CHANGELOG.md

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

1.12.0 - 2021-06-25

Added

  • The JWT Authenticator (authn-jwt) supports authenticating third-party vendors that utilize JWT. See design
  • Set the default MAX_REQUESTS_PER_CONNECTION to unlimited and introduced an environment variable that lets operators set their own value; see the PR for details: cyberark/conjur#2282

Changed

  • Parsing a Conjur config with invalid YAML content now outputs a more user friendly error message without a stack trace. cyberark/conjur#2256
  • Set the Puma process explicitly to reliably restart the correct process when the Conjur configuration is reloaded. cyberark/conjur#2291

Security

  • Upgrade bindata to 2.4.10 to resolve Unspecified Issue reported by JFrog Xray cyberark/conjur#2257

1.11.7 - 2021-06-08

Added

  • Enabled authenticators can now be configured via a configuration file, or the CONJUR_AUTHENTICATORS environment variable. cyberark/conjur#2173
  • Trusted Proxies can now be configured with a configuration file or by setting the CONJUR_TRUSTED_PROXIES environment variable. cyberark/conjur#2168
  • Added conjurctl configuration show command to print the Conjur configuration values and the sources they are loaded from. cyberark/conjur#2169
  • Added conjurctl configuration apply command to restart the Conjur process and pick up changes to the configuration file. cyberark/conjur#2171

Fixed

  • Fix bug where running conjurctl server or conjurctl account create with passwords that contain commas (,) sent via stdin raised an error. cyberark/conjur#2159
  • Update the default keepalive timeout for Puma to be longer than those of most common proxies and load balancers. Previously, the load balancer in front of Conjur commonly had a longer timeout than the server itself, which could lead to Conjur closing connections while requests were still pending and the proxy returning 502 errors to the client. PR cyberark/conjur#2191

Security

1.11.6 - 2021-04-28

Fixed

  • Fix bug where running conjurctl server or conjurctl account create with non-alpha-numeric passwords sent via stdin raised an error. cyberark/conjur#2114

Changed

  • The batch secret retrieval endpoint now returns a 406 Not Acceptable instead of a 500 error when a secret with incompatible encoding is requested. cyberark/conjur#2124

Security

  • Upgrade github-pages in docs/Gemfile to resolve CVE-2021-28834 in kramdown dependency cyberark/conjur#2099
  • Bump cyberark/ubi-ruby-fips from 1.0.1 to 1.0.2 to address CVE-2021-20305. cyberark/conjur#2120

Added

1.11.5 - 2021-04-05

Fixed

  • Secrets batch requests with blank variable names now return Error 422 Unprocessable Entity. cyberark/conjur#2083

Added

  • conjurctl server and conjurctl account create allow the operator to specify the admin user's password via STDIN by providing the --password-from-stdin switch. cyberark/conjur#2043
  • conjurctl account create now allows the operator to specify the account name via the --name flag. We recommend using this explicit flag when using the --password-from-stdin option so that commands are explicit and more readable. cyberark/conjur#2043
  • /whoami API endpoint now produces audit events. cyberark/conjur#2052
  • When a user checks permissions of a non-existing role or a non-existing resource, Conjur now audits a failure message. cyberark/conjur#2059

Changed

  • The secrets batch retrieval endpoint now refers to the Accept-Encoding header rather than Accept to determine the response encoding. cyberark/conjur#2065
  • When trying to fetch a missing or empty secret, a proper error message is now returned. cyberark/conjur#2023
  • Login and authentication error stack traces are printed to the log at the default INFO level. Previously, users had to restart their servers with CONJUR_LOG_LEVEL=debug to get meaningful log messages that diagnosed configuration or enablement errors; with this change, server logs will be clearer about login or authentication errors and will include minimal stack traces. cyberark/conjur#2080
  • Conjur base image updated to v1.0.1. PR cyberark/conjur#2088

1.11.4 - 2021-03-09

Security

1.11.3 - 2021-02-22

Fixed

  • Conjur now raises a new ServiceIdMissing error if the service-id param is missing in an authentication request for the OIDC authenticator. cyberark/conjur#2004

Changed

  • Conjur now raises a RoleNotFound error when trying to authenticate a non-existent host in authn-k8s. cyberark/conjur#2046

1.11.2 - 2021-02-02

Added

  • New edge-tagged images are published to DockerHub on every master branch build. cyberark/conjur#1617

Changed

  • Conjur images are updated to use pinned versions of the public base images. Users can now determine exactly which dependencies in the Conjur Base Image project are included in their Conjur image. cyberark/conjur#1974
  • When batch secret retrieval requests are sent with an Accept: base64 header, the secret values in the response will all be Base64-encoded. Sending requests with this header allows users to retrieve binary secrets encoded in Base64. cyberark/conjur#1962
  • Conjur now verifies that the offset parameter is a valid integer value. The GET /resources request will fail if offset is not an integer greater than or equal to 0. cyberark/conjur#1997

Fixed

  • Requests with empty body and application/json Content-Type Header will now return 400 error instead of 500 error. cyberark/conjur#1968
  • Users no longer receive 500 errors when loading policy after performing database backup and restore. cyberark/conjur#1948
  • The audit endpoint no longer incorrectly reports a 404 Not Found response when the resource ID used for retrieving audit events includes a period (.). With this change, the audit endpoint is now consistent with how other Conjur endpoints handle unencoded periods in resource IDs. cyberark/conjur#2001
  • Attempts to retrieve binary secret data in a batch secret retrieval request without using the Accept: base64 header now returns a message with the 500 response to explain that improper secret encoding is the cause of the error. cyberark/conjur#1962
  • GET /resources request with non-numeric delimiter (limit or offset) now returns Error 422 Unprocessable Entity instead of Error 500. cyberark/conjur#1997
  • POST /host_factory_tokens request with an invalid IP address or CIDR range in the cidr parameter now returns Error 422 Unprocessable Entity instead of Error 500. cyberark/conjur#2011
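The batch-retrieval behaviour described across the 1.11.6, 1.11.5 and 1.11.2 entries above, written out as an added Ruby example (it is not Conjur's own controller code): a blank entry in variable_ids gives 422, a request whose Accept-Encoding lists base64 gets every value Base64-encoded, and a secret that is not valid UTF-8 requested without that header gets a 406 instead of the old 500. The sample secrets, the 404 for unknown variables and the Content-Encoding: base64 response header are assumptions made for this example.

```ruby
require 'base64'
require 'json'

# Constructed sample store (not real Conjur data): one text secret and one
# binary blob whose bytes are not valid UTF-8, as a DER-encoded key would be.
SECRET_STORE = {
  'myorg:variable:app/db-password' => 'p@ssw0rd!'.b,
  'myorg:variable:app/tls-key.der' => "\x30\x82\xff".b
}.freeze

def utf8?(bytes)
  bytes.dup.force_encoding(Encoding::UTF_8).valid_encoding?
end

def error_body(code, message)
  { 'error' => { 'code' => code, 'message' => message } }
end

# Batch retrieval as the changelog describes it. Returns [status, headers, body];
# body is a Hash a real endpoint would serialise with JSON.generate, which is
# exactly the step that used to blow up (500) on a non-UTF-8 value.
#   * a blank entry in variable_ids             -> 422 Unprocessable Entity
#   * an unknown variable                       -> 404 Not Found (assumption)
#   * Accept-Encoding lists base64              -> every value Base64-encoded,
#                                                  Content-Encoding: base64 set
#   * otherwise a value that is not valid UTF-8 -> 406 Not Acceptable, not 500
def batch_secrets(variable_ids, accept_encoding: nil, store: SECRET_STORE)
  ids = variable_ids.to_s.split(',', -1).map(&:strip)
  if ids.empty? || ids.any?(&:empty?)
    return [422, {}, error_body('unprocessable_entity', 'variable_ids contains a blank entry')]
  end

  missing = ids.reject { |id| store.key?(id) }
  unless missing.empty?
    return [404, {}, error_body('not_found', "unknown variables: #{missing.join(', ')}")]
  end

  values = ids.map { |id| [id, store[id]] }.to_h
  encodings = accept_encoding.to_s.split(',').map { |e| e.strip.downcase }
  if encodings.include?('base64')
    return [200, { 'Content-Encoding' => 'base64' },
            values.transform_values { |v| Base64.strict_encode64(v) }]
  end

  binary = values.reject { |_, v| utf8?(v) }.keys
  unless binary.empty?
    return [406, {}, error_body('not_acceptable',
                                "#{binary.join(', ')}: value is not valid UTF-8; " \
                                'request it with Accept-Encoding: base64')]
  end
  [200, {}, values.transform_values { |v| v.dup.force_encoding(Encoding::UTF_8) }]
end
```

The 406 is decided on the raw bytes before any JSON is built, so the client gets an actionable message (retry with Accept-Encoding: base64) instead of a generic server error, and a Base64 response is always encodable regardless of what the secret contains.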

Security

  • Kubernetes authenticator certificate injection process now performs certificate verification to prevent MitM attacks. Security Bulletin

1.11.1 - 2020-11-19

Added

  • UBI-based Conjur image to support the Conjur server running on OpenShift. The image will be published to the Red Hat Container Registry. cyberark/conjur#1883

1.11.0 - 2020-11-06

Added

  • GCP authenticator (authn-gcp) supports authenticating from Google Cloud Function (GCF) using a GCE instance identity token. See design for details. cyberark/conjur#1804

Changed

  • Conjur now raises an ExecCommandError instead of a CertInstallationError when it fails to install the client certificate during authn-k8s. cyberark/conjur#1860

Fixed

  • Conjur now raises an Unauthorized error when a user attempts to rotate the API key of a nonexistent role. Previously, the operation would result in a successful rotation of the existing user's API key, with no indication that the target of the operation had changed. cyberark/conjur#1914

Security

1.10.0 - 2020-10-16

Added

  • Documentation explaining how to upgrade a Conjur server deployed in a Docker Compose environment. cyberark/conjur#1528, cyberark/conjur#1584
  • When Conjur starts, we now convert blank environment variables to nil. This ensures we treat empty environment values as if the environment variable is not present, rather than attempting to use the empty string value. cyberark/conjur#1841

Changed

  • The "inject_client_cert" request now returns 202 Accepted instead of 200 OK to indicate that the cert injection has started but not necessarily completed. cyberark/conjur#1848

Fixed

  • Conjur now verifies that Kubernetes Authenticator variables exist and have a value before retrieving them, so that a proper error is raised if they don't. cyberark/conjur#1315

1.9.0 - 2020-08-31

Added

  • A new authenticator for applications running in Google Cloud Platform (authn-gcp), which supports authenticating from Google Compute Engines (GCE) using a GCE instance identity token. See design for details. cyberark/conjur#1711
  • New /whoami API endpoint for improved supportability and debugging for access tokens and client IP address determination. cyberark/conjur#1697
  • TRUSTED_PROXIES is validated at Conjur startup to ensure that it contains valid IP addresses and/or address ranges in CIDR notation. cyberark/conjur#1727
  • The /authenticate endpoint now returns a text/plain base64 encoded access token if the Accept-Encoding request header includes base64. cyberark/conjur#151

Changed

  • The Conjur server request logs now record the same IP address used by audit logs and by the network authentication filters for the restricted_to attribute. cyberark/conjur#1719
  • Conjur now only trusts 127.0.0.1 to send the X-Forwarded-For header by default. Additional trusted IP addresses may be added with the TRUSTED_PROXIES environment variable. cyberark/conjur#1725
  • Invalid CIDR notation in restricted_to now returns a policy validation error, rather than an internal server error. cyberark/conjur#1763

Fixed

  • The TRUSTED_PROXIES environment variable now works correctly again after the Rails 5 upgrade. It indicates the trusted proxy IP addresses whose X-Forwarded-For HTTP header may be used to identify the true client IP address of a request. cyberark/conjur#1689
  • A new database migration step updates the fingerprints in slosilo. The FIPS compliance update in v1.8.0 caused the previous fingerprints to be invalid. cyberark/conjur#1584
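How TRUSTED_PROXIES, X-Forwarded-For and restricted_to fit together, as an added Ruby example rather than Conjur's own middleware: TRUSTED_PROXIES entries are validated as IP addresses or CIDR ranges at startup, X-Forwarded-For is consulted only when the TCP peer is itself a trusted proxy (walking the chain from the right past trusted hops), and the resulting client IP is checked against a role's restricted_to list. The function names, the 127.0.0.1 default being prepended, and the sample addresses are assumptions for this example.

```ruby
require 'ipaddr'

def valid_ip?(text)
  IPAddr.new(text)
  true
rescue IPAddr::Error
  false
end

# TRUSTED_PROXIES: comma-separated IP addresses and/or CIDR ranges, validated
# at startup so a typo fails fast instead of silently trusting nothing.
# 127.0.0.1 is always trusted (the documented default).
def parse_trusted_proxies(env_value)
  entries = env_value.to_s.split(',').map(&:strip).reject(&:empty?)
  ranges = entries.map do |entry|
    begin
      IPAddr.new(entry)
    rescue IPAddr::Error
      raise ArgumentError, "TRUSTED_PROXIES entry #{entry.inspect} is not an IP address or CIDR range"
    end
  end
  [IPAddr.new('127.0.0.1')] + ranges
end

def trusted?(address, trusted)
  ip = IPAddr.new(address)
  trusted.any? { |range| range.include?(ip) }
rescue IPAddr::Error
  false
end

# Resolve the client IP from the TCP peer address and X-Forwarded-For.
# An untrusted peer's header is never consulted, so it cannot spoof its own
# address. For a trusted peer the chain is walked from the right (nearest hop
# first), skipping trusted proxies; the first untrusted address is the client,
# and anything a client prepended to the header is left behind.
def client_ip(remote_addr, xff_header, trusted)
  return remote_addr unless trusted?(remote_addr, trusted)
  hops = xff_header.to_s.split(',').map(&:strip).select { |h| valid_ip?(h) }
  hops.reverse_each { |hop| return hop unless trusted?(hop, trusted) }
  remote_addr # header absent or every hop trusted: the peer is the client
end

# Apply a role's restricted_to list (CIDR notation) to that client IP, as the
# authn network filter does. Invalid notation is a validation error, not a 500.
def permitted_by_restricted_to?(address, restricted_to)
  ranges = restricted_to.map do |cidr|
    begin
      IPAddr.new(cidr)
    rescue IPAddr::Error
      raise ArgumentError, "restricted_to entry #{cidr.inspect} is not valid CIDR notation"
    end
  end
  return true if ranges.empty?
  ip = IPAddr.new(address)
  ranges.any? { |range| range.include?(ip) }
end
```

The order matters for security: if X-Forwarded-For were honoured from any peer, a client could put an address inside a role's restricted_to range into the header and pass the network filter. Restricting the header to trusted proxies, and walking the chain from the proxy side, is what makes the audit-log IP and the restricted_to decision trustworthy.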

Security

  • Replaces string comparison with Secure Compare to prevent timing attacks against the API authentication endpoint. Security Bulletin
  • Roles must use basic authentication to rotate their own API key, and can no longer rotate their API key using only an access token. Security Bulletin
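Why the Secure Compare change matters, as an added Ruby example (not the project's code): an instrumented early-exit comparison exposes how many bytes were examined before the first mismatch, a constant-time comparison built the way Rack::Utils.secure_compare is does not, and a small oracle-driven recovery shows how that leak turns guessing a fixed-length API key into a per-position search instead of a brute force. ALPHABET and the sample secret are constructed for the example.

```ruby
# Instrumented version of what String#== does for an API key check: it stops
# at the first differing byte. Returns [equal?, bytes_examined]; the second
# value is what an attacker observes indirectly as response time.
def early_exit_compare(expected, guess)
  return [false, 0] unless expected.bytesize == guess.bytesize
  expected.each_byte.with_index do |byte, i|
    return [false, i + 1] unless byte == guess.getbyte(i)
  end
  [true, expected.bytesize]
end

# Constant-time comparison (same construction as Rack::Utils.secure_compare):
# XOR every byte pair and OR the differences into one accumulator, so the work
# done does not depend on where, or whether, the inputs differ. Only the length
# check short-circuits; API keys and tokens have a fixed, public length.
def secure_compare(expected, guess)
  return false unless expected.bytesize == guess.bytesize
  diff = 0
  expected.each_byte.with_index { |byte, i| diff |= byte ^ guess.getbyte(i) }
  diff.zero?
end

# Constructed alphabet for the demonstration.
ALPHABET = (('a'..'z').to_a + ('0'..'9').to_a).freeze

# What the side channel buys an attacker: use the examined-byte count as an
# oracle and recover the secret one position at a time. The correct symbol at
# position i makes the comparison examine at least one more byte (or succeed)
# than any wrong symbol, so each position costs |ALPHABET| guesses, not
# |ALPHABET| ** length overall.
def recover_via_oracle(secret, alphabet)
  found = +''
  secret.bytesize.times do |i|
    best = alphabet.max_by do |ch|
      guess = found + ch + ('A' * (secret.bytesize - i - 1))
      equal, steps = early_exit_compare(secret, guess)
      steps + (equal ? 1 : 0)
    end
    found << best
  end
  found
end
```

The recovery routine is fed the exact byte count only to keep the example deterministic; a real attacker measures latency over many samples, which is noisier but the same signal. Against secure_compare the count is always the full length, so the oracle carries no information.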

1.8.1 - 2020-07-14

Fixed

1.8.0 - 2020-07-10

Changed

  • Use OpenSSL 1.0.2u to support FIPS compliance. cyberark/conjur#1527
  • Conjur can be configured to run in FIPS-compliant or non-FIPS-compliant mode depending on requirements. FIPS-compliant mode is slightly slower than non-FIPS-compliant mode. cyberark/conjur#1527
  • Bump conjur-rack from 4.0.0 to 4.2.0 that consumes FIPS compliant slosilo. cyberark/conjur#1527
  • Print login and authentication errors to the log at INFO level. cyberark/conjur#1377
  • Print a proper message when the user does not exist in an authn or login request with the default authenticator. cyberark/conjur#1655

Added

  • Password changes (PUT /authn/:account/password) now produce audit events with message ID password. cyberark/conjur#1548
  • API key rotations (PUT /:authenticator/:account/api_key) now produce audit events with message ID api-key. cyberark/conjur#1549
  • All audit events now contain the IP address of the client that initiated the API request (e.g. [client@43868 ip="172.24.0.5"]). cyberark/conjur#1550
  • Print Conjur server FIPS mode status. cyberark/conjur#1654

Security

1.7.4 - 2020-06-17

Fixed

  • The default content type for requests is now set at the beginning of the Rack middleware chain, so that the content type is available for subsequent middleware (cyberark/conjur#1622)
  • The default content type middleware now correctly checks for the absence of the Content-Type header (cyberark/conjur#1622)

1.7.3 - 2020-06-11

Fixed

  • Host Factory host creation no longer makes unnecessary database queries, which caused performance issues with large numbers of created hosts (cyberark/conjur#1605)

1.7.2 - 2020-06-08

Fixed

  • The Conjur version is now printed on server startup, after running conjurctl server (cyberark/conjur#1590)
  • Raise a proper error for an authn request with a non-existent user against the default authn authenticator (cyberark/conjur#1591)

1.7.1 - 2020-06-03

Added

Fixed

1.7.0 - 2020-05-29

Fixed

Changed

  • Updated the title of status page to Conjur Status from Conjur (conjurinc/dap-support) - PR.
  • Policy load API endpoints now default to the application/x-yaml content-type if no content type is provided in the request (conjurinc/dap-support#74) - PR.
  • ActiveSupport uses SHA1 instead of MD5 (cyberark/conjur#1418).
  • Authentication audit events now use separate operations for authenticate, login, and validate-status workflows (cyberark/conjur#1054).
  • Authentication workflow checks the request origin before the credentials, to ensure a request is permitted to authenticate before its credentials are validated (cyberark/conjur#1568).

Added

  • The Kubernetes authentication /inject-client-cert endpoint now generates an authentication audit event with the k8s-inject-client-cert operation (cyberark/conjur#1538).
  • Adds a CertMissingCNEntry error to improve visibility of Kubernetes authenticator failures (cyberark/conjur#1278).
  • Logs the authenticator used when the authentication-container-name annotation is missing (conjurinc/dap-support#69) - PR.

Removed

  • Images are no longer published to Quay.io.

1.6.0 - 2020-04-14

Changed

  • Use Ubuntu 18.04 LTS as the base image for Conjur to continue using Ruby 2.5 (cyberark/conjur#1456).
  • Conjur image now performs a dist-upgrade as the first image build step to ensure the image includes all available vulnerability fixes in the base OS.
  • Upgrade from Rails 4 to Rails 5

1.5.1 - 2020-03-25

Fixed

1.5.0 - 2020-03-23

Added

Changed

  • Lock rotators to prevent multiple rotations from occurring simultaneously.

Fixed

  • Fix support for using deployment as K8s authentication resource type for Kubernetes >= 1.16 (#1440)

1.4.7 - 2020-03-12

Changed

  • Improved flows and rules around user creation (#1272)
  • Kubernetes authenticator now returns 403 on unpermitted hosts instead of a 401 (#1283)
  • Conjur hosts can authenticate with authn-k8s from anywhere in the policy branch (#1189)

Fixed

  • Updated broken links on server status page (#1341)

1.4.6 - 2020-01-21

Changed

  • K8s hosts' resource restrictions are extracted from annotations or from the host id. If they are defined in annotations they are taken from there; otherwise they are taken from the id.

1.4.5 - 2019-12-22

Added

Changed

  • The k8s host id no longer uses the "{@account}:host:conjur/authn-k8s/#{@service_name}/apps" prefix and instead takes the full host id from the CSR. For backwards compatibility, the prefix is still used when an older client is detected.

1.4.4 - 2019-12-19

Added

  • Early validation of account existence during OIDC authentication
  • Code coverage reporting and collection

Changed

  • Bumped puma from 3.12.0 to 3.12.2
  • Bumped rack from 1.6.11 to 1.6.12
  • Bumped excon from 0.62.0 to 0.71.0

Fixed

  • Fixed password rotation of blank password
  • Fixed bug with multi-cert CA chains in Kubernetes service accounts
  • Fixed build issues with creating namespaces with multiple values

Removed

  • Removed follower env configuration

1.4.3 - 2019-11-26

Added

  • Flattening of OSS container layers.

Changed

  • Upgraded Nokogiri to 1.10.5.
  • Upgrade base image of OSS to ubuntu:20.20.
  • Enablement work to get OSS container to work on OpenShift as-is.

1.4.2 - 2019-09-13

Fixed

  • An unset initContainer field in a deployment config pod spec will no longer cause the k8s authenticator to fail with undefined method (#1182).

1.4.1 - 2019-06-24

Fixed

  • Make sure the authentication framework only caches Role lookups for the duration of a single request. Reusing stale lookups was leading to authentication failures.

1.4.0 - 2019-04-23

Added

  • Kubernetes authentication can now work externally from Kubernetes

Changed

  • Moved changelog validation up in CI pipeline

1.3.7 - 2019-03-27

Changed

  • Updated links to Policy & Cryptography reference in API documentation
  • Updated conjur-policy-parser to v3.0.3.
  • Replaced changelog entrypoint in ci/test with a separate script. Building the conjur and conjur-test images just to be able to install and run the parse_a_changelog gem seemed a little heavyweight.
  • Renamed the old docs/ folder to design/

1.3.6 - 2019-02-19

Changed

  • Reduced IAM authentication logging
  • Refactored authentication strategies

Removed

  • Removed public access to the OIDC APIs

1.3.5 - 2019-02-07

Changed

  • Rails version updated to v4.2.11.
  • Updated Docker build to pre-compile Rails assets for Conjur image.

1.3.4 - 2018-12-19

Changed

Fixed

  • Fixed the authn_restricted_to.feature so that it doesn't depend on the default docker network (172.0.0.0/8).
  • Fixed Syslog formatting to properly escape the closing square bracket (]) per RFC 5424
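The audit-event shape shown in the 1.8.0 entry ([client@43868 ip="172.24.0.5"]) together with the RFC 5424 escaping fixed here, as an added Ruby example rather than Conjur's audit code: PARAM-VALUE escaping of backslash, double quote and closing bracket, an RFC 5424 line builder, and a small scanner that shows an escaped ] inside a value no longer ends the SD-ELEMENT. The subject@43868 and action@43868 elements, the facility and severity values and the sample role id are assumptions made for the example; 43868 is the enterprise number the page itself shows.

```ruby
# RFC 5424 PARAM-VALUE escaping: '"', '\' and ']' must each be preceded by a
# backslash. An unescaped ']' terminates the SD-ELEMENT early, so a resource
# id containing ']' could truncate the event or let a crafted id smuggle in a
# fake SD-ELEMENT that a downstream collector would trust.
def sd_escape(value)
  value.to_s.gsub(/[\\"\]]/) { |c| "\\#{c}" }
end

def sd_element(sd_id, params)
  pairs = params.map { |name, value| %(#{name}="#{sd_escape(value)}") }
  "[#{([sd_id] + pairs).join(' ')}]"
end

# One RFC 5424 line: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID
# STRUCTURED-DATA MSG, with PRI = facility * 8 + severity and '-' for empty
# structured data.
def rfc5424_line(facility:, severity:, timestamp:, hostname:, app_name:, procid:, msgid:, sd:, msg:)
  pri = facility * 8 + severity
  sd_text = sd.empty? ? '-' : sd.map { |id, params| sd_element(id, params) }.join
  "<#{pri}>1 #{timestamp} #{hostname} #{app_name} #{procid} #{msgid} #{sd_text} #{msg}"
end

# Constructed api-key audit event (message ID from the 1.8.0 entry). Facility 4
# (auth) and severity 6 (info) are assumptions; the subject and action elements
# are illustrative, only client@43868 ip="..." is taken from the page.
def sample_api_key_event(role_id, client_ip, timestamp: '2020-07-10T12:00:00Z')
  rfc5424_line(
    facility: 4, severity: 6, timestamp: timestamp, hostname: 'conjur',
    app_name: 'conjur', procid: '1', msgid: 'api-key',
    sd: {
      'subject@43868' => { 'role' => role_id },
      'action@43868'  => { 'operation' => 'rotate', 'result' => 'success' },
      'client@43868'  => { 'ip' => client_ip }
    },
    msg: "#{role_id} rotated its API key"
  )
end

# Split the STRUCTURED-DATA part of a line back into its raw elements the way
# a compliant receiver does: a ']' only closes an element when it is outside a
# quoted value and not preceded by a backslash. Everything after the last
# element is MSG and is not scanned.
def structured_data_elements(line)
  sd_and_msg = line.split(' ', 7).last
  return [] if sd_and_msg.start_with?('-')
  elements, current, in_quotes, escaped = [], nil, false, false
  sd_and_msg.each_char do |c|
    if current.nil?
      break unless c == '[' # first char that is not '[' starts MSG
      current = +'['
      next
    end
    current << c
    if escaped
      escaped = false
    elsif c == '\\'
      escaped = true
    elsif c == '"'
      in_quotes = !in_quotes
    elsif c == ']' && !in_quotes
      elements << current
      current = nil
    end
  end
  elements
end
```

Feeding a role id such as myorg:host:app/job]1 through sample_api_key_event yields three intact elements; without sd_escape the subject element would end at the first ] and the rest of the line would be misparsed.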

1.3.3 - 2018-11-20

Added

  • Added support for secure LDAP connections in the LDAP authenticator.
  • Added support to configure the LDAP authenticator with policy instead of environment variables.

1.3.2 - 2018-11-14

Fixed

  • Fixed request parameter parsing when creating or deleting a host factory token.
  • Updated ffi and loofah dependencies to latest versions of each.

1.3.1 - 2018-10-19

Fixed

  • Fixed host factory 500 server response when a Role for a given host ID already exists but there is no corresponding Resource record.
  • Improved authenticator error handling and logging.

1.3.0 - 2018-10-10

Fixed

  • Previously, loading a policy with a host factory that doesn't include any layers would cause a nil runtime exception. Now this case is checked specifically and raises a policy load error with a description of the problem.

Added

  • Added support for authenticators to implement /login in addition to /authenticate
  • Implemented /login for authn-ldap.

1.2.0 - 2018-09-18

Added

  • Added support for issuing certificates to Hosts using CAs configured as Conjur services. More details are available here.
  • Added support for Conjur CAs to use encrypted private keys
  • Implemented keyword search for Role memberships
  • Update Conjur issued certificates to include a SPIFFE SVID as a subject alternative name (SAN).

Changed

  • Change authn-k8s to expect the client cert (passed in X-SSL-Client-Certificate) to be url-escaped.
  • Update Conjur issued certificates to use the common name derived from the authenticated host, rather than use the value from the CSR.

Fixed

  • Prevent anonymous (password-less) authentication with LDAP.

1.1.2 - 2018-08-22

Fixed

  • Substantial performance improvement when loading large policy files

Security

  • Fixes a vulnerability that could allow an authn-K8s request to bypass mutual TLS authentication. All Conjur users using authn-k8s within Kubernetes or OpenShift are strongly recommended to upgrade to this version.

1.1.1 - 2018-08-10

Added

  • conjurctl export now includes the account list to support migration
  • conjurctl export allows the operator to specify the file name label using the -l or --label flag
  • Update puma to a version that understands how to handle having ipv6 disabled
  • Update puma worker timeout to allow longer requests to finish (from 1 minute to 10 minutes)

1.1.0 - 2018-07-30

Added

  • Adds conjurctl export command to provide a migration data package to Conjur EE

1.0.1 - 2018-07-23

Fixed

  • Handling of absolute user ids in policies.
  • Attempts to fetch a secret from a nonexistent resource no longer cause 500.

1.0.0 - 2018-07-16

Added

  • Audit attempts to update and fetch an invisible secret.
  • Updated license to LGPL

0.9.0 - 2018-07-11

Added

  • Adds CIDR restrictions to Host and User resources
  • Adds Kubernetes authentication
  • Optimize audit database and responses, for a significant improvement of performance.

Fixed

  • start no longer fails to show Help information.

0.8.1 - 2018-06-29

Added

  • Audit events for failed variable fetches and updates.

0.8.0 - 2018-06-26

Added

  • Audit events for entitlements, variable fetches and updates, authentication and authorization.

0.7.0 - 2018-06-25

Added

  • Added AWS Secret Access Key Rotator

0.6.0 - 2018-06-25

Added

  • AWS Hosts can authenticate using their assigned AWS IAM role.
  • Added variable rotation for Postgres databases
  • Experimental audit querying engine mounted at /audit. It can be configured to work with an external audit database by using config.audit_database configuration entry.
  • API endpoints for granting and revoking role membership
  • API endpoint for the role graph
  • Paging parameters (offset and limit) for audit API endpoints

Changed

  • RolesController#index now accepts role as a query parameter. If present, resources visible to that role are listed.
  • Resources are now only visible if the user is a member of a role that owns them or has some permission on them.
  • RolesController now implements #direct_memberships to return the direct members of a role, without recursive expansion.
  • Updated Ruby version from 2.2, which is no longer supported, to version 2.5.
  • RolesController now implements #members to return a searchable, pageable collection of members of a Role.

0.4.0 - 2018-04-10

Added

  • Policy changes now generate audit log messages. These can optionally be generated in RFC5424 format and pushed to a UNIX socket for further processing.
  • Code of Conduct

0.3.0 - 2018-01-11

Added

  • conjurctl wait command is added that can be used to check if the Conjur server is ready

Removed

0.2.0 - 2017-12-07

Added

  • Add authn-local service which issues access tokens over a Unix domain socket.

Changed

  • CTA was updated

Fixed

  • Resolved bug: Policy replace can fail when user is deleted and removed from group

0.1.1 - 2017-12-04

Changed

  • Build scripts now look at git tags to determine version and tags to use.

Fixed

  • When a policy is loaded which references a non-existent object, that error is now reported as a JSON-formatted 404 error rather than an ugly 500 error.

0.1.0 - 2017-12-04

Added

  • The first tagged version.