Handle group changes

management/server/integrated_approval.go

@@ -20,6 +20,9 @@ import (
 // Returns:
 //   - error: An error if any occurred during the process, otherwise returns nil
 func (am *DefaultAccountManager) UpdateIntegratedApprovalGroups(accountID string, userID string, groups []string) error {
+	unlock := am.Store.AcquireAccountLock(accountID)
+	defer unlock()
+
 	ok, err := am.GroupValidation(accountID, groups)
 	if err != nil {
 		log.Debugf("error validating groups: %s", err.Error())
@@ -31,9 +34,6 @@ func (am *DefaultAccountManager) UpdateIntegratedApprovalGroups(accountID string
 		return errors.New("invalid groups")
 	}
 
-	unlock := am.Store.AcquireAccountLock(accountID)
-	defer unlock()
-
 	a, err := am.Store.GetAccountByUser(userID)
 	if err != nil {
 		return err
@@ -48,6 +48,16 @@ func (am *DefaultAccountManager) UpdateIntegratedApprovalGroups(accountID string
 		a.Settings.Extra = extra
 	}
 	extra.IntegratedApprovalGroups = groups
+
+	am.cleanIntegratedApprovalFlag(a, groups)
+	err = am.updateFlags(a, groups)
+	if err != nil {
+		saveErr := am.Store.SaveAccount(a)
+		if saveErr != nil {
+			log.Errorf("failed to save account: %s", saveErr)
+		}
+		return err
+	}
 	return am.Store.SaveAccount(a)
 }
 
@@ -74,3 +84,49 @@ func (am *DefaultAccountManager) GroupValidation(accountId string, groups []stri
 
 	return true, nil
 }
+
+// updateFlags set the requiresIntegratedApproval flag to true for all peers in the account what is part of the groups, but the peer not part of the already approved list in the edr db
+func (am *DefaultAccountManager) updateFlags(a *Account, groups []string) error {
+	approvedPeers, err := am.integratedPeerValidator.ApprovedPeersList(a.Id)
+	if err != nil {
+		log.Errorf("failed to get approved peers list: %s", err)
+		return err
+	}
+
+	for peerID, peer := range a.Peers {
+		peerGroups := a.GetPeerGroupsList(peerID)
+		if !isPeerAssignedToIntegratedApprovalGroup(peerGroups, groups) {
+			continue
+		}
+
+		// set true only that case if not yet approved in the edr db
+		_, ok := approvedPeers[peerID]
+		if ok {
+			continue
+		}
+		peer.Status.RequiresIntegratedApproval = true
+	}
+	return nil
+}
+
+// cleanIntegratedApprovalFlag set the requireIntegratedApproval flag to false for all peers in the account what is not part of the groups
+func (am *DefaultAccountManager) cleanIntegratedApprovalFlag(a *Account, groups []string) {
+	for peerID, peer := range a.Peers {
+		peerGroups := a.GetPeerGroupsList(peerID)
+		if isPeerAssignedToIntegratedApprovalGroup(peerGroups, groups) {
+			continue
+		}
+		peer.Status.RequiresIntegratedApproval = false
+	}
+}
+
+func isPeerAssignedToIntegratedApprovalGroup(peersGroup []string, integratedApprovalGroups []string) bool {
+	for _, peerGroup := range peersGroup {
+		for _, ig := range integratedApprovalGroups {
+			if ig == peerGroup {
+				return true
+			}
+		}
+	}
+	return false
+}

management/server/integrated_approval/interface.go

@@ -8,6 +8,7 @@ import (
 // IntegratedApproval interface exists to avoid the circle dependencies
 type IntegratedApproval interface {
 	PreparePeer(accountID string, peer *nbpeer.Peer, peersGroup []string, extraSettings *account.ExtraSettings) *nbpeer.Peer
-	IsRequiresApproval(accountID string, peer *nbpeer.Peer, peersGroup []string, extraSettings *account.ExtraSettings) bool
+	IsRequiresApproval(accountID string, peer *nbpeer.Peer, peersGroup []string, extraSettings *account.ExtraSettings) (bool, bool)
+	ApprovedPeersList(id string) (map[string]struct{}, error)
 	Stop()
 }

management/server/peer.go

@@ -521,9 +521,10 @@ func (am *DefaultAccountManager) SyncPeer(sync PeerSync) (*nbpeer.Peer, *Network
 		return nil, nil, status.Errorf(status.PermissionDenied, "peer login has expired, please log in once more")
 	}
 
-	requiresApproval := am.integratedPeerValidator.IsRequiresApproval(account.Id, peer, account.GetPeerGroupsList(peer.ID), account.Settings.Extra)
+	requiresApproval, requiresIntegratedApproval := am.integratedPeerValidator.IsRequiresApproval(account.Id, peer, account.GetPeerGroupsList(peer.ID), account.Settings.Extra)
-	if peer.Status.RequiresApproval != requiresApproval {
+	if peer.Status.RequiresApproval != requiresApproval || peer.Status.RequiresIntegratedApproval != requiresIntegratedApproval {
 		peer.Status.RequiresApproval = requiresApproval
+		peer.Status.RequiresIntegratedApproval = requiresIntegratedApproval
 		err = am.Store.SaveAccount(account)
 		if err != nil {
 			return nil, nil, err
@@ -596,8 +597,10 @@ func (am *DefaultAccountManager) LoginPeer(login PeerLogin) (*nbpeer.Peer, *Netw
 		am.StoreEvent(login.UserID, peer.ID, account.Id, activity.UserLoggedInPeer, peer.EventMeta(am.GetDNSDomain()))
 	}
 
-	isRequiresApproval := am.integratedPeerValidator.IsRequiresApproval(account.Id, peer, account.GetPeerGroupsList(peer.ID), account.Settings.Extra)
+	isRequiresApproval, isRequiresIntegratedApproval := am.integratedPeerValidator.IsRequiresApproval(account.Id, peer, account.GetPeerGroupsList(peer.ID), account.Settings.Extra)
-	if peer.Status.RequiresApproval != isRequiresApproval {
+	if peer.Status.RequiresApproval != isRequiresApproval || peer.Status.RequiresIntegratedApproval != isRequiresIntegratedApproval {
+		peer.Status.RequiresApproval = isRequiresApproval
+		peer.Status.RequiresIntegratedApproval = isRequiresIntegratedApproval
 		shouldStoreAccount = true
 	}
 

management/server/peer/peer.go

@@ -57,6 +57,8 @@ type PeerStatus struct { //nolint:revive
 	LoginExpired bool
 	// RequiresApproval indicates whether peer requires approval or not
 	RequiresApproval bool
+	// RequiresIntegratedApproval indicates whether peer requires integrated approval or not
+	RequiresIntegratedApproval bool
 }
 
 // Location is a geo location information of a Peer based on public connection IP
@@ -222,10 +224,11 @@ func (p *Peer) EventMeta(dnsDomain string) map[string]any {
 // Copy PeerStatus
 func (p *PeerStatus) Copy() *PeerStatus {
 	return &PeerStatus{
-		LastSeen:         p.LastSeen,
+		LastSeen:                   p.LastSeen,
-		Connected:        p.Connected,
+		Connected:                  p.Connected,
-		LoginExpired:     p.LoginExpired,
+		LoginExpired:               p.LoginExpired,
-		RequiresApproval: p.RequiresApproval,
+		RequiresApproval:           p.RequiresApproval,
+		RequiresIntegratedApproval: p.RequiresIntegratedApproval,
 	}
 }