1.11.0

Release date

5 July 2021

Features

• Allow a banner to be configured and displayed post-login.
• Support user preferences.
• Support system preferences.
• Support PACTFLOW_DATABASE_PORT environment variable.
• Allow API token expiry to be configured.
• Show warning in UI when API token is due to expire.
• Support database field level encryption of API tokens.
• Support ignoring specified applications when using can-i-deploy.
• Allow secrets and webhooks to be assigned to, and managed by, a specific team.
• Improve pending pacts and WIP pacts logic.
• Add pactbroker.azureDevOpsVerificationStatus webhook parameter.
• Validate that well formed JSON or YAML is used when publishing Base64 encoded provider contracts.
• Disallow the deletion of predefined roles.
• Add endpoint to reset role/permissions assignments for predefined roles.
• Deprecate system:preference:read permission. All logged in users may now read the system preferences.
• Allow team administrators to be assigned to teams. Team administrators can add and remove users and applications from teams.
• Add system_account:manage:team permission to allow team users to view/regenerate the API tokens for system account users that are assigned to their team.
• Update default permissions assigned to predefined roles to use team scoped permissions where ever applicable.
• Renamed "Test Maintainer" role to "User" for new installations.

Fixes

• Ensure the SAML provider base URL is derived correctly when the login endpoint is specified in the metadata, not an environment variable
• Correctly record which SAML provider was used to log in when multiple SAML providers are configured
• Ensure api token values are not show in debug logging

Migration notes

• If not already set, the PACTFLOW_BASE_URL should be set to mitigate cache poisoning vulnerabilities.

• The PACTFLOW_MASTER_SECRETS_ENCRYPTION_KEY environment variable has been renamed to PACTFLOW_MASTER_ENCRYPTION_KEY. The old name will continue to work, but please update your configuration to avoid warnings. Do not change the value of this key.

• Steps to enable API token database field level encryption:

  • Please read the relevant documentation for each of the following environment variables, and update your configuration with the appropriate values.

    • PACTFLOW_MASTER_ENCRYPTION_KEY - renamed from PACTFLOW_MASTER_SECRETS_ENCRYPTION_KEY. Do not change the value of this key.
    • PACTFLOW_API_TOKEN_ENCRYPTION_ENABLED - must be set to "true"
    • PACTFLOW_API_TOKEN_IV - a random value must be assigned as per the documentation.

  • Restart the PactFlow application. The API tokens will be encrypted during start up once the PACTFLOW_API_TOKEN_ENCRYPTION_ENABLED environment variable has been set to true.

  • Verify that the API tokens have been encrypted by running the SQL:

    SELECT COUNT(*) FROM saas_api_tokens;
    SELECT COUNT(*) FROM saas_api_tokens WHERE encrypted_value IS NOT NULL;

    Both counts should be the same.

  • Verify that users still have access to the API using their existing tokens executing the following curl command, or making the same request with Postman or equivalent:

    curl -v https://{YOUR_PACTFLOW_DOMAIN} \
      -H "Authorization: Bearer {EXISTING_TOKEN_VALUE}"

    The response should be a 200 OK with a JSON body.

  • Once it has been confirmed that the now-encrypted API tokens are working correctly, please clear the unencrypted values from the database using the following SQL:

    UPDATE saas_api_tokens SET value = NULL;

  • Once API token encryption has been enabled and the unencrypted values removed, encryption cannot be disabled again.