3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-06-02 10:52:49 +02:00
Code Issues Projects Releases Packages Wiki Activity
1033 commits 169 branches 127 tags 105 MiB
Commit graph

311 commits

Author SHA1 Message Date
Caleb Doxsey
a19e45334b
proxy: remove impersonate headers for kubernetes (#1394) 
* proxy: remove impersonate headers for kubernetes

* master on frontend/statik
 2020-09-09 15:24:39 -06:00
bobby
05d9fbb4b3
Desimone/authenticate default logout (#1390) 
* authenticate: fix unset post_logout_redirect_uri
* don't show url if does not exist
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-09-09 11:53:12 -07:00
Caleb Doxsey
1fcd86120b
proxy: for filter matches only include bare domain name (#1389) 2020-09-09 08:56:15 -06:00
Travis Groth
145c2cf8f5
internal/envoy: start epoch from 0 (#1387) 2020-09-09 10:25:21 -04:00
Caleb Doxsey
0a6796ff71
authorize: add support for service accounts (#1374) 2020-09-04 10:37:00 -06:00
Cuong Manh Le
eaf0dd4e67 internal/identity/manager: increase default refresh groups timeout 2020-09-04 23:17:56 +07:00
Cuong Manh Le
5895331768 internal/identity/manager: improve timeout error message 
By pointing user to configuration docs.
 2020-09-04 23:17:56 +07:00
bobby
43d37ace94
proxy/controlplane: make health checks debug level (#1368) 
- proxy: remove version from ping handler

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-09-04 07:31:12 -07:00
Cuong Manh Le
08a094ae93
internal/directory/okta: remove rate limiter (#1370) 
We did honor the rate limit header from okta, so don't bother to add our
rate limiter there.
 2020-09-04 18:23:14 +07:00
Caleb Doxsey
49d1a71ff2
databroker: add tracing for rego evaluation and databroker sync, fix bug in databroker config source (#1367) 2020-09-03 08:11:34 -06:00
Caleb Doxsey
4fb90fabe8
config: support explicit prefix and regex path rewriting (#1363) 
* config: support explicity prefix and regex path rewriting

* add rewrite tests
 2020-09-02 13:48:19 -06:00
Caleb Doxsey
a269441c34
proxy: disable control-plane robots.txt for public unauthenticated routes (#1361) 2020-09-02 07:56:15 -06:00
Caleb Doxsey
f6b622c7dc
proxy: support websocket timeouts (#1362) 2020-09-02 07:55:57 -06:00
Caleb Doxsey
e4e6abfd29
certmagic: improve logging (#1358) 
* certmagic: improve logging

* Update internal/autocert/manager.go

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
 2020-09-01 09:58:09 -06:00
Cuong Manh Le
b8584a3f46
internal/directory/okta: accept non-json service account (#1359) 
Fixes #1354
 2020-09-01 22:33:55 +07:00
Travis Groth
2e714c211e
internal/controlplane: add telemetry http handler (#1353) 2020-09-01 09:22:24 -04:00
bobby
fbd8c8f294
deployment: add goimports with path awareness (#1316) 
Plus fix some spelling

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-08-24 13:04:55 -07:00
Cuong Manh Le
ffaceadfdd
internal/urlutil: remove un-used constants (#1326) 2020-08-25 02:07:56 +07:00
bobby
c1b3b45d12
proxy: remove unused handlers (#1317) 
proxy: remove unused handlers

authenticate: remove unused references to refresh_token

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-08-22 10:02:12 -07:00
Caleb Doxsey
79741d5345
autocert: fix locking issue (#1310) 2020-08-20 14:08:52 -06:00
Caleb Doxsey
c4c8ef8e53
azure: support deriving credentials from client id, client secret and provider url (#1300) 2020-08-18 10:17:28 -06:00
Caleb Doxsey
a1378c81f8
cache: support databroker option changes (#1294) 2020-08-18 07:27:20 -06:00
Cuong Manh Le
a4408ab6cf internal/directory/okta: fix wrong API query filter 
Okta uses space " " instead of plus sign "+" in query filter.
See https://developer.okta.com/docs/reference/api-overview/#filtering
 2020-08-18 20:24:15 +07:00
bobby
8a384985f0
autocert: fix bootstrapped cache store path (#1283) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-08-17 13:27:11 -07:00
Caleb Doxsey
6dee647a16
authorize: use atomic state for properties (#1290) 2020-08-17 14:24:06 -06:00
Caleb Doxsey
d9a224a5e8
proxy: move properties to atomically updated state (#1280) 
* authenticate: remove cookie options

* authenticate: remove shared key field

* authenticate: remove shared cipher property

* authenticate: move properties to separate state struct

* proxy: allow local state to be updated on configuration changes

* fix test

* return new connection

* use warn, collapse to single line

* address concerns, fix tests
 2020-08-14 11:44:58 -06:00
Cuong Manh Le
23eea09ed0 internal/directory/okta: use okta filter to get updated groups 
Okta API supports filter to get updated groups only, we can adopt that
to reduce number of requests to okta API, hence reduce chance that we
reach the rate limit.

Updates #1256
 2020-08-14 22:01:31 +07:00
Cuong Manh Le
d1c0ae730f internal/directory/okta: honor rate limit reset header 
So we can wait until the rate limit release time to continue query okta
API.

Updates #1256
 2020-08-14 22:01:31 +07:00
Cuong Manh Le
598102f587 internal/directory/okta: add limiter to query okta API 
Okta only allows 100 requests per minute, so apply the default rate
limit 1 QPS for it.

Fixes #1256
 2020-08-14 09:50:49 +07:00
Caleb Doxsey
045c10edc6
authenticate: support reloading IDP settings (#1273) 
* identity: add name method to provider

* authenticate: support dynamically loading the provider
 2020-08-13 12:14:30 -06:00
Caleb Doxsey
fbf5b403b9
config: allow dynamic configuration of cookie settings (#1267) 2020-08-13 08:11:34 -06:00
Caleb Doxsey
2afd7b6864
envoy: add support for hot-reloading bootstrap configuration (#1259) 
* envoy: add support for hot-reloading bootstrap configuration

* use passed in log level

* fix unnecessary firstNonEmpty

* move process release to after new command start
 2020-08-12 16:13:19 -06:00
Cuong Manh Le
82b1daae50
internal/directory/okta: increase default batch size to 200 (#1264) 
See: https://developer.okta.com/docs/reference/api/groups/#list-groups-with-membership-updated-after-timestamp

Updates #1256
 2020-08-13 02:27:01 +07:00
Caleb Doxsey
bd5c784670
config: validate databroker settings (#1260) 
* config: validate databroker settings

* fix test
 2020-08-12 11:32:34 -06:00
Cuong Manh Le
4b3e07c5f5 internal/controlplane: mocking policy name in test 
We don't have to test for exact policy name, as it does not make sense
and force us to change test every new go release.
 2020-08-12 22:20:50 +07:00
Caleb Doxsey
f822c9a5d2
config: allow reloading of telemetry settings (#1255) 
* metrics: support dynamic configuration settings

* add test

* trace: update configuration when settings change

* config: allow logging options to be configured when settings change

* envoy: allow changing log settings

* fix unexpected doc change

* fix tests

* pick a port at random

* update based on review
 2020-08-12 08:14:15 -06:00
Caleb Doxsey
1285a9d91d
databroker: add support for config settings (#1253) 2020-08-11 07:50:19 -06:00
Cuong Manh Le
277e6b56e9 internal/autocert: refactoring updateAutocert 
By factor out obtain and renew certification process, return specific
error for each process if failed to contact with letsencrypt server.
 2020-08-10 23:26:35 +07:00
Cuong Manh Le
3c23164347 internal/autocert: re-use cert if renewing failed but cert not expired 
Fixes #1232
 2020-08-10 23:26:35 +07:00
Cuong Manh Le
02edbb7748
internal/databroker: make Sync send data in smaller batches (#1226) 
* internal/databroker: make Sync send data in smaller batches

GRPC streaming is better at sending multiple smaller message instead of
a big one.

Benchmark result for sending 10k messages at once vs multiple batches,
each with 100 messages:

name     old time/op  new time/op  delta
Sync-12  14.5ms ± 3%  12.4ms ± 2%  -14.40%  (p=0.000 n=10+9)

* cache: add test for databroker sync
 2020-08-07 23:12:41 +07:00
Travis Groth
7a53e6bb42
proxy: add support for spdy upgrades (#1203) 2020-08-04 13:26:14 -04:00
Cuong Manh Le
4f0d6bee68
internal/urlutil: add tests for GetDomainsForURL (#1183) 
Updates #959
 2020-08-01 09:59:40 -07:00
Cuong Manh Le
f7ebf54305
authorize: strip port from host header if necessary (#1175) 
After #1153, envoy can handle routes for `example.com` and `example.com:443`.
Authorize service should be updated to handle this case, too.

Fixes #959
 2020-07-31 21:41:58 +07:00
Cuong Manh Le
bc61206b78
pkg/storage/redis: add redis TLS support (#1163) 
Fixes #1156
 2020-07-31 19:37:23 +07:00
Travis Groth
3c4513a91e
telmetry: add databroker storage metrics and tracing (#1161) 
* telmetry: add databroker storage metrics and tracing
 2020-07-30 18:19:23 -04:00
Caleb Doxsey
29fb96a955
databroker: add encryption for records (#1168) 2020-07-30 14:04:31 -06:00
Caleb Doxsey
97f85481f8
fix redirect loop, remove user/session services, remove duplicate deleted_at fields (#1162) 
* fix redirect loop, remove user/session services, remove duplicate deleted_at fields

* change loop

* reuse err variable

* wrap errors, use cookie timeout

* wrap error, duplicate if
 2020-07-30 09:41:57 -06:00
Cuong Manh Le
3039407597
pkg/storage/redis: add authentication support (#1159) 
Fixes #1157
 2020-07-29 23:08:38 +07:00
Caleb Doxsey
557aef2a33
fix databroker restart versioning, handle missing sessions (#1145) 
* fix databroker restart versioning, handle missing sessions

* send empty server version to detect change

* only rebuild if there are updated records
 2020-07-29 08:45:41 -06:00
Caleb Doxsey
a5e8abd6af
handle example.com and example.com:443 (#1153) 
* handle example.com and example.com:443

* fix domain comparisons
 2020-07-28 15:30:41 -06:00