add temporary peers and automatic policy cleanup

2026-04-24 03:06:38 +00:00 · 2025-09-01 21:45:49 +02:00
parent cf6cb817b8
commit 3271f6cb49
13 changed files with 594 additions and 480 deletions
--- a/management/server/types/account.go
+++ b/management/server/types/account.go
@@ -998,8 +998,20 @@ func (a *Account) GetPeerConnectionResources(ctx context.Context, peer *nbpeer.P
 				continue
 			}

-			sourcePeers, peerInSources := a.getAllPeersFromGroups(ctx, rule.Sources, peer.ID, policy.SourcePostureChecks, validatedPeersMap)
-			destinationPeers, peerInDestinations := a.getAllPeersFromGroups(ctx, rule.Destinations, peer.ID, nil, validatedPeersMap)
+			var sourcePeers, destinationPeers []*nbpeer.Peer
+			var peerInSources, peerInDestinations bool
+
+			if rule.SourceResource.Type == ResourceTypePeer && rule.SourceResource.ID != "" {
+				sourcePeers, peerInSources = a.getPeerFromResource(rule.SourceResource, peer.ID)
+			} else {
+				sourcePeers, peerInSources = a.getAllPeersFromGroups(ctx, rule.Sources, peer.ID, policy.SourcePostureChecks, validatedPeersMap)
+			}
+
+			if rule.DestinationResource.Type == ResourceTypePeer && rule.DestinationResource.ID != "" {
+				destinationPeers, peerInDestinations = a.getPeerFromResource(rule.DestinationResource, peer.ID)
+			} else {
+				destinationPeers, peerInDestinations = a.getAllPeersFromGroups(ctx, rule.Destinations, peer.ID, nil, validatedPeersMap)
+			}

 			if rule.Bidirectional {
 				if peerInSources {
@@ -1121,6 +1133,15 @@ func (a *Account) getAllPeersFromGroups(ctx context.Context, groups []string, pe
 	return filteredPeers, peerInGroups
 }

+func (a *Account) getPeerFromResource(resource Resource, peerID string) ([]*nbpeer.Peer, bool) {
+	peer := a.GetPeer(resource.ID)
+	if peer == nil {
+		return []*nbpeer.Peer{}, false
+	}
+
+	return []*nbpeer.Peer{peer}, resource.ID == peerID
+}
+
 // validatePostureChecksOnPeer validates the posture checks on a peer
 func (a *Account) validatePostureChecksOnPeer(ctx context.Context, sourcePostureChecksID []string, peerID string) bool {
 	peer, ok := a.Peers[peerID]
--- a/management/server/types/peer.go
+++ b/management/server/types/peer.go
@@ -21,6 +21,8 @@ type PeerSync struct {
 type PeerLogin struct {
 	// WireGuardPubKey is a peers WireGuard public key
 	WireGuardPubKey string
+	// AccountID is the account ID the peer is trying to log in to
+	AccountID string
 	// SSHKey is a peer's ssh key. Can be empty (e.g., old version do not provide it, or this feature is disabled)
 	SSHKey string
 	// Meta is the system information passed by peer, must be always present.
--- a/management/server/types/resource.go
+++ b/management/server/types/resource.go
@@ -4,9 +4,18 @@ import (
 	"github.com/netbirdio/netbird/shared/management/http/api"
 )

+type ResourceType string
+
+const (
+	ResourceTypePeer   ResourceType = "peer"
+	ResourceTypeDomain ResourceType = "domain"
+	ResourceTypeHost   ResourceType = "host"
+	ResourceTypeSubnet ResourceType = "subnet"
+)
+
 type Resource struct {
 	ID   string
-	Type string
+	Type ResourceType
 }

 func (r *Resource) ToAPIResponse() *api.Resource {
@@ -26,5 +35,5 @@ func (r *Resource) FromAPIRequest(req *api.Resource) {
 	}

 	r.ID = req.Id
-	r.Type = string(req.Type)
+	r.Type = ResourceType(req.Type)
 }