
Merge branch 'release-v0.99.0' into patch/db-conn-pool

Abhishek K il y a 3 mois
Parent
commit
81d8e61eca

+ 1 - 0
.github/ISSUE_TEMPLATE/bug-report.yml

@@ -31,6 +31,7 @@ body:
       label: Version
       description: What version are you running?
       options:
+        - v0.99.0
         - v0.90.0
         - v0.30.0
         - v0.26.0

+ 1 - 1
README.md

@@ -16,7 +16,7 @@
 
 <p align="center">
   <a href="https://github.com/gravitl/netmaker/releases">
-    <img src="https://img.shields.io/badge/Version-0.90.0-informational?style=flat-square" />
+    <img src="https://img.shields.io/badge/Version-0.99.0-informational?style=flat-square" />
   </a>
   <a href="https://hub.docker.com/r/gravitl/netmaker/tags">
     <img src="https://img.shields.io/docker/pulls/gravitl/netmaker?label=downloads" />

+ 1 - 1
compose/docker-compose.netclient.yml

@@ -3,7 +3,7 @@ version: "3.4"
 services:
   netclient:
     container_name: netclient
-    image: 'gravitl/netclient:v0.90.0'
+    image: 'gravitl/netclient:v0.99.0'
     hostname: netmaker-1
     network_mode: host
     restart: on-failure

+ 4 - 0
controllers/user.go

@@ -710,6 +710,10 @@ func createUser(w http.ResponseWriter, r *http.Request) {
 	if !servercfg.IsPro {
 		user.PlatformRoleID = models.AdminRole
 	}
+	if user.UserName == logic.MasterUser {
+		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("username not allowed"), "badrequest"))
+		return
+	}
 
 	if user.PlatformRoleID == "" {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("platform role is missing"), "badrequest"))
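Review bot: The reserved-name check added ahead of the role check compares `user.UserName` with `logic.MasterUser` byte-for-byte, so whether a variant with different casing or surrounding whitespace is also refused depends on username normalisation that this hunk does not show — worth confirming, because that exact string is what SecurityCheck in logic/security.go now trusts without a database lookup. The same comparison and the same "username not allowed" text are repeated in UpdateUser in logic/auth.go; one helper in logic, e.g. `func IsReservedUserName(name string) bool { return name == MasterUser }`, would keep the two call sites from drifting apart. createUser continues past the end of the hunk.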

+ 1 - 1
k8s/client/netclient-daemonset.yaml

@@ -16,7 +16,7 @@ spec:
       hostNetwork: true
       containers:
       - name: netclient
-        image: gravitl/netclient:v0.90.0
+        image: gravitl/netclient:v0.99.0
         env:
         - name: TOKEN
           value: "TOKEN_VALUE"

+ 1 - 1
k8s/client/netclient.yaml

@@ -28,7 +28,7 @@ spec:
       #           - "<node label value>"
       containers:
       - name: netclient
-        image: gravitl/netclient:v0.90.0
+        image: gravitl/netclient:v0.99.0
         env:
         - name: TOKEN
           value: "TOKEN_VALUE"

+ 1 - 1
k8s/server/netmaker-ui.yaml

@@ -15,7 +15,7 @@ spec:
     spec:
       containers:
       - name: netmaker-ui
-        image: gravitl/netmaker-ui:v0.90.0
+        image: gravitl/netmaker-ui:v0.99.0
         ports:
         - containerPort: 443
         env:

+ 4 - 0
logic/auth.go

@@ -282,6 +282,10 @@ func UpdateUser(userchange, user *models.User) (*models.User, error) {
 		if _, err := GetUser(userchange.UserName); err == nil {
 			return &models.User{}, errors.New("username exists already")
 		}
+		if userchange.UserName == MasterUser {
+			return &models.User{}, errors.New("username not allowed")
+		}
+
 		user.UserName = userchange.UserName
 	}
 	if userchange.Password != "" {
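Review bot: The new `userchange.UserName == MasterUser` rejection sits after the `GetUser` existence lookup, so a rename to the reserved name costs a database round-trip before it is refused, and if an account already holds that name the caller gets "username exists already" instead of "username not allowed"; moving the three added lines above the lookup runs the cheap static check first and gives the accurate error. The error string is duplicated from controllers/user.go; a shared sentinel such as `var ErrReservedUserName = errors.New("username not allowed")` would let both sites return the same value. UpdateUser starts and ends outside the hunk.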

+ 10 - 15
logic/egress.go

@@ -39,27 +39,22 @@ func ValidateEgressReq(e *schema.Egress) error {
 func DoesNodeHaveAccessToEgress(node *models.Node, e *schema.Egress, acls []models.Acl) bool {
 	nodeTags := maps.Clone(node.Tags)
 	nodeTags[models.TagID(node.ID.String())] = struct{}{}
+	nodeTags[models.TagID("*")] = struct{}{}
 	for _, acl := range acls {
 		if !acl.Enabled {
 			continue
 		}
 		srcVal := ConvAclTagToValueMap(acl.Src)
-		if acl.AllowedDirection == models.TrafficDirectionBi {
-			if _, ok := srcVal["*"]; ok {
-				return true
-			}
-		}
 		for _, dstI := range acl.Dst {
-
-			if dstI.ID == models.NodeTagID && dstI.Value == "*" {
-				return true
-			}
-			if dstI.ID == models.EgressID && dstI.Value == e.ID {
-				e := schema.Egress{ID: dstI.Value}
-				err := e.Get(db.WithContext(context.TODO()))
-				if err != nil {
-					continue
+			if (dstI.ID == models.EgressID && dstI.Value == e.ID) || (dstI.ID == models.NodeTagID && dstI.Value == "*") {
+				if dstI.ID == models.EgressID {
+					e := schema.Egress{ID: dstI.Value}
+					err := e.Get(db.WithContext(context.TODO()))
+					if err != nil {
+						continue
+					}
 				}
+
 				if node.IsStatic {
 					if _, ok := srcVal[node.StaticNode.ClientID]; ok {
 						return true
@@ -75,8 +70,8 @@ func DoesNodeHaveAccessToEgress(node *models.Node, e *schema.Egress, acls []mode
 						return true
 					}
 				}
-
 			}
+
 		}
 	}
 	return false
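Review bot: The deleted `acl.AllowedDirection == models.TrafficDirectionBi` branch was the only place in this function that consulted direction, so a uni-directional policy whose destination names this egress (or the `*` node tag) is now evaluated exactly like a bi-directional one; if direction is intentionally irrelevant to egress reachability, a comment above the loop saying so would stop the check being re-added, and if it is not, the merged `if` on the new side needs the `acl.AllowedDirection` test back. Inside that branch, `e := schema.Egress{ID: dstI.Value}` shadows the `e *schema.Egress` parameter and performs a database read per matching ACL whose result serves only as an existence test; naming it `probe := schema.Egress{ID: dstI.Value}` removes the shadow, and because `dstI.Value == e.ID` already holds, the read looks redundant if the caller loaded `e` from the store — worth confirming. The function's tail, including the non-static source check that presumably consumes the added `nodeTags["*"]` entry, falls between the two hunks and is not visible here.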

+ 1 - 3
logic/gateway.go

@@ -190,9 +190,7 @@ func CreateIngressGateway(netid string, nodeid string, ingress models.IngressReq
 	}
 	node.IsIngressGateway = true
 	node.IsGw = true
-	if !servercfg.IsPro {
-		node.IsInternetGateway = ingress.IsInternetGateway
-	}
+	node.IsInternetGateway = ingress.IsInternetGateway
 	node.IngressGatewayRange = network.AddressRange
 	node.IngressGatewayRange6 = network.AddressRange6
 	node.IngressDNS = ingress.ExtclientDNS
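Review bot: With the `!servercfg.IsPro` guard removed, `node.IsInternetGateway` is taken directly from the request body on every edition; if Pro previously exposed internet-gateway creation only through a separately authorised path, those checks no longer stand between a caller of CreateIngressGateway and a node that routes all of a client's traffic — worth confirming against the Pro handlers, which are not part of this diff. A one-line comment such as `// the internet-gateway flag is request-controlled on both CE and Pro` would record that the widening is deliberate. CreateIngressGateway starts and continues outside the hunk.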

+ 2 - 2
logic/hosts.go

@@ -231,9 +231,9 @@ func CreateHost(h *models.Host) error {
 	h.AutoUpdate = AutoUpdateEnabled()
 
 	if GetServerSettings().ManageDNS {
-		h.DNS = "on"
+		h.DNS = "yes"
 	} else {
-		h.DNS = "off"
+		h.DNS = "no"
 	}
 	checkForZombieHosts(h)
 	return UpsertHost(h)
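Review bot: `h.DNS` is assigned from the bare literals `"yes"` and `"no"`, which this release also spells out in logic/peers.go, migrate/migrate.go and models/api_host.go; a pair of exported constants in models, e.g. `const (HostDNSEnabled = "yes"; HostDNSDisabled = "no")`, would make the rename that just happened (from "on"/"off") a single-site change next time and give any input validation a canonical value to compare against. CreateHost starts before the hunk.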

+ 3 - 2
logic/peers.go

@@ -163,7 +163,7 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 		HostNetworkInfo: models.HostInfoMap{},
 		ServerConfig:    GetServerInfo(),
 	}
-	if host.DNS == "off" {
+	if host.DNS == "no" {
 		hostPeerUpdate.ManageDNS = false
 	}
 	defer func() {
@@ -207,7 +207,8 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 		defaultUserPolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.UserPolicy)
 		defaultDevicePolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
 		if (defaultDevicePolicy.Enabled && defaultUserPolicy.Enabled) ||
-			(!CheckIfAnyPolicyisUniDirectional(node, acls) && !CheckIfAnyActiveEgressPolicy(node, acls)) {
+			(!CheckIfAnyPolicyisUniDirectional(node, acls) &&
+				!(node.EgressDetails.IsEgressGateway && len(node.EgressDetails.EgressGatewayRanges) > 0)) {
 			aclRule := models.AclRule{
 				ID:              fmt.Sprintf("%s-allowed-network-rules", node.ID.String()),
 				AllowedProtocol: models.ALL,
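Review bot: The second hunk replaces the policy-based helper `CheckIfAnyActiveEgressPolicy(node, acls)` with a node-state test, `node.EgressDetails.IsEgressGateway && len(node.EgressDetails.EgressGatewayRanges) > 0`, and nothing in the hunk records why an egress gateway with ranges must be kept out of the network-wide allow rule; pulling it into a named local makes the intent reviewable, e.g. `isEgressGwWithRanges := node.EgressDetails.IsEgressGateway && len(node.EgressDetails.EgressGatewayRanges) > 0 // TODO(author): state why such nodes get no catch-all network rule`. The reason itself is not visible in this diff and should come from the author rather than be guessed. GetPeerUpdateForHost starts before the first hunk and continues past the second.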

+ 11 - 10
logic/security.go

@@ -33,17 +33,18 @@ func SecurityCheck(reqAdmin bool, next http.Handler) http.HandlerFunc {
 			ReturnErrorResponse(w, r, FormatError(err, "unauthorized"))
 			return
 		}
+		if username != MasterUser {
+			user, err := GetUser(username)
+			if err != nil {
+				ReturnErrorResponse(w, r, FormatError(err, "unauthorized"))
+				return
+			}
 
-		user, err := GetUser(username)
-		if err != nil {
-			ReturnErrorResponse(w, r, FormatError(err, "unauthorized"))
-			return
-		}
-
-		if user.AccountDisabled {
-			err = errors.New("user account disabled")
-			ReturnErrorResponse(w, r, FormatError(err, "unauthorized"))
-			return
+			if user.AccountDisabled {
+				err = errors.New("user account disabled")
+				ReturnErrorResponse(w, r, FormatError(err, "unauthorized"))
+				return
+			}
 		}
 
 		// detect masteradmin
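Review bot: The new `if username != MasterUser` wrapper makes a request whose token resolves to the master name skip both the `GetUser` lookup and the `AccountDisabled` check; the bans added in createUser and UpdateUser stop new accounts from taking that name, but an account created with it before this release is neither renamed nor removed by any hunk in this diff, so such a legacy user would now bypass the disabled-account check rather than fail — a migration step, or at least a start-up warning when `GetUser(MasterUser)` succeeds, would close that hole. A comment above the branch, `// the master identity has no user record (authenticated by master key), so the account lookup is skipped`, would make the exemption explicit; how `username` is derived is above the hunk, so the wording is to be confirmed. SecurityCheck starts and ends outside the hunk.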

+ 2 - 2
main.go

@@ -34,10 +34,10 @@ import (
 	"golang.org/x/exp/slog"
 )
 
-var version = "v0.90.0"
+var version = "v0.99.0"
 
 //	@title			NetMaker
-//	@version		0.90.0
+//	@version		0.99.0
 //	@description	NetMaker API Docs
 //	@tag.name	    APIUsage
 //	@tag.description.markdown

+ 7 - 3
migrate/migrate.go

@@ -196,12 +196,13 @@ func updateHosts() {
 				continue
 			}
 		}
-		if host.DNS == "" {
+		if host.DNS == "" || (host.DNS != "yes" && host.DNS != "no") {
 			if logic.GetServerSettings().ManageDNS {
-				host.DNS = "on"
+				host.DNS = "yes"
 			} else {
-				host.DNS = "off"
+				host.DNS = "no"
 			}
+			logic.UpsertHost(&host)
 		}
 	}
 }
@@ -582,5 +583,8 @@ func settings() {
 	if settings.AuditLogsRetentionPeriodInDays == 0 {
 		settings.AuditLogsRetentionPeriodInDays = 30
 	}
+	if settings.DefaultDomain == "" {
+		settings.DefaultDomain = servercfg.GetDefaultDomain()
+	}
 	logic.UpsertServerSettings(settings)
 }
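Review bot: In the first hunk the return value of the new `logic.UpsertHost(&host)` call is dropped, so a host whose DNS field cannot be rewritten silently keeps the old "on"/"off" spelling, which logic/peers.go no longer recognises; `if err := logic.UpsertHost(&host); err != nil { /* log host identifier and err with the logger this file already uses */ }` keeps the migration best-effort while leaving a trace. The guard `host.DNS == "" || (host.DNS != "yes" && host.DNS != "no")` reduces to `host.DNS != "yes" && host.DNS != "no"`, since the empty string already fails both inequalities. updateHosts and settings both begin outside their hunks.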

+ 1 - 1
models/api_host.go

@@ -125,6 +125,6 @@ func (a *ApiHost) ConvertAPIHostToNMHost(currentHost *Host) *Host {
 	h.TurnEndpoint = currentHost.TurnEndpoint
 	h.PersistentKeepalive = time.Duration(a.PersistentKeepalive) * time.Second
 	h.AutoUpdate = a.AutoUpdate
-	h.DNS = a.DNS
+	h.DNS = strings.ToLower(a.DNS)
 	return &h
 }
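Review bot: `strings.ToLower(a.DNS)` normalises case but still stores whatever the client sent, so an API update carrying "off", "true" or a typo lands in `h.DNS` unchanged; because the peer-update path in logic/peers.go disables DNS management only on the exact value "no", every other value silently leaves it enabled until the start-up migration rewrites it. Accepting only the two defined values and otherwise keeping the stored value (or rejecting the request, if the API prefers a loud failure) closes that gap; the fallback below is one way to write it. Whether surrounding whitespace should also be trimmed depends on the API contract, which is not visible here. ConvertAPIHostToNMHost starts before the hunk.
```go
	// … unchanged: other field copies …
	// Only the two defined spellings are stored; anything else keeps the current value.
	if dns := strings.ToLower(a.DNS); dns == "yes" || dns == "no" {
		h.DNS = dns
	} else {
		h.DNS = currentHost.DNS
	}
	return &h
```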

+ 28 - 14
release.md

@@ -1,20 +1,34 @@
-# Netmaker v0.90.0
+# Netmaker v0.99.0
 
 ## Whats New ✨
-- ACL Rules for Egress Ranges
-- High Availability for Egress Routes
-- Remote Access Gateways and Relays have been merged together into  "Gateways" and are now available on CE.
-- Enchanced Graph Page
-- Ability to Define Additional Nameservers in your network
-
-## What's Fixed/Improved 🛠
-- Metrics Data
-- IPv6 DNS Entries Are Not Working.
-- FailOver connection improvements.
-- Optimized Failover peer signaling.
-- Improved Connectivity Status Indicator with real-time troubleshooting help.
+
+- IDP Integration: Seamless integration with Google Workspace and Microsoft Entra ID, including automatic synchronization of users and groups
+
+- User Activity & Audit Logs: Comprehensive tracking of control plane events such as user management, node changes, ACL modifications, and user access events.
+
+- Updated Egress UI: A redesigned interface for managing egress gateways for improved usability.
+
+- User Access API Tokens: Generate and manage API tokens for user-level access and automation.
+
+- Server Settings via Dashboard: View and configure core server settings directly from the web dashboard.
+
+- ACLs on Community Edition (Beta): The new version of Access Control Lists is now available in CE as a beta feature.
+
+- New Metrics Page: Gain better insights with a revamped metrics dashboard.
+
+- Offline Node Auto-Cleanup: Automatically remove stale or inactive nodes to keep networks clean.
+
+## 🛠 Improvements & Fixes
+
+- Optimized DNS Query Handling: Faster and more efficient internal name resolution.
+
+- Improved Failover Handling: Enhanced stability and signaling for NAT traversal peer connections.
+
+- User Egress Policies: More granular control over user-level outbound traffic policies.
+
+- LAN/Private Routing Enhancements: Better detection and handling of local/private endpoint routes during peer communication.
 
 ## Known Issues 🐞
 
-- WireGuard DNS issue on Ubuntu 24.04 and some other newer Linux distributions. The issue is affecting the Remote Access Client (RAC) and the plain WireGuard external clients. Workaround can be found here https://help.netmaker.io/en/articles/9612016-extclient-rac-dns-issue-on-ubuntu-24-04.
+- WireGuard DNS issue on Ubuntu 24.04 and some other newer Linux distributions. The issue is affecting the Netmaker Desktop, previously known as the Remote Access Client (RAC), and the plain WireGuard external clients. Workaround can be found here https://help.netmaker.io/en/articles/9612016-extclient-rac-dns-issue-on-ubuntu-24-04.
 

+ 2 - 1
scripts/nm-quick.sh

@@ -5,7 +5,8 @@ CONFIG_FILE=netmaker.env
 SCRIPT_DIR=$(dirname "$(realpath "$0")")
 CONFIG_PATH="$SCRIPT_DIR/$CONFIG_FILE"
 NM_QUICK_VERSION="0.1.1"
-LATEST=$(curl -s https://api.github.com/repos/gravitl/netmaker/releases/latest | grep "tag_name" | cut -d : -f 2,3 | tr -d [:space:],\")
+#LATEST=$(curl -s https://api.github.com/repos/gravitl/netmaker/releases/latest | grep "tag_name" | cut -d : -f 2,3 | tr -d [:space:],\")
+LATEST=v0.99.0
 BRANCH=master
 if [ $(id -u) -ne 0 ]; then
 	echo "This script must be run as root"
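Review bot: `LATEST` is now a hard-coded `v0.99.0` with the former curl pipeline left behind as a commented-out line that carries no explanation, so the next maintainer cannot tell whether the pin is policy (a reasonable one: it removes an unauthenticated install-time dependency on the GitHub API and makes installs reproducible) or a temporary hack. Either delete the dead line or replace it with the reason, e.g. `# Pinned to the release this script ships with; bump together with the release tag.` The script continues past the hunk.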

+ 1 - 1
swagger.yaml

@@ -1511,7 +1511,7 @@ info:
   contact: {}
   description: NetMaker API Docs
   title: NetMaker
-  version: 0.90.0
+  version: 0.99.0
 paths:
   /api/dns:
     get: