- Apr 04, 2024
-
-
Thomas Mortagne authored
(cherry picked from commit 3b58028c)
-
- Mar 27, 2024
-
-
Simon Urli authored
Change the mechanism of the reset password token to not reset it at each verification code check, but only when the password is actually reset, and when its lifetime expired. Also provide a mandatory document initializer for the ResetPasswordRequest xclass.
Change a bit more the logic: if the token lifetime configuration is set to 0 (which was the default) then we automatically remove the reset password request xobject at first wrong attempt (bad verification code): it will prevent any bruteforce attack. Then if there's a token lifetime configuration set, we don't remove the xobject when a bad attempt is performed: user might have used the wrong mail for example. But we do remove the xobject when it's expired. And if it's expired, or if the code was wrong, in both cases we immediately return an error.
Move ResetPasswordIT and ForgotUserNameIT from administration-test-docker to a new module security-authentication-test-docker since it's related to security-authentication module now.
---------
Co-authored-by: Manuel Leduc <manuel.leduc@xwiki.com>
(cherry picked from commit b410dad4)
-
- Jan 17, 2024
-
-
Thomas Mortagne authored
(cherry picked from commit b759f2dc)
-
- Nov 16, 2023
-
-
Michael Hamann authored
-
- Oct 20, 2023
-
-
Michael Hamann authored
* Add a new method `getRequiredRight` to `MacroPermissionPolicy` and implement it for the different script macros
* Introduce a RequiredRightAnalyzer role to analyze the rights that are required by a document, macro or XObject
* Add generic analyzers for macros and objects
* Add generic script macro support
* Add an analyzer for XWiki.RequiredRightClass
* Add an analyzer for skin extensions
* Add a component for printing the content of an XObject
* Add a component for printing macro parameters and content.
* Introduce RequiredRightsEditConfirmationChecker
* Introduce RequiredRightsAddedFilter to filter results according to the document author
* package the UI by default in xwiki-platform-distribution-flavor-common
* Minimal docker test + Page objects
* Introduce a configuration to enable the required right analysis, disabled by default as long as it is incomplete and not polished
---------
Co-authored-by: Manuel Leduc <manuel.leduc@xwiki.com>
-
- Aug 08, 2023
-
-
Marius Dumitru Florea authored
* Replace the xwikiHost configuration with xwikiURI in order to allow specifying the scheme/protocol and port number besides the domain name or IP address.
-
- Jul 27, 2023
-
-
Marius Dumitru Florea authored
XWIKI-21170: Improve the error message shown when the PDF export size limit is exceeded
XWIKI-20881: Don't enforce the size limit on single page PDF exports
-
- Jul 26, 2023
-
-
Michael Hamann authored
* Cache failures
* Properly dispose the caches
* Only send requests to trusted domains
* Only embed actual images
* Limit responses to 1MB
* Introduce configuration options for timeout, maximum size and if the feature is enabled at all
* Add a UI test that checks that attachment embedding is working in general
* Move to httpclient5
* Expose the cookie domains configuration in AuthenticationConfiguration
-
- Jul 19, 2023
-
-
Manuel Leduc authored
-
- Jun 22, 2023
-
-
Simon Urli authored
* Remove the property from xwiki.properties.vm and the only usage of it in XWiki.java
* Move all deprecated APIs that are no longer used to legacy
* Add revapi ignores related to aspectj bug (see: https://github.com/eclipse-aspectj/aspectj/issues/246)
-
- Jun 15, 2023
-
-
Manuel Leduc authored
-
- Jun 14, 2023
-
-
Simon Urli authored
* Move code and components for live email notifications with post-filtering to legacy modules
* Deprecate the related configuration method that checks if prefiltering is enabled, as it's now the standard
* Remove the configuration from xwiki.properties to turn off prefiltering
* Move deprecated NotificationManager to legacy
* Move the API NotificationConfiguration#isEventPrefilteringEnabled to legacy and every implementation relying on it too
Co-authored-by: Thomas Mortagne <thomas.mortagne@xwiki.com>
-
- Jun 13, 2023
-
-
Vincent Massol authored
XWIKI-21011: Mail resender script service API resends all mails when called from a subwiki
XWIKI-21015: Missing legacy instance APIs in distribution
* Also add missing EM categories
* Fix typo in MailResender.xml (in the "from" test)
* Make the resender scheduler job execute as XWiki.superadmin
* Make the MailResender.xml document customizable instead of demo to avoid deleting it (it's now an official feature)
* Add debug logs when resending mail
* Fix mail resender scheduler typo in description
-
- Jun 12, 2023
-
-
Simon Urli authored
Previous work was about introducing strategies to group events for creating composite events. This work is about strategies for choosing how many mails should be sent for each composite event to notify by email. Historically the strategy was hardcoded and consisted in putting all composite events in the same email. Here we provide different strategies: the previous one, but also a strategy allowing to send one email per composite event, and another one allowing to send a separate email specifically for mentions.
That work also improves previous API to use a clear UserReference instead of a String which is vague.
Co-authored-by: Manuel Leduc <manuel.leduc@xwiki.com>
Co-authored-by: Thomas Mortagne <thomas.mortagne@xwiki.com>
-
- Jun 06, 2023
-
-
Marius Dumitru Florea authored
XWIKI-20937: Add support for configuring an user property to be displayed as hint by the user picker
-
- Apr 20, 2023
-
-
Vincent Massol authored
-
- Apr 12, 2023
-
-
Thomas Mortagne authored
* update documentation
-
- Mar 16, 2023
-
-
Vincent Massol authored
* Add the What's New extension to XS
-
- Mar 01, 2023
-
-
Michael Hamann authored
* Update link to allowed HTML tags (and attributes, to keep them in sync) in the configuration.
-
- Feb 20, 2023
-
-
Vincent Massol authored
* Fix error (thanks Thomas for checking)
-
Vincent Massol authored
-
- Jan 24, 2023
-
-
Simon Urli authored
This reverts commits
* d56fd930
* 1ea01e4c
* f1393f94
* re-apply changes previously done
* Add missing quoting during URI parsing to avoid parse errors.
* Provide new API to obtain a safe URI based on a string
* Fix since and doc
Co-authored-by: Michael Hamann <michael.hamann@xwiki.com>
-
- Jan 20, 2023
-
-
Simon Urli authored
This reverts commit 5b1c3e6a.
-
- Jan 19, 2023
-
-
Manuel Leduc authored
  - Provide two implementations of the tag selection
  - Introduce the tag.rightCheckStrategy.hint property to select the active implementation
  - Improve the Livetable result template to prevent re-computing the tagcloud with the same parameters twice
-
- Jan 17, 2023
-
-
Simon Urli authored
* Define a new API in URLSecurityManager to check trustfulness of an URI
* Use that API in XWikiServletResponse#redirect
* Define a new script service API to perform same check in scripts
* Add new configurations to be able to define the URI schemes supported for trusted URIs
* Improve a bit documentation and add some more unit tests
* Move the new script service to a dedicated URLSecurityScriptService
* Simplify some code by removing unnecessary property
* Add test to the new script service method
-
Marius Dumitru Florea authored
-
- Jan 05, 2023
-
-
Vincent Massol authored
* Make it more clear
-
Vincent Massol authored
-
- Dec 19, 2022
-
-
Michael Hamann authored
* Add a new configuration option.
* Migrate tests to JUnit 5 and add a new test.
-
Thomas Mortagne authored
* reduce default maximum attachment size to 1MB
* add missing xwiki.properties entry
-
- Nov 24, 2022
-
-
Michael Hamann authored
-
- Nov 17, 2022
-
-
Vincent Massol authored
-
- Nov 16, 2022
-
-
Manuel Leduc authored
  - Offer a generic interface to validate attachments
  - Integration server side on file upload through the UI + on the rest API
  - Integration client side on the file upload pane + on CKEditor image upload
  - Introduce a new xwiki:actions:beforeUpload javascript event to add additional client side attachment validations
-
- Oct 04, 2022
-
-
Vincent Massol authored
XWIKI-20189: Allow delegating the creation of database/schema/user to an infra admin when creating a new subwiki
-
- Sep 12, 2022
-
-
Manuel Leduc authored
  - Introduce getHiddenMacroCategories in RenderingScriptService
  - Use getHiddenMacroCategories in the CKEditor macro dialog implementation
  - Document rendering.transformation.macro.hiddenCategories in xwiki.properties.vm
-
- Jul 13, 2022
-
-
Simon Urli authored
* Provide some more properties for mail sending during migration
-
- Jul 08, 2022
-
-
Simon Urli authored
  - Provide a new API for sending text based email
  - Provide a migration and a listener for informing users about it
-
- Jul 07, 2022
-
-
Manuel Leduc authored
* Deprecate translation key `help.macroList.category` and introduce `help.macroList.categories`
* Update `XWikiSyntaxMacrosList` to display the list of categories of the macros (possibly overridden)
* Improve `XWikiSyntaxMacrosList` translations
* Introduce `getMacroCategories` in `RendringScriptService`
* Update the outdated documentation for the wiki macro categories override in `xwiki.properties`
-
- Jun 30, 2022
-
-
Michael Hamann authored
* Add configuration options for the HTML sanitizer.
-
- Jun 09, 2022
-
-
Thomas Mortagne authored
-