[management] Add API of new network concept (#3012)

2025-08-16 01:58:16 +02:00 · 2024-12-11 12:58:45 +01:00
parent 9f859a240e
commit 60ee31df3e
92 changed files with 5320 additions and 3562 deletions
--- a/management/server/account_test.go
+++ b/management/server/account_test.go
@ -16,7 +16,11 @@ import (
 	"time"

 	"github.com/golang-jwt/jwt"
-	"github.com/netbirdio/netbird/management/server/networks"
+
+	resourceTypes "github.com/netbirdio/netbird/management/server/networks/resources/types"
+	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
+	networkTypes "github.com/netbirdio/netbird/management/server/networks/types"
+
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@ -29,7 +33,9 @@ import (
 	"github.com/netbirdio/netbird/management/server/jwtclaims"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/posture"
+	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/telemetry"
+	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/route"
 )

@ -74,7 +80,7 @@ func (MocIntegratedValidator) SetPeerInvalidationListener(func(accountID string)
 func (MocIntegratedValidator) Stop(_ context.Context) {
 }

-func verifyCanAddPeerToAccount(t *testing.T, manager AccountManager, account *Account, userID string) {
+func verifyCanAddPeerToAccount(t *testing.T, manager AccountManager, account *types.Account, userID string) {
 	t.Helper()
 	peer := &nbpeer.Peer{
 		Key:  "BhRPtynAAYRDy08+q4HTMsos8fs4plTP4NOSh7C1ry8=",
@ -102,7 +108,7 @@ func verifyCanAddPeerToAccount(t *testing.T, manager AccountManager, account *Ac
 	}
 }

-func verifyNewAccountHasDefaultFields(t *testing.T, account *Account, createdBy string, domain string, expectedUsers []string) {
+func verifyNewAccountHasDefaultFields(t *testing.T, account *types.Account, createdBy string, domain string, expectedUsers []string) {
 	t.Helper()
 	if len(account.Peers) != 0 {
 		t.Errorf("expected account to have len(Peers) = %v, got %v", 0, len(account.Peers))
@ -157,7 +163,7 @@ func TestAccount_GetPeerNetworkMap(t *testing.T) {
 	// peerID3 := "peer-3"
 	tt := []struct {
 		name                 string
-		accountSettings      Settings
+		accountSettings      types.Settings
 		peerID               string
 		expectedPeers        []string
 		expectedOfflinePeers []string
@ -165,7 +171,7 @@ func TestAccount_GetPeerNetworkMap(t *testing.T) {
 	}{
 		{
 			name:                 "Should return ALL peers when global peer login expiration disabled",
-			accountSettings:      Settings{PeerLoginExpirationEnabled: false, PeerLoginExpiration: time.Hour},
+			accountSettings:      types.Settings{PeerLoginExpirationEnabled: false, PeerLoginExpiration: time.Hour},
 			peerID:               peerID1,
 			expectedPeers:        []string{peerID2},
 			expectedOfflinePeers: []string{},
@ -203,7 +209,7 @@ func TestAccount_GetPeerNetworkMap(t *testing.T) {
 		},
 		{
 			name:                 "Should return no peers when global peer login expiration enabled and peers expired",
-			accountSettings:      Settings{PeerLoginExpirationEnabled: true, PeerLoginExpiration: time.Hour},
+			accountSettings:      types.Settings{PeerLoginExpirationEnabled: true, PeerLoginExpiration: time.Hour},
 			peerID:               peerID1,
 			expectedPeers:        []string{},
 			expectedOfflinePeers: []string{peerID2},
@ -397,12 +403,12 @@ func TestAccount_GetPeerNetworkMap(t *testing.T) {

 	netIP := net.IP{100, 64, 0, 0}
 	netMask := net.IPMask{255, 255, 0, 0}
-	network := &Network{
+	network := &types.Network{
 		Identifier: "network",
 		Net:        net.IPNet{IP: netIP, Mask: netMask},
 		Dns:        "netbird.selfhosted",
 		Serial:     0,
-		mu:         sync.Mutex{},
+		Mu:         sync.Mutex{},
 	}

 	for _, testCase := range tt {
@ -486,12 +492,12 @@ func TestDefaultAccountManager_GetAccountIDFromToken(t *testing.T) {
 	}

 	initUnknown := defaultInitAccount
-	initUnknown.DomainCategory = UnknownCategory
+	initUnknown.DomainCategory = types.UnknownCategory
 	initUnknown.Domain = unknownDomain

 	privateInitAccount := defaultInitAccount
 	privateInitAccount.Domain = privateDomain
-	privateInitAccount.DomainCategory = PrivateCategory
+	privateInitAccount.DomainCategory = types.PrivateCategory

 	testCases := []struct {
 		name                        string
@ -501,7 +507,7 @@ func TestDefaultAccountManager_GetAccountIDFromToken(t *testing.T) {
 		inputUpdateClaimAccount     bool
 		testingFunc                 require.ComparisonAssertionFunc
 		expectedMSG                 string
-		expectedUserRole            UserRole
+		expectedUserRole            types.UserRole
 		expectedDomainCategory      string
 		expectedDomain              string
 		expectedPrimaryDomainStatus bool
@ -513,12 +519,12 @@ func TestDefaultAccountManager_GetAccountIDFromToken(t *testing.T) {
 			inputClaims: jwtclaims.AuthorizationClaims{
 				Domain:         publicDomain,
 				UserId:         "pub-domain-user",
-				DomainCategory: PublicCategory,
+				DomainCategory: types.PublicCategory,
 			},
 			inputInitUserParams:         defaultInitAccount,
 			testingFunc:                 require.NotEqual,
 			expectedMSG:                 "account IDs shouldn't match",
-			expectedUserRole:            UserRoleOwner,
+			expectedUserRole:            types.UserRoleOwner,
 			expectedDomainCategory:      "",
 			expectedDomain:              publicDomain,
 			expectedPrimaryDomainStatus: false,
@ -530,12 +536,12 @@ func TestDefaultAccountManager_GetAccountIDFromToken(t *testing.T) {
 			inputClaims: jwtclaims.AuthorizationClaims{
 				Domain:         unknownDomain,
 				UserId:         "unknown-domain-user",
-				DomainCategory: UnknownCategory,
+				DomainCategory: types.UnknownCategory,
 			},
 			inputInitUserParams:         initUnknown,
 			testingFunc:                 require.NotEqual,
 			expectedMSG:                 "account IDs shouldn't match",
-			expectedUserRole:            UserRoleOwner,
+			expectedUserRole:            types.UserRoleOwner,
 			expectedDomain:              unknownDomain,
 			expectedDomainCategory:      "",
 			expectedPrimaryDomainStatus: false,
@ -547,14 +553,14 @@ func TestDefaultAccountManager_GetAccountIDFromToken(t *testing.T) {
 			inputClaims: jwtclaims.AuthorizationClaims{
 				Domain:         privateDomain,
 				UserId:         "pvt-domain-user",
-				DomainCategory: PrivateCategory,
+				DomainCategory: types.PrivateCategory,
 			},
 			inputInitUserParams:         defaultInitAccount,
 			testingFunc:                 require.NotEqual,
 			expectedMSG:                 "account IDs shouldn't match",
-			expectedUserRole:            UserRoleOwner,
+			expectedUserRole:            types.UserRoleOwner,
 			expectedDomain:              privateDomain,
-			expectedDomainCategory:      PrivateCategory,
+			expectedDomainCategory:      types.PrivateCategory,
 			expectedPrimaryDomainStatus: true,
 			expectedCreatedBy:           "pvt-domain-user",
 			expectedUsers:               []string{"pvt-domain-user"},
@ -564,15 +570,15 @@ func TestDefaultAccountManager_GetAccountIDFromToken(t *testing.T) {
 			inputClaims: jwtclaims.AuthorizationClaims{
 				Domain:         privateDomain,
 				UserId:         "new-pvt-domain-user",
-				DomainCategory: PrivateCategory,
+				DomainCategory: types.PrivateCategory,
 			},
 			inputUpdateAttrs:            true,
 			inputInitUserParams:         privateInitAccount,
 			testingFunc:                 require.Equal,
 			expectedMSG:                 "account IDs should match",
-			expectedUserRole:            UserRoleUser,
+			expectedUserRole:            types.UserRoleUser,
 			expectedDomain:              privateDomain,
-			expectedDomainCategory:      PrivateCategory,
+			expectedDomainCategory:      types.PrivateCategory,
 			expectedPrimaryDomainStatus: true,
 			expectedCreatedBy:           defaultInitAccount.UserId,
 			expectedUsers:               []string{defaultInitAccount.UserId, "new-pvt-domain-user"},
@ -582,14 +588,14 @@ func TestDefaultAccountManager_GetAccountIDFromToken(t *testing.T) {
 			inputClaims: jwtclaims.AuthorizationClaims{
 				Domain:         defaultInitAccount.Domain,
 				UserId:         defaultInitAccount.UserId,
-				DomainCategory: PrivateCategory,
+				DomainCategory: types.PrivateCategory,
 			},
 			inputInitUserParams:         defaultInitAccount,
 			testingFunc:                 require.Equal,
 			expectedMSG:                 "account IDs should match",
-			expectedUserRole:            UserRoleOwner,
+			expectedUserRole:            types.UserRoleOwner,
 			expectedDomain:              defaultInitAccount.Domain,
-			expectedDomainCategory:      PrivateCategory,
+			expectedDomainCategory:      types.PrivateCategory,
 			expectedPrimaryDomainStatus: true,
 			expectedCreatedBy:           defaultInitAccount.UserId,
 			expectedUsers:               []string{defaultInitAccount.UserId},
@ -599,15 +605,15 @@ func TestDefaultAccountManager_GetAccountIDFromToken(t *testing.T) {
 			inputClaims: jwtclaims.AuthorizationClaims{
 				Domain:         defaultInitAccount.Domain,
 				UserId:         defaultInitAccount.UserId,
-				DomainCategory: PrivateCategory,
+				DomainCategory: types.PrivateCategory,
 			},
 			inputUpdateClaimAccount:     true,
 			inputInitUserParams:         defaultInitAccount,
 			testingFunc:                 require.Equal,
 			expectedMSG:                 "account IDs should match",
-			expectedUserRole:            UserRoleOwner,
+			expectedUserRole:            types.UserRoleOwner,
 			expectedDomain:              defaultInitAccount.Domain,
-			expectedDomainCategory:      PrivateCategory,
+			expectedDomainCategory:      types.PrivateCategory,
 			expectedPrimaryDomainStatus: true,
 			expectedCreatedBy:           defaultInitAccount.UserId,
 			expectedUsers:               []string{defaultInitAccount.UserId},
@ -617,12 +623,12 @@ func TestDefaultAccountManager_GetAccountIDFromToken(t *testing.T) {
 			inputClaims: jwtclaims.AuthorizationClaims{
 				Domain:         "",
 				UserId:         "pvt-domain-user",
-				DomainCategory: PrivateCategory,
+				DomainCategory: types.PrivateCategory,
 			},
 			inputInitUserParams:         defaultInitAccount,
 			testingFunc:                 require.NotEqual,
 			expectedMSG:                 "account IDs shouldn't match",
-			expectedUserRole:            UserRoleOwner,
+			expectedUserRole:            types.UserRoleOwner,
 			expectedDomain:              "",
 			expectedDomainCategory:      "",
 			expectedPrimaryDomainStatus: false,
@ -752,22 +758,26 @@ func TestDefaultAccountManager_GetGroupsFromTheToken(t *testing.T) {
 }

 func TestAccountManager_GetAccountFromPAT(t *testing.T) {
-	store := newStore(t)
+	store, cleanup, err := store.NewTestStoreFromSQL(context.Background(), "", t.TempDir())
+	if err != nil {
+		t.Fatalf("Error when creating store: %s", err)
+	}
+	t.Cleanup(cleanup)
 	account := newAccountWithId(context.Background(), "account_id", "testuser", "")

 	token := "nbp_9999EUDNdkeusjentDLSJEn1902u84390W6W"
 	hashedToken := sha256.Sum256([]byte(token))
 	encodedHashedToken := b64.StdEncoding.EncodeToString(hashedToken[:])
-	account.Users["someUser"] = &User{
+	account.Users["someUser"] = &types.User{
 		Id: "someUser",
-		PATs: map[string]*PersonalAccessToken{
+		PATs: map[string]*types.PersonalAccessToken{
 			"tokenId": {
 				ID:          "tokenId",
 				HashedToken: encodedHashedToken,
 			},
 		},
 	}
-	err := store.SaveAccount(context.Background(), account)
+	err = store.SaveAccount(context.Background(), account)
 	if err != nil {
 		t.Fatalf("Error when saving account: %s", err)
 	}
@ -787,15 +797,20 @@ func TestAccountManager_GetAccountFromPAT(t *testing.T) {
 }

 func TestDefaultAccountManager_MarkPATUsed(t *testing.T) {
-	store := newStore(t)
+	store, cleanup, err := store.NewTestStoreFromSQL(context.Background(), "", t.TempDir())
+	if err != nil {
+		t.Fatalf("Error when creating store: %s", err)
+	}
+	t.Cleanup(cleanup)
+
 	account := newAccountWithId(context.Background(), "account_id", "testuser", "")

 	token := "nbp_9999EUDNdkeusjentDLSJEn1902u84390W6W"
 	hashedToken := sha256.Sum256([]byte(token))
 	encodedHashedToken := b64.StdEncoding.EncodeToString(hashedToken[:])
-	account.Users["someUser"] = &User{
+	account.Users["someUser"] = &types.User{
 		Id: "someUser",
-		PATs: map[string]*PersonalAccessToken{
+		PATs: map[string]*types.PersonalAccessToken{
 			"tokenId": {
 				ID:          "tokenId",
 				HashedToken: encodedHashedToken,
@ -803,7 +818,7 @@ func TestDefaultAccountManager_MarkPATUsed(t *testing.T) {
 			},
 		},
 	}
-	err := store.SaveAccount(context.Background(), account)
+	err = store.SaveAccount(context.Background(), account)
 	if err != nil {
 		t.Fatalf("Error when saving account: %s", err)
 	}
@ -905,7 +920,7 @@ func TestAccountManager_GetAccountByUserID(t *testing.T) {
 		return
 	}

-	exists, err := manager.Store.AccountExists(context.Background(), LockingStrengthShare, accountID)
+	exists, err := manager.Store.AccountExists(context.Background(), store.LockingStrengthShare, accountID)
 	assert.NoError(t, err)
 	assert.True(t, exists, "expected to get existing account after creation using userid")

@ -915,7 +930,7 @@ func TestAccountManager_GetAccountByUserID(t *testing.T) {
 	}
 }

-func createAccount(am *DefaultAccountManager, accountID, userID, domain string) (*Account, error) {
+func createAccount(am *DefaultAccountManager, accountID, userID, domain string) (*types.Account, error) {
 	account := newAccountWithId(context.Background(), accountID, userID, domain)
 	err := am.Store.SaveAccount(context.Background(), account)
 	if err != nil {
@ -991,13 +1006,13 @@ func BenchmarkTest_GetAccountWithclaims(b *testing.B) {
 	claims := jwtclaims.AuthorizationClaims{
 		Domain:         "example.com",
 		UserId:         "pvt-domain-user",
-		DomainCategory: PrivateCategory,
+		DomainCategory: types.PrivateCategory,
 	}

 	publicClaims := jwtclaims.AuthorizationClaims{
 		Domain:         "test.com",
 		UserId:         "public-domain-user",
-		DomainCategory: PublicCategory,
+		DomainCategory: types.PublicCategory,
 	}

 	am, err := createManager(b)
@ -1075,13 +1090,13 @@ func BenchmarkTest_GetAccountWithclaims(b *testing.B) {

 }

-func genUsers(p string, n int) map[string]*User {
-	users := map[string]*User{}
+func genUsers(p string, n int) map[string]*types.User {
+	users := map[string]*types.User{}
 	now := time.Now()
 	for i := 0; i < n; i++ {
-		users[fmt.Sprintf("%s-%d", p, i)] = &User{
+		users[fmt.Sprintf("%s-%d", p, i)] = &types.User{
 			Id:         fmt.Sprintf("%s-%d", p, i),
-			Role:       UserRoleAdmin,
+			Role:       types.UserRoleAdmin,
 			LastLogin:  now,
 			CreatedAt:  now,
 			Issued:     "api",
@ -1106,7 +1121,7 @@ func TestAccountManager_AddPeer(t *testing.T) {

 	serial := account.Network.CurrentSerial() // should be 0

-	setupKey, err := manager.CreateSetupKey(context.Background(), account.Id, "test-key", SetupKeyReusable, time.Hour, nil, 999, userID, false)
+	setupKey, err := manager.CreateSetupKey(context.Background(), account.Id, "test-key", types.SetupKeyReusable, time.Hour, nil, 999, userID, false)
 	if err != nil {
 		t.Fatal("error creating setup key")
 		return
@ -1243,15 +1258,15 @@ func TestAccountManager_NetworkUpdates_SaveGroup(t *testing.T) {
 		return
 	}

-	_, err := manager.SavePolicy(context.Background(), account.Id, userID, &Policy{
+	_, err := manager.SavePolicy(context.Background(), account.Id, userID, &types.Policy{
 		Enabled: true,
-		Rules: []*PolicyRule{
+		Rules: []*types.PolicyRule{
 			{
 				Enabled:       true,
 				Sources:       []string{"groupA"},
 				Destinations:  []string{"groupA"},
 				Bidirectional: true,
-				Action:        PolicyTrafficActionAccept,
+				Action:        types.PolicyTrafficActionAccept,
 			},
 		},
 	})
@ -1335,15 +1350,15 @@ func TestAccountManager_NetworkUpdates_SavePolicy(t *testing.T) {
 		}
 	}()

-	_, err := manager.SavePolicy(context.Background(), account.Id, userID, &Policy{
+	_, err := manager.SavePolicy(context.Background(), account.Id, userID, &types.Policy{
 		Enabled: true,
-		Rules: []*PolicyRule{
+		Rules: []*types.PolicyRule{
 			{
 				Enabled:       true,
 				Sources:       []string{"groupA"},
 				Destinations:  []string{"groupA"},
 				Bidirectional: true,
-				Action:        PolicyTrafficActionAccept,
+				Action:        types.PolicyTrafficActionAccept,
 			},
 		},
 	})
@ -1368,15 +1383,15 @@ func TestAccountManager_NetworkUpdates_DeletePeer(t *testing.T) {
 		return
 	}

-	_, err := manager.SavePolicy(context.Background(), account.Id, userID, &Policy{
+	_, err := manager.SavePolicy(context.Background(), account.Id, userID, &types.Policy{
 		Enabled: true,
-		Rules: []*PolicyRule{
+		Rules: []*types.PolicyRule{
 			{
 				Enabled:       true,
 				Sources:       []string{"groupA"},
 				Destinations:  []string{"groupA"},
 				Bidirectional: true,
-				Action:        PolicyTrafficActionAccept,
+				Action:        types.PolicyTrafficActionAccept,
 			},
 		},
 	})
@ -1427,15 +1442,15 @@ func TestAccountManager_NetworkUpdates_DeleteGroup(t *testing.T) {
 		return
 	}

-	policy, err := manager.SavePolicy(context.Background(), account.Id, userID, &Policy{
+	policy, err := manager.SavePolicy(context.Background(), account.Id, userID, &types.Policy{
 		Enabled: true,
-		Rules: []*PolicyRule{
+		Rules: []*types.PolicyRule{
 			{
 				Enabled:       true,
 				Sources:       []string{"groupA"},
 				Destinations:  []string{"groupA"},
 				Bidirectional: true,
-				Action:        PolicyTrafficActionAccept,
+				Action:        types.PolicyTrafficActionAccept,
 			},
 		},
 	})
@ -1483,7 +1498,7 @@ func TestAccountManager_DeletePeer(t *testing.T) {
 		t.Fatal(err)
 	}

-	setupKey, err := manager.CreateSetupKey(context.Background(), account.Id, "test-key", SetupKeyReusable, time.Hour, nil, 999, userID, false)
+	setupKey, err := manager.CreateSetupKey(context.Background(), account.Id, "test-key", types.SetupKeyReusable, time.Hour, nil, 999, userID, false)
 	if err != nil {
 		t.Fatal("error creating setup key")
 		return
@ -1558,7 +1573,7 @@ func TestGetUsersFromAccount(t *testing.T) {
 		t.Fatal(err)
 	}

-	users := map[string]*User{"1": {Id: "1", Role: UserRoleOwner}, "2": {Id: "2", Role: "user"}, "3": {Id: "3", Role: "user"}}
+	users := map[string]*types.User{"1": {Id: "1", Role: types.UserRoleOwner}, "2": {Id: "2", Role: "user"}, "3": {Id: "3", Role: "user"}}
 	accountId := "test_account_id"

 	account, err := createAccount(manager, accountId, users["1"].Id, "")
@ -1590,7 +1605,7 @@ func TestFileStore_GetRoutesByPrefix(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	account := &Account{
+	account := &types.Account{
 		Routes: map[route.ID]*route.Route{
 			"route-1": {
 				ID:          "route-1",
@ -1637,7 +1652,7 @@ func TestAccount_GetRoutesToSync(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	account := &Account{
+	account := &types.Account{
 		Peers: map[string]*nbpeer.Peer{
 			"peer-1": {Key: "peer-1", Meta: nbpeer.PeerSystemMeta{GoOS: "linux"}}, "peer-2": {Key: "peer-2", Meta: nbpeer.PeerSystemMeta{GoOS: "linux"}}, "peer-3": {Key: "peer-1", Meta: nbpeer.PeerSystemMeta{GoOS: "linux"}},
 		},
@ -1682,7 +1697,7 @@ func TestAccount_GetRoutesToSync(t *testing.T) {
 		},
 	}

-	routes := account.getRoutesToSync(context.Background(), "peer-2", []*nbpeer.Peer{{Key: "peer-1"}, {Key: "peer-3"}})
+	routes := account.GetRoutesToSync(context.Background(), "peer-2", []*nbpeer.Peer{{Key: "peer-1"}, {Key: "peer-3"}})

 	assert.Len(t, routes, 2)
 	routeIDs := make(map[route.ID]struct{}, 2)
@ -1692,26 +1707,26 @@ func TestAccount_GetRoutesToSync(t *testing.T) {
 	assert.Contains(t, routeIDs, route.ID("route-2"))
 	assert.Contains(t, routeIDs, route.ID("route-3"))

-	emptyRoutes := account.getRoutesToSync(context.Background(), "peer-3", []*nbpeer.Peer{{Key: "peer-1"}, {Key: "peer-2"}})
+	emptyRoutes := account.GetRoutesToSync(context.Background(), "peer-3", []*nbpeer.Peer{{Key: "peer-1"}, {Key: "peer-2"}})

 	assert.Len(t, emptyRoutes, 0)
 }

 func TestAccount_Copy(t *testing.T) {
-	account := &Account{
+	account := &types.Account{
 		Id:                     "account1",
 		CreatedBy:              "tester",
 		CreatedAt:              time.Now().UTC(),
 		Domain:                 "test.com",
 		DomainCategory:         "public",
 		IsDomainPrimaryAccount: true,
-		SetupKeys: map[string]*SetupKey{
+		SetupKeys: map[string]*types.SetupKey{
 			"setup1": {
 				Id:         "setup1",
 				AutoGroups: []string{"group1"},
 			},
 		},
-		Network: &Network{
+		Network: &types.Network{
 			Identifier: "net1",
 		},
 		Peers: map[string]*nbpeer.Peer{
@ -1724,12 +1739,12 @@ func TestAccount_Copy(t *testing.T) {
 				},
 			},
 		},
-		Users: map[string]*User{
+		Users: map[string]*types.User{
 			"user1": {
 				Id:         "user1",
-				Role:       UserRoleAdmin,
+				Role:       types.UserRoleAdmin,
 				AutoGroups: []string{"group1"},
-				PATs: map[string]*PersonalAccessToken{
+				PATs: map[string]*types.PersonalAccessToken{
 					"pat1": {
 						ID:             "pat1",
 						Name:           "First PAT",
@ -1748,11 +1763,11 @@ func TestAccount_Copy(t *testing.T) {
 				Peers: []string{"peer1"},
 			},
 		},
-		Policies: []*Policy{
+		Policies: []*types.Policy{
 			{
 				ID:                  "policy1",
 				Enabled:             true,
-				Rules:               make([]*PolicyRule, 0),
+				Rules:               make([]*types.PolicyRule, 0),
 				SourcePostureChecks: make([]string, 0),
 			},
 		},
@ -1772,19 +1787,19 @@ func TestAccount_Copy(t *testing.T) {
 				NameServers: []nbdns.NameServer{},
 			},
 		},
-		DNSSettings: DNSSettings{DisabledManagementGroups: []string{}},
+		DNSSettings: types.DNSSettings{DisabledManagementGroups: []string{}},
 		PostureChecks: []*posture.Checks{
 			{
 				ID: "posture Checks1",
 			},
 		},
-		Settings: &Settings{},
-		Networks: []*networks.Network{
+		Settings: &types.Settings{},
+		Networks: []*networkTypes.Network{
 			{
 				ID: "network1",
 			},
 		},
-		NetworkRouters: []*networks.NetworkRouter{
+		NetworkRouters: []*routerTypes.NetworkRouter{
 			{
 				ID:         "router1",
 				NetworkID:  "network1",
@ -1793,7 +1808,7 @@ func TestAccount_Copy(t *testing.T) {
 				Metric:     0,
 			},
 		},
-		NetworkResources: []*networks.NetworkResource{
+		NetworkResources: []*resourceTypes.NetworkResource{
 			{
 				ID:        "resource1",
 				NetworkID: "network1",
@ -1854,7 +1869,7 @@ func TestDefaultAccountManager_DefaultAccountSettings(t *testing.T) {
 	accountID, err := manager.GetAccountIDByUserID(context.Background(), userID, "")
 	require.NoError(t, err, "unable to create an account")

-	settings, err := manager.Store.GetAccountSettings(context.Background(), LockingStrengthShare, accountID)
+	settings, err := manager.Store.GetAccountSettings(context.Background(), store.LockingStrengthShare, accountID)
 	require.NoError(t, err, "unable to get account settings")

 	assert.NotNil(t, settings)
@ -1887,7 +1902,7 @@ func TestDefaultAccountManager_UpdatePeer_PeerLoginExpiration(t *testing.T) {
 	err = manager.MarkPeerConnected(context.Background(), key.PublicKey().String(), true, nil, account)
 	require.NoError(t, err, "unable to mark peer connected")

-	account, err = manager.UpdateAccountSettings(context.Background(), accountID, userID, &Settings{
+	account, err = manager.UpdateAccountSettings(context.Background(), accountID, userID, &types.Settings{
 		PeerLoginExpiration:        time.Hour,
 		PeerLoginExpirationEnabled: true,
 	})
@ -1935,7 +1950,7 @@ func TestDefaultAccountManager_MarkPeerConnected_PeerLoginExpiration(t *testing.
 		LoginExpirationEnabled: true,
 	})
 	require.NoError(t, err, "unable to add peer")
-	_, err = manager.UpdateAccountSettings(context.Background(), accountID, userID, &Settings{
+	_, err = manager.UpdateAccountSettings(context.Background(), accountID, userID, &types.Settings{
 		PeerLoginExpiration:        time.Hour,
 		PeerLoginExpirationEnabled: true,
 	})
@ -2004,7 +2019,7 @@ func TestDefaultAccountManager_UpdateAccountSettings_PeerLoginExpiration(t *test
 		},
 	}
 	// enabling PeerLoginExpirationEnabled should trigger the expiration job
-	account, err = manager.UpdateAccountSettings(context.Background(), account.Id, userID, &Settings{
+	account, err = manager.UpdateAccountSettings(context.Background(), account.Id, userID, &types.Settings{
 		PeerLoginExpiration:        time.Hour,
 		PeerLoginExpirationEnabled: true,
 	})
@ -2017,7 +2032,7 @@ func TestDefaultAccountManager_UpdateAccountSettings_PeerLoginExpiration(t *test
 	wg.Add(1)

 	// disabling PeerLoginExpirationEnabled should trigger cancel
-	_, err = manager.UpdateAccountSettings(context.Background(), account.Id, userID, &Settings{
+	_, err = manager.UpdateAccountSettings(context.Background(), account.Id, userID, &types.Settings{
 		PeerLoginExpiration:        time.Hour,
 		PeerLoginExpirationEnabled: false,
 	})
@ -2035,7 +2050,7 @@ func TestDefaultAccountManager_UpdateAccountSettings(t *testing.T) {
 	accountID, err := manager.GetAccountIDByUserID(context.Background(), userID, "")
 	require.NoError(t, err, "unable to create an account")

-	updated, err := manager.UpdateAccountSettings(context.Background(), accountID, userID, &Settings{
+	updated, err := manager.UpdateAccountSettings(context.Background(), accountID, userID, &types.Settings{
 		PeerLoginExpiration:        time.Hour,
 		PeerLoginExpirationEnabled: false,
 	})
@ -2043,19 +2058,19 @@ func TestDefaultAccountManager_UpdateAccountSettings(t *testing.T) {
 	assert.False(t, updated.Settings.PeerLoginExpirationEnabled)
 	assert.Equal(t, updated.Settings.PeerLoginExpiration, time.Hour)

-	settings, err := manager.Store.GetAccountSettings(context.Background(), LockingStrengthShare, accountID)
+	settings, err := manager.Store.GetAccountSettings(context.Background(), store.LockingStrengthShare, accountID)
 	require.NoError(t, err, "unable to get account settings")

 	assert.False(t, settings.PeerLoginExpirationEnabled)
 	assert.Equal(t, settings.PeerLoginExpiration, time.Hour)

-	_, err = manager.UpdateAccountSettings(context.Background(), accountID, userID, &Settings{
+	_, err = manager.UpdateAccountSettings(context.Background(), accountID, userID, &types.Settings{
 		PeerLoginExpiration:        time.Second,
 		PeerLoginExpirationEnabled: false,
 	})
 	require.Error(t, err, "expecting to fail when providing PeerLoginExpiration less than one hour")

-	_, err = manager.UpdateAccountSettings(context.Background(), accountID, userID, &Settings{
+	_, err = manager.UpdateAccountSettings(context.Background(), accountID, userID, &types.Settings{
 		PeerLoginExpiration:        time.Hour * 24 * 181,
 		PeerLoginExpirationEnabled: false,
 	})
@ -2128,9 +2143,9 @@ func TestAccount_GetExpiredPeers(t *testing.T) {

 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			account := &Account{
+			account := &types.Account{
 				Peers: testCase.peers,
-				Settings: &Settings{
+				Settings: &types.Settings{
 					PeerLoginExpirationEnabled: true,
 					PeerLoginExpiration:        time.Hour,
 				},
@ -2212,9 +2227,9 @@ func TestAccount_GetInactivePeers(t *testing.T) {

 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			account := &Account{
+			account := &types.Account{
 				Peers: testCase.peers,
-				Settings: &Settings{
+				Settings: &types.Settings{
 					PeerInactivityExpirationEnabled: true,
 					PeerInactivityExpiration:        time.Second,
 				},
@ -2279,7 +2294,7 @@ func TestAccount_GetPeersWithExpiration(t *testing.T) {

 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			account := &Account{
+			account := &types.Account{
 				Peers: testCase.peers,
 			}

@ -2348,7 +2363,7 @@ func TestAccount_GetPeersWithInactivity(t *testing.T) {

 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			account := &Account{
+			account := &types.Account{
 				Peers: testCase.peers,
 			}

@ -2512,9 +2527,9 @@ func TestAccount_GetNextPeerExpiration(t *testing.T) {
 	}
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			account := &Account{
+			account := &types.Account{
 				Peers:    testCase.peers,
-				Settings: &Settings{PeerLoginExpiration: testCase.expiration, PeerLoginExpirationEnabled: testCase.expirationEnabled},
+				Settings: &types.Settings{PeerLoginExpiration: testCase.expiration, PeerLoginExpirationEnabled: testCase.expirationEnabled},
 			}

 			expiration, ok := account.GetNextPeerExpiration()
@ -2672,9 +2687,9 @@ func TestAccount_GetNextInactivePeerExpiration(t *testing.T) {
 	}
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			account := &Account{
+			account := &types.Account{
 				Peers:    testCase.peers,
-				Settings: &Settings{PeerInactivityExpiration: testCase.expiration, PeerInactivityExpirationEnabled: testCase.expirationEnabled},
+				Settings: &types.Settings{PeerInactivityExpiration: testCase.expiration, PeerInactivityExpirationEnabled: testCase.expirationEnabled},
 			}

 			expiration, ok := account.GetNextInactivePeerExpiration()
@ -2693,7 +2708,7 @@ func TestAccount_SetJWTGroups(t *testing.T) {
 	require.NoError(t, err, "unable to create account manager")

 	// create a new account
-	account := &Account{
+	account := &types.Account{
 		Id: "accountID",
 		Peers: map[string]*nbpeer.Peer{
 			"peer1": {ID: "peer1", Key: "key1", UserID: "user1"},
@ -2705,8 +2720,8 @@ func TestAccount_SetJWTGroups(t *testing.T) {
 		Groups: map[string]*group.Group{
 			"group1": {ID: "group1", Name: "group1", Issued: group.GroupIssuedAPI, Peers: []string{}},
 		},
-		Settings: &Settings{GroupsPropagationEnabled: true, JWTGroupsEnabled: true, JWTGroupsClaimName: "groups"},
-		Users: map[string]*User{
+		Settings: &types.Settings{GroupsPropagationEnabled: true, JWTGroupsEnabled: true, JWTGroupsClaimName: "groups"},
+		Users: map[string]*types.User{
 			"user1": {Id: "user1", AccountID: "accountID"},
 			"user2": {Id: "user2", AccountID: "accountID"},
 		},
@ -2722,7 +2737,7 @@ func TestAccount_SetJWTGroups(t *testing.T) {
 		err := manager.syncJWTGroups(context.Background(), "accountID", claims)
 		assert.NoError(t, err, "unable to sync jwt groups")

-		user, err := manager.Store.GetUserByUserID(context.Background(), LockingStrengthShare, "user1")
+		user, err := manager.Store.GetUserByUserID(context.Background(), store.LockingStrengthShare, "user1")
 		assert.NoError(t, err, "unable to get user")
 		assert.Empty(t, user.AutoGroups, "auto groups must be empty")
 	})
@ -2735,18 +2750,18 @@ func TestAccount_SetJWTGroups(t *testing.T) {
 		err := manager.syncJWTGroups(context.Background(), "accountID", claims)
 		assert.NoError(t, err, "unable to sync jwt groups")

-		user, err := manager.Store.GetUserByUserID(context.Background(), LockingStrengthShare, "user1")
+		user, err := manager.Store.GetUserByUserID(context.Background(), store.LockingStrengthShare, "user1")
 		assert.NoError(t, err, "unable to get user")
 		assert.Len(t, user.AutoGroups, 0)

-		group1, err := manager.Store.GetGroupByID(context.Background(), LockingStrengthShare, "accountID", "group1")
+		group1, err := manager.Store.GetGroupByID(context.Background(), store.LockingStrengthShare, "accountID", "group1")
 		assert.NoError(t, err, "unable to get group")
 		assert.Equal(t, group1.Issued, group.GroupIssuedAPI, "group should be api issued")
 	})

 	t.Run("jwt match existing api group in user auto groups", func(t *testing.T) {
 		account.Users["user1"].AutoGroups = []string{"group1"}
-		assert.NoError(t, manager.Store.SaveUser(context.Background(), LockingStrengthUpdate, account.Users["user1"]))
+		assert.NoError(t, manager.Store.SaveUser(context.Background(), store.LockingStrengthUpdate, account.Users["user1"]))

 		claims := jwtclaims.AuthorizationClaims{
 			UserId: "user1",
@ -2755,11 +2770,11 @@ func TestAccount_SetJWTGroups(t *testing.T) {
 		err = manager.syncJWTGroups(context.Background(), "accountID", claims)
 		assert.NoError(t, err, "unable to sync jwt groups")

-		user, err := manager.Store.GetUserByUserID(context.Background(), LockingStrengthShare, "user1")
+		user, err := manager.Store.GetUserByUserID(context.Background(), store.LockingStrengthShare, "user1")
 		assert.NoError(t, err, "unable to get user")
 		assert.Len(t, user.AutoGroups, 1)

-		group1, err := manager.Store.GetGroupByID(context.Background(), LockingStrengthShare, "accountID", "group1")
+		group1, err := manager.Store.GetGroupByID(context.Background(), store.LockingStrengthShare, "accountID", "group1")
 		assert.NoError(t, err, "unable to get group")
 		assert.Equal(t, group1.Issued, group.GroupIssuedAPI, "group should be api issued")
 	})
@ -2772,7 +2787,7 @@ func TestAccount_SetJWTGroups(t *testing.T) {
 		err = manager.syncJWTGroups(context.Background(), "accountID", claims)
 		assert.NoError(t, err, "unable to sync jwt groups")

-		user, err := manager.Store.GetUserByUserID(context.Background(), LockingStrengthShare, "user1")
+		user, err := manager.Store.GetUserByUserID(context.Background(), store.LockingStrengthShare, "user1")
 		assert.NoError(t, err, "unable to get user")
 		assert.Len(t, user.AutoGroups, 2, "groups count should not be change")
 	})
@ -2785,7 +2800,7 @@ func TestAccount_SetJWTGroups(t *testing.T) {
 		err = manager.syncJWTGroups(context.Background(), "accountID", claims)
 		assert.NoError(t, err, "unable to sync jwt groups")

-		user, err := manager.Store.GetUserByUserID(context.Background(), LockingStrengthShare, "user1")
+		user, err := manager.Store.GetUserByUserID(context.Background(), store.LockingStrengthShare, "user1")
 		assert.NoError(t, err, "unable to get user")
 		assert.Len(t, user.AutoGroups, 2, "groups count should not be change")
 	})
@ -2798,11 +2813,11 @@ func TestAccount_SetJWTGroups(t *testing.T) {
 		err = manager.syncJWTGroups(context.Background(), "accountID", claims)
 		assert.NoError(t, err, "unable to sync jwt groups")

-		groups, err := manager.Store.GetAccountGroups(context.Background(), LockingStrengthShare, "accountID")
+		groups, err := manager.Store.GetAccountGroups(context.Background(), store.LockingStrengthShare, "accountID")
 		assert.NoError(t, err)
 		assert.Len(t, groups, 3, "new group3 should be added")

-		user, err := manager.Store.GetUserByUserID(context.Background(), LockingStrengthShare, "user2")
+		user, err := manager.Store.GetUserByUserID(context.Background(), store.LockingStrengthShare, "user2")
 		assert.NoError(t, err, "unable to get user")
 		assert.Len(t, user.AutoGroups, 1, "new group should be added")
 	})
@ -2815,7 +2830,7 @@ func TestAccount_SetJWTGroups(t *testing.T) {
 		err = manager.syncJWTGroups(context.Background(), "accountID", claims)
 		assert.NoError(t, err, "unable to sync jwt groups")

-		user, err := manager.Store.GetUserByUserID(context.Background(), LockingStrengthShare, "user1")
+		user, err := manager.Store.GetUserByUserID(context.Background(), store.LockingStrengthShare, "user1")
 		assert.NoError(t, err, "unable to get user")
 		assert.Len(t, user.AutoGroups, 1, "only non-JWT groups should remain")
 		assert.Contains(t, user.AutoGroups, "group1", " group1 should still be present")
@ -2823,7 +2838,7 @@ func TestAccount_SetJWTGroups(t *testing.T) {
 }

 func TestAccount_UserGroupsAddToPeers(t *testing.T) {
-	account := &Account{
+	account := &types.Account{
 		Peers: map[string]*nbpeer.Peer{
 			"peer1": {ID: "peer1", Key: "key1", UserID: "user1"},
 			"peer2": {ID: "peer2", Key: "key2", UserID: "user1"},
@ -2836,7 +2851,7 @@ func TestAccount_UserGroupsAddToPeers(t *testing.T) {
 			"group2": {ID: "group2", Name: "group2", Issued: group.GroupIssuedAPI, Peers: []string{}},
 			"group3": {ID: "group3", Name: "group3", Issued: group.GroupIssuedAPI, Peers: []string{}},
 		},
-		Users: map[string]*User{"user1": {Id: "user1"}, "user2": {Id: "user2"}},
+		Users: map[string]*types.User{"user1": {Id: "user1"}, "user2": {Id: "user2"}},
 	}

 	t.Run("add groups", func(t *testing.T) {
@ -2859,7 +2874,7 @@ func TestAccount_UserGroupsAddToPeers(t *testing.T) {
 }

 func TestAccount_UserGroupsRemoveFromPeers(t *testing.T) {
-	account := &Account{
+	account := &types.Account{
 		Peers: map[string]*nbpeer.Peer{
 			"peer1": {ID: "peer1", Key: "key1", UserID: "user1"},
 			"peer2": {ID: "peer2", Key: "key2", UserID: "user1"},
@ -2872,7 +2887,7 @@ func TestAccount_UserGroupsRemoveFromPeers(t *testing.T) {
 			"group2": {ID: "group2", Name: "group2", Issued: group.GroupIssuedAPI, Peers: []string{"peer1", "peer2", "peer3", "peer4", "peer5"}},
 			"group3": {ID: "group3", Name: "group3", Issued: group.GroupIssuedAPI, Peers: []string{"peer4", "peer5"}},
 		},
-		Users: map[string]*User{"user1": {Id: "user1"}, "user2": {Id: "user2"}},
+		Users: map[string]*types.User{"user1": {Id: "user1"}, "user2": {Id: "user2"}},
 	}

 	t.Run("remove groups", func(t *testing.T) {
@ -2915,10 +2930,10 @@ func createManager(t TB) (*DefaultAccountManager, error) {
 	return manager, nil
 }

-func createStore(t TB) (Store, error) {
+func createStore(t TB) (store.Store, error) {
 	t.Helper()
 	dataDir := t.TempDir()
-	store, cleanUp, err := NewTestStoreFromSQL(context.Background(), "", dataDir)
+	store, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "", dataDir)
 	if err != nil {
 		return nil, err
 	}
@ -2941,7 +2956,7 @@ func waitTimeout(wg *sync.WaitGroup, timeout time.Duration) bool {
 	}
 }

-func setupNetworkMapTest(t *testing.T) (*DefaultAccountManager, *Account, *nbpeer.Peer, *nbpeer.Peer, *nbpeer.Peer) {
+func setupNetworkMapTest(t *testing.T) (*DefaultAccountManager, *types.Account, *nbpeer.Peer, *nbpeer.Peer, *nbpeer.Peer) {
 	t.Helper()

 	manager, err := createManager(t)
@ -2954,12 +2969,12 @@ func setupNetworkMapTest(t *testing.T) (*DefaultAccountManager, *Account, *nbpee
 		t.Fatal(err)
 	}

-	setupKey, err := manager.CreateSetupKey(context.Background(), account.Id, "test-key", SetupKeyReusable, time.Hour, nil, 999, userID, false)
+	setupKey, err := manager.CreateSetupKey(context.Background(), account.Id, "test-key", types.SetupKeyReusable, time.Hour, nil, 999, userID, false)
 	if err != nil {
 		t.Fatal("error creating setup key")
 	}

-	getPeer := func(manager *DefaultAccountManager, setupKey *SetupKey) *nbpeer.Peer {
+	getPeer := func(manager *DefaultAccountManager, setupKey *types.SetupKey) *nbpeer.Peer {
 		key, err := wgtypes.GeneratePrivateKey()
 		if err != nil {
 			t.Fatal(err)