[client,management] Feature/client service expose (#5411)

CLI: new expose command to publish a local port with flags for PIN, password, user groups, custom domain, name prefix and protocol (HTTP default). Management/API: create/renew/stop expose sessions (streamed status), automatic naming/domain, TTL renewals, background expiration, new management RPCs and client methods. UI/API: account settings now include peer_expose_enabled and peer_expose_groups; new activity codes for peer expose events.
2026-04-19 08:46:38 +00:00 · 2026-02-24 10:02:16 +01:00
parent 37f025c966
commit 63c83aa8d2
44 changed files with 3867 additions and 422 deletions
--- a/management/internals/modules/reverseproxy/manager/manager.go
+++ b/management/internals/modules/reverseproxy/manager/manager.go
@@ -3,10 +3,14 @@ package manager
 import (
 	"context"
 	"fmt"
+	"math/rand/v2"
 	"time"

+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	log "github.com/sirupsen/logrus"

+	"slices"
+
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/sessionkey"
 	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
@@ -15,6 +19,7 @@ import (
 	"github.com/netbirdio/netbird/management/server/permissions"
 	"github.com/netbirdio/netbird/management/server/permissions/modules"
 	"github.com/netbirdio/netbird/management/server/permissions/operations"
+	"github.com/netbirdio/netbird/management/server/settings"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/shared/management/proto"
 	"github.com/netbirdio/netbird/shared/management/status"
@@ -25,22 +30,25 @@ const unknownHostPlaceholder = "unknown"
 // ClusterDeriver derives the proxy cluster from a domain.
 type ClusterDeriver interface {
 	DeriveClusterFromDomain(ctx context.Context, accountID, domain string) (string, error)
+	GetClusterDomains() []string
 }

 type managerImpl struct {
 	store              store.Store
 	accountManager     account.Manager
 	permissionsManager permissions.Manager
+	settingsManager    settings.Manager
 	proxyGRPCServer    *nbgrpc.ProxyServiceServer
 	clusterDeriver     ClusterDeriver
 }

 // NewManager creates a new service manager.
-func NewManager(store store.Store, accountManager account.Manager, permissionsManager permissions.Manager, proxyGRPCServer *nbgrpc.ProxyServiceServer, clusterDeriver ClusterDeriver) reverseproxy.Manager {
+func NewManager(store store.Store, accountManager account.Manager, permissionsManager permissions.Manager, settingsManager settings.Manager, proxyGRPCServer *nbgrpc.ProxyServiceServer, clusterDeriver ClusterDeriver) reverseproxy.Manager {
 	return &managerImpl{
 		store:              store,
 		accountManager:     accountManager,
 		permissionsManager: permissionsManager,
+		settingsManager:    settingsManager,
 		proxyGRPCServer:    proxyGRPCServer,
 		clusterDeriver:     clusterDeriver,
 	}
@@ -475,7 +483,8 @@ func (m *managerImpl) SetCertificateIssuedAt(ctx context.Context, accountID, ser
 			return fmt.Errorf("failed to get service: %w", err)
 		}

-		service.Meta.CertificateIssuedAt = time.Now()
+		now := time.Now()
+		service.Meta.CertificateIssuedAt = &now

 		if err = transaction.UpdateService(ctx, service); err != nil {
 			return fmt.Errorf("failed to update service certificate timestamp: %w", err)
@@ -607,3 +616,179 @@ func (m *managerImpl) GetServiceIDByTargetID(ctx context.Context, accountID stri

 	return target.ServiceID, nil
 }
+
+// ValidateExposePermission checks whether the peer is allowed to use the expose feature.
+// It verifies the account has peer expose enabled and that the peer belongs to an allowed group.
+func (m *managerImpl) ValidateExposePermission(ctx context.Context, accountID, peerID string) error {
+	settings, err := m.store.GetAccountSettings(ctx, store.LockingStrengthNone, accountID)
+	if err != nil {
+		log.WithContext(ctx).Errorf("failed to get account settings: %v", err)
+		return status.Errorf(status.Internal, "get account settings: %v", err)
+	}
+
+	if !settings.PeerExposeEnabled {
+		return status.Errorf(status.PermissionDenied, "peer expose is not enabled for this account")
+	}
+
+	if len(settings.PeerExposeGroups) == 0 {
+		return status.Errorf(status.PermissionDenied, "no group is set for peer expose")
+	}
+
+	peerGroupIDs, err := m.store.GetPeerGroupIDs(ctx, store.LockingStrengthNone, accountID, peerID)
+	if err != nil {
+		log.WithContext(ctx).Errorf("failed to get peer group IDs: %v", err)
+		return status.Errorf(status.Internal, "get peer groups: %v", err)
+	}
+
+	for _, pg := range peerGroupIDs {
+		if slices.Contains(settings.PeerExposeGroups, pg) {
+			return nil
+		}
+	}
+
+	return status.Errorf(status.PermissionDenied, "peer is not in an allowed expose group")
+}
+
+// CreateServiceFromPeer creates a service initiated by a peer expose request.
+// It skips user permission checks since authorization is done at the gRPC handler level.
+func (m *managerImpl) CreateServiceFromPeer(ctx context.Context, accountID, peerID string, service *reverseproxy.Service) (*reverseproxy.Service, error) {
+	service.Source = reverseproxy.SourceEphemeral
+
+	if service.Domain == "" {
+		domain, err := m.buildRandomDomain(service.Name)
+		if err != nil {
+			return nil, fmt.Errorf("build random domain for service %s: %w", service.Name, err)
+		}
+		service.Domain = domain
+	}
+
+	if service.Auth.BearerAuth != nil && service.Auth.BearerAuth.Enabled {
+		groupIDs, err := m.getGroupIDsFromNames(ctx, accountID, service.Auth.BearerAuth.DistributionGroups)
+		if err != nil {
+			return nil, fmt.Errorf("get group ids for service %s: %w", service.ID, err)
+		}
+		service.Auth.BearerAuth.DistributionGroups = groupIDs
+	}
+
+	if err := m.initializeServiceForCreate(ctx, accountID, service); err != nil {
+		return nil, err
+	}
+
+	peer, err := m.store.GetPeerByID(ctx, store.LockingStrengthNone, accountID, peerID)
+	if err != nil {
+		return nil, err
+	}
+
+	now := time.Now()
+	service.Meta.LastRenewedAt = &now
+	service.SourcePeer = peerID
+
+	if err := m.persistNewService(ctx, accountID, service); err != nil {
+		return nil, err
+	}
+
+	meta := addPeerInfoToEventMeta(service.EventMeta(), peer)
+
+	m.accountManager.StoreEvent(ctx, peerID, service.ID, accountID, activity.PeerServiceExposed, meta)
+
+	if err := m.replaceHostByLookup(ctx, accountID, service); err != nil {
+		return nil, fmt.Errorf("replace host by lookup for service %s: %w", service.ID, err)
+	}
+
+	m.sendServiceUpdate(service, reverseproxy.Create, service.ProxyCluster, "")
+
+	m.accountManager.UpdateAccountPeers(ctx, accountID)
+
+	return service, nil
+}
+
+func (m *managerImpl) getGroupIDsFromNames(ctx context.Context, accountID string, groupNames []string) ([]string, error) {
+	if len(groupNames) == 0 {
+		return []string{}, fmt.Errorf("no group names provided")
+	}
+	groupIDs := make([]string, 0, len(groupNames))
+	for _, groupName := range groupNames {
+		g, err := m.accountManager.GetGroupByName(ctx, groupName, accountID)
+		if err != nil {
+			return nil, fmt.Errorf("failed to get group by name %s: %w", groupName, err)
+		}
+		groupIDs = append(groupIDs, g.ID)
+	}
+	return groupIDs, nil
+}
+
+func (m *managerImpl) buildRandomDomain(name string) (string, error) {
+	clusterDomains := m.clusterDeriver.GetClusterDomains()
+	if len(clusterDomains) == 0 {
+		return "", fmt.Errorf("no cluster domains found for service %s", name)
+	}
+	index := rand.IntN(len(clusterDomains))
+	domain := name + "." + clusterDomains[index]
+	return domain, nil
+}
+
+// DeleteServiceFromPeer deletes a peer-initiated service.
+// It validates that the service was created by a peer to prevent deleting API-created services.
+func (m *managerImpl) DeleteServiceFromPeer(ctx context.Context, accountID, peerID, serviceID string) error {
+	return m.deletePeerService(ctx, accountID, peerID, serviceID, activity.PeerServiceUnexposed)
+}
+
+// ExpireServiceFromPeer deletes a peer-initiated service that was not renewed within the TTL.
+func (m *managerImpl) ExpireServiceFromPeer(ctx context.Context, accountID, peerID, serviceID string) error {
+	return m.deletePeerService(ctx, accountID, peerID, serviceID, activity.PeerServiceExposeExpired)
+}
+
+func (m *managerImpl) deletePeerService(ctx context.Context, accountID, peerID, serviceID string, activityCode activity.Activity) error {
+	var service *reverseproxy.Service
+	err := m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		var err error
+		service, err = transaction.GetServiceByID(ctx, store.LockingStrengthUpdate, accountID, serviceID)
+		if err != nil {
+			return err
+		}
+
+		if service.Source != reverseproxy.SourceEphemeral {
+			return status.Errorf(status.PermissionDenied, "cannot delete API-created service via peer expose")
+		}
+
+		if service.SourcePeer != peerID {
+			return status.Errorf(status.PermissionDenied, "cannot delete service exposed by another peer")
+		}
+
+		if err = transaction.DeleteService(ctx, accountID, serviceID); err != nil {
+			return fmt.Errorf("delete service: %w", err)
+		}
+
+		return nil
+	})
+	if err != nil {
+		return err
+	}
+
+	peer, err := m.store.GetPeerByID(ctx, store.LockingStrengthNone, accountID, peerID)
+	if err != nil {
+		log.WithContext(ctx).Debugf("failed to get peer %s for event metadata: %v", peerID, err)
+		peer = nil
+	}
+
+	meta := addPeerInfoToEventMeta(service.EventMeta(), peer)
+
+	m.accountManager.StoreEvent(ctx, peerID, serviceID, accountID, activityCode, meta)
+
+	m.sendServiceUpdate(service, reverseproxy.Delete, service.ProxyCluster, "")
+
+	m.accountManager.UpdateAccountPeers(ctx, accountID)
+
+	return nil
+}
+
+func addPeerInfoToEventMeta(meta map[string]any, peer *nbpeer.Peer) map[string]any {
+	if peer == nil {
+		return meta
+	}
+	meta["peer_name"] = peer.Name
+	if peer.IP != nil {
+		meta["peer_ip"] = peer.IP.String()
+	}
+	return meta
+}