upgrade main #4457
Commits on Aug 7, 2023
config: support arbitrary nested config structs (#4440)
Update bindEnvs() to add support for binding nested fields of the Options struct to environment variables. The variable names are formed by joining the nested fields' mapstructure tags with underscores (after first converting to uppercase). This is in preparation for adding a new nested struct for downstream mTLS settings that will look something like this:

    downstream_mtls:
      ca_file: /path/to/CA/cert.pem
      enforcement: reject_connection

With this change, these fields would be bound to the variables DOWNSTREAM_MTLS_CA_FILE and DOWNSTREAM_MTLS_ENFORCEMENT.
Commit a16bdd9
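The naming rule this commit describes (the mapstructure tag path joined with underscores, then uppercased), shown as an added example rather than Pomerium's bindEnvs(): a reflection walk over a stand-in Options struct. The struct and its field names are assumptions made for the example; only the mapstructure tags drive the output.

```go
package main

import (
	"fmt"
	"reflect"
	"strings"
)

// Stand-in for Pomerium's Options struct: the field names are assumptions for this
// example, only the mapstructure tags matter to the naming rule being shown.
type DownstreamMTLSSettings struct {
	CAFile      string `mapstructure:"ca_file"`
	Enforcement string `mapstructure:"enforcement"`
}

type Options struct {
	Address        string                 `mapstructure:"address"`
	DownstreamMTLS DownstreamMTLSSettings `mapstructure:"downstream_mtls"`
	Untagged       string                 // no tag: never bound to an environment variable
}

// envNames walks a struct type and returns, for each tagged leaf field, the variable
// name formed by joining the mapstructure tag path with underscores and uppercasing it,
// e.g. downstream_mtls + ca_file -> DOWNSTREAM_MTLS_CA_FILE. Struct-typed fields (or
// pointers to structs) are descended into; everything else is a leaf.
func envNames(t reflect.Type, prefix []string) []string {
	var names []string
	for i := 0; i < t.NumField(); i++ {
		f := t.Field(i)
		tag, ok := f.Tag.Lookup("mapstructure")
		if !ok || tag == "" || tag == "-" {
			continue
		}
		// A mapstructure tag may carry options after a comma ("name,omitempty").
		path := append(append([]string{}, prefix...), strings.SplitN(tag, ",", 2)[0])
		ft := f.Type
		if ft.Kind() == reflect.Ptr {
			ft = ft.Elem()
		}
		if ft.Kind() == reflect.Struct {
			names = append(names, envNames(ft, path)...)
			continue
		}
		names = append(names, strings.ToUpper(strings.Join(path, "_")))
	}
	return names
}

// OptionsEnvNames lists every environment variable the stand-in Options struct binds.
func OptionsEnvNames() []string {
	return envNames(reflect.TypeOf(Options{}), nil)
}

func main() {
	for _, name := range OptionsEnvNames() {
		fmt.Println(name)
	}
}
```

Two things a real binder has to handle that this walk glosses over: a hypothetical flat tag that already contains underscores (for instance `downstream_mtls_ca_file` on a top-level field) would collide with the nested path for `downstream_mtls` -> `ca_file`, so duplicate names should be rejected when binding; and struct-typed leaves such as time.Time or net.IP must be treated as leaves rather than descended into.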
Commits on Aug 8, 2023
config: move mTLS settings to new struct (#4442)
Move downstream mTLS settings to a nested config file object, under the key 'downstream_mtls', and add a new DownstreamMTLSSettings struct for these settings. Deprecate the existing ClientCA and ClientCAFile fields in the Options struct, but continue to honor them for now (log a warning if either is populated). Delete the ClientCRL and ClientCRLFile fields entirely (in current releases these cannot be set without causing an Envoy error, so this should not be a breaking change). Update the Settings proto to mirror this nested structure.
Commit 24b0918
Commits on Aug 9, 2023
Commit 2220d1e
config: add new mTLS enforcement setting (#4443)
Add an "enforcement" option to the new downstream mTLS configuration settings group. When not set, or when set to "policy_default_deny", keep the current behavior of adding an invalid_client_certificate rule to all policies. When the enforcement mode is set to just "policy", remove the default invalid_client_certificate rule that would be normally added. When the enforcement mode is set to "reject_connection", configure the Envoy listener with the require_client_certificate setting and remove the ACCEPT_UNTRUSTED option. Add a corresponding field to the Settings proto.
Commit de68e37
authorize: client cert fingerprint in set_request_headers (#4447)
Add support for a new token $pomerium.client_cert_fingerprint in the set_request_headers option. This token will be replaced with the SHA-256 hash of the presented leaf client certificate.
Commit f7e0b61
ppl: add new client certificate criterion (#4448)
Add a new client_certificate criterion that accepts a "Certificate Matcher" object. Start with two certificate match conditions: fingerprint and SPKI hash, each of which can accept either a single string or an array of strings. Add new "client-certificate-ok" and "client-certificate-unauthorized" reason strings.
Commit ac475f4
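The header token from f7e0b61 and the fingerprint and SPKI hash conditions of the client_certificate criterion from ac475f4 hash the same two fields of the leaf certificate, so one added example (not Pomerium's authorize or PPL code) covers both commits: the fingerprint over cert.Raw, the SPKI hash over RawSubjectPublicKeyInfo, a field type that decodes either a single string or an array, and a matcher with a fail-closed empty case. Assumptions: the SPKI hash is base64-encoded; a matcher requires every populated field and accepts any one value within a field; JSON stands in for the PPL/YAML loader; and the certificate is a constructed stub whose DER bytes are made up.

```go
package main

import (
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

func sha256Sum(b []byte) []byte {
	s := sha256.Sum256(b)
	return s[:]
}

// Fingerprint is the SHA-256 of the leaf certificate's DER encoding (cert.Raw), in
// lower-case hex: the value the $pomerium.client_cert_fingerprint token expands to.
func Fingerprint(c *x509.Certificate) string { return hex.EncodeToString(sha256Sum(c.Raw)) }

// SPKIHash is the SHA-256 of the SubjectPublicKeyInfo. The commit does not state the
// encoding Pomerium uses; base64 (as in HPKP and browser pin lists) is assumed here.
func SPKIHash(c *x509.Certificate) string {
	return base64.StdEncoding.EncodeToString(sha256Sum(c.RawSubjectPublicKeyInfo))
}

// ExpandHeaders substitutes the token in set_request_headers values. With no client
// certificate it expands to "", so an upstream never sees a stale or client-chosen value.
func ExpandHeaders(headers map[string]string, leaf *x509.Certificate) map[string]string {
	fp := ""
	if leaf != nil {
		fp = Fingerprint(leaf)
	}
	out := make(map[string]string, len(headers))
	for k, v := range headers {
		out[k] = strings.ReplaceAll(v, "$pomerium.client_cert_fingerprint", fp)
	}
	return out
}

// StringOrSlice is a matcher field that accepts either a single string or an array.
type StringOrSlice []string

func (s *StringOrSlice) UnmarshalJSON(b []byte) error {
	var one string
	if json.Unmarshal(b, &one) == nil {
		*s = StringOrSlice{one}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return fmt.Errorf("client_certificate: expected a string or an array of strings: %w", err)
	}
	*s = many
	return nil
}

// CertificateMatcher models the "Certificate Matcher" object. Within a field any listed
// value suffices; every populated field must be satisfied. That AND/OR rule is this
// example's choice, not something the commit states.
type CertificateMatcher struct {
	Fingerprint StringOrSlice `json:"fingerprint,omitempty"`
	SPKIHash    StringOrSlice `json:"spki_hash,omitempty"`
}

// Match denies on an empty matcher or a missing certificate rather than accepting everything.
func (m CertificateMatcher) Match(c *x509.Certificate) bool {
	if c == nil || (len(m.Fingerprint) == 0 && len(m.SPKIHash) == 0) {
		return false
	}
	if len(m.Fingerprint) > 0 && !contains(m.Fingerprint, Fingerprint(c), normFingerprint) {
		return false
	}
	if len(m.SPKIHash) > 0 && !contains(m.SPKIHash, SPKIHash(c), func(s string) string { return s }) {
		return false
	}
	return true
}

func contains(list []string, want string, norm func(string) string) bool {
	for _, v := range list {
		if norm(v) == want {
			return true
		}
	}
	return false
}

// normFingerprint accepts the common "AB:CD:..." upper-case rendering of a fingerprint.
// (base64 SPKI hashes are case-sensitive and are compared as written.)
func normFingerprint(s string) string { return strings.ToLower(strings.ReplaceAll(s, ":", "")) }

// testCert is a constructed stand-in: only the two DER-level fields the hashes read are
// populated, with made-up bytes; it is not a real certificate.
func testCert(tag byte) *x509.Certificate {
	return &x509.Certificate{
		Raw:                     []byte{0x30, 0x82, 0x01, tag, 0xde, 0xad, 0xbe, 0xef},
		RawSubjectPublicKeyInfo: []byte{0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, tag},
	}
}

func main() {
	c := testCert(1)
	fmt.Println("fingerprint:", Fingerprint(c))
	fmt.Println("spki_hash:", SPKIHash(c))
}
```

The fail-closed cases are the ones worth keeping when adapting this: a matcher with no conditions denies instead of matching every presented certificate, and a header template that references the token without a client certificate yields an empty header value rather than leaving the literal token (or a value from a previous request) in place.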
Commits on Aug 10, 2023
authorize: allow client certificate intermediates (#4451)
Update the isValidClientCertificate() method to consider any client-supplied intermediate certificates. Previously, in order to trust client certificates issued by an intermediate CA, users would need to include that intermediate CA's certificate directly in the client_ca setting. After this change, only the trusted root CA needs to be set: as long as the client can supply a set of certificates that chain back to this trusted root, the client's certificate will validate successfully. Rework the previous CRL checking logic to now consider CRLs for all issuers in the verified chains.
Commit 0fcc3f1
config: add support for max_verify_depth (#4452)
Add a new max_verify_depth option to the downstream_mtls settings group, with a default value of 1 (to match the behavior of current Pomerium releases). Populate the corresponding setting within Envoy, and also implement a depth check within isValidClientCertificate() in the authorize service.
Commit 50e6cf7
config: extra CA and CRL validation (#4455)
Return an error from DownstreamMTLSSettings.validate() if both CA and CAFile are populated, or if both CRL and CRLFile are populated.
Commit ed9a93f
Commits on Aug 11, 2023
cryptutil: update CRL parsing (#4454)
Move the parseCRLs() method from package 'authorize/evaluator' to 'pkg/cryptutil', replacing the existing DecodeCRL() method. This method will parse all CRLs found in the PEM input, rather than just the first. (This removes our usage of the deprecated method x509.ParseDERCRL.) Update this method to return an error if there is non-PEM data found in the input, to satisfy the existing test that raw DER-encoded CRLs are not permitted. Delete the CRLFromBase64() and CRLFromFile() methods, as these are no longer used.
Commit cc1ef1a
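The chain building in 0fcc3f1, the depth cap in 50e6cf7 and the CRL parsing in cc1ef1a fit one added example, which is not Pomerium's isValidClientCertificate() or parseCRLs(): the leaf is verified against the configured roots with the client-supplied certificates as intermediates, each verified chain is checked against max_verify_depth, every issuer in the chain is consulted for a CRL that revokes its child, and ParseCRLs reads every PEM block instead of only the first while rejecting raw DER. Assumptions: depth is counted as the certificates below the trust anchor, so 1 admits only leaves issued directly by a trusted root (Envoy's own counting for max_verify_depth should be confirmed against its documentation); a CRL that names an issuer but fails signature verification under it is a hard error; and the PKI is built in-process from throwaway ed25519 keys.

```go
package main
import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ParseCRLs decodes every X509 CRL PEM block in data; raw DER or other non-PEM bytes are rejected.
func ParseCRLs(data []byte) (crls []*x509.RevocationList, err error) {
	for rest := bytes.TrimSpace(data); len(rest) > 0; rest = bytes.TrimSpace(rest) {
		block, next := pem.Decode(rest)
		if block == nil || block.Type != "X509 CRL" || !bytes.HasPrefix(rest, []byte("-----BEGIN ")) {
			return nil, fmt.Errorf("cryptutil: input must contain only PEM-encoded X509 CRL blocks")
		}
		crl, err := x509.ParseRevocationList(block.Bytes)
		if err != nil {
			return nil, err
		}
		crls, rest = append(crls, crl), next
	}
	return crls, nil
}

// VerifyClient verifies leaf against roots using the client-supplied intermediates and accepts the first
// chain within maxDepth (certificates below the trust anchor, so 1 means issued directly by a trusted root)
// whose members are not revoked; checkRevoked walks each chain leaf-first, the next element being the issuer.
func VerifyClient(leaf *x509.Certificate, intermediates []*x509.Certificate, roots *x509.CertPool, crls []*x509.RevocationList, maxDepth int, now time.Time) error {
	inter := x509.NewCertPool()
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		if len(chain)-1 > maxDepth {
			err = fmt.Errorf("chain depth %d exceeds max_verify_depth %d", len(chain)-1, maxDepth)
		} else if err = checkRevoked(chain, crls); err == nil {
			return nil
		}
	}
	return err
}

func checkRevoked(chain []*x509.Certificate, crls []*x509.RevocationList) error {
	for i := 0; i+1 < len(chain); i++ {
		cert, issuer := chain[i], chain[i+1]
		for _, crl := range crls {
			if !bytes.Equal(crl.RawIssuer, issuer.RawSubject) {
				continue // a CRL from some other issuer says nothing about this certificate
			}
			if err := crl.CheckSignatureFrom(issuer); err != nil {
				return fmt.Errorf("CRL from %q: %w", issuer.Subject.CommonName, err)
			}
			for _, r := range crl.RevokedCertificates {
				if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
					return fmt.Errorf("certificate %q is revoked", cert.Subject.CommonName)
				}
			}
		}
	}
	return nil
}

// newCert issues a certificate (self-signed when parent is nil) with a fresh ed25519 key; constructed test material.
func newCert(cn string, serial int64, ku x509.KeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey, now time.Time) (*x509.Certificate, ed25519.PrivateKey) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, KeyUsage: ku, IsCA: ku&x509.KeyUsageCertSign != 0,
		BasicConstraintsValid: true, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// NewTestPKI builds root -> intermediate -> client leaf plus a PEM CRL from the intermediate revoking the leaf.
func NewTestPKI(now time.Time) (root, inter, leaf *x509.Certificate, leafRevokedCRL []byte) {
	root, rootKey := newCert("Example Root", 1, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil, nil, now)
	inter, interKey := newCert("Example Intermediate", 2, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, root, rootKey, now)
	leaf, _ = newCert("client", 3, x509.KeyUsageDigitalSignature, inter, interKey, now)
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}}, inter, interKey)
	if err != nil {
		panic(err)
	}
	return root, inter, leaf, pem.EncodeToMemory(&pem.Block{Type: "X509 CRL", Bytes: der})
}
```

To exercise it, build the PKI with NewTestPKI, put only the root in an x509.CertPool, parse the CRL with ParseCRLs and call VerifyClient with and without the intermediate, with maxDepth 1 and 2, and with the CRL list: the leaf verifies only when the client also presents the intermediate and the depth cap allows it, and the revoked leaf is rejected even though its chain verifies, which is the property the rework of the CRL logic adds. Concatenating the same PEM CRL twice is enough to confirm that every block is parsed rather than just the first.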
config: support client certificate SAN match (#4453)
Add a new match_subject_alt_names option to the downstream_mtls settings group. This setting can be used to further constrain the allowed client certificates by requiring that certificates contain a Subject Alternative Name of a particular type, matching a particular regex. When set, populate the corresponding match_typed_subject_alt_names setting within Envoy, and also implement a corresponding check in the authorize service.
Commit 5568606
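The SAN constraint from this commit as an added example, not Pomerium's or Envoy's implementation: a matcher for one SAN type and a regular expression, applied as a full match. The type names dns/email/uri/ip_address and the names in the sample certificate are assumptions made for the example.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"net"
	"net/url"
	"regexp"
)

// SANMatcher is this example's model of match_subject_alt_names: one SAN type plus a
// regular expression that must match an entire name of that type.
type SANMatcher struct {
	Type string // "dns", "email", "uri" or "ip_address" (type names assumed for the example)
	re   *regexp.Regexp
}

// NewSANMatcher anchors the expression so it is a full match, which is how Envoy's
// regex matchers behave; an unanchored `client\.example\.com` would also accept
// `client.example.com.attacker.test` and `evil-client.example.com`.
func NewSANMatcher(sanType, expr string) (SANMatcher, error) {
	switch sanType {
	case "dns", "email", "uri", "ip_address":
	default:
		return SANMatcher{}, fmt.Errorf("match_subject_alt_names: unknown SAN type %q", sanType)
	}
	re, err := regexp.Compile(`^(?:` + expr + `)$`)
	if err != nil {
		return SANMatcher{}, fmt.Errorf("match_subject_alt_names: invalid regex %q: %w", expr, err)
	}
	return SANMatcher{Type: sanType, re: re}, nil
}

// names returns the certificate's SANs of the matcher's type, rendered as strings.
func (m SANMatcher) names(c *x509.Certificate) []string {
	var out []string
	switch m.Type {
	case "dns":
		out = c.DNSNames
	case "email":
		out = c.EmailAddresses
	case "uri":
		for _, u := range c.URIs {
			out = append(out, u.String())
		}
	case "ip_address":
		for _, ip := range c.IPAddresses {
			out = append(out, ip.String())
		}
	}
	return out
}

// Match reports whether at least one SAN of the configured type matches. A certificate
// with no SAN of that type never matches, whatever its Subject CN says, and a
// zero-value matcher denies rather than accepting everything.
func (m SANMatcher) Match(c *x509.Certificate) bool {
	if m.re == nil || c == nil {
		return false
	}
	for _, n := range m.names(c) {
		if m.re.MatchString(n) {
			return true
		}
	}
	return false
}

// sampleCert is a constructed certificate carrying only the SAN fields the matcher
// reads (no key or signature), with made-up names.
func sampleCert() *x509.Certificate {
	spiffe, _ := url.Parse("spiffe://example.com/ns/prod/sa/api-gateway")
	return &x509.Certificate{
		DNSNames:       []string{"client.example.com"},
		EmailAddresses: []string{"ops@example.com"},
		URIs:           []*url.URL{spiffe},
		IPAddresses:    []net.IP{net.ParseIP("10.0.0.7")},
	}
}

func main() {
	m, err := NewSANMatcher("dns", `client\.example\.com`)
	if err != nil {
		panic(err)
	}
	fmt.Println("dns SAN matches:", m.Match(sampleCert()))
}
```

The anchoring is the detail worth copying when the same check is implemented on two sides: Envoy's regex matchers require the whole input to match, so an authorize-side check that ran the configured pattern unanchored would accept names the listener had already been configured to reject, and the two layers would disagree about which certificates are allowed.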