Release notes for exposure-notifications-verification-server v0.20.0

Changelog since v0.19.0

⚠️ Upgrade notes ⚠️

Deployment Notes

This version introduces both Binary Authorization and multiple new services. To help ensure a successful upgrade, operators should taint the build step before running Terraform. This will ensure new services are built and existing services are attested with the proper signatures for authorization.

terraform taint module.en.null_resource.build

Note this will increase the duration of the Terraform run to about 10 minutes. Upon a successful run, continue with the upgrade process as normal.

Key rotation

This release introduces unattended signing key rotation for both verification token and verification certificate signing.

All key rotation is done, by default, every 30 days.

Verification token key rotation

Keys are now backed by the database, seeded by the key ring that the current token signing key version is on.
Until the new rotate job runs, the legacy key version will be used for signing. Once the rotate job has been
run, there will be a new signing key used to sign new verification tokens. The legacy signing key will be honored
as long as it is still configured. v0.21.0 will move to only database-backed token signing keys.

Verification certificate key rotation

In this release, realm admins will be allowed to configure their signing keys for automatic rotation.
It is important that this realm's key server be configured to use the JWKS public key discovery document
for the health authority signing keys.

Verification signing keys are created, but not made active for at least 1 hour so that there is time
for the key server to import the public key.

Changes by Kind

Breaking changes

Potentially breaking! - Source token signing keys from the database. This completes the move of system token signing keys from environment variables to the database. This change attempts to be backward compatible, but server are encouraged to test changes in an isolated environment before upgrading production systems. (#1602, @sethvargo)

Features

Add intelligence for redirecting post-login (#1550, @sethvargo)
Add audits for saving a Token Signing Key (#1601, @sethvargo)
Add password-reset and email-verification email templates to realm settings (#1555, @whaught)
Add rotation service and schema for rotating token signing keys (#1597, @sethvargo)
Added support for Twilio messaging services (#1526, @whaught)
Adds database column for realm level auto key rotation settings. (#1594, @mikehelmick)
Adds the stats-puller service to run every hour. (#1603, @whaught)
Advanced searching is a new feature for user search that allows for more granular searching. It's backwards-compatible with the former search syntax, but now includes the ability to filter searches by fields. Specifically, you can now query like "name:foo" or "can:APIKeyWrite" to perform advanced queries. Bulk permission management is a new feature that allows people with UserWrite permissions to modify other users' permissions in bulk in their realm. (#1525, @sethvargo)
Allow JWK lookup URLs to work with region codes in addition to IDs (#1559, @sethvargo)
Allow for legacy signing key config for tokens to be used during the upgrade to DB backed tokens. (#1624, @mikehelmick)
Allow for realm admins to enable automatic verification certificate key rotation. Keys are rotated every 30 days, and given 1h soak time for upstream key servers to pull public keys via public key discovery. (#1614, @mikehelmick)
Realm stats: Slider control to select date range to display. Trend lines are shown for codes issued and codes claimed. (#1598, @mikehelmick)
Stop bulk-issue client if the Twilio SMS queue is full (#1571, @whaught)
Support testType field as input for bulk-upload (#1531, @whaught)
The bulk-uploader will skip conflict or already-succeeded lines when re-using a log csv from a previous attempt (#1530, @whaught)

General bug fixes and improvements

Add locking to stats-puller service. Refactor cleanup -> lock (#1608, @whaught)
Add optional enx-redirect tests to e2e-runner (#1585, @sethvargo)
Add tests for cleanup (#1600, @sethvargo)
Check session expiration on login (#1549, @sethvargo)
Clean up nits from verification certification rotation (#1618, @sethvargo)
Cleanup for key-server stats (#1615, @whaught)
Correct padding (#1541, @whaught)
Defensively check deleted_at fields in realm/user join tables for memberships (#1565, @sethvargo)
Delete any orphaned entries before creating foreignkey. This handles an extreme edge case where an entry was manually deleted from the database before the FK constraint existed. (#1533, @sethvargo)
Delete users who are deleted (#1566, @sethvargo)
Display realm_id in system admin event logs (#1605, @sethvargo)
Don't return http.Response when unneeded (#1586, @sethvargo)
Drop foreignkey constraints if they already exist before creating (#1534, @sethvargo)
Drop optional calculation of Daily Active Users (#1544, @sethvargo)
Fix nits from signing key cleanup (#1619, @sethvargo)
Garbage collection of references to deleted signing keys. (#1616, @mikehelmick)
I8n strings for bulk-issue (#1509, @whaught)
Log URLs and response codes in appsync errors, increase max size to 64kb (#1545, @sethvargo)
Move associated site data responses into api package (#1577, @sethvargo)
Move e2e client into internal/ (#1578, @sethvargo)
New tables for storing key-server statistics (#1599, @whaught)
Not-found and invalid for malformed realm_id in jwks request (#1557, @whaught)
Only emit an error when shouldCleanup actually fails (#1520, @sethvargo)
Remove leading slash in clients (#1547, @sethvargo)
Retry database pings in health checks (#1537, @sethvargo)
Return NotFound for invalid UUIDs (#1523, @sethvargo)
Return a success response on remote workers when no work is done (#1604, @sethvargo)
Use outer padding for bulk-uploader client (#1542, @whaught)

Infrastructure improvements

Actually delete e2e API keys and mobile apps (#1588, @sethvargo)
Add Binary Authorization enforcement for Cloud Run. Please taint the Terraform builders before running Terraform: terraform taint module.en.null_resource.build. This only needs to be done once to force the images to re-build with the proper attestations. (#1572, @sethvargo)
Add Binauthz envvars to Terraform builder (#1579, @sethvargo)
Add api/issue latency to the verification dashboard (#1576, @whaught)
App sync will run no more than once every 5 minutes, controlled via database. (#1593, @mikehelmick)
Build all cmd binaries at once in CI (#1620, @sethvargo)
Create metrics for when humans access secrets or decrypt values (#1552, @sethvargo)
DEV: Overall test coverage displayed on presubmit. (#1540, @mikehelmick)
DOCS: Add procedure for adding new ENX redirect domains. (#1570, @mikehelmick)
Document enx-redirector for realm and system admins (#1551, @sethvargo)
ENX redirect, add new sub-domains without outage. (#1561, @mikehelmick)
Ensure bin dir exists on builds (#1626, @sethvargo)
Fire alerts when humans do secret things (#1556, @sethvargo)
Give rotate job permissions to admin crypto key ring (#1617, @mikehelmick)
Monitoring: Add ClouldSchedulerJobFailed alert. (#1527, @yegle)
Move appsync warning to debug level (#1563, @sethvargo)
Restore user re-created metric and alert (#1606, @sethvargo)
Simplified alerting configuration to accommodate low-traffic services (#1535, @yuriatgoogle)
Simply shared end-to-end runner configurations (#1583, @sethvargo)
Switch modeler logs to debug (#1522, @sethvargo)
Updated exposure-notifications-sever dependency to v0.20.0 (#1627, @mikehelmick)

Dependencies

Added

Nothing has changed.

Changed

github.com/google/exposure-notifications-server: v0.19.0 → v0.20.0
github.com/jba/templatecheck: v0.4.0 → v0.5.0

Removed