From a4e8647aef0ba88838e693e4b5eb2578ede456a2 Mon Sep 17 00:00:00 2001 From: Bethuel Mmbaga Date: Wed, 13 Aug 2025 00:00:40 +0300 Subject: [PATCH] [management] Enable flow groups (#4230) Adds the ability to limit traffic events logging to specific peer groups --- client/cmd/testutil_test.go | 4 +++- client/internal/engine_test.go | 4 +++- client/server/server_test.go | 4 +++- go.mod | 2 +- go.sum | 4 ++-- management/cmd/management.go | 6 +++--- management/server/groups/manager.go | 9 +++++++++ management/server/grpcserver.go | 11 ++++++++--- .../http/handlers/accounts/accounts_handler.go | 2 ++ management/server/management_proto_test.go | 4 +++- management/server/management_test.go | 4 +++- management/server/peer.go | 6 ++++-- management/server/peer_test.go | 2 +- management/server/settings/manager.go | 2 ++ management/server/token_mgr.go | 17 ++++++++++++----- management/server/token_mgr_test.go | 12 ++++++++---- management/server/types/settings.go | 15 ++++++++------- shared/management/client/client_test.go | 5 ++++- shared/management/http/api/openapi.yml | 7 +++++++ shared/management/http/api/types.gen.go | 3 +++ 20 files changed, 89 insertions(+), 34 deletions(-) diff --git a/client/cmd/testutil_test.go b/client/cmd/testutil_test.go index 47804a102..50986508d 100644 --- a/client/cmd/testutil_test.go +++ b/client/cmd/testutil_test.go @@ -11,6 +11,7 @@ import ( "go.opentelemetry.io/otel" "github.com/netbirdio/netbird/management/server/activity" + "github.com/netbirdio/netbird/management/server/groups" "github.com/netbirdio/netbird/management/server/integrations/port_forwarding" "github.com/netbirdio/netbird/management/server/permissions" "github.com/netbirdio/netbird/management/server/settings" @@ -97,6 +98,7 @@ func startManagement(t *testing.T, config *types.Config, testFile string) (*grpc settingsMockManager := settings.NewMockManager(ctrl) permissionsManagerMock := permissions.NewMockManager(ctrl) + groupsManager := groups.NewManagerMock() settingsMockManager.EXPECT(). GetSettings(gomock.Any(), gomock.Any(), gomock.Any()). @@ -108,7 +110,7 @@ func startManagement(t *testing.T, config *types.Config, testFile string) (*grpc t.Fatal(err) } - secretsManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager) + secretsManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager) mgmtServer, err := mgmt.NewServer(context.Background(), config, accountManager, settingsMockManager, peersUpdateManager, secretsManager, nil, nil, nil, &mgmt.MockIntegratedValidator{}) if err != nil { t.Fatal(err) diff --git a/client/internal/engine_test.go b/client/internal/engine_test.go index 0406fe6dc..4c5b87ddc 100644 --- a/client/internal/engine_test.go +++ b/client/internal/engine_test.go @@ -27,6 +27,7 @@ import ( "golang.zx2c4.com/wireguard/tun/netstack" "github.com/netbirdio/management-integrations/integrations" + "github.com/netbirdio/netbird/management/server/groups" "github.com/netbirdio/netbird/client/iface" "github.com/netbirdio/netbird/client/iface/bind" @@ -1564,13 +1565,14 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri AnyTimes() permissionsManager := permissions.NewManager(store) + groupsManager := groups.NewManagerMock() accountManager, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false) if err != nil { return nil, "", err } - secretsManager := server.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager) + secretsManager := server.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager) mgmtServer, err := server.NewServer(context.Background(), config, accountManager, settingsMockManager, peersUpdateManager, secretsManager, nil, nil, nil, &server.MockIntegratedValidator{}) if err != nil { return nil, "", err diff --git a/client/server/server_test.go b/client/server/server_test.go index a88ca5412..8e4e0e687 100644 --- a/client/server/server_test.go +++ b/client/server/server_test.go @@ -14,6 +14,7 @@ import ( "go.opentelemetry.io/otel" "github.com/netbirdio/management-integrations/integrations" + "github.com/netbirdio/netbird/management/server/groups" log "github.com/sirupsen/logrus" "github.com/stretchr/testify/assert" @@ -302,13 +303,14 @@ func startManagement(t *testing.T, signalAddr string, counter *int) (*grpc.Serve t.Cleanup(ctrl.Finish) settingsMockManager := settings.NewMockManager(ctrl) permissionsManagerMock := permissions.NewMockManager(ctrl) + groupsManager := groups.NewManagerMock() accountManager, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false) if err != nil { return nil, "", err } - secretsManager := server.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager) + secretsManager := server.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager) mgmtServer, err := server.NewServer(context.Background(), config, accountManager, settingsMockManager, peersUpdateManager, secretsManager, nil, nil, nil, &server.MockIntegratedValidator{}) if err != nil { return nil, "", err diff --git a/go.mod b/go.mod index c6a795424..64eb1f49c 100644 --- a/go.mod +++ b/go.mod @@ -63,7 +63,7 @@ require ( github.com/miekg/dns v1.1.59 github.com/mitchellh/hashstructure/v2 v2.0.2 github.com/nadoo/ipset v0.5.0 - github.com/netbirdio/management-integrations/integrations v0.0.0-20250805121557-5f225a973d1f + github.com/netbirdio/management-integrations/integrations v0.0.0-20250812185008-dfc66fa49a2e github.com/netbirdio/signal-dispatcher/dispatcher v0.0.0-20250805121659-6b4ac470ca45 github.com/okta/okta-sdk-golang/v2 v2.18.0 github.com/oschwald/maxminddb-golang v1.12.0 diff --git a/go.sum b/go.sum index db7918e24..ff84e0446 100644 --- a/go.sum +++ b/go.sum @@ -503,8 +503,8 @@ github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944 h1:TDtJKmM6S github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944/go.mod h1:sHA6TRxjQ6RLbnI+3R4DZo2Eseg/iKiPRfNmcuNySVQ= github.com/netbirdio/ice/v3 v3.0.0-20240315174635-e72a50fcb64e h1:PURA50S8u4mF6RrkYYCAvvPCixhqqEiEy3Ej6avh04c= github.com/netbirdio/ice/v3 v3.0.0-20240315174635-e72a50fcb64e/go.mod h1:YMLU7qbKfVjmEv7EoZPIVEI+kNYxWCdPK3VS0BU+U4Q= -github.com/netbirdio/management-integrations/integrations v0.0.0-20250805121557-5f225a973d1f h1:YmqNWdRbeVn1lSpkLzIiFHX2cndRuaVYyynx2ibrOtg= -github.com/netbirdio/management-integrations/integrations v0.0.0-20250805121557-5f225a973d1f/go.mod h1:Gi9raplYzCCyh07Olw/DVfCJTFgpr1WCXJ/Q+8TSA9Q= +github.com/netbirdio/management-integrations/integrations v0.0.0-20250812185008-dfc66fa49a2e h1:S85laGfx1UP+nmRF9smP6/TY965kLWz41PbBK1TX8g0= +github.com/netbirdio/management-integrations/integrations v0.0.0-20250812185008-dfc66fa49a2e/go.mod h1:Jjve0+eUjOLKL3PJtAhjfM2iJ0SxWio5elHqlV1ymP8= github.com/netbirdio/service v0.0.0-20240911161631-f62744f42502 h1:3tHlFmhTdX9axERMVN63dqyFqnvuD+EMJHzM7mNGON8= github.com/netbirdio/service v0.0.0-20240911161631-f62744f42502/go.mod h1:CIMRFEJVL+0DS1a3Nx06NaMn4Dz63Ng6O7dl0qH0zVM= github.com/netbirdio/signal-dispatcher/dispatcher v0.0.0-20250805121659-6b4ac470ca45 h1:ujgviVYmx243Ksy7NdSwrdGPSRNE3pb8kEDSpH0QuAQ= diff --git a/management/cmd/management.go b/management/cmd/management.go index a695767ad..cb0f57079 100644 --- a/management/cmd/management.go +++ b/management/cmd/management.go @@ -34,6 +34,7 @@ import ( "github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/realip" "github.com/netbirdio/management-integrations/integrations" + "github.com/netbirdio/netbird/management/server/groups" "github.com/netbirdio/netbird/management/server/peers" "github.com/netbirdio/netbird/management/server/types" @@ -45,7 +46,6 @@ import ( "github.com/netbirdio/netbird/management/server/auth" nbContext "github.com/netbirdio/netbird/management/server/context" "github.com/netbirdio/netbird/management/server/geolocation" - "github.com/netbirdio/netbird/management/server/groups" nbhttp "github.com/netbirdio/netbird/management/server/http" "github.com/netbirdio/netbird/management/server/idp" "github.com/netbirdio/netbird/management/server/metrics" @@ -220,7 +220,8 @@ var ( return fmt.Errorf("build default manager: %v", err) } - secretsManager := server.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsManager) + groupsManager := groups.NewManager(store, permissionsManager, accountManager) + secretsManager := server.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsManager, groupsManager) trustedPeers := config.ReverseProxy.TrustedPeers defaultTrustedPeers := []netip.Prefix{netip.MustParsePrefix("0.0.0.0/0"), netip.MustParsePrefix("::/0")} @@ -277,7 +278,6 @@ var ( config.GetAuthAudiences(), config.HttpConfig.IdpSignKeyRefreshEnabled) - groupsManager := groups.NewManager(store, permissionsManager, accountManager) resourcesManager := resources.NewManager(store, permissionsManager, groupsManager, accountManager) routersManager := routers.NewManager(store, permissionsManager, accountManager) networksManager := networks.NewManager(store, permissionsManager, resourcesManager, routersManager, accountManager) diff --git a/management/server/groups/manager.go b/management/server/groups/manager.go index dd11f862f..d110ab564 100644 --- a/management/server/groups/manager.go +++ b/management/server/groups/manager.go @@ -21,6 +21,7 @@ type Manager interface { AddResourceToGroup(ctx context.Context, accountID, userID, groupID string, resourceID *types.Resource) error AddResourceToGroupInTransaction(ctx context.Context, transaction store.Store, accountID, userID, groupID string, resourceID *types.Resource) (func(), error) RemoveResourceFromGroupInTransaction(ctx context.Context, transaction store.Store, accountID, userID, groupID, resourceID string) (func(), error) + GetPeerGroupIDs(ctx context.Context, accountID, peerID string) ([]string, error) } type managerImpl struct { @@ -142,6 +143,10 @@ func (m *managerImpl) GetResourceGroupsInTransaction(ctx context.Context, transa return transaction.GetResourceGroups(ctx, lockingStrength, accountID, resourceID) } +func (m *managerImpl) GetPeerGroupIDs(ctx context.Context, accountID, peerID string) ([]string, error) { + return m.store.GetPeerGroupIDs(ctx, store.LockingStrengthShare, accountID, peerID) +} + func ToGroupsInfoMap(groups []*types.Group, idCount int) map[string][]api.GroupMinimum { groupsInfoMap := make(map[string][]api.GroupMinimum, idCount) groupsChecked := make(map[string]struct{}, len(groups)) // not sure why this is needed (left over from old implementation) @@ -202,6 +207,10 @@ func (m *mockManager) RemoveResourceFromGroupInTransaction(ctx context.Context, }, nil } +func (m *mockManager) GetPeerGroupIDs(ctx context.Context, accountID, peerID string) ([]string, error) { + return []string{}, nil +} + func NewManagerMock() Manager { return &mockManager{} } diff --git a/management/server/grpcserver.go b/management/server/grpcserver.go index 782e46948..44ab583f2 100644 --- a/management/server/grpcserver.go +++ b/management/server/grpcserver.go @@ -662,7 +662,7 @@ func toPeerConfig(peer *nbpeer.Peer, network *types.Network, dnsName string, set } } -func toSyncResponse(ctx context.Context, config *types.Config, peer *nbpeer.Peer, turnCredentials *Token, relayCredentials *Token, networkMap *types.NetworkMap, dnsName string, checks []*posture.Checks, dnsCache *DNSConfigCache, settings *types.Settings, extraSettings *types.ExtraSettings) *proto.SyncResponse { +func toSyncResponse(ctx context.Context, config *types.Config, peer *nbpeer.Peer, turnCredentials *Token, relayCredentials *Token, networkMap *types.NetworkMap, dnsName string, checks []*posture.Checks, dnsCache *DNSConfigCache, settings *types.Settings, extraSettings *types.ExtraSettings, peerGroups []string) *proto.SyncResponse { response := &proto.SyncResponse{ PeerConfig: toPeerConfig(peer, networkMap.Network, dnsName, settings), NetworkMap: &proto.NetworkMap{ @@ -674,7 +674,7 @@ func toSyncResponse(ctx context.Context, config *types.Config, peer *nbpeer.Peer } nbConfig := toNetbirdConfig(config, turnCredentials, relayCredentials, extraSettings) - extendedConfig := integrationsConfig.ExtendNetBirdConfig(peer.ID, nbConfig, extraSettings) + extendedConfig := integrationsConfig.ExtendNetBirdConfig(peer.ID, peerGroups, nbConfig, extraSettings) response.NetbirdConfig = extendedConfig response.NetworkMap.PeerConfig = response.PeerConfig @@ -750,7 +750,12 @@ func (s *GRPCServer) sendInitialSync(ctx context.Context, peerKey wgtypes.Key, p return status.Errorf(codes.Internal, "error handling request") } - plainResp := toSyncResponse(ctx, s.config, peer, turnToken, relayToken, networkMap, s.accountManager.GetDNSDomain(settings), postureChecks, nil, settings, settings.Extra) + peerGroups, err := getPeerGroupIDs(ctx, s.accountManager.GetStore(), peer.AccountID, peer.ID) + if err != nil { + return status.Errorf(codes.Internal, "failed to get peer groups %s", err) + } + + plainResp := toSyncResponse(ctx, s.config, peer, turnToken, relayToken, networkMap, s.accountManager.GetDNSDomain(settings), postureChecks, nil, settings, settings.Extra, peerGroups) encryptedResp, err := encryption.EncryptMessage(peerKey, s.wgKey, plainResp) if err != nil { diff --git a/management/server/http/handlers/accounts/accounts_handler.go b/management/server/http/handlers/accounts/accounts_handler.go index aeda61184..9f2afe29d 100644 --- a/management/server/http/handlers/accounts/accounts_handler.go +++ b/management/server/http/handlers/accounts/accounts_handler.go @@ -199,6 +199,7 @@ func (h *handler) updateAccount(w http.ResponseWriter, r *http.Request) { settings.Extra = &types.ExtraSettings{ PeerApprovalEnabled: req.Settings.Extra.PeerApprovalEnabled, FlowEnabled: req.Settings.Extra.NetworkTrafficLogsEnabled, + FlowGroups: req.Settings.Extra.NetworkTrafficLogsGroups, FlowPacketCounterEnabled: req.Settings.Extra.NetworkTrafficPacketCounterEnabled, } } @@ -327,6 +328,7 @@ func toAccountResponse(accountID string, settings *types.Settings, meta *types.A apiSettings.Extra = &api.AccountExtraSettings{ PeerApprovalEnabled: settings.Extra.PeerApprovalEnabled, NetworkTrafficLogsEnabled: settings.Extra.FlowEnabled, + NetworkTrafficLogsGroups: settings.Extra.FlowGroups, NetworkTrafficPacketCounterEnabled: settings.Extra.FlowPacketCounterEnabled, } } diff --git a/management/server/management_proto_test.go b/management/server/management_proto_test.go index c9f8b5448..f2233d49a 100644 --- a/management/server/management_proto_test.go +++ b/management/server/management_proto_test.go @@ -23,6 +23,7 @@ import ( "github.com/netbirdio/netbird/encryption" "github.com/netbirdio/netbird/formatter/hook" "github.com/netbirdio/netbird/management/server/activity" + "github.com/netbirdio/netbird/management/server/groups" "github.com/netbirdio/netbird/management/server/integrations/port_forwarding" "github.com/netbirdio/netbird/management/server/permissions" "github.com/netbirdio/netbird/management/server/settings" @@ -446,6 +447,7 @@ func startManagementForTest(t *testing.T, testFile string, config *types.Config) Return(&types.ExtraSettings{}, nil). AnyTimes() permissionsManager := permissions.NewManager(store) + groupsManager := groups.NewManagerMock() accountManager, err := BuildManager(ctx, store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, MockIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false) @@ -455,7 +457,7 @@ func startManagementForTest(t *testing.T, testFile string, config *types.Config) return nil, nil, "", cleanup, err } - secretsManager := NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager) + secretsManager := NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager) ephemeralMgr := NewEphemeralManager(store, accountManager) mgmtServer, err := NewServer(context.Background(), config, accountManager, settingsMockManager, peersUpdateManager, secretsManager, nil, ephemeralMgr, nil, MockIntegratedValidator{}) diff --git a/management/server/management_test.go b/management/server/management_test.go index 1be6b377d..03f394e46 100644 --- a/management/server/management_test.go +++ b/management/server/management_test.go @@ -23,6 +23,7 @@ import ( mgmtProto "github.com/netbirdio/netbird/shared/management/proto" "github.com/netbirdio/netbird/management/server" "github.com/netbirdio/netbird/management/server/activity" + "github.com/netbirdio/netbird/management/server/groups" "github.com/netbirdio/netbird/management/server/integrations/port_forwarding" "github.com/netbirdio/netbird/management/server/permissions" "github.com/netbirdio/netbird/management/server/settings" @@ -216,7 +217,8 @@ func startServer( t.Fatalf("failed creating an account manager: %v", err) } - secretsManager := server.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager) + groupsManager := groups.NewManager(str, permissionsManager, accountManager) + secretsManager := server.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager) mgmtServer, err := server.NewServer( context.Background(), config, diff --git a/management/server/peer.go b/management/server/peer.go index a1f669f4f..979137e94 100644 --- a/management/server/peer.go +++ b/management/server/peer.go @@ -1275,8 +1275,9 @@ func (am *DefaultAccountManager) UpdateAccountPeers(ctx context.Context, account } am.metrics.UpdateChannelMetrics().CountMergeNetworkMapDuration(time.Since(start)) + peerGroups := account.GetPeerGroups(p.ID) start = time.Now() - update := toSyncResponse(ctx, nil, p, nil, nil, remotePeerNetworkMap, dnsDomain, postureChecks, dnsCache, account.Settings, extraSetting) + update := toSyncResponse(ctx, nil, p, nil, nil, remotePeerNetworkMap, dnsDomain, postureChecks, dnsCache, account.Settings, extraSetting, maps.Keys(peerGroups)) am.metrics.UpdateChannelMetrics().CountToSyncResponseDuration(time.Since(start)) am.peersUpdateManager.SendUpdate(ctx, p.ID, &UpdateMessage{Update: update, NetworkMap: remotePeerNetworkMap}) @@ -1386,7 +1387,8 @@ func (am *DefaultAccountManager) UpdateAccountPeer(ctx context.Context, accountI return } - update := toSyncResponse(ctx, nil, peer, nil, nil, remotePeerNetworkMap, dnsDomain, postureChecks, dnsCache, account.Settings, extraSettings) + peerGroups := account.GetPeerGroups(peerId) + update := toSyncResponse(ctx, nil, peer, nil, nil, remotePeerNetworkMap, dnsDomain, postureChecks, dnsCache, account.Settings, extraSettings, maps.Keys(peerGroups)) am.peersUpdateManager.SendUpdate(ctx, peer.ID, &UpdateMessage{Update: update, NetworkMap: remotePeerNetworkMap}) } diff --git a/management/server/peer_test.go b/management/server/peer_test.go index d974e7c21..50b2f2791 100644 --- a/management/server/peer_test.go +++ b/management/server/peer_test.go @@ -1164,7 +1164,7 @@ func TestToSyncResponse(t *testing.T) { } dnsCache := &DNSConfigCache{} accountSettings := &types.Settings{RoutingPeerDNSResolutionEnabled: true} - response := toSyncResponse(context.Background(), config, peer, turnRelayToken, turnRelayToken, networkMap, dnsName, checks, dnsCache, accountSettings, nil) + response := toSyncResponse(context.Background(), config, peer, turnRelayToken, turnRelayToken, networkMap, dnsName, checks, dnsCache, accountSettings, nil, []string{}) assert.NotNil(t, response) // assert peer config diff --git a/management/server/settings/manager.go b/management/server/settings/manager.go index 6d09f1786..2b2896572 100644 --- a/management/server/settings/manager.go +++ b/management/server/settings/manager.go @@ -68,6 +68,7 @@ func (m *managerImpl) GetSettings(ctx context.Context, accountID, userID string) // Once we migrate the peer approval to settings manager this merging is obsolete if settings.Extra != nil { settings.Extra.FlowEnabled = extraSettings.FlowEnabled + settings.Extra.FlowGroups = extraSettings.FlowGroups settings.Extra.FlowPacketCounterEnabled = extraSettings.FlowPacketCounterEnabled settings.Extra.FlowENCollectionEnabled = extraSettings.FlowENCollectionEnabled settings.Extra.FlowDnsCollectionEnabled = extraSettings.FlowDnsCollectionEnabled @@ -93,6 +94,7 @@ func (m *managerImpl) GetExtraSettings(ctx context.Context, accountID string) (* } settings.Extra.FlowEnabled = extraSettings.FlowEnabled + settings.Extra.FlowGroups = extraSettings.FlowGroups return settings.Extra, nil } diff --git a/management/server/token_mgr.go b/management/server/token_mgr.go index 6f6e20b48..70ded73d7 100644 --- a/management/server/token_mgr.go +++ b/management/server/token_mgr.go @@ -11,13 +11,13 @@ import ( log "github.com/sirupsen/logrus" - "github.com/netbirdio/netbird/shared/management/proto" + integrationsConfig "github.com/netbirdio/management-integrations/integrations/config" + "github.com/netbirdio/netbird/management/server/groups" "github.com/netbirdio/netbird/management/server/settings" "github.com/netbirdio/netbird/management/server/types" + "github.com/netbirdio/netbird/shared/management/proto" auth "github.com/netbirdio/netbird/shared/relay/auth/hmac" authv2 "github.com/netbirdio/netbird/shared/relay/auth/hmac/v2" - - integrationsConfig "github.com/netbirdio/management-integrations/integrations/config" ) const defaultDuration = 12 * time.Hour @@ -39,13 +39,14 @@ type TimeBasedAuthSecretsManager struct { relayHmacToken *authv2.Generator updateManager *PeersUpdateManager settingsManager settings.Manager + groupsManager groups.Manager turnCancelMap map[string]chan struct{} relayCancelMap map[string]chan struct{} } type Token auth.Token -func NewTimeBasedAuthSecretsManager(updateManager *PeersUpdateManager, turnCfg *types.TURNConfig, relayCfg *types.Relay, settingsManager settings.Manager) *TimeBasedAuthSecretsManager { +func NewTimeBasedAuthSecretsManager(updateManager *PeersUpdateManager, turnCfg *types.TURNConfig, relayCfg *types.Relay, settingsManager settings.Manager, groupsManager groups.Manager) *TimeBasedAuthSecretsManager { mgr := &TimeBasedAuthSecretsManager{ updateManager: updateManager, turnCfg: turnCfg, @@ -53,6 +54,7 @@ func NewTimeBasedAuthSecretsManager(updateManager *PeersUpdateManager, turnCfg * turnCancelMap: make(map[string]chan struct{}), relayCancelMap: make(map[string]chan struct{}), settingsManager: settingsManager, + groupsManager: groupsManager, } if turnCfg != nil { @@ -258,6 +260,11 @@ func (m *TimeBasedAuthSecretsManager) extendNetbirdConfig(ctx context.Context, p log.WithContext(ctx).Errorf("failed to get extra settings: %v", err) } - extendedConfig := integrationsConfig.ExtendNetBirdConfig(peerID, update.NetbirdConfig, extraSettings) + peerGroups, err := m.groupsManager.GetPeerGroupIDs(ctx, accountID, peerID) + if err != nil { + log.WithContext(ctx).Errorf("failed to get peer groups: %v", err) + } + + extendedConfig := integrationsConfig.ExtendNetBirdConfig(peerID, peerGroups, update.NetbirdConfig, extraSettings) update.NetbirdConfig = extendedConfig } diff --git a/management/server/token_mgr_test.go b/management/server/token_mgr_test.go index 8bd757565..45f6aa146 100644 --- a/management/server/token_mgr_test.go +++ b/management/server/token_mgr_test.go @@ -13,9 +13,10 @@ import ( "github.com/golang/mock/gomock" "github.com/stretchr/testify/require" - "github.com/netbirdio/netbird/shared/management/proto" + "github.com/netbirdio/netbird/management/server/groups" "github.com/netbirdio/netbird/management/server/settings" "github.com/netbirdio/netbird/management/server/types" + "github.com/netbirdio/netbird/shared/management/proto" "github.com/netbirdio/netbird/util" ) @@ -40,13 +41,14 @@ func TestTimeBasedAuthSecretsManager_GenerateCredentials(t *testing.T) { ctrl := gomock.NewController(t) t.Cleanup(ctrl.Finish) settingsMockManager := settings.NewMockManager(ctrl) + groupsManager := groups.NewManagerMock() tested := NewTimeBasedAuthSecretsManager(peersManager, &types.TURNConfig{ CredentialsTTL: ttl, Secret: secret, Turns: []*types.Host{TurnTestHost}, TimeBasedCredentials: true, - }, rc, settingsMockManager) + }, rc, settingsMockManager, groupsManager) turnCredentials, err := tested.GenerateTurnToken() require.NoError(t, err) @@ -91,13 +93,14 @@ func TestTimeBasedAuthSecretsManager_SetupRefresh(t *testing.T) { t.Cleanup(ctrl.Finish) settingsMockManager := settings.NewMockManager(ctrl) settingsMockManager.EXPECT().GetExtraSettings(gomock.Any(), "someAccountID").Return(&types.ExtraSettings{}, nil).AnyTimes() + groupsManager := groups.NewManagerMock() tested := NewTimeBasedAuthSecretsManager(peersManager, &types.TURNConfig{ CredentialsTTL: ttl, Secret: secret, Turns: []*types.Host{TurnTestHost}, TimeBasedCredentials: true, - }, rc, settingsMockManager) + }, rc, settingsMockManager, groupsManager) ctx, cancel := context.WithCancel(context.Background()) defer cancel() @@ -193,13 +196,14 @@ func TestTimeBasedAuthSecretsManager_CancelRefresh(t *testing.T) { ctrl := gomock.NewController(t) t.Cleanup(ctrl.Finish) settingsMockManager := settings.NewMockManager(ctrl) + groupsManager := groups.NewManagerMock() tested := NewTimeBasedAuthSecretsManager(peersManager, &types.TURNConfig{ CredentialsTTL: ttl, Secret: secret, Turns: []*types.Host{TurnTestHost}, TimeBasedCredentials: true, - }, rc, settingsMockManager) + }, rc, settingsMockManager, groupsManager) tested.SetupRefresh(context.Background(), "someAccountID", peer) if _, ok := tested.turnCancelMap[peer]; !ok { diff --git a/management/server/types/settings.go b/management/server/types/settings.go index 436eb337c..56c33da3b 100644 --- a/management/server/types/settings.go +++ b/management/server/types/settings.go @@ -2,6 +2,7 @@ package types import ( "net/netip" + "slices" "time" ) @@ -87,21 +88,21 @@ type ExtraSettings struct { // IntegratedValidatorGroups list of group IDs to be used with integrated approval configurations IntegratedValidatorGroups []string `gorm:"serializer:json"` - FlowEnabled bool `gorm:"-"` - FlowPacketCounterEnabled bool `gorm:"-"` - FlowENCollectionEnabled bool `gorm:"-"` - FlowDnsCollectionEnabled bool `gorm:"-"` + FlowEnabled bool `gorm:"-"` + FlowGroups []string `gorm:"-"` + FlowPacketCounterEnabled bool `gorm:"-"` + FlowENCollectionEnabled bool `gorm:"-"` + FlowDnsCollectionEnabled bool `gorm:"-"` } // Copy copies the ExtraSettings struct func (e *ExtraSettings) Copy() *ExtraSettings { - var cpGroup []string - return &ExtraSettings{ PeerApprovalEnabled: e.PeerApprovalEnabled, - IntegratedValidatorGroups: append(cpGroup, e.IntegratedValidatorGroups...), + IntegratedValidatorGroups: slices.Clone(e.IntegratedValidatorGroups), IntegratedValidator: e.IntegratedValidator, FlowEnabled: e.FlowEnabled, + FlowGroups: slices.Clone(e.FlowGroups), FlowPacketCounterEnabled: e.FlowPacketCounterEnabled, FlowENCollectionEnabled: e.FlowENCollectionEnabled, FlowDnsCollectionEnabled: e.FlowDnsCollectionEnabled, diff --git a/shared/management/client/client_test.go b/shared/management/client/client_test.go index 061f21d44..306a13d80 100644 --- a/shared/management/client/client_test.go +++ b/shared/management/client/client_test.go @@ -13,6 +13,7 @@ import ( "github.com/netbirdio/netbird/client/system" "github.com/netbirdio/netbird/management/server/activity" + "github.com/netbirdio/netbird/management/server/groups" "github.com/netbirdio/netbird/management/server/integrations/port_forwarding" "github.com/netbirdio/netbird/management/server/permissions" "github.com/netbirdio/netbird/management/server/settings" @@ -111,7 +112,9 @@ func startManagement(t *testing.T) (*grpc.Server, net.Listener) { t.Fatal(err) } - secretsManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager) + groupsManager := groups.NewManagerMock() + + secretsManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager) mgmtServer, err := mgmt.NewServer(context.Background(), config, accountManager, settingsMockManager, peersUpdateManager, secretsManager, nil, nil, nil, mgmt.MockIntegratedValidator{}) if err != nil { t.Fatal(err) diff --git a/shared/management/http/api/openapi.yml b/shared/management/http/api/openapi.yml index 877c68df0..0d4921556 100644 --- a/shared/management/http/api/openapi.yml +++ b/shared/management/http/api/openapi.yml @@ -162,6 +162,12 @@ components: description: Enables or disables network traffic logging. If enabled, all network traffic events from peers will be stored. type: boolean example: true + network_traffic_logs_groups: + description: Limits traffic logging to these groups. If unset all peers are enabled. + type: array + items: + type: string + example: ch8i4ug6lnn4g9hqv7m0 network_traffic_packet_counter_enabled: description: Enables or disables network traffic packet counter. If enabled, network packets and their size will be counted and reported. (This can have an slight impact on performance) type: boolean @@ -169,6 +175,7 @@ components: required: - peer_approval_enabled - network_traffic_logs_enabled + - network_traffic_logs_groups - network_traffic_packet_counter_enabled AccountRequest: type: object diff --git a/shared/management/http/api/types.gen.go b/shared/management/http/api/types.gen.go index 71aa9c830..119ed3786 100644 --- a/shared/management/http/api/types.gen.go +++ b/shared/management/http/api/types.gen.go @@ -260,6 +260,9 @@ type AccountExtraSettings struct { // NetworkTrafficLogsEnabled Enables or disables network traffic logging. If enabled, all network traffic events from peers will be stored. NetworkTrafficLogsEnabled bool `json:"network_traffic_logs_enabled"` + // NetworkTrafficLogsGroups Limits traffic logging to these groups. If unset all peers are enabled. + NetworkTrafficLogsGroups []string `json:"network_traffic_logs_groups"` + // NetworkTrafficPacketCounterEnabled Enables or disables network traffic packet counter. If enabled, network packets and their size will be counted and reported. (This can have an slight impact on performance) NetworkTrafficPacketCounterEnabled bool `json:"network_traffic_packet_counter_enabled"`