рабочий вариант, но скороть 10 МБит

agents/rap-node-agent/internal/supervisor/supervisor.go

@@ -70,7 +70,7 @@ func (s StubSupervisor) applyOne(workload client.DesiredWorkload) client.Workloa
 			StatusPayload: payload,
 		}
 	}
-	if serviceType == "core-mesh" || serviceType == "mesh-listener" {
+	if serviceType == "core-mesh" || serviceType == "fabric-listener" {
 		payload["reason"] = "builtin_node_agent_service_ready"
 		payload["execution_mode"] = "builtin"
 		payload["traffic"] = serviceTrafficMode(serviceType)
@@ -143,7 +143,7 @@ func (s StubSupervisor) applyOne(workload client.DesiredWorkload) client.Workloa
 			StatusPayload: payload,
 		}
 	}
-	if (serviceType == "vpn-exit" || serviceType == "ipv4-egress" || serviceType == "vpn-client") && runtimeMode == "native" {
+	if (serviceType == "vpn-exit" || serviceType == "ipv4-egress" || serviceType == "vpn-client" || serviceType == "ipv4-ingress") && runtimeMode == "native" {
 		for key, value := range vpnFabricOnlyContract(serviceType, workload.Config) {
 			payload[key] = value
 		}
@@ -151,7 +151,7 @@ func (s StubSupervisor) applyOne(workload client.DesiredWorkload) client.Workloa
 		payload["fabric_transport"] = "quic_only"
 		payload["fabric_service_channel_required"] = true
 		payload["backend_relay_fallback"] = false
-		payload["legacy_protocol_compatibility"] = false
+		payload["compat_protocol_compatibility"] = false
 		payload["traffic"] = "fabric_service_channel_only"
 		return client.WorkloadStatusRequest{
 			ReportedState: "running",
@@ -202,8 +202,8 @@ func (s StubSupervisor) applyOne(workload client.DesiredWorkload) client.Workloa
 }
 
 func vpnFabricOnlyContract(serviceType string, config map[string]any) map[string]any {
-	role := "vpn-client"
-	reason := "vpn_client_node_contract_ready"
+	role := "ipv4-ingress"
+	reason := "ipv4_ingress_node_contract_ready"
 	serviceClass := "vpn_packets"
 	internetEgress := false
 	if serviceType == "vpn-exit" || serviceType == "ipv4-egress" {
@@ -222,7 +222,12 @@ func vpnFabricOnlyContract(serviceType string, config map[string]any) map[string
 		"allowed_cidrs":                   stringSliceConfig(config, "allowed_cidrs"),
 		"dns_servers":                     stringSliceConfig(config, "dns_servers"),
 		"client_policy_source":            stringConfig(config, "client_policy_source", "fabric_access_policy"),
-		"android_node_supported":          serviceType == "vpn-client",
+		"legacy_role_alias":               "vpn-client",
+		"node_core":                       "same_fabric_core_all_platforms",
+		"platform_adapter_scope":          "local_packet_io_only",
+		"android_node_supported":          serviceType == "vpn-client" || serviceType == "ipv4-ingress",
+		"linux_node_supported":            serviceType == "vpn-client" || serviceType == "ipv4-ingress",
+		"windows_node_supported":          serviceType == "vpn-client" || serviceType == "ipv4-ingress",
 		"ipv4_exit_supported":             internetEgress,
 		"fabric_service_channel_required": true,
 		"packet_runtime_status":           "fabric_channel_binding_pending_runtime",
@@ -237,7 +242,7 @@ func vpnServiceBindingContract(serviceType string, config map[string]any) map[st
 			"type":                         "ipv4_egress",
 			"accepts_service_class":        "vpn_packets",
 			"accepts_from_fabric_only":     true,
-			"legacy_protocol_listener":     false,
+			"compat_protocol_listener":     false,
 			"exit_pool_id":                 stringConfig(config, "pool_id", ""),
 			"region":                       stringConfig(config, "region", ""),
 			"allowed_cidrs":                stringSliceConfig(config, "allowed_cidrs"),
@@ -248,7 +253,7 @@ func vpnServiceBindingContract(serviceType string, config map[string]any) map[st
 	}
 	return map[string]any{
 		"type":                         "local_ipv4_ingress",
-		"accepts_from":                 []string{"android_vpnservice_tun", "linux_tun", "host_service_port"},
+		"accepts_from":                 []string{"android_vpnservice_tun", "linux_tun", "windows_wintun", "host_service_port"},
 		"service_class":                "vpn_packets",
 		"exit_selection":               "pool",
 		"preferred_exit_pool_id":       stringConfig(config, "exit_pool_id", ""),
@@ -256,8 +261,10 @@ func vpnServiceBindingContract(serviceType string, config map[string]any) map[st
 		"listen_udp_ports":             intSliceConfig(config, "listen_udp_ports"),
 		"tun_required":                 true,
 		"route_authority":              "fabric_farm",
-		"legacy_protocol_listener":     false,
+		"compat_protocol_listener":     false,
 		"requires_fabric_node_runtime": true,
+		"traffic_visibility":           "opaque_ipv4_packets",
+		"flow_distribution":            "opaque_packet_hash_shards",
 	}
 }
 
@@ -266,12 +273,10 @@ func webIngressListenerConfig(serviceType string, config map[string]any) webingr
 		RuntimeConfig: webingress.RuntimeConfig{
 			ServiceType:    serviceType,
 			Scope:          stringConfig(config, "scope", ""),
-			ServiceClasses: stringSliceConfig(config, "service_classes"),
+			ServiceClasses: webIngressServiceClasses(serviceType, config),
 			TLSMode:        stringConfig(config, "tls_mode", "terminate"),
-			HTTPPort:       intConfig(config, "listen_http_port", 80),
 			HTTPSPort:      intConfig(config, "listen_https_port", 443),
 		},
-		HTTPAddr:    stringConfig(config, "listen_http_addr", ":80"),
 		HTTPSAddr:   stringConfig(config, "listen_https_addr", ":443"),
 		TLSCertFile: stringConfig(config, "tls_cert_file", ""),
 		TLSKeyFile:  stringConfig(config, "tls_key_file", ""),
@@ -279,17 +284,13 @@ func webIngressListenerConfig(serviceType string, config map[string]any) webingr
 }
 
 func (s StubSupervisor) webIngressContract(serviceType string, config map[string]any) map[string]any {
-	httpPort := intConfig(config, "listen_http_port", 80)
 	httpsPort := intConfig(config, "listen_https_port", 443)
 	tlsMode := strings.TrimSpace(stringConfig(config, "tls_mode", "terminate"))
-	serviceClasses := stringSliceConfig(config, "service_classes")
+	serviceClasses := webIngressServiceClasses(serviceType, config)
 	scope := strings.TrimSpace(stringConfig(config, "scope", ""))
 	realListenerRequested := boolConfig(config, "real_listener_enabled")
 	allowedClasses := webIngressAllowedServiceClasses(serviceType)
 	missing := []string{}
-	if httpPort != 80 {
-		missing = append(missing, "listen_http_port_must_be_80")
-	}
 	if httpsPort != 443 {
 		missing = append(missing, "listen_https_port_must_be_443")
 	}
@@ -315,14 +316,13 @@ func (s StubSupervisor) webIngressContract(serviceType string, config map[string
 		"authority_service":               false,
 		"fabric_transport":                "quic_only",
 		"http_between_fabric_nodes":       false,
-		"listen_http_port":                httpPort,
 		"listen_https_port":               httpsPort,
 		"tls_mode":                        tlsMode,
 		"scope":                           scope,
 		"service_classes":                 serviceClasses,
 		"allowed_service_classes":         allowedClasses,
 		"fabric_service_channel_required": true,
-		"runtime_roles_required":          webIngressRuntimeRoles(serviceClasses),
+		"runtime_fabric_functions":        webIngressFabricFunctions(serviceType, serviceClasses),
 		"payload_forwarding":              "contract_only",
 		"real_listener_requested":         realListenerRequested,
 		"real_listener_runtime_enabled":   s.WebIngressRuntimeEnabled,
@@ -346,26 +346,41 @@ func (s StubSupervisor) webIngressContract(serviceType string, config map[string
 
 func webIngressAllowedServiceClasses(serviceType string) []string {
 	if serviceType == "admin-ingress" {
-		return []string{"platform_admin", "cluster_admin"}
+		return []string{"admin-ingress"}
 	}
-	return []string{"organization_portal", "user_portal"}
+	return []string{"public-ingress"}
 }
 
-func webIngressRuntimeRoles(serviceClasses []string) []string {
-	roles := []string{}
-	for _, serviceClass := range serviceClasses {
+func webIngressServiceClasses(serviceType string, config map[string]any) []string {
+	raw := stringSliceConfig(config, "service_classes")
+	if len(raw) == 0 {
+		return webIngressAllowedServiceClasses(serviceType)
+	}
+	out := []string{}
+	for _, serviceClass := range raw {
+		serviceClass = strings.TrimSpace(serviceClass)
 		switch serviceClass {
-		case "platform_admin":
-			roles = append(roles, "global-admin-runtime", "identity-runtime", "policy-authority", "audit-sink")
-		case "cluster_admin":
-			roles = append(roles, "cluster-admin-runtime", "identity-runtime", "policy-authority", "audit-sink")
-		case "organization_portal":
-			roles = append(roles, "organization-portal-runtime", "identity-runtime", "policy-authority", "audit-sink")
-		case "user_portal":
-			roles = append(roles, "user-portal-runtime", "identity-runtime", "policy-authority", "audit-sink")
+		case "admin-ingress", "public-ingress":
+			out = append(out, serviceClass)
 		}
 	}
-	return dedupeStrings(roles)
+	if len(out) == 0 {
+		return webIngressAllowedServiceClasses(serviceType)
+	}
+	return dedupeStrings(out)
+}
+
+func webIngressFabricFunctions(serviceType string, serviceClasses []string) []string {
+	functions := []string{serviceType}
+	for _, serviceClass := range serviceClasses {
+		switch serviceClass {
+		case "admin-ingress":
+			functions = append(functions, "admin-ingress")
+		case "public-ingress":
+			functions = append(functions, "public-ingress")
+		}
+	}
+	return dedupeStrings(functions)
 }
 
 func boolConfig(values map[string]any, key string) bool {
@@ -732,7 +747,7 @@ func serviceTrafficMode(serviceType string) string {
 	switch serviceType {
 	case "core-mesh":
 		return "fabric_control"
-	case "mesh-listener":
+	case "fabric-listener":
 		return "entry_listener"
 	default:
 		return "unknown"

agents/rap-node-agent/internal/supervisor/supervisor_test.go

@@ -2,7 +2,16 @@ package supervisor
 
 import (
 	"context"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"math/big"
+	"os"
+	"path/filepath"
 	"testing"
+	"time"
 
 	"github.com/example/remote-access-platform/agents/rap-node-agent/internal/client"
 	"github.com/example/remote-access-platform/agents/rap-node-agent/internal/webingress"
@@ -56,7 +65,7 @@ func TestStubSupervisorRunsInternalSyntheticEchoWorkload(t *testing.T) {
 func TestStubSupervisorReportsBuiltinFabricServicesRunning(t *testing.T) {
 	statuses, err := (StubSupervisor{Version: "test"}).Apply(context.Background(), []client.DesiredWorkload{
 		{ServiceType: "core-mesh", DesiredState: "enabled", RuntimeMode: "container"},
-		{ServiceType: "mesh-listener", DesiredState: "enabled", RuntimeMode: "container"},
+		{ServiceType: "fabric-listener", DesiredState: "enabled", RuntimeMode: "container"},
 	})
 	if err != nil {
 		t.Fatalf("apply desired workload: %v", err)
@@ -88,7 +97,7 @@ func TestStubSupervisorReportsVPNFabricOnlyContractsRunning(t *testing.T) {
 			},
 		},
 		{
-			ServiceType:  "vpn-client",
+			ServiceType:  "ipv4-ingress",
 			DesiredState: "enabled",
 			RuntimeMode:  "native",
 			Config: map[string]any{
@@ -117,14 +126,18 @@ func TestStubSupervisorReportsVPNFabricOnlyContractsRunning(t *testing.T) {
 		if status.StatusPayload["backend_relay_fallback"] != false {
 			t.Fatalf("backend_relay_fallback = %v", status.StatusPayload["backend_relay_fallback"])
 		}
-		if status.StatusPayload["legacy_protocol_compatibility"] != false {
-			t.Fatalf("legacy_protocol_compatibility = %v", status.StatusPayload["legacy_protocol_compatibility"])
+		if status.StatusPayload["compat_protocol_compatibility"] != false {
+			t.Fatalf("compat_protocol_compatibility = %v", status.StatusPayload["compat_protocol_compatibility"])
 		}
 	}
 	if statuses[0].StatusPayload["role"] != "ipv4-egress" || statuses[0].StatusPayload["internet_egress"] != true {
 		t.Fatalf("ipv4 egress payload = %#v", statuses[0].StatusPayload)
 	}
-	if statuses[1].StatusPayload["role"] != "vpn-client" || statuses[1].StatusPayload["android_node_supported"] != true {
+	if statuses[1].StatusPayload["role"] != "ipv4-ingress" ||
+		statuses[1].StatusPayload["legacy_role_alias"] != "vpn-client" ||
+		statuses[1].StatusPayload["android_node_supported"] != true ||
+		statuses[1].StatusPayload["linux_node_supported"] != true ||
+		statuses[1].StatusPayload["windows_node_supported"] != true {
 		t.Fatalf("vpn client payload = %#v", statuses[1].StatusPayload)
 	}
 	exitBinding := statuses[0].StatusPayload["service_binding"].(map[string]any)
@@ -132,9 +145,12 @@ func TestStubSupervisorReportsVPNFabricOnlyContractsRunning(t *testing.T) {
 		t.Fatalf("ipv4 egress binding = %#v", exitBinding)
 	}
 	clientBinding := statuses[1].StatusPayload["service_binding"].(map[string]any)
-	if clientBinding["type"] != "local_ipv4_ingress" || clientBinding["preferred_exit_pool_id"] != "us-los-angeles-ipv4" || clientBinding["legacy_protocol_listener"] != false {
+	if clientBinding["type"] != "local_ipv4_ingress" || clientBinding["preferred_exit_pool_id"] != "us-los-angeles-ipv4" || clientBinding["compat_protocol_listener"] != false {
 		t.Fatalf("vpn client binding = %#v", clientBinding)
 	}
+	if clientBinding["traffic_visibility"] != "opaque_ipv4_packets" || clientBinding["flow_distribution"] != "opaque_packet_hash_shards" {
+		t.Fatalf("ipv4 ingress binding should be opaque: %#v", clientBinding)
+	}
 	if got := clientBinding["listen_tcp_ports"].([]int); len(got) != 2 || got[0] != 443 || got[1] != 8443 {
 		t.Fatalf("listen_tcp_ports = %#v", got)
 	}
@@ -150,11 +166,10 @@ func TestStubSupervisorReportsWebIngressContractReady(t *testing.T) {
 			DesiredState: "enabled",
 			RuntimeMode:  "native",
 			Config: map[string]any{
-				"listen_http_port":  80,
 				"listen_https_port": 443,
 				"tls_mode":          "terminate",
 				"scope":             "platform",
-				"service_classes":   []any{"platform_admin", "cluster_admin"},
+				"service_classes":   []any{"admin-ingress", "admin-ingress"},
 			},
 		},
 	})
@@ -175,9 +190,9 @@ func TestStubSupervisorReportsWebIngressContractReady(t *testing.T) {
 		payload["ports_opened_by_stub"] != false {
 		t.Fatalf("unexpected payload: %#v", payload)
 	}
-	roles, ok := payload["runtime_roles_required"].([]string)
-	if !ok || !containsString(roles, "global-admin-runtime") || !containsString(roles, "policy-authority") {
-		t.Fatalf("runtime roles = %#v", payload["runtime_roles_required"])
+	functions, ok := payload["runtime_fabric_functions"].([]string)
+	if !ok || !containsString(functions, "admin-ingress") {
+		t.Fatalf("runtime fabric functions = %#v", payload["runtime_fabric_functions"])
 	}
 }
 
@@ -188,11 +203,10 @@ func TestStubSupervisorBlocksWebIngressRealListenerWithoutRuntimeGate(t *testing
 			DesiredState: "enabled",
 			RuntimeMode:  "native",
 			Config: map[string]any{
-				"listen_http_port":      80,
 				"listen_https_port":     443,
 				"tls_mode":              "terminate",
 				"scope":                 "platform",
-				"service_classes":       []any{"platform_admin"},
+				"service_classes":       []any{"admin-ingress"},
 				"real_listener_enabled": true,
 			},
 		},
@@ -220,11 +234,10 @@ func TestStubSupervisorAllowsWebIngressRealListenerGateButDoesNotOpenPorts(t *te
 			DesiredState: "enabled",
 			RuntimeMode:  "native",
 			Config: map[string]any{
-				"listen_http_port":      80,
 				"listen_https_port":     443,
 				"tls_mode":              "terminate",
 				"scope":                 "platform",
-				"service_classes":       []any{"platform_admin"},
+				"service_classes":       []any{"admin-ingress"},
 				"real_listener_enabled": true,
 			},
 		},
@@ -245,6 +258,8 @@ func TestStubSupervisorAllowsWebIngressRealListenerGateButDoesNotOpenPorts(t *te
 }
 
 func TestStubSupervisorStartsWebIngressManagerWhenRealListenerAllowed(t *testing.T) {
+	dir := t.TempDir()
+	certFile, keyFile := writeSelfSignedCert(t, dir)
 	manager := webingress.NewManager()
 	statuses, err := (StubSupervisor{Version: "test", WebIngressRuntimeEnabled: true, WebIngressManager: manager}).Apply(context.Background(), []client.DesiredWorkload{
 		{
@@ -252,13 +267,13 @@ func TestStubSupervisorStartsWebIngressManagerWhenRealListenerAllowed(t *testing
 			DesiredState: "enabled",
 			RuntimeMode:  "native",
 			Config: map[string]any{
-				"listen_http_port":      80,
 				"listen_https_port":     443,
-				"listen_http_addr":      "127.0.0.1:0",
 				"listen_https_addr":     "127.0.0.1:0",
 				"tls_mode":              "terminate",
+				"tls_cert_file":         certFile,
+				"tls_key_file":          keyFile,
 				"scope":                 "platform",
-				"service_classes":       []any{"platform_admin"},
+				"service_classes":       []any{"admin-ingress"},
 				"real_listener_enabled": true,
 			},
 		},
@@ -266,7 +281,7 @@ func TestStubSupervisorStartsWebIngressManagerWhenRealListenerAllowed(t *testing
 	if err != nil {
 		t.Fatalf("apply desired workload: %v", err)
 	}
-	if statuses[0].ReportedState != "degraded" {
+	if statuses[0].ReportedState != "running" {
 		t.Fatalf("ReportedState = %q", statuses[0].ReportedState)
 	}
 	payload := statuses[0].StatusPayload
@@ -274,15 +289,44 @@ func TestStubSupervisorStartsWebIngressManagerWhenRealListenerAllowed(t *testing
 	if !ok {
 		t.Fatalf("listener_status = %#v", payload["listener_status"])
 	}
-	if !listenerStatus.HTTPRunning || listenerStatus.HTTPSRunning || listenerStatus.HTTPAddr == "" {
+	if !listenerStatus.HTTPSRunning || listenerStatus.HTTPSAddr == "" {
 		t.Fatalf("listener status = %+v", listenerStatus)
 	}
-	if payload["reason"] != "web_ingress_listener_partial" || payload["ports_opened_by_runtime"] != true || payload["ports_opened_by_stub"] != false {
+	if payload["reason"] != "web_ingress_contract_ready" || payload["ports_opened_by_runtime"] != true || payload["ports_opened_by_stub"] != false {
 		t.Fatalf("payload = %#v", payload)
 	}
 	_ = manager.Stop(context.Background())
 }
 
+func writeSelfSignedCert(t *testing.T, dir string) (string, string) {
+	t.Helper()
+	key, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		t.Fatalf("generate key: %v", err)
+	}
+	template := x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject:      pkix.Name{CommonName: "localhost"},
+		NotBefore:    time.Now().Add(-time.Hour),
+		NotAfter:     time.Now().Add(time.Hour),
+		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		DNSNames:     []string{"localhost"},
+	}
+	der, err := x509.CreateCertificate(rand.Reader, &template, &template, &key.PublicKey, key)
+	if err != nil {
+		t.Fatalf("create cert: %v", err)
+	}
+	certFile := filepath.Join(dir, "cert.pem")
+	keyFile := filepath.Join(dir, "key.pem")
+	if err := os.WriteFile(certFile, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600); err != nil {
+		t.Fatalf("write cert: %v", err)
+	}
+	if err := os.WriteFile(keyFile, pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}), 0o600); err != nil {
+		t.Fatalf("write key: %v", err)
+	}
+	return certFile, keyFile
+}
+
 func TestStubSupervisorBlocksInvalidWebIngressContract(t *testing.T) {
 	statuses, err := (StubSupervisor{Version: "test"}).Apply(context.Background(), []client.DesiredWorkload{
 		{
@@ -290,10 +334,9 @@ func TestStubSupervisorBlocksInvalidWebIngressContract(t *testing.T) {
 			DesiredState: "enabled",
 			RuntimeMode:  "native",
 			Config: map[string]any{
-				"listen_http_port":  8080,
-				"listen_https_port": 443,
+				"listen_https_port": 444,
 				"scope":             "organization",
-				"service_classes":   []any{"platform_admin"},
+				"service_classes":   []any{"admin-ingress"},
 			},
 		},
 	})
@@ -308,7 +351,7 @@ func TestStubSupervisorBlocksInvalidWebIngressContract(t *testing.T) {
 		t.Fatalf("unexpected payload: %#v", payload)
 	}
 	missing, ok := payload["missing_checks"].([]string)
-	if !ok || !containsString(missing, "listen_http_port_must_be_80") || !containsString(missing, "service_class_not_allowed:platform_admin") {
+	if !ok || !containsString(missing, "listen_https_port_must_be_443") || !containsString(missing, "service_class_not_allowed:admin-ingress") {
 		t.Fatalf("missing checks = %#v", payload["missing_checks"])
 	}
 }