Providing a user or user group backend in configuration.php
now triggers a deprecation or warning. They are expected to
be announced in run.php, just like hooks. Authentication
attempts during a configuration.php run, while Authentication
has not been performed yet, will be also suspended now.
This ensures that the current behavior, being broken or
working, stays the same.
refs #5265
So that authentication can suspend it. There are cases,
e.g. cube, where authentication is required in run.php.
During bootstrapping loading modules is mostly required
to load libraries, register routes and hooks. Most of the
time authentication is not required for these, but if
it is, evaluation is now interrupted and continued
after authentication has actually been performed.
I don't see a real risk for any breaking change here,
since authentication happens shortly after. It actually
avoids a breaking change, since without this, cube's
Icinga DB support would break or at least malfunction.
And cube is only a single example.
refs #5265
Since authentication is now performed even for static
resources, there's no reason anymore to support implicit
authentication. This also limits authentication attempts
to a single one, previously failed attempts were repeated.
Requiring authentication during bootstrapping, i.e. before
authentication has been performed, will now throw an error.
refs #5265
It is nowadays no exception that stylesheet may be dependent
on who's using the app. So to avoid race conditions like
in #5385 authentication is an explicit step during bootstrap
now.
fixes#5385
Because the in-tree Less visitor requires `wikimedia/less.php`, that
dependency has to live in `icinga-php-thirdparty`. `icinga-php-library`
already carries Less-related code with the same dependency, so this PR
consolidates everything into `icinga-php-library` and removes the
duplicate in-tree implementation.
- Remove the in-tree `Icinga\Less\` visitor layer in favor of the shared
`ipl\Web\Less` library, which maintains modernized equivalent CSS var
replacement and light-mode functionality.
- Strip unused variable-export support from `LessCompiler`. The feature
was never used by any our modules or community modules.
- Update `LessCompiler` to delegate to `ipl\Web\Less`, assembling
sources via `@import (less)` directives; pass the `$minify` flag
directly to `render()` instead of via a separate `compress()` call.
- Modernize `LessCompiler` with PHP type declarations, short array
syntax, and tightened PHPDoc.
Here is the test summary:
The stylesheets are nearly identical. Most changes are normalization
noise introduced by the new version of the wikimedia Less parser:
- Decimal canonicalization: `.5` → `0.5`, `2.0em` → `2em`
- Hex color shortening: `#dddddd` → `#ddd`
- Hex color case kept as is: `#535353` → `#535353`, `#c4c4c4` → `#c4c4c4`
- `calc()` math preserved: `calc(14.28571429%)` → `calc(100% / 7)`
Starting with Less.php 5.0, arithmetic is no longer evaluated inside
`calc()`. This required changing one occurrence in our Less files
directly; no other changes were necessary, and no known publicly
available Icinga Web module is affected by similar changes in this
regard.
There is one functional difference: the light-mode background color
gains an extra level of indirection via a new CSS var call (because it
uses `@light-body-bg-color`):
```diff
- --body-bg-color: #f5f9fa;
+ --body-bg-color: var(--light-body-bg-color, #f5f9fa);
```
The new CSS var replacement visitor from `ipl\Web` runs independently
from the light mode call visitor, and therefore also adds var overrides
to such detached rulesets. Everything else is normalization noise.
Previously, `addLessFile` and `addModuleLessFile` called `realpath()` but
skipped the readability check, silently appending `false` when a path did
not resolve. `setTheme` and `setThemeMode` checked readability but stored
the unresolved path and swallowed errors via `Logger::error`.
`resolveReadableFile()` centralizes both steps: it calls `realpath()` and
verifies the result is a readable file, throwing a `RuntimeException` on
failure so no invalid path can be registered silently.
Starting with Less.php version 5.0, arithmetic is no longer evaluated
inside `calc()` the way this code relied on[^1]. Compute the division in
a Less variable first, then use that value in `calc()` and drop the
unnecessary escaping.
[^1]: https://gerrit.wikimedia.org/r/c/mediawiki/libs/less.php/+/1049149
Add missing PHP type declarations to properties and methods, replace long-form
`array()` syntax with short `[]` syntax, tighten PHPDoc comments, and correct
"LESS" to "Less".
Replace the in-tree `Icinga\Less\` visitor layer with its equivalents
from `ipl\Web\Less`, where the same color-variable and light-mode
functionality is maintained as a shared library.
`LessCompiler` is updated to delegate to `WikimediaLessCompiler`,
assembling source via `@import (less)` directives and accepting a
`$minify` flag directly on `render()` rather than through a separate
`compress()` call.
This reverts commit 7c58b3ced1.
Remove variable exports as they were never used in our modules or community
modules, and using this feature is discouraged.
The `monitoring` module was removed in v2.13.0 and its references
remained in the docs. Remove these references and replace them with
`icingadb` where appropriate.
Relicense Icinga Web to GPL-3.0 and add SPDX license headers to source
files:
- Replace the old license file with LICENSE.md (GPL-3.0)
- Update license references in documentation (where applicable)
- Add SPDX headers to source files
- Mark source files as GPL-3.0-or-later
To ensure compatibility with third-party dependencies under licenses
incompatible with GPL-2.0-only (such as Apache-2.0), Icinga Web and its
module ecosystem are being relicensed to GPL-3.0-only.
Source files are labeled GPL-3.0-or-later to preserve the option to
relicense under later GPL versions.
To ensure compatibility with third-party dependencies under
licenses incompatible with GPL-2.0-only (such as Apache-2.0),
Icinga Web and its module ecosystem are being relicensed to
GPL-3.0-only.
The `icinga-php-legacy` library is the successor to the standalone
`icingaweb2-module-incubator` module. Modules such as director and
vspheredb that still declare `incubator` as a dependency should load
without a separate incubator installation once `icinga-php-legacy` is
present.
`Module::getRequiredLibraries` now maps an `incubator` module
requirement to an `icinga-php-legacy` library requirement when that
library is available, and `getRequiredModules` drops `incubator` from
the list so the dependency check does not fail. `Manager::loadModule`
skips calling `register()` for the incubator module under the same
condition, folding that guard into the existing `ipl`/`reactbundle`
exclusion to avoid a double-registration.
https://github.com/Icinga/icinga-php-legacy replaces
https://github.com/Icinga/icingaweb2-module-incubator.
PHP 8.4:
- Change implicit nullable type declaration to explicit
- Only set `session.sid_bits_per_character` for PHP < 8.4
PHP 8.5:
- Remove no-op `ReflectionProperty::setAccessible()` calls
- Replace backtick operator with `shell_exec()`
- Avoid passing `null` as key in `array_key_exists()`
- Avoid passing `null` to non-nullable parameters in built-in functions
- Use `Pdo\Mysql` driver-specific constants
Other compatibility fixes:
- Avoid passing `null` as `ipl\Html` form element `$name`
- Use latest PHPUnit version
Remove errors no longer reported. Since PHP 7.x is no longer supported, remove
the 7.x baseline. It is now no longer necessary to have multiple baseline
files.
Replace deprecated `PDO::MYSQL_*` constant usage with the driver-specific
`Pdo\Mysql::ATTR_*` constants introduced in PHP 8.4.
This prepares the code for PHP 8.5, where accessing MySQL driver constants
through the generic `PDO` class is deprecated.
This change requires a compatibility shim on older PHP versions to provide
`Pdo\Mysql` for runtimes that do not expose the driver-specific class yet. The
shim is provided in `ipl-sql`. As a consequence, the required version of the
Icinga PHP library has been raised.
Forward compatibility fix: `ipl\Html` will introduce strict types, which
declares `$name` as string. Passing `null` will result in a `TypeError` once
strict types are enforced.
PHP 8.4 has deprecated `session.sid_bits_per_character` along with
`session.sid_length`, as part of a broader effort to standardize session ID
generation for improved security and interoperability.
