* internal/directory/okta: add limiter to query okta API
Okta only allows 100 requests per minute, so apply the default rate
limit 1 QPS for it.
Fixes#1256
* internal/directory/okta: use okta filter to get updated groups
Okta API supports filter to get updated groups only, we can adopt that
to reduce number of requests to okta API, hence reduce chance that we
reach the rate limit.
Updates #1256
* internal/directory/okta: fix wrong API query filter
Okta uses space " " instead of plus sign "+" in query filter.
See https://developer.okta.com/docs/reference/api-overview/#filtering
* internal/directory: use default QPS setting for backport
Co-authored-by: Cuong Manh Le <cuong.manhle.vn@gmail.com>
* pkg/storage/redis: use SANs cert
Since go1.15, X.509 CommonName is deprecated, switch to a SANs
certificate for test redis TLS.
While at it, add instruction to genearte cert and build test image.
See: https://golang.org/doc/go1.15#commonname
* config: do not test for exact route id
Different go version can genearte different route id, due to the fact
that we are relying on xxhash.
* internal/controlplane: mocking policy name in test
We don't have to test for exact policy name, as it does not make sense
and force us to change test every new go release.
Co-authored-by: Cuong Manh Le <cuong.manhle.vn@gmail.com>
Currently, we're doing "sync" in databroker server. If we're going to
support multiple databroker servers instance, this mechanism won't work.
This commit moves the "sync" to storage backend, by adding new Watch
method. The Watch method will return a channel for the caller. Everytime
something happens inside the storage, we notify the caller by sending a
message to this channel.
* config,docs: add databroker storage backend configuration
* cache: allow configuring which backend storage to use
Currently supported types are "memory", "redis".
* store directory groups separate from directory users
* fix group lookup, azure display name
* remove fields restriction
* fix test
* also support email
* use Email as name for google'
* remove changed file
* show groups on dashboard
* fix test
* re-add accidentally removed code
* internal/controlplane: using envoy strip host port matching
With envoy 1.15.0 release, strip host port matching setting allows
incoming request with Host "example:443" will match again route with
domains match set to "example".
Not that this is not standard HTTP behavior, but it's more convenient
for users.
Fixes#959
* docs/docs: add note about enable envoy strip host port matching
Storing server version when creating new server. After then, we can
retrieve the version from backend when server restart.
With storage backend which supports persistent, the server version
won't change after restarting.
Since we switch to use databroker, time in template is now protobuf
timestamp instead of time.Time, that causes it appears in raw form
instead of human-readable format.
Fix this by converting protobuf timestamp to time.Time in template.
There's still a breaking change, though. The time will now appears in
UTC instead of local time.
Fixes#1100
Currently, with impersonated request, the real user email/group still
has effects.
Example:
data.route_policies as [{
"source": "example.com",
"allowed_users": ["x@example.com"]
}] with
input.databroker_data as {
"session": {
"user_id": "user1"
},
"user": {
"email": "x@example.com"
}
} with
input.http as { "url": "http://example.com" } with
input.session as { "id": "session1", "impersonate_email": "y@example.com" }
Here user "x@example.com" is allowed, but was impersonated as
"y@example.com". As the rules indicated, the request must be denied,
because it only allows "x@example.com", not "y@example.com". The current
bug causes the request is still allowed.
To fix it, when evaluates rules for allowed email/group/domain, we must checking
that the impersonate email/groups is not set/empty.
Fixes#1091
Skip group without members, so it saves us time to handle group members,
and reduce the size of groups.
While at it, also querying API with the fields we need.
Fixes#567
* add google cloud serverless support
* force ipv4 for google cloud serverless
* disable long line linting
* fix destination hostname
* add test
* add support for service accounts
* fix utc time in test
* pkg: add storage package
Which contains storage.Backend interface to initial support for multiple
backend storage.
* pkg/storage: add inmemory storage
* internal/databroker: use storage.Backend interface
Instead of implementing multiple databroker server implementation for
each kind of storage backend, we use only one databroker server
implementation, which is supported multiple storage backends, which
satisfy storage.Backend interface.
