Adds a minimal supervision tree for making DB changes from the
`FzHttp.Release` module. This allows the `bin/create-or-reset-admin` and
`bin/create-api-token` commands to be run with `docker compose exec` or
`docker compose run --rm` indiscriminately.
Starting the FzHttp.Repo directly is more involved since it's not compiled
into the release as an OTP app.
The migration is edited in place. Otherwise, the users that partially
upgraded to 0.7 won't be able to proceed.
Another migration is added to add default values for every table that
did not have it to make things consistent and make sure that both users
that have failed migration executed and the ones that executed it
successfully will end up with the same schema.
Closes #1295
1. The test data is taken from tests; you can override attributes by
adding keyword params to the `doc` macro.
2. Additionally, you can add a section title using a `@moduledoc` in a
controller and a controller action title using `@doc` on a controller
function. (It will be added to all instances of its usage).
3. To make parameters nice, a helper was added to build them using
`DocHelper`; you can find an example in UserController.
Overall, the code is messy and I'll need to revisit it, but I was doing it in
a rush, so I hope it's good enough for v0.
Results you can see at https://firezone.docs.apiary.io/.
To generate it locally run `DOC=1 mix test
test/fz_http_web/controllers/json`.
Co-authored-by: Jamil Bou Kheir <jamilbk@users.noreply.github.com>
Adds a mechanism for generating API tokens from the CLI. Requires the
default admin user to be present. From there the token can be used to
create additional admins. In the future, we could allow specifying a
user's email to generate the token for.
Generate like so:
```
docker compose run --rm firezone bin/create-api-token
```
Expose the most commonly-used SSL client options to our OIDC and
ConnectivityChecks HTTP clients. Resolves some lingering issues some
users were facing with OIDC where they needed a custom TLS version
enforced or cacert file used to fetch the `discovery_document` and
resulting keys.
SSL misconfiguration can be a security concern, so we intentionally puke
when an unexpected key is passed. This should result in a new GitHub
issue being opened and dialog created to learn more about the use-case.
Fixes #996
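The fail-closed behaviour described above (reject any SSL option key that is not on the allowlist instead of silently ignoring it) can be shown in a small, self-contained Python sketch. This is an added example, not Firezone's Elixir code; the option names `versions`, `cacertfile` and `verify` and the values they take are assumptions chosen to mirror common Erlang `ssl` client options, and the functions `check_ssl_options` and `build_ssl_context` are hypothetical.

```python
import ssl

# Allowlist of the client-side TLS options we are willing to accept from
# configuration. Anything else is rejected outright rather than silently
# ignored, so a typo such as "verfiy" cannot quietly weaken the connection.
# (Option names are assumptions for this example.)
ALLOWED_SSL_OPTIONS = {"versions", "cacertfile", "verify"}

# Configuration-level version names mapped to the stdlib's TLSVersion enum.
TLS_VERSIONS = {
    "tlsv1.2": ssl.TLSVersion.TLSv1_2,
    "tlsv1.3": ssl.TLSVersion.TLSv1_3,
}

ALLOWED_VERIFY = {"verify_peer", "verify_none"}


def check_ssl_options(opts):
    """Return a list of problems with the given options; empty means valid."""
    problems = []
    for key in sorted(set(opts) - ALLOWED_SSL_OPTIONS):
        problems.append(f"unexpected SSL option: {key}")
    for version in opts.get("versions", []):
        if version not in TLS_VERSIONS:
            problems.append(f"unknown TLS version: {version}")
    verify = opts.get("verify", "verify_peer")
    if verify not in ALLOWED_VERIFY:
        problems.append(f"unknown verify mode: {verify}")
    if "cacertfile" in opts and not isinstance(opts["cacertfile"], str):
        problems.append("cacertfile must be a path string")
    return problems


def build_ssl_context(opts):
    """Build an ssl.SSLContext from validated options; raise on any problem."""
    problems = check_ssl_options(opts)
    if problems:
        # Puke loudly: a misconfigured TLS client is a security issue, not a warning.
        raise ValueError("; ".join(problems))

    # Secure defaults: peer verification on, hostname checking on, system CA store.
    ctx = ssl.create_default_context()

    versions = [TLS_VERSIONS[v] for v in opts.get("versions", [])]
    if versions:
        # Pin the negotiable range to exactly the versions the operator listed.
        ctx.minimum_version = min(versions)
        ctx.maximum_version = max(versions)

    if "cacertfile" in opts:
        # Private CA for the OIDC provider: replaces the system trust store.
        ctx.load_verify_locations(cafile=opts["cacertfile"])

    if opts.get("verify") == "verify_none":
        # Explicitly opted out of verification; never the default.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    return ctx
```

With this shape, an operator who needs TLS 1.3 only passes `{"versions": ["tlsv1.3"]}`, while a misspelled or unsupported key fails startup with a message naming the offending key, which is what prompts the GitHub issue the commit message mentions.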
### TODO
- [x] "/v0"
- [x] Double-check migration order; re-timestamp if necessary
- [x] Move `sites` fields to `configurations` so they can be updated
from API
- [x] #1240 -- it introduces possible race conditions for API requests
- [x] #1249
- [ ] #1008
- [ ] Final review
Signed-off-by: Jamil <jamilbk@users.noreply.github.com>
Co-authored-by: Andrew Dryga <andrew@dryga.com>
This PR also moves to `yarn` for docs package management for improved
speed, security, and developer experience. Docusaurus prefers yarn.
Refs firezone/marketing#126
Client configs will be generated based on runtime configuration
stored in the `sites` table, while server configuration (which
requires a restart of the server) will be configurable via ENV vars.
Refs #1270
* Remove _build folders for umbrella apps
For umbrella apps everything goes into the /_build directory, so there is no need to ignore directories that should never be created.
* Change mix aliases to be more aligned with what OS community would expect
1. We want ecto.create and ecto.migrate to be run on each test run; this will simplify setup steps (no need to run migrations manually).
2. ecto.remigrate is not needed because now you can just run ecto.drop and, on tests, migrations would be executed anyway.
* Rename docker-compose step name in CONTRIBUTING.md
The step was renamed here: dd67baf629 (diff-67a4805fdcc6145d7b3ada2a6099a9b2e91c9d0fd108c22f95d2f01d219793d1R10)
* Remove .devcontainer
This is an opinionated change. Right now the devcontainer doesn't work but should be easy to fix (by renaming the step name); at the same time it forces developers that use VS Code to have a unified development environment (including plugins for the editor itself).
I feel like it's not a good path to go for OS and for a small team - everyone should be allowed to use the setup they like. Especially for people like me that tend to recompile ls-elixir for the Elixir plugin from the master branch.
Plus it's yet another thing to maintain while nobody on the team is using it, which means it will always be causing issues.
* Make fz_http mix.exs aliases aligned with umbrella app ones
* Redirect stderr to stdout in a command called from dev.exs
Otherwise I'm getting this on my macOS (which has a `route` implementation that doesn't show interfaces) when `mix phx.server` is executed:
```
usage: route [-dnqtv] command [[modifiers] args]
```
* Fix race condition due to static device field values
Both public_key and name are unique and we should not use static values for fields covered by a unique index, otherwise deadlocks and slow tests are expected.
* Remove unwanted transaction block
The changeset code doesn't have any code that accesses the database and individual Ecto.SQL commands are already wrapped in transactions by default, so there is no need to start it manually and hold for longer than expected (while irrelevant Elixir code is running).
* Use netstat to identify egress interface on MacOS
* Rename uninstall.sh to omnibus-uninstall.sh
* Fix uninstall path in omnibus_build.yml
* fix: disallow netmasks in devices' ip to prevent overlaps in firewall
/32 is still allowed for ipv4 and /128 is still allowed for ipv6.
No migration is needed since netmasks for devices' IPs were broken
beforehand.
* chore: rename `validate_single_ip` function and reword its error message
* Update pre-commit to allow slash
* fix restore cache
* Refactor a bit
* Fix clobbered restore-keys
* Break cache
Co-authored-by: Jamil Bou Kheir <jamilbk@users.noreply.github.com>
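The validation introduced by the "disallow netmasks in devices' ip" commit above (only single hosts, i.e. /32 for IPv4 and /128 for IPv6, and why a wider prefix matters for the firewall) can be illustrated with a self-contained Python example. This is added here and is not Firezone's Elixir implementation; the function names `parse_device_ip` and `would_overlap` are hypothetical, and the addresses in the usage lines are constructed.

```python
import ipaddress


def parse_device_ip(value):
    """Parse a device address and reject anything that is not a single host.

    Returns (address, error): address is an IPv4Address/IPv6Address when the
    input is valid, otherwise None with a human-readable error string.
    """
    try:
        # strict=False tolerates host bits being set so that "10.0.0.1/24"
        # parses; we then reject it ourselves based on the prefix length.
        network = ipaddress.ip_network(value.strip(), strict=False)
    except ValueError:
        return None, "is not a valid IP address"

    # A bare address is parsed as /32 or /128, so num_addresses == 1 is
    # exactly "single host"; anything larger carries a real netmask.
    if network.num_addresses != 1:
        return None, "must be a single IP address, netmasks are not allowed"

    return network.network_address, None


def would_overlap(candidate, existing_ips):
    """Return the existing device IPs a netmasked candidate would cover.

    This is the failure mode the fix prevents: a firewall rule written for
    10.0.0.0/24 would also match traffic for every other device in that range.
    """
    network = ipaddress.ip_network(candidate.strip(), strict=False)
    return [ip for ip in existing_ips if ipaddress.ip_address(ip) in network]


if __name__ == "__main__":
    # Constructed sample inputs for demonstration.
    for raw in ["10.0.0.1", "10.0.0.1/32", "10.0.0.0/24", "fd00::1/128", "fd00::/64", "nope"]:
        ip, err = parse_device_ip(raw)
        print(f"{raw:>12} -> {ip if err is None else 'rejected: ' + err}")
    print(would_overlap("10.0.0.0/24", ["10.0.0.5", "10.0.0.200", "10.0.1.5"]))
```

Using `ipaddress.ip_network` rather than splitting on `/` by hand means the same check covers both address families and every way of writing a mask; only the `/32` and `/128` spellings the commit still allows survive, and they are normalised to a plain address before being stored.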
This commit has the exact same rationale as cc280dae, just for a
different extension that I unfortunately missed the first time around.
This time I searched the repo for occurrences of `CREATE EXTENSION`
instead of the name of the extension causing the error, so hopefully I
did not miss anything else.
The CREATE EXTENSION query requires superuser privileges, which means
that the Firezone container may not be allowed to execute it when
accessing an externally hosted database, resulting in the database
failing to initialise properly.
One potential workaround to this problem is to have the database admin
ascertain that the pgcrypto extension is already present and ready for
use, prior to starting the Firezone container for the first time.
Unfortunately, however, this currently fails in the following manner:
```
14:42:44.731 [info] execute "CREATE EXTENSION pgcrypto"
** (Postgrex.Error) ERROR 42710 (duplicate_object) extension "pgcrypto" already exists
```
Adding the IF NOT EXISTS condition to the CREATE EXTENSION query should
allow it to succeed.
* fix: use caddy in host network_mode and make sure urls have a scheme
* fix: remove unnecessary exposed ports
* fix: remove support for hostnames beginning with // since caddy doesn't support it
* Fix schemeless external URLs; error on invalid ones (#1090)
* Fix schemeless external URLs; error on invalid ones
* use different dockerfile for linux vs non-linux
* Use conditional EXTERNAL_URL defaults
* suppress empty warning
* postgres volume location
* Use inline Caddyfile
Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
* 0.6.0
* Make OIDC and SAML user provisioning configurable per-provider (#1015)
* Got ugly migration to work
* Move auto_create_users to per-provider config
* Update deps to bust cache
* Update Process sleep
* Update docs with Auto create users
* working migration script (#1013)
* Add telem for Docker and SAML (#1020)
* Add telem for Docker and SAML
* Omit unneeded format