resolve merge conflicts

.github/ISSUE_TEMPLATE/bug-report.yml

@@ -31,6 +31,7 @@ body:
       label: Version
       description: What version are you running?
       options:
+        - v0.20.5
         - v0.20.4
         - v0.20.3
         - v0.20.2

README.md

@@ -16,7 +16,7 @@
 
 <p align="center">
   <a href="https://github.com/gravitl/netmaker/releases">
-    <img src="https://img.shields.io/badge/Version-0.20.4-informational?style=flat-square" />
+    <img src="https://img.shields.io/badge/Version-0.20.5-informational?style=flat-square" />
   </a>
   <a href="https://hub.docker.com/r/gravitl/netmaker/tags">
     <img src="https://img.shields.io/docker/pulls/gravitl/netmaker?label=downloads" />

compose/docker-compose.netclient.yml

@@ -3,7 +3,7 @@ version: "3.4"
 services:
   netclient:
     container_name: netclient
-    image: 'gravitl/netclient:v0.20.4'
+    image: 'gravitl/netclient:v0.20.5'
     hostname: netmaker-1
     network_mode: host
     restart: on-failure

controllers/docs.go

@@ -10,7 +10,7 @@
 //
 //	Schemes: https
 //	BasePath: /
-//	Version: 0.20.4
+//	Version: 0.20.5
 //	Host: netmaker.io
 //
 //	Consumes:

controllers/ext_client.go

@@ -420,6 +420,7 @@ func updateExtClient(w http.ResponseWriter, r *http.Request) {
 
 	var update models.CustomExtClient
 	var oldExtClient models.ExtClient
+	var sendPeerUpdate bool
 	err := json.NewDecoder(r.Body).Decode(&update)
 	if err != nil {
 		logger.Log(0, r.Header.Get("user"), "error decoding request body: ",
@@ -475,9 +476,15 @@ func updateExtClient(w http.ResponseWriter, r *http.Request) {
 			logger.Log(0, "failed to associate client", update.ClientID, "to user", oldExtClient.OwnerID)
 		}
 	}
+	if len(update.DeniedACLs) != len(oldExtClient.DeniedACLs) {
+		sendPeerUpdate = true
+		logic.SetClientACLs(&oldExtClient, update.DeniedACLs)
+	}
 	// == END PRO ==
 
-	var changedEnabled = (update.Enabled != oldExtClient.Enabled) // indicates there was a change in enablement
+	if update.Enabled != oldExtClient.Enabled {
+		sendPeerUpdate = true
+	}
 	// extra var need as logic.Update changes oldExtClient
 	currentClient := oldExtClient
 	newclient, err := logic.UpdateExtClient(&oldExtClient, &update)
@@ -489,7 +496,7 @@ func updateExtClient(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	logger.Log(0, r.Header.Get("user"), "updated ext client", update.ClientID)
-	if changedEnabled { // need to send a peer update to the ingress node as enablement of one of it's clients has changed
+	if sendPeerUpdate { // need to send a peer update to the ingress node as enablement of one of it's clients has changed
 		if ingressNode, err := logic.GetNodeByID(newclient.IngressGatewayID); err == nil {
 			if err = mq.PublishPeerUpdate(); err != nil {
 				logger.Log(1, "error setting ext peers on", ingressNode.ID.String(), ":", err.Error())

ee/logic/ext_acls.go

@@ -7,11 +7,11 @@ func DenyClientNode(ec *models.ExtClient, clientOrNodeID string) (ok bool) {
 	if ec == nil || len(clientOrNodeID) == 0 {
 		return
 	}
-	if ec.ACLs == nil {
-		ec.ACLs = map[string]struct{}{}
+	if ec.DeniedACLs == nil {
+		ec.DeniedACLs = map[string]struct{}{}
 	}
 	ok = true
-	ec.ACLs[clientOrNodeID] = struct{}{}
+	ec.DeniedACLs[clientOrNodeID] = struct{}{}
 	return
 }
 
@@ -20,22 +20,22 @@ func IsClientNodeAllowed(ec *models.ExtClient, clientOrNodeID string) bool {
 	if ec == nil || len(clientOrNodeID) == 0 {
 		return false
 	}
-	if ec.ACLs == nil {
+	if ec.DeniedACLs == nil {
 		return true
 	}
-	_, ok := ec.ACLs[clientOrNodeID]
-	return ok
+	_, ok := ec.DeniedACLs[clientOrNodeID]
+	return !ok
 }
 
 // RemoveDeniedNodeFromClient - removes a node id from set of denied nodes
 func RemoveDeniedNodeFromClient(ec *models.ExtClient, clientOrNodeID string) bool {
-	if ec.ACLs == nil {
+	if ec.DeniedACLs == nil {
 		return true
 	}
-	_, ok := ec.ACLs[clientOrNodeID]
+	_, ok := ec.DeniedACLs[clientOrNodeID]
 	if !ok {
 		return false
 	}
-	delete(ec.ACLs, clientOrNodeID)
+	delete(ec.DeniedACLs, clientOrNodeID)
 	return true
 }

k8s/client/netclient-daemonset.yaml

@@ -16,7 +16,7 @@ spec:
       hostNetwork: true
       containers:
       - name: netclient
-        image: gravitl/netclient:v0.20.4
+        image: gravitl/netclient:v0.20.5
         env:
         - name: TOKEN
           value: "TOKEN_VALUE"

k8s/client/netclient.yaml

@@ -28,7 +28,7 @@ spec:
       #           - "<node label value>"
       containers:
       - name: netclient
-        image: gravitl/netclient:v0.20.4
+        image: gravitl/netclient:v0.20.5
         env:
         - name: TOKEN
           value: "TOKEN_VALUE"

k8s/server/netmaker-ui.yaml

@@ -15,7 +15,7 @@ spec:
     spec:
       containers:
       - name: netmaker-ui
-        image: gravitl/netmaker-ui:v0.20.4
+        image: gravitl/netmaker-ui:v0.20.5
         ports:
         - containerPort: 443
         env:

logic/clients.go

@@ -10,11 +10,17 @@ import (
 
 var (
 	// DenyClientNodeAccess - function to handle adding a node to an ext client's denied node set
-	DenyClientNodeAccess = func(ec *models.ExtClient, clientOrNodeID string) bool { return true }
+	DenyClientNodeAccess = func(ec *models.ExtClient, clientOrNodeID string) bool {
+		return true
+	}
 	// IsClientNodeAllowed - function to check if an ext client's denied node set contains a node ID
-	IsClientNodeAllowed = func(ec *models.ExtClient, clientOrNodeID string) bool { return true }
+	IsClientNodeAllowed = func(ec *models.ExtClient, clientOrNodeID string) bool {
+		return true
+	}
 	// AllowClientNodeAccess - function to handle removing a node ID from ext client's denied nodes, thus allowing it
-	AllowClientNodeAccess = func(ec *models.ExtClient, clientOrNodeID string) bool { return true }
+	AllowClientNodeAccess = func(ec *models.ExtClient, clientOrNodeID string) bool {
+		return true
+	}
 )
 
 // SetClientDefaultACLs - set's a client's default ACLs based on network and nodes in network
@@ -34,6 +40,8 @@ func SetClientDefaultACLs(ec *models.ExtClient) error {
 		currNode := networkNodes[i]
 		if network.DefaultACL == "no" || currNode.DefaultACL == "no" {
 			DenyClientNodeAccess(ec, currNode.ID.String())
+		} else {
+			AllowClientNodeAccess(ec, currNode.ID.String())
 		}
 	}
 	return nil
@@ -44,7 +52,7 @@ func SetClientACLs(ec *models.ExtClient, newACLs map[string]struct{}) {
 	if ec == nil || newACLs == nil || !isEE {
 		return
 	}
-	ec.ACLs = newACLs
+	ec.DeniedACLs = newACLs
 }
 
 // IsClientNodeAllowedByID - checks if a given ext client ID + nodeID are allowed

logic/extpeers.go

@@ -3,6 +3,7 @@ package logic
 import (
 	"encoding/json"
 	"fmt"
+	"reflect"
 	"sync"
 	"time"
 
@@ -94,6 +95,9 @@ func GetNetworkExtClients(network string) ([]models.ExtClient, error) {
 	}
 	records, err := database.FetchRecords(database.EXT_CLIENT_TABLE_NAME)
 	if err != nil {
+		if database.IsEmptyRecord(err) {
+			return extclients, nil
+		}
 		return extclients, err
 	}
 	for _, value := range records {
@@ -231,6 +235,9 @@ func UpdateExtClient(old *models.ExtClient, update *models.CustomExtClient) (*mo
 	if update.ExtraAllowedIPs != nil && StringDifference(old.ExtraAllowedIPs, update.ExtraAllowedIPs) != nil {
 		new.ExtraAllowedIPs = update.ExtraAllowedIPs
 	}
+	if update.DeniedACLs != nil && !reflect.DeepEqual(old.DeniedACLs, update.DeniedACLs) {
+		new.DeniedACLs = update.DeniedACLs
+	}
 	return new, CreateExtClient(new)
 }
 

logic/hosts.go

@@ -382,6 +382,15 @@ func DissasociateNodeFromHost(n *models.Node, h *models.Host) error {
 	} else {
 		h.Nodes = RemoveStringSlice(h.Nodes, index)
 	}
+	go func() {
+		if servercfg.Is_EE {
+			if clients, err := GetNetworkExtClients(n.Network); err != nil {
+				for i := range clients {
+					AllowClientNodeAccess(&clients[i], n.ID.String())
+				}
+			}
+		}
+	}()
 	if err := deleteNodeByID(n); err != nil {
 		return err
 	}

logic/peers.go

@@ -209,7 +209,7 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 		var extPeers []wgtypes.PeerConfig
 		var extPeerIDAndAddrs []models.IDandAddr
 		if node.IsIngressGateway {
-			extPeers, extPeerIDAndAddrs, err = getExtPeers(&node)
+			extPeers, extPeerIDAndAddrs, err = getExtPeers(&node, &node)
 			if err == nil {
 				hostPeerUpdate.Peers = append(hostPeerUpdate.Peers, extPeers...)
 				for _, extPeerIdAndAddr := range extPeerIDAndAddrs {
@@ -291,7 +291,7 @@ func GetPeerListenPort(host *models.Host) int {
 	return peerPort
 }
 
-func getExtPeers(node *models.Node) ([]wgtypes.PeerConfig, []models.IDandAddr, error) {
+func getExtPeers(node, peer *models.Node) ([]wgtypes.PeerConfig, []models.IDandAddr, error) {
 	var peers []wgtypes.PeerConfig
 	var idsAndAddr []models.IDandAddr
 	extPeers, err := GetNetworkExtClients(node.Network)
@@ -304,6 +304,9 @@ func getExtPeers(node *models.Node) ([]wgtypes.PeerConfig, []models.IDandAddr, e
 	}
 	for _, extPeer := range extPeers {
 		extPeer := extPeer
+		if !IsClientNodeAllowed(&extPeer, peer.ID.String()) {
+			continue
+		}
 		pubkey, err := wgtypes.ParseKey(extPeer.PublicKey)
 		if err != nil {
 			logger.Log(1, "error parsing ext pub key:", err.Error())
@@ -365,7 +368,7 @@ func GetAllowedIPs(node, peer *models.Node, metrics *models.Metrics) []net.IPNet
 
 	// handle ingress gateway peers
 	if peer.IsIngressGateway {
-		extPeers, _, err := getExtPeers(peer)
+		extPeers, _, err := getExtPeers(peer, node)
 		if err != nil {
 			logger.Log(2, "could not retrieve ext peers for ", peer.ID.String(), err.Error())
 		}
@@ -533,7 +536,7 @@ func filterNodeMapForClientACLs(publicKey, network string, nodePeerMap map[strin
 	}
 	for k := range nodePeerMap {
 		currNodePeer := nodePeerMap[k]
-		if _, ok := client.ACLs[currNodePeer.ID]; ok {
+		if _, ok := client.DeniedACLs[currNodePeer.ID]; ok {
 			delete(nodePeerMap, k)
 		}
 	}

main.go

@@ -29,7 +29,7 @@ import (
 	"golang.org/x/exp/slog"
 )
 
-var version = "v0.20.4"
+var version = "v0.20.5"
 
 // Start DB Connection and start API Request Handler
 func main() {

models/extclient.go

@@ -15,14 +15,15 @@ type ExtClient struct {
 	LastModified           int64               `json:"lastmodified" bson:"lastmodified"`
 	Enabled                bool                `json:"enabled" bson:"enabled"`
 	OwnerID                string              `json:"ownerid" bson:"ownerid"`
-	ACLs                   map[string]struct{} `json:"acls,omitempty" bson:"acls,omitempty"`
+	DeniedACLs             map[string]struct{} `json:"deniednodeacls" bson:"acls,omitempty"`
 }
 
 // CustomExtClient - struct for CustomExtClient params
 type CustomExtClient struct {
-	ClientID        string   `json:"clientid,omitempty"`
-	PublicKey       string   `json:"publickey,omitempty"`
-	DNS             string   `json:"dns,omitempty"`
-	ExtraAllowedIPs []string `json:"extraallowedips,omitempty"`
-	Enabled         bool     `json:"enabled,omitempty"`
+	ClientID        string              `json:"clientid,omitempty"`
+	PublicKey       string              `json:"publickey,omitempty"`
+	DNS             string              `json:"dns,omitempty"`
+	ExtraAllowedIPs []string            `json:"extraallowedips,omitempty"`
+	Enabled         bool                `json:"enabled,omitempty"`
+	DeniedACLs      map[string]struct{} `json:"deniednodeacls" bson:"acls,omitempty"`
 }

release.md

@@ -1,24 +1,22 @@
 
-# Netmaker v0.20.4
+# Netmaker v0.20.5
 
 ## Whats New
-- Moved to new licensing server for self-hosted
-- STUN removed from netmaker server to improve memory performance
-- Added DB caching to drastically reduce read/writes from disk
+- FreeBSD 13/14 specific binaries
+- Whitelabelling capabilities
 
 ## What's Fixed
-- Major memory leak resolved due to STUN
-- Issues with netclient ports on daemon restart
-- Windows GUI unable to find netclient backend
-- Major scalability fixes - Can now scale to hundreds of hosts with low resources
-- Resolved ACL panic
-- Reverted blocking creation of Ingress with NAT
+- Fixes for FreeBSD
+- Mac installer installs WireGuard
+- ACL rendering on UI
+- Updating Endpoint IP from UI
      
 ## known issues
+- Windows installer does not install WireGuard
 - netclient-gui (windows) will display an erroneous error dialog when joining a network (can be ignored)
 - netclient-gui will continously display error dialog if netmaker server is offline
 - Incorrect metrics against ext clients
-- Host ListenPorts set to 0 after migration from 0.17.1 -> 0.20.4
+- Host ListenPorts set to 0 after migration from 0.17.1 -> 0.20.5
 - Mac IPv6 addresses/route issues
 - Docker client can not re-join after complete deletion
 - netclient-gui network tab blank after disconnect

scripts/nm-upgrade-0-17-1-to-0-19-0.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-LATEST="v0.20.4"
+LATEST="v0.20.5"
 INSTALL_PATH="/root"
 
 trap restore_old_netmaker_instructions

swagger.yaml

@@ -704,7 +704,7 @@ info:
 
         API calls must be authenticated via a header of the format -H “Authorization: Bearer <YOUR_SECRET_KEY>” There are two methods to obtain YOUR_SECRET_KEY: 1. Using the masterkey. By default, this value is “secret key,” but you should change this on your instance and keep it secure. This value can be set via env var at startup or in a config file (config/environments/< env >.yaml). See the [Netmaker](https://docs.netmaker.org/index.html) documentation for more details. 2. Using a JWT received for a node. This can be retrieved by calling the /api/nodes/<network>/authenticate endpoint, as documented below.
     title: Netmaker
-    version: 0.20.4
+    version: 0.20.5
 paths:
     /api/dns:
         get: