Currently, we're doing "sync" in the databroker server. If we're going to
support multiple databroker server instances, this mechanism won't work.
This commit moves the "sync" to the storage backend, by adding a new Watch
method. The Watch method will return a channel for the caller. Every time
something happens inside the storage, we notify the caller by sending a
message to this channel.
* config,docs: add databroker storage backend configuration
* cache: allow configuring which backend storage to use
Currently supported types are "memory", "redis".
* store directory groups separate from directory users
* fix group lookup, azure display name
* remove fields restriction
* fix test
* also support email
* use Email as name for google
* remove changed file
* show groups on dashboard
* fix test
* re-add accidentally removed code
* internal/controlplane: using envoy strip host port matching
With the envoy 1.15.0 release, the strip host port matching setting allows
an incoming request with Host "example:443" to match against a route with
domains match set to "example".
Note that this is not standard HTTP behavior, but it's more convenient
for users.
Fixes #959
* docs/docs: add note about enable envoy strip host port matching
Store the server version when creating a new server. After that, we can
retrieve the version from the backend when the server restarts.
With a storage backend which supports persistence, the server version
won't change after restarting.
* pkg/storage: add redis storage backend
* pkg/storage/redis: set record create time correctly
* pkg/storage/redis: add docs
* pkg/storage/redis: run test with redis tag only
* pkg/storage/redis: use localhost
* pkg/storage/redis: use 127.0.0.1
* pkg/storage/redis: honor REDIS_URL env
* .github/workflows: add missing config for redis service
* .github/workflows: map redis ports to host
* pkg/storage/redis: use proto marshaler instead of json one
* pkg/storage/redis: use better implementation
By using redis supported data structures:
- Hash for storing record
- Sorted set for storing by version
- Set for storing deleted ids
List operation will now be performed in O(log(N)+M) instead of O(N) like
the previous implementation.
* pkg/storage/redis: add tx to wrap redis transaction
* pkg/storage/redis: set record type in New
* pkg/storage/redis: make sure tx commands appear in right order
* pkg/storage/redis: make deletePermanentAfter as argument
* pkg/storage/redis: make sure version is incremented when deleting
* pkg/storage/redis: fix linter
* pkg/storage/redis: fix cmd construction
In #1030, the fix was done without being aware of the context that traefik
forward auth mode did allow requests without the "?uri=". Previously,
this was done in the proxy, by converting the forward auth request to an
actual request. The fix in #1030 prevents this conversion, to make the
authorize service aware of which request is a forward auth request.
But that causes traefik forward auth without "?uri" to stop working. Fix
it by making the authorize service also honor the forwarded uri header,
too.
Fixes #1096
Since we switched to using databroker, time in the template is now a protobuf
timestamp instead of time.Time, which causes it to appear in raw form
instead of human-readable format.
Fix this by converting the protobuf timestamp to time.Time in the template.
There's still a breaking change, though. The time will now appear in
UTC instead of local time.
Fixes #1100
Currently, with an impersonated request, the real user email/group still
has an effect.
Example:
    data.route_policies as [{
        "source": "example.com",
        "allowed_users": ["x@example.com"]
    }] with
    input.databroker_data as {
        "session": {
            "user_id": "user1"
        },
        "user": {
            "email": "x@example.com"
        }
    } with
    input.http as { "url": "http://example.com" } with
    input.session as { "id": "session1", "impersonate_email": "y@example.com" }
Here user "x@example.com" is allowed, but was impersonated as
"y@example.com". As the rules indicate, the request must be denied,
because it only allows "x@example.com", not "y@example.com". The current
bug causes the request to still be allowed.
To fix it, when evaluating rules for allowed email/group/domain, we must check
that the impersonate email/groups is not set/empty.
Fixes #1091
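
The impersonation check described in the commit message above, as an added example in Go. It is not code from the project: the Session, User and RoutePolicy types and both functions are hypothetical simplifications that model only the allowed-email rule (groups and domains are left out), using the input from the commit message's example.

```go
package main

import "fmt"

// Hypothetical, simplified stand-ins for the policy input in the example above.
type Session struct{ ID, ImpersonateEmail string }
type User struct{ Email string }
type RoutePolicy struct {
	Source       string
	AllowedUsers []string
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// allowedBuggy models the bug: the real user's email is matched even
// when the session carries an impersonated email.
func allowedBuggy(p RoutePolicy, u User, s Session) bool {
	if contains(p.AllowedUsers, u.Email) {
		return true
	}
	return s.ImpersonateEmail != "" && contains(p.AllowedUsers, s.ImpersonateEmail)
}

// allowedFixed models the fix: the real email counts only when no
// impersonated email is set; otherwise only the impersonated one is matched.
func allowedFixed(p RoutePolicy, u User, s Session) bool {
	if s.ImpersonateEmail != "" {
		return contains(p.AllowedUsers, s.ImpersonateEmail)
	}
	return contains(p.AllowedUsers, u.Email)
}

func main() {
	// Constructed input mirroring the commit message's example.
	p := RoutePolicy{Source: "example.com", AllowedUsers: []string{"x@example.com"}}
	u := User{Email: "x@example.com"}
	s := Session{ID: "session1", ImpersonateEmail: "y@example.com"}
	fmt.Println("buggy allows:", allowedBuggy(p, u, s), "fixed allows:", allowedFixed(p, u, s))
}
```
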
Skip groups without members, which saves us time handling group members
and reduces the size of groups.
While at it, also query the API with the fields we need.
Fixes #567
* add google cloud serverless support
* force ipv4 for google cloud serverless
* disable long line linting
* fix destination hostname
* add test
* add support for service accounts
* fix utc time in test