Database refactor #123
@gsanchietti gsanchietti commented Jun 18, 2025

Fixes: NethServer/nethsecurity#1300

This pull request introduces significant changes to the API and VPN container.
The focus is on improving overall security.

Main changes

  • Dropped the SQLite database, moved user accounts and units VPN configuration inside the Timescale database under the existing report database: the database has not been renamed to avoid issues on migration. The vpn container now reads and writes directly to the database: this also replaces VPN configuration via CCD files.
  • 2FA keys and units credentials are now stored encrypted with AES inside the database
  • JWT tokens are now stored in memory to prevent access from the filesystem
  • On startup the API server automatically migrates all status and configuration files to the database. Only VPN certificates are still kept inside the filesystem
  • Any user inside the database can be promoted to administrator: administrators are the only accounts that can manage units, unit groups and users
  • Added user authorization limitations using unit groups: by default a new non-admin user can't access any unit. The user must be associated with a unit group to gain access to units.
  • Updated the vpn container: bump Alpine and OpenVPN (now on 2.6.x)
  • By combining the options ALLOWED_IPS, PUBLIC_ENDPOINTS and LISTEN_ADDRESS it is now possible to restrict the controller access for security reasons: only the /register public endpoint can be public, units can then be modified to push all traffic through the VPN

API changes

  • Added new endpoints for managing unit groups, including GET, POST, PUT, and DELETE operations to create, update, list, and delete unit groups.
  • Introduced /platform for retrieving NS8 information that can be exposed inside the UI
  • Added /auth endpoint to check API server status, this can be used by podman to restart the controller if in a faulty state
  • Added /auth/<unit_id> endpoint with basic authentication, it can be used to forward authentication from other middleware like traefik, it returns 200 if the user can access the unit
  • Added vpn_address and api_port inside the /register response payload: these new fields can be used to configure the unit to push data inside the VPN

Configuration updates

  • Replaced LISTEN_ADDRESS with a comma-separated list to support multiple listen addresses: with a minor change inside the /register
  • Added support for the new ENCRYPTION_KEY and PLATFORM_INFO environment variables for sensitive data encryption and platform metadata storage.
  • Added the ALLOWED_IPS option, a comma-separated list of allowed IPs; if empty, all IPs are allowed (default is empty)
  • Added the PUBLIC_ENDPOINTS option, a comma-separated list of public endpoints that can be accessed even if ALLOWED_IPS is set (default is empty). If ALLOWED_IPS is set, the public endpoints should allow registration and ingestion from units; a good value should be: /api/ingest,/api/units/register

Breaking changes ⚠️

  • The PUT /account API now requires unit groups and can't be used to change the account password: the controller UI must be refactored to follow the new rules

Deprecations

  • Marked several configuration fields (OpenVPNStatusDir, CredentialsDir, SecretsDir) as deprecated, signaling their removal in future versions.
  • Removed unused directories (tokens, credentials).

Dependency Changes

  • Replaced dgryski/dgoogauth with pquerna/otp for OTP functionality and added google/uuid for UUID generation.

Grafana authentication integration (this WILL NOT be implemented)

If Grafana authentication is integrated with the controller, all users must be created inside the controller itself, including guest users. To support guest users the following changes are needed:

  • add a role inside the user table
  • prevent access to the controller for guest users
  • allow authentication to /auth controller API for non-admin users
  • when creating a guest user, also create a dedicated team inside Grafana (see APIs)
  • configure Grafana and Prometheus authentication forwarding, see grafana commit and prometheus commit

Changes to other parts (not implemented yet)
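The ALLOWED_IPS / PUBLIC_ENDPOINTS rule from the configuration list above, written out as an added Go example; this is not the controller's own code, and the AccessPolicy type, exact path matching and literal IP comparison are assumptions made here.

```go
package main

import (
	"net"
	"net/http"
	"strings"
)

// AccessPolicy (hypothetical, not the controller's code) models ALLOWED_IPS / PUBLIC_ENDPOINTS.
type AccessPolicy struct {
	allowedIPs      map[string]bool // empty set: every client IP is accepted
	publicEndpoints map[string]bool // reachable even when ALLOWED_IPS is set
}

func NewAccessPolicy(allowedIPs, publicEndpoints string) AccessPolicy {
	return AccessPolicy{allowedIPs: splitCSV(allowedIPs), publicEndpoints: splitCSV(publicEndpoints)}
}

func splitCSV(s string) map[string]bool {
	out := map[string]bool{}
	for _, item := range strings.Split(s, ",") {
		if item = strings.TrimSpace(item); item != "" {
			out[item] = true
		}
	}
	return out
}

// Allow reports whether a client at remoteAddr may reach path (exact path match, literal IP compare).
func (p AccessPolicy) Allow(remoteAddr, path string) bool {
	if p.publicEndpoints[path] || len(p.allowedIPs) == 0 {
		return true
	}
	host, _, err := net.SplitHostPort(remoteAddr) // also handles "[::1]:8080"
	if err != nil {
		host = remoteAddr // RemoteAddr supplied without a port
	}
	return p.allowedIPs[host]
}

// Middleware answers 403 for requests the policy rejects.
func (p AccessPolicy) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !p.Allow(r.RemoteAddr, r.URL.Path) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```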

@gsanchietti gsanchietti force-pushed the user_refactor branch 15 times, most recently from 9a4e9a6 to 1770889, June 24, 2025 13:02
@gsanchietti gsanchietti changed the title User refactor Database refactor Jun 24, 2025
@gsanchietti gsanchietti force-pushed the user_refactor branch 3 times, most recently from 16122a9 to 66ad62a, June 25, 2025 06:04
@gsanchietti gsanchietti force-pushed the user_refactor branch 10 times, most recently from f50a3c3 to e81764f, June 26, 2025 15:17
Avoid misalignment between VPN configuration and database: now the database is the source of truth for the VPN config
Resolve some known CVEs
@gsanchietti gsanchietti marked this pull request as ready for review July 4, 2025 08:01
@gsanchietti gsanchietti requested review from DavidePrincipi, edospadoni and Tbaile and removed request for DavidePrincipi July 4, 2025 08:01
The update password part was removed, but it's still used by the UI
The SECRETS_DIR env var is not required anymore
@gsanchietti gsanchietti force-pushed the user_refactor branch 2 times, most recently from f21ea82 to 03e37fb, July 7, 2025 09:55
@gsanchietti gsanchietti force-pushed the user_refactor branch 4 times, most recently from ba9d36d to d7d07c0, July 9, 2025 07:26
Make sure that concurrent access to active tokens is safe
Ease troubleshooting if easyrsa fails
This info can be used inside the UI to show if a unit belongs to a group
Successfully merging this pull request may close these issues.

Controller: hardening and database refactor