From 46251a1cfbd1030bb978555560a3d08118f6279b Mon Sep 17 00:00:00 2001 From: Tomaz Muraus Date: Sat, 24 Apr 2021 11:20:44 +0200 Subject: [PATCH 1/3] Add upgrade notes entry for auth cookie changes. --- docs/source/upgrade_notes.rst | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/docs/source/upgrade_notes.rst b/docs/source/upgrade_notes.rst index 573e2537..5260322b 100644 --- a/docs/source/upgrade_notes.rst +++ b/docs/source/upgrade_notes.rst @@ -3,10 +3,26 @@ Upgrade Notes ============= +.. _ref-upgrade-notes-v3-5: + +|st2| v3.5 +---------- + +* API will now set ``secure`` and ``samesite=lax`` cookie attributes for then auth cookie which + is set when authenticating via auth token / API key in query parameter (this approach is + primarily used by st2web). + + If for some reason you want to change those default values, you can do that using + ``api.auth_cookie_secure`` and ``api.auth_cookie_same_site`` config options. + + To revert to the old behavior, you can set ``api.auth_cookie_secure = False`` and + ``api.auth_cookie_same_site = None``, but this is not recommended unless you have a valid + reason to not host StackStorm behind an HTTPs proxy such as nginx. + .. _ref-upgrade-notes-v3-4: |st2| v3.4 -------------- +---------- * Python 2 support was removed. Any packs that only support python 2 will need to be migrated to python 3. From d34422077b29c88b86103563223a4df0d63ddcff Mon Sep 17 00:00:00 2001 From: Tomaz Muraus Date: Sat, 24 Apr 2021 22:30:52 +0200 Subject: [PATCH 2/3] Fix typo, reword, add links with more info. --- docs/source/upgrade_notes.rst | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/docs/source/upgrade_notes.rst b/docs/source/upgrade_notes.rst index 5260322b..c0e03669 100644 --- a/docs/source/upgrade_notes.rst +++ b/docs/source/upgrade_notes.rst 
@@ -8,17 +8,21 @@ Upgrade Notes |st2| v3.5 ---------- -* API will now set ``secure`` and ``samesite=lax`` cookie attributes for then auth cookie which +* API will now set ``Secure`` and ``Samesite=lax`` cookie attribute for the auth cookie which is set when authenticating via auth token / API key in query parameter (this approach is primarily used by st2web). - If for some reason you want to change those default values, you can do that using + If you need to change those default values, you can do that using ``api.auth_cookie_secure`` and ``api.auth_cookie_same_site`` config options. To revert to the old behavior, you can set ``api.auth_cookie_secure = False`` and ``api.auth_cookie_same_site = None``, but this is not recommended unless you have a valid reason to not host StackStorm behind an HTTPs proxy such as nginx. + You can read more about those attribute on the following links: + https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite, + https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies. + .. _ref-upgrade-notes-v3-4: |st2| v3.4 From 18756e3cb62d3cc4c33f2034e409ffcbb4ae9be4 Mon Sep 17 00:00:00 2001 From: Jacob Floyd Date: Mon, 28 Mar 2022 10:35:13 -0500 Subject: [PATCH 3/3] Move upgrade entry to v3.7.0 --- docs/source/upgrade_notes.rst | 32 +++++++++++++++++--------------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/docs/source/upgrade_notes.rst b/docs/source/upgrade_notes.rst index 942376d9..cdb0c80a 100644 --- a/docs/source/upgrade_notes.rst +++ b/docs/source/upgrade_notes.rst 
@@ -8,6 +8,21 @@ Upgrade Notes |st2| v3.7 ---------- +* API will now set ``Secure`` and ``Samesite=lax`` cookie attribute for the auth cookie which + is set when authenticating via auth token / API key in query parameter (this approach is + primarily used by st2web). + + If you need to change those default values, you can do that using + ``api.auth_cookie_secure`` and ``api.auth_cookie_same_site`` config options. + + To revert to the old behavior, you can set ``api.auth_cookie_secure = False`` and + ``api.auth_cookie_same_site = None``, but this is not recommended unless you have a valid + reason to not host StackStorm behind an HTTPs proxy such as nginx. + + You can read more about those attribute on the following links: + https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite, + https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies. + * As part of introducing the override pack metadata functionality, the name ``_global`` is reserved, and cannot be used for pack names or pack references, to avoid conflict between the global override file and individual pack override files. 
@@ -48,21 +63,6 @@ Upgrade Notes |st2| v3.5 ---------- -* API will now set ``Secure`` and ``Samesite=lax`` cookie attribute for the auth cookie which - is set when authenticating via auth token / API key in query parameter (this approach is - primarily used by st2web). - - If you need to change those default values, you can do that using - ``api.auth_cookie_secure`` and ``api.auth_cookie_same_site`` config options. - - To revert to the old behavior, you can set ``api.auth_cookie_secure = False`` and - ``api.auth_cookie_same_site = None``, but this is not recommended unless you have a valid - reason to not host StackStorm behind an HTTPs proxy such as nginx. - - You can read more about those attribute on the following links: - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite, - https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies. - * Node was upgraded from v10 to v14. Node 14 repository will be required to be setup, prior to upgrade of st2chatops. @@ -73,9 +73,11 @@ Upgrade Notes Upgrade requires coordination service to be setup manually. For workflows to be executed properly, setup the coordination service accordingly. + * Validation of action definitions are stricter. If an action definition has duplicate keys, |st2| will complain when ``st2ctl reload`` is performed at upgrade. Action/workflow definitions should be checked for duplicate keys before upgrade. + * ``%`` interpolation in st2 configuration parameters is no longer supported. Update your configuration parameters to fix strings if you use ``%`` interpolation to lookup keys as part of your parameter.
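Review bot: In PATCH 1/3 (hunk ``@@ -3,10 +3,26 @@``), the first line of the new v3.5 bullet has a typo: ``for then auth cookie which`` should read ``for the auth cookie which``. The attribute names should also use their canonical spelling, ``Secure`` and ``SameSite=Lax`` (the rewording in the later patches to ``Samesite=lax`` is still not the canonical form), and ``HTTPs proxy`` should be ``HTTPS proxy``. Beyond the wording, the note would be more useful if it stated the concrete consequence of the new default: browsers do not send a cookie carrying ``Secure`` over plain HTTP, so a deployment whose st2web is reached over ``http://`` will stop receiving the auth cookie after the upgrade, which is the case where an operator would need ``api.auth_cookie_secure = False``. The drive-by fix of the ``|st2| v3.4`` underline length is fine but is not covered by the subject line; mention it in the commit message.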
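Review bot: In PATCH 2/3 (hunk ``@@ -8,17 +8,21 @@``), the rewording introduces a number mismatch: ``Secure`` and ``Samesite=lax`` are two attributes, so ``cookie attribute for the auth cookie`` should keep the plural ``cookie attributes``, and the new paragraph ``You can read more about those attribute on the following links`` should read ``about these attributes at the following links``. More importantly, the revert instructions say ``api.auth_cookie_same_site = None`` restores the old behaviour, but ``SameSite=None`` is itself a valid cookie value with different semantics from an absent attribute (and one that Chrome rejects unless ``Secure`` is also set). The note should say explicitly whether ``None`` here means the ``SameSite`` attribute is omitted or set to the literal value ``None``, so a reader reverting the setting does not end up with a cookie the browser drops.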
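Review bot: In PATCH 3/3 (hunk ``@@ -8,6 +8,21 @@``), the entry moved into the ``|st2| v3.7`` section is copied verbatim and so still carries the wording problems from the earlier patches (``cookie attribute`` singular for two attributes, ``those attribute``, ``HTTPs``); since every line of the bullet is being rewritten as an addition here anyway, fix them in this hunk rather than carrying them into the new section. The subject line also says ``v3.7.0`` while the heading is ``|st2| v3.7``; either form is fine, but use one.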
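Review bot: In PATCH 3/3 (hunk ``@@ -48,21 +63,6 @@``), the removal from the ``|st2| v3.5`` section takes out the whole bullet including the links paragraph and its trailing blank line, so the spacing before ``* Node was upgraded from v10 to v14`` is preserved and nothing of the old entry is left behind; no change needed there.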
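Review bot: In PATCH 3/3 (hunk ``@@ -73,9 +73,11 @@``), the only changes are blank lines inserted before ``* Validation of action definitions are stricter.`` and before ``* ``%`` interpolation in st2 configuration parameters``; these are unrelated whitespace edits in a commit whose subject is moving the auth cookie entry. Either split them into their own commit or mention them in the commit message. While touching that bullet, ``Validation of action definitions are stricter`` should read ``is stricter``.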