This change is going to be backported to v1.x.x to have a good migration path.
Bearer auth with API_CLIENTS config key is deprecated and planned to be
removed in v2.0.0.

(cherry picked from commit 917f9ecd)

The script generated a broken changelog if the current commit is tagged as
a release. That works now.

Additional improvements:
* Merge commits are ignored
* "^fixup!" commits are ignored
* Commit summaries are line-wrapped
* Authors can be merged by manually supplied name mapping
* The first release also includes a list of commits. They were originally
  excluded because the first release contains so many commits, including
  many unclean ones. But excluding those commits also means excluding the
  attribution, so it is not really an option.
* Authors are ordered by the number of their contributions in a release
  to make occasional contributors more visible.

(cherry picked from commit 328caf00)

Previously CHANGELOG had to be updated manually. This was done by downloading
the output of a CI job that used listed commits since the last release. This
made releasing a bit more complicated and led to uselsess release commits.

Now a script creates the full debian/changelog with all versions based on
git tags and git commits.

(cherry picked from commit 5c9ab56e)

Patch-version is not pinned.

Fixes: #121
Fixes: #122
Supersedes: !93

Fixes #114

Regression was introduced by 45d4598e (Replace flask_oauthlib with plain
oauthlib). Support for HTTP Basic authentication scheme for client
authentication is actually required by RFC6749.

Fixes #115

Regression was introduced by 45d4598e (Replace flask_oauthlib with plain oauthlib).

Fixes #110.

This also adds CI tests for schema upgrading/downgrading on both SQLite and
MySQL/MariaDB.

This is needed to be able to run uffd-admin db upgrade from anywhere

Fixes: #113

Use runuser instead of su, as su does not really support multiple arguments to -c

Fixes #112

Also fixed architecture of Debian packages.

Co-authored-by: nd <nd@cccv.de>

See a59ee5f3

This is just a quick fix. The verification code needs further work and
breaking changes of the config schema.

Existing links continue to work. However support for legacy links (without id)
is deprecated and will be removed in the future.

This affects mail verification and password reset links. Existing links
continue to work. However support for legacy links (without id) is
deprecated and will be removed in the future.

Existing invite links continue to work. However support for legacy links
(without id) is deprecated and will be removed in the future.

This change effectivly invalidates all existing grants/tokens.

This was forgotten in 45d4598e.

This bug was introduced by 12b0ea3d.

Fixes #83.

Many authentication-related templates shared the same markup originally
copied from the login template. The duplicated code now lives in
base_narrow.html. Alerts now always have the same width as the main content.
Vertical spacing is now more consistent. The footer is now full-width.

Fixes #104.

Replaced "group" keyword argument for login_required with "permission_check".
Most views already define a *_acl_check function that returns whether the
current user has the required permissions for use with register_navbar. The
same function can now be passed to login_required as the "permission_check"
argument.

Differenciated login and selfservice access permissions. Previously
ACL_SELFSERVICE_GROUP was required to login. Now ACL_ACCESS_GROUP is required
to login and ACL_SELFSERVICE_GROUP is required to access selfservice functions
(and to use role-granting invite links). A user with just ACL_ACCESS_GROUP can
now login, access the services overview page and authenticate with OAuth2
services he has access to, but not change his user attributes, password or
roles/permissions.

Fixes #26.

The test cases effectivly tested if the user_acl_check works which is already
covered by other test cases.

Prior to this change permission errors (i.e. the user is logged in but does
not have a required group) were reported with flash('Access denied') and a
redirect to the selfservice index page. This causes two problems: The error
is reported with HTTP status 301/200 which is difficult to check for in tests.
This can also cause redirect loops as soon as the selfservice uses more
differentiated permission checks (see #104).

With this change a dedicated error page is displayed in place the requested
page and the HTTP status 403 is returned. This is implemented with
flask's errorhandler concept for 403.

Fixes #103.

45d4598e accidentally removed the OAuth2.0 access permission check based on
Client.required_group. This change adds it again.

flask_oauthlib is no longer available in Debian Bullseye. It is only a
wrapper around oauthlib, which is still available. While this change does
increase the OAuth2 code size, it achieves compatability with both Debian
Buster and Bullseye.

Aside from error handling, this change has no noticable effects on OAuth2.0
clients. In terms of error handling, a few cases that were not properly
handled before now return appropriate error pages.

Fixes #101

Prior to this change user passwords were not validated on change aside from
their length, but validated on login/bind by ldap3 with SASLprep. Instead of
using SASLprep on password change, this change restricts passwords to 7-bit
ASCII without control characters. Control characters are forbidden by
SASLprep. Multi-byte characters are uncommon in password, especially in those
generated by password managers. This ensures that passwords are always
SASLprep-safe without implementing the rather complex SASLprep algorithm. It
also allows us to fully describe the alphabet restrictions in the relevant
forms.

Fixes #100