
Releases: lsst-sqre/gafaelfawr

12.3.0

11 Dec 21:22
@rra rra
12.3.0
31c476f

New features

  • Allow an authenticated GafaelfawrIngress with no required scopes. This is useful for a config.onlyServices case where the token may have any scopes but must have been delegated to one of the listed services.

Bug fixes

  • Return a JSON-serializable object from the health probe for the Kubernetes operator.

What's Changed

  • DM-47986: Fix JSON serialization of Kopf health probe by @rra in #1181
  • Bump react-icons from 5.3.0 to 5.4.0 in /ui by @dependabot in #1177
  • Bump react-is from 18.3.1 to 19.0.0 in /ui by @dependabot in #1179
  • DM-48088: Allow an empty list of required scopes by @rra in #1183
  • Bump prettier from 3.4.1 to 3.4.2 in /ui by @dependabot in #1176
  • DM-48088: Convert internal scopes representation to set by @rra in #1184
  • DM-48088: Prepare Gafaelfawr 12.3.0 release by @rra in #1185

Full Changelog: 12.2.0...12.3.0

12.2.0

27 Nov 00:48
@rra rra
12.2.0
f4bcbea

New features

  • Allow a client to present an internal token to the /auth/openid/userinfo endpoint. CADC's authenticator finds the userinfo endpoint via OpenID Connect configuration and presents whatever token it has to that endpoint, so this allows it to use the regular userinfo endpoint.
  • Add optional Sentry support. If enabled and configured with the Sentry DSN secret, telemetry information will be sent to Sentry. Every trace is sampled and no effort has been made to exclude sensitive information, so this is currently only intended to be temporarily enabled in a non-production environment while debugging a specific problem.

Bug fixes

  • Avoid opening a database session in the ingress authentication path unless it is necessary to create a new delegated token.
  • Avoid creating a Google Firestore client for every request, since it does authentication setup on creation. Instead, create a single client that will be used for all requests.
  • Always omit the data_rights claim in OpenID Connect server tokens if the user has no data rights, rather than sometimes omitting it and sometimes setting it to the empty string.

Other changes

  • Update the Gafaelfawr secrets documentation with a link to the current Phalanx secrets management documentation and mark the secrets that are autogenerated by Phalanx tooling.

What's Changed

  • DM-47716: Adjust types for new Pydantic HttpUrl handling by @rra in #1159
  • DM-47716: Avoid creating Firestore clients on every request by @rra in #1160
  • DM-47716: Move token cache transaction management by @rra in #1157
  • DM-47716: Add optional support for Sentry by @rra in #1158
  • DM-47716: Move all session management to service layer by @rra in #1161
  • DM-47760: Uniformly handle claim for no data rights by @rra in #1162
  • DM-47716: Move auth metrics reporting to a background task by @rra in #1163
  • DM-47760: Allow internal tokens on the OIDC userinfo route by @rra in #1164
  • DM-47716: Update for Ruff 0.8.0 by @rra in #1166
  • DM-47716: Revert "Move auth metrics reporting to a background task" by @rra in #1167
  • DM-47789: Convert to the Safir pagination support by @rra in #1168
  • DM-47789: Use Safir timedelta validation types by @rra in #1169
  • DM-47789: Convert datetime and timedelta to Safir types by @rra in #1170
  • DM-47789: Use drop_database from Safir by @rra in #1171
  • DM-47789: Move IP address normalization into a type by @rra in #1172
  • DM-47789: Move scopes validation into a Pydantic type by @rra in #1173
  • DM-47789: Prepare 12.2.0 release by @rra in #1174

Full Changelog: 12.1.1...12.2.0

12.1.1

20 Nov 01:19
@rra rra
12.1.1
f2514c0

Bug fixes

  • Avoid double slashes in the endpoint URLs returned by /.well-known/openid-configuration, fixing a bug introduced in Gafaelfawr 12.0.0.

Other changes

  • Gafaelfawr no longer supports direct upgrades from versions older than 10.0.0. When upgrading from an older version, upgrade to 12.1.0 or earlier first and complete the database schema migration, and then upgrade to the latest version.

What's Changed

  • Update Python and JavaScript dependencies by @rra in #1145
  • DM-47646: Fix double slashes in openid-configuration URLs by @rra in #1149
  • DM-47646: Move or remove model_config settings by @rra in #1151
  • DM-47646: Rework Gafaelfawr schema management by @rra in #1152
  • DM-47646: Remove unnecessary Black configuration by @rra in #1153
  • Bump gatsby from 5.13.7 to 5.14.0 in /ui by @dependabot in #1147
  • DM-47646: Update frozen dependencies by @rra in #1154
  • DM-47646: Updated shared Ruff configuration file by @rra in #1155
  • DM-47646: Prepare Gafaelfawr 12.1.1 by @rra in #1156

Full Changelog: 12.1.0...12.1.1

12.1.0

28 Oct 23:25
@rra rra
12.1.0
cfa2a37

New features

  • Add support for client_secret_basic to the token endpoint for the OpenID Connect server. This is the recommended default authentication strategy and some clients don't support negotiating client_secret_post instead.
  • Add a config.baseInternalUrl Helm setting to override Gafaelfawr's understanding of its own internal URL, used when constructing Ingress resources from GafaelfawrIngress.
  • Gafaelfawr now adds the app.kubernetes.io/managed-by label with value Gafaelfawr to all Ingress resources generated from GafaelfawrIngress resources.
  • Separate auth metrics into auth_bot and auth_user metrics, where the former are authentications to services from bot users and the latter are authentications from non-bot users. Stop excluding mobu bot users now that they can be included in the auth_bot metric instead.
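The client_secret_basic entry above is easy to get subtly wrong on both sides of the wire: the client must form-urlencode client_id and client_secret before joining them with ':' and base64-encoding, and the server must split on the first ':' only and decode the two halves. The example below is added for this page and is not Gafaelfawr's token-endpoint code; it builds the header a client_secret_basic client sends, accepts either client_secret_basic or client_secret_post on the server side, rejects a request that presents both (RFC 6749 section 2.3 forbids it), and compares secrets in constant time. The client registry is constructed for the example and stands in for whatever lookup the real server does.

```python
import base64
import hmac
from dataclasses import dataclass
from typing import Mapping, Optional
from urllib.parse import quote, unquote

# Constructed client registry for this example; it stands in for the server's
# own configured OpenID Connect clients.
REGISTERED_CLIENTS: dict[str, str] = {
    "tap-service": "s3cret:with/reserved?chars",
}


@dataclass(frozen=True)
class ClientCredentials:
    client_id: str
    client_secret: str
    method: str  # "client_secret_basic" or "client_secret_post"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build the Authorization header a client_secret_basic client sends.

    RFC 6749 section 2.3.1: form-urlencode the id and the secret, join them
    with ':', then base64 the result. Skipping the encoding step breaks any
    secret that itself contains ':'.
    """
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(raw.encode()).decode()


def extract_credentials(
    headers: Mapping[str, str], form: Mapping[str, str]
) -> Optional[ClientCredentials]:
    """Return the credentials presented with either method, or None.

    A request that uses both methods at once is rejected outright.
    """
    auth = headers.get("Authorization", "")
    in_form = "client_id" in form and "client_secret" in form
    if auth.startswith("Basic "):
        if in_form:
            return None
        try:
            decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            return None
        if ":" not in decoded:
            return None
        client_id, secret = decoded.split(":", 1)
        return ClientCredentials(unquote(client_id), unquote(secret), "client_secret_basic")
    if in_form:
        return ClientCredentials(form["client_id"], form["client_secret"], "client_secret_post")
    return None


def authenticate_client(
    headers: Mapping[str, str], form: Mapping[str, str]
) -> Optional[ClientCredentials]:
    """Validate the presented credentials against the registry; None on any failure."""
    creds = extract_credentials(headers, form)
    if creds is None:
        return None
    # Compare against a dummy for unknown clients so reply timing does not
    # reveal whether a client_id is registered; the membership check after the
    # comparison still rejects the unknown client.
    expected = REGISTERED_CLIENTS.get(creds.client_id, "\0" * 32)
    if not hmac.compare_digest(expected.encode(), creds.client_secret.encode()):
        return None
    if creds.client_id not in REGISTERED_CLIENTS:
        return None
    return creds
```

A server that only implements client_secret_post will answer a conforming client_secret_basic client with invalid_client even though the secret is right, which is the failure mode the 12.1.0 change removes.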

What's Changed

  • DM-47011: Document config.baseInternalUrl setting by @rra in #1134
  • DM-47148: Use @override annotations where appropriate by @rra in #1135
  • DM-47148: Add label to Gafaelfawr-managed ingresses by @rra in #1136
  • DM-47148: Add support for client_secret_basic by @rra in #1141
  • Bump @babel/eslint-parser from 7.25.8 to 7.25.9 in /ui by @dependabot in #1140
  • Bump eslint-config-wesbos from 4.3.1 to 4.3.2 in /ui by @dependabot in #1139
  • Bump eslint-plugin-jsx-a11y from 6.10.1 to 6.10.2 in /ui by @dependabot in #1138
  • Bump eslint-plugin-react from 7.37.1 to 7.37.2 in /ui by @dependabot in #1137
  • DM-47148: Update dependencies by @rra in #1143
  • DM-47148: Separate bot users in auth events by @rra in #1142
  • DM-47148: Prepare 12.1.0 release by @rra in #1144

Full Changelog: 12.0.1...12.1.0

12.0.1

21 Oct 21:18
@rra rra
12.0.1
38188a5

Bug fixes

  • Fix startup error when metrics reporting is disabled.

What's Changed

  • Bump eslint-plugin-jsx-a11y from 6.10.0 to 6.10.1 in /ui by @dependabot in #1131
  • DM-47011: Fix configuration error by updating Safir by @rra in #1132
  • DM-47011: Prepare 12.0.1 release by @rra in #1133

Full Changelog: 12.0.0...12.0.1

12.0.0

18 Oct 22:35
@rra rra
12.0.0
ed611fd

Backwards-incompatible changes

  • The /auth and /auth/anonymous routes have moved to /ingress/auth and /ingress/anonymous and are no longer accessible outside of the cluster. These routes may only be accessed by the ingress controller via cluster-internal URLs. This prevents users from creating arbitrary internal tokens for themselves.
  • Drop support and remove documentation for configuring an Ingress to use Gafaelfawr rather than using the GafaelfawrIngress custom resource.
  • The /ingress/auth route now requires X-Original-URL to be set.
  • Since the CADC authentication code no longer requires the sub claim be a UUID, set sub to the username in the response from /auth/cadc/userinfo. This allows the CADC TAP server to store the username in the UWS jobs table.

New features

  • Add support for exporting metrics to Kafka using the new event metrics support in Safir. The initial set of events is limited to login metrics, authentications to services, and counts of active sessions and user tokens.
  • GafaelfawrIngress now accepts a service parameter at the top level of the configuration and uses that to tag authentication metrics by service. This corresponds to the service query parameter to the /auth route. If delegate_to is also set (config.delegate.internal.service in GafaelfawrIngress), it must match the value of service. This parameter is currently optional but will eventually become mandatory.
  • Add config.onlyServices to GafaelfawrIngress, which restricts the ingress to tokens issued to one of the listed services in addition to the other constraints.
  • If a request is authenticated with an internal token, include the service associated with that token in an X-Auth-Request-Service header passed to the protected service.
  • Setting config.baseUrl in a GafaelfawrIngress resource is no longer required. That value will be used if present, but only for constructing the login URL, not the /ingress/auth URL. Instead, a global default is set by the Helm chart. The config.baseUrl setting will be removed entirely in a future release.
  • Add new command gafaelfawr generate-schema, which generates the SQL required to create the Gafaelfawr database schema.

Bug fixes

  • If the user returns from authentication and no longer has login state in their cookie, redirect them to the destination URL without further processing instead of returning an authentication state mismatch error. The most likely cause of this state is that the user authenticated from another browser tab while this authentication is pending, so Gafaelfawr should use their existing token or restart the authentication process.
  • Reset login state after an error so that any subsequent authentication attempt will generate a new, random state parameter.
  • Stop including the required scopes in 403 errors when the request was rejected by a username restriction rather than a scope restriction, since the client cannot fix this problem by obtaining different scopes.
  • Fix an error in configuration validation, introduced in 11.0.0, that caused validation rules to not be applied to any URL or DSN in the Gafaelfawr configuration.
  • Cap the Kubernetes operator worker limit at 5 to avoid overwhelming the API server.
  • Check that tokenLifetime is at least as long as twice the minimum token lifetime.
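The 12.0.0 ingress changes (the mandatory X-Original-URL, config.onlyServices, the X-Auth-Request-Service header, and the narrower 403 body when a username restriction rejects the request) together with the 12.3.0 allowance for an empty scope list compose into a single authorization decision per ingress subrequest. The following is an added example written for this page, not Gafaelfawr's code. It takes config.onlyServices and X-Auth-Request-Service from the release notes; the scope-list field names (scopes_all, scopes_any), the single-username restriction, the X-Auth-Request-User header, the status codes and the order of the checks are this example's assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Token:
    """Minimal model of a token as presented to the ingress auth route."""

    username: str
    scopes: frozenset
    # Set only for internal tokens that were delegated to a named service.
    service: Optional[str] = None


@dataclass(frozen=True)
class IngressConfig:
    """The subset of GafaelfawrIngress config that drives the decision.

    only_services mirrors config.onlyServices. scopes_all, scopes_any and
    username are assumed names standing in for the scope lists and a
    single-user restriction; they are not taken from the release notes.
    """

    scopes_all: frozenset = frozenset()
    scopes_any: frozenset = frozenset()
    only_services: frozenset = frozenset()
    username: Optional[str] = None


@dataclass
class Decision:
    """What the auth subrequest returns to the ingress controller."""

    status: int
    headers: dict = field(default_factory=dict)
    error: dict = field(default_factory=dict)


def authorize(config: IngressConfig, token: Optional[Token], request_headers: dict) -> Decision:
    """Decide one /ingress/auth subrequest. Check order and status codes are assumed."""
    # 12.0.0: X-Original-URL is mandatory on /ingress/auth.
    if "X-Original-URL" not in request_headers:
        return Decision(400, error={"detail": "X-Original-URL header is required"})
    if token is None:
        return Decision(401, headers={"WWW-Authenticate": 'Bearer realm="example"'})

    # 12.0.0: a username restriction cannot be satisfied by acquiring more
    # scopes, so this 403 deliberately omits required_scopes.
    if config.username is not None and token.username != config.username:
        return Decision(403, error={"detail": "Access restricted to another user"})

    # 12.0.0: config.onlyServices admits only internal tokens issued to one of
    # the listed services; a user token (service=None) never qualifies.
    if config.only_services and token.service not in config.only_services:
        return Decision(403, error={"detail": "Token was not issued to an allowed service"})

    # 12.3.0: both scope lists empty means any authenticated token passes.
    missing_all = not config.scopes_all <= token.scopes
    missing_any = bool(config.scopes_any) and not (config.scopes_any & token.scopes)
    if missing_all or missing_any:
        required = sorted(config.scopes_all | config.scopes_any)
        return Decision(403, error={"detail": "Token lacks required scopes", "required_scopes": required})

    # 12.0.0: pass the service of an internal token on to the protected
    # service. X-Auth-Request-User is assumed here as the identity header.
    headers = {"X-Auth-Request-User": token.username}
    if token.service is not None:
        headers["X-Auth-Request-Service"] = token.service
    return Decision(200, headers=headers)
```

The ordering matters for what leaks to the caller: the username and service checks run before the scope check so that a request rejected for being the wrong user or the wrong service never sees the list of required scopes in its 403.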

Other changes

  • Honor the POSTGRES_5432_TCP_PORT, POSTGRES_HOST, REDIS_6379_TCP_PORT, and REDIS_HOST environment variables if they are set and override the configured database URL and Redis URL with them. This is required to work with the latest version of tox-docker for testing and development. These environment variables are not used inside a Phalanx deployment.

What's Changed

  • DM-44567: Update dependencies, adjust for new tox-docker by @rra in #1044
  • DM-45518: Update dependencies by @rra in #1060
  • Bump react-datepicker from 6.9.0 to 7.3.0 in /ui by @dependabot in #1055
  • Bump python from 3.12.3-slim-bookworm to 3.12.4-slim-bookworm by @dependabot in #1047
  • Bump medyagh/setup-minikube from 0.0.16 to 0.0.18 by @dependabot in #1053
  • DM-45518: Update Node and JavaScript dependencies by @rra in #1061
  • Bump python from 3.12.4-slim-bookworm to 3.12.5-slim-bookworm by @dependabot in #1064
  • DM-45518: Update dependencies by @rra in #1065
  • DM-45518: Add support for OpenTelemetry metrics by @rra in #1062
  • DM-45779: Undo the *String variants of Pydantic types by @rra in #1066
  • DM-45779: Use new HumanTimedelta from Safir by @rra in #1067
  • DM-45779: Switch to shared Ruff configuration by @rra in #1068
  • DM-45779: Update GitHub Actions to match current template by @rra in #1069
  • DM-45779: Exclude mobu bot users from metrics by @rra in #1070
  • DM-45768: Set sub to username for CADC reply by @rra in #1071
  • DM-45779: Drop unnecessary get_secret_value() by @rra in #1072
  • DM-45779: Update shared Ruff configuration by @rra in #1073
  • DM-45779: Improve documentation of headers by @rra in #1074
  • DM-44567: Don't upload docs if they haven't changed by @rra in #1075
  • DM-45858: Cap Gafaelfawr Kopf workers at five by @rra in #1076
  • DM-45858: Add service parameter to the auth endpoint by @rra in #1077
  • DM-45858: Update dependencies and fix broken tests by @rra in #1078
  • DM-45858: Document future CRD changes by @rra in #1079
  • DM-46019: Move dependencies, use universal dependencies by @rra in #1080
  • DM-46019: Switch to new documenteer REST API method by @rra in #1081
  • DM-46019: Document the new dependency method by @rra in #1082
  • Bump eslint-config-wesbos from 3.2.3 to 4.3.1 in /ui by @dependabot in #1084
  • Bump eslint-plugin-jsx-a11y from 6.9.0 to 6.10.0 in /ui by @dependabot in #1087
  • Bump eslint-plugin-react from 7.35.0 to 7.35.2 in /ui by @dependabot in #1086
  • Bump eslint-plugin-import from 2.29.1 to 2.30.0 in /ui by @dependabot in #1085
  • Bump styled-components from 6.1.12 to 6.1.13 in /ui by @dependabot in #1083
  • Update dependencies, set pytest-asyncio fixture scope by @rra in #1088
  • DM-46034: Remove test for top-level gafaelfawr module by @rra in #1089
  • DM-46034: Add a test that the database schema hasn't changed by @rra in #1090
  • DM-46034: Convert to the new SQLAlchemy ORM syntax by @rra in #1094
  • DM-46034: Update dependencies by @rra in #1095
  • DM-46034: Update Alembic configuration by @rra in #1096
  • DM-46310: Use uv for Docker build, verify hashes by @rra in #1097
  • fix: typo in gafaelfawringress.rst by @ac6y in #1102
  • DM-46034: Use Alembic support code from Safir by @rra in #1103
  • Bump prettier from 2.8.8 to 3.3.3 in /ui by @dependabot in #1098
  • Bump date-fns from 3.6.0 to 4.0.0 in /ui by @dependabot in #1099
  • Bump eslint from 8.57.0 to 9.10.0 in /ui by @dependabot in #1100
  • Bump python from 3.12.5-slim-bookworm to 3.12.6-slim-bookworm by @dependabot in #1101
  • Revert eslint update by @rra in #1104
  • DM-46399: Check that token lifetime is long enough by @rra in #1105
  • DM-46399: Rework handling of missing state during login by @rra in #1106
  • DM-46399: Overhaul requests from ingress-nginx by @rra in #1112
  • Bump react-datepicker from 7.3.0 to 7.4.0 in /ui by @dependabot in #1111
  • Bump date-fns from 4.0.0 to 4.1.0 in /ui by @dependabot in #1110
  • Bump eslint-plugin-prettier from 4.2.1 to 5.2.1 in /ui by @dependabot in #1108
  • Bump eslint-plugin-html from 8.1.1 to 8.1.2 in /ui by @dependabot in #1107
  • DM-46468: Update Python, pre-commit, and JavaScript dependencies by @rra in #1113
  • DM-46399: Make baseUrl optional in GafaelfawrIngress CRD by @rra in https://github.com/lsst-sqre/gafaelfaw...

11.1.1

24 May 20:23
@rra rra
11.1.1
1fa0c82

Bug fixes

  • Respect the enrollmentUrl configuration setting when CILogon is the authentication provider, fixing a problem introduced in the 11.0.0 release.
  • Detect when someone attempts to mark as admin a username that is already an admin and return a 409 error instead of raising an uncaught exception.
  • Return a more-correct 409 HTTP error code, instead of 422, when a user attempts to use a duplicate token name.
  • When creating a new token, try to remove it from Redis if the SQL write fails. This will hopefully reduce the number of orphaned tokens created during SQL server or proxy restarts.

What's Changed

  • DM-44540: Fix handling of duplicate admins by @rra in #1039
  • DM-44540: Fix HTTP error code for duplicate token names by @rra in #1040
  • DM-44541: Respect enrollmentUrl for CILogon by @rra in #1041
  • DM-44541: Remove tokens from Redis if SQL write fails by @rra in #1042
  • DM-44541: Prepare 11.1.1 release by @rra in #1043

Full Changelog: 11.1.0...11.1.1

11.1.0

23 May 23:54
@rra rra
11.1.0
6c5fcd4

New features

  • Add new authCacheDuration setting to the GafaelfawrIngress Kubernetes resource, which tells Gafaelfawr to configure NGINX to cache a Gafaelfawr response for the specified length of time. The cache is invalidated if the Cookie or Authorization HTTP headers change.

Bug fixes

  • Close database sessions after each execution of a Kopf Kubernetes operator. Previous versions of Gafaelfawr leaked sessions until the Kubernetes operator restarted.

What's Changed

  • DM-44468: Add configuration for NGINX caching by @rra in #1035
  • DM-44490: Use ParamSpec for Kubernetes exception wrapper by @rra in #1037
  • DM-44490: Close async database sessions in the operator by @rra in #1036
  • DM-44490: Prepare release 11.1.0 by @rra in #1038

Full Changelog: 11.0.1...11.1.0

11.0.1

21 May 19:19
@rra rra
11.0.1
08e8eb7

Bug fixes

  • Correctly parse the configuration if quota is set to an empty object.
  • Reject configuration files that assign scopes in groupMapping but do not define those scopes in knownScopes.

What's Changed

  • DM-44269: Fix configuration parsing of empty quota by @rra in #1032
  • DM-44269: Cross-check groupMapping and knownScopes by @rra in #1033
  • DM-44269: Prepare release 11.0.1 by @rra in #1034

Full Changelog: 11.0.0...11.0.1

11.0.0

20 May 21:59
@rra rra
11.0.0
8ede617

Backwards-incompatible changes

  • Drop support for getting user metadata from OpenID Connect token claims. LDAP, for both user metadata and group membership, is now required when using OpenID Connect authentication, including CILogon.
  • Remove support for getting group GIDs from a ForgeRock Identity Management server. LDAP support should be used instead.
  • Drop support for LDAP groups without GIDs. Either Firestore GID assignment must be enabled or LDAP must contain a GID for each group. Groups without GIDs in LDAP will be ignored if Firestore is not enabled.
  • Retrieval of the UID and primary GID from LDAP is now enabled by default unless Firestore is enabled.
  • Replace config.tokenLifetimeMinutes with config.tokenLifetime, which accepts one or more time intervals with suffixes w, d, h, m, and s for weeks, days, hours, minutes, and seconds, respectively.
  • Change the default of config.cilogon.usernameClaim to username. This is what we use for all current CILogon integrations.
  • Change the default of config.ldap.groupSearchByDn to true. To preserve the previous behavior of searching by the bare username, this setting must be explicitly set to false.
  • Support for config.loglevel in Helm values has been dropped. Use config.logLevel instead (note the capital L).
  • Remove the /auth/analyze route. This was an old way for a user to see information about their token that has been deprecated for many releases. The output used the old JWT token claim format and was missing a great deal of useful information. /auth/api/v1/user-info and /auth/api/v1/token-info should be used instead.
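The config.tokenLifetime format introduced above (one or more integer terms with w, d, h, m or s suffixes) and the 12.0.0 check that tokenLifetime is at least twice the minimum token lifetime are small enough to show end to end. The example below is added for this page and is not the parser Gafaelfawr or Safir actually uses: it parses the suffix syntax into a timedelta and returns a configuration error when the value is malformed or too short. The minimum token lifetime value is an assumed parameter, and tolerating whitespace between terms is this example's choice.

```python
import re
from datetime import timedelta
from typing import Optional

_UNITS = {"w": "weeks", "d": "days", "h": "hours", "m": "minutes", "s": "seconds"}
_TERM = re.compile(r"(\d+)\s*([wdhms])")


def parse_interval(value: str) -> timedelta:
    """Parse one or more <integer><suffix> terms such as '30d' or '1w2d3h'.

    Whitespace between terms is tolerated (an assumption of this example).
    An empty string, a bare number, or any unknown suffix is rejected.
    """
    if not re.fullmatch(r"\s*(?:\d+\s*[wdhms]\s*)+", value):
        raise ValueError(f"invalid interval {value!r}: expected terms like 1w, 2d, 3h, 4m, 5s")
    total = timedelta()
    for number, unit in _TERM.findall(value):
        total += timedelta(**{_UNITS[unit]: int(number)})
    return total


# Assumed value for illustration only; the real minimum is not stated on this page.
MINIMUM_TOKEN_LIFETIME = timedelta(hours=1)


def token_lifetime_error(value: str, minimum: timedelta = MINIMUM_TOKEN_LIFETIME) -> Optional[str]:
    """Return an error message, or None if this tokenLifetime value is acceptable.

    Mirrors the 12.0.0 rule: tokenLifetime must be at least twice the minimum
    token lifetime, and must parse at all.
    """
    try:
        lifetime = parse_interval(value)
    except ValueError as exc:
        return str(exc)
    if lifetime < 2 * minimum:
        return (
            f"tokenLifetime {value!r} ({lifetime}) is shorter than twice the"
            f" minimum token lifetime ({2 * minimum})"
        )
    return None
```

Rejecting a bare integer is deliberate: a value such as 1440 silently carrying over from the old config.tokenLifetimeMinutes setting would otherwise be misread, and the unit-suffix requirement makes that migration error loud.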

New features

  • Support overriding the HTTP authentication realm for WWW-Authenticate challenges by setting config.realm.
  • Support overriding the OpenID Connect issuer (iss claim) and key ID (kid claim) for the internal OpenID Connect server by setting config.oidcServer.issuer and config.oidcServer.kid, respectively.

Other changes

  • Drop support for running a local development instance of Gafaelfawr. This support wasn't used during development and has some maintenance cost. Integration testing of development versions of Gafaelfawr should instead be done in a development Phalanx environment.
  • Move the docker-compose.yaml file, now used only for creating Alembic migrations, into the alembic subdirectory and update the documentation for creating new Alembic migrations accordingly.

What's Changed

  • DM-43689: Move more development dependencies to requirements by @rra in #996
  • Bump @babel/eslint-parser from 7.23.10 to 7.24.1 in /ui by @dependabot in #994
  • Bump react-datepicker from 6.3.0 to 6.6.0 in /ui by @dependabot in #993
  • Bump date-fns from 3.5.0 to 3.6.0 in /ui by @dependabot in #991
  • DM-43689: Update JavaScript dependencies by @rra in #997
  • DM-43714: Switch to tox-uv, fix docs by @rra in #998
  • DM-43714: Use frozen dependencies for tox by @rra in #1005
  • Bump medyagh/setup-minikube from 0.0.15 to 0.0.16 by @dependabot in #999
  • Add explicit mention of Keycloak to docs by @rra in #1006
  • DM-44136: Update Docker base image by @rra in #1010
  • Bump eslint-plugin-html from 8.0.0 to 8.1.1 in /ui by @dependabot in #1009
  • DM-44136: Drop support for ForgeRock by @rra in #1011
  • Bump gatsby from 5.13.3 to 5.13.4 in /ui by @dependabot in #1002
  • Bump react-datepicker from 6.6.0 to 6.9.0 in /ui by @dependabot in #1007
  • Bump react-is from 18.2.0 to 18.3.1 in /ui by @dependabot in #1008
  • Bump react-icons from 5.0.1 to 5.1.0 in /ui by @dependabot in #1004
  • DM-44136: Update dependencies by @rra in #1012
  • DM-44136: Simplify sources of user metadata by @rra in #1013
  • DM-44136: Stop importing symbols from _pytest by @rra in #1014
  • DM-44136: Switch to native Pydantic camel-case support by @rra in #1015
  • DM-44136: Simplify Docker container construction by @rra in #1016
  • DM-44136: Use Annotated for dependencies and handlers by @rra in #1017
  • Bump react-icons from 5.1.0 to 5.2.0 in /ui by @dependabot in #1018
  • DM-44136: Update dependencies by @rra in #1020
  • DM-44136: Move database test helper functions to module by @rra in #1021
  • DM-44136: Refactor OIDC tests by @rra in #1022
  • DM-44136: Add test for disabling LDAP attributes by @rra in #1023
  • DM-44289: Remove /auth/analyze routes by @rra in #1024
  • DM-44269: Drop support for a local development instance by @rra in #1025
  • DM-44269: Remove workaround for FastAPI bug by @rra in #1026
  • DM-44269: Rework the Gafaelfawr configuration layer by @rra in #1029
  • Bump gatsby from 5.13.4 to 5.13.5 in /ui by @dependabot in #1030
  • Bump react-icons from 5.2.0 to 5.2.1 in /ui by @dependabot in #1028
  • Bump styled-components from 6.1.9 to 6.1.11 in /ui by @dependabot in #1027
  • DM-44269: Prepare Gafaelfawr 11.0.0 release by @rra in #1031

Full Changelog: 10.1.0...11.0.0