Bump github.com/quic-go/quic-go from 0.49.1 to 0.57.0

Bumps [github.com/quic-go/quic-go](https://github.com/quic-go/quic-go) from 0.49.1 to 0.57.0.
- [Release notes](https://github.com/quic-go/quic-go/releases)
- [Commits](https://github.com/quic-go/quic-go/compare/v0.49.1...v0.57.0)

---
updated-dependencies:
- dependency-name: github.com/quic-go/quic-go
  dependency-version: 0.57.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

.goreleaser.yaml

@@ -713,8 +713,10 @@ checksum:
   extra_files:
     - glob: ./infrastructure_files/getting-started-with-zitadel.sh
     - glob: ./release_files/install.sh
+    - glob: ./infrastructure_files/getting-started.sh
 
 release:
   extra_files:
     - glob: ./infrastructure_files/getting-started-with-zitadel.sh
     - glob: ./release_files/install.sh
+    - glob: ./infrastructure_files/getting-started.sh

README.md

@@ -85,7 +85,7 @@ Follow the [Advanced guide with a custom identity provider](https://docs.netbird
 
 **Infrastructure requirements:**
 - A Linux VM with at least **1CPU** and **2GB** of memory.
-- The VM should be publicly accessible on TCP ports **80** and **443** and UDP ports: **3478**, **49152-65535**.
+- The VM should be publicly accessible on TCP ports **80** and **443** and UDP port: **3478**.
 - **Public domain** name pointing to the VM.
 
 **Software requirements:**
@@ -98,7 +98,7 @@ Follow the [Advanced guide with a custom identity provider](https://docs.netbird
 **Steps**
 - Download and run the installation script:
 ```bash
-export NETBIRD_DOMAIN=netbird.example.com; curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started-with-zitadel.sh | bash
+export NETBIRD_DOMAIN=netbird.example.com; curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started.sh | bash
 ```
 - Once finished, you can manage the resources via `docker-compose`
 

go.mod

@@ -83,7 +83,7 @@ require (
 	github.com/pion/turn/v3 v3.0.1
 	github.com/pkg/sftp v1.13.9
 	github.com/prometheus/client_golang v1.23.2
-	github.com/quic-go/quic-go v0.55.0
+	github.com/quic-go/quic-go v0.57.0
 	github.com/redis/go-redis/v9 v9.7.3
 	github.com/rs/xid v1.3.0
 	github.com/shirou/gopsutil/v3 v3.24.4

go.sum

@@ -487,8 +487,8 @@ github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9Z
 github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
 github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
 github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
-github.com/quic-go/quic-go v0.55.0 h1:zccPQIqYCXDt5NmcEabyYvOnomjs8Tlwl7tISjJh9Mk=
-github.com/quic-go/quic-go v0.55.0/go.mod h1:DR51ilwU1uE164KuWXhinFcKWGlEjzys2l8zUl5Ss1U=
+github.com/quic-go/quic-go v0.57.0 h1:AsSSrrMs4qI/hLrKlTH/TGQeTMY0ib1pAOX7vA3AdqE=
+github.com/quic-go/quic-go v0.57.0/go.mod h1:ly4QBAjHA2VhdnxhojRsCUOeJwKYg+taDlos92xb1+s=
 github.com/redis/go-redis/v9 v9.7.3 h1:YpPyAayJV+XErNsatSElgRZZVCwXX9QzkKYNvO7x0wM=
 github.com/redis/go-redis/v9 v9.7.3/go.mod h1:bGUrSggJ9X9GUmZpZNEOQKaANxSGgOEBRltRTZHSvrA=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=

infrastructure_files/getting-started.sh

@@ -169,8 +169,7 @@ init_environment() {
 
 render_caddyfile() {
   cat <<EOF
-{
-  debug
+{  
   servers :80,:443 {
     protocols h1 h2c h2 h3
   }

management/cmd/management.go

@@ -215,6 +215,11 @@ func applyEmbeddedIdPConfig(cfg *nbconfig.Config) error {
 		cfg.HttpConfig.AuthAudience = "netbird-dashboard"
 	}
 
+	// Set CLIAuthAudience to the client app client ID
+	if cfg.HttpConfig.CLIAuthAudience == "" {
+		cfg.HttpConfig.CLIAuthAudience = "netbird-cli"
+	}
+
 	// Set AuthUserIDClaim to "sub" (standard OIDC claim)
 	if cfg.HttpConfig.AuthUserIDClaim == "" {
 		cfg.HttpConfig.AuthUserIDClaim = "sub"

management/internals/controllers/network_map/controller/controller.go

@@ -142,7 +142,7 @@ func (c *Controller) sendUpdateAccountPeers(ctx context.Context, accountID strin
 		err     error
 	)
 	if c.experimentalNetworkMap(accountID) {
-		account = c.getAccountFromHolderOrInit(accountID)
+		account = c.getAccountFromHolderOrInit(ctx, accountID)
 	} else {
 		account, err = c.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
 		if err != nil {
@@ -414,7 +414,7 @@ func (c *Controller) GetValidatedPeerWithMap(ctx context.Context, isRequiresAppr
 		err     error
 	)
 	if c.experimentalNetworkMap(accountID) {
-		account = c.getAccountFromHolderOrInit(accountID)
+		account = c.getAccountFromHolderOrInit(ctx, accountID)
 	} else {
 		account, err = c.requestBuffer.GetAccountWithBackpressure(ctx, accountID)
 		if err != nil {
@@ -475,7 +475,7 @@ func (c *Controller) getPeerNetworkMapExp(
 	customZone nbdns.CustomZone,
 	metrics *telemetry.AccountManagerMetrics,
 ) *types.NetworkMap {
-	account := c.getAccountFromHolderOrInit(accountId)
+	account := c.getAccountFromHolderOrInit(ctx, accountId)
 	if account == nil {
 		log.WithContext(ctx).Warnf("account %s not found in holder when getting peer network map", accountId)
 		return &types.NetworkMap{
@@ -547,12 +547,12 @@ func (c *Controller) getAccountFromHolder(accountID string) *types.Account {
 	return c.holder.GetAccount(accountID)
 }
 
-func (c *Controller) getAccountFromHolderOrInit(accountID string) *types.Account {
+func (c *Controller) getAccountFromHolderOrInit(ctx context.Context, accountID string) *types.Account {
 	a := c.holder.GetAccount(accountID)
 	if a != nil {
 		return a
 	}
-	account, err := c.holder.LoadOrStoreFunc(accountID, c.requestBuffer.GetAccountWithBackpressure)
+	account, err := c.holder.LoadOrStoreFunc(ctx, accountID, c.requestBuffer.GetAccountWithBackpressure)
 	if err != nil {
 		return nil
 	}

management/internals/server/config/config.go

@@ -102,6 +102,9 @@ type HttpServerConfig struct {
 	CertKey string
 	// AuthAudience identifies the recipients that the JWT is intended for (aud in JWT)
 	AuthAudience string
+	// CLIAuthAudience identifies the client app recipients that the JWT is intended for (aud in JWT)
+	// Used only in conjunction with EmbeddedIdP
+	CLIAuthAudience string
 	// AuthIssuer identifies principal that issued the JWT
 	AuthIssuer string
 	// AuthUserIDClaim is the name of the claim that used as user ID

management/internals/server/server.go

@@ -129,6 +129,11 @@ func (s *BaseServer) Start(ctx context.Context) error {
 		if s.Config.IdpManagerConfig != nil && s.Config.IdpManagerConfig.ManagerType != "" {
 			idpManager = s.Config.IdpManagerConfig.ManagerType
 		}
+
+		if s.Config.EmbeddedIdP != nil && s.Config.EmbeddedIdP.Enabled {
+			idpManager = metrics.EmbeddedType
+		}
+
 		metricsWorker := metrics.NewWorker(srvCtx, installationID, s.Store(), s.PeersUpdateManager(), idpManager)
 		go metricsWorker.Run(srvCtx)
 	}

management/internals/shared/grpc/conversion.go

@@ -428,9 +428,13 @@ func buildJWTConfig(config *nbconfig.HttpServerConfig, deviceFlowConfig *nbconfi
 		keysLocation = strings.TrimSuffix(issuer, "/") + "/.well-known/jwks.json"
 	}
 
+	audience := config.AuthAudience
+	if config.CLIAuthAudience != "" {
+		audience = config.CLIAuthAudience
+	}
 	return &proto.JWTConfig{
 		Issuer:       issuer,
-		Audience:     config.AuthAudience,
+		Audience:     audience,
 		KeysLocation: keysLocation,
 	}
 }

management/server/metrics/selfhosted.go

@@ -13,6 +13,7 @@ import (
 	"time"
 
 	"github.com/hashicorp/go-version"
+	"github.com/netbirdio/netbird/idp/dex"
 	log "github.com/sirupsen/logrus"
 
 	"github.com/netbirdio/netbird/management/server/types"
@@ -28,6 +29,7 @@ const (
 	defaultPushInterval = 12 * time.Hour
 	// requestTimeout http request timeout
 	requestTimeout = 45 * time.Second
+	EmbeddedType   = "embedded"
 )
 
 type getTokenResponse struct {
@@ -206,6 +208,8 @@ func (w *Worker) generateProperties(ctx context.Context) properties {
 		peerActiveVersions        []string
 		osUIClients               map[string]int
 		rosenpassEnabled          int
+		localUsers                int
+		idpUsers                  int
 	)
 	start := time.Now()
 	metricsProperties := make(properties)
@@ -266,6 +270,16 @@ func (w *Worker) generateProperties(ctx context.Context) properties {
 				serviceUsers++
 			} else {
 				users++
+				if w.idpManager == EmbeddedType {
+					_, idpID, err := dex.DecodeDexUserID(user.Id)
+					if err == nil {
+						if idpID == "local" {
+							localUsers++
+						} else {
+							idpUsers++
+						}
+					}
+				}
 			}
 			pats += len(user.PATs)
 		}
@@ -353,6 +367,8 @@ func (w *Worker) generateProperties(ctx context.Context) properties {
 	metricsProperties["idp_manager"] = w.idpManager
 	metricsProperties["store_engine"] = w.dataSource.GetStoreEngine()
 	metricsProperties["rosenpass_enabled"] = rosenpassEnabled
+	metricsProperties["local_users_count"] = localUsers
+	metricsProperties["idp_users_count"] = idpUsers
 
 	for protocol, count := range rulesProtocol {
 		metricsProperties["rules_protocol_"+protocol] = count

management/server/metrics/selfhosted_test.go

@@ -5,6 +5,7 @@ import (
 	"testing"
 
 	nbdns "github.com/netbirdio/netbird/dns"
+	"github.com/netbirdio/netbird/idp/dex"
 	resourceTypes "github.com/netbirdio/netbird/management/server/networks/resources/types"
 	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
 	networkTypes "github.com/netbirdio/netbird/management/server/networks/types"
@@ -25,6 +26,8 @@ func (mockDatasource) GetAllConnectedPeers() map[string]struct{} {
 
 // GetAllAccounts returns a list of *server.Account for use in tests with predefined information
 func (mockDatasource) GetAllAccounts(_ context.Context) []*types.Account {
+	localUserID := dex.EncodeDexUserID("10", "local")
+	idpUserID := dex.EncodeDexUserID("20", "zitadel")
 	return []*types.Account{
 		{
 			Id:       "1",
@@ -98,12 +101,14 @@ func (mockDatasource) GetAllAccounts(_ context.Context) []*types.Account {
 			},
 			Users: map[string]*types.User{
 				"1": {
+					Id:            "1",
 					IsServiceUser: true,
 					PATs: map[string]*types.PersonalAccessToken{
 						"1": {},
 					},
 				},
-				"2": {
+				localUserID: {
+					Id:            localUserID,
 					IsServiceUser: false,
 					PATs: map[string]*types.PersonalAccessToken{
 						"1": {},
@@ -162,12 +167,14 @@ func (mockDatasource) GetAllAccounts(_ context.Context) []*types.Account {
 			},
 			Users: map[string]*types.User{
 				"1": {
+					Id:            "1",
 					IsServiceUser: true,
 					PATs: map[string]*types.PersonalAccessToken{
 						"1": {},
 					},
 				},
-				"2": {
+				idpUserID: {
+					Id:            idpUserID,
 					IsServiceUser: false,
 					PATs: map[string]*types.PersonalAccessToken{
 						"1": {},
@@ -214,6 +221,7 @@ func TestGenerateProperties(t *testing.T) {
 	worker := Worker{
 		dataSource:  ds,
 		connManager: ds,
+		idpManager:  EmbeddedType,
 	}
 
 	properties := worker.generateProperties(context.Background())
@@ -327,4 +335,10 @@ func TestGenerateProperties(t *testing.T) {
 		t.Errorf("expected 1 active_users_last_day, got %d", properties["active_users_last_day"])
 	}
 
+	if properties["local_users_count"] != 1 {
+		t.Errorf("expected 1 local_users_count, got %d", properties["local_users_count"])
+	}
+	if properties["idp_users_count"] != 1 {
+		t.Errorf("expected 1 idp_users_count, got %d", properties["idp_users_count"])
+	}
 }

management/server/store/sql_store.go

@@ -3029,8 +3029,9 @@ func (s *SqlStore) ExecuteInTransaction(ctx context.Context, operation func(stor
 
 func (s *SqlStore) withTx(tx *gorm.DB) Store {
 	return &SqlStore{
-		db:          tx,
-		storeEngine: s.storeEngine,
+		db:           tx,
+		storeEngine:  s.storeEngine,
+		fieldEncrypt: s.fieldEncrypt,
 	}
 }
 

management/server/types/holder.go

@@ -32,13 +32,13 @@ func (h *Holder) AddAccount(account *Account) {
 	h.accounts[account.Id] = account
 }
 
-func (h *Holder) LoadOrStoreFunc(id string, accGetter func(context.Context, string) (*Account, error)) (*Account, error) {
+func (h *Holder) LoadOrStoreFunc(ctx context.Context, id string, accGetter func(context.Context, string) (*Account, error)) (*Account, error) {
 	h.mu.Lock()
 	defer h.mu.Unlock()
 	if acc, ok := h.accounts[id]; ok {
 		return acc, nil
 	}
-	account, err := accGetter(context.Background(), id)
+	account, err := accGetter(ctx, id)
 	if err != nil {
 		return nil, err
 	}