Releases: wireapp/wire-server

2024-12-30 (Chart Release 5.9.0)

30 Dec 10:43
2a8ac99

Release notes

  • The request body of POST /scim/auth-token now lets you choose an IdP UUID to associate the token with. If none is given, the token is not associated with any IdP.

    WARNING: the new behavior differs from the old one when first creating a unique SAML IdP and then the SCIM token: before this release, this request would associate the two, now it doesn't. (#4349)

  • We changed the default MLS cipher suite from

    • MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519

    to

    • MLS_128_DHKEMP256_AES128GCM_SHA256_P256

    and the allowed MLS cipher suites from only

    • MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519

    to only

    • MLS_128_DHKEMP256_AES128GCM_SHA256_P256.

    ATTENTION: This breaks your MLS clients if they used the previous defaults. This is true even if you allow several cipher suites, since current MLS clients only support one cipher suite at a time.

    Adjust the defaults in the server configuration to switch the values of defaultCipherSuite and allowedCipherSuites back to the previous defaults, 1 and [1], respectively. Once MLS clients support several cipher suites, you could even use [1,2] or a list of other cipher suites in allowedCipherSuites. Make sure that this list contains the currently used cipher suite! (#4373)

  • This release contains a new Git submodule: wire-server-enterprise. This module represents a service which contains all non-open-source features. Wire can still be deployed and run without this service. Building it without wire-server-enterprise is currently not documented, but Wire will keep providing the artefacts.

    The service can be deployed with a dedicated Helm chart (charts/wire-server-enterprise). The required service image is not freely available (the registry is password protected). (#4357)

API changes

  • The client_id query parameter of the GET /events endpoint is now optional. When not provided, events are returned from a temporary queue that's not bound to any specific client. The queue is deleted when the websocket disconnects. (#4360)

Features

  • You can now create both multiple SCIM peers and multiple SAML IdPs, and freely associate them with each other (team management app implementation pending). (#4349)

  • Internal API and backoffice support for managing email domains for enterprise login (#4364)

Bug fixes and other updates

  • Fix "gzip filter failed to use preallocated memory" alerts in nginz by upgrading (#4365)

  • Send team active event in personal user to team flow (#4380)

  • Add profile name to new team owner welcome mail (#4378)

Internal changes

  • Delete federation V0 and V1 queues after integration tests (#4374)

  • Stabilize index migration tests by fixing a race on index names. (#4382)

  • Adjust the existing Ormolu script to format the wire-server-enterprise submodule
    as well. (#4377)

  • Revive and translate old integration test (#4387, #4386)

  • Translate integration test to new suite. (#4384)

2024-12-11 (Chart Release 5.8.0)

13 Dec 14:10
2a8ac99

Release notes

  • [RabbitMQ events] Notifications are now also sent via RabbitMQ. Therefore RabbitMQ is now a required dependency for Cannon and Gundeck. Cassandra is now a required dependency for Cannon and Background-Worker. Both of them need access to the Gundeck keyspace. These are breaking changes for Charts. (#4272, #4358, #4340)

  • If brig's server values config has the field emailSMS.team, the correct value for the personal user to team invitation URL must be set under emailSMS.team.tExistingUserInvitationUrl. Otherwise the URL will point to a path under the account pages and therefore a value for externalUrls.accountPages is required. (#4341)

API changes

  • The endpoint POST /teams/:tid/invitations gained a new optional field allow_existing, which controls whether an existing personal user should be invited to the team (#4336)

Features

  • Welcome email for new team owner. (#4333)

  • Added inviter's email to GET /teams/invitation/info endpoint. (#4332)

Bug fixes and other updates

  • Updated nginz config for personal user to team flow (#4334)

  • Freeze API version 7, create new dev version 8. Also update checklist. (#4356, #4356)

  • Fixed config for personal user to team invitation URL template. (#4341)

  • Fixed search index after personal user creates team (#4362)

Documentation

  • Add a few more swagger descriptions and examples. (#4323)

Internal changes

  • charts/wire-server-enterprise is a Helm chart to run the wire-server-enterprise
    service. This service can only be deployed with an image pull secret (the
    registry is not open to the public). (#4359)

  • [Polysemy] Move email update and remove operations to effects (#4316, #4316)

  • Log uncaught IO exceptions in cargohold (#4352)

  • Updated email templates to v1.0.124 (#4328)

  • charts/galley: Make missing mls keys a templating error. Update MLS docs. (#4369)

  • [RabbitMQ events] New endpoint GET /events for consuming events is added (in API V8).

    • When a client misses notifications because it was offline for too long, it needs to know this so it can do a full synchronisation. This appears as the first notification in the GET /events endpoint whenever the system detects this happening. The next acknowledgement of the message makes this notification not appear anymore until the next notification is missed. (#4272)
    • New internal endpoint POST /i/users/:uid/clients/:cid/consumable-notifications is added (#4272)
    • Connection pooling in cannon (#4348)
    • Add consumers to the draining step on Cannon, in case of termination. (#4342)
    • List queues more efficiently. (#4351)

2024-11-04 (Chart Release 5.7.0)

05 Nov 08:49
bad31a7

Bug fixes and other updates

  • galley: Use bulk query when getting all feature configs for a team user (#4325)

Internal changes

  • Block access to assets.*/minio/ path for public access. (#4297)
  • galley: Delete unused endpoint for getting feature status for multiple teams (#4326)
  • Fix shellcheck problems in all shell scripts (#4220)

2024-10-30 (Chart Release 5.6.0)

31 Oct 10:16
0118e94

Release notes

  • To remove phone keys from brig's user_keys table an ad hoc data-migration can be run. See PR #4146 which contains the implementation. (#4130)

  • Because the phone column is deleted from Brig's user table in a schema
    migration, temporarily there might be 5xx errors during deployment if Wire
    server 5.4.0 was not deployed previously. To avoid these errors, please deploy
    the Wire server 5.4.0 release first. (#4130)

  • With this release it will be possible to invite personal users to teams. In brig's config, emailSMS.team.tExistingUserInvitationUrl is required to be set to a value that points to the correct teams/account page.
    If emailSMS.team is not defined at all in the current environment, the value of externalUrls.teamSettings (or, if not present, externalUrls.nginz) will be used to construct the correct url, and no configuration change is necessary. (#4229)

  • charts/wire-server: There is a new config value called background-worker.config.enableFederation which defaults to false. This must be kept in sync with tags.federation. (#4243)

  • If you are mapping an email address to the externalId field in the
    scim schema, please check the following list for items that apply to
    you and recommended steps before/during/after upgrade.

    • Situation: the emails field of your scim user records is
      empty.

      What you need to do: change your schema mapping to contain the
      same address in externalId and (as a record with one element) in
      emails.

    • Situation: the emails field of your scim user records is
      non-empty.

      What you need to do: make sure emails contains exactly one
      entry, which is the email from externalId. If there is a
      discrepancy, the address from emails will become the new
      (unvalidated) address of the user, and the user will receive an
      email to validate it. If the email cannot be sent or is ignored
      by the recipient, the valid address will not be changed. (#4221)

  • A schema migration drops the column 'phone' from Brig's 'team_invitation' table. Previous releases still read this column, so during deployment this will lead to 5xx errors. These errors are benign: there is no Team Settings UI action to enter a phone number, so no actual phone numbers go unread. (#4149)

  • Password hashing can now be done using argon2id instead of scrypt. The argon2id parameters can be configured using these options:

    brig:
      optSettings:
        setPasswordHashingOptions:
          algorithm: argon2id
          iterations: ...
          memory: ... # memory needed in KiB
          parallelism: ...
    galley:
      settings:
        passwordHashingOptions:
          algorithm: argon2id
          iterations: ...
          memory: ... # memory needed in KiB
          parallelism: ...

    The default option is still to use scrypt as moving to argon2id might require
    allocating more resources according to configured parameters.

    When configured to use argon2id, the DB will be migrated slowly over time as the
    users enter their passwords (either to login or to do other operations which
    require explicit password entry). This migration is NOT done in reverse,
    i.e., if a deployment started with argon2id as the algorithm then chose to move
    to scrypt, the passwords will not get rehashed automatically, instead the users
    will have to reset their passwords if that is desired.

    NOTE: It is highly recommended to move to argon2id as it will be made the
    only available choice for the algorithm config option in the future.

    (#4291, #4291)

  • Config value gundeck.config.bulkPush has been removed. This is purely an
    internal change. If the value was overridden to false, operators might see
    more spiky usage of CPU and memory from gundeck due to bulk processing. (#4290)
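
The SCIM checklist in the release notes above (an email address mapped to externalId), written as a pre-upgrade audit over exported user records. This is an added example, not wire-server code; it assumes the standard SCIM User attributes externalId and emails[].value, and the sample records, status labels and function names are constructed for illustration.

```python
import re
from typing import NamedTuple

# Loose on purpose: only separates "looks like an email" from an opaque ID.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class Finding(NamedTuple):
    user_name: str
    status: str  # "ok" | "add-emails" | "fix-emails" | "not-applicable"
    detail: str


def email_values(record):
    """Collect the non-empty `value` strings of the SCIM `emails` attribute."""
    values = []
    for entry in record.get("emails") or []:
        value = entry.get("value") if isinstance(entry, dict) else None
        if isinstance(value, str) and value.strip():
            values.append(value.strip())
    return values


def audit_record(record):
    """Classify one SCIM user record against the two situations in the notes."""
    name = record.get("userName") or "<no userName>"
    external_id = (record.get("externalId") or "").strip()
    emails = email_values(record)

    if not EMAIL_RE.match(external_id):
        # The checklist only concerns deployments that map an email to externalId.
        return Finding(name, "not-applicable", "externalId is not an email address")
    if not emails:
        return Finding(name, "add-emails",
                       f"emails is empty: add {external_id} as its only entry")
    if len(emails) > 1:
        return Finding(name, "fix-emails",
                       f"emails has {len(emails)} entries: reduce to exactly {external_id}")
    if emails[0] != external_id:
        # Exact comparison on purpose: a pre-upgrade audit should over-report.
        return Finding(name, "fix-emails",
                       f"{emails[0]} differs from externalId {external_id} and would "
                       "become the new unvalidated address (validation mail is sent)")
    return Finding(name, "ok", "emails holds exactly the externalId address")


def audit(records):
    """Audit every record, preserving input order."""
    return [audit_record(r) for r in records]


def needs_action(findings):
    """Findings that require a schema-mapping change before the upgrade."""
    return [f for f in findings if f.status in ("add-emails", "fix-emails")]


# Constructed sample records (not real users), shaped like SCIM User resources.
SAMPLE_RECORDS = [
    {"userName": "alice", "externalId": "alice@example.com", "emails": []},
    {"userName": "bob", "externalId": "bob@example.com",
     "emails": [{"value": "bob@example.com", "primary": True}]},
    {"userName": "carol", "externalId": "carol@example.com",
     "emails": [{"value": "c.smith@example.org"}]},
    {"userName": "dave", "externalId": "dave@example.com",
     "emails": [{"value": "dave@example.com"}, {"value": "dave@example.net"}]},
    {"userName": "erin", "externalId": "8f2c1d5e-employee-0042"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RECORDS):
        print(f"{finding.status:15} {finding.user_name:6} {finding.detail}")
```

Records reported as fix-emails with a differing address are the ones where the upgrade would start an email change for the user, so resolve them in the identity provider's mapping first.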

API changes

  • A new endpoint POST /teams/invitations/accept allows a non-team user to accept an invitation to join a team (#4229)

  • The services allowlist is blocked by 409 (mls-services-not-allowed) for teams with default protocol MLS. (#4266)

  • The POST /clients and PUT /clients/:cid endpoints support a new capability "consume-notifications" (#4259)

  • New variant in API version 7 of endpoints for creating and listing SCIM tokens that support a name field. New endpoint in version 7 for updating a SCIM token name. (#4307)

  • All the phone number-based functionality is removed from the client API v6 (#4149)

  • The team CSV export endpoint has gained two extra columns: last_active and status. The streaming behaviour has also been improved. (#4293)

  • The changes to the capabilities field of the Client structure, introduced in v6, have now been postponed to v7 (#4179)

  • Finalise version 6 and introduce new development version 7 (#4179, #4179)

  • From API version 7 the GET /mls/public-key and GET /conversations/one2one/:domain/:uid endpoints now take a format query parameter which can be either raw (default, for raw base64-encoded keys) or jwk (for JWK keys) (#4216, #4224)

  • GET /conversations/one2one/:domain/:uid now returns public_keys along with the conversation containing all MLS public keys for the backend which will host this conversation (since v6). (#4224)

  • Remove the ability to set the TTL of a feature flag. Existing TTLs are still retrieved and returned as before. Note that this only applies to the conferenceCalling feature, as none of the others supported TTL anyway. (#4164)

  • Add useSFTForOneToOneCalls as a config option for the Conference Calling feature flag and make its lock status explicit. (#4164)

  • Add endpoint to upgrade a personal user to a team owner (#4251)

Features

  • DB migration for dropping phone column from user table (#4130)

  • A text status field was added to user and user profile (#4155)

  • Allow an existing non-team user to migrate to a team (#4229, #4268, #4315)

  • Makes it impossible for a user to join an MLS conversation while already under legalhold (at least pending)

    This implies two things:

    1. If a user is under legalhold they cannot ever join an MLS conversation, not even an MLS self conversation.
    2. A user has to reject being put under legalhold when they want to join an MLS conversation (ignoring the request to be put under legalhold is not enough). (#4242)
  • Email template for inviting a personal user to a team added (#4310)

  • Clients can declare to be supporting a capability for consuming notifications (#4259)

  • New endpoint to revoke an OAuth session (#4213)

  • Adds a field which contains a list of all active sessions to each OAuth application in the response of GET /oauth/applications (#4211)

  • SCIM's emails field is now handled and the external ID is not restricted to being an email anymore (#4221)

  • Added human readable names for SCIM tokens (#4307)

  • allow subconversations for MLS 1-1 conversations (#4133)

  • Allow choosing hashing algorithm and configuring argon2id parameters (#4291, #4291)

  • Deny requests for a legalhold device for users who are part of any MLS conversations (#4245)

  • Allow setting of Kubernetes annotations for the coturn Service. (#4189)

  • Add initialConfig setting for the mls feature flag (#4262)

  • Add federationProtocols setting to galley, which can be used to disable the creation of federated conversations with a given protocol (#4278)

  • added open telemetry instrumentation for brig, galley, gundeck and cannon (#3901)

  • Send confirmation email after adding a personal user to a new team (#4253)

  • The SFT and turn usernames returned by /calls/config/v2 are now deterministically computed from the user ID (#4156)

  • Use latest stable RabbitMQ version (3.13.7) and Helm chart (14.6.9). Please
    note that this minor RabbitMQ version upgrade (3.11.x to 3.13.x) may need
    special treatment regarding existing RabbitMQ instances. See
    https://www.rabbitmq.com/docs/upgrade#rabbitmq-version-upgradability . The major
    Helm chart version upgrade may (depending on your setup/values) need attention
    as well: https://github.com/bitnami/charts/tree/main/bitnami/rabbitmq#upgrading (#4227)

Bug fixes and other updates

  • Fixed API version check. It now takes precedence over other checks, e.g. the method check. (#4152)

  • Fix handling of defaults of mlsE2EID feature config (#4233)

  • Match cipher suite tag in query parameters against key packages on replacing key packages (#4158)

  • Users with SAML-SSO are allowed to delete their email address on the rest api. If they do that, the search indices are not updated correctly, and finding the user by the removed email address is still possible. (#4260)

  • Re-add accidentally removed add-bot@v6 route in nginz, fixes #4302 (#4318)

  • Exclude exception message from error response (#4153)

  • Return HTTP 400 instead of 500 when property key is not printable ASCII (#4148)

  • move cipher suite updates into the commit lock (#4151)

  • Fix feature flag default calculation for mlsMigration and enforceFileDownloadLocation (#4265)

  • Allow setting existing properties even if we have max properties (#4148)

  • removed spam from nginx (nginz) by using the new style http/2 directive (#3901)

  • brig: Make GET /services/tags work again (#4250)

  • Process bounce and complaint notifications from SES correctly. (#4301)

Documentation

  • Call graph of federated endpoints was removed from the docs (#4299)

  • Restored LegalHold internal API swagger as part of Brig. (#4191)

  • Fix: show openapi docs for blocked versions (#4309)

  • Move docs from docs.wire.com to generated helper page served by brig (#4311)

  • Deleted proteus-specific test documentation tags and added some new ...


2024-07-09 (Chart Release 5.5.0)

09 Jul 16:22
63d78de

Bug fixes and other updates

  • Fix names of metrics so they do not contain any dots (#4134)

2024-07-08 (Chart Release 5.4.0)

08 Jul 14:33
7bd6faf
  • Phone registration and login is not supported anymore. All API endpoints dealing with phone numbers and phone activation codes now fail with a 400 error. Brig options related to phone number support have now been deleted, namely:
    • setTwilio
    • setNexmo
    • setAllowlistPhonePrefixes. (#4045)

API changes

  • Internal API endpoints related to phone numbers have been removed.

    In brig:

    • iGetPhonePrefix
    • iDeletePhonePrefix
    • iPostPhonePrefix.

    In stern:

    • get-users-by-phone
    • put-phone. (#4045)

Features

  • charts/coturn: support putting coturn into 'drain' mode when terminating pods, denying new incoming client connections. This speeds up graceful coturn restarts significantly. (#4098)

  • Set SFT usernames' shared field according to team settings (#4117)

  • Updated the mlsE2EId feature config with two additional fields crlProxy and useProxyOnMobile (#4051)

  • reject MLS messages for future epochs (#4110)

  • Introduce more configuration options to the coturn helm chart (#4083)

  • Update email templates to v1.0.121. (#4064)

  • Support connecting to RabbitMQ over TLS. See "Configure RabbitMQ" section in the documentation for details. (#4094)

  • Support connecting to Redis over TLS

    It can be enabled by setting these options on the wire-server helm chart:

    gundeck:
      config:
        redis:
          enableTls: true
    
          # When custom CAs are required, one of these must be set:
          tlsCa: <PEM encoded CA certificates>
          tlsCaSecretRef:
            name: <Name of the secret>
            key: <Key in the secret containing pem encoded CA Cert>
    
          # When TLS needs to be used without verification:
          insecureSkipVerifyTls: true

    (#4016)

Bug fixes and other updates

  • fixed stern endpoint /i/users/meta-info (#4101)

  • Log password reset errors instead of propagating them (#4114)

  • Log request ids in brig. (#4086)

  • Do not set update origin "scim" in public brig api. (#4072)

  • Disabling legalhold before user's approval doesn't result in an error (#4104)

  • Make scim-delete-user idempotent. Hide information about existing users (make delete idempotent) (#4120)

  • Expose /providers/assets via nginz (#4082)

  • federator: Expect a client certificate to be the certificate chain

    Without this, openssl doesn't forward the whole chain, causing mTLS to not succeed. (#4089)

  • Only resend proposals once after external commit (#4103)

  • gundeck: Better tolerance for redis-cluster restarts (#4084)

  • GHC does not support repeated --with-rtsopts options, and it simply applies the last one. This means many of the baked-in options were actually not being passed, including -N for some of the services and -T for cannon. (#4118)

  • Ensure that a Request ID is logged whenever unexpected errors are caught in any service (#4059)

  • charts/coturn: use allowed dir to write PID file (#4098)

  • Make pending LH requests (with no LH devices listening yet) not throw LH policy errors. This helps e.g. in cases where a LH request is issued to the wrong user by accident, and the user can clear up the mistake. (#4056)

Documentation

  • Adjust documentation for migrated helm charts (#4058)

Internal changes

  • Adapt EJPD data to current requirements. (#3945)

  • Port team feature tests to the integration package (#4063)

  • Ported flaky legalhold test to the new integration test suite (#4057)

  • Added profile update operations to the user subsystem. (#4046)

  • Introduce authentication subsystem with password reset. (#4086)

  • update nixpkgs and hence GHC version as well as some other tooling. (#4071)

  • nginz: Added allowlisted_fqdn_origins to nginx_conf value (#4087)

  • Add weeder for dead code elimination. (#4088)

  • Introduce email subsystem (#4111)

  • replace cabal.project.local template and update cabal.project (#4119)

  • Add HTTP proxy in the local setup for elasticsearch in federation-v0. This makes it possible to use a single elasticsearch instance for both the main backends and federation-v0. (#4062)

  • federator: Add metrics for garbage collections and unexpected errors that were caught (#4085)

  • federator: Simplify polysemy setup to make it similar to other services so the
    interpreter is only used for hoisting the servant application and not explicitly
    inside handler of an endpoint (#4059)

  • Added prometheus enable and datacenter size variables for k8ssandra-test-cluster helm chart. (#4011)

  • Make Handle type abstract to guarantee it always contains valid Handles. (#4076)

  • metrics-core: Delete Data.Metrics in favour of defining metrics closer to where they are being emitted (#4085)

  • add more metadata into the meta attribute of all nix derivations produced locally (#4069)

  • Do not log anything when warp kills a worker thread. (#4112)

  • Introduce VerificationCodSubsystem (#4121)

  • add tests for bots that use self-signed certs and add documentation on why we cannot test the bots to work with PKI (#4027)

2024-05-21 (Chart Release 5.3.0)

21 May 13:04
65470f7

API changes

  • /mls/keys use JWK instead of bare keys as MLS removal keys (#3548)

  • The cipher_suite field is not present anymore in objects corresponding to newly created conversations (#4009)

Features

  • Upgrade rusty-jwt-tools to support ecdsa_secp256r1_sha256 (#4035)

  • gundeck: Delete all APNS_VOIP and APNS_VOIP_SANDBOX push tokens (#4044)

Bug fixes and other updates

  • gundeck: Fix parsing errors for SNS ARN for VOIP Tokens (#4040)

  • Fix hardcoded ciphersuite when switching to mixed (#4048)

Internal changes

  • Add tool to determine number of phone-only users (#4024)

  • Log federator request ID on exceptions (#4037)

  • Update mls-test-cli to version 0.12 (#4039)

  • Remove inbucket helm chart. (#4032)

  • Finish servantifying galley and remove wai-routing dependency (#4018)

  • New subsystem for user management. (#3977)

  • Clean up syntax of test cases that occur in BSI audit. (#4041)

2024-04-29 (Chart Release 5.2.0)

29 Apr 08:08
65470f7

Important: Do not upgrade

If you upgrade to this version and there were users using APNS_VOIP tokens, this will cause issues with notifications to those users.

Bug fixes and other updates

  • charts/brig: Fix template for settings ES CA certs (#4022)

2024-04-25 (Chart Release 5.1.0)

25 Apr 12:26
02d3bf3
Pre-release

Release notes

  • There is a new optional Boolean in Brig's Helm chart, config.multiSFT.enabled,
    signalling whether calls between federated SFT servers are allowed. (#3915)

    IMPORTANT: The value of this new option needs to be set to the value of
    multiSFT.enabled in SFT's Helm chart. Otherwise federated SFT servers won't
    work.

    If provided, the field is_federating in the response of /calls/config/v2
    will reflect multiSFT.enabled's value.

    Example:

    # [brig/values.yaml]
    multiSFT:
      enabled: true
    

    Also, the optional object sftToken with its fields ttl and secret defines
    whether an SFT credential would be rendered in the response of
    /calls/config/v2. The field ttl determines how many seconds the credential
    is valid and secret is the path to the secret shared with SFT to create
    credentials.

    Example:

    # [brig.yaml]
    sft:
      sftBaseDomain: sft.wire.example.com
      sftSRVServiceName: sft
      sftDiscoveryIntervalSeconds: 10
      sftListLength: 20
      sftToken:
        ttl: 120
        secret: /path/to/secret
    
  • The "addClient" internal endpoint of galley has been changed. This can cause temporary failures during upgrades if brig attempts to use this endpoint on a different version of galley. (#3904)

  • Removed the deprecated and unused field geoDb from Brig's config. (#3975)

  • Added support for 3 more MLS ciphersuites. To enable MLS, all supported signature schemes (ed25519 and the three ecdsa variants) now need to have private keys specified in galley's configuration file. (#3964)

API changes

  • Create version 6 of client-related endpoints, fixing an oddity in the serialisation of capabilities. (#3904)

  • Add gzip request support to spar and proxy (#4013)

Features

  • Backend validates display name during DPoP challenge (#3890)

  • Add Helm chart smallstep-accomp that provides a CRL endpoint proxy for federated E2EI (#3896)

  • Support for Elasticsearch password authentication (#3989, #3959, #3994, #3984, #2093, #2079)

  • Support unblocking a user in an MLS 1-to-1 conversation (#3940)

  • Add E2EI configuration setup to smallstep-accomp chart (#3944)

  • Remove Helm migrated charts webapp, team-settings, account-pages, sftd (#3927)

  • charts/nginz: Rate limiting claiming MLS key-packages by requesting and target user (#3918)

  • Support connecting to Elasticsearch over TLS

    It can be enabled by setting these options on the wire-server helm chart (#3989):

    brig:
      config:
        elasticsearch:
          scheme: https
    
          # When custom CAs are required, one of these must be set:
          tlsCa: <PEM encoded CA certificates>
          tlsCaSecretRef:
            name: <Name of the secret>
            key: <Key in the secret containing pem encoded CA Cert>
    
          # When TLS needs to be used without verification:
          insecureSkipVerifyTls: true
    
    elasticsearch-index:
      elasticsearch:
        scheme: https
    
        # When custom CAs are required, one of these must be set:
        tlsCa: <PEM encoded CA certificates>
        tlsCaSecretRef:
          name: <Name of the secret>
          key: <Key in the secret containing pem encoded CA Cert>
    
        # When TLS needs to be used without verification:
        insecureSkipVerifyTls: true

  • Make gundeck's notificationTTL configurable. The value defines how long
    notifications are (at most) stored in the database. Decreasing this value e.g.
    helps to save database space on test environments. (#3960)

  • charts/nginz: Allow 3000 reqs/min on /conversations/one2one/:user_domain/:user (#3918)

  • Support authenticating to redis (#3971)

Bug fixes and other updates

  • Send connection cancelled event to local pending connection when user gets deleted (#3861)

  • Optional apiProxy attribute added to deeplink.json in nginz chart (#3933)

  • coturn cert-reloader sidecar config: process name should not contain the path (helm chart) (#3916)

  • Prevent conflict on subsequent tries to provision a SCIM user (#3914)

  • Avoid IO Exception when querying

    GET /conversations/{cnv_domain}/{cnv}/groupinfo

    with public group state not set in galley.conversation. (#3939)

  • Return an actual list of other users in a remote MLS 1-to-1 conversation (#3998)

  • charts/background-worker: Fix name of the service monitor (#3913)

  • Fix crash when enqueuing an empty list of notifications and federation is disabled (#PR_NOT_FOUND)

  • Add the request ID to the request's execution environment in gundeck, such that it can be logged. (#3903)

  • The AWS SNS ARN was parsed by accumulating the environment name up to the first
    dash ('-') such that parts of this name spilled over into the app name. Now, we
    accumulate up to the last dash. (#3894)

  • Fix bug where welcome notifications were generated for each client instead of for each user (#3907)

  • Do not deliver MLS one-to-one conversation messages to a user that blocked the sender (#3889, #3906)

  • Optimize getting all feature configs (#4002)

Documentation

  • adds new coding-conventions.md and talks about the decision we made for cs (#4006)

  • Distinguish UTCTime and UTCTimeMillis in swagger (#3899)

  • Patch hole in scim docs regarding wire team role manipulation. (#3897)

Internal changes

  • Create a new script (Sbom.hs) to generate the wire-server sbom (bill of material) file. (#3942)

  • port flaking LH tests to new integration and improve the ergonomics of our testing library (#3876)

  • some small refactorings to make it more clear in code what is happening when registering a scim token and an IdP (#3966)

  • In order for the CRL-proxy to function correctly, it needs to have CORS headers set.
    We are now setting the CORS headers on the ingress level. (#3956)

  • drop cs in all production code and from Imports (#4001)

  • Galley's internal DELETE /i/client/:clientID now early-exits before visiting all conversations if the client is already gone.
    Galley now reports debug logs for every call to Cassandra. (#3985)

  • move formatting and linting of haskell files to treefmt, remove some of the now unneeded rules (#4000)

  • Integration test cases for strangely behaving feature config settings. (#4007)

  • Add ldap-scim-bridge chart to the wire-server release (#3999)

  • Disable integration subchart of wire-server by default (#3682)

  • Provide password as value in elasticsearch-ephemeral. This way we can use
    different passwords on our test systems, ensuring that the password is really
    configurable (and not accidentally hardcoded somewhere). (#3994)

  • Upgraded fluent-bit chart to version 0.46.2
    Added example values for fluent-bit helm chart for output to syslog server (#4012)

  • Ported 2FA tests to the new integration test suite (#3986)

  • To ensure certificate revocations get active in a short time frame, disable
    caching of proxy results on client side by setting respective HTTP headers. (#3952)

  • Ensure that targets of the smallstep nginx proxy are resolved at runtime via the
    configured DNS server. This has two benefits: The target gets adjusted when it's
    changed at the DNS server. And, nginx doesn't fail to start when the target
    doesn't exist yet. (#3947)

  • Use schema-profunctor for user event serialisation and introduce golden tests (#3912)

  • Setup federation-v0 environment for use in integration tests:

    • add federation-v0 domain to test environment
    • provision integration certificates with cert-manager (#3849, #3898)
  • Add assets to output of ejpd-info end-point in stern; also:

    • [brig] now talks to cargohold for profile picture extraction;
    • [integration] migrate ejpd tests;
    • [integration] enhanced shouldMatch shows a diff on failure now;
    • [integration] added shouldMatchLeniently for rule-based canonicalization of arguments (#3875)
  • Bump hsaml2, saml2-web-sso dependencies. (#3995)

  • Remove support for push token transport types APNSVoIP, APNSVoIPSandbox from gundeck. (#3967)

  • Include remote domain in federator error logs (#3919)

  • Remove remaining splinters of wai-routing, wai-predicate from brig. (#3996)

Federation changes

  • The on-conversation-updated notification is now queued instead of being sent directly. A new version of the notification has been introduced with a different JSON format for the body, mostly for testing purposes of the versioning system.

    Since the notification is now sent asynchronously, some error conditions in case of unreachable backends cannot be triggered anymore. (#3831)

  • Versioning of backend to backend notifications. Notifications are now stored in "bundles" containing a serialised payload for each supported version. The background worker then dynamically selects the best version to use and sends only the notification corresponding to that version.
    (#3831)

2024-02-12 (Chart Release 4.41.0)

13 Feb 10:42
cc5f08b

Release notes