netbird/management/server/config.go

package server

import (
	"net/url"

	"github.com/netbirdio/netbird/management/server/idp"
	"github.com/netbirdio/netbird/util"
)

type Protocol string
type Provider string

const (
	UDP   Protocol = "udp"
	DTLS  Protocol = "dtls"
	TCP   Protocol = "tcp"
	HTTP  Protocol = "http"
	HTTPS Protocol = "https"
	AUTH0 Provider = "auth0"
)

// Config of the Management service
type Config struct {
	Stuns      []*Host
	TURNConfig *TURNConfig
	Signal     *Host

	Datadir string

	HttpConfig *HttpServerConfig

	IdpManagerConfig *idp.Config

	DeviceAuthorizationFlow *DeviceAuthorizationFlow
}

// TURNConfig is a config of the TURNCredentialsManager
type TURNConfig struct {
	TimeBasedCredentials bool
	CredentialsTTL       util.Duration
	Secret               string
	Turns                []*Host
}

// HttpServerConfig is a config of the HTTP Management service server
type HttpServerConfig struct {
	LetsEncryptDomain string
	//CertFile is the location of the certificate
	CertFile string
	//CertKey is the location of the certificate private key
	CertKey string
	Address string
	// AuthAudience identifies the recipients that the JWT is intended for (aud in JWT)
	AuthAudience string
	// AuthIssuer identifies principal that issued the JWT.
	AuthIssuer string
	// AuthKeysLocation is a location of JWT key set containing the public keys used to verify JWT
	AuthKeysLocation string
}

// Host represents a Wiretrustee host (e.g. STUN, TURN, Signal)
type Host struct {
	Proto Protocol
	// URI e.g. turns://stun.wiretrustee.com:4430 or signal.wiretrustee.com:10000
	URI      string
	Username string
	Password string
}

// DeviceAuthorizationFlow represents Device Authorization Flow information
// that can be used by the client to login initiate a Oauth 2.0 device authorization grant flow
// see https://datatracker.ietf.org/doc/html/rfc8628
type DeviceAuthorizationFlow struct {
	Provider       string
	ProviderConfig ProviderConfig
}

// ProviderConfig has all attributes needed to initiate a device authorization flow
type ProviderConfig struct {
	// ClientID An IDP application client id
	ClientID string
	// ClientSecret An IDP application client secret
	ClientSecret string
	// Domain An IDP API domain
	Domain string
	// Audience An Audience for to authorization validation
	Audience string
}

// validateURL validates input http url
func validateURL(httpURL string) bool {
	_, err := url.ParseRequestURI(httpURL)
	return err == nil
}
Peer configuration management (#69) * feature: add config properties to the SyncResponse of the management gRpc service * fix: lint errors * chore: modify management protocol according to the review notes * fix: management proto fields sequence * feature: add proper peer configuration to be synced * chore: minor changes * feature: finalize peer config management * fix: lint errors * feature: add management server config file * refactor: extract hosts-config to a separate file * refactor: review notes applied to correct file_store usage * refactor: extract management service configuration to a file * refactor: simplify management config 2021-07-30 17:46:38 +02:00			`package server`

Turn credentials generation (#102) * abstract peer channel * remove wip code * refactor NewServer with Peer updates channel * feature: add TURN credentials manager * hmac logic * example test function * test: add TimeBasedAuthSecretsManager_GenerateCredentials test * test: make tests for now with hardcoded secret * test: add TimeBasedAuthSecretsManager_SetupRefresh test * test: add TimeBasedAuthSecretsManager_SetupRefresh test * test: add TimeBasedAuthSecretsManager_CancelRefresh test * feature: extract TURNConfig to the management config * feature: return hash based TURN credentials only on initial sync * feature: make TURN time based secret credentials optional Co-authored-by: mlsmaycon <mlsmaycon@gmail.com> 2021-09-02 14:41:54 +02:00			`import (`
Rename management from Wiretrustee to Netbird (#311) Rename documentation and goreleaser build names Added a migration function for when the old path exists and the new one doesn't updated the configure.sh to generate the docker-compose with a new path only if no pre-existing volume with old name exists 2022-05-13 14:11:21 +02:00			`"net/url"`

Rename module to netbirdio/netbird (#288) rename the go module to netbirdio/netbird as part of our rebranding. 2022-03-26 12:08:54 +01:00			`"github.com/netbirdio/netbird/management/server/idp"`
			`"github.com/netbirdio/netbird/util"`
Turn credentials generation (#102) * abstract peer channel * remove wip code * refactor NewServer with Peer updates channel * feature: add TURN credentials manager * hmac logic * example test function * test: add TimeBasedAuthSecretsManager_GenerateCredentials test * test: make tests for now with hardcoded secret * test: add TimeBasedAuthSecretsManager_SetupRefresh test * test: add TimeBasedAuthSecretsManager_SetupRefresh test * test: add TimeBasedAuthSecretsManager_CancelRefresh test * feature: extract TURNConfig to the management config * feature: return hash based TURN credentials only on initial sync * feature: make TURN time based secret credentials optional Co-authored-by: mlsmaycon <mlsmaycon@gmail.com> 2021-09-02 14:41:54 +02:00			`)`

Peer configuration management (#69) * feature: add config properties to the SyncResponse of the management gRpc service * fix: lint errors * chore: modify management protocol according to the review notes * fix: management proto fields sequence * feature: add proper peer configuration to be synced * chore: minor changes * feature: finalize peer config management * fix: lint errors * feature: add management server config file * refactor: extract hosts-config to a separate file * refactor: review notes applied to correct file_store usage * refactor: extract management service configuration to a file * refactor: simplify management config 2021-07-30 17:46:38 +02:00			`type Protocol string`
Get Device Authorization Flow information from management (#308) We will configure the device authorization flow information and a client will retrieve it and initiate a device authorization gran flow 2022-05-08 11:04:57 +02:00			`type Provider string`
Peer configuration management (#69) * feature: add config properties to the SyncResponse of the management gRpc service * fix: lint errors * chore: modify management protocol according to the review notes * fix: management proto fields sequence * feature: add proper peer configuration to be synced * chore: minor changes * feature: finalize peer config management * fix: lint errors * feature: add management server config file * refactor: extract hosts-config to a separate file * refactor: review notes applied to correct file_store usage * refactor: extract management service configuration to a file * refactor: simplify management config 2021-07-30 17:46:38 +02:00
			`const (`
			`UDP Protocol = "udp"`
			`DTLS Protocol = "dtls"`
			`TCP Protocol = "tcp"`
			`HTTP Protocol = "http"`
			`HTTPS Protocol = "https"`
Get Device Authorization Flow information from management (#308) We will configure the device authorization flow information and a client will retrieve it and initiate a device authorization gran flow 2022-05-08 11:04:57 +02:00			`AUTH0 Provider = "auth0"`
Peer configuration management (#69) * feature: add config properties to the SyncResponse of the management gRpc service * fix: lint errors * chore: modify management protocol according to the review notes * fix: management proto fields sequence * feature: add proper peer configuration to be synced * chore: minor changes * feature: finalize peer config management * fix: lint errors * feature: add management server config file * refactor: extract hosts-config to a separate file * refactor: review notes applied to correct file_store usage * refactor: extract management service configuration to a file * refactor: simplify management config 2021-07-30 17:46:38 +02:00			`)`

			`// Config of the Management service`
			`type Config struct {`
Turn credentials generation (#102) * abstract peer channel * remove wip code * refactor NewServer with Peer updates channel * feature: add TURN credentials manager * hmac logic * example test function * test: add TimeBasedAuthSecretsManager_GenerateCredentials test * test: make tests for now with hardcoded secret * test: add TimeBasedAuthSecretsManager_SetupRefresh test * test: add TimeBasedAuthSecretsManager_SetupRefresh test * test: add TimeBasedAuthSecretsManager_CancelRefresh test * feature: extract TURNConfig to the management config * feature: return hash based TURN credentials only on initial sync * feature: make TURN time based secret credentials optional Co-authored-by: mlsmaycon <mlsmaycon@gmail.com> 2021-09-02 14:41:54 +02:00			`Stuns []*Host`
			`TURNConfig *TURNConfig`
			`Signal *Host`
Peer configuration management (#69) * feature: add config properties to the SyncResponse of the management gRpc service * fix: lint errors * chore: modify management protocol according to the review notes * fix: management proto fields sequence * feature: add proper peer configuration to be synced * chore: minor changes * feature: finalize peer config management * fix: lint errors * feature: add management server config file * refactor: extract hosts-config to a separate file * refactor: review notes applied to correct file_store usage * refactor: extract management service configuration to a file * refactor: simplify management config 2021-07-30 17:46:38 +02:00
refactor: move LetsEncryptDomain to HttpServer config 2021-08-07 13:35:52 +02:00			`Datadir string`
feature: basic auth0 support (#78) * feature: basic auth0 support * refactor: improve auth flow * refactor: extract HttpServer config * feature: merge HTTP API layer with Let's Encrypt 2021-08-07 12:26:07 +02:00
			`HttpConfig *HttpServerConfig`
Link account id with the external user store (#184) * get account id from access token claim * use GetOrCreateAccountByUser and add test * correct account id claim * remove unused account * Idp manager interface * auth0 idp manager * use if instead of switch case * remove unnecessary lock * NewAuth0Manager * move idpmanager to its own package * update metadata when accountId is not supplied * update tests with idpmanager field * format * new idp manager and config support * validate if we fetch the interface before converting to string * split getJWTToken * improve tests * proper json fields and handle defer body close * fix ci lint notes * documentation and proper defer position * UpdateUserAppMetadata tests * update documentation * ManagerCredentials interface * Marshal and Unmarshal functions * fix tests * ManagerHelper and ManagerHTTPClient * further tests with mocking * rename package and custom http client * sync local packages * remove idp suffix 2022-01-24 11:21:30 +01:00
			`IdpManagerConfig *idp.Config`
Get Device Authorization Flow information from management (#308) We will configure the device authorization flow information and a client will retrieve it and initiate a device authorization gran flow 2022-05-08 11:04:57 +02:00
			`DeviceAuthorizationFlow *DeviceAuthorizationFlow`
feature: basic auth0 support (#78) * feature: basic auth0 support * refactor: improve auth flow * refactor: extract HttpServer config * feature: merge HTTP API layer with Let's Encrypt 2021-08-07 12:26:07 +02:00			`}`

Turn credentials generation (#102) * abstract peer channel * remove wip code * refactor NewServer with Peer updates channel * feature: add TURN credentials manager * hmac logic * example test function * test: add TimeBasedAuthSecretsManager_GenerateCredentials test * test: make tests for now with hardcoded secret * test: add TimeBasedAuthSecretsManager_SetupRefresh test * test: add TimeBasedAuthSecretsManager_SetupRefresh test * test: add TimeBasedAuthSecretsManager_CancelRefresh test * feature: extract TURNConfig to the management config * feature: return hash based TURN credentials only on initial sync * feature: make TURN time based secret credentials optional Co-authored-by: mlsmaycon <mlsmaycon@gmail.com> 2021-09-02 14:41:54 +02:00			`// TURNConfig is a config of the TURNCredentialsManager`
			`type TURNConfig struct {`
			`TimeBasedCredentials bool`
			`CredentialsTTL util.Duration`
client update of TURNs and STUNs (#106) * feature: update STUNs and TURNs in engine * fix: setup TURN credentials request only when refresh enabled * feature: update TURNs and STUNs in teh client app on Management update * chore: disable peer reflexive candidates in ICE * chore: relocate management.json * chore: make TURN secret and pwd plain text in config 2021-09-03 17:47:40 +02:00			`Secret string`
Turn credentials generation (#102) * abstract peer channel * remove wip code * refactor NewServer with Peer updates channel * feature: add TURN credentials manager * hmac logic * example test function * test: add TimeBasedAuthSecretsManager_GenerateCredentials test * test: make tests for now with hardcoded secret * test: add TimeBasedAuthSecretsManager_SetupRefresh test * test: add TimeBasedAuthSecretsManager_SetupRefresh test * test: add TimeBasedAuthSecretsManager_CancelRefresh test * feature: extract TURNConfig to the management config * feature: return hash based TURN credentials only on initial sync * feature: make TURN time based secret credentials optional Co-authored-by: mlsmaycon <mlsmaycon@gmail.com> 2021-09-02 14:41:54 +02:00			`Turns []*Host`
			`}`

refactor: move LetsEncryptDomain to HttpServer config 2021-08-07 13:35:52 +02:00			`// HttpServerConfig is a config of the HTTP Management service server`
feature: basic auth0 support (#78) * feature: basic auth0 support * refactor: improve auth flow * refactor: extract HttpServer config * feature: merge HTTP API layer with Let's Encrypt 2021-08-07 12:26:07 +02:00			`type HttpServerConfig struct {`
refactor: move LetsEncryptDomain to HttpServer config 2021-08-07 13:35:52 +02:00			`LetsEncryptDomain string`
management/support cert from file (#122) * feature: support cert file in management service * docs: add new management commands 2021-09-25 19:22:49 +02:00			`//CertFile is the location of the certificate`
			`CertFile string`
			`//CertKey is the location of the certificate private key`
			`CertKey string`
			`Address string`
peer management HTTP API (#81) * feature: create account for a newly registered user * feature: finalize user auth flow * feature: create protected API with JWT * chore: cleanup http server * feature: add UI assets * chore: update react UI * refactor: move account not exists -> create to AccountManager * chore: update UI * chore: return only peers on peers endpoint * chore: add UI path to the config * chore: remove ui from management * chore: remove unused Docker comamnds * docs: update management config sample * fix: store creation * feature: introduce peer response to the HTTP api * fix: lint errors * feature: add setup-keys HTTP endpoint * fix: return empty json arrays in HTTP API * feature: add new peer response fields 2021-08-12 12:49:10 +02:00			`// AuthAudience identifies the recipients that the JWT is intended for (aud in JWT)`
			`AuthAudience string`
			`// AuthIssuer identifies principal that issued the JWT.`
			`AuthIssuer string`
			`// AuthKeysLocation is a location of JWT key set containing the public keys used to verify JWT`
			`AuthKeysLocation string`
Peer configuration management (#69) * feature: add config properties to the SyncResponse of the management gRpc service * fix: lint errors * chore: modify management protocol according to the review notes * fix: management proto fields sequence * feature: add proper peer configuration to be synced * chore: minor changes * feature: finalize peer config management * fix: lint errors * feature: add management server config file * refactor: extract hosts-config to a separate file * refactor: review notes applied to correct file_store usage * refactor: extract management service configuration to a file * refactor: simplify management config 2021-07-30 17:46:38 +02:00			`}`

			`// Host represents a Wiretrustee host (e.g. STUN, TURN, Signal)`
			`type Host struct {`
			`Proto Protocol`
			`// URI e.g. turns://stun.wiretrustee.com:4430 or signal.wiretrustee.com:10000`
			`URI string`
			`Username string`
client update of TURNs and STUNs (#106) * feature: update STUNs and TURNs in engine * fix: setup TURN credentials request only when refresh enabled * feature: update TURNs and STUNs in teh client app on Management update * chore: disable peer reflexive candidates in ICE * chore: relocate management.json * chore: make TURN secret and pwd plain text in config 2021-09-03 17:47:40 +02:00			`Password string`
Peer configuration management (#69) * feature: add config properties to the SyncResponse of the management gRpc service * fix: lint errors * chore: modify management protocol according to the review notes * fix: management proto fields sequence * feature: add proper peer configuration to be synced * chore: minor changes * feature: finalize peer config management * fix: lint errors * feature: add management server config file * refactor: extract hosts-config to a separate file * refactor: review notes applied to correct file_store usage * refactor: extract management service configuration to a file * refactor: simplify management config 2021-07-30 17:46:38 +02:00			`}`
Adding peer registration support to JWT (#305) The management will validate the JWT as it does in the API and will register the Peer to the user's account. New fields were added to grpc messages in management and client daemon and its clients were updated Peer has one new field, UserID, that will hold the id of the user that registered it JWT middleware CheckJWT got a splitter and renamed to support validation for non HTTP requests Added test for adding new Peer with UserID Lots of tests update because of a new field 2022-05-05 20:02:15 +02:00
Get Device Authorization Flow information from management (#308) We will configure the device authorization flow information and a client will retrieve it and initiate a device authorization gran flow 2022-05-08 11:04:57 +02:00			`// DeviceAuthorizationFlow represents Device Authorization Flow information`
			`// that can be used by the client to login initiate a Oauth 2.0 device authorization grant flow`
			`// see https://datatracker.ietf.org/doc/html/rfc8628`
			`type DeviceAuthorizationFlow struct {`
			`Provider string`
			`ProviderConfig ProviderConfig`
			`}`

			`// ProviderConfig has all attributes needed to initiate a device authorization flow`
			`type ProviderConfig struct {`
			`// ClientID An IDP application client id`
			`ClientID string`
			`// ClientSecret An IDP application client secret`
			`ClientSecret string`
			`// Domain An IDP API domain`
			`Domain string`
			`// Audience An Audience for to authorization validation`
			`Audience string`
			`}`

Adding peer registration support to JWT (#305) The management will validate the JWT as it does in the API and will register the Peer to the user's account. New fields were added to grpc messages in management and client daemon and its clients were updated Peer has one new field, UserID, that will hold the id of the user that registered it JWT middleware CheckJWT got a splitter and renamed to support validation for non HTTP requests Added test for adding new Peer with UserID Lots of tests update because of a new field 2022-05-05 20:02:15 +02:00			`// validateURL validates input http url`
			`func validateURL(httpURL string) bool {`
			`_, err := url.ParseRequestURI(httpURL)`
Client Login via device authorization flow (#309) UI and CLI Clients are now able to use SSO login by default we will check if the management has configured or supports SSO providers daemon will handle fetching and waiting for an access token Oauth package was moved to internal to avoid one extra package at this stage Secrets were removed from OAuth CLI clients have less and better output 2 new status were introduced, NeedsLogin and FailedLogin for better messaging With NeedsLogin we no longer have endless login attempts 2022-05-12 11:17:24 +02:00			`return err == nil`
Adding peer registration support to JWT (#305) The management will validate the JWT as it does in the API and will register the Peer to the user's account. New fields were added to grpc messages in management and client daemon and its clients were updated Peer has one new field, UserID, that will hold the id of the user that registered it JWT middleware CheckJWT got a splitter and renamed to support validation for non HTTP requests Added test for adding new Peer with UserID Lots of tests update because of a new field 2022-05-05 20:02:15 +02:00			`}`