Releases: CESNET/perun

Release 3.9.0

24 Feb 12:12
v3.9.0
14be839
  • This version requires DB update.
  • This version requires LDAP schema update.
  • This version deprecates some API, which
    will be removed in the next version.

BIG CHANGES

  • In LDAP we moved Facility attributes from Resource to Facility,
    where they belong.
  • We push multiple new attributes to LDAP from admin roles of user above other
    entities to entitlement or resource capabilities (see LDAPc changelog).
  • LDAPc can run without write access to DB for running or replicas.
  • We store TaskResults for generating Tasks, so that in GUI we can see if
    service provisioning is blocked/stuck on Perun side or managed service side.
  • Old attributes for files/data quotas were removed and replaced by the new
    logic.
  • API methods of GeneralServiceManager and PropagationStatsReader were
    moved to ServicesManager and TasksManager respectively. Old API will be
    removed in release 3.10.0.
  • We allow registrar to generate new logins for users (using registrar module)
    and they are editable in registration form.
  • Authorization Roles are no longer sourced from DB, but rather perun-roles.yml
    as we will be heading for dynamic authorization rules in next releases.
  • We split attribute value checks method on syntax and semantics checks as it
    is required for having "state of member on resource" feature coming in next
    releases.
  • Added OpenAPI definition of Perun API, so that client libraries can be
    generated from it. It's not yet complete and will be updated in next releases.

CHANGELOG

CORE

  • Fixed methods with forgotten usage of attribute cache.
  • Fixed authorization for group-resource attributes.
  • Store TaskResult for blocked destinations.
  • TaskResults stored for cancelled/stuck GEN Tasks
    are now recognized as error (just like SEND Tasks).
  • Allow tag replacements in custom template for
    password reset confirmation.
  • Store also organizationURL attribute from IdP.
  • InternalErrorException changed to runtime.
  • Added audit messages when user/group became admin of
    other entity.
  • Create audit messages for removed admins of deleted
    entities.
  • Methods for working with registrar notifications throw
    proper exceptions.
  • Attribute vo:def:voLogoURL can handle base64 encoded images.
  • Added logging to ConsolidatorManager.
  • Log when somebody was invited to register to VO/Group.
  • Fixed bug in group structure synchronizations (when ext source is changed).
  • Keep cookies when synchronizing between Perun instances.
  • Fixed certificates reading in ExtSource for EGISSO.
  • Fixed null pointer when storing UserExtSource attributes.
  • Fixed null pointer in hasRole().
  • Fixed getBeanName() in ExtSource object.
  • Simplified code for deleting group.
  • Changed entity ID for LifescienceID proxy.
  • Added module for user:virt:loaFenix attribute.
  • Fixed group members synchronization. Actual group members
    are not removed if they are found among group members in
    the external source but their attributes can't be retrieved
    from the ext source.
    They are listed among skipped members and synchronization
    is considered as failed.
  • Normalized unix paths in data/file quota modules now strip the
    ending slash "/", since path to directory mustn't end with
    it in some systems (GPFS) and it works OK with others.
  • Fixed audit message resolving on user:virt:certDNs attribute, which
    prevented pushing changes in certificates to the LDAP.
  • Do not use fixed version of HikariPool, bump it with Spring Boot.
  • Use voPersonExternalAffiliation instead of forwardedScopedAffiliation.
  • Fixed login display when adding new members to VO/Group.
  • Refresh of all attributes in setRequiredAttributes.
  • Forbid indirect relationships for group unions.
  • Fixed leap year membership expiration calculation.
  • Updated Spring and Spring Boot to their latest version.

REGISTRAR

  • Mail verification was separated from auto-approval process so that
    user can verify own mail even if auto-approval fails.
  • Removed requirement for POST in get* like methods of Registrar.
  • Fill LoA in registration form items to support optional
    mail validation for mails from IdPs.
  • Prevent concurrent run of approve/reject/delete application.
  • Fixed some form items UI.

API

  • Added MembersManager.createSponsoredMember() which takes
    new user name in parts.
  • Added utility method unblockAllServicesOnDestination().
  • Allow to delete multiple attribute definitions at once.
  • Added API methods to retrieve users UserExtSources as
    RichUserExtSources, containing specified UES attributes.
  • Fixed authorization in VosManager API.
  • Fixed authorization in getFacilitiesByDestination and
    findCompleteRichMembers.
  • Allow partial match when searching for Resource
    by attribute value in Searcher.
  • Added OpenAPI definition of Perun API. It is not yet complete,
    but client side can be generated - eg. perun-cli-java
    or perun-cli-python projects.
  • Added API method getResourcesWhereUserIsAdmin(Vo,User).
  • Added new methods for publication management (perun-cabinet)
    in order to optimize performance.

GUI

  • Working with registrar notifications will let you know
    about conflicts - existing or removed notifications etc.
  • Removed sign out button from user profile, since based on
    authentication method, it can't force re-authentication on
    next access.
  • Implemented GDPR agreement for administrator
    (specific to CESNET instance).
  • When member status is changed between VALID and EXPIRED,
    admin is offered to update also membership expiration value.

DISPATCHER / ENGINE

  • 3 hours timeout for single service provisioning run
    is now configurable in dispatcher and engine properties.
  • Removed unused properties from config files.
  • Renamed default dispatcher auditer_consumer.
  • Do not chown PID files in init.d script for Engine.

LDAPc

  • Allow to mark LDAP attributes as deleted in LDAPc. LDAPc will clear
    their values from LDAP and it allows us to remove such attributes from
    schema in next release.
  • Added many facility attributes to LDAP, facility attributes are
    no longer pushed within Resource entry, but rather own Facility
    entry.
  • Push VO/Group/Facility admin roles from Perun to the LDAP.
  • Fixed name of ORCID attribute for LDAP.
  • LDAPc now can push Map attribute types from Perun to LDAP.
  • Do not chown PID files in init.d script for LDAPc.
  • Push also following attributes to LDAP: resource:capabilities,
    facility:capabilities, user:eduPersonEntitlement,
    user:eIDASPersonIdentifier and user:europeanStudentID.

CLI

  • Added assignTagToResource.
  • Added listOfMemberGroups.
  • Added getFacilitiesByHostName.

DOCS

  • Parse deprecation notice from javadoc to RPC docs.
  • Fixed docs for getRichAdmins().
  • Added javadoc on perun Exceptions.
  • Updated RPC javadoc.

Release 3.7.0

22 Jul 07:11
v3.7.0
afde3da

Changelog (since 3.6.0)

  • This version contains DB changes and they must be applied
    when Perun is shut down!
  • Because of changes in AuditMessage object this version requires
    equal version of all consumers - e.g. LDAPc to be deployed at the
    same time.

CORE

  • Reverted changes to BBMRI lifescience hostel modules.
  • Ignore AlreadyMemberException in BBMRI modules.
  • Split relation to perun attribute in registration form items into
    source and destination attribute. Form item value can be
    then pre-filled from different attribute than stored or doesn't
    have to be stored or pre-filled at all, based on your settings.
  • Switching member to EXPIRED state will now trigger attribute
    validation (when former state is INVALID or DISABLED).
  • Added "lastAccess" property to UserExtSource and display it
    in administrative GUI.
  • Added suspended and suspendedTo params to Member and RichMember
    objects. They will hold suspension state of Member in the future,
    while SUSPENDED member status will be removed from the life-cycle.
    It is not used anywhere yet, except the member object.
    Regarding deserialization, "suspendedTo" is required (null or date in
    string format), while "suspended" is a boolean flag derived from the
    current date and its relation to "suspendedTo" property.
  • Added methods to set or remove new suspended state for member.
  • Enabled locking of groups members during add/remove group member operations.
    It will prevent any future inconsistencies in group memberships caused by
    complex group relation structures and synchronizations and manual changes.
  • Rework of internal AuditMessage / AuditEvent handling. We now exclusively
    use JSON format of messages. It still contains original string data, but
    wrapping object and API has changed and requires proper version of all
    consumers (eg. LDAPc).
  • Removed support for sending notifications to Jabber service.
  • Support group synchronization in exact times (specified as list of HH:MM rounded
    to 5 minutes).
  • Store also start time of last successful group synchronization.
  • Fixed unnecessary session initiation for BA/Kerberos authz.
  • Fixed format of audit message for planned service propagation.
  • Fixed setting authz to members group for vo managers.
  • Fixed bad sql when checking security manager role for user.
  • Fixed user resolving for user:virt:loa on user deletion.
  • Fixed attribute module for systemUnixGroupName which prevented
    value deletion even if group was not system unix group.
  • Added requestor to message body, when errors are reported
    to the mail address instead of mail.

LDAPC

  • Big improvements of LDAP initialization performance in new LDAPc.
  • Fixed removal of non-existent entries from LDAP during sync.
  • Allow oracle driver inclusion during build of new LDAPc.

GUI

  • Delete VO members using single callback for list of members.
  • Fixed message in GUI when user changes mail.
  • Show new settings related to the group synchronization
    in pop-up window for group sync state.

API

  • Big rework of AuditMessagesManager API.
  • AuditMessage now contains AuditEvent instead of simple string message.
    It is still mainly used to read audit events/messages data.
  • Added getAttributes() method for resource, group and member which will
    retrieve attributes for all related entities, including facility and resource.
  • Added new methods to AuthzResolver getUser/GroupRoles().

CLI

  • Added CLI for listing facilities by owner.
  • Support SPONSOR role in setRole unsetRole tools.
  • Added tools listOfExpiredGroupMembers and
    listOfNotExpiringGroupMembers which can list members and
    show their group expiration.

OTHER

  • Removed unused default oidc settings for devel.
  • Removed unused auditer-exporter module.
  • Removed TextFile and SvgImage deserializers. Removed GraphViz library
    responsible for drawing attribute dependencies images. It will be returned
    as a string and UI app will draw the graphs.
  • Removed all references for unused auditer_subscribers table.
  • Updated Spring to 5.1.8.
  • Updated RPC API docs for moveGroup() and some other methods.
  • Removed all custom JSON, CSV parsing, we exclusively use jackson library (v2).

Release 3.6.0

11 Jun 10:13
v3.6.0
39f90e4

Changelog (since 3.5.0)

CORE

  • Added new configuration options for HikariCP in jdbc.properties.
  • SMTP configuration was moved and joined from notifications module
    and registrar module into core (perun.properties).
  • Added AuditEvent about user becoming perun admin.
  • Check also large attributes previous value before
    performing update to prevent unnecessary checks
    and hooks when value didn't really change.
  • Allow specifying mail notification templates
    for preferred mail change and password reset
    in entityless attributes (per namespace/language).
  • Extended Group object definition in CLI.
  • Fixed regex applied to elixirScopedAffiliations.
  • Autocreate required namespaced attributes, supported
    namespaces can be specified in perun.properties.
  • Added module for user:virt:eduPersonEntitlement which will
    gather eduPersonEntitlements from all users identities.
  • Resolve user:virt:loa attribute changes when UserExtSource
    is updated so that LDAP is updated correctly.
  • Removed duplicates in result of getGroupsMembersExcept*().

LDAPc

  • Both old and new LDAP connectors now remove members
    from the group, if their group status in perun is not active.
    Behavior for vo status didn't change.
  • Fixed handling DN of group names in new LDAPc.
  • New LDAPc will now push only valid member on re-initialization.
  • Added "loa" and "isCesnetEligible" attributes to the LDAP.
    LDAP schema must be updated before deploying this version!

GUI

  • Do not load jQuery anonymously in GUI to prevent
    bug in Safari browser blocking it.
  • Fix displaying whether group is authoritative for member synchronization.
  • Inner tabs cross button (top-right corner) will perform the same default action
    as the Close and Done buttons do. E.g. refresh underlying tab after members
    were added to group.
  • Fixed adding group member in GUI when user was already
    indirect member.

API

  • Added method to getSponsoredRichMembers() with attributes.
  • Extended getData() like methods which will automatically exclude
    expired members from the returned groups.
  • Added API methods get(Rich)GroupsWhereUserIsActive(),
    which returns users groups filtered by facility or
    resource they are assigned to and also where member
    is in VALID state for both VO and Group.
  • Added new method getRichGroupsAssignedToResourceWithAttributesByNames()
    with possibility to specify member and attrNames for member-group
    attributes.
  • Added possibility to specify entity ID for methods
    like is[Entity]Admin().

OTHER

  • Error reports from GUI can be directly sent to mail address instead of
    RequestTracking system.
  • Perun gathers also entitlement and assurance attributes from IDPs.
  • Module for attribute user:virt:userOrganizations with mapping of
    VO names to user organizations (specified by member attribute).
  • Fixed RPC docs for sendPasswordResetLink.
  • Prevent possible duplicates in getAllowedUsers() when user was
    assigned through multiple resources.
  • Changed login namespace for lifescience-hostel
    registrations to BBMRI namespace.
  • Added CABINETADMIN role for publication management.

Release 3.5.0

11 Mar 10:29
v3.5.0
c3adb5a

Changelog (since 3.4.0)

CORE

  • We now use HikariCP instead of ApacheDBCP for DB connection management.
  • Fixed switching expired state for group expirations.
  • Implemented logic for group membership expiration notifications.
  • Added new perun-ldapc-ada module which will be used instead of
    current LDAPc in the future.
  • Fixed wrong using of namespace in defaultUnixGID attribute module.
  • Registrar now has configurable SMTP connection for
    sending notifications just like the core notification
    module.
  • Support multi-lang links in password reset notification.
  • Pass login-namespace in password reset notification links.
  • Ported changes for user:virt:eduPersonScopedAffiliations, now it
    takes affiliations also from group:def:groupAffiliations.
  • Removed support for user:virt:elixirBonaFideStatus, was replaced
    by new attribute user:def:elixirBonaFideStatus.
  • Auditer log messages are now stored and read as JSON and
    perun-engine component use instantiated classes to distinguish
    interesting messages.
    We will remove old DB table with custom serialized objects in
    future releases.
  • Reading data from DB based on large list of IDs was reworked
    to use SQL array instead of constructing long SQL with ids.
    This gives us time-consistent performance on each such select.
    This change requires DB schema to be updated to version 3.1.52.
  • Membership expiration calculation logic now uses Java 8 Date API.

GUI

  • Use locally sourced jQuery in administrative GUI
    instead of their CDN.
  • Added threshold for keepAlive checker in administrative
    GUI to prevent showing annoying pop-up on unreliable
    connections.
  • You can now store "reason" why member in VO was suspended.
  • Support to set new SELF_VO and SELF_PUBLIC rights on attributes.
  • Password reset gui supports better theming and checks per login-namespace.

API

  • Added new API method getMemberRichGroupsWithAttributesByNames().
  • Support for paging in getAllRichGroupsWithAttributesByNames().
  • Added utils method to API to get Perun's current time
    (utils/getPerunSystemTimeInMillis).
  • Allow force deletion of Facility.

OTHER

  • Lifescience hostel logic moved from login module to registrar module.
  • Fix usage of MemberGroupAttributeRowMapper in getRequiredAttributes().
  • Omit auditing messages about deleted attributes, if none
    was really deleted.
  • We removed default logging from PerunException. Each exception must be
    now explicitly logged in the code. As fallback specific logger was
    created, so we can still get logs the old way. This will be removed in
    future versions.
  • Methods to generate provisioning data are now in serializable
    transaction isolation to make sure generated data are consistent.
  • Added CLI tools to switch Users between normal, service and sponsored state.

Release 3.4.0

22 Jan 11:34
v3.4.0
c61b30e

Changelog (since 3.3.0)

CORE

  • Merged code for attribute values caching, which should greatly improve performance.
    It's disabled by default in this version and will be subject to further testing on each instance.
  • Attribute modules for determining group membership expiration
    from member_group, member_resource and user_facility context.
  • Fixed vo membership expiration calculation.
  • Fixed vo membership expiration notifications.
  • Prefer native language when sending pwd-reset link from GUI.
  • Allow password reset to random value for perun admins. PDF with password
    and generic text is returned. This is used by user-support. PDF template is configurable
    per namespace (can be any XHTML document).
  • Added attribute modules for storing reason, why member has been suspended.
  • All attribute modules can now listen to audit log messages (previously only virtual
    attributes could).
  • Remove blocked destinations from the list of destinations where perun will push data to.
  • Added new role - ResourceSelfService. Such user can assign or remove group from resource,
    if he's also group manager of the group.
  • Added new sub ActionTypes for the SELF roles, so some attributes can be read/written if user is
    related to the entity through his VO membership or it is supposed to be just public.
  • Support for lifescience-hostel login namespace.
  • Fixed group deletion when group was granting administrative role.
  • Allow facility managers to read group attributes of assigned groups.
  • Added modules for eduteams login namespaces (eduteams-acc-nickname, eduteams, fenix).

REGISTRAR

  • Fixed use-cases for Elixir, when user continues through multiple VOs forms.
  • Bigger and colorful continue button to make sure user doesn't miss it and doesn't close the browser.

GUI

  • Manage values of entityless attributes from GUI (visible to perun admins only).
  • Sort TaskResults by timestamp in reverse order (newer first).

OTHER

  • Upgraded to Spring Boot Starter parent 2.1.2 / Spring 5.1.4.
  • Perform CI tests on Ubuntu 16.04 and both JDKs (8, 11).
  • CLI: Added tool to copyResource (with improved performance on server side).
  • Cleanup param names and order respecting attribute namespaces.
  • Fixed tests on newer HSQL DB, since there was a change in compatibility mode
    regarding create index SQL command.

Release 3.3.0

20 Nov 06:53
v3.3.0
c5fe016

Changelog (since 3.2.0)

CORE

  • Gather IdP and IdPs organization name attributes.
  • Fixed comparison of TaskSchedule improves service provisioning planning.
  • Fixed JSON deserialization of RichMember when synchronizing two perun instances.
  • Upgrade to Spring 5.1
  • Hiding the create VO button in GUI can be configured for a specific instance.
  • Auto-create member:def:organization attribute.
  • Check input length of user titles.
  • Allow Facility deletion, even when blocked service exists.
  • Move VOMS group names and roles attributes into group-resource like attributes.
  • Fixed selecting UserExtSource attributes by their names.
  • Smart sort hostnames in GUI (hosts, destinations, task results).
  • Perun admin can switch between type of users: sponsored, service and normal users.
  • Initial support for new ways of auditing (each message is an object, stored as simple json in new table).
  • Support for custom template of notification sent to user to reset password (by vo manager).

REGISTRAR

  • Registration module for eduTEAMS nickname.
  • Gather also isCesnetElegibleLastSeen attribute and use it in registration modules for Metacentrum and DU.
  • Updated BBMRI registration module.

GUI

  • Support for foreign proxies (show original identity IdP names) in registrar and profile.

API

  • Allow un/blocking all services on facility/destination.
  • Support for SCIM protocol in API.

OTHER

  • Fixed compatibility with Java 11.
  • Fixed running test on current Debian (broken OpenJDK).
  • Fixed overall log levels.
  • Add error message to listing of TaskResults for destination in CLI.

Release 3.2.0

24 Oct 09:20
v3.2.0
f72531e

Changelog (since 3.1.0)

CORE

  • Initial support for group membership expiration.
  • Support for entities with descriptions containing newlines in audit events and pushing to LDAP.
  • Added possibility to generate graph of attribute dependencies.
  • Recalculate attribute dependencies when new attribute is created.
  • Support for alternative login names passed from original IdP, collected in user attribute.
  • Fix failing on empty name when generating login.
  • Changed behavior of attribute modules for elixirBonaFideStatus and eduPersonScopedAffiliations.
  • Added method to get only direct members of Group.
  • Allow group synchronization of groups in hierarchy (only direct members are synchronized now).
  • Fixed equals on User,Candidate and Member objects.
  • Fixed SQL for batch processing of more than 1000 entities by their IDs.
  • Fixed getting facility by attribute value.
  • Fixed passing boolean to jdbc driver on Oracle DB.
  • Fixed setting From to MimeMessages in notifications.
  • Fixed escaping input in XML for MU password manager.

REGISTRAR

  • Fixed re-sending of registration notifications from application detail.
  • Extended registration form items content to exceed 4000 chars limitation.
  • Added support for group extension forms and workflow.
  • Fallback on english texts on registration form if native language is not properly set.

GUI

  • Fixed pre-filled mail selection pop-up being covered by other form items.
  • Do not evaluate HTML in user names.
  • User profile can have native and/or english descriptions for each attribute displayed on profile page.
  • Link for mail validation during registration can contain "target" param which will be used to redirect user on success.
  • Allow custom privacy policy link in admin gui footer.
  • Fixed loading default tabs for VO managers without VO.
  • Fix authorization resolving when opening group in relation on group detail page.
  • Fixed loading of Groups from proper VO when copying registration form from other VOs/Groups.

API

  • Added method to get Facility or Resource attributes by names.
  • Added create methods for all base entities. They take specific params instead of entity instance itself.
  • Added getAllowedRichGroupsWithAttributes() method.
  • Added getUserExtSourceByExtLoginAndExtSourceName() method.
  • Added getResourcesWhereUser(Group)IsAdmin() method.
  • Fixed authorization for fillAttribute() method.
  • Added removeAttributes() for member, group and workWithUserAttributes flag.

OTHER

  • Added generic web-app to create own VO.
  • Added CLI to add/remove members sponsors.
  • Added CLI to manage attribute R/W rights.
  • Fixed javadoc and RPC API automatic generation, added missing object and examples.
  • Deleted all remaining ExecService mentions and usage from code.
  • To locally run perun we now use cargo maven plugin instead of tomcat7.
  • Updated Spring to latest version.

Release 3.1.0

10 Jul 14:22
v3.1.0
81db1cb

This is the first official release of Perun after many years of continuous development without official releases.