ExternalVendorCode/ZeroTierOne
1
0
Fork 0
mirror of https://github.com/zerotier/ZeroTierOne.git synced 2025-04-20 17:00:49 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge branch 'dev' of http://10.95.0.64/zerotier/ZeroTierOne into dev

Browse Source
This commit is contained in:
Adam Ierymenko 2021-08-23 11:58:06 -04:00
commit 0e8c43cfdd
14 changed files with 331 additions and 298 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
OFFICIAL-RELEASE-STEPS.md
View File

@ -14,7 +14,6 @@ The version must be incremented in all of the following files:
/debian/changelog
/ext/installfiles/mac/ZeroTier One.pkgproj
/ext/installfiles/windows/ZeroTier One.aip
/windows/WinUI/AboutView.xaml
The final .AIP file can only be edited on Windows with [Advanced Installer Enterprise](http://www.advancedinstaller.com/). In addition to incrementing the version be sure that a new product code is generated. (The "upgrade code" GUID on the other hand must never change.)

8
controller/DB.cpp
View File

@ -196,6 +196,14 @@ void DB::networks(std::set<uint64_t> &networks)
networks.insert(n->first);
}
void DB::networkMemberSSOHasExpired(uint64_t nwid, int64_t now) {
std::lock_guard<std::mutex> l(_networks_l);
auto nw = _networks.find(nwid);
if (nw != _networks.end()) {
nw->second->mostRecentDeauthTime = now;
}
}
void DB::_memberChanged(nlohmann::json &old,nlohmann::json &memberConfig,bool notifyListeners)
{
uint64_t memberId = 0;

2
controller/DB.hpp
View File

@ -107,7 +107,9 @@ public:
virtual void eraseNetwork(const uint64_t networkId) = 0;
virtual void eraseMember(const uint64_t networkId,const uint64_t memberId) = 0;
virtual void nodeIsOnline(const uint64_t networkId,const uint64_t memberId,const InetAddress &physicalAddress) = 0;
virtual std::string getSSOAuthURL(const nlohmann::json &member, const std::string &redirectURL) { return ""; }
virtual void networkMemberSSOHasExpired(uint64_t nwid, int64_t ts);
inline void addListener(DB::ChangeListener *const listener)
{

8
controller/DBMirrorSet.cpp
View File

@ -137,6 +137,14 @@ std::string DBMirrorSet::getSSOAuthURL(const nlohmann::json &member, const std::
return "";
}
void DBMirrorSet::networkMemberSSOHasExpired(uint64_t nwid, int64_t ts)
{
std::lock_guard<std::mutex> l(_dbs_l);
for(auto d=_dbs.begin();d!=_dbs.end();++d) {
(*d)->networkMemberSSOHasExpired(nwid, ts);
}
}
void DBMirrorSet::networks(std::set<uint64_t> &networks)
{
std::lock_guard<std::mutex> l(_dbs_l);

1
controller/DBMirrorSet.hpp
View File

@ -52,6 +52,7 @@ public:
virtual void onNetworkMemberDeauthorize(const void *db,uint64_t networkId,uint64_t memberId);
std::string getSSOAuthURL(const nlohmann::json &member, const std::string &redirectURL);
void networkMemberSSOHasExpired(uint64_t nwid, int64_t ts);
inline void addDB(const std::shared_ptr<DB> &db)
{

13
controller/EmbeddedNetworkController.cpp
View File

@ -1364,16 +1364,21 @@ void EmbeddedNetworkController::_request(
if (networkSSOEnabled && !memberSSOExempt) {
authenticationURL = _db.getSSOAuthURL(member, _ssoRedirectURL);
std::string memberId = member["id"];
fprintf(stderr, "ssoEnabled && !ssoExempt %s-%s\n", nwids, memberId.c_str());
//fprintf(stderr, "ssoEnabled && !ssoExempt %s-%s\n", nwids, memberId.c_str());
uint64_t authenticationExpiryTime = (int64_t)OSUtils::jsonInt(member["authenticationExpiryTime"], 0);
fprintf(stderr, "authExpiryTime: %lld\n", authenticationExpiryTime);
//fprintf(stderr, "authExpiryTime: %lld\n", authenticationExpiryTime);
if (authenticationExpiryTime < now) {
if (!authenticationURL.empty()) {
_db.networkMemberSSOHasExpired(nwid, now);
onNetworkMemberDeauthorize(&_db, nwid, identity.address().toInt());
Dictionary<3072> authInfo;
authInfo.add("aU", authenticationURL.c_str());
fprintf(stderr, "sending auth URL: %s\n", authenticationURL.c_str());
//fprintf(stderr, "sending auth URL: %s\n", authenticationURL.c_str());
DB::cleanMember(member);
_db.save(member,true);
_sender->ncSendError(nwid,requestPacketId,identity.address(),NetworkController::NC_ERROR_AUTHENTICATION_REQUIRED, authInfo.data(), authInfo.sizeBytes());
return;
}
@ -1479,7 +1484,7 @@ void EmbeddedNetworkController::_request(
json &memberTags = member["tags"];
json &dns = network["dns"];
fprintf(stderr, "IP Assignment Pools for Network %s: %s\n", nwids, OSUtils::jsonDump(ipAssignmentPools, 2).c_str());
//fprintf(stderr, "IP Assignment Pools for Network %s: %s\n", nwids, OSUtils::jsonDump(ipAssignmentPools, 2).c_str());
if (metaData.getUI(ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_RULES_ENGINE_REV,0) <= 0) {
// Old versions with no rules engine support get an allow everything rule.

518
controller/PostgreSQL.cpp
View File

@ -24,9 +24,10 @@
#include <libpq-fe.h>
#include <sstream>
#include <climits>
#include <chrono>
#define ZT_TRACE 1
//#define ZT_TRACE 1
using json = nlohmann::json;
@ -69,6 +70,17 @@ std::string join(const std::vector<std::string> &elements, const char * const se
}
*/
std::vector<std::string> split(std::string str, char delim){
std::istringstream iss(str);
std::vector<std::string> tokens;
std::string item;
while(std::getline(iss, item, delim)) {
tokens.push_back(item);
}
return tokens;
}
} // anonymous namespace
using namespace ZeroTier;
@ -232,7 +244,6 @@ bool PostgreSQL::isReady()
bool PostgreSQL::save(nlohmann::json &record,bool notifyListeners)
{
fprintf(stderr, "PostgreSQL::save\n");
bool modified = false;
try {
if (!record.is_object()) {
@ -241,7 +252,7 @@ bool PostgreSQL::save(nlohmann::json &record,bool notifyListeners)
}
const std::string objtype = record["objtype"];
if (objtype == "network") {
fprintf(stderr, "network save\n");
//fprintf(stderr, "network save\n");
const uint64_t nwid = OSUtils::jsonIntHex(record["id"],0ULL);
if (nwid) {
nlohmann::json old;
@ -257,17 +268,17 @@ bool PostgreSQL::save(nlohmann::json &record,bool notifyListeners)
std::string memberId = record["id"];
const uint64_t nwid = OSUtils::jsonIntHex(record["nwid"],0ULL);
const uint64_t id = OSUtils::jsonIntHex(record["id"],0ULL);
fprintf(stderr, "member save %s-%s\n", networkId.c_str(), memberId.c_str());
//fprintf(stderr, "member save %s-%s\n", networkId.c_str(), memberId.c_str());
if ((id)&&(nwid)) {
nlohmann::json network,old;
get(nwid,network,id,old);
if ((!old.is_object())||(!_compareRecords(old,record))) {
fprintf(stderr, "commit queue post\n");
//fprintf(stderr, "commit queue post\n");
record["revision"] = OSUtils::jsonInt(record["revision"],0ULL) + 1ULL;
_commitQueue.post(std::pair<nlohmann::json,bool>(record,notifyListeners));
modified = true;
} else {
fprintf(stderr, "no change\n");
//fprintf(stderr, "no change\n");
}
}
} else {
@ -336,7 +347,7 @@ std::string PostgreSQL::getSSOAuthURL(const nlohmann::json &member, const std::s
std::string memberId = member["id"];
char authenticationURL[4096] = {0};
fprintf(stderr, "PostgreSQL::updateMemberOnLoad: %s-%s\n", networkId.c_str(), memberId.c_str());
//fprintf(stderr, "PostgreSQL::updateMemberOnLoad: %s-%s\n", networkId.c_str(), memberId.c_str());
bool have_auth = false;
try {
auto c = _pool->borrow();
@ -427,120 +438,115 @@ void PostgreSQL::initializeNetworks()
try {
std::string setKey = "networks:{" + _myAddressStr + "}";
std::unordered_set<std::string> networkSet;
fprintf(stderr, "Initializing Networks...\n");
auto c = _pool->borrow();
pqxx::work w{*c->c};
pqxx::result r = w.exec_params("SELECT id, (EXTRACT(EPOCH FROM creation_time AT TIME ZONE 'UTC')*1000)::bigint as creation_time, capabilities, "
"enable_broadcast, (EXTRACT(EPOCH FROM last_modified AT TIME ZONE 'UTC')*1000)::bigint AS last_modified, mtu, multicast_limit, name, private, remote_trace_level, "
"remote_trace_target, revision, rules, tags, v4_assign_mode, v6_assign_mode, sso_enabled FROM ztc_network "
"WHERE deleted = false AND controller_id = $1", _myAddressStr);
for (auto row = r.begin(); row != r.end(); row++) {
char qbuf[2048] = {0};
sprintf(qbuf, "SELECT n.id, (EXTRACT(EPOCH FROM n.creation_time AT TIME ZONE 'UTC')*1000)::bigint as creation_time, n.capabilities, "
"n.enable_broadcast, (EXTRACT(EPOCH FROM n.last_modified AT TIME ZONE 'UTC')*1000)::bigint AS last_modified, n.mtu, n.multicast_limit, n.name, n.private, n.remote_trace_level, "
"n.remote_trace_target, n.revision, n.rules, n.tags, n.v4_assign_mode, n.v6_assign_mode, n.sso_enabled, (CASE WHEN n.sso_enabled THEN o.client_id ELSE NULL END) as client_id, "
"(CASE WHEN n.sso_enabled THEN o.authorization_endpoint ELSE NULL END) as authorization_endpoint, d.domain, d.servers, "
"ARRAY(SELECT CONCAT(host(ip_range_start),'|', host(ip_range_end)) FROM ztc_network_assignment_pool WHERE network_id = n.id) AS assignment_pool, "
"ARRAY(SELECT CONCAT(host(address),'/',bits::text,'|',COALESCE(host(via), 'NULL'))FROM ztc_network_route WHERE network_id = n.id) AS routes "
"FROM ztc_network n "
"LEFT OUTER JOIN ztc_org o "
" ON o.owner_id = n.owner_id "
"LEFT OUTER JOIN ztc_network_dns d "
" ON d.network_id = n.id "
"WHERE deleted = false AND controller_id = '%s'", _myAddressStr.c_str());
auto c = _pool->borrow();
auto c2 = _pool->borrow();
pqxx::work w{*c->c};
auto stream = pqxx::stream_from::query(w, qbuf);
std::tuple<
std::string // network ID
, std::optional<int64_t> // creationTime
, std::optional<std::string> // capabilities
, std::optional<bool> // enableBroadcast
, std::optional<uint64_t> // lastModified
, std::optional<int> // mtu
, std::optional<int> // multicastLimit
, std::optional<std::string> // name
, bool // private
, std::optional<int> // remoteTraceLevel
, std::optional<std::string> // remoteTraceTarget
, std::optional<uint64_t> // revision
, std::optional<std::string> // rules
, std::optional<std::string> // tags
, std::optional<std::string> // v4AssignMode
, std::optional<std::string> // v6AssignMode
, std::optional<bool> // ssoEnabled
, std::optional<std::string> // clientId
, std::optional<std::string> // authorizationEndpoint
, std::optional<std::string> // domain
, std::optional<std::string> // servers
, std::string // assignmentPoolString
, std::string // routeString
> row;
uint64_t count = 0;
auto tmp = std::chrono::high_resolution_clock::now();
uint64_t total = 0;
while (stream >> row) {
auto start = std::chrono::high_resolution_clock::now();
json empty;
json config;
initNetwork(config);
std::string nwid = row[0].as<std::string>();
std::string nwid = std::get<0>(row);
std::optional<int64_t> creationTime = std::get<1>(row);
std::optional<std::string> capabilities = std::get<2>(row);
std::optional<bool> enableBroadcast = std::get<3>(row);
std::optional<uint64_t> lastModified = std::get<4>(row);
std::optional<int> mtu = std::get<5>(row);
std::optional<int> multicastLimit = std::get<6>(row);
std::optional<std::string> name = std::get<7>(row);
bool isPrivate = std::get<8>(row);
std::optional<int> remoteTraceLevel = std::get<9>(row);
std::optional<std::string> remoteTraceTarget = std::get<10>(row);
std::optional<uint64_t> revision = std::get<11>(row);
std::optional<std::string> rules = std::get<12>(row);
std::optional<std::string> tags = std::get<13>(row);
std::optional<std::string> v4AssignMode = std::get<14>(row);
std::optional<std::string> v6AssignMode = std::get<15>(row);
std::optional<bool> ssoEnabled = std::get<16>(row);
std::optional<std::string> clientId = std::get<17>(row);
std::optional<std::string> authorizationEndpoint = std::get<18>(row);
std::optional<std::string> dnsDomain = std::get<19>(row);
std::optional<std::string> dnsServers = std::get<20>(row);
std::string assignmentPoolString = std::get<21>(row);
std::string routesString = std::get<22>(row);
networkSet.insert(nwid);
config["id"] = nwid;
config["nwid"] = nwid;
config["creationTime"] = creationTime.value_or(0);
config["capabilities"] = json::parse(capabilities.value_or("[]"));
config["enableBroadcast"] = enableBroadcast.value_or(false);
config["lastModified"] = lastModified.value_or(0);
config["mtu"] = mtu.value_or(2800);
config["multicastLimit"] = multicastLimit.value_or(64);
config["name"] = name.value_or("");
config["private"] = isPrivate;
config["remoteTraceLevel"] = remoteTraceLevel.value_or(0);
config["remoteTraceTarget"] = remoteTraceTarget.value_or("");
config["revision"] = revision.value_or(0);
config["rules"] = json::parse(rules.value_or("[]"));
config["tags"] = json::parse(tags.value_or("[]"));
config["v4AssignMode"] = json::parse(v4AssignMode.value_or("{}"));
config["v6AssignMode"] = json::parse(v6AssignMode.value_or("{}"));
config["ssoEnabled"] = ssoEnabled.value_or(false);
config["objtype"] = "network";
config["ipAssignmentPools"] = json::array();
config["routes"] = json::array();
config["clientId"] = clientId.value_or("");
config["authorizationEndpoint"] = authorizationEndpoint.value_or("");
config["id"] = nwid;
config["nwid"] = nwid;
if (!row[1].is_null()) {
config["creationTime"] = row[1].as<int64_t>();
} else {
config["creationTime"] = 0ULL;
}
config["capabilities"] = row[2].as<std::string>();
config["enableBroadcast"] = row[3].as<bool>();
if (!row[4].is_null()) {
config["lastModified"] = row[4].as<uint64_t>();
} else {
config["lastModified"] = 0ULL;
}
if (!row[5].is_null()) {
config["mtu"] = row[5].as<int>();
} else {
config["mtu"] = 2800;
}
if (!row[6].is_null()) {
config["multicastLimit"] = row[6].as<int>();
} else {
config["multicastLimit"] = 64;
}
config["name"] = row[7].as<std::string>();
config["private"] = row[8].as<bool>();
if (!row[9].is_null()) {
config["remoteTraceLevel"] = row[9].as<int>();
} else {
config["remoteTraceLevel"] = 0;
}
if (!row[10].is_null()) {
config["remoteTraceTarget"] = row[10].as<std::string>();
} else {
config["remoteTraceTarget"] = nullptr;
}
if (!row[11].is_null()) {
config["revision"] = row[11].as<uint64_t>();
} else {
config["revision"] = 0ULL;
//fprintf(stderr, "Error converting revision: %s\n", PQgetvalue(res, i, 11));
}
config["rules"] = json::parse(row[12].as<std::string>());
config["tags"] = json::parse(row[13].as<std::string>());
config["v4AssignMode"] = json::parse(row[14].as<std::string>());
config["v6AssignMode"] = json::parse(row[15].as<std::string>());
config["ssoEnabled"] = row[16].as<bool>();
config["objtype"] = "network";
config["ipAssignmentPools"] = json::array();
config["routes"] = json::array();
pqxx::result r2 = w.exec_params("SELECT host(ip_range_start), host(ip_range_end) FROM ztc_network_assignment_pool WHERE network_id = $1", nwid);
for (auto row2 = r2.begin(); row2 != r2.end(); row2++) {
json ip;
ip["ipRangeStart"] = row2[0].as<std::string>();
ip["ipRangeEnd"] = row2[1].as<std::string>();
config["ipAssignmentPools"].push_back(ip);
}
r2 = w.exec_params("SELECT host(address), bits, host(via) FROM ztc_network_route WHERE network_id = $1", nwid);
for (auto row2 = r2.begin(); row2 != r2.end(); row2++) {
std::string addr = row2[0].as<std::string>();
std::string bits = row2[1].as<std::string>();
json route;
route["target"] = addr + "/" + bits;
if (row[2].is_null()) {
route["via"] = nullptr;
} else {
route["via"] = row[2].as<std::string>();
}
config["routes"].push_back(route);
}
r2 = w.exec_params("SELECT domain, servers FROM ztc_network_dns WHERE network_id = $1", nwid);
if (r2.size() > 1) {
fprintf(stderr, "ERROR: invalid number of DNS configurations for network %s. Must be 0 or 1\n", nwid.c_str());
} else if (r2.size() == 1) {
auto dnsRow = r2.begin();
if (dnsDomain.has_value()) {
std::string serverList = dnsServers.value();
json obj;
std::string domain = dnsRow[0].as<std::string>();
std::string serverList = dnsRow[1].as<std::string>();
auto servers = json::array();
if (serverList.rfind("{",0) != std::string::npos) {
serverList = serverList.substr(1, serverList.size()-2);
@ -551,28 +557,53 @@ void PostgreSQL::initializeNetworks()
servers.push_back(server);
}
}
obj["domain"] = domain;
obj["domain"] = dnsDomain.value();
obj["servers"] = servers;
config["dns"] = obj;
}
r2 = w.exec_params("SELECT org.client_id, org.authorization_endpoint "
"FROM ztc_network nw "
"INNER JOIN ztc_org org "
" ON org.owner_id = nw.owner_id "
"WHERE nw.id = $1 AND nw.sso_enabled = true", nwid);
if (r2.size() == 1) {
// only one should exist
pqxx::row row = r.at(0);
config["clientId"] = row[0].as<std::string>();
config["authorizationEndpoint"] = row[1].as<std::string>();
config["ipAssignmentPools"] = json::array();
if (assignmentPoolString != "{}") {
std::string tmp = assignmentPoolString.substr(1, assignmentPoolString.size()-2);
std::vector<std::string> assignmentPools = split(tmp, ',');
for (auto it = assignmentPools.begin(); it != assignmentPools.end(); ++it) {
std::vector<std::string> r = split(*it, '|');
json ip;
ip["ipRangeStart"] = r[0];
ip["ipRangeEnd"] = r[1];
config["ipAssignmentPools"].push_back(ip);
}
}
_networkChanged(empty, config, false);
config["routes"] = json::array();
if (routesString != "{}") {
std::string tmp = routesString.substr(1, routesString.size()-2);
std::vector<std::string> routes = split(tmp, ',');
for (auto it = routes.begin(); it != routes.end(); ++it) {
std::vector<std::string> r = split(*it, '|');
json route;
route["target"] = r[0];
route["via"] = ((route["via"] == "NULL")? nullptr : r[1]);
config["routes"].push_back(route);
}
}
_networkChanged(empty, config, false);
auto end = std::chrono::high_resolution_clock::now();
auto dur = std::chrono::duration_cast<std::chrono::microseconds>(end - start);;
total += dur.count();
++count;
if (count % 10000 == 0) {
fprintf(stderr, "Averaging %llu us per network\n", (total/count));
}
}
fprintf(stderr, "Took %llu us per network to load\n", (total/count));
stream.complete();
w.commit();
_pool->unborrow(c2);
_pool->unborrow(c);
if (++this->_ready == 2) {
@ -596,150 +627,137 @@ void PostgreSQL::initializeMembers()
std::string networkId;
try {
std::unordered_map<std::string, std::string> networkMembers;
fprintf(stderr, "Initializing Members...\n");
auto c = _pool->borrow();
pqxx::work w{*c->c};
pqxx::result r = w.exec_params(
"SELECT m.id, m.network_id, m.active_bridge, m.authorized, m.capabilities, (EXTRACT(EPOCH FROM m.creation_time AT TIME ZONE 'UTC')*1000)::bigint, m.identity, "
char qbuf[2048];
sprintf(qbuf, "SELECT m.id, m.network_id, m.active_bridge, m.authorized, m.capabilities, (EXTRACT(EPOCH FROM m.creation_time AT TIME ZONE 'UTC')*1000)::bigint, m.identity, "
" (EXTRACT(EPOCH FROM m.last_authorized_time AT TIME ZONE 'UTC')*1000)::bigint, "
" (EXTRACT(EPOCH FROM m.last_deauthorized_time AT TIME ZONE 'UTC')*1000)::bigint, "
" m.remote_trace_level, m.remote_trace_target, m.tags, m.v_major, m.v_minor, m.v_rev, m.v_proto, "
" m.no_auto_assign_ips, m.revision, sso_exempt "
" m.no_auto_assign_ips, m.revision, sso_exempt, "
" (SELECT (EXTRACT(EPOCH FROM e.authentication_expiry_time)*1000)::bigint "
" FROM ztc_sso_expiry e "
" INNER JOIN ztc_network n1 "
" ON n.id = e.network_id "
" WHERE e.network_id = m.network_id AND e.member_id = m.id AND n.sso_enabled = TRUE AND e.authentication_expiry_time IS NOT NULL "
" ORDER BY e.authentication_expiry_time DESC LIMIT 1) AS authentication_expiry_time, "
" ARRAY(SELECT DISTINCT address FROM ztc_member_ip_assignment WHERE member_id = m.id AND network_id = m.network_id) AS assigned_addresses "
"FROM ztc_member m "
"INNER JOIN ztc_network n "
" ON n.id = m.network_id "
"WHERE n.controller_id = $1 AND m.deleted = false", _myAddressStr);
"WHERE n.controller_id = '%s' AND m.deleted = false", _myAddressStr.c_str());
auto c = _pool->borrow();
auto c2 = _pool->borrow();
pqxx::work w{*c->c};
auto stream = pqxx::stream_from::query(w, qbuf);
for (auto row = r.begin(); row != r.end(); row++) {
std::tuple<
std::string // memberId
, std::string // memberId
, std::optional<bool> // activeBridge
, std::optional<bool> // authorized
, std::optional<std::string> // capabilities
, std::optional<uint64_t> // creationTime
, std::optional<std::string> // identity
, std::optional<uint64_t> // lastAuthorizedTime
, std::optional<uint64_t> // lastDeauthorizedTime
, std::optional<int> // remoteTraceLevel
, std::optional<std::string> // remoteTraceTarget
, std::optional<std::string> // tags
, std::optional<int> // vMajor
, std::optional<int> // vMinor
, std::optional<int> // vRev
, std::optional<int> // vProto
, std::optional<bool> // noAutoAssignIps
, std::optional<uint64_t> // revision
, std::optional<bool> // ssoExempt
, std::optional<uint64_t> // authenticationExpiryTime
, std::string // assignedAddresses
> row;
uint64_t count = 0;
auto tmp = std::chrono::high_resolution_clock::now();
uint64_t total = 0;
while (stream >> row) {
auto start = std::chrono::high_resolution_clock::now();
json empty;
json config;
memberId = "";
networkId = "";
initMember(config);
if (row[0].is_null()) {
fprintf(stderr, "Null memberID?!?\n");
continue;
}
if (row[1].is_null()) {
fprintf(stderr, "Null NetworkID?!?\n");
}
memberId = row[0].as<std::string>();
networkId = row[1].as<std::string>();
memberId = std::get<0>(row);
networkId = std::get<1>(row);
std::optional<bool> activeBridge = std::get<2>(row);
std::optional<bool> authorized = std::get<3>(row);
std::optional<std::string> capabilities = std::get<4>(row);
std::optional<uint64_t> creationTime = std::get<5>(row);
std::optional<std::string> identity = std::get<6>(row);
std::optional<uint64_t> lastAuthorizedTime = std::get<7>(row);
std::optional<uint64_t> lastDeauthorizedTime = std::get<8>(row);
std::optional<int> remoteTraceLevel = std::get<9>(row);
std::optional<std::string> remoteTraceTarget = std::get<10>(row);
std::optional<std::string> tags = std::get<11>(row);
std::optional<int> vMajor = std::get<12>(row);
std::optional<int> vMinor = std::get<13>(row);
std::optional<int> vRev = std::get<14>(row);
std::optional<int> vProto = std::get<15>(row);
std::optional<bool> noAutoAssignIps = std::get<16>(row);
std::optional<uint64_t> revision = std::get<17>(row);
std::optional<bool> ssoExempt = std::get<18>(row);
std::optional<uint64_t> authenticationExpiryTime = std::get<19>(row);
std::string assignedAddresses = std::get<20>(row);
config["id"] = memberId;
config["nwid"] = networkId;
config["activeBridge"] = row[2].as<bool>();
config["authorized"] = row[3].as<bool>();
if (row[4].is_null()) {
config["capabilities"] = json::array();
} else {
try {
config["capabilities"] = json::parse(row[4].as<std::string>());
} catch (std::exception &e) {
config["capabilities"] = json::array();
}
}
config["creationTime"] = row[5].as<uint64_t>();
config["identity"] = row[6].as<std::string>();
if (!row[7].is_null()) {
config["lastAuthorizedTime"] = row[7].as<uint64_t>();
} else {
config["lastAuthorizedTime"] = 0ULL;
//fprintf(stderr, "Error updating last auth time (member): %s\n", PQgetvalue(res, i, 7));
}
if (!row[8].is_null()) {
config["lastDeauthorizedTime"] = row[8].as<uint64_t>();
} else {
config["lastDeauthorizedTime"] = 0ULL;
//fprintf(stderr, "Error updating last deauth time (member): %s\n", PQgetvalue(res, i, 8));
}
if (!row[9].is_null()) {
config["remoteTraceLevel"] = row[9].as<int>();
} else {
config["remoteTraceLevel"] = 0;
}
if (!row[10].is_null()) {
config["remoteTraceTarget"] = row[10].as<std::string>();
} else {
config["remoteTraceTarget"] = "";
}
if (row[11].is_null()) {
config["tags"] = json::array();
} else {
try {
config["tags"] = json::parse(row[11].as<std::string>());
} catch (std::exception &e) {
config["tags"] = json::array();
}
}
if (!row[12].is_null()) {
config["vMajor"] = row[12].as<int>();
} else {
config["vMajor"] = -1;
}
if (!row[13].is_null()) {
config["vMinor"] = row[13].as<int>();
} else {
config["vMinor"] = -1;
}
if (!row[14].is_null()) {
config["vRev"] = row[14].as<int>();
} else {
config["vRev"] = -1;
}
if (!row[15].is_null()) {
config["vProto"] = row[15].as<int>();
} else {
config["vProto"] = -1;
}
config["noAutoAssignIps"] = row[16].as<bool>();
if (!row[17].is_null()) {
config["revision"] = row[17].as<uint64_t>();
} else {
config["revision"] = 0ULL;
}
config["ssoExempt"] = row[18].as<bool>();
config["authenticationExpiryTime"] = 0LL;
pqxx::result authRes = w.exec_params(
"SELECT (EXTRACT(EPOCH FROM e.authentication_expiry_time)*1000)::bigint "
"FROM ztc_sso_expiry e "
"INNER JOIN ztc_network n "
" ON n.id = e.network_id "
"WHERE e.network_id = $1 AND e.member_id = $2 AND n.sso_enabled = TRUE AND e.authentication_expiry_time IS NOT NULL "
"ORDER BY e.authentication_expiry_time DESC LIMIT 1", networkId, memberId);
if (authRes.size() == 1 && !authRes.at(0)[0].is_null()) {
// there is an expiry time record
config["authenticationExpiryTime"] = authRes.at(0)[0].as<int64_t>();
} else {
config["authenticationExpiryTime"] = 0;
}
config["activeBridge"] = activeBridge.value_or(false);
config["authorized"] = authorized.value_or(false);
config["capabilities"] = json::parse(capabilities.value_or("[]"));
config["creationTime"] = creationTime.value_or(0);
config["identity"] = identity.value_or("");
config["lastAuthorizedTime"] = lastAuthorizedTime.value_or(0);
config["lastDeauthorizedTime"] = lastDeauthorizedTime.value_or(0);
config["remoteTraceLevel"] = remoteTraceLevel.value_or(0);
config["remoteTraceTarget"] = remoteTraceTarget.value_or("");
config["tags"] = json::parse(tags.value_or("[]"));
config["vMajor"] = vMajor.value_or(-1);
config["vMinor"] = vMinor.value_or(-1);
config["vRev"] = vRev.value_or(-1);
config["vProto"] = vProto.value_or(-1);
config["noAutoAssignIps"] = noAutoAssignIps.value_or(false);
config["revision"] = revision.value_or(0);
config["ssoExempt"] = ssoExempt.value_or(false);
config["authenticationExpiryTime"] = authenticationExpiryTime.value_or(0);
config["objtype"] = "member";
config["ipAssignments"] = json::array();
pqxx::result r2 = w.exec_params("SELECT DISTINCT address "
"FROM ztc_member_ip_assignment "
"WHERE member_id = $1 AND network_id = $2", memberId, networkId);
for (auto row2 = r2.begin(); row2 != r2.end(); row2++) {
std::string ipaddr = row2[0].as<std::string>();
std::size_t pos = ipaddr.find('/');
if (pos != std::string::npos) {
ipaddr = ipaddr.substr(0, pos);
if (assignedAddresses != "{}") {
std::string tmp = assignedAddresses.substr(1, assignedAddresses.size()-2);
std::vector<std::string> addrs = split(tmp, ',');
for (auto it = addrs.begin(); it != addrs.end(); ++it) {
config["ipAssignments"].push_back(*it);
}
config["ipAssignments"].push_back(ipaddr);
}
_memberChanged(empty, config, false);
memberId = "";
networkId = "";
auto end = std::chrono::high_resolution_clock::now();
auto dur = std::chrono::duration_cast<std::chrono::microseconds>(end - start);;
total += dur.count();
++count;
if (count % 10000 == 0) {
fprintf(stderr, "Averaging %llu us per member\n", (total/count));
}
}
fprintf(stderr, "Took %llu us per member to load\n", (total/count));
stream.complete();
w.commit();
_pool->unborrow(c2);
_pool->unborrow(c);
if (++this->_ready == 2) {
@ -995,7 +1013,7 @@ void PostgreSQL::commitThread()
fprintf(stderr, "commitThread start\n");
std::pair<nlohmann::json,bool> qitem;
while(_commitQueue.get(qitem)&(_run == 1)) {
fprintf(stderr, "commitThread tick\n");
//fprintf(stderr, "commitThread tick\n");
if (!qitem.first.is_object()) {
fprintf(stderr, "not an object\n");
continue;
@ -1005,7 +1023,7 @@ void PostgreSQL::commitThread()
nlohmann::json *config = &(qitem.first);
const std::string objtype = (*config)["objtype"];
if (objtype == "member") {
fprintf(stderr, "commitThread: member\n");
//fprintf(stderr, "commitThread: member\n");
try {
auto c = _pool->borrow();
pqxx::work w(*c->c);
@ -1098,7 +1116,7 @@ void PostgreSQL::commitThread()
}
} else if (objtype == "network") {
try {
fprintf(stderr, "commitThread: network\n");
//fprintf(stderr, "commitThread: network\n");
auto c = _pool->borrow();
pqxx::work w(*c->c);
@ -1237,7 +1255,7 @@ void PostgreSQL::commitThread()
fprintf(stderr, "ERROR: Error updating network: %s\n", e.what());
}
} else if (objtype == "_delete_network") {
fprintf(stderr, "commitThread: delete network\n");
//fprintf(stderr, "commitThread: delete network\n");
try {
auto c = _pool->borrow();
pqxx::work w(*c->c);
@ -1254,7 +1272,7 @@ void PostgreSQL::commitThread()
}
} else if (objtype == "_delete_member") {
fprintf(stderr, "commitThread: delete member\n");
//fprintf(stderr, "commitThread: delete member\n");
try {
auto c = _pool->borrow();
pqxx::work w(*c->c);
@ -1314,7 +1332,7 @@ void PostgreSQL::onlineNotification_Postgres()
// using pqxx::stream_to would be a really nice alternative here, but
// unfortunately it doesn't support upserts.
fprintf(stderr, "online notification tick\n");
// fprintf(stderr, "online notification tick\n");
std::stringstream memberUpdate;
memberUpdate << "INSERT INTO ztc_member_status (network_id, member_id, address, last_updated) VALUES ";
bool firstRun = true;
@ -1372,11 +1390,11 @@ void PostgreSQL::onlineNotification_Postgres()
memberUpdate << " ON CONFLICT (network_id, member_id) DO UPDATE SET address = EXCLUDED.address, last_updated = EXCLUDED.last_updated;";
if (memberAdded) {
fprintf(stderr, "%s\n", memberUpdate.str().c_str());
//fprintf(stderr, "%s\n", memberUpdate.str().c_str());
pqxx::result res = w.exec0(memberUpdate.str());
w.commit();
}
fprintf(stderr, "Updated online status of %d members\n", updateCount);
// fprintf(stderr, "Updated online status of %d members\n", updateCount);
_pool->unborrow(c);
} catch (std::exception &e) {
fprintf(stderr, "%s: error in onlinenotification thread: %s\n", _myAddressStr.c_str(), e.what());

31
ext/central-controller-docker/Dockerfile
View File

@ -1,37 +1,10 @@
# Dockerfile for ZeroTier Central Controllers
FROM centos:8 as builder
FROM registry.zerotier.com/zerotier/controller-builder:latest as builder
MAINTAINER Adam Ierymekno <adam.ierymenko@zerotier.com>, Grant Limberg <grant.limberg@zerotier.com>
ARG git_branch=master
RUN yum update -y
RUN yum install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm
RUN dnf -qy module disable postgresql
RUN yum -y install epel-release && yum -y update && yum clean all
RUN yum groupinstall -y "Development Tools"
RUN yum install -y bash cmake postgresql10 postgresql10-devel clang jemalloc jemalloc-devel
RUN curl -sL https://github.com/jtv/libpqxx/archive/refs/tags/6.4.5.tar.gz -o libpqxx.tar.gz
RUN tar -xzf libpqxx.tar.gz && \
pushd libpqxx-6.4.5/ && \
mkdir build && pushd build/ && \
cmake .. && \
make install -j8 && \
popd && popd
# RUN git clone http://git.int.zerotier.com/zerotier/ZeroTierOne.git
# RUN if [ "$git_branch" != "master" ]; then cd ZeroTierOne && git checkout -b $git_branch origin/$git_branch; fi
ADD . /ZeroTierOne
RUN cd ZeroTierOne && make clean && make central-controller -j8
FROM centos:8
RUN yum install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm
RUN dnf -qy module disable postgresql
RUN yum -y install epel-release && yum -y update && yum clean all
RUN yum install -y jemalloc jemalloc-devel postgresql10
COPY --from=builder /usr/local/lib64/libpqxx.so /usr/local/lib64/libpqxx.so
COPY --from=builder /usr/local/lib64/libpqxx.a /usr/local/lib64/libpqxx.a
FROM registry.zerotier.com/zerotier/controller-run:latest
COPY --from=builder /ZeroTierOne/zerotier-one /usr/local/bin/zerotier-one
RUN chmod a+x /usr/local/bin/zerotier-one
RUN echo "/usr/local/lib64" > /etc/ld.so.conf.d/usr-local-lib64.conf && ldconfig

12
ext/central-controller-docker/Dockerfile.builder Normal file
View File

@ -0,0 +1,12 @@
# Dockerfile for building ZeroTier Central Controllers
FROM centos:8 as builder
MAINTAINER Adam Ierymekno <adam.ierymenko@zerotier.com>, Grant Limberg <grant.limberg@zerotier.com>
ARG git_branch=master
RUN yum update -y
RUN yum install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm
RUN dnf -qy module disable postgresql
RUN yum -y install epel-release && yum -y update && yum clean all
RUN yum groupinstall -y "Development Tools" && yum clean all
RUN yum install -y bash cmake postgresql10 postgresql10-devel clang jemalloc jemalloc-devel libpqxx libpqxx-devel && yum clean all

5
ext/central-controller-docker/Dockerfile.run_base Normal file
View File

@ -0,0 +1,5 @@
FROM centos:8
RUN yum install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm
RUN dnf -qy module disable postgresql
RUN yum -y install epel-release && yum -y update && yum clean all
RUN yum install -y jemalloc jemalloc-devel postgresql10 libpqxx && yum clean all

2
ext/installfiles/mac/ZeroTier One.pkgproj
View File

@ -701,7 +701,7 @@
<key>USE_HFS+_COMPRESSION</key>
<false/>
<key>VERSION</key>
<string>1.7.0</string>
<string>1.7.1</string>
</dict>
<key>TYPE</key>
<integer>0</integer>

1
make-linux.mk
View File

@ -266,6 +266,7 @@ ifeq ($(ZT_OFFICIAL),1)
endif
ifeq ($(ZT_CONTROLLER),1)
override CXXFLAGS+=-Wall -Wno-deprecated -std=c++17 -pthread $(INCLUDES) -DNDEBUG $(DEFS)
override LDLIBS+=-L/usr/pgsql-10/lib/ -lpqxx -lpq ext/hiredis-0.14.1/lib/centos8/libhiredis.a ext/redis-plus-plus-1.1.1/install/centos8/lib/libredis++.a
override DEFS+=-DZT_CONTROLLER_USE_LIBPQ
override INCLUDES+=-I/usr/pgsql-10/include -Iext/hiredis-0.14.1/include/ -Iext/redis-plus-plus-1.1.1/install/centos8/include/sw/

25
make-mac.mk
View File

@ -26,13 +26,6 @@ DEFS+=-DZT_BUILD_PLATFORM=$(ZT_BUILD_PLATFORM) -DZT_BUILD_ARCHITECTURE=$(ZT_BUIL
include objects.mk
ONE_OBJS+=osdep/MacEthernetTap.o osdep/MacKextEthernetTap.o osdep/MacDNSHelper.o ext/http-parser/http_parser.o
ifeq ($(ZT_CONTROLLER),1)
LIBS+=-L/usr/local/opt/libpqxx@6/lib -L/usr/local/opt/libpq/lib -L/usr/local/opt/openssl/lib/ -lpqxx -lpq -lssl -lcrypto -lgssapi_krb5 ext/redis-plus-plus-1.1.1/install/macos/lib/libredis++.a ext/hiredis-0.14.1/lib/macos/libhiredis.a
DEFS+=-DZT_CONTROLLER_USE_LIBPQ -DZT_CONTROLLER_USE_REDIS -DZT_CONTROLLER
INCLUDES+=-I/usr/local/opt/libpq/include -I/usr/local/opt/libpqxx@6/include -Iext/hiredis-0.14.1/include/ -Iext/redis-plus-plus-1.1.1/install/macos/include/sw/
endif
LIBS+=-framework CoreServices -framework SystemConfiguration -framework CoreFoundation
# Official releases are signed with our Apple cert and apply software updates by default
@ -52,10 +45,20 @@ endif
# Use fast ASM Salsa20/12 for x64 processors
DEFS+=-DZT_USE_X64_ASM_SALSA2012
CORE_OBJS+=ext/x64-salsa2012-asm/salsa2012.o
CXXFLAGS=$(CFLAGS) -std=c++11 -stdlib=libc++
# Build miniupnpc and nat-pmp as included libraries -- extra defs are required for these sources
DEFS+=-DMACOSX -DZT_USE_MINIUPNPC -DMINIUPNP_STATICLIB -D_DARWIN_C_SOURCE -DMINIUPNPC_SET_SOCKET_TIMEOUT -DMINIUPNPC_GET_SRC_ADDR -D_BSD_SOURCE -D_DEFAULT_SOURCE -DOS_STRING=\"Darwin/15.0.0\" -DMINIUPNPC_VERSION_STRING=\"2.0\" -DUPNP_VERSION_STRING=\"UPnP/1.1\" -DENABLE_STRNATPMPERR
ONE_OBJS+=ext/libnatpmp/natpmp.o ext/libnatpmp/getgateway.o ext/miniupnpc/connecthostport.o ext/miniupnpc/igd_desc_parse.o ext/miniupnpc/minisoap.o ext/miniupnpc/minissdpc.o ext/miniupnpc/miniupnpc.o ext/miniupnpc/miniwget.o ext/miniupnpc/minixml.o ext/miniupnpc/portlistingparse.o ext/miniupnpc/receivedata.o ext/miniupnpc/upnpcommands.o ext/miniupnpc/upnpdev.o ext/miniupnpc/upnperrors.o ext/miniupnpc/upnpreplyparse.o osdep/PortMapper.o
ifeq ($(ZT_CONTROLLER),1)
MACOS_VERSION_MIN=10.15
override CXXFLAGS=$(CFLAGS) -std=c++17 -stdlib=libc++
LIBS+=-L/usr/local/opt/libpqxx/lib -L/usr/local/opt/libpq/lib -L/usr/local/opt/openssl/lib/ -lpqxx -lpq -lssl -lcrypto -lgssapi_krb5 ext/redis-plus-plus-1.1.1/install/macos/lib/libredis++.a ext/hiredis-0.14.1/lib/macos/libhiredis.a
DEFS+=-DZT_CONTROLLER_USE_LIBPQ -DZT_CONTROLLER_USE_REDIS -DZT_CONTROLLER
INCLUDES+=-I/usr/local/opt/libpq/include -I/usr/local/opt/libpqxx/include -Iext/hiredis-0.14.1/include/ -Iext/redis-plus-plus-1.1.1/install/macos/include/sw/
else
MACOS_VERSION_MIN=10.13
endif
# Build with address sanitization library for advanced debugging (clang)
ifeq ($(ZT_SANITIZE),1)
@ -75,7 +78,7 @@ ifeq ($(ZT_DEBUG),1)
node/Salsa20.o node/SHA512.o node/C25519.o node/Poly1305.o: CFLAGS = -Wall -O2 -g $(INCLUDES) $(DEFS)
else
CFLAGS?=-Ofast -fstack-protector-strong
CFLAGS+=$(ARCH_FLAGS) -Wall -flto -fPIE -mmacosx-version-min=10.7 -DNDEBUG -Wno-unused-private-field $(INCLUDES) $(DEFS)
CFLAGS+=$(ARCH_FLAGS) -Wall -flto -fPIE -mmacosx-version-min=$(MACOS_VERSION_MIN) -DNDEBUG -Wno-unused-private-field $(INCLUDES) $(DEFS)
STRIP=strip
endif
@ -88,15 +91,13 @@ ifeq ($(ZT_VAULT_SUPPORT),1)
LIBS+=-lcurl
endif
CXXFLAGS=$(CFLAGS) -std=c++11 -stdlib=libc++
all: one
ext/x64-salsa2012-asm/salsa2012.o:
as -arch x86_64 -mmacosx-version-min=10.7 -o ext/x64-salsa2012-asm/salsa2012.o ext/x64-salsa2012-asm/salsa2012.s
as -arch x86_64 -mmacosx-version-min=$(MACOS_VERSION_MIN) -o ext/x64-salsa2012-asm/salsa2012.o ext/x64-salsa2012-asm/salsa2012.s
mac-agent: FORCE
$(CC) -Ofast $(ARCH_FLAGS) -mmacosx-version-min=10.7 -o MacEthernetTapAgent osdep/MacEthernetTapAgent.c
$(CC) -Ofast $(ARCH_FLAGS) -mmacosx-version-min=$(MACOS_VERSION_MIN) -o MacEthernetTapAgent osdep/MacEthernetTapAgent.c
$(CODESIGN) -f --options=runtime -s $(CODESIGN_APP_CERT) MacEthernetTapAgent
osdep/MacDNSHelper.o: osdep/MacDNSHelper.mm

2
version.h
View File

@ -27,7 +27,7 @@
/**
* Revision
*/
#define ZEROTIER_ONE_VERSION_REVISION 0
#define ZEROTIER_ONE_VERSION_REVISION 1
/**
* Build version