Merge branch 'main' into feature/bind

2026-04-16 07:16:38 +00:00 · 2023-04-11 16:06:00 +02:00
parent 3d3de0f1dd 251f2d7bc2
commit 9b9f5fb64b
33 changed files with 199 additions and 160 deletions
--- a/.github/workflows/test-docker-compose-linux.yml
+++ b/.github/workflows/test-docker-compose-linux.yml
@@ -66,6 +66,7 @@ jobs:
          CI_NETBIRD_TOKEN_SOURCE: "idToken"
          CI_NETBIRD_AUTH_USER_ID_CLAIM: "email"
          CI_NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE: "super"
+          CI_NETBIRD_AUTH_DEVICE_AUTH_SCOPE: "openid email"

        run: |
          grep AUTH_CLIENT_ID docker-compose.yml | grep $CI_NETBIRD_AUTH_CLIENT_ID
@@ -80,6 +81,8 @@ jobs:
          grep NETBIRD_TOKEN_SOURCE docker-compose.yml | grep $CI_NETBIRD_TOKEN_SOURCE
          grep AuthUserIDClaim management.json | grep $CI_NETBIRD_AUTH_USER_ID_CLAIM
          grep -A 1 ProviderConfig management.json | grep Audience | grep $CI_NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE
+          grep Scope management.json | grep "$CI_NETBIRD_AUTH_DEVICE_AUTH_SCOPE"
+          grep UseIDToken management.json | grep false

      - name: run docker compose up
        working-directory: infrastructure_files
--- a/client/internal/connect.go
+++ b/client/internal/connect.go
@@ -59,9 +59,6 @@ func RunClient(ctx context.Context, config *Config, statusRecorder *peer.Status,
 		return err
 	}

-	statusRecorder.MarkManagementDisconnected()
-
-	statusRecorder.ClientStart()
 	defer statusRecorder.ClientStop()
 	operation := func() error {
 		// if context cancelled we not start new backoff cycle
@@ -82,12 +79,12 @@ func RunClient(ctx context.Context, config *Config, statusRecorder *peer.Status,

 		log.Debugf("conecting to the Management service %s", config.ManagementURL.Host)
 		mgmClient, err := mgm.NewClient(engineCtx, config.ManagementURL.Host, myPrivateKey, mgmTlsEnabled)
-		mgmNotifier := statusRecorderToMgmConnStateNotifier(statusRecorder)
-		mgmClient.SetConnStateListener(mgmNotifier)
-
 		if err != nil {
 			return wrapErr(gstatus.Errorf(codes.FailedPrecondition, "failed connecting to Management Service : %s", err))
 		}
+		mgmNotifier := statusRecorderToMgmConnStateNotifier(statusRecorder)
+		mgmClient.SetConnStateListener(mgmNotifier)
+
 		log.Debugf("connected to the Management service %s", config.ManagementURL.Host)
 		defer func() {
 			err = mgmClient.Close()
@@ -163,6 +160,8 @@ func RunClient(ctx context.Context, config *Config, statusRecorder *peer.Status,
 		log.Print("Netbird engine started, my IP is: ", peerConfig.Address)
 		state.Set(StatusConnected)

+		statusRecorder.ClientStart()
+
 		<-engineCtx.Done()
 		statusRecorder.ClientTeardown()

--- a/client/internal/peer/notifier.go
+++ b/client/internal/peer/notifier.go
@@ -15,7 +15,6 @@ type notifier struct {
 	serverStateLock    sync.Mutex
 	listenersLock      sync.Mutex
 	listener           Listener
-	currentServerState bool
 	currentClientState bool
 	lastNotification   int
 }
@@ -45,24 +44,14 @@ func (n *notifier) updateServerStates(mgmState bool, signalState bool) {
 	n.serverStateLock.Lock()
 	defer n.serverStateLock.Unlock()

-	var newState bool
-	if mgmState && signalState {
-		newState = true
-	} else {
-		newState = false
-	}
+	calculatedState := n.calculateState(mgmState, signalState)

-	if !n.isServerStateChanged(newState) {
+	if !n.isServerStateChanged(calculatedState) {
 		return
 	}

-	n.currentServerState = newState
+	n.lastNotification = calculatedState

-	if n.lastNotification == stateDisconnecting {
-		return
-	}
-
-	n.lastNotification = n.calculateState(newState, n.currentClientState)
 	n.notify(n.lastNotification)
 }

@@ -70,7 +59,7 @@ func (n *notifier) clientStart() {
 	n.serverStateLock.Lock()
 	defer n.serverStateLock.Unlock()
 	n.currentClientState = true
-	n.lastNotification = n.calculateState(n.currentServerState, true)
+	n.lastNotification = stateConnected
 	n.notify(n.lastNotification)
 }

@@ -78,7 +67,7 @@ func (n *notifier) clientStop() {
 	n.serverStateLock.Lock()
 	defer n.serverStateLock.Unlock()
 	n.currentClientState = false
-	n.lastNotification = n.calculateState(n.currentServerState, false)
+	n.lastNotification = stateDisconnected
 	n.notify(n.lastNotification)
 }

@@ -90,8 +79,8 @@ func (n *notifier) clientTearDown() {
 	n.notify(n.lastNotification)
 }

-func (n *notifier) isServerStateChanged(newState bool) bool {
-	return n.currentServerState != newState
+func (n *notifier) isServerStateChanged(newState int) bool {
+	return n.lastNotification != newState
 }

 func (n *notifier) notify(state int) {
@@ -118,15 +107,19 @@ func (n *notifier) notifyListener(l Listener, state int) {
 	}()
 }

-func (n *notifier) calculateState(serverState bool, clientState bool) int {
-	if serverState && clientState {
+func (n *notifier) calculateState(managementConn, signalConn bool) int {
+	if managementConn && signalConn {
 		return stateConnected
 	}

-	if !clientState {
+	if !managementConn && !signalConn {
 		return stateDisconnected
 	}

+	if n.lastNotification == stateDisconnecting {
+		return stateDisconnecting
+	}
+
 	return stateConnecting
 }

--- a/client/internal/peer/notifier_test.go
+++ b/client/internal/peer/notifier_test.go
@@ -47,25 +47,24 @@ func Test_notifier_serverState(t *testing.T) {

 	type scenario struct {
 		name        string
-		expected    bool
+		expected    int
 		mgmState    bool
 		signalState bool
 	}
 	scenarios := []scenario{
-		{"connected", true, true, true},
-		{"mgm down", false, false, true},
-		{"signal down", false, true, false},
-		{"disconnected", false, false, false},
+		{"connected", stateConnected, true, true},
+		{"mgm down", stateConnecting, false, true},
+		{"signal down", stateConnecting, true, false},
+		{"disconnected", stateDisconnected, false, false},
 	}

 	for _, tt := range scenarios {
 		t.Run(tt.name, func(t *testing.T) {
 			n := newNotifier()
 			n.updateServerStates(tt.mgmState, tt.signalState)
-			if n.currentServerState != tt.expected {
-				t.Errorf("invalid serverstate: %t, expected: %t", n.currentServerState, tt.expected)
+			if n.lastNotification != tt.expected {
+				t.Errorf("invalid serverstate: %d, expected: %d", n.lastNotification, tt.expected)
 			}
-
 		})
 	}
 }
--- a/infrastructure_files/base.setup.env
+++ b/infrastructure_files/base.setup.env
@@ -7,6 +7,7 @@ NETBIRD_MGMT_API_PORT=${NETBIRD_MGMT_API_PORT:-33073}
 # Management API endpoint address, used by the Dashboard
 NETBIRD_MGMT_API_ENDPOINT=https://$NETBIRD_DOMAIN:$NETBIRD_MGMT_API_PORT
 # Management Certficate file path. These are generated by the Dashboard container
+NETBIRD_LETSENCRYPT_DOMAIN=$NETBIRD_DOMAIN
 NETBIRD_MGMT_API_CERT_FILE="/etc/letsencrypt/live/$NETBIRD_LETSENCRYPT_DOMAIN/fullchain.pem"
 # Management Certficate key file path.
 NETBIRD_MGMT_API_CERT_KEY_FILE="/etc/letsencrypt/live/$NETBIRD_LETSENCRYPT_DOMAIN/privkey.pem"
@@ -34,9 +35,12 @@ SIGNAL_VOLUMESUFFIX="signal"
 LETSENCRYPT_VOLUMESUFFIX="letsencrypt"

 NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
+NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=${NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE:-$NETBIRD_AUTH_AUDIENCE}
+NETBIRD_AUTH_DEVICE_AUTH_SCOPE=${NETBIRD_AUTH_DEVICE_AUTH_SCOPE:-openid}
+NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=${NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN:-false}
+

 NETBIRD_DISABLE_ANONYMOUS_METRICS=${NETBIRD_DISABLE_ANONYMOUS_METRICS:-false}
-NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=${NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE:-$NETBIRD_AUTH_AUDIENCE}
 NETBIRD_TOKEN_SOURCE=${NETBIRD_TOKEN_SOURCE:-accessToken}

 # exports
@@ -50,6 +54,7 @@ export NETBIRD_AUTH_JWT_CERTS
 export NETBIRD_LETSENCRYPT_EMAIL
 export NETBIRD_MGMT_API_PORT
 export NETBIRD_MGMT_API_ENDPOINT
+export NETBIRD_LETSENCRYPT_DOMAIN
 export NETBIRD_MGMT_API_CERT_FILE
 export NETBIRD_MGMT_API_CERT_KEY_FILE
 export NETBIRD_AUTH_DEVICE_AUTH_PROVIDER
@@ -72,4 +77,6 @@ export NETBIRD_SIGNAL_PROTOCOL
 export NETBIRD_SIGNAL_PORT
 export NETBIRD_AUTH_USER_ID_CLAIM
 export NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE
-export NETBIRD_TOKEN_SOURCE
+export NETBIRD_TOKEN_SOURCE
+export NETBIRD_AUTH_DEVICE_AUTH_SCOPE
+export NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN
--- a/infrastructure_files/configure.sh
+++ b/infrastructure_files/configure.sh
@@ -143,8 +143,6 @@ then
  unset NETBIRD_LETSENCRYPT_DOMAIN
  unset NETBIRD_MGMT_API_CERT_FILE
  unset NETBIRD_MGMT_API_CERT_KEY_FILE
-else
-  export NETBIRD_LETSENCRYPT_DOMAIN="$NETBIRD_DOMAIN"
 fi

 env | grep NETBIRD
--- a/infrastructure_files/management.json.tmpl
+++ b/infrastructure_files/management.json.tmpl
@@ -47,7 +47,9 @@
          "Domain": "$NETBIRD_AUTH0_DOMAIN",
          "ClientID": "$NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID",
          "TokenEndpoint": "$NETBIRD_AUTH_TOKEN_ENDPOINT",
-          "DeviceAuthEndpoint": "$NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT"
+          "DeviceAuthEndpoint": "$NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT",
+          "Scope": "$NETBIRD_AUTH_DEVICE_AUTH_SCOPE",
+          "UseIDToken": $NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN
         }
    }
 }
--- a/infrastructure_files/setup.env.example
+++ b/infrastructure_files/setup.env.example
@@ -17,8 +17,11 @@ NETBIRD_AUTH_CLIENT_ID=""
 NETBIRD_USE_AUTH0="false"
 NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
 NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID=""
-# Some IDPs requires different audience for device authorization flow, you can customize here
+# Some IDPs requires different audience, scopes and to use id token for device authorization flow
+# you can customize here:
 NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
+NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid"
+NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=false

 # if your IDP provider doesn't support fragmented URIs, configure custom
 # redirect and silent redirect URIs, these will be concatenated into your NETBIRD_DOMAIN domain.
--- a/infrastructure_files/tests/setup.env
+++ b/infrastructure_files/tests/setup.env
@@ -15,4 +15,5 @@ NETBIRD_AUTH_REDIRECT_URI="/peers"
 NETBIRD_DISABLE_LETSENCRYPT=true
 NETBIRD_TOKEN_SOURCE="idToken"
 NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE="super"
-NETBIRD_AUTH_USER_ID_CLAIM="email"
+NETBIRD_AUTH_USER_ID_CLAIM="email"
+NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid email"
--- a/management/client/grpc.go
+++ b/management/client/grpc.go
@@ -20,6 +20,7 @@ import (
 	"google.golang.org/grpc/keepalive"

 	"github.com/cenkalti/backoff/v4"
+
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/encryption"
 	"github.com/netbirdio/netbird/management/proto"
@@ -144,15 +145,19 @@ func (c *GrpcClient) Sync(msgHandler func(msg *proto.SyncResponse) error) error
 		// blocking until error
 		err = c.receiveEvents(stream, *serverPubKey, msgHandler)
 		if err != nil {
-			if s, ok := gstatus.FromError(err); ok && s.Code() == codes.PermissionDenied {
+			s, _ := gstatus.FromError(err)
+			switch s.Code() {
+			case codes.PermissionDenied:
 				return backoff.Permanent(err) // unrecoverable error, propagate to the upper layer
+			case codes.Canceled:
+				log.Debugf("management connection context has been canceled, this usually indicates shutdown")
+				return nil
+			default:
+				backOff.Reset() // reset backoff counter after successful connection
+				c.notifyDisconnected()
+				log.Warnf("disconnected from the Management service but will retry silently. Reason: %v", err)
+				return err
 			}
-			// we need this reset because after a successful connection and a consequent error, backoff lib doesn't
-			// reset times and next try will start with a long delay
-			backOff.Reset()
-			c.notifyDisconnected()
-			log.Warnf("disconnected from the Management service but will retry silently. Reason: %v", err)
-			return err
 		}

 		return nil
--- a/management/server/account.go
+++ b/management/server/account.go
@@ -1151,7 +1151,7 @@ func (am *DefaultAccountManager) MarkPATUsed(tokenID string) error {
 		return fmt.Errorf("token not found")
 	}

-	pat.LastUsed = time.Now()
+	pat.LastUsed = time.Now().UTC()

 	return am.Store.SaveAccount(account)
 }
--- a/management/server/account_test.go
+++ b/management/server/account_test.go
@@ -127,12 +127,12 @@ func TestAccount_GetPeerNetworkMap(t *testing.T) {
 					Name:     peerID1,
 					DNSLabel: peerID1,
 					Status: &PeerStatus{
-						LastSeen:     time.Now(),
+						LastSeen:     time.Now().UTC(),
 						Connected:    false,
 						LoginExpired: true,
 					},
 					UserID:    userID,
-					LastLogin: time.Now().Add(-time.Hour * 24 * 30 * 30),
+					LastLogin: time.Now().UTC().Add(-time.Hour * 24 * 30 * 30),
 				},
 				"peer-2": {
 					ID:       peerID2,
@@ -141,12 +141,12 @@ func TestAccount_GetPeerNetworkMap(t *testing.T) {
 					Name:     peerID2,
 					DNSLabel: peerID2,
 					Status: &PeerStatus{
-						LastSeen:     time.Now(),
+						LastSeen:     time.Now().UTC(),
 						Connected:    false,
 						LoginExpired: false,
 					},
 					UserID:                 userID,
-					LastLogin:              time.Now(),
+					LastLogin:              time.Now().UTC(),
 					LoginExpirationEnabled: true,
 				},
 			},
@@ -165,12 +165,12 @@ func TestAccount_GetPeerNetworkMap(t *testing.T) {
 					Name:     peerID1,
 					DNSLabel: peerID1,
 					Status: &PeerStatus{
-						LastSeen:     time.Now(),
+						LastSeen:     time.Now().UTC(),
 						Connected:    false,
 						LoginExpired: true,
 					},
 					UserID:                 userID,
-					LastLogin:              time.Now().Add(-time.Hour * 24 * 30 * 30),
+					LastLogin:              time.Now().UTC().Add(-time.Hour * 24 * 30 * 30),
 					LoginExpirationEnabled: true,
 				},
 				"peer-2": {
@@ -180,12 +180,12 @@ func TestAccount_GetPeerNetworkMap(t *testing.T) {
 					Name:     peerID2,
 					DNSLabel: peerID2,
 					Status: &PeerStatus{
-						LastSeen:     time.Now(),
+						LastSeen:     time.Now().UTC(),
 						Connected:    false,
 						LoginExpired: true,
 					},
 					UserID:                 userID,
-					LastLogin:              time.Now().Add(-time.Hour * 24 * 30 * 30),
+					LastLogin:              time.Now().UTC().Add(-time.Hour * 24 * 30 * 30),
 					LoginExpirationEnabled: true,
 				},
 			},
@@ -1288,10 +1288,10 @@ func TestAccount_Copy(t *testing.T) {
 						ID:             "pat1",
 						Name:           "First PAT",
 						HashedToken:    "SoMeHaShEdToKeN",
-						ExpirationDate: time.Now().AddDate(0, 0, 7),
+						ExpirationDate: time.Now().UTC().AddDate(0, 0, 7),
 						CreatedBy:      "user1",
-						CreatedAt:      time.Now(),
-						LastUsed:       time.Now(),
+						CreatedAt:      time.Now().UTC(),
+						LastUsed:       time.Now().UTC(),
 					},
 				},
 			},
@@ -1569,22 +1569,22 @@ func TestAccount_GetExpiredPeers(t *testing.T) {
 					ID:                     "peer-1",
 					LoginExpirationEnabled: true,
 					Status: &PeerStatus{
-						LastSeen:     time.Now(),
+						LastSeen:     time.Now().UTC(),
 						Connected:    true,
 						LoginExpired: false,
 					},
-					LastLogin: time.Now().Add(-30 * time.Minute),
+					LastLogin: time.Now().UTC().Add(-30 * time.Minute),
 					UserID:    userID,
 				},
 				"peer-2": {
 					ID:                     "peer-2",
 					LoginExpirationEnabled: true,
 					Status: &PeerStatus{
-						LastSeen:     time.Now(),
+						LastSeen:     time.Now().UTC(),
 						Connected:    true,
 						LoginExpired: false,
 					},
-					LastLogin: time.Now().Add(-2 * time.Hour),
+					LastLogin: time.Now().UTC().Add(-2 * time.Hour),
 					UserID:    userID,
 				},

@@ -1592,11 +1592,11 @@ func TestAccount_GetExpiredPeers(t *testing.T) {
 					ID:                     "peer-3",
 					LoginExpirationEnabled: true,
 					Status: &PeerStatus{
-						LastSeen:     time.Now(),
+						LastSeen:     time.Now().UTC(),
 						Connected:    true,
 						LoginExpired: false,
 					},
-					LastLogin: time.Now().Add(-1 * time.Hour),
+					LastLogin: time.Now().UTC().Add(-1 * time.Hour),
 					UserID:    userID,
 				},
 			},
@@ -1797,7 +1797,7 @@ func TestAccount_GetNextPeerExpiration(t *testing.T) {
 						LoginExpired: false,
 					},
 					LoginExpirationEnabled: true,
-					LastLogin:              time.Now(),
+					LastLogin:              time.Now().UTC(),
 					UserID:                 userID,
 				},
 				"peer-2": {
--- a/management/server/activity/sqlite/sqlite_test.go
+++ b/management/server/activity/sqlite/sqlite_test.go
@@ -2,10 +2,12 @@ package sqlite

 import (
 	"fmt"
-	"github.com/netbirdio/netbird/management/server/activity"
-	"github.com/stretchr/testify/assert"
 	"testing"
 	"time"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/netbirdio/netbird/management/server/activity"
 )

 func TestNewSQLiteStore(t *testing.T) {
@@ -15,13 +17,13 @@ func TestNewSQLiteStore(t *testing.T) {
 		t.Fatal(err)
 		return
 	}
-        defer store.Close() //nolint
+	defer store.Close() //nolint

 	accountID := "account_1"

 	for i := 0; i < 10; i++ {
 		_, err = store.Save(&activity.Event{
-			Timestamp:   time.Now(),
+			Timestamp:   time.Now().UTC(),
 			Activity:    activity.PeerAddedByUser,
 			InitiatorID: "user_" + fmt.Sprint(i),
 			TargetID:    "peer_" + fmt.Sprint(i),
--- a/management/server/event.go
+++ b/management/server/event.go
@@ -2,9 +2,11 @@ package server

 import (
 	"fmt"
-	"github.com/netbirdio/netbird/management/server/activity"
-	log "github.com/sirupsen/logrus"
 	"time"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/management/server/activity"
 )

 // GetEvents returns a list of activity events of an account
@@ -39,7 +41,7 @@ func (am *DefaultAccountManager) storeEvent(initiatorID, targetID, accountID str

 	go func() {
 		_, err := am.eventStore.Save(&activity.Event{
-			Timestamp:   time.Now(),
+			Timestamp:   time.Now().UTC(),
 			Activity:    activityID,
 			InitiatorID: initiatorID,
 			TargetID:    targetID,
@@ -47,7 +49,7 @@ func (am *DefaultAccountManager) storeEvent(initiatorID, targetID, accountID str
 			Meta:        meta,
 		})
 		if err != nil {
-			//todo add metric
+			// todo add metric
 			log.Errorf("received an error while storing an activity event, error: %s", err)
 		}
 	}()
--- a/management/server/event_test.go
+++ b/management/server/event_test.go
@@ -1,17 +1,19 @@
 package server

 import (
-	"github.com/netbirdio/netbird/management/server/activity"
-	"github.com/stretchr/testify/assert"
 	"testing"
 	"time"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/netbirdio/netbird/management/server/activity"
 )

 func generateAndStoreEvents(t *testing.T, manager *DefaultAccountManager, typ activity.Activity, initiatorID, targetID,
 	accountID string, count int) {
 	for i := 0; i < count; i++ {
 		_, err := manager.eventStore.Save(&activity.Event{
-			Timestamp:   time.Now(),
+			Timestamp:   time.Now().UTC(),
 			Activity:    typ,
 			InitiatorID: initiatorID,
 			TargetID:    targetID,
--- a/management/server/file_store.go
+++ b/management/server/file_store.go
@@ -173,7 +173,7 @@ func restore(file string) (*FileStore, error) {
 		for key, peer := range account.Peers {
 			// set LastLogin for the peers that were onboarded before the peer login expiration feature
 			if peer.LastLogin.IsZero() {
-				peer.LastLogin = time.Now()
+				peer.LastLogin = time.Now().UTC()
 			}
 			if peer.ID != "" {
 				continue
--- a/management/server/file_store_test.go
+++ b/management/server/file_store_test.go
@@ -95,7 +95,7 @@ func TestSaveAccount(t *testing.T) {
 		IP:       net.IP{127, 0, 0, 1},
 		Meta:     PeerSystemMeta{},
 		Name:     "peer name",
-		Status:   &PeerStatus{Connected: true, LastSeen: time.Now()},
+		Status:   &PeerStatus{Connected: true, LastSeen: time.Now().UTC()},
 	}

 	// SaveAccount should trigger persist
@@ -131,7 +131,7 @@ func TestStore(t *testing.T) {
 		IP:       net.IP{127, 0, 0, 1},
 		Meta:     PeerSystemMeta{},
 		Name:     "peer name",
-		Status:   &PeerStatus{Connected: true, LastSeen: time.Now()},
+		Status:   &PeerStatus{Connected: true, LastSeen: time.Now().UTC()},
 	}
 	account.Groups["all"] = &Group{
 		ID:    "all",
@@ -514,7 +514,7 @@ func TestFileStore_SavePeerStatus(t *testing.T) {
 	}

 	// save status of non-existing peer
-	newStatus := PeerStatus{Connected: true, LastSeen: time.Now()}
+	newStatus := PeerStatus{Connected: true, LastSeen: time.Now().UTC()}
 	err = store.SavePeerStatus(account.Id, "non-existing-peer", newStatus)
 	assert.Error(t, err)

@@ -526,7 +526,7 @@ func TestFileStore_SavePeerStatus(t *testing.T) {
 		IP:       net.IP{127, 0, 0, 1},
 		Meta:     PeerSystemMeta{},
 		Name:     "peer name",
-		Status:   &PeerStatus{Connected: false, LastSeen: time.Now()},
+		Status:   &PeerStatus{Connected: false, LastSeen: time.Now().UTC()},
 	}

 	err = store.SaveAccount(account)
--- a/management/server/http/events_handler_test.go
+++ b/management/server/http/events_handler_test.go
@@ -54,7 +54,7 @@ func generateEvents(accountID, userID string) []*activity.Event {
 	ID := uint64(1)
 	events := make([]*activity.Event, 0)
 	events = append(events, &activity.Event{
-		Timestamp:   time.Now(),
+		Timestamp:   time.Now().UTC(),
 		Activity:    activity.PeerAddedByUser,
 		ID:          ID,
 		InitiatorID: userID,
@@ -64,7 +64,7 @@ func generateEvents(accountID, userID string) []*activity.Event {
 	})
 	ID++
 	events = append(events, &activity.Event{
-		Timestamp:   time.Now(),
+		Timestamp:   time.Now().UTC(),
 		Activity:    activity.UserJoined,
 		ID:          ID,
 		InitiatorID: userID,
@@ -74,7 +74,7 @@ func generateEvents(accountID, userID string) []*activity.Event {
 	})
 	ID++
 	events = append(events, &activity.Event{
-		Timestamp:   time.Now(),
+		Timestamp:   time.Now().UTC(),
 		Activity:    activity.GroupCreated,
 		ID:          ID,
 		InitiatorID: userID,
@@ -84,7 +84,7 @@ func generateEvents(accountID, userID string) []*activity.Event {
 	})
 	ID++
 	events = append(events, &activity.Event{
-		Timestamp:   time.Now(),
+		Timestamp:   time.Now().UTC(),
 		Activity:    activity.SetupKeyUpdated,
 		ID:          ID,
 		InitiatorID: userID,
@@ -94,7 +94,7 @@ func generateEvents(accountID, userID string) []*activity.Event {
 	})
 	ID++
 	events = append(events, &activity.Event{
-		Timestamp:   time.Now(),
+		Timestamp:   time.Now().UTC(),
 		Activity:    activity.SetupKeyUpdated,
 		ID:          ID,
 		InitiatorID: userID,
@@ -104,7 +104,7 @@ func generateEvents(accountID, userID string) []*activity.Event {
 	})
 	ID++
 	events = append(events, &activity.Event{
-		Timestamp:   time.Now(),
+		Timestamp:   time.Now().UTC(),
 		Activity:    activity.SetupKeyRevoked,
 		ID:          ID,
 		InitiatorID: userID,
@@ -114,7 +114,7 @@ func generateEvents(accountID, userID string) []*activity.Event {
 	})
 	ID++
 	events = append(events, &activity.Event{
-		Timestamp:   time.Now(),
+		Timestamp:   time.Now().UTC(),
 		Activity:    activity.SetupKeyOverused,
 		ID:          ID,
 		InitiatorID: userID,
@@ -124,7 +124,7 @@ func generateEvents(accountID, userID string) []*activity.Event {
 	})
 	ID++
 	events = append(events, &activity.Event{
-		Timestamp:   time.Now(),
+		Timestamp:   time.Now().UTC(),
 		Activity:    activity.SetupKeyCreated,
 		ID:          ID,
 		InitiatorID: userID,
@@ -134,7 +134,7 @@ func generateEvents(accountID, userID string) []*activity.Event {
 	})
 	ID++
 	events = append(events, &activity.Event{
-		Timestamp:   time.Now(),
+		Timestamp:   time.Now().UTC(),
 		Activity:    activity.RuleAdded,
 		ID:          ID,
 		InitiatorID: userID,
@@ -144,7 +144,7 @@ func generateEvents(accountID, userID string) []*activity.Event {
 	})
 	ID++
 	events = append(events, &activity.Event{
-		Timestamp:   time.Now(),
+		Timestamp:   time.Now().UTC(),
 		Activity:    activity.RuleRemoved,
 		ID:          ID,
 		InitiatorID: userID,
@@ -154,7 +154,7 @@ func generateEvents(accountID, userID string) []*activity.Event {
 	})
 	ID++
 	events = append(events, &activity.Event{
-		Timestamp:   time.Now(),
+		Timestamp:   time.Now().UTC(),
 		Activity:    activity.RuleUpdated,
 		ID:          ID,
 		InitiatorID: userID,
@@ -164,7 +164,7 @@ func generateEvents(accountID, userID string) []*activity.Event {
 	})
 	ID++
 	events = append(events, &activity.Event{
-		Timestamp:   time.Now(),
+		Timestamp:   time.Now().UTC(),
 		Activity:    activity.PeerAddedWithSetupKey,
 		ID:          ID,
 		InitiatorID: userID,
--- a/management/server/http/middleware/auth_middleware_test.go
+++ b/management/server/http/middleware/auth_middleware_test.go
@@ -34,10 +34,10 @@ var testAccount = &server.Account{
 					ID:             tokenID,
 					Name:           "My first token",
 					HashedToken:    "someHash",
-					ExpirationDate: time.Now().AddDate(0, 0, 7),
+					ExpirationDate: time.Now().UTC().AddDate(0, 0, 7),
 					CreatedBy:      userID,
-					CreatedAt:      time.Now(),
-					LastUsed:       time.Now(),
+					CreatedAt:      time.Now().UTC(),
+					LastUsed:       time.Now().UTC(),
 				},
 			},
 		},
--- a/management/server/http/pat_handler_test.go
+++ b/management/server/http/pat_handler_test.go
@@ -41,19 +41,19 @@ var testAccount = &server.Account{
 					ID:             existingTokenID,
 					Name:           "My first token",
 					HashedToken:    "someHash",
-					ExpirationDate: time.Now().AddDate(0, 0, 7),
+					ExpirationDate: time.Now().UTC().AddDate(0, 0, 7),
 					CreatedBy:      existingUserID,
-					CreatedAt:      time.Now(),
-					LastUsed:       time.Now(),
+					CreatedAt:      time.Now().UTC(),
+					LastUsed:       time.Now().UTC(),
 				},
 				"token2": {
 					ID:             "token2",
 					Name:           "My second token",
 					HashedToken:    "someOtherHash",
-					ExpirationDate: time.Now().AddDate(0, 0, 7),
+					ExpirationDate: time.Now().UTC().AddDate(0, 0, 7),
 					CreatedBy:      existingUserID,
-					CreatedAt:      time.Now(),
-					LastUsed:       time.Now(),
+					CreatedAt:      time.Now().UTC(),
+					LastUsed:       time.Now().UTC(),
 				},
 			},
 		},
--- a/management/server/idp/auth0.go
+++ b/management/server/idp/auth0.go
@@ -6,7 +6,6 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"github.com/netbirdio/netbird/management/server/telemetry"
 	"io"
 	"net/http"
 	"net/url"
@@ -15,6 +14,8 @@ import (
 	"sync"
 	"time"

+	"github.com/netbirdio/netbird/management/server/telemetry"
+
 	"github.com/golang-jwt/jwt"
 	log "github.com/sirupsen/logrus"
 )
--- a/management/server/idp/auth0_test.go
+++ b/management/server/idp/auth0_test.go
@@ -3,14 +3,16 @@ package idp
 import (
 	"encoding/json"
 	"fmt"
-	"github.com/netbirdio/netbird/management/server/telemetry"
-	"github.com/stretchr/testify/require"
 	"io"
 	"net/http"
 	"strings"
 	"testing"
 	"time"

+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/management/server/telemetry"
+
 	"github.com/golang-jwt/jwt"
 	"github.com/stretchr/testify/assert"
 )
@@ -251,7 +253,7 @@ func TestAuth0_Authenticate(t *testing.T) {
 		name:             "Get Cached token",
 		inputExpireToken: time.Now().Add(30 * time.Second),
 		helper:           JsonParser{},
-		//expectedFuncExitErrDiff: fmt.Errorf("unable to get token, statusCode 400"),
+		// expectedFuncExitErrDiff: fmt.Errorf("unable to get token, statusCode 400"),
 		expectedCode:  200,
 		expectedToken: "",
 	}
--- a/management/server/idp/keycloak.go
+++ b/management/server/idp/keycloak.go
@@ -13,8 +13,9 @@ import (
 	"time"

 	"github.com/golang-jwt/jwt"
-	"github.com/netbirdio/netbird/management/server/telemetry"
 	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/management/server/telemetry"
 )

 const (
--- a/management/server/idp/keycloak_test.go
+++ b/management/server/idp/keycloak_test.go
@@ -7,9 +7,10 @@ import (
 	"testing"
 	"time"

-	"github.com/netbirdio/netbird/management/server/telemetry"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/management/server/telemetry"
 )

 func TestNewKeycloakManager(t *testing.T) {
--- a/management/server/management_test.go
+++ b/management/server/management_test.go
@@ -12,20 +12,23 @@ import (

 	"github.com/netbirdio/netbird/management/server/activity"

-	server "github.com/netbirdio/netbird/management/server"
 	"google.golang.org/grpc/credentials/insecure"

+	"github.com/netbirdio/netbird/management/server"
+
 	pb "github.com/golang/protobuf/proto" //nolint
-	"github.com/netbirdio/netbird/encryption"
 	log "github.com/sirupsen/logrus"

-	mgmtProto "github.com/netbirdio/netbird/management/proto"
-	"github.com/netbirdio/netbird/util"
+	"github.com/netbirdio/netbird/encryption"
+
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/keepalive"
+
+	mgmtProto "github.com/netbirdio/netbird/management/proto"
+	"github.com/netbirdio/netbird/util"
 )

 const (
--- a/management/server/network.go
+++ b/management/server/network.go
@@ -1,15 +1,17 @@
 package server

 import (
-	"github.com/c-robinson/iplib"
-	nbdns "github.com/netbirdio/netbird/dns"
-	"github.com/netbirdio/netbird/management/server/status"
-	"github.com/netbirdio/netbird/route"
-	"github.com/rs/xid"
 	"math/rand"
 	"net"
 	"sync"
 	"time"
+
+	"github.com/c-robinson/iplib"
+	"github.com/rs/xid"
+
+	nbdns "github.com/netbirdio/netbird/dns"
+	"github.com/netbirdio/netbird/management/server/status"
+	"github.com/netbirdio/netbird/route"
 )

 const (
--- a/management/server/peer.go
+++ b/management/server/peer.go
@@ -6,9 +6,10 @@ import (
 	"strings"
 	"time"

+	"github.com/rs/xid"
+
 	"github.com/netbirdio/netbird/management/server/activity"
 	"github.com/netbirdio/netbird/management/server/status"
-	"github.com/rs/xid"

 	log "github.com/sirupsen/logrus"

@@ -245,7 +246,7 @@ func (am *DefaultAccountManager) MarkPeerConnected(peerPubKey string, connected

 	oldStatus := peer.Status.Copy()
 	newStatus := oldStatus
-	newStatus.LastSeen = time.Now()
+	newStatus.LastSeen = time.Now().UTC()
 	newStatus.Connected = connected
 	// whenever peer got connected that means that it logged in successfully
 	if newStatus.Connected {
@@ -477,7 +478,7 @@ func (am *DefaultAccountManager) AddPeer(setupKey, userID string, peer *Peer) (*
 	}

 	opEvent := &activity.Event{
-		Timestamp: time.Now(),
+		Timestamp: time.Now().UTC(),
 		AccountID: account.Id,
 	}

@@ -524,10 +525,10 @@ func (am *DefaultAccountManager) AddPeer(setupKey, userID string, peer *Peer) (*
 		Name:                   peer.Meta.Hostname,
 		DNSLabel:               newLabel,
 		UserID:                 userID,
-		Status:                 &PeerStatus{Connected: false, LastSeen: time.Now()},
+		Status:                 &PeerStatus{Connected: false, LastSeen: time.Now().UTC()},
 		SSHEnabled:             false,
 		SSHKey:                 peer.SSHKey,
-		LastLogin:              time.Now(),
+		LastLogin:              time.Now().UTC(),
 		LoginExpirationEnabled: addedByUser,
 	}

@@ -575,7 +576,7 @@ func (am *DefaultAccountManager) AddPeer(setupKey, userID string, peer *Peer) (*
 		return nil, nil, err
 	}

-	networkMap := account.GetPeerNetworkMap(peer.ID, am.dnsDomain)
+	networkMap := account.GetPeerNetworkMap(newPeer.ID, am.dnsDomain)
 	return newPeer, networkMap, nil
 }

@@ -704,7 +705,7 @@ func updatePeerLastLogin(peer *Peer, account *Account) {

 // UpdateLastLogin and set login expired false
 func (p *Peer) UpdateLastLogin() *Peer {
-	p.LastLogin = time.Now()
+	p.LastLogin = time.Now().UTC()
 	newStatus := p.Status.Copy()
 	newStatus.LoginExpired = false
 	p.Status = newStatus
--- a/management/server/peer_test.go
+++ b/management/server/peer_test.go
@@ -21,7 +21,7 @@ func TestPeer_LoginExpired(t *testing.T) {
 		{
 			name:              "Peer Login Expiration Disabled. Peer Login Should Not Expire",
 			expirationEnabled: false,
-			lastLogin:         time.Now().Add(-25 * time.Hour),
+			lastLogin:         time.Now().UTC().Add(-25 * time.Hour),
 			accountSettings: &Settings{
 				PeerLoginExpirationEnabled: true,
 				PeerLoginExpiration:        time.Hour,
@@ -31,7 +31,7 @@ func TestPeer_LoginExpired(t *testing.T) {
 		{
 			name:              "Peer Login Should Expire",
 			expirationEnabled: true,
-			lastLogin:         time.Now().Add(-25 * time.Hour),
+			lastLogin:         time.Now().UTC().Add(-25 * time.Hour),
 			accountSettings: &Settings{
 				PeerLoginExpirationEnabled: true,
 				PeerLoginExpiration:        time.Hour,
@@ -41,7 +41,7 @@ func TestPeer_LoginExpired(t *testing.T) {
 		{
 			name:              "Peer Login Should Not Expire",
 			expirationEnabled: true,
-			lastLogin:         time.Now(),
+			lastLogin:         time.Now().UTC(),
 			accountSettings: &Settings{
 				PeerLoginExpirationEnabled: true,
 				PeerLoginExpiration:        time.Hour,
--- a/management/server/personal_access_token.go
+++ b/management/server/personal_access_token.go
@@ -48,7 +48,7 @@ func CreateNewPAT(name string, expirationInDays int, createdBy string) (*Persona
 	if err != nil {
 		return nil, err
 	}
-	currentTime := time.Now().UTC()
+	currentTime := time.Now()
 	return &PersonalAccessTokenGenerated{
 		PersonalAccessToken: PersonalAccessToken{
 			ID:             xid.New().String(),
--- a/management/server/setupkey.go
+++ b/management/server/setupkey.go
@@ -1,15 +1,17 @@
 package server

 import (
-	"github.com/google/uuid"
-	"github.com/netbirdio/netbird/management/server/activity"
-	"github.com/netbirdio/netbird/management/server/status"
-	log "github.com/sirupsen/logrus"
 	"hash/fnv"
 	"strconv"
 	"strings"
 	"time"
 	"unicode/utf8"
+
+	"github.com/google/uuid"
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/management/server/activity"
+	"github.com/netbirdio/netbird/management/server/status"
 )

 const (
@@ -130,7 +132,7 @@ func (key *SetupKey) HiddenCopy(length int) *SetupKey {
 func (key *SetupKey) IncrementUsage() *SetupKey {
 	c := key.Copy()
 	c.UsedTimes = c.UsedTimes + 1
-	c.LastUsed = time.Now()
+	c.LastUsed = time.Now().UTC()
 	return c
 }

@@ -171,9 +173,9 @@ func GenerateSetupKey(name string, t SetupKeyType, validFor time.Duration, autoG
 		Key:        key,
 		Name:       name,
 		Type:       t,
-		CreatedAt:  time.Now(),
-		ExpiresAt:  time.Now().Add(validFor),
-		UpdatedAt:  time.Now(),
+		CreatedAt:  time.Now().UTC(),
+		ExpiresAt:  time.Now().UTC().Add(validFor),
+		UpdatedAt:  time.Now().UTC(),
 		Revoked:    false,
 		UsedTimes:  0,
 		AutoGroups: autoGroups,
@@ -274,7 +276,7 @@ func (am *DefaultAccountManager) SaveSetupKey(accountID string, keyToSave *Setup
 	newKey.Name = keyToSave.Name
 	newKey.AutoGroups = keyToSave.AutoGroups
 	newKey.Revoked = keyToSave.Revoked
-	newKey.UpdatedAt = time.Now()
+	newKey.UpdatedAt = time.Now().UTC()

 	account.SetupKeys[newKey.Key] = newKey

--- a/management/server/setupkey_test.go
+++ b/management/server/setupkey_test.go
@@ -2,12 +2,14 @@ package server

 import (
 	"fmt"
-	"github.com/google/uuid"
-	"github.com/netbirdio/netbird/management/server/activity"
-	"github.com/stretchr/testify/assert"
 	"strconv"
 	"testing"
 	"time"
+
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
+
+	"github.com/netbirdio/netbird/management/server/activity"
 )

 func TestDefaultAccountManager_SaveSetupKey(t *testing.T) {
@@ -54,7 +56,7 @@ func TestDefaultAccountManager_SaveSetupKey(t *testing.T) {
 	}

 	assertKey(t, newKey, newKeyName, revoked, "reusable", 0, key.CreatedAt, key.ExpiresAt,
-		key.Id, time.Now(), autoGroups)
+		key.Id, time.Now().UTC(), autoGroups)

 	// check the corresponding events that should have been generated
 	ev := getEvent(t, account.Id, manager, activity.SetupKeyRevoked)
@@ -108,10 +110,10 @@ func TestDefaultAccountManager_CreateSetupKey(t *testing.T) {
 		expectedCreatedAt time.Time
 		expectedUpdatedAt time.Time
 		expectedExpiresAt time.Time
-		expectedFailure   bool //indicates whether key creation should fail
+		expectedFailure   bool // indicates whether key creation should fail
 	}

-	now := time.Now()
+	now := time.Now().UTC()
 	expiresIn := time.Hour
 	testCase1 := testCase{
 		name:              "Should Create Setup Key successfully",
@@ -169,9 +171,9 @@ func TestGenerateDefaultSetupKey(t *testing.T) {
 	expectedRevoke := false
 	expectedType := "reusable"
 	expectedUsedTimes := 0
-	expectedCreatedAt := time.Now()
-	expectedUpdatedAt := time.Now()
-	expectedExpiresAt := time.Now().Add(24 * 30 * time.Hour)
+	expectedCreatedAt := time.Now().UTC()
+	expectedUpdatedAt := time.Now().UTC()
+	expectedExpiresAt := time.Now().UTC().Add(24 * 30 * time.Hour)
 	var expectedAutoGroups []string

 	key := GenerateDefaultSetupKey()
@@ -186,9 +188,9 @@ func TestGenerateSetupKey(t *testing.T) {
 	expectedRevoke := false
 	expectedType := "one-off"
 	expectedUsedTimes := 0
-	expectedCreatedAt := time.Now()
-	expectedExpiresAt := time.Now().Add(time.Hour)
-	expectedUpdatedAt := time.Now()
+	expectedCreatedAt := time.Now().UTC()
+	expectedExpiresAt := time.Now().UTC().Add(time.Hour)
+	expectedUpdatedAt := time.Now().UTC()
 	var expectedAutoGroups []string

 	key := GenerateSetupKey(expectedName, SetupKeyOneOff, time.Hour, []string{}, SetupKeyUnlimitedUsage)
--- a/management/server/turncredentials.go
+++ b/management/server/turncredentials.go
@@ -5,10 +5,12 @@ import (
 	"crypto/sha1"
 	"encoding/base64"
 	"fmt"
-	"github.com/netbirdio/netbird/management/proto"
-	log "github.com/sirupsen/logrus"
 	"sync"
 	"time"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/management/proto"
 )

 // TURNCredentialsManager used to manage TURN credentials
@@ -88,7 +90,7 @@ func (m *TimeBasedAuthSecretsManager) SetupRefresh(peerID string) {
 	log.Debugf("starting turn refresh for %s", peerID)

 	go func() {
-		//we don't want to regenerate credentials right on expiration, so we do it slightly before (at 3/4 of TTL)
+		// we don't want to regenerate credentials right on expiration, so we do it slightly before (at 3/4 of TTL)
 		ticker := time.NewTicker(m.config.CredentialsTTL.Duration / 4 * 3)

 		for {
--- a/signal/client/grpc.go
+++ b/signal/client/grpc.go
@@ -4,9 +4,11 @@ import (
 	"context"
 	"crypto/tls"
 	"fmt"
+	"io"
+	"sync"
+	"time"
+
 	"github.com/cenkalti/backoff/v4"
-	"github.com/netbirdio/netbird/encryption"
-	"github.com/netbirdio/netbird/signal/proto"
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 	"google.golang.org/grpc"
@@ -17,9 +19,9 @@ import (
 	"google.golang.org/grpc/keepalive"
 	"google.golang.org/grpc/metadata"
 	"google.golang.org/grpc/status"
-	"io"
-	"sync"
-	"time"
+
+	"github.com/netbirdio/netbird/encryption"
+	"github.com/netbirdio/netbird/signal/proto"
 )

 // ConnStateNotifier is a wrapper interface of the status recorder
@@ -155,6 +157,10 @@ func (c *GrpcClient) Receive(msgHandler func(msg *proto.Message) error) error {
 		// start receiving messages from the Signal stream (from other peers through signal)
 		err = c.receive(stream, msgHandler)
 		if err != nil {
+			if s, ok := status.FromError(err); ok && s.Code() == codes.Canceled {
+				log.Debugf("signal connection context has been canceled, this usually indicates shutdown")
+				return nil
+			}
 			// we need this reset because after a successful connection and a consequent error, backoff lib doesn't
 			// reset times and next try will start with a long delay
 			backOff.Reset()