mirror of
https://github.com/netbirdio/netbird.git
synced 2024-11-29 19:43:57 +01:00
51f133fdc6
* wip: add posture checks structs * add netbird version check * Refactor posture checks and add version checks * Add posture check activities (#1445) * Integrate Endpoints for Posture Checks (#1432) * wip: add posture checks structs * add netbird version check * Refactor posture checks and add version checks * Implement posture and version checks in API models * Refactor API models and enhance posture check functionality * wip: add posture checks endpoints * go mod tidy * Reference the posture checks by id's in policy * Add posture checks management to server * Add posture checks management mocks * implement posture checks handlers * Add posture checks to account copy and fix tests * Refactor posture checks validation * wip: Add posture checks handler tests * Add JSON encoding support to posture checks * Encode posture checks to correct api response object * Refactored posture checks implementation to align with the new API schema * Refactor structure of `Checks` from slice to map * Cleanup * Add posture check activities (#1445) * Revert map to use list of checks * Add posture check activity events * Refactor posture check initialization in account test * Improve the handling of version range in posture check * Fix tests and linter * Remove max_version from NBVersionCheck * Added unit tests for NBVersionCheck * go mod tidy * Extend policy endpoint with posture checks (#1450) * Implement posture and version checks in API models * go mod tidy * Allow attaching posture checks to policy * Update error message for linked posture check on deleting * Refactor PostureCheck and Checks structures * go mod tidy * Add validation for non-existing posture checks * fix unit tests * use Wt version * Remove the enabled field, as posture check will now automatically be activated by default when attaching to a policy * wip: add posture checks structs * add netbird version check * Refactor posture checks and add version checks * Add posture check activities (#1445) * Integrate Endpoints for Posture Checks (#1432) * wip: add posture checks structs * add netbird version check * Refactor posture checks and add version checks * Implement posture and version checks in API models * Refactor API models and enhance posture check functionality * wip: add posture checks endpoints * go mod tidy * Reference the posture checks by id's in policy * Add posture checks management to server * Add posture checks management mocks * implement posture checks handlers * Add posture checks to account copy and fix tests * Refactor posture checks validation * wip: Add posture checks handler tests * Add JSON encoding support to posture checks * Encode posture checks to correct api response object * Refactored posture checks implementation to align with the new API schema * Refactor structure of `Checks` from slice to map * Cleanup * Add posture check activities (#1445) * Revert map to use list of checks * Add posture check activity events * Refactor posture check initialization in account test * Improve the handling of version range in posture check * Fix tests and linter * Remove max_version from NBVersionCheck * Added unit tests for NBVersionCheck * go mod tidy * Extend policy endpoint with posture checks (#1450) * Implement posture and version checks in API models * go mod tidy * Allow attaching posture checks to policy * Update error message for linked posture check on deleting * Refactor PostureCheck and Checks structures * go mod tidy * Add validation for non-existing posture checks * fix unit tests * use Wt version * Remove the enabled field, as posture check will now automatically be activated by default when attaching to a policy * Extend network map generation with posture checks (#1466) * Apply posture checks to network map generation * run policy posture checks on peers to connect * Refactor and streamline policy posture check process for peers to connect. * Add posture checks testing in a network map * Remove redundant nil check in policy.go * Refactor peer validation check in policy.go * Update 'Check' function signature and use logger for version check * Refactor posture checks run on sources and updated the validation func * Update peer validation * fix tests * improved test coverage for policy posture check * Refactoring * Extend NetBird agent to collect kernel version (#1495) * Add KernelVersion field to LoginRequest * Add KernelVersion to system info retrieval * Fix tests * Remove Core field from system info * Replace Core field with new OSVersion field in system info * Added WMI dependency to info_windows.go * Add OS Version posture checks (#1479) * Initial support of Geolocation service (#1491) * Add Geo Location posture check (#1500) * wip: implement geolocation check * add geo location posture checks to posture api * Merge branch 'feature/posture-checks' into geo-posture-check * Remove CityGeoNameID and update required fields in API * Add geoLocation checks to posture checks handler tests * Implement geo location-based checks for peers * Update test values and embed location struct in peer system * add support for country wide checks * initialize country code regex once * Fix peer meta core compability with older clients (#1515) * Refactor extraction of OSVersion in grpcserver * Ignore lint check * Fix peer meta core compability with older management (#1532) * Revert core field deprecation * fix tests * Extend peer meta with location information (#1517) This PR uses the geolocation service to resolve IP to location. The lookup happens once on the first connection - when a client calls the Sync func. The location is stored as part of the peer: * Add Locations endpoints (#1516) * add locations endpoints * Add sqlite3 check and database generation in geolite script * Add SQLite storage for geolocation data * Refactor file existence check into a separate function * Integrate geolocation services into management application * Refactoring * Refactor city retrieval to include Geonames ID * Add signature verification for GeoLite2 database download * Change to in-memory database for geolocation store * Merge manager to geolocation * Update GetAllCountries to return Country name and iso code * fix tests * Add reload to SqliteStore * Add geoname indexes * move db file check to connectDB * Add concurrency safety to SQL queries and database reloading The commit adds mutex locks to the GetAllCountries and GetCitiesByCountry functions to ensure thread-safety during database queries. Additionally, it introduces a mechanism to safely close the old database connection before a new connection is established upon reloading, which improves the reliability of database operations. Lastly, it moves the checking of database file existence to the connectDB function. * Add sha256 sum check to geolocation store before reload * Use read lock * Check SHA256 twice when reload geonames db --------- Co-authored-by: Yury Gargay <yury.gargay@gmail.com> * Add tests and validation for empty peer location in GeoLocationCheck (#1546) * Disallow Geo check creation/update without configured Geo DB (#1548) * Fix shared access to in memory copy of geonames.db (#1550) * Trim suffix in when evaluate Min Kernel Version in OS check * Add Valid Peer Windows Kernel version test * Add Geolocation handler tests (#1556) * Implement user admin checks in posture checks * Add geolocation handler tests * Mark initGeolocationTestData as helper func * Add error handling to geolocation database closure * Add cleanup function to close geolocation resources * Simplify checks definition serialisation (#1555) * Regenerate network map on posture check update (#1563) * change network state and generate map on posture check update * Refactoring * Make city name optional (#1575) * Do not return empty city name * Validate action param of geo location checks (#1577) We only support allow and deny * Switch realip middleware to upstream (#1578) * Be more silent in download-geolite2.sh script * Fix geonames db reload (#1580) * Ensure posture check name uniqueness when create (#1594) * Enhance the management of posture checks (#1595) * add a correct min version and kernel for os posture check example * handle error when geo or location db is nil * expose all peer location details in api response * Check for nil geolocation manager only * Validate posture check before save * bump open api version * add peer location fields to toPeerListItemResponse * Feautre/extend sys meta (#1536) * Collect network addresses * Add Linux sys product info * Fix peer meta comparison * Collect sys info on mac * Add windows sys info * Fix test * Fix test * Fix grpc client * Ignore test * Fix test * Collect IPv6 addresses * Change the IP to IP + net * fix tests * Use netip on server side * Serialize netip to json * Extend Peer metadata with cloud detection (#1552) * add cloud detection + test binary * test windows exe * Collect IPv6 addresses * Change the IP to IP + net * switch to forked cloud detect lib * new test builds * new GCE build * discontinue using library but local copy instead * fix imports * remove openstack check * add hierarchy to cloud check * merge IBM and SoftLayer * close resp bodies and use os lib for file reading * close more resp bodies * fix error check logic * parallelize IBM checks * fix response value * go mod tidy * include context + change kubernetes detection * add context in info functions * extract platform into separate field * fix imports * add missing wmi import --------- Co-authored-by: Zoltan Papp <zoltan.pmail@gmail.com> --------- Co-authored-by: pascal-fischer <32096965+pascal-fischer@users.noreply.github.com> * generate proto * remove test binaries --------- Co-authored-by: bcmmbaga <bethuelmbaga12@gmail.com> Co-authored-by: Yury Gargay <yury.gargay@gmail.com> Co-authored-by: Zoltan Papp <zoltan.pmail@gmail.com>
365 lines
11 KiB
Protocol Buffer
365 lines
11 KiB
Protocol Buffer
syntax = "proto3";
|
|
|
|
import "google/protobuf/timestamp.proto";
|
|
|
|
option go_package = "/proto";
|
|
|
|
package management;
|
|
|
|
service ManagementService {
|
|
|
|
// Login logs in peer. In case server returns codes.PermissionDenied this endpoint can be used to register Peer providing LoginRequest.setupKey
|
|
// Returns encrypted LoginResponse in EncryptedMessage.Body
|
|
rpc Login(EncryptedMessage) returns (EncryptedMessage) {}
|
|
|
|
// Sync enables peer synchronization. Each peer that is connected to this stream will receive updates from the server.
|
|
// For example, if a new peer has been added to an account all other connected peers will receive this peer's Wireguard public key as an update
|
|
// The initial SyncResponse contains all of the available peers so the local state can be refreshed
|
|
// Returns encrypted SyncResponse in EncryptedMessage.Body
|
|
rpc Sync(EncryptedMessage) returns (stream EncryptedMessage) {}
|
|
|
|
// Exposes a Wireguard public key of the Management service.
|
|
// This key is used to support message encryption between client and server
|
|
rpc GetServerKey(Empty) returns (ServerKeyResponse) {}
|
|
|
|
// health check endpoint
|
|
rpc isHealthy(Empty) returns (Empty) {}
|
|
|
|
// Exposes a device authorization flow information
|
|
// This is used for initiating a Oauth 2 device authorization grant flow
|
|
// which will be used by our clients to Login.
|
|
// EncryptedMessage of the request has a body of DeviceAuthorizationFlowRequest.
|
|
// EncryptedMessage of the response has a body of DeviceAuthorizationFlow.
|
|
rpc GetDeviceAuthorizationFlow(EncryptedMessage) returns (EncryptedMessage) {}
|
|
|
|
// Exposes a PKCE authorization code flow information
|
|
// This is used for initiating a Oauth 2 authorization grant flow
|
|
// with Proof Key for Code Exchange (PKCE) which will be used by our clients to Login.
|
|
// EncryptedMessage of the request has a body of PKCEAuthorizationFlowRequest.
|
|
// EncryptedMessage of the response has a body of PKCEAuthorizationFlow.
|
|
rpc GetPKCEAuthorizationFlow(EncryptedMessage) returns (EncryptedMessage) {}
|
|
}
|
|
|
|
message EncryptedMessage {
|
|
// Wireguard public key
|
|
string wgPubKey = 1;
|
|
|
|
// encrypted message Body
|
|
bytes body = 2;
|
|
// Version of the Wiretrustee Management Service protocol
|
|
int32 version = 3;
|
|
}
|
|
|
|
message SyncRequest {}
|
|
|
|
// SyncResponse represents a state that should be applied to the local peer (e.g. Wiretrustee servers config as well as local peer and remote peers configs)
|
|
message SyncResponse {
|
|
|
|
// Global config
|
|
WiretrusteeConfig wiretrusteeConfig = 1;
|
|
|
|
// Deprecated. Use NetworkMap.PeerConfig
|
|
PeerConfig peerConfig = 2;
|
|
|
|
// Deprecated. Use NetworkMap.RemotePeerConfig
|
|
repeated RemotePeerConfig remotePeers = 3;
|
|
|
|
// Indicates whether remotePeers array is empty or not to bypass protobuf null and empty array equality.
|
|
// Deprecated. Use NetworkMap.remotePeersIsEmpty
|
|
bool remotePeersIsEmpty = 4;
|
|
|
|
NetworkMap NetworkMap = 5;
|
|
}
|
|
|
|
message LoginRequest {
|
|
// Pre-authorized setup key (can be empty)
|
|
string setupKey = 1;
|
|
// Meta data of the peer (e.g. name, os_name, os_version,
|
|
PeerSystemMeta meta = 2;
|
|
// SSO token (can be empty)
|
|
string jwtToken = 3;
|
|
// Can be absent for now.
|
|
PeerKeys peerKeys = 4;
|
|
|
|
}
|
|
// PeerKeys is additional peer info like SSH pub key and WireGuard public key.
|
|
// This message is sent on Login or register requests, or when a key rotation has to happen.
|
|
message PeerKeys {
|
|
|
|
// sshPubKey represents a public SSH key of the peer. Can be absent.
|
|
bytes sshPubKey = 1;
|
|
// wgPubKey represents a public WireGuard key of the peer. Can be absent.
|
|
bytes wgPubKey = 2;
|
|
}
|
|
|
|
// PeerSystemMeta is machine meta data like OS and version.
|
|
message PeerSystemMeta {
|
|
string hostname = 1;
|
|
string goOS = 2;
|
|
string kernel = 3;
|
|
string core = 4;
|
|
string platform = 5;
|
|
string OS = 6;
|
|
string wiretrusteeVersion = 7;
|
|
string uiVersion = 8;
|
|
string kernelVersion = 9;
|
|
string OSVersion = 10;
|
|
repeated NetworkAddress networkAddresses = 11;
|
|
string sysSerialNumber = 12;
|
|
string sysProductName = 13;
|
|
string sysManufacturer = 14;
|
|
}
|
|
|
|
message LoginResponse {
|
|
// Global config
|
|
WiretrusteeConfig wiretrusteeConfig = 1;
|
|
// Peer local config
|
|
PeerConfig peerConfig = 2;
|
|
}
|
|
|
|
message ServerKeyResponse {
|
|
// Server's Wireguard public key
|
|
string key = 1;
|
|
// Key expiration timestamp after which the key should be fetched again by the client
|
|
google.protobuf.Timestamp expiresAt = 2;
|
|
// Version of the Wiretrustee Management Service protocol
|
|
int32 version = 3;
|
|
}
|
|
|
|
message Empty {}
|
|
|
|
// WiretrusteeConfig is a common configuration of any Wiretrustee peer. It contains STUN, TURN, Signal and Management servers configurations
|
|
message WiretrusteeConfig {
|
|
// a list of STUN servers
|
|
repeated HostConfig stuns = 1;
|
|
// a list of TURN servers
|
|
repeated ProtectedHostConfig turns = 2;
|
|
|
|
// a Signal server config
|
|
HostConfig signal = 3;
|
|
}
|
|
|
|
// HostConfig describes connection properties of some server (e.g. STUN, Signal, Management)
|
|
message HostConfig {
|
|
// URI of the resource e.g. turns://stun.wiretrustee.com:4430 or signal.wiretrustee.com:10000
|
|
string uri = 1;
|
|
Protocol protocol = 2;
|
|
|
|
enum Protocol {
|
|
UDP = 0;
|
|
TCP = 1;
|
|
HTTP = 2;
|
|
HTTPS = 3;
|
|
DTLS = 4;
|
|
}
|
|
}
|
|
// ProtectedHostConfig is similar to HostConfig but has additional user and password
|
|
// Mostly used for TURN servers
|
|
message ProtectedHostConfig {
|
|
HostConfig hostConfig = 1;
|
|
string user = 2;
|
|
string password = 3;
|
|
}
|
|
|
|
// PeerConfig represents a configuration of a "our" peer.
|
|
// The properties are used to configure local Wireguard
|
|
message PeerConfig {
|
|
// Peer's virtual IP address within the Wiretrustee VPN (a Wireguard address config)
|
|
string address = 1;
|
|
// Wiretrustee DNS server (a Wireguard DNS config)
|
|
string dns = 2;
|
|
|
|
// SSHConfig of the peer.
|
|
SSHConfig sshConfig = 3;
|
|
// Peer fully qualified domain name
|
|
string fqdn = 4;
|
|
}
|
|
|
|
// NetworkMap represents a network state of the peer with the corresponding configuration parameters to establish peer-to-peer connections
|
|
message NetworkMap {
|
|
// Serial is an ID of the network state to be used by clients to order updates.
|
|
// The larger the Serial the newer the configuration.
|
|
// E.g. the client app should keep track of this id locally and discard all the configurations with a lower value
|
|
uint64 Serial = 1;
|
|
|
|
// PeerConfig represents configuration of a peer
|
|
PeerConfig peerConfig = 2;
|
|
|
|
// RemotePeerConfig represents a list of remote peers that the receiver can connect to
|
|
repeated RemotePeerConfig remotePeers = 3;
|
|
|
|
// Indicates whether remotePeers array is empty or not to bypass protobuf null and empty array equality.
|
|
bool remotePeersIsEmpty = 4;
|
|
|
|
// List of routes to be applied
|
|
repeated Route Routes = 5;
|
|
|
|
// DNS config to be applied
|
|
DNSConfig DNSConfig = 6;
|
|
|
|
// RemotePeerConfig represents a list of remote peers that the receiver can connect to
|
|
repeated RemotePeerConfig offlinePeers = 7;
|
|
|
|
// FirewallRule represents a list of firewall rules to be applied to peer
|
|
repeated FirewallRule FirewallRules = 8;
|
|
|
|
// firewallRulesIsEmpty indicates whether FirewallRule array is empty or not to bypass protobuf null and empty array equality.
|
|
bool firewallRulesIsEmpty = 9;
|
|
}
|
|
|
|
// RemotePeerConfig represents a configuration of a remote peer.
|
|
// The properties are used to configure WireGuard Peers sections
|
|
message RemotePeerConfig {
|
|
|
|
// A WireGuard public key of a remote peer
|
|
string wgPubKey = 1;
|
|
|
|
// WireGuard allowed IPs of a remote peer e.g. [10.30.30.1/32]
|
|
repeated string allowedIps = 2;
|
|
|
|
// SSHConfig is a SSH config of the remote peer. SSHConfig.sshPubKey should be ignored because peer knows it's SSH key.
|
|
SSHConfig sshConfig = 3;
|
|
|
|
// Peer fully qualified domain name
|
|
string fqdn = 4;
|
|
|
|
}
|
|
|
|
// SSHConfig represents SSH configurations of a peer.
|
|
message SSHConfig {
|
|
// sshEnabled indicates whether a SSH server is enabled on this peer
|
|
bool sshEnabled = 1;
|
|
|
|
// sshPubKey is a SSH public key of a peer to be added to authorized_hosts.
|
|
// This property should be ignore if SSHConfig comes from PeerConfig.
|
|
bytes sshPubKey = 2;
|
|
}
|
|
|
|
// DeviceAuthorizationFlowRequest empty struct for future expansion
|
|
message DeviceAuthorizationFlowRequest {}
|
|
// DeviceAuthorizationFlow represents Device Authorization Flow information
|
|
// that can be used by the client to login initiate a Oauth 2.0 device authorization grant flow
|
|
// see https://datatracker.ietf.org/doc/html/rfc8628
|
|
message DeviceAuthorizationFlow {
|
|
// An IDP provider , (eg. Auth0)
|
|
provider Provider = 1;
|
|
ProviderConfig ProviderConfig = 2;
|
|
|
|
enum provider {
|
|
HOSTED = 0;
|
|
}
|
|
}
|
|
|
|
// PKCEAuthorizationFlowRequest empty struct for future expansion
|
|
message PKCEAuthorizationFlowRequest {}
|
|
|
|
// PKCEAuthorizationFlow represents Authorization Code Flow information
|
|
// that can be used by the client to login initiate a Oauth 2.0 authorization code grant flow
|
|
// with Proof Key for Code Exchange (PKCE). See https://datatracker.ietf.org/doc/html/rfc7636
|
|
message PKCEAuthorizationFlow {
|
|
ProviderConfig ProviderConfig = 1;
|
|
}
|
|
|
|
// ProviderConfig has all attributes needed to initiate a device/pkce authorization flow
|
|
message ProviderConfig {
|
|
// An IDP application client id
|
|
string ClientID = 1;
|
|
// An IDP application client secret
|
|
string ClientSecret = 2;
|
|
// An IDP API domain
|
|
// Deprecated. Use a DeviceAuthEndpoint and TokenEndpoint
|
|
string Domain = 3;
|
|
// An Audience for validation
|
|
string Audience = 4;
|
|
// DeviceAuthEndpoint is an endpoint to request device authentication code.
|
|
string DeviceAuthEndpoint = 5;
|
|
// TokenEndpoint is an endpoint to request auth token.
|
|
string TokenEndpoint = 6;
|
|
// Scopes provides the scopes to be included in the token request
|
|
string Scope = 7;
|
|
// UseIDToken indicates if the id token should be used for authentication
|
|
bool UseIDToken = 8;
|
|
// AuthorizationEndpoint is the endpoint of an IDP manager where clients can obtain authorization code.
|
|
string AuthorizationEndpoint = 9;
|
|
// RedirectURLs handles authorization code from IDP manager
|
|
repeated string RedirectURLs = 10;
|
|
}
|
|
|
|
// Route represents a route.Route object
|
|
message Route {
|
|
string ID = 1;
|
|
string Network = 2;
|
|
int64 NetworkType = 3;
|
|
string Peer = 4;
|
|
int64 Metric = 5;
|
|
bool Masquerade = 6;
|
|
string NetID = 7;
|
|
}
|
|
|
|
// DNSConfig represents a dns.Update
|
|
message DNSConfig {
|
|
bool ServiceEnable = 1;
|
|
repeated NameServerGroup NameServerGroups = 2;
|
|
repeated CustomZone CustomZones = 3;
|
|
}
|
|
|
|
// CustomZone represents a dns.CustomZone
|
|
message CustomZone {
|
|
string Domain = 1;
|
|
repeated SimpleRecord Records = 2;
|
|
}
|
|
|
|
// SimpleRecord represents a dns.SimpleRecord
|
|
message SimpleRecord {
|
|
string Name = 1;
|
|
int64 Type = 2;
|
|
string Class = 3;
|
|
int64 TTL = 4;
|
|
string RData = 5;
|
|
}
|
|
|
|
// NameServerGroup represents a dns.NameServerGroup
|
|
message NameServerGroup {
|
|
repeated NameServer NameServers = 1;
|
|
bool Primary = 2;
|
|
repeated string Domains = 3;
|
|
bool SearchDomainsEnabled = 4;
|
|
}
|
|
|
|
// NameServer represents a dns.NameServer
|
|
message NameServer {
|
|
string IP = 1;
|
|
int64 NSType = 2;
|
|
int64 Port = 3;
|
|
}
|
|
|
|
// FirewallRule represents a firewall rule
|
|
message FirewallRule {
|
|
string PeerIP = 1;
|
|
direction Direction = 2;
|
|
action Action = 3;
|
|
protocol Protocol = 4;
|
|
string Port = 5;
|
|
|
|
enum direction {
|
|
IN = 0;
|
|
OUT = 1;
|
|
}
|
|
enum action {
|
|
ACCEPT = 0;
|
|
DROP = 1;
|
|
}
|
|
enum protocol {
|
|
UNKNOWN = 0;
|
|
ALL = 1;
|
|
TCP = 2;
|
|
UDP = 3;
|
|
ICMP = 4;
|
|
}
|
|
}
|
|
|
|
message NetworkAddress {
|
|
string netIP = 1;
|
|
string mac = 2;
|
|
}
|