feat(gateway): allow out-of-order allow_access requests (#6403)

Currently, the gateway requires a strict ordering of first receiving a `request_connection` message, following by multiple `allow_access` messages. Additionally, access can be granted as part of the initial `request_connection` message too. This isn't an ideal design. Setting up a new connection is infallible, all we need to do is send our ICE credentials back to the client. However, untangling that will require a bit more effort. Starting with #6335, following this strict order on the client is a more difficult. Whilst we can send them in order, it is harder to maintain those ordering guarantees across all our systems. To avoid this, we change the gateway to perform an upsert for its local ACLs for a client. In case that an `allow_access` call would somehow get to the gateway earlier, we can simply already create the `Peer` and only set up the actual connection later. --------- Signed-off-by: Jamil <jamilbk@users.noreply.github.com> Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
2026-01-27 10:18:54 +00:00 · 2024-08-28 14:10:06 +01:00
parent ea33b7868f
commit 35017537c7
9 changed files with 91 additions and 72 deletions
--- a/scripts/tests/direct-dns-two-resources.sh
+++ b/scripts/tests/direct-dns-two-resources.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+# The integration tests call this to test Linux DNS control, using the `/etc/resolv.conf`
+# method which only works well inside Alpine Docker containers.
+
+source "./scripts/tests/lib.sh"
+
+RESOURCE1=dns.httpbin
+RESOURCE2=download.httpbin
+
+echo "# Try to ping httpbin as DNS resource 1"
+client_ping_resource "$RESOURCE1"
+
+echo "# Try to ping httpbin as DNS resource 2"
+client_ping_resource "$RESOURCE2"