mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 18:18:55 +00:00
60ab106b6741be91d0a29cda5ee436fc2ccfa153
103 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Jamil
|
b8852b3e7a |
ci: attach Windows headless client to release (#8041)
This publishes the windows headless client using the same convention set forth by the linux headless client. Docs and website changes will come in a subsequent PR. Related: #3782 Resolves: #8046 |
||
|
Thomas Eizinger
|
411c9b7899 |
ci: split installation test for GUI client into separate script (#7851)
In #7795, we optimised our CI pipeline to only test the installation of the GUI client whenever we actually upload to the draft release. This trigger has been moved to `workflow_dispatch`, meaning no CI builds neither from PRs nor `main` perform these steps. This makes it difficult to test GUI client binaries from PRs because they also no longer get uploaded to the artifacts of the CI run on the PR. To fix this, we split the testing away from the rename script and unconditionally run the rename script, which allows us to also always upload the binaries to the CI artifacts. Finally, uploading to the draft releases is only done when we explicitly trigger the workflow from `main`. This is a defense-in-depth measure: We should never publish a code to a release that hasn't been merged to `main`. |
||
|
Thomas Eizinger
|
9de1119b69 |
feat(connlib): support DNS over TCP (#6944)
At present, `connlib` only supports DNS over UDP on port 53. Responses
over UDP are size-constrained on the IP MTU and thus, not all DNS
responses fit into a UDP packet. RFC9210 therefore mandates that all DNS
resolvers must also support DNS over TCP to overcome this limitation
[0].
Handling UDP packets is easy, handling TCP streams is more difficult
because we need to effectively implement a valid TCP state machine.
Building on top of a lot of earlier work (linked in issue), this is
relatively easy because we can now simply import
`dns_over_tcp::{Client,Server}` which do the heavy lifting of sending
and receiving the correct packets for us.
The main aspects of the integration that are worth pointing out are:
- We can handle at most 10 concurrent DNS TCP connections _per defined
resolver_. The assumption here is that most applications will first
query for DNS records over UDP and only fall back to TCP if the response
is truncated. Additionally, we assume that clients will close the TCP
connections once they no longer need it.
- Errors on the TCP stream to an upstream resolver result in `SERVFAIL`
responses to the client.
- All TCP connections to upstream resolvers get reset when we roam, all
currently ongoing queries will be answered with `SERVFAIL`.
- Upon network reset (i.e. roaming), we also re-allocate new local ports
for all TCP sockets, similar to our UDP sockets.
Resolves: #6140.
[0]: https://www.ietf.org/rfc/rfc9210.html#section-3-5
|
||
|
Thomas Eizinger
|
650e31c784 |
ci: remove outdated integration tests (#6922)
Since we've added these tests, `connlib`'s test coverage has increased significantly to the point where we don't need all of them anymore. Especially pretty much everything in regards to relays is unnecessary to be tested using docker. These integration tests are sometimes flaky due to docker not starting or images failing to pull. Thus, having fewer of them is better because it increases CI reliability. Also, there are only so many jobs that GitHub will execute in parallel so having less jobs is better for that too. Resolves: #6451. --------- Signed-off-by: Thomas Eizinger <thomas@eizinger.io> |
||
|
Thomas Eizinger
|
35017537c7 |
feat(gateway): allow out-of-order allow_access requests (#6403)
Currently, the gateway requires a strict ordering of first receiving a `request_connection` message, following by multiple `allow_access` messages. Additionally, access can be granted as part of the initial `request_connection` message too. This isn't an ideal design. Setting up a new connection is infallible, all we need to do is send our ICE credentials back to the client. However, untangling that will require a bit more effort. Starting with #6335, following this strict order on the client is a more difficult. Whilst we can send them in order, it is harder to maintain those ordering guarantees across all our systems. To avoid this, we change the gateway to perform an upsert for its local ACLs for a client. In case that an `allow_access` call would somehow get to the gateway earlier, we can simply already create the `Peer` and only set up the actual connection later. --------- Signed-off-by: Jamil <jamilbk@users.noreply.github.com> Co-authored-by: Jamil <jamilbk@users.noreply.github.com> |
||
|
Jamil
|
84a981f668 |
refactor(ci): Remove browser-based integration tests (#6435)
Fixes a new issue with puppeteer, chromium 128, and Alpine 3.20 that's causing failing browser tests. See more: https://github.com/puppeteer/puppeteer/issues/12189 Failure: https://github.com/firezone/firezone/actions/runs/10549430305/job/29224528663?pr=6391 Unfortunately, puppeteer's embedded browser doesn't seem to want to run in Alpine: https://github.com/firezone/firezone/actions/runs/10563167497/job/29265175731?pr=6435#step:6:56 Fixing this is proving very difficult since we can't seem to use puppeteer with the latest Alpine images, so I questioned the need to have these in at all. These tests were added at a time where the DNS mappings were brittle, so we wanted to verify that relayed and direct connections held up as we deployed. This is no longer the case, and we also now have much more unit test coverage around these things, so given the pain of maintaining these (and the lack of a current solution to the above), they are removed. --------- Signed-off-by: Jamil <jamilbk@users.noreply.github.com> |
||
|
Reactor Scram
|
5eb2bba47b |
feat(headless-client): use systemd-resolved DNS control by default (#6163)
Closes #5063, supersedes #5850 Other refactors and changes made as part of this: - Adds the ability to disable DNS control on Windows - Removes the spooky-action-at-a-distance `from_env` functions that used to be buried in `tunnel` - `FIREZONE_DNS_CONTROL` is now a regular `clap` argument again --------- Signed-off-by: Reactor Scram <ReactorScram@users.noreply.github.com> |
||
|
dependabot[bot]
|
ab0263e85a |
build(deps): Bump puppeteer from 22.13.1 to 22.15.0 in /scripts/tests/browser (#6132)
Bumps [puppeteer](https://github.com/puppeteer/puppeteer) from 22.13.1 to 22.15.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/puppeteer/puppeteer/releases">puppeteer's releases</a>.</em></p> <blockquote> <h2>puppeteer-core: v22.15.0</h2> <h2><a href="https://github.com/puppeteer/puppeteer/compare/puppeteer-core-v22.14.0...puppeteer-core-v22.15.0">22.15.0</a> (2024-07-31)</h2> <h3>Features</h3> <ul> <li>support AbortSignal in waitForNavigation (<a href="https://redirect.github.com/puppeteer/puppeteer/issues/12852">#12852</a>) (<a href=" |
||
|
dependabot[bot]
|
6a15d714ec |
build(deps-dev): Bump @types/node from 20.14.12 to 22.0.2 in /scripts/tests/browser (#6131)
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 20.14.12 to 22.0.2. <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
Reactor Scram
|
96abc75b4d |
test(headless-client): remove sleep 3 (#6167)
This should be redundant now that we fixed the systemd notification in #6026 and cut a release. (Since compatibility tests will use the last release, not the tip of `main`) Signed-off-by: Reactor Scram <ReactorScram@users.noreply.github.com> |
||
|
Andrew Dryga
|
bf06534caf |
fix(portal): Prevent races during relay selection by only using the ones connected for more than 5 seconds ago (#6111)
Closes #6099 Should push #6109 to not being needed short term. |
||
|
dependabot[bot]
|
09916dea7e |
build(deps-dev): Bump typescript from 5.5.2 to 5.5.4 in /scripts/tests/browser (#5986)
Bumps [typescript](https://github.com/Microsoft/TypeScript) from 5.5.2 to 5.5.4. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/Microsoft/TypeScript/releases">typescript's releases</a>.</em></p> <blockquote> <h2>TypeScript 5.5.4</h2> <p>For release notes, check out the <a href="https://devblogs.microsoft.com/typescript/announcing-typescript-5-5/">release announcement</a>.</p> <p>For the complete list of fixed issues, check out the</p> <ul> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=is%3Aissue+milestone%3A%22TypeScript+5.5.4%22+is%3Aclosed+">fixed issues query for TypeScript v5.5.4 (Stable)</a>.</li> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=is%3Aissue+milestone%3A%22TypeScript+5.5.3%22+is%3Aclosed+">fixed issues query for TypeScript v5.5.3 (Stable)</a>.</li> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=is%3Aissue+milestone%3A%22TypeScript+5.5.2%22+is%3Aclosed+">fixed issues query for TypeScript v5.5.2 (Stable)</a>.</li> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=is%3Aissue+milestone%3A%22TypeScript+5.5.1%22+is%3Aclosed+">fixed issues query for TypeScript v5.5.1 (RC)</a>.</li> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=is%3Aissue+milestone%3A%22TypeScript+5.5.0%22+is%3Aclosed+">fixed issues query for TypeScript v5.5.0 (Beta)</a>.</li> </ul> <p>Downloads are available on:</p> <ul> <li><a href="https://www.npmjs.com/package/typescript">npm</a></li> <li><a href="https://www.nuget.org/packages/Microsoft.TypeScript.MSBuild">NuGet package</a> (soon!)</li> </ul> <h2>TypeScript 5.5.3</h2> <p>For release notes, check out the <a href="https://devblogs.microsoft.com/typescript/announcing-typescript-5-5/">release announcement</a>.</p> <p>For the complete list of fixed issues, check out the</p> <ul> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=is%3Aissue+milestone%3A%22TypeScript+5.5.3%22+is%3Aclosed+">fixed issues query for TypeScript v5.5.3 (Stable)</a>.</li> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=is%3Aissue+milestone%3A%22TypeScript+5.5.2%22+is%3Aclosed+">fixed issues query for TypeScript v5.5.2 (Stable)</a>.</li> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=is%3Aissue+milestone%3A%22TypeScript+5.5.1%22+is%3Aclosed+">fixed issues query for TypeScript v5.5.1 (RC)</a>.</li> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=is%3Aissue+milestone%3A%22TypeScript+5.5.0%22+is%3Aclosed+">fixed issues query for TypeScript v5.5.0 (Beta)</a>.</li> </ul> <p>Downloads are available on:</p> <ul> <li><a href="https://www.npmjs.com/package/typescript">npm</a></li> <li><a href="https://www.nuget.org/packages/Microsoft.TypeScript.MSBuild">NuGet package</a></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
Reactor Scram
|
6862213cc2 |
fix(headless-client/linux): only notify systemd that we're up after Resources are available (#6026)
Closes #5912 Before this, I had the `--exit` CLI flag and the `sd_notify` call hanging off the wrong callback. |
||
|
dependabot[bot]
|
bc0dceb323 |
build(deps): Bump puppeteer from 22.12.1 to 22.13.1 in /scripts/tests/browser (#5990)
Bumps [puppeteer](https://github.com/puppeteer/puppeteer) from 22.12.1 to 22.13.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/puppeteer/puppeteer/releases">puppeteer's releases</a>.</em></p> <blockquote> <h2>puppeteer-core: v22.13.1</h2> <h2><a href="https://github.com/puppeteer/puppeteer/compare/puppeteer-core-v22.13.0...puppeteer-core-v22.13.1">22.13.1</a> (2024-07-17)</h2> <h3>Bug Fixes</h3> <ul> <li>include Puppeteer version into utility world name (<a href="https://redirect.github.com/puppeteer/puppeteer/issues/12754">#12754</a>) (<a href=" |
||
|
dependabot[bot]
|
61fdeae8e7 |
build(deps-dev): Bump @types/node from 20.14.9 to 20.14.12 in /scripts/tests/browser (#5987)
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 20.14.9 to 20.14.12. <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
Thomas Eizinger
|
a8aafc9e14 |
ci: use bencher.dev for continuous benchmarking (#5915)
Currently, we have a homegrown benchmark suite that reports results of the iperf runs within CI by comparing a run on `main` with the current branch. These comments are noisy because they happen on every PR, regardless of the performance results. As a result, they tend to be skimmed over by devs and not actually considered. To properly track performance, we need to record benchmark results over time and use statistics to detect regressions. https://bencher.dev does exactly that. it supports various benchmark harnesses to automatically collect benchmarks. For our case, we simply use the generic JSON adapter to extract the relevant metrics from the iperf results and report them to the bencher backend. With these metrics in place, bencher can plot the results over time, and alert us in the case of regressions using thresholds based on statistical tests. Resolves: #5818. --------- Signed-off-by: Thomas Eizinger <thomas@eizinger.io> Co-authored-by: Reactor Scram <ReactorScram@users.noreply.github.com> |
||
|
Reactor Scram
|
d0f68fc133 |
test(gui-client): multi-process smoke test for GUI + IPC service (#5672)
```[tasklist] ### Tasks - [x] Check the GUI saves its settings file - [x] Check the IPC service writes the device ID to disk - [x] Check the GUI writes a log file (skipped - we already check if the exported zip has any files in it) - [x] Run the crash file through `minidump-stackwalk` - [x] Reach feature parity with the original smoke tests - [x] Ready for review - [x] Finish #5452 - [ ] Start on #5453 ``` |
||
|
Jamil
|
f4d9a204df |
ci: increase sleep for flaky integration tests due to slow GH runners (#5667)
Both of these deal with the tunnel interface being initialized, which seems to take more than 1s when we have a lot of jobs running. --------- Signed-off-by: Jamil <jamilbk@users.noreply.github.com> |
||
|
dependabot[bot]
|
d939699e0c |
build(deps-dev): Bump @types/node from 20.14.2 to 20.14.9 in /scripts/tests/browser (#5650)
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 20.14.2 to 20.14.9. <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
dependabot[bot]
|
7a979179a4 |
build(deps): Bump puppeteer from 22.12.0 to 22.12.1 in /scripts/tests/browser (#5649)
Bumps [puppeteer](https://github.com/puppeteer/puppeteer) from 22.12.0 to 22.12.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/puppeteer/puppeteer/releases">puppeteer's releases</a>.</em></p> <blockquote> <h2>puppeteer-core: v22.12.1</h2> <h2><a href="https://github.com/puppeteer/puppeteer/compare/puppeteer-core-v22.12.0...puppeteer-core-v22.12.1">22.12.1</a> (2024-06-26)</h2> <h3>Bug Fixes</h3> <ul> <li>execution contexts might be created before previous is destroyed (<a href="https://redirect.github.com/puppeteer/puppeteer/issues/12666">#12666</a>) (<a href=" |
||
|
dependabot[bot]
|
258a7a0d74 |
build(deps-dev): Bump typescript from 5.4.5 to 5.5.2 in /scripts/tests/browser (#5648)
Bumps [typescript](https://github.com/Microsoft/TypeScript) from 5.4.5 to 5.5.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/Microsoft/TypeScript/releases">typescript's releases</a>.</em></p> <blockquote> <h2>TypeScript 5.5</h2> <p>For release notes, check out the <a href="https://devblogs.microsoft.com/typescript/announcing-typescript-5-5/">release announcement</a>.</p> <p>For the complete list of fixed issues, check out the</p> <ul> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=is%3Aissue+milestone%3A%22TypeScript+5.5.2%22+is%3Aclosed+">fixed issues query for TypeScript v5.5.2 (Stable)</a>.</li> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=is%3Aissue+milestone%3A%22TypeScript+5.5.1%22+is%3Aclosed+">fixed issues query for TypeScript v5.5.1 (RC)</a>.</li> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=is%3Aissue+milestone%3A%22TypeScript+5.5.0%22+is%3Aclosed+">fixed issues query for TypeScript v5.5.0 (Beta)</a>.</li> </ul> <p>Downloads are available on:</p> <ul> <li><a href="https://www.npmjs.com/package/typescript">npm</a></li> <li><a href="https://www.nuget.org/packages/Microsoft.TypeScript.MSBuild">NuGet package</a></li> </ul> <h2>TypeScript 5.5 RC</h2> <p>For release notes, check out the <a href="https://devblogs.microsoft.com/typescript/announcing-typescript-5-5-rc/">release announcement</a>.</p> <p>For the complete list of fixed issues, check out the</p> <ul> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=milestone%3A%22TypeScript+5.5.0%22+is%3Aclosed+">fixed issues query for Typescript 5.5.0 (Beta)</a>.</li> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=milestone%3A%22TypeScript+5.5.1%22+is%3Aclosed+">fixed issues query for Typescript 5.5.1 (RC)</a>.</li> </ul> <p>Downloads are available on:</p> <ul> <li><a href="https://www.nuget.org/packages/Microsoft.TypeScript.MSBuild">NuGet package</a></li> </ul> <h2>TypeScript 5.5 Beta</h2> <p>For release notes, check out the <a href="https://devblogs.microsoft.com/typescript/announcing-typescript-5-5-beta/">release announcement</a>.</p> <p>For the complete list of fixed issues, check out the</p> <ul> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=milestone%3A%22TypeScript+5.5.0%22+is%3Aclosed+">fixed issues query for Typescript 5.5.0 (Beta)</a>.</li> </ul> <p>Downloads are available on:</p> <ul> <li><a href="https://www.npmjs.com/package/typescript">npm</a></li> <li><a href="https://www.nuget.org/packages/Microsoft.TypeScript.MSBuild">NuGet package</a></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
Thomas Eizinger
|
d3a091f90b |
ci: pre-install required tools for smoke tests (#5620)
Currently, the smoke tests rebuild the `dump_syms` and `minidump-stackwalk` tools from scratch every time which is slow, especially on Windows. We can speed this up by utilising the `taiki-e/install-action` GitHub action which discovers and downloads the latest binary releases of those projects and installs them into $PATH. I think those binaries might also be cached as part of the Rust cache action (https://github.com/Swatinem/rust-cache) so the visible speed-up is only within a few seconds and comes from the binaries not being re-built inside the script. Caching those binaries on Github still requires us to build them at least once and also rebuild them in case the cache gets invalidated. Hence I still think this is a good idea on its own. |
||
|
dependabot[bot]
|
c7fbb750be |
build(deps): Bump the npm_and_yarn group in /scripts/tests/browser with 2 updates (#5499)
Bumps the npm_and_yarn group in /scripts/tests/browser with 2 updates: [ws](https://github.com/websockets/ws) and [puppeteer](https://github.com/puppeteer/puppeteer). Updates `ws` from 8.17.0 to 8.17.1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/websockets/ws/releases">ws's releases</a>.</em></p> <blockquote> <h2>8.17.1</h2> <h1>Bug fixes</h1> <ul> <li>Fixed a DoS vulnerability (<a href="https://redirect.github.com/websockets/ws/issues/2231">#2231</a>).</li> </ul> <p>A request with a number of headers exceeding the[<code>server.maxHeadersCount</code>][] threshold could be used to crash a ws server.</p> <pre lang="js"><code>const http = require('http'); const WebSocket = require('ws'); <p>const wss = new WebSocket.Server({ port: 0 }, function () { const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split(''); const headers = {}; let count = 0;</p> <p>for (let i = 0; i < chars.length; i++) { if (count === 2000) break;</p> <pre><code>for (let j = 0; j &lt; chars.length; j++) { const key = chars[i] + chars[j]; headers[key] = 'x'; if (++count === 2000) break; } </code></pre> <p>}</p> <p>headers.Connection = 'Upgrade'; headers.Upgrade = 'websocket'; headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ=='; headers['Sec-WebSocket-Version'] = '13';</p> <p>const request = http.request({ headers: headers, host: '127.0.0.1', port: wss.address().port });</p> <p>request.end(); }); </code></pre></p> <p>The vulnerability was reported by <a href="https://github.com/rrlapointe">Ryan LaPointe</a> in <a href="https://redirect.github.com/websockets/ws/issues/2230">websockets/ws#2230</a>.</p> <p>In vulnerable versions of ws, the issue can be mitigated in the following ways:</p> <ol> <li>Reduce the maximum allowed length of the request headers using the [<code>--max-http-header-size=size</code>][] and/or the [<code>maxHeaderSize</code>][] options so that no more headers than the <code>server.maxHeadersCount</code> limit can be sent.</li> </ol> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
Thomas Eizinger
|
7159ffb34b |
ci: timeout curl requests after 30s (#5537)
Currently, we rely on curl's default timeout when connecting to a resource. This is problematic because the `direct-dns` and `relayed-dns` integration tests check that a certain resource _isn't_ accessible and this test currently waits for 5 minutes to assert that. We can shorten this and thus every CI by passing a `--connect-timeout` to `curl`. See https://github.com/firezone/firezone/actions/runs/9656570163/job/26634409843#step:6:445 for an example CI run on `main`. |
||
|
Thomas Eizinger
|
eec615eddb |
refactor(connlib): drop all connections when roaming (#5308)
Currently, `snownet` tries to be very clever in how it roams connections. This is/was necessary because we associated DNS-specific state with a connection. More specifically, the assigned proxy IPs for a DNS resource are stored as part of a connection with the gateway. As a result, DNS resources would always break if the underlying connection in `snownet` failed. This is quite error prone and means, `snownet` must be very careful to never-ever fail a connection erroneously. With #5049, we no longer store any important state with a connection and thus, can implement roaming in much simpler way: Drop all connections and let the incoming packets create new ones. This is much more robust as we don't have to "patch" existing state in `snownet` as part of roaming. We test this new functionality by adding a `RoamClient` transition to `tunnel_test`. This ensures roaming works in a lot of scenarios, including relayed and non-relayed situations as well as roaming between either of them. As a result, we can delete several of the more specific test cases of `snownet`. Depends-On: #5049. Replaces: #5060. Resolves: #5080. |
||
|
Reactor Scram
|
b8f92ed812 |
test(gui-client): fix zip file export in smoke tests (#5465)
Closes #5464 These were silently broken, it was exporting an empty zip and passing the test anyway. So this PR will cause the test to fail if the zip wasn't fully exported, and then it will fix the export. |
||
|
dependabot[bot]
|
3cd724215c |
build(deps): Bump puppeteer from 22.10.0 to 22.10.1 in /scripts/tests/browser (#5316)
Bumps [puppeteer](https://github.com/puppeteer/puppeteer) from 22.10.0 to 22.10.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/puppeteer/puppeteer/releases">puppeteer's releases</a>.</em></p> <blockquote> <h2>puppeteer-core: v22.10.1</h2> <h2><a href="https://github.com/puppeteer/puppeteer/compare/puppeteer-core-v22.10.0...puppeteer-core-v22.10.1">22.10.1</a> (2024-06-11)</h2> <h3>Bug Fixes</h3> <ul> <li>add a way to run page.$$ without the isolation (<a href="https://redirect.github.com/puppeteer/puppeteer/issues/12539">#12539</a>) (<a href=" |
||
|
dependabot[bot]
|
3e177230cd |
build(deps-dev): Bump @types/node from 20.13.0 to 20.14.2 in /scripts/tests/browser (#5317)
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 20.13.0 to 20.14.2. <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
dependabot[bot]
|
41313ebc68 |
build(deps): Bump puppeteer from 22.7.1 to 22.10.0 in /scripts/tests/browser (#5172)
Bumps [puppeteer](https://github.com/puppeteer/puppeteer) from 22.7.1 to 22.10.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/puppeteer/puppeteer/releases">puppeteer's releases</a>.</em></p> <blockquote> <h2>puppeteer-core: v22.10.0</h2> <h2><a href="https://github.com/puppeteer/puppeteer/compare/puppeteer-core-v22.9.0...puppeteer-core-v22.10.0">22.10.0</a> (2024-05-24)</h2> <h3>Features</h3> <ul> <li>support running Puppeteer in extensions (<a href="https://redirect.github.com/puppeteer/puppeteer/issues/12459">#12459</a>) (<a href=" |
||
|
dependabot[bot]
|
f2472c27b0 |
build(deps-dev): Bump @types/node from 20.12.7 to 20.13.0 in /scripts/tests/browser (#5173)
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 20.12.7 to 20.13.0. <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
Reactor Scram
|
04fd2f9581 |
chore(gui-client): disable the Welcome screen only after the first sign-in (#5066)
Closes #5015. This way if the user opens and closes the GUI without doing anything, the Welcome screen still appears until they successfully sign in. Previously the `ran_before` flag was set after the first GUI startup. Tested on Windows once. |
||
|
Reactor Scram
|
9c143bced3 |
test: remove backwards compatibility code for older Docker images (#4993)
Closes #4951 |
||
|
Jamil
|
469e970056 |
ci: fix flaky dns-systemd test by waiting a second before running (#4962)
It [appears](https://github.com/firezone/firezone/actions/runs/9052492759/job/24870262108?pr=4961) that occasionally the test runs before DNS sentinel is applied and/or Resources updated. |
||
|
Reactor Scram
|
0ad72f00d1 |
refactor(headless-client): remove "linux-client" alias (#4933)
Is this worth it? ```[tasklist] ### Before merging - [x] Double-check docs and ask Jamil to review - [x] Would need Brian to review the terraform thing - [x] Make sure Docker compat isn't broken for existing users (shouldn't be, the image is still just `client`) - [x] Decide whether compatibility tests need to pass (if something breaks after merge we can revert this) ``` |
||
|
Reactor Scram
|
390f9de811 |
refactor(ci): use the same test framework for headless client and IPC service (#4943)
This will fix an issue with `linux-group` and `token-path` that happens when I try to split up the binaries. ```[tasklist] ### Before merging - [x] Fix linux-group. That stub-ipc-client command doesn't even exist anymore ``` |
||
|
Reactor Scram
|
42bafa898c |
chore(ci): fix debug_exit in the flaky systemd DNS test (#4934)
If these fail we shouldn't bail out since we're already bailing out and we need them to continue for debug output. Refs #4921 |
||
|
Reactor Scram
|
65064b1907 |
chore(ci): add debugging for that flaky DNS test (#4926)
Refs #4921 I'm not sure of the cause yet. This extra debugging code should narrow it down. |
||
|
Reactor Scram
|
cdebfa6901 |
chore(gui-client/linux): fix group name, firezone should be firezone-client (#4889)
Also improved the manual testing checklist a little |
||
|
Reactor Scram
|
e8b1736cb0 |
chore(gui-client/linux): show an error if the user doesn't belong to the firezone group (#4822)
Ran into this during testing. For some reason Ubuntu 20.04, maybe others, requires a reboot to add the desktop user to a group. I thought logging out and back in should be enough but it's not. <img width="527" alt="image" src="https://github.com/firezone/firezone/assets/13400041/4f7c2551-c7aa-4ecc-be55-66c6e6ac32a0"> --------- Signed-off-by: Reactor Scram <ReactorScram@users.noreply.github.com> |
||
|
Reactor Scram
|
35a802d6d9 |
chore(gui-client/linux): add install script and change group to firezone-client (#4879)
Closes #4873 |
||
|
dependabot[bot]
|
6172d6c080 |
build(deps): Bump puppeteer from 22.6.4 to 22.7.1 in /scripts/tests/browser (#4866)
Bumps [puppeteer](https://github.com/puppeteer/puppeteer) from 22.6.4 to 22.7.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/puppeteer/puppeteer/releases">puppeteer's releases</a>.</em></p> <blockquote> <h2>puppeteer-core: v22.7.1</h2> <h2><a href="https://github.com/puppeteer/puppeteer/compare/puppeteer-core-v22.7.0...puppeteer-core-v22.7.1">22.7.1</a> (2024-04-25)</h2> <h3>Bug Fixes</h3> <ul> <li>roll to Chrome 124.0.6367.78 (r1274542) (<a href="https://redirect.github.com/puppeteer/puppeteer/issues/12314">#12314</a>) (<a href=" |
||
|
Reactor Scram
|
be4053f4f5 |
refactor(gui-client/linux): use the same systemd service file in CI as in production (#4832)
This will keep the files from going out of sync. This PR also checks that the IPC service creates the IPC socket with `root:firezone` as the owner and group, when running under systemd. |
||
|
Jamil
|
a43f39ae8b |
perf: increase UDP send rate for performance test (#4793)
Now that we've worked out the flakiness from the iperf tests, we should increase the UDP send rate so we have some benchmark of how many packets we can actually handle before dropping. |
||
|
Reactor Scram
|
bc940784bd |
refactor(linux-client): remove FIREZONE_ID from example systemd file (#4714)
For tests it doesn't hurt, but this will be used as a template for the systemd service we ship to production, and that can't have the ID there. So I'm also cleaning up a few other problems I noticed: - I wanted to split the service files as part of #4531, so that the GUI Client and headless Client can have separate sandbox rules. e.g, the headless Client won't be allowed to create Unix domain sockets - I'm punting more things to systemd, which allows us to tighten down the sandbox further, e.g. creating `/var/lib/dev.firezone.client` and `/run/dev.firezone.client` for us - Closes #4461 --------- Signed-off-by: Reactor Scram <ReactorScram@users.noreply.github.com> |
||
|
Jamil
|
0b83b12fd2 |
ci: bootstrap browser test harness if missing (#4767)
Should be a less brittle fix to the problem of testing release images for `compat-tests` with the browser harness. |
||
|
Reactor Scram
|
869dcfa02f |
fix(linux-client): forbid passing the token as a CLI arg (#4683)
Closes #4682 Closes #4691 ```[tasklist] # Before merging - [x] Wait for `linux-group` test to go green on `main` (#4692) - [ ] Wait for those browsers tests to get fixed - [ ] *All* compatibility tests must pass on this branch ``` --------- Signed-off-by: Reactor Scram <ReactorScram@users.noreply.github.com> Co-authored-by: Thomas Eizinger <thomas@eizinger.io> |
||
|
Gabi
|
adc0bb73f7 |
test(client): add reconnection tests from a client using a headless browser (#4569)
Considered using Elixir and Rust to write the tests. For Elixir, `wallaby` doesn't seem to have a way to attach to an existing `chromium` instance, launching it each time, which makes it hard to coordinate with the relay restart. For Rust we considered `thirtyfour` which would be very nice since we could test both firefox and chrome but each time it connects to the instance it launches a new session making it hard to test the DNS cache behavior. We also considered `chrome_headless` for Rust it needs a small patch to prevent it from closing the browser after `Drop` but it still presents a problem, since it has no easy way to retrieve if loading a page has succeeded. There are some workarounds such as retrieving the title that we could have used but after some testing they are quite finnicky and we don't want that for CI. So I ended up settling for TypeScript but I'm open to other options, or a fix for the previous ones! There are some modifications still incoming for this PR, around the test name and that sleep in the middle of the test doesn't look good so I will probably add some retries, but the gist is here, will keep it in draft until we expect it to be passing. So feel free to do some initial reviews. Note: the number of lines changed is greatly exaggerated by `package.lock` --------- Signed-off-by: Thomas Eizinger <thomas@eizinger.io> Co-authored-by: Jamil Bou Kheir <jamilbk@users.noreply.github.com> Co-authored-by: Thomas Eizinger <thomas@eizinger.io> |
||
|
Thomas Eizinger
|
51089b89e7 |
feat(connlib): smoothly migrate relayed connections (#4568)
Whenever we receive a `relays_presence` message from the portal, we invalidate the candidates of all now disconnected relays and make allocations on the new ones. This triggers signalling of new candidates to the remote party and migrates the connection to the newly nominated socket. This still relies on #4613 until we have #4634. Resolves: #4548. --------- Co-authored-by: Jamil <jamilbk@users.noreply.github.com> |
||
|
Reactor Scram
|
7081c71c10 |
chore(linux-client): allow custom token path (#4666)
```[tasklist] # Before merging - [x] Remove file extension `.txt` - [x] Wait for `linux-group` test to go green on `main` (#4692) - [x] *all* compatibility tests must be green on this branch ``` Closes #4664 Closes #4665 ~~The compatibility tests are expected to fail until the next release is cut, for the same reasons as in #4686~~ The compatibility test must be handled somehow, otherwise it'll turn main red. `linux-group` was moved out of integration / compatibility testing, but the DNS tests do need the whole Docker + portal setup, so that one can't move. --------- Signed-off-by: Reactor Scram <ReactorScram@users.noreply.github.com> Co-authored-by: Thomas Eizinger <thomas@eizinger.io> |
||
|
Reactor Scram
|
bc22fb2bf2 |
test(linux-client): move linux-group test out of integration tests (#4692)
Closes #4669 This should stop the problem of `linux-group` failing because of trying to test an older release that doesn't have the right CLI features --------- Co-authored-by: Jamil <jamilbk@users.noreply.github.com> Co-authored-by: Thomas Eizinger <thomas@eizinger.io> |