config

package
v0.21.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 3, 2023 License: Apache-2.0 Imports: 61 Imported by: 7

Documentation

Overview

Package config is a configuration abstraction that facilitates enabling Pomerium settings forvarious encoding types (JSON/YAML/ENVARS) and methods.

Index

Constants

View Source 
const (
	// ServiceAll represents running all services in "all-in-one" mode
	ServiceAll = "all"
	// ServiceProxy represents running the proxy service component
	ServiceProxy = "proxy"
	// ServiceAuthorize represents running the authorize service component
	ServiceAuthorize = "authorize"
	// ServiceAuthenticate represents running the authenticate service component
	ServiceAuthenticate = "authenticate"
	// ServiceCache represents running the cache service component
	ServiceCache = "cache"
	// ServiceDataBroker represents running the databroker service component
	ServiceDataBroker = "databroker"
	// StorageRedisName is the name of the redis storage backend
	StorageRedisName = "redis"
	// StoragePostgresName is the name of the Postgres storage backend
	StoragePostgresName = "postgres"
	// StorageInMemoryName is the name of the in-memory storage backend
	StorageInMemoryName = "memory"
)
View Source 
const (
	// KeyActionWarn would result in warning to log
	KeyActionWarn = KeyAction("warn")
	// KeyActionError would result in error in log and possibly program stop
	KeyActionError = KeyAction("error")
	// UnknownFieldAction default behavior when observing an unknown field is to warn
	UnknownFieldAction = KeyActionWarn
	// FieldCheckMsgRemoved log message when field was removed
	FieldCheckMsgRemoved = FieldCheckMsg("config option was removed")
	// FieldCheckMsgUnknown log message for unrecognized / unhandled config option
	FieldCheckMsgUnknown = FieldCheckMsg("unknown config option")
)
View Source 
const (
	DNSLookupFamilyAuto   = "AUTO"
	DNSLookupFamilyV4Only = "V4_ONLY"
	DNSLookupFamilyV6Only = "V6_ONLY"
)

DNSLookupFamily values.

View Source 
const DefaultAlternativeAddr = ":5443"

DefaultAlternativeAddr is the address used is two services are competing over the same listener. Typically this is invisible to the end user (e.g. localhost) gRPC server, or is used for healthchecks (authorize only service)

View Source 
const DisableHeaderKey = "disable"

DisableHeaderKey is the key used to check whether to disable setting header

Variables

View Source 
var AllDNSLookupFamilies = []string{DNSLookupFamilyV6Only, DNSLookupFamilyV4Only, DNSLookupFamilyAuto}

AllDNSLookupFamilies are all the available DNSLookupFamily values.

View Source 
var ViperPolicyHooks = viper.DecodeHook(mapstructure.ComposeDecodeHookFunc(
	mapstructure.StringToTimeDurationHookFunc(),
	mapstructure.StringToSliceHookFunc(","),

	DecodePolicyHookFunc(),

	DecodePolicyBase64Hook(),
	decodeNullBoolHookFunc(),
	decodeJWTClaimHeadersHookFunc(),
	decodeCodecTypeHookFunc(),
	decodePPLPolicyHookFunc(),
))

ViperPolicyHooks are used to decode options and policy coming from YAML and env vars

Functions

func DecodePolicyBase64Hook added in v0.12.2 

func DecodePolicyBase64Hook() mapstructure.DecodeHookFunc

DecodePolicyBase64Hook returns a mapstructure decode hook for base64 data.

func DecodePolicyHookFunc added in v0.12.2 

func DecodePolicyHookFunc() mapstructure.DecodeHookFunc

DecodePolicyHookFunc returns a Decode Hook for mapstructure.

func GetEnvoyDNSLookupFamily added in v0.11.0 

func GetEnvoyDNSLookupFamily(value string) envoy_config_cluster_v3.Cluster_DnsLookupFamily

GetEnvoyDNSLookupFamily gets the envoy DNS lookup family.

func GetTLSClientTransport added in v0.21.0 

func GetTLSClientTransport(cfg *Config) (*http.Transport, error)

GetTLSClientTransport returns http transport accounting for custom CAs from config

func IsAll 

func IsAll(s string) bool

IsAll checks to see if we should be running all services

func IsAuthenticate 

func IsAuthenticate(s string) bool

IsAuthenticate checks to see if we should be running the authenticate service

func IsAuthorize 

func IsAuthorize(s string) bool

IsAuthorize checks to see if we should be running the authorize service

func IsDataBroker added in v0.12.2 

func IsDataBroker(s string) bool

IsDataBroker checks to see if we should be running the databroker service

func IsProxy 

func IsProxy(s string) bool

IsProxy checks to see if we should be running the proxy service

func IsRegistry added in v0.14.0 

func IsRegistry(s string) bool

IsRegistry checks if this node should run the registry service

func IsValidService 

func IsValidService(s string) bool

IsValidService checks to see if a service is a valid service mode

func NewAtomicOptions added in v0.11.0 

func NewAtomicOptions() *atomicutil.Value[*Options]

NewAtomicOptions creates a new AtomicOptions.

func NewHTTPTransport added in v0.11.0 

func NewHTTPTransport(src Source) *http.Transport

NewHTTPTransport creates a new http transport. If CA or CAFile is set, the transport will add the CA to system cert pool.

func NewPolicyHTTPTransport added in v0.14.0 

func NewPolicyHTTPTransport(options *Options, policy *Policy, disableHTTP2 bool) http.RoundTripper

NewPolicyHTTPTransport creates a new http RoundTripper for a policy.

func ValidateDNSLookupFamily added in v0.11.0 

func ValidateDNSLookupFamily(value string) error

ValidateDNSLookupFamily validates the value to confirm its one of the available DNS lookup families.

func ValidateMetricsAddress added in v0.14.0 

func ValidateMetricsAddress(addr string) error

ValidateMetricsAddress validates address for the metrics

Types

type AutocertOptions added in v0.10.0 

type AutocertOptions struct {
	// Enable enables fully automated certificate management including issuance
	// and renewal from LetsEncrypt. Must be used in conjunction with Folder.
	Enable bool `mapstructure:"autocert" yaml:"autocert,omitempty"`

	// CA is the directory URL of a CA supporting the ACME protocol to request
	// certificates from. This can be used to use an alternative CA than
	// Let's Encrypt. This setting overrules the UseStaging setting.
	CA string `mapstructure:"autocert_ca" yaml:"autocert_ca,omitempty"`

	// Email is the email address to use for account registration with the ACME CA.
	Email string `mapstructure:"autocert_email" yaml:"autocert_email,omitempty"`

	// UseStaging tells autocert to use Let's Encrypt's staging CA which
	// has less strict usage limits then the (default) production CA.
	//
	// https://letsencrypt.org/docs/staging-environment/
	UseStaging bool `mapstructure:"autocert_use_staging" yaml:"autocert_use_staging,omitempty"`

	// EABKeyID is an ASCII string identifier for the External Account Binding
	// key that must be used to request a new account with an ACME CA supporting
	// External Account Binding.
	EABKeyID string `mapstructure:"autocert_eab_key_id" yaml:"autocert_eab_key_id,omitempty"`

	// EABMACKey is a base64url-encoded secret key corresponding to the EABKeyID to use
	// when creating a new account with an ACME CA supporting External Account Binding.
	EABMACKey string `mapstructure:"autocert_eab_mac_key" yaml:"autocert_eab_mac_key,omitempty"`

	// MustStaple will cause autocert to request a certificate with
	// status_request extension. This will allow the TLS client (the browser)
	// to fail immediately if Pomerium failed to get an OCSP staple.
	// See also https://tools.ietf.org/html/rfc7633
	// Only used when Enable is true.
	MustStaple bool `mapstructure:"autocert_must_staple" yaml:"autocert_must_staple,omitempty"`

	// Folder specifies the location to store, and load autocert managed
	// TLS certificates.
	// defaults to $XDG_DATA_HOME/pomerium
	Folder string `mapstructure:"autocert_dir" yaml:"autocert_dir,omitempty"`

	// TrustedCA is the base64-encoded certificate (bundle) to trust when communicating with an ACME CA.
	TrustedCA string `mapstructure:"autocert_trusted_ca" yaml:"autocert_trusted_ca,omitempty"`

	// TrustedCAFile points to a file that contains the certificate (bundle) to trust when communicating with an ACME CA.
	TrustedCAFile string `mapstructure:"autocert_trusted_ca_file" yaml:"autocert_trusted_ca_file,omitempty"`
}

AutocertOptions contains the options to control the behavior of autocert.

func (*AutocertOptions) Validate added in v0.15.6 

func (o *AutocertOptions) Validate() error

Validate ensures the Options fields are valid, and hydrated.

type ChangeDispatcher added in v0.10.0 

type ChangeDispatcher struct {
	sync.Mutex
	// contains filtered or unexported fields
}

A ChangeDispatcher manages listeners on config changes.

func (*ChangeDispatcher) OnConfigChange added in v0.10.0 

func (dispatcher *ChangeDispatcher) OnConfigChange(ctx context.Context, li ChangeListener)

OnConfigChange adds a listener.

func (*ChangeDispatcher) Trigger added in v0.10.0 

func (dispatcher *ChangeDispatcher) Trigger(ctx context.Context, cfg *Config)

Trigger triggers a change.

type ChangeListener added in v0.10.0 

type ChangeListener = func(context.Context, *Config)

A ChangeListener is called when configuration changes.

type CodecType added in v0.14.0 

type CodecType string

The CodecType specifies which codec to use for downstream connections. 

const (
	CodecTypeUnset CodecType = ""
	CodecTypeAuto  CodecType = "auto"
	CodecTypeHTTP1 CodecType = "http1"
	CodecTypeHTTP2 CodecType = "http2"
)

CodecTypes

func CodecTypeFromEnvoy added in v0.14.0 

func CodecTypeFromEnvoy(envoyCodecType envoy_http_connection_manager.HttpConnectionManager_CodecType) CodecType

CodecTypeFromEnvoy converts an envoy codec type into a config codec type.

func ParseCodecType added in v0.14.0 

func ParseCodecType(raw string) (CodecType, error)

ParseCodecType parses the codec type.

func (CodecType) ToEnvoy added in v0.14.0 

func (codecType CodecType) ToEnvoy() envoy_http_connection_manager.HttpConnectionManager_CodecType

ToEnvoy converts the codec type to an envoy codec type.

type Config added in v0.10.0 

type Config struct {
	Options          *Options
	AutoCertificates []tls.Certificate
	EnvoyVersion     string

	// DerivedCertificates are TLS certificates derived from the shared secret
	DerivedCertificates []tls.Certificate
	// DerivedCAPEM is a PEM-encoded certificate authority
	// derived from the shared secret
	DerivedCAPEM []byte

	// GRPCPort is the port the gRPC server is running on.
	GRPCPort string
	// HTTPPort is the port the HTTP server is running on.
	HTTPPort string
	// OutboundPort is the port the outbound gRPC listener is running on.
	OutboundPort string
	// MetricsPort is the port the metrics listener is running on.
	MetricsPort string
	// DebugPort is the port the debug listener is running on.
	DebugPort string
	// ACMETLSPort is the port that handles the ACME TLS-ALPN challenge.
	ACMETLSALPNPort string

	// MetricsScrapeEndpoints additional metrics endpoints to scrape and provide part of metrics
	MetricsScrapeEndpoints []MetricsScrapeEndpoint
}

Config holds pomerium configuration options.

func (*Config) AllCertificateAuthoritiesPEM added in v0.21.0 

func (cfg *Config) AllCertificateAuthoritiesPEM() ([]byte, error)

AllCertificateAuthoritiesPEM returns all CAs as PEM bundle bytes

func (*Config) AllCertificates added in v0.12.2 

func (cfg *Config) AllCertificates() ([]tls.Certificate, error)

AllCertificates returns all the certificates in the config.

func (*Config) AllocatePorts added in v0.18.0 

func (cfg *Config) AllocatePorts(ports [6]string)

AllocatePorts populates

func (*Config) Checksum added in v0.14.0 

func (cfg *Config) Checksum() uint64

Checksum returns the config checksum.

func (*Config) Clone added in v0.10.0 

func (cfg *Config) Clone() *Config

Clone creates a clone of the config.

func (*Config) GetCertificateForServerName added in v0.21.0 

func (cfg *Config) GetCertificateForServerName(serverName string) (*tls.Certificate, error)

GetCertificateForServerName gets the certificate for the server name. If no certificate is found and there is a derived CA one will be generated using that CA. If no derived CA is defined a self-signed certificate will be generated.

func (*Config) GetCertificatePool added in v0.21.0 

func (cfg *Config) GetCertificatePool() (*x509.CertPool, error)

GetCertificatePool gets the certificate pool for the config.

func (*Config) GetTLSClientConfig added in v0.21.0 

func (cfg *Config) GetTLSClientConfig() (*tls.Config, error)

GetTLSClientConfig returns TLS configuration that accounts for additional CA entries

func (*Config) WillHaveCertificateForServerName added in v0.21.0 

func (cfg *Config) WillHaveCertificateForServerName(serverName string) (bool, error)

WillHaveCertificateForServerName returns true if there will be a certificate for the given server name.

type FieldCheckMsg added in v0.20.0 

type FieldCheckMsg string

FieldCheckMsg is a log message to print for a config option

type FieldMsg added in v0.20.0 

type FieldMsg struct {
	Key     string
	DocsURL string
	FieldCheckMsg
	KeyAction
}

FieldMsg returns information

func CheckUnknownConfigFields added in v0.20.0 

func CheckUnknownConfigFields(fields []string) []FieldMsg

CheckUnknownConfigFields returns list of messages to be emitted about unrecognized fields

type FileOrEnvironmentSource added in v0.10.0 

type FileOrEnvironmentSource struct {
	ChangeDispatcher
	// contains filtered or unexported fields
}

A FileOrEnvironmentSource retrieves config options from a file or the environment.

func NewFileOrEnvironmentSource added in v0.10.0 

func NewFileOrEnvironmentSource(
	configFile, envoyVersion string,
) (*FileOrEnvironmentSource, error)

NewFileOrEnvironmentSource creates a new FileOrEnvironmentSource.

func (*FileOrEnvironmentSource) GetConfig added in v0.10.0 

func (src *FileOrEnvironmentSource) GetConfig() *Config

GetConfig gets the config.

type FileWatcherSource added in v0.12.2 

type FileWatcherSource struct {
	ChangeDispatcher
	// contains filtered or unexported fields
}

FileWatcherSource is a config source which triggers a change any time a file in the options changes.

func NewFileWatcherSource added in v0.12.2 

func NewFileWatcherSource(underlying Source) *FileWatcherSource

NewFileWatcherSource creates a new FileWatcherSource

func (*FileWatcherSource) GetConfig added in v0.12.2 

func (src *FileWatcherSource) GetConfig() *Config

GetConfig gets the underlying config.

type HasWeight added in v0.12.2 

type HasWeight bool

HasWeight indicates if url group has weights assigned

type JWTClaimHeaders added in v0.14.0 

type JWTClaimHeaders map[string]string

JWTClaimHeaders are headers to add to a request based on IDP claims.

func NewJWTClaimHeaders added in v0.14.0 

func NewJWTClaimHeaders(claims ...string) JWTClaimHeaders

NewJWTClaimHeaders creates a JWTClaimHeaders map from a slice of claims.

func (*JWTClaimHeaders) UnmarshalJSON added in v0.14.0 

func (hdrs *JWTClaimHeaders) UnmarshalJSON(data []byte) error

UnmarshalJSON unmarshals JSON data into the JWTClaimHeaders.

func (*JWTClaimHeaders) UnmarshalYAML added in v0.14.0 

func (hdrs *JWTClaimHeaders) UnmarshalYAML(unmarshal func(interface{}) error) error

UnmarshalYAML uses UnmarshalJSON to unmarshal YAML data into the JWTClaimHeaders.

type KeyAction added in v0.20.0 

type KeyAction string

KeyAction defines the Pomerium behavior when it encounters a deprecated config field

type LayeredSource added in v0.21.0 

type LayeredSource struct {
	ChangeDispatcher
	// contains filtered or unexported fields
}

LayeredSource is an abstraction for a ConfigSource that depends on an underlying config, and uses a builder to build the relevant part of the configuration

func NewLayeredSource added in v0.21.0 

func NewLayeredSource(ctx context.Context, underlying Source, builder func(*Config) error) (*LayeredSource, error)

NewLayeredSource creates a new config source that is watching the underlying source for changes

func (*LayeredSource) GetConfig added in v0.21.0 

func (src *LayeredSource) GetConfig() *Config

GetConfig returns currently stored config

type LogManager added in v0.11.0 

type LogManager struct {
	// contains filtered or unexported fields
}

The LogManager configures logging based on options.

func NewLogManager added in v0.11.0 

func NewLogManager(ctx context.Context, src Source) *LogManager

NewLogManager creates a new LogManager.

func (*LogManager) Close added in v0.11.0 

func (mgr *LogManager) Close() error

Close closes the log manager.

func (*LogManager) OnConfigChange added in v0.11.0 

func (mgr *LogManager) OnConfigChange(ctx context.Context, cfg *Config)

OnConfigChange is called whenever configuration changes.

type MetricsManager added in v0.11.0 

type MetricsManager struct {
	// contains filtered or unexported fields
}

A MetricsManager manages metrics for a given configuration.

func NewMetricsManager added in v0.11.0 

func NewMetricsManager(ctx context.Context, src Source) *MetricsManager

NewMetricsManager creates a new MetricsManager.

func (*MetricsManager) Close added in v0.11.0 

func (mgr *MetricsManager) Close() error

Close closes any underlying http server.

func (*MetricsManager) OnConfigChange added in v0.11.0 

func (mgr *MetricsManager) OnConfigChange(ctx context.Context, cfg *Config)

OnConfigChange updates the metrics manager when configuration is changed.

func (*MetricsManager) ServeHTTP added in v0.14.0 

func (mgr *MetricsManager) ServeHTTP(w http.ResponseWriter, r *http.Request)

type MetricsScrapeEndpoint added in v0.18.0 

type MetricsScrapeEndpoint metrics.ScrapeEndpoint

MetricsScrapeEndpoint defines additional metrics endpoints that would be scraped and exposed by pomerium

type Options 

type Options struct {
	// InstallationID is used to indicate a unique installation of pomerium. Useful for telemetry.
	InstallationID string `mapstructure:"installation_id" yaml:"installation_id,omitempty"`

	// Debug outputs human-readable logs to Stdout.
	Debug bool `mapstructure:"pomerium_debug" yaml:"pomerium_debug,omitempty"`

	// LogLevel sets the global override for log level. All Loggers will use at least this value.
	// Possible options are "info","warn","debug" and "error". Defaults to "info".
	LogLevel string `mapstructure:"log_level" yaml:"log_level,omitempty"`

	// ProxyLogLevel sets the log level for the proxy service.
	// Possible options are "info","warn", and "error". Defaults to the value of `LogLevel`.
	ProxyLogLevel string `mapstructure:"proxy_log_level" yaml:"proxy_log_level,omitempty"`

	// SharedKey is the shared secret authorization key used to mutually authenticate
	// requests between services.
	SharedKey        string `mapstructure:"shared_secret" yaml:"shared_secret,omitempty"`
	SharedSecretFile string `mapstructure:"shared_secret_file" yaml:"shared_secret_file,omitempty"`

	// Services is a list enabled service mode. If none are selected, "all" is used.
	// Available options are : "all", "authenticate", "proxy".
	Services string `mapstructure:"services" yaml:"services,omitempty"`

	// Addr specifies the host and port on which the server should serve
	// HTTPS requests. If empty, ":443" (localhost:443) is used.
	Addr string `mapstructure:"address" yaml:"address,omitempty"`

	// InsecureServer when enabled disables all transport security.
	// In this mode, Pomerium is susceptible to man-in-the-middle attacks.
	// This should be used only for testing.
	InsecureServer bool `mapstructure:"insecure_server" yaml:"insecure_server,omitempty"`

	// DNSLookupFamily is the DNS IP address resolution policy.
	// If this setting is not specified, the value defaults to AUTO.
	DNSLookupFamily string `mapstructure:"dns_lookup_family" yaml:"dns_lookup_family,omitempty"`

	CertificateFiles []certificateFilePair `mapstructure:"certificates" yaml:"certificates,omitempty"`

	// Cert and Key is the x509 certificate used to create the HTTPS server.
	Cert string `mapstructure:"certificate" yaml:"certificate,omitempty"`
	Key  string `mapstructure:"certificate_key" yaml:"certificate_key,omitempty"`

	// CertFile and KeyFile is the x509 certificate used to hydrate TLSCertificate
	CertFile string `mapstructure:"certificate_file" yaml:"certificate_file,omitempty"`
	KeyFile  string `mapstructure:"certificate_key_file" yaml:"certificate_key_file,omitempty"`

	// HttpRedirectAddr, if set, specifies the host and port to run the HTTP
	// to HTTPS redirect server on. If empty, no redirect server is started.
	HTTPRedirectAddr string `mapstructure:"http_redirect_addr" yaml:"http_redirect_addr,omitempty"`

	// Timeout settings : https://github.com/pomerium/pomerium/issues/40
	ReadTimeout  time.Duration `mapstructure:"timeout_read" yaml:"timeout_read,omitempty"`
	WriteTimeout time.Duration `mapstructure:"timeout_write" yaml:"timeout_write,omitempty"`
	IdleTimeout  time.Duration `mapstructure:"timeout_idle" yaml:"timeout_idle,omitempty"`

	// Policies define per-route configuration and access control policies.
	Policies   []Policy `mapstructure:"policy"`
	PolicyFile string   `mapstructure:"policy_file" yaml:"policy_file,omitempty"`
	Routes     []Policy `mapstructure:"routes"`

	// AdditionalPolicies are any additional policies added to the options.
	AdditionalPolicies []Policy `yaml:"-"`

	// AuthenticateURL represents the externally accessible http endpoints
	// used for authentication requests and callbacks
	AuthenticateURLString         string `mapstructure:"authenticate_service_url" yaml:"authenticate_service_url,omitempty"`
	AuthenticateInternalURLString string `mapstructure:"authenticate_internal_service_url" yaml:"authenticate_internal_service_url,omitempty"`
	// SignOutRedirectURL represents the url that  user will be redirected to after signing out.
	SignOutRedirectURLString string `mapstructure:"signout_redirect_url" yaml:"signout_redirect_url,omitempty"`

	// AuthenticateCallbackPath is the path to the HTTP endpoint that will
	// receive the response from your identity provider. The value must exactly
	// match one of the authorized redirect URIs for the OAuth 2.0 client.
	// Defaults to: `/oauth2/callback`
	AuthenticateCallbackPath string `mapstructure:"authenticate_callback_path" yaml:"authenticate_callback_path,omitempty"`

	// Session/Cookie management
	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
	CookieName       string        `mapstructure:"cookie_name" yaml:"cookie_name,omitempty"`
	CookieSecret     string        `mapstructure:"cookie_secret" yaml:"cookie_secret,omitempty"`
	CookieSecretFile string        `mapstructure:"cookie_secret_file" yaml:"cookie_secret_file,omitempty"`
	CookieDomain     string        `mapstructure:"cookie_domain" yaml:"cookie_domain,omitempty"`
	CookieSecure     bool          `mapstructure:"cookie_secure" yaml:"cookie_secure,omitempty"`
	CookieHTTPOnly   bool          `mapstructure:"cookie_http_only" yaml:"cookie_http_only,omitempty"`
	CookieExpire     time.Duration `mapstructure:"cookie_expire" yaml:"cookie_expire,omitempty"`

	// Identity provider configuration variables as specified by RFC6749
	// https://openid.net/specs/openid-connect-basic-1_0.html#RFC6749
	ClientID         string   `mapstructure:"idp_client_id" yaml:"idp_client_id,omitempty"`
	ClientSecret     string   `mapstructure:"idp_client_secret" yaml:"idp_client_secret,omitempty"`
	ClientSecretFile string   `mapstructure:"idp_client_secret_file" yaml:"idp_client_secret_file,omitempty"`
	Provider         string   `mapstructure:"idp_provider" yaml:"idp_provider,omitempty"`
	ProviderURL      string   `mapstructure:"idp_provider_url" yaml:"idp_provider_url,omitempty"`
	Scopes           []string `mapstructure:"idp_scopes" yaml:"idp_scopes,omitempty"`

	// RequestParams are custom request params added to the signin request as
	// part of an Oauth2 code flow.
	//
	// https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
	// https://openid.net/specs/openid-connect-basic-1_0.html#RequestParameters
	RequestParams map[string]string `mapstructure:"idp_request_params" yaml:"idp_request_params,omitempty"`

	// AuthorizeURLString is the routable destination of the authorize service's
	// gRPC endpoint. NOTE: As many load balancers do not support
	// externally routed gRPC so this may be an internal location.
	AuthorizeURLString         string   `mapstructure:"authorize_service_url" yaml:"authorize_service_url,omitempty"`
	AuthorizeURLStrings        []string `mapstructure:"authorize_service_urls" yaml:"authorize_service_urls,omitempty"`
	AuthorizeInternalURLString string   `mapstructure:"authorize_internal_service_url" yaml:"authorize_internal_service_url,omitempty"`

	// Settings to enable custom behind-the-ingress service communication
	OverrideCertificateName string `mapstructure:"override_certificate_name" yaml:"override_certificate_name,omitempty"`
	CA                      string `mapstructure:"certificate_authority" yaml:"certificate_authority,omitempty"`
	CAFile                  string `mapstructure:"certificate_authority_file" yaml:"certificate_authority_file,omitempty"`

	// DeriveInternalDomainCert is an option that would derive certificate authority
	// and domain certificates from the shared key and use them for internal communication
	DeriveInternalDomainCert *string `mapstructure:"tls_derive" yaml:"tls_derive,omitempty"`

	// SigningKey is the private key used to add a JWT-signature to upstream requests.
	// https://www.pomerium.com/docs/topics/getting-users-identity.html
	SigningKey     string `mapstructure:"signing_key" yaml:"signing_key,omitempty"`
	SigningKeyFile string `mapstructure:"signing_key_file" yaml:"signing_key_file,omitempty"`

	HeadersEnv string `yaml:",omitempty"`
	// SetResponseHeaders to set on all proxied requests. Add a 'disable' key map to turn off.
	SetResponseHeaders map[string]string `yaml:",omitempty"`

	// List of JWT claims to insert as x-pomerium-claim-* headers on proxied requests
	JWTClaimsHeaders JWTClaimHeaders `mapstructure:"jwt_claims_headers" yaml:"jwt_claims_headers,omitempty"`

	DefaultUpstreamTimeout time.Duration `mapstructure:"default_upstream_timeout" yaml:"default_upstream_timeout,omitempty"`

	// Address/Port to bind to for prometheus metrics
	MetricsAddr string `mapstructure:"metrics_address" yaml:"metrics_address,omitempty"`
	// - require basic auth for prometheus metrics, base64 encoded user:pass string
	MetricsBasicAuth string `mapstructure:"metrics_basic_auth" yaml:"metrics_basic_auth,omitempty"`
	// - TLS options
	MetricsCertificate        string `mapstructure:"metrics_certificate" yaml:"metrics_certificate,omitempty"`
	MetricsCertificateKey     string `mapstructure:"metrics_certificate_key" yaml:"metrics_certificate_key,omitempty"`
	MetricsCertificateFile    string `mapstructure:"metrics_certificate_file" yaml:"metrics_certificate_file,omitempty"`
	MetricsCertificateKeyFile string `mapstructure:"metrics_certificate_key_file" yaml:"metrics_certificate_key_file,omitempty"`
	MetricsClientCA           string `mapstructure:"metrics_client_ca" yaml:"metrics_client_ca,omitempty"`
	MetricsClientCAFile       string `mapstructure:"metrics_client_ca_file" yaml:"metrics_client_ca_file,omitempty"`

	// Tracing shared settings
	TracingProvider   string  `mapstructure:"tracing_provider" yaml:"tracing_provider,omitempty"`
	TracingSampleRate float64 `mapstructure:"tracing_sample_rate" yaml:"tracing_sample_rate,omitempty"`

	// Datadog tracing address
	TracingDatadogAddress string `mapstructure:"tracing_datadog_address" yaml:"tracing_datadog_address,omitempty"`

	//  Jaeger
	//
	// CollectorEndpoint is the full url to the Jaeger HTTP Thrift collector.
	// For example, http://localhost:14268/api/traces
	TracingJaegerCollectorEndpoint string `mapstructure:"tracing_jaeger_collector_endpoint" yaml:"tracing_jaeger_collector_endpoint,omitempty"`
	// AgentEndpoint instructs exporter to send spans to jaeger-agent at this address.
	// For example, localhost:6831.
	TracingJaegerAgentEndpoint string `mapstructure:"tracing_jaeger_agent_endpoint" yaml:"tracing_jaeger_agent_endpoint,omitempty"`

	// Zipkin
	//
	// ZipkinEndpoint configures the zipkin collector URI
	// Example: http://zipkin:9411/api/v2/spans
	ZipkinEndpoint string `mapstructure:"tracing_zipkin_endpoint" yaml:"tracing_zipkin_endpoint"`

	// GRPCAddr specifies the host and port on which the server should serve
	// gRPC requests. If running in all-in-one mode, ":5443" (localhost:5443) is used.
	GRPCAddr string `mapstructure:"grpc_address" yaml:"grpc_address,omitempty"`

	// GRPCInsecure disables transport security.
	// If running in all-in-one mode, defaults to true.
	GRPCInsecure *bool `mapstructure:"grpc_insecure" yaml:"grpc_insecure,omitempty"`

	GRPCClientTimeout       time.Duration `mapstructure:"grpc_client_timeout" yaml:"grpc_client_timeout,omitempty"`
	GRPCClientDNSRoundRobin bool          `mapstructure:"grpc_client_dns_roundrobin" yaml:"grpc_client_dns_roundrobin,omitempty"`

	// DataBrokerURLString is the routable destination of the databroker service's gRPC endpoint.
	DataBrokerURLString         string   `mapstructure:"databroker_service_url" yaml:"databroker_service_url,omitempty"`
	DataBrokerURLStrings        []string `mapstructure:"databroker_service_urls" yaml:"databroker_service_urls,omitempty"`
	DataBrokerInternalURLString string   `mapstructure:"databroker_internal_service_url" yaml:"databroker_internal_service_url,omitempty"`
	// DataBrokerStorageType is the storage backend type that databroker will use.
	// Supported type: memory, redis
	DataBrokerStorageType string `mapstructure:"databroker_storage_type" yaml:"databroker_storage_type,omitempty"`
	// DataBrokerStorageConnectionString is the data source name for storage backend.
	DataBrokerStorageConnectionString string `mapstructure:"databroker_storage_connection_string" yaml:"databroker_storage_connection_string,omitempty"`
	DataBrokerStorageCertFile         string `mapstructure:"databroker_storage_cert_file" yaml:"databroker_storage_cert_file,omitempty"`
	DataBrokerStorageCertKeyFile      string `mapstructure:"databroker_storage_key_file" yaml:"databroker_storage_key_file,omitempty"`
	DataBrokerStorageCAFile           string `mapstructure:"databroker_storage_ca_file" yaml:"databroker_storage_ca_file,omitempty"`
	DataBrokerStorageCertSkipVerify   bool   `mapstructure:"databroker_storage_tls_skip_verify" yaml:"databroker_storage_tls_skip_verify,omitempty"`

	// ClientCA is the base64-encoded certificate authority to validate client mTLS certificates against.
	ClientCA string `mapstructure:"client_ca" yaml:"client_ca,omitempty"`
	// ClientCAFile points to a file that contains the certificate authority to validate client mTLS certificates against.
	ClientCAFile string `mapstructure:"client_ca_file" yaml:"client_ca_file,omitempty"`
	// ClientCRL is the base64-encoded certificate revocation list for client mTLS certificates.
	ClientCRL string `mapstructure:"client_crl" yaml:"client_crl,omitempty"`
	// ClientCRLFile points to a file that contains the certificate revocation list for client mTLS certificates.
	ClientCRLFile string `mapstructure:"client_crl_file" yaml:"client_crl_file,omitempty"`

	// GoogleCloudServerlessAuthenticationServiceAccount is the service account to use for GCP serverless authentication.
	// If unset, the GCP metadata server will be used to query for identity tokens.
	GoogleCloudServerlessAuthenticationServiceAccount string `` //nolint
	/* 141-byte string literal not displayed */

	// UseProxyProtocol configures the HTTP listener to require the HAProxy proxy protocol (either v1 or v2) on incoming requests.
	UseProxyProtocol bool `mapstructure:"use_proxy_protocol" yaml:"use_proxy_protocol,omitempty" json:"use_proxy_protocol,omitempty"`

	AutocertOptions `mapstructure:",squash" yaml:",inline"`

	// SkipXffAppend instructs proxy not to append its IP address to x-forwarded-for header.
	// see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers.html?highlight=skip_xff_append#x-forwarded-for
	SkipXffAppend bool `mapstructure:"skip_xff_append" yaml:"skip_xff_append,omitempty" json:"skip_xff_append,omitempty"`
	// XffNumTrustedHops determines the trusted client address from x-forwarded-for addresses.
	// see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers.html?highlight=xff_num_trusted_hops#x-forwarded-for
	XffNumTrustedHops uint32 `mapstructure:"xff_num_trusted_hops" yaml:"xff_num_trusted_hops,omitempty" json:"xff_num_trusted_hops,omitempty"`

	// Envoy bootstrap options. These do not support dynamic updates.
	EnvoyAdminAccessLogPath      string    `mapstructure:"envoy_admin_access_log_path" yaml:"envoy_admin_access_log_path"`
	EnvoyAdminProfilePath        string    `mapstructure:"envoy_admin_profile_path" yaml:"envoy_admin_profile_path"`
	EnvoyAdminAddress            string    `mapstructure:"envoy_admin_address" yaml:"envoy_admin_address"`
	EnvoyBindConfigSourceAddress string    `mapstructure:"envoy_bind_config_source_address" yaml:"envoy_bind_config_source_address,omitempty"`
	EnvoyBindConfigFreebind      null.Bool `mapstructure:"envoy_bind_config_freebind" yaml:"envoy_bind_config_freebind,omitempty"`

	// ProgrammaticRedirectDomainWhitelist restricts the allowed redirect URLs when using programmatic login.
	ProgrammaticRedirectDomainWhitelist []string `` //nolint
	/* 165-byte string literal not displayed */

	// CodecType is the codec to use for downstream connections.
	CodecType CodecType `mapstructure:"codec_type" yaml:"codec_type"`

	AuditKey *PublicKeyEncryptionKeyOptions `mapstructure:"audit_key"`

	BrandingOptions httputil.BrandingOptions
	// contains filtered or unexported fields
}

Options are the global environmental flags used to set up pomerium's services. Use NewXXXOptions() methods for a safely initialized data structure.

func NewDefaultOptions 

func NewDefaultOptions() *Options

NewDefaultOptions returns a copy the default options. It's the caller's responsibility to do a follow up Validate call.

func (*Options) ApplySettings added in v0.11.0 

func (o *Options) ApplySettings(ctx context.Context, settings *config.Settings)

ApplySettings modifies the config options using the given protobuf settings.

func (*Options) Checksum 

func (o *Options) Checksum() uint64

Checksum returns the checksum of the current options struct

func (*Options) GetAllPolicies added in v0.12.2 

func (o *Options) GetAllPolicies() []Policy

GetAllPolicies gets all the policies in the options.

func (*Options) GetAllRouteableGRPCHosts added in v0.21.0 

func (o *Options) GetAllRouteableGRPCHosts() ([]string, error)

GetAllRouteableGRPCHosts returns all the possible gRPC hosts handled by the Pomerium options.

func (*Options) GetAllRouteableGRPCServerNames added in v0.21.0 

func (o *Options) GetAllRouteableGRPCServerNames() ([]string, error)

GetAllRouteableGRPCServerNames returns all the possible gRPC server names handled by the Pomerium options.

func (*Options) GetAllRouteableHTTPHosts added in v0.21.0 

func (o *Options) GetAllRouteableHTTPHosts() ([]string, error)

GetAllRouteableHTTPHosts returns all the possible HTTP hosts handled by the Pomerium options.

func (*Options) GetAllRouteableHTTPServerNames added in v0.21.0 

func (o *Options) GetAllRouteableHTTPServerNames() ([]string, error)

GetAllRouteableHTTPServerNames returns all the possible HTTP server names handled by the Pomerium options.

func (*Options) GetAuditKey added in v0.14.0 

func (o *Options) GetAuditKey() (*cryptutil.PublicKeyEncryptionKey, error)

GetAuditKey gets the audit key from the options. If no audit key is provided it will return (nil, nil).

func (*Options) GetAuthenticateURL added in v0.9.0 

func (o *Options) GetAuthenticateURL() (*url.URL, error)

GetAuthenticateURL returns the AuthenticateURL in the options or 127.0.0.1.

func (*Options) GetAuthorizeURLs added in v0.14.0 

func (o *Options) GetAuthorizeURLs() ([]*url.URL, error)

GetAuthorizeURLs returns the AuthorizeURLs in the options or 127.0.0.1:5443.

func (*Options) GetCertificates added in v0.14.0 

func (o *Options) GetCertificates() ([]tls.Certificate, error)

GetCertificates gets all the certificates from the options.

func (*Options) GetClientCA added in v0.14.0 

func (o *Options) GetClientCA() ([]byte, error)

GetClientCA returns the client certificate authority. If neither client_ca nor client_ca_file is specified nil will be returned.

func (*Options) GetClientSecret added in v0.18.0 

func (o *Options) GetClientSecret() (string, error)

GetClientSecret gets the client secret.

func (*Options) GetCodecType added in v0.14.0 

func (o *Options) GetCodecType() CodecType

GetCodecType gets a codec type.

func (*Options) GetCookieSecret added in v0.18.0 

func (o *Options) GetCookieSecret() ([]byte, error)

GetCookieSecret gets the decoded cookie secret.

func (*Options) GetDataBrokerCertificate added in v0.14.0 

func (o *Options) GetDataBrokerCertificate() (*tls.Certificate, error)

GetDataBrokerCertificate gets the optional databroker certificate. This method will return nil if no certificate is specified.

func (*Options) GetDataBrokerURLs added in v0.14.0 

func (o *Options) GetDataBrokerURLs() ([]*url.URL, error)

GetDataBrokerURLs returns the DataBrokerURLs in the options or 127.0.0.1:5443.

func (*Options) GetDeriveInternalDomain added in v0.21.0 

func (o *Options) GetDeriveInternalDomain() string

GetDeriveInternalDomain returns an optional internal domain name to use for gRPC endpoint

func (*Options) GetGRPCAddr added in v0.14.0 

func (o *Options) GetGRPCAddr() string

GetGRPCAddr gets the gRPC address.

func (*Options) GetGRPCInsecure added in v0.14.0 

func (o *Options) GetGRPCInsecure() bool

GetGRPCInsecure gets whether or not gRPC is insecure.

func (*Options) GetGoogleCloudServerlessAuthenticationServiceAccount added in v0.14.0 

func (o *Options) GetGoogleCloudServerlessAuthenticationServiceAccount() string

GetGoogleCloudServerlessAuthenticationServiceAccount gets the GoogleCloudServerlessAuthenticationServiceAccount.

func (*Options) GetHPKEPrivateKey added in v0.21.0 

func (o *Options) GetHPKEPrivateKey() (*hpke.PrivateKey, error)

GetHPKEPrivateKey gets the hpke.PrivateKey dervived from the shared key.

func (*Options) GetIdentityProviderForID added in v0.17.0 

func (o *Options) GetIdentityProviderForID(idpID string) (*identity.Provider, error)

GetIdentityProviderForID returns the identity provider associated with the given IDP id. If none is found the default provider is returned.

func (*Options) GetIdentityProviderForPolicy added in v0.17.0 

func (o *Options) GetIdentityProviderForPolicy(policy *Policy) (*identity.Provider, error)

GetIdentityProviderForPolicy gets the identity provider associated with the given policy. If policy is nil, or changes none of the default settings, the default provider is returned.

func (*Options) GetIdentityProviderForRequestURL added in v0.20.0 

func (o *Options) GetIdentityProviderForRequestURL(requestURL string) (*identity.Provider, error)

GetIdentityProviderForRequestURL gets the identity provider associated with the given request URL.

func (*Options) GetInternalAuthenticateURL added in v0.16.0 

func (o *Options) GetInternalAuthenticateURL() (*url.URL, error)

GetInternalAuthenticateURL returns the internal AuthenticateURL in the options or the AuthenticateURL.

func (*Options) GetInternalAuthorizeURLs added in v0.16.0 

func (o *Options) GetInternalAuthorizeURLs() ([]*url.URL, error)

GetInternalAuthorizeURLs returns the internal AuthorizeURLs in the options or the AuthorizeURLs.

func (*Options) GetInternalDataBrokerURLs added in v0.16.0 

func (o *Options) GetInternalDataBrokerURLs() ([]*url.URL, error)

GetInternalDataBrokerURLs returns the internal DataBrokerURLs in the options or the DataBrokerURLs.

func (*Options) GetMetricsBasicAuth added in v0.14.0 

func (o *Options) GetMetricsBasicAuth() (username, password string, ok bool)

GetMetricsBasicAuth gets the metrics basic auth username and password.

func (*Options) GetMetricsCertificate added in v0.14.0 

func (o *Options) GetMetricsCertificate() (*tls.Certificate, error)

GetMetricsCertificate returns the metrics certificate to use for TLS. `nil` will be returned if there is no certificate.

func (*Options) GetOauthOptions added in v0.10.0 

func (o *Options) GetOauthOptions() (oauth.Options, error)

GetOauthOptions gets the oauth.Options for the given config options.

func (*Options) GetSetResponseHeaders added in v0.14.0 

func (o *Options) GetSetResponseHeaders(requireStrictTransportSecurity bool) map[string]string

GetSetResponseHeaders gets the SetResponseHeaders.

func (*Options) GetSharedKey added in v0.14.0 

func (o *Options) GetSharedKey() ([]byte, error)

GetSharedKey gets the decoded shared key.

func (*Options) GetSignOutRedirectURL added in v0.14.0 

func (o *Options) GetSignOutRedirectURL() (*url.URL, error)

GetSignOutRedirectURL gets the SignOutRedirectURL.

func (*Options) GetSigningKey added in v0.18.0 

func (o *Options) GetSigningKey() ([]byte, error)

GetSigningKey gets the signing key.

func (*Options) Validate 

func (o *Options) Validate() error

Validate ensures the Options fields are valid, and hydrated.

type PPLPolicy added in v0.15.0 

type PPLPolicy struct {
	*parser.Policy
}

PPLPolicy is a policy defined using PPL.

func (*PPLPolicy) UnmarshalJSON added in v0.15.0 

func (ppl *PPLPolicy) UnmarshalJSON(data []byte) error

UnmarshalJSON parses JSON into a PPL policy.

func (*PPLPolicy) UnmarshalYAML added in v0.15.0 

func (ppl *PPLPolicy) UnmarshalYAML(unmarshal func(interface{}) error) error

UnmarshalYAML parses YAML into a PPL policy.

type Policy 

type Policy struct {
	From string       `mapstructure:"from" yaml:"from"`
	To   WeightedURLs `mapstructure:"to" yaml:"to"`

	// LbWeights are optional load balancing weights applied to endpoints specified in To
	// this field exists for compatibility with mapstructure
	LbWeights []uint32 `mapstructure:"_to_weights,omitempty" json:"-" yaml:"-"`

	// Redirect is used for a redirect action instead of `To`
	Redirect *PolicyRedirect `mapstructure:"redirect" yaml:"redirect"`

	// Identity related policy
	AllowedUsers     []string                 `mapstructure:"allowed_users" yaml:"allowed_users,omitempty" json:"allowed_users,omitempty"`
	AllowedDomains   []string                 `mapstructure:"allowed_domains" yaml:"allowed_domains,omitempty" json:"allowed_domains,omitempty"`
	AllowedIDPClaims identity.FlattenedClaims `mapstructure:"allowed_idp_claims" yaml:"allowed_idp_claims,omitempty" json:"allowed_idp_claims,omitempty"`

	Source *StringURL `yaml:",omitempty" json:"source,omitempty" hash:"ignore"`

	// Additional route matching options
	Prefix string `mapstructure:"prefix" yaml:"prefix,omitempty" json:"prefix,omitempty"`
	Path   string `mapstructure:"path" yaml:"path,omitempty" json:"path,omitempty"`
	Regex  string `mapstructure:"regex" yaml:"regex,omitempty" json:"regex,omitempty"`

	// Path Rewrite Options
	PrefixRewrite            string `mapstructure:"prefix_rewrite" yaml:"prefix_rewrite,omitempty" json:"prefix_rewrite,omitempty"`
	RegexRewritePattern      string `mapstructure:"regex_rewrite_pattern" yaml:"regex_rewrite_pattern,omitempty" json:"regex_rewrite_pattern,omitempty"`
	RegexRewriteSubstitution string `` //nolint
	/* 129-byte string literal not displayed */

	// Host Rewrite Options
	HostRewrite                 string `mapstructure:"host_rewrite" yaml:"host_rewrite,omitempty" json:"host_rewrite,omitempty"`
	HostRewriteHeader           string `mapstructure:"host_rewrite_header" yaml:"host_rewrite_header,omitempty" json:"host_rewrite_header,omitempty"`
	HostPathRegexRewritePattern string `` //nolint
	/* 144-byte string literal not displayed */
	HostPathRegexRewriteSubstitution string `` //nolint
	/* 159-byte string literal not displayed */

	// Allow unauthenticated HTTP OPTIONS requests as per the CORS spec
	// https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Preflighted_requests
	CORSAllowPreflight bool `mapstructure:"cors_allow_preflight" yaml:"cors_allow_preflight,omitempty"`

	// Allow any public request to access this route. **Bypasses authentication**
	AllowPublicUnauthenticatedAccess bool `mapstructure:"allow_public_unauthenticated_access" yaml:"allow_public_unauthenticated_access,omitempty"`

	// Allow any authenticated user
	AllowAnyAuthenticatedUser bool `mapstructure:"allow_any_authenticated_user" yaml:"allow_any_authenticated_user,omitempty"`

	// UpstreamTimeout is the route specific timeout. Must be less than the global
	// timeout. If unset, route will fallback to the proxy's DefaultUpstreamTimeout.
	UpstreamTimeout *time.Duration `mapstructure:"timeout" yaml:"timeout,omitempty"`

	// IdleTimeout is distinct from UpstreamTimeout and defines period of time there may be no data over this connection
	// value of zero completely disables this setting
	// see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-idle-timeout
	IdleTimeout *time.Duration `mapstructure:"idle_timeout" yaml:"idle_timeout,omitempty"`

	// Enable proxying of websocket connections by removing the default timeout handler.
	// Caution: Enabling this feature could result in abuse via DOS attacks.
	AllowWebsockets bool `mapstructure:"allow_websockets"  yaml:"allow_websockets,omitempty"`

	// AllowSPDY enables proxying of SPDY upgrade requests
	AllowSPDY bool `mapstructure:"allow_spdy" yaml:"allow_spdy,omitempty"`

	// TLSSkipVerify controls whether a client verifies the server's certificate
	// chain and host name.
	// If TLSSkipVerify is true, TLS accepts any certificate presented by the
	// server and any host name in that certificate.
	// In this mode, TLS is susceptible to man-in-the-middle attacks.
	// This should be used only for testing.
	TLSSkipVerify bool `mapstructure:"tls_skip_verify" yaml:"tls_skip_verify,omitempty"`

	// TLSServerName overrides the hostname in the `to` field. This is useful
	// if your backend is an HTTPS server with a valid certificate, but you
	// want to communicate to the backend with an internal hostname (e.g.
	// Docker container name).
	TLSServerName           string `mapstructure:"tls_server_name" yaml:"tls_server_name,omitempty"`
	TLSDownstreamServerName string `mapstructure:"tls_downstream_server_name" yaml:"tls_downstream_server_name,omitempty"`
	TLSUpstreamServerName   string `mapstructure:"tls_upstream_server_name" yaml:"tls_upstream_server_name,omitempty"`

	// TLSCustomCA defines the  root certificate to use with a given
	// route when verifying server certificates.
	TLSCustomCA     string `mapstructure:"tls_custom_ca" yaml:"tls_custom_ca,omitempty"`
	TLSCustomCAFile string `mapstructure:"tls_custom_ca_file" yaml:"tls_custom_ca_file,omitempty"`

	// Contains the x.509 client certificate to present to the upstream host.
	TLSClientCert     string           `mapstructure:"tls_client_cert" yaml:"tls_client_cert,omitempty"`
	TLSClientKey      string           `mapstructure:"tls_client_key" yaml:"tls_client_key,omitempty"`
	TLSClientCertFile string           `mapstructure:"tls_client_cert_file" yaml:"tls_client_cert_file,omitempty"`
	TLSClientKeyFile  string           `mapstructure:"tls_client_key_file" yaml:"tls_client_key_file,omitempty"`
	ClientCertificate *tls.Certificate `yaml:",omitempty" hash:"ignore"`

	// TLSDownstreamClientCA defines the root certificate to use with a given route to verify
	// downstream client certificates (e.g. from a user's browser).
	TLSDownstreamClientCA     string `mapstructure:"tls_downstream_client_ca" yaml:"tls_downstream_client_ca,omitempty"`
	TLSDownstreamClientCAFile string `mapstructure:"tls_downstream_client_ca_file" yaml:"tls_downstream_client_ca_file,omitempty"`

	// TLSUpstreamAllowRenegotiation allows server-initiated TLS renegotiation.
	TLSUpstreamAllowRenegotiation bool `mapstructure:"tls_upstream_allow_renegotiation" yaml:"allow_renegotiation,omitempty"`

	// SetAuthorizationHeader sets the authorization request header based on the user's identity. Supported modes are
	// `pass_through`, `access_token` and `id_token`.
	SetAuthorizationHeader string `mapstructure:"set_authorization_header" yaml:"set_authorization_header,omitempty"`

	// SetRequestHeaders adds a collection of headers to the upstream request
	// in the form of key value pairs. Note bene, this will overwrite the
	// value of any existing value of a given header key.
	SetRequestHeaders map[string]string `mapstructure:"set_request_headers" yaml:"set_request_headers,omitempty"`

	// RemoveRequestHeaders removes a collection of headers from an upstream request.
	// Note that this has lower priority than `SetRequestHeaders`, if you specify `X-Custom-Header` in both
	// `SetRequestHeaders` and `RemoveRequestHeaders`, then the header won't be removed.
	RemoveRequestHeaders []string `mapstructure:"remove_request_headers" yaml:"remove_request_headers,omitempty"`

	// PreserveHostHeader disables host header rewriting.
	//
	// This option only takes affect if the destination is a DNS name. If the destination is an IP address,
	// use SetRequestHeaders to explicitly set the "Host" header.
	//
	// https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header
	PreserveHostHeader bool `mapstructure:"preserve_host_header" yaml:"preserve_host_header,omitempty"`

	// PassIdentityHeaders controls whether to add a user's identity headers to the upstream request.
	// These includes:
	//
	//  - X-Pomerium-Jwt-Assertion
	//  - X-Pomerium-Claim-*
	//
	PassIdentityHeaders bool `mapstructure:"pass_identity_headers" yaml:"pass_identity_headers,omitempty"`

	// KubernetesServiceAccountToken is the kubernetes token to use for upstream requests.
	KubernetesServiceAccountToken string `mapstructure:"kubernetes_service_account_token" yaml:"kubernetes_service_account_token,omitempty"`
	// KubernetesServiceAccountTokenFile contains the kubernetes token to use for upstream requests.
	KubernetesServiceAccountTokenFile string `mapstructure:"kubernetes_service_account_token_file" yaml:"kubernetes_service_account_token_file,omitempty"`

	// EnableGoogleCloudServerlessAuthentication adds "Authorization: Bearer ID_TOKEN" headers
	// to upstream requests.
	EnableGoogleCloudServerlessAuthentication bool `mapstructure:"enable_google_cloud_serverless_authentication" yaml:"enable_google_cloud_serverless_authentication,omitempty"` //nolint

	SubPolicies []SubPolicy `mapstructure:"sub_policies" yaml:"sub_policies,omitempty" json:"sub_policies,omitempty"`

	EnvoyOpts *envoy_config_cluster_v3.Cluster `mapstructure:"_envoy_opts" yaml:"-" json:"-"`

	// RewriteResponseHeaders rewrites response headers. This can be used to change the Location header.
	RewriteResponseHeaders []RewriteHeader `mapstructure:"rewrite_response_headers" yaml:"rewrite_response_headers,omitempty" json:"rewrite_response_headers,omitempty"` //nolint

	// SetResponseHeaders sets response headers.
	SetResponseHeaders map[string]string `mapstructure:"set_response_headers" yaml:"set_response_headers,omitempty"`

	// IDPClientID is the client id used for the identity provider.
	IDPClientID string `mapstructure:"idp_client_id" yaml:"idp_client_id,omitempty"`
	// IDPClientSecret is the client secret used for the identity provider.
	IDPClientSecret string `mapstructure:"idp_client_secret" yaml:"idp_client_secret,omitempty"`

	// ShowErrorDetails indicates whether or not additional error details should be displayed.
	ShowErrorDetails bool `mapstructure:"show_error_details" yaml:"show_error_details" json:"show_error_details"`

	Policy *PPLPolicy `mapstructure:"policy" yaml:"policy,omitempty" json:"policy,omitempty"`
	// contains filtered or unexported fields
}

Policy contains route specific configuration and access settings.

func NewPolicyFromProto added in v0.10.0 

func NewPolicyFromProto(pb *configpb.Route) (*Policy, error)

NewPolicyFromProto creates a new Policy from a protobuf policy config route.

func (*Policy) AllAllowedDomains added in v0.15.0 

func (p *Policy) AllAllowedDomains() []string

AllAllowedDomains returns all the allowed domains.

func (*Policy) AllAllowedIDPClaims added in v0.15.0 

func (p *Policy) AllAllowedIDPClaims() []identity.FlattenedClaims

AllAllowedIDPClaims returns all the allowed IDP claims.

func (*Policy) AllAllowedUsers added in v0.15.0 

func (p *Policy) AllAllowedUsers() []string

AllAllowedUsers returns all the allowed users.

func (*Policy) Checksum added in v0.9.0 

func (p *Policy) Checksum() uint64

Checksum returns the xxhash hash for the policy.

func (*Policy) GetSetAuthorizationHeader added in v0.17.0 

func (p *Policy) GetSetAuthorizationHeader() configpb.Route_AuthorizationHeaderMode

GetSetAuthorizationHeader gets the set authorization header mode.

func (*Policy) IsForKubernetes added in v0.14.0 

func (p *Policy) IsForKubernetes() bool

IsForKubernetes returns true if the policy is for kubernetes.

func (*Policy) Matches added in v0.11.0 

func (p *Policy) Matches(requestURL url.URL) bool

Matches returns true if the policy would match the given URL.

func (*Policy) RouteID added in v0.9.1 

func (p *Policy) RouteID() (uint64, error)

RouteID returns a unique identifier for a route

func (*Policy) String 

func (p *Policy) String() string

func (*Policy) ToPPL added in v0.15.0 

func (p *Policy) ToPPL() *parser.Policy

ToPPL converts a policy into Pomerium Policy Language.

func (*Policy) ToProto added in v0.10.0 

func (p *Policy) ToProto() (*configpb.Route, error)

ToProto converts the policy to a protobuf type.

func (*Policy) Validate 

func (p *Policy) Validate() error

Validate checks the validity of a policy.

type PolicyRedirect added in v0.12.2 

type PolicyRedirect struct {
	HTTPSRedirect  *bool   `mapstructure:"https_redirect" yaml:"https_redirect,omitempty" json:"https_redirect,omitempty"`
	SchemeRedirect *string `mapstructure:"scheme_redirect" yaml:"scheme_redirect,omitempty" json:"scheme_redirect,omitempty"`
	HostRedirect   *string `mapstructure:"host_redirect" yaml:"host_redirect,omitempty" json:"host_redirect,omitempty"`
	PortRedirect   *uint32 `mapstructure:"port_redirect" yaml:"port_redirect,omitempty" json:"port_redirect,omitempty"`
	PathRedirect   *string `mapstructure:"path_redirect" yaml:"path_redirect,omitempty" json:"path_redirect,omitempty"`
	PrefixRewrite  *string `mapstructure:"prefix_rewrite" yaml:"prefix_rewrite,omitempty" json:"prefix_rewrite,omitempty"`
	ResponseCode   *int32  `mapstructure:"response_code" yaml:"response_code,omitempty" json:"response_code,omitempty"`
	StripQuery     *bool   `mapstructure:"strip_query" yaml:"strip_query,omitempty" json:"strip_query,omitempty"`
}

PolicyRedirect is a route redirect action.

type PublicKeyEncryptionKeyOptions added in v0.14.0 

type PublicKeyEncryptionKeyOptions struct {
	ID   string `mapstructure:"id" yaml:"id"`
	Data string `mapstructure:"data" yaml:"data"` // base64-encoded
}

A PublicKeyEncryptionKeyOptions represents options for a public key encryption key.

type RewriteHeader added in v0.14.0 

type RewriteHeader struct {
	Header string `mapstructure:"header" yaml:"header" json:"header"`
	Prefix string `mapstructure:"prefix" yaml:"prefix,omitempty" json:"prefix,omitempty"`
	Value  string `mapstructure:"value" yaml:"value,omitempty" json:"value,omitempty"`
}

RewriteHeader is a policy configuration option to rewrite an HTTP header.

type SessionStore added in v0.20.0 

type SessionStore struct {
	// contains filtered or unexported fields
}

A SessionStore saves and loads sessions based on the options.

func NewSessionStore added in v0.20.0 

func NewSessionStore(options *Options) (*SessionStore, error)

NewSessionStore creates a new SessionStore from the Options.

func (*SessionStore) LoadSessionState added in v0.20.0 

func (store *SessionStore) LoadSessionState(r *http.Request) (*sessions.State, error)

LoadSessionState loads the session state from a request.

type Source added in v0.10.0 

type Source interface {
	GetConfig() *Config
	OnConfigChange(context.Context, ChangeListener)
}

A Source gets configuration.

type StaticSource added in v0.10.0 

type StaticSource struct {
	// contains filtered or unexported fields
}

A StaticSource always returns the same config. Useful for testing.

func NewStaticSource added in v0.10.0 

func NewStaticSource(cfg *Config) *StaticSource

NewStaticSource creates a new StaticSource.

func (*StaticSource) GetConfig added in v0.10.0 

func (src *StaticSource) GetConfig() *Config

GetConfig gets the config.

func (*StaticSource) OnConfigChange added in v0.10.0 

func (src *StaticSource) OnConfigChange(ctx context.Context, li ChangeListener)

OnConfigChange is ignored for the StaticSource.

func (*StaticSource) SetConfig added in v0.11.0 

func (src *StaticSource) SetConfig(ctx context.Context, cfg *Config)

SetConfig sets the config.

type StringSlice added in v0.12.2 

type StringSlice []string

A StringSlice is a slice of strings.

func NewStringSlice added in v0.12.2 

func NewStringSlice(values ...string) StringSlice

NewStringSlice creates a new StringSlice.

func (*StringSlice) UnmarshalJSON added in v0.12.2 

func (slc *StringSlice) UnmarshalJSON(data []byte) error

UnmarshalJSON unmarshals a JSON document into the string slice.

func (*StringSlice) UnmarshalYAML added in v0.12.2 

func (slc *StringSlice) UnmarshalYAML(unmarshal func(interface{}) error) error

UnmarshalYAML unmarshals a YAML document into the string slice. UnmarshalJSON is reused as the actual implementation.

type StringURL added in v0.8.0 

type StringURL struct {
	*url.URL
}

StringURL stores a URL as a string in json.

func (*StringURL) MarshalJSON added in v0.8.0 

func (su *StringURL) MarshalJSON() ([]byte, error)

MarshalJSON returns the URLs host as json.

func (*StringURL) String added in v0.12.2 

func (su *StringURL) String() string

type SubPolicy added in v0.10.0 

type SubPolicy struct {
	ID               string                   `mapstructure:"id" yaml:"id" json:"id"`
	Name             string                   `mapstructure:"name" yaml:"name" json:"name"`
	AllowedUsers     []string                 `mapstructure:"allowed_users" yaml:"allowed_users,omitempty" json:"allowed_users,omitempty"`
	AllowedDomains   []string                 `mapstructure:"allowed_domains" yaml:"allowed_domains,omitempty" json:"allowed_domains,omitempty"`
	AllowedIDPClaims identity.FlattenedClaims `mapstructure:"allowed_idp_claims" yaml:"allowed_idp_claims,omitempty" json:"allowed_idp_claims,omitempty"`
	Rego             []string                 `mapstructure:"rego" yaml:"rego" json:"rego,omitempty"`

	// Explanation is the explanation for why a policy failed.
	Explanation string `mapstructure:"explanation" yaml:"explanation" json:"explanation,omitempty"`
	// Remediation are the steps a user needs to take to gain access.
	Remediation string `mapstructure:"remediation" yaml:"remediation" json:"remediation,omitempty"`
}

A SubPolicy is a protobuf Policy within a protobuf Route.

type TraceManager added in v0.11.0 

type TraceManager struct {
	// contains filtered or unexported fields
}

A TraceManager manages setting up a trace exporter based on configuration options.

func NewTraceManager added in v0.11.0 

func NewTraceManager(ctx context.Context, src Source) *TraceManager

NewTraceManager creates a new TraceManager.

func (*TraceManager) Close added in v0.11.0 

func (mgr *TraceManager) Close() error

Close closes any underlying trace exporter.

func (*TraceManager) OnConfigChange added in v0.11.0 

func (mgr *TraceManager) OnConfigChange(ctx context.Context, cfg *Config)

OnConfigChange updates the manager whenever the configuration is changed.

type TracingOptions added in v0.9.0 

type TracingOptions = trace.TracingOptions

TracingOptions are the options for tracing.

func NewTracingOptions added in v0.9.0 

func NewTracingOptions(o *Options) (*TracingOptions, error)

NewTracingOptions builds a new TracingOptions from core Options

type WeightedURL added in v0.12.2 

type WeightedURL struct {
	URL url.URL
	// LbWeight is a relative load balancer weight for this upstream URL
	// zero means not assigned
	LbWeight uint32
}

WeightedURL is a way to specify an upstream with load balancing weight attached to it

func ParseWeightedURL added in v0.12.2 

func ParseWeightedURL(dst string) (*WeightedURL, error)

ParseWeightedURL parses url that has an optional weight appended to it

func (*WeightedURL) String added in v0.12.2 

func (u *WeightedURL) String() string

String returns the WeightedURL as a string.

func (*WeightedURL) Validate added in v0.12.2 

func (u *WeightedURL) Validate() error

Validate validates that the WeightedURL is valid.

type WeightedURLs added in v0.12.2 

type WeightedURLs []WeightedURL

WeightedURLs is a slice of WeightedURLs.

func ParseWeightedUrls added in v0.12.2 

func ParseWeightedUrls(urls ...string) (WeightedURLs, error)

ParseWeightedUrls parses

func (WeightedURLs) Flatten added in v0.12.2 

func (urls WeightedURLs) Flatten() ([]string, []uint32, error)

Flatten converts weighted url array into indidual arrays of urls and weights

func (WeightedURLs) Validate added in v0.12.2 

func (urls WeightedURLs) Validate() (HasWeight, error)

Validate checks that URLs are valid, and either all or none have weights assigned

Source Files

View all Source files

Directories

Path Synopsis
Package envoyconfig contains a Builder for building Envoy configuration from Pomerium configuration.
 Package envoyconfig contains a Builder for building Envoy configuration from Pomerium configuration.
filemgr
Package filemgr defines a Manager for managing files for the controlplane.
 Package filemgr defines a Manager for managing files for the controlplane.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.