# Gateways
- [x] When Gateway Group is deleted all gateways should be disconnected
- [x] When Gateway Group is updated (eg. routing) broadcast to all
affected gateway to disconnect all the clients
- [x] When Gateway is deleted it should be disconnected
- [x] When Gateway Token is revoked all gateways that use it should be
disconnected
# Relays
- [x] When Relay Group is deleted all relays should be disconnected
- [x] When Relay is deleted it should be disconnected
- [x] When Relay Token is revoked all gateways that use it should be
disconnected
# Clients
- [x] Remove Delete Client button, show clients using the token on the
Actors page (#2669)
- [x] When client is deleted disconnect it
- [ ] ~When Gateway is offline broadcast to the Clients connected to it
it's status~
- [x] Persist `last_used_token_id` in Clients and show it in tokens UI
# Resources
- [x] When Resource is deleted it should be removed from all gateways
and clients
- [x] When Resource connection is removed it should be deleted from
removed gateway groups
- [x] When Resource is updated (eg. traffic filters) all it's
authorizations should removed
# Authentication
- [x] When Token is deleted related sessions are terminated
- [x] When an Actor is deleted or disabled it should be disconnected
from browser and client
- [x] When Identity is deleted it's sessions should be disconnected from
browser and client
- [x] ^ Ensure the same happens for identities during IdP sync
- [x] When IdP is disabled act like all actors for it are disabled?
- [x] When IdP is deleted act like all actors for it are deleted?
# Authorization
- [x] When Policy is created clients that gain access to a resource
should get an update
- [x] When Policy is deleted we need to all authorizations it's made
- [x] When Policy is disabled we need to all authorizations it's made
- [x] When Actor Group adds or removes a user, related policies should
be re-evaluated
- [x] ^ Ensure the same happens for identities during IdP sync
# Settings
- [x] Re-send init message to Client when DNS settings change
# Code
- [x] Crear way to see all available topics and messages, do not use
binary topics any more
---------
Co-authored-by: conectado <gabrielalejandro7@gmail.com>
Before, any user logging into via the OIDC connector would need to have
an identity created beforehand with their known `sub` id. This presented
a chicken-and-egg scenario where this was only populated in the
`Identity Providers` settings flow by an admin, preventing regular users
from signing in.
With this change, Admins can now create identities for actors and
specify an `email` address or `sub` claim value to match against for
incoming authentications to the connector.
This will allow end-users to authenticate with the configured OIDC
connector.
Fixes#3308
- [x] Introduce api_client actor type and code to create and
authenticate using it's token
- [x] Unify Tokens usage for Relays and Gateways
- [x] Unify Tokens usage for magic links
Closes#2367
Ref #2696
Why:
* There was a small bug that was preventing form errors from being shown
while entering the configuration data for OIDC/Google IDPs. It was due
to a nested changeset not having an `action` set.
Closes#3048
the way we were checking for subdomains in the gateways completely
broke, didn't detect it before because the deployed staging version for
gateways is too old.
~~Added a few CI tests so this doesn't' happen again.~~ seems like
github runners [doesn't support pinging the outside
world](https://github.com/actions/runner-images/issues/1519) so I'm
putting that off for now.
- [x] make sure that session cookie for client is stored separately from
session cookie for the portal (will close#2647 and #2032)
- [x] #2622
- [ ] #2501
- [ ] show identity tokens and allow rotating/deleting them (#2138)
- [ ] #2042
- [ ] use Tokens context for Relays and Gateways to remove duplication
- [x] #2823
- [ ] Expire LiveView sockets when subject is expired
- [ ] Service Accounts UI is ambiguous now because of token identity and
actual token shown
- [ ] Limit subject permissions based on token type
Closes#2924. Now we extend the lifetime for client tokens, but not for
browsers.
Why:
* When a new user and/or identity is created using the Email provider,
there is currently no way to notify the new user/identity automatically.
With this commit an email will now be sent to the newly added
user/identity upon successful creation. This will only be done for
identities created with the 'Email' provider.
<img width="621" alt="new_user_email"
src="https://github.com/firezone/firezone/assets/2646332/2e50baf0-34cf-4615-b7f9-30500aa58920">
---------
Signed-off-by: Brian Manifold <bmanifold@users.noreply.github.com>
Co-authored-by: Andrew Dryga <andrew@dryga.com>
Docker-based gateways won't have working IPv6 (good point @AndrewDryga),
so I started testing the systemd gateways more and found some issues I
fixed.
* Update default tab order for Deploy gateways page to prefer systemd
* Update unit file to run gateway as unprivileged user
* Remove dependency on `wget` in unit file
* Fix iptables logic so rules as re-created on reboot
* Use `/var/lib/firezone` instead of `/etc/firezone` for writing runtime
files (`/etc/` is often mounted read-only on hardened systems)
---------
Signed-off-by: Jamil <jamilbk@users.noreply.github.com>
Co-authored-by: Andrew Dryga <andrew@dryga.com>
* Fix numerous typos and grammar
* Align all next/continue action buttons to the right side of the form
* Rework the Gateway deploy page to be more readable and use consistent
colors
* Link to `Troubleshooting` guide for gateway deployments
* Add spacing between `:sections` so they stand out more
* Move help paragraphs into `:help`s
* Make links consistent to `text-accent-500` to match website/docs
(buttons unchanged)
* Add `warning` style button
More to come in further PRs
---------
Co-authored-by: Brian Manifold <bmanifold@gmail.com>
This PR changes the protocol and adds support for DNS subdomains, now
when a DNS resource is added all its subdomains are automatically
tunneled too. Later we will add support for `*.domain` or `?.domain` but
currently there is an Apple split tunnel implementation limitation which
is too labor-intensive to fix right away.
Fixes#2661
Co-authored-by: Andrew Dryga <andrew@dryga.com>
Updated portal to make sure we use primary/accent/neutral in as many
places as possible.
Updated our neutral color palette to only have grayscale colors.
Also aliased the main colors (i.e. red/green/blue/yellow/orange) to use
an `fz_` prefix to allow for easier find/replace if needed, as well as
allowing easy customization of the colors later if needed.
Why:
* When using the Email Auth Provider (a.k.a. Magic Link), a mistyped
email address when adding a new identity or signing up could allow an
unauthorized person access to your Firezone account. To help prevent
this, an email confirmation field has been added during signup and
during identity creation in the portal.
Doing a first pass over documentation and minor UI cleanup. This PR
isn't meant to represent the final state of launch docs, but instead
something that will unblock #2685 and #2675Fixes#2729
Why:
* Self-hosted Relays are not going to be apart of the beta release, so
hiding the functionality in the portal will allow the user not to get
confused about a feature they aren't able to use.
Closes#2178
Updates user-facing terminology to `One-Time Password` to more
accurately reflect this sign in method and match docs more consistently
Refs #2688
Refs #2021
Why:
* As sites are created, the default behavior right now is to route
traffic through whichever path is easiest/fastest. This commit adds the
ability to allow the admin to choose a routing policy for a given site.
The only exception for this is IdP redirect URL's that must be
configured on a third-party system, we will keep using ID's for them so
that if slug changes users don't need to go and reconfigured all the
IdPs.
Why:
* The traffic filter functionality is not quite ready in the system as a
whole, so the web UI will give the ability to hide the section of the
forms to allow for a better end user experience.
