Merge branch 'unstable'

.circleci/config.yml

@@ -53,6 +53,24 @@ jobs:
           command: |
             curl -s -L "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country&license_key=$MAX_TOKEN&suffix=tar.gz" -o GeoLite2-Country.tar.gz
             tar -xzf GeoLite2-Country.tar.gz --strip-components 1 --wildcards "*.mmdb"
+      
+      - run:
+          name: Download and Extract ARM Nebula Binary
+          command: |
+            curl -LO https://github.com/slackhq/nebula/releases/download/v1.7.2/nebula-linux-arm64.tar.gz
+            tar -xzvf nebula-linux-arm64.tar.gz
+      
+      - run:
+          name: Rename ARM Nebula Binary
+          command: |
+            mv nebula nebula-arm
+            mv nebula-cert nebula-cert-arm
+      
+      - run:
+          name: Download and Extract Nebula Binary
+          command: |
+            curl -LO https://github.com/slackhq/nebula/releases/download/v1.7.2/nebula-linux-amd64.tar.gz
+            tar -xzvf nebula-linux-amd64.tar.gz
 
       - run:
           name: Build UI

.gitignore

@@ -12,4 +12,10 @@ todo.txt
 LICENCE
 tokens.json
 .vscode
-GeoLite2-Country.mmdb
+GeoLite2-Country.mmdb
+dns-blacklist.txt
+zz_test_config
+nebula-arm
+nebula-arm-cert
+nebula
+nebula-cert

LICENCE

@@ -1,31 +1,57 @@
-“Commons Clause” License Condition v1.0
+Software: Cosmos-Server
 
-The Software is provided to you by the Licensor under the
-License, as defined below, subject to the following condition.
+License: Apache 2.0 with Commons Clause and Anti Tampering Clause
 
-Without limiting other conditions in the License, the grant
-of rights under the License will not include, and the License
-does not grant to you, the right to Sell the Software.
+Licensor: Yann Stepienik
 
-For purposes of the foregoing, “Sell” means practicing any or
-all of the rights granted to you under the License to provide
-to third parties, for a fee or other consideration (including
-without limitation fees for hosting or consulting/ support
-services related to the Software), a product or service whose
-value derives, entirely or substantially, from the functionality
-of the Software. Any license notice or attribution required by
-the License must also include this Commons Clause License
-Condition notice.
+---------------------------------------------------------------------
 
-Software: Cosmos-Server
+      “Commons Clause” License Condition v1.0
 
-License: Apache 2.0 with Commons Clause
+      The Software is provided to you by the Licensor under the
+      License, as defined below, subject to the following condition.
 
-Licensor: Yann Stepienik
+      Without limiting other conditions in the License, the grant
+      of rights under the License will not include, and the License
+      does not grant to you, the right to Sell the Software.
 
+      For purposes of the foregoing, “Sell” means practicing any or
+      all of the rights granted to you under the License to provide
+      to third parties, for a fee or other consideration (including
+      without limitation fees for hosting or consulting/ support
+      services related to the Software), a product or service whose
+      value derives, entirely or substantially, from the functionality
+      of the Software. Any license notice or attribution required by
+      the License must also include this Commons Clause License
+      Condition notice.
 
 ---------------------------------------------------------------------
 
+      "Anti Tampering Clause” License Condition v1.0
+
+      Notwithstanding any provision of the Apache License 2.0, if the User
+      (or any party receiving or distributing derivative works, services,
+      or anything of value from the User related to the Software), directly 
+      or indirectly, seeks to tamper with, alter, circumvent, or avoid
+      compliance with any subscription, paywall, feature restriction, or any 
+      other licensing mechanism built into the Software or its usage, the 
+      License granted under the Apache License 2.0 shall automatically and
+      immediately terminate, and access to the Software shall be withdrawn 
+      with immediate effect. Upon such termination, any and all rights 
+      established under the Apache License 2.0 shall be null and void.
+
+      Tampering includes but is not limited to: (a) removing, disabling,
+      or circumventing any license key or other copy protection mechanism,
+      (b) redistributing parts or all of a feature that was intended
+      to be a paid feature, without keeping the restrictions, limitations,
+      or other licensing mechanisms with it(c) disabling, circumventing, or
+      avoiding any feature of the Software that is intended to enforce usage or
+      copy restrictions, or (d) providing or distributing any information
+      or code that enables disabling, circumvention, or avoidance of any
+      feature of the Software that is intended to enforce usage or copy
+      restrictions.
+
+---------------------------------------------------------------------
 
                                  Apache License
                            Version 2.0, January 2004

build.sh

@@ -18,6 +18,7 @@ echo " ---- Build complete, copy assets ----"
 
 cp -r static build/
 cp -r GeoLite2-Country.mmdb build/
+cp nebula-arm-cert nebula-cert nebula-arm nebula build/
 cp -r Logo.png build/
 mkdir build/images
 cp client/src/assets/images/icons/cosmos_gray.png build/cosmos_gray.png

changelog.md

@@ -1,3 +1,19 @@
+<<<<<<< HEAD
+## Version 0.9.20 - 0.9.21
+ - Add option to disable CORS hardening (with empty value)
+
+=======
+## Version 0.10.0
+ - Added Constellation
+ - DNS Challenge is now used for all certificates when enabled [breaking change]
+ - Rework headers for better compatibility
+ - Improve experience for non-admin users
+ - Fix bug with redirect on logout
+ - Added OverwriteHostHeader to routes to override the host header sent to the target app
+ - Added WhitelistInboundIPs to routes to  filter incoming requests based on IP per URL
+
+ > **Note: If you use the ARM (:latest-arm) you need to manually update to using the :latest tag instead**
+ 
 ## Version 0.9.20 - 0.9.21
  - Add option to disable CORS hardening (with empty value)
 

cla.md

@@ -2,7 +2,7 @@ Cosmos Software Grant and Contributor License Agreement (“Agreement”)
 
 This agreement is based on the Apache Software Foundation Contributor License Agreement. (v r190612)
 
-Thank you for your interest in software projects stewarded by Raintank, Inc. dba Cosmos (“Cosmos”). In order to clarify the intellectual property license granted with Contributions from any person or entity, Cosmos must have a Contributor License Agreement (CLA) on file that has been agreed to by each Contributor, indicating agreement to the license terms below. This license is for your protection as a Contributor as well as the protection of Cosmos and its users; it does not change your rights to use your own Contributions for any other purpose. This Agreement allows an individual to contribute to Cosmos on that individual’s own behalf, or an entity (the “Corporation”) to submit Contributions to Cosmos, to authorize Contributions submitted by its designated employees to Cosmos, and to grant copyright and patent licenses thereto.
+Thank you for your interest in  dba Cosmos (“Cosmos”). In order to clarify the intellectual property license granted with Contributions from any person or entity, Cosmos must have a Contributor License Agreement (CLA) on file that has been agreed to by each Contributor, indicating agreement to the license terms below. This license is for your protection as a Contributor as well as the protection of Cosmos and its users; it does not change your rights to use your own Contributions for any other purpose. This Agreement allows an individual to contribute to Cosmos on that individual’s own behalf, or an entity (the “Corporation”) to submit Contributions to Cosmos, to authorize Contributions submitted by its designated employees to Cosmos, and to grant copyright and patent licenses thereto.
 
 You accept and agree to the following terms and conditions for Your present and future Contributions submitted to Cosmos. Except for the license granted herein to Cosmos and recipients of software distributed by Cosmos, You reserve all right, title, and interest in and to Your Contributions.
 

client/src/api/constellation.demo.tsx

@@ -0,0 +1,131 @@
+import wrap from './wrap';
+
+function list() {
+  return new Promise((resolve, reject) => {
+    resolve({
+      "data": [
+        {
+          "nickname": "admin",
+          "deviceName": "phone",
+          "publicKey": "-----BEGIN NEBULA X25519 PRIVATE KEY-----\naACf/...=\n-----END NEBULA X25519 PRIVATE KEY-----\n",
+          "ip": "192.168.201.4/24",
+          "isLighthouse": false,
+          "isRelay": true,
+          "publicHostname": "",
+          "port": "4242",
+          "blocked": false,
+          "fingerprint": "..."
+        },
+        {
+          "nickname": "admin",
+          "deviceName": "laptop",
+          "publicKey": "-----BEGIN NEBULA X25519 PRIVATE KEY-----\n78l4nDEB0+.../36YBQk7dkwg+.=\n-----END NEBULA X25519 PRIVATE KEY-----\n",
+          "ip": "192.168.201.5/24",
+          "isLighthouse": false,
+          "isRelay": true,
+          "publicHostname": "",
+          "port": "4242",
+          "blocked": false,
+          "fingerprint": "..."
+        },
+        {
+          "nickname": "Martha",
+          "deviceName": "pink phone",
+          "publicKey": "-----BEGIN NEBULA X25519 PRIVATE KEY-----\naACf/..=\n-----END NEBULA X25519 PRIVATE KEY-----\n",
+          "ip": "192.168.201.6/24",
+          "isLighthouse": false,
+          "isRelay": true,
+          "publicHostname": "",
+          "port": "4242",
+          "blocked": false,
+          "fingerprint": "..."
+        }
+      ],
+      "status": "OK"
+    })
+  });
+}
+
+function addDevice(device) {
+  return new Promise((resolve, reject) => {
+    resolve({
+      "data": {
+        "CA": "-----BEGIN NEBULA CERTIFICATE-----\....\n+dfE+ikL8jUh/n+C+....\....\nZon/Dw==\n-----END NEBULA CERTIFICATE-----\n",
+        "Config": "constellation_api_key: ...\nconstellation_device_name: test\nconstellation_local_dns_overwrite: true\nconstellation_local_dns_overwrite_address: 192.168.201.1\nconstellation_public_hostname: \"\"\nfirewall:\n  conntrack:\n    default_timeout: 10m\n    tcp_timeout: 12m\n    udp_timeout: 3m\n  inbound:\n  - host: any\n    port: any\n    proto: any\n  inbound_action: drop\n  outbound:\n  - host: any\n    port: any\n    proto: any\n  outbound_action: drop\nlighthouse:\n  am_lighthouse: false\n  hosts:\n  - 192.168.201.1\n  interval: 60\nlisten:\n  host: 0.0.0.0\n  port: \"4242\"\nlogging:\n  format: text\n  level: info\npki:\n  blocklist: []\n  ca: |\n    -----BEGIN NEBULA CERTIFICATE-----\n    ...\n    +dfE+ikL8jUh/n+C+...\n    .\n    Zon/Dw==\n    -----END NEBULA CERTIFICATE-----\n  cert: |\n    -----BEGIN NEBULA CERTIFICATE-----\n    CmIKBHRlc3QSCoeSo4UMgP7//..\n    ...+QwZSiBxLdKhjkCH+.../..\n    ./hfL+....\n    ..==\n    -----END NEBULA CERTIFICATE-----\n  key: |\n    -----BEGIN NEBULA X25519 PRIVATE KEY-----\n    nS39dWX7uo1rhTvP2yl2XonGx3fWEkpk+43thNrMu7U=\n    -----END NEBULA X25519 PRIVATE KEY-----\npunchy:\n  punch: true\n  respond: true\nrelay:\n  am_relay: false\n  relays:\n  - 192.168.201.1\n  use_relays: true\nstatic_host_map:\n  192.168.201.1:\n  - vpn.domain.com:4242\ntun:\n  dev: nebula1\n  disabled: false\n  drop_local_broadcast: false\n  drop_multicast: false\n  mtu: 1300\n  routes: []\n  tx_queue: 500\n  unsafe_routes: []\n",
+        "DeviceName": "test",
+        "IP": "192.168.201.7/24",
+        "IsLighthouse": false,
+        "IsRelay": true,
+        "LighthousesList": [],
+        "Nickname": "admin",
+        "Port": "4242",
+        "PrivateKey": "-----BEGIN NEBULA CERTIFICATE-----\...//w8o3ZaFqQYwhdGFuAY6IGXmYRCr3z932Y....w\..==\n-----END NEBULA CERTIFICATE-----\n",
+        "PublicHostname": "",
+        "PublicKey": "-----BEGIN NEBULA X25519 PRIVATE KEY-----\nnS39dWX...hTvP......+43thNrMu7U=\n-----END NEBULA X25519 PRIVATE KEY-----\n"
+      },
+      "status": "OK"
+    })
+  });
+}
+
+function restart() {
+  return new Promise((resolve, reject) => {
+    resolve({
+      "status": "ok",
+    })
+  });
+}
+
+
+function reset() {
+  return new Promise((resolve, reject) => {
+    resolve({
+      "status": "ok",
+    })
+  });
+}
+
+function getConfig() {
+  return new Promise((resolve, reject) => {
+    resolve({
+      "data": "pki:\n  ca: /config/ca.crt\n  cert: /config/cosmos.crt\n  key: /config/cosmos.key\n  blocklist: []\nstatic_host_map:\n  192.168.201.1:\n  - vpn.domain.com:4242\nlighthouse:\n  am_lighthouse: true\n  interval: 60\n  hosts: []\nlisten:\n  host: 0.0.0.0\n  port: 4242\npunchy:\n  punch: true\n  respond: true\nrelay:\n  am_relay: true\n  use_relays: true\n  relays: []\ntun:\n  disabled: false\n  dev: nebula1\n  drop_local_broadcast: false\n  drop_multicast: false\n  tx_queue: 500\n  mtu: 1300\n  routes: []\n  unsafe_routes: []\nlogging:\n  level: info\n  format: text\nfirewall:\n  outbound_action: drop\n  inbound_action: drop\n  conntrack:\n    tcp_timeout: 12m\n    udp_timeout: 3m\n    default_timeout: 10m\n  outbound:\n  - port: any\n    proto: any\n    host: any\n  inbound:\n  - port: any\n    proto: any\n    host: any\n",
+      "status": "OK"
+    })
+  });
+}
+
+function getLogs() {
+  return new Promise((resolve, reject) => {
+    resolve({
+      "data": "Some logs...",
+      "status": "OK"
+    })
+  });
+}
+
+function connect(file) {
+  return new Promise((resolve, reject) => {
+    resolve({
+      "status": "ok",
+    })
+  });
+}
+
+function block(nickname, devicename, block) {
+  return new Promise((resolve, reject) => {
+    resolve({
+      "status": "ok",
+    })
+  });
+}
+
+export {
+  list,
+  addDevice,
+  restart,
+  getConfig,
+  getLogs,
+  reset,
+  connect,
+  block,
+};

client/src/api/constellation.tsx

@@ -0,0 +1,110 @@
+import wrap from './wrap';
+
+function list() {
+  return wrap(fetch('/cosmos/api/constellation/devices', {
+    method: 'GET',
+    headers: {
+        'Content-Type': 'application/json'
+    },
+  }))
+}
+
+function addDevice(device) {
+  return wrap(fetch('/cosmos/api/constellation/devices', {
+    method: 'POST',
+    headers: {
+        'Content-Type': 'application/json'
+    },
+    body: JSON.stringify(device),
+  }))
+}
+
+function restart() {
+  return wrap(fetch('/cosmos/api/constellation/restart', {
+    method: 'GET',
+    headers: {
+        'Content-Type': 'application/json'
+    }
+  }))
+}
+
+
+function reset() {
+  return wrap(fetch('/cosmos/api/constellation/reset', {
+    method: 'GET',
+    headers: {
+        'Content-Type': 'application/json'
+    }
+  }))
+}
+
+function getConfig() {
+  return wrap(fetch('/cosmos/api/constellation/config', {
+    method: 'GET',
+    headers: {
+        'Content-Type': 'application/json'
+    }
+  }))
+}
+
+function getLogs() {
+  return wrap(fetch('/cosmos/api/constellation/logs', {
+    method: 'GET',
+    headers: {
+        'Content-Type': 'application/json'
+    }
+  }))
+}
+
+function connect(file) {
+  return new Promise((resolve, reject) => {
+    const reader = new FileReader();
+
+    reader.onload = () => {
+      fetch('/cosmos/api/constellation/connect', {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'text/plain',
+        },
+        body: reader.result,
+      })
+      .then(response => {
+        // Add additional response handling here if needed.
+        resolve(response);
+      })
+      .catch(error => {
+        // Handle the error.
+        reject(error);
+      });
+    };
+
+    reader.onerror = () => {
+      reject(new Error('Failed to read the file.'));
+    };
+
+    reader.readAsText(file);
+  });
+}
+
+function block(nickname, devicename, block) {
+  return wrap(fetch(`/cosmos/api/constellation/block`, {
+    method: 'POST',
+    headers: {
+        'Content-Type': 'application/json'
+    },
+    body: JSON.stringify({
+      nickname, devicename, block
+    }),
+  }))
+}
+
+export {
+  list,
+  addDevice,
+  restart,
+  getConfig,
+  getLogs,
+  reset,
+  connect,
+  block,
+};