Caleb Doxsey
b9fd926618
authorize: support authenticating with idp tokens ( #5484 )
* identity: add support for verifying access and identity tokens
* allow overriding with policy option
* authenticate: add verify endpoints
* wip
* implement session creation
* add verify test
* implement idp token login
* fix tests
* add pr permission
* make session ids route-specific
* rename method
* add test
* add access token test
* test for newUserFromIDPClaims
* more tests
* make the session id per-idp
* use type for
* add test
* remove nil checks
2025-02-18 13:02:06 -07:00
Caleb Doxsey
1e9a09269b
config: add support for http3 advertise port ( #5466 )
2025-02-03 13:58:57 -07:00
Joe Kralicky
5e94b2f8f1
Refactor trace config to match supported otel options ( #5447 )
* Refactor trace config to match supported otel options
* use duration instead of int64 for otel timeouts
* change 'trace client updated' log level to debug
2025-01-30 11:59:19 -05:00
Joe Kralicky
396c35b6b4
New tracing system ( #5388 )
* update tracing config definitions
* new tracing system
* performance improvements
* only configure tracing in envoy if it is enabled in pomerium
* [tracing] refactor to use custom extension for trace id editing (#5420 )
refactor to use custom extension for trace id editing
* set default tracing sample rate to 1.0
* fix proxy service http middleware
* improve some existing auth related traces
* test fixes
* bump envoyproxy/go-control-plane
* code cleanup
* test fixes
* Fix missing spans for well-known endpoints
* import extension apis from pomerium/envoy-custom
2025-01-21 13:26:32 -05:00
Kenneth Jenkins
832742648d
config: add new OTLP tracing fields ( #5421 )
Add new tracing options fields to the Settings proto and Options struct.
Co-authored-by: Joe Kralicky <joekralicky@gmail.com>
2025-01-17 14:56:42 -08:00
Caleb Doxsey
8bc86fe06f
config: add route name, description and logo ( #5424 )
* config: add route name, description and logo
* remove name generation
2025-01-14 14:55:14 -07:00
Caleb Doxsey
c571769adc
config: add source ppl field ( #5419 )
2025-01-14 10:13:56 -07:00
Kenneth Jenkins
21b9e7890c
authorize: add filter options for JWT groups ( #5417 )
Add a new option for filtering to a subset of directory groups in the
Pomerium JWT and Impersonate-Group headers. Add a JWTGroupsFilter field
to both the Options struct (for a global filter) and to the Policy
struct (for per-route filter). These will be populated only from the
config protos, and not from a config file.
If either filter is set, then for each of a user's groups, the group
name or group ID will be added to the JWT groups claim only if it is an
exact string match with one of the elements of either filter.
2025-01-08 13:57:57 -08:00
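The matching rule in the commit above (exact string match of a group's name or ID against the union of the global and per-route filters, with no filtering when neither is set) is shown below as an added example in Go. This is not Pomerium's code: the `Group` record shape, the names `GroupsFilter` and `FilterJWTGroups`, and the choice to emit group IDs when no filter is set are assumptions; the directory data in `main` is constructed.

```go
package main

import "fmt"

// Group models a directory group; the real record type in Pomerium's directory
// packages is not shown on this page, so this shape is an assumption.
type Group struct {
	ID   string
	Name string
}

// GroupsFilter holds the two filters the commit describes: a global one
// (Options.JWTGroupsFilter) and a per-route one (Policy.JWTGroupsFilter).
type GroupsFilter struct {
	Global []string
	Route  []string
}

// IsSet reports whether either filter has at least one element.
func (f GroupsFilter) IsSet() bool {
	return len(f.Global) > 0 || len(f.Route) > 0
}

// allowed builds the union of both filters for exact-match lookups.
func (f GroupsFilter) allowed() map[string]struct{} {
	m := make(map[string]struct{}, len(f.Global)+len(f.Route))
	for _, s := range f.Global {
		m[s] = struct{}{}
	}
	for _, s := range f.Route {
		m[s] = struct{}{}
	}
	return m
}

// FilterJWTGroups returns the values to place in the JWT "groups" claim.
//
// With no filter set every group ID is passed through (assumption: the
// unfiltered output shape is not described by the commit). With a filter set,
// a group's ID or name is included only on an exact, case-sensitive string
// match with an element of either filter; prefix, glob and case-folded
// matches are deliberately rejected, so a filter for "admins" cannot be
// satisfied by "Admins" or "admins-readonly".
func FilterJWTGroups(groups []Group, f GroupsFilter) []string {
	out := make([]string, 0, len(groups))
	if !f.IsSet() {
		for _, g := range groups {
			out = append(out, g.ID)
		}
		return out
	}
	allowed := f.allowed()
	seen := make(map[string]struct{})
	for _, g := range groups {
		for _, candidate := range []string{g.ID, g.Name} {
			if candidate == "" {
				continue
			}
			if _, ok := allowed[candidate]; !ok {
				continue
			}
			if _, dup := seen[candidate]; dup {
				continue
			}
			seen[candidate] = struct{}{}
			out = append(out, candidate)
		}
	}
	return out
}

func main() {
	// Constructed sample directory data, not from the page.
	groups := []Group{
		{ID: "g-001", Name: "admins"},
		{ID: "g-002", Name: "developers"},
		{ID: "g-003", Name: "Admins"},          // case differs: must not match "admins"
		{ID: "g-004", Name: "admins-readonly"}, // prefix only: must not match either
	}
	fmt.Println(FilterJWTGroups(groups, GroupsFilter{}))
	fmt.Println(FilterJWTGroups(groups, GroupsFilter{
		Global: []string{"admins"},
		Route:  []string{"g-002"},
	}))
}
```

Exact matching is the safer default for an authorization claim: a route whose policy checks `groups` for "admins" should not be satisfied by a similarly named group that an IdP administrator created later.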
Caleb Doxsey
4a5b737763
config: fix lost branding settings when there are multiple configuration sources ( #5401 )
2024-12-19 08:47:28 -07:00
Denis Mishin
2bb70258c3
authorize/log: remove audit logging ( #5369 )
2024-11-22 14:32:52 -05:00
Caleb Doxsey
3a8bdde211
authorize: remove wait for ready ( #5376 )
2024-11-22 10:17:00 -07:00
Joe Kralicky
526e2a58d6
New integration test fixtures ( #5233 )
* Initial test environment implementation
* linter pass
* wip: update request latency test
* bugfixes
* Fix logic race in envoy process monitor when canceling context
* skip tests using test environment on non-linux
2024-11-05 14:31:40 -05:00
Joe Kralicky
fe31799eb5
Fix many instances of contexts and loggers not being propagated ( #5340 )
This also replaces instances where we manually write "return ctx.Err()"
with "return context.Cause(ctx)" which is functionally identical, but
will also correctly propagate cause errors if present.
2024-10-25 14:50:56 -04:00
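The `ctx.Err()` versus `context.Cause(ctx)` distinction the commit above relies on is shown below as an added example in Go; it is not Pomerium's code. `WaitForWork`, `ErrPeerDisconnected` and the two driver functions are constructed for illustration. The example also covers the case the commit's wording implies but does not spell out: a cause recorded on a parent context is visible through `context.Cause` on a derived child.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// ErrPeerDisconnected is a constructed cause, standing in for whatever reason
// a caller records when it cancels (a closed stream, a restarted peer).
var ErrPeerDisconnected = errors.New("peer disconnected")

// WaitForWork blocks until work arrives or ctx ends. On cancellation it
// returns context.Cause(ctx) rather than ctx.Err(): the two are identical when
// no cause was recorded, but only Cause surfaces the error passed to a
// cancel-with-cause function, including one recorded on a parent context.
func WaitForWork(ctx context.Context, work <-chan struct{}) error {
	select {
	case <-work:
		return nil
	case <-ctx.Done():
		return context.Cause(ctx)
	}
}

// CancelWithCause cancels a parent with a cause, then waits on a child derived
// from it with a timeout. It returns what child.Err() and WaitForWork report
// so the difference is observable: Err() says only "canceled", the returned
// error carries the cause.
func CancelWithCause() (plainErr, returnedErr error) {
	parent, cancel := context.WithCancelCause(context.Background())
	child, stop := context.WithTimeout(parent, time.Minute)
	defer stop()
	cancel(ErrPeerDisconnected) // propagates to child synchronously
	return child.Err(), WaitForWork(child, make(chan struct{}))
}

// CancelPlain cancels without a cause: both reports collapse to context.Canceled.
func CancelPlain() (plainErr, returnedErr error) {
	ctx, cancel := context.WithCancel(context.Background())
	cancel()
	return ctx.Err(), WaitForWork(ctx, make(chan struct{}))
}

func main() {
	plain, returned := CancelWithCause()
	fmt.Printf("with cause: ctx.Err()=%v returned=%v\n", plain, returned)
	plain, returned = CancelPlain()
	fmt.Printf("no cause:   ctx.Err()=%v returned=%v\n", plain, returned)
}
```

For incident response this matters: a log line that says only "context canceled" gives no hint whether a request died because the client went away, a deadline fired, or a dependency was torn down, whereas the cause names the originating event.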
Joe Kralicky
a42e286637
Add new jwt issuer format route option ( #5338 )
2024-10-25 13:07:47 -04:00
Caleb Doxsey
d2c14cd6d2
logging: remove ctx from global log methods ( #5337 )
* log: remove warn
* log: update debug
* log: update info
* remove level, log
* remove contextLogger function
2024-10-23 14:18:52 -06:00
Caleb Doxsey
27947b19cb
core/config: add kubernetes_service_account_token_file ( #5322 )
* core/config: add kubernetes_service_account_token_file
* fix loading of token file
2024-10-10 14:53:45 -06:00
Joe Kralicky
0e13248685
Core-Zero Import ( #5288 )
* initial core-zero import implementation
* Update /config/import openapi description and use PUT instead of POST
* update import ui tests
* Add 413 as a possible response for /config/import
* Options/Settings type conversion tests and related bugfixes
* Fixes for proto type conversion and tests
* Update core-zero import client
* Update core-zero import client
* Update import api and environment detection
* update go.mod
* remove old testdata
* Remove usage of deleted setting after merge
* remove extra newline from --version output
2024-10-09 18:51:56 -04:00
Kenneth Jenkins
01d375f0bc
config: remove unused gRPC setting ( #5308 )
Remove the grpc_client_dns_roundrobin option as it appears to be unused
since commit bbec2cae9f.
2024-10-03 10:14:54 -07:00
Caleb Doxsey
9d6b656fbe
core/proxy: fix is-enterprise check ( #5295 )
2024-09-19 13:10:45 -06:00
Kenneth Jenkins
6171c09596
config: remove unused databroker storage settings ( #5285 )
Config options concerning the TLS connection from databroker to storage
backend are now unused. TLS options for this connection can instead be
set directly in the databroker storage connection string.
2024-09-16 11:58:57 -07:00
Caleb Doxsey
146efc1b13
core/zero: add usage reporter ( #5281 )
* wip
* add response
* handle empty email
* use set, update log
* add test
* add coalesce, comments, test
* add test, fix bug
* use builtin cmp.Or
* remove wait ready call
* use api error
2024-09-12 15:45:54 -06:00
Caleb Doxsey
dad954ae16
core/logging: change log.Error function ( #5251 )
* core/logging: change log.Error function
* use request id
2024-09-05 15:42:46 -06:00
Caleb Doxsey
d062f9d68d
core/logs: remove warnings ( #5235 )
* core/logs: remove warnings
* switch to error
2024-08-27 09:38:50 -06:00
Caleb Doxsey
556b2e0d73
core/grpc: add mock for registry service ( #5243 )
2024-08-26 11:30:17 -06:00
Caleb Doxsey
98cea10421
Revert "core/grpc: add IterateAll method" ( #5234 )
Revert "core/grpc: add IterateAll method (#5227 )"
This reverts commit 3961098681.
2024-08-23 10:35:46 -06:00
Caleb Doxsey
3961098681
core/grpc: add IterateAll method ( #5227 )
* core/grpc: add IterateAll method
* Update pkg/grpc/databroker/generic.go
Co-authored-by: Denis Mishin <dmishin@pomerium.com>
---------
Co-authored-by: Denis Mishin <dmishin@pomerium.com>
2024-08-20 09:34:26 -06:00
Caleb Doxsey
0cfb1025db
core/proto: update protoc dependencies ( #5218 )
* core/proto: update protoc dependencies
* cleanup
* disable unimplemented forward compatibility check
* fix mock
* add generate make command
* add .0
2024-08-15 11:12:05 -06:00
Denis Mishin
e2251b2d57
databroker/leaser: set timeout on ReleaseLease ( #5208 )
2024-08-06 14:47:59 -04:00
Kenneth Jenkins
418ee79e1a
authenticate: rework session ID token handling ( #5178 )
Currently, the Session proto id_token field is populated with Pomerium
session data during initial login, but with IdP ID token data after an
IdP session refresh.
Instead, store only IdP ID token data in this field.
Update the existing SetRawIDToken method to populate the structured data
fields based on the contents of the raw ID token. Remove the other code
that sets these fields (in the authenticateflow package and in
manager.sessionUnmarshaler).
Add a test for the identity manager, exercising the combined effect of
session claims unmarshaling and SetRawIDToken(), to verify that the
combined behavior is preserved unchanged.
2024-07-29 12:43:50 -07:00
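What "populate the structured data fields based on the contents of the raw ID token" involves is shown below as an added example in Go. This is not Pomerium's `SetRawIDToken`: the `IDTokenClaims` field set, the function names and the sample token built by `SampleIDToken` are all constructed for illustration. The security caveat is the important part: decoding claims without a signature check is only acceptable for a token that arrived straight from the IdP's token endpoint over TLS, which is the situation the commit describes (initial login and IdP refresh); the same parse must never be applied to a token a client hands to the proxy. Note also that the decoded `exp` is recorded but, as the OIDC note quoted in the session commit on this page says, it is not what decides whether the Pomerium session is still valid.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// IDTokenClaims is the structured data this example derives from a raw ID
// token. Which fields the real SetRawIDToken fills is not listed on this page,
// so this field set is an assumption.
type IDTokenClaims struct {
	Issuer    string
	Subject   string
	Email     string
	IssuedAt  time.Time
	ExpiresAt time.Time
}

// DecodeIDTokenClaims parses the payload of a compact JWS without checking the
// signature. That is acceptable only for a token received straight from the
// IdP's token endpoint over TLS during login or refresh; a token presented by
// a client must be signature-verified against the IdP's JWKS before anything
// in it is trusted.
func DecodeIDTokenClaims(raw string) (IDTokenClaims, error) {
	parts := strings.Split(raw, ".")
	if len(parts) != 3 {
		return IDTokenClaims{}, errors.New("id token: expected three dot-separated segments")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return IDTokenClaims{}, fmt.Errorf("id token: payload is not base64url: %w", err)
	}
	var wire struct {
		Iss   string `json:"iss"`
		Sub   string `json:"sub"`
		Email string `json:"email"`
		Iat   int64  `json:"iat"`
		Exp   int64  `json:"exp"`
	}
	if err := json.Unmarshal(payload, &wire); err != nil {
		return IDTokenClaims{}, fmt.Errorf("id token: payload is not JSON: %w", err)
	}
	// iss and sub are required by OIDC Core; refuse a token that lacks them
	// rather than producing a session with an empty identity.
	if wire.Iss == "" || wire.Sub == "" {
		return IDTokenClaims{}, errors.New("id token: iss and sub are required")
	}
	return IDTokenClaims{
		Issuer:    wire.Iss,
		Subject:   wire.Sub,
		Email:     wire.Email,
		IssuedAt:  time.Unix(wire.Iat, 0).UTC(),
		ExpiresAt: time.Unix(wire.Exp, 0).UTC(),
	}, nil
}

// segment base64url-encodes a JSON value, as JWS segments are.
func segment(v any) string {
	b, _ := json.Marshal(v)
	return base64.RawURLEncoding.EncodeToString(b)
}

// SampleIDToken builds a constructed ID token with a placeholder signature so
// the example runs offline; it is not a token issued by any real IdP.
func SampleIDToken(claims map[string]any) string {
	header := segment(map[string]string{"alg": "RS256", "typ": "JWT"})
	return header + "." + segment(claims) + ".placeholder-signature"
}

func main() {
	tok := SampleIDToken(map[string]any{
		"iss":   "https://idp.example.com",
		"sub":   "user-123",
		"email": "alice@example.com",
		"iat":   1700000000,
		"exp":   1700003600,
	})
	claims, err := DecodeIDTokenClaims(tok)
	fmt.Printf("%+v err=%v\n", claims, err)
	_, err = DecodeIDTokenClaims("not.a-jwt")
	fmt.Println("malformed:", err)
}
```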
Kenneth Jenkins
9fe646f25a
session: do not invalidate based on ID token ( #5182 )
Per the OIDC spec, section 2:
> NOTE: The ID Token expiration time is unrelated [to] the lifetime of
> the authenticated session between the RP and the OP.
A Pomerium session should remain valid for as long as the underlying
OAuth2 session.
2024-07-19 16:29:06 -07:00
Caleb Doxsey
e5e6558de6
core/authorize: require new login when authenticate url changes ( #5165 )
2024-07-12 10:57:41 -06:00
dependabot[bot]
8f8c66e9fd
chore(deps): bump the go group with 21 updates ( #5162 )
* chore(deps): bump the go group with 21 updates
Bumps the go group with 21 updates:
| Package | From | To |
| --- | --- | --- |
| [cloud.google.com/go/storage](https://github.com/googleapis/google-cloud-go ) | `1.41.0` | `1.42.0` |
| [github.com/aws/aws-sdk-go-v2](https://github.com/aws/aws-sdk-go-v2 ) | `1.27.0` | `1.30.1` |
| [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2 ) | `1.27.16` | `1.27.23` |
| [github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2 ) | `1.54.3` | `1.57.1` |
| [github.com/caddyserver/certmagic](https://github.com/caddyserver/certmagic ) | `0.21.2` | `0.21.3` |
| [github.com/cloudflare/circl](https://github.com/cloudflare/circl ) | `1.3.8` | `1.3.9` |
| [github.com/docker/docker](https://github.com/docker/docker ) | `26.1.3+incompatible` | `27.0.3+incompatible` |
| [github.com/go-chi/chi/v5](https://github.com/go-chi/chi ) | `5.0.12` | `5.1.0` |
| [github.com/gorilla/websocket](https://github.com/gorilla/websocket ) | `1.5.1` | `1.5.3` |
| [github.com/klauspost/compress](https://github.com/klauspost/compress ) | `1.17.8` | `1.17.9` |
| [github.com/minio/minio-go/v7](https://github.com/minio/minio-go ) | `7.0.70` | `7.0.72` |
| [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa ) | `0.65.0` | `0.66.0` |
| [github.com/prometheus/common](https://github.com/prometheus/common ) | `0.53.0` | `0.55.0` |
| [github.com/spf13/viper](https://github.com/spf13/viper ) | `1.18.2` | `1.19.0` |
| [golang.org/x/crypto](https://github.com/golang/crypto ) | `0.23.0` | `0.24.0` |
| [golang.org/x/net](https://github.com/golang/net ) | `0.25.0` | `0.26.0` |
| [golang.org/x/oauth2](https://github.com/golang/oauth2 ) | `0.20.0` | `0.21.0` |
| [golang.org/x/sys](https://github.com/golang/sys ) | `0.20.0` | `0.21.0` |
| [google.golang.org/api](https://github.com/googleapis/google-api-go-client ) | `0.178.0` | `0.183.0` |
| [google.golang.org/genproto/googleapis/rpc](https://github.com/googleapis/go-genproto ) | `0.0.0-20240515191416-fc5f0ca64291` | `0.0.0-20240528184218-531527333157` |
| google.golang.org/protobuf | `1.34.1` | `1.34.2` |
Updates `cloud.google.com/go/storage` from 1.41.0 to 1.42.0
- [Release notes](https://github.com/googleapis/google-cloud-go/releases )
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md )
- [Commits](https://github.com/googleapis/google-cloud-go/compare/spanner/v1.41.0...spanner/v1.42.0 )
Updates `github.com/aws/aws-sdk-go-v2` from 1.27.0 to 1.30.1
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases )
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/v1.27.0...v1.30.1 )
Updates `github.com/aws/aws-sdk-go-v2/config` from 1.27.16 to 1.27.23
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases )
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.27.16...config/v1.27.23 )
Updates `github.com/aws/aws-sdk-go-v2/service/s3` from 1.54.3 to 1.57.1
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases )
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.54.3...service/s3/v1.57.1 )
Updates `github.com/caddyserver/certmagic` from 0.21.2 to 0.21.3
- [Release notes](https://github.com/caddyserver/certmagic/releases )
- [Commits](https://github.com/caddyserver/certmagic/compare/v0.21.2...v0.21.3 )
Updates `github.com/cloudflare/circl` from 1.3.8 to 1.3.9
- [Release notes](https://github.com/cloudflare/circl/releases )
- [Commits](https://github.com/cloudflare/circl/compare/v1.3.8...v1.3.9 )
Updates `github.com/docker/docker` from 26.1.3+incompatible to 27.0.3+incompatible
- [Release notes](https://github.com/docker/docker/releases )
- [Commits](https://github.com/docker/docker/compare/v26.1.3...v27.0.3 )
Updates `github.com/go-chi/chi/v5` from 5.0.12 to 5.1.0
- [Release notes](https://github.com/go-chi/chi/releases )
- [Changelog](https://github.com/go-chi/chi/blob/master/CHANGELOG.md )
- [Commits](https://github.com/go-chi/chi/compare/v5.0.12...v5.1.0 )
Updates `github.com/gorilla/websocket` from 1.5.1 to 1.5.3
- [Release notes](https://github.com/gorilla/websocket/releases )
- [Commits](https://github.com/gorilla/websocket/compare/v1.5.1...v1.5.3 )
Updates `github.com/klauspost/compress` from 1.17.8 to 1.17.9
- [Release notes](https://github.com/klauspost/compress/releases )
- [Changelog](https://github.com/klauspost/compress/blob/master/.goreleaser.yml )
- [Commits](https://github.com/klauspost/compress/compare/v1.17.8...v1.17.9 )
Updates `github.com/minio/minio-go/v7` from 7.0.70 to 7.0.72
- [Release notes](https://github.com/minio/minio-go/releases )
- [Commits](https://github.com/minio/minio-go/compare/v7.0.70...v7.0.72 )
Updates `github.com/open-policy-agent/opa` from 0.65.0 to 0.66.0
- [Release notes](https://github.com/open-policy-agent/opa/releases )
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md )
- [Commits](https://github.com/open-policy-agent/opa/compare/v0.65.0...v0.66.0 )
Updates `github.com/prometheus/common` from 0.53.0 to 0.55.0
- [Release notes](https://github.com/prometheus/common/releases )
- [Changelog](https://github.com/prometheus/common/blob/main/RELEASE.md )
- [Commits](https://github.com/prometheus/common/compare/v0.53.0...v0.55.0 )
Updates `github.com/spf13/viper` from 1.18.2 to 1.19.0
- [Release notes](https://github.com/spf13/viper/releases )
- [Commits](https://github.com/spf13/viper/compare/v1.18.2...v1.19.0 )
Updates `golang.org/x/crypto` from 0.23.0 to 0.24.0
- [Commits](https://github.com/golang/crypto/compare/v0.23.0...v0.24.0 )
Updates `golang.org/x/net` from 0.25.0 to 0.26.0
- [Commits](https://github.com/golang/net/compare/v0.25.0...v0.26.0 )
Updates `golang.org/x/oauth2` from 0.20.0 to 0.21.0
- [Commits](https://github.com/golang/oauth2/compare/v0.20.0...v0.21.0 )
Updates `golang.org/x/sys` from 0.20.0 to 0.21.0
- [Commits](https://github.com/golang/sys/compare/v0.20.0...v0.21.0 )
Updates `google.golang.org/api` from 0.178.0 to 0.183.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases )
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md )
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.178.0...v0.183.0 )
Updates `google.golang.org/genproto/googleapis/rpc` from 0.0.0-20240515191416-fc5f0ca64291 to 0.0.0-20240528184218-531527333157
- [Commits](https://github.com/googleapis/go-genproto/commits )
Updates `google.golang.org/protobuf` from 1.34.1 to 1.34.2
---
updated-dependencies:
- dependency-name: cloud.google.com/go/storage
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: github.com/aws/aws-sdk-go-v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: github.com/aws/aws-sdk-go-v2/config
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
- dependency-name: github.com/aws/aws-sdk-go-v2/service/s3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: github.com/caddyserver/certmagic
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
- dependency-name: github.com/cloudflare/circl
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
- dependency-name: github.com/docker/docker
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: go
- dependency-name: github.com/go-chi/chi/v5
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: github.com/gorilla/websocket
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
- dependency-name: github.com/klauspost/compress
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
- dependency-name: github.com/minio/minio-go/v7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
- dependency-name: github.com/open-policy-agent/opa
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: github.com/prometheus/common
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: github.com/spf13/viper
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: google.golang.org/genproto/googleapis/rpc
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
...
Signed-off-by: dependabot[bot] <support@github.com>
* fix test
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
2024-07-05 13:26:47 -06:00
Caleb Doxsey
d225288ab3
core/identity: dynamic authenticator registration ( #5105 )
2024-05-07 16:45:39 -06:00
Caleb Doxsey
1a5b8b606f
core/lint: upgrade golangci-lint, replace interface{} with any ( #5099 )
* core/lint: upgrade golangci-lint, replace interface{} with any
* regen proto
2024-05-02 14:33:52 -06:00
Caleb Doxsey
fab2181be4
core/mock: switch to uber mock ( #5073 )
* core/mock: switch to uber mock
* merge main
2024-04-16 12:23:00 -06:00
Denis Mishin
e7b3d3b6e9
config: add runtime flags ( #5050 )
2024-04-04 17:51:04 -04:00
Caleb Doxsey
4ac06d3bbd
core/logging: less verbose logs ( #5040 )
2024-03-29 15:26:20 -06:00
Caleb Doxsey
513d8bf615
core/config: implement direct response ( #4960 )
* implement direct response
* proto
* fix tests
* update
2024-02-15 14:33:56 -07:00
Caleb Doxsey
4301da3648
core/telemetry: move requestid to pkg directory ( #4911 )
2024-01-19 13:18:16 -07:00
Caleb Doxsey
f684910ab3
core/config: remove cookie secure option ( #4907 )
2024-01-12 13:28:14 -07:00
Caleb Doxsey
d6221c07ce
core/config: remove debug option, always use json logs ( #4857 )
* core/config: remove debug option, always use json logs
* go mod tidy
2023-12-15 11:29:05 -07:00
Caleb Doxsey
a2fd95aae6
core/ci: update linting ( #4844 )
* core/ci: update linting
* re-add exportloopref
* re-add gocheckcompilerdirectives
* re-add stylecheck
* re-add usestdlibvars
* upgrade lint
---------
Co-authored-by: Denis Mishin <dmishin@pomerium.com>
2023-12-14 09:07:54 -08:00
Denis Mishin
c4dd965f2d
zero/telemetry: calculate DAU and MAU ( #4810 )
2023-12-11 13:37:01 -05:00
Denis Mishin
7e2532f644
zero/bundle-reconciler: better code reuse ( #4758 )
2023-11-21 14:32:52 -05:00
Denis Mishin
15ca641b9c
databroker: changeset: prevent nil data in the deleted records ( #4736 )
2023-11-10 13:04:22 -07:00
Caleb Doxsey
6de9f12ac1
core/session: fix flaky test ( #4730 )
2023-11-09 12:36:08 -07:00
Denis Mishin
cc6592b6fd
reconciler: allow custom comparison function ( #4726 )
2023-11-08 20:11:49 -05:00
Kenneth Jenkins
0238a39f23
session: add unit tests for gRPC wrapper methods ( #4713 )
2023-11-08 15:22:47 -08:00
Caleb Doxsey
3bdbd56222
core/config: add pass_identity_headers option ( #4720 )
* core/config: add pass_identity_headers option
* add to proto
* remove deprecated field
2023-11-08 13:07:37 -07:00
Denis Mishin
bfcc970839
databroker: build config concurrently, option to bypass validation ( #4655 )
* validation: option to bypass
* concurrently build config
* add regex_priority_order and route sorting
* rm mutex
2023-11-06 13:21:29 -05:00