Move all models, views, cli commands and templates into corresponding
top-level folders. Detailed changes:

- uffd/<NAME>/models.py -> uffd/models/<NAME>.py
- uffd/<NAME>/cli.py -> uffd/commands/<NAME>.py
- uffd/<NAME>/views.py -> uffd/views/<NAME>.py
- uffd/<NAME>/templates/* -> uffd/templates/
- uffd/ratelimit.py -> uffd/models/ratelimit.py (it contains models)
- gendevcert from uffd/__init__.py -> uffd/commands/gendevcert.py
- profile from uffd/__init__.py -> uffd/commands/profile.py
- cleanup from uffd/tasks.py -> uffd/commands/cleanup.py
- roles-update-all from uffd/role/views.py -> uffd/commands/...
- Views from uffd/__init__.py -> uffd/views/__init__.py
- All models can/should be imported from uffd.models
- flask shell auto-imports all models instead of only a few

The old structure was meant to keep the code modular and related
code/resources close to each other. However, the modules turned out to
be heavily interdependent and not very modular. Also importing was fragile
due to ordering issues.

With the new structure the dependency tree is much simpler: Infrastructure
code (top-level *.py files) has no internal dependencies. Models only
depend on infrastructure and other models. Views and cli commands depend
on infrastructure, models and other views/commands.

Going forward there is still some restructuring to do, e.g.:

- Move mfa setup views to selfservice views
- Move mfa auth views to session views
- Move utility code from views to infrastructure (e.g. login_required)
- In most cases views should not need to import from other views
- Reorganize infrastructure code

With this feature, uffd can be configured to hide mail addresses of users
from certain services while still allowing the services to send mails to the
users.

To these services uffd returns special remailer addresses instead of the real
mail addresses. When a service sends an email to a remailer address the mail
server queries uffd's API and replaces the remailer address with the real mail
address in both envelope and headers.

This feature requires additional mail server configuration (Postfix
canonical_maps) and support in uffd-socketmapd.

When the "new invite" page was submitted with e.g. an invalid "Valid Until"
value, uffd displayed an error and reset the whole form. This was confusing
to users.

Now the form content is preserved on errors. Also the "Valid Until" field now
has min/max attributes to prevent submitting the form with invalid values.

Fixes #134

The group and role update subcommands set the description to an empty string
if the "--description" option was ommitted.

Fixes #156

Closes #152

Co-authored-by: davidc

Closes #150

When the service overview was introduced, it was meant to be optional. Thus
if the SERVICES config option was empty (the default), uffd returned 404.

Commit fa67bde0 (Migrate OAuth2 and API clients to database) introduced the
regression that accessing the service overview page when no services are
visible based on the permissions of the current user (or guest if not logged
in), 404 is returned.

This change fixes the regression and further changes the behavior to improve
consistency. Since fa67bde0, the page is relevant to admin users regardless of
the SERVICES config option. Therefore uffd asks for login or reports missing
permissions in all cases it originally returned 404.

Added guard to first v2 migration in order to prevent accidental upgrades.
Extended the upgrade instructions and moved them from the README to a
standalone file.

The original change completely broke single logout support.

The migration now uses the correct hashing algorithm (unsalted SHA512 instead
of salted SHA512) for OAuth2/API secrets/passwords.

The migration originally failed to convert the passwords/secrets to the
format expected by PasswordHash resulting in invalid password hashes. With
this change, the migration works correctly.

Also fixes minor template bug.

Also adds a shallow Service model that coexists with the config-defined
services to group multiple OAuth2 and API clients together.

Clients defined in the config with OAUTH2_CLIENTS and API_CLIENTS_2 are
imported by the database migrations.

Removes support for complex values for the OAuth2 client group_required option.
Only simple group names are supported, not (nested) lists of groups previously
interpreted as AND/OR conjunctions. Also removes support for the login_message
parameter of OAuth2 clients.

The generation now happens in a subquery inside the INSERT statement instead
of separate client-managed query. This should also reduce the risk of race
conditions.

Service and non-service users may now use the same UID range.

The command replaces all existing mechanisms for deleting expired objects. It
should run at least daily. The Debian package includes a corresponding cron
job.

Ratelimit events now use UTC timestamps instead of localtime. On upgrade all
past ratelimit events are cleared.

Calling op.get_bind outside a callback broke "flask db history".

Argon2 is a modern password hashing algorithm. It is significantly more secure
than the previous algorithm (salted SHA512). User logins with Argon2 are
relativly slow and cause significant spikes in CPU and memory (100MB) usage.

Existing passwords are gradually migrated to Argon2 on login.

Previously User used salted SHA512 with OpenLDAP-style prefix syntax and
Signup used crypt. Both models had their own hashing and verification
code. Now both use OpenLDAP-style syntax with support for all traditional
formats including crypt. Salted SHA512 is used for new User and Signup
passwords.

Existing Signup objects are migrated to the new format and remain functional.
User passwords now support gradual migration to another hash algorithm when
it is changed in the future.

This code is planned to be used for database-stored API and OAuth2 client
secrets.

Previously the getmails API endpoint did not match "receive_address" values
case-insensitivly like it did pre-v2. To solve this independent of database
collations, all existing mail receive addresses are converted to lower-case
and new/changed receive addresses are constraint to ASCII lower-case letters,
digits and symbols.

The options were introduced to cleanly handle LDAP user connections. Since
LDAP support is now gone and hence user connections are gone too, these
options are no longer necessary. While the options may be useful in other
cases, we cannot continuously test them and so we are removing them for now.