netbird

mirror of https://github.com/netbirdio/netbird.git synced 2026-04-18 00:06:38 +00:00

Author	SHA1	Message	Date
Viktor Liu	9554934b92	Validate trusted proxies in OAuth callback getClientIP	2026-02-12 22:06:29 +08:00
pascal	ee2ae45653	add permissions validation to domain manager	2026-02-12 14:31:23 +01:00
mlsmaycon	778c223176	fix api handler path	2026-02-09 02:30:06 +01:00
mlsmaycon	09a1d5a02d	rename endpoint	2026-02-09 01:48:51 +01:00
Viktor Liu	dc26a5a436	Merge branch 'main' into prototype/reverse-proxy	2026-02-08 17:50:16 +08:00
pascal	0e00f1c8f7	Merge remote-tracking branch 'origin/prototype/reverse-proxy-clusters' into prototype/reverse-proxy # Conflicts: # management/internals/modules/reverseproxy/manager/manager.go # management/internals/modules/reverseproxy/reverseproxy.go # management/internals/server/modules.go # management/internals/shared/grpc/proxy.go # management/server/http/handler.go # management/server/http/testing/testing_tools/channel/channel.go	2026-02-05 15:19:57 +01:00
mlsmaycon	5ccce1ab3f	add debug logging for proxy connections and domain resolution - Log proxy address and cluster info when proxy connects - Log connected proxy URLs when GetConnectedProxyURLs is called - Log proxy allow list when GetDomains is called - Helps debug issues with free domains not appearing in API response	2026-02-05 02:18:38 +01:00
Alisdair MacLeod	562923c600	management OIDC implementation using pkce	2026-02-04 11:51:46 +00:00
mlsmaycon	4d89ae27ef	add clusters logic	2026-02-04 02:16:57 +01:00
Pascal Fischer	6fdc00ff41	[management] adding account id validation to accessible peers handler (#5246 )	2026-02-03 17:30:02 +01:00
Misha Bragin	3a0cf230a1	Disable local users for a smooth single-idp mode (#5226 ) Add LocalAuthDisabled option to embedded IdP configuration This adds the ability to disable local (email/password) authentication when using the embedded Dex identity provider. When disabled, users can only authenticate via external identity providers (Google, OIDC, etc.). This simplifies user login when there is only one external IdP configured. The login page will redirect directly to the IdP login page. Key changes: Added LocalAuthDisabled field to EmbeddedIdPConfig Added methods to check and toggle local auth: IsLocalAuthEnabled, HasNonLocalConnectors, DisableLocalAuth, EnableLocalAuth Validation prevents disabling local auth if no external connectors are configured Existing local users are preserved when disabled and can login again when re-enabled Operations are idempotent (disabling already disabled is a no-op)	2026-02-01 14:26:22 +01:00
pascal	8e0b7b6c25	add api for access log events	2026-01-29 14:27:57 +01:00
Alisdair MacLeod	50f42caf94	connect api to store and manager for domains	2026-01-27 15:43:54 +00:00
pascal	b7eeefc102	send proxy mapping updates	2026-01-27 16:34:00 +01:00
pascal	8dd22f3a4f	move to reverse proxy and update api	2026-01-27 15:34:01 +01:00
pascal	b71e2860cf	Merge branch 'refs/heads/main' into prototype/reverse-proxy # Conflicts: # management/server/activity/codes.go # management/server/http/handler.go # management/server/store/sql_store.go # management/server/store/store.go # shared/management/http/api/openapi.yml # shared/management/http/api/types.gen.go # shared/management/proto/management.pb.go	2026-01-27 15:21:55 +01:00
Misha Bragin	7d791620a6	Add user invite link feature for embedded IdP (#5157 )	2026-01-27 09:42:20 +01:00
pascal	2851e38a1f	add management API to store	2026-01-16 16:16:29 +01:00
Bethuel Mmbaga	067c77e49e	[management] Add custom dns zones (#4849 )	2026-01-16 12:12:05 +03:00
Misha Bragin	e586c20e36	[management, infrastructure, idp] Simplified IdP Management - Embedded IdP (#5008 ) Embed Dex as a built-in IdP to simplify self-hosting setup. Adds an embedded OIDC Identity Provider (Dex) with local user management and optional external IdP connectors (Google/GitHub/OIDC/SAML), plus device-auth flow for CLI login. Introduces instance onboarding/setup endpoints (including owner creation), field-level encryption for sensitive user data, a streamlined self-hosting provisioning script, and expanded APIs + test coverage for IdP management. more at https://github.com/netbirdio/netbird/pull/5008#issuecomment-3718987393	2026-01-07 14:52:32 +01:00
Pascal Fischer	a232cf614c	[management] record pat usage metrics (#4888 )	2025-12-02 18:31:59 +01:00
Pascal Fischer	7193bd2da7	[management] Refactor network map controller (#4789 )	2025-12-02 12:34:28 +01:00
Pascal Fischer	cc97cffff1	[management] move network map logic into new design (#4774 )	2025-11-13 12:09:46 +01:00
Pascal Fischer	48475ddc05	[management] add pat rate limiting (#4741 )	2025-11-07 15:50:18 +01:00
Pascal Fischer	986eb8c1e0	[management] fix lastLogin on dashboard (#3725 )	2025-04-23 15:54:49 +02:00
Pedro Maia Costa	4134b857b4	[management] add permissions manager to geolocation handler (#3665 )	2025-04-14 17:57:58 +01:00
Pedro Maia Costa	fd2a21c65d	[management] remove unnecessary access control middleware (#3650 )	2025-04-11 10:43:59 +01:00
Maycon Santos	c02e236196	[client,management] add netflow support to client and update management (#3414 ) adds NetFlow functionality to track and log network traffic information between peers, with features including: - Flow logging for TCP, UDP, and ICMP traffic - Integration with connection tracking system - Resource ID tracking in NetFlow events - DNS and exit node collection configuration - Flow API and Redis cache in management - Memory-based flow storage implementation - Kernel conntrack counters and userspace counters - TCP state machine improvements for more accurate tracking - Migration from net.IP to netip.Addr in the userspace firewall	2025-03-20 17:05:48 +01:00
Viktor Liu	fc1da94520	[client, management] Add port forwarding (#3275 ) Add initial support to ingress ports on the client code. - new types where added - new protocol messages and controller	2025-03-09 16:06:43 +01:00
Pedro Maia Costa	77e40f41f2	[management] refactor auth (#3296 )	2025-02-20 20:24:40 +00:00
Bethuel Mmbaga	4cdb2e533a	[management] Refactor users to use store methods (#2917 ) * Refactor setup key handling to use store methods Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * add lock to get account groups Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * add check for regular user Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * get only required groups for auto-group validation Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * add account lock and return auto groups map on validation Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * refactor account peers update Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Refactor groups to use store methods Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * refactor GetGroupByID and add NewGroupNotFoundError Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * fix tests Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Add AddPeer and RemovePeer methods to Group struct Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Preserve store engine in SqlStore transactions Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Run groups ops in transaction Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * fix missing group removed from setup key activity Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * fix merge Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Refactor posture checks to remove get and save account Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * fix refactor Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * fix tests Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * fix merge Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * fix sonar Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Change setup key log level to debug for missing group Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Retrieve modified peers once for group events Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Refactor policy get and save account to use store methods Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Fix tests Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Add tests Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Add tests Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Retrieve policy groups and posture checks once for validation Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Fix typo Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Add policy tests Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Refactor anyGroupHasPeers to retrieve all groups once Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Refactor dns settings to use store methods Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Add tests Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Add account locking and merge group deletion methods Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Fix tests Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Refactor name server groups to use store methods Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Add tests Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Add peer store methods Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Refactor ephemeral peers Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Add lock for peer store methods Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Refactor peer handlers Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Refactor peer to use store methods Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Fix tests Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Fix typo Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Add locks and remove log Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * run peer ops in transaction Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * remove duplicate store method Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * fix peer fields updated after save Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * add tests Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Use update strength and simplify check Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * prevent changing ruleID when not empty Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * prevent duplicate rules during updates Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * fix tests Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * fix lint Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Refactor auth middleware Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Refactor account methods and mock Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Refactor user and PAT handling Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Remove db query context and fix get user by id Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Fix database transaction locking issue Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Fix tests Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Use UTC time in test Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Add account locks Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Fix prevent users from creating PATs for other users Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Add tests Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Add store locks and prevent fetching setup keys peers when retrieving user peers with empty userID Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Add missing tests Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Refactor test names and remove duplicate TestPostgresql_SavePeerStatus Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Add account locks and remove redundant ephemeral check Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Retrieve all groups for peers and restrict groups for regular users Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Fix merge Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Fix merge Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * fix merge Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * fix store tests Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * use account object to get validated peers Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Fix merge Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Improve peer performance Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Get account direct from store without buffer Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Add get peer groups tests Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Adjust benchmarks Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Adjust benchmarks Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * [management] Update benchmark workflow (#3181) * update local benchmark expectations * update cloud expectations * Add status error for generic result error Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Use integrated validator direct Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * update expectations * update expectations * update expectations * Refactor peer scheduler to retry every 3 seconds on errors Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * update expectations * fix validator * fix validator * fix validator * update timeouts * Refactor ToGroupsInfo to process slices of groups Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * update expectations * update expectations * update expectations * Bump integrations version Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Refactor GetValidatedPeers Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Fix tests Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * go mod tidy Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Use peers and groups map for peers validation Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * remove mysql from api benchmark tests * Fix merge Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Fix blocked db calls on user auto groups update Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Fix tests Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * update expectations Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * update expectations Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Skip user check for system initiated peer deletion Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Remove context in db calls Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * update expectations Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * [management] Improve group peer/resource counting (#3192) * Fix sonar Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Adjust bench expectations Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Rename GetAccountInfoFromPAT to GetTokenInfo Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Fix tests Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Remove global account lock for ListUsers Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * build userinfo after updating users in db Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * [management] Optimize user bulk deletion (#3315) * refactor building user infos Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * fix tests Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * remove unused code Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Refactor GetUsersFromAccount to return a map of UserInfo instead of a slice Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Export BuildUserInfosForAccount to account manager Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Fetch account user info once for bulk users save Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Update user deletion expectations Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Set max open conns for activity store Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Update bench expectations Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> --------- Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> --------- Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> Co-authored-by: Pascal Fischer <32096965+pascal-fischer@users.noreply.github.com> Co-authored-by: Pascal Fischer <pascal@netbird.io> Co-authored-by: Pedro Costa <550684+pnmcosta@users.noreply.github.com>	2025-02-17 21:43:12 +03:00
Pascal Fischer	782e3f8853	[management] Add integration test for the setup-keys API endpoints (#2936 )	2025-01-02 13:51:01 +01:00
Viktor Liu	ddc365f7a0	[client, management] Add new network concept (#3047 ) --------- Co-authored-by: Pascal Fischer <32096965+pascal-fischer@users.noreply.github.com> Co-authored-by: bcmmbaga <bethuelmbaga12@gmail.com> Co-authored-by: Maycon Santos <mlsmaycon@gmail.com> Co-authored-by: Zoltan Papp <zoltan.pmail@gmail.com>	2024-12-20 11:30:28 +01:00
Pascal Fischer	6142828a9c	[management] restructure api files (#3013 )	2024-12-10 15:59:25 +01:00
pascal-fischer	10480eb52f	[management] Setup key improvements (#2775 )	2024-10-28 17:52:23 +01:00
pascal-fischer	16179db599	[management] Propagate metrics (#2667 )	2024-09-30 22:18:10 +02:00
Bethuel Mmbaga	170e842422	[management] Add accessible peers endpoint (#2579 ) * move accessible peer to separate endpoint in api doc Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * add endpoint to get accessible peers Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Update management/server/http/api/openapi.yml Co-authored-by: pascal-fischer <32096965+pascal-fischer@users.noreply.github.com> * Update management/server/http/api/openapi.yml Co-authored-by: pascal-fischer <32096965+pascal-fischer@users.noreply.github.com> * Update management/server/http/peers_handler.go Co-authored-by: pascal-fischer <32096965+pascal-fischer@users.noreply.github.com> --------- Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> Co-authored-by: pascal-fischer <32096965+pascal-fischer@users.noreply.github.com>	2024-09-12 16:19:27 +03:00
Bethuel Mmbaga	d97b03656f	[management] Refactor HTTP metrics (#2476 ) * Add logging for slow SQL queries in SaveAccount and GetAccount * Add resource count log for large accounts * Refactor metrics middleware to simplify counters and histograms * Update log levels and remove redundant resource count check	2024-08-23 19:42:55 +03:00
pascal-fischer	765aba2c1c	Add context to throughout the project and update logging (#2209 ) propagate context from all the API calls and log request ID, account ID and peer ID --------- Co-authored-by: Zoltan Papp <zoltan.pmail@gmail.com>	2024-07-03 11:33:02 +02:00
Zoltan Papp	5204d07811	Pass integrated validator for API (#1814 ) Pass integrated validator for API handler	2024-04-15 12:08:38 +02:00
Zoltan Papp	2d76b058fc	Feature/peer validator (#1553 ) Follow up management-integrations changes move groups to separated packages to avoid circle dependencies save location information in Login action	2024-03-27 18:48:48 +01:00
Yury Gargay	0b3b50c705	Remove deprecated Rules API endpoints (#1523 )	2024-03-14 21:31:21 +01:00
Viktor Liu	b7a6cbfaa5	Add account usage logic (#1567 ) --------- Co-authored-by: Yury Gargay <yury.gargay@gmail.com>	2024-02-22 12:27:08 +01:00
Yury Gargay	9bc7b9e897	Add initial support of device posture checks (#1540 ) This PR implements the following posture checks: * Agent minimum version allowed * OS minimum version allowed * Geo-location based on connection IP For the geo-based location, we rely on GeoLite2 databases which are free IP geolocation databases. MaxMind was tested and we provide a script that easily allows to download of all necessary files, see infrastructure_files/download-geolite2.sh. The OpenAPI spec should extensively cover the life cycle of current version posture checks.	2024-02-20 09:59:56 +01:00
Bethuel Mmbaga	cba3c549e9	Add JWT group-based access control for adding new peers (#1383 ) * Added function to check user access by JWT groups in the account management mock server and account manager * Refactor auth middleware for group-based JWT access control * Add group-based JWT access control on adding new peer with JWT * Remove mapping error as the token validation error is already present in grpc error codes * use GetAccountFromToken to prevent single mode issues * handle foreground login message --------- Co-authored-by: Maycon Santos <mlsmaycon@gmail.com>	2023-12-13 13:18:35 +03:00
Bethuel Mmbaga	d275d411aa	Enable JWT group-based user authorization (#1368 ) * Extend management API to support list of allowed JWT groups (#1366) * Add JWTAllowGroups settings to account management * Return an empty group list if jwt allow groups is not set * Add JwtAllowGroups to account settings in handler test * Add JWT group-based user authorization (#1373) * Add JWTAllowGroups settings to account management * Return an empty group list if jwt allow groups is not set * Add JwtAllowGroups to account settings in handler test * Implement user access validation authentication based on JWT groups * Remove the slices package import due to compatibility issues with the gitHub workflow(s) Go version * Refactor auth middleware and test for extracted claim handling * Optimize JWT group check in auth middleware to cover nil and empty allowed groups	2023-12-11 18:59:15 +03:00
Maycon Santos	c2eaf8a1c0	Add account deletion endpoint (#1331 ) Adding support to account owners to delete an account This will remove all users from local, and if --user-delete-from-idp is set it will remove from the remote IDP	2023-11-28 14:23:38 +01:00
Yury Gargay	e2eef4e3fd	Pass JWT Claims Extractor to Integrations (#1258 )	2023-10-27 17:18:44 +02:00
Yury Gargay	87cc53b743	Add management-integrations (#1227 )	2023-10-17 17:19:47 +02:00
pascal-fischer	f89c200ce9	Fix api Auth with PAT when a custom UserIDClaim is configured in management.json (#1120 ) The API authentication with PATs was not considering different userIDClaim that some of the IdPs are using. In this PR we read the userIDClaim from the config file instead of using the fixed default and only keep it as a fallback if none in defined.	2023-09-01 18:09:59 +02:00

1 2

78 Commits