[client] Skip firewall ruleset rebuild when config is unchanged

ApplyFiltering rebuilt every peer and route ACL and flushed the firewall
on every sync, with no guard for an unchanged configuration. Management
re-sends the same network map far more often than it actually changes
(account-wide updates, peer meta churn), so on busy accounts this is the
dominant client-side cost of redundant syncs — especially with a large
route set and a userspace firewall.

Hash the inputs ApplyFiltering consumes (peer rules, route rules, the
empty flag and the dns-route feature flag) and skip the rebuild + flush
when the hash matches the last successfully applied update. Mirrors the
guard the DNS server already uses (previousConfigHash). The hash is only
recorded after apply and flush both succeed, so a failed update is not
skipped on the next (possibly identical) sync and gets a chance to
reconcile the firewall state.

client/internal/acl/manager.go

@@ -11,6 +11,7 @@ import (
 	"time"
 
 	"github.com/hashicorp/go-multierror"
+	"github.com/mitchellh/hashstructure/v2"
 	log "github.com/sirupsen/logrus"
 
 	nberrors "github.com/netbirdio/netbird/client/errors"
@@ -30,11 +31,13 @@ type Manager interface {
 
 // DefaultManager uses firewall manager to handle
 type DefaultManager struct {
-	firewall       firewall.Manager
-	ipsetCounter   int
-	peerRulesPairs map[id.RuleID][]firewall.Rule
-	routeRules     map[id.RuleID]struct{}
-	mutex          sync.Mutex
+	firewall           firewall.Manager
+	ipsetCounter       int
+	peerRulesPairs     map[id.RuleID][]firewall.Rule
+	routeRules         map[id.RuleID]struct{}
+	previousConfigHash uint64
+	hasAppliedConfig   bool
+	mutex              sync.Mutex
 }
 
 func NewDefaultManager(fm firewall.Manager) *DefaultManager {
@@ -57,6 +60,23 @@ func (d *DefaultManager) ApplyFiltering(networkMap *mgmProto.NetworkMap, dnsRout
 		return
 	}
 
+	// Skip the full rebuild + flush when the inputs that drive the firewall
+	// state are byte-for-byte identical to the last successfully applied
+	// update. Management re-sends the same network map far more often than it
+	// actually changes (account-wide updates, peer meta churn), and rebuilding
+	// every peer/route ACL and flushing the firewall on every such sync is the
+	// dominant client-side cost when nothing changed. Mirrors the same guard the
+	// DNS server already uses (previousConfigHash). Only the fields ApplyFiltering
+	// consumes participate in the hash, so an unrelated map change cannot mask a
+	// real ACL change.
+	hash, err := d.firewallConfigHash(networkMap, dnsRouteFeatureFlag)
+	if err != nil {
+		log.Errorf("unable to hash firewall configuration, applying unconditionally: %v", err)
+	} else if d.hasAppliedConfig && d.previousConfigHash == hash {
+		log.Debugf("not applying the firewall configuration update as there is nothing new")
+		return
+	}
+
 	start := time.Now()
 	defer func() {
 		total := 0
@@ -70,13 +90,47 @@ func (d *DefaultManager) ApplyFiltering(networkMap *mgmProto.NetworkMap, dnsRout
 
 	d.applyPeerACLs(networkMap)
 
-	if err := d.applyRouteACLs(networkMap.RoutesFirewallRules, dnsRouteFeatureFlag); err != nil {
-		log.Errorf("Failed to apply route ACLs: %v", err)
+	routeErr := d.applyRouteACLs(networkMap.RoutesFirewallRules, dnsRouteFeatureFlag)
+	if routeErr != nil {
+		log.Errorf("Failed to apply route ACLs: %v", routeErr)
 	}
 
-	if err := d.firewall.Flush(); err != nil {
-		log.Error("failed to flush firewall rules: ", err)
+	flushErr := d.firewall.Flush()
+	if flushErr != nil {
+		log.Error("failed to flush firewall rules: ", flushErr)
 	}
+
+	// Only remember the hash once the firewall actually reflects this config.
+	// If applying or flushing failed, leave the previous hash untouched so the
+	// next (possibly identical) update is not skipped and gets a chance to
+	// reconcile the firewall state.
+	if err == nil && routeErr == nil && flushErr == nil {
+		d.previousConfigHash = hash
+		d.hasAppliedConfig = true
+	} else {
+		d.hasAppliedConfig = false
+	}
+}
+
+// firewallConfigHash hashes exactly the inputs ApplyFiltering uses to build the
+// firewall state, so an identical hash means an identical resulting ruleset.
+func (d *DefaultManager) firewallConfigHash(networkMap *mgmProto.NetworkMap, dnsRouteFeatureFlag bool) (uint64, error) {
+	return hashstructure.Hash(struct {
+		PeerRules           []*mgmProto.FirewallRule
+		PeerRulesIsEmpty    bool
+		RouteRules          []*mgmProto.RouteFirewallRule
+		DNSRouteFeatureFlag bool
+	}{
+		PeerRules:           networkMap.GetFirewallRules(),
+		PeerRulesIsEmpty:    networkMap.GetFirewallRulesIsEmpty(),
+		RouteRules:          networkMap.GetRoutesFirewallRules(),
+		DNSRouteFeatureFlag: dnsRouteFeatureFlag,
+	}, hashstructure.FormatV2, &hashstructure.HashOptions{
+		ZeroNil:         true,
+		IgnoreZeroValue: true,
+		SlicesAsSets:    true,
+		UseStringer:     true,
+	})
 }
 
 func (d *DefaultManager) applyPeerACLs(networkMap *mgmProto.NetworkMap) {

client/internal/acl/manager_test.go

@@ -485,3 +485,97 @@ func TestPortInfoEmpty(t *testing.T) {
 		})
 	}
 }
+
+// TestApplyFilteringSkipsUnchangedConfig verifies that an identical network map
+// re-applied is recognized as a no-op (hash unchanged), while a real change to
+// any firewall-relevant input forces a re-apply (hash changes). This is the
+// guard that prevents a full ruleset rebuild + flush on every redundant sync.
+func TestApplyFilteringSkipsUnchangedConfig(t *testing.T) {
+	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
+	t.Setenv(firewall.EnvForceUserspaceFirewall, "true")
+
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
+	ifaceMock := mocks.NewMockIFaceMapper(ctrl)
+	ifaceMock.EXPECT().IsUserspaceBind().Return(true).AnyTimes()
+	ifaceMock.EXPECT().SetFilter(gomock.Any())
+	network := netip.MustParsePrefix("172.0.0.1/32")
+	ifaceMock.EXPECT().Name().Return("lo").AnyTimes()
+	ifaceMock.EXPECT().Address().Return(wgaddr.Address{
+		IP:      network.Addr(),
+		Network: network,
+	}).AnyTimes()
+	ifaceMock.EXPECT().GetWGDevice().Return(nil).AnyTimes()
+
+	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false, iface.DefaultMTU)
+	require.NoError(t, err)
+	defer func() {
+		require.NoError(t, fw.Close(nil))
+	}()
+
+	acl := NewDefaultManager(fw)
+
+	networkMap := &mgmProto.NetworkMap{
+		FirewallRules: []*mgmProto.FirewallRule{
+			{
+				PeerIP:    "10.93.0.1",
+				Direction: mgmProto.RuleDirection_IN,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_TCP,
+				Port:      "22",
+			},
+		},
+		FirewallRulesIsEmpty: false,
+	}
+
+	acl.ApplyFiltering(networkMap, false)
+	require.True(t, acl.hasAppliedConfig, "config should be marked applied after first apply")
+	firstHash := acl.previousConfigHash
+	require.NotZero(t, firstHash)
+
+	// Re-applying the identical map must not change the recorded hash: the
+	// expensive rebuild path was skipped.
+	acl.ApplyFiltering(networkMap, false)
+	assert.Equal(t, firstHash, acl.previousConfigHash,
+		"identical re-apply must be a no-op (hash unchanged)")
+
+	// A real change must produce a different hash and re-apply.
+	networkMap.FirewallRules[0].Action = mgmProto.RuleAction_DROP
+	acl.ApplyFiltering(networkMap, false)
+	assert.NotEqual(t, firstHash, acl.previousConfigHash,
+		"changing a rule's action must force a re-apply (hash changed)")
+
+	// The dnsRouteFeatureFlag also participates in the hash.
+	changedHash := acl.previousConfigHash
+	acl.ApplyFiltering(networkMap, true)
+	assert.NotEqual(t, changedHash, acl.previousConfigHash,
+		"flipping dnsRouteFeatureFlag must force a re-apply (hash changed)")
+}
+
+// TestFirewallConfigHashDeterministic verifies the hash is stable for equal
+// inputs and order-independent for the rule slices (management does not
+// guarantee rule order).
+func TestFirewallConfigHashDeterministic(t *testing.T) {
+	d := &DefaultManager{}
+
+	nm1 := &mgmProto.NetworkMap{
+		FirewallRules: []*mgmProto.FirewallRule{
+			{PeerIP: "10.0.0.1", Direction: mgmProto.RuleDirection_IN, Action: mgmProto.RuleAction_ACCEPT, Protocol: mgmProto.RuleProtocol_TCP, Port: "22"},
+			{PeerIP: "10.0.0.2", Direction: mgmProto.RuleDirection_IN, Action: mgmProto.RuleAction_DROP, Protocol: mgmProto.RuleProtocol_TCP, Port: "80"},
+		},
+	}
+	// Same rules, reversed order.
+	nm2 := &mgmProto.NetworkMap{
+		FirewallRules: []*mgmProto.FirewallRule{
+			nm1.FirewallRules[1],
+			nm1.FirewallRules[0],
+		},
+	}
+
+	h1, err := d.firewallConfigHash(nm1, false)
+	require.NoError(t, err)
+	h2, err := d.firewallConfigHash(nm2, false)
+	require.NoError(t, err)
+	assert.Equal(t, h1, h2, "hash must be order-independent for rule slices")
+}

combined/cmd/admin.go

@@ -1,91 +0,0 @@
-package cmd
-
-import (
-	"context"
-	"fmt"
-	"os"
-	"strings"
-
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-
-	"github.com/netbirdio/netbird/formatter/hook"
-	admincmd "github.com/netbirdio/netbird/management/cmd/admin"
-	tokencmd "github.com/netbirdio/netbird/management/cmd/token"
-	"github.com/netbirdio/netbird/management/server/store"
-	"github.com/netbirdio/netbird/management/server/types"
-	"github.com/netbirdio/netbird/util"
-)
-
-// newAdminCommands creates the admin command tree with combined-specific resource openers.
-func newAdminCommands() *cobra.Command {
-	cmd := admincmd.NewCommands(withAdminResources)
-	cmd.AddCommand(tokencmd.NewCommands(withAdminTokenStore))
-	return cmd
-}
-
-// withAdminResources loads the combined YAML config, initializes stores, and calls fn.
-func withAdminResources(cmd *cobra.Command, fn func(ctx context.Context, resources admincmd.Resources) error) error {
-	return withAdminStore(cmd, func(ctx context.Context, managementStore store.Store, cfg *CombinedConfig) error {
-		mgmtConfig, err := cfg.ToManagementConfig()
-		if err != nil {
-			return fmt.Errorf("create management config: %w", err)
-		}
-
-		idpStorage, err := admincmd.OpenEmbeddedIDPStorage(mgmtConfig.EmbeddedIdP)
-		if err != nil {
-			return err
-		}
-		defer func() {
-			if err := idpStorage.Close(); err != nil {
-				log.Debugf("close embedded IdP storage: %v", err)
-			}
-		}()
-
-		return fn(ctx, admincmd.Resources{Store: managementStore, IDPStorage: idpStorage})
-	})
-}
-
-// withAdminTokenStore opens only the management store for admin token commands.
-func withAdminTokenStore(cmd *cobra.Command, fn func(ctx context.Context, s store.Store) error) error {
-	return withAdminStore(cmd, func(ctx context.Context, managementStore store.Store, _ *CombinedConfig) error {
-		return fn(ctx, managementStore)
-	})
-}
-
-func withAdminStore(cmd *cobra.Command, fn func(ctx context.Context, s store.Store, cfg *CombinedConfig) error) error {
-	if err := util.InitLog("error", "console"); err != nil {
-		return fmt.Errorf("init log: %w", err)
-	}
-
-	ctx := context.WithValue(cmd.Context(), hook.ExecutionContextKey, hook.SystemSource) //nolint:staticcheck
-
-	cfg, err := LoadConfig(configPath)
-	if err != nil {
-		return fmt.Errorf("load config: %w", err)
-	}
-
-	if dsn := cfg.Server.Store.DSN; dsn != "" {
-		switch strings.ToLower(cfg.Server.Store.Engine) {
-		case "postgres":
-			os.Setenv("NB_STORE_ENGINE_POSTGRES_DSN", dsn)
-		case "mysql":
-			os.Setenv("NB_STORE_ENGINE_MYSQL_DSN", dsn)
-		}
-	}
-	if file := cfg.Server.Store.File; file != "" {
-		os.Setenv("NB_STORE_ENGINE_SQLITE_FILE", file)
-	}
-
-	managementStore, err := store.NewStore(ctx, types.Engine(cfg.Management.Store.Engine), cfg.Management.DataDir, nil, true)
-	if err != nil {
-		return fmt.Errorf("create store: %w", err)
-	}
-	defer func() {
-		if err := managementStore.Close(ctx); err != nil {
-			log.Debugf("close store: %v", err)
-		}
-	}()
-
-	return fn(ctx, managementStore, cfg)
-}

combined/cmd/root.go

@@ -64,7 +64,7 @@ func init() {
 	rootCmd.PersistentFlags().StringVarP(&configPath, "config", "c", "", "path to YAML configuration file (required)")
 	_ = rootCmd.MarkPersistentFlagRequired("config")
 
-	rootCmd.AddCommand(newAdminCommands())
+	rootCmd.AddCommand(newTokenCommands())
 }
 
 func RootCmd() *cobra.Command {

combined/cmd/token.go

@@ -0,0 +1,63 @@
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"strings"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+
+	"github.com/netbirdio/netbird/formatter/hook"
+	tokencmd "github.com/netbirdio/netbird/management/cmd/token"
+	"github.com/netbirdio/netbird/management/server/store"
+	"github.com/netbirdio/netbird/management/server/types"
+	"github.com/netbirdio/netbird/util"
+)
+
+// newTokenCommands creates the token command tree with combined-specific store opener.
+func newTokenCommands() *cobra.Command {
+	return tokencmd.NewCommands(withTokenStore)
+}
+
+// withTokenStore loads the combined YAML config, initializes the store, and calls fn.
+func withTokenStore(cmd *cobra.Command, fn func(ctx context.Context, s store.Store) error) error {
+	if err := util.InitLog("error", "console"); err != nil {
+		return fmt.Errorf("init log: %w", err)
+	}
+
+	ctx := context.WithValue(cmd.Context(), hook.ExecutionContextKey, hook.SystemSource) //nolint:staticcheck
+
+	cfg, err := LoadConfig(configPath)
+	if err != nil {
+		return fmt.Errorf("load config: %w", err)
+	}
+
+	if dsn := cfg.Server.Store.DSN; dsn != "" {
+		switch strings.ToLower(cfg.Server.Store.Engine) {
+		case "postgres":
+			os.Setenv("NB_STORE_ENGINE_POSTGRES_DSN", dsn)
+		case "mysql":
+			os.Setenv("NB_STORE_ENGINE_MYSQL_DSN", dsn)
+		}
+	}
+	if file := cfg.Server.Store.File; file != "" {
+		os.Setenv("NB_STORE_ENGINE_SQLITE_FILE", file)
+	}
+
+	datadir := cfg.Management.DataDir
+	engine := types.Engine(cfg.Management.Store.Engine)
+
+	s, err := store.NewStore(ctx, engine, datadir, nil, true)
+	if err != nil {
+		return fmt.Errorf("create store: %w", err)
+	}
+	defer func() {
+		if err := s.Close(ctx); err != nil {
+			log.Debugf("close store: %v", err)
+		}
+	}()
+
+	return fn(ctx, s)
+}

management/cmd/admin.go

@@ -1,89 +0,0 @@
-package cmd
-
-import (
-	"context"
-	"fmt"
-	"path/filepath"
-
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-
-	"github.com/netbirdio/netbird/formatter/hook"
-	admincmd "github.com/netbirdio/netbird/management/cmd/admin"
-	tokencmd "github.com/netbirdio/netbird/management/cmd/token"
-	nbconfig "github.com/netbirdio/netbird/management/internals/server/config"
-	"github.com/netbirdio/netbird/management/server/store"
-	"github.com/netbirdio/netbird/util"
-)
-
-var adminDatadir string
-
-// newAdminCommands creates the admin command tree with management-specific resource openers.
-func newAdminCommands() *cobra.Command {
-	cmd := admincmd.NewCommands(withAdminResources)
-	cmd.PersistentFlags().StringVar(&adminDatadir, "datadir", "", "Override the data directory from config (used for store.db and the default idp.db)")
-	cmd.AddCommand(tokencmd.NewCommands(withAdminTokenStore))
-	return cmd
-}
-
-// withAdminResources initializes logging, loads config, opens the management store
-// and embedded IdP storage, and calls fn.
-func withAdminResources(cmd *cobra.Command, fn func(ctx context.Context, resources admincmd.Resources) error) error {
-	return withAdminStore(cmd, func(ctx context.Context, managementStore store.Store, config *nbconfig.Config) error {
-		idpStorage, err := admincmd.OpenEmbeddedIDPStorage(config.EmbeddedIdP)
-		if err != nil {
-			return err
-		}
-		defer func() {
-			if err := idpStorage.Close(); err != nil {
-				log.Debugf("close embedded IdP storage: %v", err)
-			}
-		}()
-
-		return fn(ctx, admincmd.Resources{Store: managementStore, IDPStorage: idpStorage})
-	})
-}
-
-// withAdminTokenStore opens only the management store for admin token commands.
-func withAdminTokenStore(cmd *cobra.Command, fn func(ctx context.Context, s store.Store) error) error {
-	return withAdminStore(cmd, func(ctx context.Context, managementStore store.Store, _ *nbconfig.Config) error {
-		return fn(ctx, managementStore)
-	})
-}
-
-func withAdminStore(cmd *cobra.Command, fn func(ctx context.Context, s store.Store, config *nbconfig.Config) error) error {
-	if err := util.InitLog("error", "console"); err != nil {
-		return fmt.Errorf("init log: %w", err)
-	}
-
-	ctx := context.WithValue(cmd.Context(), hook.ExecutionContextKey, hook.SystemSource) //nolint:staticcheck
-
-	config, err := LoadMgmtConfig(ctx, nbconfig.MgmtConfigPath)
-	if err != nil {
-		return fmt.Errorf("load config: %w", err)
-	}
-
-	datadir := config.Datadir
-	if adminDatadir != "" {
-		oldDatadir := datadir
-		datadir = adminDatadir
-		if config.EmbeddedIdP != nil && config.EmbeddedIdP.Storage.Type == "sqlite3" {
-			defaultIDPFile := filepath.Join(oldDatadir, "idp.db")
-			if config.EmbeddedIdP.Storage.Config.File == "" || config.EmbeddedIdP.Storage.Config.File == defaultIDPFile {
-				config.EmbeddedIdP.Storage.Config.File = filepath.Join(datadir, "idp.db")
-			}
-		}
-	}
-
-	managementStore, err := store.NewStore(ctx, config.StoreConfig.Engine, datadir, nil, true)
-	if err != nil {
-		return fmt.Errorf("create store: %w", err)
-	}
-	defer func() {
-		if err := managementStore.Close(ctx); err != nil {
-			log.Debugf("close store: %v", err)
-		}
-	}()
-
-	return fn(ctx, managementStore, config)
-}

management/cmd/admin/admin.go

@@ -1,441 +0,0 @@
-// Package admincmd provides reusable cobra commands for self-hosted administrator helpers.
-// Both the management and combined binaries use these commands, each providing
-// their own opener to handle config loading and storage initialization.
-package admincmd
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"io"
-	"log/slog"
-	"os"
-	"strings"
-
-	"github.com/dexidp/dex/storage"
-	"github.com/spf13/cobra"
-	"golang.org/x/crypto/bcrypt"
-
-	nbdex "github.com/netbirdio/netbird/idp/dex"
-	"github.com/netbirdio/netbird/management/server"
-	"github.com/netbirdio/netbird/management/server/idp"
-	"github.com/netbirdio/netbird/management/server/store"
-	"github.com/netbirdio/netbird/management/server/types"
-)
-
-const (
-	localConnectorID           = "local"
-	dashboardClientID          = "netbird-dashboard"
-	cliClientID                = "netbird-cli"
-	defaultTOTPAuthenticatorID = "default-totp"
-)
-
-// Resources contains the storages required by the admin commands.
-type Resources struct {
-	Store      store.Store
-	IDPStorage storage.Storage
-}
-
-// Opener initializes command resources from the command context and calls fn.
-type Opener func(cmd *cobra.Command, fn func(ctx context.Context, resources Resources) error) error
-
-type userSelector struct {
-	email  string
-	userID string
-}
-
-func (s userSelector) normalized() userSelector {
-	return userSelector{
-		email:  strings.TrimSpace(s.email),
-		userID: strings.TrimSpace(s.userID),
-	}
-}
-
-func (s userSelector) validate() error {
-	s = s.normalized()
-	if (s.email == "") == (s.userID == "") {
-		return fmt.Errorf("provide exactly one of --email or --user-id")
-	}
-	return nil
-}
-
-// NewCommands creates the admin command tree with the given resource opener.
-func NewCommands(opener Opener) *cobra.Command {
-	adminCmd := &cobra.Command{
-		Use:   "admin",
-		Short: "Self-hosted administrator helpers",
-		Long:  "Administrative helpers for self-hosted deployments using the embedded identity provider.",
-	}
-
-	userCmd := &cobra.Command{
-		Use:   "user",
-		Short: "Manage local embedded IdP users",
-	}
-
-	var passwordSelector userSelector
-	var password string
-	var passwordFile string
-	passwordCmd := &cobra.Command{
-		Use:     "change-password (--email email | --user-id id) (--password password | --password-file path)",
-		Aliases: []string{"set-password"},
-		Short:   "Change a local user's password",
-		Args:    cobra.NoArgs,
-		RunE: func(cmd *cobra.Command, _ []string) error {
-			newPassword, err := resolvePasswordInput(cmd, password, passwordFile)
-			if err != nil {
-				return err
-			}
-			return opener(cmd, func(ctx context.Context, resources Resources) error {
-				return runChangePassword(ctx, resources.IDPStorage, cmd.OutOrStdout(), passwordSelector, newPassword)
-			})
-		},
-	}
-	addUserSelectorFlags(passwordCmd, &passwordSelector)
-	passwordCmd.Flags().StringVar(&password, "password", "", "New password for the user")
-	passwordCmd.Flags().StringVar(&passwordFile, "password-file", "", "Read new password from file ('-' for stdin)")
-
-	var resetSelector userSelector
-	resetMFACmd := &cobra.Command{
-		Use:   "reset-mfa (--email email | --user-id id)",
-		Short: "Reset a local user's MFA enrollment",
-		Args:  cobra.NoArgs,
-		RunE: func(cmd *cobra.Command, _ []string) error {
-			return opener(cmd, func(ctx context.Context, resources Resources) error {
-				return runResetMFA(ctx, resources.IDPStorage, cmd.OutOrStdout(), resetSelector)
-			})
-		},
-	}
-	addUserSelectorFlags(resetMFACmd, &resetSelector)
-
-	userCmd.AddCommand(passwordCmd, resetMFACmd)
-
-	mfaCmd := &cobra.Command{
-		Use:   "mfa",
-		Short: "Manage local MFA for embedded IdP users",
-	}
-
-	enableCmd := &cobra.Command{
-		Use:   "enable",
-		Short: "Enable MFA for local embedded IdP users",
-		Args:  cobra.NoArgs,
-		RunE: func(cmd *cobra.Command, _ []string) error {
-			return opener(cmd, func(ctx context.Context, resources Resources) error {
-				return runSetMFAEnabled(ctx, resources, cmd.OutOrStdout(), true)
-			})
-		},
-	}
-
-	disableCmd := &cobra.Command{
-		Use:   "disable",
-		Short: "Disable MFA for local embedded IdP users",
-		Args:  cobra.NoArgs,
-		RunE: func(cmd *cobra.Command, _ []string) error {
-			return opener(cmd, func(ctx context.Context, resources Resources) error {
-				return runSetMFAEnabled(ctx, resources, cmd.OutOrStdout(), false)
-			})
-		},
-	}
-
-	statusCmd := &cobra.Command{
-		Use:   "status",
-		Short: "Show local MFA status",
-		Args:  cobra.NoArgs,
-		RunE: func(cmd *cobra.Command, _ []string) error {
-			return opener(cmd, func(ctx context.Context, resources Resources) error {
-				return runMFAStatus(ctx, resources, cmd.OutOrStdout())
-			})
-		},
-	}
-
-	mfaCmd.AddCommand(enableCmd, disableCmd, statusCmd)
-	adminCmd.AddCommand(userCmd, mfaCmd)
-	return adminCmd
-}
-
-// OpenEmbeddedIDPStorage opens the Dex storage configured for the embedded IdP.
-func OpenEmbeddedIDPStorage(cfg *idp.EmbeddedIdPConfig) (storage.Storage, error) {
-	if cfg == nil || !cfg.Enabled {
-		return nil, fmt.Errorf("admin commands require the embedded IdP to be enabled")
-	}
-
-	yamlConfig, err := cfg.ToYAMLConfig()
-	if err != nil {
-		return nil, fmt.Errorf("build embedded IdP config: %w", err)
-	}
-
-	logger := slog.New(slog.NewTextHandler(io.Discard, nil))
-	st, err := yamlConfig.Storage.OpenStorage(logger)
-	if err != nil {
-		return nil, fmt.Errorf("open embedded IdP storage: %w", err)
-	}
-	return st, nil
-}
-
-func addUserSelectorFlags(cmd *cobra.Command, selector *userSelector) {
-	cmd.Flags().StringVar(&selector.email, "email", "", "User email")
-	cmd.Flags().StringVar(&selector.userID, "user-id", "", "User ID")
-}
-
-func resolvePasswordInput(cmd *cobra.Command, password, passwordFile string) (string, error) {
-	if password != "" && passwordFile != "" {
-		return "", fmt.Errorf("provide only one of --password or --password-file")
-	}
-	if passwordFile == "" {
-		return password, nil
-	}
-
-	var data []byte
-	var err error
-	if passwordFile == "-" {
-		data, err = io.ReadAll(cmd.InOrStdin())
-	} else {
-		data, err = os.ReadFile(passwordFile)
-	}
-	if err != nil {
-		return "", fmt.Errorf("read password: %w", err)
-	}
-	return strings.TrimRight(string(data), "\r\n"), nil
-}
-
-func runChangePassword(ctx context.Context, idpStorage storage.Storage, w io.Writer, selector userSelector, password string) error {
-	if idpStorage == nil {
-		return fmt.Errorf("embedded IdP storage is required")
-	}
-	selector = selector.normalized()
-	if err := selector.validate(); err != nil {
-		return err
-	}
-	if password == "" {
-		return fmt.Errorf("password is required")
-	}
-	if err := server.ValidatePassword(password); err != nil {
-		return fmt.Errorf("invalid password: %w", err)
-	}
-
-	user, err := findLocalUser(ctx, idpStorage, selector)
-	if err != nil {
-		return err
-	}
-
-	hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
-	if err != nil {
-		return fmt.Errorf("hash password: %w", err)
-	}
-
-	if err := idpStorage.UpdatePassword(ctx, user.Email, func(old storage.Password) (storage.Password, error) {
-		old.Hash = hash
-		return old, nil
-	}); err != nil {
-		return fmt.Errorf("update password for %s: %w", user.Email, err)
-	}
-
-	if err := deleteLocalAuthSession(ctx, idpStorage, user.UserID); err != nil {
-		return err
-	}
-
-	_, _ = fmt.Fprintf(w, "Password updated for %s.\n", user.Email)
-	return nil
-}
-
-func runResetMFA(ctx context.Context, idpStorage storage.Storage, w io.Writer, selector userSelector) error {
-	if idpStorage == nil {
-		return fmt.Errorf("embedded IdP storage is required")
-	}
-	selector = selector.normalized()
-	if err := selector.validate(); err != nil {
-		return err
-	}
-
-	user, err := findLocalUser(ctx, idpStorage, selector)
-	if err != nil {
-		return err
-	}
-
-	reset := false
-	err = idpStorage.UpdateUserIdentity(ctx, user.UserID, localConnectorID, func(old storage.UserIdentity) (storage.UserIdentity, error) {
-		reset = reset || len(old.MFASecrets) > 0 || len(old.WebAuthnCredentials) > 0
-		old.MFASecrets = map[string]*storage.MFASecret{}
-		old.WebAuthnCredentials = map[string][]storage.WebAuthnCredential{}
-		return old, nil
-	})
-	if errors.Is(err, storage.ErrNotFound) {
-		if err := deleteLocalAuthSession(ctx, idpStorage, user.UserID); err != nil {
-			return err
-		}
-		_, _ = fmt.Fprintf(w, "No MFA enrollment found for %s.\n", user.Email)
-		return nil
-	}
-	if err != nil {
-		return fmt.Errorf("reset MFA for %s: %w", user.Email, err)
-	}
-
-	if err := deleteLocalAuthSession(ctx, idpStorage, user.UserID); err != nil {
-		return err
-	}
-
-	if reset {
-		_, _ = fmt.Fprintf(w, "MFA reset for %s. The user will re-enroll at next login.\n", user.Email)
-	} else {
-		_, _ = fmt.Fprintf(w, "No MFA enrollment found for %s.\n", user.Email)
-	}
-	return nil
-}
-
-func runSetMFAEnabled(ctx context.Context, resources Resources, w io.Writer, enabled bool) error {
-	if resources.Store == nil {
-		return fmt.Errorf("management store is required")
-	}
-	if resources.IDPStorage == nil {
-		return fmt.Errorf("embedded IdP storage is required")
-	}
-
-	accounts := resources.Store.GetAllAccounts(ctx)
-	if len(accounts) != 1 {
-		return fmt.Errorf("expected exactly one account, got %d; local MFA is supported only in single-account embedded IdP deployments", len(accounts))
-	}
-
-	settings := &types.Settings{}
-	if accounts[0].Settings != nil {
-		settings = accounts[0].Settings.Copy()
-	}
-	settings.LocalMfaEnabled = enabled
-	if err := resources.Store.SaveAccountSettings(ctx, accounts[0].Id, settings); err != nil {
-		return fmt.Errorf("save local MFA account setting: %w", err)
-	}
-
-	if err := setIDPClientsMFA(ctx, resources.IDPStorage, enabled); err != nil {
-		return err
-	}
-
-	state := "disabled"
-	if enabled {
-		state = "enabled"
-	}
-	_, _ = fmt.Fprintf(w, "Local MFA %s.\n", state)
-	return nil
-}
-
-func runMFAStatus(ctx context.Context, resources Resources, w io.Writer) error {
-	if resources.Store == nil {
-		return fmt.Errorf("management store is required")
-	}
-	if resources.IDPStorage == nil {
-		return fmt.Errorf("embedded IdP storage is required")
-	}
-
-	accounts := resources.Store.GetAllAccounts(ctx)
-	accountStatus := "unknown"
-	if len(accounts) == 1 && accounts[0].Settings != nil {
-		accountStatus = "disabled"
-		if accounts[0].Settings.LocalMfaEnabled {
-			accountStatus = "enabled"
-		}
-	}
-
-	clientStatus, err := idpClientsMFAStatus(ctx, resources.IDPStorage)
-	if err != nil {
-		return err
-	}
-
-	_, _ = fmt.Fprintf(w, "Account setting: %s\n", accountStatus)
-	_, _ = fmt.Fprintf(w, "Embedded IdP clients: %s\n", clientStatus)
-	return nil
-}
-
-func findLocalUser(ctx context.Context, idpStorage storage.Storage, selector userSelector) (storage.Password, error) {
-	selector = selector.normalized()
-	if err := selector.validate(); err != nil {
-		return storage.Password{}, err
-	}
-
-	if selector.email != "" {
-		user, err := idpStorage.GetPassword(ctx, selector.email)
-		if errors.Is(err, storage.ErrNotFound) {
-			return storage.Password{}, fmt.Errorf("local user with email %q not found", selector.email)
-		}
-		if err != nil {
-			return storage.Password{}, fmt.Errorf("get local user by email %q: %w", selector.email, err)
-		}
-		return user, nil
-	}
-
-	rawUserID := selector.userID
-	if decodedUserID, _, err := nbdex.DecodeDexUserID(selector.userID); err == nil && decodedUserID != "" {
-		rawUserID = decodedUserID
-	}
-
-	users, err := idpStorage.ListPasswords(ctx)
-	if err != nil {
-		return storage.Password{}, fmt.Errorf("list local users: %w", err)
-	}
-	for _, user := range users {
-		if user.UserID == rawUserID || user.UserID == selector.userID {
-			return user, nil
-		}
-	}
-
-	return storage.Password{}, fmt.Errorf("local user with ID %q not found", selector.userID)
-}
-
-func deleteLocalAuthSession(ctx context.Context, idpStorage storage.Storage, userID string) error {
-	err := idpStorage.DeleteAuthSession(ctx, userID, localConnectorID)
-	if err == nil || errors.Is(err, storage.ErrNotFound) {
-		return nil
-	}
-	return fmt.Errorf("delete local auth session for user %s: %w", userID, err)
-}
-
-func setIDPClientsMFA(ctx context.Context, idpStorage storage.Storage, enabled bool) error {
-	var mfaChain []string
-	if enabled {
-		mfaChain = []string{defaultTOTPAuthenticatorID}
-	}
-
-	for _, clientID := range []string{cliClientID, dashboardClientID} {
-		if err := idpStorage.UpdateClient(ctx, clientID, func(old storage.Client) (storage.Client, error) {
-			old.MFAChain = mfaChain
-			return old, nil
-		}); err != nil {
-			if errors.Is(err, storage.ErrNotFound) {
-				return fmt.Errorf("embedded IdP client %q not found; start the management server once before toggling MFA", clientID)
-			}
-			return fmt.Errorf("update MFA chain on embedded IdP client %q: %w", clientID, err)
-		}
-	}
-	return nil
-}
-
-func idpClientsMFAStatus(ctx context.Context, idpStorage storage.Storage) (string, error) {
-	clientIDs := []string{cliClientID, dashboardClientID}
-	enabledCount := 0
-	for _, clientID := range clientIDs {
-		client, err := idpStorage.GetClient(ctx, clientID)
-		if errors.Is(err, storage.ErrNotFound) {
-			return "unknown", fmt.Errorf("embedded IdP client %q not found", clientID)
-		}
-		if err != nil {
-			return "unknown", fmt.Errorf("get embedded IdP client %q: %w", clientID, err)
-		}
-		if hasAuthenticator(client.MFAChain, defaultTOTPAuthenticatorID) {
-			enabledCount++
-		}
-	}
-
-	switch enabledCount {
-	case 0:
-		return "disabled", nil
-	case len(clientIDs):
-		return "enabled", nil
-	default:
-		return "partially enabled", nil
-	}
-}
-
-func hasAuthenticator(chain []string, authenticatorID string) bool {
-	for _, id := range chain {
-		if id == authenticatorID {
-			return true
-		}
-	}
-	return false
-}

management/cmd/admin/admin_test.go

@@ -1,160 +0,0 @@
-package admincmd
-
-import (
-	"bytes"
-	"context"
-	"io"
-	"log/slog"
-	"strings"
-	"testing"
-	"time"
-
-	"github.com/dexidp/dex/storage"
-	"github.com/dexidp/dex/storage/memory"
-	"github.com/spf13/cobra"
-	"github.com/stretchr/testify/require"
-	"golang.org/x/crypto/bcrypt"
-
-	nbdex "github.com/netbirdio/netbird/idp/dex"
-)
-
-func newTestIDPStorage(t *testing.T) storage.Storage {
-	t.Helper()
-
-	st := memory.New(slog.New(slog.NewTextHandler(io.Discard, nil)))
-	hash, err := bcrypt.GenerateFromPassword([]byte("OldPass1!"), bcrypt.DefaultCost)
-	require.NoError(t, err)
-
-	require.NoError(t, st.CreatePassword(context.Background(), storage.Password{
-		Email:    "user@example.com",
-		Username: "User",
-		UserID:   "user-1",
-		Hash:     hash,
-	}))
-	require.NoError(t, st.CreateUserIdentity(context.Background(), storage.UserIdentity{
-		UserID:      "user-1",
-		ConnectorID: localConnectorID,
-		MFASecrets: map[string]*storage.MFASecret{
-			defaultTOTPAuthenticatorID: {
-				AuthenticatorID: defaultTOTPAuthenticatorID,
-				Type:            "TOTP",
-				Secret:          "otpauth://totp/NetBird:user@example.com?secret=ABC",
-				Confirmed:       true,
-				CreatedAt:       time.Now(),
-			},
-		},
-		WebAuthnCredentials: map[string][]storage.WebAuthnCredential{
-			"webauthn": {{CredentialID: []byte("credential")}},
-		},
-	}))
-	require.NoError(t, st.CreateAuthSession(context.Background(), storage.AuthSession{
-		UserID:      "user-1",
-		ConnectorID: localConnectorID,
-		Nonce:       "nonce",
-	}))
-	require.NoError(t, st.CreateClient(context.Background(), storage.Client{ID: cliClientID, Name: "CLI"}))
-	require.NoError(t, st.CreateClient(context.Background(), storage.Client{ID: dashboardClientID, Name: "Dashboard"}))
-
-	return st
-}
-
-func TestRunChangePassword(t *testing.T) {
-	ctx := context.Background()
-	st := newTestIDPStorage(t)
-	var out bytes.Buffer
-
-	err := runChangePassword(ctx, st, &out, userSelector{email: "user@example.com"}, "NewPass1!")
-	require.NoError(t, err)
-	require.Contains(t, out.String(), "Password updated")
-
-	user, err := st.GetPassword(ctx, "user@example.com")
-	require.NoError(t, err)
-	require.NoError(t, bcrypt.CompareHashAndPassword(user.Hash, []byte("NewPass1!")))
-
-	_, err = st.GetAuthSession(ctx, "user-1", localConnectorID)
-	require.ErrorIs(t, err, storage.ErrNotFound)
-}
-
-func TestRunChangePasswordValidatesPassword(t *testing.T) {
-	st := newTestIDPStorage(t)
-	err := runChangePassword(context.Background(), st, io.Discard, userSelector{email: "user@example.com"}, "short")
-	require.Error(t, err)
-	require.Contains(t, err.Error(), "invalid password")
-}
-
-func TestRunResetMFA(t *testing.T) {
-	ctx := context.Background()
-	st := newTestIDPStorage(t)
-	var out bytes.Buffer
-
-	encodedUserID := nbdex.EncodeDexUserID("user-1", localConnectorID)
-	err := runResetMFA(ctx, st, &out, userSelector{userID: encodedUserID})
-	require.NoError(t, err)
-	require.Contains(t, out.String(), "MFA reset")
-
-	identity, err := st.GetUserIdentity(ctx, "user-1", localConnectorID)
-	require.NoError(t, err)
-	require.Empty(t, identity.MFASecrets)
-	require.Empty(t, identity.WebAuthnCredentials)
-
-	_, err = st.GetAuthSession(ctx, "user-1", localConnectorID)
-	require.ErrorIs(t, err, storage.ErrNotFound)
-}
-
-func TestRunResetMFAWithoutEnrollment(t *testing.T) {
-	ctx := context.Background()
-	st := newTestIDPStorage(t)
-	require.NoError(t, st.UpdateUserIdentity(ctx, "user-1", localConnectorID, func(old storage.UserIdentity) (storage.UserIdentity, error) {
-		old.MFASecrets = nil
-		old.WebAuthnCredentials = nil
-		return old, nil
-	}))
-
-	var out bytes.Buffer
-	err := runResetMFA(ctx, st, &out, userSelector{email: "user@example.com"})
-	require.NoError(t, err)
-	require.Contains(t, out.String(), "No MFA enrollment found")
-}
-
-func TestSetIDPClientsMFA(t *testing.T) {
-	ctx := context.Background()
-	st := newTestIDPStorage(t)
-
-	require.NoError(t, setIDPClientsMFA(ctx, st, true))
-	status, err := idpClientsMFAStatus(ctx, st)
-	require.NoError(t, err)
-	require.Equal(t, "enabled", status)
-
-	require.NoError(t, setIDPClientsMFA(ctx, st, false))
-	status, err = idpClientsMFAStatus(ctx, st)
-	require.NoError(t, err)
-	require.Equal(t, "disabled", status)
-}
-
-func TestUserSelectorValidate(t *testing.T) {
-	require.NoError(t, userSelector{email: " user@example.com "}.validate())
-	require.NoError(t, userSelector{userID: "user-1"}.validate())
-	require.Error(t, userSelector{}.validate())
-	require.Error(t, userSelector{email: "user@example.com", userID: "user-1"}.validate())
-}
-
-func TestFindLocalUserNotFound(t *testing.T) {
-	st := newTestIDPStorage(t)
-	_, err := findLocalUser(context.Background(), st, userSelector{email: "missing@example.com"})
-	require.Error(t, err)
-	require.True(t, strings.Contains(err.Error(), "not found"))
-}
-
-func TestResolvePasswordInputFromStdin(t *testing.T) {
-	cmd := &cobra.Command{}
-	cmd.SetIn(strings.NewReader("NewPass1!\n"))
-
-	password, err := resolvePasswordInput(cmd, "", "-")
-	require.NoError(t, err)
-	require.Equal(t, "NewPass1!", password)
-}
-
-func TestResolvePasswordInputRejectsMultipleSources(t *testing.T) {
-	_, err := resolvePasswordInput(&cobra.Command{}, "NewPass1!", "-")
-	require.Error(t, err)
-}

management/cmd/root.go

@@ -83,7 +83,7 @@ func init() {
 
 	rootCmd.AddCommand(migrationCmd)
 
-	ac := newAdminCommands()
-	ac.PersistentFlags().StringVar(&nbconfig.MgmtConfigPath, "config", defaultMgmtConfig, "Netbird config file location")
-	rootCmd.AddCommand(ac)
+	tc := newTokenCommands()
+	tc.PersistentFlags().StringVar(&nbconfig.MgmtConfigPath, "config", defaultMgmtConfig, "Netbird config file location")
+	rootCmd.AddCommand(tc)
 }

management/cmd/token.go

@@ -0,0 +1,55 @@
+package cmd
+
+import (
+	"context"
+	"fmt"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+
+	"github.com/netbirdio/netbird/formatter/hook"
+	tokencmd "github.com/netbirdio/netbird/management/cmd/token"
+	nbconfig "github.com/netbirdio/netbird/management/internals/server/config"
+	"github.com/netbirdio/netbird/management/server/store"
+	"github.com/netbirdio/netbird/util"
+)
+
+var tokenDatadir string
+
+// newTokenCommands creates the token command tree with management-specific store opener.
+func newTokenCommands() *cobra.Command {
+	cmd := tokencmd.NewCommands(withTokenStore)
+	cmd.PersistentFlags().StringVar(&tokenDatadir, "datadir", "", "Override the data directory from config (where store.db is located)")
+	return cmd
+}
+
+// withTokenStore initializes logging, loads config, opens the store, and calls fn.
+func withTokenStore(cmd *cobra.Command, fn func(ctx context.Context, s store.Store) error) error {
+	if err := util.InitLog("error", "console"); err != nil {
+		return fmt.Errorf("init log: %w", err)
+	}
+
+	ctx := context.WithValue(cmd.Context(), hook.ExecutionContextKey, hook.SystemSource) //nolint:staticcheck
+
+	config, err := LoadMgmtConfig(ctx, nbconfig.MgmtConfigPath)
+	if err != nil {
+		return fmt.Errorf("load config: %w", err)
+	}
+
+	datadir := config.Datadir
+	if tokenDatadir != "" {
+		datadir = tokenDatadir
+	}
+
+	s, err := store.NewStore(ctx, config.StoreConfig.Engine, datadir, nil, true)
+	if err != nil {
+		return fmt.Errorf("create store: %w", err)
+	}
+	defer func() {
+		if err := s.Close(ctx); err != nil {
+			log.Debugf("close store: %v", err)
+		}
+	}()
+
+	return fn(ctx, s)
+}

management/server/user.go

@@ -1847,17 +1847,12 @@ func (am *DefaultAccountManager) DeleteUserInvite(ctx context.Context, accountID
 
 const minPasswordLength = 8
 
-// validatePassword checks password strength requirements.
-func validatePassword(password string) error {
-	return ValidatePassword(password)
-}
-
-// ValidatePassword checks password strength requirements:
+// validatePassword checks password strength requirements:
 // - Minimum 8 characters
 // - At least 1 digit
 // - At least 1 uppercase letter
 // - At least 1 special character
-func ValidatePassword(password string) error {
+func validatePassword(password string) error {
 	if len(password) < minPasswordLength {
 		return errors.New("password must be at least 8 characters long")
 	}