* Feat add basic support for IPv6 networks
Newly generated networks automatically generate an IPv6 prefix of size
64 within the ULA address range, devices obtain a randomly generated
address within this prefix.
Currently, this is Linux only and does not yet support all features
(routes currently cause an error).
* Fix firewall configuration for IPv6 networks
* Fix routing configuration for IPv6 networks
* Feat provide info on IPv6 support for specific client to mgmt server
* Feat allow configuration of IPv6 support through API, improve stability
* Feat add IPv6 support to new firewall implementation
* Fix peer list item response not containing IPv6 address
* Fix nftables breaking on IPv6 address change
* Fix build issues for non-linux systems
* Fix intermittent disconnections when IPv6 is enabled
* Fix test issues and make some minor revisions
* Fix some more testing issues
* Fix more CI issues due to IPv6
* Fix more testing issues
* Add inheritance of IPv6 enablement status from groups
* Fix IPv6 events not having associated messages
* Address first review comments regarding IPv6 support
* Fix IPv6 table being created even when IPv6 is disabled
Also improved stability of IPv6 route and firewall handling on client side
* Fix IPv6 routes not being removed
* Fix DNS IPv6 issues, limit IPv6 nameservers to IPv6 peers
* Improve code for IPv6 DNS server selection, add AAAA custom records
* Ensure IPv6 routes can only exist for IPv6 routing peers
* Fix IPv6 network generation randomness
* Fix a bunch of compilation issues and test failures
* Replace method calls that are unavailable in Go 1.21
* Fix nil dereference in cleanUpDefaultForwardRules6
* Fix nil pointer dereference when persisting IPv6 network in sqlite
* Clean up of client-side code changes for IPv6
* Fix nil dereference in rule mangling and compilation issues
* Add a bunch of client-side test cases for IPv6
* Fix IPv6 tests running on unsupported environments
* Fix import cycle in tests
* Add missing method SupportsIPv6() for windows
* Require IPv6 default route for IPv6 tests
* Fix panics in routemanager tests on non-linux
* Fix some more route manager tests concerning IPv6
* Add some final client-side tests
* Add IPv6 tests for management code, small fixes
* Fix linting issues
* Fix small test suite issues
* Fix linter issues and builds on macOS and Windows again
* fix builds for iOS because of IPv6 breakage
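As an added example (not code from the change set above or from the project), this Go sketch shows the scheme the first PR describes: a random /64 inside the ULA range for each new network, and a random address within that prefix for each device. Drawing the prefix from fd00::/8 (the locally assigned part of fc00::/7) and retrying on an all-zero interface identifier are my assumptions, not details taken from the page.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"net/netip"
)

// NewULAPrefix returns a random /64 inside fd00::/8, the locally assigned
// part of the RFC 4193 ULA range fc00::/7: byte 0 is fixed to 0xfd and the
// 40-bit Global ID plus 16-bit Subnet ID (bytes 1..7) come from crypto/rand.
func NewULAPrefix() (netip.Prefix, error) {
	var b [16]byte
	if _, err := rand.Read(b[1:8]); err != nil {
		return netip.Prefix{}, err
	}
	b[0] = 0xfd
	return netip.PrefixFrom(netip.AddrFrom16(b), 64), nil
}

// RandomAddrIn draws a random 64-bit interface identifier inside an IPv6 /64,
// retrying if it is all zero (that is the subnet-router anycast address).
func RandomAddrIn(prefix netip.Prefix) (netip.Addr, error) {
	if !prefix.Addr().Is6() || prefix.Bits() != 64 {
		return netip.Addr{}, fmt.Errorf("%s is not an IPv6 /64", prefix)
	}
	base := prefix.Masked().Addr() // network address, host part zero
	b := base.As16()
	for {
		if _, err := rand.Read(b[8:]); err != nil {
			return netip.Addr{}, err
		}
		if addr := netip.AddrFrom16(b); addr != base {
			return addr, nil
		}
	}
}

func main() {
	prefix, err := NewULAPrefix()
	if err != nil {
		panic(err)
	}
	addr, err := RandomAddrIn(prefix)
	if err != nil {
		panic(err)
	}
	fmt.Printf("network %s, device address %s\n", prefix, addr)
}
```

Using crypto/rand rather than math/rand is what keeps two independently generated networks from colliding, which is the point of the "IPv6 network generation randomness" fix in the list above.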
This PR implements the following posture checks:
* Agent minimum version allowed
* OS minimum version allowed
* Geo-location based on connection IP
For the geo-based location, we rely on GeoLite2 databases, which are free IP geolocation databases. MaxMind was tested, and we provide a script that makes it easy to download all necessary files; see infrastructure_files/download-geolite2.sh.
The OpenAPI spec should extensively cover the life cycle of current version posture checks.
We allow service users with the user role read-only access to all resources, so users can create service users and propagate PATs without having to give full admin permissions.
* Added function to check user access by JWT groups in the account management mock server and account manager
* Refactor auth middleware for group-based JWT access control
* Add group-based JWT access control on adding new peer with JWT
* Remove mapping error as the token validation error is already present in grpc error codes
* use GetAccountFromToken to prevent single mode issues
* handle foreground login message
---------
Co-authored-by: Maycon Santos <mlsmaycon@gmail.com>
* Extend management API to support list of allowed JWT groups (#1366)
* Add JWTAllowGroups settings to account management
* Return an empty group list if jwt allow groups is not set
* Add JwtAllowGroups to account settings in handler test
* Add JWT group-based user authorization (#1373)
* Add JWTAllowGroups settings to account management
* Return an empty group list if jwt allow groups is not set
* Add JwtAllowGroups to account settings in handler test
* Implement user access validation authentication based on JWT groups
* Remove the slices package import due to compatibility issues with the GitHub workflow(s) Go version
* Refactor auth middleware and test for extracted claim handling
* Optimize JWT group check in auth middleware to cover nil and empty allowed groups
This PR adds `gosec` linter with the following checks disabled:
- G102: Bind to all interfaces
- G107: Url provided to HTTP request as taint input
- G112: Potential slowloris attack
- G114: Use of net/http serve function that has no support for setting timeouts
- G204: Audit use of command execution
- G401: Detect the usage of DES, RC4, MD5 or SHA1
- G402: Look for bad TLS connection settings
- G404: Insecure random number source (rand)
- G501: Import blocklist: crypto/md5
- G505: Import blocklist: crypto/sha1
We have complaints related to the checks above. They have to be addressed separately.
This PR adds support for Owner roles.
The owner role has a similar access level as the admin, but it has the power to delete the account.
Besides that, the role has the following constraints:
- The role can only be transferred. So, only a user with the owner role can transfer the owner role to a new user
- It can't be assigned to users being invited
- It can't be assigned to service users
Adding support for account owners to delete an account
This will remove all users locally, and if --user-delete-from-idp is set, it will also remove them from the remote IDP
* Add gocritic linter
`gocritic` provides diagnostics that check for bugs, performance, and style issues
We disable the following checks:
- commentFormatting
- captLocal
- deprecatedComment
This PR contains many `//nolint:gocritic` to disable `appendAssign`.
* Add non-deletable flag for service users
* fix non deletable service user created as deletable
* Exclude non deletable service users in service users api response
* Fix broken tests
* Add test for non deletable service user
* Add handling for non-deletable service users in tests
* Remove non-deletable service users when fetching all users
* Ensure non-deletable users are filtered out when fetching all user data
- dupword checks for duplicate words in the source code
- durationcheck checks for two durations multiplied together
- forbidigo forbids identifiers
- mirror reports wrong mirror patterns of bytes/strings usage
- misspell finds commonly misspelled English words in comments
- predeclared finds code that shadows one of Go's predeclared identifiers
- thelper detects Go test helpers without t.Helper() call and checks the consistency of test helpers
* extends user and group structure by introducing fields for issued and integration references
* Add integration checks to group management to prevent groups added by integration.
* Add integration checks to user management to prevent deleting users added by integration.
* Fix broken user update tests
* Initialize all user fields for testing
* Change a serializer option to embedded for IntegrationReference in user and group models
* Add issued field to user api response
* Add IntegrationReference to Group in update groups handler
* Set the default issued field for users in file store