Caleb Doxsey
ba0fcffe81
storage: invalidate sync querier when records are updated ( #5612 )
...
## Summary
Invalidate the sync querier when records are updated so that we fallback
to databroker querying until the sync is complete.
## Related issues
For
[ENG-2377](https://linear.app/pomerium/issue/ENG-2377/core-initial-access-with-idp-accessidentity-tokens-sometimes-fails )
## Checklist
- [x] reference any related issues
- [x] updated unit tests
- [x] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [x] ready for review
2025-05-12 13:45:36 -06:00
Caleb Doxsey
f6b344fd9e
identity: add IdP access and identity token verification for OIDC ( #5614 )
...
## Summary
For the generic `oidc` provider, used by `auth0`, `cognito`, `gitlab`,
`google`, `oidc`, `okta`, `onelogin` and `ping`, add support for direct
access and identity token verification. Because Keycloak uses `oidc`
this also adds support for Keycloak.
Access tokens are verified by using the user info endpoint. If a call to
this endpoint succeeds using the access token, that access token is
considered valid and the user info claims will be returned.
Identity tokens are verified by using the jwks endpoint to retrieve the
signing key, and verifying that the identity token was signed with that
key. If the identity token is valid the claims in the JWT will be
returned.
## Related issues
-
[ENG-2312](https://linear.app/pomerium/issue/ENG-2312/core-implement-token-validation-for-keycloak )
## Checklist
- [x] reference any related issues
- [x] updated unit tests
- [x] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [x] ready for review
2025-05-12 13:45:25 -06:00
Caleb Doxsey
93b8c93daa
authenticate: add support for apple identity tokens ( #5610 )
...
## Summary
Add support for IdP identity token authorization for Apple. Apple does
not appear to support access token validation.
This allows a user to pass an identity token directly as a bearer token:
```
curl -H 'Authorization: Bearer Apple-Identity-Token' ...
```
## Related issues
-
[ENG-2000](https://linear.app/pomerium/issue/ENG-2000/core-implement-token-validation-for-apple )
## Checklist
- [x] reference any related issues
- [x] updated unit tests
- [x] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [x] ready for review
2025-05-09 11:01:34 -06:00
dependabot[bot]
c1c540f876
chore(deps): bump the go group across 1 directory with 31 updates ( #5608 )
...
* chore(deps): bump the go group across 1 directory with 31 updates
---
updated-dependencies:
- dependency-name: buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go
dependency-version: 1.36.6-20250425153114-8976f5be98c1.1
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: cloud.google.com/go/storage
dependency-version: 1.53.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/aws/aws-sdk-go-v2/config
dependency-version: 1.29.14
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/aws/aws-sdk-go-v2/service/s3
dependency-version: 1.79.3
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/caddyserver/certmagic
dependency-version: 0.23.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/cloudflare/circl
dependency-version: 1.6.1
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/coreos/go-oidc/v3
dependency-version: 3.14.1
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/docker/docker
dependency-version: 28.1.1+incompatible
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/exaring/otelpgx
dependency-version: 0.9.1
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/fsnotify/fsnotify
dependency-version: 1.9.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/gaissmai/bart
dependency-version: 0.20.4
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/grpc-ecosystem/go-grpc-middleware/v2
dependency-version: 2.3.2
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/mholt/acmez/v3
dependency-version: 3.1.2
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/miekg/dns
dependency-version: 1.1.65
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/minio/minio-go/v7
dependency-version: 7.0.91
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/open-policy-agent/opa
dependency-version: 1.4.2
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/pires/go-proxyproto
dependency-version: 0.8.1
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/prometheus/client_golang
dependency-version: 1.22.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/prometheus/client_model
dependency-version: 0.6.2
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/prometheus/procfs
dependency-version: 0.16.1
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/quic-go/quic-go
dependency-version: 0.51.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/testcontainers/testcontainers-go
dependency-version: 0.37.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: go.opentelemetry.io/proto/otlp
dependency-version: 1.6.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: go.uber.org/mock
dependency-version: 0.5.2
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: golang.org/x/crypto
dependency-version: 0.37.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: golang.org/x/net
dependency-version: 0.39.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: golang.org/x/oauth2
dependency-version: 0.29.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: golang.org/x/sync
dependency-version: 0.13.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: golang.org/x/sys
dependency-version: 0.32.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: google.golang.org/api
dependency-version: 0.230.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: google.golang.org/genproto/googleapis/rpc
dependency-version: 0.0.0-20250428153025-10db94c68c34
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
...
* hold back go-proxyproto, update protovalidate-go
The go-proxyproto module appears to have an incorrect go directive, so
hold off on this version update for now.
The bufbuild/protovalidate/protocolbuffers/go module requires a newer
version of the bufbuild/protovalidate-go module. This also introduces a
small formatting change to the validation error message in one of our
unit tests.
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com>
2025-05-07 10:04:03 -07:00
dependabot[bot]
881373cb08
chore(deps): bump github.com/open-policy-agent/opa from 1.3.0 to 1.4.0 ( #5609 )
...
Bumps
[github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa )
from 1.3.0 to 1.4.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/open-policy-agent/opa/releases ">github.com/open-policy-agent/opa's
releases</a>.</em></p>
<blockquote>
<h2>v1.4.0</h2>
<p>This release contains a security fix addressing CVE-2025-46569.
It also includes a mix of new features, bugfixes, and dependency
updates.</p>
<h4>Security Fix: CVE-2025-46569 - OPA server Data API HTTP path
injection of Rego (<a
href="https://github.com/open-policy-agent/opa/security/advisories/GHSA-6m8w-jc87-6cr7 ">GHSA-6m8w-jc87-6cr7</a>)</h4>
<p>A vulnerability in the OPA server's <a
href="https://www.openpolicyagent.org/docs/latest/rest-api/#data-api ">Data
API</a> allows an attacker to craft the HTTP path in a way that injects
Rego code into the query that is evaluated.<br />
The evaluation result cannot be made to return any other data than what
is generated by the requested path, but this path can be misdirected,
and the injected Rego code can be crafted to make the query succeed or
fail; opening up for oracle attacks or, given the right circumstances,
erroneous policy decision results.
Furthermore, the injected code can be crafted to be computationally
expensive, resulting in a Denial Of Service (DoS) attack.</p>
<p><strong>Users are only impacted if all of the following
apply:</strong></p>
<ul>
<li>OPA is deployed as a standalone server (rather than being used as a
Go library)</li>
<li>The OPA server is exposed outside of the local host in an untrusted
environment.</li>
<li>The configured <a
href="https://www.openpolicyagent.org/docs/latest/security/#authentication-and-authorization ">authorization
policy</a> does not do exact matching of the input.path attribute when
deciding if the request should be allowed.</li>
</ul>
<p><strong>or, if all of the following apply:</strong></p>
<ul>
<li>OPA is deployed as a standalone server.</li>
<li>The service connecting to OPA allows 3rd parties to insert
unsanitised text into the path of the HTTP request to OPA’s Data
API.</li>
</ul>
<p>Note: With <strong>no</strong> <a
href="https://www.openpolicyagent.org/docs/latest/security/#authentication-and-authorization ">Authorization
Policy</a> configured for restricting API access (the default
configuration), the RESTful <a
href="https://www.openpolicyagent.org/docs/latest/rest-api/#data-api ">Data
API</a> provides access for managing Rego policies; and the RESTful <a
href="https://www.openpolicyagent.org/docs/latest/rest-api/#query-api ">Query
API</a> facilitates advanced queries.
Full access to these APIs provides both simpler, and broader access than
what the security issue describes here can facilitate.
As such, OPA servers exposed to a network are <strong>not</strong>
considered affected by the attack described here if they are knowingly
not restricting access through an Authorization Policy.</p>
<p>This issue affects all versions of OPA prior to 1.4.0.</p>
<p>See the <a
href="https://github.com/open-policy-agent/opa/security/advisories/GHSA-6m8w-jc87-6cr7 ">Security
Advisory</a> for more details.</p>
<p>Reported by <a
href="https://github.com/GamrayW "><code>@GamrayW</code></a>, <a
href="https://github.com/HyouKash "><code>@HyouKash</code></a>, <a
href="https://github.com/AdrienIT "><code>@AdrienIT</code></a>, authored
by <a
href="https://github.com/johanfylling "><code>@johanfylling</code></a></p>
<h3>Runtime, Tooling, SDK</h3>
<ul>
<li>ast: Adding <code>rego_v1</code> feature to
<code>--v0-compatible</code> capabilities (<a
href="https://redirect.github.com/open-policy-agent/opa/pull/7474 ">#7474</a>)
authored by <a
href="https://github.com/johanfylling "><code>@johanfylling</code></a></li>
<li>executable: Add version and icon to OPA windows executable (<a
href="https://redirect.github.com/open-policy-agent/opa/issues/3171 ">#3171</a>)
authored by <a
href="https://github.com/sspaink "><code>@sspaink</code></a> reported by
<a
href="https://github.com/christophwille "><code>@christophwille</code></a></li>
<li>format: Don't panic on format due to unexpected comments (<a
href="https://redirect.github.com/open-policy-agent/opa/issues/6330 ">#6330</a>)
authored by <a
href="https://github.com/sspaink "><code>@sspaink</code></a> reported by
<a href="https://github.com/sirpi "><code>@sirpi</code></a></li>
<li>format: Avoid modifying strings when formatting (<a
href="https://redirect.github.com/open-policy-agent/opa/issues/6220 ">#6220</a>)
authored by <a
href="https://github.com/sspaink "><code>@sspaink</code></a> reported by
<a href="https://github.com/zregvart "><code>@zregvart</code></a></li>
<li>plugins/status: FIFO buffer channel for status events to prevent
slow status API blocking (<a
href="https://redirect.github.com/open-policy-agent/opa/pull/7522 ">#7522</a>)
authored by <a
href="https://github.com/sspaink "><code>@sspaink</code></a></li>
</ul>
<h3>Topdown and Rego</h3>
<ul>
<li>gqlparser: Add JSON annotation in
<code>internal/gqlparser/ast</code> to Position fields (<a
href="https://redirect.github.com/open-policy-agent/opa/pull/7509 ">#7509</a>)
authored by <a
href="https://github.com/robmyersrobmyers "><code>@robmyersrobmyers</code></a></li>
<li>graphql: Cache GraphQL schema parse results (<a
href="https://redirect.github.com/open-policy-agent/opa/pull/7457 ">#7457</a>)
authored by <a
href="https://github.com/robmyersrobmyers "><code>@robmyersrobmyers</code></a></li>
<li>topdown: Handling default functions in Partial Eval (<a
href="https://redirect.github.com/open-policy-agent/opa/issues/7220 ">#7220</a>)
authored by <a
href="https://github.com/johanfylling "><code>@johanfylling</code></a></li>
<li>topdown: Fix wall clock time init for <code>PartialRun()</code> (<a
href="https://redirect.github.com/open-policy-agent/opa/issues/7490 ">#7490</a>)
authored by <a
href="https://github.com/srenatus "><code>@srenatus</code></a></li>
<li>topdown: Zero alloc lower/upper unless changed (<a
href="https://redirect.github.com/open-policy-agent/opa/pull/7472 ">#7472</a>)
authored by <a
href="https://github.com/anderseknert "><code>@anderseknert</code></a></li>
</ul>
<h3>Docs, Website, Ecosystem</h3>
<ul>
<li>adopters: Cloudsmith adds support for OPA (<a
href="https://redirect.github.com/open-policy-agent/opa/pull/7498 ">#7498</a>)
authored by <a
href="https://github.com/ndouglas-cloudsmith "><code>@ndouglas-cloudsmith</code></a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md ">github.com/open-policy-agent/opa's
changelog</a>.</em></p>
<blockquote>
<h2>1.4.0</h2>
<p>This release contains a security fix addressing CVE-2025-46569.
It also includes a mix of new features, bugfixes, and dependency
updates.</p>
<h4>Security Fix: CVE-2025-46569 - OPA server Data API HTTP path
injection of Rego (<a
href="https://github.com/open-policy-agent/opa/security/advisories/GHSA-6m8w-jc87-6cr7 ">GHSA-6m8w-jc87-6cr7</a>)</h4>
<p>A vulnerability in the OPA server's <a
href="https://www.openpolicyagent.org/docs/latest/rest-api/#data-api ">Data
API</a> allows an attacker to craft the HTTP path in a way that injects
Rego code into the query that is evaluated.<br />
The evaluation result cannot be made to return any other data than what
is generated by the requested path, but this path can be misdirected,
and the injected Rego code can be crafted to make the query succeed or
fail; opening up for oracle attacks or, given the right circumstances,
erroneous policy decision results.
Furthermore, the injected code can be crafted to be computationally
expensive, resulting in a Denial Of Service (DoS) attack.</p>
<p><strong>Users are only impacted if all of the following
apply:</strong></p>
<ul>
<li>OPA is deployed as a standalone server (rather than being used as a
Go library)</li>
<li>The OPA server is exposed outside of the local host in an untrusted
environment.</li>
<li>The configured <a
href="https://www.openpolicyagent.org/docs/latest/security/#authentication-and-authorization ">authorization
policy</a> does not do exact matching of the input.path attribute when
deciding if the request should be allowed.</li>
</ul>
<p><strong>or, if all of the following apply:</strong></p>
<ul>
<li>OPA is deployed as a standalone server.</li>
<li>The service connecting to OPA allows 3rd parties to insert
unsanitised text into the path of the HTTP request to OPA’s Data
API.</li>
</ul>
<p>Note: With <strong>no</strong> <a
href="https://www.openpolicyagent.org/docs/latest/security/#authentication-and-authorization ">Authorization
Policy</a> configured for restricting API access (the default
configuration), the RESTful <a
href="https://www.openpolicyagent.org/docs/latest/rest-api/#data-api ">Data
API</a> provides access for managing Rego policies; and the RESTful <a
href="https://www.openpolicyagent.org/docs/latest/rest-api/#query-api ">Query
API</a> facilitates advanced queries.
Full access to these APIs provides both simpler, and broader access than
what the security issue describes here can facilitate.
As such, OPA servers exposed to a network are <strong>not</strong>
considered affected by the attack described here if they are knowingly
not restricting access through an Authorization Policy.</p>
<p>This issue affects all versions of OPA prior to 1.4.0.</p>
<p>See the <a
href="https://github.com/open-policy-agent/opa/security/advisories/GHSA-6m8w-jc87-6cr7 ">Security
Advisory</a> for more details.</p>
<p>Reported by <a
href="https://github.com/GamrayW "><code>@GamrayW</code></a>, <a
href="https://github.com/HyouKash "><code>@HyouKash</code></a>, <a
href="https://github.com/AdrienIT "><code>@AdrienIT</code></a>, authored
by <a
href="https://github.com/johanfylling "><code>@johanfylling</code></a></p>
<h3>Runtime, Tooling, SDK</h3>
<ul>
<li>ast: Adding <code>rego_v1</code> feature to
<code>--v0-compatible</code> capabilities (<a
href="https://redirect.github.com/open-policy-agent/opa/pull/7474 ">#7474</a>)
authored by <a
href="https://github.com/johanfylling "><code>@johanfylling</code></a></li>
<li>executable: Add version and icon to OPA windows executable (<a
href="https://redirect.github.com/open-policy-agent/opa/issues/3171 ">#3171</a>)
authored by <a
href="https://github.com/sspaink "><code>@sspaink</code></a> reported by
<a
href="https://github.com/christophwille "><code>@christophwille</code></a></li>
<li>format: Don't panic on format due to unexpected comments (<a
href="https://redirect.github.com/open-policy-agent/opa/issues/6330 ">#6330</a>)
authored by <a
href="https://github.com/sspaink "><code>@sspaink</code></a> reported by
<a href="https://github.com/sirpi "><code>@sirpi</code></a></li>
<li>format: Avoid modifying strings when formatting (<a
href="https://redirect.github.com/open-policy-agent/opa/issues/6220 ">#6220</a>)
authored by <a
href="https://github.com/sspaink "><code>@sspaink</code></a> reported by
<a href="https://github.com/zregvart "><code>@zregvart</code></a></li>
<li>plugins/status: FIFO buffer channel for status events to prevent
slow status API blocking (<a
href="https://redirect.github.com/open-policy-agent/opa/pull/7522 ">#7522</a>)
authored by <a
href="https://github.com/sspaink "><code>@sspaink</code></a></li>
</ul>
<h3>Topdown and Rego</h3>
<ul>
<li>gqlparser: Add JSON annotation in
<code>internal/gqlparser/ast</code> to Position fields (<a
href="https://redirect.github.com/open-policy-agent/opa/pull/7509 ">#7509</a>)
authored by <a
href="https://github.com/robmyersrobmyers "><code>@robmyersrobmyers</code></a></li>
<li>graphql: Cache GraphQL schema parse results (<a
href="https://redirect.github.com/open-policy-agent/opa/pull/7457 ">#7457</a>)
authored by <a
href="https://github.com/robmyersrobmyers "><code>@robmyersrobmyers</code></a></li>
<li>topdown: Handling default functions in Partial Eval (<a
href="https://redirect.github.com/open-policy-agent/opa/issues/7220 ">#7220</a>)
authored by <a
href="https://github.com/johanfylling "><code>@johanfylling</code></a></li>
<li>topdown: Fix wall clock time init for <code>PartialRun()</code> (<a
href="https://redirect.github.com/open-policy-agent/opa/issues/7490 ">#7490</a>)
authored by <a
href="https://github.com/srenatus "><code>@srenatus</code></a></li>
<li>topdown: Zero alloc lower/upper unless changed (<a
href="https://redirect.github.com/open-policy-agent/opa/pull/7472 ">#7472</a>)
authored by <a
href="https://github.com/anderseknert "><code>@anderseknert</code></a></li>
</ul>
<h3>Docs, Website, Ecosystem</h3>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="8b0720247ehttps://redirect.github.com/open-policy-agent/opa/issues/7541 ">#7541</a>)</li>
<li><a
href="ad2063247a24ff9cfb3ahttps://redirect.github.com/open-policy-agent/opa/issues/7525 ">#7525</a>)</li>
<li><a
href="254f3bf0b99b5f6010c0https://redirect.github.com/open-policy-agent/opa/issues/7532 ">#7532</a>)</li>
<li><a
href="e490277477https://redirect.github.com/open-policy-agent/opa/issues/7531 ">#7531</a>)</li>
<li><a
href="d65888c14feb77d10971https://redirect.github.com/open-policy-agent/opa/issues/7529 ">#7529</a>)</li>
<li><a
href="f07d604b4fhttps://redirect.github.com/open-policy-agent/opa/issues/7528 ">#7528</a>)</li>
<li><a
href="828b8cb156https://redirect.github.com/open-policy-agent/opa/issues/7524 ">#7524</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/open-policy-agent/opa/compare/v1.3.0...v1.4.0 ">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores )
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/pomerium/pomerium/network/alerts ).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-05-06 11:19:35 -06:00
Denis Mishin
1a19ccabd8
mcp: add global runtime flag ( #5604 )
...
## Summary
Adds global runtime flag to enable/disable MCP support. (off by
default).
```yaml
runtime_flags:
mcp: true
```
## Related issues
Fix:
https://linear.app/pomerium/issue/ENG-2367/place-mcp-support-behind-a-runtime-flag
## User Explanation
<!-- How would you explain this change to the user? If this
change doesn't create any user-facing changes, you can leave
this blank. If filled out, add the `docs` label -->
## Checklist
- [x] reference any related issues
- [ ] updated unit tests
- [ ] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [ ] ready for review
2025-05-02 16:33:42 -04:00
Caleb Doxsey
d1559eaa86
upgrade google.golang.org/grpc/health/grpc_health_v1 ( #5605 )
...
## Summary
Upgrade `google.golang.org/grpc/health/grpc_health_v1` which has a new
`List` method, so use the `UnimplementedHealthServer`.
## Related issues
- https://github.com/pomerium/ingress-controller/pull/1152
## User Explanation
<!-- How would you explain this change to the user? If this
change doesn't create any user-facing changes, you can leave
this blank. If filled out, add the `docs` label -->
## Checklist
- [ ] reference any related issues
- [ ] updated unit tests
- [ ] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [x] ready for review
2025-05-02 14:32:04 -06:00
Denis Mishin
6caf65a117
mcp: add list-routes client helper ( #5596 )
2025-05-01 15:02:28 -04:00
dependabot[bot]
d2e2f56d57
chore(deps): bump the docker group in /.github with 3 updates ( #5603 )
...
Bumps the docker group in /.github with 3 updates: busybox, distroless/base and distroless/base-debian12.
Updates `busybox` from `498a000` to `37f7b37`
Updates `distroless/base` from `74ddbf5` to `2776987`
Updates `distroless/base-debian12` from `74ddbf5` to `2776987`
---
updated-dependencies:
- dependency-name: busybox
dependency-version: latest
dependency-type: direct:production
dependency-group: docker
- dependency-name: distroless/base
dependency-version: latest
dependency-type: direct:production
dependency-group: docker
- dependency-name: distroless/base-debian12
dependency-version: latest
dependency-type: direct:production
dependency-group: docker
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-05-01 11:54:12 -06:00
dependabot[bot]
5984f0f1e4
chore(deps): bump the github-actions group with 5 updates ( #5600 )
...
Bumps the github-actions group with 5 updates:
| Package | From | To |
| --- | --- | --- |
| [docker/build-push-action](https://github.com/docker/build-push-action ) | `6.15.0` | `6.16.0` |
| [stefanzweifel/git-auto-commit-action](https://github.com/stefanzweifel/git-auto-commit-action ) | `5.1.0` | `5.2.0` |
| [actions/setup-node](https://github.com/actions/setup-node ) | `4.3.0` | `4.4.0` |
| [google-github-actions/auth](https://github.com/google-github-actions/auth ) | `2.1.8` | `2.1.10` |
| [actions/setup-python](https://github.com/actions/setup-python ) | `5.5.0` | `5.6.0` |
Updates `docker/build-push-action` from 6.15.0 to 6.16.0
- [Release notes](https://github.com/docker/build-push-action/releases )
- [Commits](471d1dc4e0...14487ce63chttps://github.com/stefanzweifel/git-auto-commit-action/releases )
- [Changelog](https://github.com/stefanzweifel/git-auto-commit-action/blob/master/CHANGELOG.md )
- [Commits](e348103e90...b863ae1933https://github.com/actions/setup-node/releases )
- [Commits](cdca7365b2...49933ea528https://github.com/google-github-actions/auth/releases )
- [Changelog](https://github.com/google-github-actions/auth/blob/main/CHANGELOG.md )
- [Commits](71f986410d...ba79af0395https://github.com/actions/setup-python/releases )
- [Commits](8d9ed9ac5c...a26af69be9
2025-05-01 11:01:35 -06:00
dependabot[bot]
3b2963101e
chore(deps): bump the docker group with 2 updates ( #5597 )
...
Bumps the docker group with 2 updates: node and golang.
Updates `node` from `c7fd844` to `a1f1274`
Updates `golang` from `fa1a01d` to `79390b5`
---
updated-dependencies:
- dependency-name: node
dependency-version: lts-bookworm
dependency-type: direct:production
dependency-group: docker
- dependency-name: golang
dependency-version: 1.24-bookworm
dependency-type: direct:production
dependency-group: docker
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-05-01 11:00:58 -06:00
Caleb Doxsey
2d097ec2f8
add additional authorization check logs ( #5598 )
2025-05-01 10:57:28 -06:00
Denis Mishin
9d66f762e1
mcp: handle and pass upstream oauth2 tokens ( #5595 )
2025-05-01 12:42:31 -04:00
Denis Mishin
561b6040b5
mcp: redirect to upstream oauth2 for authentication ( #5594 )
2025-05-01 12:16:44 -04:00
Denis Mishin
5b024a8ada
mcp: pass access token to the upstream ( #5593 )
2025-04-29 12:13:18 -04:00
Denis Mishin
b9e3a5d301
mcp: add upstream oauth2 config types ( #5592 )
2025-04-28 19:18:44 -04:00
Denis Mishin
daaf5b8e30
mcp: authorize: load session from the access token ( #5591 )
2025-04-28 16:32:06 -04:00
Denis Mishin
0602f5e00d
mcp: token: handle authorization_code (pt2) ( #5589 )
2025-04-28 14:37:19 -04:00
Denis Mishin
7b9c392531
mcp: token: handle authorization_code request (pt1) ( #5587 )
2025-04-28 14:09:22 -04:00
Kenneth Jenkins
b7dbc8e467
storage: use a fake DNS server in TestLookup ( #5590 )
2025-04-28 09:14:01 -07:00
Denis Mishin
4dd5357fe3
mcp: extend code usage ( #5588 )
2025-04-25 14:47:11 -04:00
Denis Mishin
9e4947c62f
mcp: authorize request (pt2) ( #5586 )
2025-04-24 12:11:19 -07:00
Denis Mishin
63ccf6ab93
mcp: authorize request (pt1) ( #5585 )
2025-04-24 14:59:12 -04:00
Denis Mishin
b566661353
mcp: client registration: store to the databroker ( #5584 )
2025-04-24 14:54:31 -04:00
Denis Mishin
9f4b03f916
mcp: add rfc7591 types ( #5583 )
2025-04-24 14:46:08 -04:00
Denis Mishin
db221cb826
mcp: storage scaffolding ( #5581 )
2025-04-23 13:39:27 -04:00
Denis Mishin
f1a9401ddc
mcp: scaffolding of /.pomerium/mcp routes ( #5580 )
2025-04-23 12:36:31 -04:00
Denis Mishin
cb0e8aaf06
mcp: add oauth metadata endpoint ( #5579 )
2025-04-23 12:24:00 -04:00
Kenneth Jenkins
2e7d1c7f12
authorize: refactor logAuthorizeCheck() ( #5576 )
...
Currently, policy evaluation and authorize logging are coupled to the
Envoy CheckRequest proto message (part of the ext_authz API). In the
context of ssh proxy authentication, we won't have a CheckRequest.
Instead, let's make the existing evaluator.Request type the source of
truth for the authorize log fields.
This way, whether we populate the evaluator.Request struct from an
ext_authz request or from an ssh proxy request, we can use the same
logAuthorizeCheck() method for logging.
Add some additional fields to evaluator.RequestHTTP for the authorize
log fields that are not currently represented in this struct.
2025-04-23 09:21:52 -07:00
Caleb Doxsey
8738066ce4
storage: add sync querier ( #5570 )
...
* storage: add fallback querier
* storage: add sync querier
* storage: add typed querier
* use synced querier
2025-04-23 10:15:48 -06:00
Kenneth Jenkins
e1d84a1dde
logging: standardize on hyphens in attribute names ( #5577 )
2025-04-22 10:57:19 -07:00
Denis Mishin
e71fca76f2
mcp: add to route config, 401 when unauthenticated ( #5578 )
2025-04-22 11:47:09 -04:00
Caleb Doxsey
a10b505386
add code of conduct ( #5572 )
2025-04-14 12:53:28 -06:00
Caleb Doxsey
395541775c
add CONTRIBUTING ( #5573 )
...
* add CONTRIBUTING
* fix url
2025-04-14 11:53:20 -07:00
Caleb Doxsey
e78cfc0687
cleanup logs ( #5571 )
2025-04-14 08:20:10 -06:00
Kenneth Jenkins
62addcf2a5
API changes for multi-domain login redirects ( #5565 )
...
Add a depends_on field to the Route proto and update the to/from
conversion methods.
2025-04-11 14:56:16 -07:00
dependabot[bot]
4af9150b39
chore(deps): bump @babel/runtime from 7.24.4 to 7.26.10 in /ui ( #5522 )
...
Bumps [@babel/runtime](https://github.com/babel/babel/tree/HEAD/packages/babel-runtime ) from 7.24.4 to 7.26.10.
- [Release notes](https://github.com/babel/babel/releases )
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md )
- [Commits](https://github.com/babel/babel/commits/v7.26.10/packages/babel-runtime )
---
updated-dependencies:
- dependency-name: "@babel/runtime"
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-04-11 08:02:05 -06:00
Caleb Doxsey
3891293fa7
storage: add minimum record version hint ( #5569 )
...
* storage: add minimum record version hint
* use response record version
* fix record version in query response
2025-04-10 11:15:14 -06:00
Caleb Doxsey
cd731789be
storage: support ip address indexing for the in-memory store ( #5568 )
2025-04-10 08:21:52 -06:00
Denis Mishin
c7ffb95483
add v0.29.0 release notes ( #5515 )
2025-04-08 11:34:20 -04:00
Caleb Doxsey
a1eb75a8fe
add support for pomerium.request.headers for set_request_headers ( #5563 )
...
* add support for pomerium.request.headers for set_request_headers
* add peg grammar
2025-04-07 10:32:03 -06:00
dependabot[bot]
5f95dd32db
chore(deps): bump the go group with 39 updates ( #5559 )
...
* chore(deps): bump the go group with 39 updates
Bumps the go group with 39 updates:
| Package | From | To |
| --- | --- | --- |
| [cloud.google.com/go/storage](https://github.com/googleapis/google-cloud-go ) | `1.50.0` | `1.51.0` |
| [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2 ) | `1.29.8` | `1.29.12` |
| [github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2 ) | `1.78.0` | `1.79.0` |
| [github.com/bits-and-blooms/bitset](https://github.com/bits-and-blooms/bitset ) | `1.21.0` | `1.22.0` |
| [github.com/caddyserver/certmagic](https://github.com/caddyserver/certmagic ) | `0.21.7` | `0.22.2` |
| [github.com/coreos/go-oidc/v3](https://github.com/coreos/go-oidc ) | `3.12.0` | `3.13.0` |
| [github.com/docker/docker](https://github.com/docker/docker ) | `28.0.1+incompatible` | `28.0.4+incompatible` |
| [github.com/grpc-ecosystem/go-grpc-middleware/v2](https://github.com/grpc-ecosystem/go-grpc-middleware ) | `2.3.0` | `2.3.1` |
| [github.com/jackc/pgx/v5](https://github.com/jackc/pgx ) | `5.7.2` | `5.7.4` |
| [github.com/mholt/acmez/v3](https://github.com/mholt/acmez ) | `3.0.1` | `3.1.1` |
| [github.com/minio/minio-go/v7](https://github.com/minio/minio-go ) | `7.0.87` | `7.0.89` |
| [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa ) | `1.2.0` | `1.3.0` |
| [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang ) | `1.21.0` | `1.21.1` |
| [github.com/prometheus/common](https://github.com/prometheus/common ) | `0.62.0` | `0.63.0` |
| [github.com/prometheus/procfs](https://github.com/prometheus/procfs ) | `0.15.1` | `0.16.0` |
| [github.com/quic-go/quic-go](https://github.com/quic-go/quic-go ) | `0.50.0` | `0.50.1` |
| [github.com/rs/zerolog](https://github.com/rs/zerolog ) | `1.33.0` | `1.34.0` |
| [github.com/spf13/viper](https://github.com/spf13/viper ) | `1.19.0` | `1.20.1` |
| [github.com/testcontainers/testcontainers-go](https://github.com/testcontainers/testcontainers-go ) | `0.35.0` | `0.36.0` |
| [go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc](https://github.com/open-telemetry/opentelemetry-go-contrib ) | `0.59.0` | `0.60.0` |
| [go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp](https://github.com/open-telemetry/opentelemetry-go-contrib ) | `0.59.0` | `0.60.0` |
| [go.opentelemetry.io/contrib/propagators/autoprop](https://github.com/open-telemetry/opentelemetry-go-contrib ) | `0.59.0` | `0.60.0` |
| [go.opentelemetry.io/otel](https://github.com/open-telemetry/opentelemetry-go ) | `1.34.0` | `1.35.0` |
| [go.opentelemetry.io/otel/bridge/opencensus](https://github.com/open-telemetry/opentelemetry-go ) | `1.34.0` | `1.35.0` |
| [go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc](https://github.com/open-telemetry/opentelemetry-go ) | `1.34.0` | `1.35.0` |
| [go.opentelemetry.io/otel/exporters/otlp/otlptrace](https://github.com/open-telemetry/opentelemetry-go ) | `1.34.0` | `1.35.0` |
| [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc](https://github.com/open-telemetry/opentelemetry-go ) | `1.34.0` | `1.35.0` |
| [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp](https://github.com/open-telemetry/opentelemetry-go ) | `1.34.0` | `1.35.0` |
| [go.opentelemetry.io/otel/metric](https://github.com/open-telemetry/opentelemetry-go ) | `1.34.0` | `1.35.0` |
| [go.opentelemetry.io/otel/sdk](https://github.com/open-telemetry/opentelemetry-go ) | `1.34.0` | `1.35.0` |
| [go.opentelemetry.io/otel/sdk/metric](https://github.com/open-telemetry/opentelemetry-go ) | `1.34.0` | `1.35.0` |
| [go.opentelemetry.io/otel/trace](https://github.com/open-telemetry/opentelemetry-go ) | `1.34.0` | `1.35.0` |
| [golang.org/x/net](https://github.com/golang/net ) | `0.37.0` | `0.38.0` |
| [golang.org/x/oauth2](https://github.com/golang/oauth2 ) | `0.27.0` | `0.28.0` |
| [golang.org/x/time](https://github.com/golang/time ) | `0.10.0` | `0.11.0` |
| [google.golang.org/api](https://github.com/googleapis/google-api-go-client ) | `0.223.0` | `0.224.0` |
| [google.golang.org/genproto/googleapis/rpc](https://github.com/googleapis/go-genproto ) | `0.0.0-20250219182151-9fdb1cabc7b2` | `0.0.0-20250303144028-a0af3efb3deb` |
| [google.golang.org/grpc](https://github.com/grpc/grpc-go ) | `1.71.0` | `1.71.1` |
| google.golang.org/protobuf | `1.36.5` | `1.36.6` |
Updates `cloud.google.com/go/storage` from 1.50.0 to 1.51.0
- [Release notes](https://github.com/googleapis/google-cloud-go/releases )
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md )
- [Commits](https://github.com/googleapis/google-cloud-go/compare/spanner/v1.50.0...spanner/v1.51.0 )
Updates `github.com/aws/aws-sdk-go-v2/config` from 1.29.8 to 1.29.12
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases )
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json )
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.29.8...config/v1.29.12 )
Updates `github.com/aws/aws-sdk-go-v2/service/s3` from 1.78.0 to 1.79.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases )
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json )
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.78.0...service/s3/v1.79.0 )
Updates `github.com/bits-and-blooms/bitset` from 1.21.0 to 1.22.0
- [Release notes](https://github.com/bits-and-blooms/bitset/releases )
- [Commits](https://github.com/bits-and-blooms/bitset/compare/v1.21.0...v1.22.0 )
Updates `github.com/caddyserver/certmagic` from 0.21.7 to 0.22.2
- [Release notes](https://github.com/caddyserver/certmagic/releases )
- [Commits](https://github.com/caddyserver/certmagic/compare/v0.21.7...v0.22.2 )
Updates `github.com/coreos/go-oidc/v3` from 3.12.0 to 3.13.0
- [Release notes](https://github.com/coreos/go-oidc/releases )
- [Commits](https://github.com/coreos/go-oidc/compare/v3.12.0...v3.13.0 )
Updates `github.com/docker/docker` from 28.0.1+incompatible to 28.0.4+incompatible
- [Release notes](https://github.com/docker/docker/releases )
- [Commits](https://github.com/docker/docker/compare/v28.0.1...v28.0.4 )
Updates `github.com/grpc-ecosystem/go-grpc-middleware/v2` from 2.3.0 to 2.3.1
- [Release notes](https://github.com/grpc-ecosystem/go-grpc-middleware/releases )
- [Commits](https://github.com/grpc-ecosystem/go-grpc-middleware/compare/v2.3.0...v2.3.1 )
Updates `github.com/jackc/pgx/v5` from 5.7.2 to 5.7.4
- [Changelog](https://github.com/jackc/pgx/blob/master/CHANGELOG.md )
- [Commits](https://github.com/jackc/pgx/compare/v5.7.2...v5.7.4 )
Updates `github.com/mholt/acmez/v3` from 3.0.1 to 3.1.1
- [Release notes](https://github.com/mholt/acmez/releases )
- [Commits](https://github.com/mholt/acmez/compare/v3.0.1...v3.1.1 )
Updates `github.com/minio/minio-go/v7` from 7.0.87 to 7.0.89
- [Release notes](https://github.com/minio/minio-go/releases )
- [Commits](https://github.com/minio/minio-go/compare/v7.0.87...v7.0.89 )
Updates `github.com/open-policy-agent/opa` from 1.2.0 to 1.3.0
- [Release notes](https://github.com/open-policy-agent/opa/releases )
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md )
- [Commits](https://github.com/open-policy-agent/opa/compare/v1.2.0...v1.3.0 )
Updates `github.com/prometheus/client_golang` from 1.21.0 to 1.21.1
- [Release notes](https://github.com/prometheus/client_golang/releases )
- [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md )
- [Commits](https://github.com/prometheus/client_golang/compare/v1.21.0...v1.21.1 )
Updates `github.com/prometheus/common` from 0.62.0 to 0.63.0
- [Release notes](https://github.com/prometheus/common/releases )
- [Changelog](https://github.com/prometheus/common/blob/main/RELEASE.md )
- [Commits](https://github.com/prometheus/common/compare/v0.62.0...v0.63.0 )
Updates `github.com/prometheus/procfs` from 0.15.1 to 0.16.0
- [Release notes](https://github.com/prometheus/procfs/releases )
- [Commits](https://github.com/prometheus/procfs/compare/v0.15.1...v0.16.0 )
Updates `github.com/quic-go/quic-go` from 0.50.0 to 0.50.1
- [Release notes](https://github.com/quic-go/quic-go/releases )
- [Changelog](https://github.com/quic-go/quic-go/blob/master/Changelog.md )
- [Commits](https://github.com/quic-go/quic-go/compare/v0.50.0...v0.50.1 )
Updates `github.com/rs/zerolog` from 1.33.0 to 1.34.0
- [Commits](https://github.com/rs/zerolog/compare/v1.33.0...v1.34.0 )
Updates `github.com/spf13/viper` from 1.19.0 to 1.20.1
- [Release notes](https://github.com/spf13/viper/releases )
- [Commits](https://github.com/spf13/viper/compare/v1.19.0...v1.20.1 )
Updates `github.com/testcontainers/testcontainers-go` from 0.35.0 to 0.36.0
- [Release notes](https://github.com/testcontainers/testcontainers-go/releases )
- [Commits](https://github.com/testcontainers/testcontainers-go/compare/v0.35.0...v0.36.0 )
Updates `go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc` from 0.59.0 to 0.60.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases )
- [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md )
- [Commits](https://github.com/open-telemetry/opentelemetry-go-contrib/compare/zpages/v0.59.0...zpages/v0.60.0 )
Updates `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` from 0.59.0 to 0.60.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases )
- [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md )
- [Commits](https://github.com/open-telemetry/opentelemetry-go-contrib/compare/zpages/v0.59.0...zpages/v0.60.0 )
Updates `go.opentelemetry.io/contrib/propagators/autoprop` from 0.59.0 to 0.60.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases )
- [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md )
- [Commits](https://github.com/open-telemetry/opentelemetry-go-contrib/compare/zpages/v0.59.0...zpages/v0.60.0 )
Updates `go.opentelemetry.io/otel` from 1.34.0 to 1.35.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases )
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md )
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.34.0...v1.35.0 )
Updates `go.opentelemetry.io/otel/bridge/opencensus` from 1.34.0 to 1.35.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases )
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md )
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.34.0...v1.35.0 )
Updates `go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc` from 1.34.0 to 1.35.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases )
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md )
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.34.0...v1.35.0 )
Updates `go.opentelemetry.io/otel/exporters/otlp/otlptrace` from 1.34.0 to 1.35.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases )
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md )
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.34.0...v1.35.0 )
Updates `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc` from 1.34.0 to 1.35.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases )
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md )
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.34.0...v1.35.0 )
Updates `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp` from 1.34.0 to 1.35.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases )
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md )
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.34.0...v1.35.0 )
Updates `go.opentelemetry.io/otel/metric` from 1.34.0 to 1.35.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases )
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md )
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.34.0...v1.35.0 )
Updates `go.opentelemetry.io/otel/sdk` from 1.34.0 to 1.35.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases )
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md )
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.34.0...v1.35.0 )
Updates `go.opentelemetry.io/otel/sdk/metric` from 1.34.0 to 1.35.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases )
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md )
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.34.0...v1.35.0 )
Updates `go.opentelemetry.io/otel/trace` from 1.34.0 to 1.35.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases )
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md )
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.34.0...v1.35.0 )
Updates `golang.org/x/net` from 0.37.0 to 0.38.0
- [Commits](https://github.com/golang/net/compare/v0.37.0...v0.38.0 )
Updates `golang.org/x/oauth2` from 0.27.0 to 0.28.0
- [Commits](https://github.com/golang/oauth2/compare/v0.27.0...v0.28.0 )
Updates `golang.org/x/time` from 0.10.0 to 0.11.0
- [Commits](https://github.com/golang/time/compare/v0.10.0...v0.11.0 )
Updates `google.golang.org/api` from 0.223.0 to 0.224.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases )
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md )
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.223.0...v0.224.0 )
Updates `google.golang.org/genproto/googleapis/rpc` from 0.0.0-20250219182151-9fdb1cabc7b2 to 0.0.0-20250303144028-a0af3efb3deb
- [Commits](https://github.com/googleapis/go-genproto/commits )
Updates `google.golang.org/grpc` from 1.71.0 to 1.71.1
- [Release notes](https://github.com/grpc/grpc-go/releases )
- [Commits](https://github.com/grpc/grpc-go/compare/v1.71.0...v1.71.1 )
Updates `google.golang.org/protobuf` from 1.36.5 to 1.36.6
---
updated-dependencies:
- dependency-name: cloud.google.com/go/storage
dependency-version: 1.51.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/aws/aws-sdk-go-v2/config
dependency-version: 1.29.12
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/aws/aws-sdk-go-v2/service/s3
dependency-version: 1.79.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/bits-and-blooms/bitset
dependency-version: 1.22.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/caddyserver/certmagic
dependency-version: 0.22.2
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/coreos/go-oidc/v3
dependency-version: 3.13.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/docker/docker
dependency-version: 28.0.4+incompatible
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/grpc-ecosystem/go-grpc-middleware/v2
dependency-version: 2.3.1
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/jackc/pgx/v5
dependency-version: 5.7.4
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/mholt/acmez/v3
dependency-version: 3.1.1
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/minio/minio-go/v7
dependency-version: 7.0.89
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/open-policy-agent/opa
dependency-version: 1.3.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/prometheus/client_golang
dependency-version: 1.21.1
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/prometheus/common
dependency-version: 0.63.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/prometheus/procfs
dependency-version: 0.16.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/quic-go/quic-go
dependency-version: 0.50.1
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: github.com/rs/zerolog
dependency-version: 1.34.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/spf13/viper
dependency-version: 1.20.1
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: github.com/testcontainers/testcontainers-go
dependency-version: 0.36.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
dependency-version: 0.60.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
dependency-version: 0.60.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: go.opentelemetry.io/contrib/propagators/autoprop
dependency-version: 0.60.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: go.opentelemetry.io/otel
dependency-version: 1.35.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: go.opentelemetry.io/otel/bridge/opencensus
dependency-version: 1.35.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc
dependency-version: 1.35.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace
dependency-version: 1.35.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc
dependency-version: 1.35.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
dependency-version: 1.35.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: go.opentelemetry.io/otel/metric
dependency-version: 1.35.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: go.opentelemetry.io/otel/sdk
dependency-version: 1.35.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: go.opentelemetry.io/otel/sdk/metric
dependency-version: 1.35.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: go.opentelemetry.io/otel/trace
dependency-version: 1.35.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: golang.org/x/net
dependency-version: 0.38.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: golang.org/x/oauth2
dependency-version: 0.28.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: golang.org/x/time
dependency-version: 0.11.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: google.golang.org/api
dependency-version: 0.224.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go
- dependency-name: google.golang.org/genproto/googleapis/rpc
dependency-version: 0.0.0-20250303144028-a0af3efb3deb
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: google.golang.org/grpc
dependency-version: 1.71.1
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
- dependency-name: google.golang.org/protobuf
dependency-version: 1.36.6
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go
...
Signed-off-by: dependabot[bot] <support@github.com>
* fix build errors
* update OPA formatting in policy generator test
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com>
2025-04-04 16:26:51 -07:00
Kenneth Jenkins
c848c225e8
multi-domain login redirects ( #5564 )
...
Add a new 'depends_on' route configuration option taking a list of
additional hosts to redirect through on login. Update the authorize
service and proxy service to support a chain of /.pomerium/callback
redirects. Add an integration test for this feature.
2025-04-04 13:14:30 -07:00
Caleb Doxsey
c47055bece
upgrade to go v1.24 ( #5562 )
...
* upgrade to go v1.24
* add a macOS-specific //nolint comment too
---------
Co-authored-by: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com>
2025-04-02 15:53:09 -06:00
dependabot[bot]
8d9f1bb38e
chore(deps): bump the github-actions group with 7 updates ( #5557 )
...
Bumps the github-actions group with 7 updates:
| Package | From | To |
| --- | --- | --- |
| [docker/login-action](https://github.com/docker/login-action ) | `3.3.0` | `3.4.0` |
| [actions/setup-go](https://github.com/actions/setup-go ) | `5.3.0` | `5.4.0` |
| [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action ) | `6.5.0` | `7.0.0` |
| [actions/setup-node](https://github.com/actions/setup-node ) | `4.2.0` | `4.3.0` |
| [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action ) | `6.2.1` | `6.3.0` |
| [actions/upload-artifact](https://github.com/actions/upload-artifact ) | `4.6.1` | `4.6.2` |
| [actions/setup-python](https://github.com/actions/setup-python ) | `5.4.0` | `5.5.0` |
Updates `docker/login-action` from 3.3.0 to 3.4.0
- [Release notes](https://github.com/docker/login-action/releases )
- [Commits](9780b0c442...74a5d14239https://github.com/actions/setup-go/releases )
- [Commits](f111f3307d...0aaccfd150https://github.com/golangci/golangci-lint-action/releases )
- [Commits](2226d7cb06...1481404843https://github.com/actions/setup-node/releases )
- [Commits](1d0ff469b7...cdca7365b2https://github.com/goreleaser/goreleaser-action/releases )
- [Commits](https://github.com/goreleaser/goreleaser-action/compare/v6.2.1...v6.3.0 )
Updates `actions/upload-artifact` from 4.6.1 to 4.6.2
- [Release notes](https://github.com/actions/upload-artifact/releases )
- [Commits](4cec3d8aa0...ea165f8d65https://github.com/actions/setup-python/releases )
- [Commits](42375524e2...8d9ed9ac5c
2025-04-02 12:44:49 -06:00
Caleb Doxsey
c5716a6045
remove debug log message for directories ( #5560 )
2025-04-02 10:17:42 -06:00
dependabot[bot]
9161cac1eb
chore(deps): bump the docker group with 3 updates ( #5558 )
...
Bumps the docker group with 3 updates: node, golang and distroless/base-debian12.
Updates `node` from `f6b9c31` to `c7fd844`
Updates `golang` from `d7d795d` to `fa1a01d`
Updates `distroless/base-debian12` from `3a59a8d` to `02be006`
---
updated-dependencies:
- dependency-name: node
dependency-version: lts-bookworm
dependency-type: direct:production
dependency-group: docker
- dependency-name: golang
dependency-version: 1.24-bookworm
dependency-type: direct:production
dependency-group: docker
- dependency-name: distroless/base-debian12
dependency-version: debug
dependency-type: direct:production
dependency-group: docker
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-04-01 16:56:57 -06:00
Caleb Doxsey
e984d07a55
return errors according to accept header ( #5551 )
2025-04-01 08:36:00 -06:00
Kenneth Jenkins
ce46562a48
ci: build docker images for experimental/* branches ( #5552 )
2025-03-28 13:06:18 -07:00
Caleb Doxsey
1a199eb9f5
authenticate: remove /.pomerium/callback handler ( #5553 )
2025-03-28 13:04:25 -06:00
