Merge branch 'feature/PB-45554_52-Publish-production-API' into 'master'

PB-45554 Release v5.5.2

See merge request passbolt/passbolt-ce-api!443

Author: gmougenel

CHANGELOG.md

@@ -2,6 +2,14 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
+## [5.5.2] - 2025-09-29
+### Fixed
+- PB-45439 As an administrator I can edit the metadata key settings when not editing zero-knowledge mode
+
+## [5.5.2-test.1] - 2025-09-29
+### Fixed
+- PB-45439 As an administrator I can edit the metadata key settings when not editing zero-knowledge mode  when not editing zero-knowledge mode
+
 ## [5.5.0] - 2025-09-15
 ### Added
 - PB-44639 As an administrator, when updating metadata settings from friendly mode to zero knowledge, I should see the server key dropped in DB

RELEASE_NOTES.md

@@ -1,32 +1,9 @@
-Release song: https://youtu.be/L3Wo8jcNrkQ
+Release song: https://youtu.be/RyP8hGuyknA
 
-Passbolt 5.5.0 is a feature release introducing encrypted metadata in zero-knowledge mode and SCIM provisioning (beta) for automated user management.
+Passbolt 5.5.2 resolves an issue introduced in the previous version that affected the editing of encrypted metadata settings. Due to zero-knowledge mode being required in some conditions, administrators were unable to edit the metadata key settings. This has now been fixed, restoring the ability to customize these settings.
 
-## Encrypted Metadata Zero-Knowledge Mode
-
-This mode is designed for organizations that prioritize privacy over server-side auditability. In this setup, the server never has access to the shared metadata private key.
-
-* __Key distribution__: When a new user joins, the server does not distribute the metadata key.
-Administrators are notified by email and can review which users are missing the key in the __Users & Groups workspace__. Keys must then be shared manually.
-* __User experience__: Until the key is received, the user’s actions are limited. Operations that depend on metadata, such as sharing a resource, moving a private item into a shared folder or creating resources intended to be shared are blocked.
-* __Guidance in UI__: If a restricted action is attempted, the interface provides an explanation and steps to resolve the issue.
-
-More details are available in the dedicated [blog post](https://www.passbolt.com/blog/the-road-to-passbolt-v5-encrypted-metadata-and-other-core-security-changes-2) on encrypted metadata and zero-knowledge.
-
-Several bugs reported by the community have also been fixed. As always, thank you to everyone who took the time to file issues and suggest improvements. Checkout the changelog for more information.
-
-## [5.5.0] - 2025-09-15
-### Added
-- PB-44639 As an administrator, when updating metadata settings from friendly mode to zero knowledge, I should see the server key dropped in DB
-- PB-44756 Updates metadata keys settings endpoint to accept server metadata private key
-- PB-44752 Adds a new data check for existing resources v5 encrypted with hard or soft deleted shared metadata key
+We thank the community for reporting this issue!
 
+## [5.5.2] - 2025-09-29
 ### Fixed
-- PB-45060 Fixes custom fields json schema properties type
-- PB-45062 Fixes user_setup_complete.php template in LU folder instead of AD
-- PB-44760 Fixes health check "record not found in table organization_settings" issue (GITHUB #563)
-
-### Maintenance
-- PB-44915 Changes DDEV containers names and URLs from passbolt-ce-api to passbolt-api
-- PB-44813 Updates ddev config
-- PB-44772 Speeds up continuous integration by splitting pipelines in two distinct test suites
+- PB-45439 As an administrator I can edit the metadata key settings when not editing zero-knowledge mode

config/version.php

@@ -1,8 +1,8 @@
 <?php
 return [
     'passbolt' => [
-        'version' => '5.5.0',
-        'name' => "Katip Arzuhalim",
+        'version' => '5.5.2',
+        'name' => 'Hey Boy Hey Girl',
     ],
     'php' => [
         'minVersion' => '8.2',

plugins/PassboltCe/Metadata/src/Form/MetadataKeysSettingsForm.php

@@ -16,25 +16,12 @@
  */
 namespace Passbolt\Metadata\Form;
 
-use Cake\Event\EventManager;
 use Cake\Form\Form;
 use Cake\Form\Schema;
 use Cake\Validation\Validator;
 
 class MetadataKeysSettingsForm extends Form
 {
-    private string $mode;
-
-    /**
-     * @inheritDoc
-     */
-    public function __construct(string $mode = 'create', ?EventManager $eventManager = null)
-    {
-        parent::__construct($eventManager);
-
-        $this->mode = $mode;
-    }
-
     /**
      * Email configuration schema.
      *
@@ -64,23 +51,27 @@ public function validationDefault(Validator $validator): Validator
             ->boolean('zero_knowledge_key_share', __('The setting should be a valid boolean.'))
             ->requirePresence('zero_knowledge_key_share', true, __('The setting is required.'));
 
-        if ($this->mode === 'update') {
-            $onZeroKnowledgeDisabled = function ($context) {
-                return !$context['data']['zero_knowledge_key_share'];
-            };
-
-            $validator
-                ->requirePresence('metadata_private_keys', true, __('The metadata private keys is required.')) // phpcs:ignore;
-                ->notEmptyArray('metadata_private_keys', __('The metadata private keys should not be empty.'), $onZeroKnowledgeDisabled) // phpcs:ignore;
-                ->hasAtLeast('metadata_private_keys', 1, __('Need at least one metadata private key.'), $onZeroKnowledgeDisabled) // phpcs:ignore;
-                // TODO: Accept multiple metadata private keys?
-                ->hasAtMost('metadata_private_keys', 1, __('Need at least one metadata private key.'), $onZeroKnowledgeDisabled) // phpcs:ignore;
-                ->addNestedMany('metadata_private_keys', $this->getServerMetadataPrivateKeysValidator(), null, $onZeroKnowledgeDisabled); // phpcs:ignore;
-        }
-
         return $validator;
     }
 
+    /**
+     * Default validation rules + validation for metadata private keys
+     *
+     * @param \Cake\Validation\Validator $validator validator
+     * @return \Cake\Validation\Validator
+     */
+    public function validationWithMetadataPrivateKeys(Validator $validator): Validator
+    {
+        return $this
+            ->validationDefault($validator)
+            ->requirePresence('metadata_private_keys', true, __('The metadata private keys is required.')) // phpcs:ignore;
+            ->notEmptyArray('metadata_private_keys', __('The metadata private keys should not be empty.')) // phpcs:ignore;
+            ->hasAtLeast('metadata_private_keys', 1, __('Need at least one metadata private key.')) // phpcs:ignore;
+            // TODO: Accept multiple metadata private keys?
+            ->hasAtMost('metadata_private_keys', 1, __('Need at most one metadata private key.')) // phpcs:ignore;
+            ->addNestedMany('metadata_private_keys', $this->getServerMetadataPrivateKeysValidator()); // phpcs:ignore;
+    }
+
     /**
      * @return \Cake\Validation\Validator
      */

plugins/PassboltCe/Metadata/src/Service/MetadataKeysSettingsAssertService.php

@@ -26,14 +26,15 @@ class MetadataKeysSettingsAssertService
      * Validates the setting and return them
      *
      * @param array $data untrusted input
-     * @param string $mode Mode for form to know if settings are being created or modified.
+     * @param bool $validateWithMetadataPrivateKeys flag to know if metadata private key validation should be performed
      * @return \Passbolt\Metadata\Model\Dto\MetadataKeysSettingsDto dto
      * @throws \App\Error\Exception\FormValidationException if the data does not validate
      */
-    public function assert(array $data, string $mode = 'create'): MetadataKeysSettingsDto
+    public function assert(array $data, bool $validateWithMetadataPrivateKeys = false): MetadataKeysSettingsDto
     {
-        $form = new MetadataKeysSettingsForm($mode);
-        if (!$form->execute($data)) {
+        $form = new MetadataKeysSettingsForm();
+        $validate = $validateWithMetadataPrivateKeys ? 'withMetadataPrivateKeys' : 'default';
+        if (!$form->execute($data, compact('validate'))) {
             throw new FormValidationException(__('Could not validate the settings.'), $form);
         }
 

plugins/PassboltCe/Metadata/src/Service/MetadataKeysSettingsSetService.php

@@ -46,13 +46,11 @@ public function saveSettings(UserAccessControl $uac, array $data): MetadataKeysS
     {
         $uac->assertIsAdmin();
 
-        /** @var \App\Model\Table\OrganizationSettingsTable $orgSettingsTable */
-        $orgSettingsTable = $this->fetchTable('OrganizationSettings');
-        $mode = is_null($orgSettingsTable->getByProperty(MetadataKeysSettingsGetService::ORG_SETTING_PROPERTY)) ? 'create' : 'update'; // phpcs:ignore
+        $settingsInDB = MetadataKeysSettingsGetService::getSettings();
+        $isDisablingZeroKnowledge = $this->isDisablingZeroKnowledge($data, $settingsInDB);
+        $dto = (new MetadataKeysSettingsAssertService())->assert($data, $isDisablingZeroKnowledge);
 
-        $dto = (new MetadataKeysSettingsAssertService())->assert($data, $mode);
-
-        if ($mode == 'update' && $this->shouldCreateMetadataPrivateKey($dto, $data)) {
+        if ($isDisablingZeroKnowledge && $this->shouldCreateMetadataPrivateKey($dto, $data)) {
             $service = new MetadataPrivateKeysCreateService();
             foreach ($data['metadata_private_keys'] as $i => $key) {
                 try {
@@ -65,6 +63,8 @@ public function saveSettings(UserAccessControl $uac, array $data): MetadataKeysS
             }
         }
 
+        /** @var \App\Model\Table\OrganizationSettingsTable $orgSettingsTable */
+        $orgSettingsTable = $this->fetchTable('OrganizationSettings');
         $updatedEntity = $orgSettingsTable->createOrUpdateSetting(
             MetadataKeysSettingsGetService::ORG_SETTING_PROPERTY,
             $dto->toJson(),
@@ -117,4 +117,26 @@ private function shouldCreateMetadataPrivateKey(MetadataKeysSettingsDto $setting
 
         return false;
     }
+
+    /**
+     * When updating the settings, we want to know if the zero knowledge mode is being disabled.
+     * If so, metadata private keys will be requested in the payload at a later stage.
+     *
+     * @param array $data payload
+     * @param \Passbolt\Metadata\Model\Dto\MetadataKeysSettingsDto $organizationSetting DTO of the settings currently in DB
+     * @return bool
+     */
+    private function isDisablingZeroKnowledge(array $data, MetadataKeysSettingsDto $organizationSetting): bool
+    {
+        if ($organizationSetting->isUserFriendlyMode()) {
+            // The setting is already in user-friendly mode, potentially because falling back on the default settings
+            return false;
+        }
+        if (!isset($data['zero_knowledge_key_share'])) {
+            // If not set in payload, will fail validation at a later stage
+            return false;
+        }
+
+        return !$data['zero_knowledge_key_share'];
+    }
 }

plugins/PassboltCe/Metadata/tests/TestCase/Form/MetadataKeysSettingsFormTest.php

@@ -21,6 +21,7 @@
 use App\Test\Lib\Model\FormatValidationTrait;
 use App\Utility\UuidFactory;
 use Cake\Event\EventDispatcherTrait;
+use Cake\Validation\Validator;
 use Passbolt\Metadata\Form\MetadataKeysSettingsForm;
 use Passbolt\Metadata\Model\Dto\MetadataKeysSettingsDto;
 use Passbolt\Metadata\Service\Migration\MigrateAllV4ToV5ServiceCollector;
@@ -111,8 +112,8 @@ public function testMetadataKeysSettingsForm_Error_NotBool(): void
     public function testMetadataKeysSettingsForm_Error_MetadataPrivateKeys_Empty(): void
     {
         $data = self::getDefaultData([], []);
-        $form = new MetadataKeysSettingsForm('update');
-        $result = $form->execute($data);
+        $form = new MetadataKeysSettingsForm();
+        $result = $form->execute($data, ['validate' => 'withMetadataPrivateKeys']);
         $errors = $form->getErrors();
         $this->assertFalse($result);
         $this->assertArrayHasKey('_empty', $errors['metadata_private_keys']);
@@ -136,8 +137,8 @@ public static function metadataPrivateKeysFieldsRequired(): array
     public function testMetadataKeysSettingsForm_Error_MetadataPrivateKeys_FieldsRequired(array $privateKeyData): void
     {
         $data = self::getDefaultData([], $privateKeyData);
-        $form = new MetadataKeysSettingsForm('update');
-        $result = $form->execute($data);
+        $form = new MetadataKeysSettingsForm();
+        $result = $form->execute($data, ['validate' => 'withMetadataPrivateKeys']);
         $errors = $form->getErrors();
         $this->assertFalse($result);
         $requiredFields = ['metadata_key_id', 'user_id', 'data'];
@@ -154,8 +155,8 @@ public function testMetadataKeysSettingsForm_Error_MetadataPrivateKeys_InvalidId
             'data' => $this->getEncryptedMetadataPrivateKeyForServerKey(),
         ]]);
 
-        $form = new MetadataKeysSettingsForm('update');
-        $result = $form->execute($data);
+        $form = new MetadataKeysSettingsForm();
+        $result = $form->execute($data, ['validate' => 'withMetadataPrivateKeys']);
         $errors = $form->getErrors();
 
         $this->assertFalse($result);
@@ -178,7 +179,10 @@ public function testMetadataKeysSettingsForm_Error_MetadataPrivateKeys_Data(): v
             'ascii' => self::getAsciiTestCases(),
         ];
 
-        $form = new MetadataKeysSettingsForm('update');
+        $form = new MetadataKeysSettingsForm();
+        $validator = new Validator();
+        $withMetadataPrivateKeysValidator = $form->validationWithMetadataPrivateKeys($validator);
+        $form->setValidator('default', $withMetadataPrivateKeysValidator);
         $this->assertFormFieldFormatValidation(
             $form,
             'metadata_private_keys.0.data',

plugins/PassboltCe/Metadata/tests/TestCase/Service/MetadataKeysSettingsSetServiceTest.php

@@ -78,6 +78,20 @@ public function testMetadataKeysSettingsSetService_Success_CreateUserFriendlyMod
         $this->assertEquals($data, $dto->toArray());
     }
 
+    public function testMetadataKeysSettingsSetService_Success_UpdateFromUserFriendlyMode_To_UserFriendlyMode(): void
+    {
+        $user = UserFactory::make()->admin()->persist();
+        MetadataKeysSettingsFactory::make()->persist();
+        $data = MetadataKeysSettingsFormTest::getDefaultData([
+            MetadataKeysSettingsDto::ALLOW_USAGE_OF_PERSONAL_KEYS => true,
+            MetadataKeysSettingsDto::ZERO_KNOWLEDGE_KEY_SHARE => false,
+        ]);
+        $uac = new UserAccessControl(Role::ADMIN, $user->get('id'));
+        $sut = new MetadataKeysSettingsSetService();
+        $dto = $sut->saveSettings($uac, $data);
+        $this->assertEquals($data, $dto->toArray());
+    }
+
     public function testMetadataKeysSettingsSetService_Success_EditAllowUsageOfPersonalKeys(): void
     {
         $user = UserFactory::make()->admin()->persist();