Zoltan Papp
d93dd4fc7f
[relay-server] Move the handshake logic to separated struct ( #2648 )
...
* Move the handshake logic to separated struct
- The server will response to the client after it ready to process the peer
- Preload the response messages
* Fix deprecated lint issue
* Fix error handling
* [relay-server] Relay measure auth time (#2675 )
Measure the Relay client's authentication time
2024-10-12 18:21:34 +02:00
Viktor Liu
3a88ac78ff
[client] Add table filter rules using iptables ( #2727 )
...
This specifically concerns the established/related rule since this one is not compatible with iptables-nft even if it is generated the same way by iptables-translate.
2024-10-12 10:44:48 +02:00
Maycon Santos
da3a053e2b
[management] Refactor getAccountIDWithAuthorizationClaims ( #2715 )
...
This change restructures the getAccountIDWithAuthorizationClaims method to improve readability, maintainability, and performance.
- have dedicated methods to handle possible cases
- introduced Store.UpdateAccountDomainAttributes and Store.GetAccountUsers methods
- Remove GetAccount and SaveAccount dependency
- added tests
2024-10-12 08:35:51 +02:00
Zoltan Papp
0e95f16cdd
[relay,client] Relay/fix/wg roaming ( #2691 )
...
If a peer connection switches from Relayed to ICE P2P, the Relayed proxy still consumes the data the other peer sends. Because the proxy is operating, the WireGuard switches back to the Relayed proxy automatically, thanks to the roaming feature.
Extend the Proxy implementation with pause/resume functions. Before switching to the p2p connection, pause the WireGuard proxy operation to prevent unnecessary package sources.
Consider waiting some milliseconds after the pause to be sure the WireGuard engine already processed all UDP msg in from the pipe.
2024-10-11 16:24:30 +02:00
pascal-fischer
b2379175fe
[signal] new signal dispatcher version ( #2722 )
2024-10-10 16:23:46 +02:00
Viktor Liu
09bdd271f1
[client] Improve route acl ( #2705 )
...
- Update nftables library to v0.2.0
- Mark traffic that was originally destined for local and applies the input rules in the forward chain if said traffic was redirected (e.g. by Docker)
- Add nft rules to internal map only if flush was successful
- Improve error message if handle is 0 (= not found or hasn't been refreshed)
- Add debug logging when route rules are added
- Replace nftables userdata (rule ID) with a rule hash
2024-10-10 15:54:34 +02:00
Misha Bragin
208a2b7169
Add billing user role ( #2714 )
2024-10-10 14:14:56 +02:00
pascal-fischer
8284ae959c
[management] Move testdata to sql files ( #2693 )
2024-10-10 12:35:03 +02:00
Maycon Santos
6ce09bca16
Add support to envsub go management configurations ( #2708 )
...
This change allows users to reference environment variables using Go template format, like {{ .EnvName }}
Moved the previous file test code to file_suite_test.go.
2024-10-09 20:46:23 +02:00
pascal-fischer
b79c1d64cc
[management] Make max open db conns configurable ( #2713 )
2024-10-09 20:17:25 +02:00
Misha Bragin
b1eda43f4b
Add Link to the Lawrence Systems video ( #2711 )
2024-10-09 14:56:25 +02:00
pascal-fischer
d4ef84fe6e
[management] Propagate error in store errors ( #2709 )
2024-10-09 14:33:58 +02:00
Viktor Liu
44e8107383
[client] Limit P2P attempts and restart on specific events ( #2657 )
2024-10-08 11:21:11 +02:00
Bethuel Mmbaga
2c1f5e46d5
[management] Validate peer ownership during login ( #2704 )
...
* check peer ownership in login
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* update error message
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
---------
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
2024-10-07 19:06:26 +03:00
pascal-fischer
dbec24b520
[management] Remove admin check on getAccountByID ( #2699 )
2024-10-06 17:01:13 +02:00
Carlos Hernandez
f603cd9202
[client] Check wginterface instead of engine ctx ( #2676 )
...
Moving code to ensure wgInterface is gone right after context is
cancelled/stop in the off chance that on next retry the backoff
operation is permanently cancelled and interface is abandoned without
destroying.
2024-10-04 19:15:16 +02:00
Bethuel Mmbaga
5897a48e29
fix wrong reference ( #2695 )
...
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
2024-10-04 18:55:25 +03:00
Bethuel Mmbaga
8bf729c7b4
[management] Add AccountExists to AccountManager ( #2694 )
...
* Add AccountExists method to account manager interface
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* remove unused code
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
---------
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
2024-10-04 18:09:40 +03:00
Bethuel Mmbaga
7f09b39769
[management] Refactor User JWT group sync ( #2690 )
...
* Refactor GetAccountIDByUserOrAccountID
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* sync user jwt group changes
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* propagate jwt group changes to peers
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* fix no jwt groups synced
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* fix tests and lint
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* Move the account peer update outside the transaction
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* move updateUserPeersInGroups to account manager
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* move event store outside of transaction
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* get user with update lock
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* Run jwt sync in transaction
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
---------
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
2024-10-04 17:17:01 +03:00
pascal-fischer
158936fb15
[management] Remove file store ( #2689 )
2024-10-03 15:50:35 +02:00
Maycon Santos
8934453b30
Update management base docker image ( #2687 )
2024-10-02 19:29:51 +03:00
Zoltan Papp
fd67892cb4
[client] Refactor/iface pkg ( #2646 )
...
Refactor the flat code structure
2024-10-02 18:24:22 +02:00
pascal-fischer
7e5d3bdfe2
[signal] Move dummy signal message handling into dispatcher ( #2686 )
2024-10-02 15:33:38 +02:00
Maycon Santos
b7b0828133
[client] Adjust relay worker log level and message ( #2683 )
2024-10-02 15:14:09 +02:00
Bethuel Mmbaga
ff7863785f
[management, client] Add access control support to network routes ( #2100 )
2024-10-02 13:41:00 +02:00
Maycon Santos
a3a479429e
Use the pkgs to get the latest version ( #2682 )
...
* Use the pkgs to get the latest version
* disable fail fast
2024-10-02 11:48:42 +02:00
Maycon Santos
5932298ce0
Add log setting to Caddy container ( #2684 )
...
This avoids full disk on busy systems
2024-10-02 11:48:09 +02:00
Zoltan Papp
ee0ea86a0a
[relay-client] Fix Relay disconnection handling ( #2680 )
...
* Fix Relay disconnection handling
If has an active P2P connection meanwhile the Relay connection broken with the server then we removed the WireGuard peer configuration.
* Change logs
2024-10-01 16:22:18 +02:00
Simen
24c0aaa745
Install sh alpine fixes ( #2678 )
...
* Made changes to the peer install script that makes it work on alpine linux without changes
* fix small oversight with doas fix
* use try catch approach when curling binaries
2024-10-01 13:32:58 +02:00
pascal-fischer
16179db599
[management] Propagate metrics ( #2667 )
2024-09-30 22:18:10 +02:00
Maycon Santos
e27f85b317
Update docker creds ( #2677 )
2024-09-30 20:07:21 +02:00
Gianluca Boiano
2fd60b2cb4
Specify goreleaser version and update to 2 ( #2673 )
2024-09-30 16:43:34 +02:00
Zoltan Papp
3dca6099d4
Fix ebpf close function ( #2672 )
2024-09-30 10:34:57 +02:00
pascal-fischer
cfbcf507fb
propagate meter ( #2668 )
2024-09-29 20:23:34 +02:00
pascal-fischer
52ae693c9e
[signal] add context to signal-dispatcher ( #2662 )
2024-09-29 00:22:47 +02:00
adasauce
58ff7ab797
[management] improve zitadel idp error response detail by decoding errors ( #2634 )
...
* [management] improve zitadel idp error response detail by decoding errors
* [management] extend readZitadelError to be used for requestJWTToken
more generically parse the error returned by zitadel.
* fix lint
---------
Co-authored-by: bcmmbaga <bethuelmbaga12@gmail.com>
2024-09-27 22:21:34 +03:00
Bethuel Mmbaga
acb73bd64a
[management] Remove redundant get account calls in GetAccountFromToken ( #2615 )
...
* refactor access control middleware and user access by JWT groups
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* refactor jwt groups extractor
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* refactor handlers to get account when necessary
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* refactor getAccountFromToken
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* refactor getAccountWithAuthorizationClaims
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* fix merge
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* revert handles change
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* remove GetUserByID from account manager
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* fix tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* refactor getAccountWithAuthorizationClaims to return account id
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* refactor handlers to use GetAccountIDFromToken
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* fix tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* remove locks
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* refactor
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* add GetGroupByName from store
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* add GetGroupByID from store and refactor
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* Refactor retrieval of policy and posture checks
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* Refactor user permissions and retrieves PAT
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* Refactor route, setupkey, nameserver and dns to get record(s) from store
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* Refactor store
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* fix lint
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* fix tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* fix add missing policy source posture checks
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* add store lock
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* fix tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* add get account
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
---------
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
2024-09-27 17:10:50 +03:00
Zoltan Papp
4ebf6e1c4c
[client] Close the remote conn in proxy ( #2626 )
...
Port the conn close call to eBPF proxy
2024-09-25 18:50:10 +02:00
pascal-fischer
1e4a0f77e2
Add get DB method to store ( #2650 )
2024-09-25 18:22:27 +02:00
Viktor Liu
b51d75204b
[client] Anonymize relay address in status peers view ( #2640 )
2024-09-24 20:58:18 +02:00
Viktor Liu
e7d52c8c95
[client] Fix error count formatting ( #2641 )
2024-09-24 20:57:56 +02:00
Viktor Liu
ab82302c95
[client] Remove usage of custom dialer for localhost ( #2639 )
...
* Downgrade error log level for network monitor warnings
* Do not use custom dialer for localhost
2024-09-24 12:29:15 +02:00
pascal-fischer
d47be154ea
[misc] Fix ip range posture check example ( #2628 )
2024-09-23 10:02:03 +02:00
Bethuel Mmbaga
35c892aea3
[management] Restrict accessible peers to user-owned peers for non-admins ( #2618 )
...
* Restrict accessible peers to user-owned peers for non-admin users
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* add tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* add service user test
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* reuse account from token
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* return error when peer not found
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
---------
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
2024-09-20 12:36:58 +03:00
Zoltan Papp
fc4b37f7bc
Exit from processConnResults after all tries ( #2621 )
...
* Exit from processConnResults after all tries
If all server is unavailable then the server picker never return
because we never close the result channel.
Count the number of the results and exit when we reached the
expected size
2024-09-19 13:49:28 +02:00
Zoltan Papp
6f0fd1d1b3
- Increase queue size and drop the overflowed messages ( #2617 )
...
- Explicit close the net.Conn in user space wgProxy when close the wgProxy
- Add extra logs
2024-09-19 13:49:09 +02:00
Zoltan Papp
28cbb4b70f
[client] Cancel the context of wg watcher when the go routine exit ( #2612 )
2024-09-17 12:10:17 +02:00
Zoltan Papp
1104c9c048
[client] Fix race condition while read/write conn status in peer conn ( #2607 )
2024-09-17 11:15:14 +02:00
Maycon Santos
5bc601111d
[relay] Add health check attempt threshold ( #2609 )
...
* Add health check attempt threshold for receiver
* Add health check attempt threshold for sender
2024-09-17 10:04:17 +02:00
Zoltan Papp
b74951f29e
[client] Enforce permissions on Win ( #2568 )
...
Enforce folder permission on Windows, giving only administrators and system access to the NetBird folder.
2024-09-16 22:42:37 +02:00