wire-server

🇪🇺 Wire back-end services

AGPL-3.0 License

Downloads: 447
Stars: 2.6K
Committers: 69

wire-server - 2022-06-08

Published by battermann over 2 years ago

Release notes

  • The .cannon.drainTimeout setting on the wire-server helm chart has been
    removed and replaced with .cannon.config.drainOpts. (#2416)

  • Note for wire.com operators: deploy nginz (#2439)

API changes

  • The back-office (aka stern) team feature API now accepts an optional TTL parameter (in days), so features can be activated for a limited period. (#2417)

  • Disable rate limiting for /api-version (#2439)

Features

  • Drain websockets in a controlled fashion when cannon receives a SIGTERM or
    SIGINT. Instead of waiting for connections to close on their own, the websockets
    are now severed at a controlled pace. This allows for quicker rollouts of new
    versions. (#2416)

  • Optionally run cannon with its own nginz inside the same pod and connect it to a load balancer directly.
    This lets the cannon-slow-drain behaviour implemented in #2416 take effect, because there are no intermediate network hops that could break websocket connections all at once.
    Some (internal) context: https://wearezeta.atlassian.net/wiki/spaces/PS/pages/585564424/How+to+gracefully+drain+cannon+but+not+so+slowly
    For details on how to configure this, see docs/src/how-to/install/configuration-options.rst (#2421)

  • Support running brig with GeoIP database when using helm charts (#2406)

  • charts/nginz: Add upstream configuration for galeb (#2444)

  • charts/nginz: Allow upstreams to be in other namespaces (#2444)

  • CSV export in team management now includes the number of devices per user (#2407)

Bug fixes and other updates

  • charts/nginz: Resolve collision between brig and galeb endpoints. Ensure
    /self/consent and /signatures endpoints are configured in all environments (#2457)

  • When an IdP issuer (aka entity ID) is updated, the old issuer was still marked as "in use". (#2400)

  • On actions that require re-authentication a password is not required if the user has SAML credentials (#2430, #2434, #2437)

  • Use SCIM's preferred language as a fallback when provisioning users without a locale. (#2445)

Documentation

  • Feature configs should have different swagger schema names (#2425)

Internal changes

  • AllFeatureConfigs is now typed (#2403)

  • Type class for default team feature status (#2404)

  • charts/{redis-ephemeral,legalhold}: Use old index for bitnami repo as the new index doesn't have old versions of postgresql and redis helm charts (#2448)

  • Bump haskell/zlib version to 0.6.3.0 (#2431)

  • New internal brig endpoints for MLS KeyPackage -> Conversation association query/update (#2375)

  • galley: refactor withSettingsOverrides (#2381)

  • charts/{nginz,cannon}: Increase map_hash_bucket_size for nginx to 128 (#2443)

  • charts/{cannon,nginz}: values listed in
    nginx_conf.randomport_allowlisted_origins must be full hostnames. Hostnames
    listed here will be allowlisted with and without TLS. (#2438)

  • Remove binding of users to saml idps using saml (this has never been picked up by clients; use scim instead) (#2441)

  • Remove golden test case generator (#2442)

  • Convert Team CSV endpoint to Servant (#2419)

Federation changes

  • Send only the raw welcome message in the Galley "mls-welcome" federation endpoint (#2412)

wire-server - 2022-05-18

Published by sysvinit over 2 years ago

Release notes

  • If using cert-manager, you need to have at least version 1.0.0 (1.8.0 works at the time of writing) installed. Older cert-manager 0.15.X will no longer work. (#2401)

  • Upgrade team-settings version to 4.9.0-v0.29.7-0-142a76f (#2180)

API changes

  • Start version 2 of the public API. Main changes:

    • Asset endpoints have lost their v3 and v4 suffixes. So for example
      /assets/v3 has been replaced by /assets.
    • GET /conversations/:conv/assets/:id and GET /conversations/:conv/otr/assets/:id have been removed.
    • GET /assets/:key/v3 has been removed. Use the qualified endpoint GET /assets/:domain/:key instead.
    • DELETE /assets/:key/v3 has been removed. Use the qualified endpoint
      DELETE /assets/:domain/:key instead.
    • GET /connections has been removed. Use POST /list-connections instead.
    • POST /connections has been removed. Use POST /connections/:domain/:user instead.
    • PUT /connections/:domain/:user has been removed: use POST instead.
    • GET /conversations has been removed. Use POST /conversations/list-ids
      followed by POST /conversations/list instead.
    • POST /conversations/list/v2 has been replaced by POST /conversations/list.
    • POST /conversations/:domain/:conv/members/v2 has lost its v2 suffix, so
      it is now POST /conversations/:domain/:conv/members.
    • GET /users, GET /users/by-handle and GET /users/handles have been
      removed. Use POST /search/contacts instead.
    • GET /users/:id has been removed. Use the qualified endpoint GET /users/:domain/:id instead.
    • GET /users/:id/clients has been removed. Use the qualified endpoint GET /users/:domain/:id/clients instead.
    • GET /users/:id/clients/:client has been removed. Use the qualified
      endpoint GET /users/:domain/:id/clients/:client instead.

    Swagger documentation for the previous version of the API can be accessed at
    /v1/api/swagger-ui. (#2297)

  • A new field development has been added to the object returned by GET /api-version. Versions listed there are considered in flux, meaning that the
    corresponding API contracts can change arbitrarily over time. Clients are free
    to use development versions, as long as they are also listed in supported,
    and failures due to incompatibilities are acceptable (e.g. in testing
    environments). Backends are the authoritative source on whether a development
    version can be used at all. If a development version should not be used, the
    backend will not list it among the supported versions at all. (#2297)
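
The version selection described above, as an added example (not code from wire-server or its clients): a client picks the highest version it implements that the backend lists in supported, and takes a development version only when it has explicitly opted in. It assumes supported and development are arrays of integer version numbers; selectApiVersion, versionedPath and the sample response are hypothetical, and the /vN prefix is the one described in the 2022-02-21 release notes.

```javascript
// Added example, not wire-server code.
// Assumption: GET /api-version returns `supported` and `development` as arrays
// of integer version numbers. The page names the fields but not their types.

// Normalise an untrusted field into a set of non-negative integers.
// Anything that is not an array is treated as "no versions".
function toVersionSet(value) {
  if (!Array.isArray(value)) return new Set();
  return new Set(value.filter((v) => Number.isInteger(v) && v >= 0));
}

// Pick the version to use, or null when there is no usable overlap.
//   apiVersion     - parsed body of GET /api-version
//   clientVersions - versions this client implements
//   options.allowDevelopment - opt in to "in flux" versions (test environments)
function selectApiVersion(apiVersion, clientVersions, options = {}) {
  const allowDevelopment = options.allowDevelopment === true;
  const body =
    apiVersion !== null && typeof apiVersion === 'object' ? apiVersion : {};
  const supported = toVersionSet(body.supported);
  const development = toVersionSet(body.development);

  const usable = [...toVersionSet(clientVersions)]
    // The backend is authoritative: a version missing from `supported` is
    // never used, even if it shows up under `development`.
    .filter((v) => supported.has(v))
    // Development versions have unstable contracts; skip them by default.
    .filter((v) => allowDevelopment || !development.has(v))
    .sort((a, b) => b - a);

  if (usable.length === 0) return null;
  const version = usable[0];
  return {
    version,
    prefix: `/v${version}`,
    development: development.has(version),
  };
}

// Build the versioned route, failing closed when negotiation found nothing.
function versionedPath(selection, route) {
  if (selection === null) {
    throw new Error('no mutually supported API version');
  }
  if (typeof route !== 'string' || !route.startsWith('/')) {
    throw new Error('route must start with "/"');
  }
  return selection.prefix + route;
}

// Constructed sample response (not captured from a real backend).
const SAMPLE_API_VERSION = {
  supported: [0, 1, 2, 3],
  development: [3],
  federation: false,
  domain: 'example.com',
};

const stableChoice = selectApiVersion(SAMPLE_API_VERSION, [1, 2, 3]);
console.log(versionedPath(stableChoice, '/conversations'));
```

Returning null instead of falling back to an unversioned request keeps a client from silently talking to a contract it was not built for.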

Features

  • charts: Various new values can now be configured and some got changed

    Allow new configurations in the brig chart:

    • config.emailSMS.user.invitationUrl
    • config.emailSMS.team.tInvitationUrl
    • config.emailSMS.team.tActivationUrl
    • config.emailSMS.team.tCreatorWelcomeUrl
    • config.emailSMS.team.tMemberWelcomeUrl
    • config.setProviderSearchFilter
    • config.setWhitelist
    • config.setFeatureFlags
    • config.setCustomerExtensions

    If any values in config.emailSMS.team are specified, all must be specified.

    Allow new configurations in the gundeck chart:

    • config.perNativePushConcurrency
    • config.maxConcurrentNativePushes.soft
    • config.maxConcurrentNativePushes.hard

    Other changes:

    • Default maxTeamSize changed to 10000 from 500. (#2347)

  • charts/nginx-ingress-services: Allow more fine-grained control over what services are installed. Upgrade Certificate/Issuer resources to 'cert-manager.io/v1' (#2401)

  • MLS implementation progress:

    • remote key package claim is now supported (#2353)

  • charts/{brig,cargohold,galley,gundeck}: Allow not configuring AWS credentials and allow using a special service account.
    This way, when operating wire in AWS cloud either instance profiles or IAM role attached to a service account can be used to communicate with AWS. (#2347)

  • Implement TURN service discovery using SRV records (#2389)

Bug fixes and other updates

  • When config.enablePayment and FEATURE_ENABLE_PAYMENT (envVars) were set,
    the team-settings feature flag FEATURE_ENABLE_PAYMENT was rendered two times.
    The new behavior is to give the envVars entry priority. I.e. when it's set,
    it's used instead of the config.enablePayment value. (#2332)

  • Modify the nginz access control configuration to prevent clients connecting
    to listeners with PROXY protocol enabled (such as the websocket listener) from
    accessing a private metrics endpoint. (#2307)

  • Verification email is sent when external id is updated via SCIM (#2374)

Documentation

  • Move old /docs to /docs/legacy (leaving references). (#2328)

  • Fixup for #2321 (#2323)

  • Add pagination docs to POST /list-connections (#2369)

  • Documentation for the 2nd factor password challenge feature (#2329)

  • Documentation on how to enforce desktop application only for web app (#2334)

  • Documentation on how to enforce constant bit rate for all calls (#2336)

  • Documentation on how to disable media plugins for the web app (#2337)

  • Documentation on how to extra entropy in the web app (#2338)

  • Documentation on how to set the instance connection parameters and proxy settings (#2340)

  • Merged SAML/SCIM docs with its main documentation (#2356)

Internal changes

  • View and change team feature permissions apply to all features now (#2402)

  • Add sed to direnv (#2319)

  • Add python3 to nix development environment. It's needed by hack/bin/serve-charts.sh . (#2333)

  • Add a target to the Makefile to run ShellCheck. I.e. to run a linter on shell scripts. This will be used in the CI. For now, all scripts with linter issues are excluded from this check. (#2361)

  • Drop snappy support from bonanza (#2350)

  • Use cabal in buildah-based builds (#2341)

  • Fix flakiness of path traversal test (#2387)

  • Github Actions: disable mac builds (#2355)

  • Apply versionMiddleware last. This makes sure that every other middleware sees
    the rewritten (unversioned) path. In particular, the prometheus middleware will
    now only see paths it knows about, which prevents it from reporting "N/A" as the
    path. (#2316)

  • Upgrade version of libzauth dependencies, notably sodiumoxide bindings to libsodium, and fix resulting errors and warnings. (#2327)

  • libzauth: Update sha256 for source in nix expression (#2354)

  • Log IO exceptions in Galley and Brig (#2385)

  • Generalise and move the Logger effect (#2306)

  • Fix a comment in a Makefile target (#2330)

  • Fix flaky MLS conversation creation test (#2386)

  • Fix flaky key package test (#2384)

  • Fix locale variables in Nix and .envrc (#2393)

  • Team Member API has been migrated to Servant (#2309)

  • Integration test for edge case: change external id before account registration (#2396)

  • Allow specifying 'redisAdditionalWrite' for a secondary redis to which gundeck will write in the context of a redis migration without downtime. (#2304)

  • Start TURN discovery only when the app starts and not when the Env is created (#2376)

  • Avoid using IN queries for fetching multiple conversations (#2397)

  • Remove ormolu GH action (has been moved to concourse https://github.com/zinfra/cailleach/pull/1033) (#2320)

  • Remove unused data type AllowedUserSearch (#2373)

  • docs: add latex to docs and publish pdf if exists (#2321)

Federation changes

  • We now fetch version information from other backends and negotiate a version to use. (#2297)

  • Fix assertion in testWelcomeNoKey (#2372)

  • Support remote welcome messages (#2368)

  • Implement remote admin action: Update receipt mode (#2141)

wire-server - 2022-05-04

Published by battermann over 2 years ago

Release notes

  • Upgrade webapp version to 2022-05-04-production.0-v0.29.7-0-a6f2ded (#2302)

wire-server - 2022-04-25

Published by battermann over 2 years ago

Release notes

Features

  • [helm-charts] Allow filtering cassandra nodes by datacenter (#2273)

  • MLS implementation progress:

    • commit messages containing add proposals are now processed (#2247)
    • do initial validation and forwarding of all types of messages via POST /mls/messages (#2253)
    • fixed bug where users could not be added to MLS conversations if they had non-MLS clients (#2290)
    • MLS/Proteus mismatches (e.g. sending a proteus message to an MLS conversation) are now handled (#2278)
    • the POST /mls/key-packages/claim endpoint gained a skip_own query parameter, which can be used to avoid claiming a key package for the requesting client itself (#2287)

  • The user profiles that are returned by a team admin search now contain the additional fields SAML NameID, IdP Issuer, and SCIM externalId (#2213), and unvalidated email address (#2220)

  • Avoid dropping messages when redis is down. (#2295)

Bug fixes and other updates

  • Add missing helm chart mapping for inbound search visibility (#2265)

  • Fix bug: User search endpoint hides exact handle results in SearchVisibilityNoNameOutsideTeam setting (#2280)

  • backoffice app (aka stern):

    • Suspending a non-existing user now returns 404 and does not create an empty entry in the DB (#2267)
    • Support for deleting teams with more than one member (#2275)
    • Fix update of user email (#2281)

Documentation

  • Import wire-docs to docs/ (see also #2258)

Internal changes

  • Migrate API routes from wai-route to servant for better Swagger (#2284, #2277, #2266, #2286, #2294, #2244)

  • Update nginx to latest stable: v1.20.2 (#2289)

  • Allow additional origins at random ports in nginz Helm chart. This is useful for
    testing with an HTTP proxy. It should not be used in production. (#2283)

  • makedeb and bonanza: remove stack-based Makefiles (#2311)

  • Add skip_reauth param to internal API for creating clients. This is intended to be used in tests. (#2260)

  • Removes an unused function in Brig and relocates another one (#2305)

  • Print more logs while migrating data in Elasticsearch (#2279)

  • Replace the base monad in Brig with the Polysemy Sem monad (#2264, #2288)

  • Move the Random effect from Spar to the polysemy-wire-zoo library (#2303)

  • Move the Now effect from Spar to a library (#2292)

  • Improve readability of user search test cases (#2276)

  • Chart/gundeck's 'bulkpush' optimization is now activated by default (after using it in production for some time) (#2293)

  • Add an alpha version of a Helm chart for coturn. (#2209)

  • Document error handling and simplify error logging (#2274)

  • Improve speed of reindexing by increasing the batch size of processing users. (#2200)

  • Fix federator integration tests (#2298)

  • Switch the Haskell driver used in Gundeck to connect to Redis from 'redis-io' to 'hedis', which now supports cluster mode. (#2151)

  • Various Galley MLS test improvements and cleanups (#2278)

  • Flag for sending a validation email when updating a user's email address via backoffice/stern (#2301)

  • Remove stack from all builder docker images (#2312)

  • Make internal search-visibility endpoint available to staging environments (#2282)

  • Remove TemplateHaskell as a global default extension (#2291)

wire-server - 2022-04-04

Published by battermann over 2 years ago

Release notes

API changes

  • New endpoint to get the status of the guest links feature for a conversation that potentially has been created by someone from another team. (#2231)

Features

  • Cross-team user search (#2208)

  • restund chart: add dtls support (#2227)

  • MLS implementation progress:

    • welcome messages are now being propagated (#2175)

  • The bot API will be blocked if the 2nd factor authentication team feature is enabled. Please refer to /docs/reference/config-options.md#2nd-factor-password-challenge. (#2207)

  • Translations for 2nd factor authentication email templates (#2235)

  • Script for creating a team with owner via the public API (#2218)

Bug fixes and other updates

  • Conversation rename endpoints now return 204 instead of 404 when the conversation name is unchanged (#2239)

  • Revert temporary sftd bump (#2230)

Internal changes

  • Remove the MonadMask instance for AppT in Brig (#2259)

  • Remove the MonadUnliftIO instance for the app monad in Brig (#2233)

  • Bump hsaml2 version (#2221)

  • Fix: cabal-install-artefacts.sh fails if not run from root of wire-server (#2236)

  • Fix: pushing to cachix not working (#2257)

  • Cannon has been fully migrated to Servant (#2243)

  • Refactor conversation record and conversation creation functions. This removes a lot of duplication and makes the types of protocol-specific data in a conversation tighter. (#2234)

    • Move conversation name size check to NewConv
    • Make the NewConversation record (used as input to the data
      function creating a conversation) contain a ConversationMetadata.
    • Implement all "special" conversation creation in terms of a general createConversation
    • Move protocol field from metadata to Conversation
    • Restructure MLS fields in Conversation record
    • Factor out metadata fields from Data.Conversation

  • Fix Docs: real-world domain used in examples (#2238)

  • The CanThrow combinator can now be used to set the corresponding error effects in polysemy handlers. (#2239)

  • Most error effects in Galley are now defined at the granularity of single error values. For example, a handler throwing ConvNotFound will now directly declare ConvNotFound (as a promoted constructor) among its error effects, instead of the generic ConversationError that was used before. Correspondingly, all such fine-grained Galley errors have been moved to wire-api as constructors of a single enumerated type GalleyError, and similarly for Brig, Cannon and Cargohold. (#2239)

  • Add a column for MLS clients to the Galley member table (#2245)

  • Pin direnv version in nix-hls.sh script (#2232)

  • nginx-ingress-services chart: allow for custom challenge solvers (#2222, #2229)

  • Remove unused debian Makefile targets (#2237)

  • Use local serial consistency for Cassandra lightweight transactions (#2251)

wire-server - 2022-03-30

Published by jschaul over 2 years ago

Release notes

  • Upgrade webapp version to 2022-03-30-production.0-v0.29.2-0-d144552 (#2246)

wire-server - 2022-03-18

Published by fisx over 2 years ago

Release notes

  • Deploy Brig before Spar. (#2149)
  • If you are in a federated network of backends, you need to update all participating instances at the same time. (#2173)

API changes

  • The client JSON object now has an additional field mls_public_keys, containing an object mapping signature schemes to public keys, e.g.

    {
      ...
      "mls_public_keys": { "ed25519": "GY+t1EQu0Zsm0r/zrm6zz9UpjPcAPyT5i8L1iaY3ypM=" }
      ...
    }
    

    At the moment, ed25519 is the only supported signature scheme, corresponding to MLS ciphersuite 1.

    When creating a new client with POST /clients, the field mls_public_keys can be set, and the corresponding public keys are bound to the device identity on the backend, and will be used to verify uploaded key packages with a matching signature scheme.

    When updating a client with PUT /clients/:client, the field mls_public_keys can also be set, with a similar effect. If a given signature scheme already has a public key set for that device, the request will fail. (#2147)

  • Introduce an endpoint for creating an MLS conversation (#2150)

  • The /billing and /teams/.*/billing endpoints are now available on a versioned path (e.g. /v1/billing) (#2167)

Features

  • MLS implementation progress:

    • key package refs are now mapped after being claimed (#2192)

  • 2nd factor authentication via 6 digit code, sent by email:

    • for login, sent by email. The feature is disabled per default and can be enabled server or team wide. (#2142)
    • for "create SCIM token". The feature is disabled per default and can be enabled server or team wide. (#2149)
    • for "add new client" via 6 digit code, sent by email. This only happens inside the login flow (in particular, when logging in from a new device). The code obtained for logging in is used a second time for adding the device. (#2186)
    • 2nd factor authentication for "delete team" via 6 digit code, sent by email. (#2193)
    • The SndFactorPasswordChallenge team feature is locked by default. (#2205)
    • Details: /docs/reference/config-options.md#2nd-factor-password-challenge

Bug fixes and other updates

  • Fix data consistency issue in import of users from TM invitation to SCIM-managed (#2201)

  • Use the same context string as openmls for key package ref calculation (#2216)

  • Ensure that only conversation admins can create invite links. (Until now we have relied on clients to enforce this.) (#2211)

Internal changes

  • account-pages Helm chart: Add a "digest" image option (#2194)

  • Add more test mappings (#2185)

  • Internal endpoint for re-authentication (GET "/i/users/:uid/reauthenticate") in brig has changed in a backwards compatible way. Spar depends on this change for creating a SCIM token with 2nd password challenge. (#2149)

  • Asset keys are now internally validated. (#2162)

  • Spar debugging; better internal combinators (#2214)

  • Remove the MonadClient instance of the Brig monad

    • Lots of functions were generalized to run in a monad constrained by
      MonadClient instead of running directly in Brig's AppIO r monad. (#2187)

Federation changes

  • Refactor conversation actions to an existential type consisting of a singleton tag (identifying the action) and a dedicated type for the action itself. Previously, actions were represented by a big sum type. The new approach enables us to describe the needed effects of an action much more precisely. The existential type is initialized by the Servant endpoints in a way to mimic the previous behavior. However, the messages between services changed. Thus, all federated backends need to run the same (new) version. The deployment order itself does not matter. (#2173)

wire-server - 2022-03-09

Published by fisx over 2 years ago

[2022-03-09]

Release notes

wire-server - 2022-03-07

Published by fisx over 2 years ago

Release notes

  • For wire.com operators: make sure that nginz is deployed (#2166)

API changes

  • Add qualified broadcast endpoint (#2166)

Bug fixes and other updates

  • Always create spar credentials during SCIM provisioning when applicable (#2174)

Internal changes

  • Add tests for additional information returned by GET /api-version (#2159)

  • Clean up Base64ByteString implementation (#2170)

  • The Event record type does not contain a type field anymore (#2160)

  • Add MLS message types and corresponding deserialisers (#2145)

  • Servantify POST /register and POST /i/users endpoints (#2121)

wire-server - 2022-03-01

Published by akshaymankar over 2 years ago

Release notes

  • Upgrade webapp version to 2022-02-22-production.0-v0.29.2-0-abb34f5 (#2148)

API changes

  • The api-version endpoint now returns additional information about the backend:

    • whether federation is supported (field federation);
    • the federation domain (field domain).

    Note that the federation domain is always set, even if federation is disabled. (#2146)

  • Add MLS key package API (#2102)

Internal changes

  • Bump aeson to v2.0.3.0 and update amazonka fork from upstream repository. (#2153, #2157, #2163)

  • Add schema-profunctor instances for QueuedNotification and QueuedNotificationList (#2161)

  • Dockerfile.builder: Add cabal update (#2168)

Federation changes

  • Make restrictions on federated user search configurable by domain: NoSearch, ExactHandleSearch and FullSearch.
    Details about the configuration are described in config-options.md.
    There are sane defaults (deny to find any users as long as there is no other configuration for the domain), so no measures have to be taken by on-premise customers (unless the default is not the desired behavior). (#2087)

wire-server - 2022-02-21

Published by fisx over 2 years ago

Release notes

  • Upgrade team-settings version to 4.6.1-v0.29.3-0-28cbbd7 (#2106)
  • Upgrade webapp version to 2022-02-08-production.0-v0.29.2-0-4d437bb (#2107)
  • Change the default set of TLS ciphers (both for the client and the federation APIs) to be compliant with the recommendations of TR-02102-2. (#2112)
  • For wire.com operators: make sure that nginz is deployed. (#2116, #2124)
  • Optional team feature config validateSAMLEmails added to galley.yaml.
    The feature was disabled by default before this release and is now enabled by default. The server wide default can be changed in galley.yaml. Please refer to /docs/reference/config-options.md#validate-saml-emails (#2117)

API changes

  • Added minimal API version support: a list of supported API versions can be found at the endpoint GET /api-version. Versions can be selected by adding a prefix of the form /vN to every route, where N is the desired version number (so for example /v1/conversations to access version 1 of the /conversations endpoint). (#2116)
  • Delete GET /self/name endpoint (#2101)
  • New endpoint (POST /verification-code/send) for generating and sending a verification code for 2nd factor authentication actions. (#2124)

Features

  • Add freetext search results to "search-users" federation endpoint (#2085)

Bug fixes and other updates

  • Ensure empty responses show up without a schema in swagger. They were shown as empty arrays before. (#2104)
  • Require the guest links feature is enabled when someone joins by code. (#2084)
  • Escape disallowed characters at the beginning of CSV cells to prevent CSV injection vulnerability. (#2096)
  • The field icon in the body of the PUT /team/:tid endpoint is now typed to prevent potential injection attacks. (#2103)

Internal changes

  • Enforce conversation access roles more tightly on the backend (was previously only enforced on the client): if guests or non-team-members are not allowed, block guest link creation (new behavior) as well as ephemeral users joining (old behavior). (#2076)
  • Remove uses of servant-generics from brig (#2100, #2086)
  • Migrate more API end-points to servant. (#2016, #2081, #2091)
  • Introduce the row type variable in Brig monads (#2140)
  • Build ubuntu20 docker images with cabal instead of stack (#2119, #2060)
  • Drop managed conversations (#2125)
  • To investigate issues related to push notifications, adjust Gundeck Debug leveled logs to not print the message itself, so that they can safely be turned on in production environments. Add a log entry when a bulk notification is pushed to Cannon. (#2053)
  • Add integration tests for scim/saml user creation (#2123)
  • Wrap stack with NIX_BUILD_SHELL set to LD_LIBRARY_PATH compatible shell (#2105)
  • Removed redundant setDefaultTemplateLocale config from the brig helm template. (#2099)
  • [not done yet, please do not enable] Optional team feature config sndFactorPasswordChallenge added to galley.yaml.
    The feature is disabled by default. The server wide default can be changed in galley.yaml. Please refer to /docs/reference/config-options.md#2nd-factor-password-challenge (#2138)
  • Prometheus: Ignore RawResponses (e.g. cannon's await responses) from metrics (#2108)
  • Refactor internal handlers for Proteus conversation creation (#2125)
  • Specify (in a test) how a message to a deleted legalhold device is refused to be sent. (#2131)

Federation changes

  • Add setSftListAllServers config flag to brig (#2139)
  • Revert restund to 0.4.17. (#2114)

wire-server - 2022-02-02

Published by jschaul over 2 years ago

Release notes

  • Upgrade webapp version to 2022-01-27-production.0-v0.28.29-0-42c9a1e (#2078)

Features

  • Allow brig's additionalWriteIndex to be on a different ElasticSearch cluster.
    This allows migrating to a new ElasticSearch cluster. (#2063)

  • The file sharing team feature now has a server wide configurable lock status. For more information please refer to /docs/reference/config-options.md#file-sharing. (#2059)

Internal changes

  • Remove non-existing functions from module export lists (#2095)

  • Rename Spar.Sem.IdP to Spar.Sem.IdPConfigStore (#2067)

  • Endpoints based on MultiVerb can now be made to return content types not listed in the Accept header (#2074)

  • The lock status of the file sharing team feature can be updated via the internal API (PUT /i/teams/:tid/features/fileSharing/(un)?locked). (#2059)

  • Servantify Galley Teams API (GET /teams/:tid and DELETE /teams/:tid). (#2092)

  • Add explicit export lists to all Spar.Sem modules (#2070)

  • Separate some Spar.Sem utility functions into their own module (#2069)

wire-server - 2022-01-28

Published by fisx over 2 years ago

Release notes

  • Bump the webapp version. (#2082)

Internal changes

  • Additional integration testing for conversation access control. (#2057)

wire-server - 2022-01-27

Published by fisx over 2 years ago

Release notes

  • The nginz chart now configures nginx to only allow cross-origin requests from an explicit allow list of subdomains. By default these are:

    nginz:
      nginx_conf:
        allowlisted_origins:
        - webapp
        - teams
        - account
    

    If you changed the names of these services, you must adjust those names in the nginz config as well. (#1630)

  • Backend now separates conversation access control for guests and services. The old access roles are still supported but it is encouraged to upgrade clients since mapping between the old access roles and the new access roles is not isomorphic. For more details refer to the API changes below or the Swagger docs.
    Old clients are fully supported; if new clients and old clients are mixed, either guests or services may appear to old clients to be enabled when they are not, which may lead to error messages (confusing but harmless). (#2035)

API changes

  • Endpoints that recently have accepted access_role in their payload will now accept access_role_v2 as well which will take precedence over access_role. See Swagger docs for how values are mapped. Endpoints that recently have returned access_role in their payload will now additionally return the access_role_v2 field. (#2035)

Features

  • Conversation access roles now distinguish between guests and services. (#2035)

Bug fixes and other updates

  • There is now an explicit CORS allow list for all endpoints. In previous releases, all subdomains were accepted, however they must now be listed explicitly. This is a breaking change, as now only known Javascript applications may access the backend. (#1630)
  • Prevent 500s when SFTs are not reachable from Backend (#2077)

Internal changes

  • Bump hsaml2 package version (#2075)
  • Separate Spar.Data module into smaller Cassandra interpreters (#2064)
  • Fix some HLint issues in libs/wire-api. (#2065)
  • Fix broken build process of package "old-time" for some environments (#2056)
  • Refresh license headers (#2062)
  • Rename Spar.Sem.ScimTokenStore.GetByTeam to LookupByTeam (#2068)
  • (Try syntax change in config file that breaks nginz (#2073, reverted in a4a6193f9494))

Federation changes

  • Tag several federation tests cases for the M2 release (#2045)

wire-server - 2022-01-18

Published by akshaymankar over 2 years ago

Changes

Release notes

  • This release introduces a mandatory federationDomain configuration setting to cargohold. Please update your values/wire-server/values.yaml to set cargohold.settings.federationDomain to the same value as the corresponding option in galley (and brig). (#1990)
  • The brig server config option setDefaultLocale has been replaced by setDefaultUserLocale and setDefaultTemplateLocale (see docs/reference/config-options.md for details) (#2028)
  • From this release onwards, the images for haskell components (brig, galley,
    cargohold, etc.) will be using Ubuntu 20.04 as the base. The images are about
    30-35 MB larger than the previous alpine based images. (#1852)
  • Wire cloud operators: Make sure #35 is applied to all SFT servers before deploying. (#2030)

API changes

  • The deprecated endpoint GET /teams now ignores query parameters ids, start (#2027)
  • Add qualified v4 endpoints for downloading and deleting assets. The upload API is still on the same path, but the asset object it returns now contains a domain field. (#2002)
  • Remove resumable upload API (#1998)

Features

  • Allow configuring setDefaultLocale in brig using helm chart (#2025)
  • If the guest links team feature is disabled guest links will be revoked. (#1976)
  • Revoke guest links if feature is disabled. If the guest links team feature is disabled get /conversations/join, post /conversations/:cnv/code, and get /conversations/:cnv/code will return an error. (#1980)
  • Specialize setDefaultLocale to distinguish between default user locale and default template locale if the user's locale is n/a. (#2028)

Bug fixes and other updates

  • Fix an issue with remote asset streaming (#2037, #2038)

Documentation

  • Annotate a first batch of integration and unit tests to map them to externally-facing documentation (#1869)
  • Add the description to several test cases (#1991)
  • Improve documentation for stern tool and helm chart (#2032)

Internal changes

  • Replace servant-generic in Galley with a custom Named combinator (#2022)
  • The Swagger documentation module is not regenerated anymore if its content is unchanged (#2018)
  • cabal-run-integration.sh - remove Makefile indirection (#2044)
  • Fix test runner for global cabal make target (#1987)
  • The cabal-install-artefacts.sh script now creates the dist directory if it does not exist (#2007)
  • Set purge: false in fake-s3 chart (#1981)
  • Add missing backendTwo.carghold in integration.yaml (#2039)
  • Use GHC 8.10.7 and stack 2.7.3 for builds (#1852)
  • Fix non-controversial HLint issues in federator to improve code quality (#2011)
  • Added laws for DefaultSsoCode, Now, IdP and ScimExternalIdStore (#1940)
  • Moved specifications for Spar effects out of the test suite and into the library (#2005)
  • Tag integration tests for security audit. (#2000)
  • Upgrade nixpkgs pin used to provision development dependencies (#1852)
  • Servantify Galley Teams API. (#2008, #2010, #2027)
  • When sending an activation code, the blocked domains are checked before the whitelist. This only affects the wire SaaS staging environment (there is no whitelist configuration in prod, and blocked domains are not applicable to on-prem installations). (#2023)
  • Add a helm chart that deploys restund (#2003)
  • Publish restund helm chart (#2036)
  • Improve optional field API in schema-profunctor (#1988)
  • Migrate the public API of Cannon to Servant. (There is an internal API that is not yet migrated.) (#2024)
  • sftd chart: Add multiSFT option, remove additionalArgs option (#1992)
  • sftd chart: Fix quoted args for multiSFT option (#1999)
  • rangedSchema does not need to be passed singletons explicitly anymore (#2017)
  • Split cannon benchmarks and tests (#1986)
  • Tag integration tests for certification. (#1985)
  • Tag integration tests for certification. (#2001)
  • New internal endpoint to configure the guest links team feature. (#1993)

Federation changes

  • Make federator capable of streaming responses (#1966)
  • Use Named routes for the federation API (#2033)
  • Fix Brig's configmap for SFT lookups (#2015)
  • SFTD chart: provide a /sft_servers_all.json url that can be used by brig to populate /calls/config/v2 (#2019)
  • Allow making HTTP-only requests to SFTs via an IPv4 address (#2026)
  • Replace IPv4-HTTP-only Approach to SFT Server Lookup with /sft_servers_all.json (#2030)
  • Extend GET /calls/config/v2 to include all SFT servers in federation (#2012)
  • Improve Brig's configuration for SFTs and fix a call to SFT servers (#2014)
  • Enable downloading assets from a remote (federated) cargohold instance via the v4 API. The content of remote assets is returned as stream with content type application/octet-stream. Please refer to the Swagger API documentation for more details. (#2004)

wire-server - 2021-12-10

Published by sysvinit almost 3 years ago

This release includes changes from both the 2021-12-02 and 2021-12-10 versions, as 2021-12-02 was not properly released on GitHub.

Release notes

  • Breaking change to the fake-aws-s3 (part of fake-aws) helm chart. We now use minio helm chart from https://charts.min.io. The options are documented here (#1944)

    Before running the upgrade, the operators must use kubectl edit deployment fake-aws-s3 and explicitly set spec.template.spec.containers[0].serviceAccount and spec.template.spec.containers[0].serviceAccountName to null. (#1944)

  • Upgrade team-settings version to 4.3.0-v0.28.28-a2f11cf (#1856)

  • Upgrade webapp version to 2021-12-02-production.0-v0.28.29-0-ec2fa00 (#1954)

  • If you have selfDeletingMessages configured in galley.yaml, add lockStatus: unlocked. (#1963)

  • Upgrade SFTD to 2.1.19. (#1983)

API changes

  • A new endpoint is added to Brig (put /users/:uid/email) that allows a team owner to initiate changing/setting a user email by (re-)sending an activation email. (#1948)
  • The get team feature config response for self deleting messages includes the lock status (#1963)
  • A new public Galley endpoint was added to dis-/enable the conversation guest link feature. The feature can only be configured through the public API if the lock status is unlocked in the server config. (#1964)
  • New internal endpoints for setting the lock status of self deleting messages (#1963)

Features

  • By default install elasticsearch version 6.8.18 when using the elasticsearch-ephemeral chart (#1952)

  • Use fluent-bit chart from fluent.github.io instead of deprecated charts.helm.sh. Previous fluent-bit values are not compatible with the new chart, the documentation for the new chart can be found here (#1952)

  • Use kibana chart from helm.elastic.co instead of deprecated charts.helm.sh. Previous kibana values are not compatible with the new chart, the documentation for the new chart can be found here. This also upgrades kibana to version 6.8.18. (#1952)

  • Use kube-prometheus-stack instead of prometheus-operator and update grafana dashboards for compatibility and add federation endpoints to relevant queries. (#1915)

  • Add log format called 'StructuredJSON' for easier log aggregation (#1951)

  • Team and server wide config for conversation guest link feature to configure feature status and lock status (#1964). If the feature is not configured on the server, the defaults will be:

      featureFlags:
        ...
        conversationGuestLinks:
          defaults:
            status: enabled
            lockStatus: unlocked
    
  • Lock status for the self deleting messages feature can be set internally by ibis and customer support (#1963)

Bug fixes and other updates

  • elasticsearch-ephemeral: Disable automatic creation of indices (#1949)

  • Correctly detect log level when rendering logs as structured JSON (#1959)

Documentation

  • Document the wire-server PR process better. (#1934)

  • Remove documentation of unsupported scim end-point use case. (#1941)

  • Document servant setup and combinators (#1933)

  • Fix typo in swagger. (#1982)

  • Proposal for API versioning system. (#1958)

  • Update federation error documentation after changes to the federation API (#1956, #1975, #1978)

Internal changes

  • Add in-memory interpreters for most Spar effects (#1920)

  • Use minio helm chart in fake-aws-s3 from charts.min.io instead of helm.min.io, the latter seems to be down (#1944)

  • Upgrade to polysemy-1.7.0.0 (#1932)

  • Replace Galley monad with polysemy's Sem throughout Galley (#1917)

  • Separate VerdictFormatStore effect from AReqIdStore effect (#1925)

  • Suspend/unsuspend teams in backoffice/stern. (#1977)

  • Set request ID correctly in galley logs (#1967)

  • Improve cabal make targets: faster installation and better support for building and testing all packages (#1979)

  • sftd chart: add config key additionalArgs (#1972)

Federation changes

  • The server-to-server API now uses HTTP2 directly instead of gRPC (#1930)

  • Errors when leaving a conversation are now correctly handled instead of resulting in a generic federation error. (#1928)

  • Add cargohold as a new federated component (#1973)

wire-server - 2021-11-15

Published by akshaymankar almost 3 years ago

Changes

Release notes

  • In case you use a multi-datacentre cassandra setup (most likely you do not), be aware that now LOCAL_QUORUM is in use as a default. (#1884)
  • Deploy galley before brig. (#1857)
  • Upgrade webapp version to 2021-11-01-production.0-v0.28.29-0-d919633 (#1856)

API changes

  • Remove locale from publicly facing user profiles (but not from the self profile) (#1888)

Features

  • End-points for configuring self-deleting messages. (#1857)

Bug fixes and other updates

  • Ensure that all endpoints have a correct handler in prometheus metrics (#1919)
  • Push events when AppLock or SelfDeletingMessages config change. (#1901)

Documentation

  • Federation: Document how to deploy local builds (#1880)

Internal changes

  • Add a 'filterNodesByDatacentre' config option useful during cassandra DC migration (#1886)
  • Add ormolu to the direnv, add a GH Action to ensure formatting (#1908)
  • Turn placeholder access effects into actual Polysemy effects. (#1904)
  • Fix a bug in the IdP.Mem interpreter, and added law tests for IdP (#1863)
  • Introduce fine-grained error types and polysemy error effects in Galley. (#1907)
  • Add polysemy store effects and split off Cassandra specific functionality from the Galley.Data module hierarchy. (#1890, #1906)
  • Make golden-tests in wire-api package a separate test suite (for faster feedback loop during development). (#1926)
  • Separate IdPRawMetadataStore effect from IdP effect (#1924)
  • Test sending message to multiple remote domains (#1899)
  • Use cabal to build wire-server (opt-in) (#1853)

Federation changes

  • Close GRPC client after making a request to a federator. (#1865)
  • Do not fail user deletion when a remote notification fails (#1912)
  • Add a one-to-one conversation test in getting conversations in the federation API (#1899)
  • Notify remote participants when a user leaves a conversation because they were deleted (#1891)

wire-server - 2021-10-29

Published by julialongtin almost 3 years ago

Release notes

  • Upgrade SFT to 2.1.15 (#1849)
  • Upgrade team settings to Release: v4.2.0 and image tag: 4.2.0-v0.28.28-1e2ef7 (#1856)
  • Upgrade Webapp to image tag: 20021-10-28-federation-m1 (#1856)

API changes

  • Remove POST /list-conversations endpoint. (#1840)
  • The member.self ID in conversation endpoints is qualified and available as
    "qualified_id". The old unqualified "id" is still available. (#1866)

Features

  • Allow configuring nginz so it serves the deeplink for apps to discover the backend (#1889)
  • SFT: allow using TURN discovery using 'turnDiscoveryEnabled' (#1519)

Bug fixes and other updates

  • Fix an issue related to installing the SFT helm chart as a sub chart to the wire-server chart. (#1677)
  • SAML columns (Issuer, NameID) in CSV files with team members. (#1828)

Internal changes

  • Add a 'make flake-PATTERN' target to run a subset of tests multiple times to trigger a failure case in flaky tests (#1875)
  • Prevent a flaky test related to phone updates from failing and improve failure output. (#1874)
  • Brig: Delete deprecated GET /i/users/connections-status endpoint. (#1842)
  • Replace shell.nix with direnv + nixpkgs.buildEnv based setup (#1876)
  • Make connection DB functions work with Qualified IDs (#1819)
  • Fix more Swagger validation errors. (#1841)
  • Turn Galley into a polysemy monad stack. (#1881)
  • Internal CI tooling improvement: decrease integration setup time by using helmfile. (#1805)
  • Depend on hs-certificate master instead of our fork (#1822)
  • Add internal endpoint to insert or update a 1-1 conversation. This is to be used by brig when updating the status of a connection. (#1825)
  • Update helm to 3.6.3 in developer tooling (nix-shell) (#1862)
  • Improve the Qualified abstraction and make local/remote tagging safer (#1839)
  • Add some new Spar effects, completely isolating us from saml2-web-sso interface (#1827)
  • Convert legacy POST conversations/:cnv/members endpoint to Servant (#1838)
  • Simplify mock federator interface by removing unnecessary arguments. (#1870)
  • Replace the Spar newtype, instead using Sem directly. (#1833)

Federation changes

  • Remove remote guests as well as local ones when "Guests and services" is disabled in a group conversation, and propagate removal to remote members. (#1854)
  • Check connections when adding remote users to a local conversation and local users to remote conversations. (#1842)
  • Check connections when creating group and team conversations with remote members. (#1870)
  • Server certificates without the "serverAuth" extended usage flag are now rejected when connecting to a remote federator. (#1855)
  • Close GRPC client after making a request to a remote federator. (#1865)
  • Support deleting conversations with federated users (#1861)
  • Ensure that the conversation creator is included only once in notifications sent to remote users (#1879)
  • Allow connecting to remote users. One to one conversations are not created yet. (#1824)
  • Make federator's default log level Info (#1882)
  • The creator of a conversation now appears as a member when the conversation is fetched from a remote backend (#1842)
  • Include remote connections in the response to POST /list-connections (#1826)
  • When a user gets deleted, notify remotes about conversations and connections in chunks of 1000 (#1872, #1883)
  • Make federated requests to multiple backends in parallel. (#1860)
  • Make conversation ID of RemoteConversation unqualified and move it out of the metadata record. (#1839)
  • Make the conversation creator field in the on-conversation-created RPC unqualified. (#1858)
  • Update One2One conversation when connection status changes (#1850)

wire-server - 2021-10-01

Published by fisx about 3 years ago

Release notes

  • Deploy brig before galley (#1811, #1818)
  • The conference call initiation feature can now be configured for personal accounts in brig.yaml. enabled is the default and the previous behavior. If you want to change that, read /docs/reference/config-options.md#conference-calling-1 (#1811, #1818)
  • Only if you are an early adopter of multi-team IdP issuers on release 2021-09-14: note that the query parameter for IdP creation has changed. This only affects future calls to this one end-point. (#1763)
  • For wire.com cloud operators: reminder to also deploy nginz. (No special action needed for on-premise operators) (#1773)

API changes

  • Add endpoint POST /connections/:domain/:userId to create a connection (#1773)
  • Deprecate PUT /conversations/:cnv/access endpoint (#1807)
  • Deprecate PUT /conversations/:cnv/message-timer endpoint (#1780)
  • Deprecate PUT /conversations/:cnv/members/:usr endpoint (#1784)
  • Deprecate PUT /conversations/:cnv/receipt-mode endpoint (#1797)
  • Add endpoint GET /connections/:domain/:userId to get a single connection (#1773)
  • Add POST /list-connections endpoint to get connections (#1773)
  • Add qualified endpoint for updating conversation access (#1807)
  • Add qualified endpoint for updating message timer (#1780)
  • Add qualified endpoint for updating conversation members (#1784)
  • Add qualified endpoint for updating receipt mode (#1797)
  • Add endpoint PUT /connections/:domain/:userId to update a connection (#1773)

Features

  • Helm charts to deploy ldap-scim-bridge (#1709)
  • Per-account configuration of conference call initiation (details: /docs/reference/config-options.md#conference-calling-1) (#1811, #1818)

Bug fixes and other updates

  • An attempt to create a 3rd IdP with the same issuer was triggering an exception. (#1763)
  • When a user was auto-provisioned into two teams under the same pair of Issuer and NameID, they were directed into the wrong team, and not rejected. (#1763)

Documentation

  • Expand documentation of conversations/list-ids endpoint (#1779)
  • Add documentation of the multi-table paging abstraction (#1803)
  • Document how to use IdP issuers for multiple teams (#1763)
  • All named Swagger schemas are now displayed in the Swagger UI (#1802)

Internal changes

  • Abstract out multi-table-pagination used in list conversation-ids endpoint (#1788)
  • Testing: rewrite monadic to applicative style generators (#1782)
  • Add a test checking that creating conversations of exactly the size limit is allowed (#1820)
  • Rewrite the DELETE /self endpoint to Servant (#1771)
  • Fix conversation generator in mapping test (#1778)
  • Polysemize spar (#1806, #1787, #1793, #1814, #1792, #1781, #1786, #1810, #1816, #1815)
  • Refactored a few functions dealing with conversation updates, in an attempt to
    make the conversation update code paths more uniform, and also reduce special
    cases for local and remote objects. (#1801)
  • Merged http2-client fixes as mentioned in the comments of #1703 (#1809)
  • Some executables now have a runtime dependency on ncurses (#1791)
  • Minor changes around SAML and multi-team Issuers.
    • Change query param to not contain -, but _. (This is considered an internal change because the feature was released in the last release, but has only been documented in this one.)
    • Haddocks.
    • Simplify code.
    • Remove unnecessary calls to cassandra. (#1763)
  • Clean up JSON Golden Tests (Part 6) (#1769)
  • Remove explicit instantiations of ErrorDescription (#1794)
  • Remove one flaky integration test about ordering of search results (#1798)
  • Report all failures in JSON golden tests in a group at once (#1746)
  • Convert the PUT /conversations/:cnv/access endpoint to Servant (#1807)
  • Move /connections/* endpoints to Servant (#1770)
  • Servantify Galley's DELETE /i/user endpoint (#1772)
  • Convert the PUT /conversations/:cnv/message-timer endpoint to Servant (#1780)
  • Convert the PUT /conversations/:cnv/members/:usr endpoint to Servant (#1796)
  • Convert the PUT /conversations/:cnv/receipt-mode endpoint to Servant (#1797)
  • Expose wire.com internal EJDP process to backoffice/stern. (#1831)
  • Update configurable boolean team feature list in backoffice/stern. (#1829)
  • Handle upper/lower case more consistently in scim and rich-info data. (#1754)

Federation changes

  • Add value for verification depth of client certificates in federator ingress (#1812)
  • Document federation API conventions and align already existing APIs (#1765)
  • Notify remote users when a conversation's access settings are updated (#1808)
  • Notify remote users when a conversation member role is updated (#1785)
  • Notify remote users when a conversation message timer is updated (#1783)
  • Notify remote users when a conversation is renamed (#1767)
  • Make sure that only users that are actually part of a conversation get notified about updates in the conversation metadata (#1767)
  • Notify remote users when a conversation receipt mode is updated (#1801)
  • Implement updates to remote members (#1785)
  • Make conversation ID of the on-conversation-created RPC unqualified (#1766)
  • 4 endpoints for create/update/get/list connections designed with remote users in mind. So far, the implementation only works for local users (actual implementation will come as a follow-up) (#1773)
  • The returned connection object now has a qualified_to field with the domain of the (potentially remote) user. (#1773)
  • Add migration for remote connection table (#1789)
  • Remove a user from remote conversations upon deleting their account (#1790)
  • Remove elasticsearch specific details from the search endpoint (#1768)
  • Added support for updating self member status of remote conversations (#1753)

wire-server - 2021-09-14

Published by jschaul about 3 years ago

API changes

  • Remove the long-deprecated message field in POST /connections (#1726)
  • Add PUT /conversations/:domain/:cnv/name (#1737)
  • Deprecate PUT /conversations/:cnv/name (#1737)
  • Add GET & PUT /conversations/:domain/:cnv/self (#1740)
  • Deprecate GET & PUT /conversations/:cnv/self (#1740)
  • Remove endpoint GET /conversations/:domain/:cnv/self (#1752)
  • The otr_muted field in Member and MemberUpdate has been removed. (#1751)
  • Removed the ability to update one's own role (#1752)

Features

  • Disallow changing phone number to a black listed phone number (#1758)
  • Support using a single IDP with a single EntityID (aka issuer ID) to set up two teams. Sets up a migration, and makes teamID + EntityID unique, rather than relying on EntityID to be unique. Required to support multiple teams in environments where the IDP software cannot present anything but one EntityID (E.G.: DualShield). (#1755)

Documentation

  • Added documentation of federation errors (#1674)
  • Better swagger schema for the Range type (#1748)
  • Add better example for Domain in swagger (#1748)

Internal changes

  • Introduce new process for writing changelogs (#1749)
  • Clean up JSON golden tests (Part 4, Part 5) (#1756, #1762)
  • Increased timeout on certificate update tests to 10s (#1750)
  • Fix for flaky test in spar (#1760)
  • Rewrite the POST /connections endpoint to Servant (#1726)
  • Various improvements and fixes around SAML/SCIM (#1735)

Federation changes

  • Avoid remote calls to get conversation when it is not found locally (#1749)
  • Federator CA store and client credentials are now automatically reloaded (#1730)
  • Ensure clients only receive messages meant for them in remote convs (#1739)