Release notes
Contextual Authorization Query (CAQ) features, bug fixes, and known issues by release.
Version 1.1.0
What's new
Java support
CAQ has been upgraded to support Java 17 and Java 21, removing support for Java 11.
Spring Boot upgrade
CAQ has been upgraded to Spring Boot 3.x, replacing the previously used version 2.2, which is now end-of-life. This update ensures continued support, security, and access to the latest features and improvements in the Spring Boot framework. Also note that endpoints with and without a trailing slash are now considered distinct. For example, /authorization/constraints/ is not equivalent to /authorization/constraints. This change may affect routing and should be taken into account when defining or calling endpoints.
Improvements
CAQ can run in a read-only filesystem
CAQ can now successfully run as a containerized service using a read-only filesystem, aligning with Kubernetes security best practices. This improvement allows CAQ to be deployed in cloud environments that require restricted filesystem access, enhancing compatibility and security compliance.
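An added Deployment fragment (not from the CAQ project) showing the container settings that enforce a read-only root filesystem; the image reference and the writable /tmp scratch volume for the JVM are assumptions:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: caq
spec:
  replicas: 1
  selector:
    matchLabels:
      app: caq
  template:
    metadata:
      labels:
        app: caq
    spec:
      containers:
        - name: caq
          image: REGISTRY/caq:1.1.0   # placeholder image reference
          securityContext:
            readOnlyRootFilesystem: true     # the setting this release makes possible
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: tmp
              mountPath: /tmp   # assumption: JVM scratch space kept on an emptyDir
      volumes:
        - name: tmp
          emptyDir: {}
```

If the pod fails to start after enabling readOnlyRootFilesystem, check its logs for write errors to find any remaining path that needs an emptyDir mount.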
Fixed issues
Security fixes
Several third-party libraries were updated to address the following security vulnerabilities: CVE-2024-38821, CVE-2024-38816 (CVSS 8.7), CVE-2024-38286, CVE-2024-34750, CVE-2024-22257, CVE-2024-24549, CVE-2024-23672, CVE-2024-22243, CVE-2024-22259, CVE-2024-38809, CVE-2024-22262, CVE-2024-38808, CVE-2024-47554.
Version 1.0.3
What's new
Vulnerability fixes
Internal libraries were updated to address vulnerabilities.
Fixed issues
Enhanced error handling for malformed requests
The CAQ service now returns a 'malformed request' error whenever a request attribute maps to a dictionary attribute with a non-null issuer, ensuring reliable request validation.
Version 1.0.2
What's new
Online documentation updates
Documentation updates regarding the following:
Vulnerabilities report instructions
The ADS documentation now includes instructions on how to download the vulnerabilities report from S3.
Snyk for vulnerabilities check
CAQ 1.0.2 supports vulnerability scanning based on Snyk, an industry-leading security intelligence management solution that helps protect code from open-source risks.
Fixed issues
Runtime changes in the attributes section of the domain are now taken into account
In the previous version of CAQ, changes made to the dictionary during runtime were not taken into account. This has been fixed in CAQ 1.0.2.
CAQ returns correct attribute id in response
The CAQ response was mapping an attribute identifier in the domain dictionary using the issuer value of the attribute designator. This issue is now fixed, and the CAQ response maps to the attribute identifier with a null issuer.
Optimized Response Time
When Basic authentication was enabled, CAQ response time was slow. This issue is now resolved.
Attribute cache works for multiple attribute connector mappings
If an attribute was provided by two mappings (regions) in an attribute connector, caching only took effect for one of the mappings. This issue is now fixed.
Improved attribute handling in requests
Fixed an issue where missing attributes in the dictionary were not being ignored during request processing, leading to inaccurate results.
Attribute Mapping Error Fix
Resolved an issue causing a 500 internal error and a null pointer exception in the logs when CAQ received a request with an attribute name that existed in the dictionary but couldn't be mapped to an XACML attribute in the policy.
Version 1.0.1
Fixed issues
CAQ domain validation no longer rejects as duplicates attributes with no issuer or empty issuer
CAQ 1.0.0 used to reject domains whose attribute dictionary contained both an attribute with no issuer and the same attribute with an issuer set to an empty string. This has been fixed in CAQ 1.0.1.
Known issues
Runtime changes in the attributes' section of the domain will not be taken into account
While the CAQ service is running, changes in the dictionary are not taken into account. So, if a missing attribute is added to the dictionary, the change is logged but does not affect the request and response: the added attribute is still ignored in the request and still generated in the response.
Version 1.0.0
What's new
Cloud-native Web Service
CAQ is a web-based standalone cloud-native application that provides reverse query evaluation functionality.
Contextual authorization REST API
Contextual authorization REST API allows users to POST reverse queries in JSON format for evaluation.
The response provides information on what constraints need to be satisfied to get an expected PDP decision (as defined in the request).
CAQ supports two endpoints for reverse query evaluation, which determine the type of response sent back by the service's API. Depending on the endpoint used in the request, the API's response is one of the following:
Programmatic response
A response that uses the AST (Abstract Syntax Tree) representation to display the response in a simplified way.
Human-readable response
A response type that can be easily understood by a user who is not familiar with logical and mathematical terms.
Sensitive data provided through environment variables
CAQ now allows for sensitive data in attribute connector configurations, such as user names and passwords, to be provided through environment variables.
Java support
CAQ supports Java SE 11.
Basic authentication
By default, CAQ uses basic authentication by defining a username and a password in the authentication section of the deployment configuration file.
Swagger UI
The service includes a Swagger UI that provides neatly categorized documentation and a simple way to interact with the Reverse Query API’s resources and endpoints.
Authorization domain support
Contextual Authorization Query only supports authorization domain configuration file format version 2, based on a YAML representation.
Authorization domain configuration file retrieval
The authorization domain property in the deployment file supports the following ways of retrieving the authorization domain:
Relative or absolute file path on file system
HTTP(s) endpoint
Standalone ADM
Update of the authorization domain during runtime
The CAQ service allows users to configure automatic updates of the domain configuration at runtime by polling its source at regular intervals. This allows policies or attribute connectors to be updated without stopping and redeploying the service each time the domain configuration changes.
Conditional requests when polling a domain name using HTTP(S)
When CAQ retrieves a domain by name from ADM using an HTTP(S) endpoint, it sends conditional requests to indicate to the authorization domain server which authorization domain(s) it is already in possession of.
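As an added illustration of the runtime polling and conditional-request behaviour described above (not CAQ's own code), the exchange simulated end to end with both sides in Python; it assumes the domain server exposes a standard ETag validator and honours If-None-Match, which the notes do not specify:

```python
# Added example, not CAQ's own code: simulates runtime domain polling with
# HTTP conditional requests. Assumption: the domain server exposes an ETag
# and honours If-None-Match (the release notes do not name the validator).
import hashlib


class DomainServer:
    """Constructed stand-in for an ADM-style HTTP(S) endpoint serving one domain."""
    def __init__(self, domain_yaml):
        self.domain_yaml = domain_yaml

    def etag(self):
        return '"%s"' % hashlib.sha256(self.domain_yaml.encode()).hexdigest()[:16]

    def handle_get(self, headers):
        """Return (status, headers, body); 304 if the client already holds this version."""
        current = self.etag()
        # If-None-Match may carry several tags: the client may hold several versions.
        held = [t.strip() for t in headers.get("If-None-Match", "").split(",") if t.strip()]
        if current in held:
            return 304, {"ETag": current}, None
        return 200, {"ETag": current}, self.domain_yaml


class DomainPoller:
    """Client side: remembers the last domain and its ETag, sends conditional GETs."""
    def __init__(self, server):
        self.server, self.domain, self.etag, self.reloads = server, None, None, 0

    def poll(self):
        """One polling tick; returns True only when a new domain version was loaded."""
        headers = {"If-None-Match": self.etag} if self.etag else {}
        status, resp_headers, body = self.server.handle_get(headers)
        if status == 304:
            return False  # unchanged: no re-parse of policies or connectors
        if status == 200:
            self.domain, self.etag = body, resp_headers["ETag"]
            self.reloads += 1
            return True
        raise RuntimeError("unexpected status %d" % status)


def demo():
    server = DomainServer("version: 2\npolicies: [p1]\n")  # constructed sample domain
    poller = DomainPoller(server)
    first = poller.poll()      # True: initial load
    unchanged = poller.poll()  # False: 304 Not Modified, nothing reloaded
    server.domain_yaml = "version: 2\npolicies: [p1, p2]\n"  # operator publishes a new version
    updated = poller.poll()    # True: new version picked up without a restart
    return first, unchanged, updated, poller.reloads
```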
Support for version 2 yaml based format authorization domains
CAQ supports using version 2 YAML-based format authorization domains, such as those produced by ASM 7.x, which might not include a fully populated dictionary.
CAQ service and ASM 6.2.x integration
Integration with ASM 6.2.x is supported with the use of the Authorization Domain Converter (DOMCONV) tool to convert authorization domains version 1 to version 2.
Known issues
Memory-intensive operations
Requests sent to CAQ are by default memory-intensive operations. So, when using very large policies or when there are too many undefined attributes (not provided or mocked) in a request, this may result in memory-related errors such as java.lang.StackOverflowError. To avoid such memory-related issues, users should define more attributes in the request or substantially increase the memory available to the service.