3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-05-05 05:16:04 +02:00
Code Issues Projects Releases Packages Wiki Activity
2883 commits 159 branches 125 tags 104 MiB
Commit graph

123 commits

Author SHA1 Message Date
Kenneth Jenkins
6df4fba832
authorize: populate issuer even when policy is nil (#4211) 2023-05-30 17:07:27 -07:00
Caleb Doxsey
d315e68335
Merge pull request from GHSA-pvrc-wvj2-f59p 
* authorize: use route id from envoy for policy evaluation

* authorize: normalize URL query params

* config: enable envoy normalize_path option

* fix tests

---------

Co-authored-by: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com>
 2023-05-26 13:34:21 -07:00
Caleb Doxsey
18bc86d632
config: add support for wildcard from addresses (#4131) 
* config: add support for wildcards

* update policy matching, header generation

* remove deprecated field

* fix test
 2023-04-25 13:34:38 -06:00
Caleb Doxsey
bbed421cd8
config: remove source, remove deadcode, fix linting issues (#4118) 
* remove source, remove deadcode, fix linting issues

* use github action for lint

* fix missing envoy
 2023-04-21 17:25:11 -06:00
Caleb Doxsey
1dee325b72
authorize: move sign out and jwks urls to route, update issuer for JWT (#4046) 
* authorize: move sign out and jwks urls to route, update issuer for JWT

* fix test
 2023-03-08 12:40:15 -07:00
Caleb Doxsey
3e892a8533
options: support multiple signing keys (#3828) 
* options: support multiple signing keys

* fix controlplane method, errors
 2022-12-22 09:31:09 -07:00
Caleb Doxsey
1848a9737f
upgrade to golang-lru v2 (#3771) 2022-12-02 09:25:52 -07:00
Caleb Doxsey
02df20f10a
authorize: performance improvements (#3723) 2022-11-04 17:09:52 -06:00
Denis Mishin
a3cfe8fa42
keep trace span context (#3724) 2022-11-04 17:52:13 -04:00
Caleb Doxsey
c178819875
move directory providers (#3633) 
* remove directory providers and support for groups

* idp: remove directory providers

* better error messages

* fix errors

* restore postgres

* fix test
 2022-11-03 11:33:56 -06:00
dependabot[bot]
ec495bb682
chore(deps): bump github.com/golangci/golangci-lint from 1.48.0 to 1.50.0 (#3667) 
* chore(deps): bump github.com/golangci/golangci-lint

Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.48.0 to 1.50.0.
- [Release notes](https://github.com/golangci/golangci-lint/releases)
- [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md)
- [Commits](https://github.com/golangci/golangci-lint/compare/v1.48.0...v1.50.0)

---
updated-dependencies:
- dependency-name: github.com/golangci/golangci-lint
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* lint

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
 2022-10-19 09:36:59 -06:00
Caleb Doxsey
47e3176ea4
authorize: enforce service account expiration (#3661) 2022-10-13 09:28:42 -06:00
Caleb Doxsey
3c63b6c028
authorize: add policy error details for custom error messages (#3542) 
* authorize: add policy error details for custom error messages

* remove fmt.Println

* fix tests

* add docs
 2022-08-09 14:46:31 -06:00
Caleb Doxsey
f61e7efe73
authorize: use query instead of sync for databroker data (#3377) 2022-06-01 15:40:07 -06:00
Caleb Doxsey
c19048649a
authorize: add support for cidr lookups (#3277) 2022-04-19 16:18:34 -06:00
Caleb Doxsey
d299b42509
authorize: add name claim (#3238) 2022-04-05 12:08:00 -06:00
Caleb Doxsey
a0e64b1cf9
authorize: add request IP to rego evaluation (#3107) 2022-03-07 15:07:58 -07:00
Caleb Doxsey
99b9a3ee12
authorize: add support for passing access or id token upstream (#3047) 
* authorize: add support for passing access or id token upstream

* use an enum
 2022-02-17 09:28:31 -07:00
cfanbo
84dad4c612
remove deprecated ioutil usages (#2877) 
* fix: Fixed return description error

* config/options: Adjust the position of TracingJaegerAgentEndpoint option

* DOCS: Remove duplicate configuration items

Remove duplicate configuration items of route

* remove deprecated ioutil usages
 2021-12-30 10:02:12 -08:00
Caleb Doxsey
2d04106e6d
ppl: add support for http_path and http_method (#2813) 
* ppl: add support for http_path and http_method

* fix import ordering
 2021-12-10 07:28:51 -07:00
Caleb Doxsey
c97dcf7e0f
envoy: add hash policy and routing key for hash-based load balancers (#2791) 
* envoy: add hash policy and routing key for hash-based load balancers

* fix integration test

* fix nginx
 2021-12-01 13:42:12 -07:00
Caleb Doxsey
6e48627b4d
ppl: add support for additional data (#2696) 
* ppl: add support for additional data

* remove unused NewCriterionDeviceRule
 2021-10-22 12:32:20 -06:00
Caleb Doxsey
efffe57bf0
ppl: pass contextual information through policy (#2612) 
* ppl: pass contextual information through policy

* maybe fix nginx

* fix nginx

* pr comments

* go mod tidy
 2021-09-20 16:02:26 -06:00
Caleb Doxsey
0786c7fc45
authorize: use session.user_id in headers (#2571) 2021-09-03 14:51:09 -06:00
Caleb Doxsey
33f5190572
config: remove signature_key_algorithm (#2557) 
* config: remove signature_key_algorithm

* typo

* add more tests
 2021-09-02 11:36:43 -06:00
Caleb Doxsey
de1ed61b9a
authorize: fix google cloudrun header audience (#2558) 2021-09-02 09:55:06 -06:00
Caleb Doxsey
ef55829cb0
authorize: fix X-Pomerium-Claim-Groups (#2539) 2021-08-26 20:29:57 -06:00
Caleb Doxsey
526f946097
fix forward-auth, logging (#2509) 
* fix forward-auth, logging

* move error message
 2021-08-23 17:50:04 -06:00
Caleb Doxsey
6af0655206
protoutil: add NewAny method for deterministic serialization (#2462) 2021-08-09 17:51:57 -06:00
Caleb Doxsey
a64e5b5fa1
authorize: add sid to JWT claims (#2420) 
* authorize: add sid to JWT claims

* fix import ordering
 2021-08-02 16:11:05 -06:00
Caleb Doxsey
1a95036b8c
sessions: add impersonate_session_id, remove legacy impersonation (#2407) 
* sessions: add impersonate_session_id, remove legacy impersonation

* show impersonated user details

* fix headers

* address feedback

* only check impersonate id on non-nil pbSession

* Revert "only check impersonate id on non-nil pbSession"

This reverts commit a6f7ca5abd.
 2021-07-30 08:42:36 -06:00
bobby
aa0e6872de
evaluator: use cryputil to hash (#2384) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2021-07-22 06:15:54 -07:00
Caleb Doxsey
c7a8f11d9a
authorize: add additional tracing for rego evaluation (#2381) 2021-07-21 15:37:51 -06:00
Caleb Doxsey
cef08a1c2d
authorize: remove service account impersonate user id, email and groups (#2365) 2021-07-15 09:31:45 -06:00
Caleb Doxsey
21ffe44dff
authorize: support boolean deny results (#2338) 
* authorize: support boolean deny results

* add client certificate test

* handle different array lengths
 2021-07-06 12:52:26 -06:00
Caleb Doxsey
f9675f61cc
deps: upgrade to go-jose v3 (#2284) 2021-06-10 09:35:44 -06:00
Caleb Doxsey
2156dbc553
envoy: always set jwt claim headers even if no value is available (#2261) 
* envoy: always set jwt claim headers even if no value is available

* add test
 2021-06-04 10:01:00 -07:00
wasaga
40ddc2c4b3
jwt: round timestamp (#2258) 2021-06-01 14:12:45 -07:00
wasaga
12c8bb2da4
authorize: preserve original context (#2247) 2021-06-01 11:10:35 -04:00
Caleb Doxsey
dad35bcfb0
ppl: refactor authorize to evaluate PPL (#2224) 
* ppl: refactor authorize to evaluate PPL

* remove opa test step

* add log statement

* simplify assignment

* deny with forbidden if logged in

* add safeEval function

* create evaluator-specific config and options

* embed the headers rego file directly
 2021-05-21 09:50:18 -06:00
Caleb Doxsey
c85c8b0778
authorize: refactor store locking (#2151) 
* authorize: refactor store locking

* fix nil reference panic
 2021-04-29 08:37:27 -06:00
Caleb Doxsey
f365b30e02
authorize: remove log (#2122) 2021-04-23 14:00:08 -06:00
Caleb Doxsey
762b565239
authorize: fix empty sub policy arrays (#2119) 2021-04-23 11:00:30 -06:00
Caleb Doxsey
b1d62bb541
config: remove validate side effects (#2109) 
* config: default shared key

* handle additional errors

* update grpc addr and grpc insecure

* update google cloud service authentication service account

* fix set response headers

* fix qps

* fix test
 2021-04-22 15:10:50 -06:00
wasaga
e0c09a0998
log context (#2107) 2021-04-22 10:58:13 -04:00
Caleb Doxsey
3906b70bc5
authorize: support arbitrary jwt claims (#2102) 
* authorize: support arbitrary jwt claims

* remove dead code
 2021-04-19 14:55:08 -06:00
Caleb Doxsey
d7ab817de7
authorize: add databroker server and record version to result, force sync via polling (#2024) 
* authorize: add databroker server and record version to result, force sync via polling

* wrap inmem store to take read lock when grabbing databroker versions

* address code review comments

* reset max to 0
 2021-03-31 10:09:06 -06:00
Caleb Doxsey
4218f49741
authorize: bypass data in rego for databroker data (#2041) 2021-03-30 14:14:32 -06:00
Nándor István Krácser
45fb938317
oidc: use groups claim from ID token if present (#1970) 
Signed-off-by: Nandor Kracser <bonifaido@gmail.com>
 2021-03-22 11:46:01 -06:00
Caleb Doxsey
3690a32855
config: use getters for authenticate, signout and forward auth urls (#2000) 2021-03-19 14:49:25 -06:00