Release v1.0.0 (#3567)

* increase offline auto delete node time

* fix egress HA migration (#3555)

* check for node connectivity status

* NM-20: Add more refined event logs. (#3552)

* feat(go): add more refined event logs;

* feat(go): add more refined event logs;

* feat(go): add an api to validate user identity.

* feat(go): move validate-user-identity under user;

* fix(go): prevent disabling basic auth if deployed by operator; (#3561)

* NM-38: User Config Fixes (#3559)

* Build(deps): bump gorm.io/datatypes from 1.2.5 to 1.2.6

Bumps [gorm.io/datatypes](https://github.com/go-gorm/datatypes) from 1.2.5 to 1.2.6.
- [Release notes](https://github.com/go-gorm/datatypes/releases)
- [Commits](go-gorm/datatypes@v1.2.5...v1.2.6)

---
updated-dependencies:
- dependency-name: gorm.io/datatypes
  dependency-version: 1.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* Build(deps): bump google.golang.org/api from 0.238.0 to 0.240.0 (#3541)

Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.238.0 to 0.240.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.238.0...v0.240.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-version: 0.240.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Build(deps): bump github.com/go-playground/validator/v10 (#3539)

Bumps [github.com/go-playground/validator/v10](https://github.com/go-playground/validator) from 10.26.0 to 10.27.0.
- [Release notes](https://github.com/go-playground/validator/releases)
- [Commits](go-playground/validator@v10.26.0...v10.27.0)

---
updated-dependencies:
- dependency-name: github.com/go-playground/validator/v10
  dependency-version: 10.27.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix(go): prevent idp user from being deleted; (#3538)

* fix(go): use correct method for pro;

fixes: User Config nodes are always reported online.

* fix(go): add device id to extclient;

* fix(go): try match device id;

* fix(go): set device id if not set;

* feat(go): return best match offline extclient;

* fix(go): match device id with owner and gateway;

* fix(go): remove check for rac id;

* fix(go): check status on get node status;

* fix(go): allow offline or unknown extclient;

* feat(go): add count db method;

* feat(go): revert change;

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: Abhishek K <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Revert "NM-38: User Config Fixes (#3559)" (#3562)

This reverts commit 9d65c62.

* fix(go): usage report; (#3563)

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: Vishal Dalwadi <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Author: 3 people

controllers/server.go

@@ -3,6 +3,7 @@ package controller
 import (
 	"encoding/json"
 	"errors"
+	"github.com/google/go-cmp/cmp"
 	"net/http"
 	"os"
 	"strings"
@@ -274,11 +275,11 @@ func updateSettings(w http.ResponseWriter, r *http.Request) {
 	currSettings := logic.GetServerSettings()
 	err := logic.UpsertServerSettings(req)
 	if err != nil {
-		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("failed to udpate server settings "+err.Error()), "internal"))
+		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("failed to update server settings "+err.Error()), "internal"))
 		return
 	}
 	logic.LogEvent(&models.Event{
-		Action: models.Update,
+		Action: identifySettingsUpdateAction(currSettings, req),
 		Source: models.Subject{
 			ID:   r.Header.Get("user"),
 			Name: r.Header.Get("user"),
@@ -323,5 +324,88 @@ func reInit(curr, new models.ServerSettings, force bool) {
 		}
 	}
 	go mq.PublishPeerUpdate(false)
+}
+
+func identifySettingsUpdateAction(old, new models.ServerSettings) models.Action {
+	// TODO: here we are relying on the dashboard to only
+	// make singular updates, but it's possible that the
+	// API can be called to make multiple changes to the
+	// server settings. We should update it to log multiple
+	// events or create singular update APIs.
+	if old.MFAEnforced != new.MFAEnforced {
+		if new.MFAEnforced {
+			return models.EnforceMFA
+		} else {
+			return models.UnenforceMFA
+		}
+	}
+
+	if old.BasicAuth != new.BasicAuth {
+		if new.BasicAuth {
+			return models.EnableBasicAuth
+		} else {
+			return models.DisableBasicAuth
+		}
+	}
+
+	if old.Telemetry != new.Telemetry {
+		if new.Telemetry == "off" {
+			return models.DisableTelemetry
+		} else {
+			return models.EnableTelemetry
+		}
+	}
+
+	if old.NetclientAutoUpdate != new.NetclientAutoUpdate ||
+		old.RacRestrictToSingleNetwork != new.RacRestrictToSingleNetwork ||
+		old.ManageDNS != new.ManageDNS ||
+		old.DefaultDomain != new.DefaultDomain ||
+		old.EndpointDetection != new.EndpointDetection {
+		return models.UpdateClientSettings
+	}
+
+	if old.AllowedEmailDomains != new.AllowedEmailDomains ||
+		old.JwtValidityDuration != new.JwtValidityDuration {
+		return models.UpdateAuthenticationSecuritySettings
+	}
+
+	if old.Verbosity != new.Verbosity ||
+		old.MetricsPort != new.MetricsPort ||
+		old.MetricInterval != new.MetricInterval ||
+		old.AuditLogsRetentionPeriodInDays != new.AuditLogsRetentionPeriodInDays {
+		return models.UpdateMonitoringAndDebuggingSettings
+	}
+
+	if old.Theme != new.Theme {
+		return models.UpdateDisplaySettings
+	}
+
+	if old.TextSize != new.TextSize ||
+		old.ReducedMotion != new.ReducedMotion {
+		return models.UpdateAccessibilitySettings
+	}
+
+	if old.EmailSenderAddr != new.EmailSenderAddr ||
+		old.EmailSenderUser != new.EmailSenderUser ||
+		old.EmailSenderPassword != new.EmailSenderPassword ||
+		old.SmtpHost != new.SmtpHost ||
+		old.SmtpPort != new.SmtpPort {
+		return models.UpdateSMTPSettings
+	}
+
+	if old.AuthProvider != new.AuthProvider ||
+		old.OIDCIssuer != new.OIDCIssuer ||
+		old.ClientID != new.ClientID ||
+		old.ClientSecret != new.ClientSecret ||
+		old.SyncEnabled != new.SyncEnabled ||
+		old.IDPSyncInterval != new.IDPSyncInterval ||
+		old.GoogleAdminEmail != new.GoogleAdminEmail ||
+		old.GoogleSACredsJson != new.GoogleSACredsJson ||
+		old.AzureTenant != new.AzureTenant ||
+		!cmp.Equal(old.GroupFilters, new.GroupFilters) ||
+		cmp.Equal(old.UserFilters, new.UserFilters) {
+		return models.UpdateIDPSettings
+	}
 
+	return models.Update
 }

controllers/user.go

@@ -7,6 +7,7 @@ import (
 	"errors"
 	"fmt"
 	"github.com/pquerna/otp"
+	"golang.org/x/crypto/bcrypt"
 	"image/png"
 	"net/http"
 	"reflect"
@@ -38,6 +39,7 @@ func userHandlers(r *mux.Router) {
 	r.HandleFunc("/api/users/adm/transfersuperadmin/{username}", logic.SecurityCheck(true, http.HandlerFunc(transferSuperAdmin))).
 		Methods(http.MethodPost)
 	r.HandleFunc("/api/users/adm/authenticate", authenticateUser).Methods(http.MethodPost)
+	r.HandleFunc("/api/users/{username}/validate-identity", logic.SecurityCheck(false, logic.ContinueIfUserMatch(http.HandlerFunc(validateUserIdentity)))).Methods(http.MethodPost)
 	r.HandleFunc("/api/users/{username}/auth/init-totp", logic.SecurityCheck(false, logic.ContinueIfUserMatch(http.HandlerFunc(initiateTOTPSetup)))).Methods(http.MethodPost)
 	r.HandleFunc("/api/users/{username}/auth/complete-totp", logic.SecurityCheck(false, logic.ContinueIfUserMatch(http.HandlerFunc(completeTOTPSetup)))).Methods(http.MethodPost)
 	r.HandleFunc("/api/users/{username}/auth/verify-totp", logic.PreAuthCheck(logic.ContinueIfUserMatch(http.HandlerFunc(verifyTOTP)))).Methods(http.MethodPost)
@@ -308,38 +310,6 @@ func authenticateUser(response http.ResponseWriter, request *http.Request) {
 			logic.ReturnErrorResponse(response, request, logic.FormatError(errors.New("access denied to dashboard"), "unauthorized"))
 			return
 		}
-		// log user activity
-		logic.LogEvent(&models.Event{
-			Action: models.Login,
-			Source: models.Subject{
-				ID:   user.UserName,
-				Name: user.UserName,
-				Type: models.UserSub,
-			},
-			TriggeredBy: user.UserName,
-			Target: models.Subject{
-				ID:   models.DashboardSub.String(),
-				Name: models.DashboardSub.String(),
-				Type: models.DashboardSub,
-			},
-			Origin: models.Dashboard,
-		})
-	} else {
-		logic.LogEvent(&models.Event{
-			Action: models.Login,
-			Source: models.Subject{
-				ID:   user.UserName,
-				Name: user.UserName,
-				Type: models.UserSub,
-			},
-			TriggeredBy: user.UserName,
-			Target: models.Subject{
-				ID:   models.ClientAppSub.String(),
-				Name: models.ClientAppSub.String(),
-				Type: models.ClientAppSub,
-			},
-			Origin: models.ClientApp,
-		})
 	}
 
 	username := authRequest.UserName
@@ -393,6 +363,44 @@ func authenticateUser(response http.ResponseWriter, request *http.Request) {
 		return
 	}
 	logger.Log(2, username, "was authenticated")
+
+	// log user activity
+	if !user.IsMFAEnabled {
+		if val := request.Header.Get("From-Ui"); val == "true" {
+			logic.LogEvent(&models.Event{
+				Action: models.Login,
+				Source: models.Subject{
+					ID:   user.UserName,
+					Name: user.UserName,
+					Type: models.UserSub,
+				},
+				TriggeredBy: user.UserName,
+				Target: models.Subject{
+					ID:   models.DashboardSub.String(),
+					Name: models.DashboardSub.String(),
+					Type: models.DashboardSub,
+				},
+				Origin: models.Dashboard,
+			})
+		} else {
+			logic.LogEvent(&models.Event{
+				Action: models.Login,
+				Source: models.Subject{
+					ID:   user.UserName,
+					Name: user.UserName,
+					Type: models.UserSub,
+				},
+				TriggeredBy: user.UserName,
+				Target: models.Subject{
+					ID:   models.ClientAppSub.String(),
+					Name: models.ClientAppSub.String(),
+					Type: models.ClientAppSub,
+				},
+				Origin: models.ClientApp,
+			})
+		}
+	}
+
 	response.Header().Set("Content-Type", "application/json")
 	response.Write(successJSONResponse)
 
@@ -434,6 +442,43 @@ func authenticateUser(response http.ResponseWriter, request *http.Request) {
 	}()
 }
 
+// @Summary     Validates a user's identity against it's token. This is used by UI before a user performing a critical operation to validate the user's identity.
+// @Router      /api/users/{username}/validate-identity [post]
+// @Tags        Auth
+// @Accept      json
+// @Param       body body models.UserIdentityValidationRequest true "User Identity Validation Request"
+// @Success     200 {object} models.SuccessResponse
+// @Failure     400 {object} models.ErrorResponse
+func validateUserIdentity(w http.ResponseWriter, r *http.Request) {
+	username := r.Header.Get("user")
+
+	var req models.UserIdentityValidationRequest
+	err := json.NewDecoder(r.Body).Decode(&req)
+	if err != nil {
+		logger.Log(0, "failed to decode request body: ", err.Error())
+		err = fmt.Errorf("invalid request body: %v", err)
+		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
+		return
+	}
+
+	user, err := logic.GetUser(username)
+	if err != nil {
+		logger.Log(0, "failed to get user: ", err.Error())
+		err = fmt.Errorf("user not found: %v", err)
+		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
+		return
+	}
+
+	var resp models.UserIdentityValidationResponse
+	err = bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(req.Password))
+	if err != nil {
+		logic.ReturnSuccessResponseWithJson(w, r, resp, "user identity validation failed")
+	} else {
+		resp.IdentityValidated = true
+		logic.ReturnSuccessResponseWithJson(w, r, resp, "user identity validated")
+	}
+}
+
 // @Summary     Initiate setting up TOTP 2FA for a user.
 // @Router      /api/users/auth/init-totp [post]
 // @Tags        Auth
@@ -557,6 +602,22 @@ func completeTOTPSetup(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 
+		logic.LogEvent(&models.Event{
+			Action: models.EnableMFA,
+			Source: models.Subject{
+				ID:   user.UserName,
+				Name: user.UserName,
+				Type: models.UserSub,
+			},
+			TriggeredBy: user.UserName,
+			Target: models.Subject{
+				ID:   user.UserName,
+				Name: user.UserName,
+				Type: models.UserSub,
+			},
+			Origin: models.Dashboard,
+		})
+
 		logic.ReturnSuccessResponse(w, r, fmt.Sprintf("totp setup complete for user %s", username))
 	} else {
 		err = fmt.Errorf("cannot setup totp for user %s: invalid otp", username)
@@ -619,6 +680,22 @@ func verifyTOTP(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 
+		logic.LogEvent(&models.Event{
+			Action: models.Login,
+			Source: models.Subject{
+				ID:   user.UserName,
+				Name: user.UserName,
+				Type: models.UserSub,
+			},
+			TriggeredBy: user.UserName,
+			Target: models.Subject{
+				ID:   models.DashboardSub.String(),
+				Name: models.DashboardSub.String(),
+				Type: models.DashboardSub,
+			},
+			Origin: models.Dashboard,
+		})
+
 		logic.ReturnSuccessResponseWithJson(w, r, models.SuccessfulUserLoginResponse{
 			UserName:  username,
 			AuthToken: jwt,
@@ -1135,8 +1212,22 @@ func updateUser(w http.ResponseWriter, r *http.Request) {
 			UserName: logic.MasterUser,
 		}
 	}
+	action := models.Update
+	// TODO: here we are relying on the dashboard to only
+	// make singular updates, but it's possible that the
+	// API can be called to make multiple changes to the
+	// user. We should update it to log multiple events
+	// or create singular update APIs.
+	if userchange.IsMFAEnabled != user.IsMFAEnabled {
+		if userchange.IsMFAEnabled {
+			// the update API won't be used to enable MFA.
+			action = models.EnableMFA
+		} else {
+			action = models.DisableMFA
+		}
+	}
 	e := models.Event{
-		Action: models.Update,
+		Action: action,
 		Source: models.Subject{
 			ID:   caller.UserName,
 			Name: caller.UserName,

logic/extpeers.go

@@ -484,7 +484,7 @@ func GetAllExtClientsWithStatus(status models.NodeStatus) ([]models.ExtClient, e
 	var validExtClients []models.ExtClient
 	for _, extClient := range extClients {
 		node := extClient.ConvertToStaticNode()
-		GetNodeCheckInStatus(&node, false)
+		GetNodeStatus(&node, false)
 
 		if node.Status == status {
 			validExtClients = append(validExtClients, extClient)

logic/settings.go

@@ -33,6 +33,11 @@ func UpsertServerSettings(s models.ServerSettings) error {
 	if s.ClientSecret == Mask() {
 		s.ClientSecret = currSettings.ClientSecret
 	}
+
+	if servercfg.DeployedByOperator() {
+		s.BasicAuth = true
+	}
+
 	data, err := json.Marshal(s)
 	if err != nil {
 		return err
@@ -317,6 +322,10 @@ func GetManageDNS() bool {
 
 // IsBasicAuthEnabled - checks if basic auth has been configured to be turned off
 func IsBasicAuthEnabled() bool {
+	if servercfg.DeployedByOperator() {
+		return true
+	}
+
 	return GetServerSettings().BasicAuth
 }
 

logic/zombie.go

@@ -139,7 +139,10 @@ func ManageZombies(ctx context.Context, peerUpdate chan *models.Node) {
 			if servercfg.IsAutoCleanUpEnabled() {
 				nodes, _ := GetAllNodes()
 				for _, node := range nodes {
-					if time.Since(node.LastCheckIn) > time.Minute*ZOMBIE_DELETE_TIME {
+					if !node.Connected {
+						continue
+					}
+					if time.Since(node.LastCheckIn) > time.Hour*2 {
 						if err := DeleteNode(&node, true); err != nil {
 							continue
 						}
@@ -168,8 +171,8 @@ func checkPendingRemovalNodes(peerUpdate chan *models.Node) {
 			peerUpdate <- &node
 			continue
 		}
-		if servercfg.IsAutoCleanUpEnabled() {
-			if time.Since(node.LastCheckIn) > time.Minute*ZOMBIE_DELETE_TIME {
+		if servercfg.IsAutoCleanUpEnabled() && node.Connected {
+			if time.Since(node.LastCheckIn) > time.Hour*2 {
 				if err := DeleteNode(&node, true); err != nil {
 					continue
 				}