Merge branch 'develop' into fix/missing-customfields-on-upload-api

.changeset/eleven-news-stare.md

@@ -0,0 +1,5 @@
+---
+"@rocket.chat/meteor": patch
+---
+
+Fixed issue with login via SAML not redirecting to invite link

.changeset/great-moles-rest.md

@@ -0,0 +1,5 @@
+---
+'@rocket.chat/meteor': minor
+---
+
+Encrypt file descriptions in E2EE rooms

.changeset/nervous-elephants-jam.md

@@ -0,0 +1,7 @@
+---
+'@rocket.chat/model-typings': minor
+'@rocket.chat/i18n': minor
+'@rocket.chat/meteor': minor
+---
+
+Added a new setting to automatically disable users from LDAP that can no longer be found by the background sync

.changeset/strange-comics-camp.md

@@ -0,0 +1,5 @@
+---
+"@rocket.chat/meteor": patch
+---
+
+Fixed an issue where an endpoint was called before checking configuration that enables automatic translation when launching the application

apps/meteor/.meteorMocks/index.ts

@@ -0,0 +1,5 @@
+import sinon from 'sinon';
+
+export const Meteor = {
+	loginWithSamlToken: sinon.stub(),
+};

apps/meteor/app/api/server/api.helpers.ts

@@ -1,6 +1,7 @@
 import type { IUser } from '@rocket.chat/core-typings';
 
 import { hasAllPermissionAsync, hasAtLeastOnePermissionAsync } from '../../authorization/server/functions/hasPermission';
+import { apiDeprecationLogger } from '../../lib/server/lib/deprecationWarningLogger';
 
 type RequestMethod = 'GET' | 'POST' | 'PUT' | 'DELETE' | '*';
 export type PermissionsPayload = {
@@ -101,3 +102,8 @@ export function checkPermissions(options: { permissionsRequired?: PermissionsReq
 	// If reached here, options.permissionsRequired contained an invalid payload
 	return false;
 }
+
+export function parseDeprecation(methodThis: any, { alternatives, version }: { version: string; alternatives?: string[] }): void {
+	const infoMessage = alternatives?.length ? ` Please use the alternative(s): ${alternatives.join(',')}` : '';
+	apiDeprecationLogger.endpoint(methodThis.request.route, version, methodThis.response, infoMessage);
+}

apps/meteor/app/api/server/api.ts

@@ -17,12 +17,11 @@ import { isObject } from '../../../lib/utils/isObject';
 import { getRestPayload } from '../../../server/lib/logger/logPayloads';
 import { checkCodeForUser } from '../../2fa/server/code';
 import { hasPermissionAsync } from '../../authorization/server/functions/hasPermission';
-import { apiDeprecationLogger } from '../../lib/server/lib/deprecationWarningLogger';
 import { metrics } from '../../metrics/server';
 import { settings } from '../../settings/server';
 import { getDefaultUserFields } from '../../utils/server/functions/getDefaultUserFields';
 import type { PermissionsPayload } from './api.helpers';
-import { checkPermissionsForInvocation, checkPermissions } from './api.helpers';
+import { checkPermissionsForInvocation, checkPermissions, parseDeprecation } from './api.helpers';
 import type {
 	FailureResult,
 	InternalError,
@@ -588,8 +587,8 @@ export class APIClass<TBasePath extends string = ''> extends Restivus {
 						const connection = { ...generateConnection(this.requestIp, this.request.headers), token: this.token };
 
 						try {
-							if (options.deprecationVersion) {
-								apiDeprecationLogger.endpoint(this.request.route, options.deprecationVersion, this.response, options.deprecationInfo || '');
+							if (options.deprecation) {
+								parseDeprecation(this, options.deprecation);
 							}
 
 							await api.enforceRateLimit(objectForRateLimitMatch, this.request, this.response, this.userId);

apps/meteor/app/api/server/definition.ts

@@ -95,8 +95,10 @@ export type Options = (
 ) & {
 	validateParams?: ValidateFunction | { [key in Method]?: ValidateFunction };
 	authOrAnonRequired?: true;
-	deprecationVersion?: string;
-	deprecationInfo?: string;
+	deprecation?: {
+		version: string;
+		alternatives?: string[];
+	};
 };
 
 export type PartialThis = {

apps/meteor/app/api/server/v1/channels.ts

@@ -806,7 +806,14 @@ API.v1.addRoute(
 
 API.v1.addRoute(
 	'channels.images',
-	{ authRequired: true, validateParams: isRoomsImagesProps, deprecationVersion: '7.0.0', deprecationInfo: 'Use /v1/rooms.images instead.' },
+	{
+		authRequired: true,
+		validateParams: isRoomsImagesProps,
+		deprecation: {
+			version: '7.0.0',
+			alternatives: ['rooms.images'],
+		},
+	},
 	{
 		async get() {
 			const room = await Rooms.findOneById<Pick<IRoom, '_id' | 't' | 'teamId' | 'prid'>>(this.queryParams.roomId, {

apps/meteor/app/api/server/v1/misc.ts

@@ -24,7 +24,6 @@ import { SystemLogger } from '../../../../server/lib/logger/system';
 import { getLogs } from '../../../../server/stream/stdout';
 import { hasPermissionAsync } from '../../../authorization/server/functions/hasPermission';
 import { passwordPolicy } from '../../../lib/server';
-import { apiDeprecationLogger } from '../../../lib/server/lib/deprecationWarningLogger';
 import { settings } from '../../../settings/server';
 import { getDefaultUserFields } from '../../../utils/server/functions/getDefaultUserFields';
 import { getURL } from '../../../utils/server/getURL';
@@ -409,10 +408,13 @@ API.v1.addRoute(
 	{
 		authRequired: false,
 		validateParams: validateParamsPwGetPolicyRest,
+		deprecation: {
+			version: '7.0.0',
+			alternatives: ['pw.getPolicy'],
+		},
 	},
 	{
 		async get() {
-			apiDeprecationLogger.endpoint(this.request.route, '7.0.0', this.response, ' Use pw.getPolicy instead.');
 			check(
 				this.queryParams,
 				Match.ObjectIncluding({

apps/meteor/app/autotranslate/client/lib/autotranslate.ts

@@ -17,6 +17,7 @@ import {
 } from '../../../../client/views/room/MessageList/lib/autoTranslate';
 import { hasPermission } from '../../../authorization/client';
 import { Subscriptions, Messages } from '../../../models/client';
+import { settings } from '../../../settings/client';
 import { sdk } from '../../../utils/client/lib/SDKClient';
 
 let userLanguage = 'en';
@@ -102,7 +103,7 @@ export const AutoTranslate = {
 
 		Tracker.autorun(async (c) => {
 			const uid = Meteor.userId();
-			if (!uid || !hasPermission('auto-translate')) {
+			if (!settings.get('AutoTranslate_Enabled') || !uid || !hasPermission('auto-translate')) {
 				return;
 			}
 

apps/meteor/app/e2e/client/rocketchat.e2e.room.js

@@ -410,6 +410,20 @@ export class E2ERoom extends Emitter {
 		return this.encryptText(data);
 	}
 
+	encryptAttachmentDescription(description, _id) {
+		const ts = new Date();
+
+		const data = new TextEncoder('UTF-8').encode(
+			EJSON.stringify({
+				userId: this.userId,
+				text: description,
+				_id,
+				ts,
+			}),
+		);
+		return this.encryptText(data);
+	}
+
 	// Decrypt messages
 
 	async decryptMessage(message) {

apps/meteor/app/e2e/client/rocketchat.e2e.ts

@@ -2,7 +2,7 @@ import QueryString from 'querystring';
 import URL from 'url';
 
 import type { IE2EEMessage, IMessage, IRoom, ISubscription } from '@rocket.chat/core-typings';
-import { isE2EEMessage } from '@rocket.chat/core-typings';
+import { isE2EEMessage, isFileAttachment } from '@rocket.chat/core-typings';
 import { Emitter } from '@rocket.chat/emitter';
 import EJSON from 'ejson';
 import { Meteor } from 'meteor/meteor';
@@ -422,19 +422,60 @@ class E2E extends Emitter {
 
 		const data = await e2eRoom.decrypt(message.msg);
 
-		if (!data) {
-			return message;
-		}
-
 		const decryptedMessage: IE2EEMessage = {
 			...message,
-			msg: data.text,
-			e2e: 'done',
+			...(data && {
+				msg: data.text,
+				e2e: 'done',
+			}),
 		};
 
 		const decryptedMessageWithQuote = await this.parseQuoteAttachment(decryptedMessage);
 
-		return decryptedMessageWithQuote;
+		const decryptedMessageWithAttachments = await this.decryptMessageAttachments(decryptedMessageWithQuote);
+
+		return decryptedMessageWithAttachments;
+	}
+
+	async decryptMessageAttachments(message: IMessage): Promise<IMessage> {
+		const { attachments } = message;
+
+		if (!attachments || !attachments.length) {
+			return message;
+		}
+
+		const e2eRoom = await this.getInstanceByRoomId(message.rid);
+
+		if (!e2eRoom) {
+			return message;
+		}
+
+		const decryptedAttachments = await Promise.all(
+			attachments.map(async (attachment) => {
+				if (!isFileAttachment(attachment)) {
+					return attachment;
+				}
+
+				if (!attachment.description) {
+					return attachment;
+				}
+
+				const data = await e2eRoom.decrypt(attachment.description);
+
+				if (!data) {
+					return attachment;
+				}
+
+				attachment.description = data.text;
+				return attachment;
+			}),
+		);
+
+		return {
+			...message,
+			attachments: decryptedAttachments,
+			e2e: 'done',
+		};
 	}
 
 	async decryptPendingMessages(): Promise<void> {

apps/meteor/app/file-upload/server/methods/sendFileMessage.ts

@@ -1,4 +1,12 @@
-import type { MessageAttachment, FileAttachmentProps, IUser, IUpload, AtLeast, FilesAndAttachments } from '@rocket.chat/core-typings';
+import type {
+	MessageAttachment,
+	FileAttachmentProps,
+	IUser,
+	IUpload,
+	AtLeast,
+	FilesAndAttachments,
+	IMessage,
+} from '@rocket.chat/core-typings';
 import { Rooms, Uploads, Users } from '@rocket.chat/models';
 import type { ServerMethods } from '@rocket.chat/ui-contexts';
 import { Match, check } from 'meteor/check';
@@ -178,6 +186,8 @@ export const sendFileMessage = async (
 			msg: Match.Optional(String),
 			tmid: Match.Optional(String),
 			customFields: Match.Optional(String),
+			t: Match.Optional(String),
+			e2e: Match.Optional(String),
 		}),
 	);
 
@@ -189,7 +199,7 @@ export const sendFileMessage = async (
 		file: files[0],
 		files,
 		attachments,
-		...msgData,
+		...(msgData as Partial<IMessage>),
 		...(msgData?.customFields && { customFields: JSON.parse(msgData.customFields) }),
 		msg: msgData?.msg ?? '',
 		groupable: msgData?.groupable ?? false,

apps/meteor/app/importer/server/classes/ImportDataConverter.ts

@@ -502,6 +502,7 @@ export class ImportDataConverter {
 					}
 
 					const userId = await this.insertUser(data);
+					data._id = userId;
 					insertedIds.add(userId);
 
 					if (!this._options.skipDefaultChannels) {

apps/meteor/app/livechat/imports/server/rest/inquiries.ts

@@ -75,7 +75,10 @@ API.v1.addRoute(
 		authRequired: true,
 		permissionsRequired: ['view-l-room'],
 		validateParams: isGETLivechatInquiriesQueuedParams,
-		deprecationVersion: '7.0.0',
+		deprecation: {
+			version: '7.0.0',
+			alternatives: ['livechat/inquiries.queuedForUser'],
+		},
 	},
 	{
 		async get() {

apps/meteor/app/livechat/server/api/v1/room.ts

@@ -230,7 +230,7 @@ API.v1.addRoute(
 
 API.v1.addRoute(
 	'livechat/room.transfer',
-	{ validateParams: isPOSTLivechatRoomTransferParams, deprecationVersion: '7.0.0' },
+	{ validateParams: isPOSTLivechatRoomTransferParams, deprecation: { version: '7.0.0' } },
 	{
 		async post() {
 			const { rid, token, department } = this.bodyParams;
@@ -364,7 +364,9 @@ API.v1.addRoute(
 		authRequired: true,
 		permissionsRequired: ['change-livechat-room-visitor'],
 		validateParams: isPUTLivechatRoomVisitorParams,
-		deprecationVersion: '7.0.0',
+		deprecation: {
+			version: '7.0.0',
+		},
 	},
 	{
 		async put() {

apps/meteor/app/meteor-accounts-saml/server/definition/IServiceProviderOptions.ts

@@ -21,6 +21,7 @@ export interface IServiceProviderOptions {
 	metadataTemplate: string;
 	callbackUrl: string;
 
-	// The id attribute is filled midway through some operations
+	// The id and redirectUrl attributes are filled midway through some operations
 	id?: string;
+	redirectUrl?: string;
 }

apps/meteor/app/meteor-accounts-saml/server/lib/SAML.ts

@@ -54,7 +54,7 @@ export class SAML {
 			case 'sloRedirect':
 				return this.processSLORedirectAction(req, res);
 			case 'authorize':
-				return this.processAuthorizeAction(res, service, samlObject);
+				return this.processAuthorizeAction(req, res, service, samlObject);
 			case 'validate':
 				return this.processValidateAction(req, res, service, samlObject);
 			default:
@@ -378,12 +378,20 @@ export class SAML {
 	}
 
 	private static async processAuthorizeAction(
+		req: IIncomingMessage,
 		res: ServerResponse,
 		service: IServiceProviderOptions,
 		samlObject: ISAMLAction,
 	): Promise<void> {
 		service.id = samlObject.credentialToken;
 
+		// Allow redirecting to internal domains when login process is complete
+		const { referer } = req.headers;
+		const siteUrl = settings.get<string>('Site_Url');
+		if (typeof referer === 'string' && referer.startsWith(siteUrl)) {
+			service.redirectUrl = referer;
+		}
+
 		const serviceProvider = new SAMLServiceProvider(service);
 		let url: string | undefined;
 
@@ -430,7 +438,7 @@ export class SAML {
 				};
 
 				await this.storeCredential(credentialToken, loginResult);
-				const url = Meteor.absoluteUrl(SAMLUtils.getValidationActionRedirectPath(credentialToken));
+				const url = Meteor.absoluteUrl(SAMLUtils.getValidationActionRedirectPath(credentialToken, service.redirectUrl));
 				res.writeHead(302, {
 					Location: url,
 				});

apps/meteor/app/meteor-accounts-saml/server/lib/Utils.ts

@@ -131,9 +131,10 @@ export class SAMLUtils {
 		return newTemplate;
 	}
 
-	public static getValidationActionRedirectPath(credentialToken: string): string {
+	public static getValidationActionRedirectPath(credentialToken: string, redirectUrl?: string): string {
+		const redirectUrlParam = redirectUrl ? `&redirectUrl=${encodeURIComponent(redirectUrl)}` : '';
 		// the saml_idp_credentialToken param is needed by the mobile app
-		return `saml/${credentialToken}?saml_idp_credentialToken=${credentialToken}`;
+		return `saml/${credentialToken}?saml_idp_credentialToken=${credentialToken}${redirectUrlParam}`;
 	}
 
 	public static log(obj: any, ...args: Array<any>): void {