- Fixed: The patch endpoint for school classes and work groups now accepts an empty list to clear all members (:uv:bug:`57771`).
- Fixed: When restarting the OPA service, a crash was possible when the API was under high load (:uv:bug:`57000`).
- Fixed a bug that would lead to misleading log messages when changing the password hashes of a user (:uv:bug:`56590`).
- Swagger UI dependencies are now served statically instead of using CDNs (:uv:bug:`56314`).
- Changed: The API base URL, for example the portal link, now redirects to the OpenAPI docs page (:uv:bug:`55556`).
- Fix: The HEAD endpoint for schools could return an outdated result due to a caching issue (Issue #108).
- Fix: The GET endpoint for schools now returns "None" for non-existing file servers instead of raising an error (Issue #137).
- The hostname for objects in the Kelvin API is no longer case sensitive (:uv:bug:`54305`).
- The UCS@school Kelvin REST API app can now only be installed if the UCS@school app is locally installed (:uv:bug:`54333`).
- Fixed a cache issue where a correct object URL could still lead to a 404 response (:uv:bug:`56699`).
- Disable OPA telemetry (:uv:bug:`56193`).
- Re-enable username validation checks for creation and modification of users (Issue #98).
- Remove all old school groups from user when removed from a school (:uv:bug:`56121`).
- Automatically add all school groups to user when added to a school (:uv:bug:`56121`).
- The UCR variable ``ucsschool/validation/username/windows-check`` is used during username validation (:uv:bug:`56152`).
- Fix group membership when removing admins from schools (:uv:bug:`55986`).
- Update upstream dependencies to fix security vulnerability (:uv:bug:`56097`).
- Validate usernames to avoid Windows reserved names (:uv:bug:`53519`).
- Return HTTP 404 for non-existing roles, instead of 422 (Issue #83).
- Prevent logging of sensitive information, such as passwords, in the OPA log (Issue #71).
- Fix error in ``udm_properties`` check for school classes (Issue #72).
- The script ``update_openapi_client`` no longer fails due to multiple ``jar``-files (Issue id-broker-plugin#17).
- UCS@school lib hooks were not called when the UCS@school Kelvin REST API was called. This has been fixed (Issue #61).
- Fix ``h11._util.LocalProtocolError: Can't send data when our state is ERROR`` traceback (:uv:bug:`55730`).
- General performance improvements, with focus on object existence, searches and user creation (Issue #56).
- Upgrade to Python 3.11 (Issue #56).
- Security fix in login (Issue #64).
- Unhandled exceptions are logged (:uv:bug:`55114`).
- Move operations succeed when a language header is set.
- Speed up validation when creating or changing users (:uv:bug:`55384`).
- Use the LDAP client library ``uldap3`` instead of a custom implementation to get better support and improved performance during direct LDAP calls (Issue #50).
- Compare OU names case-insensitively (:uv:bug:`55472`).
- Calculate group names using OU names from LDAP (:uv:bug:`55456`).
- Fixed: Setting UCS@school roles with context type school in PATCH led to inconsistent UCS@school Users (Issue #47).
- Add support for arbitrary context types for users (:uv:bug:`55355`).
- Added a configuration option to enable the evaluation of password policies when creating UCS@school users (:uv:bug:`55408`).
- Internal: Added option to check password policies when creating or modifying users (:uv:bug:`55393`).
- Added the possibility to send an Accept-Language header with each request.
- All forwarded UDM errors are now structured the same way as FastAPI validation errors (Issue #30).
- Fixed handling of role strings attribute if schools attribute is empty.
- Breaking change for UCS@school Kelvin REST API clients below ``1.7.0``: Add work group support in user resource (:uv:bug:`54891`).
- Allow the creation of school classes without share (:uv:bug:`54875`).
- Add a correlation ID to the headers of requests and responses. Write the ID to the log (Issue #25).
- App Center scripts were added to keep the state of UCR variables, which are set manually inside the docker container (:uv:bug:`54959`).
- The request time is now added to the log file (Issue #28).
- Validation errors are logged as warnings to make filtering the log easier (Issue #895).
- Add HEAD /schools/{school_name} endpoint (Issue #24).
- Allow mapping UDM properties to work groups (:uv:bug:`55259`).
- The ``multipart`` library output is not logged anymore (at ``DEBUG`` level), when retrieving a token (Issue #27).
- Security Issue: An error causing group shares to be created with wrong permissions has been fixed. The permissions of existing shares will be fixed during the joinscript (:uv:bug:`55103`).
- Creating schools with OU names including underscores is now allowed if the DC name is passed, too (:uv:bug:`55125`).
- Remove create_share from school class objects to avoid conflicts with older Kelvin client versions (:uv:bug:`54916`).
- Add work group resource (:uv:bug:`54876`).
- Allow the creation of school classes without share (:uv:bug:`54875`).
- Entering an invalid school URL now results in HTTP error code 422 instead of 500 (:uv:bug:`52895`).
- Enable log rotation of the Open Policy Agent (:uv:bug:`54247`).
- The validation was adapted to prevent invalid school names in multi-server environments (:uv:bug:`54793`).
- An error has been fixed, which was raised by invalid UCS@school roles during the validation (:uv:bug:`54653`).
- Improve date validation error messages (:uv:bug:`54812`).
- Added documentation for the classes resource (:uv:bug:`52734`).
- Updated descriptions of variables in the Swagger UI to fit the expected values and added JSON Examples to descriptions where needed (:uv:bug:`54739`).
- The valid date range is now specified (:uv:bug:`54668`).
- A new App Setting was added to configure the number of CPU cores utilized by the UCS@school Kelvin REST API (:uv:bug:`54575`).
- It is now possible to define multiple schools for users via PATCH and PUT requests (:uv:bug:`54481`, :uv:bug:`54690`).
- Fixed token requests with authorized user and wrong password leading to ``HTTP 500`` (:uv:bug:`54431`).
- The user get route now uses the correct filter when searching for UDM mapped properties (:uv:bug:`54474`).
- The Kelvin API can now be installed on servers with the role DC Primary and DC Backup (:uv:bug:`54310`).
- The Open Policy Agent component was added to components documentation (:uv:bug:`53960`).
- The log output of the Open Policy Agent is now written to ``/var/log/univention/ucsschool-kelvin-rest-api/opa.log`` (:uv:bug:`53961`).
- The test suite for the ``ucsschool.lib`` component was improved (:uv:bug:`53962`).
- Username generation counter can now be raised above 100 (:uv:bug:`53987`).
- The ``no_proxy`` environment variable is now honored by the Kelvin REST API when accessing the UDM REST API (:uv:bug:`54066`).
- The user resource now has an ``expiration_date`` attribute, which can be used to set the account expiration date. A user won't be able to login from that date on (:uv:bug:`54126`).
- Unix homes are now set correctly for users (:uv:bug:`52926`).
- The Kelvin API now supports UDM properties on all Kelvin resources except roles (:uv:bug:`53744`).
- The Kelvin API now supports UDM REST APIs using certificates, which are not signed by the UCS-CA (:uv:bug:`52766`).
- The UCS@school object validation now validates groups, schools and roles case-insensitively (:uv:bug:`53044`).
- A security error was fixed that allowed the unrestricted use of the Kelvin API with unsigned authentication tokens. Please update as fast as possible (:uv:bug:`53454`)!
- Support for hooks for objects managed by classes from the package ``ucsschool.lib.models`` was added. See manual section Python hooks for pre- and post-object-modification actions for details (:uv:bug:`49557`).
- An error when creating usernames with templates was fixed (:uv:bug:`52925`).
- No error message is logged anymore after the deletion of an object (:uv:bug:`52896`).
- Repeated restarts of the Kelvin server have been fixed.
- The FastAPI framework has been updated to version ``0.63.0``.
- Open Policy Agent was added for access control and implemented partially for the user resource.
- The Kelvin API now supports creating schools.
- It is now possible to change the roles of users. See manual section Changing a users roles for details (:uv:bug:`52659`).
- Validation errors when reading malformed user objects from LDAP now produce more helpful error messages (:uv:bug:`52368`).
- UCS@school user and group objects are now validated before usage, when loading them from LDAP. See manual sections Resources and Backup count of validation logging for details (:uv:bug:`52309`).
- A bug setting the properties ``profilepath`` and ``sambahome`` to empty values when creating users has been fixed (:uv:bug:`52668`).
- Improve user resource search speed: find all matching users with one lookup (:uv:bug:`51813`).
- Add fallback for retrieving LDAP connection settings from UCR if environment variables are not available (:uv:bug:`51154`).
- Add attribute ``kelvin_password_hashes`` to user resource. It allows overwriting the password hashes in the UCS LDAP with the ones delivered. Use only if you know what you're doing!
- The OpenAPI schema of the UDM REST API has been restricted to authenticated users. The Kelvin API now uses the updated ``update_openapi_script``, passing credentials to update the OpenAPI client library (:uv:bug:`51072`).
- The school class resource has been modified to accept class name containing only one character (:uv:bug:`51363`).
- Setting and changing the ``password`` attribute has been fixed (:uv:bug:`51285`).
- The UCS CA is now registered in the HTTP client certification verification backend to prevent SSL certification errors when communicating with the UDM REST API on the Docker host (:uv:bug:`51510`).
- The ``school_admin`` role is now supported (:uv:bug:`51509`).
- Update Docker image base to Alpine 3.12, updating Python to 3.8 (:uv:bug:`51768`).
- The validation of the ``name`` attribute of the ``SchoolClass`` resource has been fixed to allow short class names like ``1``.
- The ``password`` attribute of the ``User`` resource has been fixed.
- The signatures of the ``UserPyHook`` methods have been adapted to be able to await asynchronous methods.
- The UCS CA is now added to the ``certifi`` SSL certification store.
- Support for the ``school_admin`` role was added.
- The UDM REST API Python Client library has been updated to version ``0.4.0``, so it can handle authorized access to the UDM REST API OpenAPI schema.
- The ucsschool lib has been extended to allow for context types other than ``school`` in ``ucsschool_roles`` attribute of most resources.
- Initial release.