-
Notifications
You must be signed in to change notification settings - Fork 0
/
README_UPDATE_EN
382 lines (358 loc) · 15.3 KB
/
README_UPDATE_EN
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
<h1>Changelog</h1>
<h2>v1.10.2 (2024-10-07)</h2>
<ul>
<li>Fixed: When restarting the OPA service, a crash was possible when the API is under high load (Bug #57000).</li>
</ul>
<h2>v1.10.1 (2024-07-25)</h2>
<ul>
<li>Fixed a bug that would lead to misleading log messages when changing the password hashes of a user (Bug #56590).</li>
<li>Swagger UI dependencies are now served statically instead of using CDNs (Bug #56314).</li>
</ul>
<h2>v1.10.0 (2024-03-05)</h2>
<ul>
<li>Changed: The API base url, for example the portal link, now redirects to the OpenAPI docs page (Bug #55556).</li>
<li>Fix: The HEAD endpoint for schools could return an outdated result due to a caching issue (Issue #108).</li>
<li>Fix: The GET endpoint for schools does now return "None" for non-existing file servers instead of raising an error (Issue #137).</li>
</ul>
<h2>v1.9.0 (2023-10-17)</h2>
<ul>
<li>The hostname for objects in the Kelvin API is no longer case sensitive (Bug #54305).</li>
<li>The UCS@school Kelvin REST API UCS@school app can now only be installed if the UCS@school app is locally installed. (Bug #54333).</li>
<li>Fixed a cache issue where a correct object URL could still lead to a 404 response (Bug #56699).</li>
<li>Disable OPA telemetry (Bug #56193).</li>
</ul>
<h2>v1.8.10 (2023-08-24)</h2>
<ul>
<li>Re-enable username validation checks for creation and modification of users (Issue #98).</li>
<li>Remove all old school groups from user when removed from a school (Bug #56121).</li>
<li>Automatically add all school groups to user when added to a school (Bug #56121).</li>
<li>The UCR-V <code>ucsschool/validation/username/windows-check</code> is used during username validation (Bug #56152)</li>
</ul>
<h2>v1.8.9 (2023-05-19)</h2>
<ul>
<li>Fix group membership when removing admins from schools (Bug #55986).</li>
<li>Update upstream dependencies to fix security vulnerability (Bug #56097).</li>
</ul>
<h2>v1.8.8 (2023-05-04)</h2>
<ul>
<li>Validate usernames to avoid Windows reserved names (Bug #53519).</li>
<li>Return HTTP 404 for non existing roles, instead of 422 (Issue #83).</li>
</ul>
<h2>v1.8.7 (2023-03-30)</h2>
<ul>
<li>Prevent logging of sensitive information, such as passwords, in the OPA log (Issue #71).</li>
</ul>
<h2>v1.8.6 (2023-03-07)</h2>
<ul>
<li>Fix error in <code>udm_properties</code> check for school classes (Issue #72).</li>
<li>The script <code>update_openapi_client</code> no longer fails due to multiple <code>jar</code>-files.</li>
<li>UCS@school lib hooks were not called when the UCS@school Kelvin REST API was called. This has been fixed (Issue #61).</li>
</ul>
<h2>v1.8.5 (2023-02-22)</h2>
<ul>
<li>Fix <code>h11._util.LocalProtocolError: Can't send data when our state is ERROR</code> traceback (Bug #55730).</li>
<li>General performance improvements, with focus on object existence, searches and user creation (Issue #56).</li>
<li>Upgrade to Python 3.11 (Issue #56).</li>
</ul>
<h2>v1.8.4 (2023-02-16)</h2>
<ul>
<li>A critical security vulnerability was fixed (CVSS 9.1): The vulnerability allows to access the API as any valid user without knowing their passwords. This leads to full access for attackers to UCS@school data provided by the Kelvin API.</li>
</ul>
<h2>v1.8.3 (2023-01-16)</h2>
<ul>
<li>Unhandled exceptions are logged (Bug #55114).</li>
<li>Internal: The <code>udm-rest-client</code> version was updated.</li>
</ul>
<h2>v1.8.2 (2022-12-20)</h2>
<ul>
<li>Speed up validation when creating or changing users (Bug #55384).</li>
<li>Use the LDAP client library <code>uldap3</code> instead of a custom implementation
to improved performance during direct LDAP calls (Issue #50).</li>
</ul>
<h2>v1.8.1 (2022-12-07)</h2>
<ul>
<li>Compare OU names case insensitive (Bug #55472).</li>
<li>Calculate group names using OU names from LDAP (Bug #55456).</li>
<li>Bugfix: Setting UCS@school roles with context type school in PATCH led to inconsistent UCS@school Users (Issue #47).</li>
</ul>
<h2>v1.8.0 (2022-11-09)</h2>
<ul>
<li>
Add support for arbitrary context types in UCS@school roles for users (Bug #55355).
</li>
<li>
Add configuration option <code>evaluate_password_policies</code> (default <code>false</code>) to enable the evaluation of password policies when creating UCS@school users, see <a href="https://docs.software-univention.de/ucsschool-import/5.0/de/configuration/format.html#konfiguration-des-benutzerimports">configuration options in UCS@school import manual</a> (Bug #55408).
</li>
<li>
Internal: Added option to check password policies when creating or modifying UCS@school users (Bug #55393).
</li>
<li>
Added the possibility to send an Accept-Language header with each request.
</li>
<li>
Added the possibility to set additional <code>ucsschool_roles</code> strings via PATCH, PUT and POST for user objects. All role strings with context type <code>school</code> are ignored (Issue #39).
</li>
<li>
All forwarded UDM errors are now structured the same way as FastAPI validation errors (Issue #30).
</li>
<li>
Fixed handling of role strings attribute if schools attribute is empty.
</li>
</ul>
<h2>v1.7.0 (2022-07-18)</h2>
<ul>
<li>
<b>Breaking change for UCS@school Kelvin REST API clients below <code>1.7.0</code></b>: Add work group support in user resource (Bug #54891).
</li>
<li>
Allow the creation of school classes without share (Bug #54875).
</li>
<li>
Add a correlation ID the headers of requests and responses. Write the ID to the log (Issue #25).
</li>
<li>
The request time is now added to the log file (Issue #28).
</li>
<li>
App Center scripts were added to keep the state of UCR variables, which are set manually inside the docker container (Bug #54959).
</li>
<li>
Validation errors are logged as warnings to make filtering the log easier (Issue #895).
</li>
<li>
Add HEAD /schools/{school_name} endpoint (Issue #24).
</li>
<li>
Allow mapping UDM properties to work groups (Bug #55259).
<li>
<li>
The <code>multipart</code> library output is not logged anymore (at <code>DEBUG</code> level), when retrieving a token (Issue #27).
</li>
</ul>
<h2>v1.6.0 (2022-08-24)</h2>
<ul>
<li>
Security Issue: An error causing group shares to be created with wrong permissions has been fixed. The permissions of existing shares will be fixed during the joinscript (Bug #55103).
</li>
<li>
Creating schools with OU names including underscores is now allowed, if the DC name is passed, too (Bug #55125).
</li>
</ul>
<h2>v1.5.6 (2022-06-30)</h2>
<ul>
<li>
Remove create_share from school class objects to avoid conflicts with Kelvin client versions older than 1.6.0 (Bug #54916).
</li>
</ul>
<h2>v1.5.5 (2022-06-23)</h2>
<ul>
<li>
Add work group resource (Bug #54876).
</li>
<li>
Allow the creation of school classes without share (Bug #54875).
</li>
<li>
Entering an invalid school URL does result in HTTP error-code 422 instead of 500 (Bug #52895).
</li>
<li>
Enable log rotation of the Open Policy Agent (Bug #54247).
</li>
<li>
The validation was adapted to prevent invalid school names in multiserver environments (Bug #54793).
</li>
<li>
An error has been fixed, which was raised by invalid UCS@school roles during the validation (Bug #54653).
</li>
<li>
The date validation error messages have been improved (Bug #54812).
</li>
<li>
Added documentation for the classes resource (Bug #52734).
</li>
<li>
Updated descriptions of variables in the Swagger UI to fit the expected values and added JSON Examples to descriptions where needed (Bug #54739).
</li>
</ul>
<h2>v1.5.4 (2022-04-27)</h2>
<ul>
<li>
The valid date range is now specified (Bug #54668).
</li>
<li>
A new App Setting was added to configure the amount CPU cores utilized by the UCS@school Kelvin REST API (Bug #54575).
</li>
<li>
It is now possible to define multiple schools for users via PATCH and PUT requests (Bug #54481, Bug #54690).
</li>
</ul>
<h2>v1.5.3 (2022-02-08)</h2>
<ul>
<li>
Fixed token requests with authorized user and wrong password leading to <code>HTTP 500</code> (Bug #54431).
</li>
<li>
The user get route now uses the correct filter when searching for UDM mapped properties (Bug #54474).
</li>
</ul>
<h2>v1.5.2 (2022-01-07)</h2>
<ul>
<li>
The Kelvin API can now be installed on servers with the role DC Primary and DC Backup (Bug #54310).
</li>
</ul>
<h2>v1.5.1 (2021-11-30)</h2>
<ul>
<li>
The Open Policy Agent component was added to components documentation (Bug #53960).
</li>
<li>
The log output of the Open Policy Agent is now written to <code>/var/log/univention/ucsschool-kelvin-rest-api/opa.log</code> (Bug #53961).
</li>
<li>
The test suite for the ``ucsschool.lib`` component was improved (Bug #53962).
</li>
<li>
Username generation counter can now be raised above 100 (Bug #53987).
</li>
<li>
The <code>no_proxy</code> environment variable is now honored by the Kelvin REST API when accessing the UDM REST API (Bug #54066).
</li>
<li>
The user resource now has an <code>expiration_date</code> attribute, which can be used to set the account expiration date. A user won't be able to login from that date on (Bug #54126).
</li>
</ul>
<h2>v1.5.0 (2021-09-10)</h2>
<ul>
<li>
Unixhomes are now set correctly for users. (Bug #52926)
</li>
<li>
The Kelvin API now supports udm properties on all Kelvin resources except roles. (Bug #53744)
Be advised that a new restriction was added that also applies to the udm_properties in the users resource and
slightly alters the possible udm properties that can be configured. Please consult the manual section
<a href="https://docs.software-univention.de/ucsschool-kelvin-rest-api/installation-configuration.html#udm-properties">UDM Properties</a>
for details.
</li>
</ul>
<h2>v1.4.4 (2021-06-29)</h2>
<ul>
<li>
The Kelvin API now supports UDM REST APIs using certificates, which are not signed by the UCS-CA. (Bug #52766)
</li>
<li>
The UCS@school object validation now validate groups, schools and roles case-insensitive. (Bug #53044)
</li>
</ul>
<h2>v1.4.3 (2021-06-16)</h2>
<ul>
<li>
A security error was fixed, that allowed the unrestricted use of the Kelvin API with unsigned authentication tokens.
Please update as fast as possible (Bug #53454)!
</li>
</ul>
<h2>v1.4.2 (2021-05-26)</h2>
<ul>
<li>
Support for hooks for objects managed by classes from the package ``ucsschool.lib.models`` was added. See manual section <a href="https://docs.software-univention.de/ucsschool-kelvin-rest-api/installation-configuration.html#python-hooks-for-pre-and-post-object-modification-actions">Python hooks for pre- and post-object-modification actions</a> for details (Bug #49557).
</li>
<li>
An error when creating usernames with templates was fixed (Bug #52925).
</li>
</ul>
<h2>v1.4.1 (2021-05-03)</h2>
<ul>
<li>
No error message is logged anymore after the deletion of an object (Bug #52896).
</li>
<li>
Repeated restarts of the Kelvin server have been fixed.
</li>
</ul>
<h2>v1.4.0 (2021-04-20)</h2>
<ul>
<li>
The FastAPI framework has been updated to version <code>0.63.0</code>.
</li>
<li>
Open Policy Agent was added for access control and implemented partially for the user resource.
</li>
<li>
The Kelvin API now supports creating schools (<a href="https://docs.software-univention.de/ucsschool-kelvin-rest-api/resource-schools.html#create">manual</a>).
</li>
</ul>
<h2>v1.3.0 (2021-02-18)</h2>
<ul>
<li>
<p>It is now possible to change the roles of users. See manual section <a href="https://docs.software-univention.de/ucsschool-kelvin-rest-api/resource-users.html#changing-a-users-roles">Changing a users roles</a> for details.</p>
<p>This feature depends on changes in the UDM REST API and thus the app requires <a href="https://errata.software-univention.de/#/?erratum=4.4x892">UCS 4.4-7 errata892</a> on the host system.</p>
</li>
<li>
Validation errors when reading malformed user objects from LDAP now produce more helpful error messages.
</li>
<li>
Internal improvement: A fallback for retrieving LDAP connection settings from UCR has been added for the case that that the environment variables are not available.
</li>
<li>
UCS@school user and group objects are now validated before usage, when loading them from LDAP. See manual sections <a href="https://docs.software-univention.de/ucsschool-kelvin-rest-api/resources.html#resources">Resources</a> and <a href="https://docs.software-univention.de/ucsschool-kelvin-rest-api/installation-configuration.html#backup-count-of-validation-logging">Backup count of validation logging</a> for details.
</li>
</ul>
<h2>v1.2.0 (2020-11-12)</h2>
<ul>
<li>
The attribute <code>kelvin_password_hashes</code> has been added to the user resource. It allows overwriting the password hashes in the UCS LDAP with the ones delivered. Use only if you know what you're doing!
</li>
<li>
The user resource search speed has been improved: all matching users are now found with one LDAP lookup.
</li>
<li>
Internal improvement: A fallback for retrieving LDAP connection settings from UCR has been added for the case that that the environment variables are not available.
</li>
</ul>
<h2>v1.1.2 (2020-08-05)</h2>
<ul>
<li>
The following UCR variables are now copied into the Kelvin App Container via the joinscript:
ucsschool/import/set/netlogon/script/path
ucsschool/import/set/homedrive
ucsschool/import/set/sambahome
ucsschool/singlemaster
ucsschool/import/set/serverprofile/path
To sync the variables after they are changed on the host system the joinscript 50ucsschool-kelvin-rest-api
has to be executed manually.
</li>
</ul>
<h2>v1.1.1 (2020-06-15)</h2>
<ul>
<li>
The validation of the "name" attribute of the "SchoolClass" resource has been fixed to allow short class names like "1".
</li>
<li>
The "password" attribute of the "User" resource has been fixed.
</li>
<li>
The signatures of the "UserPyHook" methods have been adapted to be able to "await" async methods.
</li>
<li>
The UCS CA is now added to the ``certifi`` SSL certification store.
</li>
<li>
Support for the ``school_admin`` role was added.
</li>
</ul>
<h2>v1.1.0 (2020-04-15)</h2>
<ul>
<li>
The UDM REST API Python Client library has been updated to version "0.4.0", so it can handle authorized access to the UDM REST API OpenAPI schema.
</li>
</ul>
<h2>v1.0.1 (2020-02-17)</h2>
<ul>
<li>The ucsschool lib has been extended to allow for context types other than "school" in "ucsschool_roles" attribute of most resources.
</li>
</ul>
<h2>v1.0.0 (2020-01-20)</h2>
<ul>
<li>Initial release.
</li>
</ul>