Merge branch 'release' into 'master'

PB-28831 Publish production API v4.5.0

See merge request passbolt/passbolt-ce-api!227

.gitlab-ci/jobs/style_check.yml

@@ -2,11 +2,13 @@
   stage: unit-test
   variables:
     PHP_VERSION: "7.4"
+    COMPOSER_ALLOW_SUPERUSER: 1
   image: $CI_REGISTRY_IMAGE_TEST:$PHP_VERSION
   allow_failure: false
   script:
     - composer config --global process-timeout 2000
-    - composer install --dev --no-interaction
+    - composer install --no-interaction
+    - composer validate --check-lock --no-check-publish
     - composer cs-check
     - composer stan
     - composer psalm
@@ -20,3 +22,10 @@ static-analysis:
       when: on_success
     - if: '$TEST_DISABLED == null && $CI_COMMIT_BRANCH != "master"'
       when: on_success
+
+static-analysis-js:
+  stage: unit-test
+  image: node:18
+  script:
+    - npm ci
+    - npm run lint

.npmrc

@@ -0,0 +1,4 @@
+; always amends --ignore-scripts on npm installs
+ignore-scripts=true
+; do not tag on npm version
+git-tag-version=false

CHANGELOG.md

@@ -2,6 +2,130 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
+## [4.5.0] - 2024-02-08
+### Added
+- PB-23913 As a user I can see my passwords marked as expired when users lose permissions on these
+- PB-23913 As an administrator I can activate the password expiry feature
+- PB-28923 As a user I want to be able to use passbolt in Russian
+- PB-21484 As an administrator I can define Microsoft 365 and Outlook providers in SMTP settings
+- PB-19652 As an administrator I can cleanup groups with no members with the cleanup command
+- PB-27707 As administrator, with RBAC I should be able to set “can see users workspace” to “Allow if group manager”
+- PB-28716 Desktop application flag is now enabled by default
+- PB-26203 Desktop app define the account kit exportation help page
+
+### Improved
+- PB-27616 Improve resources serialization performance on GET resources.json
+
+### Security
+- PB-29148 Bump selenium API plugin version to v4.5
+- PB-29005 Upgrades phpseclib/phpseclib to fix composer audit security vulnerability
+- PB-22336 As an admin I should be able to enable/disable request group managers to add users to groups emails separately (LDAP/AD)
+- PB-28871 Mitigate supply chain attack on PR and lint lock files
+- PB-28658 Mitigate supply chain attack on post npm install script
+
+### Fixed
+- PB-29200 Fixes the recover_user command (GITHUB #504)
+- PB-29164 Fix recent InstallCommand changes breaking selenium tests
+- PB-29132 Fix composer lock file not up-to-date message when installing dependencies
+- PB-29160 Fix failing static analysis job in CI
+- PB-29137 Fix failing in UsersEditDisableControllerTest file due to purifier
+- PB-29113 Fix a typo in the email sent when admins lose their admin role
+- PB-28130 Fix invalid cookie name should not trigger a 500
+- PB-29007 Fix constantly failing test in RbacsUpdateControllerTest file
+- PB-28991 Fix email queue entries not marked as sent
+
+### Maintenance
+- PB-28857 Require phpunit-speedtrap to track down slow tests
+- PB-25516 Remove --dev from .gitlab test options, it has not effect and will break with composer v3
+- PB-28844 Improves the methods testing email content
+- PB-28845 Skip unauthenticated exception from logging
+- PB-28653 Speed-up tests by mocking the client in healthcheck relevant tests
+
+## [4.5.0-rc.1] - 2024-02-01
+### Added
+- PB-23913 As a user I can see my passwords marked as expired when users lose permissions on these
+- PB-23913 As an administrator I can activate the password expiry feature
+- PB-28923 As a user I want to be able to use passbolt in Russian
+- PB-21484 As an administrator I can define Microsoft 365 and Outlook providers in SMTP settings
+- PB-19652 As an administrator I can cleanup groups with no members with the cleanup command
+- PB-27707 As administrator, with RBAC I should be able to set “can see users workspace” to “Allow if group manager”
+- PB-28716 Desktop application flag is now enabled by default
+- PB-26203 Desktop app define the account kit exportation help page
+
+### Improved
+- PB-27616 Improve resources serialization performance on GET resources.json
+
+### Security
+- PB-29148 Bump selenium API plugin version to v4.5
+- PB-29005 Upgrades phpseclib/phpseclib to fix composer audit security vulnerability
+- PB-22336 As an admin I should be able to enable/disable request group managers to add users to groups emails separately (LDAP/AD)
+- PB-28871 Mitigate supply chain attack on PR and lint lock files
+- PB-28658 Mitigate supply chain attack on post npm install script
+
+### Fixed
+- PB-29200 Fixes the recover_user command (GITHUB #504)
+- PB-29164 Fix recent InstallCommand changes breaking selenium tests
+- PB-29132 Fix composer lock file not up-to-date message when installing dependencies
+- PB-29160 Fix failing static analysis job in CI
+- PB-29137 Fix failing in UsersEditDisableControllerTest file due to purifier
+- PB-29113 Fix a typo in the email sent when admins lose their admin role
+- PB-28130 Fix invalid cookie name should not trigger a 500
+- PB-29007 Fix constantly failing test in RbacsUpdateControllerTest file
+- PB-28991 Fix email queue entries not marked as sent
+
+### Maintenance
+- PB-28857 Require phpunit-speedtrap to track down slow tests
+- PB-25516 Remove --dev from .gitlab test options, it has not effect and will break with composer v3
+- PB-28844 Improves the methods testing email content
+- PB-28845 Skip unauthenticated exception from logging
+- PB-28653 Speed-up tests by mocking the client in healthcheck relevant tests
+
+## [4.5.0-test.1] - 2024-01-29
+### Added
+- PB-23913 As a user I can see my passwords marked as expired after a user loses permissions
+- PB-23913 As an administrator I can activate the password expiry feature
+- PB-23913 As a user I can define the expiry date of a passwor
+- PB-23913 As an administrator I can define advanced password expiry settings
+- PB-28923 As a user I want to be able to use passbolt in Russian
+- PB-21484 Add support for Microsoft 365 and Outlook providers in SMTP settings
+- PB-19652 Add cleanup task to check for groups with no members
+- PB-27707 As administrator, with RBAC I should be able to set “can see users workspace” to ‘Allow if group manager’
+- PB-28716 Enable desktop application flag by default
+- PB-26203 Desktop app define the account kit exportation help page
+
+### Improved
+- PB-27835 As signed-in user configuring MFA TOTP I can see the TOTP secret so I can use it instead of the QR code
+- PB-27616 Improve resources serialization performance on GET resources.json
+- PB-28521 Add migration to alter gpgkeys.uid column length to 769
+
+### Security
+- PB-29148 Bump selenium API plugin version to v4.5
+- PB-27760 As administrator, I can hide the administrator identity behind LDAP triggered emails
+- PB-29005 Upgrades phpseclib/phpseclib to fix composer audit security vulnerability
+- PB-22336 As an admin I should be able to enable/disable request group managers to add users to groups emails separately (LDAP/AD)
+- PB-28871 Mitigate supply chain attack on PR and lint lock files
+- PB-28658 Mitigate supply chain attack on post npm install script
+
+### Fixed
+- PB-29200 Fixes the recover_user command (GITHUB #504)
+- PB-29164 Fix recent InstallCommand changes breaking selenium tests
+- PB-29132 Fix composer lock file not up-to-date message when installing dependencies
+- PB-29160 Fix failing static analysis job in CI
+- PB-29137 Fix failing in UsersEditDisableControllerTest file due to purifier
+- PB-27788 Correct gendered language on ldap sync ignore messages
+- PB-29113 Fix a typo in the email sent when admins lose their admin role
+- PB-28130 Fix invalid cookie name should not trigger a 500
+- PB-29007 Fix constantly failing test in RbacsUpdateControllerTest file
+- PB-28991 Fix email queue entries not marked as sent
+
+### Maintenance
+- PB-28636 Speed-up cloud tests by storing avatars on local storage
+- PB-28857 Require phpunit-speedtrap to track down slow tests
+- PB-25516 Remove --dev from .gitlab test options, it has not effect and will break with composer v3
+- PB-28844 Improves the methods testing email content
+- PB-28845 Skip unauthenticated exception from logging
+- PB-28653 Speed-up tests by mocking the client in healthcheck relevant tests
+
 ## [4.4.2] - 2023-11-29
 ### Improved
 - PB-27616 As a user I should see improved performances when retrieving resources on the GET resources.json entry point

CONTRIBUTING.md

@@ -2,7 +2,7 @@
 ## Prerequisite
 Make sure you have the developement dependencies install.
 ```
-composer install --dev
+composer install
 ```
 
 ## How do I run the unit tests

Gruntfile.js

@@ -144,6 +144,8 @@ module.exports = function(grunt) {
             'third_party/sendgrid.svg',
             'third_party/sendinblue.svg',
             'third_party/zoho.svg',
+            'third_party/outlook.svg',
+            'third_party/office365.svg',
 
             // Setup
             'illustrations/email.png',

RELEASE_NOTES.md

@@ -1,16 +1,52 @@
-Release song: https://youtu.be/6JNwqRF32ZI
+Release song: https://www.youtube.com/watch?v=HR1KH4zElcY
 
-Passbolt version 4.4.2 has been released, primarily as a maintenance update to address specific issues reported by users. This version includes two main fixes.
+Passbolt v4.5.0 named "Summer is Ending" brings a host of new features and improvements, all designed to make your password management experience more secure, efficient, and user-friendly.
 
-The first fix concerns the Time-based One-Time Password (TOTP) feature. In the previous version, there was an issue where users could accidentally delete the TOTP secret for a resource while editing its description from the sidebar. This has been corrected in the latest update.
+At the heart of this release is the introduction of the Password Expiry feature, a much-anticipated functionality that allows administrators to enable the automatic expiry policy, enhancing security by ensuring that potentially passwords are rotated when someone loses access to resources, for example by leaving a group or the organization.
 
-The second fix improves the performance of the application, specifically when users are retrieving their resources. This update is part of an ongoing effort to enhance the overall performance of the application, with further improvements planned for future releases.
+Alongside, we're excited to introduce the Russian translation, making Passbolt more accessible to a wider audience.
 
-We extend our gratitude to the community member who reported this issue.
+We've also expanded our SMTP settings to include Microsoft 365 and Outlook providers, responding to the community's feedback for more integration options. The section to help users install and configure the Windows desktop application feature is also now enabled by default.
+
+Improvements in the performance of some important API endpoints and other security enhancements and bug fixes are also part of this release.
+
+Thanks to everyone in our community for your ongoing support and contributions that made this release possible. Your feedback and involvement continue to shape Passbolt, enhancing our collective security and usability. Together, we're making password management better for everyone.
+
+## [4.5.0] - 2024-02-08
+### Added
+- PB-23913 As a user I can see my passwords marked as expired when users lose permissions on these
+- PB-23913 As an administrator I can activate the password expiry feature
+- PB-28923 As a user I want to be able to use passbolt in Russian
+- PB-21484 As an administrator I can define Microsoft 365 and Outlook providers in SMTP settings
+- PB-19652 As an administrator I can cleanup groups with no members with the cleanup command
+- PB-27707 As administrator, with RBAC I should be able to set “can see users workspace” to “Allow if group manager”
+- PB-28716 Desktop application flag is now enabled by default
+- PB-26203 Desktop app define the account kit exportation help page
 
-## [4.4.2] - 2023-11-28
 ### Improved
-- PB-27616 As a user I should see improved performances when retrieving resources on the GET resources.json entry point
+- PB-27616 Improve resources serialization performance on GET resources.json
+
+### Security
+- PB-29148 Bump selenium API plugin version to v4.5
+- PB-29005 Upgrades phpseclib/phpseclib to fix composer audit security vulnerability
+- PB-22336 As an admin I should be able to enable/disable request group managers to add users to groups emails separately (LDAP/AD)
+- PB-28871 Mitigate supply chain attack on PR and lint lock files
+- PB-28658 Mitigate supply chain attack on post npm install script
 
 ### Fixed
-- PB-28991 As a user emails should be resent if the first attempt failed
+- PB-29200 Fixes the recover_user command (GITHUB #504)
+- PB-29164 Fix recent InstallCommand changes breaking selenium tests
+- PB-29132 Fix composer lock file not up-to-date message when installing dependencies
+- PB-29160 Fix failing static analysis job in CI
+- PB-29137 Fix failing in UsersEditDisableControllerTest file due to purifier
+- PB-29113 Fix a typo in the email sent when admins lose their admin role
+- PB-28130 Fix invalid cookie name should not trigger a 500
+- PB-29007 Fix constantly failing test in RbacsUpdateControllerTest file
+- PB-28991 Fix email queue entries not marked as sent
+
+### Maintenance
+- PB-28857 Require phpunit-speedtrap to track down slow tests
+- PB-25516 Remove --dev from .gitlab test options, it has not effect and will break with composer v3
+- PB-28844 Improves the methods testing email content
+- PB-28845 Skip unauthenticated exception from logging
+- PB-28653 Speed-up tests by mocking the client in healthcheck relevant tests

composer.json

@@ -103,12 +103,13 @@
         "cakephp/bake": "^2.3.0",
         "phpunit/phpunit": "~9.5.2",
         "cakephp/cakephp-codesniffer": "^4.5",
-        "passbolt/passbolt-selenium-api": "^4.2",
+        "passbolt/passbolt-selenium-api": "^4.5",
         "passbolt/passbolt-test-data": "^4.4",
         "vierge-noire/cakephp-fixture-factories": "^v2.9.0",
         "cakephp/localized": "4.0.0",
         "vimeo/psalm": "^5.0.0",
-        "cakedc/cakephp-phpstan": "^2.0"
+        "cakedc/cakephp-phpstan": "^2.0",
+        "johnkary/phpunit-speedtrap": "^4.0"
     },
     "autoload": {
         "psr-4": {
@@ -128,6 +129,7 @@
             "Passbolt\\JwtAuthentication\\": "./plugins/PassboltCe/JwtAuthentication/src",
             "Passbolt\\Import\\": "./plugins/PassboltCe/Import/src",
             "Passbolt\\Export\\": "./plugins/PassboltCe/Export/src",
+            "Passbolt\\PasswordExpiry\\": "./plugins/PassboltCe/PasswordExpiry/src",
             "Passbolt\\ResourceTypes\\": "./plugins/PassboltCe/ResourceTypes/src",
             "Passbolt\\SmtpSettings\\": "./plugins/PassboltCe/SmtpSettings/src",
             "Passbolt\\MultiFactorAuthentication\\": "./plugins/PassboltCe/MultiFactorAuthentication/src",
@@ -153,6 +155,7 @@
             "Passbolt\\Mobile\\Test\\": "./plugins/PassboltCe/Mobile/tests",
             "Passbolt\\JwtAuthentication\\Test\\": "./plugins/PassboltCe/JwtAuthentication/tests",
             "Passbolt\\MultiFactorAuthentication\\Test\\": "./plugins/PassboltCe/MultiFactorAuthentication/tests",
+            "Passbolt\\PasswordExpiry\\Test\\": "./plugins/PassboltCe/PasswordExpiry/tests",
             "Passbolt\\SmtpSettings\\Test\\": "./plugins/PassboltCe/SmtpSettings/tests",
             "Passbolt\\SelfRegistration\\Test\\": "./plugins/PassboltCe/SelfRegistration/tests",
             "Passbolt\\ResourceTypes\\Test\\": "./plugins/PassboltCe/ResourceTypes/tests",
@@ -171,7 +174,7 @@
         "cs-check": "phpcs -d memory_limit=512M --colors -p --ignore=*.js,*/templates/* ./src ./tests ./plugins",
         "cs-fix": "phpcbf -d memory_limit=512M --colors --ignore=*.js,*/templates/* ./src ./tests ./plugins",
         "install-dev": [
-            "@composer install --dev",
+            "@composer install",
             "npm install",
             "./node_modules/.bin/grunt appjs-update",
             "./node_modules/.bin/grunt styleguide-update"