add support for site-to-site routes via networks

2026-04-18 08:16:39 +00:00 · 2025-09-02 18:16:05 +02:00
parent 9e157c33c3
commit cbbc77852f
5 changed files with 78 additions and 21 deletions
--- a/management/server/account_test.go
+++ b/management/server/account_test.go
@@ -389,7 +389,7 @@ func TestAccount_GetPeerNetworkMap(t *testing.T) {
 		}
 		customZone := account.GetPeersCustomZone(context.Background(), "netbird.io")
-		networkMap := account.GetPeerNetworkMap(context.Background(), testCase.peerID, customZone, validatedPeers, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), nil)
+		networkMap := account.GetPeerNetworkMap(context.Background(), testCase.peerID, customZone, validatedPeers, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), account.GetResourceMap(), nil)
 		assert.Len(t, networkMap.Peers, len(testCase.expectedPeers))
 		assert.Len(t, networkMap.OfflinePeers, len(testCase.expectedOfflinePeers))
 	}
--- a/management/server/http/handlers/peers/peers_handler.go
+++ b/management/server/http/handlers/peers/peers_handler.go
@@ -14,11 +14,11 @@ import (
 	"github.com/netbirdio/netbird/management/server/activity"
 	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/management/server/groups"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/shared/management/http/util"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/shared/management/status"
 	"github.com/netbirdio/netbird/management/server/types"
 )
 // Handler is a handler that returns peers of the account
@@ -313,7 +313,7 @@ func (h *Handler) GetAccessiblePeers(w http.ResponseWriter, r *http.Request) {
 	dnsDomain := h.accountManager.GetDNSDomain(account.Settings)
 	customZone := account.GetPeersCustomZone(r.Context(), dnsDomain)
-	netMap := account.GetPeerNetworkMap(r.Context(), peerID, customZone, validPeers, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), nil)
+	netMap := account.GetPeerNetworkMap(r.Context(), peerID, customZone, validPeers, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), account.GetResourceMap(), nil)
 	util.WriteJSONObject(r.Context(), w, toAccessiblePeers(netMap, dnsDomain))
 }
@@ -354,7 +354,7 @@ func toSinglePeerResponse(peer *nbpeer.Peer, groupsInfo []api.GroupMinimum, dnsD
 	}
 	return &api.Peer{
-		CreatedAt:                  peer.CreatedAt,
+		CreatedAt:                   peer.CreatedAt,
 		Id:                          peer.ID,
 		Name:                        peer.Name,
 		Ip:                          peer.IP.String(),
@@ -391,7 +391,7 @@ func toPeerListItemResponse(peer *nbpeer.Peer, groupsInfo []api.GroupMinimum, dn
 	}
 	return &api.PeerBatch{
-		CreatedAt:             peer.CreatedAt,
+		CreatedAt:              peer.CreatedAt,
 		Id:                     peer.ID,
 		Name:                   peer.Name,
 		Ip:                     peer.IP.String(),
--- a/management/server/peer.go
+++ b/management/server/peer.go
@@ -432,7 +432,7 @@ func (am *DefaultAccountManager) GetNetworkMap(ctx context.Context, peerID strin
 		return nil, err
 	}
-	networkMap := account.GetPeerNetworkMap(ctx, peer.ID, customZone, validatedPeers, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), nil)
+	networkMap := account.GetPeerNetworkMap(ctx, peer.ID, customZone, validatedPeers, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), account.GetResourceMap(), nil)
 	proxyNetworkMap, ok := proxyNetworkMaps[peer.ID]
 	if ok {
@@ -1054,7 +1054,7 @@ func (am *DefaultAccountManager) getValidatedPeerWithMap(ctx context.Context, is
 		return nil, nil, nil, err
 	}
-	networkMap := account.GetPeerNetworkMap(ctx, peer.ID, customZone, approvedPeersMap, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), am.metrics.AccountManagerMetrics())
+	networkMap := account.GetPeerNetworkMap(ctx, peer.ID, customZone, approvedPeersMap, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), account.GetResourceMap(), am.metrics.AccountManagerMetrics())
 	proxyNetworkMap, ok := proxyNetworkMaps[peer.ID]
 	if ok {
@@ -1220,6 +1220,7 @@ func (am *DefaultAccountManager) UpdateAccountPeers(ctx context.Context, account
 	customZone := account.GetPeersCustomZone(ctx, dnsDomain)
 	resourcePolicies := account.GetResourcePoliciesMap()
 	routers := account.GetResourceRoutersMap()
 	resources := account.GetResourceMap()
 	proxyNetworkMaps, err := am.proxyController.GetProxyNetworkMapsAll(ctx, accountID, account.Peers)
 	if err != nil {
@@ -1256,7 +1257,7 @@ func (am *DefaultAccountManager) UpdateAccountPeers(ctx context.Context, account
 			am.metrics.UpdateChannelMetrics().CountCalcPostureChecksDuration(time.Since(start))
 			start = time.Now()
-			remotePeerNetworkMap := account.GetPeerNetworkMap(ctx, p.ID, customZone, approvedPeersMap, resourcePolicies, routers, am.metrics.AccountManagerMetrics())
+			remotePeerNetworkMap := account.GetPeerNetworkMap(ctx, p.ID, customZone, approvedPeersMap, resourcePolicies, routers, resources, am.metrics.AccountManagerMetrics())
 			am.metrics.UpdateChannelMetrics().CountCalcPeerNetworkMapDuration(time.Since(start))
 			start = time.Now()
@@ -1353,6 +1354,7 @@ func (am *DefaultAccountManager) UpdateAccountPeer(ctx context.Context, accountI
 	customZone := account.GetPeersCustomZone(ctx, dnsDomain)
 	resourcePolicies := account.GetResourcePoliciesMap()
 	routers := account.GetResourceRoutersMap()
 	resources := account.GetResourceMap()
 	postureChecks, err := am.getPeerPostureChecks(account, peerId)
 	if err != nil {
@@ -1366,7 +1368,7 @@ func (am *DefaultAccountManager) UpdateAccountPeer(ctx context.Context, accountI
 		return
 	}
-	remotePeerNetworkMap := account.GetPeerNetworkMap(ctx, peerId, customZone, approvedPeersMap, resourcePolicies, routers, am.metrics.AccountManagerMetrics())
+	remotePeerNetworkMap := account.GetPeerNetworkMap(ctx, peerId, customZone, approvedPeersMap, resourcePolicies, routers, resources, am.metrics.AccountManagerMetrics())
 	proxyNetworkMap, ok := proxyNetworkMaps[peer.ID]
 	if ok {
--- a/management/server/policy.go
+++ b/management/server/policy.go
@@ -76,9 +76,10 @@ func (am *DefaultAccountManager) SavePolicy(ctx context.Context, accountID, user
 	am.StoreEvent(ctx, userID, policy.ID, accountID, action, policy.EventMeta())
-	if updateAccountPeers {
+	updateAccountPeers = updateAccountPeers
-		am.UpdateAccountPeers(ctx, accountID)
+	// if updateAccountPeers {
-	}
+	am.UpdateAccountPeers(ctx, accountID)
 	// }
 	return policy, nil
 }
--- a/management/server/types/account.go
+++ b/management/server/types/account.go
@@ -254,6 +254,7 @@ func (a *Account) GetPeerNetworkMap(
 	validatedPeersMap map[string]struct{},
 	resourcePolicies map[string][]*Policy,
 	routers map[string]map[string]*routerTypes.NetworkRouter,
 	resources map[string]*resourceTypes.NetworkResource,
 	metrics *telemetry.AccountManagerMetrics,
 ) *NetworkMap {
 	start := time.Now()
@@ -286,10 +287,10 @@ func (a *Account) GetPeerNetworkMap(
 	routesUpdate := a.GetRoutesToSync(ctx, peerID, peersToConnect)
 	routesFirewallRules := a.GetPeerRoutesFirewallRules(ctx, peerID, validatedPeersMap)
-	isRouter, networkResourcesRoutes, sourcePeers := a.GetNetworkResourcesRoutesToSync(ctx, peerID, resourcePolicies, routers)
+	isRouter, networkResourcesRoutes, sourcePeers := a.GetNetworkResourcesRoutesToSync(ctx, peerID, resourcePolicies, routers, resources)
 	var networkResourcesFirewallRules []*RouteFirewallRule
 	if isRouter {
-		networkResourcesFirewallRules = a.GetPeerNetworkResourceFirewallRules(ctx, peer, validatedPeersMap, networkResourcesRoutes, resourcePolicies)
+		networkResourcesFirewallRules = a.GetPeerNetworkResourceFirewallRules(ctx, peer, validatedPeersMap, networkResourcesRoutes, resourcePolicies, routers, resources)
 	}
 	peersToConnectIncludingRouters := a.addNetworksRoutingPeers(networkResourcesRoutes, peer, peersToConnect, expiredPeers, isRouter, sourcePeers)
@@ -1324,7 +1325,7 @@ func GetAllRoutePoliciesFromGroups(account *Account, accessControlGroups []strin
 }
 // GetPeerNetworkResourceFirewallRules gets the network resources firewall rules associated with a routing peer ID for the account.
-func (a *Account) GetPeerNetworkResourceFirewallRules(ctx context.Context, peer *nbpeer.Peer, validatedPeersMap map[string]struct{}, routes []*route.Route, resourcePolicies map[string][]*Policy) []*RouteFirewallRule {
+func (a *Account) GetPeerNetworkResourceFirewallRules(ctx context.Context, peer *nbpeer.Peer, validatedPeersMap map[string]struct{}, routes []*route.Route, resourcePolicies map[string][]*Policy, routers map[string]map[string]*routerTypes.NetworkRouter, resources map[string]*resourceTypes.NetworkResource) []*RouteFirewallRule {
 	routesFirewallRules := make([]*RouteFirewallRule, 0)
 	for _, route := range routes {
@@ -1332,7 +1333,7 @@ func (a *Account) GetPeerNetworkResourceFirewallRules(ctx context.Context, peer
 			continue
 		}
 		resourceAppliedPolicies := resourcePolicies[string(route.GetResourceID())]
-		distributionPeers := getPoliciesSourcePeers(resourceAppliedPolicies, a.Groups)
+		distributionPeers := getPoliciesSourcePeers(resourceAppliedPolicies, a.Groups, routers, resources)
 		rules := a.getRouteFirewallRules(ctx, peer.ID, resourceAppliedPolicies, route, validatedPeersMap, distributionPeers)
 		for _, rule := range rules {
@@ -1375,7 +1376,7 @@ func (a *Account) GetResourcePoliciesMap() map[string][]*Policy {
 }
 // GetNetworkResourcesRoutesToSync returns network routes for syncing with a specific peer and its ACL peers.
-func (a *Account) GetNetworkResourcesRoutesToSync(ctx context.Context, peerID string, resourcePolicies map[string][]*Policy, routers map[string]map[string]*routerTypes.NetworkRouter) (bool, []*route.Route, map[string]struct{}) {
+func (a *Account) GetNetworkResourcesRoutesToSync(ctx context.Context, peerID string, resourcePolicies map[string][]*Policy, routers map[string]map[string]*routerTypes.NetworkRouter, resources map[string]*resourceTypes.NetworkResource) (bool, []*route.Route, map[string]struct{}) {
 	var isRoutingPeer bool
 	var routes []*route.Route
 	allSourcePeers := make(map[string]struct{}, len(a.Peers))
@@ -1398,11 +1399,32 @@ func (a *Account) GetNetworkResourcesRoutesToSync(ctx context.Context, peerID st
 		addedResourceRoute := false
 		for _, policy := range resourcePolicies[resource.ID] {
 			var peers []string
-			if policy.Rules[0].SourceResource.Type == ResourceTypePeer && policy.Rules[0].SourceResource.ID != "" {
+			switch {
 			case policy.Rules[0].SourceResource.Type == ResourceTypePeer && policy.Rules[0].SourceResource.ID != "":
 				peers = []string{policy.Rules[0].SourceResource.ID}
-			} else {
+			case policy.Rules[0].SourceResource.Type != "" && policy.Rules[0].SourceResource.ID != "":
 				if sourceResource, exists := resources[policy.Rules[0].SourceResource.ID]; exists {
 					sourceRoutingPeers, exists := routers[sourceResource.NetworkID]
 					if exists {
 						for _, router := range sourceRoutingPeers {
 							if router.Peer != "" {
 								peers = append(peers, router.Peer)
 							}
 							if router.PeerGroups != nil {
 								for _, groupID := range router.PeerGroups {
 									group := a.GetGroup(groupID)
 									if group != nil {
 										peers = append(peers, group.Peers...)
 									}
 								}
 							}
 						}
 					}
 				}
 			default:
 				peers = a.getUniquePeerIDsFromGroupsIDs(ctx, policy.SourceGroups())
 			}
 			if addSourcePeers {
 				for _, pID := range a.getPostureValidPeers(peers, policy.SourcePostureChecks) {
 					allSourcePeers[pID] = struct{}{}
@@ -1570,8 +1592,18 @@ func (a *Account) GetResourceRoutersMap() map[string]map[string]*routerTypes.Net
 	return routers
 }
 func (a *Account) GetResourceMap() map[string]*resourceTypes.NetworkResource {
 	resources := make(map[string]*resourceTypes.NetworkResource)
 	for _, resource := range a.NetworkResources {
 		resources[resource.ID] = resource
 	}
 	return resources
 }
 // getPoliciesSourcePeers collects all unique peers from the source groups defined in the given policies.
-func getPoliciesSourcePeers(policies []*Policy, groups map[string]*Group) map[string]struct{} {
+func getPoliciesSourcePeers(policies []*Policy, groups map[string]*Group, routers map[string]map[string]*routerTypes.NetworkRouter, resources map[string]*resourceTypes.NetworkResource) map[string]struct{} {
 	sourcePeers := make(map[string]struct{})
 	for _, policy := range policies {
@@ -1586,6 +1618,28 @@ func getPoliciesSourcePeers(policies []*Policy, groups map[string]*Group) map[st
 					sourcePeers[peer] = struct{}{}
 				}
 			}
 			if (rule.SourceResource.Type == ResourceTypeHost || rule.SourceResource.Type == ResourceTypeDomain || rule.SourceResource.Type == ResourceTypeSubnet) && rule.SourceResource.ID != "" {
 				if resource, ok := resources[rule.SourceResource.ID]; ok {
 					if networkRouters, exists := routers[resource.NetworkID]; exists {
 						for _, router := range networkRouters {
 							if router.Peer != "" {
 								sourcePeers[router.Peer] = struct{}{}
 							}
 							if router.PeerGroups != nil {
 								for _, groupID := range router.PeerGroups {
 									group := groups[groupID]
 									if group != nil {
 										for _, peerID := range group.Peers {
 											sourcePeers[peerID] = struct{}{}
 										}
 									}
 								}
 							}
 						}
 					}
 				}
 			}
 		}
 	}