Add alias to GET /conversations/{cnv} endpoint for LH devices (#2682)

wireapp · Sep 9, 2022 · e5ea9bd · e5ea9bd
1 parent 40f8184
commit e5ea9bd
Show file tree

Hide file tree

Showing 7 changed files with 32 additions and 2 deletions.
diff --git a/charts/nginz/static/conf/zauth.acl b/charts/nginz/static/conf/zauth.acl
@@ -14,4 +14,5 @@ p (whitelist (path "/provider")
 la (whitelist (path "/notifications")
               (path "/assets/v3/**")
               (path "/users")
-              (path "/users/**"))
+              (path "/users/**")
+              (path "/legalhold/conversations/*"))
diff --git a/charts/nginz/values.yaml b/charts/nginz/values.yaml
@@ -397,6 +397,9 @@ nginx_conf:
       envs:
       - all
       doc: true
+    - path: /legalhold/conversations/(.*)
+      envs:
+      - all
     - path: /teams$
       envs:
       - all

diff --git a/deploy/services-demo/conf/nginz/nginx.conf b/deploy/services-demo/conf/nginz/nginx.conf
@@ -325,6 +325,10 @@ http {
       proxy_pass http://galley;
     }
 
+    location ~* /legalhold/conversations/(.*) {
+      include common_response_with_zauth.conf;
+      proxy_pass http://galley;
+    }
 
     location /conversations {
       include common_response_with_zauth.conf;

diff --git a/deploy/services-demo/conf/nginz/zauth_acl.txt b/deploy/services-demo/conf/nginz/zauth_acl.txt
@@ -14,4 +14,5 @@ p (whitelist (path "/provider")
 la (whitelist (path "/notifications")
               (path "/assets/v3/**")
               (path "/users")
-              (path "/users/**"))
+              (path "/users/**")
+              (path "/legalhold/conversations/*"))
diff --git a/libs/wire-api/src/Wire/API/Routes/Public/Galley.hs b/libs/wire-api/src/Wire/API/Routes/Public/Galley.hs
@@ -185,6 +185,18 @@ type ConversationAPI =
         :> Capture "cnv" ConvId
         :> Get '[Servant.JSON] Conversation
     )
+    :<|> Named
+           "get-unqualified-conversation-legalhold-alias"
+           -- This alias exists, so that it can be uniquely selected in zauth.acl
+           ( Summary "Get a conversation by ID (Legalhold alias)"
+               :> CanThrow 'ConvNotFound
+               :> CanThrow 'ConvAccessDenied
+               :> ZLocalUser
+               :> "legalhold"
+               :> "conversations"
+               :> Capture "cnv" ConvId
+               :> Get '[Servant.JSON] Conversation
+           )
     :<|> Named
            "get-conversation"
            ( Summary "Get a conversation by ID"

diff --git a/services/brig/test/integration/API/User/Auth.hs b/services/brig/test/integration/API/User/Auth.hs
@@ -46,6 +46,7 @@ import Data.Handle (Handle (Handle))
 import Data.Id
 import Data.Misc (PlainTextPassword (..))
 import Data.Proxy
+import Data.Qualified (Qualified (qUnqualified))
 import Data.Range (unsafeRange)
 import qualified Data.Text as Text
 import Data.Text.Ascii (AsciiChars (validate))
@@ -62,6 +63,7 @@ import Test.Tasty.HUnit
 import qualified Test.Tasty.HUnit as HUnit
 import UnliftIO.Async hiding (wait)
 import Util
+import Wire.API.Conversation (Conversation (..))
 import qualified Wire.API.Team.Feature as Public
 import Wire.API.User
 import qualified Wire.API.User as Public
@@ -226,6 +228,10 @@ testNginzLegalHold b g n = do
         cUsr = decodeCookie rsUsr
     pure (c, t)
 
+  qconv <-
+    fmap cnvQualifiedId . responseJsonError
+      =<< createConversation g (userId alice) [] <!! const 201 === statusCode
+
   -- ensure nginz allows passing legalhold cookies / tokens through to /access
   post (n . path "/access" . cookie c . header "Authorization" ("Bearer " <> toByteString' t)) !!! do
     const 200 === statusCode
@@ -235,6 +241,8 @@ testNginzLegalHold b g n = do
   -- ensure legal hold tokens can fetch notifications
   get (n . path "/notifications" . header "Authorization" ("Bearer " <> toByteString' t)) !!! const 200 === statusCode
 
+  get (n . paths ["legalhold", "conversations", toByteString' (qUnqualified qconv)] . header "Authorization" ("Bearer " <> toByteString' t)) !!! const 200 === statusCode
+
 -- | Corner case for 'testNginz': when upgrading a wire backend from the old behavior (setting
 -- cookie domain to eg. @*.wire.com@) to the new behavior (leaving cookie domain empty,
 -- effectively setting it to the backend host), clients may start sending two cookies for a

diff --git a/services/galley/src/Galley/API/Public/Servant.hs b/services/galley/src/Galley/API/Public/Servant.hs
@@ -47,6 +47,7 @@ servantSitemap =
   where
     conversations =
       mkNamedAPI @"get-unqualified-conversation" getUnqualifiedConversation
+        <@> mkNamedAPI @"get-unqualified-conversation-legalhold-alias" getUnqualifiedConversation
         <@> mkNamedAPI @"get-conversation" getConversation
         <@> mkNamedAPI @"get-conversation-roles" getConversationRoles
         <@> mkNamedAPI @"list-conversation-ids-unqualified" conversationIdsPageFromUnqualified