Merge branch 'develop' into fix/license

.changeset/gold-flowers-shake.md

@@ -0,0 +1,6 @@
+---
+'@rocket.chat/i18n': minor
+'@rocket.chat/meteor': minor
+---
+
+Added E2EE room setup header, with just limited functionality and room actions.

.changeset/grumpy-games-greet.md

@@ -0,0 +1,4 @@
+---
+'@rocket.chat/meteor': patch
+---
+Changed streaming logic to prevent hidden system messages from being broadcasted through `stream-room-messages`.

.changeset/nervous-wolves-collect.md

@@ -0,0 +1,5 @@
+---
+'@rocket.chat/meteor': patch
+---
+
+Fixes the issue not allowing users without edit-room-retention-policy permission try to edit the room with the retention policy enabled

.changeset/tame-weeks-shout.md

@@ -0,0 +1,41 @@
+---
+'@rocket.chat/omnichannel-services': minor
+'rocketchat-services': minor
+'@rocket.chat/omnichannel-transcript': minor
+'@rocket.chat/authorization-service': minor
+'@rocket.chat/web-ui-registration': minor
+'@rocket.chat/stream-hub-service': minor
+'@rocket.chat/uikit-playground': minor
+'@rocket.chat/presence-service': minor
+'@rocket.chat/fuselage-ui-kit': minor
+'@rocket.chat/instance-status': minor
+'@rocket.chat/account-service': minor
+'@rocket.chat/mock-providers': minor
+'@rocket.chat/api-client': minor
+'@rocket.chat/ddp-client': minor
+'@rocket.chat/pdf-worker': minor
+'@rocket.chat/ui-theming': minor
+'@rocket.chat/core-services': minor
+'@rocket.chat/model-typings': minor
+'@rocket.chat/ui-video-conf': minor
+'@rocket.chat/core-typings': minor
+'@rocket.chat/rest-typings': minor
+'@rocket.chat/ddp-streamer': minor
+'@rocket.chat/queue-worker': minor
+'@rocket.chat/presence': minor
+'@rocket.chat/ui-composer': minor
+'@rocket.chat/ui-contexts': minor
+'@rocket.chat/license': minor
+'@rocket.chat/gazzodown': minor
+'@rocket.chat/ui-avatar': minor
+'@rocket.chat/ui-client': minor
+'@rocket.chat/livechat': minor
+'@rocket.chat/models': minor
+'@rocket.chat/ui-kit': minor
+'@rocket.chat/apps': minor
+'@rocket.chat/cron': minor
+'@rocket.chat/i18n': minor
+'@rocket.chat/meteor': minor
+---
+
+New runtime for apps in the Apps-Engine based on the Deno platform

.github/actions/setup-node/action.yml

@@ -10,6 +10,10 @@ inputs:
   install:
     required: false
     type: boolean
+  deno-dir:
+    required: false
+    type: string
+    default: ~/.deno-cache
 
 outputs:
   node-version:
@@ -19,13 +23,17 @@ runs:
   using: composite
 
   steps:
+    - run: echo 'DENO_DIR=${{ inputs.deno-dir }}' >> $GITHUB_ENV
+      shell: bash
+
     - name: Cache Node Modules
       if: inputs.cache-modules
       id: cache-node-modules
       uses: actions/cache@v3
       with:
         path: |
           node_modules
+          ${{ env.DENO_DIR }}
           apps/meteor/node_modules
           apps/meteor/ee/server/services/node_modules
         key: node-modules-${{ hashFiles('yarn.lock') }}

apps/meteor/.docker/Dockerfile

@@ -13,12 +13,24 @@ RUN groupadd -g 65533 -r rocketchat \
 # --chown requires Docker 17.12 and works only on Linux
 ADD --chown=rocketchat:rocketchat . /app
 
+# needs a mongoinstance - defaults to container linking with alias 'mongo'
+ENV DEPLOY_METHOD=docker \
+    NODE_ENV=production \
+    MONGO_URL=mongodb://mongo:27017/rocketchat \
+    HOME=/tmp \
+    PORT=3000 \
+    ROOT_URL=http://localhost:3000 \
+    Accounts_AvatarStorePath=/app/uploads \
+    DENO_DIR=/usr/share/deno
+
 RUN aptMark="$(apt-mark showmanual)" \
     && apt-get install -y --no-install-recommends g++ make python3 ca-certificates \
     && cd /app/bundle/programs/server \
     && npm install \
-	&& cd npm/node_modules/isolated-vm \
-	&& npm install \
+    && cd npm/node_modules/isolated-vm \
+    && npm install \
+    && cd /app/bundle/programs/server/npm/node_modules/@rocket.chat/apps-engine/deno-runtime \
+    && ../../../deno-bin/bin/deno cache main.ts \
     && apt-mark auto '.*' > /dev/null \
     && apt-mark manual $aptMark > /dev/null \
     && find /usr/local -type f -executable -exec ldd '{}' ';' \
@@ -37,15 +49,6 @@ VOLUME /app/uploads
 
 WORKDIR /app/bundle
 
-# needs a mongoinstance - defaults to container linking with alias 'mongo'
-ENV DEPLOY_METHOD=docker \
-    NODE_ENV=production \
-    MONGO_URL=mongodb://mongo:27017/rocketchat \
-    HOME=/tmp \
-    PORT=3000 \
-    ROOT_URL=http://localhost:3000 \
-    Accounts_AvatarStorePath=/app/uploads
-
 EXPOSE 3000
 
 CMD ["node", "main.js"]

apps/meteor/.docker/Dockerfile.alpine

@@ -1,13 +1,68 @@
 FROM node:14.21.3-alpine3.16
 
-RUN apk add --no-cache ttf-dejavu
+ENV LANG=C.UTF-8
+
+# Installing glibc deps required by Deno
+# This replaces libc6-compat
+# Copied from https://github.com/Docker-Hub-frolvlad/docker-alpine-glibc, which denoland/deno:alpine-1.37.1 uses
+# NOTE: Glibc 2.35 package is broken: https://github.com/sgerrand/alpine-pkg-glibc/issues/176, so we stick to 2.34 for now
+RUN ALPINE_GLIBC_BASE_URL="https://github.com/sgerrand/alpine-pkg-glibc/releases/download" && \
+    ALPINE_GLIBC_PACKAGE_VERSION="2.34-r0" && \
+    ALPINE_GLIBC_BASE_PACKAGE_FILENAME="glibc-$ALPINE_GLIBC_PACKAGE_VERSION.apk" && \
+    ALPINE_GLIBC_BIN_PACKAGE_FILENAME="glibc-bin-$ALPINE_GLIBC_PACKAGE_VERSION.apk" && \
+    ALPINE_GLIBC_I18N_PACKAGE_FILENAME="glibc-i18n-$ALPINE_GLIBC_PACKAGE_VERSION.apk" && \
+    apk add --no-cache --virtual=.build-dependencies wget ca-certificates && \
+    echo \
+        "-----BEGIN PUBLIC KEY-----\
+        MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApZ2u1KJKUu/fW4A25y9m\
+        y70AGEa/J3Wi5ibNVGNn1gT1r0VfgeWd0pUybS4UmcHdiNzxJPgoWQhV2SSW1JYu\
+        tOqKZF5QSN6X937PTUpNBjUvLtTQ1ve1fp39uf/lEXPpFpOPL88LKnDBgbh7wkCp\
+        m2KzLVGChf83MS0ShL6G9EQIAUxLm99VpgRjwqTQ/KfzGtpke1wqws4au0Ab4qPY\
+        KXvMLSPLUp7cfulWvhmZSegr5AdhNw5KNizPqCJT8ZrGvgHypXyiFvvAH5YRtSsc\
+        Zvo9GI2e2MaZyo9/lvb+LbLEJZKEQckqRj4P26gmASrZEPStwc+yqy1ShHLA0j6m\
+        1QIDAQAB\
+        -----END PUBLIC KEY-----" | sed 's/   */\n/g' > "/etc/apk/keys/sgerrand.rsa.pub" && \
+    wget \
+        "$ALPINE_GLIBC_BASE_URL/$ALPINE_GLIBC_PACKAGE_VERSION/$ALPINE_GLIBC_BASE_PACKAGE_FILENAME" \
+        "$ALPINE_GLIBC_BASE_URL/$ALPINE_GLIBC_PACKAGE_VERSION/$ALPINE_GLIBC_BIN_PACKAGE_FILENAME" \
+        "$ALPINE_GLIBC_BASE_URL/$ALPINE_GLIBC_PACKAGE_VERSION/$ALPINE_GLIBC_I18N_PACKAGE_FILENAME" && \
+    mv /etc/nsswitch.conf /etc/nsswitch.conf.bak && \
+    apk add --no-cache --force-overwrite \
+        "$ALPINE_GLIBC_BASE_PACKAGE_FILENAME" \
+        "$ALPINE_GLIBC_BIN_PACKAGE_FILENAME" \
+        "$ALPINE_GLIBC_I18N_PACKAGE_FILENAME" && \
+    \
+    mv /etc/nsswitch.conf.bak /etc/nsswitch.conf && \
+    rm "/etc/apk/keys/sgerrand.rsa.pub" && \
+    (/usr/glibc-compat/bin/localedef --force --inputfile POSIX --charmap UTF-8 "$LANG" || true) && \
+    echo "export LANG=$LANG" > /etc/profile.d/locale.sh && \
+    \
+    apk del glibc-i18n && \
+    \
+    rm "/root/.wget-hsts" && \
+    apk del .build-dependencies && \
+    rm \
+        "$ALPINE_GLIBC_BASE_PACKAGE_FILENAME" \
+        "$ALPINE_GLIBC_BIN_PACKAGE_FILENAME" \
+        "$ALPINE_GLIBC_I18N_PACKAGE_FILENAME" && \
+    apk add --no-cache ttf-dejavu
 
 ADD . /app
 
 LABEL maintainer="[email protected]"
 
+# needs a mongo instance - defaults to container linking with alias 'mongo'
+ENV DEPLOY_METHOD=docker \
+    NODE_ENV=production \
+    MONGO_URL=mongodb://mongo:27017/rocketchat \
+    HOME=/tmp \
+    PORT=3000 \
+    ROOT_URL=http://localhost:3000 \
+    Accounts_AvatarStorePath=/app/uploads \
+    DENO_DIR=/usr/share/deno
+
 RUN set -x \
-    && apk add --no-cache --virtual .fetch-deps python3 make g++ libc6-compat \
+    && apk add --no-cache --virtual .fetch-deps python3 make g++ \
     && cd /app/bundle/programs/server \
     && npm install --production \
     # Start hack for sharp...
@@ -20,20 +75,14 @@ RUN set -x \
     && npm install [email protected] \
     && mv node_modules/isolated-vm npm/node_modules/isolated-vm \
     # End hack for isolated-vm
-    && cd npm \
+    # Cache Deno dependencies for Apps-Engine
+    && cd npm/node_modules/@rocket.chat/apps-engine/deno-runtime \
+    && /app/bundle/programs/server/npm/node_modules/deno-bin/bin/deno cache main.ts \
+    && cd /app/bundle/programs/server/npm \
     && npm rebuild bcrypt --build-from-source \
     && npm cache clear --force \
     && apk del .fetch-deps
 
-# needs a mongo instance - defaults to container linking with alias 'mongo'
-ENV DEPLOY_METHOD=docker \
-    NODE_ENV=production \
-    MONGO_URL=mongodb://mongo:27017/rocketchat \
-    HOME=/tmp \
-    PORT=3000 \
-    ROOT_URL=http://localhost:3000 \
-    Accounts_AvatarStorePath=/app/uploads
-
 VOLUME /app/uploads
 
 WORKDIR /app/bundle

apps/meteor/app/apps/server/bridges/commands.ts

@@ -111,8 +111,8 @@ export class AppCommandsBridge extends CommandBridge {
 			permission: command.permission,
 			callback: this._appCommandExecutor.bind(this),
 			providesPreview: command.providesPreview,
-			previewer: !command.previewer ? undefined : this._appCommandPreviewer.bind(this),
-			previewCallback: (!command.executePreviewItem ? undefined : this._appCommandPreviewExecutor.bind(this)) as
+			previewer: command.providesPreview ? this._appCommandPreviewer.bind(this) : undefined,
+			previewCallback: (command.providesPreview ? this._appCommandPreviewExecutor.bind(this) : undefined) as
 				| (typeof slashCommands.commands)[string]['previewCallback']
 				| undefined,
 		} as SlashCommand;
@@ -155,10 +155,6 @@ export class AppCommandsBridge extends CommandBridge {
 		if (typeof command.providesPreview !== 'boolean') {
 			throw new Error('Invalid Slash Command parameter provided, it must be a valid ISlashCommand object.');
 		}
-
-		if (typeof command.executor !== 'function') {
-			throw new Error('Invalid Slash Command parameter provided, it must be a valid ISlashCommand object.');
-		}
 	}
 
 	private async _appCommandExecutor({ command, message, params, triggerId, userId }: SlashCommandCallbackParams<string>): Promise<void> {

apps/meteor/app/apps/server/bridges/http.ts

@@ -72,55 +72,51 @@ export class AppHttpBridge extends HttpBridge {
 
 		this.orch.debugLog(`The App ${info.appId} is requesting from the outter webs:`, info);
 
-		try {
-			const response = await fetch(
-				url.href,
-				{
-					method,
-					body: content,
-					headers,
-					timeout,
-				},
-				(request.hasOwnProperty('strictSSL') && !request.strictSSL) ||
-					(request.hasOwnProperty('rejectUnauthorized') && request.rejectUnauthorized),
-			);
-
-			const result: IHttpResponse = {
-				url: info.url,
-				method: info.method,
-				statusCode: response.status,
-				headers: Object.fromEntries(response.headers as unknown as any),
-			};
-
-			const body = Buffer.from(await response.arrayBuffer());
-
-			if (request.encoding === null) {
-				/**
-				 * The property `content` is not appropriately typed in the
-				 * Apps-engine definition, and we can't simply change it there
-				 * as it would be a breaking change. Thus, we're left with this
-				 * type assertion.
-				 */
-				result.content = body as any;
-			} else {
-				result.content = body.toString(request.encoding as BufferEncoding);
-				result.data = ((): any => {
-					const contentType = (response.headers.get('content-type') || '').split(';')[0];
-					if (!['application/json', 'text/javascript', 'application/javascript', 'application/x-javascript'].includes(contentType)) {
-						return null;
-					}
-
-					try {
-						return JSON.parse(result.content);
-					} catch {
-						return null;
-					}
-				})();
-			}
-
-			return result;
-		} catch (e: any) {
-			return e.response;
+		const response = await fetch(
+			url.href,
+			{
+				method,
+				body: content,
+				headers,
+				timeout,
+			},
+			(request.hasOwnProperty('strictSSL') && !request.strictSSL) ||
+				(request.hasOwnProperty('rejectUnauthorized') && request.rejectUnauthorized),
+		);
+
+		const result: IHttpResponse = {
+			url: info.url,
+			method: info.method,
+			statusCode: response.status,
+			headers: Object.fromEntries(response.headers as unknown as any),
+		};
+
+		const body = Buffer.from(await response.arrayBuffer());
+
+		if (request.encoding === null) {
+			/**
+			 * The property `content` is not appropriately typed in the
+			 * Apps-engine definition, and we can't simply change it there
+			 * as it would be a breaking change. Thus, we're left with this
+			 * type assertion.
+			 */
+			result.content = body as any;
+		} else {
+			result.content = body.toString(request.encoding as BufferEncoding);
+			result.data = ((): any => {
+				const contentType = (response.headers.get('content-type') || '').split(';')[0];
+				if (!['application/json', 'text/javascript', 'application/javascript', 'application/x-javascript'].includes(contentType)) {
+					return null;
+				}
+
+				try {
+					return JSON.parse(result.content);
+				} catch {
+					return null;
+				}
+			})();
 		}
+
+		return result;
 	}
 }

apps/meteor/app/lib/server/functions/loadMessageHistory.ts

@@ -1,7 +1,8 @@
-import type { IMessage } from '@rocket.chat/core-typings';
+import type { IMessage, MessageTypesValues } from '@rocket.chat/core-typings';
 import { Messages, Rooms } from '@rocket.chat/models';
 import type { FindOptions } from 'mongodb';
 
+import { settings } from '../../../settings/server/cached';
 import { normalizeMessagesForUser } from '../../../utils/server/lib/normalizeMessagesForUser';
 import { getHiddenSystemMessages } from '../lib/getHiddenSystemMessages';
 
@@ -29,7 +30,9 @@ export async function loadMessageHistory({
 		throw new Error('error-invalid-room');
 	}
 
-	const hiddenMessageTypes = getHiddenSystemMessages(room);
+	const hiddenSystemMessages = settings.get<MessageTypesValues[]>('Hide_System_Messages');
+
+	const hiddenMessageTypes = getHiddenSystemMessages(room, hiddenSystemMessages);
 
 	const options: FindOptions<IMessage> = {
 		sort: {