wireapp · fisx · Sep 13, 2021 · Sep 8, 2021 · Sep 8, 2021 · Sep 8, 2021
@@ -0,0 +1,3 @@
+Support using a single IDP with a single EntityID (aka issuer ID) to set up two teams.
+Sets up a migration, and makes teamID + EntityID unique, rather than relying on EntityID to be unique.
+Required to support multiple teams in environments where the IDP software cannot present anything but one EntityID (E.G.: DualShield).
@@ -1513,6 +1513,7 @@ CREATE TABLE spar_test.issuer_idp (
 
 CREATE TABLE spar_test.idp (
     idp uuid PRIMARY KEY,
+    api_version int,
     extra_public_keys list<blob>,
     issuer text,
     old_issuers list<text>,
@@ -1681,6 +1682,27 @@ CREATE TABLE spar_test.team_idp (
     AND read_repair_chance = 0.0
     AND speculative_retry = '99PERCENTILE';
 
+CREATE TABLE spar_test.issuer_idp_v2 (
+    issuer text,
+    team uuid,
+    idp uuid,
+    PRIMARY KEY (issuer, team)
+) WITH CLUSTERING ORDER BY (team ASC)
+    AND bloom_filter_fp_chance = 0.1
+    AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'}
+    AND comment = ''
+    AND compaction = {'class': 'org.apache.cassandra.db.compaction.LeveledCompactionStrategy'}
+    AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'}
+    AND crc_check_chance = 1.0
+    AND dclocal_read_repair_chance = 0.1
+    AND default_time_to_live = 0
+    AND gc_grace_seconds = 864000
+    AND max_index_interval = 2048
+    AND memtable_flush_period_in_ms = 0
+    AND min_index_interval = 128
+    AND read_repair_chance = 0.0
+    AND speculative_retry = '99PERCENTILE';
+
 CREATE TABLE spar_test.scim_user_times (
     uid uuid PRIMARY KEY,
     created_at timestamp,

@@ -53,8 +53,10 @@ type API =
 
 type APISSO =
   "metadata" :> SAML.APIMeta
+    :<|> "metadata" :> Capture "team" TeamId :> SAML.APIMeta
     :<|> "initiate-login" :> APIAuthReqPrecheck
     :<|> "initiate-login" :> APIAuthReq
+    :<|> APIAuthRespLegacy
     :<|> APIAuthResp
     :<|> "settings" :> SsoSettingsGet
 
@@ -131,8 +133,16 @@ data DoInitiate = DoInitiateLogin | DoInitiateBind
 
 type WithSetBindCookie = Headers '[Servant.Header "Set-Cookie" SetBindCookie]
 
+type APIAuthRespLegacy =
+  "finalize-login"
+    :> Header "Cookie" ST
+    -- (SAML.APIAuthResp from here on, except for response)
+    :> MultipartForm Mem SAML.AuthnResponseBody
+    :> Post '[PlainText] Void
+
 type APIAuthResp =
   "finalize-login"
+    :> Capture "team" TeamId
     :> Header "Cookie" ST
     -- (SAML.APIAuthResp from here on, except for response)
     :> MultipartForm Mem SAML.AuthnResponseBody
@@ -156,6 +166,7 @@ type IdpGetAll = Get '[JSON] IdPList
 type IdpCreate =
   ReqBodyCustomError '[RawXML, JSON] "wai-error" IdPMetadataInfo
     :> QueryParam' '[Optional, Strict] "replaces" SAML.IdPId
+    :> QueryParam' '[Optional, Strict] "api-version" WireIdPAPIVersion
     :> PostCreated '[JSON] IdP
 
 type IdpUpdate =
@@ -176,11 +187,17 @@ type APIINTERNAL =
     :<|> "teams" :> Capture "team" TeamId :> DeleteNoContent
     :<|> "sso" :> "settings" :> ReqBody '[JSON] SsoSettings :> Put '[JSON] NoContent
 
-sparSPIssuer :: SAML.HasConfig m => m SAML.Issuer
-sparSPIssuer = SAML.Issuer <$> SAML.getSsoURI (Proxy @APISSO) (Proxy @APIAuthResp)
-
-sparResponseURI :: SAML.HasConfig m => m URI.URI
-sparResponseURI = SAML.getSsoURI (Proxy @APISSO) (Proxy @APIAuthResp)
+sparSPIssuer :: SAML.HasConfig m => Maybe TeamId -> m SAML.Issuer
+sparSPIssuer Nothing =
+  SAML.Issuer <$> SAML.getSsoURI (Proxy @APISSO) (Proxy @APIAuthRespLegacy)
+sparSPIssuer (Just tid) =
+  SAML.Issuer <$> SAML.getSsoURI' (Proxy @APISSO) (Proxy @APIAuthResp) tid
+
+sparResponseURI :: SAML.HasConfig m => Maybe TeamId -> m URI.URI
+sparResponseURI Nothing =
+  SAML.getSsoURI (Proxy @APISSO) (Proxy @APIAuthRespLegacy)
+sparResponseURI (Just tid) =
+  SAML.getSsoURI' (Proxy @APISSO) (Proxy @APIAuthResp) tid
 
 -- SCIM
 

@@ -17,10 +17,14 @@
 
 module Wire.API.User.IdentityProvider where
 
+import qualified Cassandra as Cql
 import Control.Lens (makeLenses, (.~), (?~))
 import Control.Monad.Except
 import Data.Aeson
 import Data.Aeson.TH
+import qualified Data.Attoparsec.ByteString as AP
+import qualified Data.Binary.Builder as BSB
+import qualified Data.ByteString.Conversion as BSC
 import Data.HashMap.Strict.InsOrd (InsOrdHashMap)
 import qualified Data.HashMap.Strict.InsOrd as InsOrdHashMap
 import Data.Id (TeamId)
@@ -33,6 +37,7 @@ import SAML2.WebSSO (IdPConfig)
 import qualified SAML2.WebSSO as SAML
 import SAML2.WebSSO.Types.TH (deriveJSONOptions)
 import Servant.API as Servant hiding (MkLink, URI (..))
+import Wire.API.Arbitrary (Arbitrary, GenericUniform (GenericUniform))
 import Wire.API.User.Orphans (samlSchemaOptions)
 
 -- | The identity provider type used in Spar.
@@ -43,6 +48,7 @@ data WireIdP = WireIdP
     -- | list of issuer names that this idp has replaced, most recent first.  this is used
     -- for finding users that are still stored under the old issuer, see
     -- 'findUserWithOldIssuer', 'moveUserToNewIssuer'.
+    _wiApiVersion :: Maybe WireIdPAPIVersion,
     _wiOldIssuers :: [SAML.Issuer],
     -- | the issuer that has replaced this one.  this is set iff a new issuer is created
     -- with the @"replaces"@ query parameter, and it is used to decide whether users not
@@ -51,10 +57,61 @@ data WireIdP = WireIdP
   }
   deriving (Eq, Show, Generic)
 
+data WireIdPAPIVersion
+  = -- | initial API
+    WireIdPAPIV1
+  | -- | support for different SP entityIDs per team
+    WireIdPAPIV2
+  deriving stock (Eq, Show, Enum, Bounded, Generic)
+  deriving (Arbitrary) via (GenericUniform WireIdPAPIVersion)
+
+defWireIdPAPIVersion :: WireIdPAPIVersion
+defWireIdPAPIVersion = WireIdPAPIV1
+
 makeLenses ''WireIdP
 
+deriveJSON deriveJSONOptions ''WireIdPAPIVersion
 deriveJSON deriveJSONOptions ''WireIdP
 
+instance BSC.ToByteString WireIdPAPIVersion where
+  builder =
+    BSB.fromByteString . \case
+      WireIdPAPIV1 -> "v1"
+      WireIdPAPIV2 -> "v2"
+
+instance BSC.FromByteString WireIdPAPIVersion where
+  parser =
+    (AP.string "v1" >> pure WireIdPAPIV1)
+      <|> (AP.string "v2" >> pure WireIdPAPIV2)
+
+instance FromHttpApiData WireIdPAPIVersion where
+  parseQueryParam txt = maybe err Right $ BSC.fromByteString' (cs txt)
+    where
+      err = Left $ "FromHttpApiData WireIdPAPIVersion: " <> txt
+
+instance ToHttpApiData WireIdPAPIVersion where
+  toQueryParam = cs . BSC.toByteString'
+
+instance ToParamSchema WireIdPAPIVersion where
+  toParamSchema Proxy =
+    mempty
+      { _paramSchemaDefault = Just "v2",
+        _paramSchemaType = Just SwaggerString,
+        _paramSchemaEnum = Just (String . toQueryParam <$> [(minBound :: WireIdPAPIVersion) ..])
+      }
+
+instance Cql.Cql WireIdPAPIVersion where
+  ctype = Cql.Tagged Cql.IntColumn
+
+  toCql WireIdPAPIV1 = Cql.CqlInt 1
+  toCql WireIdPAPIV2 = Cql.CqlInt 2
+
+  fromCql (Cql.CqlInt i) = case i of
+    1 -> return WireIdPAPIV1
+    2 -> return WireIdPAPIV2
+    n -> Left $ "Unexpected ClientCapability value: " ++ show n
+  fromCql _ = Left "ClientCapability value: int expected"
+
 -- | A list of 'IdP's, returned by some endpoints. Wrapped into an object to
 -- allow extensibility later on.
 data IdPList = IdPList
@@ -104,6 +161,9 @@ instance ToJSON IdPMetadataInfo where
 instance ToSchema IdPList where
   declareNamedSchema = genericDeclareNamedSchema samlSchemaOptions
 
+instance ToSchema WireIdPAPIVersion where
+  declareNamedSchema = genericDeclareNamedSchema samlSchemaOptions
+
 instance ToSchema WireIdP where
   declareNamedSchema = genericDeclareNamedSchema samlSchemaOptions
 

@@ -40,6 +40,7 @@ import qualified Wire.API.User as User
 import qualified Wire.API.User.Activation as User.Activation
 import qualified Wire.API.User.Auth as User.Auth
 import qualified Wire.API.User.Identity as User.Identity
+import qualified Wire.API.User.IdentityProvider as User.IdentityProvider
 import qualified Wire.API.User.Password as User.Password
 import qualified Wire.API.User.Profile as User.Profile
 import qualified Wire.API.User.Search as User.Search
@@ -84,7 +85,8 @@ tests =
       testRoundTrip @Team.Role.Role,
       testRoundTrip @User.Search.TeamUserSearchSortBy,
       testRoundTrip @User.Search.TeamUserSearchSortOrder,
-      testRoundTrip @User.Search.RoleFilter
+      testRoundTrip @User.Search.RoleFilter,
+      testRoundTrip @User.IdentityProvider.WireIdPAPIVersion
       -- FUTUREWORK:
       -- testCase "Call.Config.TurnUsername (doesn't have FromByteString)" ...
       -- testCase "User.Activation.ActivationTarget (doesn't have FromByteString)" ...

@@ -29,6 +29,7 @@ import qualified V11
 import qualified V12
 import qualified V13
 import qualified V14
+import qualified V15
 import qualified V2
 import qualified V3
 import qualified V4
@@ -61,7 +62,8 @@ main = do
       V11.migration,
       V12.migration,
       V13.migration,
-      V14.migration
+      V14.migration,
+      V15.migration
       -- When adding migrations here, don't forget to update
       -- 'schemaVersion' in Spar.Data
 

@@ -0,0 +1,43 @@
+-- This file is part of the Wire Server implementation.
+--
+-- Copyright (C) 2020 Wire Swiss GmbH <opensource@wire.com>
+--
+-- This program is free software: you can redistribute it and/or modify it under
+-- the terms of the GNU Affero General Public License as published by the Free
+-- Software Foundation, either version 3 of the License, or (at your option) any
+-- later version.
+--
+-- This program is distributed in the hope that it will be useful, but WITHOUT
+-- ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+-- FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+-- details.
+--
+-- You should have received a copy of the GNU Affero General Public License along
+-- with this program. If not, see <https://www.gnu.org/licenses/>.
+
+module V15
+  ( migration,
+  )
+where
+
+import Cassandra.Schema
+import Imports
+import Text.RawString.QQ
+
+migration :: Migration
+migration = Migration 15 "Optionally index IdP by teamid (in addition to entityID); add idp api version." $ do
+  void $
+    schema'
+      [r|
+        CREATE TABLE if not exists issuer_idp_v2
+            ( issuer        text
+            , team          uuid
+            , idp           uuid
+            , PRIMARY KEY (issuer, team)
+            ) with compaction = {'class': 'LeveledCompactionStrategy'};
+        |]
+  void $
+    schema'
+      [r|
+        ALTER TABLE idp ADD api_version int;
+        |]
@@ -4,7 +4,7 @@ cabal-version: 1.12
 --
 -- see: https://github.com/sol/hpack
 --
--- hash: 2afa3a03f475aac5d63ab87ded5843f404fee3d8506ac70390ee37dde18f22d4
+-- hash: 6a8deefc6739b8a56d89eae84bd4333254d31f2b1bf1ab22b830d7d120992bbf
 
 name:           spar
 version:        0.1
@@ -364,6 +364,7 @@ executable spar-schema
       V12
       V13
       V14
+      V15
       V2
       V3
       V4