defguard
Page crash after attempt to generate config/QR for user with no permission
**Describe the bug**
Page crash after attempt to generate config/QR for user with no permission for that network.
**To Reproduce**
Steps to reproduce the behavior:
- Go to location settings
- Assign a group that some user, eg 'User1', doesn't belong to, eg 'Admin'
- Make sure that 'User1' is not in group 'Admin'
- Log in as 'User1'
- Attempt to add device
- Form should crash at the end due to some JS issues
**Expected behavior**
User should be redirected to some kind of 403 page.
**Version information**
- Defguard Core version: latest
- Operating system and version running the gateway: Centos, Linux 6.1.6-1.el8.elrepo.x86_64, k8s
@almulalic could you share any details about the configuration so we could replicate/try to find what's wrong? If you don't want to post them here publicly you can email us at: [email protected]. We need:
- name of the VPN
- name of the device
- first, last name & username of the user for which the device was configured
- VPN server IP
- port
- VPN network address
Also can you go to the "core" logs and post them?
Based on that we will replicate and have the ability to fix.
Sure, I can publish it here. I managed to get a video for this which I sent to support email. Most of the questions are answered in the video, however I can't share the IP and port.
However I could share my deployment info:

deployment.yaml
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: defguard
  namespace: infra
spec:
  replicas: 1
  selector:
    matchLabels:
      app: defguard
  template:
    metadata:
      labels:
        app: defguard
    spec:
      containers:
        - name: core
          image: ghcr.io/defguard/defguard:sha-db61513
          envFrom:
            - secretRef:
                name: defguard-secret
          ports:
            - containerPort: 8000
              protocol: TCP
            - containerPort: 50055
              protocol: TCP
          volumeMounts:
            - name: ssl-certs
              mountPath: /ssl
        - name: proxy
          image: ghcr.io/defguard/defguard-proxy:latest
          envFrom:
            - secretRef:
                name: defguard-secret
          ports:
            - containerPort: 8080
              protocol: TCP
            - containerPort: 50052
              protocol: TCP
          volumeMounts:
            - name: ssl-certs
              mountPath: /ssl
      volumes:
        - name: ssl-certs
          hostPath:
            path: /opt/defguard/ssl
---
apiVersion: v1
kind: Service
metadata:
  name: defguard-tcp
  namespace: infra
spec:
  selector:
    app: defguard
  ports:
    - name: defguard-grpc
      protocol: TCP
      port: 50055
      targetPort: 50055
    - name: defguard-proxy
      protocol: TCP
      port: 50052
      targetPort: 50052
    - name: defguard-main-ui
      protocol: TCP
      port: 8000
      targetPort: 8000
    - name: defguard-enroll-ui
      protocol: TCP
      port: 8080
      targetPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: defguard-udp
  namespace: infra
spec:
  externalTrafficPolicy: Local
  type: NodePort
  selector:
    app: defguard
  ports:
    - protocol: UDP
      port: 50051
      targetPort: 50051
      name: wireguard-def
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: defguard-grpc
  namespace: infra
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`grpc.defguard.X.cloud`)
      kind: Rule
      services:
        - name: defguard-tcp
          port: 50055
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: defguard-main-ui
  namespace: infra
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`defguard.X.cloud`)
      kind: Rule
      services:
        - name: defguard-tcp
          port: 8000
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: defguard-proxy
  namespace: infra
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`proxy.defguard.X.cloud`)
      kind: Rule
      services:
        - name: defguard-tcp
          port: 50052
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: defguard-enroll-ui
  namespace: infra
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`enroll.defguard.X.cloud`)
      kind: Rule
      services:
        - name: defguard-tcp
          port: 8080
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteUDP
metadata:
  name: defguard-wireguard
  namespace: infra
spec:
  entryPoints:
    - wireguard-def
  routes:
    - services:
        - name: wireguard-defguard
          port: 50051
          weight: 9
          nativeLB: true
```
gateway
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: defguard-homeserver-gateway
  namespace: infra
spec:
  replicas: 1
  selector:
    matchLabels:
      app: defguard-homeserver-gateway
  template:
    metadata:
      labels:
        app: defguard-homeserver-gateway
    spec:
      containers:
        - name: gateway
          image: ghcr.io/defguard/gateway:latest
          securityContext:
            capabilities:
              add:
                - NET_ADMIN
          ports:
            - containerPort: 50051
              protocol: UDP
          envFrom:
            - secretRef:
                name: defguard-homeserver-gateway-secret
          volumeMounts:
            - name: ssl-certs
              mountPath: /ssl
      dnsPolicy: "None"
      dnsConfig:
        nameservers:
          - 192.168.98.6
          - 8.8.8.8
      volumes:
        - name: ssl-certs
          hostPath:
            path: /opt/defguard/ssl
---
apiVersion: v1
kind: Service
metadata:
  name: defguard-homeserver-gateway
  namespace: infra
spec:
  externalTrafficPolicy: Local
  type: NodePort
  selector:
    app: defguard-homeserver-gateway
  ports:
    - protocol: UDP
      port: 50051
      targetPort: 50051
      name: wireguard-def
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteUDP
metadata:
  name: defguard-homeserver-gateway
  namespace: infra
spec:
  entryPoints:
    - wireguard-def
  routes:
    - services:
        - name: defguard-homeserver-gateway
          port: 50051
          weight: 9
          nativeLB: true
```
.env
```dotenv
# Database
DEFGUARD_DB_HOST=postgresql.data.svc.cluster.local
DEFGUARD_DB_PORT=5432
DEFGUARD_DB_USER=defguard
DEFGUARD_DB_PASSWORD=X
DEFGUARD_DB_NAME=defguard
# Core
DEFGUARD_LOG_LEVEL=DEBUG
DEFGUARD_AUTH_SECRET=X
DEFGUARD_YUBIBRIDGE_SECRET=X
DEFGUARD_GATEWAY_SECRET=X
DEFGUARD_SECRET_KEY=X
DEFGUARD_URL=https://defguard.X.cloud
DEFGUARD_WEBAUTHN_RP_ID=defguard.X.cloud
DEFGUARD_COOKIE_INSECURE=false
DEFGUARD_ENROLLMENT_URL=https://enroll.defguard.X.cloud
DEFGUARD_PROXY_URL=http://defguard-tcp.infra.svc.cluster.local:50052
DEFGUARD_DEFAULT_ADMIN_PASSWORD=X
# Proxy
DEFGUARD_PROXY_GRPC_PORT=50052
DEFGUARD_PROXY_HTTP_PORT=8080
```
gateway .env
```dotenv
DEFGUARD_GRPC_URL=http://defguard-tcp.infra.svc.cluster.local:50055
DEFGUARD_STATS_PERIOD=30
DEFGUARD_TOKEN=X
POSTUP=iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
POSTDOWN=iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE
```
@almulalic from what I see you are not using official release images (sha-xxx). That may be the case.
Can you use the 0.9.0 image tag (latest release)?
Tried to migrate but got some SQL migration errors which are fine for now as I used this cluster for testing. I created a fresh new database with the :latest tag on core and the same issue still persists.
- Create a network
- Assign it to admin group
- Create a new user that doesn't have admin group
- Log in as the user, go to add device and go through the wizard
- Wizard will crash after the key setup
- (Optional) go back to his profile, same behaviour is present on "Show configuration" option
- Go back to admin account
- Add admin group to user
- Go back to user
- Show configuration should work now and the wizard for adding new devices should complete
Also the behaviour should be present when you visit https://domain.com/add-device and refresh the page.
The code is minified so I didn't get much info from digging through references in console, but the error is the same.
Also, I tested out the scenario where there are 2 locations one is admin only and the other one is public so it seems that as long as there is one location that user has access to everything works.
My best guess would be that QR code generation is done under the assumption that there is at least one network/location, and then when 0 networks are returned it tries to find property networkId on nothing.
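The failure mode the comment above guesses at, as an added illustration that is not defguard's code: a config/QR step that indexes `networks[0]` on an empty list throws a `TypeError`, while a guarded version reports "no permitted network" as a 403-style result the wizard can route to a forbidden page instead of crashing. The user names, network records, route paths and config text are constructed sample data; `fetchUserNetworks`, `buildDeviceConfigUnguarded`, `buildDeviceConfigGuarded` and `nextWizardRoute` are hypothetical names.

```javascript
// Added illustration (not defguard's code) of the failure mode described in the
// issue: a device-config/QR step that assumes the caller has at least one network.
// The users, network records, routes and config text below are constructed.

const NETWORKS_BY_USER = {
  // alice is in a group that the location is assigned to
  alice: [{ id: 7, name: "office", address: "10.8.0.0/24" }],
  // bob is not, so the backend returns no networks for him
  bob: [],
};

// Constructed stand-in for "fetch the networks this user may use".
function fetchUserNetworks(username) {
  return NETWORKS_BY_USER[username] ?? [];
}

// Placeholder config text; a real WireGuard config would be assembled elsewhere.
function renderConfig(network) {
  return `[Interface]\n# device config for network ${network.id} (${network.name})\n`;
}

// Unguarded version: networks[0] on an empty array is undefined, and reading
// .id from undefined throws a TypeError. This is the shape of crash the
// reporter saw once the user had no location they were allowed to use.
function buildDeviceConfigUnguarded(username) {
  const networks = fetchUserNetworks(username);
  const networkId = networks[0].id; // throws when networks is empty
  return { status: 200, networkId, config: renderConfig(networks[0]) };
}

// Guarded version: an empty list is an authorization outcome, not an
// invariant violation, so it becomes a 403-style result the UI can route on
// rather than an exception that takes the wizard down.
function buildDeviceConfigGuarded(username) {
  const networks = fetchUserNetworks(username);
  if (networks.length === 0) {
    return { status: 403, error: "no network available for this user" };
  }
  const network = networks[0];
  return { status: 200, networkId: network.id, config: renderConfig(network) };
}

// What the wizard does with each outcome: show the config/QR step on 200,
// send the user to a forbidden page on 403, and never throw.
function nextWizardRoute(result) {
  switch (result.status) {
    case 200: return "/add-device/config";
    case 403: return "/forbidden";
    default:  return "/error";
  }
}

// Reproduces the crash without taking the process down, so both behaviours
// can be compared side by side.
function unguardedCrashes(username) {
  try {
    buildDeviceConfigUnguarded(username);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

for (const user of ["alice", "bob"]) {
  console.log(user, "unguarded crashes:", unguardedCrashes(user));
  console.log(user, "guarded route:", nextWizardRoute(buildDeviceConfigGuarded(user)));
}
```

The point of the guard is where the check sits: the "no networks" case is decided before anything dereferences the first element, so the same code path serves a user with zero, one or many permitted locations, and the 403 is a value the router handles rather than an exception the minified bundle swallows.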
@j-chmielewski I've replicated this on our DEV:
- New account (not admin)
- Logged in to this account
- Added a new device
- Named the device -> NEXT
ERROR IN CONSOLE: