38ada44a0e
[management] allow impersonation via pats ( #3739 )
2025-04-25 16:40:54 +02:00
986eb8c1e0
[management] fix lastLogin on dashboard ( #3725 )
2025-04-23 15:54:49 +02:00
fd2a21c65d
[management] remove unnecessary access control middleware ( #3650 )
2025-04-11 10:43:59 +01:00
77e40f41f2
[management] refactor auth ( #3296 )
2025-02-20 20:24:40 +00:00
4cdb2e533a
[management] Refactor users to use store methods ( #2917 )
...
* Refactor setup key handling to use store methods
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* add lock to get account groups
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* add check for regular user
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* get only required groups for auto-group validation
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* add account lock and return auto groups map on validation
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* refactor account peers update
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Refactor groups to use store methods
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* refactor GetGroupByID and add NewGroupNotFoundError
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Add AddPeer and RemovePeer methods to Group struct
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Preserve store engine in SqlStore transactions
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Run groups ops in transaction
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix missing group removed from setup key activity
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix merge
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Refactor posture checks to remove get and save account
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix refactor
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix merge
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix sonar
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Change setup key log level to debug for missing group
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Retrieve modified peers once for group events
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Refactor policy get and save account to use store methods
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Fix tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Add tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Add tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Retrieve policy groups and posture checks once for validation
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Fix typo
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Add policy tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Refactor anyGroupHasPeers to retrieve all groups once
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Refactor dns settings to use store methods
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Add tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Add account locking and merge group deletion methods
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Fix tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Refactor name server groups to use store methods
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Add tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Add peer store methods
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Refactor ephemeral peers
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Add lock for peer store methods
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Refactor peer handlers
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Refactor peer to use store methods
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Fix tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Fix typo
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Add locks and remove log
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* run peer ops in transaction
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* remove duplicate store method
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix peer fields updated after save
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* add tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Use update strength and simplify check
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* prevent changing ruleID when not empty
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* prevent duplicate rules during updates
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix lint
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Refactor auth middleware
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Refactor account methods and mock
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Refactor user and PAT handling
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Remove db query context and fix get user by id
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Fix database transaction locking issue
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Fix tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Use UTC time in test
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Add account locks
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Fix prevent users from creating PATs for other users
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Add tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Add store locks and prevent fetching setup keys peers when retrieving user peers with empty userID
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Add missing tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Refactor test names and remove duplicate TestPostgresql_SavePeerStatus
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Add account locks and remove redundant ephemeral check
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Retrieve all groups for peers and restrict groups for regular users
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Fix merge
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Fix merge
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix merge
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix store tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* use account object to get validated peers
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Fix merge
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Improve peer performance
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Get account direct from store without buffer
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Add get peer groups tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Adjust benchmarks
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Adjust benchmarks
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* [management] Update benchmark workflow (#3181 )
* update local benchmark expectations
* update cloud expectations
* Add status error for generic result error
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Use integrated validator direct
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* update expectations
* update expectations
* update expectations
* Refactor peer scheduler to retry every 3 seconds on errors
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* update expectations
* fix validator
* fix validator
* fix validator
* update timeouts
* Refactor ToGroupsInfo to process slices of groups
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* update expectations
* update expectations
* update expectations
* Bump integrations version
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Refactor GetValidatedPeers
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Fix tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* go mod tidy
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Use peers and groups map for peers validation
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* remove mysql from api benchmark tests
* Fix merge
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Fix blocked db calls on user auto groups update
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Fix tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* update expectations
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* update expectations
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Skip user check for system initiated peer deletion
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Remove context in db calls
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* update expectations
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* [management] Improve group peer/resource counting (#3192 )
* Fix sonar
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Adjust bench expectations
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Rename GetAccountInfoFromPAT to GetTokenInfo
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Fix tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Remove global account lock for ListUsers
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* build userinfo after updating users in db
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* [management] Optimize user bulk deletion (#3315 )
* refactor building user infos
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* remove unused code
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Refactor GetUsersFromAccount to return a map of UserInfo instead of a slice
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Export BuildUserInfosForAccount to account manager
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Fetch account user info once for bulk users save
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Update user deletion expectations
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Set max open conns for activity store
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Update bench expectations
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
---------
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
---------
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
Co-authored-by: Pascal Fischer <32096965+pascal-fischer@users.noreply.github.com >
Co-authored-by: Pascal Fischer <pascal@netbird.io >
Co-authored-by: Pedro Costa <550684+pnmcosta@users.noreply.github.com >
2025-02-17 21:43:12 +03:00
02a3feddb8
[management] Add MySQL Support ( #3108 )
...
* Add mysql store support
* Add support to disable activity events recording
2025-01-06 13:38:30 +01:00
2bdb4cb44a
[management] Preserve jwt groups when accessing API with PAT ( #3128 )
...
* Skip JWT group sync for token-based authentication
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Add tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
---------
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
2024-12-31 18:59:37 +03:00
ddc365f7a0
[client, management] Add new network concept ( #3047 )
...
---------
Co-authored-by: Pascal Fischer <32096965+pascal-fischer@users.noreply.github.com >
Co-authored-by: bcmmbaga <bethuelmbaga12@gmail.com >
Co-authored-by: Maycon Santos <mlsmaycon@gmail.com >
Co-authored-by: Zoltan Papp <zoltan.pmail@gmail.com >
2024-12-20 11:30:28 +01:00
765aba2c1c
Add context to throughout the project and update logging ( #2209 )
...
propagate context from all the API calls and log request ID, account ID and peer ID
---------
Co-authored-by: Zoltan Papp <zoltan.pmail@gmail.com >
2024-07-03 11:33:02 +02:00
d8ce08d898
Extend bypass middleware with support of wildcard paths ( #1628 )
...
---------
Co-authored-by: Viktor Liu <viktor@netbird.io >
2024-02-26 17:54:58 +01:00
b7a6cbfaa5
Add account usage logic ( #1567 )
...
---------
Co-authored-by: Yury Gargay <yury.gargay@gmail.com >
2024-02-22 12:27:08 +01:00
cba3c549e9
Add JWT group-based access control for adding new peers ( #1383 )
...
* Added function to check user access by JWT groups in the account management mock server and account manager
* Refactor auth middleware for group-based JWT access control
* Add group-based JWT access control on adding new peer with JWT
* Remove mapping error as the token validation error is already present in grpc error codes
* use GetAccountFromToken to prevent single mode issues
* handle foreground login message
---------
Co-authored-by: Maycon Santos <mlsmaycon@gmail.com >
2023-12-13 13:18:35 +03:00
d275d411aa
Enable JWT group-based user authorization ( #1368 )
...
* Extend management API to support list of allowed JWT groups (#1366 )
* Add JWTAllowGroups settings to account management
* Return an empty group list if jwt allow groups is not set
* Add JwtAllowGroups to account settings in handler test
* Add JWT group-based user authorization (#1373 )
* Add JWTAllowGroups settings to account management
* Return an empty group list if jwt allow groups is not set
* Add JwtAllowGroups to account settings in handler test
* Implement user access validation authentication based on JWT groups
* Remove the slices package import due to compatibility issues with the gitHub workflow(s) Go version
* Refactor auth middleware and test for extracted claim handling
* Optimize JWT group check in auth middleware to cover nil and empty allowed groups
2023-12-11 18:59:15 +03:00
d7efea74b6
add owner role support ( #1340 )
...
This PR adds support to Owner roles.
The owner role has a similar access level as the admin, but it has the power to delete the account.
Besides that, the role has the following constraints:
- The role can only be transferred. So, only a user with the owner role can transfer the owner role to a new user
- It can't be assigned to users being invited
- It can't be assigned to service users
2023-12-01 17:24:57 +01:00
63d211c698
Prepare regexps on compile time ( #1327 )
2023-11-27 13:01:00 +01:00
a40261ff7e
Log access control error ( #1299 )
2023-11-09 17:15:59 +01:00
87cc53b743
Add management-integrations ( #1227 )
2023-10-17 17:19:47 +02:00
bb40325977
Update GitHub Actions and Enhance golangci-lint ( #1075 )
...
This PR showcases the implementation of additional linter rules. I've updated the golangci-lint GitHub Actions to the latest available version. This update makes sure that the tool works the same way locally - assuming being updated regularly - and with the GitHub Actions.
I've also taken care of keeping all the GitHub Actions up to date, which helps our code stay current. But there's one part, goreleaser that's a bit tricky to test on our computers. So, it's important to take a close look at that.
To make it easier to understand what I've done, I've made separate changes for each thing that the new linters found. This should help the people reviewing the changes see what's going on more clearly. Some of the changes might not be obvious at first glance.
Things to consider for the future
CI runs on Ubuntu so the static analysis only happens for Linux. Consider running it for the rest: Darwin, Windows
2023-09-04 17:03:44 +02:00
f89c200ce9
Fix api Auth with PAT when a custom UserIDClaim is configured in management.json ( #1120 )
...
The API authentication with PATs was not considering different userIDClaim
that some of the IdPs are using.
In this PR we read the userIDClaim from the config file
instead of using the fixed default and only keep
it as a fallback if none in defined.
2023-09-01 18:09:59 +02:00
2541c78dd0
Use error level for JWT parsing error logs ( #1026 )
2023-07-22 17:56:27 +02:00
e3d2b6a408
Block user through HTTP API ( #846 )
...
The new functionality allows blocking a user in the Management service.
Blocked users lose access to the Dashboard, aren't able to modify the network map,
and all of their connected devices disconnect and are set to the "login expired" state.
Technically all above was achieved with the updated PUT /api/users endpoint,
that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
f1da4fd55d
using old isAdmin function to create account
2023-05-02 16:49:29 +02:00
6fec0c682e
Merging full service user feature into main ( #819 )
...
Merging full feature branch into main.
Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
6aba28ccb7
remove UTC from some not store related operations
2023-04-10 10:54:23 +02:00
489892553a
use UTC everywhere in server
2023-04-03 15:09:35 +02:00
d3de035961
error responses always lower case + duplicate error response fix
2023-04-01 11:04:21 +02:00
931c20c8fe
fix test name
2023-03-31 12:45:10 +02:00
2eaf4aa8d7
add test for auth middleware
2023-03-31 12:44:22 +02:00
110067c00f
change order for access control checks and aquire account lock after global lock
2023-03-31 12:03:53 +02:00
32c96c15b8
disable linter errors by comment
2023-03-31 10:30:05 +02:00
ca1dc5ac88
disable access control for token endpoint
2023-03-30 19:03:44 +02:00
f273fe9f51
revert codacy
2023-03-30 18:54:55 +02:00
e08af7fcdf
codacy
2023-03-30 17:46:21 +02:00
454240ca05
comments for codacy
2023-03-30 17:32:44 +02:00
1343a3f00e
add test + codacy
2023-03-30 16:43:39 +02:00
6c8bb60632
fix merge
2023-03-30 16:06:46 +02:00
4d7029d80c
Merge branch 'main' into feature/add_pat_middleware
...
# Conflicts:
# management/server/grpcserver.go
# management/server/http/middleware/jwt.go
2023-03-30 16:06:21 +02:00
db3a9f0aa2
refactor jwt token validation and add PAT to middleware auth
2023-03-30 10:54:09 +02:00
a27fe4326c
Add JWT middleware validation failure log ( #760 )
...
We will log the middleware log now, but in the next
releases we should provide a generic error that can be
parsed by the dashboard.
2023-03-23 18:26:41 +01:00
3ec8274b8e
Feature: add custom id claim ( #667 )
...
This feature allows using the custom claim in the JWT token as a user ID.
Refactor claims extractor with options support
Add is_current to the user API response
2023-02-03 21:47:20 +01:00
0be46c083d
Generate validation certificate from mandatory JWK fields ( #614 )
...
When there is no X5c we will use N and E fields of
a JWK to generate the public RSA and a Pem certificate
2022-12-07 22:06:43 +01:00
509d23c7cf
Replace gRPC errors in business logic with internal ones ( #558 )
2022-11-11 20:36:45 +01:00
4321b71984
Hide content based on user role ( #541 )
2022-11-05 10:24:50 +01:00
6aa7a2c5e1
Hide setup key from non-admin users ( #539 )
2022-11-03 17:02:31 +01:00
84879a356b
Extract app metrics to a separate struct ( #520 )
2022-10-22 11:50:21 +02:00
ed2214f9a9
Add HTTP request/response totals to metrics ( #519 )
2022-10-22 10:07:13 +02:00
4f1f0df7d2
Add Open-telemetry support ( #517 )
...
This PR brings open-telemetry metrics to the
Management service.
The Management service exposes new HTTP endpoint
/metrics on 8081 port by default.
The port can be changed by specifying
--metrics-port PORT flag when starting the service.
2022-10-21 16:24:13 +02:00
65069c1787
feat(ac): add access control middleware ( #321 )
2022-05-25 18:26:50 +02:00
fec3132585
Adding peer registration support to JWT ( #305 )
...
The management will validate the JWT as it does in the API
and will register the Peer to the user's account.
New fields were added to grpc messages in management
and client daemon and its clients were updated
Peer has one new field, UserID,
that will hold the id of the user that registered it
JWT middleware CheckJWT got a splitter
and renamed to support validation for non HTTP requests
Added test for adding new Peer with UserID
Lots of tests update because of a new field
2022-05-05 20:02:15 +02:00
38e3c9c062
Add cors headers ( #85 )
...
* disable EnableAuthOnOptions
* Setup basic cors headers
* feature: user cors lib
2021-08-16 11:29:57 +02:00
