github-personal/firezone
1
0
Fork 0
mirror of https://github.com/outbackdingo/firezone.git synced 2026-01-27 10:18:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix service account tokens and unifile deployment scripts (#2900)

Browse Source
This commit is contained in:
Andrew Dryga
2023-12-13 14:45:59 -06:00
committed by GitHub
parent 34dce6f185
commit af7730337c
16 changed files with 146 additions and 126 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
.github/workflows/cd.yml vendored
View File

@@ -63,20 +63,6 @@ jobs:
with:
run: ${{ steps.apply-run.outputs.run_id }}
comment: "Apply Run from GitHub Actions CI ${{ github.sha }}"
- name: Report Status
if: failure()
uses: rtCamp/action-slack-notify@v2
env:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
SLACK_USERNAME: "GitHub Actions"
SLACK_COLOR: "#ff0000"
MSG_MINIMAL: "ref,actions url"
SLACK_TITLE: "Deployment Failed"
SLACK_MESSAGE:
"Automatic deployment to ${{ env.TF_WORKSPACE }} failed"
with:
status: ${{ job.status }}
notify_when: "failure"
update-release-draft:
needs: deploy-staging

2
.tool-versions
View File

@@ -3,7 +3,7 @@
nodejs 18.16.0
elixir 1.15.7-otp-26
erlang 26.1.2
terraform 1.6.5
terraform 1.6.6
# Used for static analysis
python 3.9.13

3
elixir/apps/domain/lib/domain/auth.ex
View File

@@ -7,7 +7,8 @@ defmodule Domain.Auth do
@default_session_duration_hours %{
account_admin_user: 24 * 7 - 1,
account_user: 24 * 7
account_user: 24 * 7,
service_account: 20 * 365 * 24 * 7
}
@max_session_duration_hours @default_session_duration_hours

11
elixir/apps/domain/priv/repo/migrations/20231212194048_change_account_slugs_to_citext.exs Normal file
View File

@@ -0,0 +1,11 @@
defmodule Domain.Repo.Migrations.ChangeAccountSlugsToCitext do
use Ecto.Migration
def change do
execute("CREATE EXTENSION IF NOT EXISTS citext")
alter table(:accounts) do
modify(:slug, :citext)
end
end
end

1
elixir/apps/web/lib/web/controllers/home_controller.ex
View File

@@ -24,6 +24,7 @@ defmodule Web.HomeController do
end
def redirect_to_sign_in(conn, %{"account_id_or_slug" => account_id_or_slug} = params) do
account_id_or_slug = String.downcase(account_id_or_slug)
redirect_params = take_non_empty_params(params, ["client_platform", "client_csrf_token"])
redirect(conn, to: ~p"/#{account_id_or_slug}?#{redirect_params}")

11
elixir/apps/web/lib/web/live/actors/service_accounts/new_identity.ex
View File

@@ -16,7 +16,7 @@ defmodule Web.Actors.ServiceAccounts.NewIdentity do
assign(socket,
actor: actor,
provider: provider,
identity: nil,
encoded_token: nil,
form: to_form(changeset)
)
@@ -43,7 +43,7 @@ defmodule Web.Actors.ServiceAccounts.NewIdentity do
Create <%= actor_type(@actor.type) %> Token
</:title>
<:content>
<div :if={is_nil(@identity)} class="max-w-2xl px-4 py-8 mx-auto lg:py-16">
<div :if={is_nil(@encoded_token)} class="max-w-2xl px-4 py-8 mx-auto lg:py-16">
<h2 class="mb-4 text-xl font-bold text-neutral-900">Create a Token</h2>
<.flash kind={:error} flash={@flash} />
<.form for={@form} phx-change={:change} phx-submit={:submit}>
@@ -65,13 +65,13 @@ defmodule Web.Actors.ServiceAccounts.NewIdentity do
</.form>
</div>
<div :if={not is_nil(@identity)} class="max-w-2xl px-4 py-8 mx-auto lg:py-16">
<div :if={not is_nil(@encoded_token)} class="max-w-2xl px-4 py-8 mx-auto lg:py-16">
<div class="grid gap-4 mb-4 sm:grid-cols-1 sm:gap-6 sm:mb-6">
<div class="text-xl mb-2">
Your API token (will be shown only once):
</div>
<.code_block id="code-sample-docker" class="w-full mw-1/2 rounded" phx-no-format><%= @identity.provider_virtual_state.changes.secret %></.code_block>
<.code_block id="code-sample-docker" class="w-full mw-1/2 rounded" phx-no-format><%= @encoded_token %></.code_block>
<.button icon="hero-arrow-uturn-left" navigate={~p"/#{@account}/actors/#{@actor}"}>
Back to Actor
@@ -103,7 +103,8 @@ defmodule Web.Actors.ServiceAccounts.NewIdentity do
attrs,
socket.assigns.subject
) do
{:noreply, assign(socket, identity: identity)}
{:ok, encoded_token} = Auth.create_access_token_for_identity(identity)
{:noreply, assign(socket, encoded_token: encoded_token)}
else
{:error, changeset} ->
{:noreply, assign(socket, form: to_form(changeset))}

95
elixir/apps/web/lib/web/live/relay_groups/new_token.ex
View File

@@ -70,13 +70,6 @@ defmodule Web.RelayGroups.NewToken do
phx-update="ignore"
><%= docker_command(@env) %></.code_block>
<.initial_connection_status
:if={@env}
type="relay"
navigate={~p"/#{@account}/relays/#{@group}"}
connected?={@connected?}
/>
<hr />
<p class="pl-4 mb-2 mt-4 text-xl font-semibold">
@@ -143,13 +136,6 @@ defmodule Web.RelayGroups.NewToken do
<.code_block id="code-sample-systemd6" class="w-full" phx-no-format>sudo systemctl enable firezone-relay</.code_block>
<.initial_connection_status
:if={@env}
type="relay"
navigate={~p"/#{@account}/sites/#{@group}"}
connected?={@connected?}
/>
<hr />
<p class="pl-4 mb-2 mt-4 text-xl font-semibold">
@@ -169,13 +155,28 @@ defmodule Web.RelayGroups.NewToken do
<.code_block id="code-sample-systemd8" class="w-full rounded-b" phx-no-format>sudo journalctl -u firezone-relay.service</.code_block>
</:tab>
</.tabs>
<div id="connection-status" class="flex justify-between items-center">
<p class="text-sm">
Relay not connecting? See our <.link
class="text-accent-500 hover:underline"
href="https://www.firezone.dev/kb/administer/troubleshooting#relay-not-connecting"
>relay troubleshooting guide</.link>.
</p>
<.initial_connection_status
:if={@env}
type="relay"
navigate={~p"/#{@account}/relay_groups/#{@group}"}
connected?={@connected?}
/>
</div>
</div>
</:content>
</.section>
"""
end
defp version do
defp major_minor_version do
vsn =
Application.spec(:domain)
|> Keyword.fetch!(:vsn)
@@ -197,7 +198,18 @@ defmodule Web.RelayGroups.NewToken do
{"PUBLIC_IP4_ADDR", "YOU_MUST_SET_THIS_VALUE"},
{"PUBLIC_IP6_ADDR", "YOU_MUST_SET_THIS_VALUE"},
api_url_override,
{"RUST_LOG", "warn"},
{"RUST_LOG",
Enum.join(
[
"firezone_relay=trace",
"firezone_tunnel=trace",
"connlib_shared=trace",
"tunnel_state=trace",
"phoenix_channel=debug",
"warn"
],
","
)},
{"LOG_FORMAT", "google-cloud"}
]
|> Enum.reject(&is_nil/1)
@@ -220,7 +232,7 @@ defmodule Web.RelayGroups.NewToken do
"--device=\"/dev/net/tun:/dev/net/tun\"",
Enum.map(env, fn {key, value} -> "--env #{key}=\"#{value}\"" end),
"--env FIREZONE_NAME=$(hostname)",
"#{Domain.Config.fetch_env!(:domain, :docker_registry)}/relay:#{version()}"
"#{Domain.Config.fetch_env!(:domain, :docker_registry)}/relay:#{major_minor_version()}"
]
|> List.flatten()
|> Enum.join(" \\\n ")
@@ -235,52 +247,41 @@ defmodule Web.RelayGroups.NewToken do
[Service]
Type=simple
User=firezone
Group=firezone
ExecStartPre=/bin/sh -c 'id -u firezone &>/dev/null || useradd -r -s /bin/false firezone'
#{Enum.map_join(env, "\n", fn {key, value} -> "Environment=\"#{key}=#{value}\"" end)}
ExecStartPre=/bin/sh -c ' \\
remote_version=$(curl -Ls \\
-H "Accept: application/vnd.github+json" \\
-H "X-GitHub-Api-Version: 2022-11-28" \\
https://api.github.com/repos/firezone/firezone/releases/latest | grep -oP '"'"'(?<="tag_name": ")[^"]*'"'"'); \\
if [ -e /usr/local/bin/firezone-relay ]; then \\
current_version=$(/usr/local/bin/firezone-relay --version | awk '"'"'{print $NF}'"'"'); \\
else \\
current_version=""; \\
fi; \\
if [ ! "$current_version" = "$remote_version" ]; then \\
ExecStartPre=/bin/sh -c 'set -xue; \\
if [ ! -e /usr/local/bin/firezone-relay ]; then \\
FIREZONE_VERSION=$(curl -Ls \\
-H "Accept: application/vnd.github+json" \\
-H "X-GitHub-Api-Version: 2022-11-28" \\
"https://api.github.com/repos/firezone/firezone/releases/latest" | \\
grep "\\\\"tag_name\\\\":" | sed "s/.*\\\\"tag_name\\\\": \\\\"\\([^\\\\"\\\\]*\\).*/\\1/" \\
); \\
[ "$FIREZONE_VERSION" = "" ] && echo "[Error] Can not fetch latest version, rate limited by GitHub?" && exit 1; \\
echo "Downloading Firezone Relay version $FIREZONE_VERSION"; \\
arch=$(uname -m); \\
case $arch in \\
aarch64) \\
bin_url="https://github.com/firezone/firezone/releases/download/latest/relay-arm64" ;; \\
bin_url="https://github.com/firezone/firezone/releases/download/$FIREZONE_VERSION/relay-arm64" ;; \\
armv7l) \\
bin_url="https://github.com/firezone/firezone/releases/download/latest/relay-arm" ;; \\
bin_url="https://github.com/firezone/firezone/releases/download/$FIREZONE_VERSION/relay-arm" ;; \\
x86_64) \\
bin_url="https://github.com/firezone/firezone/releases/download/latest/relay-x64" ;; \\
bin_url="https://github.com/firezone/firezone/releases/download/$FIREZONE_VERSION/relay-x64" ;; \\
*) \\
echo "Unsupported architecture"; \\
exit 1 ;; \\
esac; \\
wget -O /usr/local/bin/firezone-relay $bin_url; \\
chmod +x /usr/local/bin/firezone-relay; \\
fi \\
mkdir -p /etc/firezone; \\
chmod 0755 /etc/firezone; \\
fi; \\
'
ExecStartPre=/usr/bin/mkdir -p /etc/firezone
ExecStartPre=/usr/bin/chown firezone:firezone /etc/firezone
ExecStartPre=/usr/bin/chmod 0755 /etc/firezone
ExecStartPre=/usr/bin/chmod +x /usr/local/bin/firezone-relay
AmbientCapabilities=CAP_NET_ADMIN
CapabilityBoundingSet=CAP_NET_ADMIN
PrivateTmp=true
ProtectSystem=full
ReadWritePaths=/etc/firezone
NoNewPrivileges=true
TimeoutStartSec=15s
ExecStart=/bin/sh -c 'FIREZONE_NAME=$(hostname); /usr/local/bin/firezone-relay'
TimeoutStartSec=3s
TimeoutStopSec=15s
ExecStart=FIREZONE_NAME=$(hostname) /usr/local/bin/firezone-relay
Restart=always
RestartSec=3
RestartSec=7
[Install]
WantedBy=multi-user.target

26
elixir/apps/web/lib/web/live/relays/show.ex
View File

@@ -49,33 +49,29 @@ defmodule Web.Relays.Show do
<:value><%= @relay.name %></:value>
</.vertical_table_row>
<.vertical_table_row>
<:label>Remote IPv4</:label>
<:label>
IPv4
<p class="text-xs">Set by <code>PUBLIC_IP4_ADDR</code></p>
</:label>
<:value>
<code><%= @relay.ipv4 %></code>
</:value>
</.vertical_table_row>
<.vertical_table_row>
<:label>Remote IPv6</:label>
<:label>
IPv6
<p class="text-xs">Set by <code>PUBLIC_IP6_ADDR</code></p>
</:label>
<:value>
<code><%= @relay.ipv6 %></code>
</:value>
</.vertical_table_row>
<.vertical_table_row>
<:label>Name</:label>
<:value><%= @relay.name %></:value>
</.vertical_table_row>
<.vertical_table_row>
<:label>Status</:label>
<:value>
<.connection_status schema={@relay} />
</:value>
</.vertical_table_row>
<.vertical_table_row>
<:label>Location</:label>
<:value>
<.last_seen schema={@relay} />
</:value>
</.vertical_table_row>
<.vertical_table_row>
<:label>
Last seen
@@ -84,6 +80,12 @@ defmodule Web.Relays.Show do
<.relative_datetime datetime={@relay.last_seen_at} />
</:value>
</.vertical_table_row>
<.vertical_table_row>
<:label>Remote IP</:label>
<:value>
<.last_seen schema={@relay} />
</:value>
</.vertical_table_row>
<.vertical_table_row>
<:label>Version</:label>
<:value>

76
elixir/apps/web/lib/web/live/sites/new_token.ex
View File

@@ -142,7 +142,7 @@ defmodule Web.Sites.NewToken do
"""
end
defp version do
defp major_minor_version do
vsn =
Application.spec(:domain)
|> Keyword.fetch!(:vsn)
@@ -161,9 +161,19 @@ defmodule Web.Sites.NewToken do
[
{"FIREZONE_ID", Ecto.UUID.generate()},
{"FIREZONE_TOKEN", token},
{"FIREZONE_ENABLE_MASQUERADE", "1"},
api_url_override,
{"RUST_LOG", "warn"}
{"RUST_LOG",
Enum.join(
[
"firezone_gateway=trace",
"firezone_tunnel=trace",
"connlib_shared=trace",
"tunnel_state=trace",
"phoenix_channel=debug",
"warn"
],
","
)}
]
|> Enum.reject(&is_nil/1)
end
@@ -183,9 +193,11 @@ defmodule Web.Sites.NewToken do
"--sysctl net.ipv6.conf.all.forwarding=1",
"--sysctl net.ipv6.conf.default.forwarding=1",
"--device=\"/dev/net/tun:/dev/net/tun\"",
Enum.map(env, fn {key, value} -> "--env #{key}=\"#{value}\"" end),
Enum.map(env ++ [{"FIREZONE_ENABLE_MASQUERADE", "1"}], fn {key, value} ->
"--env #{key}=\"#{value}\""
end),
"--env FIREZONE_NAME=$(hostname)",
"#{Domain.Config.fetch_env!(:domain, :docker_registry)}/gateway:#{version()}"
"#{Domain.Config.fetch_env!(:domain, :docker_registry)}/gateway:#{major_minor_version()}"
]
|> List.flatten()
|> Enum.join(" \\\n ")
@@ -200,51 +212,47 @@ defmodule Web.Sites.NewToken do
[Service]
Type=simple
ExecStartPre=/bin/sh -c 'id -u firezone &>/dev/null || useradd -r -s /bin/false firezone'
#{Enum.map_join(env, "\n", fn {key, value} -> "Environment=\"#{key}=#{value}\"" end)}
ExecStartPre=/bin/sh -c 'set -xe; \\
remote_version=$(curl -Ls \\
-H "Accept: application/vnd.github+json" \\
-H "X-GitHub-Api-Version: 2022-11-28" \\
https://api.github.com/repos/firezone/firezone/releases/latest | \\
grep "\\"tag_name\\": " | sed "s/.*\\"tag_name\\": \\"\\\\([^\\\\\\"]*\\\\).*/\\\\1/"); \\
if [ -e /usr/local/bin/firezone-gateway ]; then \\
current_version=$(/usr/local/bin/firezone-gateway --version | awk '"'"'{print $NF}'"'"'); \\
else \\
current_version=""; \\
fi; \\
if [ ! "$current_version" = "${remote_version:-latest}" ]; then \\
echo "There is a new version of Firezone Gateway, downloading: ${remote_version:-latest}"; \\
ExecStartPre=/bin/sh -c 'set -xue; \\
if [ ! -e /usr/local/bin/firezone-gateway ]; then \\
FIREZONE_VERSION=$(curl -Ls \\
-H "Accept: application/vnd.github+json" \\
-H "X-GitHub-Api-Version: 2022-11-28" \\
"https://api.github.com/repos/firezone/firezone/releases/latest" | \\
grep "\\\\"tag_name\\\\":" | sed "s/.*\\\\"tag_name\\\\": \\\\"\\([^\\\\"\\\\]*\\).*/\\1/" \\
); \\
[ "$FIREZONE_VERSION" = "" ] && echo "[Error] Can not fetch latest version, rate limited by GitHub?" && exit 1; \\
echo "Downloading Firezone Gateway version $FIREZONE_VERSION"; \\
arch=$(uname -m); \\
case $arch in \\
aarch64) \\
bin_url="https://github.com/firezone/firezone/releases/download/latest/gateway-arm64" ;; \\
bin_url="https://github.com/firezone/firezone/releases/download/$FIREZONE_VERSION/gateway-arm64" ;; \\
armv7l) \\
bin_url="https://github.com/firezone/firezone/releases/download/latest/gateway-arm" ;; \\
bin_url="https://github.com/firezone/firezone/releases/download/$FIREZONE_VERSION/gateway-arm" ;; \\
x86_64) \\
bin_url="https://github.com/firezone/firezone/releases/download/latest/gateway-x64" ;; \\
bin_url="https://github.com/firezone/firezone/releases/download/$FIREZONE_VERSION/gateway-x64" ;; \\
*) \\
echo "Unsupported architecture"; \\
exit 1 ;; \\
esac; \\
wget -O /usr/local/bin/firezone-gateway $bin_url; \\
chmod +x /usr/local/bin/firezone-gateway; \\
fi \\
mkdir -p /etc/firezone; \\
chmod 0755 /etc/firezone; \\
iptables-nft -A FORWARD -i tun-firezone -j ACCEPT; \\
iptables-nft -A FORWARD -o tun-firezone -j ACCEPT; \\
iptables-nft -t nat -A POSTROUTING -o eth+ -j MASQUERADE; \\
ip6tables-nft -A FORWARD -i tun-firezone -j ACCEPT; \\
ip6tables-nft -A FORWARD -o tun-firezone -j ACCEPT; \\
ip6tables-nft -t nat -A POSTROUTING -o eth+ -j MASQUERADE; \\
fi; \\
'
ExecStartPre=/bin/sh -c 'mkdir -p /etc/firezone'
ExecStartPre=/bin/sh -c 'chown firezone:firezone /etc/firezone'
ExecStartPre=/bin/sh -c 'chmod 0755 /etc/firezone'
ExecStartPre=/bin/sh -c 'chmod +x /usr/local/bin/firezone-gateway'
AmbientCapabilities=CAP_NET_ADMIN
PrivateTmp=true
ProtectSystem=full
ReadWritePaths=/etc/firezone
NoNewPrivileges=true
TimeoutStartSec=15s
ExecStart=/bin/sh -c 'FIREZONE_NAME=$(hostname); /usr/local/bin/firezone-gateway'
TimeoutStartSec=3s
TimeoutStopSec=15s
ExecStart=/bin/sh -c 'FIREZONE_NAME=$(hostname); sudo -u firezone -g firezone /usr/local/bin/firezone-gateway'
Restart=always
RestartSec=3
RestartSec=7
[Install]
WantedBy=multi-user.target

5
elixir/apps/web/test/web/controllers/home_controller_test.exs
View File

@@ -53,5 +53,10 @@ defmodule Web.HomeControllerTest do
conn = post(conn, ~p"/", %{"account_id_or_slug" => id})
assert redirected_to(conn) == ~p"/#{id}"
end
test "downcases account slug on redirect", %{conn: conn} do
conn = post(conn, ~p"/", %{"account_id_or_slug" => "FOO"})
assert redirected_to(conn) == ~p"/foo"
end
end
end

15
elixir/apps/web/test/web/live/actors/service_accounts/new_identity_test.exs
View File

@@ -128,9 +128,11 @@ defmodule Web.Live.Actors.ServiceAccounts.NewIdentityTest do
identity: identity,
conn: conn
} do
expires_at = Date.utc_today() |> Date.add(3)
attrs = %{
provider_virtual_state: %{
expires_at: Date.utc_today() |> Date.add(3) |> Date.to_iso8601()
expires_at: Date.to_iso8601(expires_at)
}
}
@@ -153,9 +155,12 @@ defmodule Web.Live.Actors.ServiceAccounts.NewIdentityTest do
remote_ip_location_lon: -120.4194
}
# TODO: assert {:ok, _token} =
Floki.find(html, "code")
|> element_to_text()
|> Domain.Auth.sign_in(context)
assert {:ok, subject} =
Floki.find(html, "code")
|> element_to_text()
|> Domain.Auth.sign_in(context)
assert subject.actor.id == actor.id
assert DateTime.to_date(subject.expires_at) == expires_at
end
end

2
elixir/apps/web/test/web/live/relay_groups/new_token_test.exs
View File

@@ -43,7 +43,7 @@ defmodule Web.Live.RelayGroups.NewTokenTest do
assert_receive %Phoenix.Socket.Broadcast{topic: "relay_groups:" <> _group_id}
assert element(lv, "#deployment-instructions")
assert element(lv, "#connection-status")
|> render() =~ "Connected, click to continue"
end

6
elixir/apps/web/test/web/live/relays/show_test.exs
View File

@@ -89,9 +89,9 @@ defmodule Web.Live.Relays.ShowTest do
assert table["instance group name"] =~ relay.group.name
assert table["last seen"]
assert table["location"] =~ to_string(relay.last_seen_remote_ip)
assert table["remote ipv4"] =~ to_string(relay.ipv4)
assert table["remote ipv6"] =~ to_string(relay.ipv6)
assert table["remote ip"] =~ to_string(relay.last_seen_remote_ip)
assert table["ipv4 set by public_ip4_addr"] =~ to_string(relay.ipv4)
assert table["ipv6 set by public_ip6_addr"] =~ to_string(relay.ipv6)
assert table["status"] =~ "Offline"
assert table["user agent"] =~ relay.last_seen_user_agent
assert table["version"] =~ relay.last_seen_version

2
terraform/environments/production/versions.tf
View File

@@ -1,5 +1,5 @@
terraform {
required_version = "1.6.5"
required_version = "1.6.6"
required_providers {
random = {

1
terraform/environments/staging/demo.tf
View File

@@ -51,7 +51,6 @@ resource "google_compute_instance" "demo" {
}
# We can install any tools we need for the demo in the startup script
# TODO: enable IPv6 for the demo VM
metadata_startup_script = <<EOT
set -xe \
&& sudo apt update -y \

2
terraform/environments/staging/versions.tf
View File

@@ -1,5 +1,5 @@
terraform {
required_version = "1.6.5"
required_version = "1.6.6"
required_providers {
random = {