[management, reverse proxy] Add reverse proxy feature (#5291)

* implement reverse proxy


---------

Co-authored-by: Alisdair MacLeod <git@alisdairmacleod.co.uk>
Co-authored-by: mlsmaycon <mlsmaycon@gmail.com>
Co-authored-by: Eduard Gert <kontakt@eduardgert.de>
Co-authored-by: Viktor Liu <viktor@netbird.io>
Co-authored-by: Diego Noguês <diego.sure@gmail.com>
Co-authored-by: Diego Noguês <49420+diegocn@users.noreply.github.com>
Co-authored-by: Bethuel Mmbaga <bethuelmbaga12@gmail.com>
Co-authored-by: Zoltan Papp <zoltan.pmail@gmail.com>
Co-authored-by: Ashley Mensah <ashleyamo982@gmail.com>

shared/management/proto/generate.sh

@@ -14,4 +14,5 @@ cd "$script_path"
 go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.26
 go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.1
 protoc -I ./ ./management.proto --go_out=../ --go-grpc_out=../
+protoc -I ./ ./proxy_service.proto --go_out=../ --go-grpc_out=../
 cd "$old_pwd"

shared/management/proto/management.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.26.0
-// 	protoc        v6.33.1
+// 	protoc        v6.33.0
 // source: management.proto
 
 package proto

shared/management/proto/proxy_service.proto

@@ -0,0 +1,185 @@
+syntax = "proto3";
+
+package management;
+
+option go_package = "/proto";
+
+import "google/protobuf/timestamp.proto";
+
+// ProxyService - Management is the SERVER, Proxy is the CLIENT
+// Proxy initiates connection to management
+service ProxyService {
+  rpc GetMappingUpdate(GetMappingUpdateRequest) returns (stream GetMappingUpdateResponse);
+
+  rpc SendAccessLog(SendAccessLogRequest) returns (SendAccessLogResponse);
+
+  rpc Authenticate(AuthenticateRequest) returns (AuthenticateResponse);
+
+  rpc SendStatusUpdate(SendStatusUpdateRequest) returns (SendStatusUpdateResponse);
+
+  rpc CreateProxyPeer(CreateProxyPeerRequest) returns (CreateProxyPeerResponse);
+
+  rpc GetOIDCURL(GetOIDCURLRequest) returns (GetOIDCURLResponse);
+
+  // ValidateSession validates a session token and checks user access permissions.
+  // Called by the proxy after receiving a session token from OIDC callback.
+  rpc ValidateSession(ValidateSessionRequest) returns (ValidateSessionResponse);
+}
+
+// GetMappingUpdateRequest is sent to initialise a mapping stream.
+message GetMappingUpdateRequest {
+  string proxy_id = 1;
+  string version = 2;
+  google.protobuf.Timestamp started_at = 3;
+  string address = 4;
+}
+
+// GetMappingUpdateResponse contains zero or more ProxyMappings.
+// No mappings may be sent to test the liveness of the Proxy.
+// Mappings that are sent should be interpreted by the Proxy appropriately.
+message GetMappingUpdateResponse {
+  repeated ProxyMapping mapping = 1;
+  // initial_sync_complete is set on the last message of the initial snapshot.
+  // The proxy uses this to signal that startup is complete.
+  bool initial_sync_complete = 2;
+}
+
+enum ProxyMappingUpdateType {
+  UPDATE_TYPE_CREATED = 0;
+  UPDATE_TYPE_MODIFIED = 1;
+  UPDATE_TYPE_REMOVED = 2;
+}
+
+message PathMapping {
+  string path = 1;
+  string target = 2;
+}
+
+message Authentication {
+  string session_key = 1;
+  int64 max_session_age_seconds = 2;
+  bool password = 3;
+  bool pin = 4;
+  bool oidc = 5;
+}
+
+message ProxyMapping {
+  ProxyMappingUpdateType type = 1;
+  string id = 2;
+  string account_id = 3;
+  string domain = 4;
+  repeated PathMapping path = 5;
+  string auth_token = 6;
+  Authentication auth = 7;
+  // When true, the original Host header from the client request is passed
+  // through to the backend instead of being rewritten to the backend's address.
+  bool pass_host_header = 8;
+  // When true, Location headers in backend responses are rewritten to replace
+  // the backend address with the public-facing domain.
+  bool rewrite_redirects = 9;
+}
+
+// SendAccessLogRequest consists of one or more AccessLogs from a Proxy.
+message SendAccessLogRequest {
+  AccessLog log = 1;
+}
+
+// SendAccessLogResponse is intentionally empty to allow for future expansion.
+message SendAccessLogResponse {}
+
+message AccessLog {
+  google.protobuf.Timestamp timestamp = 1;
+  string log_id = 2;
+  string account_id = 3;
+  string service_id = 4;
+  string host = 5;
+  string path = 6;
+  int64 duration_ms = 7;
+  string method = 8;
+  int32 response_code = 9;
+  string source_ip = 10;
+  string auth_mechanism = 11;
+  string user_id = 12;
+  bool auth_success = 13;
+}
+
+message AuthenticateRequest {
+  string id = 1;
+  string account_id = 2;
+  oneof request {
+    PasswordRequest password = 3;
+    PinRequest pin = 4;
+  }
+}
+
+message PasswordRequest {
+  string password = 1;
+}
+
+message PinRequest {
+  string pin = 1;
+}
+
+message AuthenticateResponse {
+  bool success = 1;
+  string session_token = 2;
+}
+
+enum ProxyStatus {
+  PROXY_STATUS_PENDING = 0;
+  PROXY_STATUS_ACTIVE = 1;
+  PROXY_STATUS_TUNNEL_NOT_CREATED = 2;
+  PROXY_STATUS_CERTIFICATE_PENDING = 3;
+  PROXY_STATUS_CERTIFICATE_FAILED = 4;
+  PROXY_STATUS_ERROR = 5;
+}
+
+// SendStatusUpdateRequest is sent by the proxy to update its status
+message SendStatusUpdateRequest {
+  string service_id = 1;
+  string account_id = 2;
+  ProxyStatus status = 3;
+  bool certificate_issued = 4;
+  optional string error_message = 5;
+}
+
+// SendStatusUpdateResponse is intentionally empty to allow for future expansion
+message SendStatusUpdateResponse {}
+
+// CreateProxyPeerRequest is sent by the proxy to create a peer connection
+// The token is a one-time authentication token sent via ProxyMapping
+message CreateProxyPeerRequest {
+  string service_id = 1;
+  string account_id = 2;
+  string token = 3;
+  string wireguard_public_key = 4;
+  string cluster = 5;
+}
+
+// CreateProxyPeerResponse contains the result of peer creation
+message CreateProxyPeerResponse {
+  bool success = 1;
+  optional string error_message = 2;
+}
+
+message GetOIDCURLRequest {
+  string id = 1;
+  string account_id = 2;
+  string redirect_url = 3;
+}
+
+message GetOIDCURLResponse {
+  string url = 1;
+}
+
+message ValidateSessionRequest {
+  string domain = 1;
+  string session_token = 2;
+}
+
+message ValidateSessionResponse {
+  bool valid = 1;
+  string user_id = 2;
+  string user_email = 3;
+  string denied_reason = 4;
+}

shared/management/proto/proxy_service_grpc.pb.go

@@ -0,0 +1,349 @@
+// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
+
+package proto
+
+import (
+	context "context"
+	grpc "google.golang.org/grpc"
+	codes "google.golang.org/grpc/codes"
+	status "google.golang.org/grpc/status"
+)
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+// Requires gRPC-Go v1.32.0 or later.
+const _ = grpc.SupportPackageIsVersion7
+
+// ProxyServiceClient is the client API for ProxyService service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
+type ProxyServiceClient interface {
+	GetMappingUpdate(ctx context.Context, in *GetMappingUpdateRequest, opts ...grpc.CallOption) (ProxyService_GetMappingUpdateClient, error)
+	SendAccessLog(ctx context.Context, in *SendAccessLogRequest, opts ...grpc.CallOption) (*SendAccessLogResponse, error)
+	Authenticate(ctx context.Context, in *AuthenticateRequest, opts ...grpc.CallOption) (*AuthenticateResponse, error)
+	SendStatusUpdate(ctx context.Context, in *SendStatusUpdateRequest, opts ...grpc.CallOption) (*SendStatusUpdateResponse, error)
+	CreateProxyPeer(ctx context.Context, in *CreateProxyPeerRequest, opts ...grpc.CallOption) (*CreateProxyPeerResponse, error)
+	GetOIDCURL(ctx context.Context, in *GetOIDCURLRequest, opts ...grpc.CallOption) (*GetOIDCURLResponse, error)
+	// ValidateSession validates a session token and checks user access permissions.
+	// Called by the proxy after receiving a session token from OIDC callback.
+	ValidateSession(ctx context.Context, in *ValidateSessionRequest, opts ...grpc.CallOption) (*ValidateSessionResponse, error)
+}
+
+type proxyServiceClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewProxyServiceClient(cc grpc.ClientConnInterface) ProxyServiceClient {
+	return &proxyServiceClient{cc}
+}
+
+func (c *proxyServiceClient) GetMappingUpdate(ctx context.Context, in *GetMappingUpdateRequest, opts ...grpc.CallOption) (ProxyService_GetMappingUpdateClient, error) {
+	stream, err := c.cc.NewStream(ctx, &ProxyService_ServiceDesc.Streams[0], "/management.ProxyService/GetMappingUpdate", opts...)
+	if err != nil {
+		return nil, err
+	}
+	x := &proxyServiceGetMappingUpdateClient{stream}
+	if err := x.ClientStream.SendMsg(in); err != nil {
+		return nil, err
+	}
+	if err := x.ClientStream.CloseSend(); err != nil {
+		return nil, err
+	}
+	return x, nil
+}
+
+type ProxyService_GetMappingUpdateClient interface {
+	Recv() (*GetMappingUpdateResponse, error)
+	grpc.ClientStream
+}
+
+type proxyServiceGetMappingUpdateClient struct {
+	grpc.ClientStream
+}
+
+func (x *proxyServiceGetMappingUpdateClient) Recv() (*GetMappingUpdateResponse, error) {
+	m := new(GetMappingUpdateResponse)
+	if err := x.ClientStream.RecvMsg(m); err != nil {
+		return nil, err
+	}
+	return m, nil
+}
+
+func (c *proxyServiceClient) SendAccessLog(ctx context.Context, in *SendAccessLogRequest, opts ...grpc.CallOption) (*SendAccessLogResponse, error) {
+	out := new(SendAccessLogResponse)
+	err := c.cc.Invoke(ctx, "/management.ProxyService/SendAccessLog", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *proxyServiceClient) Authenticate(ctx context.Context, in *AuthenticateRequest, opts ...grpc.CallOption) (*AuthenticateResponse, error) {
+	out := new(AuthenticateResponse)
+	err := c.cc.Invoke(ctx, "/management.ProxyService/Authenticate", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *proxyServiceClient) SendStatusUpdate(ctx context.Context, in *SendStatusUpdateRequest, opts ...grpc.CallOption) (*SendStatusUpdateResponse, error) {
+	out := new(SendStatusUpdateResponse)
+	err := c.cc.Invoke(ctx, "/management.ProxyService/SendStatusUpdate", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *proxyServiceClient) CreateProxyPeer(ctx context.Context, in *CreateProxyPeerRequest, opts ...grpc.CallOption) (*CreateProxyPeerResponse, error) {
+	out := new(CreateProxyPeerResponse)
+	err := c.cc.Invoke(ctx, "/management.ProxyService/CreateProxyPeer", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *proxyServiceClient) GetOIDCURL(ctx context.Context, in *GetOIDCURLRequest, opts ...grpc.CallOption) (*GetOIDCURLResponse, error) {
+	out := new(GetOIDCURLResponse)
+	err := c.cc.Invoke(ctx, "/management.ProxyService/GetOIDCURL", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *proxyServiceClient) ValidateSession(ctx context.Context, in *ValidateSessionRequest, opts ...grpc.CallOption) (*ValidateSessionResponse, error) {
+	out := new(ValidateSessionResponse)
+	err := c.cc.Invoke(ctx, "/management.ProxyService/ValidateSession", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// ProxyServiceServer is the server API for ProxyService service.
+// All implementations must embed UnimplementedProxyServiceServer
+// for forward compatibility
+type ProxyServiceServer interface {
+	GetMappingUpdate(*GetMappingUpdateRequest, ProxyService_GetMappingUpdateServer) error
+	SendAccessLog(context.Context, *SendAccessLogRequest) (*SendAccessLogResponse, error)
+	Authenticate(context.Context, *AuthenticateRequest) (*AuthenticateResponse, error)
+	SendStatusUpdate(context.Context, *SendStatusUpdateRequest) (*SendStatusUpdateResponse, error)
+	CreateProxyPeer(context.Context, *CreateProxyPeerRequest) (*CreateProxyPeerResponse, error)
+	GetOIDCURL(context.Context, *GetOIDCURLRequest) (*GetOIDCURLResponse, error)
+	// ValidateSession validates a session token and checks user access permissions.
+	// Called by the proxy after receiving a session token from OIDC callback.
+	ValidateSession(context.Context, *ValidateSessionRequest) (*ValidateSessionResponse, error)
+	mustEmbedUnimplementedProxyServiceServer()
+}
+
+// UnimplementedProxyServiceServer must be embedded to have forward compatible implementations.
+type UnimplementedProxyServiceServer struct {
+}
+
+func (UnimplementedProxyServiceServer) GetMappingUpdate(*GetMappingUpdateRequest, ProxyService_GetMappingUpdateServer) error {
+	return status.Errorf(codes.Unimplemented, "method GetMappingUpdate not implemented")
+}
+func (UnimplementedProxyServiceServer) SendAccessLog(context.Context, *SendAccessLogRequest) (*SendAccessLogResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method SendAccessLog not implemented")
+}
+func (UnimplementedProxyServiceServer) Authenticate(context.Context, *AuthenticateRequest) (*AuthenticateResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method Authenticate not implemented")
+}
+func (UnimplementedProxyServiceServer) SendStatusUpdate(context.Context, *SendStatusUpdateRequest) (*SendStatusUpdateResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method SendStatusUpdate not implemented")
+}
+func (UnimplementedProxyServiceServer) CreateProxyPeer(context.Context, *CreateProxyPeerRequest) (*CreateProxyPeerResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method CreateProxyPeer not implemented")
+}
+func (UnimplementedProxyServiceServer) GetOIDCURL(context.Context, *GetOIDCURLRequest) (*GetOIDCURLResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GetOIDCURL not implemented")
+}
+func (UnimplementedProxyServiceServer) ValidateSession(context.Context, *ValidateSessionRequest) (*ValidateSessionResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method ValidateSession not implemented")
+}
+func (UnimplementedProxyServiceServer) mustEmbedUnimplementedProxyServiceServer() {}
+
+// UnsafeProxyServiceServer may be embedded to opt out of forward compatibility for this service.
+// Use of this interface is not recommended, as added methods to ProxyServiceServer will
+// result in compilation errors.
+type UnsafeProxyServiceServer interface {
+	mustEmbedUnimplementedProxyServiceServer()
+}
+
+func RegisterProxyServiceServer(s grpc.ServiceRegistrar, srv ProxyServiceServer) {
+	s.RegisterService(&ProxyService_ServiceDesc, srv)
+}
+
+func _ProxyService_GetMappingUpdate_Handler(srv interface{}, stream grpc.ServerStream) error {
+	m := new(GetMappingUpdateRequest)
+	if err := stream.RecvMsg(m); err != nil {
+		return err
+	}
+	return srv.(ProxyServiceServer).GetMappingUpdate(m, &proxyServiceGetMappingUpdateServer{stream})
+}
+
+type ProxyService_GetMappingUpdateServer interface {
+	Send(*GetMappingUpdateResponse) error
+	grpc.ServerStream
+}
+
+type proxyServiceGetMappingUpdateServer struct {
+	grpc.ServerStream
+}
+
+func (x *proxyServiceGetMappingUpdateServer) Send(m *GetMappingUpdateResponse) error {
+	return x.ServerStream.SendMsg(m)
+}
+
+func _ProxyService_SendAccessLog_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SendAccessLogRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ProxyServiceServer).SendAccessLog(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/management.ProxyService/SendAccessLog",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ProxyServiceServer).SendAccessLog(ctx, req.(*SendAccessLogRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _ProxyService_Authenticate_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(AuthenticateRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ProxyServiceServer).Authenticate(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/management.ProxyService/Authenticate",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ProxyServiceServer).Authenticate(ctx, req.(*AuthenticateRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _ProxyService_SendStatusUpdate_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SendStatusUpdateRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ProxyServiceServer).SendStatusUpdate(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/management.ProxyService/SendStatusUpdate",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ProxyServiceServer).SendStatusUpdate(ctx, req.(*SendStatusUpdateRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _ProxyService_CreateProxyPeer_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(CreateProxyPeerRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ProxyServiceServer).CreateProxyPeer(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/management.ProxyService/CreateProxyPeer",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ProxyServiceServer).CreateProxyPeer(ctx, req.(*CreateProxyPeerRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _ProxyService_GetOIDCURL_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(GetOIDCURLRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ProxyServiceServer).GetOIDCURL(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/management.ProxyService/GetOIDCURL",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ProxyServiceServer).GetOIDCURL(ctx, req.(*GetOIDCURLRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _ProxyService_ValidateSession_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(ValidateSessionRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ProxyServiceServer).ValidateSession(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/management.ProxyService/ValidateSession",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ProxyServiceServer).ValidateSession(ctx, req.(*ValidateSessionRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+// ProxyService_ServiceDesc is the grpc.ServiceDesc for ProxyService service.
+// It's only intended for direct use with grpc.RegisterService,
+// and not to be introspected or modified (even as a copy)
+var ProxyService_ServiceDesc = grpc.ServiceDesc{
+	ServiceName: "management.ProxyService",
+	HandlerType: (*ProxyServiceServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "SendAccessLog",
+			Handler:    _ProxyService_SendAccessLog_Handler,
+		},
+		{
+			MethodName: "Authenticate",
+			Handler:    _ProxyService_Authenticate_Handler,
+		},
+		{
+			MethodName: "SendStatusUpdate",
+			Handler:    _ProxyService_SendStatusUpdate_Handler,
+		},
+		{
+			MethodName: "CreateProxyPeer",
+			Handler:    _ProxyService_CreateProxyPeer_Handler,
+		},
+		{
+			MethodName: "GetOIDCURL",
+			Handler:    _ProxyService_GetOIDCURL_Handler,
+		},
+		{
+			MethodName: "ValidateSession",
+			Handler:    _ProxyService_ValidateSession_Handler,
+		},
+	},
+	Streams: []grpc.StreamDesc{
+		{
+			StreamName:    "GetMappingUpdate",
+			Handler:       _ProxyService_GetMappingUpdate_Handler,
+			ServerStreams: true,
+		},
+	},
+	Metadata: "proxy_service.proto",
+}