Mwdb-core

Latest version: v2.12.0

Page 2 of 6

2.9.0

This release includes huge database migrations made for query optimization, including a rewrite of the object permission tables. **Database backup is highly recommended before upgrade.**

There is also a long changelog ahead, so please read about the most important changes in the [What's changed](https://mwdb.readthedocs.io/en/latest/whats-changed.html#v2-9-0) section before upgrading.

**Major changes:**
- Huge improvements in the Web part, which include:
  - Beautified login/registration pages (https://github.com/CERT-Polska/mwdb-core/pull/726)
  - Usage of Vite and Rollup for building instead of Create React App and Webpack (741). If you have in-house plugins, read the [**What's changed**](https://mwdb.readthedocs.io/en/latest/whats-changed.html#important-change-changes-in-web-plugins-engine) section in the documentation.
  - Rewrite to TypeScript (https://github.com/CERT-Polska/mwdb-core/issues/807, kudos postrowinski!)
  - Closable error messages (https://github.com/CERT-Polska/mwdb-core/pull/763)
- Search should be much, much faster because of these changes:
  - Counting of all results before applying the actual query is optional and disabled by default, as it has a huge impact on performance (https://github.com/CERT-Polska/mwdb-core/pull/718)
  - When a user has the `access_all_objects` capability, exclusive object permissions are not even considered in the query (https://github.com/CERT-Polska/mwdb-core/pull/783). It also means that `access_all_objects` really gives access to all objects in the system (it's not "autosharing" of all added objects as before), so the `everything` group is effectively useless and is not created by default.
- Changes in shares representation, so it's clearer who the actual uploader of the sample is. It's better described [here](https://mwdb.readthedocs.io/en/latest/whats-changed.html#important-change-changes-in-sharing-model) (https://github.com/CERT-Polska/mwdb-core/pull/717)
- The `certpl/mwdb` Docker image uses gunicorn instead of uwsgi, as the uwsgi project was *mostly* abandoned (https://github.com/CERT-Polska/mwdb-core/pull/735)
- v2.9.0 comes with an additional small feature that enables you to ask your users for consent to share samples with 3rd party services (https://github.com/CERT-Polska/mwdb-core/pull/801)
- Karton is bumped to v5.1.0 and its producer shows in the `services` tab in Karton Dashboard
- Object listing endpoints accept a `count` parameter, so you can load them in chunks bigger than 10 (https://github.com/CERT-Polska/mwdb-core/pull/755)

**Minor changes and improvements:**

- Dedicated group is created for each OpenID Connect provider (https://github.com/CERT-Polska/mwdb-core/pull/668)
- ssdeep is replaced with pure-Python implementation - ppdeep (https://github.com/CERT-Polska/mwdb-core/pull/692)
- `sharing_objects` capability was renamed to `sharing_with_all` which better describes its real meaning (https://github.com/CERT-Polska/mwdb-core/pull/696)
- Backslashes are better handled in configuration search (https://github.com/CERT-Polska/mwdb-core/pull/690)
- Rich attributes: field can be rendered as search link using special `{{value}}` syntax (https://github.com/CERT-Polska/mwdb-core/pull/628)
- Sample preview downloads sample in obfuscated form (with negated bits) to not trigger EDR/AV solutions (https://github.com/CERT-Polska/mwdb-core/pull/721, thanks middleware99!)
- Added `access_uploader_info` capability to make users able to search for uploaders from the outside of our groups without giving powerful `sharing_with_all` capability (705)
- Rich preview in AttributeAddModal (https://github.com/CERT-Polska/mwdb-core/pull/724)
- Handle 'misc:' as a proper tag (https://github.com/CERT-Polska/mwdb-core/pull/742, thanks jasperla!)
- OAuth logout, so you can easily log yourself out from the OAuth provider, e.g. to switch accounts (https://github.com/CERT-Polska/mwdb-core/pull/732)
- Configurable upload size (https://github.com/CERT-Polska/mwdb-core/pull/756)
- Critical error in Web shows JS stack information (https://github.com/CERT-Polska/mwdb-core/pull/790)
- Capabilities can be changed also in User/Group view instead of only Access control page (https://github.com/CERT-Polska/mwdb-core/pull/770)
- User is warned in `Relations` tab when number of relations exceeds 1000 (https://github.com/CERT-Polska/mwdb-core/pull/791)
- `use_x_forwarded_for` option in configuration to respect `X-Forwarded-For` header, enabled by default in Docker images (https://github.com/CERT-Polska/mwdb-core/pull/845)

Bugfixes:
- `NetworkError` exceptions in Web are a bit better handled and they shouldn't crash whole application so often (https://github.com/CERT-Polska/mwdb-core/pull/846)
- OpenID Connect: fixed provider registration (https://github.com/CERT-Polska/mwdb-core/commit/4e015b66c522b517df1486227a0152f51216c8ce, thanks v-rzh!)

Special thanks to yankovs for tracking some regressions during development!

And finally, thanks to the development team that worked on this release: KWMORALE, Repumba, postrowinski, olivergav, nazywam.

Hopefully we'll be publishing stable releases a bit more often so the changelogs won't be that long :smiling_face_with_tear:

2.8.2

This release contains bugfixes related mostly to S3 object storage. Regressions were introduced by the migration from py-minio to the Boto3 AWS SDK, which apparently wasn't tested enough.

**Bugfixes**:
- Fix: Karton re-analysis was not possible when sample was stored on S3 (https://github.com/CERT-Polska/mwdb-core/pull/695)
- Fix: AWS IAM authentication doesn't work since v2.8.0 (https://github.com/CERT-Polska/mwdb-core/pull/704)
- Fix: Unable to delete objects with comments (https://github.com/CERT-Polska/mwdb-core/pull/702)

2.8.1

Bugfixes:

- Fixed attribute adding in Upload view (https://github.com/CERT-Polska/mwdb-core/pull/686)

2.8.0

This release includes huge database migrations made for query optimization, including a rewrite of the Object and Tag tables. **Database backup is highly recommended before upgrade**.

**New features and improvements**:

- Markdown/Mustache templates for rich rendering of attribute values (https://github.com/CERT-Polska/mwdb-core/pull/602)
- Optimized model to improve query time (https://github.com/CERT-Polska/mwdb-core/pull/661)
- Range queries are allowed in JSON-like fields (for attributes and configurations - https://github.com/CERT-Polska/mwdb-core/pull/666)
- Download file as encrypted zip with "infected" password (https://github.com/CERT-Polska/mwdb-core/pull/587)
- Bumped React Router to v6, queries in URI are no longer double-escaped (https://github.com/CERT-Polska/mwdb-core/pull/612)
- Bumped Karton to v5 (https://github.com/CERT-Polska/mwdb-core/pull/648)
- `sha1` is exposed in `/api/file` listing (https://github.com/CERT-Polska/mwdb-core/pull/683, thanks DISREL!)

**Bugfixes**:

- Fixed ISE 500 on legacy file download endpoint (https://github.com/CERT-Polska/mwdb-core/pull/589)
- Fixed ISE 500 when libmagic fails with MagicException (https://github.com/CERT-Polska/mwdb-core/pull/605)
- Fixed ISE 500 on user delete with stored quick queries (https://github.com/CERT-Polska/mwdb-core/pull/665)
- Fixed failed upload when duplicated tags are passed (https://github.com/CERT-Polska/mwdb-core/pull/594)
- Fixed wrong configuration template generated by `mwdb-core configure` (https://github.com/CERT-Polska/mwdb-core/pull/595)
- Web: Fixed pagination in group member settings (https://github.com/CERT-Polska/mwdb-core/pull/598)

Thanks jvoisin and JohnConnorRF for contributions!

2.7.0

**New features and improvements:**
- Refactored the mechanism that handles JWT tokens used for authorization (https://github.com/CERT-Polska/mwdb-core/pull/542, KWMORALE)
  It's recommended to rotate your API keys after upgrade because they use a slightly different format that is more compliant with [RFC7519](https://datatracker.ietf.org/doc/html/rfc7519). All previously generated API keys will be honored by further 2.x.x releases of MWDB Core.
- The API key token is shown only once, right after creation, for security reasons (https://github.com/CERT-Polska/mwdb-core/pull/524, KWMORALE)
- Repository name shown in navbar can be set directly in MWDB configuration (https://github.com/CERT-Polska/mwdb-core/pull/521, KWMORALE)
- Added new hooks for various MWDB actions that can be intercepted in plugins (https://github.com/CERT-Polska/mwdb-core/pull/513, wklimek)
- Added configurable rate limits for specific endpoints and methods (https://github.com/CERT-Polska/mwdb-core/pull/523, wklimek)
- Karton analysis association can be removed from object (https://github.com/CERT-Polska/mwdb-core/pull/533, wklimek)
- Added relative date-time ranges in search (https://github.com/CERT-Polska/mwdb-core/pull/555, wklimek)
- Added visual indicator for non-editable groups in Administration panel (https://github.com/CERT-Polska/mwdb-core/pull/519, wklimek)
- Extendable upload form (https://github.com/CERT-Polska/mwdb-core/pull/541, thanks yankovs!)

**Bugfixes:**
- Fixed exception handling for exceptions that happen out of request context (https://github.com/CERT-Polska/mwdb-core/pull/522)
- Fixed crash in web application when user clicks "Add" in Attributes box and no attributes are available to add (https://github.com/CERT-Polska/mwdb-core/pull/539, thanks chivay!)
- Removed too short limit of field length in OpenID Connect Provider configuration (https://github.com/CERT-Polska/mwdb-core/pull/552)
- Fixed ISE 500 caused by concurrent assign of Karton analysis on the same object (https://github.com/CERT-Polska/mwdb-core/pull/576)
- Fixed removal of a self-loop relationship, which caused removal of all permissions to the object (https://github.com/CERT-Polska/mwdb-core/pull/579)
- Various fixes in documentation

Special thanks to wklimek for all contributions and dd8917vk for catching a few regressions during development!

2.6.1

Not secure
Bugfix release that bumps Flask and Karton dependencies. In addition, we pin `itsdangerous==2.0.1` because the `2.1.0` release breaks installation of MWDB Core 2.6.0.

**Changes:**
- Pinned `itsdangerous` to 2.0.1
- Bumped versions of the following dependencies:
  - `karton-core` from 4.2.0 to 4.3.0
  - `Flask` from 1.1.2 to 2.0.2 and related dependencies to latest versions
  - `Werkzeug` from 1.0.1 to 2.0.3
  - `uwsgi` from 2.0.19.1 to 2.0.20

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.