phase 4: connectrpc on the gateway authenticated edge

Replace the native-gRPC server bootstrap with a single `connectrpc.com/connect` HTTP/h2c listener. Connect-Go natively serves Connect, gRPC, and gRPC-Web on the same port, so browsers can now reach the authenticated surface without giving up the gRPC framing native and desktop clients may use later. The decorator stack (envelope → session → payload-hash → signature → freshness/replay → rate-limit → routing/push) is reused unchanged behind a small Connect → gRPC adapter and a `grpc.ServerStream` shim around `*connect.ServerStream`. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-07 11:49:28 +02:00
parent 39b7b2ef29
commit 118f7c17a2
30 changed files with 1009 additions and 772 deletions
@@ -3,7 +3,6 @@ package grpcapi
 import (
 	"context"
 	"fmt"
-	"io"
 	"net"
 	"net/http"
 	"strings"
@@ -17,10 +16,9 @@ import (
 	"galaxy/gateway/internal/session"
 	gatewayv1 "galaxy/gateway/proto/galaxy/gateway/v1"

+	"connectrpc.com/connect"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
 )

 func TestExecuteCommandRateLimitsByIP(t *testing.T) {
@@ -41,20 +39,15 @@ func TestExecuteCommandRateLimitsByIP(t *testing.T) {
 	defer runGateway.stop(t)

 	addr := waitForListenAddr(t, server)
-	conn := dialGatewayClient(t, addr)
-	defer func() {
-		require.NoError(t, conn.Close())
-	}()
+	client := newEdgeClient(t, addr)

-	client := gatewayv1.NewEdgeGatewayClient(conn)
-
-	_, err := client.ExecuteCommand(context.Background(), newValidExecuteCommandRequestWithSessionAndRequestID("device-session-1", "request-1"))
+	_, err := client.ExecuteCommand(context.Background(), connect.NewRequest(newValidExecuteCommandRequestWithSessionAndRequestID("device-session-1", "request-1")))
 	require.NoError(t, err)

-	_, err = client.ExecuteCommand(context.Background(), newValidExecuteCommandRequestWithSessionAndRequestID("device-session-2", "request-2"))
+	_, err = client.ExecuteCommand(context.Background(), connect.NewRequest(newValidExecuteCommandRequestWithSessionAndRequestID("device-session-2", "request-2")))
 	require.Error(t, err)
-	assert.Equal(t, codes.ResourceExhausted, status.Code(err))
-	assert.Equal(t, "authenticated request rate limit exceeded", status.Convert(err).Message())
+	assert.Equal(t, connect.CodeResourceExhausted, connect.CodeOf(err))
+	assert.Equal(t, "authenticated request rate limit exceeded", connectErrorMessage(t, err))
 	assert.Equal(t, 1, delegate.executeCalls)
 }

@@ -76,21 +69,16 @@ func TestExecuteCommandRateLimitsBySession(t *testing.T) {
 	defer runGateway.stop(t)

 	addr := waitForListenAddr(t, server)
-	conn := dialGatewayClient(t, addr)
-	defer func() {
-		require.NoError(t, conn.Close())
-	}()
+	client := newEdgeClient(t, addr)

-	client := gatewayv1.NewEdgeGatewayClient(conn)
-
-	_, err := client.ExecuteCommand(context.Background(), newValidExecuteCommandRequestWithSessionAndRequestID("device-session-1", "request-1"))
+	_, err := client.ExecuteCommand(context.Background(), connect.NewRequest(newValidExecuteCommandRequestWithSessionAndRequestID("device-session-1", "request-1")))
 	require.NoError(t, err)

-	_, err = client.ExecuteCommand(context.Background(), newValidExecuteCommandRequestWithSessionAndRequestID("device-session-1", "request-2"))
+	_, err = client.ExecuteCommand(context.Background(), connect.NewRequest(newValidExecuteCommandRequestWithSessionAndRequestID("device-session-1", "request-2")))
 	require.Error(t, err)
-	assert.Equal(t, codes.ResourceExhausted, status.Code(err))
+	assert.Equal(t, connect.CodeResourceExhausted, connect.CodeOf(err))

-	_, err = client.ExecuteCommand(context.Background(), newValidExecuteCommandRequestWithSessionAndRequestID("device-session-2", "request-3"))
+	_, err = client.ExecuteCommand(context.Background(), connect.NewRequest(newValidExecuteCommandRequestWithSessionAndRequestID("device-session-2", "request-3")))
 	require.NoError(t, err)

 	assert.Equal(t, 2, delegate.executeCalls)
@@ -118,21 +106,16 @@ func TestExecuteCommandRateLimitsByUser(t *testing.T) {
 	defer runGateway.stop(t)

 	addr := waitForListenAddr(t, server)
-	conn := dialGatewayClient(t, addr)
-	defer func() {
-		require.NoError(t, conn.Close())
-	}()
+	client := newEdgeClient(t, addr)

-	client := gatewayv1.NewEdgeGatewayClient(conn)
-
-	_, err := client.ExecuteCommand(context.Background(), newValidExecuteCommandRequestWithSessionAndRequestID("device-session-1", "request-1"))
+	_, err := client.ExecuteCommand(context.Background(), connect.NewRequest(newValidExecuteCommandRequestWithSessionAndRequestID("device-session-1", "request-1")))
 	require.NoError(t, err)

-	_, err = client.ExecuteCommand(context.Background(), newValidExecuteCommandRequestWithSessionAndRequestID("device-session-2", "request-2"))
+	_, err = client.ExecuteCommand(context.Background(), connect.NewRequest(newValidExecuteCommandRequestWithSessionAndRequestID("device-session-2", "request-2")))
 	require.Error(t, err)
-	assert.Equal(t, codes.ResourceExhausted, status.Code(err))
+	assert.Equal(t, connect.CodeResourceExhausted, connect.CodeOf(err))

-	_, err = client.ExecuteCommand(context.Background(), newValidExecuteCommandRequestWithSessionAndRequestID("device-session-3", "request-3"))
+	_, err = client.ExecuteCommand(context.Background(), connect.NewRequest(newValidExecuteCommandRequestWithSessionAndRequestID("device-session-3", "request-3")))
 	require.NoError(t, err)

 	assert.Equal(t, 2, delegate.executeCalls)
@@ -159,21 +142,16 @@ func TestExecuteCommandRateLimitsByMessageClass(t *testing.T) {
 	defer runGateway.stop(t)

 	addr := waitForListenAddr(t, server)
-	conn := dialGatewayClient(t, addr)
-	defer func() {
-		require.NoError(t, conn.Close())
-	}()
+	client := newEdgeClient(t, addr)

-	client := gatewayv1.NewEdgeGatewayClient(conn)
-
-	_, err := client.ExecuteCommand(context.Background(), newValidExecuteCommandRequestWithMessageType("device-session-1", "request-1", "fleet.move"))
+	_, err := client.ExecuteCommand(context.Background(), connect.NewRequest(newValidExecuteCommandRequestWithMessageType("device-session-1", "request-1", "fleet.move")))
 	require.NoError(t, err)

-	_, err = client.ExecuteCommand(context.Background(), newValidExecuteCommandRequestWithMessageType("device-session-2", "request-2", "fleet.move"))
+	_, err = client.ExecuteCommand(context.Background(), connect.NewRequest(newValidExecuteCommandRequestWithMessageType("device-session-2", "request-2", "fleet.move")))
 	require.Error(t, err)
-	assert.Equal(t, codes.ResourceExhausted, status.Code(err))
+	assert.Equal(t, connect.CodeResourceExhausted, connect.CodeOf(err))

-	_, err = client.ExecuteCommand(context.Background(), newValidExecuteCommandRequestWithMessageType("device-session-2", "request-3", "fleet.rename"))
+	_, err = client.ExecuteCommand(context.Background(), connect.NewRequest(newValidExecuteCommandRequestWithMessageType("device-session-2", "request-3", "fleet.rename")))
 	require.NoError(t, err)

 	assert.Equal(t, 2, delegate.executeCalls)
@@ -193,13 +171,8 @@ func TestAuthenticatedPolicyHookReceivesVerifiedRequest(t *testing.T) {
 	defer runGateway.stop(t)

 	addr := waitForListenAddr(t, server)
-	conn := dialGatewayClient(t, addr)
-	defer func() {
-		require.NoError(t, conn.Close())
-	}()
-
-	client := gatewayv1.NewEdgeGatewayClient(conn)
-	_, err := client.ExecuteCommand(context.Background(), newValidExecuteCommandRequest())
+	client := newEdgeClient(t, addr)
+	_, err := client.ExecuteCommand(context.Background(), connect.NewRequest(newValidExecuteCommandRequest()))
 	require.NoError(t, err)

 	require.Len(t, policy.requests, 1)
@@ -228,16 +201,11 @@ func TestExecuteCommandPolicyRejectMapsToPermissionDenied(t *testing.T) {
 	defer runGateway.stop(t)

 	addr := waitForListenAddr(t, server)
-	conn := dialGatewayClient(t, addr)
-	defer func() {
-		require.NoError(t, conn.Close())
-	}()
-
-	client := gatewayv1.NewEdgeGatewayClient(conn)
-	_, err := client.ExecuteCommand(context.Background(), newValidExecuteCommandRequest())
+	client := newEdgeClient(t, addr)
+	_, err := client.ExecuteCommand(context.Background(), connect.NewRequest(newValidExecuteCommandRequest()))
 	require.Error(t, err)
-	assert.Equal(t, codes.PermissionDenied, status.Code(err))
-	assert.Equal(t, "authenticated request rejected by edge policy", status.Convert(err).Message())
+	assert.Equal(t, connect.CodePermissionDenied, connect.CodeOf(err))
+	assert.Equal(t, "authenticated request rejected by edge policy", connectErrorMessage(t, err))
 	assert.Zero(t, delegate.executeCalls)
 }

@@ -259,24 +227,19 @@ func TestSubscribeEventsRateLimitRejectsStream(t *testing.T) {
 	defer runGateway.stop(t)

 	addr := waitForListenAddr(t, server)
-	conn := dialGatewayClient(t, addr)
-	defer func() {
-		require.NoError(t, conn.Close())
-	}()
+	client := newEdgeClient(t, addr)

-	client := gatewayv1.NewEdgeGatewayClient(conn)
-
-	stream, err := client.SubscribeEvents(context.Background(), newValidSubscribeEventsRequestWithSessionAndRequestID("device-session-1", "request-1"))
+	stream, err := client.SubscribeEvents(context.Background(), connect.NewRequest(newValidSubscribeEventsRequestWithSessionAndRequestID("device-session-1", "request-1")))
 	require.NoError(t, err)
 	event := recvBootstrapEvent(t, stream)
 	assertServerTimeBootstrapEvent(t, event, newTestResponseSignerPublicKey(), "request-1", "trace-123", testCurrentTime.UnixMilli())
-	_, err = stream.Recv()
-	require.ErrorIs(t, err, io.EOF)
+	require.False(t, stream.Receive())
+	require.NoError(t, stream.Err())

 	err = subscribeEventsError(t, context.Background(), client, newValidSubscribeEventsRequestWithSessionAndRequestID("device-session-2", "request-2"))
 	require.Error(t, err)
-	assert.Equal(t, codes.ResourceExhausted, status.Code(err))
-	assert.Equal(t, "authenticated request rate limit exceeded", status.Convert(err).Message())
+	assert.Equal(t, connect.CodeResourceExhausted, connect.CodeOf(err))
+	assert.Equal(t, "authenticated request rate limit exceeded", connectErrorMessage(t, err))
 	assert.Equal(t, 1, delegate.subscribeCalls)
 }

@@ -342,13 +305,8 @@ func TestAuthenticatedRateLimitsStayIsolatedFromPublicREST(t *testing.T) {
 	require.NoError(t, firstPublic.Body.Close())
 	require.NoError(t, secondPublic.Body.Close())

-	conn := dialGatewayClient(t, addr)
-	defer func() {
-		require.NoError(t, conn.Close())
-	}()
-
-	client := gatewayv1.NewEdgeGatewayClient(conn)
-	_, err := client.ExecuteCommand(context.Background(), newValidExecuteCommandRequest())
+	client := newEdgeClient(t, addr)
+	_, err := client.ExecuteCommand(context.Background(), connect.NewRequest(newValidExecuteCommandRequest()))
 	require.NoError(t, err)
 }