gateway(fix): accept nil expiration times (#3288)

Fixes #3240
2026-01-27 18:18:55 +00:00 · 2024-01-17 18:13:11 -03:00
parent 09526f497a
commit 7233ccdc0a
4 changed files with 14 additions and 12 deletions
--- a/rust/connlib/tunnel/src/control_protocol/gateway.rs
+++ b/rust/connlib/tunnel/src/control_protocol/gateway.rs
@@ -63,7 +63,7 @@ where
        peer: PeerConfig,
        relays: Vec<Relay>,
        client_id: ClientId,
-        expires_at: DateTime<Utc>,
+        expires_at: Option<DateTime<Utc>>,
        resource: ResourceDescription,
    ) -> Result<ConnectionAccepted> {
        let IceConnection {
@@ -166,7 +166,7 @@ where
        &self,
        resource: ResourceDescription,
        client_id: ClientId,
-        expires_at: DateTime<Utc>,
+        expires_at: Option<DateTime<Utc>>,
        domain: Option<Dname>,
    ) -> Option<ResourceAccepted> {
        if let Some((_, peer)) = self
@@ -220,7 +220,7 @@ where
        peer_config: PeerConfig,
        client_id: ClientId,
        resource: ResourceDescription,
-        expires_at: DateTime<Utc>,
+        expires_at: Option<DateTime<Utc>>,
        ice: Arc<RTCIceTransport>,
        resource_addresses: Vec<IpNetwork>,
    ) -> Result<()> {
--- a/rust/connlib/tunnel/src/peer.rs
+++ b/rust/connlib/tunnel/src/peer.rs
@@ -23,7 +23,7 @@ use crate::client::IpProvider;
 use crate::MAX_UDP_SIZE;
 use crate::{device_channel, ip_packet::MutableIpPacket, PeerConfig};

-type ExpiryingResource = (ResourceDescription, DateTime<Utc>);
+type ExpiryingResource = (ResourceDescription, Option<DateTime<Utc>>);

 // The max time a dns request can be configured to live in resolvconf
 // is 30 seconds. See resolvconf(5) timeout.
@@ -240,14 +240,16 @@ impl PacketTransformGateway {
    }

    pub(crate) fn expire_resources(&self) {
-        self.resources.write().retain(|_, (_, e)| *e > Utc::now());
+        self.resources
+            .write()
+            .retain(|_, (_, e)| !e.is_some_and(|e| e <= Utc::now()));
    }

    pub(crate) fn add_resource(
        &self,
        ip: IpNetwork,
        resource: ResourceDescription,
-        expires_at: DateTime<Utc>,
+        expires_at: Option<DateTime<Utc>>,
    ) {
        self.resources.write().insert(ip, (resource, expires_at));
    }
--- a/rust/gateway/src/eventloop.rs
+++ b/rust/gateway/src/eventloop.rs
@@ -167,7 +167,7 @@ impl Eventloop {
                    payload,
                    reference,
                }))) => {
-                    tracing::debug!(client = %client_id, resource = %resource.id(), expires = %expires_at.to_rfc3339() ,"Allowing access to resource");
+                    tracing::debug!(client = %client_id, resource = %resource.id(), expires = ?expires_at.map(|e| e.to_rfc3339()), "Allowing access to resource");

                    if let Some(res) = self
                        .tunnel
--- a/rust/gateway/src/messages.rs
+++ b/rust/gateway/src/messages.rs
@@ -1,4 +1,4 @@
-use chrono::{serde::ts_seconds, DateTime, Utc};
+use chrono::{serde::ts_seconds_option, DateTime, Utc};
 use connlib_shared::{
    messages::{
        ActorId, ClientId, ClientPayload, GatewayResponse, Interface, Peer, Relay,
@@ -48,8 +48,8 @@ pub struct RequestConnection {
    pub client: Client,
    #[serde(rename = "ref")]
    pub reference: String,
-    #[serde(with = "ts_seconds")]
-    pub expires_at: DateTime<Utc>,
+    #[serde(with = "ts_seconds_option")]
+    pub expires_at: Option<DateTime<Utc>>,
 }

 #[derive(Debug, Deserialize, Serialize, Clone, PartialEq, Eq)]
@@ -80,8 +80,8 @@ pub struct RemoveResource {
 pub struct AllowAccess {
    pub client_id: ClientId,
    pub resource: ResourceDescription,
-    #[serde(with = "ts_seconds")]
-    pub expires_at: DateTime<Utc>,
+    #[serde(with = "ts_seconds_option")]
+    pub expires_at: Option<DateTime<Utc>>,
    pub payload: Option<Dname>,
    #[serde(rename = "ref")]
    pub reference: String,