Adds a new "private" service mode for the reverse proxy: services reachable exclusively over the embedded WireGuard tunnel, gated by per-peer group membership instead of operator auth schemes. Wire contract - ProxyMapping.private (field 13): the proxy MUST call ValidateTunnelPeer and fail closed; operator schemes are bypassed. - ProxyCapabilities.private (4) + supports_private_service (5): capability gate. Management never streams private mappings to proxies that don't claim the capability; the broadcast path applies the same filter via filterMappingsForProxy. - ValidateTunnelPeer RPC: resolves an inbound tunnel IP to a peer, checks the peer's groups against service.AccessGroups, and mints a session JWT on success. checkPeerGroupAccess fails closed when a private service has empty AccessGroups. - ValidateSession/ValidateTunnelPeer responses now carry peer_group_ids + peer_group_names so the proxy can authorise policy-aware middlewares without an extra management round-trip. - ProxyInboundListener + SendStatusUpdate.inbound_listener: per-account inbound listener state surfaced to dashboards. - PathTargetOptions.direct_upstream (11): bypass the embedded NetBird client and dial the target via the proxy host's network stack for upstreams reachable without WireGuard. Data model - Service.Private (bool) + Service.AccessGroups ([]string, JSON- serialised). Validate() rejects bearer auth on private services. Copy() deep-copies AccessGroups. pgx getServices loads the columns. - DomainConfig.Private threaded into the proxy auth middleware. Request handler routes private services through forwardWithTunnelPeer and returns 403 on validation failure. - Account-level SynthesizePrivateServiceZones (synthetic DNS) and injectPrivateServicePolicies (synthetic ACL) gate on len(svc.AccessGroups) > 0. Proxy - /netbird proxy --private (embedded mode) flag; Config.Private in proxy/lifecycle.go. 
- Per-account inbound listener (proxy/inbound.go) binding HTTP/HTTPS on the embedded NetBird client's WireGuard tunnel netstack. - proxy/internal/auth/tunnel_cache: ValidateTunnelPeer response cache with single-flight de-duplication and per-account eviction. - Local peerstore short-circuit: when the inbound IP isn't in the account roster, deny fast without an RPC. - proxy/server.go reports SupportsPrivateService=true and redacts the full ProxyMapping JSON from info logs (auth_token + header-auth hashed values now only at debug level). Identity forwarding - ValidateSessionJWT returns user_id, email, method, groups, group_names. sessionkey.Claims carries Email + Groups + GroupNames so the proxy can stamp identity onto upstream requests without an extra management round-trip on every cookie-bearing request. - CapturedData carries userEmail / userGroups / userGroupNames; the proxy stamps X-NetBird-User and X-NetBird-Groups on r.Out from the authenticated identity (strips client-supplied values first to prevent spoofing). - AccessLog.UserGroups: access-log enrichment captures the user's group memberships at write time so the dashboard can render group context without reverse-resolving stale memberships. OpenAPI/dashboard surface - ReverseProxyService gains private + access_groups; ReverseProxyCluster gains private + supports_private. ReverseProxyTarget target_type enum gains "cluster". ServiceTargetOptions gains direct_upstream. ProxyAccessLog gains user_groups.
// Code generated by MockGen. DO NOT EDIT.
// Source: ./manager.go
// Package proxy is a generated GoMock package.
package proxy
import (
context "context"
reflect "reflect"
time "time"
gomock "github.com/golang/mock/gomock"
proto "github.com/netbirdio/netbird/shared/management/proto"
)
// MockManager is a mock of Manager interface.
type MockManager struct {
	// ctrl is the gomock controller that every mocked method routes its Call through.
	ctrl *gomock.Controller
	// recorder is the object handed back by EXPECT for registering expected calls.
	recorder *MockManagerMockRecorder
}
// MockManagerMockRecorder is the mock recorder for MockManager.
type MockManagerMockRecorder struct {
	// mock is the MockManager whose controller receives the recorded expectations.
	mock *MockManager
}
// NewMockManager creates a new mock instance.
//
// The returned mock and its recorder point at each other, so expectations
// registered through EXPECT are checked by the same controller ctrl.
func NewMockManager(ctrl *gomock.Controller) *MockManager {
	m := &MockManager{ctrl: ctrl}
	m.recorder = &MockManagerMockRecorder{mock: m}
	return m
}
// EXPECT returns an object that allows the caller to indicate expected use.
//
// The recorder was wired up by NewMockManager; this accessor only exposes it.
func (m *MockManager) EXPECT() *MockManagerMockRecorder {
	rec := m.recorder
	return rec
}
// CleanupStale mocks base method.
//
// The call is recorded on the controller and the first configured return
// value is handed back as an error; when no error was configured the type
// assertion fails silently and nil is returned.
func (m *MockManager) CleanupStale(ctx context.Context, inactivityDuration time.Duration) error {
	m.ctrl.T.Helper()
	results := m.ctrl.Call(m, "CleanupStale", ctx, inactivityDuration)
	err, _ := results[0].(error)
	return err
}
// CleanupStale indicates an expected call of CleanupStale.
//
// Arguments are untyped so callers may pass gomock matchers instead of values.
func (mr *MockManagerMockRecorder) CleanupStale(ctx, inactivityDuration interface{}) *gomock.Call {
	ctrl := mr.mock.ctrl
	ctrl.T.Helper()
	method := reflect.TypeOf((*MockManager)(nil).CleanupStale)
	return ctrl.RecordCallWithMethodType(mr.mock, "CleanupStale", method, ctx, inactivityDuration)
}
// ClusterSupportsCustomPorts mocks base method.
//
// Returns the configured *bool, or nil when the expectation supplied no
// value of that type.
func (m *MockManager) ClusterSupportsCustomPorts(ctx context.Context, clusterAddr string) *bool {
	m.ctrl.T.Helper()
	results := m.ctrl.Call(m, "ClusterSupportsCustomPorts", ctx, clusterAddr)
	supported, _ := results[0].(*bool)
	return supported
}
// ClusterSupportsCustomPorts indicates an expected call of ClusterSupportsCustomPorts.
func (mr *MockManagerMockRecorder) ClusterSupportsCustomPorts(ctx, clusterAddr interface{}) *gomock.Call {
	ctrl := mr.mock.ctrl
	ctrl.T.Helper()
	method := reflect.TypeOf((*MockManager)(nil).ClusterSupportsCustomPorts)
	return ctrl.RecordCallWithMethodType(mr.mock, "ClusterSupportsCustomPorts", method, ctx, clusterAddr)
}
// ClusterRequireSubdomain mocks base method.
//
// Returns the configured *bool, or nil when the expectation supplied no
// value of that type.
func (m *MockManager) ClusterRequireSubdomain(ctx context.Context, clusterAddr string) *bool {
	m.ctrl.T.Helper()
	results := m.ctrl.Call(m, "ClusterRequireSubdomain", ctx, clusterAddr)
	required, _ := results[0].(*bool)
	return required
}
// ClusterRequireSubdomain indicates an expected call of ClusterRequireSubdomain.
func (mr *MockManagerMockRecorder) ClusterRequireSubdomain(ctx, clusterAddr interface{}) *gomock.Call {
	ctrl := mr.mock.ctrl
	ctrl.T.Helper()
	method := reflect.TypeOf((*MockManager)(nil).ClusterRequireSubdomain)
	return ctrl.RecordCallWithMethodType(mr.mock, "ClusterRequireSubdomain", method, ctx, clusterAddr)
}
// ClusterSupportsCrowdSec mocks base method.
//
// Returns the configured *bool, or nil when the expectation supplied no
// value of that type.
func (m *MockManager) ClusterSupportsCrowdSec(ctx context.Context, clusterAddr string) *bool {
	m.ctrl.T.Helper()
	results := m.ctrl.Call(m, "ClusterSupportsCrowdSec", ctx, clusterAddr)
	supported, _ := results[0].(*bool)
	return supported
}
// ClusterSupportsCrowdSec indicates an expected call of ClusterSupportsCrowdSec.
func (mr *MockManagerMockRecorder) ClusterSupportsCrowdSec(ctx, clusterAddr interface{}) *gomock.Call {
	ctrl := mr.mock.ctrl
	ctrl.T.Helper()
	method := reflect.TypeOf((*MockManager)(nil).ClusterSupportsCrowdSec)
	return ctrl.RecordCallWithMethodType(mr.mock, "ClusterSupportsCrowdSec", method, ctx, clusterAddr)
}
// ClusterSupportsPrivate mocks base method.
//
// Returns the configured *bool, or nil when the expectation supplied no
// value of that type. Tests that exercise the private-service capability
// gate should set an explicit value rather than rely on the nil fallback,
// so that "capability unknown" and "capability absent" are not conflated
// by accident. NOTE(review): how the real Manager's callers treat nil is
// not visible here — confirm against manager.go.
func (m *MockManager) ClusterSupportsPrivate(ctx context.Context, clusterAddr string) *bool {
	m.ctrl.T.Helper()
	results := m.ctrl.Call(m, "ClusterSupportsPrivate", ctx, clusterAddr)
	supported, _ := results[0].(*bool)
	return supported
}
// ClusterSupportsPrivate indicates an expected call of ClusterSupportsPrivate.
func (mr *MockManagerMockRecorder) ClusterSupportsPrivate(ctx, clusterAddr interface{}) *gomock.Call {
	ctrl := mr.mock.ctrl
	ctrl.T.Helper()
	method := reflect.TypeOf((*MockManager)(nil).ClusterSupportsPrivate)
	return ctrl.RecordCallWithMethodType(mr.mock, "ClusterSupportsPrivate", method, ctx, clusterAddr)
}
// Connect mocks base method.
//
// Both results come from the configured expectation; a missing or mistyped
// value becomes nil for the *Proxy and nil for the error respectively.
func (m *MockManager) Connect(ctx context.Context, proxyID, sessionID, clusterAddress, ipAddress string, accountID *string, capabilities *Capabilities) (*Proxy, error) {
	m.ctrl.T.Helper()
	results := m.ctrl.Call(m, "Connect", ctx, proxyID, sessionID, clusterAddress, ipAddress, accountID, capabilities)
	p, _ := results[0].(*Proxy)
	err, _ := results[1].(error)
	return p, err
}
// Connect indicates an expected call of Connect.
func (mr *MockManagerMockRecorder) Connect(ctx, proxyID, sessionID, clusterAddress, ipAddress, accountID, capabilities interface{}) *gomock.Call {
	ctrl := mr.mock.ctrl
	ctrl.T.Helper()
	method := reflect.TypeOf((*MockManager)(nil).Connect)
	return ctrl.RecordCallWithMethodType(mr.mock, "Connect", method, ctx, proxyID, sessionID, clusterAddress, ipAddress, accountID, capabilities)
}
// Disconnect mocks base method.
//
// Returns the configured error, or nil when none was supplied.
func (m *MockManager) Disconnect(ctx context.Context, proxyID, sessionID string) error {
	m.ctrl.T.Helper()
	results := m.ctrl.Call(m, "Disconnect", ctx, proxyID, sessionID)
	err, _ := results[0].(error)
	return err
}
// Disconnect indicates an expected call of Disconnect.
func (mr *MockManagerMockRecorder) Disconnect(ctx, proxyID, sessionID interface{}) *gomock.Call {
	ctrl := mr.mock.ctrl
	ctrl.T.Helper()
	method := reflect.TypeOf((*MockManager)(nil).Disconnect)
	return ctrl.RecordCallWithMethodType(mr.mock, "Disconnect", method, ctx, proxyID, sessionID)
}
// GetActiveClusterAddresses mocks base method.
//
// A missing or mistyped first result yields a nil slice; the second becomes
// a nil error.
func (m *MockManager) GetActiveClusterAddresses(ctx context.Context) ([]string, error) {
	m.ctrl.T.Helper()
	results := m.ctrl.Call(m, "GetActiveClusterAddresses", ctx)
	addrs, _ := results[0].([]string)
	err, _ := results[1].(error)
	return addrs, err
}
// GetActiveClusterAddresses indicates an expected call of GetActiveClusterAddresses.
func (mr *MockManagerMockRecorder) GetActiveClusterAddresses(ctx interface{}) *gomock.Call {
	ctrl := mr.mock.ctrl
	ctrl.T.Helper()
	method := reflect.TypeOf((*MockManager)(nil).GetActiveClusterAddresses)
	return ctrl.RecordCallWithMethodType(mr.mock, "GetActiveClusterAddresses", method, ctx)
}
// GetActiveClusterAddressesForAccount mocks base method.
//
// Unlike its siblings this method originally carried no doc comment; it
// follows the same pattern: record the call, then hand back the configured
// []string (nil if absent) and error (nil if absent).
func (m *MockManager) GetActiveClusterAddressesForAccount(ctx context.Context, accountID string) ([]string, error) {
	m.ctrl.T.Helper()
	results := m.ctrl.Call(m, "GetActiveClusterAddressesForAccount", ctx, accountID)
	addrs, _ := results[0].([]string)
	err, _ := results[1].(error)
	return addrs, err
}
// GetActiveClusterAddressesForAccount indicates an expected call of GetActiveClusterAddressesForAccount.
func (mr *MockManagerMockRecorder) GetActiveClusterAddressesForAccount(ctx, accountID interface{}) *gomock.Call {
	ctrl := mr.mock.ctrl
	ctrl.T.Helper()
	method := reflect.TypeOf((*MockManager)(nil).GetActiveClusterAddressesForAccount)
	return ctrl.RecordCallWithMethodType(mr.mock, "GetActiveClusterAddressesForAccount", method, ctx, accountID)
}
// Heartbeat mocks base method.
//
// Returns the configured error, or nil when none was supplied.
func (m *MockManager) Heartbeat(ctx context.Context, p *Proxy) error {
	m.ctrl.T.Helper()
	results := m.ctrl.Call(m, "Heartbeat", ctx, p)
	err, _ := results[0].(error)
	return err
}
// Heartbeat indicates an expected call of Heartbeat.
func (mr *MockManagerMockRecorder) Heartbeat(ctx, p interface{}) *gomock.Call {
	ctrl := mr.mock.ctrl
	ctrl.T.Helper()
	method := reflect.TypeOf((*MockManager)(nil).Heartbeat)
	return ctrl.RecordCallWithMethodType(mr.mock, "Heartbeat", method, ctx, p)
}
// GetAccountProxy mocks base method.
//
// A missing or mistyped first result yields a nil *Proxy; the second becomes
// a nil error.
func (m *MockManager) GetAccountProxy(ctx context.Context, accountID string) (*Proxy, error) {
	m.ctrl.T.Helper()
	results := m.ctrl.Call(m, "GetAccountProxy", ctx, accountID)
	p, _ := results[0].(*Proxy)
	err, _ := results[1].(error)
	return p, err
}
// GetAccountProxy indicates an expected call of GetAccountProxy.
func (mr *MockManagerMockRecorder) GetAccountProxy(ctx, accountID interface{}) *gomock.Call {
	ctrl := mr.mock.ctrl
	ctrl.T.Helper()
	method := reflect.TypeOf((*MockManager)(nil).GetAccountProxy)
	return ctrl.RecordCallWithMethodType(mr.mock, "GetAccountProxy", method, ctx, accountID)
}
// CountAccountProxies mocks base method.
//
// A missing or mistyped first result yields 0; the second becomes a nil
// error.
func (m *MockManager) CountAccountProxies(ctx context.Context, accountID string) (int64, error) {
	m.ctrl.T.Helper()
	results := m.ctrl.Call(m, "CountAccountProxies", ctx, accountID)
	count, _ := results[0].(int64)
	err, _ := results[1].(error)
	return count, err
}
// CountAccountProxies indicates an expected call of CountAccountProxies.
func (mr *MockManagerMockRecorder) CountAccountProxies(ctx, accountID interface{}) *gomock.Call {
	ctrl := mr.mock.ctrl
	ctrl.T.Helper()
	method := reflect.TypeOf((*MockManager)(nil).CountAccountProxies)
	return ctrl.RecordCallWithMethodType(mr.mock, "CountAccountProxies", method, ctx, accountID)
}
// IsClusterAddressAvailable mocks base method.
//
// A missing or mistyped first result yields false (the safe default for an
// availability check); the second becomes a nil error.
func (m *MockManager) IsClusterAddressAvailable(ctx context.Context, clusterAddress, accountID string) (bool, error) {
	m.ctrl.T.Helper()
	results := m.ctrl.Call(m, "IsClusterAddressAvailable", ctx, clusterAddress, accountID)
	available, _ := results[0].(bool)
	err, _ := results[1].(error)
	return available, err
}
// IsClusterAddressAvailable indicates an expected call of IsClusterAddressAvailable.
func (mr *MockManagerMockRecorder) IsClusterAddressAvailable(ctx, clusterAddress, accountID interface{}) *gomock.Call {
	ctrl := mr.mock.ctrl
	ctrl.T.Helper()
	method := reflect.TypeOf((*MockManager)(nil).IsClusterAddressAvailable)
	return ctrl.RecordCallWithMethodType(mr.mock, "IsClusterAddressAvailable", method, ctx, clusterAddress, accountID)
}
// DeleteAccountCluster mocks base method.
//
// Returns the configured error, or nil when none was supplied.
func (m *MockManager) DeleteAccountCluster(ctx context.Context, clusterAddress, accountID string) error {
	m.ctrl.T.Helper()
	results := m.ctrl.Call(m, "DeleteAccountCluster", ctx, clusterAddress, accountID)
	err, _ := results[0].(error)
	return err
}
// DeleteAccountCluster indicates an expected call of DeleteAccountCluster.
func (mr *MockManagerMockRecorder) DeleteAccountCluster(ctx, clusterAddress, accountID interface{}) *gomock.Call {
	ctrl := mr.mock.ctrl
	ctrl.T.Helper()
	method := reflect.TypeOf((*MockManager)(nil).DeleteAccountCluster)
	return ctrl.RecordCallWithMethodType(mr.mock, "DeleteAccountCluster", method, ctx, clusterAddress, accountID)
}
// MockController is a mock of Controller interface.
type MockController struct {
	// ctrl is the gomock controller that every mocked method routes its Call through.
	ctrl *gomock.Controller
	// recorder is the object handed back by EXPECT for registering expected calls.
	recorder *MockControllerMockRecorder
}
// MockControllerMockRecorder is the mock recorder for MockController.
type MockControllerMockRecorder struct {
	// mock is the MockController whose controller receives the recorded expectations.
	mock *MockController
}
// NewMockController creates a new mock instance.
//
// The returned mock and its recorder point at each other, so expectations
// registered through EXPECT are checked by the same controller ctrl.
func NewMockController(ctrl *gomock.Controller) *MockController {
	m := &MockController{ctrl: ctrl}
	m.recorder = &MockControllerMockRecorder{mock: m}
	return m
}
// EXPECT returns an object that allows the caller to indicate expected use.
//
// The recorder was wired up by NewMockController; this accessor only exposes it.
func (m *MockController) EXPECT() *MockControllerMockRecorder {
	rec := m.recorder
	return rec
}
// GetOIDCValidationConfig mocks base method.
//
// Returns the configured OIDCValidationConfig; when the expectation supplied
// no value of that type the zero-value config is returned, so tests that
// depend on validation settings should always configure an explicit value.
func (m *MockController) GetOIDCValidationConfig() OIDCValidationConfig {
	m.ctrl.T.Helper()
	results := m.ctrl.Call(m, "GetOIDCValidationConfig")
	cfg, _ := results[0].(OIDCValidationConfig)
	return cfg
}
// GetOIDCValidationConfig indicates an expected call of GetOIDCValidationConfig.
func (mr *MockControllerMockRecorder) GetOIDCValidationConfig() *gomock.Call {
	ctrl := mr.mock.ctrl
	ctrl.T.Helper()
	method := reflect.TypeOf((*MockController)(nil).GetOIDCValidationConfig)
	return ctrl.RecordCallWithMethodType(mr.mock, "GetOIDCValidationConfig", method)
}
// GetProxiesForCluster mocks base method.
//
// Returns the configured []string, or a nil slice when none was supplied.
func (m *MockController) GetProxiesForCluster(clusterAddr string) []string {
	m.ctrl.T.Helper()
	results := m.ctrl.Call(m, "GetProxiesForCluster", clusterAddr)
	proxies, _ := results[0].([]string)
	return proxies
}
// GetProxiesForCluster indicates an expected call of GetProxiesForCluster.
func (mr *MockControllerMockRecorder) GetProxiesForCluster(clusterAddr interface{}) *gomock.Call {
	ctrl := mr.mock.ctrl
	ctrl.T.Helper()
	method := reflect.TypeOf((*MockController)(nil).GetProxiesForCluster)
	return ctrl.RecordCallWithMethodType(mr.mock, "GetProxiesForCluster", method, clusterAddr)
}
// RegisterProxyToCluster mocks base method.
//
// Returns the configured error, or nil when none was supplied.
func (m *MockController) RegisterProxyToCluster(ctx context.Context, clusterAddr, proxyID string) error {
	m.ctrl.T.Helper()
	results := m.ctrl.Call(m, "RegisterProxyToCluster", ctx, clusterAddr, proxyID)
	err, _ := results[0].(error)
	return err
}
// RegisterProxyToCluster indicates an expected call of RegisterProxyToCluster.
func (mr *MockControllerMockRecorder) RegisterProxyToCluster(ctx, clusterAddr, proxyID interface{}) *gomock.Call {
	ctrl := mr.mock.ctrl
	ctrl.T.Helper()
	method := reflect.TypeOf((*MockController)(nil).RegisterProxyToCluster)
	return ctrl.RecordCallWithMethodType(mr.mock, "RegisterProxyToCluster", method, ctx, clusterAddr, proxyID)
}
// SendServiceUpdateToCluster mocks base method.
//
// The method has no results, so only the call and its arguments (including
// the full *proto.ProxyMapping) are recorded against the expectation.
func (m *MockController) SendServiceUpdateToCluster(ctx context.Context, accountID string, update *proto.ProxyMapping, clusterAddr string) {
	m.ctrl.T.Helper()
	// Nothing to return: the controller's result slice is deliberately discarded.
	_ = m.ctrl.Call(m, "SendServiceUpdateToCluster", ctx, accountID, update, clusterAddr)
}
// SendServiceUpdateToCluster indicates an expected call of SendServiceUpdateToCluster.
func (mr *MockControllerMockRecorder) SendServiceUpdateToCluster(ctx, accountID, update, clusterAddr interface{}) *gomock.Call {
	ctrl := mr.mock.ctrl
	ctrl.T.Helper()
	method := reflect.TypeOf((*MockController)(nil).SendServiceUpdateToCluster)
	return ctrl.RecordCallWithMethodType(mr.mock, "SendServiceUpdateToCluster", method, ctx, accountID, update, clusterAddr)
}
// UnregisterProxyFromCluster mocks base method.
//
// Returns the configured error, or nil when none was supplied.
func (m *MockController) UnregisterProxyFromCluster(ctx context.Context, clusterAddr, proxyID string) error {
	m.ctrl.T.Helper()
	results := m.ctrl.Call(m, "UnregisterProxyFromCluster", ctx, clusterAddr, proxyID)
	err, _ := results[0].(error)
	return err
}
// UnregisterProxyFromCluster indicates an expected call of UnregisterProxyFromCluster.
func (mr *MockControllerMockRecorder) UnregisterProxyFromCluster(ctx, clusterAddr, proxyID interface{}) *gomock.Call {
	ctrl := mr.mock.ctrl
	ctrl.T.Helper()
	method := reflect.TypeOf((*MockController)(nil).UnregisterProxyFromCluster)
	return ctrl.RecordCallWithMethodType(mr.mock, "UnregisterProxyFromCluster", method, ctx, clusterAddr, proxyID)
}