3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-06-03 03:12:50 +02:00
Code Issues Projects Releases Packages Wiki Activity
3364 commits 167 branches 127 tags 105 MiB
Commit graph

3364 commits

This branch
This branch
All branches
Author SHA1 Message Date
Caleb Doxsey
23ea48815f
core/authorize: check for expired tokens (#4543) 
* core/authorize: check for expired tokens

* Update pkg/grpc/session/session.go

Co-authored-by: Denis Mishin <dmishin@pomerium.com>

* lint

* fix zero timestamps

* fix

---------

Co-authored-by: Denis Mishin <dmishin@pomerium.com>
 2023-09-15 16:06:13 -06:00
Caleb Doxsey
e5a7b994b6
core/authenticate: validate the identity profile (#4545) 2023-09-15 14:16:28 -06:00
Caleb Doxsey
723bd91e4b
core/identity: fix slow restart (#4542) 2023-09-15 12:14:24 -06:00
Kenneth Jenkins
01672528cb
cryptutil: remove unused functions (#4541) 
Remove the unused functions Sign() and Verify().
 2023-09-14 11:25:19 -07:00
dependabot[bot]
4df62bb9dc
chore(deps): bump @fontsource/dm-sans from 5.0.3 to 5.0.11 in /ui (#4508) 
Bumps [@fontsource/dm-sans](https://github.com/fontsource/font-files/tree/HEAD/fonts/google/dm-sans) from 5.0.3 to 5.0.11.
- [Changelog](https://github.com/fontsource/font-files/blob/main/fonts/google/dm-sans/CHANGELOG.md)
- [Commits](https://github.com/fontsource/font-files/commits/HEAD/fonts/google/dm-sans)

---
updated-dependencies:
- dependency-name: "@fontsource/dm-sans"
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-09-07 09:33:08 -06:00
dependabot[bot]
d01d0748bb
chore(deps-dev): bump ts-node from 10.4.0 to 10.9.1 in /ui (#4279) 
Bumps [ts-node](https://github.com/TypeStrong/ts-node) from 10.4.0 to 10.9.1.
- [Release notes](https://github.com/TypeStrong/ts-node/releases)
- [Changelog](https://github.com/TypeStrong/ts-node/blob/main/development-docs/release-template.md)
- [Commits](https://github.com/TypeStrong/ts-node/compare/v10.4.0...v10.9.1)

---
updated-dependencies:
- dependency-name: ts-node
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-09-07 09:27:49 -06:00
dependabot[bot]
5b9048a742
chore(deps): bump @fontsource/dm-mono from 4.5.2 to 5.0.11 in /ui (#4515) 
Bumps [@fontsource/dm-mono](https://github.com/fontsource/font-files/tree/HEAD/fonts/google/dm-mono) from 4.5.2 to 5.0.11.
- [Changelog](https://github.com/fontsource/font-files/blob/main/fonts/google/dm-mono/CHANGELOG.md)
- [Commits](https://github.com/fontsource/font-files/commits/HEAD/fonts/google/dm-mono)

---
updated-dependencies:
- dependency-name: "@fontsource/dm-mono"
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-09-07 09:26:48 -06:00
dependabot[bot]
ba5f3bf211
chore(deps): bump actions/setup-node from 3.7.0 to 3.8.1 (#4501) 
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 3.7.0 to 3.8.1.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](e33196f742...5e21ff4d9b)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-09-06 11:27:47 -06:00
dependabot[bot]
4b02b28d3a
chore(deps): bump goreleaser/goreleaser-action from 4.3.0 to 4.4.0 (#4502) 
Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 4.3.0 to 4.4.0.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](https://github.com/goreleaser/goreleaser-action/compare/v4.3.0...v4.4.0)

---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-09-06 11:21:54 -06:00
dependabot[bot]
a810673008
chore(deps): bump mikefarah/yq from 4.34.2 to 4.35.1 (#4503) 
Bumps [mikefarah/yq](https://github.com/mikefarah/yq) from 4.34.2 to 4.35.1.
- [Release notes](https://github.com/mikefarah/yq/releases)
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt)
- [Commits](0b34c9a00d...6609ed76ec)

---
updated-dependencies:
- dependency-name: mikefarah/yq
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-09-06 11:21:32 -06:00
dependabot[bot]
7be7ab37b7
chore(deps): bump tibdex/github-app-token from 1.8.0 to 1.8.2 (#4505) 
Bumps [tibdex/github-app-token](https://github.com/tibdex/github-app-token) from 1.8.0 to 1.8.2.
- [Release notes](https://github.com/tibdex/github-app-token/releases)
- [Commits](b62528385c...0d49dd7211)

---
updated-dependencies:
- dependency-name: tibdex/github-app-token
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-09-06 11:21:14 -06:00
dependabot[bot]
9bb3eb6bc7
chore(deps): bump cloud.google.com/go/storage from 1.31.0 to 1.32.0 (#4518) 
Bumps [cloud.google.com/go/storage](https://github.com/googleapis/google-cloud-go) from 1.31.0 to 1.32.0.
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.31.0...pubsub/v1.32.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/storage
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-09-06 12:21:03 -04:00
dependabot[bot]
014f1e94ab
chore(deps): bump go.uber.org/zap from 1.24.0 to 1.25.0 (#4516) 2023-09-05 22:49:26 -04:00
dependabot[bot]
cb9461f9ad
chore(deps): bump docker/setup-buildx-action from 2.9.1 to 2.10.0 (#4498) 
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 2.9.1 to 2.10.0.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](4c0219f9ac...885d1462b8)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-09-05 08:26:59 -06:00
dependabot[bot]
36415cb3ef
chore(deps): bump actions/setup-go from 4.0.1 to 4.1.0 (#4497) 
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4.0.1 to 4.1.0.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](fac708d667...93397bea11)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-09-05 08:26:39 -06:00
dependabot[bot]
e65e6a8fbc
chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.38.1 to 1.38.5 (#4521) 
chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3

Bumps [github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2) from 1.38.1 to 1.38.5.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.38.1...service/s3/v1.38.5)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/s3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-09-05 08:25:52 -06:00
dependabot[bot]
39edabb1c0
chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.32 to 1.18.38 (#4522) 
chore(deps): bump github.com/aws/aws-sdk-go-v2/config

Bumps [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) from 1.18.32 to 1.18.38.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.18.32...config/v1.18.38)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/config
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-09-05 08:21:36 -06:00
dependabot[bot]
8e27a768e2
chore(deps): bump github.com/openzipkin/zipkin-go from 0.4.1 to 0.4.2 (#4523) 2023-09-01 19:52:47 -04:00
dependabot[bot]
497dd26658
chore(deps): bump github.com/caddyserver/certmagic from 0.19.1 to 0.19.2 (#4526) 2023-09-01 19:51:44 -04:00
dependabot[bot]
160a09f32b
chore(deps): bump actions/checkout from 3.5.3 to 3.6.0 (#4496) 2023-09-01 19:50:43 -04:00
dependabot[bot]
a2b92650aa
chore(deps): bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 (#4499) 2023-09-01 19:50:26 -04:00
dependabot[bot]
833622707d
chore(deps): bump github.com/google/uuid from 1.3.0 to 1.3.1 (#4517) 2023-09-01 19:50:02 -04:00
dependabot[bot]
10d3d90619
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.7 to 3.23.8 (#4519) 2023-09-01 19:48:50 -04:00
Kenneth Jenkins
f1fc571208
replace ::set-output in release action (#4493) 
Update the 'Release' GitHub Action workflow to replace the deprecated
::set-output command with the newer $GITHUB_OUTPUT file mechanism.
 2023-09-01 14:12:37 -07:00
dependabot[bot]
1a396c5c5b
chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.20.0 to 1.21.0 (#4524) 
Bumps [github.com/aws/aws-sdk-go-v2](https://github.com/aws/aws-sdk-go-v2) from 1.20.0 to 1.21.0.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/v1.20.0...v1.21.0)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-09-01 11:57:31 -06:00
dependabot[bot]
567f42a066
chore(deps): bump github.com/minio/minio-go/v7 from 7.0.61 to 7.0.63 (#4527) 
Bumps [github.com/minio/minio-go/v7](https://github.com/minio/minio-go) from 7.0.61 to 7.0.63.
- [Release notes](https://github.com/minio/minio-go/releases)
- [Commits](https://github.com/minio/minio-go/compare/v7.0.61...v7.0.63)

---
updated-dependencies:
- dependency-name: github.com/minio/minio-go/v7
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-09-01 11:56:47 -06:00
dependabot[bot]
bc855d82d2
chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.4 to 2.0.6 (#4528) 
Bumps [github.com/hashicorp/golang-lru/v2](https://github.com/hashicorp/golang-lru) from 2.0.4 to 2.0.6.
- [Release notes](https://github.com/hashicorp/golang-lru/releases)
- [Commits](https://github.com/hashicorp/golang-lru/compare/v2.0.4...v2.0.6)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/golang-lru/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-09-01 11:56:29 -06:00
dependabot[bot]
e77eebc7d7
chore(deps): bump github.com/open-policy-agent/opa from 0.55.0 to 0.56.0 (#4530) 
Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 0.55.0 to 0.56.0.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-policy-agent/opa/compare/v0.55.0...v0.56.0)

---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-09-01 11:56:08 -06:00
dependabot[bot]
3cc20f50a7
chore(deps): bump github.com/jackc/pgx/v5 from 5.4.2 to 5.4.3 (#4531) 
Bumps [github.com/jackc/pgx/v5](https://github.com/jackc/pgx) from 5.4.2 to 5.4.3.
- [Changelog](https://github.com/jackc/pgx/blob/master/CHANGELOG.md)
- [Commits](https://github.com/jackc/pgx/compare/v5.4.2...v5.4.3)

---
updated-dependencies:
- dependency-name: github.com/jackc/pgx/v5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-09-01 11:48:28 -06:00
dependabot[bot]
7da1282e56
chore(deps): bump google.golang.org/api from 0.134.0 to 0.138.0 (#4532) 
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.134.0 to 0.138.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.134.0...v0.138.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-09-01 11:48:12 -06:00
dependabot[bot]
7ce469b137
chore(deps): bump node from 850d8e1 to f41231b (#4533) 
Bumps node from `850d8e1` to `f41231b`.

---
updated-dependencies:
- dependency-name: node
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-09-01 11:47:55 -06:00
Kenneth Jenkins
fd84075af1
config: remove set_authorization_header option (#4489) 
Remove the deprecated set_authorization_header option entirely. Add an
entry to the removedConfigFields map with a link to the relevant
Upgrading page section.
 2023-08-29 09:02:08 -07:00
Kenneth Jenkins
5a4acc5cd3
config: validate cookie_secure option (#4484) 
Do not allow the combination of 'cookie_same_site: none' and
'cookie_secure: false'.

Cookies with SameSite=None must also set the Secure option, see
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#none.
 2023-08-23 10:43:01 -07:00
Kenneth Jenkins
c95f1695ec
authorize: check CRLs only for leaf certificates (#4480) 
Set the Envoy option only_verify_leaf_cert_crl, to avoid a bug where
CRLs cannot be used in combination with an intermediate CA trust root.
Update the client certificate validation logic in the authorize service
to match this behavior.
 2023-08-23 09:07:32 -07:00
Caleb Doxsey
3e330bb76a
storage: add indexes for postgres (#4479) 
* storage: add indexes for postgres

* add type, version index
 2023-08-21 15:13:48 -06:00
Kenneth Jenkins
379abecab1
add integration test for https IP address route (#4476) 
Update the integration test libsonnet templates to assign a fixed IP 
address to the trusted-httpdetails service. This requires also assigning
a fixed IP subnet to the docker network.

Configure a route with a 'to' URL using https and this fixed IP address. 
Add a corresponding certificate with the IP address. Finally, add a test
case that makes a request to this route.
 2023-08-18 09:32:21 -07:00
Kenneth Jenkins
c6b7927e1c
add integration test for Pomerium JWT (#4472) 
Add an integration test case to verify properties of the Pomerium
attestation JWT:

 - The 'iat' and 'exp' timestamps should be plain integers.
 - The JWT should contain an issuer and audience claim.
 - A JWT retrieved from the /.pomerium/jwt endpoint should contain all
   the same data as a JWT from the X-Pomerium-Jwt-Assertion header.
 2023-08-17 13:23:16 -07:00
Kenneth Jenkins
e448909042
authorize: remove incorrect "valid-client-certificate" reason (#4470) 
Fix the logic around when to add the default invalid_client_certificate
rule: this should only be added if mTLS is enabled and the enforcement
mode is not set to "policy". Add a unit test for this logic.
 2023-08-17 08:13:57 -07:00
Kenneth Jenkins
a83375db7f
envoy: check for nil ssl() in client cert script (#4466) 
If Pomerium is operating in the insecure_server mode (e.g. if there is
another reverse proxy in front of Pomerium), then the ssl() Lua method
will return nil.

Add a check for this case to the set-client-certificate-metadata.lua
script, in order to avoid an error when attempting to store the client
certificate info.
 2023-08-16 12:39:20 -07:00
Kenneth Jenkins
1b3ee7ff8f
config: add decode hook for the SANMatcher type (#4464) 2023-08-16 11:05:17 -07:00
Kenneth Jenkins
a2539839d3
config: deprecate tls_downstream_client_ca (#4461) 
Log a deprecation warning for any route where tls_downstream_client_ca
or tls_downstream_client_ca_file is non-empty.
 2023-08-15 14:38:36 -07:00
Kenneth Jenkins
e8b489eb87
authorize: rework token substitution in headers (#4456) 
Currently Pomerium replaces dynamic set_request_headers tokens
sequentially. As a result, if a replacement value itself contained a
supported "$pomerium" token, Pomerium may treat that as another
replacement, resulting in incorrect output.

This is unlikely to be a problem given the current set of dynamic
tokens, but if we continue to add additional tokens, this will likely
become more of a concern.

To forestall any issues, let's perform all replacements in one pass,
using the os.Expand() method. This does require a slight change to the
syntax, as tokens containing a '.' will need to be wrapped in curly
braces, e.g. ${pomerium.id_token}.

A literal dollar sign can be included by using $$ in the input.
 2023-08-14 15:28:10 -07:00
Kenneth Jenkins
5568606f03
config: support client certificate SAN match (#4453) 
Add a new match_subject_alt_names option to the downstream_mtls settings
group. This setting can be used to further constrain the allowed client
certificates by requiring that certificates contain a Subject
Alternative Name of a particular type, matching a particular regex.

When set, populate the corresponding match_typed_subject_alt_names
setting within Envoy, and also implement a corresponding check in the
authorize service.
 2023-08-11 13:27:12 -07:00
Kenneth Jenkins
cc1ef1ae18
cryptutil: update CRL parsing (#4454) 
Move the parseCRLs() method from package 'authorize/evaluator' to
'pkg/cryptutil', replacing the existing DecodeCRL() method. This method
will parse all CRLs found in the PEM input, rather than just the first.

(This removes our usage of the deprecated method x509.ParseDERCRL.)

Update this method to return an error if there is non-PEM data found in
the input, to satisfy the existing test that raw DER-encoded CRLs are
not permitted.

Delete the CRLFromBase64() and CRLFromFile() methods, as these are no
longer used.
 2023-08-11 08:33:22 -07:00
Kenneth Jenkins
ed9a93fe5b
config: extra CA and CRL validation (#4455) 
Return an error from DownstreamMTLSSettings.validate() if both CA and
CAFile are populated, or if both CRL and CRLFile are populated.
 2023-08-10 16:15:11 -07:00
Kenneth Jenkins
50e6cf7466
config: add support for max_verify_depth (#4452) 
Add a new max_verify_depth option to the downstream_mtls settings group,
with a default value of 1 (to match the behavior of current Pomerium
releases).

Populate the corresponding setting within Envoy, and also implement a
depth check within isValidClientCertificate() in the authorize service.
 2023-08-10 10:05:48 -07:00
Kenneth Jenkins
0fcc3f16de
authorize: allow client certificate intermediates (#4451) 
Update the isValidClientCertificate() method to consider any
client-supplied intermediate certificates. Previously, in order to trust
client certificates issued by an intermediate CA, users would need to
include that intermediate CA's certificate directly in the client_ca
setting. After this change, only the trusted root CA needs to be set: as
long as the client can supply a set of certificates that chain back to
this trusted root, the client's certificate will validate successfully.

Rework the previous CRL checking logic to now consider CRLs for all
issuers in the verified chains.
 2023-08-10 09:33:29 -07:00
Kenneth Jenkins
ac475f4c5d
ppl: add new client certificate criterion (#4448) 
Add a new client_certificate criterion that accepts a "Certificate
Matcher" object. Start with two certificate match conditions:
fingerprint and SPKI hash, each of which can accept either a single
string or an array of strings.

Add new "client-certificate-ok" and "client-certificate-unauthorized"
reason strings.
 2023-08-09 09:47:23 -07:00
Kenneth Jenkins
f7e0b61c03
authorize: client cert fingerprint in set_request_headers (#4447) 
Add support for a new token $pomerium.client_cert_fingerprint in the
set_request_headers option. This token will be replaced with the SHA-256
hash of the presented leaf client certificate.
 2023-08-09 08:34:51 -07:00
Kenneth Jenkins
de68e37bc3
config: add new mTLS enforcement setting (#4443) 
Add an "enforcement" option to the new downstream mTLS configuration
settings group.

When not set, or when set to "policy_default_deny", keep the current
behavior of adding an invalid_client_certificate rule to all policies.

When the enforcement mode is set to just "policy", remove the default
invalid_client_certificate rule that would be normally added.

When the enforcement mode is set to "reject_connection", configure the
Envoy listener with the require_client_certificate setting and remove
the ACCEPT_UNTRUSTED option.

Add a corresponding field to the Settings proto.
 2023-08-09 07:53:11 -07:00