Support traffic access token on orch proxy, integration tests

Author: sitole

packages/orchestrator/internal/proxy/proxy.go

@@ -11,6 +11,7 @@ import (
 	"go.uber.org/zap"
 
 	"github.com/e2b-dev/infra/packages/orchestrator/internal/sandbox"
+	"github.com/e2b-dev/infra/packages/shared/pkg/consts"
 	"github.com/e2b-dev/infra/packages/shared/pkg/env"
 	"github.com/e2b-dev/infra/packages/shared/pkg/logger"
 	reverseproxy "github.com/e2b-dev/infra/packages/shared/pkg/proxy"
@@ -23,6 +24,8 @@ const (
 	// Also it's a good practice to set it to higher values as you progress in the stack
 	// https://cloud.google.com/load-balancing/docs/https#timeouts_and_retries%23:~:text=The%20load%20balancer%27s%20backend%20keepalive,is%20greater%20than%20600%20seconds
 	idleTimeout = 620 * time.Second
+
+	accessTokenHeader = "x-e2b-traffic-access-token"
 )
 
 type SandboxProxy struct {
@@ -48,6 +51,22 @@ func NewSandboxProxy(meterProvider metric.MeterProvider, port uint16, sandboxes
 				return nil, reverseproxy.NewErrSandboxNotFound(sandboxId)
 			}
 
+			var accessToken *string = nil
+			if net := sbx.Config.Network; net != nil && net.GetIngress() != nil {
+				accessToken = net.GetIngress().TrafficAccessToken
+			}
+
+			// Handle traffic access token validation.
+			// We are skipping envd port as it has its own access validation mechanism.
+			if accessToken != nil && int64(port) != consts.DefaultEnvdServerPort {
+				accessTokenRaw := r.Header.Get(accessTokenHeader)
+				if accessTokenRaw == "" {
+					return nil, reverseproxy.ErrMissingTrafficAccessToken
+				} else if accessTokenRaw != *accessToken {
+					return nil, reverseproxy.ErrInvalidTrafficAccessToken
+				}
+			}
+
 			url := &url.URL{
 				Scheme: "http",
 				Host:   fmt.Sprintf("%s:%d", sbx.Slot.HostIPString(), port),

packages/shared/pkg/proxy/errors.go

@@ -1,8 +1,14 @@
 package proxy
 
-import "errors"
-
-var ErrInvalidHost = errors.New("invalid url host")
+import (
+	"errors"
+)
+
+var (
+	ErrInvalidHost               = errors.New("invalid url host")
+	ErrInvalidTrafficAccessToken = errors.New("invalid traffic access token")
+	ErrMissingTrafficAccessToken = errors.New("missing traffic access token")
+)
 
 type InvalidSandboxPortError struct {
 	Port    string

packages/shared/pkg/proxy/handler.go

@@ -58,6 +58,20 @@ func handler(p *pool.ProxyPool, getDestination func(r *http.Request) (*pool.Dest
 			return
 		}
 
+		if errors.Is(err, ErrMissingTrafficAccessToken) {
+			zap.L().Warn("traffic access token header is missing", zap.String("host", r.Host))
+			http.Error(w, "Sandbox is secured with traffic access token. Access token header is missing", http.StatusForbidden)
+
+			return
+		}
+
+		if errors.Is(err, ErrInvalidTrafficAccessToken) {
+			zap.L().Warn("traffic access token is invalid", zap.String("host", r.Host))
+			http.Error(w, "Sandbox is secured with traffic access token. Provided access token is invalid.", http.StatusForbidden)
+
+			return
+		}
+
 		if err != nil {
 			zap.L().Error("failed to route request", zap.Error(err), zap.String("host", r.Host))
 			http.Error(w, fmt.Sprintf("Unexpected error when routing request: %s", err), http.StatusInternalServerError)

tests/integration/internal/tests/proxies/traffic_access_token_test.go

@@ -0,0 +1,142 @@
+package api
+
+import (
+	"encoding/json"
+	"io"
+	"net/http"
+	"net/url"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/e2b-dev/infra/packages/shared/pkg/consts"
+	"github.com/e2b-dev/infra/tests/integration/internal/api"
+	"github.com/e2b-dev/infra/tests/integration/internal/setup"
+	"github.com/e2b-dev/infra/tests/integration/internal/utils"
+)
+
+func TestSandboxWithEnabledTrafficAccessTokenButMissingHeader(t *testing.T) {
+	c := setup.GetAPIClient()
+
+	sbxNetAllowPublic := false
+	sbxNet := &api.SandboxNetworkConfig{
+		AllowPublicAccess: &sbxNetAllowPublic,
+	}
+	sbx := utils.SetupSandboxWithCleanup(t, c, utils.WithNetwork(sbxNet))
+	require.NotNil(t, sbx.TrafficAccessToken)
+
+	url, err := url.Parse(setup.EnvdProxy)
+	require.NoError(t, err)
+
+	client := &http.Client{
+		Timeout: 1000 * time.Second,
+	}
+
+	resp := waitForStatus(t, client, sbx, url, 8080, nil, http.StatusForbidden)
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	require.Equal(t, http.StatusForbidden, resp.StatusCode)
+
+	body, err := io.ReadAll(resp.Body)
+	require.NoError(t, err)
+	require.NoError(t, resp.Body.Close())
+
+	assert.Equal(t, "text/plain; charset=utf-8", resp.Header.Get("Content-Type"))
+	assert.Equal(t, "Sandbox is secured with traffic access token. Access token header is missing\n", string(body))
+}
+
+func TestSandboxWithEnabledTrafficAccessTokenButInvalidHeader(t *testing.T) {
+	c := setup.GetAPIClient()
+
+	sbxNetAllowPublic := false
+	sbxNet := &api.SandboxNetworkConfig{
+		AllowPublicAccess: &sbxNetAllowPublic,
+	}
+	sbx := utils.SetupSandboxWithCleanup(t, c, utils.WithNetwork(sbxNet))
+	require.NotNil(t, sbx.TrafficAccessToken)
+	url, err := url.Parse(setup.EnvdProxy)
+	require.NoError(t, err)
+
+	client := &http.Client{
+		Timeout: 1000 * time.Second,
+	}
+
+	headers := &http.Header{"x-e2b-traffic-access-token": []string{"abcd"}}
+	resp := waitForStatus(t, client, sbx, url, 8080, headers, http.StatusForbidden)
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	require.Equal(t, http.StatusForbidden, resp.StatusCode)
+
+	body, err := io.ReadAll(resp.Body)
+	require.NoError(t, err)
+	require.NoError(t, resp.Body.Close())
+
+	assert.Equal(t, "text/plain; charset=utf-8", resp.Header.Get("Content-Type"))
+	assert.Equal(t, "Sandbox is secured with traffic access token. Provided access token is invalid.\n", string(body))
+}
+
+func TestSandboxWithEnabledTrafficAccessToken(t *testing.T) {
+	c := setup.GetAPIClient()
+
+	sbxNetAllowPublic := false
+	sbxNet := &api.SandboxNetworkConfig{
+		AllowPublicAccess: &sbxNetAllowPublic,
+	}
+	sbx := utils.SetupSandboxWithCleanup(t, c, utils.WithNetwork(sbxNet))
+	require.NotNil(t, sbx.TrafficAccessToken)
+
+	url, err := url.Parse(setup.EnvdProxy)
+	require.NoError(t, err)
+
+	client := &http.Client{
+		Timeout: 1000 * time.Second,
+	}
+
+	port := 8080
+	headers := &http.Header{"x-e2b-traffic-access-token": []string{*sbx.TrafficAccessToken}}
+	resp := waitForStatus(t, client, sbx, url, port, headers, http.StatusBadGateway)
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	require.Equal(t, http.StatusBadGateway, resp.StatusCode)
+
+	assert.Equal(t, "application/json; charset=utf-8", resp.Header.Get("Content-Type"))
+
+	// Parse error response
+	var errorResp struct {
+		Message   string `json:"message"`
+		SandboxID string `json:"sandboxId"`
+		Port      int    `json:"port"`
+	}
+	err = json.NewDecoder(resp.Body).Decode(&errorResp)
+	require.NoError(t, err)
+	require.NoError(t, resp.Body.Close())
+	assert.Equal(t, "The sandbox is running but port is not open", errorResp.Message)
+	assert.Equal(t, sbx.SandboxID, errorResp.SandboxID)
+	assert.Equal(t, port, errorResp.Port)
+}
+
+func TestEnvdPortIsNotAffectedByTrafficAccessToken(t *testing.T) {
+	c := setup.GetAPIClient()
+
+	sbxNetAllowPublic := false
+	sbxNet := &api.SandboxNetworkConfig{
+		AllowPublicAccess: &sbxNetAllowPublic,
+	}
+	sbx := utils.SetupSandboxWithCleanup(t, c, utils.WithNetwork(sbxNet))
+	require.NotNil(t, sbx.TrafficAccessToken)
+
+	url, err := url.Parse(setup.EnvdProxy)
+	require.NoError(t, err)
+
+	client := &http.Client{
+		Timeout: 1000 * time.Second,
+	}
+
+	resp := waitForStatus(t, client, sbx, url, int(consts.DefaultEnvdServerPort), nil, http.StatusNotFound)
+	require.NoError(t, err)
+	require.NotNil(t, resp)
+	require.NoError(t, resp.Body.Close())
+	require.Equal(t, http.StatusNotFound, resp.StatusCode)
+}