pomerium/CHANGELOG.md

Pomerium Changelog

vUNRELEASED

New

Changed

• GRPC Metrics Implementation [GH-218]

  • Additional GRPC server metrics and request sizes
  • Improved GRPC metrics implementation internals
  • The GRPC method label is now 'grpc_method' and GRPC status is now grpc_client_status and grpc_server_status

• GRPC version upgraded to v1.22 [GH-219]

• HTTP Metrics Implementation [GH-220]

  • Support HTTP request sizes on client and server side of proxy
  • Improved HTTP metrics implementation internals
  • The HTTP method label is now http_method, and HTTP status label is now http_status

v0.1.0

NEW

• Add programmatic authentication support. [GH-177]
• Add Prometheus format metrics endpoint. [GH-35]
• Add policy setting to enable self-signed certificate support. [GH-179]
• Add policy setting to skip tls certificate verification. [GH-179]

CHANGED

• Policy to and from settings must be set to valid HTTP URLs including schemes and hostnames (e.g. http.corp.domain.example should now be https://http.corp.domain.example).
• Proxy's sign out handler {}/.pomerium/sign_out now accepts an optional redirect_uri parameter which can be used to specify a custom redirect page, so long as it is under the same top-level domain. [GH-183]
• Policy configuration can now be empty at startup. [GH-190]
• Websocket support is now set per-route instead of globally. [GH-204]
• Golint removed from amd64 container. [GH-215]
• Pomerium will error if a session cookie is over 4096 bytes, instead of failing silently. [GH-212]

FIXED

• Fixed HEADERS environment variable parsing. [GH-188]
• Fixed Azure group lookups. [GH-190]
• If a session is too large (over 4096 bytes) Pomerium will no longer fail silently. [GH-211]
• Internal URLs like dashboard now start auth process to login a user if no session is found. [GH-205].
• When set,CookieDomain lets a user set the scope of the user session. CSRF cookies will still always be scoped at the individual route level. [GH-181]

v0.0.5

NEW

• Add ability to detect changes and reload policy configuration files. [GH-150]
• Add user dashboard containing information about the current user's session. [GH-123]
• Add functionality allowing users to initiate manual refresh of their session. This is helpful when a user's access control details are updated but their session hasn't updated yet. To prevent abuse, manual refresh is gated by a cooldown (REFRESH_COOLDOWN) which defaults to five minutes. [GH-73]
• Add Administrator (super user) account support (ADMINISTRATORS). [GH-110]
• Add feature that allows Administrators to impersonate / sign-in as another user from the user dashboard. [GH-110]
• Add docker images and builds for ARM. [GH-95]
• Add support for public, unauthenticated routes. [GH-129]

CHANGED

• Add Request ID to error pages. [GH-144]
• Refactor configuration handling to use spf13/viper bringing a variety of additional supported storage formats.[GH-115]
• Changed config AUTHENTICATE_INTERNAL_URL to be a URL containing both a valid hostname and schema. [GH-153]
• User state is now maintained and scoped at the domain level vs at the route level. [GH-128]
• Error pages contain a link to sign out from the current user session. [GH-100]
• Removed LifetimeDeadline from sessions.SessionState.
• Removed favicon specific request handling. [GH-131]
• Headers are now configurable via the HEADERS configuration variable. [GH-108]
• Refactored proxy and authenticate services to share the same session state cookie. [GH-131]
• Removed instances of extraneous session state saves. [GH-131]
• Changed default behavior when no session is found. Users are now redirected to login instead of being shown an error page.[GH-131]
• Updated routes such that all http handlers are now wrapped with a standard set of middleware. Headers, request id, loggers, and health checks middleware are now applied to all routes including 4xx and 5xx responses. [GH-116]
• Changed docker images to be built from distroless. This fixed an issue with nsswitch [GH-97], includes ca-certificates and limits the attack surface area of our images. [GH-101]
• Changed HTTP to HTTPS redirect server to be user configurable via HTTP_REDIRECT_ADDR. [GH-103]
• Content-Security-Policy hash updated to match new UI assets.

FIXED

• Fixed websocket support. [GH-151]
• Fixed an issue where policy and routes were being pre-processed incorrectly. [GH-132]
• Fixed an issue where golint was not being found in our docker image. [GH-121]

v0.0.4

CHANGED

• HTTP Strict Transport Security is included by default and set to one year. [GH-92]
• HTTP now redirects to HTTPS. [GH-92]
• Removed extraneous AUTHORIZE_INTERNAL_URL config option since authorization has no public http handlers, only a gRPC service endpoint. [GH-93]
• Removed PROXY_ROOT_DOMAIN config option which is now inferred from AUTHENTICATE_SERVICE_URL. Only callback requests originating from a URL on the same sub-domain are permitted. [GH-83]
• Removed REDIRECT_URL config option which is now inferred from AUTHENTICATE_SERVICE_URL (e.g. https://$AUTHENTICATE_SERVICE_URL/oauth2/callback). [GH-83]

FIXED

• Fixed a bug in the Google provider implementation where the refresh_token. Updated the google implementation to use the new prompt=consent oauth2 parameters. Reported and fixed by @chemhack [GH-81]

DOCUMENTATION

• Added synology tutorial. [GH-96]
• Added certificates documentation. [GH-79]

v0.0.3

FEATURES

• Authorization : The authorization module adds support for per-route access policy. In this release we support the most common forms of identity based access policy: allowed_users, allowed_groups, and allowed_domains. In future versions, the authorization module will also support context and device based authorization policy and decisions. See website documentation for more details.

• Group Support : The authenticate service now retrieves a user's group membership information during authentication and refresh. This change may require additional identity provider configuration; all of which are described in the updated docs. A brief summary of the requirements for each IdP are as follows:

  • Google requires the Admin SDK to enabled, a service account with properly delegated access, and IDP_SERVICE_ACCOUNT to be set to the base64 encoded value of the service account's key file.
  • Okta requires a groups claim to be added to both the id_token and access_token. No additional API calls are made.
  • Microsoft Azure Active Directory requires the application be given an additional API permission, Directory.Read.All.
  • Onelogin requires the groups was supplied during authentication and that groups parameter has been mapped. Group membership is validated on refresh with the user-info api endpoint.

• WebSocket Support : With Go 1.12 pomerium automatically proxies WebSocket requests.

CHANGED

• Added LOG_LEVEL config setting that allows for setting the desired minimum log level for an event to be logged. [GH-74]
• Changed POMERIUM_DEBUG config setting to just do console-pretty printing. No longer sets log level. [GH-74]
• Updated generate_wildcard_cert.sh to generate a elliptic curve 256 cert by default.
• Updated env.example to include a POLICY setting example.
• Added IDP_SERVICE_ACCOUNT to env.example .
• Removed ALLOWED_DOMAINS settings which has been replaced by POLICY. Authorization is now handled by the authorization service and is defined in the policy configuration files.
• Removed ROUTES settings which has been replaced by POLICY.
• Add refresh endpoint ${url}/.pomerium/refresh which forces a token refresh and responds with the json result.
• Group membership added to proxy headers (x-pomerium-authenticated-user-groups) and (x-pomerium-jwt-assertion).
• Default Cookie lifetime (COOKIE_EXPIRE) changed from 7 days to 14 hours ~ roughly one business day.
• Moved identity (authenticate/providers) into its own internal identity package as third party identity providers are going to authorization details (group membership, user role, etc) in addition to just authentication attributes.
• Removed circuit breaker package. Calls that were previously wrapped with a circuit breaker fall under gRPC timeouts; which are gated by relatively short timeouts.
• Session expiration times are truncated at the second.
• Removed gitlab provider. We can't support groups until this gitlab bug is fixed.
• Request context is now maintained throughout request-flow via the context package enabling timeouts, request tracing, and cancellation.

FIXED

• http.Server and httputil.NewSingleHostReverseProxy now uses pomerium's logging package instead of the standard library's built in one. [GH-58]