Merge pull request #2217 from wireapp/release_2022-03-18_15_21

Release 2022-03-18
wireapp · Mar 21, 2022 · eea6c6f · eea6c6f
2 parents 7ddd7a5 + 662d37c
commit eea6c6f
Show file tree

Hide file tree

Showing 444 changed files with 5,825 additions and 2,742 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,83 @@
+# [2022-03-18]
+
+## Release notes
+
+* Deploy Brig before Spar. (#2149)
+* If you are in a federated network of backends (currently beta), you need to update all participating instances at the same time. (#2173)
+
+## API changes
+
+* The `client` JSON object now has an additional field `mls_public_keys`, containing an object mapping signature schemes to public keys, e.g.
+  ```
+  {
+    ...
+    "mls_public_keys": { "ed25519": "GY+t1EQu0Zsm0r/zrm6zz9UpjPcAPyT5i8L1iaY3ypM=" }
+    ...
+  }
+  ```
+  At the moment, `ed25519` is the only supported signature scheme, corresponding to MLS ciphersuite 1.
+
+  When creating a new client with `POST /clients`, the field `mls_public_keys` can be set, and the corresponding public keys are bound to the device identity on the backend, and will be used to verify uploaded key packages with a matching signature scheme.
+
+  When updating a client with `PUT /clients/:client`, the field `mls_public_keys` can also be set, with a similar effect. If a given signature scheme already has a public key set for that device, the request will fail. (#2147)
+
+* Introduce an endpoint for creating an MLS conversation (#2150)
+
+* The `/billing` and `/teams/.*/billing` endpoints are now available on a versioned path (e.g. `/v1/billing`)
+
+   (#2167)
+
+
+## Features
+
+
+* MLS implementation progress:
+
+   - key package refs are now mapped after being claimed (#2192)
+
+* 2nd factor authentication via 6 digit code, sent by email:
+   - for login, sent by email. The feature is disabled per default and can be enabled server or team wide. (#2142)
+   - for "create SCIM token". The feature is disabled per default and can be enabled server or team wide. (#2149)
+   - for "add new client" via 6 digit code, sent by email. This only happens inside the login flow (in particular, when logging in from a new device).  The code obtained for logging in is used a second time for adding the device. (#2186)
+   - 2nd factor authentication for "delete team" via 6 digit code, sent by email. (#2193)
+   - The `SndFactorPasswordChallenge` team feature is locked by default. (#2205)
+   - Details: [/docs/reference/config-options.md#2nd-factor-password-challenge](https://github.com/wireapp/wire-server/blob/develop/docs/reference/config-options.md#2nd-factor-password-challenge)
+
+## Bug fixes and other updates
+
+
+* Fix data consistency issue in import of users from TM invitation to SCIM-managed (#2201)
+
+* Use the same context string as openmls for key package ref calculation (#2216)
+
+* Ensure that only conversation admins can create invite links.  (Until now we have relied on clients to enforce this.) (#2211)
+
+
+## Internal changes
+
+
+* account-pages Helm chart: Add a "digest" image option (#2194)
+
+* Add more test mappings (#2185)
+
+* Internal endpoint for re-authentication (`GET "/i/users/:uid/reauthenticate"`) in brig has changed in a backwards compatible way. Spar depends on this change for creating a SCIM token with 2nd password challenge. (#2149)
+
+* Asset keys are now internally validated. (#2162)
+
+* Spar debugging; better internal combinators (#2214)
+
+* Remove the MonadClient instance of the Brig monad
+
+  - Lots of functions were generalized to run in a monad constrained by
+    MonadClient instead of running directly in Brig's `AppIO r` monad. (#2187)
+
+
+## Federation changes
+
+
+* Refactor conversation actions to an existential type consisting of a singleton tag (identifying the action) and a dedicated type for the action itself. Previously, actions were represented by a big sum type. The new approach enables us to describe the needed effects of an action much more precisely. The existential type is initialized by the Servant endpoints in a way to mimic the previous behavior. However, the messages between services changed. Thus, all federated backends need to run the same (new) version. The deployment order itself does not matter. (#2173)
+
+
 # [2022-03-09]
 
 ## Release notes

diff --git a/build/ubuntu/Dockerfile.deps b/build/ubuntu/Dockerfile.deps
@@ -12,6 +12,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
 
 # compile core-crypto cli tool
 RUN cd /tmp && \
+  apt-get install -y libssl-dev && \
   git clone -b cli https://github.com/wireapp/core-crypto && \
   cd core-crypto/cli && \
   cargo build --release

diff --git a/cabal.project b/cabal.project
@@ -42,6 +42,7 @@ packages:
   , services/spar/
   , tools/api-simulations/
   , tools/bonanza/
+  , tools/db/assets/
   , tools/db/auto-whitelist/
   , tools/db/migrate-sso-feature-flag/
   , tools/db/service-backfill/
@@ -177,6 +178,8 @@ package api-client
     ghc-options: -Werror
 package api-simulations
     ghc-options: -Werror
+package assets
+    ghc-options: -Werror
 package auto-whitelist
     ghc-options: -Werror
 package bilge

diff --git a/changelog.d/0-release-notes/team-settings-upgrade b/changelog.d/0-release-notes/team-settings-upgrade
diff --git a/charts/account-pages/templates/deployment.yaml b/charts/account-pages/templates/deployment.yaml
@@ -27,7 +27,11 @@ spec:
     spec:
       containers:
       - name: account-pages
+        {{- if .Values.image.digest }}
+        image: "{{ .Values.image.repository }}@{{ .Values.image.digest }}"
+        {{- else }}
         image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+        {{- end }}
         env:
           - name: BACKEND_REST
             value: https://{{ .Values.config.externalUrls.backendRest }}

diff --git a/charts/brig/templates/configmap.yaml b/charts/brig/templates/configmap.yaml
@@ -181,6 +181,9 @@ data:
     {{- with .optSettings }}
     optSettings:
       setActivationTimeout: {{ .setActivationTimeout }}
+      {{- if .setVerificationTimeout }}
+      setVerificationTimeout: {{ .setVerificationTimeout }}
+      {{- end }}
       setTeamInvitationTimeout: {{ .setTeamInvitationTimeout }}
       {{- if .setExpiredUserCleanupTimeout }}
       setExpiredUserCleanupTimeout: {{ .setExpiredUserCleanupTimeout }}

diff --git a/charts/galley/values.yaml b/charts/galley/values.yaml
@@ -44,7 +44,7 @@ config:
       # sndFactorPasswordChallenge:
       #   defaults:
       #     status: disabled
-      #     lockStatus: unlocked
+      #     lockStatus: locked
   aws:
     region: "eu-west-1"
   proxy: {}
diff --git a/charts/nginz/templates/conf/_nginx.conf.tpl b/charts/nginz/templates/conf/_nginx.conf.tpl
@@ -224,9 +224,15 @@ http {
           {{- if or (eq $env $.Values.nginx_conf.env) (eq $env "all") -}}
 
             {{- if and (not (eq $.Values.nginx_conf.env "prod")) ($location.doc) -}}
+
     rewrite ^/api-docs{{ $location.path }}  {{ $location.path }}/api-docs?base_url=https://{{ $.Values.nginx_conf.env }}-nginz-https.{{ $.Values.nginx_conf.external_env_domain }}/ break;
             {{- end }}
 
+            {{- if $location.strip_version }}
+
+    rewrite ^/v[0-9]+({{ $location.path }}) $1;
+            {{- end }}
+
     {{- $versioned := ternary $location.versioned true (hasKey $location "versioned") -}}
     {{- $path := printf "%s%s" (ternary "(/v[0-9]+)?" "" $versioned) $location.path }}
 

diff --git a/charts/nginz/values.yaml b/charts/nginz/values.yaml
@@ -456,9 +456,13 @@ nginx_conf:
       envs:
       - all
       disable_zauth: true
+      versioned: false
+      strip_version: true
     - path: /teams/([^/]*)/billing(.*)
       envs:
       - all
+      versioned: false
+      strip_version: true
     calling-test:
     - path: /calling-test
       envs: