Merge pull request #1315 from wireapp/release_2021_01_06

Release 2021-01-06

.dockerignore

@@ -2,4 +2,5 @@
 **/dist
 **/target
 **/*.aci
+**/*.tgz
 services/nginz/src/objs

CHANGELOG.md

@@ -14,6 +14,35 @@
 
 -->
 
+# [2021-01-06]
+
+## Release Notes
+
+This release contains bugfixes and internal changes.
+
+## Bug fixes and other updates
+
+* [SCIM] Bug fix: handle is lost after registration (#1303)
+* [SCIM] Better error message (#1306)
+
+## Documentation
+
+* [SCIM] Document `validateSAMLemails` feature in docs/reference/spar-braindump.md (#1299)
+
+## Internal changes
+
+* [federation] Servantify get users by unqualified ids or handles (#1291)
+* [federation] Add endpoint to get users by qualified ids or handles (#1291)
+* Allow overriding NAMESPACE for kube-integration target (#1305)
+* Add script create_test_team_scim.sh for development (#1302)
+* Update brig helm chart: Add `setExpiredUserCleanupTimeout` (#1304)
+* Nit-picks (#1300)
+* nginz_disco: docker building consistency (#1311)
+* Add tools/db/repair-handles (#1310)
+* small speedup for 'make upload-charts' by inlining loop (#1308)
+* Cleanup stack.yaml. (#1312) (#1316)
+
+
 # [2020-12-21]
 
 ## Release Notes

Makefile

@@ -1,14 +1,19 @@
 SHELL                 := /usr/bin/env bash
 LANG                  := en_US.UTF-8
 DOCKER_USER           ?= quay.io/wire
+# kubernetes namespace for running integration tests
+NAMESPACE             ?= test-$(USER)
 # default docker image tag is your system username, you can override it via environment variable.
 DOCKER_TAG            ?= $(USER)
 # default helm chart version must be 0.0.42 for local development (because 42 is the answer to the universe and everything)
 HELM_SEMVER           ?= 0.0.42
 # The list of helm charts needed for integration tests on kubernetes
 CHARTS_INTEGRATION    := wire-server databases-ephemeral fake-aws
 # The list of helm charts to publish on S3
-# FUTUREWORK: after we "inline local subcharts", i.e. move charts/brig to charts/wire-server/brig this list could be generated from the folder names under ./charts/
+# FUTUREWORK: after we "inline local subcharts",
+# (e.g. move charts/brig to charts/wire-server/brig)
+# this list could be generated from the folder names under ./charts/ like so:
+# CHARTS_RELEASE := $(shell find charts/ -maxdepth 1 -type d | xargs -n 1 basename | grep -v charts)
 CHARTS_RELEASE        := wire-server databases-ephemeral fake-aws aws-ingress backoffice calling-test demo-smtp elasticsearch-curator elasticsearch-external fluent-bit minio-external cassandra-external nginx-ingress-controller nginx-ingress-services reaper wire-server-metrics sftd
 
 default: fast
@@ -237,14 +242,15 @@ hie.yaml:
 #   - kubectl
 #   - a valid kubectl context configured (i.e. access to a kubernetes cluster)
 .PHONY: kube-integration
-kube-integration: charts
+kube-integration: charts-integration
 	# by default "test-<your computer username> is used as namespace
-	export NAMESPACE=test-$(USER); ./hack/bin/integration-setup.sh
-	export NAMESPACE=test-$(USER); ./hack/bin/integration-test.sh
+	# you can override the default by setting the NAMESPACE environment variable
+	export NAMESPACE=$(NAMESPACE); ./hack/bin/integration-setup.sh
+	export NAMESPACE=$(NAMESPACE); ./hack/bin/integration-test.sh
 
 .PHONY: kube-integration-teardown
 kube-integration-teardown:
-	export NAMESPACE=test-$(USER); ./hack/bin/integration-teardown.sh
+	export NAMESPACE=$(NAMESPACE); ./hack/bin/integration-teardown.sh
 
 .PHONY: latest-brig-tag
 latest-brig-tag:
@@ -307,4 +313,9 @@ upload-chart-%: release-chart-%
 # To uplaod all helm charts in the CHARTS_RELEASE list (see top of the time)
 # (assummption: CI sets DOCKER_TAG and HELM_SEMVER)
 .PHONY: upload-charts
-upload-charts: $(foreach chartName,$(CHARTS_RELEASE),upload-chart-$(chartName))
+upload-charts: charts-release
+	./hack/bin/upload-helm-charts-s3.sh
+
+.PHONY: echo-release-charts
+echo-release-charts:
+	@echo ${CHARTS_RELEASE}

charts/brig/templates/configmap.yaml

@@ -167,6 +167,9 @@ data:
     optSettings:
       setActivationTimeout: {{ .setActivationTimeout }}
       setTeamInvitationTimeout: {{ .setTeamInvitationTimeout }}
+      {{- if .setExpiredUserCleanupTimeout }}
+      setExpiredUserCleanupTimeout: {{ .setExpiredUserCleanupTimeout }}
+      {{- end }}
       setTwilio: /etc/wire/brig/secrets/twilio-credentials.yaml
       setNexmo: /etc/wire/brig/secrets/nexmo-credentials.yaml
       setUserMaxConnections: {{ .setUserMaxConnections }}

deploy/services-demo/create_test_team_scim.sh

@@ -0,0 +1,216 @@
+#!/usr/bin/env bash
+
+set -e
+
+BRIG_HOST="http://localhost:8082"
+SPAR_HOST="http://localhost:8088"
+
+USAGE="
+This bash script craates
+1) team
+2) team admin
+3) scim token
+4) a regular user via team invitation
+5) a scim-managed user (without IDP)
+
+Note that this uses internal brig and spar endpoints. It is not exposed over
+nginz and can only be used if you have direct access to brig and spar simultaneously.
+
+USAGE: $0
+    -h <host>: Base URI of brig. default: ${BRIG_HOST}
+    -s <host>: Base URI of spar. default: ${SPAR_HOST}
+"
+
+# Option parsing:
+# https://sookocheff.com/post/bash/parsing-bash-script-arguments-with-shopts/
+while getopts ":n:h:c" opt; do
+  case ${opt} in
+    h ) BRIG_HOST="$OPTARG"
+      ;;
+    s ) SPAR_HOST="$OPTARG"
+        ;;
+    : ) echo "-$OPTARG" requires an argument 1>&2
+        exit 1
+      ;;
+    \? ) echo "$USAGE" 1>&2
+         exit 1
+      ;;
+  esac
+done
+shift $((OPTIND -1))
+
+if [ "$#" -ne 0 ]; then
+  echo "$USAGE" 1>&2
+  exit 1
+fi
+
+
+ADMIN_EMAIL=$(cat /dev/urandom | env LC_CTYPE=C tr -dc a-zA-Z0-9 | head -c 8)"@example.com"
+ADMIN_PASSWORD=$(cat /dev/urandom | env LC_CTYPE=C tr -dc a-zA-Z0-9 | head -c 8)
+
+CURL_OUT=$(curl -i -s --show-error \
+    -XPOST "$BRIG_HOST/i/users" \
+    -H'Content-type: application/json' \
+    -d'{"email":"'"$ADMIN_EMAIL"'","password":"'"$ADMIN_PASSWORD"'","name":"demo","team":{"name":"Wire team","icon":"default"}}')
+
+ADMIN_UUID=$(echo "$CURL_OUT" | tail -1 | sed 's/.*\"id\":\"\([a-z0-9-]*\)\".*/\1/')
+TEAM_UUID=$(echo "$CURL_OUT" | tail -1 | sed 's/.*\"team\":\"\([a-z0-9-]*\)\".*/\1/')
+
+
+BEARER=$(curl -X POST \
+              --header 'Content-Type: application/json' \
+              --header 'Accept: application/json' \
+              -d '{"email":"'"$ADMIN_EMAIL"'","password":"'"$ADMIN_PASSWORD"'"}' \
+              $BRIG_HOST/login'?persist=false' | jq -r .access_token)
+
+SCIM_TOKEN_FULL=$(curl -X POST \
+                       --header "Authorization: Bearer $BEARER" \
+                       --header 'Content-Type: application/json;charset=utf-8' \
+                       --header 'Z-User: '"$ADMIN_UUID" \
+                       -d '{ "description": "test '"`date`"'", "password": "'"$ADMIN_PASSWORD"'" }' \
+                       $SPAR_HOST/scim/auth-tokens)
+
+SCIM_TOKEN=$(echo $SCIM_TOKEN_FULL | jq -r .token)
+SCIM_TOKEN_ID=$(echo $SCIM_TOKEN_FULL | jq -r .info.id)
+
+
+# Create regular user via team invitation
+
+REGULAR_USER_EMAIL=$(cat /dev/urandom | env LC_CTYPE=C tr -dc a-zA-Z0-9 | head -c 8)"@example.com"
+REGULAR_USER_PASSWORD=$(cat /dev/urandom | env LC_CTYPE=C tr -dc a-zA-Z0-9 | head -c 8)
+CURL_OUT_INVITATION=$(curl -i -s --show-error \
+                            -XPOST "$BRIG_HOST/teams/$TEAM_UUID/invitations" \
+                            -H'Content-type: application/json' \
+                            -H'Z-User: '"$ADMIN_UUID"'' \
+                            -d'{"email":"'"$REGULAR_USER_EMAIL"'","name":"Replace with name","inviter_name":"Team admin"}')
+
+INVITATION_ID=$(echo "$CURL_OUT_INVITATION" | tail -1 | sed 's/.*\"id\":\"\([a-z0-9-]*\)\".*/\1/')
+
+sleep 1
+
+if ( ( echo "$INVITATION_ID" | grep -q '"code"' ) &&
+         ( echo "$INVITATION_ID" | grep -q '"label"' ) ) ; then
+    echo "Got an error while creating $REGULAR_USER_EMAIL, aborting: $INVITATION_ID"
+    exit 1
+fi
+
+sleep 1
+
+if ( ( echo "$INVITATION_ID" | grep -q '"code"' ) &&
+            ( echo "$INVITATION_ID" | grep -q '"label"' ) ) ; then
+    echo "Got an error while creating $REGULAR_USER_EMAIL, aborting: $INVITATION_ID"
+    exit 1
+fi
+
+# Get the code
+CURL_OUT_INVITATION_CODE=$(curl -i -s --show-error \
+                                -XGET "$BRIG_HOST/i/teams/invitation-code?team=$TEAM_UUID&invitation_id=$INVITATION_ID")
+
+INVITATION_CODE=$(echo "$CURL_OUT_INVITATION_CODE" | tail -1 | sed -n -e '/"code":/ s/^.*"\(.*\)".*/\1/p')
+
+sleep 1
+
+# Create the user using that code
+CURL_OUT=$(curl -i -s --show-error \
+                -XPOST "$BRIG_HOST/i/users" \
+                -H'Content-type: application/json' \
+                -d'{"email":"'"$REGULAR_USER_EMAIL"'","password":"'"$REGULAR_USER_PASSWORD"'","name":"demo","team_code":"'"$INVITATION_CODE"'"}')
+
+REGULAR_TEAM_MEMBER_UUID=$(echo "$CURL_OUT" | tail -1 | sed 's/.*\"id\":\"\([a-z0-9-]*\)\".*/\1/')
+
+
+# Create user via SCIM invitation
+
+
+scimUserName=$(cat /dev/urandom | env LC_CTYPE=C tr -dc a-zA-Z0-9 | head -c 8)
+scimUserDisplayName="Display of $scimUserName"
+scimUserEmail="$scimUserName@example.com"
+scimUserExternalId="$scimUserEmail"
+
+SCIM_USER=$(cat <<EOF
+{
+    "UserName": "$scimUserName",
+    "Active": true,
+    "DisplayName": "$scimUserDisplayName",
+    "schemas": [
+        "urn:ietf:params:scim:schemas:core:2.0:User"
+    ],
+    "externalId": "$scimUserExternalId",
+    "name": {
+        "formatted": "Name of username $scimUserName",
+        "familyName": "Family name of username $scimUserName"
+    },
+    "emails": [
+        {
+            "Primary": true,
+            "type": "work",
+            "value": "$scimUserEmail"
+        }
+    ]
+}
+EOF
+)
+
+CURL_OUT_SCIM_POST=$(curl --location --request POST "$SPAR_HOST/scim/v2/Users" \
+    --header 'Content-Type: application/json' \
+    --header "Authorization: Bearer $SCIM_TOKEN" \
+    -d "$SCIM_USER")
+
+SCIM_USER_UUID=$(echo $CURL_OUT_SCIM_POST | jq -r .id)
+
+SCIM_USER_INVITATION_ID=$(curl --location -G "$BRIG_HOST/i/teams/invitations/by-email?" \
+    --header 'Content-Type: application/json' \
+    --header "Authorization: Bearer $SCIM_TOKEN" \
+    -d "email=$scimUserEmail" | jq -r .id)
+
+sleep 1
+
+SCIM_USER_INVITATION_CODE=$(curl --silent --show-error \
+                            --header 'Content-Type: application/json' \
+                            -XGET "$BRIG_HOST/i/teams/invitation-code?team=$TEAM_UUID&invitation_id=$SCIM_USER_INVITATION_ID" | jq -r .code
+                            )
+
+scimUserPassword=$(cat /dev/urandom | env LC_CTYPE=C tr -dc a-zA-Z0-9 | head -c 8)
+
+REGISTER_ACCEPT=$(cat <<EOF
+{
+   "name": "$scimUserDisplayName",
+   "email": "$scimUserEmail",
+   "password": "$scimUserPassword",
+   "team_code": "$SCIM_USER_INVITATION_CODE"
+}
+EOF
+)
+
+SCIM_USER_REGISTER_TEAM=$(curl -XPOST "$BRIG_HOST/register" \
+     --header 'Content-Type: application/json' \
+     -d "$REGISTER_ACCEPT" | jq -r .team)
+
+if [ "$SCIM_USER_REGISTER_TEAM" != "$TEAM_UUID" ]; then
+    echo "unexpected error: user got assigned to no / the wrong team?!"
+    echo ${CURL_OUT}
+    exit 1
+fi
+
+echo "Succesfully created:"
+echo ""
+echo "team: $TEAM_UUID"
+echo ""
+echo "admin: $ADMIN_UUID"
+echo "admin email: $ADMIN_EMAIL"
+echo "admin password: $ADMIN_PASSWORD"
+echo ""
+echo "scim token: $SCIM_TOKEN"
+echo "scim token uuid: $SCIM_TOKEN_ID"
+echo ""
+echo "user 1 (via team invite)"
+echo "user 1: $REGULAR_TEAM_MEMBER_UUID"
+echo "user 1 email: $REGULAR_USER_EMAIL"
+echo "user 1 password: $REGULAR_USER_PASSWORD"
+echo ""
+echo "user 2 (via SCIM + invite)"
+echo "user 2: $SCIM_USER_UUID"
+echo "user 2 handle: $scimUserName"
+echo "user 2 email: $scimUserEmail"
+echo "user 2 password: $scimUserPassword"
+echo "user 2 externalId: $scimUserExternalId"

docs/reference/spar-braindump.md

@@ -222,19 +222,12 @@ work fine.
 
 #### an email address can be one of two things
 
-the email used for saml auth is only a name, and never used for
-sending out emails, and does not show as the email address of the user
-in the team settings.
-
-RATIONALE: emails that are passed in from an external identity
-provider must be trusted, so the user cannot have them as an actual
-email address that wire is sending emails to.
-
-POSSIBLE FEATURE: we could authenticate the emails sent in from the
-identity provider in the same way we are doing that for
-password-authenticated non-team users: email receives a link
-containing a crypto token, user clicks on link if the email is
-authentic, email gets authenticated.
+When users are SAML-authenticated with an email address under NameID,
+that email address is used by wire as an opaque identifier, not to
+send actual emails.  In order to *also* assign the user that email
+address, you can enable the feature flag `validateSAMLemails`.  This
+will trigger the regular email validation flow that is also triggered
+when the user changes their email themselves.
 
 
 #### scim, provisioning, metadata

hack/bin/integration-teardown.sh

@@ -8,7 +8,7 @@ set -ex
 
 echo "NAMESPACE = $NAMESPACE"
 
-helm ls --all --namespace ${NAMESPACE} | grep "test-" | awk '{print $1}' | xargs -n 1 helm -n "$NAMESPACE" delete
+helm ls --all --namespace ${NAMESPACE} | grep -v NAME | awk '{print $1}' | xargs -n 1 helm -n "$NAMESPACE" delete
 
 sleep 10
 

hack/bin/upload-helm-charts-s3.sh

@@ -12,7 +12,6 @@
 # for more info see https://github.com/hypnoglow/helm-s3
 
 set -eo pipefail
-set -x
 
 USAGE="Upload helm charts to S3. Usage: $0 to upload all charts or $0 <chart-directory> to sync only a single one. --force-push can be used to override S3 artifacts. --reindex can be used to force a complete reindexing in case the index is malformed."
 
@@ -48,7 +47,9 @@ if [ -n "$chart_dir" ] && [ -d "$chart_dir" ]; then
     echo "only syncing $chart_name"
     charts=( "$chart_name" )
 else
-    charts=( $(find $CHART_DIR/ -maxdepth 1 -type d | sed -n "s=$CHART_DIR/\(.\+\)=\1 =p") )
+    charts=( $(make -s -C "$TOP_LEVEL_DIR" echo-release-charts) )
+    # See Makefile/ CHARTS_RELEASE FUTUREWORK
+    #charts=( $(find $CHART_DIR/ -maxdepth 1 -type d | sed -n "s=$CHART_DIR/\(.\+\)=\1 =p") )
 fi
 
 # install s3 plugin if not present
@@ -108,7 +109,7 @@ if [[ $1 == *--reindex* || $2 == *--reindex* || $3 == *--reindex* ]]; then
 else
     # update local cache with newly pushed charts
     helm repo update
-    printf "\n--> Not reindexing by default. Pass the --reindex flag in case the index.yaml is incomplete. See all wire charts using \n helm search $REPO_NAME/ -l\n\n"
+    printf "\n--> Not reindexing by default. Pass the --reindex flag in case the index.yaml is incomplete. See all wire charts using \n helm search repo $REPO_NAME/ -l\n\n"
 fi