
Releases: lsst-sqre/gafaelfawr

3.2.1

04 Sep 00:04, @rra, commit a420df2
  • Catch exceptions in the custom resource background thread. Retry up to ten times on Kubernetes API exceptions, and crash the entire process on an unknown exception or after more than ten consecutive Kubernetes failures. This prevents a failure mode where the token update pod keeps running and appears healthy, but the watcher thread has died and nothing is being reconciled.
  • Switch to aioredis 2.0. Unfortunately, this breaks mockaioredis, so only the Docker tests (which use a real Redis server) can be run for the time being.
  • Update dependencies.
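The retry policy above, as an added illustration rather than Gafaelfawr's own code: Kubernetes API errors are retried with a consecutive-failure budget, anything else escalates out of the thread so the process exits and the pod is restarted instead of idling with a dead watcher. `KubernetesError`, `run_watcher` and the `scripted` stand-in for a watch pass are assumptions for this example; the real code would catch the Kubernetes client's exception type and call its watch API.

```python
"""Supervise a long-running watcher loop with a bounded retry budget.

Added example, not Gafaelfawr's own code. Kubernetes API errors are
retried; more than MAX_CONSECUTIVE_K8S_FAILURES in a row, or any
unexpected exception, escalates as WatcherCrashed so the caller can exit
the process rather than leave a healthy-looking pod doing nothing.
"""
import logging
import time
from typing import Callable, Sequence

log = logging.getLogger("watcher")

MAX_CONSECUTIVE_K8S_FAILURES = 10


class KubernetesError(Exception):
    """Stand-in (assumption) for the Kubernetes client's API exception."""


class WatcherCrashed(RuntimeError):
    """Escalated out of the watcher; the caller should exit the process."""


def run_watcher(
    watch_once: Callable[[], bool],
    max_failures: int = MAX_CONSECUTIVE_K8S_FAILURES,
    delay: float = 1.0,
) -> int:
    """Call watch_once() until it returns False.

    watch_once() performs one pass of the watch stream and returns True to
    keep going or False for an orderly stop. Returns the number of
    Kubernetes failures that were tolerated. Raises WatcherCrashed (chained
    to the original exception) when the consecutive-failure budget is
    exceeded or an unknown exception escapes.
    """
    consecutive = 0
    tolerated = 0
    while True:
        try:
            keep_going = watch_once()
        except KubernetesError as exc:
            consecutive += 1
            if consecutive > max_failures:
                log.error("giving up after %d consecutive Kubernetes failures", consecutive)
                raise WatcherCrashed("too many consecutive Kubernetes failures") from exc
            tolerated += 1
            log.warning("Kubernetes error (%d/%d), retrying: %s", consecutive, max_failures, exc)
            time.sleep(delay)
            continue
        except Exception as exc:
            # Do not swallow bugs: a silently dead thread inside a pod that
            # still passes its health check is exactly the failure mode this
            # guards against. Re-raise so the process dies and is restarted.
            log.exception("unexpected error in watcher")
            raise WatcherCrashed("unexpected error in watcher") from exc
        consecutive = 0  # a successful pass resets the retry budget
        if not keep_going:
            return tolerated


def scripted(events: Sequence[str]) -> Callable[[], bool]:
    """Constructed stand-in for a watch pass, driven by a list of outcomes.

    "ok" -> successful pass, "k8s" -> Kubernetes API error,
    "boom" -> unrelated bug in the handler, "stop" -> orderly shutdown.
    """
    it = iter(events)

    def watch_once() -> bool:
        event = next(it)
        if event == "k8s":
            raise KubernetesError("watch stream reset by API server")
        if event == "boom":
            raise ValueError("bug in event handler")
        return event == "ok"

    return watch_once


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Six failures, one good pass, six more: the budget resets, so this survives.
    print(run_watcher(scripted(["k8s"] * 6 + ["ok"] + ["k8s"] * 6 + ["stop"]), delay=0))
```

The budget counts consecutive failures, not total ones, so a watcher that flaps against a slow API server survives indefinitely as long as it keeps making progress; only a sustained outage or a genuine bug takes the process down.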

3.2.0

14 Jul 22:46, @rra, commit 2e37142
  • Return HTML errors from login failures instead of JSON. The HTML is currently entirely unstyled. Add a new Helm configuration option, config.errorFooter, that is included in the HTML of any error message that is shown.
  • Fail authentication and show an error if the user is not a member of any of the groups configured in config.groupMapping.
  • Revoke the GitHub OAuth authorization if the login fails due to no known groups or an invalid username, since in both cases we want to force GitHub to redo the attribute release.
  • HTTP headers are not guaranteed to support character sets other than ASCII, and Starlette forces them to ISO 8859-1. This interferes with correctly passing the user's full name to protected services via HTTP headers. Therefore, drop support for sending the user's full name via X-Auth-Request-Name. The name can still be retrieved from the /auth/api/v1/user-info API endpoint.

3.1.0

06 Jul 19:46, @rra, commit cf07313
  • Correctly handle paginated replies from GitHub for the team membership of a user.
  • On explicit logout (via /logout), revoke the OAuth authorization for the user if they authenticated with GitHub. This forces a re-release of attributes on subsequent authentication, which will make it easier for users to resolve problems with incorrect attribute releases (if, for instance, they attempted to log in before their team membership was complete).
  • Depend on Safir 2.x and drop remaining aiohttp dependency paths. Remove code that is now supplied by Safir. Share one httpx.AsyncClient across all requests and close it when the application is shut down.
  • Fix sorting of tokens retrieved from the admin API to sort by created date before token string.
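How the pagination fix in this release works, as an added example (not Gafaelfawr's code): GitHub returns list endpoints such as the teams of the authenticated user one page at a time and advertises the next page in a `Link` header, so a client that reads only the first page silently sees a truncated team list. The transport is abstracted as `get(url) -> (json_body, headers)` and the three pages below are constructed so the example runs offline; `fetch_all` and `parse_next_link` are names chosen for this example.

```python
"""Follow GitHub-style Link-header pagination to completion.

Added example, not Gafaelfawr's own code. Pages are chained by a Link
header of the form

    <https://api.github.com/user/teams?page=2>; rel="next", <...>; rel="last"

and the walk ends when no rel="next" link is present.
"""
from __future__ import annotations

import re
from typing import Any, Callable

FIRST_URL = "https://api.github.com/user/teams?per_page=2"
_BASE = "https://api.github.com/user/teams?per_page=2&page="


def _team(org: str, slug: str) -> dict[str, Any]:
    return {"slug": slug, "organization": {"login": org}}


# Constructed responses: three pages of two teams each, chained by Link headers.
_PAGES: dict[str, tuple[list[dict[str, Any]], dict[str, str]]] = {
    FIRST_URL: (
        [_team("example-org", "admins"), _team("example-org", "developers")],
        {"Link": f'<{_BASE}2>; rel="next", <{_BASE}3>; rel="last"'},
    ),
    _BASE + "2": (
        [_team("example-org", "ops"), _team("example-org", "security")],
        {"Link": f'<{_BASE}3>; rel="next", <{_BASE}3>; rel="last", '
                 f'<{_BASE}1>; rel="prev", <{_BASE}1>; rel="first"'},
    ),
    _BASE + "3": (
        [_team("other-org", "data-eng"), _team("other-org", "science")],
        {"Link": f'<{_BASE}2>; rel="prev", <{_BASE}1>; rel="first"'},
    ),
}

# One <url> followed by its ;-separated parameters, up to the next comma.
_LINK_RE = re.compile(r"<([^>]*)>\s*((?:;[^,]*)*)")


def parse_next_link(link_header: str | None) -> str | None:
    """Return the URL carrying rel="next" from a Link header, or None."""
    if not link_header:
        return None
    for match in _LINK_RE.finditer(link_header):
        url, params = match.group(1), match.group(2)
        for param in params.split(";"):
            key, _, value = param.strip().partition("=")
            if key.strip().lower() == "rel":
                # rel may be quoted and may list several relations.
                if "next" in value.strip().strip('"').split():
                    return url
    return None


def fetch_all(
    get: Callable[[str], tuple[list[Any], dict[str, str]]],
    url: str,
    max_pages: int = 100,
) -> list[Any]:
    """Collect every item from url and all pages it links to with rel="next".

    Refuses to follow a chain that revisits a URL or exceeds max_pages, so a
    misbehaving or hostile server cannot keep the client looping.
    """
    items: list[Any] = []
    seen: set[str] = set()
    next_url: str | None = url
    while next_url is not None:
        if next_url in seen:
            raise RuntimeError(f"pagination loop at {next_url}")
        if len(seen) >= max_pages:
            raise RuntimeError(f"more than {max_pages} pages")
        seen.add(next_url)
        body, headers = get(next_url)
        items.extend(body)
        link = next((v for k, v in headers.items() if k.lower() == "link"), None)
        next_url = parse_next_link(link)
    return items


def fake_get(url: str) -> tuple[list[Any], dict[str, str]]:
    """Constructed transport serving the pages above."""
    return _PAGES[url]


def team_names(teams: list[dict[str, Any]]) -> list[str]:
    """Render teams as org/slug strings, the form a group mapping would key on."""
    return [f"{t['organization']['login']}/{t['slug']}" for t in teams]


if __name__ == "__main__":
    print(team_names(fetch_all(fake_get, FIRST_URL)))
```

Membership checks built on the first page only would have missed `other-org/data-eng` and `other-org/science` here, which is how a user can appear to lack a group they actually belong to.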

3.0.3

17 Jun 17:59, @rra, commit bb70f28
  • Fix errors when returning an existing internal or notebook token in the case where two tokens had been created for the same parent token due to a race between workers. In previous versions, Gafaelfawr failed with an exception if more than one notebook or internal token matched a given set of parameters.
  • Update dependencies.

3.0.2

17 Jun 17:59, @rra, commit ab8018e
  • Display expired tokens as expired in the UI instead of showing the delta of the expiration from the current time.
  • Sort token lists in the UI in descending order by last used (not yet populated), then creation date, and only then by the token key.
  • Add a timestamp to all log messages, since not all Kubernetes log viewers show the timestamp added by Kubernetes.
  • Update dependencies.

3.0.1

17 Jun 17:58, @rra, commit 8fca360
  • Display the token key and token type when showing token change history. Since the change history includes subtokens, not showing the type or key was confusing.
  • Initialize the database if needed as part of Gafaelfawr container startup.
  • Add additional startup logging at the DEBUG level.
  • Improve error reporting if Gafaelfawr is unable to connect to its database.
  • Update dependencies.

3.0.0

19 May 00:31, @rra, commit 3740bff

This release replaces the Kubernetes secret management approach released with 2.0.0 with a new approach based on a GafaelfawrServiceToken custom resource definition. The old configuration-based approach is no longer supported.

  • Add new kubernetes-controller invocation, which reconciles all GafaelfawrServiceToken objects and then starts a watcher and processes new updates as they happen.
  • Change update-service-tokens to use the custom resource approach instead of configuration plus labeled Kubernetes Secret objects.
  • Use local Kubernetes configuration for Kubernetes operations if invoked outside of a Kubernetes cluster.
  • Increase the timeout for outbound HTTP calls to authentication providers to 20 seconds. Some authentication providers and some Kubernetes cluster networking environments can be surprisingly slow.
  • Update dependencies.

2.0.1

26 Apr 21:52, @rra, commit 157f27f
  • Cap workers spawned by the Docker image at 10. The defaults spawned 32 workers in a GKE container, which overwhelmed the available open connections with a micro Cloud SQL server.
  • Update JavaScript dependencies.

2.0.0

23 Apr 16:32, @rra, commit 5ab18ea

As of this release, Gafaelfawr now uses opaque tokens for all internal authentication and only issues JWTs as part of its OpenID Connect server support. All existing sessions and tokens will be invalidated by this upgrade and all users will have to reauthenticate.

Gafaelfawr now requires a SQL database. Its URL must be set as the config.databaseUrl Helm chart parameter.

As of this release, Gafaelfawr now uses FastAPI instead of aiohttp. OpenAPI documentation is available via the /auth/docs and /auth/redoc routes.

  • Eliminate internal JWTs, including the old session and session handle system, in favor of opaque tokens.
  • Add a new token API under /auth/api/v1 for creating, modifying, viewing, and deleting tokens. This is the basis of the new token management UI. API documentation is published under /auth/docs and /auth/redoc.
  • Add support for several classes of tokens for different purposes. Add additional token metadata to record the purpose of a token.
  • Add caching of internal and notebook tokens. Issue new internal and notebook tokens when the previous token is half-expired.
  • Add support for a bootstrap token that can be used to dynamically create other tokens or configure administrators.
  • Add support for maintaining Kubernetes secrets containing Gafaelfawr service tokens for applications that need to make authenticated calls on their own behalf.
  • Replace the /auth/tokens UI with a new UI using React and Gatsby. Currently, it supports viewing all the tokens for a user, creating and editing user tokens, revoking tokens, viewing token information with the token change history, and searching the token change history.
  • Protected applications no longer receive a copy of the user's authentication token. They must request a delegated token if they want one.
  • The /auth route now supports requesting a notebook or internal delegated token for the application.
  • Use FastAPI instead of aiohttp, and use httpx to make internal requests.
  • Add /.well-known/openid-configuration route to provide metadata about the internal OpenID Connect server. This follows the OpenID Connect Discovery 1.0 specification.
  • Enforce constraints on valid usernames matching GitHub's constraints, except without allowing capital letters.
  • Be more careful in interpreting isMemberOf claims from the upstream OpenID Connect provider and discard more invalid data.
  • Only document and support installing Gafaelfawr via the Helm chart.
  • Update all dependencies.