Refactor RDP proxy handling and update related tests

2026-05-17 20:38:35 +03:00
parent 8e9402580f
commit d551e57fd5
172 changed files with 22117 additions and 2509 deletions
@@ -2,6 +2,7 @@ package mesh

 import (
 	"context"
+	"fmt"
 	"net/http"
 	"strings"
 	"sync"
@@ -25,6 +26,8 @@ type PeerConnectionManagerConfig struct {
 	Tracker          *PeerConnectionTracker
 	RendezvousLeases []PeerRendezvousLease
 	HTTPClient       *http.Client
+	QUICTransport    *QUICFabricTransport
+	PreferredRegion  string
 	ProbeTimeout     time.Duration
 	Now              func() time.Time
 }
@@ -35,6 +38,8 @@ type PeerConnectionManager struct {
 	tracker          *PeerConnectionTracker
 	rendezvousLeases []PeerRendezvousLease
 	httpClient       *http.Client
+	quicTransport    *QUICFabricTransport
+	preferredRegion  string
 	probeTimeout     time.Duration
 	now              func() time.Time

@@ -101,9 +106,10 @@ type PeerConnectionCandidateProbeResult struct {
 }

 type peerConnectionProbeTarget struct {
-	CandidateID string
-	Endpoint    string
-	Transport   string
+	CandidateID    string
+	Endpoint       string
+	Transport      string
+	PeerCertSHA256 string
 }

 func NewPeerConnectionManager(cfg PeerConnectionManagerConfig) *PeerConnectionManager {
@@ -132,6 +138,8 @@ func NewPeerConnectionManager(cfg PeerConnectionManagerConfig) *PeerConnectionMa
 		tracker:          cfg.Tracker,
 		rendezvousLeases: append([]PeerRendezvousLease{}, cfg.RendezvousLeases...),
 		httpClient:       httpClient,
+		quicTransport:    cfg.QUICTransport,
+		preferredRegion:  strings.TrimSpace(cfg.PreferredRegion),
 		probeTimeout:     probeTimeout,
 		now:              now,
 	}
@@ -155,6 +163,7 @@ func (m *PeerConnectionManager) ProbeOnce(ctx context.Context) PeerConnectionMan
 		PeerCache:        peerSnapshot,
 		RecoveryPlan:     recoveryPlan,
 		RendezvousLeases: rendezvousLeases,
+		PreferredRegion:  m.preferredRegion,
 		Now:              startedAt,
 	})
 	entriesByNode := map[string]PeerCacheEntry{}
@@ -215,6 +224,15 @@ func (m *PeerConnectionManager) UpdatePeerConfig(peerCache *PeerCache, rendezvou
 	m.rendezvousLeases = append([]PeerRendezvousLease{}, rendezvousLeases...)
 }

+func (m *PeerConnectionManager) UpdateQUICTransport(transport *QUICFabricTransport) {
+	if m == nil {
+		return
+	}
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	m.quicTransport = transport
+}
+
 func (m *PeerConnectionManager) peerConfigSnapshot() (*PeerCache, []PeerRendezvousLease) {
 	if m == nil {
 		return nil, nil
@@ -242,17 +260,18 @@ func (m *PeerConnectionManager) probeIntent(ctx context.Context, intent PeerConn
 		StartedAt:          startedAt,
 	}
 	peer := PeerCacheEntry{
-		NodeID:            intent.NodeID,
-		Endpoint:          intent.Endpoint,
-		Warm:              true,
-		WarmReason:        intent.Reason,
-		RecoverySeed:      intent.RecoverySeed,
-		BestCandidateID:   intent.BestCandidateID,
-		BestTransport:     intent.Transport,
-		RendezvousLeaseID: intent.RendezvousLeaseID,
-		RelayNodeID:       intent.RelayNodeID,
-		RelayEndpoint:     intent.RelayEndpoint,
-		RelayControl:      intent.RelayCandidate,
+		NodeID:             intent.NodeID,
+		Endpoint:           intent.Endpoint,
+		Warm:               true,
+		WarmReason:         intent.Reason,
+		RecoverySeed:       intent.RecoverySeed,
+		BestCandidateID:    intent.BestCandidateID,
+		BestTransport:      intent.Transport,
+		RendezvousLeaseID:  intent.RendezvousLeaseID,
+		RelayNodeID:        intent.RelayNodeID,
+		RelayEndpoint:      intent.RelayEndpoint,
+		RelayControl:       intent.RelayCandidate,
+		BestPeerCertSHA256: firstNonEmpty(intent.BestPeerCertSHA256, cacheEntry.BestPeerCertSHA256),
 	}
 	if intent.RequiresRendezvous {
 		result.LinkStatus = PeerConnectionProbeDeferred
@@ -282,13 +301,12 @@ func (m *PeerConnectionManager) probeIntent(ctx context.Context, intent PeerConn
 		ClusterID: m.local.ClusterID,
 		NodeID:    intent.NodeID,
 	}
-	if intent.RelayCandidate && intent.RelayNodeID != "" {
-		target.NodeID = intent.RelayNodeID
-	}
+	target.NodeID = peerConnectionProbeTargetNodeID(intent, m.local.NodeID)
 	targets := []peerConnectionProbeTarget{{
-		CandidateID: intent.BestCandidateID,
-		Endpoint:    intent.Endpoint,
-		Transport:   intent.Transport,
+		CandidateID:    intent.BestCandidateID,
+		Endpoint:       intent.Endpoint,
+		Transport:      intent.Transport,
+		PeerCertSHA256: intent.BestPeerCertSHA256,
 	}}
 	if intent.DirectCandidate {
 		targets = peerConnectionProbeTargets(intent, cacheEntry)
@@ -300,13 +318,14 @@ func (m *PeerConnectionManager) probeIntent(ctx context.Context, intent PeerConn
 		probePeer.BestCandidateID = strings.TrimSpace(probeTarget.CandidateID)
 		probePeer.BestCandidateAddr = probePeer.Endpoint
 		probePeer.BestTransport = strings.TrimSpace(probeTarget.Transport)
+		probePeer.BestPeerCertSHA256 = firstNonEmpty(probeTarget.PeerCertSHA256, probePeer.BestPeerCertSHA256)
 		if probePeer.Endpoint == "" {
 			continue
 		}
 		candidateStartedAt := normalizedNow(m.now())
 		m.tracker.BeginProbe(probePeer, candidateStartedAt)
 		probeCtx, cancel := context.WithTimeout(ctx, m.probeTimeout)
-		_, err := NewClient(probePeer.Endpoint).withHTTPClient(m.httpClient).SendHealth(probeCtx, NewHealthMessage(m.local, target))
+		err := m.probePeerTarget(probeCtx, probePeer, target)
 		cancel()
 		completedAt := normalizedNow(m.now())
 		candidateResult := PeerConnectionCandidateProbeResult{
@@ -354,47 +373,97 @@ func (m *PeerConnectionManager) probeIntent(ctx context.Context, intent PeerConn
 	return result
 }

+func peerConnectionProbeTargetNodeID(intent PeerConnectionIntent, localNodeID string) string {
+	if intent.RelayCandidate && strings.TrimSpace(intent.RelayNodeID) != "" && strings.TrimSpace(intent.RelayNodeID) != strings.TrimSpace(localNodeID) {
+		return intent.RelayNodeID
+	}
+	return intent.NodeID
+}
+
+func (m *PeerConnectionManager) probePeerTarget(ctx context.Context, probePeer PeerCacheEntry, target PeerIdentity) error {
+	endpoint := strings.TrimRight(strings.TrimSpace(probePeer.Endpoint), "/")
+	transport := strings.TrimSpace(probePeer.BestTransport)
+	if hasLegacyEndpointScheme(endpoint) {
+		return fmt.Errorf("non_quic_probe_rejected")
+	}
+	if peerConnectionTargetIsQUIC(transport, endpoint) {
+		carrier, selectedTarget, err := FabricTransportForTarget(FabricTransportTarget{
+			EndpointID:     probePeer.BestCandidateID,
+			PeerID:         target.NodeID,
+			Endpoint:       endpoint,
+			Transport:      transport,
+			Timeout:        m.probeTimeout,
+			PeerCertSHA256: strings.TrimSpace(probePeer.BestPeerCertSHA256),
+		}, m.quicTransport)
+		if err != nil {
+			return err
+		}
+		session, err := carrier.Connect(ctx, selectedTarget)
+		if err != nil {
+			return err
+		}
+		return session.Close()
+	}
+	return fmt.Errorf("non_quic_probe_rejected")
+}
+
 func peerConnectionProbeTargets(intent PeerConnectionIntent, cacheEntry PeerCacheEntry) []peerConnectionProbeTarget {
 	seen := map[string]struct{}{}
 	out := make([]peerConnectionProbeTarget, 0, len(cacheEntry.EndpointCandidates)+1)
-	add := func(candidateID, endpoint, transport string) {
+	add := func(candidateID, endpoint, transport, peerCertSHA256 string) {
 		endpoint = strings.TrimRight(strings.TrimSpace(endpoint), "/")
 		if endpoint == "" {
 			return
 		}
+		if endpointHasUnspecifiedHost(endpoint) {
+			return
+		}
 		key := candidateID + "|" + endpoint
 		if _, ok := seen[key]; ok {
 			return
 		}
 		seen[key] = struct{}{}
 		out = append(out, peerConnectionProbeTarget{
-			CandidateID: strings.TrimSpace(candidateID),
-			Endpoint:    endpoint,
-			Transport:   strings.TrimSpace(transport),
+			CandidateID:    strings.TrimSpace(candidateID),
+			Endpoint:       endpoint,
+			Transport:      strings.TrimSpace(transport),
+			PeerCertSHA256: strings.TrimSpace(peerCertSHA256),
 		})
 	}
 	for _, candidate := range cacheEntry.EndpointCandidates {
 		if !candidateUsableForDirectProbe(candidate) {
 			continue
 		}
-		add(candidate.EndpointID, candidate.Address, candidate.Transport)
+		add(candidate.EndpointID, candidate.Address, candidate.Transport, candidatePeerCertSHA256(candidate))
 	}
-	add(intent.BestCandidateID, intent.Endpoint, intent.Transport)
+	add(intent.BestCandidateID, intent.Endpoint, intent.Transport, cacheEntry.BestPeerCertSHA256)
 	return out
 }

+func peerConnectionTargetIsQUIC(transport string, endpoint string) bool {
+	return isQUICOnlyCandidateTransport(transport) || strings.HasPrefix(strings.ToLower(strings.TrimSpace(endpoint)), "quic://")
+}
+
 func candidateUsableForDirectProbe(candidate PeerEndpointCandidate) bool {
 	endpoint := strings.TrimSpace(candidate.Address)
 	if endpoint == "" || strings.HasPrefix(endpoint, "relay://") || strings.HasPrefix(endpoint, "outbound://") {
 		return false
 	}
+	if endpointHasUnspecifiedHost(endpoint) {
+		return false
+	}
 	connectivity := strings.ToLower(strings.TrimSpace(candidate.ConnectivityMode))
 	reachability := strings.ToLower(strings.TrimSpace(candidate.Reachability))
 	transport := strings.ToLower(strings.TrimSpace(candidate.Transport))
 	if connectivity == "outbound_only" || connectivity == "relay_required" || reachability == "outbound_only" || reachability == "relay" {
 		return false
 	}
-	return transport == "" || strings.Contains(transport, "direct") || transport == "wss" || strings.HasPrefix(endpoint, "http://") || strings.HasPrefix(endpoint, "https://")
+	return transport == "" ||
+		strings.Contains(transport, "direct_quic") ||
+		transport == "quic" ||
+		transport == "lan_quic" ||
+		transport == "ice_quic" ||
+		strings.HasPrefix(endpoint, "quic://")
 }

 func (m *PeerConnectionManager) connectionState(nodeID string) PeerConnectionState {