pomerium

mirror of https://github.com/pomerium/pomerium.git synced 2025-04-29 18:36:30 +02:00

Author	SHA1	Message	Date
Caleb Doxsey	30bdae3d9e	sessions: check idp id to detect provider changes to force session invalidation (#3707 ) * sessions: check idp id to detect provider changes to force session invalidation * remove dead code * fix test	2022-10-25 16:20:32 -06:00
Caleb Doxsey	c0ca1e1a98	authorize: handle user-unauthenticated response for deny blocks (#3559 ) * authorize: handle user-unauthenticated response for deny blocks * fix test	2022-08-22 17:09:26 -06:00
Caleb Doxsey	3c63b6c028	authorize: add policy error details for custom error messages (#3542 ) * authorize: add policy error details for custom error messages * remove fmt.Println * fix tests * add docs	2022-08-09 14:46:31 -06:00
Caleb Doxsey	89a105c8e6	authorize: add request id to context (#3497 ) * authorize: add request id to context * fix context keys	2022-07-26 14:34:48 -06:00
Caleb Doxsey	fe61a74e1b	authorize: fix device synchronization (#3482 )	2022-07-15 17:27:06 -06:00
Caleb Doxsey	bc078f8bd2	authorize: fix x-forwarded-uri (#3479 ) * authorize: fix x-forwarded-uri * fix raw path	2022-07-14 09:32:48 -06:00
Caleb Doxsey	15e3b3a431	authorize: allow missing user for authorization (#3421 )	2022-06-14 05:44:34 -06:00
Caleb Doxsey	f61e7efe73	authorize: use query instead of sync for databroker data (#3377 )	2022-06-01 15:40:07 -06:00
Caleb Doxsey	a0e64b1cf9	authorize: add request IP to rego evaluation (#3107 )	2022-03-07 15:07:58 -07:00
Caleb Doxsey	f9b95a276b	authenticate: support for per-route client id and client secret (#3030 ) * implement dynamic provider support * authenticate: support per-route client id and secret	2022-02-16 12:31:55 -07:00
Caleb Doxsey	5b9a981191	handle device states in deny block, fix default device type (#2919 ) * handle device states in deny block, fix default device type * fix tests	2022-01-11 11:56:54 -07:00
cfanbo	84dad4c612	remove deprecated ioutil usages (#2877 ) * fix: Fixed return description error * config/options: Adjust the position of TracingJaegerAgentEndpoint option * DOCS: Remove duplicate configuration items Remove duplicate configuration items of route * remove deprecated ioutil usages	2021-12-30 10:02:12 -08:00
Caleb Doxsey	2d04106e6d	ppl: add support for http_path and http_method (#2813 ) * ppl: add support for http_path and http_method * fix import ordering	2021-12-10 07:28:51 -07:00
Caleb Doxsey	efffe57bf0	ppl: pass contextual information through policy (#2612 ) * ppl: pass contextual information through policy * maybe fix nginx * fix nginx * pr comments * go mod tidy	2021-09-20 16:02:26 -06:00
Caleb Doxsey	526f946097	fix forward-auth, logging (#2509 ) * fix forward-auth, logging * move error message	2021-08-23 17:50:04 -06:00
Caleb Doxsey	bbec2cae9f	grpc: send client traffic through envoy (#2469 ) * wip * wip * handle wildcards in override name * remove wait for ready, add comment about sync, force initial sync complete in test * address comments	2021-08-16 16:12:22 -06:00
Caleb Doxsey	360aa89505	authorize: allow redirects on deny (#2361 )	2021-07-13 15:41:36 -06:00
Caleb Doxsey	b4b86dccb4	authorize: decode CheckRequest path for redirect (#2357 )	2021-07-13 13:17:21 -06:00
Caleb Doxsey	8e155bdf61	authorize: log service account and impersonation details (#2354 )	2021-07-12 14:21:37 -06:00
Caleb Doxsey	9dc90d02d0	authorize: only redirect for HTML pages (#2264 ) * authorize: only redirect for HTML pages * authorize: only redirect for HTML pages	2021-06-02 16:18:02 -06:00
Caleb Doxsey	dad35bcfb0	ppl: refactor authorize to evaluate PPL (#2224 ) * ppl: refactor authorize to evaluate PPL * remove opa test step * add log statement * simplify assignment * deny with forbidden if logged in * add safeEval function * create evaluator-specific config and options * embed the headers rego file directly	2021-05-21 09:50:18 -06:00
Caleb Doxsey	c85c8b0778	authorize: refactor store locking (#2151 ) * authorize: refactor store locking * fix nil reference panic	2021-04-29 08:37:27 -06:00
bobby	9215833a0b	control plane: add request id to all error pages (#2149 ) * controlplane: add request id to all error pages - use a single http error handler for both envoy and go control plane - add http lib style status text for our custom statuses. Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2021-04-28 15:04:44 -07:00
wasaga	e0c09a0998	log context (#2107 )	2021-04-22 10:58:13 -04:00
Caleb Doxsey	f4c4fe314a	authorize: audit logging (#2050 ) * authorize: add databroker server and record version to result, force sync via polling * authorize: audit logging	2021-04-05 09:58:55 -06:00
Caleb Doxsey	d7ab817de7	authorize: add databroker server and record version to result, force sync via polling (#2024 ) * authorize: add databroker server and record version to result, force sync via polling * wrap inmem store to take read lock when grabbing databroker versions * address code review comments * reset max to 0	2021-03-31 10:09:06 -06:00
Caleb Doxsey	853d2dd478	config: use getters for certificates (#2001 ) * config: use getters for certificates * update log message	2021-03-23 08:02:50 -06:00
Caleb Doxsey	3690a32855	config: use getters for authenticate, signout and forward auth urls (#2000 )	2021-03-19 14:49:25 -06:00
Caleb Doxsey	eddabc46c7	envoy: upgrade to v1.17.1 (#1993 )	2021-03-17 19:32:58 -06:00
Caleb Doxsey	5d60cff21e	databroker: refactor databroker to sync all changes (#1879 ) * refactor backend, implement encrypted store * refactor in-memory store * wip * wip * wip * add syncer test * fix redis expiry * fix linting issues * fix test by skipping non-config records * fix backoff import * fix init issues * fix query * wait for initial sync before starting directory sync * add type to SyncLatest * add more log messages, fix deadlock in in-memory store, always return server version from SyncLatest * update sync types and tests * add redis tests * skip macos in github actions * add comments to proto * split getBackend into separate methods * handle errors in initVersion * return different error for not found vs other errors in get * use exponential backoff for redis transaction retry * rename raw to result * use context instead of close channel * store type urls as constants in databroker * use timestampb instead of ptypes * fix group merging not waiting * change locked names * update GetAll to return latest record version * add method to grpcutil to get the type url for a protobuf type	2021-02-18 15:24:33 -07:00
Caleb Doxsey	eb08658cfc	logs: strip query string (#1894 )	2021-02-16 14:23:52 -07:00
Caleb Doxsey	7d236ca1af	authorize: move headers and jwt signing to rego (#1856 ) * wip * wip * wip * remove SignedJWT field * set google_cloud_serverless_authentication_service_account * update jwt claim headers * add mock get_google_cloud_serverless_headers for opa test * swap issuer and audience * add comment * change default port in authz	2021-02-08 10:53:21 -07:00
Caleb Doxsey	eed873b263	authorize: remove DataBrokerData (#1846 ) * authorize: remove DataBrokerData * fix method name	2021-02-02 11:40:21 -07:00
Caleb Doxsey	cc85ea601d	policy: add new certificate-authority option for downstream mTLS client certificates (#1835 ) * policy: add new certificate-authority option for downstream mTLS client certificates * update proto, docs	2021-02-01 08:10:32 -07:00
wasaga	67f6030e1e	upstream endpoints load balancer weights (#1830 )	2021-01-28 09:11:14 -05:00
Caleb Doxsey	bec98051ae	config: return errors on invalid URLs, fix linting (#1829 )	2021-01-27 07:58:30 -07:00
Caleb Doxsey	84e8f6cc05	config: fix databroker policies (#1821 )	2021-01-25 17:18:50 -07:00
Caleb Doxsey	a6bc9f492f	authorize: move impersonation into session/service account (#1765 ) * move impersonation into session/service account * replace frontend statik * fix data race * move JWT filling to separate function, break up functions * maybe fix data race * fix code climate issue	2021-01-11 15:40:08 -07:00
bobby	c199909032	forward-auth: fix special character support for nginx (#1578 )	2020-11-12 13:10:57 -05:00
bobby	aadbcd23bd	fwd-auth: fix nginx-ingress forward-auth (#1505 / #1497 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-10-19 08:09:13 -07:00
bobby	9b39deabd8	forward-auth: use envoy's ext_authz check (#1482 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-10-04 20:01:06 -07:00
Caleb Doxsey	0a6796ff71	authorize: add support for service accounts (#1374 )	2020-09-04 10:37:00 -06:00
Caleb Doxsey	a269441c34	proxy: disable control-plane robots.txt for public unauthenticated routes (#1361 )	2020-09-02 07:56:15 -06:00
bobby	45fc4ec3cc	authorize: log users and groups (#1303 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-08-19 08:07:30 -07:00
Caleb Doxsey	6dee647a16	authorize: use atomic state for properties (#1290 )	2020-08-17 14:24:06 -06:00
Cuong Manh Le	5d3b551524	authorize: increase test coverage - Add test cases for sync functions - Add test for valid JWT - Add session state to Test_getEvaluatorRequest	2020-08-06 21:02:20 +07:00
Cuong Manh Le	f7ebf54305	authorize: strip port from host header if necessary (#1175 ) After #1153, envoy can handle routes for `example.com` and `example.com:443`. Authorize service should be updated to handle this case, too. Fixes #959	2020-07-31 21:41:58 +07:00
Caleb Doxsey	97f85481f8	fix redirect loop, remove user/session services, remove duplicate deleted_at fields (#1162 ) * fix redirect loop, remove user/session services, remove duplicate deleted_at fields * change loop * reuse err variable * wrap errors, use cookie timeout * wrap error, duplicate if	2020-07-30 09:41:57 -06:00
Caleb Doxsey	557aef2a33	fix databroker restart versioning, handle missing sessions (#1145 ) * fix databroker restart versioning, handle missing sessions * send empty server version to detect change * only rebuild if there are updated records	2020-07-29 08:45:41 -06:00
Caleb Doxsey	504197d83b	custom rego in databroker (#1124 ) * add support for sub policies * add support for sub policies * update authz rego policy to support sub policies	2020-07-22 10:44:05 -06:00

1 2

79 commits