Add the Private Endpoint Validation Logic Meet the Tenant Metadata (#25460)

tianzhu007 · web-flow · commit be5e151eaae9 · 2025-09-16T21:43:24.000Z
Add the Private Endpoint Validation Logic Meet the Tenant Metadata. The
privateLinkEnable is true, if there is the connection details in custom
data.
diff --git a/server/routerlicious/packages/lambdas/src/nexus/networkHelper.ts b/server/routerlicious/packages/lambdas/src/nexus/networkHelper.ts
@@ -19,23 +19,37 @@ export async function checkNetworkInformation(
 ): Promise<{ message: string; shouldConnect: boolean }> {
 	const tenantId = socket?.handshake?.query?.tenantId as string | undefined;
 	const tenantInfo = await tenantManager.getTenantfromRiddler(tenantId);
-	const privateLinkEnable = tenantInfo?.customData?.privateEndpoints?.accountLinkId
-		? true
-		: false;
+	const privateLinkEnable =
+		tenantInfo?.customData?.privateEndpoints &&
+		Array.isArray(tenantInfo.customData.privateEndpoints) &&
+		tenantInfo.customData.privateEndpoints?.length > 0 &&
+		tenantInfo.customData.privateEndpoints[0]?.privateEndpointConnectionProxy?.properties
+			?.remotePrivateEndpoint?.connectionDetails &&
+		Array.isArray(
+			tenantInfo.customData.privateEndpoints[0]?.privateEndpointConnectionProxy?.properties
+				?.remotePrivateEndpoint?.connectionDetails,
+		) &&
+		tenantInfo.customData.privateEndpoints[0]?.privateEndpointConnectionProxy?.properties
+			?.remotePrivateEndpoint?.connectionDetails[0]
+			? true
+			: false;
 	const xForwardedFor: string | undefined = socket.handshake.headers["x-forwarded-for"] as
 		| string
 		| undefined;
 	const clientIPAddress = xForwardedFor?.split(",")[0];
 	if (privateLinkEnable && !clientIPAddress) {
 		return {
-			message: "Client IP address is required for private link in x-forwarded-for",
+			message: "Client ip address is required for private link in x-forwarded-for",
 			shouldConnect: false,
 		};
 	}
 	const networkInfo = getNetworkInformationFromIP(clientIPAddress);
 	if (networkInfo.isPrivateLink) {
 		if (privateLinkEnable) {
-			const accountLinkId = tenantInfo?.customData?.privateEndpoints?.accountLinkId;
+			const connectionDetail =
+				tenantInfo.customData.privateEndpoints[0]?.privateEndpointConnectionProxy
+					?.properties?.remotePrivateEndpoint?.connectionDetails[0];
+			const accountLinkId = connectionDetail?.linkIdentifier;
 			return networkInfo.privateLinkId === accountLinkId
 				? { message: "This is a private link socket connection", shouldConnect: true }
 				: {
diff --git a/server/routerlicious/packages/routerlicious-base/src/alfred/routes/api/restHelper.ts b/server/routerlicious/packages/routerlicious-base/src/alfred/routes/api/restHelper.ts
@@ -137,7 +137,7 @@ export function getDocumentUrlsfromNetworkInfo(
 	externalHistorianUrl: string,
 	externalDeltaStreamUrl: string,
 	enablePrivateLinkNetworkCheck: boolean = false,
-	isPrivateLink?: boolean | false,
+	isPrivateLink: boolean = false,
 	privateServiceHost?: string | undefined,
 ): {
 	documentOrdererUrl: string;
diff --git a/server/routerlicious/packages/services-shared/src/http.ts b/server/routerlicious/packages/services-shared/src/http.ts
@@ -56,16 +56,27 @@ export function validatePrivateLink(
 				next();
 			}
 			const tenantInfo: ITenantConfig = await tenantManager.getTenantfromRiddler(tenantId);
-			const privateLinkEnable = tenantInfo?.customData?.privateEndpoints?.accountLinkId
-				? true
-				: false;
+			const privateLinkEnable =
+				tenantInfo?.customData?.privateEndpoints &&
+				Array.isArray(tenantInfo.customData.privateEndpoints) &&
+				tenantInfo.customData.privateEndpoints?.length > 0 &&
+				tenantInfo.customData.privateEndpoints[0]?.privateEndpointConnectionProxy
+					?.properties?.remotePrivateEndpoint?.connectionDetails &&
+				Array.isArray(
+					tenantInfo.customData.privateEndpoints[0]?.privateEndpointConnectionProxy
+						?.properties?.remotePrivateEndpoint?.connectionDetails,
+				) &&
+				tenantInfo.customData.privateEndpoints[0]?.privateEndpointConnectionProxy
+					?.properties?.remotePrivateEndpoint?.connectionDetails[0]
+					? true
+					: false;
 			const clientIPAddress = req.ip ?? "";
 			if (privateLinkEnable && (!clientIPAddress || clientIPAddress.trim() === "")) {
 				return handleResponse(
 					Promise.reject(
 						new NetworkError(
 							400,
-							`Client IP address is required for private link in req.ip`,
+							`Client ip address is required for private link in req.ip`,
 						),
 					),
 					res,
@@ -74,18 +85,20 @@ export function validatePrivateLink(
 			const networkInfo = getNetworkInformationFromIP(clientIPAddress);
 			if (networkInfo.isPrivateLink) {
 				if (privateLinkEnable) {
-					const accountLinkId = tenantInfo?.customData?.privateEndpoints?.accountLinkId;
+					const connectionDetail =
+						tenantInfo?.customData?.privateEndpoints[0]?.privateEndpointConnectionProxy
+							?.properties?.remotePrivateEndpoint?.connectionDetails[0];
+					const accountLinkId = connectionDetail?.linkIdentifier;
 					if (networkInfo.privateLinkId === accountLinkId) {
-						Lumberjack.info("This is a private link request", {
+						Lumberjack.info(`This is a private link request with matching link id.`, {
 							tenantId,
-							privateLinkId: networkInfo.privateLinkId,
 						});
 					} else {
 						return handleResponse(
 							Promise.reject(
 								new NetworkError(
 									400,
-									`This private link should not be connected since the link id ${networkInfo.privateLinkId} does not match ${accountLinkId}`,
+									`This private link should not be connected since the link id mismatch`,
 								),
 							),
 							res,
