mirror of
https://github.com/netbirdio/netbird.git
synced 2026-07-18 12:39:54 +00:00
* fix(proxy): gate tunnel-peer fast-path on inbound listener marker
forwardWithTunnelPeer previously accepted any RFC1918 / ULA / CGNAT
source IP, so a public client whose address happened to fall in those
ranges could bypass the configured operator auth scheme by colliding
with a known tunnel IP. The fast-path is now gated on
TunnelLookupFromContext(r.Context()) being present — that context value
is attached only by the per-account inbound (overlay) listener, so the
host-facing listener never enters this branch.
Tests updated to reflect the new requirement: requests that don't
carry the inbound marker now fall through to the regular auth flow.
* fix(proxy): harden inbound listener resource + startup-ctx handling
Three correctness fixes on the per-account inbound path, with tests:
- Close the logrus ErrorLog PipeWriter on tearDown. WriterLevel hands
back an *io.PipeWriter backed by a pipe + scanner goroutine that the
caller owns; the two writers per account (https + plain) were never
closed, leaking the pipe and goroutine on every teardown.
- Run the post-Start hooks on context.Background(). runClientStartup
is launched in a goroutine from AddPeer and was inheriting the
caller's request-scoped ctx, so a cancelled request could abort the
inbound bring-up or fail the management status notification. The
tail is split into notifyClientReady so the contract is testable.
Tests cover the PipeWriter close behaviour and assert the readyHandler
+ NotifyStatus calls receive a non-cancelled background context.
* feat(proxy): short-circuit peer-own-target loops with 421
When a peer that hosts the target of a private service dials its own
service URL the request was being looped through the proxy and back
over WireGuard to the same peer — twice the WG round-trip for no
benefit, with no signal to the caller that something was wrong.
Add isSelfTargetLoop to ReverseProxy.ServeHTTP: when the request
arrived on the per-account overlay listener (IsOverlayOrigin) and the
source tunnel IP matches the target host, refuse the request with 421
Misdirected Request and a body pointing the operator at the backend
directly.
The gate is scoped to overlay origin so requests on the public
listener that happen to share a source IP with the target host are
forwarded normally.
* fix(management): private-service validation + tunnel-IP lookup semantics
- Require an explicit port for L4 cluster targets. validateL4Target
exempted TargetTypeCluster from the port check, but buildPathMappings
serializes every L4 target via net.JoinHostPort(host, port) — port=0
shipped a ":0" upstream. Cluster targets use the same Host/Port
fields, so the same requirement applies.
- GetPeerByIP returns NotFound on a tunnel-IP miss instead of mapping
every error to Internal. The proxy's ValidateTunnelPeer probes IPs
that legitimately aren't in the roster; the miss is expected and now
distinguishable from a real store failure.
- Thread ctx into getClusterCapability's gorm query so a cancelled
request doesn't keep the store busy.
Tests updated for the L4-cluster port requirement and the GetPeerByIP
NotFound path.
* fix(client): include offlinePeers in PeerStateByIP lookup
ReplaceOfflinePeers moves peers into d.offlinePeers but PeerStateByIP
only scanned d.peers. Callers (the local DNS filter via
localPeerConnectivity, embed.Client.IdentityForIP used by the
proxy's tunnel-peer validator) were treating known-but-offline peers
as unknown, which:
- causes the DNS filter to keep returning records pointing at peers
that have no live tunnel, AND
- makes the proxy's local-roster check deny a request from such a
peer rather than letting the cached management RPC carry the
authorisation decision.
Search both slices in PeerStateByIP. Adds a unit test for the IPv4
and IPv6 offline-match paths.
* fix(rest): reject empty Delete path params in reverse-proxy clients
ReverseProxyClustersAPI.Delete and ReverseProxyTokensAPI.Delete passed
the path parameter into url.PathEscape without an empty check.
PathEscape("") returns "" which collapses the request onto the
collection endpoint ("/api/reverse-proxies/clusters/" /
"/api/reverse-proxies/proxy-tokens/"), so a caller bug delete with no
id reached a routable URL with surprising semantics (typically 405).
Short-circuit with a typed error before the request is built. Tests
mount a handler on the collection path that fails the test if hit, so
the regression is impossible to reintroduce silently.
* chore(api,ci,docs,test): private-service schema, proto-check, fixups
Non-functional cleanups and contract/CI hardening around the
private-service work:
API schema (openapi.yml):
- Require a non-empty access_groups and mode=http when private=true,
on both Service and ServiceRequest, mirroring
validatePrivateRequirements. mode stays optional-but-constrained
(empty defaults to http server-side), matching runtime.
CI (proto-version-check.yml):
- Cover renamed .pb.go files (read base via previous_filename).
- Match protoc-gen-go-grpc version headers (optional "- " prefix and
-gen-go-grpc suffix) so grpc-generated files are in scope.
Docs / comments:
- Reword Config field docs to say defaults are applied at Server.Start
(initDefaults), not New.
- Rename the obsolete --private-inbound flag to --private across
comments and the proto doc.
Pre-existing test fixups surfaced by review:
- Repair the integration-tagged validate_session_test.go (SignToken
signature growth + new Manager interface methods).
- Fix the CI-skip boolean precedence so Windows isn't skipped
unconditionally.
- Guard the router.HTTPListener type assertion with comma-ok.
* fix(proxy): background ctx for already-started AddPeer notification
The earlier ctx fix covered the async runClientStartup path but missed
the synchronous branch: when a service is added to an already-started
client, AddPeer called NotifyStatus with the caller's request-scoped
ctx. A cancelled request/stream could drop the connected notification
to management. Use context.Background() here too, matching
notifyClientReady.
Extends TestNetBird_AddPeer_ExistingStartedClient_NotifiesStatus to
pass a pre-cancelled caller ctx and assert the notification still ran
on a non-cancelled context.
* use the cmd context for roundtripper
424 lines
16 KiB
Go
424 lines
16 KiB
Go
package roundtrip
|
|
|
|
import (
|
|
"context"
|
|
"net/http"
|
|
"net/netip"
|
|
"sync"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
"google.golang.org/grpc"
|
|
|
|
"github.com/netbirdio/netbird/client/embed"
|
|
"github.com/netbirdio/netbird/proxy/internal/types"
|
|
"github.com/netbirdio/netbird/shared/management/proto"
|
|
)
|
|
|
|
type mockMgmtClient struct{}
|
|
|
|
func (m *mockMgmtClient) CreateProxyPeer(_ context.Context, _ *proto.CreateProxyPeerRequest, _ ...grpc.CallOption) (*proto.CreateProxyPeerResponse, error) {
|
|
return &proto.CreateProxyPeerResponse{Success: true}, nil
|
|
}
|
|
|
|
type mockStatusNotifier struct {
|
|
mu sync.Mutex
|
|
statuses []statusCall
|
|
}
|
|
|
|
type statusCall struct {
|
|
accountID types.AccountID
|
|
serviceID types.ServiceID
|
|
connected bool
|
|
// ctx is captured so tests can assert the notifier received a
|
|
// fresh background context rather than an inherited request ctx.
|
|
ctx context.Context
|
|
}
|
|
|
|
func (m *mockStatusNotifier) NotifyStatus(ctx context.Context, accountID types.AccountID, serviceID types.ServiceID, connected bool) error {
|
|
m.mu.Lock()
|
|
defer m.mu.Unlock()
|
|
m.statuses = append(m.statuses, statusCall{accountID, serviceID, connected, ctx})
|
|
return nil
|
|
}
|
|
|
|
func (m *mockStatusNotifier) calls() []statusCall {
|
|
m.mu.Lock()
|
|
defer m.mu.Unlock()
|
|
return append([]statusCall{}, m.statuses...)
|
|
}
|
|
|
|
// mockNetBird creates a NetBird instance for testing without actually connecting.
|
|
// It uses an invalid management URL to prevent real connections.
|
|
func mockNetBird() *NetBird {
|
|
return NewNetBird(context.Background(), "test-proxy", "invalid.test", ClientConfig{
|
|
MgmtAddr: "http://invalid.test:9999",
|
|
WGPort: 0,
|
|
PreSharedKey: "",
|
|
}, nil, nil, &mockMgmtClient{})
|
|
}
|
|
|
|
func TestNetBird_AddPeer_CreatesClientForNewAccount(t *testing.T) {
|
|
nb := mockNetBird()
|
|
accountID := types.AccountID("account-1")
|
|
|
|
// Initially no client exists.
|
|
assert.False(t, nb.HasClient(accountID), "should not have client before AddPeer")
|
|
assert.Equal(t, 0, nb.ServiceCount(accountID), "service count should be 0")
|
|
|
|
// Add first service - this should create a new client.
|
|
err := nb.AddPeer(context.Background(), accountID, "domain1.test", "setup-key-1", types.ServiceID("proxy-1"))
|
|
require.NoError(t, err)
|
|
|
|
assert.True(t, nb.HasClient(accountID), "should have client after AddPeer")
|
|
assert.Equal(t, 1, nb.ServiceCount(accountID), "service count should be 1")
|
|
}
|
|
|
|
func TestNetBird_AddPeer_ReuseClientForSameAccount(t *testing.T) {
|
|
nb := mockNetBird()
|
|
accountID := types.AccountID("account-1")
|
|
|
|
// Add first service.
|
|
err := nb.AddPeer(context.Background(), accountID, "domain1.test", "setup-key-1", types.ServiceID("proxy-1"))
|
|
require.NoError(t, err)
|
|
assert.Equal(t, 1, nb.ServiceCount(accountID))
|
|
|
|
// Add second service for the same account - should reuse existing client.
|
|
err = nb.AddPeer(context.Background(), accountID, "domain2.test", "setup-key-1", types.ServiceID("proxy-2"))
|
|
require.NoError(t, err)
|
|
assert.Equal(t, 2, nb.ServiceCount(accountID), "service count should be 2 after adding second service")
|
|
|
|
// Add third service.
|
|
err = nb.AddPeer(context.Background(), accountID, "domain3.test", "setup-key-1", types.ServiceID("proxy-3"))
|
|
require.NoError(t, err)
|
|
assert.Equal(t, 3, nb.ServiceCount(accountID), "service count should be 3 after adding third service")
|
|
|
|
// Still only one client.
|
|
assert.True(t, nb.HasClient(accountID))
|
|
}
|
|
|
|
func TestNetBird_AddPeer_SeparateClientsForDifferentAccounts(t *testing.T) {
|
|
nb := mockNetBird()
|
|
account1 := types.AccountID("account-1")
|
|
account2 := types.AccountID("account-2")
|
|
|
|
// Add service for account 1.
|
|
err := nb.AddPeer(context.Background(), account1, "domain1.test", "setup-key-1", types.ServiceID("proxy-1"))
|
|
require.NoError(t, err)
|
|
|
|
// Add service for account 2.
|
|
err = nb.AddPeer(context.Background(), account2, "domain2.test", "setup-key-2", types.ServiceID("proxy-2"))
|
|
require.NoError(t, err)
|
|
|
|
// Both accounts should have their own clients.
|
|
assert.True(t, nb.HasClient(account1), "account1 should have client")
|
|
assert.True(t, nb.HasClient(account2), "account2 should have client")
|
|
assert.Equal(t, 1, nb.ServiceCount(account1), "account1 service count should be 1")
|
|
assert.Equal(t, 1, nb.ServiceCount(account2), "account2 service count should be 1")
|
|
}
|
|
|
|
func TestNetBird_RemovePeer_KeepsClientWhenServicesRemain(t *testing.T) {
|
|
nb := mockNetBird()
|
|
accountID := types.AccountID("account-1")
|
|
|
|
// Add multiple services.
|
|
err := nb.AddPeer(context.Background(), accountID, "domain1.test", "setup-key-1", types.ServiceID("proxy-1"))
|
|
require.NoError(t, err)
|
|
err = nb.AddPeer(context.Background(), accountID, "domain2.test", "setup-key-1", types.ServiceID("proxy-2"))
|
|
require.NoError(t, err)
|
|
err = nb.AddPeer(context.Background(), accountID, "domain3.test", "setup-key-1", types.ServiceID("proxy-3"))
|
|
require.NoError(t, err)
|
|
assert.Equal(t, 3, nb.ServiceCount(accountID))
|
|
|
|
// Remove one service - client should remain.
|
|
err = nb.RemovePeer(context.Background(), accountID, "domain1.test")
|
|
require.NoError(t, err)
|
|
assert.True(t, nb.HasClient(accountID), "client should remain after removing one service")
|
|
assert.Equal(t, 2, nb.ServiceCount(accountID), "service count should be 2")
|
|
|
|
// Remove another service - client should still remain.
|
|
err = nb.RemovePeer(context.Background(), accountID, "domain2.test")
|
|
require.NoError(t, err)
|
|
assert.True(t, nb.HasClient(accountID), "client should remain after removing second service")
|
|
assert.Equal(t, 1, nb.ServiceCount(accountID), "service count should be 1")
|
|
}
|
|
|
|
func TestNetBird_RemovePeer_RemovesClientWhenLastServiceRemoved(t *testing.T) {
|
|
nb := mockNetBird()
|
|
accountID := types.AccountID("account-1")
|
|
|
|
// Add single service.
|
|
err := nb.AddPeer(context.Background(), accountID, "domain1.test", "setup-key-1", types.ServiceID("proxy-1"))
|
|
require.NoError(t, err)
|
|
assert.True(t, nb.HasClient(accountID))
|
|
|
|
// Remove the only service - client should be removed.
|
|
_ = nb.RemovePeer(context.Background(), accountID, "domain1.test")
|
|
|
|
// After removing all services, client should be gone.
|
|
assert.False(t, nb.HasClient(accountID), "client should be removed after removing last service")
|
|
assert.Equal(t, 0, nb.ServiceCount(accountID), "service count should be 0")
|
|
}
|
|
|
|
func TestNetBird_RemovePeer_NonExistentAccountIsNoop(t *testing.T) {
|
|
nb := mockNetBird()
|
|
accountID := types.AccountID("nonexistent-account")
|
|
|
|
// Removing from non-existent account should not error.
|
|
err := nb.RemovePeer(context.Background(), accountID, "domain1.test")
|
|
assert.NoError(t, err, "removing from non-existent account should not error")
|
|
}
|
|
|
|
func TestNetBird_RemovePeer_NonExistentServiceIsNoop(t *testing.T) {
|
|
nb := mockNetBird()
|
|
accountID := types.AccountID("account-1")
|
|
|
|
// Add one service.
|
|
err := nb.AddPeer(context.Background(), accountID, "domain1.test", "setup-key-1", types.ServiceID("proxy-1"))
|
|
require.NoError(t, err)
|
|
|
|
// Remove non-existent service - should not affect existing service.
|
|
err = nb.RemovePeer(context.Background(), accountID, "nonexistent.test")
|
|
require.NoError(t, err)
|
|
|
|
// Original service should still be registered.
|
|
assert.True(t, nb.HasClient(accountID))
|
|
assert.Equal(t, 1, nb.ServiceCount(accountID), "original service should remain")
|
|
}
|
|
|
|
func TestWithAccountID_AndAccountIDFromContext(t *testing.T) {
|
|
ctx := context.Background()
|
|
accountID := types.AccountID("test-account")
|
|
|
|
// Initially no account ID in context.
|
|
retrieved := AccountIDFromContext(ctx)
|
|
assert.True(t, retrieved == "", "should be empty when not set")
|
|
|
|
// Add account ID to context.
|
|
ctx = WithAccountID(ctx, accountID)
|
|
retrieved = AccountIDFromContext(ctx)
|
|
assert.Equal(t, accountID, retrieved, "should retrieve the same account ID")
|
|
}
|
|
|
|
func TestAccountIDFromContext_ReturnsEmptyForWrongType(t *testing.T) {
|
|
// Create context with wrong type for account ID key.
|
|
ctx := context.WithValue(context.Background(), accountIDContextKey{}, "wrong-type-string")
|
|
|
|
retrieved := AccountIDFromContext(ctx)
|
|
assert.True(t, retrieved == "", "should return empty for wrong type")
|
|
}
|
|
|
|
func TestNetBird_StopAll_StopsAllClients(t *testing.T) {
|
|
nb := mockNetBird()
|
|
account1 := types.AccountID("account-1")
|
|
account2 := types.AccountID("account-2")
|
|
account3 := types.AccountID("account-3")
|
|
|
|
// Add services for multiple accounts.
|
|
err := nb.AddPeer(context.Background(), account1, "domain1.test", "key-1", types.ServiceID("proxy-1"))
|
|
require.NoError(t, err)
|
|
err = nb.AddPeer(context.Background(), account2, "domain2.test", "key-2", types.ServiceID("proxy-2"))
|
|
require.NoError(t, err)
|
|
err = nb.AddPeer(context.Background(), account3, "domain3.test", "key-3", types.ServiceID("proxy-3"))
|
|
require.NoError(t, err)
|
|
|
|
assert.Equal(t, 3, nb.ClientCount(), "should have 3 clients")
|
|
|
|
// Stop all clients.
|
|
_ = nb.StopAll(context.Background())
|
|
|
|
assert.Equal(t, 0, nb.ClientCount(), "should have 0 clients after StopAll")
|
|
assert.False(t, nb.HasClient(account1), "account1 should not have client")
|
|
assert.False(t, nb.HasClient(account2), "account2 should not have client")
|
|
assert.False(t, nb.HasClient(account3), "account3 should not have client")
|
|
}
|
|
|
|
func TestNetBird_ClientCount(t *testing.T) {
|
|
nb := mockNetBird()
|
|
|
|
assert.Equal(t, 0, nb.ClientCount(), "should start with 0 clients")
|
|
|
|
// Add clients for different accounts.
|
|
err := nb.AddPeer(context.Background(), types.AccountID("account-1"), "domain1.test", "key-1", types.ServiceID("proxy-1"))
|
|
require.NoError(t, err)
|
|
assert.Equal(t, 1, nb.ClientCount())
|
|
|
|
err = nb.AddPeer(context.Background(), types.AccountID("account-2"), "domain2.test", "key-2", types.ServiceID("proxy-2"))
|
|
require.NoError(t, err)
|
|
assert.Equal(t, 2, nb.ClientCount())
|
|
|
|
// Adding service to existing account should not increase count.
|
|
err = nb.AddPeer(context.Background(), types.AccountID("account-1"), "domain1b.test", "key-1", types.ServiceID("proxy-1b"))
|
|
require.NoError(t, err)
|
|
assert.Equal(t, 2, nb.ClientCount(), "adding service to existing account should not increase client count")
|
|
}
|
|
|
|
func TestNetBird_RoundTrip_RequiresAccountIDInContext(t *testing.T) {
|
|
nb := mockNetBird()
|
|
|
|
// Create a request without account ID in context.
|
|
req, err := http.NewRequest("GET", "http://example.com/", nil)
|
|
require.NoError(t, err)
|
|
|
|
// RoundTrip should fail because no account ID in context.
|
|
_, err = nb.RoundTrip(req) //nolint:bodyclose
|
|
require.ErrorIs(t, err, ErrNoAccountID)
|
|
}
|
|
|
|
func TestNetBird_RoundTrip_RequiresExistingClient(t *testing.T) {
|
|
nb := mockNetBird()
|
|
accountID := types.AccountID("nonexistent-account")
|
|
|
|
// Create a request with account ID but no client exists.
|
|
req, err := http.NewRequest("GET", "http://example.com/", nil)
|
|
require.NoError(t, err)
|
|
req = req.WithContext(WithAccountID(req.Context(), accountID))
|
|
|
|
// RoundTrip should fail because no client for this account.
|
|
_, err = nb.RoundTrip(req) //nolint:bodyclose // Error case, no response body
|
|
assert.Error(t, err)
|
|
assert.Contains(t, err.Error(), "no peer connection found for account")
|
|
}
|
|
|
|
func TestNetBird_AddPeer_ExistingStartedClient_NotifiesStatus(t *testing.T) {
|
|
notifier := &mockStatusNotifier{}
|
|
nb := NewNetBird(context.Background(), "test-proxy", "invalid.test", ClientConfig{
|
|
MgmtAddr: "http://invalid.test:9999",
|
|
WGPort: 0,
|
|
PreSharedKey: "",
|
|
}, nil, notifier, &mockMgmtClient{})
|
|
accountID := types.AccountID("account-1")
|
|
|
|
// Add first service — creates a new client entry.
|
|
err := nb.AddPeer(context.Background(), accountID, "domain1.test", "key-1", types.ServiceID("svc-1"))
|
|
require.NoError(t, err)
|
|
|
|
// Manually mark client as started to simulate background startup completing.
|
|
nb.clientsMux.Lock()
|
|
nb.clients[accountID].started = true
|
|
nb.clientsMux.Unlock()
|
|
|
|
// Add second service with an already-cancelled caller context —
|
|
// should notify immediately (client is started) AND the notification
|
|
// must not inherit the cancelled ctx.
|
|
cancelledCtx, cancel := context.WithCancel(context.Background())
|
|
cancel()
|
|
err = nb.AddPeer(cancelledCtx, accountID, "domain2.test", "key-1", types.ServiceID("svc-2"))
|
|
require.NoError(t, err)
|
|
|
|
calls := notifier.calls()
|
|
require.Len(t, calls, 1)
|
|
assert.Equal(t, accountID, calls[0].accountID)
|
|
assert.Equal(t, types.ServiceID("svc-2"), calls[0].serviceID)
|
|
assert.True(t, calls[0].connected)
|
|
require.NotNil(t, calls[0].ctx, "NotifyStatus must receive a context")
|
|
require.NoError(t, calls[0].ctx.Err(),
|
|
"already-started NotifyStatus must use a background ctx, not the cancelled caller ctx")
|
|
}
|
|
|
|
// TestNetBird_IdentityForIP_UnknownAccountReturnsFalse confirms that the
|
|
// public lookup short-circuits when no client has been registered for
|
|
// the queried account. The auth middleware uses ok=false as a fast deny.
|
|
func TestNetBird_IdentityForIP_UnknownAccountReturnsFalse(t *testing.T) {
|
|
nb := mockNetBird()
|
|
_, _, ok := nb.IdentityForIP("acct-missing", netip.MustParseAddr("100.64.0.10"))
|
|
assert.False(t, ok, "unknown account must yield ok=false")
|
|
}
|
|
|
|
// TestClientEntry_IdentityForIP_NilClientGuard ensures the receiver
|
|
// methods stay safe when called on partially-initialized state, which
|
|
// can happen briefly during AddPeer setup or test fixtures.
|
|
func TestClientEntry_IdentityForIP_NilClientGuard(t *testing.T) {
|
|
var e *clientEntry
|
|
_, _, ok := e.IdentityForIP(netip.MustParseAddr("100.64.0.10"))
|
|
assert.False(t, ok, "nil clientEntry must yield ok=false")
|
|
|
|
e = &clientEntry{}
|
|
_, _, ok = e.IdentityForIP(netip.MustParseAddr("100.64.0.10"))
|
|
assert.False(t, ok, "clientEntry with nil embed.Client must yield ok=false")
|
|
}
|
|
|
|
// TestClientEntry_IdentityForIP_InvalidIPReturnsFalse covers the input
|
|
// guard so callers don't have to repeat the check.
|
|
func TestClientEntry_IdentityForIP_InvalidIPReturnsFalse(t *testing.T) {
|
|
e := &clientEntry{}
|
|
_, _, ok := e.IdentityForIP(netip.Addr{})
|
|
assert.False(t, ok, "invalid IP must yield ok=false")
|
|
}
|
|
|
|
func TestNetBird_RemovePeer_NotifiesDisconnection(t *testing.T) {
|
|
notifier := &mockStatusNotifier{}
|
|
nb := NewNetBird(context.Background(), "test-proxy", "invalid.test", ClientConfig{
|
|
MgmtAddr: "http://invalid.test:9999",
|
|
WGPort: 0,
|
|
PreSharedKey: "",
|
|
}, nil, notifier, &mockMgmtClient{})
|
|
accountID := types.AccountID("account-1")
|
|
|
|
err := nb.AddPeer(context.Background(), accountID, "domain1.test", "key-1", types.ServiceID("svc-1"))
|
|
require.NoError(t, err)
|
|
err = nb.AddPeer(context.Background(), accountID, "domain2.test", "key-1", types.ServiceID("svc-2"))
|
|
require.NoError(t, err)
|
|
|
|
// Remove one service — client stays, but disconnection notification fires.
|
|
err = nb.RemovePeer(context.Background(), accountID, "domain1.test")
|
|
require.NoError(t, err)
|
|
assert.True(t, nb.HasClient(accountID))
|
|
|
|
calls := notifier.calls()
|
|
require.Len(t, calls, 1)
|
|
assert.Equal(t, types.ServiceID("svc-1"), calls[0].serviceID)
|
|
assert.False(t, calls[0].connected)
|
|
}
|
|
|
|
// TestNotifyClientReady_UsesBackgroundCtx pins the contract that the
|
|
// post-Start hooks (readyHandler + statusNotifier.NotifyStatus) run on
|
|
// a fresh context.Background() rather than inheriting the AddPeer
|
|
// caller's request- or stream-scoped ctx. Without this, a cancelled
|
|
// caller ctx could abort the inbound listener bring-up or cause the
|
|
// management status notification to fail spuriously and leave the
|
|
// account in a half-connected state.
|
|
func TestNotifyClientReady_UsesBackgroundCtx(t *testing.T) {
|
|
notifier := &mockStatusNotifier{}
|
|
nb := NewNetBird(context.Background(), "test-proxy", "invalid.test", ClientConfig{
|
|
MgmtAddr: "http://invalid.test:9999",
|
|
}, nil, notifier, &mockMgmtClient{})
|
|
|
|
accountID := types.AccountID("acct-async")
|
|
// Pre-populate a client entry so notifyClientReady has something
|
|
// to mark started + something to enumerate for NotifyStatus.
|
|
nb.clientsMux.Lock()
|
|
nb.clients[accountID] = &clientEntry{
|
|
services: map[ServiceKey]serviceInfo{
|
|
DomainServiceKey("svc.example"): {serviceID: types.ServiceID("svc-1")},
|
|
},
|
|
}
|
|
nb.clientsMux.Unlock()
|
|
|
|
var capturedReadyCtx context.Context
|
|
nb.SetClientLifecycle(
|
|
func(ctx context.Context, _ types.AccountID, _ *embed.Client) any {
|
|
capturedReadyCtx = ctx
|
|
return nil
|
|
},
|
|
nil,
|
|
)
|
|
|
|
// Drive the post-Start path directly; a real client.Start would
|
|
// need a working management URL.
|
|
nb.notifyClientReady(accountID, nil)
|
|
|
|
require.NotNil(t, capturedReadyCtx, "readyHandler must have been invoked")
|
|
require.NoError(t, capturedReadyCtx.Err(),
|
|
"readyHandler must receive a background context, not an inherited cancelled one")
|
|
deadline, ok := capturedReadyCtx.Deadline()
|
|
assert.False(t, ok, "readyHandler ctx must have no deadline (background); got %v", deadline)
|
|
|
|
calls := notifier.calls()
|
|
require.Len(t, calls, 1, "NotifyStatus must be invoked once per registered service")
|
|
require.NotNil(t, calls[0].ctx, "NotifyStatus must receive a context")
|
|
require.NoError(t, calls[0].ctx.Err(),
|
|
"NotifyStatus must receive a background context, not an inherited cancelled one")
|
|
}
|