release v3.18.99-rc1

Author: speed47

doc/CHANGELOG.md

@@ -1,3 +1,21 @@
+## v3.18.99-rc1 - 2025/01/03
+- feat: IPv6 support
+- chg: set ECDSA as default egress key algo for new installs
+- chg: ``groupInfo``: remove deprecated JSON fields
+- enh: 35% faster ``is_valid_ip()`` when fast=1
+- enh: ``accountInfo``: add osh-only information for accounts
+- enh: tests: add ``--skip-functional-tests`` and ``--skip-unit-tests``
+- fix: ``accountInfo``: don't attempt (and fail) to display info non-auditors don't have access to
+- fix: ``groupInfo``: don't attempt to (and fail) display the guest list when account doesn't have access to it
+- fix: deny subnets for ``nc``, ``mtr``, ``ping``, ``alive`` plugins
+- fix: is_in_any_net: support matching netblocks
+- chore: faster tests by removing grant/revoke command dance
+- chore: tests: no longer run consistency check by default
+- chore: update README
+- chore: use proper naming of 'subnet' instead of 'prefix' or 'slash'
+- chore: use ``TAP::Harness`` for unit tests
+- chore: factorize user@host:port display in ``machine_display()``
+
 ## v3.18.00 - 2024/12/10
 - feat: add assetForgetHostKey
 - fix: scp: downloads would sometimes stall (fix #486)

doc/release-notes/v3.18.99-rc1.md

@@ -0,0 +1,40 @@
+# :zap: Security
+
+- No security fixes since previous release
+- Oldest release with no known [security issue](https://github.com/ovh/the-bastion/security/advisories) is `v3.14.15` (2023-11-08)
+
+# :bulb: Highlights
+
+Will 2025 be the year of IPv6? Let's not try to answer this controversial question and just say that the main change of this pre-release is *drum roll* the official support of IPv6!
+Most of the code was already IPv6-aware, but in some places IPv4 was assumed so these all have been adjusted to work with both IP versions.
+Note that by default, IPv6 support is disabled, we've introduced the ``IPv6Allowed`` boolean option in ``bastion.conf`` that you must set to true to allow egress connections in IPv6. We've also taken this opportunity to add an ``IPv4Allowed`` option, which is enabled by default, you can set it to ``false`` should you want to have a strictly IPv6-only bastion!
+A lot of tests have been added to ensure everything works correctly with this change, but as this is still an important change, and only a few tests have been done in-the-field yet, this'll be a pre-release for a few weeks.
+
+We've also taken this opportunity to make a few other changes, such as:
+- speeding up the ``is_valid_ip`` check (35% speedup, noticeable for groups with thousands of ACLs)
+- set ``ECDSA`` as the default algorithm for generated egress keys instead of RSA, for new installs only ([defaultAccountEgressKeyAlgorithm](https://ovh.github.io/the-bastion/administration/configuration/bastion_conf.html#defaultaccountegresskeyalgorithm))
+
+Some work has also been done around the unit tests (using the more standard ``TAP::Harness``) and functional tests (speeding them up).
+
+A more complete list of changes can be found below, for an exhaustive (and boring) list, please refer to the [commit log](https://github.com/ovh/the-bastion/compare/v3.18.00...v3.18.99-rc1).
+
+# :pushpin: Changes
+- feat: IPv6 support
+- chg: set ECDSA as default egress key algo for new installs
+- chg: ``groupInfo``: remove deprecated JSON fields
+- enh: 35% faster ``is_valid_ip()`` when fast=1
+- enh: ``accountInfo``: add osh-only information for accounts
+- enh: tests: add ``--skip-functional-tests`` and ``--skip-unit-tests``
+- fix: ``accountInfo``: don't attempt (and fail) to display info non-auditors don't have access to
+- fix: ``groupInfo``: don't attempt to (and fail) display the guest list when account doesn't have access to it
+- fix: deny subnets for ``nc``, ``mtr``, ``ping``, ``alive`` plugins
+- fix: is_in_any_net: support matching subnets
+- chore: faster tests by removing grant/revoke command dance
+- chore: tests: no longer run consistency check by default
+- chore: use proper naming of 'subnet' instead of 'prefix' or 'slash'
+- chore: use ``TAP::Harness`` for unit tests
+
+# :fast_forward: Upgrading
+
+- [General upgrade instructions](https://ovh.github.io/the-bastion/installation/upgrading.html)
+- [Specific upgrade instructions for v3.18.99-rc1](https://ovh.github.io/the-bastion/installation/upgrading.html#v3-18-99-rc1-2025-01-03)

doc/sphinx/installation/upgrading.rst

@@ -27,6 +27,22 @@ See the ``--help`` for a more fine-grained upgrade path if needed.
 Version-specific upgrade instructions
 =====================================
 
+v3.18.99-rc1 - 2025/01/03
+*************************
+
+This release now supports IPv6, which is disabled by default unless you set ``IPv6Allowed`` to ``true``.
+
+Note that some OS versions have an ancient version of ``Net::Netmask`` that doesn't support IPv6, these will
+behave as if ``IPv6Allowed`` is always set to ``false``, even if you set it to ``true``. A message will be logged
+in the syslog if this happens on your system. Of the currently supported list of OS versions, the two following
+versions are affected: Ubuntu 18.04 and OpenSUSE Leap 15.6.
+
+Two deprecated JSON fields have been removed from the ``groupInfo`` plugin response, these were never documented
+and were duplicates of current fields, but with ancient names dating back to a version before the first public release.
+Those fields were named ``full_members`` (corresponding to the current ``members``) and
+``partial_members`` (corresponding to the current ``guests``).
+Ensure you don't happen to reference them in any system that consumes the :doc:`JSON API </using/api>`.
+
 v3.18.00 - 2024/12/10
 *********************
 

lib/perl/OVH/Bastion.pm

@@ -5,7 +5,7 @@ use common::sense;
 use Fcntl;
 use POSIX qw(strftime);
 
-our $VERSION = '3.18.00';
+our $VERSION = '3.18.99-rc1';
 
 BEGIN {
     # only used by the handler below