feat: add backend patch validation function with tests

Signed-off-by: nabil salah <nabil.salah203@gmail.com>

Author: Nabil-Salah

pkg/gateway/gateway.go

@@ -12,7 +12,6 @@ import (
 	"sync"
 	"time"
 
-	"github.com/hashicorp/go-multierror"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog/log"
 	"github.com/threefoldtech/zbus"
@@ -630,15 +629,8 @@ func (g *gatewayModule) setupRouting(ctx context.Context, wlID string, fqdn stri
 	g.domainLock.Lock()
 	defer g.domainLock.Unlock()
 
-	var errs error
-	for _, backend := range config.Backends {
-		if err := backend.Valid(config.TLSPassthrough); err != nil {
-			errs = multierror.Append(errs, errors.Wrapf(err, "failed to validate backend '%s'", backend))
-		}
-	}
-
-	if errs != nil {
-		return errs
+	if err := zos.ValidateBackends(config.Backends, config.TLSPassthrough); err != nil {
+		return err
 	}
 
 	if _, ok := g.getReservedDomain(fqdn); ok {

pkg/gateway_light/gateway.go

@@ -640,10 +640,8 @@ func (g *gatewayModule) setupRouting(ctx context.Context, wlID string, fqdn stri
 	g.domainLock.Lock()
 	defer g.domainLock.Unlock()
 
-	for _, backend := range config.Backends {
-		if err := backend.Valid(config.TLSPassthrough); err != nil {
-			return errors.Wrapf(err, "failed to validate backend '%s'", backend)
-		}
+	if err := zos.ValidateBackends(config.Backends, config.TLSPassthrough); err != nil {
+		return err
 	}
 
 	if _, ok := g.getReservedDomain(fqdn); ok {

pkg/gridtypes/zos/gw.go

@@ -8,6 +8,7 @@ import (
 	"net/url"
 	"strconv"
 
+	"github.com/hashicorp/go-multierror"
 	"github.com/pkg/errors"
 	"github.com/threefoldtech/zosbase/pkg/gridtypes"
 )
@@ -44,6 +45,16 @@ func (b Backend) Valid(tlsPassthrough bool) error {
 	return nil
 }
 
+func ValidateBackends(backends []Backend, tlsPassthrough bool) error {
+	var errs error
+	for _, backend := range backends {
+		if err := backend.Valid(tlsPassthrough); err != nil {
+			errs = multierror.Append(errs, errors.Wrapf(err, "failed to validate backend '%s'", backend))
+		}
+	}
+	return errs
+}
+
 func asIpPort(a string) (ip net.IP, port uint16, err error) {
 	h, p, err := net.SplitHostPort(a)
 	if err != nil {

pkg/gridtypes/zos/gw_test.go

@@ -3,6 +3,7 @@ package zos
 import (
 	"testing"
 
+	"github.com/hashicorp/go-multierror"
 	"github.com/stretchr/testify/require"
 )
 
@@ -159,3 +160,112 @@ func TestValidBackendIP6(t *testing.T) {
 		require.Error(err)
 	})
 }
+
+func TestValidateBackends(t *testing.T) {
+	require := require.New(t)
+
+	t.Run("empty backends", func(t *testing.T) {
+		backends := []Backend{
+			"",
+		}
+		err := ValidateBackends(backends, true)
+		require.Error(err)
+
+		err = ValidateBackends(backends, false)
+		require.Error(err)
+	})
+
+	t.Run("all valid backends with tlsPassthrough=true", func(t *testing.T) {
+		backends := []Backend{
+			"1.1.1.1:80",
+			"2.2.2.2:443",
+			"[2001:db8:3333:4444:CCCC:DDDD:EEEE:FFFF]:8080",
+		}
+		err := ValidateBackends(backends, true)
+		require.NoError(err)
+	})
+
+	t.Run("all valid backends with tlsPassthrough=false", func(t *testing.T) {
+		backends := []Backend{
+			"http://1.1.1.1",
+			"http://2.2.2.2:443",
+			"http://[2001:db8:3333:4444:CCCC:DDDD:EEEE:FFFF]",
+		}
+		err := ValidateBackends(backends, false)
+		require.NoError(err)
+	})
+
+	t.Run("mixed valid and invalid backends with tlsPassthrough=true", func(t *testing.T) {
+		backends := []Backend{
+			"1.1.1.1:80",
+			"http://2.2.2.2:443", // invalid (should be IP:port without http://)
+			"2.2.2.2",            // invalid (missing port)
+			"3.3.3.3:port",       // invalid (non-numeric port)
+			"127.0.0.1:8080",
+			"[::1]:8080",
+			"[2001:db8::1]:8080",
+			"2001:db8::1:8080", // invalid (wrong IPv6 format)
+		}
+		err := ValidateBackends(backends, true)
+		require.Error(err)
+		merr, ok := err.(*multierror.Error)
+		require.True(ok)
+		require.Equal(4, len(merr.Errors))
+	})
+
+	t.Run("mixed valid and invalid backends with tlsPassthrough=false", func(t *testing.T) {
+		backends := []Backend{
+			"http://1.1.1.1",
+			"1.1.1.1:80", // invalid (needs http://)
+			"http://2.2.2.2:443",
+			"https://3.3.3.3",  // invalid (wrong scheme)
+			"http://localhost", // invalid (loopback)
+			"http://127.0.0.1", // invalid (loopback)
+			"http://[::1]",     // invalid (loopback)
+			"http://[2001:db8::1]:8080",
+		}
+		err := ValidateBackends(backends, false)
+		require.Error(err)
+		// Check that we have the expected number of errors
+		merr, ok := err.(*multierror.Error)
+		require.True(ok)
+		require.Equal(5, len(merr.Errors))
+	})
+
+	t.Run("scheme mismatch using https when not permitted", func(t *testing.T) {
+		backends := []Backend{
+			"https://1.1.1.1",
+		}
+		err := ValidateBackends(backends, false)
+		require.Error(err)
+	})
+
+	t.Run("scheme mismatch using http when tlsPassthrough=true", func(t *testing.T) {
+		backends := []Backend{
+			"http://1.1.1.1:80",
+		}
+		err := ValidateBackends(backends, true)
+		require.Error(err)
+	})
+
+	t.Run("all invalid backends", func(t *testing.T) {
+		backends := []Backend{
+			"invalid",
+			"1.1.1.1:port",
+			"http://invalid",
+			"ftp://1.1.1.1",
+		}
+
+		err := ValidateBackends(backends, true)
+		require.Error(err)
+		merr, ok := err.(*multierror.Error)
+		require.True(ok)
+		require.Equal(4, len(merr.Errors))
+
+		err = ValidateBackends(backends, false)
+		require.Error(err)
+		merr, ok = err.(*multierror.Error)
+		require.True(ok)
+		require.Equal(4, len(merr.Errors))
+	})
+}