diff --git a/docs/source/release_notes/1.10.rst b/docs/source/release_notes/1.10.rst new file mode 100644 index 0000000000..3931ece9cc --- /dev/null +++ b/docs/source/release_notes/1.10.rst 
@@ -0,0 +1,59 @@ +============ +OpenKAT 1.10 +============ + +The most visible change is that the user interface got major improvements and +uses the latest version of Manon. There are still some minor issues left that +will be fixed in upcoming releases. + +Finding types have been moved from Rocky database to Octopoes/XTDB and types are +an OOI now. Having the findings together with finding types in XTDB means that +we can query, aggregate and/or filter the findings based on findingtypes or +severity in XTDB. By doing those queries completely in XTDB we fixed several +performance issues. Finding types are added by boefjes which will also give more +flexibility adding/changing/updating finding types in the future. + +The Python version used in the container images have been updated to 3.11. +Python 3.11 is a lot faster so this should also make OpenKAT faster. Django +version has also been updated to version 4.2. + +This release also provides packages for Debian 12 (bookworm). We recommend +everyone to upgrade their machines to Debian 12 because the included Python 3.11 +will give a big performance boost. Debian 11 packages will still be provided +until December 2023 as described in :ref:`Supported distributions`. + +New Features +============ + + * Two factor auth can be disabled. We recommend that this only be used for + development/test installations or when external authentication is in use. + * External authentication support using Django's standard middleware that uses + REMOTE_USER. See :ref:`External Authentication` how to configure this. + * The used signing provider is stored alongside rawfiles to make it possible to + switch providers and still check older rawfiles. + * The task list has better filters. + +Bug fixes +========= + + * Sleeping is only done when all queues are empty. This makes it possible to + increase the boefjes/normalizer poll interval without a decrease in + throughput. + * The Fierce boefje got some fixes. 
+ * A number of bugs in the scheduler have been fixed. + +Upgrading +========= + +Django 4.2 requires that the trusted origins for CSRF protection is set. This +can be done using the `DJANGO_CSRF_TRUSTED_ORIGINS` variable. It is a good idea +to also set `DJANGO_ALLOWED_HOSTS` to the used hostnames, detailed instructions +are written in the :ref:`Hardening` section. + +The normal instructions for upgrading :ref:`Debian packages` +or upgrading :ref:`containers ` should be followed. + +Full Changelog +============== + +The full changelog can be found on `Github `_. diff --git a/docs/source/release_notes/index.rst b/docs/source/release_notes/index.rst index abb8599651..d47bd2ec53 100644 --- a/docs/source/release_notes/index.rst +++ b/docs/source/release_notes/index.rst @@ -5,6 +5,7 @@ Release notes :maxdepth: 1 :caption: Releases + 1.10 1.9 1.8 1.7 diff --git a/docs/source/technical_design/debianinstall.rst b/docs/source/technical_design/debianinstall.rst index a7fe5d4937..ad977e1cc6 100644 --- a/docs/source/technical_design/debianinstall.rst +++ b/docs/source/technical_design/debianinstall.rst @@ -8,6 +8,16 @@ An installation of KAT can be done on a single machine or spread out on several machines for a high availability setup. This guide will take you through the steps for installing it on a single machine. +Supported distributions +======================= + +We provide Debian packages for Debian and Ubuntu. We support only Debian stable +and Ubuntu LTS releases and stop supporting the previous version 6 months after +the release. Currently this means we support Debian 11 (bullseye) and 12 +(bookworm) and Ubuntu 22.04. Debian 12 has been released on 10th of June so we +will stop providing packages for Debian 11 in December 2023. After Ubuntu 24.04 +is releases we will provide Ubuntu 22.02 packages until October 2024. + Prerequisites ============= 
diff --git a/docs/source/technical_design/externalauthentication.rst b/docs/source/technical_design/externalauthentication.rst new file mode 100644 index 0000000000..3280b40822 --- /dev/null +++ b/docs/source/technical_design/externalauthentication.rst @@ -0,0 +1,32 @@ +======================= +External authentication +======================= + +OpenKAT supports external authentication using Django's built-in `remote user +authentication `__. +Make sure that you read the warning in the Django documentation before you +configure this. + +Configuration of this can be done using two environments variables. The +`REMOTE_USER_HEADER` variable specifies the header that has the e-mail address +that is used as username in OpenKAT. Setting this variable will also enable the +remote user backend. The `REMOTE_USER_DEFAULT_ORGANIZATIONS` variable is +optional and is a comma separated list of "organisation:group" items and +configures which organisation every remote user get access to by default. The +value of `REMOTE_USER_DEFAULT_ORGANIZATIONS` will override any changes made and +if someone is removed from a group that is listed they will automatically be +added back the next time they use OpenKAT using remote user authentication. + +Example configuration: + +.. code-block:: sh + + REMOTE_USER_HEADER=HTTP_X_EMAIL + REMOTE_USER_DEFAULT_ORGANIZATIONS=org1:admin,org2:client + +This will use the value of `X-Email` HTTP header as the e-mail address for the +user account. Every user will be added to org1 with admin permissions and to org +with client permissions. + +An easy solution for configuring single-sign on using OAuth is `oauth2-proxy +`__. diff --git a/docs/source/technical_design/index.rst b/docs/source/technical_design/index.rst index d1ab3d27c8..695eb93041 100644 --- a/docs/source/technical_design/index.rst +++ b/docs/source/technical_design/index.rst 
@@ -16,3 +16,4 @@ Contains documentation for developers and contributors. nginx debuggingtroubleshooting latex + externalauthentication
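Review bot: In the Upgrading section of docs/source/release_notes/1.10.rst, "requires that the trusted origins for CSRF protection is set" should read "are set", and both the `:ref:` to the containers upgrade page and the `Github` link under Full Changelog have empty targets, so Sphinx will warn and the links will not resolve; fill in the ref label and the changelog URL. Minor wording: "Two factor auth" → "Two-factor auth", "moved from Rocky database" → "moved from the Rocky database", and "The Python version used in the container images have been updated" → "has been updated".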
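Review bot: In the Supported distributions paragraph of docs/source/technical_design/debianinstall.rst, "After Ubuntu 24.04 is releases we will provide Ubuntu 22.02 packages" has two errors: "is released", and "22.04" (there is no Ubuntu 22.02, and the same paragraph names 22.04 two sentences earlier). "Debian 12 has been released on 10th of June" should also state the year (2023), since this page will be read long after the release.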
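Review bot: The configuration section of docs/source/technical_design/externalauthentication.rst defers to "the warning in the Django documentation", but the example `REMOTE_USER_HEADER=HTTP_X_EMAIL` is exactly the case that warning is about: with a header-based remote user backend, any request whose `X-Email` header reaches Django unchanged authenticates as that e-mail address. The page should say outright that the reverse proxy in front of OpenKAT (oauth2-proxy in the example) must overwrite or strip `X-Email` on every request, and that OpenKAT must not be reachable except through that proxy. Wording fixes: "two environments variables" → "two environment variables", "every remote user get access" → "gets access", and the explanation ends with "to org with client permissions" where the example has `org2`. "will override any changes made" is unclear; say that the listed group memberships are re-applied on every login, which is what the next sentence already describes.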