defguard / defguard

Enterprise, fast, secure VPN & SSO platform with hardware keys, 2FA/MFA

Home Page: https://defguard.net

License: Other

Shell 0.06% Dockerfile 0.08% Rust 36.91% TypeScript 56.14% JavaScript 0.10% HTML 0.10% SCSS 6.59% Just 0.02%
multifactor-authentication openid openid-connect vpn wireguard yubikey authentication forwardauth oauth oauth-provider

defguard's Issues

Django integration issue

Describe the bug
Obtaining token with method:
oauth.defguard.authorize_access_token(request)
failed with an exception:

iaas-djangoserver-1  | INFO 2023-10-04 07:25:23,091 basehttp 315 140638401312448 "GET /oauth/defguard-login/ HTTP/1.1" 302 0
iaas-djangoserver-1  | INFO 2023-10-04 07:25:23,457 basehttp 315 140638401312448 "GET /oauth/redirect?error=access_denied&state=XttZHHERXW0HIv7vEG74ZvUQHMThis HTTP/1.1" 301 0
iaas-djangoserver-1  | ERROR 2023-10-04 07:25:23,722 log 315 140638401312448 Internal Server Error: /oauth/redirect/
iaas-djangoserver-1  | Traceback (most recent call last):
iaas-djangoserver-1  |   File "/usr/local/lib/python3.8/site-packages/django/core/handlers/exception.py", line 47, in inner
iaas-djangoserver-1  |     response = get_response(request)
iaas-djangoserver-1  |   File "/usr/local/lib/python3.8/site-packages/django/core/handlers/base.py", line 181, in _get_response
iaas-djangoserver-1  |     response = wrapped_callback(request, *callback_args, **callback_kwargs)
iaas-djangoserver-1  |   File "/server/django/oauth/views.py", line 43, in defguard_authorize
iaas-djangoserver-1  |     token = oauth.defguard.authorize_access_token(request)
iaas-djangoserver-1  |   File "/usr/local/lib/python3.8/site-packages/authlib/integrations/django_client/apps.py", line 67, in authorize_access_token
iaas-djangoserver-1  |     raise OAuthError(error=error, description=description)
iaas-djangoserver-1  | authlib.integrations.base_client.errors.OAuthError: access_denied: 
iaas-djangoserver-1  | ERROR 2023-10-04 07:25:23,724 basehttp 315 140638401312448 "GET /oauth/redirect/?error=access_denied&state=XttZHHERXW0HIv7vEG74ZvUQHMThis HTTP/1.1" 500 145

when http is used instead of https and defguard receives GET instead of POST

To Reproduce
Add defguard integration to Django application based on https://defguard.gitbook.io/defguard/features/openid-connect/django-rest-react-app#django-setup
Specify http instead of https links in configuration:

defguard = oauth.register(
    name="defguard",
    client_id=os.getenv("DEFGUARD_CLIENT_ID", "DEFGUARD_CLIENT_ID"),
    client_secret=os.getenv("DEFGUARD_CLIENT_SECRET", "DEFGUARD_CLIENT_SECRET"),
    access_token_url=os.getenv("DEFGUARD_ACCESS_TOKEN_URL", "https://defguard.teonite.net/api/v1/oauth/token"),
    access_token_params=None,
    authorize_url=os.getenv("DEFGUARD_AUTHORIZE_URL", "https://defguard.teonite.net/api/v1/oauth/authorize"),
    api_base_url=os.getenv("DEFGUARD_API_BASE_URL", "https://defguard.teonite.net/api/v1/oauth/userinfo"),
    client_kwargs={"scope": os.getenv("DEFGUARD_SCOPE", "openid email profile")},
    server_metadata_url=os.getenv("DEFGUARD_METADATA_URL",
                                  "https://defguard.teonite.net/.well-known/openid-configuration"),
)

Expected behavior
Login with defguard should work properly.

Additional context
Problem lies probably in our local network environment where haproxy redirects requests from http to https and changes POST to GET.

Email notification about MFA activation

After configuring any of the MFA methods, send an email to a user:

  • Subject: MFA method XYZ was activated in your account
  • Body:
A Multi-Factor Authorisation method: Email/TOTP/KEY has been activated in your account:

* Date: Tuesday, August 15, 2023 at 11:16:31 AM +00:00
* Session IP Address: 10.X.Y.Z
* Device Type: IPad8,9

Authorize location access by user group

Add an option to choose a set of authorized groups in location editor.
When a group is selected only devices of users who belong to a given group can connect to a location.
By default the input is empty and all users are allowed to use a location.

  • update network editor to include group multiselect
  • update network import form to include group multiselect
  • add allowed groups to network model
  • only assign network IPs to allowed devices
  • filter wireguard events by allowed groups

Email notification about new device

Email:

  • subject: New VPN device has been added to your account
  • body:
A new device has been added to your account:

- name: **Name**
- public key: XZYASDQ#@RASSD
- Szczecin: IPXYZYZ
- US: IPXUZY
- Another location: IP

* Date: Tuesday, August 15, 2023 at 11:16:31 AM +00:00
* Session IP Address: 10.X.Y.Z
* From device: IPad8,9


Desktop Client UI

  1. Ability to switch instances
  2. On each instance show available Locations
  3. To each location Connect/Disconnect and show data the same as admin for this device

Add modal with confirmation before sending debug / support data

Right now just by clicking "Send support data" the support email is sent. Please add a "modal" with the following message:

Please confirm that you actually want to send support debug information. None of your private information will be sent (wireguard keys, email addresses, etc. will not be sent).

then [Cancel] [Send support data]

Username Special Chars

Is your feature request related to a problem? Please describe.
Username chars are very limited and restricted.

Describe the solution you'd like
Ability to use special chars in usernames where possible - for example @ or -
Some users may want their email to be their username. Using valid email regex might be an option https://regexr.com/3e48o

2FA with email codes

Implement 2FA using email codes.
Flow:

Two-factor authentication methods:

  • Email (when SMTP is configured)

A modal popup: Enter the code that was sent by email:

Email template subject: Your Multi-Factor Authentication Activation - body:

You are activating Multi-Factor Authentication using email verification codes.

* Your code is: **X YY ZYZ** - use this code to complete MFA setup.


Details about the session:

* Date: Tuesday, August 15, 2023 at 11:16:31 AM +00:00
* IP Address: 10.42.0.0
* Device Type: IPad8,9

When user selects MFA using email send email - subject: Your Multi-Factor Authentication Code for Login - body:

* Your code is: **X YY ZYZ** - use this code to complete logging in with defguard.

Details about the session:

* Date: Tuesday, August 15, 2023 at 11:16:31 AM +00:00
* IP Address: 10.42.0.0
* Device Type: IPad8,9

Broken Links to Documentation

Describe the bug
When using the click for more info on settings and then clicking the docs link you get redirected to your instance rather than the docs.

To Reproduce
Steps to reproduce the behavior:

  1. Go to .../admin/settings
  2. Click the "i" next to any settings
  3. Click the "Read more in docs..."
  4. See error - you are directed to https://instance.domain.com/admin/defguard.gitbook.io

Expected behavior
The link should open a new tab to https://defguard.gitbook.io - preferably to the relevant section.

Version information

  • Defguard Core version: latest
  • Edge Latest


Unable to setup OIDC login for min.io

Describe the bug
OIDC login for min.io service via Defguard doesn't work. Error message:

Error from IDP
An error occurred, please try again
Invalid kid value <nil>

To Reproduce

  1. In defguard add OIDC client for min.io.
    Redirect URL 1: https://my-minio-instance.com/oauth_callback
    Scopes: openid,profile,email

  2. In min.io instance setup Defguard OIDC provider.

Go to Administrator -> Identity -> OpenID -> Create Configuration
Fill in the form (see screenshot in the original issue).
Save and restart min.io server.

Expected behavior
Expected to be able to log into min.io service via Defguard OIDC. Instead the error is displayed after the OIDC flow (see screenshot in the original issue).

Version information

  • Defguard Core version: v0.7.0

Additional context
Possible reasons:

  • min.io seems to require JWKS key rotation mechanism for OIDC while Defguard does not return kid with JWT token
  • Defguard instance does not manage the keys as required. The /api/v1/oauth/discovery/keys endpoint returns empty key set:
{
	"keys": []
}
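The two possible causes above both fail at the same relying-party step: the RP reads `kid` from the JWT header and looks it up in the JWKS document. The following added example (not defguard or min.io code) reproduces that check on constructed tokens and key sets, so the "Invalid kid value <nil>" symptom can be told apart from a real key mismatch:

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(header: dict) -> str:
    """Constructed JWT-shaped string (header.payload.signature); only the header matters here."""
    payload = {"sub": "alice", "iss": "https://defguard.example"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()), "sig"])


def select_jwk(token: str, jwks: dict) -> dict:
    """Return the JWKS entry whose 'kid' matches the token header, as an OIDC relying
    party does before verifying the signature. Raises ValueError when no key is usable;
    the first message mirrors min.io's 'Invalid kid value <nil>' wording."""
    header = json.loads(_b64url_decode(token.split(".")[0]))
    kid = header.get("kid")
    if kid is None:
        raise ValueError("Invalid kid value <nil>: token header carries no 'kid'")
    for key in jwks.get("keys", []):
        if key.get("kid") == kid:
            return key
    raise ValueError(f"no key with kid={kid!r} in JWKS ({len(jwks.get('keys', []))} keys)")


# Constructed sample key sets: the empty set from the issue, and one with a published key.
EMPTY_JWKS = {"keys": []}
GOOD_JWKS = {"keys": [{"kty": "RSA", "kid": "2023-10-key", "use": "sig", "alg": "RS256",
                       "n": "<modulus placeholder>", "e": "AQAB"}]}


def diagnose(token: str, jwks: dict) -> str:
    """One-line verdict for a token/JWKS pair."""
    try:
        return "ok: kid " + select_jwk(token, jwks)["kid"]
    except ValueError as exc:
        return "fail: " + str(exc)


if __name__ == "__main__":
    print(diagnose(make_unsigned_token({"alg": "RS256", "typ": "JWT"}), EMPTY_JWKS))
    print(diagnose(make_unsigned_token({"alg": "RS256", "kid": "2023-10-key"}), GOOD_JWKS))
```

A token without `kid` fails before the JWKS is even consulted, so fixing the empty key set alone would not resolve the issue; the issuer must also put the key id in the JWT header.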

Change Modules visibility

Should be the following list (and only this list):

  • OpenID Connect
  • Wireguard VPN
  • Yubikey provisioning
  • Webhooks

with no labels

Allow wireguard gateways to name themselves

We already support having multiple gateways for each VPN location. A UI for displaying the connection status for each of them is incoming along with support for multiple locations.
We should now add a way to name gateways so they can be displayed in a more user friendly way.

  • update protos to include an optional name parameter in gateway config request
  • add --name option to gateway to allow the user to set a display name
  • display gateway names in location overview (fall back to IP if name is not provided)

E2E test enrollment process

  • Add PROXY to compose (that is where the enrollment API & frontend live)
  • Copy the add-user test, but this time select remote enrollment → Manual
  • Copy the token (there is an example in the MFA tokens test)
  • Go to enrollment → enter the token
  • Set a password
  • Go back to DG and log in as the new user with the password set during enrollment

YubiBridge package

Same as for the gateway - DEB and RPM packages plus SYSTEMD.

Acceptance criteria:

  • packages are included in the release
  • the documentation site (http://defguard.gitbook.io/) has information about the packages
  • the README has information about the packages

Phone Number Optional

Is your feature request related to a problem? Please describe.
User phone number should be optional.

Describe the solution you'd like
Remove required field for phone number.

Frontend should support multiple vpn locations

  • add ability to add/edit vpn locations
  • add possibility for each device to download configuration for each location - show the last screen of adding a device - so that it's possible to download the config, scan as QRCode or copy it and switch locations in that modal
  • show statistics of each device per location according to design

Debug Info

Is your feature request related to a problem? Please describe.
A way to quickly see version of app and other useful info when reporting bugs etc.

Describe the solution you'd like
A section in settings to show useful info like version, os, env variables (secrets not included or ** out).

Describe alternatives you've considered
The side bar displaying the current version is good but more info would be great.

E2E test change user password

Scenario #1:

  • log in as a user
  • change the password
  • log out
  • log in with the new password

Scenario #2:

  • log in as admin
  • change the user's password
  • log out
  • log in as the user with the new password

E2E test add user to admin group

  • log in as admin
  • add the user to the admin group
  • log out the admin
  • log in as the user
    ** check that, as the user, I am now an admin

One line install

goal

export DEFGUARD_DOMAIN=xyz.com
export DEFGUARD_VPN_NAME=....
export DEFGUARD_VPN_IP...
export DEFGUARD_ENROLMENT... # if set, enrollment is deployed; if not, it is not
export DEFGUARD_HTTPS=true # CADDY - if not set, no HTTPS

curl -fsSL https://get.defguard.net | bash

result

  • deployed by docker-compose defguard full stack (proxy, core, gateway)
  • automatic deployment of proxy + LE SSL (caddy?)
  • print URL, login, pass.... to user
  • one line install to Docs & README

Minor UI tweaks

  • The device card has incorrect (according to our design) overview - now it's: Last connected from: IP, Last connected: date, Assigned IP - *but this is general info and that information is dedicated to a location*. Instead there should be columns: Connected from: Public IP, Connected through: VPN LOCATION (Like: Szczecin/US East/.... - the VPN NAME), Connected date (when it was connected through that location)
  • downloaded configuration file name should be: location-devicename.conf (but is unidentified....conf.conf)
  • when clicking Show configuration on an already configured device (to download new location config for example) - the modal states Adding device - that should be only when adding, if configured should be Device configuration
  • When expanding the device to see connection to each location details - when the device was never connected to that location there should be Never connected info (and not blank: last connected...)

Update helm chart

The helm chart needs to be updated to include the enrollment service deployment (probably as an option) and make sure that all the env variables that we've added over the last few months are included in ConfigMaps

Send email informing about successful login

Email with info that there was a successful account login to defguard:
Subject: New login to your account

Just a quick information about new successful login to your account:

* Date: Tuesday, August 15, 2023 at 11:16:31 AM +00:00
* IP Address: 10.X.Y.Z
* Device Type: IPad8,9

Content manager component

Content manager capable of basic text functionalities provided by markdown.

Available options should reflect those in markdown and the toggle ability to change from preview into raw markdown text.

Library: https://tiptap.dev/

Example: https://tiptap.dev/editor

Plugin for markdown support: https://github.com/aguingand/tiptap-markdown

Prepare listing of available template TAGS and meaning

Login email notification with defguard to new system using OIDC

Email with info that login using defguard was done to a new system using OIDC (the first one - after consent):

Subject: New login to XXXX application with defguard

Your account was just logged into a system: Outline using OpenID Connect authorization:

* Date: Tuesday, August 15, 2023 at 11:16:31 AM +00:00
* IP Address: 10.X.Y.Z
* Device Type: IPad8,9
* You can deauthorize all applications that have access to your account from the web vault under (My Profile > Apps)[Link to DG My Profile]
