Changelog

1.21.0 (2024-10-18)

Features

  • add authn middleware for disabled authentication (c232cfe)
  • add granular checks method to interface + expose BatchCheck from client (645a9fd)
  • groups: add CanAssignRoles and CanAssignIdentities implementation (b5e551a)
  • groups: add granular CanAssign{Identities,Roles} checks in handlers (d25b430)

Bug Fixes

  • adopt disabledAuthnMiddleware to not break app when authentication disabled (963f07a)
  • api base path (d83e0ab)
  • avoid escaping when passing URL to template (0702053)

1.20.0 (2024-10-09)

Features

  • add built verification email (5a43aef)
  • add the cli command for compensating user invitation email failure (55f557e)
  • add user invite email template (64743cf)
  • switch to html/template for rendering context path dynamically for index.html (81f8a9c)

Bug Fixes

  • local dev env for OIDC provider discovery (03f5499)
  • update email template to fix issues in email clients (3f9726b)

1.19.0 (2024-09-20)

Features

  • introduce hierarchy for can_relations (596b448)
  • wire up all the rebac handlers (f23cc1f)

Bug Fixes

  • add uri permissions converters for v1 (9e59915)
  • drop ctx param from NewV1Service creation (972bef4)

1.18.0 (2024-09-16)

Features

  • add github.com/wneessen/go-mail v0.4.4 dependency (5182270)
  • add entitlements service by Rebac (64b8326)
  • add env vars for mail client (3ab1acb)
  • add interfaces + implement emailservice (b2f0ae9)
  • add ResourcesService (f5a2008)
  • add SendUserCreationEmail method (0cc1d3f)
  • add template loading + test + TEMPORARY mail template (6c95a25)
  • add the create-identity CLI (464c697)

Bug Fixes

  • add filters to listPermissions store method (84b531a)
  • fix the kratos admin url (4846fad)

1.17.0 (2024-09-06)

Features

  • implement GroupService based on the rebac lib (709906b)
  • introduce IdentityProviders v1 api (7a2719d)

Bug Fixes

  • offload idp types to constant (d15ecf2)
  • use correct method to invoke backend (64f68a6)
  • use idp ID if passed in (023c8e3)

1.16.2 (2024-08-30)

Bug Fixes

  • address empty schema id but enforce passing of the field (fa915f2)
  • enforce id on idp creation, moving validation to validator object (9633937), closes #391
  • initialize idps configmap.Data field if empty (fba4479), closes #392

1.16.1 (2024-08-29)

Bug Fixes

  • return empty slice when no idps found (429591a), closes #388

1.16.0 (2024-08-28)

Features

  • display login on 401 responses (5031b32)
  • identities service implementation (b840cf4)
  • log out with OIDC (4b268aa)
  • return to URL that initiated login (99da50a)

Bug Fixes

  • create openfga store to enhance basic client and offload core application logic (3f0465b)
  • fix wrong title displayed once logged in (5ef6371)
  • update tracing signature (d22fad9)

1.15.0 (2024-08-08)

Features

  • add custom axios instance (722a331)
  • implement RolesService for the rebac module (8835e29)

Bug Fixes

  • add check for mock calls in DeleteRole (e9e3d54)
  • adjust logic for pagination (e852914)
  • annotate responses with the full type (1cd4b98)
  • use contextual tuples for admin role (37efc1e)
  • use contextual tuples to give admin access to all APIs (0e27337)

1.14.1 (2024-07-30)

Bug Fixes

  • allow UI port to be set (3da1b25)
  • remove login component from ui (51deb06)

1.14.0 (2024-07-19)

Features

  • actual link authentication users to authorization model + tests (8063b73)
  • handle case principal is not found in authorizer middleware + switch to CheckAdmin method (182e469)
  • introduce UserPrincipal and ServicePrincipal + move Principal structs and logic to ad hoc file + tests (69dbeb9)

Bug Fixes

  • set necessary oauth2 scopes as default (9c36e95)
  • set OtelHTTPClient in context correctly (e514b37)
  • ui redirection with context path (61451f6)
  • use contextPath to redirect to UI (8a7540d)

1.13.1 (2024-07-16)

Bug Fixes

  • add helper function for constructing assignee (cfa1a08)
  • add resource creation logic to authz (c8e3588)
  • fix authorizer init logic (a8fb9c3)
  • remove page param (585f713)
  • set cookie path to / (9c95b0b)
  • sync resource creation/deletion with authz (55d02df)
  • use worker pool in authorizer (67bf82d)

1.13.0 (2024-07-11)

Features

  • add HTTPClientFromContext + improved OtelHTTPClientFromContext func (fa1b3e8)
  • add context path spec to correctly handle redirect (71aef28)
  • add hydra admin url to config + add comment for env var expectation (b36e498)
  • add hydra clients to OAuth2Context struct (0072078)
  • add Logout function and HTTPClientInterface (98e4ec3)
  • add logout handler (5ea5742)
  • add logout implementation (3c435d4)
  • add NextTo cookie handling to cookie manager and interface (5a5cc30)
  • handle optional next parameter for FE use (1f4ca15)

Bug Fixes

  • add json parsing error (8713366)
  • clear cookie functions (3a1b2e4)
  • improve validation error messages (c20ff4a)
  • temporary fix to allow time for new solution on the frontend (6ee0ac3)
  • UI serving handlers (b4070b1)

1.12.0 (2024-07-02)

Features

  • add /auth/me endpoint handler to return json with principal info (9fa92a3)
  • add user session cookies ttl external config (b4da23d)
  • cookie + refresh token support for middleware (cab3f84)
  • expand cookie manager interface + implementation for tokens cookies + tests (a026e24)
  • expand on Principal attributes + improve PrincipalFromContext (4104b3a)
  • set tokens cookies in callback and redirect to UI url + adjust tests (f6e8277)

Bug Fixes

  • add contextual tuples to openfga (03d313d)
  • always add tuples for global read and admins (992f283)
  • rename admin user (2f01a27)

1.11.0 (2024-06-21)

Features

  • add encrypt implementation (1a88aad)

Bug Fixes

  • typo in variable name (4558fd0)
  • ui use react routers base path and add tests for base path calculation (85da4c0)
  • ui uses relative base path. In case /ui/ is found in the current page url, all urls and api routes use the found prefix from the path. If /ui/ is not found, fall back to / as the base path. Fixes #317 Fixes IAM-911 Fixes WD-12306 (709399c)
  • unauthenticated handlers were called twice (1d7ebb9)

1.10.0 (2024-06-17)

Features

  • add 2 implementations of token verifier + tests (1d1c5f9)
  • add AuthCookieManager implementation (ed18cf5)
  • add interfaces for oauth2 integration (684abac)
  • add OAuth2 and OIDC related env vars to the Spec struct (b900cc4)
  • add OAuth2 authentication middleware + tests (e054552)
  • add oauth2 context to manage oauth2/oidc operations + tests (62bff44)
  • add OAuth2 login handler + tests (88c29e6)
  • add OAuth2Helper implementation (00c5bc1)
  • adopt new oauth2 integration (912029c)
  • dependencies: add coreos/go-oidc v3 dependency (fe20b2f)
  • handler: add state check + improve structure/implementation (2c29251)

Bug Fixes

  • add security headers to UI handler (ea3c6ba)
  • rename Urn to URN (603418d)
  • serve the same file for all ui routes (29ee190)
  • serve ui assets under relative path (c3f21a9)
  • serve UI files (9007b77)
  • serve UI from root path (e5ecf42)
  • use BASE_URL to add trailing slash (30b7b1b)

1.10.0 (2024-06-17)

Features

  • add 2 implementations of token verifier + tests (1d1c5f9)
  • add AuthCookieManager implementation (7ff91d8)
  • add interfaces for oauth2 integration (684abac)
  • add OAuth2 and OIDC related env vars to the Spec struct (b900cc4)
  • add OAuth2 authentication middleware + tests (e054552)
  • add oauth2 context to manage oauth2/oidc operations + tests (62bff44)
  • add OAuth2 login handler + tests (88c29e6)
  • add OAuth2Helper implementation (67430f8)
  • adopt new oauth2 integration (912029c)
  • dependencies: add coreos/go-oidc v3 dependency (fe20b2f)
  • handler: add state check + improve structure/implementation (25f4c04)

Bug Fixes

  • add security headers to UI handler (ea3c6ba)
  • rename Urn to URN (603418d)
  • serve the same file for all ui routes (29ee190)
  • serve ui assets under relative path (c3f21a9)
  • serve UI files (9007b77)
  • serve UI from root path (e5ecf42)
  • use BASE_URL to add trailing slash (30b7b1b)

1.9.0 (2024-05-24)

Features

  • uniform rules handlers to pageToken pagination (7c70cc6)

1.8.0 (2024-05-09)

Features

  • upgrade rebac-admin to 0.0.1-alpha.3 (96aca77)

1.7.0 (2024-05-06)

Features

  • implement new Create{Group,Role} interface + adjust handlers (0adce3c)
  • let Create{Group,Role} return newly created object (e1ba968)

1.6.1 (2024-05-06)

Bug Fixes

  • role: error out when ID is passed for creation (2a46a5e)
  • role: use Name field for creation (e63fdaa)

1.6.0 (2024-04-30)

Features

  • add openfga_workers_total int config with default (b12ac05)
  • add payload_validation_enabled config key (419b042)
  • add SetTokens method + empty tokens don't get set (f165155)
  • add 3rd party validator to API structs + setupValidation func + initial noop middleware (1de0006)
  • add constructor for validator + use json tags for validation errors (44d7223)
  • add externalized Kube config file env var (9a63fe3)
  • add full validation implementation for schemas (45993ed)
  • add identity provider management, add logo (48f47ec)
  • add log tailing to skaffold run (a9725da)
  • add login screen (1befe87)
  • add pagination to clients, schemas and identity lists in ui. Add identity creation form WD-10253 (5f55463)
  • add URL param validation for groups handlers (24c8d99)
  • add Urn type (f7d33e2)
  • add validation implementation for clients (549d985)
  • add validation implementation for groups (700cf04)
  • add validation middleware only if payload validation is enabled + reorder middleware and endpoints registration (32814e8)
  • add validation setup for groups endpoint (06fb9f4)
  • add validation setup for identities endpoint (b4178c9)
  • add validation setup for schemas endpoint (8c5e173)
  • add ValidationRegistry for API validation + instantiate in router (50f0810)
  • add worker pool implementation (dbd2f9d)
  • adjust identity api to accept page token (beb0d42), closes #256
  • adjust pagination for schemas endpoints (e2a2df3), closes #44
  • allow create-fga-model cli command to save on a k8s configmap (56463bb)
  • authorization middleware based on openFGA (8f2cb3e)
  • create groups service (3d8d648)
  • create roles service (c796135)
  • create token pagination extractor (215b6cb)
  • create-group: allow creator user to view group (efcaeec)
  • delete-group: delete all relation for group to delete (883b513)
  • enable authorization by default (6f61651)
  • enhance identity provider form to cover all providers and relevant fields, hide advanced fields by default (ef62667)
  • enhance ValidationRegistry with PayloadValidator and adjust in handlers + enhance Middleware + add func for ApiKey retrieval from endpoint (313617a)
  • enhanced ValidationError with specific field errors and common errors (a21462c)
  • handlers for groups API (63d5dc4)
  • handlers for roles API (114b284)
  • hook up worker pool for groups and roles API (ce83bd6)
  • idp: add validation implementation (71ff661)
  • implement converters for each type of API (09852b0)
  • include roles and groups from ReBAC Admin (5d03914)
  • introduce BatchCheck, WriteTuples, DeleteTuples and ReadTuples in openfga client (39eb195)
  • introduce groups API converter to deal with authorization in the middleware (5f8875a)
  • invoke setup validation on registered APIs (de16a0b)
  • parse and expose link header from hydra (7c2d3f6)
  • passing openfga store and model id to admin service (51f4fab)
  • roles: add validation implementation (6bf72e5)
  • rules: add validation implementation (c42bd45)
  • separate authorization client from OpenFGA client (2cc4dab)
  • upgrade openfga model (c49abd5)
  • use interface instead of client pointer (3e1ac0f)
  • use side panels for client and idp creation (ef798c4)
  • wire up groups API (352bc45)
  • wire up roles API in web application (16ba352)

Bug Fixes

  • adapt serve command to changes on k8s client (e6701e2)
  • add back URL Param validation from previous commit (ebe07a5)
  • add command for creating an admin user (50449a9)
  • add command for removing an admin user (2db3a08)
  • add extra check on list schemas test for navigation (2afec86)
  • add id validation to make sure it's never empty (fc7d560), closes #239
  • add page tokens to the response (5a13e4e)
  • add todo comment to catch issue with the user-identities sync (ed66418)
  • add validation to openfga config (300201c)
  • address empty IDs on schema and idp creation (e6dbf32), closes #227
  • address segfault when using noop client (5265512)
  • adjust openfga NoopClient setup (f253400)
  • adjust page offset for oathkeeper apis (7c22e06)
  • allow for k8s client to be configured using kubeconfig (136e957)
  • bundle up external clients and o11y setup into config structs (a660066)
  • change specs.EnvSper name for authorization model id (3eb270b)
  • clients: validation and improved tests (129a8a8)
  • deal with empty Data attribute in k8s configmap (56937c8), closes #254
  • delete role implementation (4b71734)
  • disable validation due to missing implementation of api validators (5c06b9b)
  • drop non can_ relations from group entitlements (5b225ae), closes #243
  • enhance cli model creation to bootstrap a store (e97fb0a)
  • enhance openfga client with CreateStore and helpers to set modelID and storeID on the fly (5d62fbf)
  • enhance registerValidation log message with error (ae95fa8)
  • get 404 with not found role (with can view) - get 403 (without can_view) (2a22054)
  • groups: validation and improved tests (255733e)
  • handleDetail to return 404 on missing group for authorized users + typo (b1a1e02)
  • identities: validation and improved tests (b4fa762)
  • introduce uri validation for params (5eecee4)
  • listing not working for user that created a role (b54d681)
  • pass interface to roles API to allow for openfga noop client (6d04a3d)
  • remove assignees tuples on DeleteGroup (1107165)
  • remove assignees tuples on DeleteRole (5772334), closes #285
  • remove page_token field in meta response (3756f0d), closes #271
  • removing extra #member on assignIdentities service call (bfde070), closes #283
  • removing extra #member on removeIdentities service call (74ab0ff)
  • schemas: validation and improved tests (ab8652f)
  • skip validation config on createFGAmodel cmd (ffd6563)
  • standardize on types.Response (02cc8ce), closes #244
  • standardize page token in clients api (7bdd3e7)
  • switch to use WriteTuples instead of WriteTuple (ba8a624)
  • update noop openfga client with newer methods (251a8a1)
  • use sync.Map for race conditions (603a7e1)
  • use the microk8s-hostpath storageclass to dynamically provision the persistent volume (29d8f39)
  • wire up new config structs into web application bootstrap (9e5587d), closes #222

1.5.0 (2024-01-26)

Features

Bug Fixes

  • add config for openfga integration (bc751e2)
  • add logic for create-fga-model (7fc9a6c)
  • add noop tracer (f97484c)
  • add openfga module (d7d3418)
  • implement version command (fe5fc83)
  • introduce authorization module (28df12b)
  • introduce noop logging and monitoring (09b529d)

1.4.0 (2024-01-04)

Features

  • added unit tests for pkg/rules package (e36bbd3)
  • implemented interface for manipulating Oathkeeper rules (e36bbd3)

Bug Fixes

  • fixed issue with make dev (0d81544)
  • fixed issues with make dev (0d81544)
  • make rules cm file name configurable (3f05b59)

1.3.0 (2023-11-03)

Features

  • add schemas endpoints (c9be3dc)
  • add schemas service layer and interfaces (83917cf)
  • add unit tests for default schema feature (777259a)
  • added ca-certificates package to stage-packages (16f6683)
  • wire up schemas pkg (513ce61)

Bug Fixes

  • add default schema changes (82ba9d6)
  • deps: update dependency @canonical/react-components to v0.47.0 (#94) (a2c7e03)
  • deps: update dependency @canonical/react-components to v0.47.1 (7b6cec0)
  • deps: update dependency sass-embedded to v1.67.0 (#106) (4a5922c)
  • deps: update dependency sass-embedded to v1.69.1 (#137) (3bc1132)
  • deps: update dependency sass-embedded to v1.69.2 (#141) (1533b21)
  • deps: update dependency sass-embedded to v1.69.4 (d695e33)
  • deps: update dependency vanilla-framework to v4 (#95) (35c21ae)
  • deps: update dependency vanilla-framework to v4.3.0 (#99) (049629c)
  • deps: update dependency vanilla-framework to v4.4.0 (dde2c11)
  • deps: update dependency vanilla-framework to v4.5.0 (b700785)
  • deps: update go deps (minor) (#101) (2f1e289)
  • deps: update go deps (minor) (#127) (903ee82)
  • deps: update go deps (minor) (#75) (54f9421)
  • deps: update go deps to v0.28.2 (patch) (#105) (5888133)
  • deps: update go deps to v0.28.3 (10422e3)
  • deps: update go deps to v1.17.0 (minor) (#71) (472dc50)
  • deps: update go deps to v1.18.0 (minor) (#100) (129c7ee)
  • deps: update go deps to v1.19.0 (minor) (#125) (1d870ba)
  • deps: update module github.com/google/uuid to v1.3.1 (#53) (840b068)
  • deps: update module github.com/google/uuid to v1.4.0 (2ce70cf)
  • deps: update module github.com/ory/kratos-client-go to v1 (4fefc13)
  • deps: update module github.com/prometheus/client_golang to v1.17.0 (#124) (e0904d9)
  • deps: update module go.opentelemetry.io/otel/exporters/stdout/stdouttrace to v1.17.0 (#72) (9fd027b)
  • deps: update module go.uber.org/zap to v1.26.0 (#111) (f836ac3)
  • fix renovate config (700cc51)
  • fixed struct inconsistencies with the new release of kratos-client-go (3808420)
  • introduce version flag to facilitate charm code (4a1b6e1)
  • use version from release-please workflow (450c0bd)
  • use version in /api/v0/version endpoint (cdc9297)

1.2.0 (2023-08-10)

Features

  • add idp handlers (405bad3)
  • add idp service (4f04546)
  • wire up main and router with new dependencies (7c218d3)

Bug Fixes

  • add otel tracing to hydra client (64871cd)
  • create k8s coreV1 package (ff260f9)
  • drop unused const (bb3bd28)
  • use io pkg instead of ioutil (909459c)
  • use new instead of & syntax (9908ddc)

1.1.0 (2023-07-27)

Features

  • add hydra service (17a3c86)
  • add identities service layer (d619daf)
  • create apis for identities kratos REST endpoints (6da5dae)
  • create kratos client (d009507)

Bug Fixes

  • add jaeger propagator as ory components support only these spans for now (5a90f83)
  • fail if HYDRA_ADMIN_URL is not provided (c9e1844)
  • IAM-339 - add generic response pkg (b98a505)
  • introduce otelHTTP and otelGRPC exporter for tempo (9156892)
  • only print hydra debug logs on debug (15dc2b4)
  • wire up new kratos endpoints (1d881a7)

1.0.0 (2023-07-07)

Features