Pomerium is an identity and context-aware access proxy.
Kenneth Jenkins 6a24b01d28 identity: preserve session refresh schedule
The databroker identity manager is responsible for refreshing session
records, to account for overall session expiration as well as OAuth2
access token expiration.

Refresh events are scheduled subject to a coolOffDuration (10 seconds,
by default) relative to a lastRefresh timestamp. Currently, any update
to a session record will reset the associated lastRefresh value and
reschedule any pending refresh event for that session. If an update
occurs close before a scheduled refresh event, this will push back the
scheduled refresh event to 10 seconds from that time.

This means that if a session is updated frequently enough (e.g. if there
is a steady stream of requests that cause constant updates via the
AccessTracker), the access token may expire before a refresh ever runs.

To avoid this problem, do not update the lastRefresh time upon every
session record update, but only if it hasn't yet been set. Instead,
update the lastRefresh during the refresh attempt itself.

Add unit tests to exercise these changes. There is a now() function as
part of the manager configuration (to allow unit tests to set a fake
time); update the Manager to use this function throughout.
2023-10-24 14:15:53 -07:00
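The scheduling problem the commit message describes can be reproduced with a small fake-clock simulation. The Go program below is an added illustration written for this page, not Pomerium's databroker identity manager code; the Session, Scheduler and Policy types, the one-second tick loop and the sample timings (an update every 5 seconds, a 60-second token, a 10-second cool-off) are assumptions made here. The pre-fix policy resets lastRefresh on every record update, so with updates arriving more often than the cool-off the refresh is pushed back forever and the token expires; the fixed policy sets lastRefresh only when unset and otherwise lets the refresh attempt itself advance it, so the refresh fires at lastRefresh + coolOffDuration regardless of how often the record is written.

```go
package main

import (
	"fmt"
	"time"
)

// coolOffDuration is the default cool-off cited in the commit message.
const coolOffDuration = 10 * time.Second

// Session is a minimal stand-in for a databroker session record (assumed shape).
type Session struct {
	ID          string
	LastRefresh time.Time // zero value means "not yet set"
	ExpiresAt   time.Time // OAuth2 access token expiry
}

// Policy selects how lastRefresh is treated when a session record is updated.
type Policy int

const (
	// ResetOnEveryUpdate models the pre-fix behaviour: every record update
	// resets lastRefresh to now and so pushes the pending refresh back.
	ResetOnEveryUpdate Policy = iota
	// SetOnlyIfUnset models the fixed behaviour: lastRefresh is set on the
	// first update only and afterwards advanced only by the refresh attempt.
	SetOnlyIfUnset
)

// Scheduler keeps one pending refresh time per session.
type Scheduler struct {
	policy  Policy
	now     func() time.Time // injectable clock, like the manager's now()
	pending map[string]time.Time
}

func NewScheduler(policy Policy, now func() time.Time) *Scheduler {
	return &Scheduler{policy: policy, now: now, pending: map[string]time.Time{}}
}

// OnSessionUpdate is invoked whenever the session record is written, for
// example by the AccessTracker on every request.
func (s *Scheduler) OnSessionUpdate(sess *Session) {
	switch s.policy {
	case ResetOnEveryUpdate:
		sess.LastRefresh = s.now()
	case SetOnlyIfUnset:
		if sess.LastRefresh.IsZero() {
			sess.LastRefresh = s.now()
		}
	}
	s.pending[sess.ID] = sess.LastRefresh.Add(coolOffDuration)
}

// Tick runs the refresh if its scheduled time has arrived; the refresh
// attempt itself is what advances lastRefresh and schedules the next one.
func (s *Scheduler) Tick(sess *Session) bool {
	at, ok := s.pending[sess.ID]
	if !ok || s.now().Before(at) {
		return false
	}
	sess.LastRefresh = s.now()
	s.pending[sess.ID] = sess.LastRefresh.Add(coolOffDuration)
	return true
}

// Simulate drives one session with a fake clock ticking once per second. The
// record is updated every updateEvery, the token expires after tokenTTL, and
// the run lasts total. It reports whether a refresh ran before the token
// expired and how long after the start the first refresh ran (-1 if never).
func Simulate(policy Policy, updateEvery, tokenTTL, total time.Duration) (bool, time.Duration) {
	start := time.Date(2023, 10, 24, 14, 15, 53, 0, time.UTC) // constructed sample time
	clock := start
	s := NewScheduler(policy, func() time.Time { return clock })
	sess := &Session{ID: "sess-1", ExpiresAt: start.Add(tokenTTL)}
	s.OnSessionUpdate(sess) // the write that creates the record
	for elapsed := time.Second; elapsed <= total; elapsed += time.Second {
		clock = start.Add(elapsed)
		if elapsed%updateEvery == 0 {
			s.OnSessionUpdate(sess) // steady stream of AccessTracker-style writes
		}
		if s.Tick(sess) {
			return clock.Before(sess.ExpiresAt), elapsed
		}
	}
	return false, -1
}

func main() {
	for _, p := range []struct {
		name   string
		policy Policy
	}{{"reset on every update (before)", ResetOnEveryUpdate}, {"set only if unset (after)", SetOnlyIfUnset}} {
		ok, at := Simulate(p.policy, 5*time.Second, 60*time.Second, 120*time.Second)
		fmt.Printf("%-32s refreshed before expiry=%v first refresh after=%v\n", p.name, ok, at)
	}
}
```

With updates every 5 seconds the pre-fix policy never refreshes within the 120-second run, while the fixed policy refreshes at 10 seconds; with updates only every 30 seconds both policies refresh at 10 seconds, which is why the bug only shows up under a steady stream of session writes.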
.github chore(deps): bump mikefarah/yq from 4.35.1 to 4.35.2 (#4610) 2023-10-03 15:46:33 -06:00
.vscode use tlsClientConfig instead of custom dialer (#3830) 2022-12-27 09:55:36 -07:00
authenticate core/authenticate: refactor idp sign out (#4582) 2023-09-28 08:41:19 -07:00
authorize core/authorize: check for expired tokens (#4543) 2023-09-15 16:06:13 -06:00
cmd/pomerium chore(deps): bump github.com/golangci/golangci-lint from 1.48.0 to 1.50.0 (#3667) 2022-10-19 09:36:59 -06:00
config config: do not add route headers to global map (#4629) 2023-10-18 13:55:48 -07:00
databroker config: remove source, remove deadcode, fix linting issues (#4118) 2023-04-21 17:25:11 -06:00
examples Docs: remove tcp example (#4616) 2023-10-03 17:47:33 -04:00
integration add integration test for https IP address route (#4476) 2023-08-18 09:32:21 -07:00
internal identity: preserve session refresh schedule 2023-10-24 14:15:53 -07:00
ospkg move directory providers (#3633) 2022-11-03 11:33:56 -06:00
pkg core/authorize: check for expired tokens (#4543) 2023-09-15 16:06:13 -06:00
proxy config: add cookie_same_site option (#4148) 2023-05-03 14:36:42 -06:00
scripts upgrade envoy to v1.28.0 (#4635) 2023-10-24 08:39:10 -07:00
ui chore(deps): bump @fontsource/dm-mono from 5.0.12 to 5.0.14 in /ui (#4619) 2023-10-04 15:53:23 -07:00
.codecov.yml development: change codecov precision 2019-07-18 16:49:37 -07:00
.dockerignore frontend: react+mui (#3004) 2022-02-07 08:47:58 -07:00
.fossa.yml rm cli code (#2824) 2021-12-15 16:25:21 -05:00
.gitattributes assets: use embed instead of statik (#1960) 2021-03-03 18:56:55 -07:00
.gitignore tls: wildcard catch-all cert must be at the end of cert list (#4119) 2023-04-21 12:37:32 -04:00
.golangci.yml config: remove source, remove deadcode, fix linting issues (#4118) 2023-04-21 17:25:11 -06:00
.pre-commit-config.yaml integration: add single-cluster integration tests (#2516) 2021-08-24 15:35:05 -06:00
.tool-versions dependencies: upgrade go and envoy (#4116) 2023-04-17 16:44:58 -06:00
3RD-PARTY dependencies: vendor base58, remove shortuuid (#2739) 2021-11-02 09:23:15 -06:00
DEBUG.MD deployment: add debug build / container / docs (#1513) 2020-10-13 16:54:21 -04:00
Dockerfile chore(deps): bump node from 7923c64 to 2daec43 (#4609) 2023-10-03 15:45:02 -06:00
Dockerfile.debug chore(deps): bump node from 7923c64 to 2daec43 (#4609) 2023-10-03 15:45:02 -06:00
go.mod chore(deps): bump golang.org/x/net from 0.15.0 to 0.17.0 (#4626) 2023-10-12 08:49:39 -06:00
go.sum chore(deps): bump golang.org/x/net from 0.15.0 to 0.17.0 (#4626) 2023-10-12 08:49:39 -06:00
LICENSE initial release 2019-01-02 12:13:36 -08:00
Makefile config: remove source, remove deadcode, fix linting issues (#4118) 2023-04-21 17:25:11 -06:00
pomerium.go fix go get, improve redis test (#2450) 2021-08-06 12:07:20 -06:00
README.md Docs: remove tcp example (#4616) 2023-10-03 17:47:33 -04:00
RELEASING.md deployment: update RELEASING.md (#3503) 2022-08-16 10:40:03 -07:00
SECURITY.md Update SECURITY.md (#4144) 2023-05-01 15:17:50 -04:00
tools.go config: remove source, remove deadcode, fix linting issues (#4118) 2023-04-21 17:25:11 -06:00


Pomerium builds secure, clientless connections to internal web apps and services without a corporate VPN.

Pomerium is:

  • Easier because you don't have to maintain a client or software.
  • Faster because it's deployed directly where your apps and services are. No more expensive data backhauling.
  • Safer because every single action is verified for trusted identity, device, and context.

It's not a VPN alternative; it's the trusted, foolproof way to protect your business.

Docs

For comprehensive docs and tutorials, see our documentation.

Integration Tests

To run the integration tests locally, first build a local development image:

./scripts/build-dev-docker.bash

Next, go to the integration/clusters folder and pick a cluster, for example google-single, then use docker-compose to start the cluster. An environment variable specifies the dev docker image built earlier:

cd integration/clusters/google-single
env POMERIUM_TAG=dev docker-compose up -V

Once that's up and running you can run the integration tests from another terminal:

go test -count=1 -v ./integration/...

If you need to make a change to the clusters themselves, there's a tpl folder that contains jsonnet files. Make a change and then rebuild the clusters by running:

go run ./integration/cmd/pomerium-integration-tests/ generate-configuration