3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-07-29 14:39:40 +02:00
Code Issues Projects Releases Packages Wiki Activity
2062 commits 173 branches 133 tags 111 MiB
Commit graph

302 commits

Author SHA1 Message Date
Bobby DeSimone
1d1311a240 config: error if groups are used without service account 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-06-24 16:01:08 -07:00
Cuong Manh Le
17ba595ced
authenticate: support hot reloaded config (#984) 
By implementinng OptionsUpdater interface.

Fixes #982
 2020-06-24 00:18:20 +07:00
Cuong Manh Le
4ca0189524
docs/docs/identity-providers: document gitlab default scopes changed (#980) 
Fixes #938
 2020-06-24 00:05:21 +07:00
Caleb Doxsey
24b523c043
docs: update upgrading document for breaking changes (#974) 2020-06-22 15:26:42 -06:00
Caleb Doxsey
f33bf07334
docs: update service account instructions for OneLogin (#973) 2020-06-22 15:21:21 -06:00
Caleb Doxsey
ae97d280c5
docs: service account instructions for gitlab (#970) 2020-06-22 15:04:36 -06:00
Caleb Doxsey
451bdbeb0d
docs: update okta service account docs to match new format (#972) 2020-06-22 15:04:01 -06:00
Caleb Doxsey
cb08cb7a93
docs: service account instructions for azure (#969) 2020-06-22 14:15:49 -06:00
Caleb Doxsey
f11c5ba172
docs: update GitHub documentation for service account (#967) 
* docs: update GitHub documentation for service account

* add read:org permission
 2020-06-22 12:36:07 -06:00
Cuong Manh Le
5b9c09caba
docs/docs: remove extra text when resolve conflict (#955) 2020-06-22 10:38:31 +07:00
Cuong Manh Le
8d0deb0732
config: add PassIdentityHeaders option (#903) 
Currently, user's identity headers are always inserted to downstream
request. For privacy reason, it would be better to not insert these
headers by default, and let user chose whether to include these headers
per=policy basis.

Fixes #702
 2020-06-22 10:29:44 +07:00
Cuong Manh Le
c29807c391
docs: document un-supported HTTP 1.0 in 0.9.0 and higher (#932) 
docs: document un-supported HTTP 1.0 in 0.9.0 and higher

Fixes #915

Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
 2020-06-20 01:11:00 +07:00
Caleb Doxsey
dbd7f55b20
feature/databroker: user data and session refactor project (#926) 
* databroker: add databroker, identity manager, update cache (#864)

* databroker: add databroker, identity manager, update cache

* fix cache tests

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* authorize: use databroker data for rego policy (#904)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix gitlab test

* use v4 backoff

* authenticate: databroker changes (#914)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix dashboard

* delete session on logout

* permanently delete sessions once they are marked as deleted

* remove permanent delete

* fix tests

* remove groups and refresh test

* databroker: remove dead code, rename cache url, move dashboard (#925)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix dashboard

* delete session on logout

* permanently delete sessions once they are marked as deleted

* remove permanent delete

* fix tests

* remove cache service

* remove kv

* remove refresh docs

* remove obsolete cache docs

* add databroker url option

* cache: use memberlist to detect multiple instances

* add databroker service url

* remove cache service

* remove kv

* remove refresh docs

* remove obsolete cache docs

* add databroker url option

* cache: use memberlist to detect multiple instances

* add databroker service url

* wip

* remove groups and refresh test

* fix redirect, signout

* remove databroker client from proxy

* remove unused method

* remove user dashboard test

* handle missing session ids

* session: reject sessions with no id

* sessions: invalidate old sessions via databroker server version (#930)

* session: add a version field tied to the databroker server version that can be used to invalidate sessions

* fix tests

* add log

* authenticate: create user record immediately, call "get" directly in authorize (#931)
 2020-06-19 07:52:44 -06:00
Cuong Manh Le
e0bdd906f9
config: change the default logging level to INFO (#902) 
config: change the default logging level to INFO

DEBUG logging level is very verbose and potentially logs sensitive data.
We should set default log level to INFO.

Updates #895
Fixes #896
 2020-06-15 22:55:18 +07:00
Bobby DeSimone
e57f92486a
envoy: bump envoy to 1.14.2 (#894) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-06-15 07:55:44 -07:00
Aidan Steele
48912dbc33
Fix small typo (#836) 2020-06-07 07:46:47 -04:00
Cuong Manh Le
4d5edb0d64
Feature/remove request headers (#822) 
* config: add RemoveRequestHeaders

Currently, we have "set_request_headers" config, which reflects envoy
route.Route.RequestHeadersToAdd. This commit add new config
"remove_request_headers", which reflects envoy RequestHeadersToRemove.

This is also a preparation for future PRs to implement disable user
identity in request headers feature.

* integration: add test for remove_request_headers
* docs: add documentation/changelog for remove_request_headers
 2020-06-03 07:46:51 -07:00
Bobby DeSimone
44cf1fba1f
deployment: prepare 0.9.0 (#798) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-05-30 18:07:57 -07:00
Travis Groth
6761cc7a14
telemetry: service label updates (#802) 2020-05-29 15:16:22 -04:00
Caleb Doxsey
df2b09a906
docs: add note about unsupported platforms (#799) 2020-05-28 12:57:03 -06:00
Noah Stride
d85e490640
fix: docs regarding claim headers (#782) 2020-05-27 09:58:48 -04:00
Bobby DeSimone
3f1faf2e9e
authenticate: add jwks and .well-known endpoint (#745) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-05-21 11:46:29 -07:00
Travis Groth
3e17befff7
envoy: Enable zipkin tracing (#737) 
- Update envoy bootstrap config to protobufs
- Reorganize tracing config to avoid cyclic import
- Push down zipkin config to Envoy
- Update tracing options to provide sample rate
 2020-05-21 11:50:07 -04:00
Travis Groth
1f1e63a75b
telemetry/tracing: Add Zipkin tracing support (#723) 2020-05-18 21:57:13 -04:00
Caleb Doxsey
ef399380b7 merge master 2020-05-18 17:10:10 -04:00
Caleb Doxsey
02615b8b6c Merge remote-tracking branch 'origin/master' into feature/envoy 2020-05-18 17:10:10 -04:00
Travis Groth
99e788a9b4 envoy: Initial changes 2020-05-18 17:10:10 -04:00
Bobby DeSimone
1cba3d50eb
docs: fixes to v0.8.0 docs (#696) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-05-13 12:38:01 -07:00
Bobby DeSimone
80166bcc40
deployment: release v0.8.0 (#686) 
Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>
 2020-05-12 19:10:12 -07:00
Travis Groth
b9b66ec20f
deploy: autocert documentation and defaults (#658) 
* Define AUTOCERT_DIR in dockerfiles

* Add autocert example and compose file

* Update reference docs for defaults
 2020-05-05 21:13:28 -04:00
Bobby DeSimone
bf9a6f5e97
cryptutil: add automatic certificate management (#644) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-05-05 12:50:19 -07:00
Ogundele Olumide
5f0c13767b
improvement: update gitlab api scope (#630) 2020-04-23 13:26:25 -07:00
Caleb Doxsey
170f7f07d3 docs: add upgrading documentation for potentially breaking configuration changes 2020-04-20 18:24:36 -06:00
Bobby DeSimone
15972b9956
v0.7.5 (#625) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-04-20 14:10:31 -07:00
Bobby DeSimone
7fe4c5bdaf
docs: add release announcement post (#617) 
* docs: add release announcement post

- add mailchimp newsletter form
- fix wording
- fix mobile
- fix changelog links
- fix release drafter to use our format (GH-$ISSUE)

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-04-18 11:35:14 -07:00
Bobby DeSimone
d7daf274c0
pomerium-cli: add service account docs (#613) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-04-16 13:28:42 -07:00
Ogundele Olumide
53fd215148
fix retrieve group error: (#614) 
- remove hardcoded gitlab provider url
 - update the gitlab identity provider documentation
 2020-04-16 11:51:03 -07:00
Bobby DeSimone
47f9765a47
docs: update changelog for v0.7.3 (#610) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-04-14 08:49:08 -07:00
Bobby DeSimone
b423b234e9
docs: update upgrading / changelog to v0.7.2 (#601) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-04-13 16:20:29 -07:00
Ogundele Olumide
e0dd6734d3
an attempt to improve the identity provider docs (#608) 2020-04-13 11:30:29 -07:00
Ogundele Olumide
ae4204d42b
internal/identity: implement github provider support (#582) 
Co-authored-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-04-10 10:48:14 -07:00
Travis Groth
789068e27a
Add configurable JWT claim headers (#596) 2020-04-09 23:41:55 -04:00
Bobby DeSimone
d780281fc0
v0.7.0 
See (#576)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-04-04 20:45:48 -07:00
Ogundele Olumide
3c6431e5bc
change gitlab group unique identifier from name to ID (#571) 2020-03-28 12:45:24 -07:00
İlker Göktuğ Öztürk
297b0fd6c7
docs: fix typo (#566) 2020-03-26 11:55:55 -07:00
Ogundele Olumide
3dd9188004
feat: gitlab oidc/ oauth provider (#518) 
- implement gitlab oauth support
 - add documentation for the gitlab support
 2020-03-16 19:58:49 -07:00
Bobby DeSimone
8d1732582e
authorize: use jwt insead of state struct (#514) 
authenticate: unmarshal and verify state from jwt, instead of middleware
authorize: embed opa policy using statik
authorize: have IsAuthorized handle authorization for all routes
authorize: if no signing key is provided, one is generated
authorize: remove IsAdmin grpc endpoint
authorize/client: return authorize decision struct
cmd/pomerium: main logger no longer contains email and group
cryptutil: add ECDSA signing methods
dashboard: have impersonate form show up for all users, but have api gated by authz
docs: fix typo in signed jwt header
encoding/jws: remove unused es256 signer
frontend: namespace static web assets
internal/sessions: remove leeway to match authz policy
proxy:  move signing functionality to authz
proxy: remove jwt attestation from proxy (authZ does now)
proxy: remove non-signed headers from headers
proxy: remove special handling of x-forwarded-host
sessions: do not verify state in middleware
sessions: remove leeway from state to match authz
sessions/{all}: store jwt directly instead of state

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-03-10 11:19:26 -07:00
Bobby DeSimone
27909f22ce
docs: make from source quickstart (#519) 
- move building from so
- remove dnsmasq instructions

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-03-05 18:07:43 -08:00
Bobby DeSimone
8c7fdf4b80
docs: update background (#505) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-02-15 12:17:10 -08:00
Bobby DeSimone
dd54ce4481
v0.6.0 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-01-24 16:09:47 -08:00