3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-05-02 03:46:29 +02:00
Code Issues Projects Releases Packages Wiki Activity
965 commits 158 branches 125 tags 103 MiB
Commit graph

285 commits

Author SHA1 Message Date
Travis Groth
c049d87362
docs: document service account requirements (#999) 2020-06-25 19:32:36 -04:00
bobby
dbd1eac97f
identity: support custom code flow request params (#998) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-06-25 08:28:46 -07:00
Bobby DeSimone
1d1311a240 config: error if groups are used without service account 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-06-24 16:01:08 -07:00
Cuong Manh Le
17ba595ced
authenticate: support hot reloaded config (#984) 
By implementinng OptionsUpdater interface.

Fixes #982
 2020-06-24 00:18:20 +07:00
Cuong Manh Le
4ca0189524
docs/docs/identity-providers: document gitlab default scopes changed (#980) 
Fixes #938
 2020-06-24 00:05:21 +07:00
Caleb Doxsey
24b523c043
docs: update upgrading document for breaking changes (#974) 2020-06-22 15:26:42 -06:00
Caleb Doxsey
f33bf07334
docs: update service account instructions for OneLogin (#973) 2020-06-22 15:21:21 -06:00
Caleb Doxsey
ae97d280c5
docs: service account instructions for gitlab (#970) 2020-06-22 15:04:36 -06:00
Caleb Doxsey
451bdbeb0d
docs: update okta service account docs to match new format (#972) 2020-06-22 15:04:01 -06:00
Caleb Doxsey
cb08cb7a93
docs: service account instructions for azure (#969) 2020-06-22 14:15:49 -06:00
Caleb Doxsey
f11c5ba172
docs: update GitHub documentation for service account (#967) 
* docs: update GitHub documentation for service account

* add read:org permission
 2020-06-22 12:36:07 -06:00
Cuong Manh Le
5b9c09caba
docs/docs: remove extra text when resolve conflict (#955) 2020-06-22 10:38:31 +07:00
Cuong Manh Le
8d0deb0732
config: add PassIdentityHeaders option (#903) 
Currently, user's identity headers are always inserted to downstream
request. For privacy reason, it would be better to not insert these
headers by default, and let user chose whether to include these headers
per=policy basis.

Fixes #702
 2020-06-22 10:29:44 +07:00
Cuong Manh Le
c29807c391
docs: document un-supported HTTP 1.0 in 0.9.0 and higher (#932) 
docs: document un-supported HTTP 1.0 in 0.9.0 and higher

Fixes #915

Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
 2020-06-20 01:11:00 +07:00
Caleb Doxsey
dbd7f55b20
feature/databroker: user data and session refactor project (#926) 
* databroker: add databroker, identity manager, update cache (#864)

* databroker: add databroker, identity manager, update cache

* fix cache tests

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* authorize: use databroker data for rego policy (#904)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix gitlab test

* use v4 backoff

* authenticate: databroker changes (#914)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix dashboard

* delete session on logout

* permanently delete sessions once they are marked as deleted

* remove permanent delete

* fix tests

* remove groups and refresh test

* databroker: remove dead code, rename cache url, move dashboard (#925)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix dashboard

* delete session on logout

* permanently delete sessions once they are marked as deleted

* remove permanent delete

* fix tests

* remove cache service

* remove kv

* remove refresh docs

* remove obsolete cache docs

* add databroker url option

* cache: use memberlist to detect multiple instances

* add databroker service url

* remove cache service

* remove kv

* remove refresh docs

* remove obsolete cache docs

* add databroker url option

* cache: use memberlist to detect multiple instances

* add databroker service url

* wip

* remove groups and refresh test

* fix redirect, signout

* remove databroker client from proxy

* remove unused method

* remove user dashboard test

* handle missing session ids

* session: reject sessions with no id

* sessions: invalidate old sessions via databroker server version (#930)

* session: add a version field tied to the databroker server version that can be used to invalidate sessions

* fix tests

* add log

* authenticate: create user record immediately, call "get" directly in authorize (#931)
 2020-06-19 07:52:44 -06:00
Yuchen Ying
8fc1e9cca8
Add an option to request certificate with Must-Staple. (#697) 2020-06-17 08:29:34 -07:00
Cuong Manh Le
e0bdd906f9
config: change the default logging level to INFO (#902) 
config: change the default logging level to INFO

DEBUG logging level is very verbose and potentially logs sensitive data.
We should set default log level to INFO.

Updates #895
Fixes #896
 2020-06-15 22:55:18 +07:00
Bobby DeSimone
e57f92486a
envoy: bump envoy to 1.14.2 (#894) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-06-15 07:55:44 -07:00
Aidan Steele
48912dbc33
Fix small typo (#836) 2020-06-07 07:46:47 -04:00
Cuong Manh Le
4d5edb0d64
Feature/remove request headers (#822) 
* config: add RemoveRequestHeaders

Currently, we have "set_request_headers" config, which reflects envoy
route.Route.RequestHeadersToAdd. This commit add new config
"remove_request_headers", which reflects envoy RequestHeadersToRemove.

This is also a preparation for future PRs to implement disable user
identity in request headers feature.

* integration: add test for remove_request_headers
* docs: add documentation/changelog for remove_request_headers
 2020-06-03 07:46:51 -07:00
Bobby DeSimone
afe22fd24b
posts: 0-9-0 release notes (#820) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-06-01 20:29:50 -07:00
Bobby DeSimone
44cf1fba1f
deployment: prepare 0.9.0 (#798) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-05-30 18:07:57 -07:00
Caleb Doxsey
b88a619c0d
docs: add mTLS recipe (#807) 
* docs: add mTLS recipe

* add argo and mtls to sidebar
 2020-05-29 16:10:40 -06:00
Travis Groth
6761cc7a14
telemetry: service label updates (#802) 2020-05-29 15:16:22 -04:00
Caleb Doxsey
49c323ae73
docs: add argo recipe (#803) 2020-05-29 12:05:14 -06:00
Caleb Doxsey
c1e648e0a9
docs: update dockerfiles for v0.9.0 (#801) 
* docs: update dockerfiles for v0.9.0

* docs: use latest tag for docker files
 2020-05-29 08:13:01 -06:00
Joel Bastos
d67bb22342
docs: typo on configuration doc (#800) 
Correct memcached name
 2020-05-28 16:28:55 -07:00
Travis Groth
49db9867d7
docs: Expose config parameters in sidebar (#797) 2020-05-28 16:37:34 -04:00
Caleb Doxsey
df2b09a906
docs: add note about unsupported platforms (#799) 2020-05-28 12:57:03 -06:00
Travis Groth
14432daf26
docs: Update examples (#796) 2020-05-28 10:29:10 -04:00
Noah Stride
d85e490640
fix: docs regarding claim headers (#782) 2020-05-27 09:58:48 -04:00
Caleb Doxsey
f03f57980c
docs: update traefik example and add note about forwarded headers (#784) 2020-05-26 18:14:11 -06:00
Caleb Doxsey
e4832cb4ed
authorize: add client mTLS support (#751) 
* authorize: add client mtls support

* authorize: better error messages for envoy

* switch from function to input

* add TrustedCa to envoy config so that users are prompted for the correct client certificate

* update documentation

* fix invalid ClientCAFile

* regenerate cache protobuf

* avoid recursion, add test

* move comment line

* use http.StatusOK

* various fixes
 2020-05-21 16:01:07 -06:00
Bobby DeSimone
3f1faf2e9e
authenticate: add jwks and .well-known endpoint (#745) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-05-21 11:46:29 -07:00
Travis Groth
3e17befff7
envoy: Enable zipkin tracing (#737) 
- Update envoy bootstrap config to protobufs
- Reorganize tracing config to avoid cyclic import
- Push down zipkin config to Envoy
- Update tracing options to provide sample rate
 2020-05-21 11:50:07 -04:00
Caleb Doxsey
0895515833
envoy: implement various timeouts (#732) 
* envoy: implement global and route timeouts

* envoy: use the grpc client timeout for the authz service timeout

* fix test
 2020-05-19 10:01:37 -06:00
Travis Groth
1f1e63a75b
telemetry/tracing: Add Zipkin tracing support (#723) 2020-05-18 21:57:13 -04:00
Caleb Doxsey
ef399380b7 merge master 2020-05-18 17:10:10 -04:00
Travis Groth
96a95c5aff Update jwt_claims_headers docs (#705) 2020-05-18 17:10:10 -04:00
Caleb Doxsey
352c2b851b envoy: add separate proxy log level option (#689) 2020-05-18 17:10:10 -04:00
Caleb Doxsey
02615b8b6c Merge remote-tracking branch 'origin/master' into feature/envoy 2020-05-18 17:10:10 -04:00
Travis Groth
99e788a9b4 envoy: Initial changes 2020-05-18 17:10:10 -04:00
Bjoern Weidlich
1a1a5a11f9
Documentation around Pomerium/Istio/Grafana (#675) 
* Added an example of how to protect Grafana with Pomerium inside of an Istio mesh
* Added relevant documentation links
 2020-05-17 22:26:09 -07:00
Bobby DeSimone
1cba3d50eb
docs: fixes to v0.8.0 docs (#696) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-05-13 12:38:01 -07:00
Bobby DeSimone
80166bcc40
deployment: release v0.8.0 (#686) 
Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>
 2020-05-12 19:10:12 -07:00
Travis Groth
b9b66ec20f
deploy: autocert documentation and defaults (#658) 
* Define AUTOCERT_DIR in dockerfiles

* Add autocert example and compose file

* Update reference docs for defaults
 2020-05-05 21:13:28 -04:00
Bobby DeSimone
bf9a6f5e97
cryptutil: add automatic certificate management (#644) 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-05-05 12:50:19 -07:00
Ogundele Olumide
5f0c13767b
improvement: update gitlab api scope (#630) 2020-04-23 13:26:25 -07:00
Bobby DeSimone
f4868dd4dd
docs: fix favicon (#626) 
* docs: fix favicon

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
 2020-04-21 14:40:54 -07:00
Caleb Doxsey
170f7f07d3 docs: add upgrading documentation for potentially breaking configuration changes 2020-04-20 18:24:36 -06:00