Kenneth Jenkins
b7896b3153
authenticateflow: move stateless flow logic (#4820)
Consolidate all logic specific to the stateless authenticate flow into
a new Stateless type in a new package internal/authenticateflow. This is
in preparation for adding a new Stateful type implementing the older
stateful authenticate flow (from Pomerium v0.20 and previous).
This change is intended as a pure refactoring of existing logic, with no
changes in functionality.
2023-12-06 16:55:57 -08:00
Kenneth Jenkins
3b2bdd059a
authenticate: getUserInfoData() cleanup (#4818)
The Authenticate.getUserInfoData() method has an error return value, but
always returns nil for this value. Let's remove this return value from
the method signature.
2023-12-05 14:48:56 -08:00
Kenneth Jenkins
3c4b03f1d2
authenticate: remove extra UpdateUserInfo() call (#4813)
The buildIdentityProfile() method is called only from
Authenticate.getOAuthCallback(), which has previously called
Authenticator.Authenticate(). It looks like all implementations of the
Authenticator interface already call UpdateUserInfo(), so we shouldn't
need to call UpdateUserInfo() a second time from buildIdentityProfile().
This should simplify the code a little and provide a slight performance
improvement (by avoiding one network request).
2023-12-05 09:22:35 -08:00
Caleb Doxsey
a0c92896ef
core/authenticate: refactor idp sign out (#4582)
2023-09-28 08:41:19 -07:00
Caleb Doxsey
e5a7b994b6
core/authenticate: validate the identity profile (#4545)
2023-09-15 14:16:28 -06:00
guangwu
4674b98cfb
chore: unnecessary use of fmt.Sprintf (#4349)
Remove fmt.Sprintf() calls where the format string contains no formatting verbs.
2023-07-12 09:44:29 -07:00
Kenneth Jenkins
2f4005cc09
authenticate: remove extraneous error log (#4319)
Currently the Authenticate.storeIdentityProfile() method always emits an
Error log. If there is no error from cookieChunker.SetCookie(), this
results in an empty log entry:
{"level":"error","time":"2023-06-27T23:56:38Z"}
Refactor this method to instead return the error from SetCookie(), and
update the calling code so that it logs a message only when this error
is non-nil.
(Moving the log call to the calling method gives access to the request
context, so the log entry will include the request ID and other related
info.)
2023-06-28 11:02:06 -07:00
Denis Mishin
2db2d66eba
authenticate: add aws cognito (#4137)
2023-05-16 12:28:12 -04:00
Caleb Doxsey
be0104b842
config: add cookie_same_site option (#4148)
2023-05-03 14:36:42 -06:00
Caleb Doxsey
facf9ab093
hpke: compress query string (#4147)
* hpke: compress query string
* only use v2 in authenticate if v2 was used for the initial request
* fix comment
2023-05-02 14:12:34 -06:00
Denis Mishin
0ab2057714
authenticate: add events (#4051)
2023-05-01 15:11:30 -04:00
Caleb Doxsey
bbed421cd8
config: remove source, remove deadcode, fix linting issues (#4118)
* remove source, remove deadcode, fix linting issues
* use github action for lint
* fix missing envoy
2023-04-21 17:25:11 -06:00
Denis Mishin
860a881fe0
authenticate: have an option to trim the contents of the callback (#4090)
2023-03-31 11:48:31 -04:00
Denis Mishin
6e39ebc189
store authenticate state on creation (#4064)
2023-03-17 18:25:29 -04:00
Caleb Doxsey
2b8d51def5
urlutil: add version to query string (#4028)
2023-02-28 14:01:13 -07:00
Caleb Doxsey
00c047b114
authenticate: fix identity provider id in encrypted query string (#4006)
Co-authored-by: Denis Mishin <dmishin@pomerium.com>
2023-02-23 08:30:50 -07:00
Caleb Doxsey
be13027fe0
authenticate: don't require a session for sign_out (#4007)
authenticate: don't require a session for sign_out
2023-02-22 21:42:10 -07:00
Caleb Doxsey
b62efeb16c
authenticate: only use csrf none for apple (#3979)
2023-02-16 08:52:39 -07:00
Caleb Doxsey
3f2a3d6f23
authenticate: save the session cookie with a different name (#3978)
2023-02-16 08:52:18 -07:00
Mike Nestor
1d4474f7c5
Appleid (#3959)
* appleid oauth works but probably not implemented the best
chore(deps): bump golang from 1.19.5-buster to 1.20.0-buster (#3949)
Bumps golang from 1.19.5-buster to 1.20.0-buster.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Denis Mishin <dmishin@pomerium.com>
implemented correct expiration, refresh and revoke
chore(deps): bump golang from 1.19.5-buster to 1.20.0-buster (#3949)
Bumps golang from 1.19.5-buster to 1.20.0-buster.
---
updated-dependencies:
- dependency-name: golang
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Denis Mishin <dmishin@pomerium.com>
fixed lint issues and maybe ignored G101
* Update internal/identity/oauth/apple/apple.go
Co-authored-by: Caleb Doxsey <caleb@doxsey.net>
* Update internal/identity/oauth/apple/apple.go
Co-authored-by: Caleb Doxsey <caleb@doxsey.net>
* Update internal/identity/oauth/apple/apple.go
Co-authored-by: Caleb Doxsey <caleb@doxsey.net>
* Update internal/identity/oauth/apple/apple.go
Co-authored-by: Caleb Doxsey <caleb@doxsey.net>
* Update internal/identity/oauth/apple/apple.go
Co-authored-by: Caleb Doxsey <caleb@doxsey.net>
* Update internal/identity/oauth/apple/apple.go
Co-authored-by: Caleb Doxsey <caleb@doxsey.net>
---------
Co-authored-by: Caleb Doxsey <caleb@doxsey.net>
2023-02-13 18:01:00 -07:00
Caleb Doxsey
54676afce2
authenticate: always trust the passed in idp (#3917)
2023-01-30 18:59:07 -07:00
Caleb Doxsey
bfcd15435f
authenticate: add additional error details for hmac errors (#3878)
2023-01-11 07:53:11 -07:00
Caleb Doxsey
3e892a8533
options: support multiple signing keys (#3828)
* options: support multiple signing keys
* fix controlplane method, errors
2022-12-22 09:31:09 -07:00
Caleb Doxsey
539fd51579
authenticate: remove databroker dependency (#3820)
2022-12-17 09:03:46 -07:00
Caleb Doxsey
c86ca6f76f
webauthn: require session when accessing /.pomerium/webauthn (#3814)
* webauthn: require session when accessing /.pomerium/webauthn
* remove dead code
* remove unused PomeriumDomains field
2022-12-16 10:59:21 -07:00
Caleb Doxsey
57217af7dd
authenticate: implement hpke-based login flow (#3779)
* urlutil: add time validation functions
* authenticate: implement hpke-based login flow
* fix import cycle
* fix tests
* log error
* fix callback url
* add idp param
* fix test
* fix test
2022-12-05 15:31:07 -07:00
Caleb Doxsey
fa26587f19
remove forward auth (#3628)
2022-11-23 15:59:28 -07:00
Caleb Doxsey
c1a522cd82
proxy: add userinfo and webauthn endpoints (#3755)
* proxy: add userinfo and webauthn endpoints
* use TLD for RP id
* use EffectiveTLDPlusOne
* upgrade webauthn
* fix test
* Update internal/handlers/jwks.go
Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
2022-11-22 10:26:35 -07:00
Caleb Doxsey
9413123c0f
config: generate cookie secret if not set in all-in-one mode (#3742)
* config: generate cookie secret if not set in all-in-one mode
* fix tests
* config: add warning about cookie_secret
* breakup lines
2022-11-11 14:14:30 -07:00
Caleb Doxsey
2b319822a4
authenticate: update user info dashboard to show group info for enterprise (#3736)
* authenticate: update user info dashboard to show group info for enterprise
* Update ui/src/components/GroupDetails.tsx
Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
2022-11-09 07:44:35 -07:00
Caleb Doxsey
c178819875
move directory providers (#3633)
* remove directory providers and support for groups
* idp: remove directory providers
* better error messages
* fix errors
* restore postgres
* fix test
2022-11-03 11:33:56 -06:00
Caleb Doxsey
3f9dfbef76
device: add generic methods for working with user+session devices (#3710)
2022-10-28 08:41:12 -06:00
Caleb Doxsey
30bdae3d9e
sessions: check idp id to detect provider changes to force session invalidation (#3707)
* sessions: check idp id to detect provider changes to force session invalidation
* remove dead code
* fix test
2022-10-25 16:20:32 -06:00
Caleb Doxsey
b68dc1ff4f
controlplane: move jwks.json endpoint to control plane (#3691)
2022-10-25 08:01:33 -06:00
Caleb Doxsey
63b210e51d
httputil: remove error details (#3703)
2022-10-25 08:00:21 -06:00
Caleb Doxsey
75634dfca2
authenticate: remove ecjson (#3688)
2022-10-20 10:37:21 -06:00
Caleb Doxsey
bdd6145e91
authenticate: get/set identity provider id for all sessions (#3597)
2022-09-07 10:06:59 -06:00
Alex
fc21579e4b
Fix typos (#3575)
typos
2022-08-30 15:51:40 -07:00
Caleb Doxsey
5f51510e91
authenticate: add CORS headers to jwks endpoint (#3574)
2022-08-25 16:09:11 -06:00
Caleb Doxsey
e9e52d8225
authenticate: fix branding for webauthn device registration page (#3572)
2022-08-24 15:51:34 -06:00
Caleb Doxsey
46703b9419
config: add branding settings (#3558)
2022-08-16 14:51:47 -06:00
Caleb Doxsey
6140ee1d88
controlplane: add well-known endpoint to the controlplane http handler (#3555)
* controlplane: add well-known endpoint to the controlplane http handler
* add support for trailing /
* remove redundant test
2022-08-16 09:59:39 -06:00
Caleb Doxsey
0ac7e45a21
atomicutil: use atomicutil.Value wherever possible (#3517)
* atomicutil: use atomicutil.Value wherever possible
* fix test
* fix mux router
2022-07-28 15:38:38 -06:00
Caleb Doxsey
86625a4ddb
config: support files for shared_secret, client_secret, cookie_secret and signing_key (#3453)
2022-06-29 10:44:08 -06:00
Caleb Doxsey
a938a23ea2
device enrollment: fix ip address (#3430)
2022-06-16 11:30:38 -06:00
Caleb Doxsey
464ccdf767
authenticate: fix internal service URL dashboard redirect (#3305)
2022-04-29 08:09:28 -06:00
Caleb Doxsey
9dbe12fe99
authenticate: save session for bare webauthn redirects, consider external service URL to be a pomerium url (#3280)
2022-04-19 16:03:11 -06:00
Caleb Doxsey
61ffeb837d
authenticate: fix internal service URL CORS check (#3279)
2022-04-19 10:09:47 -06:00
Caleb Doxsey
36f73fa6c7
authorize: track session and service account access date (#3220)
* session: add accessed at date
* authorize: track session and service account access times
* Revert "databroker: add support for field masks on Put (#3210)"
This reverts commit 2dc778035d.
* add test
* fix data race in test
* add deadline for update
* track dropped accesses
2022-03-31 09:19:04 -06:00
Caleb Doxsey
69ba511c64
authenticate: fix internal url with webauthn (#3194)
2022-03-28 06:36:48 -06:00