boundary

Commit Graph

Author	SHA1	Message	Date
Johan Brandhorst-Satzkorn	ec0a3f964b	Worker status refactor (#5417 ) * oss: feat(proto): statistics rpc added to server coordination service * oss: feat(session): add update statistics status service * oss: feat(handlers): add Statistics method to worker service server * oss: feat(worker): add statistics ticking * oss: internal/proto: define the new RoutingInfo RPC * oss: internal/server: repository changes for RoutingInfo RPC * oss: internal/daemon: add RoutingInfo handler to worker service The new RoutingInfo RPC is used to get information from the worker that is used to make routing decisions on the controller. It also handles the initial request from the worker. * oss: feat(db): server_worker_session_info table * oss: feat(proto): session info rpc for server coordination service * oss: feat(server): worker session info request data type * oss: feat(worker): session info ticker * oss: feat(handler): server coordination handler for session info * oss: feat(session): utilize session info request time for session cleanup * oss: proto: fix some gotags comments Some of these fields were missing comments, while others had incorrectly formatted comments. * oss: worker: send connection status to server This is required for the correct tracking of orphaned connections * oss: internal/daemon/worker: add function to wait for Statistics RPC * oss: internal/daemon/worker: add routing info RPC The new RoutingInfo RPC replaces part of the Status RPC, namely the part which is used by the controller and worker to perform decisions around the establishment of new sessions and new worker connections. * oss: internal/daemon/worker: remove unnecessary error check * oss: internal/daemon/worker: lock access to config and upstreams The new confLock protects access to the conf value and to the addressReceivers slice. * oss: worker: replace Status RPC with RoutingInfo * oss: worker: deprecate the Status RPC and related types The Status RPC and related messages have been replaced by the RoutingInfo/SessionInfo/Statistics RPCs. The controller will continue to support the Status RPC until two new minor versions have been released. * oss: internal/event: add default deny for new worker RPCs * oss: internal/daemon/worker: allow RPC interval to be set The new SessionInfo/RoutingInfo/Statistics RPCs run at long intervals, which make some of our cluster tests take a long time to complete. This allows their interval to be configured in tests. * oss: all: use TestWorkerRPCInterval in slow tests This should speed up these tests significantly. * oss: internal/tests/cluster: reset sys eventer in test --------- Co-authored-by: Damian Debkowski <damian.debkowski@hashicorp.com>	1 year ago
Hugo	846c849589	Worker Domain Refactor (#5338 ) * feat(server): Refactor LookupWorkerByName to be a test method * feat(server): Split worker tags table * refact(worker): Export api and config tags * refact(server): Return worker id from UpsertWorkerStatus * refact(server): Create ListWorkerStorageBucketUpdates domain function * refact(server): Use dedicated HCPb-worker list func * refact(server): Create ConnectionRoute domain function * refact(handlers): Move worker selection logic to internal/server package This commit moves all the logic to select a worker to handle a session to the internal/server package. Most functions were moved to this package with no changes, however, there are a couple of notable exceptions: - Given that we don't use GRPC errors in repos, all errors were adjusted to use the internal/errors package instead. - StorageBucketFilterCredIdFn is now used to prevent the internal/server package from importing internal/storage/plugin, which would cause a dep cycle. Callers of SelectSessionWorkers must implement this func which is responsible for returning a storage bucket's worker filter as well as its associated credential id. - authorizeSessionWithWorkerFilter now receives an internal/server.(Repository) object when called. This is transparent to SelectSessionWorkers callers as it is handled internally. feat(server): Add FilteredWithFeatures fn and new server options * refact(server): create new list and lookup worker queries * test(server): Add WorkerList unit tests * feat(server): Implement WorkerList randomness using crypto/rand pkg * chore(db): add index to server_worker table * refact(server): prefix test method with Test * refact(server): rename Downstreamers interface to Graph * chore(server): unexport and rename method * chore: add doc string to WorkerAddress (#5420) --------- Co-authored-by: Irena Rindos <irenarindos@users.noreply.github.com> Co-authored-by: irenarindos <irena.rindos@gmail.com>	1 year ago
dani	62c41191ff	[fix] allow IPv6 controllers, workers, and targets (#5221 ) Co-authored-by: Damian Debkowski <damian.debkowski@hashicorp.com>	1 year ago
Jeff Mitchell	62d4f8453b	Don't explode grants from the DB (#5104 ) This removes the Cartesian product in the DB for GrantsForUser in favor of returning the actual grant scope information and dealing with it in application code. (cherry picked from commit `913cd53682`)	1 year ago
Jeff Mitchell	3a4ee032d9	Paginate targets in cache (#5101 ) * Update Go API to support pagination * Implement pagination of targets in cache (cherry picked from commit `cd25fad42f`)	1 year ago
Damian Debkowski	9576ed40dc	test: improve test to ensure ipv6 compatability (#5113 )	1 year ago
Hugo	903039e885	fix(daemon): Return 404 if alias interceptor ResolveRequestIds fails (#5006 )	2 years ago
Johan Brandhorst-Satzkorn	c6f3c375f3	api: remove deprecated grant_scope_id field (#4886 ) * api: remove deprecated grant_scope_id field The grant_scope_id field was deprecated in 0.15.0, so we can remove it for 0.17.0. * Fix tests * Fix more tests * Remove an option and some related code that stuck around * Fix bats tests --------- Co-authored-by: Jeff Mitchell <jeffrey.mitchell@gmail.com>	2 years ago
Todd	608b6bb2b7	Add ListResolvableAliases SDK changes (#4653 ) * Add API changs for list resolvable aliases	2 years ago
Todd	55fe70e643	Change 404 errors for aliases to 401s (#4575 ) * Change 404 errors for alias resolution to 401s --------- Co-authored-by: Johan Brandhorst-Satzkorn <johan.brandhorst@gmail.com>	2 years ago
Todd	868228847d	Add handler and API support for alias creation with target (#4508 ) * Add handler and API support for alias creation with target	2 years ago
Todd	305bb09c35	Treat alias values like other required fields in API and CLI (#4404 ) * Treat Alias values like other required fields in API and CLI * Fix protoc versions since we recently rebased on main which uses updated version	2 years ago
Todd	a6c96d69ae	Add TargetAliasAuthorizeSessionArgumentsHostId api options (#4397 ) * Add host id api option	2 years ago
Todd	78e10864c4	Add alias CLI CRUDL commands (#4353 ) * Add alias CLI CRUDL commands	2 years ago
Todd	3f3b624b54	Add alias resolution to target service (#4277 ) * Add aliases to target resource and alias resolution to target service * Wire up the target alias domain package to the target service handler * Adding alias resolution to target api tests	2 years ago
Todd	92181e272a	Create the alias service and resource (#4276 ) * Create the alias service and resource * Add alias generated API files and tests	2 years ago
Todd	53c95e1775	Extract out the setup of workers and targets to handle ent specific configurations (#4461 )	2 years ago
Jeff Mitchell	f5dd457b34	Multiple grant scope IDs (#4251 ) Co-authored-by: Timothy Messier <tim.messier@gmail.com> Co-authored-by: Todd <github@quaddi.com>	2 years ago
Jeff Mitchell	fff5f9506f	Migrate proxy logic to the API package (#4216 ) This allows arbitrary programs to have an easy mechanism to make connections through Boundary using Go. Internal cluster tests and test helpers have been migrated to use this package, as well as the `connect` command. --------- Co-authored-by: Johan Brandhorst-Satzkorn <johan.brandhorst@gmail.com>	2 years ago
Jeff Mitchell	253d79116c	Swap id field in grants to ids since that's now standardized (#4250 ) * Swap id field in grants to ids since that's now standardized * Fix some tests I missed * Update generated resource table	2 years ago
Johan Brandhorst-Satzkorn	b7e474d277	internal/handlers: add accounts pagination	2 years ago
Michael Milton	8d50a0913f	Auth Method list pagination (#4165 ) * wip * implement list pagination for auth methods * remove unused code * update tests to fix sorting * address PR comments * simplify query, add token tests * change test name * wip sql testing * add boolean column to indicate whether auth methods should be returned to unauthenticated users, remove secrets from api response * is_active_public not null * remove secrets and unwrapping * move not null to immediately after data migration * order public_id descending * fix(db): Fix auth method migrations (#4193) * wip * fix db tests * fix failing api tests * reverse order of create time and update time in test --------- Co-authored-by: Michael Gaffney <mike@gaffney.cc>	2 years ago
Johan Brandhorst-Satzkorn	3b54611d14	api: update api listing Change from refresh token to list token	2 years ago
Johan Brandhorst-Satzkorn	4e368f154f	internal/tests: add target pagination test	2 years ago
Timothy Messier	758e7b8bf1	test(credentials): Disable rate limiting for test This test quickly polls a list endpoint, which exceeds the default rate limits before the test can complete in CI.	2 years ago
Timothy Messier	c52caae345	refact(action): Make ActionSet behave as a set instead of a list This switches the implementation of an ActionSet from a slice to a map to ensure the elements in an ActionSet are unique. This allows for other packages to perform set operations such as a union or difference without needing to account for duplicates.	2 years ago
Jeff Mitchell	92f7d8cfb2	Minor test fixes (#4004 ) * Minor test fixes The auth rotation test fix allows us to keep checking if we did not yet see the expected bytes in case the call to lookup succeeds but we are late in rotating due to parallelism. The api credentials test fix allows us to check if at _least_ one rotation has happened. That way if two rotations happen before we check again due to parallelism, this is deemed a successful result. * Add timeout to auth rotation test	2 years ago
Jeff Mitchell	a9e372930d	Revert `0bf60996c5` (#3990 ) Post-merge some issues were discovered with the ways typing is used for proto reflection. This will be reworked without moving the subtypes around.	2 years ago
guangwu	8bb6632512	chore: remove refs to deprecated io/ioutil (#3811 ) Signed-off-by: guoguangwu <guoguangwu@magic-shield.com>	2 years ago
Jeff Mitchell	0bf60996c5	Add generic read/update/delete commands (#3967 ) * Add generic read/update/delete commands This adds three generic commands that use the resource prefix to determine the subcommand to run and pass through args over to that subcommand. Since this occurs very early on and to avoid loading essentially every internal resource package, I moved subtype definitions to globals. * Update main.go Co-authored-by: Johan Brandhorst-Satzkorn <johan.brandhorst@gmail.com> * Update changelog and remove another deprecated command --------- Co-authored-by: Johan Brandhorst-Satzkorn <johan.brandhorst@gmail.com>	2 years ago
Jeff Mitchell	fb4a5a98dc	Add some target fields and move some things around (#3879 ) In preparation for putting proxy code in the api package this creates some necessary fields in the target output and it pre-moves credential parsing and proxy handshake code to their new places. This will make the diff for the actual proxy code move quite a bit smaller. Co-authored-by: Johan Brandhorst-Satzkorn <johan.brandhorst@gmail.com>	2 years ago
Michael Li	dc912e2a86	test: Update tests to account for deprecated features in 0.14.0 (#3776 ) * chore: Fix comment typo * test(e2e): Update to use new credential library type * test(e2e): Update to use new field name * test(bats): Remove tests that use deprecated subcommand * chore: Update to 0.14.0 * test(credentiallibraries): Update to use new credential library type * doc: Add deprecation notices for 0.14.0 * fixup! doc: Add deprecation notices for 0.14.0	2 years ago
dani	a7c1876d7b	remove deprecated option application-credential-source (#3728 ) Co-authored-by: Danielle Miu <29378233+DanielleMiu@users.noreply.github.com>	2 years ago
Irena Rindos	9733a250fa	refact(event): move observability/event to event (#3704 )	2 years ago
Johan Brandhorst-Satzkorn	f89515a19c	all: avoid mutating global state in parallel tests (#3687 ) The SetupSuiteTargetFilters globally mutates the function used for logic inside the target handler service. This means that we could get inconsistent logical behavior in certain tests that were run in parallel, since the logic can change at runtime. Ensure tests that make use of this function are never run in parallel with other tests.	2 years ago
hashicorp-copywrite[bot]	29da0bcb92	[COMPLIANCE] License changes (#3567 ) * Adding explicit MPL license for sub-package. This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at https://hashi.co/bsl-blog, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * Update copyright file headers to BUS-1.1 * Rerun make gen This will pick up the last of the license changes * Revert "Rerun make gen" This reverts commit `dbe0968bff`. * Remove copywrite from generation script The current version of copywrite is not sophisticated enough to only apply the copywrite changes to certain subdirectories, so to avoid accidentally relicensing our api and sdk modules, we will stop running the copywrite script until such time that it can do the right thing. * License protobuf API as MPL The protobuf API files are used to generate the SDK, since we want the SDK to be MPL, the protobuf files must also be MPL. This extends to all protobuf files whose sources end up in the SDK directory, including: - internal/proto/controller/api - internal/proto/controller/custom_options - internal/proto/plugin It also includes the generated service directory in internal/gen/controller/api/services, since they are generated from the protobuf sources used for the SDK. * Change website license file name This makes the naming scheme consistent with the rest of the repository. * Add note on licensing to README * Set copywrite license to BUSL * Revert "Add note on licensing to README" This reverts commit `4d865a91a7`. --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> Co-authored-by: Johan Brandhorst-Satzkorn <johan.brandhorst@gmail.com>	3 years ago
Johan Brandhorst-Satzkorn	5e78fc72c5	tests: add timeout to key version destruction test (#3537 )	3 years ago
Jeff Mitchell	c149bc4a79	Allow slashes in authorize-session when using target name (#3249 ) This requires specifying `**` as the selector in the proto, which will match any segments and simply requires that the verb is the last part of the URL, which it already is.	3 years ago
Jeff Mitchell	769a7c9e1c	Remove cleanup calls for test controller/worker (#3245 ) A previous commit added a call to t.Cleanup in the NewTestController/NewTestWorker commands; as a result these statements are no longer needed.	3 years ago
Johan Brandhorst-Satzkorn	e04438b7f8	authmethods: fix test broken by LDAP These tests were never updated for LDAP	3 years ago
Jeff Mitchell	20391e3503	Add default client port to targets and use in connect command (#2767 )	3 years ago
Jim	86192f75eb	feature (auth/ldap): add LDAP auth method along with associated accounts and managed groups (#2912 ) * feature (auth): required schema changes for auth ldap method (#2669) chore (auth/ldap): move schema changes to next avail migration number * feature (auth/ldap): define AuthMethod and all its value objects (#2703) * feature (auth/ldap): storage protos * feature (auth/ldap): define AuthMethod and all its value objects * feature (auth/ldap): add repo and reading an auth method (#2718) * feature (auth/ldap): add Repository.CreateAuthMethod(...) and Repository.DeleteAuthMethod(...) (#2724) * feature (auth/ldap): add Repository.UpdateAuthMethod(...) (#2739) * feature (auth/ldap): add Account * feature (auth/ldap): add AuthMethod.EnableGroups * fix (auth/ldap): refactor AuthMethod.oplog to enforce proper constraints * feature (auth/ldap): add Account repo functions * refactor (auth/ldap): remove entry attributes from account Realized the entry attributes could have absolutely anything in them (including binary data) and since we absolutely don't have to have them there's just no reason to take on the risk. * feature (auth/ldap): add AuthMethod.UseTokenGroups * feature (auth/ldap): add Authenticate(...) * refactor (auth/ldap): ensure options take a context as the 1st parameter * feature (auth/ldap): add Account attribute maps * chore (auth/ldap): make fmt deltas * feature (auth/ldap): add managed groups (#2760) * tests (auth/ldap): add missing unit test to Repository.DeleteAccount(...) Add bits to test the delete operation when you're not able to generate oplog metadata * feature (auth/ldap): add managed groups fixup! feature (auth/ldap): add managed groups (#2760) * feature (auth/ldap): service proto definition (#2761) * feature (handlers/authmethods): add handlers for ldap auth method operations (#2794) * feature (auth/ldap): add Account attribute maps * chore (auth/ldap): update cap/ldap to latest version * feature (auth/ldap): add ldap api generation definitions * feature (authmethods): add ldap repo NewService(...) * feature (authmethods/ldap): add proper mask_mapping to protobufs * feature (authmethods): add support to get an ldap auth method * refactor (auth/ldap): export TestGenerateCA(...) * feature (authmethods): add support to create an ldap auth method * feature (authmethods): add support to delete an ldap auth method * feature (authmethods): add support to list ldap auth methods * refactor (auth/ldap): make urls optional for NewAuthMethod(...) * refactor (auth/ldap): export ldap.TestInvalidPem * chore: make fmt changes * fix (auth/ldap): properly handle group search config Add constraints and tests to ensure when an ldap AuthMethod.EnableGroups is true, and UseTokenGroups is false; that there's a GroupDn configured for finding a user's associated groups * feature (authmethods): add support to update an ldap auth methods * chore (db/ldap): tmp mv migrations so there's no conflict with ongoing work * feature (verifier): add ldap auth method to verifier bits * fix (controller): prevent panic when controller stops when there's no listener * feature (authmethods): add support to authenticate via ldap auth methods * chore (migrations): fix whitespace in stmt * chore: fmt fixup * tests (auth/ldap): invalid err msg * feature (cli/authmethods): add support for ldap auth-methods CRUD and authenticate (#2810) * feature (authmethods): add CLI support for ldap auth methods CRUD * tests (api/auth): ldap auth method classification tests * feature (authmethods): add CLI support for ldap auth authenticate * feature (auth/ldap): set request timeouts for ldap server connections * feature (handlers/authmethods): handle u_anon listing properly. * feature (account/handers): ldap account and managed group CRUDL APIs (#2852) * feature (auth/ldap) add repository Listing of ManagedGroupMemberAccount * feature (controller/handlers): add ldapRepoFn to accounts service * feature (auth/ldap) register ldap managed group subtype * feature (account/handlers): ldap account CRUDL APIs * feature (controller/handlers): add ldapRepo to managed groups service * feature (account/handlers): ldap managed group CRUDL APIs * docs (domain): add LDAP accounts, auth-methods and managed groups (#2857) * feature (ldap/cli) add ldap accounts and managed groups CRUDL commands (#2856) * fix (handlers/authmethods): fix ldap authorized actions (#2892) * feature (cli/ldap/authenticate): use primary auth method if none is provided (#2890) * fix (auth/ldap): support setting the state attribute * feature (cli/ldap/authenticate): use primary auth method if none is provided * feature (wh/ldap) add tests for new ldap auth method and accounts (#2919) * refactor (migrations/ldap): mv to correct directory * chore: add copyright headers * fix (api/authmethods/ldap): renumber new LdapAuthMethodAttributes field * fix (auth/ldap): allow the auth method state to be updated (#2951) * chore: update sdk and api versions for llb - this is tmp until merging * tests (managed groups): add required errContains for new test	3 years ago
Jeff Mitchell	b76b24a4ad	Move prefixes for many packages into the globals package (#3069 ) This is a prerequisite for some enhancements to grant validation	3 years ago
Johan Brandhorst-Satzkorn	3c29308673	chore: Add license headers to all files	3 years ago
Hugo	e455e31f9e	fix(target): Incorrectly allowing whitespace on Target's address field (#2862 )	3 years ago
Haotian	43f0ba89cf	feat(credentiallibraries): support vault ssh certificates	3 years ago
Hugo	0bee55aa19	fix(target): Correct accounting of updated rows when deleting address (#2799 ) If an update call was made to a target that removed an address, for a target that already did not have an address, the incorrect number of rows updated was being reported. During the update the target's version was correctly being updated, resulting in one row being updated. However then the delete call would result in zero rows being deleted, since there was no address associated with the target, and this would replace the value for the returned rowsUpdated. This resulted in the target service thinking that no update happened, and it would report an error.	3 years ago
Damian Debkowski	1d3930a711	feat(handlers): Support address field on a Target	3 years ago
Hugo Vieira	c82d2efb14	feat(cli): Implement address flag for boundary targets create/update This commit adds CLI support for addresses to be attached directly to a Target, for all current types of Target (ssh and tcp). It also clarifies the relevant documentation regarding the autogen of API option functionality.	3 years ago
Irena Rindos	9135cc7668	In absence of ingress filter, use directly connected worker (#2757 ) * directly connected ingress filtering	3 years ago

1 2 3

124 Commits (efe9fe780d4094de4ac5041e7b15c24ae6104b9c)