send updates on changes

2026-04-20 01:06:45 +00:00 · 2026-02-09 17:06:04 +01:00
parent 73aa0785ba
commit 9a67a8e427
10 changed files with 214 additions and 62 deletions
--- a/management/internals/modules/reverseproxy/interface.go
+++ b/management/internals/modules/reverseproxy/interface.go
@@ -12,4 +12,9 @@ type Manager interface {
 	DeleteReverseProxy(ctx context.Context, accountID, userID, reverseProxyID string) error
 	SetCertificateIssuedAt(ctx context.Context, accountID, reverseProxyID string) error
 	SetStatus(ctx context.Context, accountID, reverseProxyID string, status ProxyStatus) error
+	ReloadAllReverseProxiesForAccount(ctx context.Context, accountID string) error
+	ReloadReverseProxy(ctx context.Context, accountID, reverseProxyID string) error
+	GetGlobalReverseProxies(ctx context.Context) ([]*ReverseProxy, error)
+	GetProxyByID(ctx context.Context, accountID, reverseProxyID string) (*ReverseProxy, error)
+	GetAccountReverseProxies(ctx context.Context, accountID string) ([]*ReverseProxy, error)
 }
--- a/management/internals/modules/reverseproxy/manager/manager.go
+++ b/management/internals/modules/reverseproxy/manager/manager.go
@@ -54,7 +54,43 @@ func (m *managerImpl) GetAllReverseProxies(ctx context.Context, accountID, userI
 		return nil, status.NewPermissionDeniedError()
 	}

-	return m.store.GetAccountReverseProxies(ctx, store.LockingStrengthNone, accountID)
+	proxies, err := m.store.GetAccountReverseProxies(ctx, store.LockingStrengthNone, accountID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get reverse proxies: %w", err)
+	}
+
+	for _, proxy := range proxies {
+		err = m.replaceHostByLookup(ctx, accountID, proxy)
+		if err != nil {
+			return nil, fmt.Errorf("failed to replace host by lookup for proxy %s: %w", proxy.ID, err)
+		}
+	}
+
+	return proxies, nil
+}
+
+func (m *managerImpl) replaceHostByLookup(ctx context.Context, accountID string, proxy *reverseproxy.ReverseProxy) error {
+	for _, target := range proxy.Targets {
+		switch target.TargetType {
+		case reverseproxy.TargetTypePeer:
+			peer, err := m.store.GetPeerByID(ctx, store.LockingStrengthNone, accountID, target.TargetId)
+			if err != nil {
+				return fmt.Errorf("failed to get peer by id: %w", err)
+			}
+			target.Host = peer.IP.String()
+		case reverseproxy.TargetTypeHost, reverseproxy.TargetTypeDomain:
+			resource, err := m.store.GetNetworkResourceByID(ctx, store.LockingStrengthNone, accountID, target.TargetId)
+			if err != nil {
+				return fmt.Errorf("failed to get resource by id: %w", err)
+			}
+			target.Host = resource.Address
+		case reverseproxy.TargetTypeSubnet:
+			// For subnets we do not do any lookups on the resource
+		default:
+			return fmt.Errorf("unknown target type: %s", target.TargetType)
+		}
+	}
+	return nil
 }

 func (m *managerImpl) GetReverseProxy(ctx context.Context, accountID, userID, reverseProxyID string) (*reverseproxy.ReverseProxy, error) {
@@ -66,7 +102,16 @@ func (m *managerImpl) GetReverseProxy(ctx context.Context, accountID, userID, re
 		return nil, status.NewPermissionDeniedError()
 	}

-	return m.store.GetReverseProxyByID(ctx, store.LockingStrengthNone, accountID, reverseProxyID)
+	proxy, err := m.store.GetReverseProxyByID(ctx, store.LockingStrengthNone, accountID, reverseProxyID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get reverse proxy: %w", err)
+	}
+
+	err = m.replaceHostByLookup(ctx, accountID, proxy)
+	if err != nil {
+		return nil, fmt.Errorf("failed to replace host by lookup for proxy %s: %w", proxy.ID, err)
+	}
+	return proxy, nil
 }

 func (m *managerImpl) CreateReverseProxy(ctx context.Context, accountID, userID string, reverseProxy *reverseproxy.ReverseProxy) (*reverseproxy.ReverseProxy, error) {
@@ -149,6 +194,7 @@ func (m *managerImpl) UpdateReverseProxy(ctx context.Context, accountID, userID

 	var oldCluster string
 	var domainChanged bool
+	var reverseProxyEnabledChanged bool

 	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		existingReverseProxy, err := transaction.GetReverseProxyByID(ctx, store.LockingStrengthUpdate, accountID, reverseProxy.ID)
@@ -184,6 +230,7 @@ func (m *managerImpl) UpdateReverseProxy(ctx context.Context, accountID, userID
 		reverseProxy.Meta = existingReverseProxy.Meta
 		reverseProxy.SessionPrivateKey = existingReverseProxy.SessionPrivateKey
 		reverseProxy.SessionPublicKey = existingReverseProxy.SessionPublicKey
+		reverseProxyEnabledChanged = existingReverseProxy.Enabled != reverseProxy.Enabled

 		if err = validateTargetReferences(ctx, transaction, accountID, reverseProxy.Targets); err != nil {
 			return err
@@ -201,12 +248,19 @@ func (m *managerImpl) UpdateReverseProxy(ctx context.Context, accountID, userID

 	m.accountManager.StoreEvent(ctx, userID, reverseProxy.ID, accountID, activity.ReverseProxyUpdated, reverseProxy.EventMeta())

+	token, err := m.tokenStore.GenerateToken(accountID, reverseProxy.ID, 5*time.Minute)
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate authentication token: %w", err)
+	}
+
 	switch {
 	case domainChanged && oldCluster != reverseProxy.ProxyCluster:
 		m.proxyGRPCServer.SendReverseProxyUpdateToCluster(reverseProxy.ToProtoMapping(reverseproxy.Delete, "", m.proxyGRPCServer.GetOIDCValidationConfig()), oldCluster)
-		m.proxyGRPCServer.SendReverseProxyUpdateToCluster(reverseProxy.ToProtoMapping(reverseproxy.Create, "", m.proxyGRPCServer.GetOIDCValidationConfig()), reverseProxy.ProxyCluster)
-	case !reverseProxy.Enabled:
+		m.proxyGRPCServer.SendReverseProxyUpdateToCluster(reverseProxy.ToProtoMapping(reverseproxy.Create, token, m.proxyGRPCServer.GetOIDCValidationConfig()), reverseProxy.ProxyCluster)
+	case !reverseProxy.Enabled && reverseProxyEnabledChanged:
 		m.proxyGRPCServer.SendReverseProxyUpdateToCluster(reverseProxy.ToProtoMapping(reverseproxy.Delete, "", m.proxyGRPCServer.GetOIDCValidationConfig()), reverseProxy.ProxyCluster)
+	case reverseProxy.Enabled && reverseProxyEnabledChanged:
+		m.proxyGRPCServer.SendReverseProxyUpdateToCluster(reverseProxy.ToProtoMapping(reverseproxy.Create, token, m.proxyGRPCServer.GetOIDCValidationConfig()), reverseProxy.ProxyCluster)
 	default:
 		m.proxyGRPCServer.SendReverseProxyUpdateToCluster(reverseProxy.ToProtoMapping(reverseproxy.Update, "", m.proxyGRPCServer.GetOIDCValidationConfig()), reverseProxy.ProxyCluster)

@@ -217,7 +271,7 @@ func (m *managerImpl) UpdateReverseProxy(ctx context.Context, accountID, userID
 }

 // validateTargetReferences checks that all target IDs reference existing peers or resources in the account.
-func validateTargetReferences(ctx context.Context, transaction store.Store, accountID string, targets []reverseproxy.Target) error {
+func validateTargetReferences(ctx context.Context, transaction store.Store, accountID string, targets []*reverseproxy.Target) error {
 	for _, target := range targets {
 		switch target.TargetType {
 		case reverseproxy.TargetTypePeer:
@@ -311,3 +365,86 @@ func (m *managerImpl) SetStatus(ctx context.Context, accountID, reverseProxyID s
 		return nil
 	})
 }
+
+func (m *managerImpl) ReloadReverseProxy(ctx context.Context, accountID, reverseProxyID string) error {
+	proxy, err := m.store.GetReverseProxyByID(ctx, store.LockingStrengthNone, accountID, reverseProxyID)
+	if err != nil {
+		return fmt.Errorf("failed to get reverse proxy: %w", err)
+	}
+
+	err = m.replaceHostByLookup(ctx, accountID, proxy)
+	if err != nil {
+		return fmt.Errorf("failed to replace host by lookup for proxy %s: %w", proxy.ID, err)
+	}
+
+	m.proxyGRPCServer.SendReverseProxyUpdateToCluster(proxy.ToProtoMapping(reverseproxy.Update, "", m.proxyGRPCServer.GetOIDCValidationConfig()), proxy.ProxyCluster)
+
+	m.accountManager.UpdateAccountPeers(ctx, accountID)
+
+	return nil
+}
+
+func (m *managerImpl) ReloadAllReverseProxiesForAccount(ctx context.Context, accountID string) error {
+	proxies, err := m.store.GetAccountReverseProxies(ctx, store.LockingStrengthNone, accountID)
+	if err != nil {
+		return fmt.Errorf("failed to get reverse proxies: %w", err)
+	}
+
+	for _, proxy := range proxies {
+		err = m.replaceHostByLookup(ctx, accountID, proxy)
+		if err != nil {
+			return fmt.Errorf("failed to replace host by lookup for proxy %s: %w", proxy.ID, err)
+		}
+		m.proxyGRPCServer.SendReverseProxyUpdateToCluster(proxy.ToProtoMapping(reverseproxy.Update, "", m.proxyGRPCServer.GetOIDCValidationConfig()), proxy.ProxyCluster)
+	}
+
+	m.accountManager.UpdateAccountPeers(ctx, accountID)
+
+	return nil
+}
+
+func (m *managerImpl) GetGlobalReverseProxies(ctx context.Context) ([]*reverseproxy.ReverseProxy, error) {
+	proxies, err := m.store.GetReverseProxies(ctx, store.LockingStrengthNone)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get reverse proxies: %w", err)
+	}
+
+	for _, proxy := range proxies {
+		err = m.replaceHostByLookup(ctx, proxy.AccountID, proxy)
+		if err != nil {
+			return nil, fmt.Errorf("failed to replace host by lookup for proxy %s: %w", proxy.ID, err)
+		}
+	}
+
+	return proxies, nil
+}
+
+func (m *managerImpl) GetProxyByID(ctx context.Context, accountID, reverseProxyID string) (*reverseproxy.ReverseProxy, error) {
+	proxy, err := m.store.GetReverseProxyByID(ctx, store.LockingStrengthNone, accountID, reverseProxyID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get reverse proxy: %w", err)
+	}
+
+	err = m.replaceHostByLookup(ctx, accountID, proxy)
+	if err != nil {
+		return nil, fmt.Errorf("failed to replace host by lookup for proxy %s: %w", proxy.ID, err)
+	}
+
+	return proxy, nil
+}
+
+func (m *managerImpl) GetAccountReverseProxies(ctx context.Context, accountID string) ([]*reverseproxy.ReverseProxy, error) {
+	proxies, err := m.store.GetAccountReverseProxies(ctx, store.LockingStrengthNone, accountID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get reverse proxies: %w", err)
+	}
+
+	for _, proxy := range proxies {
+		err = m.replaceHostByLookup(ctx, accountID, proxy)
+		if err != nil {
+			return nil, fmt.Errorf("failed to replace host by lookup for proxy %s: %w", proxy.ID, err)
+		}
+	}
+
+	return proxies, nil
+}
--- a/management/internals/modules/reverseproxy/reverseproxy.go
+++ b/management/internals/modules/reverseproxy/reverseproxy.go
@@ -43,7 +43,7 @@ const (

 type Target struct {
 	Path       *string `json:"path,omitempty"`
-	Host       string  `json:"host"`
+	Host       string  `json:"host"` // the Host field is only used for subnet targets, otherwise ignored
 	Port       int     `json:"port"`
 	Protocol   string  `json:"protocol"`
 	TargetId   string  `json:"target_id"`
@@ -92,9 +92,9 @@ type ReverseProxy struct {
 	ID                string `gorm:"primaryKey"`
 	AccountID         string `gorm:"index"`
 	Name              string
-	Domain            string   `gorm:"index"`
-	ProxyCluster      string   `gorm:"index"`
-	Targets           []Target `gorm:"serializer:json"`
+	Domain            string    `gorm:"index"`
+	ProxyCluster      string    `gorm:"index"`
+	Targets           []*Target `gorm:"serializer:json"`
 	Enabled           bool
 	PassHostHeader    bool
 	RewriteRedirects  bool
@@ -104,7 +104,7 @@ type ReverseProxy struct {
 	SessionPublicKey  string           `gorm:"column:session_public_key"`
 }

-func NewReverseProxy(accountID, name, domain, proxyCluster string, targets []Target, enabled bool) *ReverseProxy {
+func NewReverseProxy(accountID, name, domain, proxyCluster string, targets []*Target, enabled bool) *ReverseProxy {
 	rp := &ReverseProxy{
 		AccountID:    accountID,
 		Name:         name,
@@ -157,7 +157,7 @@ func (r *ReverseProxy) ToAPIResponse() *api.ReverseProxy {
 	for _, target := range r.Targets {
 		apiTargets = append(apiTargets, api.ReverseProxyTarget{
 			Path:        target.Path,
-			Host:        target.Host,
+			Host:        &target.Host,
 			Port:        target.Port,
 			Protocol:    api.ReverseProxyTargetProtocol(target.Protocol),
 			TargetId:    target.TargetId,
@@ -280,19 +280,22 @@ func (r *ReverseProxy) FromAPIRequest(req *api.ReverseProxyRequest, accountID st
 	r.Domain = req.Domain
 	r.AccountID = accountID

-	targets := make([]Target, 0, len(req.Targets))
+	targets := make([]*Target, 0, len(req.Targets))
 	for _, apiTarget := range req.Targets {
 		accessLocal := apiTarget.AccessLocal != nil && *apiTarget.AccessLocal
-		targets = append(targets, Target{
+		target := &Target{
 			Path:        apiTarget.Path,
-			Host:        apiTarget.Host,
 			Port:        apiTarget.Port,
 			Protocol:    string(apiTarget.Protocol),
 			TargetId:    apiTarget.TargetId,
 			TargetType:  string(apiTarget.TargetType),
 			Enabled:     apiTarget.Enabled,
 			AccessLocal: accessLocal,
-		})
+		}
+		if apiTarget.Host != nil {
+			target.Host = *apiTarget.Host
+		}
+		targets = append(targets, target)
 	}
 	r.Targets = targets

@@ -349,8 +352,14 @@ func (r *ReverseProxy) Validate() error {

 	for i, target := range r.Targets {
 		switch target.TargetType {
-		case TargetTypePeer, TargetTypeHost, TargetTypeSubnet, TargetTypeDomain:
-			// valid resource types
+		case TargetTypePeer, TargetTypeHost, TargetTypeDomain:
+			if target.Host != "" {
+				return fmt.Errorf("target %d has host specified but target_type is %q", i, target.TargetType)
+			}
+		case TargetTypeSubnet:
+			if target.Host == "" {
+				return fmt.Errorf("target %d has empty host but target_type is %q", i, target.TargetType)
+			}
 		default:
 			return fmt.Errorf("target %d has invalid target_type %q", i, target.TargetType)
 		}
@@ -367,7 +376,7 @@ func (r *ReverseProxy) EventMeta() map[string]any {
 }

 func (r *ReverseProxy) Copy() *ReverseProxy {
-	targets := make([]Target, len(r.Targets))
+	targets := make([]*Target, len(r.Targets))
 	copy(targets, r.Targets)

 	return &ReverseProxy{