* databroker: add databroker, identity manager, update cache (#864) * databroker: add databroker, identity manager, update cache * fix cache tests * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * authorize: use databroker data for rego policy (#904) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix gitlab test * use v4 backoff * authenticate: databroker changes (#914) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add 
gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix dashboard * delete session on logout * permanently delete sessions once they are marked as deleted * remove permanent delete * fix tests * remove groups and refresh test * databroker: remove dead code, rename cache url, move dashboard (#925) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix dashboard * delete session on logout * permanently delete sessions once they are marked as deleted * remove permanent delete * fix tests * remove cache service * remove kv * remove refresh docs * remove obsolete cache docs * add databroker url option * cache: use memberlist to detect multiple instances * add 
databroker service url * remove cache service * remove kv * remove refresh docs * remove obsolete cache docs * add databroker url option * cache: use memberlist to detect multiple instances * add databroker service url * wip * remove groups and refresh test * fix redirect, signout * remove databroker client from proxy * remove unused method * remove user dashboard test * handle missing session ids * session: reject sessions with no id * sessions: invalidate old sessions via databroker server version (#930) * session: add a version field tied to the databroker server version that can be used to invalidate sessions * fix tests * add log * authenticate: create user record immediately, call "get" directly in authorize (#931)
// Package directory implements the user group directory service.
package directory
import (
"context"
"net/url"
"github.com/pomerium/pomerium/config"
"github.com/pomerium/pomerium/internal/directory/azure"
"github.com/pomerium/pomerium/internal/directory/gitlab"
"github.com/pomerium/pomerium/internal/directory/google"
"github.com/pomerium/pomerium/internal/directory/okta"
"github.com/pomerium/pomerium/internal/directory/onelogin"
"github.com/pomerium/pomerium/internal/grpc/directory"
"github.com/pomerium/pomerium/internal/log"
)
// A User is a directory User.
//
// It is an alias (not a distinct type) for directory.User from
// internal/grpc/directory, so values flow between this package and that
// one without conversion or wrapping.
type User = directory.User
// A Provider provides user group directory information.
//
// GetProvider returns a Provider chosen from the configured options; when
// no backend is configured it returns an implementation that reports no
// users at all.
type Provider interface {
	// UserGroups returns the users known to the directory, as directory.User
	// values. An implementation may ignore ctx (nullProvider does); the
	// remote-backed providers presumably use it for cancellation of their
	// calls — verify per provider.
	UserGroups(ctx context.Context) ([]*User, error)
}
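// GetProvider gets the provider for the given options.
//
// The backend is selected by options.Provider. For azure, gitlab, okta and
// onelogin the options.ServiceAccount string is parsed by the backend's
// ParseServiceAccount; okta additionally needs options.ProviderURL. google
// takes the raw service account string and only requires it to be
// non-empty. On success the configured Provider is returned.
//
// Every misconfiguration — an unknown provider name, a service account that
// does not parse, or (for okta) a provider URL that does not parse — is
// logged at warn level and results in nullProvider, which reports no
// groups. Group support is therefore disabled rather than the caller
// failing; the caller cannot distinguish "no provider configured" from
// "provider misconfigured" other than by the log.
//
// options.ServiceAccount is a credential: only the provider name and the
// parse error are logged, never the service account value itself.
func GetProvider(options *config.Options) Provider {
	switch options.Provider {
	case "azure":
		serviceAccount, err := azure.ParseServiceAccount(options.ServiceAccount)
		if err == nil {
			return azure.New(azure.WithServiceAccount(serviceAccount))
		}
		warnInvalidServiceAccount(options.Provider, err)
	case "gitlab":
		serviceAccount, err := gitlab.ParseServiceAccount(options.ServiceAccount)
		if err == nil {
			return gitlab.New(gitlab.WithServiceAccount(serviceAccount))
		}
		warnInvalidServiceAccount(options.Provider, err)
	case "google":
		if options.ServiceAccount != "" {
			return google.New(google.WithServiceAccount(options.ServiceAccount))
		}
		// The other providers explain why they were skipped; an empty google
		// service account used to fall through silently to the generic
		// "no implementation found" message below.
		log.Warn().
			Str("service", "directory").
			Str("provider", options.Provider).
			Msg("missing service account for google directory provider")
	case "okta":
		providerURL, err := url.Parse(options.ProviderURL)
		if err != nil {
			// The parse error used to be discarded, so a malformed URL reached
			// okta.New as a nil *url.URL; treat it as a misconfiguration instead.
			log.Warn().
				Str("service", "directory").
				Str("provider", options.Provider).
				Err(err).
				Msg("invalid provider url for okta directory provider")
			break
		}
		serviceAccount, err := okta.ParseServiceAccount(options.ServiceAccount)
		if err == nil {
			return okta.New(
				okta.WithProviderURL(providerURL),
				okta.WithServiceAccount(serviceAccount))
		}
		warnInvalidServiceAccount(options.Provider, err)
	case "onelogin":
		serviceAccount, err := onelogin.ParseServiceAccount(options.ServiceAccount)
		if err == nil {
			return onelogin.New(onelogin.WithServiceAccount(serviceAccount))
		}
		warnInvalidServiceAccount(options.Provider, err)
	}

	log.Warn().
		Str("provider", options.Provider).
		Msg("no directory provider implementation found, disabling support for groups")
	return nullProvider{}
}

// warnInvalidServiceAccount logs that the named provider's service account
// failed to parse. The message carries only the provider name and the parse
// error; the service account contents are never logged.
//
// NOTE(review): this assumes each backend's ParseServiceAccount does not
// echo the raw input in the error it returns — confirm per backend, since
// that error is what ends up in the log.
func warnInvalidServiceAccount(provider string, err error) {
	log.Warn().
		Str("service", "directory").
		Str("provider", provider).
		Err(err).
		Msg("invalid service account for " + provider + " directory provider")
}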
// nullProvider is the Provider handed out when no directory backend is
// configured or the configured one is unusable; it knows about no users.
type nullProvider struct{}

// UserGroups reports an empty directory: a nil user slice and no error.
// The context is unused because there is nothing to fetch.
func (nullProvider) UserGroups(_ context.Context) ([]*User, error) {
	var users []*User
	return users, nil
}