The client authentication had previously been using liveview and passing
params around using URL query params. One of the issues with using
liveview for this task was that there edge case issues on certain
clients with the websocket connection. Along with that, to have even
more security during the login process, the query param values that were
passed after the client was authenticated have been moved to an HTTP
cookie with very strict flags set.
The deep link redirection now uses a new HTTP endpoint that returns a
302 with the deep link as the location, which is triggered using a
`<meta http-equiv="refresh">` tag on the client.
I wasn't aware of `set x` when I wrote this, and it looks good in the
other test scripts.
I'm not sourcing `lib.sh` yet, because I don't happen to need any
functions from it. I have other draft PRs that will probably end up
using it.
Bumps [redis](https://github.com/redis-rs/redis-rs) from 0.25.2 to
0.25.3.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/redis-rs/redis-rs/releases">redis's
releases</a>.</em></p>
<blockquote>
<h2>v0.25.3</h2>
<h3>0.25.3 (2024-04-04)</h3>
<ul>
<li>Handle empty results in multi-node operations (<a
href="https://redirect.github.com/redis-rs/redis-rs/pull/1099">#1099</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="0db8ef7139"><code>0db8ef7</code></a>
Prepare release 0.25.3</li>
<li><a
href="0f9cb3173c"><code>0f9cb31</code></a>
Handle empty results in multi-node operations.</li>
<li>See full diff in <a
href="https://github.com/redis-rs/redis-rs/compare/redis-0.25.2...redis-0.25.3">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Closes#4385
```[tasklist]
### Manual test cases (f2c8f47b3 passed)
- [x] Given there is no token on disk, when you start the app, then there is no notification
- [x] Given there is a token on disk, when you start the app and it signs in, then there is 1 notification
- [x] Given the app is signed out, when you sign in, then there is 1 notification (test this in a sign-out-sign-in cycle)
- [x] Given the app is signed in, when you sign out, then there is no notification
- [x] Given the app is signed in, when you change Wi-Fi networks, then there is no notification
```
This will work on Linux once the Linux GUI comes up
This is another step towards #4548. The portal now includes a list of
relays as part of the "init" message. Any time we receive an "init", we
will now upsert those relays based on their ID. This requires us to
change our internal bookkeeping of relays from indexing them by address
to indexing by ID.
To ensure that this works correctly, the unit tests are rewritten to use
the new `upsert_relays` API.
---------
Signed-off-by: Thomas Eizinger <thomas@eizinger.io>
Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
Fixes#4488
```[tasklist]
# Before merging
- [x] There's one call site that won't compile on Linux. Make this cross-platform.
- [x] Does the rule get removed every time when you quit gracefully?
- [x] Will this NRPT rule prevent connlib from re-resolving the portal IP if it needs to?
- [x] Test network switching. Does this work worse, better, or the same?
- [ ] Is the Windows DNS cache flushed exactly when it needs to be?
```
- After connlib connects to the portal, we add an NRPT rule asking
Windows to send **all** DNS queries to our sentinels. This should also
be called whenever the interface is re-configured, which might change
the sentinel IPs
- When exiting gracefully, we delete the rule to restore normal DNS
behavior without having to back up and restore the other IPs
- We also delete the rule at startup so that if Firezone crashes or
misbehaves, restarting it should restore normal DNS
- We also flush the system-wide DNS cache whenever we claim different
routes. This may flush too often, and it may also miss some flushes that
we should do. It needs double-checking.
- There is still a gap when changing networks, DNS can leak there, but I
don't think it's worse than before.
This is needed so that we can auto-update the systemd unit file, either
manually, or with a package manager like `apt`. We don't want users
cut-and-pasting these together on every update, and we don't want
machines doing it. Making the file updatable means we can make security
fixes to it easily.
Bumps [hostname](https://github.com/svartalf/hostname) from 0.3.1 to
0.4.0.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/svartalf/hostname/blob/master/CHANGELOG.md">hostname's
changelog</a>.</em></p>
<blockquote>
<h2>[0.4.0] - 2024-04-01</h2>
<h3>Added</h3>
<ul>
<li>CI setup now covers almost all supported Tier 1 and Tier 2 platform
targets</li>
</ul>
<h3>Changed</h3>
<ul>
<li>Minimum Supported Rust version set to <code>1.67.0</code></li>
<li>Rust edition set to "2021"</li>
</ul>
<h3>Fixed</h3>
<ul>
<li>Handle edge cases for POSIX systems (<a
href="https://redirect.github.com/svartalf/hostname/issues/14">#14</a>)</li>
<li>docs.rs documentation build</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="0e311b92ea"><code>0e311b9</code></a>
Release v0.4.0</li>
<li><a
href="e96d1fde34"><code>e96d1fd</code></a>
Updating the repo to make it usable again</li>
<li><a
href="ecf28ebbf4"><code>ecf28eb</code></a>
bump version-sync: 0.8 -> 0.9 (<a
href="https://redirect.github.com/svartalf/hostname/issues/17">#17</a>)</li>
<li><a
href="4a178ed8f4"><code>4a178ed</code></a>
Handle posix hostname edge cases (<a
href="https://redirect.github.com/svartalf/hostname/issues/14">#14</a>)</li>
<li><a
href="7e930e9aca"><code>7e930e9</code></a>
Upgrade rust edition and migrate dependices(cfg_if, windows_rs) (<a
href="https://redirect.github.com/svartalf/hostname/issues/18">#18</a>)</li>
<li>See full diff in <a
href="https://github.com/svartalf/hostname/compare/v0.3.1...v0.4.0">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
refs #4602
- Removes `debug` stage building of `arm` and `arm64` binaries and
images (PRs only) -- these just get thrown away since we only test in CI
with `amd64`
- Removes `perf` builds for snownet-tests and http-test-server
- `base-base*` jobs are expected to fail since these changes haven't hit
`main` yet
-
This changes our required checks, so after approval I'll need to update
those.
Fixes the autolabeler so that changelog generation and edit process is
much less time-consuming
---------
Signed-off-by: Jamil <jamilbk@users.noreply.github.com>
`relays` will be removed from `prepare_connection` in a few weeks after
we release a version that reads them from `init` message. Keep in mind
technically `relays` list can be empty, it would be nice if clients
would log an error or show it in such cases.
Upon receiving a SIGTERM, we immediately disconnect from the websocket
connection to the portal and set a flag that we are shutting down.
Once we are disconnected from the portal and no longer have an active
allocations, we exit with 0. A repeated SIGTERM signal will interrupt
this process and force the relay to shutdown.
Disconnecting from the portal will (eventually) trigger a message to
clients and gateways that this relay should no longer be used. Thus,
depending on the timeout our supervisor has configured after sending
SIGTERM, the relay will continue all TURN operations until the number of
allocations drops to 0.
Currently, we also allow clients to make new allocations and refreshing
existing allocations. In the future, it may make sense to implement a
dedicated status code and refuse `ALLOCATE` and `REFRESH` messages
whilst we are shutting down.
Related: #4548.
---------
Signed-off-by: Thomas Eizinger <thomas@eizinger.io>
Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
In a prior design of the relay and the `phoenix-channel`, connecting to
the portal was a blocking operation, i.e. we weren't meant to start the
relaying operations before the portal connection succeeded.
Since then, `phoenix-channel` got refactored to have an internal
(re)-connection mechanism, meaning we don't actually need to `.await`
anything to obtain a `PhoenixChannel` instance that we can use to
initialize the `Server`. Furthermore, we changed the health-check to
return 200 OK prior to the portal connection being established in #4553.
Taking both of these into account, there is no more need to block on the
portal connection being established, which allows us to remove the use
of `phoenix_channel::init` and connect in the background whilst we
already accept STUN & TURN traffic.
Using the recent improvements made to the test harness, we can now add a
test for `reconnect` and assert that we are indeed discovering the new
interface and signaling the ICE candidate to the other party.
- Add logs export example, fixes#4051
- Use brand color palette for `pre` blocks
These have been updated to match our colorscheme.
Code blocks (\`\`\`elixir) will pull in the syntax highlighting but
these simple ones will use our color palette:
<img width="780" alt="Screenshot 2024-04-10 at 7 18 02 PM"
src="https://github.com/firezone/firezone/assets/167144/166cd5a7-c8cd-456b-a1c1-5faeab20d0f8">
