Privacyidea

Latest version: v3.11

Page 5 of 14

3.6

Not secure
Features:
* Add custom user attributes that can be managed within privacyIDEA 680
* Extended policy conditions can match on any token attribute 2590

Enhancements:
* Allow using Push tokens without Firebase 2720
* privacyidea-cron: allow choosing whether to retry if an action failed 1179
* UI: allow token rollover e.g. for smartphone swap 2613
* pi-manage: allow configuration export and import 2467
* Allow different PIN policies for different token types 2142
* UI: Search in policy description, not only in policy action 2574
* UI: Highlight found locations of search term in web UI 2577
* UI: Allow configurable entry point for custom web UI 2592
* UI: Add more descriptive tooltip to token when assigning to machine 2516
* Import AES mode yubikeys created with Yubico Personalization tool 2594
* token janitor can export arbitrary user fields 2569
* token janitor: CSV token export can either export hex or base32 encoded seeds 2648
* token janitor: CSV token export contains token owner 2664
* Remote Token can now be configured with a privacyIDEA configuration instead of a distinct URL 2124
* Allow additional tags like {username} in SMS token 2677
* improve privacyidea-diag 2555
* auth_cache can now cache the credentials for a certain number of usages 1059
* Policy "add_user_in_response" also checks for user-realms 2642
* Stamp the database version automatically during installation 2708
* Audit Rotation is automatically added on new installation 1427

Documentation:
* Add note about SMS text formats 2151
* Rewrite Yubikey enrollment documentation 2318

Hardening:
* Replace ecdsa module with stable pyca module 2410
* LDAP resolver supports TLS 1.3 2637
* Update dependencies / requirements 2570
* Choose more secure configuration defaults 2408

Fixes:
* Do not trigger disabled PUSH tokens 2723
* Truncate audit log entries by default in the configuration 2699
* Policy: Fix problems with extended policy conditions 2676
* UI: Remove table borders in list views 2585
* UI: Do not translate date in audit log 2579
* Remove deprecated oauth2client 1990
* Fix visibility of subscription for administrator 2609
* Remove non-existing getOTP from documentation 2636
* Remove undocumented and unused parameter aladdin_hashlib in token import 2634
* Fix visibility of token wizard 2632
* Create policy button is disabled if no scope is selected 1888
* Re-enable enroll button in case of error during token enrollment 2717
* Save fractions of seconds in the audit log 2706
* Fix pi-manage restore 2728

3.5.2

Not secure
Fixes:
* Add serial to the request object in /ttype/ endpoint (2605)
* Fix missing audit entries missing_line and sig_check (2627)
* Fix backup on Ubuntu 20.04 (2646)
* Fix missing priority in policy import (2643)
* Fix DB migrate URI if it contains char % (2661)
* Fix long default POOLING_LOOP_TIMEOUT (2662)

3.5.1

Not secure
Fixes:
* Fix DB migration script for updates from versions prior to 3.3 (2582)
* Fix the internal interface of container audit module (2562)
* Add missing headers to /auth request (2599)
* Fix tokeninfo value filter with Oracle db (2602)

3.5

Not secure
Features:
* 4Eyes token uses multi challenge authentication (2317)
* Require attestation certificate when enrolling
certificate token (2152)

Enhancements:
* Tokens
* Allow updating the firebase_token of a Push Token (2436)
* Support WebAuthn tokens without sign_count (2361)
* PSKC import now verifies the MAC of the token secrets (2312)
* Configure length and contents of registration token via policy (2284)
* The questionnaire token can now ask several questions from the list (2137)
* Event handler:
* Choose SMS Gateway Identifier in Tokenhandler
when enrolling SMS token (2506)
* Choose SMTP Identifier in Tokenhandler
when enrolling Email token (2452)
* Increase or decrease failcounter in Tokenhandler (2402)
* Allow setting the maxfail counter in event handlers (2541)
* Policies:
* Add extended conditions for tokeninfo (1947)
* Web UI
* PIN can be changed with Challenge Response when authenticating at the WebUI (2474)
* Hide some audit log columns for service desk users (2372)
* Allow configuring a link to a policy statement/GDPR (2325)
* Audit log now contains start time, end time and
duration of a request (2254)
* The length of the audit columns to be truncated can be
configured in pi.cfg (1756)
* Action grouping in scope authorization (2438)
* Redesign welcome message for community version (2397)
* Add usernames and serials of failed authentications
as shortlink into dashboard (2475)
* Policy to add node name in the web UI (1961)
* Make event conditions searchable (2148)
* Align search layout in event conditions and policy actions (2557)
* pi-manage: export resolver configuration (1329)
* Documentation:
* Add note about SELinux and using non-standard ports (2459)
* Explain sync_to_database for script handlers (2450)
* Add documentation for RADIUS configuration (2448)

Fixes:
* Allow equal signs in policy actions (2494)
* Challenge Response is now checked independently of the presence of a challenge in the database (2491)
* Fix enrollment of two tokens using double click (2487)
* Fix wrong (too few) number of authentication requests in the dashboard (2473)
* Allow setting an empty PIN in the UI (2472)
* The dashboard only displays information which an admin is allowed to see, without throwing errors (2456)
* Fix length of hashed password column in auth_cache table (2446)
* Fix url_decode (2345)
* Fix missing adminuser when importing policies (2340)
* Hide browser autocomplete in user search field (2292)
* Disable browser autocomplete fields that clash with search fields in the UI (2401)
* Fix challenge response with multiple FIDO2 tokens (2092)

3.4.1

Not secure
Fixes:
* Fix the deletion of the registration token (2356)
* Add "messages" to JSON response in case of multi challenge
pin change (2346)
* Move from PBKDF2 to Argon2 for password hashes. Existing local admin passwords should be reset so they are stored with the new hashing algorithm (2412)
* Hide dashboard for normal users (2384)
* Fix problem with missing templates in CA connector (2374)
* Fix missing successful authentications in dashboard (2394)
* Improve error handling in token janitor in case of
problematic user (2405)
* Remove PI_PEPPER and pyCrypto (2409)
* Only check for existing JWT algorithms (2407)
* Use Argon2 for PINs and local admins (2413)
* Fix error when logging in with REMOTE_USER (2423)
* Use a secure way to compare strings to avoid
theoretical side channel attacks (2415)
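
The last fix (2415) replaces ordinary string comparison of secrets with a constant-time comparison. The following is an added example, not privacyIDEA's own code, that shows what that buys: a step counter stands in for elapsed time, so the leak is visible deterministically rather than through noisy timing measurements. The function names (leaky_compare, constant_time_compare, verify_otp) are hypothetical, as are the sample OTP values.

```python
"""Early-exit versus constant-time comparison of secrets (added example)."""
import hashlib
import hmac
from typing import Tuple


def leaky_compare(expected: bytes, provided: bytes) -> Tuple[bool, int]:
    """Ordinary early-exit comparison, as `==` behaves on many runtimes.

    Returns (equal, number of bytes inspected). The step count is a stand-in
    for elapsed time: it grows with the length of the matching prefix, which
    lets an attacker who can measure response time confirm a secret byte by
    byte instead of guessing the whole value at once.
    """
    if len(expected) != len(provided):
        return False, 0
    steps = 0
    for a, b in zip(expected, provided):
        steps += 1
        if a != b:
            return False, steps
    return True, steps


def constant_time_compare(expected: bytes, provided: bytes) -> Tuple[bool, int]:
    """Hand-rolled constant-time comparison, shown only to make the idea
    visible. Every byte is inspected no matter where the first mismatch is;
    the OR-accumulated XOR is zero only when all bytes match.

    The length check still returns early: that leaks the length of the
    expected value, which for a fixed-length OTP is public anyway.
    Production code should call hmac.compare_digest (see verify_otp).
    """
    if len(expected) != len(provided):
        return False, 0
    diff = 0
    steps = 0
    for a, b in zip(expected, provided):
        steps += 1
        diff |= a ^ b
    return diff == 0, steps


def verify_otp(expected: str, provided: str) -> bool:
    """Hardened check a server should use for PINs, OTP values or API secrets.

    hmac.compare_digest takes time that depends only on the input length, not
    on the content. Both sides are hashed first so that the compared digests
    always have the same size, which also hides the length of the expected
    value. Encoding to bytes avoids the TypeError that compare_digest raises
    for str arguments containing non-ASCII characters.
    """
    e = hashlib.sha256(expected.encode("utf-8")).digest()
    p = hashlib.sha256(provided.encode("utf-8")).digest()
    return hmac.compare_digest(e, p)


if __name__ == "__main__":
    # Constructed sample values: the real OTP is "123456"; the guesses share
    # a growing prefix with it.
    secret = b"123456"
    for guess in (b"000000", b"120000", b"123400", b"123456"):
        _, leaky_steps = leaky_compare(secret, guess)
        _, ct_steps = constant_time_compare(secret, guess)
        print(f"guess={guess!r:10} early-exit steps={leaky_steps} constant-time steps={ct_steps}")
    print("verify_otp('123456', '123456') ->", verify_otp("123456", "123456"))
    print("verify_otp('123456', '123457') ->", verify_otp("123456", "123457"))
```

Running the block prints the step count climbing from 1 to 6 as the guess matches more of the prefix under early-exit comparison, while the constant-time variant always inspects all 6 bytes. In server code, the whole point is to never branch on partial matches of a secret, which is what `hmac.compare_digest` guarantees.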

3.4

Not secure
Features:
* Add ScriptSMSProvider, which can send SMS through external gateways using arbitrary scripts (2236)
* Add HTTP Resolver that can read users from web services
via JSON responses (2083)
* Add a basic dashboard as start screen in the WebUI (2177)
* Allow using dynamic 3rd party token classes (2321)
* Allow multiple consecutive challenge responses for authentication
or tasks like changing the token PIN (2361)
* PUSH token can communicate with privacyIDEA via polling as a fallback to Google Push Service or Apple Notification Service (2262)

Enhancements:
* Allow deletion of validity period via UI (2263)
* Remove marker for missing translations and allow to set a
custom marker (2223)
* Add support for Python 3.8 (2190)
* Allow hiding description field for users during
token enrollment (2173)
* Improve error message during token import (2073)
* Add Dutch translation (2314)
* Allow application to choose tokentypes in
/validate/check and /validate/triggerchallenge (2047)
* HTTPSMSProvider can now have header parameters in the
provider definition (1963)
* Events
* Add failcounter as condition in event handlers (2147)
* The script handler allows syncing the database before running the script (2293, 2302)
* Allow using user_obj in pre event handlers for
/auth event. (2303)
* Policies
* Allow defining the characters for the set_random_pin policy (2121)
* Add privacyIDEA nodes to policy condition (2108)
* Add new authz policy action is_authorized to basically
allow or deny access (2275)
* Allow ECDSA and other SSH key types (2274)
* pi-manage can import tokens including HOTP token counter (2285)
* Allow the token janitor to set tokenrealms (2299)
* Use our general webauthn client component in the
privacyIDEA WebUI (2273)

Fixes:
* Add missing audit data to container audit (2264)
* Add tokeninfo failsafe for LinOTP migration script (2253)
* Fix certain problems with the type of the userid
in SQL-Resolvers with Oracle DB (2219)
* Fix default empty string problems with Oracle DB (2218)
* Fix a policy issue that would require admin policies to
import tokens (2209)
* Fix inconsistent enrollment templates. Have description
field for all tokentypes (2208)
* Fix floating problems with multiple QR images in enrollment UI (2175)
* Allow editing realms without resolver priority (2171)
* Fix empty (None) values in SQL Resolver connect string (2271)
* Fix missing options parameter in RADIUS and REMOTE token (2276)
* Use UTC for challenge timestamp (1586)
* Fix exceeding max tokens when enabling a disabled token (2215)
* splitSign setting is also applied to REMOTE_USER (1954)
* Fix privacyidea-diag and privacyidea-standalone to run with Python 3 (1874)
* Fix possible recursion error in 4eyes token (1892)
* Improve tests by fixing deprecation warnings (2298)
* Clean up the code for /validate/samlcheck
* Fix censoring of Oracle connect strings (2304)
* Treat unsupported WebAuthn attestation as None attestation (2342)
* Fix admin/scope in import/export of policies with pi-manage (2359)
* Fix url_decode (2360)
* Fix token settings for Yubikey in UI enrollment (2365, 2366)