In split service mode, and during periods of inactivity, the gRPC
connections to the databroker may fall idle. Some network firewalls may
eventually time out an idle TCP connection and even start dropping
subsequent packets once connection traffic resumes. Combined with Linux
default TCP retransmission settings, this could cause a broken
connection to persist for over 15 minutes.

In an attempt to avoid this scenario, enable TCP keepalive for outbound
gRPC connections, matching the Go standard library default settings for
time & interval: 15 seconds for both. (The probe count does not appear
to be set, so it will remain at the OS default.)
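
As an added illustration of the keepalive setting described above (example code, not Pomerium's own), the Go block below builds a net.Dialer with a 15-second KeepAlive, dials a throwaway loopback listener, and then reads SO_KEEPALIVE, TCP_KEEPIDLE and TCP_KEEPINTVL back from the client socket so the effective values can be verified rather than assumed. The function names and the loopback listener are this example's own; the socket option names are Linux-specific.

```go
package main

import (
	"fmt"
	"net"
	"syscall"
	"time"
)

// KeepaliveSettings is what the kernel reports for one established TCP socket.
type KeepaliveSettings struct {
	Enabled  bool
	Idle     time.Duration // TCP_KEEPIDLE: idle time before the first probe
	Interval time.Duration // TCP_KEEPINTVL: spacing between probes
}

// KeepaliveDialer builds a net.Dialer with an explicit keepalive period. With
// KeepAlive > 0 the Go runtime enables SO_KEEPALIVE and, on Linux, sets both
// TCP_KEEPIDLE and TCP_KEEPINTVL to that period; the probe count (TCP_KEEPCNT)
// is left at the OS default. 15s is the Go standard-library default period.
func KeepaliveDialer(period time.Duration) *net.Dialer {
	return &net.Dialer{Timeout: 5 * time.Second, KeepAlive: period}
}

// InspectKeepalive reads the keepalive socket options back from conn
// (Linux option names) so the configured values can be checked.
func InspectKeepalive(conn net.Conn) (KeepaliveSettings, error) {
	tcpConn, ok := conn.(*net.TCPConn)
	if !ok {
		return KeepaliveSettings{}, fmt.Errorf("not a TCP connection: %T", conn)
	}
	raw, err := tcpConn.SyscallConn()
	if err != nil {
		return KeepaliveSettings{}, err
	}
	var s KeepaliveSettings
	var optErr error
	ctrlErr := raw.Control(func(fd uintptr) {
		get := func(level, opt int) int {
			if optErr != nil {
				return 0
			}
			v, err := syscall.GetsockoptInt(int(fd), level, opt)
			if err != nil {
				optErr = err
			}
			return v
		}
		enabled := get(syscall.SOL_SOCKET, syscall.SO_KEEPALIVE)
		idle := get(syscall.IPPROTO_TCP, syscall.TCP_KEEPIDLE)
		intvl := get(syscall.IPPROTO_TCP, syscall.TCP_KEEPINTVL)
		s = KeepaliveSettings{
			Enabled:  enabled != 0,
			Idle:     time.Duration(idle) * time.Second,
			Interval: time.Duration(intvl) * time.Second,
		}
	})
	if ctrlErr != nil {
		return KeepaliveSettings{}, ctrlErr
	}
	return s, optErr
}

// DialLoopbackAndInspect opens a throwaway loopback listener (constructed for
// this example), dials it with the keepalive dialer and returns what the
// kernel holds on the client socket.
func DialLoopbackAndInspect(period time.Duration) (KeepaliveSettings, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return KeepaliveSettings{}, err
	}
	defer ln.Close()
	go func() {
		// The server side only needs to complete the handshake.
		if c, err := ln.Accept(); err == nil {
			c.Close()
		}
	}()
	conn, err := KeepaliveDialer(period).Dial("tcp", ln.Addr().String())
	if err != nil {
		return KeepaliveSettings{}, err
	}
	defer conn.Close()
	return InspectKeepalive(conn)
}

func main() {
	s, err := DialLoopbackAndInspect(15 * time.Second)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("keepalive enabled=%v idle=%v interval=%v\n", s.Enabled, s.Idle, s.Interval)
}
```

Reading the options back matters because the dialer field only expresses intent: if a connection is obtained through a different code path (a proxy dialer, a pooled connection created elsewhere), the socket may still carry the OS defaults, which on Linux means a two-hour idle timer before the first probe.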

Add a test case exercising the BuildClusters() method with the default
configuration options, comparing the results with a reference "golden"
file in the testdata directory. Also add an '-update' flag to make it
easier to update the reference golden when needed:
go test ./config/envoyconfig -update
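
The golden-file comparison and the '-update' flag mentioned above, as an added example that is not the project's own code: CheckGolden compares a serialized result against a file under testdata, rewrites that file when the update flag is set, and treats a missing golden as an error so that a reference file can only be created deliberately. The function name, the file name and the sample payload are constructed for this example.

```go
package main

import (
	"bytes"
	"flag"
	"fmt"
	"os"
	"path/filepath"
)

// update mirrors the `-update` test flag: `go test ./... -update` rewrites the
// golden files instead of comparing against them. In a real project this var
// lives in the _test.go file so the flag is only registered under `go test`.
var update = flag.Bool("update", false, "rewrite golden files instead of comparing")

// CheckGolden compares got with the contents of the golden file at path.
// When doUpdate is true the golden file is (re)written and the check passes.
// It returns whether the output matched, a human-readable mismatch report
// (empty on match) and any I/O error.
func CheckGolden(path string, got []byte, doUpdate bool) (bool, string, error) {
	if doUpdate {
		if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil {
			return false, "", err
		}
		if err := os.WriteFile(path, got, 0o644); err != nil {
			return false, "", err
		}
		return true, "", nil
	}
	want, err := os.ReadFile(path)
	if err != nil {
		// A missing golden is an error, not a silent pass: the author must
		// generate it with -update and review the diff before committing it.
		return false, "", fmt.Errorf("reading golden %s (create it with -update): %w", path, err)
	}
	if bytes.Equal(want, got) {
		return true, "", nil
	}
	report := fmt.Sprintf("golden mismatch for %s\n--- want\n%s\n--- got\n%s", path, want, got)
	return false, report, nil
}

func main() {
	flag.Parse()
	// Constructed stand-in for serialized cluster output; not real config.
	got := []byte("clusters:\n  - name: example-cluster\n    type: STRICT_DNS\n")
	path := filepath.Join("testdata", "clusters.golden")
	ok, report, err := CheckGolden(path, got, *update)
	switch {
	case err != nil:
		fmt.Println("error:", err)
	case !ok:
		fmt.Println(report)
	default:
		fmt.Println("golden matches", path)
	}
}
```

The value of the pattern for generated proxy configuration is that any change to the emitted clusters shows up as a reviewable diff in the golden file, so an unintended change to, say, a TLS or upstream setting is caught in code review rather than discovered in production.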

Add assertions for the redirect URL in the unit test for the stateful
authentication flow Callback() method. Remove a commented-out line of
debug logging.

The identity manager expects to be able to read session ID and user ID
from any deleted databroker session records. The session.Delete()
wrapper method is not compatible with this expectation, as it calls
Put() with a record containing an empty session. The stateful
authentication flow currently calls session.Delete() from its
RevokeSession() method.

The result is that the identity manager will not correctly track
sessions deleted by the stateful authentication flow, and will still
try to use them during session refresh and user info refresh.

Instead, let's change the stateful authentication flow RevokeSession()
method to perform deletions in a way that is compatible with the current
identity manager code. That is, include the existing session data in the
Put() call to delete the revoked session.
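
To make the mismatch described above concrete, here is an added, self-contained model (not Pomerium's code; the Store, IdentityManager, Record and Session types are hypothetical stand-ins) in which deletions are published as a Put of the record with DeletedAt set, and a watcher that identifies sessions only by the session and user IDs carried in the record payload. Revoking with an empty payload leaves the watcher tracking a session that no longer exists; re-putting the existing data with DeletedAt set lets it drop the session.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Session is a hypothetical minimal session payload.
type Session struct {
	ID     string
	UserID string
}

// Record stands in for a databroker record: a payload plus a deletion marker.
// A deletion is published as a Put of the record with DeletedAt set.
type Record struct {
	ID        string
	Session   Session
	DeletedAt *time.Time
}

// Store is a tiny in-memory stand-in for the databroker. Every Put is fanned
// out to the registered watcher, the way a change stream would.
type Store struct {
	records map[string]Record
	watcher func(Record)
}

func NewStore(watcher func(Record)) *Store {
	return &Store{records: map[string]Record{}, watcher: watcher}
}

func (s *Store) Put(r Record) {
	s.records[r.ID] = r
	if s.watcher != nil {
		s.watcher(r)
	}
}

func (s *Store) Get(id string) (Record, bool) {
	r, ok := s.records[id]
	return r, ok
}

// IdentityManager tracks sessions it must keep refreshing, keyed by session
// ID, and learns about them only from the payload of the records it sees.
type IdentityManager struct {
	tracked map[string]string // session ID -> user ID
}

func NewIdentityManager() *IdentityManager {
	return &IdentityManager{tracked: map[string]string{}}
}

// OnRecord is the watcher: a deleted record is only removed from the refresh
// set if its payload still identifies which session (and user) it was.
func (m *IdentityManager) OnRecord(r Record) {
	sid, uid := r.Session.ID, r.Session.UserID
	if sid == "" || uid == "" {
		return // cannot attribute the record to a tracked session
	}
	if r.DeletedAt != nil {
		delete(m.tracked, sid)
		return
	}
	m.tracked[sid] = uid
}

// Tracked returns the session IDs still scheduled for refresh, sorted.
func (m *IdentityManager) Tracked() []string {
	ids := make([]string, 0, len(m.tracked))
	for id := range m.tracked {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	return ids
}

// RevokeEmptyPut mirrors a Delete() that Puts a record with an empty payload.
func RevokeEmptyPut(s *Store, id string) {
	now := time.Now()
	s.Put(Record{ID: id, DeletedAt: &now})
}

// RevokeKeepingData re-Puts the existing session data with DeletedAt set.
func RevokeKeepingData(s *Store, id string) error {
	r, ok := s.Get(id)
	if !ok {
		return fmt.Errorf("no such session %q", id)
	}
	now := time.Now()
	r.DeletedAt = &now
	s.Put(r)
	return nil
}

// Simulate seeds one constructed session, revokes it one of the two ways and
// reports which sessions the manager would still try to refresh.
func Simulate(keepData bool) []string {
	mgr := NewIdentityManager()
	store := NewStore(mgr.OnRecord)
	store.Put(Record{ID: "sess-1", Session: Session{ID: "sess-1", UserID: "user-1"}})
	if keepData {
		_ = RevokeKeepingData(store, "sess-1")
	} else {
		RevokeEmptyPut(store, "sess-1")
	}
	return mgr.Tracked()
}

func main() {
	fmt.Println("still tracked after empty-payload revoke:", Simulate(false))
	fmt.Println("still tracked after data-preserving revoke:", Simulate(true))
}
```

The security-relevant consequence in the first case is that a revoked session stays in the refresh schedule, so the identity manager keeps exercising its tokens as though the session were live; the fix is to ensure every deletion carries enough of the original payload for consumers to attribute it.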

* core/authenticate: refactor identity authenticators to initiate redirect, use cookie for redirect url for cognito
* set secure and http only, update test

Commit b7896b3153 moved events.go from the 'authenticate' package to
'internal/authenticateflow' in order to avoid an import cycle. However
this location is not actually suitable, as the hosted authenticate
service refers to AuthEvent and AuthEventFn.

Move events.go back out from under 'internal', to a new package
'authenticate/events'. This should still avoid an import cycle between
'authenticate' and 'internal/authenticateflow', while also allowing the
hosted authenticate service to use the events types.

Add a new Stateful type implementing the stateful authentication flow
from Pomerium v0.20 and earlier.

This consists mainly of logic from authenticate/handlers.go prior to
commits 57217af and 539fd51.

One significant change is to set the default IdP ID when an IdP ID is
not provided in the request URL (e.g. when signing in directly at the
authenticate service domain). Otherwise, if session state is stored with
an empty IdP ID, it won't be valid for any route.