Documentation ¶
Index ¶
- Constants
- func AllocatePeerIP(ipNet net.IPNet, takenIps []net.IP) (net.IP, error)
- func Hash(s string) uint32
- func ToResponseProto(configProto Protocol) proto.HostConfig_Protocol
- type Account
- func (a *Account) AddJWTGroups(userID string, groups []string) bool
- func (a *Account) Copy() *Account
- func (a *Account) DeletePeer(peerID string)
- func (a *Account) FindPeerByPubKey(peerPubKey string) (*Peer, error)
- func (a *Account) FindSetupKey(setupKey string) (*SetupKey, error)
- func (a *Account) FindUser(userID string) (*User, error)
- func (a *Account) FindUserPeers(userID string) ([]*Peer, error)
- func (a *Account) GetExpiredPeers() []*Peer
- func (a *Account) GetGroup(groupID string) *Group
- func (a *Account) GetGroupAll() (*Group, error)
- func (a *Account) GetNextPeerExpiration() (time.Duration, bool)
- func (a *Account) GetPeer(peerID string) *Peer
- func (a *Account) GetPeerByIP(peerIP string) *Peer
- func (a *Account) GetPeerNetworkMap(peerID, dnsDomain string) *NetworkMap
- func (a *Account) GetPeers() []*Peer
- func (a *Account) GetPeersWithExpiration() []*Peer
- func (a *Account) GetRoutesByPrefix(prefix netip.Prefix) []*route.Route
- func (a *Account) UpdatePeer(update *Peer)
- func (a *Account) UpdateSettings(update *Settings) *Account
- func (a *Account) UserGroupsAddToPeers(userID string, groups ...string)
- func (a *Account) UserGroupsRemoveFromPeers(userID string, groups ...string)
- type AccountManager
- type Config
- type DNSSettings
- type DefaultAccountManager
- func (am *DefaultAccountManager) AccountExists(accountID string) (*bool, error)
- func (am *DefaultAccountManager) AddPeer(setupKey, userID string, peer *Peer) (*Peer, *NetworkMap, error)
- func (am *DefaultAccountManager) CreateNameServerGroup(accountID string, name, description string, nameServerList []nbdns.NameServer, ...) (*nbdns.NameServerGroup, error)
- func (am *DefaultAccountManager) CreatePAT(accountID string, initiatorUserID string, targetUserID string, ...) (*PersonalAccessTokenGenerated, error)
- func (am *DefaultAccountManager) CreateRoute(accountID string, network, peerID, description, netID string, masquerade bool, ...) (*route.Route, error)
- func (am *DefaultAccountManager) CreateSetupKey(accountID string, keyName string, keyType SetupKeyType, ...) (*SetupKey, error)
- func (am *DefaultAccountManager) CreateUser(accountID, userID string, user *UserInfo) (*UserInfo, error)
- func (am *DefaultAccountManager) DeleteGroup(accountId, userId, groupID string) error
- func (am *DefaultAccountManager) DeleteNameServerGroup(accountID, nsGroupID, userID string) error
- func (am *DefaultAccountManager) DeletePAT(accountID string, initiatorUserID string, targetUserID string, tokenID string) error
- func (am *DefaultAccountManager) DeletePeer(accountID, peerID, userID string) (*Peer, error)
- func (am *DefaultAccountManager) DeletePolicy(accountID, policyID, userID string) error
- func (am *DefaultAccountManager) DeleteRoute(accountID, routeID, userID string) error
- func (am *DefaultAccountManager) DeleteUser(accountID, initiatorUserID string, targetUserID string) error
- func (am *DefaultAccountManager) GetAccountByUserOrAccountID(userID, accountID, domain string) (*Account, error)
- func (am *DefaultAccountManager) GetAccountFromPAT(token string) (*Account, *User, *PersonalAccessToken, error)
- func (am *DefaultAccountManager) GetAccountFromToken(claims jwtclaims.AuthorizationClaims) (*Account, *User, error)
- func (am *DefaultAccountManager) GetAllPATs(accountID string, initiatorUserID string, targetUserID string) ([]*PersonalAccessToken, error)
- func (am *DefaultAccountManager) GetDNSDomain() string
- func (am *DefaultAccountManager) GetDNSSettings(accountID string, userID string) (*DNSSettings, error)
- func (am *DefaultAccountManager) GetEvents(accountID, userID string) ([]*activity.Event, error)
- func (am *DefaultAccountManager) GetGroup(accountID, groupID string) (*Group, error)
- func (am *DefaultAccountManager) GetNameServerGroup(accountID, nsGroupID string) (*nbdns.NameServerGroup, error)
- func (am *DefaultAccountManager) GetNetworkMap(peerID string) (*NetworkMap, error)
- func (am *DefaultAccountManager) GetOrCreateAccountByUser(userID, domain string) (*Account, error)
- func (am *DefaultAccountManager) GetPAT(accountID string, initiatorUserID string, targetUserID string, tokenID string) (*PersonalAccessToken, error)
- func (am *DefaultAccountManager) GetPeer(accountID, peerID, userID string) (*Peer, error)
- func (am *DefaultAccountManager) GetPeerByIP(accountID string, peerIP string) (*Peer, error)
- func (am *DefaultAccountManager) GetPeerByKey(peerPubKey string) (*Peer, error)
- func (am *DefaultAccountManager) GetPeerNetwork(peerID string) (*Network, error)
- func (am *DefaultAccountManager) GetPeers(accountID, userID string) ([]*Peer, error)
- func (am *DefaultAccountManager) GetPolicy(accountID, policyID, userID string) (*Policy, error)
- func (am *DefaultAccountManager) GetRoute(accountID, routeID, userID string) (*route.Route, error)
- func (am *DefaultAccountManager) GetSetupKey(accountID, userID, keyID string) (*SetupKey, error)
- func (am *DefaultAccountManager) GetUser(claims jwtclaims.AuthorizationClaims) (*User, error)
- func (am *DefaultAccountManager) GetUsersFromAccount(accountID, userID string) ([]*UserInfo, error)
- func (am *DefaultAccountManager) GroupAddPeer(accountID, groupID, peerID string) error
- func (am *DefaultAccountManager) GroupDeletePeer(accountID, groupID, peerKey string) error
- func (am *DefaultAccountManager) GroupListPeers(accountID, groupID string) ([]*Peer, error)
- func (am *DefaultAccountManager) InviteUser(accountID string, initiatorUserID string, targetUserID string) error
- func (am *DefaultAccountManager) ListGroups(accountID string) ([]*Group, error)
- func (am *DefaultAccountManager) ListNameServerGroups(accountID string) ([]*nbdns.NameServerGroup, error)
- func (am *DefaultAccountManager) ListPolicies(accountID, userID string) ([]*Policy, error)
- func (am *DefaultAccountManager) ListRoutes(accountID, userID string) ([]*route.Route, error)
- func (am *DefaultAccountManager) ListSetupKeys(accountID, userID string) ([]*SetupKey, error)
- func (am *DefaultAccountManager) LoginPeer(login PeerLogin) (*Peer, *NetworkMap, error)
- func (am *DefaultAccountManager) MarkPATUsed(tokenID string) error
- func (am *DefaultAccountManager) MarkPeerConnected(peerPubKey string, connected bool) error
- func (am *DefaultAccountManager) SaveDNSSettings(accountID string, userID string, dnsSettingsToSave *DNSSettings) error
- func (am *DefaultAccountManager) SaveGroup(accountID, userID string, newGroup *Group) error
- func (am *DefaultAccountManager) SaveNameServerGroup(accountID, userID string, nsGroupToSave *nbdns.NameServerGroup) error
- func (am *DefaultAccountManager) SavePolicy(accountID, userID string, policy *Policy) error
- func (am *DefaultAccountManager) SaveRoute(accountID, userID string, routeToSave *route.Route) error
- func (am *DefaultAccountManager) SaveSetupKey(accountID string, keyToSave *SetupKey, userID string) (*SetupKey, error)
- func (am *DefaultAccountManager) SaveUser(accountID, initiatorUserID string, update *User) (*UserInfo, error)
- func (am *DefaultAccountManager) SyncPeer(sync PeerSync) (*Peer, *NetworkMap, error)
- func (am *DefaultAccountManager) UpdateAccountSettings(accountID, userID string, newSettings *Settings) (*Account, error)
- func (am *DefaultAccountManager) UpdateGroup(accountID string, groupID string, operations []GroupUpdateOperation) (*Group, error)
- func (am *DefaultAccountManager) UpdateNameServerGroup(accountID, nsGroupID, userID string, ...) (*nbdns.NameServerGroup, error)
- func (am *DefaultAccountManager) UpdatePeer(accountID, userID string, update *Peer) (*Peer, error)
- func (am *DefaultAccountManager) UpdatePeerSSHKey(peerID string, sshKey string) error
- func (am *DefaultAccountManager) UpdateRoute(accountID, routeID string, operations []RouteUpdateOperation) (*route.Route, error)
- type DefaultScheduler
- type DeviceAuthorizationFlow
- type FileStore
- func (s *FileStore) AcquireAccountLock(accountID string) (unlock func())
- func (s *FileStore) AcquireGlobalLock() (unlock func())
- func (s *FileStore) Close() error
- func (s *FileStore) DeleteHashedPAT2TokenIDIndex(hashedToken string) error
- func (s *FileStore) DeleteTokenID2UserIDIndex(tokenID string) error
- func (s *FileStore) GetAccount(accountID string) (*Account, error)
- func (s *FileStore) GetAccountByPeerID(peerID string) (*Account, error)
- func (s *FileStore) GetAccountByPeerPubKey(peerKey string) (*Account, error)
- func (s *FileStore) GetAccountByPrivateDomain(domain string) (*Account, error)
- func (s *FileStore) GetAccountBySetupKey(setupKey string) (*Account, error)
- func (s *FileStore) GetAccountByUser(userID string) (*Account, error)
- func (s *FileStore) GetAllAccounts() (all []*Account)
- func (s *FileStore) GetInstallationID() string
- func (s *FileStore) GetTokenIDByHashedToken(token string) (string, error)
- func (s *FileStore) GetUserByTokenID(tokenID string) (*User, error)
- func (s *FileStore) SaveAccount(account *Account) error
- func (s *FileStore) SaveInstallationID(ID string) error
- func (s *FileStore) SavePeerStatus(accountID, peerID string, peerStatus PeerStatus) error
- type FirewallRule
- type GRPCServer
- func (s *GRPCServer) GetDeviceAuthorizationFlow(ctx context.Context, req *proto.EncryptedMessage) (*proto.EncryptedMessage, error)
- func (s *GRPCServer) GetPKCEAuthorizationFlow(_ context.Context, req *proto.EncryptedMessage) (*proto.EncryptedMessage, error)
- func (s *GRPCServer) GetServerKey(ctx context.Context, req *proto.Empty) (*proto.ServerKeyResponse, error)
- func (s *GRPCServer) IsHealthy(ctx context.Context, req *proto.Empty) (*proto.Empty, error)
- func (s *GRPCServer) Login(ctx context.Context, req *proto.EncryptedMessage) (*proto.EncryptedMessage, error)
- func (s *GRPCServer) Sync(req *proto.EncryptedMessage, srv proto.ManagementService_SyncServer) error
- type Group
- type GroupLinkError
- type GroupUpdateOperation
- type GroupUpdateOperationType
- type Host
- type HttpServerConfig
- type MockScheduler
- type NameServerGroupUpdateOperation
- type NameServerGroupUpdateOperationType
- type Network
- type NetworkMap
- type PKCEAuthorizationFlow
- type Peer
- func (p *Peer) AddedWithSSOLogin() bool
- func (p *Peer) Copy() *Peer
- func (p *Peer) EventMeta(dnsDomain string) map[string]any
- func (p *Peer) FQDN(dnsDomain string) string
- func (p *Peer) LoginExpired(expiresIn time.Duration) (bool, time.Duration)
- func (p *Peer) MarkLoginExpired(expired bool)
- func (p *Peer) UpdateLastLogin() *Peer
- func (p *Peer) UpdateMetaIfNew(meta PeerSystemMeta) bool
- type PeerLogin
- type PeerStatus
- type PeerSync
- type PeerSystemMeta
- type PeersUpdateManager
- func (p *PeersUpdateManager) CloseChannel(peerID string)
- func (p *PeersUpdateManager) CloseChannels(peerIDs []string)
- func (p *PeersUpdateManager) CreateChannel(peerID string) chan *UpdateMessage
- func (p *PeersUpdateManager) GetAllConnectedPeers() map[string]struct{}
- func (p *PeersUpdateManager) SendUpdate(peerID string, update *UpdateMessage) error
- type PersonalAccessToken
- type PersonalAccessTokenGenerated
- type Policy
- type PolicyRule
- type PolicyRuleDirection
- type PolicyRuleProtocolType
- type PolicyTrafficActionType
- type PolicyUpdateOperation
- type PolicyUpdateOperationType
- type Protocol
- type Provider
- type ProviderConfig
- type RouteUpdateOperation
- type RouteUpdateOperationType
- type Rule
- type Scheduler
- type Settings
- type SetupKey
- func (key *SetupKey) Copy() *SetupKey
- func (key *SetupKey) EventMeta() map[string]any
- func (key *SetupKey) HiddenCopy(length int) *SetupKey
- func (key *SetupKey) IncrementUsage() *SetupKey
- func (key *SetupKey) IsExpired() bool
- func (key *SetupKey) IsOverUsed() bool
- func (key *SetupKey) IsRevoked() bool
- func (key *SetupKey) IsValid() bool
- type SetupKeyType
- type SetupKeyUpdateOperation
- type SetupKeyUpdateOperationType
- type Store
- type StoredAccount
- type TURNConfig
- type TURNCredentials
- type TURNCredentialsManager
- type TimeBasedAuthSecretsManager
- type TrafficFlowType
- type UpdateMessage
- type User
- type UserInfo
- type UserRole
- type UserStatus
Constants ¶
const (
	// Account domain categories. NOTE(review): presumably the values stored in
	// Account.DomainCategory — confirm against the callers that set it.
	PublicCategory  = "public"
	PrivateCategory = "private"
	UnknownCategory = "unknown"

	// Origin of a group membership: created through the API, or derived from
	// JWT claims (see Account.AddJWTGroups).
	GroupIssuedAPI = "api"
	GroupIssuedJWT = "jwt"

	// CacheExpirationMax is the upper bound of the cache TTL (7 days).
	CacheExpirationMax = 7 * 24 * 3600 * time.Second // 7 days
	// CacheExpirationMin is the lower bound of the cache TTL (3 days).
	CacheExpirationMin = 3 * 24 * 3600 * time.Second // 3 days
	// DefaultPeerLoginExpiration is the default lifetime of a peer login before
	// the peer has to re-authenticate (see Peer.LoginExpired).
	DefaultPeerLoginExpiration = 24 * time.Hour
)
const (
	// Transport protocols a Host can be configured with; ToResponseProto maps
	// them to the wire representation sent to peers.
	UDP   Protocol = "udp"
	DTLS  Protocol = "dtls"
	TCP   Protocol = "tcp"
	HTTP  Protocol = "http"
	HTTPS Protocol = "https"

	// NONE is the Provider value meaning no provider is configured
	// (NOTE(review): inferred from the name — confirm).
	NONE Provider = "none"
)
const (
	// SubnetSize is the prefix length of an account's subnet inside the global
	// network, e.g. 100.77.0.0/16.
	SubnetSize = 16
	// NetSize is the prefix length of the global network 100.64.0.0/10.
	NetSize = 10
	// AllowedIPsFormat generates the WireGuard AllowedIPs entry for a single
	// peer address (e.g. 100.64.30.1/32); the /32 restricts the peer to its
	// own address.
	AllowedIPsFormat = "%s/32"
)
const (
	// PATPrefix is the globally used, 4 char prefix for personal access tokens.
	// A fixed prefix makes leaked tokens recognisable to secret scanners.
	PATPrefix = "nbp_"
	// PATSecretLength is the number of characters used for the secret inside the token.
	PATSecretLength = 30
	// PATChecksumLength is the number of characters used for the encoded checksum
	// of the secret inside the token.
	PATChecksumLength = 6
	// PATLength is the total number of characters used for the token:
	// len(PATPrefix) + PATSecretLength + PATChecksumLength = 4 + 30 + 6.
	PATLength = 40
)
const (
	// PolicyTrafficActionAccept indicates that the traffic is accepted.
	PolicyTrafficActionAccept = PolicyTrafficActionType("accept")
	// PolicyTrafficActionDrop indicates that the traffic is dropped.
	PolicyTrafficActionDrop = PolicyTrafficActionType("drop")
)
const (
	// PolicyRuleProtocolALL matches traffic of any protocol.
	PolicyRuleProtocolALL = PolicyRuleProtocolType("all")
	// PolicyRuleProtocolTCP matches TCP traffic.
	PolicyRuleProtocolTCP = PolicyRuleProtocolType("tcp")
	// PolicyRuleProtocolUDP matches UDP traffic.
	PolicyRuleProtocolUDP = PolicyRuleProtocolType("udp")
	// PolicyRuleProtocolICMP matches ICMP traffic.
	PolicyRuleProtocolICMP = PolicyRuleProtocolType("icmp")
)
const (
	// PolicyRuleFlowDirect allows traffic from source to destination only.
	PolicyRuleFlowDirect = PolicyRuleDirection("direct")
	// PolicyRuleFlowBidirect allows traffic in both directions.
	PolicyRuleFlowBidirect = PolicyRuleDirection("bidirect")
)
const (
	// TrafficFlowBidirect allows traffic in both directions.
	TrafficFlowBidirect TrafficFlowType = iota
	// TrafficFlowBidirectString is the string form of TrafficFlowBidirect.
	TrafficFlowBidirectString = "bidirect"
	// DefaultRuleName is the name of the Default rule that is created for every account.
	DefaultRuleName = "Default"
	// DefaultRuleDescription is the description of the Default rule that is created
	// for every account. Note that the default rule is permissive: it allows
	// connections between all the resources of the account.
	DefaultRuleDescription = "This is a default rule that allows connections between all the resources"
	// DefaultPolicyName is the name of the Default policy that is created for every account.
	DefaultPolicyName = "Default"
	// DefaultPolicyDescription is the description of the Default policy that is created
	// for every account; like the default rule, it allows all-to-all connectivity.
	DefaultPolicyDescription = "This is a default policy that allows connections between all the resources"
)
const (
	// SetupKeyReusable is a multi-use key (can be used for multiple machines).
	SetupKeyReusable SetupKeyType = "reusable"
	// SetupKeyOneOff is a single-use key (can be used only once).
	SetupKeyOneOff SetupKeyType = "one-off"
	// DefaultSetupKeyDuration is the default validity of a setup key, 1 month (30 days).
	DefaultSetupKeyDuration = 24 * 30 * time.Hour
	// DefaultSetupKeyName is the default name of the default setup key.
	DefaultSetupKeyName = "Default key"
	// SetupKeyUnlimitedUsage indicates unlimited usage of a setup key
	// (a usage limit of 0 means "no limit", see SetupKey.IsOverUsed).
	SetupKeyUnlimitedUsage = 0
)
const (
	// User roles. Admin-only operations are gated on the role of the calling
	// user (see e.g. DefaultAccountManager.GetPeers).
	UserRoleAdmin   UserRole = "admin"
	UserRoleUser    UserRole = "user"
	UserRoleUnknown UserRole = "unknown"

	// User lifecycle states.
	UserStatusActive   UserStatus = "active"
	UserStatusDisabled UserStatus = "disabled"
	UserStatusInvited  UserStatus = "invited"
)
const (
	// DefaultDeviceAuthFlowScope defines the bare minimum OAuth scope to request
	// in the device authorization flow.
	DefaultDeviceAuthFlowScope string = "openid"
)
Variables ¶
This section is empty.
Functions ¶
func AllocatePeerIP ¶
AllocatePeerIP picks an available IP from a net.IPNet. This method considers already taken IPs and reuses IPs if there are gaps in takenIps. E.g. if ipNet=100.30.0.0/16 and takenIps=[100.30.0.1, 100.30.0.4] then the result would be 100.30.0.2 or 100.30.0.3.
func ToResponseProto ¶
func ToResponseProto(configProto Protocol) proto.HostConfig_Protocol
Types ¶
type Account ¶
// Account represents a unique account of the system.
type Account struct {
	Id string
	// User.Id it was created by
	CreatedBy string
	Domain    string
	// DomainCategory is one of PublicCategory, PrivateCategory or
	// UnknownCategory (NOTE(review): inferred from the constant names — confirm).
	DomainCategory         string
	IsDomainPrimaryAccount bool
	// SetupKeys pre-authorize peer registration for this account (see AddPeer).
	SetupKeys map[string]*SetupKey
	Network   *Network
	// Peers keyed by peer ID (NOTE(review): presumably, given GetPeer(peerID) — confirm).
	Peers map[string]*Peer
	Users map[string]*User
	// Groups are referenced by policies, routes and name server groups; DeletePeer
	// cleans up references into them.
	Groups   map[string]*Group
	Rules    map[string]*Rule
	Policies []*Policy
	Routes   map[string]*route.Route
	NameServerGroups map[string]*nbdns.NameServerGroup
	DNSSettings      *DNSSettings
	// Settings is a dictionary of Account settings
	Settings *Settings
}
Account represents a unique account of the system
func (*Account) AddJWTGroups ¶ added in v0.21.8
AddJWTGroups adds the given groups to the account and to the user's auto-assigned groups.
func (*Account) DeletePeer ¶ added in v0.10.6
DeletePeer deletes peer from the account cleaning up all the references
func (*Account) FindPeerByPubKey ¶ added in v0.10.6
FindPeerByPubKey looks for a Peer by provided WireGuard public key in the Account or returns error if it wasn't found. It will return an object copy of the peer.
func (*Account) FindSetupKey ¶ added in v0.10.8
FindSetupKey looks for a given SetupKey in the Account or returns error if it wasn't found.
func (*Account) FindUser ¶ added in v0.10.5
FindUser looks for a given user in the Account or returns error if user wasn't found.
func (*Account) FindUserPeers ¶ added in v0.13.0
FindUserPeers returns a list of peers that user owns (created)
func (*Account) GetExpiredPeers ¶ added in v0.14.2
GetExpiredPeers returns peers that have been expired
func (*Account) GetGroupAll ¶
func (*Account) GetNextPeerExpiration ¶ added in v0.14.2
GetNextPeerExpiration returns the minimum duration in which the next peer of the account will expire, if such a peer was found. If there is no peer that expires, this function returns false and a duration of 0. This function only considers peers that haven't expired yet and that are connected.
func (*Account) GetPeerByIP ¶ added in v0.13.0
GetPeerByIP returns the peer with the given IP if it exists under the account, or nil otherwise.
func (*Account) GetPeerNetworkMap ¶ added in v0.14.3
func (a *Account) GetPeerNetworkMap(peerID, dnsDomain string) *NetworkMap
GetPeerNetworkMap returns the NetworkMap for the peer with the given ID.
func (*Account) GetPeersWithExpiration ¶ added in v0.14.2
GetPeersWithExpiration returns a list of peers that have Peer.LoginExpirationEnabled set to true and that were added by a user
func (*Account) GetRoutesByPrefix ¶ added in v0.10.6
GetRoutesByPrefix returns the list of routes of the account that match the given route prefix.
func (*Account) UpdatePeer ¶ added in v0.10.6
UpdatePeer saves new or replaces existing peer
func (*Account) UpdateSettings ¶ added in v0.14.0
UpdateSettings saves new account settings
func (*Account) UserGroupsAddToPeers ¶ added in v0.22.3
UserGroupsAddToPeers adds groups to all peers of user
func (*Account) UserGroupsRemoveFromPeers ¶ added in v0.22.3
UserGroupsRemoveFromPeers removes groups from all peers of user
type AccountManager ¶
// AccountManager is the management API over accounts and everything they own
// (peers, users, setup keys, PATs, groups, policies, routes, DNS). It is
// implemented by DefaultAccountManager. Most methods take the calling userID
// alongside the accountID; authorization of the caller is up to the
// implementation (NOTE(review): see the DefaultAccountManager docs — confirm
// per method).
type AccountManager interface {
	GetOrCreateAccountByUser(userId, domain string) (*Account, error)

	// Setup keys.
	CreateSetupKey(accountID string, keyName string, keyType SetupKeyType, expiresIn time.Duration, autoGroups []string, usageLimit int, userID string) (*SetupKey, error)
	SaveSetupKey(accountID string, key *SetupKey, userID string) (*SetupKey, error)

	// Users.
	CreateUser(accountID, initiatorUserID string, key *UserInfo) (*UserInfo, error)
	DeleteUser(accountID, initiatorUserID string, targetUserID string) error
	InviteUser(accountID string, initiatorUserID string, targetUserID string) error
	ListSetupKeys(accountID, userID string) ([]*SetupKey, error)
	SaveUser(accountID, initiatorUserID string, update *User) (*UserInfo, error)
	GetSetupKey(accountID, userID, keyID string) (*SetupKey, error)

	// Account lookup from credentials (JWT claims or a personal access token).
	GetAccountByUserOrAccountID(userID, accountID, domain string) (*Account, error)
	GetAccountFromToken(claims jwtclaims.AuthorizationClaims) (*Account, *User, error)
	GetAccountFromPAT(pat string) (*Account, *User, *PersonalAccessToken, error)
	MarkPATUsed(tokenID string) error
	GetUser(claims jwtclaims.AuthorizationClaims) (*User, error)
	AccountExists(accountId string) (*bool, error)

	// Peers.
	GetPeerByKey(peerKey string) (*Peer, error)
	GetPeers(accountID, userID string) ([]*Peer, error)
	MarkPeerConnected(peerKey string, connected bool) error
	DeletePeer(accountID, peerID, userID string) (*Peer, error)
	GetPeerByIP(accountId string, peerIP string) (*Peer, error)
	UpdatePeer(accountID, userID string, peer *Peer) (*Peer, error)
	GetNetworkMap(peerID string) (*NetworkMap, error)
	GetPeerNetwork(peerID string) (*Network, error)
	AddPeer(setupKey, userID string, peer *Peer) (*Peer, *NetworkMap, error)

	// Personal access tokens; initiatorUserID is the caller, targetUserID the owner.
	CreatePAT(accountID string, initiatorUserID string, targetUserID string, tokenName string, expiresIn int) (*PersonalAccessTokenGenerated, error)
	DeletePAT(accountID string, initiatorUserID string, targetUserID string, tokenID string) error
	GetPAT(accountID string, initiatorUserID string, targetUserID string, tokenID string) (*PersonalAccessToken, error)
	GetAllPATs(accountID string, initiatorUserID string, targetUserID string) ([]*PersonalAccessToken, error)
	UpdatePeerSSHKey(peerID string, sshKey string) error
	GetUsersFromAccount(accountID, userID string) ([]*UserInfo, error)

	// Groups.
	GetGroup(accountId, groupID string) (*Group, error)
	SaveGroup(accountID, userID string, group *Group) error
	UpdateGroup(accountID string, groupID string, operations []GroupUpdateOperation) (*Group, error)
	DeleteGroup(accountId, userId, groupID string) error
	ListGroups(accountId string) ([]*Group, error)
	GroupAddPeer(accountId, groupID, peerID string) error
	GroupDeletePeer(accountId, groupID, peerKey string) error
	GroupListPeers(accountId, groupID string) ([]*Peer, error)

	// Policies.
	GetPolicy(accountID, policyID, userID string) (*Policy, error)
	SavePolicy(accountID, userID string, policy *Policy) error
	DeletePolicy(accountID, policyID, userID string) error
	ListPolicies(accountID, userID string) ([]*Policy, error)

	// Routes.
	GetRoute(accountID, routeID, userID string) (*route.Route, error)
	CreateRoute(accountID string, prefix, peerID, description, netID string, masquerade bool, metric int, groups []string, enabled bool, userID string) (*route.Route, error)
	SaveRoute(accountID, userID string, route *route.Route) error
	UpdateRoute(accountID, routeID string, operations []RouteUpdateOperation) (*route.Route, error)
	DeleteRoute(accountID, routeID, userID string) error
	ListRoutes(accountID, userID string) ([]*route.Route, error)

	// Name server groups and DNS settings.
	GetNameServerGroup(accountID, nsGroupID string) (*nbdns.NameServerGroup, error)
	CreateNameServerGroup(accountID string, name, description string, nameServerList []nbdns.NameServer, groups []string, primary bool, domains []string, enabled bool, userID string) (*nbdns.NameServerGroup, error)
	SaveNameServerGroup(accountID, userID string, nsGroupToSave *nbdns.NameServerGroup) error
	UpdateNameServerGroup(accountID, nsGroupID, userID string, operations []NameServerGroupUpdateOperation) (*nbdns.NameServerGroup, error)
	DeleteNameServerGroup(accountID, nsGroupID, userID string) error
	ListNameServerGroups(accountID string) ([]*nbdns.NameServerGroup, error)
	GetDNSDomain() string
	GetEvents(accountID, userID string) ([]*activity.Event, error)
	GetDNSSettings(accountID string, userID string) (*DNSSettings, error)
	SaveDNSSettings(accountID string, userID string, dnsSettingsToSave *DNSSettings) error
	GetPeer(accountID, peerID, userID string) (*Peer, error)
	UpdateAccountSettings(accountID, userID string, newSettings *Settings) (*Account, error)

	LoginPeer(login PeerLogin) (*Peer, *NetworkMap, error) // used by peer gRPC API
	SyncPeer(sync PeerSync) (*Peer, *NetworkMap, error)    // used by peer gRPC API
}
type Config ¶
// Config of the Management service.
type Config struct {
	// Stuns and Signal are the STUN and signal servers handed to peers.
	Stuns      []*Host
	TURNConfig *TURNConfig
	Signal     *Host
	// Datadir is the directory the service stores its state in.
	Datadir string
	// HttpConfig carries the HTTP API settings, including the auth audiences
	// (see Config.GetAuthAudiences).
	HttpConfig       *HttpServerConfig
	IdpManagerConfig *idp.Config
	// Authorization flows offered to clients; their audiences are also part of
	// GetAuthAudiences.
	DeviceAuthorizationFlow *DeviceAuthorizationFlow
	PKCEAuthorizationFlow   *PKCEAuthorizationFlow
}
Config of the Management service
func (Config) GetAuthAudiences ¶ added in v0.15.0
GetAuthAudiences returns the audience from the http config and device authorization flow config
type DNSSettings ¶ added in v0.12.0
// DNSSettings defines DNS settings at the account level.
type DNSSettings struct {
	// DisabledManagementGroups lists the group IDs whose DNS management is disabled.
	DisabledManagementGroups []string
}
DNSSettings defines dns settings at the account level
func (*DNSSettings) Copy ¶ added in v0.12.0
func (d *DNSSettings) Copy() *DNSSettings
Copy returns a copy of the DNS settings
type DefaultAccountManager ¶
// DefaultAccountManager is the AccountManager implementation backed by a Store;
// construct it with BuildManager.
type DefaultAccountManager struct {
	// Store persists accounts and their indexes (see the Store interface).
	Store Store // contains filtered or unexported fields
}
func BuildManager ¶
func BuildManager(store Store, peersUpdateManager *PeersUpdateManager, idpManager idp.Manager, singleAccountModeDomain string, dnsDomain string, eventStore activity.Store, ) (*DefaultAccountManager, error)
BuildManager creates a new DefaultAccountManager with a provided Store
func (*DefaultAccountManager) AccountExists ¶
func (am *DefaultAccountManager) AccountExists(accountID string) (*bool, error)
AccountExists checks whether account exists (returns true) or not (returns false)
func (*DefaultAccountManager) AddPeer ¶
func (am *DefaultAccountManager) AddPeer(setupKey, userID string, peer *Peer) (*Peer, *NetworkMap, error)
AddPeer adds a new peer to the Store. Each Account has a list of pre-authorized SetupKeys, and if no Account has the given key an error with code status.PermissionDenied is returned, meaning the setup key is invalid or not found. If a User ID is provided, it means that authentication was passed using JWT; then the account is looked up by User ID and the peer is registered to it. The User ID is also added to the peer metadata to identify the registrant. If no userID is provided, the call fails with status.PermissionDenied. Each new Peer is assigned the next net.IP from the Account.Network and Account.Network.LastIP is updated (IPs are not reused). The peer argument is just a placeholder for the Peer properties to pass further.
func (*DefaultAccountManager) CreateNameServerGroup ¶ added in v0.9.8
func (am *DefaultAccountManager) CreateNameServerGroup(accountID string, name, description string, nameServerList []nbdns.NameServer, groups []string, primary bool, domains []string, enabled bool, userID string) (*nbdns.NameServerGroup, error)
CreateNameServerGroup creates and saves a new nameserver group
func (*DefaultAccountManager) CreatePAT ¶ added in v0.14.6
func (am *DefaultAccountManager) CreatePAT(accountID string, initiatorUserID string, targetUserID string, tokenName string, expiresIn int) (*PersonalAccessTokenGenerated, error)
CreatePAT creates a new PAT for the given user
func (*DefaultAccountManager) CreateRoute ¶ added in v0.8.9
func (am *DefaultAccountManager) CreateRoute(accountID string, network, peerID, description, netID string, masquerade bool, metric int, groups []string, enabled bool, userID string) (*route.Route, error)
CreateRoute creates and saves a new route
func (*DefaultAccountManager) CreateSetupKey ¶ added in v0.9.2
func (am *DefaultAccountManager) CreateSetupKey(accountID string, keyName string, keyType SetupKeyType, expiresIn time.Duration, autoGroups []string, usageLimit int, userID string) (*SetupKey, error)
CreateSetupKey generates a new setup key with a given name, type, list of groups IDs to auto-assign to peers registered with this key, and adds it to the specified account. A list of autoGroups IDs can be empty.
func (*DefaultAccountManager) CreateUser ¶ added in v0.9.8
func (am *DefaultAccountManager) CreateUser(accountID, userID string, user *UserInfo) (*UserInfo, error)
CreateUser creates a new user under the given account. Effectively this is a user invite.
func (*DefaultAccountManager) DeleteGroup ¶
func (am *DefaultAccountManager) DeleteGroup(accountId, userId, groupID string) error
DeleteGroup deletes a group of peers from the account.
func (*DefaultAccountManager) DeleteNameServerGroup ¶ added in v0.9.8
func (am *DefaultAccountManager) DeleteNameServerGroup(accountID, nsGroupID, userID string) error
DeleteNameServerGroup deletes nameserver group with nsGroupID
func (*DefaultAccountManager) DeletePAT ¶ added in v0.14.5
func (am *DefaultAccountManager) DeletePAT(accountID string, initiatorUserID string, targetUserID string, tokenID string) error
DeletePAT deletes a specific PAT from a user
func (*DefaultAccountManager) DeletePeer ¶
func (am *DefaultAccountManager) DeletePeer(accountID, peerID, userID string) (*Peer, error)
DeletePeer removes a peer from the account by its peer ID.
func (*DefaultAccountManager) DeletePolicy ¶ added in v0.14.5
func (am *DefaultAccountManager) DeletePolicy(accountID, policyID, userID string) error
DeletePolicy deletes a policy from the store.
func (*DefaultAccountManager) DeleteRoute ¶ added in v0.8.9
func (am *DefaultAccountManager) DeleteRoute(accountID, routeID, userID string) error
DeleteRoute deletes route with routeID
func (*DefaultAccountManager) DeleteUser ¶ added in v0.17.0
func (am *DefaultAccountManager) DeleteUser(accountID, initiatorUserID string, targetUserID string) error
DeleteUser deletes a user from the given account.
func (*DefaultAccountManager) GetAccountByUserOrAccountID ¶ added in v0.10.7
func (am *DefaultAccountManager) GetAccountByUserOrAccountID(userID, accountID, domain string) (*Account, error)
GetAccountByUserOrAccountID looks for an account by user ID or account ID; if no account ID is provided and the userID doesn't have an account associated with it, a new account is created.
func (*DefaultAccountManager) GetAccountFromPAT ¶ added in v0.14.5
func (am *DefaultAccountManager) GetAccountFromPAT(token string) (*Account, *User, *PersonalAccessToken, error)
GetAccountFromPAT returns Account and User associated with a personal access token
func (*DefaultAccountManager) GetAccountFromToken ¶ added in v0.9.8
func (am *DefaultAccountManager) GetAccountFromToken(claims jwtclaims.AuthorizationClaims) (*Account, *User, error)
GetAccountFromToken returns an account associated with this token
func (*DefaultAccountManager) GetAllPATs ¶ added in v0.14.6
func (am *DefaultAccountManager) GetAllPATs(accountID string, initiatorUserID string, targetUserID string) ([]*PersonalAccessToken, error)
GetAllPATs returns all PATs for a user
func (*DefaultAccountManager) GetDNSDomain ¶ added in v0.10.10
func (am *DefaultAccountManager) GetDNSDomain() string
GetDNSDomain returns the configured dnsDomain
func (*DefaultAccountManager) GetDNSSettings ¶ added in v0.12.0
func (am *DefaultAccountManager) GetDNSSettings(accountID string, userID string) (*DNSSettings, error)
GetDNSSettings validates a user role and returns the DNS settings for the provided account ID
func (*DefaultAccountManager) GetEvents ¶ added in v0.12.0
func (am *DefaultAccountManager) GetEvents(accountID, userID string) ([]*activity.Event, error)
GetEvents returns a list of activity events of an account
func (*DefaultAccountManager) GetGroup ¶
func (am *DefaultAccountManager) GetGroup(accountID, groupID string) (*Group, error)
GetGroup returns a group of peers from the account.
func (*DefaultAccountManager) GetNameServerGroup ¶ added in v0.9.8
func (am *DefaultAccountManager) GetNameServerGroup(accountID, nsGroupID string) (*nbdns.NameServerGroup, error)
GetNameServerGroup gets a nameserver group object from account and nameserver group IDs
func (*DefaultAccountManager) GetNetworkMap ¶
func (am *DefaultAccountManager) GetNetworkMap(peerID string) (*NetworkMap, error)
GetNetworkMap returns Network map for a given peer (omits original peer from the Peers result)
func (*DefaultAccountManager) GetOrCreateAccountByUser ¶
func (am *DefaultAccountManager) GetOrCreateAccountByUser(userID, domain string) (*Account, error)
GetOrCreateAccountByUser returns an existing account for a given user id or creates a new one if doesn't exist
func (*DefaultAccountManager) GetPAT ¶ added in v0.14.6
func (am *DefaultAccountManager) GetPAT(accountID string, initiatorUserID string, targetUserID string, tokenID string) (*PersonalAccessToken, error)
GetPAT returns a specific PAT from a user
func (*DefaultAccountManager) GetPeer ¶
func (am *DefaultAccountManager) GetPeer(accountID, peerID, userID string) (*Peer, error)
GetPeer returns the peer for the given accountID, peerID and userID; it returns an error if the peer is not found.
func (*DefaultAccountManager) GetPeerByIP ¶
func (am *DefaultAccountManager) GetPeerByIP(accountID string, peerIP string) (*Peer, error)
GetPeerByIP returns peer by its IP
func (*DefaultAccountManager) GetPeerByKey ¶ added in v0.13.0
func (am *DefaultAccountManager) GetPeerByKey(peerPubKey string) (*Peer, error)
GetPeerByKey looks up peer by its public WireGuard key
func (*DefaultAccountManager) GetPeerNetwork ¶ added in v0.8.0
func (am *DefaultAccountManager) GetPeerNetwork(peerID string) (*Network, error)
GetPeerNetwork returns the Network for a given peer
func (*DefaultAccountManager) GetPeers ¶ added in v0.10.5
func (am *DefaultAccountManager) GetPeers(accountID, userID string) ([]*Peer, error)
GetPeers returns a list of peers under the given account, filtering out peers that do not belong to the user if the current user is not an admin.
func (*DefaultAccountManager) GetPolicy ¶ added in v0.14.5
func (am *DefaultAccountManager) GetPolicy(accountID, policyID, userID string) (*Policy, error)
GetPolicy returns a policy from the store for the given account, policy and user IDs.
func (*DefaultAccountManager) GetRoute ¶ added in v0.8.9
func (am *DefaultAccountManager) GetRoute(accountID, routeID, userID string) (*route.Route, error)
GetRoute gets a route object from account and route IDs
func (*DefaultAccountManager) GetSetupKey ¶ added in v0.9.2
func (am *DefaultAccountManager) GetSetupKey(accountID, userID, keyID string) (*SetupKey, error)
GetSetupKey looks up a SetupKey by KeyID, returns NotFound error if not found.
func (*DefaultAccountManager) GetUser ¶ added in v0.20.0
func (am *DefaultAccountManager) GetUser(claims jwtclaims.AuthorizationClaims) (*User, error)
GetUser looks up a user by the provided authorization claims. It will also create an account if one didn't exist for this user before.
func (*DefaultAccountManager) GetUsersFromAccount ¶
func (am *DefaultAccountManager) GetUsersFromAccount(accountID, userID string) ([]*UserInfo, error)
GetUsersFromAccount performs a batched request for users from the IDP by account ID and applies a filter on what data to return based on the provided user's role.
func (*DefaultAccountManager) GroupAddPeer ¶
func (am *DefaultAccountManager) GroupAddPeer(accountID, groupID, peerID string) error
GroupAddPeer appends peer to the group
func (*DefaultAccountManager) GroupDeletePeer ¶
func (am *DefaultAccountManager) GroupDeletePeer(accountID, groupID, peerKey string) error
GroupDeletePeer removes a peer (identified by peerKey) from the group.
func (*DefaultAccountManager) GroupListPeers ¶
func (am *DefaultAccountManager) GroupListPeers(accountID, groupID string) ([]*Peer, error)
GroupListPeers returns list of the peers from the group
func (*DefaultAccountManager) InviteUser ¶ added in v0.21.9
func (am *DefaultAccountManager) InviteUser(accountID string, initiatorUserID string, targetUserID string) error
InviteUser resends invitations to users who haven't activated their accounts prior to the expiration period.
func (*DefaultAccountManager) ListGroups ¶
func (am *DefaultAccountManager) ListGroups(accountID string) ([]*Group, error)
ListGroups returns the group objects of the peers for the given account.
func (*DefaultAccountManager) ListNameServerGroups ¶ added in v0.9.8
func (am *DefaultAccountManager) ListNameServerGroups(accountID string) ([]*nbdns.NameServerGroup, error)
ListNameServerGroups returns a list of nameserver groups from account
func (*DefaultAccountManager) ListPolicies ¶ added in v0.14.5
func (am *DefaultAccountManager) ListPolicies(accountID, userID string) ([]*Policy, error)
ListPolicies returns the policies of the given account from the store.
func (*DefaultAccountManager) ListRoutes ¶ added in v0.8.9
func (am *DefaultAccountManager) ListRoutes(accountID, userID string) ([]*route.Route, error)
ListRoutes returns a list of routes from account
func (*DefaultAccountManager) ListSetupKeys ¶ added in v0.9.2
func (am *DefaultAccountManager) ListSetupKeys(accountID, userID string) ([]*SetupKey, error)
ListSetupKeys returns a list of all setup keys of the account
func (*DefaultAccountManager) LoginPeer ¶ added in v0.14.3
func (am *DefaultAccountManager) LoginPeer(login PeerLogin) (*Peer, *NetworkMap, error)
LoginPeer logs in or registers a peer. If peer doesn't exist the function checks whether a setup key or a user is present and registers a new peer if so.
func (*DefaultAccountManager) MarkPATUsed ¶ added in v0.15.0
func (am *DefaultAccountManager) MarkPATUsed(tokenID string) error
MarkPATUsed marks a personal access token as used
func (*DefaultAccountManager) MarkPeerConnected ¶
func (am *DefaultAccountManager) MarkPeerConnected(peerPubKey string, connected bool) error
MarkPeerConnected marks peer as connected (true) or disconnected (false)
func (*DefaultAccountManager) SaveDNSSettings ¶ added in v0.12.0
func (am *DefaultAccountManager) SaveDNSSettings(accountID string, userID string, dnsSettingsToSave *DNSSettings) error
SaveDNSSettings validates a user role and updates the account's DNS settings
func (*DefaultAccountManager) SaveGroup ¶
func (am *DefaultAccountManager) SaveGroup(accountID, userID string, newGroup *Group) error
SaveGroup saves the given group object of the peers.
func (*DefaultAccountManager) SaveNameServerGroup ¶ added in v0.9.8
func (am *DefaultAccountManager) SaveNameServerGroup(accountID, userID string, nsGroupToSave *nbdns.NameServerGroup) error
SaveNameServerGroup saves nameserver group
func (*DefaultAccountManager) SavePolicy ¶ added in v0.14.5
func (am *DefaultAccountManager) SavePolicy(accountID, userID string, policy *Policy) error
SavePolicy saves the given policy in the store.
func (*DefaultAccountManager) SaveRoute ¶ added in v0.8.9
func (am *DefaultAccountManager) SaveRoute(accountID, userID string, routeToSave *route.Route) error
SaveRoute saves route
func (*DefaultAccountManager) SaveSetupKey ¶ added in v0.9.2
func (am *DefaultAccountManager) SaveSetupKey(accountID string, keyToSave *SetupKey, userID string) (*SetupKey, error)
SaveSetupKey saves the provided SetupKey to the database, overriding the existing one. Due to the unique nature of a SetupKey, certain properties must not be overwritten (e.g. the key itself, creation date, ID, etc.). Only these properties are overwritten: Name, AutoGroups, Revoked. The rest is copied from the existing key.
func (*DefaultAccountManager) SaveUser ¶ added in v0.9.4
func (am *DefaultAccountManager) SaveUser(accountID, initiatorUserID string, update *User) (*UserInfo, error)
SaveUser saves updates to the given user. If the user doesn't exist it returns a status.NotFound error. Only the User.AutoGroups, User.Role, and User.Blocked fields are allowed to be updated for now.
func (*DefaultAccountManager) SyncPeer ¶ added in v0.14.3
func (am *DefaultAccountManager) SyncPeer(sync PeerSync) (*Peer, *NetworkMap, error)
SyncPeer checks whether peer is eligible for receiving NetworkMap (authenticated) and returns its NetworkMap if eligible
func (*DefaultAccountManager) UpdateAccountSettings ¶ added in v0.14.0
func (am *DefaultAccountManager) UpdateAccountSettings(accountID, userID string, newSettings *Settings) (*Account, error)
UpdateAccountSettings updates the Account settings. Only users with the role UserRoleAdmin can update the account, and the user performing the update has to belong to the account. Returns the updated Account.
func (*DefaultAccountManager) UpdateGroup ¶ added in v0.7.0
func (am *DefaultAccountManager) UpdateGroup(accountID string, groupID string, operations []GroupUpdateOperation, ) (*Group, error)
UpdateGroup updates a group using a list of operations
func (*DefaultAccountManager) UpdateNameServerGroup ¶ added in v0.9.8
func (am *DefaultAccountManager) UpdateNameServerGroup(accountID, nsGroupID, userID string, operations []NameServerGroupUpdateOperation) (*nbdns.NameServerGroup, error)
UpdateNameServerGroup updates existing nameserver group with set of operations
func (*DefaultAccountManager) UpdatePeer ¶ added in v0.8.0
func (am *DefaultAccountManager) UpdatePeer(accountID, userID string, update *Peer) (*Peer, error)
UpdatePeer updates peer. Only Peer.Name, Peer.SSHEnabled, and Peer.LoginExpirationEnabled can be updated.
func (*DefaultAccountManager) UpdatePeerSSHKey ¶ added in v0.8.0
func (am *DefaultAccountManager) UpdatePeerSSHKey(peerID string, sshKey string) error
UpdatePeerSSHKey updates peer's public SSH key
func (*DefaultAccountManager) UpdateRoute ¶ added in v0.8.9
func (am *DefaultAccountManager) UpdateRoute(accountID, routeID string, operations []RouteUpdateOperation) (*route.Route, error)
UpdateRoute updates existing route with set of operations
type DefaultScheduler ¶ added in v0.14.2
// DefaultScheduler schedules jobs (functions) to run in the future and lets
// callers cancel them by ID; see Schedule and Cancel.
type DefaultScheduler struct {
	// contains filtered or unexported fields
}
DefaultScheduler is a generic structure that allows scheduling jobs (functions) to run in the future and cancelling them.
func NewDefaultScheduler ¶ added in v0.14.2
func NewDefaultScheduler() *DefaultScheduler
NewDefaultScheduler creates an instance of a DefaultScheduler
func (*DefaultScheduler) Cancel ¶ added in v0.14.2
func (wm *DefaultScheduler) Cancel(IDs []string)
Cancel cancels the scheduled job for each of the given IDs, if present. Note that the signature has no return value, so a job that wasn't found is not reported back to the caller.
func (*DefaultScheduler) Schedule ¶ added in v0.14.2
func (wm *DefaultScheduler) Schedule(in time.Duration, ID string, job func() (nextRunIn time.Duration, reschedule bool))
Schedule schedules a job to run at some time in the future. If the job returns reschedule=true, it is scheduled one more time after nextRunIn. If a job with the provided ID already exists, a new one won't be scheduled.
type DeviceAuthorizationFlow ¶
// DeviceAuthorizationFlow carries the provider name and the IDP configuration a
// client uses to start an OAuth 2.0 device authorization grant flow.
type DeviceAuthorizationFlow struct {
	// Provider is the name of the identity provider.
	Provider string
	// ProviderConfig holds the IDP endpoints and client settings for the flow.
	// NOTE(review): ProviderConfig contains ClientSecret and this type is what the
	// GetDeviceAuthorizationFlow endpoint is documented to hand to clients —
	// confirm the secret is not sent where it is not required.
	ProviderConfig ProviderConfig
}
DeviceAuthorizationFlow represents Device Authorization Flow information that can be used by the client to log in, initiating an OAuth 2.0 device authorization grant flow; see https://datatracker.ietf.org/doc/html/rfc8628
type FileStore ¶
// FileStore is an account store backed by a single file persisted to disk.
// The index maps tagged `json:"-"` are in-memory lookup tables and are not
// serialized with the accounts.
type FileStore struct {
	// Accounts holds all stored accounts keyed by account ID.
	Accounts map[string]*Account
	// SetupKeyID2AccountID maps a setup key ID to the owning account ID.
	SetupKeyID2AccountID map[string]string `json:"-"`
	// PeerKeyID2AccountID maps a peer WireGuard public key to the owning account ID.
	PeerKeyID2AccountID map[string]string `json:"-"`
	// PeerID2AccountID maps a peer ID to the owning account ID.
	PeerID2AccountID map[string]string `json:"-"`
	// UserID2AccountID maps a user ID to the owning account ID.
	UserID2AccountID map[string]string `json:"-"`
	// PrivateDomain2AccountID maps a private domain to the owning account ID.
	PrivateDomain2AccountID map[string]string `json:"-"`
	// HashedPAT2TokenID maps the hashed secret of a personal access token to its
	// token ID; only the hash is indexed, never the plain token.
	HashedPAT2TokenID map[string]string `json:"-"`
	// TokenID2UserID maps a personal access token ID to the user it belongs to.
	TokenID2UserID map[string]string `json:"-"`
	// InstallationID identifies this management server installation.
	InstallationID string
	// contains filtered or unexported fields
}
FileStore represents an account storage backed by a file persisted to disk
func NewFileStore ¶ added in v0.10.7
func NewFileStore(dataDir string, metrics telemetry.AppMetrics) (*FileStore, error)
NewFileStore restores a store from the file located in the datadir
func (*FileStore) AcquireAccountLock ¶ added in v0.10.7
AcquireAccountLock acquires account lock and returns a function that releases the lock
func (*FileStore) AcquireGlobalLock ¶ added in v0.10.7
func (s *FileStore) AcquireGlobalLock() (unlock func())
AcquireGlobalLock acquires global lock across all the accounts and returns a function that releases the lock
func (*FileStore) DeleteHashedPAT2TokenIDIndex ¶ added in v0.14.5
DeleteHashedPAT2TokenIDIndex removes an entry from the indexing map HashedPAT2TokenID
func (*FileStore) DeleteTokenID2UserIDIndex ¶ added in v0.14.5
DeleteTokenID2UserIDIndex removes an entry from the indexing map TokenID2UserID
func (*FileStore) GetAccount ¶
GetAccount returns an account for ID
func (*FileStore) GetAccountByPeerID ¶ added in v0.13.0
GetAccountByPeerID returns an account for a given peer ID
func (*FileStore) GetAccountByPeerPubKey ¶ added in v0.10.6
GetAccountByPeerPubKey returns an account for a given peer WireGuard public key
func (*FileStore) GetAccountByPrivateDomain ¶
GetAccountByPrivateDomain returns account by private domain
func (*FileStore) GetAccountBySetupKey ¶
GetAccountBySetupKey returns account by setup key id
func (*FileStore) GetAccountByUser ¶ added in v0.10.6
GetAccountByUser returns a user account
func (*FileStore) GetAllAccounts ¶
GetAllAccounts returns all accounts
func (*FileStore) GetInstallationID ¶ added in v0.10.0
GetInstallationID returns the installation ID from the store
func (*FileStore) GetTokenIDByHashedToken ¶ added in v0.14.5
GetTokenIDByHashedToken returns the id of a personal access token by its hashed secret
func (*FileStore) GetUserByTokenID ¶ added in v0.14.5
GetUserByTokenID returns the User object that the given tokenID belongs to
func (*FileStore) SaveAccount ¶
func (*FileStore) SaveInstallationID ¶ added in v0.10.0
SaveInstallationID saves the installation ID
func (*FileStore) SavePeerStatus ¶ added in v0.10.7
func (s *FileStore) SavePeerStatus(accountID, peerID string, peerStatus PeerStatus) error
SavePeerStatus stores the PeerStatus in memory. To speed things up it doesn't attempt to persist the data; the PeerStatus will be saved eventually when some other change triggers a save.
type FirewallRule ¶ added in v0.14.5
// FirewallRule is a single rule of the peer firewall.
type FirewallRule struct {
	// PeerIP is the IP of the peer the rule applies to.
	PeerIP string
	// Direction of the traffic (values are not documented here — see the firewall package).
	Direction int
	// Action to take on matching traffic.
	Action string
	// Protocol of the traffic.
	Protocol string
	// Port of the traffic.
	Port string
}
FirewallRule is a rule of the firewall.
type GRPCServer ¶ added in v0.8.5
// GRPCServer is an instance of the Management gRPC API server. It embeds the
// generated UnimplementedManagementServiceServer so unimplemented RPCs fail safely.
type GRPCServer struct {
	proto.UnimplementedManagementServiceServer
	// contains filtered or unexported fields
}
GRPCServer an instance of a Management gRPC API server
func NewServer ¶
func NewServer(config *Config, accountManager AccountManager, peersUpdateManager *PeersUpdateManager, turnCredentialsManager TURNCredentialsManager, appMetrics telemetry.AppMetrics, ) (*GRPCServer, error)
NewServer creates a new Management server
func (*GRPCServer) GetDeviceAuthorizationFlow ¶ added in v0.8.5
func (s *GRPCServer) GetDeviceAuthorizationFlow(ctx context.Context, req *proto.EncryptedMessage) (*proto.EncryptedMessage, error)
GetDeviceAuthorizationFlow returns device authorization flow information. This is used for initiating an OAuth 2 device authorization grant flow, which our clients use to log in.
func (*GRPCServer) GetPKCEAuthorizationFlow ¶ added in v0.22.0
func (s *GRPCServer) GetPKCEAuthorizationFlow(_ context.Context, req *proto.EncryptedMessage) (*proto.EncryptedMessage, error)
GetPKCEAuthorizationFlow returns PKCE authorization flow information. This is used for initiating an OAuth 2 PKCE authorization grant flow, which our clients use to log in.
func (*GRPCServer) GetServerKey ¶ added in v0.8.5
func (s *GRPCServer) GetServerKey(ctx context.Context, req *proto.Empty) (*proto.ServerKeyResponse, error)
func (*GRPCServer) Login ¶ added in v0.8.5
func (s *GRPCServer) Login(ctx context.Context, req *proto.EncryptedMessage) (*proto.EncryptedMessage, error)
Login endpoint first checks whether the peer is registered under any account. If it is, the login is successful. If it isn't, the endpoint checks whether a setup key is provided within the request and tries to register the peer. In case of a successful registration the login is also successful.
func (*GRPCServer) Sync ¶ added in v0.8.5
func (s *GRPCServer) Sync(req *proto.EncryptedMessage, srv proto.ManagementService_SyncServer) error
Sync validates the existence of a connecting peer, sends an initial state (everything available to the connecting peer) and notifies the connected peer of any updates (e.g. new peers under the same account).
type Group ¶
// Group is a named set of peers referenced by ACL rules and policies.
type Group struct {
	// ID of the group
	ID string
	// Name visible in the UI
	Name string
	// Issued records the origin of the group — TODO confirm the allowed values
	Issued string
	// Peers is the list of peer IDs that belong to the group
	Peers []string
}
Group of the peers for ACL
type GroupLinkError ¶ added in v0.21.9
func (*GroupLinkError) Error ¶ added in v0.21.9
func (e *GroupLinkError) Error() string
type GroupUpdateOperation ¶ added in v0.7.0
// GroupUpdateOperation is one operation applied by UpdateGroup: a Type and the
// values it operates on.
type GroupUpdateOperation struct {
	// Type selects the operation (see the GroupUpdateOperationType constants).
	Type GroupUpdateOperationType
	// Values carries the operation's arguments (e.g. a name or peer IDs).
	Values []string
}
GroupUpdateOperation operation object with type and values to be applied
type GroupUpdateOperationType ¶ added in v0.7.0
// GroupUpdateOperationType enumerates the operations UpdateGroup understands.
type GroupUpdateOperationType int
GroupUpdateOperationType operation type
// Operation types accepted by UpdateGroup.
const (
	// UpdateGroupName indicates a name update operation
	UpdateGroupName GroupUpdateOperationType = iota
	// InsertPeersToGroup indicates an insert-peers-to-group operation
	InsertPeersToGroup
	// RemovePeersFromGroup indicates a remove-peers-from-group operation
	RemovePeersFromGroup
	// UpdateGroupPeers indicates a replacement of the group's peers list
	UpdateGroupPeers
)
type Host ¶
// Host describes an infrastructure host (e.g. STUN, TURN, Signal) a peer connects to.
type Host struct {
	// Proto is the transport protocol used to reach the host.
	Proto Protocol
	// URI e.g. turns://stun.wiretrustee.com:4430 or signal.wiretrustee.com:10000
	URI string
	// Username and Password are the credentials presented to the host; treat
	// them as secrets and keep them out of logs.
	Username string
	Password string
}
Host represents a Wiretrustee host (e.g. STUN, TURN, Signal)
type HttpServerConfig ¶
// HttpServerConfig is the configuration of the HTTP Management service server,
// including the TLS material and the JWT validation parameters.
type HttpServerConfig struct {
	// LetsEncryptDomain, when set, is the domain for which a certificate is obtained.
	LetsEncryptDomain string
	// CertFile is the location of the certificate
	CertFile string
	// CertKey is the location of the certificate private key
	CertKey string
	// AuthAudience identifies the recipients that the JWT is intended for (aud in JWT)
	AuthAudience string
	// AuthIssuer identifies the principal that issued the JWT
	AuthIssuer string
	// AuthUserIDClaim is the name of the claim used as the user ID
	AuthUserIDClaim string
	// AuthKeysLocation is the location of the JWT key set containing the public keys used to verify JWTs
	AuthKeysLocation string
	// OIDCConfigEndpoint is the endpoint of an IDP manager to get the OIDC configuration
	OIDCConfigEndpoint string
	// IdpSignKeyRefreshEnabled indicates whether the IDP signing key is being rotated
	// and therefore should be refreshed
	IdpSignKeyRefreshEnabled bool
}
HttpServerConfig is a config of the HTTP Management service server
type MockScheduler ¶ added in v0.14.2
// MockScheduler is a test double for Scheduler whose behaviour is supplied
// through the CancelFunc and ScheduleFunc fields.
type MockScheduler struct {
	// CancelFunc is invoked by Cancel.
	CancelFunc func(IDs []string)
	// ScheduleFunc is invoked by Schedule.
	ScheduleFunc func(in time.Duration, ID string, job func() (nextRunIn time.Duration, reschedule bool))
}
MockScheduler is a mock implementation of Scheduler
func (*MockScheduler) Cancel ¶ added in v0.14.2
func (mock *MockScheduler) Cancel(IDs []string)
Cancel mocks the Cancel function of the Scheduler interface
type NameServerGroupUpdateOperation ¶ added in v0.9.8
// NameServerGroupUpdateOperation is one operation applied by UpdateNameServerGroup:
// a Type and the values it operates on.
type NameServerGroupUpdateOperation struct {
	// Type selects the operation (see the NameServerGroupUpdateOperationType constants).
	Type NameServerGroupUpdateOperationType
	// Values carries the operation's arguments.
	Values []string
}
NameServerGroupUpdateOperation operation object with type and values to be applied
type NameServerGroupUpdateOperationType ¶ added in v0.9.8
// NameServerGroupUpdateOperationType enumerates the operations UpdateNameServerGroup understands.
type NameServerGroupUpdateOperationType int
NameServerGroupUpdateOperationType operation type
// Operation types accepted by UpdateNameServerGroup.
const (
	// UpdateNameServerGroupName indicates a nameserver group name update operation
	UpdateNameServerGroupName NameServerGroupUpdateOperationType = iota
	// UpdateNameServerGroupDescription indicates a nameserver group description update operation
	UpdateNameServerGroupDescription
	// UpdateNameServerGroupNameServers indicates a nameserver group nameservers list update operation
	UpdateNameServerGroupNameServers
	// UpdateNameServerGroupGroups indicates a nameserver group's groups update operation
	UpdateNameServerGroupGroups
	// UpdateNameServerGroupEnabled indicates a nameserver group status update operation
	UpdateNameServerGroupEnabled
	// UpdateNameServerGroupPrimary indicates a nameserver group primary status update operation
	UpdateNameServerGroupPrimary
	// UpdateNameServerGroupDomains indicates a nameserver group's domains update operation
	UpdateNameServerGroupDomains
)
func (NameServerGroupUpdateOperationType) String ¶ added in v0.9.8
func (t NameServerGroupUpdateOperationType) String() string
type Network ¶
// Network describes the overlay network of an account: its address range, DNS
// name and a serial used to synchronize state with clients.
type Network struct {
	// Id of the network.
	Id string
	// Net is the IP range peers are allocated addresses from.
	Net net.IPNet
	// Dns name of the network — TODO confirm how it relates to the account's DNS domain.
	Dns string
	// Serial is an ID that increments by 1 when any change to the network happened (e.g. new peer has been added).
	// Used to synchronize state to the client apps.
	Serial uint64
	// contains filtered or unexported fields
}
func NewNetwork ¶
func NewNetwork() *Network
NewNetwork creates a new Network, initializing it with Serial=0. It takes a random /16 subnet from 100.64.0.0/10 (64 different subnets).
func (*Network) CurrentSerial ¶
CurrentSerial returns the Network.Serial of the network (latest state id)
type NetworkMap ¶
type PKCEAuthorizationFlow ¶ added in v0.22.0
// PKCEAuthorizationFlow carries the IDP configuration a client uses to start an
// OAuth 2.0 authorization code grant flow with PKCE.
type PKCEAuthorizationFlow struct {
	// ProviderConfig holds the IDP endpoints and client settings for the flow.
	// NOTE(review): ProviderConfig contains ClientSecret; confirm it is not sent
	// to clients where PKCE does not require it.
	ProviderConfig ProviderConfig
}
PKCEAuthorizationFlow represents Authorization Code Flow information that can be used by the client to log in, initiating an OAuth 2.0 authorization code grant flow with Proof Key for Code Exchange (PKCE). See https://datatracker.ietf.org/doc/html/rfc7636
type Peer ¶
// Peer represents a machine connected to the network. A Peer is a WireGuard peer
// identified by its public key.
type Peer struct {
	// ID is an internal ID of the peer
	ID string
	// Key is the WireGuard public key of the peer
	Key string
	// SetupKey is the setup key this peer was registered with (empty when registered via user login — TODO confirm)
	SetupKey string
	// IP address of the Peer
	IP net.IP
	// Meta is the Peer's system metadata
	Meta PeerSystemMeta
	// Name is the peer's name (machine name)
	Name string
	// DNSLabel is the parsed peer name for domain resolution. It is used to form an FQDN by appending the account's
	// domain to the peer label. e.g. peer-dns-label.netbird.cloud
	DNSLabel string
	// Status is the peer's management connection status
	Status *PeerStatus
	// UserID is the ID of the user that registered the peer
	UserID string
	// SSHKey is the public SSH key of the peer
	SSHKey string
	// SSHEnabled indicates whether the SSH server is enabled on the peer
	SSHEnabled bool
	// LoginExpirationEnabled indicates whether the peer's login expiration is enabled; once expired the peer has to re-login.
	// Works together with LastLogin.
	LoginExpirationEnabled bool
	// LastLogin is the time when the peer performed its last login operation
	LastLogin time.Time
}
Peer represents a machine connected to the network. The Peer is a WireGuard peer identified by a public key
func (*Peer) AddedWithSSOLogin ¶ added in v0.14.0
AddedWithSSOLogin indicates whether this peer has been added with an SSO login by a user.
func (*Peer) FQDN ¶ added in v0.12.0
FQDN returns peers FQDN combined of the peer's DNS label and the system's DNS domain
func (*Peer) LoginExpired ¶ added in v0.14.0
LoginExpired indicates whether the peer's login has expired or not. If Peer.LastLogin plus the expiresIn duration is already in the past, the login has expired. Returns true if the login has expired, false otherwise, together with the time left until expiration (negative when expired). Login expiration can be disabled/enabled on a Peer level via the Peer.LoginExpirationEnabled property, and globally on the Account level via Settings.PeerLoginExpirationEnabled. Only peers added by an interactive SSO login can expire.
func (*Peer) MarkLoginExpired ¶ added in v0.14.2
MarkLoginExpired marks the peer's status as expired or not expired
func (*Peer) UpdateLastLogin ¶ added in v0.14.4
UpdateLastLogin updates the peer's last login time and sets the login-expired flag to false
func (*Peer) UpdateMetaIfNew ¶ added in v0.20.2
func (p *Peer) UpdateMetaIfNew(meta PeerSystemMeta) bool
UpdateMetaIfNew updates the peer's system metadata if new information is provided. It returns true if the meta was updated, false otherwise.
type PeerLogin ¶ added in v0.14.3
// PeerLogin is the data object passed from the gRPC API to the AccountManager on
// a Login request. Exactly one of UserID or SetupKey is expected to carry the
// credential; both may be empty when auth is not required.
type PeerLogin struct {
	// WireGuardPubKey is the peer's WireGuard public key
	WireGuardPubKey string
	// SSHKey is the peer's SSH public key. Can be empty (e.g., old versions do not provide it, or the feature is disabled)
	SSHKey string
	// Meta is the system information passed by the peer; must always be present.
	Meta PeerSystemMeta
	// UserID indicates that a JWT was used to log in and that it was valid. Can be empty when SetupKey is used or auth is not required.
	UserID string
	// SetupKey references a server.SetupKey to log in with. Can be empty when UserID is used or auth is not required.
	SetupKey string
}
PeerLogin is used as a data object between the gRPC API and the AccountManager on a Login request.
type PeerStatus ¶
type PeerSync ¶ added in v0.14.3
// PeerSync is the data object passed from the gRPC API to the AccountManager on a Sync request.
type PeerSync struct {
	// WireGuardPubKey is the peer's WireGuard public key
	WireGuardPubKey string
}
PeerSync is used as a data object between the gRPC API and the AccountManager on a Sync request.
type PeerSystemMeta ¶
// PeerSystemMeta is the metadata of a Peer's machine, as reported by the peer itself.
type PeerSystemMeta struct {
	// Hostname of the machine.
	Hostname string
	// GoOS is the Go runtime OS identifier.
	GoOS string
	// Kernel name/version string.
	Kernel string
	// Core version string — TODO confirm what this captures.
	Core string
	// Platform (architecture) string.
	Platform string
	// OS name string.
	OS string
	// WtVersion is the client version.
	WtVersion string
	// UIVersion is the UI client version.
	UIVersion string
}
PeerSystemMeta is a metadata of a Peer machine system
type PeersUpdateManager ¶
// PeersUpdateManager owns one update channel per connected peer and delivers
// UpdateMessages to them; see CreateChannel, SendUpdate and CloseChannel.
type PeersUpdateManager struct {
	// contains filtered or unexported fields
}
func NewPeersUpdateManager ¶
func NewPeersUpdateManager() *PeersUpdateManager
NewPeersUpdateManager returns a new instance of PeersUpdateManager
func (*PeersUpdateManager) CloseChannel ¶
func (p *PeersUpdateManager) CloseChannel(peerID string)
CloseChannel closes updates channel of a given peer
func (*PeersUpdateManager) CloseChannels ¶ added in v0.14.2
func (p *PeersUpdateManager) CloseChannels(peerIDs []string)
CloseChannels closes updates channel for each given peer
func (*PeersUpdateManager) CreateChannel ¶
func (p *PeersUpdateManager) CreateChannel(peerID string) chan *UpdateMessage
CreateChannel creates a go channel for a given peer used to deliver updates relevant to the peer.
func (*PeersUpdateManager) GetAllConnectedPeers ¶ added in v0.10.0
func (p *PeersUpdateManager) GetAllConnectedPeers() map[string]struct{}
GetAllConnectedPeers returns a copy of the connected peers map
func (*PeersUpdateManager) SendUpdate ¶
func (p *PeersUpdateManager) SendUpdate(peerID string, update *UpdateMessage) error
SendUpdate sends update message to the peer's channel
type PersonalAccessToken ¶ added in v0.14.5
// PersonalAccessToken holds all information about a PAT. Only the hashed form
// of the secret is stored; the plain token is handed out once at creation
// (see CreateNewPAT).
type PersonalAccessToken struct {
	// ID of the token.
	ID string
	// Name is the user-visible label of the token.
	Name string
	// HashedToken is the hash of the secret used to verify presented tokens.
	HashedToken string
	// ExpirationDate after which the token is no longer valid.
	ExpirationDate time.Time
	// scope could be added in future
	// CreatedBy is the ID of the user that created the token.
	CreatedBy string
	// CreatedAt is the creation time.
	CreatedAt time.Time
	// LastUsed is the last time the token was used (see MarkPATUsed).
	LastUsed time.Time
}
PersonalAccessToken holds all information about a PAT including a hashed version of it for verification
type PersonalAccessTokenGenerated ¶ added in v0.14.6
// PersonalAccessTokenGenerated pairs a newly created PersonalAccessToken with
// its plain-text secret, which is returned to the caller exactly once.
type PersonalAccessTokenGenerated struct {
	// PlainToken is the plain-text secret; it is not persisted.
	PlainToken string
	PersonalAccessToken
}
PersonalAccessTokenGenerated holds the new PersonalAccessToken and the plain text version of it
func CreateNewPAT ¶ added in v0.14.5
func CreateNewPAT(name string, expirationInDays int, createdBy string) (*PersonalAccessTokenGenerated, error)
CreateNewPAT will generate a new PersonalAccessToken that can be assigned to a User. Additionally, it will return the token in plain text once, to give to the user and only save a hashed version
type Policy ¶ added in v0.14.5
// Policy is a named, toggleable set of PolicyRules evaluated for an account.
type Policy struct {
	// ID of the policy
	ID string
	// Name of the Policy
	Name string
	// Description of the policy visible in the UI
	Description string
	// Enabled status of the policy
	Enabled bool
	// Rules of the policy
	Rules []*PolicyRule
}
Policy of the Rego query
func RuleToPolicy ¶ added in v0.14.5
RuleToPolicy converts a Rule to a Policy query object
func (*Policy) EventMeta ¶ added in v0.14.5
EventMeta returns activity event meta related to this policy
func (*Policy) UpgradeAndFix ¶ added in v0.21.0
func (p *Policy) UpgradeAndFix()
UpgradeAndFix upgrades different versions of policies to the latest version
type PolicyRule ¶ added in v0.14.5
// PolicyRule describes which traffic between source and destination groups a
// Policy accepts or drops.
type PolicyRule struct {
	// ID of the policy rule
	ID string
	// Name of the rule visible in the UI
	Name string
	// Description of the rule visible in the UI
	Description string
	// Enabled status of the rule in the system
	Enabled bool
	// Action is the policy action: accept or drop packets
	Action PolicyTrafficActionType
	// Destinations is the list of policy destination groups
	Destinations []string
	// Sources is the list of policy source groups
	Sources []string
	// Bidirectional defines whether the rule applies in both directions, sources and destinations
	Bidirectional bool
	// Protocol type of the traffic
	Protocol PolicyRuleProtocolType
	// Ports or port ranges list
	Ports []string
}
PolicyRule is the metadata of the policy
func (*PolicyRule) Copy ¶ added in v0.14.5
func (pm *PolicyRule) Copy() *PolicyRule
Copy returns a copy of a policy rule
func (*PolicyRule) ToRule ¶ added in v0.14.5
func (pm *PolicyRule) ToRule() *Rule
ToRule converts the PolicyRule to a legacy representation of the Rule (for backwards compatibility)
type PolicyRuleDirection ¶ added in v0.21.0
// PolicyRuleDirection is the direction of traffic a policy rule refers to.
type PolicyRuleDirection string
PolicyRuleDirection direction of traffic
type PolicyRuleProtocolType ¶ added in v0.21.0
// PolicyRuleProtocolType is the traffic protocol a policy rule matches.
type PolicyRuleProtocolType string
PolicyRuleProtocolType type of traffic
type PolicyTrafficActionType ¶ added in v0.14.5
// PolicyTrafficActionType is the firewall action (accept/drop) of a policy rule.
type PolicyTrafficActionType string
PolicyTrafficActionType action type for the firewall
type PolicyUpdateOperation ¶ added in v0.14.5
// PolicyUpdateOperation is one update operation on a policy: a Type and the
// values it operates on.
type PolicyUpdateOperation struct {
	// Type selects the operation.
	Type PolicyUpdateOperationType
	// Values carries the operation's arguments.
	Values []string
}
PolicyUpdateOperation operation object with type and values to be applied
type PolicyUpdateOperationType ¶ added in v0.14.5
// PolicyUpdateOperationType enumerates the policy update operations.
type PolicyUpdateOperationType int
PolicyUpdateOperationType operation type
type ProviderConfig ¶
// ProviderConfig has all attributes needed to initiate a device/PKCE
// authorization flow against an IDP.
type ProviderConfig struct {
	// ClientID is the IDP application client ID
	ClientID string
	// ClientSecret is the IDP application client secret.
	// NOTE(review): this struct is embedded in the flow types the management API
	// returns to clients — confirm whether the secret is meant to leave the server.
	ClientSecret string
	// Domain is the IDP API domain
	// Deprecated. Use TokenEndpoint and DeviceAuthEndpoint
	Domain string
	// Audience is the audience used for authorization validation
	Audience string
	// TokenEndpoint is the endpoint of an IDP manager where clients can obtain an access token
	TokenEndpoint string
	// DeviceAuthEndpoint is the endpoint of an IDP manager where clients can obtain a device authorization code
	DeviceAuthEndpoint string
	// AuthorizationEndpoint is the endpoint of an IDP manager where clients can obtain an authorization code
	AuthorizationEndpoint string
	// Scope provides the scopes to be included in the token request
	Scope string
	// UseIDToken indicates whether the ID token should be used for authentication
	UseIDToken bool
	// RedirectURLs are the redirect URLs that receive the authorization code from the IDP manager
	RedirectURLs []string
}
ProviderConfig has all attributes needed to initiate a device/pkce authorization flow
type RouteUpdateOperation ¶ added in v0.8.9
// RouteUpdateOperation is one operation applied by UpdateRoute: a Type and the
// values it operates on.
type RouteUpdateOperation struct {
	// Type selects the operation (see the RouteUpdateOperationType constants).
	Type RouteUpdateOperationType
	// Values carries the operation's arguments.
	Values []string
}
RouteUpdateOperation operation object with type and values to be applied
type RouteUpdateOperationType ¶ added in v0.8.9
// RouteUpdateOperationType enumerates the operations UpdateRoute understands.
type RouteUpdateOperationType int
RouteUpdateOperationType operation type
// Operation types accepted by UpdateRoute.
const (
	// UpdateRouteDescription indicates a route description update operation
	UpdateRouteDescription RouteUpdateOperationType = iota
	// UpdateRouteNetwork indicates a route IP update operation
	UpdateRouteNetwork
	// UpdateRoutePeer indicates a route peer update operation
	UpdateRoutePeer
	// UpdateRouteMetric indicates a route metric update operation
	UpdateRouteMetric
	// UpdateRouteMasquerade indicates a route masquerade update operation
	UpdateRouteMasquerade
	// UpdateRouteEnabled indicates a route enabled update operation
	UpdateRouteEnabled
	// UpdateRouteNetworkIdentifier indicates a route net ID update operation
	UpdateRouteNetworkIdentifier
	// UpdateRouteGroups indicates a group list update operation
	UpdateRouteGroups
)
func (RouteUpdateOperationType) String ¶ added in v0.8.9
func (t RouteUpdateOperationType) String() string
type Rule ¶
// Rule is the legacy ACL rule between groups of peers; see ToPolicyRule for the
// PolicyRule representation that replaces it.
type Rule struct {
	// ID of the rule
	ID string
	// Name of the rule visible in the UI
	Name string
	// Description of the rule visible in the UI
	Description string
	// Disabled status of the rule in the system
	Disabled bool
	// Source is the list of group IDs of source peers
	Source []string
	// Destination is the list of group IDs of destination peers
	Destination []string
	// Flow of the traffic allowed by the rule
	Flow TrafficFlowType
}
Rule of ACL for groups
func (*Rule) EventMeta ¶ added in v0.12.0
EventMeta returns activity event meta related to this rule
func (*Rule) ToPolicyRule ¶ added in v0.14.5
func (r *Rule) ToPolicyRule() *PolicyRule
ToPolicyRule converts a Rule to a PolicyRule object
type Scheduler ¶ added in v0.14.2
// Scheduler is implemented by types that can schedule and cancel jobs;
// DefaultScheduler is the production implementation and MockScheduler the test double.
type Scheduler interface {
	// Cancel cancels the scheduled jobs with the given IDs, if present.
	Cancel(IDs []string)
	// Schedule runs job after in; if job returns reschedule=true it runs again after nextRunIn.
	Schedule(in time.Duration, ID string, job func() (nextRunIn time.Duration, reschedule bool))
}
Scheduler is an interface which implementations can schedule and cancel jobs
type Settings ¶ added in v0.14.0
// Settings represents the Account settings structure that can be modified via API and Dashboard.
type Settings struct {
	// PeerLoginExpirationEnabled globally enables or disables peer login expiration
	PeerLoginExpirationEnabled bool
	// PeerLoginExpiration is a setting that indicates when peer login expires.
	// Applies to all peers that have Peer.LoginExpirationEnabled set to true.
	PeerLoginExpiration time.Duration
	// GroupsPropagationEnabled propagates the user's auto groups to the user's peers
	GroupsPropagationEnabled bool
	// JWTGroupsEnabled enables extracting group names from the JWT claim named by
	// JWTGroupsClaimName and adding them to the account groups. When enabled, group
	// membership is driven by the contents of the identity provider's token.
	JWTGroupsEnabled bool
	// JWTGroupsClaimName is the JWT claim from which group names are extracted
	// and added to the account groups
	JWTGroupsClaimName string
}
Settings represents the Account settings structure that can be modified via the API and the Dashboard
type SetupKey ¶
// SetupKey represents a pre-authorized key used to register machines (peers).
type SetupKey struct {
	Id string
	// Key is the key value itself, presented by a peer when it registers.
	// HiddenCopy returns a copy with this value masked for display.
	Key  string
	Name string
	Type SetupKeyType
	CreatedAt time.Time
	// ExpiresAt is the expiration time of the key
	ExpiresAt time.Time
	UpdatedAt time.Time
	// Revoked indicates whether the key was revoked or not (we don't remove them for tracking purposes)
	Revoked bool
	// UsedTimes indicates how many times the key was used
	UsedTimes int
	// LastUsed last time the key was used for peer registration
	LastUsed time.Time
	// AutoGroups is a list of Group IDs that are auto assigned to a Peer when it uses this key to register
	AutoGroups []string
	// UsageLimit indicates the number of times this key can be used to enroll a machine.
	// The value of 0 indicates the unlimited usage (see IsOverUsed).
	UsageLimit int
}
SetupKey represents a pre-authorized key used to register machines (peers)
func GenerateDefaultSetupKey ¶
func GenerateDefaultSetupKey() *SetupKey
GenerateDefaultSetupKey generates a default reusable setup key with unlimited usage and a 30-day expiration
func GenerateSetupKey ¶
func GenerateSetupKey(name string, t SetupKeyType, validFor time.Duration, autoGroups []string, usageLimit int) *SetupKey
GenerateSetupKey generates a new setup key
func (*SetupKey) EventMeta ¶ added in v0.12.0
EventMeta returns activity event meta related to the setup key
func (*SetupKey) HiddenCopy ¶ added in v0.10.5
HiddenCopy returns a copy of the key with a Key value hidden with "*" and a 5 character prefix. E.g., "831F6*******************************"
func (*SetupKey) IncrementUsage ¶
IncrementUsage makes a copy of the key, increments its UsedTimes by 1 and sets LastUsed to now
func (*SetupKey) IsOverUsed ¶
IsOverUsed reports whether the key was used too many times. SetupKey.UsageLimit == 0 indicates unlimited usage.
type SetupKeyUpdateOperation ¶ added in v0.9.2
// SetupKeyUpdateOperation is an operation object with a type and the values to be applied.
type SetupKeyUpdateOperation struct {
	// Type selects which setup key attribute the operation updates (see the UpdateSetupKey* constants).
	Type SetupKeyUpdateOperationType
	// Values holds the new value(s) for the attribute selected by Type.
	Values []string
}
SetupKeyUpdateOperation is an operation object with a type and the values to be applied
type SetupKeyUpdateOperationType ¶ added in v0.9.2
// SetupKeyUpdateOperationType identifies the kind of update a SetupKeyUpdateOperation applies.
type SetupKeyUpdateOperationType int
SetupKeyUpdateOperationType is the setup key update operation type
// Setup key update operation types. Declared with iota, so inserting or
// reordering entries changes the numeric value of every entry after it.
const (
	// UpdateSetupKeyName indicates a setup key name update operation
	UpdateSetupKeyName SetupKeyUpdateOperationType = iota
	// UpdateSetupKeyRevoked indicates a setup key revoked field update operation
	UpdateSetupKeyRevoked
	// UpdateSetupKeyAutoGroups indicates a setup key auto-assign groups update operation
	UpdateSetupKeyAutoGroups
	// UpdateSetupKeyExpiresAt indicates a setup key expiration time update operation
	UpdateSetupKeyExpiresAt
)
func (SetupKeyUpdateOperationType) String ¶ added in v0.9.2
func (t SetupKeyUpdateOperationType) String() string
type Store ¶
// Store is the persistence interface for accounts, users, peers, installation
// ID and the personal access token (PAT) lookup indexes.
type Store interface {
	GetAllAccounts() []*Account
	GetAccount(accountID string) (*Account, error)
	GetAccountByUser(userID string) (*Account, error)
	GetAccountByPeerPubKey(peerKey string) (*Account, error)
	GetAccountByPeerID(peerID string) (*Account, error)
	// GetAccountBySetupKey looks the account up by the setup key value itself;
	// a hashed lookup is still a TODO.
	GetAccountBySetupKey(setupKey string) (*Account, error) // todo use key hash later
	GetAccountByPrivateDomain(domain string) (*Account, error)
	// GetTokenIDByHashedToken resolves a PAT's token ID from the token's hashed form.
	// NOTE(review): the parameter is named secret while the method name says hashed
	// token — confirm whether callers pass the raw or the hashed value.
	GetTokenIDByHashedToken(secret string) (string, error)
	GetUserByTokenID(tokenID string) (*User, error)
	SaveAccount(account *Account) error
	// DeleteHashedPAT2TokenIDIndex removes the hashed PAT -> token ID index entry.
	DeleteHashedPAT2TokenIDIndex(hashedToken string) error
	// DeleteTokenID2UserIDIndex removes the token ID -> user ID index entry.
	DeleteTokenID2UserIDIndex(tokenID string) error
	GetInstallationID() string
	SaveInstallationID(ID string) error
	// AcquireAccountLock should attempt to acquire account lock and return a function that releases the lock
	AcquireAccountLock(accountID string) func()
	// AcquireGlobalLock should attempt to acquire a global lock and return a function that releases the lock
	AcquireGlobalLock() func()
	// SavePeerStatus persists the status of a single peer of an account.
	SavePeerStatus(accountID, peerID string, status PeerStatus) error
	// Close should close the store persisting all unsaved data.
	Close() error
}
type StoredAccount ¶
// StoredAccount is an empty struct type; it declares no fields.
type StoredAccount struct{}
type TURNConfig ¶
// TURNConfig is the config of the TURNCredentialsManager.
type TURNConfig struct {
	// TimeBasedCredentials enables credentials generated with a TTL
	// (see TimeBasedAuthSecretsManager).
	TimeBasedCredentials bool
	// CredentialsTTL is the lifetime of generated time-based credentials.
	CredentialsTTL util.Duration
	// Secret is the pre-shared secret known to the TURN server; it is the HMAC key
	// used to derive time-based credential passwords. Sensitive: keep it out of logs.
	Secret string
	// Turns lists the TURN hosts.
	Turns []*Host
}
TURNConfig is a config of the TURNCredentialsManager
type TURNCredentials ¶
type TURNCredentialsManager ¶
// TURNCredentialsManager is used to manage TURN credentials.
// NOTE(review): the interface names its argument peerKey while the
// TimeBasedAuthSecretsManager methods name it peerID — confirm which
// identifier callers are expected to pass.
type TURNCredentialsManager interface {
	// GenerateCredentials generates a fresh set of TURN credentials.
	GenerateCredentials() TURNCredentials
	// SetupRefresh starts the periodic credential refresh for a peer.
	SetupRefresh(peerKey string)
	// CancelRefresh cancels the scheduled credential refresh for a peer.
	CancelRefresh(peerKey string)
}
TURNCredentialsManager is used to manage TURN credentials
type TimeBasedAuthSecretsManager ¶
// TimeBasedAuthSecretsManager generates credentials with a TTL, using a
// pre-shared secret known to the TURN server. SetupRefresh records a per-peer
// refresh goroutine in the unexported cancelMap so that CancelRefresh can stop it.
type TimeBasedAuthSecretsManager struct {
	// contains filtered or unexported fields
}
TimeBasedAuthSecretsManager generates credentials with a TTL, using a pre-shared secret known to the TURN server
func NewTimeBasedAuthSecretsManager ¶
func NewTimeBasedAuthSecretsManager(updateManager *PeersUpdateManager, config *TURNConfig) *TimeBasedAuthSecretsManager
func (*TimeBasedAuthSecretsManager) CancelRefresh ¶
func (m *TimeBasedAuthSecretsManager) CancelRefresh(peerID string)
CancelRefresh cancels scheduled peer credentials refresh
func (*TimeBasedAuthSecretsManager) GenerateCredentials ¶
func (m *TimeBasedAuthSecretsManager) GenerateCredentials() TURNCredentials
GenerateCredentials generates new time-based secret credentials: the username is a Unix timestamp and the password is an HMAC of that timestamp keyed with the pre-shared TURN secret
func (*TimeBasedAuthSecretsManager) SetupRefresh ¶
func (m *TimeBasedAuthSecretsManager) SetupRefresh(peerID string)
SetupRefresh starts peer credentials refresh. Since credentials expire (TTL), they must be continually regenerated and sent to the peer. A goroutine is created and recorded in TimeBasedAuthSecretsManager.cancelMap; it should be cancelled when the peer is gone.
type TrafficFlowType ¶
// TrafficFlowType defines the allowed direction of the traffic in a Rule.
type TrafficFlowType int
TrafficFlowType defines the allowed direction of the traffic in a rule
type UpdateMessage ¶
// UpdateMessage carries a proto.SyncResponse update.
type UpdateMessage struct {
	// Update is the SyncResponse payload of this message.
	Update *proto.SyncResponse
}
type User ¶
// User represents a user of the system.
type User struct {
	Id string
	// Role is the user's role (see UserRole)
	Role UserRole
	// IsServiceUser marks a service (non-human) user
	IsServiceUser bool
	// ServiceUserName is only set if IsServiceUser is true
	ServiceUserName string
	// AutoGroups is a list of Group IDs to auto-assign to peers registered by this user
	AutoGroups []string
	// PATs holds the user's personal access tokens; presumably keyed by token ID — verify against callers
	PATs map[string]*PersonalAccessToken
	// Blocked indicates whether the user is blocked. Blocked users can't use the system.
	Blocked bool
}
User represents a user of the system
func NewAdminUser ¶
NewAdminUser creates a new user with role UserRoleAdmin
func NewRegularUser ¶
NewRegularUser creates a new user with role UserRoleUser
func NewUser ¶
func NewUser(id string, role UserRole, isServiceUser bool, serviceUserName string, autoGroups []string) *User
NewUser creates a new user
func (*User) IsAdmin ¶ added in v0.10.5
IsAdmin returns true if the user is an admin, false otherwise
type UserRole ¶
// UserRole is the role of a User. Values referenced on this page include
// UserRoleAdmin, UserRoleUser and UserRoleUnknown; StrRoleToUserRole maps a
// string to a UserRole and yields UserRoleUnknown for unrecognised input.
type UserRole string
UserRole is the role of a User
func StrRoleToUserRole ¶ added in v0.9.5
StrRoleToUserRole returns UserRole for a given strRole or UserRoleUnknown if the specified role is unknown