mirror of
https://github.com/netbirdio/netbird.git
synced 2026-05-21 08:09:55 +00:00
167ee08e14
Adds a new "private" service mode for the reverse proxy: services reachable exclusively over the embedded WireGuard tunnel, gated by per-peer group membership instead of operator auth schemes. Wire contract - ProxyMapping.private (field 13): the proxy MUST call ValidateTunnelPeer and fail closed; operator schemes are bypassed. - ProxyCapabilities.private (4) + supports_private_service (5): capability gate. Management never streams private mappings to proxies that don't claim the capability; the broadcast path applies the same filter via filterMappingsForProxy. - ValidateTunnelPeer RPC: resolves an inbound tunnel IP to a peer, checks the peer's groups against service.AccessGroups, and mints a session JWT on success. checkPeerGroupAccess fails closed when a private service has empty AccessGroups. - ValidateSession/ValidateTunnelPeer responses now carry peer_group_ids + peer_group_names so the proxy can authorise policy-aware middlewares without an extra management round-trip. - ProxyInboundListener + SendStatusUpdate.inbound_listener: per-account inbound listener state surfaced to dashboards. - PathTargetOptions.direct_upstream (11): bypass the embedded NetBird client and dial the target via the proxy host's network stack for upstreams reachable without WireGuard. Data model - Service.Private (bool) + Service.AccessGroups ([]string, JSON- serialised). Validate() rejects bearer auth on private services. Copy() deep-copies AccessGroups. pgx getServices loads the columns. - DomainConfig.Private threaded into the proxy auth middleware. Request handler routes private services through forwardWithTunnelPeer and returns 403 on validation failure. - Account-level SynthesizePrivateServiceZones (synthetic DNS) and injectPrivateServicePolicies (synthetic ACL) gate on len(svc.AccessGroups) > 0. Proxy - /netbird proxy --private (embedded mode) flag; Config.Private in proxy/lifecycle.go. - Per-account inbound listener (proxy/inbound.go) binding HTTP/HTTPS on the embedded NetBird client's WireGuard tunnel netstack. - proxy/internal/auth/tunnel_cache: ValidateTunnelPeer response cache with single-flight de-duplication and per-account eviction. - Local peerstore short-circuit: when the inbound IP isn't in the account roster, deny fast without an RPC. - proxy/server.go reports SupportsPrivateService=true and redacts the full ProxyMapping JSON from info logs (auth_token + header-auth hashed values now only at debug level). Identity forwarding - ValidateSessionJWT returns user_id, email, method, groups, group_names. sessionkey.Claims carries Email + Groups + GroupNames so the proxy can stamp identity onto upstream requests without an extra management round-trip on every cookie-bearing request. - CapturedData carries userEmail / userGroups / userGroupNames; the proxy stamps X-NetBird-User and X-NetBird-Groups on r.Out from the authenticated identity (strips client-supplied values first to prevent spoofing). - AccessLog.UserGroups: access-log enrichment captures the user's group memberships at write time so the dashboard can render group context without reverse-resolving stale memberships. OpenAPI/dashboard surface - ReverseProxyService gains private + access_groups; ReverseProxyCluster gains private + supports_private. ReverseProxyTarget target_type enum gains "cluster". ServiceTargetOptions gains direct_upstream. ProxyAccessLog gains user_groups.
363 lines
14 KiB
Go
363 lines
14 KiB
Go
package roundtrip
|
|
|
|
import (
|
|
"context"
|
|
"net/http"
|
|
"net/netip"
|
|
"sync"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
"google.golang.org/grpc"
|
|
|
|
"github.com/netbirdio/netbird/proxy/internal/types"
|
|
"github.com/netbirdio/netbird/shared/management/proto"
|
|
)
|
|
|
|
type mockMgmtClient struct{}
|
|
|
|
func (m *mockMgmtClient) CreateProxyPeer(_ context.Context, _ *proto.CreateProxyPeerRequest, _ ...grpc.CallOption) (*proto.CreateProxyPeerResponse, error) {
|
|
return &proto.CreateProxyPeerResponse{Success: true}, nil
|
|
}
|
|
|
|
type mockStatusNotifier struct {
|
|
mu sync.Mutex
|
|
statuses []statusCall
|
|
}
|
|
|
|
type statusCall struct {
|
|
accountID types.AccountID
|
|
serviceID types.ServiceID
|
|
connected bool
|
|
}
|
|
|
|
func (m *mockStatusNotifier) NotifyStatus(_ context.Context, accountID types.AccountID, serviceID types.ServiceID, connected bool) error {
|
|
m.mu.Lock()
|
|
defer m.mu.Unlock()
|
|
m.statuses = append(m.statuses, statusCall{accountID, serviceID, connected})
|
|
return nil
|
|
}
|
|
|
|
func (m *mockStatusNotifier) calls() []statusCall {
|
|
m.mu.Lock()
|
|
defer m.mu.Unlock()
|
|
return append([]statusCall{}, m.statuses...)
|
|
}
|
|
|
|
// mockNetBird creates a NetBird instance for testing without actually connecting.
|
|
// It uses an invalid management URL to prevent real connections.
|
|
func mockNetBird() *NetBird {
|
|
return NewNetBird("test-proxy", "invalid.test", ClientConfig{
|
|
MgmtAddr: "http://invalid.test:9999",
|
|
WGPort: 0,
|
|
PreSharedKey: "",
|
|
}, nil, nil, &mockMgmtClient{})
|
|
}
|
|
|
|
func TestNetBird_AddPeer_CreatesClientForNewAccount(t *testing.T) {
|
|
nb := mockNetBird()
|
|
accountID := types.AccountID("account-1")
|
|
|
|
// Initially no client exists.
|
|
assert.False(t, nb.HasClient(accountID), "should not have client before AddPeer")
|
|
assert.Equal(t, 0, nb.ServiceCount(accountID), "service count should be 0")
|
|
|
|
// Add first service - this should create a new client.
|
|
err := nb.AddPeer(context.Background(), accountID, "domain1.test", "setup-key-1", types.ServiceID("proxy-1"))
|
|
require.NoError(t, err)
|
|
|
|
assert.True(t, nb.HasClient(accountID), "should have client after AddPeer")
|
|
assert.Equal(t, 1, nb.ServiceCount(accountID), "service count should be 1")
|
|
}
|
|
|
|
func TestNetBird_AddPeer_ReuseClientForSameAccount(t *testing.T) {
|
|
nb := mockNetBird()
|
|
accountID := types.AccountID("account-1")
|
|
|
|
// Add first service.
|
|
err := nb.AddPeer(context.Background(), accountID, "domain1.test", "setup-key-1", types.ServiceID("proxy-1"))
|
|
require.NoError(t, err)
|
|
assert.Equal(t, 1, nb.ServiceCount(accountID))
|
|
|
|
// Add second service for the same account - should reuse existing client.
|
|
err = nb.AddPeer(context.Background(), accountID, "domain2.test", "setup-key-1", types.ServiceID("proxy-2"))
|
|
require.NoError(t, err)
|
|
assert.Equal(t, 2, nb.ServiceCount(accountID), "service count should be 2 after adding second service")
|
|
|
|
// Add third service.
|
|
err = nb.AddPeer(context.Background(), accountID, "domain3.test", "setup-key-1", types.ServiceID("proxy-3"))
|
|
require.NoError(t, err)
|
|
assert.Equal(t, 3, nb.ServiceCount(accountID), "service count should be 3 after adding third service")
|
|
|
|
// Still only one client.
|
|
assert.True(t, nb.HasClient(accountID))
|
|
}
|
|
|
|
func TestNetBird_AddPeer_SeparateClientsForDifferentAccounts(t *testing.T) {
|
|
nb := mockNetBird()
|
|
account1 := types.AccountID("account-1")
|
|
account2 := types.AccountID("account-2")
|
|
|
|
// Add service for account 1.
|
|
err := nb.AddPeer(context.Background(), account1, "domain1.test", "setup-key-1", types.ServiceID("proxy-1"))
|
|
require.NoError(t, err)
|
|
|
|
// Add service for account 2.
|
|
err = nb.AddPeer(context.Background(), account2, "domain2.test", "setup-key-2", types.ServiceID("proxy-2"))
|
|
require.NoError(t, err)
|
|
|
|
// Both accounts should have their own clients.
|
|
assert.True(t, nb.HasClient(account1), "account1 should have client")
|
|
assert.True(t, nb.HasClient(account2), "account2 should have client")
|
|
assert.Equal(t, 1, nb.ServiceCount(account1), "account1 service count should be 1")
|
|
assert.Equal(t, 1, nb.ServiceCount(account2), "account2 service count should be 1")
|
|
}
|
|
|
|
func TestNetBird_RemovePeer_KeepsClientWhenServicesRemain(t *testing.T) {
|
|
nb := mockNetBird()
|
|
accountID := types.AccountID("account-1")
|
|
|
|
// Add multiple services.
|
|
err := nb.AddPeer(context.Background(), accountID, "domain1.test", "setup-key-1", types.ServiceID("proxy-1"))
|
|
require.NoError(t, err)
|
|
err = nb.AddPeer(context.Background(), accountID, "domain2.test", "setup-key-1", types.ServiceID("proxy-2"))
|
|
require.NoError(t, err)
|
|
err = nb.AddPeer(context.Background(), accountID, "domain3.test", "setup-key-1", types.ServiceID("proxy-3"))
|
|
require.NoError(t, err)
|
|
assert.Equal(t, 3, nb.ServiceCount(accountID))
|
|
|
|
// Remove one service - client should remain.
|
|
err = nb.RemovePeer(context.Background(), accountID, "domain1.test")
|
|
require.NoError(t, err)
|
|
assert.True(t, nb.HasClient(accountID), "client should remain after removing one service")
|
|
assert.Equal(t, 2, nb.ServiceCount(accountID), "service count should be 2")
|
|
|
|
// Remove another service - client should still remain.
|
|
err = nb.RemovePeer(context.Background(), accountID, "domain2.test")
|
|
require.NoError(t, err)
|
|
assert.True(t, nb.HasClient(accountID), "client should remain after removing second service")
|
|
assert.Equal(t, 1, nb.ServiceCount(accountID), "service count should be 1")
|
|
}
|
|
|
|
func TestNetBird_RemovePeer_RemovesClientWhenLastServiceRemoved(t *testing.T) {
|
|
nb := mockNetBird()
|
|
accountID := types.AccountID("account-1")
|
|
|
|
// Add single service.
|
|
err := nb.AddPeer(context.Background(), accountID, "domain1.test", "setup-key-1", types.ServiceID("proxy-1"))
|
|
require.NoError(t, err)
|
|
assert.True(t, nb.HasClient(accountID))
|
|
|
|
// Remove the only service - client should be removed.
|
|
_ = nb.RemovePeer(context.Background(), accountID, "domain1.test")
|
|
|
|
// After removing all services, client should be gone.
|
|
assert.False(t, nb.HasClient(accountID), "client should be removed after removing last service")
|
|
assert.Equal(t, 0, nb.ServiceCount(accountID), "service count should be 0")
|
|
}
|
|
|
|
func TestNetBird_RemovePeer_NonExistentAccountIsNoop(t *testing.T) {
|
|
nb := mockNetBird()
|
|
accountID := types.AccountID("nonexistent-account")
|
|
|
|
// Removing from non-existent account should not error.
|
|
err := nb.RemovePeer(context.Background(), accountID, "domain1.test")
|
|
assert.NoError(t, err, "removing from non-existent account should not error")
|
|
}
|
|
|
|
func TestNetBird_RemovePeer_NonExistentServiceIsNoop(t *testing.T) {
|
|
nb := mockNetBird()
|
|
accountID := types.AccountID("account-1")
|
|
|
|
// Add one service.
|
|
err := nb.AddPeer(context.Background(), accountID, "domain1.test", "setup-key-1", types.ServiceID("proxy-1"))
|
|
require.NoError(t, err)
|
|
|
|
// Remove non-existent service - should not affect existing service.
|
|
err = nb.RemovePeer(context.Background(), accountID, "nonexistent.test")
|
|
require.NoError(t, err)
|
|
|
|
// Original service should still be registered.
|
|
assert.True(t, nb.HasClient(accountID))
|
|
assert.Equal(t, 1, nb.ServiceCount(accountID), "original service should remain")
|
|
}
|
|
|
|
func TestWithAccountID_AndAccountIDFromContext(t *testing.T) {
|
|
ctx := context.Background()
|
|
accountID := types.AccountID("test-account")
|
|
|
|
// Initially no account ID in context.
|
|
retrieved := AccountIDFromContext(ctx)
|
|
assert.True(t, retrieved == "", "should be empty when not set")
|
|
|
|
// Add account ID to context.
|
|
ctx = WithAccountID(ctx, accountID)
|
|
retrieved = AccountIDFromContext(ctx)
|
|
assert.Equal(t, accountID, retrieved, "should retrieve the same account ID")
|
|
}
|
|
|
|
func TestAccountIDFromContext_ReturnsEmptyForWrongType(t *testing.T) {
|
|
// Create context with wrong type for account ID key.
|
|
ctx := context.WithValue(context.Background(), accountIDContextKey{}, "wrong-type-string")
|
|
|
|
retrieved := AccountIDFromContext(ctx)
|
|
assert.True(t, retrieved == "", "should return empty for wrong type")
|
|
}
|
|
|
|
func TestNetBird_StopAll_StopsAllClients(t *testing.T) {
|
|
nb := mockNetBird()
|
|
account1 := types.AccountID("account-1")
|
|
account2 := types.AccountID("account-2")
|
|
account3 := types.AccountID("account-3")
|
|
|
|
// Add services for multiple accounts.
|
|
err := nb.AddPeer(context.Background(), account1, "domain1.test", "key-1", types.ServiceID("proxy-1"))
|
|
require.NoError(t, err)
|
|
err = nb.AddPeer(context.Background(), account2, "domain2.test", "key-2", types.ServiceID("proxy-2"))
|
|
require.NoError(t, err)
|
|
err = nb.AddPeer(context.Background(), account3, "domain3.test", "key-3", types.ServiceID("proxy-3"))
|
|
require.NoError(t, err)
|
|
|
|
assert.Equal(t, 3, nb.ClientCount(), "should have 3 clients")
|
|
|
|
// Stop all clients.
|
|
_ = nb.StopAll(context.Background())
|
|
|
|
assert.Equal(t, 0, nb.ClientCount(), "should have 0 clients after StopAll")
|
|
assert.False(t, nb.HasClient(account1), "account1 should not have client")
|
|
assert.False(t, nb.HasClient(account2), "account2 should not have client")
|
|
assert.False(t, nb.HasClient(account3), "account3 should not have client")
|
|
}
|
|
|
|
func TestNetBird_ClientCount(t *testing.T) {
|
|
nb := mockNetBird()
|
|
|
|
assert.Equal(t, 0, nb.ClientCount(), "should start with 0 clients")
|
|
|
|
// Add clients for different accounts.
|
|
err := nb.AddPeer(context.Background(), types.AccountID("account-1"), "domain1.test", "key-1", types.ServiceID("proxy-1"))
|
|
require.NoError(t, err)
|
|
assert.Equal(t, 1, nb.ClientCount())
|
|
|
|
err = nb.AddPeer(context.Background(), types.AccountID("account-2"), "domain2.test", "key-2", types.ServiceID("proxy-2"))
|
|
require.NoError(t, err)
|
|
assert.Equal(t, 2, nb.ClientCount())
|
|
|
|
// Adding service to existing account should not increase count.
|
|
err = nb.AddPeer(context.Background(), types.AccountID("account-1"), "domain1b.test", "key-1", types.ServiceID("proxy-1b"))
|
|
require.NoError(t, err)
|
|
assert.Equal(t, 2, nb.ClientCount(), "adding service to existing account should not increase client count")
|
|
}
|
|
|
|
func TestNetBird_RoundTrip_RequiresAccountIDInContext(t *testing.T) {
|
|
nb := mockNetBird()
|
|
|
|
// Create a request without account ID in context.
|
|
req, err := http.NewRequest("GET", "http://example.com/", nil)
|
|
require.NoError(t, err)
|
|
|
|
// RoundTrip should fail because no account ID in context.
|
|
_, err = nb.RoundTrip(req) //nolint:bodyclose
|
|
require.ErrorIs(t, err, ErrNoAccountID)
|
|
}
|
|
|
|
func TestNetBird_RoundTrip_RequiresExistingClient(t *testing.T) {
|
|
nb := mockNetBird()
|
|
accountID := types.AccountID("nonexistent-account")
|
|
|
|
// Create a request with account ID but no client exists.
|
|
req, err := http.NewRequest("GET", "http://example.com/", nil)
|
|
require.NoError(t, err)
|
|
req = req.WithContext(WithAccountID(req.Context(), accountID))
|
|
|
|
// RoundTrip should fail because no client for this account.
|
|
_, err = nb.RoundTrip(req) //nolint:bodyclose // Error case, no response body
|
|
assert.Error(t, err)
|
|
assert.Contains(t, err.Error(), "no peer connection found for account")
|
|
}
|
|
|
|
func TestNetBird_AddPeer_ExistingStartedClient_NotifiesStatus(t *testing.T) {
|
|
notifier := &mockStatusNotifier{}
|
|
nb := NewNetBird("test-proxy", "invalid.test", ClientConfig{
|
|
MgmtAddr: "http://invalid.test:9999",
|
|
WGPort: 0,
|
|
PreSharedKey: "",
|
|
}, nil, notifier, &mockMgmtClient{})
|
|
accountID := types.AccountID("account-1")
|
|
|
|
// Add first service — creates a new client entry.
|
|
err := nb.AddPeer(context.Background(), accountID, "domain1.test", "key-1", types.ServiceID("svc-1"))
|
|
require.NoError(t, err)
|
|
|
|
// Manually mark client as started to simulate background startup completing.
|
|
nb.clientsMux.Lock()
|
|
nb.clients[accountID].started = true
|
|
nb.clientsMux.Unlock()
|
|
|
|
// Add second service — should notify immediately since client is already started.
|
|
err = nb.AddPeer(context.Background(), accountID, "domain2.test", "key-1", types.ServiceID("svc-2"))
|
|
require.NoError(t, err)
|
|
|
|
calls := notifier.calls()
|
|
require.Len(t, calls, 1)
|
|
assert.Equal(t, accountID, calls[0].accountID)
|
|
assert.Equal(t, types.ServiceID("svc-2"), calls[0].serviceID)
|
|
assert.True(t, calls[0].connected)
|
|
}
|
|
|
|
// TestNetBird_IdentityForIP_UnknownAccountReturnsFalse confirms that the
|
|
// public lookup short-circuits when no client has been registered for
|
|
// the queried account. The auth middleware uses ok=false as a fast deny.
|
|
func TestNetBird_IdentityForIP_UnknownAccountReturnsFalse(t *testing.T) {
|
|
nb := mockNetBird()
|
|
_, _, ok := nb.IdentityForIP("acct-missing", netip.MustParseAddr("100.64.0.10"))
|
|
assert.False(t, ok, "unknown account must yield ok=false")
|
|
}
|
|
|
|
// TestClientEntry_IdentityForIP_NilClientGuard ensures the receiver
|
|
// methods stay safe when called on partially-initialized state, which
|
|
// can happen briefly during AddPeer setup or test fixtures.
|
|
func TestClientEntry_IdentityForIP_NilClientGuard(t *testing.T) {
|
|
var e *clientEntry
|
|
_, _, ok := e.IdentityForIP(netip.MustParseAddr("100.64.0.10"))
|
|
assert.False(t, ok, "nil clientEntry must yield ok=false")
|
|
|
|
e = &clientEntry{}
|
|
_, _, ok = e.IdentityForIP(netip.MustParseAddr("100.64.0.10"))
|
|
assert.False(t, ok, "clientEntry with nil embed.Client must yield ok=false")
|
|
}
|
|
|
|
// TestClientEntry_IdentityForIP_InvalidIPReturnsFalse covers the input
|
|
// guard so callers don't have to repeat the check.
|
|
func TestClientEntry_IdentityForIP_InvalidIPReturnsFalse(t *testing.T) {
|
|
e := &clientEntry{}
|
|
_, _, ok := e.IdentityForIP(netip.Addr{})
|
|
assert.False(t, ok, "invalid IP must yield ok=false")
|
|
}
|
|
|
|
func TestNetBird_RemovePeer_NotifiesDisconnection(t *testing.T) {
|
|
notifier := &mockStatusNotifier{}
|
|
nb := NewNetBird("test-proxy", "invalid.test", ClientConfig{
|
|
MgmtAddr: "http://invalid.test:9999",
|
|
WGPort: 0,
|
|
PreSharedKey: "",
|
|
}, nil, notifier, &mockMgmtClient{})
|
|
accountID := types.AccountID("account-1")
|
|
|
|
err := nb.AddPeer(context.Background(), accountID, "domain1.test", "key-1", types.ServiceID("svc-1"))
|
|
require.NoError(t, err)
|
|
err = nb.AddPeer(context.Background(), accountID, "domain2.test", "key-1", types.ServiceID("svc-2"))
|
|
require.NoError(t, err)
|
|
|
|
// Remove one service — client stays, but disconnection notification fires.
|
|
err = nb.RemovePeer(context.Background(), accountID, "domain1.test")
|
|
require.NoError(t, err)
|
|
assert.True(t, nb.HasClient(accountID))
|
|
|
|
calls := notifier.calls()
|
|
require.Len(t, calls, 1)
|
|
assert.Equal(t, types.ServiceID("svc-1"), calls[0].serviceID)
|
|
assert.False(t, calls[0].connected)
|
|
}
|