Pascal Fischer
60ee31df3e
[management] Add API of new network concept ( #3012 )
2024-12-11 12:58:45 +01:00
Bethuel Mmbaga
f118d81d32
[management] Refactor policy to use store methods ( #2878 )
2024-11-26 10:46:05 +01:00
Pascal Fischer
4c758c6e52
[management] remove network map diff calculations ( #2820 )
2024-10-31 19:24:15 +01:00
Bethuel Mmbaga
7bda385e1b
[management] Optimize network map updates ( #2718 )
...
* Skip peer update on unchanged network map (#2236 )
* Enhance network updates by skipping unchanged messages
Optimizes the network update process
by skipping updates where no changes in the peer update message received.
* Add unit tests
* add locks
* Improve concurrency and update peer message handling
* Refactor account manager network update tests
* fix test
* Fix inverted network map update condition
* Add default group and policy to test data
* Run peer updates in a separate goroutine
* Refactor
* Refactor lock
* Fix peers update by including NetworkMap and posture Checks
* go mod tidy
* fix merge
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* fix merge
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* [management] Skip account peers update if no changes affect peers (#2310 )
* Remove incrementing network serial and updating peers after group deletion
* Update account peer if posture check is linked to policy
* Remove account peers update on saving setup key
* Refactor group link checking into re-usable functions
* Add HasPeers function to group
* Refactor group management
* Optimize group change effects on account peers
* Update account peers if ns group has peers
* Refactor group changes
* Optimize account peers update in DNS settings
* Optimize update of account peers on jwt groups sync
* Refactor peer account updates for efficiency
* Optimize peer update on user deletion and changes
* Remove condition check for network serial update
* Optimize account peers updates on route changes
* Remove UpdatePeerSSHKey method
* Remove unused isPolicyRuleGroupsEmpty
* Add tests for peer update behavior on posture check changes
* Add tests for peer update behavior on policy changes
* Add tests for peer update behavior on group changes
* Add tests for peer update behavior on dns settings changes
* Refactor
* Add tests for peer update behavior on name server changes
* Add tests for peer update behavior on user changes
* Add tests for peer update behavior on route changes
* fix tests
* Add tests for peer update behavior on setup key changes
* Add tests for peer update behavior on peers changes
* fix merge
* Fix tests
* go mod tidy
* Add NameServer and Route comparators
* Update network map diff logic with custom comparators
* Add tests
* Refactor duplicate diff handling logic
* fix linter
* fix tests
* Refactor policy group handling and update logic.
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* Update route check by checking if group has peers
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* Refactor posture check policy linking logic
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* Simplify peer update condition in DNS management
Refactor the condition for updating account peers to remove redundant checks
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* fix tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* fix merge
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* add policy tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* add posture checks tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* fix user and setup key tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* fix account and route tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* fix typo
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* fix nameserver tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* fix routes tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* fix group tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* upgrade diff package
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* fix nameserver tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* use generic differ for netip.Addr and netip.Prefix
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* go mod tidy
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* add peer tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* fix merge
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* fix management suite tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* fix postgres tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* enable diff nil structs comparison
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* skip the update only last sent the serial is larger
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* refactor peer and user
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* skip spell check for groupD
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* Refactor group, ns group, policy and posture checks
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* skip spell check for GroupD
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* update account policy check before verifying policy status
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* Update management/server/route_test.go
Co-authored-by: Maycon Santos <mlsmaycon@gmail.com>
* Update management/server/route_test.go
Co-authored-by: Maycon Santos <mlsmaycon@gmail.com>
* Update management/server/route_test.go
Co-authored-by: Maycon Santos <mlsmaycon@gmail.com>
* Update management/server/route_test.go
Co-authored-by: Maycon Santos <mlsmaycon@gmail.com>
* Update management/server/route_test.go
Co-authored-by: Maycon Santos <mlsmaycon@gmail.com>
* add tests missing tests for dns setting groups
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* add tests for posture checks changes
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* add ns group and policy tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* add route and group tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* increase Linux test timeout to 10 minutes
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* Run diff for client posture checks only
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* add panic recovery and detailed logging in peer update comparison
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* Fix tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
---------
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
Co-authored-by: Maycon Santos <mlsmaycon@gmail.com>
---------
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
Co-authored-by: Maycon Santos <mlsmaycon@gmail.com>
2024-10-23 13:05:02 +03:00
pascal-fischer
765aba2c1c
Add context to throughout the project and update logging ( #2209 )
...
propagate context from all the API calls and log request ID, account ID and peer ID
---------
Co-authored-by: Zoltan Papp <zoltan.pmail@gmail.com>
2024-07-03 11:33:02 +02:00
Zoltan Papp
2d76b058fc
Feature/peer validator ( #1553 )
...
Follow up management-integrations changes
move groups to separated packages to avoid circle dependencies
save location information in Login action
2024-03-27 18:48:48 +01:00
Yury Gargay
9bc7b9e897
Add initial support of device posture checks ( #1540 )
...
This PR implements the following posture checks:
* Agent minimum version allowed
* OS minimum version allowed
* Geo-location based on connection IP
For the geo-based location, we rely on GeoLite2 databases which are free IP geolocation databases. MaxMind was tested and we provide a script that easily allows to download of all necessary files, see infrastructure_files/download-geolite2.sh.
The OpenAPI spec should extensively cover the life cycle of current version posture checks.
2024-02-20 09:59:56 +01:00
Yury Gargay
db3cba5e0f
Remove Account.Rules from Store engines ( #1528 )
2024-02-19 17:17:36 +01:00
pascal-fischer
5de4acf2fe
Integrate Rosenpass ( #1153 )
...
This PR aims to integrate Rosenpass with NetBird. It adds a manager for Rosenpass that starts a Rosenpass server and handles the managed peers. It uses the cunicu/go-rosenpass implementation. Rosenpass will then negotiate a pre-shared key every 2 minutes and apply it to the wireguard connection.
The Feature can be enabled by setting a flag during the netbird up --enable-rosenpass command.
If two peers are both support and have the Rosenpass feature enabled they will create a post-quantum secure connection. If one of the peers or both don't have this feature enabled or are running an older version that does not have this feature yet, the NetBird client will fall back to a plain Wireguard connection without pre-shared keys for those connections (keeping Rosenpass negotiation for the rest).
Additionally, this PR includes an update of all Github Actions workflows to use go version 1.21.0 as this is a requirement for the integration.
---------
Co-authored-by: braginini <bangvalo@gmail.com>
Co-authored-by: Maycon Santos <mlsmaycon@gmail.com>
2024-01-08 12:25:35 +01:00
Pascal Fischer
08733ed8d5
update tests
2023-12-06 15:02:10 +01:00
Pascal Fischer
a729c83b06
extract peer into seperate package
2023-11-28 13:45:26 +01:00
Fabio Fantoni
c99ae6f009
fix some typo spotted with codespell ( #1278 )
...
Fixed spelling typos on logs, comments and command help text
2023-11-01 17:11:16 +01:00
Givi Khojanashvili
e69ec6ab6a
Optimize ACL performance ( #994 )
...
* Optimize rules with All groups
* Use IP sets in ACLs (nftables implementation)
* Fix squash rule when we receive optimized rules list from management
2023-07-18 13:12:50 +04:00
Givi Khojanashvili
ba7a39a4fc
Feat linux firewall support ( #805 )
...
Update the client's engine to apply firewall rules received from the manager (results of ACL policy).
2023-05-29 16:00:18 +02:00
Givi Khojanashvili
5dc0ff42a5
Fix broken auto-generated Rego rule ( #769 )
...
Default Rego policy generated from the rules in some cases is broken.
This change fixes the Rego template for rules to generate policies.
Also, file store load constantly regenerates policy objects from rules.
It allows updating/fixing of the default Rego template during releases.
2023-04-01 12:02:08 +02:00
Givi Khojanashvili
3bfa26b13b
Feat rego default policy ( #700 )
...
Converts rules to Rego policies and allow users to write raw policies to set up connectivity and firewall on the clients.
2023-03-13 18:14:18 +04:00