[proxy] feature: bring your own proxy

2026-04-19 00:36:38 +00:00 · 2026-03-17 13:17:50 +01:00
parent 5585adce18
commit 26ba03f08e
32 changed files with 2697 additions and 94 deletions
--- a/management/internals/modules/reverseproxy/proxytoken/handler.go
+++ b/management/internals/modules/reverseproxy/proxytoken/handler.go
@@ -0,0 +1,184 @@
+package proxytoken
+
+import (
+	"encoding/json"
+	"net/http"
+	"time"
+
+	"github.com/gorilla/mux"
+
+	nbcontext "github.com/netbirdio/netbird/management/server/context"
+	"github.com/netbirdio/netbird/management/server/permissions"
+	"github.com/netbirdio/netbird/management/server/permissions/modules"
+	"github.com/netbirdio/netbird/management/server/permissions/operations"
+	"github.com/netbirdio/netbird/management/server/store"
+	"github.com/netbirdio/netbird/management/server/types"
+	"github.com/netbirdio/netbird/shared/management/http/api"
+	"github.com/netbirdio/netbird/shared/management/http/util"
+)
+
+type handler struct {
+	store              store.Store
+	permissionsManager permissions.Manager
+}
+
+func RegisterEndpoints(s store.Store, permissionsManager permissions.Manager, router *mux.Router) {
+	h := &handler{store: s, permissionsManager: permissionsManager}
+	router.HandleFunc("/reverse-proxies/proxy-tokens", h.listTokens).Methods("GET", "OPTIONS")
+	router.HandleFunc("/reverse-proxies/proxy-tokens", h.createToken).Methods("POST", "OPTIONS")
+	router.HandleFunc("/reverse-proxies/proxy-tokens/{tokenId}", h.revokeToken).Methods("DELETE", "OPTIONS")
+}
+
+func (h *handler) createToken(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	ok, err := h.permissionsManager.ValidateUserPermissions(r.Context(), userAuth.AccountId, userAuth.UserId, modules.Services, operations.Create)
+	if err != nil {
+		util.WriteErrorResponse("failed to validate permissions", http.StatusInternalServerError, w)
+		return
+	}
+	if !ok {
+		util.WriteErrorResponse("permission denied", http.StatusForbidden, w)
+		return
+	}
+
+	var req api.ProxyTokenRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		util.WriteErrorResponse("couldn't parse JSON request", http.StatusBadRequest, w)
+		return
+	}
+
+	if req.Name == "" || len(req.Name) > 255 {
+		util.WriteErrorResponse("name is required and must be at most 255 characters", http.StatusBadRequest, w)
+		return
+	}
+
+	var expiresIn time.Duration
+	if req.ExpiresIn != nil && *req.ExpiresIn > 0 {
+		expiresIn = time.Duration(*req.ExpiresIn) * time.Second
+	}
+
+	accountID := userAuth.AccountId
+	generated, err := types.CreateNewProxyAccessToken(req.Name, expiresIn, &accountID, userAuth.UserId)
+	if err != nil {
+		util.WriteErrorResponse("failed to generate token", http.StatusInternalServerError, w)
+		return
+	}
+
+	if err := h.store.SaveProxyAccessToken(r.Context(), &generated.ProxyAccessToken); err != nil {
+		util.WriteErrorResponse("failed to save token", http.StatusInternalServerError, w)
+		return
+	}
+
+	resp := toProxyTokenCreatedResponse(generated)
+	util.WriteJSONObject(r.Context(), w, resp)
+}
+
+func (h *handler) listTokens(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	ok, err := h.permissionsManager.ValidateUserPermissions(r.Context(), userAuth.AccountId, userAuth.UserId, modules.Services, operations.Read)
+	if err != nil {
+		util.WriteErrorResponse("failed to validate permissions", http.StatusInternalServerError, w)
+		return
+	}
+	if !ok {
+		util.WriteErrorResponse("permission denied", http.StatusForbidden, w)
+		return
+	}
+
+	tokens, err := h.store.GetProxyAccessTokensByAccountID(r.Context(), store.LockingStrengthNone, userAuth.AccountId)
+	if err != nil {
+		util.WriteErrorResponse("failed to list tokens", http.StatusInternalServerError, w)
+		return
+	}
+
+	resp := make([]api.ProxyToken, 0, len(tokens))
+	for _, token := range tokens {
+		resp = append(resp, toProxyTokenResponse(token))
+	}
+
+	util.WriteJSONObject(r.Context(), w, resp)
+}
+
+func (h *handler) revokeToken(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	ok, err := h.permissionsManager.ValidateUserPermissions(r.Context(), userAuth.AccountId, userAuth.UserId, modules.Services, operations.Delete)
+	if err != nil {
+		util.WriteErrorResponse("failed to validate permissions", http.StatusInternalServerError, w)
+		return
+	}
+	if !ok {
+		util.WriteErrorResponse("permission denied", http.StatusForbidden, w)
+		return
+	}
+
+	tokenID := mux.Vars(r)["tokenId"]
+	if tokenID == "" {
+		util.WriteErrorResponse("token ID is required", http.StatusBadRequest, w)
+		return
+	}
+
+	token, err := h.store.GetProxyAccessTokenByID(r.Context(), store.LockingStrengthNone, tokenID)
+	if err != nil {
+		util.WriteErrorResponse("token not found", http.StatusNotFound, w)
+		return
+	}
+
+	if token.AccountID == nil || *token.AccountID != userAuth.AccountId {
+		util.WriteErrorResponse("token not found", http.StatusNotFound, w)
+		return
+	}
+
+	if err := h.store.RevokeProxyAccessToken(r.Context(), tokenID); err != nil {
+		util.WriteErrorResponse("failed to revoke token", http.StatusInternalServerError, w)
+		return
+	}
+
+	util.WriteJSONObject(r.Context(), w, util.EmptyObject{})
+}
+
+func toProxyTokenResponse(token *types.ProxyAccessToken) api.ProxyToken {
+	resp := api.ProxyToken{
+		Id:      token.ID,
+		Name:    token.Name,
+		Revoked: token.Revoked,
+	}
+	if !token.CreatedAt.IsZero() {
+		resp.CreatedAt = token.CreatedAt
+	}
+	if token.ExpiresAt != nil {
+		resp.ExpiresAt = token.ExpiresAt
+	}
+	if token.LastUsed != nil {
+		resp.LastUsed = token.LastUsed
+	}
+	return resp
+}
+
+func toProxyTokenCreatedResponse(generated *types.ProxyAccessTokenGenerated) api.ProxyTokenCreated {
+	base := toProxyTokenResponse(&generated.ProxyAccessToken)
+	plainToken := string(generated.PlainToken)
+	return api.ProxyTokenCreated{
+		Id:         base.Id,
+		Name:       base.Name,
+		CreatedAt:  base.CreatedAt,
+		ExpiresAt:  base.ExpiresAt,
+		LastUsed:   base.LastUsed,
+		Revoked:    base.Revoked,
+		PlainToken: plainToken,
+	}
+}
--- a/management/internals/modules/reverseproxy/proxytoken/handler_test.go
+++ b/management/internals/modules/reverseproxy/proxytoken/handler_test.go
@@ -0,0 +1,275 @@
+package proxytoken
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/golang/mock/gomock"
+	"github.com/gorilla/mux"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	nbcontext "github.com/netbirdio/netbird/management/server/context"
+	"github.com/netbirdio/netbird/management/server/permissions"
+	"github.com/netbirdio/netbird/management/server/permissions/modules"
+	"github.com/netbirdio/netbird/management/server/permissions/operations"
+	"github.com/netbirdio/netbird/management/server/store"
+	"github.com/netbirdio/netbird/management/server/types"
+	"github.com/netbirdio/netbird/shared/auth"
+	"github.com/netbirdio/netbird/shared/management/http/api"
+)
+
+func authContext(accountID, userID string) context.Context {
+	return nbcontext.SetUserAuthInContext(context.Background(), auth.UserAuth{
+		AccountId: accountID,
+		UserId:    userID,
+	})
+}
+
+func TestCreateToken_AccountScoped(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
+	accountID := "acc-123"
+	var savedToken *types.ProxyAccessToken
+
+	mockStore := store.NewMockStore(ctrl)
+	mockStore.EXPECT().SaveProxyAccessToken(gomock.Any(), gomock.Any()).DoAndReturn(
+		func(_ context.Context, token *types.ProxyAccessToken) error {
+			savedToken = token
+			return nil
+		},
+	)
+
+	permsMgr := permissions.NewMockManager(ctrl)
+	permsMgr.EXPECT().ValidateUserPermissions(gomock.Any(), accountID, "user-1", modules.Services, operations.Create).Return(true, nil)
+
+	h := &handler{
+		store:              mockStore,
+		permissionsManager: permsMgr,
+	}
+
+	body := `{"name": "my-token"}`
+	req := httptest.NewRequest("POST", "/reverse-proxies/proxy-tokens", bytes.NewBufferString(body))
+	req = req.WithContext(authContext(accountID, "user-1"))
+	w := httptest.NewRecorder()
+
+	h.createToken(w, req)
+	assert.Equal(t, http.StatusOK, w.Code)
+
+	var resp api.ProxyTokenCreated
+	require.NoError(t, json.NewDecoder(w.Body).Decode(&resp))
+
+	assert.NotEmpty(t, resp.PlainToken)
+	assert.Equal(t, "my-token", resp.Name)
+	assert.False(t, resp.Revoked)
+
+	require.NotNil(t, savedToken)
+	require.NotNil(t, savedToken.AccountID)
+	assert.Equal(t, accountID, *savedToken.AccountID)
+	assert.Equal(t, "user-1", savedToken.CreatedBy)
+}
+
+func TestCreateToken_WithExpiration(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
+	var savedToken *types.ProxyAccessToken
+
+	mockStore := store.NewMockStore(ctrl)
+	mockStore.EXPECT().SaveProxyAccessToken(gomock.Any(), gomock.Any()).DoAndReturn(
+		func(_ context.Context, token *types.ProxyAccessToken) error {
+			savedToken = token
+			return nil
+		},
+	)
+
+	permsMgr := permissions.NewMockManager(ctrl)
+	permsMgr.EXPECT().ValidateUserPermissions(gomock.Any(), "acc-123", "user-1", modules.Services, operations.Create).Return(true, nil)
+
+	h := &handler{
+		store:              mockStore,
+		permissionsManager: permsMgr,
+	}
+
+	body := `{"name": "expiring-token", "expires_in": 3600}`
+	req := httptest.NewRequest("POST", "/reverse-proxies/proxy-tokens", bytes.NewBufferString(body))
+	req = req.WithContext(authContext("acc-123", "user-1"))
+	w := httptest.NewRecorder()
+
+	h.createToken(w, req)
+	assert.Equal(t, http.StatusOK, w.Code)
+
+	require.NotNil(t, savedToken)
+	require.NotNil(t, savedToken.ExpiresAt)
+	assert.True(t, savedToken.ExpiresAt.After(time.Now()))
+}
+
+func TestCreateToken_EmptyName(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
+	permsMgr := permissions.NewMockManager(ctrl)
+	permsMgr.EXPECT().ValidateUserPermissions(gomock.Any(), "acc-123", "user-1", modules.Services, operations.Create).Return(true, nil)
+
+	h := &handler{
+		permissionsManager: permsMgr,
+	}
+
+	body := `{"name": ""}`
+	req := httptest.NewRequest("POST", "/reverse-proxies/proxy-tokens", bytes.NewBufferString(body))
+	req = req.WithContext(authContext("acc-123", "user-1"))
+	w := httptest.NewRecorder()
+
+	h.createToken(w, req)
+	assert.Equal(t, http.StatusBadRequest, w.Code)
+}
+
+func TestCreateToken_PermissionDenied(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
+	permsMgr := permissions.NewMockManager(ctrl)
+	permsMgr.EXPECT().ValidateUserPermissions(gomock.Any(), "acc-123", "user-1", modules.Services, operations.Create).Return(false, nil)
+
+	h := &handler{
+		permissionsManager: permsMgr,
+	}
+
+	body := `{"name": "test"}`
+	req := httptest.NewRequest("POST", "/reverse-proxies/proxy-tokens", bytes.NewBufferString(body))
+	req = req.WithContext(authContext("acc-123", "user-1"))
+	w := httptest.NewRecorder()
+
+	h.createToken(w, req)
+	assert.Equal(t, http.StatusForbidden, w.Code)
+}
+
+func TestListTokens(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
+	accountID := "acc-123"
+	now := time.Now()
+
+	mockStore := store.NewMockStore(ctrl)
+	mockStore.EXPECT().GetProxyAccessTokensByAccountID(gomock.Any(), store.LockingStrengthNone, accountID).Return([]*types.ProxyAccessToken{
+		{ID: "tok-1", Name: "token-1", AccountID: &accountID, CreatedAt: now, Revoked: false},
+		{ID: "tok-2", Name: "token-2", AccountID: &accountID, CreatedAt: now, Revoked: true},
+	}, nil)
+
+	permsMgr := permissions.NewMockManager(ctrl)
+	permsMgr.EXPECT().ValidateUserPermissions(gomock.Any(), accountID, "user-1", modules.Services, operations.Read).Return(true, nil)
+
+	h := &handler{
+		store:              mockStore,
+		permissionsManager: permsMgr,
+	}
+
+	req := httptest.NewRequest("GET", "/reverse-proxies/proxy-tokens", nil)
+	req = req.WithContext(authContext(accountID, "user-1"))
+	w := httptest.NewRecorder()
+
+	h.listTokens(w, req)
+	assert.Equal(t, http.StatusOK, w.Code)
+
+	var resp []api.ProxyToken
+	require.NoError(t, json.NewDecoder(w.Body).Decode(&resp))
+	require.Len(t, resp, 2)
+	assert.Equal(t, "tok-1", resp[0].Id)
+	assert.False(t, resp[0].Revoked)
+	assert.Equal(t, "tok-2", resp[1].Id)
+	assert.True(t, resp[1].Revoked)
+}
+
+func TestRevokeToken_Success(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
+	accountID := "acc-123"
+
+	mockStore := store.NewMockStore(ctrl)
+	mockStore.EXPECT().GetProxyAccessTokenByID(gomock.Any(), store.LockingStrengthNone, "tok-1").Return(&types.ProxyAccessToken{
+		ID:        "tok-1",
+		Name:      "test-token",
+		AccountID: &accountID,
+	}, nil)
+	mockStore.EXPECT().RevokeProxyAccessToken(gomock.Any(), "tok-1").Return(nil)
+
+	permsMgr := permissions.NewMockManager(ctrl)
+	permsMgr.EXPECT().ValidateUserPermissions(gomock.Any(), accountID, "user-1", modules.Services, operations.Delete).Return(true, nil)
+
+	h := &handler{
+		store:              mockStore,
+		permissionsManager: permsMgr,
+	}
+
+	req := httptest.NewRequest("DELETE", "/reverse-proxies/proxy-tokens/tok-1", nil)
+	req = req.WithContext(authContext(accountID, "user-1"))
+	req = mux.SetURLVars(req, map[string]string{"tokenId": "tok-1"})
+	w := httptest.NewRecorder()
+
+	h.revokeToken(w, req)
+	assert.Equal(t, http.StatusOK, w.Code)
+}
+
+func TestRevokeToken_WrongAccount(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
+	otherAccount := "acc-other"
+
+	mockStore := store.NewMockStore(ctrl)
+	mockStore.EXPECT().GetProxyAccessTokenByID(gomock.Any(), store.LockingStrengthNone, "tok-1").Return(&types.ProxyAccessToken{
+		ID:        "tok-1",
+		AccountID: &otherAccount,
+	}, nil)
+
+	permsMgr := permissions.NewMockManager(ctrl)
+	permsMgr.EXPECT().ValidateUserPermissions(gomock.Any(), "acc-123", "user-1", modules.Services, operations.Delete).Return(true, nil)
+
+	h := &handler{
+		store:              mockStore,
+		permissionsManager: permsMgr,
+	}
+
+	req := httptest.NewRequest("DELETE", "/reverse-proxies/proxy-tokens/tok-1", nil)
+	req = req.WithContext(authContext("acc-123", "user-1"))
+	req = mux.SetURLVars(req, map[string]string{"tokenId": "tok-1"})
+	w := httptest.NewRecorder()
+
+	h.revokeToken(w, req)
+	assert.Equal(t, http.StatusNotFound, w.Code)
+}
+
+func TestRevokeToken_ManagementWideToken(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
+	mockStore := store.NewMockStore(ctrl)
+	mockStore.EXPECT().GetProxyAccessTokenByID(gomock.Any(), store.LockingStrengthNone, "tok-1").Return(&types.ProxyAccessToken{
+		ID:        "tok-1",
+		AccountID: nil,
+	}, nil)
+
+	permsMgr := permissions.NewMockManager(ctrl)
+	permsMgr.EXPECT().ValidateUserPermissions(gomock.Any(), "acc-123", "user-1", modules.Services, operations.Delete).Return(true, nil)
+
+	h := &handler{
+		store:              mockStore,
+		permissionsManager: permsMgr,
+	}
+
+	req := httptest.NewRequest("DELETE", "/reverse-proxies/proxy-tokens/tok-1", nil)
+	req = req.WithContext(authContext("acc-123", "user-1"))
+	req = mux.SetURLVars(req, map[string]string{"tokenId": "tok-1"})
+	w := httptest.NewRecorder()
+
+	h.revokeToken(w, req)
+	assert.Equal(t, http.StatusNotFound, w.Code)
+}