MLS flag in brig (#2913)

* Introduce option to enable MLS on brig

* Add utilities for asserting that MLS is enabled

* Fail on MLS endpoint if MLS is not enabled

* Enable MLS in helm_vars

* Update install docs

* Add CHANGELOG entry

changelog.d/1-api-changes/mls-flag-galley

@@ -0,0 +1 @@
+Introduce a flag in brig to enable MLS explicitly. When this flag is set to false or absent, MLS functionality is completely disabled and all MLS endpoints fail immediately.

charts/brig/templates/configmap.yaml

@@ -296,5 +296,8 @@ data:
       {{- if $.Values.secrets.dpopSigKeyBundle }}
       setPublicKeyBundle: /etc/wire/brig/secrets/dpop_sig_key_bundle.pem
       {{- end }}
+      {{- if .setEnableMLS }}
+      setEnableMLS: {{ .setEnableMLS }}
+      {{- end }}
     {{- end }}
   {{- end }}

docs/src/developer/reference/config-options.md

@@ -562,6 +562,10 @@ optSettings:
 
 ### MLS settings
 
+#### `setEnableMLS`
+
+This option determines whether MLS is supported on this backend. When set to false (or absent), MLS endpoints will fail without performing any action.
+
 #### `setKeyPackageMaximumLifetime`
 
 This option specifies the maximum accepted lifetime of a key package from the moment it is uploaded, in seconds. For example, when brig is configured as follows:

docs/src/how-to/install/mls.md

@@ -36,7 +36,18 @@ This is a sensitive configuration value. Consider using Helm/Helmfile's support
 for managing secrets instead of putting this value in plaintext in a
 `values.yaml` file.
 
-Additionally, the web applications need to be made aware of *MLS*. This is done by
+Next, MLS needs to be explictly enabled in brig. This can be configured at
+`brig.config.optSettings.setEnableMLS`, for example:
+
+```yaml
+# values.yaml
+brig:
+  config:
+    optSettings:
+      enableMLS: true
+```
+
+Finally, the web applications need to be made aware of *MLS*. This is done by
 setting the following environment variable for the web application:
 
 ```yaml

hack/helm_vars/wire-server/values.yaml.gotmpl

@@ -85,6 +85,7 @@ brig:
       setNonceTtlSecs: 300
       setDpopMaxSkewSecs: 1
       setDpopTokenExpirationTimeSecs: 300
+      setEnableMLS: true
     aws:
       sesEndpoint: http://fake-aws-ses:4569
       sqsEndpoint: http://fake-aws-sqs:4568

libs/wire-api/src/Wire/API/Error/Brig.hs

@@ -51,6 +51,7 @@ data BrigError
   | InvalidActivationCodeWrongUser
   | InvalidActivationCodeWrongCode
   | TooManyTeamMembers
+  | MLSNotEnabled
   | MLSIdentityMismatch
   | MLSProtocolError
   | MLSDuplicatePublicKey
@@ -156,6 +157,13 @@ type instance MapError 'InvalidActivationCodeWrongCode = 'StaticError 404 "inval
 
 type instance MapError 'TooManyTeamMembers = 'StaticError 403 "too-many-team-members" "Too many members in this team."
 
+type instance
+  MapError 'MLSNotEnabled =
+    'StaticError
+      400
+      "mls-not-enabled"
+      "MLS is not configured on this backend. See docs.wire.com for instructions on how to enable it"
+
 type instance
   MapError 'MLSIdentityMismatch =
     'StaticError

services/brig/brig.cabal

@@ -29,6 +29,7 @@ library
     Brig.API.Internal
     Brig.API.MLS.KeyPackages
     Brig.API.MLS.KeyPackages.Validation
+    Brig.API.MLS.Util
     Brig.API.Properties
     Brig.API.Public
     Brig.API.Public.Swagger

services/brig/brig.integration.yaml

@@ -192,6 +192,7 @@ optSettings:
   setDpopMaxSkewSecs: 1
   setDpopTokenExpirationTimeSecs: 300 # 5 minutes
   setPublicKeyBundle: test/resources/jwt/ed25519_bundle.pem
+  setEnableMLS: true
 
 logLevel: Warn
 # ^ NOTE: We log too much in brig, if we set this to Info like other services, running tests

services/brig/src/Brig/API/Error.hs

@@ -210,6 +210,7 @@ clientDataError MalformedPrekeys = StdError (errorToWai @'E.MalformedPrekeys)
 clientDataError MLSPublicKeyDuplicate = StdError (errorToWai @'E.MLSDuplicatePublicKey)
 clientDataError KeyPackageDecodingError = StdError (errorToWai @'E.KeyPackageDecodingError)
 clientDataError InvalidKeyPackageRef = StdError (errorToWai @'E.InvalidKeyPackageRef)
+clientDataError MLSNotEnabled = StdError (errorToWai @'E.MLSNotEnabled)
 
 deleteUserError :: DeleteUserError -> Error
 deleteUserError DeleteUserInvalid = StdError (errorToWai @'E.InvalidUser)

services/brig/src/Brig/API/MLS/KeyPackages.hs

@@ -26,6 +26,7 @@ where
 import Brig.API.Error
 import Brig.API.Handler
 import Brig.API.MLS.KeyPackages.Validation
+import Brig.API.MLS.Util
 import Brig.API.Types
 import Brig.App
 import qualified Brig.Data.Client as Data
@@ -48,6 +49,7 @@ import Wire.API.User.Client
 
 uploadKeyPackages :: Local UserId -> ClientId -> KeyPackageUpload -> Handler r ()
 uploadKeyPackages lusr cid (kpuKeyPackages -> kps) = do
+  assertMLSEnabled
   let identity = mkClientIdentity (tUntagged lusr) cid
   kps' <- traverse (validateKeyPackage identity) kps
   lift . wrapClient $ Data.insertKeyPackages (tUnqualified lusr) cid kps'
@@ -57,7 +59,8 @@ claimKeyPackages ::
   Qualified UserId ->
   Maybe ClientId ->
   Handler r KeyPackageBundle
-claimKeyPackages lusr target skipOwn =
+claimKeyPackages lusr target skipOwn = do
+  assertMLSEnabled
   foldQualified
     lusr
     (withExceptT clientError . claimLocalKeyPackages (tUntagged lusr) skipOwn)
@@ -131,7 +134,8 @@ claimRemoteKeyPackages lusr target = do
     handleFailure = maybe (throwE (ClientUserNotFound (tUnqualified target))) pure
 
 countKeyPackages :: Local UserId -> ClientId -> Handler r KeyPackageCount
-countKeyPackages lusr c =
+countKeyPackages lusr c = do
+  assertMLSEnabled
   lift $
     KeyPackageCount . fromIntegral
       <$> wrapClient (Data.countKeyPackages lusr c)

services/brig/src/Brig/API/MLS/Util.hs

@@ -0,0 +1,35 @@
+-- This file is part of the Wire Server implementation.
+--
+-- Copyright (C) 2022 Wire Swiss GmbH <opensource@wire.com>
+--
+-- This program is free software: you can redistribute it and/or modify it under
+-- the terms of the GNU Affero General Public License as published by the Free
+-- Software Foundation, either version 3 of the License, or (at your option) any
+-- later version.
+--
+-- This program is distributed in the hope that it will be useful, but WITHOUT
+-- ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+-- FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+-- details.
+--
+-- You should have received a copy of the GNU Affero General Public License along
+-- with this program. If not, see <https://www.gnu.org/licenses/>.
+
+module Brig.API.MLS.Util where
+
+import Brig.API.Error
+import Brig.API.Handler
+import Brig.App
+import Brig.Data.Client
+import Brig.Options
+import Control.Error
+import Control.Lens (view)
+import Imports
+
+isMLSEnabled :: Handler r Bool
+isMLSEnabled = fromMaybe False . setEnableMLS <$> view settings
+
+assertMLSEnabled :: Handler r ()
+assertMLSEnabled =
+  unlessM isMLSEnabled $
+    throwE (clientDataError MLSNotEnabled)

services/brig/src/Brig/Data/Client.hs

@@ -97,6 +97,7 @@ data ClientDataError
   | ClientMissingAuth
   | MalformedPrekeys
   | MLSPublicKeyDuplicate
+  | MLSNotEnabled
   | KeyPackageDecodingError
   | InvalidKeyPackageRef
 

services/brig/src/Brig/Options.hs

@@ -585,6 +585,7 @@ data Settings = Settings
     -- field. The default setting is to exclude and omit the field from the
     -- response.
     setSftListAllServers :: Maybe ListAllSFTServers,
+    setEnableMLS :: Maybe Bool,
     setKeyPackageMaximumLifetime :: Maybe NominalDiffTime,
     -- | When set, development API versions are advertised to clients.
     setEnableDevelopmentVersions :: Maybe Bool,