Skip to content

Commit

Permalink
Merge pull request #528 from sebadob/prepare-v0.24.1
Browse files Browse the repository at this point in the history
prepare v0.24.1
sebadob authored Jul 24, 2024
2 parents 4b34c62 + 76a46eb commit 215fd36
Showing 13 changed files with 77 additions and 40 deletions.
41 changes: 39 additions & 2 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,15 +1,52 @@
# Changelog

## UNRELEASED
## 0.24.1

TODO
The last weeks were mostly for updating the documentation and including all the new features that came to Rauthy in
the last months. Some small things are still missing, but it's almost there.

Apart from that, this is an important update because it fixes some security issues in external dependencies.

### Security

Security issues in external crates have been fixed:

- moderate [matrix-sdk-crypto](https://github.com/sebadob/rauthy/security/dependabot/54)
- moderate [openssl](https://github.com/sebadob/rauthy/security/dependabot/55)
- low [vodozemac](https://github.com/sebadob/rauthy/security/dependabot/53)

### Changes

# `S3_DANGER_ACCEPT_INVALID_CERTS` renamed

The config var `S3_DANGER_ACCEPT_INVALID_CERTS` has been renamed to `S3_DANGER_ALLOW_INSECURE`. This is not a breaking
change right now, because for now Rauthy will accept both versions to not introduce a breaking change, but the
deprecated values will be removed after v0.24.

### S3 Compatibility

Quite a few internal dependencies have been updated to the latest versions (where it made sense).

One of them was my own [cryptr](https://github.com/sebadob/cryptr). This was using the `rusty-s3` crate beforehand,
which is a nice one when working with S3 storages, but had 2 issues. One of them is that it is using pre-signed URLs.
That is not a flaw in the first place, just a design decision to become network agnostic. The other one was that it
signed the URL in a way that would make the request not compatible with [Garage](https://garagehq.deuxfleurs.fr/).
I migrated `cryptr` to my own [s3-simple](https://github.com/sebadob/s3-simple) which solves these issues.

This update brings compatibility with the `garage` s3 storage for Rauthy's S3 backup feature.

[f1eab35](https://github.com/sebadob/rauthy/commit/f1eab35dcbf195ed38d11756e1df69f42e05e7e0)

### Bugfixes

- Fetching the favicon (and possibly other images) was forbidden because of the new CSRF middleware from some weeks
ago.
[76cd728](https://github.com/sebadob/rauthy/commit/76cd7281fcd1493c9f0cbb208c3fa7ef93814422)
- The UI and the backend had a difference in input validation for `given_name` and `family_name` which could make
some buttons in the UI get stuck. This has been fixed and the validation for these 2 is the same everywhere and at
least 1 single character is required now.
[19d512a](https://github.com/sebadob/rauthy/commit/19d512ad6ea930467f51d7b704252d3edee7ef1c)

## v0.24.0

Many thousands of lines have been refactored internally to provide better maintainability in the future.
24 changes: 12 additions & 12 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion Cargo.toml
Original file line number Diff line number Diff line change
@@ -4,7 +4,7 @@ members = ["src/*"]
exclude = ["rauthy-client"]

[workspace.package]
version = "0.24.1-20240724"
version = "0.24.1"
edition = "2021"
authors = ["Sebastian Dobe <[email protected]>"]
license = "Apache-2.0"
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
@@ -192,7 +192,7 @@ the application yourself with docker on your localhost. Rauthy has pretty strict
browsers treat `localhost` as being secure, therefore you should allow insecure cookies for testing locally:

```
docker run --rm -e COOKIE_MODE=danger-insecure -p 8080:8080 ghcr.io/sebadob/rauthy:0.24.0-lite
docker run --rm -e COOKIE_MODE=danger-insecure -p 8080:8080 ghcr.io/sebadob/rauthy:0.24.1-lite
```

## Contributing
6 changes: 3 additions & 3 deletions book/src/getting_started/docker.md
Original file line number Diff line number Diff line change
@@ -12,7 +12,7 @@ docker run --rm \
-e COOKIE_MODE=danger-insecure \
-p 8080:8080 \
--name rauthy \
ghcr.io/sebadob/rauthy:0.24.0-lite
ghcr.io/sebadob/rauthy:0.24.1-lite
```

This will start the container in interactive mode with an in-memory SQLite database. Just take a look at the log at the
@@ -26,7 +26,7 @@ docker run -d \
-e DATABASE_URL=sqlite:data/rauthy.db \
-p 8080:8080 \
--name rauthy \
ghcr.io/sebadob/rauthy:0.24.0-lite
ghcr.io/sebadob/rauthy:0.24.1-lite
```

```admonish note
@@ -124,7 +124,7 @@ docker run -d \
-v $(pwd)/rauthy/data:/app/data \
-p 8080:8080 \
--name rauthy \
ghcr.io/sebadob/rauthy:0.24.0-lite
ghcr.io/sebadob/rauthy:0.24.1-lite
```

**6. Restrict DB files access even more**
2 changes: 1 addition & 1 deletion book/src/getting_started/k8s.md
Original file line number Diff line number Diff line change
@@ -208,7 +208,7 @@ spec:
fsGroup: 10001
containers:
- name: rauthy
image: ghcr.io/sebadob/rauthy:0.24.0-lite
image: ghcr.io/sebadob/rauthy:0.24.1-lite
imagePullPolicy: IfNotPresent
securityContext:
# User ID 10001 is actually built into the container at the creation for
2 changes: 1 addition & 1 deletion docs/config/config.html
Original file line number Diff line number Diff line change
@@ -363,7 +363,7 @@ <h1 id="reference-config"><a class="header" href="#reference-config">Reference C
#S3_BUCKET=my_s3_bucket_name
#S3_ACCESS_KEY=
#S3_ACCESS_SECRET=
#S3_DANGER_ACCEPT_INVALID_CERTS=false
#S3_DANGER_ALLOW_INSECURE=false

# Restores the given backup
#
8 changes: 4 additions & 4 deletions docs/config/user_reg.html
Original file line number Diff line number Diff line change
@@ -317,16 +317,16 @@ <h3 id="custom-frontend"><a class="header" href="#custom-frontend">Custom Fronte
#[validate(email)]
email: String,
/// Validation: `[a-zA-Z0-9À-ÿ-\\s]{1,32}`
#[validate(regex(path = "RE_USER_NAME", code = "[a-zA-Z0-9À-ÿ-\\s]{1,32}"))]
#[validate(regex(path = "*RE_USER_NAME", code = "[a-zA-Z0-9À-ÿ-\\s]{1,32}"))]
family_name: String,
/// Validation: `[a-zA-Z0-9À-ÿ-\\s]{1,32}`
#[validate(regex(path = "RE_USER_NAME", code = "[a-zA-Z0-9À-ÿ-\\s]{1,32}"))]
#[validate(regex(path = "*RE_USER_NAME", code = "[a-zA-Z0-9À-ÿ-\\s]{1,32}"))]
given_name: String,
/// Validation: `[a-zA-Z0-9,.:/_\-&amp;?=~#!$'()*+%]+`
#[validate(regex(path = "RE_URI", code = "[a-zA-Z0-9,.:/_\\-&amp;?=~#!$'()*+%]+"))]
#[validate(regex(path = "*RE_URI", code = "[a-zA-Z0-9,.:/_\\-&amp;?=~#!$'()*+%]+"))]
pow: String,
/// Validation: `[a-zA-Z0-9,.:/_\-&amp;?=~#!$'()*+%]+`
#[validate(regex(path = "RE_URI", code = "[a-zA-Z0-9,.:/_\\-&amp;?=~#!$'()*+%]+"))]
#[validate(regex(path = "*RE_URI", code = "[a-zA-Z0-9,.:/_\\-&amp;?=~#!$'()*+%]+"))]
redirect_uri: Option&lt;String&gt;,
}
<span class="boring">}</span></code></pre></pre>
6 changes: 3 additions & 3 deletions docs/getting_started/docker.html
Original file line number Diff line number Diff line change
@@ -184,7 +184,7 @@ <h2 id="testing--local-evaluation"><a class="header" href="#testing--local-evalu
-e COOKIE_MODE=danger-insecure \
-p 8080:8080 \
--name rauthy \
ghcr.io/sebadob/rauthy:0.24.0-lite
ghcr.io/sebadob/rauthy:0.24.1-lite
</code></pre>
<p>This will start the container in interactive mode with an in-memory SQLite database. Just take a look at the log at the
logs to see the URL and first password.</p>
@@ -194,7 +194,7 @@ <h2 id="testing--local-evaluation"><a class="header" href="#testing--local-evalu
-e DATABASE_URL=sqlite:data/rauthy.db \
-p 8080:8080 \
--name rauthy \
ghcr.io/sebadob/rauthy:0.24.0-lite
ghcr.io/sebadob/rauthy:0.24.1-lite
</code></pre>
<div id="admonition-note" class="admonition admonish-note">
<div class="admonition-title">
@@ -279,7 +279,7 @@ <h2 id="production-setup"><a class="header" href="#production-setup">Production
-v $(pwd)/rauthy/data:/app/data \
-p 8080:8080 \
--name rauthy \
ghcr.io/sebadob/rauthy:0.24.0-lite
ghcr.io/sebadob/rauthy:0.24.1-lite
</code></pre>
<p><strong>6. Restrict DB files access even more</strong><br />
After rauthy has done the first start, you could harden the access rights of the SQLite files even more.<br />
2 changes: 1 addition & 1 deletion docs/getting_started/k8s.html
Original file line number Diff line number Diff line change
@@ -351,7 +351,7 @@ <h3 id="create-and-apply-the-stateful-set"><a class="header" href="#create-and-a
fsGroup: 10001
containers:
- name: rauthy
image: ghcr.io/sebadob/rauthy:0.24.0-lite
image: ghcr.io/sebadob/rauthy:0.24.1-lite
imagePullPolicy: IfNotPresent
securityContext:
# User ID 10001 is actually built into the container at the creation for
18 changes: 9 additions & 9 deletions docs/print.html
Original file line number Diff line number Diff line change
@@ -440,7 +440,7 @@ <h2 id="testing--local-evaluation"><a class="header" href="#testing--local-evalu
-e COOKIE_MODE=danger-insecure \
-p 8080:8080 \
--name rauthy \
ghcr.io/sebadob/rauthy:0.24.0-lite
ghcr.io/sebadob/rauthy:0.24.1-lite
</code></pre>
<p>This will start the container in interactive mode with an in-memory SQLite database. Just take a look at the log at the
logs to see the URL and first password.</p>
@@ -450,7 +450,7 @@ <h2 id="testing--local-evaluation"><a class="header" href="#testing--local-evalu
-e DATABASE_URL=sqlite:data/rauthy.db \
-p 8080:8080 \
--name rauthy \
ghcr.io/sebadob/rauthy:0.24.0-lite
ghcr.io/sebadob/rauthy:0.24.1-lite
</code></pre>
<div id="admonition-note" class="admonition admonish-note">
<div class="admonition-title">
@@ -535,7 +535,7 @@ <h2 id="production-setup"><a class="header" href="#production-setup">Production
-v $(pwd)/rauthy/data:/app/data \
-p 8080:8080 \
--name rauthy \
ghcr.io/sebadob/rauthy:0.24.0-lite
ghcr.io/sebadob/rauthy:0.24.1-lite
</code></pre>
<p><strong>6. Restrict DB files access even more</strong><br />
After rauthy has done the first start, you could harden the access rights of the SQLite files even more.<br />
@@ -721,7 +721,7 @@ <h3 id="create-and-apply-the-stateful-set"><a class="header" href="#create-and-a
fsGroup: 10001
containers:
- name: rauthy
image: ghcr.io/sebadob/rauthy:0.24.0-lite
image: ghcr.io/sebadob/rauthy:0.24.1-lite
imagePullPolicy: IfNotPresent
securityContext:
# User ID 10001 is actually built into the container at the creation for
@@ -2218,16 +2218,16 @@ <h3 id="custom-frontend"><a class="header" href="#custom-frontend">Custom Fronte
#[validate(email)]
email: String,
/// Validation: `[a-zA-Z0-9À-ÿ-\\s]{1,32}`
#[validate(regex(path = "RE_USER_NAME", code = "[a-zA-Z0-9À-ÿ-\\s]{1,32}"))]
#[validate(regex(path = "*RE_USER_NAME", code = "[a-zA-Z0-9À-ÿ-\\s]{1,32}"))]
family_name: String,
/// Validation: `[a-zA-Z0-9À-ÿ-\\s]{1,32}`
#[validate(regex(path = "RE_USER_NAME", code = "[a-zA-Z0-9À-ÿ-\\s]{1,32}"))]
#[validate(regex(path = "*RE_USER_NAME", code = "[a-zA-Z0-9À-ÿ-\\s]{1,32}"))]
given_name: String,
/// Validation: `[a-zA-Z0-9,.:/_\-&amp;?=~#!$'()*+%]+`
#[validate(regex(path = "RE_URI", code = "[a-zA-Z0-9,.:/_\\-&amp;?=~#!$'()*+%]+"))]
#[validate(regex(path = "*RE_URI", code = "[a-zA-Z0-9,.:/_\\-&amp;?=~#!$'()*+%]+"))]
pow: String,
/// Validation: `[a-zA-Z0-9,.:/_\-&amp;?=~#!$'()*+%]+`
#[validate(regex(path = "RE_URI", code = "[a-zA-Z0-9,.:/_\\-&amp;?=~#!$'()*+%]+"))]
#[validate(regex(path = "*RE_URI", code = "[a-zA-Z0-9,.:/_\\-&amp;?=~#!$'()*+%]+"))]
redirect_uri: Option&lt;String&gt;,
}
<span class="boring">}</span></code></pre></pre>
@@ -3377,7 +3377,7 @@ <h2 id="rotation-event"><a class="header" href="#rotation-event">Rotation Event<
#S3_BUCKET=my_s3_bucket_name
#S3_ACCESS_KEY=
#S3_ACCESS_SECRET=
#S3_DANGER_ACCEPT_INVALID_CERTS=false
#S3_DANGER_ALLOW_INSECURE=false

# Restores the given backup
#
2 changes: 1 addition & 1 deletion docs/searchindex.js

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion docs/searchindex.json

Large diffs are not rendered by default.

0 comments on commit 215fd36

Please sign in to comment.