Fulfills #3159.
This means the device ID is only tied to the Windows install instead of
the user account. I also fixed up the logs and errors for that module
real quick since I was already there.
Also refactored to extract an auth state machine. The auth logic
previously was scattered throughout the GUI module, which would make it
hard to audit. Because of the refactoring I was able to add some simple
unit tests.
the way we were checking for subdomains in the gateways completely
broke, didn't detect it before because the deployed staging version for
gateways is too old.
~~Added a few CI tests so this doesn't' happen again.~~ seems like
github runners [doesn't support pinging the outside
world](https://github.com/actions/runner-images/issues/1519) so I'm
putting that off for now.
Fulfills #3141
It took a little longer than I expected but since I'll be leaving the
client running all the time even on my dev laptop, I want to easily see
what version I built, even if I've changed branches since building it.
This isn't hooked up to the GUI yet, it's a debug subcommand.
I overheard that the other clients rebuild the tunnel when they change
networks, I think? And this might be useful for debugging the issue
where Chrome / other browsers don't flush their TCP connections when the
tunnel comes up. It's also reference code for how to use COM interfaces
in Rust. The official samples are a little sparse. So I wanted to get
this checked in.
Bumps [clap](https://github.com/clap-rs/clap) from 4.4.11 to 4.4.13.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/clap-rs/clap/releases">clap's
releases</a>.</em></p>
<blockquote>
<h2>v4.4.13</h2>
<h2>[4.4.13] - 2024-01-04</h2>
<h3>Documentation</h3>
<ul>
<li>Fix link to structopt migration guide</li>
</ul>
<h2>v4.4.12</h2>
<h2>[4.4.12] - 2023-12-28</h2>
<h3>Performance</h3>
<ul>
<li>Only ask <code>TypedValueParser</code> for possible values if
needed</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/clap-rs/clap/blob/master/CHANGELOG.md">clap's
changelog</a>.</em></p>
<blockquote>
<h2>[4.4.13] - 2024-01-04</h2>
<h3>Documentation</h3>
<ul>
<li>Fix link to structopt migration guide</li>
</ul>
<h2>[4.4.12] - 2023-12-28</h2>
<h3>Performance</h3>
<ul>
<li>Only ask <code>TypedValueParser</code> for possible values if
needed</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="2ab48b295c"><code>2ab48b2</code></a>
chore: Release</li>
<li><a
href="7a06a8cd61"><code>7a06a8c</code></a>
docs: Update changelog</li>
<li><a
href="cca190efed"><code>cca190e</code></a>
docs: Correct link to StructOpt migration guide</li>
<li><a
href="5c31f453c1"><code>5c31f45</code></a>
Merge pull request <a
href="https://redirect.github.com/clap-rs/clap/issues/5281">#5281</a>
from Manishearth/safety-docs</li>
<li><a
href="ddae7e6f41"><code>ddae7e6</code></a>
Correct safety docs</li>
<li><a
href="48d28aa689"><code>48d28aa</code></a>
chore: Release</li>
<li><a
href="748ce18cc2"><code>748ce18</code></a>
docs: Update changelog</li>
<li><a
href="adbe6ec4cb"><code>adbe6ec</code></a>
Merge pull request <a
href="https://redirect.github.com/clap-rs/clap/issues/5278">#5278</a>
from henry-hsieh/fix-nosort</li>
<li><a
href="2b48858ba8"><code>2b48858</code></a>
fix: Skip nosort option below bash 4.4</li>
<li><a
href="777b744102"><code>777b744</code></a>
Merge pull request <a
href="https://redirect.github.com/clap-rs/clap/issues/5277">#5277</a>
from clap-rs/renovate/actions-setup-python-5.x</li>
<li>Additional commits viewable in <a
href="https://github.com/clap-rs/clap/compare/v4.4.11...v4.4.13">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Related to this discussion
https://github.com/firezone/firezone/pull/2990#discussion_r1439629571
Add a dependency on the `tracing-panic` crate. This is about 100 lines
of code that adds a panic handle so app panics get a line number, file
name, etc. in the logs. No backtrace I think since we stripe symbols for
release builds. I _think_ the line numbers are baked into the panic
macro so those might still stay.
@conectado I should remove the debug command before closing it, right?
This will fix#3114 and save about 13 seconds at startup, compared to
shelling out to Powershell.
I'm not 100% sure it works for IPv6 routes - I'm setting port, flowinfo,
and scope to 0 and just assuming that it's fine.
For some reason Windows wants a socket address in this API even though I
don't think the port is used for anything.
I've also removed the 200 ms sleep I was using for debugging.
This does mean the GUI flashes through a bunch of messages when you
first open the tab. We could use a timer to hide those later on.
Bumps
[org.jetbrains.kotlin:kotlin-stdlib](https://github.com/JetBrains/kotlin)
from 1.9.21 to 1.9.22.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/JetBrains/kotlin/releases">org.jetbrains.kotlin:kotlin-stdlib's
releases</a>.</em></p>
<blockquote>
<h2>Kotlin 1.9.22</h2>
<h2>Changelog</h2>
<h3>JavaScript</h3>
<ul>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-63719"><code>KT-63719</code></a>
KJS: Test results ignored for ES module kind</li>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-63808"><code>KT-63808</code></a>
compileTestDevelopmentExecutableKotlinJs failed in
JsIntrinsicTransformers</li>
</ul>
<h3>Native</h3>
<ul>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-64139"><code>KT-64139</code></a>
Weird bug with while and coroutine in Kotlin Native</li>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-63471"><code>KT-63471</code></a>
linkDebugTestIosX64 Failed to build cache: NoSuchFileException
bitcode_deps</li>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-63789"><code>KT-63789</code></a>
Native: Incremental compilation problem with compose</li>
</ul>
<h3>Tools. CLI</h3>
<ul>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-64485"><code>KT-64485</code></a>
CLI: cache and optimize parsing of command-line arguments</li>
</ul>
<h3>Tools. Gradle</h3>
<ul>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-63990"><code>KT-63990</code></a>
"Cannot query the value of property 'buildFlowServiceProperty'
because it has no value available" with Isolated Projects</li>
</ul>
<h3>Tools. Gradle. Native</h3>
<ul>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-63363"><code>KT-63363</code></a>
Kotlin Gradle Plugin:
<code>KotlinNativeHostSpecificMetadataArtifact</code> breaks
configuration cache, implicitly includes output file as configuration
cache input</li>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-63742"><code>KT-63742</code></a>
Gradle wrongly caches Kotlin/Native compiler flags</li>
</ul>
<h3>Tools. JPS</h3>
<ul>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-64305"><code>KT-64305</code></a>
Kotlin JPS builder requests chunk rebuild with graph implementation</li>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-64112"><code>KT-64112</code></a>
Avoid using IJ's JPS mappings in Kotlin JPS tests</li>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-63799"><code>KT-63799</code></a>
Make plugin classpath serialization path agnostic</li>
</ul>
<h2>Checksums</h2>
<table>
<thead>
<tr>
<th>File</th>
<th>Sha256</th>
</tr>
</thead>
<tbody>
<tr>
<td>kotlin-compiler-1.9.22.zip</td>
<td>88b39213506532c816ff56348c07bbeefe0c8d18943bffbad11063cf97cac3e6</td>
</tr>
<tr>
<td>kotlin-native-linux-x86_64-1.9.22.tar.gz</td>
<td>c2b0a6481ced5401db4a7028661c039b7466996efaa554bbcc6a3d421ac5e7d4</td>
</tr>
<tr>
<td>kotlin-native-macos-x86_64-1.9.22.tar.gz</td>
<td>4646c9bc289d48a228064f565f3a968dde3dcccd7821f403717c708f6ffa8285</td>
</tr>
<tr>
<td>kotlin-native-macos-aarch64-1.9.22.tar.gz</td>
<td>8a95c0e0eb46b41b6d02a1942dc7dfe8c70082a2a26679490a77cd486f0ec8dd</td>
</tr>
<tr>
<td>kotlin-native-windows-x86_64-1.9.22.zip</td>
<td>a9d7bcf38a41a84002ba7a733b08e97b554225a39656d5158fc31dc6d0acede4</td>
</tr>
</tbody>
</table>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/JetBrains/kotlin/blob/master/ChangeLog.md">org.jetbrains.kotlin:kotlin-stdlib's
changelog</a>.</em></p>
<blockquote>
<h2>1.9.22</h2>
<h3>JavaScript</h3>
<ul>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-63719"><code>KT-63719</code></a>
KJS: Test results ignored for ES module kind</li>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-63808"><code>KT-63808</code></a>
compileTestDevelopmentExecutableKotlinJs failed in
JsIntrinsicTransformers</li>
</ul>
<h3>Native</h3>
<ul>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-64139"><code>KT-64139</code></a>
Weird bug with while and coroutine in Kotlin Native</li>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-63471"><code>KT-63471</code></a>
linkDebugTestIosX64 Failed to build cache: NoSuchFileException
bitcode_deps</li>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-63789"><code>KT-63789</code></a>
Native: Incremental compilation problem with compose</li>
</ul>
<h3>Tools. CLI</h3>
<ul>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-64485"><code>KT-64485</code></a>
CLI: cache and optimize parsing of command-line arguments</li>
</ul>
<h3>Tools. Gradle</h3>
<ul>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-63990"><code>KT-63990</code></a>
"Cannot query the value of property 'buildFlowServiceProperty'
because it has no value available" with Isolated Projects</li>
</ul>
<h3>Tools. Gradle. Native</h3>
<ul>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-63363"><code>KT-63363</code></a>
Kotlin Gradle Plugin:
<code>KotlinNativeHostSpecificMetadataArtifact</code> breaks
configuration cache, implicitly includes output file as configuration
cache input</li>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-63742"><code>KT-63742</code></a>
Gradle wrongly caches Kotlin/Native compiler flags</li>
</ul>
<h3>Tools. JPS</h3>
<ul>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-64305"><code>KT-64305</code></a>
Kotlin JPS builder requests chunk rebuild with graph implementation</li>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-64112"><code>KT-64112</code></a>
Avoid using IJ's JPS mappings in Kotlin JPS tests</li>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-63799"><code>KT-63799</code></a>
Make plugin classpath serialization path agnostic</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="44ed2e94f5"><code>44ed2e9</code></a>
Add changelog for 1.9.22</li>
<li><a
href="b7b0397d2c"><code>b7b0397</code></a>
[Gradle] Made klib unpacked for native metadata compile task</li>
<li><a
href="262697dc38"><code>262697d</code></a>
[K/JS] Fix file extension inside the JS KGP to run tests with ES modules
^KT-...</li>
<li><a
href="87c8aa1037"><code>87c8aa1</code></a>
[K/JS] Fix case with boxing/unboxing inside the BlockDecomposerLowering
^KT-6...</li>
<li><a
href="316df8d032"><code>316df8d</code></a>
[CLI] Add cache for reflection lookup of CLI arguments</li>
<li><a
href="b0cc245beb"><code>b0cc245</code></a>
Avoid throwing exception when BuildFusService can't be injected</li>
<li><a
href="cfbb957e02"><code>cfbb957</code></a>
[IR] Correct handling of loops in liveness analysis</li>
<li><a
href="204cecd5d9"><code>204cecd</code></a>
[box-tests] Added a reproducer for #KT-64139</li>
<li><a
href="9c7aac2ec0"><code>9c7aac2</code></a>
[gradle] Use more fine grained directory for K/N incremental
compilation</li>
<li><a
href="9012e67fdb"><code>9012e67</code></a>
Add KotlinBuilder 'dumb mode' flag</li>
<li>Additional commits viewable in <a
href="https://github.com/JetBrains/kotlin/compare/v1.9.21...v1.9.22">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Initial version of the `firezone-connection` crate. To begin with, we
only establish a connection in a LAN, i.e. no hole-punching, no STUN or
TURN servers, just host candidates. As such, a lot of this PR is just
scaffolding for setting up the test environment and the actual
`ConnectionPool` implementation.
For the curious, I've left some TODOs where I am going to attempt
extending the implementation once we start dealing with STUN and TURN
servers.
I also extended CI to run these tests.
... and move its methods into ResourceDescription.
This was a TODO from some pull request in the last few days. I assume
the goal is to share this function between all clients if needed. It
doesn't reduce the number of lines of code, since I could have removed
ResourceDisplay and done this on-the-fly when building the systray menu,
as an alternative.
Fix for #2956 this is achieved by refreshing access to every resource
every 5 minutes.
There's still an open question for this PR:
When the gateway resolves an ip the gateway allows access to a DNS
resource it resolves the address and allow access to that ip for that
client.
Right now, until the access for that resource doesn't expire that access
isn't revoked.
We could change it so that we require the client to refresh such
access(with this PR those refresh queries are already being made every 5
minutes) every x minutes on top of the `expires_at` or we can keep
`expires_at` as to mean "allow access until `expires_at` for whatever
this resource resolves to".
cc @jamilbk @AndrewDryga
Previously, we just assumed that the domain in the query is a subdomain
of the resource but a malicious actor can hijack that field to access
domains that doesn't correspond to that resource.
With this patch we don't even resolve the address for unrelated domains.
Fixes#2470, now for linux it looks like:
```
Alpine Linux/3.19.0 (x86_64;5.15.133.1-microsoft-standard-WSL2;) connlib/1.0.0
```
For macos it looks like:
```
Mac OS/13.4.1 (arm64;22.5.0;) connlib/1.0.0
```
and this is how it looks on android:
```
Android/Unknown 6.1.23-android14-4-00257-g7e35917775b8-ab9964412 connlib/1.0.0
```
note: seems like in android emulator at least we can't get the
architecture so easily
Should fix#2880
The way I do it is after ~10 seconds dropping the
`gateway_awaiting_connection` and let the client try the connection
again, depending on upper layer, I think this is fine since the cases
where this happens is unlikely.
It's hard to test thoroughly but I'll test with bad-condition
simulators, [pumba](https://github.com/alexei-led/pumba) seems
promising. In the meantime I'm still creating the PR so that I can have
it reviewed.
Edit: Using Pumba with different % of packet loss things seems to go
well, and connections are actually established even if the packets are
loss. (Making a note that we should integrate pumba with our CI)
I found out `keyring-rs` wasn't doing "firezone/token" internally, so
our credential was just "token", which is too generic. I changed it to
use our domain so it's "dev.firezone.client/token".
Partially fixes#2920
As explained in
https://github.com/firezone/firezone/issues/2920#issuecomment-1861642550
in the future we should change the way we resolve DNS queries in the
gateway to properly handle HTTPS record types.
With this patch this is what happens to an HTTPS query while firezone is
running:
```
kdig -t HTTPS ifconfig.net
;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 15773
;; Flags: qr rd; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION:
;; ifconfig.net. IN HTTPS
;; Received 30 B
;; Time 2023-12-18 18:34:23 -03
;; From 100.100.111.1@53(UDP) in 0.6 ms
```
