[management,proxy,client] Add L4 capabilities (TLS/TCP/UDP) (#5530)

2026-04-18 00:06:38 +00:00 · 2026-03-14 01:36:44 +08:00
parent fe9b844511
commit 3e6baea405
90 changed files with 9611 additions and 1397 deletions
--- a/proxy/internal/auth/middleware.go
+++ b/proxy/internal/auth/middleware.go
@@ -44,8 +44,8 @@ type DomainConfig struct {
 	Schemes           []Scheme
 	SessionPublicKey  ed25519.PublicKey
 	SessionExpiration time.Duration
-	AccountID         string
-	ServiceID         string
+	AccountID         types.AccountID
+	ServiceID         types.ServiceID
 }

 type validationResult struct {
@@ -124,7 +124,7 @@ func (mw *Middleware) getDomainConfig(host string) (DomainConfig, bool) {

 func setCapturedIDs(r *http.Request, config DomainConfig) {
 	if cd := proxy.CapturedDataFromContext(r.Context()); cd != nil {
-		cd.SetAccountId(types.AccountID(config.AccountID))
+		cd.SetAccountId(config.AccountID)
 		cd.SetServiceId(config.ServiceID)
 	}
 }
@@ -275,7 +275,7 @@ func wasCredentialSubmitted(r *http.Request, method auth.Method) bool {
 // session JWTs. Returns an error if the key is missing or invalid.
 // Callers must not serve the domain if this returns an error, to avoid
 // exposing an unauthenticated service.
-func (mw *Middleware) AddDomain(domain string, schemes []Scheme, publicKeyB64 string, expiration time.Duration, accountID, serviceID string) error {
+func (mw *Middleware) AddDomain(domain string, schemes []Scheme, publicKeyB64 string, expiration time.Duration, accountID types.AccountID, serviceID types.ServiceID) error {
 	if len(schemes) == 0 {
 		mw.domainsMux.Lock()
 		defer mw.domainsMux.Unlock()
--- a/proxy/internal/auth/oidc.go
+++ b/proxy/internal/auth/oidc.go
@@ -9,6 +9,7 @@ import (
 	"google.golang.org/grpc"

 	"github.com/netbirdio/netbird/proxy/auth"
+	"github.com/netbirdio/netbird/proxy/internal/types"
 	"github.com/netbirdio/netbird/shared/management/proto"
 )

@@ -17,14 +18,14 @@ type urlGenerator interface {
 }

 type OIDC struct {
-	id             string
-	accountId      string
+	id             types.ServiceID
+	accountId      types.AccountID
 	forwardedProto string
 	client         urlGenerator
 }

 // NewOIDC creates a new OIDC authentication scheme
-func NewOIDC(client urlGenerator, id, accountId, forwardedProto string) OIDC {
+func NewOIDC(client urlGenerator, id types.ServiceID, accountId types.AccountID, forwardedProto string) OIDC {
 	return OIDC{
 		id:             id,
 		accountId:      accountId,
@@ -53,8 +54,8 @@ func (o OIDC) Authenticate(r *http.Request) (string, string, error) {
 	}

 	res, err := o.client.GetOIDCURL(r.Context(), &proto.GetOIDCURLRequest{
-		Id:          o.id,
-		AccountId:   o.accountId,
+		Id:          string(o.id),
+		AccountId:   string(o.accountId),
 		RedirectUrl: redirectURL.String(),
 	})
 	if err != nil {
--- a/proxy/internal/auth/password.go
+++ b/proxy/internal/auth/password.go
@@ -5,17 +5,19 @@ import (
 	"net/http"

 	"github.com/netbirdio/netbird/proxy/auth"
+	"github.com/netbirdio/netbird/proxy/internal/types"
 	"github.com/netbirdio/netbird/shared/management/proto"
 )

 const passwordFormId = "password"

 type Password struct {
-	id, accountId string
-	client        authenticator
+	id        types.ServiceID
+	accountId types.AccountID
+	client    authenticator
 }

-func NewPassword(client authenticator, id, accountId string) Password {
+func NewPassword(client authenticator, id types.ServiceID, accountId types.AccountID) Password {
 	return Password{
 		id:        id,
 		accountId: accountId,
@@ -41,8 +43,8 @@ func (p Password) Authenticate(r *http.Request) (string, string, error) {
 	}

 	res, err := p.client.Authenticate(r.Context(), &proto.AuthenticateRequest{
-		Id:        p.id,
-		AccountId: p.accountId,
+		Id:        string(p.id),
+		AccountId: string(p.accountId),
 		Request: &proto.AuthenticateRequest_Password{
 			Password: &proto.PasswordRequest{
 				Password: password,
--- a/proxy/internal/auth/pin.go
+++ b/proxy/internal/auth/pin.go
@@ -5,17 +5,19 @@ import (
 	"net/http"

 	"github.com/netbirdio/netbird/proxy/auth"
+	"github.com/netbirdio/netbird/proxy/internal/types"
 	"github.com/netbirdio/netbird/shared/management/proto"
 )

 const pinFormId = "pin"

 type Pin struct {
-	id, accountId string
-	client        authenticator
+	id        types.ServiceID
+	accountId types.AccountID
+	client    authenticator
 }

-func NewPin(client authenticator, id, accountId string) Pin {
+func NewPin(client authenticator, id types.ServiceID, accountId types.AccountID) Pin {
 	return Pin{
 		id:        id,
 		accountId: accountId,
@@ -41,8 +43,8 @@ func (p Pin) Authenticate(r *http.Request) (string, string, error) {
 	}

 	res, err := p.client.Authenticate(r.Context(), &proto.AuthenticateRequest{
-		Id:        p.id,
-		AccountId: p.accountId,
+		Id:        string(p.id),
+		AccountId: string(p.accountId),
 		Request: &proto.AuthenticateRequest_Pin{
 			Pin: &proto.PinRequest{
 				Pin: pin,