The new functionality allows blocking a user in the Management service.
Blocked users lose access to the Dashboard, aren't able to modify the network map,
and all of their connected devices disconnect and are set to the "login expired" state.
Technically all above was achieved with the updated PUT /api/users endpoint,
that was extended with the is_blocked field.
The Management gRPC API has too much business logic
happening while it has to be in the Account manager.
This also needs to make more requests to the store
through the account manager.
Extend HTTP API with Account endpoints to configure global peer login expiration.
GET /api/accounts
PUT /api/account/{id}/
The GET endpoint returns an array of accounts with
always one account in the list. No exceptions.
The PUT endpoint updates account settings:
PeerLoginExpiration and PeerLoginExpirationEnabled.
PeerLoginExpiration is a duration in seconds after which peers' logins will expire.
This PR adds a peer login expiration logic that requires
peers created by a user to re-authenticate (re-login) after
a certain threshold of time (24h by default).
The Account object now has a PeerLoginExpiration
property that indicates the duration after which a peer's
login will expire and a login will be required. Defaults to 24h.
There are two new properties added to the Peer object:
LastLogin that indicates the last time peer successfully used
the Login gRPC endpoint and LoginExpirationEnabled that
enables/disables peer login expiration.
The login expiration logic applies only to peers that were created
by a user and not those that were added with a setup key.
Replace Peer.Key as internal identifier with a randomly generated Peer.ID
in the Management service.
Every group now references peers by ID instead of a public key.
Every route now references peers by ID instead of a public key.
FileStore does store.json file migration on startup by generating Peer.ID and replacing
all Peer.Key identifier references .
This PR adds system activity tracking.
The management service records events like
add/remove peer, group, rule, route, etc.
The activity events are stored in the SQLite event store
and can be queried by the HTTP API.
Updated tests, API, and account manager methods
Sync routes to peers in the distribution groups
Added store upgrade by adding the All group to routes that don't have them
Add a usage_limit parameter to the API.
This limits the number of times a setup key
can be used.
usage_limit == 0 indicates the the usage is inlimited.
This PR simplifies Store and FileStore
by keeping just the Get and Save account methods.
The AccountManager operates mostly around
a single account, so it makes sense to fetch
the whole account object from the store.
This PR brings user invites logic to the Management service
via HTTP API.
The POST /users/ API endpoint creates a new user in the Idp
and then in the local storage.
Once the invited user signs ups, the account invitation is redeemed.
There are a few limitations.
This works only with an enabled IdP manager.
Users that already have a registered account can't be invited.
Add DNS package and Nameserver group objects
Add CRUD operations for Nameserver Groups to account manager
Add Routes and Nameservers to Account Copy method
Run docker tests with timeout and serial flags
* Send netmask from account network
Added the GetPeerNetwork method to account manager
Pass a copy of the network to the toPeerConfig function
to retrieve the netmask from the network instead of constant
updated methods and added test
* check if the network is the same for 2 peers
* Use expect with BeEquivalentTo
This PR adds support for SSH access through the NetBird network
without managing SSH skeys.
NetBird client app has an embedded SSH server (Linux/Mac only)
and a netbird ssh command.
Introduced an OpenAPI specification.
Updated API handlers to use the specification types.
Added patch operation for rules and groups
and methods to the account manager.
HTTP PUT operations require id, fail if not provided.
Use snake_case for HTTP request and response body
There are a few places where an account is created.
When we create a new account, there should be
some defaults set. E.g. created by and group ALL.
It makes sense to add it in one place to avoid inconsistencies.
The management will validate the JWT as it does in the API
and will register the Peer to the user's account.
New fields were added to grpc messages in management
and client daemon and its clients were updated
Peer has one new field, UserID,
that will hold the id of the user that registered it
JWT middleware CheckJWT got a splitter
and renamed to support validation for non HTTP requests
Added test for adding new Peer with UserID
Lots of tests update because of a new field
Exposes endpoint under "/users/" that returns information on users.
Calls IDP manager to get information not stored locally (email, name),
which in the case of the managed version is auth0.
* feat(management): add groups
* squash
* feat(management): add handlers for groups
* feat(management): add handlers for groups
* chore(management): add tests for the get group of the management
* chore(management): add tests for save group
* Added Domain Category field and fix store tests
* Add GetAccountByDomain method
* Add Domain Category to authorization claims
* Initial GetAccountWithAuthorizationClaims test cases
* Renamed Private Domain map and index it on saving account
* New Go build tags
* Added NewRegularUser function
* Updated restore to account for primary domain account
Also, added another test case
* Added grouping user of private domains
Also added auxiliary methods for update metadata and domain attributes
* Update http handles get account method and tests
* Fix lint and document another case
* Removed unnecessary log
* Move use cases to method and add flow comments
* Split the new user and existing logic from GetAccountWithAuthorizationClaims
* Review: minor corrections
Co-authored-by: braginini <bangvalo@gmail.com>
