forked from OpenConext/Stepup-Deploy
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathCHANGELOG
333 lines (261 loc) · 13.5 KB
/
CHANGELOG
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
* Make the default locale and the available locales for the stepup applications configurable using group_vars.
See the playbook variables "default_locale" and "enabled_locales" in group_vars/all.yml. These two variables
must be added to existing environments.
* Add "lb_addresses" in group_vars/all.yml. When using a load balancer, set this variable to an array of IP addresses
of the loadbalancers. Used in nginx config and default ip(6)tables config.
Release 13.2 (hotfix)
- Hotfix for two SimpleSAMLphp vulnerabilities
- Fix Tiqr authentication from Microsoft Office 365 applications
* All Stepup components:
- Update SimpleSAMLphp with fixes for 201802-01 and 201803-01
* Stepup-tiqr
- Fix a Script error when authenticating with Tiqr from Microsoft Office 365 applications
Install:
* Deploy components:
- Stepup-Gateway 2.7.5
- Stepup-SelfService 2.7.2
- Stepup-RA 2.7.3
- Stepup-tiqr 1.1.8
Release 13.1 (hotfix)
Hotfix for matching case-insensitive identifiers
Install:
* Deploy component
- Gateway 2.7.3
Release 13
Bugfix release solving two issues:
- fix an issue with pushing institution config changes, which was broken in release 12
- fix an issue with determining an institution-specific LoA for unknown users
In addition, Kibana log retention is extended from 90 to 120 days.
Install:
* Deploy components:
- Gateway 2.7.2
- Middleware 2.6.4
- RA 2.7.1
* run manage role (for manage_keep_logs_days)
ansible-playbook site.tyml -i <inventory> -t manage -l <host>
Release 12
Add support for the SFO extension for Microsoft ADFS (https://github.com/SURFnet/ADFS-MFA-SAML2.0-Extension) to the
Setup-Gateway
* Gateway
- Add support for receiving SAML AuthnRequests using the the HTTP-POST binding
- When the ADFS specific "AuthMethod" and "Context" are present the SFO endpoint will switch to "SFO extension for ADFS"
mode:
- It adds "AuthMethod" and "Context" HTTP POST variables from the request to the response
- It returns the SAMLResponse in a HTTP POST variable "_SAMLResponse" instead of "SAMLResponse"
* Deploy
- "app" role: Added "lb_addresses" variable to specify trusted IPs for the X-Forwarded-For header. Stopped using hosts
from lb group for this purpose as the lb role is going to be removed from the playbook. If you are using the lb role
you should set "lb_addresses" variable add redeploy the app role.
Install:
* Deploy components:
- Gateway 2.7.0
* Rerun app role (for lb_addresses)
ansible-playbook site.yml -i <inventory> -t app -l <host>
Release 11
Fix for per institution LoA configuration, add GSSP though configuration, update Swiftmailer because of CVE-2016-10074,
show error when missing EPTI attribute.
* Gateway
- Fix: Update swiftmailer because of CVE-2016-10074. Exploitation requires the attacker to control the email address.
- Fix: Per IdP LoA configuration for an SP by institution ID. Institution ID's are now recognised in the loa definition of
an SP as described in https://github.com/OpenConext/Stepup-Middleware/blob/master/docs/MiddlewareConfiguration.md#service-providers
- Fix: The gateway would generate a SAML Assertion without a Subject when the Assertion from the remote IdP did not
contain a eduPersonTargetedID attribute with a NameID. Now an error is shown on the gateway when this occurs.
* Middleware, Gateway, SelfService and RA
- A new GSSP can be though configuration. The Ansible environment must be updated:
- A new parameter "stepup_enabled_generic_second_factors" was introduced
- The "stepup_enabled_factors" parameter was updated
When using the existing GSSPs "tiqr" and "biometric", the changes are minimal. The requied changes are described in
docs/add-gssf-to-stepup.md
Install:
* Deploy components:
- Middleware 2.6.0
- Gateway 2.6.0
- RA 2.7.0
- SelfService 2.7.0
Release 10
Add option to test 2nd factor in SelfService, bugfixes
* Upgrade Guzzle4 to Guzzle6
* SelfService:
- The user now has the option to test authentication with their token in the self service interface.
* Gateway:
- Fix: wrong entity added for saml:AuthenticatingAuthority
* Middleware:
- Fix: bootstrapping an identity leads to unusable identity
* Tiqr:
- Fix: no push notifications received when changing phones
- Fix: minor layout and translation issues
- Accounts are blocked after 5 authentication failures
- Improved support for browsers on mobile devices
Install:
* Deploy components:
- Middleware 2.5.0
- Gateway 2.5.0
- SelfService 2.6.2
- RA 2.6.1
- Tiqr 1.1.5
Release 9
Limit token types per institution, AuthnRequest signature validation error bug,
Mixed case schacHomeOrganization bug
* The repositories were moved from the GitHub SURFnet organization to the OpenConext organization
* Middleware:
- Fix: Error when applying an institution configuration when to institution is using a mixed case
schacHomeOrganization
- The institution configuration now requires an "allowed_second_factors" option. This option can be used
limit the available token types
* Gateway:
- Security: Use HTTPS instead of HTTP when validating a yubikey challenge at the Yubico validation service.
This makes validation more robust against attacks on the message signatures.
- Fix: Mishandeling of the URL encoding of SAML AuthnRequests causes valid signatures to be considered
invalid by the Gateway
* SelfService interface:
- The available token types that a user can select can be limited on a per institution basis
Install:
* Deploy components:
- Middleware 2.4.0
- Gateway 2.4.2
- SelfService 2.5.0
* Run database migrations
- Run "/root/01-middleware-db_migrate.sh" on an app server
Release 8
Revocation email, UI improvements
* Middleware:
- Send an email when an active second factor is revoked. Added a "second_factor_revoked" mail template to
"template/middleware/middleware-config.json.j2"
* RA interface:
- Fix: sorting the audit log fails for some fields
- Fix: no error message was shown when a user with an expired registration code was vetted
- Fix: RA's could vet users belonging to other institutions
- Added help text under the search box in the "Token Activation" screen
- Limited input in the document number field to 6 characters
- Remove text 'optional' in tokens screen
- The Manual link URL in the footer is now per language and must be set through "ra_manual_url" in
"stepup-ra.yml"
- Check the Issuer in the SAML Response. It must matches the saml_remote_idp_entity_id set in "paramters.yml"
* Selfservice interface:
- Help link URL in the footer is now per language and must be set through "ss_support_url" in
"stepup-selfservice.yml"
- Check the Issuer in the SAML Response. It must matches the saml_remote_idp_entity_id set in "paramters.yml"
Install:
* Deploy components
- Middleware 2.3.1
- Selfservice 2.3.0
- RA 2.4.0
Release 7
RA Locations, Institution configuration, Server-side session expiry
* Added per institution configuration through the middleware API of the way the RA location are shown to users in the
selfservice interface and email.
- The RAA contacts can be hidden, so only RA contacts are shown. Defaults to old behaviour (show both RA and RAA contacts)
- Instead of RA(A) contacts RA locations can be shown. When enabled the RAA of an institution can edit the list of the
RA locations through the RA interface. Defaults to old behaviour (show RA(A) contacts)
- Added an institution configuration for enabling/disabling the above two options. Configuration though the template
in <inventory>/templates/middleware/middleware-institution.json
See https://github.com/SURFnet/Stepup-Middleware/blob/2.1.0/README.md for configuration format
- The email template for 'registration_code' in middleware-config.json.j2 is replaced by 'registration_code_with_ras'
and 'registration_code_with_ra_locations'.
See https://github.com/SURFnet/Stepup-Middleware/blob/2.1.0/README.md for configuration format
* Added server side session timeouts based on absolute (since login) and relative (since last client interaction with the
server) through "app_session_max_duration" and "app_session_expiry_time" group_vars.
* RA interface changes
- Show the document number in the tokens overview in the RA interface (requires event replay)
- The time in the audit log is now shown in the timezone configured in the webbrowser instead of in UTC
* The Selfservice, RA and Gateway now set/update a HTTP cookie named "stepup_locale" with the current known preferred
locale of the user. The domain for which the cookie is set is configured through the "locale_cookie_domain" group_var.
* Various minor UI layout fixes/improvements.
* Fix: middleware:event:replay may fail with Middleware < 2.1.0.
* tiqr fixes
- solves a problem with iOS10 devices
- small layout en translation improvements
Install:
* Deploy components
- Middleware 2.1.0
- Gateway 2.2.0
- Selfservice 2.2.0
- RA 2.2.0
- tiqr 1.1.4
* Run database migrations
- Run "/root/01-middleware-db_migrate.sh" on an app server
* Replay eventlog
- Prevent changes during the replay by taken middleware offline (or take the SS and RA offline)
- Change to middleware directory (e.g. /opt/www/middleware.example.org)
- Run "php app/console middleware:event:replay --env=prod_event_replay" on an app server
The replay runs in a single database transaction. It replays all events en recreates the projections. This may take
some time depending on the number of events in the events table.
Release 6
Ansible 2, Second factor only (SFO) authentication, biometric authentication type
* Deploy now requires Ansible 2
* Set "serial: 1" in site.yml playbook, to deploy one host at a time, even when more than one host is targeted
* Add second factory only (SFO) authentication to the GW, disabled by default
* Add support for a "biometric" authentication type using GSSP
* Added vars for SFO: gateway_second_factor_only, stepup_uri_sfo_loa2, stepup_uri_sfo_loa3
* Added var for stepup cookie domain: locale_cookie_domain
* Service providers in the middleware configuration require two new configuration keys. To keep the current
behaviour add:
"second_factor_only": false,
"second_factor_only_nameid_patterns": [],
* Add translations for tiqr error messages, fix regression error in tiqr userId
Install:
* Run the app role from the site.yml playbook
* Deploy components
- Middleware 1.6.0
- Gateway 2.0.0
- SelfService 1.4.0
- RA 1.4.0
- tiqr 1.1.3
Release 5.2
Infrastucture changes: Read-only accounts for external access to middleware and gateway databases,
SMTP smarthost and disable IPv6
Security: Block HTTP Proxy header in haproxy and nginx (CVE-2016-5385)
* Optionally use SMTP smarthost on servers with app role. Configuration through sendmail_smarthost in group_vars/app.yml
* Optionally create gateway_ro and middleware_ro accounts for read only access to the gateway and middleware databases
Configuration in group_vars/dbcluser.yml though database_(gateway|middleware)_readonly_(user|password)
* Disable IPv6
Install:
* Run the dbcluster, lb and app roles from the site.yml playbook
* Deploy component
- none
Release 5.1 (hotfix)
Hotfixes for loadbalancer configuration (fixes issues with tiqr registration)
* Updated sysctl-local.conf to allow nonlocal binds
* Updated nginx.yml tasks and nginx.vhost.conf.j2 template to have nginx listen on dedicated IP addresses
Install:
* Run the lb role from the site.yml playbook
* Deploy component
- none
Release 5
Allow scripted / automated middleware configuration updates from remote
* Moved the 02-middleware-config.sh and 04-middleware-whitelist.sh scripts from root to /opt/scripts and made these scripts
executable by the stepup-deploy user. The scripts in /root/ are replaced by symlinks
The configuration (middleware-config.json and middleware-whitelist.json) is now stored in /opt/scripts
* Added app group_vars: app_deploy_user_ssh_key and app_deploy_user_ssh_from
* Updated push-mw-config.yml and push-mw-whitelist.yml playbooks to use the stepup-deploy user
* Added scrips/push-config.sh script
Install:
* Run the app role from the site.yml playbook
* Deploy component
- Middleware 1.4.0
Note: Do redeploy if 1.4.0 is already installed because of updates in the stepup-middleware that update the middleware
configuration scrips
Release 4
* Moved the PHP session dir from /var/lib/php/session/ to /var/lib/stepup/session/. The contents of the old directory can be removed
* Tighten PHP session configuration in php.ini. Use /dev/urandom for entropy, set session.cookie_secure = session.cookie_httponly = session.hash_function = 1;
* Added app_session_expiry_time and (currently unused app_session_max_duration group_vars
* Set session.cookie_domain and session.cookie_(gc_max)lifetime in fpm.ini
* Added stepup_enabled_factors group_var to control which 2nd factors are enabled
* A database schema for u2f was added. Added database_u2f_(name|user|password) group_vars
* Added /root/01-gateway-db_migrate.sh script
* A added a /etc/cron.d/curator job on manage node that runs "curator" to delete old logstash indexes. The manage_keep_logs_days group_var configures how many days of logs to keep
* Added stepup_enabled_factors group_var to control which 2nf factors are enabled in SS, RA and GW
* Update scripts from https://github.com/pmeulen/ansible-tools
* A deploy user for the gateway component was added with corresponding database_gateway_deploy_(user|password)
Install:
* Run site.yml playbook on all hosts
* Deploy components:
- Middleware 1.4.0
- Gateway 1.3.3
- SelfService 1.3.1
- RA 1.3.1
- Tiqr 1.1.0
- oath-service-php 1.0.1
* Run DB migrations
- /root/01-middleware-db_migrate.sh
- /root/01-gateway-db_migrate.sh