Add /system/settings endpoint (SQPIT-1141) (#2903)

Currently, only brig.options.settings.setRestrictUserCreation is exposed. Please check with security before you publish more settings. Co-authored-by: fisx <[email protected]>
wireapp · Dec 21, 2022 · d438f0e · d438f0e
1 parent 9211b1b
commit d438f0e
Show file tree

Hide file tree

Showing 11 changed files with 122 additions and 1 deletion.
diff --git a/changelog.d/1-api-changes/system-settings-endpoint b/changelog.d/1-api-changes/system-settings-endpoint
@@ -0,0 +1 @@
+`GET /system/settings/unauthorized` returns a curated set of system settings from brig. The endpoint is reachable without authentication/authorization. It's meant to be used by apps to adjust their behavior (e.g. to show a registration dialog if registrations are enabled on the backend.) Currently, only the `setRestrictUserCreation` flag is exported. Other options may be added in future (in consultation with the security department.)
diff --git a/charts/nginz/values.yaml b/charts/nginz/values.yaml
@@ -373,6 +373,10 @@ nginx_conf:
       envs:
       - all
       disable_zauth: true
+    - path: /system/settings/unauthorized$
+      envs:
+      - all
+      disable_zauth: true
     galley:
     - path: /conversations/code-check
       disable_zauth: true

diff --git a/libs/wire-api/src/Wire/API/Routes/Public/Brig.hs b/libs/wire-api/src/Wire/API/Routes/Public/Brig.hs
@@ -57,6 +57,7 @@ import Wire.API.Routes.Public
 import Wire.API.Routes.Public.Util
 import Wire.API.Routes.QualifiedCapture
 import Wire.API.Routes.Version
+import Wire.API.SystemSettings
 import Wire.API.Team.Invitation
 import Wire.API.Team.Size
 import Wire.API.User hiding (NoIdentity)
@@ -86,6 +87,7 @@ type BrigAPI =
     :<|> AuthAPI
     :<|> CallingAPI
     :<|> TeamsAPI
+    :<|> SystemSettingsAPI
 
 brigSwagger :: Swagger
 brigSwagger = toSwagger (Proxy @BrigAPI)
@@ -1437,3 +1439,14 @@ type TeamsAPI =
                     '[JSON]
                     (Respond 200 "Number of team members" TeamSize)
            )
+
+type SystemSettingsAPI =
+  Named
+    "get-system-settings"
+    ( Summary "Returns a curated set of system configuration settings."
+        :> From 'V3
+        :> "system"
+        :> "settings"
+        :> "unauthorized"
+        :> Get '[JSON] SystemSettings
+    )
diff --git a/libs/wire-api/src/Wire/API/SystemSettings.hs b/libs/wire-api/src/Wire/API/SystemSettings.hs
@@ -0,0 +1,31 @@
+module Wire.API.SystemSettings where
+
+import Control.Lens hiding ((.=))
+import qualified Data.Aeson as A
+import Data.Schema as Schema
+import qualified Data.Swagger as S
+import Imports hiding (head)
+import Servant.Swagger.Internal.Orphans ()
+import Test.QuickCheck
+import Wire.Arbitrary
+
+-- | Subset of `Brig.Options.Settings` that is safe to be shown in public.
+--
+-- Used to expose settings via the @/system/settings/unauthorized@ endpoint.
+-- ALWAYS CHECK WITH SECURITY IF YOU WANT TO ADD SETTINGS HERE.
+data SystemSettings = SystemSettings
+  { systemSettingsSetRestrictUserCreation :: !Bool
+  }
+  deriving (Eq, Show, Generic)
+  deriving (A.ToJSON, A.FromJSON, S.ToSchema) via Schema.Schema SystemSettings
+  deriving (Arbitrary) via (GenericUniform SystemSettings)
+
+instance Schema.ToSchema SystemSettings where
+  schema =
+    Schema.object "SystemSettings" $
+      SystemSettings
+        <$> systemSettingsSetRestrictUserCreation
+          Schema..= Schema.fieldWithDocModifier
+            "setRestrictUserCreation"
+            (description ?~ "Do not allow certain user creation flows")
+            Schema.schema
diff --git a/libs/wire-api/wire-api.cabal b/libs/wire-api/wire-api.cabal
@@ -113,6 +113,7 @@ library
     Wire.API.ServantProto
     Wire.API.Swagger
     Wire.API.SwaggerHelper
+    Wire.API.SystemSettings
     Wire.API.Team
     Wire.API.Team.Conversation
     Wire.API.Team.Export

diff --git a/services/brig/brig.cabal b/services/brig/brig.cabal
@@ -445,6 +445,7 @@ executable brig-integration
     API.Search
     API.Search.Util
     API.Settings
+    API.SystemSettings
     API.Team
     API.Team.Util
     API.TeamUserSearch

diff --git a/services/brig/src/Brig/API/Public.hs b/services/brig/src/Brig/API/Public.hs
@@ -124,6 +124,7 @@ import qualified Wire.API.Routes.Public.Util as Public
 import Wire.API.Routes.Version
 import qualified Wire.API.Swagger as Public.Swagger (models)
 import Wire.API.SwaggerHelper (cleanupSwagger)
+import Wire.API.SystemSettings
 import qualified Wire.API.Team as Public
 import Wire.API.Team.LegalHold (LegalholdProtectee (..))
 import Wire.API.User (RegisterError (RegisterErrorWhitelistError))
@@ -197,6 +198,7 @@ servantSitemap =
     :<|> authAPI
     :<|> callingAPI
     :<|> Team.servantAPI
+    :<|> systemSettingsAPI
   where
     userAPI :: ServerT UserAPI (Handler r)
     userAPI =
@@ -319,6 +321,9 @@ servantSitemap =
       Named @"get-calls-config" Calling.getCallsConfig
         :<|> Named @"get-calls-config-v2" Calling.getCallsConfigV2
 
+    systemSettingsAPI :: ServerT SystemSettingsAPI (Handler r)
+    systemSettingsAPI = Named @ "get-system-settings" getSystemSettings
+
 -- Note [ephemeral user sideeffect]
 -- If the user is ephemeral and expired, it will be removed upon calling
 -- CheckUserExists[Un]Qualified, see 'Brig.API.User.userGC'.
@@ -1095,6 +1100,14 @@ sendVerificationCode req = do
       mbStatusEnabled <- lift $ liftSem $ GalleyProvider.getVerificationCodeEnabled `traverse` (Public.userTeam <$> accountUser =<< mbAccount)
       pure $ fromMaybe False mbStatusEnabled
 
+getSystemSettings :: ExceptT Brig.API.Error.Error (AppT r) SystemSettings
+getSystemSettings = do
+  optSettings <- view settings
+  pure $
+    SystemSettings
+      { systemSettingsSetRestrictUserCreation = fromMaybe False (setRestrictUserCreation optSettings)
+      }
+
 -- Deprecated
 
 deprecatedOnboarding :: UserId -> JsonValue -> (Handler r) DeprecatedMatchingResult

diff --git a/services/brig/src/Brig/Options.hs b/services/brig/src/Brig/Options.hs
@@ -857,7 +857,8 @@ Lens.makeLensesFor
     ("setSftStaticUrl", "sftStaticUrl"),
     ("setSftListAllServers", "sftListAllServers"),
     ("setFederationDomainConfigs", "federationDomainConfigs"),
-    ("setEnableDevelopmentVersions", "enableDevelopmentVersions")
+    ("setEnableDevelopmentVersions", "enableDevelopmentVersions"),
+    ("setRestrictUserCreation", "restrictUserCreation")
   ]
   ''Settings
 

diff --git a/services/brig/test/integration/API/SystemSettings.hs b/services/brig/test/integration/API/SystemSettings.hs
@@ -0,0 +1,48 @@
+module API.SystemSettings (tests) where
+
+import Bilge
+import Bilge.Assert
+import Brig.Options
+import Control.Lens
+import qualified Data.ByteString.Char8 as BS
+import Imports
+import Network.Wai.Test as WaiTest
+import Test.Tasty
+import Test.Tasty.HUnit
+import Util
+import Wire.API.Routes.Version
+import Wire.API.SystemSettings
+
+tests :: Opts -> Manager -> IO TestTree
+tests opts m = pure $ do
+  testGroup
+    "settings"
+    [ test m "GET /system/settings/unauthorized" $ testGetSettings opts
+    ]
+
+testGetSettings :: Opts -> Http ()
+testGetSettings opts = liftIO $ do
+  expectResultForSetting Nothing False
+  expectResultForSetting (Just False) False
+  expectResultForSetting (Just True) True
+  where
+    expectResultForSetting :: Maybe Bool -> Bool -> IO ()
+    expectResultForSetting restrictUserCreationSetting expectedRes = do
+      let newOpts = opts & (optionSettings . restrictUserCreation) .~ restrictUserCreationSetting
+      -- Run call in `WaiTest.Session` with an adjusted brig `Application`. I.e.
+      -- the response is created by running the brig `Application` (with
+      -- modified options) directly on the `Request`. No real HTTP request is
+      -- made. This happens due to the `MonadHttp WaiTest.Session` instance.
+      queriedSettings <- withSettingsOverrides newOpts $ getSystemSettings
+      liftIO $
+        queriedSettings @?= SystemSettings expectedRes
+
+getSystemSettings :: WaiTest.Session SystemSettings
+getSystemSettings =
+  responseJsonError
+    =<< get (path (BS.pack ("/" ++ latestVersion ++ "/system/settings/unauthorized")))
+      <!! statusCode
+        Bilge.Assert.=== const 200
+  where
+    latestVersion :: String
+    latestVersion = map toLower $ show (maxBound :: Version)
diff --git a/services/brig/test/integration/Main.hs b/services/brig/test/integration/Main.hs
@@ -28,6 +28,7 @@ import qualified API.Metrics as Metrics
 import qualified API.Provider as Provider
 import qualified API.Search as Search
 import qualified API.Settings as Settings
+import qualified API.SystemSettings as SystemSettings
 import qualified API.Team as Team
 import qualified API.TeamUserSearch as TeamUserSearch
 import qualified API.User as User
@@ -142,6 +143,7 @@ runTests iConf brigOpts otherArgs = do
   teamApis <- Team.tests brigOpts mg n b c g awsEnv
   turnApi <- Calling.tests mg b brigOpts turnFile turnFileV2
   metricsApi <- Metrics.tests mg b
+  systemSettingsApi <- SystemSettings.tests brigOpts mg
   settingsApi <- Settings.tests brigOpts mg b g
   createIndex <- Index.Create.spec brigOpts
   browseTeam <- TeamUserSearch.tests brigOpts mg g b
@@ -169,6 +171,7 @@ runTests iConf brigOpts otherArgs = do
         teamApis,
         turnApi,
         metricsApi,
+        systemSettingsApi,
         settingsApi,
         createIndex,
         userPendingActivation,

diff --git a/services/nginz/integration-test/conf/nginz/nginx.conf b/services/nginz/integration-test/conf/nginz/nginx.conf
@@ -286,6 +286,11 @@ http {
         proxy_pass http://brig;
     }
 
+    location /system/settings/unauthorized$ {
+        include common_response_no_zauth.conf;
+        proxy_pass http://brig;
+    }
+
     # Cargohold Endpoints
 
     rewrite ^/api-docs/assets  /assets/api-docs?base_url=http://127.0.0.1:8080/ break;
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		`GET /system/settings/unauthorized` returns a curated set of system settings from brig. The endpoint is reachable without authentication/authorization. It's meant to be used by apps to adjust their behavior (e.g. to show a registration dialog if registrations are enabled on the backend.) Currently, only the `setRestrictUserCreation` flag is exported. Other options may be added in future (in consultation with the security department.)