* Small typo in AWS bastion host was preventing unattended upgrades.
* Update all AWS modules to recreate the EC2 instance if the `user_data`
is ever changed.
Currently, only the gateway has a reconnect logic for (transient) errors
when connecting to the portal. Instead of duplicating this for the
relay, I moved the reconnect state machine to `phoenix-channel`. This
means the relay now automatically gets it too and in the future, the
clients will also benefit from it.
As a nice benefit, this also greatly simplifies the gateway's
`Eventloop` and removes a bunch of cruft with channels.
Resolves: #2915.
- [x] Confirm that the PID of the pipe client matches the PID of the
subprocess we just spawned
- [x] (redundant?) Send a unique cookie to the child process' stdin and
require it to be echoed back over the named pipe. An attacker could not
intercept the token since the stdin belongs to the subprocess we just
spawned
I didn't realize, but named pipes and CLI args are both readable by
other process, so any other process could connect to our named pipe and
do a MITM.
I don't know how Chromium protects itself from this, so I did some
research and just made something up.
After this I'll probably break it up into submodules, `ipc.rs` is about
600 lines and probably more than half is just tests.
---------
Signed-off-by: Reactor Scram <ReactorScram@users.noreply.github.com>
Why:
* The previous terraform was not replacing the EC2 instance when the
`user_data` changed. This resulted in the instance only being restarted,
which meant the latest gateway image would not be pulled down. This also
highlighted the fact that the systemd unit file for the gateway was not
quite correct and if the system were to ever reboot the gateway would
not start automatically. Both issues have been corrected with this
commit.
This required making `allow_access` `async` which is ugly, but we can
fix it later like we did it with `set_peer_connection_request`, but
doing this ASAP otherwise this would block the `peers_by_ip` struct and
also block the executor a bunch of times and slow everything down.
Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
Why:
* The previous command that was used to start the gateway running in AWS
was not explicitly using any `sysctl` flags in the command. This ended
up causing issues with IPv6 in the container, even though the sysctl
properties on the host were set as expected. Adding the `sysctl` flags
to the command allows the container to work as expected.
Bumps [clap](https://github.com/clap-rs/clap) from 4.4.17 to 4.4.18.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/clap-rs/clap/releases">clap's
releases</a>.</em></p>
<blockquote>
<h2>v4.4.18</h2>
<h2>[4.4.18] - 2024-01-16</h2>
<h3>Fixes</h3>
<ul>
<li><em>(error)</em> When lacking <code>usage</code> feature, ensure the
list of required arguments is unique</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/clap-rs/clap/blob/master/CHANGELOG.md">clap's
changelog</a>.</em></p>
<blockquote>
<h2>[4.4.18] - 2024-01-16</h2>
<h3>Fixes</h3>
<ul>
<li><em>(error)</em> When lacking <code>usage</code> feature, ensure the
list of required arguments is unique</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="0134f45ff0"><code>0134f45</code></a>
chore: Release</li>
<li><a
href="995ee03277"><code>995ee03</code></a>
docs: Update changelog</li>
<li><a
href="2f1890907e"><code>2f18909</code></a>
Merge pull request <a
href="https://redirect.github.com/clap-rs/clap/issues/5314">#5314</a>
from epage/required</li>
<li><a
href="0a635b9a20"><code>0a635b9</code></a>
fix(parser): Don't duplicate requireds when usage disabled</li>
<li><a
href="e648e086f3"><code>e648e08</code></a>
Merge pull request <a
href="https://redirect.github.com/clap-rs/clap/issues/5311">#5311</a>
from sourcefrog/doc-exitcode</li>
<li><a
href="8c83971b8c"><code>8c83971</code></a>
docs: Link to exit code info</li>
<li><a
href="b250c0b5f5"><code>b250c0b</code></a>
Merge pull request <a
href="https://redirect.github.com/clap-rs/clap/issues/5310">#5310</a>
from epage/pty</li>
<li><a
href="c742b8eb0c"><code>c742b8e</code></a>
chore(complete): Update completest-pty</li>
<li><a
href="f524d84c1d"><code>f524d84</code></a>
chore: Release</li>
<li><a
href="944fb81cf5"><code>944fb81</code></a>
docs: Update changelog</li>
<li>Additional commits viewable in <a
href="https://github.com/clap-rs/clap/compare/v4.4.17...v4.4.18">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [uuid](https://github.com/uuid-rs/uuid) from 1.6.1 to 1.7.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/uuid-rs/uuid/releases">uuid's
releases</a>.</em></p>
<blockquote>
<h2>1.7.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Add missing test for invalid parse_str by <a
href="https://github.com/CXWorks"><code>@CXWorks</code></a> in <a
href="https://redirect.github.com/uuid-rs/uuid/pull/723">uuid-rs/uuid#723</a></li>
<li>Upgrade borsh unstable dependency to v1.0 and make it stable by <a
href="https://github.com/bgeron"><code>@bgeron</code></a> in <a
href="https://redirect.github.com/uuid-rs/uuid/pull/724">uuid-rs/uuid#724</a></li>
<li>Reduce the package size of uuid by <a
href="https://github.com/KodrAus"><code>@KodrAus</code></a> in <a
href="https://redirect.github.com/uuid-rs/uuid/pull/726">uuid-rs/uuid#726</a></li>
<li>Make use of newer Cargo features for specifying dependencies by <a
href="https://github.com/KodrAus"><code>@KodrAus</code></a> in <a
href="https://redirect.github.com/uuid-rs/uuid/pull/727">uuid-rs/uuid#727</a></li>
<li>Prepare for 1.7.0 release by <a
href="https://github.com/KodrAus"><code>@KodrAus</code></a> in <a
href="https://redirect.github.com/uuid-rs/uuid/pull/728">uuid-rs/uuid#728</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/CXWorks"><code>@CXWorks</code></a> made
their first contribution in <a
href="https://redirect.github.com/uuid-rs/uuid/pull/723">uuid-rs/uuid#723</a></li>
<li><a href="https://github.com/bgeron"><code>@bgeron</code></a> made
their first contribution in <a
href="https://redirect.github.com/uuid-rs/uuid/pull/724">uuid-rs/uuid#724</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/uuid-rs/uuid/compare/1.6.1...1.7.0">https://github.com/uuid-rs/uuid/compare/1.6.1...1.7.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="cefc353334"><code>cefc353</code></a>
Merge pull request <a
href="https://redirect.github.com/uuid-rs/uuid/issues/728">#728</a> from
uuid-rs/cargo/1.7.0</li>
<li><a
href="3255b5414b"><code>3255b54</code></a>
prepare for 1.7.0 release</li>
<li><a
href="403bb17c1a"><code>403bb17</code></a>
Merge pull request <a
href="https://redirect.github.com/uuid-rs/uuid/issues/727">#727</a> from
uuid-rs/chore/cargo-cleanup</li>
<li><a
href="b7c6e26fea"><code>b7c6e26</code></a>
make use of newer Cargo features for specifying dependencies</li>
<li><a
href="ed13c73c7c"><code>ed13c73</code></a>
Merge pull request <a
href="https://redirect.github.com/uuid-rs/uuid/issues/726">#726</a> from
uuid-rs/chore/pkg-size</li>
<li><a
href="2e92a3d45f"><code>2e92a3d</code></a>
Merge pull request <a
href="https://redirect.github.com/uuid-rs/uuid/issues/724">#724</a> from
bgeron/borsh-1</li>
<li><a
href="38f01ffccf"><code>38f01ff</code></a>
rename workflow</li>
<li><a
href="eab4b85919"><code>eab4b85</code></a>
reduce the package size of uuid</li>
<li><a
href="421d752847"><code>421d752</code></a>
Make the borsh feature work by itself, without having to specify private
feat...</li>
<li><a
href="2534949aa3"><code>2534949</code></a>
Continue making feature borsh stable, as suggested by <a
href="https://github.com/KordAus"><code>@KordAus</code></a></li>
<li>Additional commits viewable in <a
href="https://github.com/uuid-rs/uuid/compare/1.6.1...1.7.0">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps
[async-compression](https://github.com/Nullus157/async-compression) from
0.4.5 to 0.4.6.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/Nullus157/async-compression/releases">async-compression's
releases</a>.</em></p>
<blockquote>
<h2>async-compression: v0.4.6</h2>
<ul>
<li>Flush available data in decoder even when there's no incoming
input.</li>
<li>Return errors instead of panicking in all encode and decode
operations.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/Nullus157/async-compression/blob/main/CHANGELOG.md">async-compression's
changelog</a>.</em></p>
<blockquote>
<h2>0.4.6</h2>
<ul>
<li>Flush available data in decoder even when there's no incoming
input.</li>
<li>Return errors instead of panicking in all encode and decode
operations.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="d913b2710c"><code>d913b27</code></a>
Merge pull request <a
href="https://redirect.github.com/Nullus157/async-compression/issues/257">#257</a>
from Nullus157/rel-046</li>
<li><a
href="ea4bb3cd22"><code>ea4bb3c</code></a>
Merge branch 'main' into rel-046</li>
<li><a
href="6e3996d821"><code>6e3996d</code></a>
Merge pull request <a
href="https://redirect.github.com/Nullus157/async-compression/issues/247">#247</a>
from Nullus157/fix-123</li>
<li><a
href="e323ad9c0c"><code>e323ad9</code></a>
chore: prepare release 0.4.6</li>
<li><a
href="db0d11f5f4"><code>db0d11f</code></a>
fix merge error</li>
<li><a
href="22ed0ac4ca"><code>22ed0ac</code></a>
flush data still available in the decoder when no input (<a
href="https://redirect.github.com/Nullus157/async-compression/issues/123">#123</a>)</li>
<li><a
href="7a57dfd374"><code>7a57dfd</code></a>
style: consistent use of io::Error* (<a
href="https://redirect.github.com/Nullus157/async-compression/issues/256">#256</a>)</li>
<li><a
href="5926e78444"><code>5926e78</code></a>
Merge pull request <a
href="https://redirect.github.com/Nullus157/async-compression/issues/255">#255</a>
from garypen/garypen/fewer-panics</li>
<li><a
href="3daaee7b7a"><code>3daaee7</code></a>
Add missing Use statements</li>
<li><a
href="cf7a1df61b"><code>cf7a1df</code></a>
Replacing panics with errors improves the usability of the crate</li>
<li>See full diff in <a
href="https://github.com/Nullus157/async-compression/compare/async-compression-v0.4.5...async-compression-v0.4.6">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [shlex](https://github.com/comex/rust-shlex) from 1.2.0 to 1.3.0.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/comex/rust-shlex/blob/master/CHANGELOG.md">shlex's
changelog</a>.</em></p>
<blockquote>
<h1>1.3.0</h1>
<ul>
<li>Full fix for the high-severity security vulnerability <a
href="https://rustsec.org/advisories/RUSTSEC-2024-0006.html">RUSTSEC-2024-0006</a>
a.k.a. <a
href="https://github.com/comex/rust-shlex/security/advisories/GHSA-r7qv-8r2h-pg27">GHSA-r7qv-8r2h-pg27</a>:
<ul>
<li>Deprecates quote APIs in favor of <code>try_</code> equivalents that
complain about nul bytes.</li>
<li>Also adds a builder API, which allows re-enabling nul bytes without
using the deprecated interface, and in the future can allow other things
(as discussed in quoting_warning).</li>
<li>Adds documentation about various security risks that remain,
particularly with interactive shells.</li>
</ul>
</li>
<li>Adds explicit MSRV of 1.46.0.</li>
</ul>
<h1>1.2.1</h1>
<ul>
<li>Partial fix for the high-severity security vulnerability <a
href="https://rustsec.org/advisories/RUSTSEC-2024-0006.html">RUSTSEC-2024-0006</a>
a.k.a. <a
href="https://github.com/comex/rust-shlex/security/advisories/GHSA-r7qv-8r2h-pg27">GHSA-r7qv-8r2h-pg27</a>
without bumping MSRV:
<ul>
<li>The bytes <code>{</code> and <code>\xa0</code> are now escaped by
quoting functions.</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/comex/rust-shlex/commits">compare view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/firezone/firezone/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Probably needs some refactoring and prettifying before it comes out of
drafts.
---------
Signed-off-by: Reactor Scram <ReactorScram@users.noreply.github.com>
I tested this by temporarily putting panics in `test_ipc_manager` and
`test_ipc_worker`.
It looks like, if a process crashes, Windows will clean up its named
pipe, and the process waiting on the other side of the named pipe will
get an error.
This is good but it's not air-tight - ~~We could still have a situation
where a worker process locks up, and the main process crashes, and the
worker process then leaks.~~ #3311 will fix that
For that case I'll try this
https://stackoverflow.com/questions/53208/how-do-i-automatically-destroy-child-processes-in-windows
---------
Signed-off-by: Reactor Scram <ReactorScram@users.noreply.github.com>
Bumps [wintun](https://github.com/nulldotblack/wintun) from 0.3.2 to
0.4.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/nulldotblack/wintun/releases">wintun's
releases</a>.</em></p>
<blockquote>
<h2>v0.4.0</h2>
<h2>Added</h2>
<ul>
<li><code>Adapter::get_mtu</code>, <code>set_dns_servers</code>, and
<code>Adapter::get_active_network_interface_gateways</code>: <a
href="https://redirect.github.com/nulldotblack/wintun/pull/13">nulldotblack/wintun#13</a></li>
<li><code>Error::ShuttingDown</code>: <a
href="https://redirect.github.com/nulldotblack/wintun/pull/14">nulldotblack/wintun#14</a></li>
</ul>
<h3>Breaking Changes</h3>
<ul>
<li>Adding the <code>ShuttingDown</code> variant to
<code>wintun::Error</code> breaks exhastive matches on previous
versions. <code>wintun::Error</code> is now marked
<code>#[non_exhaustive]</code> to make future additions backwards
compatable</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/nulldotblack/wintun/blob/main/CHANGELOG.md">wintun's
changelog</a>.</em></p>
<blockquote>
<h2>[0.4.0] - 2024-01-12</h2>
<h2>Added</h2>
<ul>
<li><code>Adapter::get_mtu</code>, <code>set_dns_servers</code>, and
<code>Adapter::get_active_network_interface_gateways</code>: <a
href="https://redirect.github.com/nulldotblack/wintun/pull/13">nulldotblack/wintun#13</a></li>
<li><code>Error::ShuttingDown</code>: <a
href="https://redirect.github.com/nulldotblack/wintun/pull/14">nulldotblack/wintun#14</a></li>
</ul>
<h3>Breaking Changes</h3>
<ul>
<li>Adding the <code>ShuttingDown</code> variant to
<code>wintun::Error</code> breaks exhastive matches on previous
versions. <code>wintun::Error</code> is now marked
<code>#[non_exhaustive]</code> to make future additions backwards
compatable</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/nulldotblack/wintun/commits/v0.4.0">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Reactor Scram <ReactorScram@users.noreply.github.com>
Before, any user logging into via the OIDC connector would need to have
an identity created beforehand with their known `sub` id. This presented
a chicken-and-egg scenario where this was only populated in the
`Identity Providers` settings flow by an admin, preventing regular users
from signing in.
With this change, Admins can now create identities for actors and
specify an `email` address or `sub` claim value to match against for
incoming authentications to the connector.
This will allow end-users to authenticate with the configured OIDC
connector.
Fixes#3308
To work around #2975 I want to run connlib in a subprocess.
We're already using Tokio' `named_pipe` module for deep links, so I made
a generic request-response IPC system with it.
This can get merged in as its own PR, and the actual moving of the
connlib `Session` will be a later PR atop this.
Bumps [h2](https://github.com/hyperium/h2) from 0.3.23 to 0.3.24.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/hyperium/h2/releases">h2's
releases</a>.</em></p>
<blockquote>
<h2>v0.3.24</h2>
<h2>Fixed</h2>
<ul>
<li>Limit error resets for misbehaving connections.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/hyperium/h2/blob/v0.3.24/CHANGELOG.md">h2's
changelog</a>.</em></p>
<blockquote>
<h1>0.3.24 (January 17, 2024)</h1>
<ul>
<li>Limit error resets for misbehaving connections.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="7243ab5854"><code>7243ab5</code></a>
Prepare v0.3.24</li>
<li><a
href="d919cd6fd8"><code>d919cd6</code></a>
streams: limit error resets for misbehaving connections</li>
<li>See full diff in <a
href="https://github.com/hyperium/h2/compare/v0.3.23...v0.3.24">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/firezone/firezone/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Closes#3211
Also generally reduces our dependence on Tauri a lot, breaking some
cycles of "I need this initialized to initialize Tauri, but I need Tauri
initialized to initialize this"
Specifically deep linking had some problems:
- Passing PIPE_ID when there was no other possible valid argument
- Production use case accidentally flowed through a debug subcommand
- Unused subcommands that were ready to be removed
Why:
* The Sites edit page was toggling the routing option in the page on and
off every time a change to the page was made (i.e. every time something
was clicked or typed). This was causing the Site to not be editable in
certain situations. It ended up being because the form field value being
set was not consistently the same type. It would come back as either an
atom or a string, but the radio button input was only checking for
atoms.
Fixes: #3239
Currently, `firezone-connection` can only handle connections on a LAN.
Via the use of a STUN server, we can discover our public IP and attempt
to direct, hole-punched connection across multiple subnets.
Why:
* Previously the terraform for all of the AWS infra was created and run
outside of the mono repo. While this was very quick to setup and work
with, keeping the gateway up to date was easy to forget about. Moving
all of the AWS infra TF into the mono repo will allow everything to stay
up to date and will make sure everyone has easy access to update any of
the infra as needed.
---------
Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
While working on #3288 I saw a few messages that we don't explicitly
handle from the portal.
This PR changes it so that we handle them correctly and we don't just
depend on coincidental behavior..
... ProgramData/dev.firezone.client/dumps/last_crash.dmp, in debug
builds only for now
For #3111.
I was way off on my estimated dump size. It's only about 500 KB.
Please double-check that the Linux exes are still stripped properly.
Windows, Linux, and Mac have different ways to do embedded or
non-embedded debug info, so the Windows client should still be 20 MB but
with a ~62MB pdb next to it, and the Linux client should still be 15 MB.
- [ ] Check Linux artifacts weren't accidentally affected
- [ ] Make sure connlib's panic handler doesn't interfere with this
- [ ] Later on, change CI so pdb files are saved as artifacts
- [ ] Later on, enable for release builds
---------
Signed-off-by: Reactor Scram <ReactorScram@users.noreply.github.com>
Some dns servers return NXDOMAIN for queries where the address exists
but there is no
answer for the given query type(e.g. AAAA-only records). This is not up
to spec and
musl PROPERLY assumes that means there is no record of any type. Saddly,
this happens even
with google DNS so we can expect it to happen everywhere. So we use
getaddrinfo to separate
requests for A and AAAA queries and preventing this.
Seems to work locally, though the exact situation where we have a record
that returns NXDOMAIN while it exists is easier to reproduce in staging,
we should test it after we merge.
Fixes#3215
Getting IPv6-related timeouts and flakiness. It's disabled for the
testbed and the connection tests so following suit here since we don't
have tests that use IPv6.
