Releases: lsst-sqre/gafaelfawr

10.1.0

Released 16 Mar 01:03 by @rra (tag 10.1.0, commit 94840ee)

New features

  • Add a health check internal route, /health, which is available only inside the Kubernetes cluster. Check that the database, Redis, and (if configured) LDAP and Firestore connections are all working. Use that as a liveness check so that Kubernetes will restart Gafaelfawr if any of those connection pools are no longer working.
  • Add a health check for the Kubernetes operator that tests the Kopf infrastructure as well as the database and Redis connections. Use that as a liveness check to restart the operator if the health check starts failing.

Bug fixes

  • Ensure that only one Gafaelfawr operator pod is running at a time.
  • Add Kubernetes resource requests and limits for the Cloud SQL Auth Proxy sidecar container.

What's Changed

  • DM-42627: Add more pointers to the Phalanx documentation by @rra in #977
  • Fix construction of the Chronograf OIDC URL by @rra in #978
  • Bump date-fns from 3.3.1 to 3.4.0 in /ui by @dependabot in #981
  • Bump eslint from 8.56.0 to 8.57.0 in /ui by @dependabot in #975
  • Bump react-datepicker from 6.1.0 to 6.3.0 in /ui by @dependabot in #982
  • Bump eslint-plugin-react from 7.33.2 to 7.34.0 in /ui by @dependabot in #980
  • DM-43288: Add a health check endpoint by @rra in #984
  • DM-43288: Add Kopf health check by @rra in #985
  • DM-43288: Use user info service for health check by @rra in #986
  • DM-43288: Update dependencies by @rra in #987
  • DM-43288: Fix Kopf health check by @rra in #988
  • DM-43288: Don't check LDAP and Firestore from Kopf by @rra in #989
  • DM-43288: Prepare 10.1.0 release by @rra in #990

Full Changelog: 10.0.1...10.1.0

10.0.1

Released 22 Feb 21:57 by @rra (tag 10.0.1, commit c501f28)

Bug fixes

  • Fix check for current database schema when starting the web application.

What's Changed

  • DM-42384: Fix database schema check during startup by @rra in #973
  • DM-42384: Prepare release 10.0.1 by @rra in #974

Full Changelog: 10.0.0...10.0.1

10.0.0

Released 22 Feb 19:15 by @rra (tag 10.0.0, commit 9517692)

Upgrading to this version requires a database schema migration.

Backwards-incompatible changes

  • Clients of the Gafaelfawr OpenID Connect server now must have registered return URIs as well as client IDs and secrets. Each element of the oidc-server-secrets secret must, in addition to the previous id and secret keys, contain a return_uri key that matches the return URL of authentications from that client. Those return URLs are now allowed to be at any (matching) domain and are not constrained to the same domain as Gafaelfawr.
  • When acting as an OpenID Connect server, Gafaelfawr no longer exposes all claims by default. Instead, it now honors the scope parameter in the request, which must include openid and may include profile and email.
  • In the reply to a successful OpenID Connect authentication, return a Gafaelfawr token of a new oidc type as the access token instead of a copy of the ID token. This oidc token will be marked as a child token of the underlying Gafaelfawr token used to authenticate the OpenID Connect login, which means it will automatically be revoked if the user logs out.
  • Only accept Gafaelfawr tokens of the oidc type for the OpenID Connect server userinfo endpoint.
  • Return only userinfo claims from the OpenID Connect server userinfo endpoint instead of the full set of claims that would go into an ID token. Currently, the userinfo claims are not filtered based on the requested scopes; all available userinfo claims are returned.
  • Set the aud claim in OpenID Connect ID tokens issued by Gafaelfawr to the client ID of the requesting client instead of a fixed audience used for all tokens.
  • OpenID Connect ID tokens issued by Gafaelfawr now inherit their expiration time from the underlying Gafaelfawr token used as the authentication basis for the ID token. Previously, OpenID Connect ID tokens would receive the full default lifetime even when issued on the basis of Gafaelfawr tokens that were about to expire.
  • Require that the oidcServer.issuer configuration setting use the https scheme, since this is required by the OpenID Connect 1.0 specification.
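
The rules above (registered return URI, mandatory openid scope, scope-filtered claims, per-client aud, and expiry capped by the underlying Gafaelfawr token) are easier to see in code. The following is an added illustration written for these release notes, not Gafaelfawr's own implementation: the client registry, the session token shape, the default lifetime and the claim names behind each scope are constructed assumptions.

```python
"""Illustrative OpenID Connect server rules (added example, not Gafaelfawr code)."""
import hmac
import time
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the oidc-server-secrets secret: every client entry
# carries id, secret and now return_uri, which may live on any domain.
CLIENTS = [
    {"id": "portal", "secret": "portal-secret",
     "return_uri": "https://portal.example.org/oauth2/callback"},
    {"id": "notebook", "secret": "notebook-secret",
     "return_uri": "https://nb.example.net/hub/oauth_callback"},
]

# openid is mandatory; each optional scope unlocks a set of claims
# (the claim names are an assumption, not Gafaelfawr's actual list).
SCOPE_CLAIMS = {
    "profile": {"name", "preferred_username"},
    "email": {"email"},
}

DEFAULT_LIFETIME = 3600  # assumed default ID token lifetime, in seconds


@dataclass
class SessionToken:
    """The underlying Gafaelfawr token the OIDC login is authenticated with."""
    username: str
    expires: int   # Unix time at which the session token expires
    claims: dict   # user metadata available to be released as claims


class OIDCError(Exception):
    """Raised for any request the server must refuse."""


def find_client(client_id: str, client_secret: str) -> dict:
    """Look up a registered client; the secret comparison is constant-time."""
    for client in CLIENTS:
        if client["id"] == client_id and hmac.compare_digest(
            client["secret"].encode(), client_secret.encode()
        ):
            return client
    raise OIDCError("unknown client or bad client secret")


def check_return_uri(client: dict, redirect_uri: str) -> None:
    """Only the exact registered return URI is accepted for this client."""
    if redirect_uri != client["return_uri"]:
        raise OIDCError("redirect_uri does not match the registered return_uri")


def parse_scope(scope: str) -> set:
    """Require openid and accept only scopes the server knows how to honour."""
    scopes = set(scope.split())
    if "openid" not in scopes:
        raise OIDCError("scope must include openid")
    unknown = scopes - {"openid"} - set(SCOPE_CLAIMS)
    if unknown:
        raise OIDCError(f"unsupported scopes: {sorted(unknown)}")
    return scopes


def build_id_token(client: dict, session: SessionToken, scopes: set,
                   nonce: Optional[str] = None, now: Optional[int] = None) -> dict:
    """Assemble ID token claims: scope-filtered, client-specific audience,
    expiry capped by the underlying session token."""
    now = int(time.time()) if now is None else now
    allowed = set().union(*(SCOPE_CLAIMS[s] for s in scopes if s in SCOPE_CLAIMS))
    claims = {k: v for k, v in session.claims.items() if k in allowed}
    claims.update({
        "sub": session.username,
        "aud": client["id"],   # the requesting client, not a fixed audience
        "iat": now,
        # The ID token may never outlive the session it was issued from.
        "exp": min(now + DEFAULT_LIFETIME, session.expires),
    })
    if nonce is not None:
        claims["nonce"] = nonce   # passed through exactly as the client sent it
    return claims


def rejects(func, *args) -> bool:
    """True if func(*args) raises OIDCError; used to check refusals."""
    try:
        func(*args)
    except OIDCError:
        return True
    return False
```

The check that matters operationally is the last one in build_id_token: because exp is the minimum of the default lifetime and the session's own expiry, a login performed with a nearly expired Gafaelfawr token yields an ID token that expires at the same moment, rather than receiving a fresh full lifetime.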

New features

  • Add a new rubin scope for the OpenID Connect server that, if requested, provides a data_rights claim listing the data releases to which the user has rights. Add a new config.oidcServer.dataRightsMapping configuration option that is used to determine that list of data releases from a user's group memberships.
  • Add support for a client-supplied nonce in OpenID Connect authentication with Gafaelfawr as a server. The provided nonce is passed through to the ID token following the OpenID Connect specification.
  • Check the database schema at startup to ensure that it is current, and refuse to start if the schema is out of date.
  • Add new gafaelfawr update-schema command that creates the database if necessary and otherwise applies any needed Alembic migrations.
  • Add new gafaelfawr validate-schema command that exits non-zero if the database has not been initialized or if the schema is not up-to-date.

Bug fixes

  • Include the scope used to issue the ID token in the reply from the OpenID Connect server token endpoint.
  • In the response from /.well-known/openid-configuration, declare that the only supported response mode of the OpenID Connect server is query.

Other changes

  • Gafaelfawr now uses Alembic to perform database migrations as needed.
  • Gafaelfawr now uses uv to maintain frozen dependencies and set up a development environment.

What's Changed

  • [neophile] Update dependencies by @neophile-square in #916
  • [neophile] Update dependencies by @neophile-square in #918
  • Bump actions/setup-python from 4 to 5 by @dependabot in #917
  • Update artifact actions by @rra in #930
  • Bump eslint from 8.55.0 to 8.56.0 in /ui by @dependabot in #921
  • Bump gatsby from 5.12.12 to 5.13.1 in /ui by @dependabot in #927
  • Bump react-datepicker from 4.24.0 to 4.25.0 in /ui by @dependabot in #925
  • Bump eslint-plugin-import from 2.29.0 to 2.29.1 in /ui by @dependabot in #923
  • Bump date-fns from 2.30.0 to 3.0.6 in /ui by @dependabot in #928
  • [neophile] Update dependencies by @neophile-square in #926
  • Bump python from 3.11.5-slim-bullseye to 3.12.1-slim-bullseye by @dependabot in #915
  • Switch to Python 3.12 by @rra in #931
  • Remove empty setup.cfg by @rra in #932
  • [neophile] Update dependencies by @neophile-square in #934
  • DM-42384: Fix protocol issues in OpenID Connect server by @rra in #936
  • DM-42384: Update Python dependencies by @rra in #937
  • Bump date-fns from 3.0.6 to 3.2.0 in /ui by @dependabot in #938
  • DM-42384: Add support for OpenID Connect nonces in server by @rra in #940
  • [neophile] Update dependencies by @neophile-square in #943
  • DM-42384: Add support for data rights information by @rra in #944
  • Bump styled-components from 6.1.6 to 6.1.8 in /ui by @dependabot in #942
  • Bump react-icons from 4.12.0 to 5.0.1 in /ui by @dependabot in #941
  • [neophile] Update dependencies by @neophile-square in #946
  • Bump date-fns from 3.2.0 to 3.3.1 in /ui by @dependabot in #947
  • Bump actions/cache from 3 to 4 by @dependabot in #945
  • DM-42384: Add OpenID Connect return URL registration by @rra in #948
  • Update pre-commit with make update-deps by @rra in #949
  • Bump @babel/eslint-parser from 7.23.3 to 7.23.9 in /ui by @dependabot in #952
  • Bump gatsby from 5.13.2 to 5.13.3 in /ui by @dependabot in #951
  • Bump react-datepicker from 4.25.0 to 5.0.0 in /ui by @dependabot in #950
  • Update dependencies by @rra in #954
  • Bump react-datepicker from 5.0.0 to 6.1.0 in /ui by @dependabot in #955
  • Bump @babel/eslint-parser from 7.23.9 to 7.23.10 in /ui by @dependabot in #956
  • Update Python and JavaScript dependencies by @rra in #958
  • Bump eslint-plugin-html from 7.1.0 to 8.0.0 in /ui by @dependabot in #962
  • Bump python from 3.12.1-slim-bullseye to 3.12.2-slim-bullseye by @dependabot in #961
  • Bump pre-commit/action from 3.0.0 to 3.0.1 by @dependabot in #960
  • DM-42384: Add support for database migrations with Alembic by @rra in #959
  • DM-42384: Issue oidc tokens for OIDC access tokens by @rra in #963
  • DM-42384: Verify the database schema on startup by @rra in #964
  • DM-42384: Improve schema handling and testing by @rra in #965
  • DM-42930: Switch to uv for dependency management by @rra in #966
  • Bump medyagh/setup-minikube from 0.0.14 to 0.0.15 by @dependabot in #967
  • DM-42627: Remove uses of sqlalchemy.future by @rra in #968
  • DM-42384: Minor improvements to OpenID Connect documentation by @rra in #969
  • DM-42384: Redeem OIDC codes inside a transaction by @rra in #970
  • DM-42384: Add OpenID Connect tokens to the UI by @rra in #971
  • DM-42384: Prepare 10.0.0 release by @rra in #972

Full Changelog: 9.6.1...10.0.0

9.6.1

Released 08 Dec 20:06 by @rra (tag 9.6.1, commit 5a4e720)

Bug fixes

  • Adjust the Redis connection pool parameters to hopefully improve recovery after a Redis server restart.

What's Changed

  • DM-42093: Adjust the Redis connection pool parameters by @rra in #913
  • DM-42093: Prepare 9.6.1 release by @rra in #914

Full Changelog: 9.6.0...9.6.1

9.6.0

Released 05 Dec 01:12 by @rra (tag 9.6.0, commit b87f1f0)

New features

  • An ingress may now be restricted to a specific user by setting the username attribute in the config section of a GafaelfawrIngress, or the corresponding username query parameter to the /auth route. Any other user will receive a 403 error. The scope requirements must also still be met.

Bug fixes

  • Add an ARIA label to the icon for deleting a token in the user interface for better accessibility.

What's Changed

  • [neophile] Update dependencies by @neophile-square in #897
  • [neophile] Update dependencies by @neophile-square in #900
  • [neophile] Update dependencies by @neophile-square in #903
  • Update Python dependencies by @rra in #907
  • [neophile] Update dependencies by @neophile-square in #908
  • Bump eslint from 8.52.0 to 8.55.0 in /ui by @dependabot in #909
  • Bump styled-components from 6.1.0 to 6.1.1 in /ui by @dependabot in #901
  • Bump react-icons from 4.11.0 to 4.12.0 in /ui by @dependabot in #904
  • Bump @babel/eslint-parser from 7.22.15 to 7.23.3 in /ui by @dependabot in #902
  • Bump eslint-plugin-jsx-a11y from 6.7.1 to 6.8.0 in /ui by @dependabot in #898
  • DM-41998: Update Python dependencies by @rra in #910
  • DM-41998: Add support for per-user ingresses by @rra in #911
  • DM-41998: Prepare 9.6.0 release by @rra in #912

Full Changelog: 9.5.1...9.6.0

9.5.1

Released 30 Oct 23:07 by @rra (tag 9.5.1, commit fc4817f)

Bug fixes

  • Add a socket timeout, enable keepalive, and fix the retry specification for the Redis connection pool to help Gafaelfawr recover from Redis outages.
  • Always mask all headers to which Gafaelfawr gives special meaning when passing requests to a service downstream of a GafaelfawrIngress, instead of only masking the ones Gafaelfawr might set in that configuration. This ensures that no service behind a GafaelfawrIngress sees, e.g., X-Auth-Request-User unless it truly is authenticated by Gafaelfawr.
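
The difference between masking only the headers an ingress sets and masking every special-meaning header is the difference between a forged identity header reaching the backend or not. The following added example, written for these release notes and not taken from Gafaelfawr, contrasts the two behaviours; the X-Auth-Request- prefix rule and the X-Auth-Request-Groups header name are assumptions chosen for illustration, and the request is constructed.

```python
"""Header masking for requests forwarded through a GafaelfawrIngress
(added example, not Gafaelfawr code)."""

# Assumption: every header Gafaelfawr gives special meaning to shares this
# prefix, so a downstream service must never see one it did not earn.
AUTH_HEADER_PREFIX = "x-auth-request-"


def forward_headers_old(incoming: dict, to_set: dict) -> dict:
    """Pre-9.5.1 behaviour: mask only the headers this ingress
    configuration itself sets, then add them."""
    masked = {k.lower() for k in to_set}
    out = {k: v for k, v in incoming.items() if k.lower() not in masked}
    out.update(to_set)
    return out


def forward_headers(incoming: dict, to_set: dict) -> dict:
    """9.5.1 behaviour: drop every special-meaning header from the client
    request, whatever this ingress sets, then add the authenticated ones."""
    out = {k: v for k, v in incoming.items()
           if not k.lower().startswith(AUTH_HEADER_PREFIX)}
    out.update(to_set)
    return out


def spoofed_headers(forwarded: dict, to_set: dict) -> list:
    """Names of special-meaning headers that reach the service without
    having been set by the ingress, i.e. client-supplied values that got
    through. Useful as a detection check in a test suite."""
    legit = {k.lower() for k in to_set}
    return sorted(k for k in forwarded
                  if k.lower().startswith(AUTH_HEADER_PREFIX)
                  and k.lower() not in legit)


# Constructed client request carrying forged identity headers.
INCOMING = {
    "Host": "api.example.org",
    "Accept": "application/json",
    "X-Auth-Request-User": "someone-else",
    "X-Auth-Request-Groups": "admins",   # constructed header name
}

# What this particular ingress is configured to set after authentication.
TO_SET = {"X-Auth-Request-User": "alice"}
```

With the old logic the backend sees X-Auth-Request-User: alice (correct) but also X-Auth-Request-Groups: admins straight from the client, because that ingress never set a groups header and so never masked it. With the new logic both client-supplied headers are stripped before the authenticated one is added.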

What's Changed

  • DM-41424: Improve Redis pool configuration by @rra in #887
  • DM-41424: Always mask all Gafaelfawr response headers by @rra in #888
  • DM-41424: Refactor to reduce complexity by @rra in #889
  • [neophile] Update dependencies by @neophile-square in #892
  • Bump actions/setup-node from 3 to 4 by @dependabot in #893
  • Bump gatsby from 5.12.8 to 5.12.9 in /ui by @dependabot in #891
  • Bump react-aria-modal from 5.0.0 to 5.0.2 in /ui by @dependabot in #894
  • DM-41424: Prepare Gafaelfawr 9.5.1 by @rra in #895
  • DM-41424: Remove blank line in changelog by @rra in #896

Full Changelog: 9.5.0...9.5.1

9.5.0

Released 25 Oct 23:22 by @rra (tag 9.5.0, commit 011d93f)

New features

  • Add new /auth/cadc/userinfo route, which accepts a Gafaelfawr token and returns user metadata in the format expected by the CADC authentication code. This route is expected to be temporary and will be moved into the main token API once we decide how to handle uniqueness of the sub claim. It is therefore not currently documented outside of the autogenerated API documentation.
  • Gafaelfawr now imposes a maximum run time and retention duration for its periodic maintenance jobs. These can be adjusted with the new config.maintenance.deadlineSeconds and config.maintenance.cleanupSeconds Helm settings.
  • All Gafaelfawr pods now set Kubernetes resource requests and limits. The requests match the consumption of a lightly-loaded deployment using OpenID Connect and LDAP, and the limits should be generous. These can be adjusted using Helm chart values.

Bug fixes

  • Log exceptions encountered while parsing OpenID Connect responses from upstream providers, not just the deduced error message. Include the body of the response from the token endpoint if it could not be parsed as JSON.

Other changes

  • Include curl in the Gafaelfawr container for manual debugging of web request problems.

What's Changed

  • DM-41075: Log OIDC exceptions properly by @rra in #870
  • DM-41090: Document new Helm chart settings by @rra in #871
  • [neophile] Update dependencies by @neophile-square in #873
  • Fix typo in openid-connect.rst by @cbanek in #876
  • [neophile] Update dependencies by @neophile-square in #885
  • Bump eslint from 8.50.0 to 8.52.0 in /ui by @dependabot in #884
  • Bump react-datepicker from 4.18.0 to 4.21.0 in /ui by @dependabot in #883
  • Bump gatsby from 5.12.5 to 5.12.8 in /ui by @dependabot in #882
  • Bump @babel/traverse from 7.23.0 to 7.23.2 in /ui by @dependabot in #881
  • Bump styled-components from 6.0.8 to 6.1.0 in /ui by @dependabot in #878
  • DM-41186: Add new route for CADC token metadata by @rra in #877
  • DM-41186: Prepare 9.5.0 release by @rra in #886

Full Changelog: 9.4.0...9.5.0

9.4.0

Released 03 Oct 23:56 by @rra (tag 9.4.0, commit e2bd6c5)

New features

  • Gafaelfawr now supports the common LDAP configuration of recording group membership by full user DN rather than only username. Set group_search_by_dn to search for the user by full DN in the group tree. This requires that LDAP also be used for user metadata.
  • Allow the Gafaelfawr log level to be specified using any case (info as well as INFO, for example).

Other changes

  • Gafaelfawr now uses Pydantic v2. This should not result in any user-visible changes, but it is possible there will be some unexpected differences in data serialization or deserialization.
  • Log the full contents of the upstream OIDC token before token verification if debug logging is enabled.

What's Changed

  • [neophile] Update dependencies by @neophile-square in #853
  • Update Python dependencies by @rra in #854
  • [neophile] Update dependencies by @neophile-square in #856
  • Bump gatsby from 5.12.3 to 5.12.4 in /ui by @dependabot in #850
  • Bump eslint from 8.48.0 to 8.49.0 in /ui by @dependabot in #851
  • Bump react-icons from 4.10.1 to 4.11.0 in /ui by @dependabot in #852
  • Bump react-datepicker from 4.16.0 to 4.18.0 in /ui by @dependabot in #857
  • Bump formik from 2.4.3 to 2.4.5 in /ui by @dependabot in #858
  • Update dependencies and fix broken links by @rra in #859
  • DM-40744: Convert to Pydantic v2 by @rra in #855
  • Update dependencies by @rra in #863
  • [neophile] Update dependencies by @neophile-square in #864
  • Bump gatsby from 5.12.4 to 5.12.5 in /ui by @dependabot in #865
  • DM-23878: Update dependencies by @rra in #866
  • DM-23878: Allow the LDAP group search to be configured by @rra in #860
  • DM-23878: Support specifying log level in any case by @rra in #867
  • DM-23878: Refactor LDAP code to avoid duplication by @rra in #868
  • DM-23878: Prepare 9.4.0 release by @rra in #869

Full Changelog: 9.3.1...9.4.0

9.3.1

Released 08 Sep 01:18 by @rra (tag 9.3.1, commit b0e9e6f)

Bug fixes

  • Gafaelfawr previously accepted a group_mapping rule whose value was a string rather than a list of group names and interpreted it as a list of single-letter group names corresponding to the letters in the string. This configuration now produces a validation error during startup.
  • The Gafaelfawr Kubernetes operator now rejects GafaelfawrIngress resources with invalid scopes and sets an error status, rather than creating an Ingress resource that will always fail.
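
The first fix above is a classic Python footgun: a str is iterable, so a rule written as a bare string is silently treated as a list of its characters, and a user in a one-letter group can pick up the scope. The following added example, written for these release notes rather than taken from Gafaelfawr, shows the lenient behaviour next to the validation that now rejects such a configuration; the scope and group names are constructed.

```python
"""group_mapping validation (added example, not Gafaelfawr code)."""
from typing import Dict, List, Set


def scopes_for_user_lenient(group_mapping: dict, user_groups: Set[str]) -> Set[str]:
    """Pre-9.3.1 behaviour: iterate each rule's value without checking its
    type. A str iterates over its characters, so "admins" silently becomes
    the one-letter groups a, d, m, i, n, s."""
    granted = set()
    for scope, groups in group_mapping.items():
        if any(g in user_groups for g in groups):
            granted.add(scope)
    return granted


def validate_group_mapping(group_mapping: dict) -> Dict[str, List[str]]:
    """Refuse the configuration, as Gafaelfawr now does at startup, unless
    every rule maps a scope to a list of non-empty group-name strings."""
    if not isinstance(group_mapping, dict):
        raise ValueError("group_mapping must map each scope to a list of groups")
    validated: Dict[str, List[str]] = {}
    for scope, groups in group_mapping.items():
        if isinstance(groups, str):
            # The exact case the 9.3.1 fix diagnoses.
            raise ValueError(
                f"group_mapping[{scope!r}] must be a list of group names, "
                f"not the string {groups!r}"
            )
        if not isinstance(groups, list) or not all(
            isinstance(g, str) and g for g in groups
        ):
            raise ValueError(f"group_mapping[{scope!r}] must be a list of group names")
        validated[scope] = list(groups)
    return validated


def scopes_for_user(group_mapping: dict, user_groups: Set[str]) -> Set[str]:
    """Validate first, then grant scopes only on genuine group matches."""
    mapping = validate_group_mapping(group_mapping)
    return {scope for scope, groups in mapping.items()
            if user_groups.intersection(groups)}


def config_is_rejected(group_mapping: dict) -> bool:
    """True if the configuration fails validation (what startup now does)."""
    try:
        validate_group_mapping(group_mapping)
    except ValueError:
        return True
    return False


# Constructed configurations: the mistaken string form and the intended list.
BAD_MAPPING = {"exec:admin": "admins"}
GOOD_MAPPING = {"exec:admin": ["admins"]}
```

Note that under the lenient logic a user who really is in the admins group does not get the scope (no single character matches), while a user in a group called a does, which is why failing fast at startup is the right outcome.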

What's Changed

  • [neophile] Update dependencies by @neophile-square in #815
  • Bump eslint from 8.45.0 to 8.46.0 in /ui by @dependabot in #816
  • Bump eslint-config-prettier from 8.8.0 to 8.9.0 in /ui by @dependabot in #817
  • Bump medyagh/setup-minikube from 0.0.13 to 0.0.14 by @dependabot in #820
  • Bump eslint-plugin-import from 2.27.5 to 2.28.0 in /ui by @dependabot in #819
  • Bump eslint-plugin-react from 7.33.0 to 7.33.1 in /ui by @dependabot in #818
  • [neophile] Update dependencies by @neophile-square in #822
  • Bump eslint-config-prettier from 8.9.0 to 9.0.0 in /ui by @dependabot in #823
  • Bump formik from 2.4.2 to 2.4.3 in /ui by @dependabot in #824
  • Bump styled-components from 6.0.5 to 6.0.7 in /ui by @dependabot in #825
  • Bump cryptography from 41.0.2 to 41.0.3 in /requirements by @dependabot in #821
  • Bump eslint from 8.46.0 to 8.47.0 in /ui by @dependabot in #827
  • [neophile] Update dependencies by @neophile-square in #826
  • [neophile] Update dependencies by @neophile-square in #828
  • Bump eslint-plugin-react from 7.33.1 to 7.33.2 in /ui by @dependabot in #830
  • Bump gatsby from 5.11.0 to 5.12.2 in /ui by @dependabot in #833
  • Bump @babel/eslint-parser from 7.22.10 to 7.22.11 in /ui by @dependabot in #832
  • Bump eslint from 8.47.0 to 8.48.0 in /ui by @dependabot in #831
  • Bump eslint-plugin-import from 2.28.0 to 2.28.1 in /ui by @dependabot in #829
  • [neophile] Update dependencies by @neophile-square in #834
  • Bump python from 3.11.4-slim-bullseye to 3.11.5-slim-bullseye by @dependabot in #835
  • DM-40495: Add better error reporting of linkcheck failures by @rra in #836
  • DM-40567: Synchronize Ruff configuration with neophile by @rra in #837
  • DM-40567: Diagnose group mappings to strings by @rra in #838
  • DM-40567: Diagnose invalid GafaelfawrIngress scopes by @rra in #839
  • DM-40567: Rename the scriv template by @rra in #840
  • [neophile] Update dependencies by @neophile-square in #841
  • Bump actions/checkout from 3 to 4 by @dependabot in #843
  • Bump @babel/eslint-parser from 7.22.11 to 7.22.15 in /ui by @dependabot in #842
  • DM-40567: Minor cleanups and dependency updates by @rra in #845
  • DM-40567: Use new Click help function from Safir by @rra in #846
  • DM-40567: Prepare 9.3.1 release by @rra in #847

Full Changelog: 9.3.0...9.3.1

9.3.0

Released 26 Jul 19:03 by @rra (tag 9.3.0, commit 7ef84df)

New features

  • To configure Gafaelfawr to use the cluster-internal PostgreSQL service, use the Helm chart setting config.internalDatabase rather than setting an explicit URL. Setting config.databaseUrl to the internal PostgreSQL URL will still work for existing deployments, but using config.internalDatabase instead will be required in the future for correct secrets management.
  • Gafaelfawr can now listen on additional hostnames specified by setting ingress.additionalHosts in the Helm configuration. Only token authentication will be supported for ingresses using those hostnames; interactive browser authentication will not work.

Bug fixes

  • Restore the newline after the output from gafaelfawr generate-session-secret and gafaelfawr generate-token, accidentally dropped in 9.2.1.

What's Changed

  • [neophile] Update dependencies by @sqrbot in #771
  • DM-39519: Add newline back to Gafaelfawr CI output by @rra in #773
  • Bump eslint from 8.41.0 to 8.42.0 in /ui by @dependabot in #772
  • [neophile] Update dependencies by @sqrbot in #774
  • Bump @babel/eslint-parser from 7.21.8 to 7.22.5 in /ui by @dependabot in #776
  • Bump react-aria-modal from 4.0.2 to 5.0.0 in /ui by @dependabot in #778
  • Bump react-datepicker from 4.12.0 to 4.13.0 in /ui by @dependabot in #777
  • Bump python from 3.11.3-slim-bullseye to 3.11.4-slim-bullseye by @dependabot in #775
  • DM-39627: Run neophile from GitHub Actions by @rra in #779
  • DM-39627: Fix comment on periodic workflow by @rra in #780
  • [neophile] Update dependencies by @sqrbot in #781
  • Bump react-datepicker from 4.13.0 to 4.15.0 in /ui by @dependabot in #790
  • Bump gatsby from 5.10.0 to 5.11.0 in /ui by @dependabot in #782
  • Bump formik from 2.4.1 to 2.4.2 in /ui by @dependabot in #784
  • Bump react-icons from 4.9.0 to 4.10.1 in /ui by @dependabot in #787
  • Bump eslint from 8.42.0 to 8.44.0 in /ui by @dependabot in #789
  • DM-39919: Stop setting neophile email by @rra in #791
  • [neophile] Update dependencies by @neophile-square in #792
  • [neophile] Update dependencies by @neophile-square in #793
  • Bump styled-components from 5.3.11 to 6.0.3 in /ui by @dependabot in #794
  • Bump @babel/eslint-parser from 7.22.5 to 7.22.7 in /ui by @dependabot in #795
  • DM-39989: Use tox to run neophile by @rra in #797
  • DM-39989: Update dependencies by @rra in #798
  • DM-39989: Use new neophile GitHub Action by @rra in #799
  • DM-39989: Use new GitHub Action for Docker image by @rra in #800
  • DM-40041: Switch minikube setup actions by @rra in #801
  • [neophile] Update dependencies by @neophile-square in #802
  • Bump eslint from 8.44.0 to 8.45.0 in /ui by @dependabot in #803
  • Bump styled-components from 6.0.3 to 6.0.4 in /ui by @dependabot in #804
  • Bump @babel/eslint-parser from 7.22.7 to 7.22.9 in /ui by @dependabot in #805
  • Increase the timeout for periodic CI by @rra in #806
  • [neophile] Update dependencies by @neophile-square in #810
  • Bump styled-components from 6.0.4 to 6.0.5 in /ui by @dependabot in #808
  • Bump eslint-plugin-react from 7.32.2 to 7.33.0 in /ui by @dependabot in #809
  • Flesh out periodic CI check by @rra in #811
  • Add docs for internalDatabase, additionalHosts by @rra in #812
  • Switch to new syntax for GitHub Actions output by @rra in #813
  • Prepare 9.3.0 release by @rra in #814

New Contributors

  • @neophile-square made their first contribution in #792

Full Changelog: 9.2.2...9.3.0