Refactor RDP proxy handling and update related tests

agents/rap-node-agent/internal/supervisor/supervisor_test.go

@@ -5,6 +5,7 @@ import (
 	"testing"
 
 	"github.com/example/remote-access-platform/agents/rap-node-agent/internal/client"
+	"github.com/example/remote-access-platform/agents/rap-node-agent/internal/webingress"
 )
 
 func TestStubSupervisorReportsDegradedForEnabledWorkload(t *testing.T) {
@@ -73,6 +74,245 @@ func TestStubSupervisorReportsBuiltinFabricServicesRunning(t *testing.T) {
 	}
 }
 
+func TestStubSupervisorReportsVPNFabricOnlyContractsRunning(t *testing.T) {
+	statuses, err := (StubSupervisor{Version: "test"}).Apply(context.Background(), []client.DesiredWorkload{
+		{
+			ServiceType:  "ipv4-egress",
+			DesiredState: "enabled",
+			RuntimeMode:  "native",
+			Config: map[string]any{
+				"pool_id":       "us-los-angeles-ipv4",
+				"region":        "us-los-angeles",
+				"allowed_cidrs": []any{"0.0.0.0/0"},
+				"dns_servers":   []any{"192.168.200.210"},
+			},
+		},
+		{
+			ServiceType:  "vpn-client",
+			DesiredState: "enabled",
+			RuntimeMode:  "native",
+			Config: map[string]any{
+				"exit_pool_id":     "us-los-angeles-ipv4",
+				"listen_tcp_ports": []any{443, "8443"},
+				"listen_udp_ports": "443,51820",
+			},
+		},
+	})
+	if err != nil {
+		t.Fatalf("apply desired workload: %v", err)
+	}
+	if len(statuses) != 2 {
+		t.Fatalf("statuses length = %d", len(statuses))
+	}
+	for _, status := range statuses {
+		if status.ReportedState != "running" {
+			t.Fatalf("ReportedState = %q", status.ReportedState)
+		}
+		if status.StatusPayload["execution_mode"] != "contract_probe" {
+			t.Fatalf("execution_mode = %v", status.StatusPayload["execution_mode"])
+		}
+		if status.StatusPayload["fabric_transport"] != "quic_only" {
+			t.Fatalf("fabric_transport = %v", status.StatusPayload["fabric_transport"])
+		}
+		if status.StatusPayload["backend_relay_fallback"] != false {
+			t.Fatalf("backend_relay_fallback = %v", status.StatusPayload["backend_relay_fallback"])
+		}
+		if status.StatusPayload["legacy_protocol_compatibility"] != false {
+			t.Fatalf("legacy_protocol_compatibility = %v", status.StatusPayload["legacy_protocol_compatibility"])
+		}
+	}
+	if statuses[0].StatusPayload["role"] != "ipv4-egress" || statuses[0].StatusPayload["internet_egress"] != true {
+		t.Fatalf("ipv4 egress payload = %#v", statuses[0].StatusPayload)
+	}
+	if statuses[1].StatusPayload["role"] != "vpn-client" || statuses[1].StatusPayload["android_node_supported"] != true {
+		t.Fatalf("vpn client payload = %#v", statuses[1].StatusPayload)
+	}
+	exitBinding := statuses[0].StatusPayload["service_binding"].(map[string]any)
+	if exitBinding["type"] != "ipv4_egress" || exitBinding["accepts_from_fabric_only"] != true || exitBinding["exit_pool_id"] != "us-los-angeles-ipv4" {
+		t.Fatalf("ipv4 egress binding = %#v", exitBinding)
+	}
+	clientBinding := statuses[1].StatusPayload["service_binding"].(map[string]any)
+	if clientBinding["type"] != "local_ipv4_ingress" || clientBinding["preferred_exit_pool_id"] != "us-los-angeles-ipv4" || clientBinding["legacy_protocol_listener"] != false {
+		t.Fatalf("vpn client binding = %#v", clientBinding)
+	}
+	if got := clientBinding["listen_tcp_ports"].([]int); len(got) != 2 || got[0] != 443 || got[1] != 8443 {
+		t.Fatalf("listen_tcp_ports = %#v", got)
+	}
+	if got := clientBinding["listen_udp_ports"].([]int); len(got) != 2 || got[0] != 443 || got[1] != 51820 {
+		t.Fatalf("listen_udp_ports = %#v", got)
+	}
+}
+
+func TestStubSupervisorReportsWebIngressContractReady(t *testing.T) {
+	statuses, err := (StubSupervisor{Version: "test"}).Apply(context.Background(), []client.DesiredWorkload{
+		{
+			ServiceType:  "admin-ingress",
+			DesiredState: "enabled",
+			RuntimeMode:  "native",
+			Config: map[string]any{
+				"listen_http_port":  80,
+				"listen_https_port": 443,
+				"tls_mode":          "terminate",
+				"scope":             "platform",
+				"service_classes":   []any{"platform_admin", "cluster_admin"},
+			},
+		},
+	})
+	if err != nil {
+		t.Fatalf("apply desired workload: %v", err)
+	}
+	if statuses[0].ReportedState != "running" {
+		t.Fatalf("ReportedState = %q", statuses[0].ReportedState)
+	}
+	payload := statuses[0].StatusPayload
+	if payload["reason"] != "web_ingress_contract_ready" ||
+		payload["fabric_transport"] != "quic_only" ||
+		payload["http_between_fabric_nodes"] != false ||
+		payload["authority_service"] != false ||
+		payload["real_listener_start_allowed"] != false ||
+		payload["runtime_handler_ready"] != true ||
+		payload["runtime_handler_payload_status"] != "fabric_service_channel_binding_not_implemented" ||
+		payload["ports_opened_by_stub"] != false {
+		t.Fatalf("unexpected payload: %#v", payload)
+	}
+	roles, ok := payload["runtime_roles_required"].([]string)
+	if !ok || !containsString(roles, "global-admin-runtime") || !containsString(roles, "policy-authority") {
+		t.Fatalf("runtime roles = %#v", payload["runtime_roles_required"])
+	}
+}
+
+func TestStubSupervisorBlocksWebIngressRealListenerWithoutRuntimeGate(t *testing.T) {
+	statuses, err := (StubSupervisor{Version: "test"}).Apply(context.Background(), []client.DesiredWorkload{
+		{
+			ServiceType:  "admin-ingress",
+			DesiredState: "enabled",
+			RuntimeMode:  "native",
+			Config: map[string]any{
+				"listen_http_port":      80,
+				"listen_https_port":     443,
+				"tls_mode":              "terminate",
+				"scope":                 "platform",
+				"service_classes":       []any{"platform_admin"},
+				"real_listener_enabled": true,
+			},
+		},
+	})
+	if err != nil {
+		t.Fatalf("apply desired workload: %v", err)
+	}
+	if statuses[0].ReportedState != "degraded" {
+		t.Fatalf("ReportedState = %q", statuses[0].ReportedState)
+	}
+	payload := statuses[0].StatusPayload
+	if payload["reason"] != "web_ingress_real_listener_gate_disabled" ||
+		payload["real_listener_requested"] != true ||
+		payload["real_listener_runtime_enabled"] != false ||
+		payload["real_listener_start_allowed"] != false ||
+		payload["ports_opened_by_stub"] != false {
+		t.Fatalf("unexpected payload: %#v", payload)
+	}
+}
+
+func TestStubSupervisorAllowsWebIngressRealListenerGateButDoesNotOpenPorts(t *testing.T) {
+	statuses, err := (StubSupervisor{Version: "test", WebIngressRuntimeEnabled: true}).Apply(context.Background(), []client.DesiredWorkload{
+		{
+			ServiceType:  "admin-ingress",
+			DesiredState: "enabled",
+			RuntimeMode:  "native",
+			Config: map[string]any{
+				"listen_http_port":      80,
+				"listen_https_port":     443,
+				"tls_mode":              "terminate",
+				"scope":                 "platform",
+				"service_classes":       []any{"platform_admin"},
+				"real_listener_enabled": true,
+			},
+		},
+	})
+	if err != nil {
+		t.Fatalf("apply desired workload: %v", err)
+	}
+	if statuses[0].ReportedState != "running" {
+		t.Fatalf("ReportedState = %q", statuses[0].ReportedState)
+	}
+	payload := statuses[0].StatusPayload
+	if payload["real_listener_requested"] != true ||
+		payload["real_listener_runtime_enabled"] != true ||
+		payload["real_listener_start_allowed"] != true ||
+		payload["ports_opened_by_stub"] != false {
+		t.Fatalf("unexpected payload: %#v", payload)
+	}
+}
+
+func TestStubSupervisorStartsWebIngressManagerWhenRealListenerAllowed(t *testing.T) {
+	manager := webingress.NewManager()
+	statuses, err := (StubSupervisor{Version: "test", WebIngressRuntimeEnabled: true, WebIngressManager: manager}).Apply(context.Background(), []client.DesiredWorkload{
+		{
+			ServiceType:  "admin-ingress",
+			DesiredState: "enabled",
+			RuntimeMode:  "native",
+			Config: map[string]any{
+				"listen_http_port":      80,
+				"listen_https_port":     443,
+				"listen_http_addr":      "127.0.0.1:0",
+				"listen_https_addr":     "127.0.0.1:0",
+				"tls_mode":              "terminate",
+				"scope":                 "platform",
+				"service_classes":       []any{"platform_admin"},
+				"real_listener_enabled": true,
+			},
+		},
+	})
+	if err != nil {
+		t.Fatalf("apply desired workload: %v", err)
+	}
+	if statuses[0].ReportedState != "degraded" {
+		t.Fatalf("ReportedState = %q", statuses[0].ReportedState)
+	}
+	payload := statuses[0].StatusPayload
+	listenerStatus, ok := payload["listener_status"].(webingress.ListenerStatus)
+	if !ok {
+		t.Fatalf("listener_status = %#v", payload["listener_status"])
+	}
+	if !listenerStatus.HTTPRunning || listenerStatus.HTTPSRunning || listenerStatus.HTTPAddr == "" {
+		t.Fatalf("listener status = %+v", listenerStatus)
+	}
+	if payload["reason"] != "web_ingress_listener_partial" || payload["ports_opened_by_runtime"] != true || payload["ports_opened_by_stub"] != false {
+		t.Fatalf("payload = %#v", payload)
+	}
+	_ = manager.Stop(context.Background())
+}
+
+func TestStubSupervisorBlocksInvalidWebIngressContract(t *testing.T) {
+	statuses, err := (StubSupervisor{Version: "test"}).Apply(context.Background(), []client.DesiredWorkload{
+		{
+			ServiceType:  "public-ingress",
+			DesiredState: "enabled",
+			RuntimeMode:  "native",
+			Config: map[string]any{
+				"listen_http_port":  8080,
+				"listen_https_port": 443,
+				"scope":             "organization",
+				"service_classes":   []any{"platform_admin"},
+			},
+		},
+	})
+	if err != nil {
+		t.Fatalf("apply desired workload: %v", err)
+	}
+	if statuses[0].ReportedState != "degraded" {
+		t.Fatalf("ReportedState = %q", statuses[0].ReportedState)
+	}
+	payload := statuses[0].StatusPayload
+	if payload["reason"] != "web_ingress_contract_invalid" || payload["traffic"] != "blocked" {
+		t.Fatalf("unexpected payload: %#v", payload)
+	}
+	missing, ok := payload["missing_checks"].([]string)
+	if !ok || !containsString(missing, "listen_http_port_must_be_80") || !containsString(missing, "service_class_not_allowed:platform_admin") {
+		t.Fatalf("missing checks = %#v", payload["missing_checks"])
+	}
+}
+
 func TestStubSupervisorKeepsUnsupportedEnabledWorkloadDegraded(t *testing.T) {
 	statuses, err := (StubSupervisor{Version: "test"}).Apply(context.Background(), []client.DesiredWorkload{
 		{ServiceType: "rdp-worker", DesiredState: "enabled", RuntimeMode: "container"},