Caleb Doxsey
af649d3eb0
envoy: implement header and query param session loading ( #684 )
* authorize: refactor session loading, implement headers and query params
* authorize: fix http recorder header, use constant for pomerium authorization header
* fix compile
* remove dead code
2020-05-18 17:10:10 -04:00
Travis Groth
99e788a9b4
envoy: Initial changes
2020-05-18 17:10:10 -04:00
Bobby DeSimone
bf9a6f5e97
cryptutil: add automatic certificate management ( #644 )
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-05-05 12:50:19 -07:00
Travis Groth
b2e3b22f14
Update JWT headers to only be in responses from forward auth endpoint ( #642 )
2020-05-04 07:26:37 -04:00
Caleb Doxsey
b1d3bbaf56
authorize: add support for .pomerium and unauthenticated routes ( #639 )
* authorize: add support for .pomerium and unauthenticated routes
integration-tests: add test for forward auth dashboard urls
* proxy: fix ctx error test to return a 200 when authorize allows it
2020-04-29 10:55:46 -06:00
Caleb Doxsey
ea1c6efc24
authorize: fix domain check bug, rewrite url for forward auth, add dev script
2020-04-20 18:24:48 -06:00
Caleb Doxsey
2130a58dfb
proxy: fmt code
2020-04-20 18:24:36 -06:00
Caleb Doxsey
5be8265e62
proxy: add test to confirm prefix routing behaves as expected
2020-04-20 18:24:36 -06:00
Caleb Doxsey
19053c8f06
proxy: add additional tests for trailing slash
2020-04-20 18:24:36 -06:00
Caleb Doxsey
e1d2501a94
proxy: move warning message to config validation
2020-04-20 18:24:36 -06:00
Caleb Doxsey
c8c307be69
proxy: update warning message
2020-04-20 18:24:36 -06:00
Caleb Doxsey
85a1a6d013
authorize,proxy: remove support for paths within the from parameter
2020-04-20 18:24:36 -06:00
Caleb Doxsey
e8c8e7c688
config: use full string url instead of just the hostname for the policy options
2020-04-20 18:24:11 -06:00
Caleb Doxsey
5ecfa34361
config: gofmt
2020-04-20 18:23:35 -06:00
Caleb Doxsey
d6591e4109
proxy: add additional tests for route matcher function
2020-04-20 18:23:35 -06:00
Caleb Doxsey
7027f458dd
config: add prefix, path and regex options
proxy: support prefix, path and regex options
2020-04-20 18:23:34 -06:00
branchmispredictor
0de3c431a6
forward-auth: validate using forwarded uri header ( #600 )
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
Co-authored-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-04-20 10:56:30 -07:00
Travis Groth
789068e27a
Add configurable JWT claim headers ( #596 )
2020-04-09 23:41:55 -04:00
Bobby DeSimone
56e3f92181
proxy: remove unused session unmarshal ( #592 )
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-04-07 19:59:40 -07:00
Bobby DeSimone
ba14ea246d
*: remove import path comments ( #545 )
- import path comments are obsoleted by the go.mod file's module statement
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-03-16 10:13:47 -07:00
Bobby DeSimone
8d1732582e
authorize: use jwt instead of state struct ( #514 )
authenticate: unmarshal and verify state from jwt, instead of middleware
authorize: embed opa policy using statik
authorize: have IsAuthorized handle authorization for all routes
authorize: if no signing key is provided, one is generated
authorize: remove IsAdmin grpc endpoint
authorize/client: return authorize decision struct
cmd/pomerium: main logger no longer contains email and group
cryptutil: add ECDSA signing methods
dashboard: have impersonate form show up for all users, but have api gated by authz
docs: fix typo in signed jwt header
encoding/jws: remove unused es256 signer
frontend: namespace static web assets
internal/sessions: remove leeway to match authz policy
proxy: move signing functionality to authz
proxy: remove jwt attestation from proxy (authZ does now)
proxy: remove non-signed headers from headers
proxy: remove special handling of x-forwarded-host
sessions: do not verify state in middleware
sessions: remove leeway from state to match authz
sessions/{all}: store jwt directly instead of state
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-03-10 11:19:26 -07:00
Travis Groth
e666306ef8
Remove superfluous Options.Checksum type conversions ( #522 )
2020-03-06 17:59:26 -05:00
Bobby DeSimone
2f13488598
authorize: use opa for policy engine ( #474 )
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-02-02 11:18:22 -08:00
ohdarling88
111aa8f4d5
move set request headers before handle allow public access to fix https://github.com/pomerium/pomerium/issues/477 ( #479 )
2020-02-02 11:15:13 -08:00
Bobby DeSimone
e82477ea5c
deployment: throw away golanglint-ci defaults ( #439 )
* deployment: throw away golanglint-ci defaults
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-01-26 12:33:45 -08:00
Bobby DeSimone
8956bf4411
proxy: add preserve host header ( #463 )
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-01-22 21:03:22 -08:00
Bobby DeSimone
dccc7cd2ff
cache: add cache service ( #457 )
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-01-20 18:25:34 -08:00
Bobby DeSimone
f0d811f2bb
proxy: fix unauthorized redirect loop (fwdauth) ( #448 )
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-01-11 10:23:50 -08:00
Bobby DeSimone
ec029c679b
authenticate/proxy: add backend refresh ( #438 )
2019-12-30 10:47:54 -08:00
Bobby DeSimone
b3d3159185
httputil: wrap handlers for additional context ( #413 )
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2019-12-06 11:07:45 -08:00
Bobby DeSimone
487fc655d6
authenticate: make session default match IDP ( #416 )
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2019-12-04 22:22:10 -08:00
Bobby DeSimone
12bae5cc43
errors: use %w verb directive ( #419 )
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2019-12-03 20:02:43 -08:00
Bobby DeSimone
74cd9eabbb
authenticate: fix impersonation getting cleared ( #411 )
2019-11-30 10:54:32 -08:00
Bobby DeSimone
c8e6277a30
Merge remote-tracking branch 'upstream/master' into bugs/fix-forward-auth
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2019-11-25 15:02:25 -08:00
Bobby DeSimone
0f6a9d7f1d
proxy: fix forward auth, request signing
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2019-11-25 14:29:52 -08:00
Bobby DeSimone
ebee64b70b
internal/frontend: serve static assets ( #392 )
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2019-11-22 17:46:01 -08:00
Travis Groth
f20d913abe
proxy: Fix policy reload regression ( #396 )
* Fix policy reload regression
* Update changelog
2019-11-22 19:28:36 -05:00
Bobby DeSimone
6743accd74
lint: bump golangci-lint 1.21.0 ( #391 )
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2019-11-19 19:58:11 -08:00
Bobby DeSimone
00c29f4e77
authenticate: handle XHR redirect flow ( #387 )
- authenticate: add cors preflight check support for sign_in endpoint
- internal/httputil: indicate responses that originate from pomerium vs the app
- proxy: detect XHR requests and do not redirect on failure.
- authenticate: removed default session duration; should be maintained out of band with rpc.
2019-11-14 19:37:31 -08:00
Bobby DeSimone
e2943b7c80
internal/sessions: fix upgrade path for new sessions ( #382 )
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2019-11-12 13:19:08 -08:00
Travis Groth
f3c62c10cc
Rename internal/config to config ( #380 )
2019-11-09 19:53:11 -05:00
Bobby DeSimone
b9ab49c32c
internal/sessions: fix cookie clear session ( #376 )
CookieStore's ClearSession now properly clears the user session cookie by setting MaxAge to -1.
internal/sessions: move encoder interface to encoding package, and rename to MarshalUnmarshaler.
internal/encoding: move mock to own package
authenticate: use INFO log level for authZ error.
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2019-11-09 10:49:24 -08:00
Bobby DeSimone
d3d60d1055
all: support route scoped sessions
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2019-11-06 17:54:15 -08:00
Bobby DeSimone
7d7e997e79
proxy: verify endpoint strip added callback params ( #368 )
- proxy: use distinct host route for forward-auth handlers
- proxy: have auth middleware set pomerium headers for request and response
2019-10-15 15:36:00 -07:00
Bobby DeSimone
0e85b2b1cb
bug: fix forward-auth redirect ( #364 )
2019-10-13 11:09:30 -07:00
Bobby DeSimone
badd8d69af
internal/sessions: refactor how sessions are loaded ( #351 )
These changes standardize how session loading is done for session
cookie, auth bearer token, and query params.
- Bearer token previously combined with session cookie.
- rearranged cookie-store to put exported methods above unexported
- added header store that implements session loader interface
- added query param store that implements session loader interface
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2019-10-06 10:47:53 -07:00
Bobby DeSimone
a96aec57d5
proxy: add per-route request headers setting ( #346 )
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2019-10-04 14:51:52 -07:00
Bobby DeSimone
c95a72e12a
proxy: fix dashboard path prefix ( #347 )
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2019-10-04 08:36:36 -07:00
Bobby DeSimone
7016534d87
proxy: use custom 404 handler ( #348 )
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2019-10-04 08:36:23 -07:00
Bobby DeSimone
eaa1e7a4fb
proxy: support external access control requests ( #324 )
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2019-10-03 21:22:44 -07:00