Cuong Manh Le
896467c4bf
internal/cmd/pomerium: fix data race in handling context (#890)
Caught by:
go test -race ./internal/cmd/pomerium
The ctx in Run is both read (in the handle signal goroutine) and written
(when passed to the errgroup context in Run), which causes a data race.
Fix it by passing the ctx to the goroutine via argument instead of
accessing it directly.
2020-06-15 22:38:45 +07:00
Bobby DeSimone
200bc7e836
controlplane: use previous preferred cipher suite (#889)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-06-14 17:53:18 -07:00
Bobby DeSimone
79d793d122
controlplane: fix missing full cert chain (#888)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-06-14 17:53:02 -07:00
Bobby DeSimone
3fbcb8ff13
frontend: fix logo fill on chrome (#893)
- on error, if reason is empty, use the status text of the HTTP status code
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-06-13 13:55:01 -07:00
Bobby DeSimone
b00acad517
internal/controlplane: set minimum tls version (#854)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-06-10 09:08:05 -07:00
Caleb Doxsey
fe2369400c
proxy: only set validation context if trusted_ca is used (#863)
* proxy: only set validation context if trusted_ca is used
* fix test
2020-06-09 13:45:03 -06:00
Cuong Manh Le
9e711b4612
internal/httputil: add HTTPStatsRoundTripper to DefaultClient (#828)
2020-06-08 14:34:32 -04:00
Cuong Manh Le
4d5edb0d64
Feature/remove request headers (#822)
* config: add RemoveRequestHeaders
Currently, we have the "set_request_headers" config, which reflects envoy
route.Route.RequestHeadersToAdd. This commit adds a new config,
"remove_request_headers", which reflects envoy RequestHeadersToRemove.
This is also a preparation for future PRs to implement the "disable user
identity in request headers" feature.
* integration: add test for remove_request_headers
* docs: add documentation/changelog for remove_request_headers
2020-06-03 07:46:51 -07:00
Caleb Doxsey
b80a419699
xds: use ipv4 address when ipv6 is disabled (#823)
2020-06-02 13:05:44 -06:00
Caleb Doxsey
fca17d365a
xds: force ipv4 for localhost to workaround ipv6 issue in docker compose (#819)
2020-06-01 08:58:28 -06:00
Travis Groth
f97341dcb8
Fix autocache telemetry labels (#805)
2020-05-29 17:47:45 -04:00
Travis Groth
06e3f5def5
Fix missing/incorrect grpc labels (#804)
2020-05-29 15:57:58 -04:00
Travis Groth
6761cc7a14
telemetry: service label updates (#802)
2020-05-29 15:16:22 -04:00
Caleb Doxsey
c77b2c6876
authenticate: fix insecure gRPC connection string default port (#795)
2020-05-28 07:47:41 -06:00
Caleb Doxsey
988477c90d
authenticate: fix user-info call for AWS cognito (#792)
2020-05-27 15:37:42 -06:00
Caleb Doxsey
748ab836b6
cache: fix closing too early (#791)
* cache: fix closing too early
* fix test
2020-05-27 11:28:08 -06:00
Caleb Doxsey
f6114c288a
xds: add catch-all for pomerium routes (#789)
2020-05-27 09:12:04 -06:00
Caleb Doxsey
17952e3ac5
xds: disable cluster validation to handle out-of-order updates (#783)
2020-05-27 08:02:29 -06:00
Caleb Doxsey
8943c7c17d
xds: lazy-load root ca bundle to avoid log in version command (#778)
2020-05-26 12:00:36 -06:00
Caleb Doxsey
f770ccfedd
config: add getters for URLs to avoid nils (#777)
* config: add getters for URLs to avoid nils
* allow nil url for cache grpc client connection in authenticate
2020-05-26 11:36:18 -06:00
Bobby DeSimone
39187eb305
state: infer user from subject (#772)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-05-26 10:31:55 -07:00
Travis Groth
aba549a70f
envoy: ensure command line args reflect the current log level (#779)
2020-05-26 11:37:10 -04:00
Caleb Doxsey
dedf4b1428
controlplane: xds unit tests (#770)
* xds: use plain functions, add unit tests for control plane routes
* xds: add test for grpc routes
* xds: add test for pomerium http routes
* xds: add test for policy routes
* xds: use plain functions
* xds: test get all routeable domains
* xds: add build downstream tls context test
* more tests
* test for client cert
* more tests
2020-05-25 11:14:07 -06:00
Caleb Doxsey
7b96d2de66
dashboard: inline svgs + css for better forward auth (#771)
2020-05-25 11:12:40 -06:00
Travis Groth
727d4bed9d
envoy: Tracing config improvements (#754)
2020-05-23 18:40:26 -04:00
Benoît Knecht
5c3c020508
sessions/state: Add nickname claim (#755)
GitLab returns the user name in a `nickname` claim instead of `user`, so make
it available in `sessions.State`.
Signed-off-by: Benoît Knecht <bknecht@protonmail.ch>
2020-05-22 11:38:27 -07:00
Travis Groth
ca5f68e371
telemetry: Refactor GRPC Server Handler (#756)
* Refactor GRPC server stats handler location
2020-05-22 13:36:55 -04:00
Travis Groth
e2a7149c36
telemetry: Remove 'accept-encoding' header from proxied metric requests (#750)
2020-05-22 07:47:37 -04:00
Caleb Doxsey
e4832cb4ed
authorize: add client mTLS support (#751)
* authorize: add client mtls support
* authorize: better error messages for envoy
* switch from function to input
* add TrustedCa to envoy config so that users are prompted for the correct client certificate
* update documentation
* fix invalid ClientCAFile
* regenerate cache protobuf
* avoid recursion, add test
* move comment line
* use http.StatusOK
* various fixes
2020-05-21 16:01:07 -06:00
Bobby DeSimone
3f1faf2e9e
authenticate: add jwks and .well-known endpoint (#745)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-05-21 11:46:29 -07:00
Caleb Doxsey
9b82954012
envoy: support ports in hosts for routing (#748)
* envoy: support ports in hosts for routing
* additional domains
2020-05-21 12:06:50 -06:00
Travis Groth
3e17befff7
envoy: Enable zipkin tracing (#737)
- Update envoy bootstrap config to protobufs
- Reorganize tracing config to avoid cyclic import
- Push down zipkin config to Envoy
- Update tracing options to provide sample rate
2020-05-21 11:50:07 -04:00
Travis Groth
66e4c7d7ca
envoy: Add GRPC stats handler to control plane service (#744)
* Add GRPC stats handler to control plane service
2020-05-20 22:26:34 -04:00
Caleb Doxsey
84378440f0
envoy: improvements to logging (#742)
2020-05-20 13:05:41 -06:00
Caleb Doxsey
d2e463e9ef
envoy: add duration and size to access log (#735)
2020-05-19 12:11:48 -06:00
Caleb Doxsey
e30e717942
main: move pomerium main code to an internal cmd package so that it can be called directly from tests (#734)
* main: move pomerium main code to an internal cmd package so that it can be called directly from tests
* fix test
2020-05-19 11:17:40 -06:00
Caleb Doxsey
ae0405f11e
envoy: fix lua warning (#731)
2020-05-19 10:21:50 -06:00
Caleb Doxsey
0895515833
envoy: implement various timeouts (#732)
* envoy: implement global and route timeouts
* envoy: use the grpc client timeout for the authz service timeout
* fix test
2020-05-19 10:01:37 -06:00
Caleb Doxsey
1859f6d06b
envoy: switch to STRICT_DNS (#733)
2020-05-19 09:17:05 -06:00
Caleb Doxsey
959c9e8225
envoy: always populate pomerium-authz cluster (#730)
2020-05-19 08:11:12 -06:00
Travis Groth
1f1e63a75b
telemetry/tracing: Add Zipkin tracing support (#723)
2020-05-18 21:57:13 -04:00
Caleb Doxsey
14c27974b9
envoy: enable TLS verification for internal services (#726)
2020-05-18 19:22:50 -06:00
Caleb Doxsey
e854cfe83b
envoy: implement policy TLS options (#724)
* envoy: implement policy TLS options
* fix tests
* log which CAs are being used
2020-05-18 16:52:51 -06:00
Bobby DeSimone
666fd6aa35
authenticate: save oauth2 tokens to cache (#698)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-05-18 17:10:10 -04:00
Travis Groth
d514ec2ecf
Proxy envoy metrics through control plane prometheus endpoint (#709)
* Proxy metrics requests to envoy control plane
2020-05-18 17:10:10 -04:00
Caleb Doxsey
1bee3b0df9
envoy: fix sni/hostname mismatched routing for http2 connection coalescing (#703)
2020-05-18 17:10:10 -04:00
Travis Groth
65bb1501fd
deployment: Envoy cross platform improvements (#701)
* Share processgroup on all platforms
* Fix cross platform release handling
2020-05-18 17:10:10 -04:00
Caleb Doxsey
dccec1e646
envoy: support autocert (#695)
* envoy: support autocert
* envoy: fallback to http host routing if sni fails to match
* update comment
* envoy: renew certs when necessary
* fix tests
2020-05-18 17:10:10 -04:00
Travis Groth
0c1ac5a575
Return an error regardless of envoy's exit status (#694)
2020-05-18 17:10:10 -04:00
Travis Groth
f5a9bad3d6
enable ipv6 grpc routing (#692)
2020-05-18 17:10:10 -04:00