pomerium

mirror of https://github.com/pomerium/pomerium.git synced 2025-05-03 12:26:03 +02:00

Author	SHA1	Message	Date
Cuong Manh Le	4a3fb5d44b	authorize: get claims from signed jwt (#954 ) authorize: get claims from signed jwt When doing databroker refactoring, all claims information were moved to signed JWT instead of raw session JWT. But we are still looking for claims info in raw session JWT, causes all X-Pomerium-Claim-* headers being gone. Fix this by looking for information from signed JWT instead. Note that even with this fix, the X-Pomerium-Claim-Groups is still not present, but it's another bug (see #941) and will be fixed later. Fixes #936	2020-06-22 09:51:32 +07:00
bobby	7dfa1d0a41	authorize: only log headers if debug set (#940 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-06-21 10:07:30 -07:00
Caleb Doxsey	dbd7f55b20	feature/databroker: user data and session refactor project (#926 ) * databroker: add databroker, identity manager, update cache (#864) * databroker: add databroker, identity manager, update cache * fix cache tests * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * authorize: use databroker data for rego policy (#904) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix gitlab test * use v4 backoff * authenticate: databroker changes (#914) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix dashboard * delete session on logout * permanently delete sessions once they are marked as deleted * remove permanent delete * fix tests * remove groups and refresh test * databroker: remove dead code, rename cache url, move dashboard (#925) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix dashboard * delete session on logout * permanently delete sessions once they are marked as deleted * remove permanent delete * fix tests * remove cache service * remove kv * remove refresh docs * remove obsolete cache docs * add databroker url option * cache: use memberlist to detect multiple instances * add databroker service url * remove cache service * remove kv * remove refresh docs * remove obsolete cache docs * add databroker url option * cache: use memberlist to detect multiple instances * add databroker service url * wip * remove groups and refresh test * fix redirect, signout * remove databroker client from proxy * remove unused method * remove user dashboard test * handle missing session ids * session: reject sessions with no id * sessions: invalidate old sessions via databroker server version (#930) * session: add a version field tied to the databroker server version that can be used to invalidate sessions * fix tests * add log * authenticate: create user record immediately, call "get" directly in authorize (#931)	2020-06-19 07:52:44 -06:00
Bobby DeSimone	3fbcb8ff13	frontend: fix logo fill on chrome (#893 ) - on error, if reason is empty use the status text of the http status code Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-06-13 13:55:01 -07:00
Travis Groth	dbbbb2357e	authorize: reduce duplicate evaluations in opa policy (#882 )	2020-06-12 11:06:28 -04:00
Travis Groth	6761cc7a14	telemetry: service label updates (#802 )	2020-05-29 15:16:22 -04:00
Caleb Doxsey	b16bc5e090	authorize: reduce log noise for empty jwt (#793 )	2020-05-27 15:34:15 -06:00
Bobby DeSimone	829280c73c	authorize: add authN validation, additional tests (#761 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-05-26 10:44:51 -07:00
Caleb Doxsey	f770ccfedd	config: add getters for URLs to avoid nils (#777 ) * config: add getters for URLs to avoid nils * allow nil url for cache grpc client connection in authenticate	2020-05-26 11:36:18 -06:00
Caleb Doxsey	a969f33d88	authorize: refactor and add additional unit tests (#757 ) * authorize: clean up code, add test * authorize: additional test * authorize: additional test	2020-05-22 13:25:59 -06:00
Caleb Doxsey	e4832cb4ed	authorize: add client mTLS support (#751 ) * authorize: add client mtls support * authorize: better error messages for envoy * switch from function to input * add TrustedCa to envoy config so that users are prompted for the correct client certificate * update documentation * fix invalid ClientCAFile * regenerate cache protobuf * avoid recursion, add test * move comment line * use http.StatusOK * various fixes	2020-05-21 16:01:07 -06:00
Bobby DeSimone	ca499ac9be	envoy: add jwt-assertion (#727 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-05-19 08:34:49 -07:00
Bobby DeSimone	666fd6aa35	authenticate: save oauth2 tokens to cache (#698 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-05-18 17:10:10 -04:00
Caleb Doxsey	41855e5419	envoy: use envoy request id for logging across systems with http and gRPC (#691 )	2020-05-18 17:10:10 -04:00
Caleb Doxsey	5819bf1408	authorize: return jwt claims in request headers (#688 ) * authorize: refactor session loading, implement headers and query params * authorize: fix http recorder header, use constant for pomerium authorization header * fix compile * remove dead code * authorize: return jwt claims in request headers	2020-05-18 17:10:10 -04:00
Caleb Doxsey	af649d3eb0	envoy: implement header and query param session loading (#684 ) * authorize: refactor session loading, implement headers and query params * authorize: fix http recorder header, use constant for pomerium authorization header * fix compile * remove dead code	2020-05-18 17:10:10 -04:00
Caleb Doxsey	0d9a372182	envoy: implement refresh session (#674 ) * authorize: refresh session WIP * remove upstream cookie with lua * only refresh session on expired * authorize: handle session expiration * authorize: add refresh test, fix isExpired check * proxy: implement preserve host header option * authorize: allow CORS preflight requests * proxy: add request headers * authenticate: use id token expiry	2020-05-18 17:10:10 -04:00
Caleb Doxsey	98d2f194a0	authorize: allow CORS preflight requests (#672 ) * proxy: implement preserve host header option * authorize: allow CORS preflight requests	2020-05-18 17:10:10 -04:00
Travis Groth	99e788a9b4	envoy: Initial changes	2020-05-18 17:10:10 -04:00
Travis Groth	6196278046	Fix reload panic in Authorize code (#652 )	2020-05-04 09:21:06 -04:00
Caleb Doxsey	b1d3bbaf56	authorize: add support for .pomerium and unauthenticated routes (#639 ) * authorize: add support for .pomerium and unauthenticated routes integration-tests: add test for forward auth dashboard urls * proxy: fix ctx error test to return a 200 when authorize allows it	2020-04-29 10:55:46 -06:00
Caleb Doxsey	a05bbd9ba7	authorize: remove trace statements from rego file	2020-04-21 07:19:02 -06:00
Caleb Doxsey	bc8048ff6b	authorize: regenerate statik	2020-04-20 18:25:49 -06:00
Caleb Doxsey	ea1c6efc24	authorize: fix domain check bug, rewrite url for forward auth, add dev script	2020-04-20 18:24:48 -06:00
Caleb Doxsey	a1424a54d0	authorize: more tests	2020-04-20 18:24:36 -06:00
Caleb Doxsey	19053c8f06	proxy: add additional tests for trailing slash	2020-04-20 18:24:36 -06:00
Caleb Doxsey	85a1a6d013	authorize,proxy: remove support for paths within the from parameter	2020-04-20 18:24:36 -06:00
Caleb Doxsey	5ad0e0ebdc	authorize: build full URL from gRPC request	2020-04-20 18:24:26 -06:00
Caleb Doxsey	cd6d686822	authorize: regenerate statik file	2020-04-20 18:24:26 -06:00
Caleb Doxsey	e8c8e7c688	config: use full string url instead of just the hostname for the policy options	2020-04-20 18:24:11 -06:00
Caleb Doxsey	903a2d401f	authorize: fix indentation	2020-04-20 18:24:11 -06:00
Caleb Doxsey	428dee99c4	authorize: update opa rego to support additional policy properties	2020-04-20 18:24:11 -06:00
Caleb Doxsey	d8938db6f3	authorize: fix authorization check for allowed_domains to only match current route (#624 )	2020-04-20 14:03:21 -07:00
Bobby DeSimone	c23db546fa	authorization: log audience claim failure (#553 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-03-22 12:06:25 -07:00
Bobby DeSimone	ba14ea246d	*: remove import path comments (#545 ) - import path comments are obsoleted by the go.mod file's module statement Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-03-16 10:13:47 -07:00
Bobby DeSimone	8d1732582e	authorize: use jwt insead of state struct (#514 ) authenticate: unmarshal and verify state from jwt, instead of middleware authorize: embed opa policy using statik authorize: have IsAuthorized handle authorization for all routes authorize: if no signing key is provided, one is generated authorize: remove IsAdmin grpc endpoint authorize/client: return authorize decision struct cmd/pomerium: main logger no longer contains email and group cryptutil: add ECDSA signing methods dashboard: have impersonate form show up for all users, but have api gated by authz docs: fix typo in signed jwt header encoding/jws: remove unused es256 signer frontend: namespace static web assets internal/sessions: remove leeway to match authz policy proxy: move signing functionality to authz proxy: remove jwt attestation from proxy (authZ does now) proxy: remove non-signed headers from headers proxy: remove special handling of x-forwarded-host sessions: do not verify state in middleware sessions: remove leeway from state to match authz sessions/{all}: store jwt directly instead of state Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-03-10 11:19:26 -07:00
Travis Groth	e666306ef8	Remove superfluous Options.Checksum type conversions (#522 )	2020-03-06 17:59:26 -05:00
Bobby DeSimone	2f13488598	authorize: use opa for policy engine (#474 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-02-02 11:18:22 -08:00
Bobby DeSimone	e82477ea5c	deployment: throw away golanglint-ci defaults (#439 ) * deployment: throw away golanglint-ci defaults Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-01-26 12:33:45 -08:00
Bobby DeSimone	dccc7cd2ff	cache : add cache service (#457 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-01-20 18:25:34 -08:00
Bobby DeSimone	acac2cee9a	authorize: s/gprc/grpc (#443 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-12-30 10:48:26 -08:00
Bobby DeSimone	12bae5cc43	errors: use %w verb directive (#419 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-12-03 20:02:43 -08:00
Travis Groth	f3c62c10cc	Rename `internal/config` to `config` (#380 )	2019-11-09 19:53:11 -05:00
Bobby DeSimone	dc12947241	all: refactor handler logic - all: prefer `FormValues` to `ParseForm` with subsequent `Form.Get`s - all: refactor authentication stack to be checked by middleware, and accessible via request context. - all: replace http.ServeMux with gorilla/mux’s router - all: replace custom CSRF checks with gorilla/csrf middleware - authenticate: extract callback path as constant. - internal/config: implement stringer interface for policy - internal/cryptutil: add helper func `NewBase64Key` - internal/cryptutil: rename `GenerateKey` to `NewKey` - internal/cryptutil: rename `GenerateRandomString` to `NewRandomStringN` - internal/middleware: removed alice in favor of gorilla/mux - internal/sessions: remove unused `ValidateRedirectURI` and `ValidateClientSecret` - internal/sessions: replace custom CSRF with gorilla/csrf fork that supports custom handler protection - internal/urlutil: add `SignedRedirectURL` to create hmac'd URLs - internal/urlutil: add `ValidateURL` helper to parse URL options - internal/urlutil: add `GetAbsoluteURL` which takes a request and returns its absolute URL. - proxy: remove holdover state verification checks; we no longer are setting sessions in any proxy routes so we don’t need them. - proxy: replace un-named http.ServeMux with named domain routes. Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-09-16 18:01:14 -07:00
Travis Groth	790619ef01	Restore info metrics (#252 )	2019-08-03 12:58:21 -04:00
Travis Groth	30243097d2	Prevent nil pointer when reloading in single service mode	2019-08-01 22:50:21 -04:00
Bobby DeSimone	5edfa7b03f	telemetry: add tracing - telemetry/tace: add traces throughout code - telemetry/metrics: nest metrics and trace under telemetry - telemetry/tace: add service name span to HTTPMetricsHandler. - telemetry/metrics: removed chain dependency middleware_tests. - telemetry/metrics: wrap and encapsulate variatic view registration. - telemetry/tace: add jaeger support for tracing. - cmd/pomerium: move `parseOptions` to internal/config. - cmd/pomerium: offload server handling to httputil and sub pkgs. - httputil: standardize creation/shutdown of http listeners. - httputil: prefer curve X25519 to P256 when negotiating TLS. - fileutil: use standardized Getw Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-07-24 09:20:16 -07:00
Travis Groth	db63956b0e	Add info metrics	2019-07-20 08:53:35 -04:00
Bobby DeSimone	b85f8de05f	development: use golangci-lint	2019-07-13 18:28:51 -07:00
Bobby DeSimone	7558d5b0de	internal/config: refactor option parsing - authorize: build whitelist from policy's URLs instead of strings. - internal/httputil: merged httputil and https package. - internal/config: merged config and policy packages. - internal/metrics: removed unused measure struct. - proxy/clients: refactor Addr fields to be urls. - proxy: remove unused extend deadline function. - proxy: use handler middleware for reverse proxy leg. - proxy: change the way websocket requests are made (route based). General improvements - omitted value from range in several cases where for loop could be simplified. - added error checking to many tests. - standardize url parsing. - remove unnecessary return statements. - proxy: add self-signed certificate support. #179 - proxy: add skip tls certificate verification. #179 - proxy: Refactor websocket support to be route based. #204	2019-07-07 09:39:31 -07:00

1 2

62 commits