Merge pull request #1257 from wireapp/release_2020_11_24

Release 2020 11 24

CHANGELOG.md

@@ -1,3 +1,42 @@
+<!--
+
+# [2020-next]
+
+## Release Notes
+
+## Features
+
+## Bug fixes and other updates
+
+## Documentation
+
+## Internal changes
+
+-->
+
+# 2020-11-24
+
+## Release Notes
+
+* Allow an empty SAML contact list, which is configured at `saml.contacts` in spar's config.
+  The contact list is exposed at the `/sso/metadata` endpoint.
+
+## Features
+
+* Make Content-MD5 header optional for asset upload (#1252)
+* Add applock team feature (#1242, #1253)
+* /teams/[tid]/features endpoint
+
+## Bug fixes
+
+* Fix content-type headers in saml responses (#1241)
+
+## Internal changes
+
+* parse exposed 'tracestate' header in nginz logs if present (#1244)
+* Store SCIM tokens in hashed form (#1240)
+* better error handling (#1251)
+
 # 2020-10-28
 
 ## Features

deploy/services-demo/conf/nginz/nginx-docker.conf

@@ -288,6 +288,11 @@ http {
       proxy_pass http://galley;
     }
 
+    location ~* ^/teams/([^/]*)/features {
+        include common_response_with_zauth.conf;
+        proxy_pass http://galley;
+    }
+
     location ~* ^/teams/([^/]*)/features/([^/]*) {
       include common_response_with_zauth.conf;
       proxy_pass http://galley;

deploy/services-demo/conf/nginz/nginx.conf

@@ -285,6 +285,11 @@ http {
       proxy_pass http://galley;
     }
 
+    location ~* ^/teams/([^/]*)/features {
+        include common_response_with_zauth.conf;
+        proxy_pass http://galley;
+    }
+
     location ~* ^/teams/([^/]*)/features/([^/]*) {
       include common_response_with_zauth.conf;
       proxy_pass http://galley;

docs/reference/provisioning/scim-token.md

@@ -67,7 +67,7 @@ POST /scim/auth-tokens
 }
 ```
 
-Note that SCIM can only be used with teams that use single sign-on. If a team does not have an identity provider associated with it, `POST /scim/auth-tokens` will return status code 400 with error label `"no-single-idp"`.
+Note that SCIM can only be used with teams that have either no or exactly one SAML IdP ([internal issue](https://github.com/zinfra/backend-issues/issues/1377)).
 
 ### Listing existing tokens {#RefScimTokenList}
 

libs/galley-types/src/Galley/Types/Teams.hs

@@ -299,6 +299,7 @@ data HiddenPerm
   | ChangeLegalHoldUserSettings
   | ViewLegalHoldUserSettings
   | ViewTeamFeature TeamFeatureName
+  | ChangeTeamFeature TeamFeatureName
   | ChangeTeamSearchVisibility
   | ViewTeamSearchVisibility
   | ViewSameTeamEmails
@@ -324,7 +325,8 @@ roleHiddenPermissions role = HiddenPermissions p p
         Set.fromList
           [ ChangeLegalHoldTeamSettings,
             ChangeLegalHoldUserSettings,
-            ChangeTeamSearchVisibility
+            ChangeTeamSearchVisibility,
+            ChangeTeamFeature TeamFeatureAppLock
           ]
     roleHiddenPerms RoleMember =
       (roleHiddenPerms RoleExternalPartner <>) $
@@ -336,6 +338,7 @@ roleHiddenPermissions role = HiddenPermissions p p
           ViewTeamFeature TeamFeatureSearchVisibility,
           ViewTeamFeature TeamFeatureValidateSAMLEmails,
           ViewTeamFeature TeamFeatureDigitalSignatures,
+          ViewTeamFeature TeamFeatureAppLock,
           ViewLegalHoldUserSettings,
           ViewTeamSearchVisibility
         ]

libs/wire-api/package.yaml

@@ -26,6 +26,7 @@ library:
   - cassandra-util
   - cryptonite >=0.11
   - currency-codes >=2.0
+  - deriving-aeson >=0.2
   - email-validate >=2.0
   - errors
   - exceptions >=0.10.0

libs/wire-api/src/Wire/API/Asset/V3.hs

@@ -59,11 +59,8 @@ where
 
 import qualified Codec.MIME.Type as MIME
 import Control.Lens (makeLenses)
-import Crypto.Hash (Digest, MD5, hashlazy)
 import Data.Aeson
 import Data.Attoparsec.ByteString.Char8
-import qualified Data.ByteArray as B
-import qualified Data.ByteString.Base64 as B64
 import Data.ByteString.Builder
 import Data.ByteString.Conversion
 import qualified Data.ByteString.Lazy as LBS
@@ -185,7 +182,7 @@ buildMultipartBody sets typ bs =
 -- | Begin building a @multipart/mixed@ request body for a non-resumable upload.
 -- The returned 'Builder' can be immediately followed by the actual asset bytes.
 beginMultipartBody :: AssetSettings -> AssetHeaders -> Builder
-beginMultipartBody sets (AssetHeaders t l d) =
+beginMultipartBody sets (AssetHeaders t l) =
   byteString
     "--frontier\r\n\
     \Content-Type: application/json\r\n\
@@ -205,11 +202,7 @@ beginMultipartBody sets (AssetHeaders t l d) =
       \Content-Length: "
     <> wordDec l
     <> "\r\n\
-       \Content-MD5: "
-    <> byteString (B64.encode (B.convert d))
-    <> byteString
-      "\r\n\
-      \\r\n"
+       \\r\n"
   where
     settingsJson = encode sets
 
@@ -224,12 +217,11 @@ endMultipartBody = byteString "\r\n--frontier--\r\n"
 -- | Headers provided during upload.
 data AssetHeaders = AssetHeaders
   { hdrType :: MIME.Type,
-    hdrLength :: Word,
-    hdrMD5 :: Digest MD5
+    hdrLength :: Word
   }
 
 mkHeaders :: MIME.Type -> LByteString -> AssetHeaders
-mkHeaders t b = AssetHeaders t (fromIntegral (LBS.length b)) (hashlazy b)
+mkHeaders t b = AssetHeaders t (fromIntegral (LBS.length b))
 
 --------------------------------------------------------------------------------
 -- AssetSettings

libs/wire-api/src/Wire/API/Swagger.hs

@@ -120,7 +120,13 @@ models =
     Team.modelTeamDelete,
     Team.Conversation.modelTeamConversation,
     Team.Conversation.modelTeamConversationList,
-    Team.Feature.modelTeamFeatureStatus,
+    Team.Feature.modelForTeamFeature Team.Feature.TeamFeatureLegalHold,
+    Team.Feature.modelForTeamFeature Team.Feature.TeamFeatureSSO,
+    Team.Feature.modelForTeamFeature Team.Feature.TeamFeatureSearchVisibility,
+    Team.Feature.modelForTeamFeature Team.Feature.TeamFeatureValidateSAMLEmails,
+    Team.Feature.modelForTeamFeature Team.Feature.TeamFeatureDigitalSignatures,
+    Team.Feature.modelForTeamFeature Team.Feature.TeamFeatureAppLock,
+    Team.Feature.modelTeamFeatureAppLockConfig,
     Team.Invitation.modelTeamInvitation,
     Team.Invitation.modelTeamInvitationList,
     Team.Invitation.modelTeamInvitationRequest,