Merge branch 'release' into 'master'

PB-39559 Set version to v4.12.0

See merge request passbolt/passbolt-ce-api!345

Author: gmougenel

CHANGELOG.md

@@ -2,6 +2,63 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
+## [4.12.0] - 2025-03-12
+### Added
+- PB-39395 As an administrator I can contain permissions when upgrading folders to v5 format
+- PB-39394 As an administrator I can contain permissions when upgrading resources to v5 format
+- PB-38850 As an administrator I cannot rotate entities while two metadata keys are active
+- PB-37699 As an administrator I can upgrade folders to v5 format
+- PB-37363 As an administrator I can rotate metadata keys encrypting folders metadata
+- PB-36582 As an administrator I cannot reuse a previously deleted metadata key
+
+### Fixed
+- PB-39512 Fix during metadata upgrade process, the resource_type_id field is now updated in the database
+- PB-39399 Adds missing fields to metadata private keys in index response
+- PB-39393 Fix limit value is null in pagination header response for rotate & upgrade endpoints
+- PB-38770 Fix email subject for delete resource email when resource is v5
+- PB-38791 Fix 500 error on the duo MFA setup & verify page when duo service is unavailable
+- PB-38771 Fix unable to expire the metadata key due to expired datetime format
+
+### Maintenance
+- PB-39629 Set next minimum PHP version to 8.2 as passbolt v5 will not support lower PHP versions
+
+## [4.12.0-rc.1] - 2025-03-06
+### Added
+- PB-39395 As an administrator I can contain permissions when upgrading folders to v5 format
+- PB-39394 As an administrator I can contain permissions when upgrading resources to v5 format
+- PB-38850 As an administrator I cannot rotate entities while two metadata keys are active
+- PB-37699 As an administrator I can upgrade folders to v5 format
+- PB-37363 As an administrator I can rotate metadata keys encrypting folders metadata
+- PB-36582 As an administrator I cannot reuse a previously deleted metadata key
+
+### Fixed
+- PB-39512 Fix during metadata upgrade process, the resource_type_id field is now updated in the database
+- PB-39399 Adds missing fields to metadata private keys in index response
+- PB-39393 Fix limit value is null in pagination header response for rotate & upgrade endpoints
+- PB-38770 Fix email subject for delete resource email when resource is v
+- PB-38791 Fix 500 error on the duo MFA setup & verify page when duo service is unavailable
+- PB-38771 Fix unable to expire the metadata key due to expired datetime format
+
+### Maintenance
+- PB-39629 Set next minimum PHP version to 8.2 as passbolt v5 will not support lower PHP versions
+
+## [4.12.0-test.1] - 2025-03-05
+### Added
+- PB-39395 As an administrator I can contain permissions when upgrading folders to v5 format
+- PB-39394 As an administrator I can contain permissions when upgrading resources to v5 format
+- PB-38850 As an administrator I cannot rotate entities while two metadata keys are active
+- PB-37699 As an administrator I can upgrade folders to v5 format
+- PB-37363 As an administrator I can rotate metadata keys encrypting folders metadata
+- PB-36582 As an administrator I cannot reuse a previously deleted metadata key
+
+### Fixed
+- PB-39512 Fix during metadata upgrade process, the resource_type_id field is now updated in the database
+- PB-39399 Adds missing fields to metadata private keys in index response
+- PB-39393 Fix limit value is null in pagination header response for rotate & upgrade endpoints
+- PB-38770 Fix email subject for delete resource email when resource is v
+- PB-38791 Fix 500 error on the duo MFA setup & verify page when duo service is unavailable
+- PB-38771 Fix unable to expire the metadata key due to expired datetime format
+
 ## [4.11.1] - 2025-02-17
 ### Security
 - PB-39045 Fix empty fullBaseUrl leading to Host header injection attack

RELEASE_NOTES.md

@@ -1,9 +1,31 @@
-Release song: https://youtu.be/U16Xg_rQZkA?si=cVcmovGWluuo8oYj
+Release song: https://www.youtube.com/watch?v=pBZs_Py-1_0
 
-Passbolt is pleased to announce the immediate availability of version v4.11.1. This version is a targeted security release of the API focusing on fixing the security issue reported by a security researcher.
+Passbolt v4.12.0 introduces the final update in the version 4 series. This release completes the groundwork for version 5 and allows integrators to test the migration directly from the UI ahead of the stable release.
 
-We would like to express our appreciation to the community for their assistance in making Passbolt more secure. Further details can be found in [the incident report](https://www.passbolt.com/incidents/host-header-injection-vulnerability).
+As always, this version also addresses community-reported issues, including fixes for UI inconsistencies and multi-selection shortcuts that were not working across all environments.
 
-## [4.11.1] - 2025-02-17
-### Security
-- PB-39045 Fix empty fullBaseUrl leading to Host header injection attack
+As a final update of the v4 series, system administrators are invited to upgrade their version of PHP to meet Passbolt v5’s minimum requirements: PHP 8.2. We posted a guide in our Weblog to help you with the process:
+[Preparing for Passbolt v5: PHP 8.2 Requirement](https://www.passbolt.com/blog/preparing-for-passbolt-v5-php-8-2-requirement).
+
+Thank you to the community for your feedback and patience — we’re almost there!
+
+
+## [4.12.0] - 2025-03-12
+### Added
+- PB-39395 As an administrator I can contain permissions when upgrading folders to v5 format
+- PB-39394 As an administrator I can contain permissions when upgrading resources to v5 format
+- PB-38850 As an administrator I cannot rotate entities while two metadata keys are active
+- PB-37699 As an administrator I can upgrade folders to v5 format
+- PB-37363 As an administrator I can rotate metadata keys encrypting folders metadata
+- PB-36582 As an administrator I cannot reuse a previously deleted metadata key
+
+### Fixed
+- PB-39512 Fix during metadata upgrade process, the resource_type_id field is now updated in the database
+- PB-39399 Adds missing fields to metadata private keys in index response
+- PB-39393 Fix limit value is null in pagination header response for rotate & upgrade endpoints
+- PB-38770 Fix email subject for delete resource email when resource is v5
+- PB-38791 Fix 500 error on the duo MFA setup & verify page when duo service is unavailable
+- PB-38771 Fix unable to expire the metadata key due to expired datetime format
+
+### Maintenance
+- PB-39629 Set next minimum PHP version to 8.2 as passbolt v5 will not support lower PHP versions

config/version.php

@@ -1,11 +1,11 @@
 <?php
 return [
     'passbolt' => [
-        'version' => '4.11.1',
-        'name' => 'Rebel Rebel',
+        'version' => '4.12.0',
+        'name' => 'Rusty Cage',
     ],
     'php' => [
         'minVersion' => '7.4',
-        'nextMinVersion' => '8.1',
+        'nextMinVersion' => '8.2',
     ],
 ];

package-lock.json

@@ -24,7 +24,7 @@
     "jquery": "^3.5.1",
     "lockfile-lint": "^4.14.0",
     "openpgp": "^5.11.1",
-    "passbolt-styleguide": "^4.11.0"
+    "passbolt-styleguide": "^4.12.0"
   },
   "scripts": {
     "lint": "npm run lint:lockfile",

package.json

@@ -29,6 +29,7 @@
 use Passbolt\Metadata\Model\Rule\IsFolderV5ToV4DowngradeAllowedRule;
 use Passbolt\Metadata\Model\Rule\IsMetadataKeyTypeAllowedBySettingsRule;
 use Passbolt\Metadata\Model\Rule\IsMetadataKeyTypeSharedOnSharedItemRule;
+use Passbolt\Metadata\Model\Rule\IsSharedMetadataKeyUniqueActiveRule;
 use Passbolt\Metadata\Model\Rule\IsV4ToV5UpgradeAllowedRule;
 use Passbolt\Metadata\Model\Rule\IsValidEncryptedMetadataRule;
 use Passbolt\Metadata\Model\Rule\MetadataKeyIdExistsInRule;
@@ -127,6 +128,9 @@ public function initialize(array $config): void
                 'FoldersRelations.foreign_model' => 'Resource',
             ],
         ]);
+        $this->belongsTo('MetadataKeys', [
+            'className' => 'Passbolt/Metadata.MetadataKeys',
+        ]);
     }
 
     /**
@@ -259,9 +263,14 @@ public function buildRulesV5(RulesChecker $rules): RulesChecker
             'message' => __('The metadata key is marked as expired.'),
         ]);
 
+        $rules->add(new IsSharedMetadataKeyUniqueActiveRule(), 'isSharedMetadataKeyUniqueActive', [
+            'errorField' => 'metadata_key_id',
+            'message' => __('The shared metadata key should be unique.'),
+        ]);
+
         $rules->add(new IsValidEncryptedMetadataRule(), 'isValidEncryptedMetadata', [
             'errorField' => 'metadata',
-            'message' => __('The resource metadata provided can not be decrypted.'),
+            'message' => __('The folder metadata provided cannot be decrypted.'),
         ]);
 
         $rules->addUpdate(

plugins/PassboltCe/Folders/src/Model/Table/FoldersTable.php

@@ -21,11 +21,13 @@
 use App\Model\Table\PermissionsTable;
 use App\Model\Traits\Query\CaseInsensitiveSearchQueryTrait;
 use Cake\Database\Expression\IdentifierExpression;
+use Cake\Database\Expression\QueryExpression;
 use Cake\ORM\Query;
 use Cake\Validation\Validation;
 use InvalidArgumentException;
 use Passbolt\Folders\Model\Behavior\FolderizableBehavior;
 use Passbolt\Folders\Model\Entity\Folder;
+use Passbolt\Metadata\Model\Entity\MetadataKey;
 
 /**
  * Trait FoldersFindersTrait
@@ -154,6 +156,28 @@ public function findIndex(string $userId, ?array $options = [])
         return $query;
     }
 
+    /**
+     * Returns all folders with expired metadata key.
+     *
+     * @return \Cake\ORM\Query
+     */
+    public function findMetadataRotateKeyIndex(): Query
+    {
+        $query = $this->find();
+
+        return $query
+            ->where([
+                'Folders.metadata_key_type' => MetadataKey::TYPE_SHARED_KEY,
+                $query->newExpr()->isNotNull('Folders.metadata'),
+                $query->newExpr()->isNotNull('Folders.metadata_key_id'),
+            ])
+            ->innerJoin(['MetadataKeys' => 'metadata_keys'], [
+                'MetadataKeys.id' => new IdentifierExpression('Folders.metadata_key_id'),
+                $query->newExpr()->isNotNull('MetadataKeys.expired'),
+            ])
+            ->disableHydration();
+    }
+
     /**
      * Build the query that fetches data for folders view
      *
@@ -259,4 +283,68 @@ public function filterQueryByParentIds(Query $query, array $parentIds): Query
             return $q->where(['OR' => $conditions]);
         });
     }
+
+    /**
+     * Returns all resources in v4 format that need to be upgraded.
+     *
+     * @param array $options query options
+     * @return \Cake\ORM\Query
+     */
+    public function findMetadataUpgradeIndex(array $options): Query
+    {
+        $query = $this->find('v4')->disableHydration();
+
+        $containPermissions = (bool)($options['contain']['permissions'] ?? false);
+        if ($containPermissions) {
+            $query->contain('Permissions');
+        }
+
+        if (!isset($options['filter']['is-shared'])) {
+            return $query;
+        }
+
+        $isShared = $options['filter']['is-shared'];
+        $groupPermissionsCount = $this->Permissions->find()
+            ->select(['permissions_on_groups' => 'COUNT(*)'])
+            ->where([
+                'Permissions.aco_foreign_key' => $query->identifier('Folders.id'),
+                'Permissions.aco' => PermissionsTable::FOLDER_ACO,
+                'Permissions.aro' => PermissionsTable::GROUP_ARO,
+            ]);
+        $userPermissionsCount = $this->Permissions->find()
+            ->select(['permissions_on_users' => 'COUNT(*)'])
+            ->where([
+                'Permissions.aco_foreign_key' => $query->identifier('Folders.id'),
+                'Permissions.aco' => PermissionsTable::FOLDER_ACO,
+                'Permissions.aro' => PermissionsTable::USER_ARO,
+            ]);
+        if ($isShared === true) {
+            // Is shared if at least one permission is a group permission
+            // OR if at least two permissions are user permissions
+            $query->where(function (QueryExpression $exp) use ($groupPermissionsCount, $userPermissionsCount) {
+                return $exp->or(function (QueryExpression $or) use ($groupPermissionsCount, $userPermissionsCount) {
+                    return $or->gte($userPermissionsCount, 2)->gte($groupPermissionsCount, 1);
+                });
+            });
+        } elseif ($isShared === false) {
+            // Is not shared if no permission is a group permission
+            // AND the only permission is a user permission
+            $query->where(function (QueryExpression $exp) use ($groupPermissionsCount, $userPermissionsCount) {
+                return $exp->eq($groupPermissionsCount, 0)->eq($userPermissionsCount, 1);
+            });
+        }
+
+        return $query;
+    }
+
+    /**
+     * @param \Cake\ORM\Query $query Query
+     * @return \Cake\ORM\Query
+     */
+    public function findV4(Query $query): Query
+    {
+        return $query->where([
+            $query->newExpr()->isNull('Folders.metadata'),
+        ]);
+    }
 }

plugins/PassboltCe/Folders/src/Model/Traits/Folders/FoldersFindersTrait.php

@@ -34,6 +34,7 @@
  * @method \Passbolt\Folders\Model\Entity\Folder getEntity()
  * @method \Passbolt\Folders\Model\Entity\Folder[] getEntities()
  * @method static \Passbolt\Folders\Model\Entity\Folder get($primaryKey, array $options = [])
+ * @method static \Passbolt\Folders\Model\Entity\Folder firstOrFail($conditions = null)()
  */
 class FolderFactory extends CakephpBaseFactory
 {

plugins/PassboltCe/Folders/tests/Factory/FolderFactory.php

@@ -101,6 +101,20 @@
                 ['prefix' => 'Upgrade', 'controller' => 'MetadataUpgradeResourcesPost', 'action' => 'post']
             )
             ->setMethods(['POST']);
+
+        $routes
+            ->connect(
+                '/folders',
+                ['prefix' => 'Upgrade', 'controller' => 'MetadataUpgradeFoldersIndex', 'action' => 'index']
+            )
+            ->setMethods(['GET']);
+
+        $routes
+            ->connect(
+                '/folders',
+                ['prefix' => 'Upgrade', 'controller' => 'MetadataUpgradeFoldersPost', 'action' => 'post']
+            )
+            ->setMethods(['POST']);
     });
 
     /**
@@ -122,5 +136,19 @@
                 ['prefix' => 'RotateKey', 'controller' => 'MetadataRotateKeyResourcesPost', 'action' => 'post']
             )
             ->setMethods(['POST']);
+
+        $routes
+            ->connect(
+                '/folders',
+                ['prefix' => 'RotateKey', 'controller' => 'MetadataRotateKeyFoldersIndex', 'action' => 'index']
+            )
+            ->setMethods(['GET']);
+
+        $routes
+            ->connect(
+                '/folders',
+                ['prefix' => 'RotateKey', 'controller' => 'MetadataRotateKeyFoldersPost', 'action' => 'post']
+            )
+            ->setMethods(['POST']);
     });
 });