compare the agent name with the server URL param

chetan-rns · chetan-rns · commit 2b021b53e04f · 2025-08-27T17:41:29.000+05:30
Signed-off-by: Chetan Banavikalmutt &lt;chetanrns1997@gmail.com&gt;
diff --git a/principal/callbacks.go b/principal/callbacks.go
@@ -15,6 +15,7 @@
 package principal
 
 import (
+	"net/url"
 	"strings"
 
 	"github.com/argoproj-labs/argocd-agent/internal/event"
@@ -315,26 +316,51 @@ func (s *Server) mapAppProjectToAgents(appProject v1alpha1.AppProject) map[strin
 
 // doesAgentMatchWithProject checks if the agent name matches the given AppProject.
 // We match the agent to an AppProject if:
-// 1. The destination name is not empty and matches the agent name OR
-// 2. The destination server is a wildcard AND
+// 1. The agent name matches any one of the destination names OR
+// 2. The agent name is empty but the agent name is present in the server URL parameter AND
 // 3. The agent name is not denied by any of the destination names
 // Ref: https://github.com/argoproj/argo-cd/blob/master/pkg/apis/application/v1alpha1/app_project_types.go#L477
 func doesAgentMatchWithProject(agentName string, appProject v1alpha1.AppProject) bool {
 	destinationMatched := false
 
+	logCtx := log().WithFields(logrus.Fields{
+		"agent_name":  agentName,
+		"app_project": appProject.Name,
+	})
+
 	for _, dst := range appProject.Spec.Destinations {
-		if isDenyPattern(dst.Name) {
-			// Return immediately if the agent name is denied by any of the destination names
-			if glob.Match(dst.Name[1:], agentName) {
-				return false
+		// Return immediately if the agent name is denied by any of the destination names
+		if dst.Name != "" && isDenyPattern(dst.Name) && glob.Match(dst.Name[1:], agentName) {
+			return false
+		}
+
+		// Some AppProjects (e.g. default) may not always have a name so we need to check the server URL
+		if dst.Name == "" && dst.Server != "" {
+			if dst.Server == "*" {
+				destinationMatched = true
+				continue
+			}
+
+			// Server URL will be the resource proxy URL https://<rp-hostname>:<port>?agentName=<agent-name>
+			server, err := url.Parse(dst.Server)
+			if err != nil {
+				logCtx.WithError(err).Errorf("Invalid server URL: %s", dst.Server)
+				continue
+			}
+
+			serverAgentName := server.Query().Get("agentName")
+			if serverAgentName == "" {
+				continue
+			}
+
+			if glob.Match(serverAgentName, agentName) {
+				destinationMatched = true
 			}
-			continue
 		}
 
-		dstNameMatched := dst.Name != "" && glob.Match(dst.Name, agentName)
-		dstServerMatched := dst.Server == "*"
-		if dstNameMatched || dstServerMatched {
-			destinationMatched = true // Continue matching to look for deny patterns
+		// Match the agent name to the destination name and continue looking for deny patterns
+		if dst.Name != "" && glob.Match(dst.Name, agentName) {
+			destinationMatched = true
 		}
 	}
 
@@ -400,12 +426,22 @@ func AgentSpecificAppProject(appProject v1alpha1.AppProject, agent string) v1alp
 	// Only keep the destinations that are relevant to the given agent
 	filteredDst := []v1alpha1.ApplicationDestination{}
 	for _, dst := range appProject.Spec.Destinations {
-		dstNameMatched := dst.Name != "" && glob.Match(dst.Name, agent)
-		dstServerMatched := dst.Server == "*"
-		if dstNameMatched || dstServerMatched {
+		nameMatches := dst.Name != "" && glob.Match(dst.Name, agent)
+		serverMatches := false
+
+		// Handle server-only destinations (like default project)
+		if dst.Name == "" && dst.Server != "" {
+			if dst.Server == "*" {
+				serverMatches = true
+			} else if server, err := url.Parse(dst.Server); err == nil {
+				serverAgentName := server.Query().Get("agentName")
+				serverMatches = serverAgentName != "" && glob.Match(serverAgentName, agent)
+			}
+		}
+
+		if nameMatches || serverMatches {
 			dst.Name = "in-cluster"
 			dst.Server = "https://kubernetes.default.svc"
-
 			filteredDst = append(filteredDst, dst)
 		}
 	}
diff --git a/principal/callbacks_test.go b/principal/callbacks_test.go
@@ -539,16 +539,16 @@ func TestAgentSpecificAppProject(t *testing.T) {
 			},
 		},
 		{
-			name: "no agent name but server is wildcard",
+			name: "agent name matches wildcard destination",
 			appProject: v1alpha1.AppProject{
 				ObjectMeta: metav1.ObjectMeta{
-					Name:      "empty-project",
+					Name:      "wildcard-project",
 					Namespace: "argocd",
 				},
 				Spec: v1alpha1.AppProjectSpec{
 					Destinations: []v1alpha1.ApplicationDestination{
 						{
-							Server:    "*",
+							Name:      "*",
 							Namespace: "default",
 						},
 					},
@@ -559,7 +559,7 @@ func TestAgentSpecificAppProject(t *testing.T) {
 			agent: "test-agent",
 			want: v1alpha1.AppProject{
 				ObjectMeta: metav1.ObjectMeta{
-					Name:      "empty-project",
+					Name:      "wildcard-project",
 					Namespace: "argocd",
 				},
 				Spec: v1alpha1.AppProjectSpec{
@@ -677,19 +677,7 @@ func TestDoesAgentMatchWithProject(t *testing.T) {
 			},
 			want: true,
 		},
-		{
-			name:      "wildcard server with a different name",
-			agentName: "any-agent",
-			appProject: v1alpha1.AppProject{
-				Spec: v1alpha1.AppProjectSpec{
-					Destinations: []v1alpha1.ApplicationDestination{
-						{Name: "different-name", Server: "*", Namespace: "default"},
-					},
-					SourceNamespaces: []string{"*"},
-				},
-			},
-			want: true, // Should match wildcard server
-		},
+
 		{
 			name:      "agent matches destination name with wildcard",
 			agentName: "agent-staging",
@@ -744,20 +732,7 @@ func TestDoesAgentMatchWithProject(t *testing.T) {
 			},
 			want: true,
 		},
-		{
-			name:      "order independence - deny first, then allow",
-			agentName: "prod-agent",
-			appProject: v1alpha1.AppProject{
-				Spec: v1alpha1.AppProjectSpec{
-					Destinations: []v1alpha1.ApplicationDestination{
-						{Name: "!prod-*", Namespace: "default"}, // Deny prod first
-						{Name: "*", Namespace: "default"},       // Allow all
-					},
-					SourceNamespaces: []string{"*"},
-				},
-			},
-			want: false, // Same result regardless of order
-		},
+
 		{
 			name:      "agent matches destination but not source namespace",
 			agentName: "agent-test",
@@ -771,61 +746,6 @@ func TestDoesAgentMatchWithProject(t *testing.T) {
 			},
 			want: false,
 		},
-		{
-			name:      "agent matches neither destination name nor server",
-			agentName: "agent-nomatch",
-			appProject: v1alpha1.AppProject{
-				Spec: v1alpha1.AppProjectSpec{
-					Destinations: []v1alpha1.ApplicationDestination{
-						{Name: "different-name", Server: "different-server", Namespace: "default"},
-					},
-					SourceNamespaces: []string{"agent-nomatch"},
-				},
-			},
-			want: false,
-		},
-		{
-			name:      "empty destination name with non-wildcard server",
-			agentName: "any-agent",
-			appProject: v1alpha1.AppProject{
-				Spec: v1alpha1.AppProjectSpec{
-					Destinations: []v1alpha1.ApplicationDestination{
-						{Name: "", Server: "https://kubernetes.default.svc", Namespace: "default"},
-					},
-					SourceNamespaces: []string{"any-agent"},
-				},
-			},
-			want: false,
-		},
-		{
-			name:      "multiple deny patterns - first match wins",
-			agentName: "prod-sensitive-agent",
-			appProject: v1alpha1.AppProject{
-				Spec: v1alpha1.AppProjectSpec{
-					Destinations: []v1alpha1.ApplicationDestination{
-						{Name: "!prod-*", Namespace: "default"},        // This matches first
-						{Name: "!*-sensitive-*", Namespace: "default"}, // This would also match
-						{Name: "*", Namespace: "default"},              // Allow all others
-					},
-					SourceNamespaces: []string{"*"},
-				},
-			},
-			want: false,
-		},
-		{
-			name:      "wildcard with deny pattern override",
-			agentName: "admin-user",
-			appProject: v1alpha1.AppProject{
-				Spec: v1alpha1.AppProjectSpec{
-					Destinations: []v1alpha1.ApplicationDestination{
-						{Name: "", Server: "*", Namespace: "default"}, // Wildcard allow
-						{Name: "!admin-*", Namespace: "default"},      // Deny admin
-					},
-					SourceNamespaces: []string{"*"},
-				},
-			},
-			want: false, // Deny overrides wildcard
-		},
 		{
 			name:      "only deny patterns - no positive match",
 			agentName: "dev-agent",
@@ -840,76 +760,43 @@ func TestDoesAgentMatchWithProject(t *testing.T) {
 			want: false, // No positive pattern to match
 		},
 		{
-			name:      "deny pattern doesn't match - should continue to positive patterns",
-			agentName: "dev-agent",
+			name:      "server URL with exact agent name match",
+			agentName: "prod-cluster-1",
 			appProject: v1alpha1.AppProject{
 				Spec: v1alpha1.AppProjectSpec{
 					Destinations: []v1alpha1.ApplicationDestination{
-						{Name: "!prod-*", Namespace: "default"}, // Deny doesn't match
-						{Name: "dev-*", Namespace: "default"},   // Positive matches
+						{Name: "", Server: "https://resource-proxy.example.com:8080?agentName=prod-cluster-1", Namespace: "default"},
 					},
 					SourceNamespaces: []string{"*"},
 				},
 			},
-			want: true, // Should match positive pattern after deny doesn't match
+			want: true, // Agent name matches extracted query parameter
 		},
 		{
-			name:      "multiple deny patterns none match - positive pattern wins",
-			agentName: "test-agent",
+			name:      "server URL with agent name pattern",
+			agentName: "prod-cluster-2",
 			appProject: v1alpha1.AppProject{
 				Spec: v1alpha1.AppProjectSpec{
 					Destinations: []v1alpha1.ApplicationDestination{
-						{Name: "!prod-*", Namespace: "default"},    // Doesn't match
-						{Name: "!staging-*", Namespace: "default"}, // Doesn't match
-						{Name: "*", Namespace: "default"},          // Matches
+						{Name: "", Server: "https://resource-proxy.example.com:8080?agentName=prod-cluster-*", Namespace: "default"},
 					},
 					SourceNamespaces: []string{"*"},
 				},
 			},
-			want: true,
+			want: true, // Agent name matches extracted pattern
 		},
 		{
-			name:      "mixed destinations with deny pattern",
-			agentName: "dev-agent",
+			name:      "server URL with non-matching agent name",
+			agentName: "dev-cluster-1",
 			appProject: v1alpha1.AppProject{
 				Spec: v1alpha1.AppProjectSpec{
 					Destinations: []v1alpha1.ApplicationDestination{
-						{Name: "!admin-*", Namespace: "default"},      // Name deny (doesn't match)
-						{Name: "", Server: "*", Namespace: "default"}, // Server wildcard
-						{Name: "dev-*", Namespace: "default"},         // Name allow (matches)
+						{Name: "", Server: "https://resource-proxy.example.com:8080?agentName=prod-cluster-1", Namespace: "default"},
 					},
 					SourceNamespaces: []string{"*"},
 				},
 			},
-			want: true, // Should pass deny check and match positive patterns
-		},
-
-		{
-			name:      "deny pattern in first destination, positive in second",
-			agentName: "prod-cluster",
-			appProject: v1alpha1.AppProject{
-				Spec: v1alpha1.AppProjectSpec{
-					Destinations: []v1alpha1.ApplicationDestination{
-						{Name: "!prod-cluster", Namespace: "default"}, // Exact deny match
-						{Name: "*", Namespace: "default"},             // Would allow all
-					},
-					SourceNamespaces: []string{"*"},
-				},
-			},
-			want: false, // Deny pattern matches exactly, should reject immediately
-		},
-		{
-			name:      "deny pattern with different namespace requirements",
-			agentName: "restricted-agent",
-			appProject: v1alpha1.AppProject{
-				Spec: v1alpha1.AppProjectSpec{
-					Destinations: []v1alpha1.ApplicationDestination{
-						{Name: "!restricted-*", Namespace: "default"}, // Deny pattern matches
-					},
-					SourceNamespaces: []string{"restricted-agent"}, // Namespace would match
-				},
-			},
-			want: false, // Should be denied even though namespace matches
+			want: false, // Agent name doesn't match extracted query parameter
 		},
 	}
 
