resolve conflicting merge from previous commit

Jenkinsfile

@@ -1,7 +1,7 @@
 
 def failedBuild = false
-def version = "8.0-next"
-
+def minor_version = "8.0"
+def version = "${minor_version}"
 def changeUrl = env.CHANGE_URL
 def blueUrl = "${env.JOB_DISPLAY_URL}"
 def slackResponse = slackSend(channel: "ci", message: "${version} plugins - build - <"+currentBuild.absoluteUrl+"|Link> - <"+blueUrl+"|Blue>", color: "#00A8E1")
@@ -19,7 +19,7 @@ pipeline {
 
     environment {
         // TODO: automate
-        RUDDER_VERSION = "${version}"
+        RUDDER_VERSION = "${minor_version}"
         // we want it everywhere for plugins
         MAVEN_ARGS = "--update-snapshots"
     }
@@ -221,7 +221,7 @@ pipeline {
                                           // don't archive jars
                                           options: [artifactsPublisher(disabled: true)]
                                         ) {
-                                            sh script: 'make licensed-only', label: "build ${p} plugin"
+                                            sh script: 'export PATH=$MVN_CMD_DIR:$PATH && make licensed', label: "build ${p} plugin"
                                             if (changeRequest()) {
                                                 archiveArtifacts artifacts: '**/*.rpkg', fingerprint: true, onlyIfSuccessful: false, allowEmptyArchive: true
                                                 sshPublisher(publishers: [sshPublisherDesc(configName: 'publisher-01', transfers: [sshTransfer(execCommand: "/usr/local/bin/add_to_repo -r -t rpkg -v ${env.RUDDER_VERSION}-nightly -d /home/publisher/tmp/${p}-${env.RUDDER_VERSION}", remoteDirectory: "${p}-${env.RUDDER_VERSION}", sourceFiles: '**/*.rpkg')], verbose:true)])

Jenkinsfile-release

@@ -0,0 +1,107 @@
+
+def failedBuild = false
+def plugin_name = params.PLUGIN_NAME
+def version = params.PLUGIN_TAG
+def branch = params.BRANCH
+def changeUrl = env.CHANGE_URL
+def blueUrl = "${env.JOB_DISPLAY_URL}"
+def message = "Release plugin ${plugin_name} ${version}"
+def slackResponse = slackSend(channel: "ci", message: "${message} - <"+currentBuild.absoluteUrl+"|Link> - <"+blueUrl+"|Blue>", color: "#00A8E1")
+def job = ""
+def errors = []
+def running = []
+
+
+pipeline {
+    agent none
+
+
+    environment {
+        // TODO: automate
+        // we want it everywhere for plugins
+        MAVEN_ARGS = "--update-snapshots"
+    }
+
+    stages {
+        stage('Build plugin') {
+            // only publish nightly on dev branches
+            agent {
+                dockerfile {
+                    filename 'ci/plugins.Dockerfile'
+                    additionalBuildArgs "--build-arg USER_ID=${env.JENKINS_UID}"
+                    // set same timezone as some tests rely on it
+                    // and share maven cache
+                    args '-v /etc/timezone:/etc/timezone:ro -v /srv/cache/elm:/home/jenkins/.elm -v /srv/cache/maven:/home/jenkins/.m2'
+                }
+            }
+            steps {
+                script {
+                  running.add("Build")
+                  updateSlack(errors, running, slackResponse, message, changeUrl)
+
+                                    dir("${plugin_name}") {
+
+                                        withMaven(globalMavenSettingsConfig: "1bfa2e1a-afda-4cb4-8568-236c44b94dbf",
+                                          // don't archive jars
+                                          options: [artifactsPublisher(disabled: true)]
+                                        ) {
+                                            sh script: 'export PATH=$MVN_CMD_DIR:$PATH && make licensed'
+                                            archiveArtifacts artifacts: '**/*.rpkg', fingerprint: true, onlyIfSuccessful: false, allowEmptyArchive: true
+                                            sshPublisher(publishers: [sshPublisherDesc(configName: 'publisher-01', transfers: [sshTransfer(execCommand: "/usr/local/bin/add_to_repo -r -t rpkg -v ${branch} -d /home/publisher/tmp/${plugin_name}-${branch}", remoteDirectory: "${plugin_name}-${branch}", sourceFiles: '**/*.rpkg')], verbose:true)])
+                                            }
+                                        }
+                                    running.remove("Build")
+                                    }
+                                }
+            post {
+                failure {
+                    script {
+                        errors.add("Build")
+                        updateSlack(errors, running, slackResponse, message, changeUrl)
+                    }
+                }
+                cleanup {
+                    script {
+                        updateSlack(errors, running, slackResponse, message, changeUrl)
+                    }
+                }
+            }
+        }
+        stage('End') {
+            steps {
+                script {
+                    if (failedBuild) {
+                        error 'End of build'
+                    } else {
+                        echo 'End of build'
+                    }
+                }
+            }
+        }
+    }
+}
+
+def updateSlack(errors, running, slackResponse, message, changeUrl) {
+
+def blueUrl = "${env.JOB_DISPLAY_URL}"
+
+
+def msg ="*${message}* - <"+currentBuild.absoluteUrl+"|Link> - <"+blueUrl+"|Blue>"
+
+def color = "#00A8E1"
+
+if (! errors.isEmpty()) {
+    msg += "\n*Errors* :x: ("+errors.size()+")\n  • " + errors.join("\n  • ")
+    color = "#CC3421"
+}
+if (! running.isEmpty()) {
+    msg += "\n*Running* :arrow_right: ("+running.size()+")\n  • " + running.join("\n  • ")
+}
+
+if (errors.isEmpty() && running.isEmpty()) {
+    msg +=  " => All plugins built! :white_check_mark:"
+	color = "good"
+}
+
+  slackSend(channel: slackResponse.channelId, message: msg, timestamp: slackResponse.ts, color: color)
+}

api-authorizations/src/main/elm/sources/ApiAuthorizations.elm

@@ -159,7 +159,9 @@ displayCategory acl cat =
       div [class "acl-category"]
       [ input[type_ "checkbox", id toggleId, class "toggle-checkbox"][]
       , div[class "category-header"]
-        [ i [class "fa fa-caret-down"][]
+        [ label [for toggleId, class "category-toggle-caret"]
+          [ i [class "fa fa-caret-down"][]
+          ]
         , label [for toggleId]
           [ text cat.category
           , span [class ("badge badge-secondary " ++ if nbSelected <= 0 then "empty" else "")][text (String.fromInt nbSelected)]

api-authorizations/src/main/resources/toserve/apiauthorizations/media.css

@@ -68,13 +68,17 @@
 .acl-category .toggle-checkbox:not(:checked) + .category-header{
   margin-bottom: 8px;
 }
+.acl-category .category-header .category-toggle-caret{
+   flex: 0 1 40px;
+   font-size: inherit;
+}
 .acl-category .category-header label{
   margin: 0;
   text-transform: capitalize;
   font-size: 22px;
   font-weight: normal;
   flex: 1;
-  padding: 4px 0 4px 40px;
+  padding: 4px 0;
   cursor: pointer;
 }
 .acl-category .category-header > label .badge.badge-secondary{

auth-backends/README.adoc

@@ -12,8 +12,8 @@ other general information.
 
 = Authentication backends
 
-This plugins allows to use alternative authentication backends for Rudder: *OAuth 2.0*, *OpenID Connect*, and *LDAP or Active Directory (AD)*.
-The old *radius module is discountinued* as of Rudder 8.0.
+This plugin allows using alternative authentication backends for Rudder: *OAuth 2.0*, *OpenID Connect*, and *LDAP or Active Directory (AD)*.
+The old *radius module is deprecated* and will be totally removed in a future version.
 
 Each authentication method is detailed below. Users are expected to know how an authentication system works independently of Rudder to configure it in Rudder: you will likely need authentication token, URLs, and other properties provided by your company.
 
@@ -40,7 +40,7 @@ Rudder try to give you helpful information for that task:
 
 == Centralized user authorization management with OIDC
 
-In addition to alternative authentication provider, the OIDC backends allow to provide Rudder roles through the OIDC token so that you can control your Rudder user authorisation directly from your identity provider.
+In addition to alternative authentication provider, the OIDC backends allow providing Rudder roles through the OIDC token so that you can control your Rudder user authorisation directly from your identity provider.
 See OIDC chapter below for more information.
 
 == Configure login form rendering
@@ -444,10 +444,11 @@ These protocols delegate the actual authentication to an identity provider (IdP)
 
 Rudder support plain old `OAUTHv2` and `OpentID Connect`. They have several normalized scenario and Rudder supports the most common for a web application server side authentication: https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth[Authentication using Authorization Code Flow].
 
-[notice]
+[NOTE]
+
 ====
 
-We advise to use OIDC over OAuth 2.0 if possible.
+We advise using OIDC over OAuth 2.0 if possible.
 
 ====
 
@@ -605,8 +606,8 @@ You can use the log level for `auth-backends` in `/opt/rudder/etc/logback.xml`:
 
 ==== Common Oauth2/OIDC error cases
 
-It can be a bit challenging to understand what is not correct in a Oauth2 or OIDC configuration.
-Here are some guide lines to help address possible configuration problems.
+It can be a bit challenging to understand what is not correct in an Oauth2 or OIDC configuration.
+Here are some guidelines to help address possible configuration problems.
 
 *I don't see the list of Identity Provider in login form*
 
@@ -633,7 +634,7 @@ set for property `rudder.auth.oauth2.provider.${registrationKey}.client.id`
 
 *After login on Identity Provider, I get a "login error" message in Rudder login page*
 
-This can have several cause and we will need to analyse Rudder log to understand what happened.
+This can have several cause, and we will need to analyse Rudder log to understand what happened.
 
 **Bad token URL**
 
@@ -709,4 +710,3 @@ In the log, you see:
 
 It means that the value used for `rudder.auth.oauth2.provider.${registrationKey}.userNameAttributeName` was correctly returned in the profile list for the authenticated user, but that value was not found in Rudder user configuration files `/opt/rudder/etc/rudder-users.xml`.
 Check that one of the entries in that file has the corresponding value for its `name` attribute.
-

auth-backends/src/main/scala/bootstrap/rudder/plugin/AuthBackendsConf.scala

@@ -140,7 +140,7 @@ object AuthBackendsConf extends RudderPluginModule {
 
     override def allowedToUseBackend(name: String): Boolean = {
       // same behavior for all authentication backends: only depends on the plugin status
-      pluginStatusService.isEnabled
+      pluginStatusService.isEnabled()
     }
   }
 
@@ -150,7 +150,7 @@ object AuthBackendsConf extends RudderPluginModule {
     override def authenticationBackends:            Set[String] = oauthBackendNames
     override def name:                              String      =
       s"Oauth2 and OpenID Connect authentication backends provider: '${authenticationBackends.mkString("','")}"
-    override def allowedToUseBackend(name: String): Boolean     = pluginStatusService.isEnabled
+    override def allowedToUseBackend(name: String): Boolean     = pluginStatusService.isEnabled()
   })
 
   lazy val isOauthConfiguredByUser = {
@@ -507,12 +507,21 @@ trait RudderUserServerMapping[R <: OAuth2UserRequest, U <: OAuth2User, T <: Rudd
             val custom = {
               try {
                 import scala.jdk.CollectionConverters._
-                user
-                  .getAttribute[java.util.ArrayList[String]](reg.roles.attributeName)
-                  .asScala
-                  .map(r => RudderRoles.findRoleByName(r).runNow)
-                  .flatten
-                  .toSet
+                if (user.getAttributes.containsKey(reg.roles.attributeName)) {
+                  user
+                    .getAttribute[java.util.ArrayList[String]](reg.roles.attributeName)
+                    .asScala
+                    .map(r => RudderRoles.findRoleByName(r).runNow)
+                    .flatten
+                    .toSet
+                } else {
+                  AuthBackendsLogger.warn(
+                    s"User '${rudder.getUsername}' returned information does not contain an attribute '${reg.roles.attributeName}' " +
+                    s"which is the one configured for custom role provisioning (see 'rudder.auth.oauth2.provider.$${idpID}.roles.attribute'" +
+                    s" value). Please check that the attribute name is correct and that requested scope provides that attribute."
+                  )
+                  Set.empty[Role]
+                }
               } catch {
                 case ex: Exception =>
                   AuthBackendsLogger.warn(

auth-backends/src/main/scala/com/normation/plugins/authbackends/api/AuthBackendsApi.scala

@@ -39,6 +39,7 @@ package com.normation.plugins.authbackends.api
 
 import com.normation.plugins.authbackends.AuthBackendsRepository
 import com.normation.plugins.authbackends.JsonSerialization
+import com.normation.rudder.AuthorizationType
 import com.normation.rudder.api.ApiVersion
 import com.normation.rudder.api.HttpAction.GET
 import com.normation.rudder.rest.ApiModuleProvider
@@ -56,8 +57,6 @@ import com.normation.rudder.rest.lift.DefaultParams
 import com.normation.rudder.rest.lift.LiftApiModule
 import com.normation.rudder.rest.lift.LiftApiModule0
 import com.normation.rudder.rest.lift.LiftApiModuleProvider
-import com.normation.rudder.AuthorizationType
-
 import net.liftweb.http.LiftResponse
 import net.liftweb.http.Req
 import net.liftweb.json._
@@ -77,8 +76,8 @@ object AuthBackendsApi       extends ApiModuleProvider[AuthBackendsApi] {
     val description    = "Get information about current authentication configuration"
     val (action, path) = GET / "authbackends" / "current-configuration"
 
-    override def authz: List[AuthorizationType] = List(AuthorizationType.Administration.Read)
-    override def dataContainer: Option[String] = None
+    override def authz:         List[AuthorizationType] = List(AuthorizationType.Administration.Read)
+    override def dataContainer: Option[String]          = None
   }
 
   def endpoints = ca.mrvisser.sealerate.values[AuthBackendsApi].toList.sortBy(_.z)

change-validation/src/main/elm/sources/Init.elm

@@ -26,7 +26,7 @@ addToast toast conf  m =
 defaultConfig : Toasty.Config Msg
 defaultConfig =
   Toasty.Defaults.config
-    |> Toasty.delay 3.0
+    |> Toasty.delay 30000
     |> Toasty.containerAttrs
         [ style "position" "fixed"
         , style "top" "50px"

ci/plugins.Dockerfile

@@ -5,4 +5,5 @@ LABEL ci=rudder/ci/plugins.Dockerfile
 ARG USER_ID=1000
 COPY ci/user.sh .
 # For building js and python plugins
-RUN apt-get update && apt-get install -y npm python3-docopt poppler-utils curl wget unzip
+RUN ./user.sh $USER_ID && \
+    apt-get update && apt-get install -y npm python3-docopt poppler-utils curl wget unzip zip

datasources/README.adoc

@@ -172,4 +172,8 @@ You need to choose one behavior among:
 - Do not change the node property corresponding to that data source,
 - Set the node property corresponding to the data source to a configured value. You have access to a field to fill the value, where JSON is accepted. If the field is let empty, the node property is deleted (ie equivalent to first option).
 
+== Deleting a data source
 
+When a data source is deleted, the corresponding properties on nodes will also be deleted if and only if they were set by the data source (ie property
+name is data source `ID` and property `provider` is `datasources` plugin).
+If you don't want to delete properties linked to a data source, you should only disable it in place of deleting it. 

datasources/src/main/.nsprc

@@ -0,0 +1,3 @@
+{
+  "GHSA-ww39-953v-wcq6": "A DoS" 
+}

datasources/src/main/elm/sources/View.elm

@@ -29,11 +29,11 @@ view model =
           h1 [] [
             span [] [ text "Data sources" ]
           ]
-        ]
-      , div [ class "header-buttons" ] [
-          button [ class "btn btn-success", onClick NewDataSource ] [
-            text "Add data source "
-          , i [ class "add-icon ion ion-android-add-circle" ] []
+          , div [ class "header-buttons" ] [
+              button [ class "btn btn-success", onClick NewDataSource ] [
+                text "Create "
+              , i [ class "add-icon ion ion-android-add-circle" ] []
+              ]
           ]
         ]
       ]
@@ -62,7 +62,7 @@ view model =
             ]
           , p [] [
               button [ class "btn btn-success btn-lg", type_ "button", onClick NewDataSource ] [
-              text "Add data source "
+              text "Create "
             , i [ class "add-icon ion ion-android-add-circle" ] []
             ]
           ]

datasources/src/main/resources/template/dataSourceManagement.html

@@ -6,7 +6,6 @@
   </head_merge>
   <main class="rudder-template" id="datasource" ng-controller="datasourceCtrl">
   </main>
-
   <script>
     var hasWriteRights = false;
   </script>

datasources/src/main/resources/toserve/datasources/rudder-datasources.css

@@ -445,3 +445,6 @@ ul > li.rudder-form > .input-group.disabled *{
   border-radius: 4px;
   line-height: 1.6em;
 }
+.text-info {
+  margin-bottom:10px;
+}