v0.6.1-alpha

0.6.1-alpha (2023-02-08)

Bug Fixes

• Header matching case-sensitivity fixed (#483) (6d31d01)
• Header value matching using wildcards fixed (#485) (cf3ed57)

v0.6.0-alpha

0.6.0-alpha (2023-01-19)

⚠ BREAKING CHANGES

• demo.enable in helm chart renamed to demo.enabled (#457)
• Metrics service configuration changed (#452)
• New type for key store configuration introduced (#434)

Features

• Helm chart supports setting of arbitrary environment variables (#444) (80de2ee)
• New service exposing CPU, memory, etc profiling information (#446) (2175273)
• Remaining validity of configured certificates exposed as metric (#432) (95b24f0)

Bug Fixes

• Helm Chart fixed and does neither expect a heimdall config file, nor check for not existing property anymore (#420) (8a0c299)
• Memory leak introduced by correlation between metrics & traces fixed (#449) (f00e0ec)

Code Refactoring

• demo.enable in helm chart renamed to demo.enabled (#457) (eb9c32e)
• Metrics service configuration changed (#452) (1b3a36e)
• New type for key store configuration introduced (#434) (b2a9e58)

v0.5.0-alpha

0.5.0-alpha (2023-01-02)

Happy New Year 🎆 everybody!!!!

⚠ BREAKING CHANGES

• Rule properties related to url matching moved to an own structure (#402)
• Templating support in redirect error handler mechanism (#395)
• Objects and functions available in templates and CEL expressions harmonized (#394)
• Configuration for keys & certificates harmonized (#392)
• Decision service returns 200 OK instead of 202 Accepted on success. (#385)
• Used HTTP status codes can be configured (#383)
• mutator renamed to unifier (#375)
• hydrator renamed to contextualizer (#374)
• pipeline config property renamed and moved into rules (#370)
• Local ECMAScript based authorizer is not supported any more (#369)
• Remote authorizer uses CEL instead of ECMAScript for response verification purposes (#367)

Features

• Key material used for TLS can be password protected (#392) (e40c0a2)
• New "local" authorizer which uses CEL expressions (#364) (d8988a8)
• Provider to load rule sets deployed in Kubernetes environments (incl. Helm Chart update) (#336) (dee229f)
• Simple helm chart (#325) (23b4d5d)
• Simpler endpoint configuration (#376) (248f483)
• Support for environment variables substitution in config file (#381) (5a6ec65)
• Support for tracing and metrics correlation, as well as more metrics for go runtime information (#359) (f34998a)
• Templating support in redirect error handler mechanism (#395) (7a0eff3)
• Used HTTP status codes can be configured (#383) (5d46322)

Bug Fixes

• request_headers error condition implementation fixed (#373) (a2d3045)
• Signer implementation fixed to take the first key from the key store if no key id was specified (#392) (e40c0a2)

Code Refactoring

• hydrator renamed to contextualizer (#374) (f20bc37)
• mutator renamed to unifier (#375) (785b956)
• pipeline config property renamed and moved into rules (#370) (4234e54)
• Configuration for keys & certificates harmonized (#392) (e40c0a2)
• Decision service returns 200 OK instead of 202 Accepted on success. (#385) (3460191)
• Local ECMAScript based authorizer is not supported any more (#369) (db7febe)
• Objects and functions available in templates and CEL expressions harmonized (#394) (4ca9a9d)
• Remote authorizer uses CEL instead of ECMAScript for response verification purposes (#367) (92e1ffa)
• Rule properties related to url matching moved to an own structure (#402) (f3bd105)

v0.4.1-alpha

0.4.1-alpha (2022-11-11)

Bug Fixes

• User for the heimdall process within the container fixed (#323) (77e36f9)

v0.4.0-alpha

0.4.0-alpha (2022-11-09)

⚠ BREAKING CHANGES

• file system provider rename (#281)
• OpenTelemetry tracing support (#246)
• Pipeline handler identifier are present in error context to support pipeline handler specific error handling strategies (#239)
• ECDSA P-384 key is generated instead of RSA-2048 for JWT signing purposes on startup if no key store has been configured

Features

• Configuration of minimal allowed TLS version and the required cipher suites (#303) (76c02bf)
• HTTP caching according to RFC 7234 is supported by pipeline handlers and the httpendpoint provider (#307) (c5349c1)
• Made all log statements adhering to GELF format (#259) (94bf2f1)
• OpenTelemetry tracing support (#246) (c3e81fd)
• Pipeline handler identifier are present in error context to support pipeline handler specific error handling strategies (#239) (8a73e86)
• Provider to load rule sets from cloud blobs (#283) (6eef3dc)
• Provider to load rule sets from HTTP(s) endpoints (#263) (5ff495c)
• Support for log, trace and request correlation (#254) (a543230)

Code Refactoring

• ECDSA P-384 key is generated instead of RSA-2048 for JWT signing purposes on startup if no key store has been configured (6b62b47)
• file system provider rename (#281) (04a33f2)

v0.3.0-alpha

0.3.0-alpha (2022-09-09)

⚠ BREAKING CHANGES

• Prefix for considered environment variables renamed from HEIMDALL_ to HEIMDALLCFG_ and made this prefix configurable via a --env-config-prefix flag (#220)
• session property used by some authenticators renamed (incl. its properties) to subject to better reflect its meaning (#200)
• jwt_from property of the jwt_authenticator renamed to jwt_source to comply with naming in other authenticators (#199)

Features

• generic authenticator updated to consider ttl of the session object received from the identity_info_endpoint and to enable session validation (#201) (42b4e6c)
• jwt_authenticator updated to support X.509 certificates (incl validation) in JWKs used for JWT signature verification (#172) (19ef20d)
• oauth2_authenticator updated to optionally support token source selection, like specific header, schema, etc (#198) (e7ad797)
• If no kid is present in the JWT, the jwt_authenticator can now iterate over the received JWKS and try to verify the signature until one of the keys matches (#196) (488e46f)
• x509 certificate support in keystore (#166) (2d9af4c)

Bug Fixes

• Prefix for considered environment variables renamed from HEIMDALL_ to HEIMDALLCFG_ and made this prefix configurable via a --env-config-prefix flag (#220) (3bfeff1)

Code Refactoring

• jwt_from property of the jwt_authenticator renamed to jwt_source to comply with naming in other authenticators (#199) (29d6bcb)
• session property used by some authenticators renamed (incl. its properties) to subject to better reflect its meaning (#200) (869d8ae)

v0.2.0-alpha

0.2.0-alpha (2022-08-12)

⚠ BREAKING CHANGES

• strip_prefix in header authentication data strategy renamed to schema to reflect the actual mening and behavior (#129)
• "serve api" command renamed to "serve decision" (incl. wording in docs and logs) (#125)
• Make decision endpoint being available directly on the root (/) path of the decision service (#112)
• New management service introduced, which exposes the health & jwks endpoints (#112)
• Usage of trusted_proxies is mandatory for Decision API to accept X-Forwarded-* headers (#111)
• Returning HTTP 404 instead of HTTP 500 if no default rule is configured and no rule matches (#96)

Features

• Access log support (#139) (8387512)
• Configurable fallback of authenticators even if the verification of the credentials fails (#134) (1336777)
• Make decision endpoint being available directly on the root (/) path of the decision service (#112) (fa1ff5b)
• New upstream property introduced for the rule config to support reference of the upstream service for proxy mode (0436a52)
• New management service introduced, which exposes the health & jwks endpoints (0436a52)
• Not setting HTTP Server header anymore (0436a52)
• Remote authorizer optionally supports verification of responses from the remote system via a script (#117) (1ecabf0)
• Retrieval of an access token from the request body (#115) (b336ab4)
• Returning HTTP 404 instead of HTTP 500 if no default rule is configured and no rule matches (#96) (0436a52)
• Reverse proxy support (#90) (0436a52)
• Usage of trusted_proxies is mandatory for Decision API to accept X-Forwarded-* headers (#111) (438932b)

Bug Fixes

• accesslog handler updated to include information about authenticated subject if present (#162) (3e286db)
• Basic Auth authenticator added to the schema and can now be configured (#133) (1336777)
• basic_auth authenticator is not responsible for the request any more if the Authorization header does not contain Basic Auth schema (#107) (96136ef)
• Bearer token based authenticators do not feel responsible for the request anymore if no "Bearer" scheme is present in the "Authorization" header (db5b773)
• Fixed usage of X-Forwarded-Uri header (0436a52)
• Handling and usage of the upstream property fixed (before this fix the proxy operation mode could not be used) (#130) (ed61e18)
• jwt authenticator to not feel responsible if the bearer token is not in the JWT format (#108) (d8945c4)
• Schema fixed to allow TLS key & cert as well as CORS max_age configuration (#122) (58b6bc3)
• trusted_proxy support added to the schema file to allow the validation of the corresponding property (#105) (556946e)

Code Refactoring

• "serve api" command renamed to "serve decision" (incl. wording in docs and logs) (#125) (e6aad0d)
• strip_prefix in header authentication data strategy renamed to schema to reflect the actual mening and behavior (#129) (f8a38ff)

v0.1.0-alpha

This is a very first release which supports functionality listed below.

• Decision API
• Loading rules from the file system
• Authenticator types (anonymous, basic-auth, generic, jwt, noop, oauth2 introspection, unauthorized)
• Authorizers (allow, deny, subject attributes (to evaluate available subject information by using JS) & remote (e.g. to communicate with open policy agent, ory keto, a zanzibar implementation, or any other authorization engine))
• Hydrators (generic) - to enrich the subject information retrieved from the authenticator
• Mutators (opaque cookie, opaque header, jwt in the Authorization header, noop) to transform the subject information
• Error Handlers (default, redirect, www-authenticate), which support accept type negotiation as well
• Opentracing support (jaeger & instana)
• Prometheus metrics
• Key store in pem format for rsa-pss and ecdsa keys (pkcs#1 - plain only & pkcs#8 - plain and encrypted)
• Rules URL matching
• Flexible pipeline definition: authenticators+ -> any order(authorizer*, hydrator*) -> mutator+ -> error_handler*
• Optional default rule taking effect if no rule matches
• If Default rule is configured, the actual rule definition can reuse it (less yaml code)
• Typical execution time if caches are active is around 300µs (on my laptop)
• The configuration is validated on startup. You can also validate it by making use of the "validate config" command.
• Health Probe