Our current bespoke job system, while it's worked out well so far, has
the following shortcomings:
- No retry logic
- No robust to guarantee job isolation / uniqueness without resorting to
row-level locking
- No support for cron-based scheduling
This PR adds the boilerplate required to get started with
[Oban](https://hexdocs.pm/oban/Oban.html), the job management system for
Elixir.
There was slight API change in the way LoggerJSON's configuration is
generation, so I took the time to do a little fixing and cleanup here.
Specifically, we should be using the `new/1` callback to create the
Logger config which fixes the below exception due to missing config
keys:
```
FORMATTER CRASH: {report,[{formatter_crashed,'Elixir.LoggerJSON.Formatters.GoogleCloud'},{config,[{metadata,{all_except,[socket,conn]}},{redactors,[{'Elixir.LoggerJSON.Redactors.RedactKeys',[<<"password">>,<<"secret">>,<<"nonce">>,<<"fragment">>,<<"state">>,<<"token">>,<<"public_key">>,<<"private_key">>,<<"preshared_key">>,<<"session">>,<<"sessions">>]}]}]},{log_event,#{meta => #{line => 15,pid => <0.308.0>,time => 1744145139650804,file => "lib/logger.ex",gl => <0.281.0>,domain => [elixir],application => libcluster,mfa => {'Elixir.Cluster.Logger',info,2}},msg => {string,<<"[libcluster:default] connected to :\"web@web.cluster.local\"">>},level => info}},{reason,{error,{badmatch,[{metadata,{all_except,[socket,conn]}},{redactors,[{'Elixir.LoggerJSON.Redactors.RedactKeys',[<<"password">>,<<"secret">>,<<"nonce">>,<<"fragment">>,<<"state">>,<<"token">>,<<"public_key">>,<<"private_key">>,<<"preshared_key">>,<<"session">>,<<"sessions">>]}]}]},[{'Elixir.LoggerJSON.Formatters.GoogleCloud',format,2,[{file,"lib/logger_json/formatters/google_cloud.ex"},{line,148}]}]}}]}
```
Supersedes #8714
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Why:
* The Okta IdP sync job needs to make sure it is always using the latest
access token available. If not, there is the possibility for the job to
take too long to complete and the access token that the job started with
might time out. This commit updates the Okta API client to always check
and make sure it is using the latest access token for each request to
the Okta API.
- Attaches the Sentry Logging hook in each of [api, web, domain]
- Removes errant Sentry logging configuration in config/config.exs
- Fixes the exception logger to default to logging exceptions, use
`skip_sentry: true` to skip
Tested successfully in dev. Hopefully the cluster behaves the same way.
Fixes#8639
Bumps [sentry](https://github.com/getsentry/sentry-elixir) from 10.8.1
to 10.9.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/getsentry/sentry-elixir/releases">sentry's
releases</a>.</em></p>
<blockquote>
<h2>10.9.0</h2>
<p>This release adds a bunch of new features and fixes a few papercut
bugs.</p>
<h3>New features</h3>
<ul>
<li>Add <code>:tags_from_metadata</code> option to
<code>Sentry.LoggerHandler</code>. Use this to better structure reports
that come from logs (<a
href="https://redirect.github.com/getsentry/sentry-elixir/issues/840">#840</a>
by <a
href="https://github.com/icehaunter"><code>@icehaunter</code></a>).</li>
<li>Add <code>:discard_threshold</code> option to
<code>Sentry.LoggerHandler</code> to implement load shedding when the
logger gets overloaded.</li>
<li>If you want to use Elixir 1.18's new <code>JSON</code> module, now
you can (<a
href="https://redirect.github.com/getsentry/sentry-elixir/issues/845">#845</a>).</li>
<li>Add <code>:in_app_otp_apps</code> configuration option. This should
replace <code>:in_app_module_allow_list</code> for most use cases,
making configuration simpler (<a
href="https://redirect.github.com/getsentry/sentry-elixir/issues/854">#854</a>
by <a href="https://github.com/solnic"><code>@solnic</code></a>).</li>
<li>Add support for per-module custom options for check ins. This means
you can now configure single Oban (or Quantum) jobs with per-worker
options such as timezones and more (<a
href="https://redirect.github.com/getsentry/sentry-elixir/issues/833">#833</a>
by <a
href="https://github.com/savhappy"><code>@savhappy</code></a>).</li>
<li>Add a global <code>:extra</code> config that can be set at the
<code>:sentry</code> application level (akin to <code>:tags</code>
today).</li>
<li>Improve Oban error reporting.</li>
</ul>
<h3>Bug fixes</h3>
<ul>
<li>We now deduplicate identical events significantly less, reducing the
risk of not reporting events that are not duplicates.</li>
<li>When dropping breadcrumbs (because of the limit being reached), we
now retain <em>newest</em> breadcrumbs instead of older ones (<a
href="https://redirect.github.com/getsentry/sentry-elixir/issues/858">#858</a>
by <a
href="https://github.com/dajinchu"><code>@dajinchu</code></a>).</li>
<li>Ensure log messages are not captured with
<code>:capture_log_messages</code> is <code>false</code> (<a
href="https://redirect.github.com/getsentry/sentry-elixir/issues/865">#865</a>
by <a
href="https://github.com/joladev"><code>@joladev</code></a>).</li>
<li>Normalize Oban exception reasons for better reports.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/getsentry/sentry-elixir/blob/master/CHANGELOG.md">sentry's
changelog</a>.</em></p>
<blockquote>
<h2>10.9.0</h2>
<p>This release adds a bunch of new features and fixes a few papercut
bugs.</p>
<h3>New features</h3>
<ul>
<li>Add <code>:tags_from_metadata</code> option to
<code>Sentry.LoggerHandler</code>. Use this to better structure reports
that come from logs (<a
href="https://redirect.github.com/getsentry/sentry-elixir/issues/840">#840</a>
by <a
href="https://github.com/icehaunter"><code>@icehaunter</code></a>).</li>
<li>Add <code>:discard_threshold</code> option to
<code>Sentry.LoggerHandler</code> to implement load shedding when the
logger gets overloaded.</li>
<li>If you want to use Elixir 1.18's new <code>JSON</code> module, now
you can (<a
href="https://redirect.github.com/getsentry/sentry-elixir/issues/845">#845</a>).</li>
<li>Add <code>:in_app_otp_apps</code> configuration option. This should
replace <code>:in_app_module_allow_list</code> for most use cases,
making configuration simpler (<a
href="https://redirect.github.com/getsentry/sentry-elixir/issues/854">#854</a>
by <a href="https://github.com/solnic"><code>@solnic</code></a>).</li>
<li>Add support for per-module custom options for check ins. This means
you can now configure single Oban (or Quantum) jobs with per-worker
options such as timezones and more (<a
href="https://redirect.github.com/getsentry/sentry-elixir/issues/833">#833</a>
by <a
href="https://github.com/savhappy"><code>@savhappy</code></a>).</li>
<li>Add a global <code>:extra</code> config that can be set at the
<code>:sentry</code> application level (akin to <code>:tags</code>
today).</li>
<li>Improve Oban error reporting.</li>
</ul>
<h3>Bug fixes</h3>
<ul>
<li>We now deduplicate identical events significantly less, reducing the
risk of not reporting events that are not duplicates.</li>
<li>When dropping breadcrumbs (because of the limit being reached), we
now retain <em>newest</em> breadcrumbs instead of older ones (<a
href="https://redirect.github.com/getsentry/sentry-elixir/issues/858">#858</a>
by <a
href="https://github.com/dajinchu"><code>@dajinchu</code></a>).</li>
<li>Ensure log messages are not captured with
<code>:capture_log_messages</code> is <code>false</code> (<a
href="https://redirect.github.com/getsentry/sentry-elixir/issues/865">#865</a>
by <a
href="https://github.com/joladev"><code>@joladev</code></a>).</li>
<li>Normalize Oban exception reasons for better reports.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="0711b48533"><code>0711b48</code></a>
release: 10.9.0</li>
<li><a
href="b770388e72"><code>b770388</code></a>
Normalize Oban exception reasons for better reports (<a
href="https://redirect.github.com/getsentry/sentry-elixir/issues/878">#878</a>)</li>
<li><a
href="5f6a0c9986"><code>5f6a0c9</code></a>
Strengthen a flaky test (<a
href="https://redirect.github.com/getsentry/sentry-elixir/issues/873">#873</a>)</li>
<li><a
href="759ed98259"><code>759ed98</code></a>
Improve Oban error reporting (<a
href="https://redirect.github.com/getsentry/sentry-elixir/issues/872">#872</a>)</li>
<li><a
href="df0079f1b5"><code>df0079f</code></a>
Remove extra inspect/1 for Oban errors fingerprints (<a
href="https://redirect.github.com/getsentry/sentry-elixir/issues/869">#869</a>)</li>
<li><a
href="1b20581634"><code>1b20581</code></a>
Fix invalid JSON in :message (<a
href="https://redirect.github.com/getsentry/sentry-elixir/issues/867">#867</a>)</li>
<li><a
href="16229ef912"><code>16229ef</code></a>
Add global :extra config (<a
href="https://redirect.github.com/getsentry/sentry-elixir/issues/866">#866</a>)</li>
<li><a
href="07d0d19752"><code>07d0d19</code></a>
Ensure log messages are not captured with capture_log_messages false (<a
href="https://redirect.github.com/getsentry/sentry-elixir/issues/865">#865</a>)</li>
<li><a
href="48271100e4"><code>4827110</code></a>
Add timezone to Oban Integration (<a
href="https://redirect.github.com/getsentry/sentry-elixir/issues/862">#862</a>)</li>
<li><a
href="3b3ff64280"><code>3b3ff64</code></a>
Retain newest breadcrumbs (instead of oldest)</li>
<li>Additional commits viewable in <a
href="https://github.com/getsentry/sentry-elixir/compare/10.8.1...10.9.0">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [tailwind](https://github.com/phoenixframework/tailwind) from
0.2.4 to 0.3.1.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/phoenixframework/tailwind/blob/main/CHANGELOG.md">tailwind's
changelog</a>.</em></p>
<blockquote>
<h2>v0.3.1 (2025-02-28)</h2>
<ul>
<li>Support correct target for Linux MUSL with Tailwind v3.</li>
</ul>
<h2>v0.3.0 (2025-02-26)</h2>
<ul>
<li>Support Tailwind v4+. This release assumes Tailwind v4 for new
projects.</li>
</ul>
<p>Note: v0.3.0 dropped target code for handling Linux MUSL with
Tailwind v3. Use v0.3.1+ instead.</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="dec852e08d"><code>dec852e</code></a>
release v0.3.1</li>
<li><a
href="2bc2fdff38"><code>2bc2fdf</code></a>
Merge pull request <a
href="https://redirect.github.com/phoenixframework/tailwind/issues/115">#115</a>
from phoenixframework/sd-musl-target-v3v4</li>
<li><a
href="c0006e254b"><code>c0006e2</code></a>
Support Linux MUSL v3 and v4</li>
<li><a
href="08629c84b8"><code>08629c8</code></a>
release v0.3.0</li>
<li><a
href="8b3247daad"><code>8b3247d</code></a>
Merge branch 'next'</li>
<li><a
href="7e1f93b284"><code>7e1f93b</code></a>
use Tailwind 4.0.9 as latest</li>
<li><a
href="44ac9014f0"><code>44ac901</code></a>
don't mention 0.3 or Tailwind v4 in README yet</li>
<li><a
href="8ad425c2da"><code>8ad425c</code></a>
Pass url as a string into fetch_body! as URI.parse would not succeed
with a c...</li>
<li><a
href="6f45cae55d"><code>6f45cae</code></a>
Merge pull request <a
href="https://redirect.github.com/phoenixframework/tailwind/issues/97">#97</a>
from arcanemachine/main</li>
<li><a
href="22788850d2"><code>2278885</code></a>
Merge pull request <a
href="https://redirect.github.com/phoenixframework/tailwind/issues/110">#110</a>
from phoenixframework/sd-tailwind3to4</li>
<li>Additional commits viewable in <a
href="https://github.com/phoenixframework/tailwind/compare/v0.2.4...v0.3.1">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [bandit](https://github.com/mtrudel/bandit) from 1.6.10 to 1.6.11.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/mtrudel/bandit/blob/main/CHANGELOG.md">bandit's
changelog</a>.</em></p>
<blockquote>
<h2>1.6.11 (31 Mar 2025)</h2>
<h3>Changes</h3>
<ul>
<li>Ensure that HTTP/1 request headers are sent to the Plug in the order
they're
sent (<a
href="https://redirect.github.com/mtrudel/bandit/issues/482">#482</a>)</li>
<li>Do not populate the <code>cookies</code> header with an empty string
if no cookies were
sent in HTTP/2 (<a
href="https://redirect.github.com/mtrudel/bandit/issues/483">#483</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="3b8b1a40fb"><code>3b8b1a4</code></a>
Version bump to 1.6.11</li>
<li><a
href="5b5839234a"><code>5b58392</code></a>
Order headers (<a
href="https://redirect.github.com/mtrudel/bandit/issues/483">#483</a>)</li>
<li>See full diff in <a
href="https://github.com/mtrudel/bandit/compare/1.6.10...1.6.11">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [plug_crypto](https://github.com/elixir-plug/plug_crypto) from
2.1.0 to 2.1.1.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/elixir-plug/plug_crypto/blob/main/CHANGELOG.md">plug_crypto's
changelog</a>.</em></p>
<blockquote>
<h2>v2.1.1 (2025-04-03)</h2>
<ul>
<li>Fall back <code>hash_equals</code> when missing OpenSSL support</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="70af9d89e6"><code>70af9d8</code></a>
Release v2.1.1</li>
<li><a
href="84130f8915"><code>84130f8</code></a>
Fallback when hash_equals fails for missing openssl support (<a
href="https://redirect.github.com/elixir-plug/plug_crypto/issues/45">#45</a>)</li>
<li><a
href="3ff0bfe9a5"><code>3ff0bfe</code></a>
Update versions in CI (<a
href="https://redirect.github.com/elixir-plug/plug_crypto/issues/43">#43</a>)</li>
<li>See full diff in <a
href="https://github.com/elixir-plug/plug_crypto/compare/v2.1.0...v2.1.1">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps
[telemetry_poller](https://github.com/beam-telemetry/telemetry_poller)
from 1.1.0 to 1.2.0.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/beam-telemetry/telemetry_poller/blob/main/CHANGELOG.md">telemetry_poller's
changelog</a>.</em></p>
<blockquote>
<h2><a
href="https://github.com/beam-telemetry/telemetry_poller/tree/v1.2.0">1.2.0</a></h2>
<h3>Added</h3>
<ul>
<li>Support <code>persistent_term</code> measurements.</li>
<li>Require Erlang/OTP 24+.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/beam-telemetry/telemetry_poller/commits">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [observer_cli](https://github.com/zhongwencool/observer_cli) from
1.8.1 to 1.8.2.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/zhongwencool/observer_cli/releases">observer_cli's
releases</a>.</em></p>
<blockquote>
<h2>v1.8.2</h2>
<h2>What's Changed</h2>
<ul>
<li>Fix unit of fullsweep_after by <a
href="https://github.com/binaryseed"><code>@binaryseed</code></a> in <a
href="https://redirect.github.com/zhongwencool/observer_cli/pull/108">zhongwencool/observer_cli#108</a></li>
<li>chore: fix typo lable -> label by <a
href="https://github.com/zmstone"><code>@zmstone</code></a> in <a
href="https://redirect.github.com/zhongwencool/observer_cli/pull/109">zhongwencool/observer_cli#109</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/binaryseed"><code>@binaryseed</code></a> made
their first contribution in <a
href="https://redirect.github.com/zhongwencool/observer_cli/pull/108">zhongwencool/observer_cli#108</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/zhongwencool/observer_cli/compare/1.8.1...v1.8.2">https://github.com/zhongwencool/observer_cli/compare/1.8.1...v1.8.2</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="854d5ab4fa"><code>854d5ab</code></a>
chore: bump to 1.8.2</li>
<li><a
href="d057cb3670"><code>d057cb3</code></a>
chore: fix typo lable -> label</li>
<li><a
href="13ec437b1f"><code>13ec437</code></a>
Fix unit of fullsweep_after</li>
<li>See full diff in <a
href="https://github.com/zhongwencool/observer_cli/compare/1.8.1...v1.8.2">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps
[ex_cldr_dates_times](https://github.com/elixir-cldr/cldr_dates_times)
from 2.20.3 to 2.22.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/elixir-cldr/cldr_dates_times/releases">ex_cldr_dates_times's
releases</a>.</em></p>
<blockquote>
<h2>Cldr Dates Times version 2.22.0</h2>
<h3>Breaking Data format changes</h3>
<p>There are some changes to the underlying locale data format that will
be a breaking change for results returned from:</p>
<ul>
<li><code>Cldr.DateTime.Format.time_formats/{1,2,3}</code></li>
<li><code>MyApp.Cldr.Calendar.day_periods/{0, 1, 2}</code></li>
</ul>
<p>The data changes are summarised as:</p>
<ul>
<li>Time formats now group the <code>:default</code> and
<code>:ascii</code> alternatives.</li>
<li>Day periods used for date/time formatting now group the alternatives
for <code>am</code> and <code>pm</code> where the data is
available.</li>
<li>Day period display names now group the alternatives for
<code>am</code> and <code>pm</code> where the data is available.</li>
</ul>
<h3>Enhancements</h3>
<ul>
<li>Update to <a href="https://cldr.unicode.org/downloads/cldr-47">CLDR
47</a> data.</li>
</ul>
<h2>Cldr Dates Times version 2.21.0</h2>
<h3>Enhancements</h3>
<ul>
<li>Allow configuration of <code>ex_cldr_calendars</code> version 2.0
and later.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/elixir-cldr/cldr_dates_times/blob/main/CHANGELOG.md">ex_cldr_dates_times's
changelog</a>.</em></p>
<blockquote>
<h2>Cldr_Dates_Times v2.22.0</h2>
<p>This is the changelog for Cldr_Dates_Times v2.22.0 released on March
18th, 2025. For older changelogs please consult the release tag on <a
href="https://github.com/elixir-cldr/cldr_cldr_dates_times/tags">GitHub</a></p>
<h3>Breaking Data format changes</h3>
<p>There are some changes to the underlying locale data format that will
be a breaking change for results returned from:</p>
<ul>
<li><code>Cldr.DateTime.Format.time_formats/{1,2,3}</code></li>
<li><code>MyApp.Cldr.Calendar.day_periods/{0, 1, 2}</code></li>
</ul>
<p>The data changes are summarised as:</p>
<ul>
<li>Time formats now group the <code>:default</code> and
<code>:ascii</code> alternatives.</li>
<li>Day periods used for date/time formatting now group the alternatives
for <code>am</code> and <code>pm</code> where the data is
available.</li>
<li>Day period display names now group the alternatives for
<code>am</code> and <code>pm</code> where the data is available.</li>
</ul>
<h3>Enhancements</h3>
<ul>
<li>Update to <a href="https://cldr.unicode.org/downloads/cldr-47">CLDR
47</a> data.</li>
</ul>
<h2>Cldr_Dates_Times v2.21.0</h2>
<p>This is the changelog for Cldr_Dates_Times v2.21.0 released on
January 31st, 2025. For older changelogs please consult the release tag
on <a
href="https://github.com/elixir-cldr/cldr_cldr_dates_times/tags">GitHub</a></p>
<h3>Enhancements</h3>
<ul>
<li>Allow configuration of <code>ex_cldr_calendars</code> version 2.0
and later.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="c7042c4327"><code>c7042c4</code></a>
Update deps and changelog</li>
<li><a
href="0a0e56cd36"><code>0a0e56c</code></a>
Update version and changelog</li>
<li><a
href="b4dbc2cb55"><code>b4dbc2c</code></a>
Reflect CLDR 47 Beta 2 data</li>
<li><a
href="907fb8ef8d"><code>907fb8e</code></a>
Config test dependencies</li>
<li><a
href="930ad5686e"><code>930ad56</code></a>
Initial testing on CLDR47 Alpha 2</li>
<li><a
href="48aada48eb"><code>48aada4</code></a>
Support ex_cldr_calendars 2.0</li>
<li><a
href="04b4af8e67"><code>04b4af8</code></a>
Add back test locales</li>
<li><a
href="5a675305d6"><code>5a67530</code></a>
Merge pull request <a
href="https://redirect.github.com/elixir-cldr/cldr_dates_times/issues/53">#53</a>
from Munksgaard/fix-doc-comments</li>
<li><a
href="3a5a7c073f"><code>3a5a7c0</code></a>
Fix some doc comment warnings</li>
<li>See full diff in <a
href="https://github.com/elixir-cldr/cldr_dates_times/compare/v2.20.3...v2.22.0">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps
[@fontsource/source-sans-3](https://github.com/fontsource/font-files/tree/HEAD/fonts/google/source-sans-3)
from 5.1.1 to 5.2.6.
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/fontsource/font-files/commits/HEAD/fonts/google/source-sans-3">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
The `flows` table currently has `ON DELETE SET NULL` behavior for many
of its foreign key constraints. The problem is that if we try to delete
any of the associated entities, setting a null here causes the DB
operation to fail with:
```
ERROR: null value in column "policy_id" of relation "flows" violates not-null constraint
```
I can understand why it was originally architected like this to preserve
connection log data, but we'll be using another approach for that that
doesn't require maintaining relational data in perpetuity.
Related: #949
The Google API will often return a missing `members` key alongside a
`200` response from their members API. The documentation here isn't
clear whether this key is expected or not, but since the sync has been
working fine up until #8608, we can only surmise that the missing key in
fact means the group has no members.
This PR updates the Google API client so that a `default_if_missing` can
be passed in which is returned if the API response is missing the JSON
key to fetch.
For the users, groups, and organization units fetches, we consider a
missing key to be an error and we return `{:error, :invalid_response}`
since this most likely indicates an API problem.
For the members endpoint, we consider the missing key to be the empty
set.
Additionally, a bug is fixed that was introduced in #8608 whereupon we
returned `{:error, :retry_later}` for newly-accounted-for API responses,
which would have caused a "sync failed" email to be sent to the admins
on the instance.
Instead, we want to return `{:error, :invalid_response}` which will stop
the sync from progressing, and log it internally.
The previous migration only accounted for soft-deleted rows that have an
active counterpart.
This fails the new unique index if multiple soft-deleted rows exist for
the same `account_id, provider_id, provider_identifier` combination.
Instead, to appease the new index, we need to delete all soft-deleted
rows where these fields exist.
Related: #8615
After merging #8608, we discovered that we receive unexpected API
responses on the regular. This adds improved logging to uncover what
exactly these unexpected API responses are.
When syncing identities from an identity, we have logic in place that
resurrects any soft-deleted identities in order to maintain their
session history, group memberships and any other relevant data. Users
can be temporarily suspended from their identity provider and then
resumed.
Groups, however, based on cursory research, can never be temporarily
suspended at the identity provider. However, this doesn't mean that we
can't see the group disappear and reappear at a later point in time.
This can happen due to a temporary sync issue, or in the upcoming Group
Filters PR: #8381.
This PR adds more robust testing to ensure we can in fact resurrect
identities as expected.
It also updates the group sync logic to similarly resurrect soft-deleted
groups if they are seen again in a subsequent sync.
To achieve this, we need to update the `UNIQUE CONSTRAINT` used in the
upsert clause during the sync. Before, it was possible for two (or more)
groups to exist with the same provider_identifier and provider_id, if
`deleted_at IS NOT NULL`. Now, we need to ensure that only one group
with the same `account_id, provider_id, provider_identifier` can exist,
since we want to resurrect and not recreate these.
To do this, we use a migration that does the following:
1. Ensures any potentially problematic data is permanently deleted
2. Drops the existing unique constraint
3. Recreates it, omitting `WHERE DELETED_AT IS NULL` from the partial
index.
Based on exploring the production DB data, this should not cause any
issues, but it would be a good idea to double-check before rolling this
out to prod.
Lastly, the final missing piece to the resurrection story is Policies.
This is saved for a future PR since we need to first define the
difference between a policy that was soft-deleted via a sync job, and a
policy that was "perma" deleted by a user.
Related: #8187
When calling the various directory sync endpoints, we had error cases
that matched a few of the possible error scenarios in an appropriate way
by returning either `{:error, :retry_later}` or the `{:error, ...}`
tuples.
However, as we've recently learned in [this
thread](https://firezonehq.slack.com/archives/C069H865MHP/p1743521884037159),
it's possible for identity provider APIs to return all kinds of bogus
data here, and we need a more defensive approach.
The specific issue this PR addresses is the case where we receive a
`2xx` response, but without the expected JSON key in the response body.
That will result in the `list*` functions returning an empty list, which
the calling code paths then use to soft-delete all existing record types
in the DB.
This is wrong. If the JSON response is missing a key we're expecting, we
instead log a warning and return `{:error, :retry_later}`. It's
currently unknown when exactly this happens and why, but with better
monitoring here we'll have a much better picture as to why.
When reading through these modules, it's helpful to know that the actual
sync data update doesn't occur more often than 10 minutes due to a
database check.
The adapter itself isn't enabled in the UI on prod, but the background
job to sync mock data was. This prevents the job from being started and
emitting log noise into production logs.
When a customer signs up for Starter or Team, we don't enable tax
calculation by default. This means customers can upgrade to Team, start
paying invoices, and we won't collect taxes.
This creates a management issue and possible tax liability since I need
to manually reconcile these.
Instead, since we have Stripe Tax configured on our account, we can
enable automatic tax calculation when the subscription is created. Any
products (Starter/Team/Enterprise) therefore in the subscription will
automatically collect tax appropriately.
In most cases in the US, the tax rate is 0. In EU transactions, for B2B
sales, the tax rate for us is also 0 (reverse charge basis). If we sell
a Team subscription to an individual, however, we need to collect VAT.
There doesn't seem to be a way to block consumer EU transactions in
Stripe, so we'll likely need to register for VAT in the EU if we cross
the reporting threshold.
A regression was introduced in d0f0de0f8d
whereupon we started using the updated policy record for broadcasting
the `delete_policy` and `expire_flows` events. This caused a security
issue because if the actor group changed from `Everyone` to `thomas`,
for example, we'd only expire flows and broadcast policy removal (i.e.
resource removal) events for `thomas`, and `Everyone` would still have
access granted by the old policy.
To fix this, we broadcast the destructive events to the old policy, so
that its `actor_group_id` and `resource_id` are used, and not the new
policy's.
Fixes#8549
After removing some of the functionality for viewing the Internet
Resource, customer was confused where to find it again.
This places an `Internet` section in the Resources index page (similar
to Sites page) with a short help text and an action button to view the
Internet Resource.
This also adds a convenient helper that allows us to route to
`/#{account}/resources/internet` for a nicer-looking URL that users can
bookmark if needed.
<img width="1423" alt="Screenshot 2025-03-19 at 11 52 31 PM"
src="https://github.com/user-attachments/assets/f2da1c31-92b2-429e-832f-73ddd0524155"
/>
Fixes#8479
Why:
* This commit will allow account admins to send a request through the
Firezone portal to schedule a deletion of their account, rather than
having the account admins email their request manually. Doing this
through the portal allows us to verify that the request actually came
from an admin of the account.
I was debugging some of this just now and realized our naming / comments
are incorrect here, so thought I'd open a PR to tidy things up for the
next person reading this.
Resource CIDRs actually occupy the `100.96.0.0/11` range (and IPv6
equivalent), but the portal doesn't generate these.
Why:
* Previously, when running a directory sync with the Google Workspace
IdP adapter, if a service account had been configured but there was a
problem getting an access token for the service account, the sync job
would fall back to using a personal access token. We no longer want to
rely on any personal access token once a service account has been
configured. This commit will make sure that if a service account is
configured there is no way to fall back to any personal access token.
Fixes#8409
When deploying a Gateway from the admin portal UI, we show various
environment variables required for setup. Until now, we've relied on the
`/var/lib/firezone` persistence method for identifying the Gateway.
However, this can cause issues on some systems that don't have writeable
access to /var/lib/firezone, or old versions of systemd that don't
support sandboxed access to this directory.
This PR updates each deployment method to use `FIREZONE_ID` instead
everywhere. Additionally, since the Docker upgrade script needs to
reinvoke the new container using the same arguments (more or less) as
the install, we need to extract the old `/var/lib/firezone/gateway_id`
file out of the existing container if it exists, and try to insert it
into the upgraded container.
Tested both scripts, including upgrades for the Docker script.
Fixes: #8471
Finishes up the Internet Resource migration by enforcing:
- No internet resources in non-internet sites
- No regular resources in internet sites
- Removing the prompt to migrate
~~I've already migrated the existing internet resources in customer's
accounts. No one that was using the internet resource hadn't already
migrated.~~
Edit: I started to head down that path, then decided doing this here in
a data migration was going to be a better approach.
Fixes#8212
[Step
2](https://cloud.google.com/sql/docs/postgres/pg-audit#set-pgaudit-flag-values)
of the pgaudit setup guide for Google Cloud SQL. It would be good to
have detailed pg audit logs on the master application instance in case
things go wrong.
Notably, this prevents erroring out when the `pgaudit` is not available,
which by default, it is. Enabling the `pgaudit` extension for our dev
instance is left as a future endeavor.
Supersedes #5442
The submit button on the settings -> dns page has a couple UX issues
with the new search domain section:
- It's ambiguous what the `Save` is actually saving
- The spacing makes it look like it's only saving upstream resolvers
This PR introduces a simple fix that address the two issues by:
- Updating the button text to `Save DNS Settings`
- Increasing spacing between submit button and form elements
- Slightly decreasing spacing between the `search domain` and `upstream
resolvers` inputs
<img width="968" alt="Screenshot 2025-03-14 at 12 06 02 AM"
src="https://github.com/user-attachments/assets/651f54c8-3b5f-4747-ad3a-e2ae32eccbf0"
/>
Related #5248
Why:
* This commit updates the 500 error page in the portal to have the same
look and feel of the 404 error page in order to be consistent within the
portal UI.
- Adds a simple text input to configure search domains ("default DNS
suffix") in the Settings -> DNS page.
- Sends the `search_domain` field as part of the client's `init` message
- Fixes a minor UI alignment inconsistency for the upstream resolvers
field so that the total form width and `New resolver` button width are
the same.
<img width="1137" alt="Screenshot 2025-03-09 at 10 56 56 PM"
src="https://github.com/user-attachments/assets/a1d5a570-8eae-4aa9-8a1c-6aaeb9f4c33a"
/>
Fixes#8365
Introduces a simple `search_domain` field embed into our existing
`Accounts.Account.Config` embedded schema. This will be sent to clients
to append to single-label DNS queries.
UI and API changes will come in subsequent PRs: this one adds field and
(lots of) validations only.
Related: #8365
- Adds more actor groups to the existing `oidc_provider`
- Configures a rand seed so our seed data is reproducible across
machines
- Formats the seeds file to allow for some refactoring a later PR
- Adds a `Mock` identity provider adapter with sync enabled
