Pomerium Changelog

vUNRELEASED

NEW

  • Add user dashboard containing information about the current user's session. [GH-123]
  • Add functionality allowing users to initiate manual refresh of their session. This is helpful when a user's access control details are updated but their session hasn't updated yet. To prevent abuse, manual refresh is gated by a cooldown (REFRESH_COOLDOWN) which defaults to five minutes. [GH-73]
  • Add Administrator (super user) account support (ADMINISTRATORS). [GH-110]
  • Add feature that allows Administrators to impersonate / sign-in as another user from the user dashboard. [GH-110]
  • Add docker images and builds for ARM. [GH-95]
  • Add support for public, unauthenticated routes. [GH-129]
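The manual-refresh cooldown above is a small rate-limiting decision, and it is easy to get wrong (a refresh that fails should not consume the cooldown; two concurrent requests should not both pass it). The following Go program is an added example, not Pomerium's own code: it models a session with a last-refresh timestamp, gates a refresh behind a five-minute cooldown, and exposes it on the `/.pomerium/refresh` path named later in this changelog. `sessionState`, `sessionStore`, the `refresh` callback standing in for the identity-provider round trip, and the 429/Retry-After mapping are this example's assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strconv"
	"sync"
	"time"
)

// refreshCooldown stands in for REFRESH_COOLDOWN; five minutes is the
// default the changelog states.
const refreshCooldown = 5 * time.Minute

// sessionState is a constructed stand-in for the session record, carrying
// only the fields this example needs.
type sessionState struct {
	Email         string    `json:"email"`
	Groups        []string  `json:"groups"`
	LastRefreshed time.Time `json:"last_refreshed"`
}

var errCooldown = errors.New("manual refresh is on cooldown")

// canRefresh reports whether a manual refresh may run at time now and, if
// not, how long the caller must wait. A zero LastRefreshed means the
// session has never been manually refreshed, so the first request passes.
func canRefresh(s sessionState, now time.Time) (bool, time.Duration) {
	if s.LastRefreshed.IsZero() {
		return true, 0
	}
	if elapsed := now.Sub(s.LastRefreshed); elapsed < refreshCooldown {
		return false, refreshCooldown - elapsed
	}
	return true, 0
}

// manualRefresh gates the (hypothetical) identity-provider round trip
// behind the cooldown and, only on success, restarts the cooldown clock.
func manualRefresh(s sessionState, now time.Time, refresh func(sessionState) (sessionState, error)) (sessionState, time.Duration, error) {
	if ok, wait := canRefresh(s, now); !ok {
		return s, wait, errCooldown
	}
	updated, err := refresh(s)
	if err != nil {
		return s, 0, err
	}
	updated.LastRefreshed = now
	return updated, 0, nil
}

// sessionStore is a single-session in-memory store so the handler runs
// without cookies or a real IdP; the mutex keeps two concurrent refreshes
// from both passing the cooldown check.
type sessionStore struct {
	mu sync.Mutex
	s  sessionState
}

// refreshHandler maps manualRefresh onto HTTP: inside the cooldown window
// the client gets 429 plus Retry-After, an IdP failure gets 502, and a
// successful refresh returns the updated session as JSON.
func refreshHandler(store *sessionStore, refresh func(sessionState) (sessionState, error), now func() time.Time) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		store.mu.Lock()
		defer store.mu.Unlock()
		updated, wait, err := manualRefresh(store.s, now(), refresh)
		switch {
		case errors.Is(err, errCooldown):
			w.Header().Set("Retry-After", strconv.Itoa(int(wait.Seconds())+1))
			http.Error(w, err.Error(), http.StatusTooManyRequests)
			return
		case err != nil:
			http.Error(w, "refresh failed", http.StatusBadGateway)
			return
		}
		store.s = updated
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(updated)
	}
}

func main() {
	store := &sessionStore{s: sessionState{Email: "user@example.com"}}
	// Constructed IdP stand-in: a refresh "discovers" a new group membership.
	refresh := func(s sessionState) (sessionState, error) {
		s.Groups = append(s.Groups, "eng@example.com")
		return s, nil
	}
	http.Handle("/.pomerium/refresh", refreshHandler(store, refresh, time.Now))
	fmt.Println("listening on 127.0.0.1:8080; request /.pomerium/refresh twice to see the 429")
	_ = http.ListenAndServe("127.0.0.1:8080", nil)
}
```

Note that the cooldown clock is only advanced after a successful refresh, so a transient IdP failure does not lock the user out for five minutes, while a successful one does.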

CHANGED

  • Changed config AUTHENTICATE_INTERNAL_URL to be a URL containing both a valid hostname and scheme. [GH-153]
  • User state is now maintained and scoped at the domain level vs at the route level. [GH-128]
  • Error pages contain a link to sign out from the current user session. [GH-100]
  • Removed LifetimeDeadline from sessions.SessionState.
  • Removed favicon specific request handling. [GH-131]
  • Headers are now configurable via the HEADERS configuration variable. [GH-108]
  • Refactored proxy and authenticate services to share the same session state cookie. [GH-131]
  • Removed instances of extraneous session state saves. [GH-131]
  • Changed default behavior when no session is found. Users are now redirected to login instead of being shown an error page. [GH-131]
  • Updated routes such that all http handlers are now wrapped with a standard set of middleware. Headers, request id, loggers, and health checks middleware are now applied to all routes including 4xx and 5xx responses. [GH-116]
  • Changed docker images to be built from distroless. This fixed an issue with nsswitch [GH-97], includes ca-certificates and limits the attack surface area of our images. [GH-101]
  • Changed HTTP to HTTPS redirect server to be user configurable via HTTP_REDIRECT_ADDR. [GH-103]
  • Content-Security-Policy hash updated to match new UI assets.

FIXED

  • Fixed an issue where policy and routes were being pre-processed incorrectly. [GH-132]
  • Fixed an issue where golint was not being found in our docker image. [GH-121]

v0.0.4

CHANGED

  • HTTP Strict Transport Security is included by default and set to one year. [GH-92]
  • HTTP now redirects to HTTPS. [GH-92]
  • Removed extraneous AUTHORIZE_INTERNAL_URL config option since authorization has no public HTTP handlers, only a gRPC service endpoint. [GH-93]
  • Removed PROXY_ROOT_DOMAIN config option which is now inferred from AUTHENTICATE_SERVICE_URL. Only callback requests originating from a URL on the same sub-domain are permitted. [GH-83]
  • Removed REDIRECT_URL config option which is now inferred from AUTHENTICATE_SERVICE_URL (e.g. https://$AUTHENTICATE_SERVICE_URL/oauth2/callback). [GH-83]
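Three of the v0.0.4 changes above are transport and callback hardening: HSTS with a one-year max-age, an HTTP listener that only redirects to HTTPS, and callback URLs restricted to the domain inferred from AUTHENTICATE_SERVICE_URL. The Go program below is an added example, not Pomerium's code, showing the checks a practitioner would want for each. The one-label rule in `rootDomain` (authenticate.corp.example.com yields corp.example.com), the `validCallbackURL` dot-anchored suffix match, and the certificate file names in `main` are this example's assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// hstsMaxAge is one year in seconds, the default the changelog states.
const hstsMaxAge = 365 * 24 * 60 * 60

// withHSTS adds Strict-Transport-Security to every response of the HTTPS
// listener so browsers stop issuing plain-HTTP requests for the host.
func withHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", fmt.Sprintf("max-age=%d", hstsMaxAge))
		next.ServeHTTP(w, r)
	})
}

// httpsTarget rebuilds the request URL on https, dropping an explicit port
// so the redirect lands on 443. requestURI is path plus query.
func httpsTarget(host, requestURI string) string {
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	return "https://" + host + requestURI
}

// redirectToHTTPS is the only handler the plain-HTTP listener
// (HTTP_REDIRECT_ADDR) needs.
func redirectToHTTPS(w http.ResponseWriter, r *http.Request) {
	http.Redirect(w, r, httpsTarget(r.Host, r.URL.RequestURI()), http.StatusMovedPermanently)
}

// parseAuthenticateURL enforces the "https URL with a hostname" shape;
// a bare hostname parses as a path and is rejected here.
func parseAuthenticateURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" || u.Hostname() == "" {
		return nil, fmt.Errorf("AUTHENTICATE_SERVICE_URL must be an https URL with a hostname, got %q", raw)
	}
	return u, nil
}

// callbackURL is the inferred OAuth2 redirect URI: the authenticate
// service URL with its path replaced by /oauth2/callback.
func callbackURL(authenticateServiceURL string) (string, error) {
	u, err := parseAuthenticateURL(authenticateServiceURL)
	if err != nil {
		return "", err
	}
	u.Path, u.RawQuery, u.Fragment = "/oauth2/callback", "", ""
	return u.String(), nil
}

// rootDomain strips the first label from the authenticate host (assumed
// rule): authenticate.corp.example.com -> corp.example.com.
func rootDomain(authenticateServiceURL string) (string, error) {
	u, err := parseAuthenticateURL(authenticateServiceURL)
	if err != nil {
		return "", err
	}
	labels := strings.Split(strings.ToLower(u.Hostname()), ".")
	if len(labels) < 3 {
		return "", fmt.Errorf("authenticate host %q has no parent domain to infer", u.Hostname())
	}
	return strings.Join(labels[1:], "."), nil
}

// validCallbackURL accepts only https URLs on the root domain or a
// subdomain of it. The suffix is anchored on a leading dot: a plain
// substring test would also accept corp.example.com.evil.net.
func validCallbackURL(root, redirect string) bool {
	u, err := url.Parse(redirect)
	if err != nil || u.Scheme != "https" {
		return false
	}
	host := strings.ToLower(u.Hostname())
	root = strings.ToLower(root)
	return host == root || strings.HasSuffix(host, "."+root)
}

func main() {
	const authURL = "https://authenticate.corp.example.com"
	cb, _ := callbackURL(authURL)
	root, _ := rootDomain(authURL)
	fmt.Println("callback:", cb, "root:", root)
	for _, u := range []string{"https://httpbin.corp.example.com/", "https://corp.example.com.evil.net/", "http://httpbin.corp.example.com/"} {
		fmt.Printf("%s -> %v\n", u, validCallbackURL(root, u))
	}
	// Wiring: the plain-HTTP listener only redirects; the TLS listener's
	// handler is wrapped in withHSTS. cert.pem/key.pem are placeholders.
	go func() { _ = http.ListenAndServe("127.0.0.1:8080", http.HandlerFunc(redirectToHTTPS)) }()
	fmt.Println(http.ListenAndServeTLS("127.0.0.1:8443", "cert.pem", "key.pem", withHSTS(http.NotFoundHandler())))
}
```

The HSTS header only does its job on responses delivered over TLS, which is why `withHSTS` wraps the TLS listener's handler and not the redirect listener.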

FIXED

  • Fixed a bug in the Google provider implementation where the refresh_token. Updated the Google implementation to use the new prompt=consent OAuth2 parameters. Reported and fixed by @chemhack [GH-81]

DOCUMENTATION

v0.0.3

FEATURES

  • Authorization: The authorization module adds support for per-route access policy. This release supports the most common forms of identity-based access policy: allowed_users, allowed_groups, and allowed_domains. Future versions of the authorization module will also support context- and device-based authorization policy and decisions. See the website documentation for more details.

  • Group Support: The authenticate service now retrieves a user's group membership information during authentication and refresh. This change may require additional identity provider configuration, all of which is described in the updated docs. A brief summary of the requirements for each IdP follows:

    • Google requires the Admin SDK to be enabled, a service account with properly delegated access, and IDP_SERVICE_ACCOUNT set to the base64-encoded contents of the service account's key file.
    • Okta requires a groups claim to be added to both the id_token and the access_token. No additional API calls are made.
    • Microsoft Azure Active Directory requires the application to be granted an additional API permission, Directory.Read.All.
    • OneLogin requires that the groups parameter was supplied during authentication and that the groups parameter has been mapped. Group membership is validated on refresh with the user-info API endpoint.
  • WebSocket Support: With Go 1.12, Pomerium automatically proxies WebSocket requests.
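The authorization feature above is a per-route allow-list over three identity attributes, and the group support feeds the second of them. The Go program below is an added example, not Pomerium's authorization service: it evaluates constructed in-memory policies (rather than the POLICY configuration file) against a user's email and groups. The `Policy` and `User` types, the `From` route field, the case-insensitive comparisons, and the deny-by-default behaviour for unknown routes and empty policies are this example's assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Policy is a constructed in-memory form of one per-route policy entry with
// the three identity-based fields the release describes; the field names
// follow the changelog's allowed_users, allowed_groups and allowed_domains.
type Policy struct {
	From           string   // route host this policy applies to
	AllowedUsers   []string // exact email addresses
	AllowedGroups  []string // group identifiers as the IdP reports them
	AllowedDomains []string // email domains, matched exactly
}

// User holds what the authenticate service now collects: the email from
// the IdP and the group memberships fetched at login and on refresh.
type User struct {
	Email  string
	Groups []string
}

// Authorized is an allow-list check: the user is permitted when any one of
// the three lists matches. A policy with all three lists empty denies
// everyone, which is the safe default for a newly declared route.
func (p Policy) Authorized(u User) bool {
	email := strings.ToLower(strings.TrimSpace(u.Email))
	for _, allowed := range p.AllowedUsers {
		if email == strings.ToLower(allowed) {
			return true
		}
	}
	// The domain is everything after the last "@", compared for equality so
	// that alice@example.com.evil.net does not satisfy allowed_domains: example.com.
	if at := strings.LastIndex(email, "@"); at >= 0 {
		domain := email[at+1:]
		for _, d := range p.AllowedDomains {
			if domain == strings.ToLower(d) {
				return true
			}
		}
	}
	for _, g := range u.Groups {
		for _, allowed := range p.AllowedGroups {
			if strings.EqualFold(g, allowed) {
				return true
			}
		}
	}
	return false
}

// Decide finds the policy for the requested host and evaluates it. A host
// with no policy is an error rather than an allow: only declared routes
// are reachable through the proxy.
func Decide(policies []Policy, host string, u User) (bool, error) {
	for _, p := range policies {
		if strings.EqualFold(p.From, host) {
			return p.Authorized(u), nil
		}
	}
	return false, fmt.Errorf("no policy for route %q", host)
}

func main() {
	// Constructed policies and user.
	policies := []Policy{
		{From: "httpbin.corp.example.com", AllowedDomains: []string{"example.com"}},
		{From: "admin.corp.example.com", AllowedGroups: []string{"admins@example.com"}},
	}
	alice := User{Email: "alice@example.com", Groups: []string{"eng@example.com"}}
	for _, host := range []string{"httpbin.corp.example.com", "admin.corp.example.com", "nope.corp.example.com"} {
		ok, err := Decide(policies, host, alice)
		fmt.Printf("%s -> allowed=%v err=%v\n", host, ok, err)
	}
}
```

Because group membership is refreshed at login and on refresh, a group removal at the IdP takes effect on the next refresh rather than immediately; the manual refresh endpoint and cookie lifetime described elsewhere in this changelog bound that window.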

CHANGED

  • Added LOG_LEVEL config setting that allows for setting the desired minimum log level for an event to be logged. [GH-74]
  • Changed POMERIUM_DEBUG config setting to just do console-pretty printing. No longer sets log level. [GH-74]
  • Updated generate_wildcard_cert.sh to generate an elliptic curve 256 cert by default.
  • Updated env.example to include a POLICY setting example.
  • Added IDP_SERVICE_ACCOUNT to env.example.
  • Removed the ALLOWED_DOMAINS setting, which has been replaced by POLICY. Authorization is now handled by the authorization service and is defined in the policy configuration files.
  • Removed the ROUTES setting, which has been replaced by POLICY.
  • Added the refresh endpoint ${url}/.pomerium/refresh, which forces a token refresh and responds with the JSON result.
  • Group membership added to proxy headers (x-pomerium-authenticated-user-groups) and (x-pomerium-jwt-assertion).
  • Default cookie lifetime (COOKIE_EXPIRE) changed from 7 days to 14 hours (roughly one business day).
  • Moved identity (authenticate/providers) into its own internal identity package, as third-party identity providers are going to provide authorization details (group membership, user role, etc.) in addition to authentication attributes.
  • Removed the circuit breaker package. Calls that were previously wrapped with a circuit breaker now fall under gRPC timeouts, which are relatively short.
  • Session expiration times are truncated at the second.
  • Removed the GitLab provider. We can't support groups until this GitLab bug is fixed.
  • Request context is now maintained throughout request-flow via the context package enabling timeouts, request tracing, and cancellation.

FIXED

  • http.Server and httputil.NewSingleHostReverseProxy now use Pomerium's logging package instead of the standard library's built-in one. [GH-58]