Release Notes

• Allow an empty SAML contact list, which is configured at saml.contacts in spar's config.
  The contact list is exposed at the /sso/metadata endpoint.

Features

• Make Content-MD5 header optional for asset upload (#1252)
• Add applock team feature (#1242, #1253)
• /teams/[tid]/features endpoint

Bug fixes

• Fix content-type headers in saml responses (#1241)

Internal changes

• parse exposed 'tracestate' header in nginz logs if present (#1244)
• Store SCIM tokens in hashed form (#1240)
• better error handling (#1251)

Features

• Onboard password-auth'ed users via SCIM, via existing invitation flow (#1213)

Bug fixes and other updates

• cargohold: add compatibility mode for Scality RING S3 implementation (#1217, reverted in 4ce798e8d9db, then #1234)
• update email translations to latest (#1231)

Documentation

• [brig:docs] Add a note on feature flag: setEmailVisibility (#1235)

Internal changes

• Upgrade bonanza to geoip2 (#1236)
• Migrate rex to this repository (#1218)
• Fix stack warning about bloodhound. (#1237)
• Distinguish different places that throw the same error. (#1229)
• make fetch.py compatible with python 3 (#1230)
• add missing license headers (#1221)
• More debug logging for native push notifications. (#1220, #1226)
• add libtinfo/ncurses to docs and nix deps (#1215)
• Double memory available to cassandra in demo mode (#1216)

2020-10-05

Release Notes

With this release, the setCookieDomain configuration (under brig/config.optSettings) no longer has any effect, and can be removed.

Security improvements

• Authentication cookies are set to the specific DNS name of the backend server (like nginz-https.example.com), instead of a wildcard domain (like *.example.com). This is achieved by leaving the domain empty in the Set-Cookie header, but changing the code to allow clients with old cookies to continue using them until they get renewed. (#1102)

Bug Fixes

• Match users on email in SCIM search: Manage invited user by SCIM when SSO is enabled (#1207)

New Features

• Amount of SFT servers returned on /calls/config/v2 can be limited (default 5, configurable) (#1206)
• Allow SCIM without SAML (#1200)

Internal changes

• Cargohold: Log more about AWS errors, ease compatibility testing (#1205, #1210)
• GHC upgrade to 8.8.4 (#1204)
• Preparation for APNS notification on iOS 13 devices: Use mutable content for non-voip notifications and update limits (#1212)
• Cleanup: remove unused scim_user table (#1211)

Release Notes

Bug Fixes

• Fixed logic related to ephemeral users (#1197)

New Features

• SFT servers now exposed over /calls/config/v2 (#1177)
• First federation endpoint (#1188)

Internal changes

• ormolu upgrade to 0.1.2.0 and formatting (#1145, #1185, #1186)
• handy cqlsh make target to manually poke at the database (#1170)
• spar cleanup
• brig user name during scim user parsing (#1195)
• invitation refactor (#1196)
• SCIM users are never ephemeral (#1198)

Release Notes

• This release makes a couple of changes to the elasticsearch mapping and requires a data migration. The correct order of upgrade is:
  1. Update mapping
  2. Upgrade brig as usual
  3. Run data migration
     Search should continue to work normally during this upgrade.
• Now with cargohold using V4 signatures, the region is part of the Authorization header, so please make sure it is configured correctly. This can be provided the same way as the AWS credentials, e.g. using the AWS_REGION environment variable.

Bug Fixes

• Fix member count of suspended teams in journal events (#1171)
• Disallow team creation when setRestrictUserCreation is true (#1174)

New Features

• Pending invitations by email lookup (#1168)
• Support s3 v4 signatures (and use package amazonka instead of aws in cargohold) (#1157)
• Federation: Implement ID mapping (brig) (#1162)

Internal changes

• SCIM cleanup; drop table spar.scim_user (#1169, #1172)
• ormolu script: use ++FAILURES as it will not evaluate to 0 (#1178)
• Refactor: Simplify SRV lookup logic in federation-util (#1175)
• handy cqlsh make target to manually poke at the database (#1170)
• hscim: add license headers (#1165)
• Upgrade stack to 2.3.1 (#1166)
• gundeck: drop deprecated tables (#1163)

Release Notes

• If you are self-hosting wire on the public internet, consider changing your brig server config.
• Deploy all services except nginz.
• No migrations, no restrictions on deployment order.

New Features

• Restrict user creation in on-prem installations (#1161)
• Implement active flag in SCIM for user suspension (#1158)

Bug Fixes

• Fix setting team feature status in Stern/backoffice (#1146)
• Add missing Swagger models (#1153)
• docs/reference/elastic-search.md: fix typos (#1154)

Internal changes

• Federation: Implement ID mapping (galley) (#1134)
• Tweak cassandra container settings to get it to work on nixos. (#1155)
• Merge wireapp/subtree-hscim repository under /libs, preserving history (#1152)
• Add link to twilio message ID format (#1150)
• Run backoffice locally (#1148)
• Fix services-demo (#1149, #1156)
• Add missing license headers (#1143)
• Test sign up with invalid email (#1141)
• Fix ormolu script (source code pretty-printing) (#1142)

Release Notes

• run galley schema migrations
• no need to upgrade nginz

New Features

• Add team level flag for digital signatures (#1132)

Bug fixes

• Bump http-client (#1138)

Internal changes

• Script for finding undead users in elasticsearch (#1137)
• DB changes for federation (#1070)
• Refactor team feature tests (#1136)

Release Notes

• schema migration for cassandra_galley
• promote stern after galley
• promote spar after brig
• no need to upgrade nginz

New Features

• Validate saml emails (#1113, #1122, #1129)

Documentation

• Add a note about unused registration flow in docs (#1119)
• Update cassandra-schema.cql (#1127)

Internal changes

• Fix incomplete pattern in code checking email domain (custom extensions) (#1130)
• Enable additional GHC warnings (#1131)
• Cleanup export list; swagger names. (#1126)

Release Notes

• This release fixes a bug with searching. To get this fix, a new elasticsearch index must be used.
  The steps for doing this migration can be found in ./docs/reference/elastic-search.md
  Alternatively the same index can be recreated instead, this will cause downtime.
  The steps for the recreation can be found in ./docs/reference/elastic-search.md

New Features

• Customer Extensions (not documented, disabled by default, use at your own risk, details) (#1108)
• Upgrade emails to the latest version: small change in the footer (#1106)
• Add new "team event queue" and send MemberJoin events on it (#1097, #1115)
• Change maxTeamSize to Word32 to allow for larger teams (#1105)

Bug fixes

• Implement better prefix search for name/handle (#1052, #1124)
• Base64 encode error details in HTML presented by Spar. (#1120)
• Bump schemaVersion for Brig and Galley (#1118)

Internal Changes

• Copy swagger-ui bundle to nginz conf for integration tests (#1121)
• Use wire-api types in public endpoints (galley, brig, gundeck, cargohold) (#1114, #1116, #1117)
• wire-api: extend generic Arbitrary instances with implementation for 'shrink' (#1111)
• api-client: depend on wire-api only (#1110)
• Move and add wire-api JSON roundtrip tests (#1098)
• Spar tests cleanup (#1100)

New Features

• Add tool to migrate data for galley (#1096)
  This can be used in a more automated way than the backfill-billing-team-member.
  It should be done as a step after deployment.

Internal Changes

• More tests for OTR messages using protobuf (#1095)
• Set brig's logLevel to Warn while running integration-tests (#1099)
• Refactor: Create wire-api package for types used in the public API (#1090)

Upgrade steps (IMPORTANT)

• Deploy new version of all services as usual, make sure enableIndexedBillingTeamMember setting in galley is false.
• Run backfill using

  CASSANDRA_HOST_GALLEY=<IP Address of one of the galley cassandra instaces>
  CASSANDRA_PORT_GALLEY=<port>
  CASSANDRA_KEYSPACE_GALLEY=<GALLEY_KEYSPACE>
  docker run quay.io/wire/backfill-billing-team-members:2.81.18 \
    --cassandra-host-galley="$CASSANDRA_HOST_GALLEY" \
    --cassandra-port-galley="$CASSANDRA_PORT_GALLEY" \
    --cassandra-keyspace-galley="$CASSANDRA_KEYSPACE_GALLEY"
  

  You can also run the above using kubectl run.
• Set enableIndexedBillingTeamMember setting in galley to true and re-deploy the same version.

New Features

• Custom search visibility - limit name search (#1086)
• Add tool to backfill billing_team_member (#1089)
• Index billing team members (#1081, #1091)
• Allow team deletion on stern (#1080)
• Do not fanout very large teams (#1060, #1075)

Bug fixes

• Fix licenses of db tools (#1088)

Internal Changes

• Add docs for updating ID Provider (#1074)
• Add comments/docs about hie.yaml (#1037)
• Don't poll from SQS as often (#1082)
• Refactor: Split API modules into public/internal (#1083)
• Manage license headers with headroom instead of licensure (#1084)
• Monitor access to DynamoDB (#1077)
• Make make docker-intermediate command work again (#1079)
• Upgrade Ormolu to 0.0.5.0 (#1078)
• Add (very few) unit tests to galley (#1071)
• Pull brig-index before running the docker ephemeral setup (#1066)

New Features

• Allow for report_missing in NewOtrMessage. (#1056, #1062)
• List team members by UserId (#1048)
• Support idp update. (#1065 for issuer, #1026 for everything else)
• Support synchronous purge-deletion of idps (via query param). (#1068)

Bug fixes

• Test that custom backend domains are case-insensitive (#1051)
• Swagger improvements. (#1059, #1054)

Internal Changes

• Count team members using es (#1046)
• Make delete or downgrade team owners scale (#1029)
• services-demo/demo.sh: mkdir zauth (if not exists) (#1055)
• Use fork of bloodhound to support ES 5.2 (#1050)

Upgrade steps (IMPORTANT)

1. Update mapping in ElasticSearch (see docs/reference/elastic-search.md)
2. Upgrade brig and the other services as usual
3. Migrate data in ElasticSearch (see docs/reference/elastic-search.md)

New features

• Allow brig-index create to set ES index settings (#1023)
• Extended team invitations to have name and phone number (#1032)
• Allow team members to be searched by teammates. (#964)
• Better defaults for maxKeyLen and maxValueLen (#1034)

Bug Fixes

• Fix swagger (#1012, #1031)
• Custom backend lookup by domain is now case-insensitive (#1013)

Internal Changes

• Federation: resolve opaque IDs at the edges of galley (#1008)
• Qualify all API imports in Galley (#1006)
• types-common: write unit tests for Data.Qualified (#1011)
• Remove subv4 (#1003)
• Add federation feature flag to brig and galley (#1014)
• Add hie.yaml (#1024)
• Improve reproducibility of builds (#1027)
• Update types of some brig endpoints to be federation-aware (#1013)
• Bump to lts-14.27 (#1030)
• Add comments about which endpoints send which events to clients (#1025)

New features

• Remove autoconnect functionality; deprecate end-point. (#1005)
• Email visible to all users in same team (#999)

Bug fixes

• fix nginx permissions in docker image (#985)

Significant internal changes

• Update nginx to latest stable (#725)

Internal Changes

• ormolu.sh: make queries for options more robust (#1009)
• Run hscim azure tests (#941)
• move FUTUREWORK(federation) comment to right place
• stack snapshot 3.0. (#1004, works around 8697b57609b523905641f943d68bbbe18de110e8)
• Fix .gitignore shenanigans in Nix (#1002)
• Update types of some galley endpoints to be federation-aware (#1001)
• Cleanup (#1000)
• Compile nginx with libzauth using nix (#988)
• Move and create federation-related types (#997)
• Tweak ormolu script. (#998)
• Give handlers in gundeck, cannon stronger types (#990)
• Rename cassandra-schema.txt to cassandra-schema.cql (#992)
• Ignore dist-newstyle (#991)
• Refactor: separate HTTP handlers from app logic (galley) (#989)
• Mock federator (#986)
• Eliminate more CPP (#987)
• Cleanup compiler warnings (#984)
• Make ormolu available in builder (#983)

Hotfix

• Fix encoding bug in SAML SSO (#995)

New features

• Configure max nr of devices (#969)
• libs/federation-util: SRV resolution (#962)

Significant internal changes

• Better docs on brig integration yaml (#973)

Internal changes

• Remove unnecessary LANGUAGE CPP pragmas (#978)
• Introduce code formatting with ormolu (#974, #979)
• Soften a rarely occurring timing issue by slowing things down. (#975)
• debug spar prod (#977)
• Upgrade amazonka (abandon fork) (#976)
• remove unused imports
• Symlink local dist folders in tools to the global one (#971, similar to #904)
• Upgrade to GHC 8.6.5 (LTS 14.12) (#958)
• Refactor: separate http parsing / generation from app logic. (#967)
• spar/integration: no auth required for /sso/settings (#963)

New features

• SCIM top level extra attrs / rich info (#931)
  • Added to all endpoints under "/scim/v2"
• Create endpoint for default SSO code (#954)
  • New public endpoint:
    • GET "/sso/settings"
  • New private endpoint:
    • PUT "/i/sso/settings"

Relevant for client developers

• add docs for default sso code (#960)
• Add missing options to services-demo config files (#961)

Security fixes

• Remove verifcation code from email subject line. (#950)

Internal changes

• Whitespace (#957)

API changes (relevant client developers)

• Allow up to 256 characters as handle, dots and dashes too (#953)
  • All handles related endpoints, namely:
    • POST "/users/handles"
    • HEAD "/users/handles/:handle"
    • GET "/users/handles/:handle"
  • now accept this new format of handles
• Refuse to delete non-empty IdPs (412 precondition failed) (#875)
  • DELETE "identity-providers/:idp" will now return 412 if there are users provisioned with that IDP
• Linear onboarding feature: Provide information about custom backends (#946)
  • New public endpoint:
    • GET "/custom-backend/by-domain/:domain"
  • New interal endpoints:
    • PUT "/i/custom-backend/by-domain/:domain"
    • DELETE "/i/custom-backend/by-domain/:domain"

Relevant for self-hosters

• Handle search within team (#921)
• Fixed logic with connection checks (#930)

Relevant for client developers

• SCIM Fixes Phase 1 + 2 (#926)

Bug fixes

• Stack nix fixes (#937)

Relevant for self-hosters

• Access tokens are now sanitized on nginz logs (#920)

Relevant for client developers

• Conversation roles (#911)
  • Users joining by link are always members (#924) and (#927)

Bug fixes

• Limit batch size when adding users to conversations (#923)
• Fixed user property integration test (#922)