3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-04-29 18:36:30 +02:00
Code Issues Projects Releases Packages Wiki Activity
3621 commits 156 branches 125 tags 103 MiB
Commit graph

74 commits

Author SHA1 Message Date
Joe Kralicky
fe31799eb5
Fix many instances of contexts and loggers not being propagated (#5340) 
This also replaces instances where we manually write "return ctx.Err()"
with "return context.Cause(ctx)" which is functionally identical, but
will also correctly propagate cause errors if present.
 2024-10-25 14:50:56 -04:00
Caleb Doxsey
52d4899d4c
core/proxy: support loading sessions from headers and query string (#5291) 
* core/proxy: support loading sessions from headers and query string

* update test
 2024-09-19 09:23:13 -06:00
Kenneth Jenkins
014824b525
proxy: deprecate the /.pomerium/jwt endpoint (#5254) 
Disable the /.pomerium/jwt endpoint by default. Add a runtime flag to
temporarily opt out of the deprecation.
 2024-09-04 11:22:18 -07:00
Caleb Doxsey
55eb2fa3dc
core/authorize: result denied improvements (#4952) 
* core/authorize: result denied improvements

* add authenticate robots.txt

* fix tests
 2024-02-01 16:16:33 -07:00
Caleb Doxsey
bbed421cd8
config: remove source, remove deadcode, fix linting issues (#4118) 
* remove source, remove deadcode, fix linting issues

* use github action for lint

* fix missing envoy
 2023-04-21 17:25:11 -06:00
Caleb Doxsey
753eeff12f
proxy: fix sign out redirect (#3827) 
* proxy: fix sign out redirect

* add test
 2022-12-20 09:32:49 -07:00
Caleb Doxsey
b375dc4896
jwt: require logged in user to return .pomerium/jwt (#3807) 
* jwt: require logged in user to return .pomerium/jwt

* fix test

* update test
 2022-12-13 13:49:36 -07:00
Caleb Doxsey
57217af7dd
authenticate: implement hpke-based login flow (#3779) 
* urlutil: add time validation functions

* authenticate: implement hpke-based login flow

* fix import cycle

* fix tests

* log error

* fix callback url

* add idp param

* fix test

* fix test
 2022-12-05 15:31:07 -07:00
Caleb Doxsey
fa26587f19
remove forward auth (#3628) 2022-11-23 15:59:28 -07:00
Caleb Doxsey
c1a522cd82
proxy: add userinfo and webauthn endpoints (#3755) 
* proxy: add userinfo and webauthn endpoints

* use TLD for RP id

* use EffectiveTLDPlusOne

* upgrade webauthn

* fix test

* Update internal/handlers/jwks.go

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
 2022-11-22 10:26:35 -07:00
Caleb Doxsey
63b210e51d
httputil: remove error details (#3703) 2022-10-25 08:00:21 -06:00
Caleb Doxsey
0ac7e45a21
atomicutil: use atomicutil.Value wherever possible (#3517) 
* atomicutil: use atomicutil.Value wherever possible

* fix test

* fix mux router
 2022-07-28 15:38:38 -06:00
Caleb Doxsey
46c4d5fa7e
session: remove unused session state properties (#3022) 
* fix error page

* share dashboard code

* sessions: remove unused session state properties

* remove programmatic

* remove version
 2022-02-09 10:59:06 -07:00
Caleb Doxsey
f9675f61cc
deps: upgrade to go-jose v3 (#2284) 2021-06-10 09:35:44 -06:00
wasaga
e0c09a0998
log context (#2107) 2021-04-22 10:58:13 -04:00
Travis Groth
c7d243d742
proxy: restrict programmatic URLs to localhost (#2049) 
Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
 2021-04-01 10:04:49 -04:00
bobby
c3e3ed9b50
authenticate: validate origin of signout (#1876) 
* authenticate: validate origin of signout

- add a debug task to kill envoy
- improve various function docs
- userinfo: return "error" page if user is logged out without redirect uri set
- remove front channel logout. There's little difference between it, and the signout function.

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2021-02-11 21:37:54 -08:00
Caleb Doxsey
cc85ea601d
policy: add new certificate-authority option for downstream mTLS client certificates (#1835) 
* policy: add new certificate-authority option for downstream mTLS client certificates

* update proto, docs
 2021-02-01 08:10:32 -07:00
bobby
f837c92741
dev: update linter (#1728) 
- gofumpt everything
- fix TLS MinVersion to be at least 1.2
- add octal syntax
- remove newlines
- fix potential decompression bomb in ecjson
- remove implicit memory aliasing in for loops.

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-12-30 09:02:57 -08:00
bobby
9b39deabd8
forward-auth: use envoy's ext_authz check (#1482) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-10-04 20:01:06 -07:00
Caleb Doxsey
852c96f22f
proxy: add support for /.pomerium/jwt (#1446) 2020-09-23 07:55:12 -06:00
bobby
c1b3b45d12
proxy: remove unused handlers (#1317) 
proxy: remove unused handlers

authenticate: remove unused references to refresh_token

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-08-22 10:02:12 -07:00
Caleb Doxsey
d9a224a5e8
proxy: move properties to atomically updated state (#1280) 
* authenticate: remove cookie options

* authenticate: remove shared key field

* authenticate: remove shared cipher property

* authenticate: move properties to separate state struct

* proxy: allow local state to be updated on configuration changes

* fix test

* return new connection

* use warn, collapse to single line

* address concerns, fix tests
 2020-08-14 11:44:58 -06:00
Caleb Doxsey
fbf5b403b9
config: allow dynamic configuration of cookie settings (#1267) 2020-08-13 08:11:34 -06:00
Caleb Doxsey
fae02791f5
cryptutil: move to pkg dir, add token generator (#1029) 
* cryptutil: move to pkg dir, add token generator

* add gitignored files

* add tests
 2020-06-30 15:55:33 -06:00
Caleb Doxsey
091b71f12e
grpc: rename internal/grpc to pkg/grpc (#1010) 
* grpc: rename internal/grpc to pkg/grpc

* don't ignore pkg dir

* remove debug line
 2020-06-26 09:17:02 -06:00
Caleb Doxsey
8362f18355
authenticate: move impersonate from proxy to authenticate (#965) 2020-06-22 11:58:27 -06:00
Caleb Doxsey
dbd7f55b20
feature/databroker: user data and session refactor project (#926) 
* databroker: add databroker, identity manager, update cache (#864)

* databroker: add databroker, identity manager, update cache

* fix cache tests

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* authorize: use databroker data for rego policy (#904)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix gitlab test

* use v4 backoff

* authenticate: databroker changes (#914)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix dashboard

* delete session on logout

* permanently delete sessions once they are marked as deleted

* remove permanent delete

* fix tests

* remove groups and refresh test

* databroker: remove dead code, rename cache url, move dashboard (#925)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix dashboard

* delete session on logout

* permanently delete sessions once they are marked as deleted

* remove permanent delete

* fix tests

* remove cache service

* remove kv

* remove refresh docs

* remove obsolete cache docs

* add databroker url option

* cache: use memberlist to detect multiple instances

* add databroker service url

* remove cache service

* remove kv

* remove refresh docs

* remove obsolete cache docs

* add databroker url option

* cache: use memberlist to detect multiple instances

* add databroker service url

* wip

* remove groups and refresh test

* fix redirect, signout

* remove databroker client from proxy

* remove unused method

* remove user dashboard test

* handle missing session ids

* session: reject sessions with no id

* sessions: invalidate old sessions via databroker server version (#930)

* session: add a version field tied to the databroker server version that can be used to invalidate sessions

* fix tests

* add log

* authenticate: create user record immediately, call "get" directly in authorize (#931)
 2020-06-19 07:52:44 -06:00
Travis Groth
99e788a9b4 envoy: Initial changes 2020-05-18 17:10:10 -04:00
Bobby DeSimone
8d1732582e
authorize: use jwt insead of state struct (#514) 
authenticate: unmarshal and verify state from jwt, instead of middleware
authorize: embed opa policy using statik
authorize: have IsAuthorized handle authorization for all routes
authorize: if no signing key is provided, one is generated
authorize: remove IsAdmin grpc endpoint
authorize/client: return authorize decision struct
cmd/pomerium: main logger no longer contains email and group
cryptutil: add ECDSA signing methods
dashboard: have impersonate form show up for all users, but have api gated by authz
docs: fix typo in signed jwt header
encoding/jws: remove unused es256 signer
frontend: namespace static web assets
internal/sessions: remove leeway to match authz policy
proxy:  move signing functionality to authz
proxy: remove jwt attestation from proxy (authZ does now)
proxy: remove non-signed headers from headers
proxy: remove special handling of x-forwarded-host
sessions: do not verify state in middleware
sessions: remove leeway from state to match authz
sessions/{all}: store jwt directly instead of state

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-03-10 11:19:26 -07:00
Bobby DeSimone
2f13488598
authorize: use opa for policy engine (#474) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-02-02 11:18:22 -08:00
Bobby DeSimone
dccc7cd2ff
cache : add cache service (#457) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-01-20 18:25:34 -08:00
Bobby DeSimone
ec029c679b
authenticate/proxy: add backend refresh (#438) 2019-12-30 10:47:54 -08:00
Bobby DeSimone
b3d3159185
httputil : wrap handlers for additional context (#413) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2019-12-06 11:07:45 -08:00
Bobby DeSimone
0f6a9d7f1d
proxy: fix forward auth, request signing 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2019-11-25 14:29:52 -08:00
Travis Groth
f3c62c10cc
Rename internal/config to config (#380) 2019-11-09 19:53:11 -05:00
Bobby DeSimone
b9ab49c32c
internal/sessions: fix cookie clear session (#376) 
CookieStore's ClearSession now properly clears the user session cookie by setting MaxAge to -1.

internal/sessions: move encoder interface to encoding package, and rename to MarshalUnmarshaler.
internal/encoding: move mock to own package
authenticate: use INFO log level for authZ error.

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2019-11-09 10:49:24 -08:00
Bobby DeSimone
d3d60d1055 all: support route scoped sessions 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2019-11-06 17:54:15 -08:00
Bobby DeSimone
7d7e997e79
proxy: verify endpoint strip added callback params (#368) 
- proxy: use distinct host route for forward-auth handlers
- proxy: have auth middleware set pomerium headers for request and response
 2019-10-15 15:36:00 -07:00
Bobby DeSimone
0e85b2b1cb
bug: fix forward-auth redirect (#364) 2019-10-13 11:09:30 -07:00
Bobby DeSimone
badd8d69af
internal/sessions: refactor how sessions loading (#351) 
These chagnes standardize how session loading is done for session
cookie, auth bearer token, and query params.

- Bearer token previously combined with session cookie.
- rearranged cookie-store to put exported methods above unexported
- added header store that implements session loader interface
- added query param store that implements session loader interface

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2019-10-06 10:47:53 -07:00
Bobby DeSimone
eaa1e7a4fb
proxy: support external access control requests (#324) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2019-10-03 21:22:44 -07:00
Bobby DeSimone
782ffbeb3e
proxy: use middleware to manage request flow 
proxy: remove duplicate error handling in New
proxy: remove routeConfigs in favor of using gorilla/mux
proxy: add proxy specific middleware
proxy: no longer need to use middleware / handler to check if valid route. Can use build in 404 mux.
internal/middleware: add cors bypass middleware

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2019-09-25 12:28:37 -07:00
Bobby DeSimone
7c755d833f
authenticate: encrypt & mac oauth2 callback state 
- cryptutil: add hmac & tests
- cryptutil: rename cipher / encoders to be more clear
- cryptutil: simplify SecureEncoder interface
- cryptutil: renamed NewCipherFromBase64 to NewAEADCipherFromBase64
- cryptutil: move key & random generators to helpers

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2019-09-23 19:15:52 -07:00
Bobby DeSimone
dc12947241
all: refactor handler logic 
- all: prefer `FormValues` to `ParseForm` with subsequent `Form.Get`s
- all: refactor authentication stack to be checked by middleware, and accessible via request context.
- all: replace http.ServeMux with gorilla/mux’s router
- all: replace custom CSRF checks with gorilla/csrf middleware
- authenticate: extract callback path as constant.
- internal/config: implement stringer interface for policy
- internal/cryptutil: add helper func `NewBase64Key`
- internal/cryptutil: rename `GenerateKey` to `NewKey`
- internal/cryptutil: rename `GenerateRandomString` to `NewRandomStringN`
- internal/middleware: removed alice in favor of gorilla/mux
- internal/sessions: remove unused `ValidateRedirectURI` and `ValidateClientSecret`
- internal/sessions: replace custom CSRF with gorilla/csrf fork that supports custom handler protection
- internal/urlutil: add `SignedRedirectURL` to create hmac'd URLs
- internal/urlutil: add `ValidateURL` helper to parse URL options
- internal/urlutil: add `GetAbsoluteURL` which takes a request and returns its absolute URL.
- proxy: remove holdover state verification checks; we no longer are setting sessions in any proxy routes so we don’t need them.
- proxy: replace un-named http.ServeMux with named domain routes.

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2019-09-16 18:01:14 -07:00
Bobby DeSimone
380d314404
authenticate: make service http only 
- Rename SessionState to State to avoid stutter.
- Simplified option validation to use a wrapper function for base64 secrets.
- Removed authenticates grpc code.
- Abstracted logic to load and validate a user's authenticate session.
- Removed instances of url.Parse in favor of urlutil's version.
- proxy: replaces grpc refresh logic with forced deadline advancement.
- internal/sessions: remove rest store; parse authorize header as part of session store.
- proxy: refactor request signer
- sessions: remove extend deadline (fixes #294)
- remove AuthenticateInternalAddr
- remove AuthenticateInternalAddrString
- omit type tag.Key from declaration of vars TagKey* it will be inferred
  from the right-hand side
- remove compatibility package xerrors
- use cloned http.DefaultTransport as base transport
 2019-09-04 16:27:08 -07:00
Bobby DeSimone
6e6ab3baa0
httputil: use http error wrapper 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2019-08-24 09:15:07 -07:00
Bobby DeSimone
a962877ad4
config: fix url type regression (#253) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2019-08-03 12:08:26 -07:00
Bobby DeSimone
b85f8de05f
development: use golangci-lint 2019-07-13 18:28:51 -07:00
Bobby DeSimone
7558d5b0de
internal/config: refactor option parsing 
- authorize: build whitelist from policy's URLs instead of strings.
- internal/httputil: merged httputil and https package.
- internal/config: merged config and policy packages.
- internal/metrics: removed unused measure struct.
- proxy/clients: refactor Addr fields to be urls.
- proxy: remove unused extend deadline function.
- proxy: use handler middleware for reverse proxy leg.
- proxy: change the way websocket requests are made (route based).

General improvements
- omitted value from range in several cases where for loop could be simplified.
- added error checking to many tests.
- standardize url parsing.
- remove unnecessary return statements.

- proxy: add self-signed certificate support. #179
- proxy: add skip tls certificate verification. #179
- proxy: Refactor websocket support to be route based. #204
 2019-07-07 09:39:31 -07:00