Features

• client can now upgrade itself from remote servers running 0.7.0+ (ssoca-client env update-client)
• cleanup default browser UI for better download/configuration/usage instructions
• embed version information in client (ssoca-client version)
• the server certauth setting for services is now optional, defaulting to certauth named default
• add Shimo and Viscosity to list of OS X paths used for finding an openvpn binary
• rename ssoca-client openvpn connect to ssoca-client openvpn exec (connect remains as an alias for now)
• Tunnelblick profiles are now named after environment (rather than generic openvpn, by default)
• restart openvpn connections if there are frequent, repeated authentications via management service (for cases where server has rotated credentials)
• client version is now reported in API requests for easier investigations from server logs

Fixes

• server API now returns correct Content-Type header for JSON
• custom auth success/failure pages now work correctly
• improved authentication vs authorization error handling - now using HTTP 401 Unauthorized when auth tokens are invalid (previously 403 Forbidden was used; this may break automatic reauthentication attempts in older clients)

Development

• automate builds of binaries and publishing of releases
• continue improving test coverage

Features

• redirect authentication requests to canonical hostname
• set authentication cookies with domain, path, and secure attributes
• improve error messages when temporary authentication cookies are incorrect
• avoid caching API responses in browser UI

Features

• show a warning message on authentication result pages if an outdated client is detected
• easier installation of Tunnelblick profiles with the --install option

Bug Fixes

• Tunnelblick profiles use the correct user home directory (caused errors when user did not match home path)
• Tunnelblick re-authentication prompts should not become detached from desktop interactions (caused hanging processes)

Development

• switch to vendoring with dep
• update some vendored dependencies
• refactor ssh client for easier imports

Features

• Automatically validate the connection and CA certificate to an environment when configuring it, and show confirmation to the user
• Automatically prefix environment URLs with https:// if it is not already specified for slightly shorter commands
• Show slightly more descriptive HTTP error messages when requests fail (e.g. show 403 Forbidden instead of 403)
• Rename env add to env set to clarify it can be used for updating settings as well (env add currently remains as an alias)
• Rename env info to env services, and add env info for showing the environment name, URL, and banner
• Improved auth info behaviors:
  • Additional options to show only specific pieces of data (i.e. --authenticated, --id, and --groups)
  • Now exit with an error if the user is not authenticated
• Improved openvpn create-tunnelblick-profile --install behaviors:
  • Create and secure Tunnelblick directories, if necessary, to avoid Tunnelblick needing to be installed/run beforehand
  • Preset connection profile options to: ensure automatic reconnect on certificate expiration; and avoid automatic IP change detection and prompts
  • Require Tunnelblick to not be running during install to ensure settings are applied and avoid confusion about new profiles not immediately appearing
• Show new, updated client version confirmation after using env update-client

Bug Fixes

• Fix or authorization filter to error with specific error type (avoids generic 500 internal server errors and enables automatic re-login attempts)

Features

• Add env rename command to change the name of an environment
• Build linux binaries using glibc instead of musl

Bug Fixes

• Add sanity check in openvpn Tunnelblick profile generation to possibly avoid empty files

Development

• Switch to go/1.10

Features

• Support running the server behind SSL-terminating proxy servers.

Features

• Support creating launchd services for OpenVPN services
• Support creating ONC profiles for OpenVPN services
• Support configuring auth callback bind addresses with auth.bind environment option
• Add Contains and Matches helpers for checking groups in templatized configuration values

Bug Fixes

• Restore UAA authentication support

Development

• Update to go1.11

Features

• Support overriding which UAA client prompts are required to authenticate

Bug Fixes

• Fix UAA client used for authentication to be configurable
• Fix templating of Critical Options for SSH

Features

• Log additional request data for environments running behind proxies (#6). To enable detection of proxied client IPs, you must explicitly configure your proxy server IPs or CIDRs with the server.trusted_proxies list.
• When executing openvpn, add /usr/local/sbin to the list of fallback paths to search (#9).
• Improve the get command of downloads to support sending the file to STDOUT after a successful download.
• Improve CLI options handling of the --service flag so it can be passed next to the service rather than its subcommand.
• Improve the documentation site and switch to hugo.
• Configurable robots.txt setting via server.robotstxt (defaults to disallowing all crawlers).

Bug Fixes

• Fix sudo passwords being ignored after authentication interrupts a service command (#8).
• When executing Tunnelblick’s openvpn executable on macOS, avoid using older, unsupported versions.

Development

• Switch to github.com/pkg/errors for internal error wrapping.

Development

• Update to go/1.11.5

Bug Fixes

• Build binaries with CGO_ENABLED=0 for improved compatibility.

Features

• Add /usr/sbin to fallback search path for openvpn (#11).
• Use password authentication for openvpn management interface (#14).
• Improve openvpn reconnection behavior to request a new certificate upon rapid connection failures.

Development

• Update to go/1.12.4.
• Improve the documentation site theme.
• Add resource icons to Concourse pipeline.

Enhancements

• Rename the download service to file service to clarify it as a resource rather than an action (download currently remains as an alias).
• Support using simple globs in file names with file get.
• Add file exec command to temporarily download and then execute a file.
• Improve interactive browser login prompts for Linux and Windows.
• Require all server services to have at least one access requirement defined in order to avoid accidental, public services.
• Support multiple authentication providers within a single environment.
• Updated server configuration file format (auth services should now be configured in the services section).
• Client auth login operations will now timeout with an error after no activity (default 15 minutes).

Bug Fixes

• Fix case where invalid OpenVPN static configuration files were generated after the user was automatically reauthenticated.

Development

• Significant refactoring of authentication providers and endpoints. The changes should be compatible with both old/new and new/old client/server configurations.
• Switch errors and log messages to consistently use lower case.
• Update to go/1.12.9.

Enhancements

• Add internal workaround of errors when executing openvpn with recent versions of openssl (avoids need for using --static-certificates; #13).

Development

• Configure default HTTP timeouts for clients.
• Update to go/1.13.1.

Enhancements

• Automatically restart OpenVPN client when static certificates fail (#16).
• Improve logging of static certificate fallback and handling of the deprecated CLI flag.

Development

• Update to go/1.13.3.

Internal

• Web server now includes the server version in the server response header.

Development

• Switch to Go modules.
• Update numerous dependencies.
• Update to go/1.13.6.

Internal

• Update to go/1.14.5.
• Update go module dependencies.

Bug Fix

• Re-release without +dirty version annotation.