pomerium/internal
Kenneth Jenkins 8d09567fd7
authorize: incorporate mTLS validation from Envoy (#4374)
Configure Envoy to validate client certificates, using the union of all
relevant client CA bundles (that is, a bundle of the main client CA
setting together with all per-route client CAs). Pass the validation
status from Envoy through to the authorize service, by configuring Envoy
to use the newly-added SetClientCertificateMetadata filter, and by also
adding the relevant metadata namespace to the ExtAuthz configuration.

Remove the existing 'include_peer_certificate' setting from the ExtAuthz
configuration, as the metadata from the Lua filter will include the full
certificate chain (when it is validated successfully by Envoy).

Update policy evaluation to consider the validation status from Envoy,
in addition to its own certificate chain validation. (Policy evaluation
cannot rely solely on the Envoy validation status while we still support
the per-route client CA setting.)
2023-07-21 12:17:01 -07:00
atomicutil atomicutil: use atomicutil.Value wherever possible (#3517) 2022-07-28 15:38:38 -06:00
autocert autocert: suppress OCSP stapling errors (#4371) 2023-07-19 13:56:36 -06:00
chanutil fileutil: update watcher to use fsnotify and polling (#3663) 2022-10-19 09:13:08 -06:00
contextkeys xds: only tag contexts used for UpdateRecords (#2269) 2021-06-04 14:01:25 -04:00
controlplane config: remove source, remove deadcode, fix linting issues (#4118) 2023-04-21 17:25:11 -06:00
databroker config: update logic for checking overlapping certificates (#4216) 2023-06-01 09:30:46 -06:00
deterministicecdsa config: remove source, remove deadcode, fix linting issues (#4118) 2023-04-21 17:25:11 -06:00
encoding config: remove source, remove deadcode, fix linting issues (#4118) 2023-04-21 17:25:11 -06:00
events events: remove xds configuration update (#3792) 2022-12-06 14:46:45 -05:00
fileutil auto tls (#3856) 2023-01-05 16:35:58 -05:00
handlers config: remove source, remove deadcode, fix linting issues (#4118) 2023-04-21 17:25:11 -06:00
hashutil dev: update linter (#1728) 2020-12-30 09:02:57 -08:00
httputil authenticate: add events (#4051) 2023-05-01 15:11:30 -04:00
identity Allow clearing default Azure and Google auth code options (#4315) 2023-06-27 09:11:54 -07:00
log config: validate log levels (#4367) 2023-07-17 16:41:48 -06:00
middleware controlplane: remove gorilla handlers dependency (#3813) 2022-12-15 14:41:29 -07:00
redisutil chore(deps): bump github.com/golangci/golangci-lint from 1.48.0 to 1.50.0 (#3667) 2022-10-19 09:36:59 -06:00
registry config: remove source, remove deadcode, fix linting issues (#4118) 2023-04-21 17:25:11 -06:00
scheduler feature/databroker: user data and session refactor project (#926) 2020-06-19 07:52:44 -06:00
sessions config: add cookie_same_site option (#4148) 2023-05-03 14:36:42 -06:00
sets Fix typos (#3575) 2022-08-30 15:51:40 -07:00
signal log context (#2107) 2021-04-22 10:58:13 -04:00
syncutil config: generate cookie secret if not set in all-in-one mode (#3742) 2022-11-11 14:14:30 -07:00
telemetry config: remove source, remove deadcode, fix linting issues (#4118) 2023-04-21 17:25:11 -06:00
tests/xdserr config: remove source, remove deadcode, fix linting issues (#4118) 2023-04-21 17:25:11 -06:00
testutil authorize: incorporate mTLS validation from Envoy (#4374) 2023-07-21 12:17:01 -07:00
tripper config: remove source, remove deadcode, fix linting issues (#4118) 2023-04-21 17:25:11 -06:00
urlutil stub out HPKE public key fetch for self-hosted authenticate (#4360) 2023-07-13 10:04:34 -07:00
version dev: update linter (#1728) 2020-12-30 09:02:57 -08:00