Commit graph

2396 commits

Author SHA1 Message Date
Cuong Manh Le
d764981618
internal/controlplane: set envoy prefix rewrite if present (#1034)
While at it, also refactor buildPolicyRoutes.

Fixes #1033
Fixes #880
2020-07-03 09:35:36 +07:00
Cuong Manh Le
846d709ba4 proxy: fix wrong forward auth request
When the proxy receives a forward auth request, it should forward the request
as-is to authorize for verification. Currently, it composes the check
request with the actual path, then sends the request to the authorize service.

This makes the request work accidentally, because the composed check
request will satisfy the policy unintentionally. For example, for the forward
auth request:

	http://pomerium/?uri=https://httpbin.localhost.pomerium.io

the composed request will look like:

	&envoy_service_auth_v2.AttributeContext_HttpRequest{
		Method:   "GET",
		Headers:  map[string]string{},
		Path:     "",
		Host:     "httpbin.localhost.pomerium.io",
		Scheme:   "https",
	}

This check request has at least two problems.

First, it will make authorize.handleForwardAuth always return false,
even though this is a real forward auth request, because the "Host"
field in the check request is not the forward auth host, which is "pomerium"
in this case.

Second, it will accidentally match rules like:

	policy:
	  - from: https://httpbin.localhost.pomerium.io
	    to: https://httpbin
	    allowed_domains:
	      - pomerium.io

If the rule contains other conditions, like "prefix", or "regex":

	policy:
	  - from: https://httpbin.localhost.pomerium.io
	    prefix: /headers
	    to: https://httpbin
	    allowed_domains:
	      - pomerium.io

Then the rule will never be triggered, because the "/headers" path can
be passed in the request via "X-Forwarded-Uri" (traefik), instead of
directly from the path (nginx).

To fix this, we just pass the forward auth request as-is to authorize.

Fixes #873
2020-07-03 00:00:20 +07:00
Cuong Manh Le
48639a48fb authorize: honor X-Forwarded-Uri in forward auth mode
Some ingresses like traefik set the X-Forwarded-Uri header instead
of passing the actual path in the request; we should honor and use
that header in forward auth mode.

While at it, refactor handleForwardAuth to return early instead
of using nested conditions, and add more tests to cover all cases.
2020-07-03 00:00:20 +07:00
Renovate Bot
e482fef247 chore(deps): update module google.golang.org/protobuf to v1.25.0 2020-07-02 16:07:51 +00:00
Caleb Doxsey
09621ee263
pkg: add grpcutil package (#1032) 2020-07-01 15:21:19 -06:00
Caleb Doxsey
fae02791f5
cryptutil: move to pkg dir, add token generator (#1029)
* cryptutil: move to pkg dir, add token generator

* add gitignored files

* add tests
2020-06-30 15:55:33 -06:00
Cuong Manh Le
b90885b4c1
cache: fix data race in NotifyJoin (#1028)
In 35af5c0b91, the check for multiple
cache servers in NotifyJoin was made to run in a goroutine. That can
lead to a data race, because the memberlist can be changed by the time
the goroutine runs. Go warns about this race when the memberlist test is
run with "-race".

To fix this, we pass the nil check as an argument to the goroutine.
2020-07-01 00:11:40 +07:00
Travis Groth
6ab797eb0b
ci: support rc releases (#1011) 2020-06-30 11:19:49 -04:00
Cuong Manh Le
65150f2c3d
docs: document preserve_host_header with policy routes to static ip (#1024)
Fixes #1012
2020-06-30 14:26:08 +07:00
Travis Groth
e27ee4dd32
authorize/evaluator/opa: set client tls cert usage explicitly (#1026) 2020-06-29 17:21:54 -04:00
Renovate Bot
f8491b48ee chore(deps): update google.golang.org/genproto commit hash to ee7919e 2020-06-29 20:07:28 +00:00
Renovate Bot
a18f48b209 chore(deps): update module google.golang.org/grpc to v1.30.0 2020-06-29 17:34:09 +00:00
Cuong Manh Le
f938554968
internal/controlplane: enable envoy use remote address (#1023)
Fixes #1013
2020-06-29 23:06:34 +07:00
Renovate Bot
ad232bf10e chore(deps): update module prometheus/client_golang to v1.7.1 2020-06-29 06:43:00 +00:00
Renovate Bot
8e9f886818 chore(deps): update golang.org/x/sync commit hash to 6e8e738 2020-06-29 03:16:20 +00:00
Renovate Bot
0300be3ed1 chore(deps): update golang.org/x/net commit hash to 4c52546 2020-06-29 01:28:06 +00:00
Cuong Manh Le
ecdf7ee1a9
cache: add test for runMemberList (#1007) 2020-06-26 23:54:14 +07:00
Cuong Manh Le
53588396ad
Allow specify go executable in Makefile (#1008) 2020-06-26 23:53:47 +07:00
Cuong Manh Le
320d92a37e
integration: add dummy value for idp_service_account (#1009)
After 1d1311a240, policy with groups rule
requires idp_service_account set.
2020-06-26 12:32:51 -04:00
Caleb Doxsey
091b71f12e
grpc: rename internal/grpc to pkg/grpc (#1010)
* grpc: rename internal/grpc to pkg/grpc

* don't ignore pkg dir

* remove debug line
2020-06-26 09:17:02 -06:00
Jeff Hubbach
a98d39c5af
Docs: Update Istio VirtualService example (#1006)
It's necessary to specify the destination port for Pomerium services
2020-06-25 18:15:34 -07:00
Travis Groth
c049d87362
docs: document service account requirements (#999) 2020-06-25 19:32:36 -04:00
Travis Groth
917d8ec61b
envoy: disable idle timeouts to controlplane (#1000)
* envoy: disable idle timeouts to controlplane to support streaming requests

* envoy: add request timeout for attack mitigation
2020-06-25 13:14:24 -04:00
Travis Groth
b3ee4f534e
cache: fix missing parameter (#1005)
* cache: fix missing parameter

* cache: get number of members from NumMembers()
2020-06-25 13:13:37 -04:00
bobby
dbd1eac97f
identity: support custom code flow request params (#998)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-06-25 08:28:46 -07:00
bobby
666420f4c9
config: add check to assert service account is required for policies with allowed_groups (#997)
* dependency: bump opa v0.21.0

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* config: error if groups are used without service account

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-06-25 08:27:48 -07:00
Travis Groth
35af5c0b91
cache: join old memberlist cluster to warn about multiple servers (#1004) 2020-06-25 11:27:23 -04:00
Caleb Doxsey
05e3c23ea1
memberlist: use bufio reader instead of scanner (#1002) 2020-06-25 11:23:31 -04:00
Cuong Manh Le
963e1c015a
authorize/evaluator/opa: use route policy object instead of array index (#1001)
Make the code more readable, and slightly reduce memory alloc:

	opa test -v --bench --count 5 --format gobench

Output:

name                                       old alloc/op                     new alloc/op                     delta
DataPomeriumAuthzTestEmailAllowed                               109kB ± 0%                       108kB ± 0%  -0.89%  (p=0.008 n=5+5)
DataPomeriumAuthzTestExample                                   95.4kB ± 0%                      93.4kB ± 0%  -2.06%  (p=0.008 n=5+5)
DataPomeriumAuthzTestEmailDenied                               63.6kB ± 0%                      61.6kB ± 0%  -3.09%  (p=0.008 n=5+5)
DataPomeriumAuthzTestPublicAllowed                              103kB ± 0%                       101kB ± 0%  -1.86%  (p=0.008 n=5+5)
DataPomeriumAuthzTestPublicDenied                               100kB ± 0%                        98kB ± 0%  -1.64%  (p=0.008 n=5+5)
DataPomeriumAuthzTestPomeriumAllowed                           62.6kB ± 0%                      60.7kB ± 0%  -3.14%  (p=0.008 n=5+5)
DataPomeriumAuthzTestPomeriumDenied                            64.5kB ± 0%                      62.5kB ± 0%  -3.11%  (p=0.008 n=5+5)
DataPomeriumAuthzTestCorsPreflightAllowed                      66.7kB ± 0%                      64.5kB ± 0%  -3.33%  (p=0.008 n=5+5)
DataPomeriumAuthzTestCorsPreflightDenied                       65.8kB ± 0%                      63.3kB ± 0%  -3.92%  (p=0.008 n=5+5)
DataPomeriumAuthzTestParseUrl                                  13.8kB ± 0%                      13.8kB ± 0%    ~     (p=0.167 n=5+5)
DataPomeriumAuthzTestAllowedRouteSource                         243kB ± 0%                       243kB ± 0%    ~     (p=1.000 n=5+5)
DataPomeriumAuthzTestAllowedRoutePrefix                        80.9kB ± 0%                      80.9kB ± 0%    ~     (p=0.690 n=5+5)
DataPomeriumAuthzTestAllowedRoutePath                           108kB ± 0%                       108kB ± 0%    ~     (p=0.452 n=5+5)
DataPomeriumAuthzTestAllowedRouteRegex                         90.0kB ± 0%                      89.9kB ± 0%    ~     (p=0.095 n=5+5)

name                                       old allocs/op                    new allocs/op                    delta
DataPomeriumAuthzTestEmailAllowed                               1.76k ± 0%                       1.74k ± 0%  -1.24%  (p=0.008 n=5+5)
DataPomeriumAuthzTestExample                                    1.54k ± 0%                       1.51k ± 0%  -2.18%  (p=0.008 n=5+5)
DataPomeriumAuthzTestEmailDenied                                1.05k ± 1%                       1.01k ± 1%  -3.21%  (p=0.008 n=5+5)
DataPomeriumAuthzTestPublicAllowed                              1.65k ± 0%                       1.63k ± 0%  -1.20%  (p=0.008 n=5+5)
DataPomeriumAuthzTestPublicDenied                               1.61k ± 0%                       1.58k ± 0%  -1.42%  (p=0.008 n=5+5)
DataPomeriumAuthzTestPomeriumAllowed                            1.04k ± 1%                       1.00k ± 1%  -3.27%  (p=0.008 n=5+5)
DataPomeriumAuthzTestPomeriumDenied                             1.06k ± 1%                       1.03k ± 1%  -3.19%  (p=0.008 n=5+5)
DataPomeriumAuthzTestCorsPreflightAllowed                       1.14k ± 1%                       1.09k ± 0%  -3.96%  (p=0.008 n=5+5)
DataPomeriumAuthzTestCorsPreflightDenied                        1.09k ± 1%                       1.05k ± 0%  -4.04%  (p=0.008 n=5+5)
DataPomeriumAuthzTestParseUrl                                     222 ± 0%                         222 ± 0%    ~     (all equal)
DataPomeriumAuthzTestAllowedRouteSource                         3.66k ± 0%                       3.66k ± 0%    ~     (all equal)
DataPomeriumAuthzTestAllowedRoutePrefix                         1.23k ± 0%                       1.23k ± 0%    ~     (all equal)
DataPomeriumAuthzTestAllowedRoutePath                           1.62k ± 0%                       1.62k ± 0%    ~     (all equal)
DataPomeriumAuthzTestAllowedRouteRegex                          1.36k ± 0%                       1.36k ± 0%    ~     (all equal)
2020-06-25 21:28:54 +07:00
Bobby DeSimone
1d1311a240 config: error if groups are used without service account
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-06-24 16:01:08 -07:00
Caleb Doxsey
3ad8cbf4ec
authorize: avoid serializing databroker data map to improve performance (#995) 2020-06-24 14:00:08 -06:00
bobby
7110948296
dependency: bump opa v0.21.0 (#993)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-06-24 08:31:01 -07:00
Bobby DeSimone
e3d290bde5 dependency: bump opa v0.21.0
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-06-24 08:27:04 -07:00
Cuong Manh Le
505ff5cc5c
internal/sessions: handle claims "ver" field generally (#990)
The "ver" field is not specified by RFC 7519, so in practice most providers
return it as a string, but okta returns it as a number, which causes okta
authentication to break.

To fix it, we handle the "ver" field more generally, allowing both string and
number in the JSON payload.
2020-06-24 22:06:17 +07:00
Cuong Manh Le
1e3c381e1e
internal/directory/okta: store directory information by user id (#991)
Same as #988
2020-06-24 21:56:51 +07:00
Cuong Manh Le
a042bb7b82
internal/directory/onelogin: store directory information by user id (#992)
Same as #988
2020-06-24 21:56:33 +07:00
Caleb Doxsey
2501463dc9
google: store directory information by user id (#988) 2020-06-23 14:41:16 -06:00
Caleb Doxsey
0d277cf662
azure: use OID for user id in session (#985) 2020-06-23 12:02:17 -06:00
Cuong Manh Le
17ba595ced
authenticate: support hot reloaded config (#984)
By implementing the OptionsUpdater interface.

Fixes #982
2020-06-24 00:18:20 +07:00
Travis Groth
eaa0c980d2
telemetry: add tracing spans to cache and databroker (#987) 2020-06-23 13:08:21 -04:00
Cuong Manh Le
4ca0189524
docs/docs/identity-providers: document gitlab default scopes changed (#980)
Fixes #938
2020-06-24 00:05:21 +07:00
Cuong Manh Le
fb4dfaea44
authenticate: hide impersonation form from non-admin users (#979)
Fixes #881
2020-06-23 22:09:33 +07:00
Renovate Bot
fa40ff1f77 chore(deps): update module hashicorp/memberlist to v0.2.2 2020-06-23 05:41:34 +00:00
Renovate Bot
90bd2baf80 chore(deps): update google.golang.org/genproto commit hash to fbb79ea 2020-06-23 03:54:40 +00:00
Renovate Bot
1ea3253660 chore(deps): update module go.opencensus.io to v0.22.4 2020-06-23 00:47:22 +00:00
Renovate Bot
6ccf3246aa chore(deps): update module cenkalti/backoff/v4 to v4.0.2 2020-06-22 23:14:22 +00:00
renovate[bot]
0c7faf4991
chore(deps): update module google.golang.org/api to v0.28.0 (#949)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2020-06-22 16:59:09 -06:00
renovate[bot]
b6287fcf8a
chore(deps): update module google/go-cmp to v0.5.0 (#950)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2020-06-22 16:58:35 -06:00
renovate[bot]
8ea4560fe6
chore(deps): update module prometheus/client_golang to v1.7.0 (#953)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2020-06-22 16:58:16 -06:00
Travis Groth
88a77c42bb
cache: add client telemetry (#975) 2020-06-22 18:18:44 -04:00