Merge pull request #2746 from wireapp/release_2022-10-04_12_20

Release 2022-10-04 - (expected chart version 4.25.0)

.hlint.yaml

@@ -1,10 +1,11 @@
 # We need quasi quotes support.
 - arguments: [ -XQuasiQuotes, --color ]
+
 # Used to enforce ormolu styling. Can be revisited if we change formatters.
 - ignore: { name: Redundant $ }
 - ignore: { name: Redundant do }
 - ignore: { name: Use newtype instead of data  }
-#
+
 # Left for the programmer to decide. See discussion at https://github.com/wireapp/wire-server/pull/2382#discussion_r871194424
 - ignore: { name: Avoid lambda }
 - ignore: { name: Avoid lambda using `infix` }
@@ -15,6 +16,11 @@
 # custom rules:
 - hint: { lhs: (() <$), rhs: void }
 - hint: { lhs: return, rhs: pure }
-## We want the latter to properly handle signals.
+
+# We want the latter function because it handles signals properly.
 - error: { name: Use shutdown, lhs: runSettings, rhs: runSettingsWithShutdown }
-- ignore: { name: Use shutdown, within: [Network.Wai.Utilities.Server, Federator.Response] }
+- ignore: { name: Use shutdown, within: [
+    Network.Wai.Utilities.Server,  # this is the implementation 'runSettingsWithShutdown'
+    Federator.Response,            # this is just a naming conincidence
+    Cannon.Run                     # we do something similar, but not identical here by hand
+  ] }

CHANGELOG.md

@@ -1,3 +1,46 @@
+# [2022-10-04] (Chart Release 4.25.0)
+
+## Release notes
+
+
+* Upgrade webapp version to 2022-10-04-production.0-v0.31.2-0-a438b30 (#2302)
+
+
+## API changes
+
+
+* Remove /legalhold/conversation alias from v2 (#2734)
+
+* Make v2 a supported version and start v3 (#2734)
+
+
+## Features
+
+
+* Allow deletion of MLS team conversations (#2733)
+
+
+## Bug fixes and other updates
+
+
+* Revert synchronous semantics of client deletion endpoint (#2737)
+
+
+## Documentation
+
+
+* JCT-146 - update outdated info
+  SER-211 - update new info regarding nodetool use (#2736)
+
+
+## Internal changes
+
+
+* Skeleton implementation of new endpoint for JWT DPoP access token generation (#2652, #2686)
+
+* Add swagger2-ui to stern (#2742 ...)
+
+
 # [2022-09-27] (Chart Release 4.24.0)
 
 ## Release notes

build/ubuntu/Dockerfile.builder

@@ -19,7 +19,7 @@ RUN cd /tmp && \
     git checkout 6370cd556f03f6834d0b8043615ffaf0044ef1fa && \
     git rev-parse HEAD
 
-RUN cd /tmp/rusty-jwt-tools && cargo build --release --target x86_64-unknown-linux-gnu
+RUN cd /tmp/rusty-jwt-tools && cargo build --features haskell --release --target x86_64-unknown-linux-gnu
 
 FROM ${prebuilder}
 

build/ubuntu/Dockerfile.deps

@@ -29,7 +29,7 @@ RUN cd /tmp && \
     git checkout 6370cd556f03f6834d0b8043615ffaf0044ef1fa && \
     git rev-parse HEAD
 
-RUN cd /tmp/rusty-jwt-tools && cargo build --release --target x86_64-unknown-linux-gnu
+RUN cd /tmp/rusty-jwt-tools && cargo build --features haskell --release --target x86_64-unknown-linux-gnu
 
 
 # Minimal dependencies for ubuntu-compiled, dynamically linked wire-server Haskell services

cabal.project

@@ -16,6 +16,7 @@ packages:
   , libs/gundeck-types/
   , libs/hscim/
   , libs/imports/
+  , libs/jwt-tools/
   , libs/metrics-core/
   , libs/metrics-wai/
   , libs/polysemy-wire-zoo/
@@ -219,6 +220,8 @@ package hscim
     ghc-options: -Werror
 package imports
     ghc-options: -Werror
+package jwt-tools
+    ghc-options: -Werror
 package metrics-core
     ghc-options: -Werror
 package metrics-wai

charts/brig/templates/configmap.yaml

@@ -287,5 +287,14 @@ data:
       {{- if .setNonceTtlSecs }}
       setNonceTtlSecs: {{ .setNonceTtlSecs }}
       {{- end }}
+      {{- if .setDpopMaxSkewSecs }}
+      setDpopMaxSkewSecs: {{ .setDpopMaxSkewSecs }}
+      {{- end }}
+      {{- if .setDpopTokenExpirationTimeSecs }}
+      setDpopTokenExpirationTimeSecs: {{ .setDpopTokenExpirationTimeSecs }}
+      {{- end }}
+      {{- if $.Values.secrets.dpopSigKeyBundle }}
+      setPublicKeyBundle: /etc/wire/brig/secrets/dpop_sig_key_bundle.pem
+      {{- end }}
     {{- end }}
   {{- end }}

charts/brig/templates/secret.yaml

@@ -25,4 +25,8 @@ data:
   {{- if (not $.Values.config.useSES) }}
   smtp-password.txt: {{ .smtpPassword | b64enc | quote }}
   {{- end }}
+  {{- if .dpopSigKeyBundle }}
+  dpop_sig_key_bundle.pem: {{ .dpopSigKeyBundle | b64enc | quote }}
   {{- end }}
+  {{- end }}
+

charts/brig/values.yaml

@@ -85,6 +85,8 @@ config:
     #   - example.com
     set2FACodeGenerationDelaySecs: 300 # 5 minutes
     setNonceTtlSecs: 300 # 5 minutes
+    setDpopMaxSkewSecs: 1
+    setDpopTokenExpirationTimeSecs: 300 # 5 minutes
   smtp:
     passwordFile: /etc/wire/brig/secrets/smtp-password.txt
   proxy: {}

charts/nginz/values.yaml

@@ -484,9 +484,6 @@ nginx_conf:
     - path: /mls/public-keys
       envs:
       - all
-    - path: /nonce/clients
-      envs:
-      - all
     gundeck:
     - path: /push/api-docs$
       envs:

charts/webapp/values.yaml

@@ -9,7 +9,7 @@ resources:
     cpu: "1"
 image:
   repository: quay.io/wire/webapp
-  tag: "2022-09-20-production.0-v0.31.2-0-7f74074"
+  tag: "2022-10-04-production.0-v0.31.2-0-a438b30"
 service:
   https:
     externalPort: 443

deploy/services-demo/conf/brig.demo-docker.yaml

@@ -116,6 +116,8 @@ optSettings:
   setEmailVisibility: visible_to_self
   setFederationDomain: example.com
   setNonceTtlSecs: 300 # 5 minutes
+  setDpopMaxSkewSecs: 1
+  setDpopTokenExpirationTimeSecs: 300 # 5 minutes
 
 logLevel: Debug
 logNetStrings: false

deploy/services-demo/conf/brig.demo.yaml

@@ -117,6 +117,9 @@ optSettings:
   setEmailVisibility: visible_to_self
   setFederationDomain: example.com
   setNonceTtlSecs: 300 # 5 minutes
+  setDpopMaxSkewSecs: 1
+  setDpopTokenExpirationTimeSecs: 300 # 5 minutes
+  setPublicKeyBundle: conf/jwt/ed25519_bundle.pem
 
 logLevel: Debug
 logNetStrings: false

deploy/services-demo/conf/jwt/ed25519_bundle.pem

@@ -0,0 +1,6 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIFANnxZLNE4p+GDzWzR3wm/v8x/0bxZYkCyke1aTRucX
+-----END PRIVATE KEY-----
+-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEACPvhIdimF20tOPjbb+fXJrwS2RKDp7686T90AZ0+Th8=
+-----END PUBLIC KEY-----

deploy/services-demo/conf/nginz/nginx.conf

@@ -286,11 +286,6 @@ http {
         proxy_pass http://brig;
     }
 
-    location /nonce/clients {
-      include common_response_with_zauth.conf;
-      proxy_pass http://brig;
-    }    
-
     # Cargohold Endpoints
 
     rewrite ^/api-docs/assets  /assets/api-docs?base_url=http://127.0.0.1:8080/ break;
@@ -330,7 +325,7 @@ http {
       proxy_pass http://galley;
     }
 
-    location /conversations {
+    location ~* ^(/v[0-9]+)?/conversations.* {
       include common_response_with_zauth.conf;
       proxy_pass http://galley;
     }

docs/src/developer/developer/building.md

@@ -49,6 +49,13 @@ The easiest course of action is to to remove these directories via:
 make full-clean
 ```
 
+### Cabal can't read index (Did you call checkForUpdates?)
+
+Sometimes abording cabal mid-update can corrupt its index. Deleting `~/.cabal/packages/hackage.haskell.org` will usually do the trick.
+
+As a side-note: `make c` doesn't run `cabal update`, but `make` does, so keep that in mind.
+
+
 ## How to run integration tests
 
 Integration tests require all of the haskell services (brig, galley, cannon, gundeck, proxy, cargohold, spar) to be correctly configured and running, before being able to execute e.g. the `brig-integration` binary. The test for brig also starts nginz, so make sure it has been built before.

docs/src/developer/developer/pr-guidelines.md

@@ -18,7 +18,9 @@ See `docs/legacy/developer/changelog.md` for more information.
 
 ## Schema migrations
 
-If a cassandra schema migration has been added then
+Don't delete columns that are still used by versions that are deployed. If you delete columns then the old version will fail in the deployment process. Rather than deleting keep the unused columns around and comment them as being discontinued in the schema migration code. 
+
+If a cassandra schema migration has been added then add this to the checklist:
 
  - [ ] Run **`make git-add-cassandra-schema`** to update the cassandra schema documentation
 

docs/src/how-to/administrate/backup-disaster-recovery.md

@@ -71,6 +71,9 @@ Make sure (while connected via ssh) your Cassandra installation is doing well wi
 
     nodetool status
 
+or (in newer versions)
+
+    nodetool ::FFFF:127.0.0.1 status
 
 You should see a list of nodes like this:
 

docs/src/how-to/administrate/cassandra.rst

@@ -15,6 +15,12 @@ To check the health of a Cassandra node, run the following command:
 
   ssh <ip of cassandra node> /opt/cassandra/bin/nodetool status
 
+or if you are running a newer version of wire-server (altough it should be backwards compatibile)
+
+.. code:: sh 
+
+  ssh <ip of cassandra node> /opt/cassandra/bin/nodetool ::FFFF:127.0.0.1 status
+
 You should see a list of nodes like this:
 
 .. code:: sh 
@@ -49,7 +55,7 @@ For maintenance you may need to restart the cluster.
 
 On each server one by one:
 
-1. check your cluster is healthy: ``nodetool status``
+1. check your cluster is healthy: ``nodetool status`` or ``nodetool ::FFFF:127.0.0.1 status`` (in newer versions)
 2. ``nodetool drain && systemctl stop cassandra`` (to stop accepting writes and flush data to disk; then stop the process)
 3. do any operation you need, if any
 4. Start the cassandra daemon process: ``systemctl start cassandra``

docs/src/understand/single-sign-on/main.rst

@@ -256,7 +256,7 @@ You need to configure your SCIM client to use the following mandatory SCIM attri
 
 3. The ``externalId`` attribute:
 
-   a. If you are using Wire's SAML SSO feature then set ``externalId`` attribute to the same identifier used for ``NameID`` in your SAML configuration (both fields must match case sensitively).
+   a. If you are using Wire's SAML SSO feature then set ``externalId`` attribute to the same identifier used for ``NameID`` in your SAML configuration.
 
    b. If you are using email/password authentication then set the ``externalId``
       attribute to the user's email address. The user will receive an invitation email during provisioning. Also note that the account will be set to ``"active": false`` until the user has accepted the invitation and activated the account.

hack/helm_vars/wire-server/values.yaml.gotmpl

@@ -83,6 +83,8 @@ brig:
           search_policy: full_search
       set2FACodeGenerationDelaySecs: 5
       setNonceTtlSecs: 300
+      setDpopMaxSkewSecs: 1
+      setDpopTokenExpirationTimeSecs: 300
     aws:
       sesEndpoint: http://fake-aws-ses:4569
       sqsEndpoint: http://fake-aws-sqs:4568
@@ -111,6 +113,13 @@ brig:
       key: "dummy"
       secret: "dummy"
     smtpPassword: dummy-smtp-password
+    dpopSigKeyBundle: |
+      -----BEGIN PRIVATE KEY-----
+      MC4CAQAwBQYDK2VwBCIEIFANnxZLNE4p+GDzWzR3wm/v8x/0bxZYkCyke1aTRucX
+      -----END PRIVATE KEY-----
+      -----BEGIN PUBLIC KEY-----
+      MCowBQYDK2VwAyEACPvhIdimF20tOPjbb+fXJrwS2RKDp7686T90AZ0+Th8=
+      -----END PUBLIC KEY-----
   tests:
     enableFederationTests: true
 cannon:

libs/brig-types/brig-types.cabal

@@ -84,6 +84,7 @@ library
     , deriving-swagger2      >=0.1.0
     , imports
     , QuickCheck             >=2.9
+    , schema-profunctor
     , servant-server         >=0.18.2
     , servant-swagger        >=1.1.10
     , string-conversions
@@ -165,6 +166,7 @@ test-suite brig-types-tests
     , QuickCheck             >=2.9
     , swagger2               >=2.5
     , tasty
+    , tasty-hunit
     , tasty-quickcheck
     , text                   >=0.11
     , time                   >=1.1