3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-05-17 11:07:18 +02:00
Code Issues Projects Releases Packages Wiki Activity
3224 commits 160 branches 126 tags 104 MiB
Commit graph

3224 commits

This branch
This branch
All branches
Author SHA1 Message Date
Travis Groth
917d8ec61b
envoy: disable idle timeouts to controlplane (#1000) 
* envoy: disable idle timeouts to controlplane to support streaming requests

* envoy: add request timeout for attack mitigation
 2020-06-25 13:14:24 -04:00
Travis Groth
b3ee4f534e
cache: fix missing parameter (#1005) 
* cache: fix missing parameter

* cache: get number of members from NumMembers()
 2020-06-25 13:13:37 -04:00
bobby
dbd1eac97f
identity: support custom code flow request params (#998) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-06-25 08:28:46 -07:00
bobby
666420f4c9
config: add check to assert service account is required for policies with allowed_groups (#997) 
* depedency: bump opa v0.21.0

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* config: error if groups are used without service account

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-06-25 08:27:48 -07:00
Travis Groth
35af5c0b91
cache: join old memberlist cluster to warn about multiple servers (#1004) 2020-06-25 11:27:23 -04:00
Caleb Doxsey
05e3c23ea1
memberlist: use bufio reader instead of scanner (#1002) 2020-06-25 11:23:31 -04:00
Cuong Manh Le
963e1c015a
authorize/evaluator/opa: use route policy object instead of array index (#1001) 
Make the code more readable, and slightly reduce memory alloc:

	opa test -v --bench --count 5 --format gobench

Output:

name                                       old alloc/op                     new alloc/op                     delta
DataPomeriumAuthzTestEmailAllowed                               109kB ± 0%                       108kB ± 0%  -0.89%  (p=0.008 n=5+5)
DataPomeriumAuthzTestExample                                   95.4kB ± 0%                      93.4kB ± 0%  -2.06%  (p=0.008 n=5+5)
DataPomeriumAuthzTestEmailDenied                               63.6kB ± 0%                      61.6kB ± 0%  -3.09%  (p=0.008 n=5+5)
DataPomeriumAuthzTestPublicAllowed                              103kB ± 0%                       101kB ± 0%  -1.86%  (p=0.008 n=5+5)
DataPomeriumAuthzTestPublicDenied                               100kB ± 0%                        98kB ± 0%  -1.64%  (p=0.008 n=5+5)
DataPomeriumAuthzTestPomeriumAllowed                           62.6kB ± 0%                      60.7kB ± 0%  -3.14%  (p=0.008 n=5+5)
DataPomeriumAuthzTestPomeriumDenied                            64.5kB ± 0%                      62.5kB ± 0%  -3.11%  (p=0.008 n=5+5)
DataPomeriumAuthzTestCorsPreflightAllowed                      66.7kB ± 0%                      64.5kB ± 0%  -3.33%  (p=0.008 n=5+5)
DataPomeriumAuthzTestCorsPreflightDenied                       65.8kB ± 0%                      63.3kB ± 0%  -3.92%  (p=0.008 n=5+5)
DataPomeriumAuthzTestParseUrl                                  13.8kB ± 0%                      13.8kB ± 0%    ~     (p=0.167 n=5+5)
DataPomeriumAuthzTestAllowedRouteSource                         243kB ± 0%                       243kB ± 0%    ~     (p=1.000 n=5+5)
DataPomeriumAuthzTestAllowedRoutePrefix                        80.9kB ± 0%                      80.9kB ± 0%    ~     (p=0.690 n=5+5)
DataPomeriumAuthzTestAllowedRoutePath                           108kB ± 0%                       108kB ± 0%    ~     (p=0.452 n=5+5)
DataPomeriumAuthzTestAllowedRouteRegex                         90.0kB ± 0%                      89.9kB ± 0%    ~     (p=0.095 n=5+5)

name                                       old allocs/op                    new allocs/op                    delta
DataPomeriumAuthzTestEmailAllowed                               1.76k ± 0%                       1.74k ± 0%  -1.24%  (p=0.008 n=5+5)
DataPomeriumAuthzTestExample                                    1.54k ± 0%                       1.51k ± 0%  -2.18%  (p=0.008 n=5+5)
DataPomeriumAuthzTestEmailDenied                                1.05k ± 1%                       1.01k ± 1%  -3.21%  (p=0.008 n=5+5)
DataPomeriumAuthzTestPublicAllowed                              1.65k ± 0%                       1.63k ± 0%  -1.20%  (p=0.008 n=5+5)
DataPomeriumAuthzTestPublicDenied                               1.61k ± 0%                       1.58k ± 0%  -1.42%  (p=0.008 n=5+5)
DataPomeriumAuthzTestPomeriumAllowed                            1.04k ± 1%                       1.00k ± 1%  -3.27%  (p=0.008 n=5+5)
DataPomeriumAuthzTestPomeriumDenied                             1.06k ± 1%                       1.03k ± 1%  -3.19%  (p=0.008 n=5+5)
DataPomeriumAuthzTestCorsPreflightAllowed                       1.14k ± 1%                       1.09k ± 0%  -3.96%  (p=0.008 n=5+5)
DataPomeriumAuthzTestCorsPreflightDenied                        1.09k ± 1%                       1.05k ± 0%  -4.04%  (p=0.008 n=5+5)
DataPomeriumAuthzTestParseUrl                                     222 ± 0%                         222 ± 0%    ~     (all equal)
DataPomeriumAuthzTestAllowedRouteSource                         3.66k ± 0%                       3.66k ± 0%    ~     (all equal)
DataPomeriumAuthzTestAllowedRoutePrefix                         1.23k ± 0%                       1.23k ± 0%    ~     (all equal)
DataPomeriumAuthzTestAllowedRoutePath                           1.62k ± 0%                       1.62k ± 0%    ~     (all equal)
DataPomeriumAuthzTestAllowedRouteRegex                          1.36k ± 0%                       1.36k ± 0%    ~     (all equal)
 2020-06-25 21:28:54 +07:00
Bobby DeSimone
1d1311a240 config: error if groups are used without service account 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-06-24 16:01:08 -07:00
Caleb Doxsey
3ad8cbf4ec
authorize: avoid serializing databroker data map to improve performance (#995) 2020-06-24 14:00:08 -06:00
bobby
7110948296
depedency: bump opa v0.21.0 (#993) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-06-24 08:31:01 -07:00
Bobby DeSimone
e3d290bde5 depedency: bump opa v0.21.0 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-06-24 08:27:04 -07:00
Cuong Manh Le
505ff5cc5c
internal/sessions: handle claims "ver" field generally (#990) 
"ver" field is not specified by RFC 7519, so in practice, most providers
return it as string, but okta returns it as number, which cause okta
authenticate broken.

To fix it, we handle "ver" field more generally, to allow both string and
number in json payload.
 2020-06-24 22:06:17 +07:00
Cuong Manh Le
1e3c381e1e
internal/directory/okta: store directory information by user id (#991) 
Same as #988
 2020-06-24 21:56:51 +07:00
Cuong Manh Le
a042bb7b82
internal/directory/onelogin: store directory information by user id (#992) 
Same as #988
 2020-06-24 21:56:33 +07:00
Caleb Doxsey
2501463dc9
google: store directory information by user id (#988) 2020-06-23 14:41:16 -06:00
Caleb Doxsey
0d277cf662
azure: use OID for user id in session (#985) 2020-06-23 12:02:17 -06:00
Cuong Manh Le
17ba595ced
authenticate: support hot reloaded config (#984) 
By implementinng OptionsUpdater interface.

Fixes #982
 2020-06-24 00:18:20 +07:00
Travis Groth
eaa0c980d2
telemetry: add tracing spans to cache and databroker (#987) 2020-06-23 13:08:21 -04:00
Cuong Manh Le
4ca0189524
docs/docs/identity-providers: document gitlab default scopes changed (#980) 
Fixes #938
 2020-06-24 00:05:21 +07:00
Cuong Manh Le
fb4dfaea44
authenticate: hide impersonation form from non-admin users (#979) 
Fixes #881
 2020-06-23 22:09:33 +07:00
Renovate Bot
fa40ff1f77 chore(deps): update module hashicorp/memberlist to v0.2.2 2020-06-23 05:41:34 +00:00
Renovate Bot
90bd2baf80 chore(deps): update google.golang.org/genproto commit hash to fbb79ea 2020-06-23 03:54:40 +00:00
Renovate Bot
1ea3253660 chore(deps): update module go.opencensus.io to v0.22.4 2020-06-23 00:47:22 +00:00
Renovate Bot
6ccf3246aa chore(deps): update module cenkalti/backoff/v4 to v4.0.2 2020-06-22 23:14:22 +00:00
renovate[bot]
0c7faf4991
chore(deps): update module google.golang.org/api to v0.28.0 (#949) 
Co-authored-by: Renovate Bot <bot@renovateapp.com>
 2020-06-22 16:59:09 -06:00
renovate[bot]
b6287fcf8a
chore(deps): update module google/go-cmp to v0.5.0 (#950) 
Co-authored-by: Renovate Bot <bot@renovateapp.com>
 2020-06-22 16:58:35 -06:00
renovate[bot]
8ea4560fe6
chore(deps): update module prometheus/client_golang to v1.7.0 (#953) 
Co-authored-by: Renovate Bot <bot@renovateapp.com>
 2020-06-22 16:58:16 -06:00
Travis Groth
88a77c42bb
cache: add client telemetry (#975) 2020-06-22 18:18:44 -04:00
Caleb Doxsey
24b523c043
docs: update upgrading document for breaking changes (#974) 2020-06-22 15:26:42 -06:00
Caleb Doxsey
f33bf07334
docs: update service account instructions for OneLogin (#973) 2020-06-22 15:21:21 -06:00
Caleb Doxsey
ae97d280c5
docs: service account instructions for gitlab (#970) 2020-06-22 15:04:36 -06:00
Caleb Doxsey
09b8d2864f
directory: add service account struct and parsing method (#971) 2020-06-22 15:04:20 -06:00
Caleb Doxsey
451bdbeb0d
docs: update okta service account docs to match new format (#972) 2020-06-22 15:04:01 -06:00
Caleb Doxsey
cb08cb7a93
docs: service account instructions for azure (#969) 2020-06-22 14:15:49 -06:00
Cuong Manh Le
2476a06c48
Sleep longer before running integration tests (#968) 2020-06-23 02:14:34 +07:00
bobby
f94f45d9a2
controlplane: add robots route (#966) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-06-22 11:48:59 -07:00
Caleb Doxsey
f11c5ba172
docs: update GitHub documentation for service account (#967) 
* docs: update GitHub documentation for service account

* add read:org permission
 2020-06-22 12:36:07 -06:00
Caleb Doxsey
8362f18355
authenticate: move impersonate from proxy to authenticate (#965) 2020-06-22 11:58:27 -06:00
Cuong Manh Le
99142b7293
authenticate: revoke current session oauth token before sign out (#964) 
authenticate: revoke current session oauth token before sign out

After #926, we don't revoke access token before sign out anymore. It
causes sign out can not work, because right after user click on sign out
button, we redirect user to idp provider authenticate page with a valid
access token, so user is logged in immediately again.

To fix it, just revoke the access token before sign out.
 2020-06-23 00:55:55 +07:00
Caleb Doxsey
dbf020a532
github: implement github directory provider (#963) 
* github: implement github directory provider

* fix test
 2020-06-22 11:33:37 -06:00
Cuong Manh Le
b2f6b42798
authenticate: remove useless/duplicated code block (#962) 2020-06-22 22:39:09 +07:00
Renovate Bot
6ef74806c7 chore(deps): update module open-policy-agent/opa to v0.21.0 2020-06-22 15:29:50 +00:00
Caleb Doxsey
b3ccdfe00f
idp: delete sessions on refresh error, handle zero times in oauth/id tokens for refresh (#961) 2020-06-22 08:49:28 -06:00
bobby
452c9be06d
cache: remove unused metrics and options (#957) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-06-22 06:59:04 -07:00
Caleb Doxsey
f7760c413e
directory: generate user/directory.User ID in a consistent way (#944) 2020-06-22 07:42:57 -06:00
Cuong Manh Le
84dde097c7
integration: sleep for amount of time before running tests (#956) 
Most of the flaky failure due to the fact that not all pods are ready
yet. We currently check the readiness by get all deployments and
heuristic parsing the output. So let wait for another 10 seconds before
running tests.
 2020-06-22 11:16:06 +07:00
Cuong Manh Le
5b9c09caba
docs/docs: remove extra text when resolve conflict (#955) 2020-06-22 10:38:31 +07:00
Cuong Manh Le
8d0deb0732
config: add PassIdentityHeaders option (#903) 
Currently, user's identity headers are always inserted to downstream
request. For privacy reason, it would be better to not insert these
headers by default, and let user chose whether to include these headers
per=policy basis.

Fixes #702
 2020-06-22 10:29:44 +07:00
Cuong Manh Le
4a3fb5d44b
authorize: get claims from signed jwt (#954) 
authorize: get claims from signed jwt

When doing databroker refactoring, all claims information were moved to
signed JWT instead of raw session JWT. But we are still looking for
claims info in raw session JWT, causes all X-Pomerium-Claim-* headers
being gone.

Fix this by looking for information from signed JWT instead.

Note that even with this fix, the X-Pomerium-Claim-Groups is still not
present, but it's another bug (see #941) and will be fixed later.

Fixes #936
 2020-06-22 09:51:32 +07:00
Caleb Doxsey
fbce3dd359
idp: set github timestamps (#943) 2020-06-21 15:50:56 -06:00