extern/netbird
1
0
Fork 0
mirror of https://github.com/netbirdio/netbird.git synced 2024-11-23 08:33:45 +01:00
Code Issues Packages Projects Releases Wiki Activity
755ffcfc73
netbird/management/proto/management.proto

354 lines
11 KiB
Protocol Buffer
Raw Normal View History

feature: basic management service implementation (#44) * feat: basic management service implementation [FAILING TESTS] * test: fix healthcheck test * test: #39 add peer registration endpoint test * feat: #39 add setup key handling * feat: #39 add peer management store persistence * refactor: extract config read/write to the utility package * refactor: move file contents copy to the utility package * refactor: use Accounts instead of Users in the Store * feature: add management server Docker file * refactor: introduce datadir instead of config * chore: use filepath.Join to concat filepaths instead of string concat * refactor: move stop channel to the root * refactor: move stop channel to the root * review: fix PR review notes Co-authored-by: braginini <hello@wiretrustee.com>
2021-07-17 14:38:59 +02:00
syntax = "proto3";
Extend Management to support peer changes distribution (#55) * feature: add peer sync and a server public key endpoints * test: add Management.Sync() gRpc endpoint test * feat: implement peer sync * docs: added some comments to the Management server * chore: use for loop over channel when monitoring peer updates * fix: exit infinite loop when sending updates to peers * test: add multiple concurrent peers test for management service * chore: remove unused test * fix: reduce the amount peers for a concurrent peer update test Co-authored-by: braginini <m.bragin@wiretrustee.com>
2021-07-22 10:28:00 +02:00
import "google/protobuf/timestamp.proto";
chore: use latest golang-grpc libs
2021-07-20 18:09:26 +02:00
option go_package = "/proto";
feature: basic management service implementation (#44) * feat: basic management service implementation [FAILING TESTS] * test: fix healthcheck test * test: #39 add peer registration endpoint test * feat: #39 add setup key handling * feat: #39 add peer management store persistence * refactor: extract config read/write to the utility package * refactor: move file contents copy to the utility package * refactor: use Accounts instead of Users in the Store * feature: add management server Docker file * refactor: introduce datadir instead of config * chore: use filepath.Join to concat filepaths instead of string concat * refactor: move stop channel to the root * refactor: move stop channel to the root * review: fix PR review notes Co-authored-by: braginini <hello@wiretrustee.com>
2021-07-17 14:38:59 +02:00
package management;
service ManagementService {
Peer management login (#83) * feature: replace RegisterPeer with Login method that does both - registration and login * test: add management login test * feature: add WiretrusteeConfig to the Login response to configure peer global config * feature: add client peer login support * fix: missing parts * chore: update go deps * feature: support Management Service gRPC endpoints [CLIENT] * feature: finalize client sync with management * fix: management store peer key lower case restore * fix: management returns peer ip without a mask * refactor: remove cmd pkg * fix: invalid tun interface name on mac * fix: timeout when calling management client * fix: tests and lint errors * fix: golang-test workflow * fix: client service tests * fix: iface build * feature: detect management scheme on startup * chore: better logs for management * fix: goreleaser * fix: lint errors * fix: signal TLS * fix: direct Wireguard connection * chore: verbose logging on direct connection
2021-08-15 16:56:26 +02:00
// Login logs in peer. In case server returns codes.PermissionDenied this endpoint can be used to register Peer providing LoginRequest.setupKey
Add client version to the client app and send it to the management service (#222) * test: WIP mocking the grpc server for testing the sending of the client information * WIP: Test_SystemMetaDataFromClient with mocks, todo: * fix: failing meta data test * test: add system meta expectation in management client test * fix: removing deprecated register function, replacing with new one * fix: removing deprecated register function from mockclient interface impl * fix: fixing interface declaration * chore: remove unused commented code Co-authored-by: braginini <bangvalo@gmail.com>
2022-02-08 18:03:27 +01:00
// Returns encrypted LoginResponse in EncryptedMessage.Body
Peer management login (#83) * feature: replace RegisterPeer with Login method that does both - registration and login * test: add management login test * feature: add WiretrusteeConfig to the Login response to configure peer global config * feature: add client peer login support * fix: missing parts * chore: update go deps * feature: support Management Service gRPC endpoints [CLIENT] * feature: finalize client sync with management * fix: management store peer key lower case restore * fix: management returns peer ip without a mask * refactor: remove cmd pkg * fix: invalid tun interface name on mac * fix: timeout when calling management client * fix: tests and lint errors * fix: golang-test workflow * fix: client service tests * fix: iface build * feature: detect management scheme on startup * chore: better logs for management * fix: goreleaser * fix: lint errors * fix: signal TLS * fix: direct Wireguard connection * chore: verbose logging on direct connection
2021-08-15 16:56:26 +02:00
rpc Login(EncryptedMessage) returns (EncryptedMessage) {}
feature: basic management service implementation (#44) * feat: basic management service implementation [FAILING TESTS] * test: fix healthcheck test * test: #39 add peer registration endpoint test * feat: #39 add setup key handling * feat: #39 add peer management store persistence * refactor: extract config read/write to the utility package * refactor: move file contents copy to the utility package * refactor: use Accounts instead of Users in the Store * feature: add management server Docker file * refactor: introduce datadir instead of config * chore: use filepath.Join to concat filepaths instead of string concat * refactor: move stop channel to the root * refactor: move stop channel to the root * review: fix PR review notes Co-authored-by: braginini <hello@wiretrustee.com>
2021-07-17 14:38:59 +02:00
Extend Management to support peer changes distribution (#55) * feature: add peer sync and a server public key endpoints * test: add Management.Sync() gRpc endpoint test * feat: implement peer sync * docs: added some comments to the Management server * chore: use for loop over channel when monitoring peer updates * fix: exit infinite loop when sending updates to peers * test: add multiple concurrent peers test for management service * chore: remove unused test * fix: reduce the amount peers for a concurrent peer update test Co-authored-by: braginini <m.bragin@wiretrustee.com>
2021-07-22 10:28:00 +02:00
// Sync enables peer synchronization. Each peer that is connected to this stream will receive updates from the server.
// For example, if a new peer has been added to an account all other connected peers will receive this peer's Wireguard public key as an update
// The initial SyncResponse contains all of the available peers so the local state can be refreshed
Add client version to the client app and send it to the management service (#222) * test: WIP mocking the grpc server for testing the sending of the client information * WIP: Test_SystemMetaDataFromClient with mocks, todo: * fix: failing meta data test * test: add system meta expectation in management client test * fix: removing deprecated register function, replacing with new one * fix: removing deprecated register function from mockclient interface impl * fix: fixing interface declaration * chore: remove unused commented code Co-authored-by: braginini <bangvalo@gmail.com>
2022-02-08 18:03:27 +01:00
// Returns encrypted SyncResponse in EncryptedMessage.Body
Extend Management to support peer changes distribution (#55) * feature: add peer sync and a server public key endpoints * test: add Management.Sync() gRpc endpoint test * feat: implement peer sync * docs: added some comments to the Management server * chore: use for loop over channel when monitoring peer updates * fix: exit infinite loop when sending updates to peers * test: add multiple concurrent peers test for management service * chore: remove unused test * fix: reduce the amount peers for a concurrent peer update test Co-authored-by: braginini <m.bragin@wiretrustee.com>
2021-07-22 10:28:00 +02:00
rpc Sync(EncryptedMessage) returns (stream EncryptedMessage) {}
// Exposes a Wireguard public key of the Management service.
// This key is used to support message encryption between client and server
rpc GetServerKey(Empty) returns (ServerKeyResponse) {}
feature: basic management service implementation (#44) * feat: basic management service implementation [FAILING TESTS] * test: fix healthcheck test * test: #39 add peer registration endpoint test * feat: #39 add setup key handling * feat: #39 add peer management store persistence * refactor: extract config read/write to the utility package * refactor: move file contents copy to the utility package * refactor: use Accounts instead of Users in the Store * feature: add management server Docker file * refactor: introduce datadir instead of config * chore: use filepath.Join to concat filepaths instead of string concat * refactor: move stop channel to the root * refactor: move stop channel to the root * review: fix PR review notes Co-authored-by: braginini <hello@wiretrustee.com>
2021-07-17 14:38:59 +02:00
// health check endpoint
rpc isHealthy(Empty) returns (Empty) {}
Get Device Authorization Flow information from management (#308) We will configure the device authorization flow information and a client will retrieve it and initiate a device authorization gran flow
2022-05-08 11:04:57 +02:00
// Exposes a device authorization flow information
// This is used for initiating a Oauth 2 device authorization grant flow
// which will be used by our clients to Login.
// EncryptedMessage of the request has a body of DeviceAuthorizationFlowRequest.
// EncryptedMessage of the response has a body of DeviceAuthorizationFlow.
rpc GetDeviceAuthorizationFlow(EncryptedMessage) returns (EncryptedMessage) {}
Add PKCE authorization flow (#1012) Enhance the user experience by enabling authentication to Netbird using Single Sign-On (SSO) with any Identity Provider (IDP) provider. Current client offers this capability through the Device Authorization Flow, however, is not widely supported by many IDPs, and even some that do support it do not provide a complete verification URL. To address these challenges, this pull request enable Authorization Code Flow with Proof Key for Code Exchange (PKCE) for client logins, which is a more widely adopted and secure approach to facilitate SSO with various IDP providers.
2023-07-27 11:31:07 +02:00
// Exposes a PKCE authorization code flow information
// This is used for initiating a Oauth 2 authorization grant flow
// with Proof Key for Code Exchange (PKCE) which will be used by our clients to Login.
// EncryptedMessage of the request has a body of PKCEAuthorizationFlowRequest.
// EncryptedMessage of the response has a body of PKCEAuthorizationFlow.
rpc GetPKCEAuthorizationFlow(EncryptedMessage) returns (EncryptedMessage) {}
feature: basic management service implementation (#44) * feat: basic management service implementation [FAILING TESTS] * test: fix healthcheck test * test: #39 add peer registration endpoint test * feat: #39 add setup key handling * feat: #39 add peer management store persistence * refactor: extract config read/write to the utility package * refactor: move file contents copy to the utility package * refactor: use Accounts instead of Users in the Store * feature: add management server Docker file * refactor: introduce datadir instead of config * chore: use filepath.Join to concat filepaths instead of string concat * refactor: move stop channel to the root * refactor: move stop channel to the root * review: fix PR review notes Co-authored-by: braginini <hello@wiretrustee.com>
2021-07-17 14:38:59 +02:00
}
Extend Management to support peer changes distribution (#55) * feature: add peer sync and a server public key endpoints * test: add Management.Sync() gRpc endpoint test * feat: implement peer sync * docs: added some comments to the Management server * chore: use for loop over channel when monitoring peer updates * fix: exit infinite loop when sending updates to peers * test: add multiple concurrent peers test for management service * chore: remove unused test * fix: reduce the amount peers for a concurrent peer update test Co-authored-by: braginini <m.bragin@wiretrustee.com>
2021-07-22 10:28:00 +02:00
message EncryptedMessage {
// Wireguard public key
string wgPubKey = 1;
// encrypted message Body
bytes body = 2;
Change Management Sync protocol to support incremental (serial) network changes (#191) * feature: introduce NetworkMap to the management protocol with a Serial ID * test: add Management Sync method protocol test * test: add Management Sync method NetworkMap field check [FAILING] * test: add Management Sync method NetworkMap field check [FAILING] * feature: fill NetworkMap property to when Deleting peer * feature: fill NetworkMap in the Sync protocol * test: code review mentions - GeneratePrivateKey() in the test * fix: wiretrustee client use wireguard GeneratePrivateKey() instead of GenerateKey() * test: add NetworkMap test * fix: management_proto test remove store.json on test finish
2022-01-16 17:10:36 +01:00
// Version of the Wiretrustee Management Service protocol
int32 version = 3;
Extend Management to support peer changes distribution (#55) * feature: add peer sync and a server public key endpoints * test: add Management.Sync() gRpc endpoint test * feat: implement peer sync * docs: added some comments to the Management server * chore: use for loop over channel when monitoring peer updates * fix: exit infinite loop when sending updates to peers * test: add multiple concurrent peers test for management service * chore: remove unused test * fix: reduce the amount peers for a concurrent peer update test Co-authored-by: braginini <m.bragin@wiretrustee.com>
2021-07-22 10:28:00 +02:00
}
add config properties to the SyncResponse of the management gRpc service (#66) * feature: add config properties to the SyncResponse of the management gRpc service
2021-07-25 17:08:16 +02:00
message SyncRequest {}
Extend Management to support peer changes distribution (#55) * feature: add peer sync and a server public key endpoints * test: add Management.Sync() gRpc endpoint test * feat: implement peer sync * docs: added some comments to the Management server * chore: use for loop over channel when monitoring peer updates * fix: exit infinite loop when sending updates to peers * test: add multiple concurrent peers test for management service * chore: remove unused test * fix: reduce the amount peers for a concurrent peer update test Co-authored-by: braginini <m.bragin@wiretrustee.com>
2021-07-22 10:28:00 +02:00
add config properties to the SyncResponse of the management gRpc service (#66) * feature: add config properties to the SyncResponse of the management gRpc service
2021-07-25 17:08:16 +02:00
// SyncResponse represents a state that should be applied to the local peer (e.g. Wiretrustee servers config as well as local peer and remote peers configs)
Extend Management to support peer changes distribution (#55) * feature: add peer sync and a server public key endpoints * test: add Management.Sync() gRpc endpoint test * feat: implement peer sync * docs: added some comments to the Management server * chore: use for loop over channel when monitoring peer updates * fix: exit infinite loop when sending updates to peers * test: add multiple concurrent peers test for management service * chore: remove unused test * fix: reduce the amount peers for a concurrent peer update test Co-authored-by: braginini <m.bragin@wiretrustee.com>
2021-07-22 10:28:00 +02:00
message SyncResponse {
Change Management Sync protocol to support incremental (serial) network changes (#191) * feature: introduce NetworkMap to the management protocol with a Serial ID * test: add Management Sync method protocol test * test: add Management Sync method NetworkMap field check [FAILING] * test: add Management Sync method NetworkMap field check [FAILING] * feature: fill NetworkMap property to when Deleting peer * feature: fill NetworkMap in the Sync protocol * test: code review mentions - GeneratePrivateKey() in the test * fix: wiretrustee client use wireguard GeneratePrivateKey() instead of GenerateKey() * test: add NetworkMap test * fix: management_proto test remove store.json on test finish
2022-01-16 17:10:36 +01:00
add config properties to the SyncResponse of the management gRpc service (#66) * feature: add config properties to the SyncResponse of the management gRpc service
2021-07-25 17:08:16 +02:00
// Global config
WiretrusteeConfig wiretrusteeConfig = 1;
Change Management Sync protocol to support incremental (serial) network changes (#191) * feature: introduce NetworkMap to the management protocol with a Serial ID * test: add Management Sync method protocol test * test: add Management Sync method NetworkMap field check [FAILING] * test: add Management Sync method NetworkMap field check [FAILING] * feature: fill NetworkMap property to when Deleting peer * feature: fill NetworkMap in the Sync protocol * test: code review mentions - GeneratePrivateKey() in the test * fix: wiretrustee client use wireguard GeneratePrivateKey() instead of GenerateKey() * test: add NetworkMap test * fix: management_proto test remove store.json on test finish
2022-01-16 17:10:36 +01:00
// Deprecated. Use NetworkMap.PeerConfig
add config properties to the SyncResponse of the management gRpc service (#66) * feature: add config properties to the SyncResponse of the management gRpc service
2021-07-25 17:08:16 +02:00
PeerConfig peerConfig = 2;
Change Management Sync protocol to support incremental (serial) network changes (#191) * feature: introduce NetworkMap to the management protocol with a Serial ID * test: add Management Sync method protocol test * test: add Management Sync method NetworkMap field check [FAILING] * test: add Management Sync method NetworkMap field check [FAILING] * feature: fill NetworkMap property to when Deleting peer * feature: fill NetworkMap in the Sync protocol * test: code review mentions - GeneratePrivateKey() in the test * fix: wiretrustee client use wireguard GeneratePrivateKey() instead of GenerateKey() * test: add NetworkMap test * fix: management_proto test remove store.json on test finish
2022-01-16 17:10:36 +01:00
// Deprecated. Use NetworkMap.RemotePeerConfig
add config properties to the SyncResponse of the management gRpc service (#66) * feature: add config properties to the SyncResponse of the management gRpc service
2021-07-25 17:08:16 +02:00
repeated RemotePeerConfig remotePeers = 3;
Change Management Sync protocol to support incremental (serial) network changes (#191) * feature: introduce NetworkMap to the management protocol with a Serial ID * test: add Management Sync method protocol test * test: add Management Sync method NetworkMap field check [FAILING] * test: add Management Sync method NetworkMap field check [FAILING] * feature: fill NetworkMap property to when Deleting peer * feature: fill NetworkMap in the Sync protocol * test: code review mentions - GeneratePrivateKey() in the test * fix: wiretrustee client use wireguard GeneratePrivateKey() instead of GenerateKey() * test: add NetworkMap test * fix: management_proto test remove store.json on test finish
2022-01-16 17:10:36 +01:00
Delete peer (#114) * feature: add peer deletion * feature: add peer deletion [CLIENT] * fix: lint error * test: fix sync block * test: fix management test * feature: add client stop after was deleted * chore: remove permission denied cancellation * chore: add larger signal backoff * feature: notify deleted peer of removal * fix: lint issue * chore: add 2nd default key - one off * test: fix account key check
2021-09-07 18:36:46 +02:00
// Indicates whether remotePeers array is empty or not to bypass protobuf null and empty array equality.
Change Management Sync protocol to support incremental (serial) network changes (#191) * feature: introduce NetworkMap to the management protocol with a Serial ID * test: add Management Sync method protocol test * test: add Management Sync method NetworkMap field check [FAILING] * test: add Management Sync method NetworkMap field check [FAILING] * feature: fill NetworkMap property to when Deleting peer * feature: fill NetworkMap in the Sync protocol * test: code review mentions - GeneratePrivateKey() in the test * fix: wiretrustee client use wireguard GeneratePrivateKey() instead of GenerateKey() * test: add NetworkMap test * fix: management_proto test remove store.json on test finish
2022-01-16 17:10:36 +01:00
// Deprecated. Use NetworkMap.remotePeersIsEmpty
Delete peer (#114) * feature: add peer deletion * feature: add peer deletion [CLIENT] * fix: lint error * test: fix sync block * test: fix management test * feature: add client stop after was deleted * chore: remove permission denied cancellation * chore: add larger signal backoff * feature: notify deleted peer of removal * fix: lint issue * chore: add 2nd default key - one off * test: fix account key check
2021-09-07 18:36:46 +02:00
bool remotePeersIsEmpty = 4;
Change Management Sync protocol to support incremental (serial) network changes (#191) * feature: introduce NetworkMap to the management protocol with a Serial ID * test: add Management Sync method protocol test * test: add Management Sync method NetworkMap field check [FAILING] * test: add Management Sync method NetworkMap field check [FAILING] * feature: fill NetworkMap property to when Deleting peer * feature: fill NetworkMap in the Sync protocol * test: code review mentions - GeneratePrivateKey() in the test * fix: wiretrustee client use wireguard GeneratePrivateKey() instead of GenerateKey() * test: add NetworkMap test * fix: management_proto test remove store.json on test finish
2022-01-16 17:10:36 +01:00
NetworkMap NetworkMap = 5;
Extend Management to support peer changes distribution (#55) * feature: add peer sync and a server public key endpoints * test: add Management.Sync() gRpc endpoint test * feat: implement peer sync * docs: added some comments to the Management server * chore: use for loop over channel when monitoring peer updates * fix: exit infinite loop when sending updates to peers * test: add multiple concurrent peers test for management service * chore: remove unused test * fix: reduce the amount peers for a concurrent peer update test Co-authored-by: braginini <m.bragin@wiretrustee.com>
2021-07-22 10:28:00 +02:00
}
Peer management login (#83) * feature: replace RegisterPeer with Login method that does both - registration and login * test: add management login test * feature: add WiretrusteeConfig to the Login response to configure peer global config * feature: add client peer login support * fix: missing parts * chore: update go deps * feature: support Management Service gRPC endpoints [CLIENT] * feature: finalize client sync with management * fix: management store peer key lower case restore * fix: management returns peer ip without a mask * refactor: remove cmd pkg * fix: invalid tun interface name on mac * fix: timeout when calling management client * fix: tests and lint errors * fix: golang-test workflow * fix: client service tests * fix: iface build * feature: detect management scheme on startup * chore: better logs for management * fix: goreleaser * fix: lint errors * fix: signal TLS * fix: direct Wireguard connection * chore: verbose logging on direct connection
2021-08-15 16:56:26 +02:00
message LoginRequest {
// Pre-authorized setup key (can be empty)
string setupKey = 1;
Add peer meta data (#95) * feature: add peer GET and DELETE API methods * refactor: extract peer business logic to a separate file * refactor: extract peer business logic to a separate file * feature: add peer update HTTP endpoint * chore: fill peer new fields * merge with main * refactor: HTTP methods according to standards * feature: add peer system metadata * feature: add peer status * test: fix removal
2021-08-24 11:50:19 +02:00
// Meta data of the peer (e.g. name, os_name, os_version,
PeerSystemMeta meta = 2;
Adding peer registration support to JWT (#305) The management will validate the JWT as it does in the API and will register the Peer to the user's account. New fields were added to grpc messages in management and client daemon and its clients were updated Peer has one new field, UserID, that will hold the id of the user that registered it JWT middleware CheckJWT got a splitter and renamed to support validation for non HTTP requests Added test for adding new Peer with UserID Lots of tests update because of a new field
2022-05-05 20:02:15 +02:00
// SSO token (can be empty)
string jwtToken = 3;
NetBird SSH (#361) This PR adds support for SSH access through the NetBird network without managing SSH skeys. NetBird client app has an embedded SSH server (Linux/Mac only) and a netbird ssh command.
2022-06-23 17:04:53 +02:00
// Can be absent for now.
PeerKeys peerKeys = 4;
}
// PeerKeys is additional peer info like SSH pub key and WireGuard public key.
// This message is sent on Login or register requests, or when a key rotation has to happen.
message PeerKeys {
// sshPubKey represents a public SSH key of the peer. Can be absent.
bytes sshPubKey = 1;
// wgPubKey represents a public WireGuard key of the peer. Can be absent.
bytes wgPubKey = 2;
Add peer meta data (#95) * feature: add peer GET and DELETE API methods * refactor: extract peer business logic to a separate file * refactor: extract peer business logic to a separate file * feature: add peer update HTTP endpoint * chore: fill peer new fields * merge with main * refactor: HTTP methods according to standards * feature: add peer system metadata * feature: add peer status * test: fix removal
2021-08-24 11:50:19 +02:00
}
NetBird SSH (#361) This PR adds support for SSH access through the NetBird network without managing SSH skeys. NetBird client app has an embedded SSH server (Linux/Mac only) and a netbird ssh command.
2022-06-23 17:04:53 +02:00
// PeerSystemMeta is machine meta data like OS and version.
Add peer meta data (#95) * feature: add peer GET and DELETE API methods * refactor: extract peer business logic to a separate file * refactor: extract peer business logic to a separate file * feature: add peer update HTTP endpoint * chore: fill peer new fields * merge with main * refactor: HTTP methods according to standards * feature: add peer system metadata * feature: add peer status * test: fix removal
2021-08-24 11:50:19 +02:00
message PeerSystemMeta {
string hostname = 1;
string goOS = 2;
string kernel = 3;
string core = 4;
string platform = 5;
string OS = 6;
string wiretrusteeVersion = 7;
Versioning of UI and grpc-agent for passing version (#324) Send Desktop UI client version as user-agent to daemon This is sent on every login request to the management Parse the GRPC context on the system package and retrieves the user-agent Management receives the new UIVersion field and store in the Peer's system meta
2022-05-25 23:25:02 +02:00
string uiVersion = 8;
feature: basic management service implementation (#44) * feat: basic management service implementation [FAILING TESTS] * test: fix healthcheck test * test: #39 add peer registration endpoint test * feat: #39 add setup key handling * feat: #39 add peer management store persistence * refactor: extract config read/write to the utility package * refactor: move file contents copy to the utility package * refactor: use Accounts instead of Users in the Store * feature: add management server Docker file * refactor: introduce datadir instead of config * chore: use filepath.Join to concat filepaths instead of string concat * refactor: move stop channel to the root * refactor: move stop channel to the root * review: fix PR review notes Co-authored-by: braginini <hello@wiretrustee.com>
2021-07-17 14:38:59 +02:00
}
Peer management login (#83) * feature: replace RegisterPeer with Login method that does both - registration and login * test: add management login test * feature: add WiretrusteeConfig to the Login response to configure peer global config * feature: add client peer login support * fix: missing parts * chore: update go deps * feature: support Management Service gRPC endpoints [CLIENT] * feature: finalize client sync with management * fix: management store peer key lower case restore * fix: management returns peer ip without a mask * refactor: remove cmd pkg * fix: invalid tun interface name on mac * fix: timeout when calling management client * fix: tests and lint errors * fix: golang-test workflow * fix: client service tests * fix: iface build * feature: detect management scheme on startup * chore: better logs for management * fix: goreleaser * fix: lint errors * fix: signal TLS * fix: direct Wireguard connection * chore: verbose logging on direct connection
2021-08-15 16:56:26 +02:00
message LoginResponse {
// Global config
WiretrusteeConfig wiretrusteeConfig = 1;
// Peer local config
PeerConfig peerConfig = 2;
}
feature: basic management service implementation (#44) * feat: basic management service implementation [FAILING TESTS] * test: fix healthcheck test * test: #39 add peer registration endpoint test * feat: #39 add setup key handling * feat: #39 add peer management store persistence * refactor: extract config read/write to the utility package * refactor: move file contents copy to the utility package * refactor: use Accounts instead of Users in the Store * feature: add management server Docker file * refactor: introduce datadir instead of config * chore: use filepath.Join to concat filepaths instead of string concat * refactor: move stop channel to the root * refactor: move stop channel to the root * review: fix PR review notes Co-authored-by: braginini <hello@wiretrustee.com>
2021-07-17 14:38:59 +02:00
Extend Management to support peer changes distribution (#55) * feature: add peer sync and a server public key endpoints * test: add Management.Sync() gRpc endpoint test * feat: implement peer sync * docs: added some comments to the Management server * chore: use for loop over channel when monitoring peer updates * fix: exit infinite loop when sending updates to peers * test: add multiple concurrent peers test for management service * chore: remove unused test * fix: reduce the amount peers for a concurrent peer update test Co-authored-by: braginini <m.bragin@wiretrustee.com>
2021-07-22 10:28:00 +02:00
message ServerKeyResponse {
// Server's Wireguard public key
string key = 1;
// Key expiration timestamp after which the key should be fetched again by the client
google.protobuf.Timestamp expiresAt = 2;
Change Management Sync protocol to support incremental (serial) network changes (#191) * feature: introduce NetworkMap to the management protocol with a Serial ID * test: add Management Sync method protocol test * test: add Management Sync method NetworkMap field check [FAILING] * test: add Management Sync method NetworkMap field check [FAILING] * feature: fill NetworkMap property to when Deleting peer * feature: fill NetworkMap in the Sync protocol * test: code review mentions - GeneratePrivateKey() in the test * fix: wiretrustee client use wireguard GeneratePrivateKey() instead of GenerateKey() * test: add NetworkMap test * fix: management_proto test remove store.json on test finish
2022-01-16 17:10:36 +01:00
// Version of the Wiretrustee Management Service protocol
int32 version = 3;
Extend Management to support peer changes distribution (#55) * feature: add peer sync and a server public key endpoints * test: add Management.Sync() gRpc endpoint test * feat: implement peer sync * docs: added some comments to the Management server * chore: use for loop over channel when monitoring peer updates * fix: exit infinite loop when sending updates to peers * test: add multiple concurrent peers test for management service * chore: remove unused test * fix: reduce the amount peers for a concurrent peer update test Co-authored-by: braginini <m.bragin@wiretrustee.com>
2021-07-22 10:28:00 +02:00
}
add config properties to the SyncResponse of the management gRpc service (#66) * feature: add config properties to the SyncResponse of the management gRpc service
2021-07-25 17:08:16 +02:00
message Empty {}
// WiretrusteeConfig is a common configuration of any Wiretrustee peer. It contains STUN, TURN, Signal and Management servers configurations
message WiretrusteeConfig {
// a list of STUN servers
repeated HostConfig stuns = 1;
// a list of TURN servers
repeated ProtectedHostConfig turns = 2;
// a Signal server config
HostConfig signal = 3;
}
// HostConfig describes connection properties of some server (e.g. STUN, Signal, Management)
message HostConfig {
Peer configuration management (#69) * feature: add config properties to the SyncResponse of the management gRpc service * fix: lint errors * chore: modify management protocol according to the review notes * fix: management proto fields sequence * feature: add proper peer configuration to be synced * chore: minor changes * feature: finalize peer config management * fix: lint errors * feature: add management server config file * refactor: extract hosts-config to a separate file * refactor: review notes applied to correct file_store usage * refactor: extract management service configuration to a file * refactor: simplify management config
2021-07-30 17:46:38 +02:00
// URI of the resource e.g. turns://stun.wiretrustee.com:4430 or signal.wiretrustee.com:10000
string uri = 1;
Protocol protocol = 2;
add config properties to the SyncResponse of the management gRpc service (#66) * feature: add config properties to the SyncResponse of the management gRpc service
2021-07-25 17:08:16 +02:00
enum Protocol {
Peer configuration management (#69) * feature: add config properties to the SyncResponse of the management gRpc service * fix: lint errors * chore: modify management protocol according to the review notes * fix: management proto fields sequence * feature: add proper peer configuration to be synced * chore: minor changes * feature: finalize peer config management * fix: lint errors * feature: add management server config file * refactor: extract hosts-config to a separate file * refactor: review notes applied to correct file_store usage * refactor: extract management service configuration to a file * refactor: simplify management config
2021-07-30 17:46:38 +02:00
UDP = 0;
TCP = 1;
HTTP = 2;
HTTPS = 3;
DTLS = 4;
add config properties to the SyncResponse of the management gRpc service (#66) * feature: add config properties to the SyncResponse of the management gRpc service
2021-07-25 17:08:16 +02:00
}
}
// ProtectedHostConfig is similar to HostConfig but has additional user and password
// Mostly used for TURN servers
message ProtectedHostConfig {
HostConfig hostConfig = 1;
string user = 2;
string password = 3;
}
// PeerConfig represents a configuration of a "our" peer.
// The properties are used to configure local Wireguard
message PeerConfig {
// Peer's virtual IP address within the Wiretrustee VPN (a Wireguard address config)
string address = 1;
// Wiretrustee DNS server (a Wireguard DNS config)
string dns = 2;
NetBird SSH (#361) This PR adds support for SSH access through the NetBird network without managing SSH skeys. NetBird client app has an embedded SSH server (Linux/Mac only) and a netbird ssh command.
2022-06-23 17:04:53 +02:00
// SSHConfig of the peer.
SSHConfig sshConfig = 3;
Sync peers FQDN (#584) Use stdout and stderr log path only if on Linux and attempt to create the path Update status system with FQDN fields and status command to display the domain names of remote and local peers Set some DNS logs to tracing update readme file
2022-11-26 13:29:50 +01:00
// Peer fully qualified domain name
string fqdn = 4;
add config properties to the SyncResponse of the management gRpc service (#66) * feature: add config properties to the SyncResponse of the management gRpc service
2021-07-25 17:08:16 +02:00
}
Change Management Sync protocol to support incremental (serial) network changes (#191) * feature: introduce NetworkMap to the management protocol with a Serial ID * test: add Management Sync method protocol test * test: add Management Sync method NetworkMap field check [FAILING] * test: add Management Sync method NetworkMap field check [FAILING] * feature: fill NetworkMap property to when Deleting peer * feature: fill NetworkMap in the Sync protocol * test: code review mentions - GeneratePrivateKey() in the test * fix: wiretrustee client use wireguard GeneratePrivateKey() instead of GenerateKey() * test: add NetworkMap test * fix: management_proto test remove store.json on test finish
2022-01-16 17:10:36 +01:00
// NetworkMap represents a network state of the peer with the corresponding configuration parameters to establish peer-to-peer connections
message NetworkMap {
// Serial is an ID of the network state to be used by clients to order updates.
// The larger the Serial the newer the configuration.
// E.g. the client app should keep track of this id locally and discard all the configurations with a lower value
uint64 Serial = 1;
// PeerConfig represents configuration of a peer
PeerConfig peerConfig = 2;
// RemotePeerConfig represents a list of remote peers that the receiver can connect to
repeated RemotePeerConfig remotePeers = 3;
// Indicates whether remotePeers array is empty or not to bypass protobuf null and empty array equality.
bool remotePeersIsEmpty = 4;
Add routing support to management service (#424) Management will receive and store routes that are associated with a peer ID. The routes are distributed to peers according to their ACLs.
2022-08-18 18:22:15 +02:00
// List of routes to be applied
repeated Route Routes = 5;
Feature/dns protocol (#543) Added DNS update protocol message Added sync to clients Update nameserver API with new fields Added default NS groups Added new dns-name flag for the management service append to peer DNS label
2022-11-07 15:38:21 +01:00
// DNS config to be applied
DNSConfig DNSConfig = 6;
Report offline peers to agents (#728) The peer login expiration ACL check introduced in #714 filters out peers that are expired and agents receive a network map without that expired peers. However, the agents should see those peers in status "Disconnected". This PR extends the Agent <-> Management protocol by introducing a new field OfflinePeers that contain expired peers. Agents keep track of those and display then just in the Status response.
2023-03-07 10:17:25 +01:00
// RemotePeerConfig represents a list of remote peers that the receiver can connect to
repeated RemotePeerConfig offlinePeers = 7;
Feat linux firewall support (#805) Update the client's engine to apply firewall rules received from the manager (results of ACL policy).
2023-05-29 16:00:18 +02:00
// FirewallRule represents a list of firewall rules to be applied to peer
repeated FirewallRule FirewallRules = 8;
Extend protocol and firewall manager to handle old management (#915) * Extend protocol and firewall manager to handle old management * Send correct empty firewall rules list when delete peer * Add extra tests for firewall manager and uspfilter * Work with inconsistent state * Review note * Update comment
2023-05-31 19:04:38 +02:00
// firewallRulesIsEmpty indicates whether FirewallRule array is empty or not to bypass protobuf null and empty array equality.
bool firewallRulesIsEmpty = 9;
Change Management Sync protocol to support incremental (serial) network changes (#191) * feature: introduce NetworkMap to the management protocol with a Serial ID * test: add Management Sync method protocol test * test: add Management Sync method NetworkMap field check [FAILING] * test: add Management Sync method NetworkMap field check [FAILING] * feature: fill NetworkMap property to when Deleting peer * feature: fill NetworkMap in the Sync protocol * test: code review mentions - GeneratePrivateKey() in the test * fix: wiretrustee client use wireguard GeneratePrivateKey() instead of GenerateKey() * test: add NetworkMap test * fix: management_proto test remove store.json on test finish
2022-01-16 17:10:36 +01:00
}
add config properties to the SyncResponse of the management gRpc service (#66) * feature: add config properties to the SyncResponse of the management gRpc service
2021-07-25 17:08:16 +02:00
// RemotePeerConfig represents a configuration of a remote peer.
Report offline peers to agents (#728) The peer login expiration ACL check introduced in #714 filters out peers that are expired and agents receive a network map without that expired peers. However, the agents should see those peers in status "Disconnected". This PR extends the Agent <-> Management protocol by introducing a new field OfflinePeers that contain expired peers. Agents keep track of those and display then just in the Status response.
2023-03-07 10:17:25 +01:00
// The properties are used to configure WireGuard Peers sections
add config properties to the SyncResponse of the management gRpc service (#66) * feature: add config properties to the SyncResponse of the management gRpc service
2021-07-25 17:08:16 +02:00
message RemotePeerConfig {
Report offline peers to agents (#728) The peer login expiration ACL check introduced in #714 filters out peers that are expired and agents receive a network map without that expired peers. However, the agents should see those peers in status "Disconnected". This PR extends the Agent <-> Management protocol by introducing a new field OfflinePeers that contain expired peers. Agents keep track of those and display then just in the Status response.
2023-03-07 10:17:25 +01:00
// A WireGuard public key of a remote peer
add config properties to the SyncResponse of the management gRpc service (#66) * feature: add config properties to the SyncResponse of the management gRpc service
2021-07-25 17:08:16 +02:00
string wgPubKey = 1;
feature: basic management service implementation (#44) * feat: basic management service implementation [FAILING TESTS] * test: fix healthcheck test * test: #39 add peer registration endpoint test * feat: #39 add setup key handling * feat: #39 add peer management store persistence * refactor: extract config read/write to the utility package * refactor: move file contents copy to the utility package * refactor: use Accounts instead of Users in the Store * feature: add management server Docker file * refactor: introduce datadir instead of config * chore: use filepath.Join to concat filepaths instead of string concat * refactor: move stop channel to the root * refactor: move stop channel to the root * review: fix PR review notes Co-authored-by: braginini <hello@wiretrustee.com>
2021-07-17 14:38:59 +02:00
Report offline peers to agents (#728) The peer login expiration ACL check introduced in #714 filters out peers that are expired and agents receive a network map without that expired peers. However, the agents should see those peers in status "Disconnected". This PR extends the Agent <-> Management protocol by introducing a new field OfflinePeers that contain expired peers. Agents keep track of those and display then just in the Status response.
2023-03-07 10:17:25 +01:00
// WireGuard allowed IPs of a remote peer e.g. [10.30.30.1/32]
add config properties to the SyncResponse of the management gRpc service (#66) * feature: add config properties to the SyncResponse of the management gRpc service
2021-07-25 17:08:16 +02:00
repeated string allowedIps = 2;
NetBird SSH (#361) This PR adds support for SSH access through the NetBird network without managing SSH skeys. NetBird client app has an embedded SSH server (Linux/Mac only) and a netbird ssh command.
2022-06-23 17:04:53 +02:00
// SSHConfig is a SSH config of the remote peer. SSHConfig.sshPubKey should be ignored because peer knows it's SSH key.
SSHConfig sshConfig = 3;
Sync peers FQDN (#584) Use stdout and stderr log path only if on Linux and attempt to create the path Update status system with FQDN fields and status command to display the domain names of remote and local peers Set some DNS logs to tracing update readme file
2022-11-26 13:29:50 +01:00
// Peer fully qualified domain name
string fqdn = 4;
Get Device Authorization Flow information from management (#308) We will configure the device authorization flow information and a client will retrieve it and initiate a device authorization gran flow
2022-05-08 11:04:57 +02:00
}
NetBird SSH (#361) This PR adds support for SSH access through the NetBird network without managing SSH skeys. NetBird client app has an embedded SSH server (Linux/Mac only) and a netbird ssh command.
2022-06-23 17:04:53 +02:00
// SSHConfig represents SSH configurations of a peer.
message SSHConfig {
// sshEnabled indicates whether a SSH server is enabled on this peer
bool sshEnabled = 1;
// sshPubKey is a SSH public key of a peer to be added to authorized_hosts.
// This property should be ignore if SSHConfig comes from PeerConfig.
bytes sshPubKey = 2;
}
Get Device Authorization Flow information from management (#308) We will configure the device authorization flow information and a client will retrieve it and initiate a device authorization gran flow
2022-05-08 11:04:57 +02:00
// DeviceAuthorizationFlowRequest empty struct for future expansion
message DeviceAuthorizationFlowRequest {}
// DeviceAuthorizationFlow represents Device Authorization Flow information
// that can be used by the client to login initiate a Oauth 2.0 device authorization grant flow
// see https://datatracker.ietf.org/doc/html/rfc8628
message DeviceAuthorizationFlow {
// An IDP provider , (eg. Auth0)
provider Provider = 1;
ProviderConfig ProviderConfig = 2;
enum provider {
HOSTED = 0;
}
}
Add PKCE authorization flow (#1012) Enhance the user experience by enabling authentication to Netbird using Single Sign-On (SSO) with any Identity Provider (IDP) provider. Current client offers this capability through the Device Authorization Flow, however, is not widely supported by many IDPs, and even some that do support it do not provide a complete verification URL. To address these challenges, this pull request enable Authorization Code Flow with Proof Key for Code Exchange (PKCE) for client logins, which is a more widely adopted and secure approach to facilitate SSO with various IDP providers.
2023-07-27 11:31:07 +02:00
// PKCEAuthorizationFlowRequest empty struct for future expansion
message PKCEAuthorizationFlowRequest {}
// PKCEAuthorizationFlow represents Authorization Code Flow information
// that can be used by the client to login initiate a Oauth 2.0 authorization code grant flow
// with Proof Key for Code Exchange (PKCE). See https://datatracker.ietf.org/doc/html/rfc7636
message PKCEAuthorizationFlow {
ProviderConfig ProviderConfig = 1;
}
// ProviderConfig has all attributes needed to initiate a device/pkce authorization flow
Get Device Authorization Flow information from management (#308) We will configure the device authorization flow information and a client will retrieve it and initiate a device authorization gran flow
2022-05-08 11:04:57 +02:00
message ProviderConfig {
// An IDP application client id
string ClientID = 1;
// An IDP application client secret
string ClientSecret = 2;
// An IDP API domain
Support Generic OAuth 2.0 Device Authorization Grant (#433) Support Generic OAuth 2.0 Device Authorization Grant as per RFC specification https://www.rfc-editor.org/rfc/rfc8628. The previous version supported only Auth0 as an IDP backend. This implementation enables the Interactive SSO Login feature for any IDP compatible with the specification, e.g., Keycloak.
2022-08-23 15:46:12 +02:00
// Deprecated. Use a DeviceAuthEndpoint and TokenEndpoint
string Domain = 3;
Get Device Authorization Flow information from management (#308) We will configure the device authorization flow information and a client will retrieve it and initiate a device authorization gran flow
2022-05-08 11:04:57 +02:00
// An Audience for validation
string Audience = 4;
Support Generic OAuth 2.0 Device Authorization Grant (#433) Support Generic OAuth 2.0 Device Authorization Grant as per RFC specification https://www.rfc-editor.org/rfc/rfc8628. The previous version supported only Auth0 as an IDP backend. This implementation enables the Interactive SSO Login feature for any IDP compatible with the specification, e.g., Keycloak.
2022-08-23 15:46:12 +02:00
// DeviceAuthEndpoint is an endpoint to request device authentication code.
string DeviceAuthEndpoint = 5;
// TokenEndpoint is an endpoint to request auth token.
string TokenEndpoint = 6;
Support remote scope and use id token configuration (#784) Some IDP requires different scope requests and issue access tokens for different purposes This change allow for remote configurable scopes and the use of ID token
2023-04-05 17:46:34 +02:00
// Scopes provides the scopes to be included in the token request
string Scope = 7;
// UseIDToken indicates if the id token should be used for authentication
bool UseIDToken = 8;
Add PKCE authorization flow (#1012) Enhance the user experience by enabling authentication to Netbird using Single Sign-On (SSO) with any Identity Provider (IDP) provider. Current client offers this capability through the Device Authorization Flow, however, is not widely supported by many IDPs, and even some that do support it do not provide a complete verification URL. To address these challenges, this pull request enable Authorization Code Flow with Proof Key for Code Exchange (PKCE) for client logins, which is a more widely adopted and secure approach to facilitate SSO with various IDP providers.
2023-07-27 11:31:07 +02:00
// AuthorizationEndpoint is the endpoint of an IDP manager where clients can obtain authorization code.
string AuthorizationEndpoint = 9;
// RedirectURLs handles authorization code from IDP manager
repeated string RedirectURLs = 10;
Versioning of UI and grpc-agent for passing version (#324) Send Desktop UI client version as user-agent to daemon This is sent on every login request to the management Parse the GRPC context on the system package and retrieves the user-agent Management receives the new UIVersion field and store in the Peer's system meta
2022-05-25 23:25:02 +02:00
}
Add routing support to management service (#424) Management will receive and store routes that are associated with a peer ID. The routes are distributed to peers according to their ACLs.
2022-08-18 18:22:15 +02:00
// Route represents a route.Route object
message Route {
string ID = 1;
Add Network ID and rename Prefix to Network (#432) Adding network ID will allow us to group Renaming Prefix with Network will keep things more clear and Consistent
2022-08-22 14:10:24 +02:00
string Network = 2;
int64 NetworkType = 3;
Add routing support to management service (#424) Management will receive and store routes that are associated with a peer ID. The routes are distributed to peers according to their ACLs.
2022-08-18 18:22:15 +02:00
string Peer = 4;
int64 Metric = 5;
bool Masquerade = 6;
Add Network ID and rename Prefix to Network (#432) Adding network ID will allow us to group Renaming Prefix with Network will keep things more clear and Consistent
2022-08-22 14:10:24 +02:00
string NetID = 7;
Feature/dns protocol (#543) Added DNS update protocol message Added sync to clients Update nameserver API with new fields Added default NS groups Added new dns-name flag for the management service append to peer DNS label
2022-11-07 15:38:21 +01:00
}
// DNSConfig represents a dns.Update
message DNSConfig {
bool ServiceEnable = 1;
repeated NameServerGroup NameServerGroups = 2;
repeated CustomZone CustomZones = 3;
}
// CustomZone represents a dns.CustomZone
message CustomZone {
string Domain = 1;
repeated SimpleRecord Records = 2;
}
// SimpleRecord represents a dns.SimpleRecord
message SimpleRecord {
string Name = 1;
int64 Type = 2;
string Class = 3;
int64 TTL = 4;
string RData = 5;
}
// NameServerGroup represents a dns.NameServerGroup
message NameServerGroup {
repeated NameServer NameServers = 1;
bool Primary = 2;
repeated string Domains = 3;
Add search domains support (#1224) Supporting search domains will allow users to define match domains to also be added to a list of search domains in their systems Fix Windows registry key configuration for search domains using a key within the netbird interface path
2023-10-19 19:32:42 +02:00
bool SearchDomainsEnabled = 4;
Feature/dns protocol (#543) Added DNS update protocol message Added sync to clients Update nameserver API with new fields Added default NS groups Added new dns-name flag for the management service append to peer DNS label
2022-11-07 15:38:21 +01:00
}
// NameServer represents a dns.NameServer
message NameServer {
string IP = 1;
int64 NSType = 2;
int64 Port = 3;
Feat linux firewall support (#805) Update the client's engine to apply firewall rules received from the manager (results of ACL policy).
2023-05-29 16:00:18 +02:00
}
// FirewallRule represents a firewall rule
message FirewallRule {
string PeerIP = 1;
direction Direction = 2;
action Action = 3;
protocol Protocol = 4;
string Port = 5;
enum direction {
IN = 0;
OUT = 1;
}
enum action {
ACCEPT = 0;
DROP = 1;
}
enum protocol {
UNKNOWN = 0;
ALL = 1;
TCP = 2;
UDP = 3;
ICMP = 4;
}
}
Reference in New Issue Copy Permalink