Merge branch 'feature/PB-44504_52-Publish-production-API' into 'master'

PB-44504 Merge release into master (v5.4.0)

See merge request passbolt/passbolt-ce-api!424

Author: cedricalfonsi

.ddev/addon-metadata/spx/manifest.yaml

@@ -0,0 +1,12 @@
+name: spx
+repository: fullfatthings/ddev-spx
+version: v0.0.2
+install_date: "2025-07-17T12:47:58+05:30"
+project_files:
+    - web-build/pre.Dockerfile.spx
+    - web-build/enable_spx
+    - web-build/disable_spx
+    - commands/web/spx
+    - php/99-spx.ini
+global_files: []
+removal_actions: []

.ddev/commands/web/spx

@@ -0,0 +1,44 @@
+#!/bin/bash
+
+## #ddev-generated
+## Description: Enable or disable spx
+## Usage: spx on|off|enable|disable|true|false|toggle|status
+## Example: "ddev spx" (default is "on"), "ddev spx off", "ddev spx on", "ddev spx toggle", "ddev spx status"
+## ExecRaw: false
+## Flags: []
+## AutocompleteTerms: ["on","off","enable","disable","toggle","status"]
+
+if [ $# -eq 0 ]; then
+  enable_spx
+  exit
+fi
+
+case $1 in
+on | true | enable)
+  enable_spx
+  ;;
+off | false | disable)
+  disable_spx
+  ;;
+toggle)
+  status=$(php -m | grep 'spx')
+  if [ "${status}" = "spx" ]; then
+    disable_spx
+  else
+    enable_spx
+  fi
+  ;;
+status)
+  status=$(php -m | grep 'spx')
+  if [ "${status}" = "spx" ]; then
+    result="spx is enabled"
+  else
+    result="spx is disabled"
+  fi
+  echo $result
+  ;;
+*)
+  echo "Invalid argument: $1"
+  ;;
+esac
+

.ddev/config.yaml

@@ -7,36 +7,45 @@ xdebug_enabled: false
 additional_hostnames: []
 additional_fqdns: []
 database:
-  type: mariadb
-  version: "10.11"
+    type: mariadb
+    version: "10.11"
+hooks:
+    post-start:
+        - exec: sudo apt-get update
+        - exec: sh -c "if [ ! -f /var/www/html/config/app.php ]; then cp /var/www/html/config/app.default.php /var/www/html/config/app.php; fi"
+        - exec: gpg --list-keys
+mailpit_https_port: "9102"
+webimage_extra_packages: [php8.3-gnupg, php8.3-xdebug]
 use_dns_when_possible: true
 composer_version: "2"
 web_environment:
-  - DEBUG=true
-  - APP_FULL_BASE_URL=https://passbolt-pro-api.ddev.site
-  - PASSBOLT_SELENIUM_ACTIVE=true
-  - DATASOURCES_DEFAULT_HOST=db
-  - DATASOURCES_DEFAULT_USERNAME=db
-  - DATASOURCES_DEFAULT_PASSWORD=db
-  - DATASOURCES_DEFAULT_DATABASE=passbolt
-  - DATASOURCES_TEST_HOST=db
-  - DATASOURCES_TEST_USERNAME=db
-  - DATASOURCES_TEST_PASSWORD=db
-  - DATASOURCES_TEST_DATABASE=test_passbolt
-  - PASSBOLT_GPG_SERVER_KEY_FINGERPRINT=2FC8945833C51946E937F9FED47B0811573EE67E
-  - PASSBOLT_GPG_SERVER_KEY_PRIVATE=/var/www/html/config/gpg/unsecure_private.key
-  - PASSBOLT_GPG_SERVER_KEY_PUBLIC=/var/www/html/config/gpg/unsecure.key
-  - EMAIL_TRANSPORT_DEFAULT_HOST=localhost
-  - EMAIL_TRANSPORT_DEFAULT_PORT=1025
-  - EMAIL_DEFAULT_FROM_NAME=Passbolt Local
-  - [email protected]
+    - DEBUG=true
+    - APP_FULL_BASE_URL=https://passbolt-pro-api.ddev.site
+    - PASSBOLT_SELENIUM_ACTIVE=true
+    - DATASOURCES_DEFAULT_HOST=db
+    - DATASOURCES_DEFAULT_USERNAME=db
+    - DATASOURCES_DEFAULT_PASSWORD=db
+    - DATASOURCES_DEFAULT_DATABASE=passbolt
+    - DATASOURCES_TEST_HOST=db
+    - DATASOURCES_TEST_USERNAME=db
+    - DATASOURCES_TEST_PASSWORD=db
+    - DATASOURCES_TEST_DATABASE=test_passbolt
+    - PASSBOLT_GPG_SERVER_KEY_FINGERPRINT=2FC8945833C51946E937F9FED47B0811573EE67E
+    - PASSBOLT_GPG_SERVER_KEY_PRIVATE=/var/www/html/config/gpg/unsecure_private.key
+    - PASSBOLT_GPG_SERVER_KEY_PUBLIC=/var/www/html/config/gpg/unsecure.key
+    - EMAIL_TRANSPORT_DEFAULT_HOST=localhost
+    - EMAIL_TRANSPORT_DEFAULT_PORT=1025
+    - EMAIL_DEFAULT_FROM_NAME=Passbolt Local
+    - [email protected]
 corepack_enable: false
 disable_upload_dirs_warning: true
 
 # Key features of DDEV's config.yaml:
 
 # name: <projectname> # Name of the project, automatically provides
 #   http://projectname.ddev.site and https://projectname.ddev.site
+# If the name is omitted, the project will take the name of the enclosing directory,
+# which is useful if you want to have a copy of the project side by side with this one.
 
 # type: <projecttype>  # backdrop, cakephp, craftcms, drupal, drupal6, drupal7, drupal8, drupal9, drupal10, drupal11, generic, laravel, magento, magento2, php, shopware6, silverstripe, symfony, typo3, wordpress
 # See https://ddev.readthedocs.io/en/stable/users/quickstart/ for more
@@ -55,9 +64,9 @@ disable_upload_dirs_warning: true
 # database:
 #   type: <dbtype> # mysql, mariadb, postgres
 #   version: <version> # database version, like "10.11" or "8.0"
-#   MariaDB versions can be 5.5-10.8, 10.11, and 11.4.
-#   MySQL versions can be 5.5-8.0.
-#   PostgreSQL versions can be 9-17.
+#   MariaDB versions can be 5.5-10.8, 10.11, 11.4, 11.8
+#   MySQL versions can be 5.5-8.0, 8.4
+#   PostgreSQL versions can be 9-17
 
 # router_http_port: <port>  # Port to be used for http (defaults to global configuration, usually 80)
 # router_https_port: <port> # Port for https (defaults to global configuration, usually 443)
@@ -205,14 +214,14 @@ disable_upload_dirs_warning: true
 # unless explicitly specified.
 
 # mailpit_http_port: "8025"
-mailpit_https_port: "9102"
+# mailpit_https_port: "8026"
 # The Mailpit ports can be changed from the default 8025 and 8026
 
 # host_mailpit_port: "8025"
 # The mailpit port is not normally bound on the host at all, instead being routed
 # through ddev-router, but it can be bound directly to localhost if specified here.
 
-webimage_extra_packages: [php8.3-gnupg, php8.3-xdebug]
+# webimage_extra_packages: [php7.4-tidy, php-bcmath]
 # Extra Debian packages that are needed in the webimage can be added here
 
 # dbimage_extra_packages: [telnet,netcat]
@@ -232,7 +241,7 @@ webimage_extra_packages: [php8.3-gnupg, php8.3-xdebug]
 
 # ngrok_args: --basic-auth username:pass1234
 # Provide extra flags to the "ngrok http" command, see
-# https://ngrok.com/docs/ngrok-agent/config or run "ngrok http -h"
+# https://ngrok.com/docs/agent/config/v3/#agent-configuration or run "ngrok http -h"
 
 # disable_settings_management: false
 # If true, DDEV will not create CMS-specific settings files like
@@ -298,11 +307,8 @@ webimage_extra_packages: [php8.3-gnupg, php8.3-xdebug]
 # and you can't erase existing hooks or all environment variables.
 # However, with "override_config: true" in a particular config.*.yaml file,
 # 'use_dns_when_possible: false' can override the existing values, and
-hooks:
-  post-start:
-    - exec: "sudo apt-get update"
-    - exec: sh -c "if [ ! -f /var/www/html/config/app.php ]; then cp /var/www/html/config/app.default.php /var/www/html/config/app.php; fi"
-    - exec: "gpg --list-keys"
+# hooks:
+#   post-start: []
 # or
 # web_environment: []
 # or

.ddev/php/99-spx.ini

@@ -0,0 +1,5 @@
+#ddev-generated
+
+spx.http_enabled=1
+spx.http_key="dev"
+spx.http_ip_whitelist="*"

.ddev/web-build/disable_spx

@@ -0,0 +1,8 @@
+#!/bin/bash
+#ddev-generated
+
+phpdismod -v $DDEV_PHP_VERSION spx
+
+killall -USR2 php-fpm 2>/dev/null || true
+
+echo "Disabled SPX"

.ddev/web-build/enable_spx

@@ -0,0 +1,9 @@
+#!/bin/bash
+#ddev-generated
+
+phpenmod -v $DDEV_PHP_VERSION spx
+
+killall -USR2 php-fpm 2>/dev/null || true
+
+echo "Enabled SPX"
+

.ddev/web-build/pre.Dockerfile.spx

@@ -0,0 +1,16 @@
+#ddev-generated
+
+RUN (apt-get update || true) && DEBIAN_FRONTEND=noninteractive apt-get install -y -o Dpkg::Options::="--force-confold" --no-install-recommends --no-install-suggests build-essential make autoconf libc-dev pkg-config php-pear php${DDEV_PHP_VERSION}-dev zlib1g-dev
+
+RUN mkdir -p /tmp/php-spx && \
+  cd /tmp/php-spx && \
+  git clone -b release/latest https://github.com/NoiseByNorthwest/php-spx.git . && \
+  phpize && \
+  ./configure && \
+  make && \
+  make install
+
+RUN echo "extension=spx.so" > /etc/php/$DDEV_PHP_VERSION/mods-available/spx.ini
+
+ADD enable_spx disable_spx /usr/local/bin/
+

CHANGELOG.md

@@ -2,6 +2,134 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
+## [5.4.0] - 2025-08-12
+### Added
+- PB-43713 Translate the application in Czech
+- PB-44285 Add endpoint to help clients enable E2EE by default for new instances
+- PB-44184 As an administrator I should not be allowed to retrieve resources to migrate from v4 to v5 resource types from v4 resource types that are deleted
+- PB-44071 Add a cleanup tasks to soft-delete inactive users with same usernames
+- PB-44376 Set ECC key type as a default for new users
+- PB-44405 Add new healthcheck to notify administrators when there are no active metadata key if E2EE is enabled
+- PB-44406 Add new healthcheck to notify administrators when zero-knowledge disabled and the server does not have access to the shared metadata key
+- PB-44407 Add new healthcheck to notify administrators when server cannot validate its own shared metadata private key
+- PB-44416 Add metadata settings getting started endpoint
+- PB-38155 Add JSON schema definition to resource types migrations
+- PB-44474 Switch encrypted metadata plugin to stable
+- PB-43631 As an admin running a command as root, I should see the name of the command in the suggestion proposed by the CLI
+
+### Fixed
+- PB-43187 Retrieve user last logged data from users table instead of the log to improve application performance
+- PB-43922 Fix notification emails about a resource update
+- PB-43709 Fix enabling E2EE without a key should trigger an error
+- PB-44093 Fix a warning message in ActionLogsUsernameQueryStrategy
+- PB-44177 Fix as a user I should not be allowed to create v4 resource if the resource type is deleted
+- PB-44179 Fix as user I should not view/index v4 resource types if the resource type is deleted
+- PB-43936 Fix IsValidEncryptedMetadataPrivateKey should log, then return false and not throw an exception if isMessageForRecipient fails
+- PB-44182 Fix as user I should not be allowed to delete a v4 resource if v4 resource type is deleted
+- PB-44181 Fix as user I should not be allowed to share a v4 resource if v4 resource type is deleted
+- PB-44252 Fix as an admin I should not be able to set the role of a user to guest
+- PB-44178 Fix as a user I should not be allowed to update v4 resource if the resource type is deleted
+- PB-44180 Fix as user I should not view/index v5 resource types if the resource type is deleted
+- PB-44186 Fix as an administrator I should not be able to rotate the metadata key for resources that have a deleted resource types
+- PB-44189 Fix command line metadata commands should be loaded in debug mode only
+- PB-43936 Fix isMessageForRecipient should work if encryption is done with main key
+- PB-41818 Fix as a user setting a date as boolean the API should not return a 500 code response
+
+### Maintenance
+- PB-43524 Create a TestData plugin in plugins/PassboltCe
+- PB-44087 Remove V331 backward compatibility migration
+- PB-44267 Bump SeleniumApi plugin version
+- PB-43752 Add assertJson assertions to folders endpoints
+- PB-41818 Bump cakephp version to 5.2.6
+
+## [5.4.0-rc.1] - 2025-08-11
+### Added
+- PB-43713 Translate the application in Czech
+- PB-44285 Add endpoint to help clients enable E2EE by default for new instances
+- PB-44184 As an administrator I should not be allowed to retrieve resources to migrate from v4 to v5 resource types from v4 resource types that are deleted
+- PB-44071 Add a cleanup tasks to soft-delete inactive users with same usernames
+- PB-44376 Set ECC key type as a default for new users
+- PB-44405 Add new healthcheck to notify administrators when there are no active metadata key if E2EE is enabled
+- PB-44406 Add new healthcheck to notify administrators when zero-knowledge disabled and the server does not have access to the shared metadata key
+- PB-44407 Add new healthcheck to notify administrators when server cannot validate its own shared metadata private key
+- PB-44416 Add metadata settings getting started endpoint
+- PB-38155 Add JSON schema definition to resource types migrations
+- PB-44474 Switch encrypted metadata plugin to stable
+- PB-43631 As an admin running a command as root, I should see the name of the command in the suggestion proposed by the CLI
+
+### Fixed
+- PB-43187 Retrieve user last logged data from users table instead of the log to improve application performance
+- PB-43922 Fix notification emails about a resource update
+- PB-43709 Fix enabling E2EE without a key should trigger an error
+- PB-44093 Fix a warning message in ActionLogsUsernameQueryStrategy
+- PB-44177 Fix as a user I should not be allowed to create v4 resource if the resource type is deleted
+- PB-44179 Fix as user I should not view/index v4 resource types if the resource type is deleted
+- PB-43936 Fix IsValidEncryptedMetadataPrivateKey should log, then return false and not throw an exception if isMessageForRecipient fails
+- PB-44182 Fix as user I should not be allowed to delete a v4 resource if v4 resource type is deleted
+- PB-44181 Fix as user I should not be allowed to share a v4 resource if v4 resource type is deleted
+- PB-44252 Fix as an admin I should not be able to set the role of a user to guest
+- PB-44178 Fix as a user I should not be allowed to update v4 resource if the resource type is deleted
+- PB-44180 Fix as user I should not view/index v5 resource types if the resource type is deleted
+- PB-44186 Fix as an administrator I should not be able to rotate the metadata key for resources that have a deleted resource types
+- PB-44189 Fix command line metadata commands should be loaded in debug mode only
+- PB-43936 Fix isMessageForRecipient should work if encryption is done with main key
+- PB-41818 Fix as a user setting a date as boolean the API should not return a 500 code response
+
+### Maintenance
+- PB-43524 Create a TestData plugin in plugins/PassboltCe
+- PB-44087 Remove V331 backward compatibility migration
+- PB-44267 Bump SeleniumApi plugin version
+- PB-43752 Add assertJson assertions to folders endpoints
+- PB-41818 Bump cakephp version to 5.2.6
+
+## [5.4.0-test.3] - 2025-08-08
+### Fixed
+- PB-44573 Ensure standalone custom fields is resource type is updated irrespective of instance being installed for the first time with v5.3.0 or v5.3.1
+
+## [5.4.0-test.2] - 2025-08-07
+### Fixed
+- PB-44578 Align metadata setup settings entry point variable name with client
+
+## [5.4.0-test.1] - 2025-08-07
+### Added
+- PB-43713 Translate the application in Czech
+- PB-44285 Add endpoint to help clients enable E2EE by default for new instances
+- PB-44184 As an administrator I should not be allowed to retrieve resources to migrate from v4 to v5 resource types from v4 resource types that are deleted
+- PB-44071 Add a cleanup tasks to soft-delete inactive users with same usernames
+- PB-44376 Set ECC key type as a default for new users
+- PB-44405 Add new healthcheck to notify administrators when there are no active metadata key if E2EE is enabled
+- PB-44406 Add new healthcheck to notify administrators when zero-knowledge disabled and the server does not have access to the shared metadata key
+- PB-44407 Add new healthcheck to notify administrators when server cannot validate its own shared metadata private key
+- PB-44416 Add metadata settings getting started endpoint
+- PB-38155 Add JSON schema definition to resource types migrations
+- PB-44474 Switch encrypted metadata plugin to stable
+- PB-43631 As an admin running a command as root, I should see the name of the command in the suggestion proposed by the CLI
+
+### Fixed
+- PB-43187 Retrieve user last logged data from users table instead of the log to improve application performance
+- PB-43922 Fix notification emails about a resource update
+- PB-43709 Fix enabling E2EE without a key should trigger an error
+- PB-44093 Fix a warning message in ActionLogsUsernameQueryStrategy
+- PB-44177 Fix as a user I should not be allowed to create v4 resource if the resource type is deleted
+- PB-44179 Fix as user I should not view/index v4 resource types if the resource type is deleted
+- PB-43936 Fix IsValidEncryptedMetadataPrivateKey should log, then return false and not throw an exception if isMessageForRecipient fails
+- PB-44182 Fix as user I should not be allowed to delete a v4 resource if v4 resource type is deleted
+- PB-44181 Fix as user I should not be allowed to share a v4 resource if v4 resource type is deleted
+- PB-44252 Fix as an admin I should not be able to set the role of a user to guest
+- PB-44178 Fix as a user I should not be allowed to update v4 resource if the resource type is deleted
+- PB-44180 Fix as user I should not view/index v5 resource types if the resource type is deleted
+- PB-44186 Fix as an administrator I should not be able to rotate the metadata key for resources that have a deleted resource types
+- PB-44189 Fix command line metadata commands should be loaded in debug mode only
+- PB-43936 Fix isMessageForRecipient should work if encryption is done with main key
+- PB-41818 Fix as a user setting a date as boolean the API should not return a 500 code response
+
+### Maintenance
+- PB-43524 Create a TestData plugin in plugins/PassboltCe
+- PB-44087 Remove V331 backward compatibility migration
+- PB-44267 Bump SeleniumApi plugin version
+- PB-43752 Add assertJson assertions to folders endpoints
+- PB-41818 Bump cakephp version to 5.2.6
+
 ## [5.3.2] - 2025-07-16
 ### Fixed
 - PB-43910 As an administrator installing passbolt on postgres, the default postgres schema should be public

README.md

@@ -42,7 +42,7 @@ Passbolt is a security-first, open source password manager for teams. It helps o
 What makes passbolt different?
 - **Security:** Passbolt security model features user-owned secret keys and end-to-end encryption. It is audited multiple times annually, and [findings](https://help.passbolt.com/faq/security/code-review) are made public.
 - **Collaboration:** Securely share and audit credentials, with powerful and dependable policies for power users.
-- **Privacy:** Passbolt is headquartered in the EU,:european_union: specifically in Luxembourg. Passbolt doesn't collect personal data or telemetry, and can be deployed in an air-gapped environment.
+- **Privacy:** Passbolt is headquartered in the EU :european_union: specifically in Luxembourg. Passbolt doesn't collect personal data or telemetry, and can be deployed in an air-gapped environment.
 
 <br>