3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-04-29 18:36:30 +02:00
Code Issues Projects Releases Packages Wiki Activity
1468 commits 156 branches 125 tags 103 MiB
Commit graph

83 commits

Author SHA1 Message Date
Travis Groth
c7d243d742
proxy: restrict programmatic URLs to localhost (#2049) 
Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
 2021-04-01 10:04:49 -04:00
Travis Groth
0635c838c9
authenticate: validate signature on /.pomerium, /.pomerium/sign_in and /.pomerium/sign_out (#2048) 
Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
 2021-04-01 10:04:16 -04:00
Caleb Doxsey
3690a32855
config: use getters for authenticate, signout and forward auth urls (#2000) 2021-03-19 14:49:25 -06:00
Caleb Doxsey
4f2bb60adb
proxy: redirect to dashboard for logout (#1944) 2021-02-24 11:52:38 -07:00
bobby
c3e3ed9b50
authenticate: validate origin of signout (#1876) 
* authenticate: validate origin of signout

- add a debug task to kill envoy
- improve various function docs
- userinfo: return "error" page if user is logged out without redirect uri set
- remove front channel logout. There's little difference between it, and the signout function.

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2021-02-11 21:37:54 -08:00
Caleb Doxsey
cc85ea601d
policy: add new certificate-authority option for downstream mTLS client certificates (#1835) 
* policy: add new certificate-authority option for downstream mTLS client certificates

* update proto, docs
 2021-02-01 08:10:32 -07:00
bobby
9b39deabd8
forward-auth: use envoy's ext_authz check (#1482) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-10-04 20:01:06 -07:00
Caleb Doxsey
852c96f22f
proxy: add support for /.pomerium/jwt (#1446) 2020-09-23 07:55:12 -06:00
Cuong Manh Le
9de99d0211
all: add signout redirect url (#1324) 
Fixes #1213
 2020-08-25 01:23:58 +07:00
bobby
c1b3b45d12
proxy: remove unused handlers (#1317) 
proxy: remove unused handlers

authenticate: remove unused references to refresh_token

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-08-22 10:02:12 -07:00
Cuong Manh Le
31205c0c29 proxy: fix wrong applied middleware 
Validate signature middleware must be applied for the callback
sub-router, not the whole dashboard router.

Fixes #1297
 2020-08-18 20:25:11 +07:00
Caleb Doxsey
d9a224a5e8
proxy: move properties to atomically updated state (#1280) 
* authenticate: remove cookie options

* authenticate: remove shared key field

* authenticate: remove shared cipher property

* authenticate: move properties to separate state struct

* proxy: allow local state to be updated on configuration changes

* fix test

* return new connection

* use warn, collapse to single line

* address concerns, fix tests
 2020-08-14 11:44:58 -06:00
Caleb Doxsey
fbf5b403b9
config: allow dynamic configuration of cookie settings (#1267) 2020-08-13 08:11:34 -06:00
Caleb Doxsey
fae02791f5
cryptutil: move to pkg dir, add token generator (#1029) 
* cryptutil: move to pkg dir, add token generator

* add gitignored files

* add tests
 2020-06-30 15:55:33 -06:00
Caleb Doxsey
8362f18355
authenticate: move impersonate from proxy to authenticate (#965) 2020-06-22 11:58:27 -06:00
Caleb Doxsey
dbd7f55b20
feature/databroker: user data and session refactor project (#926) 
* databroker: add databroker, identity manager, update cache (#864)

* databroker: add databroker, identity manager, update cache

* fix cache tests

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* authorize: use databroker data for rego policy (#904)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix gitlab test

* use v4 backoff

* authenticate: databroker changes (#914)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix dashboard

* delete session on logout

* permanently delete sessions once they are marked as deleted

* remove permanent delete

* fix tests

* remove groups and refresh test

* databroker: remove dead code, rename cache url, move dashboard (#925)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix dashboard

* delete session on logout

* permanently delete sessions once they are marked as deleted

* remove permanent delete

* fix tests

* remove cache service

* remove kv

* remove refresh docs

* remove obsolete cache docs

* add databroker url option

* cache: use memberlist to detect multiple instances

* add databroker service url

* remove cache service

* remove kv

* remove refresh docs

* remove obsolete cache docs

* add databroker url option

* cache: use memberlist to detect multiple instances

* add databroker service url

* wip

* remove groups and refresh test

* fix redirect, signout

* remove databroker client from proxy

* remove unused method

* remove user dashboard test

* handle missing session ids

* session: reject sessions with no id

* sessions: invalidate old sessions via databroker server version (#930)

* session: add a version field tied to the databroker server version that can be used to invalidate sessions

* fix tests

* add log

* authenticate: create user record immediately, call "get" directly in authorize (#931)
 2020-06-19 07:52:44 -06:00
Travis Groth
99e788a9b4 envoy: Initial changes 2020-05-18 17:10:10 -04:00
Bobby DeSimone
ba14ea246d
*: remove import path comments (#545) 
- import path comments are obsoleted by the go.mod file's module statement

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-03-16 10:13:47 -07:00
Bobby DeSimone
8d1732582e
authorize: use jwt insead of state struct (#514) 
authenticate: unmarshal and verify state from jwt, instead of middleware
authorize: embed opa policy using statik
authorize: have IsAuthorized handle authorization for all routes
authorize: if no signing key is provided, one is generated
authorize: remove IsAdmin grpc endpoint
authorize/client: return authorize decision struct
cmd/pomerium: main logger no longer contains email and group
cryptutil: add ECDSA signing methods
dashboard: have impersonate form show up for all users, but have api gated by authz
docs: fix typo in signed jwt header
encoding/jws: remove unused es256 signer
frontend: namespace static web assets
internal/sessions: remove leeway to match authz policy
proxy:  move signing functionality to authz
proxy: remove jwt attestation from proxy (authZ does now)
proxy: remove non-signed headers from headers
proxy: remove special handling of x-forwarded-host
sessions: do not verify state in middleware
sessions: remove leeway from state to match authz
sessions/{all}: store jwt directly instead of state

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-03-10 11:19:26 -07:00
Bobby DeSimone
2f13488598
authorize: use opa for policy engine (#474) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-02-02 11:18:22 -08:00
Bobby DeSimone
b3d3159185
httputil : wrap handlers for additional context (#413) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2019-12-06 11:07:45 -08:00
Bobby DeSimone
74cd9eabbb
authenticate: fix impersonation getting cleared (#411) 2019-11-30 10:54:32 -08:00
Bobby DeSimone
c8e6277a30
Merge remote-tracking branch 'upstream/master' into bugs/fix-forward-auth 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2019-11-25 15:02:25 -08:00
Bobby DeSimone
0f6a9d7f1d
proxy: fix forward auth, request signing 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2019-11-25 14:29:52 -08:00
Bobby DeSimone
ebee64b70b
internal/frontend : serve static assets (#392) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2019-11-22 17:46:01 -08:00
Bobby DeSimone
6743accd74
lint: bump golangci-lint 1.21.0 (#391) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2019-11-19 19:58:11 -08:00
Bobby DeSimone
00c29f4e77
authenticate: handle XHR redirect flow (#387) 
- authenticate: add cors preflight check support for sign_in endpoint
- internal/httputil: indicate responses that originate from pomerium vs the app
- proxy: detect XHR requests and do not redirect on failure.
- authenticate: removed default session duration; should be maintained out of band with rpc.
 2019-11-14 19:37:31 -08:00
Bobby DeSimone
d3d60d1055 all: support route scoped sessions 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2019-11-06 17:54:15 -08:00
Bobby DeSimone
7d7e997e79
proxy: verify endpoint strip added callback params (#368) 
- proxy: use distinct host route for forward-auth handlers
- proxy: have auth middleware set pomerium headers for request and response
 2019-10-15 15:36:00 -07:00
Bobby DeSimone
0e85b2b1cb
bug: fix forward-auth redirect (#364) 2019-10-13 11:09:30 -07:00
Bobby DeSimone
badd8d69af
internal/sessions: refactor how sessions loading (#351) 
These chagnes standardize how session loading is done for session
cookie, auth bearer token, and query params.

- Bearer token previously combined with session cookie.
- rearranged cookie-store to put exported methods above unexported
- added header store that implements session loader interface
- added query param store that implements session loader interface

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2019-10-06 10:47:53 -07:00
Bobby DeSimone
eaa1e7a4fb
proxy: support external access control requests (#324) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2019-10-03 21:22:44 -07:00
Bobby DeSimone
782ffbeb3e
proxy: use middleware to manage request flow 
proxy: remove duplicate error handling in New
proxy: remove routeConfigs in favor of using gorilla/mux
proxy: add proxy specific middleware
proxy: no longer need to use middleware / handler to check if valid route. Can use build in 404 mux.
internal/middleware: add cors bypass middleware

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2019-09-25 12:28:37 -07:00
Bobby DeSimone
cfeb5e1ef9
Merge pull request #310 from desimone/bug/262 
proxy: handle double slash in paths
 2019-09-18 19:54:38 -07:00
Bobby DeSimone
c315b62df4
Merge pull request #304 from desimone/bug/fix-group-impersonation 
proxy: fix group impersonation bug
 2019-09-18 19:54:17 -07:00
Bobby DeSimone
664fb8b0ea
proxy: remove csrf checks from proxied routes 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2019-09-18 12:47:30 -07:00
Bobby DeSimone
21e215ccea
proxy: handle double slash in paths 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2019-09-16 20:34:04 -07:00
Bobby DeSimone
decf661eb0
proxy: fix group impersonation bug 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2019-09-16 19:23:55 -07:00
Bobby DeSimone
dc12947241
all: refactor handler logic 
- all: prefer `FormValues` to `ParseForm` with subsequent `Form.Get`s
- all: refactor authentication stack to be checked by middleware, and accessible via request context.
- all: replace http.ServeMux with gorilla/mux’s router
- all: replace custom CSRF checks with gorilla/csrf middleware
- authenticate: extract callback path as constant.
- internal/config: implement stringer interface for policy
- internal/cryptutil: add helper func `NewBase64Key`
- internal/cryptutil: rename `GenerateKey` to `NewKey`
- internal/cryptutil: rename `GenerateRandomString` to `NewRandomStringN`
- internal/middleware: removed alice in favor of gorilla/mux
- internal/sessions: remove unused `ValidateRedirectURI` and `ValidateClientSecret`
- internal/sessions: replace custom CSRF with gorilla/csrf fork that supports custom handler protection
- internal/urlutil: add `SignedRedirectURL` to create hmac'd URLs
- internal/urlutil: add `ValidateURL` helper to parse URL options
- internal/urlutil: add `GetAbsoluteURL` which takes a request and returns its absolute URL.
- proxy: remove holdover state verification checks; we no longer are setting sessions in any proxy routes so we don’t need them.
- proxy: replace un-named http.ServeMux with named domain routes.

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2019-09-16 18:01:14 -07:00
Bobby DeSimone
380d314404
authenticate: make service http only 
- Rename SessionState to State to avoid stutter.
- Simplified option validation to use a wrapper function for base64 secrets.
- Removed authenticates grpc code.
- Abstracted logic to load and validate a user's authenticate session.
- Removed instances of url.Parse in favor of urlutil's version.
- proxy: replaces grpc refresh logic with forced deadline advancement.
- internal/sessions: remove rest store; parse authorize header as part of session store.
- proxy: refactor request signer
- sessions: remove extend deadline (fixes #294)
- remove AuthenticateInternalAddr
- remove AuthenticateInternalAddrString
- omit type tag.Key from declaration of vars TagKey* it will be inferred
  from the right-hand side
- remove compatibility package xerrors
- use cloned http.DefaultTransport as base transport
 2019-09-04 16:27:08 -07:00
Bobby DeSimone
6e6ab3baa0
httputil: use http error wrapper 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2019-08-24 09:15:07 -07:00
Bobby DeSimone
a962877ad4
config: fix url type regression (#253) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2019-08-03 12:08:26 -07:00
Bobby DeSimone
b85f8de05f
development: use golangci-lint 2019-07-13 18:28:51 -07:00
Bobby DeSimone
7558d5b0de
internal/config: refactor option parsing 
- authorize: build whitelist from policy's URLs instead of strings.
- internal/httputil: merged httputil and https package.
- internal/config: merged config and policy packages.
- internal/metrics: removed unused measure struct.
- proxy/clients: refactor Addr fields to be urls.
- proxy: remove unused extend deadline function.
- proxy: use handler middleware for reverse proxy leg.
- proxy: change the way websocket requests are made (route based).

General improvements
- omitted value from range in several cases where for loop could be simplified.
- added error checking to many tests.
- standardize url parsing.
- remove unnecessary return statements.

- proxy: add self-signed certificate support. #179
- proxy: add skip tls certificate verification. #179
- proxy: Refactor websocket support to be route based. #204
 2019-07-07 09:39:31 -07:00
Bobby DeSimone
15ab8a61a2
proxy: add auth redirect to internal urls 2019-07-06 11:46:25 -07:00
Bobby DeSimone
4d4293fc46
internal/logs: make non error conditions less scary in logs 
internal/metrics: simplified struct definition with fmt -s.
internal/metrics: added full path to package name.
 2019-06-17 08:40:18 +02:00
Bobby DeSimone
a7637cdf49
proxy: allow custom redirect url to be set following signout 2019-06-13 21:39:29 -07:00
Bobby DeSimone
cf0f98536a
authenticate: programmatic access support 
- authenticate: added a token exchange api endpoint that converts
  an identity provider's JWT into a pomerium session.
- internal/identity: authenticate now passes context.
- internal/identity: removed extraneous GetSignInURL from okta.
- internal/sessions: add rest store
- update go.mod / go.sum depedencies.
- docs: add programmatic examples in shell and python
 2019-06-12 14:51:19 -07:00
Bobby DeSimone
554e62108f
authorize: fix headers when impersonating 
- Add user impersonation docs.
- Add navbar link to v0.0.5 docs.
 2019-06-11 15:40:28 -07:00
Travis Groth
64eb992854 Protect Options from being mutated by services 
- Change Options URLs from pointers to values

- Remove special handling for AuthenticateURL checksum

- Change Options itself to a value
 2019-06-04 22:47:07 -04:00