Update main branch

.ci/cargo-deny.toml

@@ -267,7 +267,9 @@ unknown-git = "warn"
 # if not specified. If it is specified but empty, no registries are allowed.
 allow-registry = ["https://github.com/rust-lang/crates.io-index"]
 # List of URLs for allowed Git repositories
-allow-git = []
+allow-git = [
+    "https://gitlab.com/kerkmann/leptos_oidc",
+]
 
 [sources.allow-org]
 # 1 or more github.com organizations to allow git sources for

.ci/docker/Vagrantfile

@@ -28,8 +28,9 @@ Vagrant.configure("2") do |config|
     # share the root folder from the host (relative from where the Vagrantfile is located)
     config.vm.synced_folder ".", repo_root, disabled: false, SharedFoldersEnableSymlinksCreate: false
 
-    # normal user is allowed to forward ports > 1024
+    # normal user is allowed to forward ports > 1024, restrict host_ip to localhost only (avoids publishing to all interfaces)
     config.vm.network :forwarded_port, guest: 3000, host: 3000, host_ip: "127.0.0.1"
+    config.vm.network :forwarded_port, guest: 8081, host: 8081, host_ip: "127.0.0.1"
 
     config.vm.provider "virtualbox" do |vb|
         vb.name = machine[:hostname]

.ci/docker/carl-on-host/docker-compose.yml

@@ -17,10 +17,9 @@ services:
     volumes:
       - "../../../resources/development/tls/:/etc/opendut-network/tls/:ro"
 
-    #ports:
-    #  - "127.0.0.1:8082:8080"  # traefik dashboard
     networks:
       opendutnet:
+        ipv4_address: 192.168.32.200
         aliases:
           - carl
 

.ci/docker/carl/docker-compose.yml

@@ -27,7 +27,13 @@ services:
       - OPENDUT_CARL_VPN_NETBIRD_HTTPS_ONLY=false
       - OPENDUT_CARL_VPN_NETBIRD_AUTH_SECRET=$NETBIRD_API_TOKEN
       - OPENDUT_CARL_VPN_NETBIRD_AUTH_TYPE=personal-access-token
-    # dynamically provided
+      # OIDC
+      - OPENDUT_CARL_NETWORK_OIDC_ENABLED=true
+      - OPENDUT_CARL_NETWORK_OIDC_LEA_CLIENT_ID=opendut-lea-client
+      - OPENDUT_CARL_NETWORK_OIDC_LEA_ISSUER_URL=https://keycloak/realms/opendut
+      - OPENDUT_CARL_NETWORK_OIDC_LEA_SCOPES=openid,profile,email
+
+      # dynamically provided
       - OPENDUT_DOCKER_IMAGE_NAMESPACE
       - OPENDUT_DOCKER_IMAGE_HOST
       - OPENDUT_CARL_VERSION
@@ -44,8 +50,6 @@ services:
       retries: 3
       start_period: 40s
 
-    #ports:
-    #  - "443"
     networks:
       opendutnet:
         ipv4_address: 192.168.32.200

.ci/docker/edgar/Readme.md

@@ -43,7 +43,7 @@ awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' resources/development/tls/insecure-
 ```
 docker compose build
 docker compose up -d
-docker exec -ti edgar_router /opt/wait_until_ready.sh
+docker exec -ti edgar-leader /opt/wait_until_ready.sh
 docker exec -ti edgar-peer-1 /opt/wait_until_ready.sh
 docker exec -ti edgar-peer-1 /opt/pingall.sh
 docker exec -ti edgar-peer-1 python3 /opt/delete_peers.py

.ci/docker/edgar/docker-compose.yml

@@ -2,12 +2,12 @@ version: "3.9"
 
 services:
 
-  router:
-    container_name: edgar_router  # defined DNS for the container
+  leader:
+    container_name: edgar-leader  # defined DNS for the container
     build:
       context: ../../..
       dockerfile: ./.ci/docker/edgar/Dockerfile
-    command: /opt/managed.sh router
+    command: /opt/managed.sh leader
     #command: sleep infinity
     volumes:
       - ../../../target/ci/distribution/x86_64-unknown-linux-gnu/:/opt/artifacts

.ci/docker/edgar/scripts/functions.sh

@@ -88,15 +88,15 @@ check_timeout() {
 }
 
 
-debug_show_peers_requesting_router_ip() {
+debug_show_peers_requesting_leader_ip() {
   while true; do
-    lookups=$(grep router_ip.txt logs.txt | nl | awk '{print $1}' | tail -n1)
+    lookups=$(grep leader_ip.txt logs.txt | nl | awk '{print $1}' | tail -n1)
     num_lookups=${lookups:-0}
-    echo "${num_lookups} of ${OPENDUT_EDGAR_REPLICAS} peers fetched the router_ip address."
+    echo "${num_lookups} of ${OPENDUT_EDGAR_REPLICAS} peers fetched the leader_ip address."
     if [ "${num_lookups}" == "${OPENDUT_EDGAR_REPLICAS}" ]; then
       break
     else
-      echo "Waiting for peers to fetch router_ip address."
+      echo "Waiting for peers to fetch leader_ip address."
       sleep 1
     fi
   done

.ci/docker/edgar/scripts/managed.sh

@@ -16,30 +16,30 @@ cleo_get_peer_id() {
   fi
 }
 
-cleo_count_connected_peers() {
+check_expected_number_of_connected_peers_in_cluster() {
   expected="$1"
-  RESULT=$(opendut-cleo list --output json peers | jq -r '.[].status' | grep -c Connected)
+  cluster="$2"
+  RESULT=$(opendut-cleo list --output json peers | jq --arg CLUSTER "$cluster" -r '. | map(select(.name | contains($CLUSTER))) | .[].status' | grep -c Connected)
   if [ "$RESULT" -eq "$expected" ]; then
       return 0
   else
       return 1
   fi
 }
 
-cleo_count_connected_peers_in_cluster() {
-  expected="$1"
-  cluster="$2"
-  RESULT=$(opendut-cleo list --output json peers | jq --arg CLUSTER "$cluster" -r '. | map(select(.name | contains($CLUSTER))) | .[].status' | grep -c Connected)
-  if [ "$RESULT" -eq "$expected" ]; then
-      return 0
-  else
-      return 1
+check_interface_exists() {
+  interface="$1"
+
+  ip link show dev "$interface" > /dev/null
+  EXISTS=$?
+
+  if [ $EXISTS -ne 0 ]; then
+    echo "Network interface '$interface' does not exist."
+    return 1
   fi
 }
 
 pre_flight_tasks() {
-  touch /etc/security/capability.conf
-
   if ! type opendut-cleo > /dev/null; then
     echo "Command 'opendut-cleo' not found."
     exit 1
@@ -52,8 +52,12 @@ pre_flight_tasks
 PEER_ID=$(uuidgen)
 NAME="${OPENDUT_EDGAR_CLUSTER_NAME}_$(hostname)"
 echo "Creating peer with name $NAME and id $PEER_ID"
-opendut-cleo create peer --name "$NAME" --id "$PEER_ID"
-opendut-cleo create device --peer-id "$PEER_ID" --name device-"$NAME" --interface eth0 --location "$NAME" --tags "$OPENDUT_EDGAR_CLUSTER_NAME"
+opendut-cleo create peer --name "$NAME" --id "$PEER_ID" --location "$NAME"
+
+DEVICE_INTERFACE="dut0"
+ip link add $DEVICE_INTERFACE type dummy
+ip link set dev $DEVICE_INTERFACE up
+opendut-cleo create device --peer-id "$PEER_ID" --name device-"$NAME" --interface "$DEVICE_INTERFACE" --tag "$OPENDUT_EDGAR_CLUSTER_NAME"
 
 PEER_SETUP_KEY=$(opendut-cleo generate-peer-setup --id "$PEER_ID")
 echo "Setting up peer with setup key $PEER_SETUP_KEY"
@@ -69,14 +73,15 @@ done
 
 expected_peer_count=$((OPENDUT_EDGAR_REPLICAS + 1))
 START_TIME="$(date +%s)"
-while ! cleo_count_connected_peers_in_cluster "$expected_peer_count" "$OPENDUT_EDGAR_CLUSTER_NAME"; do
+while ! check_expected_number_of_connected_peers_in_cluster "$expected_peer_count" "$OPENDUT_EDGAR_CLUSTER_NAME"; do
   check_timeout "$START_TIME" 600 || { echo "Timeout while waiting for other edgar peers in my cluster."; exit 1; }
 
   echo "Waiting for all edgar peers in my cluster ..."
   sleep 3
 done
 
-if [ "$1" == "router" ]; then
+
+if [ "$1" == "leader" ]; then
   DEVICES="$(opendut-cleo list --output=json devices | jq --arg NAME "$OPENDUT_EDGAR_CLUSTER_NAME" -r '.[] | select(.tags==$NAME).name' | xargs echo)"
   echo "Enumerating devices to join cluster: $DEVICES"
 
@@ -91,8 +96,30 @@ if [ "$1" == "router" ]; then
   CLUSTER_ID=$(echo "$RESPONSE" | jq -r '.id')
   echo "Creating cluster deployment for id=$CLUSTER_ID"
   opendut-cleo create cluster-deployment --id "$CLUSTER_ID"
-  echo "Success" | tee -a > /opt/signal/success.txt
+fi
+
+
+BRIDGE="br-opendut"  # needs to match EDGAR's default
+GRE_INTERFACE="gre-opendut0"  # needs to match EDGAR's default prefix
 
+check_edgar_interfaces_exist() {
+  check_interface_exists "$BRIDGE"
+  check_interface_exists "$GRE_INTERFACE"
+}
+
+START_TIME="$(date +%s)"
+while ! check_edgar_interfaces_exist; do
+    check_timeout "$START_TIME" 600 || { echo "Timeout while waiting for the EDGAR-managed network interfaces to exist."; exit 1; }
+    echo "Waiting for the EDGAR-managed network interfaces to exist..."
+    sleep 3
+done
+
+BRIDGE_ADDRESS=$(ip -json address show dev eth0 | jq --raw-output '.[0].addr_info[0].local' | sed --expression 's#32#33#')  # derive from existing address, by replacing '32' with '33'
+ip address add "$BRIDGE_ADDRESS/24" dev "$BRIDGE"
+
+
+if [ "$1" == "leader" ]; then
+  echo "Success" | tee -a > /opt/signal/success.txt
 fi
 
 trap die_with_success TERM

.ci/docker/edgar/scripts/pingall.sh

@@ -2,27 +2,61 @@
 
 source "$(dirname "$0")/functions.sh"
 
-ping_all_peers() {
+ping_all_netbird_peers() {
+  REQUIRED_SUCCESS="$1"
   IPS=$(netbird status --json | jq -r '.peers.details[].netbirdIp')
+
+  if [ -z "$IPS" ]; then #abort if no IPs returned
+    echo "Failed to determine IP addresses to ping."
+    return 1
+  fi
+
+  for ip in $IPS
+  do
+    if [ "$REQUIRED_SUCCESS" == "true" ]; then
+      fping --count=1 --timeout=1000 --retry=5 "$ip" || { echo "$ip did not respond"; return 1; }
+    else
+      fping --count=1 --timeout=1000 --retry=5 "$ip" || { echo "$ip did not respond"; sleep 10; }
+    fi
+  done
+}
+
+ping_all_dut_bridges() {
+  REQUIRED_SUCCESS="$1"
+  IPS=$(wg show all endpoints | grep -Eo '192.168.32.[0-9]+' | sed -e 's#32#33#')
+
+  if [ -z "$IPS" ]; then #abort if no IPs returned
+    echo "Failed to determine IP addresses to ping."
+    return 1
+  fi
+
   for ip in $IPS
   do
-    fping -c1 -t500 "$ip" || { echo "$ip did not respond"; sleep 3; }
+    if [ "$REQUIRED_SUCCESS" == "true" ]; then
+      fping --count=1 --timeout=1000 --retry=5 "$ip" || { echo "$ip did not respond"; return 1; }
+    else
+      fping --count=1 --timeout=1000 --retry=5 "$ip" || { echo "$ip did not respond"; sleep 10; }
+    fi
   done
 }
 
 
 wait_for_peers_to_connect
 
 echo "first ping may take multiple seconds"
-ping_all_peers
-ping_all_peers
+ping_all_netbird_peers "false"
+ping_all_netbird_peers "false"
 
 set -e  # exit on error
 set -x  # print each command
 
 echo "-------------------------------------------------------------------------"
 echo "Running ping test"
-ping_all_peers
+echo "Pinging NetBird peers..."
+ping_all_netbird_peers "true"
+
+echo "Pinging DUT bridges..."
+ping_all_dut_bridges "true"
 
 echo "SUCCESS"
 exit 0

.ci/docker/edgar/scripts/prepare.sh

@@ -5,38 +5,38 @@ trap die_with_error TERM
 
 
 if [ -n "$1" ] ; then
-  /opt/opendut-edgar/opendut-edgar setup --no-confirm unmanaged --setup-key "$NETBIRD_SETUP_KEY" --management-url "${NETBIRD_MANAGEMENT_API}" --router=local
+  /opt/opendut-edgar/opendut-edgar setup --no-confirm unmanaged --setup-key "$NETBIRD_SETUP_KEY" --management-url "${NETBIRD_MANAGEMENT_API}" --leader=local
 
   while ! netbird status | grep IP; do
     echo "Waiting for netbird to start up..."
     sleep 1
   done
-  router_ip=$(netbird status | grep IP | grep -Eo "[0-9]+.[0-9]+.[0-9]+.[0-9]+")
+  leader_ip=$(netbird status | grep IP | grep -Eo "[0-9]+.[0-9]+.[0-9]+.[0-9]+")
 
-  echo "$router_ip" > router_ip.txt
+  echo "$leader_ip" > leader_ip.txt
   python3 -m http.server 2> logs.txt &
   python3 ip_provider.py 2> provider.txt &
 
-  debug_show_peers_requesting_router_ip
+  debug_show_peers_requesting_leader_ip
   wait_for_peers_to_connect
 
-  /opt/opendut-edgar/opendut-edgar setup --no-confirm unmanaged --setup-key "$NETBIRD_SETUP_KEY" --management-url "${NETBIRD_MANAGEMENT_API}" --router=local
+  /opt/opendut-edgar/opendut-edgar setup --no-confirm unmanaged --setup-key "$NETBIRD_SETUP_KEY" --management-url "${NETBIRD_MANAGEMENT_API}" --leader=local
   echo setting bridge ip
   ip a a 192.168.100.1/24 dev br-opendut
 
 else
-  echo waiting for router to come up
-  while ! curl -sf "http://edgar_router:8000" --output /dev/null; do
-    echo "Waiting for router to start up..."
+  echo waiting for leader to come up
+  while ! curl -sf "http://edgar-leader:8000" --output /dev/null; do
+    echo "Waiting for leader to start up..."
     sleep 3
   done
 
-  router_ip=$(curl --silent http://edgar_router:8000/router_ip.txt)
-  echo "Using router router_ip address $router_ip"
-  /opt/opendut-edgar/opendut-edgar setup --no-confirm unmanaged --setup-key "$NETBIRD_SETUP_KEY" --management-url "${NETBIRD_MANAGEMENT_API}" --router="$router_ip"
+  leader_ip=$(curl --silent http://edgar-leader:8000/leader_ip.txt)
+  echo "Using leader leader_ip address $leader_ip"
+  /opt/opendut-edgar/opendut-edgar setup --no-confirm unmanaged --setup-key "$NETBIRD_SETUP_KEY" --management-url "${NETBIRD_MANAGEMENT_API}" --leader="$leader_ip"
 
   echo fetching bridge_ip
-  bridge_ip=$(curl --silent http://edgar_router:5000/)
+  bridge_ip=$(curl --silent http://edgar-leader:5000/)
   bridge_ip="192.168.100.${bridge_ip}/24"
   echo "Got bridge ip ${bridge_ip}"
   ip a a "${bridge_ip}" dev br-opendut

.ci/docker/firefox/Readme.md

@@ -13,4 +13,4 @@ Following features are included:
 * Open url in remote session:
   * https://carl
   * http://netbird-ui
-  * http://keycloak
+  * https://keycloak

.ci/docker/firefox/docker-compose.yml

@@ -19,7 +19,7 @@ services:
       - OPENDUT_HOSTS
 
     volumes:
-      - /path/to/config:/config
+      - opendut_firefox:/config
     shm_size: "1gb"
     #restart: unless-stopped
     networks:
@@ -29,3 +29,6 @@ networks:
   opendutnet:
     name: opendut_network
     external: true  # Use a pre-existing network
+
+volumes:
+  opendut_firefox:

.ci/docker/firefox/postinit.sh

@@ -25,7 +25,7 @@ if [ ! -e "/config/.firstrun" ]; then
   echo "First run, opening a bunch of sites"
   touch /config/.firstrun
   # abc is the user firefox runs as
-  su - abc -c 'DISPLAY=:1 firefox http://keycloak'
+  su - abc -c 'DISPLAY=:1 firefox https://keycloak'
   su - abc -c 'DISPLAY=:1 firefox http://netbird-ui'
   su - abc -c 'DISPLAY=:1 firefox https://carl'
 fi

.ci/docker/keycloak/Dockerfile-keycloak-provision

@@ -9,12 +9,16 @@ RUN mkdir -p /mnt/rootfs
 RUN dnf remove -y subscription-manager
 RUN dnf install --installroot /mnt/rootfs curl jq --releasever 9 --setopt install_weak_deps=false --nodocs -y; dnf --installroot /mnt/rootfs clean all
 #RUN find /mnt/rootfs -name '*jq*'
+COPY ./resources/development/tls/insecure-development-ca.pem /etc/pki/ca-trust/source/anchors/
+RUN update-ca-trust
+
 
 FROM quay.io/keycloak/keycloak:$KEYCLOAK_VERSION
 USER root
 COPY --from=ubi-micro-build /mnt/rootfs/usr/bin/curl /usr/bin/curl
 COPY --from=ubi-micro-build /mnt/rootfs/usr/bin/jq /usr/bin/jq
 COPY --from=ubi-micro-build /mnt/rootfs/usr/lib64/ /usr/lib64/
+COPY --from=ubi-micro-build /etc/pki/ca-trust/extracted/ /etc/pki/ca-trust/extracted/
 
 COPY ./.ci/docker/keycloak/keycloak_functions.sh /keycloak_functions.sh
 COPY ./.ci/docker/keycloak/provision.sh /provision.sh

.ci/docker/keycloak/Dockerfile-keycloak-server

@@ -12,6 +12,8 @@ RUN mkdir -p /mnt/rootfs
 # Removes this warning "This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register."
 RUN dnf remove -y subscription-manager
 RUN dnf install --installroot /mnt/rootfs curl jq --releasever 9 --setopt install_weak_deps=false --nodocs -y; dnf --installroot /mnt/rootfs clean all
+COPY ./resources/development/tls/insecure-development-ca.pem /etc/pki/ca-trust/source/anchors/
+RUN update-ca-trust
 
 # Documentation:
 # https://www.keycloak.org/server/containers
@@ -23,6 +25,7 @@ USER root
 COPY --from=ubi-micro-build /mnt/rootfs/usr/bin/curl /usr/bin/curl
 COPY --from=ubi-micro-build /mnt/rootfs/usr/bin/jq /usr/bin/jq
 COPY --from=ubi-micro-build /mnt/rootfs/usr/lib64/ /usr/lib64/
+COPY --from=ubi-micro-build /etc/pki/ca-trust/extracted/ /etc/pki/ca-trust/extracted/
 
 COPY --from=extension /src/keycloak-extension-playground/github-enterprise-identity-provider/target/github-enterprise-identity-provider-1.0.0.0-SNAPSHOT.jar /opt/keycloak/providers
 RUN /opt/keycloak/bin/kc.sh build