Merge branch 'wireapp:develop' into develop

offsoc · Sep 18, 2024 · 02da157 · 02da157
2 parents 8dd2482 + 95ce0d8
commit 02da157
Show file tree

Hide file tree

Showing 68 changed files with 1,046 additions and 281 deletions.
diff --git a/changelog.d/0-release-notes/WPB-10658 b/changelog.d/0-release-notes/WPB-10658
@@ -0,0 +1,2 @@
+With this release it will be possible to invite personal users to teams. In `brig`'s config, `emailSMS.team.tExistingUserInvitationUrl` is required to be set to a value that points to the correct teams/account page.
+If `emailSMS.team` is not defined at all in the current environment, the value of `externalUrls.teamSettings` (or, if not present, `externalUrls.nginz`) will be used to construct the correct url, and no configuration change is necessary.
diff --git a/changelog.d/0-release-notes/WPB-10660 b/changelog.d/0-release-notes/WPB-10660
@@ -0,0 +1 @@
+charts/wire-server: There is a new config value called `background-worker.config.enableFederation` which defaults to `false`. This must be kept in sync with `tags.federation`.
diff --git a/changelog.d/1-api-changes/WPB-10658 b/changelog.d/1-api-changes/WPB-10658
@@ -0,0 +1 @@
+A new endpoint `POST /teams/invitations/accept` allows a non-team user to accept an invitation to join a team
diff --git a/changelog.d/2-features/WPB-10658 b/changelog.d/2-features/WPB-10658
@@ -0,0 +1 @@
+Allow an existing non-team user to migrate to a team
diff --git a/changelog.d/3-bug-fixes/WBP-8790 b/changelog.d/3-bug-fixes/WBP-8790
@@ -0,0 +1 @@
+Fix handling of defaults of `mlsE2EID` feature config
diff --git a/changelog.d/4-docs/mls-test-tags b/changelog.d/4-docs/mls-test-tags
@@ -0,0 +1 @@
+Deleted proteus-specific test documentation tags and added some new tags to MLS tests
diff --git a/changelog.d/5-internal/background-worker b/changelog.d/5-internal/background-worker
@@ -0,0 +1 @@
+charts/wire-server: Deploy background-worker even when tags.federation is `false`
diff --git a/charts/background-worker/templates/configmap.yaml b/charts/background-worker/templates/configmap.yaml
@@ -26,7 +26,9 @@ data:
       host: {{ .host }}
       port: {{ .port }}
       vHost: {{ .vHost }}
+      {{- if $.Values.config.enableFederation }}
       adminPort: {{ .adminPort }}
+      {{- end }}
       enableTls: {{ .enableTls }}
       insecureSkipVerifyTls: {{ .insecureSkipVerifyTls }}
       {{- if .tlsCaSecretRef }}

diff --git a/charts/background-worker/values.yaml b/charts/background-worker/values.yaml
@@ -18,6 +18,7 @@ metrics:
 config:
   logLevel: Info
   logFormat: StructuredJSON
+  enableFederation: false # keep in sync with brig, cargohold and galley charts' config.enableFederation as well as wire-server chart's tags.federation
   rabbitmq:
     host: rabbitmq
     port: 5672

diff --git a/charts/brig/templates/configmap.yaml b/charts/brig/templates/configmap.yaml
@@ -179,14 +179,17 @@ data:
       team:
       {{- if .emailSMS.team }}
         tInvitationUrl: {{ .emailSMS.team.tInvitationUrl }}
+        tExistingUserInvitationUrl: {{ .emailSMS.team.tExistingUserInvitationUrl }}
         tActivationUrl: {{ .emailSMS.team.tActivationUrl }}
         tCreatorWelcomeUrl: {{ .emailSMS.team.tCreatorWelcomeUrl }}
         tMemberWelcomeUrl: {{ .emailSMS.team.tMemberWelcomeUrl }}
       {{- else }}
       {{- if .externalUrls.teamSettings }}
         tInvitationUrl: {{ .externalUrls.teamSettings }}/join/?team-code=${code}
+        tExistingUserInvitationUrl: {{ .externalUrls.teamSettings }}/accept-invitation/?team-code=${code}
       {{- else }}
         tInvitationUrl: {{ .externalUrls.nginz }}/register?team=${team}&team_code=${code}
+        tExistingUserInvitationUrl: {{ .externalUrls.nginz }}/accept-invitation/?team-code=${code}
       {{- end }}
         tActivationUrl: {{ .externalUrls.nginz }}/register?team=${team}&team_code=${code}
         tCreatorWelcomeUrl: {{ .externalUrls.teamCreatorWelcome }}

diff --git a/charts/brig/values.yaml b/charts/brig/values.yaml
@@ -67,7 +67,7 @@ config:
   useSES: true
   multiSFT:
     enabled: false # keep multiSFT default in sync with sft chart's multiSFT.enabled
-  enableFederation: false # keep enableFederation default in sync with galley and cargohold chart's config.enableFederation as well as wire-server chart's tags.federation
+  enableFederation: false # keep in sync with background-worker, cargohold and galley charts' config.enableFederation as well as wire-server chart's tags.federation
   # Not used if enableFederation is false
   rabbitmq:
     host: rabbitmq

diff --git a/charts/cargohold/values.yaml b/charts/cargohold/values.yaml
@@ -18,7 +18,7 @@ config:
   logLevel: Info
   logFormat: StructuredJSON
   logNetStrings: false
-  enableFederation: false # keep enableFederation default in sync with brig and galley chart's config.enableFederation as well as wire-server chart's tags.federation
+  enableFederation: false # keep in sync with background-worker, brig and galley charts' config.enableFederation as well as wire-server chart's tags.federation
   aws:
     region: "eu-west-1"
     s3Bucket: assets

diff --git a/charts/galley/values.yaml b/charts/galley/values.yaml
@@ -33,7 +33,7 @@ config:
 #   tlsCaSecretRef:
 #     name: <secret-name>
 #     key: <ca-attribute>
-  enableFederation: false # keep enableFederation default in sync with brig and cargohold chart's config.enableFederation as well as wire-server chart's tags.federation
+  enableFederation: false # keep in sync with background-worker, brig and cargohold charts' config.enableFederation as well as wire-server chart's tags.federation
   # Not used if enableFederation is false
   rabbitmq:
     host: rabbitmq

diff --git a/charts/nginz/values.yaml b/charts/nginz/values.yaml
@@ -410,6 +410,9 @@ nginx_conf:
       envs:
       - all
       disable_zauth: true
+    - path: /teams/invitations/accept$
+      envs:
+      - all
     - path: /i/teams/invitation-code
       envs:
       - staging

diff --git a/charts/wire-server/requirements.yaml b/charts/wire-server/requirements.yaml
@@ -96,7 +96,6 @@ dependencies:
   repository: "file://../background-worker"
   tags:
     - background-worker
-    - federation
     - haskellServices
     - services
 - name: integration

diff --git a/charts/wire-server/values.yaml b/charts/wire-server/values.yaml
@@ -7,7 +7,7 @@
 
 tags:
   legalhold: false
-  federation: false # see also galley.config.enableFederation and brig.config.enableFederation
+  federation: false # see also {background-worker, brig, cargohold, galley}.config.enableFederation
   backoffice: false
   mlsstats: false
   integration: false
diff --git a/docs/src/understand/configure-federation.md b/docs/src/understand/configure-federation.md
@@ -371,7 +371,7 @@ certificate.
 Read {ref}`choose-backend-domain` again, then
 set the backend domain three times to the same value in the subcharts
 cargohold, galley and brig. You also need to set `enableFederation` to
-`true`.
+`true` in background-worker in addition to those charts.
 
 ``` yaml
 # override values for wire-server
@@ -393,6 +393,10 @@ cargohold:
     enableFederation: true
     settings:
       federationDomain: example.com # your chosen "backend domain"
+
+background-worker:
+  config:
+    enableFederation: true
 ```
 
 (configure-federation-strategy-in-brig)=

diff --git a/hack/helm_vars/wire-server/values.yaml.gotmpl b/hack/helm_vars/wire-server/values.yaml.gotmpl
@@ -6,7 +6,7 @@ tags:
   cannon: true
   cargohold: true
   spar: true
-  federation: true # also see galley.config.enableFederation and brig.config.enableFederation
+  federation: true # also see {background-worker,brig,cargohold,galley}.config.enableFederation
   backoffice: true
   proxy: false
   legalhold: false
@@ -278,6 +278,14 @@ galley:
               usersThreshold: 100
               clientsThreshold: 50
             lockStatus: locked
+        mlsE2EId:
+          defaults:
+            status: disabled
+            config:
+              verificationExpiration: 86400
+              acmeDiscoveryUrl: null
+              crlProxy: https://crlproxy.example.com
+            lockStatus: unlocked
         limitedEventFanout:
             defaults:
             status: disabled
@@ -485,6 +493,7 @@ background-worker:
     requests: {}
   imagePullPolicy: {{ .Values.imagePullPolicy }}
   config:
+    enableFederation: true
     backendNotificationPusher:
       pushBackoffMinWait: 1000 # 1ms
       pushBackoffMaxWait: 500000 # 0.5s

diff --git a/integration/integration.cabal b/integration/integration.cabal
@@ -149,6 +149,7 @@ library
     Test.Services
     Test.Spar
     Test.Swagger
+    Test.Teams
     Test.TeamSettings
     Test.User
     Test.Version

diff --git a/integration/test/API/Brig.hs b/integration/test/API/Brig.hs
@@ -434,11 +434,12 @@ putUserSupportedProtocols user ps = do
   submit "PUT" (req & addJSONObject ["supported_protocols" .= ps])
 
 data PostInvitation = PostInvitation
-  { email :: Maybe String
+  { email :: Maybe String,
+    role :: Maybe String
   }
 
 instance Default PostInvitation where
-  def = PostInvitation Nothing
+  def = PostInvitation Nothing Nothing
 
 postInvitation ::
   (HasCallStack, MakesValue user) =>
@@ -452,7 +453,7 @@ postInvitation user inv = do
       joinHttpPath ["teams", tid, "invitations"]
   email <- maybe randomEmail pure inv.email
   submit "POST" $
-    req & addJSONObject ["email" .= email]
+    req & addJSONObject (["email" .= email] <> ["role" .= r | r <- toList inv.role])
 
 getApiVersions :: (HasCallStack) => App Response
 getApiVersions = do
@@ -783,3 +784,14 @@ activate domain key code = do
   submit "GET" $
     req
       & addQueryParams [("key", key), ("code", code)]
+
+acceptTeamInvitation :: (HasCallStack, MakesValue user) => user -> String -> Maybe String -> App Response
+acceptTeamInvitation user code mPw = do
+  req <- baseRequest user Brig Versioned $ joinHttpPath ["teams", "invitations", "accept"]
+  submit "POST" $ req & addJSONObject (["code" .= code] <> maybeToList (((.=) "password") <$> mPw))
+
+-- | https://staging-nginz-https.zinfra.io/v6/api/swagger-ui/#/default/get_teams__tid__invitations
+listInvitations :: (HasCallStack, MakesValue user) => user -> String -> App Response
+listInvitations user tid = do
+  req <- baseRequest user Brig Versioned $ joinHttpPath ["teams", tid, "invitations"]
+  submit "GET" req
diff --git a/integration/test/Notifications.hs b/integration/test/Notifications.hs
@@ -175,6 +175,9 @@ isUserActivateNotif = notifTypeIsEqual "user.activate"
 isUserClientAddNotif :: (MakesValue a) => a -> App Bool
 isUserClientAddNotif = notifTypeIsEqual "user.client-add"
 
+isUserUpdatedNotif :: (MakesValue a) => a -> App Bool
+isUserUpdatedNotif = notifTypeIsEqual "user.update"
+
 isUserClientRemoveNotif :: (MakesValue a) => a -> App Bool
 isUserClientRemoveNotif = notifTypeIsEqual "user.client-remove"
 

diff --git a/integration/test/SetupHelpers.hs b/integration/test/SetupHelpers.hs
@@ -60,30 +60,18 @@ createTeamMemberWithRole ::
   String ->
   String ->
   App Value
-createTeamMemberWithRole inviter tid role = do
+createTeamMemberWithRole inviter _ role = do
   newUserEmail <- randomEmail
-  let invitationJSON = ["role" .= role, "email" .= newUserEmail]
-  invitationReq <-
-    baseRequest inviter Brig Versioned $
-      joinHttpPath ["teams", tid, "invitations"]
-  invitation <- getJSON 201 =<< submit "POST" (addJSONObject invitationJSON invitationReq)
-  invitationId <- objId invitation
-  invitationCodeReq <-
-    rawBaseRequest inviter Brig Unversioned "/i/teams/invitation-code"
-      <&> addQueryParams [("team", tid), ("invitation_id", invitationId)]
-  invitationCode <- bindResponse (submit "GET" invitationCodeReq) $ \res -> do
-    res.status `shouldMatchInt` 200
-    res.json %. "code" & asString
-  let registerJSON =
-        [ "name" .= newUserEmail,
-          "email" .= newUserEmail,
-          "password" .= defPassword,
-          "team_code" .= invitationCode
-        ]
-  registerReq <-
-    rawBaseRequest inviter Brig Versioned "/register"
-      <&> addJSONObject registerJSON
-  getJSON 201 =<< submit "POST" registerReq
+  invitation <- postInvitation inviter (PostInvitation (Just newUserEmail) (Just role)) >>= getJSON 201
+  invitationCode <- getInvitationCode inviter invitation >>= getJSON 200 >>= (%. "code") & asString
+  let body =
+        AddUser
+          { name = Just newUserEmail,
+            email = Just newUserEmail,
+            password = Just defPassword,
+            teamCode = Just invitationCode
+          }
+  addUser inviter body >>= getJSON 201
 
 connectTwoUsers ::
   ( HasCallStack,

diff --git a/integration/test/Test/AccessUpdate.hs b/integration/test/Test/AccessUpdate.hs
@@ -22,6 +22,7 @@ import API.Galley
 import Control.Monad.Codensity
 import Control.Monad.Reader
 import GHC.Stack
+import MLS.Util
 import Notifications
 import SetupHelpers
 import Testlib.Prelude
@@ -38,29 +39,55 @@ testBaz :: HasCallStack => App ()
 testBaz = pure ()
 -}
 
+data ConversationProtocol
+  = ConversationProtocolProteus
+  | ConversationProtocolMLS
+
+instance TestCases ConversationProtocol where
+  mkTestCases =
+    pure
+      [ MkTestCase "[proto=proteus]" ConversationProtocolProteus,
+        MkTestCase "[proto=mls]" ConversationProtocolMLS
+      ]
+
 -- | @SF.Federation @SF.Separation @TSFI.RESTfulAPI @S2
 --
 -- The test asserts that, among others, remote users are removed from a
 -- conversation when an access update occurs that disallows guests from
 -- accessing.
-testAccessUpdateGuestRemoved :: (HasCallStack) => App ()
-testAccessUpdateGuestRemoved = do
+testAccessUpdateGuestRemoved :: (HasCallStack) => ConversationProtocol -> App ()
+testAccessUpdateGuestRemoved proto = do
   (alice, tid, [bob]) <- createTeam OwnDomain 2
   charlie <- randomUser OwnDomain def
   dee <- randomUser OtherDomain def
   mapM_ (connectTwoUsers alice) [charlie, dee]
-  [aliceClient, bobClient, charlieClient, deeClient] <-
-    mapM
-      (\user -> objId $ bindResponse (addClient user def) $ getJSON 201)
-      [alice, bob, charlie, dee]
-  conv <-
-    postConversation
-      alice
-      defProteus
-        { qualifiedUsers = [bob, charlie, dee],
-          team = Just tid
-        }
-      >>= getJSON 201
+
+  (conv, [aliceClient, bobClient, charlieClient, deeClient]) <- case proto of
+    ConversationProtocolProteus -> do
+      clients <-
+        mapM
+          (\user -> objId $ bindResponse (addClient user def) $ getJSON 201)
+          [alice, bob, charlie, dee]
+      conv <-
+        postConversation
+          alice
+          defProteus
+            { qualifiedUsers = [bob, charlie, dee],
+              team = Just tid
+            }
+          >>= getJSON 201
+      pure (conv, clients)
+    ConversationProtocolMLS -> do
+      alice1 <- createMLSClient def alice
+      clients <- traverse (createMLSClient def) [bob, charlie, dee]
+      traverse_ uploadNewKeyPackage clients
+
+      conv <- postConversation alice1 defMLS {team = Just tid} >>= getJSON 201
+      createGroup alice1 conv
+
+      void $ createAddCommit alice1 [bob, charlie, dee] >>= sendAndConsumeCommitBundle
+      convId <- conv %. "qualified_id"
+      pure (convId, map (.client) (alice1 : clients))
 
   let update = ["access" .= ([] :: [String]), "access_role" .= ["team_member"]]
   void $ updateAccess alice conv update >>= getJSON 200

diff --git a/integration/test/Test/FeatureFlags.hs b/integration/test/Test/FeatureFlags.hs
@@ -228,7 +228,11 @@ testMlsE2EConfigCrlProxyNotRequiredInV5 = do
     resp.status `shouldMatchInt` 200
 
   -- Assert that the feature config got updated correctly
-  expectedResponse <- configWithoutCrlProxy & setField "lockStatus" "unlocked" & setField "ttl" "unlimited"
+  expectedResponse <-
+    configWithoutCrlProxy
+      & setField "lockStatus" "unlocked"
+      & setField "ttl" "unlimited"
+      & setField "config.crlProxy" "https://crlproxy.example.com"
   checkFeature "mlsE2EId" owner tid expectedResponse
 
 testSSODisabledByDefault :: (HasCallStack) => App ()
@@ -462,7 +466,8 @@ testAllFeatures = do
                     "config"
                       .= object
                         [ "verificationExpiration" .= A.Number 86400,
-                          "useProxyOnMobile" .= False
+                          "useProxyOnMobile" .= False,
+                          "crlProxy" .= "https://crlproxy.example.com"
                         ]
                   ],
               "mlsMigration"
@@ -747,7 +752,8 @@ mlsE2EIdConfig = do
           "config"
             .= object
               [ "verificationExpiration" .= A.Number 86400,
-                "useProxyOnMobile" .= False
+                "useProxyOnMobile" .= False,
+                "crlProxy" .= "https://crlproxy.example.com"
               ]
         ]
     mlsE2EIdConfig1 :: Value
@@ -1028,7 +1034,8 @@ testPatchE2EId = do
             "config"
               .= object
                 [ "verificationExpiration" .= A.Number 86400,
-                  "useProxyOnMobile" .= False
+                  "useProxyOnMobile" .= False,
+                  "crlProxy" .= "https://crlproxy.example.com"
                 ]
           ]
   _testPatch "mlsE2EId" True defCfg (object ["lockStatus" .= "locked"])
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		With this release it will be possible to invite personal users to teams. In `brig`'s config, `emailSMS.team.tExistingUserInvitationUrl` is required to be set to a value that points to the correct teams/account page.
		If `emailSMS.team` is not defined at all in the current environment, the value of `externalUrls.teamSettings` (or, if not present, `externalUrls.nginz`) will be used to construct the correct url, and no configuration change is necessary.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		charts/wire-server: There is a new config value called `background-worker.config.enableFederation` which defaults to `false`. This must be kept in sync with `tags.federation`.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		A new endpoint `POST /teams/invitations/accept` allows a non-team user to accept an invitation to join a team
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Allow an existing non-team user to migrate to a team
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Fix handling of defaults of `mlsE2EID` feature config
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Deleted proteus-specific test documentation tags and added some new tags to MLS tests
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		charts/wire-server: Deploy background-worker even when tags.federation is `false`
-Original file line number
+Diff line change
@@ Expand Up / @@ -410,6 +410,9 @@ nginx_conf: @@
           envs:
           - all
           disable_zauth: true
+        - path: /teams/invitations/accept$
+          envs:
+          - all
         - path: /i/teams/invitation-code
           envs:
           - staging
@@ Expand Down @@