1

2026-05-14 23:30:34 +03:00
parent 26cb65e936
commit 04c46042d9
239 changed files with 34102 additions and 438 deletions
@@ -732,7 +732,7 @@ func TestGetVPNClientProfileEnsuresFabricVPNPacketRouteIntents(t *testing.T) {
 	if !ok {
 		t.Fatalf("missing vpn_dataplane_session in %#v", cfg)
 	}
-	if session["preferred_transport"] != "fabric_packet_quic_v1" || session["fallback_transport"] != "backend_http_packet_relay" {
+	if session["preferred_transport"] != "fabric_service_channel_v1" || session["fallback_transport"] != "none" || session["backend_relay_allowed"] != false {
 		t.Fatalf("unexpected dataplane session transports: %#v", session)
 	}
 	if session["entry_node_id"] != "entry-1" || session["exit_node_id"] != "exit-1" {
@@ -811,7 +811,7 @@ func TestGetVPNClientProfileForwardsPreferredExit(t *testing.T) {
 	}
 }

-func TestVPNDirectHTTPEntryTransportWaitsForLocalGatewayShortcutWhenEntryIsExit(t *testing.T) {
+func TestVPNDirectHTTPEntryTransportUsesFarmLocalRouteWhenEntryIsExit(t *testing.T) {
 	candidate := vpnDirectHTTPEntryTransportCandidate(vpnClientFabricRoute{
 		SelectedEntryNodeID: "node-1",
 		SelectedExitNodeID:  "node-1",
@@ -823,12 +823,12 @@ func TestVPNDirectHTTPEntryTransportWaitsForLocalGatewayShortcutWhenEntryIsExit(
 	if candidate == nil {
 		t.Fatal("candidate is nil")
 	}
-	if candidate["safe_client_switch"] != false || candidate["status"] != "available_local_gateway_shortcut_pending" {
-		t.Fatalf("unexpected local shortcut guard: %#v", candidate)
+	if candidate["safe_client_switch"] != true || candidate["status"] != "available_farm_local_route" {
+		t.Fatalf("unexpected farm local route guard: %#v", candidate)
 	}
 }

-func TestVPNDirectHTTPEntryTransportAllowsLocalGatewayShortcutWhenReported(t *testing.T) {
+func TestVPNDirectHTTPEntryTransportIgnoresLegacyLocalGatewayShortcut(t *testing.T) {
 	candidate := vpnDirectHTTPEntryTransportCandidate(vpnClientFabricRoute{
 		SelectedEntryNodeID: "node-1",
 		SelectedExitNodeID:  "node-1",
@@ -841,8 +841,8 @@ func TestVPNDirectHTTPEntryTransportAllowsLocalGatewayShortcutWhenReported(t *te
 	if candidate == nil {
 		t.Fatal("candidate is nil")
 	}
-	if candidate["safe_client_switch"] != true || candidate["status"] != "available_local_gateway_shortcut" {
-		t.Fatalf("unexpected local shortcut candidate: %#v", candidate)
+	if candidate["safe_client_switch"] != true || candidate["status"] != "available_farm_local_route" {
+		t.Fatalf("unexpected farm route candidate: %#v", candidate)
 	}
 }

@@ -3152,6 +3152,68 @@ func TestListNodeVPNAssignmentsDoesNotRequirePlatformAdmin(t *testing.T) {
 	}
 }

+func TestAcquireNodeVPNAssignmentLeaseAllowsEligibleCandidateWithoutPlatformAdmin(t *testing.T) {
+	store := &fakeRepository{
+		platformRole: "user",
+		vpnConnection: VPNConnection{
+			ID:           "vpn-1",
+			ClusterID:    "cluster-1",
+			Mode:         VPNConnectionModeSingleActive,
+			DesiredState: VPNConnectionDesiredEnabled,
+		},
+		nodeVPNAssignments: []NodeVPNAssignment{
+			{
+				VPNConnectionID:  "vpn-1",
+				ClusterID:        "cluster-1",
+				OrganizationID:   "org-1",
+				DesiredState:     VPNConnectionDesiredEnabled,
+				AssignmentReason: "eligible_candidate",
+			},
+		},
+	}
+	service := NewService(store)
+
+	lease, err := service.AcquireNodeVPNAssignmentLease(context.Background(), AcquireNodeVPNAssignmentLeaseInput{
+		ClusterID:       "cluster-1",
+		VPNConnectionID: "vpn-1",
+		OwnerNodeID:     "node-1",
+		TTL:             time.Minute,
+		Metadata:        json.RawMessage(`{"reason":"test"}`),
+	})
+	if err != nil {
+		t.Fatalf("acquire node vpn assignment lease: %v", err)
+	}
+	if lease.OwnerNodeID != "node-1" || lease.VPNConnectionID != "vpn-1" || lease.Status != VPNLeaseStatusActive {
+		t.Fatalf("unexpected lease: %+v", lease)
+	}
+}
+
+func TestAcquireNodeVPNAssignmentLeaseRejectsInvisibleAssignment(t *testing.T) {
+	store := &fakeRepository{
+		platformRole: "user",
+		vpnConnection: VPNConnection{
+			ID:           "vpn-1",
+			ClusterID:    "cluster-1",
+			Mode:         VPNConnectionModeSingleActive,
+			DesiredState: VPNConnectionDesiredEnabled,
+		},
+		nodeVPNAssignments: []NodeVPNAssignment{
+			{VPNConnectionID: "other-vpn", ClusterID: "cluster-1", AssignmentReason: "eligible_candidate"},
+		},
+	}
+	service := NewService(store)
+
+	_, err := service.AcquireNodeVPNAssignmentLease(context.Background(), AcquireNodeVPNAssignmentLeaseInput{
+		ClusterID:       "cluster-1",
+		VPNConnectionID: "vpn-1",
+		OwnerNodeID:     "node-1",
+		TTL:             time.Minute,
+	})
+	if !errors.Is(err, ErrVPNLeaseOwnerNotAllowed) {
+		t.Fatalf("err = %v, want ErrVPNLeaseOwnerNotAllowed", err)
+	}
+}
+
 func TestRenewNodeVPNAssignmentLeaseAllowsActiveOwnerWithoutPlatformAdmin(t *testing.T) {
 	store := &fakeRepository{
 		platformRole: "user",
@@ -6051,18 +6113,24 @@ func TestGetNodeSyntheticMeshConfigReportsRebuildPendingWhenNoAlternateExists(t
 	if err != nil {
 		t.Fatalf("synthetic config: %v", err)
 	}
-	if containsRouteID(cfg.Routes, "route-bad") {
-		t.Fatalf("fenced route should be withheld while rebuild is pending: %+v", cfg.Routes)
+	if !containsRouteID(cfg.Routes, "route-bad") {
+		t.Fatalf("fenced route should be retained until an alternate exists: %+v", cfg.Routes)
 	}
-	if cfg.RoutePathDecisions == nil || cfg.RoutePathDecisions.RebuildRequestCount != 1 || cfg.RoutePathDecisions.DegradedDecisionCount != 1 {
+	if cfg.RoutePathDecisions == nil || cfg.RoutePathDecisions.RebuildRequestCount != 1 || cfg.RoutePathDecisions.DegradedDecisionCount != 0 {
 		t.Fatalf("expected rebuild/degraded decision counts: %+v", cfg.RoutePathDecisions)
 	}
-	decision := cfg.RoutePathDecisions.Decisions[0]
-	if decision.DecisionSource != "service_channel_feedback_no_alternate" ||
-		decision.RebuildStatus != "pending_degraded_fallback" ||
+	var decision RoutePathDecision
+	for _, item := range cfg.RoutePathDecisions.Decisions {
+		if item.DecisionSource == "service_channel_feedback_no_alternate_keep_primary" {
+			decision = item
+			break
+		}
+	}
+	if decision.DecisionSource != "service_channel_feedback_no_alternate_keep_primary" ||
+		decision.RebuildStatus != "requested" ||
 		decision.RebuildRequestID == "" ||
 		decision.RebuildAttempt != 3 ||
-		!containsString(decision.ScoreReasons, "backend_relay_degraded_fallback_until_rebuild") {
+		!containsString(decision.ScoreReasons, "primary_route_retained_until_rebuild") {
 		t.Fatalf("unexpected rebuild decision: %+v", decision)
 	}
 }