- Lower UDP bandwidth to 50M -- this fixes intermittent file descriptor
issues because we overload iperf3 for more than 5 seconds
- Simplify iperf3 to the minimum set that makes tests reliable
Why:
* The extra assertions added to the sign-in success acceptance tests do
not behave as reliably as needed. The assertions being removed were
checking an intermediate step of the sign-in success redirect process,
so the test should not be fundamentally changed by removing them. We'll
just be checking the final state rather than the intermediate state and
the final state. The previous commit removing these assertions was only
done on the email signin tests. This commit updates the userpass and
openid_connect tests
Why:
* The extra assertions added to the sign-in success acceptance tests do
not behave as reliably as needed. The assertions being removed were
checking an intermediate step of the sign-in success redirect process,
so the test should not be fundamentally changed by removing them. We'll
just be checking the final state rather than the intermediate state and
the final state.
This prevents duplication for different Tauri jobs like building the
release packages vs testing a debug build with mock keyring.
```[tasklist]
- [ ] Fix branch protection rules for changed tests
```
---------
Signed-off-by: Reactor Scram <ReactorScram@users.noreply.github.com>
The `from` address is already logged as part of the `decapsulate` span
in the `Node`. The `local` address isn't that interesting thus noise
most of the time.
In the relay's authentication scheme, each nonce is only valid for a
certain number of requests. This guards against replay attacks.
Currently, this is set to 10 which means all requests after 10 will
receive a "stale nonce" error. 10 turns out to be way to low and greatly
delays the setup of channels and allocations which is always a burst of
messages that end up incurring additional round trips because they all
need to be re-sent with a new nonce.
I forgot to actually call the expire resources function after the
refactor 🤦
This will be much cleaned up in a PR that I'm working on to eliminate
the `peers_by_id`/`peers_by_ip` maps.
In the mean time let's merge this asap since the gateway not expiring
resources is a security hole.
Currently, we bind a lot of TURN channels on our relays because we bind
a channel to each candidate on each relay. With every node having
usually 4 relays, that results in 16 channels per connection just for
the relay candidates.
We can bring this down optimistically by first checking if the remote's
candidate is a relay candidate and happens to be on a relay that we are
also using. In that case, we only bind the channel on that one.
That should also improve latency when data needs to be relayed because
we reduce the number of hops by 1 and don't send traffic between two
relays.
Additionally, there is no reason to bind channels for host candidates.
Why:
* On some clients, the web view that is opened to sign-in to Firezone is
left open and ends up getting stuck on the Sign In page with the
liveview loader on the top of the page also stuck and appearing as
though it is waiting for another response. This commit adds a sign-in
success page that is displayed upon successful sign-in and shows a
message to the user that lets them know they can close the window if
needed. If the client device is able to close the web view that was
opened, then the page will either very briefly be shown or will not be
visible at all due to how quickly the redirect happens.
It is still client-specific, but this was the closest place I could find
in connlib to put it.
A hypothetical GUI / .deb / systemd-involved gateway would need to be
"dev.firezone.gateway"
This was fixed at some point in the feature branch but was lost to time.
This is preventing macos from working(and might be causing some issues
in other platforms)
Previously, we would only bind channels for _established_ connections.
This caused a problem if we'd get the other parties candidates before
the offer response. Additionally, we'd often send multiple channel
bindings for the same peer which caused additional warnings in the logs.
Bumps [arboard](https://github.com/1Password/arboard) from 3.3.0 to
3.3.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/1Password/arboard/releases">arboard's
releases</a>.</em></p>
<blockquote>
<h2>v3.3.1</h2>
<h3>Changed</h3>
<ul>
<li>Updated Windows clipboard and migrated from <code>winapi</code> to
<code>windows-sys</code>.</li>
<li>Internally migrated to Rust 2021 edition.</li>
<li>Significantly improved the crate's error documentation.</li>
<li>Updated <code>core-graphics</code> to <code>0.23</code></li>
<li>Updated <code>x11rb</code> to <code>0.13</code></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/1Password/arboard/compare/v3.3.0...v3.3.1">https://github.com/1Password/arboard/compare/v3.3.0...v3.3.1</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/1Password/arboard/blob/master/CHANGELOG.md">arboard's
changelog</a>.</em></p>
<blockquote>
<h2>3.3.1 on 2024-12-02</h2>
<h3>Changed</h3>
<ul>
<li>Updated Windows clipboard and migrated from <code>winapi</code> to
<code>windows-sys</code>.</li>
<li>Internally migrated to Rust 2021 edition.</li>
<li>Significantly improved the crate's error documentation.</li>
<li>Updated <code>core-graphics</code> to <code>0.23</code></li>
<li>Updated <code>x11rb</code> to <code>0.13</code></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="77e0e078eb"><code>77e0e07</code></a>
Release 3.3.1</li>
<li><a
href="409bd98978"><code>409bd98</code></a>
Update x11rb to 0.13 and core-graphics to 0.23</li>
<li><a
href="bd91f9c438"><code>bd91f9c</code></a>
Increase error documentation on Clipboard type</li>
<li><a
href="a648570ce9"><code>a648570</code></a>
Update CI actions</li>
<li><a
href="0d6725d97f"><code>0d6725d</code></a>
Spell check docs</li>
<li><a
href="a100f2d77c"><code>a100f2d</code></a>
Update clipboard-win to v5 and replace winapi with windows-sys (<a
href="https://redirect.github.com/1Password/arboard/issues/123">#123</a>)</li>
<li><a
href="1b8df75ee2"><code>1b8df75</code></a>
Bump to Rust 2021 edition</li>
<li><a
href="e3f54c3049"><code>e3f54c3</code></a>
Document MSRV of 1.61</li>
<li><a
href="8c475cfd14"><code>8c475cf</code></a>
Make winapi crate optional</li>
<li>See full diff in <a
href="https://github.com/1Password/arboard/compare/v3.3.0...v3.3.1">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
Currently, we will always try to reach all relays that we are given by
the portal. That creates unnecessary warnings if we don't have
connectivity for a certain IP version.
By filtering based on the IP version of our bound sockets, we can avoid
these warnings in the logs.
---------
Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
Extracted out of #3391.
We don't actually need this for #3391 though because we've added a
compatibility layer during deserialization. But, it will be good to
remove that compat layer at some point which means we have to return the
addresses as plain socket addresses. Because that is a breaking change,
I decided to extract this into a different PR.
Co-authored-by: conectado <gabrielalejandro7@gmail.com>
---------
Co-authored-by: conectado <gabrielalejandro7@gmail.com>
Binding the IPv6 socket would always fail because we do it _after_ the
IPv4 socket. However, without setting the socket to `IP6_ONLY`, binding
the unspecified IPv6 address (`::`) also wants to bind to IPv4
(depending on the kernel settings). To avoid this, we need to first
configure the socket properly and then bind it to the given address.
Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
Bumps [ring](https://github.com/briansmith/ring) from 0.17.7 to 0.17.8.
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/briansmith/ring/commits">compare view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
The iperf3 server sometimes hangs, or takes a while to startup.
Rather than trying to reset the iperf3 state between performance tests,
this PR refactors them so they each run in their matrix job. This
ensures each performance test will run on a separate VM, unaffected by
previous test runs to eliminate the effect any residual network buffer
state can have on a particular test.
It also makes sure the server is listening with a `healthcheck`.
Currently, after the refresh timeout the gateway or client starts
looping forever, since after the refresh timeout is reached the
`poll_timeout` will always return `ALLOCATION_LIFETIME/2`(which would be
"now"), since `allocation_lifetime` is never updated.
To fix this, we need to check whether we currently have a refresh
request in flight before queuing a new one. Additionally, we need to
abort refreshing as soon as the lifetime of the allocation expires.
Related: #3617.
Related: #3631.
---------
Co-authored-by: Thomas Eizinger <thomas@eizinger.io>
Bumps [semver](https://github.com/dtolnay/semver) from 1.0.21 to 1.0.22.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/dtolnay/semver/releases">semver's
releases</a>.</em></p>
<blockquote>
<h2>1.0.22</h2>
<ul>
<li>Fix unused_imports warnings when compiled by rustc 1.78</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="c8ad1bf6db"><code>c8ad1bf</code></a>
Release 1.0.22</li>
<li><a
href="f76db8d7f2"><code>f76db8d</code></a>
Resolve redundant import warning</li>
<li><a
href="f32b420f75"><code>f32b420</code></a>
Ignore incompatible_msrv clippy lint for conditionally compiled
code</li>
<li>See full diff in <a
href="https://github.com/dtolnay/semver/compare/1.0.21...1.0.22">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Why:
* On some clients, the web view that is opened to sign-in to Firezone is
left open and ends up getting stuck on the Sign In page with the
liveview loader on the top of the page also stuck and appearing as
though it is waiting for another response. This commit adds a sign-in
success page that is displayed upon successful sign-in and shows a
message to the user that lets them know they can close the window if
needed. If the client device is able to close the web view that was
opened, then the page will either very briefly be shown or will not be
visible at all due to how quickly the redirect happens.
Closes#3608
<img width="625" alt="Screenshot 2024-02-15 at 4 30 57 PM"
src="https://github.com/firezone/firezone/assets/2646332/eb6a5df6-4a4c-4e54-b57c-5da239069ea9">
---------
Signed-off-by: Jamil <jamilbk@users.noreply.github.com>
Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
So the cause of the flaky tests is that they aren't waiting long enough
for a connection to be established. Both the test in #3666 and the
`iperf` tests have a timeout of 10 seconds.
Connections _should_ be established **very quickly** in CI. However, I
have a few guesses as to why they might not be, essentially causing us
to have to wait for a timeout to re-initiate a connection request:
- Packets arrive out of order or too quickly for the WireGuard state
machine to establish a handshake.
- Too many ICE candidates gathered (the gateway has 3 interfaces)
This PR:
- Refactors the iperf tests to be a little easier to maintain
- Ensures `integration-tests` run for at least 30 seconds before timing
out
In any case, we can debug / optimize this further after snownet is
merged, which might just solve the problem completely.
Fixes#3330
The when the log zip file is created, it's created as an empty file in
the `logs` directory. The `logs` directory is then zipped, and written
to the zip file. The empty file remains as an artifact in the final zip
file.
This moves the location of the zip file outside of the `logs` directory,
where it will be cleaned up later.
This will prevent services from restarting out from under us during
tests.
Service restarts should be explicitly tested as integration tests.
Should fix#3666
If `FIREZONE_DNS_CONTROL` is set to `systemd-resolved`, then shell out
to `resolvectl` to request all system DNS queries to go to Firezone's
sentinel DNS server(s).
```[tasklist]
- [ ] Figure out how to stop the runner from using the Docker bridge iface
```
---------
Signed-off-by: Reactor Scram <ReactorScram@users.noreply.github.com>
Co-authored-by: Thomas Eizinger <thomas@eizinger.io>
Whilst debugging the performance tests in #3391, I found that we are
using a 4 year old version of `iperf` for the server. This, plus
restarting the server inbetween the performance runs resulted in flaky
tests. I am not sure how we arrived at #3303 but
[this](https://github.com/firezone/firezone/actions/runs/7926579022?pr=3391)
CI run succeeded with a big matrix using the newer iperf server and
without the restarts.
This is done to delay the candidate generation after the gateway has
already received the request.
Since we already know the candidates in most cases, an optimization in
the future to reduce the number of round-trips to the gateway we can add
the candidates to the request connection message.
