WPB-1436 make guest link maximum lifetime configurable

changelog.d/2-features/WPB-1436

@@ -0,0 +1 @@
+The lifetime of conversation guest links is now configurable

charts/galley/templates/configmap.yaml

@@ -84,6 +84,9 @@ data:
       disabledAPIVersions: {{ .settings.disabledAPIVersions }}
       {{- end }}
       {{- if .settings.featureFlags }}
+      {{- if .settings.guestLinkTTLSeconds }}
+      guestLinkTTLSeconds: {{ .settings.guestLinkTTLSeconds }}
+      {{- end }}
       featureFlags:
         sso: {{ .settings.featureFlags.sso }}
         legalhold: {{ .settings.featureFlags.legalhold }}

charts/galley/values.yaml

@@ -51,13 +51,16 @@ config:
     # Use this only if you want to expose the instance on multiple ingresses.
     # If set it must a map from `Z-Host` to URI prefix
     # Example:
-    # multiIngress: 
+    # multiIngress:
     #    wire.example: https://accounts.wire.example/conversation-join/
     #    example.net: https://accounts.example.net/conversation-join/
     multiIngress: null
     # Disable one ore more API versions. Please make sure the configuration value is the same in all these charts:
     # brig, cannon, cargohold, galley, gundeck, proxy, spar.
     # disabledAPIVersions: [ v3 ]
+    # The lifetime of a conversation guest link in seconds. Must be a value 0 < x <= 31536000 (365 days)
+    # Default is 31536000 (365 days) if not set
+    guestLinkTTLSeconds: 31536000
     featureFlags:  # see #RefConfigOptions in `/docs/reference` (https://github.com/wireapp/wire-server/)
       appLock:
         defaults:

docs/src/developer/reference/config-options.md

@@ -425,7 +425,7 @@ federator:
     clientPrivateKey: client-key.pem
 ```
 
-## Outlook calalendar integration
+### Outlook calalendar integration
 
 This feature setting only applies to the Outlook Calendar extension for Wire. As it is an external service, it should only be configured through this feature flag and otherwise ignored by the backend.
 
@@ -439,6 +439,17 @@ outlookCalIntegration:
     lockStatus: locked
 ```
 
+### Guest Link Lifetime
+
+To set the validity duration of conversation guest links set `guestLinkTTLSeconds` to the desired number of seconds, maximum 1 year, a value ∈ (0, 31536000]. E.g.
+
+```yaml
+# galley.yaml
+config:
+  settings:
+    GuestLinkTTLSeconds: 604800
+```
+
 ## Settings in brig
 
 Some features (as of the time of writing this: only

integration/test/API/Galley.hs

@@ -416,6 +416,11 @@ getConversationCode user conv mbZHost = do
         & maybe id zHost mbZHost
     )
 
+getJoinCodeConv :: (HasCallStack, MakesValue user) => user -> String -> String -> App Response
+getJoinCodeConv u k v = do
+  req <- baseRequest u Galley Versioned (joinHttpPath ["conversations", "join"])
+  submit "GET" (req & addQueryParams [("key", k), ("code", v)])
+
 -- https://staging-nginz-https.zinfra.io/v5/api/swagger-ui/#/default/put_conversations__cnv_domain___cnv__name
 changeConversationName ::
   (HasCallStack, MakesValue user, MakesValue conv, MakesValue name) =>

integration/test/Test/Conversation.hs

@@ -764,3 +764,31 @@ testGuestCreatesConversation = do
   bindResponse (postConversation alice defProteus) $ \resp -> do
     resp.status `shouldMatchInt` 403
     resp.json %. "label" `shouldMatch` "operation-denied"
+
+testGuestLinksSuccess :: HasCallStack => App ()
+testGuestLinksSuccess = do
+  (user, _, tm : _) <- createTeam OwnDomain 2
+  conv <- postConversation user (allowGuests defProteus) >>= getJSON 201
+  (k, v) <- bindResponse (postConversationCode user conv Nothing Nothing) $ \resp -> do
+    res <- getJSON 201 resp
+    k <- res %. "data.key" & asString
+    v <- res %. "data.code" & asString
+    pure (k, v)
+  bindResponse (getJoinCodeConv tm k v) $ \resp -> do
+    resp.status `shouldMatchInt` 200
+    resp.json %. "id" `shouldMatch` objId conv
+
+testGuestLinksExpired :: HasCallStack => App ()
+testGuestLinksExpired = do
+  withModifiedBackend
+    def {galleyCfg = setField "settings.guestLinkTTLSeconds" (1 :: Int)}
+    $ \domain -> do
+      (user, _, tm : _) <- createTeam domain 2
+      conv <- postConversation user (allowGuests defProteus) >>= getJSON 201
+      (k, v) <- bindResponse (postConversationCode user conv Nothing Nothing) $ \resp -> do
+        res <- getJSON 201 resp
+        (,) <$> asString (res %. "data.key") <*> asString (res %. "data.code")
+      -- let's wait a little longer than 1 second for the guest link to expire
+      liftIO $ threadDelay (1_100_000)
+      bindResponse (getJoinCodeConv tm k v) $ \resp -> do
+        resp.status `shouldMatchInt` 404

services/galley/galley.integration.yaml

@@ -50,6 +50,7 @@ settings:
   mlsPrivateKeyPaths:
     removal:
       ed25519: test/resources/ed25519.pem
+  guestLinkTTLSeconds: 604800
 
   featureFlags:  # see #RefConfigOptions in `/docs/reference`
     sso: disabled-by-default

services/galley/src/Galley/API/Update.hs

@@ -530,7 +530,8 @@ addCode lusr mbZHost mZcon lcnv mReq = do
   key <- E.makeKey (tUnqualified lcnv)
   E.getCode key ReusableCode >>= \case
     Nothing -> do
-      code <- E.generateCode (tUnqualified lcnv) ReusableCode (Timeout 3600 * 24 * 365) -- one year FUTUREWORK: configurable
+      ttl <- realToFrac . unGuestLinkTTLSeconds . fromMaybe defGuestLinkTTLSeconds . view (settings . guestLinkTTLSeconds) <$> input
+      code <- E.generateCode (tUnqualified lcnv) ReusableCode (Timeout ttl)
       mPw <- for (mReq >>= (.password)) mkSafePassword
       E.createCode code mPw
       now <- input

services/galley/src/Galley/Options.hs

@@ -53,10 +53,14 @@ module Galley.Options
     logLevel,
     logNetStrings,
     logFormat,
+    guestLinkTTLSeconds,
+    defGuestLinkTTLSeconds,
+    GuestLinkTTLSeconds (..),
   )
 where
 
 import Control.Lens hiding (Level, (.=))
+import Data.Aeson (FromJSON (..))
 import Data.Aeson.TH (deriveFromJSON)
 import Data.Domain (Domain)
 import Data.Id (TeamId)
@@ -72,6 +76,18 @@ import Util.Options.Common
 import Wire.API.Routes.Version
 import Wire.API.Team.Member
 
+newtype GuestLinkTTLSeconds = GuestLinkTTLSeconds
+  { unGuestLinkTTLSeconds :: Int
+  }
+  deriving (Show, Generic)
+
+instance FromJSON GuestLinkTTLSeconds where
+  parseJSON x = do
+    n <- parseJSON x
+    if n > 0 && n <= 31536000
+      then pure $ GuestLinkTTLSeconds n
+      else fail "GuestLinkTTLSeconds must be in (0, 31536000]"
+
 data Settings = Settings
   { -- | Number of connections for the HTTP client pool
     _httpPoolSize :: !Int,
@@ -129,7 +145,10 @@ data Settings = Settings
     _mlsPrivateKeyPaths :: !(Maybe MLSPrivateKeyPaths),
     -- | FUTUREWORK: 'setFeatureFlags' should be renamed to 'setFeatureConfigs' in all types.
     _featureFlags :: !FeatureFlags,
-    _disabledAPIVersions :: Maybe (Set Version)
+    _disabledAPIVersions :: Maybe (Set Version),
+    -- | The lifetime of a conversation guest link in seconds with the maximum of 1 year (31536000 seconds).
+    -- If not set use the default `defGuestLinkTTLSeconds`
+    _guestLinkTTLSeconds :: !(Maybe GuestLinkTTLSeconds)
   }
   deriving (Show, Generic)
 
@@ -146,6 +165,10 @@ defDeleteConvThrottleMillis = 20
 defFanoutLimit :: Range 1 HardTruncationLimit Int32
 defFanoutLimit = unsafeRange hardTruncationLimit
 
+-- | Default guest link TTL in days. 365 days if not set.
+defGuestLinkTTLSeconds :: GuestLinkTTLSeconds
+defGuestLinkTTLSeconds = GuestLinkTTLSeconds $ 60 * 60 * 24 * 365 -- 1 year
+
 data JournalOpts = JournalOpts
   { -- | SQS queue name to send team events
     _queueName :: !Text,