3e88b7c56e
[management] Fix network map update on peer validation ( #2849 )
2024-11-07 09:50:13 +01:00
a9d06b883f
add all group to add peer affected peers network map check ( #2830 )
2024-11-01 22:09:08 +01:00
bac95ace18
[management] Add DB access duration to logs for context cancel ( #2781 )
2024-11-01 10:58:39 +01:00
4c758c6e52
[management] remove network map diff calculations ( #2820 )
2024-10-31 19:24:15 +01:00
729bcf2b01
[management] add metrics to network map diff ( #2811 )
2024-10-30 16:53:23 +01:00
39c99781cb
fix meta is equal slices ( #2807 )
2024-10-29 19:54:38 +01:00
10480eb52f
[management] Setup key improvements ( #2775 )
2024-10-28 17:52:23 +01:00
563dca705c
[management] Fix session inactivity response ( #2770 )
2024-10-23 16:40:15 +02:00
7bda385e1b
[management] Optimize network map updates ( #2718 )
...
* Skip peer update on unchanged network map (#2236 )
* Enhance network updates by skipping unchanged messages
Optimizes the network update process
by skipping updates where no changes in the peer update message received.
* Add unit tests
* add locks
* Improve concurrency and update peer message handling
* Refactor account manager network update tests
* fix test
* Fix inverted network map update condition
* Add default group and policy to test data
* Run peer updates in a separate goroutine
* Refactor
* Refactor lock
* Fix peers update by including NetworkMap and posture Checks
* go mod tidy
* fix merge
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix merge
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* [management] Skip account peers update if no changes affect peers (#2310 )
* Remove incrementing network serial and updating peers after group deletion
* Update account peer if posture check is linked to policy
* Remove account peers update on saving setup key
* Refactor group link checking into re-usable functions
* Add HasPeers function to group
* Refactor group management
* Optimize group change effects on account peers
* Update account peers if ns group has peers
* Refactor group changes
* Optimize account peers update in DNS settings
* Optimize update of account peers on jwt groups sync
* Refactor peer account updates for efficiency
* Optimize peer update on user deletion and changes
* Remove condition check for network serial update
* Optimize account peers updates on route changes
* Remove UpdatePeerSSHKey method
* Remove unused isPolicyRuleGroupsEmpty
* Add tests for peer update behavior on posture check changes
* Add tests for peer update behavior on policy changes
* Add tests for peer update behavior on group changes
* Add tests for peer update behavior on dns settings changes
* Refactor
* Add tests for peer update behavior on name server changes
* Add tests for peer update behavior on user changes
* Add tests for peer update behavior on route changes
* fix tests
* Add tests for peer update behavior on setup key changes
* Add tests for peer update behavior on peers changes
* fix merge
* Fix tests
* go mod tidy
* Add NameServer and Route comparators
* Update network map diff logic with custom comparators
* Add tests
* Refactor duplicate diff handling logic
* fix linter
* fix tests
* Refactor policy group handling and update logic.
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Update route check by checking if group has peers
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Refactor posture check policy linking logic
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Simplify peer update condition in DNS management
Refactor the condition for updating account peers to remove redundant checks
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix merge
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* add policy tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* add posture checks tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix user and setup key tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix account and route tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix typo
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix nameserver tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix routes tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix group tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* upgrade diff package
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix nameserver tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* use generic differ for netip.Addr and netip.Prefix
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* go mod tidy
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* add peer tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix merge
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix management suite tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix postgres tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* enable diff nil structs comparison
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* skip the update only last sent the serial is larger
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* refactor peer and user
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* skip spell check for groupD
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Refactor group, ns group, policy and posture checks
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* skip spell check for GroupD
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* update account policy check before verifying policy status
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Update management/server/route_test.go
Co-authored-by: Maycon Santos <mlsmaycon@gmail.com >
* Update management/server/route_test.go
Co-authored-by: Maycon Santos <mlsmaycon@gmail.com >
* Update management/server/route_test.go
Co-authored-by: Maycon Santos <mlsmaycon@gmail.com >
* Update management/server/route_test.go
Co-authored-by: Maycon Santos <mlsmaycon@gmail.com >
* Update management/server/route_test.go
Co-authored-by: Maycon Santos <mlsmaycon@gmail.com >
* add tests missing tests for dns setting groups
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* add tests for posture checks changes
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* add ns group and policy tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* add route and group tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* increase Linux test timeout to 10 minutes
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Run diff for client posture checks only
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* add panic recovery and detailed logging in peer update comparison
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Fix tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
---------
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
Co-authored-by: Maycon Santos <mlsmaycon@gmail.com >
---------
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
Co-authored-by: Maycon Santos <mlsmaycon@gmail.com >
2024-10-23 13:05:02 +03:00
0106a95f7a
lock account and use transaction ( #2767 )
...
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
2024-10-22 13:29:17 +03:00
88e4fc2245
Release global lock on early error ( #2760 )
2024-10-19 18:32:17 +02:00
ccd4ae6315
Fix domain information is up to date check ( #2754 )
2024-10-17 19:21:35 +02:00
96d2207684
Fix JSON function compatibility for SQLite and PostgreSQL ( #2746 )
...
resolves the issue with json_array_length compatibility between SQLite and PostgreSQL. It adjusts the query to conditionally cast types:
PostgreSQL: Casts to json with ::json.
SQLite: Uses the text representation directly.
2024-10-16 17:55:30 +02:00
49e65109d2
Add session expire functionality based on inactivity ( #2326 )
...
Implemented inactivity expiration by checking the status of a peer: after a configurable period of time following netbird down, the peer shows login required.
2024-10-13 14:52:43 +02:00
da3a053e2b
[management] Refactor getAccountIDWithAuthorizationClaims ( #2715 )
...
This change restructures the getAccountIDWithAuthorizationClaims method to improve readability, maintainability, and performance.
- have dedicated methods to handle possible cases
- introduced Store.UpdateAccountDomainAttributes and Store.GetAccountUsers methods
- Remove GetAccount and SaveAccount dependency
- added tests
2024-10-12 08:35:51 +02:00
208a2b7169
Add billing user role ( #2714 )
2024-10-10 14:14:56 +02:00
8284ae959c
[management] Move testdata to sql files ( #2693 )
2024-10-10 12:35:03 +02:00
b79c1d64cc
[management] Make max open db conns configurable ( #2713 )
2024-10-09 20:17:25 +02:00
d4ef84fe6e
[management] Propagate error in store errors ( #2709 )
2024-10-09 14:33:58 +02:00
2c1f5e46d5
[management] Validate peer ownership during login ( #2704 )
...
* check peer ownership in login
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* update error message
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
---------
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
2024-10-07 19:06:26 +03:00
dbec24b520
[management] Remove admin check on getAccountByID ( #2699 )
2024-10-06 17:01:13 +02:00
5897a48e29
fix wrong reference ( #2695 )
...
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
2024-10-04 18:55:25 +03:00
8bf729c7b4
[management] Add AccountExists to AccountManager ( #2694 )
...
* Add AccountExists method to account manager interface
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* remove unused code
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
---------
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
2024-10-04 18:09:40 +03:00
7f09b39769
[management] Refactor User JWT group sync ( #2690 )
...
* Refactor GetAccountIDByUserOrAccountID
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* sync user jwt group changes
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* propagate jwt group changes to peers
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix no jwt groups synced
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix tests and lint
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Move the account peer update outside the transaction
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* move updateUserPeersInGroups to account manager
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* move event store outside of transaction
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* get user with update lock
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Run jwt sync in transaction
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
---------
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
2024-10-04 17:17:01 +03:00
158936fb15
[management] Remove file store ( #2689 )
2024-10-03 15:50:35 +02:00
ff7863785f
[management, client] Add access control support to network routes ( #2100 )
2024-10-02 13:41:00 +02:00
16179db599
[management] Propagate metrics ( #2667 )
2024-09-30 22:18:10 +02:00
58ff7ab797
[management] improve zitadel idp error response detail by decoding errors ( #2634 )
...
* [management] improve zitadel idp error response detail by decoding errors
* [management] extend readZitadelError to be used for requestJWTToken
more generically parse the error returned by zitadel.
* fix lint
---------
Co-authored-by: bcmmbaga <bethuelmbaga12@gmail.com >
2024-09-27 22:21:34 +03:00
acb73bd64a
[management] Remove redundant get account calls in GetAccountFromToken ( #2615 )
...
* refactor access control middleware and user access by JWT groups
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* refactor jwt groups extractor
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* refactor handlers to get account when necessary
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* refactor getAccountFromToken
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* refactor getAccountWithAuthorizationClaims
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix merge
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* revert handles change
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* remove GetUserByID from account manager
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* refactor getAccountWithAuthorizationClaims to return account id
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* refactor handlers to use GetAccountIDFromToken
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* remove locks
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* refactor
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* add GetGroupByName from store
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* add GetGroupByID from store and refactor
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Refactor retrieval of policy and posture checks
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Refactor user permissions and retrieves PAT
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Refactor route, setupkey, nameserver and dns to get record(s) from store
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Refactor store
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix lint
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix add missing policy source posture checks
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* add store lock
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* add get account
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
---------
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
2024-09-27 17:10:50 +03:00
1e4a0f77e2
Add get DB method to store ( #2650 )
2024-09-25 18:22:27 +02:00
d47be154ea
[misc] Fix ip range posture check example ( #2628 )
2024-09-23 10:02:03 +02:00
35c892aea3
[management] Restrict accessible peers to user-owned peers for non-admins ( #2618 )
...
* Restrict accessible peers to user-owned peers for non-admin users
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* add tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* add service user test
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* reuse account from token
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* return error when peer not found
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
---------
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
2024-09-20 12:36:58 +03:00
6c50b0c84b
[management] Add transaction to addPeer ( #2469 )
...
This PR removes the GetAccount and SaveAccount operations from the AddPeer and instead makes use of gorm.Transaction to add the new peer.
2024-09-16 15:47:03 +02:00
82739e2832
[management] fix legacy decrypting of empty values ( #2595 )
...
* allow legacy decrypting on empty values
* validate source size and padding limits
* added tests
---------
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
Co-authored-by: Maycon Santos <mlsmaycon@gmail.com >
2024-09-15 16:22:46 +02:00
170e842422
[management] Add accessible peers endpoint ( #2579 )
...
* move accessible peer to separate endpoint in api doc
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* add endpoint to get accessible peers
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Update management/server/http/api/openapi.yml
Co-authored-by: pascal-fischer <32096965+pascal-fischer@users.noreply.github.com >
* Update management/server/http/api/openapi.yml
Co-authored-by: pascal-fischer <32096965+pascal-fischer@users.noreply.github.com >
* Update management/server/http/peers_handler.go
Co-authored-by: pascal-fischer <32096965+pascal-fischer@users.noreply.github.com >
---------
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
Co-authored-by: pascal-fischer <32096965+pascal-fischer@users.noreply.github.com >
2024-09-12 16:19:27 +03:00
cf6210a6f4
[management] Add GCM encryption and migrate legacy encrypted events ( #2569 )
...
* Add AES-GCM encryption
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* migrate legacy encrypted data to AES-GCM encryption
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Refactor and use transaction when migrating data
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Add events migration tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix lint
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* skip migrating record on error
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Preallocate capacity for nonce to avoid allocations in Seal
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
---------
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
2024-09-11 20:09:57 +03:00
2d1bf3982d
[relay] Improve relay messages ( #2574 )
...
Co-authored-by: Zoltán Papp <zoltan.pmail@gmail.com >
2024-09-11 16:20:30 +02:00
f43a0a0177
[client] Retry on tun creation for darwin ( #2564 )
...
The interface creation on macOS seems to be asynchronus why the tun.create methode somethimes failes becasue the interface is not ready yet. To work around this issue we introduce a retry on tun.create
2024-09-09 19:02:10 +02:00
12c36312b5
[management] Auto update geolite ( #2297 )
...
introduces helper functions to fetch and verify database versions, downloads new files if outdated, and deletes old ones. It also refactors filename handling to improve clarity and consistency, adding options to disable auto-updating via a flag. The changes aim to simplify GeoLite database management for admins.
2024-09-09 18:27:42 +02:00
0c039274a4
[relay] Feature/relay integration ( #2244 )
...
This update adds new relay integration for NetBird clients. The new relay is based on web sockets and listens on a single port.
- Adds new relay implementation with websocket with single port relaying mechanism
- refactor peer connection logic, allowing upgrade and downgrade from/to P2P connection
- peer connections are faster since it connects first to relay and then upgrades to P2P
- maintains compatibility with old clients by not using the new relay
- updates infrastructure scripts with new relay service
2024-09-08 12:06:14 +02:00
a7e46bf7b1
Reduce test logs ( #2550 )
2024-09-06 16:28:19 +02:00
95174d4619
Update route API doc with max domain number ( #2516 )
2024-09-02 17:40:34 +02:00
00944bcdbf
[management] Add support to ECDSA public Keys ( #2461 )
...
Update the JWT validation logic to handle ECDSA keys in addition to the existing RSA keys
---------
Co-authored-by: Harry Kodden <harry.kodden@surf.nl >
Co-authored-by: Bethuel Mmbaga <bethuelmbaga12@gmail.com >
2024-08-27 16:37:55 +02:00
d97b03656f
[management] Refactor HTTP metrics ( #2476 )
...
* Add logging for slow SQL queries in SaveAccount and GetAccount
* Add resource count log for large accounts
* Refactor metrics middleware to simplify counters and histograms
* Update log levels and remove redundant resource count check
2024-08-23 19:42:55 +03:00
0f0415b92a
rename request buffer and update default interval ( #2459 )
2024-08-21 11:44:52 +02:00
3ed90728e6
[management] Add buffering for getAccount requests during login ( #2449 )
2024-08-20 20:06:01 +02:00
8c2d37d3fc
[management] Fix logging out peers on deletion ( #2453 )
2024-08-20 19:13:40 +02:00
049b5fb7ed
Split DB calls in peer login ( #2439 )
2024-08-19 12:50:11 +02:00
6016d2f7ce
Fix lint ( #2427 )
2024-08-14 13:30:10 +03:00
539480a713
[management] Prevent removal of All group from peers during user groups propagation ( #2410 )
...
* Prevent removal of "All" group from peers
* Prevent adding "All" group to users and setup keys
* Refactor setup key group validation
2024-08-12 13:48:05 +03:00
