pomerium

mirror of https://github.com/pomerium/pomerium.git synced 2025-04-30 02:46:30 +02:00

Author	SHA1	Message	Date
Caleb Doxsey	dad35bcfb0	ppl: refactor authorize to evaluate PPL (#2224 ) * ppl: refactor authorize to evaluate PPL * remove opa test step * add log statement * simplify assignment * deny with forbidden if logged in * add safeEval function * create evaluator-specific config and options * embed the headers rego file directly	2021-05-21 09:50:18 -06:00
Caleb Doxsey	f365b30e02	authorize: remove log (#2122 )	2021-04-23 14:00:08 -06:00
Caleb Doxsey	762b565239	authorize: fix empty sub policy arrays (#2119 )	2021-04-23 11:00:30 -06:00
Caleb Doxsey	b1d62bb541	config: remove validate side effects (#2109 ) * config: default shared key * handle additional errors * update grpc addr and grpc insecure * update google cloud service authentication service account * fix set response headers * fix qps * fix test	2021-04-22 15:10:50 -06:00
wasaga	e0c09a0998	log context (#2107 )	2021-04-22 10:58:13 -04:00
Caleb Doxsey	d7ab817de7	authorize: add databroker server and record version to result, force sync via polling (#2024 ) * authorize: add databroker server and record version to result, force sync via polling * wrap inmem store to take read lock when grabbing databroker versions * address code review comments * reset max to 0	2021-03-31 10:09:06 -06:00
Caleb Doxsey	4218f49741	authorize: bypass data in rego for databroker data (#2041 )	2021-03-30 14:14:32 -06:00
Caleb Doxsey	3690a32855	config: use getters for authenticate, signout and forward auth urls (#2000 )	2021-03-19 14:49:25 -06:00
Caleb Doxsey	b6ec01f377	assets: use embed instead of statik (#1960 ) * assets: use embed instead of statik * remove empty line * maybe fix precommit	2021-03-03 18:56:55 -07:00
Caleb Doxsey	7d236ca1af	authorize: move headers and jwt signing to rego (#1856 ) * wip * wip * wip * remove SignedJWT field * set google_cloud_serverless_authentication_service_account * update jwt claim headers * add mock get_google_cloud_serverless_headers for opa test * swap issuer and audience * add comment * change default port in authz	2021-02-08 10:53:21 -07:00
Caleb Doxsey	74ac23c980	authorize: remove DataBrokerData input (#1847 ) * authorize: remove DataBrokerData * add opa test * domain, group tests * more tests * remove databroker data input * update authz tests * update dead code * fix method name * handle / in keys	2021-02-02 14:27:35 -07:00
Caleb Doxsey	eed873b263	authorize: remove DataBrokerData (#1846 ) * authorize: remove DataBrokerData * fix method name	2021-02-02 11:40:21 -07:00
Caleb Doxsey	b7f0242090	authorize: remove admin (#1833 ) * authorize: remove admin * regen rego * add note to upgrading	2021-02-01 15:22:02 -07:00
Caleb Doxsey	cc85ea601d	policy: add new certificate-authority option for downstream mTLS client certificates (#1835 ) * policy: add new certificate-authority option for downstream mTLS client certificates * update proto, docs	2021-02-01 08:10:32 -07:00
Caleb Doxsey	84e8f6cc05	config: fix databroker policies (#1821 )	2021-01-25 17:18:50 -07:00
Caleb Doxsey	a6bc9f492f	authorize: move impersonation into session/service account (#1765 ) * move impersonation into session/service account * replace frontend statik * fix data race * move JWT filling to separate function, break up functions * maybe fix data race * fix code climate issue	2021-01-11 15:40:08 -07:00
Caleb Doxsey	4f0ce4bc82	fix coverage (#1741 ) * fix coverage * fix data races	2021-01-06 08:30:38 -07:00
bobby	f837c92741	dev: update linter (#1728 ) - gofumpt everything - fix TLS MinVersion to be at least 1.2 - add octal syntax - remove newlines - fix potential decompression bomb in ecjson - remove implicit memory aliasing in for loops. Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-12-30 09:02:57 -08:00
Caleb Doxsey	744d4453d5	use the directory email when provided for the jwt (#1647 )	2020-12-04 11:14:19 -07:00
bobby	5bbd745934	authorize: add signature algo support (RSA / EdDSA) (#1631 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-11-30 17:14:41 -08:00
Caleb Doxsey	3f7777f7e0	wait for initial sync to complete before starting control plane (#1636 )	2020-11-30 15:45:12 -07:00
Caleb Doxsey	0a6796ff71	authorize: add support for service accounts (#1374 )	2020-09-04 10:37:00 -06:00
Caleb Doxsey	0a2638e5dc	authorize: use impersonate email/groups in JWT (#1364 )	2020-09-02 13:50:46 -06:00
Caleb Doxsey	51bdf9baae	authorize: add jti to JWT payload (#1328 )	2020-08-24 15:35:16 -06:00
Cuong Manh Le	79b5ae7d98	authorize/evaluator: fix wrong custom policies decision (#1199 ) Test will be added in #1198	2020-08-04 21:11:59 +07:00
Caleb Doxsey	557aef2a33	fix databroker restart versioning, handle missing sessions (#1145 ) * fix databroker restart versioning, handle missing sessions * send empty server version to detect change * only rebuild if there are updated records	2020-07-29 08:45:41 -06:00
Caleb Doxsey	1ad243dfd1	directory.Group entry for groups (#1118 ) * store directory groups separate from directory users * fix group lookup, azure display name * remove fields restriction * fix test * also support email * use Email as name for google' * remove changed file * show groups on dashboard * fix test * re-add accidentally removed code	2020-07-22 11:28:53 -06:00
Caleb Doxsey	858077b3b6	authorize: custom rego policies (#1123 ) * add support for custom rego policies * add support for passing custom policies	2020-07-21 12:09:26 -06:00
Caleb Doxsey	fff782e04c	authorize: add evaluator store (#1105 ) * add evaluator store * handle arrays	2020-07-20 07:39:34 -06:00
Caleb Doxsey	a70254ab76	kubernetes apiserver integration (#1063 ) * sessions: support bearer tokens in authorization * wip * remove dead code * refactor signed jwt code * use function * update per comments * fix test	2020-07-14 08:33:24 -06:00
Cuong Manh Le	d40f294586	authorize: include "kid" in JWT header (#1049 ) Fixes #1046	2020-07-09 12:39:53 +07:00
Caleb Doxsey	fae02791f5	cryptutil: move to pkg dir, add token generator (#1029 ) * cryptutil: move to pkg dir, add token generator * add gitignored files * add tests	2020-06-30 15:55:33 -06:00
Caleb Doxsey	091b71f12e	grpc: rename internal/grpc to pkg/grpc (#1010 ) * grpc: rename internal/grpc to pkg/grpc * don't ignore pkg dir * remove debug line	2020-06-26 09:17:02 -06:00
Caleb Doxsey	3ad8cbf4ec	authorize: avoid serializing databroker data map to improve performance (#995 )	2020-06-24 14:00:08 -06:00
Cuong Manh Le	4a3fb5d44b	authorize: get claims from signed jwt (#954 ) authorize: get claims from signed jwt When doing databroker refactoring, all claims information were moved to signed JWT instead of raw session JWT. But we are still looking for claims info in raw session JWT, causes all X-Pomerium-Claim-* headers being gone. Fix this by looking for information from signed JWT instead. Note that even with this fix, the X-Pomerium-Claim-Groups is still not present, but it's another bug (see #941) and will be fixed later. Fixes #936	2020-06-22 09:51:32 +07:00
Caleb Doxsey	dbd7f55b20	feature/databroker: user data and session refactor project (#926 ) * databroker: add databroker, identity manager, update cache (#864) * databroker: add databroker, identity manager, update cache * fix cache tests * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * authorize: use databroker data for rego policy (#904) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix gitlab test * use v4 backoff * authenticate: databroker changes (#914) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix dashboard * delete session on logout * permanently delete sessions once they are marked as deleted * remove permanent delete * fix tests * remove groups and refresh test * databroker: remove dead code, rename cache url, move dashboard (#925) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix dashboard * delete session on logout * permanently delete sessions once they are marked as deleted * remove permanent delete * fix tests * remove cache service * remove kv * remove refresh docs * remove obsolete cache docs * add databroker url option * cache: use memberlist to detect multiple instances * add databroker service url * remove cache service * remove kv * remove refresh docs * remove obsolete cache docs * add databroker url option * cache: use memberlist to detect multiple instances * add databroker service url * wip * remove groups and refresh test * fix redirect, signout * remove databroker client from proxy * remove unused method * remove user dashboard test * handle missing session ids * session: reject sessions with no id * sessions: invalidate old sessions via databroker server version (#930) * session: add a version field tied to the databroker server version that can be used to invalidate sessions * fix tests * add log * authenticate: create user record immediately, call "get" directly in authorize (#931)	2020-06-19 07:52:44 -06:00
Caleb Doxsey	a969f33d88	authorize: refactor and add additional unit tests (#757 ) * authorize: clean up code, add test * authorize: additional test * authorize: additional test	2020-05-22 13:25:59 -06:00
Caleb Doxsey	e4832cb4ed	authorize: add client mTLS support (#751 ) * authorize: add client mtls support * authorize: better error messages for envoy * switch from function to input * add TrustedCa to envoy config so that users are prompted for the correct client certificate * update documentation * fix invalid ClientCAFile * regenerate cache protobuf * avoid recursion, add test * move comment line * use http.StatusOK * various fixes	2020-05-21 16:01:07 -06:00
Bobby DeSimone	666fd6aa35	authenticate: save oauth2 tokens to cache (#698 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-05-18 17:10:10 -04:00
Bobby DeSimone	8d1732582e	authorize: use jwt insead of state struct (#514 ) authenticate: unmarshal and verify state from jwt, instead of middleware authorize: embed opa policy using statik authorize: have IsAuthorized handle authorization for all routes authorize: if no signing key is provided, one is generated authorize: remove IsAdmin grpc endpoint authorize/client: return authorize decision struct cmd/pomerium: main logger no longer contains email and group cryptutil: add ECDSA signing methods dashboard: have impersonate form show up for all users, but have api gated by authz docs: fix typo in signed jwt header encoding/jws: remove unused es256 signer frontend: namespace static web assets internal/sessions: remove leeway to match authz policy proxy: move signing functionality to authz proxy: remove jwt attestation from proxy (authZ does now) proxy: remove non-signed headers from headers proxy: remove special handling of x-forwarded-host sessions: do not verify state in middleware sessions: remove leeway from state to match authz sessions/{all}: store jwt directly instead of state Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-03-10 11:19:26 -07:00
Bobby DeSimone	2f13488598	authorize: use opa for policy engine (#474 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-02-02 11:18:22 -08:00

41 commits