mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 18:18:55 +00:00
ad433dd58b0a4afc8db9ebc7a8a36cffed5fbe87
817 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
dependabot[bot]
|
5d62a7d357 |
build(deps): bump ex_cldr_numbers from 2.35.0 to 2.35.1 in /elixir (#8974)
Bumps [ex_cldr_numbers](https://github.com/elixir-cldr/cldr_numbers)
from 2.35.0 to 2.35.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/elixir-cldr/cldr_numbers/releases">ex_cldr_numbers's
releases</a>.</em></p>
<blockquote>
<h2>Cldr Numbers version 2.35.1</h2>
<h3>Bug Fixes</h3>
<ul>
<li>Fix formatting currency amounts when the currency format does not
have a digit placeholder (<code>0</code> and <code>#</code>) directly
next to the currency placeholder (<code>¤</code>). Thanks to <a
href="https://github.com/benregn"><code>@benregn</code></a> for the
report. Closes <a
href="https://redirect.github.com/elixir-cldr/cldr_numbers/issues/54">#54</a>.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/elixir-cldr/cldr_numbers/blob/main/CHANGELOG.md">ex_cldr_numbers's
changelog</a>.</em></p>
<blockquote>
<h2>Cldr Numbers v2.35.1</h2>
<p>This is the changelog for Cldr v2.35.1 released on April 23rd, 2025.
For older changelogs please consult the release tag on <a
href="https://github.com/elixir-cldr/cldr_numbers/tags">GitHub</a></p>
<h3>Bug Fixes</h3>
<ul>
<li>Fix formatting currency amounts when the currency format does not
have a digit placeholder (<code>0</code> and <code>#</code>) directly
next to the currency placeholder (<code>¤</code>). Thanks to <a
href="https://github.com/benregn"><code>@benregn</code></a> for the
report. Closes <a
href="https://redirect.github.com/elixir-cldr/cldr_numbers/issues/54">#54</a>.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="
|
||
|
dependabot[bot]
|
aa4f66df37 |
build(deps): bump tzdata from 1.1.2 to 1.1.3 in /elixir (#8973)
Bumps [tzdata](https://github.com/lau/tzdata) from 1.1.2 to 1.1.3. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/lau/tzdata/blob/master/CHANGELOG.md">tzdata's changelog</a>.</em></p> <blockquote> <h2>[1.1.3] - 2025-03-05</h2> <h3>Fixed</h3> <ul> <li>Fix Elixir compiler warnings for decreasing ranges without explicit steps (Christoph Grothaus)</li> <li>Fix various Elixir compiler warnings (Thomas Cioppettini)</li> </ul> <h3>Changed</h3> <ul> <li>Now requires Elixir 1.9 or greater instead of 1.8 or greater.</li> <li>tzdata release version shipped with this library is now 2025a instead of 2024b.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
532c26fa48 |
build(deps): bump observer_cli from 1.8.2 to 1.8.3 in /elixir (#8970)
Bumps [observer_cli](https://github.com/zhongwencool/observer_cli) from 1.8.2 to 1.8.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/zhongwencool/observer_cli/releases">observer_cli's releases</a>.</em></p> <blockquote> <h2>1.8.3</h2> <h2>What's Changed</h2> <ul> <li>process_info(Pid, monitors) can also return {port, _} tuples by <a href="https://github.com/gomoripeti"><code>@gomoripeti</code></a> in <a href="https://redirect.github.com/zhongwencool/observer_cli/pull/110">zhongwencool/observer_cli#110</a></li> <li>correct the units shown for memory data by <a href="https://github.com/gonzalobf"><code>@gonzalobf</code></a> in <a href="https://redirect.github.com/zhongwencool/observer_cli/pull/111">zhongwencool/observer_cli#111</a></li> <li>Fix compile warning on OTP 27 by <a href="https://github.com/zmstone"><code>@zmstone</code></a> in <a href="https://redirect.github.com/zhongwencool/observer_cli/pull/114">zhongwencool/observer_cli#114</a></li> <li>Fix mnesia crash by handling unknown storage types by <a href="https://github.com/zhongwencool"><code>@zhongwencool</code></a> in <a href="https://redirect.github.com/zhongwencool/observer_cli/pull/115">zhongwencool/observer_cli#115</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/gonzalobf"><code>@gonzalobf</code></a> made their first contribution in <a href="https://redirect.github.com/zhongwencool/observer_cli/pull/111">zhongwencool/observer_cli#111</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/zhongwencool/observer_cli/compare/v1.8.2...1.8.3">https://github.com/zhongwencool/observer_cli/compare/v1.8.2...1.8.3</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
48151cb4ba |
build(deps): bump argon2_elixir from 4.1.2 to 4.1.3 in /elixir (#8966)
Bumps [argon2_elixir](https://github.com/riverrun/argon2_elixir) from 4.1.2 to 4.1.3. <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
Jamil
|
8e054f5c74 |
fix(portal): Restrict WAL streaming to domain nodes only (#8956)
The `web` and `api` application use `domain` as a dependency in their `mix.exs`. This means by default their Supervisor will start the Domain's supervision tree as well. The author did not realize this at the time of implementation, and so we now leverage the convention in place for restricting tasks to `domain` nodes, the `background_jobs_enabled` application configuration parameter. We also add an info log when the replication slot is being started so we can verify the node it's starting on. |
||
|
Jamil
|
42b2420c00 |
ci(portal): Only set GIT_SHA before main app compile (#8955)
Delaying setting the GIT_SHA until as late as possible allows us to cache more layers. Fixes #8774 Related: #8948 |
||
|
Jamil
|
c0a670d947 |
fix(portal): Restart ReplicationConnection using Supervisor (#8953)
When deploying, the cluster state diverges temporarily, which allows
more than one `ReplicationConnection` process to start on the new nodes.
(One of) the old nodes still has an active slot, and we get an "object
in use" error `(Postgrex.Error) ERROR 55006 (object_in_use) replication
slot "events_slot" is active for PID 603037`.
Rather than use ReplicationConnection's restart behavior (which logs
tons of errors with Logger.error), we can use the Supervisor here
instead, and continue to try and start the ReplicationConnection until
successful.
Note that if the process name is registered (globally) and running,
ReplicationConnection.start_link/1 simply returns `{:ok, pid}` instead
of erroring out with `:already_running`, so eventually one of the nodes
will succeed and the remaining ones will return the globally-registered
pid.
|
||
|
Jamil
|
fdd1105b10 |
fix(portal): alter db user role with replication (#8952)
We need the `replication` attribute set on the db user. This is trivially done in a migration, and with the `CURRENT_USER` specifier, we don't need to fetch the Application configuration. |
||
|
Jamil
|
1f8090c60d |
fix(portal): use existing database user for replication (#8950)
Turns out we are making replication overly complex by creating a dedicated user for it. The `web` user is already privileged and we can reuse it since the replication system operates in the same security context as the remaining app. |
||
|
Jamil
|
a98a9867af |
fix(portal): Redact entire connection_opts param (#8946)
The LoggerJSON Redactor only redacts top-level keys, so we need to redact the entire `connection_opts` param to redact its contained password. We also don't need to pass around `connection_opts` across the entire ReplicationConnection process state, only for the initial connection, so we refactor that out of the `state`. |
||
|
Jamil
|
968db2ae39 |
feat(portal): Receive WAL events (#8909)
Firezone's control plane is a realtime, distributed system that relies on a broadcast/subscribe system to function. In many cases, these events are broadcasted whenever relevant data in the DB changes, such as an actor losing access to a policy, a membership being deleted, and so forth. Today, this is handled in the application layer, typically happening at the place where the relevant DB call is made (i.e. in an `after_commit`). While this approach has worked thus far, it has several issues: 1. We have no guarantee that the DB change will issue a broadcast. If the application is deployed or the process crashes after the DB changes are made but before the broadcast happens, we will have potentially failed to update any connected clients or gateways with the changes. 2. We have no guarantee that the order of DB updates will be maintained in order for broadcasts. In other words, app server A could win its DB operation against app server B, but then proceed to lose being the first to broadcast. 3. If the cluster is in a bad state where broadcasts may return an error (i.e. https://github.com/firezone/firezone/issues/8660), we will never retry the broadcast. To fix the above issues, we introduce a WAL logical decoder that process the event stream one message at a time and performs any needed work. Serializability is guaranteed since we only process the WAL in a single, cluster-global process, `ReplicationConnection`. Durability is also guaranteed since we only ACK WAL segments after we've successfully ingested the event. This means we will only advance the position of our WAL stream after successfully broadcasting the event. This PR only introduces the WAL stream processing system but does not introduce any changes to our current broadcasting behavior - that's saved for another PR. |
||
|
Jamil
|
48319df9f0 |
revert(#8893): Revert adding wal2json dev image (#8908)
Turns out that the standard `pgoutput` plugin shipped with Postgres will do everything we need it to, and there are good examples of prior art decoding its binary output in Elixir (in production). So to avoid adding a dependency on `wal2json` here, we'll go with that. |
||
|
Brian Manifold
|
3f3f007920 |
fix(portal): Update copy to clipboard button (#8907)
Why: * The copy to clipboard button was not working at all on the API new token page due to the fact that the FlowbiteJS library expects the presence of the elements in the DOM on first render. This was not true of the API Token code block. Along with that issue the existing code blocks copy to clipboard buttons did not give any visual indication that the copy had been completed. It was also somewhat difficult to see the copy to clipboard button on those code blocks as well. This commit updates the buttons to be more visible, as well as adds a phx-hook to make sure the FlowbiteJS init functions are run on every code block even if it's inserted after the initial load of the page and adds functions that are run as a callback to toggle the button text and icon to show the text has been copied. |
||
|
Jamil
|
f6ae7559e8 |
feat(ci): Add custom postgres Dockerfile for wal2json (#8893)
In order to develop and test WAL replication, we need the wal2json module installed in our dev postgres image. The module itself builds very quickly, but I thought it would be better to have this automatically built and pushed as part of a nightly job so that CI and developers can make use of it. |
||
|
Jamil
|
1a1c812f66 |
fix(portal): Set migration_lock to advisory lock (#8902)
The migration that failed today got hung up on a global migration lock. This PR would alleviate that if we also run the index creation concurrently, which we should do in many cases. See https://hexdocs.pm/ecto_sql/Ecto.Migration.html#index/3-adding-dropping-indexes-concurrently |
||
|
Jamil
|
0a2a393d4c |
fix(portal): Prevent additional email identities per actor (#8888)
This is a UI-only change for now to serve as a stop-gap while we work to overhaul the identity domain model. Related: #6294 |
||
|
Jamil
|
8293e6c440 |
fix(portal): Don't peek groups for api_client actors (#8890)
API clients don't belong to any actor_groups and attempting to deep link into the `groups` section when viewing an actor raises a 500 error. This PR fixes that by removing the deep link into `actor_groups` from the actors index view. |
||
|
Jamil
|
0f300f2484 |
fix(portal): Prevent dupe sync adapters (#8887)
Prevents more than one sync-enabled adapter per account in order to prepare for eventually adding a unique constraint on `provider_identifier` for identities and groups per account. Related: #6294 --------- Signed-off-by: Jamil <jamilbk@users.noreply.github.com> Co-authored-by: Brian Manifold <bmanifold@users.noreply.github.com> |
||
|
Jamil
|
d10c77c17d |
chore(portal): Drop unused table configurations (#8881)
This was left behind in a large refactor as part of #3642 and was never cleaned up. I verified on prod this table in fact has no meaningful data in it and has not changed since that PR was merged. |
||
|
dependabot[bot]
|
5d196075b6 |
build(deps): bump phoenix_live_view from 1.0.9 to 1.0.10 in /elixir (#8831)
Bumps [phoenix_live_view](https://github.com/phoenixframework/phoenix_live_view) from 1.0.9 to 1.0.10. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/phoenixframework/phoenix_live_view/blob/v1.0.10/CHANGELOG.md">phoenix_live_view's changelog</a>.</em></p> <blockquote> <h2>1.0.10 (2025-04-17)</h2> <h3>Bug fixes</h3> <ul> <li>Fix flash getting lost when falling back to a full page reload due to navigating across live sessions (<a href="https://redirect.github.com/phoenixframework/phoenix_live_view/issues/3686">#3686</a>)</li> <li>Fix edge case where locked DOM nodes were not properly patched on unlock (<a href="https://redirect.github.com/phoenixframework/phoenix_live_view/issues/3758">#3758</a>)</li> <li>Fix <code>used_input?</code> returning <code>false</code> when a form parameter value is a struct (<a href="https://redirect.github.com/phoenixframework/phoenix_live_view/issues/3757">#3757</a>)</li> <li>Catch promise rejections from <code>pushWithReply</code> (<a href="https://redirect.github.com/phoenixframework/phoenix_live_view/pull/3766">#3766</a>)</li> <li>Fix empty optgroups breaking DOM patching of other select options (<a href="https://redirect.github.com/phoenixframework/phoenix_live_view/issues/3742">#3742</a>)</li> <li>Don't shutdown sticky LiveViews when they <code>push_navigate</code> (<a href="https://redirect.github.com/phoenixframework/phoenix_live_view/issues/3612">#3612</a>)</li> </ul> <h3>Enhancements</h3> <ul> <li>Allow testing <code>phx-viewport-bottom</code> and <code>phx-viewport-top</code> with <code>Phoenix.LiveViewTest.render_hook/3</code> (<a href="https://redirect.github.com/phoenixframework/phoenix_live_view/pull/3755">#3755</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
eb16fdc11c |
build(deps-dev): bump credo from 1.7.11 to 1.7.12 in /elixir (#8836)
Bumps [credo](https://github.com/rrrene/credo) from 1.7.11 to 1.7.12. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/rrrene/credo/releases">credo's releases</a>.</em></p> <blockquote> <h2>v1.7.12</h2> <p>Check it out on Hex: <a href="https://hex.pm/packages/credo/1.7.12">https://hex.pm/packages/credo/1.7.12</a></p> <ul> <li>Fix compatibility & compiler warnings with Elixir 1.19 (dev)</li> <li>Provide <code>:column</code> on all checks</li> <li>Fix check docs in other project's documentation</li> <li><code>Credo.Check.Refactor.DoubleBooleanNegation</code> fixed false positive</li> <li><code>Credo.Check.Readability.NestedFunctionCalls</code> fixed false positive</li> <li><code>Credo.Check.Consistency.UnusedVariableNames</code> fixed duplicate issues</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/rrrene/credo/blob/master/CHANGELOG.md">credo's changelog</a>.</em></p> <blockquote> <h2>1.7.12</h2> <ul> <li>Fix compatibility & compiler warnings with Elixir 1.19 (dev)</li> <li>Provide <code>:column</code> on all checks</li> <li>Fix check docs in other project's documentation</li> <li><code>Credo.Check.Refactor.DoubleBooleanNegation</code> fixed false positive</li> <li><code>Credo.Check.Readability.NestedFunctionCalls</code> fixed false positive</li> <li><code>Credo.Check.Consistency.UnusedVariableNames</code> fixed duplicate issues</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
982009b4bb |
build(deps): bump libcluster from 3.3.3 to 3.5.0 in /elixir (#8838)
Bumps [libcluster](https://github.com/bitwalker/libcluster) from 3.3.3
to 3.5.0.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/bitwalker/libcluster/blob/main/CHANGELOG.md">libcluster's
changelog</a>.</em></p>
<blockquote>
<h1>Changelog</h1>
<h2>Unreleased</h2>
<ul>
<li>Add <code>kubernetes_use_cached_resources</code> option to
Kubernetes strategy</li>
</ul>
<h2>3.4.1</h2>
<ul>
<li>Use new cypher names</li>
<li>Allow Epmd strategy to reconnect after connection failures</li>
<li>Detect Self Signed Certificate Authority for Kubernetes
Strategy</li>
<li>Remove calls to deprecated <code>Logger.warn/2</code></li>
<li>Correct misspell of 'Empd' -> 'Epmd' in
<code>Cluster.Strategy.LocalEpmd</code> moduledoc</li>
</ul>
<h2>3.4.0</h2>
<h3>Added</h3>
<ul>
<li>Telemetry events added for tracking node connects and
disconnects</li>
</ul>
<h3>3.3.0</h3>
<h3>Changed</h3>
<ul>
<li>Default multicast address is now 233.252.1.32, was 230.1.1.251, <a
href="
|
||
|
dependabot[bot]
|
387dff8fad |
build(deps-dev): bump phoenix_live_reload from 1.5.3 to 1.6.0 in /elixir (#8824)
Bumps [phoenix_live_reload](https://github.com/phoenixframework/phoenix_live_reload) from 1.5.3 to 1.6.0. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/phoenixframework/phoenix_live_reload/blob/main/CHANGELOG.md">phoenix_live_reload's changelog</a>.</em></p> <blockquote> <h2>1.6.0 (2025-04-10)</h2> <ul> <li> <p>Enhancements</p> <ul> <li>Add support for <code>__RELATIVEFILE__</code> when invoking editors</li> <li>Change the default target window to <code>:parent</code> to not reload the whole page if a Phoenix app is shown inside an iframe. You can get the old behavior back by setting the <code>:target_window</code> option to <code>:top</code>: <pre lang="elixir"><code>config :phoenix_live_reload, MyAppWeb.Endpoint, target_window: :top, ... </code></pre> </li> </ul> </li> <li> <p>Bug fixes</p> <ul> <li>Inject iframe if web console logger is enabled but there are no patterns</li> <li>Allow web console to shutdown cleanly</li> </ul> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
Brian Manifold
|
74ccf8e0b2 |
fix(portal): Update elixir OIDC library (#8802)
Why: * Updating the Elixir OIDC library to pick up a fix made in the library regarding EdDSA keys https://github.com/firezone/openid_connect/pull/8 |
||
|
Brian Manifold
|
4c9848453d |
refactor(portal): Add more logging around sign in errors (#8789)
Why: * To allow for more accurate and efficient troubleshooting in production. |
||
|
Jamil
|
2bbc0abc3a |
feat(portal): Add Oban (#8786)
Our current bespoke job system, while it's worked out well so far, has the following shortcomings: - No retry logic - No robust to guarantee job isolation / uniqueness without resorting to row-level locking - No support for cron-based scheduling This PR adds the boilerplate required to get started with [Oban](https://hexdocs.pm/oban/Oban.html), the job management system for Elixir. |
||
|
Jamil
|
6cd7616b5c |
refactor(portal): Expect members key to be missing when empty (#8781)
This will prevent warning spam we're currently seeing in Sentry. |
||
|
Jamil
|
2f0d2462c9 |
fix(portal): Increase directory sync timeout to 8 hours (#8771)
Large Okta directories can take a very long time (> 1 hour) to sync. This currently times out, preventing any entities from making it into the database. There are many things to address in our sync operation, but this should hopefully resolve the immediate issue with the customer. https://firezone-inc.sentry.io/issues/6537862651/?project=4508756715569152&query=is%3Aunresolved%20issue.priority%3A%5Bhigh%2C%20medium%5D%20Enum.to_list&referrer=issue-stream&stream_index=0 |
||
|
Jamil
|
649c03e290 |
chore(portal): Bump LoggerJSON to 7.0.0, fixing config (#8759)
There was slight API change in the way LoggerJSON's configuration is
generation, so I took the time to do a little fixing and cleanup here.
Specifically, we should be using the `new/1` callback to create the
Logger config which fixes the below exception due to missing config
keys:
```
FORMATTER CRASH: {report,[{formatter_crashed,'Elixir.LoggerJSON.Formatters.GoogleCloud'},{config,[{metadata,{all_except,[socket,conn]}},{redactors,[{'Elixir.LoggerJSON.Redactors.RedactKeys',[<<"password">>,<<"secret">>,<<"nonce">>,<<"fragment">>,<<"state">>,<<"token">>,<<"public_key">>,<<"private_key">>,<<"preshared_key">>,<<"session">>,<<"sessions">>]}]}]},{log_event,#{meta => #{line => 15,pid => <0.308.0>,time => 1744145139650804,file => "lib/logger.ex",gl => <0.281.0>,domain => [elixir],application => libcluster,mfa => {'Elixir.Cluster.Logger',info,2}},msg => {string,<<"[libcluster:default] connected to :\"web@web.cluster.local\"">>},level => info}},{reason,{error,{badmatch,[{metadata,{all_except,[socket,conn]}},{redactors,[{'Elixir.LoggerJSON.Redactors.RedactKeys',[<<"password">>,<<"secret">>,<<"nonce">>,<<"fragment">>,<<"state">>,<<"token">>,<<"public_key">>,<<"private_key">>,<<"preshared_key">>,<<"session">>,<<"sessions">>]}]}]},[{'Elixir.LoggerJSON.Formatters.GoogleCloud',format,2,[{file,"lib/logger_json/formatters/google_cloud.ex"},{line,148}]}]}}]}
```
Supersedes #8714
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
|
||
|
Brian Manifold
|
bed6a60056 |
fix(portal): Fetch latest Okta access_token before API call (#8745)
Why: * The Okta IdP sync job needs to make sure it is always using the latest access token available. If not, there is the possibility for the job to take too long to complete and the access token that the job started with might time out. This commit updates the Okta API client to always check and make sure it is using the latest access token for each request to the Okta API. |
||
|
Jamil
|
d2fd57a3b6 |
fix(portal): Attach Sentry in each umbrella app (#8749)
- Attaches the Sentry Logging hook in each of [api, web, domain] - Removes errant Sentry logging configuration in config/config.exs - Fixes the exception logger to default to logging exceptions, use `skip_sentry: true` to skip Tested successfully in dev. Hopefully the cluster behaves the same way. Fixes #8639 |
||
|
dependabot[bot]
|
8b08be15b3 |
build(deps): bump sentry from 10.8.1 to 10.9.0 in /elixir (#8704)
Bumps [sentry](https://github.com/getsentry/sentry-elixir) from 10.8.1 to 10.9.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/getsentry/sentry-elixir/releases">sentry's releases</a>.</em></p> <blockquote> <h2>10.9.0</h2> <p>This release adds a bunch of new features and fixes a few papercut bugs.</p> <h3>New features</h3> <ul> <li>Add <code>:tags_from_metadata</code> option to <code>Sentry.LoggerHandler</code>. Use this to better structure reports that come from logs (<a href="https://redirect.github.com/getsentry/sentry-elixir/issues/840">#840</a> by <a href="https://github.com/icehaunter"><code>@icehaunter</code></a>).</li> <li>Add <code>:discard_threshold</code> option to <code>Sentry.LoggerHandler</code> to implement load shedding when the logger gets overloaded.</li> <li>If you want to use Elixir 1.18's new <code>JSON</code> module, now you can (<a href="https://redirect.github.com/getsentry/sentry-elixir/issues/845">#845</a>).</li> <li>Add <code>:in_app_otp_apps</code> configuration option. This should replace <code>:in_app_module_allow_list</code> for most use cases, making configuration simpler (<a href="https://redirect.github.com/getsentry/sentry-elixir/issues/854">#854</a> by <a href="https://github.com/solnic"><code>@solnic</code></a>).</li> <li>Add support for per-module custom options for check ins. This means you can now configure single Oban (or Quantum) jobs with per-worker options such as timezones and more (<a href="https://redirect.github.com/getsentry/sentry-elixir/issues/833">#833</a> by <a href="https://github.com/savhappy"><code>@savhappy</code></a>).</li> <li>Add a global <code>:extra</code> config that can be set at the <code>:sentry</code> application level (akin to <code>:tags</code> today).</li> <li>Improve Oban error reporting.</li> </ul> <h3>Bug fixes</h3> <ul> <li>We now deduplicate identical events significantly less, reducing the risk of not reporting events that are not duplicates.</li> <li>When dropping breadcrumbs (because of the limit being reached), we now retain <em>newest</em> breadcrumbs instead of older ones (<a href="https://redirect.github.com/getsentry/sentry-elixir/issues/858">#858</a> by <a href="https://github.com/dajinchu"><code>@dajinchu</code></a>).</li> <li>Ensure log messages are not captured with <code>:capture_log_messages</code> is <code>false</code> (<a href="https://redirect.github.com/getsentry/sentry-elixir/issues/865">#865</a> by <a href="https://github.com/joladev"><code>@joladev</code></a>).</li> <li>Normalize Oban exception reasons for better reports.</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/getsentry/sentry-elixir/blob/master/CHANGELOG.md">sentry's changelog</a>.</em></p> <blockquote> <h2>10.9.0</h2> <p>This release adds a bunch of new features and fixes a few papercut bugs.</p> <h3>New features</h3> <ul> <li>Add <code>:tags_from_metadata</code> option to <code>Sentry.LoggerHandler</code>. Use this to better structure reports that come from logs (<a href="https://redirect.github.com/getsentry/sentry-elixir/issues/840">#840</a> by <a href="https://github.com/icehaunter"><code>@icehaunter</code></a>).</li> <li>Add <code>:discard_threshold</code> option to <code>Sentry.LoggerHandler</code> to implement load shedding when the logger gets overloaded.</li> <li>If you want to use Elixir 1.18's new <code>JSON</code> module, now you can (<a href="https://redirect.github.com/getsentry/sentry-elixir/issues/845">#845</a>).</li> <li>Add <code>:in_app_otp_apps</code> configuration option. This should replace <code>:in_app_module_allow_list</code> for most use cases, making configuration simpler (<a href="https://redirect.github.com/getsentry/sentry-elixir/issues/854">#854</a> by <a href="https://github.com/solnic"><code>@solnic</code></a>).</li> <li>Add support for per-module custom options for check ins. This means you can now configure single Oban (or Quantum) jobs with per-worker options such as timezones and more (<a href="https://redirect.github.com/getsentry/sentry-elixir/issues/833">#833</a> by <a href="https://github.com/savhappy"><code>@savhappy</code></a>).</li> <li>Add a global <code>:extra</code> config that can be set at the <code>:sentry</code> application level (akin to <code>:tags</code> today).</li> <li>Improve Oban error reporting.</li> </ul> <h3>Bug fixes</h3> <ul> <li>We now deduplicate identical events significantly less, reducing the risk of not reporting events that are not duplicates.</li> <li>When dropping breadcrumbs (because of the limit being reached), we now retain <em>newest</em> breadcrumbs instead of older ones (<a href="https://redirect.github.com/getsentry/sentry-elixir/issues/858">#858</a> by <a href="https://github.com/dajinchu"><code>@dajinchu</code></a>).</li> <li>Ensure log messages are not captured with <code>:capture_log_messages</code> is <code>false</code> (<a href="https://redirect.github.com/getsentry/sentry-elixir/issues/865">#865</a> by <a href="https://github.com/joladev"><code>@joladev</code></a>).</li> <li>Normalize Oban exception reasons for better reports.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
3458d7f151 |
build(deps): bump tailwind from 0.2.4 to 0.3.1 in /elixir (#8707)
Bumps [tailwind](https://github.com/phoenixframework/tailwind) from 0.2.4 to 0.3.1. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/phoenixframework/tailwind/blob/main/CHANGELOG.md">tailwind's changelog</a>.</em></p> <blockquote> <h2>v0.3.1 (2025-02-28)</h2> <ul> <li>Support correct target for Linux MUSL with Tailwind v3.</li> </ul> <h2>v0.3.0 (2025-02-26)</h2> <ul> <li>Support Tailwind v4+. This release assumes Tailwind v4 for new projects.</li> </ul> <p>Note: v0.3.0 dropped target code for handling Linux MUSL with Tailwind v3. Use v0.3.1+ instead.</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
336b322a39 |
build(deps): bump opentelemetry_phoenix from 2.0.0 to 2.0.1 in /elixir (#8717)
Bumps [opentelemetry_phoenix](https://github.com/open-telemetry/opentelemetry-erlang-contrib) from 2.0.0 to 2.0.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/open-telemetry/opentelemetry-erlang-contrib/releases">opentelemetry_phoenix's releases</a>.</em></p> <blockquote> <h2>Opentelemetry Phoenix - v2.0.1</h2> <h2>What's Changed</h2> <ul> <li>add http.route attribute. issue <a href="https://redirect.github.com/open-telemetry/opentelemetry-erlang-contrib/issues/464">#464</a> <a href="https://github.com/sc-yan"><code>@sc-yan</code></a> (<a href="https://redirect.github.com/open-telemetry/opentelemetry-erlang-contrib/issues/465">#465</a>)</li> <li>add spec for liveview option to OpentelemetryPhoenix <a href="https://github.com/kenichi"><code>@kenichi</code></a> (<a href="https://redirect.github.com/open-telemetry/opentelemetry-erlang-contrib/issues/460">#460</a>)</li> </ul> <p>Note: <code>http.route</code> attribute was inadvertently removed and replaced with <code>url.template</code>. Apologies for any inconvenience.</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
0a5ac2af2f |
build(deps): bump bandit from 1.6.10 to 1.6.11 in /elixir (#8720)
Bumps [bandit](https://github.com/mtrudel/bandit) from 1.6.10 to 1.6.11. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/mtrudel/bandit/blob/main/CHANGELOG.md">bandit's changelog</a>.</em></p> <blockquote> <h2>1.6.11 (31 Mar 2025)</h2> <h3>Changes</h3> <ul> <li>Ensure that HTTP/1 request headers are sent to the Plug in the order they're sent (<a href="https://redirect.github.com/mtrudel/bandit/issues/482">#482</a>)</li> <li>Do not populate the <code>cookies</code> header with an empty string if no cookies were sent in HTTP/2 (<a href="https://redirect.github.com/mtrudel/bandit/issues/483">#483</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
093c107973 |
build(deps): bump plug_crypto from 2.1.0 to 2.1.1 in /elixir (#8723)
Bumps [plug_crypto](https://github.com/elixir-plug/plug_crypto) from 2.1.0 to 2.1.1. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/elixir-plug/plug_crypto/blob/main/CHANGELOG.md">plug_crypto's changelog</a>.</em></p> <blockquote> <h2>v2.1.1 (2025-04-03)</h2> <ul> <li>Fall back <code>hash_equals</code> when missing OpenSSL support</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
Jamil
|
b9532bc243 |
revert: "Enable automatic tax calculation by default" (#8743)
This needs #8670 in order to function. Reverts firezone/firezone#8552 |
||
|
Jamil
|
05dafabbad |
fix(portal): Fix human display of geo location (#8665)
These seem to be swapped. Generally accepted is `city, country`. |
||
|
Jamil
|
8ca43300cd | chore(portal): Fix typo: counties -> countries (#8666) | ||
|
dependabot[bot]
|
e99399e316 |
build(deps): bump telemetry_poller from 1.1.0 to 1.2.0 in /elixir (#8566)
Bumps [telemetry_poller](https://github.com/beam-telemetry/telemetry_poller) from 1.1.0 to 1.2.0. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/beam-telemetry/telemetry_poller/blob/main/CHANGELOG.md">telemetry_poller's changelog</a>.</em></p> <blockquote> <h2><a href="https://github.com/beam-telemetry/telemetry_poller/tree/v1.2.0">1.2.0</a></h2> <h3>Added</h3> <ul> <li>Support <code>persistent_term</code> measurements.</li> <li>Require Erlang/OTP 24+.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/beam-telemetry/telemetry_poller/commits">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
dependabot[bot]
|
3a6500162c |
build(deps): bump phoenix_live_view from 1.0.3 to 1.0.9 in /elixir (#8569)
Bumps [phoenix_live_view](https://github.com/phoenixframework/phoenix_live_view) from 1.0.3 to 1.0.9. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/phoenixframework/phoenix_live_view/blob/v1.0.9/CHANGELOG.md">phoenix_live_view's changelog</a>.</em></p> <blockquote> <h2>1.0.9 (2025-03-26)</h2> <h3>Bug fixes</h3> <ul> <li>Fix testing uploads inside nested LiveViews with LiveViewTest (<a href="https://redirect.github.com/phoenixframework/phoenix_live_view/issues/3732">#3732</a>)</li> </ul> <h2>1.0.8 (2025-03-26)</h2> <h3>Bug fixes</h3> <ul> <li>Regression: ensure <code>_target</code> is sent as <code>["undefined"]</code> when an input has no name (<a href="https://redirect.github.com/phoenixframework/phoenix_live_view/issues/3727">#3727</a>)</li> <li>Fix stream items from disconnected render not being removed when rendered inside a nested stream (<a href="https://redirect.github.com/phoenixframework/phoenix_live_view/pull/3730">#3730</a>)</li> </ul> <h3>Enhancements</h3> <ul> <li>Add <code>Phoenix.LiveViewTest.refute_redirected/1</code> to assert that no redirect took place (<a href="https://redirect.github.com/phoenixframework/phoenix_live_view/pull/3729">#3729</a>)</li> </ul> <h2>1.0.7 (2025-03-21)</h2> <h3>Bug fixes</h3> <ul> <li>Fix <code>_target</code> parameter being sent incorrectly (<a href="https://redirect.github.com/phoenixframework/phoenix_live_view/pull/3720">#3719</a>).</li> </ul> <h2>1.0.6 (2025-03-20)</h2> <h3>Bug fixes</h3> <ul> <li>Fix race condition where patches were discarded when a new navigation was already pending (<a href="https://redirect.github.com/phoenixframework/phoenix_live_view/pull/3710">#3710</a>)</li> <li>Fix phx-debounce="blur" re-sending events for subsequent blurs (<a href="https://redirect.github.com/phoenixframework/phoenix_live_view/issues/3689">#3689</a>)</li> <li>Fix <code>code_change</code> callback not returning the new channel state (<a href="https://redirect.github.com/phoenixframework/phoenix_live_view/pull/3712">#3712</a>)</li> <li>Fix LiveViews not being able to reconnect without a full page reload after a deployment that changed the router (<a href="https://redirect.github.com/phoenixframework/phoenix_live_view/pull/3715">#3715</a>)</li> </ul> <h3>Enhancements</h3> <ul> <li>Improve performance of large forms (<a href="https://redirect.github.com/phoenixframework/phoenix_live_view/pull/3696">#3696</a>)</li> <li>Ensure <code>JS.push</code> values are sent on form events (<a href="https://redirect.github.com/phoenixframework/phoenix_live_view/pull/3674">#3674</a>)</li> <li>Allow to skip persistent_id generation in <code>Phoenix.Component.inputs_for/1</code> (<a href="https://redirect.github.com/phoenixframework/phoenix_live_view/pull/3677">#3677</a>)</li> <li>Delay <code>phx-disconnected</code> binding to prevent brief flash of "Attempting to reconnect" message for short disconnects (<a href="https://redirect.github.com/phoenixframework/phoenix_live_view/pull/3680">#3680</a>). This can be configured by passing the <code>disconnectedTimeout</code> option to the LiveSocket constructor.</li> </ul> <h2>1.0.5 (2025-02-27)</h2> <h3>Bug fixes</h3> <ul> <li>Fix <code>JS.exec</code> failing when a selector is passed (<a href="https://redirect.github.com/phoenixframework/phoenix_live_view/pull/3678">#3678</a>)</li> <li>Fix race conditions when testing a live upload that redirects in the progress callback (<a href="https://redirect.github.com/phoenixframework/phoenix_live_view/pull/3676">#3676</a>)</li> <li>Fix streams in sticky LiveView being reset under some circumstances when another LiveView also contains a stream (<a href="https://redirect.github.com/phoenixframework/phoenix_live_view/issues/3681">#3681</a>)</li> <li>Fix recursively locked elements not being correctly patched on unlock (<a href="https://redirect.github.com/phoenixframework/phoenix_live_view/issues/3684">#3684</a>)</li> <li>Fix JS.show/hide/toggle behavior while also fixing JS.focus() on Mobile Safari (<a href="https://redirect.github.com/phoenixframework/phoenix_live_view/pull/3692">#3692</a>)</li> </ul> <h3>Enhancements</h3> <ul> <li>Detect infinite patch redirect loops and raise an error (<a href="https://redirect.github.com/phoenixframework/phoenix_live_view/pull/3670">#3670</a>)</li> </ul> <h2>1.0.4 (2025-02-04)</h2> <h3>Bug fixes</h3> <ul> <li>Fix elements with <code>phx-remove</code> inside sticky LiveViews being unintentionally removed on navigation (<a href="https://redirect.github.com/phoenixframework/phoenix_live_view/issues/3658">#3658</a>)</li> <li>Fix <code>phx-click-loading</code> not being removed from links in sticky LiveViews (<a href="https://redirect.github.com/phoenixframework/phoenix_live_view/issues/3656">#3656</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
57d8462527 |
build(deps): bump observer_cli from 1.8.1 to 1.8.2 in /elixir (#8572)
Bumps [observer_cli](https://github.com/zhongwencool/observer_cli) from 1.8.1 to 1.8.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/zhongwencool/observer_cli/releases">observer_cli's releases</a>.</em></p> <blockquote> <h2>v1.8.2</h2> <h2>What's Changed</h2> <ul> <li>Fix unit of fullsweep_after by <a href="https://github.com/binaryseed"><code>@binaryseed</code></a> in <a href="https://redirect.github.com/zhongwencool/observer_cli/pull/108">zhongwencool/observer_cli#108</a></li> <li>chore: fix typo lable -> label by <a href="https://github.com/zmstone"><code>@zmstone</code></a> in <a href="https://redirect.github.com/zhongwencool/observer_cli/pull/109">zhongwencool/observer_cli#109</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/binaryseed"><code>@binaryseed</code></a> made their first contribution in <a href="https://redirect.github.com/zhongwencool/observer_cli/pull/108">zhongwencool/observer_cli#108</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/zhongwencool/observer_cli/compare/1.8.1...v1.8.2">https://github.com/zhongwencool/observer_cli/compare/1.8.1...v1.8.2</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
f7fbabf692 |
build(deps): bump ex_cldr_dates_times from 2.20.3 to 2.22.0 in /elixir (#8578)
Bumps [ex_cldr_dates_times](https://github.com/elixir-cldr/cldr_dates_times) from 2.20.3 to 2.22.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/elixir-cldr/cldr_dates_times/releases">ex_cldr_dates_times's releases</a>.</em></p> <blockquote> <h2>Cldr Dates Times version 2.22.0</h2> <h3>Breaking Data format changes</h3> <p>There are some changes to the underlying locale data format that will be a breaking change for results returned from:</p> <ul> <li><code>Cldr.DateTime.Format.time_formats/{1,2,3}</code></li> <li><code>MyApp.Cldr.Calendar.day_periods/{0, 1, 2}</code></li> </ul> <p>The data changes are summarised as:</p> <ul> <li>Time formats now group the <code>:default</code> and <code>:ascii</code> alternatives.</li> <li>Day periods used for date/time formatting now group the alternatives for <code>am</code> and <code>pm</code> where the data is available.</li> <li>Day period display names now group the alternatives for <code>am</code> and <code>pm</code> where the data is available.</li> </ul> <h3>Enhancements</h3> <ul> <li>Update to <a href="https://cldr.unicode.org/downloads/cldr-47">CLDR 47</a> data.</li> </ul> <h2>Cldr Dates Times version 2.21.0</h2> <h3>Enhancements</h3> <ul> <li>Allow configuration of <code>ex_cldr_calendars</code> version 2.0 and later.</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/elixir-cldr/cldr_dates_times/blob/main/CHANGELOG.md">ex_cldr_dates_times's changelog</a>.</em></p> <blockquote> <h2>Cldr_Dates_Times v2.22.0</h2> <p>This is the changelog for Cldr_Dates_Times v2.22.0 released on March 18th, 2025. For older changelogs please consult the release tag on <a href="https://github.com/elixir-cldr/cldr_cldr_dates_times/tags">GitHub</a></p> <h3>Breaking Data format changes</h3> <p>There are some changes to the underlying locale data format that will be a breaking change for results returned from:</p> <ul> <li><code>Cldr.DateTime.Format.time_formats/{1,2,3}</code></li> <li><code>MyApp.Cldr.Calendar.day_periods/{0, 1, 2}</code></li> </ul> <p>The data changes are summarised as:</p> <ul> <li>Time formats now group the <code>:default</code> and <code>:ascii</code> alternatives.</li> <li>Day periods used for date/time formatting now group the alternatives for <code>am</code> and <code>pm</code> where the data is available.</li> <li>Day period display names now group the alternatives for <code>am</code> and <code>pm</code> where the data is available.</li> </ul> <h3>Enhancements</h3> <ul> <li>Update to <a href="https://cldr.unicode.org/downloads/cldr-47">CLDR 47</a> data.</li> </ul> <h2>Cldr_Dates_Times v2.21.0</h2> <p>This is the changelog for Cldr_Dates_Times v2.21.0 released on January 31st, 2025. For older changelogs please consult the release tag on <a href="https://github.com/elixir-cldr/cldr_cldr_dates_times/tags">GitHub</a></p> <h3>Enhancements</h3> <ul> <li>Allow configuration of <code>ex_cldr_calendars</code> version 2.0 and later.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
a66423c25c |
build(deps): bump @fontsource/source-sans-3 from 5.1.1 to 5.2.6 in /elixir/apps/web/assets (#8599)
Bumps [@fontsource/source-sans-3](https://github.com/fontsource/font-files/tree/HEAD/fonts/google/source-sans-3) from 5.1.1 to 5.2.6. <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/fontsource/font-files/commits/HEAD/fonts/google/source-sans-3">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
Jamil
|
6e336fc3bc |
fix(portal): Update flows fkey constraints to cascade deletes (#8645)
The `flows` table currently has `ON DELETE SET NULL` behavior for many of its foreign key constraints. The problem is that if we try to delete any of the associated entities, setting a null here causes the DB operation to fail with: ``` ERROR: null value in column "policy_id" of relation "flows" violates not-null constraint ``` I can understand why it was originally architected like this to preserve connection log data, but we'll be using another approach for that that doesn't require maintaining relational data in perpetuity. Related: #949 |
||
|
Jamil
|
fb9f132a49 |
fix(portal): Interpret missing members as empty list (#8640)
The Google API will often return a missing `members` key alongside a `200` response from their members API. The documentation here isn't clear whether this key is expected or not, but since the sync has been working fine up until #8608, we can only surmise that the missing key in fact means the group has no members. This PR updates the Google API client so that a `default_if_missing` can be passed in which is returned if the API response is missing the JSON key to fetch. For the users, groups, and organization units fetches, we consider a missing key to be an error and we return `{:error, :invalid_response}` since this most likely indicates an API problem. For the members endpoint, we consider the missing key to be the empty set. Additionally, a bug is fixed that was introduced in #8608 whereupon we returned `{:error, :retry_later}` for newly-accounted-for API responses, which would have caused a "sync failed" email to be sent to the admins on the instance. Instead, we want to return `{:error, :invalid_response}` which will stop the sync from progressing, and log it internally. |
||
|
Jamil
|
2f7598c648 |
fix(portal): Delete soft-deleted synced actor_groups (#8638)
The previous migration only accounted for soft-deleted rows that have an active counterpart. This fails the new unique index if multiple soft-deleted rows exist for the same `account_id, provider_id, provider_identifier` combination. Instead, to appease the new index, we need to delete all soft-deleted rows where these fields exist. Related: #8615 |
||
|
Jamil
|
713ff1e7de |
chore(portal): Log problematic identity api responses (#8623)
After merging #8608, we discovered that we receive unexpected API responses on the regular. This adds improved logging to uncover what exactly these unexpected API responses are. |
||
|
Jamil
|
f275bf70d9 |
fix(portal): Resurrect deleted identities and groups (#8615)
When syncing identities from an identity, we have logic in place that resurrects any soft-deleted identities in order to maintain their session history, group memberships and any other relevant data. Users can be temporarily suspended from their identity provider and then resumed. Groups, however, based on cursory research, can never be temporarily suspended at the identity provider. However, this doesn't mean that we can't see the group disappear and reappear at a later point in time. This can happen due to a temporary sync issue, or in the upcoming Group Filters PR: #8381. This PR adds more robust testing to ensure we can in fact resurrect identities as expected. It also updates the group sync logic to similarly resurrect soft-deleted groups if they are seen again in a subsequent sync. To achieve this, we need to update the `UNIQUE CONSTRAINT` used in the upsert clause during the sync. Before, it was possible for two (or more) groups to exist with the same provider_identifier and provider_id, if `deleted_at IS NOT NULL`. Now, we need to ensure that only one group with the same `account_id, provider_id, provider_identifier` can exist, since we want to resurrect and not recreate these. To do this, we use a migration that does the following: 1. Ensures any potentially problematic data is permanently deleted 2. Drops the existing unique constraint 3. Recreates it, omitting `WHERE DELETED_AT IS NULL` from the partial index. Based on exploring the production DB data, this should not cause any issues, but it would be a good idea to double-check before rolling this out to prod. Lastly, the final missing piece to the resurrection story is Policies. This is saved for a future PR since we need to first define the difference between a policy that was soft-deleted via a sync job, and a policy that was "perma" deleted by a user. Related: #8187 |
||
|
Jamil
|
88c4e723a6 |
fix(portal): Gracefully handle dir sync error responses (#8608)
When calling the various directory sync endpoints, we had error cases
that matched a few of the possible error scenarios in an appropriate way
by returning either `{:error, :retry_later}` or the `{:error, ...}`
tuples.
However, as we've recently learned in [this
thread](https://firezonehq.slack.com/archives/C069H865MHP/p1743521884037159),
it's possible for identity provider APIs to return all kinds of bogus
data here, and we need a more defensive approach.
The specific issue this PR addresses is the case where we receive a
`2xx` response, but without the expected JSON key in the response body.
That will result in the `list*` functions returning an empty list, which
the calling code paths then use to soft-delete all existing record types
in the DB.
This is wrong. If the JSON response is missing a key we're expecting, we
instead log a warning and return `{:error, :retry_later}`. It's
currently unknown when exactly this happens and why, but with better
monitoring here we'll have a much better picture as to why.
|