mirror of
https://github.com/netbirdio/netbird.git
synced 2026-07-11 08:31:59 -04:00
* fix(proxy): gate tunnel-peer fast-path on inbound listener marker
forwardWithTunnelPeer previously accepted any RFC1918 / ULA / CGNAT
source IP, so a public client whose address happened to fall in those
ranges could bypass the configured operator auth scheme by colliding
with a known tunnel IP. The fast-path is now gated on
TunnelLookupFromContext(r.Context()) being present — that context value
is attached only by the per-account inbound (overlay) listener, so the
host-facing listener never enters this branch.
Tests updated to reflect the new requirement: requests that don't
carry the inbound marker now fall through to the regular auth flow.
* fix(proxy): harden inbound listener resource + startup-ctx handling
Three correctness fixes on the per-account inbound path, with tests:
- Close the logrus ErrorLog PipeWriter on tearDown. WriterLevel hands
back an *io.PipeWriter backed by a pipe + scanner goroutine that the
caller owns; the two writers per account (https + plain) were never
closed, leaking the pipe and goroutine on every teardown.
- Run the post-Start hooks on context.Background(). runClientStartup
is launched in a goroutine from AddPeer and was inheriting the
caller's request-scoped ctx, so a cancelled request could abort the
inbound bring-up or fail the management status notification. The
tail is split into notifyClientReady so the contract is testable.
Tests cover the PipeWriter close behaviour and assert the readyHandler
+ NotifyStatus calls receive a non-cancelled background context.
* feat(proxy): short-circuit peer-own-target loops with 421
When a peer that hosts the target of a private service dials its own
service URL the request was being looped through the proxy and back
over WireGuard to the same peer — twice the WG round-trip for no
benefit, with no signal to the caller that something was wrong.
Add isSelfTargetLoop to ReverseProxy.ServeHTTP: when the request
arrived on the per-account overlay listener (IsOverlayOrigin) and the
source tunnel IP matches the target host, refuse the request with 421
Misdirected Request and a body pointing the operator at the backend
directly.
The gate is scoped to overlay origin so requests on the public
listener that happen to share a source IP with the target host are
forwarded normally.
* fix(management): private-service validation + tunnel-IP lookup semantics
- Require an explicit port for L4 cluster targets. validateL4Target
exempted TargetTypeCluster from the port check, but buildPathMappings
serializes every L4 target via net.JoinHostPort(host, port) — port=0
shipped a ":0" upstream. Cluster targets use the same Host/Port
fields, so the same requirement applies.
- GetPeerByIP returns NotFound on a tunnel-IP miss instead of mapping
every error to Internal. The proxy's ValidateTunnelPeer probes IPs
that legitimately aren't in the roster; the miss is expected and now
distinguishable from a real store failure.
- Thread ctx into getClusterCapability's gorm query so a cancelled
request doesn't keep the store busy.
Tests updated for the L4-cluster port requirement and the GetPeerByIP
NotFound path.
* fix(client): include offlinePeers in PeerStateByIP lookup
ReplaceOfflinePeers moves peers into d.offlinePeers but PeerStateByIP
only scanned d.peers. Callers (the local DNS filter via
localPeerConnectivity, embed.Client.IdentityForIP used by the
proxy's tunnel-peer validator) were treating known-but-offline peers
as unknown, which:
- causes the DNS filter to keep returning records pointing at peers
that have no live tunnel, AND
- makes the proxy's local-roster check deny a request from such a
peer rather than letting the cached management RPC carry the
authorisation decision.
Search both slices in PeerStateByIP. Adds a unit test for the IPv4
and IPv6 offline-match paths.
* fix(rest): reject empty Delete path params in reverse-proxy clients
ReverseProxyClustersAPI.Delete and ReverseProxyTokensAPI.Delete passed
the path parameter into url.PathEscape without an empty check.
PathEscape("") returns "" which collapses the request onto the
collection endpoint ("/api/reverse-proxies/clusters/" /
"/api/reverse-proxies/proxy-tokens/"), so a caller bug delete with no
id reached a routable URL with surprising semantics (typically 405).
Short-circuit with a typed error before the request is built. Tests
mount a handler on the collection path that fails the test if hit, so
the regression is impossible to reintroduce silently.
* chore(api,ci,docs,test): private-service schema, proto-check, fixups
Non-functional cleanups and contract/CI hardening around the
private-service work:
API schema (openapi.yml):
- Require a non-empty access_groups and mode=http when private=true,
on both Service and ServiceRequest, mirroring
validatePrivateRequirements. mode stays optional-but-constrained
(empty defaults to http server-side), matching runtime.
CI (proto-version-check.yml):
- Cover renamed .pb.go files (read base via previous_filename).
- Match protoc-gen-go-grpc version headers (optional "- " prefix and
-gen-go-grpc suffix) so grpc-generated files are in scope.
Docs / comments:
- Reword Config field docs to say defaults are applied at Server.Start
(initDefaults), not New.
- Rename the obsolete --private-inbound flag to --private across
comments and the proto doc.
Pre-existing test fixups surfaced by review:
- Repair the integration-tagged validate_session_test.go (SignToken
signature growth + new Manager interface methods).
- Fix the CI-skip boolean precedence so Windows isn't skipped
unconditionally.
- Guard the router.HTTPListener type assertion with comma-ok.
* fix(proxy): background ctx for already-started AddPeer notification
The earlier ctx fix covered the async runClientStartup path but missed
the synchronous branch: when a service is added to an already-started
client, AddPeer called NotifyStatus with the caller's request-scoped
ctx. A cancelled request/stream could drop the connected notification
to management. Use context.Background() here too, matching
notifyClientReady.
Extends TestNetBird_AddPeer_ExistingStartedClient_NotifiesStatus to
pass a pre-cancelled caller ctx and assert the notification still ran
on a non-cancelled context.
* use the cmd context for roundtripper
112 lines
4.4 KiB
YAML
112 lines
4.4 KiB
YAML
name: Proto Version Check
|
|
|
|
on:
|
|
pull_request:
|
|
paths:
|
|
- "**/*.pb.go"
|
|
|
|
jobs:
|
|
check-proto-versions:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Check for proto tool version changes
|
|
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
|
|
with:
|
|
script: |
|
|
const files = await github.paginate(github.rest.pulls.listFiles, {
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
pull_number: context.issue.number,
|
|
per_page: 100,
|
|
});
|
|
|
|
// Cover renamed .pb.go files in addition to plain edits.
|
|
// Renamed entries land under the new path with previous_filename
|
|
// pointing at the base-side name, so we read the base content
|
|
// from the old path when present.
|
|
const changedPbFiles = files
|
|
.filter(f => (f.status === 'modified' || f.status === 'renamed')
|
|
&& f.filename.endsWith('.pb.go'))
|
|
.map(f => ({
|
|
headPath: f.filename,
|
|
basePath: f.previous_filename || f.filename,
|
|
}));
|
|
if (changedPbFiles.length === 0) {
|
|
console.log('No modified or renamed .pb.go files to check');
|
|
return;
|
|
}
|
|
|
|
// Matches the generator version headers protoc writes at the top
|
|
// of generated files:
|
|
// // protoc v3.21.12
|
|
// // protoc-gen-go v1.26.0
|
|
// // - protoc-gen-go-grpc v1.6.1 (grpc files prefix with "- ")
|
|
// The optional "- " prefix and the optional -gen-go / -gen-go-grpc
|
|
// suffixes keep the *_grpc.pb.go headers in scope.
|
|
const versionPattern = /^\s*\/\/\s+(?:-\s+)?protoc(?:-gen-go(?:-grpc)?)?\s+v[\d.]+/;
|
|
const baseSha = context.payload.pull_request.base.sha;
|
|
const headSha = context.payload.pull_request.head.sha;
|
|
|
|
async function getVersionHeader(path, ref) {
|
|
try {
|
|
const res = await github.rest.repos.getContent({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
path,
|
|
ref,
|
|
});
|
|
if (!res.data.content) {
|
|
return { ok: false, reason: 'no inline content (file too large)' };
|
|
}
|
|
const content = Buffer.from(res.data.content, 'base64').toString('utf8');
|
|
const lines = content
|
|
.split('\n')
|
|
.slice(0, 20)
|
|
.filter(line => versionPattern.test(line));
|
|
return { ok: true, lines };
|
|
} catch (e) {
|
|
return { ok: false, reason: e.message };
|
|
}
|
|
}
|
|
|
|
const violations = [];
|
|
for (const file of changedPbFiles) {
|
|
const [base, head] = await Promise.all([
|
|
getVersionHeader(file.basePath, baseSha),
|
|
getVersionHeader(file.headPath, headSha),
|
|
]);
|
|
if (!base.ok || !head.ok) {
|
|
core.warning(
|
|
`Skipping ${file.headPath}: base=${base.ok ? 'ok' : base.reason}, head=${head.ok ? 'ok' : head.reason}`
|
|
);
|
|
continue;
|
|
}
|
|
if (base.lines.join('\n') !== head.lines.join('\n')) {
|
|
violations.push({
|
|
file: file.basePath === file.headPath
|
|
? file.headPath
|
|
: `${file.basePath} → ${file.headPath}`,
|
|
base: base.lines,
|
|
head: head.lines,
|
|
});
|
|
}
|
|
}
|
|
|
|
if (violations.length > 0) {
|
|
const details = violations.map(v =>
|
|
`${v.file}:\n` +
|
|
` base:\n${v.base.map(l => ' ' + l).join('\n') || ' (none)'}\n` +
|
|
` head:\n${v.head.map(l => ' ' + l).join('\n') || ' (none)'}`
|
|
).join('\n\n');
|
|
|
|
core.setFailed(
|
|
`Proto version strings changed in generated files.\n` +
|
|
`This usually means the wrong protoc or protoc-gen-go version was used.\n` +
|
|
`Regenerate with the matching tool versions.\n\n` +
|
|
details
|
|
);
|
|
return;
|
|
}
|
|
|
|
console.log('No proto version string changes detected');
|