Release 2022-01-27 #2080

fisx · 2022-01-27T21:22:56Z

Release notes

The nginz chart now configures nginx to only allow cross-origin requests from an explicit allow list of subdomains. By default these are:
```
nginz:
  nginx_conf:
    allowlisted_origins:
    - webapp
    - teams
    - account
```
If you changed the names of these services, you must adjust those names in the nginz config as well. (charts/nginz: Add restrictive CORS headers to all URLs and explicitly… #1630)
Backend now separates conversation access control for guests and services. The old access roles are still supported but it is encouraged to upgrade clients since mapping between the old access roles and the new access roles is not isomorphic. For more details refer to the API changes below or the Swagger docs.
Old clients are fully supported; if new clients and old clients are mixed, to old clients, either guests of services may appear to be enable if they are not, which may lead to error messages (confusing but harmless). (SQSERVICES-1083 Separate Access Control For Guests And Services #2035)

API changes

Endpoints that recently have accepted access_role in their payload will now accept access_role_v2 as well which will take precedence over access_role. See Swagger docs for how values are mapped. Endpoints that recently have returned access_role in their payload will now additionally return the access_role_v2 field. (SQSERVICES-1083 Separate Access Control For Guests And Services #2035)

Features

Conversation access roles now distinguish between guests and services. (SQSERVICES-1083 Separate Access Control For Guests And Services #2035)

Bug fixes and other updates

There is now an explicit CORS allow list for all endpoints. In previous releases, all subdomains were accepted, however they must now be listed explicitly. This is a breaking change, as now only known Javascript applications may access the backend. (charts/nginz: Add restrictive CORS headers to all URLs and explicitly… #1630)
Prevent 500s when SFTs are not reachable from Backend (Fix bug: Calls config crashes when SFTs are unreachable #2077)

Internal changes

Bump hsaml2 package version (Bump hsaml2 dependency #2075)
Separate Spar.Data module into smaller Cassandra interpreters (Pull Spar.Data apart #2064)
Fix some HLint issues in libs/wire-api. (Fix (some) HLint issues in wire-api #2065)
Fix broken build process of package "old-time" for some environments (Fix broken build process for package "old-time" #2056)
Refresh license headers (Add licenses to new Spar work #2062)
Rename Spar.Sem.ScimTokenStore.GetByTeam to LookupByTeam (Spar Polysemy: Rename ScimTokenStore.GetByTeam -> ScimTokenStore.LookupByTeam #2068)
(Try syntax change in config file that breaks nginz (Fix: nginz template broken for allowlisted_origins #2073, reverted in a4a6193f9494))

Federation changes

Tag several federation tests cases for the M2 release ([FS-333] Tag Test Cases for M2 #2045)

…in certificate. (#2054) * generate cert with multiple domains in the SAN also, the subject CN has yet another value than the ones inside Subject alternative name fields. * add unit test for multi-domain cert

* cabal wrapper: define CONFIG_SHELL * add changelog

Merge release 2022-01-18 back into develop

* Tag a negative test case for X509v3 Extended Key Usage * Tag a test for remote user removal when guests disallowed - When the access is updated such that it disallows guests from accessing, all guests, both local and remote, are kicked out of the conversation. This just tags such a test case. * Tag a negative test for getting remote conversation details

* Add licenses * Changelog * Refresh headroom. * Changelog Co-authored-by: Matthias Fischmann <[email protected]>

Co-authored-by: fisx <[email protected]>

* Split up Spar.Data * make format * Fix test * changelog

…upByTeam (#2068) * Rename ScimTokenStore.GetByTeam -> ScimTokenStore.LookupByTeam * changelog * CI

Also, provide better swagger doc inspired by MultiVerb and add names to endpoints (including the public one). Use PushNotificationStream to abstract from FromSourceIO: This makes the conversion to ConduitT a bit easier to find, because it's literately written in the code. Use latest master of Servant.

There are a lot left, but these ones should be safe to not change the application's behavior.

* charts/nginz: Add restrictive CORS headers to all origins and explicitly allowlist allowed origins * charts/nginz: Set some default allowlisted origins * Update changelog * Spelling and style fixes in changelog. * charts/nginz: fix fail-open behaviour in CORS configuration. * charts/nginz: use singular "account" for consistency with other resources. Co-authored-by: Molly Miller <[email protected]>

This reverts commit cafa42f.

* Fix: nginz template broken for allowlisted_origins * changelog

Fix bug: Calls config crashes when SFTs are unreachable

charts/nginz/templates/conf/_nginx.conf.tpl

jschaul and others added 21 commits January 18, 2022 17:23

Add federator validation unit test when a certificate is a multi-doma…

499309f

…in certificate. (#2054) * generate cert with multiple domains in the SAN also, the subject CN has yet another value than the ones inside Subject alternative name fields. * add unit test for multi-domain cert

Fix broken build process for package "old-time" (#2056)

bce64cc

* cabal wrapper: define CONFIG_SHELL * add changelog

Merge pull request #2058 from wireapp/master

f063a93

Merge release 2022-01-18 back into develop

Add licenses to new Spar work (#2062)

69ec12f

* Add licenses * Changelog * Refresh headroom. * Changelog Co-authored-by: Matthias Fischmann <[email protected]>

Fix HLint issues in Gundeck (#2061)

15af92d

Separate Access Control For Guests And Services (#2035)

d1df63f

Co-authored-by: fisx <[email protected]>

Pull Spar.Data apart (#2064)

38318bf

* Split up Spar.Data * make format * Fix test * changelog

Spar Polysemy: Rename ScimTokenStore.GetByTeam -> ScimTokenStore.Look…

3af4fe2

…upByTeam (#2068) * Rename ScimTokenStore.GetByTeam -> ScimTokenStore.LookupByTeam * changelog * CI

Fix (some) HLint issues in wire-api (#2065)

a915816

There are a lot left, but these ones should be safe to not change the application's behavior.

Revert "Servantify Cannon's internal API (#2029)" (#2071)

41be805

This reverts commit cafa42f.

Bump hsaml2 dependency (#2075)

583f33b

Add failing tests

2606888

Catch HTTP exceptions

66dc4c9

changelog

ad1d00f

Fix: nginz template broken for allowlisted_origins (#2073)

5a1a409

* Fix: nginz template broken for allowlisted_origins * changelog

Adjust unit test to reflect reality

a9b5ebe

Merge pull request #2077 from wireapp/FS-266-catch-http-exceptions

12dd6a2

Fix bug: Calls config crashes when SFTs are unreachable

Changelog.

b86598f

julialongtin approved these changes Jan 27, 2022

View reviewed changes

julialongtin reviewed Jan 27, 2022

View reviewed changes

charts/nginz/templates/conf/_nginx.conf.tpl Outdated Show resolved Hide resolved

fisx added 2 commits January 28, 2022 08:56

Fix #2073 (syntax in nginz conf template).

116988c

Changelog.

0641f90

fisx force-pushed the release_2022_01_27 branch from 5890932 to 0641f90 Compare January 28, 2022 07:58

fisx merged commit 13a6a83 into master Jan 28, 2022

fisx deleted the release_2022_01_27 branch January 28, 2022 09:26

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Release 2022-01-27 #2080

Release 2022-01-27 #2080

Uh oh!

fisx commented Jan 27, 2022 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

10 participants

Release 2022-01-27 #2080

Release 2022-01-27 #2080

Uh oh!

Conversation

fisx commented Jan 27, 2022 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release notes

API changes

Features

Bug fixes and other updates

Internal changes

Federation changes

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

10 participants

fisx commented Jan 27, 2022 •

edited

Loading