Merge remote-tracking branch 'origin/main' into feat/byod-proxy

# Conflicts: # management/internals/modules/reverseproxy/domain/manager/manager.go # management/internals/modules/reverseproxy/proxy/manager.go # management/internals/modules/reverseproxy/proxy/manager/manager.go # management/internals/modules/reverseproxy/proxy/manager_mock.go # management/internals/shared/grpc/proxy.go # management/server/store/sql_store.go # proxy/management_integration_test.go
2026-04-22 02:06:39 +00:00 · 2026-04-13 17:02:24 +03:00
parent de3cb06067 13539543af
commit e62521132c
229 changed files with 22569 additions and 2567 deletions
--- a/management/internals/modules/reverseproxy/service/manager/l4_port_test.go
+++ b/management/internals/modules/reverseproxy/service/manager/l4_port_test.go
@@ -75,16 +75,18 @@ func setupL4Test(t *testing.T, customPortsSupported *bool) (*Manager, store.Stor
 	require.NoError(t, err)

 	mockCtrl := proxy.NewMockController(ctrl)
-	mockCtrl.EXPECT().ClusterSupportsCustomPorts(gomock.Any()).Return(customPortsSupported).AnyTimes()
-	mockCtrl.EXPECT().ClusterRequireSubdomain(gomock.Any()).Return((*bool)(nil)).AnyTimes()
 	mockCtrl.EXPECT().SendServiceUpdateToCluster(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).AnyTimes()
 	mockCtrl.EXPECT().GetOIDCValidationConfig().Return(proxy.OIDCValidationConfig{}).AnyTimes()

+	mockCaps := proxy.NewMockManager(ctrl)
+	mockCaps.EXPECT().ClusterSupportsCustomPorts(gomock.Any(), testCluster).Return(customPortsSupported).AnyTimes()
+	mockCaps.EXPECT().ClusterRequireSubdomain(gomock.Any(), testCluster).Return((*bool)(nil)).AnyTimes()
+
 	accountMgr := &mock_server.MockAccountManager{
 		StoreEventFunc:         func(_ context.Context, _, _, _ string, _ activity.ActivityDescriber, _ map[string]any) {},
 		UpdateAccountPeersFunc: func(_ context.Context, _ string) {},
-		GetGroupByNameFunc: func(ctx context.Context, accountID, groupName string) (*types.Group, error) {
-			return testStore.GetGroupByName(ctx, store.LockingStrengthNone, groupName, accountID)
+		GetGroupByNameFunc: func(ctx context.Context, groupName, accountID, userID string) (*types.Group, error) {
+			return testStore.GetGroupByName(ctx, store.LockingStrengthNone, accountID, groupName)
 		},
 	}

@@ -93,6 +95,7 @@ func setupL4Test(t *testing.T, customPortsSupported *bool) (*Manager, store.Stor
 		accountManager:     accountMgr,
 		permissionsManager: permissions.NewManager(testStore),
 		proxyController:    mockCtrl,
+		capabilities:       mockCaps,
 		clusterDeriver:     &testClusterDeriver{domains: []string{"test.netbird.io"}},
 	}
 	mgr.exposeReaper = &exposeReaper{manager: mgr}
--- a/management/internals/modules/reverseproxy/service/manager/manager.go
+++ b/management/internals/modules/reverseproxy/service/manager/manager.go
@@ -75,22 +75,30 @@ type ClusterDeriver interface {
 	GetClusterDomains() []string
 }

+// CapabilityProvider queries proxy cluster capabilities from the database.
+type CapabilityProvider interface {
+	ClusterSupportsCustomPorts(ctx context.Context, clusterAddr string) *bool
+	ClusterRequireSubdomain(ctx context.Context, clusterAddr string) *bool
+}
+
 type Manager struct {
 	store              store.Store
 	accountManager     account.Manager
 	permissionsManager permissions.Manager
 	proxyController    proxy.Controller
+	capabilities       CapabilityProvider
 	clusterDeriver     ClusterDeriver
 	exposeReaper       *exposeReaper
 }

 // NewManager creates a new service manager.
-func NewManager(store store.Store, accountManager account.Manager, permissionsManager permissions.Manager, proxyController proxy.Controller, clusterDeriver ClusterDeriver) *Manager {
+func NewManager(store store.Store, accountManager account.Manager, permissionsManager permissions.Manager, proxyController proxy.Controller, capabilities CapabilityProvider, clusterDeriver ClusterDeriver) *Manager {
 	mgr := &Manager{
 		store:              store,
 		accountManager:     accountManager,
 		permissionsManager: permissionsManager,
 		proxyController:    proxyController,
+		capabilities:       capabilities,
 		clusterDeriver:     clusterDeriver,
 	}
 	mgr.exposeReaper = &exposeReaper{manager: mgr}
@@ -237,7 +245,7 @@ func (m *Manager) initializeServiceForCreate(ctx context.Context, accountID stri
 		}
 		service.ProxyCluster = proxyCluster

-		if err := m.validateSubdomainRequirement(service.Domain, proxyCluster); err != nil {
+		if err := m.validateSubdomainRequirement(ctx, service.Domain, proxyCluster); err != nil {
 			return err
 		}
 	}
@@ -268,11 +276,11 @@ func (m *Manager) initializeServiceForCreate(ctx context.Context, accountID stri
 // validateSubdomainRequirement checks whether the domain can be used bare
 // (without a subdomain label) on the given cluster. If the cluster reports
 // require_subdomain=true and the domain equals the cluster domain, it rejects.
-func (m *Manager) validateSubdomainRequirement(domain, cluster string) error {
+func (m *Manager) validateSubdomainRequirement(ctx context.Context, domain, cluster string) error {
 	if domain != cluster {
 		return nil
 	}
-	requireSub := m.proxyController.ClusterRequireSubdomain(cluster)
+	requireSub := m.capabilities.ClusterRequireSubdomain(ctx, cluster)
 	if requireSub != nil && *requireSub {
 		return status.Errorf(status.InvalidArgument, "domain %s requires a subdomain label", domain)
 	}
@@ -280,6 +288,8 @@ func (m *Manager) validateSubdomainRequirement(domain, cluster string) error {
 }

 func (m *Manager) persistNewService(ctx context.Context, accountID string, svc *service.Service) error {
+	customPorts := m.clusterCustomPorts(ctx, svc)
+
 	return m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		if svc.Domain != "" {
 			if err := m.checkDomainAvailable(ctx, transaction, svc.Domain, ""); err != nil {
@@ -287,7 +297,7 @@ func (m *Manager) persistNewService(ctx context.Context, accountID string, svc *
 			}
 		}

-		if err := m.ensureL4Port(ctx, transaction, svc); err != nil {
+		if err := m.ensureL4Port(ctx, transaction, svc, customPorts); err != nil {
 			return err
 		}

@@ -307,12 +317,23 @@ func (m *Manager) persistNewService(ctx context.Context, accountID string, svc *
 	})
 }

-// ensureL4Port auto-assigns a listen port when needed and validates cluster support.
-func (m *Manager) ensureL4Port(ctx context.Context, tx store.Store, svc *service.Service) error {
+// clusterCustomPorts queries whether the cluster supports custom ports.
+// Must be called before entering a transaction: the underlying query uses
+// the main DB handle, which deadlocks when called inside a transaction
+// that already holds the connection.
+func (m *Manager) clusterCustomPorts(ctx context.Context, svc *service.Service) *bool {
+	if !service.IsL4Protocol(svc.Mode) {
+		return nil
+	}
+	return m.capabilities.ClusterSupportsCustomPorts(ctx, svc.ProxyCluster)
+}
+
+// ensureL4Port auto-assigns a listen port when needed and validates cluster support.
+// customPorts must be pre-computed via clusterCustomPorts before entering a transaction.
+func (m *Manager) ensureL4Port(ctx context.Context, tx store.Store, svc *service.Service, customPorts *bool) error {
 	if !service.IsL4Protocol(svc.Mode) {
 		return nil
 	}
-	customPorts := m.proxyController.ClusterSupportsCustomPorts(svc.ProxyCluster)
 	if service.IsPortBasedProtocol(svc.Mode) && svc.ListenPort > 0 && (customPorts == nil || !*customPorts) {
 		if svc.Source != service.SourceEphemeral {
 			return status.Errorf(status.InvalidArgument, "custom ports not supported on cluster %s", svc.ProxyCluster)
@@ -396,12 +417,14 @@ func (m *Manager) assignPort(ctx context.Context, tx store.Store, cluster string
 // The count and exists queries use FOR UPDATE locking to serialize concurrent creates
 // for the same peer, preventing the per-peer limit from being bypassed.
 func (m *Manager) persistNewEphemeralService(ctx context.Context, accountID, peerID string, svc *service.Service) error {
+	customPorts := m.clusterCustomPorts(ctx, svc)
+
 	return m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		if err := m.validateEphemeralPreconditions(ctx, transaction, accountID, peerID, svc); err != nil {
 			return err
 		}

-		if err := m.ensureL4Port(ctx, transaction, svc); err != nil {
+		if err := m.ensureL4Port(ctx, transaction, svc, customPorts); err != nil {
 			return err
 		}

@@ -504,21 +527,58 @@ type serviceUpdateInfo struct {
 }

 func (m *Manager) persistServiceUpdate(ctx context.Context, accountID string, service *service.Service) (*serviceUpdateInfo, error) {
+	effectiveCluster, err := m.resolveEffectiveCluster(ctx, accountID, service)
+	if err != nil {
+		return nil, err
+	}
+
+	svcForCaps := *service
+	svcForCaps.ProxyCluster = effectiveCluster
+	customPorts := m.clusterCustomPorts(ctx, &svcForCaps)
+
 	var updateInfo serviceUpdateInfo

-	err := m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		return m.executeServiceUpdate(ctx, transaction, accountID, service, &updateInfo)
+	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		return m.executeServiceUpdate(ctx, transaction, accountID, service, &updateInfo, customPorts)
 	})

 	return &updateInfo, err
 }

-func (m *Manager) executeServiceUpdate(ctx context.Context, transaction store.Store, accountID string, service *service.Service, updateInfo *serviceUpdateInfo) error {
+// resolveEffectiveCluster determines the cluster that will be used after the update.
+// It reads the existing service without locking and derives the new cluster if the domain changed.
+func (m *Manager) resolveEffectiveCluster(ctx context.Context, accountID string, svc *service.Service) (string, error) {
+	existing, err := m.store.GetServiceByID(ctx, store.LockingStrengthNone, accountID, svc.ID)
+	if err != nil {
+		return "", err
+	}
+
+	if existing.Domain == svc.Domain {
+		return existing.ProxyCluster, nil
+	}
+
+	if m.clusterDeriver != nil {
+		derived, err := m.clusterDeriver.DeriveClusterFromDomain(ctx, accountID, svc.Domain)
+		if err != nil {
+			log.WithError(err).Warnf("could not derive cluster from domain %s", svc.Domain)
+		} else {
+			return derived, nil
+		}
+	}
+
+	return existing.ProxyCluster, nil
+}
+
+func (m *Manager) executeServiceUpdate(ctx context.Context, transaction store.Store, accountID string, service *service.Service, updateInfo *serviceUpdateInfo, customPorts *bool) error {
 	existingService, err := transaction.GetServiceByID(ctx, store.LockingStrengthUpdate, accountID, service.ID)
 	if err != nil {
 		return err
 	}

+	if existingService.Terminated {
+		return status.Errorf(status.PermissionDenied, "service is terminated and cannot be updated")
+	}
+
 	if err := validateProtocolChange(existingService.Mode, service.Mode); err != nil {
 		return err
 	}
@@ -534,7 +594,7 @@ func (m *Manager) executeServiceUpdate(ctx context.Context, transaction store.St
 		service.ProxyCluster = existingService.ProxyCluster
 	}

-	if err := m.validateSubdomainRequirement(service.Domain, service.ProxyCluster); err != nil {
+	if err := m.validateSubdomainRequirement(ctx, service.Domain, service.ProxyCluster); err != nil {
 		return err
 	}

@@ -546,7 +606,7 @@ func (m *Manager) executeServiceUpdate(ctx context.Context, transaction store.St
 	m.preserveListenPort(service, existingService)
 	updateInfo.serviceEnabledChanged = existingService.Enabled != service.Enabled

-	if err := m.ensureL4Port(ctx, transaction, service); err != nil {
+	if err := m.ensureL4Port(ctx, transaction, service, customPorts); err != nil {
 		return err
 	}
 	if err := m.checkPortConflict(ctx, transaction, service); err != nil {
@@ -1063,7 +1123,7 @@ func (m *Manager) getGroupIDsFromNames(ctx context.Context, accountID string, gr
 	}
 	groupIDs := make([]string, 0, len(groupNames))
 	for _, groupName := range groupNames {
-		g, err := m.accountManager.GetGroupByName(ctx, groupName, accountID)
+		g, err := m.accountManager.GetGroupByName(ctx, groupName, accountID, activity.SystemInitiator)
 		if err != nil {
 			return nil, fmt.Errorf("failed to get group by name %s: %w", groupName, err)
 		}
--- a/management/internals/modules/reverseproxy/service/manager/manager_test.go
+++ b/management/internals/modules/reverseproxy/service/manager/manager_test.go
@@ -698,8 +698,8 @@ func setupIntegrationTest(t *testing.T) (*Manager, store.Store) {
 	accountMgr := &mock_server.MockAccountManager{
 		StoreEventFunc:         func(_ context.Context, _, _, _ string, _ activity.ActivityDescriber, _ map[string]any) {},
 		UpdateAccountPeersFunc: func(_ context.Context, _ string) {},
-		GetGroupByNameFunc: func(ctx context.Context, accountID, groupName string) (*types.Group, error) {
-			return testStore.GetGroupByName(ctx, store.LockingStrengthNone, groupName, accountID)
+		GetGroupByNameFunc: func(ctx context.Context, groupName, accountID, userID string) (*types.Group, error) {
+			return testStore.GetGroupByName(ctx, store.LockingStrengthNone, accountID, groupName)
 		},
 	}

@@ -1324,11 +1324,11 @@ func TestValidateSubdomainRequirement(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			ctrl := gomock.NewController(t)

-			mockCtrl := proxy.NewMockController(ctrl)
-			mockCtrl.EXPECT().ClusterRequireSubdomain(tc.cluster).Return(tc.requireSubdomain).AnyTimes()
+			mockCaps := proxy.NewMockManager(ctrl)
+			mockCaps.EXPECT().ClusterRequireSubdomain(gomock.Any(), tc.cluster).Return(tc.requireSubdomain).AnyTimes()

-			mgr := &Manager{proxyController: mockCtrl}
-			err := mgr.validateSubdomainRequirement(tc.domain, tc.cluster)
+			mgr := &Manager{capabilities: mockCaps}
+			err := mgr.validateSubdomainRequirement(context.Background(), tc.domain, tc.cluster)
 			if tc.wantErr {
 				require.Error(t, err)
 				assert.Contains(t, err.Error(), "requires a subdomain label")
--- a/management/internals/modules/reverseproxy/service/service.go
+++ b/management/internals/modules/reverseproxy/service/service.go
@@ -184,6 +184,7 @@ type Service struct {
 	ProxyCluster      string    `gorm:"index"`
 	Targets           []*Target `gorm:"foreignKey:ServiceID;constraint:OnDelete:CASCADE"`
 	Enabled           bool
+	Terminated        bool
 	PassHostHeader    bool
 	RewriteRedirects  bool
 	Auth              AuthConfig         `gorm:"serializer:json"`
@@ -256,7 +257,7 @@ func (s *Service) ToAPIResponse() *api.Service {
 			Protocol:   api.ServiceTargetProtocol(target.Protocol),
 			TargetId:   target.TargetId,
 			TargetType: api.ServiceTargetTargetType(target.TargetType),
-			Enabled:    target.Enabled,
+			Enabled:    target.Enabled && !s.Terminated,
 		}
 		opts := targetOptionsToAPI(target.Options)
 		if opts == nil {
@@ -286,7 +287,8 @@ func (s *Service) ToAPIResponse() *api.Service {
 		Name:               s.Name,
 		Domain:             s.Domain,
 		Targets:            apiTargets,
-		Enabled:            s.Enabled,
+		Enabled:            s.Enabled && !s.Terminated,
+		Terminated:         &s.Terminated,
 		PassHostHeader:     &s.PassHostHeader,
 		RewriteRedirects:   &s.RewriteRedirects,
 		Auth:               authConfig,
@@ -785,6 +787,11 @@ func (s *Service) validateHTTPTargets() error {
 }

 func (s *Service) validateL4Target(target *Target) error {
+	// L4 services have a single target; per-target disable is meaningless
+	// (use the service-level Enabled flag instead). Force it on so that
+	// buildPathMappings always includes the target in the proto.
+	target.Enabled = true
+
 	if target.Port == 0 {
 		return errors.New("target port is required for L4 services")
 	}
@@ -850,7 +857,7 @@ func IsPortBasedProtocol(mode string) bool {
 }

 const (
-	maxCustomHeaders = 16
+	maxCustomHeaders  = 16
 	maxHeaderKeyLen   = 128
 	maxHeaderValueLen = 4096
 )
@@ -947,7 +954,6 @@ func containsCRLF(s string) bool {
 }

 func validateHeaderAuths(headers []*HeaderAuthConfig) error {
-	seen := make(map[string]struct{})
 	for i, h := range headers {
 		if h == nil || !h.Enabled {
 			continue
@@ -968,10 +974,6 @@ func validateHeaderAuths(headers []*HeaderAuthConfig) error {
 		if canonical == "Host" {
 			return fmt.Errorf("header_auths[%d]: Host header cannot be used for auth", i)
 		}
-		if _, dup := seen[canonical]; dup {
-			return fmt.Errorf("header_auths[%d]: duplicate header %q (same canonical form already configured)", i, h.Header)
-		}
-		seen[canonical] = struct{}{}
 		if len(h.Value) > maxHeaderValueLen {
 			return fmt.Errorf("header_auths[%d]: value exceeds maximum length of %d", i, maxHeaderValueLen)
 		}
@@ -1130,6 +1132,7 @@ func (s *Service) Copy() *Service {
 		ProxyCluster:      s.ProxyCluster,
 		Targets:           targets,
 		Enabled:           s.Enabled,
+		Terminated:        s.Terminated,
 		PassHostHeader:    s.PassHostHeader,
 		RewriteRedirects:  s.RewriteRedirects,
 		Auth:              authCopy,
--- a/management/internals/modules/reverseproxy/service/service_test.go
+++ b/management/internals/modules/reverseproxy/service/service_test.go
@@ -935,3 +935,107 @@ func TestExposeServiceRequest_Validate_HTTPAllowsAuth(t *testing.T) {
 	req := ExposeServiceRequest{Port: 8080, Mode: "http", Pin: "123456"}
 	require.NoError(t, req.Validate())
 }
+
+func TestValidate_HeaderAuths(t *testing.T) {
+	t.Run("single valid header", func(t *testing.T) {
+		rp := validProxy()
+		rp.Auth = AuthConfig{
+			HeaderAuths: []*HeaderAuthConfig{
+				{Enabled: true, Header: "X-API-Key", Value: "secret"},
+			},
+		}
+		require.NoError(t, rp.Validate())
+	})
+
+	t.Run("multiple headers same canonical name allowed", func(t *testing.T) {
+		rp := validProxy()
+		rp.Auth = AuthConfig{
+			HeaderAuths: []*HeaderAuthConfig{
+				{Enabled: true, Header: "Authorization", Value: "Bearer token-1"},
+				{Enabled: true, Header: "Authorization", Value: "Bearer token-2"},
+			},
+		}
+		require.NoError(t, rp.Validate())
+	})
+
+	t.Run("multiple headers different case same canonical allowed", func(t *testing.T) {
+		rp := validProxy()
+		rp.Auth = AuthConfig{
+			HeaderAuths: []*HeaderAuthConfig{
+				{Enabled: true, Header: "x-api-key", Value: "key-1"},
+				{Enabled: true, Header: "X-Api-Key", Value: "key-2"},
+			},
+		}
+		require.NoError(t, rp.Validate())
+	})
+
+	t.Run("multiple different headers allowed", func(t *testing.T) {
+		rp := validProxy()
+		rp.Auth = AuthConfig{
+			HeaderAuths: []*HeaderAuthConfig{
+				{Enabled: true, Header: "Authorization", Value: "Bearer tok"},
+				{Enabled: true, Header: "X-API-Key", Value: "key"},
+			},
+		}
+		require.NoError(t, rp.Validate())
+	})
+
+	t.Run("empty header name rejected", func(t *testing.T) {
+		rp := validProxy()
+		rp.Auth = AuthConfig{
+			HeaderAuths: []*HeaderAuthConfig{
+				{Enabled: true, Header: "", Value: "val"},
+			},
+		}
+		err := rp.Validate()
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "header name is required")
+	})
+
+	t.Run("hop-by-hop header rejected", func(t *testing.T) {
+		rp := validProxy()
+		rp.Auth = AuthConfig{
+			HeaderAuths: []*HeaderAuthConfig{
+				{Enabled: true, Header: "Connection", Value: "val"},
+			},
+		}
+		err := rp.Validate()
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "hop-by-hop")
+	})
+
+	t.Run("host header rejected", func(t *testing.T) {
+		rp := validProxy()
+		rp.Auth = AuthConfig{
+			HeaderAuths: []*HeaderAuthConfig{
+				{Enabled: true, Header: "Host", Value: "val"},
+			},
+		}
+		err := rp.Validate()
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "Host header cannot be used")
+	})
+
+	t.Run("disabled entries skipped", func(t *testing.T) {
+		rp := validProxy()
+		rp.Auth = AuthConfig{
+			HeaderAuths: []*HeaderAuthConfig{
+				{Enabled: false, Header: "", Value: ""},
+				{Enabled: true, Header: "X-Key", Value: "val"},
+			},
+		}
+		require.NoError(t, rp.Validate())
+	})
+
+	t.Run("value too long rejected", func(t *testing.T) {
+		rp := validProxy()
+		rp.Auth = AuthConfig{
+			HeaderAuths: []*HeaderAuthConfig{
+				{Enabled: true, Header: "X-Key", Value: strings.Repeat("a", maxHeaderValueLen+1)},
+			},
+		}
+		err := rp.Validate()
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "exceeds maximum length")
+	})
+}