* Add method to retrieve peer's applied posture checks
* Add posture checks in server response and update proto messages
* Refactor
* Extend peer metadata synchronization through SyncRequest and propagate posture changes on SyncResponse
* Remove account lock
* Pass system info on sync
* Fix tests
* Refactor
* resolve merge
* Evaluate process check on client (#1749)
* implement server and client sync peer meta alongside mocks
* wip: add check file and process
* Add files to peer metadata for process check
* wip: update peer meta on first sync
* Add files to peer's metadata
* Evaluate process check using files from peer metadata
* Fix panic and append windows path to files
* Fix check network address and files equality
* Evaluate active process on darwin
* Evaluate active process on linux
* Skip processing processes if no paths are set
* Return network map on peer meta-sync and update account peers
* Update client network map on meta sync
* Get system info with applied checks
* Add windows package
* Remove a network map from sync meta-response
* Update checks proto message
* Keep client checks state and sync meta on checks change
* Evaluate a running process
* skip build for android and ios
* skip check file and process for android and ios
* bump gopsutil version
* fix tests
* move process check to separate os file
* refactor
* evaluate info with checks on receiving management events
* skip meta-update for an old client with no meta-sync support
* Check if peer meta is empty without reflection
Using the login-expired issue could cause problems with the ticker used in the scheduler.
This change makes 1s the minimum number returned when rescheduling the peer expiration task.
This PR implements the following posture checks:
* Agent minimum version allowed
* OS minimum version allowed
* Geo-location based on connection IP
For the geo-based location, we rely on GeoLite2 databases, which are free IP geolocation databases. MaxMind was tested, and we provide a script that allows easy download of all necessary files; see infrastructure_files/download-geolite2.sh.
The OpenAPI spec should extensively cover the life cycle of current version posture checks.
In some cases, when the refresh cache fails, we should try to get the cache from the external cache object.
This may happen if the IDP is not responsive between storing metadata and refreshing the cache.
We allow service users with the user role read-only access to all resources so users can create service users and propagate PATs without having to give full admin permissions.
Some IdPs might have eventual consistency for their API calls, and refreshing the cache with its data may return the deleted user as part of the account.
Introduce a new account manager method, removeUserFromCache, to remove the user from the local cache without refresh.
* Added function to check user access by JWT groups in the account management mock server and account manager
* Refactor auth middleware for group-based JWT access control
* Add group-based JWT access control on adding new peer with JWT
* Remove mapping error as the token validation error is already present in grpc error codes
* use GetAccountFromToken to prevent single mode issues
* handle foreground login message
---------
Co-authored-by: Maycon Santos <mlsmaycon@gmail.com>
* Extend management API to support list of allowed JWT groups (#1366)
* Add JWTAllowGroups settings to account management
* Return an empty group list if jwt allow groups is not set
* Add JwtAllowGroups to account settings in handler test
* Add JWT group-based user authorization (#1373)
* Add JWTAllowGroups settings to account management
* Return an empty group list if jwt allow groups is not set
* Add JwtAllowGroups to account settings in handler test
* Implement user access validation authentication based on JWT groups
* Remove the slices package import due to compatibility issues with the GitHub workflow(s) Go version
* Refactor auth middleware and test for extracted claim handling
* Optimize JWT group check in auth middleware to cover nil and empty allowed groups
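The group-based JWT check described in the commits above, written out as an added example (not the project's own middleware code): the groups claim is extracted from the decoded token with type checks, and the allow-list decision treats a nil or empty list of allowed groups as "check disabled". The claim name `groups` and the claims shapes below are constructed for the example and are assumptions, not values taken from the project.

```go
package main

import (
	"errors"
	"fmt"
)

// Claims is the decoded JWT payload as a generic map, the shape a JSON
// decoder produces (constructed for this example).
type Claims map[string]interface{}

// extractGroups pulls the groups claim out of the decoded claims. A JSON array
// decodes to []interface{}, so every element is checked to be a string; a
// missing claim yields no groups rather than an error.
func extractGroups(claims Claims, claimName string) ([]string, error) {
	raw, ok := claims[claimName]
	if !ok || raw == nil {
		return nil, nil
	}
	list, ok := raw.([]interface{})
	if !ok {
		return nil, errors.New("groups claim is not an array")
	}
	groups := make([]string, 0, len(list))
	for _, item := range list {
		s, ok := item.(string)
		if !ok {
			return nil, errors.New("groups claim contains a non-string element")
		}
		groups = append(groups, s)
	}
	return groups, nil
}

// isGroupAllowed is the allow-list decision: with no allowed groups configured
// (nil or empty) every user passes; otherwise the user must carry at least one
// of the allowed groups.
func isGroupAllowed(userGroups, allowedGroups []string) bool {
	if len(allowedGroups) == 0 {
		return true
	}
	allowed := make(map[string]struct{}, len(allowedGroups))
	for _, g := range allowedGroups {
		allowed[g] = struct{}{}
	}
	for _, g := range userGroups {
		if _, ok := allowed[g]; ok {
			return true
		}
	}
	return false
}

// authorize combines both steps, as an auth middleware would before letting a
// request through: a malformed claim is rejected, not silently ignored.
func authorize(claims Claims, claimName string, allowedGroups []string) (bool, error) {
	groups, err := extractGroups(claims, claimName)
	if err != nil {
		return false, err
	}
	return isGroupAllowed(groups, allowedGroups), nil
}

func main() {
	// Constructed sample claims, assumed claim name "groups".
	claims := Claims{"sub": "user-1", "groups": []interface{}{"devops", "viewers"}}
	ok, err := authorize(claims, "groups", []string{"devops"})
	fmt.Println(ok, err) // true <nil>
	ok, err = authorize(claims, "groups", nil)
	fmt.Println(ok, err) // true <nil> (no allow-list configured)
	ok, err = authorize(Claims{"sub": "user-2"}, "groups", []string{"devops"})
	fmt.Println(ok, err) // false <nil> (claim missing, allow-list set)
}
```

The decision to let an empty allow-list pass everyone mirrors the "return an empty group list if JWT allow groups is not set" behaviour; if a deployment wants the opposite default, that is the one branch to change.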
This PR adds support for Owner roles.
The owner role has a similar access level as the admin, but it has the power to delete the account.
Besides that, the role has the following constraints:
- The role can only be transferred. So, only a user with the owner role can transfer the owner role to a new user
- It can't be assigned to users being invited
- It can't be assigned to service users
Adding support for account owners to delete an account.
This will remove all users locally, and if --user-delete-from-idp is set it will remove them from the remote IDP.
* Add gocritic linter
`gocritic` provides diagnostics that check for bugs, performance, and style issues
We disable the following checks:
- commentFormatting
- captLocal
- deprecatedComment
This PR contains many `//nolint:gocritic` to disable `appendAssign`.
* Add non-deletable flag for service users
* fix non-deletable service user created as deletable
* Exclude non-deletable service users in service users api response
* Fix broken tests
* Add test for non-deletable service user
* Add handling for non-deletable service users in tests
* Remove non-deletable service users when fetching all users
* Ensure non-deletable users are filtered out when fetching all user data