pomerium

mirror of https://github.com/pomerium/pomerium.git synced 2025-04-29 10:26:29 +02:00

Author	SHA1	Message	Date
Denis Mishin	e71fca76f2	mcp: add to route config, 401 when unauthenticated (#5578 )	2025-04-22 11:47:09 -04:00
Caleb Doxsey	b9fd926618	authorize: support authenticating with idp tokens (#5484 ) * identity: add support for verifying access and identity tokens * allow overriding with policy option * authenticate: add verify endpoints * wip * implement session creation * add verify test * implement idp token login * fix tests * add pr permission * make session ids route-specific * rename method * add test * add access token test * test for newUserFromIDPClaims * more tests * make the session id per-idp * use type for * add test * remove nil checks	2025-02-18 13:02:06 -07:00
Caleb Doxsey	85ef08b3a0	authorize: handle gRPC requests (#5400 )	2024-12-19 08:46:53 -07:00
Joe Kralicky	82fb9cf29d	authorize: serialize errors in metav1.Status format when kubernetes user-agent is detected (#5334 ) * authorize: serialize errors in metav1.Status format when kubernetes user-agent is detected * update unit tests	2024-11-06 11:51:51 -05:00
Joe Kralicky	fe31799eb5	Fix many instances of contexts and loggers not being propagated (#5340 ) This also replaces instances where we manually write "return ctx.Err()" with "return context.Cause(ctx)" which is functionally identical, but will also correctly propagate cause errors if present.	2024-10-25 14:50:56 -04:00
Caleb Doxsey	4301da3648	core/telemetry: move requestid to pkg directory (#4911 )	2024-01-19 13:18:16 -07:00
Caleb Doxsey	803baeb9e1	core/authorize: return non-html errors on denied (#4904 )	2024-01-18 10:07:03 -07:00
Kenneth Jenkins	ffca3b36a9	authorize: reuse policy evaluators where possible (#4710 ) Add a parameter to evaluator.New() for the previous Evaluator (if any). If the evaluatorConfig is the same, reuse any PolicyEvaluators for policies that have not changed from the previous Evaluator. Use the route IDs along with the policy checksums to determine whether a given policy has changed. Similarly, add a new cacheKey() method to the evaluatorConfig to compute a checksum used for determine whether the evaluatorConfig has changed. (Store this checksum on the Evaluator.)	2023-11-06 13:57:59 -08:00
Kenneth Jenkins	8401170443	authorize: add "client-certificate-required" reason (#4389 ) Add a new reason "client-certificate-required" that will be returned by the invalid_client_certificate criterion in the case that no client certificate was provided. Determine this using the new 'presented' field populated from the Envoy metadata.	2023-07-25 10:03:51 -07:00
Kenneth Jenkins	5459e6940a	authorize: do not redirect if invalid client cert (#4344 ) If an authorization policy requires a client certificate, but an incoming request does not include a valid certificate, we should serve a deny error page right away, regardless of whether the user is authenticated via the identity provider or not. Do not redirect to the identity provider login page in this case. Update the existing integration tests accordingly, and add a unit test case for this scenario.	2023-07-10 16:39:26 -07:00
Caleb Doxsey	bbed421cd8	config: remove source, remove deadcode, fix linting issues (#4118 ) * remove source, remove deadcode, fix linting issues * use github action for lint * fix missing envoy	2023-04-21 17:25:11 -06:00
Denis Mishin	ccf15f8f3d	move hpke public key handler out of internal (#4065 )	2023-03-20 10:37:00 -04:00
Caleb Doxsey	0f295d4a63	hpke: move published public keys to a new endpoint (#4044 )	2023-03-08 09:17:04 -07:00
Caleb Doxsey	76a7ce3a6f	authorize: allow access to /.pomerium/webauthn when policy denies access (#4015 )	2023-02-27 09:49:06 -07:00
Caleb Doxsey	3e892a8533	options: support multiple signing keys (#3828 ) * options: support multiple signing keys * fix controlplane method, errors	2022-12-22 09:31:09 -07:00
Caleb Doxsey	57217af7dd	authenticate: implement hpke-based login flow (#3779 ) * urlutil: add time validation functions * authenticate: implement hpke-based login flow * fix import cycle * fix tests * log error * fix callback url * add idp param * fix test * fix test	2022-12-05 15:31:07 -07:00
Denis Mishin	fa0ba60aee	bump envoy to v1.24.0 (#3767 )	2022-11-28 09:32:31 -07:00
Caleb Doxsey	fa26587f19	remove forward auth (#3628 )	2022-11-23 15:59:28 -07:00
Caleb Doxsey	30bdae3d9e	sessions: check idp id to detect provider changes to force session invalidation (#3707 ) * sessions: check idp id to detect provider changes to force session invalidation * remove dead code * fix test	2022-10-25 16:20:32 -06:00
Caleb Doxsey	c0ca1e1a98	authorize: handle user-unauthenticated response for deny blocks (#3559 ) * authorize: handle user-unauthenticated response for deny blocks * fix test	2022-08-22 17:09:26 -06:00
Caleb Doxsey	0ac7e45a21	atomicutil: use atomicutil.Value wherever possible (#3517 ) * atomicutil: use atomicutil.Value wherever possible * fix test * fix mux router	2022-07-28 15:38:38 -06:00
Caleb Doxsey	f61e7efe73	authorize: use query instead of sync for databroker data (#3377 )	2022-06-01 15:40:07 -06:00
Caleb Doxsey	c19048649a	authorize: add support for cidr lookups (#3277 )	2022-04-19 16:18:34 -06:00
Caleb Doxsey	f9b95a276b	authenticate: support for per-route client id and client secret (#3030 ) * implement dynamic provider support * authenticate: support per-route client id and secret	2022-02-16 12:31:55 -07:00
Caleb Doxsey	0898dd4f34	proxy: fix error page (#3020 ) * fix error page * proxy: fix error page * share dashboard code * fix test	2022-02-09 09:14:24 -07:00
Caleb Doxsey	2824faecbf	frontend: react+mui (#3004 ) * mui v5 wip * wip * wip * wip * use compressor for all controlplane endpoints * wip * wip * add deps * fix authenticate URL * fix test * fix test * fix build * maybe fix build * fix integration test * remove image asset test * add yarn.lock	2022-02-07 08:47:58 -07:00
Caleb Doxsey	3497c39b9b	authorize: add support for webauthn device policy enforcement (#2700 ) * authorize: add support for webauthn device policy enforcement * update docs * group statuses	2021-10-25 09:41:03 -06:00
Caleb Doxsey	efffe57bf0	ppl: pass contextual information through policy (#2612 ) * ppl: pass contextual information through policy * maybe fix nginx * fix nginx * pr comments * go mod tidy	2021-09-20 16:02:26 -06:00
Caleb Doxsey	9dc90d02d0	authorize: only redirect for HTML pages (#2264 ) * authorize: only redirect for HTML pages * authorize: only redirect for HTML pages	2021-06-02 16:18:02 -06:00
Caleb Doxsey	dad35bcfb0	ppl: refactor authorize to evaluate PPL (#2224 ) * ppl: refactor authorize to evaluate PPL * remove opa test step * add log statement * simplify assignment * deny with forbidden if logged in * add safeEval function * create evaluator-specific config and options * embed the headers rego file directly	2021-05-21 09:50:18 -06:00
bobby	9215833a0b	control plane: add request id to all error pages (#2149 ) * controlplane: add request id to all error pages - use a single http error handler for both envoy and go control plane - add http lib style status text for our custom statuses. Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2021-04-28 15:04:44 -07:00
Caleb Doxsey	d7ab817de7	authorize: add databroker server and record version to result, force sync via polling (#2024 ) * authorize: add databroker server and record version to result, force sync via polling * wrap inmem store to take read lock when grabbing databroker versions * address code review comments * reset max to 0	2021-03-31 10:09:06 -06:00
Caleb Doxsey	3690a32855	config: use getters for authenticate, signout and forward auth urls (#2000 )	2021-03-19 14:49:25 -06:00
Caleb Doxsey	eddabc46c7	envoy: upgrade to v1.17.1 (#1993 )	2021-03-17 19:32:58 -06:00
Caleb Doxsey	1a1cc30c67	config: support map of jwt claim headers (#1906 ) * config: support map of jwt claim headers * fix array handling, add test * update docs * use separate hook, add tests	2021-02-17 13:43:18 -07:00
Caleb Doxsey	7d236ca1af	authorize: move headers and jwt signing to rego (#1856 ) * wip * wip * wip * remove SignedJWT field * set google_cloud_serverless_authentication_service_account * update jwt claim headers * add mock get_google_cloud_serverless_headers for opa test * swap issuer and audience * add comment * change default port in authz	2021-02-08 10:53:21 -07:00
Caleb Doxsey	eed873b263	authorize: remove DataBrokerData (#1846 ) * authorize: remove DataBrokerData * fix method name	2021-02-02 11:40:21 -07:00
wasaga	67f6030e1e	upstream endpoints load balancer weights (#1830 )	2021-01-28 09:11:14 -05:00
Caleb Doxsey	bec98051ae	config: return errors on invalid URLs, fix linting (#1829 )	2021-01-27 07:58:30 -07:00
Caleb Doxsey	a4c7381eba	config: support multiple destination addresses (#1789 ) * config: support multiple destination addresses * use constructor for string slice * add docs * add test for multiple destinations * fix name	2021-01-20 15:18:24 -07:00
Caleb Doxsey	b16236496b	jws: remove issuer (#1754 )	2021-01-11 07:57:54 -07:00
Caleb Doxsey	a19e45334b	proxy: remove impersonate headers for kubernetes (#1394 ) * proxy: remove impersonate headers for kubernetes * master on frontend/statik	2020-09-09 15:24:39 -06:00
Caleb Doxsey	6dee647a16	authorize: use atomic state for properties (#1290 )	2020-08-17 14:24:06 -06:00
Caleb Doxsey	fbf5b403b9	config: allow dynamic configuration of cookie settings (#1267 )	2020-08-13 08:11:34 -06:00
Cuong Manh Le	5d3b551524	authorize: increase test coverage - Add test cases for sync functions - Add test for valid JWT - Add session state to Test_getEvaluatorRequest	2020-08-06 21:02:20 +07:00
Cuong Manh Le	351a449023	authorize: add test for denied response (#1197 )	2020-08-04 21:20:30 +07:00
Cuong Manh Le	fa43db80c1	authorize: derive check response message from reply message (#1193 ) * authorize: derive check response message from reply message While at it, add tests for ok response related functions. * authorize: more test case for ok reply with k8s svc	2020-08-04 09:12:30 +07:00

47 commits