Merge pull request #2614 from wireapp/release_2022-08-16_08_27

Release 2022-08-16 - (expected chart version 4.22.0)

.github/workflows/ci.yml

@@ -1,7 +1,7 @@
 on:
  pull_request:
  push:
- branches: [master]
+ branches: [master, develop]
 
 jobs:
  build-dev-env:
@@ -28,3 +28,34 @@ jobs:
  run: nix-build --no-out-link ./nix -A devEnv
  - name: Install the wire-server-direnv
  run: nix-env -if ./nix -A devEnv
+ build-docs:
+ name: Build docs
+ environment: cachix
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ contents: read
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ submodules: true
+ - uses: cachix/[email protected]
+ - uses: cachix/cachix-action@v10
+ with:
+ name: wire-server
+ signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
+ authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+ - name: Build docs
+ run: nix-build --no-out-link ./nix -A docs
+ - name: Configure AWS credentials
+ if: ${{ github.ref == 'refs/heads/develop' }}
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ role-to-assume: arn:aws:iam::093205192929:role/gh-actions-wire-server
+ aws-region: eu-west-1
+ - name: Deploy docs
+ if: ${{ github.ref == 'refs/heads/develop' }}
+ run: |
+ docs=$(nix-build --no-out-link ./nix -A docs)
+ aws s3 sync $docs/html s3://origin-docs.wire.com/
+ aws s3 cp $docs/pdf/wire_federation.pdf s3://origin-docs.wire.com/main.pdf

CHANGELOG.md

@@ -1,3 +1,75 @@
+# [2022-08-16] (Chart Release 4.22.0)
+
+## API changes
+
+
+* Drop the deprecated member removal endpoint (#2593)
+
+
+## Features
+
+
+* charts/cannon: Ensure HSTS headers are set for all endpoints (#2574)
+
+* Expired MLS key packages are deleted from the database (#2582)
+
+* Add support for MLS Remove proposals (#2561)
+
+* Human readable names for SAML IdPs (#2565)
+
+* The `preferredLanguage` field from SCIM now maps to the user locale in BRIG and will be set and updated on post SCIM user and on update SCIM user using SAML. (#2605)
+
+* For TLS1.2, by default, remove ECDHE-ECDSA-AES128-GCM-SHA256 and ECDHE-RSA-AES128-GCM-SHA256 ciphers for ingress traffic. (#2528)
+
+
+## Bug fixes and other updates
+
+
+* Allow deleting existing splash screens in `PUT /teams/:tid (see also PR#2474 in Release 4.18.0) (#2588)
+
+* Backoffice: Fix an issue where in some deployments ibis/galeb (Wire Cloud internal services) are unreachable from backoffice if deployed in a different namespace. (#2610)
+
+* Fix an issue for larger client requests on e.g. /list-users and /list-conversations, which were giving 413 errors for some users. Allow client requests of 256k by default (was 64k). (#2579)
+
+
+## Internal changes
+
+
+* Add shellcheck, libstdc++ to nix env; handle emacs auto-save files better (#2609)
+
+* Allow features to be set with HTTP method PATCH. This reflects a prior behavior
+ that is used by Ibis. Additionally, it's more consistent when all setters can be
+ called with PUT and PATCH. As this will fix calls by Ibis, the deployment order
+ doesn't matter. (#2575)
+
+* Brig Polysemization: introduce BlacklistStore and BlacklistPhonePrefixStore effects (#2590)
+
+* Add cabal-fmt development tool (#2601)
+
+* Reformat all cabal files with cabal-fmt (#2603)
+
+* Delete tools: bonanza and makedeb (#2600)
+
+* No more package.yaml / hpack, and stick with cabal files as the single (and only) source of truth (#2596)
+
+* Port Brig SearchAPI and UserRichInfo endpoints to Servant (#2580)
+
+* Added TTL data to stern feature flag GET endpoint. (#2564)
+
+* Prepare removing deprecated non-binding teams (no more used in integration tests) (#2514, #2607)
+
+* Add internal endpoint in Brig to update clients' key package refs in DB upon committing.
+ Brig should be deployed before Galley. (#2604)
+
+* Improved the resilience of provisioning new users via SAML by combining two persistence calls into one, preventing a creation failure from locking a user handle with no corresponding user. (#2526)
+
+
+## Federation changes
+
+
+* Fix TBS field in MLS Message type (#2599)
+
+
 # [2022-07-19] (Chart Release 4.21.0)
 
 ## Release notes

Makefile

@@ -61,7 +61,7 @@ endif
 
 # Usage: make c package=brig test=1
 .PHONY: c
-c:
+c: cabal-fmt
  cabal build $(WIRE_CABAL_BUILD_OPTIONS) $(package)
 ifeq ($(test), 1)
  ./hack/bin/cabal-run-tests.sh $(package) $(testargs)
@@ -75,6 +75,10 @@ endif
 ci: c
  ./hack/bin/cabal-run-integration.sh $(package)
 
+.PHONY: cabal-fmt
+cabal-fmt:
+ ./hack/bin/cabal-fmt.sh $(package)
+
 # Use ghcid to watch a particular package.
 # pass target=package:name to specify which target is watched.
 .PHONY: ghcid
@@ -536,22 +540,3 @@ kind-restart-%: .local/kind-kubeconfig
 # make helm-template-wire-server
 helm-template-%: clean-charts charts-integration
  ./hack/bin/helm-template.sh $(*)
-
-# make bonanza-deb version=$VERSION
-.PHONY: bonanza-deb
-bonanza-deb:
- makedeb --name=bonanza \
- --version=$(version) \
- --debian-dir=tools/bonanza/deb \
- --build=0 \
- --architecture=amd64 \
- --output-dir=dist
-
-# make makedeb-deb version=$VERSION
-.PHONY: makedeb-deb
-makedeb-deb:
- $(eval $@_DIR := $(shell mktemp -d -t makedeb.XXXXXXXXXX))
- cp -R -L tools/makedeb/deb $($@_DIR)
- sed -i "s/<<VERSION_NUMBER>>/$(version)/g" $($@_DIR)/deb/DEBIAN/control
- cat $($@_DIR)/deb/DEBIAN/control
- dpkg-deb -b $($@_DIR)/deb ./dist/makedeb_$(version)+0_amd64.deb

README.md

@@ -51,8 +51,6 @@ This repository contains the following source code:
 
 - **tools**
  - **api-simulations**: Run automated smoke and load tests
- - **makedeb**: Create Debian packages
- - **bonanza**: Transform and forward log data
  - **db/**: Migration tools (e.g. when new tables are added)
  - **stern/**: Backoffice tool (basic [Swagger](https://swagger.io/) based interface)
 

build/ubuntu/Dockerfile.deps

@@ -1,3 +1,12 @@
+FROM rust:1.63 as mls-test-cli-builder
+
+# compile mls-test-cli tool
+RUN cd /tmp && \
+ git clone https://github.com/wireapp/mls-test-cli && \
+ cd mls-test-cli && \
+ cargo build --release
+
+
 FROM ubuntu:20.04 as cryptobox-builder
 
 # compile cryptobox-c
@@ -10,11 +19,6 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
  export SODIUM_USE_PKG_CONFIG=1 && \
  cargo build --release
 
-# compile mls-test-cli tool
-RUN cd /tmp && \
- git clone https://github.com/wireapp/mls-test-cli && \
- cd mls-test-cli && \
- cargo build --release
 
 # Minimal dependencies for ubuntu-compiled, dynamically linked wire-server Haskell services
 FROM ubuntu:20.04
@@ -23,7 +27,7 @@ COPY --from=cryptobox-builder /tmp/cryptobox-c/target/release/libcryptobox.so /u
 
 # FUTUREWORK: only copy mls-test-cli executables if we are building an
 # integration test image
-COPY --from=cryptobox-builder /tmp/mls-test-cli/target/release/mls-test-cli /usr/bin
+COPY --from=mls-test-cli-builder /tmp/mls-test-cli/target/release/mls-test-cli /usr/bin
 
 RUN export DEBIAN_FRONTEND=noninteractive && \
  apt-get update && \

build/ubuntu/Dockerfile.prebuilder

@@ -70,4 +70,4 @@ ENV PATH=/root/.ghcup/bin:/root/.cabal/bin:${PATH} \
 
 ARG CABAL_VERSION=3.6.2.0
 RUN ghcup install cabal ${CABAL_VERSION} && \
- cabal install cabal-plan
+ cabal install cabal-plan -fexe

cabal.project

@@ -41,7 +41,6 @@ packages:
  , services/proxy/
  , services/spar/
  , tools/api-simulations/
- , tools/bonanza/
  , tools/db/assets/
  , tools/db/auto-whitelist/
  , tools/db/migrate-sso-feature-flag/
@@ -50,7 +49,6 @@ packages:
  , tools/db/find-undead/
  , tools/db/move-team/
  , tools/db/repair-handles/
- , tools/makedeb/
  , tools/rex/
  , tools/stern/
 
@@ -176,8 +174,6 @@ package bilge
  ghc-options: -Werror
 package billing-team-member-backfill
  ghc-options: -Werror
-package bonanza
- ghc-options: -Werror
 package brig
  ghc-options: -Werror
 package brig-types
@@ -212,8 +208,6 @@ package hscim
  ghc-options: -Werror
 package imports
  ghc-options: -Werror
-package makedeb
- ghc-options: -Werror
 package metrics-core
  ghc-options: -Werror
 package metrics-wai

cabal.project.freeze

@@ -1153,8 +1153,6 @@ constraints: any.AC-Angle ==1.0,
  any.hourglass ==0.2.12,
  any.hourglass-orphans ==0.1.0.0,
  any.hp2pretty ==0.10,
- any.hpack ==0.34.5,
- any.hpack-dhall ==0.5.3,
  any.hpc-codecov ==0.3.0.0,
  any.hpc-lcov ==1.0.1,
  any.hprotoc ==2.4.17,

cassandra-schema.cql

@@ -1718,6 +1718,7 @@ CREATE TABLE spar_test.idp (
  idp uuid PRIMARY KEY,
  api_version int,
  extra_public_keys list<blob>,
+ handle text,
  issuer text,
  old_issuers list<text>,
  public_key blob,

charts/backoffice/templates/configmap.yaml

@@ -23,10 +23,10 @@ data:
  # Both ibis and galeb should be made optional for
  # installations where these services are not available
  galeb:
- host: galeb
+ host: {{ .Values.config.galebHost }}
  port: 8080
  ibis:
- host: ibis
+ host: {{ .Values.config.ibisHost }}
  port: 8080
  nginx.conf: |
  worker_processes 1;
@@ -127,8 +127,14 @@ data:
  ssl_session_timeout 5m;
  ssl_prefer_server_ciphers on;
  ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
-
+ # NOTE: These are some sane defaults (compliant to TR-02102-2), you may want to overrride them on your own installation
+ # For TR-02102-2 see https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-2.html
+ # As a Wire employee, for Wire-internal discussions and context see
+ # * https://wearezeta.atlassian.net/browse/FS-33
+ # * https://wearezeta.atlassian.net/browse/FS-444
+ ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384'; # for TLS 1.2
+ # FUTUREWORK: upgrade nginx used for the backoffice to support ssl_conf_command (i.e. build a new backoffice-frontend), then uncomment below
+ # ssl_conf_command Ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384; # for TLS 1.3
  server {
  listen {{ .Values.service.internalPort }};
 

charts/backoffice/values.yaml

@@ -20,4 +20,6 @@ resources:
  cpu: 500m
 config:
  logLevel: Info
-baseUrl: http://localhost:8080
+ galebHost: galeb.integrations
+ ibisHost: ibis.integrations
+baseUrl: http://localhost:8080

charts/cannon/templates/conf/_nginx.conf.tpl

@@ -196,7 +196,8 @@ http {
  ssl_certificate_key /etc/wire/nginz/tls/tls.key;
 
  ssl_protocols {{ .Values.nginx_conf.tls.protocols }};
- ssl_ciphers {{ .Values.nginx_conf.tls.ciphers }};
+ ssl_ciphers {{ .Values.nginx_conf.tls.ciphers_tls12 }}; # this only sets TLS 1.2 ciphers (and has no effect if TLS 1.2 is not enabled)
+ ssl_conf_command Ciphersuites {{ .Values.nginx_conf.tls.ciphers_tls13 }}; # needed to override TLS 1.3 ciphers.
 
  # Disable session resumption. See comments in SQPIT-226 for more context and
  # discussion.
@@ -206,6 +207,8 @@ http {
  zauth_keystore {{ .Values.nginx_conf.zauth_keystore }};
  zauth_acl {{ .Values.nginx_conf.zauth_acl }};
 
+ add_header Strict-Transport-Security 'max-age=31536000; includeSubdomains; preload' always;
+
  location /status {
  zauth off;
  access_log off;
@@ -338,7 +341,7 @@ http {
 
  more_set_headers 'Access-Control-Expose-Headers: Request-Id, Location';
  more_set_headers 'Request-Id: $request_id';
- more_set_headers 'Strict-Transport-Security: max-age=31536000; preload';
+ more_set_headers 'Strict-Transport-Security: max-age=31536000; includeSubdomains; preload';
  }
 
  {{- end -}}

charts/cannon/values.yaml

@@ -46,7 +46,8 @@ nginx_conf:
  # As a Wire employee, for Wire-internal discussions and context see
  # * https://wearezeta.atlassian.net/browse/FS-33
  # * https://wearezeta.atlassian.net/browse/FS-444
- ciphers: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
+ ciphers_tls12: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
+ ciphers_tls13: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"
 
  # The origins from which we allow CORS requests. These are combined with
  # 'external_env_domain' to form a full url

charts/nginx-ingress-controller/values.yaml

@@ -8,7 +8,9 @@ nginx-ingress:
  # As a Wire employee, for Wire-internal discussions and context see
  # * https://wearezeta.atlassian.net/browse/FS-33
  # * https://wearezeta.atlassian.net/browse/FS-444
- ssl-ciphers: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
+ #
+ # Note/FUTUREWORK: this current ingress-controller does not yet support TLS 1.3 (and its ciphers). An upgrade/different helm chart will be provided in the future.
+ ssl-ciphers: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
  http2-max-field-size: 16k
  http2-max-header-size: 32k
  proxy-buffer-size: 16k

charts/nginz/templates/conf/_nginx.conf.tpl

@@ -283,7 +283,7 @@ http {
  {{- if (hasKey $location "body_buffer_size") }}
  client_body_buffer_size {{ $location.body_buffer_size -}};
  {{- end }}
- client_max_body_size {{ $location.max_body_size | default "64k" }};
+ client_max_body_size {{ $location.max_body_size | default $.Values.nginx_conf.default_client_max_body_size }};
 
  {{ if ($location.use_websockets) }}
  proxy_set_header Upgrade $http_upgrade;

charts/nginz/values.yaml

@@ -56,6 +56,7 @@ nginx_conf:
  - /search/top
  - /search/common
 
+ default_client_max_body_size: "256k"
  rate_limit_reqs_per_user: "10r/s"
  rate_limit_reqs_per_addr: "5r/m"
 
@@ -492,7 +493,6 @@ nginx_conf:
  - all
  spar:
  - path: /identity-providers
- max_body_size: 256k
  envs:
  - all
  - path: /i/sso

docs/.envrc

@@ -1,10 +1,8 @@
-env="$(nix-build $PWD/nix/default.nix -A env)"
+source_up
 
-PATH_add "${env}/bin"
+docs_env="$(nix-build $PWD/../nix/default.nix -A docsEnv)"
 
-# source .profile from `$env`.
-# This is only used to set things interpolated by nix. All static things should live inside here.
-[[ -f "${env}/.profile" ]] && source_env "${env}/.profile"
+PATH_add "${docs_env}/bin"
 
 # allow local .envrc overrides
 [[ -f .envrc.local ]] && source_env .envrc.local