extern/netbird
1
0
Fork 0
mirror of https://github.com/netbirdio/netbird.git synced 2024-11-07 16:54:16 +01:00
Code Issues Packages Projects Releases Wiki Activity
381447b8d6
netbird/management/server/peer.go

924 lines
28 KiB
Go
Raw Normal View History

Extend peer http endpoint (#94) * feature: add peer GET and DELETE API methods * refactor: extract peer business logic to a separate file * refactor: extract peer business logic to a separate file * feature: add peer update HTTP endpoint * chore: fill peer new fields * merge with main * refactor: HTTP methods according to standards * chore: setup keys POST endpoint without ID
2021-08-23 21:43:05 +02:00
package server
import (
Add system activity tracking and event store (#636) This PR adds system activity tracking. The management service records events like add/remove peer, group, rule, route, etc. The activity events are stored in the SQLite event store and can be queried by the HTTP API.
2023-01-02 15:11:32 +01:00
"fmt"
Add initial support of device posture checks (#1540) This PR implements the following posture checks: * Agent minimum version allowed * OS minimum version allowed * Geo-location based on connection IP For the geo-based location, we rely on GeoLite2 databases which are free IP geolocation databases. MaxMind was tested and we provide a script that easily allows to download of all necessary files, see infrastructure_files/download-geolite2.sh. The OpenAPI spec should extensively cover the life cycle of current version posture checks.
2024-02-20 09:59:56 +01:00
"net"
Extend peer http endpoint (#94) * feature: add peer GET and DELETE API methods * refactor: extract peer business logic to a separate file * refactor: extract peer business logic to a separate file * feature: add peer update HTTP endpoint * chore: fill peer new fields * merge with main * refactor: HTTP methods according to standards * chore: setup keys POST endpoint without ID
2021-08-23 21:43:05 +02:00
"strings"
"time"
Add rules for ACL (#306) Add rules HTTP endpoint for frontend - CRUD operations. Add Default rule - allow all. Send network map to peers based on rules.
2022-05-21 15:21:39 +02:00
use UTC everywhere in server
2023-04-03 15:09:35 +02:00
"github.com/rs/xid"
Feature/peer validator (#1553) Follow up management-integrations changes move groups to separated packages to avoid circle dependencies save location information in Login action
2024-03-27 18:48:48 +01:00
log "github.com/sirupsen/logrus"
use UTC everywhere in server
2023-04-03 15:09:35 +02:00
Feature/peer validator (#1553) Follow up management-integrations changes move groups to separated packages to avoid circle dependencies save location information in Login action
2024-03-27 18:48:48 +01:00
"github.com/netbirdio/netbird/management/proto"
Feat rego default policy (#700) Converts rules to Rego policies and allow users to write raw policies to set up connectivity and firewall on the clients.
2023-03-13 15:14:18 +01:00
"github.com/netbirdio/netbird/management/server/activity"
extract peer into seperate package
2023-11-28 13:45:26 +01:00
nbpeer "github.com/netbirdio/netbird/management/server/peer"
Feat rego default policy (#700) Converts rules to Rego policies and allow users to write raw policies to set up connectivity and firewall on the clients.
2023-03-13 15:14:18 +01:00
"github.com/netbirdio/netbird/management/server/status"
Extend peer http endpoint (#94) * feature: add peer GET and DELETE API methods * refactor: extract peer business logic to a separate file * refactor: extract peer business logic to a separate file * feature: add peer update HTTP endpoint * chore: fill peer new fields * merge with main * refactor: HTTP methods according to standards * chore: setup keys POST endpoint without ID
2021-08-23 21:43:05 +02:00
)
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
// PeerSync used as a data object between the gRPC API and AccountManager on Sync request.
type PeerSync struct {
// WireGuardPubKey is a peers WireGuard public key
WireGuardPubKey string
Release 0.28.0 (#2092) * compile client under freebsd (#1620) Compile netbird client under freebsd and now support netstack and userspace modes. Refactoring linux specific code to share same code with FreeBSD, move to *_unix.go files. Not implemented yet: Kernel mode not supported DNS probably does not work yet Routing also probably does not work yet SSH support did not tested yet Lack of test environment for freebsd (dedicated VM for github runners under FreeBSD required) Lack of tests for freebsd specific code info reporting need to review and also implement, for example OS reported as GENERIC instead of FreeBSD (lack of FreeBSD icon in management interface) Lack of proper client setup under FreeBSD Lack of FreeBSD port/package * Add DNS routes (#1943) Given domains are resolved periodically and resolved IPs are replaced with the new ones. Unless the flag keep_route is set to true, then only new ones are added. This option is helpful if there are long-running connections that might still point to old IP addresses from changed DNS records. * Add process posture check (#1693) Introduces a process posture check to validate the existence and active status of specific binaries on peer systems. The check ensures that files are present at specified paths, and that corresponding processes are running. This check supports Linux, Windows, and macOS systems. Co-authored-by: Evgenii <mail@skillcoder.com> Co-authored-by: Pascal Fischer <pascal@netbird.io> Co-authored-by: Zoltan Papp <zoltan.pmail@gmail.com> Co-authored-by: Viktor Liu <17948409+lixmal@users.noreply.github.com> Co-authored-by: Bethuel Mmbaga <bethuelmbaga12@gmail.com>
2024-06-13 13:24:24 +02:00
// Meta is the system information passed by peer, must be always present
Meta nbpeer.PeerSystemMeta
// UpdateAccountPeers indicate updating account peers,
// which occurs when the peer's metadata is updated
UpdateAccountPeers bool
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
}
// PeerLogin used as a data object between the gRPC API and AccountManager on Login request.
type PeerLogin struct {
// WireGuardPubKey is a peers WireGuard public key
WireGuardPubKey string
// SSHKey is a peer's ssh key. Can be empty (e.g., old version do not provide it, or this feature is disabled)
SSHKey string
// Meta is the system information passed by peer, must be always present.
extract peer into seperate package
2023-11-28 13:45:26 +01:00
Meta nbpeer.PeerSystemMeta
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
// UserID indicates that JWT was used to log in, and it was valid. Can be empty when SetupKey is used or auth is not required.
UserID string
// SetupKey references to a server.SetupKey to log in. Can be empty when UserID is used or auth is not required.
SetupKey string
Feature/peer validator (#1553) Follow up management-integrations changes move groups to separated packages to avoid circle dependencies save location information in Login action
2024-03-27 18:48:48 +01:00
// ConnectionIP is the real IP of the peer
ConnectionIP net.IP
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
}
Hide content based on user role (#541)
2022-11-05 10:24:50 +01:00
// GetPeers returns a list of peers under the given account filtering out peers that do not belong to a user if
// the current user is not an admin.
extract peer into seperate package
2023-11-28 13:45:26 +01:00
func (am *DefaultAccountManager) GetPeers(accountID, userID string) ([]*nbpeer.Peer, error) {
Hide content based on user role (#541)
2022-11-05 10:24:50 +01:00
account, err := am.Store.GetAccount(accountID)
if err != nil {
return nil, err
}
user, err := account.FindUser(userID)
if err != nil {
return nil, err
}
Feature/peer validator (#1553) Follow up management-integrations changes move groups to separated packages to avoid circle dependencies save location information in Login action
2024-03-27 18:48:48 +01:00
approvedPeersMap, err := am.GetValidatedPeers(account)
if err != nil {
return nil, err
}
extract peer into seperate package
2023-11-28 13:45:26 +01:00
peers := make([]*nbpeer.Peer, 0)
peersMap := make(map[string]*nbpeer.Peer)
Add limited dashboard view (#1738)
2024-03-27 16:11:45 +01:00
if !user.HasAdminPower() && !user.IsServiceUser && account.Settings.RegularUsersViewBlocked {
return peers, nil
}
Hide content based on user role (#541)
2022-11-05 10:24:50 +01:00
for _, peer := range account.Peers {
Allow service users with user role read-only access to all resources (#1484) We allow service users with user role read-only access to all resources so users can create service user and propagate PATs without having to give full admin permissions.
2024-01-25 09:50:27 +01:00
if !(user.HasAdminPower() || user.IsServiceUser) && user.Id != peer.UserID {
Hide content based on user role (#541)
2022-11-05 10:24:50 +01:00
// only display peers that belong to the current user if the current user is not an admin
continue
}
Display peers of a user that it has access to (#571) If a user has a non-admin role, display all peers that user's peers have access to when calling /peers endpoint of the HTTP API.
2022-11-21 17:45:14 +01:00
p := peer.Copy()
peers = append(peers, p)
Use Peer.ID instead of Peer.Key as peer identifier (#664) Replace Peer.Key as internal identifier with a randomly generated Peer.ID in the Management service. Every group now references peers by ID instead of a public key. Every route now references peers by ID instead of a public key. FileStore does store.json file migration on startup by generating Peer.ID and replacing all Peer.Key identifier references .
2023-02-03 10:33:28 +01:00
peersMap[peer.ID] = p
Display peers of a user that it has access to (#571) If a user has a non-admin role, display all peers that user's peers have access to when calling /peers endpoint of the HTTP API.
2022-11-21 17:45:14 +01:00
}
// fetch all the peers that have access to the user's peers
for _, peer := range peers {
Feature/peer validator (#1553) Follow up management-integrations changes move groups to separated packages to avoid circle dependencies save location information in Login action
2024-03-27 18:48:48 +01:00
aclPeers, _ := account.getPeerConnectionResources(peer.ID, approvedPeersMap)
Display peers of a user that it has access to (#571) If a user has a non-admin role, display all peers that user's peers have access to when calling /peers endpoint of the HTTP API.
2022-11-21 17:45:14 +01:00
for _, p := range aclPeers {
Use Peer.ID instead of Peer.Key as peer identifier (#664) Replace Peer.Key as internal identifier with a randomly generated Peer.ID in the Management service. Every group now references peers by ID instead of a public key. Every route now references peers by ID instead of a public key. FileStore does store.json file migration on startup by generating Peer.ID and replacing all Peer.Key identifier references .
2023-02-03 10:33:28 +01:00
peersMap[p.ID] = p
Display peers of a user that it has access to (#571) If a user has a non-admin role, display all peers that user's peers have access to when calling /peers endpoint of the HTTP API.
2022-11-21 17:45:14 +01:00
}
}
extract peer into seperate package
2023-11-28 13:45:26 +01:00
peers = make([]*nbpeer.Peer, 0, len(peersMap))
Display peers of a user that it has access to (#571) If a user has a non-admin role, display all peers that user's peers have access to when calling /peers endpoint of the HTTP API.
2022-11-21 17:45:14 +01:00
for _, peer := range peersMap {
peers = append(peers, peer)
Hide content based on user role (#541)
2022-11-05 10:24:50 +01:00
}
return peers, nil
}
Add rules for ACL (#306) Add rules HTTP endpoint for frontend - CRUD operations. Add Default rule - allow all. Send network map to peers based on rules.
2022-05-21 15:21:39 +02:00
// MarkPeerConnected marks peer as connected (true) or disconnected (false)
Improve Sync performance (#1901)
2024-05-07 14:30:03 +02:00
func (am *DefaultAccountManager) MarkPeerConnected(peerPubKey string, connected bool, realIP net.IP, account *Account) error {
Simplified Store Interface (#545) This PR simplifies Store and FileStore by keeping just the Get and Save account methods. The AccountManager operates mostly around a single account, so it makes sense to fetch the whole account object from the store.
2022-11-07 12:10:56 +01:00
peer, err := account.FindPeerByPubKey(peerPubKey)
Add peer meta data (#95) * feature: add peer GET and DELETE API methods * refactor: extract peer business logic to a separate file * refactor: extract peer business logic to a separate file * feature: add peer update HTTP endpoint * chore: fill peer new fields * merge with main * refactor: HTTP methods according to standards * feature: add peer system metadata * feature: add peer status * test: fix removal
2021-08-24 11:50:19 +02:00
if err != nil {
return err
}
Proactively expire peers' login per account (#698) Goals: Enable peer login expiration when adding new peer Expire peer's login when the time comes The account manager triggers peer expiration routine in future if the following conditions are true: peer expiration is enabled for the account there is at least one peer that has expiration enabled and is connected The time of the next expiration check is based on the nearest peer expiration. Account manager finds a peer with the oldest last login (auth) timestamp and calculates the time when it has to run the routine as a sum of the configured peer login expiration duration and the peer's last login time. When triggered, the expiration routine checks whether there are expired peers. The management server closes the update channel of these peers and updates network map of other peers to exclude expired peers so that the expired peers are not able to connect anywhere. The account manager can reschedule or cancel peer expiration in the following cases: when admin changes account setting (peer expiration enable/disable) when admin updates the expiration duration of the account when admin updates peer expiration (enable/disable) when peer connects (Sync) P.S. The network map calculation was updated to exclude peers that have login expired.
2023-02-27 16:44:26 +01:00
oldStatus := peer.Status.Copy()
newStatus := oldStatus
use UTC everywhere in server
2023-04-03 15:09:35 +02:00
newStatus.LastSeen = time.Now().UTC()
Save Peer Status separately in the FileStore (#554) Due to peer reconnects when restarting the Management service, there are lots of SaveStore operations to update peer status. Store.SavePeerStatus stores peer status separately and the FileStore implementation stores it in memory.
2022-11-08 10:46:12 +01:00
newStatus.Connected = connected
Update peer status when login expires (#688) Extend PeerStatus with an extra field LoginExpired, that can be stored in the database.
2023-02-15 11:27:22 +01:00
// whenever peer got connected that means that it logged in successfully
if newStatus.Connected {
newStatus.LoginExpired = false
}
Save Peer Status separately in the FileStore (#554) Due to peer reconnects when restarting the Management service, there are lots of SaveStore operations to update peer status. Store.SavePeerStatus stores peer status separately and the FileStore implementation stores it in memory.
2022-11-08 10:46:12 +01:00
peer.Status = newStatus
Add initial support of device posture checks (#1540) This PR implements the following posture checks: * Agent minimum version allowed * OS minimum version allowed * Geo-location based on connection IP For the geo-based location, we rely on GeoLite2 databases which are free IP geolocation databases. MaxMind was tested and we provide a script that easily allows to download of all necessary files, see infrastructure_files/download-geolite2.sh. The OpenAPI spec should extensively cover the life cycle of current version posture checks.
2024-02-20 09:59:56 +01:00
if am.geo != nil && realIP != nil {
location, err := am.geo.Lookup(realIP)
if err != nil {
log.Warnf("failed to get location for peer %s realip: [%s]: %v", peer.ID, realIP.String(), err)
} else {
peer.Location.ConnectionIP = realIP
peer.Location.CountryCode = location.Country.ISOCode
peer.Location.CityName = location.City.Names.En
peer.Location.GeoNameID = location.City.GeonameID
err = am.Store.SavePeerLocation(account.Id, peer)
if err != nil {
log.Warnf("could not store location for peer %s: %s", peer.ID, err)
}
}
}
Simplified Store Interface (#545) This PR simplifies Store and FileStore by keeping just the Get and Save account methods. The AccountManager operates mostly around a single account, so it makes sense to fetch the whole account object from the store.
2022-11-07 12:10:56 +01:00
account.UpdatePeer(peer)
Use Peer.ID instead of Peer.Key as peer identifier (#664) Replace Peer.Key as internal identifier with a randomly generated Peer.ID in the Management service. Every group now references peers by ID instead of a public key. Every route now references peers by ID instead of a public key. FileStore does store.json file migration on startup by generating Peer.ID and replacing all Peer.Key identifier references .
2023-02-03 10:33:28 +01:00
err = am.Store.SavePeerStatus(account.Id, peer.ID, *newStatus)
Add peer meta data (#95) * feature: add peer GET and DELETE API methods * refactor: extract peer business logic to a separate file * refactor: extract peer business logic to a separate file * feature: add peer update HTTP endpoint * chore: fill peer new fields * merge with main * refactor: HTTP methods according to standards * feature: add peer system metadata * feature: add peer status * test: fix removal
2021-08-24 11:50:19 +02:00
if err != nil {
return err
}
Proactively expire peers' login per account (#698) Goals: Enable peer login expiration when adding new peer Expire peer's login when the time comes The account manager triggers peer expiration routine in future if the following conditions are true: peer expiration is enabled for the account there is at least one peer that has expiration enabled and is connected The time of the next expiration check is based on the nearest peer expiration. Account manager finds a peer with the oldest last login (auth) timestamp and calculates the time when it has to run the routine as a sum of the configured peer login expiration duration and the peer's last login time. When triggered, the expiration routine checks whether there are expired peers. The management server closes the update channel of these peers and updates network map of other peers to exclude expired peers so that the expired peers are not able to connect anywhere. The account manager can reschedule or cancel peer expiration in the following cases: when admin changes account setting (peer expiration enable/disable) when admin updates the expiration duration of the account when admin updates peer expiration (enable/disable) when peer connects (Sync) P.S. The network map calculation was updated to exclude peers that have login expired.
2023-02-27 16:44:26 +01:00
if peer.AddedWithSSOLogin() && peer.LoginExpirationEnabled && account.Settings.PeerLoginExpirationEnabled {
am.checkAndSchedulePeerLoginExpiration(account)
}
if oldStatus.LoginExpired {
// we need to update other peers because when peer login expires all other peers are notified to disconnect from
Feat rego default policy (#700) Converts rules to Rego policies and allow users to write raw policies to set up connectivity and firewall on the clients.
2023-03-13 15:14:18 +01:00
// the expired one. Here we notify them that connection is now allowed again.
Improve updateAccountPeers by bypassing AM and using account directly (#1193) Improve updateAccountPeers performance by bypassing AM and using the account directly
2023-10-04 15:08:50 +02:00
am.updateAccountPeers(account)
Proactively expire peers' login per account (#698) Goals: Enable peer login expiration when adding new peer Expire peer's login when the time comes The account manager triggers peer expiration routine in future if the following conditions are true: peer expiration is enabled for the account there is at least one peer that has expiration enabled and is connected The time of the next expiration check is based on the nearest peer expiration. Account manager finds a peer with the oldest last login (auth) timestamp and calculates the time when it has to run the routine as a sum of the configured peer login expiration duration and the peer's last login time. When triggered, the expiration routine checks whether there are expired peers. The management server closes the update channel of these peers and updates network map of other peers to exclude expired peers so that the expired peers are not able to connect anywhere. The account manager can reschedule or cancel peer expiration in the following cases: when admin changes account setting (peer expiration enable/disable) when admin updates the expiration duration of the account when admin updates peer expiration (enable/disable) when peer connects (Sync) P.S. The network map calculation was updated to exclude peers that have login expired.
2023-02-27 16:44:26 +01:00
}
Add peer meta data (#95) * feature: add peer GET and DELETE API methods * refactor: extract peer business logic to a separate file * refactor: extract peer business logic to a separate file * feature: add peer update HTTP endpoint * chore: fill peer new fields * merge with main * refactor: HTTP methods according to standards * feature: add peer system metadata * feature: add peer status * test: fix removal
2021-08-24 11:50:19 +02:00
return nil
}
Add login expiration fields to peer HTTP API (#687) Return login expiration related fields in the Peer HTTP GET endpoint. Support enable/disable peer's login expiration via HTTP PUT.
2023-02-14 10:14:00 +01:00
// UpdatePeer updates peer. Only Peer.Name, Peer.SSHEnabled, and Peer.LoginExpirationEnabled can be updated.
extract peer into seperate package
2023-11-28 13:45:26 +01:00
func (am *DefaultAccountManager) UpdatePeer(accountID, userID string, update *nbpeer.Peer) (*nbpeer.Peer, error) {
Improve Sync performance (#1901)
2024-05-07 14:30:03 +02:00
unlock := am.Store.AcquireAccountWriteLock(accountID)
Introduce locking on the account level (#548)
2022-11-07 17:52:23 +01:00
defer unlock()
NetBird SSH (#361) This PR adds support for SSH access through the NetBird network without managing SSH skeys. NetBird client app has an embedded SSH server (Linux/Mac only) and a netbird ssh command.
2022-06-23 17:04:53 +02:00
account, err := am.Store.GetAccount(accountID)
if err != nil {
Replace gRPC errors in business logic with internal ones (#558)
2022-11-11 20:36:45 +01:00
return nil, err
NetBird SSH (#361) This PR adds support for SSH access through the NetBird network without managing SSH skeys. NetBird client app has an embedded SSH server (Linux/Mac only) and a netbird ssh command.
2022-06-23 17:04:53 +02:00
}
Use Peer.ID instead of Peer.Key as peer identifier (#664) Replace Peer.Key as internal identifier with a randomly generated Peer.ID in the Management service. Every group now references peers by ID instead of a public key. Every route now references peers by ID instead of a public key. FileStore does store.json file migration on startup by generating Peer.ID and replacing all Peer.Key identifier references .
2023-02-03 10:33:28 +01:00
peer := account.GetPeer(update.ID)
if peer == nil {
return nil, status.Errorf(status.NotFound, "peer %s not found", update.ID)
NetBird SSH (#361) This PR adds support for SSH access through the NetBird network without managing SSH skeys. NetBird client app has an embedded SSH server (Linux/Mac only) and a netbird ssh command.
2022-06-23 17:04:53 +02:00
}
Feature/peer validator (#1553) Follow up management-integrations changes move groups to separated packages to avoid circle dependencies save location information in Login action
2024-03-27 18:48:48 +01:00
update, err = am.integratedPeerValidator.ValidatePeer(update, peer, userID, accountID, am.GetDNSDomain(), account.GetPeerGroupsList(peer.ID), account.Settings.Extra)
add signatures and frame for peer approval
2023-11-28 11:44:08 +01:00
if err != nil {
return nil, err
}
Add more activity events (#663)
2023-01-25 16:29:59 +01:00
if peer.SSHEnabled != update.SSHEnabled {
peer.SSHEnabled = update.SSHEnabled
event := activity.PeerSSHEnabled
if !update.SSHEnabled {
event = activity.PeerSSHDisabled
}
Export account manager events store (#1295) * Expose account manager StoreEvent to integrations * Add account manager StoreEvent mock
2023-11-08 11:35:37 +01:00
am.StoreEvent(userID, peer.IP.String(), accountID, event, peer.EventMeta(am.GetDNSDomain()))
Add more activity events (#663)
2023-01-25 16:29:59 +01:00
}
NetBird SSH (#361) This PR adds support for SSH access through the NetBird network without managing SSH skeys. NetBird client app has an embedded SSH server (Linux/Mac only) and a netbird ssh command.
2022-06-23 17:04:53 +02:00
Check if peer name change before update labels (#658)
2023-01-20 10:07:37 +01:00
if peer.Name != update.Name {
peer.Name = update.Name
Feature/dns protocol (#543) Added DNS update protocol message Added sync to clients Update nameserver API with new fields Added default NS groups Added new dns-name flag for the management service append to peer DNS label
2022-11-07 15:38:21 +01:00
Check if peer name change before update labels (#658)
2023-01-20 10:07:37 +01:00
existingLabels := account.getPeerDNSLabels()
newLabel, err := getPeerHostLabel(peer.Name, existingLabels)
if err != nil {
return nil, err
}
Feature/dns protocol (#543) Added DNS update protocol message Added sync to clients Update nameserver API with new fields Added default NS groups Added new dns-name flag for the management service append to peer DNS label
2022-11-07 15:38:21 +01:00
Check if peer name change before update labels (#658)
2023-01-20 10:07:37 +01:00
peer.DNSLabel = newLabel
Add more activity events (#663)
2023-01-25 16:29:59 +01:00
Export account manager events store (#1295) * Expose account manager StoreEvent to integrations * Add account manager StoreEvent mock
2023-11-08 11:35:37 +01:00
am.StoreEvent(userID, peer.ID, accountID, activity.PeerRenamed, peer.EventMeta(am.GetDNSDomain()))
Check if peer name change before update labels (#658)
2023-01-20 10:07:37 +01:00
}
Feature/dns protocol (#543) Added DNS update protocol message Added sync to clients Update nameserver API with new fields Added default NS groups Added new dns-name flag for the management service append to peer DNS label
2022-11-07 15:38:21 +01:00
Add login expiration fields to peer HTTP API (#687) Return login expiration related fields in the Peer HTTP GET endpoint. Support enable/disable peer's login expiration via HTTP PUT.
2023-02-14 10:14:00 +01:00
if peer.LoginExpirationEnabled != update.LoginExpirationEnabled {
Reject peer login expiration update when no SSO login (#693)
2023-02-16 13:03:53 +01:00
if !peer.AddedWithSSOLogin() {
return nil, status.Errorf(status.PreconditionFailed, "this peer hasn't been added with the SSO login, therefore the login expiration can't be updated")
}
Add login expiration fields to peer HTTP API (#687) Return login expiration related fields in the Peer HTTP GET endpoint. Support enable/disable peer's login expiration via HTTP PUT.
2023-02-14 10:14:00 +01:00
peer.LoginExpirationEnabled = update.LoginExpirationEnabled
event := activity.PeerLoginExpirationEnabled
if !update.LoginExpirationEnabled {
event = activity.PeerLoginExpirationDisabled
}
Export account manager events store (#1295) * Expose account manager StoreEvent to integrations * Add account manager StoreEvent mock
2023-11-08 11:35:37 +01:00
am.StoreEvent(userID, peer.IP.String(), accountID, event, peer.EventMeta(am.GetDNSDomain()))
Proactively expire peers' login per account (#698) Goals: Enable peer login expiration when adding new peer Expire peer's login when the time comes The account manager triggers peer expiration routine in future if the following conditions are true: peer expiration is enabled for the account there is at least one peer that has expiration enabled and is connected The time of the next expiration check is based on the nearest peer expiration. Account manager finds a peer with the oldest last login (auth) timestamp and calculates the time when it has to run the routine as a sum of the configured peer login expiration duration and the peer's last login time. When triggered, the expiration routine checks whether there are expired peers. The management server closes the update channel of these peers and updates network map of other peers to exclude expired peers so that the expired peers are not able to connect anywhere. The account manager can reschedule or cancel peer expiration in the following cases: when admin changes account setting (peer expiration enable/disable) when admin updates the expiration duration of the account when admin updates peer expiration (enable/disable) when peer connects (Sync) P.S. The network map calculation was updated to exclude peers that have login expired.
2023-02-27 16:44:26 +01:00
if peer.AddedWithSSOLogin() && peer.LoginExpirationEnabled && account.Settings.PeerLoginExpirationEnabled {
am.checkAndSchedulePeerLoginExpiration(account)
}
Add login expiration fields to peer HTTP API (#687) Return login expiration related fields in the Peer HTTP GET endpoint. Support enable/disable peer's login expiration via HTTP PUT.
2023-02-14 10:14:00 +01:00
}
Simplified Store Interface (#545) This PR simplifies Store and FileStore by keeping just the Get and Save account methods. The AccountManager operates mostly around a single account, so it makes sense to fetch the whole account object from the store.
2022-11-07 12:10:56 +01:00
account.UpdatePeer(peer)
Extend peer http endpoint (#94) * feature: add peer GET and DELETE API methods * refactor: extract peer business logic to a separate file * refactor: extract peer business logic to a separate file * feature: add peer update HTTP endpoint * chore: fill peer new fields * merge with main * refactor: HTTP methods according to standards * chore: setup keys POST endpoint without ID
2021-08-23 21:43:05 +02:00
Simplified Store Interface (#545) This PR simplifies Store and FileStore by keeping just the Get and Save account methods. The AccountManager operates mostly around a single account, so it makes sense to fetch the whole account object from the store.
2022-11-07 12:10:56 +01:00
err = am.Store.SaveAccount(account)
Extend peer http endpoint (#94) * feature: add peer GET and DELETE API methods * refactor: extract peer business logic to a separate file * refactor: extract peer business logic to a separate file * feature: add peer update HTTP endpoint * chore: fill peer new fields * merge with main * refactor: HTTP methods according to standards * chore: setup keys POST endpoint without ID
2021-08-23 21:43:05 +02:00
if err != nil {
return nil, err
}
Improve updateAccountPeers by bypassing AM and using account directly (#1193) Improve updateAccountPeers performance by bypassing AM and using the account directly
2023-10-04 15:08:50 +02:00
am.updateAccountPeers(account)
Extend peer http endpoint (#94) * feature: add peer GET and DELETE API methods * refactor: extract peer business logic to a separate file * refactor: extract peer business logic to a separate file * feature: add peer update HTTP endpoint * chore: fill peer new fields * merge with main * refactor: HTTP methods according to standards * chore: setup keys POST endpoint without ID
2021-08-23 21:43:05 +02:00
Simplified Store Interface (#545) This PR simplifies Store and FileStore by keeping just the Get and Save account methods. The AccountManager operates mostly around a single account, so it makes sense to fetch the whole account object from the store.
2022-11-07 12:10:56 +01:00
return peer, nil
Extend peer http endpoint (#94) * feature: add peer GET and DELETE API methods * refactor: extract peer business logic to a separate file * refactor: extract peer business logic to a separate file * feature: add peer update HTTP endpoint * chore: fill peer new fields * merge with main * refactor: HTTP methods according to standards * chore: setup keys POST endpoint without ID
2021-08-23 21:43:05 +02:00
}
Delete user peers when deleting a user (#1186)
2023-10-01 19:51:39 +02:00
// deletePeers will delete all specified peers and send updates to the remote peers. Don't call without acquiring account lock
func (am *DefaultAccountManager) deletePeers(account *Account, peerIDs []string, userID string) error {
Delete peer (#114) * feature: add peer deletion * feature: add peer deletion [CLIENT] * fix: lint error * test: fix sync block * test: fix management test * feature: add client stop after was deleted * chore: remove permission denied cancellation * chore: add larger signal backoff * feature: notify deleted peer of removal * fix: lint issue * chore: add 2nd default key - one off * test: fix account key check
2021-09-07 18:36:46 +02:00
Reorder peer deletion when deleteing a user (#1191)
2023-10-03 16:46:58 +02:00
// the first loop is needed to ensure all peers present under the account before modifying, otherwise
// we might have some inconsistencies
extract peer into seperate package
2023-11-28 13:45:26 +01:00
peers := make([]*nbpeer.Peer, 0, len(peerIDs))
Delete user peers when deleting a user (#1186)
2023-10-01 19:51:39 +02:00
for _, peerID := range peerIDs {
Management - add serial to Network reflecting network updates (#179) * chore: [management] - add account serial ID * Fix concurrency on the client (#183) * reworked peer connection establishment logic eliminating race conditions and deadlocks while running many peers * chore: move serial to Network from Account * feature: increment Network serial ID when adding/removing peers * chore: extract network struct init to network.go * chore: add serial test when adding peer to the account * test: add ModificationID test on AddPeer and DeletePeer
2022-01-14 14:34:27 +01:00
Delete user peers when deleting a user (#1186)
2023-10-01 19:51:39 +02:00
peer := account.GetPeer(peerID)
if peer == nil {
Reorder peer deletion when deleteing a user (#1191)
2023-10-03 16:46:58 +02:00
return status.Errorf(status.NotFound, "peer %s not found", peerID)
Delete user peers when deleting a user (#1186)
2023-10-01 19:51:39 +02:00
}
Reorder peer deletion when deleteing a user (#1191)
2023-10-03 16:46:58 +02:00
peers = append(peers, peer)
}
Delete peer (#114) * feature: add peer deletion * feature: add peer deletion [CLIENT] * fix: lint error * test: fix sync block * test: fix management test * feature: add client stop after was deleted * chore: remove permission denied cancellation * chore: add larger signal backoff * feature: notify deleted peer of removal * fix: lint issue * chore: add 2nd default key - one off * test: fix account key check
2021-09-07 18:36:46 +02:00
Reorder peer deletion when deleteing a user (#1191)
2023-10-03 16:46:58 +02:00
// the 2nd loop performs the actual modification
for _, peer := range peers {
Feature/peer validator (#1553) Follow up management-integrations changes move groups to separated packages to avoid circle dependencies save location information in Login action
2024-03-27 18:48:48 +01:00
err := am.integratedPeerValidator.PeerDeleted(account.Id, peer.ID)
if err != nil {
return err
}
Reorder peer deletion when deleteing a user (#1191)
2023-10-03 16:46:58 +02:00
account.DeletePeer(peer.ID)
am.peersUpdateManager.SendUpdate(peer.ID,
Delete user peers when deleting a user (#1186)
2023-10-01 19:51:39 +02:00
&UpdateMessage{
Update: &proto.SyncResponse{
// fill those field for backward compatibility
RemotePeers: []*proto.RemotePeerConfig{},
RemotePeersIsEmpty: true,
// new field
NetworkMap: &proto.NetworkMap{
Serial: account.Network.CurrentSerial(),
RemotePeers: []*proto.RemotePeerConfig{},
RemotePeersIsEmpty: true,
FirewallRules: []*proto.FirewallRule{},
FirewallRulesIsEmpty: true,
},
},
})
Reorder peer deletion when deleteing a user (#1191)
2023-10-03 16:46:58 +02:00
am.peersUpdateManager.CloseChannel(peer.ID)
Export account manager events store (#1295) * Expose account manager StoreEvent to integrations * Add account manager StoreEvent mock
2023-11-08 11:35:37 +01:00
am.StoreEvent(userID, peer.ID, account.Id, activity.PeerRemovedByUser, peer.EventMeta(am.GetDNSDomain()))
Delete user peers when deleting a user (#1186)
2023-10-01 19:51:39 +02:00
}
Reorder peer deletion when deleteing a user (#1191)
2023-10-03 16:46:58 +02:00
return nil
Delete user peers when deleting a user (#1186)
2023-10-01 19:51:39 +02:00
}
// DeletePeer removes peer from the account by its IP
func (am *DefaultAccountManager) DeletePeer(accountID, peerID, userID string) error {
Improve Sync performance (#1901)
2024-05-07 14:30:03 +02:00
unlock := am.Store.AcquireAccountWriteLock(accountID)
Delete user peers when deleting a user (#1186)
2023-10-01 19:51:39 +02:00
defer unlock()
account, err := am.Store.GetAccount(accountID)
if err != nil {
return err
Delete peer (#114) * feature: add peer deletion * feature: add peer deletion [CLIENT] * fix: lint error * test: fix sync block * test: fix management test * feature: add client stop after was deleted * chore: remove permission denied cancellation * chore: add larger signal backoff * feature: notify deleted peer of removal * fix: lint issue * chore: add 2nd default key - one off * test: fix account key check
2021-09-07 18:36:46 +02:00
}
Reorder peer deletion when deleteing a user (#1191)
2023-10-03 16:46:58 +02:00
err = am.deletePeers(account, []string{peerID}, userID)
if err != nil {
return err
}
err = am.Store.SaveAccount(account)
if err != nil {
return err
}
Improve updateAccountPeers by bypassing AM and using account directly (#1193) Improve updateAccountPeers performance by bypassing AM and using the account directly
2023-10-04 15:08:50 +02:00
am.updateAccountPeers(account)
return nil
Extend peer http endpoint (#94) * feature: add peer GET and DELETE API methods * refactor: extract peer business logic to a separate file * refactor: extract peer business logic to a separate file * feature: add peer update HTTP endpoint * chore: fill peer new fields * merge with main * refactor: HTTP methods according to standards * chore: setup keys POST endpoint without ID
2021-08-23 21:43:05 +02:00
}
Change Management Sync protocol to support incremental (serial) network changes (#191) * feature: introduce NetworkMap to the management protocol with a Serial ID * test: add Management Sync method protocol test * test: add Management Sync method NetworkMap field check [FAILING] * test: add Management Sync method NetworkMap field check [FAILING] * feature: fill NetworkMap property to when Deleting peer * feature: fill NetworkMap in the Sync protocol * test: code review mentions - GeneratePrivateKey() in the test * fix: wiretrustee client use wireguard GeneratePrivateKey() instead of GenerateKey() * test: add NetworkMap test * fix: management_proto test remove store.json on test finish
2022-01-16 17:10:36 +01:00
// GetNetworkMap returns Network map for a given peer (omits original peer from the Peers result)
Use Peer.ID instead of Peer.Key as peer identifier (#664) Replace Peer.Key as internal identifier with a randomly generated Peer.ID in the Management service. Every group now references peers by ID instead of a public key. Every route now references peers by ID instead of a public key. FileStore does store.json file migration on startup by generating Peer.ID and replacing all Peer.Key identifier references .
2023-02-03 10:33:28 +01:00
func (am *DefaultAccountManager) GetNetworkMap(peerID string) (*NetworkMap, error) {
account, err := am.Store.GetAccountByPeerID(peerID)
Extend peer http endpoint (#94) * feature: add peer GET and DELETE API methods * refactor: extract peer business logic to a separate file * refactor: extract peer business logic to a separate file * feature: add peer update HTTP endpoint * chore: fill peer new fields * merge with main * refactor: HTTP methods according to standards * chore: setup keys POST endpoint without ID
2021-08-23 21:43:05 +02:00
if err != nil {
Replace gRPC errors in business logic with internal ones (#558)
2022-11-11 20:36:45 +01:00
return nil, err
Extend peer http endpoint (#94) * feature: add peer GET and DELETE API methods * refactor: extract peer business logic to a separate file * refactor: extract peer business logic to a separate file * feature: add peer update HTTP endpoint * chore: fill peer new fields * merge with main * refactor: HTTP methods according to standards * chore: setup keys POST endpoint without ID
2021-08-23 21:43:05 +02:00
}
Use Peer.ID instead of Peer.Key as peer identifier (#664) Replace Peer.Key as internal identifier with a randomly generated Peer.ID in the Management service. Every group now references peers by ID instead of a public key. Every route now references peers by ID instead of a public key. FileStore does store.json file migration on startup by generating Peer.ID and replacing all Peer.Key identifier references .
2023-02-03 10:33:28 +01:00
peer := account.GetPeer(peerID)
if peer == nil {
return nil, status.Errorf(status.NotFound, "peer with ID %s not found", peerID)
}
Feature/peer validator (#1553) Follow up management-integrations changes move groups to separated packages to avoid circle dependencies save location information in Login action
2024-03-27 18:48:48 +01:00
groups := make(map[string][]string)
for groupID, group := range account.Groups {
groups[groupID] = group.Peers
}
validatedPeers, err := am.integratedPeerValidator.GetValidatedPeers(account.Id, account.Groups, account.Peers, account.Settings.Extra)
if err != nil {
return nil, err
}
return account.GetPeerNetworkMap(peer.ID, am.dnsDomain, validatedPeers), nil
Extend peer http endpoint (#94) * feature: add peer GET and DELETE API methods * refactor: extract peer business logic to a separate file * refactor: extract peer business logic to a separate file * feature: add peer update HTTP endpoint * chore: fill peer new fields * merge with main * refactor: HTTP methods according to standards * chore: setup keys POST endpoint without ID
2021-08-23 21:43:05 +02:00
}
Send netmask from account network (#369) * Send netmask from account network Added the GetPeerNetwork method to account manager Pass a copy of the network to the toPeerConfig function to retrieve the netmask from the network instead of constant updated methods and added test * check if the network is the same for 2 peers * Use expect with BeEquivalentTo
2022-06-24 21:30:51 +02:00
// GetPeerNetwork returns the Network for a given peer
Use Peer.ID instead of Peer.Key as peer identifier (#664) Replace Peer.Key as internal identifier with a randomly generated Peer.ID in the Management service. Every group now references peers by ID instead of a public key. Every route now references peers by ID instead of a public key. FileStore does store.json file migration on startup by generating Peer.ID and replacing all Peer.Key identifier references .
2023-02-03 10:33:28 +01:00
func (am *DefaultAccountManager) GetPeerNetwork(peerID string) (*Network, error) {
account, err := am.Store.GetAccountByPeerID(peerID)
Send netmask from account network (#369) * Send netmask from account network Added the GetPeerNetwork method to account manager Pass a copy of the network to the toPeerConfig function to retrieve the netmask from the network instead of constant updated methods and added test * check if the network is the same for 2 peers * Use expect with BeEquivalentTo
2022-06-24 21:30:51 +02:00
if err != nil {
Replace gRPC errors in business logic with internal ones (#558)
2022-11-11 20:36:45 +01:00
return nil, err
Send netmask from account network (#369) * Send netmask from account network Added the GetPeerNetwork method to account manager Pass a copy of the network to the toPeerConfig function to retrieve the netmask from the network instead of constant updated methods and added test * check if the network is the same for 2 peers * Use expect with BeEquivalentTo
2022-06-24 21:30:51 +02:00
}
return account.Network.Copy(), err
}
Extend peer http endpoint (#94) * feature: add peer GET and DELETE API methods * refactor: extract peer business logic to a separate file * refactor: extract peer business logic to a separate file * feature: add peer update HTTP endpoint * chore: fill peer new fields * merge with main * refactor: HTTP methods according to standards * chore: setup keys POST endpoint without ID
2021-08-23 21:43:05 +02:00
// AddPeer adds a new peer to the Store.
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
// Each Account has a list of pre-authorized SetupKey and if no Account has a given key err with a code status.PermissionDenied
// will be returned, meaning the setup key is invalid or not found.
Adding peer registration support to JWT (#305) The management will validate the JWT as it does in the API and will register the Peer to the user's account. New fields were added to grpc messages in management and client daemon and its clients were updated Peer has one new field, UserID, that will hold the id of the user that registered it JWT middleware CheckJWT got a splitter and renamed to support validation for non HTTP requests Added test for adding new Peer with UserID Lots of tests update because of a new field
2022-05-05 20:02:15 +02:00
// If a User ID is provided, it means that we passed the authentication using JWT, then we look for account by User ID and register the peer
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
// to it. We also add the User ID to the peer metadata to identify registrant. If no userID provided, then fail with status.PermissionDenied
Extend peer http endpoint (#94) * feature: add peer GET and DELETE API methods * refactor: extract peer business logic to a separate file * refactor: extract peer business logic to a separate file * feature: add peer update HTTP endpoint * chore: fill peer new fields * merge with main * refactor: HTTP methods according to standards * chore: setup keys POST endpoint without ID
2021-08-23 21:43:05 +02:00
// Each new Peer will be assigned a new next net.IP from the Account.Network and Account.Network.LastIP will be updated (IP's are not reused).
Add peer meta data (#95) * feature: add peer GET and DELETE API methods * refactor: extract peer business logic to a separate file * refactor: extract peer business logic to a separate file * feature: add peer update HTTP endpoint * chore: fill peer new fields * merge with main * refactor: HTTP methods according to standards * feature: add peer system metadata * feature: add peer status * test: fix removal
2021-08-24 11:50:19 +02:00
// The peer property is just a placeholder for the Peer properties to pass further
extract peer into seperate package
2023-11-28 13:45:26 +01:00
func (am *DefaultAccountManager) AddPeer(setupKey, userID string, peer *nbpeer.Peer) (*nbpeer.Peer, *NetworkMap, error) {
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
if setupKey == "" && userID == "" {
// no auth method provided => reject access
return nil, nil, status.Errorf(status.Unauthenticated, "no peer auth method provided, please use a setup key or interactive SSO login")
}
Extend peer http endpoint (#94) * feature: add peer GET and DELETE API methods * refactor: extract peer business logic to a separate file * refactor: extract peer business logic to a separate file * feature: add peer update HTTP endpoint * chore: fill peer new fields * merge with main * refactor: HTTP methods according to standards * chore: setup keys POST endpoint without ID
2021-08-23 21:43:05 +02:00
upperKey := strings.ToUpper(setupKey)
Improve login performance (#2061)
2024-05-31 16:41:12 +02:00
var accountID string
Extend peer http endpoint (#94) * feature: add peer GET and DELETE API methods * refactor: extract peer business logic to a separate file * refactor: extract peer business logic to a separate file * feature: add peer update HTTP endpoint * chore: fill peer new fields * merge with main * refactor: HTTP methods according to standards * chore: setup keys POST endpoint without ID
2021-08-23 21:43:05 +02:00
var err error
Refactor AddPeer to ensure consistency (#557)
2022-11-08 16:14:36 +01:00
addedByUser := false
if len(userID) > 0 {
addedByUser = true
Improve login performance (#2061)
2024-05-31 16:41:12 +02:00
accountID, err = am.Store.GetAccountIDByUserID(userID)
Adding peer registration support to JWT (#305) The management will validate the JWT as it does in the API and will register the Peer to the user's account. New fields were added to grpc messages in management and client daemon and its clients were updated Peer has one new field, UserID, that will hold the id of the user that registered it JWT middleware CheckJWT got a splitter and renamed to support validation for non HTTP requests Added test for adding new Peer with UserID Lots of tests update because of a new field
2022-05-05 20:02:15 +02:00
} else {
Improve login performance (#2061)
2024-05-31 16:41:12 +02:00
accountID, err = am.Store.GetAccountIDBySetupKey(setupKey)
Refactor AddPeer to ensure consistency (#557)
2022-11-08 16:14:36 +01:00
}
if err != nil {
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
return nil, nil, status.Errorf(status.NotFound, "failed adding new peer: account not found")
Extend peer http endpoint (#94) * feature: add peer GET and DELETE API methods * refactor: extract peer business logic to a separate file * refactor: extract peer business logic to a separate file * feature: add peer update HTTP endpoint * chore: fill peer new fields * merge with main * refactor: HTTP methods according to standards * chore: setup keys POST endpoint without ID
2021-08-23 21:43:05 +02:00
}
Improve login performance (#2061)
2024-05-31 16:41:12 +02:00
unlock := am.Store.AcquireAccountWriteLock(accountID)
defer func() {
if unlock != nil {
unlock()
}
}()
Introduce locking on the account level (#548)
2022-11-07 17:52:23 +01:00
Improve login performance (#2061)
2024-05-31 16:41:12 +02:00
var account *Account
Introduce locking on the account level (#548)
2022-11-07 17:52:23 +01:00
// ensure that we consider modification happened meanwhile (because we were outside the account lock when we fetched the account)
Improve login performance (#2061)
2024-05-31 16:41:12 +02:00
account, err = am.Store.GetAccount(accountID)
Introduce locking on the account level (#548)
2022-11-07 17:52:23 +01:00
if err != nil {
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
return nil, nil, err
Introduce locking on the account level (#548)
2022-11-07 17:52:23 +01:00
}
add support for ipad as well
2023-11-16 17:01:01 +01:00
if strings.ToLower(peer.Meta.Hostname) == "iphone" || strings.ToLower(peer.Meta.Hostname) == "ipad" && userID != "" {
use idp cache instead of idp manager
2023-11-16 17:13:04 +01:00
if am.idpManager != nil {
userdata, err := am.lookupUserInCache(userID, account)
Add retry to IdP cache lookup (#1882)
2024-04-23 19:23:43 +02:00
if err == nil && userdata != nil {
use idp cache instead of idp manager
2023-11-16 17:13:04 +01:00
peer.Meta.Hostname = fmt.Sprintf("%s-%s", peer.Meta.Hostname, strings.Split(userdata.Email, "@")[0])
}
use the email address to set the iphone name for iOS 16+
2023-11-16 16:46:08 +01:00
}
}
Add comment clarifying AddPeer race check (#927)
2023-06-02 18:04:24 +02:00
// This is a handling for the case when the same machine (with the same WireGuard pub key) tries to register twice.
Improve Sync performance (#1901)
2024-05-07 14:30:03 +02:00
// Such case is possible when AddPeer function takes long time to finish after AcquireAccountWriteLock (e.g., database is slow)
Add comment clarifying AddPeer race check (#927)
2023-06-02 18:04:24 +02:00
// and the peer disconnects with a timeout and tries to register again.
// We just check if this machine has been registered before and reject the second registration.
// The connecting peer should be able to recover with a retry.
Reject adding peer if already exists with the pub key (#925)
2023-06-02 17:32:55 +02:00
_, err = account.FindPeerByPubKey(peer.Key)
if err == nil {
return nil, nil, status.Errorf(status.PreconditionFailed, "peer has been already registered")
}
Add system activity tracking and event store (#636) This PR adds system activity tracking. The management service records events like add/remove peer, group, rule, route, etc. The activity events are stored in the SQLite event store and can be queried by the HTTP API.
2023-01-02 15:11:32 +01:00
opEvent := &activity.Event{
use UTC everywhere in server
2023-04-03 15:09:35 +02:00
Timestamp: time.Now().UTC(),
Add system activity tracking and event store (#636) This PR adds system activity tracking. The management service records events like add/remove peer, group, rule, route, etc. The activity events are stored in the SQLite event store and can be queried by the HTTP API.
2023-01-02 15:11:32 +01:00
AccountID: account.Id,
}
Feature/ephemeral peers (#1100) The ephemeral manager keep the inactive ephemeral peers in a linked list. The manager schedule a cleanup procedure to the head of the linked list (to the most deprecated peer). At the end of cleanup schedule the next cleanup to the new head. If a device connect back to the server the manager will remote it from the peers list.
2023-09-04 11:37:39 +02:00
var ephemeral bool
fix map assignment
2023-12-04 13:49:46 +01:00
setupKeyName := ""
Refactor AddPeer to ensure consistency (#557)
2022-11-08 16:14:36 +01:00
if !addedByUser {
// validate the setup key if adding with a key
sk, err := account.FindSetupKey(upperKey)
if err != nil {
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
return nil, nil, err
Refactor AddPeer to ensure consistency (#557)
2022-11-08 16:14:36 +01:00
}
if !sk.IsValid() {
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
return nil, nil, status.Errorf(status.PreconditionFailed, "couldn't add peer: setup key is invalid")
Feature/dns protocol (#543) Added DNS update protocol message Added sync to clients Update nameserver API with new fields Added default NS groups Added new dns-name flag for the management service append to peer DNS label
2022-11-07 15:38:21 +01:00
}
Refactor AddPeer to ensure consistency (#557)
2022-11-08 16:14:36 +01:00
account.SetupKeys[sk.Key] = sk.IncrementUsage()
Add system activity tracking and event store (#636) This PR adds system activity tracking. The management service records events like add/remove peer, group, rule, route, etc. The activity events are stored in the SQLite event store and can be queried by the HTTP API.
2023-01-02 15:11:32 +01:00
opEvent.InitiatorID = sk.Id
opEvent.Activity = activity.PeerAddedWithSetupKey
Feature/ephemeral peers (#1100) The ephemeral manager keep the inactive ephemeral peers in a linked list. The manager schedule a cleanup procedure to the head of the linked list (to the most deprecated peer). At the end of cleanup schedule the next cleanup to the new head. If a device connect back to the server the manager will remote it from the peers list.
2023-09-04 11:37:39 +02:00
ephemeral = sk.Ephemeral
fix map assignment
2023-12-04 13:49:46 +01:00
setupKeyName = sk.Name
Add system activity tracking and event store (#636) This PR adds system activity tracking. The management service records events like add/remove peer, group, rule, route, etc. The activity events are stored in the SQLite event store and can be queried by the HTTP API.
2023-01-02 15:11:32 +01:00
} else {
opEvent.InitiatorID = userID
opEvent.Activity = activity.PeerAddedByUser
Extend peer http endpoint (#94) * feature: add peer GET and DELETE API methods * refactor: extract peer business logic to a separate file * refactor: extract peer business logic to a separate file * feature: add peer update HTTP endpoint * chore: fill peer new fields * merge with main * refactor: HTTP methods according to standards * chore: setup keys POST endpoint without ID
2021-08-23 21:43:05 +02:00
}
Refactor AddPeer to ensure consistency (#557)
2022-11-08 16:14:36 +01:00
takenIps := account.getTakenIPs()
existingLabels := account.getPeerDNSLabels()
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
newLabel, err := getPeerHostLabel(peer.Meta.Hostname, existingLabels)
Feature/dns protocol (#543) Added DNS update protocol message Added sync to clients Update nameserver API with new fields Added default NS groups Added new dns-name flag for the management service append to peer DNS label
2022-11-07 15:38:21 +01:00
if err != nil {
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
return nil, nil, err
Feature/dns protocol (#543) Added DNS update protocol message Added sync to clients Update nameserver API with new fields Added default NS groups Added new dns-name flag for the management service append to peer DNS label
2022-11-07 15:38:21 +01:00
}
peer.DNSLabel = newLabel
Extend peer http endpoint (#94) * feature: add peer GET and DELETE API methods * refactor: extract peer business logic to a separate file * refactor: extract peer business logic to a separate file * feature: add peer update HTTP endpoint * chore: fill peer new fields * merge with main * refactor: HTTP methods according to standards * chore: setup keys POST endpoint without ID
2021-08-23 21:43:05 +02:00
network := account.Network
Handle Network out of range (#347)
2022-06-02 12:56:02 +02:00
nextIp, err := AllocatePeerIP(network.Net, takenIps)
if err != nil {
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
return nil, nil, err
Handle Network out of range (#347)
2022-06-02 12:56:02 +02:00
}
Extend peer http endpoint (#94) * feature: add peer GET and DELETE API methods * refactor: extract peer business logic to a separate file * refactor: extract peer business logic to a separate file * feature: add peer update HTTP endpoint * chore: fill peer new fields * merge with main * refactor: HTTP methods according to standards * chore: setup keys POST endpoint without ID
2021-08-23 21:43:05 +02:00
Register creation time for peer, user and account (#1654) This change register creation time for new peers, users and accounts
2024-03-02 13:49:40 +01:00
registrationTime := time.Now().UTC()
extract peer into seperate package
2023-11-28 13:45:26 +01:00
newPeer := &nbpeer.Peer{
Add peer login expiration (#682) This PR adds a peer login expiration logic that requires peers created by a user to re-authenticate (re-login) after a certain threshold of time (24h by default). The Account object now has a PeerLoginExpiration property that indicates the duration after which a peer's login will expire and a login will be required. Defaults to 24h. There are two new properties added to the Peer object: LastLogin that indicates the last time peer successfully used the Login gRPC endpoint and LoginExpirationEnabled that enables/disables peer login expiration. The login expiration logic applies only to peers that were created by a user and not those that were added with a setup key.
2023-02-13 12:21:02 +01:00
ID: xid.New().String(),
Key: peer.Key,
SetupKey: upperKey,
IP: nextIp,
Meta: peer.Meta,
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
Name: peer.Meta.Hostname,
Add peer login expiration (#682) This PR adds a peer login expiration logic that requires peers created by a user to re-authenticate (re-login) after a certain threshold of time (24h by default). The Account object now has a PeerLoginExpiration property that indicates the duration after which a peer's login will expire and a login will be required. Defaults to 24h. There are two new properties added to the Peer object: LastLogin that indicates the last time peer successfully used the Login gRPC endpoint and LoginExpirationEnabled that enables/disables peer login expiration. The login expiration logic applies only to peers that were created by a user and not those that were added with a setup key.
2023-02-13 12:21:02 +01:00
DNSLabel: newLabel,
UserID: userID,
Register creation time for peer, user and account (#1654) This change register creation time for new peers, users and accounts
2024-03-02 13:49:40 +01:00
Status: &nbpeer.PeerStatus{Connected: false, LastSeen: registrationTime},
Add peer login expiration (#682) This PR adds a peer login expiration logic that requires peers created by a user to re-authenticate (re-login) after a certain threshold of time (24h by default). The Account object now has a PeerLoginExpiration property that indicates the duration after which a peer's login will expire and a login will be required. Defaults to 24h. There are two new properties added to the Peer object: LastLogin that indicates the last time peer successfully used the Login gRPC endpoint and LoginExpirationEnabled that enables/disables peer login expiration. The login expiration logic applies only to peers that were created by a user and not those that were added with a setup key.
2023-02-13 12:21:02 +01:00
SSHEnabled: false,
SSHKey: peer.SSHKey,
Register creation time for peer, user and account (#1654) This change register creation time for new peers, users and accounts
2024-03-02 13:49:40 +01:00
LastLogin: registrationTime,
CreatedAt: registrationTime,
Disable peer expiration of peers added with setup keys (#758)
2023-03-23 17:47:53 +01:00
LoginExpirationEnabled: addedByUser,
Feature/ephemeral peers (#1100) The ephemeral manager keep the inactive ephemeral peers in a linked list. The manager schedule a cleanup procedure to the head of the linked list (to the most deprecated peer). At the end of cleanup schedule the next cleanup to the new head. If a device connect back to the server the manager will remote it from the peers list.
2023-09-04 11:37:39 +02:00
Ephemeral: ephemeral,
Feature/peer validator (#1553) Follow up management-integrations changes move groups to separated packages to avoid circle dependencies save location information in Login action
2024-03-27 18:48:48 +01:00
Location: peer.Location,
remove dependency cycle from prepare peer
2023-12-04 16:26:34 +01:00
}
add signatures and frame for peer approval
2023-11-28 11:44:08 +01:00
Add rules for ACL (#306) Add rules HTTP endpoint for frontend - CRUD operations. Add Default rule - allow all. Send network map to peers based on rules.
2022-05-21 15:21:39 +02:00
// add peer to 'All' group
group, err := account.GetGroupAll()
if err != nil {
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
return nil, nil, err
Add rules for ACL (#306) Add rules HTTP endpoint for frontend - CRUD operations. Add Default rule - allow all. Send network map to peers based on rules.
2022-05-21 15:21:39 +02:00
}
remove dependency cycle from prepare peer
2023-12-04 16:26:34 +01:00
group.Peers = append(group.Peers, newPeer.ID)
Add rules for ACL (#306) Add rules HTTP endpoint for frontend - CRUD operations. Add Default rule - allow all. Send network map to peers based on rules.
2022-05-21 15:21:39 +02:00
Refactor AddPeer to ensure consistency (#557)
2022-11-08 16:14:36 +01:00
var groupsToAdd []string
if addedByUser {
groupsToAdd, err = account.getUserGroups(userID)
if err != nil {
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
return nil, nil, err
Refactor AddPeer to ensure consistency (#557)
2022-11-08 16:14:36 +01:00
}
} else {
groupsToAdd, err = account.getSetupKeyGroups(upperKey)
if err != nil {
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
return nil, nil, err
Refactor AddPeer to ensure consistency (#557)
2022-11-08 16:14:36 +01:00
}
}
Assign groups to peers when registering with the setup key (#466)
2022-09-13 13:39:46 +02:00
if len(groupsToAdd) > 0 {
for _, s := range groupsToAdd {
if g, ok := account.Groups[s]; ok && g.Name != "All" {
remove dependency cycle from prepare peer
2023-12-04 16:26:34 +01:00
g.Peers = append(g.Peers, newPeer.ID)
Assign groups to peers when registering with the setup key (#466)
2022-09-13 13:39:46 +02:00
}
}
}
Feature/peer validator (#1553) Follow up management-integrations changes move groups to separated packages to avoid circle dependencies save location information in Login action
2024-03-27 18:48:48 +01:00
newPeer = am.integratedPeerValidator.PreparePeer(account.Id, newPeer, account.GetPeerGroupsList(newPeer.ID), account.Settings.Extra)
Update user's last login when authenticating a peer (#1437) * Update user's last login when authenticating a peer Prior to this update the user's last login only updated on dashboard authentication * use account and user methods
2024-01-06 12:57:05 +01:00
if addedByUser {
user, err := account.FindUser(userID)
if err != nil {
return nil, nil, status.Errorf(status.Internal, "couldn't find user")
}
user.updateLastLogin(newPeer.LastLogin)
}
remove dependency cycle from prepare peer
2023-12-04 16:26:34 +01:00
account.Peers[newPeer.ID] = newPeer
Management - add serial to Network reflecting network updates (#179) * chore: [management] - add account serial ID * Fix concurrency on the client (#183) * reworked peer connection establishment logic eliminating race conditions and deadlocks while running many peers * chore: move serial to Network from Account * feature: increment Network serial ID when adding/removing peers * chore: extract network struct init to network.go * chore: add serial test when adding peer to the account * test: add ModificationID test on AddPeer and DeletePeer
2022-01-14 14:34:27 +01:00
account.Network.IncSerial()
Delete peer (#114) * feature: add peer deletion * feature: add peer deletion [CLIENT] * fix: lint error * test: fix sync block * test: fix management test * feature: add client stop after was deleted * chore: remove permission denied cancellation * chore: add larger signal backoff * feature: notify deleted peer of removal * fix: lint issue * chore: add 2nd default key - one off * test: fix account key check
2021-09-07 18:36:46 +02:00
err = am.Store.SaveAccount(account)
Extend peer http endpoint (#94) * feature: add peer GET and DELETE API methods * refactor: extract peer business logic to a separate file * refactor: extract peer business logic to a separate file * feature: add peer update HTTP endpoint * chore: fill peer new fields * merge with main * refactor: HTTP methods according to standards * chore: setup keys POST endpoint without ID
2021-08-23 21:43:05 +02:00
if err != nil {
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
return nil, nil, err
Extend peer http endpoint (#94) * feature: add peer GET and DELETE API methods * refactor: extract peer business logic to a separate file * refactor: extract peer business logic to a separate file * feature: add peer update HTTP endpoint * chore: fill peer new fields * merge with main * refactor: HTTP methods according to standards * chore: setup keys POST endpoint without ID
2021-08-23 21:43:05 +02:00
}
Improve login performance (#2061)
2024-05-31 16:41:12 +02:00
// Account is saved, we can release the lock
unlock()
unlock = nil
remove dependency cycle from prepare peer
2023-12-04 16:26:34 +01:00
opEvent.TargetID = newPeer.ID
opEvent.Meta = newPeer.EventMeta(am.GetDNSDomain())
fix map assignment
2023-12-04 13:49:46 +01:00
if !addedByUser {
opEvent.Meta["setup_key_name"] = setupKeyName
adding setup key name to the event meta for adding peers by setup key
2023-12-04 13:00:13 +01:00
}
extract peer preparation
2023-12-04 12:49:36 +01:00
Export account manager events store (#1295) * Expose account manager StoreEvent to integrations * Add account manager StoreEvent mock
2023-11-08 11:35:37 +01:00
am.StoreEvent(opEvent.InitiatorID, opEvent.TargetID, opEvent.AccountID, opEvent.Activity, opEvent.Meta)
Add system activity tracking and event store (#636) This PR adds system activity tracking. The management service records events like add/remove peer, group, rule, route, etc. The activity events are stored in the SQLite event store and can be queried by the HTTP API.
2023-01-02 15:11:32 +01:00
Improve updateAccountPeers by bypassing AM and using account directly (#1193) Improve updateAccountPeers performance by bypassing AM and using the account directly
2023-10-04 15:08:50 +02:00
am.updateAccountPeers(account)
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
Feature/peer validator (#1553) Follow up management-integrations changes move groups to separated packages to avoid circle dependencies save location information in Login action
2024-03-27 18:48:48 +01:00
approvedPeersMap, err := am.GetValidatedPeers(account)
if err != nil {
return nil, nil, err
}
networkMap := account.GetPeerNetworkMap(newPeer.ID, am.dnsDomain, approvedPeersMap)
remove dependency cycle from prepare peer
2023-12-04 16:26:34 +01:00
return newPeer, networkMap, nil
Extend peer http endpoint (#94) * feature: add peer GET and DELETE API methods * refactor: extract peer business logic to a separate file * refactor: extract peer business logic to a separate file * feature: add peer update HTTP endpoint * chore: fill peer new fields * merge with main * refactor: HTTP methods according to standards * chore: setup keys POST endpoint without ID
2021-08-23 21:43:05 +02:00
}
Store updated system info on Login to Management (#323)
2022-05-23 13:03:57 +02:00
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
// SyncPeer checks whether peer is eligible for receiving NetworkMap (authenticated) and returns its NetworkMap if eligible
Improve Sync performance (#1901)
2024-05-07 14:30:03 +02:00
func (am *DefaultAccountManager) SyncPeer(sync PeerSync, account *Account) (*nbpeer.Peer, *NetworkMap, error) {
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
peer, err := account.FindPeerByPubKey(sync.WireGuardPubKey)
if err != nil {
Improve login performance (#2061)
2024-05-31 16:41:12 +02:00
return nil, nil, status.NewPeerNotRegisteredError()
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
}
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
err = checkIfPeerOwnerIsBlocked(peer, account)
if err != nil {
return nil, nil, err
}
Improve login performance (#2061)
2024-05-31 16:41:12 +02:00
if peerLoginExpired(peer, account.Settings) {
Send remote agents updates when peer re-authenticates (#737) When peer login expires, all remote peers are updated to exclude the peer from connecting. Once a peer re-authenticates, the remote peers are not updated. This peer fixes the behavior.
2023-03-10 17:39:29 +01:00
return nil, nil, status.Errorf(status.PermissionDenied, "peer login has expired, please log in once more")
Add peer login expiration (#682) This PR adds a peer login expiration logic that requires peers created by a user to re-authenticate (re-login) after a certain threshold of time (24h by default). The Account object now has a PeerLoginExpiration property that indicates the duration after which a peer's login will expire and a login will be required. Defaults to 24h. There are two new properties added to the Peer object: LastLogin that indicates the last time peer successfully used the Login gRPC endpoint and LoginExpirationEnabled that enables/disables peer login expiration. The login expiration logic applies only to peers that were created by a user and not those that were added with a setup key.
2023-02-13 12:21:02 +01:00
}
Feature/peer validator (#1553) Follow up management-integrations changes move groups to separated packages to avoid circle dependencies save location information in Login action
2024-03-27 18:48:48 +01:00
Release 0.28.0 (#2092) * compile client under freebsd (#1620) Compile netbird client under freebsd and now support netstack and userspace modes. Refactoring linux specific code to share same code with FreeBSD, move to *_unix.go files. Not implemented yet: Kernel mode not supported DNS probably does not work yet Routing also probably does not work yet SSH support did not tested yet Lack of test environment for freebsd (dedicated VM for github runners under FreeBSD required) Lack of tests for freebsd specific code info reporting need to review and also implement, for example OS reported as GENERIC instead of FreeBSD (lack of FreeBSD icon in management interface) Lack of proper client setup under FreeBSD Lack of FreeBSD port/package * Add DNS routes (#1943) Given domains are resolved periodically and resolved IPs are replaced with the new ones. Unless the flag keep_route is set to true, then only new ones are added. This option is helpful if there are long-running connections that might still point to old IP addresses from changed DNS records. * Add process posture check (#1693) Introduces a process posture check to validate the existence and active status of specific binaries on peer systems. The check ensures that files are present at specified paths, and that corresponding processes are running. This check supports Linux, Windows, and macOS systems. Co-authored-by: Evgenii <mail@skillcoder.com> Co-authored-by: Pascal Fischer <pascal@netbird.io> Co-authored-by: Zoltan Papp <zoltan.pmail@gmail.com> Co-authored-by: Viktor Liu <17948409+lixmal@users.noreply.github.com> Co-authored-by: Bethuel Mmbaga <bethuelmbaga12@gmail.com>
2024-06-13 13:24:24 +02:00
peer, updated := updatePeerMeta(peer, sync.Meta, account)
if updated {
err = am.Store.SaveAccount(account)
if err != nil {
return nil, nil, err
}
if sync.UpdateAccountPeers {
am.updateAccountPeers(account)
}
}
Extend integrated validator with error handling (#2044)
2024-05-24 13:29:25 +02:00
peerNotValid, isStatusChanged, err := am.integratedPeerValidator.IsNotValidPeer(account.Id, peer, account.GetPeerGroupsList(peer.ID), account.Settings.Extra)
if err != nil {
return nil, nil, err
}
Rename variable (#1829)
2024-04-11 14:08:03 +02:00
if peerNotValid {
Feature/peer validator (#1553) Follow up management-integrations changes move groups to separated packages to avoid circle dependencies save location information in Login action
2024-03-27 18:48:48 +01:00
emptyMap := &NetworkMap{
Network: account.Network.Copy(),
}
return peer, emptyMap, nil
}
if isStatusChanged {
am.updateAccountPeers(account)
}
Rename variable (#1829)
2024-04-11 14:08:03 +02:00
validPeersMap, err := am.GetValidatedPeers(account)
Feature/peer validator (#1553) Follow up management-integrations changes move groups to separated packages to avoid circle dependencies save location information in Login action
2024-03-27 18:48:48 +01:00
if err != nil {
return nil, nil, err
}
Rename variable (#1829)
2024-04-11 14:08:03 +02:00
return peer, account.GetPeerNetworkMap(peer.ID, am.dnsDomain, validPeersMap), nil
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
}
// LoginPeer logs in or registers a peer.
// If peer doesn't exist the function checks whether a setup key or a user is present and registers a new peer if so.
extract peer into seperate package
2023-11-28 13:45:26 +01:00
func (am *DefaultAccountManager) LoginPeer(login PeerLogin) (*nbpeer.Peer, *NetworkMap, error) {
Improve login performance (#2061)
2024-05-31 16:41:12 +02:00
accountID, err := am.Store.GetAccountIDByPeerPubKey(login.WireGuardPubKey)
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
if err != nil {
if errStatus, ok := status.FromError(err); ok && errStatus.Type() == status.NotFound {
// we couldn't find this peer by its public key which can mean that peer hasn't been registered yet.
// Try registering it.
Feature/peer validator (#1553) Follow up management-integrations changes move groups to separated packages to avoid circle dependencies save location information in Login action
2024-03-27 18:48:48 +01:00
newPeer := &nbpeer.Peer{
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
Key: login.WireGuardPubKey,
Meta: login.Meta,
SSHKey: login.SSHKey,
Feature/peer validator (#1553) Follow up management-integrations changes move groups to separated packages to avoid circle dependencies save location information in Login action
2024-03-27 18:48:48 +01:00
}
if am.geo != nil && login.ConnectionIP != nil {
location, err := am.geo.Lookup(login.ConnectionIP)
if err != nil {
log.Warnf("failed to get location for new peer realip: [%s]: %v", login.ConnectionIP.String(), err)
} else {
newPeer.Location.ConnectionIP = login.ConnectionIP
newPeer.Location.CountryCode = location.Country.ISOCode
newPeer.Location.CityName = location.City.Names.En
newPeer.Location.GeoNameID = location.City.GeonameID
}
}
return am.AddPeer(login.SetupKey, login.UserID, newPeer)
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
}
log.Errorf("failed while logging in peer %s: %v", login.WireGuardPubKey, err)
return nil, nil, status.Errorf(status.Internal, "failed while logging in peer")
}
Improve login performance (#2061)
2024-05-31 16:41:12 +02:00
peer, err := am.Store.GetPeerByPeerPubKey(login.WireGuardPubKey)
if err != nil {
return nil, nil, status.NewPeerNotRegisteredError()
}
accSettings, err := am.Store.GetAccountSettings(accountID)
if err != nil {
return nil, nil, status.Errorf(status.Internal, "failed to get account settings: %s", err)
}
var isWriteLock bool
// duplicated logic from after the lock to have an early exit
expired := peerLoginExpired(peer, accSettings)
switch {
case expired:
if err := checkAuth(login.UserID, peer); err != nil {
return nil, nil, err
}
isWriteLock = true
log.Debugf("peer login expired, acquiring write lock")
case peer.UpdateMetaIfNew(login.Meta):
isWriteLock = true
log.Debugf("peer changed meta, acquiring write lock")
default:
isWriteLock = false
log.Debugf("peer meta is the same, acquiring read lock")
}
var unlock func()
if isWriteLock {
unlock = am.Store.AcquireAccountWriteLock(accountID)
} else {
unlock = am.Store.AcquireAccountReadLock(accountID)
}
defer func() {
if unlock != nil {
unlock()
}
}()
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
// fetch the account from the store once more after acquiring lock to avoid concurrent updates inconsistencies
Improve login performance (#2061)
2024-05-31 16:41:12 +02:00
account, err := am.Store.GetAccount(accountID)
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
if err != nil {
return nil, nil, err
}
Improve login performance (#2061)
2024-05-31 16:41:12 +02:00
peer, err = account.FindPeerByPubKey(login.WireGuardPubKey)
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
if err != nil {
Improve login performance (#2061)
2024-05-31 16:41:12 +02:00
return nil, nil, status.NewPeerNotRegisteredError()
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
}
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
err = checkIfPeerOwnerIsBlocked(peer, account)
if err != nil {
return nil, nil, err
}
Avoid storing account if no peer meta or expiration change (#875) * Avoid storing account if no peer meta or expiration change * remove extra log * Update management/server/peer.go Co-authored-by: Misha Bragin <bangvalo@gmail.com> * Clarify why we need to skip account update --------- Co-authored-by: Misha Bragin <bangvalo@gmail.com>
2023-05-18 19:31:35 +02:00
// this flag prevents unnecessary calls to the persistent store.
shouldStoreAccount := false
Send remote agents updates when peer re-authenticates (#737) When peer login expires, all remote peers are updated to exclude the peer from connecting. Once a peer re-authenticates, the remote peers are not updated. This peer fixes the behavior.
2023-03-10 17:39:29 +01:00
updateRemotePeers := false
Improve login performance (#2061)
2024-05-31 16:41:12 +02:00
if peerLoginExpired(peer, account.Settings) {
Send remote agents updates when peer re-authenticates (#737) When peer login expires, all remote peers are updated to exclude the peer from connecting. Once a peer re-authenticates, the remote peers are not updated. This peer fixes the behavior.
2023-03-10 17:39:29 +01:00
err = checkAuth(login.UserID, peer)
if err != nil {
return nil, nil, err
}
// If peer was expired before and if it reached this point, it is re-authenticated.
// UserID is present, meaning that JWT validation passed successfully in the API layer.
updatePeerLastLogin(peer, account)
updateRemotePeers = true
Avoid storing account if no peer meta or expiration change (#875) * Avoid storing account if no peer meta or expiration change * remove extra log * Update management/server/peer.go Co-authored-by: Misha Bragin <bangvalo@gmail.com> * Clarify why we need to skip account update --------- Co-authored-by: Misha Bragin <bangvalo@gmail.com>
2023-05-18 19:31:35 +02:00
shouldStoreAccount = true
Add peer login and expiration activity events (#1090) Track the even of a user logging in their peer. Track the event of a peer login expiration.
2023-08-17 14:04:04 +02:00
Update user's last login when authenticating a peer (#1437) * Update user's last login when authenticating a peer Prior to this update the user's last login only updated on dashboard authentication * use account and user methods
2024-01-06 12:57:05 +01:00
// sync user last login with peer last login
user, err := account.FindUser(login.UserID)
if err != nil {
return nil, nil, status.Errorf(status.Internal, "couldn't find user")
}
user.updateLastLogin(peer.LastLogin)
Export account manager events store (#1295) * Expose account manager StoreEvent to integrations * Add account manager StoreEvent mock
2023-11-08 11:35:37 +01:00
am.StoreEvent(login.UserID, peer.ID, account.Id, activity.UserLoggedInPeer, peer.EventMeta(am.GetDNSDomain()))
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
}
Extend integrated validator with error handling (#2044)
2024-05-24 13:29:25 +02:00
isRequiresApproval, isStatusChanged, err := am.integratedPeerValidator.IsNotValidPeer(account.Id, peer, account.GetPeerGroupsList(peer.ID), account.Settings.Extra)
if err != nil {
return nil, nil, err
}
Avoid storing account if no peer meta or expiration change (#875) * Avoid storing account if no peer meta or expiration change * remove extra log * Update management/server/peer.go Co-authored-by: Misha Bragin <bangvalo@gmail.com> * Clarify why we need to skip account update --------- Co-authored-by: Misha Bragin <bangvalo@gmail.com>
2023-05-18 19:31:35 +02:00
peer, updated := updatePeerMeta(peer, login.Meta, account)
if updated {
shouldStoreAccount = true
}
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
peer, err = am.checkAndUpdatePeerSSHKey(peer, account, login.SSHKey)
if err != nil {
return nil, nil, err
}
Avoid storing account if no peer meta or expiration change (#875) * Avoid storing account if no peer meta or expiration change * remove extra log * Update management/server/peer.go Co-authored-by: Misha Bragin <bangvalo@gmail.com> * Clarify why we need to skip account update --------- Co-authored-by: Misha Bragin <bangvalo@gmail.com>
2023-05-18 19:31:35 +02:00
if shouldStoreAccount {
Improve login performance (#2061)
2024-05-31 16:41:12 +02:00
if !isWriteLock {
log.Errorf("account %s should be stored but is not write locked", accountID)
return nil, nil, status.Errorf(status.Internal, "account should be stored but is not write locked")
}
Avoid storing account if no peer meta or expiration change (#875) * Avoid storing account if no peer meta or expiration change * remove extra log * Update management/server/peer.go Co-authored-by: Misha Bragin <bangvalo@gmail.com> * Clarify why we need to skip account update --------- Co-authored-by: Misha Bragin <bangvalo@gmail.com>
2023-05-18 19:31:35 +02:00
err = am.Store.SaveAccount(account)
if err != nil {
return nil, nil, err
}
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
}
Improve login performance (#2061)
2024-05-31 16:41:12 +02:00
unlock()
unlock = nil
Avoid storing account if no peer meta or expiration change (#875) * Avoid storing account if no peer meta or expiration change * remove extra log * Update management/server/peer.go Co-authored-by: Misha Bragin <bangvalo@gmail.com> * Clarify why we need to skip account update --------- Co-authored-by: Misha Bragin <bangvalo@gmail.com>
2023-05-18 19:31:35 +02:00
Feature/peer validator (#1553) Follow up management-integrations changes move groups to separated packages to avoid circle dependencies save location information in Login action
2024-03-27 18:48:48 +01:00
if updateRemotePeers || isStatusChanged {
Improve updateAccountPeers by bypassing AM and using account directly (#1193) Improve updateAccountPeers performance by bypassing AM and using the account directly
2023-10-04 15:08:50 +02:00
am.updateAccountPeers(account)
Send remote agents updates when peer re-authenticates (#737) When peer login expires, all remote peers are updated to exclude the peer from connecting. Once a peer re-authenticates, the remote peers are not updated. This peer fixes the behavior.
2023-03-10 17:39:29 +01:00
}
Feature/peer validator (#1553) Follow up management-integrations changes move groups to separated packages to avoid circle dependencies save location information in Login action
2024-03-27 18:48:48 +01:00
if isRequiresApproval {
emptyMap := &NetworkMap{
Network: account.Network.Copy(),
}
return peer, emptyMap, nil
}
approvedPeersMap, err := am.GetValidatedPeers(account)
if err != nil {
return nil, nil, err
}
return peer, account.GetPeerNetworkMap(peer.ID, am.dnsDomain, approvedPeersMap), nil
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
}
extract peer into seperate package
2023-11-28 13:45:26 +01:00
func checkIfPeerOwnerIsBlocked(peer *nbpeer.Peer, account *Account) error {
Block user through HTTP API (#846) The new functionality allows blocking a user in the Management service. Blocked users lose access to the Dashboard, aren't able to modify the network map, and all of their connected devices disconnect and are set to the "login expired" state. Technically all above was achieved with the updated PUT /api/users endpoint, that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
if peer.AddedWithSSOLogin() {
user, err := account.FindUser(peer.UserID)
if err != nil {
return status.Errorf(status.PermissionDenied, "user doesn't exist")
}
if user.IsBlocked() {
return status.Errorf(status.PermissionDenied, "user is blocked")
}
}
return nil
}
extract peer into seperate package
2023-11-28 13:45:26 +01:00
func checkAuth(loginUserID string, peer *nbpeer.Peer) error {
Send remote agents updates when peer re-authenticates (#737) When peer login expires, all remote peers are updated to exclude the peer from connecting. Once a peer re-authenticates, the remote peers are not updated. This peer fixes the behavior.
2023-03-10 17:39:29 +01:00
if loginUserID == "" {
// absence of a user ID indicates that JWT wasn't provided.
return status.Errorf(status.PermissionDenied, "peer login has expired, please log in once more")
}
if peer.UserID != loginUserID {
fix some typo spotted with codespell (#1278) Fixed spelling typos on logs, comments and command help text
2023-11-01 17:11:16 +01:00
log.Warnf("user mismatch when logging in peer %s: peer user %s, login user %s ", peer.ID, peer.UserID, loginUserID)
Send remote agents updates when peer re-authenticates (#737) When peer login expires, all remote peers are updated to exclude the peer from connecting. Once a peer re-authenticates, the remote peers are not updated. This peer fixes the behavior.
2023-03-10 17:39:29 +01:00
return status.Errorf(status.Unauthenticated, "can't login")
}
return nil
}
Improve login performance (#2061)
2024-05-31 16:41:12 +02:00
func peerLoginExpired(peer *nbpeer.Peer, settings *Settings) bool {
expired, expiresIn := peer.LoginExpired(settings.PeerLoginExpiration)
expired = settings.PeerLoginExpirationEnabled && expired
Send remote agents updates when peer re-authenticates (#737) When peer login expires, all remote peers are updated to exclude the peer from connecting. Once a peer re-authenticates, the remote peers are not updated. This peer fixes the behavior.
2023-03-10 17:39:29 +01:00
if expired || peer.Status.LoginExpired {
log.Debugf("peer's %s login expired %v ago", peer.ID, expiresIn)
return true
}
return false
}
extract peer into seperate package
2023-11-28 13:45:26 +01:00
func updatePeerLastLogin(peer *nbpeer.Peer, account *Account) {
Send remote agents updates when peer re-authenticates (#737) When peer login expires, all remote peers are updated to exclude the peer from connecting. Once a peer re-authenticates, the remote peers are not updated. This peer fixes the behavior.
2023-03-10 17:39:29 +01:00
peer.UpdateLastLogin()
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
account.UpdatePeer(peer)
Send remote agents updates when peer re-authenticates (#737) When peer login expires, all remote peers are updated to exclude the peer from connecting. Once a peer re-authenticates, the remote peers are not updated. This peer fixes the behavior.
2023-03-10 17:39:29 +01:00
}
extract peer into seperate package
2023-11-28 13:45:26 +01:00
func (am *DefaultAccountManager) checkAndUpdatePeerSSHKey(peer *nbpeer.Peer, account *Account, newSSHKey string) (*nbpeer.Peer, error) {
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
if len(newSSHKey) == 0 {
log.Debugf("no new SSH key provided for peer %s, skipping update", peer.ID)
return peer, nil
}
if peer.SSHKey == newSSHKey {
log.Debugf("same SSH key provided for peer %s, skipping update", peer.ID)
return peer, nil
}
Update peer status when login expires (#688) Extend PeerStatus with an extra field LoginExpired, that can be stored in the database.
2023-02-15 11:27:22 +01:00
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
peer.SSHKey = newSSHKey
Add peer login expiration (#682) This PR adds a peer login expiration logic that requires peers created by a user to re-authenticate (re-login) after a certain threshold of time (24h by default). The Account object now has a PeerLoginExpiration property that indicates the duration after which a peer's login will expire and a login will be required. Defaults to 24h. There are two new properties added to the Peer object: LastLogin that indicates the last time peer successfully used the Login gRPC endpoint and LoginExpirationEnabled that enables/disables peer login expiration. The login expiration logic applies only to peers that were created by a user and not those that were added with a setup key.
2023-02-13 12:21:02 +01:00
account.UpdatePeer(peer)
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
err := am.Store.SaveAccount(account)
Add peer login expiration (#682) This PR adds a peer login expiration logic that requires peers created by a user to re-authenticate (re-login) after a certain threshold of time (24h by default). The Account object now has a PeerLoginExpiration property that indicates the duration after which a peer's login will expire and a login will be required. Defaults to 24h. There are two new properties added to the Peer object: LastLogin that indicates the last time peer successfully used the Login gRPC endpoint and LoginExpirationEnabled that enables/disables peer login expiration. The login expiration logic applies only to peers that were created by a user and not those that were added with a setup key.
2023-02-13 12:21:02 +01:00
if err != nil {
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
return nil, err
Add peer login expiration (#682) This PR adds a peer login expiration logic that requires peers created by a user to re-authenticate (re-login) after a certain threshold of time (24h by default). The Account object now has a PeerLoginExpiration property that indicates the duration after which a peer's login will expire and a login will be required. Defaults to 24h. There are two new properties added to the Peer object: LastLogin that indicates the last time peer successfully used the Login gRPC endpoint and LoginExpirationEnabled that enables/disables peer login expiration. The login expiration logic applies only to peers that were created by a user and not those that were added with a setup key.
2023-02-13 12:21:02 +01:00
}
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
// trigger network map update
Improve updateAccountPeers by bypassing AM and using account directly (#1193) Improve updateAccountPeers performance by bypassing AM and using the account directly
2023-10-04 15:08:50 +02:00
am.updateAccountPeers(account)
Move Login business logic from gRPC API to Accountmanager (#713) The Management gRPC API has too much business logic happening while it has to be in the Account manager. This also needs to make more requests to the store through the account manager.
2023-03-03 18:35:38 +01:00
return peer, nil
Add peer login expiration (#682) This PR adds a peer login expiration logic that requires peers created by a user to re-authenticate (re-login) after a certain threshold of time (24h by default). The Account object now has a PeerLoginExpiration property that indicates the duration after which a peer's login will expire and a login will be required. Defaults to 24h. There are two new properties added to the Peer object: LastLogin that indicates the last time peer successfully used the Login gRPC endpoint and LoginExpirationEnabled that enables/disables peer login expiration. The login expiration logic applies only to peers that were created by a user and not those that were added with a setup key.
2023-02-13 12:21:02 +01:00
}
NetBird SSH (#361) This PR adds support for SSH access through the NetBird network without managing SSH skeys. NetBird client app has an embedded SSH server (Linux/Mac only) and a netbird ssh command.
2022-06-23 17:04:53 +02:00
// UpdatePeerSSHKey updates peer's public SSH key
Use Peer.ID instead of Peer.Key as peer identifier (#664) Replace Peer.Key as internal identifier with a randomly generated Peer.ID in the Management service. Every group now references peers by ID instead of a public key. Every route now references peers by ID instead of a public key. FileStore does store.json file migration on startup by generating Peer.ID and replacing all Peer.Key identifier references .
2023-02-03 10:33:28 +01:00
func (am *DefaultAccountManager) UpdatePeerSSHKey(peerID string, sshKey string) error {
NetBird SSH (#361) This PR adds support for SSH access through the NetBird network without managing SSH skeys. NetBird client app has an embedded SSH server (Linux/Mac only) and a netbird ssh command.
2022-06-23 17:04:53 +02:00
if sshKey == "" {
Use Peer.ID instead of Peer.Key as peer identifier (#664) Replace Peer.Key as internal identifier with a randomly generated Peer.ID in the Management service. Every group now references peers by ID instead of a public key. Every route now references peers by ID instead of a public key. FileStore does store.json file migration on startup by generating Peer.ID and replacing all Peer.Key identifier references .
2023-02-03 10:33:28 +01:00
log.Debugf("empty SSH key provided for peer %s, skipping update", peerID)
NetBird SSH (#361) This PR adds support for SSH access through the NetBird network without managing SSH skeys. NetBird client app has an embedded SSH server (Linux/Mac only) and a netbird ssh command.
2022-06-23 17:04:53 +02:00
return nil
}
Use Peer.ID instead of Peer.Key as peer identifier (#664) Replace Peer.Key as internal identifier with a randomly generated Peer.ID in the Management service. Every group now references peers by ID instead of a public key. Every route now references peers by ID instead of a public key. FileStore does store.json file migration on startup by generating Peer.ID and replacing all Peer.Key identifier references .
2023-02-03 10:33:28 +01:00
account, err := am.Store.GetAccountByPeerID(peerID)
NetBird SSH (#361) This PR adds support for SSH access through the NetBird network without managing SSH skeys. NetBird client app has an embedded SSH server (Linux/Mac only) and a netbird ssh command.
2022-06-23 17:04:53 +02:00
if err != nil {
return err
}
Improve Sync performance (#1901)
2024-05-07 14:30:03 +02:00
unlock := am.Store.AcquireAccountWriteLock(account.Id)
Introduce locking on the account level (#548)
2022-11-07 17:52:23 +01:00
defer unlock()
// ensure that we consider modification happened meanwhile (because we were outside the account lock when we fetched the account)
account, err = am.Store.GetAccount(account.Id)
if err != nil {
return err
}
Use Peer.ID instead of Peer.Key as peer identifier (#664) Replace Peer.Key as internal identifier with a randomly generated Peer.ID in the Management service. Every group now references peers by ID instead of a public key. Every route now references peers by ID instead of a public key. FileStore does store.json file migration on startup by generating Peer.ID and replacing all Peer.Key identifier references .
2023-02-03 10:33:28 +01:00
peer := account.GetPeer(peerID)
if peer == nil {
return status.Errorf(status.NotFound, "peer with ID %s not found", peerID)
NetBird SSH (#361) This PR adds support for SSH access through the NetBird network without managing SSH skeys. NetBird client app has an embedded SSH server (Linux/Mac only) and a netbird ssh command.
2022-06-23 17:04:53 +02:00
}
Simplified Store Interface (#545) This PR simplifies Store and FileStore by keeping just the Get and Save account methods. The AccountManager operates mostly around a single account, so it makes sense to fetch the whole account object from the store.
2022-11-07 12:10:56 +01:00
if peer.SSHKey == sshKey {
Use Peer.ID instead of Peer.Key as peer identifier (#664) Replace Peer.Key as internal identifier with a randomly generated Peer.ID in the Management service. Every group now references peers by ID instead of a public key. Every route now references peers by ID instead of a public key. FileStore does store.json file migration on startup by generating Peer.ID and replacing all Peer.Key identifier references .
2023-02-03 10:33:28 +01:00
log.Debugf("same SSH key provided for peer %s, skipping update", peerID)
Simplified Store Interface (#545) This PR simplifies Store and FileStore by keeping just the Get and Save account methods. The AccountManager operates mostly around a single account, so it makes sense to fetch the whole account object from the store.
2022-11-07 12:10:56 +01:00
return nil
}
peer.SSHKey = sshKey
account.UpdatePeer(peer)
NetBird SSH (#361) This PR adds support for SSH access through the NetBird network without managing SSH skeys. NetBird client app has an embedded SSH server (Linux/Mac only) and a netbird ssh command.
2022-06-23 17:04:53 +02:00
Simplified Store Interface (#545) This PR simplifies Store and FileStore by keeping just the Get and Save account methods. The AccountManager operates mostly around a single account, so it makes sense to fetch the whole account object from the store.
2022-11-07 12:10:56 +01:00
err = am.Store.SaveAccount(account)
NetBird SSH (#361) This PR adds support for SSH access through the NetBird network without managing SSH skeys. NetBird client app has an embedded SSH server (Linux/Mac only) and a netbird ssh command.
2022-06-23 17:04:53 +02:00
if err != nil {
return err
}
// trigger network map update
Improve updateAccountPeers by bypassing AM and using account directly (#1193) Improve updateAccountPeers performance by bypassing AM and using the account directly
2023-10-04 15:08:50 +02:00
am.updateAccountPeers(account)
return nil
NetBird SSH (#361) This PR adds support for SSH access through the NetBird network without managing SSH skeys. NetBird client app has an embedded SSH server (Linux/Mac only) and a netbird ssh command.
2022-06-23 17:04:53 +02:00
}
Add GET peer HTTP API endpoint (#670)
2023-02-07 20:11:08 +01:00
// GetPeer for a given accountID, peerID and userID error if not found.
extract peer into seperate package
2023-11-28 13:45:26 +01:00
func (am *DefaultAccountManager) GetPeer(accountID, peerID, userID string) (*nbpeer.Peer, error) {
Improve Sync performance (#1901)
2024-05-07 14:30:03 +02:00
unlock := am.Store.AcquireAccountWriteLock(accountID)
Add GET peer HTTP API endpoint (#670)
2023-02-07 20:11:08 +01:00
defer unlock()
account, err := am.Store.GetAccount(accountID)
if err != nil {
return nil, err
}
user, err := account.FindUser(userID)
if err != nil {
return nil, err
}
Add limited dashboard view (#1738)
2024-03-27 16:11:45 +01:00
if !user.HasAdminPower() && !user.IsServiceUser && account.Settings.RegularUsersViewBlocked {
return nil, status.Errorf(status.Internal, "user %s has no access to his own peer %s under account %s", userID, peerID, accountID)
}
Add GET peer HTTP API endpoint (#670)
2023-02-07 20:11:08 +01:00
peer := account.GetPeer(peerID)
if peer == nil {
return nil, status.Errorf(status.NotFound, "peer with %s not found under account %s", peerID, accountID)
}
// if admin or user owns this peer, return peer
Allow service users with user role read-only access to all resources (#1484) We allow service users with user role read-only access to all resources so users can create service user and propagate PATs without having to give full admin permissions.
2024-01-25 09:50:27 +01:00
if user.HasAdminPower() || user.IsServiceUser || peer.UserID == userID {
Add GET peer HTTP API endpoint (#670)
2023-02-07 20:11:08 +01:00
return peer, nil
}
// it is also possible that user doesn't own the peer but some of his peers have access to it,
// this is a valid case, show the peer as well.
userPeers, err := account.FindUserPeers(userID)
if err != nil {
return nil, err
}
Feature/peer validator (#1553) Follow up management-integrations changes move groups to separated packages to avoid circle dependencies save location information in Login action
2024-03-27 18:48:48 +01:00
approvedPeersMap, err := am.GetValidatedPeers(account)
if err != nil {
return nil, err
}
Add GET peer HTTP API endpoint (#670)
2023-02-07 20:11:08 +01:00
for _, p := range userPeers {
Feature/peer validator (#1553) Follow up management-integrations changes move groups to separated packages to avoid circle dependencies save location information in Login action
2024-03-27 18:48:48 +01:00
aclPeers, _ := account.getPeerConnectionResources(p.ID, approvedPeersMap)
Add GET peer HTTP API endpoint (#670)
2023-02-07 20:11:08 +01:00
for _, aclPeer := range aclPeers {
if aclPeer.ID == peerID {
return peer, nil
}
}
}
return nil, status.Errorf(status.Internal, "user %s has no access to peer %s under account %s", userID, peerID, accountID)
}
extract peer into seperate package
2023-11-28 13:45:26 +01:00
func updatePeerMeta(peer *nbpeer.Peer, meta nbpeer.PeerSystemMeta, account *Account) (*nbpeer.Peer, bool) {
Avoid storing account if no peer meta or expiration change (#875) * Avoid storing account if no peer meta or expiration change * remove extra log * Update management/server/peer.go Co-authored-by: Misha Bragin <bangvalo@gmail.com> * Clarify why we need to skip account update --------- Co-authored-by: Misha Bragin <bangvalo@gmail.com>
2023-05-18 19:31:35 +02:00
if peer.UpdateMetaIfNew(meta) {
account.UpdatePeer(peer)
return peer, true
}
return peer, false
Store updated system info on Login to Management (#323)
2022-05-23 13:03:57 +02:00
}
fix(acl): update each peer's network when rule,group or peer changed (#333) * fix(acl): update each peer's network when rule,group or peer changed * fix(ACL): update network test * fix(acl): cleanup indexes before update them * fix(acl): clean up rules indexes only for account
2022-06-04 22:02:22 +02:00
NetBird SSH (#361) This PR adds support for SSH access through the NetBird network without managing SSH skeys. NetBird client app has an embedded SSH server (Linux/Mac only) and a netbird ssh command.
2022-06-23 17:04:53 +02:00
// updateAccountPeers updates all peers that belong to an account.
// Should be called when changes have to be synced to peers.
Improve updateAccountPeers by bypassing AM and using account directly (#1193) Improve updateAccountPeers performance by bypassing AM and using the account directly
2023-10-04 15:08:50 +02:00
func (am *DefaultAccountManager) updateAccountPeers(account *Account) {
Simplified Store Interface (#545) This PR simplifies Store and FileStore by keeping just the Get and Save account methods. The AccountManager operates mostly around a single account, so it makes sense to fetch the whole account object from the store.
2022-11-07 12:10:56 +01:00
peers := account.GetPeers()
Send netmask from account network (#369) * Send netmask from account network Added the GetPeerNetwork method to account manager Pass a copy of the network to the toPeerConfig function to retrieve the netmask from the network instead of constant updated methods and added test * check if the network is the same for 2 peers * Use expect with BeEquivalentTo
2022-06-24 21:30:51 +02:00
Feature/peer validator (#1553) Follow up management-integrations changes move groups to separated packages to avoid circle dependencies save location information in Login action
2024-03-27 18:48:48 +01:00
approvedPeersMap, err := am.GetValidatedPeers(account)
if err != nil {
log.Errorf("failed send out updates to peers, failed to validate peer: %v", err)
return
}
Add routing support to management service (#424) Management will receive and store routes that are associated with a peer ID. The routes are distributed to peers according to their ACLs.
2022-08-18 18:22:15 +02:00
for _, peer := range peers {
Check if channel exist before sending network map (#1894) Check for connection channel before calculating and sending the network map
2024-04-29 18:31:52 +02:00
if !am.peersUpdateManager.HasChannel(peer.ID) {
log.Tracef("peer %s doesn't have a channel, skipping network map update", peer.ID)
continue
}
Feature/peer validator (#1553) Follow up management-integrations changes move groups to separated packages to avoid circle dependencies save location information in Login action
2024-03-27 18:48:48 +01:00
remotePeerNetworkMap := account.GetPeerNetworkMap(peer.ID, am.dnsDomain, approvedPeersMap)
Release 0.28.0 (#2092) * compile client under freebsd (#1620) Compile netbird client under freebsd and now support netstack and userspace modes. Refactoring linux specific code to share same code with FreeBSD, move to *_unix.go files. Not implemented yet: Kernel mode not supported DNS probably does not work yet Routing also probably does not work yet SSH support did not tested yet Lack of test environment for freebsd (dedicated VM for github runners under FreeBSD required) Lack of tests for freebsd specific code info reporting need to review and also implement, for example OS reported as GENERIC instead of FreeBSD (lack of FreeBSD icon in management interface) Lack of proper client setup under FreeBSD Lack of FreeBSD port/package * Add DNS routes (#1943) Given domains are resolved periodically and resolved IPs are replaced with the new ones. Unless the flag keep_route is set to true, then only new ones are added. This option is helpful if there are long-running connections that might still point to old IP addresses from changed DNS records. * Add process posture check (#1693) Introduces a process posture check to validate the existence and active status of specific binaries on peer systems. The check ensures that files are present at specified paths, and that corresponding processes are running. This check supports Linux, Windows, and macOS systems. Co-authored-by: Evgenii <mail@skillcoder.com> Co-authored-by: Pascal Fischer <pascal@netbird.io> Co-authored-by: Zoltan Papp <zoltan.pmail@gmail.com> Co-authored-by: Viktor Liu <17948409+lixmal@users.noreply.github.com> Co-authored-by: Bethuel Mmbaga <bethuelmbaga12@gmail.com>
2024-06-13 13:24:24 +02:00
update := toSyncResponse(am, nil, peer, nil, remotePeerNetworkMap, am.GetDNSDomain())
Reorder peer deletion when deleteing a user (#1191)
2023-10-03 16:46:58 +02:00
am.peersUpdateManager.SendUpdate(peer.ID, &UpdateMessage{Update: update})
fix(acl): update each peer's network when rule,group or peer changed (#333) * fix(acl): update each peer's network when rule,group or peer changed * fix(ACL): update network test * fix(acl): cleanup indexes before update them * fix(acl): clean up rules indexes only for account
2022-06-04 22:02:22 +02:00
}
}
Reference in New Issue Copy Permalink