9.6.0

New features

• An ingress may now be restricted to a specific user by setting the username attribute in the config section of a GafaelfawrIngress, or the corresponding username query parameter to the /auth route. Any other user will receive a 403 error. The scope requiremments must also still be met.

Bug fixes

• Add an ARIA label to the icon for deleting a token in the user interface for better accessibility.

What's Changed

• [neophile] Update dependencies by @neophile-square in #897
• [neophile] Update dependencies by @neophile-square in #900
• [neophile] Update dependencies by @neophile-square in #903
• Update Python dependencies by @rra in #907
• [neophile] Update dependencies by @neophile-square in #908
• Bump eslint from 8.52.0 to 8.55.0 in /ui by @dependabot in #909
• Bump styled-components from 6.1.0 to 6.1.1 in /ui by @dependabot in #901
• Bump react-icons from 4.11.0 to 4.12.0 in /ui by @dependabot in #904
• Bump @babel/eslint-parser from 7.22.15 to 7.23.3 in /ui by @dependabot in #902
• Bump eslint-plugin-jsx-a11y from 6.7.1 to 6.8.0 in /ui by @dependabot in #898
• DM-41998: Update Python dependencies by @rra in #910
• DM-41998: Add support for per-user ingresses by @rra in #911
• DM-41998: Prepare 9.6.0 release by @rra in #912

Full Changelog: 9.5.1...9.6.0

9.5.1

Bug fixes

• Add a socket timeout, enable keepalive, and fix the retry specification for the Redis connection pool to help Gafaelfawr recover from Redis outages.
• Always mask all headers to which Gafaelfawr gives special meaning when passing requests to a service downstream of a GafaelfawrIngress, instead of only masking the ones Gafaelfawr might set in that configuration. This ensures that no service behind a GafaelfawrIngress sees, e.g., X-Auth-Request-User unless it truly is authenticated by Gafaelfawr.

What's Changed

• DM-41424: Improve Redis pool configuration by @rra in #887
• DM-41424: Always mask all Gafaelfawr response headers by @rra in #888
• DM-41424: Refactor to reduce complexity by @rra in #889
• [neophile] Update dependencies by @neophile-square in #892
• Bump actions/setup-node from 3 to 4 by @dependabot in #893
• Bump gatsby from 5.12.8 to 5.12.9 in /ui by @dependabot in #891
• Bump react-aria-modal from 5.0.0 to 5.0.2 in /ui by @dependabot in #894
• DM-41424: Prepare Gafaelfawr 9.5.1 by @rra in #895
• DM-41424: Remove blank line in changelog by @rra in #896

Full Changelog: 9.5.0...9.5.1

9.5.0

New features

• Add new /auth/cadc/userinfo route, which accepts a Gafaelfawr token and returns user metadata in the format expected by the CADC authentication code. This route is expected to be temporary and will be moved into the main token API once we decide how to handle uniqueness of the sub claim. It is therefore not currently documented outside of the autogenerated API documentation.
• Gafaelfawr now imposes a maximum run time and retention duration for its periodic maintenance jobs. These can be adjusted with the new config.maintenance.deadlineSeconds and config.maintenance.cleanupSeconds Helm settings.
• All Gafaelfawr pods now set Kubernetes resource requests and limits. The requests match the consumption of a lightly-loaded deployment using OpenID Connect and LDAP, and the limits should be generous. These can be adjusted using Helm chart values.

Bug fixes

• Log exceptions encountered while parsing OpenID Connect responses from upstream providers, not just the deduced error message. Include the body of the response from the token endpoint if it could not be parsed as JSON.

Other changes

• Include curl in the Gafaelfawr container for manual debugging of web request problems.

What's Changed

• DM-41075: Log OIDC exceptions properly by @rra in #870
• DM-41090: Document new Helm chart settings by @rra in #871
• [neophile] Update dependencies by @neophile-square in #873
• Fix typo in openid-connect.rst by @cbanek in #876
• [neophile] Update dependencies by @neophile-square in #885
• Bump eslint from 8.50.0 to 8.52.0 in /ui by @dependabot in #884
• Bump react-datepicker from 4.18.0 to 4.21.0 in /ui by @dependabot in #883
• Bump gatsby from 5.12.5 to 5.12.8 in /ui by @dependabot in #882
• Bump @babel/traverse from 7.23.0 to 7.23.2 in /ui by @dependabot in #881
• Bump styled-components from 6.0.8 to 6.1.0 in /ui by @dependabot in #878
• DM-41186: Add new route for CADC token metadata by @rra in #877
• DM-41186: Prepare 9.5.0 release by @rra in #886

New Contributors

• @cbanek made their first contribution in #876

Full Changelog: 9.4.0...9.5.0

9.4.0

New features

• Gafaelfawr now supports the common LDAP configuration of recording group membership by full user DN rather than only username. Set group_search_by_dn to search for the user by full DN in the group tree. This requires LDAP also be used for user metadata.
• Allow the Gafaelfawr log level to be specified using any case (info as well as INFO, for example).

Other changes

• Gafaelfawr now uses Pydantic v2. This should not result in any user-visible changes, but it is possible there will be some unexpected differences in data serialization or deserialization.
• Log the full contents of the upstream OIDC token before token verification if debug logging is enabled.

What's Changed

• [neophile] Update dependencies by @neophile-square in #853
• Update Python dependencies by @rra in #854
• [neophile] Update dependencies by @neophile-square in #856
• Bump gatsby from 5.12.3 to 5.12.4 in /ui by @dependabot in #850
• Bump eslint from 8.48.0 to 8.49.0 in /ui by @dependabot in #851
• Bump react-icons from 4.10.1 to 4.11.0 in /ui by @dependabot in #852
• Bump react-datepicker from 4.16.0 to 4.18.0 in /ui by @dependabot in #857
• Bump formik from 2.4.3 to 2.4.5 in /ui by @dependabot in #858
• Update dependencies and fix broken links by @rra in #859
• DM-40744: Convert to Pydantic v2 by @rra in #855
• Update dependencies by @rra in #863
• [neophile] Update dependencies by @neophile-square in #864
• Bump gatsby from 5.12.4 to 5.12.5 in /ui by @dependabot in #865
• DM-23878: Update dependencies by @rra in #866
• DM-23878: Allow the LDAP group search to be configured by @rra in #860
• DM-23878: Support specifying log level in any case by @rra in #867
• DM-23878: Refactor LDAP code to avoid duplication by @rra in #868
• DM-23878: Prepare 9.4.0 release by @rra in #869

Full Changelog: 9.3.1...9.4.0

9.3.1

Bug fixes

• Gafaelfawr previously accepted a group_mapping rule whose value was a string rather than a list of group names and interpreted it as a list of single-letter group names corresponding to the letters in the string. This configuration now produces a validation error during startup.
• The Gafaelfawr Kubernetes operator now rejects GafaelfawrIngress resources with invalid scopes and sets an error status, rather than creating an Ingress resource that will always fail.

What's Changed

• [neophile] Update dependencies by @neophile-square in #815
• Bump eslint from 8.45.0 to 8.46.0 in /ui by @dependabot in #816
• Bump eslint-config-prettier from 8.8.0 to 8.9.0 in /ui by @dependabot in #817
• Bump medyagh/setup-minikube from 0.0.13 to 0.0.14 by @dependabot in #820
• Bump eslint-plugin-import from 2.27.5 to 2.28.0 in /ui by @dependabot in #819
• Bump eslint-plugin-react from 7.33.0 to 7.33.1 in /ui by @dependabot in #818
• [neophile] Update dependencies by @neophile-square in #822
• Bump eslint-config-prettier from 8.9.0 to 9.0.0 in /ui by @dependabot in #823
• Bump formik from 2.4.2 to 2.4.3 in /ui by @dependabot in #824
• Bump styled-components from 6.0.5 to 6.0.7 in /ui by @dependabot in #825
• Bump cryptography from 41.0.2 to 41.0.3 in /requirements by @dependabot in #821
• Bump eslint from 8.46.0 to 8.47.0 in /ui by @dependabot in #827
• [neophile] Update dependencies by @neophile-square in #826
• [neophile] Update dependencies by @neophile-square in #828
• Bump eslint-plugin-react from 7.33.1 to 7.33.2 in /ui by @dependabot in #830
• Bump gatsby from 5.11.0 to 5.12.2 in /ui by @dependabot in #833
• Bump @babel/eslint-parser from 7.22.10 to 7.22.11 in /ui by @dependabot in #832
• Bump eslint from 8.47.0 to 8.48.0 in /ui by @dependabot in #831
• Bump eslint-plugin-import from 2.28.0 to 2.28.1 in /ui by @dependabot in #829
• [neophile] Update dependencies by @neophile-square in #834
• Bump python from 3.11.4-slim-bullseye to 3.11.5-slim-bullseye by @dependabot in #835
• DM-40495: Add better error reporting of linkcheck failures by @rra in #836
• DM-40567: Synchronize Ruff configuration with neophile by @rra in #837
• DM-40567: Diagnose group mappings to strings by @rra in #838
• DM-40567: Diagnose invalid GafaelfawrIngress scopes by @rra in #839
• DM-40567: Rename the scriv template by @rra in #840
• [neophile] Update dependencies by @neophile-square in #841
• Bump actions/checkout from 3 to 4 by @dependabot in #843
• Bump @babel/eslint-parser from 7.22.11 to 7.22.15 in /ui by @dependabot in #842
• DM-40567: Minor cleanups and dependency updates by @rra in #845
• DM-40567: Use new Click help function from Safir by @rra in #846
• DM-40567: Prepare 9.3.1 release by @rra in #847

Full Changelog: 9.3.0...9.3.1

9.3.0

New features

• To configure Gafaelfawr to use the cluster-internal PostgreSQL service, use the Helm chart setting config.internalDatabase rather than setting an explicit URL. Setting config.databaseUrl to the internal PostgreSQL URL will still work for existing deployments, but using config.internalDatabase instead will be required in the future for correct secrets management.
• Gafaelfawr can now listen on additional hostnames specified by setting ingress.additionalHosts in the Helm configuration. Only token authentication will be supported for ingresses using those hostnames; interactive browser authentication will not work.

Bug fixes

• Restore the newline after the output from gafaelfawr generate-session-secret and gafaelfawr generate-token, accidentally dropped in 9.2.1.

What's Changed

• [neophile] Update dependencies by @sqrbot in #771
• DM-39519: Add newline back to Gafaelfawr CI output by @rra in #773
• Bump eslint from 8.41.0 to 8.42.0 in /ui by @dependabot in #772
• [neophile] Update dependencies by @sqrbot in #774
• Bump @babel/eslint-parser from 7.21.8 to 7.22.5 in /ui by @dependabot in #776
• Bump react-aria-modal from 4.0.2 to 5.0.0 in /ui by @dependabot in #778
• Bump react-datepicker from 4.12.0 to 4.13.0 in /ui by @dependabot in #777
• Bump python from 3.11.3-slim-bullseye to 3.11.4-slim-bullseye by @dependabot in #775
• DM-39627: Run neophile from GitHub Actions by @rra in #779
• DM-39627: Fix comment on periodic workflow by @rra in #780
• [neophile] Update dependencies by @sqrbot in #781
• Bump react-datepicker from 4.13.0 to 4.15.0 in /ui by @dependabot in #790
• Bump gatsby from 5.10.0 to 5.11.0 in /ui by @dependabot in #782
• Bump formik from 2.4.1 to 2.4.2 in /ui by @dependabot in #784
• Bump react-icons from 4.9.0 to 4.10.1 in /ui by @dependabot in #787
• Bump eslint from 8.42.0 to 8.44.0 in /ui by @dependabot in #789
• DM-39919: Stop setting neophile email by @rra in #791
• [neophile] Update dependencies by @neophile-square in #792
• [neophile] Update dependencies by @neophile-square in #793
• Bump styled-components from 5.3.11 to 6.0.3 in /ui by @dependabot in #794
• Bump @babel/eslint-parser from 7.22.5 to 7.22.7 in /ui by @dependabot in #795
• DM-39989: Use tox to run neophile by @rra in #797
• DM-39989: Update dependencies by @rra in #798
• DM-39989: Use new neophile GitHub Action by @rra in #799
• DM-39989: Use new GitHub Action for Docker image by @rra in #800
• DM-40041: Switch minikube setup actions by @rra in #801
• [neophile] Update dependencies by @neophile-square in #802
• Bump eslint from 8.44.0 to 8.45.0 in /ui by @dependabot in #803
• Bump styled-components from 6.0.3 to 6.0.4 in /ui by @dependabot in #804
• Bump @babel/eslint-parser from 7.22.7 to 7.22.9 in /ui by @dependabot in #805
• Increase the timeout for periodic CI by @rra in #806
• [neophile] Update dependencies by @neophile-square in #810
• Bump styled-components from 6.0.4 to 6.0.5 in /ui by @dependabot in #808
• Bump eslint-plugin-react from 7.32.2 to 7.33.0 in /ui by @dependabot in #809
• Flesh out periodic CI check by @rra in #811
• Add docs for internalDatabase, additionalHosts by @rra in #812
• Switch to new syntax for GitHub Actions output by @rra in #813
• Prepare 9.3.0 release by @rra in #814

New Contributors

• @neophile-square made their first contribution in #792

Full Changelog: 9.2.2...9.3.0

9.2.2

Bug fixes

• Limit the number of connections opened by the Redis connection pool, and wait for a connection to become available if all of them are in use.
• Use the asyncio version of Redis request retrying instead of (in conflict with everything else Gafaelfawr does) the sync version.

Other changes

• Suppress logged warnings about invalid groups if they match the pattern of COmanage internal groups (start with CO:).

What's Changed

• Bump eslint from 8.40.0 to 8.41.0 in /ui by @dependabot in #761
• Bump gatsby from 5.9.1 to 5.10.0 in /ui by @dependabot in #760
• [neophile] Update dependencies by @sqrbot in #759
• [neophile] Update dependencies by @sqrbot in #762
• Bump react-icons from 4.8.0 to 4.9.0 in /ui by @dependabot in #766
• Bump styled-components from 5.3.10 to 5.3.11 in /ui by @dependabot in #765
• Bump formik from 2.2.9 to 2.4.0 in /ui by @dependabot in #764
• Bump react-datepicker from 4.11.0 to 4.12.0 in /ui by @dependabot in #763
• DM-39486: Hopefully fix Redis connection pooling by @rra in #767
• DM-39486: Use PackageLoader to load templates by @rra in #768
• DM-39486: Suppress warnings about CO: groups by @rra in #769
• DM-39486: Prepare 6.2.2 release by @rra in #770

Full Changelog: 9.2.1...9.2.2

9.2.1

Bug fixes

• TCP keepalive for Redis connections apparently caused problems with holding connections open that the Redis server wanted to close. The TCP keepalive setting has been removed, which appears to increase the stability of the Redis connections.
• Connections to Redis are now retried longer (about eight seconds instead of three seconds) in the hope of surviving a Redis restart without failures.

Other changes

• Gafaelfawr now uses the Ruff linter instead of flake8, isort, and pydocstyle.

What's Changed

• [neophile] Update dependencies by @sqrbot in #746
• Bump gatsby from 5.8.1 to 5.9.0 in /ui by @dependabot in #750
• Bump prettier from 2.8.7 to 2.8.8 in /ui by @dependabot in #749
• Bump eslint from 8.38.0 to 8.39.0 in /ui by @dependabot in #748
• Bump styled-components from 5.3.9 to 5.3.10 in /ui by @dependabot in #747
• Bump date-fns from 2.29.3 to 2.30.0 in /ui by @dependabot in #751
• Bump @babel/eslint-parser from 7.21.3 to 7.21.8 in /ui by @dependabot in #753
• Bump eslint from 8.39.0 to 8.40.0 in /ui by @dependabot in #754
• [neophile] Update dependencies by @sqrbot in #752
• [neophile] Update dependencies by @sqrbot in #756
• DM-39186: Redo Redis connection configuration by @rra in #755
• DM-39186: Convert to Ruff for linting by @rra in #757
• DM-39186: Drop aiofiles dependency by @rra in #758

Full Changelog: 9.2.0...9.2.1

9.2.0

New features

• Kerberos GSSAPI binds to authenticate to an LDAP server are now supported.
• To align with other services, the Gafaelfawr log level should now be set with config.logLevel rather than config.loglevel (note the capital L). The old setting is temporarily supported for backward compatibility but will be removed in a later release.
• Failures to deserialize or decrypt data stored in Redis are now reported to Slack if Slack alerting is enabled.
• Redis connection errors are now retried up to five times with exponential backoff before aborting with an error (for a total delay of up to about three seconds). TCP keepalive is now set on the Redis connection.

Other changes

• The Gafaelfawr change log is now maintained using scriv.
• Gafaelfawr no longer adds timestamps to each of its log messages. This was a workaround for Argo CD not displaying log timestamps, which has now been fixed.
• The documentation for running commands with tox has been updated for the new command-line syntax in tox v4. To run a local development server, use tox run -e run.
• Model API documentation is now generated with autodoc_pydantic to include proper field documentation.

What's Changed

• [neophile] Update dependencies by @sqrbot in #714
• Bump prettier from 2.8.4 to 2.8.5 in /ui by @dependabot in #715
• DM-38414: Fix error reporting when knownScopes incomplete by @rra in #716
• Bump gatsby from 5.7.0 to 5.8.0 in /ui by @dependabot in #718
• Bump prettier from 2.8.5 to 2.8.7 in /ui by @dependabot in #719
• Bump eslint-config-prettier from 8.7.0 to 8.8.0 in /ui by @dependabot in #721
• Bump react-datepicker from 4.10.0 to 4.11.0 in /ui by @dependabot in #726
• Bump gatsby from 5.8.0 to 5.8.1 in /ui by @dependabot in #725
• Bump eslint from 8.36.0 to 8.37.0 in /ui by @dependabot in #724
• Bump python from 3.11.2-slim-bullseye to 3.11.3-slim-bullseye by @dependabot in #727
• Bump eslint from 8.37.0 to 8.38.0 in /ui by @dependabot in #728
• DM-38414: Minor documentation fixes by @rra in #729
• [neophile] Update dependencies by @sqrbot in #717
• DM-38414: Update GitHub Actions configuration by @rra in #730
• DM-38414: Switch to scriv for change log managmeent by @rra in #732
• DM-38414: Tweak the application setup by @rra in #731
• [neophile] Update dependencies by @sqrbot in #733
• DM-38747: Support Kerberos GSSAPI binds to LDAP by @rra in #734
• DM-38414: Switch to Safir 4.0.0 by @rra in #735
• DM-38414: Use InputValidationError for more exceptions by @rra in #736
• DM-38414: Use separate HTTPX exceptions for providers by @rra in #737
• DM-38414: Use Redis storage layer from Safir by @rra in #738
• DM-38414: Report Redis deserialization errors to Slack by @rra in #739
• DM-38414: Enable Redis keepalive and retries by @rra in #740
• DM-38414: Document the new tox command line by @rra in #741
• DM-38414: Improve API documentation by @rra in #742
• DM-38414: Use allowlist_externals by @rra in #743
• DM-38414: Do not build on push with merge queues by @rra in #744
• DM-38414: Prepare 9.2.0 release by @rra in #745

Full Changelog: 9.1.0...9.2.0

9.1.0

New features

• Gafaelfawr now supports setting API and notebook quotas in its configuration, and calculates the quota for a given user based on their group membership. This quota information is returned by the /auth/api/v1/user-info route, but is not otherwise used by Gafaelfawr (yet).
• Server-side failures during login, such as inability to reach the authentication provider or invalid responses from the authentication provider, are now reported to Slack if a Slack webhook is configured.
• When using an OpenID Connect authentication provider, Gafaelfawr now supports looking up the GIDs of user groups in a ForgeRock Identity Management server (specifically, in the groups collection of the freeipa component).

Bug fixes

• Explicitly disable caching of enrollment redirects. Some browsers appear to cache 307 redirects and redirected the user back to enrollment the next time they logged in.
• Uniformly use Cache-Control: no-cache, no-store to disable caching of errors and redirects. Previously, Gafaelfawr also added must-revalidate (but not max-age). This appears to not be necessary or useful with modern browsers.
• Correctly expand backtraces of uncaught exceptions in Uvicorn logs.
• Diagnose and display a proper error if the OpenID Connect token from the authentication provider contains multiple usernames.
• Return a status code of 500 instead of 403 for server-side errors during login.
• Errors in querying an external source of user information, such as Firestore or LDAP, are now caught in the /auth route and only logged, not reported to Slack as uncaught exceptions. The /auth route may receive multiple requests per second and should not report every error due to a possible external outage to Slack.
• Errors in querying an external source of user information in the /auth/api/v1/user-info route are now caught, reported to Slack, and result in an orderly error message instead of an uncaught exception.
• Set a timeout on Kubernetes watches in the Kubernetes operator to work around a Kubernetes server bug where watches of unlimited duration will sometimes go silent and stop receiving events.
• Mark Kubernetes object parsing failures as Kopf permanent failures so that the same version of the object will not be retried. Mark Kubernetes API failures as temporary failures so that the retry schedule is configurable.

Other changes

• Gafaelfawr now supports camel-case in its configuration file to allow using the same names for most configuration settings and Helm chart values.
• More log messages related to retrieving user metadata, particularly those during initial login, now include the username of the user.

What's Changed

• [neophile] Update dependencies by @sqrbot in #669
• Bump gatsby from 5.3.3 to 5.4.2 in /ui by @dependabot in #676
• Bump eslint-plugin-react from 7.31.11 to 7.32.1 in /ui by @dependabot in #675
• Bump eslint from 8.31.0 to 8.32.0 in /ui by @dependabot in #674
• Bump prettier from 2.8.2 to 2.8.3 in /ui by @dependabot in #673
• Bump eslint-config-wesbos from 3.2.0 to 3.2.3 in /ui by @dependabot in #670
• [neophile] Update dependencies by @sqrbot in #677
• Bump eslint-plugin-import from 2.26.0 to 2.27.5 in /ui by @dependabot in #679
• Bump eslint-plugin-jsx-a11y from 6.6.1 to 6.7.1 in /ui by @dependabot in #678
• [neophile] Update dependencies by @sqrbot in #680
• Bump gatsby from 5.4.2 to 5.5.0 in /ui by @dependabot in #684
• Bump eslint from 8.32.0 to 8.33.0 in /ui by @dependabot in #683
• Bump eslint-plugin-react from 7.32.1 to 7.32.2 in /ui by @dependabot in #682
• Bump react-datepicker from 4.8.0 to 4.9.0 in /ui by @dependabot in #681
• DM-37833: Maintenance updates by @rra in #685
• DM-37833: Support camel-case in configuration by @rra in #686
• [neophile] Update dependencies by @sqrbot in #687
• Bump docker/build-push-action from 3 to 4 by @dependabot in #688
• [neophile] Update dependencies by @sqrbot in #689
• Bump prettier from 2.8.3 to 2.8.4 in /ui by @dependabot in #693
• Bump gatsby from 5.5.0 to 5.6.0 in /ui by @dependabot in #692
• Bump eslint from 8.33.0 to 8.34.0 in /ui by @dependabot in #691
• Bump gatsby from 5.6.0 to 5.6.1 in /ui by @dependabot in #697
• Bump python from 3.11.1-slim-bullseye to 3.11.2-slim-bullseye by @dependabot in #690
• Bump gatsby from 5.6.1 to 5.7.0 in /ui by @dependabot in #698
• Bump eslint from 8.34.0 to 8.35.0 in /ui by @dependabot in #699
• DM-37833: Add basic quota support by @rra in #695
• DM-38170: Disable caching of enrollment redirects by @rra in #700
• [neophile] Update dependencies by @sqrbot in #701
• Bump react-icons from 4.7.1 to 4.8.0 in /ui by @dependabot in #704
• Bump eslint-config-prettier from 8.6.0 to 8.7.0 in /ui by @dependabot in #703
• Bump styled-components from 5.3.6 to 5.3.8 in /ui by @dependabot in #702
• DM-38170: Update to latest Safir and catch multiple usernames by @rra in #705
• DM-38170: Update changelog, use Self type by @rra in #706
• DM-37833: Add documentation for rudimentary quota support by @rra in #708
• [neophile] Update dependencies by @sqrbot in #709
• Bump eslint from 8.35.0 to 8.36.0 in /ui by @dependabot in #710
• DM-38272: Improve logging and error reporting by @rra in #707
• DM-38376: Improve Kopf configuration and error handling by @rra in #713
• DM-38058: Add support for ForgeRock Identity Management by @rra in #712

Full Changelog: 9.0.0...9.1.0