Releases: pomerium/pomerium
v0.2.1
SECURITY
- Includes the Go 1.12.8 security fixes for CVE-2019-9512, CVE-2019-9514 and CVE-2019-14809.
v0.2.0
New
- Telemetry [GH-35]
  - Tracing [GH-230], also known as distributed tracing, provides insight into the full lifecycle of a request through the system (its trace), allowing you to pinpoint failures and performance issues.
  - Metrics provide quantitative information about processes running inside the system, including counters, gauges, and histograms.
    - Add informational metrics. [GH-227]
    - GRPC Metrics Implementation. [GH-218]
      - Additional GRPC server metrics and request sizes
      - Improved GRPC metrics implementation internals
      - The GRPC method label is now `grpc_method`, and GRPC status is now `grpc_client_status` and `grpc_server_status`
    - HTTP Metrics Implementation. [GH-220]
      - Support HTTP request sizes on client and server side of proxy
      - Improved HTTP metrics implementation internals
      - The HTTP method label is now `http_method`, and the HTTP status label is now `http_status`
Changed
- GRPC version upgraded to v1.22 [GH-219]
- Add support for large cookie sessions by chunking. [GH-211]
- Prefer curve X25519 to P256 for TLS connections. [GH-233]
- Pomerium and its services will gracefully shutdown on interrupt signal. [GH-230]
- Google now prompts the user to select a user account (by adding `select_account` to the sign-in URL). This allows a user who has multiple accounts at the authorization server to choose among the accounts for which they may have current sessions.
FIXED
- Fixed potential race condition when signing requests. [GH-240]
v0.1.0
PLEASE REVIEW THE UPGRADE GUIDE BEFORE UPDATING!
NEW
- Add programmatic authentication support. [GH-177]
- Add Prometheus format metrics endpoint. [GH-35]
- Add policy setting to enable self-signed certificate support. [GH-179]
- Add policy setting to skip tls certificate verification. [GH-179]
CHANGED
- Policy `to` and `from` settings must be set to valid HTTP URLs including schemes and hostnames (e.g. `http.corp.domain.example` should now be `https://http.corp.domain.example`).
- Proxy's sign out handler `{}/.pomerium/sign_out` now accepts an optional `redirect_uri` parameter which can be used to specify a custom redirect page, so long as it is under the same top-level domain. [GH-183]
- Policy configuration can now be empty at startup. [GH-190]
- Websocket support is now set per-route instead of globally. [GH-204]
- Pomerium will error if a session cookie is over 4096 bytes, instead of failing silently. [GH-212]
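Two of the changes above are input-validation rules: policy `to`/`from` values must be absolute HTTP(S) URLs, and a sign-out `redirect_uri` is honoured only under the same top-level domain (otherwise the sign-out handler becomes an open redirect). The following Go program is an added example written for these notes, not pomerium's own code; the "same top-level domain" check is implemented here as "host equals, or is a subdomain of, a configured root domain", which is this example's reading of the rule, and `corp.example` and the sample URLs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ValidatePolicyURL applies the v0.1.0 rule that a policy `from`/`to` value
// must be an absolute HTTP(S) URL carrying both a scheme and a hostname.
// A bare host such as "http.corp.domain.example" parses as a relative path
// (no scheme, no host) and is therefore rejected.
func ValidatePolicyURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("policy url %q: %w", raw, err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("policy url %q: scheme must be http or https, got %q", raw, u.Scheme)
	}
	if u.Hostname() == "" {
		return nil, fmt.Errorf("policy url %q: missing hostname", raw)
	}
	return u, nil
}

// ValidateRedirectURI accepts a sign-out redirect_uri only when it is a valid
// policy-style URL whose host is rootDomain itself or a subdomain of it.
// Hypothetical helper: the release notes state the "same top-level domain"
// rule, not how pomerium implements it. Matching on "." + rootDomain (rather
// than a bare suffix) keeps "evilcorp.example" from satisfying "corp.example".
func ValidateRedirectURI(raw, rootDomain string) error {
	u, err := ValidatePolicyURL(raw)
	if err != nil {
		return err
	}
	host := strings.ToLower(u.Hostname())
	root := strings.ToLower(strings.TrimPrefix(rootDomain, "."))
	if root == "" {
		return errors.New("redirect_uri: no root domain configured")
	}
	if host == root || strings.HasSuffix(host, "."+root) {
		return nil
	}
	return fmt.Errorf("redirect_uri %q: host %q is not under %q", raw, host, root)
}

func main() {
	// Constructed sample inputs.
	for _, raw := range []string{"http.corp.domain.example", "https://http.corp.domain.example"} {
		_, err := ValidatePolicyURL(raw)
		fmt.Printf("policy %-35s -> %v\n", raw, err)
	}
	for _, raw := range []string{
		"https://app.corp.example/logged-out", // ok: subdomain of corp.example
		"https://evilcorp.example/",          // rejected: suffix trick
		"//evil.example/",                    // rejected: scheme-relative, no scheme
		"https://corp.example.evil.net/",     // rejected: not under the root
	} {
		fmt.Printf("redirect %-36s -> %v\n", raw, ValidateRedirectURI(raw, "corp.example"))
	}
}
```

The scheme check also turns away `javascript:` and scheme-relative (`//host/`) targets, which is why the redirect validation reuses the policy URL rule instead of only comparing hostnames.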
FIXED
- Fixed HEADERS environment variable parsing. [GH-188]
- Fixed Azure group lookups. [GH-190]
- If a session is too large (over 4096 bytes) Pomerium will no longer fail silently. [GH-211]
- Internal URLs like the dashboard now start the auth process to log in a user if no session is found. [GH-205]
- When set, `CookieDomain` lets a user set the scope of the user session. CSRF cookies will still always be scoped at the individual route level. [GH-181]
v0.0.5
PLEASE REVIEW THE UPGRADE GUIDE BEFORE UPDATING!
NEW
- Add ability to detect changes and reload policy configuration files. [GH-150]
- Add user dashboard containing information about the current user's session. [GH-123]
- Add functionality allowing users to initiate manual refresh of their session. This is helpful when a user's access control details are updated but their session hasn't updated yet. To prevent abuse, manual refresh is gated by a cooldown (`REFRESH_COOLDOWN`) which defaults to five minutes. [GH-73]
- Add Administrator (super user) account support (`ADMINISTRATORS`). [GH-110]
- Add feature that allows Administrators to impersonate / sign-in as another user from the user dashboard. [GH-110]
- Add docker images and builds for ARM. [GH-95]
- Add support for public, unauthenticated routes. [GH-129]
CHANGED
- Add Request ID to error pages. [GH-144]
- Refactor configuration handling to use spf13/viper, bringing a variety of additional supported storage formats. [GH-115]
- Changed config `AUTHENTICATE_INTERNAL_URL` to be a URL containing both a valid hostname and scheme. [GH-153]
- User state is now maintained and scoped at the domain level vs at the route level. [GH-128]
- Error pages contain a link to sign out from the current user session. [GH-100]
- Removed `LifetimeDeadline` from `sessions.SessionState`.
- Removed favicon specific request handling. [GH-131]
- Headers are now configurable via the `HEADERS` configuration variable. [GH-108]
- Refactored proxy and authenticate services to share the same session state cookie. [GH-131]
- Removed instances of extraneous session state saves. [GH-131]
- Changed default behavior when no session is found. Users are now redirected to login instead of being shown an error page. [GH-131]
- Updated routes such that all http handlers are now wrapped with a standard set of middleware. Headers, request id, loggers, and health checks middleware are now applied to all routes including 4xx and 5xx responses. [GH-116]
- Changed docker images to be built from distroless. This fixed an issue with `nsswitch` [GH-97], includes `ca-certificates` and limits the attack surface area of our images. [GH-101]
- Changed HTTP to HTTPS redirect server to be user configurable via `HTTP_REDIRECT_ADDR`. [GH-103]
- `Content-Security-Policy` hash updated to match new UI assets.
FIXED
- Fixed websocket support. [GH-151]
- Fixed an issue where policy and routes were being pre-processed incorrectly. [GH-132]
- Fixed an issue where `golint` was not being found in our docker image. [GH-121]
Since 0.0.4
This page contains the list of deprecations and important or breaking changes for pomerium v0.0.4 compared to v0.0.5. Please read it carefully.
Breaking: POLICY_FILE removed
Usage of the `POLICY_FILE` envvar is no longer supported. Support for file based policy configuration has been shifted into the new unified config file.
Important: Configuration file support added
- Pomerium now supports an optional `-config` flag. This flag specifies a file from which to read all configuration options. It supports yaml, json, toml and properties formats.
- All options which can be specified via `MY_SETTING` style envvars can now be specified within your configuration file as key/value. The key is generally the same as the envvar name, but lower cased. See Reference Documentation for exact names.
- Options precedence is: environment variables > configuration file > defaults.
- The options file supports a `policy` key, which contains policy in the same format as `POLICY_FILE`. To convert an existing policy.yaml into a config.yaml, just move your policy under a `policy` key.

Old:

```yaml
- from: httpbin.corp.beyondperimeter.com
  to: http://httpbin
  allowed_domains:
    - pomerium.io
  cors_allow_preflight: true
  timeout: 30s
```

New:

```yaml
policy:
  - from: httpbin.corp.beyondperimeter.com
    to: http://httpbin
    allowed_domains:
      - pomerium.io
    cors_allow_preflight: true
    timeout: 30s
```
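The precedence rule and the `policy` key are easy to get wrong when migrating (an envvar left over in a systemd unit silently overrides the file). The Go program below is an added example, not pomerium's loader: it reads a constructed config in JSON (one of the formats the `-config` flag accepts), separates the `policy` list from the scalar options, and resolves each option as envvar, then file, then default, deriving the envvar name by upper-casing the key as the notes describe. The `Policy` struct, `LoadConfig`, `Resolve` and the default values are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// sampleConfig is a constructed config file in JSON. Keys are the lower-cased
// envvar names; "policy" holds the same list that POLICY_FILE used to hold.
const sampleConfig = `{
  "cookie_expire": "14h",
  "policy": [
    {
      "from": "httpbin.corp.beyondperimeter.com",
      "to": "http://httpbin",
      "allowed_domains": ["pomerium.io"],
      "cors_allow_preflight": true,
      "timeout": "30s"
    }
  ]
}`

// Policy mirrors one entry of the policy list. Field names follow the keys on
// the page; the struct itself is this example's, not pomerium's.
type Policy struct {
	From               string   `json:"from"`
	To                 string   `json:"to"`
	AllowedDomains     []string `json:"allowed_domains"`
	CORSAllowPreflight bool     `json:"cors_allow_preflight"`
	Timeout            string   `json:"timeout"`
}

// LoadConfig splits a config document into its scalar options (as strings)
// and its policy list.
func LoadConfig(data []byte) (map[string]string, []Policy, error) {
	var raw map[string]json.RawMessage
	if err := json.Unmarshal(data, &raw); err != nil {
		return nil, nil, err
	}
	options := map[string]string{}
	var policy []Policy
	for key, value := range raw {
		if key == "policy" {
			if err := json.Unmarshal(value, &policy); err != nil {
				return nil, nil, fmt.Errorf("policy: %w", err)
			}
			continue
		}
		var s string
		if err := json.Unmarshal(value, &s); err != nil {
			s = string(value) // numbers and booleans keep their literal text
		}
		options[key] = s
	}
	return options, policy, nil
}

// Resolve applies the documented precedence: environment variable, then the
// configuration file, then the built-in default. The envvar name is the
// upper-cased config key (cookie_expire -> COOKIE_EXPIRE).
func Resolve(key string, env, file, defaults map[string]string) string {
	if v, ok := env[strings.ToUpper(key)]; ok && v != "" {
		return v
	}
	if v, ok := file[key]; ok {
		return v
	}
	return defaults[key]
}

// EnvMap turns the process environment into the map Resolve expects.
func EnvMap() map[string]string {
	env := map[string]string{}
	for _, kv := range os.Environ() {
		if i := strings.IndexByte(kv, '='); i > 0 {
			env[kv[:i]] = kv[i+1:]
		}
	}
	return env
}

func main() {
	file, policy, err := LoadConfig([]byte(sampleConfig))
	if err != nil {
		panic(err)
	}
	// Constructed defaults for the demonstration; not pomerium's actual values.
	defaults := map[string]string{"cookie_expire": "168h", "log_level": "info"}
	for _, key := range []string{"cookie_expire", "log_level"} {
		fmt.Printf("%s = %s\n", key, Resolve(key, EnvMap(), file, defaults))
	}
	fmt.Printf("%d policy route(s); first routes %s -> %s\n", len(policy), policy[0].From, policy[0].To)
}
```

Run it once with `COOKIE_EXPIRE=1h` exported and once without to see the envvar win over the file value `14h`; `log_level`, absent from both, falls through to the default.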
Authenticate Internal Service Address
The configuration variable Authenticate Internal Service URL must now be a valid URL type and contain both a hostname and a valid https scheme.
v0.0.4
CHANGED
- HTTP Strict Transport Security is included by default and set to one year. [GH-92]
- HTTP now redirects to HTTPS. [GH-92]
- Removed extraneous `AUTHORIZE_INTERNAL_URL` config option since authorization has no public http handlers, only a gRPC service endpoint. [GH-93]
- Removed `PROXY_ROOT_DOMAIN` config option which is now inferred from `AUTHENTICATE_SERVICE_URL`. Only callback requests originating from a URL on the same sub-domain are permitted. [GH-83]
- Removed `REDIRECT_URL` config option which is now inferred from `AUTHENTICATE_SERVICE_URL` (e.g. `https://$AUTHENTICATE_SERVICE_URL/oauth2/callback`). [GH-83]
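The two defaults at the top of this list, HSTS with a one-year max-age and an HTTP listener that only redirects to HTTPS, are small enough to show in full. The Go program below is an added example, not pomerium's implementation: a middleware that stamps `Strict-Transport-Security` on every response (including error responses) and a redirect handler that rebuilds the request as its https equivalent, dropping an explicit `:80` so it does not leak into the https URL. The ports and certificate paths in `main` are placeholders.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"time"
)

// HSTSMaxAge is one year in seconds, the default the v0.0.4 notes describe.
const HSTSMaxAge = int(365 * 24 * time.Hour / time.Second)

// WithHSTS wraps a handler so every response, 4xx and 5xx included, carries a
// Strict-Transport-Security header. The middleware shape is this example's own.
func WithHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", fmt.Sprintf("max-age=%d", HSTSMaxAge))
		next.ServeHTTP(w, r)
	})
}

// HTTPSTarget rebuilds a plain-HTTP request URL as its https equivalent. Any
// explicit port is dropped so "host:80" becomes "https://host/...".
func HTTPSTarget(r *http.Request) string {
	host := r.Host
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	u := url.URL{Scheme: "https", Host: host, Path: r.URL.Path, RawQuery: r.URL.RawQuery}
	return u.String()
}

// RedirectToHTTPS is the only handler the plain-HTTP listener serves:
// a 301 to HTTPSTarget, so nothing is ever answered in clear text.
func RedirectToHTTPS() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, HTTPSTarget(r), http.StatusMovedPermanently)
	})
}

func main() {
	app := WithHSTS(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "hello over TLS")
	}))
	// Hypothetical listen addresses and placeholder certificate paths.
	go func() { _ = http.ListenAndServe(":8080", RedirectToHTTPS()) }()
	if err := http.ListenAndServeTLS(":8443", "cert.pem", "key.pem", app); err != nil {
		fmt.Println(err)
	}
}
```

Because HSTS is only honoured by browsers when received over TLS, the header is set on the TLS handler and not on the redirect responses.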
FIXED
- Fixed a bug in the Google provider implementation where the `refresh_token`. Updated the google implementation to use the new `prompt=consent` oauth2 parameters. Reported and fixed by @chemhack [GH-81]
DOCUMENTATION
- Added synology tutorial. [GH-96]
- Added certificates documentation. [GH-79]
v0.0.3
FEATURES:
- Authorization: The authorization module adds support for per-route access policy. In this release we support the most common forms of identity based access policy: `allowed_users`, `allowed_groups`, and `allowed_domains`. In future versions, the authorization module will also support context and device based authorization policy and decisions. See website documentation for more details.
- Group Support: The authenticate service now retrieves a user's group membership information during authentication and refresh. This change may require additional identity provider configuration, all of which is described in the updated docs. A brief summary of the requirements for each IdP is as follows:
  - Google requires the Admin SDK to be enabled, a service account with properly delegated access, and `IDP_SERVICE_ACCOUNT` to be set to the base64 encoded value of the service account's key file.
  - Okta requires a `groups` claim to be added to both the `id_token` and `access_token`. No additional API calls are made.
  - Microsoft Azure Active Directory requires the application be given an additional API permission, `Directory.Read.All`.
  - Onelogin requires that groups were supplied during authentication and that the groups parameter has been mapped. Group membership is validated on refresh with the user-info API endpoint.
- WebSocket Support: With Go 1.12 pomerium automatically proxies WebSocket requests.
CHANGED:
- Add `LOG_LEVEL` config setting that allows for setting the desired minimum log level for an event to be logged. [GH-74]
- Changed `POMERIUM_DEBUG` config setting to just do console-pretty printing. No longer sets log level. [GH-74]
- Updated `generate_wildcard_cert.sh` to generate an elliptic curve 256 cert by default.
- Updated `env.example` to include a `POLICY` setting example.
- Added `IDP_SERVICE_ACCOUNT` to `env.example`.
- Removed `PROXY_ROOT_DOMAIN` settings which has been replaced by `POLICY`.
- Removed `ALLOWED_DOMAINS` settings which has been replaced by `POLICY`. Authorization is now handled by the authorization service and is defined in the policy configuration files.
- Removed `ROUTES` settings which has been replaced by `POLICY`.
- Add refresh endpoint `${url}/.pomerium/refresh` which forces a token refresh and responds with the json result.
- Group membership added to proxy headers (`x-pomerium-authenticated-user-groups`) and (`x-pomerium-jwt-assertion`).
- Default Cookie lifetime (`COOKIE_EXPIRE`) changed from 7 days to 14 hours, roughly one business day.
- Moved identity (`authenticate/providers`) into its own internal identity package, as third party identity providers are going to provide authorization details (group membership, user role, etc) in addition to just authentication attributes.
- Removed circuit breaker package. Calls that were previously wrapped with a circuit breaker fall under gRPC timeouts, which are gated by relatively short timeouts.
- Session expiration times are truncated at the second.
- Removed gitlab provider. We can't support groups until this gitlab bug is fixed.
- Request context is now maintained throughout request-flow via the context package enabling timeouts, request tracing, and cancellation.
FIXED:
- `http.Server` and `httputil.NewSingleHostReverseProxy` now use pomerium's logging package instead of the standard library's built-in one. [GH-58]