firezone/elixir/config/prod.exs
Jamil f1a5af356d fix(portal): groom resource list and flows periodically (#10005)
Time-based policy conditions are tricky. When they authorize a flow, we
correctly tell the Gateway to remove access when the time window
expires.

However, we do nothing on the client to reset the connectivity state.
This means that whenever the window of time of access was re-entered,
the client would essentially never be able to connect to it again until
the resource was toggled.

To fix this, we add a 1-minute check in the client channel that
re-checks allowed resources, and updates the client state with the
difference. This means that policies that have time-based conditions are
only accurate to the minute, but this is how they're presented anyhow.


For good measure, we also add a periodic job that runs every minute to
delete expired Flows. This will propagate to the Gateway where, if the
access for a particular client-resource is determined to be actually
gone, will receive `reject_access`.

Zooming out a bit, this PR furthers the theme that:

- Client channels react to underlying resource / policy / membership
changes directly, while
- Gateway channels react primarily to flows being deleted, or the
downstream effects of a prior client authorization
2025-07-25 21:04:41 +00:00

64 lines
1.5 KiB
Elixir

import Config

###############################
##### Domain ##################
###############################

config :domain, Domain.Repo,
  pool_size: 10,
  show_sensitive_data_on_connection_error: false

###############################
##### Web #####################
###############################

config :web, Web.Endpoint,
  cache_static_manifest: "priv/static/cache_manifest.json",
  server: true

###############################
##### API #####################
###############################

config :api, API.Endpoint, server: true

###############################
##### Third-party configs #####
###############################

secret_keys = [
  "password",
  "secret",
  "nonce",
  "fragment",
  "state",
  "token",
  "public_key",
  "private_key",
  "preshared_key",
  "session",
  "sessions",
  "connection_opts"
]

config :phoenix, :filter_parameters, secret_keys

# Do not print debug messages in production and handle all
# other reports by Elixir Logger with JSON back-end so that
# we can parse them in log analysis tools.
# Notice: SASL reports turned off because of their verbosity.
# Notice: Log level can be overridden on production with LOG_LEVEL environment variable.
config :logger,
  handle_sasl_reports: false,
  handle_otp_reports: true

config :logger_json, :config,
  metadata: {:all_except, [:socket, :conn, :otel_trace_flags]},
  redactors: [
    {LoggerJSON.Redactors.RedactKeys, secret_keys}
  ]

config :logger, level: :info

config :swoosh, local: false
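
The `secret_keys` list above drives redaction by key name, so what it covers depends on how keys are matched and on where the secret sits. The following is an added example, not Firezone's code or either library's implementation: the module `RedactionCheck`, its two matching modes and the sample data are assumptions made for illustration (`:contains` follows the substring matching Phoenix documents for `:filter_parameters`; `:exact` is an assumed stricter key-list redactor).

```elixir
defmodule RedactionCheck do
  # Same terms as secret_keys in prod.exs above.
  @secret_keys ~w(password secret nonce fragment state token public_key
                  private_key preshared_key session sessions connection_opts)

  # Recursively replaces values whose *key* matches the list.
  #   :contains -> key contains any listed term (substring match)
  #   :exact    -> key equals a listed term (assumed stricter redactor)
  def redact(data, mode, keys \\ @secret_keys)

  def redact(map, mode, keys) when is_map(map) and not is_struct(map) do
    Map.new(map, fn {k, v} ->
      if hit?(to_string(k), mode, keys) do
        {k, "[REDACTED]"}
      else
        {k, redact(v, mode, keys)}
      end
    end)
  end

  def redact(list, mode, keys) when is_list(list),
    do: Enum.map(list, &redact(&1, mode, keys))

  # Scalars, tuples and structs are passed through untouched:
  # a secret embedded in a value is never inspected.
  def redact(other, _mode, _keys), do: other

  defp hit?(key, :contains, keys), do: String.contains?(key, keys)
  defp hit?(key, :exact, keys), do: key in keys
end

# Constructed sample metadata, not real Firezone log output.
sample = %{
  "email" => "user@example.com",
  "password" => "constructed-password",
  "client_token" => "constructed-token",
  "redirect_url" => "https://portal.example/cb?state=abc&token=constructed-token",
  "gateway" => %{"public_key" => "constructed-pk", "name" => "gw-1"}
}

# Compare what each matching mode leaves visible.
for mode <- [:contains, :exact] do
  IO.inspect(RedactionCheck.redact(sample, mode), label: mode)
end
```

In both modes the token inside `redirect_url` survives because only key names are compared, and under `:exact` the `client_token` field survives as well; fields like these need their own entry in the list or scrubbing before they reach the logger.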