The Management gRPC API has too much business logic
happening while it has to be in the Account manager.
This also needs to make more requests to the store
through the account manager.
Bug 1: When calculating the network map, peers added by a setup key
were falling under expiration logic while they shouldn't.
Bug 2: Peers HTTP API didn't return expired peers for non-admin users
because of the expired peer check in the ACL logic.
The fix applies peer expiration checks outside of the ACL logic.
Goals:
* Enable peer login expiration when adding a new peer
* Expire a peer's login when the time comes
The account manager triggers the peer expiration routine in the future if the
following conditions are true:
* peer expiration is enabled for the account
* there is at least one peer that has expiration enabled and is connected
The time of the next expiration check is based on the nearest peer expiration.
Account manager finds a peer with the oldest last login (auth) timestamp and
calculates the time when it has to run the routine as a sum of the configured
peer login expiration duration and the peer's last login time.
When triggered, the expiration routine checks whether there are expired peers.
The management server closes the update channel of these peers and updates
the network map of other peers to exclude expired peers so that the expired peers
are not able to connect anywhere.
The account manager can reschedule or cancel peer expiration in the following cases:
* when admin changes account setting (peer expiration enable/disable)
* when admin updates the expiration duration of the account
* when admin updates peer expiration (enable/disable)
* when peer connects (Sync)
P.S. The network map calculation was updated to exclude peers that have login expired.
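The scheduling rule from the commit message above, as an added Go example that is not the project's code: `Evaluate` returns the peers whose login has expired and the delay until the next check is due. The `Peer` and `Account` types and their field names are hypothetical, and the setup-key exemption follows the Bug 1 note earlier on this page.

```go
package main

import (
	"fmt"
	"time"
)

// Peer and Account are hypothetical, reduced types for this example.
type Peer struct {
	ID                                     string
	LastLogin                              time.Time
	ExpirationEnabled, Connected, SetupKey bool
}

type Account struct {
	PeerLoginExpirationEnabled bool
	PeerLoginExpiration        time.Duration
	Peers                      []Peer
}

// Evaluate returns the peers whose login has expired at now and the delay until
// the nearest expiry among the remaining connected peers (ok is false if none).
func (a Account) Evaluate(now time.Time) (expired []string, wait time.Duration, ok bool) {
	for _, p := range a.Peers {
		if !a.PeerLoginExpirationEnabled || !p.ExpirationEnabled || p.SetupKey {
			continue // expiration does not apply (setup-key peers never expire)
		}
		left := p.LastLogin.Add(a.PeerLoginExpiration).Sub(now)
		switch {
		case left <= 0: // last login + configured duration has passed
			expired = append(expired, p.ID)
		case p.Connected && (!ok || left < wait): // oldest login expires first
			wait, ok = left, true
		}
	}
	return expired, wait, ok
}

func main() {
	t0 := time.Date(2023, 1, 1, 0, 0, 0, 0, time.UTC) // constructed sample data
	a := Account{true, 24 * time.Hour, []Peer{
		{"a", t0, true, true, false},
		{"b", t0.Add(-2 * time.Hour), true, true, false},
		{"c", t0.Add(-48 * time.Hour), true, false, false}, // disconnected
		{"d", t0.Add(-72 * time.Hour), true, true, true},   // setup key
	}}
	fmt.Println(a.Evaluate(t0.Add(23 * time.Hour)))
}
```

Expired peers are the ones whose update channel is closed and who are excluded from other peers' network maps; the returned delay is what the next run is scheduled with.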
Extend HTTP API with Account endpoints to configure global peer login expiration.
GET /api/accounts
PUT /api/account/{id}/
The GET endpoint returns an array of accounts with
always one account in the list. No exceptions.
The PUT endpoint updates account settings:
PeerLoginExpiration and PeerLoginExpirationEnabled.
PeerLoginExpiration is a duration in seconds after which peers' logins will expire.
Replace Peer.Key as internal identifier with a randomly generated Peer.ID
in the Management service.
Every group now references peers by ID instead of a public key.
Every route now references peers by ID instead of a public key.
FileStore does store.json file migration on startup by generating Peer.ID and replacing
all Peer.Key identifier references.
This PR adds system activity tracking.
The management service records events like
add/remove peer, group, rule, route, etc.
The activity events are stored in the SQLite event store
and can be queried by the HTTP API.
Updated tests, API, and account manager methods
Sync routes to peers in the distribution groups
Added store upgrade by adding the All group to routes that don't have them
Due to peer reconnects when restarting the Management service,
there are lots of SaveStore operations to update peer status.
Store.SavePeerStatus stores peer status separately and the
FileStore implementation stores it in memory.
Added DNS update protocol message
Added sync to clients
Update nameserver API with new fields
Added default NS groups
Added new dns-name flag for the management service append to peer DNS label
This PR simplifies Store and FileStore
by keeping just the Get and Save account methods.
The AccountManager operates mostly around
a single account, so it makes sense to fetch
the whole account object from the store.
This PR brings user invites logic to the Management service
via HTTP API.
The POST /users/ API endpoint creates a new user in the IdP
and then in the local storage.
Once the invited user signs up, the account invitation is redeemed.
There are a few limitations.
* This works only with an enabled IdP manager.
* Users that already have a registered account can't be invited.
There are a few places where an account is created.
When we create a new account, there should be
some defaults set. E.g. created by and group ALL.
It makes sense to add it in one place to avoid inconsistencies.
* fix(acl): update each peer's network when rule, group or peer changed
* fix(ACL): update network test
* fix(acl): cleanup indexes before update them
* fix(acl): clean up rules indexes only for account
The peer IP allocation logic was allocating sequential peer IP from the 100.64.0.0/10
address block.
Each account is created with a random subnet from 100.64.0.0/10.
The total amount of potential subnets is 64.
The new logic allocates random peer IP
from the account subnet.
This gives us flexibility to add support for
multi subnet accounts without overlapping IPs.
The management will validate the JWT as it does in the API
and will register the Peer to the user's account.
New fields were added to grpc messages in management
and client daemon and its clients were updated
Peer has one new field, UserID,
that will hold the id of the user that registered it
JWT middleware CheckJWT got a splitter
and was renamed to support validation for non-HTTP requests
Added test for adding new Peer with UserID
Lots of tests update because of a new field
Exposes endpoint under "/users/" that returns information on users.
Calls IDP manager to get information not stored locally (email, name),
which in the case of the managed version is auth0.
When the account id is supplied via claim, we should
handle a change of the domain classification.
If the category of the domain changes to private, we
should re-evaluate the private account
* Added Domain Category field and fix store tests
* Add GetAccountByDomain method
* Add Domain Category to authorization claims
* Initial GetAccountWithAuthorizationClaims test cases
* Renamed Private Domain map and index it on saving account
* New Go build tags
* Added NewRegularUser function
* Updated restore to account for primary domain account
Also, added another test case
* Added grouping user of private domains
Also added auxiliary methods for update metadata and domain attributes
* Update http handles get account method and tests
* Fix lint and document another case
* Removed unnecessary log
* Move use cases to method and add flow comments
* Split the new user and existing logic from GetAccountWithAuthorizationClaims
* Review: minor corrections
Co-authored-by: braginini <bangvalo@gmail.com>
* extract claim information from JWT
* get account function
* Store domain
* tests missing domain
* update existing account with domain
* add store domain tests
* get account id from access token claim
* use GetOrCreateAccountByUser and add test
* correct account id claim
* remove unused account
* Idp manager interface
* auth0 idp manager
* use if instead of switch case
* remove unnecessary lock
* NewAuth0Manager
* move idpmanager to its own package
* update metadata when accountId is not supplied
* update tests with idpmanager field
* format
* new idp manager and config support
* validate if we fetch the interface before converting to string
* split getJWTToken
* improve tests
* proper json fields and handle defer body close
* fix ci lint notes
* documentation and proper defer position
* UpdateUserAppMetadata tests
* update documentation
* ManagerCredentials interface
* Marshal and Unmarshal functions
* fix tests
* ManagerHelper and ManagerHTTPClient
* further tests with mocking
* rename package and custom http client
* sync local packages
* remove idp suffix
* feature: introduce NetworkMap to the management protocol with a Serial ID
* test: add Management Sync method protocol test
* test: add Management Sync method NetworkMap field check [FAILING]
* test: add Management Sync method NetworkMap field check [FAILING]
* feature: fill NetworkMap property to when Deleting peer
* feature: fill NetworkMap in the Sync protocol
* test: code review mentions - GeneratePrivateKey() in the test
* fix: wiretrustee client use wireguard GeneratePrivateKey() instead of GenerateKey()
* test: add NetworkMap test
* fix: management_proto test remove store.json on test finish
* chore: [management] - add account serial ID
* Fix concurrency on the client (#183)
* reworked peer connection establishment logic eliminating race conditions and deadlocks while running many peers
* chore: move serial to Network from Account
* feature: increment Network serial ID when adding/removing peers
* chore: extract network struct init to network.go
* chore: add serial test when adding peer to the account
* test: add ModificationID test on AddPeer and DeletePeer
* feature: add User entity to Account
* test: new file store creation test
* test: add FileStore persist-restore tests
* test: add GetOrCreateAccountByUser Accountmanager test
* refactor: rename account manager users file
* refactor: use userId instead of accountId when handling Management HTTP API
* fix: new account creation for every request
* fix: golint
* chore: add account creator to Account Entity to identify who created the account.
* chore: use xid ID generator for account IDs
* fix: test failures
* test: check that CreatedBy is stored when account is stored
* chore: add account copy method
* test: remove test for non existent GetOrCreateAccount func
* chore: add accounts conversion function
* fix: golint
* refactor: simplify admin user creation
* refactor: move migration script to a separate package
* feature: add peer GET and DELETE API methods
* refactor: extract peer business logic to a separate file
* refactor: extract peer business logic to a separate file
* feature: add peer update HTTP endpoint
* chore: fill peer new fields
* merge with main
* refactor: HTTP methods according to standards
* feature: add peer system metadata
* feature: add peer status
* test: fix removal