sendnrw/netbird
2
0
Fork 0
mirror of https://github.com/netbirdio/netbird.git synced 2026-04-18 08:16:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

[management] Refactor expose feature: move business logic from gRPC to manager (#5435)

Browse Source 
Consolidate all expose business logic (validation, permission checks, TTL tracking, reaping) into the manager layer, making the gRPC layer a pure transport adapter that only handles proto conversion and authentication.

- Add ExposeServiceRequest/ExposeServiceResponse domain types with validation in the reverseproxy package
- Move expose tracker (TTL tracking, reaping, per-peer limits) from gRPC server into manager/expose_tracker.go
- Internalize tracking in CreateServiceFromPeer, RenewServiceFromPeer, and new StopServiceFromPeer so callers don't manage tracker state
- Untrack ephemeral services in DeleteService/DeleteAllServices to keep tracker in sync when services are deleted via API
- Simplify gRPC expose handlers to parse, auth, convert, delegate
- Remove tracker methods from Manager interface (internal detail)
This commit is contained in:
Maycon Santos
2026-02-24 15:09:30 +01:00
committed by GitHub
parent f8c0321aee
commit 327142837c
17 changed files with 1072 additions and 659 deletions
Download Patch File Download Diff File Expand all files Collapse all files

229
management/internals/shared/grpc/expose_service.go
View File

@@ -2,9 +2,6 @@ package grpc
import (
"context"
"regexp"
"sync"
"time"
pb "github.com/golang/protobuf/proto" // nolint
log "github.com/sirupsen/logrus"
@@ -21,27 +18,6 @@ import (
internalStatus "github.com/netbirdio/netbird/shared/management/status"
)
var pinRegexp = regexp.MustCompile(`^\d{6}$`)
const (
exposeTTL = 90 * time.Second
exposeReapInterval = 30 * time.Second
maxExposesPerPeer = 10
)
type activeExpose struct {
mu sync.Mutex
serviceID string
domain string
accountID string
peerID string
lastRenewed time.Time
}
func exposeKey(peerID, domain string) string {
return peerID + ":" + domain
}
// CreateExpose handles a peer request to create a new expose service.
func (s *Server) CreateExpose(ctx context.Context, req *proto.EncryptedMessage) (*proto.EncryptedMessage, error) {
exposeReq := &proto.ExposeServiceRequest{}
@@ -58,72 +34,29 @@ func (s *Server) CreateExpose(ctx context.Context, req *proto.EncryptedMessage)
// nolint:staticcheck
ctx = context.WithValue(ctx, nbContext.AccountIDKey, accountID)
if exposeReq.Protocol != proto.ExposeProtocol_EXPOSE_HTTP && exposeReq.Protocol != proto.ExposeProtocol_EXPOSE_HTTPS {
return nil, status.Errorf(codes.InvalidArgument, "only HTTP or HTTPS protocol are supported")
}
if exposeReq.Pin != "" && !pinRegexp.MatchString(exposeReq.Pin) {
return nil, status.Errorf(codes.InvalidArgument, "invalid pin: must be exactly 6 digits")
}
for _, g := range exposeReq.UserGroups {
if g == "" {
return nil, status.Errorf(codes.InvalidArgument, "user group name cannot be empty")
}
}
reverseProxyMgr := s.getReverseProxyManager()
if reverseProxyMgr == nil {
return nil, status.Errorf(codes.Internal, "reverse proxy manager not available")
}
if err := reverseProxyMgr.ValidateExposePermission(ctx, accountID, peer.ID); err != nil {
log.WithContext(ctx).Debugf("expose permission denied for peer %s: %v", peer.ID, err)
return nil, status.Errorf(codes.PermissionDenied, "permission denied")
}
serviceName, err := reverseproxy.GenerateExposeName(exposeReq.NamePrefix)
created, err := reverseProxyMgr.CreateServiceFromPeer(ctx, accountID, peer.ID, &reverseproxy.ExposeServiceRequest{
NamePrefix: exposeReq.NamePrefix,
Port: int(exposeReq.Port),
Protocol: exposeProtocolToString(exposeReq.Protocol),
Domain: exposeReq.Domain,
Pin: exposeReq.Pin,
Password: exposeReq.Password,
UserGroups: exposeReq.UserGroups,
})
if err != nil {
return nil, status.Errorf(codes.InvalidArgument, "generate service name: %v", err)
return nil, mapExposeError(ctx, err)
}
service := reverseproxy.FromExposeRequest(exposeReq, accountID, peer.ID, serviceName)
// Serialize the count check to prevent concurrent CreateExpose calls from
// exceeding maxExposesPerPeer. The lock is held only for the check; the
// actual service creation happens outside the lock.
s.exposeCreateMu.Lock()
if s.countPeerExposes(peer.ID) >= maxExposesPerPeer {
s.exposeCreateMu.Unlock()
return nil, status.Errorf(codes.ResourceExhausted, "peer has reached the maximum number of active expose sessions (%d)", maxExposesPerPeer)
}
s.exposeCreateMu.Unlock()
created, err := reverseProxyMgr.CreateServiceFromPeer(ctx, accountID, peer.ID, service)
if err != nil {
log.WithContext(ctx).Errorf("failed to create service from peer: %v", err)
return nil, status.Errorf(codes.Internal, "create service: %v", err)
}
key := exposeKey(peer.ID, created.Domain)
if _, loaded := s.activeExposes.LoadOrStore(key, &activeExpose{
serviceID: created.ID,
domain: created.Domain,
accountID: accountID,
peerID: peer.ID,
lastRenewed: time.Now(),
}); loaded {
s.deleteExposeService(ctx, accountID, peer.ID, created)
return nil, status.Errorf(codes.AlreadyExists, "peer already has an active expose session for this domain")
}
resp := &proto.ExposeServiceResponse{
ServiceName: created.Name,
ServiceUrl: "https://" + created.Domain,
return s.encryptResponse(peerKey, &proto.ExposeServiceResponse{
ServiceName: created.ServiceName,
ServiceUrl: created.ServiceURL,
Domain: created.Domain,
}
return s.encryptResponse(peerKey, resp)
})
}
// RenewExpose extends the TTL of an active expose session.
@@ -134,21 +67,19 @@ func (s *Server) RenewExpose(ctx context.Context, req *proto.EncryptedMessage) (
return nil, err
}
_, peer, err := s.authenticateExposePeer(ctx, peerKey)
accountID, peer, err := s.authenticateExposePeer(ctx, peerKey)
if err != nil {
return nil, err
}
key := exposeKey(peer.ID, renewReq.Domain)
val, ok := s.activeExposes.Load(key)
if !ok {
return nil, status.Errorf(codes.NotFound, "no active expose session for domain %s", renewReq.Domain)
reverseProxyMgr := s.getReverseProxyManager()
if reverseProxyMgr == nil {
return nil, status.Errorf(codes.Internal, "reverse proxy manager not available")
}
expose := val.(*activeExpose)
expose.mu.Lock()
expose.lastRenewed = time.Now()
expose.mu.Unlock()
if err := reverseProxyMgr.RenewServiceFromPeer(ctx, accountID, peer.ID, renewReq.Domain); err != nil {
return nil, mapExposeError(ctx, err)
}
return s.encryptResponse(peerKey, &proto.RenewExposeResponse{})
}
@@ -161,55 +92,45 @@ func (s *Server) StopExpose(ctx context.Context, req *proto.EncryptedMessage) (*
return nil, err
}
_, peer, err := s.authenticateExposePeer(ctx, peerKey)
accountID, peer, err := s.authenticateExposePeer(ctx, peerKey)
if err != nil {
return nil, err
}
key := exposeKey(peer.ID, stopReq.Domain)
val, ok := s.activeExposes.LoadAndDelete(key)
if !ok {
return nil, status.Errorf(codes.NotFound, "no active expose session for domain %s", stopReq.Domain)
reverseProxyMgr := s.getReverseProxyManager()
if reverseProxyMgr == nil {
return nil, status.Errorf(codes.Internal, "reverse proxy manager not available")
}
expose := val.(*activeExpose)
s.cleanupExpose(expose, false)
if err := reverseProxyMgr.StopServiceFromPeer(ctx, accountID, peer.ID, stopReq.Domain); err != nil {
return nil, mapExposeError(ctx, err)
}
return s.encryptResponse(peerKey, &proto.StopExposeResponse{})
}
// StartExposeReaper starts a background goroutine that reaps expired expose sessions.
func (s *Server) StartExposeReaper(ctx context.Context) {
go func() {
ticker := time.NewTicker(exposeReapInterval)
defer ticker.Stop()
func mapExposeError(ctx context.Context, err error) error {
s, ok := internalStatus.FromError(err)
if !ok {
log.WithContext(ctx).Errorf("expose service error: %v", err)
return status.Errorf(codes.Internal, "internal error")
}
for {
select {
case <-ctx.Done():
return
case <-ticker.C:
s.reapExpiredExposes()
}
}
}()
}
func (s *Server) reapExpiredExposes() {
s.activeExposes.Range(func(key, val any) bool {
expose := val.(*activeExpose)
expose.mu.Lock()
expired := time.Since(expose.lastRenewed) > exposeTTL
expose.mu.Unlock()
if expired {
if _, deleted := s.activeExposes.LoadAndDelete(key); deleted {
log.Infof("reaping expired expose session for peer %s, domain %s", expose.peerID, expose.domain)
s.cleanupExpose(expose, true)
}
}
return true
})
switch s.Type() {
case internalStatus.InvalidArgument:
return status.Errorf(codes.InvalidArgument, "%s", s.Message)
case internalStatus.PermissionDenied:
return status.Errorf(codes.PermissionDenied, "%s", s.Message)
case internalStatus.NotFound:
return status.Errorf(codes.NotFound, "%s", s.Message)
case internalStatus.AlreadyExists:
return status.Errorf(codes.AlreadyExists, "%s", s.Message)
case internalStatus.PreconditionFailed:
return status.Errorf(codes.ResourceExhausted, "%s", s.Message)
default:
log.WithContext(ctx).Errorf("expose service error: %v", err)
return status.Errorf(codes.Internal, "internal error")
}
}
func (s *Server) encryptResponse(peerKey wgtypes.Key, msg pb.Message) (*proto.EncryptedMessage, error) {
@@ -246,47 +167,6 @@ func (s *Server) authenticateExposePeer(ctx context.Context, peerKey wgtypes.Key
return accountID, peer, nil
}
func (s *Server) deleteExposeService(ctx context.Context, accountID, peerID string, service *reverseproxy.Service) {
reverseProxyMgr := s.getReverseProxyManager()
if reverseProxyMgr == nil {
return
}
if err := reverseProxyMgr.DeleteServiceFromPeer(ctx, accountID, peerID, service.ID); err != nil {
log.WithContext(ctx).Debugf("failed to delete expose service %s: %v", service.ID, err)
}
}
func (s *Server) cleanupExpose(expose *activeExpose, expired bool) {
bgCtx := context.Background()
reverseProxyMgr := s.getReverseProxyManager()
if reverseProxyMgr == nil {
log.Errorf("cannot cleanup exposed service %s: reverse proxy manager not available", expose.serviceID)
return
}
var err error
if expired {
err = reverseProxyMgr.ExpireServiceFromPeer(bgCtx, expose.accountID, expose.peerID, expose.serviceID)
} else {
err = reverseProxyMgr.DeleteServiceFromPeer(bgCtx, expose.accountID, expose.peerID, expose.serviceID)
}
if err != nil {
log.Errorf("failed to delete peer-exposed service %s: %v", expose.serviceID, err)
}
}
func (s *Server) countPeerExposes(peerID string) int {
count := 0
s.activeExposes.Range(func(_, val any) bool {
if expose := val.(*activeExpose); expose.peerID == peerID {
count++
}
return true
})
return count
}
func (s *Server) getReverseProxyManager() reverseproxy.Manager {
s.reverseProxyMu.RLock()
defer s.reverseProxyMu.RUnlock()
@@ -299,3 +179,14 @@ func (s *Server) SetReverseProxyManager(mgr reverseproxy.Manager) {
defer s.reverseProxyMu.Unlock()
s.reverseProxyManager = mgr
}
func exposeProtocolToString(p proto.ExposeProtocol) string {
switch p {
case proto.ExposeProtocol_EXPOSE_HTTP:
return "http"
case proto.ExposeProtocol_EXPOSE_HTTPS:
return "https"
default:
return "http"
}
}

242
management/internals/shared/grpc/expose_service_test.go
View File

@@ -1,242 +0,0 @@
package grpc
import (
"sync"
"testing"
"time"
"github.com/golang/mock/gomock"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
)
func TestPinValidation(t *testing.T) {
tests := []struct {
pin string
valid bool
}{
{"123456", true},
{"000000", true},
{"12345", false},
{"1234567", false},
{"abcdef", false},
{"12345a", false},
{"", false},
{"12 345", false},
}
for _, tt := range tests {
assert.Equal(t, tt.valid, pinRegexp.MatchString(tt.pin), "pin %q", tt.pin)
}
}
func TestExposeKey(t *testing.T) {
assert.Equal(t, "peer1:example.com", exposeKey("peer1", "example.com"))
assert.Equal(t, "peer2:other.com", exposeKey("peer2", "other.com"))
assert.NotEqual(t, exposeKey("peer1", "a.com"), exposeKey("peer1", "b.com"))
}
func TestCountPeerExposes(t *testing.T) {
s := &Server{}
// No exposes
assert.Equal(t, 0, s.countPeerExposes("peer1"))
// Add some exposes for different peers
s.activeExposes.Store("peer1:a.com", &activeExpose{peerID: "peer1"})
s.activeExposes.Store("peer1:b.com", &activeExpose{peerID: "peer1"})
s.activeExposes.Store("peer2:a.com", &activeExpose{peerID: "peer2"})
assert.Equal(t, 2, s.countPeerExposes("peer1"), "peer1 should have 2 exposes")
assert.Equal(t, 1, s.countPeerExposes("peer2"), "peer2 should have 1 expose")
assert.Equal(t, 0, s.countPeerExposes("peer3"), "peer3 should have 0 exposes")
}
func TestReapExpiredExposes(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockMgr := reverseproxy.NewMockManager(ctrl)
s := &Server{}
s.SetReverseProxyManager(mockMgr)
now := time.Now()
// Add an expired expose and a still-active one
s.activeExposes.Store("peer1:expired.com", &activeExpose{
serviceID: "svc-expired",
domain: "expired.com",
accountID: "acct1",
peerID: "peer1",
lastRenewed: now.Add(-2 * exposeTTL),
})
s.activeExposes.Store("peer1:active.com", &activeExpose{
serviceID: "svc-active",
domain: "active.com",
accountID: "acct1",
peerID: "peer1",
lastRenewed: now,
})
// Expect ExpireServiceFromPeer called only for the expired one
mockMgr.EXPECT().
ExpireServiceFromPeer(gomock.Any(), "acct1", "peer1", "svc-expired").
Return(nil)
s.reapExpiredExposes()
// Verify expired one is removed
_, exists := s.activeExposes.Load("peer1:expired.com")
assert.False(t, exists, "expired expose should be removed")
// Verify active one remains
_, exists = s.activeExposes.Load("peer1:active.com")
assert.True(t, exists, "active expose should remain")
}
func TestCleanupExpose_Delete(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockMgr := reverseproxy.NewMockManager(ctrl)
s := &Server{}
s.SetReverseProxyManager(mockMgr)
mockMgr.EXPECT().
DeleteServiceFromPeer(gomock.Any(), "acct1", "peer1", "svc1").
Return(nil)
s.cleanupExpose(&activeExpose{
serviceID: "svc1",
accountID: "acct1",
peerID: "peer1",
}, false)
}
func TestCleanupExpose_Expire(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockMgr := reverseproxy.NewMockManager(ctrl)
s := &Server{}
s.SetReverseProxyManager(mockMgr)
mockMgr.EXPECT().
ExpireServiceFromPeer(gomock.Any(), "acct1", "peer1", "svc1").
Return(nil)
s.cleanupExpose(&activeExpose{
serviceID: "svc1",
accountID: "acct1",
peerID: "peer1",
}, true)
}
func TestCleanupExpose_NilManager(t *testing.T) {
s := &Server{}
// Should not panic when reverse proxy manager is nil
s.cleanupExpose(&activeExpose{
serviceID: "svc1",
accountID: "acct1",
peerID: "peer1",
}, false)
}
func TestSetReverseProxyManager(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
s := &Server{}
// Initially nil
assert.Nil(t, s.getReverseProxyManager())
mockMgr := reverseproxy.NewMockManager(ctrl)
s.SetReverseProxyManager(mockMgr)
assert.NotNil(t, s.getReverseProxyManager())
// Can set to nil
s.SetReverseProxyManager(nil)
assert.Nil(t, s.getReverseProxyManager())
}
func TestReapExpiredExposes_ConcurrentSafety(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
mockMgr := reverseproxy.NewMockManager(ctrl)
mockMgr.EXPECT().
ExpireServiceFromPeer(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).
Return(nil).
AnyTimes()
s := &Server{}
s.SetReverseProxyManager(mockMgr)
// Pre-populate with expired sessions
for i := range 20 {
peerID := "peer1"
domain := "domain-" + string(rune('a'+i))
s.activeExposes.Store(exposeKey(peerID, domain), &activeExpose{
serviceID: "svc-" + domain,
domain: domain,
accountID: "acct1",
peerID: peerID,
lastRenewed: time.Now().Add(-2 * exposeTTL),
})
}
// Run reaper concurrently with count
var wg sync.WaitGroup
wg.Add(2)
go func() {
defer wg.Done()
s.reapExpiredExposes()
}()
go func() {
defer wg.Done()
s.countPeerExposes("peer1")
}()
wg.Wait()
assert.Equal(t, 0, s.countPeerExposes("peer1"), "all expired exposes should be reaped")
}
func TestActiveExposeMutexProtectsLastRenewed(t *testing.T) {
expose := &activeExpose{
lastRenewed: time.Now().Add(-1 * time.Hour),
}
// Simulate concurrent renew and read
var wg sync.WaitGroup
wg.Add(2)
go func() {
defer wg.Done()
for range 100 {
expose.mu.Lock()
expose.lastRenewed = time.Now()
expose.mu.Unlock()
}
}()
go func() {
defer wg.Done()
for range 100 {
expose.mu.Lock()
_ = time.Since(expose.lastRenewed)
expose.mu.Unlock()
}
}()
wg.Wait()
expose.mu.Lock()
require.False(t, expose.lastRenewed.IsZero(), "lastRenewed should not be zero after concurrent access")
expose.mu.Unlock()
}

16
management/internals/shared/grpc/proxy_group_access_test.go
View File

@@ -76,21 +76,19 @@ func (m *mockReverseProxyManager) GetServiceIDByTargetID(_ context.Context, _, _
return "", nil
}
func (m *mockReverseProxyManager) ValidateExposePermission(_ context.Context, _, _ string) error {
func (m *mockReverseProxyManager) CreateServiceFromPeer(_ context.Context, _, _ string, _ *reverseproxy.ExposeServiceRequest) (*reverseproxy.ExposeServiceResponse, error) {
return &reverseproxy.ExposeServiceResponse{}, nil
}
func (m *mockReverseProxyManager) RenewServiceFromPeer(_ context.Context, _, _, _ string) error {
return nil
}
func (m *mockReverseProxyManager) CreateServiceFromPeer(_ context.Context, _, _ string, _ *reverseproxy.Service) (*reverseproxy.Service, error) {
return &reverseproxy.Service{}, nil
}
func (m *mockReverseProxyManager) DeleteServiceFromPeer(_ context.Context, _, _, _ string) error {
func (m *mockReverseProxyManager) StopServiceFromPeer(_ context.Context, _, _, _ string) error {
return nil
}
func (m *mockReverseProxyManager) ExpireServiceFromPeer(_ context.Context, _, _, _ string) error {
return nil
}
func (m *mockReverseProxyManager) StartExposeReaper(_ context.Context) {}
type mockUsersManager struct {
users map[string]*types.User

2
management/internals/shared/grpc/server.go
View File

@@ -82,8 +82,6 @@ type Server struct {
syncLimEnabled bool
syncLim int32
activeExposes sync.Map
exposeCreateMu sync.Mutex
reverseProxyManager reverseproxy.Manager
reverseProxyMu sync.RWMutex
}

18
management/internals/shared/grpc/validate_session_test.go
View File

@@ -196,7 +196,7 @@ func TestValidateSession_ProxyNotFound(t *testing.T) {
require.NoError(t, err)
assert.False(t, resp.Valid, "Unknown proxy should be denied")
assert.Equal(t, "proxy_not_found", resp.DeniedReason)
assert.Equal(t, "service_not_found", resp.DeniedReason)
}
func TestValidateSession_InvalidToken(t *testing.T) {
@@ -263,6 +263,10 @@ func (m *testValidateSessionProxyManager) DeleteService(_ context.Context, _, _,
return nil
}
func (m *testValidateSessionProxyManager) DeleteAllServices(_ context.Context, _, _ string) error {
return nil
}
func (m *testValidateSessionProxyManager) SetCertificateIssuedAt(_ context.Context, _, _ string) error {
return nil
}
@@ -295,22 +299,20 @@ func (m *testValidateSessionProxyManager) GetServiceIDByTargetID(_ context.Conte
return "", nil
}
func (m *testValidateSessionProxyManager) ValidateExposePermission(_ context.Context, _, _ string) error {
return nil
}
func (m *testValidateSessionProxyManager) CreateServiceFromPeer(_ context.Context, _, _ string, _ *reverseproxy.Service) (*reverseproxy.Service, error) {
func (m *testValidateSessionProxyManager) CreateServiceFromPeer(_ context.Context, _, _ string, _ *reverseproxy.ExposeServiceRequest) (*reverseproxy.ExposeServiceResponse, error) {
return nil, nil
}
func (m *testValidateSessionProxyManager) DeleteServiceFromPeer(_ context.Context, _, _, _ string) error {
func (m *testValidateSessionProxyManager) RenewServiceFromPeer(_ context.Context, _, _, _ string) error {
return nil
}
func (m *testValidateSessionProxyManager) ExpireServiceFromPeer(_ context.Context, _, _, _ string) error {
func (m *testValidateSessionProxyManager) StopServiceFromPeer(_ context.Context, _, _, _ string) error {
return nil
}
func (m *testValidateSessionProxyManager) StartExposeReaper(_ context.Context) {}
type testValidateSessionUsersManager struct {
store store.Store
}