diff --git a/README.rst b/README.rst index c187308..d5ede91 100644 --- a/README.rst +++ b/README.rst @@ -27,6 +27,14 @@ Sync with product development Generate the documentation source and template from the product repository:: cd chevah-server - ./brink.sh documentation_integrated - cp -r build-server/docs_source ../sftpplus-docs/ - cp -r build-server/lib/python/site-packages/sftpplus_website/sphinx ../sftpplus-docs/ + ./brink.sh documentation_website + cp -r build-server/doc_source ../sftpplus-docs/ + cp -r build-server/lib/python2/7/site-packages/sftpplus_website/sphinx ../sftpplus-docs/ + +Copy any source file documented via API docs to `doc_source/chevah`. + +Update doc_source/conf.py to load local theme files:: + + templates_path = ['../sphinx'] + html_static_path = ['_static'] + html_theme_path = ['../sphinx'] diff --git a/doc_source/conf.py b/doc_source/conf.py index 80124c5..36d422a 100644 --- a/doc_source/conf.py +++ b/doc_source/conf.py @@ -3,6 +3,7 @@ extensions = [ 'sphinx.ext.intersphinx', + 'sphinx.ext.autodoc', ] suppress_warnings = ['toc.secnum'] source_suffix = '.rst' @@ -19,24 +20,24 @@ html_static_path = ['_static'] html_theme_path = ['../sphinx'] html_theme = 'integrated' -project = "SFTPPlus MFT" +project = "SFTPPlus" copyright = "ProAtria Team" html_context = { - 'robots': 'all', + 'robots': 'noindex, nofollow', 'canonical_site': 'https://www.sftpplus.com/documentation/sftpplus/latest/', } -version = "4.16.0" -release = "4.16.0" +version = "4.17.0" +release = "4.17.0" autodoc_default_flags = ['members'] primary_domain = 'py' pdf_documents = [( 'index', - u'SFTPPlus-4.16.0', + u'SFTPPlus-4.18.0.dev0', u'SFTPPlus Documentation', u'ProAtria Team', )] diff --git a/doc_source/configuration/administrators.rst b/doc_source/configuration/administrators.rst index 33e1829..6b42d13 100644 --- a/doc_source/configuration/administrators.rst +++ b/doc_source/configuration/administrators.rst 
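Review bot: Adding `'sphinx.ext.autodoc'` to `extensions` in doc_source/conf.py means the documentation build now imports the modules it documents, so any import-time code in the files copied to `doc_source/chevah` (per the README change) runs on the build host. Nothing in the hunk records that, and a short comment next to the entry would help, for example `# autodoc imports the documented modules at build time; build only from reviewed sources.` If the build runs in CI with publishing credentials, it is worth checking that the copied sources come from the same trusted repository revision as the rest of the docs.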
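Review bot: The PDF name in `pdf_documents` becomes `u'SFTPPlus-4.18.0.dev0'` while `version` and `release` in the same hunk of doc_source/conf.py are set to `"4.17.0"`, so the generated PDF would be labelled with a development version that does not match the documented release. If that is not intended, use `u'SFTPPlus-4.17.0'`, or derive the name from `release` (e.g. `u'SFTPPlus-%s' % release`) so the values cannot drift apart. The `'robots': 'noindex, nofollow'` change also has no explanation. If the intent is to keep search engines on the `canonical_site` copy, a one-line comment saying so would stop it being reverted by mistake.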
@@ -134,11 +134,8 @@ enabled :Description: This option specifies whether or not this role is disabled. - When a role is disabled, the authentication is denied to all - administrators having the disabled role as the primary one. - - If a disabled role is not the primary one, its configuration - is ignored. + When a role is disabled, authentication is denied to all + administrators associated with the disabled role. name @@ -195,9 +192,6 @@ permissions This defines the permissions available to administrators associated to this role. - If the role is disabled, its permissions are not applied to an - administrator associated with it. - When this option is empty, the role has full access. The option is defined as a list of one or more definitions of permissions, diff --git a/doc_source/events/events.rst b/doc_source/events/events.rst index 9d35056..955acb3 100644 --- a/doc_source/events/events.rst +++ b/doc_source/events/events.rst @@ -18326,7 +18326,7 @@ HTTP/HTTPS protocol :Message: HTTP/HTTPS connection closed on the client-side to %(hostname)s. Session fully established: %(session_established)s -:Groups: http, session, informational, client-side +:Groups: informational, authenticated, http, client-side :From version: 3.27.0 :To version: None :Description: None @@ -18351,7 +18351,7 @@ HTTP/HTTPS protocol :Message: HTTP/HTTPS connection created on the client-side as %(hostname)s. Server certificate: %(certificate)s. Used encryption: %(encryption)s. -:Groups: http, session, informational, client-side +:Groups: informational, authenticated, http, client-side :From version: 3.27.0 :To version: None :Description: None diff --git a/doc_source/guides/ldap.rst b/doc_source/guides/ldap.rst index 9c9b729..bd8a304 100644 --- a/doc_source/guides/ldap.rst +++ b/doc_source/guides/ldap.rst 
@@ -163,9 +163,15 @@ An FTP authentication session using the UPN as username looks like:: Name: john.doe@ad.example.com Password: ***** -With this method, only usernames in UPN format (user@sub.domain.com) -are supported. -Down-Level Logon Name (USER\DOMAIN) is not supported. +Down-Level Logon Name / Security Account Manager (SAM) names are also supported, +as long as the domain is separated using a backslash. +Authentications should employ usernames in the format `DOMAIN\USER` or `USER`. +Configuration is done via the sAMAccountName LDAP attribute, for example:: + + [authentications/f691a41b-0eca-4135-8369-5b9f2600ebd6] + bind_dn_type = direct-username + bind_dn = cn=Users,dc=ad,dc=example,dc=com + username_attribute = sAMAccountName .. warning:: The Active Directory user logon name can be found inside the diff --git a/doc_source/known-issues.rst b/doc_source/known-issues.rst index 84cb24a..65ffcb2 100644 --- a/doc_source/known-issues.rst +++ b/doc_source/known-issues.rst @@ -4,19 +4,12 @@ Known Issues This is the list of known issues for the current release of SFTPPlus. -* [#1054] No support for non-ASCII characters in the server's installation - path. +* [#3787] No support for non-ASCII characters in the server's installation + path, on the Windows operating system. In order to ensure correct operation of SFTPPlus, please avoid using special Unicode characters in the installation folder path. -* [#1245] Events logged in Windows Event Logger are listed without - a specific Windows description. - - Events logged in Windows Event Logger are listed without a human - friendly Windows description. - Nevertheless, the data exported as XML is detailed and complete. - * Copying a Local Manager URL from within an authenticated session and pasting it in an unauthenticated session will prompt for the login page. After a successful authentication, the new session will redirect to the 
@@ -35,66 +28,18 @@ This is the list of known issues for the current release of SFTPPlus. The server itself and all systems with which it interacts should use ASCII domain names. -* [#1400] When the server fails to start, it will only emit the general log - event `20002` to signal that the server is stopping, without sending dedicated - `20078` events for each service that was initially started. - Service stop events are still emitted when a service is stopped at running - time from the Local Manager or when the server is stopped in a normal way. - -* [#1470] The Local Manager will not warn when adding multiple services, - accounts, and groups with the same name. - No error is generated because internally the server uses UUIDs for addressing - these items. - -* [#1588] On service start/stop the audit - entries for these actions have no field mentioning the administrator - requesting the action. - -* [#1787] HTTP Post Request log handlers accept HTTPS URLs, but do not - validate the SSL connection. - -* [#1935] In the HTTP/HTTPS file service, actions can only be triggered by - explicitly clicking on buttons. - Actions cannot be triggered using the 'Enter' keyboard key. - * [#1946] On Windows systems, the installation will not generate an install log file when running in silent mode. * [#2057] SFTP symbolic links on Windows systems only work when using absolute paths. -* When the server does not have write permissions to the configuration file and - an administrator applies changes from the Local Manager, changes are applied, - but they do not persist in the configuration. - If you fix the permissions while the server is still running, there is no - option to force a new save to the configuration file, other than making - another change and applying it. - Then, all previous changes will also be saved. - -* [#2134] On Linux, SFTPPlus cannot detect if the OpenSSL libraries provided by - the operating system support TLS 1.0 or TLS 1.1. 
- If you configure one of them on an OS with no support, - the configured service will start and any connections will fail. - * [#2383] On Windows systems, `execute_before`, `execute_after_success`, and `execute_after_failure` cannot be configured with a path containing space characters. Also, when any `execute_*` action is called for files containing non-ASCII characters, the passed file names are corrupted. -* [#2547] When a password is used to import a private key which is not - password-protected, the Local Manager will still inform you that the key - is password-protected. - -* [#94] FTP session reinitialization command (`REIN`) is not yet implemented. - -* [#1160] FTP zlib compression command `MODE Z` is not yet implemented. - -* [#1161] FTP cyclic redundancy check using the CRC-32 algorithm `XCRC` is not - yet implemented. - -* [#2357] FTP unique store command (`STOU`) is not yet implemented. - * [#3294] When the file was successfully transferred but failed to be removed from the source location, the transfer is considered failed but source file is archived as a success. 
@@ -201,33 +146,12 @@ This is the list of known issues for the current release of SFTPPlus. If changing timezone on a system running SFTPPlus you need to restart SFTPPlus in order to apply the changes. -* Updated file transfer debug configuration is applied on new connections. - You will need to disconnect and reconnect to see the - debug configuration applied for your session. - Note that when using a web browser, the HTTP connections are persisted. - You will need to close the tab or the browser to force a disconnection. - -* [#5531] Private password-protected ECDSA / Ed25519 keys are not supported - yet. - -* [#5582] When the OS authentication method is configured with `group-name` or +* [#5239] When the OS authentication method is configured with `group-name` or `group-name-with-default` the allowed source IP configuration and SSH public keys configuration are extracted from the default group. -* [#5586] SCP file transfer protocol doesn't support transfers for files with - quotes in the path or filename. - This issue doesn't affect the SFTP protocol. - -* [#5598] When a transfer is configured to copy/move a file a destination - using a temporary name and the content of the file is copied to destination - but the rename operation fails, the transfer will fail, but the log will - show the file as succeeded. - -* [#5606] The WebDAVS protocol is not supported by the `client-shell` command - line tool. - -* [#5621] The LDAPS authentication only works with IPv4. +* [#5189] The LDAPS authentication only works with IPv4. Only LDAP authentication is supported for IPv6 address literals. -* [#5672] SMB/Windows Shares authenticated via Kerberos Domain method are not +* [#5115] SMB/Windows Shares authenticated via Kerberos Domain method are not yet supported. NTLM authentication is supported. diff --git a/doc_source/operation/http.rst b/doc_source/operation/http.rst index b2fb08f..eae3c91 100644 --- a/doc_source/operation/http.rst +++ b/doc_source/operation/http.rst 
@@ -78,7 +78,7 @@ Latest versions of SFTPPlus include an updated web user interface that for added functionality convenience are using web browser capabilities only available in latest generation web browsers. -For legacy purpose or to avoid disrupting existing web UI file transfer +For legacy purposes or to avoid disrupting existing web UI file transfer processes, you can configure the HTTP web file manager to use an older version of the user interface:: diff --git a/doc_source/release-notes.rst b/doc_source/release-notes.rst index 5d252a1..d1ab6f8 100644 --- a/doc_source/release-notes.rst +++ b/doc_source/release-notes.rst 
@@ -7,6 +7,57 @@ number (not by release date). .. release-notes-start +Version 4.17.0, 2022-03-18 +-------------------------- + +Version 4.17.0rc1 was released on 2022-02-28 as a release candidate. + + +New Features +^^^^^^^^^^^^ + +* The Local Manager UI for selecting multiple component identifiers was updated + to allow selecting from a list of names. Copy-pasting identifiers is + no longer needed. [manager] [#5559] +* The file browser for HTTP(s) clients has an updated UI which is enabled by + default for all new installations. Existing installations continue to use + the old UI, but you can manually update them to show the new UI by changing + the `ui_version = ui-gen-2` configuration option. [server-side][http] [#5563] +* The LDAP authentication method now supports Security Account Manager (SAM) + usernames when connecting to an Active Directory LDAP server. This is done + using the sAMAccountName username attribute. [server-side][ldap][ad] [#5575] + + +Defect Fixes +^^^^^^^^^^^^ + +* The AS2 server can now receive encrypted files. In previous versions, the AS2 + server was only able to receive non-encrypted AS2 files. [server-side][as2] + [#5499-1] +* The user interface for configuring the AS2 MDN receipt for a location was + fixed to describe the methods as "Synchronous". In previous versions, the + description was "Asynchronous", but the configuration was always set as + synchronous. [manager][as2] [#5499] +* An administrator now fails to be authenticated when + configured with a missing role. [manager] [#5573] +* When sending files over AS2, SFTPPlus now encodes their names using + MIME encoding. + In previous versions, filenames were encoded using only UTF-8. + [client-side][as2] [#5499] +* SFTPPlus can now receive AS2 files with Unicode names encoded using the + RFC 2047 or RFC 2231 standards. 
+ [server-side][as2] [#5499] + + +Deprecations and Removals +^^^^^^^^^^^^^^^^^^^^^^^^^ + +* The authentication for an administrator fails if any of the roles associated + with the admin is disabled. This is a change from the previous version 4.16.0, + where the authentication was denied only for the first (primary) + associated role of an administrator. [manager] [#5573] + + Version 4.16.0, 2022-02-10 -------------------------- diff --git a/doc_source/standards/cryptography.rst b/doc_source/standards/cryptography.rst index dbe8ed8..3f53db8 100644 --- a/doc_source/standards/cryptography.rst +++ b/doc_source/standards/cryptography.rst @@ -55,7 +55,7 @@ This list provides maximum compatibility with existing deployments and does not contain ciphers which are considered weak. SFTPPlus uses the OpenSSL library provided by the operating system, -with some exceptions, most notably Windows and generic Linux. +with some exceptions, most notably Windows, macOS, AIX, and generic Linux. The OpenSSL version included in your operating system might not provide all the ciphers which are required by older SSL/TLS versions of the standard. This is valid especially for cryptographic methods which in recent years were @@ -114,10 +114,15 @@ On macOS, SFTPPlus uses embedded OpenSSL 1.1.1 libraries. Please keep your SFTPPlus deployments on macOS always updated, to benefit from upstream security updates for the bundled OpenSSL libraries. +The AIX version of SFTPPlus uses embedded OpenSSL 1.0.2 libraries, +patched with latest security updates beyond the publicly-available fixes. +Please keep your SFTPPlus deployments on AIX always updated, to benefit +from upstream security updates for the bundled OpenSSL libraries. + The above list is not comprehensive and comes with no guarantee. Please check with support@proatria.com for further info. -Last updated for release 4.11.0 on April 6, 2021. +Last updated for release 4.17.0 on February 22, 2022. File formats 
diff --git a/doc_source/versions.js b/doc_source/versions.js index c3ef2d8..9f18dc4 100644 --- a/doc_source/versions.js +++ b/doc_source/versions.js @@ -8,6 +8,7 @@ // pavement.py:release_notes // let SFTPPLUS_RELEASED_VERSIONS = [ + '4.17.0', '4.16.0', '4.15.0', '4.14.0',