UPDATE: A regression has been detected for this release. The bug affects users using client credentials - logs will not appear for commands such as cf push or cf logs.
Package Manager Installation
Installers
- Debian 64 bit / 32 bit (deb)
- Redhat 64 bit / 32 bit (rpm)
- Mac OS X 64 bit (pkg)
- Windows 64 bit / 32 bit (zip)
Binaries
Change Log
Client credentials update to address security concerns
Changes to the client credential workflow
In CF CLI v6.35.0, we added support for client-credentials. During the implementation of the feature, the client secret was written to the config.json file to allow for token refresh in a pipeline workflow. In this release, we have reimplemented this feature so that the client secret is not written to config.json.
What users should expect from this change: if you are using cf auth --client-credentials and you upgrade to the CLI v6.44.0, you will be logged out of your session after 12 hours and be prompted to log back in.
We've decided to change this implementation because:
- Writing secrets to disk is a security vulnerability we do not want to persist
- The default refresh token expiration is 12 hours. We believe a 12 hour refresh token should be sufficient for most pipeline-related activity and if users require a longer lived token, they can generate one using the uaac - see documentation here
Note: cf oauth-token does not work with client credentials. Please reach out if there's a use case for this workflow.
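A pipeline owner can check whether a runner still holds a secret persisted by an older CLI. The following is an added example, not part of the release notes or the CF CLI code base: it audits a CLI config file for non-empty secret-bearing keys and loose file permissions. The key names in the samples and the "secret" name match are assumptions; the release notes do not name the config.json key.

```python
import json
import os
import stat
import tempfile
# Assumption: any key whose name contains "secret" is treated as secret-bearing.
SECRET_HINT = "secret"

def find_stored_secrets(node, path="$"):
    """Return JSON paths of secret-looking keys that hold a non-empty string."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if SECRET_HINT in key.lower() and isinstance(value, str) and value:
                hits.append(child)  # report the location, never the value
            else:
                hits.extend(find_stored_secrets(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_stored_secrets(item, f"{path}[{i}]"))
    return hits

def audit_cf_config(config_path):
    """Return a list of findings for one CLI config file."""
    findings = []
    mode = stat.S_IMODE(os.stat(config_path).st_mode)
    if mode & 0o077:
        findings.append(f"file mode {mode:04o} lets group/other access the file")
    with open(config_path, encoding="utf-8") as fh:
        config = json.load(fh)
    findings += [f"secret persisted at {p}" for p in find_stored_secrets(config)]
    return findings

def write_sample(config, mode):
    """Write a constructed config to a temp file with the given mode."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(config, fh)
    os.chmod(path, mode)
    return path

# Constructed samples; key names are illustrative assumptions.
BEFORE = {"UAAOAuthClient": "ci-client", "UAAOAuthClientSecret": "constructed-value"}
AFTER = {"UAAOAuthClient": "ci-client", "UAAOAuthClientSecret": ""}

if __name__ == "__main__":
    for label, cfg, mode in (("before", BEFORE, 0o644), ("after", AFTER, 0o600)):
        path = write_sample(cfg, mode)
        print(label, audit_cf_config(path))
        os.remove(path)
```

A finding on a runner that has already been upgraded means the file was written by an earlier CLI version; rotate that client secret and remove the stale file rather than only upgrading.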
Deprecation Notice for CF CLI Commands
The following commands were deprecated because the V1 Broker API was deprecated as of January 2015. The CF CLI currently supports CC API 3.35.0 / Service Broker API Version 2.13.
- create-service-auth-token
- delete-service-auth-token
- update-service-auth-token
- service-auth-tokens
- migrate-service-instances
- cf files
Using client credential for setting org and space roles
This release supports setting roles for a client. Updates include:
- a new optional --client flag for cf set-org-role
- a new optional --client flag for cf set-space-role
- cf org-users now displays the client name
- cf space-users now displays the client name
Note:
- More information about the client credentials feature: API docs, UAA docs here and here
- If you are on an older version of cf-deployment (7.9.0 or lower) the CLI does not check to see if the client exists when we set orgs and spaces. Starting with cf-deployment 7.9.0, we added specific scopes to cf deployment to allow us to validate that a provided client exists when attempting to set an org or space role for a client.
Minimum Version Warning
Our minimum version policy changed in January 2019 to support CC API 2.100/3.35. In this release, we will start outputting a warning when users are on an unsupported version of the CC API. cf api, cf auth and all rewritten code will display this warning.
Built with Golang 1.12.1
Updated to Golang 1.12.1. See the Golang release summaries for details on the bug fixes.
New Translations
New translations are included in this release - thanks to IBM who contributed updated translations of CLI output and help text. As usual, the update came in mid-release and a number of message strings may have changed since, but will be included in the next release.
Enhancements
- A new flag --no-plans added to cf marketplace to view the table without the plans column
Minor Enhancements
- cf help now displays a more prominent TIP so that users can discover cf help -a
- Roles for the set-org-role and set-space-role commands are case insensitive
- Piping a multi-line file to cf login now works as expected
- Updated the help text for cf delete-orphaned-routes to clarify that the command is space-scoped
Bug Fixes
- Fixes a bug for cf update-buildpack for assigning stacks
- Fixes an issue with cf-bind-route-service whereby if a user does not have an org or space targeted, instead of returning a useful error, the CLI would attempt to GET the private_domains endpoint
- v3-apply-manifest now works for defining environment variables in a multi-app manifest
- Now the CLI checks the expiration time of an access token and refreshes it automatically before making a call to the CF API
Plugin Additions/Updates
- Updated html5-plugin to 1.2.0
- Updated CF Dev to 0.0.15
- Updated cf-puppeteer to 0.0.13
- Updated Create-Service-Push to 1.3.1
- Updated conduit to 0.0.7
- Adds push-with-vault
- Adds set-weights
- Adds multi-apps plugin
Contributors:
Thomas Viehman, Will Murphy, Brendan Smith, Abby Chau, Andrew Crump, Alexander Berezovsky, SAPI team (Aarti Kriplani, Alex Blease, George Blue, Georgi Lozev, Henry Stanley, Nikolay Maslarski, Will Martin) for all the services-related work, Simon Seif (thanks for the pull request!), V3 Acceleration Team, IBM (for Translations work)
Thank you to all our Community contributors, we appreciate the pull requests!
Note: The minimum version of the CC API this CF CLI release is compatible with is CC API v2.100.0 (3.35). See our minimum supported version policy for more information.