mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 18:18:55 +00:00
5711807a3c187b491b34ebca593302daf21186ff
110 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Thomas Eizinger
|
72fbe306b6 |
test: remove curl retry in favor of keep-alive (#9888)
At present, the `direct-download-roaming-network` integration test is a bit odd. It uses the `--retry` switch from `curl` to retry the download once it failed. However, what we want to show with this integration test is that a TCP connection can survive network roaming. We can show that successfully but only if we specify the `--keepalive-time` option, otherwise the download stalls. From inspecting the network logs, this is because `curl` simply waits for more data to be downloaded. After a network reset, the connection however is gone and the _client_ (in this case `curl`) needs to send at least 1 packet to re-establish the connection. By using the keep-alive option, we can send such a packet and the download completes successfully. |
||
|
Thomas Eizinger
|
cf2470ba1e |
test(iperf): install iptables rule inside of container (#9880)
In Docker environments, applying iptables rules to filter container-container traffic on the Docker bridged network is not reliable, leading to direct connections being established in our relayed tests. To fix this, we insert the rules directly from the client container itself. --------- Co-authored-by: Jamil Bou Kheir <jamilbk@users.noreply.github.com> |
||
|
Thomas Eizinger
|
042d03af2a |
feat(gui-client): polish Linux bundling (#9181)
Tauri's `deb` and `rpm` bundler have support for configuring maintainer scripts. We can therefore just use those instead of tearing apart the `deb` file that it creates and rebuilding it ourselves. Our `rpm` packaging is currently completely broken as well. I couldn't get it to work on CentOS 9 at all due to missing dependencies, likely introduced by our move to Tauri v2. It installs fine on CentOS 10 though, assuming that the user has the EPEL repository installed which provides the WebView dependency. I extended the docs to reflect this. Hence, with this PR, we drop support for CentOS 9 and now require CentOS 10. This allows us to remove a lot of cruft from our bundling process and instead entirely rely on the Tauri provided bundler. Lastly, for consistency with other platforms, the name of the application in places like app drawers has been changed from "Firezone Client" to just "Firezone". --------- Signed-off-by: Thomas Eizinger <thomas@eizinger.io> |
||
|
Thomas Eizinger
|
1bdba3601a |
feat(gui-client): rename IPC service to Tunnel service (#9154)
The name IPC service is not very descriptive. By nature of being separate processes, we need to use IPC to communicate between them. The important thing is that the service process has control over the tunnel. Therefore, we rename everything to "Tunnel service". The only part that is not changed are historic changelog entries. Resolves: #9048 |
||
|
Thomas Eizinger
|
a2bd667c69 |
refactor(gui-client): use existing IPC framework for deeplinks (#9047)
We already have a pretty powerful IPC framework in place to communicate between the GUI and the service process. The deeplink implemenation uses the same IPC mechanisms (UDS / pipes), yet it is effectively a re-implementation of what we already have, just with less functionality. In order to provide a more sophisticated handling of the case where Firezone is launched again while it is already running, we refactor the deeplink module to reuse the existing IPC framework. This makes it quite easy to then reuse this in order to ping the already running Firezone process that a new instance was launched. For now, this doesn't do anything other than writing a log entry. This however lays enough ground-work for us to then implement a more sophisticated handling of that case in the future, e.g. open new windows etc. One caveat here is that we are now trying to connect to an existing IPC socket on every startup, even the first one. Our IPC code has a retry loop of 10 iterations to be more resilient on Windows when connecting to pipes. Without any further changes, this would now delay the start of Firezone always by 1s because we would try to connect to the socket 10x before concluding that we are the first instance. To fix this, we make the number of attempts configurable and set it to 1 when attempting to the GUI IPC socket to avoid unnecessary delays in starting up the Client. Related: #5143. |
||
|
Thomas Eizinger
|
7d96953265 | ci: add integration test with ECN enabled (#9012) | ||
|
Jamil
|
06aa485e18 |
ci: Use search_domain for one resource in CI test (#8393)
- Adds a `search_domain` of `httpbin.test` in seeds - Updates one of our DNS resources under CI test to use this |
||
|
Jamil
|
b8852b3e7a |
ci: attach Windows headless client to release (#8041)
This publishes the windows headless client using the same convention set forth by the linux headless client. Docs and website changes will come in a subsequent PR. Related: #3782 Resolves: #8046 |
||
|
Thomas Eizinger
|
411c9b7899 |
ci: split installation test for GUI client into separate script (#7851)
In #7795, we optimised our CI pipeline to only test the installation of the GUI client whenever we actually upload to the draft release. This trigger has been moved to `workflow_dispatch`, meaning no CI builds neither from PRs nor `main` perform these steps. This makes it difficult to test GUI client binaries from PRs because they also no longer get uploaded to the artifacts of the CI run on the PR. To fix this, we split the testing away from the rename script and unconditionally run the rename script, which allows us to also always upload the binaries to the CI artifacts. Finally, uploading to the draft releases is only done when we explicitly trigger the workflow from `main`. This is a defense-in-depth measure: We should never publish a code to a release that hasn't been merged to `main`. |
||
|
Thomas Eizinger
|
9de1119b69 |
feat(connlib): support DNS over TCP (#6944)
At present, `connlib` only supports DNS over UDP on port 53. Responses
over UDP are size-constrained on the IP MTU and thus, not all DNS
responses fit into a UDP packet. RFC9210 therefore mandates that all DNS
resolvers must also support DNS over TCP to overcome this limitation
[0].
Handling UDP packets is easy, handling TCP streams is more difficult
because we need to effectively implement a valid TCP state machine.
Building on top of a lot of earlier work (linked in issue), this is
relatively easy because we can now simply import
`dns_over_tcp::{Client,Server}` which do the heavy lifting of sending
and receiving the correct packets for us.
The main aspects of the integration that are worth pointing out are:
- We can handle at most 10 concurrent DNS TCP connections _per defined
resolver_. The assumption here is that most applications will first
query for DNS records over UDP and only fall back to TCP if the response
is truncated. Additionally, we assume that clients will close the TCP
connections once they no longer need it.
- Errors on the TCP stream to an upstream resolver result in `SERVFAIL`
responses to the client.
- All TCP connections to upstream resolvers get reset when we roam, all
currently ongoing queries will be answered with `SERVFAIL`.
- Upon network reset (i.e. roaming), we also re-allocate new local ports
for all TCP sockets, similar to our UDP sockets.
Resolves: #6140.
[0]: https://www.ietf.org/rfc/rfc9210.html#section-3-5
|
||
|
Thomas Eizinger
|
650e31c784 |
ci: remove outdated integration tests (#6922)
Since we've added these tests, `connlib`'s test coverage has increased significantly to the point where we don't need all of them anymore. Especially pretty much everything in regards to relays is unnecessary to be tested using docker. These integration tests are sometimes flaky due to docker not starting or images failing to pull. Thus, having fewer of them is better because it increases CI reliability. Also, there are only so many jobs that GitHub will execute in parallel so having less jobs is better for that too. Resolves: #6451. --------- Signed-off-by: Thomas Eizinger <thomas@eizinger.io> |
||
|
Thomas Eizinger
|
35017537c7 |
feat(gateway): allow out-of-order allow_access requests (#6403)
Currently, the gateway requires a strict ordering of first receiving a `request_connection` message, following by multiple `allow_access` messages. Additionally, access can be granted as part of the initial `request_connection` message too. This isn't an ideal design. Setting up a new connection is infallible, all we need to do is send our ICE credentials back to the client. However, untangling that will require a bit more effort. Starting with #6335, following this strict order on the client is a more difficult. Whilst we can send them in order, it is harder to maintain those ordering guarantees across all our systems. To avoid this, we change the gateway to perform an upsert for its local ACLs for a client. In case that an `allow_access` call would somehow get to the gateway earlier, we can simply already create the `Peer` and only set up the actual connection later. --------- Signed-off-by: Jamil <jamilbk@users.noreply.github.com> Co-authored-by: Jamil <jamilbk@users.noreply.github.com> |
||
|
Jamil
|
84a981f668 |
refactor(ci): Remove browser-based integration tests (#6435)
Fixes a new issue with puppeteer, chromium 128, and Alpine 3.20 that's causing failing browser tests. See more: https://github.com/puppeteer/puppeteer/issues/12189 Failure: https://github.com/firezone/firezone/actions/runs/10549430305/job/29224528663?pr=6391 Unfortunately, puppeteer's embedded browser doesn't seem to want to run in Alpine: https://github.com/firezone/firezone/actions/runs/10563167497/job/29265175731?pr=6435#step:6:56 Fixing this is proving very difficult since we can't seem to use puppeteer with the latest Alpine images, so I questioned the need to have these in at all. These tests were added at a time where the DNS mappings were brittle, so we wanted to verify that relayed and direct connections held up as we deployed. This is no longer the case, and we also now have much more unit test coverage around these things, so given the pain of maintaining these (and the lack of a current solution to the above), they are removed. --------- Signed-off-by: Jamil <jamilbk@users.noreply.github.com> |
||
|
Reactor Scram
|
5eb2bba47b |
feat(headless-client): use systemd-resolved DNS control by default (#6163)
Closes #5063, supersedes #5850 Other refactors and changes made as part of this: - Adds the ability to disable DNS control on Windows - Removes the spooky-action-at-a-distance `from_env` functions that used to be buried in `tunnel` - `FIREZONE_DNS_CONTROL` is now a regular `clap` argument again --------- Signed-off-by: Reactor Scram <ReactorScram@users.noreply.github.com> |
||
|
dependabot[bot]
|
ab0263e85a |
build(deps): Bump puppeteer from 22.13.1 to 22.15.0 in /scripts/tests/browser (#6132)
Bumps [puppeteer](https://github.com/puppeteer/puppeteer) from 22.13.1 to 22.15.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/puppeteer/puppeteer/releases">puppeteer's releases</a>.</em></p> <blockquote> <h2>puppeteer-core: v22.15.0</h2> <h2><a href="https://github.com/puppeteer/puppeteer/compare/puppeteer-core-v22.14.0...puppeteer-core-v22.15.0">22.15.0</a> (2024-07-31)</h2> <h3>Features</h3> <ul> <li>support AbortSignal in waitForNavigation (<a href="https://redirect.github.com/puppeteer/puppeteer/issues/12852">#12852</a>) (<a href=" |
||
|
dependabot[bot]
|
6a15d714ec |
build(deps-dev): Bump @types/node from 20.14.12 to 22.0.2 in /scripts/tests/browser (#6131)
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 20.14.12 to 22.0.2. <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
Reactor Scram
|
96abc75b4d |
test(headless-client): remove sleep 3 (#6167)
This should be redundant now that we fixed the systemd notification in #6026 and cut a release. (Since compatibility tests will use the last release, not the tip of `main`) Signed-off-by: Reactor Scram <ReactorScram@users.noreply.github.com> |
||
|
Andrew Dryga
|
bf06534caf |
fix(portal): Prevent races during relay selection by only using the ones connected for more than 5 seconds ago (#6111)
Closes #6099 Should push #6109 to not being needed short term. |
||
|
dependabot[bot]
|
09916dea7e |
build(deps-dev): Bump typescript from 5.5.2 to 5.5.4 in /scripts/tests/browser (#5986)
Bumps [typescript](https://github.com/Microsoft/TypeScript) from 5.5.2 to 5.5.4. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/Microsoft/TypeScript/releases">typescript's releases</a>.</em></p> <blockquote> <h2>TypeScript 5.5.4</h2> <p>For release notes, check out the <a href="https://devblogs.microsoft.com/typescript/announcing-typescript-5-5/">release announcement</a>.</p> <p>For the complete list of fixed issues, check out the</p> <ul> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=is%3Aissue+milestone%3A%22TypeScript+5.5.4%22+is%3Aclosed+">fixed issues query for TypeScript v5.5.4 (Stable)</a>.</li> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=is%3Aissue+milestone%3A%22TypeScript+5.5.3%22+is%3Aclosed+">fixed issues query for TypeScript v5.5.3 (Stable)</a>.</li> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=is%3Aissue+milestone%3A%22TypeScript+5.5.2%22+is%3Aclosed+">fixed issues query for TypeScript v5.5.2 (Stable)</a>.</li> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=is%3Aissue+milestone%3A%22TypeScript+5.5.1%22+is%3Aclosed+">fixed issues query for TypeScript v5.5.1 (RC)</a>.</li> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=is%3Aissue+milestone%3A%22TypeScript+5.5.0%22+is%3Aclosed+">fixed issues query for TypeScript v5.5.0 (Beta)</a>.</li> </ul> <p>Downloads are available on:</p> <ul> <li><a href="https://www.npmjs.com/package/typescript">npm</a></li> <li><a href="https://www.nuget.org/packages/Microsoft.TypeScript.MSBuild">NuGet package</a> (soon!)</li> </ul> <h2>TypeScript 5.5.3</h2> <p>For release notes, check out the <a href="https://devblogs.microsoft.com/typescript/announcing-typescript-5-5/">release announcement</a>.</p> <p>For the complete list of fixed issues, check out the</p> <ul> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=is%3Aissue+milestone%3A%22TypeScript+5.5.3%22+is%3Aclosed+">fixed issues query for TypeScript v5.5.3 (Stable)</a>.</li> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=is%3Aissue+milestone%3A%22TypeScript+5.5.2%22+is%3Aclosed+">fixed issues query for TypeScript v5.5.2 (Stable)</a>.</li> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=is%3Aissue+milestone%3A%22TypeScript+5.5.1%22+is%3Aclosed+">fixed issues query for TypeScript v5.5.1 (RC)</a>.</li> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=is%3Aissue+milestone%3A%22TypeScript+5.5.0%22+is%3Aclosed+">fixed issues query for TypeScript v5.5.0 (Beta)</a>.</li> </ul> <p>Downloads are available on:</p> <ul> <li><a href="https://www.npmjs.com/package/typescript">npm</a></li> <li><a href="https://www.nuget.org/packages/Microsoft.TypeScript.MSBuild">NuGet package</a></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
Reactor Scram
|
6862213cc2 |
fix(headless-client/linux): only notify systemd that we're up after Resources are available (#6026)
Closes #5912 Before this, I had the `--exit` CLI flag and the `sd_notify` call hanging off the wrong callback. |
||
|
dependabot[bot]
|
bc0dceb323 |
build(deps): Bump puppeteer from 22.12.1 to 22.13.1 in /scripts/tests/browser (#5990)
Bumps [puppeteer](https://github.com/puppeteer/puppeteer) from 22.12.1 to 22.13.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/puppeteer/puppeteer/releases">puppeteer's releases</a>.</em></p> <blockquote> <h2>puppeteer-core: v22.13.1</h2> <h2><a href="https://github.com/puppeteer/puppeteer/compare/puppeteer-core-v22.13.0...puppeteer-core-v22.13.1">22.13.1</a> (2024-07-17)</h2> <h3>Bug Fixes</h3> <ul> <li>include Puppeteer version into utility world name (<a href="https://redirect.github.com/puppeteer/puppeteer/issues/12754">#12754</a>) (<a href=" |
||
|
dependabot[bot]
|
61fdeae8e7 |
build(deps-dev): Bump @types/node from 20.14.9 to 20.14.12 in /scripts/tests/browser (#5987)
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 20.14.9 to 20.14.12. <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
Thomas Eizinger
|
a8aafc9e14 |
ci: use bencher.dev for continuous benchmarking (#5915)
Currently, we have a homegrown benchmark suite that reports results of the iperf runs within CI by comparing a run on `main` with the current branch. These comments are noisy because they happen on every PR, regardless of the performance results. As a result, they tend to be skimmed over by devs and not actually considered. To properly track performance, we need to record benchmark results over time and use statistics to detect regressions. https://bencher.dev does exactly that. it supports various benchmark harnesses to automatically collect benchmarks. For our case, we simply use the generic JSON adapter to extract the relevant metrics from the iperf results and report them to the bencher backend. With these metrics in place, bencher can plot the results over time, and alert us in the case of regressions using thresholds based on statistical tests. Resolves: #5818. --------- Signed-off-by: Thomas Eizinger <thomas@eizinger.io> Co-authored-by: Reactor Scram <ReactorScram@users.noreply.github.com> |
||
|
Reactor Scram
|
d0f68fc133 |
test(gui-client): multi-process smoke test for GUI + IPC service (#5672)
```[tasklist] ### Tasks - [x] Check the GUI saves its settings file - [x] Check the IPC service writes the device ID to disk - [x] Check the GUI writes a log file (skipped - we already check if the exported zip has any files in it) - [x] Run the crash file through `minidump-stackwalk` - [x] Reach feature parity with the original smoke tests - [x] Ready for review - [x] Finish #5452 - [ ] Start on #5453 ``` |
||
|
Jamil
|
f4d9a204df |
ci: increase sleep for flaky integration tests due to slow GH runners (#5667)
Both of these deal with the tunnel interface being initialized, which seems to take more than 1s when we have a lot of jobs running. --------- Signed-off-by: Jamil <jamilbk@users.noreply.github.com> |
||
|
dependabot[bot]
|
d939699e0c |
build(deps-dev): Bump @types/node from 20.14.2 to 20.14.9 in /scripts/tests/browser (#5650)
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 20.14.2 to 20.14.9. <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
dependabot[bot]
|
7a979179a4 |
build(deps): Bump puppeteer from 22.12.0 to 22.12.1 in /scripts/tests/browser (#5649)
Bumps [puppeteer](https://github.com/puppeteer/puppeteer) from 22.12.0 to 22.12.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/puppeteer/puppeteer/releases">puppeteer's releases</a>.</em></p> <blockquote> <h2>puppeteer-core: v22.12.1</h2> <h2><a href="https://github.com/puppeteer/puppeteer/compare/puppeteer-core-v22.12.0...puppeteer-core-v22.12.1">22.12.1</a> (2024-06-26)</h2> <h3>Bug Fixes</h3> <ul> <li>execution contexts might be created before previous is destroyed (<a href="https://redirect.github.com/puppeteer/puppeteer/issues/12666">#12666</a>) (<a href=" |
||
|
dependabot[bot]
|
258a7a0d74 |
build(deps-dev): Bump typescript from 5.4.5 to 5.5.2 in /scripts/tests/browser (#5648)
Bumps [typescript](https://github.com/Microsoft/TypeScript) from 5.4.5 to 5.5.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/Microsoft/TypeScript/releases">typescript's releases</a>.</em></p> <blockquote> <h2>TypeScript 5.5</h2> <p>For release notes, check out the <a href="https://devblogs.microsoft.com/typescript/announcing-typescript-5-5/">release announcement</a>.</p> <p>For the complete list of fixed issues, check out the</p> <ul> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=is%3Aissue+milestone%3A%22TypeScript+5.5.2%22+is%3Aclosed+">fixed issues query for TypeScript v5.5.2 (Stable)</a>.</li> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=is%3Aissue+milestone%3A%22TypeScript+5.5.1%22+is%3Aclosed+">fixed issues query for TypeScript v5.5.1 (RC)</a>.</li> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=is%3Aissue+milestone%3A%22TypeScript+5.5.0%22+is%3Aclosed+">fixed issues query for TypeScript v5.5.0 (Beta)</a>.</li> </ul> <p>Downloads are available on:</p> <ul> <li><a href="https://www.npmjs.com/package/typescript">npm</a></li> <li><a href="https://www.nuget.org/packages/Microsoft.TypeScript.MSBuild">NuGet package</a></li> </ul> <h2>TypeScript 5.5 RC</h2> <p>For release notes, check out the <a href="https://devblogs.microsoft.com/typescript/announcing-typescript-5-5-rc/">release announcement</a>.</p> <p>For the complete list of fixed issues, check out the</p> <ul> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=milestone%3A%22TypeScript+5.5.0%22+is%3Aclosed+">fixed issues query for Typescript 5.5.0 (Beta)</a>.</li> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=milestone%3A%22TypeScript+5.5.1%22+is%3Aclosed+">fixed issues query for Typescript 5.5.1 (RC)</a>.</li> </ul> <p>Downloads are available on:</p> <ul> <li><a href="https://www.nuget.org/packages/Microsoft.TypeScript.MSBuild">NuGet package</a></li> </ul> <h2>TypeScript 5.5 Beta</h2> <p>For release notes, check out the <a href="https://devblogs.microsoft.com/typescript/announcing-typescript-5-5-beta/">release announcement</a>.</p> <p>For the complete list of fixed issues, check out the</p> <ul> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=milestone%3A%22TypeScript+5.5.0%22+is%3Aclosed+">fixed issues query for Typescript 5.5.0 (Beta)</a>.</li> </ul> <p>Downloads are available on:</p> <ul> <li><a href="https://www.npmjs.com/package/typescript">npm</a></li> <li><a href="https://www.nuget.org/packages/Microsoft.TypeScript.MSBuild">NuGet package</a></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
Thomas Eizinger
|
d3a091f90b |
ci: pre-install required tools for smoke tests (#5620)
Currently, the smoke tests rebuild the `dump_syms` and `minidump-stackwalk` tools from scratch every time which is slow, especially on Windows. We can speed this up by utilising the `taiki-e/install-action` GitHub action which discovers and downloads the latest binary releases of those projects and installs them into $PATH. I think those binaries might also be cached as part of the Rust cache action (https://github.com/Swatinem/rust-cache) so the visible speed-up is only within a few seconds and comes from the binaries not being re-built inside the script. Caching those binaries on Github still requires us to build them at least once and also rebuild them in case the cache gets invalidated. Hence I still think this is a good idea on its own. |
||
|
dependabot[bot]
|
c7fbb750be |
build(deps): Bump the npm_and_yarn group in /scripts/tests/browser with 2 updates (#5499)
Bumps the npm_and_yarn group in /scripts/tests/browser with 2 updates: [ws](https://github.com/websockets/ws) and [puppeteer](https://github.com/puppeteer/puppeteer). Updates `ws` from 8.17.0 to 8.17.1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/websockets/ws/releases">ws's releases</a>.</em></p> <blockquote> <h2>8.17.1</h2> <h1>Bug fixes</h1> <ul> <li>Fixed a DoS vulnerability (<a href="https://redirect.github.com/websockets/ws/issues/2231">#2231</a>).</li> </ul> <p>A request with a number of headers exceeding the[<code>server.maxHeadersCount</code>][] threshold could be used to crash a ws server.</p> <pre lang="js"><code>const http = require('http'); const WebSocket = require('ws'); <p>const wss = new WebSocket.Server({ port: 0 }, function () { const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split(''); const headers = {}; let count = 0;</p> <p>for (let i = 0; i < chars.length; i++) { if (count === 2000) break;</p> <pre><code>for (let j = 0; j &lt; chars.length; j++) { const key = chars[i] + chars[j]; headers[key] = 'x'; if (++count === 2000) break; } </code></pre> <p>}</p> <p>headers.Connection = 'Upgrade'; headers.Upgrade = 'websocket'; headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ=='; headers['Sec-WebSocket-Version'] = '13';</p> <p>const request = http.request({ headers: headers, host: '127.0.0.1', port: wss.address().port });</p> <p>request.end(); }); </code></pre></p> <p>The vulnerability was reported by <a href="https://github.com/rrlapointe">Ryan LaPointe</a> in <a href="https://redirect.github.com/websockets/ws/issues/2230">websockets/ws#2230</a>.</p> <p>In vulnerable versions of ws, the issue can be mitigated in the following ways:</p> <ol> <li>Reduce the maximum allowed length of the request headers using the [<code>--max-http-header-size=size</code>][] and/or the [<code>maxHeaderSize</code>][] options so that no more headers than the <code>server.maxHeadersCount</code> limit can be sent.</li> </ol> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
Thomas Eizinger
|
7159ffb34b |
ci: timeout curl requests after 30s (#5537)
Currently, we rely on curl's default timeout when connecting to a resource. This is problematic because the `direct-dns` and `relayed-dns` integration tests check that a certain resource _isn't_ accessible and this test currently waits for 5 minutes to assert that. We can shorten this and thus every CI by passing a `--connect-timeout` to `curl`. See https://github.com/firezone/firezone/actions/runs/9656570163/job/26634409843#step:6:445 for an example CI run on `main`. |
||
|
Thomas Eizinger
|
eec615eddb |
refactor(connlib): drop all connections when roaming (#5308)
Currently, `snownet` tries to be very clever in how it roams connections. This is/was necessary because we associated DNS-specific state with a connection. More specifically, the assigned proxy IPs for a DNS resource are stored as part of a connection with the gateway. As a result, DNS resources would always break if the underlying connection in `snownet` failed. This is quite error prone and means, `snownet` must be very careful to never-ever fail a connection erroneously. With #5049, we no longer store any important state with a connection and thus, can implement roaming in much simpler way: Drop all connections and let the incoming packets create new ones. This is much more robust as we don't have to "patch" existing state in `snownet` as part of roaming. We test this new functionality by adding a `RoamClient` transition to `tunnel_test`. This ensures roaming works in a lot of scenarios, including relayed and non-relayed situations as well as roaming between either of them. As a result, we can delete several of the more specific test cases of `snownet`. Depends-On: #5049. Replaces: #5060. Resolves: #5080. |
||
|
Reactor Scram
|
b8f92ed812 |
test(gui-client): fix zip file export in smoke tests (#5465)
Closes #5464 These were silently broken, it was exporting an empty zip and passing the test anyway. So this PR will cause the test to fail if the zip wasn't fully exported, and then it will fix the export. |
||
|
dependabot[bot]
|
3cd724215c |
build(deps): Bump puppeteer from 22.10.0 to 22.10.1 in /scripts/tests/browser (#5316)
Bumps [puppeteer](https://github.com/puppeteer/puppeteer) from 22.10.0 to 22.10.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/puppeteer/puppeteer/releases">puppeteer's releases</a>.</em></p> <blockquote> <h2>puppeteer-core: v22.10.1</h2> <h2><a href="https://github.com/puppeteer/puppeteer/compare/puppeteer-core-v22.10.0...puppeteer-core-v22.10.1">22.10.1</a> (2024-06-11)</h2> <h3>Bug Fixes</h3> <ul> <li>add a way to run page.$$ without the isolation (<a href="https://redirect.github.com/puppeteer/puppeteer/issues/12539">#12539</a>) (<a href=" |
||
|
dependabot[bot]
|
3e177230cd |
build(deps-dev): Bump @types/node from 20.13.0 to 20.14.2 in /scripts/tests/browser (#5317)
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 20.13.0 to 20.14.2. <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
dependabot[bot]
|
41313ebc68 |
build(deps): Bump puppeteer from 22.7.1 to 22.10.0 in /scripts/tests/browser (#5172)
Bumps [puppeteer](https://github.com/puppeteer/puppeteer) from 22.7.1 to 22.10.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/puppeteer/puppeteer/releases">puppeteer's releases</a>.</em></p> <blockquote> <h2>puppeteer-core: v22.10.0</h2> <h2><a href="https://github.com/puppeteer/puppeteer/compare/puppeteer-core-v22.9.0...puppeteer-core-v22.10.0">22.10.0</a> (2024-05-24)</h2> <h3>Features</h3> <ul> <li>support running Puppeteer in extensions (<a href="https://redirect.github.com/puppeteer/puppeteer/issues/12459">#12459</a>) (<a href=" |
||
|
dependabot[bot]
|
f2472c27b0 |
build(deps-dev): Bump @types/node from 20.12.7 to 20.13.0 in /scripts/tests/browser (#5173)
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 20.12.7 to 20.13.0. <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
Reactor Scram
|
04fd2f9581 |
chore(gui-client): disable the Welcome screen only after the first sign-in (#5066)
Closes #5015. This way if the user opens and closes the GUI without doing anything, the Welcome screen still appears until they successfully sign in. Previously the `ran_before` flag was set after the first GUI startup. Tested on Windows once. |
||
|
Reactor Scram
|
9c143bced3 |
test: remove backwards compatibility code for older Docker images (#4993)
Closes #4951 |
||
|
Jamil
|
469e970056 |
ci: fix flaky dns-systemd test by waiting a second before running (#4962)
It [appears](https://github.com/firezone/firezone/actions/runs/9052492759/job/24870262108?pr=4961) that occasionally the test runs before DNS sentinel is applied and/or Resources updated. |
||
|
Reactor Scram
|
0ad72f00d1 |
refactor(headless-client): remove "linux-client" alias (#4933)
Is this worth it? ```[tasklist] ### Before merging - [x] Double-check docs and ask Jamil to review - [x] Would need Brian to review the terraform thing - [x] Make sure Docker compat isn't broken for existing users (shouldn't be, the image is still just `client`) - [x] Decide whether compatibility tests need to pass (if something breaks after merge we can revert this) ``` |
||
|
Reactor Scram
|
390f9de811 |
refactor(ci): use the same test framework for headless client and IPC service (#4943)
This will fix an issue with `linux-group` and `token-path` that happens when I try to split up the binaries. ```[tasklist] ### Before merging - [x] Fix linux-group. That stub-ipc-client command doesn't even exist anymore ``` |
||
|
Reactor Scram
|
42bafa898c |
chore(ci): fix debug_exit in the flaky systemd DNS test (#4934)
If these fail we shouldn't bail out since we're already bailing out and we need them to continue for debug output. Refs #4921 |
||
|
Reactor Scram
|
65064b1907 |
chore(ci): add debugging for that flaky DNS test (#4926)
Refs #4921 I'm not sure of the cause yet. This extra debugging code should narrow it down. |
||
|
Reactor Scram
|
cdebfa6901 |
chore(gui-client/linux): fix group name, firezone should be firezone-client (#4889)
Also improved the manual testing checklist a little |
||
|
Reactor Scram
|
e8b1736cb0 |
chore(gui-client/linux): show an error if the user doesn't belong to the firezone group (#4822)
Ran into this during testing. For some reason Ubuntu 20.04, maybe others, requires a reboot to add the desktop user to a group. I thought logging out and back in should be enough but it's not. <img width="527" alt="image" src="https://github.com/firezone/firezone/assets/13400041/4f7c2551-c7aa-4ecc-be55-66c6e6ac32a0"> --------- Signed-off-by: Reactor Scram <ReactorScram@users.noreply.github.com> |
||
|
Reactor Scram
|
35a802d6d9 |
chore(gui-client/linux): add install script and change group to firezone-client (#4879)
Closes #4873 |
||
|
dependabot[bot]
|
6172d6c080 |
build(deps): Bump puppeteer from 22.6.4 to 22.7.1 in /scripts/tests/browser (#4866)
Bumps [puppeteer](https://github.com/puppeteer/puppeteer) from 22.6.4 to 22.7.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/puppeteer/puppeteer/releases">puppeteer's releases</a>.</em></p> <blockquote> <h2>puppeteer-core: v22.7.1</h2> <h2><a href="https://github.com/puppeteer/puppeteer/compare/puppeteer-core-v22.7.0...puppeteer-core-v22.7.1">22.7.1</a> (2024-04-25)</h2> <h3>Bug Fixes</h3> <ul> <li>roll to Chrome 124.0.6367.78 (r1274542) (<a href="https://redirect.github.com/puppeteer/puppeteer/issues/12314">#12314</a>) (<a href=" |
||
|
Reactor Scram
|
be4053f4f5 |
refactor(gui-client/linux): use the same systemd service file in CI as in production (#4832)
This will keep the files from going out of sync. This PR also checks that the IPC service creates the IPC socket with `root:firezone` as the owner and group, when running under systemd. |
||
|
Jamil
|
a43f39ae8b |
perf: increase UDP send rate for performance test (#4793)
Now that we've worked out the flakiness from the iperf tests, we should increase the UDP send rate so we have some benchmark of how many packets we can actually handle before dropping. |