Releases: warp-tech/warpgate
v0.23.3
Security fixes
GHSA-rj86-hm3r-c275
- Verify SSO state parameter in #1891
This vulnerability allowed an authorized Warpgate user A to share their SSO return link with another authorized Warpgate user B, potentially misleading B into getting logged in as A and subsequently sharing confidential information through user A's session.
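The advisory describes a classic missing-`state` check in an OAuth/OIDC login: the callback must verify that the `state` in the return link is the one issued to the browser session that is completing the flow, otherwise a return link minted for user A completes the login in user B's browser. The following is an added example, not Warpgate's code; `SsoClient`, `Session`, the in-memory session store, the stand-in identity provider and the URLs are illustrative assumptions. It runs the shared-link scenario from the advisory with and without the check (the check also uses a constant-time comparison, as the admin-token fix in v0.23.0 does for its tokens).

```python
"""Added example, not Warpgate's own code: binding the OAuth/OIDC `state`
parameter to the browser session that started the login.

Advisory scenario: user A starts SSO, captures the return link the identity
provider redirects to (carrying ?code=...&state=...) and hands it to user B.
If the callback never checks that `state` matches what *B's* session issued,
B's browser completes A's flow and B is now logged in as A.

SsoClient, Session, the in-memory session store, the stand-in identity
provider and the URLs used here are illustrative assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://idp.example/authorize"      # assumed IdP endpoint
RETURN_URL = "https://warpgate.example/sso/return"   # assumed callback URL


@dataclass
class Session:
    """Server-side state for one browser, keyed by its session cookie."""
    pending_state: Optional[str] = None   # set when SSO is started from this browser
    user: Optional[str] = None            # set once a login completes


class SsoClient:
    def __init__(self, verify_state: bool) -> None:
        self.verify_state = verify_state
        self.sessions: Dict[str, Session] = {}
        self.idp_codes: Dict[str, str] = {}   # constructed IdP: code -> subject

    def new_browser(self) -> str:
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = Session()
        return cookie

    def start_login(self, cookie: str) -> str:
        """Issue a fresh, unguessable state and remember it in *this* session."""
        state = secrets.token_urlsafe(32)
        self.sessions[cookie].pending_state = state
        return AUTHORIZE_URL + "?" + urlencode({"state": state})

    def idp_approves(self, authorize_url: str, subject: str) -> str:
        """Stand-in for the IdP: the user authenticates there and it redirects
        back with an authorization code, echoing `state` unchanged."""
        state = parse_qs(urlparse(authorize_url).query)["state"][0]
        code = secrets.token_urlsafe(16)
        self.idp_codes[code] = subject
        return RETURN_URL + "?" + urlencode({"code": code, "state": state})

    def finish_login(self, cookie: str, return_url: str) -> Optional[str]:
        """Callback handler. Returns the identity the session is now logged in
        as, or None if the return link was rejected."""
        query = parse_qs(urlparse(return_url).query)
        session = self.sessions[cookie]
        if self.verify_state:
            expected = session.pending_state
            session.pending_state = None          # single use, whatever the outcome
            received = query.get("state", [""])[0]
            # Reject if this browser never started a login or the state differs;
            # compare_digest keeps the comparison constant-time.
            if expected is None or not hmac.compare_digest(
                    expected.encode(), received.encode()):
                return None
        subject = self.idp_codes.pop(query.get("code", [""])[0], None)  # code is single use
        if subject is None:
            return None
        session.user = subject
        return subject


def share_link_attack(verify_state: bool) -> Optional[str]:
    """User A starts SSO and hands the resulting return link to user B, who
    opens it in a browser whose session never started that login."""
    sso = SsoClient(verify_state)
    browser_a, browser_b = sso.new_browser(), sso.new_browser()
    return_link = sso.idp_approves(sso.start_login(browser_a), subject="alice")
    return sso.finish_login(browser_b, return_link)


def legitimate_login() -> Optional[str]:
    """The same flow completed in the browser that started it."""
    sso = SsoClient(verify_state=True)
    browser = sso.new_browser()
    return sso.finish_login(browser, sso.idp_approves(sso.start_login(browser), "alice"))


if __name__ == "__main__":
    print("no state check, B ends up logged in as:", share_link_attack(False))  # alice
    print("with state check, B ends up logged in as:", share_link_attack(True))  # None
    print("legitimate login:", legitimate_login())                                # alice
```

The state is cleared on the first callback regardless of outcome, so a return link cannot be replayed into the session that issued it either; the authorization code is likewise consumed on first use. A real deployment keeps the session in a store the callback handler can read, not in the URL, and ties the cookie to the browser with the usual `HttpOnly`/`Secure`/`SameSite` attributes.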
What's Changed
- Verify state parameter by @Eugeny in #1891
- fix #1883 - re-normalize options.auth field for database targets by @Eugeny in #1892
Full Changelog: v0.23.2...v0.23.3
v0.23.2
What's Changed
- Bump follow-redirects from 1.15.11 to 1.16.0 in /warpgate-web by @dependabot[bot] in #1867
- fix #1854 - PG timestamp types by @Eugeny in #1877
- Bump github/codeql-action from 4.35.1 to 4.35.2 by @dependabot[bot] in #1870
Full Changelog: v0.23.1...v0.23.2
v0.23.1
Security fixes
GHSA-f5v4-2wr6-hqmg
This DoS vulnerability allowed an unauthenticated user to trigger an out-of-memory condition on a Warpgate instance if keyboard-interactive authentication is enabled. A malicious authentication packet could trigger a multi-GB memory allocation, likely leading to Warpgate being killed by the OOM killer.
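The advisory does not say which field of the packet Warpgate trusted, only that an unauthenticated peer could make it allocate multiple GB. The bug class is a length or count prefix taken at face value before any bytes backing it have been read. The following is an added example, not Warpgate's code: it models the keyboard-interactive response message from RFC 4256 (SSH_MSG_USERAUTH_INFO_RESPONSE: message byte, uint32 response count, then that many length-prefixed strings) and puts a naive parser, which sizes its allocation from the attacker's count, next to a bounded one that checks every declared size against the packet it already holds and the number of prompts the server actually sent. The naive parser is an assumed illustration of the class, not a reconstruction of the fixed code.

```python
"""Added example, not Warpgate's own code: parsing attacker-controlled length
prefixes without letting the peer choose the allocation size.

Modelled message: SSH_MSG_USERAUTH_INFO_RESPONSE (RFC 4256 section 3.4).
The naive parser is an assumed illustration of the bug class; the packet
builders construct sample input and are not captured traffic.
"""
import struct
from typing import List

SSH_MSG_USERAUTH_INFO_RESPONSE = 61
MAX_PACKET = 35_000   # RFC 4253 section 6.1: packet size every implementation must accept


def build_info_response(responses: List[bytes]) -> bytes:
    """Encode a well-formed response packet (used to construct sample input)."""
    out = bytes([SSH_MSG_USERAUTH_INFO_RESPONSE]) + struct.pack(">I", len(responses))
    for r in responses:
        out += struct.pack(">I", len(r)) + r
    return out


def hostile_count_packet() -> bytes:
    """Constructed attack input: claims 2**32-1 responses, carries none."""
    return bytes([SSH_MSG_USERAUTH_INFO_RESPONSE]) + struct.pack(">I", 0xFFFFFFFF)


def hostile_length_packet() -> bytes:
    """Constructed attack input: one response whose declared length is 4 GiB."""
    return (bytes([SSH_MSG_USERAUTH_INFO_RESPONSE]) + struct.pack(">I", 1)
            + struct.pack(">I", 0xFFFFFFFF))


def parse_naive(packet: bytes) -> List[bytes]:
    """Trusts the declared count: allocates `count` slots before reading a single
    response. On hostile_count_packet() that is a tens-of-GB allocation made for
    an unauthenticated peer. Never call this on untrusted data."""
    count = struct.unpack(">I", packet[1:5])[0]
    responses = [b""] * count            # attacker-sized allocation
    offset = 5
    for i in range(count):
        length = struct.unpack(">I", packet[offset:offset + 4])[0]
        offset += 4
        responses[i] = packet[offset:offset + length]
        offset += length
    return responses


def parse_bounded(packet: bytes, expected_prompts: int) -> List[bytes]:
    """Every size the peer declares is checked against something we already
    hold: the (capped) packet itself and the number of prompts we sent."""
    if len(packet) > MAX_PACKET:
        raise ValueError("packet exceeds maximum size")
    if len(packet) < 5 or packet[0] != SSH_MSG_USERAUTH_INFO_RESPONSE:
        raise ValueError("not a USERAUTH_INFO_RESPONSE")
    count = struct.unpack(">I", packet[1:5])[0]
    if count != expected_prompts:
        raise ValueError("response count does not match the prompts we sent")
    responses: List[bytes] = []
    offset = 5
    for _ in range(count):
        if len(packet) - offset < 4:
            raise ValueError("truncated length field")
        length = struct.unpack(">I", packet[offset:offset + 4])[0]
        offset += 4
        if length > len(packet) - offset:
            raise ValueError("declared string length exceeds packet")
        responses.append(packet[offset:offset + length])
        offset += length
    if offset != len(packet):
        raise ValueError("trailing bytes after last response")
    return responses


def is_rejected(packet: bytes, expected_prompts: int) -> bool:
    """True if the bounded parser refuses the packet."""
    try:
        parse_bounded(packet, expected_prompts)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    sample = build_info_response([b"hunter2", b"123456"])
    print(parse_naive(sample), parse_bounded(sample, 2))
    print(is_rejected(hostile_count_packet(), 1), is_rejected(hostile_length_packet(), 1))
```

The same rule applies to any pre-sized buffer (`Vec::with_capacity` in Rust, a slice of declared length in Go): grow only as far as bytes actually arrive, and cap the whole packet before parsing it, since the transport-level limit is the one bound the attacker cannot declare.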
v0.23.0
Changes
- fixed #1499 - admin roles in #1783
  - New "Admin roles" let you grant users granular permissions to the admin UI, for example to manage targets/users/roles/tickets. These are separate from the existing "Access roles".
  - Migration notes:
    - The admin UI is no longer its own "target" but rather a link at the top of the Warpgate landing page
    - Any user with an admin role assigned to them is now able to access the admin UI - with the corresponding restrictions
    - Existing users that are assigned to the `warpgate:admin` role will have a `warpgate:admin` superuser admin role assigned to them, so that there is no change in access after the update.
    - You can delete the old `warpgate:admin` access role if you have never used it for anything other than admin UI access.
- Added support for disabling the injected menu by @LarsSven in #1852
  - The new checkbox under Global Parameters lets you disable the injected session menu for HTTP targets. Users can still manually navigate back to `/@warpgate` to switch targets.
- AWS IAM auth in #1859
  - Experimental support for AWS IAM role authentication for SSH (EC2), EKS (Kubernetes) and MySQL and Postgres (RDS) targets.
- Automatically generate client certificate when using kubernetes targets by @LarsSven in #1795
  - The "Access instructions" dialog now offers a quick way to issue a new client certificate for Kubernetes targets, as well as an option to store the certificate and the private key in the browser's storage. This allows the Warpgate frontend to generate a fully pre-configured `kubeconfig` file for the user, including the credentials.
- Rich audit logs in #1832
  - Audit-relevant events (such as role or credential changes, as well as session start/end) are logged into a separate "audit" log stream; the Log page now offers a filter to view only audit logs. The new `audit_retention` config option controls a separate retention period for these log entries (12 months by default).
- feat: add user role assignment expiry and history tracking by @mrmm in #1816
  - The new "edit" icon next to an active role assignment lets you add an expiry date.
- Add support for allowed_ip_range for users by @LarsSven in #1846
- fixed #1497 - separate external host settings per protocol in #1824
- Extend target search to include descriptions. Closes #1784 by @cvhariharan in #1791
- feat: Add HTTPRoute template to Helm chart by @solidassassin in #1756
Fixes
- fixed #1087 - detect port knocking in #1862
- fix(http): prioritize ?warpgate-target= query param over host-based domain binding by @aav in #1868
- fixed #1835 - support kubectl logs and portforward in #1875
- fix(ui): resolve config page layout regression caused by flex on main by @mrmm in #1851
- streamline x-forwarded header checks in #1858
- Use constant time comparison for admin tokens by @LarsSven in #1853
- perf(ui): improve admin log page with virtualization, buffer cap, and calmer polling by @pandeysambhi in #1838
- Send messages to SSH terminal synchronously by @LarsSven in #1830
- update Ticket model to use ID relations to user and target in #1839
- improvements(helm chart): fix setup job command line argument parsing failure due to trailing backslash and other improvements by @SachinMaharana in #1819
- fixed #1483 - apply SSH timeout settings to the SSH client as well in #1813
- #1414 - parse warpgate_roles claim from the token itself if present in #1811
- fixed #1785 - log queries fail on PostgreSQL in #1807
- Google sso role mapping fix by @SteezyCougar in #1712
- Warpgate should use subdomain if subdomain binding is enabled by @SteezyCougar in #1777
Misc
- OIDC integration tests in #1766
- ci: add Helm chart publish workflow by @SachinMaharana in #1794
- Dependency bumps & time crate migration in #1840
- Add database migration compatibility tests for PostgreSQL and MySQL by @Copilot in #1863
New Contributors
- @cvhariharan made their first contribution in #1791
- @solidassassin made their first contribution in #1756
- @SachinMaharana made their first contribution in #1794
- @pandeysambhi made their first contribution in #1838
- @aav made their first contribution in #1868
Full Changelog: v0.22.1...v0.23.0
v0.22.0-beta.6
Changes
- Added support for disabling the injected menu by @LarsSven in #1852
  - The new checkbox under Global Parameters lets you disable the injected session menu for HTTP targets. Users can still manually navigate back to `/@warpgate` to switch targets.
- AWS IAM auth in #1859
  - Experimental support for AWS IAM role authentication for SSH (EC2), EKS (Kubernetes) and MySQL and Postgres (RDS) targets.
Fixes
- fix(ui): resolve config page layout regression caused by flex on main by @mrmm in #1851
- streamline x-forwarded header checks by @Eugeny in #1858
- Use constant time comparison for admin tokens by @LarsSven in #1853
Full Changelog: v0.22.0-beta.5...0.22.0-beta.6
v0.22.0-beta.5
Changes
- Automatically generate client certificate when using kubernetes targets by @LarsSven in #1795
  - The "Access instructions" dialog now offers a quick way to issue a new client certificate for Kubernetes targets, as well as an option to store the certificate and the private key in the browser's storage. This allows the Warpgate frontend to generate a fully pre-configured `kubeconfig` file for the user, including the credentials.
- Rich audit logs by @Eugeny in #1832
  - Audit-relevant events (such as role or credential changes, as well as session start/end) are logged into a separate "audit" log stream; the Log page now offers a filter to view only audit logs. The new `audit_retention` config option controls a separate retention period for these log entries (12 months by default).
- feat: add user role assignment expiry and history tracking by @mrmm in #1816
  - The new "edit" icon next to an active role assignment lets you add an expiry date.
Fixes
- perf(ui): improve admin log page with virtualization, buffer cap, and calmer polling by @pandeysambhi in #1838
- Send messages to SSH terminal synchronously by @LarsSven in #1830
- Dependency bumps & time crate migration by @Eugeny in #1840
- update Ticket model to use ID relations to user and target by @Eugeny in #1839
New Contributors
- @pandeysambhi made their first contribution in #1838
Full Changelog: v0.22.0-beta.3...v0.22.0-beta.5
v0.22.0-beta.3
Fixes
- improvements(helm chart): fix setup job command line argument parsing failure due to trailing backslash and other improvements by @SachinMaharana in #1819
- fixed #1483 - apply SSH timeout settings to the SSH client as well by @Eugeny in #1813
- #1414 - parse warpgate_roles claim from the token itself if present by @Eugeny in #1811
- fixed #1785 - log queries fail on PostgreSQL by @Eugeny in #1807
- ci: add Helm chart publish workflow by @SachinMaharana in #1794
New Contributors
- @SachinMaharana made their first contribution in #1794
Full Changelog: v0.22.0-beta.2...v0.22.0-beta.3
v0.22.0-beta.2
Changes
- Polish some Kubernetes UI elements by @LarsSven in #1770
- Extend target search to include descriptions. Closes #1784 by @cvhariharan in #1791
- bump russh to 0.58 by @Eugeny in #1798
- Warpgate should use subdomain if subdomain binding is enabled by @SteezyCougar in #1777
- feat: Add HTTPRoute template to Helm chart by @solidassassin in #1756
Fixes
- Google sso role mapping fix by @SteezyCougar in #1712
New Contributors
- @cvhariharan made their first contribution in #1791
- @solidassassin made their first contribution in #1756
Full Changelog: v0.22.0-beta.1...v0.22.0-beta.2
v0.22.0-beta.1
Changes
- fixed #1499 - admin roles by @Eugeny in #1783
  - New "Admin roles" let you grant users granular permissions to the admin UI, for example to manage targets/users/roles/tickets. These are separate from the existing "Access roles".
  - Migration notes:
    - The admin UI is no longer its own "target" but rather a link at the top of the Warpgate landing page
    - Any user with an admin role assigned to them is now able to access the admin UI - with the corresponding restrictions
    - Existing users that are assigned to the `warpgate:admin` role will have a `warpgate:admin` superuser admin role assigned to them, so that there is no change in access after the update.
    - You can delete the old `warpgate:admin` access role if you have never used it for anything other than admin UI access.
Full Changelog: v0.21.1...v0.22.0-beta.1