[client] Set up firewall rules for dns routes dynamically based on dns response (#3702)

Viktor Liu
2025-04-24 17:37:28 +02:00
committed by GitHub
parent 85f92f8321
commit 4a9049566a
45 changed files with 1399 additions and 591 deletions


@@ -1,12 +1,17 @@
package domain
import (
"strings"
"golang.org/x/net/idna"
)
// Domain represents a punycode-encoded domain string.
// This should only be converted from a string when the string already is in punycode, otherwise use FromString.
type Domain string
// String converts the Domain to a non-punycode string.
// For an infallible conversion, use SafeString.
func (d Domain) String() (string, error) {
unicode, err := idna.ToUnicode(string(d))
if err != nil {
@@ -15,16 +20,17 @@ func (d Domain) String() (string, error) {
return unicode, nil
}
// SafeString converts the Domain to a non-punycode string, falling back to the original string if conversion fails.
// SafeString converts the Domain to a non-punycode string, falling back to the punycode string if conversion fails.
func (d Domain) SafeString() string {
str, err := d.String()
if err != nil {
str = string(d)
return string(d)
}
return str
}
// PunycodeString returns the punycode representation of the Domain.
// This should only be used if a punycode domain is expected but only a string is supported.
func (d Domain) PunycodeString() string {
return string(d)
}
@@ -35,5 +41,5 @@ func FromString(s string) (Domain, error) {
if err != nil {
return "", err
}
return Domain(ascii), nil
return Domain(strings.ToLower(ascii)), nil
}
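Review bot: The lowercase invariant that `FromString` now enforces is not stated on the `Domain` type, whose comment still tells callers to convert directly from a string that is already punycode. A direct `Domain(s)` conversion of mixed-case input skips the normalization, so if domains are compared or used as map keys as plain strings elsewhere (not visible here), such a value would not match its normalized form. I would reword the type comment to `// Domain represents a lowercase, punycode-encoded domain string.` and add `// Direct conversion does not normalize case; prefer FromString or FromPunycodeList.` The same invariant is relied on by the `FromPunycodeList` change in the next file section.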


@@ -5,6 +5,7 @@ import (
"strings"
)
// List is a slice of punycode-encoded domain strings.
type List []Domain
// ToStringList converts a List to a slice of string.
@@ -53,7 +54,7 @@ func (d List) String() (string, error) {
func (d List) SafeString() string {
str, err := d.String()
if err != nil {
return strings.Join(d.ToPunycodeList(), ", ")
return d.PunycodeString()
}
return str
}
@@ -101,7 +102,7 @@ func FromStringList(s []string) (List, error) {
func FromPunycodeList(s []string) List {
var dl List
for _, domain := range s {
dl = append(dl, Domain(domain))
dl = append(dl, Domain(strings.ToLower(domain)))
}
return dl
}


@@ -22,8 +22,6 @@ func ValidateDomains(domains []string) (List, error) {
var domainList List
for _, d := range domains {
d := strings.ToLower(d)
// handles length and idna conversion
punycode, err := FromString(d)
if err != nil {
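Review bot: Dropping `d := strings.ToLower(d)` moves case folding from before the IDNA conversion to after it, and the two are only equivalent for ASCII input. If `FromString` uses a profile that does no case mapping (its conversion call is outside the visible hunk), an upper-case non-ASCII letter is encoded into a different `xn--` label than its lower-case form, and lowercasing the ASCII result afterwards does not merge them. Since these values appear to feed route and firewall matching, I would keep the fold on the input, e.g. `punycode, err := FromString(strings.ToLower(d))`, or lowercase `s` inside `FromString` before converting. The loop body continues past the end of this hunk.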


@@ -1289,7 +1289,7 @@ func (a *Account) GetPeerNetworkResourceFirewallRules(ctx context.Context, peer
if route.Peer != peer.Key {
continue
}
resourceAppliedPolicies := resourcePolicies[route.GetResourceID()]
resourceAppliedPolicies := resourcePolicies[string(route.GetResourceID())]
distributionPeers := getPoliciesSourcePeers(resourceAppliedPolicies, a.Groups)
rules := a.getRouteFirewallRules(ctx, peer.ID, resourceAppliedPolicies, route, validatedPeersMap, distributionPeers)