Release 2020 10 05 #1214
Merged
Before this PR, scim tokens could only be added to teams that already had exactly one SAML IdP. Now, we also allow SAML-less teams to have SCIM provisioning. This is an alternative to onboarding via team-settings and produces user accounts that are authenticated with email and password. (Phone may or may not work, but is not officially supported.)

The way this works is different from team-settings: we don't send invites, but we create active users immediately the moment the SCIM user post is processed. The new thing is that the created user has neither email nor phone nor a SAML identity, nor a password. How does this work?

email: If no SAML IdP is present, SCIM user posts must contain an externalId that is an email address. This email address is not added to the newly created user, because it has not been validated. Instead, the flow for changing an email address is triggered in brig: an email is sent to the address containing a validation key, and once the user completes the flow, brig will add the email address to the user. We had to add very little code for this in this PR; it's all an old feature.

When SCIM user gets are processed, in order to reconstruct the externalId from the user spar is retrieving from brig, we introduce a new json object for the sso_id field that looks like this: {'scim_external_id': '[email protected]'}.

In order to find users that have email addresses pending validation, we introduce a new table in spar's cassandra called scim_external_ids, in analogy to user. We have tried to use brig's internal GET /i/user&email=..., but that also finds pending email addresses, and there are corner cases when changing email addresses and waiting for the new address to be validated and the old to be removed... that made this approach seem infeasible.

password: once the user has validated their email address, they need to trigger the "forgot password" flow -- also old code.

That's the gist of it!

* New brig internal end-points.
* Support for email/password-authenticated scim users.
* Fix: spar's notion of brig's api.
  - use internal end-points
  - return 'UserAccount' (contains status) instead of 'User'.
  - more transparent error handling.
* Fix: allow UserSSOId in brig to carry scim external ids.
* Fix: UserSSOId parsing in spar.
* Fix: store RichInfo in brig if it changes.
* Fix: do not support setting passwords in SCIM
* Fix: update sso_id in brig correctly.
* Fix: do not pull users with email pending validation.
* Refactor: functions for handler-, email-based scim user lookup.
* Give externalIds that are emails their own lookup table in spar.
* Fix: check if email address is available (even without idp).
* Fix: scim-delete if there is no saml idp.
* Refactor: reduce integration test setup time.
* Fix: do not use email address as saml subject if no uref is found.
* Add at least a few lines of docs.
* Assert that deleteUser returns 204

Co-authored-by: Arian van Putten <[email protected]>
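The SCIM-without-SAML flow described in the commit message above, as an added Python model that is not spar's or brig's code; the class names, the `{"tenant", "subject"}` shape of the SAML sso_id, the in-memory stand-ins for brig and for the scim_external_ids table, and the validation-key handling are assumptions.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional
# Hypothetical model (not spar/brig code) of the flow above; table and JSON shapes are assumed.

@dataclass
class User:
    uid: str
    team: str
    sso_id: dict                 # what brig stores in the sso_id field
    email: Optional[str] = None  # attached only after the address is validated

@dataclass
class Spar:
    teams_with_idp: set = field(default_factory=set)
    users: dict = field(default_factory=dict)              # uid -> User (stands in for brig)
    scim_external_ids: dict = field(default_factory=dict)  # email -> uid, pending included
    validation_keys: dict = field(default_factory=dict)    # uid -> key mailed to the address

    def post_scim_user(self, team: str, external_id: str) -> User:
        uid = f"uid-{len(self.users) + 1}"
        if team in self.teams_with_idp:
            user = User(uid, team, {"tenant": team, "subject": external_id})  # shape assumed
        else:
            if external_id.count("@") != 1:
                raise ValueError("externalId must be an email when the team has no SAML IdP")
            if external_id in self.scim_external_ids:
                raise ValueError("email address not available")
            # active user created now; email stays unset until the mailed key is used
            user = User(uid, team, {"scim_external_id": external_id})
            self.scim_external_ids[external_id] = uid
            self.validation_keys[uid] = secrets.token_hex(8)
        self.users[uid] = user
        return user

    def validate_email(self, uid: str, key: str) -> bool:
        if self.validation_keys.get(uid) != key:
            return False
        self.users[uid].email = self.users[uid].sso_id["scim_external_id"]
        del self.validation_keys[uid]
        return True

    def lookup_by_external_id(self, external_id: str) -> Optional[User]:
        # spar's own table, so users whose email is still pending validation are found too
        return self.users.get(self.scim_external_ids.get(external_id))

def external_id_of(user: User) -> str:
    # reconstruct the SCIM externalId from the stored sso_id JSON object
    return user.sso_id.get("scim_external_id") or user.sso_id["subject"]
```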
We will probably make it less verbose again in the future, but at the moment this is helpful for debugging issues caused by switching to amazonka.

* cargohold: log more AWS errors
* add comments to amazonka log level mapping. Copied from other services. Might be nice to unify this?
If testing against S3, minio, and others, this allows one to run

```
cd services/cargohold
make compat-minio
make compat-s3
...
```

Requires a `compat` folder (currently symlinked to a private repository containing some credentials)
* Remove unused scim_user table
* update cabal file.
* update cassandra dump.
* Fix test descriptions.

Co-authored-by: Matthias Fischmann <[email protected]>
* Added failing test
* Haddocks.
* Fix: when looking for uref fails, try email.
* Fix name.

Co-authored-by: Matthias Fischmann <[email protected]>
* Bump alpine to 3.12 for GHC
* Install GHC using ghcup
* Add ncurses-dev to prebuilder
* Parametrize builder image in the same way as others
* Upgrade to LTS 16.14, GHC 8.8.4
* Use upstream master branch of HaskellNet-SSL
* Use merge-request branch of wai-predicates
* Use merge-request branch of redis-io
* Upgrade saml2-web-sso to support GHC 8.8
* Upgrade our fork of bloodhound to support GHC 8.8
* Replace 'mapM' with 'sequence $ map ...' in bonanza tests. Bug report in GHC: https://gitlab.haskell.org/ghc/ghc/-/issues/18730
* Tidy up stack.yaml
…unt of servers … (#1206)

limit list of SFT servers to 6, independent of the amount of servers in the SRV record.

Co-authored-by: Akshay Mankar <[email protected]>
* Use mutable content for non-voip notifications and update limits

Co-authored-by: Matthias Fischmann <[email protected]>
fisx approved these changes on Oct 5, 2020:
https://github.com/zinfra/backend-issues/issues/1780 was indeed due to the team size limit, so this can go ahead! 👍
CI failures relate only to this flaky test: https://github.com/zinfra/backend-issues/issues/1789 (and general CI's kubernetes cluster being unwell)
2020-10-05

Release Notes

With this release, the `setCookieDomain` configuration (under brig/config.optSettings) no longer has any effect, and can be removed.

Security improvements

Bug Fixes

New Features

Internal changes