extract peer into seperate package

2025-08-15 17:52:47 +02:00 · 2023-11-28 13:45:26 +01:00
parent a7e55cc5e3
commit a729c83b06
24 changed files with 587 additions and 399 deletions
--- a/management/server/peer.go
+++ b/management/server/peer.go
@ -2,7 +2,6 @@ package server

 import (
 	"fmt"
-	"net"
 	"strings"
 	"time"

@ -10,6 +9,7 @@ import (
 	"github.com/rs/xid"

 	"github.com/netbirdio/netbird/management/server/activity"
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/status"

 	log "github.com/sirupsen/logrus"
@ -17,40 +17,6 @@ import (
 	"github.com/netbirdio/netbird/management/proto"
 )

-// PeerSystemMeta is a metadata of a Peer machine system
-type PeerSystemMeta struct {
-	Hostname  string
-	GoOS      string
-	Kernel    string
-	Core      string
-	Platform  string
-	OS        string
-	WtVersion string
-	UIVersion string
-}
-
-func (p PeerSystemMeta) isEqual(other PeerSystemMeta) bool {
-	return p.Hostname == other.Hostname &&
-		p.GoOS == other.GoOS &&
-		p.Kernel == other.Kernel &&
-		p.Core == other.Core &&
-		p.Platform == other.Platform &&
-		p.OS == other.OS &&
-		p.WtVersion == other.WtVersion &&
-		p.UIVersion == other.UIVersion
-}
-
-type PeerStatus struct {
-	// LastSeen is the last time peer was connected to the management service
-	LastSeen time.Time
-	// Connected indicates whether peer is connected to the management service or not
-	Connected bool
-	// LoginExpired
-	LoginExpired bool
-	// RequiresApproval indicates whether peer requires approval or not
-	RequiresApproval bool
-}
-
 // PeerSync used as a data object between the gRPC API and AccountManager on Sync request.
 type PeerSync struct {
 	// WireGuardPubKey is a peers WireGuard public key
@ -64,147 +30,16 @@ type PeerLogin struct {
 	// SSHKey is a peer's ssh key. Can be empty (e.g., old version do not provide it, or this feature is disabled)
 	SSHKey string
 	// Meta is the system information passed by peer, must be always present.
-	Meta PeerSystemMeta
+	Meta nbpeer.PeerSystemMeta
 	// UserID indicates that JWT was used to log in, and it was valid. Can be empty when SetupKey is used or auth is not required.
 	UserID string
 	// SetupKey references to a server.SetupKey to log in. Can be empty when UserID is used or auth is not required.
 	SetupKey string
 }

-// Peer represents a machine connected to the network.
-// The Peer is a WireGuard peer identified by a public key
-type Peer struct {
-	// ID is an internal ID of the peer
-	ID string `gorm:"primaryKey"`
-	// AccountID is a reference to Account that this object belongs
-	AccountID string `json:"-" gorm:"index;uniqueIndex:idx_peers_account_id_ip"`
-	// WireGuard public key
-	Key string `gorm:"index"`
-	// A setup key this peer was registered with
-	SetupKey string
-	// IP address of the Peer
-	IP net.IP `gorm:"uniqueIndex:idx_peers_account_id_ip"`
-	// Meta is a Peer system meta data
-	Meta PeerSystemMeta `gorm:"embedded;embeddedPrefix:meta_"`
-	// Name is peer's name (machine name)
-	Name string
-	// DNSLabel is the parsed peer name for domain resolution. It is used to form an FQDN by appending the account's
-	// domain to the peer label. e.g. peer-dns-label.netbird.cloud
-	DNSLabel string
-	// Status peer's management connection status
-	Status *PeerStatus `gorm:"embedded;embeddedPrefix:peer_status_"`
-	// The user ID that registered the peer
-	UserID string
-	// SSHKey is a public SSH key of the peer
-	SSHKey string
-	// SSHEnabled indicates whether SSH server is enabled on the peer
-	SSHEnabled bool
-	// LoginExpirationEnabled indicates whether peer's login expiration is enabled and once expired the peer has to re-login.
-	// Works with LastLogin
-	LoginExpirationEnabled bool
-	// LastLogin the time when peer performed last login operation
-	LastLogin time.Time
-	// Indicate ephemeral peer attribute
-	Ephemeral bool
-}
-
-// AddedWithSSOLogin indicates whether this peer has been added with an SSO login by a user.
-func (p *Peer) AddedWithSSOLogin() bool {
-	return p.UserID != ""
-}
-
-// Copy copies Peer object
-func (p *Peer) Copy() *Peer {
-	peerStatus := p.Status
-	if peerStatus != nil {
-		peerStatus = p.Status.Copy()
-	}
-	return &Peer{
-		ID:                     p.ID,
-		AccountID:              p.AccountID,
-		Key:                    p.Key,
-		SetupKey:               p.SetupKey,
-		IP:                     p.IP,
-		Meta:                   p.Meta,
-		Name:                   p.Name,
-		DNSLabel:               p.DNSLabel,
-		Status:                 peerStatus,
-		UserID:                 p.UserID,
-		SSHKey:                 p.SSHKey,
-		SSHEnabled:             p.SSHEnabled,
-		LoginExpirationEnabled: p.LoginExpirationEnabled,
-		LastLogin:              p.LastLogin,
-		Ephemeral:              p.Ephemeral,
-	}
-}
-
-// UpdateMetaIfNew updates peer's system metadata if new information is provided
-// returns true if meta was updated, false otherwise
-func (p *Peer) UpdateMetaIfNew(meta PeerSystemMeta) bool {
-	// Avoid overwriting UIVersion if the update was triggered sole by the CLI client
-	if meta.UIVersion == "" {
-		meta.UIVersion = p.Meta.UIVersion
-	}
-
-	if p.Meta.isEqual(meta) {
-		return false
-	}
-	p.Meta = meta
-	return true
-}
-
-// MarkLoginExpired marks peer's status expired or not
-func (p *Peer) MarkLoginExpired(expired bool) {
-	newStatus := p.Status.Copy()
-	newStatus.LoginExpired = expired
-	if expired {
-		newStatus.Connected = false
-	}
-	p.Status = newStatus
-}
-
-// LoginExpired indicates whether the peer's login has expired or not.
-// If Peer.LastLogin plus the expiresIn duration has happened already; then login has expired.
-// Return true if a login has expired, false otherwise, and time left to expiration (negative when expired).
-// Login expiration can be disabled/enabled on a Peer level via Peer.LoginExpirationEnabled property.
-// Login expiration can also be disabled/enabled globally on the Account level via Settings.PeerLoginExpirationEnabled.
-// Only peers added by interactive SSO login can be expired.
-func (p *Peer) LoginExpired(expiresIn time.Duration) (bool, time.Duration) {
-	if !p.AddedWithSSOLogin() || !p.LoginExpirationEnabled {
-		return false, 0
-	}
-	expiresAt := p.LastLogin.Add(expiresIn)
-	now := time.Now()
-	timeLeft := expiresAt.Sub(now)
-	return timeLeft <= 0, timeLeft
-}
-
-// FQDN returns peers FQDN combined of the peer's DNS label and the system's DNS domain
-func (p *Peer) FQDN(dnsDomain string) string {
-	if dnsDomain == "" {
-		return ""
-	}
-	return fmt.Sprintf("%s.%s", p.DNSLabel, dnsDomain)
-}
-
-// EventMeta returns activity event meta related to the peer
-func (p *Peer) EventMeta(dnsDomain string) map[string]any {
-	return map[string]any{"name": p.Name, "fqdn": p.FQDN(dnsDomain), "ip": p.IP}
-}
-
-// Copy PeerStatus
-func (p *PeerStatus) Copy() *PeerStatus {
-	return &PeerStatus{
-		LastSeen:         p.LastSeen,
-		Connected:        p.Connected,
-		LoginExpired:     p.LoginExpired,
-		RequiresApproval: p.RequiresApproval,
-	}
-}
-
 // GetPeers returns a list of peers under the given account filtering out peers that do not belong to a user if
 // the current user is not an admin.
-func (am *DefaultAccountManager) GetPeers(accountID, userID string) ([]*Peer, error) {
+func (am *DefaultAccountManager) GetPeers(accountID, userID string) ([]*nbpeer.Peer, error) {
 	account, err := am.Store.GetAccount(accountID)
 	if err != nil {
 		return nil, err
@ -215,8 +50,8 @@ func (am *DefaultAccountManager) GetPeers(accountID, userID string) ([]*Peer, er
 		return nil, err
 	}

-	peers := make([]*Peer, 0)
-	peersMap := make(map[string]*Peer)
+	peers := make([]*nbpeer.Peer, 0)
+	peersMap := make(map[string]*nbpeer.Peer)
 	for _, peer := range account.Peers {
 		if !user.IsAdmin() && user.Id != peer.UserID {
 			// only display peers that belong to the current user if the current user is not an admin
@ -235,7 +70,7 @@ func (am *DefaultAccountManager) GetPeers(accountID, userID string) ([]*Peer, er
 		}
 	}

-	peers = make([]*Peer, 0, len(peersMap))
+	peers = make([]*nbpeer.Peer, 0, len(peersMap))
 	for _, peer := range peersMap {
 		peers = append(peers, peer)
 	}
@ -294,7 +129,7 @@ func (am *DefaultAccountManager) MarkPeerConnected(peerPubKey string, connected
 }

 // UpdatePeer updates peer. Only Peer.Name, Peer.SSHEnabled, and Peer.LoginExpirationEnabled can be updated.
-func (am *DefaultAccountManager) UpdatePeer(accountID, userID string, update *Peer) (*Peer, error) {
+func (am *DefaultAccountManager) UpdatePeer(accountID, userID string, update *nbpeer.Peer) (*nbpeer.Peer, error) {
 	unlock := am.Store.AcquireAccountLock(accountID)
 	defer unlock()

@ -373,7 +208,7 @@ func (am *DefaultAccountManager) deletePeers(account *Account, peerIDs []string,

 	// the first loop is needed to ensure all peers present under the account before modifying, otherwise
 	// we might have some inconsistencies
-	peers := make([]*Peer, 0, len(peerIDs))
+	peers := make([]*nbpeer.Peer, 0, len(peerIDs))
 	for _, peerID := range peerIDs {

 		peer := account.GetPeer(peerID)
@ -465,7 +300,7 @@ func (am *DefaultAccountManager) GetPeerNetwork(peerID string) (*Network, error)
 // to it. We also add the User ID to the peer metadata to identify registrant. If no userID provided, then fail with status.PermissionDenied
 // Each new Peer will be assigned a new next net.IP from the Account.Network and Account.Network.LastIP will be updated (IP's are not reused).
 // The peer property is just a placeholder for the Peer properties to pass further
-func (am *DefaultAccountManager) AddPeer(setupKey, userID string, peer *Peer) (*Peer, *NetworkMap, error) {
+func (am *DefaultAccountManager) AddPeer(setupKey, userID string, peer *nbpeer.Peer) (*nbpeer.Peer, *NetworkMap, error) {
 	if setupKey == "" && userID == "" {
 		// no auth method provided => reject access
 		return nil, nil, status.Errorf(status.Unauthenticated, "no peer auth method provided, please use a setup key or interactive SSO login")
@ -554,7 +389,7 @@ func (am *DefaultAccountManager) AddPeer(setupKey, userID string, peer *Peer) (*
 		return nil, nil, err
 	}

-	newPeer := &Peer{
+	newPeer := &nbpeer.Peer{
 		ID:                     xid.New().String(),
 		Key:                    peer.Key,
 		SetupKey:               upperKey,
@ -563,7 +398,7 @@ func (am *DefaultAccountManager) AddPeer(setupKey, userID string, peer *Peer) (*
 		Name:                   peer.Meta.Hostname,
 		DNSLabel:               newLabel,
 		UserID:                 userID,
-		Status:                 &PeerStatus{Connected: false, LastSeen: time.Now().UTC()},
+		Status:                 &nbpeer.PeerStatus{Connected: false, LastSeen: time.Now().UTC()},
 		SSHEnabled:             false,
 		SSHKey:                 peer.SSHKey,
 		LastLogin:              time.Now().UTC(),
@ -621,7 +456,7 @@ func (am *DefaultAccountManager) AddPeer(setupKey, userID string, peer *Peer) (*
 }

 // SyncPeer checks whether peer is eligible for receiving NetworkMap (authenticated) and returns its NetworkMap if eligible
-func (am *DefaultAccountManager) SyncPeer(sync PeerSync) (*Peer, *NetworkMap, error) {
+func (am *DefaultAccountManager) SyncPeer(sync PeerSync) (*nbpeer.Peer, *NetworkMap, error) {
 	account, err := am.Store.GetAccountByPeerPubKey(sync.WireGuardPubKey)
 	if err != nil {
 		if errStatus, ok := status.FromError(err); ok && errStatus.Type() == status.NotFound {
@ -645,7 +480,7 @@ func (am *DefaultAccountManager) SyncPeer(sync PeerSync) (*Peer, *NetworkMap, er
 		return nil, nil, status.Errorf(status.Unauthenticated, "peer is not registered")
 	}

-	validatedPeers := integrations.ValidatePeers([]*Peer{peer}, account)
+	validatedPeers := integrations.ValidatePeers([]*nbpeer.Peer{peer}, account)
 	if len(validatedPeers) == 0 {
 		return nil, nil, status.Errorf(status.PermissionDenied, "peer validation failed")
 	}
@ -663,14 +498,14 @@ func (am *DefaultAccountManager) SyncPeer(sync PeerSync) (*Peer, *NetworkMap, er

 // LoginPeer logs in or registers a peer.
 // If peer doesn't exist the function checks whether a setup key or a user is present and registers a new peer if so.
-func (am *DefaultAccountManager) LoginPeer(login PeerLogin) (*Peer, *NetworkMap, error) {
+func (am *DefaultAccountManager) LoginPeer(login PeerLogin) (*nbpeer.Peer, *NetworkMap, error) {
 	account, err := am.Store.GetAccountByPeerPubKey(login.WireGuardPubKey)

 	if err != nil {
 		if errStatus, ok := status.FromError(err); ok && errStatus.Type() == status.NotFound {
 			// we couldn't find this peer by its public key which can mean that peer hasn't been registered yet.
 			// Try registering it.
-			return am.AddPeer(login.SetupKey, login.UserID, &Peer{
+			return am.AddPeer(login.SetupKey, login.UserID, &nbpeer.Peer{
 				Key:    login.WireGuardPubKey,
 				Meta:   login.Meta,
 				SSHKey: login.SSHKey,
@ -740,7 +575,7 @@ func (am *DefaultAccountManager) LoginPeer(login PeerLogin) (*Peer, *NetworkMap,
 	return peer, account.GetPeerNetworkMap(peer.ID, am.dnsDomain), nil
 }

-func checkIfPeerOwnerIsBlocked(peer *Peer, account *Account) error {
+func checkIfPeerOwnerIsBlocked(peer *nbpeer.Peer, account *Account) error {
 	if peer.AddedWithSSOLogin() {
 		user, err := account.FindUser(peer.UserID)
 		if err != nil {
@ -753,7 +588,7 @@ func checkIfPeerOwnerIsBlocked(peer *Peer, account *Account) error {
 	return nil
 }

-func checkAuth(loginUserID string, peer *Peer) error {
+func checkAuth(loginUserID string, peer *nbpeer.Peer) error {
 	if loginUserID == "" {
 		// absence of a user ID indicates that JWT wasn't provided.
 		return status.Errorf(status.PermissionDenied, "peer login has expired, please log in once more")
@ -765,7 +600,7 @@ func checkAuth(loginUserID string, peer *Peer) error {
 	return nil
 }

-func peerLoginExpired(peer *Peer, account *Account) bool {
+func peerLoginExpired(peer *nbpeer.Peer, account *Account) bool {
 	expired, expiresIn := peer.LoginExpired(account.Settings.PeerLoginExpiration)
 	expired = account.Settings.PeerLoginExpirationEnabled && expired
 	if expired || peer.Status.LoginExpired {
@ -775,21 +610,12 @@ func peerLoginExpired(peer *Peer, account *Account) bool {
 	return false
 }

-func updatePeerLastLogin(peer *Peer, account *Account) {
+func updatePeerLastLogin(peer *nbpeer.Peer, account *Account) {
 	peer.UpdateLastLogin()
 	account.UpdatePeer(peer)
 }

-// UpdateLastLogin and set login expired false
-func (p *Peer) UpdateLastLogin() *Peer {
-	p.LastLogin = time.Now().UTC()
-	newStatus := p.Status.Copy()
-	newStatus.LoginExpired = false
-	p.Status = newStatus
-	return p
-}
-
-func (am *DefaultAccountManager) checkAndUpdatePeerSSHKey(peer *Peer, account *Account, newSSHKey string) (*Peer, error) {
+func (am *DefaultAccountManager) checkAndUpdatePeerSSHKey(peer *nbpeer.Peer, account *Account, newSSHKey string) (*nbpeer.Peer, error) {
 	if len(newSSHKey) == 0 {
 		log.Debugf("no new SSH key provided for peer %s, skipping update", peer.ID)
 		return peer, nil
@ -860,7 +686,7 @@ func (am *DefaultAccountManager) UpdatePeerSSHKey(peerID string, sshKey string)
 }

 // GetPeer for a given accountID, peerID and userID error if not found.
-func (am *DefaultAccountManager) GetPeer(accountID, peerID, userID string) (*Peer, error) {
+func (am *DefaultAccountManager) GetPeer(accountID, peerID, userID string) (*nbpeer.Peer, error) {
 	unlock := am.Store.AcquireAccountLock(accountID)
 	defer unlock()

@ -903,7 +729,7 @@ func (am *DefaultAccountManager) GetPeer(accountID, peerID, userID string) (*Pee
 	return nil, status.Errorf(status.Internal, "user %s has no access to peer %s under account %s", userID, peerID, accountID)
 }

-func updatePeerMeta(peer *Peer, meta PeerSystemMeta, account *Account) (*Peer, bool) {
+func updatePeerMeta(peer *nbpeer.Peer, meta nbpeer.PeerSystemMeta, account *Account) (*nbpeer.Peer, bool) {
 	if peer.UpdateMetaIfNew(meta) {
 		account.UpdatePeer(peer)
 		return peer, true