Merge branch 'main' into nmap/cleanup

management/server/types/account.go

@@ -650,8 +650,8 @@ func (a *Account) Copy() *Account {
 	}
 
 	services := []*service.Service{}
-	for _, service := range a.Services {
-		services = append(services, service.Copy())
+	for _, svc := range a.Services {
+		services = append(services, svc.Copy())
 	}
 
 	return &Account{
@@ -1218,12 +1218,12 @@ func (a *Account) GetPoliciesForNetworkResource(resourceId string) []*Policy {
 	networkResourceGroups := a.getNetworkResourceGroups(resourceId)
 
 	for _, policy := range a.Policies {
-		if !policy.Enabled {
+		if policy == nil || !policy.Enabled {
 			continue
 		}
 
 		for _, rule := range policy.Rules {
-			if !rule.Enabled {
+			if rule == nil || !rule.Enabled {
 				continue
 			}
 
@@ -1409,15 +1409,18 @@ func (a *Account) InjectProxyPolicies(ctx context.Context) {
 		}
 		a.injectServiceProxyPolicies(ctx, service, proxyPeersByCluster)
 	}
+
 }
 
 func (a *Account) injectServiceProxyPolicies(ctx context.Context, service *service.Service, proxyPeersByCluster map[string][]*nbpeer.Peer) {
+	proxyPeers := proxyPeersByCluster[service.ProxyCluster]
 	for _, target := range service.Targets {
 		if !target.Enabled {
 			continue
 		}
-		a.injectTargetProxyPolicies(ctx, service, target, proxyPeersByCluster[service.ProxyCluster])
+		a.injectTargetProxyPolicies(ctx, service, target, proxyPeers)
 	}
+
 }
 
 func (a *Account) injectTargetProxyPolicies(ctx context.Context, service *service.Service, target *service.Target, proxyPeers []*nbpeer.Peer) {
@@ -1437,13 +1440,13 @@ func (a *Account) injectTargetProxyPolicies(ctx context.Context, service *servic
 	}
 }
 
-func (a *Account) resolveTargetPort(ctx context.Context, target *service.Target) (int, bool) {
+func (a *Account) resolveTargetPort(ctx context.Context, target *service.Target) (uint16, bool) {
 	if target.Port != 0 {
 		return target.Port, true
 	}
 
 	switch target.Protocol {
-	case "https":
+	case "https", "tls":
 		return 443, true
 	case "http":
 		return 80, true
@@ -1453,17 +1456,23 @@ func (a *Account) resolveTargetPort(ctx context.Context, target *service.Target)
 	}
 }
 
-func (a *Account) createProxyPolicy(service *service.Service, target *service.Target, proxyPeer *nbpeer.Peer, port int, path string) *Policy {
-	policyID := fmt.Sprintf("proxy-access-%s-%s-%s", service.ID, proxyPeer.ID, path)
+func (a *Account) createProxyPolicy(svc *service.Service, target *service.Target, proxyPeer *nbpeer.Peer, port uint16, path string) *Policy {
+	policyID := fmt.Sprintf("proxy-access-%s-%s-%s", svc.ID, proxyPeer.ID, path)
+
+	protocol := PolicyRuleProtocolTCP
+	if svc.Mode == service.ModeUDP {
+		protocol = PolicyRuleProtocolUDP
+	}
+
 	return &Policy{
 		ID:      policyID,
-		Name:    fmt.Sprintf("Proxy Access to %s", service.Name),
+		Name:    fmt.Sprintf("Proxy Access to %s", svc.Name),
 		Enabled: true,
 		Rules: []*PolicyRule{
 			{
 				ID:       policyID,
 				PolicyID: policyID,
-				Name:     fmt.Sprintf("Allow access to %s", service.Name),
+				Name:     fmt.Sprintf("Allow access to %s", svc.Name),
 				Enabled:  true,
 				SourceResource: Resource{
 					ID:   proxyPeer.ID,
@@ -1474,12 +1483,12 @@ func (a *Account) createProxyPolicy(service *service.Service, target *service.Ta
 					Type: ResourceType(target.TargetType),
 				},
 				Bidirectional: false,
-				Protocol:      PolicyRuleProtocolTCP,
+				Protocol:      protocol,
 				Action:        PolicyTrafficActionAccept,
 				PortRanges: []RulePortRange{
 					{
-						Start: uint16(port),
-						End:   uint16(port),
+						Start: port,
+						End:   port,
 					},
 				},
 			},

management/server/types/account_test.go

@@ -81,6 +81,12 @@ func setupTestAccount() *Account {
 			},
 		},
 		Groups: map[string]*Group{
+			"groupAll": {
+				ID:    "groupAll",
+				Name:  "All",
+				Peers: []string{"peer1", "peer2", "peer3", "peer11", "peer12", "peer21", "peer31", "peer32", "peer41", "peer51", "peer61"},
+				Issued: GroupIssuedAPI,
+			},
 			"group1": {
 				ID:    "group1",
 				Peers: []string{"peer11", "peer12"},

management/server/types/network.go

@@ -152,6 +152,8 @@ func (n *Network) CurrentSerial() uint64 {
 }
 
 func (n *Network) Copy() *Network {
+	n.Mu.Lock()
+	defer n.Mu.Unlock()
 	return &Network{
 		Identifier: n.Identifier,
 		Net:        n.Net,

management/server/types/settings.go

@@ -61,6 +61,10 @@ type Settings struct {
 	// AutoUpdateVersion client auto-update version
 	AutoUpdateVersion string `gorm:"default:'disabled'"`
 
+	// AutoUpdateAlways when true, updates are installed automatically in the background;
+	// when false, updates require user interaction from the UI
+	AutoUpdateAlways bool `gorm:"default:false"`
+
 	// EmbeddedIdpEnabled indicates if the embedded identity provider is enabled.
 	// This is a runtime-only field, not stored in the database.
 	EmbeddedIdpEnabled bool `gorm:"-"`
@@ -91,6 +95,7 @@ func (s *Settings) Copy() *Settings {
 		DNSDomain:                       s.DNSDomain,
 		NetworkRange:                    s.NetworkRange,
 		AutoUpdateVersion:               s.AutoUpdateVersion,
+		AutoUpdateAlways:                s.AutoUpdateAlways,
 		EmbeddedIdpEnabled:              s.EmbeddedIdpEnabled,
 		LocalAuthDisabled:               s.LocalAuthDisabled,
 	}