pomerium

mirror of https://github.com/pomerium/pomerium.git synced 2025-04-28 18:06:34 +02:00

Author	SHA1	Message	Date
Denis Mishin	db221cb826	mcp: storage scaffolding (#5581 )	2025-04-23 13:39:27 -04:00
Denis Mishin	f1a9401ddc	mcp: scaffolding of /.pomerium/mcp routes (#5580 )	2025-04-23 12:36:31 -04:00
Kenneth Jenkins	c848c225e8	multi-domain login redirects (#5564 ) Add a new 'depends_on' route configuration option taking a list of additional hosts to redirect through on login. Update the authorize service and proxy service to support a chain of /.pomerium/callback redirects. Add an integration test for this feature.	2025-04-04 13:14:30 -07:00
Joe Kralicky	a96ab2fe93	move internal/telemetry/trace => pkg/telemetry/trace (#5541 )	2025-03-25 10:43:04 -04:00
Caleb Doxsey	7896ccda5c	support loading idp token sessions in the proxy service (#5488 )	2025-02-24 11:09:51 -07:00
Caleb Doxsey	97ba21b95a	proxy: add routes HTML page (#5443 ) * proxy: add route portal json * fix 405 issue * proxy: add routes HTML page	2025-01-27 12:13:55 -07:00
Caleb Doxsey	e816cef2a1	proxy: add route portal json (#5428 ) * proxy: add route portal json * fix 405 issue * add link to issue * Update proxy/portal/filter_test.go Co-authored-by: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com> --------- Co-authored-by: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com>	2025-01-22 13:45:20 -07:00
Joe Kralicky	396c35b6b4	New tracing system (#5388 ) * update tracing config definitions * new tracing system * performance improvements * only configure tracing in envoy if it is enabled in pomerium * [tracing] refactor to use custom extension for trace id editing (#5420) refactor to use custom extension for trace id editing * set default tracing sample rate to 1.0 * fix proxy service http middleware * improve some existing auth related traces * test fixes * bump envoyproxy/go-control-plane * code cleanup * test fixes * Fix missing spans for well-known endpoints * import extension apis from pomerium/envoy-custom	2025-01-21 13:26:32 -05:00
Caleb Doxsey	52d4899d4c	core/proxy: support loading sessions from headers and query string (#5291 ) * core/proxy: support loading sessions from headers and query string * update test	2024-09-19 09:23:13 -06:00
Kenneth Jenkins	014824b525	proxy: deprecate the /.pomerium/jwt endpoint (#5254 ) Disable the /.pomerium/jwt endpoint by default. Add a runtime flag to temporarily opt out of the deprecation.	2024-09-04 11:22:18 -07:00
Caleb Doxsey	55eb2fa3dc	core/authorize: result denied improvements (#4952 ) * core/authorize: result denied improvements * add authenticate robots.txt * fix tests	2024-02-01 16:16:33 -07:00
Kenneth Jenkins	b7896b3153	authenticateflow: move stateless flow logic (#4820 ) Consolidate all logic specific to the stateless authenticate flow into a a new Stateless type in a new package internal/authenticateflow. This is in preparation for adding a new Stateful type implementing the older stateful authenticate flow (from Pomerium v0.20 and previous). This change is intended as a pure refactoring of existing logic, with no changes in functionality.	2023-12-06 16:55:57 -08:00
Caleb Doxsey	2b8d51def5	urlutil: add version to query string (#4028 )	2023-02-28 14:01:13 -07:00
Caleb Doxsey	753eeff12f	proxy: fix sign out redirect (#3827 ) * proxy: fix sign out redirect * add test	2022-12-20 09:32:49 -07:00
Caleb Doxsey	b375dc4896	jwt: require logged in user to return .pomerium/jwt (#3807 ) * jwt: require logged in user to return .pomerium/jwt * fix test * update test	2022-12-13 13:49:36 -07:00
Caleb Doxsey	57217af7dd	authenticate: implement hpke-based login flow (#3779 ) * urlutil: add time validation functions * authenticate: implement hpke-based login flow * fix import cycle * fix tests * log error * fix callback url * add idp param * fix test * fix test	2022-12-05 15:31:07 -07:00
Caleb Doxsey	c1a522cd82	proxy: add userinfo and webauthn endpoints (#3755 ) * proxy: add userinfo and webauthn endpoints * use TLD for RP id * use EffectiveTLDPlusOne * upgrade webauthn * fix test * Update internal/handlers/jwks.go Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>	2022-11-22 10:26:35 -07:00
Caleb Doxsey	0898dd4f34	proxy: fix error page (#3020 ) * fix error page * proxy: fix error page * share dashboard code * fix test	2022-02-09 09:14:24 -07:00
Caleb Doxsey	f84f7551d0	authenticate: fix default sign out url (#2061 )	2021-04-06 10:35:08 -06:00
Travis Groth	c7d243d742	proxy: restrict programmatic URLs to localhost (#2049 ) Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>	2021-04-01 10:04:49 -04:00
Travis Groth	0635c838c9	authenticate: validate signature on /.pomerium, /.pomerium/sign_in and /.pomerium/sign_out (#2048 ) Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>	2021-04-01 10:04:16 -04:00
Caleb Doxsey	3690a32855	config: use getters for authenticate, signout and forward auth urls (#2000 )	2021-03-19 14:49:25 -06:00
Caleb Doxsey	4f2bb60adb	proxy: redirect to dashboard for logout (#1944 )	2021-02-24 11:52:38 -07:00
bobby	c3e3ed9b50	authenticate: validate origin of signout (#1876 ) * authenticate: validate origin of signout - add a debug task to kill envoy - improve various function docs - userinfo: return "error" page if user is logged out without redirect uri set - remove front channel logout. There's little difference between it, and the signout function. Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2021-02-11 21:37:54 -08:00
Caleb Doxsey	cc85ea601d	policy: add new certificate-authority option for downstream mTLS client certificates (#1835 ) * policy: add new certificate-authority option for downstream mTLS client certificates * update proto, docs	2021-02-01 08:10:32 -07:00
bobby	9b39deabd8	forward-auth: use envoy's ext_authz check (#1482 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-10-04 20:01:06 -07:00
Caleb Doxsey	852c96f22f	proxy: add support for /.pomerium/jwt (#1446 )	2020-09-23 07:55:12 -06:00
Cuong Manh Le	9de99d0211	all: add signout redirect url (#1324 ) Fixes #1213	2020-08-25 01:23:58 +07:00
bobby	c1b3b45d12	proxy: remove unused handlers (#1317 ) proxy: remove unused handlers authenticate: remove unused references to refresh_token Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-08-22 10:02:12 -07:00
Cuong Manh Le	31205c0c29	proxy: fix wrong applied middleware Validate signature middleware must be applied for the callback sub-router, not the whole dashboard router. Fixes #1297	2020-08-18 20:25:11 +07:00
Caleb Doxsey	d9a224a5e8	proxy: move properties to atomically updated state (#1280 ) * authenticate: remove cookie options * authenticate: remove shared key field * authenticate: remove shared cipher property * authenticate: move properties to separate state struct * proxy: allow local state to be updated on configuration changes * fix test * return new connection * use warn, collapse to single line * address concerns, fix tests	2020-08-14 11:44:58 -06:00
Caleb Doxsey	fbf5b403b9	config: allow dynamic configuration of cookie settings (#1267 )	2020-08-13 08:11:34 -06:00
Caleb Doxsey	fae02791f5	cryptutil: move to pkg dir, add token generator (#1029 ) * cryptutil: move to pkg dir, add token generator * add gitignored files * add tests	2020-06-30 15:55:33 -06:00
Caleb Doxsey	8362f18355	authenticate: move impersonate from proxy to authenticate (#965 )	2020-06-22 11:58:27 -06:00
Caleb Doxsey	dbd7f55b20	feature/databroker: user data and session refactor project (#926 ) * databroker: add databroker, identity manager, update cache (#864) * databroker: add databroker, identity manager, update cache * fix cache tests * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * authorize: use databroker data for rego policy (#904) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix gitlab test * use v4 backoff * authenticate: databroker changes (#914) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix dashboard * delete session on logout * permanently delete sessions once they are marked as deleted * remove permanent delete * fix tests * remove groups and refresh test * databroker: remove dead code, rename cache url, move dashboard (#925) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix dashboard * delete session on logout * permanently delete sessions once they are marked as deleted * remove permanent delete * fix tests * remove cache service * remove kv * remove refresh docs * remove obsolete cache docs * add databroker url option * cache: use memberlist to detect multiple instances * add databroker service url * remove cache service * remove kv * remove refresh docs * remove obsolete cache docs * add databroker url option * cache: use memberlist to detect multiple instances * add databroker service url * wip * remove groups and refresh test * fix redirect, signout * remove databroker client from proxy * remove unused method * remove user dashboard test * handle missing session ids * session: reject sessions with no id * sessions: invalidate old sessions via databroker server version (#930) * session: add a version field tied to the databroker server version that can be used to invalidate sessions * fix tests * add log * authenticate: create user record immediately, call "get" directly in authorize (#931)	2020-06-19 07:52:44 -06:00
Travis Groth	99e788a9b4	envoy: Initial changes	2020-05-18 17:10:10 -04:00
Bobby DeSimone	ba14ea246d	*: remove import path comments (#545 ) - import path comments are obsoleted by the go.mod file's module statement Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-03-16 10:13:47 -07:00
Bobby DeSimone	8d1732582e	authorize: use jwt insead of state struct (#514 ) authenticate: unmarshal and verify state from jwt, instead of middleware authorize: embed opa policy using statik authorize: have IsAuthorized handle authorization for all routes authorize: if no signing key is provided, one is generated authorize: remove IsAdmin grpc endpoint authorize/client: return authorize decision struct cmd/pomerium: main logger no longer contains email and group cryptutil: add ECDSA signing methods dashboard: have impersonate form show up for all users, but have api gated by authz docs: fix typo in signed jwt header encoding/jws: remove unused es256 signer frontend: namespace static web assets internal/sessions: remove leeway to match authz policy proxy: move signing functionality to authz proxy: remove jwt attestation from proxy (authZ does now) proxy: remove non-signed headers from headers proxy: remove special handling of x-forwarded-host sessions: do not verify state in middleware sessions: remove leeway from state to match authz sessions/{all}: store jwt directly instead of state Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-03-10 11:19:26 -07:00
Bobby DeSimone	2f13488598	authorize: use opa for policy engine (#474 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-02-02 11:18:22 -08:00
Bobby DeSimone	b3d3159185	httputil : wrap handlers for additional context (#413 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-12-06 11:07:45 -08:00
Bobby DeSimone	74cd9eabbb	authenticate: fix impersonation getting cleared (#411 )	2019-11-30 10:54:32 -08:00
Bobby DeSimone	c8e6277a30	Merge remote-tracking branch 'upstream/master' into bugs/fix-forward-auth Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-11-25 15:02:25 -08:00
Bobby DeSimone	0f6a9d7f1d	proxy: fix forward auth, request signing Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-11-25 14:29:52 -08:00
Bobby DeSimone	ebee64b70b	internal/frontend : serve static assets (#392 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-11-22 17:46:01 -08:00
Bobby DeSimone	6743accd74	lint: bump golangci-lint 1.21.0 (#391 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-11-19 19:58:11 -08:00
Bobby DeSimone	00c29f4e77	authenticate: handle XHR redirect flow (#387 ) - authenticate: add cors preflight check support for sign_in endpoint - internal/httputil: indicate responses that originate from pomerium vs the app - proxy: detect XHR requests and do not redirect on failure. - authenticate: removed default session duration; should be maintained out of band with rpc.	2019-11-14 19:37:31 -08:00
Bobby DeSimone	d3d60d1055	all: support route scoped sessions Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-11-06 17:54:15 -08:00
Bobby DeSimone	7d7e997e79	proxy: verify endpoint strip added callback params (#368 ) - proxy: use distinct host route for forward-auth handlers - proxy: have auth middleware set pomerium headers for request and response	2019-10-15 15:36:00 -07:00
Bobby DeSimone	0e85b2b1cb	bug: fix forward-auth redirect (#364 )	2019-10-13 11:09:30 -07:00
Bobby DeSimone	badd8d69af	internal/sessions: refactor how sessions loading (#351 ) These chagnes standardize how session loading is done for session cookie, auth bearer token, and query params. - Bearer token previously combined with session cookie. - rearranged cookie-store to put exported methods above unexported - added header store that implements session loader interface - added query param store that implements session loader interface Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-10-06 10:47:53 -07:00

1 2 3

102 commits