Previously User used salted SHA512 with OpenLDAP-style prefix syntax and
Signup used crypt. Both models had their own hashing and verification
code. Now both use OpenLDAP-style syntax with support for all traditional
formats including crypt. Salted SHA512 is used for new User and Signup
passwords.

Existing Signup objects are migrated to the new format and remain functional.
User passwords now support gradual migration to another hash algorithm when
it is changed in the future.

This code is planned to be used for database-stored API and OAuth2 client
secrets.

Previously the getmails API endpoint did not match "receive_address" values
case-insensitivly like it did pre-v2. To solve this independent of database
collations, all existing mail receive addresses are converted to lower-case
and new/changed receive addresses are constraint to ASCII lower-case letters,
digits and symbols.

The options were introduced to cleanly handle LDAP user connections. Since
LDAP support is now gone and hence user connections are gone too, these
options are no longer necessary. While the options may be useful in other
cases, we cannot continuously test them and so we are removing them for now.

Previously ACL_ACCESS_GROUP defaulted to the value of ACL_SELFSERVICE_GROUP,
now it defaults to "uffd_access". Note that ACL_SELFSERVICE_GROUP has the same
default value. If you set ACL_SELFSERVICE_GROUP to a different value but not
ACL_ACCESS_GROUP, you will need to update your config.

In 32e40c47, c9873e4c, 42338bd0 the old invite, password reset and mail
verification URL schema was deprecated and replaced with a new schema
that adds a numeric id to the links. Support for the old id-less URLs
is now removed.

See 917f9ecd

Closes #127

CONFIG_FILENAME works relative to the app's instance path. While (strictly
speaking) CONFIG_FILENAME is named correctly, it is not really obvious that
it should be set to an instance-relative filename instead of a path. The
current uwsgi.ini file illustrates this problem.

Not having a way to specify an absolute config file path is a problem for
the Debian package: The actual config file /etc/uffd/uffd.cfg must be
symlinked to /usr/share/uffd/instance/config.cfg to be found. Setting
CONFIG_PATH to "/etc/uffd/uffd.cfg" simplifies this.

Since this change is part of a new major release, we can drop
CONFIG_FILENAME in favour of CONFIG_PATH.

Pylint non-deterministicly fails to detect that a method is overwritten later
and complains that the method does not exist. This is pretty annoying and
remains unfixed in the most recent version.

This change is going to be backported to v1.x.x to have a good migration path.
Bearer auth with API_CLIENTS config key is deprecated and planned to be
removed in v2.0.0.

The script generated a broken changelog if the current commit is tagged as
a release. That works now.

Additional improvements:
* Merge commits are ignored
* "^fixup!" commits are ignored
* Commit summaries are line-wrapped
* Authors can be merged by manually supplied name mapping
* The first release also includes a list of commits. They were originally
  excluded because the first release contains so many commits, including
  many unclean ones. But excluding those commits also means excluding the
  attribution, so it is not really an option.
* Authors are ordered by the number of their contributions in a release
  to make occasional contributors more visible.

Previously CHANGELOG had to be updated manually. This was done by downloading
the output of a CI job that used listed commits since the last release. This
made releasing a bit more complicated and led to uselsess release commits.

Now a script creates the full debian/changelog with all versions based on
git tags and git commits.

* Removal of ldapalchemy and LDAP mocking support
* Removal of dependency on ldap3 (except for the migration)
* Remaining "LDAP_<name>" config keys are renamed to "<name>"
* Web interface to create, edit and delete groups
* Consistent foreign key, cascading and nullable configuration on all models
* User/Group.dn is replaced with numeric User/Group.id
* User.uid is renamed to User.unix_uid (to differentiate with new User.id)
* Group.gid is renamed to Group.unix_gid (to differentiate with new Group.id)
* All User/Group/Mail related routes now use the database ids instead of uid/gid/dn
* PasswordToken/MailToken now reference users directly instead of storing loginnames

The database migration (optionally) uses the v1 config keys to connect to
an LDAP server and to import all users, groups and mail forwardings.

Patch-version is not pinned.

Fixes: #121
Fixes: #122
Supersedes: !93

Fixes #114

Regression was introduced by 45d4598e (Replace flask_oauthlib with plain
oauthlib). Support for HTTP Basic authentication scheme for client
authentication is actually required by RFC6749.

Fixes #115

Regression was introduced by 45d4598e (Replace flask_oauthlib with plain oauthlib).

Fixes #110.

This also adds CI tests for schema upgrading/downgrading on both SQLite and
MySQL/MariaDB.

This is needed to be able to run uffd-admin db upgrade from anywhere

Fixes: #113

Use runuser instead of su, as su does not really support multiple arguments to -c

Fixes #112

Also fixed architecture of Debian packages.

Co-authored-by: nd <nd@cccv.de>

See a59ee5f3

This is just a quick fix. The verification code needs further work and
breaking changes of the config schema.

Existing links continue to work. However support for legacy links (without id)
is deprecated and will be removed in the future.

This affects mail verification and password reset links. Existing links
continue to work. However support for legacy links (without id) is
deprecated and will be removed in the future.

Existing invite links continue to work. However support for legacy links
(without id) is deprecated and will be removed in the future.

This change effectivly invalidates all existing grants/tokens.

This was forgotten in 45d4598e.