pomerium

Pomerium is an identity and context-aware access proxy.

APACHE-2.0 License

Stars
3.9K
Committers
93


pomerium - v0.8.4

Published by desimone over 4 years ago

Security

  • Addresses vulnerabilities fixed in go version 1.14.5. This update includes security fixes for a data race in ReverseProxy (CVE-2020-15586) and a situation where X.509 verification ignores provided EKUs on Windows (CVE-2020-15586).

pomerium - v0.10.0-rc1

Published by github-actions[bot] over 4 years ago

Note: This is a release candidate and should not be used for production deployments. Please see up to date documentation at https://master.docs.pomerium.io/

Changes

  • ci: support rc releases @travisgroth GH-1011
  • cache: add test for runMemberList @cuonglm GH-1007
  • Allow specify go executable in Makefile @cuonglm GH-1008
  • integration: add dummy value for idp_service_account @cuonglm GH-1009
  • grpc: rename internal/grpc to pkg/grpc @calebdoxsey GH-1010
  • envoy: disable idle timeouts to controlplane @travisgroth GH-1000
  • cache: fix missing parameter @travisgroth GH-1005
  • config: add check to assert service account is required for policies with allowed_groups @desimone GH-997
  • cache: attempt to join memberlist cluster for sanity check @travisgroth GH-1004
  • memberlist: use bufio reader instead of scanner @calebdoxsey GH-1002
  • authorize/evaluator/opa: use route policy object instead of array index @cuonglm GH-1001
  • authorize: avoid serializing databroker data map to improve performance @calebdoxsey GH-995
  • internal/sessions: handle claims "ver" field generally @cuonglm GH-990
  • telemetry: add tracing spans to cache and databroker @travisgroth GH-987
  • authenticate: hide impersonation form from non-admin users @cuonglm GH-979
  • cache: add client telemetry @travisgroth GH-975
  • Sleep longer before running integration tests @cuonglm GH-968
  • authenticate: move impersonate from proxy to authenticate @calebdoxsey GH-965
  • authenticate: revoke current session oauth token before sign out @cuonglm GH-964
  • authenticate: remove useless/duplicated code block @cuonglm GH-962

New

  • identity: support custom code flow request params @desimone GH-998
  • github: implement github directory provider @calebdoxsey GH-963
  • google: store directory information by user id @calebdoxsey GH-988
  • azure: use OID for user id in session @calebdoxsey GH-985
  • internal/directory/onelogin: store directory information by user id @cuonglm GH-992
  • internal/directory/okta: store directory information by user id @cuonglm GH-991
  • authenticate: support hot reloaded config @cuonglm GH-984

Fixed

  • controlplane: add robots route @desimone GH-966
  • authorize/evaluator/opa: set client tls cert usage explicitly @travisgroth GH-1026
  • internal/controlplane: enable envoy use remote address @cuonglm GH-1023

Documentation

  • Docs: Update Istio VirtualService example @jeffhubLR GH-1006
  • docs: update upgrading document for breaking changes @calebdoxsey GH-974
  • docs: update service account instructions for OneLogin @calebdoxsey GH-973
  • docs: service account instructions for gitlab @calebdoxsey GH-970
  • directory: add service account struct and parsing method @calebdoxsey GH-971
  • docs: update okta service account docs to match new format @calebdoxsey GH-972
  • docs: service account instructions for azure @calebdoxsey GH-969
  • docs: update GitHub documentation for service account @calebdoxsey GH-967
  • docs: Add warnings cones around requiring IdP Service Accounts @travisgroth GH-999
  • docs/docs/identity-providers: document gitlab default scopes changed @cuonglm GH-980

Dependency

  • chore(deps): update google.golang.org/genproto commit hash to ee7919e @renovate GH-1019
  • chore(deps): update module google.golang.org/grpc to v1.30.0 @renovate GH-1020
  • chore(deps): update module prometheus/client_golang to v1.7.1 @renovate GH-1022
  • chore(deps): update golang.org/x/sync commit hash to 6e8e738 @renovate GH-1018
  • chore(deps): update golang.org/x/net commit hash to 4c52546 @renovate GH-1017
  • dependency: bump opa v0.21.0 @desimone GH-993
  • chore(deps): update module hashicorp/memberlist to v0.2.2 @renovate GH-951
  • chore(deps): update google.golang.org/genproto commit hash to fbb79ea @renovate GH-945
  • chore(deps): update module go.opencensus.io to v0.22.4 @renovate GH-948
  • chore(deps): update module cenkalti/backoff/v4 to v4.0.2 @renovate GH-946
  • chore(deps): update module google.golang.org/api to v0.28.0 @renovate GH-949
  • chore(deps): update module google/go-cmp to v0.5.0 @renovate GH-950
  • chore(deps): update module prometheus/client_golang to v1.7.0 @renovate GH-953
  • chore(deps): update module open-policy-agent/opa to v0.21.0 @renovate GH-952
  • docs: document preserve_host_header with policy routes to static ip @cuonglm GH-1024

pomerium - v0.9.2

Published by travisgroth over 4 years ago

Fixed

  • internal/envoy: fix handleLogs causes envoy hang forever @cuonglm GH-927

pomerium - v0.9.1

Published by travisgroth over 4 years ago

Changes

  • Remove unnecessary viper.New() @yegle GH-849
  • authorize: reduce duplicate evaluations in opa policy @travisgroth GH-882
  • envoy: bump envoy to 1.14.2 @desimone GH-894
  • policy: Add consistent route identifier @travisgroth GH-905

Fixed

  • xds: use ipv4 address when ipv6 is disabled @calebdoxsey GH-823
  • proxy: only set validation context if trusted_ca is used @calebdoxsey GH-863
  • config: ensure viper ignores certificates config field @travisgroth GH-876
  • controlplane: use previous preferred cipher suite @desimone GH-889
  • controlplane: fix missing full cert chain @desimone GH-888
  • internal/controlplane: make sure options.Headers are set for response @cuonglm GH-907

Security

  • envoy: fixes CVE-2020-11080 by rejecting HTTP/2 SETTINGS frames with too many parameters

pomerium - v0.9.0

Published by travisgroth over 4 years ago

v0.9.0

New

  • proxy: envoy is now used to handle proxying
  • authenticate: add jwks and .well-known endpoint @desimone [GH-745]
  • authorize: add client mTLS support @calebdoxsey [GH-751]
  • envoy: Switch to distroless/base for releases @travisgroth GH-810

Fixed

  • cache: fix closing too early @calebdoxsey [GH-791]
  • authenticate: fix insecure gRPC connection string default port @calebdoxsey [GH-795]
  • authenticate: fix user-info call for AWS cognito @calebdoxsey [GH-792]
  • authenticate: clear session if ctx fails @desimone [GH-806]
  • telemetry: fix autocache labels @travisgroth [GH-805]
  • telemetry: fix missing/incorrect grpc labels @travisgroth [GH-804]
  • authorize: fix authorization panic caused by logging a nil reference @desimone [GH-704]

Changes

  • authenticate: remove authorize url validate check @calebdoxsey [GH-790]
  • authorize: reduce log noise for empty jwt @calebdoxsey [GH-793]
  • authorize: refactor and add additional unit tests @calebdoxsey [GH-757]
  • envoy: add GRPC stats handler to control plane service @travisgroth [GH-744]
  • envoy: enable zipkin tracing @travisgroth [GH-737]
  • envoy: improvements to logging @calebdoxsey [GH-742]
  • envoy: remove 'accept-encoding' header from proxied metric requests @travisgroth [GH-750]
  • envoy: support ports in hosts for routing @calebdoxsey [GH-748]
  • forward-auth: support x-forwarded-uri @calebdoxsey [GH-780]
  • proxy/forward-auth: block expired request prior to 302 @desimone [GH-773]
  • sessions/state: add nickname claim @BenoitKnecht [GH-755]
  • state: infer user (user) from subject (sub) @desimone [GH-772]
  • telemetry: refactor GRPC Server Handler @travisgroth [GH-756]
  • telemetry: service label updates @travisgroth [GH-802]
  • xds: add catch-all for pomerium routes @calebdoxsey [GH-789]
  • xds: disable cluster validation to handle out-of-order updates @calebdoxsey [GH-783]

Documentation

  • docs: add mTLS recipe @calebdoxsey [GH-807]
  • docs: add argo recipe @calebdoxsey [GH-803]
  • docs: update dockerfiles for v0.9.0 @calebdoxsey [GH-801]
  • docs: typo on configuration doc @kintoandar [GH-800]
  • docs: docs regarding claim headers @strideynet [GH-782]
  • docs: update traefik example and add note about forwarded headers @calebdoxsey [GH-784]
  • docs: add note about unsupported platforms @calebdoxsey [GH-799]
  • docs: expose config parameters in sidebar @travisgroth [GH-797]
  • docs: update examples @travisgroth [GH-796]

Note: an earlier release of v0.9.0 was made from 44cf1fba1f6116c9812f088e5b1cc924a3affaeb and unpublished due to packaging issues.

pomerium - v0.8.3

Published by desimone over 4 years ago

Changes

  • state: infer user (user) from subject (sub) @desimone GH-772
  • proxy/forward-auth: block expired request prior to 302 @desimone GH-773

pomerium - v0.8.2

Published by desimone over 4 years ago

Changelog

v0.8.2

Security

This release includes a fix for a bug that, under certain circumstances, could allow a user with a valid but expired session to resend a request to an upstream application. The repeated request would not return a response, but could reach the upstream application. Thank you to @selaux for reporting this issue! [GH-762]

pomerium - v0.8.1

Published by desimone over 4 years ago

v0.8.1

Fixed

  • authorize: fix authorization panic caused by logging a nil reference @desimone [GH-704]

pomerium - v0.8.0

Published by desimone over 4 years ago

v0.8.0

Please see the upgrade guide for any breaking changes in this release!

To see a complete list of changes see the diff.

New

  • cryptutil: add automatic certificate management @desimone [GH-644]
  • implement path-based route matching @calebdoxsey [GH-615]
  • internal/identity: implement github provider support @Lumexralph [GH-582]
  • proxy: add configurable JWT claim headers @travisgroth (#596)
  • proxy: remove extra session unmarshalling @desimone (#592)

Changes

  • ci: Switch integration tests from minikube to kind @travisgroth [GH-656]
  • integration-tests: add CORS test @calebdoxsey [GH-662]
  • integration-tests: add websocket enabled/disabled test @calebdoxsey [GH-661]
  • integration-tests: set_request_headers and preserve_host_header options @calebdoxsey [GH-668]
  • pre-commit: add pre-commit configuration @calebdoxsey [GH-666]
  • proxy: improve JWT header behavior @travisgroth [GH-642]

Fixed

  • authorize: fix authorization check for allowed_domains to only match current route @calebdoxsey [GH-624]
  • authorize: fix unexpected panic on reload @travisgroth [GH-652]
  • site: fix site on mobile @desimone [GH-597]

pomerium - v0.7.6

Published by travisgroth over 4 years ago

v0.7.6

Fixed

  • authorize: fix unexpected panic on reload @travisgroth [GH-652]

pomerium - v0.7.5

Published by desimone over 4 years ago

v0.7.5

Fixed

  • authorize: fix authorization check for allowed_domains to only match current route @calebdoxsey [GH-624]

pomerium - v0.7.4

Published by desimone over 4 years ago

v0.7.4

Fixed

  • pomerium-cli: fix service account cli @desimone (#613)

pomerium - v0.7.3

Published by travisgroth over 4 years ago

Fixed

  • Bump grpc up to 1.27.1 @travisgroth (#609)

pomerium - v0.7.2

Published by desimone over 4 years ago

Changes

  • proxy: remove extra session unmarshalling @desimone (#592)

New

  • proxy: add configurable JWT claim headers @travisgroth (#596)
  • grpcutil: remove unused pkg @desimone (#593)

Fixed

  • site: fix site on mobile @desimone (#597)

Documentation

  • site: fix site on mobile @desimone (#597)

Dependency

  • chore(deps): update vuepress monorepo to v1.4.0 @renovate (#559)

pomerium - https://github.com/pomerium/pomerium/releases/tag/v0.6.4

Published by desimone over 4 years ago

pomerium - v0.7.1

Published by travisgroth over 4 years ago

v0.7.1

New

  • *: remove import path comments @desimone (#545)
  • authenticate: make callback path configurable @desimone (#493)
  • authenticate: return 401 for some specific error codes @cuonglm (#561)
  • authorization: log audience claim failure @desimone (#553)
  • authorize: use jwt instead of state struct @desimone (#514)
  • authorize: use opa for policy engine @desimone (#474)
  • cmd: add cli to generate service accounts @desimone (#552)
  • config: Expose and set default GRPC Server Keepalive Parameters @travisgroth (#509)
  • config: Make IDP_PROVIDER env var mandatory @mihaitodor (#536)
  • config: Remove superfluous Options.Checksum type conversions @travisgroth (#522)
  • gitlab/identity: change group unique identifier to ID @Lumexralph (#571)
  • identity: support oidc UserInfo Response @desimone (#529)
  • internal/cryptutil: standardize leeway to 5 mins @desimone (#476)
  • metrics: Add storage metrics @travisgroth (#554)

Fixed

  • cache: add option validations @desimone (#468)
  • config: Add proper yaml tag to Options.Policies @travisgroth (#475)
  • ensure correct service name on GRPC related metrics @travisgroth (#510)
  • fix group impersonation @desimone (#569)
  • fix sign-out bug, fixes #530 @desimone (#544)
  • proxy: move set request headers before handle allow public access @ohdarling (#479)
  • use service port for session audiences @travisgroth (#562)

Documentation

  • fix the typo @ilgooz (#566)
  • fix kubernetes dashboard recipe docs @desimone (#504)
  • make from source quickstart @desimone (#519)
  • update background @desimone (#505)
  • update helm for v3 @desimone (#469)
  • various fixes @desimone (#478)
  • fix cookie_domain @nitper (#472)

Dependency

  • chore(deps): update github.com/pomerium/autocache commit hash to 6c66ed5 @renovate (#480)
  • chore(deps): update github.com/pomerium/autocache commit hash to 227c993 @renovate (#537)
  • chore(deps): update golang.org/x/crypto commit hash to 0ec3e99 @renovate (#574)
  • chore(deps): update golang.org/x/crypto commit hash to 1b76d66 @renovate (#538)
  • chore(deps): update golang.org/x/crypto commit hash to 78000ba @renovate (#481)
  • chore(deps): update golang.org/x/crypto commit hash to 891825f @renovate (#556)
  • chore(deps): update module fatih/color to v1.9.0 @renovate (#575)
  • chore(deps): update module fsnotify/fsnotify to v1.4.9 @renovate (#539)
  • chore(deps): update module go.etcd.io/bbolt to v1.3.4 @renovate (#557)
  • chore(deps): update module go.opencensus.io to v0.22.3 @renovate (#483)
  • chore(deps): update module golang/mock to v1.4.0 @renovate (#470)
  • chore(deps): update module golang/mock to v1.4.3 @renovate (#540)
  • chore(deps): update module golang/protobuf to v1.3.4 @renovate (#485)
  • chore(deps): update module golang/protobuf to v1.3.5 @renovate (#541)
  • chore(deps): update module google.golang.org/api to v0.20.0 @renovate (#495)
  • chore(deps): update module google.golang.org/grpc to v1.27.1 @renovate (#496)
  • chore(deps): update module gorilla/mux to v1.7.4 @renovate (#506)
  • chore(deps): update module open-policy-agent/opa to v0.17.1 @renovate (#497)
  • chore(deps): update module open-policy-agent/opa to v0.17.3 @renovate (#513)
  • chore(deps): update module open-policy-agent/opa to v0.18.0 @renovate (#558)
  • chore(deps): update module prometheus/client_golang to v1.4.1 @renovate (#498)
  • chore(deps): update module prometheus/client_golang to v1.5.0 @renovate (#531)
  • chore(deps): update module prometheus/client_golang to v1.5.1 @renovate (#543)
  • chore(deps): update module rakyll/statik to v0.1.7 @renovate (#517)
  • chore(deps): update module rs/zerolog to v1.18.0 @renovate (#507)
  • chore(deps): update module yaml to v2.2.8 @renovate (#471)
  • ci: Consolidate matrix build parameters @travisgroth (#521)
  • dependency: use go mod redis @desimone (#528)
  • deployment: throw away golanglint-ci defaults @desimone (#439)
  • deps: enable automerge and set labels on renovate PRs @travisgroth (#527)
  • Roll back grpc to v1.25.1 @travisgroth (#484)

pomerium - v0.7.0

Published by desimone over 4 years ago

v0.7.0

New

  • *: remove import path comments @desimone (#545)
  • authenticate: make callback path configurable @desimone (#493)
  • authenticate: return 401 for some specific error codes @cuonglm (#561)
  • authorization: log audience claim failure @desimone (#553)
  • authorize: use jwt instead of state struct @desimone (#514)
  • authorize: use opa for policy engine @desimone (#474)
  • cmd: add cli to generate service accounts @desimone (#552)
  • config: Expose and set default GRPC Server Keepalive Parameters @travisgroth (#509)
  • config: Make IDP_PROVIDER env var mandatory @mihaitodor (#536)
  • config: Remove superfluous Options.Checksum type conversions @travisgroth (#522)
  • gitlab/identity: change group unique identifier to ID @Lumexralph (#571)
  • identity: support oidc UserInfo Response @desimone (#529)
  • internal/cryptutil: standardize leeway to 5 mins @desimone (#476)
  • metrics: Add storage metrics @travisgroth (#554)

Fixed

  • cache: add option validations @desimone (#468)
  • config: Add proper yaml tag to Options.Policies @travisgroth (#475)
  • ensure correct service name on GRPC related metrics @travisgroth (#510)
  • fix group impersonation @desimone (#569)
  • fix sign-out bug, fixes #530 @desimone (#544)
  • proxy: move set request headers before handle allow public access @ohdarling (#479)
  • use service port for session audiences @travisgroth (#562)

Documentation

  • fix the typo @ilgooz (#566)
  • fix kubernetes dashboard recipe docs @desimone (#504)
  • make from source quickstart @desimone (#519)
  • update background @desimone (#505)
  • update helm for v3 @desimone (#469)
  • various fixes @desimone (#478)
  • fix cookie_domain @nitper (#472)

Dependency

  • chore(deps): update github.com/pomerium/autocache commit hash to 6c66ed5 @renovate (#480)
  • chore(deps): update github.com/pomerium/autocache commit hash to 227c993 @renovate (#537)
  • chore(deps): update golang.org/x/crypto commit hash to 0ec3e99 @renovate (#574)
  • chore(deps): update golang.org/x/crypto commit hash to 1b76d66 @renovate (#538)
  • chore(deps): update golang.org/x/crypto commit hash to 78000ba @renovate (#481)
  • chore(deps): update golang.org/x/crypto commit hash to 891825f @renovate (#556)
  • chore(deps): update module fatih/color to v1.9.0 @renovate (#575)
  • chore(deps): update module fsnotify/fsnotify to v1.4.9 @renovate (#539)
  • chore(deps): update module go.etcd.io/bbolt to v1.3.4 @renovate (#557)
  • chore(deps): update module go.opencensus.io to v0.22.3 @renovate (#483)
  • chore(deps): update module golang/mock to v1.4.0 @renovate (#470)
  • chore(deps): update module golang/mock to v1.4.3 @renovate (#540)
  • chore(deps): update module golang/protobuf to v1.3.4 @renovate (#485)
  • chore(deps): update module golang/protobuf to v1.3.5 @renovate (#541)
  • chore(deps): update module google.golang.org/api to v0.20.0 @renovate (#495)
  • chore(deps): update module google.golang.org/grpc to v1.27.1 @renovate (#496)
  • chore(deps): update module gorilla/mux to v1.7.4 @renovate (#506)
  • chore(deps): update module open-policy-agent/opa to v0.17.1 @renovate (#497)
  • chore(deps): update module open-policy-agent/opa to v0.17.3 @renovate (#513)
  • chore(deps): update module open-policy-agent/opa to v0.18.0 @renovate (#558)
  • chore(deps): update module prometheus/client_golang to v1.4.1 @renovate (#498)
  • chore(deps): update module prometheus/client_golang to v1.5.0 @renovate (#531)
  • chore(deps): update module prometheus/client_golang to v1.5.1 @renovate (#543)
  • chore(deps): update module rakyll/statik to v0.1.7 @renovate (#517)
  • chore(deps): update module rs/zerolog to v1.18.0 @renovate (#507)
  • chore(deps): update module yaml to v2.2.8 @renovate (#471)
  • ci: Consolidate matrix build parameters @travisgroth (#521)
  • dependency: use go mod redis @desimone (#528)
  • deployment: throw away golanglint-ci defaults @desimone (#439)
  • deps: enable automerge and set labels on renovate PRs @travisgroth (#527)
  • Roll back grpc to v1.25.1 @travisgroth (#484)

pomerium - v0.6.3

Published by desimone over 4 years ago

v0.6.3

Fixed

  • sessions: signout bug, fixes #530 @desimone (#544)

pomerium - v0.6.2

Published by desimone over 4 years ago

This release was cut at nearly the same time as v0.6.1; please see that release for additional changes.

Changes

  • internal/cryptutil: standardize leeway to 5 mins @desimone (#476)

Fixed

  • proxy: move set request headers before handle allow public access @ohdarling (#479)

pomerium - v0.6.1

Published by desimone over 4 years ago

v0.6.1

Fixed

  • cache: add option validations @desimone (#468)
  • grpc: roll back grpc to v1.25.1 @travisgroth (#484)

Package Rankings
Top 1.76% on Proxy.golang.org