3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-06-02 02:42:57 +02:00
Code Issues Projects Releases Packages Wiki Activity
3525 commits 169 branches 127 tags 105 MiB
Commit graph

319 commits

Author SHA1 Message Date
Kenneth Jenkins
5459e6940a
authorize: do not redirect if invalid client cert (#4344) 
If an authorization policy requires a client certificate, but an
incoming request does not include a valid certificate, we should serve a
deny error page right away, regardless of whether the user is
authenticated via the identity provider or not. Do not redirect to the
identity provider login page in this case.

Update the existing integration tests accordingly, and add a unit test
case for this scenario.
 2023-07-10 16:39:26 -07:00
Kenneth Jenkins
74e648630f
authorize: remove JWT timestamp format workaround (#4321) 
Update OPA to v0.54.0, which changes the JSON serialization behavior for
large integers. Remove the formatting workaround and the unit test that
verified that the workaround was still needed.
 2023-06-30 11:54:46 -07:00
Kenneth Jenkins
e7703a1891
add JWT timestamp formatting workaround (#4270) 
Rego will sometimes serialize integers to JSON with a decimal point and
exponent. I don't completely understand this behavior.

Add a workaround to headers.rego to convert the JWT "iat" and "exp"
timestamps to a string and back to an integer. This appears to cause
Rego to serialize these values as plain integers.

Add a unit test to verify this behavior. Also add a unit test that will
fail if the Rego behavior changes, making this workaround unnecessary.
 2023-06-16 10:36:00 -07:00
Caleb Doxsey
5be322e2ef
config: add support for $pomerium.id_token and $pomerium.access_token in set_request_headers (#4219) 
* config: add support for $pomerium.id_token and $pomerium.access_token in set_request_headers

* lint

* Update authorize/evaluator/headers_evaluator_test.go

Co-authored-by: Denis Mishin <dmishin@pomerium.com>

* fix spelling

---------

Co-authored-by: Denis Mishin <dmishin@pomerium.com>
 2023-06-01 16:00:02 -06:00
Kenneth Jenkins
6df4fba832
authorize: populate issuer even when policy is nil (#4211) 2023-05-30 17:07:27 -07:00
Caleb Doxsey
d315e68335
Merge pull request from GHSA-pvrc-wvj2-f59p 
* authorize: use route id from envoy for policy evaluation

* authorize: normalize URL query params

* config: enable envoy normalize_path option

* fix tests

---------

Co-authored-by: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com>
 2023-05-26 13:34:21 -07:00
Caleb Doxsey
18bc86d632
config: add support for wildcard from addresses (#4131) 
* config: add support for wildcards

* update policy matching, header generation

* remove deprecated field

* fix test
 2023-04-25 13:34:38 -06:00
Caleb Doxsey
bbed421cd8
config: remove source, remove deadcode, fix linting issues (#4118) 
* remove source, remove deadcode, fix linting issues

* use github action for lint

* fix missing envoy
 2023-04-21 17:25:11 -06:00
Denis Mishin
ccf15f8f3d
move hpke public key handler out of internal (#4065) 2023-03-20 10:37:00 -04:00
Caleb Doxsey
1dee325b72
authorize: move sign out and jwks urls to route, update issuer for JWT (#4046) 
* authorize: move sign out and jwks urls to route, update issuer for JWT

* fix test
 2023-03-08 12:40:15 -07:00
Caleb Doxsey
0f295d4a63
hpke: move published public keys to a new endpoint (#4044) 2023-03-08 09:17:04 -07:00
Caleb Doxsey
2b8d51def5
urlutil: add version to query string (#4028) 2023-02-28 14:01:13 -07:00
Caleb Doxsey
76a7ce3a6f
authorize: allow access to /.pomerium/webauthn when policy denies access (#4015) 2023-02-27 09:49:06 -07:00
Denis Mishin
62ca7ffaa2
authenticate: fix authenticate_internal_service_url for all in one (#4003) 2023-02-22 10:42:27 -05:00
Caleb Doxsey
6b3e34c39f
fix webauthn url (#3983) 2023-02-17 06:58:43 -07:00
Caleb Doxsey
da46b4a47d
config: use insecure skip verify if derived certificates are not used (#3861) 2023-01-11 13:50:51 -07:00
Denis Mishin
e728991bf1
authorize: log check() error (#3846) 2023-01-03 11:05:25 -05:00
Caleb Doxsey
271b0787a8
config: add support for extended TCP route URLs (#3845) 
* config: add support for extended TCP route URLs

* nevermind, add duplicate names
 2022-12-27 12:50:33 -07:00
Denis Mishin
a49f86d023
use tlsClientConfig instead of custom dialer (#3830) 
* use tlsClientConfig instead of custom dialer

* rm debug log
 2022-12-27 09:55:36 -07:00
Caleb Doxsey
3e892a8533
options: support multiple signing keys (#3828) 
* options: support multiple signing keys

* fix controlplane method, errors
 2022-12-22 09:31:09 -07:00
Caleb Doxsey
57217af7dd
authenticate: implement hpke-based login flow (#3779) 
* urlutil: add time validation functions

* authenticate: implement hpke-based login flow

* fix import cycle

* fix tests

* log error

* fix callback url

* add idp param

* fix test

* fix test
 2022-12-05 15:31:07 -07:00
Caleb Doxsey
1848a9737f
upgrade to golang-lru v2 (#3771) 2022-12-02 09:25:52 -07:00
Denis Mishin
fa0ba60aee
bump envoy to v1.24.0 (#3767) 2022-11-28 09:32:31 -07:00
Caleb Doxsey
fa26587f19
remove forward auth (#3628) 2022-11-23 15:59:28 -07:00
Caleb Doxsey
e1f881f82b
authorize: fix user caching (#3734) 2022-11-08 08:23:41 -07:00
Caleb Doxsey
02df20f10a
authorize: performance improvements (#3723) 2022-11-04 17:09:52 -06:00
Denis Mishin
a3cfe8fa42
keep trace span context (#3724) 2022-11-04 17:52:13 -04:00
Caleb Doxsey
c178819875
move directory providers (#3633) 
* remove directory providers and support for groups

* idp: remove directory providers

* better error messages

* fix errors

* restore postgres

* fix test
 2022-11-03 11:33:56 -06:00
Caleb Doxsey
30bdae3d9e
sessions: check idp id to detect provider changes to force session invalidation (#3707) 
* sessions: check idp id to detect provider changes to force session invalidation

* remove dead code

* fix test
 2022-10-25 16:20:32 -06:00
dependabot[bot]
ec495bb682
chore(deps): bump github.com/golangci/golangci-lint from 1.48.0 to 1.50.0 (#3667) 
* chore(deps): bump github.com/golangci/golangci-lint

Bumps [github.com/golangci/golangci-lint](https://github.com/golangci/golangci-lint) from 1.48.0 to 1.50.0.
- [Release notes](https://github.com/golangci/golangci-lint/releases)
- [Changelog](https://github.com/golangci/golangci-lint/blob/master/CHANGELOG.md)
- [Commits](https://github.com/golangci/golangci-lint/compare/v1.48.0...v1.50.0)

---
updated-dependencies:
- dependency-name: github.com/golangci/golangci-lint
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* lint

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
 2022-10-19 09:36:59 -06:00
Caleb Doxsey
47e3176ea4
authorize: enforce service account expiration (#3661) 2022-10-13 09:28:42 -06:00
Caleb Doxsey
c0ca1e1a98
authorize: handle user-unauthenticated response for deny blocks (#3559) 
* authorize: handle user-unauthenticated response for deny blocks

* fix test
 2022-08-22 17:09:26 -06:00
Caleb Doxsey
46703b9419
config: add branding settings (#3558) 2022-08-16 14:51:47 -06:00
Caleb Doxsey
3c63b6c028
authorize: add policy error details for custom error messages (#3542) 
* authorize: add policy error details for custom error messages

* remove fmt.Println

* fix tests

* add docs
 2022-08-09 14:46:31 -06:00
Caleb Doxsey
b5ac7dbc76
sets: convert set types to generics (#3519) 
* sets: convert set types to generics

* sets: use internal sets package
 2022-07-29 12:32:17 -06:00
Caleb Doxsey
0ac7e45a21
atomicutil: use atomicutil.Value wherever possible (#3517) 
* atomicutil: use atomicutil.Value wherever possible

* fix test

* fix mux router
 2022-07-28 15:38:38 -06:00
Caleb Doxsey
89a105c8e6
authorize: add request id to context (#3497) 
* authorize: add request id to context

* fix context keys
 2022-07-26 14:34:48 -06:00
Caleb Doxsey
fe61a74e1b
authorize: fix device synchronization (#3482) 2022-07-15 17:27:06 -06:00
Caleb Doxsey
bc078f8bd2
authorize: fix x-forwarded-uri (#3479) 
* authorize: fix x-forwarded-uri

* fix raw path
 2022-07-14 09:32:48 -06:00
Caleb Doxsey
ca8db7b619
authorize: show plain text error page for traefik and nginx (#3477) 2022-07-13 08:36:18 -06:00
Caleb Doxsey
86625a4ddb
config: support files for shared_secret, client_secret, cookie_secret and signing_key (#3453) 2022-06-29 10:44:08 -06:00
Caleb Doxsey
15e3b3a431
authorize: allow missing user for authorization (#3421) 2022-06-14 05:44:34 -06:00
Caleb Doxsey
493148b13f
authorize: fix not found check (#3410) 2022-06-08 09:15:57 -06:00
Caleb Doxsey
f61e7efe73
authorize: use query instead of sync for databroker data (#3377) 2022-06-01 15:40:07 -06:00
Seena Fallah
a2d2f34e24
fix: close the ticker after opened (#3318) 
This may cause a high cpu usage on each call

Signed-off-by: Seena Fallah <seenafallah@gmail.com>
 2022-05-04 09:55:25 -06:00
Caleb Doxsey
f73c5c615f
databroker: add support for putting multiple records (#3291) 
* databroker: add support for putting multiple records

* add OptimumPutRequestsFromRecords function

* replace GetAll with SyncLatest

* fix stream when there are no records
 2022-04-26 16:41:38 -06:00
Caleb Doxsey
74310b3de3
authorize: pass idp id for webauthn url, allow unauthenticated access to static files (#3282) 2022-04-20 11:07:09 -06:00
Caleb Doxsey
c19048649a
authorize: add support for cidr lookups (#3277) 2022-04-19 16:18:34 -06:00
Caleb Doxsey
761c17b8ac
grpc: wait for connect to be ready before making calls (#3253) 
* grpc: wait for connect to be ready before making calls

* make sure to stop the ticker
 2022-04-08 12:18:52 -06:00
Caleb Doxsey
d299b42509
authorize: add name claim (#3238) 2022-04-05 12:08:00 -06:00