WPB-14306 [enterprise login] Implement common prerequisites for multiple endpoints #4364

3898024
wip
battermann Dec 5, 2024
6c59264
wip: some types and dummy handler
battermann Dec 5, 2024
c0b9b2c
internal API routes types and handler stubs
battermann Dec 6, 2024
0558872
failing test
battermann Dec 6, 2024
95dd773
formatting
battermann Dec 6, 2024
a84a1dd
db migration added domain registration table
battermann Dec 6, 2024
5042a40
improve json serde and golden tests
battermann Dec 6, 2024
52c07b1
domain registration store
battermann Dec 6, 2024
794f9cc
basic enterprise login subsystem scaffold
battermann Dec 6, 2024
b1bb438
glue together interpreters - test is gree
battermann Dec 9, 2024
6d32c35
test not-found and verify response body
battermann Dec 9, 2024
08c76d8
implementation of unlock domain
battermann Dec 9, 2024
55c67c2
impl pre-authorize
battermann Dec 9, 2024
b8b3af0
implemented update domain registration
battermann Dec 9, 2024
f0418e9
added handler stub for un authorize domain
battermann Dec 9, 2024
62b3c26
unauthorize handler and some more tests
battermann Dec 10, 2024
563081b
implement delete handler
battermann Dec 10, 2024
bbe7f25
validate domain registration update
battermann Dec 10, 2024
8772e53
audit email sending
battermann Dec 10, 2024
55800ba
additional optional config option for audit logs
battermann Dec 10, 2024
f2dfcc8
improve audit logging
battermann Dec 10, 2024
c49d06a
Expose brig internal routes to stern.
fisx Dec 11, 2024
caff343
failing test [wip]
fisx Dec 11, 2024
2cf262e
replace MultiVerb1 with [Post|Put|Delete]NoContent
battermann Dec 11, 2024
4fe4f81
make stern integration test pass
battermann Dec 11, 2024
ba724f4
nix packages
battermann Dec 11, 2024
9aa6b88
refactor enterprise login API handlers in stern
battermann Dec 11, 2024
64883dc
renaming, unsued import removed
battermann Dec 11, 2024
95c6c77
changelog
battermann Dec 11, 2024
378aff2
reformatted brig chart
battermann Dec 12, 2024
9f4d960
rename auditRecipient in brig options to auditLoGEmailRecipient
battermann Dec 12, 2024
f16ffc7
moved changelog
battermann Dec 12, 2024
fe0a336
renamed schema value
battermann Dec 12, 2024
494ec1a
improve tests
battermann Dec 12, 2024
0e4e3ec
small test refactorings
battermann Dec 12, 2024
f2f88f9
small refacotring
battermann Dec 12, 2024
378b222
make mapping from stored stricter
battermann Dec 12, 2024
774cd61
send audit mail before the update is made
battermann Dec 12, 2024
29340ff
better error message and small refactoring
battermann Dec 12, 2024
34e7022
renamed brig servant client
battermann Dec 12, 2024
3d1aea2
better error handling
battermann Dec 12, 2024
c6b8ac9
better error responses
battermann Dec 12, 2024
39 changes: 31 additions & 8 deletions cassandra-schema.cql
Expand Up @@ -245,9 +245,11 @@ CREATE TABLE brig_test.mls_key_package_refs (
AND read_repair_chance = 0.0
AND speculative_retry = '99PERCENTILE';

CREATE TABLE brig_test.excluded_phones (
prefix text PRIMARY KEY,
comment text
CREATE TABLE brig_test.oauth_client (
id uuid PRIMARY KEY,
name text,
redirect_uri blob,
secret blob
) WITH bloom_filter_fp_chance = 0.01
AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'}
AND comment = ''
Expand Down Expand Up @@ -432,6 +434,24 @@ CREATE TABLE brig_test.user_keys (
AND read_repair_chance = 0.0
AND speculative_retry = '99PERCENTILE';

CREATE TABLE brig_test.excluded_phones (
prefix text PRIMARY KEY,
comment text
) WITH bloom_filter_fp_chance = 0.01
AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'}
AND comment = ''
AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'}
AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'}
AND crc_check_chance = 1.0
AND dclocal_read_repair_chance = 0.1
AND default_time_to_live = 0
AND gc_grace_seconds = 864000
AND max_index_interval = 2048
AND memtable_flush_period_in_ms = 0
AND min_index_interval = 128
AND read_repair_chance = 0.0
AND speculative_retry = '99PERCENTILE';

CREATE TABLE brig_test.mls_public_keys (
user uuid,
client text,
Expand Down Expand Up @@ -534,11 +554,14 @@ CREATE TABLE brig_test.federation_remote_teams (
AND read_repair_chance = 0.0
AND speculative_retry = '99PERCENTILE';

CREATE TABLE brig_test.oauth_client (
id uuid PRIMARY KEY,
name text,
redirect_uri blob,
secret blob
CREATE TABLE brig_test.domain_registration (
domain text PRIMARY KEY,
backend_url blob,
dns_verification_token ascii,
domain_redirect int,
idp_id uuid,
team uuid,
team_invite int
) WITH bloom_filter_fp_chance = 0.01
AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'}
AND comment = ''
3 changes: 3 additions & 0 deletions charts/brig/templates/configmap.yaml
Expand Up @@ -368,5 +368,8 @@ data:
setOAuthMaxActiveRefreshTokens: {{ .setOAuthMaxActiveRefreshTokens }}
{{- end }}
setPasswordHashingOptions: {{ toYaml .setPasswordHashingOptions | nindent 8 }}
{{- if .setAuditRecipient }}
setAuditRecipient: {{ .setAuditRecipient }}
{{- end }}
{{- end }}
{{- end }}
1 change: 1 addition & 0 deletions charts/brig/values.yaml
Expand Up @@ -156,6 +156,7 @@ config:
# iterations: <iterations>
# parallelism: <paralellism>
# memory: <memory used in KiB>
# setAuditRecipient: [email protected]
smtp:
passwordFile: /etc/wire/brig/secrets/smtp-password.txt
proxy: {}
11 changes: 11 additions & 0 deletions docs/src/developer/reference/config-options.md
Expand Up @@ -822,6 +822,17 @@ brig:
accountPages: https://account.wire.com
```

### Enterprise Login Audit Log

Audit logs for any update (POST, PUT, DELETE) of a domain registration via the internal API are sent via email to the specified email address. If not specified no audit logs will be sent.

```yaml
brig:
config:
optSettings:
setAuditRecipient: [email protected]
```

## Settings in cargohold

AWS S3 (or an alternative provider / service) is used to upload and download
1 change: 1 addition & 0 deletions integration/integration.cabal
Expand Up @@ -120,6 +120,7 @@ library
Test.Conversation
Test.Demo
Test.EJPD
Test.EnterpriseLogin
Test.Errors
Test.Events
Test.ExternalPartner
35 changes: 35 additions & 0 deletions integration/test/API/BrigInternal.hs
Expand Up @@ -329,3 +329,38 @@ putSSOId user args = do
"subject" .= args.subject,
"tenant" .= args.tenant
]

domainRegistrationLock :: (HasCallStack, MakesValue domain) => domain -> String -> App Response
domainRegistrationLock domain registrationDomain = do
req <- baseRequest domain Brig Unversioned $ joinHttpPath ["i", "domain-registration", registrationDomain, "lock"]
submit "POST" req

domainRegistrationUnlock :: (HasCallStack, MakesValue domain) => domain -> String -> App Response
domainRegistrationUnlock domain registrationDomain = do
req <- baseRequest domain Brig Unversioned $ joinHttpPath ["i", "domain-registration", registrationDomain, "unlock"]
submit "POST" req

domainRegistrationPreAuthorize :: (HasCallStack, MakesValue domain) => domain -> String -> App Response
domainRegistrationPreAuthorize domain registrationDomain = do
req <- baseRequest domain Brig Unversioned $ joinHttpPath ["i", "domain-registration", registrationDomain, "preauthorize"]
submit "POST" req

domainRegistrationUnAuthorize :: (HasCallStack, MakesValue domain) => domain -> String -> App Response
domainRegistrationUnAuthorize domain registrationDomain = do
req <- baseRequest domain Brig Unversioned $ joinHttpPath ["i", "domain-registration", registrationDomain, "unauthorize"]
submit "POST" req

updateDomainRegistration :: (HasCallStack, MakesValue domain) => domain -> String -> Value -> App Response
updateDomainRegistration domain registrationDomain payload = do
req <- baseRequest domain Brig Unversioned $ joinHttpPath ["i", "domain-registration", registrationDomain]
submit "PUT" $ req & addJSON payload

deleteDomainRegistration :: (HasCallStack, MakesValue domain) => domain -> String -> App Response
deleteDomainRegistration domain registrationDomain = do
req <- baseRequest domain Brig Unversioned $ joinHttpPath ["i", "domain-registration", registrationDomain]
submit "DELETE" req

getDomainRegistration :: (HasCallStack, MakesValue domain) => domain -> String -> App Response
getDomainRegistration domain registrationDomain = do
req <- baseRequest domain Brig Unversioned $ joinHttpPath ["i", "domain-registration", registrationDomain]
submit "GET" req
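Review bot: The seven new helpers mix two naming schemes: the action helpers are type-prefixed (`domainRegistrationLock`, `domainRegistrationUnlock`, `domainRegistrationPreAuthorize`, `domainRegistrationUnAuthorize`) while the CRUD helpers are verb-first (`updateDomainRegistration`, `deleteDomainRegistration`, `getDomainRegistration`), and `UnAuthorize` capitalises its path segment `"unauthorize"` differently from how `PreAuthorize` treats `"preauthorize"`. The four POST helpers also repeat an identical two-line body where only the trailing path segment differs, so each new internal action will be another copy. One helper taking the action segment keeps the endpoint set in one place and makes each public helper a one-liner; pick one naming scheme for all seven while at it.
```haskell
-- Shared body of the POST-only actions under /i/domain-registration/<domain>/<action>.
domainRegistrationAction :: (HasCallStack, MakesValue domain) => domain -> String -> String -> App Response
domainRegistrationAction domain registrationDomain action = do
  req <- baseRequest domain Brig Unversioned $ joinHttpPath ["i", "domain-registration", registrationDomain, action]
  submit "POST" req

domainRegistrationLock :: (HasCallStack, MakesValue domain) => domain -> String -> App Response
domainRegistrationLock domain registrationDomain = domainRegistrationAction domain registrationDomain "lock"

-- … unchanged: unlock / preauthorize / unauthorize follow the same one-line pattern …
-- … unchanged: updateDomainRegistration, deleteDomainRegistration, getDomainRegistration …
```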
5 changes: 5 additions & 0 deletions integration/test/API/Common.hs
Expand Up @@ -20,6 +20,11 @@ randomEmail = do
u <- randomName
pure $ u <> "@example.com"

randomDomain :: App String
randomDomain = do
u <- randomName
pure $ (fmap toLower u) <> ".com"

randomExternalId :: App String
randomExternalId = liftIO $ do
-- external ID has no constraints, but we only generate human-readable samples
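Review bot: `pure $ (fmap toLower u) <> ".com"` in `randomDomain` applies `fmap` to a `String` behind redundant parentheses; `pure $ map toLower u <> ".com"` states the intent directly and is what hlint would suggest. Whether the result is a well-formed hostname depends on what `randomName` produces, which is outside this hunk: if it can yield characters outside letters, digits and hyphens, tests using this helper exercise the endpoint's domain validation rather than a valid registration. A short comment on the definition would settle that for readers, e.g. `-- assumes randomName yields only ASCII letters/digits; TODO confirm`.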