Merge branch 'main' into vk/compare-nmaps

client/internal/auth/pkce_flow.go

@@ -192,17 +192,20 @@ func (p *PKCEAuthorizationFlow) handleRequest(req *http.Request) (*oauth2.Token,
 
 	if authError := query.Get(queryError); authError != "" {
 		authErrorDesc := query.Get(queryErrorDesc)
-		return nil, fmt.Errorf("%s.%s", authError, authErrorDesc)
+		if authErrorDesc != "" {
+			return nil, fmt.Errorf("authentication failed: %s", authErrorDesc)
+		}
+		return nil, fmt.Errorf("authentication failed: %s", authError)
 	}
 
 	// Prevent timing attacks on the state
 	if state := query.Get(queryState); subtle.ConstantTimeCompare([]byte(p.state), []byte(state)) == 0 {
-		return nil, fmt.Errorf("invalid state")
+		return nil, fmt.Errorf("authentication failed: Invalid state")
 	}
 
 	code := query.Get(queryCode)
 	if code == "" {
-		return nil, fmt.Errorf("missing code")
+		return nil, fmt.Errorf("authentication failed: missing code")
 	}
 
 	return p.oAuthConfig.Exchange(
@@ -231,7 +234,7 @@ func (p *PKCEAuthorizationFlow) parseOAuthToken(token *oauth2.Token) (TokenInfo,
 	}
 
 	if err := isValidAccessToken(tokenInfo.GetTokenToUse(), audience); err != nil {
-		return TokenInfo{}, fmt.Errorf("validate access token failed with error: %v", err)
+		return TokenInfo{}, fmt.Errorf("authentication failed: invalid access token - %w", err)
 	}
 
 	email, err := parseEmailFromIDToken(tokenInfo.IDToken)

client/internal/templates/pkce_auth_msg_test.go

@@ -0,0 +1,299 @@
+package templates
+
+import (
+	"html/template"
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func TestPKCEAuthMsgTemplate(t *testing.T) {
+	tests := []struct {
+		name                 string
+		data                 map[string]string
+		outputFile           string
+		expectedTitle        string
+		expectedInContent    []string
+		notExpectedInContent []string
+	}{
+		{
+			name: "error_state",
+			data: map[string]string{
+				"Error": "authentication failed: invalid state",
+			},
+			outputFile:    "pkce-auth-error.html",
+			expectedTitle: "Login Failed",
+			expectedInContent: []string{
+				"authentication failed: invalid state",
+				"Login Failed",
+			},
+			notExpectedInContent: []string{
+				"Login Successful",
+				"Your device is now registered and logged in to NetBird",
+			},
+		},
+		{
+			name: "success_state",
+			data: map[string]string{
+				// No error field means success
+			},
+			outputFile:    "pkce-auth-success.html",
+			expectedTitle: "Login Successful",
+			expectedInContent: []string{
+				"Login Successful",
+				"Your device is now registered and logged in to NetBird. You can now close this window.",
+			},
+			notExpectedInContent: []string{
+				"Login Failed",
+			},
+		},
+		{
+			name: "error_state_timeout",
+			data: map[string]string{
+				"Error": "authentication timeout: request expired after 5 minutes",
+			},
+			outputFile:    "pkce-auth-timeout.html",
+			expectedTitle: "Login Failed",
+			expectedInContent: []string{
+				"authentication timeout: request expired after 5 minutes",
+				"Login Failed",
+			},
+			notExpectedInContent: []string{
+				"Login Successful",
+				"Your device is now registered and logged in to NetBird",
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Parse the template
+			tmpl, err := template.New("pkce-auth-msg").Parse(PKCEAuthMsgTmpl)
+			if err != nil {
+				t.Fatalf("Failed to parse template: %v", err)
+			}
+
+			// Create temp directory for this test
+			tempDir := t.TempDir()
+			outputPath := filepath.Join(tempDir, tt.outputFile)
+
+			// Create output file
+			file, err := os.Create(outputPath)
+			if err != nil {
+				t.Fatalf("Failed to create output file: %v", err)
+			}
+
+			// Execute the template
+			if err := tmpl.Execute(file, tt.data); err != nil {
+				file.Close()
+				t.Fatalf("Failed to execute template: %v", err)
+			}
+			file.Close()
+
+			t.Logf("Generated test output: %s", outputPath)
+
+			// Read the generated file
+			content, err := os.ReadFile(outputPath)
+			if err != nil {
+				t.Fatalf("Failed to read output file: %v", err)
+			}
+
+			contentStr := string(content)
+
+			// Verify file has content
+			if len(contentStr) == 0 {
+				t.Error("Output file is empty")
+			}
+
+			// Verify basic HTML structure
+			basicElements := []string{
+				"<!DOCTYPE html>",
+				"<html",
+				"<head>",
+				"<body>",
+				"NetBird",
+			}
+
+			for _, elem := range basicElements {
+				if !contains(contentStr, elem) {
+					t.Errorf("Expected HTML to contain '%s', but it was not found", elem)
+				}
+			}
+
+			// Verify expected title
+			if !contains(contentStr, tt.expectedTitle) {
+				t.Errorf("Expected HTML to contain title '%s', but it was not found", tt.expectedTitle)
+			}
+
+			// Verify expected content is present
+			for _, expected := range tt.expectedInContent {
+				if !contains(contentStr, expected) {
+					t.Errorf("Expected HTML to contain '%s', but it was not found", expected)
+				}
+			}
+
+			// Verify unexpected content is not present
+			for _, notExpected := range tt.notExpectedInContent {
+				if contains(contentStr, notExpected) {
+					t.Errorf("Expected HTML to NOT contain '%s', but it was found", notExpected)
+				}
+			}
+		})
+	}
+}
+
+func TestPKCEAuthMsgTemplateValidation(t *testing.T) {
+	// Test that the template can be parsed without errors
+	tmpl, err := template.New("pkce-auth-msg").Parse(PKCEAuthMsgTmpl)
+	if err != nil {
+		t.Fatalf("Template parsing failed: %v", err)
+	}
+
+	// Test with empty data
+	t.Run("empty_data", func(t *testing.T) {
+		tempDir := t.TempDir()
+		outputPath := filepath.Join(tempDir, "empty-data.html")
+
+		file, err := os.Create(outputPath)
+		if err != nil {
+			t.Fatalf("Failed to create output file: %v", err)
+		}
+		defer file.Close()
+
+		if err := tmpl.Execute(file, nil); err != nil {
+			t.Errorf("Template execution with nil data failed: %v", err)
+		}
+	})
+
+	// Test with error data
+	t.Run("with_error", func(t *testing.T) {
+		tempDir := t.TempDir()
+		outputPath := filepath.Join(tempDir, "with-error.html")
+
+		file, err := os.Create(outputPath)
+		if err != nil {
+			t.Fatalf("Failed to create output file: %v", err)
+		}
+		defer file.Close()
+
+		data := map[string]string{
+			"Error": "test error message",
+		}
+		if err := tmpl.Execute(file, data); err != nil {
+			t.Errorf("Template execution with error data failed: %v", err)
+		}
+	})
+}
+
+func TestPKCEAuthMsgTemplateContent(t *testing.T) {
+	// Test that the template contains expected elements
+	tmpl, err := template.New("pkce-auth-msg").Parse(PKCEAuthMsgTmpl)
+	if err != nil {
+		t.Fatalf("Template parsing failed: %v", err)
+	}
+
+	t.Run("success_content", func(t *testing.T) {
+		tempDir := t.TempDir()
+		outputPath := filepath.Join(tempDir, "success.html")
+
+		file, err := os.Create(outputPath)
+		if err != nil {
+			t.Fatalf("Failed to create output file: %v", err)
+		}
+		defer file.Close()
+
+		data := map[string]string{}
+		if err := tmpl.Execute(file, data); err != nil {
+			t.Fatalf("Template execution failed: %v", err)
+		}
+
+		// Read the file and verify it contains expected content
+		content, err := os.ReadFile(outputPath)
+		if err != nil {
+			t.Fatalf("Failed to read output file: %v", err)
+		}
+
+		// Check for success indicators
+		contentStr := string(content)
+		if len(contentStr) == 0 {
+			t.Error("Generated HTML is empty")
+		}
+
+		// Basic HTML structure checks
+		requiredElements := []string{
+			"<!DOCTYPE html>",
+			"<html",
+			"<head>",
+			"<body>",
+			"Login Successful",
+			"NetBird",
+		}
+
+		for _, elem := range requiredElements {
+			if !contains(contentStr, elem) {
+				t.Errorf("Expected HTML to contain '%s', but it was not found", elem)
+			}
+		}
+	})
+
+	t.Run("error_content", func(t *testing.T) {
+		tempDir := t.TempDir()
+		outputPath := filepath.Join(tempDir, "error.html")
+
+		file, err := os.Create(outputPath)
+		if err != nil {
+			t.Fatalf("Failed to create output file: %v", err)
+		}
+		defer file.Close()
+
+		errorMsg := "test error message"
+		data := map[string]string{
+			"Error": errorMsg,
+		}
+		if err := tmpl.Execute(file, data); err != nil {
+			t.Fatalf("Template execution failed: %v", err)
+		}
+
+		// Read the file and verify it contains expected content
+		content, err := os.ReadFile(outputPath)
+		if err != nil {
+			t.Fatalf("Failed to read output file: %v", err)
+		}
+
+		// Check for error indicators
+		contentStr := string(content)
+		if len(contentStr) == 0 {
+			t.Error("Generated HTML is empty")
+		}
+
+		// Basic HTML structure checks
+		requiredElements := []string{
+			"<!DOCTYPE html>",
+			"<html",
+			"<head>",
+			"<body>",
+			"Login Failed",
+			errorMsg,
+		}
+
+		for _, elem := range requiredElements {
+			if !contains(contentStr, elem) {
+				t.Errorf("Expected HTML to contain '%s', but it was not found", elem)
+			}
+		}
+	})
+}
+
+func contains(s, substr string) bool {
+	return len(s) >= len(substr) && (s == substr || len(substr) == 0 ||
+		(len(s) > 0 && len(substr) > 0 && containsHelper(s, substr)))
+}
+
+func containsHelper(s, substr string) bool {
+	for i := 0; i <= len(s)-len(substr); i++ {
+		if s[i:i+len(substr)] == substr {
+			return true
+		}
+	}
+	return false
+}

management/internals/controllers/network_map/controller/controller.go

@@ -2,9 +2,11 @@ package controller
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"os"
+	"path/filepath"
 	"slices"
 	"strconv"
 	"strings"
@@ -23,6 +25,7 @@ import (
 	"github.com/netbirdio/netbird/management/server/account"
 	"github.com/netbirdio/netbird/management/server/integrations/integrated_validator"
 	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
+	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/posture"
 	"github.com/netbirdio/netbird/management/server/settings"
@@ -191,7 +194,7 @@ func (c *Controller) sendUpdateAccountPeers(ctx context.Context, accountID strin
 			var remotePeerNetworkMap *types.NetworkMap
 
 			if c.experimentalNetworkMap(accountID) {
-				remotePeerNetworkMap = c.getPeerNetworkMapExp(ctx, p.AccountID, p.ID, approvedPeersMap, customZone, c.accountManagerMetrics)
+				remotePeerNetworkMap = c.getPeerNetworkMapExp(ctx, p.AccountID, p.ID, approvedPeersMap, customZone, c.accountManagerMetrics, resourcePolicies, routers)
 			} else {
 				remotePeerNetworkMap = account.GetPeerNetworkMap(ctx, p.ID, customZone, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics)
 			}
@@ -305,7 +308,7 @@ func (c *Controller) UpdateAccountPeer(ctx context.Context, accountId string, pe
 	var remotePeerNetworkMap *types.NetworkMap
 
 	if c.experimentalNetworkMap(accountId) {
-		remotePeerNetworkMap = c.getPeerNetworkMapExp(ctx, peer.AccountID, peer.ID, approvedPeersMap, customZone, c.accountManagerMetrics)
+		remotePeerNetworkMap = c.getPeerNetworkMapExp(ctx, peer.AccountID, peer.ID, approvedPeersMap, customZone, c.accountManagerMetrics, resourcePolicies, routers)
 	} else {
 		remotePeerNetworkMap = account.GetPeerNetworkMap(ctx, peerId, customZone, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics)
 	}
@@ -434,6 +437,8 @@ func (c *Controller) GetValidatedPeerWithMap(ctx context.Context, isRequiresAppr
 	log.WithContext(ctx).Debugf("getPeerPostureChecks took %s", time.Since(startPosture))
 
 	customZone := account.GetPeersCustomZone(ctx, c.GetDNSDomain(account.Settings))
+	resourcePolicies := account.GetResourcePoliciesMap()
+	routers := account.GetResourceRoutersMap()
 
 	proxyNetworkMaps, err := c.proxyController.GetProxyNetworkMaps(ctx, account.Id, peer.ID, account.Peers)
 	if err != nil {
@@ -444,9 +449,9 @@ func (c *Controller) GetValidatedPeerWithMap(ctx context.Context, isRequiresAppr
 	var networkMap *types.NetworkMap
 
 	if c.experimentalNetworkMap(accountID) {
-		networkMap = c.getPeerNetworkMapExp(ctx, peer.AccountID, peer.ID, approvedPeersMap, customZone, c.accountManagerMetrics)
+		networkMap = c.getPeerNetworkMapExp(ctx, peer.AccountID, peer.ID, approvedPeersMap, customZone, c.accountManagerMetrics, resourcePolicies, routers)
 	} else {
-		networkMap = account.GetPeerNetworkMap(ctx, peer.ID, customZone, approvedPeersMap, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), c.accountManagerMetrics)
+		networkMap = account.GetPeerNetworkMap(ctx, peer.ID, customZone, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics)
 	}
 
 	proxyNetworkMap, ok := proxyNetworkMaps[peer.ID]
@@ -464,6 +469,17 @@ func (c *Controller) initNetworkMapBuilderIfNeeded(account *types.Account, valid
 	account.InitNetworkMapBuilderIfNeeded(validatedPeers)
 }
 
+var filter = map[string]struct{}{
+	"cvj7n0rl0ubs73epnv00": struct{}{},
+	"d08cjrrl0ubs73cg7mng": struct{}{},
+	"d2qte4jl0ubs738s24ug": struct{}{},
+	"cvlo8fjl0ubs73clbhtg": struct{}{},
+	"d3knp53l0ubs738a3n6g": struct{}{},
+	"d184fkbl0ubs73f279q0": struct{}{},
+	"d1h9jtrl0ubs73fpjg10": struct{}{},
+	"d182c4bl0ubs73f26se0": struct{}{},
+}
+
 func (c *Controller) getPeerNetworkMapExp(
 	ctx context.Context,
 	accountId string,
@@ -471,6 +487,8 @@ func (c *Controller) getPeerNetworkMapExp(
 	validatedPeers map[string]struct{},
 	customZone nbdns.CustomZone,
 	metrics *telemetry.AccountManagerMetrics,
+	resourcePolicies map[string][]*types.Policy,
+	routers map[string]map[string]*routerTypes.NetworkRouter,
 ) *types.NetworkMap {
 	account := c.getAccountFromHolderOrInit(accountId)
 	if account == nil {
@@ -479,7 +497,59 @@ func (c *Controller) getPeerNetworkMapExp(
 			Network: &types.Network{},
 		}
 	}
-	return account.GetPeerNetworkMapExp(ctx, peerId, customZone, validatedPeers, metrics)
+	if _, ok := filter[peerId]; !ok {
+		return account.GetPeerNetworkMap(ctx, peerId, customZone, validatedPeers, resourcePolicies, routers, nil)
+	}
+
+	expMap := account.GetPeerNetworkMapExp(ctx, peerId, customZone, validatedPeers, metrics)
+
+	go func() {
+		legacyMap := account.GetPeerNetworkMap(ctx, peerId, customZone, validatedPeers, resourcePolicies, routers, nil)
+		c.compareAndSaveNetworkMaps(ctx, accountId, peerId, expMap, legacyMap)
+	}()
+
+	return expMap
+}
+
+func (c *Controller) compareAndSaveNetworkMaps(ctx context.Context, accountId, peerId string, expMap, legacyMap *types.NetworkMap) {
+	expBytes, err := json.Marshal(expMap)
+	if err != nil {
+		log.WithContext(ctx).Warnf("failed to marshal experimental network map: %v", err)
+		return
+	}
+
+	legacyBytes, err := json.Marshal(legacyMap)
+	if err != nil {
+		log.WithContext(ctx).Warnf("failed to marshal legacy network map: %v", err)
+		return
+	}
+
+	// if len(expBytes) == len(legacyBytes) || math.Abs(float64(len(expBytes)-len(legacyBytes))) < 5 {
+	// 	log.WithContext(ctx).Debugf("network maps are equal for peer %s in account %s (size: %d bytes)", peerId, accountId, len(expBytes))
+	// 	return
+	// }
+
+	timestamp := time.Now().UnixMicro()
+	baseDir := filepath.Join("debug_networkmaps", accountId, peerId)
+
+	if err := os.MkdirAll(baseDir, 0o755); err != nil {
+		log.WithContext(ctx).Warnf("failed to create debug directory %s: %v", baseDir, err)
+		return
+	}
+
+	expFile := filepath.Join(baseDir, fmt.Sprintf("exp_networkmap_%d_%d.json", expMap.Network.Serial, timestamp))
+	if err := os.WriteFile(expFile, expBytes, 0o644); err != nil {
+		log.WithContext(ctx).Warnf("failed to write experimental network map to %s: %v", expFile, err)
+		return
+	}
+
+	legacyFile := filepath.Join(baseDir, fmt.Sprintf("legacy_networkmap_%d_%d.json", legacyMap.Network.Serial, timestamp))
+	if err := os.WriteFile(legacyFile, legacyBytes, 0o644); err != nil {
+		log.WithContext(ctx).Warnf("failed to write legacy network map to %s: %v", legacyFile, err)
+		return
+	}
+
+	// log.WithContext(ctx).Infof("network maps differ for peer %s in account %s - saved to %s (exp: %d bytes, legacy: %d bytes)", peerId, accountId, baseDir, len(expBytes), len(legacyBytes))
 }
 
 func (c *Controller) onPeerAddedUpdNetworkMapCache(account *types.Account, peerId string) error {
@@ -752,6 +822,8 @@ func (c *Controller) GetNetworkMap(ctx context.Context, peerID string) (*types.N
 		return nil, err
 	}
 	customZone := account.GetPeersCustomZone(ctx, c.GetDNSDomain(account.Settings))
+	resourcePolicies := account.GetResourcePoliciesMap()
+	routers := account.GetResourceRoutersMap()
 
 	proxyNetworkMaps, err := c.proxyController.GetProxyNetworkMaps(ctx, account.Id, peerID, account.Peers)
 	if err != nil {
@@ -762,9 +834,9 @@ func (c *Controller) GetNetworkMap(ctx context.Context, peerID string) (*types.N
 	var networkMap *types.NetworkMap
 
 	if c.experimentalNetworkMap(peer.AccountID) {
-		networkMap = c.getPeerNetworkMapExp(ctx, peer.AccountID, peerID, validatedPeers, customZone, nil)
+		networkMap = c.getPeerNetworkMapExp(ctx, peer.AccountID, peerID, validatedPeers, customZone, nil, resourcePolicies, routers)
 	} else {
-		networkMap = account.GetPeerNetworkMap(ctx, peer.ID, customZone, validatedPeers, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), nil)
+		networkMap = account.GetPeerNetworkMap(ctx, peer.ID, customZone, validatedPeers, resourcePolicies, routers, nil)
 	}
 
 	proxyNetworkMap, ok := proxyNetworkMaps[peer.ID]

management/server/types/networkmapbuilder.go

@@ -22,10 +22,11 @@ import (
 )
 
 const (
-	allPeers = "0.0.0.0"
-	fw       = "fw:"
-	rfw      = "route-fw:"
-	nr       = "network-resource-"
+	allPeers      = "0.0.0.0"
+	allWildcard   = "0.0.0.0/0"
+	v6AllWildcard = "::/0"
+	fw            = "fw:"
+	rfw           = "route-fw:"
 )
 
 type NetworkMapCache struct {
@@ -1640,6 +1641,10 @@ func (b *NetworkMapBuilder) updateRouteFirewallRules(routesView *PeerRoutesView,
 			}
 
 			if string(rule.RouteID) == update.RuleID {
+				if hasWildcard := slices.Contains(rule.SourceRanges, allWildcard) || slices.Contains(rule.SourceRanges, v6AllWildcard); hasWildcard {
+					break
+				}
+
 				sourceIP := update.AddSourceIP
 
 				if strings.Contains(sourceIP, ":") {