3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-04-30 19:06:33 +02:00
Code Issues Projects Releases Packages Wiki Activity
3224 commits 157 branches 125 tags 103 MiB
Commit graph

178 commits

Author SHA1 Message Date
Caleb Doxsey
a07d85b174
Revert "set recommended defaults (#1734)" (#1735) 
This reverts commit cd2a86afc4.
 2021-01-05 10:01:42 -07:00
Caleb Doxsey
cd2a86afc4
set recommended defaults (#1734) 
* set recommended defaults

* add comment
 2021-01-04 16:29:51 -07:00
bobby
f837c92741
dev: update linter (#1728) 
- gofumpt everything
- fix TLS MinVersion to be at least 1.2
- add octal syntax
- remove newlines
- fix potential decompression bomb in ecjson
- remove implicit memory aliasing in for loops.

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-12-30 09:02:57 -08:00
Travis Groth
661005c497
internal/controlplane: 0s default timeout for tcp routes (#1716) 2020-12-23 11:09:07 -05:00
Caleb Doxsey
ad828c6e84
add support for TCP routes (#1695) 2020-12-16 13:09:48 -07:00
Caleb Doxsey
8ada0c51dd
attach version to gRPC server metadata (#1598) 
* attach version to gRPC server metadata

* fix linting
 2020-11-17 07:18:48 -07:00
Caleb Doxsey
153e438eb6
authorize: implement allowed_idp_claims (#1542) 
* add arbitrary claims to session

* add support for maps

* update flattened claims

* fix eol

* fix trailing whitespace

* fix tests
 2020-10-23 14:05:37 -06:00
Caleb Doxsey
4ed3d84632
debug: add pprof endpoints (#1504) 2020-10-09 12:40:33 -06:00
Caleb Doxsey
27d0cf180a
authenticate: protect /.pomerium/admin endpoint (#1500) 
* authenticate: protect /.pomerium/admin endpoint

* add integration test
 2020-10-08 15:44:12 -06:00
bobby
9b39deabd8
forward-auth: use envoy's ext_authz check (#1482) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-10-04 20:01:06 -07:00
Caleb Doxsey
6e385f800a
config: add support for host header rewriting (#1457) 
* config: add support for host header rewriting

* fix lint
 2020-09-25 09:36:39 -06:00
Caleb Doxsey
54d37e62e8
config: add dns_lookup_family option to customize DNS IP resolution (#1436) 2020-09-21 15:32:37 -06:00
bobby
bf937f362b
controplane: remove p-521 EC (#1420) 
* controplane: remove p-521 EC

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-09-18 08:18:21 -07:00
bobby
79a01bcfbb
controlplane: support P-384 / P-512 EC curves (#1409) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-09-16 17:35:00 -07:00
Caleb Doxsey
a19e45334b
proxy: remove impersonate headers for kubernetes (#1394) 
* proxy: remove impersonate headers for kubernetes

* master on frontend/statik
 2020-09-09 15:24:39 -06:00
Caleb Doxsey
1fcd86120b
proxy: for filter matches only include bare domain name (#1389) 2020-09-09 08:56:15 -06:00
bobby
43d37ace94
proxy/controlplane: make health checks debug level (#1368) 
- proxy: remove version from ping handler

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-09-04 07:31:12 -07:00
Caleb Doxsey
4fb90fabe8
config: support explicit prefix and regex path rewriting (#1363) 
* config: support explicity prefix and regex path rewriting

* add rewrite tests
 2020-09-02 13:48:19 -06:00
Caleb Doxsey
a269441c34
proxy: disable control-plane robots.txt for public unauthenticated routes (#1361) 2020-09-02 07:56:15 -06:00
Caleb Doxsey
f6b622c7dc
proxy: support websocket timeouts (#1362) 2020-09-02 07:55:57 -06:00
Travis Groth
2e714c211e
internal/controlplane: add telemetry http handler (#1353) 2020-09-01 09:22:24 -04:00
Cuong Manh Le
4b3e07c5f5 internal/controlplane: mocking policy name in test 
We don't have to test for exact policy name, as it does not make sense
and force us to change test every new go release.
 2020-08-12 22:20:50 +07:00
Travis Groth
7a53e6bb42
proxy: add support for spdy upgrades (#1203) 2020-08-04 13:26:14 -04:00
Cuong Manh Le
f7ebf54305
authorize: strip port from host header if necessary (#1175) 
After #1153, envoy can handle routes for `example.com` and `example.com:443`.
Authorize service should be updated to handle this case, too.

Fixes #959
 2020-07-31 21:41:58 +07:00
Caleb Doxsey
a5e8abd6af
handle example.com and example.com:443 (#1153) 
* handle example.com and example.com:443

* fix domain comparisons
 2020-07-28 15:30:41 -06:00
Travis Groth
90d95b8c10
Set ExtAuthz Cluster name to URL Host (#1132) 2020-07-23 14:10:16 -04:00
Cuong Manh Le
489cdd8b63
internal/controlplane: using envoy strip host port matching (#1126) 
* internal/controlplane: using envoy strip host port matching

With envoy 1.15.0 release, strip host port matching setting allows
incoming request with Host "example:443" will match again route with
domains match set to "example".

Not that this is not standard HTTP behavior, but it's more convenient
for users.

Fixes #959

* docs/docs: add note about enable envoy strip host port matching
 2020-07-22 23:51:57 +07:00
Cuong Manh Le
408f201d16
authorize/evaluator/opa/policy: fix allow rules with impersonate (#1094) 
Currently, with impersonated request, the real user email/group still
has effects.

Example:

	data.route_policies as [{
	    "source": "example.com",
	    "allowed_users": ["x@example.com"]
	}] with
	input.databroker_data as {
	    "session": {
	        "user_id": "user1"
	    },
	    "user": {
	        "email": "x@example.com"
	    }
	} with
	input.http as { "url": "http://example.com" } with
	input.session as { "id": "session1", "impersonate_email": "y@example.com" }

Here user "x@example.com" is allowed, but was impersonated as
"y@example.com". As the rules indicated, the request must be denied,
because it only allows "x@example.com", not "y@example.com". The current
bug causes the request is still allowed.

To fix it, when evaluates rules for allowed email/group/domain, we must checking
that the impersonate email/groups is not set/empty.

Fixes #1091
 2020-07-17 22:07:11 +07:00
Caleb Doxsey
d3a7ee38be
options refactor (#1088) 
* refactor config loading

* wip

* move autocert to its own config source

* refactor options updaters

* fix stuttering

* fix autocert validate check
 2020-07-16 14:30:15 -06:00
Caleb Doxsey
96424dac0f
implement google cloud serverless authentication (#1080) 
* add google cloud serverless support

* force ipv4 for google cloud serverless

* disable long line linting

* fix destination hostname

* add test

* add support for service accounts

* fix utc time in test
 2020-07-16 08:25:14 -06:00
Cuong Manh Le
d764981618
internal/controlplane: set envoy prefix rewrite if present (#1034) 
While at it, also refactoring buildPolicyRoutes.

Fixes #1033
Fixes #880
 2020-07-03 09:35:36 +07:00
Caleb Doxsey
fae02791f5
cryptutil: move to pkg dir, add token generator (#1029) 
* cryptutil: move to pkg dir, add token generator

* add gitignored files

* add tests
 2020-06-30 15:55:33 -06:00
Cuong Manh Le
f938554968
internal/controlplane: enable envoy use remote address (#1023) 
Fixes #1013
 2020-06-29 23:06:34 +07:00
Travis Groth
917d8ec61b
envoy: disable idle timeouts to controlplane (#1000) 
* envoy: disable idle timeouts to controlplane to support streaming requests

* envoy: add request timeout for attack mitigation
 2020-06-25 13:14:24 -04:00
bobby
f94f45d9a2
controlplane: add robots route (#966) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-06-22 11:48:59 -07:00
Cuong Manh Le
8d0deb0732
config: add PassIdentityHeaders option (#903) 
Currently, user's identity headers are always inserted to downstream
request. For privacy reason, it would be better to not insert these
headers by default, and let user chose whether to include these headers
per=policy basis.

Fixes #702
 2020-06-22 10:29:44 +07:00
Caleb Doxsey
dbd7f55b20
feature/databroker: user data and session refactor project (#926) 
* databroker: add databroker, identity manager, update cache (#864)

* databroker: add databroker, identity manager, update cache

* fix cache tests

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* authorize: use databroker data for rego policy (#904)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix gitlab test

* use v4 backoff

* authenticate: databroker changes (#914)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix dashboard

* delete session on logout

* permanently delete sessions once they are marked as deleted

* remove permanent delete

* fix tests

* remove groups and refresh test

* databroker: remove dead code, rename cache url, move dashboard (#925)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix dashboard

* delete session on logout

* permanently delete sessions once they are marked as deleted

* remove permanent delete

* fix tests

* remove cache service

* remove kv

* remove refresh docs

* remove obsolete cache docs

* add databroker url option

* cache: use memberlist to detect multiple instances

* add databroker service url

* remove cache service

* remove kv

* remove refresh docs

* remove obsolete cache docs

* add databroker url option

* cache: use memberlist to detect multiple instances

* add databroker service url

* wip

* remove groups and refresh test

* fix redirect, signout

* remove databroker client from proxy

* remove unused method

* remove user dashboard test

* handle missing session ids

* session: reject sessions with no id

* sessions: invalidate old sessions via databroker server version (#930)

* session: add a version field tied to the databroker server version that can be used to invalidate sessions

* fix tests

* add log

* authenticate: create user record immediately, call "get" directly in authorize (#931)
 2020-06-19 07:52:44 -06:00
Cuong Manh Le
f62bb686d8
internal/controlplane: make sure options.Headers are set for response (#907) 
When switching to envoy, we forgot to adopt the middleware to set
response headers with options.Headers, which causes HSTS header is
missing in v0.9.0 release.

Fixes #901
 2020-06-17 00:56:01 +07:00
Travis Groth
ee2170f5f5
config: add a consistent route ID (#905) 2020-06-16 09:20:18 -04:00
Bobby DeSimone
200bc7e836
controlplane: use previous preferred cipher suite (#889) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-06-14 17:53:18 -07:00
Bobby DeSimone
79d793d122
controlplane: fix missing full cert chain (#888) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-06-14 17:53:02 -07:00
Bobby DeSimone
b00acad517
internal/controlplane: set minimum tls version (#854) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-06-10 09:08:05 -07:00
Caleb Doxsey
fe2369400c
proxy: only set validation context if trusted_ca is used (#863) 
* proxy: only set validation context if trusted_ca is used

* fix test
 2020-06-09 13:45:03 -06:00
Cuong Manh Le
4d5edb0d64
Feature/remove request headers (#822) 
* config: add RemoveRequestHeaders

Currently, we have "set_request_headers" config, which reflects envoy
route.Route.RequestHeadersToAdd. This commit add new config
"remove_request_headers", which reflects envoy RequestHeadersToRemove.

This is also a preparation for future PRs to implement disable user
identity in request headers feature.

* integration: add test for remove_request_headers
* docs: add documentation/changelog for remove_request_headers
 2020-06-03 07:46:51 -07:00
Caleb Doxsey
b80a419699
xds: use ipv4 address when ipv6 is disabled (#823) 2020-06-02 13:05:44 -06:00
Caleb Doxsey
fca17d365a
xds: force ipv4 for localhost to workaround ipv6 issue in docker compose (#819) 2020-06-01 08:58:28 -06:00
Travis Groth
06e3f5def5
Fix missing/incorrect grpc labels (#804) 2020-05-29 15:57:58 -04:00
Caleb Doxsey
748ab836b6
cache: fix closing too early (#791) 
* cache: fix closing too early

* fix test
 2020-05-27 11:28:08 -06:00
Caleb Doxsey
f6114c288a
xds: add catch-all for pomerium routes (#789) 2020-05-27 09:12:04 -06:00
Caleb Doxsey
17952e3ac5
xds: disable cluster validation to handle out-of-order updates (#783) 2020-05-27 08:02:29 -06:00