TODO:
- [x] Cluster formation for all API and web nodes
- [x] Ingest Docker logs to Stackdriver
- [x] Fix assets building for prod
To finish later:
- [ ] Structured logging:
https://issuetracker.google.com/issues/285950891
- [ ] Better networking policy (e.g. use public Postmark ranges and deny
all unwanted egress)
- [ ] OpenTelemetry collector for Google Stackdriver
- [ ] LoggerJSON.Plug integration
---------
Signed-off-by: Andrew Dryga <andrew@dryga.com>
Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
We introduce dedicated types for each message that the `Server` can
handle. This allows us to make the functions public because the
type-system now guarantees that those are either parsed from bytes or
constructed with the correct data.
The latter will be useful to write tests against a richer API.
Things I've left for later to IAM:
1. Subject session expiration (to prevent session extension attacks);
2. UserPass adapter;
3. Token adapter and removal of APITokens in favor of `api_client` actor
with a Token provider;
4. Cleanup of Configurations schema and table
5. SCIM
6. Groups and Actor Profile (name, email) Sync
7. Email delivery once Web app is done with the templates
8. We might also want to persist sessions to the database, to then show a list
of active sessions to the user and allow them to terminate some of them from
the UI
9. SAML?
10. Rename `unprivileged` role name to `end_user`
11. Add `first_` and `last_name`, and sync/edit blocking logic around
it.
12. Rename Clients to Devices?
These workflows are all red which is expected as far as I understand.
I'd suggest we remove them to reduce the noise when reviewing PRs.
In case we ever wanted to bring parts of it back, Git is our best
friend.
Feel free to close if you think differently.
With this patch, the relay can parse and respond to allocation requests. I
ran some basic tests against https://icetest.info/ and implemented a
regression test as a result of the logged data.
In writing this, I also had to slightly change the design of `Server`
(as expected). Event handlers for incoming data now do not return a
message directly. Instead, the caller is responsible for draining `Command`s
from it.
When creating an allocation, we need to start listening on a new port.
This needs to happen outside the `Server` as I am going for a sans-IO
style. We emit a `Command` that instructs the main event loop to listen
on a new port. Any incoming data on that port will be forwarded to the
`Server`.
At the moment, this incoming data is just dropped. This is actually
standards-compliant because we cannot handle binding requests yet which
would allow this data to be forwarded to the client.
In some areas, the code is still a bit rough but I expect to iron those
things out as we go along.
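The sans-IO shape described in the two commit messages above (typed messages that are either parsed from bytes or constructed correctly, handlers that queue `Command`s instead of returning replies, a `ListenOnPort` command for new allocations, and relay-port data dropped until bindings exist) as an added, self-contained Rust sketch. This is not the relay's own code and does not use `stun_codec`: the one-byte wire format, the `Request`/`Command` enums, the port range and the `handle_client_input` / `handle_relay_data` / `next_command` names are all constructed for illustration.

```rust
use std::collections::VecDeque;
use std::net::SocketAddr;

/// Side effects the server asks the I/O layer to perform.
/// Nothing in this module touches a socket: that is the sans-IO contract.
#[derive(Debug, PartialEq, Eq)]
pub enum Command {
    /// Bind a UDP socket on this port and feed whatever arrives to `handle_relay_data`.
    ListenOnPort(u16),
    /// Write these bytes to the given peer on the control socket.
    SendMessage { to: SocketAddr, payload: Vec<u8> },
}

/// Typed request. Toy one-byte framing, constructed for this example (not STUN/TURN).
#[derive(Debug, PartialEq, Eq)]
pub enum Request {
    Allocate,
}

pub struct Server {
    next_port: u16,
    /// (client, relay port) pairs handed out so far.
    allocations: Vec<(SocketAddr, u16)>,
    pending: VecDeque<Command>,
}

impl Server {
    pub fn new(first_relay_port: u16) -> Self {
        Server { next_port: first_relay_port, allocations: Vec::new(), pending: VecDeque::new() }
    }

    /// Parse bytes into a typed request. Handlers only ever see a `Request`,
    /// so they cannot be called with malformed input.
    pub fn parse(bytes: &[u8]) -> Option<Request> {
        match bytes {
            [0x01] => Some(Request::Allocate),
            _ => None,
        }
    }

    /// Datagram from a client on the control port. Instead of returning a reply,
    /// the handler queues commands for the event loop to drain.
    pub fn handle_client_input(&mut self, from: SocketAddr, bytes: &[u8]) {
        match Self::parse(bytes) {
            Some(Request::Allocate) => {
                let port = self.next_port;
                self.next_port += 1;
                self.allocations.push((from, port));
                // The new port must be opened outside the Server, so ask for it.
                self.pending.push_back(Command::ListenOnPort(port));
                // Toy "allocate success" frame carrying the relay port (big-endian).
                let payload = vec![0x81, (port >> 8) as u8, port as u8];
                self.pending.push_back(Command::SendMessage { to: from, payload });
            }
            // Unparseable input is dropped and queues nothing.
            None => {}
        }
    }

    /// Data arriving on an allocated relay port. With no binding/permission state
    /// there is nowhere to forward it, so it is dropped (no command is queued).
    pub fn handle_relay_data(&mut self, _port: u16, _bytes: &[u8]) {}

    /// The caller drains commands until this returns `None`.
    pub fn next_command(&mut self) -> Option<Command> {
        self.pending.pop_front()
    }

    pub fn allocation_count(&self) -> usize {
        self.allocations.len()
    }
}

/// Minimal event loop: the only place that would actually do I/O.
fn main() {
    let client: SocketAddr = "203.0.113.10:40000".parse().unwrap();
    let mut server = Server::new(49152);
    server.handle_client_input(client, &[0x01]);
    while let Some(cmd) = server.next_command() {
        match cmd {
            Command::ListenOnPort(p) => println!("io: bind UDP 0.0.0.0:{p}"),
            Command::SendMessage { to, payload } => println!("io: send {payload:?} to {to}"),
        }
    }
}
```

Because the `Server` never performs I/O, the regression test mentioned above can replay captured bytes through `handle_client_input` and assert on the exact `Command` sequence, with no sockets involved.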
This is an alternative to https://github.com/firezone/firezone/pull/1602
that implements the server using a library I've found called
`stun_codec`.
It already has support for parsing a variety of attributes.
The following is a nice website to test some of the functionality:
https://icetest.info/
The server is still listening on:
`ec2-3-89-112-240.compute-1.amazonaws.com:3478`.