3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-05-21 13:07:13 +02:00
Code Issues Projects Releases Packages Wiki Activity
pomerium/internal/cmd/pomerium/pomerium.go
Caleb Doxsey dbd7f55b20
feature/databroker: user data and session refactor project (#926) 
* databroker: add databroker, identity manager, update cache (#864)

* databroker: add databroker, identity manager, update cache

* fix cache tests

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* authorize: use databroker data for rego policy (#904)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix gitlab test

* use v4 backoff

* authenticate: databroker changes (#914)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix dashboard

* delete session on logout

* permanently delete sessions once they are marked as deleted

* remove permanent delete

* fix tests

* remove groups and refresh test

* databroker: remove dead code, rename cache url, move dashboard (#925)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix dashboard

* delete session on logout

* permanently delete sessions once they are marked as deleted

* remove permanent delete

* fix tests

* remove cache service

* remove kv

* remove refresh docs

* remove obsolete cache docs

* add databroker url option

* cache: use memberlist to detect multiple instances

* add databroker service url

* remove cache service

* remove kv

* remove refresh docs

* remove obsolete cache docs

* add databroker url option

* cache: use memberlist to detect multiple instances

* add databroker service url

* wip

* remove groups and refresh test

* fix redirect, signout

* remove databroker client from proxy

* remove unused method

* remove user dashboard test

* handle missing session ids

* session: reject sessions with no id

* sessions: invalidate old sessions via databroker server version (#930)

* session: add a version field tied to the databroker server version that can be used to invalidate sessions

* fix tests

* add log

* authenticate: create user record immediately, call "get" directly in authorize (#931)
2020-06-19 07:52:44 -06:00

235 lines
6 KiB
Go
Raw Blame History

// Package pomerium houses the main pomerium CLI command.
//
package pomerium
import (
"context"
"fmt"
"net"
"os"
"os/signal"
"sync"
"syscall"
"github.com/pomerium/pomerium/internal/telemetry"
envoy_service_auth_v2 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2"
"golang.org/x/sync/errgroup"
"github.com/pomerium/pomerium/authenticate"
"github.com/pomerium/pomerium/authorize"
"github.com/pomerium/pomerium/cache"
"github.com/pomerium/pomerium/config"
"github.com/pomerium/pomerium/internal/controlplane"
"github.com/pomerium/pomerium/internal/envoy"
"github.com/pomerium/pomerium/internal/httputil"
"github.com/pomerium/pomerium/internal/log"
"github.com/pomerium/pomerium/internal/telemetry/metrics"
"github.com/pomerium/pomerium/internal/telemetry/trace"
"github.com/pomerium/pomerium/internal/urlutil"
"github.com/pomerium/pomerium/internal/version"
"github.com/pomerium/pomerium/proxy"
)
// Run runs the main pomerium application.
func Run(ctx context.Context, configFile string) error {
opt, err := config.NewOptionsFromConfig(configFile)
if err != nil {
return err
}
var optionsUpdaters []config.OptionsUpdater
log.Info().Str("version", version.FullVersion()).Msg("cmd/pomerium")
if err := setupMetrics(ctx, opt); err != nil {
return err
}
if err := setupTracing(ctx, opt); err != nil {
return err
}
// setup the control plane
controlPlane, err := controlplane.NewServer(opt.Services)
if err != nil {
return fmt.Errorf("error creating control plane: %w", err)
}
optionsUpdaters = append(optionsUpdaters, controlPlane)
err = controlPlane.UpdateOptions(*opt)
if err != nil {
return fmt.Errorf("error updating control plane options: %w", err)
}
_, grpcPort, _ := net.SplitHostPort(controlPlane.GRPCListener.Addr().String())
_, httpPort, _ := net.SplitHostPort(controlPlane.HTTPListener.Addr().String())
log.Info().Str("port", grpcPort).Msg("gRPC server started")
log.Info().Str("port", httpPort).Msg("HTTP server started")
// create envoy server
envoyServer, err := envoy.NewServer(opt, grpcPort, httpPort)
if err != nil {
return fmt.Errorf("error creating envoy server: %w", err)
}
// add services
if err := setupAuthenticate(opt, controlPlane); err != nil {
return err
}
var authorizeServer *authorize.Authorize
if config.IsAuthorize(opt.Services) {
authorizeServer, err = setupAuthorize(opt, controlPlane, &optionsUpdaters)
if err != nil {
return err
}
}
var cacheServer *cache.Cache
if config.IsCache(opt.Services) {
cacheServer, err = setupCache(opt, controlPlane)
if err != nil {
return err
}
}
if err := setupProxy(opt, controlPlane); err != nil {
return err
}
// start the config change listener
go config.WatchChanges(configFile, opt, optionsUpdaters)
ctx, cancel := context.WithCancel(ctx)
go func(ctx context.Context) {
ch := make(chan os.Signal, 2)
defer signal.Stop(ch)
signal.Notify(ch, os.Interrupt)
signal.Notify(ch, syscall.SIGTERM)
select {
case <-ch:
case <-ctx.Done():
}
cancel()
}(ctx)
// run everything
eg, ctx := errgroup.WithContext(ctx)
eg.Go(func() error {
return controlPlane.Run(ctx)
})
eg.Go(func() error {
return envoyServer.Run(ctx)
})
if authorizeServer != nil {
eg.Go(func() error {
return authorizeServer.Run(ctx)
})
}
if cacheServer != nil {
eg.Go(func() error {
return cacheServer.Run(ctx)
})
}
return eg.Wait()
}
func setupAuthenticate(opt *config.Options, controlPlane *controlplane.Server) error {
if !config.IsAuthenticate(opt.Services) {
return nil
}
svc, err := authenticate.New(*opt)
if err != nil {
return fmt.Errorf("error creating authenticate service: %w", err)
}
host := urlutil.StripPort(opt.GetAuthenticateURL().Host)
sr := controlPlane.HTTPRouter.Host(host).Subrouter()
svc.Mount(sr)
log.Info().Str("host", host).Msg("enabled authenticate service")
return nil
}
func setupAuthorize(opt *config.Options, controlPlane *controlplane.Server, optionsUpdaters *[]config.OptionsUpdater) (*authorize.Authorize, error) {
svc, err := authorize.New(*opt)
if err != nil {
return nil, fmt.Errorf("error creating authorize service: %w", err)
}
envoy_service_auth_v2.RegisterAuthorizationServer(controlPlane.GRPCServer, svc)
log.Info().Msg("enabled authorize service")
*optionsUpdaters = append(*optionsUpdaters, svc)
err = svc.UpdateOptions(*opt)
if err != nil {
return nil, fmt.Errorf("error updating authorize options: %w", err)
}
return svc, nil
}
func setupCache(opt *config.Options, controlPlane *controlplane.Server) (*cache.Cache, error) {
svc, err := cache.New(*opt)
if err != nil {
return nil, fmt.Errorf("error creating config service: %w", err)
}
svc.Register(controlPlane.GRPCServer)
log.Info().Msg("enabled cache service")
return svc, nil
}
func setupMetrics(ctx context.Context, opt *config.Options) error {
serviceName := telemetry.ServiceName(opt.Services)
if opt.MetricsAddr != "" {
handler, err := metrics.PrometheusHandler(config.EnvoyAdminURL)
if err != nil {
return err
}
metrics.SetBuildInfo(serviceName)
metrics.RegisterInfoMetrics()
serverOpts := &httputil.ServerOptions{
Addr: opt.MetricsAddr,
Insecure: true,
Service: "metrics",
}
var wg sync.WaitGroup
srv, err := httputil.NewServer(serverOpts, handler, &wg)
if err != nil {
return err
}
go func() {
<-ctx.Done()
_ = srv.Close()
}()
}
return nil
}
func setupProxy(opt *config.Options, controlPlane *controlplane.Server) error {
if !config.IsProxy(opt.Services) {
return nil
}
svc, err := proxy.New(*opt)
if err != nil {
return fmt.Errorf("error creating proxy service: %w", err)
}
controlPlane.HTTPRouter.PathPrefix("/").Handler(svc)
return nil
}
func setupTracing(ctx context.Context, opt *config.Options) error {
traceOpts, err := config.NewTracingOptions(opt)
if err != nil {
return fmt.Errorf("error setting up tracing: %w", err)
}
if traceOpts.Enabled() {
exporter, err := trace.RegisterTracing(traceOpts)
if err != nil {
return err
}
go func() {
<-ctx.Done()
trace.UnregisterTracing(exporter)
}()
}
return nil
}
Reference in a new issue View git blame Copy permalink