Merge branch 'wireapp:develop' into develop

cassandra-schema.cql

@@ -1207,6 +1207,7 @@ CREATE TABLE galley_test.team_features (
     guest_links_status int,
     legalhold_status int,
     limited_event_fanout_status int,
+    migration_state int,
     mls_allowed_ciphersuites set<int>,
     mls_default_ciphersuite int,
     mls_default_protocol int,
@@ -1516,6 +1517,29 @@ CREATE TABLE galley_test.legalhold_service (
     AND read_repair_chance = 0.0
     AND speculative_retry = '99PERCENTILE';
 
+CREATE TABLE galley_test.team_features_dyn (
+    team uuid,
+    feature text,
+    config text,
+    lock_status int,
+    status int,
+    PRIMARY KEY (team, feature)
+) WITH CLUSTERING ORDER BY (feature ASC)
+    AND bloom_filter_fp_chance = 0.1
+    AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'}
+    AND comment = ''
+    AND compaction = {'class': 'org.apache.cassandra.db.compaction.LeveledCompactionStrategy'}
+    AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'}
+    AND crc_check_chance = 1.0
+    AND dclocal_read_repair_chance = 0.1
+    AND default_time_to_live = 0
+    AND gc_grace_seconds = 864000
+    AND max_index_interval = 2048
+    AND memtable_flush_period_in_ms = 0
+    AND min_index_interval = 128
+    AND read_repair_chance = 0.0
+    AND speculative_retry = '99PERCENTILE';
+
 CREATE TABLE galley_test.conversation_codes (
     key ascii,
     scope int,

changelog.d/0-release-notes/simplify-feature-table

@@ -0,0 +1 @@
+This release introduces a new data storage format for team features and a corresponding migration. While the migration is running, team features are going to operate in read-only mode for the team that is currently being migrated. After migration, the new storage is going to be used. No special action should be required on the part of instance operators.

changelog.d/2-features/rate-limit-password-hashing

@@ -0,0 +1 @@
+Rate limit password hashing operations

changelog.d/5-internal/avoid-unnecessary-rehashing-of-passwords

@@ -0,0 +1 @@
+Avoid rehashing Scrypt hashed passwords if the backend config is to keep passwords as Scrypt hashed.

changelog.d/5-internal/simplify-feature-table

@@ -0,0 +1 @@
+Introduce a new feature table in Cassandra: `team_features_dyn`. This table has a fixed number of fields, as opposed to the ever-growing collection of all the fields of all the features that we were using before.

charts/brig/templates/configmap.yaml

@@ -378,6 +378,7 @@ data:
       setOAuthMaxActiveRefreshTokens: {{ .setOAuthMaxActiveRefreshTokens }}
       {{- end }}
       setPasswordHashingOptions: {{ toYaml .setPasswordHashingOptions | nindent 8 }}
+      setPasswordHashingRateLimit: {{ toYaml .setPasswordHashingRateLimit | nindent 8 }}
       {{- if .setAuditLogEmailRecipient }}
       setAuditLogEmailRecipient: {{ .setAuditLogEmailRecipient }}
       {{- end }}

charts/brig/values.yaml

@@ -156,7 +156,22 @@ config:
       # iterations: <iterations>
       # parallelism: <paralellism>
       # memory: <memory used in KiB>
+    setPasswordHashingRateLimit:
+      ipAddrLimit:
+        burst: 5
+        inverseRate: 300000000 # 5 mins, makes it 12 reqs/hour
+      userLimit:
+        burst: 5
+        inverseRate: 60000000 # 1 min, makes it 60 req/hour
+      internalLimit:
+        burst: 10
+        inverseRate: 0 # No rate limiting for internal use
+      ipv4CidrBlock: 32 # Only block individual IP addresses
+      ipv6CidrBlock: 64 # Block /64 range at a time.
+      ipAddressExceptions: []
+      maxRateLimitedKeys: 100000 # Estimated memory usage: 4 MB
     # setAuditLogEmailRecipient: security@wire.com
+
   smtp:
     passwordFile: /etc/wire/brig/secrets/smtp-password.txt
   proxy: {}

charts/galley/templates/configmap.yaml

@@ -100,6 +100,7 @@ data:
       guestLinkTTLSeconds: {{ .settings.guestLinkTTLSeconds }}
       {{- end }}
       passwordHashingOptions: {{ toYaml .settings.passwordHashingOptions | nindent 8 }}
+      passwordHashingRateLimit: {{ toYaml .settings.passwordHashingRateLimit | nindent 8 }}
       featureFlags:
         sso: {{ .settings.featureFlags.sso }}
         legalhold: {{ .settings.featureFlags.legalhold }}

charts/galley/values.yaml

@@ -76,6 +76,20 @@ config:
       # iterations: <iterations>
       # parallelism: <paralellism>
       # memory: <memory used in KiB>
+    passwordHashingRateLimit:
+      ipAddrLimit:
+        burst: 5
+        inverseRate: 300000000 # 5 mins, makes it 12 reqs/hour
+      userLimit:
+        burst: 5
+        inverseRate: 60000000 # 1 min, makes it 60 req/hour
+      internalLimit:
+        burst: 10
+        inverseRate: 0 # No rate limiting for internal use
+      ipv4CidrBlock: 32 # Only block individual IP addresses
+      ipv6CidrBlock: 64 # Block /64 range at a time.
+      ipAddressExceptions: []
+      maxRateLimitedKeys: 100000 # Estimated memory usage: 4 MB
 
     # To disable proteus for new federated conversations:
     # federationProtocols: ["mls"]

docs/src/developer/reference/config-options.md

@@ -772,6 +772,60 @@ however the users will still be able to use them to login.
 **NOTE** It is highly recommended to move to argon2id as it will be made the
   only available choice for the `algorithm` config option in future.
 
+Due to the performance implications, password hashing has to be rate limited
+more than other operations. To allow this, the rate limiting happens at a deeper
+level than nginx. It can be configured using these options:
+
+```yaml
+brig:
+  optSettings:
+    setPasswordHashingRateLimit:
+      ipAddrLimit:
+        burst: 5
+        inverseRate: 300000000 # 5 mins, makes it 12 reqs/hour
+      userLimit:
+        burst: 5
+        inverseRate: 60000000 # 1 min, makes it 60 req/hour
+      internalLimit:
+        burst: 10
+        inverseRate: 0 # No rate limiting for internal use
+      ipv4CidrBlock: 32 # Only block individual IP addresses
+      ipv6CidrBlock: 64 # Block /64 range at a time.
+      ipAddressExceptions: []
+      maxRateLimitedKeys: 100000 # Estimated memory usage: 4 MB
+galley:
+  settings:
+    passwordHashingRateLimit:
+      ipAddrLimit:
+        burst: 5
+        inverseRate: 300000000 # 5 mins, makes it 12 reqs/hour
+      userLimit:
+        burst: 5
+        inverseRate: 60000000 # 1 min, makes it 60 req/hour
+      internalLimit:
+        burst: 10
+        inverseRate: 0 # No rate limiting for internal use
+      ipv4CidrBlock: 32 # Only block individual IP addresses
+      ipv6CidrBlock: 64 # Block /64 range at a time.
+      ipAddressExceptions: []
+      maxRateLimitedKeys: 100000 # Estimated memory usage: 4 MB
+```
+
+The above are the default values.
+
+The rate limiting happens using the [Token Bucket
+Algorithm](https://en.wikipedia.org/wiki/Token_bucket). The parameters can be
+separately configured for:
+1. IP Addresses to be used in case of unauthenticated requests using
+   `ipAddrLimit`.
+2. Users and providers using `userLimit`.
+3. Internal usages (like calls from backoffice) using `internalLimit`.
+
+The `ipAddressExceptions` have to be CIDR blocks which can be specified like
+`"127.0.0.0/8"` to allow any IP address from `127.0.0.0` to `127.255.255.255` to
+by pass the rate limits. To limit one particular IP address, it can be specified
+as `127.0.0.1/32`.
+
 #### Disabling API versions
 
 It is possible to disable one ore more API versions. When an API version is disabled it won't be advertised on the `GET /api-version` endpoint, neither in the `supported`, nor in the `development` section. Requests made to any endpoint of a disabled API version will result in the same error response as a request made to an API version that does not exist.

hack/helm_vars/wire-server/values.yaml.gotmpl

@@ -135,13 +135,18 @@ brig:
       setOAuthEnabled: true
       setOAuthRefreshTokenExpirationTimeSecs: 14515200 # 24 weeks
       setOAuthMaxActiveRefreshTokens: 10
+
       # These values are insecure, against anyone getting hold of the hash,
       # but its not a concern for the integration tests.
       setPasswordHashingOptions:
         algorithm: argon2id
         iterations: 1
         parallelism: 4
         memory: 32 # This needs to be at least 8 * parallelism.
+      setPasswordHashingRateLimit:
+        ipAddressExceptions:
+        - 127.0.0.1/8
+
     aws:
       sesEndpoint: http://fake-aws-ses:4569
       sqsEndpoint: http://fake-aws-sqs:4568
@@ -292,6 +297,9 @@ galley:
         iterations: 1
         parallelism: 4
         memory: 32 # This needs to be at least 8 * parallelism.
+      passwordHashingRateLimit:
+        ipAddressExceptions:
+        - 127.0.0.1/8
 
       featureFlags:
         sso: disabled-by-default  # this needs to be the default; tests can enable it when needed.

integration/integration.cabal

@@ -108,6 +108,7 @@ library
     Test.AccessUpdate
     Test.AssetDownload
     Test.AssetUpload
+    Test.Auth
     Test.B2B
     Test.Bot
     Test.Brig