Merge remote-tracking branch 'origin/prototype/reverse-proxy' into prototype/reverse-proxy

# Conflicts:
#	management/internals/modules/reverseproxy/reverseproxy.go
#	management/internals/server/boot.go
#	management/internals/shared/grpc/proxy.go
#	proxy/internal/auth/middleware.go
#	shared/management/proto/proxy_service.pb.go
#	shared/management/proto/proxy_service.proto
#	shared/management/proto/proxy_service_grpc.pb.go

management/internals/modules/reverseproxy/interface.go

@@ -10,4 +10,6 @@ type Manager interface {
 	CreateReverseProxy(ctx context.Context, accountID, userID string, reverseProxy *ReverseProxy) (*ReverseProxy, error)
 	UpdateReverseProxy(ctx context.Context, accountID, userID string, reverseProxy *ReverseProxy) (*ReverseProxy, error)
 	DeleteReverseProxy(ctx context.Context, accountID, userID, reverseProxyID string) error
+	SetCertificateIssuedAt(ctx context.Context, accountID, reverseProxyID string) error
+	SetStatus(ctx context.Context, accountID, reverseProxyID string, status ProxyStatus) error
 }

management/internals/modules/reverseproxy/manager/manager.go

@@ -3,6 +3,7 @@ package manager
 import (
 	"context"
 	"fmt"
+	"time"
 
 	"github.com/google/uuid"
 	"github.com/rs/xid"
@@ -229,3 +230,40 @@ func (m *managerImpl) DeleteReverseProxy(ctx context.Context, accountID, userID,
 
 	return nil
 }
+
+// SetCertificateIssuedAt sets the certificate issued timestamp to the current time.
+// Call this when receiving a gRPC notification that the certificate was issued.
+func (m *managerImpl) SetCertificateIssuedAt(ctx context.Context, accountID, reverseProxyID string) error {
+	return m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		proxy, err := transaction.GetReverseProxyByID(ctx, store.LockingStrengthUpdate, accountID, reverseProxyID)
+		if err != nil {
+			return fmt.Errorf("failed to get reverse proxy: %w", err)
+		}
+
+		proxy.Meta.CertificateIssuedAt = time.Now()
+
+		if err = transaction.UpdateReverseProxy(ctx, proxy); err != nil {
+			return fmt.Errorf("failed to update reverse proxy certificate timestamp: %w", err)
+		}
+
+		return nil
+	})
+}
+
+// SetStatus updates the status of the reverse proxy (e.g., "active", "tunnel_not_created", etc.)
+func (m *managerImpl) SetStatus(ctx context.Context, accountID, reverseProxyID string, status reverseproxy.ProxyStatus) error {
+	return m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		proxy, err := transaction.GetReverseProxyByID(ctx, store.LockingStrengthUpdate, accountID, reverseProxyID)
+		if err != nil {
+			return fmt.Errorf("failed to get reverse proxy: %w", err)
+		}
+
+		proxy.Meta.Status = string(status)
+
+		if err = transaction.UpdateReverseProxy(ctx, proxy); err != nil {
+			return fmt.Errorf("failed to update reverse proxy status: %w", err)
+		}
+
+		return nil
+	})
+}

management/internals/modules/reverseproxy/reverseproxy.go

@@ -5,6 +5,7 @@ import (
 	"net"
 	"net/url"
 	"strconv"
+	"time"
 
 	"github.com/rs/xid"
 	log "github.com/sirupsen/logrus"
@@ -21,6 +22,17 @@ const (
 	Delete Operation = "delete"
 )
 
+type ProxyStatus string
+
+const (
+	StatusPending            ProxyStatus = "pending"
+	StatusActive             ProxyStatus = "active"
+	StatusTunnelNotCreated   ProxyStatus = "tunnel_not_created"
+	StatusCertificatePending ProxyStatus = "certificate_pending"
+	StatusCertificateFailed  ProxyStatus = "certificate_failed"
+	StatusError              ProxyStatus = "error"
+)
+
 type Target struct {
 	Path       *string `json:"path,omitempty"`
 	Host       string  `json:"host"`
@@ -64,6 +76,12 @@ type OIDCValidationConfig struct {
 	MaxTokenAgeSeconds int64
 }
 
+type ReverseProxyMeta struct {
+	CreatedAt           time.Time
+	CertificateIssuedAt time.Time
+	Status              string
+}
+
 type ReverseProxy struct {
 	ID        string `gorm:"primaryKey"`
 	AccountID string `gorm:"index"`
@@ -71,7 +89,8 @@ type ReverseProxy struct {
 	Domain    string   `gorm:"index"`
 	Targets   []Target `gorm:"serializer:json"`
 	Enabled   bool
-	Auth      AuthConfig `gorm:"serializer:json"`
+	Auth      AuthConfig       `gorm:"serializer:json"`
+	Meta      ReverseProxyMeta `gorm:"embedded;embeddedPrefix:meta_"`
 }
 
 func NewReverseProxy(accountID, name, domain string, targets []Target, enabled bool) *ReverseProxy {
@@ -82,6 +101,10 @@ func NewReverseProxy(accountID, name, domain string, targets []Target, enabled b
 		Domain:    domain,
 		Targets:   targets,
 		Enabled:   enabled,
+		Meta: ReverseProxyMeta{
+			CreatedAt: time.Now(),
+			Status:    string(StatusPending),
+		},
 	}
 }
 
@@ -129,6 +152,15 @@ func (r *ReverseProxy) ToAPIResponse() *api.ReverseProxy {
 		})
 	}
 
+	meta := api.ReverseProxyMeta{
+		CreatedAt: r.Meta.CreatedAt,
+		Status:    api.ReverseProxyMetaStatus(r.Meta.Status),
+	}
+
+	if !r.Meta.CertificateIssuedAt.IsZero() {
+		meta.CertificateIssuedAt = &r.Meta.CertificateIssuedAt
+	}
+
 	return &api.ReverseProxy{
 		Id:      r.ID,
 		Name:    r.Name,
@@ -136,6 +168,7 @@ func (r *ReverseProxy) ToAPIResponse() *api.ReverseProxy {
 		Targets: apiTargets,
 		Enabled: r.Enabled,
 		Auth:    authConfig,
+		Meta:    meta,
 	}
 }
 

management/internals/server/boot.go

@@ -163,6 +163,9 @@ func (s *BaseServer) GRPCServer() *grpc.Server {
 func (s *BaseServer) ReverseProxyGRPCServer() *nbgrpc.ProxyServiceServer {
 	return Create(s, func() *nbgrpc.ProxyServiceServer {
 		proxyService := nbgrpc.NewProxyServiceServer(s.Store(), s.AccountManager(), s.AccessLogsManager(), s.proxyOIDCConfig())
+		s.AfterInit(func(s *BaseServer) {
+			proxyService.SetProxyManager(s.ReverseProxyManager())
+		})
 		return proxyService
 	})
 }

management/internals/shared/grpc/proxy.go

@@ -45,6 +45,11 @@ type reverseProxyStore interface {
 	GetReverseProxyByID(ctx context.Context, lockStrength store.LockingStrength, accountID string, serviceID string) (*reverseproxy.ReverseProxy, error)
 }
 
+type reverseProxyManager interface {
+	SetCertificateIssuedAt(ctx context.Context, accountID, reverseProxyID string) error
+	SetStatus(ctx context.Context, accountID, reverseProxyID string, status reverseproxy.ProxyStatus) error
+}
+
 type keyStore interface {
 	GetGroupByName(ctx context.Context, groupName string, accountID string) (*types.Group, error)
 	CreateSetupKey(ctx context.Context, accountID string, keyName string, keyType types.SetupKeyType, expiresIn time.Duration, autoGroups []string, usageLimit int, userID string, ephemeral bool, allowExtraDNSLabels bool) (*types.SetupKey, error)
@@ -69,6 +74,9 @@ type ProxyServiceServer struct {
 	// Manager for access logs
 	accessLogManager accesslogs.Manager
 
+	// Manager for reverse proxy operations
+	reverseProxyManager reverseProxyManager
+
 	// OIDC configuration for proxy authentication
 	oidcConfig ProxyOIDCConfig
 
@@ -98,6 +106,10 @@ func NewProxyServiceServer(store reverseProxyStore, keys keyStore, accessLogMgr
 	}
 }
 
+func (s *ProxyServiceServer) SetProxyManager(manager reverseProxyManager) {
+	s.reverseProxyManager = manager
+}
+
 // GetMappingUpdate handles the control stream with proxy clients
 func (s *ProxyServiceServer) GetMappingUpdate(req *proto.GetMappingUpdateRequest, stream proto.ProxyService_GetMappingUpdateServer) error {
 	ctx := stream.Context()
@@ -328,6 +340,72 @@ func (s *ProxyServiceServer) Authenticate(ctx context.Context, req *proto.Authen
 	}, nil
 }
 
+// SendStatusUpdate handles status updates from proxy clients
+func (s *ProxyServiceServer) SendStatusUpdate(ctx context.Context, req *proto.SendStatusUpdateRequest) (*proto.SendStatusUpdateResponse, error) {
+	accountID := req.GetAccountId()
+	reverseProxyID := req.GetReverseProxyId()
+	protoStatus := req.GetStatus()
+	certificateIssued := req.GetCertificateIssued()
+
+	log.WithFields(log.Fields{
+		"reverse_proxy_id":   reverseProxyID,
+		"account_id":         accountID,
+		"status":             protoStatus,
+		"certificate_issued": certificateIssued,
+		"error_message":      req.GetErrorMessage(),
+	}).Debug("Status update from proxy")
+
+	if reverseProxyID == "" || accountID == "" {
+		return nil, status.Errorf(codes.InvalidArgument, "reverse_proxy_id and account_id are required")
+	}
+
+	if certificateIssued {
+		if err := s.reverseProxyManager.SetCertificateIssuedAt(ctx, accountID, reverseProxyID); err != nil {
+			log.WithContext(ctx).WithError(err).Error("Failed to set certificate issued timestamp")
+			return nil, status.Errorf(codes.Internal, "failed to update certificate timestamp: %v", err)
+		}
+		log.WithFields(log.Fields{
+			"reverse_proxy_id": reverseProxyID,
+			"account_id":       accountID,
+		}).Info("Certificate issued timestamp updated")
+	}
+
+	internalStatus := protoStatusToInternal(protoStatus)
+
+	if err := s.reverseProxyManager.SetStatus(ctx, accountID, reverseProxyID, internalStatus); err != nil {
+		log.WithContext(ctx).WithError(err).Error("Failed to set proxy status")
+		return nil, status.Errorf(codes.Internal, "failed to update proxy status: %v", err)
+	}
+
+	log.WithFields(log.Fields{
+		"reverse_proxy_id": reverseProxyID,
+		"account_id":       accountID,
+		"status":           internalStatus,
+	}).Info("Proxy status updated")
+
+	return &proto.SendStatusUpdateResponse{}, nil
+}
+
+// protoStatusToInternal maps proto status to internal status
+func protoStatusToInternal(protoStatus proto.ProxyStatus) reverseproxy.ProxyStatus {
+	switch protoStatus {
+	case proto.ProxyStatus_PROXY_STATUS_PENDING:
+		return reverseproxy.StatusPending
+	case proto.ProxyStatus_PROXY_STATUS_ACTIVE:
+		return reverseproxy.StatusActive
+	case proto.ProxyStatus_PROXY_STATUS_TUNNEL_NOT_CREATED:
+		return reverseproxy.StatusTunnelNotCreated
+	case proto.ProxyStatus_PROXY_STATUS_CERTIFICATE_PENDING:
+		return reverseproxy.StatusCertificatePending
+	case proto.ProxyStatus_PROXY_STATUS_CERTIFICATE_FAILED:
+		return reverseproxy.StatusCertificateFailed
+	case proto.ProxyStatus_PROXY_STATUS_ERROR:
+		return reverseproxy.StatusError
+	default:
+		return reverseproxy.StatusError
+	}
+}
+
 func (s *ProxyServiceServer) GetOIDCURL(ctx context.Context, req *proto.GetOIDCURLRequest) (*proto.GetOIDCURLResponse, error) {
 	provider, err := oidc.NewProvider(ctx, s.oidcConfig.Issuer)
 	if err != nil {