3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-05-06 05:46:05 +02:00
Code Issues Projects Releases Packages Wiki Activity
3353 commits 159 branches 125 tags 104 MiB
Commit graph

71 commits

Author SHA1 Message Date
Caleb Doxsey
513d8bf615
core/config: implement direct response (#4960) 
* implement direct response

* proto

* fix tests

* update
 2024-02-15 14:33:56 -07:00
Caleb Doxsey
f684910ab3
core/config: remove cookie secure option (#4907) 2024-01-12 13:28:14 -07:00
Caleb Doxsey
d6221c07ce
core/config: remove debug option, always use json logs (#4857) 
* core/config: remove debug option, always use json logs

* go mod tidy
 2023-12-15 11:29:05 -07:00
Caleb Doxsey
3bdbd56222
core/config: add pass_identity_headers option (#4720) 
* core/config: add pass_identity_headers option

* add to proto

* remove deprecated field
 2023-11-08 13:07:37 -07:00
Denis Mishin
bfcc970839
databroker: build config concurrently, option to bypass validation (#4655) 
* validation: option to bypass

* concurrently build config

* add regex_priority_order and route sorting

* rm mutex
 2023-11-06 13:21:29 -05:00
Denis Mishin
45b72bc9b5
proto: add id to certificate (#4706) 2023-11-02 21:26:30 -04:00
Caleb Doxsey
53573dc046
core/config: remove version (#4653) 
* core/config: remove version

* lint

* fix
 2023-11-01 10:19:55 -06:00
Caleb Doxsey
ae420f01c6
core/config: add config version, additional telemetry (#4645) 
* core/config: add config version, additional telemetry

* typo
 2023-10-27 15:16:40 -06:00
Caleb Doxsey
818f3926bf
core/grpc: fix deprecated protobuf package, remove tools (#4643) 2023-10-26 11:38:54 -06:00
Kenneth Jenkins
fd84075af1
config: remove set_authorization_header option (#4489) 
Remove the deprecated set_authorization_header option entirely. Add an
entry to the removedConfigFields map with a link to the relevant
Upgrading page section.
 2023-08-29 09:02:08 -07:00
Kenneth Jenkins
de68e37bc3
config: add new mTLS enforcement setting (#4443) 
Add an "enforcement" option to the new downstream mTLS configuration
settings group.

When not set, or when set to "policy_default_deny", keep the current
behavior of adding an invalid_client_certificate rule to all policies.

When the enforcement mode is set to just "policy", remove the default
invalid_client_certificate rule that would be normally added.

When the enforcement mode is set to "reject_connection", configure the
Envoy listener with the require_client_certificate setting and remove
the ACCEPT_UNTRUSTED option.

Add a corresponding field to the Settings proto.
 2023-08-09 07:53:11 -07:00
Kenneth Jenkins
24b09186a4
config: move mTLS settings to new struct (#4442) 
Move downstream mTLS settings to a nested config file object, under the
key 'downstream_mtls', and add a new DownstreamMTLSSettings struct for
these settings.

Deprecate the existing ClientCA and ClientCAFile fields in the Options
struct, but continue to honor them for now (log a warning if either is
populated).

Delete the ClientCRL and ClientCRLFile fields entirely (in current
releases these cannot be set without causing an Envoy error, so this
should not be a breaking change).

Update the Settings proto to mirror this nested structure.
 2023-08-08 10:22:48 -07:00
Caleb Doxsey
438aecd7bc
config: add customization options for logging (#4383) 
* config: add customization options for logging

* config: validate log fields

* allocate slices once
 2023-07-24 13:17:03 -06:00
Caleb Doxsey
be0104b842
config: add cookie_same_site option (#4148) 2023-05-03 14:36:42 -06:00
Caleb Doxsey
1e6a483ce9
config: add missing options (#3882) 
* config: add missing options

* remove _file options from protobuf

* fix

* lint
 2023-01-12 10:55:12 -07:00
Caleb Doxsey
cef6b355ae
config: add option for tls renegotiation (#3773) 
config: add option for tls renogotiation
 2022-11-28 14:34:06 -07:00
Caleb Doxsey
fa26587f19
remove forward auth (#3628) 2022-11-23 15:59:28 -07:00
Caleb Doxsey
c178819875
move directory providers (#3633) 
* remove directory providers and support for groups

* idp: remove directory providers

* better error messages

* fix errors

* restore postgres

* fix test
 2022-11-03 11:33:56 -06:00
Denis Mishin
2917f07dac
bump protoc to 3.21.7 (#3646) 2022-10-03 13:01:42 -04:00
Caleb Doxsey
46703b9419
config: add branding settings (#3558) 2022-08-16 14:51:47 -06:00
Caleb Doxsey
3c63b6c028
authorize: add policy error details for custom error messages (#3542) 
* authorize: add policy error details for custom error messages

* remove fmt.Println

* fix tests

* add docs
 2022-08-09 14:46:31 -06:00
Caleb Doxsey
b79f1e379f
config: add support for downstream TLS server name (#3243) 
* config: add support for downstream TLS server name

* fix whitespace

* fix whitespace

* add docs

* add tls_upstream_server_name and tls_downstream_server_name to config

* Update docs/reference/settings.yaml

Co-authored-by: Alex Fornuto <afornuto@pomerium.com>

* Update docs/reference/readme.md

Co-authored-by: Alex Fornuto <afornuto@pomerium.com>

* add deprecation notice

Co-authored-by: Alex Fornuto <afornuto@pomerium.com>
 2022-04-06 06:48:45 -07:00
Caleb Doxsey
8fc5dbf4c5
grpc: regenerate protobuf code (#3208) 2022-03-29 15:18:10 -06:00
Caleb Doxsey
efd609f6ce
config: add idp_client_id and idp_client_secret to protobuf (#3060) 2022-02-18 08:55:31 -07:00
Caleb Doxsey
99b9a3ee12
authorize: add support for passing access or id token upstream (#3047) 
* authorize: add support for passing access or id token upstream

* use an enum
 2022-02-17 09:28:31 -07:00
Caleb Doxsey
5a858f5d48
config: add internal service URLs (#2801) 
* config: add internal service URLs

* maybe fix integration tests

* add docs

* fix integration tests

* for databroker connect to external name, but listen on internal name

* Update docs/reference/readme.md

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* Update docs/reference/readme.md

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* Update docs/reference/readme.md

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* Update docs/reference/settings.yaml

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* Update docs/reference/settings.yaml

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* Update docs/reference/settings.yaml

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>
 2021-12-10 14:04:37 -05:00
Herman Slatman
7812c6985d
Add additional ACME options (#2695) 
The `autocert_ca` and `autocert_email` options have been added to be
able to configure CAs that support the ACME protocol as an alternative
to Let's Encrypt.

Fix ProtoBuf definition for additional autocert options

Fix PR comments and add ACME EAB configuration

Add configuration option for trusted CAs when talking ACME

Fix linter issues

copy edits

render updated reference to docs

Add test for autocert manager configuration

Add tests for autocert configuration options

Fix CI build issues

Don't set empty acme.EAB struct if configuration not set

Remove required email when setting custom CA

When using a non-default CA it's no longer required
to specify an email address. I required this before,
because it seemed to cause an issue in which no certificate
was issued. The root cause was something different,
rendering the hard email requirement pointless. It's
still beneficial to specify an email, though. I changed
the text in the docs to explain that.

Update generated docs

Fix failing tests by recreation of a new ACMEManager

The default ACMEManager object was reused in multiple tests,
resulting in unexpected states when tests run in parallel.
By using a new instance for every test, this is no longer
an issue.
 2021-11-02 14:44:27 -07:00
Denis Mishin
55fec9b51b
add host-rewrite options to config.proto (#2668) 2021-10-08 11:50:56 -04:00
Denis Mishin
0878315d60
bump protoc-validate (#2606) 2021-09-16 12:02:55 -04:00
Caleb Doxsey
63ee30d69c
options: remove refresh_cooldown, add allow_spdy to proto (#2446) 2021-08-06 10:06:57 -06:00
Caleb Doxsey
94eb3c1149
config: remove grpc server max connection age options (#2427) 
* config: remove grpc server max connection age options

* remove docs
 2021-08-03 09:39:48 -06:00
Caleb Doxsey
cef08a1c2d
authorize: remove service account impersonate user id, email and groups (#2365) 2021-07-15 09:31:45 -06:00
wasaga
134ca74ec9
proxy: add idle timeout (#2319) 2021-07-02 10:29:53 -04:00
Caleb Doxsey
fcb33966e2
config: add enable_google_cloud_serverless_authentication to config protobuf (#2306) 
* config: add enable_google_cloud_serverless_authentication to config protobuf

* use dependency injection for embedded envoy provider

* Revert "use dependency injection for embedded envoy provider"

This reverts commit 5c08990501.

* config: attach envoy version to Config to avoid metrics depending on envoy/files
 2021-06-21 18:00:29 -06:00
Caleb Doxsey
69576cffe4
config: add support for set_response_headers in a policy (#2171) 
* config: add support for set_response_headers in a policy

* docs: add note about precedence
 2021-05-04 09:43:52 -06:00
wasaga
129df47f9c
xds extended event (#2158) 2021-05-03 12:28:11 -04:00
Caleb Doxsey
b5b1013947
config: add client_crl (#2157) 
* config: add client_crl

* address comments

* add ignored file
 2021-04-30 14:36:32 -06:00
Caleb Doxsey
699ebf061a
config: add support for codec_type (#2156) 
* config: add support for codec_type

* add comma

* fix warning block

* fix docs
 2021-04-30 07:21:40 -06:00
Caleb Doxsey
0adbf4f24c
controlplane: save configuration events to databroker (#2153) 
* envoy: save events to databroker

* controlplane: add tests for envoy configuration events

* format imports
 2021-04-29 15:51:46 -06:00
Caleb Doxsey
636b3d6846
databroker: add options for maximum capacity (#2095) 
* databroker: add options

* implement redis

* add trace for enforce options
 2021-04-26 17:14:54 -06:00
wasaga
0e66619081
do not require project be in GOPATH/src (#2078) 2021-04-12 09:43:05 -04:00
Caleb Doxsey
f4c4fe314a
authorize: audit logging (#2050) 
* authorize: add databroker server and record version to result, force sync via polling

* authorize: audit logging
 2021-04-05 09:58:55 -06:00
Travis Groth
c7d243d742
proxy: restrict programmatic URLs to localhost (#2049) 
Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
 2021-04-01 10:04:49 -04:00
Caleb Doxsey
e2ebef44ef
telemetry: add installation id (#2017) 
* telemetry: add installation id

* set installation id globally

* remove unneeded changes
 2021-03-24 07:22:54 -06:00
ntoofu
fee4979246
Add xff_num_trusted_hops config option (#2003) 
* Add `xff_num_trusted_hops` config option

* Fix code formatting with gofmt

* Update docs for `xff_num_trusted_hops`
 2021-03-22 10:30:20 -06:00
Caleb Doxsey
23bc3f979f
config: add headers to config proto (#1996) 2021-03-19 08:06:01 -06:00
Caleb Doxsey
46ae3cf358
add rewrite_response_headers to protobuf (#1962) 2021-03-05 13:57:27 -07:00
Caleb Doxsey
664358dfad
config: multiple endpoints for authorize and databroker (#1957) 
* wip

* update docs

* remove dead code
 2021-03-03 09:53:19 -07:00
Caleb Doxsey
a825b06014
metrics: add TLS options (#1939) 
* move metrics listener to envoy

* add metrics tls options

* add test

* update docs

* update config proto

* add function to validate metric addr

* fix validation
 2021-02-24 09:42:53 -07:00
Caleb Doxsey
8b42eb5ebd
config: add metrics_basic_auth option (#1917) 
* config: add metrics_basic_auth option

* remove println

* use constant time compare
 2021-02-22 13:37:18 -07:00