Releases: majewsky/portunus
Releases · majewsky/portunus
v2.1.1
v2.1.0
New features:
- The configuration variables
PORTUNUS_GROUP_NAME_REGEXandPORTUNUS_USER_NAME_REGEXhave been added to expand the
range of supported user and group names. If non-default name regexes are configured, Portunus will still enforce the
POSIX account name regex for POSIX users and POSIX groups. Also, names with characters that have special meaning in
LDAP DNs will always be rejected, regardless of what is configured. This protects against syntax injection attacks
similar to SQL injections.
Changes:
- The size of the orchestrator binary that runs with root privileges has been reduced by about 10-15% by replacing
usages of a regex engine with explicit string parsers. - Binaries can now be installed with
go installifmakeis not available for some reason.
v2.0.0
Backwards-incompatible changes:
- Portunus now links libcrypt and requires several features that are specific to libxcrypt. Most Linux distributions already use libxcrypt as their libcrypt in order to support non-ancient password hashes, so this requirement should hopefully not be too painful for Linux users. Note that Portunus must use the same libcrypt as its
slapd, otherwise both parties might disagree on how password hashes work.
New features:
- With the move to libxcrypt, Portunus supports all the same strong password hashes that libxcrypt supports (such as bcrypt and yescrypt).
- Existing user accounts with weak password hashes in your Portunus database will continue to work. After the upgrade, instruct all your users to log into the Portunus UI once. Upon successful login, Portunus will transparently upgrade their stored password hashes to a stronger hash method. To enumerate users that have not been upgraded to a stronger hash method yet, use this command:
jq -r '.users[] | select(.password | match("^\\{CRYPT\\}\\$5\\$")) | "\(.login_name) <\(.email)>"' < /var/lib/portunus/database.json
- While creating or updating a group, memberships can be adjusted (without needing to edit the individual users).
Changes:
- The core business logic was completely rewritten into a more modular design suitable for unit tests. Tests have been added to cover the logic core, including seeding and validation, the LDAP handling as well as the disk store handling. The only major gap in the automated test coverage is the UI, which is still being tested manually for the time being. At least one bug was discovered and fixed by the new test suite, and more bugs may have been fixed by accident during the rewrite. :)
v2.0.0-beta.1
v2.0.0-beta.1
This tag was signed with the committer’s verified signature.
majewsky
Stefan Majewsky
Backwards-incompatible changes:
- Portunus now links libcrypt and requires several features that are specific to libxcrypt. Most Linux distributions already use libxcrypt as their libcrypt in order to support non-ancient password hashes, so this requirement should hopefully not be too painful for Linux users. Note that Portunus must use the same libcrypt as its
slapd, otherwise both parties might disagree on how password hashes work.
New features:
- With the move to libxcrypt, Portunus supports all the same strong password hashes that libxcrypt supports (such as bcrypt and yescrypt).
- Existing user accounts with weak password hashes in your Portunus database will continue to work. After the upgrade, instruct all your users to log into the Portunus UI once. Upon successful login, Portunus will transparently upgrade their stored password hashes to a stronger hash method. To enumerate users that have not been upgraded to a stronger hash method yet, use this command:
jq -r '.users[] | select(.password | match("^\\{CRYPT\\}\\$5\\$")) | "\(.login_name) <\(.email)>"' < /var/lib/portunus/database.json
- While creating or updating a group, memberships can be adjusted (without needing to edit the individual users).
Changes:
- The core business logic was completely rewritten into a more modular design suitable for unit tests. Tests have been added to cover the logic core, including seeding and validation, the LDAP handling as well as the disk store handling. The only major gap in the automated test coverage is the UI, which is still being tested manually for the time being. At least one bug was discovered and fixed by the new test suite, and more bugs may have been fixed by accident during the rewrite. :)
v1.1.0
v1.1.0-beta.2
v1.1.0-beta.2
This tag was signed with the committer’s verified signature.
majewsky
Stefan Majewsky
New features:
- The login form now also accepts the user's e-mail address instead of their login name.
v1.1.0-beta.1
v1.1.0-beta.1
This tag was signed with the committer’s verified signature.
majewsky
Stefan Majewsky
New features:
- Add "sshPublicKey" attribute. This attribute can also be maintained by users via self-service.
- Add seeding to support statically-configured users and groups.
Changes:
- Update all Go library dependencies.
- Modernize build system to fully use Go modules. The go-bindata dependency has been removed.
v1.0.0
v1.0.0-beta.5
v1.0.0-beta.5
This tag was signed with the committer’s verified signature.
majewsky
Stefan Majewsky
New features:
- Add optional email address field to user accounts.
- Export email address to LDAP as
emailattribute.
v1.0.0-beta.4
v1.0.0-beta.4
This tag was signed with the committer’s verified signature.
majewsky
Stefan Majewsky
New features:
- Add LDAPS support.