-
Notifications
You must be signed in to change notification settings - Fork 279
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(portal): Internet resources #6299
Conversation
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
021e6b9
to
b4bb6d6
Compare
Terraform Cloud Plan Output
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will test more later. Left some minor wording suggestions.
- Since this is close to shipping and we're already bumping to 1.2, should we just make >1.2.0 the requirement here? Otherwise we'll bump to 1.2 and then to 1.3 after a few days.
- Is it possible to delete the Internet Resource via the REST API?
- On that note, do we need to update REST API docs / schema for it?
elixir/apps/domain/priv/repo/migrations/20240808165513_add_internet_resources.exs
Outdated
Show resolved
Hide resolved
:drop -> :drop | ||
end | ||
cond do | ||
resource.type == :internet and Version.match?(client_or_gateway_version, ">= 1.3.0") -> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we'll roll this out with the other changes for client 1.2.0 release.
resource.type == :internet and Version.match?(client_or_gateway_version, ">= 1.3.0") -> | |
resource.type == :internet and Version.match?(client_or_gateway_version, ">= 1.2.0") -> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should not do that. 1.2 is for the wildcard. Better we bump the version twice because then we will have a way to develop internet resources and deploy without breaking everything.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
K, in that case I think we can release new clients today-ish and deploy prod right away, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
cc @conectado to confirm.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I just realized that after merging this PR #6325 if we send the internet resource to clients currently in main it might break some clients. Since now we send the resource to the clients, some of the clients can't support the deserialization of the internet resource.
Will have a PR asap to fix this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed in #6381
<fieldset class="mb-2"> | ||
<.input | ||
type="checkbox" | ||
label="Allow users to access the internet outside of Firezone" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This comment isn't so much around function, but more around user experience. While I was trying to create a Policy for the Internet Resource, I saw this checkbox and wasn't actually sure what it was trying to convey.
Is this saying that users have the ability to stay signed in to the Firezone client to allow them to access private resources but bypass the Internet resource?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
cc @jamilbk that is what we discussed, this feature is really ambiguous, need much better content around it :(
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hm yeah we may need a longer description and / or rewording here. Or we could keep this enabled behind the scenes for now and expose the option to disable it when we hear that requirement from customers. I'll give it some more thought tomorrow.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd address disabling when we implement PAM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we have any customer feedback around this feature? Has any customer explicitly asked one way or another for the enable/disable feature?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah so far they've just wanted to allow enabling/disabling, but I believe it has been only admins asking for the feature for their technical team (DevOps).
For the broader workforce, discovery calls from longer ago had expressed a need for this for Internet security for their workforce -- connecting from public cafes / coffee shops.
The other complication here is that, depending on the Policy that matches against your actor based which group you're in - you might be shown this flag or might not if you belong to multiple groups the Internet resource is enabled for. The portal would need a deterministic way to select policies (perhaps based on smaller group first).
Based on the above I'm reluctant to expose this option and instead just default it to true
for now and hide the UI.
WDYGT?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I agree. I think setting the default to true
and not exposing the option right now is probably the way to go.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@AndrewDryga bump
This is made to sync this with #6299
[Refs](#6299 (comment)) The problem right now, after #6325 we send the internet resource up to the clients. The clients expect a certain format for the resources and panic if it isn't followed. Particularly, in the case of no `address` or no `name`. To fix this, we add a name and an address for the internet resource when it is converted to the callback type. Setting the `name` at that point actually makes a lot of sense since it homogenizes the name across all platforms. But the internet resource having an address makes no sense. So in a next PR, when I do the last UI changes I plan to make `address` optional for all resources on the clients and specialize the display of the internet resource. For now I wanted to get this in so that we don't ever panic on the internet resource existing. (This was tested on all platforms and it works)
…resource (#6396) In preparation for #6299 --------- Signed-off-by: Gabi <[email protected]> Co-authored-by: Thomas Eizinger <[email protected]>
I think this is essentially ready to go, just waiting on hiding the control preventing users to disable the resource so we can approach it more deliberately later. |
Co-authored-by: Jamil <[email protected]> Signed-off-by: Andrew Dryga <[email protected]>
Co-authored-by: Jamil <[email protected]> Signed-off-by: Andrew Dryga <[email protected]>
…ernet_resources.exs Co-authored-by: Jamil <[email protected]> Signed-off-by: Andrew Dryga <[email protected]>
Co-authored-by: Jamil <[email protected]> Signed-off-by: Andrew Dryga <[email protected]>
Co-authored-by: Jamil <[email protected]> Signed-off-by: Andrew Dryga <[email protected]>
9c84801
to
e6db9bd
Compare
@AndrewDryga Pushed a small fix for tests and merging to start testing with live Clients. |
They will be sent in the API for connlib 1.3 and above.
I think in future we can make a whole menu section called "Internet Security" which will be a specialized UI for the new resource type (and now show it in Resources list) to improve the user experience around it.
Closes #5852