mirror of
https://github.com/netbirdio/netbird.git
synced 2026-07-17 12:09:58 +00:00
Adds a new "private" service mode for the reverse proxy: services reachable exclusively over the embedded WireGuard tunnel, gated by per-peer group membership instead of operator auth schemes. Wire contract - ProxyMapping.private (field 13): the proxy MUST call ValidateTunnelPeer and fail closed; operator schemes are bypassed. - ProxyCapabilities.private (4) + supports_private_service (5): capability gate. Management never streams private mappings to proxies that don't claim the capability; the broadcast path applies the same filter via filterMappingsForProxy. - ValidateTunnelPeer RPC: resolves an inbound tunnel IP to a peer, checks the peer's groups against service.AccessGroups, and mints a session JWT on success. checkPeerGroupAccess fails closed when a private service has empty AccessGroups. - ValidateSession/ValidateTunnelPeer responses now carry peer_group_ids + peer_group_names so the proxy can authorise policy-aware middlewares without an extra management round-trip. - ProxyInboundListener + SendStatusUpdate.inbound_listener: per-account inbound listener state surfaced to dashboards. - PathTargetOptions.direct_upstream (11): bypass the embedded NetBird client and dial the target via the proxy host's network stack for upstreams reachable without WireGuard. Data model - Service.Private (bool) + Service.AccessGroups ([]string, JSON- serialised). Validate() rejects bearer auth on private services. Copy() deep-copies AccessGroups. pgx getServices loads the columns. - DomainConfig.Private threaded into the proxy auth middleware. Request handler routes private services through forwardWithTunnelPeer and returns 403 on validation failure. - Account-level SynthesizePrivateServiceZones (synthetic DNS) and injectPrivateServicePolicies (synthetic ACL) gate on len(svc.AccessGroups) > 0. Proxy - /netbird proxy --private (embedded mode) flag; Config.Private in proxy/lifecycle.go. - Per-account inbound listener (proxy/inbound.go) binding HTTP/HTTPS on the embedded NetBird client's WireGuard tunnel netstack. - proxy/internal/auth/tunnel_cache: ValidateTunnelPeer response cache with single-flight de-duplication and per-account eviction. - Local peerstore short-circuit: when the inbound IP isn't in the account roster, deny fast without an RPC. - proxy/server.go reports SupportsPrivateService=true and redacts the full ProxyMapping JSON from info logs (auth_token + header-auth hashed values now only at debug level). Identity forwarding - ValidateSessionJWT returns user_id, email, method, groups, group_names. sessionkey.Claims carries Email + Groups + GroupNames so the proxy can stamp identity onto upstream requests without an extra management round-trip on every cookie-bearing request. - CapturedData carries userEmail / userGroups / userGroupNames; the proxy stamps X-NetBird-User and X-NetBird-Groups on r.Out from the authenticated identity (strips client-supplied values first to prevent spoofing). - AccessLog.UserGroups: access-log enrichment captures the user's group memberships at write time so the dashboard can render group context without reverse-resolving stale memberships. OpenAPI/dashboard surface - ReverseProxyService gains private + access_groups; ReverseProxyCluster gains private + supports_private. ReverseProxyTarget target_type enum gains "cluster". ServiceTargetOptions gains direct_upstream. ProxyAccessLog gains user_groups.
268 lines
6.9 KiB
Go
268 lines
6.9 KiB
Go
package proxy
|
|
|
|
import (
|
|
"context"
|
|
"maps"
|
|
"net/netip"
|
|
"sync"
|
|
|
|
"github.com/netbirdio/netbird/proxy/internal/types"
|
|
)
|
|
|
|
type requestContextKey string
|
|
|
|
const (
|
|
capturedDataKey requestContextKey = "capturedData"
|
|
)
|
|
|
|
// ResponseOrigin indicates where a response was generated.
|
|
type ResponseOrigin int
|
|
|
|
const (
|
|
// OriginBackend means the response came from the backend service.
|
|
OriginBackend ResponseOrigin = iota
|
|
// OriginNoRoute means the proxy had no matching host or path.
|
|
OriginNoRoute
|
|
// OriginProxyError means the proxy failed to reach the backend.
|
|
OriginProxyError
|
|
// OriginAuth means the proxy intercepted the request for authentication.
|
|
OriginAuth
|
|
)
|
|
|
|
func (o ResponseOrigin) String() string {
|
|
switch o {
|
|
case OriginNoRoute:
|
|
return "no_route"
|
|
case OriginProxyError:
|
|
return "proxy_error"
|
|
case OriginAuth:
|
|
return "auth"
|
|
default:
|
|
return "backend"
|
|
}
|
|
}
|
|
|
|
// CapturedData is a mutable struct that allows downstream handlers
|
|
// to pass data back up the middleware chain.
|
|
type CapturedData struct {
|
|
mu sync.RWMutex
|
|
requestID string
|
|
serviceID types.ServiceID
|
|
accountID types.AccountID
|
|
origin ResponseOrigin
|
|
clientIP netip.Addr
|
|
userID string
|
|
userEmail string
|
|
userGroups []string
|
|
// userGroupNames pairs positionally with userGroups; populated from
|
|
// the JWT's group_names claim or from ValidateSession/Tunnel
|
|
// responses. Slice may be shorter than userGroups for tokens minted
|
|
// before names were resolvable.
|
|
userGroupNames []string
|
|
authMethod string
|
|
metadata map[string]string
|
|
}
|
|
|
|
// NewCapturedData creates a CapturedData with the given request ID.
|
|
func NewCapturedData(requestID string) *CapturedData {
|
|
return &CapturedData{requestID: requestID}
|
|
}
|
|
|
|
// GetRequestID returns the request ID.
|
|
func (c *CapturedData) GetRequestID() string {
|
|
c.mu.RLock()
|
|
defer c.mu.RUnlock()
|
|
return c.requestID
|
|
}
|
|
|
|
// SetServiceID sets the service ID.
|
|
func (c *CapturedData) SetServiceID(serviceID types.ServiceID) {
|
|
c.mu.Lock()
|
|
defer c.mu.Unlock()
|
|
c.serviceID = serviceID
|
|
}
|
|
|
|
// GetServiceID returns the service ID.
|
|
func (c *CapturedData) GetServiceID() types.ServiceID {
|
|
c.mu.RLock()
|
|
defer c.mu.RUnlock()
|
|
return c.serviceID
|
|
}
|
|
|
|
// SetAccountID sets the account ID.
|
|
func (c *CapturedData) SetAccountID(accountID types.AccountID) {
|
|
c.mu.Lock()
|
|
defer c.mu.Unlock()
|
|
c.accountID = accountID
|
|
}
|
|
|
|
// GetAccountID returns the account ID.
|
|
func (c *CapturedData) GetAccountID() types.AccountID {
|
|
c.mu.RLock()
|
|
defer c.mu.RUnlock()
|
|
return c.accountID
|
|
}
|
|
|
|
// SetOrigin sets the response origin.
|
|
func (c *CapturedData) SetOrigin(origin ResponseOrigin) {
|
|
c.mu.Lock()
|
|
defer c.mu.Unlock()
|
|
c.origin = origin
|
|
}
|
|
|
|
// GetOrigin returns the response origin.
|
|
func (c *CapturedData) GetOrigin() ResponseOrigin {
|
|
c.mu.RLock()
|
|
defer c.mu.RUnlock()
|
|
return c.origin
|
|
}
|
|
|
|
// SetClientIP sets the resolved client IP.
|
|
func (c *CapturedData) SetClientIP(ip netip.Addr) {
|
|
c.mu.Lock()
|
|
defer c.mu.Unlock()
|
|
c.clientIP = ip
|
|
}
|
|
|
|
// GetClientIP returns the resolved client IP.
|
|
func (c *CapturedData) GetClientIP() netip.Addr {
|
|
c.mu.RLock()
|
|
defer c.mu.RUnlock()
|
|
return c.clientIP
|
|
}
|
|
|
|
// SetUserID sets the authenticated user ID.
|
|
func (c *CapturedData) SetUserID(userID string) {
|
|
c.mu.Lock()
|
|
defer c.mu.Unlock()
|
|
c.userID = userID
|
|
}
|
|
|
|
// GetUserID returns the authenticated user ID.
|
|
func (c *CapturedData) GetUserID() string {
|
|
c.mu.RLock()
|
|
defer c.mu.RUnlock()
|
|
return c.userID
|
|
}
|
|
|
|
// SetUserEmail records the authenticated user's email address. Used by
|
|
// policy-aware middlewares to stamp identity onto upstream requests
|
|
// (e.g. x-litellm-end-user-id) without a management round-trip.
|
|
func (c *CapturedData) SetUserEmail(email string) {
|
|
c.mu.Lock()
|
|
defer c.mu.Unlock()
|
|
c.userEmail = email
|
|
}
|
|
|
|
// GetUserEmail returns the authenticated user's email address. Returns
|
|
// the empty string when the auth path didn't carry an email (e.g.
|
|
// non-OIDC schemes or legacy JWTs minted before the email claim).
|
|
func (c *CapturedData) GetUserEmail() string {
|
|
c.mu.RLock()
|
|
defer c.mu.RUnlock()
|
|
return c.userEmail
|
|
}
|
|
|
|
// SetUserGroups records the authenticated user's group memberships so
|
|
// downstream policy-aware middlewares can authorise the request without
|
|
// an additional management round-trip. The auth middleware populates this
|
|
// from ValidateSessionResponse / ValidateTunnelPeerResponse and from the
|
|
// session JWT's groups claim on cookie-bearing requests.
|
|
func (c *CapturedData) SetUserGroups(groups []string) {
|
|
c.mu.Lock()
|
|
defer c.mu.Unlock()
|
|
if len(groups) == 0 {
|
|
c.userGroups = nil
|
|
return
|
|
}
|
|
c.userGroups = append(c.userGroups[:0], groups...)
|
|
}
|
|
|
|
// GetUserGroups returns a copy of the authenticated user's group
|
|
// memberships.
|
|
func (c *CapturedData) GetUserGroups() []string {
|
|
c.mu.RLock()
|
|
defer c.mu.RUnlock()
|
|
if len(c.userGroups) == 0 {
|
|
return nil
|
|
}
|
|
out := make([]string, len(c.userGroups))
|
|
copy(out, c.userGroups)
|
|
return out
|
|
}
|
|
|
|
// SetUserGroupNames records the human-readable display names for the
|
|
// user's groups, ordered identically to UserGroups (positional
|
|
// pairing). Stamped onto upstream requests as X-NetBird-Groups so
|
|
// downstream services can read names rather than opaque ids.
|
|
func (c *CapturedData) SetUserGroupNames(names []string) {
|
|
c.mu.Lock()
|
|
defer c.mu.Unlock()
|
|
if len(names) == 0 {
|
|
c.userGroupNames = nil
|
|
return
|
|
}
|
|
c.userGroupNames = append(c.userGroupNames[:0], names...)
|
|
}
|
|
|
|
// GetUserGroupNames returns a copy of the authenticated user's group
|
|
// display names. Position i pairs with UserGroups[i]. May be shorter
|
|
// than UserGroups for tokens minted before names were resolvable; the
|
|
// consumer should fall back to ids for missing positions.
|
|
func (c *CapturedData) GetUserGroupNames() []string {
|
|
c.mu.RLock()
|
|
defer c.mu.RUnlock()
|
|
if len(c.userGroupNames) == 0 {
|
|
return nil
|
|
}
|
|
out := make([]string, len(c.userGroupNames))
|
|
copy(out, c.userGroupNames)
|
|
return out
|
|
}
|
|
|
|
// SetAuthMethod sets the authentication method used.
|
|
func (c *CapturedData) SetAuthMethod(method string) {
|
|
c.mu.Lock()
|
|
defer c.mu.Unlock()
|
|
c.authMethod = method
|
|
}
|
|
|
|
// GetAuthMethod returns the authentication method used.
|
|
func (c *CapturedData) GetAuthMethod() string {
|
|
c.mu.RLock()
|
|
defer c.mu.RUnlock()
|
|
return c.authMethod
|
|
}
|
|
|
|
// SetMetadata sets a key-value pair in the metadata map.
|
|
func (c *CapturedData) SetMetadata(key, value string) {
|
|
c.mu.Lock()
|
|
defer c.mu.Unlock()
|
|
if c.metadata == nil {
|
|
c.metadata = make(map[string]string)
|
|
}
|
|
c.metadata[key] = value
|
|
}
|
|
|
|
// GetMetadata returns a copy of the metadata map.
|
|
func (c *CapturedData) GetMetadata() map[string]string {
|
|
c.mu.RLock()
|
|
defer c.mu.RUnlock()
|
|
return maps.Clone(c.metadata)
|
|
}
|
|
|
|
// WithCapturedData adds a CapturedData struct to the context.
|
|
func WithCapturedData(ctx context.Context, data *CapturedData) context.Context {
|
|
return context.WithValue(ctx, capturedDataKey, data)
|
|
}
|
|
|
|
// CapturedDataFromContext retrieves the CapturedData from context.
|
|
func CapturedDataFromContext(ctx context.Context) *CapturedData {
|
|
v := ctx.Value(capturedDataKey)
|
|
data, ok := v.(*CapturedData)
|
|
if !ok {
|
|
return nil
|
|
}
|
|
return data
|
|
}
|