Privacyidea

Latest version: v3.11


Page 10 of 14

2.20.1

Not secure
Fixes:
* /token/init allows passing otpkey AND genkey=false (793)
* Cast date to string, to fix audit search for postgresql (786)
* Optimize the LDAP Resolver Redundancy to avoid LdapServerPoolExhaustedErrors (802)
* Preset default realm in token enrollment (804)
* Fix PassOnNoUser and PassOnNoToken (798)
* Fix genkey=0 error during token enrollment (793)

2.20

Not secure
Features:

* New Token-Type OCRA and DisplayTAN to support
transaction signing for online banking (767)
* Federation Handler allows to forward authentication
requests and other REST API requests to a child
privacyIDEA system (711)
* Improved Subscription Handling
* Allow login with multiple login names (713)
* Authentication Cache policy (729)

Enhancements:

* !!!NOTE!!! The following policies now also honor the resolvers,
which they did not previously:
(AUTH, challenge_response), (AUTH, otppin),
(AUTHZ, auth_max_success), (AUTHZ, auth_max_fail),
(AUTHZ, last_auth), (WEBUI, login_mode),
(ENROLL, losttoken_pw_contents), (ENROLL, losttoken_validity),
(ENROLL, losttoken_pw_len) (736)
* User can regenerate the QR Code during enrollment
of smartphone app (766)
* Administrator can define remote privacyIDEA servers
centrally (711)
* Events can now be ordered. This is important for the
federation handling (711)
* Specify the hash algorithm that is used to save
SQL users' passwords (745)
* Add welcome dialog for administrator (716)
* Allow creating an Oracle DB (752)
* Event Handler can use timestamps and time offsets in
conditions (741)
* Use challenge/response token to unlock the screen of
the web UI (702)
* Support multiple challenge/response tokens at the same
time (722)
* GPG keys are generated during package installation, and
the GPG key is shown in the import dialog (742)
* Failcounter clearing timeout in UI (719)
* Allow to send challenge data (like banking transaction) in
email text and SMS text.

Fixes:

* Set default loglevel from DEBUG to INFO (765)
* Fixed PIN logging, which could lead to exceptions
* Fixed unicode handling in log messages
* Make LDAP Resolver work with utf8 (738)
* User can only choose hash algo according to policy (723)
* Add time period 30/60s to rollout URI (744)
* Fix deprecation warning for flask_migrate (734)
* Allow multiple tries for challenge/response (708)
* Fix problem with certificate serial number (737)

2.19.1

Not secure
Enhancements:

* Add "pi-manage policy load" and "pi-manage policy export". (721)
* Allow customization via pi.cfg file.
* Add {username} and {realm} as tags for the tokenhandler. (735)

Fixes:

* Fix pi-manage file permission for backup
* Fix search for resolver in audit log
* Allow reading the old legacy time from the validity period
* Fix wrong enddate with lost_token
* Fix typos
* Improve documentation for yubikey
* Improve documentation for cache decorator
* Improve documentation for webui policy

2.19

Not secure
Features:
* Add generic User Cache to speed up authentication (670, 683)
* Support multiple challenge-response tokens with the same PIN (654)
* Restrict U2F registration based on assertion certificate (648)
* Restrict authentication with U2F devices based on assertion
certificate (648)
* Add privacyidea-token-janitor script that can clean orphaned or
expired tokens (692)
* Add API for mutual key generation during enrollment for easy
Smartphone App development by introducing a generic
2-step-rollout process (627)
* Add /validate/radiuscheck which works with rlm_rest and only uses
HTTP return codes. (703)

Enhancements:

* Allow unsetting the token validity period and other tokeninfo
fields (691)
* Add a quick-resolver test for LDAP resolvers (688)
* Add additional tokeninfo tags {client_ip}, {ua_browser},
{ua_string} in token handler (687)
* Allow setting the description of U2F tokens during enrollment (685)
* Reduce the number of LDAP requests to increase authentication
performance (664, 655, 650)
* Realm administrator is only allowed to see actions on the
user realms allowed to them (663)
* Add audit rotation to pi-manage (657)
* Speed up Audit Log calls by adding a second index (656)
* Allow either locking or logging out the UI after timeout (653)
* Allow string format {user}, {realm}, {serial}, {surname} in
tokenlabel policy (646)
* Move to a consistent time format for validity period and all other
user specific times also containing the timezone (644)
* Add TLS certificate check to LDAP machine resolver (638)
* Make TLS certificate the default option in LDAP resolvers (639)
* Allow to use privacyIDEA ownCloud App without subscription
file with up to 50 users.

Fixes:
* Fix the datepicker for the token validity period (644 / 693)
* Fix LDAP resolver to respect all boolean configuration
options (658)
* Fix serial number in challenge response validation response (649)

Commits added in version 2.19 by:
(In the order of appearance)
* Cornelius Kölbel
* Quynh Nguyen
* Friedrich Weber
* Quoc Doan
* blinkiz
* Bernd Nicklas

2.18

Not secure
Features:
* Allow disabling the WebUI (605)
* The WebUI will lock the screen after a timeout instead of
logging out the user. This makes it easy to continue
configuration work. (621)
* Improve the creation and handling of local CAs (630, 632, 633)
Allow certificate templates for certificates with different runtimes
and x509v3 extensions.

Enhancements:
Enhancements in Policies:
* Allow regular expressions in usernames in policies. (581)
* Improve Policy creation with pi-manage from JSON formatted file.
* WebUI: Add action grouping in policies.
* WebUI: Add action filter in policy view.
* Allow token specific PIN policies: The SPASS token can now
have dedicated PIN policies.
* Add PIN policies for administrators during enrollment and
during assignment.
* Add WebUI policy: only search on enter being pressed (617)

Enhancements in Event Handlers:
* Add token_validity_period condition to event handlers. (618)
* Add additional options in token handler when creating
SMS, Email or mOTP tokens.
* Allow tokenhandler to set tokeninfo field.
* Allow tokenhandler to set syncwindow.
* Add event handler condition for count_auth_success and
count_auth_fail
* Add event handler condition for last_auth.
* Improve Audit Log for Event Handler. Each triggered action
will now also create an audit entry. (609)
* Allow the use of {current_time} in tokenevent handler. (628)

Enhancements in LDAP Resolver:
* Upgrade dependency to ldap3 version >=2.1.1 to improve LDAP
performance in regards to redundancy and security
* LDAP Resolver: Use get_info in bind requests to avoid querying
of subschema. (585)
* LDAP Resolver: Support StartTLS over Port 389.
* Simplify LDAP Resolver: Remove username from Attribute Mapping.
* Simplify LDAP Resolver: Remove reverse filter.

Misc Enhancements:
* Automatically add user's mobile number if tokentype is SMS.
* Add example configuration for GTX messaging SMS gateway.
* Add a script "privacyidea-get-unused-tokens" to find
unused tokens.
* WebUI: Add a busy indicator spinner.
* Improve the pi-manage script in regards to backup and restore.
Lets you choose whether to back up the encryption key or not.
Better handling for individual paths. (626, 623)

Fixes:
* LDAP Resolver: Verify SSL Certificate (Security)
* LDAP Resolver: Allow special characters in NTLM password
* LDAP Resolver: Allow searching for users with German umlaut
* Remove the "unsafe" notation in the QR-Code link, so that
a smartphone may import the key during HOTP/TOTP token enrollment
by clicking the link. (620)
* Use defusedxml to avoid XML bombs on token import (Security)
* Replace eval with ast.literal_eval (Security)
* Add missing attributes for U2F tokens in
validate/triggerchallenge API
* Let /validate/triggerchallenge write to audit log.
* Fix mangle policy for users and realms
* Avoid logging of password in check_user_pass in debug level
(level=10)
* Set encrypted PIN on enrollment for certificate tokens (625)
* Remove unused policy action "motp_webprovision"
* Allow emailtext policy in triggerchallenge API (642)

2.17

Not secure
Features:
* Token Handler. Using the token handler the administrator
can define actions in response to events, to modify tokens
like deleting, modifying, initializing... tokens (532)
* Script Event Handler or Shell Event Handler allows
triggering an external shell script if some event occurs. (536)
* Add additional endpoint to trigger a challenge response
like the sending of an SMS, if the token PIN is not
available (531)
* Policy Handling to also check for secondary resolvers of
a user. This way a user can authenticate with his primary
resolver but policy will also work for secondary resolvers (543)

Enhancements:
* The event handler conditions also determine a serial number
even if there is no serial number in the request:
If the user from the request only has one token assigned. (571)
* Allow event definitions to be disabled (537)
* Allow events to be addressed by a distinct name (522)
* Improve LDAP performance by addressing different functionality
of ldap3 version 1.x and 2.x. (549)
* Improve SQL Audit by adding the SQL Audit table to the schema.
Table is not created during HTTP request. (557)
* Limit audit log entry age. Users may only view audit
log entries up to a certain age. (541)
* Add checkbox to only display used actions in a policy (573)
* In event handler: Use serial number of a user's token if the
user has only one token (571)
* Download a filtered audit log (539)

Fixes:
* Add missing token serial number to audit log if token is
deleted (546)
* Fix event handler saving (551)
* HttpSMSProvider accepts status codes 201 and 202 in addition
to 200 (562)
* Fix checkbox bug in NOREFERRALS of LDAP resolver (563)
* Add documentation for SMS provider (566)
* Remove 301 redirects from WebUI (576)


© 2025 Safety CLI Cybersecurity Inc. All Rights Reserved.