Feature flag for exposing invite URLs to team admins [SQPIT-1368] (#2684)

This flag is generally locked and disabled. To be able to unlock/enable it, the team id must be added to the list of eligible teams. 

The invitation URLs are meant to be used in automatized onboarding processes; e.g. rendering them as QR codes.

N.B. getting hold of the invitation URLs makes it possible to impersonate as someone else. That's why there's this two-configs solution: To make sure it's only activated when absolutely needed (and not accidentally.)

Co-authored-by: Sven Tennie <[email protected]>
Co-authored-by: Molly Miller <[email protected]>
Co-authored-by: Matthias Fischmann <[email protected]>

Author: 3 people

cassandra-schema.cql

@@ -128,6 +128,7 @@ CREATE TABLE galley_test.team_features (
     app_lock_status int,
     conference_calling int,
     digital_signatures int,
+    expose_invitation_urls_to_team_admin int,
     file_sharing int,
     file_sharing_lock_status int,
     guest_links_lock_status int,

changelog.d/2-features/registration-url-in-invitation

@@ -0,0 +1 @@
+Optionally add invitation urls to the body of `/teams/{tid}/invitations`. This allows further processing; e.g. to send those links with custom emails or distribute them as QR codes. See [docs](https://docs.wire.com/developer/reference/config-options.html#expose-invitation-urls-to-team-admin) for details and privacy implications.

charts/galley/templates/configmap.yaml

@@ -54,6 +54,9 @@ data:
       {{- if .settings.maxFanoutSize }}
       maxFanoutSize: {{ .settings.maxFanoutSize }}
       {{- end }}
+      {{- if .settings.exposeInvitationURLsTeamAllowlist }}
+      exposeInvitationURLsTeamAllowlist: {{ .settings.exposeInvitationURLsTeamAllowlist }}
+      {{- end }}
       conversationCodeURI: {{ .settings.conversationCodeURI | quote }}
       {{- if .settings.enableIndexedBillingTeamMembers }}
       enableIndexedBillingTeamMembers: {{ .settings.enableIndexedBillingTeamMembers }}
@@ -92,15 +95,15 @@ data:
         {{- if .settings.featureFlags.appLock }}
         appLock:
           {{- toYaml .settings.featureFlags.appLock | nindent 10 }}
-        {{- end }}        
+        {{- end }}
         {{- if .settings.featureFlags.conferenceCalling }}
         conferenceCalling:
           {{- toYaml .settings.featureFlags.conferenceCalling | nindent 10 }}
-        {{- end }}        
+        {{- end }}
         {{- if .settings.featureFlags.selfDeletingMessages }}
         selfDeletingMessages:
           {{- toYaml .settings.featureFlags.selfDeletingMessages | nindent 10 }}
-        {{- end }}        
+        {{- end }}
         {{- if .settings.featureFlags.conversationGuestLinks }}
         conversationGuestLinks:
           {{- toYaml .settings.featureFlags.conversationGuestLinks | nindent 10 }}

charts/galley/values.yaml

@@ -26,6 +26,7 @@ config:
   settings:
     httpPoolSize: 128
     maxTeamSize: 10000
+    exposeInvitationURLsTeamAllowlist: []
     maxConvSize: 500
     # Before making indexedBillingTeamMember true while upgrading, please
     # refer to notes here: https://github.com/wireapp/wire-server-deploy/releases/tag/v2020-05-15
@@ -79,7 +80,7 @@ config:
       validateSAMLemails:
         defaults:
           status: enabled
- 
+
   aws:
     region: "eu-west-1"
   proxy: {}

docs/src/developer/reference/config-options.md

@@ -99,6 +99,53 @@ IMPORTANT: If you switch this back to `disabled-permanently` from
 that have created them while it was allowed.  This may change in the
 future.
 
+### Expose invitation URLs to team admin
+
+For further processing (e.g. sending custom emails or rendering the URLs as QR
+codes), team invitation URLs can be made part of the result of
+`GET /teams/{tid}/invitations`.
+
+```json
+{
+    "has_more": false,
+    "invitations": [
+        {
+            "created_at": "2022-09-15T15:47:28.577Z",
+            "created_by": "375f56fe-7f12-4c0c-aed8-d48c0326d1fb",
+            "email": "[email protected]",
+            "id": "4decf7f8-bdd4-43b3-aaf2-e912e2c0c46f",
+            "name": null,
+            "phone": null,
+            "role": "member",
+            "team": "51612209-3b61-49b0-8c55-d21ae65efc1a",
+            "url": "http://127.0.0.1:8080/register?team=51612209-3b61-49b0-8c55-d21ae65efc1a&team_code=RpxGkK_yjw8ZBegJuFQO0hha-2Tneajp"
+        }
+    ]
+}
+```
+
+This can be a privacy issue as it allows the team admin to impersonate as
+another team member. The feature is disabled by default.
+
+To activate this feature two steps are needed. First, the team id (tid) has to
+be added to the list of teams for which this feature *can* be enabled
+(`exposeInvitationURLsTeamAllowlist`). This is done in `galley`'s `values.yaml`:
+
+```yaml
+settings:
+  exposeInvitationURLsTeamAllowlist: ["51612209-3b61-49b0-8c55-d21ae65efc1a", ...]
+```
+
+Then, the feature can be set for the team by enabling the
+`exposeInvitationURLsToTeamAdmin` flag. This is done by making a `PUT` request
+to `/teams/{tid}/features/exposeInvitationURLsToTeamAdmin` with the body:
+
+```json
+{
+    "status": "enabled"
+}
+```
+
 ### Team searchVisibility
 
 The team flag `searchVisibility` affects the outbound search of user

libs/wire-api/src/Wire/API/Routes/Public/Galley.hs

@@ -1136,6 +1136,8 @@ type FeatureAPI =
     :<|> FeatureStatusPut '() SndFactorPasswordChallengeConfig
     :<|> FeatureStatusGet MLSConfig
     :<|> FeatureStatusPut '() MLSConfig
+    :<|> FeatureStatusGet ExposeInvitationURLsToTeamAdminConfig
+    :<|> FeatureStatusPut '() ExposeInvitationURLsToTeamAdminConfig
     :<|> FeatureStatusGet SearchVisibilityInboundConfig
     :<|> FeatureStatusPut '() SearchVisibilityInboundConfig
     :<|> AllFeatureConfigsUserGet

libs/wire-api/src/Wire/API/Team/Feature.hs

@@ -67,6 +67,7 @@ module Wire.API.Team.Feature
     DigitalSignaturesConfig (..),
     ConferenceCallingConfig (..),
     GuestLinksConfig (..),
+    ExposeInvitationURLsToTeamAdminConfig (..),
     SndFactorPasswordChallengeConfig (..),
     SearchVisibilityInboundConfig (..),
     ClassifiedDomainsConfig (..),
@@ -579,6 +580,7 @@ allFeatureModels =
     withStatusNoLockModel @SndFactorPasswordChallengeConfig,
     withStatusNoLockModel @SearchVisibilityInboundConfig,
     withStatusNoLockModel @MLSConfig,
+    withStatusNoLockModel @ExposeInvitationURLsToTeamAdminConfig,
     withStatusModel @LegalholdConfig,
     withStatusModel @SSOConfig,
     withStatusModel @SearchVisibilityAvailableConfig,
@@ -592,7 +594,8 @@ allFeatureModels =
     withStatusModel @GuestLinksConfig,
     withStatusModel @SndFactorPasswordChallengeConfig,
     withStatusModel @SearchVisibilityInboundConfig,
-    withStatusModel @MLSConfig
+    withStatusModel @MLSConfig,
+    withStatusModel @ExposeInvitationURLsToTeamAdminConfig
   ]
     <> catMaybes
       [ configModel @LegalholdConfig,
@@ -608,7 +611,8 @@ allFeatureModels =
         configModel @GuestLinksConfig,
         configModel @SndFactorPasswordChallengeConfig,
         configModel @SearchVisibilityInboundConfig,
-        configModel @MLSConfig
+        configModel @MLSConfig,
+        configModel @ExposeInvitationURLsToTeamAdminConfig
       ]
 
 --------------------------------------------------------------------------------
@@ -939,6 +943,24 @@ instance IsFeatureConfig MLSConfig where
       Doc.property "allowedCipherSuites" (Doc.array Doc.int32') $ Doc.description "cipher suite numbers,  See https://messaginglayersecurity.rocks/mls-protocol/draft-ietf-mls-protocol.html#table-5"
       Doc.property "defaultCipherSuite" Doc.int32' $ Doc.description "cipher suite number. See https://messaginglayersecurity.rocks/mls-protocol/draft-ietf-mls-protocol.html#table-5"
 
+----------------------------------------------------------------------
+-- ExposeInvitationURLsToTeamAdminConfig
+
+data ExposeInvitationURLsToTeamAdminConfig = ExposeInvitationURLsToTeamAdminConfig
+  deriving stock (Show, Eq, Generic)
+  deriving (Arbitrary) via (GenericUniform ExposeInvitationURLsToTeamAdminConfig)
+
+instance IsFeatureConfig ExposeInvitationURLsToTeamAdminConfig where
+  type FeatureSymbol ExposeInvitationURLsToTeamAdminConfig = "exposeInvitationURLsToTeamAdmin"
+  defFeatureStatus = withStatus FeatureStatusDisabled LockStatusLocked ExposeInvitationURLsToTeamAdminConfig FeatureTTLUnlimited
+  objectSchema = pure ExposeInvitationURLsToTeamAdminConfig
+
+instance ToSchema ExposeInvitationURLsToTeamAdminConfig where
+  schema = object "ExposeInvitationURLsToTeamAdminConfig" objectSchema
+
+instance FeatureTrivialConfig ExposeInvitationURLsToTeamAdminConfig where
+  trivialConfig = ExposeInvitationURLsToTeamAdminConfig
+
 ----------------------------------------------------------------------
 -- FeatureStatus
 
@@ -1007,7 +1029,8 @@ data AllFeatureConfigs = AllFeatureConfigs
     afcSelfDeletingMessages :: WithStatus SelfDeletingMessagesConfig,
     afcGuestLink :: WithStatus GuestLinksConfig,
     afcSndFactorPasswordChallenge :: WithStatus SndFactorPasswordChallengeConfig,
-    afcMLS :: WithStatus MLSConfig
+    afcMLS :: WithStatus MLSConfig,
+    afcExposeInvitationURLsToTeamAdmin :: WithStatus ExposeInvitationURLsToTeamAdminConfig
   }
   deriving stock (Eq, Show)
   deriving (FromJSON, ToJSON, S.ToSchema) via (Schema AllFeatureConfigs)
@@ -1030,6 +1053,7 @@ instance ToSchema AllFeatureConfigs where
         <*> afcGuestLink .= featureField
         <*> afcSndFactorPasswordChallenge .= featureField
         <*> afcMLS .= featureField
+        <*> afcExposeInvitationURLsToTeamAdmin .= featureField
     where
       featureField ::
         forall cfg.
@@ -1054,5 +1078,6 @@ instance Arbitrary AllFeatureConfigs where
       <*> arbitrary
       <*> arbitrary
       <*> arbitrary
+      <*> arbitrary
 
 makeLenses ''ImplicitLockStatus

libs/wire-api/src/Wire/API/Team/Invitation.hs

@@ -34,6 +34,7 @@ import Data.Id
 import Data.Json.Util
 import qualified Data.Swagger.Build.Api as Doc
 import Imports
+import URI.ByteString
 import Wire.API.Team.Role (Role, defaultRole, typeRole)
 import Wire.API.User.Identity (Email, Phone)
 import Wire.API.User.Profile (Locale, Name)
@@ -104,7 +105,8 @@ data Invitation = Invitation
     inCreatedBy :: Maybe UserId,
     inInviteeEmail :: Email,
     inInviteeName :: Maybe Name,
-    inInviteePhone :: Maybe Phone
+    inInviteePhone :: Maybe Phone,
+    inInviteeUrl :: Maybe (URIRef Absolute)
   }
   deriving stock (Eq, Show, Generic)
   deriving (Arbitrary) via (GenericUniform Invitation)
@@ -134,6 +136,9 @@ modelTeamInvitation = Doc.defineModel "TeamInvitation" $ do
   Doc.property "phone" Doc.string' $ do
     Doc.description "Phone number of the invitee, in the E.164 format"
     Doc.optional
+  Doc.property "url" Doc.string' $ do
+    Doc.description "URL of the invitation link to be sent to the invitee"
+    Doc.optional
 
 instance ToJSON Invitation where
   toJSON i =
@@ -145,7 +150,8 @@ instance ToJSON Invitation where
         "created_by" .= inCreatedBy i,
         "email" .= inInviteeEmail i,
         "name" .= inInviteeName i,
-        "phone" .= inInviteePhone i
+        "phone" .= inInviteePhone i,
+        "url" .= inInviteeUrl i
       ]
 
 instance FromJSON Invitation where
@@ -160,6 +166,7 @@ instance FromJSON Invitation where
       <*> o .: "email"
       <*> o .:? "name"
       <*> o .:? "phone"
+      <*> o .:? "url"
 
 --------------------------------------------------------------------------------
 -- InvitationList