This repository has been archived by the owner on Jul 12, 2023. It is now read-only.
v0.21.0
Release notes for v0.21.0
If redis auth is not enabled, please use v0.21.1 instead
Upgrade notes
- This release introduces the ability for the verification server to pull statistics from a key server. This functionality is off by default, and can be enabled by a realm administrator. There are new configuration values for the default key server and audience to use.
  - KEY_SERVER_URL - base URL for the key server to pull stats from; the /v1/stats path will be appended to this. You must set this value in our terraform configuration for your deployment for this functionality to work.
  - KEY_SERVER_STATS_AUDIENCE - default value is the same as the default value from the exposure-notifications-server
- Authenticated SMS
  - This is a new feature under development; it is off by default and subject to change without notice.
Changes by Kind
Statistics
Key-server stats
- Add CSV format for key-server stats file (#1691, @whaught)
- Add TEK age & onset-upload distribution chart (#1669, @whaught)
- Adjustable data smoothing (#1705, @whaught)
- Average issue-claim chart (#1710, @whaught)
- Claim age distribution chart added to UI (#1709, @whaught)
- Dev seed script randomizes the issue to claim time (#1731, @whaught)
- Emit key-server stats as json for charting (#1661, @whaught)
- Gives stats puller services the correct KMS permissions. (#1686, @mikehelmick)
- Redraw all charts with window resize. Move some js to application.js (#1700, @whaught)
- Show distributions as 7 day sums (#1698, @whaught)
- Show publish requests by OS (#1665, @whaught)
- Slider tick marks for issue-claim age chart (#1719, @whaught)
- Stats - Claim age distribution chart isn't resized when the scope is changed. (#1720, @mikehelmick)
- Styling updates for statistics page & about links (#1724, @whaught)
- Use UTC time in stats-puller test (#1740, @sethvargo)
- Add random key-server stats data in dev seed script (#1651, @whaught)
- Key server histograms have better controls and don't resize as days change (#1718, @mikehelmick)
- Logic for executing the v1/stats request and storing results (#1621, @whaught)
- Padding for stats sliders (#1725, @whaught)
Verification server stats
- Add code issue to claim age average and distribution stat (#1675, @whaught)
- Add invalid codes and full token graphs to stats (#1641, @sethvargo)
- Add new stats for codes_invalid and tokens to responses (#1631, @sethvargo)
- Increment code-issue stats at the end of issuance logic. This avoids recording [known] failures. (#1638, @whaught)
- Make codes/stats bit of seeding optional (#1628, @sethvargo)
- Make seed script also optionally verify codes and claim tokens (#1629, @sethvargo)
- Move API key stats into the API and display invalid claim attempts on API keys page (#1646, @sethvargo)
Authenticated SMS (new feature that is off by default)
- Add SMS signing functionality. This functionality is off by default, as Google and Apple are still developing the necessary client-side features to support it. (#1696, @sethvargo)
- Add database model for managed keys for signing SMS messages. (#1649, @mikehelmick)
- Implement first pass at SMS signature algorithm package (#1650, @sethvargo)
- Add utility for verifying SMS signatures (#1721, @sethvargo)
- Create SMSSigning config and instantiate SMS signing key manager where needed (#1673, @sethvargo)
- Give Admin API signer verifier permissions on the keyring containing SMS signing keys. (#1704, @mikehelmick)
- Standardize response codes and add tests to SMS keys (#1672, @sethvargo)
- Switch to short date with less base64-encoding in returned SMS signature (#1722, @sethvargo)
- Realm admins can create/rotate SMS signing keys and enable authenticated SMS. (#1668, @mikehelmick)
Other SMS changes
- Move SMS templates into the SMS tab (originally under codes) (#1734, @sethvargo)
- Use the same SMS provider for all messages, cache locally for 5 minutes to improve performance (#1674, @sethvargo)
- Display a preview of how SMSes could be split across multiple messages at 153 character boundaries. (#1737, @sethvargo)
Test coverage
- Add more tests for cacher package (#1659, @sethvargo)
- Add more tests for routes (#1657, @sethvargo)
- Add more unit tests for internal/project package (#1656, @sethvargo)
- Fix e2e test for unknown user-agent header (#1695, @whaught)
- Add some more admin tests (#1660, @sethvargo)
- Add tests for api package (#1658, @sethvargo)
- Run e2e enx-redirector tests as part of CI (#1732, @sethvargo)
Terraform changes
- Add optional authentication to Redis. The default behavior remains unchanged, but a new Terraform variable redis_enable_auth exists to opt-in to Redis authentication. Opting in can cause downtime, so if you choose to enable it, we recommend doing it separately from a regular deployment, while the system is in maintenance mode. (#1714, @sethvargo)
- Creates separate paging and non-paging alert mechanisms. (#1677, @yuriatgoogle)
- Ensure distinct certificates on the redirect load balancer for root certificates. (#1643, @sethvargo)
- Ensure permissions are applied for cleanup service in Terraform (#1690, @sethvargo)
- Grant cleanup service permission to manage keys for cleanup (#1680, @sethvargo)
- Make redis_auth optional, default to false for backwards compatibility (#1741, @sethvargo)
- Make sure attestor is provisioned before building (#1653, @sethvargo)
- Removing unneeded alert (#1662, @bschlaman)
- Simplify key and secret management in Terraform. Note: this will cause a very large Terraform diff when applying, including deleting IAM bindings. We recommend running terraform apply twice to ensure convergence. (#1712, @sethvargo)
Debuggability and alerts
- Add audits for signing keys (#1706, @sethvargo)
- Add debug logging for when distributed tasks are skipped (#1681, @sethvargo)
Documentation
- Clarify error responses in documentation (#1664, @whaught)
- Clarify chaff should be on both endpoints (#1701, @sethvargo)
- DOCS: Realm admin guide, add instructions for enabling automatic signing key rotation. (#1636, @mikehelmick)
- Dev Docs: Added instructions for flag guarding features. (#1671, @mikehelmick)
- Promote statistics APIs to Generally Available (GA) (#1715, @sethvargo)
- Update architecture documentation (#1683, @sethvargo)
Other
- Fix a potential panic in internationalization when given an invalid language string (#1655, @sethvargo)
- Ping when opening SQL connection (#1630, @sethvargo)
- Rename certificate signing keyring to database keyring. **Upgrade note!** Rename the environment variable CERTIFICATE_SIGNING_KEYRING to DB_KEYRING in your configurations. If you are using the Terraform configurations bundled with the project, this will happen automatically. (#1694, @sethvargo)
Dependencies
Added
Nothing has changed.
Changed
- contrib.go.opencensus.io/exporter/stackdriver: v0.13.4 → v0.13.5
- github.com/google/exposure-notifications-server: v0.20.0 → v0.21.0
- golang.org/x/text: v0.3.4 → v0.3.5
Removed
Nothing has changed.