pomerium

mirror of https://github.com/pomerium/pomerium.git synced 2025-06-04 20:03:18 +02:00

Author	SHA1	Message	Date
Cuong Manh Le	8d0deb0732	config: add PassIdentityHeaders option (#903 ) Currently, user's identity headers are always inserted to downstream request. For privacy reason, it would be better to not insert these headers by default, and let user chose whether to include these headers per=policy basis. Fixes #702	2020-06-22 10:29:44 +07:00
Caleb Doxsey	dbd7f55b20	feature/databroker: user data and session refactor project (#926 ) * databroker: add databroker, identity manager, update cache (#864) * databroker: add databroker, identity manager, update cache * fix cache tests * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * authorize: use databroker data for rego policy (#904) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix gitlab test * use v4 backoff * authenticate: databroker changes (#914) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix dashboard * delete session on logout * permanently delete sessions once they are marked as deleted * remove permanent delete * fix tests * remove groups and refresh test * databroker: remove dead code, rename cache url, move dashboard (#925) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix dashboard * delete session on logout * permanently delete sessions once they are marked as deleted * remove permanent delete * fix tests * remove cache service * remove kv * remove refresh docs * remove obsolete cache docs * add databroker url option * cache: use memberlist to detect multiple instances * add databroker service url * remove cache service * remove kv * remove refresh docs * remove obsolete cache docs * add databroker url option * cache: use memberlist to detect multiple instances * add databroker service url * wip * remove groups and refresh test * fix redirect, signout * remove databroker client from proxy * remove unused method * remove user dashboard test * handle missing session ids * session: reject sessions with no id * sessions: invalidate old sessions via databroker server version (#930) * session: add a version field tied to the databroker server version that can be used to invalidate sessions * fix tests * add log * authenticate: create user record immediately, call "get" directly in authorize (#931)	2020-06-19 07:52:44 -06:00
Yuchen Ying	8fc1e9cca8	Add an option to request certificate with Must-Staple. (#697 )	2020-06-17 08:29:34 -07:00
Travis Groth	ee2170f5f5	config: add a consistent route ID (#905 )	2020-06-16 09:20:18 -04:00
Cuong Manh Le	e0bdd906f9	config: change the default logging level to INFO (#902 ) config: change the default logging level to INFO DEBUG logging level is very verbose and potentially logs sensitive data. We should set default log level to INFO. Updates #895 Fixes #896	2020-06-15 22:55:18 +07:00
Travis Groth	42966ab39b	options: ensure viper ignores `certificates` config field (#876 )	2020-06-11 16:38:13 -04:00
Yuchen Ying	b000930914	Remove unnecessary viper.New() (#849 )	2020-06-11 10:26:42 -04:00
Yuchen Ying	7abe3a3b02	Remove additional indirection. (#848 ) o is already a pointer to Options struct.	2020-06-08 07:36:24 -06:00
Cuong Manh Le	4d5edb0d64	Feature/remove request headers (#822 ) * config: add RemoveRequestHeaders Currently, we have "set_request_headers" config, which reflects envoy route.Route.RequestHeadersToAdd. This commit add new config "remove_request_headers", which reflects envoy RequestHeadersToRemove. This is also a preparation for future PRs to implement disable user identity in request headers feature. * integration: add test for remove_request_headers * docs: add documentation/changelog for remove_request_headers	2020-06-03 07:46:51 -07:00
Caleb Doxsey	12e373249b	config: strip quotes from http redirect addr (#818 )	2020-06-01 08:51:56 -06:00
Travis Groth	6761cc7a14	telemetry: service label updates (#802 )	2020-05-29 15:16:22 -04:00
Caleb Doxsey	f770ccfedd	config: add getters for URLs to avoid nils (#777 ) * config: add getters for URLs to avoid nils * allow nil url for cache grpc client connection in authenticate	2020-05-26 11:36:18 -06:00
Bobby DeSimone	b7f4c0ce2b	config: add some cert tests (#758 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-05-22 13:32:34 -07:00
Caleb Doxsey	e4832cb4ed	authorize: add client mTLS support (#751 ) * authorize: add client mtls support * authorize: better error messages for envoy * switch from function to input * add TrustedCa to envoy config so that users are prompted for the correct client certificate * update documentation * fix invalid ClientCAFile * regenerate cache protobuf * avoid recursion, add test * move comment line * use http.StatusOK * various fixes	2020-05-21 16:01:07 -06:00
Travis Groth	3e17befff7	envoy: Enable zipkin tracing (#737 ) - Update envoy bootstrap config to protobufs - Reorganize tracing config to avoid cyclic import - Push down zipkin config to Envoy - Update tracing options to provide sample rate	2020-05-21 11:50:07 -04:00
Caleb Doxsey	0895515833	envoy: implement various timeouts (#732 ) * envoy: implement global and route timeouts * envoy: use the grpc client timeout for the authz service timeout * fix test	2020-05-19 10:01:37 -06:00
Travis Groth	1f1e63a75b	telemetry/tracing: Add Zipkin tracing support (#723 )	2020-05-18 21:57:13 -04:00
Caleb Doxsey	e854cfe83b	envoy: implement policy TLS options (#724 ) * envoy: implement policy TLS options * fix tests * log which CAs are being used	2020-05-18 16:52:51 -06:00
Caleb Doxsey	dccec1e646	envoy: support autocert (#695 ) * envoy: support autocert * envoy: fallback to http host routing if sni fails to match * update comment * envoy: renew certs when necessary * fix tests	2020-05-18 17:10:10 -04:00
Caleb Doxsey	352c2b851b	envoy: add separate proxy log level option (#689 )	2020-05-18 17:10:10 -04:00
Caleb Doxsey	02615b8b6c	Merge remote-tracking branch 'origin/master' into feature/envoy	2020-05-18 17:10:10 -04:00
Travis Groth	99e788a9b4	envoy: Initial changes	2020-05-18 17:10:10 -04:00
Bobby DeSimone	bf9a6f5e97	cryptutil: add automatic certificate management (#644 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-05-05 12:50:19 -07:00
Ogundele Olumide	75f4dadad6	identity/provider: implement generic revoke method (#595 ) Co-authored-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-04-21 14:40:33 -07:00
Caleb Doxsey	e1d2501a94	proxy: move warning message to config validation	2020-04-20 18:24:36 -06:00
Caleb Doxsey	e8c8e7c688	config: use full string url instead of just the hostname for the policy options	2020-04-20 18:24:11 -06:00
Caleb Doxsey	5ecfa34361	config: gofmt	2020-04-20 18:23:35 -06:00
Caleb Doxsey	7027f458dd	config: add prefix, path and regex options proxy: support prefix, path and regex options	2020-04-20 18:23:34 -06:00
Travis Groth	789068e27a	Add configurable JWT claim headers (#596 )	2020-04-09 23:41:55 -04:00
Bobby DeSimone	ba14ea246d	*: remove import path comments (#545 ) - import path comments are obsoleted by the go.mod file's module statement Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-03-16 10:13:47 -07:00
Travis Groth	e666306ef8	Remove superfluous Options.Checksum type conversions (#522 )	2020-03-06 17:59:26 -05:00
Travis Groth	3654f44384	config: Expose and set default GRPC Server Keepalive Parameters (#509 )	2020-02-19 21:21:28 -05:00
Bobby DeSimone	5716113c2a	authenticate: make callback path configurable (#493 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-02-08 09:06:23 -08:00
Bobby DeSimone	2f13488598	authorize: use opa for policy engine (#474 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-02-02 11:18:22 -08:00
Travis Groth	2d2b16566a	Add yaml tag to Options.Policies (#475 )	2020-01-30 20:41:39 -08:00
Bobby DeSimone	e82477ea5c	deployment: throw away golanglint-ci defaults (#439 ) * deployment: throw away golanglint-ci defaults Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-01-26 12:33:45 -08:00
Bobby DeSimone	8956bf4411	proxy: add preserve host header (#463 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-01-22 21:03:22 -08:00
Bobby DeSimone	dccc7cd2ff	cache : add cache service (#457 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-01-20 18:25:34 -08:00
Bobby DeSimone	ec029c679b	authenticate/proxy: add backend refresh (#438 )	2019-12-30 10:47:54 -08:00
Y.Horie	9a330613aa	config: Remove CookieRefresh (#428 ) (#436 )	2019-12-24 11:22:55 -08:00
Travis Groth	1dfcd396fc	config: Validate that `shared_key` does not contain whitespace	2019-12-20 06:20:39 -05:00
Bobby DeSimone	12bae5cc43	errors: use %w verb directive (#419 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-12-03 20:02:43 -08:00
Bobby DeSimone	c8e6277a30	Merge remote-tracking branch 'upstream/master' into bugs/fix-forward-auth Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-11-25 15:02:25 -08:00
Bobby DeSimone	0f6a9d7f1d	proxy: fix forward auth, request signing Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-11-25 14:29:52 -08:00
Travis Groth	e5b13a9bf6	add yaml tags to all pointers in config (#397 )	2019-11-24 16:45:21 -05:00
Travis Groth	8164cfd85a	config: Update yaml tags (#394 ) * Add/update yaml tags for Options and Policy	2019-11-20 22:37:44 -05:00
Travis Groth	f3c62c10cc	Rename `internal/config` to `config` (#380 )	2019-11-09 19:53:11 -05:00

47 commits