Changelog for unreleased (UNRELEASED)
The following sections list the changes for ocis-proxy unreleased.
Summary
- Bugfix - Fix director selection: #99
- Bugfix - Add settings API and app endpoints to example config: #93
- Change - Remove accounts caching: #100
- Enhancement - Add hello API and app endpoints to example config and builtin config: #96
- Enhancement - Add roleIDs to the access token: #95
Details
-
Bugfix - Fix director selection: #99
We fixed a bug where simultaneous requests could be executed on the wrong backend.
-
Bugfix - Add settings API and app endpoints to example config: #93
We had the ocis-settings API and app endpoints in the builtin config already, but they were missing in the example config. Added them for consistency.
-
Change - Remove accounts caching: #100
We removed the accounts cache in order to avoid problems with accounts that have been updated in the accounts service.
-
Enhancement - Add hello API and app endpoints to example config and builtin config: #96
We added the ocis-hello API and app endpoints to both the example config and the builtin config.
-
Enhancement - Add roleIDs to the access token: #95
We are using the roleIDs of the authenticated user for permission checks against ocis-settings. We added the roleIDs to the access token to have them available quickly.
Changelog for 0.7.0 (2020-08-21)
The following sections list the changes for ocis-proxy 0.7.0.
Summary
- Enhancement - Add numeric uid and gid to the access token: #89
- Enhancement - Add configuration options for the pre-signed url middleware: #91
Details
-
Enhancement - Add numeric uid and gid to the access token: #89
The eos storage driver is fetching the uid and gid of a user from the access token. This PR is using the response of the accounts service to mint them in the token.
-
Enhancement - Add configuration options for the pre-signed url middleware: #91
Added an option to define the allowed HTTP methods for pre-signed URL requests. This is useful since we only want clients to GET resources and not upload anything with presigned requests.
https://github.com/owncloud/ocis/proxy/issues/91 https://github.com/owncloud/product/issues/150
Changelog for 0.6.0 (2020-08-17)
The following sections list the changes for ocis-proxy 0.6.0.
Summary
- Bugfix - Enable new accounts by default: #79
- Bugfix - Lookup user by id for presigned URLs: #85
- Bugfix - Build docker images with alpine:latest instead of alpine:edge: #78
- Change - Add settings and ocs group routes: #81
- Change - Add route for user provisioning API in ocis-ocs: #80
Details
-
Bugfix - Enable new accounts by default: #79
When new accounts are created, they also need to be enabled to be useable.
-
Bugfix - Lookup user by id for presigned URLs: #85
Phoenix will send the userid, not the username as the OC-Credential for presigned URLs. This PR uses the new ocisid claim in the OIDC userinfo to pass the userid to the account middleware.
https://github.com/owncloud/ocis/issues/436 https://github.com/owncloud/ocis/proxy/pull/85 https://github.com/owncloud/ocis-pkg/pull/50
-
Bugfix - Build docker images with alpine:latest instead of alpine:edge: #78
ARM builds were failing when built on alpine:edge, so we switched to alpine:latest instead.
-
Change - Add settings and ocs group routes: #81
Route settings requests and ocs group related requests to new services
-
Change - Add route for user provisioning API in ocis-ocs: #80
We added a route to send requests on the user provisioning API endpoints to ocis-ocs.
Changelog for 0.5.0 (2020-07-23)
The following sections list the changes for ocis-proxy 0.5.0.
Summary
- Bugfix - Provide token configuration from config: #69
- Bugfix - Provide token configuration from config: #76
- Change - Add OIDC config flags: #66
- Change - Mint new username property in the reva token: #62
- Enhancement - Add Accounts UI routes: #65
- Enhancement - Add option to disable TLS: #71
- Enhancement - Only send create home request if an account has been migrated: #52
- Enhancement - Create a root span on proxy that propagates down to consumers: #64
- Enhancement - Support signed URLs: #73
Details
-
Bugfix - Provide token configuration from config: #69
Fixed a bug that causes the createHome middleware to crash if no configuration for the TokenManager is propagated.
-
Bugfix - Provide token configuration from config: #76
Fixed a bug that causes the createHome middleware to crash if the createHome response has no Status set
-
Change - Add OIDC config flags: #66
To authenticate requests with an OIDC provider we added two environment variables:
- PROXY_OIDC_ISSUER="https://localhost:9200"
- PROXY_OIDC_INSECURE=true
This changes ocis-proxy to now load the oidc-middleware by default, requiring a bearer token and exchanging the email in the OIDC claims for an account id at the ocis-accounts service.
Setting PROXY_OIDC_ISSUER="" will disable the OIDC middleware.
-
Change - Mint new username property in the reva token: #62
An account's username is now taken from the on_premises_sam_account_name property instead of the preferred_name. Furthermore, the group name (also from the on_premises_sam_account_name property) is now minted into the token as well.
-
Enhancement - Add Accounts UI routes: #65
The accounts service has a UI that requires routing:
- /api/v0/accounts
- /accounts.js
-
Enhancement - Add option to disable TLS: #71
Can be used to disable TLS when the ocis-proxy is behind a TLS-terminating reverse proxy.
Env PROXY_TLS=false or --tls=false
https://github.com/owncloud/ocis/proxy/issues/71 https://github.com/owncloud/ocis/proxy/pull/72
-
Enhancement - Only send create home request if an account has been migrated: #52
This change adds a check if an account has been migrated by getting it from the ocis-accounts service. If no account is returned it means it hasn't been migrated.
https://github.com/owncloud/ocis/proxy/issues/52 https://github.com/owncloud/ocis/proxy/pull/63
-
Enhancement - Create a root span on proxy that propagates down to consumers: #64
In order to propagate and correctly associate a span with a request we need a root span that gets sent to other services.
-
Enhancement - Support signed URLs: #73
We added a middleware that verifies signed URLs as generated by the owncloud-sdk. This allows directly downloading large files with browsers instead of using blob:// URLs, which eat memory ...
https://github.com/owncloud/ocis/proxy/issues/73 https://github.com/owncloud/ocis/proxy/pull/75 https://github.com/owncloud/ocis-ocs/pull/18 https://github.com/owncloud/owncloud-sdk/pull/504
Changelog for 0.4.0 (2020-06-25)
The following sections list the changes for ocis-proxy 0.4.0.
Summary
- Bugfix - Accounts service response was ignored: #43
- Bugfix - Fix x-access-token in header: #41
- Change - Point /data endpoint to reva frontend: #45
- Change - Send autocreate home request to reva gateway: #51
- Change - Update to new accounts API: #39
- Enhancement - Retrieve Account UUID From User Claims: #36
- Enhancement - Create account if it doesn't exist in ocis-accounts: #55
- Enhancement - Disable keep-alive on server-side OIDC requests: #268
- Enhancement - Make jwt secret configurable: #41
- Enhancement - Respect account_enabled flag: #53
Details
-
Bugfix - Accounts service response was ignored: #43
We fixed an error in the AccountUUID middleware that was responsible for ignoring an account uuid provided by the accounts service.
-
Bugfix - Fix x-access-token in header: #41
We fixed setting the x-access-token in the request header, which was broken before.
https://github.com/owncloud/ocis/proxy/pull/41 https://github.com/owncloud/ocis/proxy/pull/46
-
Change - Point /data endpoint to reva frontend: #45
Adjusted example config files to point /data to the reva frontend.
-
Change - Send autocreate home request to reva gateway: #51
Send autocreate home request to reva gateway
-
Change - Update to new accounts API: #39
Update to new accounts API
-
Enhancement - Retrieve Account UUID From User Claims: #36
OIDC Middleware can make use of uuidFromClaims to trade claims.Email for an account's UUID. For this, a general purpose cache was added that caches on a per-request basis, meaning whenever the request parameters match a set of keys, the cached value is returned, saving a round trip to the accounts service that otherwise would happen in every single request.
-
Enhancement - Create account if it doesn't exist in ocis-accounts: #55
The accounts_uuid middleware tries to get the account from ocis-accounts. If it doesn't exist there yet, the proxy creates the account using the ocis-account api.
https://github.com/owncloud/ocis/proxy/issues/55 https://github.com/owncloud/ocis/proxy/issues/58
-
Enhancement - Disable keep-alive on server-side OIDC requests: #268
This should reduce file-descriptor counts
https://github.com/owncloud/ocis/issues/268 https://github.com/owncloud/ocis/proxy/pull/42 https://github.com/cs3org/reva/pull/787
-
Enhancement - Make jwt secret configurable: #41
We added a config option for the reva token manager JWTSecret. It was hardcoded before and is now configurable.
-
Enhancement - Respect account_enabled flag: #53
If the account returned by the accounts service has the account_enabled flag set to false, the proxy will return immediately with the status code unauthorized.
Changelog for 0.3.1 (2020-03-31)
The following sections list the changes for ocis-proxy 0.3.1.
Summary
- Change - Update ocis-pkg: #30
Details
-
Change - Update ocis-pkg: #30
We updated ocis-pkg from 2.0.2 to 2.2.0.
Changelog for 0.3.0 (2020-03-30)
The following sections list the changes for ocis-proxy 0.3.0.
Summary
- Change - Insecure http-requests are now redirected to https: #29
- Enhancement - Configurable OpenID Connect client: #27
- Enhancement - Add policy selectors: #4
Details
-
Change - Insecure http-requests are now redirected to https: #29
-
Enhancement - Configurable OpenID Connect client: #27
The proxy will try to authenticate every request with the configured OIDC provider.
See configs/proxy-example.oidc.json for an example-configuration.
-
Enhancement - Add policy selectors: #4
"Static-Policy" can be configured to always select a specific policy. See: config/proxy-example.json.
"Migration-Policy" selects policy depending on existence of the uid in the ocis-accounts service. See: config/proxy-example-migration.json
Changelog for 0.2.1 (2020-03-25)
The following sections list the changes for ocis-proxy 0.2.1.
Summary
- Bugfix - Set TLS-Certificate correctly: #25
Details
-
Bugfix - Set TLS-Certificate correctly: #25
Changelog for 0.2.0 (2020-03-25)
The following sections list the changes for ocis-proxy 0.2.0.
Summary
- Change - Route requests based on regex or query parameters: #21
- Enhancement - Proxy client urls in default configuration: #19
- Enhancement - Make TLS-Cert configurable: #14
Details
-
Change - Route requests based on regex or query parameters: #21
Some requests needed to be distinguished based on a pattern or a query parameter. We've implemented the functionality to route requests based on different conditions.
-
Enhancement - Proxy client urls in default configuration: #19
Proxy /status.php and index.php/*
-
Enhancement - Make TLS-Cert configurable: #14
Before, a certificate generated on every start was used for dev purposes.
Changelog for 0.1.0 (2020-03-18)
The following sections list the changes for ocis-proxy 0.1.0.
Summary
Details
-
Change - Initial release of basic version: #1
Just prepared an initial basic version.
-
Enhancement - Load Proxy Policies at Runtime: #17
While a proxy without policies is of no use, the current state of ocis-proxy expects a config file either at an expected Viper location or specified via the --config-file flag. To ease deployments and ensure a working set of policies out of the box we need a series of defaults.
https://github.com/owncloud/ocis/proxy/issues/17 https://github.com/owncloud/ocis/proxy/pull/16