Lemur

Latest version: v1.8.2

1.4.0
~~~~~~~~~~~~~~~~~~~~

Not secure

Added support for Python 3.10, Postgres 15, and Ubuntu 22.04.
Removed support for Postgres 10 and Ubuntu 18.04.

Python 3.11 is known not to work with the current version of Flask.

All combinations tested via GitHub Actions are listed below:

.. list-table:: Version Support Matrix
   :header-rows: 1

   * - Python
     - Postgres
     - Ubuntu
   * - 3.8
     - 12
     - 20.04
   * - 3.8
     - 15
     - 20.04
   * - 3.9
     - 12
     - 20.04
   * - 3.9
     - 15
     - 20.04
   * - 3.10
     - 12
     - 22.04
   * - 3.10
     - 15
     - 22.04

Added additional validation and logging for destinations.
Destination labels are now limited to 32 characters, and S3
prefixes can no longer begin with /.
S3 destination path prefixes now default to "" instead of "None/".

Enforce case consistency in authority signing algorithms. Specifically, this renames SHA384withECDSA -> sha384WithECDSA
and SHA512withECDSA -> sha512WithECDSA. Notably, the backend schema will still accept the uppercase equivalents to
maintain backwards compatibility.

1.3.2
~~~~~~~~~~~~~~~~~~~~

Not secure

This release contains a fix for a security vulnerability.

1.3.1
~~~~~~~~~~~~~~~~~~~~

Not secure

This release contains no changes.

1.3.0
~~~~~~~~~~~~~~~~~~~~

This release contains many dependency updates, and numerous added or improved features over the last year.

Some of the notable changes in this release are:

- Removal of AWS S3 destinations and the respective resources via the UI
- No fine-grained authz for role global_cert_issuer
- De-activate endpoint (Entrust Plugin)
- Remove unsafe paginate method and replace with sort_and_page
- Move to GitHub workflows for tests
- Detect duplicate certs
- Metrics for certificate expiry
- Sync source: handling idle/invalidated connection
- Sync endpoint: capture error and continue
- Domain-level fine-grained authz
- Handle and report authz warmup exception
- Ensure secondary certificates are not removed when rotating AWS endpoints
- Improved metric around expired endpoints
- Change pkg_resources call in plugin loading to use resolve rather than load
- Log when an expiring deployed certificate is detected
- NS1 DNS ACME Plugin
- Add a new endpoint that allows updating a certificate owner
- Support rotating endpoints with non-unique names via CLI
- Restrict multiple accounts on a certificate, by plugin
- Moving to dependabot's auto versioning strategy

Special thanks to all who contributed to this release, notably:

- `Neil Schelly <https://github.com/neilschelly>`_
- `Mitch Cail <https://github.com/mitchcail>`_
- `Bob Shannon <https://github.com/bobmshannon>`_
- `alwaysjolley <https://github.com/alwaysjolley>`_

1.2.0
~~~~~~~~~~~~~~~~~~~~

Not secure

This release fixes a vulnerability where creating an authority automatically granted the selected owner role to the
authority creator, which allowed users to grant themselves to arbitrary roles. The owner role is no longer auto-assigned
when creating an authority.

Additionally, all authorities now receive a unique role upon creation. Previously, authorities using the same issuer
plugin would always share a role (for example, Entrust authorities always used the role "entrust"). Now, authorities
are associated with a unique role named in the format `issuerPlugin_authority_name_admin`. The creator will not be
automatically added to this role.

Other notable changes:

- The Endpoints UI page now displays endpoint source and allows filtering by source

1.1.0
~~~~~~~~~~~~~~~~~~~~

Not secure

Introducing two new plugin base classes, AuthorizationPlugin(Plugin) and DomainAuthorizationPlugin(AuthorizationPlugin).
One can implement a DomainAuthorizationPlugin to check whether the caller is authorized to issue a certificate
for a given Common Name and Subject Alternative Names (SANs) of type DNSName (PR `3889 <https://github.com/Netflix/lemur/pull/3889>`_).

Related to the above change (PR `3889 <https://github.com/Netflix/lemur/pull/3889>`_), a new column `application_name`
is added to the `api_keys` table. Null values are allowed, which keeps this change backward compatible.
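As an added example that is not Lemur's own code, the sketch below shows the shape of such a plugin: constructed stand-ins for the two base classes (the `is_authorized(domain, caller)` method name and the `Caller` class are assumptions, not Lemur's actual interface), one concrete implementation that matches names against zones the caller owns, and a fail-closed check that runs over the Common Name and every DNSName SAN in the request.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Caller:
    """Whoever asked for the certificate (constructed stand-in for Lemur's caller object)."""
    name: str
    zones: frozenset  # DNS zones this caller is allowed to issue for

class AuthorizationPlugin:
    type = "authorization"

    def is_authorized(self, resource, caller) -> bool:
        raise NotImplementedError

class DomainAuthorizationPlugin(AuthorizationPlugin):
    type = "domain-authorization"

    def is_authorized(self, domain: str, caller: Caller) -> bool:
        raise NotImplementedError

class ZoneOwnershipPlugin(DomainAuthorizationPlugin):
    """Permit a DNS name only if the caller owns it or one of its parent zones."""

    def is_authorized(self, domain: str, caller: Caller) -> bool:
        name = domain.lower().rstrip(".")
        if name.startswith("*."):
            # A wildcard covers every label below it, so treat it as a request for the zone itself.
            name = name[2:]
        labels = name.split(".")
        # Walk up by whole labels (never by substring): app.team.example.com -> team.example.com -> example.com.
        # The bare TLD is excluded so that owning "com" is never considered.
        for i in range(len(labels) - 1):
            if ".".join(labels[i:]) in caller.zones:
                return True
        return False

def authorize_request(plugin, common_name, sans, caller):
    """Fail closed: the CN and every DNSName SAN must pass; other SAN types are out of scope here."""
    dns_names = [common_name] + [value for san_type, value in sans if san_type == "DNSName"]
    denied = [n for n in dns_names if not plugin.is_authorized(n, caller)]
    return not denied, denied

# Constructed sample data: a team that owns example.com requesting a cert with one foreign SAN.
TEAM = Caller(name="team-a", zones=frozenset({"example.com"}))
SAMPLE_SANS = [("DNSName", "api.example.com"), ("IPAddress", "10.0.0.1"), ("DNSName", "evil.example.org")]
```

Note that `notexample.com` is rejected even though it ends in `example.com`, because matching walks label by label rather than by string suffix.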

Other notable changes:

- The task name `identity_expiring_deployed_certificates` is corrected to `identify_expiring_deployed_certificates`. The
  old, misspelled task name is marked as deprecated and will be removed in a future release; that removal is flagged as a
  breaking change. (Thanks to `Bob Shannon <https://github.com/bobmshannon>`_)
- The ID filter on the certificates UI requires a numeric value.
