[management] temporary peer access for resources

[pascal-fischer]

Describe your changes

Issue ticket number and link

Stack

Checklist

• Is it a bug fix
• Is a typo/documentation fix
• Is a feature enhancement
• It is a refactor
• Created tests that fail without the change (if possible)

By submitting this pull request, you confirm that you have read and agree to the terms of the Contributor License Agreement.

Documentation

Select exactly one:

• I added/updated documentation for this change
• [] Documentation is not needed for this change (explain why)

Docs PR URL (required if "docs added" is checked)

Paste the PR link from https://github.com/netbirdio/docs here:

https://github.com/netbirdio/docs/pull/__

Summary by CodeRabbit

• New Features
  • Temporary access peers: create temporary access peers for networks, peers, and specific resources with resource-scoped permissions that auto-expire when disconnected.
• Documentation
  • API updated with new POST endpoints and request/response schemas to create temporary access peers for peers and network resources.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Adds a temporary-access endpoint for network resources, injects an accountManager into the resource handler, implements CreateTemporaryAccess HTTP handler to create a temporary peer and associated temporary access policies, and updates OpenAPI and generated API types for the new route.

Changes

Cohort / File(s)	Change Summary
Resource handler & endpoints management/server/http/handlers/networks/resources_handler.go, management/server/http/handlers/networks/handler.go	Added accountManager field to resourceHandler; updated constructor and endpoint wiring to accept accountManager; added CreateTemporaryAccess HTTP handler and route wiring for /networks/{networkId}/resources/{resourceId}/temporary-access.
API specification shared/management/http/api/openapi.yml	Added POST /api/networks/{networkId}/resources/{resourceId}/temporary-access and POST /api/peers/{peerId}/temporary-access operations, referencing PeerTemporaryAccessRequest and PeerTemporaryAccessResponse, with security and error responses.
Generated API types shared/management/http/api/types.gen.go	Added exported alias PostApiNetworksNetworkIdResourcesResourceIdTemporaryAccessJSONRequestBody = PeerTemporaryAccessRequest.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant HTTP as CreateTemporaryAccess Handler
    participant Auth as Auth Validator
    participant ResMgr as Resource Manager
    participant AcctMgr as Account Manager
    participant PeerMgr as Peer Creator
    participant PolicyMgr as Policy Manager

    Client->>HTTP: POST /networks/{networkId}/resources/{resourceId}/temporary-access
    HTTP->>Auth: validate authentication/authorization
    Auth-->>HTTP: auth result
    HTTP->>ResMgr: validate networkId and resourceId, fetch resource
    ResMgr-->>HTTP: resource found
    HTTP->>HTTP: decode PeerTemporaryAccessRequest
    HTTP->>PeerMgr: create temporary peer object
    PeerMgr-->>HTTP: peer created
    HTTP->>AcctMgr: attach peer to account
    AcctMgr-->>HTTP: attachment confirmed
    HTTP->>PolicyMgr: create & persist temporary access policies per rule
    PolicyMgr-->>HTTP: policies saved
    HTTP->>Client: 200 PeerTemporaryAccessResponse

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

• Review CreateTemporaryAccess handler flow (auth, validation, peer creation, account attachment, per-rule policy creation)
• Verify correct dependency injection of accountManager through endpoint wiring
• Confirm error handling maps to appropriate HTTP statuses and OpenAPI docs
• Inspect data persistence and cleanup semantics for temporary policies/peers

Poem

🐰 I tunneled through code to grant a small key,
A temporary hop for a resource to be,
I bind the new peer to an account with care,
Policies bloom, then vanish into air —
Hooray for short-lived access, quick and free! ✨

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description is largely incomplete. The 'Describe your changes' and 'Issue ticket number and link' sections are empty, and documentation requirements are not properly addressed.	Complete the 'Describe your changes' section with a summary of the feature implementation, provide the related issue ticket number and link, and select whether documentation is needed with an explanation.
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main feature being added: temporary peer access for resources, matching the implementation of CreateTemporaryAccess handlers and new API endpoints.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feature/temporary-access-for-resource

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f4c4d37 and 29c5184.

📒 Files selected for processing (2)

• management/server/http/handlers/networks/handler.go (1 hunks)
• shared/management/http/api/openapi.yml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• shared/management/http/api/openapi.yml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (23)

• GitHub Check: Management / Integration (amd64, postgres)
• GitHub Check: Management / Unit (amd64, sqlite)
• GitHub Check: Management / Unit (amd64, mysql)
• GitHub Check: Management / Unit (amd64, postgres)
• GitHub Check: Management / Benchmark (API) (amd64, sqlite)
• GitHub Check: Management / Benchmark (API) (amd64, postgres)
• GitHub Check: Management / Benchmark (amd64, sqlite)
• GitHub Check: Management / Benchmark (amd64, postgres)
• GitHub Check: Relay / Unit (386)
• GitHub Check: Relay / Unit (amd64, -race)
• GitHub Check: Client / Unit (amd64)
• GitHub Check: Client / Unit (386)
• GitHub Check: Client (Docker) / Unit
• GitHub Check: Client / Unit
• GitHub Check: Client / Unit
• GitHub Check: release
• GitHub Check: release_ui_darwin
• GitHub Check: Darwin
• GitHub Check: Windows
• GitHub Check: Linux
• GitHub Check: Client / Unit
• GitHub Check: JS / Lint
• GitHub Check: Android / Build

🔇 Additional comments (1)

management/server/http/handlers/networks/handler.go (1)

36-41: Account manager wiring into resource endpoints is consistent

Passing accountManager into addResourceEndpoints matches the updated AddEndpoints signature and the handler constructor, keeping dependency injection consistent across network and resource handlers. No issues spotted here.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

shared/management/http/api/openapi.yml (1)

4111-4152: Resource temporary-access path is consistent with existing temporary-access API

The new /api/networks/{networkId}/resources/{resourceId}/temporary-access POST operation looks structurally correct (params, security, request/response match the existing peer-scoped temporary-access endpoint).

One minor docs consideration: all other /api/networks/... endpoints are tagged [ Networks ], while this one is tagged [ Peers ]. If you want all network-related operations grouped together in generated docs, consider switching to [ Networks ] or adding both tags.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4b77359 and f4c4d37.

📒 Files selected for processing (3)

• management/server/http/handlers/networks/resources_handler.go (2 hunks)
• shared/management/http/api/openapi.yml (1 hunks)
• shared/management/http/api/types.gen.go (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

management/server/http/handlers/networks/resources_handler.go (5)

management/server/context/auth.go (1)

• GetUserAuthFromContext (25-30)

shared/management/http/util/util.go (3)

• WriteError (84-120)
• WriteErrorResponse (70-80)
• WriteJSONObject (27-35)

shared/management/http/api/types.gen.go (9)

• PeerTemporaryAccessRequest (1232-1241)
• Peer (1021-1105)
• Policy (1294-1312)
• PolicyRule (1345-1380)
• Resource (1528-1532)
• ResourceTypePeer (171-171)
• ResourceType (1535-1535)
• RulePortRange (1628-1634)
• PeerTemporaryAccessResponse (1244-1253)

management/server/types/policy.go (2)

• ParseRuleString (145-180)
• PolicyTrafficActionAccept (12-12)

management/server/types/resource.go (3)

• Resource (16-19)
• ResourceTypePeer (10-10)
• ResourceType (7-7)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (20)

• GitHub Check: Management / Unit (amd64, postgres)
• GitHub Check: Management / Unit (amd64, mysql)
• GitHub Check: Management / Benchmark (amd64, sqlite)
• GitHub Check: Management / Benchmark (amd64, postgres)
• GitHub Check: Management / Unit (amd64, sqlite)
• GitHub Check: Relay / Unit (amd64, -race)
• GitHub Check: Relay / Unit (386)
• GitHub Check: Client / Unit (amd64)
• GitHub Check: Client / Unit (386)
• GitHub Check: Client (Docker) / Unit
• GitHub Check: Android / Build
• GitHub Check: Linux
• GitHub Check: release
• GitHub Check: Client / Unit
• GitHub Check: release_ui_darwin
• GitHub Check: release_ui
• GitHub Check: Windows
• GitHub Check: Darwin
• GitHub Check: JS / Lint
• GitHub Check: Client / Unit

🔇 Additional comments (3)

shared/management/http/api/types.gen.go (1)

1974-1976: New request body alias matches existing API typing pattern

The alias cleanly reuses PeerTemporaryAccessRequest for the new resource temporary-access endpoint and is consistent with the other PostApi*JSONRequestBody aliases.

management/server/http/handlers/networks/resources_handler.go (2)

21-43: Injecting accountManager into resourceHandler and wiring the new route looks consistent

Adding accountManager to resourceHandler, updating addResourceEndpoints/newResourceHandler, and wiring /networks/{networkId}/resources/{resourceId}/temporary-access through the same handler instance matches the existing DI pattern used for resourceManager/groupsManager and ensures the handler has everything it needs to create peers and policies.

---

229-314: Non-atomic behavior is the main concern; type usage and naming are correct

The handler flow is functionally sound overall. However, there is one notable design consideration:

• Non-atomic behavior / potential stray objects:
  Once AddPeer succeeds, any subsequent failure in ParseRuleString or SavePolicy will leave a temporary peer (and possibly some policies) created even though the client receives an error. If feasible, consider:
  • Parsing all req.Rules up-front before calling AddPeer, so invalid rule strings never cause a partial create after the peer exists.
  • Optionally grouping all rules into a single Policy rather than one policy per rule, reducing SavePolicy calls and making it easier to reason about rollbacks.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud