f8fd65a65f
Merge branch 'main' into feature/port-forwarding
2025-02-25 11:37:52 +01:00
77e40f41f2
[management] refactor auth ( #3296 )
2025-02-20 20:24:40 +00:00
8755211a60
Merge branch 'main' into feature/port-forwarding
2025-02-20 11:39:06 +01:00
4cdb2e533a
[management] Refactor users to use store methods ( #2917 )
...
* Refactor setup key handling to use store methods
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* add lock to get account groups
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* add check for regular user
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* get only required groups for auto-group validation
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* add account lock and return auto groups map on validation
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* refactor account peers update
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Refactor groups to use store methods
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* refactor GetGroupByID and add NewGroupNotFoundError
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Add AddPeer and RemovePeer methods to Group struct
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Preserve store engine in SqlStore transactions
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Run groups ops in transaction
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix missing group removed from setup key activity
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix merge
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Refactor posture checks to remove get and save account
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix refactor
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix merge
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix sonar
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Change setup key log level to debug for missing group
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Retrieve modified peers once for group events
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Refactor policy get and save account to use store methods
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Fix tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Add tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Add tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Retrieve policy groups and posture checks once for validation
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Fix typo
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Add policy tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Refactor anyGroupHasPeers to retrieve all groups once
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Refactor dns settings to use store methods
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Add tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Add account locking and merge group deletion methods
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Fix tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Refactor name server groups to use store methods
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Add tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Add peer store methods
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Refactor ephemeral peers
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Add lock for peer store methods
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Refactor peer handlers
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Refactor peer to use store methods
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Fix tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Fix typo
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Add locks and remove log
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* run peer ops in transaction
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* remove duplicate store method
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix peer fields updated after save
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* add tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Use update strength and simplify check
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* prevent changing ruleID when not empty
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* prevent duplicate rules during updates
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix lint
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Refactor auth middleware
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Refactor account methods and mock
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Refactor user and PAT handling
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Remove db query context and fix get user by id
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Fix database transaction locking issue
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Fix tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Use UTC time in test
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Add account locks
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Fix prevent users from creating PATs for other users
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Add tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Add store locks and prevent fetching setup keys peers when retrieving user peers with empty userID
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Add missing tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Refactor test names and remove duplicate TestPostgresql_SavePeerStatus
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Add account locks and remove redundant ephemeral check
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Retrieve all groups for peers and restrict groups for regular users
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Fix merge
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Fix merge
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix merge
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix store tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* use account object to get validated peers
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Fix merge
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Improve peer performance
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Get account direct from store without buffer
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Add get peer groups tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Adjust benchmarks
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Adjust benchmarks
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* [management] Update benchmark workflow (#3181 )
* update local benchmark expectations
* update cloud expectations
* Add status error for generic result error
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Use integrated validator direct
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* update expectations
* update expectations
* update expectations
* Refactor peer scheduler to retry every 3 seconds on errors
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* update expectations
* fix validator
* fix validator
* fix validator
* update timeouts
* Refactor ToGroupsInfo to process slices of groups
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* update expectations
* update expectations
* update expectations
* Bump integrations version
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Refactor GetValidatedPeers
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Fix tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* go mod tidy
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Use peers and groups map for peers validation
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* remove mysql from api benchmark tests
* Fix merge
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Fix blocked db calls on user auto groups update
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Fix tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* update expectations
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* update expectations
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Skip user check for system initiated peer deletion
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Remove context in db calls
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* update expectations
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* [management] Improve group peer/resource counting (#3192 )
* Fix sonar
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Adjust bench expectations
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Rename GetAccountInfoFromPAT to GetTokenInfo
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Fix tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Remove global account lock for ListUsers
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* build userinfo after updating users in db
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* [management] Optimize user bulk deletion (#3315 )
* refactor building user infos
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* fix tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* remove unused code
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Refactor GetUsersFromAccount to return a map of UserInfo instead of a slice
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Export BuildUserInfosForAccount to account manager
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Fetch account user info once for bulk users save
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Update user deletion expectations
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Set max open conns for activity store
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Update bench expectations
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
---------
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
---------
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
Co-authored-by: Pascal Fischer <32096965+pascal-fischer@users.noreply.github.com >
Co-authored-by: Pascal Fischer <pascal@netbird.io >
Co-authored-by: Pedro Costa <550684+pnmcosta@users.noreply.github.com >
2025-02-17 21:43:12 +03:00
a85ea1ddb0
[manager] ingress ports manager support ( #3268 )
...
* add peers manager
* Extend peers manager to support retrieving all peers
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* add network map calc
* move integrations interface
* update management-integrations
* merge main and fix
* go mod tidy
* [management] port forwarding add peer manager fix network map (#3264 )
* [management] fix testing tools (#3265 )
* Fix net.IPv4 conversion to []byte
* update test to check ipv4
---------
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
Co-authored-by: bcmmbaga <bethuelmbaga12@gmail.com >
Co-authored-by: Zoltán Papp <zoltan.pmail@gmail.com >
2025-02-03 09:37:37 +01:00
782e3f8853
[management] Add integration test for the setup-keys API endpoints ( #2936 )
2025-01-02 13:51:01 +01:00
ddc365f7a0
[client, management] Add new network concept ( #3047 )
...
---------
Co-authored-by: Pascal Fischer <32096965+pascal-fischer@users.noreply.github.com >
Co-authored-by: bcmmbaga <bethuelmbaga12@gmail.com >
Co-authored-by: Maycon Santos <mlsmaycon@gmail.com >
Co-authored-by: Zoltan Papp <zoltan.pmail@gmail.com >
2024-12-20 11:30:28 +01:00
6142828a9c
[management] restructure api files ( #3013 )
2024-12-10 15:59:25 +01:00
10480eb52f
[management] Setup key improvements ( #2775 )
2024-10-28 17:52:23 +01:00
16179db599
[management] Propagate metrics ( #2667 )
2024-09-30 22:18:10 +02:00
170e842422
[management] Add accessible peers endpoint ( #2579 )
...
* move accessible peer to separate endpoint in api doc
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* add endpoint to get accessible peers
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* Update management/server/http/api/openapi.yml
Co-authored-by: pascal-fischer <32096965+pascal-fischer@users.noreply.github.com >
* Update management/server/http/api/openapi.yml
Co-authored-by: pascal-fischer <32096965+pascal-fischer@users.noreply.github.com >
* Update management/server/http/peers_handler.go
Co-authored-by: pascal-fischer <32096965+pascal-fischer@users.noreply.github.com >
---------
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
Co-authored-by: pascal-fischer <32096965+pascal-fischer@users.noreply.github.com >
2024-09-12 16:19:27 +03:00
d97b03656f
[management] Refactor HTTP metrics ( #2476 )
...
* Add logging for slow SQL queries in SaveAccount and GetAccount
* Add resource count log for large accounts
* Refactor metrics middleware to simplify counters and histograms
* Update log levels and remove redundant resource count check
2024-08-23 19:42:55 +03:00
765aba2c1c
Add context to throughout the project and update logging ( #2209 )
...
propagate context from all the API calls and log request ID, account ID and peer ID
---------
Co-authored-by: Zoltan Papp <zoltan.pmail@gmail.com >
2024-07-03 11:33:02 +02:00
5204d07811
Pass integrated validator for API ( #1814 )
...
Pass integrated validator for API handler
2024-04-15 12:08:38 +02:00
2d76b058fc
Feature/peer validator ( #1553 )
...
Follow up management-integrations changes
move groups to separated packages to avoid circle dependencies
save location information in Login action
2024-03-27 18:48:48 +01:00
0b3b50c705
Remove deprecated Rules API endpoints ( #1523 )
2024-03-14 21:31:21 +01:00
b7a6cbfaa5
Add account usage logic ( #1567 )
...
---------
Co-authored-by: Yury Gargay <yury.gargay@gmail.com >
2024-02-22 12:27:08 +01:00
9bc7b9e897
Add initial support of device posture checks ( #1540 )
...
This PR implements the following posture checks:
* Agent minimum version allowed
* OS minimum version allowed
* Geo-location based on connection IP
For the geo-based location, we rely on GeoLite2 databases which are free IP geolocation databases. MaxMind was tested and we provide a script that easily allows to download of all necessary files, see infrastructure_files/download-geolite2.sh.
The OpenAPI spec should extensively cover the life cycle of current version posture checks.
2024-02-20 09:59:56 +01:00
cba3c549e9
Add JWT group-based access control for adding new peers ( #1383 )
...
* Added function to check user access by JWT groups in the account management mock server and account manager
* Refactor auth middleware for group-based JWT access control
* Add group-based JWT access control on adding new peer with JWT
* Remove mapping error as the token validation error is already present in grpc error codes
* use GetAccountFromToken to prevent single mode issues
* handle foreground login message
---------
Co-authored-by: Maycon Santos <mlsmaycon@gmail.com >
2023-12-13 13:18:35 +03:00
d275d411aa
Enable JWT group-based user authorization ( #1368 )
...
* Extend management API to support list of allowed JWT groups (#1366 )
* Add JWTAllowGroups settings to account management
* Return an empty group list if jwt allow groups is not set
* Add JwtAllowGroups to account settings in handler test
* Add JWT group-based user authorization (#1373 )
* Add JWTAllowGroups settings to account management
* Return an empty group list if jwt allow groups is not set
* Add JwtAllowGroups to account settings in handler test
* Implement user access validation authentication based on JWT groups
* Remove the slices package import due to compatibility issues with the gitHub workflow(s) Go version
* Refactor auth middleware and test for extracted claim handling
* Optimize JWT group check in auth middleware to cover nil and empty allowed groups
2023-12-11 18:59:15 +03:00
c2eaf8a1c0
Add account deletion endpoint ( #1331 )
...
Adding support to account owners to delete an account
This will remove all users from local, and if --user-delete-from-idp is set it will remove from the remote IDP
2023-11-28 14:23:38 +01:00
e2eef4e3fd
Pass JWT Claims Extractor to Integrations ( #1258 )
2023-10-27 17:18:44 +02:00
87cc53b743
Add management-integrations ( #1227 )
2023-10-17 17:19:47 +02:00
f89c200ce9
Fix api Auth with PAT when a custom UserIDClaim is configured in management.json ( #1120 )
...
The API authentication with PATs was not considering different userIDClaim
that some of the IdPs are using.
In this PR we read the userIDClaim from the config file
instead of using the fixed default and only keep
it as a fallback if none in defined.
2023-09-01 18:09:59 +02:00
bb9f6f6d0a
Add API Endpoint for Resending User Invitations in Auth0 ( #989 )
...
* add request handler for sending invite
* add InviteUser method to account manager interface
* add InviteUser mock
* add invite user endpoint to user handler
* add InviteUserByID to manager interface
* implement InviteUserByID in all idp managers
* resend user invitation
* add invite user handler tests
* refactor
* user userID for sending invitation
* fix typo
* refactor
* pass userId in url params
2023-07-03 12:20:19 +02:00
e3d2b6a408
Block user through HTTP API ( #846 )
...
The new functionality allows blocking a user in the Management service.
Blocked users lose access to the Dashboard, aren't able to modify the network map,
and all of their connected devices disconnect and are set to the "login expired" state.
Technically all above was achieved with the updated PUT /api/users endpoint,
that was extended with the is_blocked field.
2023-05-11 18:09:36 +02:00
59372ee159
API cleanup ( #824 )
...
removed all PATCH endpoints
updated path parameters for all endpoints
removed not implemented endpoints for api doc
minor description updates
2023-05-03 00:15:25 +02:00
6fec0c682e
Merging full service user feature into main ( #819 )
...
Merging full feature branch into main.
Adding full support for service users including backend objects, persistence, verification and api endpoints.
2023-04-22 12:57:51 +02:00
db3a9f0aa2
refactor jwt token validation and add PAT to middleware auth
2023-03-30 10:54:09 +02:00
03abdfa112
return empty object on all handlers instead of empty string
2023-03-29 18:46:40 +02:00
de8608f99f
add rest endpoints and update openapi doc
2023-03-21 16:02:19 +01:00
3bfa26b13b
Feat rego default policy ( #700 )
...
Converts rules to Rego policies and allow users to write raw policies to set up connectivity and firewall on the clients.
2023-03-13 18:14:18 +04:00
60f67076b0
change methods to not link
2023-02-28 18:17:55 +01:00
c645171c40
split api code into smaller pieces
2023-02-28 18:08:02 +01:00
c26cd3b9fe
add comments for constructors and fix typo
2023-02-28 15:46:08 +01:00
9d7b515b26
changed the naming convention for all handling objects and methods to have unified way
2023-02-28 15:27:43 +01:00
f1f90807e4
changed the naming convention for all handling objects and methods to have unified way
2023-02-28 15:01:24 +01:00
fe63a64b6e
Add Account HTTP API ( #691 )
...
Extend HTTP API with Account endpoints to configure global peer login expiration.
GET /api/accounts
PUT /api/account/{id}/
The GET endpoint returns an array of accounts with
always one account in the list. No exceptions.
The PUT endpoint updates account settings:
PeerLoginExpiration and PeerLoginExpirationEnabled.
PeerLoginExpiration is a duration in seconds after which peers' logins will expire.
2023-02-16 12:00:41 +01:00
3ec8274b8e
Feature: add custom id claim ( #667 )
...
This feature allows using the custom claim in the JWT token as a user ID.
Refactor claims extractor with options support
Add is_current to the user API response
2023-02-03 21:47:20 +01:00
12ae2e93fc
Adding DNS settings for accounts ( #655 )
...
Allow users to set groups in which the DNS management is disabled
Added API, activity store, and network map sync test
2023-01-17 17:34:40 +01:00
5c0b8a46f0
Add system activity tracking and event store ( #636 )
...
This PR adds system activity tracking.
The management service records events like
add/remove peer, group, rule, route, etc.
The activity events are stored in the SQLite event store
and can be queried by the HTTP API.
2023-01-02 15:11:32 +01:00
6aa7a2c5e1
Hide setup key from non-admin users ( #539 )
2022-11-03 17:02:31 +01:00
d2cde4a040
Add IdP metrics ( #521 )
2022-10-22 13:29:39 +02:00
84879a356b
Extract app metrics to a separate struct ( #520 )
2022-10-22 11:50:21 +02:00
4f1f0df7d2
Add Open-telemetry support ( #517 )
...
This PR brings open-telemetry metrics to the
Management service.
The Management service exposes new HTTP endpoint
/metrics on 8081 port by default.
The port can be changed by specifying
--metrics-port PORT flag when starting the service.
2022-10-21 16:24:13 +02:00
06055af361
Super user invites ( #483 )
...
This PR brings user invites logic to the Management service
via HTTP API.
The POST /users/ API endpoint creates a new user in the Idp
and then in the local storage.
Once the invited user signs ups, the account invitation is redeemed.
There are a few limitations.
This works only with an enabled IdP manager.
Users that already have a registered account can't be invited.
2022-10-13 18:26:31 +02:00
b4e03f4616
Feature/add nameservers API endpoint ( #491 )
...
Add nameservers endpoint and Open API definition
updated open api generator cli
2022-10-10 11:06:54 +02:00
518a2561a2
Add auto-assign groups to the User API ( #467 )
2022-09-22 09:06:32 +02:00
be7d829858
Add SetupKey auto-groups property ( #460 )
2022-09-11 23:16:40 +02:00
000ea72aec
Add routing Rest API support ( #428 )
...
Routing API will allow us to list, create, update, and delete routes.
2022-08-20 19:11:54 +02:00
