All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- Prevent logging of invalid login credentials [#233]
- Integration test searching for unencrypted passwords in the CAS logs [#225]
- Newly installed dogus must explicitly request the creation of a service account in the CAS via `dogu.json`. Further information on this can be found in the developer documentation.
- Use JSON service registry [#221]
  - Services are read from and stored in JSON files instead of the local config
  - The native CAS implementation is used for this, which reduces the custom overlay implementation
- Changed logic to create and remove service accounts [#221]
- Reading service information directly from ETCD [#221]
- Removed java classes for service creation
- Fix `ServiceIdFQDN` regex by changing illegal URL characters [#228]
- Replicate users from delegated authentication into LDAP [#224]
  - Delegated authentication currently only works when using the embedded LDAP
- Disclaimer for `legal_urls` without protocol [#230]
- Fix configuration for delegated authentication with OIDC [#222]
- Use flat instead of nested attributes for OAuth user profile. [#219]
  - OIDC- and OAuth-Dogus which relied on a flat OAuth user profile structure were unable to parse the user profile. [#219]
- Fix a bug where the watch for service accounts in the `local.yaml` config got stuck because the events were not reset and polled [#217]
- Add "lang"-attribute to HTML-Pages [#213]
- update CAS to 7.0.8
- Relicense to AGPL-3.0-only
- The pre-upgrade script will no longer try to access the `node_master` file for all migrations [#211]
  - The access to the `node_master` file has been moved to the migration where it is needed and where the `node_master` file was still present.
- The post-upgrade script would fail in a specific edge-case situation [#207]
  - Affected system: Cloudogu EcoSystem 'Classic' (Pre-Multinode)
  - Affected versions: 7.0.5.1-4 and 7.0.5.1-5
  - When an OAuth/OIDC-Dogu was installed and then uninstalled, the post-upgrade script would fail during an upgrade from CAS versions below 7.0.5.1-4.
  - This means that a directory `/config/cas/service_accounts/<type>` had to exist, but be empty (where `<type>` can be `oauth` or `oidc`).
  - Additionally, similar cases are now prevented.
- Add missing data-testid to logout error messages [#203]
- Add missing translations
- In a single-node EcoSystem (Classic-CES):
  - Use explicit service accounts for normal CAS service accounts in addition to implicitly reading dependencies. (#197)
  - Receive logout URI as an additional argument in the `service-account-create` exposed command in addition to reading it from the dogu descriptor. (#197)
- In a multi-node EcoSystem:
  - Use explicit service accounts for normal CAS service accounts instead of implicitly reading dependencies. (#197)
  - Receive logout URI as an additional argument in the `service-account-create` exposed command instead of reading it from the dogu descriptor. (#197)
- Use config from mounted file when in multinode (#197)
- Upgrade java base image to `21.0.4-1` (#193)
- Replace persistent state with local config (#193)
- Fix design of login mask to be more flexible
- Modify the whole CAS UI to match our new theme (#201)
- Fix throttling and avoid rendering CES unusable (#198)
  - when intensely sending REST requests towards Nexus with an internal user
- migrate dogu configuration keys regarding throttling (#198)
  - with CAS 7.x, throttling works way differently than before, and with different configuration keys as well
  - `limit/max_numbers` no longer enables throttling in general. Now, `limit/failure_threshold` with a value other than zero takes its place. Its default of 500 login failures per timeframe is much higher than the previous default, though.
  - `limit/range_seconds` is a new configuration key. It defines the timeframe in seconds and is used to build a failure rate together with `limit/failure_threshold`.
  - `limit/stale_removal_interval` is a new key which configures the interval in seconds at which a background runner removes stale login failures. The interval is independent of `limit/failure_threshold`.
- update CAS to 7.0.5.1
- update Tomcat to 10.1.26
- remove the custom throttling implementation in favor of the original CAS 7 failure throttling implementation (#198)
- Fix OAuth/OpenID vulnerability: see https://apereo.github.io/2024/06/26/oidc-vuln/
- Fix a bug where CAS logs the password at debug log level (#195)
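The three throttling keys above (`limit/failure_threshold`, `limit/range_seconds`, `limit/stale_removal_interval`) describe a failure-rate throttle. The following is an added example, not code from this dogu or from CAS: it models the semantics of those keys with a sliding window per login key and a background stale-removal runner, so the interaction of threshold, timeframe and cleanup interval can be seen on a constructed sequence of failed logins. The key names come from the changelog; the class names, the sample login key and the sample values for `range_seconds` and `stale_removal_interval` are assumptions, and CAS's real implementation differs in detail.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class ThrottleConfig:
    """The three dogu configuration keys, modelled as fields.

    failure_threshold      -> limit/failure_threshold (0 disables throttling)
    range_seconds          -> limit/range_seconds
    stale_removal_interval -> limit/stale_removal_interval
    Only the default of 500 for failure_threshold is from the changelog; the
    other two defaults are assumed sample values.
    """
    failure_threshold: int = 500
    range_seconds: int = 60
    stale_removal_interval: int = 300

    @property
    def enabled(self) -> bool:
        return self.failure_threshold != 0

    @property
    def failure_rate(self) -> float:
        """Failures per second that threshold and timeframe express together."""
        return self.failure_threshold / self.range_seconds


class FakeClock:
    """Controllable clock so the example runs deterministically offline."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class LoginThrottle:
    """Sliding-window model (assumption): a key such as user@client-ip is
    throttled while it has failure_threshold failures inside range_seconds."""

    def __init__(self, config: ThrottleConfig, clock):
        self.config = config
        self.clock = clock
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.last_cleanup = clock()

    def _prune(self, key: str, now: float) -> deque:
        # Drop failures that fell out of the range_seconds window; never create keys here.
        window = self.failures.get(key)
        if window is None:
            return deque()
        while window and now - window[0] > self.config.range_seconds:
            window.popleft()
        return window

    def is_throttled(self, key: str) -> bool:
        if not self.config.enabled:
            return False
        return len(self._prune(key, self.clock())) >= self.config.failure_threshold

    def record_failure(self, key: str) -> None:
        self.failures[key].append(self.clock())

    def remove_stale(self) -> int:
        """Background runner: acts only every stale_removal_interval seconds,
        independent of failure_threshold. Returns the number of entries removed."""
        now = self.clock()
        if now - self.last_cleanup < self.config.stale_removal_interval:
            return 0
        removed = 0
        for key in list(self.failures):
            before = len(self.failures[key])
            pruned = self._prune(key, now)
            removed += before - len(pruned)
            if not pruned:
                del self.failures[key]
        self.last_cleanup = now
        return removed


def simulate(threshold: int = 3, range_seconds: int = 10, stale_interval: int = 30) -> dict:
    """Walk one constructed key through allowed -> throttled -> released."""
    clock = FakeClock()
    throttle = LoginThrottle(ThrottleConfig(threshold, range_seconds, stale_interval), clock)
    key = "alice@192.0.2.10"  # constructed sample key
    decisions = []
    for _ in range(threshold):
        decisions.append(throttle.is_throttled(key))  # below threshold: allowed
        throttle.record_failure(key)
        clock.advance(1)
    decisions.append(throttle.is_throttled(key))  # threshold reached inside the window
    clock.advance(stale_interval)                  # nothing touches the window meanwhile
    removed = throttle.remove_stale()              # background runner is due now
    decisions.append(throttle.is_throttled(key))  # window expired: allowed again
    return {"decisions": decisions, "removed": removed, "tracked_keys": len(throttle.failures)}


if __name__ == "__main__":
    print(simulate())
```

With the constructed values the key is allowed for the first three failures, throttled on the fourth check, and released after the stale runner has cleared the expired window; setting `failure_threshold` to 0 leaves every check unthrottled, which is the "disabled" case the changelog describes.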
- Upgrade CAS to 7.0.4.1 (#189)
  - CAS 7.0 contains a "weak password detection" that checks on every login if the password complies with the configured password rules. If a password does not comply, a warning is displayed and the user has to enter a new password that complies with the rules.
- Upgrade CAS to 6.6.15.1 (#190)
- Upgrade CAS to 6.6.15
  - spring-security-core: CVE-2022-31692 / CVE-2023-20862
- add new volume `/logs` to avoid logging into the container file system (#173)
  - generated log files now reside under `/logs` instead of `/opt/apache-tomcat/logs` (#173)
  - log files no longer spam the container file system, which led to resource exhaustion in the host file system (#173)
- Update CAS to 6.6.12 to fix an OpenID Connect and OAuth vulnerability (#184)
- Update CAS to 6.6.10 to fix an OpenID Connect and OAuth vulnerability (#182)
- Config options for resource requirements (#180)
- Update CAS to 6.6.8 (#178)
- Update Tomcat to 9.0.85
- Remove /var/lib/cas Volume
- Upgrade cas to 6.5.9.1 (#175)
  - spring-framework: CVE-2023-20861
  - spring-boot: CVE-2022-22965 / CVE-2023-20873 / GHSA-36p3-wjmg-h94x
  - snakeyaml: CVE-2022-25857 / CVE-2022-38749 / CVE-2022-38752 / CVE-2022-41854 / CVE-2022-1471
  - commons-text: CVE-2022-42889
  - netty: CVE-2019-20444 / CVE-2019-20445 / CVE-2019-16869 / CVE-2021-21290 / CVE-2021-21409 / CVE-2021-43797 / CVE-2022-24823
  - jackson.core: CVE-2020-36518 / CVE-2022-42004 / CVE-2022-42003
  - junit: CVE-2020-15250
  - json-smart: CVE-2023-1370
  - jose4j: GHSA-jgvc-jfgh-rjvv
  - json: CVE-2022-45688
  - jsoup: CVE-2022-36033
- Fix file system exhaustion from Tomcat access logs in `/opt/apache-tomcat/logs` (#173)
  - The access logs will be streamed to stdout instead, i.e., the logs will be accommodated by the host's `/var/lib/docker/cas.log`
- Upgrade cas to 6.5.8 (#171)
- Set the `ldap-min-pool-size` to zero also for the password management LDAP (#136, #169)
- Make password policy configurable. For more information see docs (#167)
- When resetting the password, certain e-mail addresses are declared invalid in the original CAS code, e.g. `[email protected]`. This has now been adjusted. E-mails are now sent to all e-mail addresses (concretely: forwarded to Postfix). (#163)
- Update cas to v6.5.5 (#164)
- Suppress determination of an existing username via password reset function (#161)
  - Previously, an error message was displayed if a username did not exist in the system. If the username was present in the system, a confirmation that an email had been sent followed. Now a confirmation page with customised text is displayed in both cases.
- If CAS version 6.3.7-5, 6.5.2-1 or 6.5.3-1 has been used and an upgrade to a version >= 6.5.3.2 has been carried out, the migration of the service account for the LDAP from the read account to the write account is not performed. This resulted in a user's password change not being saved and the user receiving an error message. This error has now been corrected. (#159)
- Password Reset Functionality. For more information see docs (#156)
- Forgotten password button has always been displayed. If no text has been defined in etcd, a useless default text has been displayed. (#157)
- Fix wrong translation on password reset view (#154)
- Change reset password view for better ui flow
- Enhance forgot password feature, enhance accessibility (#152)
- fix proxy ticket validation with services that contain ports (#150)
- Activate password policy to allow changing password after first login (#145)
- Upgrade cas to 6.5.3 (#147)
- Upgrade cas war overlay version to 6.5.2 (#141)
- Update java base image to 11.0.14-3 (#141)
- Update all base image packages prior to building the cas app (#141)
- Upgrade spring boot to version 2.6.6 (#141)
- Upgrade cypress to version 9.5.4 for the integration tests (#141)
- Fixed German translation on login page (#138).
- Set min-width for notch to fully display floating label for username (#143)
- Update java base image to 11.0.14-2 (#139)
- Set the `ldap-min-pool-size` to zero (#136)
- The name entered at login previously has been directly transferred to the session (including upper and lower case). This has led to some problems and has now been changed to use the name and spelling from the LDAP entry. (#133)
- On the logout page, English text was displayed in the German version. The correct German text is now displayed instead.
- Update cas overlay version to version 6.3.7.4 (#129)
- JNDI vulnerability fixed by updating log4j to 2.15.0 (#126, https://www.heise.de/news/Kritische-Zero-Day-Luecke-in-log4j-gefaehrdet-zahlreiche-Server-und-Apps-6291653.html)
- Get CAS 4 upgrade compatibility by moving upgrade steps to post-upgrade script; #123
- add testkeys in thymeleaf templates for a stable selection in integrationtests (#122)
- warning label for invalid credentials conforms to styleguide (#120)
- use equal login error messages (#118)
- correct font-stack for inputs (#116)
- update ces-theme to v0.4.0
- OIDC-client support. Now, it is possible to register OIDC clients at the CAS via a service account. For more information see docs (#114)
- OIDC-property to define an attribute that should be used as the principal id for the clients (#112)
- CAS could not handle fqdn that contain uppercase letters (#110)
- Add new configuration keys to delegate the cas authentication to a configured OIDC provider. For more information about the keys see here (#107)
- Update UI to show OIDC-Link (#108)
- Add new LDAP specific dogu configuration keys (#99)
- Re-add LDAP group resolving with internal resolvers (#99)
- Adapt the UI to the Cloudogu styling. (#91)
- Update the underlying Tomcat library to v9.0 (#36)
- Remove dependency to the ldap-mapper dogu in favour of direct LDAP connections (#99)
  - The vision of abstracting LDAP connections with help of the ldap-mapper dogu still remains. This change is an intermediate step until the necessary changes to the ldap-mapper dogu and the migration towards CAS 6 are completed.
- Remove dogu configuration key `ldap/use_user_connection_to_fetch_attributes`. From now on, all connections to the LDAP to fetch user attributes are made via the system connection. (#103)
- At log level debug, the password has been output in plain text in some classes. The password is now no longer output in plain text anywhere. (#86)
- Remove dogu configuration key `logging/translation_messages`
- Add autofocus attribute to username (#83)
- Improve accessibility of login mask by changing design (#80)
  - Changes the positioning of alert-fields and the login button
  - Changes to button and alert-dialogues on the login- and logout-page to increase accessibility
- Adds verification via OAuth to the CAS
- Return empty service account list if account directory is missing in registry
- Add own log level configuration for translation logs; #64
- Set default log level for translation related logs to ERROR; #64
- Activate Perf4J logger only if log level is INFO or DEBUG; #62
- bug where the `forgot_password_text` key was never applied for some browsers (#60)
- Update java base image to 8u252-1
- Ability to set memory limit via `cesapp edit-config`
- Ability to configure the `MaxRamPercentage` and `MinRamPercentage` for the CAS process inside the container via `cesapp edit-config` (#58)
- add locales for de_DE and en_US
- change server encoding so special characters will be decoded correctly (#56)
- CAS bloated the log file after a dogu was uninstalled or marked as `absent` during a blueprint upgrade. (#54)
v4.0.7.20-9 - 2020-07-24
- Use doguctl validation for log level
- Add modular makefiles
- Add automated release flow
v4.0.7.20-8 - 2020-04-08
A new CES registry key `logging/root` is evaluated to override the default root log level (#49). One of these values can be set in order to increase the log verbosity: `ERROR`, `WARN`, `INFO`, `DEBUG`.
CAS's Log4J log levels are directly applied from the root log level.
Tomcat log levels are mapped from the root log level as follows:
| root log level | Tomcat log level |
|---|---|
| ERROR | Everything equal or above ERROR |
| WARN | Everything equal or above WARNING |
| INFO | Everything equal or above INFO |
| DEBUG | Everything equal or above FINE |
- Under the hood we verify the Tomcat binary to spot (possibly) tampered Tomcat binaries during the build time. (#38)
- PerformanceStats are no longer logged to the container filesystem for reasons of discoverability and performance. Instead they are logged to the usual CES logging facility. (#48)
v4.0.7.20-7 - 2020-03-12
- cas config etcd key `session_tgt/max_time_to_live_in_seconds` to configure maximum session timeout
- cas config etcd key `session_tgt/time_to_kill_in_seconds` to configure idle session timeout