Merged

OAuth #2989

Commits
293 commits
6322e11
fix makefile
battermann Dec 23, 2022
3f00152
fix haskell-pins.nix file
battermann Dec 23, 2022
f527639
config flag
battermann Dec 12, 2022
99b4f82
check status, integration tests
battermann Dec 12, 2022
a4de2b8
changelog
battermann Dec 13, 2022
b01727d
make expiration test faster
battermann Dec 13, 2022
c4f121b
uncomment code
battermann Dec 14, 2022
0dbed7e
moved oauth types to wire-api
battermann Dec 15, 2022
21c2728
de-/encode jwt inside toschema instance
battermann Dec 15, 2022
8282ef9
servant combinator
battermann Dec 16, 2022
246d1f3
better
battermann Dec 16, 2022
d45105f
check scope in hasserver
battermann Dec 16, 2022
1b3ea4b
clean up
battermann Dec 16, 2022
94631c4
test vs nginz
battermann Dec 19, 2022
91adbbf
crude change in nginz
battermann Dec 20, 2022
a76d5fa
use Z-OAuth header for oauth
battermann Dec 21, 2022
a4d8e84
refactoring
battermann Dec 21, 2022
043008f
renaming
battermann Dec 21, 2022
6d8cf57
small refactoring of nginx module
battermann Dec 22, 2022
3765b8d
more failure tests
battermann Dec 22, 2022
84d6bbe
changelog
battermann Dec 23, 2022
50afa1b
enable oauth in nginz config
battermann Dec 23, 2022
243423e
set zauth_user in nginz only if authorized and allowed
battermann Dec 23, 2022
ba0833b
trailing whitespaces
battermann Jan 3, 2023
31ee8f6
additional checks in nginz to reduce load on brig
battermann Jan 4, 2023
4f8d114
oauth test script
battermann Jan 5, 2023
72468bb
show instance for OAuthAuthCode
battermann Jan 13, 2023
0622441
tagged token, refresh token basic impl
battermann Jan 13, 2023
45cd5a1
improve script
battermann Jan 16, 2023
2954953
Merge remote-tracking branch 'origin/develop' into SQSERVICES-1825-be…
fisx Jan 16, 2023
a595c04
Merge remote-tracking branch 'refs/remotes/origin/SQSERVICES-1825-be-…
fisx Jan 16, 2023
8477681
fixed some merge errors
battermann Jan 16, 2023
504ab63
refresh token id and info, db table, and insert logic
battermann Jan 16, 2023
7a0a844
fixed comment
battermann Jan 17, 2023
8a3bf5a
config for refresh token expiration
battermann Jan 17, 2023
a286ec4
options and integration tests
battermann Jan 17, 2023
1570eda
Merge branch 'develop' into SQSERVICES-1825-be-oauth-refresh-token-ge…
battermann Jan 18, 2023
5450d08
Update docs/src/developer/reference/config-options.md
battermann Jan 18, 2023
ea97ed1
Update docs/src/developer/reference/config-options.md
battermann Jan 18, 2023
8418020
Update docs/src/developer/reference/config-options.md
battermann Jan 18, 2023
3951c9b
Update docs/src/how-to/install/oauth.md
battermann Jan 18, 2023
50a654c
Update services/brig/brig.integration.yaml
battermann Jan 19, 2023
2dfa725
Update libs/wire-api/src/Wire/API/Routes/Public.hs
battermann Jan 19, 2023
e3aa83e
moved ToHttpApiData instance to test
battermann Jan 19, 2023
c8e943f
jwks
battermann Jan 19, 2023
43e6a81
inlined bad key for test again
battermann Jan 19, 2023
7923d27
refresh access token
battermann Jan 19, 2023
d79433f
swagger ui
battermann Jan 19, 2023
03374a4
more refresh token tests
battermann Jan 20, 2023
8ddb509
linter
battermann Jan 20, 2023
e1cbc96
API docs
battermann Jan 23, 2023
51c49e7
Merge remote-tracking branch 'origin/develop' into SQSERVICES-1825-be…
battermann Jan 24, 2023
12ab6d8
revoke token
battermann Jan 23, 2023
9ac9428
test
battermann Jan 24, 2023
fd2add5
clean up API types
battermann Jan 24, 2023
59b6327
wip
battermann Jan 24, 2023
4c803ba
error handling
battermann Jan 25, 2023
bc20aaf
Merge remote-tracking branch 'origin/develop' into SQSERVICES-1825-be…
battermann Jan 25, 2023
b688ef6
clean up
battermann Jan 26, 2023
cbefee8
get apps with account access, revoke access
battermann Jan 26, 2023
71cdf9b
clean up
battermann Jan 26, 2023
174a3ab
Merge remote-tracking branch 'origin/develop' into SQSERVICES-1825-be…
battermann Jan 26, 2023
ed8193e
Merge remote-tracking branch 'origin/develop' into SQSERVICES-1825-be…
fisx Jan 27, 2023
40babdd
Cleanup changelog.
fisx Jan 27, 2023
7643974
Update services/brig/test/integration/API/OAuth.hs
battermann Jan 27, 2023
8160d3f
Discriminate against performAction tags for CallsFed constraints (#3030)
isovector Jan 27, 2023
b68766a
Upgrade to GHC 9.2.4 (#2810)
smatting Jan 27, 2023
751ad93
check syntactic properties of auth code
battermann Jan 27, 2023
2b53bc6
clean up according to review comments
battermann Jan 27, 2023
ebcbda7
Merge remote-tracking branch 'origin/develop' into SQSERVICES-1825-be…
fisx Jan 31, 2023
e643fb0
do not redirect if url is wrong
battermann Jan 31, 2023
c9c2c49
Update charts/nginz/values.yaml
battermann Jan 31, 2023
d21d351
improve nginz module code according to PR review
battermann Feb 1, 2023
9e10441
comment
battermann Feb 1, 2023
a54578a
play with hasserver instance
battermann Feb 1, 2023
70aa9a7
...
fisx Feb 2, 2023
afdbe5c
...
fisx Feb 2, 2023
d58d78a
...
fisx Feb 2, 2023
5087280
...
fisx Feb 2, 2023
a721f44
...
fisx Feb 2, 2023
6ac782b
WIP: attempt to use checkType in OAuth logic
pcapriotti Feb 2, 2023
58b2955
...
fisx Feb 2, 2023
e7724d7
wip
battermann Feb 2, 2023
3d7d9b2
clean up
battermann Feb 3, 2023
95dde99
more clear comments
battermann Feb 3, 2023
e4b69e8
clean up
battermann Feb 3, 2023
f37c319
another cleanup
battermann Feb 3, 2023
a0549ee
conn id optional
battermann Feb 3, 2023
ed226cd
Allow single scopes and lists of scopes in routes.
fisx Feb 3, 2023
7d735c6
Merge remote-tracking branch 'refs/remotes/origin/SQSERVICES-1885-be-…
fisx Feb 3, 2023
a7e4cbf
instance HasSwagger (ZAuthServant ...)
fisx Feb 3, 2023
70d1f47
Fixup
fisx Feb 3, 2023
e0c9c91
Merge remote-tracking branch 'origin/develop' into SQSERVICES-1885-be…
fisx Feb 6, 2023
d93bb7d
Tweak HasSwagger docs.
fisx Feb 6, 2023
1a6e02a
Merge branch 'SQSERVICES-1885-be-oauth-scopes-with-regard-to-calendar…
battermann Feb 6, 2023
3407a2f
support lenient, optional zoauth combinators.
fisx Feb 6, 2023
d7be8cc
Merge branch 'SQSERVICES-1885-be-oauth-scopes-with-regard-to-calendar…
battermann Feb 6, 2023
fea0a27
Fixup
fisx Feb 6, 2023
8ad2b3f
make oauth work with swagger
battermann Feb 6, 2023
15015d0
show scope(s) for each endpoint in swagger
battermann Feb 6, 2023
4eece1d
Merge branch 'SQSERVICES-1885-be-oauth-scopes-with-regard-to-calendar…
battermann Feb 6, 2023
8192d7e
fix
battermann Feb 6, 2023
0003255
fix 2
battermann Feb 6, 2023
a9f4d3e
grammar
battermann Feb 6, 2023
389fa39
make JWK available in galley
battermann Feb 7, 2023
fa47d21
oauth access to conversation create works
battermann Feb 7, 2023
26e75c5
jwk effect shared
battermann Feb 7, 2023
54a7cb2
generated local nix packages
battermann Feb 7, 2023
501a96f
setup config for secret for staging
battermann Feb 7, 2023
62da199
fix tests
battermann Feb 7, 2023
c52784c
Merge remote-tracking branch 'origin/develop' into SQSERVICES-1825-be…
battermann Feb 7, 2023
87e6dd8
enable oauth for post conversations
battermann Feb 7, 2023
9d5f5e3
renaming
battermann Feb 7, 2023
737ba2b
fix
battermann Feb 7, 2023
8d61c29
oauth scope for feature-configs
battermann Feb 8, 2023
5047395
wip
battermann Feb 8, 2023
fdff6a6
clean up
battermann Feb 8, 2023
0c14cca
update comment
battermann Feb 8, 2023
a58362e
Merge branch 'SQSERVICES-1885-be-oauth-scopes-with-regard-to-calendar…
battermann Feb 8, 2023
b2bcf97
sort ctors
battermann Feb 8, 2023
6abe0bc
make conn param optional for create code endpoint
battermann Feb 8, 2023
8d5b908
tests for write:conversation_code
battermann Feb 8, 2023
2731cce
rename jwk keypair file
battermann Feb 9, 2023
cee1b15
renamed pub jwk key file
battermann Feb 9, 2023
129fa30
rename jwk file in brig tests
battermann Feb 9, 2023
fc22595
rename jwk file in galley tests
battermann Feb 9, 2023
b960296
Merge remote-tracking branch 'origin/develop' into SQSERVICES-1825-be…
fisx Feb 10, 2023
24903c1
haddocks.
fisx Feb 10, 2023
e00c6ad
Nit-picks.
fisx Feb 10, 2023
748d7ec
Fix a lie.
fisx Feb 10, 2023
ce2b068
Give up on consolidating the two HasServer instances for now.
fisx Feb 10, 2023
f287f7a
Tweak swagger docs.
fisx Feb 10, 2023
04db869
Merge remote-tracking branch 'origin/develop' into SQSERVICES-1825-be…
battermann Feb 16, 2023
3e5066e
nix fix after develop merge
battermann Feb 16, 2023
3f9410d
rust stuff
battermann Feb 15, 2023
a216a47
rust compiles
battermann Feb 15, 2023
93083b8
rust compiles
battermann Feb 15, 2023
4e0f572
wip
battermann Feb 16, 2023
ba70964
wip
battermann Feb 16, 2023
4c292bc
wip
battermann Feb 17, 2023
47ef9f2
works
battermann Feb 17, 2023
7997155
scope access
battermann Feb 20, 2023
673003f
oauth integration tests only using nginz
battermann Feb 20, 2023
7e2a584
return a tuple
battermann Feb 21, 2023
d94918f
free oauth key mem
battermann Feb 21, 2023
37f4cf3
naming conventions
battermann Feb 21, 2023
7de3a20
get rid of rust warnings
battermann Feb 21, 2023
341e642
formatting
battermann Feb 21, 2023
80f8409
error propagation
battermann Feb 21, 2023
0b5bcec
oauth nginz pass locally
battermann Feb 21, 2023
befeca0
nginx config for CI
battermann Feb 21, 2023
223b0fb
oauth public key for nginz CI
battermann Feb 21, 2023
8ba3108
better rust
battermann Feb 21, 2023
45418cd
remove pub keys from brig and galley, fix stuff
battermann Feb 21, 2023
4961fef
clean up
battermann Feb 22, 2023
ec955fb
commt
battermann Feb 22, 2023
367e905
set oauth_scope in template correctly
battermann Feb 22, 2023
4bc1976
script
battermann Feb 22, 2023
90cd5f1
Update services/nginz/third_party/nginx-zauth-module/zauth_module.c
battermann Feb 22, 2023
e26a03e
WIP
pcapriotti Feb 22, 2023
1b3c2ca
Merge branch 'SQSERVICES-1913-oauth-move-o-auth-authentication-to-ngi…
battermann Feb 22, 2023
bcf6715
Merge branch 'SQSERVICES-1913-oauth-move-o-auth-authentication-to-ngi…
battermann Feb 22, 2023
fc92f75
clean up
battermann Feb 22, 2023
296b30a
zauth module clean up
battermann Feb 23, 2023
924dba4
clean up
battermann Feb 23, 2023
49d1fd9
remove spaces
battermann Feb 23, 2023
626ddb1
typo in nginx.conf
battermann Feb 23, 2023
5b07b11
check for oom error
battermann Feb 23, 2023
2af8cf7
Merge remote-tracking branch 'origin/develop' into SQSERVICES-1825-be…
battermann Feb 24, 2023
3485c37
wip
battermann Feb 22, 2023
3c38d29
wip
battermann Feb 23, 2023
c6c3649
wip
battermann Feb 24, 2023
88273e4
linter
battermann Feb 24, 2023
b34a586
Merge remote-tracking branch 'origin/develop' into SQSERVICES-1825-be…
battermann Feb 24, 2023
cc23e84
nginx configs
battermann Feb 24, 2023
cfd96d6
clean up scopes, snake case to comply with standard
battermann Feb 27, 2023
71c2f62
Merge remote-tracking branch 'origin/develop' into SQSERVICES-1825-be…
fisx Feb 27, 2023
852e5b8
Update charts/galley/templates/configmap.yaml
fisx Feb 27, 2023
bf5d939
Update charts/nginz/templates/conf/_nginx.conf.tpl
fisx Feb 27, 2023
406a40f
Fixup
fisx Feb 27, 2023
413981f
Merge remote-tracking branch 'refs/remotes/origin/SQSERVICES-1825-be-…
fisx Feb 27, 2023
202e950
Fixup
fisx Feb 27, 2023
a40bf9d
Fixup
fisx Feb 27, 2023
6713680
Merge branch 'SQSERVICES-1922-oauth-documentation' into SQSERVICES-18…
battermann Feb 27, 2023
fad2b92
Explicit exports and other nit-picks.
fisx Feb 28, 2023
587d854
Merge remote-tracking branch 'origin/develop' into SQSERVICES-1825-be…
fisx Feb 28, 2023
57f1b50
Update docs/src/developer/reference/oauth.md
fisx Feb 28, 2023
4915ad3
Merge remote-tracking branch 'refs/remotes/origin/SQSERVICES-1825-be-…
fisx Feb 28, 2023
4464ced
docs wip
battermann Feb 28, 2023
a103101
Merge branch 'SQSERVICES-1825-be-oauth-refresh-token-generation' of g…
battermann Feb 28, 2023
0dc39c7
Merge remote-tracking branch 'refs/remotes/origin/SQSERVICES-1825-be-…
fisx Mar 1, 2023
29c7541
Merge remote-tracking branch 'origin/develop' into SQSERVICES-1825-be…
fisx Mar 1, 2023
eab4120
wip
battermann Mar 1, 2023
5a57f02
change libzauth-c target back to release
battermann Mar 2, 2023
22b6628
Member instead of Members
battermann Mar 2, 2023
47e4526
application name length, clean up
battermann Mar 2, 2023
7b6aac3
merge db migrations
battermann Mar 2, 2023
2a1afb2
typo
battermann Mar 2, 2023
39500e3
better test descriptions
battermann Mar 2, 2023
cb35e9b
style
battermann Mar 2, 2023
76fa2e4
rename auth to authorization
battermann Mar 2, 2023
593d041
fix up
battermann Mar 2, 2023
7d11def
fixes in docs
battermann Mar 2, 2023
4b14aad
wip
battermann Mar 3, 2023
4062594
fix diagram
battermann Mar 3, 2023
69a8501
clean-up
battermann Mar 3, 2023
14832d4
Merge remote-tracking branch 'origin/develop' into SQSERVICES-1825-be…
fisx Mar 5, 2023
8f90344
fixes
battermann Mar 6, 2023
2c96c2d
arbitrary instances and roundtrip tests
battermann Mar 6, 2023
02e2dbf
revert making conn id optional
battermann Mar 6, 2023
4d428e4
Merge remote-tracking branch 'origin/develop' into SQSERVICES-1825-be…
battermann Mar 6, 2023
72f8beb
Revert "revert making conn id optional"
battermann Mar 6, 2023
d36d704
more roundtrip tests
battermann Mar 6, 2023
8ba528e
Merge remote-tracking branch 'origin/develop' into SQSERVICES-1825-be…
battermann Mar 6, 2023
6280c6b
another roundtrip test
battermann Mar 6, 2023
7008767
removed unused tag
battermann Mar 6, 2023
cf1df77
manually update docs
battermann Mar 7, 2023
0317e56
nit-pick
fisx Mar 7, 2023
0fbdcf8
nit-pick
fisx Mar 7, 2023
9bc21c2
Merge remote-tracking branch 'refs/remotes/origin/SQSERVICES-1825-be-…
fisx Mar 7, 2023
72bc3b9
Update services/brig/src/Brig/API/OAuth.hs
fisx Mar 7, 2023
e72351b
Typo
fisx Mar 7, 2023
22e6f1b
Merge remote-tracking branch 'refs/remotes/origin/SQSERVICES-1825-be-…
fisx Mar 7, 2023
902eddc
clean up and fix
battermann Mar 7, 2023
2f3c860
docs
battermann Mar 7, 2023
52d75a3
fix
battermann Mar 7, 2023
eb98279
renaming
battermann Mar 7, 2023
0ea9812
servant combinator for oauth scope description
battermann Mar 7, 2023
191e2e7
renaming
battermann Mar 7, 2023
0230633
compare responses
battermann Mar 7, 2023
bb11eb1
clean up, fixes
battermann Mar 7, 2023
98b13f3
users can only see their own apps
battermann Mar 7, 2023
4d76569
clean-up
battermann Mar 7, 2023
615abdb
docs last parts
battermann Mar 8, 2023
eaf51cf
hi ci
battermann Mar 8, 2023
2048c78
release notes
battermann Mar 9, 2023
13c6052
updated docs
battermann Mar 9, 2023
69888bb
Merge remote-tracking branch 'origin/develop' into SQSERVICES-1825-be…
fisx Mar 10, 2023
bc33201
tweak changelog
fisx Mar 10, 2023
3f5ccaf
Remove unused dependency in cabal file.
fisx Mar 13, 2023
49619c1
generate nix defaults.
fisx Mar 13, 2023
f424872
do not crash if oauth key is not present
battermann Mar 13, 2023
0b656c8
rename oauth keys
battermann Mar 14, 2023
49d030b
Update services/brig/brig.integration.yaml
battermann Mar 14, 2023
e85c7e5
added comment
battermann Mar 14, 2023
81eda91
added comment on jwt-simple fork
battermann Mar 14, 2023
6dd43a3
rusty_jwt_tools_ffi: assume Cargo.lock is in the repo
flokli Mar 14, 2023
6e8a1c5
libzauth[-c]: explicitly point to rust-jwt-simple git rev
flokli Mar 14, 2023
6dcff6c
Merge remote-tracking branch 'origin/develop' into develop
flokli Mar 14, 2023
3adf309
fix rust ffi test
battermann Mar 14, 2023
200 changes: 141 additions & 59 deletions cassandra-schema.cql
@@ -746,6 +746,67 @@ CREATE TABLE brig_test.team_invitation_info (
AND read_repair_chance = 0.0
AND speculative_retry = '99PERCENTILE';

CREATE TABLE brig_test.provider_keys (
key text PRIMARY KEY,
provider uuid
) WITH bloom_filter_fp_chance = 0.1
AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'}
AND comment = ''
AND compaction = {'class': 'org.apache.cassandra.db.compaction.LeveledCompactionStrategy'}
AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'}
AND crc_check_chance = 1.0
AND dclocal_read_repair_chance = 0.1
AND default_time_to_live = 0
AND gc_grace_seconds = 864000
AND max_index_interval = 2048
AND memtable_flush_period_in_ms = 0
AND min_index_interval = 128
AND read_repair_chance = 0.0
AND speculative_retry = '99PERCENTILE';

CREATE TABLE brig_test.oauth_refresh_token (
id uuid PRIMARY KEY,
client uuid,
created_at timestamp,
scope set<text>,
user uuid
) WITH bloom_filter_fp_chance = 0.01
AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'}
AND comment = ''
AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'}
AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'}
AND crc_check_chance = 1.0
AND dclocal_read_repair_chance = 0.1
AND default_time_to_live = 14515200
AND gc_grace_seconds = 864000
AND max_index_interval = 2048
AND memtable_flush_period_in_ms = 0
AND min_index_interval = 128
AND read_repair_chance = 0.0
AND speculative_retry = '99PERCENTILE';

CREATE TABLE brig_test.team_invitation_email (
email text,
team uuid,
code ascii,
invitation uuid,
PRIMARY KEY (email, team)
) WITH CLUSTERING ORDER BY (team ASC)
AND bloom_filter_fp_chance = 0.01
AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'}
AND comment = ''
AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'}
AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'}
AND crc_check_chance = 1.0
AND dclocal_read_repair_chance = 0.1
AND default_time_to_live = 0
AND gc_grace_seconds = 864000
AND max_index_interval = 2048
AND memtable_flush_period_in_ms = 0
AND min_index_interval = 128
AND read_repair_chance = 0.0
AND speculative_retry = '99PERCENTILE';

CREATE TABLE brig_test.rich_info (
user uuid PRIMARY KEY,
json blob
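Review bot: `default_time_to_live = 14515200` on `brig_test.oauth_refresh_token` duplicates the value of `setOAuthRefreshTokenExpirationTimeSecs` (24 weeks in charts/brig/values.yaml) in a second place that no config change can update; an operator who lowers the brig setting still has rows that outlive it, and one who raises it has rows that vanish before brig considers them expired. Treat the table TTL as housekeeping only, make sure brig checks expiry itself (the `created_at` column is there for that) rather than relying on the row disappearing, and say so in a comment next to the setting. The `provider_keys` and `team_invitation_email` blocks in this hunk are unchanged DDL re-emitted in a different position, not a schema change.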
@@ -806,12 +867,14 @@ CREATE TABLE brig_test.service_tag (
AND read_repair_chance = 0.0
AND speculative_retry = '99PERCENTILE';

CREATE TABLE brig_test.login_codes (
user uuid PRIMARY KEY,
code text,
retries int,
timeout timestamp
) WITH bloom_filter_fp_chance = 0.01
CREATE TABLE brig_test.meta (
id int,
version int,
date timestamp,
descr text,
PRIMARY KEY (id, version)
) WITH CLUSTERING ORDER BY (version ASC)
AND bloom_filter_fp_chance = 0.01
AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'}
AND comment = ''
AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'}
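Review bot: Nothing in this hunk changes the schema: `login_codes` is removed here and re-added unchanged further down, and `meta` is the same table that is removed further down; the whole file is a regenerated dump whose table order changed. Emitting the dump with tables sorted by name (or diffing it with that ordering) would leave only the four new OAuth tables in the diff and make the actual schema change reviewable.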
@@ -1001,21 +1064,19 @@ CREATE TABLE brig_test.service (
AND read_repair_chance = 0.0
AND speculative_retry = '99PERCENTILE';

CREATE TABLE brig_test.team_invitation_email (
email text,
team uuid,
code ascii,
invitation uuid,
PRIMARY KEY (email, team)
) WITH CLUSTERING ORDER BY (team ASC)
CREATE TABLE brig_test.oauth_user_refresh_token (
user uuid,
token_id uuid,
PRIMARY KEY (user, token_id)
) WITH CLUSTERING ORDER BY (token_id ASC)
AND bloom_filter_fp_chance = 0.01
AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'}
AND comment = ''
AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'}
AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'}
AND crc_check_chance = 1.0
AND dclocal_read_repair_chance = 0.1
AND default_time_to_live = 0
AND default_time_to_live = 14515200
AND gc_grace_seconds = 864000
AND max_index_interval = 2048
AND memtable_flush_period_in_ms = 0
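Review bot: `oauth_user_refresh_token` is a lookup index over `oauth_refresh_token`, keyed by user, and the two rows for one token expire by independent TTLs and are deleted independently. Revocation (commits 12ab6d8 and cbefee8) must remove both rows, ideally in one logged batch, otherwise the per-user listing, and the `setOAuthMaxActiveRefreshTokens` limit if it is enforced by counting rows here, will keep reporting tokens that can no longer be redeemed; a comment on the table saying which of the two is authoritative would help the next reader.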
@@ -1165,13 +1226,35 @@ CREATE TABLE brig_test.nonce (
AND read_repair_chance = 0.0
AND speculative_retry = '99PERCENTILE';

CREATE TABLE brig_test.provider_keys (
key text PRIMARY KEY,
provider uuid
) WITH bloom_filter_fp_chance = 0.1
CREATE TABLE brig_test.login_codes (
user uuid PRIMARY KEY,
code text,
retries int,
timeout timestamp
) WITH bloom_filter_fp_chance = 0.01
AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'}
AND comment = ''
AND compaction = {'class': 'org.apache.cassandra.db.compaction.LeveledCompactionStrategy'}
AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'}
AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'}
AND crc_check_chance = 1.0
AND dclocal_read_repair_chance = 0.1
AND default_time_to_live = 0
AND gc_grace_seconds = 864000
AND max_index_interval = 2048
AND memtable_flush_period_in_ms = 0
AND min_index_interval = 128
AND read_repair_chance = 0.0
AND speculative_retry = '99PERCENTILE';

CREATE TABLE brig_test.oauth_client (
id uuid PRIMARY KEY,
name text,
redirect_uri blob,
secret blob
) WITH bloom_filter_fp_chance = 0.01
AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'}
AND comment = ''
AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'}
AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'}
AND crc_check_chance = 1.0
AND dclocal_read_repair_chance = 0.1
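Review bot: `brig_test.oauth_client` stores `secret blob`, and nothing in the diff says whether that is the raw client secret or a hash of it. The table is the client credential store, so the secret should be stored hashed (it is only ever compared, never read back) and the docs or a column comment should say so; likewise `redirect_uri blob` would be clearer as `text` unless a binary encoding is intended, in which case document the encoding. The `login_codes` block in the same hunk is unchanged DDL moved by the dump regeneration.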
@@ -1206,6 +1289,31 @@ CREATE TABLE brig_test.service_team (
AND read_repair_chance = 0.0
AND speculative_retry = '99PERCENTILE';

CREATE TABLE brig_test.invitation (
inviter uuid,
id uuid,
code ascii,
created_at timestamp,
email text,
name text,
phone text,
PRIMARY KEY (inviter, id)
) WITH CLUSTERING ORDER BY (id ASC)
AND bloom_filter_fp_chance = 0.01
AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'}
AND comment = ''
AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'}
AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'}
AND crc_check_chance = 1.0
AND dclocal_read_repair_chance = 0.1
AND default_time_to_live = 0
AND gc_grace_seconds = 864000
AND max_index_interval = 2048
AND memtable_flush_period_in_ms = 0
AND min_index_interval = 128
AND read_repair_chance = 0.0
AND speculative_retry = '99PERCENTILE';

CREATE TABLE brig_test.blacklist (
key text PRIMARY KEY
) WITH bloom_filter_fp_chance = 0.1
@@ -1397,20 +1505,20 @@ CREATE TABLE brig_test.prekeys (
AND read_repair_chance = 0.0
AND speculative_retry = '99PERCENTILE';

CREATE TABLE brig_test.password_reset (
key ascii PRIMARY KEY,
code ascii,
retries int,
timeout timestamp,
CREATE TABLE brig_test.oauth_auth_code (
code ascii PRIMARY KEY,
client uuid,
redirect_uri blob,
scope set<text>,
user uuid
) WITH bloom_filter_fp_chance = 0.1
AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'}
AND comment = ''
AND compaction = {'class': 'org.apache.cassandra.db.compaction.LeveledCompactionStrategy'}
AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'}
AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'}
AND crc_check_chance = 1.0
AND dclocal_read_repair_chance = 0.1
AND default_time_to_live = 0
AND default_time_to_live = 300
AND gc_grace_seconds = 864000
AND max_index_interval = 2048
AND memtable_flush_period_in_ms = 0
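Review bot: `default_time_to_live = 300` on `oauth_auth_code` mirrors `setOAuthAuthCodeExpirationTimeSecs: 300`, which gives expiry but not single use. Please confirm that the token endpoint deletes the row when a code is redeemed (a code that stays valid for the remaining five minutes after first use can be replayed) and that the stored `redirect_uri` is compared against the one presented at redemption, as RFC 6749 section 4.1.3 requires. Since `code ascii` is the partition key and the only lookup handle, it also needs to come from a cryptographic random source with enough length; commit 751ad93 'check syntactic properties of auth code' may already cover that, a short comment on the table would settle it.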
@@ -1534,42 +1642,16 @@ CREATE TABLE brig_test.connection (
AND speculative_retry = '99PERCENTILE';
CREATE INDEX conn_status ON brig_test.connection (status);

CREATE TABLE brig_test.meta (
id int,
version int,
date timestamp,
descr text,
PRIMARY KEY (id, version)
) WITH CLUSTERING ORDER BY (version ASC)
AND bloom_filter_fp_chance = 0.01
AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'}
AND comment = ''
AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'}
AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'}
AND crc_check_chance = 1.0
AND dclocal_read_repair_chance = 0.1
AND default_time_to_live = 0
AND gc_grace_seconds = 864000
AND max_index_interval = 2048
AND memtable_flush_period_in_ms = 0
AND min_index_interval = 128
AND read_repair_chance = 0.0
AND speculative_retry = '99PERCENTILE';

CREATE TABLE brig_test.invitation (
inviter uuid,
id uuid,
CREATE TABLE brig_test.password_reset (
key ascii PRIMARY KEY,
code ascii,
created_at timestamp,
email text,
name text,
phone text,
PRIMARY KEY (inviter, id)
) WITH CLUSTERING ORDER BY (id ASC)
AND bloom_filter_fp_chance = 0.01
retries int,
timeout timestamp,
user uuid
) WITH bloom_filter_fp_chance = 0.01
AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'}
AND comment = ''
AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'}
AND compaction = {'class': 'org.apache.cassandra.db.compaction.LeveledCompactionStrategy'}
AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'}
AND crc_check_chance = 1.0
AND dclocal_read_repair_chance = 0.1
1 change: 1 addition & 0 deletions changelog.d/0-release-notes/pr-2989
@@ -0,0 +1 @@
If you are using OAuth (`optSettings.setOAuthEnabled: true` in brig config): before the deployment of wire-server the private and public keys for OAuth have to be provided for `brig` and `nginz` (see `docs/src/developer/reference/oauth.md` for more information)
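Review bot: The note says the keys "have to be provided" but not what happens when they are missing while `setOAuthEnabled: true`; commit f424872 ('do not crash if oauth key is not present') implies brig starts without them, so state whether the OAuth endpoints then fail closed or are simply absent. Also end the sentence with a period, and spell out that `brig` needs the key pair (`oauth_ed25519.jwk`) while `nginz` needs only the public key (`oauth_ed25519_pub.jwk`), matching the two chart secrets in this PR.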
1 change: 1 addition & 0 deletions changelog.d/2-features/pr-2989
@@ -0,0 +1 @@
OAuth support for authorization of a curated list of 3rd party applications (see <https://docs.wire.com/developer/reference/oauth.html> for details)
18 changes: 18 additions & 0 deletions charts/brig/templates/configmap.yaml
@@ -302,8 +302,26 @@ data:
{{- if .setEnableMLS }}
setEnableMLS: {{ .setEnableMLS }}
{{- end }}
{{- if $.Values.secrets.oauthJwkKeyPair }}
setOAuthJwkKeyPair: /etc/wire/brig/secrets/oauth_ed25519.jwk
{{- end }}
{{- if .setOAuthAuthCodeExpirationTimeSecs }}
setOAuthAuthCodeExpirationTimeSecs: {{ .setOAuthAuthCodeExpirationTimeSecs }}
{{- end }}
{{- if .setOAuthAccessTokenExpirationTimeSecs }}
setOAuthAccessTokenExpirationTimeSecs: {{ .setOAuthAccessTokenExpirationTimeSecs }}
{{- end }}
{{- if .setOAuthEnabled }}
setOAuthEnabled: {{ .setOAuthEnabled }}
{{- end }}
{{- if .setDisabledAPIVersions }}
setDisabledAPIVersions: {{ .setDisabledAPIVersions }}
{{- end }}
{{- if .setOAuthRefreshTokenExpirationTimeSecs }}
setOAuthRefreshTokenExpirationTimeSecs: {{ .setOAuthRefreshTokenExpirationTimeSecs }}
{{- end }}
{{- if .setOAuthMaxActiveRefreshTokens }}
setOAuthMaxActiveRefreshTokens: {{ .setOAuthMaxActiveRefreshTokens }}
{{- end }}
{{- end }}
{{- end }}
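Review bot: `setOAuthEnabled` and `setOAuthJwkKeyPair` are emitted under independent conditions, so a chart with `setOAuthEnabled: true` (the default in charts/brig/values.yaml) and no `secrets.oauthJwkKeyPair` renders a config that enables OAuth without a signing key. Add a guard such as `{{- if and .setOAuthEnabled (not $.Values.secrets.oauthJwkKeyPair) }}{{ fail "setOAuthEnabled requires secrets.oauthJwkKeyPair" }}{{- end }}` so the failure happens at `helm install` rather than at the first token request. The `setDisabledAPIVersions` block inserted between the OAuth settings looks unrelated to this PR and would read better grouped with the other API version settings.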
3 changes: 3 additions & 0 deletions charts/brig/templates/secret.yaml
@@ -28,5 +28,8 @@ data:
{{- if .dpopSigKeyBundle }}
dpop_sig_key_bundle.pem: {{ .dpopSigKeyBundle | b64enc | quote }}
{{- end }}
{{- if .oauthJwkKeyPair }}
oauth_ed25519.jwk: {{ .oauthJwkKeyPair | b64enc | quote }}
{{- end }}
{{- end }}

5 changes: 5 additions & 0 deletions charts/brig/values.yaml
@@ -87,6 +87,11 @@ config:
setNonceTtlSecs: 300 # 5 minutes
setDpopMaxSkewSecs: 1
setDpopTokenExpirationTimeSecs: 300 # 5 minutes
setOAuthAuthCodeExpirationTimeSecs: 300 # 5 minutes
setOAuthAccessTokenExpirationTimeSecs: 900 # 15 minutes
setOAuthRefreshTokenExpirationTimeSecs: 14515200 # 24 weeks
setOAuthEnabled: true
setOAuthMaxActiveRefreshTokens: 10
# Disable one ore more API versions. Please make sure the configuration value is the same in all these charts:
# brig, cannon, cargohold, galley, gundeck, proxy, spar.
# setDisabledAPIVersions: [ 3 ]
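Review bot: `setOAuthEnabled: true` as the chart default switches OAuth on for every installation, while the release note says keys must be provisioned before deployment; defaulting to `false` (keeping `true` only in the integration config) avoids upgrading existing installations into a half-configured state. Note also that `setOAuthRefreshTokenExpirationTimeSecs: 14515200` and `setOAuthAuthCodeExpirationTimeSecs: 300` are baked into the Cassandra tables as `default_time_to_live`; a comment here saying that the schema TTL does not follow this value would save the next operator a surprise.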
4 changes: 2 additions & 2 deletions charts/galley/templates/deployment.yaml
@@ -26,7 +26,7 @@ spec:
# An annotation of the configmap checksum ensures changes to the configmap cause a redeployment upon `helm upgrade`
checksum/configmap: {{ include (print .Template.BasePath "/configmap.yaml") . | sha256sum }}
checksum/aws-secret: {{ include (print .Template.BasePath "/aws-secret.yaml") . | sha256sum }}
checksum/mls-secret: {{ include (print .Template.BasePath "/mls-secret.yaml") . | sha256sum }}
checksum/secret: {{ include (print .Template.BasePath "/secret.yaml") . | sha256sum }}
spec:
serviceAccountName: {{ .Values.serviceAccount.name }}
volumes:
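Review bot: Renaming the secret from `galley-mls` to `galley` (and the annotation from `checksum/mls-secret` to `checksum/secret`) breaks any deployment that creates or references that secret outside this chart, and the release note in this PR only covers the OAuth keys; add a release note for the rename, or keep `galley-mls` as the secret name and only add the new key to it.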
@@ -35,7 +35,7 @@ spec:
name: "galley"
- name: "galley-secrets"
secret:
secretName: "galley-mls"
secretName: "galley"
containers:
- name: galley
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
@@ -1,7 +1,7 @@
apiVersion: v1
kind: Secret
metadata:
name: galley-mls
name: galley
labels:
app: galley
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
2 changes: 1 addition & 1 deletion charts/galley/templates/tests/galley-integration.yaml
@@ -39,7 +39,7 @@ spec:
name: "galley-integration-secrets"
- name: "galley-secrets"
secret:
secretName: "galley-mls"
secretName: "galley"
containers:
- name: integration
image: "{{ .Values.image.repository }}-integration:{{ .Values.image.tag }}"
6 changes: 6 additions & 0 deletions charts/nginz/templates/conf/_nginx.conf.tpl
@@ -193,6 +193,7 @@ http {

zauth_keystore {{ .Values.nginx_conf.zauth_keystore }};
zauth_acl {{ .Values.nginx_conf.zauth_acl }};
oauth_pub_key {{ .Values.nginx_conf.oauth_pub_key }};

location /status {
zauth off;
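Review bot: `oauth_pub_key {{ .Values.nginx_conf.oauth_pub_key }};` is emitted unconditionally, unlike the brig side where `setOAuthJwkKeyPair` is guarded by the presence of the secret; with the value unset this renders as `oauth_pub_key ;` and nginx refuses the config. Either wrap it in `{{- if .Values.nginx_conf.oauth_pub_key }} ... {{- end }}` and have the module reject every OAuth request when no key is loaded, or give the value a default in values.yaml. The same applies to the copy in the metrics server block further down.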
@@ -258,6 +259,10 @@ http {
{{- end }}
{{- end }}

{{- if ($location.oauth_scope) }}
oauth_scope {{ $location.oauth_scope }};
{{- end }}

{{- if hasKey $location "specific_user_rate_limit" }}
limit_req zone={{ $location.specific_user_rate_limit }}{{ if hasKey $location "specific_user_rate_limit_burst" }} burst={{ $location.specific_user_rate_limit_burst }}{{ end }} nodelay;
{{- end }}
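Review bot: `oauth_scope {{ $location.oauth_scope }};` makes the per-location scope a free-form string in values.yaml, while the Haskell side names the same scopes in the servant routes (commits ed226cd and cfd96d6 'snake case to comply with standard'); nothing ties the two lists together, so a misspelled scope on one location would only show up at runtime. An integration test that exercises every OAuth-scoped location through nginz (commit 673003f suggests one exists) is the right guard; please confirm it covers each location that sets `oauth_scope`.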
@@ -345,6 +350,7 @@ http {
# we need to specify zauth_keystore etc.
zauth_keystore {{ .Values.nginx_conf.zauth_keystore }};
zauth_acl {{ .Values.nginx_conf.zauth_acl }};
oauth_pub_key {{ .Values.nginx_conf.oauth_pub_key }};

listen {{ .Values.config.http.metricsPort }};

1 change: 1 addition & 0 deletions charts/nginz/templates/secret.yaml
@@ -15,4 +15,5 @@ data:
{{- with .Values.secrets }}
zauth.conf: {{ .zAuth.publicKeys | b64enc | quote }}
basic_auth.txt: {{ .basicAuth | b64enc | quote }}
oauth_ed25519_pub.jwk: {{ .oAuth.publicKeys | b64enc | quote }}
{{- end }}
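Review bot: `oauth_ed25519_pub.jwk: {{ .oAuth.publicKeys | b64enc | quote }}` is evaluated unconditionally inside `with .Values.secrets`, so an existing installation that upgrades without adding `secrets.oAuth.publicKeys` fails to render (a nil `.oAuth` has no `publicKeys`), unlike the brig secret where the new key is wrapped in `{{- if .oauthJwkKeyPair }}`. Guard it the same way, and consider aligning the value names (`zAuth.publicKeys`, `oAuth.publicKeys`, brig's `oauthJwkKeyPair`), since the nginz value is a single public JWK rather than a list.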