v0.7.0

See (#576) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2025-05-10 07:37:33 +02:00 · 2020-04-04 20:45:48 -07:00 · 2020-04-04 20:45:48 -07:00 · d780281fc0
commit d780281fc0
parent d0acad597d
13 changed files with 177 additions and 74 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-v0.6.0
+v0.7.0
--- a/docs/.vuepress/config.js
+++ b/docs/.vuepress/config.js
@ -28,10 +28,11 @@ module.exports = {
      { text: "Enterprise", link: "/enterprise/" },

      {
-        text: "🚧Dev", // current tagged version
+        text: "v0.7.x", // current tagged version
        ariaLabel: "Version menu",
        items: [
          { text: "🚧Dev", link: "https://master.docs.pomerium.io/docs" },
+          { text: "v0.7.x", link: "https://0-7-0.docs.pomerium.io/docs" },
          { text: "v0.6.x", link: "https://0-6-0.docs.pomerium.io/docs" },
          { text: "v0.5.x", link: "https://0-5-0.docs.pomerium.io/docs" },
          { text: "v0.4.x", link: "https://0-4-0.docs.pomerium.io/docs" },
--- a/docs/.vuepress/theme/components/Home.vue
+++ b/docs/.vuepress/theme/components/Home.vue
@ -3,24 +3,36 @@
    <header class="hero">
      <div class="section">
        <div class="content">
-          <h1 v-if="data.heroText !== null" id="main-title">{{ data.heroText || $title || 'Hello' }}</h1>
+          <h1 v-if="data.heroText !== null" id="main-title">
+            {{ data.heroText || $title || "Hello" }}
+          </h1>

-          <p
-            class="description"
-          >{{ data.tagline || $description || 'Welcome to your VuePress site' }}</p>
+          <p class="description">
+            {{
+              data.tagline || $description || "Welcome to your VuePress site"
+            }}
+          </p>

          <p class="action" v-if="data.actionText && data.actionLink">
            <NavLink class="action-button" :item="actionLink" />
          </p>
        </div>

-        <video v-if="data.heroImage" class="media" autoplay loop muted playsinline>
+        <video
+          v-if="data.heroImage"
+          class="media"
+          autoplay
+          loop
+          muted
+          playsinline
+        >
          <source
            v-if="data.heroImage"
            :src="$withBase(data.heroImage)"
            :alt="data.heroAlt"
            type="video/mp4"
-          />Your browser does not support the video tag.
+          />
+          Your browser does not support the video tag.
        </video>
        <form
          v-if="data.contactForm === true"
@ -45,13 +57,19 @@
              <input name="company" class="field" />
            </label>
          </fieldset>
-          <button class="nav-link action-button" type="submit">Get in touch</button>
+          <button class="nav-link action-button" type="submit">
+            Get in touch
+          </button>
        </form>
      </div>
    </header>

    <div class v-if="data.features && data.features.length">
-      <div class="features section" v-for="(feature, index) in data.features" :key="index">
+      <div
+        class="features section"
+        v-for="(feature, index) in data.features"
+        :key="index"
+      >
        <div class="feature">
          <img class="media" :src="$withBase(feature.src)" />
          <div class="content">
@ -65,7 +83,11 @@
    <div class v-if="data.triples && data.triples.length">
      <div class="triples">
        <div class="feature">
-          <div class="content" v-for="(feature, index) in data.triples" :key="index">
+          <div
+            class="content"
+            v-for="(feature, index) in data.triples"
+            :key="index"
+          >
            <img class="media" :src="$withBase(feature.src)" />
            <h2>{{ feature.title }}</h2>
            <p>{{ feature.text }}</p>
@ -75,7 +97,14 @@
    </div>
    <Content class="theme-default-content custom" />

-    <div class="footer" v-if="data.footer">{{ data.footer }}</div>
+    <div class="footer">
+      <a href="https://www.netlify.com/">
+        <img
+          src="https://api.netlify.com/api/v1/badges/1853c996-a1f7-4545-b60c-612e8fca557c/deploy-status"
+          alt="Deploy status badge"
+        />
+      </a>
+    </div>
  </main>
 </template>

@ -358,13 +387,11 @@ export default {
      }
    }
  }
-
+}
 .footer {
-    padding: 2.5rem;
+    padding: 0.75rem;
    border-top: 1px solid $borderColor;
    text-align: center;
-    color: lighten($textColor, 25%);
-  }
  }

@media (max-width: $MQMobile) {
--- a/docs/configuration/examples/docker/basic.docker-compose.yml
+++ b/docs/configuration/examples/docker/basic.docker-compose.yml
@ -1,7 +1,7 @@
 version: "3"
 services:
  pomerium:
-    image: pomerium/pomerium:latest
+    image: pomerium/pomerium:v0.7.0
    environment:
      # Generate new secret keys. e.g. `head -c32 /dev/urandom | base64`
      - COOKIE_SECRET=V2JBZk0zWGtsL29UcFUvWjVDWWQ2UHExNXJ0b2VhcDI=
--- a/docs/configuration/examples/docker/nginx.docker-compose.yml
+++ b/docs/configuration/examples/docker/nginx.docker-compose.yml
@ -12,7 +12,7 @@ services:
      - /var/run/docker.sock:/tmp/docker.sock:ro

  pomerium-authenticate:
-    image: pomerium/pomerium:latest # or `build: .` to build from source
+    image: pomerium/pomerium:v0.7.0 # or `build: .` to build from source
    restart: always
    environment:
      - SERVICES=authenticate
@ -39,7 +39,7 @@ services:
      - 443

  pomerium-proxy:
-    image: pomerium/pomerium:latest # or `build: .` to build from source
+    image: pomerium/pomerium:v0.7.0 # or `build: .` to build from source
    restart: always
    environment:
      - SERVICES=proxy
@ -61,7 +61,7 @@ services:
      - 443

  pomerium-authorize:
-    image: pomerium/pomerium:latest # or `build: .` to build from source
+    image: pomerium/pomerium:v0.7.0 # or `build: .` to build from source
    restart: always
    environment:
      - SERVICES=authorize
@ -77,7 +77,7 @@ services:
      - 443

  pomerium-cache:
-    image: pomerium/pomerium:latest # or `build: .` to build from source
+    image: pomerium/pomerium:v0.7.0 # or `build: .` to build from source
    restart: always
    environment:
      - SERVICES=cache
--- a/docs/docs/CHANGELOG.md
+++ b/docs/docs/CHANGELOG.md
@ -1,5 +1,79 @@
 # Changelog

+## v0.7.0
+
+### New
+
+- \*: remove import path comments @desimone (#545)
+- authenticate: make callback path configurable @desimone (#493)
+- authenticate: return 401 for some specific error codes @cuonglm (#561)
+- authorization: log audience claim failure @desimone (#553)
+- authorize: use jwt instead of state struct @desimone (#514)
+- authorize: use opa for policy engine @desimone (#474)
+- cmd: add cli to generate service accounts @desimone (#552)
+- config: Expose and set default GRPC Server Keepalive Parameters @travisgroth (#509)
+- config: Make IDP_PROVIDER env var mandatory @mihaitodor (#536)
+- config: Remove superfluous Options.Checksum type conversions @travisgroth (#522)
+- gitlab/identity: change group unique identifier to ID @Lumexralph (#571)
+- identity: support oidc UserInfo Response @desimone (#529)
+- internal/cryptutil: standardize leeway to 5 mins @desimone (#476)
+- metrics: Add storage metrics @travisgroth (#554)
+
+### Fixed
+
+- cache: add option validations @desimone (#468)
+- config: Add proper yaml tag to Options.Policies @travisgroth (#475)
+- ensure correct service name on GRPC related metrics @travisgroth (#510)
+- fix group impersonation @desimone (#569)
+- fix sign-out bug , fixes #530 @desimone (#544)
+- proxy: move set request headers before handle allow public access @ohdarling (#479)
+- use service port for session audiences @travisgroth (#562)
+
+### Documentation
+
+- fix `the` typo @ilgooz (#566)
+- fix kubernetes dashboard recipe docs @desimone (#504)
+- make from source quickstart @desimone (#519)
+- update background @desimone (#505)
+- update helm for v3 @desimone (#469)
+- various fixes @desimone (#478)
+- fix cookie_domain @nitper (#472)
+
+### Dependency
+
+- chore(deps): update github.com/pomerium/autocache commit hash to 6c66ed5 @renovate (#480)
+- chore(deps): update github.com/pomerium/autocache commit hash to 227c993 @renovate (#537)
+- chore(deps): update golang.org/x/crypto commit hash to 0ec3e99 @renovate (#574)
+- chore(deps): update golang.org/x/crypto commit hash to 1b76d66 @renovate (#538)
+- chore(deps): update golang.org/x/crypto commit hash to 78000ba @renovate (#481)
+- chore(deps): update golang.org/x/crypto commit hash to 891825f @renovate (#556)
+- chore(deps): update module fatih/color to v1.9.0 @renovate (#575)
+- chore(deps): update module fsnotify/fsnotify to v1.4.9 @renovate (#539)
+- chore(deps): update module go.etcd.io/bbolt to v1.3.4 @renovate (#557)
+- chore(deps): update module go.opencensus.io to v0.22.3 @renovate (#483)
+- chore(deps): update module golang/mock to v1.4.0 @renovate (#470)
+- chore(deps): update module golang/mock to v1.4.3 @renovate (#540)
+- chore(deps): update module golang/protobuf to v1.3.4 @renovate (#485)
+- chore(deps): update module golang/protobuf to v1.3.5 @renovate (#541)
+- chore(deps): update module google.golang.org/api to v0.20.0 @renovate (#495)
+- chore(deps): update module google.golang.org/grpc to v1.27.1 @renovate (#496)
+- chore(deps): update module gorilla/mux to v1.7.4 @renovate (#506)
+- chore(deps): update module open-policy-agent/opa to v0.17.1 @renovate (#497)
+- chore(deps): update module open-policy-agent/opa to v0.17.3 @renovate (#513)
+- chore(deps): update module open-policy-agent/opa to v0.18.0 @renovate (#558)
+- chore(deps): update module prometheus/client_golang to v1.4.1 @renovate (#498)
+- chore(deps): update module prometheus/client_golang to v1.5.0 @renovate (#531)
+- chore(deps): update module prometheus/client_golang to v1.5.1 @renovate (#543)
+- chore(deps): update module rakyll/statik to v0.1.7 @renovate (#517)
+- chore(deps): update module rs/zerolog to v1.18.0 @renovate (#507)
+- chore(deps): update module yaml to v2.2.8 @renovate (#471)
+- ci: Consolidate matrix build parameters @travisgroth (#521)
+- dependency: use go mod redis @desimone (#528)
+- deployment: throw away golanglint-ci defaults @desimone (#439)
+- deployment: throw away golanglint-ci defaults @desimone (#439)
+- deps: enable automerge and set labels on renovate PRs @travisgroth (#527)
+- Roll back grpc to v1.25.1 @travisgroth (#484)
+
 ## v0.6.0

 ### New
--- a/docs/docs/identity-providers/azure.md
+++ b/docs/docs/identity-providers/azure.md
@ -58,7 +58,7 @@ Click on **Save** and the key will be displayed. **Make sure to copy the value o

 ![Creating a Key](./img/azure-create-key.png)

-Next you need to ensure that the Pomerium's Redirect URL is listed in allowed reply URLs for the created application. Navigate to **Azure Active Directory** -> **Apps registrations** and select your app. Then click **Settings** -> **Reply URLs** and add Pomerium's redirect URL. For example, `https://authenticate.corp.beyondperimeter.com/oauth2/callback`.
+Next you need to ensure that the Pomerium's Redirect URL is listed in allowed reply URLs for the created application. Navigate to **Azure Active Directory** -> **Apps registrations** and select your app. Then click **Settings** -> **Reply URLs** and add Pomerium's redirect URL. For example, `https://${authenticate_service_url}/oauth2/callback`.

 ![Add Reply URL](./img/azure-redirect-url.png)

--- a/docs/docs/identity-providers/google.md
+++ b/docs/docs/identity-providers/google.md
@ -28,9 +28,9 @@ Click the button on the banner to go to the consent screen configuration. If all
 On the **Create [Client ID]** page, select **Web application**. In the new fields that display, set the following parameters:

 | Field        | Description                                                              |
-| ------------------------ | -------------------------------------------------------------------------- |
+| ------------ | ------------------------------------------------------------------------ |
 | Name         | The name of your web app                                                 |
-| Authorized redirect URIs | Redirect URL (e.g.`https://authenticate.corp.example.com/oauth2/callback`) |
+| Redirect URI | Redirect URL (e.g.`https://${authenticate_service_url}/oauth2/callback`) |

 ![Web App Credentials Configuration](./img/google-create-client-id-config.png)

--- a/docs/docs/identity-providers/okta.md
+++ b/docs/docs/identity-providers/okta.md
@ -22,10 +22,10 @@ On the **Create New Application** page, select the **Web** for your application.
 Next, provide the following information for your application settings:

 | Field                        | Description                                                               |
-| ---------------------------- | --------------------------------------------------------------------------- |
+| ---------------------------- | ------------------------------------------------------------------------- |
 | Name                         | The name of your application.                                             |
 | Base URIs (optional)         | The domain(s) of your application.                                        |
-| Login redirect URIs          | Redirect URL (e.g.`https://authenticate.corp.example.com/oauth2/callback`). |
+| Login redirect URIs          | Redirect URL (e.g.`https://${authenticate_service_url}/oauth2/callback`). |
 | Group assignments (optional) | The user groups that can sign in to this application.                     |
 | Grant type allowed           | **You must enable Refresh Token.**                                        |

--- a/docs/docs/identity-providers/one-login.md
+++ b/docs/docs/identity-providers/one-login.md
@ -16,7 +16,7 @@ On the App Configuration page, **name the app** and **select a logo**. Select **

 ![One Login select logo](./img/one-login-select-logo.png)

-Next, set set the **Redirect URI's** setting to be Pomerium's redirect url `https://${AUTHENTICATE_SERVICE_URL}/oauth2/callback`.
+Next, set set the **Redirect URI's** setting to be Pomerium's redirect url `https://${authenticate_service_url}/oauth2/callback`.

 ![One Login set callback url](./img/one-login-callback-url.png)

--- a/docs/docs/identity-providers/readme.md
+++ b/docs/docs/identity-providers/readme.md
@ -14,7 +14,7 @@ There are a few configuration steps required for identity provider integration.

 In this guide we'll cover how to do the following for each identity provider:

-1. Set a **[Redirect URL](https://www.oauth.com/oauth2-servers/redirect-uris/)** pointing back to Pomerium.
+1. Set a **[Redirect URL](https://www.oauth.com/oauth2-servers/redirect-uris/)** pointing back to Pomerium. For example, `https://${authenticate_service_url}/oauth2/callback`.
 2. Generate a **[Client ID]** and **[Client Secret]**.
 3. Configure Pomerium to use the **[Client ID]** and **[Client Secret]** keys.

--- a/docs/docs/releases.md
+++ b/docs/docs/releases.md
@ -55,6 +55,7 @@ To see difference between releases, please refer to the changelog and upgrading
 For convenience, we maintain hosted documentation for each tagged release. The format for which is `https://{MAJOR}-{MINOR}-{PATCH}.docs.pomerium.io`. For example:

 - [github@master](https://master.docs.pomerium.io/)
+- [v0.7.0](https://0-7-0.docs.pomerium.io/)
 - [v0.6.0](https://0-6-0.docs.pomerium.io/)
 - [v0.5.0](https://0-5-0.docs.pomerium.io/)
 - [v0.4.0](https://0-4-0.docs.pomerium.io/)
--- a/docs/docs/upgrading.md
+++ b/docs/docs/upgrading.md
@ -5,22 +5,23 @@ description: >-
  for Pomerium. Please read it carefully.
 ---

-# Upgrade Guide
+# Since 0.6.0

-## Since 0.6.0
+## Breaking

-### Breaking
+### Getting user's identity

-#### Getting user's identity
+User detail headers ( `x-pomerium-authenticated-user-id` / `x-pomerium-authenticated-user-email` / `x-pomerium-authenticated-user-groups`) have been removed in favor of using the more secure, more data rich attestation jwt header (`x-pomerium-jwt-assertion`).

-User detail headers
-( `x-pomerium-authenticated-user-id` / `x-pomerium-authenticated-user-email` / `x-pomerium-authenticated-user-groups`) have been removed in favor of using the more secure, more data rich attestation jwt header (`x-pomerium-jwt-assertion`).
+### Non-standard port users

-## Since 0.5.0
+Non-standard port users (e.g. those not using `443`/`80` where the port _would_ be part of the client's request) will have to clear their user's session before upgrading. Starting with version v0.7.0, audience (`aud`) and issuer (`iss`) claims will be port specific.

-### Breaking
+# Since 0.5.0

-#### New cache service
+## Breaking
+
+### New cache service

 A back-end cache service was added to support session refreshing from [single-page-apps](https://en.wikipedia.org/wiki/Single-page_application).

@ -48,37 +49,37 @@ For a concrete example of the required changes, consider the following changes f

 Please see the updated examples, and [cache service docs] as a reference and for the available cache stores. For more details as to why this was necessary, please see [PR438](https://github.com/pomerium/pomerium/pull/438) and [PR457](https://github.com/pomerium/pomerium/pull/457).

-## Since 0.4.0
+# Since 0.4.0

-### Breaking
+## Breaking

-#### Subdomain requirement dropped
+### Subdomain requirement dropped

 - Pomerium services and managed routes are no longer required to be on the same domain-tree root. Access can be delegated to any route, on any domain (that you have access to, of course).

-#### Azure AD
+### Azure AD

 - Azure Active Directory now uses the globally unique and immutable`ID` instead of `group name` to attest a user's [group membership](https://docs.microsoft.com/en-us/graph/api/group-get?view=graph-rest-1.0&tabs=http). Please update your policies to use group `ID` instead of group name.

-#### Okta
+### Okta

 - Okta no longer uses tokens to retrieve group membership. [Group membership](https://developer.okta.com/docs/reference/api/groups/) is now fetched using Okta's API.
 - Okta's group membership is now determined by the globally unique and immutable ID field. Please update your policies to use group `ID` instead of group name.
 - Okta now requires an additional set of credentials to be used to query for group membership set as a [service account](https://www.pomerium.io/docs/reference/reference.html#identity-provider-service-account).

-#### OneLogin
+### OneLogin

 - OneLogin [group membership](https://developers.onelogin.com/openid-connect/api/user-info) is now determined by the globally unique and immutable ID field. Please update your policies to use group `ID` instead of group name.

-#### Force Refresh Removed
+### Force Refresh Removed

 Force refresh has been removed from the dashboard. Logging out and back in again should have the equivalent desired effect.

-#### Programmatic Access API changed
+### Programmatic Access API changed

 Previous programmatic authentication endpoints (`/api/v1/token`) has been removed and has been replaced by a per-route, oauth2 based auth flow. Please see updated [programmatic documentation](https://www.pomerium.io/docs/reference/programmatic-access.html) how to use the new programmatic access api.

-#### Forward-auth route change
+### Forward-auth route change

 Previously, routes were verified by taking the downstream applications hostname in the form of a path `(e.g. ${forwardauth}/.pomerium/verify/httpbin.some.example`) variable. The new method for verifying a route using forward authentication is to pass the entire requested url in the form of a query string `(e.g. ${forwardauth}/.pomerium/verify?url=https://httpbin.some.example)` where the routed domain is the value of the `uri` key.

@ -91,14 +92,13 @@ For example, in nginx this would look like:
 -    nginx.ingress.kubernetes.io/auth-signin: https://forwardauth.corp.example.com/.pomerium/verify/httpbin.corp.example.com
 +    nginx.ingress.kubernetes.io/auth-url: https://forwardauth.corp.example.com/verify?uri=$scheme://$host$request_uri
 +    nginx.ingress.kubernetes.io/auth-signin: https://forwardauth.corp.example.com?uri=$scheme://$host$request_uri
-
 ```

-## Since 0.3.0
+# Since 0.3.0

-### Breaking
+## Breaking

-#### Authorize Service URL no longer used in all-in-one mode
+### Authorize Service URL no longer used in all-in-one mode

 Pomerium no longer handles both gRPC and HTTPS traffic from the same network listener (port). As a result, all-in-one mode configurations will default to serving gRPC traffic over loopback on port `5443` and will serve HTTPS traffic as before on port `443`. In previous versions, it was recommended to configure authorize in this mode which will now break. The error will typically look something like:

@ -108,15 +108,15 @@ rpc error: code = DeadlineExceeded desc = latest connection error: connection cl

 To upgrade, simply remove the `AUTHORIZE_SERVICE_URL` setting.

-#### Removed Authenticate Internal URL
+### Removed Authenticate Internal URL

 The authenticate service no longer uses gRPC to do back channel communication. As a result, `AUTHENTICATE_INTERNAL_URL`/`authenticate_internal_url` is no longer required.

-#### No default certificate location
+### No default certificate location

 In previous versions, if no explicit certificate pair (in base64 or file form) was set, Pomerium would make a last ditch effort to check for certificate files (`cert.key`/`privkey.pem`) in the root directory. With the introduction of insecure server configuration, we've removed that functionality. If there settings for certificates and insecure server mode are unset, pomerium will give a appropriate error instead of a failed to find/open certificate error.

-#### Authorize service health-check is non-http
+### Authorize service health-check is non-http

 The Authorize service will no longer respond to `HTTP`-based healthcheck queries when run as a distinct service (vs all-in-one). As an alternative, you can used on TCP based checks. For example, if using [Kubernetes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-a-tcp-liveness-probe):

@ -134,31 +134,31 @@ livenessProbe:
  periodSeconds: 20
 ```

-### Non-breaking changes
+## Non-breaking changes

-#### All-in-one
+### All-in-one

 If service mode (`SERVICES`/`services`) is set to `all`, gRPC communication with the authorize service will by default occur over localhost, on port `:5443`.

-## Since 0.2.0
+# Since 0.2.0

 Pomerium `v0.3.0` has no known breaking changes compared to `v0.2.0`.

-## Since 0.1.0
+# Since 0.1.0

 Pomerium `v0.2.0` has no known breaking changes compared to `v0.1.0`.

-## Since 0.0.5
+# Since 0.0.5

 This page contains the list of deprecations and important or breaking changes for pomerium `v0.1.0` compared to `v0.0.5`. Please read it carefully.

-### Semantic versioning changes
+## Semantic versioning changes

 Starting with `v0.1.0` we've changed our [releases](https://semver.org/) are versioned (`MAJOR.MINOR.PATCH+GITHASH`). Planned, monthly releases will now bump `MINOR` and any security or stability releases required prior will bump `PATCH`.

 Please note however that we are still pre `1.0.0` so breaking changes can and will happen at any release though we will do our best to document them.

-### Breaking: Policy must be valid URLs
+## Breaking: Policy must be valid URLs

 Previously, it was allowable to define a policy without a schema (e.g. `http`/`https`). Starting with version `v0.1.0` all `to` and `from` [policy] URLS must contain valid schema and host-names. For example:

@ -186,15 +186,15 @@ policy:
    allow_public_unauthenticated_access: true
 ```

-## Since 0.0.4
+# Since 0.0.4

 This page contains the list of deprecations and important or breaking changes for pomerium `v0.0.5` compared to `v0.0.4`. Please read it carefully.

-### Breaking: POLICY_FILE removed
+## Breaking: POLICY_FILE removed

 Usage of the POLICY_FILE envvar is no longer supported. Support for file based policy configuration has been shifted into the new unified config file.

-### Important: Configuration file support added
+## Important: Configuration file support added

 - Pomerium now supports an optional -config flag. This flag specifies a file from which to read all configuration options. It supports yaml, json, toml and properties formats.
 - All options which can be specified via MY_SETTING style envvars can now be specified within your configuration file as key/value. The key is generally the same as the envvar name, but lower cased. See Reference Documentation for exact names.
@ -224,11 +224,11 @@ Usage of the POLICY_FILE envvar is no longer supported. Support for file based p
      timeout: 30s
  ```

-### Authenticate Internal Service Address
+## Authenticate Internal Service Address

 The configuration variable [Authenticate Internal Service URL] must now be a valid [URL](https://golang.org/pkg/net/url/#URL) type and contain both a hostname and valid `https` schema.

-[policy]: ../configuration/readme.md#policy
 [authenticate internal service url]: ../configuration/readme.md#authenticate-service-url
 [cache service docs]: ../configuration/readme.md#cache-service
+[policy]: ../configuration/readme.md#policy
 [split service example]: ../configuration/examples.md#distinct-services