Introduce disabledAPIVersions

changelog.d/2-features/pr-2951

@@ -0,0 +1 @@
+Introduce optional disabledAPIVersions configuration setting

charts/brig/templates/configmap.yaml

@@ -299,5 +299,8 @@ data:
       {{- if .setEnableMLS }}
       setEnableMLS: {{ .setEnableMLS }}
       {{- end }}
+      {{- if .setDisabledAPIVersions }}
+      setDisabledAPIVersions: {{ .setDisabledAPIVersions }}
+      {{- end }}
     {{- end }}
   {{- end }}

charts/brig/values.yaml

@@ -87,6 +87,9 @@ config:
     setNonceTtlSecs: 300 # 5 minutes
     setDpopMaxSkewSecs: 1
     setDpopTokenExpirationTimeSecs: 300 # 5 minutes
+    # Disable one ore more API versions. Please make sure the configuration value is the same in all these charts:
+    # brig, cannon, cargohold, galley, gundeck, proxy, spar.
+    # setDisabledAPIVersions: [ 3 ]
   smtp:
     passwordFile: /etc/wire/brig/secrets/smtp-password.txt
   proxy: {}

charts/cannon/templates/configmap.yaml

@@ -19,6 +19,10 @@ data:
       millisecondsBetweenBatches: {{ .Values.config.drainOpts.millisecondsBetweenBatches }}
       minBatchSize: {{ .Values.config.drainOpts.minBatchSize }}
 
+    {{- if .Values.config.disabledAPIVersions }}
+    disabledAPIVersions: {{ .Values.config.disabledAPIVersions }}
+    {{- end }}
+
 kind: ConfigMap
 metadata:
   name: cannon

charts/cannon/values.yaml

@@ -22,6 +22,10 @@ config:
     millisecondsBetweenBatches: 50
     minBatchSize: 20
 
+  # Disable one ore more API versions. Please make sure the configuration value is the same in all these charts:
+  # brig, cannon, cargohold, galley, gundeck, proxy, spar.
+  # disabledAPIVersions: [ 3 ]
+
 metrics:
   serviceMonitor:
     enabled: false

charts/cargohold/templates/configmap.yaml

@@ -41,7 +41,14 @@ data:
 
     settings:
       {{- with .Values.config.settings }}
-      maxTotalBytes: 5368709120
-      downloadLinkTTL: 300      # Seconds
+      {{- if .maxTotalBytes }}
+      maxTotalBytes: {{ .maxTotalBytes }}
+      {{- end }}
+      {{- if .downloadLinkTTL }}
+      downloadLinkTTL: {{ .downloadLinkTTL }}
+      {{- end }}
       federationDomain: {{ .federationDomain }}
+      {{- if .disabledAPIVersions }}
+      disabledAPIVersions: {{ .disabledAPIVersions }}
+      {{- end }}
       {{- end }}

charts/cargohold/values.yaml

@@ -23,6 +23,13 @@ config:
     region: "eu-west-1"
     s3Bucket: assets
   proxy: {}
+  settings:
+    maxTotalBytes: 5368709120
+    downloadLinkTTL: 300 # Seconds
+    # Disable one ore more API versions. Please make sure the configuration value is the same in all these charts:
+    # brig, cannon, cargohold, galley, gundeck, proxy, spar.
+    # disabledAPIVersions: [ 3 ]
+
 serviceAccount:
   # When setting this to 'false', either make sure that a service account named
   # 'cargohold' exists or change the 'name' field to 'default'

charts/galley/templates/configmap.yaml

@@ -69,6 +69,9 @@ data:
           ed25519: "/etc/wire/galley/secrets/removal_ed25519.pem"
         {{- end }}
       {{- end -}}
+      {{- if .settings.disabledAPIVersions }}
+      disabledAPIVersions: {{ .settings.disabledAPIVersions }}
+      {{- end }}
       {{- if .settings.featureFlags }}
       featureFlags:
         sso: {{ .settings.featureFlags.sso }}

charts/galley/values.yaml

@@ -32,6 +32,9 @@ config:
     # Before making indexedBillingTeamMember true while upgrading, please
     # refer to notes here: https://github.com/wireapp/wire-server-deploy/releases/tag/v2020-05-15
     indexedBillingTeamMember: false
+    # Disable one ore more API versions. Please make sure the configuration value is the same in all these charts:
+    # brig, cannon, cargohold, galley, gundeck, proxy, spar.
+    # disabledAPIVersions: [ 3 ]
     featureFlags:  # see #RefConfigOptions in `/docs/reference` (https://github.com/wireapp/wire-server/)
       appLock:
         defaults:

charts/gundeck/templates/configmap.yaml

@@ -53,6 +53,10 @@ data:
       {{- if hasKey . "perNativePushConcurrency" }}
       perNativePushConcurrency: {{ .perNativePushConcurrency }}
       {{- end }}
+      {{- if .disabledAPIVersions }}
+      disabledAPIVersions: {{ .disabledAPIVersions }}
+      {{- end }}
+      # disabledAPIVersions: [ 2 ]
       maxConcurrentNativePushes:
         soft: {{ .maxConcurrentNativePushes.soft }}
         {{- if hasKey .maxConcurrentNativePushes "hard" }}

charts/gundeck/values.yaml

@@ -35,6 +35,10 @@ config:
   # perNativePushConcurrency: 32
   maxConcurrentNativePushes:
     soft: 1000
+  # Disable one ore more API versions. Please make sure the configuration value is the same in all these charts:
+  # brig, cannon, cargohold, galley, gundeck, proxy, spar.
+  # disabledAPIVersions: [ 3 ]
+
 serviceAccount:
   # When setting this to 'false', either make sure that a service account named
   # 'gundeck' exists or change the 'name' field to 'default'

charts/proxy/templates/configmap.yaml

@@ -7,7 +7,9 @@ data:
     logFormat: {{ .Values.config.logFormat }}
     logLevel: {{ .Values.config.logLevel }}
     logNetStrings: {{ .Values.config.logNetStrings }}
-
+    {{- if .Values.config.disabledAPIVersions }}
+    disabledAPIVersions: {{ .Values.config.disabledAPIVersions }}
+    {{- end }}
     host: 0.0.0.0
     port: {{ .Values.service.internalPort }}
     httpPoolSize: 1000

charts/proxy/values.yaml

@@ -19,3 +19,6 @@ config:
   logFormat: StructuredJSON
   logNetStrings: false
   proxy: {}
+  # Disable one ore more API versions. Please make sure the configuration value is the same in all these charts:
+  # brig, cannon, cargohold, galley, gundeck, proxy, spar.
+  # disabledAPIVersions: [ 3 ]

charts/spar/templates/configmap.yaml

@@ -33,6 +33,10 @@ data:
 
     maxScimTokens: {{ .maxScimTokens }}
 
+    {{- if .disabledAPIVersions }}
+    disabledAPIVersions: {{ .disabledAPIVersions }}
+    {{- end }}
+
     saml:
       version:     SAML2.0
       logLevel:    {{ .logLevel }}
@@ -43,5 +47,5 @@ data:
       spSsoUri: {{ .ssoUri }}
 
       contacts:
-{{ toYaml .contacts | indent 12 }}
+        {{- toYaml .contacts | nindent 8 }}
 {{- end }}

charts/spar/values.yaml

@@ -25,3 +25,6 @@ config:
   maxttlAuthreq: 7200
   maxttlAuthresp: 7200
   proxy: {}
+  # Disable one ore more API versions. Please make sure the configuration value is the same in all these charts:
+  # brig, cannon, cargohold, galley, gundeck, proxy, spar.
+  # disabledAPIVersions: [ 3 ]

docs/src/developer/developer/how-to.md

@@ -2,6 +2,13 @@
 
 The following assume you have a working developer environment with all the dependencies listed in [./dependencies.md](./dependencies.md) available to you.
 
+If you want to deploy to the CI kubernetes cluster (how-tos below), you need to set the `KUBECONFIG` env var, where `$cailleach_repo` is replaced by your local checkout of the `cailleach` repository.
+```
+export KUBECONFIG=$cailleach_repo/environments/kube-ci/kubeconfig.dec
+```
+Check that this file exists by running `ls $KUBECONFIG`.
+
+
 ## How to look at the swagger docs / UI locally
 
 Terminal 1:

docs/src/developer/reference/config-options.md

@@ -604,3 +604,37 @@ If there is no configuration for a domain, it's defaulted to `no_search`.
 #### `setEnableDevelopmentVersions`
 
 This options determines whether development versions should be enabled. If set to `False`, all development versions are removed from the `supported` field of the `/api-version` endpoint. Note that they are still listed in the `development` field, and continue to work normally.
+
+#### Disabling API versions
+
+It is possible to disable one ore more API versions. When an API version is disabled it won't be advertised on the `GET /api-version` endpoint, neither in the `supported`, nor in the `development` section. Requests made to any endpoint of a disabled API version will result in the same error response as a request made to an API version that does not exist.
+
+Each of the services brig, cannon, cargohold, galley, gundeck, proxy, spar should to be configured with the same set of disable API versions in each service's values.yaml config files. 
+
+
+For example to disable API version v3, you need to configure:
+
+```
+# brig's values.yaml
+config.optSettings.setDisabledAPIVersions: [ 3 ]
+
+# cannon's values.yaml
+config.disabledAPIVersions: [ 3 ]
+
+# cargohold's values.yaml
+config.settings.disabledAPIVersions: [ 3 ]
+
+# galley's values.yaml
+config.settings.disabledAPIVersions: [ 3 ]
+
+# gundecks' values.yaml
+config.disabledAPIVersions: [ 3 ]
+
+# proxy's values.yaml
+config.disabledAPIVersions: [ 3 ]
+
+# spar's values.yaml
+config.disabledAPIVersions: [ 3 ]
+```
+
+The default setting is that no API version is disabled.

hack/helmfile-single.yaml

@@ -73,3 +73,5 @@ releases:
         value: {{ .Values.federationDomain }}
       - name: galley.config.settings.federationDomain
         value: {{ .Values.federationDomain }}
+      - name: cargohold.config.settings.federationDomain
+        value: {{ .Values.federationDomain }}

libs/wire-api/src/Wire/API/Routes/Version/Wai.hs

@@ -28,12 +28,12 @@ import Network.Wai.Utilities.Response
 import Wire.API.Routes.Version
 
 -- | Strip off version prefix. Return 404 if the version is not supported.
-versionMiddleware :: Middleware
-versionMiddleware app req k = case parseVersion (removeVersionHeader req) of
+versionMiddleware :: Set Version -> Middleware
+versionMiddleware disabledAPIVersions app req k = case parseVersion (removeVersionHeader req) of
   Nothing -> app req k
   Just (req', n) -> case mkVersion n of
-    Just v -> app (addVersionHeader v req') k
-    Nothing ->
+    Just v | v `notElem` disabledAPIVersions -> app (addVersionHeader v req') k
+    _ ->
       k $
         errorRs' $
           mkError HTTP.status404 "unsupported-version" $

libs/wire-api/src/Wire/API/User/Saml.hs

@@ -38,13 +38,9 @@ import Data.Time
 import GHC.TypeLits (KnownSymbol, symbolVal)
 import GHC.Types (Symbol)
 import Imports
-import SAML2.Util (parseURI', renderURI)
-import SAML2.WebSSO (Assertion, AuthnRequest, ID, IdPId)
-import qualified SAML2.WebSSO as SAML
+import SAML2.WebSSO
 import SAML2.WebSSO.Types.TH (deriveJSONOptions)
-import System.Logger.Extended (LogFormat)
 import URI.ByteString
-import Util.Options
 import Web.Cookie
 import Wire.API.User.Orphans ()
 
@@ -87,37 +83,6 @@ substituteVar var val = substituteVar' ("$" <> var) val . substituteVar' ("%24"
 substituteVar' :: ST -> ST -> ST -> ST
 substituteVar' var val = ST.intercalate val . ST.splitOn var
 
-type Opts = Opts' DerivedOpts
-
--- FUTUREWORK: Shouldn't these types be in spar, not in wire-api?
-data Opts' a = Opts
-  { saml :: !SAML.Config,
-    brig :: !Endpoint,
-    galley :: !Endpoint,
-    cassandra :: !CassandraOpts,
-    maxttlAuthreq :: !(TTL "authreq"),
-    maxttlAuthresp :: !(TTL "authresp"),
-    -- | The maximum number of SCIM tokens that we will allow teams to have.
-    maxScimTokens :: !Int,
-    -- | The maximum size of rich info. Should be in sync with 'Brig.Types.richInfoLimit'.
-    richInfoLimit :: !Int,
-    -- | Wire/AWS specific; optional; used to discover Cassandra instance
-    -- IPs using describe-instances.
-    discoUrl :: !(Maybe Text),
-    logNetStrings :: !(Maybe (Last Bool)),
-    logFormat :: !(Maybe (Last LogFormat)),
-    -- , optSettings   :: !Settings  -- (nothing yet; see other services for what belongs in here.)
-    derivedOpts :: !a
-  }
-  deriving (Functor, Show, Generic)
-
-instance FromJSON (Opts' (Maybe ()))
-
-data DerivedOpts = DerivedOpts
-  { derivedOptsScimBaseURI :: !URI
-  }
-  deriving (Show, Generic)
-
 -- | (seconds)
 newtype TTL (tablename :: Symbol) = TTL {fromTTL :: Int32}
   deriving (Eq, Ord, Show, Num)
@@ -134,9 +99,6 @@ data TTLError = TTLTooLong String String | TTLNegative String
 ttlToNominalDiffTime :: TTL a -> NominalDiffTime
 ttlToNominalDiffTime (TTL i32) = fromIntegral i32
 
-maxttlAuthreqDiffTime :: Opts -> NominalDiffTime
-maxttlAuthreqDiffTime = ttlToNominalDiffTime . maxttlAuthreq
-
 data SsoSettings = SsoSettings
   { defaultSsoCode :: !(Maybe IdPId)
   }

services/brig/src/Brig/Options.hs

@@ -52,6 +52,7 @@ import Imports
 import qualified Network.DNS as DNS
 import System.Logger.Extended (Level, LogFormat)
 import Util.Options
+import Wire.API.Routes.Version
 import qualified Wire.API.Team.Feature as Public
 import Wire.API.User
 import Wire.API.User.Search (FederatedUserSearchPolicy)
@@ -587,8 +588,10 @@ data Settings = Settings
     setSftListAllServers :: Maybe ListAllSFTServers,
     setEnableMLS :: Maybe Bool,
     setKeyPackageMaximumLifetime :: Maybe NominalDiffTime,
-    -- | When set, development API versions are advertised to clients.
+    -- | When set, development API versions are advertised to clients as supported.
     setEnableDevelopmentVersions :: Maybe Bool,
+    -- | Disabled versions are not advertised and are completely disabled.
+    setDisabledAPIVersions :: Maybe (Set Version),
     -- | Minimum delay in seconds between consecutive attempts to generate a new verification code.
     -- use `set2FACodeGenerationDelaySecs` as the getter function which always provides a default value
     set2FACodeGenerationDelaySecsInternal :: !(Maybe Int),
@@ -859,7 +862,8 @@ Lens.makeLensesFor
     ("setFederationDomainConfigs", "federationDomainConfigs"),
     ("setEnableDevelopmentVersions", "enableDevelopmentVersions"),
     ("setRestrictUserCreation", "restrictUserCreation"),
-    ("setEnableMLS", "enableMLS")
+    ("setEnableMLS", "enableMLS"),
+    ("setDisabledAPIVersions", "disabledAPIVersions")
   ]
   ''Settings
 

services/brig/src/Brig/Run.hs

@@ -130,7 +130,8 @@ mkApp o = do
 
     middleware :: Env -> (RequestId -> Wai.Application) -> Wai.Application
     middleware e =
-      versionMiddleware -- this rewrites the request, so it must be at the top (i.e. applied last)
+      -- this rewrites the request, so it must be at the top (i.e. applied last)
+      versionMiddleware (fold (setDisabledAPIVersions (optSettings o)))
         . Metrics.servantPlusWAIPrometheusMiddleware (sitemap @BrigCanonicalEffects) (Proxy @ServantCombinedAPI)
         . GZip.gunzip
         . GZip.gzip GZip.def

services/brig/src/Brig/Version.hs

@@ -21,6 +21,7 @@ import Brig.API.Handler
 import Brig.App
 import Brig.Options
 import Control.Lens
+import qualified Data.Set as Set
 import Imports
 import Servant (ServerT)
 import Wire.API.Routes.Named
@@ -31,13 +32,16 @@ versionAPI = Named $ do
   fed <- view federator
   dom <- viewFederationDomain
   dev <- view (settings . enableDevelopmentVersions . to (fromMaybe False))
-  let supported
-        | dev = supportedVersions
-        | otherwise = supportedVersions \\ developmentVersions
+  disabledVersions <- view (settings . disabledAPIVersions . traverse)
+  let allVersions = Set.difference (Set.fromList supportedVersions) disabledVersions
+      devVersions = Set.difference (Set.fromList developmentVersions) disabledVersions
+      supported
+        | dev = allVersions
+        | otherwise = Set.difference allVersions devVersions
   pure $
     VersionInfo
-      { vinfoSupported = supported,
-        vinfoDevelopment = developmentVersions,
+      { vinfoSupported = toList supported,
+        vinfoDevelopment = toList devVersions,
         vinfoFederation = isJust fed,
         vinfoDomain = dom
       }