[management] remove regex check from validateDomain()

[zvpunry]

The regex blocked labels that are allowed by rfc1035 like "x", "x1", "x--x" and possibly some more.

The regex check was also redundant because it is directly followed by dns.IsDomainName(domain)

Describe your changes

I only removed the regex check from validateDomain().

This change still requires an update to management/server/nameserver_test.go because it tests for the too strict domain validation.

Issue ticket number and link

#3996

Stack

Checklist

• Is it a bug fix
• Is a typo/documentation fix
• Is a feature enhancement
• It is a refactor
• Created tests that fail without the change (if possible)
• Extended the README / documentation, if necessary

By submitting this pull request, you confirm that you have read and agree to the terms of the Contributor License Agreement.

Summary by CodeRabbit

• Bug Fixes

  • Standardized domain validation handling, improving consistency for domain inputs (supports up to 255 characters).

• Tests

  • Updated validation tests to remove outdated invalid-case checks and add a test for domains exceeding 255 characters.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[CLAassistant]

All committers have signed the CLA.

[zvpunry]

The offending tests are for the following dns records, which are expected to fail:

"*.example"
"."
"test--example.com"
"-example.com"
"example.com-"
"example?,.com"
"space .example.com"
"example.com "

But according to https://www.rfc-editor.org/rfc/rfc2181#section-11 these are valid DNS names and shouldn't result in an error.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[coderabbitai]

📝 Walkthrough

Walkthrough

Domain validation in the nameserver module was simplified: regex-based checks and matcher were removed and validateDomain() now returns invalid only when dns.IsDomainName(domain) is false. Tests were trimmed and a domain-length overflow test was added.

Changes

Cohort / File(s)	Summary
Domain validation management/server/nameserver.go, management/server/nameserver_test.go	Removed domainPattern, domainMatcher, and the regexp import; validateDomain() now relies solely on dns.IsDomainName(). Tests removed several edge-case invalid-domain cases (wildcards, leading-dot, dot-only, double hyphen, label-boundary hyphens, unicode, surrounding/trailing spaces) and added a >255-character domain test.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 I nibbled at patterns in the night,
Tossed the regex, let DNS hold tight.
Tests pared down, one giant domain to see,
A cleaner burrow — simple and free. 🥕

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Description check	❓ Inconclusive	The description provides context for the change, explains the rationale, and notes the required test updates. However, the required template sections are incomplete or missing.	Complete missing template sections: expand 'Describe your changes' to fully document the changes, and fill in the 'Documentation' section with a selection and justification.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and specifically describes the main change: removing a regex check from the validateDomain() function in the management package.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3f4f825 and aa14700.

📒 Files selected for processing (2)

• management/server/nameserver.go (0 hunks)
• management/server/nameserver_test.go (1 hunks)

💤 Files with no reviewable changes (1)

• management/server/nameserver.go

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

management/cmd/management.go (1)

186-194: Potential race: mgmtPort may not be finalized when applyEmbeddedIdPConfig is called.

loadMgmtConfig is called from PreRunE, and mgmtPort is conditionally updated later in the same PreRunE (lines 72-79) based on TLS configuration. However, applyEmbeddedIdPConfig is called at line 146 within loadMgmtConfig, which happens before the port adjustment logic.

This means LocalAddress will be set using the initial mgmtPort value (from flags or default), not the adjusted value (80 or 443 based on TLS).

Suggested fix

Consider moving the LocalAddress assignment to after the port is finalized, or document that users must explicitly set --port when using embedded IdP with TLS:

-	// Set LocalAddress for embedded IdP if enabled, used for internal JWT validation
-	cfg.EmbeddedIdP.LocalAddress = fmt.Sprintf("localhost:%d", mgmtPort)
+	// Note: LocalAddress uses the port from --port flag or default.
+	// When TLS is enabled and port is auto-adjusted later, this may differ.
+	// For internal JWT validation, localhost access works regardless.
+	cfg.EmbeddedIdP.LocalAddress = fmt.Sprintf("localhost:%d", mgmtPort)

Alternatively, set LocalAddress in PreRunE after port finalization.

🤖 Fix all issues with AI agents

In `@management/server/idp/embedded.go`:
- Line 23: The embedded IDP's defaultScopes constant currently omits
"offline_access", preventing refresh tokens; update the defaultScopes (in
management/server/idp/embedded.go) to include "offline_access" (e.g., "openid
profile email offline_access") so the embedded Dex provider can issue refresh
tokens, and also reconcile or document the scopes mismatch for "groups" vs
AUTH_SUPPORTED_SCOPES (either add "groups" to defaultScopes or add a comment/doc
explaining why embedded IDP doesn't expose it). Ensure changes reference the
defaultScopes symbol and update any related docs or comments to reflect the
refresh-token requirement.

🧹 Nitpick comments (1)

management/cmd/management.go (1)

214-221: Consider using constants for hardcoded client IDs and claims.

The values "netbird-dashboard", "netbird-cli", and "sub" are defined as constants in management/server/idp/embedded.go (staticClientDashboard, staticClientCLI, defaultUserIDClaim). Using these constants here would improve maintainability and ensure consistency.

Suggested refactor

Import the constants from the idp package and use them:

+import "github.com/netbirdio/netbird/management/server/idp"
+
 // Set HttpConfig values from EmbeddedIdP
 cfg.HttpConfig.AuthIssuer = issuer
-cfg.HttpConfig.AuthAudience = "netbird-dashboard"
-cfg.HttpConfig.CLIAuthAudience = "netbird-cli"
-cfg.HttpConfig.AuthUserIDClaim = "sub"
+cfg.HttpConfig.AuthAudience = idp.StaticClientDashboard  // Would need to export
+cfg.HttpConfig.CLIAuthAudience = idp.StaticClientCLI     // Would need to export
+cfg.HttpConfig.AuthUserIDClaim = idp.DefaultUserIDClaim  // Would need to export

Note: This would require exporting those constants from the idp package.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b9b5d96 and fa6492b.

📒 Files selected for processing (6)

• idp/dex/provider.go
• infrastructure_files/getting-started.sh
• management/cmd/management.go
• management/server/idp/embedded.go
• management/server/nameserver.go
• management/server/nameserver_test.go

💤 Files with no reviewable changes (1)

• management/server/nameserver.go

🚧 Files skipped from review as they are similar to previous changes (1)

• management/server/nameserver_test.go

🧰 Additional context used

🧬 Code graph analysis (1)

management/cmd/management.go (2)

idp/dex/provider.go (1)

• Config (30-38)

management/internals/server/config/config.go (2)

• Config (37-64)
• HttpServerConfig (97-120)

🔇 Additional comments (3)

infrastructure_files/getting-started.sh (1)

273-273: LGTM - Groups scope added to dashboard environment.

The addition of groups scope aligns with the OIDC connector changes in idp/dex/provider.go where insecureEnableGroups: true is now set. This enables group claim propagation from identity providers to NetBird.

Note: There's a slight inconsistency with management/server/idp/embedded.go where defaultScopes is "openid profile email" (without groups). The dashboard advertises support for groups, but the embedded IdP defaults don't include it. This should work since the dashboard is the client requesting scopes, but consider aligning the constants for clarity.

idp/dex/provider.go (1)

793-813: LGTM - Groups support enabled for OIDC connectors.

The changes correctly enable group claims:

• insecureEnableGroups: true allows Dex to pass through group claims from upstream IdPs
• Okta and PocketID get explicit groups scope since these providers require it to return group information

The "insecure" prefix in insecureEnableGroups is Dex's naming convention (not a security concern) - it simply means groups are enabled without requiring explicit per-connector configuration in Dex's main config.

management/cmd/management.go (1)

229-236: LGTM - Correctly skips external OIDC fetch when embedded IdP is enabled.

The dual guard pattern is appropriate:

1. Early return for empty endpoint (no config to fetch)
2. Skip fetch when embedded IdP is enabled (config is provided locally)

This avoids unnecessary network calls and potential startup delays when using the embedded IdP.

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[zvpunry]

fixed by #5211