[management] Support Extra DNS Labels for Peer Addressing (#3291)

[management] Support Extra DNS Labels for Peer Addressing

Author: hakansa

management/domain/validate.go

@@ -38,3 +38,28 @@ func ValidateDomains(domains []string) (List, error) {
 	}
 	return domainList, nil
 }
+
+// ValidateDomainsStrSlice checks if each domain in the list is valid
+func ValidateDomainsStrSlice(domains []string) ([]string, error) {
+	if len(domains) == 0 {
+		return nil, nil
+	}
+	if len(domains) > maxDomains {
+		return nil, fmt.Errorf("domains list exceeds maximum allowed domains: %d", maxDomains)
+	}
+
+	domainRegex := regexp.MustCompile(`^(?:\*\.)?(?:(?:xn--)?[a-zA-Z0-9_](?:[a-zA-Z0-9-_]{0,61}[a-zA-Z0-9])?\.)*(?:xn--)?[a-zA-Z0-9](?:[a-zA-Z0-9-_]{0,61}[a-zA-Z0-9])?$`)
+
+	var domainList []string
+
+	for _, d := range domains {
+		d := strings.ToLower(d)
+
+		if !domainRegex.MatchString(d) {
+			return domainList, fmt.Errorf("invalid domain format: %s", d)
+		}
+
+		domainList = append(domainList, d)
+	}
+	return domainList, nil
+}

management/domain/validate_test.go

@@ -1,6 +1,7 @@
 package domain
 
 import (
+	"fmt"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -95,3 +96,111 @@ func TestValidateDomains(t *testing.T) {
 		})
 	}
 }
+
+// TestValidateDomainsStrSlice tests the ValidateDomainsStrSlice function.
+func TestValidateDomainsStrSlice(t *testing.T) {
+	// Generate a slice of valid domains up to maxDomains
+	validDomains := make([]string, maxDomains)
+	for i := 0; i < maxDomains; i++ {
+		validDomains[i] = fmt.Sprintf("example%d.com", i)
+	}
+
+	tests := []struct {
+		name     string
+		domains  []string
+		expected []string
+		wantErr  bool
+	}{
+		{
+			name:     "Empty list",
+			domains:  nil,
+			expected: nil,
+			wantErr:  false,
+		},
+		{
+			name:     "Single valid ASCII domain",
+			domains:  []string{"sub.ex-ample.com"},
+			expected: []string{"sub.ex-ample.com"},
+			wantErr:  false,
+		},
+		{
+			name:     "Underscores in labels",
+			domains:  []string{"_jabber._tcp.gmail.com"},
+			expected: []string{"_jabber._tcp.gmail.com"},
+			wantErr:  false,
+		},
+		{
+			// Unlike ValidateDomains (which converts to punycode),
+			// ValidateDomainsStrSlice will fail on non-ASCII domain chars.
+			name:     "Unicode domain fails (no punycode conversion)",
+			domains:  []string{"münchen.de"},
+			expected: nil,
+			wantErr:  true,
+		},
+		{
+			name:     "Invalid domain format - leading dash",
+			domains:  []string{"-example.com"},
+			expected: nil,
+			wantErr:  true,
+		},
+		{
+			name:     "Invalid domain format - trailing dash",
+			domains:  []string{"example-.com"},
+			expected: nil,
+			wantErr:  true,
+		},
+		{
+			// The function stops on the first invalid domain and returns an error,
+			// so only the first domain is definitely valid, but the second is invalid.
+			name:     "Multiple domains with a valid one, then invalid",
+			domains:  []string{"google.com", "invalid_domain.com-"},
+			expected: []string{"google.com"},
+			wantErr:  true,
+		},
+		{
+			name:     "Valid wildcard domain",
+			domains:  []string{"*.example.com"},
+			expected: []string{"*.example.com"},
+			wantErr:  false,
+		},
+		{
+			name:     "Wildcard with leading dot - invalid",
+			domains:  []string{".*.example.com"},
+			expected: nil,
+			wantErr:  true,
+		},
+		{
+			name:     "Invalid wildcard with multiple asterisks",
+			domains:  []string{"a.*.example.com"},
+			expected: nil,
+			wantErr:  true,
+		},
+		{
+			name:     "Exactly maxDomains items (valid)",
+			domains:  validDomains,
+			expected: validDomains,
+			wantErr:  false,
+		},
+		{
+			name:     "Exceeds maxDomains items",
+			domains:  append(validDomains, "extra.com"),
+			expected: nil,
+			wantErr:  true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := ValidateDomainsStrSlice(tt.domains)
+			// Check if we got an error where expected
+			if tt.wantErr {
+				assert.Error(t, err)
+			} else {
+				assert.NoError(t, err)
+			}
+
+			// Compare the returned domains to what we expect
+			assert.Equal(t, tt.expected, got)
+		})
+	}
+}

management/server/account.go

@@ -63,7 +63,7 @@ type AccountManager interface {
 	GetOrCreateAccountByUser(ctx context.Context, userId, domain string) (*types.Account, error)
 	GetAccount(ctx context.Context, accountID string) (*types.Account, error)
 	CreateSetupKey(ctx context.Context, accountID string, keyName string, keyType types.SetupKeyType, expiresIn time.Duration,
-		autoGroups []string, usageLimit int, userID string, ephemeral bool) (*types.SetupKey, error)
+		autoGroups []string, usageLimit int, userID string, ephemeral bool, allowExtraDNSLabels bool) (*types.SetupKey, error)
 	SaveSetupKey(ctx context.Context, accountID string, key *types.SetupKey, userID string) (*types.SetupKey, error)
 	CreateUser(ctx context.Context, accountID, initiatorUserID string, key *types.UserInfo) (*types.UserInfo, error)
 	DeleteUser(ctx context.Context, accountID, initiatorUserID string, targetUserID string) error

management/server/account_test.go

@@ -1080,7 +1080,7 @@ func TestAccountManager_AddPeer(t *testing.T) {
 
 	serial := account.Network.CurrentSerial() // should be 0
 
-	setupKey, err := manager.CreateSetupKey(context.Background(), account.Id, "test-key", types.SetupKeyReusable, time.Hour, nil, 999, userID, false)
+	setupKey, err := manager.CreateSetupKey(context.Background(), account.Id, "test-key", types.SetupKeyReusable, time.Hour, nil, 999, userID, false, false)
 	if err != nil {
 		t.Fatal("error creating setup key")
 		return
@@ -1456,7 +1456,7 @@ func TestAccountManager_DeletePeer(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	setupKey, err := manager.CreateSetupKey(context.Background(), account.Id, "test-key", types.SetupKeyReusable, time.Hour, nil, 999, userID, false)
+	setupKey, err := manager.CreateSetupKey(context.Background(), account.Id, "test-key", types.SetupKeyReusable, time.Hour, nil, 999, userID, false, false)
 	if err != nil {
 		t.Fatal("error creating setup key")
 		return
@@ -2948,7 +2948,7 @@ func setupNetworkMapTest(t *testing.T) (*DefaultAccountManager, *types.Account,
 		t.Fatal(err)
 	}
 
-	setupKey, err := manager.CreateSetupKey(context.Background(), account.Id, "test-key", types.SetupKeyReusable, time.Hour, nil, 999, userID, false)
+	setupKey, err := manager.CreateSetupKey(context.Background(), account.Id, "test-key", types.SetupKeyReusable, time.Hour, nil, 999, userID, false, false)
 	if err != nil {
 		t.Fatal("error creating setup key")
 	}

management/server/grpcserver.go

@@ -481,6 +481,7 @@ func (s *GRPCServer) Login(ctx context.Context, req *proto.EncryptedMessage) (*p
 		UserID:          userID,
 		SetupKey:        loginReq.GetSetupKey(),
 		ConnectionIP:    realIP,
+		ExtraDNSLabels:  loginReq.GetDnsLabels(),
 	})
 	if err != nil {
 		log.WithContext(ctx).Warnf("failed logging in peer %s: %s", peerKey, err)

management/server/http/api/openapi.yml

@@ -361,6 +361,12 @@ components:
               description: System serial number
               type: string
               example: "C02XJ0J0JGH7"
+            extra_dns_labels:
+              description: Extra DNS labels added to the peer
+              type: array
+              items:
+                type: string
+                example: "stage-host-1"
           required:
             - city_name
             - connected
@@ -384,6 +390,7 @@ components:
             - ui_version
             - approval_required
             - serial_number
+            - extra_dns_labels
     AccessiblePeer:
       allOf:
         - $ref: '#/components/schemas/PeerMinimum'
@@ -503,6 +510,10 @@ components:
           description: Indicate that the peer will be ephemeral or not
           type: boolean
           example: true
+        allow_extra_dns_labels:
+          description: Allow extra DNS labels to be added to the peer
+          type: boolean
+          example: true
       required:
         - id
         - key
@@ -518,6 +529,7 @@ components:
         - updated_at
         - usage_limit
         - ephemeral
+        - allow_extra_dns_labels
     SetupKeyClear:
       allOf:
         - $ref: '#/components/schemas/SetupKeyBase'
@@ -587,6 +599,10 @@ components:
           description: Indicate that the peer will be ephemeral or not
           type: boolean
           example: true
+        allow_extra_dns_labels:
+          description: Allow extra DNS labels to be added to the peer
+          type: boolean
+          example: true
       required:
         - name
         - type

management/server/http/api/types.gen.go

@@ -338,6 +338,7 @@ func toSinglePeerResponse(peer *nbpeer.Peer, groupsInfo []api.GroupMinimum, dnsD
 		UserId:                      peer.UserID,
 		UiVersion:                   peer.Meta.UIVersion,
 		DnsLabel:                    fqdn(peer, dnsDomain),
+		ExtraDnsLabels:              fqdnList(peer.ExtraDNSLabels, dnsDomain),
 		LoginExpirationEnabled:      peer.LoginExpirationEnabled,
 		LastLogin:                   peer.GetLastLogin(),
 		LoginExpired:                peer.Status.LoginExpired,
@@ -372,6 +373,7 @@ func toPeerListItemResponse(peer *nbpeer.Peer, groupsInfo []api.GroupMinimum, dn
 		UserId:                 peer.UserID,
 		UiVersion:              peer.Meta.UIVersion,
 		DnsLabel:               fqdn(peer, dnsDomain),
+		ExtraDnsLabels:         fqdnList(peer.ExtraDNSLabels, dnsDomain),
 		LoginExpirationEnabled: peer.LoginExpirationEnabled,
 		LastLogin:              peer.GetLastLogin(),
 		LoginExpired:           peer.Status.LoginExpired,
@@ -392,3 +394,11 @@ func fqdn(peer *nbpeer.Peer, dnsDomain string) string {
 		return fqdn
 	}
 }
+func fqdnList(extraLabels []string, dnsDomain string) []string {
+	fqdnList := make([]string, 0, len(extraLabels))
+	for _, label := range extraLabels {
+		fqdn := fmt.Sprintf("%s.%s", label, dnsDomain)
+		fqdnList = append(fqdnList, fqdn)
+	}
+	return fqdnList
+}

management/server/http/handlers/peers/peers_handler.go

@@ -3,6 +3,7 @@ package setup_keys
 import (
 	"context"
 	"encoding/json"
+
 	"net/http"
 	"time"
 
@@ -86,8 +87,13 @@ func (h *handler) createSetupKey(w http.ResponseWriter, r *http.Request) {
 		ephemeral = *req.Ephemeral
 	}
 
+	var allowExtraDNSLabels bool
+	if req.AllowExtraDnsLabels != nil {
+		allowExtraDNSLabels = *req.AllowExtraDnsLabels
+	}
+
 	setupKey, err := h.accountManager.CreateSetupKey(r.Context(), accountID, req.Name, types.SetupKeyType(req.Type), expiresIn,
-		req.AutoGroups, req.UsageLimit, userID, ephemeral)
+		req.AutoGroups, req.UsageLimit, userID, ephemeral, allowExtraDNSLabels)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -237,19 +243,20 @@ func ToResponseBody(key *types.SetupKey) *api.SetupKey {
 	}
 
 	return &api.SetupKey{
-		Id:         key.Id,
-		Key:        key.KeySecret,
-		Name:       key.Name,
-		Expires:    key.GetExpiresAt(),
-		Type:       string(key.Type),
-		Valid:      key.IsValid(),
-		Revoked:    key.Revoked,
-		UsedTimes:  key.UsedTimes,
-		LastUsed:   key.GetLastUsed(),
-		State:      state,
-		AutoGroups: key.AutoGroups,
-		UpdatedAt:  key.UpdatedAt,
-		UsageLimit: key.UsageLimit,
-		Ephemeral:  key.Ephemeral,
+		Id:                  key.Id,
+		Key:                 key.KeySecret,
+		Name:                key.Name,
+		Expires:             key.GetExpiresAt(),
+		Type:                string(key.Type),
+		Valid:               key.IsValid(),
+		Revoked:             key.Revoked,
+		UsedTimes:           key.UsedTimes,
+		LastUsed:            key.GetLastUsed(),
+		State:               state,
+		AutoGroups:          key.AutoGroups,
+		UpdatedAt:           key.UpdatedAt,
+		UsageLimit:          key.UsageLimit,
+		Ephemeral:           key.Ephemeral,
+		AllowExtraDnsLabels: key.AllowExtraDNSLabels,
 	}
 }