2.0 to master doc patch

doc/sources/admin/authcombination.rst

@@ -228,16 +228,3 @@ SSL authentication
 
 To chain SSL, you have to set "SSLRequire optional" in Apache
 configuration, else users will be authenticated by SSL only.
-
-Migrating from Multi
---------------------
-
-Old :doc:`Multiple backends stack<authmulti>`
-implemented only \`if\` and \`or\` keywords. Examples:
-
-================================================================ =====================================================
-Multi expressions                                                Combination
-================================================================ =====================================================
-``LDAP;DBI``                                                     ``[myLDAP] or [myDBI]``
-``DBI $ENV{REMOTE_ADDR}=~/^192/;LDAP $ENV{REMOTE_ADDR}!~/^192/`` ``if $env->{REMOTE_ADDR} then [myDBI] else [myLDAP]``
-================================================================ =====================================================

doc/sources/admin/authldap.rst

@@ -172,7 +172,7 @@ Groups
     If your LDAP countains over a thousand groups, you
     should avoid using group processing, check out
     :ref:`the performance page<performances-ldap-performances>` for
-    alternatives 
+    alternatives
 
 Password
 ~~~~~~~~

doc/sources/admin/authlinkedin.rst

@@ -30,8 +30,6 @@ Then, go in ``LinkedIn parameters``:
 -  **Authentication level**: authentication level for this module.
 -  **Client ID**: the application ID you get
 -  **Client secret**: the corresponding secret
--  **Searched fields** (deprecated): Fields requested on People endpoint
-   in v1, no more used in v2 API
 -  **Field containing user identifier**: Field that will be used as main
    user identifier in LL::NG, usually ``id`` (LinkedIn numeric
    identifer) or ``emailAddress``.

doc/sources/admin/authproxy.rst

@@ -13,6 +13,11 @@ Presentation
 LL::NG is able to transfer (trough REST or SOAP) authentication
 credentials to another LL::NG portal, like a proxy.
 
+
+.. warning::
+
+    SOAP support may be removed in LLNG 3.0
+
 The difference with :doc:`remote authentication<authremote>` is that the
 client will never be redirect to the main LL::NG portal. This
 configuration is usable if you want to expose your internal SSO portal
@@ -59,7 +64,3 @@ in your lemonldap-ng.ini:
 
    soapProxyUrn = urn:Lemonldap/NG/Common/CGI/SOAPService
 
-
-.. attention::
-
-    This needs LLNG version 2.0.8 at least

doc/sources/admin/cli_examples.rst

@@ -15,8 +15,6 @@ This page shows some examples of LL::NG Command Line Interface. See
 Save/restore configuration
 --------------------------
 
-This part requires LLNG 2.0.5 at least.
-
 Save:
 
 .. code-block:: sh
@@ -31,7 +29,7 @@ Restore:
    # Or
    /usr/share/lemonldap-ng/bin/lemonldap-ng-cli restore - <config.json
 
-Rollback (restore previous configuration, *since 2.0.8*):
+Rollback (restore previous configuration):
 
 .. code-block:: shell
 
@@ -287,15 +285,6 @@ these commands;
 
    openssl req -new -newkey rsa:4096 -keyout saml.key -nodes  -out saml.pem -x509 -days 3650
 
-Fix the certificate key format (you can skip this step if you are
-running >= 2.0.6)
-
-::
-
-   sed -e "s/END PRIVATE/END RSA PRIVATE/" \
-       -e "s/BEGIN PRIVATE/BEGIN RSA PRIVATE/" \
-       -i saml.key
-
 Import them in configuration and activate the SAML issuer
 
 ::

doc/sources/admin/configlocation.rst

@@ -132,7 +132,7 @@ configuration.
 Manager API
 -----------
 
-Since 2.0.8, a Manager API is available for:
+Manager API is available for:
 
 -  Second factors management for users
 -  OpenID Connect RP management

doc/sources/admin/confignginx.rst

@@ -50,20 +50,8 @@ You have to include them in Nginx main configuration.
 Debian/Ubuntu
 ~~~~~~~~~~~~~
 
--  Install log format *(automatically loaded when linked in this place)*
-
-::
-
-   ln -s /etc/lemonldap-ng/nginx-lmlog.conf /etc/nginx/conf.d/llng-lmlog.conf
-
--  Install snippet for vhost configuration files:
-
-::
-
-   ln -s /etc/lemonldap-ng/nginx-lua-headers.conf /etc/nginx/snippets/llng-lua-headers.conf
-
--  Link LLNG components configuration file into ``sites-available``
-   directory (should already have been done if you used packages):
+Link files into ``sites-available`` directory (should already have been
+done if you used packages):
 
 ::
 

doc/sources/admin/contribute.rst

@@ -95,16 +95,17 @@ Import Project and using Git
    git checkout master # go to master branch
    git remote add upstream https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng.git # to connect to remote branch
    git fetch upstream  # import branch
-   git checkout v2.0 # to change branch
+   git checkout v2.1 # to change branch
    git fetch upstream
 
 *import version branch* *on linux station :*
 
 ::
 
-   git checkout v2.0
-   git fetch upstream
-   git rebase upstream/v2.0 # to align to parent project remote branch
+   git checkout v2.1
+   git fetch upstream --all
+   git rebase upstream/v2.1 # to align to parent project remote branch
+   git push # to push to working remote branch
 
 *on gitlab, create working branch, one per thematic* *on linux station
 :*
@@ -116,9 +117,9 @@ Import Project and using Git
    git status
    git commit -am "explanations (#number gitlab ticket)"
    git commit --amend file(s) # to modify a commit
-   git rebase v2.0 # align local working branch to local 2.0
+   git rebase v2.1 # align local working branch to local 2.1
    git checkout -- file(s) # revert
-   git push # to send on remote working branch ! Only after doing some commits !
+   git push # to send on remote working branch
 
 On gitlab, submit merge request when tests are corrects.
 

doc/sources/admin/error.rst

@@ -23,7 +23,7 @@ from a version older than 1.0
    Can't locate /usr/share/lemonldap-ng/configStorage.pl
 
 → When you upgrade from Debian Lenny with customized index.pl files, you
-must upgrade them. 
+must upgrade them.
 
 Lemonldap::NG::Handler
 ----------------------

doc/sources/admin/exportedvars.rst

@@ -53,36 +53,13 @@ portal:
    attributes: it can contain boolean results or any string
 -  macros can also be used to import environment variables *(these
    variables are in CGI format)*. Example: ``$ENV{HTTP_COOKIE}``
--  groups are stored as a string with values separated by ''; ''
-   (default values separator) in the special attribute ``groups``: it
-   contains the names of groups whose rules were returned true for the
-   current user. For example:
-
-.. code-block:: perl
-
-   $groups = group3; admin
-
--  You can also get groups in ``$hGroups`` which is a Hash Reference of
-   this form:
-
-.. code-block:: perl
-
-   $hGroups = {
-             'group3' => {
-                           'description' => [
-                                              'Service 3',
-                                              'Service 3 TEST'
-                                            ],
-                           'cn' => [
-                                     'group3'
-                                   ],
-                           'name' => 'group3'
-                         },
-             'admin' => {
-                          'name' => 'admin'
-                        }
-           }
-
+-  You can check for group membership of a particular user with the
+   ``inGroup`` function, see examples below.
+-  If you need more advanced processing of the group list (filtering,
+   rewriting) you may use ``$groups``, a flat list of all the user's
+   groups, separated by ''; '' (default values separator). Or the
+   ``$hGroups`` variable which is a perl hash whose keys are the group
+   names.
 
 Example for macros:
 
@@ -107,6 +84,42 @@ Defining a group for admins
 
 Using groups in a rule
 
+.. code-block:: perl
+
+   ^/admin -> inGroup('admin')
+
+   # Advanced usage
+   ^/admin -> defined $hGroups->{'admin'}
+   ^/admin -> $groups =~ /\badmin\b/
+
+
+.. note::
+
+    Groups are computed after macros, so a group rule may involve a
+    macro value.
+
+.. warning::
+
+    Macros and groups are computed in alphanumeric order,
+    that is, in the order they are displayed in the manager. For example,
+    macro "macro1" will be computed before macro "macro2": so, expression of
+    macro2 may involve value of macro1. As same for groups: a group rule may
+    involve another, previously computed group.
+
+   # Use a boolean macro in a rule
+   ^/admin -> $isAdmin
+   # Use a string macro in a HTTP header
+   Display-Name -> $displayName
+
+Defining a group for admins
+
+.. code-block:: perl
+
+   # group
+   admin -> $uid eq 'foo' or $uid eq 'bar'
+
+Using groups in a rule
+
 .. code-block:: perl
 
    ^/admin -> $groups =~ /\badmin\b/

doc/sources/admin/extendedfunctions.rst

@@ -32,8 +32,8 @@ Inside this jail, you can access to:
   * unicode2iso_
   * iso2unicode_
   * groupMatch_
-  * listMatch_ (|new| *since 2.0.7*)
-  * inGroup_ (|new| *since 2.0.8*)
+  * listMatch_
+  * inGroup_
   * encrypt_
   * token_
   * isInNet6_
@@ -243,8 +243,6 @@ Simple usage example:
 listMatch
 ~~~~~~~~~
 
-(|image0| since 2.0.7)
-
 This function lets you test if a particular value can be found with a
 multi-valued session attribute.
 
@@ -271,8 +269,6 @@ found.
 inGroup
 ~~~~~~~
 
-(|image1| since 2.0.8)
-
 This function lets you test if the user is in a given group. It is
 case-insensitive.
 
@@ -327,10 +323,8 @@ IP address is local*:
 varIsInUri
 ~~~~~~~~~~
 
-Function to check if a variable is in requested URI (Require LL::NG >=
-2.0.7).
-
-Example *check if $uid is in /check-auth/ URI*:
+Function to check if a variable is in requested URI. Example *check if
+$uid is in /check-auth/ URI*:
 
 .. code-block:: perl
 
@@ -350,7 +344,3 @@ Example *check if $uid is in /check-auth/ URI*:
    https://test1.example.com/check-auth/rtyler/api  -> false
    https://test1.example.com/check-auth/rtyler      -> false
 
-.. |image0| image:: /documentation/new.png
-   :width: 35px
-.. |image1| image:: /documentation/new.png
-   :width: 35px

doc/sources/admin/handlerarch.rst

@@ -11,6 +11,16 @@ Handlers are build on rows of modules:
 -  library types if needed *(may inherits from Main)*
 -  Main: the main handler library
 
+Since version 2.1, wrappers are autogenerated when undefined. Generated
+code is simply:
+
+.. code:: perl
+
+   package Lemonldap::NG::Handler::Platform::Type;
+   use base 'Lemonldap::NG::Handler::Lib::Type',
+     'Lemonldap::NG::Handler::Platform::Main';
+   1;
+
 Overview of Handler packages
 ----------------------------
 

doc/sources/admin/index_protocols.rst

@@ -6,4 +6,4 @@ Standard SSO protocols
 
    samlservice
    openidconnectservice
-   
+

doc/sources/admin/installdeb.rst

@@ -95,8 +95,7 @@ Then, add the official LL::NG repository
        version
     -  Use the ``testing`` repository to get packages from next major
        version
-    -  Use the ``2.0`` repository to avoid upgrade to next major version
-
+    -  Use the ``2.1`` repository to avoid upgrade to next major version
 
 
 Finally update your APT cache:

doc/sources/admin/installrpm.rst

@@ -94,7 +94,7 @@ Run this to update packages cache:
 
     You must also install the EPEL repository for non-core
     dependencies. See :ref:`prerequisites and dependencies<prereq-yum>`
-    chapter for more. 
+    chapter for more.
 
 Manual download
 ~~~~~~~~~~~~~~~

doc/sources/admin/managertests.rst

@@ -5,7 +5,7 @@ Each time you save a configuration, Manager launch a lot of tests:
 
 -  unit tests for each key: they are declared in
    Lemonldap::NG::Manager::Attributes *(source
-   Lemonldap::NG::Manager::Build::Attributes)* 
+   Lemonldap::NG::Manager::Build::Attributes)*
 -  more advanced tests declared in Lemonldap::NG::Manager::Conf::Tests
 
 In some case *(conf overridden in INI file,...)*, you may have to ignore

doc/sources/admin/notifications.rst

@@ -356,7 +356,7 @@ Available options:
 
 -  **Server**: Enable/Disable notification server
 -  **Default condition**: Condition appended to ALL notifications
-   inserted by notification server (JSON format only)
+   inserted by notification server
 -  **Notification parameters to send**: Notifications parameters
    returned by ``GET`` method
 -  **HTTP methods**: Enable/Disable HTTP methods

doc/sources/admin/plugincustom.rst

@@ -111,17 +111,10 @@ Create for example the MyPlugin module:
 Configuration
 ~~~~~~~~~~~~~
 
-Declare the plugin in lemonldap-ng.ini:
+Declare the plugin in Manager, in General Parameters > Plugins > Custom
+Plugins.
 
-::
-
-   vi /etc/lemonldap-ng/lemonldap-ng.ini
-
-.. code-block:: perl
-
-   [portal]
-   customPlugins = Lemonldap::NG::Portal::MyPlugin
-   ;customPlugins = Lemonldap::NG::Portal::MyPlugin1, Lemonldap::NG::Portal::MyPlugin2, ...
-
-Since 2.0.7, it can also be configured in Manager, in General Parameters
-> Plugins > Custom Plugins.
+-  Modules list: for example
+   ``Lemonldap::NG::Portal::MyPlugin1, Lemonldap::NG::Portal::MyPlugin2``
+-  Additional parameters: parameters that will be available in
+   ``customPluginsParams`` configuration key

doc/sources/admin/portalcustom.rst

@@ -334,11 +334,6 @@ General
 Password Policy
 ~~~~~~~~~~~~~~~
 
-
-.. tip::
-
-    Available since version 2.0.6
-
 -  **Minimal size**: leave 0 to bypass the check
 -  **Minimal lower characters**: leave 0 to bypass the check
 -  **Minimal upper characters**: leave 0 to bypass the check

doc/sources/admin/prereq.rst

@@ -65,8 +65,8 @@ Core
 -  Regexp::Common
 -  SOAP::Lite *(optional)*
 -  String::Random
--  Text::Unidecode *(Since LemonLDAP::NG 2.0.5)*
 -  Unicode::String
+-  Text::Unidecode
 -  URI
 -  URI::Escape
 
@@ -135,11 +135,11 @@ SMTP & Reset password/certificate by mail
 Unit tests
 ~~~~~~~~~~
 
--  Authen::U2F::Tester
--  Crypt::U2F::Server
--  Test::MockObject
--  Test::Output
 -  Test::POD
+-  Test::MockObject
+-  Crypt::U2F::Server
+-  Authen::U2F::Tester
+-  Test::Output
 -  Time::Fake
 -  YAML
 

doc/sources/admin/refreshsessionapi.rst

@@ -5,8 +5,6 @@ This plugin appends an endpoint to refresh sessions by user. It provides
 ``https://portal/refreshsession`` endpoint. Protect it by webserver
 configuration.
 
-This plugin is available with LLNG ≥ 2.0.7.
-
 Usage
 -----
 

doc/sources/admin/rules_examples.rst

@@ -33,10 +33,6 @@ attribute you see there can be used in a rule!
 
    $groups =~ /\b(?:admins|su)\b/ # admins OR su
    $groups =~ /\badmin_[1-3a]\b/ # admin_1 OR admin_2 OR admin_3 OR admin_a
-
-   defined $hGroups{'administrators'}
-
-   # 2.0.8 and higher only
    inGroup('administrators')
 
 -  Combining multiple expressions

doc/sources/admin/upgrade.rst

@@ -1,2 +1,4 @@
+.. include:: upgrade_2_1_x.rst
+.. include:: upgrade_2_1.rst
 .. include:: upgrade_2_0_x.rst
 .. include:: upgrade_2_0.rst

doc/sources/admin/upgrade_2_1.rst

@@ -0,0 +1,9 @@
+Upgrade from 2.0 to 2.1
+=======================
+
+SOAP deprecation
+----------------
+
+LLNG 2.1.x will be the last major version supporting SOAP services.
+Please start migration to :doc:`REST services<restservices>` *(available
+since 2.0.0)*.

doc/sources/admin/upgrade_2_1_x.rst

@@ -0,0 +1,10 @@
+Upgrade from 2.1.x to 2.1.y
+===========================
+
+Update from one minor version to another does not require any particular
+action. Please apply general caution as you would with any software:
+have backups and a rollback plan ready!
+
+Do not forget to read the release notes of the version you are about to
+install for any specific instructions.
+

doc/sources/admin/writingrulesand_headers.rst

@@ -132,12 +132,11 @@ There are three ways to impose users a higher authentication level:
 
 -  writing a rule based on authentication level:
    ``$authenticationLevel > 3``
--  since 2.0, set a minimum level in virtual host options (default value
-   for ALL access rules)
--  since 2.0.7, a minimum authentication level can be set for each URI
-   access rule. Useful if URI are protected by different types of
-   handler (AuthBasic -> level 2, Main -> level set by authentication
-   backend).
+-  set a minimum level in virtual host options (default value for ALL
+   access rules)
+-  a minimum authentication level can be set for each URI access rule.
+   Useful if URI are protected by different types of handler (AuthBasic
+   -> level 2, Main -> level set by authentication backend).
 
 
 .. tip::
@@ -146,6 +145,24 @@ There are three ways to impose users a higher authentication level:
     to a form that explain that a higher level is required and propose to
     reauthenticate himself.
 
+Using regexp capture in rules
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+If URL regexp captures something *(using parenthesis)*, you can use them
+in the corresponding rule using ``$_rulematch[1]``. Example: only user
+can access to its personal area:
+
+-  Regexp: ``/^public_html/(\w+)(/.*)?$``
+-  Rule: ``$uid eq $_rulematch[1]``
+
+$_rulematch is an array that contains all captured strings. First index
+is 1.
+
+
+.. warning::
+
+    This feature requires Perl ≥ 5.25.7
+
 .. _headers:
 
 Headers
@@ -209,8 +226,8 @@ headers:
 Wildcards in hostnames
 ----------------------
 
-|image1| Since 2.0, a wildcard can be used in virtualhost name (not in
-aliases !): ``*.example.com`` matches all hostnames that belong to
+Since 2.0, a wildcard can be used in virtualhost name (not in aliases
+!): ``*.example.com`` matches all hostnames that belong to
 ``example.com`` domain. Version 2.0.9 improves this and allows better
 wildcards such as ``test-*.example.com`` or ``test-%.example.com``. The
 ``%`` wilcard doesn't match subdomains.