Kenneth Jenkins
fd84075af1
config: remove set_authorization_header option ( #4489 )
Remove the deprecated set_authorization_header option entirely. Add an
entry to the removedConfigFields map with a link to the relevant
Upgrading page section.
2023-08-29 09:02:08 -07:00
Kenneth Jenkins
e8b489eb87
authorize: rework token substitution in headers ( #4456 )
Currently Pomerium replaces dynamic set_request_headers tokens
sequentially. As a result, if a replacement value itself contained a
supported "$pomerium" token, Pomerium may treat that as another
replacement, resulting in incorrect output.
This is unlikely to be a problem given the current set of dynamic
tokens, but if we continue to add additional tokens, this will likely
become more of a concern.
To forestall any issues, let's perform all replacements in one pass,
using the os.Expand() method. This does require a slight change to the
syntax, as tokens containing a '.' will need to be wrapped in curly
braces, e.g. ${pomerium.id_token}.
A literal dollar sign can be included by using $$ in the input.
2023-08-14 15:28:10 -07:00
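The single-pass substitution described in the commit above, as an added Go example that is not Pomerium's own code: it contrasts a sequential ReplaceAll loop with os.Expand, shows why a token containing '.' needs braces, and how `$$` yields a literal dollar sign. The token values are constructed placeholders, and treating unknown names as empty is an assumption of this example, not documented Pomerium behaviour.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Token names mirror those in the commit messages; the values are constructed
// placeholders for this example, not real credentials.
var sampleTokens = map[string]string{
	"pomerium.id_token":                "id-token-placeholder",
	"pomerium.access_token":            "access-token-placeholder",
	"pomerium.client_cert_fingerprint": "ab12cd34",
}

// tokenOrder is only needed by the sequential variant, whose result depends on
// the order in which tokens are replaced.
var tokenOrder = []string{"pomerium.id_token", "pomerium.access_token", "pomerium.client_cert_fingerprint"}

// expandSequentially is the older style: one ReplaceAll per token. Text that an
// earlier replacement introduced is scanned again by every later pass.
func expandSequentially(template string, tokens map[string]string) string {
	out := template
	for _, name := range tokenOrder {
		out = strings.ReplaceAll(out, "$"+name, tokens[name])
	}
	return out
}

// expandOnce is the single-pass form using os.Expand. Each "$name" or "${name}"
// is resolved exactly once and substituted text is never re-scanned. os.Expand
// hands the mapping the name "$" for the escape "$$"; unknown names expand to ""
// here (an assumption of this example).
func expandOnce(template string, tokens map[string]string) string {
	return os.Expand(template, func(name string) string {
		if name == "$" {
			return "$" // "$$" -> literal dollar sign
		}
		return tokens[name]
	})
}

func main() {
	ref := map[string]string{ // a value that itself looks like a token
		"pomerium.id_token":     "$pomerium.access_token",
		"pomerium.access_token": "should-not-leak",
	}
	fmt.Println(expandSequentially("$pomerium.id_token", ref)) // should-not-leak: second pass expanded the value
	fmt.Println(expandOnce("${pomerium.id_token}", ref))       // $pomerium.access_token: copied literally
	fmt.Println(expandOnce("$pomerium.access_token", sampleTokens)) // .access_token: '.' ends the bare name
	fmt.Println(expandOnce("$$5 for ${pomerium.client_cert_fingerprint}", sampleTokens)) // $5 for ab12cd34
}
```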
Kenneth Jenkins
f7e0b61c03
authorize: client cert fingerprint in set_request_headers ( #4447 )
Add support for a new token $pomerium.client_cert_fingerprint in the
set_request_headers option. This token will be replaced with the SHA-256
hash of the presented leaf client certificate.
2023-08-09 08:34:51 -07:00
Kenneth Jenkins
74e648630f
authorize: remove JWT timestamp format workaround ( #4321 )
Update OPA to v0.54.0, which changes the JSON serialization behavior for
large integers. Remove the formatting workaround and the unit test that
verified that the workaround was still needed.
2023-06-30 11:54:46 -07:00
Kenneth Jenkins
e7703a1891
add JWT timestamp formatting workaround ( #4270 )
Rego will sometimes serialize integers to JSON with a decimal point and
exponent. I don't completely understand this behavior.
Add a workaround to headers.rego to convert the JWT "iat" and "exp"
timestamps to a string and back to an integer. This appears to cause
Rego to serialize these values as plain integers.
Add a unit test to verify this behavior. Also add a unit test that will
fail if the Rego behavior changes, making this workaround unnecessary.
2023-06-16 10:36:00 -07:00
Caleb Doxsey
5be322e2ef
config: add support for $pomerium.id_token and $pomerium.access_token in set_request_headers ( #4219 )
* config: add support for $pomerium.id_token and $pomerium.access_token in set_request_headers
* lint
* Update authorize/evaluator/headers_evaluator_test.go
Co-authored-by: Denis Mishin <dmishin@pomerium.com>
* fix spelling
---------
Co-authored-by: Denis Mishin <dmishin@pomerium.com>
2023-06-01 16:00:02 -06:00
Caleb Doxsey
1dee325b72
authorize: move sign out and jwks urls to route, update issuer for JWT ( #4046 )
* authorize: move sign out and jwks urls to route, update issuer for JWT
* fix test
2023-03-08 12:40:15 -07:00
Caleb Doxsey
c178819875
move directory providers ( #3633 )
* remove directory providers and support for groups
* idp: remove directory providers
* better error messages
* fix errors
* restore postgres
* fix test
2022-11-03 11:33:56 -06:00
dependabot[bot]
ec495bb682
chore(deps): bump github.com/golangci/golangci-lint from 1.48.0 to 1.50.0 ( #3667 )
* chore(deps): bump github.com/golangci/golangci-lint
Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.48.0 to 1.50.0.
- [Release notes](https://github.com/golangci/golangci-lint/releases)
- [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md)
- [Commits](https://github.com/golangci/golangci-lint/compare/v1.48.0...v1.50.0)
---
updated-dependencies:
- dependency-name: github.com/golangci/golangci-lint
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* lint
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
2022-10-19 09:36:59 -06:00
Caleb Doxsey
d299b42509
authorize: add name claim ( #3238 )
2022-04-05 12:08:00 -06:00
Caleb Doxsey
99b9a3ee12
authorize: add support for passing access or id token upstream ( #3047 )
* authorize: add support for passing access or id token upstream
* use an enum
2022-02-17 09:28:31 -07:00
Caleb Doxsey
c97dcf7e0f
envoy: add hash policy and routing key for hash-based load balancers ( #2791 )
* envoy: add hash policy and routing key for hash-based load balancers
* fix integration test
* fix nginx
2021-12-01 13:42:12 -07:00
Caleb Doxsey
0786c7fc45
authorize: use session.user_id in headers ( #2571 )
2021-09-03 14:51:09 -06:00
Caleb Doxsey
ef55829cb0
authorize: fix X-Pomerium-Claim-Groups ( #2539 )
2021-08-26 20:29:57 -06:00
Caleb Doxsey
a64e5b5fa1
authorize: add sid to JWT claims ( #2420 )
* authorize: add sid to JWT claims
* fix import ordering
2021-08-02 16:11:05 -06:00
Caleb Doxsey
1a95036b8c
sessions: add impersonate_session_id, remove legacy impersonation ( #2407 )
* sessions: add impersonate_session_id, remove legacy impersonation
* show impersonated user details
* fix headers
* address feedback
* only check impersonate id on non-nil pbSession
* Revert "only check impersonate id on non-nil pbSession"
This reverts commit a6f7ca5abd.
2021-07-30 08:42:36 -06:00
Caleb Doxsey
2156dbc553
envoy: always set jwt claim headers even if no value is available ( #2261 )
* envoy: always set jwt claim headers even if no value is available
* add test
2021-06-04 10:01:00 -07:00
wasaga
40ddc2c4b3
jwt: round timestamp ( #2258 )
2021-06-01 14:12:45 -07:00
Caleb Doxsey
dad35bcfb0
ppl: refactor authorize to evaluate PPL ( #2224 )
* ppl: refactor authorize to evaluate PPL
* remove opa test step
* add log statement
* simplify assignment
* deny with forbidden if logged in
* add safeEval function
* create evaluator-specific config and options
* embed the headers rego file directly
2021-05-21 09:50:18 -06:00
Caleb Doxsey
762b565239
authorize: fix empty sub policy arrays ( #2119 )
2021-04-23 11:00:30 -06:00
Caleb Doxsey
3906b70bc5
authorize: support arbitrary jwt claims ( #2102 )
* authorize: support arbitrary jwt claims
* remove dead code
2021-04-19 14:55:08 -06:00
Caleb Doxsey
d7ab817de7
authorize: add databroker server and record version to result, force sync via polling ( #2024 )
* authorize: add databroker server and record version to result, force sync via polling
* wrap inmem store to take read lock when grabbing databroker versions
* address code review comments
* reset max to 0
2021-03-31 10:09:06 -06:00
Caleb Doxsey
4218f49741
authorize: bypass data in rego for databroker data ( #2041 )
2021-03-30 14:14:32 -06:00
Nándor István Krácser
45fb938317
oidc: use groups claim from ID token if present ( #1970 )
Signed-off-by: Nandor Kracser <bonifaido@gmail.com>
2021-03-22 11:46:01 -06:00
Caleb Doxsey
ae7626df3e
authorize: set JWT to expire after 5 minutes ( #1980 )
* authorize: set JWT to expire after 5 minutes
* use lesser of 5 minutes or id token expiration
* add test for expires at
2021-03-15 07:38:32 -06:00
Caleb Doxsey
b6ec01f377
assets: use embed instead of statik ( #1960 )
* assets: use embed instead of statik
* remove empty line
* maybe fix precommit
2021-03-03 18:56:55 -07:00
Caleb Doxsey
1a1cc30c67
config: support map of jwt claim headers ( #1906 )
* config: support map of jwt claim headers
* fix array handling, add test
* update docs
* use separate hook, add tests
2021-02-17 13:43:18 -07:00
Caleb Doxsey
7d236ca1af
authorize: move headers and jwt signing to rego ( #1856 )
* wip
* wip
* wip
* remove SignedJWT field
* set google_cloud_serverless_authentication_service_account
* update jwt claim headers
* add mock get_google_cloud_serverless_headers for opa test
* swap issuer and audience
* add comment
* change default port in authz
2021-02-08 10:53:21 -07:00
Caleb Doxsey
25b697a13d
authorize: allow access by user id ( #1850 )
2021-02-03 07:15:44 -07:00
Caleb Doxsey
7a5c4fd0f6
authorize: handle null ( #1853 )
2021-02-02 17:29:21 -08:00
Caleb Doxsey
74ac23c980
authorize: remove DataBrokerData input ( #1847 )
* authorize: remove DataBrokerData
* add opa test
* domain, group tests
* more tests
* remove databroker data input
* update authz tests
* update dead code
* fix method name
* handle / in keys
2021-02-02 14:27:35 -07:00
Caleb Doxsey
655951cfa1
opa: format rego files ( #1845 )
* opa: format rego files
* statik
2021-02-01 15:43:08 -07:00
Caleb Doxsey
b7f0242090
authorize: remove admin ( #1833 )
* authorize: remove admin
* regen rego
* add note to upgrading
2021-02-01 15:22:02 -07:00
bobby
6466efddd5
authenticate: update user info screens ( #1774 )
- rename "dashboard" to userinfo to avoid confusion
- don't leak version from error page.
- fix typo in state.go
- make statik deterministic on modtime
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2021-01-13 13:15:31 -08:00
Caleb Doxsey
ab4a68f56f
remove user impersonation and service account cli ( #1768 )
* remove user impersonation and service account cli
* update doc
* remove user impersonation url query params
* fix flaky test
2021-01-12 09:28:29 -07:00
Caleb Doxsey
a6bc9f492f
authorize: move impersonation into session/service account ( #1765 )
* move impersonation into session/service account
* replace frontend statik
* fix data race
* move JWT filling to separate function, break up functions
* maybe fix data race
* fix code climate issue
2021-01-11 15:40:08 -07:00
Caleb Doxsey
4eec2ed1d5
evaluator: use impersonate groups if impersonate email is set ( #1701 )
2020-12-21 08:47:12 -08:00
Caleb Doxsey
ad828c6e84
add support for TCP routes ( #1695 )
2020-12-16 13:09:48 -07:00
Caleb Doxsey
2d5690dde6
remove deprecated cache_service_url config option ( #1614 )
* remove deprecated cache_service_url config option
* remove broken test
* update integration test config
* update nginx example
Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>
2020-11-23 14:57:29 -07:00
Philip Wassermann
85a5961e5e
authorize: add allow_any_authenticated_user policy ( #1515 )
2020-11-05 11:20:50 -07:00
Caleb Doxsey
10b5c5ca0e
fix querying claim data on the dashboard ( #1560 )
2020-10-29 10:49:02 -06:00
Caleb Doxsey
153e438eb6
authorize: implement allowed_idp_claims ( #1542 )
* add arbitrary claims to session
* add support for maps
* update flattened claims
* fix eol
* fix trailing whitespace
* fix tests
2020-10-23 14:05:37 -06:00
Caleb Doxsey
04c582121d
add flag to enable user impersonation ( #1514 )
* add flag to enable user impersonation
* fix typo
2020-10-14 08:17:59 -06:00
Caleb Doxsey
4fb90fabe8
config: support explicit prefix and regex path rewriting ( #1363 )
* config: support explicit prefix and regex path rewriting
* add rewrite tests
2020-09-02 13:48:19 -06:00
Caleb Doxsey
1ad243dfd1
directory.Group entry for groups ( #1118 )
* store directory groups separate from directory users
* fix group lookup, azure display name
* remove fields restriction
* fix test
* also support email
* use Email as name for google
* remove changed file
* show groups on dashboard
* fix test
* re-add accidentally removed code
2020-07-22 11:28:53 -06:00
Caleb Doxsey
504197d83b
custom rego in databroker ( #1124 )
* add support for sub policies
* add support for sub policies
* update authz rego policy to support sub policies
2020-07-22 10:44:05 -06:00
Cuong Manh Le
408f201d16
authorize/evaluator/opa/policy: fix allow rules with impersonate ( #1094 )
Currently, with an impersonated request, the real user's email/group still
has effect.
Example:
data.route_policies as [{
    "source": "example.com",
    "allowed_users": ["x@example.com"]
}] with
input.databroker_data as {
    "session": {
        "user_id": "user1"
    },
    "user": {
        "email": "x@example.com"
    }
} with
input.http as { "url": "http://example.com" } with
input.session as { "id": "session1", "impersonate_email": "y@example.com" }
Here user "x@example.com" is allowed, but was impersonated as
"y@example.com". As the rules indicate, the request must be denied,
because they only allow "x@example.com", not "y@example.com". The current
bug causes the request to still be allowed.
To fix it, when evaluating rules for allowed email/group/domain, we must check
that the impersonate email/groups are not set/empty.
Fixes #1091
2020-07-17 22:07:11 +07:00
Caleb Doxsey
a70254ab76
kubernetes apiserver integration ( #1063 )
* sessions: support bearer tokens in authorization
* wip
* remove dead code
* refactor signed jwt code
* use function
* update per comments
* fix test
2020-07-14 08:33:24 -06:00
Caleb Doxsey
091b71f12e
grpc: rename internal/grpc to pkg/grpc ( #1010 )
* grpc: rename internal/grpc to pkg/grpc
* don't ignore pkg dir
* remove debug line
2020-06-26 09:17:02 -06:00
Cuong Manh Le
963e1c015a
authorize/evaluator/opa: use route policy object instead of array index ( #1001 )
Make the code more readable, and slightly reduce memory alloc:
opa test -v --bench --count 5 --format gobench
Output:
name old alloc/op new alloc/op delta
DataPomeriumAuthzTestEmailAllowed 109kB ± 0% 108kB ± 0% -0.89% (p=0.008 n=5+5)
DataPomeriumAuthzTestExample 95.4kB ± 0% 93.4kB ± 0% -2.06% (p=0.008 n=5+5)
DataPomeriumAuthzTestEmailDenied 63.6kB ± 0% 61.6kB ± 0% -3.09% (p=0.008 n=5+5)
DataPomeriumAuthzTestPublicAllowed 103kB ± 0% 101kB ± 0% -1.86% (p=0.008 n=5+5)
DataPomeriumAuthzTestPublicDenied 100kB ± 0% 98kB ± 0% -1.64% (p=0.008 n=5+5)
DataPomeriumAuthzTestPomeriumAllowed 62.6kB ± 0% 60.7kB ± 0% -3.14% (p=0.008 n=5+5)
DataPomeriumAuthzTestPomeriumDenied 64.5kB ± 0% 62.5kB ± 0% -3.11% (p=0.008 n=5+5)
DataPomeriumAuthzTestCorsPreflightAllowed 66.7kB ± 0% 64.5kB ± 0% -3.33% (p=0.008 n=5+5)
DataPomeriumAuthzTestCorsPreflightDenied 65.8kB ± 0% 63.3kB ± 0% -3.92% (p=0.008 n=5+5)
DataPomeriumAuthzTestParseUrl 13.8kB ± 0% 13.8kB ± 0% ~ (p=0.167 n=5+5)
DataPomeriumAuthzTestAllowedRouteSource 243kB ± 0% 243kB ± 0% ~ (p=1.000 n=5+5)
DataPomeriumAuthzTestAllowedRoutePrefix 80.9kB ± 0% 80.9kB ± 0% ~ (p=0.690 n=5+5)
DataPomeriumAuthzTestAllowedRoutePath 108kB ± 0% 108kB ± 0% ~ (p=0.452 n=5+5)
DataPomeriumAuthzTestAllowedRouteRegex 90.0kB ± 0% 89.9kB ± 0% ~ (p=0.095 n=5+5)
name old allocs/op new allocs/op delta
DataPomeriumAuthzTestEmailAllowed 1.76k ± 0% 1.74k ± 0% -1.24% (p=0.008 n=5+5)
DataPomeriumAuthzTestExample 1.54k ± 0% 1.51k ± 0% -2.18% (p=0.008 n=5+5)
DataPomeriumAuthzTestEmailDenied 1.05k ± 1% 1.01k ± 1% -3.21% (p=0.008 n=5+5)
DataPomeriumAuthzTestPublicAllowed 1.65k ± 0% 1.63k ± 0% -1.20% (p=0.008 n=5+5)
DataPomeriumAuthzTestPublicDenied 1.61k ± 0% 1.58k ± 0% -1.42% (p=0.008 n=5+5)
DataPomeriumAuthzTestPomeriumAllowed 1.04k ± 1% 1.00k ± 1% -3.27% (p=0.008 n=5+5)
DataPomeriumAuthzTestPomeriumDenied 1.06k ± 1% 1.03k ± 1% -3.19% (p=0.008 n=5+5)
DataPomeriumAuthzTestCorsPreflightAllowed 1.14k ± 1% 1.09k ± 0% -3.96% (p=0.008 n=5+5)
DataPomeriumAuthzTestCorsPreflightDenied 1.09k ± 1% 1.05k ± 0% -4.04% (p=0.008 n=5+5)
DataPomeriumAuthzTestParseUrl 222 ± 0% 222 ± 0% ~ (all equal)
DataPomeriumAuthzTestAllowedRouteSource 3.66k ± 0% 3.66k ± 0% ~ (all equal)
DataPomeriumAuthzTestAllowedRoutePrefix 1.23k ± 0% 1.23k ± 0% ~ (all equal)
DataPomeriumAuthzTestAllowedRoutePath 1.62k ± 0% 1.62k ± 0% ~ (all equal)
DataPomeriumAuthzTestAllowedRouteRegex 1.36k ± 0% 1.36k ± 0% ~ (all equal)
2020-06-25 21:28:54 +07:00