Merge develop into mls-olaf

.envrc

@@ -37,3 +37,7 @@ path_add "PYTHONPATH" "./hack/python"
 # Locale
 export LC_ALL=en_US.UTF-8
 export LANG=en_US.UTF-8
+
+# RabbitMQ
+export RABBITMQ_USERNAME=guest
+export RABBITMQ_PASSWORD=alpaca-grapefruit

Makefile

@@ -99,11 +99,11 @@ endif
 ci: c db-migrate
 ifeq ("$(package)", "all")
     ifneq ("$(suite)", "new")
-		echo ./hack/bin/cabal-run-integration.sh all
+		./hack/bin/cabal-run-integration.sh all
     endif
     ifneq ("$(suite)", "old")
 		make c package=integration
-		echo ./hack/bin/cabal-run-integration.sh integration
+		./hack/bin/cabal-run-integration.sh integration
     endif
 else
   ifeq ("$(package)", "integration")
@@ -306,17 +306,13 @@ ifeq ($(package), all)
 	./dist/galley-schema --keyspace galley_test --replication-factor 1 --reset
 	./dist/gundeck-schema --keyspace gundeck_test --replication-factor 1 --reset
 	./dist/spar-schema --keyspace spar_test --replication-factor 1 --reset
-ifeq ($(INTEGRATION_FEDERATION_TESTS), 1)
 	./dist/brig-schema --keyspace brig_test2 --replication-factor 1 --reset
 	./dist/galley-schema --keyspace galley_test2 --replication-factor 1 --reset
 	./dist/gundeck-schema --keyspace gundeck_test2 --replication-factor 1 --reset
 	./dist/spar-schema --keyspace spar_test2 --replication-factor 1 --reset
-endif
 else
 	$(EXE_SCHEMA) --keyspace $(package)_test --replication-factor 1 --reset
-ifeq ($(INTEGRATION_FEDERATION_TESTS), 1)
 	$(EXE_SCHEMA) --keyspace $(package)_test2 --replication-factor 1 --reset
-endif
 endif
 	./dist/brig-index reset --elasticsearch-index-prefix directory --elasticsearch-server http://localhost:9200 > /dev/null
 	./dist/brig-index reset --elasticsearch-index-prefix directory2 --elasticsearch-server http://localhost:9200 > /dev/null
@@ -334,12 +330,10 @@ db-migrate: c
 	./dist/galley-schema --keyspace galley_test --replication-factor 1 > /dev/null
 	./dist/gundeck-schema --keyspace gundeck_test --replication-factor 1 > /dev/null
 	./dist/spar-schema --keyspace spar_test --replication-factor 1 > /dev/null
-ifeq ($(INTEGRATION_FEDERATION_TESTS), 1)
 	./dist/brig-schema --keyspace brig_test2 --replication-factor 1 > /dev/null
 	./dist/galley-schema --keyspace galley_test2 --replication-factor 1 > /dev/null
 	./dist/gundeck-schema --keyspace gundeck_test2 --replication-factor 1 > /dev/null
 	./dist/spar-schema --keyspace spar_test2 --replication-factor 1 > /dev/null
-endif
 	./dist/brig-index reset --elasticsearch-index-prefix directory --elasticsearch-server http://localhost:9200 > /dev/null
 	./dist/brig-index reset --elasticsearch-index-prefix directory2 --elasticsearch-server http://localhost:9200 > /dev/null
 
@@ -402,16 +396,6 @@ kube-integration-teardown:
 kube-integration-e2e-telepresence:
 	./services/brig/federation-tests.sh $(NAMESPACE)
 
-.PHONY: kube-integration-setup-sans-federation
-kube-integration-setup-sans-federation: guard-tag charts-integration
-	# by default "test-<your computer username> is used as namespace
-	# you can override the default by setting the NAMESPACE environment variable
-	export NAMESPACE=$(NAMESPACE); ./hack/bin/integration-setup.sh
-
-.PHONY: kube-integration-teardown-sans-federation
-kube-integration-teardown-sans-federation:
-	export NAMESPACE=$(NAMESPACE); ./hack/bin/integration-teardown.sh
-
 .PHONY: kube-restart-%
 kube-restart-%:
 	kubectl delete pod -n $(NAMESPACE) -l app=$(*)

README.md

@@ -85,7 +85,7 @@ will, eventually, have built a range of docker images. Make sure to [give Docker
 
 See the `Makefile`s and `Dockerfile`s, as well as [build/ubuntu/README.md](build/ubuntu/README.md) for details.
 
-#### 2. Use nix-provided build environment 
+#### 2. Use nix-provided build environment
 
 This is suitable only for local development and testing. See [build instructions](./docs/src/developer/developer/building.md) in the developer documentation.
 

cabal.project

@@ -31,6 +31,7 @@ packages:
   , libs/wire-api-federation/
   , libs/wire-message-proto-lens/
   , libs/zauth/
+  , services/background-worker/
   , services/brig/
   , services/cannon/
   , services/cargohold/
@@ -66,6 +67,8 @@ package assets
     ghc-options: -Werror
 package auto-whitelist
     ghc-options: -Werror
+package background-worker
+    ghc-options: -Werror
 package bilge
     ghc-options: -Werror
 package billing-team-member-backfill

changelog.d/0-release-notes/background-worker

@@ -0,0 +1,38 @@
+This release introduces a new component: background-worker. This is currently
+only used to forward notifications to federated backends. Enabling federation in
+the wire-server helm chart automatically installs this component.
+
+When federation is enabled, wire-server will require running RabbitMQ. The helm
+chart in `rabbitmq` can be used to install RabbitMQ. Please refer to the
+documentation at https://docs.wire.com to install RabbitMQ in Kubernetes. These
+new configurations are required:
+
+```yaml
+brig:
+  config:
+    rabbitmq:
+      host: rabbitmq
+      port: 5672
+      vHost: /
+  secrets:
+    rabbitmq:
+      username: <YOUR_USERNAME>
+      password: <YOUR_PASSWORD>
+background-worker:
+  config:
+    rabbitmq:
+      host: rabbitmq
+      port: 5672
+      vHost: /
+    remoteDomains: []
+  secrets:
+    rabbitmq:
+      username: <YOUR_USERNAME>
+      password: <YOUR_PASSWORD>
+```
+
+The above are the default values (except for secrets, which do not have
+defaults), if they work they are not required to be configured.
+`background-worker.config.remoteDomains` should contain all the remote domains
+with which the wire-server instance allows federating. This change is
+incompatible with open-federation.

changelog.d/1-api-changes/FS-1467

@@ -0,0 +1 @@
+Updating conversation meta-data APIs to be fault tolerant of unavailable federation servers.

changelog.d/2-features/coturn-federation-dtls-helm-chart

@@ -0,0 +1 @@
+Add federation options to the `coturn` Helm chart including DTLS support. The options themselves are strongly inspired by the `restund` Helm chart.

changelog.d/3-bug-fixes/pr-3281

@@ -0,0 +1 @@
+Fixed `/i/user/meta-info` in backoffice/stern

changelog.d/5-internal/feature-singletons

@@ -0,0 +1,2 @@
+Use feature singletons in TeamFeatureStore
+

changelog.d/5-internal/integration-qol

@@ -0,0 +1,4 @@
+- Add convenience getJSON and getBody functions
+- baseRequest now adds Z headers automatically
+- Add liftIO versions of putStrLn etc
+- Add Show instances for MLSState

changelog.d/5-internal/list-tests

@@ -0,0 +1 @@
+Implement test listing

changelog.d/5-internal/mls-integration

@@ -0,0 +1 @@
+Port MLS test framework to new integration suite

changelog.d/5-internal/pr-3305

@@ -0,0 +1 @@
+Register/Update OAuth client via backoffice/stern

changelog.d/5-internal/ptests

@@ -0,0 +1 @@
+Add parametrised tests

changelog.d/6-federation/failed-to-process

@@ -0,0 +1 @@
+Several federation Galley endpoints have a breaking change in their response types: "leave-conversation", "update-conversation" and "send-mls-message". They have been extended with information related to unreachable users.

charts/background-worker/templates/deployment.yaml

@@ -9,12 +9,11 @@ metadata:
     heritage: {{ .Release.Service }}
 spec:
   replicas: {{ .Values.replicaCount }}
-  # TODO(elland): Review this
   strategy:
-    type: RollingUpdate
-    rollingUpdate:
-      maxUnavailable: 0
-      maxSurge: {{ .Values.replicaCount }}
+    # Ensures only one version of the background worker is running at any given
+    # moment. This means small downtime, but the background workers should be
+    # able to catch up.
+    type: Recreate
   selector:
     matchLabels:
       app: background-worker

charts/background-worker/values.yaml

@@ -9,12 +9,11 @@ resources:
     cpu: "100m"
   limits:
     memory: "512Mi"
-# TODO(elland): Create issue for a metrics endpoint
+# FUTUREWORK: Implement metrics
 # metrics:
 #   serviceMonitor:
 #     enabled: false
 config:
-  # TODO(elland): Proper logging
   logLevel: Info
   logFormat: StructuredJSON
   rabbitmq:

charts/brig/templates/tests/brig-integration.yaml

@@ -80,10 +80,6 @@ spec:
       value: "dummy"
     - name: AWS_REGION
       value: "eu-west-1"
-    {{- if .Values.tests.enableFederationTests }}
-    - name: INTEGRATION_FEDERATION_TESTS
-      value: "1"
-    {{- end }}
     {{- if .Values.config.enableFederation }}
     - name: RABBITMQ_USERNAME
       value: "guest"

charts/brig/values.yaml

@@ -123,8 +123,6 @@ turn:
   # baseDomain: turn.example.com # Must be configured if serversSource is dns
   discoveryIntervalSeconds: 10 # Used only if serversSource is dns
 
-tests:
-  enableFederationTests: false
 serviceAccount:
   # When setting this to 'false', either make sure that a service account named
   # 'brig' exists or change the 'name' field to 'default'

charts/coturn/Chart.yaml

@@ -11,4 +11,4 @@ version: 0.0.42
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 4.6.2-wireapp.2
+appVersion: 4.6.2-federation-wireapp.10

charts/coturn/templates/_helpers.tpl

@@ -0,0 +1,45 @@
+{{- define "coturn.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "coturn.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "coturn.labels" -}}
+helm.sh/chart: {{ include "coturn.chart" . }}
+{{ include "coturn.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "coturn.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "coturn.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "coturn.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}

charts/coturn/templates/configmap-coturn-conf-template.yaml

@@ -20,13 +20,15 @@ data:
     no-tls
     {{- end }}
 
+    # This is mandatory for federated DTLS
+    CA-file=/etc/ssl/certs/ca-certificates.crt
+
     ## don't turn on coturn's cli.
     no-cli
 
     ## turn, stun.
     listening-ip=__COTURN_EXT_IP__
     listening-port={{ .Values.coturnTurnListenPort }}
-    max-allocate-lifetime=3600
     relay-ip=__COTURN_EXT_IP__
     realm=dummy.io
     no-stun-backward-compatibility
@@ -82,3 +84,24 @@ data:
     zrest
     ## static authentication secrets will be added below this line when the
     ## runtime configuration is generated.
+
+    {{- if .Values.federate.enabled }}
+    ### federation setup
+    federation-listening-ip=__COTURN_EXT_IP__
+    federation-listening-port={{ .Values.federate.port }}
+    federation-no-dtls={{ not .Values.federate.dtls.enabled }}
+    {{- if .Values.federate.dtls.enabled }}
+    federation-cert=/coturn-dtls-certificate/tls.crt
+    federation-pkey=/coturn-dtls-certificate/tls.key
+    {{ if hasKey .Values.federate.dtls.tls "privateKeyPassword" }}
+    federation-pkey-pwd={{ .Values.federate.dtls.tls.privateKeyPassword }}
+    {{ end }}
+    # list of host/ip/cert common names / subject alt names, and optional issuer
+    # names to accept DTLS connections from. There can be multiple entries, each
+    # entry is formated as:
+    # <hostname>[,<issuer>]
+    {{ range $entry := .Values.federate.dtls.remoteWhitelist }}
+    federation-remote-whitelist={{ $entry.host }}{{ if hasKey $entry "issuer" }},{{ $entry.issuer }}{{end}}
+    {{ end }}
+    {{ end }}
+    {{ end }}

charts/coturn/templates/secret-or-certificate.yaml

@@ -0,0 +1,41 @@
+{{- if .Values.federate.dtls.enabled -}}
+
+{{- if .Values.federate.dtls.tls.issuerRef -}}
+{{- if or .Values.federate.dtls.tls.key  .Values.federate.dtls.tls.crt }}
+{{- fail "issuerRef and  {crt,key} are mutually exclusive" -}}
+{{- end -}}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: "{{ include "coturn.fullname" . }}"
+  labels:
+    {{- include "coturn.labels" . | nindent 4 }}
+    {{- if .Values.federate.dtls.tls.certificate.labels }}
+    {{- toYaml .Values.federate.dtls.tls.certificate.labels | nindent 4}}
+    {{- end }}
+spec:
+  dnsNames:
+    {{- toYaml .Values.federate.dtls.tls.certificate.dnsNames | nindent 4 }}
+  secretName: coturn-dtls-certificate
+  issuerRef:
+    {{- toYaml .Values.federate.dtls.tls.issuerRef | nindent 4 }}
+  privateKey:
+    rotationPolicy: Always
+    algorithm: ECDSA
+    size: 384
+{{- else if and .Values.federate.dtls.tls.key  .Values.federate.dtls.tls.crt }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: coturn-dtls-certificate
+  labels:
+    {{- include "coturn.labels" . | nindent 4 }}
+type: Opaque
+data:
+  tls.key: {{ .Values.federate.dtls.tls.key | b64enc }}
+  tls.crt: {{ .Values.federate.dtls.tls.crt | b64enc }}
+{{- else -}}
+{{- fail "must specify tls.key and tls.crt , or tls.issuerRef" -}}
+{{- end -}}
+
+{{- end -}}

charts/coturn/templates/statefulset.yaml

@@ -58,6 +58,11 @@ spec:
           secret:
             secretName: {{ .Values.tls.secretRef }}
         {{- end }}
+        {{- if .Values.federate.dtls.enabled }}
+        - name: coturn-dtls-certificate
+          secret:
+            secretName: coturn-dtls-certificate
+        {{- end }}
       initContainers:
         - name: get-external-ip
           image: bitnami/kubectl:1.24.12
@@ -116,6 +121,11 @@ spec:
               mountPath: /secrets-tls/
               readOnly: true
           {{- end }}
+           {{- if .Values.federate.dtls.enabled }}
+            - name: coturn-dtls-certificate
+              mountPath: /coturn-dtls-certificate/
+              readOnly: true
+           {{- end }}
           command:
             - /bin/sh
             - -c