Skip to content
This repository has been archived by the owner on Jul 12, 2023. It is now read-only.

v0.21.0
Compare
Choose a tag to compare
@whaught whaught released this 01 Feb 16:56
· 542 commits to main since this release
v0.21.0
This tag was signed with the committer’s verified signature. The key has expired.
whaught Weston Haught
GPG key ID: 9B55058D16F23ED6
Expired
Learn about vigilant mode.
94f0a2e
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.

Release notes for v0.21.0

If redis auth is not enabled, please use v0.21.1 instead

Upgrade notes

  • This release introduces the ability for the verification server to pull statistics from a key server. This functionality is off by default, and can be enabled by a realm administrator. There are new configuration values for the default key server and audience to use.

    • KEY_SERVER_URL - base URL for the key server to pull stats from, the /v1/stats path will be appended to this. You must set this value in our terraform configuration for your deployment for this functionality to work.
    • KEY_SERVER_STATS_AUDIENCE - default value is the same as default value from the exposure-notifications-server

  • Authenticated SMS

    • This is a new feature under development, it is off by default and subject to change without notice.

Changes by Kind

Statistics

Key-server stats

Verification server stats

  • Add code issue to claim age average and distribution stat (#1675, @whaught)
  • Add invalid codes and full token graphs to stats (#1641, @sethvargo)
  • Add new stats for codes_invalid and tokens to responses (#1631, @sethvargo)
  • Increment code-issue stats at the end of issuance logic. This avoids recording [known] failures. (#1638, @whaught)
  • Make codes/stats bit of seeding optional (#1628, @sethvargo)
  • Make seed script also optionally verify codes and claim tokens (#1629, @sethvargo)
  • Move API key stats into the API and display invalid claim attempts on API keys page (#1646, @sethvargo)

Authenticated SMS (new feature that is off by default)

  • Add SMS signing functionality. This functionality is off by default, as Google and Apple are still developing the necessary client-side features to support it. (#1696, @sethvargo)
  • Add database model for managed keys for signing SMS messages. (#1649, @mikehelmick)
  • Implement first pass at SMS signature algorithm package (#1650, @sethvargo)
  • Add utility for verifying SMS signatures (#1721, @sethvargo)
  • Create SMSSigning config and instantiate SMS signing key manager where needed (#1673, @sethvargo)
  • Give Admin API signer verifier permissions on the for the keyring containing SMS singing keys. (#1704, @mikehelmick)
  • Standardize response codes and add tests to SMS keys (#1672, @sethvargo)
  • Switch to short date with less base64-encoding in returned SMS signature (#1722, @sethvargo)
  • Realm admins can create/rotate SMS signing keys and enable authenticated SMS. (#1668, @mikehelmick)

Other SMS changes

  • Move SMS templates into the SMS tab (originally under codes) (#1734, @sethvargo)
  • Use the same SMS provider for all messages, cache locally for 5 minutes to improve performance (#1674, @sethvargo)
  • Display a preview of how SMSes could be split across multiple messages at 153 character boundaries. (#1737, @sethvargo)

Test coverage

Terraform changes

  • Add optional authentication to Redis. The default behavior remains unchanged, but a new Terraform variable redis_enable_auth exists to opt-in to Redis authentication. Opting in can cause downtime, so if you choose to enable it, we recommend doing it separately from a regular deployment, while the system is in maintenance mode. (#1714, @sethvargo)
  • Creates separate paging and non-paging alert mechanisms. (#1677, @yuriatgoogle)
  • Ensure distinct certificates on the redirect load balancer for root certificates. (#1643, @sethvargo)
  • Ensure permissions are applied for cleanup service in Terraform (#1690, @sethvargo)
  • Grant cleanup service permission to manage keys for cleanup (#1680, @sethvargo)
  • Make redis_auth optional, default to false for backwards compatibility (#1741, @sethvargo)
  • Make sure attestor is provisioned before building (#1653, @sethvargo)
  • Removing unneeded alert (#1662, @bschlaman)
  • Simplify key and secret management in Terraform. Note: this will cause a very large Terraform diff when applying, including deleting IAM bindings. We recommend running terraform apply twice to ensure convergence. (#1712, @sethvargo)

Debuggability and alerts

Documentation

Other

  • Fix a potential panic in internationalization when given an invalid language string (#1655, @sethvargo)
  • Ping when opening SQL connection (#1630, @sethvargo)
  • Rename certificate signing keyring to database keyring. **Upgrade note!*- Rename the
    environment variable CERTIFICATE_SIGNING_KEYRING to DB_KEYRING in your
    configurations. If you are using the Terraform configurations bundled with the project, this
    will happen automatically. (#1694, @sethvargo)

Dependencies

Added

Nothing has changed.

Changed

  • contrib.go.opencensus.io/exporter/stackdriver: v0.13.4 → v0.13.5
  • github.com/google/exposure-notifications-server: v0.20.0 → v0.21.0
  • golang.org/x/text: v0.3.4 → v0.3.5

Removed

Nothing has changed.

Assets 2
Loading