Merge pull request #528 from sebadob/prepare-v0.24.1

prepare v0.24.1
sebadob · Jul 24, 2024 · 215fd36 · 215fd36
2 parents 4b34c62 + 76a46eb
commit 215fd36
Show file tree

Hide file tree

Showing 13 changed files with 77 additions and 40 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,15 +1,52 @@
 # Changelog
 
-## UNRELEASED
+## 0.24.1
 
-TODO
+The last weeks were mostly for updating the documentation and including all the new features that came to Rauthy in
+the last months. Some small things are still missing, but it's almost there.
+
+Apart from that, this is an important update because it fixes some security issues in external dependencies.
+
+### Security
+
+Security issues in external crates have been fixed:
+
+- moderate [matrix-sdk-crypto](https://github.com/sebadob/rauthy/security/dependabot/54)
+- moderate [openssl](https://github.com/sebadob/rauthy/security/dependabot/55)
+- low [vodozemac](https://github.com/sebadob/rauthy/security/dependabot/53)
+
+### Changes
 
 # `S3_DANGER_ACCEPT_INVALID_CERTS` renamed
 
 The config var `S3_DANGER_ACCEPT_INVALID_CERTS` has been renamed to `S3_DANGER_ALLOW_INSECURE`. This is not a breaking
 change right now, because for now Rauthy will accept both versions to not introduce a breaking change, but the
 deprecated values will be removed after v0.24.
 
+### S3 Compatibility
+
+Quite a few internal dependencies have been updated to the latest versions (where it made sense).
+
+One of them was my own [cryptr](https://github.com/sebadob/cryptr). This was using the `rusty-s3` crate beforehand,
+which is a nice one when working with S3 storages, but had 2 issues. One of them is that it is using pre-signed URLs.
+That is not a flaw in the first place, just a design decision to become network agnostic. The other one was that it
+signed the URL in a way that would make the request not compatible with [Garage](https://garagehq.deuxfleurs.fr/).  
+I migrated `cryptr` to my own [s3-simple](https://github.com/sebadob/s3-simple) which solves these issues.
+
+This update brings compatibility with the `garage` s3 storage for Rauthy's S3 backup feature.
+
+[f1eab35](https://github.com/sebadob/rauthy/commit/f1eab35dcbf195ed38d11756e1df69f42e05e7e0)
+
+### Bugfixes
+
+- Fetching the favicon (and possibly other images) was forbidden because of the new CSRF middleware from some weeks
+  ago.
+  [76cd728](https://github.com/sebadob/rauthy/commit/76cd7281fcd1493c9f0cbb208c3fa7ef93814422)
+- The UI and the backend had a difference in input validation for `given_name` and `family_name` which could make
+  some buttons in the UI get stuck. This has been fixed and the validation for these 2 is the same everywhere and at
+  least 1 single character is required now.
+  [19d512a](https://github.com/sebadob/rauthy/commit/19d512ad6ea930467f51d7b704252d3edee7ef1c)
+
 ## v0.24.0
 
 Many thousands of lines have been refactored internally to provide better maintainability in the future.

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -4,7 +4,7 @@ members = ["src/*"]
 exclude = ["rauthy-client"]
 
 [workspace.package]
-version = "0.24.1-20240724"
+version = "0.24.1"
 edition = "2021"
 authors = ["Sebastian Dobe <sebastiandobe@mailbox.org>"]
 license = "Apache-2.0"

diff --git a/README.md b/README.md
@@ -192,7 +192,7 @@ the application yourself with docker on your localhost. Rauthy has pretty strict
 browsers treat `localhost` as being secure, therefore you should allow insecure cookies for testing locally:
 
 ```
-docker run --rm -e COOKIE_MODE=danger-insecure -p 8080:8080 ghcr.io/sebadob/rauthy:0.24.0-lite
+docker run --rm -e COOKIE_MODE=danger-insecure -p 8080:8080 ghcr.io/sebadob/rauthy:0.24.1-lite
 ```
 
 ## Contributing

diff --git a/book/src/getting_started/docker.md b/book/src/getting_started/docker.md
@@ -12,7 +12,7 @@ docker run --rm \
     -e COOKIE_MODE=danger-insecure \
     -p 8080:8080 \
     --name rauthy \
-    ghcr.io/sebadob/rauthy:0.24.0-lite
+    ghcr.io/sebadob/rauthy:0.24.1-lite
 ```
 
 This will start the container in interactive mode with an in-memory SQLite database. Just take a look at the log at the
@@ -26,7 +26,7 @@ docker run -d \
     -e DATABASE_URL=sqlite:data/rauthy.db \
     -p 8080:8080 \
     --name rauthy \
-    ghcr.io/sebadob/rauthy:0.24.0-lite
+    ghcr.io/sebadob/rauthy:0.24.1-lite
 ```
 
 ```admonish note
@@ -124,7 +124,7 @@ docker run -d \
     -v $(pwd)/rauthy/data:/app/data \
     -p 8080:8080 \
     --name rauthy \
-    ghcr.io/sebadob/rauthy:0.24.0-lite
+    ghcr.io/sebadob/rauthy:0.24.1-lite
 ```
 
 **6. Restrict DB files access even more**  

diff --git a/book/src/getting_started/k8s.md b/book/src/getting_started/k8s.md
@@ -208,7 +208,7 @@ spec:
         fsGroup: 10001
       containers:
         - name: rauthy
-          image: ghcr.io/sebadob/rauthy:0.24.0-lite
+          image: ghcr.io/sebadob/rauthy:0.24.1-lite
           imagePullPolicy: IfNotPresent
           securityContext:
             # User ID 10001 is actually built into the container at the creation for

diff --git a/docs/config/config.html b/docs/config/config.html
@@ -363,7 +363,7 @@ <h1 id="reference-config"><a class="header" href="#reference-config">Reference C
 #S3_BUCKET=my_s3_bucket_name
 #S3_ACCESS_KEY=
 #S3_ACCESS_SECRET=
-#S3_DANGER_ACCEPT_INVALID_CERTS=false
+#S3_DANGER_ALLOW_INSECURE=false
 
 # Restores the given backup
 #

diff --git a/docs/config/user_reg.html b/docs/config/user_reg.html
@@ -317,16 +317,16 @@ <h3 id="custom-frontend"><a class="header" href="#custom-frontend">Custom Fronte
     #[validate(email)]
     email: String,
     /// Validation: `[a-zA-Z0-9À-ÿ-\\s]{1,32}`
-    #[validate(regex(path = "RE_USER_NAME", code = "[a-zA-Z0-9À-ÿ-\\s]{1,32}"))]
+    #[validate(regex(path = "*RE_USER_NAME", code = "[a-zA-Z0-9À-ÿ-\\s]{1,32}"))]
     family_name: String,
     /// Validation: `[a-zA-Z0-9À-ÿ-\\s]{1,32}`
-    #[validate(regex(path = "RE_USER_NAME", code = "[a-zA-Z0-9À-ÿ-\\s]{1,32}"))]
+    #[validate(regex(path = "*RE_USER_NAME", code = "[a-zA-Z0-9À-ÿ-\\s]{1,32}"))]
     given_name: String,
     /// Validation: `[a-zA-Z0-9,.:/_\-&amp;?=~#!$'()*+%]+`
-    #[validate(regex(path = "RE_URI", code = "[a-zA-Z0-9,.:/_\\-&amp;?=~#!$'()*+%]+"))]
+    #[validate(regex(path = "*RE_URI", code = "[a-zA-Z0-9,.:/_\\-&amp;?=~#!$'()*+%]+"))]
     pow: String,
     /// Validation: `[a-zA-Z0-9,.:/_\-&amp;?=~#!$'()*+%]+`
-    #[validate(regex(path = "RE_URI", code = "[a-zA-Z0-9,.:/_\\-&amp;?=~#!$'()*+%]+"))]
+    #[validate(regex(path = "*RE_URI", code = "[a-zA-Z0-9,.:/_\\-&amp;?=~#!$'()*+%]+"))]
     redirect_uri: Option&lt;String&gt;,
 }
 <span class="boring">}</span></code></pre></pre>

diff --git a/docs/getting_started/docker.html b/docs/getting_started/docker.html
@@ -184,7 +184,7 @@ <h2 id="testing--local-evaluation"><a class="header" href="#testing--local-evalu
     -e COOKIE_MODE=danger-insecure \
     -p 8080:8080 \
     --name rauthy \
-    ghcr.io/sebadob/rauthy:0.24.0-lite
+    ghcr.io/sebadob/rauthy:0.24.1-lite
 </code></pre>
 <p>This will start the container in interactive mode with an in-memory SQLite database. Just take a look at the log at the
 logs to see the URL and first password.</p>
@@ -194,7 +194,7 @@ <h2 id="testing--local-evaluation"><a class="header" href="#testing--local-evalu
     -e DATABASE_URL=sqlite:data/rauthy.db \
     -p 8080:8080 \
     --name rauthy \
-    ghcr.io/sebadob/rauthy:0.24.0-lite
+    ghcr.io/sebadob/rauthy:0.24.1-lite
 </code></pre>
 <div id="admonition-note" class="admonition admonish-note">
 <div class="admonition-title">
@@ -279,7 +279,7 @@ <h2 id="production-setup"><a class="header" href="#production-setup">Production
     -v $(pwd)/rauthy/data:/app/data \
     -p 8080:8080 \
     --name rauthy \
-    ghcr.io/sebadob/rauthy:0.24.0-lite
+    ghcr.io/sebadob/rauthy:0.24.1-lite
 </code></pre>
 <p><strong>6. Restrict DB files access even more</strong><br />
 After rauthy has done the first start, you could harden the access rights of the SQLite files even more.<br />

diff --git a/docs/getting_started/k8s.html b/docs/getting_started/k8s.html
@@ -351,7 +351,7 @@ <h3 id="create-and-apply-the-stateful-set"><a class="header" href="#create-and-a
         fsGroup: 10001
       containers:
         - name: rauthy
-          image: ghcr.io/sebadob/rauthy:0.24.0-lite
+          image: ghcr.io/sebadob/rauthy:0.24.1-lite
           imagePullPolicy: IfNotPresent
           securityContext:
             # User ID 10001 is actually built into the container at the creation for

diff --git a/docs/print.html b/docs/print.html
@@ -440,7 +440,7 @@ <h2 id="testing--local-evaluation"><a class="header" href="#testing--local-evalu
     -e COOKIE_MODE=danger-insecure \
     -p 8080:8080 \
     --name rauthy \
-    ghcr.io/sebadob/rauthy:0.24.0-lite
+    ghcr.io/sebadob/rauthy:0.24.1-lite
 </code></pre>
 <p>This will start the container in interactive mode with an in-memory SQLite database. Just take a look at the log at the
 logs to see the URL and first password.</p>
@@ -450,7 +450,7 @@ <h2 id="testing--local-evaluation"><a class="header" href="#testing--local-evalu
     -e DATABASE_URL=sqlite:data/rauthy.db \
     -p 8080:8080 \
     --name rauthy \
-    ghcr.io/sebadob/rauthy:0.24.0-lite
+    ghcr.io/sebadob/rauthy:0.24.1-lite
 </code></pre>
 <div id="admonition-note" class="admonition admonish-note">
 <div class="admonition-title">
@@ -535,7 +535,7 @@ <h2 id="production-setup"><a class="header" href="#production-setup">Production
     -v $(pwd)/rauthy/data:/app/data \
     -p 8080:8080 \
     --name rauthy \
-    ghcr.io/sebadob/rauthy:0.24.0-lite
+    ghcr.io/sebadob/rauthy:0.24.1-lite
 </code></pre>
 <p><strong>6. Restrict DB files access even more</strong><br />
 After rauthy has done the first start, you could harden the access rights of the SQLite files even more.<br />
@@ -721,7 +721,7 @@ <h3 id="create-and-apply-the-stateful-set"><a class="header" href="#create-and-a
         fsGroup: 10001
       containers:
         - name: rauthy
-          image: ghcr.io/sebadob/rauthy:0.24.0-lite
+          image: ghcr.io/sebadob/rauthy:0.24.1-lite
           imagePullPolicy: IfNotPresent
           securityContext:
             # User ID 10001 is actually built into the container at the creation for
@@ -2218,16 +2218,16 @@ <h3 id="custom-frontend"><a class="header" href="#custom-frontend">Custom Fronte
     #[validate(email)]
     email: String,
     /// Validation: `[a-zA-Z0-9À-ÿ-\\s]{1,32}`
-    #[validate(regex(path = "RE_USER_NAME", code = "[a-zA-Z0-9À-ÿ-\\s]{1,32}"))]
+    #[validate(regex(path = "*RE_USER_NAME", code = "[a-zA-Z0-9À-ÿ-\\s]{1,32}"))]
     family_name: String,
     /// Validation: `[a-zA-Z0-9À-ÿ-\\s]{1,32}`
-    #[validate(regex(path = "RE_USER_NAME", code = "[a-zA-Z0-9À-ÿ-\\s]{1,32}"))]
+    #[validate(regex(path = "*RE_USER_NAME", code = "[a-zA-Z0-9À-ÿ-\\s]{1,32}"))]
     given_name: String,
     /// Validation: `[a-zA-Z0-9,.:/_\-&amp;?=~#!$'()*+%]+`
-    #[validate(regex(path = "RE_URI", code = "[a-zA-Z0-9,.:/_\\-&amp;?=~#!$'()*+%]+"))]
+    #[validate(regex(path = "*RE_URI", code = "[a-zA-Z0-9,.:/_\\-&amp;?=~#!$'()*+%]+"))]
     pow: String,
     /// Validation: `[a-zA-Z0-9,.:/_\-&amp;?=~#!$'()*+%]+`
-    #[validate(regex(path = "RE_URI", code = "[a-zA-Z0-9,.:/_\\-&amp;?=~#!$'()*+%]+"))]
+    #[validate(regex(path = "*RE_URI", code = "[a-zA-Z0-9,.:/_\\-&amp;?=~#!$'()*+%]+"))]
     redirect_uri: Option&lt;String&gt;,
 }
 <span class="boring">}</span></code></pre></pre>
@@ -3377,7 +3377,7 @@ <h2 id="rotation-event"><a class="header" href="#rotation-event">Rotation Event<
 #S3_BUCKET=my_s3_bucket_name
 #S3_ACCESS_KEY=
 #S3_ACCESS_SECRET=
-#S3_DANGER_ACCEPT_INVALID_CERTS=false
+#S3_DANGER_ALLOW_INSECURE=false
 
 # Restores the given backup
 #

diff --git a/docs/searchindex.js b/docs/searchindex.js
diff --git a/docs/searchindex.json b/docs/searchindex.json