* wip: add posture checks structs
* add netbird version check
* Refactor posture checks and add version checks
* Add posture check activities (#1445)
* Integrate Endpoints for Posture Checks (#1432)
* wip: add posture checks structs
* add netbird version check
* Refactor posture checks and add version checks
* Implement posture and version checks in API models
* Refactor API models and enhance posture check functionality
* wip: add posture checks endpoints
* go mod tidy
* Reference the posture checks by id's in policy
* Add posture checks management to server
* Add posture checks management mocks
* implement posture checks handlers
* Add posture checks to account copy and fix tests
* Refactor posture checks validation
* wip: Add posture checks handler tests
* Add JSON encoding support to posture checks
* Encode posture checks to correct api response object
* Refactored posture checks implementation to align with the new API schema
* Refactor structure of `Checks` from slice to map
* Cleanup
* Add posture check activities (#1445)
* Revert map to use list of checks
* Add posture check activity events
* Refactor posture check initialization in account test
* Improve the handling of version range in posture check
* Fix tests and linter
* Remove max_version from NBVersionCheck
* Added unit tests for NBVersionCheck
* go mod tidy
* Extend policy endpoint with posture checks (#1450)
* Implement posture and version checks in API models
* go mod tidy
* Allow attaching posture checks to policy
* Update error message for linked posture check on deleting
* Refactor PostureCheck and Checks structures
* go mod tidy
* Add validation for non-existing posture checks
* fix unit tests
* use Wt version
* Remove the enabled field, as posture check will now automatically be activated by default when attaching to a policy
* wip: add posture checks structs
* add netbird version check
* Refactor posture checks and add version checks
* Add posture check activities (#1445)
* Integrate Endpoints for Posture Checks (#1432)
* wip: add posture checks structs
* add netbird version check
* Refactor posture checks and add version checks
* Implement posture and version checks in API models
* Refactor API models and enhance posture check functionality
* wip: add posture checks endpoints
* go mod tidy
* Reference the posture checks by id's in policy
* Add posture checks management to server
* Add posture checks management mocks
* implement posture checks handlers
* Add posture checks to account copy and fix tests
* Refactor posture checks validation
* wip: Add posture checks handler tests
* Add JSON encoding support to posture checks
* Encode posture checks to correct api response object
* Refactored posture checks implementation to align with the new API schema
* Refactor structure of `Checks` from slice to map
* Cleanup
* Add posture check activities (#1445)
* Revert map to use list of checks
* Add posture check activity events
* Refactor posture check initialization in account test
* Improve the handling of version range in posture check
* Fix tests and linter
* Remove max_version from NBVersionCheck
* Added unit tests for NBVersionCheck
* go mod tidy
* Extend policy endpoint with posture checks (#1450)
* Implement posture and version checks in API models
* go mod tidy
* Allow attaching posture checks to policy
* Update error message for linked posture check on deleting
* Refactor PostureCheck and Checks structures
* go mod tidy
* Add validation for non-existing posture checks
* fix unit tests
* use Wt version
* Remove the enabled field, as posture check will now automatically be activated by default when attaching to a policy
* Extend network map generation with posture checks (#1466)
* Apply posture checks to network map generation
* run policy posture checks on peers to connect
* Refactor and streamline policy posture check process for peers to connect.
* Add posture checks testing in a network map
* Remove redundant nil check in policy.go
* Refactor peer validation check in policy.go
* Update 'Check' function signature and use logger for version check
* Refactor posture checks run on sources and updated the validation func
* Update peer validation
* fix tests
* improved test coverage for policy posture check
* Refactoring
* Extend NetBird agent to collect kernel version (#1495)
* Add KernelVersion field to LoginRequest
* Add KernelVersion to system info retrieval
* Fix tests
* Remove Core field from system info
* Replace Core field with new OSVersion field in system info
* Added WMI dependency to info_windows.go
* Add OS Version posture checks (#1479)
* Initial support of Geolocation service (#1491)
* Add Geo Location posture check (#1500)
* wip: implement geolocation check
* add geo location posture checks to posture api
* Merge branch 'feature/posture-checks' into geo-posture-check
* Remove CityGeoNameID and update required fields in API
* Add geoLocation checks to posture checks handler tests
* Implement geo location-based checks for peers
* Update test values and embed location struct in peer system
* add support for country wide checks
* initialize country code regex once
* Fix peer meta core compability with older clients (#1515)
* Refactor extraction of OSVersion in grpcserver
* Ignore lint check
* Fix peer meta core compability with older management (#1532)
* Revert core field deprecation
* fix tests
* Extend peer meta with location information (#1517)
This PR uses the geolocation service to resolve IP to location.
The lookup happens once on the first connection - when a client calls the Sync func.
The location is stored as part of the peer:
* Add Locations endpoints (#1516)
* add locations endpoints
* Add sqlite3 check and database generation in geolite script
* Add SQLite storage for geolocation data
* Refactor file existence check into a separate function
* Integrate geolocation services into management application
* Refactoring
* Refactor city retrieval to include Geonames ID
* Add signature verification for GeoLite2 database download
* Change to in-memory database for geolocation store
* Merge manager to geolocation
* Update GetAllCountries to return Country name and iso code
* fix tests
* Add reload to SqliteStore
* Add geoname indexes
* move db file check to connectDB
* Add concurrency safety to SQL queries and database reloading
The commit adds mutex locks to the GetAllCountries and GetCitiesByCountry functions to ensure thread-safety during database queries. Additionally, it introduces a mechanism to safely close the old database connection before a new connection is established upon reloading, which improves the reliability of database operations. Lastly, it moves the checking of database file existence to the connectDB function.
* Add sha256 sum check to geolocation store before reload
* Use read lock
* Check SHA256 twice when reload geonames db
---------
Co-authored-by: Yury Gargay <yury.gargay@gmail.com>
* Add tests and validation for empty peer location in GeoLocationCheck (#1546)
* Disallow Geo check creation/update without configured Geo DB (#1548)
* Fix shared access to in memory copy of geonames.db (#1550)
* Trim suffix in when evaluate Min Kernel Version in OS check
* Add Valid Peer Windows Kernel version test
* Add Geolocation handler tests (#1556)
* Implement user admin checks in posture checks
* Add geolocation handler tests
* Mark initGeolocationTestData as helper func
* Add error handling to geolocation database closure
* Add cleanup function to close geolocation resources
* Simplify checks definition serialisation (#1555)
* Regenerate network map on posture check update (#1563)
* change network state and generate map on posture check update
* Refactoring
* Make city name optional (#1575)
* Do not return empty city name
* Validate action param of geo location checks (#1577)
We only support allow and deny
* Switch realip middleware to upstream (#1578)
* Be more silent in download-geolite2.sh script
* Fix geonames db reload (#1580)
* Ensure posture check name uniqueness when create (#1594)
* Enhance the management of posture checks (#1595)
* add a correct min version and kernel for os posture check example
* handle error when geo or location db is nil
* expose all peer location details in api response
* Check for nil geolocation manager only
* Validate posture check before save
* bump open api version
* add peer location fields to toPeerListItemResponse
* Feautre/extend sys meta (#1536)
* Collect network addresses
* Add Linux sys product info
* Fix peer meta comparison
* Collect sys info on mac
* Add windows sys info
* Fix test
* Fix test
* Fix grpc client
* Ignore test
* Fix test
* Collect IPv6 addresses
* Change the IP to IP + net
* fix tests
* Use netip on server side
* Serialize netip to json
* Extend Peer metadata with cloud detection (#1552)
* add cloud detection + test binary
* test windows exe
* Collect IPv6 addresses
* Change the IP to IP + net
* switch to forked cloud detect lib
* new test builds
* new GCE build
* discontinue using library but local copy instead
* fix imports
* remove openstack check
* add hierarchy to cloud check
* merge IBM and SoftLayer
* close resp bodies and use os lib for file reading
* close more resp bodies
* fix error check logic
* parallelize IBM checks
* fix response value
* go mod tidy
* include context + change kubernetes detection
* add context in info functions
* extract platform into separate field
* fix imports
* add missing wmi import
---------
Co-authored-by: Zoltan Papp <zoltan.pmail@gmail.com>
---------
Co-authored-by: pascal-fischer <32096965+pascal-fischer@users.noreply.github.com>
* generate proto
* remove test binaries
---------
Co-authored-by: bcmmbaga <bethuelmbaga12@gmail.com>
Co-authored-by: Yury Gargay <yury.gargay@gmail.com>
Co-authored-by: Zoltan Papp <zoltan.pmail@gmail.com>
This PR implements the following posture checks:
* Agent minimum version allowed
* OS minimum version allowed
* Geo-location based on connection IP
For the geo-based location, we rely on GeoLite2 databases which are free IP geolocation databases. MaxMind was tested and we provide a script that easily allows to download of all necessary files, see infrastructure_files/download-geolite2.sh.
The OpenAPI spec should extensively cover the life cycle of current version posture checks.
In the case of disabled stub listeren the list of name servers is unordered. The solution is to configure the resolv.conf file directly instead of dbus API.
Because third-party services also can manipulate the DNS settings the agent watch the resolv.conf file and keep it up to date.
- apply file type DNS manager if in the name server list does not exist the 127.0.0.53 address
- watching the resolv.conf file with inotify service and overwrite all the time if the configuration has changed and it invalid
- fix resolv.conf generation algorithm
This PR aims to integrate Rosenpass with NetBird. It adds a manager for Rosenpass that starts a Rosenpass server and handles the managed peers. It uses the cunicu/go-rosenpass implementation. Rosenpass will then negotiate a pre-shared key every 2 minutes and apply it to the wireguard connection.
The Feature can be enabled by setting a flag during the netbird up --enable-rosenpass command.
If two peers are both support and have the Rosenpass feature enabled they will create a post-quantum secure connection. If one of the peers or both don't have this feature enabled or are running an older version that does not have this feature yet, the NetBird client will fall back to a plain Wireguard connection without pre-shared keys for those connections (keeping Rosenpass negotiation for the rest).
Additionally, this PR includes an update of all Github Actions workflows to use go version 1.21.0 as this is a requirement for the integration.
---------
Co-authored-by: braginini <bangvalo@gmail.com>
Co-authored-by: Maycon Santos <mlsmaycon@gmail.com>
Add netstack support for the agent to run it without privileges.
- use interface for tun device
- use common IPC for userspace WireGuard integration
- move udpmux creation and sharedsock to tun layer
Restructure data handling for improved performance and flexibility.
Introduce 'G'-prefixed fields to represent Gorm relations, simplifying resource management.
Eliminate complexity in lookup tables for enhanced query and write speed.
Enable independent operations on data structures, requiring adjustments in the Store interface and Account Manager.
added intergration with JumpCloud User API. Use the steps in setup.md for configuration.
Additional changes:
- Enhance compatibility for providers that lack audience support in the Authorization Code Flow and the Authorization - - Code Flow with Proof Key for Code Exchange (PKCE) using NETBIRD_DASH_AUTH_USE_AUDIENCE=falseenv
- Verify tokens by utilizing the client ID when audience support is absent in providers
In case the route management feature is not supported
then do not create unnecessary firewall and manager instances.
This can happen if the nftables nor iptables is not available on the host OS.
- Move the error handling to upper layer
- Remove fake, useless implementations of interfaces
- Update go-iptables because In Docker the old version can not
determine well the path of executable file
- update lib to 0.70
EBPF proxy between TURN (relay) and WireGuard to reduce number of used ports used by the NetBird agent.
- Separate the wg configuration from the proxy logic
- In case if eBPF type proxy has only one single proxy instance
- In case if the eBPF is not supported fallback to the original proxy Implementation
Between the signature of eBPF type proxy and original proxy has
differences so this is why the factory structure exists
* use ipset for iptables
* Update unit-tests for iptables
* Remove debug code
* Update dependencies
* Create separate sets for dPort and sPort rules
* Fix iptables tests
* Fix 0.0.0.0 processing in iptables with ipset
- wireguard/windows version update to 0.5.3
- follow up forked wireguard-go MTU related changes
- fix MTU settings on Windows
---------
Co-authored-by: Maycon Santos <mlsmaycon@gmail.com>
This PR brings support of a shared port between stun (ICE agent) and
the kernel WireGuard
It implements a single port mode for execution with kernel WireGuard
interface using a raw socket listener.
BPF filters ensure that only STUN packets hit the NetBird userspace app
Removed a lot of the proxy logic and direct mode exchange.
Now we are doing an extra hole punch to the remote WireGuard
port for best-effort cases and support to old client's direct mode.
This PR adds supports for the WireGuard userspace implementation
using Bind interface from wireguard-go.
The newly introduced ICEBind struct implements Bind with UDPMux-based
structs from pion/ice to handle hole punching using ICE.
The core implementation was taken from StdBind of wireguard-go.
The result is a single WireGuard port that is used for host and server reflexive candidates.
Relay candidates are still handled separately and will be integrated in the following PRs.
ICEBind checks the incoming packets for being STUN or WireGuard ones
and routes them to UDPMux (to handle hole punching) or to WireGuard respectively.
Default Rego policy generated from the rules in some cases is broken.
This change fixes the Rego template for rules to generate policies.
Also, file store load constantly regenerates policy objects from rules.
It allows updating/fixing of the default Rego template during releases.
Before defining if we will use direct or proxy connection we will exchange a
message with the other peer if the modes match we keep the decision
from the shouldUseProxy function otherwise we skip using direct connection.
Added a feature support message to the signal protocol
Among other improvements, it fixes a memory leak with
srfx conn channels not being closed
it also make use of new pion/transport Net interface
https://github.com/pion/ice/pull/471
Adding --external-ip-map and --dns-resolver-address to up command and shorthand option to global flags.
Refactor get and read config functions with new ConfigInput type.
updated cobra package to latest release.
This PR adds system activity tracking.
The management service records events like
add/remove peer, group, rule, route, etc.
The activity events are stored in the SQLite event store
and can be queried by the HTTP API.
Added host configurators for Linux, Windows, and macOS.
The host configurator will update the peer system configuration
directing DNS queries according to its capabilities.
Some Linux distributions don't support split (match) DNS or custom ports,
and that will be reported to our management system in another PR
This PR brings open-telemetry metrics to the
Management service.
The Management service exposes new HTTP endpoint
/metrics on 8081 port by default.
The port can be changed by specifying
--metrics-port PORT flag when starting the service.
This PR brings user invites logic to the Management service
via HTTP API.
The POST /users/ API endpoint creates a new user in the Idp
and then in the local storage.
Once the invited user signs ups, the account invitation is redeemed.
There are a few limitations.
This works only with an enabled IdP manager.
Users that already have a registered account can't be invited.
* Seticon only when status changes
This prevents a memory leak with the systray lib
when setting the icon every 2 seconds causes a large memory consumption
see https://github.com/getlantern/systray/issues/135
* Use fork with permanent fix
Handle routes updates from management
Manage routing firewall rules
Manage peer RIB table
Add get peer and get notification channel from the status recorder
Update interface peers allowed IPs
This PR is a part of an effort to use standard ports (443 or 80) that are usually allowed by default in most of the environments.
Right now Management Service runs the Let'sEncrypt manager on port 443, HTTP API server on port 33071,
and a gRPC server on port 33073. There are three separate listeners.
This PR combines these listeners into one.
With this change, the HTTP and gRPC server runs on either 443 with TLS or 80 without TLS
by default (no --port specified).
Let's Encrypt manager always runs on port 443 if enabled.
The backward compatibility server runs on port 33073 (with TLS or without).
HTTP port 33071 is obsolete and not used anymore.
Newly installed agents will connect to port 443 by default instead of port 33073 if not specified otherwise.
Right now Signal Service runs the Let'sEncrypt manager on port 80
and a gRPC server on port 10000. There are two separate listeners.
This PR combines these listeners into one with a cmux lib.
The gRPC server runs on either 443 with TLS or 80 without TLS.
Let's Encrypt manager always runs on port 80.
This PR adds support for SSH access through the NetBird network
without managing SSH skeys.
NetBird client app has an embedded SSH server (Linux/Mac only)
and a netbird ssh command.
Introduced an OpenAPI specification.
Updated API handlers to use the specification types.
Added patch operation for rules and groups
and methods to the account manager.
HTTP PUT operations require id, fail if not provided.
Use snake_case for HTTP request and response body
The peer IP allocation logic was allocating sequential peer IP from the 100.64.0.0/10
address block.
Each account is created with a random subnet from 100.64.0.0/10.
The total amount of potential subnets is 64.
The new logic allocates random peer IP
from the account subnet.
This gives us flexibility to add support for
multi subnet accounts without overlapping IPs.
UI and CLI Clients are now able to use SSO login by default
we will check if the management has configured or supports SSO providers
daemon will handle fetching and waiting for an access token
Oauth package was moved to internal to avoid one extra package at this stage
Secrets were removed from OAuth
CLI clients have less and better output
2 new status were introduced, NeedsLogin and FailedLogin for better messaging
With NeedsLogin we no longer have endless login attempts
Exposes endpoint under "/users/" that returns information on users.
Calls IDP manager to get information not stored locally (email, name),
which in the case of the managed version is auth0.
Agent systray UI has been extended with
a setting window that allows configuring
management URL, admin URL and
supports pre-shared key.
While for the Netbird managed version
the Settings are not necessary, it helps
to properly configure the self-hosted version.
Add method for rotating access token with refresh tokens
This will be useful for catching expired sessions and
offboarding users
Also added functions to handle secrets. They have to be revisited
as some tests didn't run on CI as they waited some user input, like password
* test: WIP mocking the grpc server for testing the sending of the client information
* WIP: Test_SystemMetaDataFromClient with mocks, todo:
* fix: failing meta data test
* test: add system meta expectation in management client test
* fix: removing deprecated register function, replacing with new one
* fix: removing deprecated register function from mockclient interface impl
* fix: fixing interface declaration
* chore: remove unused commented code
Co-authored-by: braginini <bangvalo@gmail.com>
* update interface tests and configuration messages
* little debug
* little debug on both errors
* print all devs
* list of devices
* debug func
* handle interface close
* debug socks
* debug socks
* if ports match
* use random assigned ports
* remove unused const
* close management client connection when stopping engine
* GracefulStop when management clients are closed
* enable workflows on PRs too
* remove iface_test debug code
