pomerium

mirror of https://github.com/pomerium/pomerium.git synced 2025-05-03 20:36:03 +02:00

Author	SHA1	Message	Date
Caleb Doxsey	97f85481f8	fix redirect loop, remove user/session services, remove duplicate deleted_at fields (#1162 ) * fix redirect loop, remove user/session services, remove duplicate deleted_at fields * change loop * reuse err variable * wrap errors, use cookie timeout * wrap error, duplicate if	2020-07-30 09:41:57 -06:00
Caleb Doxsey	1ad243dfd1	directory.Group entry for groups (#1118 ) * store directory groups separate from directory users * fix group lookup, azure display name * remove fields restriction * fix test * also support email * use Email as name for google' * remove changed file * show groups on dashboard * fix test * re-add accidentally removed code	2020-07-22 11:28:53 -06:00
Cuong Manh Le	821f2e9000	config: allow setting directory sync interval and timeout (#1098 ) Updates #567	2020-07-17 23:11:27 +07:00
Caleb Doxsey	091b71f12e	grpc: rename internal/grpc to pkg/grpc (#1010 ) * grpc: rename internal/grpc to pkg/grpc * don't ignore pkg dir * remove debug line	2020-06-26 09:17:02 -06:00
bobby	dbd1eac97f	identity: support custom code flow request params (#998 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-06-25 08:28:46 -07:00
Cuong Manh Le	99142b7293	authenticate: revoke current session oauth token before sign out (#964 ) authenticate: revoke current session oauth token before sign out After #926, we don't revoke access token before sign out anymore. It causes sign out can not work, because right after user click on sign out button, we redirect user to idp provider authenticate page with a valid access token, so user is logged in immediately again. To fix it, just revoke the access token before sign out.	2020-06-23 00:55:55 +07:00
Caleb Doxsey	b3ccdfe00f	idp: delete sessions on refresh error, handle zero times in oauth/id tokens for refresh (#961 )	2020-06-22 08:49:28 -06:00
Caleb Doxsey	fbce3dd359	idp: set github timestamps (#943 )	2020-06-21 15:50:56 -06:00
Caleb Doxsey	dbd7f55b20	feature/databroker: user data and session refactor project (#926 ) * databroker: add databroker, identity manager, update cache (#864) * databroker: add databroker, identity manager, update cache * fix cache tests * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * authorize: use databroker data for rego policy (#904) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix gitlab test * use v4 backoff * authenticate: databroker changes (#914) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix dashboard * delete session on logout * permanently delete sessions once they are marked as deleted * remove permanent delete * fix tests * remove groups and refresh test * databroker: remove dead code, rename cache url, move dashboard (#925) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix dashboard * delete session on logout * permanently delete sessions once they are marked as deleted * remove permanent delete * fix tests * remove cache service * remove kv * remove refresh docs * remove obsolete cache docs * add databroker url option * cache: use memberlist to detect multiple instances * add databroker service url * remove cache service * remove kv * remove refresh docs * remove obsolete cache docs * add databroker url option * cache: use memberlist to detect multiple instances * add databroker service url * wip * remove groups and refresh test * fix redirect, signout * remove databroker client from proxy * remove unused method * remove user dashboard test * handle missing session ids * session: reject sessions with no id * sessions: invalidate old sessions via databroker server version (#930) * session: add a version field tied to the databroker server version that can be used to invalidate sessions * fix tests * add log * authenticate: create user record immediately, call "get" directly in authorize (#931)	2020-06-19 07:52:44 -06:00
Caleb Doxsey	988477c90d	authenticate: fix user-info call for AWS cognito (#792 )	2020-05-27 15:37:42 -06:00
Bobby DeSimone	666fd6aa35	authenticate: save oauth2 tokens to cache (#698 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-05-18 17:10:10 -04:00
Bobby DeSimone	18993c4293	github: fix nil pointer error (#637 ) - fixes an issue where defer clear session would not be called Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-04-28 07:56:42 -07:00
Ogundele Olumide	5f0c13767b	improvement: update gitlab api scope (#630 )	2020-04-23 13:26:25 -07:00
Bobby DeSimone	627a591824	identity: abstract identity providers by type (#560 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-04-23 10:36:24 -07:00
Ogundele Olumide	75f4dadad6	identity/provider: implement generic revoke method (#595 ) Co-authored-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-04-21 14:40:33 -07:00
Ogundele Olumide	53fd215148	fix retrieve group error: (#614 ) - remove hardcoded gitlab provider url - update the gitlab identity provider documentation	2020-04-16 11:51:03 -07:00
Ogundele Olumide	ae4204d42b	internal/identity: implement github provider support (#582 ) Co-authored-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-04-10 10:48:14 -07:00
Ogundele Olumide	3c6431e5bc	change gitlab group unique identifier from name to ID (#571 )	2020-03-28 12:45:24 -07:00
Travis Groth	799d1ad162	Use Host:port for JWT audience generation Signed-off-by: Travis Groth <travisgroth@users.noreply.github.com> (#562)	2020-03-25 22:15:15 -04:00
Ogundele Olumide	3dd9188004	feat: gitlab oidc/ oauth provider (#518 ) - implement gitlab oauth support - add documentation for the gitlab support	2020-03-16 19:58:49 -07:00
Bobby DeSimone	ba14ea246d	*: remove import path comments (#545 ) - import path comments are obsoleted by the go.mod file's module statement Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-03-16 10:13:47 -07:00
Bobby DeSimone	6f4b26abe2	identity: support oidc UserInfo Response (#529 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-03-12 20:56:40 -07:00
Bobby DeSimone	8d1732582e	authorize: use jwt insead of state struct (#514 ) authenticate: unmarshal and verify state from jwt, instead of middleware authorize: embed opa policy using statik authorize: have IsAuthorized handle authorization for all routes authorize: if no signing key is provided, one is generated authorize: remove IsAdmin grpc endpoint authorize/client: return authorize decision struct cmd/pomerium: main logger no longer contains email and group cryptutil: add ECDSA signing methods dashboard: have impersonate form show up for all users, but have api gated by authz docs: fix typo in signed jwt header encoding/jws: remove unused es256 signer frontend: namespace static web assets internal/sessions: remove leeway to match authz policy proxy: move signing functionality to authz proxy: remove jwt attestation from proxy (authZ does now) proxy: remove non-signed headers from headers proxy: remove special handling of x-forwarded-host sessions: do not verify state in middleware sessions: remove leeway from state to match authz sessions/{all}: store jwt directly instead of state Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-03-10 11:19:26 -07:00
Bobby DeSimone	12bae5cc43	errors: use %w verb directive (#419 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-12-03 20:02:43 -08:00
Bobby DeSimone	0f6a9d7f1d	proxy: fix forward auth, request signing Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-11-25 14:29:52 -08:00
Bobby DeSimone	d3d60d1055	all: support route scoped sessions Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-11-06 17:54:15 -08:00
Bobby DeSimone	380d314404	authenticate: make service http only - Rename SessionState to State to avoid stutter. - Simplified option validation to use a wrapper function for base64 secrets. - Removed authenticates grpc code. - Abstracted logic to load and validate a user's authenticate session. - Removed instances of url.Parse in favor of urlutil's version. - proxy: replaces grpc refresh logic with forced deadline advancement. - internal/sessions: remove rest store; parse authorize header as part of session store. - proxy: refactor request signer - sessions: remove extend deadline (fixes #294) - remove AuthenticateInternalAddr - remove AuthenticateInternalAddrString - omit type tag.Key from declaration of vars TagKey* it will be inferred from the right-hand side - remove compatibility package xerrors - use cloned http.DefaultTransport as base transport	2019-09-04 16:27:08 -07:00
Arend Lagendijk	fe27b79b81	Don't force consent screen for every Azure AD login Signed-off-by: Arend Lagendijk <a.lagendijk@minddistrict.com>	2019-08-07 10:49:57 +02:00
Bobby DeSimone	a962877ad4	config: fix url type regression (#253 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-08-03 12:08:26 -07:00
Bobby DeSimone	2c1953b0ec	internal/config: pass urls by value Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-08-02 15:46:18 -07:00
Bobby DeSimone	5edfa7b03f	telemetry: add tracing - telemetry/tace: add traces throughout code - telemetry/metrics: nest metrics and trace under telemetry - telemetry/tace: add service name span to HTTPMetricsHandler. - telemetry/metrics: removed chain dependency middleware_tests. - telemetry/metrics: wrap and encapsulate variatic view registration. - telemetry/tace: add jaeger support for tracing. - cmd/pomerium: move `parseOptions` to internal/config. - cmd/pomerium: offload server handling to httputil and sub pkgs. - httputil: standardize creation/shutdown of http listeners. - httputil: prefer curve X25519 to P256 when negotiating TLS. - fileutil: use standardized Getw Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-07-24 09:20:16 -07:00
Bobby DeSimone	b12ecc4cba	identity/google: always show user selection. Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-07-22 06:48:42 -07:00
Travis Groth	b2754fd822	internal/identity: fix bug in azure preventing group retrieval	2019-07-06 13:07:48 -04:00
Bobby DeSimone	cf0f98536a	authenticate: programmatic access support - authenticate: added a token exchange api endpoint that converts an identity provider's JWT into a pomerium session. - internal/identity: authenticate now passes context. - internal/identity: removed extraneous GetSignInURL from okta. - internal/sessions: add rest store - update go.mod / go.sum depedencies. - docs: add programmatic examples in shell and python	2019-06-12 14:51:19 -07:00
Bobby DeSimone	66b4c2d3cd	authenticate/proxy: add user impersonation, refresh, dashboard (#123 ) proxy: Add user dashboard. [GH-123] proxy/authenticate: Add manual refresh of their session. [GH-73] authorize: Add administrator (super user) account support. [GH-110] internal/policy: Allow administrators to impersonate other users. [GH-110]	2019-05-26 12:33:00 -07:00
Bobby DeSimone	06da599fbc	internal/identity: replace legacy approval_prompt=force with prompt=consent(#82 ) Fixes a bug where caused by setting both prompt=consent and approval_prompt=force.	2019-04-08 17:32:40 -07:00
Lian Duan	f54bf3f291	Force requesting refresh_token from Google Google only provide refresh_token on the first authorization from the user. If user clears cookies, re-authorization will not bring back refresh_token. A work around to this is to add prompt=consent to the OAuth redirect URL and will always return a refresh_token.	2019-04-08 16:07:51 +02:00
Bobby DeSimone	a39e84cef8	internal/identity: use email for group identifier for gsuite (#72 )	2019-03-26 20:29:57 -07:00
Bobby DeSimone	45e6a8dc57	docs: update changelog, documentaiton, and helm configurations. (#63 ) - Update changelog. - Update docs to cover authorization support. - Updates helm to support authorization, and policy file.	2019-03-19 10:55:41 -07:00
Bobby DeSimone	c13459bb88	authorize: add authorization (#59 ) * authorize: authorization module adds support for per-route access policy. In this release we support the most common forms of identity based access policy: `allowed_users`, `allowed_groups`, and `allowed_domains`. In future versions, the authorization module will also support context and device based authorization policy and decisions. See website documentation for more details. * docs: updated `env.example` to include a `POLICY` setting example. * docs: added `IDP_SERVICE_ACCOUNT` to `env.example` . * docs: removed `PROXY_ROOT_DOMAIN` settings which has been replaced by `POLICY`. * all: removed `ALLOWED_DOMAINS` settings which has been replaced by `POLICY`. Authorization is now handled by the authorization service and is defined in the policy configuration files. * proxy: `ROUTES` settings which has been replaced by `POLICY`. * internal/log: `http.Server` and `httputil.NewSingleHostReverseProxy` now uses pomerium's logging package instead of the standard library's built in one. Closes #54 Closes #41 Closes #61 Closes #58	2019-03-07 12:47:07 -08:00
Bobby DeSimone	1187be2bf3	authenticator: support groups (#57 ) - authenticate/providers: add group support to azure - authenticate/providers: add group support to google - authenticate/providers: add group support to okta - authenticate/providers: add group support to onelogin - {authenticate/proxy}: change default cookie lifetime timeout to 14 hours - proxy: sign group membership - proxy: add group header - deployment: add CHANGELOG - deployment: fix where make release wasn’t including version	2019-02-28 19:34:22 -08:00

41 commits