Feature/peer validator (#1553)

Follow up management-integrations changes move groups to separated packages to avoid circle dependencies save location information in Login action
2025-08-17 10:31:45 +02:00 · 2024-03-27 18:48:48 +01:00
parent ea2d060f93
commit 2d76b058fc
45 changed files with 790 additions and 351 deletions
--- a/management/server/policy_test.go
+++ b/management/server/policy_test.go
@ -8,6 +8,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"golang.org/x/exp/slices"

+	nbgroup "github.com/netbirdio/netbird/management/server/group"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/posture"
 )
@ -56,7 +57,7 @@ func TestAccount_getPeersByPolicy(t *testing.T) {
 				Status: &nbpeer.PeerStatus{},
 			},
 		},
-		Groups: map[string]*Group{
+		Groups: map[string]*nbgroup.Group{
 			"GroupAll": {
 				ID:   "GroupAll",
 				Name: "All",
@ -135,16 +136,21 @@ func TestAccount_getPeersByPolicy(t *testing.T) {
 		},
 	}

+	validatedPeers := make(map[string]struct{})
+	for p := range account.Peers {
+		validatedPeers[p] = struct{}{}
+	}
+
 	t.Run("check that all peers get map", func(t *testing.T) {
 		for _, p := range account.Peers {
-			peers, firewallRules := account.getPeerConnectionResources(p.ID)
+			peers, firewallRules := account.getPeerConnectionResources(p.ID, validatedPeers)
 			assert.GreaterOrEqual(t, len(peers), 2, "minimum number peers should present")
 			assert.GreaterOrEqual(t, len(firewallRules), 2, "minimum number of firewall rules should present")
 		}
 	})

 	t.Run("check first peer map details", func(t *testing.T) {
-		peers, firewallRules := account.getPeerConnectionResources("peerB")
+		peers, firewallRules := account.getPeerConnectionResources("peerB", validatedPeers)
 		assert.Len(t, peers, 7)
 		assert.Contains(t, peers, account.Peers["peerA"])
 		assert.Contains(t, peers, account.Peers["peerC"])
@ -299,7 +305,7 @@ func TestAccount_getPeersByPolicyDirect(t *testing.T) {
 				Status: &nbpeer.PeerStatus{},
 			},
 		},
-		Groups: map[string]*Group{
+		Groups: map[string]*nbgroup.Group{
 			"GroupAll": {
 				ID:   "GroupAll",
 				Name: "All",
@ -374,8 +380,13 @@ func TestAccount_getPeersByPolicyDirect(t *testing.T) {
 		},
 	}

+	approvedPeers := make(map[string]struct{})
+	for p := range account.Peers {
+		approvedPeers[p] = struct{}{}
+	}
+
 	t.Run("check first peer map", func(t *testing.T) {
-		peers, firewallRules := account.getPeerConnectionResources("peerB")
+		peers, firewallRules := account.getPeerConnectionResources("peerB", approvedPeers)
 		assert.Contains(t, peers, account.Peers["peerC"])

 		epectedFirewallRules := []*FirewallRule{
@ -403,7 +414,7 @@ func TestAccount_getPeersByPolicyDirect(t *testing.T) {
 	})

 	t.Run("check second peer map", func(t *testing.T) {
-		peers, firewallRules := account.getPeerConnectionResources("peerC")
+		peers, firewallRules := account.getPeerConnectionResources("peerC", approvedPeers)
 		assert.Contains(t, peers, account.Peers["peerB"])

 		epectedFirewallRules := []*FirewallRule{
@ -433,7 +444,7 @@ func TestAccount_getPeersByPolicyDirect(t *testing.T) {
 	account.Policies[1].Rules[0].Bidirectional = false

 	t.Run("check first peer map directional only", func(t *testing.T) {
-		peers, firewallRules := account.getPeerConnectionResources("peerB")
+		peers, firewallRules := account.getPeerConnectionResources("peerB", approvedPeers)
 		assert.Contains(t, peers, account.Peers["peerC"])

 		epectedFirewallRules := []*FirewallRule{
@ -454,7 +465,7 @@ func TestAccount_getPeersByPolicyDirect(t *testing.T) {
 	})

 	t.Run("check second peer map directional only", func(t *testing.T) {
-		peers, firewallRules := account.getPeerConnectionResources("peerC")
+		peers, firewallRules := account.getPeerConnectionResources("peerC", approvedPeers)
 		assert.Contains(t, peers, account.Peers["peerB"])

 		epectedFirewallRules := []*FirewallRule{
@ -569,7 +580,7 @@ func TestAccount_getPeersByPolicyPostureChecks(t *testing.T) {
 				},
 			},
 		},
-		Groups: map[string]*Group{
+		Groups: map[string]*nbgroup.Group{
 			"GroupAll": {
 				ID:   "GroupAll",
 				Name: "All",
@ -644,10 +655,14 @@ func TestAccount_getPeersByPolicyPostureChecks(t *testing.T) {
 		},
 	})

+	approvedPeers := make(map[string]struct{})
+	for p := range account.Peers {
+		approvedPeers[p] = struct{}{}
+	}
 	t.Run("verify peer's network map with default group peer list", func(t *testing.T) {
 		// peerB doesn't fulfill the NB posture check but is included in the destination group Swarm,
 		// will establish a connection with all source peers satisfying the NB posture check.
-		peers, firewallRules := account.getPeerConnectionResources("peerB")
+		peers, firewallRules := account.getPeerConnectionResources("peerB", approvedPeers)
 		assert.Len(t, peers, 4)
 		assert.Len(t, firewallRules, 4)
 		assert.Contains(t, peers, account.Peers["peerA"])
@ -657,7 +672,7 @@ func TestAccount_getPeersByPolicyPostureChecks(t *testing.T) {

 		// peerC satisfy the NB posture check, should establish connection to all destination group peer's
 		// We expect a single permissive firewall rule which all outgoing connections
-		peers, firewallRules = account.getPeerConnectionResources("peerC")
+		peers, firewallRules = account.getPeerConnectionResources("peerC", approvedPeers)
 		assert.Len(t, peers, len(account.Groups["GroupSwarm"].Peers))
 		assert.Len(t, firewallRules, 1)
 		expectedFirewallRules := []*FirewallRule{
@ -673,7 +688,7 @@ func TestAccount_getPeersByPolicyPostureChecks(t *testing.T) {

 		// peerE doesn't fulfill the NB posture check and exists in only destination group Swarm,
 		// all source group peers satisfying the NB posture check should establish connection
-		peers, firewallRules = account.getPeerConnectionResources("peerE")
+		peers, firewallRules = account.getPeerConnectionResources("peerE", approvedPeers)
 		assert.Len(t, peers, 4)
 		assert.Len(t, firewallRules, 4)
 		assert.Contains(t, peers, account.Peers["peerA"])
@ -683,7 +698,7 @@ func TestAccount_getPeersByPolicyPostureChecks(t *testing.T) {

 		// peerI doesn't fulfill the OS version posture check and exists in only destination group Swarm,
 		// all source group peers satisfying the NB posture check should establish connection
-		peers, firewallRules = account.getPeerConnectionResources("peerI")
+		peers, firewallRules = account.getPeerConnectionResources("peerI", approvedPeers)
 		assert.Len(t, peers, 4)
 		assert.Len(t, firewallRules, 4)
 		assert.Contains(t, peers, account.Peers["peerA"])
@ -698,19 +713,19 @@ func TestAccount_getPeersByPolicyPostureChecks(t *testing.T) {

 		// peerB doesn't satisfy the NB posture check, and doesn't exist in destination group peer's
 		// no connection should be established to any peer of destination group
-		peers, firewallRules := account.getPeerConnectionResources("peerB")
+		peers, firewallRules := account.getPeerConnectionResources("peerB", approvedPeers)
 		assert.Len(t, peers, 0)
 		assert.Len(t, firewallRules, 0)

 		// peerI doesn't satisfy the OS version posture check, and doesn't exist in destination group peer's
 		// no connection should be established to any peer of destination group
-		peers, firewallRules = account.getPeerConnectionResources("peerI")
+		peers, firewallRules = account.getPeerConnectionResources("peerI", approvedPeers)
 		assert.Len(t, peers, 0)
 		assert.Len(t, firewallRules, 0)

 		// peerC satisfy the NB posture check, should establish connection to all destination group peer's
 		// We expect a single permissive firewall rule which all outgoing connections
-		peers, firewallRules = account.getPeerConnectionResources("peerC")
+		peers, firewallRules = account.getPeerConnectionResources("peerC", approvedPeers)
 		assert.Len(t, peers, len(account.Groups["GroupSwarm"].Peers))
 		assert.Len(t, firewallRules, len(account.Groups["GroupSwarm"].Peers))

@ -725,14 +740,14 @@ func TestAccount_getPeersByPolicyPostureChecks(t *testing.T) {

 		// peerE doesn't fulfill the NB posture check and exists in only destination group Swarm,
 		// all source group peers satisfying the NB posture check should establish connection
-		peers, firewallRules = account.getPeerConnectionResources("peerE")
+		peers, firewallRules = account.getPeerConnectionResources("peerE", approvedPeers)
 		assert.Len(t, peers, 3)
 		assert.Len(t, firewallRules, 3)
 		assert.Contains(t, peers, account.Peers["peerA"])
 		assert.Contains(t, peers, account.Peers["peerC"])
 		assert.Contains(t, peers, account.Peers["peerD"])

-		peers, firewallRules = account.getPeerConnectionResources("peerA")
+		peers, firewallRules = account.getPeerConnectionResources("peerA", approvedPeers)
 		assert.Len(t, peers, 5)
 		// assert peers from Group Swarm
 		assert.Contains(t, peers, account.Peers["peerD"])