby	5cc65adc48	internal/frontend: resolve authN helper url (#1521 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-10-18 17:11:47 -07:00
Caleb Doxsey	04c582121d	add flag to enable user impersonation (#1514 ) * add flag to enable user impersonation * fix typo	2020-10-14 08:17:59 -06:00
Caleb Doxsey	2864859252	dashboard: format timestamps (#1468 ) * format timestamps * fix test	2020-09-28 16:00:42 -06:00
bobby	0c60a9404e	httputil: remove retry button (#1438 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-09-22 07:53:53 -07:00
bobby	05d9fbb4b3	Desimone/authenticate default logout (#1390 ) * authenticate: fix unset post_logout_redirect_uri * don't show url if does not exist Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-09-09 11:53:12 -07:00
Caleb Doxsey	1ad243dfd1	directory.Group entry for groups (#1118 ) * store directory groups separate from directory users * fix group lookup, azure display name * remove fields restriction * fix test * also support email * use Email as name for google' * remove changed file * show groups on dashboard * fix test * re-add accidentally removed code	2020-07-22 11:28:53 -06:00
Cuong Manh Le	9dae633fe5	internal/frontend/assets/html: make timestamp human readable (#1107 ) Since we switch to use databroker, time in template is now protobuf timestamp instead of time.Time, that causes it appears in raw form instead of human-readable format. Fix this by converting protobuf timestamp to time.Time in template. There's still a breaking change, though. The time will now appears in UTC instead of local time. Fixes #1100	2020-07-20 13:35:57 +07:00
Cuong Manh Le	fb4dfaea44	authenticate: hide impersonation form from non-admin users (#979 ) Fixes #881	2020-06-23 22:09:33 +07:00
Caleb Doxsey	8362f18355	authenticate: move impersonate from proxy to authenticate (#965 )	2020-06-22 11:58:27 -06:00
Caleb Doxsey	dbd7f55b20	feature/databroker: user data and session refactor project (#926 ) * databroker: add databroker, identity manager, update cache (#864) * databroker: add databroker, identity manager, update cache * fix cache tests * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * authorize: use databroker data for rego policy (#904) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix gitlab test * use v4 backoff * authenticate: databroker changes (#914) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix dashboard * delete session on logout * permanently delete sessions once they are marked as deleted * remove permanent delete * fix tests * remove groups and refresh test * databroker: remove dead code, rename cache url, move dashboard (#925) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix dashboard * delete session on logout * permanently delete sessions once they are marked as deleted * remove permanent delete * fix tests * remove cache service * remove kv * remove refresh docs * remove obsolete cache docs * add databroker url option * cache: use memberlist to detect multiple instances * add databroker service url * remove cache service * remove kv * remove refresh docs * remove obsolete cache docs * add databroker url option * cache: use memberlist to detect multiple instances * add databroker service url * wip * remove groups and refresh test * fix redirect, signout * remove databroker client from proxy * remove unused method * remove user dashboard test * handle missing session ids * session: reject sessions with no id * sessions: invalidate old sessions via databroker server version (#930) * session: add a version field tied to the databroker server version that can be used to invalidate sessions * fix tests * add log * authenticate: create user record immediately, call "get" directly in authorize (#931)	2020-06-19 07:52:44 -06:00
Caleb Doxsey	7b96d2de66	dashboard: inline svgs + css for better forward auth (#771 )	2020-05-25 11:12:40 -06:00
Bobby DeSimone	4c5d2d8020	bug: fix group impersonation (#569 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-03-27 09:46:08 -07:00
Bobby DeSimone	8d1732582e	authorize: use jwt insead of state struct (#514 ) authenticate: unmarshal and verify state from jwt, instead of middleware authorize: embed opa policy using statik authorize: have IsAuthorized handle authorization for all routes authorize: if no signing key is provided, one is generated authorize: remove IsAdmin grpc endpoint authorize/client: return authorize decision struct cmd/pomerium: main logger no longer contains email and group cryptutil: add ECDSA signing methods dashboard: have impersonate form show up for all users, but have api gated by authz docs: fix typo in signed jwt header encoding/jws: remove unused es256 signer frontend: namespace static web assets internal/sessions: remove leeway to match authz policy proxy: move signing functionality to authz proxy: remove jwt attestation from proxy (authZ does now) proxy: remove non-signed headers from headers proxy: remove special handling of x-forwarded-host sessions: do not verify state in middleware sessions: remove leeway from state to match authz sessions/{all}: store jwt directly instead of state Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-03-10 11:19:26 -07:00
Bobby DeSimone	b3d3159185	httputil : wrap handlers for additional context (#413 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-12-06 11:07:45 -08:00
Bobby DeSimone	74cd9eabbb	authenticate: fix impersonation getting cleared (#411 )	2019-11-30 10:54:32 -08:00
Bobby DeSimone	ebee64b70b	internal/frontend : serve static assets (#392 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-11-22 17:46:01 -08:00

22 commits