feat: add live traffic stats (#530)

.github/workflows/chart.yml

@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.event_name == 'pull_request' }}
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           fetch-depth: 0
 
@@ -35,7 +35,7 @@ jobs:
       # ct lint requires Python 3.x to run following packages:
       #  - yamale (https://github.com/23andMe/Yamale)
       #  - yamllint (https://github.com/adrienverge/yamllint)
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         with:
           python-version: '3.x'
 
@@ -60,7 +60,7 @@ jobs:
     permissions:
       packages: write
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:

.github/workflows/docker-publish.yml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out the repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0

.github/workflows/pages.yml

@@ -15,11 +15,11 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           fetch-depth: 0
 
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         with:
           python-version: 3.x
 

deploy/helm/templates/deployment.yaml

@@ -8,9 +8,6 @@ spec:
   {{- with .Values.revisionHistoryLimit }}
   revisionHistoryLimit: {{ . }}
   {{- end }}
-  {{- with .Values.replicas }}
-  replicas: {{ . }}
-  {{- end }}
   {{- with .Values.strategy }}
   strategy: {{- toYaml . | nindent 4 }}
   {{- end }}

deploy/helm/templates/ingress.yaml

@@ -15,7 +15,7 @@ spec:
       http:
         paths:
           - path: {{ default "/" (urlParse (tpl .Values.config.web.external_url .)).path }}
-            pathType: {{ default "ImplementationSpecific" .Values.ingress.pathType }}
+            pathType: {{ default "ImplementationSpecific" .pathType }}
             backend:
               service:
                 name: {{ include "wg-portal.fullname" . }}

deploy/helm/templates/statefulset.yaml

@@ -8,9 +8,6 @@ spec:
   {{- with .Values.revisionHistoryLimit }}
   revisionHistoryLimit: {{ . }}
   {{- end }}
-  {{- with .Values.replicas }}
-  replicas: {{ . }}
-  {{- end }}
   {{- with .Values.strategy }}
   updateStrategy: {{- toYaml . | nindent 4 }}
   {{- end }}

internal/app/api/v0/handlers/endpoint_authentication.go

@@ -6,6 +6,7 @@ import (
 	"net/http"
 	"net/url"
 	"strconv"
+	"strings"
 	"time"
 
 	"github.com/go-pkgz/routegroup"
@@ -448,17 +449,7 @@ func (e AuthEndpoint) handleLogoutPost() http.HandlerFunc {
 
 // isValidReturnUrl checks if the given return URL matches the configured external URL of the application.
 func (e AuthEndpoint) isValidReturnUrl(returnUrl string) bool {
-	expectedUrl, err := url.Parse(e.cfg.Web.ExternalUrl)
+	if !strings.HasPrefix(returnUrl, e.cfg.Web.ExternalUrl) {
-	if err != nil {
-		return false
-	}
-
-	returnUrlParsed, err := url.Parse(returnUrl)
-	if err != nil {
-		return false
-	}
-
-	if returnUrlParsed.Scheme != expectedUrl.Scheme || returnUrlParsed.Host != expectedUrl.Host {
 		return false
 	}
 

internal/app/wireguard/wireguard_interfaces.go

@@ -985,26 +985,7 @@ func (m Manager) importPeer(ctx context.Context, in *domain.Interface, p *domain
 	peer.InterfaceIdentifier = in.Identifier
 	peer.EndpointPublicKey = domain.NewConfigOption(in.PublicKey, true)
 	peer.AllowedIPsStr = domain.NewConfigOption(in.PeerDefAllowedIPsStr, true)
-
+	peer.Interface.Addresses = p.AllowedIPs // use allowed IP's as the peer IP's TODO: Should this also match server interface address' prefix length?
-	// split allowed IP's into interface addresses and extra allowed IP's
-	var interfaceAddresses []domain.Cidr
-	var extraAllowedIPs []domain.Cidr
-	for _, allowedIP := range p.AllowedIPs {
-		isHost := (allowedIP.IsV4() && allowedIP.NetLength == 32) || (!allowedIP.IsV4() && allowedIP.NetLength == 128)
-		isNetworkAddr := allowedIP.Addr == allowedIP.NetworkAddr().Addr
-
-		// Network addresses (e.g. 10.0.0.0/24) will always be extra allowed IP's.
-		// For IP addresses, such as 10.0.0.1/24, it is challenging to tell whether it is an interface address or
-		// an extra allowed IP, therefore we treat such addresses as interface addresses.
-		if !isHost && isNetworkAddr {
-			extraAllowedIPs = append(extraAllowedIPs, allowedIP)
-		} else {
-			interfaceAddresses = append(interfaceAddresses, allowedIP)
-		}
-	}
-	peer.Interface.Addresses = interfaceAddresses
-	peer.ExtraAllowedIPsStr = domain.CidrsToString(extraAllowedIPs)
-
 	peer.Interface.DnsStr = domain.NewConfigOption(in.PeerDefDnsStr, true)
 	peer.Interface.DnsSearchStr = domain.NewConfigOption(in.PeerDefDnsSearchStr, true)
 	peer.Interface.Mtu = domain.NewConfigOption(in.PeerDefMtu, true)

internal/app/wireguard/wireguard_interfaces_test.go

@@ -1,94 +0,0 @@
-package wireguard
-
-import (
-	"context"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-
-	"github.com/h44z/wg-portal/internal/domain"
-)
-
-func TestImportPeer_AddressMapping(t *testing.T) {
-	tests := []struct {
-		name                 string
-		allowedIPs           []string
-		expectedInterface    []string
-		expectedExtraAllowed string
-	}{
-		{
-			name:                 "IPv4 host address",
-			allowedIPs:           []string{"10.0.0.1/32"},
-			expectedInterface:    []string{"10.0.0.1/32"},
-			expectedExtraAllowed: "",
-		},
-		{
-			name:                 "IPv6 host address",
-			allowedIPs:           []string{"fd00::1/128"},
-			expectedInterface:    []string{"fd00::1/128"},
-			expectedExtraAllowed: "",
-		},
-		{
-			name:                 "IPv4 network address",
-			allowedIPs:           []string{"10.0.1.0/24"},
-			expectedInterface:    []string{},
-			expectedExtraAllowed: "10.0.1.0/24",
-		},
-		{
-			name:                 "IPv4 normal address with mask",
-			allowedIPs:           []string{"10.0.1.5/24"},
-			expectedInterface:    []string{"10.0.1.5/24"},
-			expectedExtraAllowed: "",
-		},
-		{
-			name: "Mixed addresses",
-			allowedIPs: []string{
-				"10.0.0.1/32", "192.168.1.0/24", "172.16.0.5/24", "fd00::1/128", "fd00:1::/64",
-			},
-			expectedInterface:    []string{"10.0.0.1/32", "172.16.0.5/24", "fd00::1/128"},
-			expectedExtraAllowed: "192.168.1.0/24,fd00:1::/64",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			db := &mockDB{}
-			m := Manager{
-				db: db,
-			}
-
-			iface := &domain.Interface{
-				Identifier: "wg0",
-				Type:       domain.InterfaceTypeServer,
-			}
-
-			allowedIPs := make([]domain.Cidr, len(tt.allowedIPs))
-			for i, s := range tt.allowedIPs {
-				cidr, _ := domain.CidrFromString(s)
-				allowedIPs[i] = cidr
-			}
-
-			p := &domain.PhysicalPeer{
-				Identifier: "peer1",
-				KeyPair:    domain.KeyPair{PublicKey: "peer1-public-key-is-long-enough"},
-				AllowedIPs: allowedIPs,
-			}
-
-			err := m.importPeer(context.Background(), iface, p)
-			assert.NoError(t, err)
-
-			savedPeer := db.savedPeers["peer1"]
-			assert.NotNil(t, savedPeer)
-
-			// Check interface addresses
-			actualInterface := make([]string, len(savedPeer.Interface.Addresses))
-			for i, addr := range savedPeer.Interface.Addresses {
-				actualInterface[i] = addr.String()
-			}
-			assert.ElementsMatch(t, tt.expectedInterface, actualInterface)
-
-			// Check extra allowed IPs
-			assert.Equal(t, tt.expectedExtraAllowed, savedPeer.ExtraAllowedIPsStr)
-		})
-	}
-}