* feat: api access tokens
* revoke all user tokens
* redefine access token api routes, add auto egress option to enrollment keys
* add server settings apis, add db table for settigs
* handle server settings updates
* switch to using settings from DB
* fix sever settings migration
* revet force migration for settings
* fix server settings database write
* egress model
* fix revoked tokens to be unauthorized
* update egress model
* remove unused functions
* convert access token to sql schema
* switch access token to sql schema
* fix merge conflicts
* fix server settings types
* bypass basic auth setting for super admin
* add TODO comment
* setup api handlers for egress revamp
* use single DB, fix update nat boolean field
* extend validaiton checks for egress ranges
* add migration to convert to new egress model
* fix panic interface conversion
* publish peer update on settings update
* revoke token generated by an user
* add user token creation restriction by user role
* add forbidden check for access token creation
* revoke user token when group or role is changed
* add default group to admin users on update
* chore(go): import style changes from migration branch;
1. Singular file names for table schema.
2. No table name method.
3. Use .Model instead of .Table.
4. No unnecessary tagging.
* remove nat check on egress gateway request
* Revert "remove nat check on egress gateway request"
This reverts commit 0aff12a189.
* remove nat check on egress gateway request
* feat(go): add db middleware;
* feat(go): restore method;
* feat(go): add user access token schema;
* add inet gw status to egress model
* fetch node ids in the tag, add inet gw info clients
* add inet gw info to node from egress list
* add migration logic internet gws
* create default acl policies
* add egress info
* add egress TODO
* add egress TODO
* fix user auth api:
* add reference id to acl policy
* add egress response from DB
* publish peer update on egress changes
* re initalise oauth and email config
* set verbosity
* normalise cidr on egress req
* add egress id to acl group
* change acls to use egress id
* resolve merge conflicts
* fix egress reference errors
* move egress model to schema
* add api context to DB
* sync auto update settings with hosts
* sync auto update settings with hosts
* check acl for egress node
* check for egress policy in the acl dst groups
* fix acl rules for egress policies with new models
* add status to egress model
* fix inet node func
* mask secret and convert jwt duration to minutes
* enable egress policies on creation
* convert jwt duration to minutes
* add relevant ranges to inet egress
* skip non active egress routes
* resolve merge conflicts
* fix static check
* update gorm tag for primary key on egress model
* create user policies for egress resources
* resolve merge conflicts
* get egress info on failover apis, add egress src validation for inet gws
* add additional validation checks on egress req
* add additional validation checks on egress req
* skip all resources for inet policy
* delete associated egress acl policies
* fix failover of inetclient
* avoid setting inet client asd inet gw
* fix all resource egress policy
* fix inet gw egress rule
* check for node egress on relay req
* fix egress acl rules comms
* add new field for egress info on node
* check acl policy in failover ctx
* avoid default host to be set as inet client
* fix relayed egress node
* add valid error messaging for egress validate func
* return if inet default host
* jump port detection to 51821
* check host ports on pull
* check user access gws via acls
* add validation check for default host and failover for inet clients
* add error messaging for acl policy check
* fix inet gw status
* ignore failover req for peer using inet gw
* check for allowed egress ranges for a peer
* add egress routes to static nodes by access
* avoid setting failvoer as inet client
* fix egress error messaging
* fix extclients egress comms
* fix inet gw acting as inet client
* return formatted error on update acl validation
* add default route for static nodes on inetclient
* check relay node acting as inetclient
* move inet node info to separate field, fix all resouces policy
* remove debug logs
---------
Co-authored-by: Vishal Dalwadi <dalwadivishal26@gmail.com>
* feat: api access tokens
* revoke all user tokens
* redefine access token api routes, add auto egress option to enrollment keys
* fix revoked tokens to be unauthorized
* remove unused functions
* convert access token to sql schema
* switch access token to sql schema
* revoke token generated by an user
* add user token creation restriction by user role
* add forbidden check for access token creation
* revoke user token when group or role is changed
* add default group to admin users on update
* fix token removal on user update
* fix token removal on user update
* set default metrics port 8889
* set default metrics port 51821
* add metrics port to server config
* bind caddy only on tcp
* add var for pulling files
* add new line
* update peer update model
* check if port is not zero
* set replace peer to false on pull
* do not replace peers on failover sync
* remove debug log
* add old peer update fields for backwards compatibility
* add old json tag
* add debug log in caller trace func
* add switch for manage dns
* manage DNS sync publish
* add dns sync api
* add manageDNS field in peerUpdate
* add default dns for extClent if manage dns enabled
* add DEFAULT_DOMAIN for internal DNS lookup
* move DNSSync to peerUpdate
* fix empty host in network issue
* sync up dns when custom dns add/delete
* fix custom DNS ip4/ipv6 validator issue
* ipv6 fix for mobile apps
* simplified RAC APIs
* add response to invite api
* fix get config api
* fix middleware for auth
* add separate controller for rac apis
* Revert "ipv6 fix for mobile apps"
This reverts commit dc84d90be2.
* add ingresspersistentkeepalive and ingressmtu for extClient/RAC config
* add ingressmtu and PKA in api response
* add pka and mtu in api/nodes PUT call
* add default value for PKA and mtu for extClients
* user mgmt models
* define user roles
* define models for new user mgmt and groups
* oauth debug log
* initialize user role after db conn
* print oauth token in debug log
* user roles CRUD apis
* user groups CRUD Apis
* additional api checks
* add additional scopes
* add additional scopes url
* add additional scopes url
* rm additional scopes url
* setup middlleware permission checks
* integrate permission check into middleware
* integrate permission check into middleware
* check for headers for subjects
* refactor user role models
* refactor user groups models
* add new user to pending user via RAC login
* untracked
* allow multiple groups for an user
* change json tag
* add debug headers
* refer network controls form roles, add debug headers
* refer network controls form roles, add debug headers
* replace auth checks, add network id to role model
* nodes handler
* migration funcs
* invoke sync users migration func
* add debug logs
* comment middleware
* fix get all nodes api
* add debug logs
* fix middleware error nil check
* add new func to get username from jwt
* fix jwt parsing
* abort on error
* allow multiple network roles
* allow multiple network roles
* add migration func
* return err if jwt parsing fails
* set global check to true when accessing user apis
* set netid for acls api calls
* set netid for acls api calls
* update role and groups routes
* add validation checks
* add invite flow apis and magic links
* add invited user via oauth signup automatically
* create invited user on oauth signup, with groups in the invite
* add group validation for user invite
* update create user handler with new role mgmt
* add validation checks
* create user invites tables
* add error logging for email invite
* fix invite singup url
* debug log
* get query params from url
* get query params from url
* add query escape
* debug log
* debug log
* fix user signup via invite api
* set admin field for backward compatbility
* use new role id for user apis
* deprecate use of old admin fields
* deprecate usage of old user fields
* add user role as service user if empty
* setup email sender
* delete invite after user singup
* add plaform user role
* redirect on invite verification link
* fix invite redirect
* temporary redirect
* fix invite redirect
* point invite link to frontend
* fix query params lookup
* add resend support, configure email interface types
* fix groups and user creation
* validate user groups, add check for metrics api in middleware
* add invite url to invite model
* migrate rac apis to new user mgmt
* handle network nodes
* add platform user to default role
* fix user role migration
* add default on rag creation and cleanup after deletion
* fix rac apis
* change to invite code param
* filter nodes and hosts based on user network access
* extend create user group req to accomodate users
* filter network based on user access
* format oauth error
* move user roles and groups
* fix get user v1 api
* move user mgmt func to pro
* add user auth type to user model
* fix roles init
* remove platform role from group object
* list only platform roles
* add network roles to invite req
* create default groups and roles
* fix middleware for global access
* create default role
* fix nodes filter with global network roles
* block selfupdate of groups and network roles
* delete netID if net roles are empty
* validate user roles nd groups on update
* set extclient permission scope when rag vpn access is set
* allow deletion of roles and groups
* replace _ with - in role naming convention
* fix failover middleware mgmt
* format oauth templates
* fetch route temaplate
* return err if user wrong login type
* check user groups on rac apis
* fix rac apis
* fix resp msg
* add validation checks for admin invite
* return oauth type
* format group err msg
* fix html tag
* clean up default groups
* create default rag role
* add UI name to roles
* remove default net group from user when deleted
* reorder migration funcs
* fix duplicacy of hosts
* check old field for migration
* from pro to ce make all secondary users admins
* from pro to ce make all secondary users admins
* revert: from pro to ce make all secondary users admins
* make sure downgrades work
* fix pending users approval
* fix duplicate hosts
* fix duplicate hosts entries
* fix cache reference issue
* feat: configure FRONTEND_URL during installation
* disable user vpn access when network roles are modified
* rm vpn acces when roles or groups are deleted
* add http to frontend url
* revert crypto version
* downgrade crytpo version
* add platform id check on user invites
---------
Co-authored-by: the_aceix <aceixsmartx@gmail.com>
* add api to check if failover node existed
* remove 5 minute peerUpdate
* update peerUpdate to trigger pull
* update Action name to SignalPull
* revert the peerUpdate from SignalPull
* fix getfailover error issue
* rm acls creation for on-prem emqx
* remove use of acls
* add additional broker status field on status api
* NET-1165: Remove creation of acls on emqx (#2996)
* rm acls creation for on-prem emqx
* remove use of acls
* add additional broker status field on status api
* comment out mq reconnect logic
* configure mq conn params
* add metric_interval in ENV for publishing metrics
* add metric_interval in ENV for publishing metrics
* update PUBLISH_METRIC_INTERVAL env name
* revert the mq setttings back
* fix error nil issue
---------
Co-authored-by: abhishek9686 <abhi281342@gmail.com>
Co-authored-by: Abhishek K <32607604+abhishek9686@users.noreply.github.com>
* internet gws apis
* add validate check for inet request
* add default gw changes to peer update
* update json tag
* add OS checks for inet gws
* add set defaul gw pro func
* allow disable and enable inet gw
* add inet handlers to pro
* add fields to api node
* add inet allowed ips
* add default gw to pull
* unset node inet details on deletion
* unset internet gw on network nodes
* unset inet gw fix
* unset inet gw fix
* send default gw ip
* fix inet node endpoint
* add default gw endpoint ip to pull resp
* validate after unset gws
* add inet client peer allowedips to inet node
* validate after unset gws
* fix allowed ips for inet peer and gw node
* fix allowed ips for inet peer and gw node
* fix allowed ips for inet peer and gw node
* fix allowed ips for inet peer and gw node
* fix inet gw and relayed conflict
* fix inet gw and relayed conflict
* fix update req
* fix update inet gw api
* when inet gw is peer ignore other allowedIps
* test relay
* revert test relay
* revert inet peer update changes
* channel internet traffic of relayed node to relay's inetgw
* channel internet traffic of relayed node to relay's inetgw
* channel internet traffic of relayed node to relay's inetgw
* add check for relayed node
* add inet info to peer update
* add inet info to peer update
* fix update node to persist inet info
* fix go tests
* egress ranges with inet gw fix
* egress ranges with inet gw fix
* disallow node acting using inet gw to act as inet gw
* add check to validate inet gw
* fix typos
* add firewall check
* set inetgw on ingress req on community
* set inetgw to false on community on ingress del
* NET-655
* Updated HostPull structure to include EgressRoutes and FirewallUpdate models.
* added ServerVersion structure to hostpull model
* added ServerVersion structure to hostpull model
* removed ServerVersion structure
* removed ServerVersion structure
* added egressroute and fwupdate to hostpull handler
* add host update fallback handler
* set broker type on server cfg
* use actual host password to create emqx user
---------
Co-authored-by: Christopher Blaha <crispspiceguitar@gmail.com>
Co-authored-by: Abhishek Kondur <abhi281342@gmail.com>
* add internet gateway to client gateway
* migration func to remove internet egress range from egress gateway
* add internet gateways ranges to firewall update
* add internet gw ranges to extcleint conf
* add ipv6 internet address
* remove failover field from ingress req
* only let normal to be created on PRO (#2716)
* feat(NET-805): send internet gw props to rac
* set inet gw field on node update api
* move internet gws to EE
---------
Co-authored-by: the_aceix <aceixsmartx@gmail.com>
* feat(NET-584): wip: session mgmt for RAC
* feat(NET-584): session mgmt for RAC
* feat(NET-584): session mgmt for RAC
* feat(NET-584): session mgmt for RAC
* feat(NET-584): session mgmt for RAC
* feat(NET-584): session mgmt for RAC
* feat(NET-584): session mgmt for RAC
* feat(NET-584): session mgmt for RAC
* feat(NET-584): only enable if client is disabled
* feat(NET-584): check only for normal users
* feat(NET-584): fix condition
* add superadmin role, apis to create superadmin user
* apis to attach and remove user from remote access gateways
* add api to list user's remote client has gateway clients
* remove code related user groups
* remove networks and groups from user model
* refactor user CRUD operations
* fix network permission test
* add superadmin to authorize func
* remove user network and groups from cli
* api to transfer superadmin role
* add api to list users on a ingress gw
* restrict user access to resources on server
* deny request from remote access client if extclient is already created
* fix user tests
* fix static checks
* fix static checks
* add limits to extclient create handler
* set username to superadmin on if masterkey is used
* allow creation of extclients using masterkey
* add migration func to assign superadmin role for existing admin user
* check for superadmin on migration if users are present
* allowe masterkey to extcleint apis
* check ownerid
* format error, on jwt token verification failure return unauthorized rather than forbidden
* user update fix
* move user remote functionality to ee
* fix update user api
* security patch
* initalise ee user handlers
* allow user to use master key to update any user
* use slog
* fix auth user test
* table headers
* remove user role, it's covered in middleware
* setuser defaults fix
* Move ee code to ee package and unify ee status to IsPro
* Consolidate naming for paid/professional/enterprise version as "pro". Notes:
- Changes image tags
- Changes build tags
- Changes package names
- Doesn't change links to docs that mention "ee"
- Doesn't change parameters sent to PostHog that mention "ee"
* Revert docker image tag being -pro, back to -ee
* Revert go build tag being pro, back to ee
* Add build tags for some ee content
* [2] Revert go build tag being pro, back to ee
* Fix test workflow
* Add a json tag to be backwards compatible with frontend "IsEE" check
* Add a json tag for the serverconfig struct for IsEE
* Ammend json tag to Is_EE
* fix ee tags
---------
Co-authored-by: Abhishek Kondur <abhi281342@gmail.com>
* model changes
* additional fields for extclient create
* add DNS to extclient config
* extclient name checks
* update extclient
* nmctl extclient
* final tweaks
* review comments
* add extclientdns to node on ingress creation
* fix to add ingress dns to api (#2296)
---------
Co-authored-by: Aceix <aceixsmartX@gmail.com>
