Enhance the user experience by enabling authentication to Netbird using Single Sign-On (SSO) with any Identity Provider (IDP) provider. Current client offers this capability through the Device Authorization Flow, however, is not widely supported by many IDPs, and even some that do support it do not provide a complete verification URL.
To address these challenges, this pull request enable Authorization Code Flow with Proof Key for Code Exchange (PKCE) for client logins, which is a more widely adopted and secure approach to facilitate SSO with various IDP providers.
* Extend protocol and firewall manager to handle old management
* Send correct empty firewall rules list when delete peer
* Add extra tests for firewall manager and uspfilter
* Work with inconsistent state
* Review note
* Update comment
Some IDP requires different scope requests and
issue access tokens for different purposes
This change allow for remote configurable scopes
and the use of ID token
The peer login expiration ACL check introduced in #714
filters out peers that are expired and agents receive a network map
without that expired peers.
However, the agents should see those peers in status "Disconnected".
This PR extends the Agent <-> Management protocol
by introducing a new field OfflinePeers
that contain expired peers. Agents keep track of those and display
then just in the Status response.
Use stdout and stderr log path only if on Linux and attempt to create the path
Update status system with FQDN fields and
status command to display the domain names of remote and local peers
Set some DNS logs to tracing
update readme file
Added DNS update protocol message
Added sync to clients
Update nameserver API with new fields
Added default NS groups
Added new dns-name flag for the management service append to peer DNS label
Support Generic OAuth 2.0 Device Authorization Grant
as per RFC specification https://www.rfc-editor.org/rfc/rfc8628.
The previous version supported only Auth0 as an IDP backend.
This implementation enables the Interactive SSO Login feature
for any IDP compatible with the specification, e.g., Keycloak.
This PR adds support for SSH access through the NetBird network
without managing SSH skeys.
NetBird client app has an embedded SSH server (Linux/Mac only)
and a netbird ssh command.
Send Desktop UI client version as user-agent to daemon
This is sent on every login request to the management
Parse the GRPC context on the system package and
retrieves the user-agent
Management receives the new UIVersion field and
store in the Peer's system meta
The management will validate the JWT as it does in the API
and will register the Peer to the user's account.
New fields were added to grpc messages in management
and client daemon and its clients were updated
Peer has one new field, UserID,
that will hold the id of the user that registered it
JWT middleware CheckJWT got a splitter
and renamed to support validation for non HTTP requests
Added test for adding new Peer with UserID
Lots of tests update because of a new field
* feature: introduce NetworkMap to the management protocol with a Serial ID
* test: add Management Sync method protocol test
* test: add Management Sync method NetworkMap field check [FAILING]
* test: add Management Sync method NetworkMap field check [FAILING]
* feature: fill NetworkMap property to when Deleting peer
* feature: fill NetworkMap in the Sync protocol
* test: code review mentions - GeneratePrivateKey() in the test
* fix: wiretrustee client use wireguard GeneratePrivateKey() instead of GenerateKey()
* test: add NetworkMap test
* fix: management_proto test remove store.json on test finish
* feature: add peer GET and DELETE API methods
* refactor: extract peer business logic to a separate file
* refactor: extract peer business logic to a separate file
* feature: add peer update HTTP endpoint
* chore: fill peer new fields
* merge with main
* refactor: HTTP methods according to standards
* feature: add peer system metadata
* feature: add peer status
* test: fix removal
* feature: replace RegisterPeer with Login method that does both - registration and login
* test: add management login test
* feature: add WiretrusteeConfig to the Login response to configure peer global config
* feature: add client peer login support
* fix: missing parts
* chore: update go deps
* feature: support Management Service gRPC endpoints [CLIENT]
* feature: finalize client sync with management
* fix: management store peer key lower case restore
* fix: management returns peer ip without a mask
* refactor: remove cmd pkg
* fix: invalid tun interface name on mac
* fix: timeout when calling management client
* fix: tests and lint errors
* fix: golang-test workflow
* fix: client service tests
* fix: iface build
* feature: detect management scheme on startup
* chore: better logs for management
* fix: goreleaser
* fix: lint errors
* fix: signal TLS
* fix: direct Wireguard connection
* chore: verbose logging on direct connection
* feature: add config properties to the SyncResponse of the management gRpc service
* fix: lint errors
* chore: modify management protocol according to the review notes
* fix: management proto fields sequence
* feature: add proper peer configuration to be synced
* chore: minor changes
* feature: finalize peer config management
* fix: lint errors
* feature: add management server config file
* refactor: extract hosts-config to a separate file
* refactor: review notes applied to correct file_store usage
* refactor: extract management service configuration to a file
* refactor: simplify management config
* feature: add peer sync and a server public key endpoints
* test: add Management.Sync() gRpc endpoint test
* feat: implement peer sync
* docs: added some comments to the Management server
* chore: use for loop over channel when monitoring peer updates
* fix: exit infinite loop when sending updates to peers
* test: add multiple concurrent peers test for management service
* chore: remove unused test
* fix: reduce the amount peers for a concurrent peer update test
Co-authored-by: braginini <m.bragin@wiretrustee.com>