Merge pull request #2080 from wireapp/release_2022_01_27

Author: fisx

.headroom.yaml

@@ -12,7 +12,7 @@ variables:
   organization: Wire Swiss GmbH
   email: [email protected]
   project: This file is part of the Wire Server implementation.
-  year: '2020'
+  year: '2022'
 license-headers:
   haskell:
     file-extensions: ["hs", "hsc"]

CHANGELOG.md

@@ -1,5 +1,52 @@
 <!-- if you're not the release manager, do your edits to changelog under CHANGELOG.d/ -->
 
+# [2022-01-27]
+
+## Release notes
+
+* The `nginz` chart now configures nginx to only allow cross-origin requests from an explicit allow list of subdomains. By default these are:
+
+  ```yaml
+  nginz:
+    nginx_conf:
+      allowlisted_origins:
+      - webapp
+      - teams
+      - account
+  ```
+
+  If you changed the names of these services, you must adjust those names in the nginz config as well. (#1630, #2073, 116988c62732)
+
+* Backend now separates conversation access control for guests and services. The old access roles are still supported but it is encouraged to upgrade clients since mapping between the old access roles and the new access roles is not isomorphic. For more details refer to the API changes below or the Swagger docs.
+  Old clients are fully supported; if new clients and old clients are mixed, to old clients, either guests of services may appear to be enable if they are not, which may lead to error messages (confusing but harmless). (#2035)
+
+## API changes
+
+* Endpoints that recently have accepted `access_role` in their payload will now accept `access_role_v2` as well which will take precedence over `access_role`. See Swagger docs for how values are mapped. Endpoints that recently have returned `access_role` in their payload will now additionally return the `access_role_v2` field. (#2035)
+
+## Features
+
+* Conversation access roles now distinguish between guests and services. (#2035)
+
+## Bug fixes and other updates
+
+* There is now an explicit CORS allow list for *all* endpoints. In previous releases, all subdomains were accepted, however they must now be listed explicitly. This is a **breaking change**, as now only known Javascript applications may access the backend. (#1630, #2073, 116988c62732)
+* Prevent 500s when SFTs are not reachable from Backend (#2077)
+
+## Internal changes
+
+* Bump hsaml2 package version (#2075)
+* Separate Spar.Data module into smaller Cassandra interpreters (#2064)
+* Fix some HLint issues in libs/wire-api. (#2065)
+* Fix broken build process of package "old-time" for some environments (#2056)
+* Refresh license headers (#2062)
+* Rename Spar.Sem.ScimTokenStore.GetByTeam to LookupByTeam (#2068)
+
+## Federation changes
+
+* Tag several federation tests cases for the M2 release (#2045)
+
+
 # [2022-01-18]
 
 ## Release notes

charts/nginz/templates/conf/_nginx.conf.tpl

@@ -125,7 +125,9 @@ http {
 
   map $http_origin $cors_header {
       default "";
-      "~^https://([^/]+\.)?{{ .Values.nginx_conf.external_env_domain | replace "." "\\." }}(:[0-9]{2,5})?$" "$http_origin";
+    {{ range $origin := .Values.nginx_conf.allowlisted_origins }}
+      "https://{{ $origin }}.{{ $.Values.nginx_conf.external_env_domain}}" "$http_origin";
+    {{ end }}
   }
 
 
@@ -293,11 +295,7 @@ http {
         more_set_headers 'Access-Control-Allow-Credentials: true';
             {{ end -}}
 
-            {{ if ($location.restrict_whitelisted_origin) -}}
         more_set_headers 'Access-Control-Allow-Origin: $cors_header';
-            {{- else }}
-        more_set_headers 'Access-Control-Allow-Origin: $http_origin';
-            {{- end }}
 
         more_set_headers 'Access-Control-Expose-Headers: Request-Id, Location';
         more_set_headers 'Request-Id: $request_id';

charts/nginz/values.yaml

@@ -52,6 +52,11 @@ nginx_conf:
   - ~* ^/conversations/([^/]*)/call/state
   - /search/top
   - /search/common
+  # -- The origins from which we allow CORS requests. These are combined with 'external_env_domain' to form a full url
+  allowlisted_origins:
+    - webapp
+    - teams
+    - account
   upstreams:
     cargohold:
     - path: ~* ^/conversations/([^/]*)/assets
@@ -79,7 +84,6 @@ nginx_conf:
       envs:
       - all
       allow_credentials: true
-      restrict_whitelisted_origin: true
       max_body_size: "0"
       disable_request_buffering: true
     brig:
@@ -149,7 +153,6 @@ nginx_conf:
       envs:
       - all
       allow_credentials: true
-      restrict_whitelisted_origin: true
     - path: /bot/self
       envs:
       - all
@@ -170,13 +173,11 @@ nginx_conf:
       envs:
       - all
       allow_credentials: true
-      restrict_whitelisted_origin: true
       disable_zauth: true
     - path: /activate
       envs:
       - all
       allow_credentials: true
-      restrict_whitelisted_origin: true
       disable_zauth: true
     - path: /delete
       envs:
@@ -238,7 +239,6 @@ nginx_conf:
       - all
       disable_zauth: true
       allow_credentials: true
-      restrict_whitelisted_origin: true
       unlimited_requests_endpoint: true
     - path: /login
       envs:

dev-packages.nix

@@ -159,6 +159,7 @@ let
     export LIBRARY_PATH="${compile-deps}/lib"
     export PKG_CONFIG_PATH="${compile-deps}/lib/pkgconfig"
     export PATH="${compile-deps}/bin"
+    export CONFIG_SHELL="${compile-deps}/bin/sh"
     exec "${pkgs.cabal-install}/bin/cabal" "$@"
   '';
 in

docs/reference/cassandra-schema.cql

@@ -227,6 +227,7 @@ CREATE TABLE galley_test.conversation (
     conv uuid PRIMARY KEY,
     access set<int>,
     access_role int,
+    access_roles_v2 set<int>,
     creator uuid,
     deleted boolean,
     message_timer bigint,

hack/helm_vars/wire-server/values.yaml.gotmpl

@@ -194,6 +194,8 @@ nginz:
   nginx_conf:
     env: staging
     external_env_domain: zinfra.io
+    # NOTE: Web apps are disabled by default
+    allowlisted_origins: []
   secrets:
     basicAuth: "whatever"
     zAuth:

libs/api-bot/src/Network/Wire/Bot.hs

@@ -1,6 +1,6 @@
 -- This file is part of the Wire Server implementation.
 --
--- Copyright (C) 2020 Wire Swiss GmbH <[email protected]>
+-- Copyright (C) 2022 Wire Swiss GmbH <[email protected]>
 --
 -- This program is free software: you can redistribute it and/or modify it under
 -- the terms of the GNU Affero General Public License as published by the Free

libs/api-bot/src/Network/Wire/Bot/Assert.hs

@@ -3,7 +3,7 @@
 
 -- This file is part of the Wire Server implementation.
 --
--- Copyright (C) 2020 Wire Swiss GmbH <[email protected]>
+-- Copyright (C) 2022 Wire Swiss GmbH <[email protected]>
 --
 -- This program is free software: you can redistribute it and/or modify it under
 -- the terms of the GNU Affero General Public License as published by the Free

libs/api-bot/src/Network/Wire/Bot/Cache.hs

@@ -2,7 +2,7 @@
 
 -- This file is part of the Wire Server implementation.
 --
--- Copyright (C) 2020 Wire Swiss GmbH <[email protected]>
+-- Copyright (C) 2022 Wire Swiss GmbH <[email protected]>
 --
 -- This program is free software: you can redistribute it and/or modify it under
 -- the terms of the GNU Affero General Public License as published by the Free