[management] Exclude proxy from peer approval #5588

Merged: pascal-fischer merged 3 commits into main from fix/proxy-peer-approval on Mar 13, 2026
pascal-fischer (Collaborator) commented Mar 12, 2026

Describe your changes

Issue ticket number and link

#5571

Stack

Checklist

  • Is it a bug fix
  • Is a typo/documentation fix
  • Is a feature enhancement
  • It is a refactor
  • Created tests that fail without the change (if possible)

By submitting this pull request, you confirm that you have read and agree to the terms of the Contributor License Agreement.

Documentation

Select exactly one:

  • I added/updated documentation for this change
  • Documentation is not needed for this change (explain why)

Docs PR URL (required if "docs added" is checked)

Paste the PR link from https://github.com/netbirdio/docs here:

https://github.com/netbirdio/docs/pull/__

Summary by CodeRabbit

  • Bug Fixes
    • Improved proxy peer creation and approval handling to ensure proper operational configuration.

coderabbitai Bot (Contributor) commented Mar 12, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
📥 Commits

Reviewing files that changed from the base of the PR and between 274d976 and 23849e4.

📒 Files selected for processing (1)
  • management/internals/modules/peers/manager.go

📝 Walkthrough

A boolean parameter in the CreateProxyPeer function's AddPeer call is changed from false to true, modifying the peer approval or creation behavior. Error handling and wrapping remain unchanged.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Proxy Peer Creation: management/internals/modules/peers/manager.go | Changed the final boolean argument to AddPeer from false to true in CreateProxyPeer, altering the approval/creation pathway for proxy peers. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Suggested reviewers

  • crn4
  • bcmmbaga

Poem

🐰 A boolean flips from false so true,
The proxy peer now knows what to do,
From denial to approval, the path is bright,
One tiny change sets the creation right! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ❓ Inconclusive | The PR description follows the template structure with issue reference, checklist selections, and documentation status, though the 'Describe your changes' section is empty. | Complete the 'Describe your changes' section with technical details explaining why the parameter was changed and its impact on proxy peer approval. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly relates to the main change: excluding proxy from peer approval by modifying the AddPeer parameter from false to true in CreateProxyPeer. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@management/internals/shared/grpc/proxy_auth.go`:
- Around line 74-82: Restore the original proxy token validation in both
interceptors by calling interceptor.validateProxyToken(ctx) and handling its
error: if validateProxyToken returns an error, log the failure with
log.WithContext(ctx).Warnf("proxy auth failed: %v", err) and return the error
(preventing request handling); only when validateProxyToken succeeds set ctx =
context.WithValue(ctx, ProxyTokenContextKey, token) using the returned
*types.ProxyAccessToken. Ensure you apply this fix in both places where an empty
ProxyAccessToken was injected so failure limiting and last-used auditing
continue to work.

In `@management/server/peer.go`:
- Line 749: The call to integratedPeerValidator.PreparePeer conflates the
temporary flag with embedded-proxy semantics by passing temporary ||
newPeer.ProxyMeta.Embedded; change this to pass the embedded proxy value
explicitly so the validator can distinguish the concepts—i.e., update the
PreparePeer invocation to pass newPeer.ProxyMeta.Embedded (not ORed with
temporary) and, if needed, add a separate parameter to PreparePeer (and its
implementations) to accept an embeddedProxy bool while leaving the existing
temporary parameter semantics unchanged; ensure references using PreparePeer
(and any validator implementations) are updated accordingly.

ℹ️ Review info
📥 Commits

Reviewing files that changed from the base of the PR and between e50e124 and 274d976.

📒 Files selected for processing (2)
  • management/internals/shared/grpc/proxy_auth.go
  • management/server/peer.go

Comment thread management/internals/shared/grpc/proxy_auth.go Outdated
Comment thread management/server/peer.go Outdated
}

newPeer = am.integratedPeerValidator.PreparePeer(ctx, accountID, newPeer, peerAddConfig.GroupsToAdd, settings.Extra, temporary)
newPeer = am.integratedPeerValidator.PreparePeer(ctx, accountID, newPeer, peerAddConfig.GroupsToAdd, settings.Extra, temporary || newPeer.ProxyMeta.Embedded)
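Review bot: The last argument of the new PreparePeer call trusts `newPeer.ProxyMeta.Embedded` to decide whether the peer is prepared like a temporary one, so confirm that this field can only be set by the server-side proxy creation path and never from data a registering peer supplies. Passing the embedded-proxy state as its own argument instead of `temporary || newPeer.ProxyMeta.Embedded` would keep the meaning of `temporary` intact for validator implementations, and a one-line comment at the call site stating why embedded proxies are excluded from approval would document the intent.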
Contributor


⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== PreparePeer implementations =="
rg -n -C4 'func .*PreparePeer\(.*temporary bool' .

echo
echo "== Temporary flag usage in management server =="
rg -n -C4 '\btemporary\b' management/server -g '!**/*_test.go'

echo
echo "== PreparePeer call sites =="
rg -n -C2 'PreparePeer\(' .

Repository: netbirdio/netbird

Length of output: 20452


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== IntegratedValidator implementations (non-mock) =="
rg -n 'type.*struct' management/server/integrations/integrated_validator/ --type go
rg -n 'func.*PreparePeer' management/server/integrations/ -g '!**/*_test.go' -A 8

echo
echo "== Check if there are integrations directory implementations =="
find management/server/integrations -name '*validator*.go' -type f | grep -v _test.go

echo
echo "== Search for PreparePeer implementations more broadly =="
rg -n 'func.*PreparePeer' . -g '!**/*_test.go' -g '!**/mock*'

Repository: netbirdio/netbird

Length of output: 349


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Look for IntegratedValidator struct implementations =="
find management/server/integrations -name '*.go' -type f | grep -v _test.go | xargs cat | grep -A 20 "type.*struct" | head -60

echo
echo "== Search for files that might contain IntegratedValidator implementations =="
ls -la management/server/integrations/

echo
echo "== Check what's in integrated_validator directory =="
ls -la management/server/integrations/integrated_validator/

echo
echo "== Look for any non-mock PreparePeer implementation =="
rg 'func \(.*\) PreparePeer' management/ -g '!**/*_test.go' -g '!**/*mock*'

Repository: netbirdio/netbird

Length of output: 3197


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Check git history for IntegratedValidator to see if implementations existed before =="
git log --all --oneline -- management/server/integrations/integrated_validator/ | head -10

echo
echo "== Search for TODO or FIXME comments related to implementations =="
rg 'TODO|FIXME' management/server/integrations/integrated_validator/

echo
echo "== Check if temporary flag is documented or has comments =="
rg -B 2 -A 2 'temporary' management/server/integrations/integrated_validator/interface.go

Repository: netbirdio/netbird

Length of output: 839


Clarify semantics: temporary flag now conflates two unrelated concepts.

Line 749 passes temporary || newPeer.ProxyMeta.Embedded to PreparePeer, blending temporary user-added peer semantics with embedded proxy semantics into a single boolean. Currently no validator implementations exist, but the temporary flag already carries multiple meanings elsewhere (Ephemeral state, user permission validation, expiration control). Embedding proxy logic into this overloaded flag reduces clarity and makes future validator implementations more error-prone. Consider passing newPeer.ProxyMeta.Embedded directly to the validator so it can make explicit decisions about proxy handling separate from temporary peer logic.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@management/server/peer.go` at line 749, The call to
integratedPeerValidator.PreparePeer conflates the temporary flag with
embedded-proxy semantics by passing temporary || newPeer.ProxyMeta.Embedded;
change this to pass the embedded proxy value explicitly so the validator can
distinguish the concepts—i.e., update the PreparePeer invocation to pass
newPeer.ProxyMeta.Embedded (not ORed with temporary) and, if needed, add a
separate parameter to PreparePeer (and its implementations) to accept an
embeddedProxy bool while leaving the existing temporary parameter semantics
unchanged; ensure references using PreparePeer (and any validator
implementations) are updated accordingly.
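
The concern raised in the comment above, as an added example that is not part of the PR or of NetBird's code: a validator that receives one OR-ed boolean applies every meaning of "temporary" to an embedded proxy, while explicit options let it skip approval without the other side effects. All types and functions here (`Peer`, `PrepareOpts`, `prepareOverloaded`, `prepareExplicit`) are hypothetical, and the assumption that a temporary peer skips approval and is marked ephemeral is made only for illustration.

```go
package main

import "fmt"

// Hypothetical stand-ins; not NetBird's real types or signatures.
type Peer struct {
	Name             string
	EmbeddedProxy    bool
	RequiresApproval bool
	Ephemeral        bool
}

// One overloaded flag: the validator cannot tell why it was set,
// so every assumed meaning of "temporary" is applied together.
func prepareOverloaded(p Peer, temporary bool) Peer {
	p.RequiresApproval = !temporary
	p.Ephemeral = temporary // assumed: temporary peers are cleaned up later
	return p
}

// Explicit options: each decision reads the flag that motivates it.
type PrepareOpts struct {
	Temporary     bool
	EmbeddedProxy bool
}

func prepareExplicit(p Peer, o PrepareOpts) Peer {
	p.RequiresApproval = !o.Temporary && !o.EmbeddedProxy
	p.Ephemeral = o.Temporary
	return p
}

func main() {
	temporary := false
	proxy := Peer{Name: "proxy-1", EmbeddedProxy: true} // constructed sample peer

	a := prepareOverloaded(proxy, temporary || proxy.EmbeddedProxy)
	b := prepareExplicit(proxy, PrepareOpts{Temporary: temporary, EmbeddedProxy: proxy.EmbeddedProxy})

	fmt.Printf("overloaded: approval=%v ephemeral=%v\n", a.RequiresApproval, a.Ephemeral)
	fmt.Printf("explicit:   approval=%v ephemeral=%v\n", b.RequiresApproval, b.Ephemeral)
}
```
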

@pascal-fischer pascal-fischer merged commit d86875a into main Mar 13, 2026
45 of 47 checks passed
@pascal-fischer pascal-fischer deleted the fix/proxy-peer-approval branch March 13, 2026 14:02