Commit graph

3224 commits

Author SHA1 Message Date
bobby
cfbc5c2114
authenticate: fix some typos (#939)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-06-21 10:23:58 -07:00
bobby
7dfa1d0a41
authorize: only log headers if debug set (#940)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-06-21 10:07:30 -07:00
Cuong Manh Le
c29807c391
docs: document unsupported HTTP 1.0 in 0.9.0 and higher (#932)
Fixes #915

Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
2020-06-20 01:11:00 +07:00
Caleb Doxsey
dbd7f55b20
feature/databroker: user data and session refactor project (#926)
* databroker: add databroker, identity manager, update cache (#864)

* databroker: add databroker, identity manager, update cache

* fix cache tests

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, update google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* authorize: use databroker data for rego policy (#904)

* wip

* add directory provider

* initialize before sync, update google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, update google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix gitlab test

* use v4 backoff

* authenticate: databroker changes (#914)

* wip

* add directory provider

* initialize before sync, update google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, update google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix dashboard

* delete session on logout

* permanently delete sessions once they are marked as deleted

* remove permanent delete

* fix tests

* remove groups and refresh test

* databroker: remove dead code, rename cache url, move dashboard (#925)

* wip

* add directory provider

* initialize before sync, update google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, update google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix dashboard

* delete session on logout

* permanently delete sessions once they are marked as deleted

* remove permanent delete

* fix tests

* remove cache service

* remove kv

* remove refresh docs

* remove obsolete cache docs

* add databroker url option

* cache: use memberlist to detect multiple instances

* add databroker service url

* remove cache service

* remove kv

* remove refresh docs

* remove obsolete cache docs

* add databroker url option

* cache: use memberlist to detect multiple instances

* add databroker service url

* wip

* remove groups and refresh test

* fix redirect, signout

* remove databroker client from proxy

* remove unused method

* remove user dashboard test

* handle missing session ids

* session: reject sessions with no id

* sessions: invalidate old sessions via databroker server version (#930)

* session: add a version field tied to the databroker server version that can be used to invalidate sessions

* fix tests

* add log

* authenticate: create user record immediately, call "get" directly in authorize (#931)
2020-06-19 07:52:44 -06:00
Cuong Manh Le
39cdb31170
internal/envoy: improve handleLogs (#929)
The log line has a well defined structure that we can process by simple
string manipulation, instead of relying on regex.

name            old time/op    new time/op    delta
_handleLogs-12    17.3µs ±23%     1.1µs ±11%  -93.81%  (p=0.000 n=10+10)

name            old alloc/op   new alloc/op   delta
_handleLogs-12    20.1kB ± 0%     4.1kB ± 0%  -79.59%  (p=0.002 n=8+10)

name            old allocs/op  new allocs/op  delta
_handleLogs-12       141 ± 0%         1 ± 0%  -99.29%  (p=0.000 n=10+10)
2020-06-19 09:14:10 +07:00
Cuong Manh Le
9df4dc4aca
internal/envoy: fix handleLogs causing envoy to hang forever (#927)
handleLogs uses a bufio scanner to process log output from envoy. When in
debug mode, envoy produces very long log lines, causing the scanner to
fail, and handleLogs stops processing logs. But envoy continues writing to its
stdout, which is now not consumed by any process, so envoy hangs there
forever.

Fix this by switching to bufio.Reader instead. This is also the
real fix for the failed integration test, which was interpreted wrongly by
me in #910.
2020-06-19 00:03:42 +07:00
Yuchen Ying
8fc1e9cca8
Add an option to request certificate with Must-Staple. (#697) 2020-06-17 08:29:34 -07:00
Cuong Manh Le
8856577f39
integration: fix wrong jwt assertion test (#909)
The test intends to check that "X-Pomerium-Jwt-Assertion" exists in the response
header and is not empty, but accidentally always tests for a non-empty string.
2020-06-17 21:49:39 +07:00
Cuong Manh Le
bb6c0ab725
integration: set default headers (#910)
After commit f62bb686d8, the default
headers, which include the HSTS header, will be set for responses. This
breaks the integration test due to the interaction with the nginx ingress.

To fix it, set the default headers without the HSTS header.
2020-06-17 21:20:24 +07:00
Cuong Manh Le
f62bb686d8
internal/controlplane: make sure options.Headers are set for response (#907)
When switching to envoy, we forgot to adopt the middleware that sets
response headers from options.Headers, which causes the HSTS header to be
missing in the v0.9.0 release.

Fixes #901
2020-06-17 00:56:01 +07:00
Travis Groth
ee2170f5f5
config: add a consistent route ID (#905) 2020-06-16 09:20:18 -04:00
Cuong Manh Le
34d06e521d
internal/telemetry/metrics: document concurrent use (#891)
Document that metricRegistry is not safe for concurrent use. While at
it, remove t.Parallel() in tests which use metricRegistry, which causes a
data race, caught by:

	go test -race ./internal/telemetry/metrics
2020-06-15 23:08:03 +07:00
Cuong Manh Le
e0bdd906f9
config: change the default logging level to INFO (#902)
The DEBUG logging level is very verbose and potentially logs sensitive data.
We should set the default log level to INFO.

Updates #895
Fixes #896
2020-06-15 22:55:18 +07:00
Cuong Manh Le
896467c4bf
internal/cmd/pomerium: fix data race in handling context (#890)
Caught by:

	go test -race ./internal/cmd/pomerium

The ctx in Run is both read (in the signal-handling goroutine) and written
(when passed to the errgroup context in Run), causing a data race.

Fix it by passing the ctx to the goroutine as an argument instead of
accessing it directly.
2020-06-15 22:38:45 +07:00
Bobby DeSimone
e57f92486a
envoy: bump envoy to 1.14.2 (#894)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-06-15 07:55:44 -07:00
Renovate Bot
97cead4d08 chore(deps): update vuepress monorepo to v1.5.2 2020-06-15 08:29:40 +00:00
Renovate Bot
d5a8fece0c chore(deps): update module caddyserver/certmagic to v0.11.2 2020-06-15 05:45:59 +00:00
Renovate Bot
e51e8c3410 chore(deps): update google.golang.org/genproto commit hash to 7676ae0 2020-06-15 03:51:56 +00:00
Bobby DeSimone
200bc7e836
controlplane: use previous preferred cipher suite (#889)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-06-14 17:53:18 -07:00
Bobby DeSimone
79d793d122
controlplane: fix missing full cert chain (#888)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-06-14 17:53:02 -07:00
Bobby DeSimone
3fbcb8ff13
frontend: fix logo fill on chrome (#893)
- on error, if reason is empty use the status text of the http status code

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-06-13 13:55:01 -07:00
Travis Groth
fb2930dcc5
git: ignore additional test file types (#883) 2020-06-12 11:06:45 -04:00
Travis Groth
dbbbb2357e
authorize: reduce duplicate evaluations in opa policy (#882) 2020-06-12 11:06:28 -04:00
Travis Groth
42966ab39b
options: ensure viper ignores certificates config field (#876) 2020-06-11 16:38:13 -04:00
Yuchen Ying
b000930914
Remove unnecessary viper.New() (#849) 2020-06-11 10:26:42 -04:00
Renovate Bot
2b6b21739d Update golang.org/x/crypto commit hash to 70a84ac 2020-06-11 10:53:34 +00:00
Renovate Bot
3f359c1f38 Update module go-redis/redis/v7 to v7.4.0 2020-06-11 08:58:42 +00:00
Renovate Bot
24229a8013 Update golang.org/x/net commit hash to 627f964 2020-06-11 05:54:57 +00:00
Renovate Bot
5373a1d637 Update module google.golang.org/api to v0.26.0 2020-06-11 04:26:26 +00:00
Renovate Bot
5a22a0d6f7 Update module stretchr/testify to v1.6.1 2020-06-10 22:59:32 +00:00
Renovate Bot
89ece36d0c Update module rs/zerolog to v1.19.0 2020-06-10 21:42:18 +00:00
Renovate Bot
5baeb4ae94 Update module open-policy-agent/opa to v0.20.5 2020-06-10 20:35:03 +00:00
Renovate Bot
eecf33218a Update module contrib.go.opencensus.io/exporter/prometheus to v0.2.0 2020-06-10 20:25:14 +00:00
Renovate Bot
5aa3cbc5b9 Update module caddyserver/certmagic to v0.11.1 2020-06-10 18:20:19 +00:00
Renovate Bot
36fa986e97 Update google.golang.org/genproto commit hash to a5b850b 2020-06-10 16:40:59 +00:00
Bobby DeSimone
b00acad517
internal/controlplane: set minimum tls version (#854)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-06-10 09:08:05 -07:00
Bobby DeSimone
b8ccfee499
go.mod: bump required go version to 1.14 (#868)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-06-10 09:07:39 -07:00
Caleb Doxsey
fe2369400c
proxy: only set validation context if trusted_ca is used (#863)
* proxy: only set validation context if trusted_ca is used

* fix test
2020-06-09 13:45:03 -06:00
Cuong Manh Le
9e711b4612
internal/httputil: add HTTPStatsRoundTripper to DefaultClient (#828) 2020-06-08 14:34:32 -04:00
Yuchen Ying
7abe3a3b02
Remove additional indirection. (#848)
o is already a pointer to the Options struct.
2020-06-08 07:36:24 -06:00
Aidan Steele
48912dbc33
Fix small typo (#836) 2020-06-07 07:46:47 -04:00
Travis Groth
6f938562ca
Add backport action (#829) 2020-06-06 16:19:38 -04:00
Cuong Manh Le
4d5edb0d64
Feature/remove request headers (#822)
* config: add RemoveRequestHeaders

Currently, we have the "set_request_headers" config, which reflects envoy's
route.Route.RequestHeadersToAdd. This commit adds a new config,
"remove_request_headers", which reflects envoy's RequestHeadersToRemove.

This is also a preparation for future PRs to implement the feature of
disabling user identity in request headers.

* integration: add test for remove_request_headers
* docs: add documentation/changelog for remove_request_headers
2020-06-03 07:46:51 -07:00
Caleb Doxsey
b80a419699
xds: use ipv4 address when ipv6 is disabled (#823) 2020-06-02 13:05:44 -06:00
Bobby DeSimone
afe22fd24b
posts: 0-9-0 release notes (#820)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-06-01 20:29:50 -07:00
Renovate Bot
7e77a2fc9f chore(deps): update module stretchr/testify to v1.6.0 2020-06-01 19:29:46 +00:00
Renovate Bot
db2ca576fd chore(deps): update module caddyserver/certmagic to v0.11.0 2020-06-01 17:54:45 +00:00
Renovate Bot
ab00c68cc8 chore(deps): update google.golang.org/genproto commit hash to 0f60399 2020-06-01 16:47:54 +00:00
Caleb Doxsey
fca17d365a
xds: force ipv4 for localhost to workaround ipv6 issue in docker compose (#819) 2020-06-01 08:58:28 -06:00
Caleb Doxsey
12e373249b
config: strip quotes from http redirect addr (#818) 2020-06-01 08:51:56 -06:00