3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-05-02 03:46:29 +02:00
Code Issues Projects Releases Packages Wiki Activity
874 commits 158 branches 125 tags 103 MiB
Commit graph

47 commits

Author SHA1 Message Date
bobby
8cae3f27bb
docs: refactor sections, consolidate examples (#1164) 2020-07-30 11:02:14 -07:00
Cuong Manh Le
3039407597
pkg/storage/redis: add authentication support (#1159) 
Fixes #1157
 2020-07-29 23:08:38 +07:00
Miguel
72b6347886
docs: Add required in cookie_secret (#1142) 2020-07-27 22:59:54 +07:00
Cuong Manh Le
1640151bc1
databroker server backend config (#1127) 
* config,docs: add databroker storage backend configuration

* cache: allow configuring which backend storage to use

Currently supported types are "memory", "redis".
 2020-07-23 10:42:43 +07:00
Travis Groth
a1b6bfec56
docs: Cloud Run / GCP Serverless (#1101) 
* Add GCP Serverless and Cloud Run docs
 2020-07-20 14:00:52 -04:00
Cuong Manh Le
821f2e9000
config: allow setting directory sync interval and timeout (#1098) 
Updates #567
 2020-07-17 23:11:27 +07:00
Cuong Manh Le
2c3c7b837d
docs/configuration: add doc for trailing slash limitation in "To" field (#1040) 
Due to the limitation of envoy, it can't handle rewriting of "From"
field without path to a destination with path.

Updates #880
Updates #1033
 2020-07-07 11:35:59 +07:00
Caleb Doxsey
091b71f12e
grpc: rename internal/grpc to pkg/grpc (#1010) 
* grpc: rename internal/grpc to pkg/grpc

* don't ignore pkg dir

* remove debug line
 2020-06-26 09:17:02 -06:00
Travis Groth
c049d87362
docs: document service account requirements (#999) 2020-06-25 19:32:36 -04:00
bobby
dbd1eac97f
identity: support custom code flow request params (#998) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-06-25 08:28:46 -07:00
Cuong Manh Le
8d0deb0732
config: add PassIdentityHeaders option (#903) 
Currently, user's identity headers are always inserted to downstream
request. For privacy reason, it would be better to not insert these
headers by default, and let user chose whether to include these headers
per=policy basis.

Fixes #702
 2020-06-22 10:29:44 +07:00
Caleb Doxsey
dbd7f55b20
feature/databroker: user data and session refactor project (#926) 
* databroker: add databroker, identity manager, update cache (#864)

* databroker: add databroker, identity manager, update cache

* fix cache tests

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* authorize: use databroker data for rego policy (#904)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix gitlab test

* use v4 backoff

* authenticate: databroker changes (#914)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix dashboard

* delete session on logout

* permanently delete sessions once they are marked as deleted

* remove permanent delete

* fix tests

* remove groups and refresh test

* databroker: remove dead code, rename cache url, move dashboard (#925)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix dashboard

* delete session on logout

* permanently delete sessions once they are marked as deleted

* remove permanent delete

* fix tests

* remove cache service

* remove kv

* remove refresh docs

* remove obsolete cache docs

* add databroker url option

* cache: use memberlist to detect multiple instances

* add databroker service url

* remove cache service

* remove kv

* remove refresh docs

* remove obsolete cache docs

* add databroker url option

* cache: use memberlist to detect multiple instances

* add databroker service url

* wip

* remove groups and refresh test

* fix redirect, signout

* remove databroker client from proxy

* remove unused method

* remove user dashboard test

* handle missing session ids

* session: reject sessions with no id

* sessions: invalidate old sessions via databroker server version (#930)

* session: add a version field tied to the databroker server version that can be used to invalidate sessions

* fix tests

* add log

* authenticate: create user record immediately, call "get" directly in authorize (#931)
 2020-06-19 07:52:44 -06:00
Yuchen Ying
8fc1e9cca8
Add an option to request certificate with Must-Staple. (#697) 2020-06-17 08:29:34 -07:00
Cuong Manh Le
4d5edb0d64
Feature/remove request headers (#822) 
* config: add RemoveRequestHeaders

Currently, we have "set_request_headers" config, which reflects envoy
route.Route.RequestHeadersToAdd. This commit add new config
"remove_request_headers", which reflects envoy RequestHeadersToRemove.

This is also a preparation for future PRs to implement disable user
identity in request headers feature.

* integration: add test for remove_request_headers
* docs: add documentation/changelog for remove_request_headers
 2020-06-03 07:46:51 -07:00
Travis Groth
6761cc7a14
telemetry: service label updates (#802) 2020-05-29 15:16:22 -04:00
Joel Bastos
d67bb22342
docs: typo on configuration doc (#800) 
Correct memcached name
 2020-05-28 16:28:55 -07:00
Travis Groth
49db9867d7
docs: Expose config parameters in sidebar (#797) 2020-05-28 16:37:34 -04:00
Caleb Doxsey
f03f57980c
docs: update traefik example and add note about forwarded headers (#784) 2020-05-26 18:14:11 -06:00
Caleb Doxsey
e4832cb4ed
authorize: add client mTLS support (#751) 
* authorize: add client mtls support

* authorize: better error messages for envoy

* switch from function to input

* add TrustedCa to envoy config so that users are prompted for the correct client certificate

* update documentation

* fix invalid ClientCAFile

* regenerate cache protobuf

* avoid recursion, add test

* move comment line

* use http.StatusOK

* various fixes
 2020-05-21 16:01:07 -06:00
Bobby DeSimone
3f1faf2e9e
authenticate: add jwks and .well-known endpoint (#745) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-05-21 11:46:29 -07:00
Travis Groth
3e17befff7
envoy: Enable zipkin tracing (#737) 
- Update envoy bootstrap config to protobufs
- Reorganize tracing config to avoid cyclic import
- Push down zipkin config to Envoy
- Update tracing options to provide sample rate
 2020-05-21 11:50:07 -04:00
Caleb Doxsey
0895515833
envoy: implement various timeouts (#732) 
* envoy: implement global and route timeouts

* envoy: use the grpc client timeout for the authz service timeout

* fix test
 2020-05-19 10:01:37 -06:00
Travis Groth
1f1e63a75b
telemetry/tracing: Add Zipkin tracing support (#723) 2020-05-18 21:57:13 -04:00
Caleb Doxsey
ef399380b7 merge master 2020-05-18 17:10:10 -04:00
Travis Groth
96a95c5aff Update jwt_claims_headers docs (#705) 2020-05-18 17:10:10 -04:00
Caleb Doxsey
352c2b851b envoy: add separate proxy log level option (#689) 2020-05-18 17:10:10 -04:00
Caleb Doxsey
02615b8b6c Merge remote-tracking branch 'origin/master' into feature/envoy 2020-05-18 17:10:10 -04:00
Travis Groth
99e788a9b4 envoy: Initial changes 2020-05-18 17:10:10 -04:00
Bobby DeSimone
1cba3d50eb
docs: fixes to v0.8.0 docs (#696) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-05-13 12:38:01 -07:00
Bobby DeSimone
80166bcc40
deployment: release v0.8.0 (#686) 
Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>
 2020-05-12 19:10:12 -07:00
Travis Groth
b9b66ec20f
deploy: autocert documentation and defaults (#658) 
* Define AUTOCERT_DIR in dockerfiles

* Add autocert example and compose file

* Update reference docs for defaults
 2020-05-05 21:13:28 -04:00
Bobby DeSimone
bf9a6f5e97
cryptutil: add automatic certificate management (#644) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-05-05 12:50:19 -07:00
Caleb Doxsey
9e66471c07 docs: add additional path filtering configuration documentation 2020-04-20 18:24:36 -06:00
branchmispredictor
0de3c431a6
forward-auth: validate using forwarded uri header (#600) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
Co-authored-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-04-20 10:56:30 -07:00
Bobby DeSimone
b423b234e9
docs: update upgrading / changelog to v0.7.2 (#601) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-04-13 16:20:29 -07:00
Travis Groth
789068e27a
Add configurable JWT claim headers (#596) 2020-04-09 23:41:55 -04:00
Travis Groth
cc504362e4
Add storage metrics (#554) 
* Add cache storage metrics

- autocache client metrics
- autocache server metrics
- boltdb metrics
- redis client metrics
- refactor metrics registry to be general purpose
 2020-03-23 22:07:48 -04:00
Bobby DeSimone
8d1732582e
authorize: use jwt insead of state struct (#514) 
authenticate: unmarshal and verify state from jwt, instead of middleware
authorize: embed opa policy using statik
authorize: have IsAuthorized handle authorization for all routes
authorize: if no signing key is provided, one is generated
authorize: remove IsAdmin grpc endpoint
authorize/client: return authorize decision struct
cmd/pomerium: main logger no longer contains email and group
cryptutil: add ECDSA signing methods
dashboard: have impersonate form show up for all users, but have api gated by authz
docs: fix typo in signed jwt header
encoding/jws: remove unused es256 signer
frontend: namespace static web assets
internal/sessions: remove leeway to match authz policy
proxy:  move signing functionality to authz
proxy: remove jwt attestation from proxy (authZ does now)
proxy: remove non-signed headers from headers
proxy: remove special handling of x-forwarded-host
sessions: do not verify state in middleware
sessions: remove leeway from state to match authz
sessions/{all}: store jwt directly instead of state

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-03-10 11:19:26 -07:00
Travis Groth
3654f44384
config: Expose and set default GRPC Server Keepalive Parameters (#509) 2020-02-19 21:21:28 -05:00
Bobby DeSimone
5716113c2a
authenticate: make callback path configurable (#493) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-02-08 09:06:23 -08:00
nitper
6a10112ebe docs: fix cookie_domain (#472) 2020-01-28 09:35:07 -08:00
Bobby DeSimone
dd54ce4481
v0.6.0 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-01-24 16:09:47 -08:00
Bobby DeSimone
8956bf4411
proxy: add preserve host header (#463) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-01-22 21:03:22 -08:00
Bobby DeSimone
8b7f344e01
docs: s/fwdauth/forwardauth/ (#447) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-01-07 13:54:36 -08:00
Travis Groth
e20e1f08c5
Fix typo in forward auth nginx docs (#445) 2020-01-01 12:52:18 -05:00
Dave Anderson
86b48a2aaf Add documentation for cookie settings. (#429) 2019-12-21 14:40:31 -08:00
Bobby DeSimone
ec9607d1d5
v0.5.0 (#375) 2019-11-14 20:02:16 -08:00
Renamed from docs/docs/reference/reference.md (Browse further)