3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-06-01 02:12:50 +02:00
Code Issues Projects Releases Packages Wiki Activity
1668 commits 165 branches 127 tags 104 MiB
Commit graph

230 commits

Author SHA1 Message Date
Jon Carl
83f998c088
update the documentation for auth0 to include group/role information (#1502) 
Signed-off-by: Jon Carl <jon.carl@auth0.com>
 2020-10-09 13:42:25 -06:00
Caleb Doxsey
88580cf2fb
auth0: implement identity provider (#1470) 
* auth0: implement identity provider

* add auth0 guide

* fix naming
 2020-09-29 09:06:58 -06:00
Travis Groth
cef1449458
deployment: Generate deb and rpm packages (#1458) 2020-09-28 13:33:35 -04:00
Shinebayar G
7c990a45b1
docs: fix grammar (#1412) 2020-09-17 08:16:22 -07:00
bobby
311dde8b61
docs: update azure docs (#1377) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-09-08 12:58:11 -07:00
Travis Groth
5488e6d5fa
deployment: fully split release archives and brews (#1365) 2020-09-02 17:32:52 -04:00
Robert
2dc8879583
Allow setting the shared secret via an environment variable. (#1337) 
This makes it easier to safely pass it in programmatically to a container
without cutting and pasting or putting it on the command line.
 2020-08-27 08:39:07 -06:00
bobby
fbd8c8f294
deployment: add goimports with path awareness (#1316) 
Plus fix some spelling

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-08-24 13:04:55 -07:00
Cuong Manh Le
9de99d0211
all: add signout redirect url (#1324) 
Fixes #1213
 2020-08-25 01:23:58 +07:00
Travis Groth
0c51ad0e66
docs: fix in-action video (#1268) 2020-08-12 19:34:50 -04:00
Travis Groth
6314c43f40
docs: image, sitemap and redirect fixes (#1263) 
* docs: fix image linkes for cdn

* docs: use relative top level redirect

* docs: generate sitemap under /docs/
 2020-08-12 15:22:53 -04:00
Cuong Manh Le
32745250d3
docs/docs: fix wrong okta service account field (#1251) 
The okta service account token field should be api_key not api_token

Fixes #1249
 2020-08-11 09:05:36 +07:00
bobby
bfc3fb67da
v0.10.0 (#1225) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-08-06 21:08:19 -07:00
roulesse
7da513f42c
Update synology.md (#1219) 2020-08-06 15:28:51 -07:00
Travis Groth
4976fe3824
docs: add installation section (#1223) 2020-08-06 16:34:01 -04:00
Travis Groth
1cafba18a5
docs: Kubernetes topic (#1222) 
* docs: kubernetes topic and installation stub
 2020-08-06 15:28:12 -04:00
Travis Groth
28230c7dc5
docs: update architecture diagrams + descriptions (#1218) 
* docs: update architecture diagrams + descriptions

* Update docs/docs/topics/production-deployment.md

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Update docs/docs/topics/production-deployment.md

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Update docs/docs/topics/production-deployment.md

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
 2020-08-06 13:40:08 -04:00
bobby
8d0cb86098
docs: fix links, fix upgrade guide (#1220) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-08-05 23:07:49 -07:00
Cuong Manh Le
c910196364
docs/docs: update upgrading to mention redis storage backend (#1172) 
Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
 2020-08-01 11:20:07 -07:00
bobby
8b68079488
docs: rename docs/reference to docs/topics (#1182) 
* docs: rename docs/reference to docs/topics
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-08-01 10:00:14 -07:00
Travis Groth
417c2f4890
docs: Redis and stateful storage docs (#1173) 2020-07-31 11:56:01 -04:00
bobby
8cae3f27bb
docs: refactor sections, consolidate examples (#1164) 2020-07-30 11:02:14 -07:00
Cuong Manh Le
489cdd8b63
internal/controlplane: using envoy strip host port matching (#1126) 
* internal/controlplane: using envoy strip host port matching

With envoy 1.15.0 release, strip host port matching setting allows
incoming request with Host "example:443" will match again route with
domains match set to "example".

Not that this is not standard HTTP behavior, but it's more convenient
for users.

Fixes #959

* docs/docs: add note about enable envoy strip host port matching
 2020-07-22 23:51:57 +07:00
Cuong Manh Le
8e56db7830
docs/docs: add changelog for #1055 (#1084) 2020-07-16 09:57:25 +07:00
Cuong Manh Le
d40f294586
authorize: include "kid" in JWT header (#1049) 
Fixes #1046
 2020-07-09 12:39:53 +07:00
Cuong Manh Le
65150f2c3d
docs: document preserve_host_header with policy routes to static ip (#1024) 
Fixes #1012
 2020-06-30 14:26:08 +07:00
Caleb Doxsey
091b71f12e
grpc: rename internal/grpc to pkg/grpc (#1010) 
* grpc: rename internal/grpc to pkg/grpc

* don't ignore pkg dir

* remove debug line
 2020-06-26 09:17:02 -06:00
Travis Groth
c049d87362
docs: document service account requirements (#999) 2020-06-25 19:32:36 -04:00
Bobby DeSimone
1d1311a240 config: error if groups are used without service account 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-06-24 16:01:08 -07:00
Cuong Manh Le
17ba595ced
authenticate: support hot reloaded config (#984) 
By implementinng OptionsUpdater interface.

Fixes #982
 2020-06-24 00:18:20 +07:00
Cuong Manh Le
4ca0189524
docs/docs/identity-providers: document gitlab default scopes changed (#980) 
Fixes #938
 2020-06-24 00:05:21 +07:00
Caleb Doxsey
24b523c043
docs: update upgrading document for breaking changes (#974) 2020-06-22 15:26:42 -06:00
Caleb Doxsey
f33bf07334
docs: update service account instructions for OneLogin (#973) 2020-06-22 15:21:21 -06:00
Caleb Doxsey
ae97d280c5
docs: service account instructions for gitlab (#970) 2020-06-22 15:04:36 -06:00
Caleb Doxsey
451bdbeb0d
docs: update okta service account docs to match new format (#972) 2020-06-22 15:04:01 -06:00
Caleb Doxsey
cb08cb7a93
docs: service account instructions for azure (#969) 2020-06-22 14:15:49 -06:00
Caleb Doxsey
f11c5ba172
docs: update GitHub documentation for service account (#967) 
* docs: update GitHub documentation for service account

* add read:org permission
 2020-06-22 12:36:07 -06:00
Cuong Manh Le
5b9c09caba
docs/docs: remove extra text when resolve conflict (#955) 2020-06-22 10:38:31 +07:00
Cuong Manh Le
8d0deb0732
config: add PassIdentityHeaders option (#903) 
Currently, user's identity headers are always inserted to downstream
request. For privacy reason, it would be better to not insert these
headers by default, and let user chose whether to include these headers
per=policy basis.

Fixes #702
 2020-06-22 10:29:44 +07:00
Cuong Manh Le
c29807c391
docs: document un-supported HTTP 1.0 in 0.9.0 and higher (#932) 
docs: document un-supported HTTP 1.0 in 0.9.0 and higher

Fixes #915

Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
 2020-06-20 01:11:00 +07:00
Caleb Doxsey
dbd7f55b20
feature/databroker: user data and session refactor project (#926) 
* databroker: add databroker, identity manager, update cache (#864)

* databroker: add databroker, identity manager, update cache

* fix cache tests

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* authorize: use databroker data for rego policy (#904)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix gitlab test

* use v4 backoff

* authenticate: databroker changes (#914)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix dashboard

* delete session on logout

* permanently delete sessions once they are marked as deleted

* remove permanent delete

* fix tests

* remove groups and refresh test

* databroker: remove dead code, rename cache url, move dashboard (#925)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix dashboard

* delete session on logout

* permanently delete sessions once they are marked as deleted

* remove permanent delete

* fix tests

* remove cache service

* remove kv

* remove refresh docs

* remove obsolete cache docs

* add databroker url option

* cache: use memberlist to detect multiple instances

* add databroker service url

* remove cache service

* remove kv

* remove refresh docs

* remove obsolete cache docs

* add databroker url option

* cache: use memberlist to detect multiple instances

* add databroker service url

* wip

* remove groups and refresh test

* fix redirect, signout

* remove databroker client from proxy

* remove unused method

* remove user dashboard test

* handle missing session ids

* session: reject sessions with no id

* sessions: invalidate old sessions via databroker server version (#930)

* session: add a version field tied to the databroker server version that can be used to invalidate sessions

* fix tests

* add log

* authenticate: create user record immediately, call "get" directly in authorize (#931)
 2020-06-19 07:52:44 -06:00
Cuong Manh Le
e0bdd906f9
config: change the default logging level to INFO (#902) 
config: change the default logging level to INFO

DEBUG logging level is very verbose and potentially logs sensitive data.
We should set default log level to INFO.

Updates #895
Fixes #896
 2020-06-15 22:55:18 +07:00
Bobby DeSimone
e57f92486a
envoy: bump envoy to 1.14.2 (#894) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-06-15 07:55:44 -07:00
Aidan Steele
48912dbc33
Fix small typo (#836) 2020-06-07 07:46:47 -04:00
Cuong Manh Le
4d5edb0d64
Feature/remove request headers (#822) 
* config: add RemoveRequestHeaders

Currently, we have "set_request_headers" config, which reflects envoy
route.Route.RequestHeadersToAdd. This commit add new config
"remove_request_headers", which reflects envoy RequestHeadersToRemove.

This is also a preparation for future PRs to implement disable user
identity in request headers feature.

* integration: add test for remove_request_headers
* docs: add documentation/changelog for remove_request_headers
 2020-06-03 07:46:51 -07:00
Bobby DeSimone
44cf1fba1f
deployment: prepare 0.9.0 (#798) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-05-30 18:07:57 -07:00
Travis Groth
6761cc7a14
telemetry: service label updates (#802) 2020-05-29 15:16:22 -04:00
Caleb Doxsey
df2b09a906
docs: add note about unsupported platforms (#799) 2020-05-28 12:57:03 -06:00
Noah Stride
d85e490640
fix: docs regarding claim headers (#782) 2020-05-27 09:58:48 -04:00
Bobby DeSimone
3f1faf2e9e
authenticate: add jwks and .well-known endpoint (#745) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-05-21 11:46:29 -07:00