v0.23.0

Changelog

v0.23.0 (2023-08-24)

Full Changelog

New

• authorize: log id token claims separately from id token #4394 (@calebdoxsey)
• adds success colors for statuses in the 200 range #4314 (@nhayfield)
• config: add cookie_same_site option #4148 (@calebdoxsey)
• hpke: compress query string #4147 (@calebdoxsey)
• authenticate: add aws cognito #4137 (@wasaga)

Fixed

• autocert: suppress OCSP stapling errors #4371 (@calebdoxsey)
• config: validate log levels #4367 (@calebdoxsey)
• config: update logic for checking overlapping certificates #4216 (@calebdoxsey)
• databroker: fix fast forward #4192 (@calebdoxsey)
• databroker: sort configs #4190 (@calebdoxsey)
• envoy: set re2 limits very high #4187 (@calebdoxsey)
• fix WillHaveCertificateForServerName check to be strict match for derived cert name #4167 (@wasaga)
• envoyconfig: disable validation context when no client certificates are required #4151 (@calebdoxsey)

Dependency

• chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.27 to 1.18.32 #4436 (@dependabot[bot])
• chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.36.0 to 1.38.1 #4435 (@dependabot[bot])
• chore(deps): bump docker/setup-buildx-action from 2.8.0 to 2.9.1 #4433 (@dependabot[bot])
• chore(deps): bump actions/setup-node from 3.6.0 to 3.7.0 #4432 (@dependabot[bot])
• chore(deps): bump mikefarah/yq from 4.34.1 to 4.34.2 #4431 (@dependabot[bot])
• chore(deps): bump coverallsapp/github-action from 2.2.0 to 2.2.1 #4430 (@dependabot[bot])
• chore(deps): bump actions/setup-python from 4.6.1 to 4.7.0 #4429 (@dependabot[bot])
• chore(deps): bump node from 3801c22 to 850d8e1 #4416 (@dependabot[bot])
• chore(deps): bump github.com/minio/minio-go/v7 from 7.0.59 to 7.0.61 #4415 (@dependabot[bot])
• chore(deps): bump google.golang.org/grpc from 1.56.1 to 1.57.0 #4411 (@dependabot[bot])
• chore(deps): bump github.com/jackc/pgx/v5 from 5.4.1 to 5.4.2 #4409 (@dependabot[bot])
• chore(deps): bump github.com/go-chi/chi/v5 from 5.0.8 to 5.0.10 #4407 (@dependabot[bot])
• chore(deps): bump github.com/rs/zerolog from 1.29.1 to 1.30.0 #4406 (@dependabot[bot])
• chore(deps): bump github.com/open-policy-agent/opa from 0.54.0 to 0.55.0 #4404 (@dependabot[bot])
• chore(deps): bump google.golang.org/api from 0.130.0 to 0.134.0 #4403 (@dependabot[bot])
• chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.6 to 3.23.7 #4402 (@dependabot[bot])
• chore(deps): bump github.com/caddyserver/certmagic from 0.18.2 to 0.19.1 #4401 (@dependabot[bot])
• chore(deps): bump github.com/prometheus/procfs from 0.11.0 to 0.11.1 #4400 (@dependabot[bot])
• chore(deps): bump github.com/peterbourgon/ff/v3 from 3.3.2 to 3.4.0 #4399 (@dependabot[bot])
• dependencies: upgrade otel #4395 (@calebdoxsey)
• chore(deps): bump word-wrap from 1.2.3 to 1.2.4 in /ui #4369 (@dependabot[bot])
• chore(deps): bump semver from 6.3.0 to 6.3.1 in /ui #4350 (@dependabot[bot])
• chore(deps): bump google.golang.org/api from 0.128.0 to 0.130.0 #4348 (@dependabot[bot])
• chore(deps): bump github.com/caddyserver/certmagic from 0.18.0 to 0.18.2 #4334 (@dependabot[bot])
• chore(deps): bump github.com/minio/minio-go/v7 from 7.0.57 to 7.0.59 #4333 (@dependabot[bot])
• chore(deps): bump cloud.google.com/go/storage from 1.30.1 to 1.31.0 #4332 (@dependabot[bot])
• chore(deps): bump docker/setup-buildx-action from 2.7.0 to 2.8.0 #4330 (@dependabot[bot])
• chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 1.0.1 to 1.0.2 #4329 (@dependabot[bot])
• chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.5 to 3.23.6 #4328 (@dependabot[bot])
• chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.3 to 2.0.4 #4327 (@dependabot[bot])
• chore(deps): bump google.golang.org/protobuf from 1.30.0 to 1.31.0 #4325 (@dependabot[bot])
• chore(deps): bump github.com/jackc/pgx/v5 from 5.4.0 to 5.4.1 #4324 (@dependabot[bot])
• chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.34.1 to 1.36.0 #4323 (@dependabot[bot])
• chore(deps): bump node from 05824f7 to 3801c22 #4322 (@dependabot[bot])
• chore(deps): bump @fontsource/dm-sans from 4.5.1 to 5.0.3 in /ui #4307 (@dependabot[bot])
• chore(deps): bump react-feather from 2.0.9 to 2.0.10 in /ui #4306 (@dependabot[bot])
• chore(deps): bump markdown-to-jsx from 7.1.7 to 7.2.1 in /ui #4297 (@dependabot[bot])
• chore(deps): bump github.com/spf13/viper from 1.15.0 to 1.16.0 #4296 (@dependabot[bot])
• chore(deps): bump golang.org/x/sync from 0.2.0 to 0.3.0 #4294 (@dependabot[bot])
• chore(deps): bump github.com/jackc/pgx/v5 from 5.3.1 to 5.4.0 #4293 (@dependabot[bot])
• chore(deps): bump github.com/caddyserver/certmagic from 0.17.2 to 0.18.0 #4291 (@dependabot[bot])
• chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.34.0 to 1.34.1 #4290 (@dependabot[bot])
• chore(deps-dev): bump typescript from 4.5.5 to 5.1.3 in /ui #4289 (@dependabot[bot])
• chore(deps): bump golang.org/x/oauth2 from 0.8.0 to 0.9.0 #4287 (@dependabot[bot])
• chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.25 to 1.18.27 #4286 (@dependabot[bot])
• chore(deps): bump google.golang.org/api from 0.126.0 to 0.128.0 #4283 (@dependabot[bot])
• chore(deps-dev): bump @typescript-eslint/parser from 5.10.2 to 5.59.11 in /ui #4282 (@dependabot[bot])
• chore(deps): bump github.com/klauspost/compress from 1.16.5 to 1.16.6 #4281 (@dependabot[bot])
• chore(deps): bump github.com/minio/minio-go/v7 from 7.0.56 to 7.0.57 #4280 (@dependabot[bot])
• chore(deps): bump google.golang.org/grpc from 1.55.0 to 1.56.0 #4278 (@dependabot[bot])
• chore(deps): bump @emotion/styled from 11.6.0 to 11.11.0 in /ui #4277 (@dependabot[bot])
• chore(deps): bump github.com/prometheus/procfs from 0.10.1 to 0.11.0 #4276 (@dependabot[bot])
• chore(deps): bump docker/login-action from 2.1.0 to 2.2.0 #4274 (@dependabot[bot])
• chore(deps): bump docker/metadata-action from 4.5.0 to 4.6.0 #4273 (@dependabot[bot])
• chore(deps): bump node from f658ece to 05824f7 #4272 (@dependabot[bot])
• chore(deps): bump golang from b0f97bf to eb3f9ac #4271 (@dependabot[bot])
• chore(deps): bump github.com/prometheus/client_golang from 1.15.1 to 1.16.0 #4268 (@dependabot[bot])
• chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.2 to 2.0.3 #4267 (@dependabot[bot])
• chore(deps): bump golang.org/x/crypto from 0.9.0 to 0.10.0 #4266 (@dependabot[bot])
• chore(deps): bump docker/build-push-action from 4.0.0 to 4.1.1 #4264 (@dependabot[bot])
• chore(deps): bump docker/setup-qemu-action from 2.1.0 to 2.2.0 #4263 (@dependabot[bot])
• chore(deps): bump docker/setup-buildx-action from 2.5.0 to 2.7.0 #4262 (@dependabot[bot])
• chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.33.0 to 1.34.0 #4260 (@dependabot[bot])
• chore(deps): bump node from df5a66e to f658ece #4252 (@dependabot[bot])
• chore(deps): bump github.com/peterbourgon/ff/v3 from 3.3.1 to 3.3.2 #4248 (@dependabot[bot])
• chore(deps): bump github.com/envoyproxy/go-control-plane from 0.11.0 to 0.11.1 #4247 (@dependabot[bot])
• chore(deps): bump github.com/prometheus/common from 0.43.0 to 0.44.0 #4244 (@dependabot[bot])
• chore(deps): bump github.com/minio/minio-go/v7 from 7.0.55 to 7.0.56 #4243 (@dependabot[bot])
• chore(deps): bump docker/metadata-action from 4.4.0 to 4.5.0 #4242 (@dependabot[bot])
• chore(deps): bump coverallsapp/github-action from 2.1.2 to 2.2.0 #4241 (@dependabot[bot])
• chore(deps): bump goreleaser/goreleaser-action from 4.2.0 to 4.3.0 #4240 (@dependabot[bot])
• chore(deps): bump actions/checkout from 3.5.2 to 3.5.3 #4239 (@dependabot[bot])
• chore(deps): bump golangci/golangci-lint-action from 3.5.0 to 3.6.0 #4238 (@dependabot[bot])
• chore(deps): bump google.golang.org/api from 0.121.0 to 0.126.0 #4236 (@dependabot[bot])
• chore(deps): bump github.com/open-policy-agent/opa from 0.52.0 to 0.53.1 #4235 (@dependabot[bot])
• chore(deps): bump golang from 1.20.4-buster to 1.20.5-buster #4227 (@dependabot[bot])
• chore(deps): bump github.com/coreos/go-oidc/v3 from 3.5.0 to 3.6.0 #4226 (@dependabot[bot])
• chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.4 to 3.23.5 #4225 (@dependabot[bot])
• chore(deps): bump google.golang.org/api from 0.121.0 to 0.125.0 #4222 (@dependabot[bot])
• chore(deps): bump cloud.google.com/go/storage from 1.29.0 to 1.30.1 #4221 (@dependabot[bot])
• dependencies: pin node to lts #4218 (@wasaga)
• chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.21 to 1.18.25 #4208 (@dependabot[bot])
• chore(deps): bump golang from 4cf6dc4 to 6be6011 #4207 (@dependabot[bot])
• chore(deps): bump debian from 4291be2 to cd9b6e7 #4206 (@dependabot[bot])
• chore(deps): bump github.com/docker/docker from 24.0.1+incompatible to 24.0.2+incompatible #4205 (@dependabot[bot])
• chore(deps): bump github.com/peterbourgon/ff/v3 from 3.3.0 to 3.3.1 #4204 (@dependabot[bot])
• chore(deps): bump actions/setup-python from 4.6.0 to 4.6.1 #4203 (@dependabot[bot])
• chore(deps): bump github.com/minio/minio-go/v7 from 7.0.52 to 7.0.55 #4202 (@dependabot[bot])
• chore(deps): bump mikefarah/yq from 4.33.3 to 4.34.1 #4201 (@dependabot[bot])
• chore(deps): bump github.com/stretchr/testify from 1.8.2 to 1.8.3 #4200 (@dependabot[bot])
• chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 1.0.0 to 1.0.1 #4185 (@dependabot[bot])
• chore(deps): bump github.com/mholt/acmez from 1.1.0 to 1.1.1 #4184 (@dependabot[bot])
• chore(deps): bump github.com/docker/docker from 23.0.6+incompatible to 24.0.1+incompatible #4183 (@dependabot[bot])
• chore(deps): bump golang.org/x/crypto from 0.8.0 to 0.9.0 #4182 (@dependabot[bot])
• chore(deps): bump github.com/rs/cors from 1.8.3 to 1.9.0 #4179 (@dependabot[bot])
• chore(deps): bump golang.org/x/oauth2 from 0.7.0 to 0.8.0 #4178 (@dependabot[bot])
• chore(deps): bump github.com/klauspost/compress from 1.16.0 to 1.16.5 #4177 (@dependabot[bot])
• chore(deps): bump actions/setup-go from 4.0.0 to 4.0.1 #4176 (@dependabot[bot])
• chore(deps): bump google-github-actions/setup-gcloud from 1.1.0 to 1.1.1 #4175 (@dependabot[bot])
• chore(deps): bump golang.org/x/net from 0.9.0 to 0.10.0 #4174 (@dependabot[bot])
• chore(deps): bump google-github-actions/auth from 1.1.0 to 1.1.1 #4173 (@dependabot[bot])
• chore(deps): bump github.com/prometheus/common from 0.42.0 to 0.43.0 #4172 (@dependabot[bot])
• chore(deps): bump github.com/docker/distribution from 2.8.1+incompatible to 2.8.2+incompatible #4170 (@dependabot[bot])
• chore(deps): bump google.golang.org/grpc from 1.54.0 to 1.55.0 #4166 (@dependabot[bot])
• chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.3 to 3.23.4 #4165 (@dependabot[bot])
• chore(deps): bump github.com/docker/docker from 23.0.5+incompatible to 23.0.6+incompatible #4164 (@dependabot[bot])
• chore(deps): bump golang.org/x/sync from 0.1.0 to 0.2.0 #4163 (@dependabot[bot])
• chore(deps): bump github.com/prometheus/client_model from 0.3.0 to 0.4.0 #4162 (@dependabot[bot])
• chore(deps): bump golang from 1.20.3-buster to 1.20.4-buster #4161 (@dependabot[bot])
• chore(deps): bump debian from 1fbdbcf to 4291be2 #4160 (@dependabot[bot])
• chore(deps): bump google.golang.org/api from 0.120.0 to 0.121.0 #4159 (@dependabot[bot])
• chore(deps): bump github.com/cloudflare/circl from 1.3.2 to 1.3.3 #4158 (@dependabot[bot])
• chore(deps): bump github.com/prometheus/client_golang from 1.15.0 to 1.15.1 #4157 (@dependabot[bot])
• chore(deps): bump github.com/cenkalti/backoff/v4 from 4.2.0 to 4.2.1 #4156 (@dependabot[bot])
• chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.10.1 to 1.0.0 #4155 (@dependabot[bot])
• chore(deps): bump docker/setup-buildx-action from 2.4.1 to 2.5.0 #4154 (@dependabot[bot])
• chore(deps): bump actions/checkout from 3.5.0 to 3.5.2 #4153 (@dependabot[bot])
• chore(deps): bump google.golang.org/api from 0.118.0 to 0.120.0 #4143 (@dependabot[bot])
• chore(deps): bump github.com/open-policy-agent/opa from 0.51.0 to 0.52.0 #4142 (@dependabot[bot])
• chore(deps): bump github.com/docker/docker from 23.0.3+incompatible to 23.0.5+incompatible #4141 (@dependabot[bot])
• chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.31.2 to 1.33.0 #4139 (@dependabot[bot])

Changed

• config: validate cookie_secure option #4484 (@kenjenkins)
• authorize: check CRLs only for leaf certificates #4480 (@kenjenkins)
• storage: add indexes for postgres #4479 (@calebdoxsey)
• add integration test for https IP address route #4476 (@kenjenkins)
• add integration test for Pomerium JWT #4472 (@kenjenkins)
• authorize: remove incorrect "valid-client-certificate" reason #4470 (@kenjenkins)
• envoy: check for nil ssl() in client cert script #4466 (@kenjenkins)
• config: add decode hook for the SANMatcher type #4464 (@kenjenkins)
• config: deprecate tls_downstream_client_ca #4461 (@kenjenkins)
• upgrade main #4457 (@wasaga)
• authorize: rework token substitution in headers #4456 (@kenjenkins)
• cryptutil: update CRL parsing #4454 (@kenjenkins)
• config: support client certificate SAN match #4453 (@kenjenkins)
• authorize: allow client certificate intermediates #4451 (@kenjenkins)
• config: support arbitrary nested config structs #4440 (@kenjenkins)
• authorize: implement client certificate CRL check #4439 (@kenjenkins)
• authorize: do not rely on Envoy client cert validation #4438 (@kenjenkins)
• autocert: use new OCSP error type #4437 (@kenjenkins)
• authorize: add support for logging id token #4392 (@calebdoxsey)
• logs: add ip address to access logs #4391 (@calebdoxsey)
• authorize: fix policy numbers in evaluator test #4387 (@kenjenkins)
• add integration test for client_crl setting #4384 (@kenjenkins)
• envoy: configure upstream IP SAN match as needed #4380 (@kenjenkins)
• authorize: remove a nolint directive #4375 (@kenjenkins)
• authorize: incorporate mTLS validation from Envoy #4374 (@kenjenkins)
• envoy: add a filter to store client cert info #4372 (@kenjenkins)
• envoy: separate gRPC listener configuration #4365 (@kenjenkins)
• stub out HPKE public key fetch for self-hosted authenticate #4360 (@kenjenkins)
• replace docker publish action ::set-output usage #4359 (@kenjenkins)
• chore: unnecessary use of fmt.Sprintf #4349 (@testwill)
• authorize: do not redirect if invalid client cert #4344 (@kenjenkins)
• authorize: remove JWT timestamp format workaround #4321 (@kenjenkins)
• organize go.mod #4320 (@kenjenkins)
• authenticate: remove extraneous error log #4319 (@kenjenkins)
• add JWT timestamp formatting workaround #4270 (@kenjenkins)
• ci: updates #4269 (@calebdoxsey)
• dependabot: improvements #4261 (@calebdoxsey)
• pin to a debian:latest image for casource base image #4250 (@kenjenkins)
• add downstream mTLS integration test cases (main) #4234 (@kenjenkins)
• config: simplify default set response headers #4196 (@calebdoxsey)
• improve certificate matching performance #4186 (@calebdoxsey)
• fix lint warning in pkg/envoy #4181 (@kenjenkins)
• Update README.md #4146 (@desimone)
• Update SECURITY.md #4144 (@desimone)