refactor(connlib): only store ResourceId in Peer (#4156)

In order to track the allowed resources, we only need to track the ID, not the entire resource. This avoids duplicating information about resources.
2026-01-27 10:18:54 +00:00 · 2024-03-19 07:01:13 +10:00
parent a9dfe009b7
commit 083fbd2844
2 changed files with 10 additions and 21 deletions
--- a/rust/connlib/tunnel/src/gateway.rs
+++ b/rust/connlib/tunnel/src/gateway.rs
@@ -83,7 +83,7 @@ where
        expires_at: Option<DateTime<Utc>>,
        resource: ResourceDescription,
    ) -> Result<ConnectionAccepted> {
-        let resource_addresses = match &resource {
+        let (resource_addresses, id) = match &resource {
            ResourceDescription::Dns(r) => {
                let Some(domain) = domain.clone() else {
                    return Err(Error::ControlProtocolError);
@@ -93,9 +93,9 @@ where
                    return Err(Error::InvalidResource);
                }

-                r.addresses.clone()
+                (r.addresses.clone(), r.id)
            }
-            ResourceDescription::Cidr(ref cidr) => vec![cidr.address],
+            ResourceDescription::Cidr(ref cidr) => (vec![cidr.address], cidr.id),
        };

        let answer = self.role_state.node.accept_connection(
@@ -113,13 +113,7 @@ where
            Instant::now(),
        );

-        self.new_peer(
-            ips,
-            client_id,
-            resource,
-            expires_at,
-            resource_addresses.clone(),
-        )?;
+        self.new_peer(ips, client_id, id, expires_at, resource_addresses.clone())?;

        Ok(ConnectionAccepted {
            ice_parameters: Answer {
@@ -167,7 +161,7 @@ where

        for address in &addresses {
            peer.transform
-                .add_resource(*address, resource.clone(), expires_at);
+                .add_resource(*address, resource_id, expires_at);
        }

        tracing::info!(%client, resource = %resource_id, expires = ?expires_at.map(|e| e.to_rfc3339()), "Allowing access to resource");
@@ -203,15 +197,14 @@ where
        &mut self,
        ips: Vec<IpNetwork>,
        client_id: ClientId,
-        resource: ResourceDescription,
+        resource: ResourceId,
        expires_at: Option<DateTime<Utc>>,
        resource_addresses: Vec<IpNetwork>,
    ) -> Result<()> {
        let mut peer = Peer::new(client_id, PacketTransformGateway::default(), &ips, ());

        for address in resource_addresses {
-            peer.transform
-                .add_resource(address, resource.clone(), expires_at);
+            peer.transform.add_resource(address, resource, expires_at);
        }

        self.role_state.peers.insert(peer, &ips);
--- a/rust/connlib/tunnel/src/peer.rs
+++ b/rust/connlib/tunnel/src/peer.rs
@@ -11,10 +11,9 @@ use ip_network::IpNetwork;
 use ip_network_table::IpNetworkTable;
 use pnet_packet::Packet;

-use crate::gateway::ResourceDescription;
 use crate::ip_packet::MutableIpPacket;

-type ExpiryingResource = (ResourceDescription, Option<DateTime<Utc>>);
+type ExpiryingResource = (ResourceId, Option<DateTime<Utc>>);

 // The max time a dns request can be configured to live in resolvconf
 // is 30 seconds. See resolvconf(5) timeout.
@@ -149,16 +148,13 @@ impl PacketTransformGateway {
    }

    pub(crate) fn remove_resource(&mut self, resource: &ResourceId) {
-        self.resources.retain(|_, (r, _)| match r {
-            connlib_shared::messages::ResourceDescription::Dns(r) => r.id != *resource,
-            connlib_shared::messages::ResourceDescription::Cidr(r) => r.id != *resource,
-        })
+        self.resources.retain(|_, (r, _)| r != resource)
    }

    pub(crate) fn add_resource(
        &mut self,
        ip: IpNetwork,
-        resource: ResourceDescription,
+        resource: ResourceId,
        expires_at: Option<DateTime<Utc>>,
    ) {
        self.resources.insert(ip, (resource, expires_at));