Releases: lsst-sqre/gafaelfawr

9.2.2

01 Jun 22:17
@rra rra
5aba170

Bug fixes

  • Limit the number of connections opened by the Redis connection pool, and wait for a connection to become available if all of them are in use.
  • Use the asyncio version of Redis request retrying instead of (in conflict with everything else Gafaelfawr does) the sync version.

Other changes

  • Suppress logged warnings about invalid groups if they match the pattern of COmanage internal groups (start with CO:).

What's Changed

  • Bump eslint from 8.40.0 to 8.41.0 in /ui by @dependabot in #761
  • Bump gatsby from 5.9.1 to 5.10.0 in /ui by @dependabot in #760
  • [neophile] Update dependencies by @sqrbot in #759
  • [neophile] Update dependencies by @sqrbot in #762
  • Bump react-icons from 4.8.0 to 4.9.0 in /ui by @dependabot in #766
  • Bump styled-components from 5.3.10 to 5.3.11 in /ui by @dependabot in #765
  • Bump formik from 2.2.9 to 2.4.0 in /ui by @dependabot in #764
  • Bump react-datepicker from 4.11.0 to 4.12.0 in /ui by @dependabot in #763
  • DM-39486: Hopefully fix Redis connection pooling by @rra in #767
  • DM-39486: Use PackageLoader to load templates by @rra in #768
  • DM-39486: Suppress warnings about CO: groups by @rra in #769
  • DM-39486: Prepare 6.2.2 release by @rra in #770

Full Changelog: 9.2.1...9.2.2

9.2.1

16 May 00:25
@rra rra
101a7ff

Bug fixes

  • TCP keepalive for Redis connections apparently caused problems with holding connections open that the Redis server wanted to close. The TCP keepalive setting has been removed, which appears to increase the stability of the Redis connections.
  • Connections to Redis are now retried longer (about eight seconds instead of three seconds) in the hope of surviving a Redis restart without failures.

Other changes

  • Gafaelfawr now uses the Ruff linter instead of flake8, isort, and pydocstyle.

What's Changed

Full Changelog: 9.2.0...9.2.1

9.2.0

19 Apr 23:16
@rra rra
9e52295

New features

  • Kerberos GSSAPI binds to authenticate to an LDAP server are now supported.
  • To align with other services, the Gafaelfawr log level should now be set with config.logLevel rather than config.loglevel (note the capital L). The old setting is temporarily supported for backward compatibility but will be removed in a later release.
  • Failures to deserialize or decrypt data stored in Redis are now reported to Slack if Slack alerting is enabled.
  • Redis connection errors are now retried up to five times with exponential backoff before aborting with an error (for a total delay of up to about three seconds). TCP keepalive is now set on the Redis connection.

Other changes

  • The Gafaelfawr change log is now maintained using scriv.
  • Gafaelfawr no longer adds timestamps to each of its log messages. This was a workaround for Argo CD not displaying log timestamps, which has now been fixed.
  • The documentation for running commands with tox has been updated for the new command-line syntax in tox v4. To run a local development server, use tox run -e run.
  • Model API documentation is now generated with autodoc_pydantic to include proper field documentation.

What's Changed

  • [neophile] Update dependencies by @sqrbot in #714
  • Bump prettier from 2.8.4 to 2.8.5 in /ui by @dependabot in #715
  • DM-38414: Fix error reporting when knownScopes incomplete by @rra in #716
  • Bump gatsby from 5.7.0 to 5.8.0 in /ui by @dependabot in #718
  • Bump prettier from 2.8.5 to 2.8.7 in /ui by @dependabot in #719
  • Bump eslint-config-prettier from 8.7.0 to 8.8.0 in /ui by @dependabot in #721
  • Bump react-datepicker from 4.10.0 to 4.11.0 in /ui by @dependabot in #726
  • Bump gatsby from 5.8.0 to 5.8.1 in /ui by @dependabot in #725
  • Bump eslint from 8.36.0 to 8.37.0 in /ui by @dependabot in #724
  • Bump python from 3.11.2-slim-bullseye to 3.11.3-slim-bullseye by @dependabot in #727
  • Bump eslint from 8.37.0 to 8.38.0 in /ui by @dependabot in #728
  • DM-38414: Minor documentation fixes by @rra in #729
  • [neophile] Update dependencies by @sqrbot in #717
  • DM-38414: Update GitHub Actions configuration by @rra in #730
  • DM-38414: Switch to scriv for change log management by @rra in #732
  • DM-38414: Tweak the application setup by @rra in #731
  • [neophile] Update dependencies by @sqrbot in #733
  • DM-38747: Support Kerberos GSSAPI binds to LDAP by @rra in #734
  • DM-38414: Switch to Safir 4.0.0 by @rra in #735
  • DM-38414: Use InputValidationError for more exceptions by @rra in #736
  • DM-38414: Use separate HTTPX exceptions for providers by @rra in #737
  • DM-38414: Use Redis storage layer from Safir by @rra in #738
  • DM-38414: Report Redis deserialization errors to Slack by @rra in #739
  • DM-38414: Enable Redis keepalive and retries by @rra in #740
  • DM-38414: Document the new tox command line by @rra in #741
  • DM-38414: Improve API documentation by @rra in #742
  • DM-38414: Use allowlist_externals by @rra in #743
  • DM-38414: Do not build on push with merge queues by @rra in #744
  • DM-38414: Prepare 9.2.0 release by @rra in #745

Full Changelog: 9.1.0...9.2.0

9.1.0

17 Mar 19:41
@rra rra
0a4f6b0

New features

  • Gafaelfawr now supports setting API and notebook quotas in its configuration, and calculates the quota for a given user based on their group membership. This quota information is returned by the /auth/api/v1/user-info route, but is not otherwise used by Gafaelfawr (yet).
  • Server-side failures during login, such as inability to reach the authentication provider or invalid responses from the authentication provider, are now reported to Slack if a Slack webhook is configured.
  • When using an OpenID Connect authentication provider, Gafaelfawr now supports looking up the GIDs of user groups in a ForgeRock Identity Management server (specifically, in the groups collection of the freeipa component).

Bug fixes

  • Explicitly disable caching of enrollment redirects. Some browsers appear to cache 307 redirects and redirect the user back to enrollment the next time they log in.
  • Uniformly use Cache-Control: no-cache, no-store to disable caching of errors and redirects. Previously, Gafaelfawr also added must-revalidate (but not max-age). This appears to not be necessary or useful with modern browsers.
  • Correctly expand backtraces of uncaught exceptions in Uvicorn logs.
  • Diagnose and display a proper error if the OpenID Connect token from the authentication provider contains multiple usernames.
  • Return a status code of 500 instead of 403 for server-side errors during login.
  • Errors in querying an external source of user information, such as Firestore or LDAP, are now caught in the /auth route and only logged, not reported to Slack as uncaught exceptions. The /auth route may receive multiple requests per second and should not report every error due to a possible external outage to Slack.
  • Errors in querying an external source of user information in the /auth/api/v1/user-info route are now caught, reported to Slack, and result in an orderly error message instead of an uncaught exception.
  • Set a timeout on Kubernetes watches in the Kubernetes operator to work around a Kubernetes server bug where watches of unlimited duration will sometimes go silent and stop receiving events.
  • Mark Kubernetes object parsing failures as Kopf permanent failures so that the same version of the object will not be retried. Mark Kubernetes API failures as temporary failures so that the retry schedule is configurable.

Other changes

  • Gafaelfawr now supports camel-case in its configuration file to allow using the same names for most configuration settings and Helm chart values.
  • More log messages related to retrieving user metadata, particularly those during initial login, now include the username of the user.

What's Changed

  • [neophile] Update dependencies by @sqrbot in #669
  • Bump gatsby from 5.3.3 to 5.4.2 in /ui by @dependabot in #676
  • Bump eslint-plugin-react from 7.31.11 to 7.32.1 in /ui by @dependabot in #675
  • Bump eslint from 8.31.0 to 8.32.0 in /ui by @dependabot in #674
  • Bump prettier from 2.8.2 to 2.8.3 in /ui by @dependabot in #673
  • Bump eslint-config-wesbos from 3.2.0 to 3.2.3 in /ui by @dependabot in #670
  • [neophile] Update dependencies by @sqrbot in #677
  • Bump eslint-plugin-import from 2.26.0 to 2.27.5 in /ui by @dependabot in #679
  • Bump eslint-plugin-jsx-a11y from 6.6.1 to 6.7.1 in /ui by @dependabot in #678
  • [neophile] Update dependencies by @sqrbot in #680
  • Bump gatsby from 5.4.2 to 5.5.0 in /ui by @dependabot in #684
  • Bump eslint from 8.32.0 to 8.33.0 in /ui by @dependabot in #683
  • Bump eslint-plugin-react from 7.32.1 to 7.32.2 in /ui by @dependabot in #682
  • Bump react-datepicker from 4.8.0 to 4.9.0 in /ui by @dependabot in #681
  • DM-37833: Maintenance updates by @rra in #685
  • DM-37833: Support camel-case in configuration by @rra in #686
  • [neophile] Update dependencies by @sqrbot in #687
  • Bump docker/build-push-action from 3 to 4 by @dependabot in #688
  • [neophile] Update dependencies by @sqrbot in #689
  • Bump prettier from 2.8.3 to 2.8.4 in /ui by @dependabot in #693
  • Bump gatsby from 5.5.0 to 5.6.0 in /ui by @dependabot in #692
  • Bump eslint from 8.33.0 to 8.34.0 in /ui by @dependabot in #691
  • Bump gatsby from 5.6.0 to 5.6.1 in /ui by @dependabot in #697
  • Bump python from 3.11.1-slim-bullseye to 3.11.2-slim-bullseye by @dependabot in #690
  • Bump gatsby from 5.6.1 to 5.7.0 in /ui by @dependabot in #698
  • Bump eslint from 8.34.0 to 8.35.0 in /ui by @dependabot in #699
  • DM-37833: Add basic quota support by @rra in #695
  • DM-38170: Disable caching of enrollment redirects by @rra in #700
  • [neophile] Update dependencies by @sqrbot in #701
  • Bump react-icons from 4.7.1 to 4.8.0 in /ui by @dependabot in #704
  • Bump eslint-config-prettier from 8.6.0 to 8.7.0 in /ui by @dependabot in #703
  • Bump styled-components from 5.3.6 to 5.3.8 in /ui by @dependabot in #702
  • DM-38170: Update to latest Safir and catch multiple usernames by @rra in #705
  • DM-38170: Update changelog, use Self type by @rra in #706
  • DM-37833: Add documentation for rudimentary quota support by @rra in #708
  • [neophile] Update dependencies by @sqrbot in #709
  • Bump eslint from 8.35.0 to 8.36.0 in /ui by @dependabot in #710
  • DM-38272: Improve logging and error reporting by @rra in #707
  • DM-38376: Improve Kopf configuration and error handling by @rra in #713
  • DM-38058: Add support for ForgeRock Identity Management by @rra in #712

Full Changelog: 9.0.0...9.1.0

9.0.0

09 Jan 21:49
@rra rra
9697b70

Backwards-incompatible changes

  • Gafaelfawr now takes over 403 error responses from any protected service using a Gafaelfawr-generated ingress. 403 responses generated by the service itself will be passed to the client, but the body of the response and any WWW-Authenticate headers will be lost.
  • User errors from the /auth route (not syntax errors like missing parameters) now uniformly return 403, since the NGINX auth_request module can only handle 401 and 403 responses. The actual status code is put in the X-Error-Status response header, and the JSON body (if relevant) in X-Error-Body.
  • All ingresses created by Gafaelfawr use an @autherror error page for 403 responses that is added to each NGINX server scope by Phalanx. This custom location uses the X-Error-Status and X-Error-Body headers to tell NGINX to generate the correct error response.
  • Remove the /auth/forbidden route, since a Cache-Control header is now automatically added via ingress-nginx to all errors. The config.rewrite403 parameter to GafaelfawrIngress is still supported but does nothing, since its behavior is now the default.

New features

  • Gafaelfawr now accepts tokens in either the username or password portion of HTTP Basic Auth without requiring that the other field be x-oauth-basic. If both components are tokens, they must match; if they do not, Gafaelfawr raises an error.
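As an added illustration of the Basic Auth rule above (example code written for this page, not Gafaelfawr's own implementation): the helper below decodes an Authorization header, accepts a token in either field regardless of what the other field holds, and rejects the request when both fields are tokens that disagree. It assumes, purely for the example, that a token is recognizable by a `gt-` prefix; a real service would still validate the token against its store after this syntactic check.

```python
"""Accept a token in either half of HTTP Basic Auth (added example)."""
import base64
from typing import Optional

# Assumption for this example: tokens are recognizable by a "gt-" prefix.
# A real service would also look the token up in its token store.
TOKEN_PREFIX = "gt-"


def looks_like_token(value: str) -> bool:
    """Cheap syntactic check used before any expensive validation."""
    return value.startswith(TOKEN_PREFIX) and len(value) > len(TOKEN_PREFIX)


def basic_auth_header(username: str, password: str) -> str:
    """Build a Basic Auth header value (used here to construct sample input)."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def token_from_basic_auth(header: str) -> Optional[str]:
    """Return the token carried by a Basic Auth header, or None if there is none.

    Either the username or the password may hold the token; the other field
    is ignored, so no fixed placeholder such as x-oauth-basic is required.
    If both fields look like tokens they must be identical; otherwise a
    ValueError is raised so the caller can return an authentication error.
    """
    scheme, _, credentials = header.strip().partition(" ")
    credentials = credentials.strip()
    if scheme.lower() != "basic" or not credentials:
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet;
        # binascii.Error and UnicodeDecodeError are both ValueError subclasses.
        decoded = base64.b64decode(credentials, validate=True).decode("utf-8")
    except ValueError:
        return None
    # RFC 7617: the user-id cannot contain a colon, so split on the first one.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    username_is_token = looks_like_token(username)
    password_is_token = looks_like_token(password)
    if username_is_token and password_is_token:
        if username != password:
            raise ValueError("username and password are both tokens but differ")
        return username
    if username_is_token:
        return username
    if password_is_token:
        return password
    return None
```

The mismatch case is raised rather than silently resolved so that the caller can answer with an authentication error instead of guessing which of two different credentials the client meant.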

8.0.0

16 Dec 22:57
@rra rra
332d399

Backwards-incompatible changes

  • All commands that took a --settings option to specify the path to the configuration file now take a --config-path option instead. This name is clearer and avoids introducing a separate "settings" term.
  • The default path to the Gafaelfawr configuration file is now taken from the GAFAELFAWR_CONFIG_PATH environment variable rather than GAFAELFAWR_SETTINGS_PATH, for the same reason.
  • A GafaelfawrIngress that sets config.loginRedirect to true and also sets config.authType to basic is now rejected with an error, since this combination isn't possible. Previously, the authType setting was silently ignored.

New features

  • The response from the /auth route now reflects the Authorization and Cookie headers from the incoming request with Gafaelfawr tokens and secrets filtered out. GafaelfawrIngress resources use this to filter those secrets out of the request passed to the protected service, avoiding leaking user credentials to services. Manual ingress configurations should add Authorization and Cookie to the nginx.ingress.kubernetes.io/auth-response-headers annotation to get the benefits of this filtering.
  • Add support for anonymous ingresses. If config.scopes.anonymous in a GafaelfawrIngress is set to true, no authentication or authorization will be done but Gafaelfawr will still be invoked as an auth subrequest handler solely to strip Gafaelfawr tokens and cookies from the Authorization and Cookie headers before passing the request to the protected service. This can also be configured manually using the new /auth/anonymous route.
  • Add a config.delegate.useAuthorization field in GafaelfawrIngress and a use_authorization query parameter for the /auth route that, if set, also puts any delegated token in the Authorization header, as a bearer token, in the request sent to the protected service. This allows easier integration with some software that expects tokens in standard headers rather than Gafaelfawr's custom X-Auth-Request-Token header.
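The three preceding items describe what the auth subrequest hands back for the request that is forwarded to the protected service: Authorization and Cookie with Gafaelfawr credentials stripped (also for anonymous ingresses), plus any delegated token in X-Auth-Request-Token and optionally in Authorization. The code below is an added example of that sanitization written for this page, not Gafaelfawr's own code. It assumes that Gafaelfawr tokens carry a `gt-` prefix and that the session cookie is named `gafaelfawr`; both names are assumptions of the example, and `upstream_headers`, `filter_authorization` and `filter_cookie` are hypothetical names.

```python
"""Strip credentials before a request reaches a protected service (added example)."""
import base64
from typing import Dict, Optional

# Assumptions for this example: Gafaelfawr tokens carry a "gt-" prefix and
# the session cookie is named "gafaelfawr". Other credentials are passed through.
TOKEN_PREFIX = "gt-"
SESSION_COOKIE = "gafaelfawr"


def is_gafaelfawr_token(value: str) -> bool:
    return value.startswith(TOKEN_PREFIX)


def basic_authorization(username: str, password: str) -> str:
    """Build a Basic Authorization value (used to construct sample input)."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def filter_authorization(value: str) -> Optional[str]:
    """Return the Authorization value to forward, or None to drop it entirely.

    Bearer and Basic credentials that carry a Gafaelfawr token are removed;
    credentials of any other kind belong to the service and are kept.
    """
    scheme, _, credentials = value.strip().partition(" ")
    credentials = credentials.strip()
    if scheme.lower() == "bearer":
        return None if is_gafaelfawr_token(credentials) else value
    if scheme.lower() == "basic":
        try:
            decoded = base64.b64decode(credentials, validate=True).decode("utf-8")
        except ValueError:
            return value  # not ours to interpret; let the service reject it
        username, _, password = decoded.partition(":")
        if is_gafaelfawr_token(username) or is_gafaelfawr_token(password):
            return None
    return value


def filter_cookie(value: str) -> Optional[str]:
    """Drop the Gafaelfawr session cookie, keeping every other cookie intact."""
    kept = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, _ = part.partition("=")
        if name.strip() == SESSION_COOKIE:
            continue
        kept.append(part)
    return "; ".join(kept) if kept else None


def upstream_headers(
    incoming: Dict[str, str],
    delegated_token: Optional[str] = None,
    use_authorization: bool = False,
) -> Dict[str, str]:
    """Headers the auth subrequest returns for the request sent upstream.

    Authorization and Cookie are reflected with Gafaelfawr credentials
    stripped (header names are matched case-insensitively and emitted in
    canonical form). A delegated token goes in X-Auth-Request-Token and,
    when use_authorization is set, also in Authorization as a bearer token.
    """
    result: Dict[str, str] = {}
    for name, value in incoming.items():
        if name.lower() == "authorization":
            filtered = filter_authorization(value)
            if filtered is not None:
                result["Authorization"] = filtered
        elif name.lower() == "cookie":
            filtered = filter_cookie(value)
            if filtered is not None:
                result["Cookie"] = filtered
    if delegated_token is not None:
        result["X-Auth-Request-Token"] = delegated_token
        if use_authorization:
            result["Authorization"] = f"Bearer {delegated_token}"
    return result
```

Dropping a header outright (returning None) rather than forwarding an empty value matters with ingress-nginx: an auth-response header that the subrequest does not set leaves the upstream request without that header, which is the intended outcome when the only credential present was Gafaelfawr's.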
  • Ingress resources generated from GafaelfawrIngress resources will be checked for correctness when Gafaelfawr starts, even if the GafaelfawrIngress resource has not been modified. This ensures changes to the generated Ingress due to Gafaelfawr code changes are applied to existing resources.

Bug fixes

  • If a user's login was rejected because they were not a member of any known groups, invalidate the LDAP cache for that user before returning the error. The user is likely to immediately try to fix this problem, and making them wait until the LDAP cache times out to see if the fix worked is confusing.

7.1.0

05 Dec 22:27
@rra rra
cd9c166

New features

  • Gafaelfawr now supports creating Ingress resources from GafaelfawrIngress custom resources. This provides a more convenient and simpler way of describing the Gafaelfawr configuration and shifts the tedious work of constructing the ingress-nginx annotations to Gafaelfawr, and therefore is the recommended way to create an ingress. The annotation-based configuration method may still be used (and is sometimes needed for ingresses created by third-party charts).

7.0.0

27 Oct 20:47
@rra rra
95d9260

Backwards-incompatible changes

  • Creation of Secret resources in Kubernetes from GafaelfawrServiceToken objects is now done with the Kopf framework. Sync status is now stored in Kubernetes attributes, and the status field of GafaelfawrServiceToken objects uses a different format.
  • The gafaelfawr kubernetes-controller and gafaelfawr update-service-tokens commands to manage Kubernetes Secret resources containing service tokens have been dropped.

New features

  • While the Kubernetes operator is running, all Secret objects created from GafaelfawrServiceToken objects are checked for validity every half-hour and replaced if needed.

Other changes

  • Drop types from docstrings where possible and take advantage of the new support in Sphinx for type annotations when rendering internal API documentation. This produces higher-quality output in many cases.

6.2.0

14 Oct 00:07
@rra rra
c1c4246

New features

  • Groups derived from GitHub organizations and teams can now be specified in the groupMapping configuration directly as the organization and team, rather than requiring the administrator first convert that to the internal group name used by Gafaelfawr. This can be used to make the Helm configuration easier to read. There is no change to how Gafaelfawr represents the groups internally or exposes them to applications.
  • Group names from the token from an upstream OpenID Connect provider that begin with a slash are normalized to remove the starting slash. This was needed by at least one Keycloak installation.

Bug fixes

  • Fix the tox -e run command to start a Gafaelfawr development server. This was broken in 4.0.0.

6.1.0

05 Oct 00:03
@rra rra
e82c1a6

New features

  • Add --fix flag to the gafaelfawr audit command, which attempts to fix discovered issues where possible. Only some discoverable issues have code to fix them.

Bug fixes

  • If a delegated token is requested from the /auth route, the authenticating token now must have a remaining lifetime of at least five minutes or it is treated as if it is expired. This avoids creating delegated tokens with unusably short or zero lifetimes.
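An added example of the lifetime rule above, written for this page rather than taken from Gafaelfawr: the function computes when a delegated token should expire and refuses to mint one when the authenticating token has less than five minutes left. It also assumes, as a design choice of the example rather than a statement from the release note, that a delegated token may not outlive the token it was created from. `delegated_token_expiration`, `ParentTokenExpiredError` and the fixed clock `EXAMPLE_NOW` are constructed for the example.

```python
"""Refuse to mint delegated tokens from a nearly expired parent (added example)."""
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Minimum remaining lifetime the authenticating token must have. EXAMPLE_NOW
# is a constructed fixed clock so the results below are deterministic.
MINIMUM_LIFETIME = timedelta(minutes=5)
EXAMPLE_NOW = datetime(2022, 10, 5, 0, 0, tzinfo=timezone.utc)


class ParentTokenExpiredError(Exception):
    """Raised when the authenticating token is expired or about to expire."""


def delegated_token_expiration(
    parent_expires: Optional[datetime],
    requested_lifetime: Optional[timedelta],
    now: datetime = EXAMPLE_NOW,
) -> Optional[datetime]:
    """Compute the expiration of a delegated token; None means no expiration.

    A parent token with less than MINIMUM_LIFETIME remaining is treated as
    already expired, which prevents delegated tokens with unusably short or
    zero lifetimes. Otherwise the delegated token lives for the requested
    lifetime, capped (an assumption of this example) at the parent's own
    expiration.
    """
    if parent_expires is not None:
        remaining = parent_expires - now
        if remaining < MINIMUM_LIFETIME:
            raise ParentTokenExpiredError(
                f"authenticating token expires in {remaining}; "
                f"at least {MINIMUM_LIFETIME} is required to delegate"
            )
    expirations: List[datetime] = []
    if parent_expires is not None:
        expirations.append(parent_expires)
    if requested_lifetime is not None:
        expirations.append(now + requested_lifetime)
    return min(expirations) if expirations else None
```

Comparing against a fixed threshold at delegation time, rather than only checking that the parent is unexpired, is what keeps a token created in the last seconds of a session from being handed to a downstream service that cannot use it.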

Other changes

  • The documentation has been updated and restructured to use the new Rubin user guide theme.