fix early return on affectsPosture

management/internals/controllers/network_map/controller/controller.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"runtime/debug"
 	"slices"
 	"strconv"
 	"sync"
@@ -177,6 +178,10 @@ func (c *Controller) sendUpdateAccountPeers(ctx context.Context, accountID strin
 		return fmt.Errorf("failed to get account zones: %v", err)
 	}
 
+	if reason.Operation == types.UpdateOperationUpdate && reason.Resource == types.UpdateResourceUser {
+		log.WithContext(ctx).Tracef("got an user update, stack: %s", debug.Stack())
+	}
+
 	for _, peer := range account.Peers {
 		if !c.peersUpdateManager.HasChannel(peer.ID) {
 			log.WithContext(ctx).Tracef("peer %s doesn't have a channel, skipping network map update", peer.ID)
@@ -244,6 +249,7 @@ func (c *Controller) UpdateAccountPeers(ctx context.Context, accountID string, r
 
 // UpdateAffectedPeers updates only the specified peers that belong to an account.
 func (c *Controller) UpdateAffectedPeers(ctx context.Context, accountID string, peerIDs []string) error {
+	log.WithContext(ctx).Tracef("UpdateAccountPeers: account %s, %d affected peers (caller: %s)", accountID, len(peerIDs), util.GetCallerName())
 	if len(peerIDs) == 0 {
 		return nil
 	}
@@ -251,7 +257,7 @@ func (c *Controller) UpdateAffectedPeers(ctx context.Context, accountID string,
 }
 
 func (c *Controller) sendUpdateForAffectedPeers(ctx context.Context, accountID string, peerIDs []string) error {
-	log.WithContext(ctx).Tracef("sendUpdateForAffectedPeers: account %s, %d affected peers: %v (caller: %s)", accountID, len(peerIDs), peerIDs, util.GetCallerName())
+	log.WithContext(ctx).Tracef("sendUpdateForAffectedPeers: account %s, %d affected peers (caller: %s)", accountID, len(peerIDs), util.GetCallerName())
 
 	if !c.hasConnectedPeers(peerIDs) {
 		log.WithContext(ctx).Tracef("sendUpdateForAffectedPeers: no connected peers among %v, skipping", peerIDs)
@@ -497,7 +503,11 @@ func (c *Controller) BufferUpdateAffectedPeers(ctx context.Context, accountID st
 		c.accountManagerMetrics.CountUpdateAccountPeersTriggered(string(reason.Resource), string(reason.Operation))
 	}
 
-	log.WithContext(ctx).Tracef("buffer updating %d affected peers for account %s from %s", len(peerIDs), accountID, util.GetCallerName())
+	log.WithContext(ctx).Tracef("buffer updating %d affected peers for account %s from %s with reason %s/%s", len(peerIDs), accountID, util.GetCallerName(), reason.Operation, reason.Resource)
+
+	if reason.Operation == types.UpdateOperationUpdate && reason.Resource == types.UpdateResourceUser {
+		log.WithContext(ctx).Tracef("got an user update, stack: %s", debug.Stack())
+	}
 
 	bufUpd, _ := c.affectedPeerUpdateLocks.LoadOrStore(accountID, &bufferAffectedUpdate{
 		peerIDs: make(map[string]struct{}),

management/server/peer.go

@@ -11,6 +11,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/netbirdio/netbird/util"
 	"github.com/rs/xid"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/exp/maps"
@@ -200,14 +201,14 @@ func (am *DefaultAccountManager) resolvePeerLocation(ctx context.Context, peer *
 	if am.geo == nil || realIP == nil {
 		return nil
 	}
-	if peer.Location.ConnectionIP != nil && peer.Location.ConnectionIP.Equal(realIP) {
-		return nil
-	}
 	location, err := am.geo.Lookup(realIP)
 	if err != nil {
 		log.WithContext(ctx).Warnf("failed to get location for peer %s realip: [%s]: %v", peer.ID, realIP.String(), err)
 		return nil
 	}
+	if peer.Location.ConnectionIP != nil && peer.Location.ConnectionIP.Equal(realIP) && peer.Location.GeoNameID == location.City.GeonameID {
+		return nil
+	}
 	return &nbpeer.Location{
 		ConnectionIP: realIP,
 		CountryCode:  location.Country.ISOCode,
@@ -1042,8 +1043,8 @@ func (am *DefaultAccountManager) SyncPeer(ctx context.Context, sync types.PeerSy
 		return nil, nil, nil, 0, err
 	}
 
-	metaDiffAffectsPosture := posture.AffectsPosture(&metaDiff, resPostureChecks)
-	if isStatusChanged || sync.UpdateAccountPeers || ipv6CapabilityChanged || metaDiffAffectsPosture || metaDiff.VersionChanged || metaDiff.Hostname {
+	metaDiffAffectsPosture := posture.AffectsPosture(ctx, &metaDiff, resPostureChecks)
+	if requiresPeerUpdate(ctx, isStatusChanged, sync.UpdateAccountPeers, ipv6CapabilityChanged, metaDiffAffectsPosture, metaDiff.VersionChanged, metaDiff.Hostname) {
 		changedPeerIDs := []string{peer.ID}
 		affectedPeerIDs := am.syncPeerAffectedPeers(ctx, accountID, peer.ID, nmap, peerNotValid, metaDiffAffectsPosture)
 		if err = am.networkMapController.OnPeersUpdated(ctx, accountID, changedPeerIDs, affectedPeerIDs); err != nil {
@@ -1054,6 +1055,29 @@ func (am *DefaultAccountManager) SyncPeer(ctx context.Context, sync types.PeerSy
 	return peer, nmap, resPostureChecks, dnsFwdPort, nil
 }
 
+func requiresPeerUpdate(ctx context.Context, isStatusChanged, updateAccountPeers, ipv6CapabilityChanged, metaDiffAffectsPosture, versionChanged, hostname bool) bool {
+	reason := ""
+	switch {
+	case isStatusChanged:
+		reason = "status changed"
+	case updateAccountPeers:
+		reason = "update account peers"
+	case ipv6CapabilityChanged:
+		reason = "ipv6 capability changed"
+	case metaDiffAffectsPosture:
+		reason = "meta diff affects posture"
+	case versionChanged:
+		reason = "version changed"
+	case hostname:
+		reason = "hostname changed"
+	default:
+		return false
+	}
+
+	log.WithContext(ctx).Tracef("peer update required: %s", reason)
+	return true
+}
+
 // syncPeerAffectedPeers resolves the peers affected by a SyncPeer change. The
 // peer's own validated network map is bidirectional for policy and routing
 // reachability, so when the peer stays valid and no source-posture gate is in
@@ -1477,6 +1501,7 @@ func (am *DefaultAccountManager) GetPeer(ctx context.Context, accountID, peerID,
 // UpdateAccountPeers updates all peers that belong to an account.
 // Should be called when changes have to be synced to peers.
 func (am *DefaultAccountManager) UpdateAccountPeers(ctx context.Context, accountID string, reason types.UpdateReason) {
+	log.WithContext(ctx).Tracef("update account peers for account %s from caller: %s with reason %s/%s", accountID, util.GetCallerName(), reason.Operation, reason.Resource)
 	_ = am.networkMapController.UpdateAccountPeers(ctx, accountID, reason)
 }
 
@@ -1575,6 +1600,7 @@ func (am *DefaultAccountManager) resolveAffectedPeersForPeerChanges(ctx context.
 }
 
 func (am *DefaultAccountManager) BufferUpdateAccountPeers(ctx context.Context, accountID string, reason types.UpdateReason) {
+	log.WithContext(ctx).Tracef("buffering update account peers for account %s from caller: %s with reason %s/%s", accountID, util.GetCallerName(), reason.Operation, reason.Resource)
 	_ = am.networkMapController.BufferUpdateAccountPeers(ctx, accountID, reason)
 }
 

management/server/peer_test.go

@@ -49,6 +49,7 @@ import (
 
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/server/activity"
+	"github.com/netbirdio/netbird/management/server/geolocation"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/posture"
 	"github.com/netbirdio/netbird/management/server/store"
@@ -2893,3 +2894,141 @@ func TestUpdatePeer_DnsLabelUniqueName(t *testing.T) {
 	require.NoError(t, err, "renaming to unique FQDN should succeed")
 	assert.Equal(t, "api-server", updated.DNSLabel, "DNS label should be first label of FQDN")
 }
+
+// fakeGeo is a configurable geolocation.Geolocation implementation for tests. It
+// returns a record built from the configured city geoname id, or an error when set.
+type fakeGeo struct {
+	geoNameID uint
+	isoCode   string
+	cityName  string
+	err       error
+}
+
+func (g *fakeGeo) Lookup(net.IP) (*geolocation.Record, error) {
+	if g.err != nil {
+		return nil, g.err
+	}
+	record := &geolocation.Record{}
+	record.City.GeonameID = g.geoNameID
+	record.City.Names.En = g.cityName
+	record.Country.ISOCode = g.isoCode
+	return record, nil
+}
+
+func (g *fakeGeo) GetAllCountries() ([]geolocation.Country, error) { return nil, nil }
+
+func (g *fakeGeo) GetCitiesByCountry(string) ([]geolocation.City, error) { return nil, nil }
+
+func (g *fakeGeo) Stop() error { return nil }
+
+func TestResolvePeerLocation(t *testing.T) {
+	realIP := net.ParseIP("203.0.113.10")
+
+	tests := []struct {
+		name    string
+		geo     geolocation.Geolocation
+		peer    *nbpeer.Peer
+		realIP  net.IP
+		want    *nbpeer.Location
+		wantNil bool
+	}{
+		{
+			name:    "no geo configured returns nil",
+			geo:     nil,
+			peer:    &nbpeer.Peer{ID: "p1"},
+			realIP:  realIP,
+			wantNil: true,
+		},
+		{
+			name:    "nil real IP returns nil",
+			geo:     &fakeGeo{geoNameID: 100},
+			peer:    &nbpeer.Peer{ID: "p1"},
+			realIP:  nil,
+			wantNil: true,
+		},
+		{
+			name:    "lookup error returns nil",
+			geo:     &fakeGeo{err: fmt.Errorf("lookup boom")},
+			peer:    &nbpeer.Peer{ID: "p1"},
+			realIP:  realIP,
+			wantNil: true,
+		},
+		{
+			name: "same IP and same geoname returns nil",
+			geo:  &fakeGeo{geoNameID: 100, isoCode: "US", cityName: "City A"},
+			peer: &nbpeer.Peer{
+				ID: "p1",
+				Location: nbpeer.Location{
+					ConnectionIP: realIP,
+					GeoNameID:    100,
+				},
+			},
+			realIP:  realIP,
+			wantNil: true,
+		},
+		{
+			name: "same IP but changed geoname returns location",
+			geo:  &fakeGeo{geoNameID: 200, isoCode: "US", cityName: "City B"},
+			peer: &nbpeer.Peer{
+				ID: "p1",
+				Location: nbpeer.Location{
+					ConnectionIP: realIP,
+					GeoNameID:    100,
+				},
+			},
+			realIP: realIP,
+			want: &nbpeer.Location{
+				ConnectionIP: realIP,
+				CountryCode:  "US",
+				CityName:     "City B",
+				GeoNameID:    200,
+			},
+		},
+		{
+			name: "different IP returns location",
+			geo:  &fakeGeo{geoNameID: 100, isoCode: "US", cityName: "City A"},
+			peer: &nbpeer.Peer{
+				ID: "p1",
+				Location: nbpeer.Location{
+					ConnectionIP: net.ParseIP("198.51.100.7"),
+					GeoNameID:    100,
+				},
+			},
+			realIP: realIP,
+			want: &nbpeer.Location{
+				ConnectionIP: realIP,
+				CountryCode:  "US",
+				CityName:     "City A",
+				GeoNameID:    100,
+			},
+		},
+		{
+			name:   "no prior location returns location",
+			geo:    &fakeGeo{geoNameID: 100, isoCode: "US", cityName: "City A"},
+			peer:   &nbpeer.Peer{ID: "p1"},
+			realIP: realIP,
+			want: &nbpeer.Location{
+				ConnectionIP: realIP,
+				CountryCode:  "US",
+				CityName:     "City A",
+				GeoNameID:    100,
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			am := &DefaultAccountManager{geo: tt.geo}
+			got := am.resolvePeerLocation(context.Background(), tt.peer, tt.realIP)
+			if tt.wantNil {
+				assert.Nil(t, got, "resolved location should be nil")
+				return
+			}
+			require.NotNil(t, got, "resolved location should not be nil")
+			assert.True(t, tt.want.ConnectionIP.Equal(got.ConnectionIP), "connection IP should match")
+			assert.Equal(t, tt.want.CountryCode, got.CountryCode, "country code should match")
+			assert.Equal(t, tt.want.CityName, got.CityName, "city name should match")
+			assert.Equal(t, tt.want.GeoNameID, got.GeoNameID, "geoname id should match")
+		})
+	}
+}

management/server/posture/affects_test.go

@@ -0,0 +1,130 @@
+package posture
+
+import (
+	"context"
+	"net/netip"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
+)
+
+func TestAffectsPosture(t *testing.T) {
+	processCheck := &Checks{Checks: ChecksDefinition{ProcessCheck: &ProcessCheck{}}}
+	osCheck := &Checks{Checks: ChecksDefinition{OSVersionCheck: &OSVersionCheck{}}}
+	nbCheck := &Checks{Checks: ChecksDefinition{NBVersionCheck: &NBVersionCheck{}}}
+	geoCheck := &Checks{Checks: ChecksDefinition{GeoLocationCheck: &GeoLocationCheck{}}}
+
+	privateRangeCheck := &Checks{Checks: ChecksDefinition{
+		PeerNetworkRangeCheck: &PeerNetworkRangeCheck{
+			Ranges: []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")},
+		},
+	}}
+	publicRangeCheck := &Checks{Checks: ChecksDefinition{
+		PeerNetworkRangeCheck: &PeerNetworkRangeCheck{
+			Ranges: []netip.Prefix{netip.MustParsePrefix("203.0.113.0/24")},
+		},
+	}}
+	mixedRangeCheck := &Checks{Checks: ChecksDefinition{
+		PeerNetworkRangeCheck: &PeerNetworkRangeCheck{
+			Ranges: []netip.Prefix{
+				netip.MustParsePrefix("203.0.113.0/24"),
+				netip.MustParsePrefix("192.168.0.0/16"),
+			},
+		},
+	}}
+
+	tests := []struct {
+		name   string
+		diff   *nbpeer.MetaDiff
+		checks []*Checks
+		want   bool
+	}{
+		{
+			name:   "nil diff never affects posture",
+			diff:   nil,
+			checks: []*Checks{processCheck},
+			want:   false,
+		},
+		{
+			name:   "process check affected by files change",
+			diff:   &nbpeer.MetaDiff{Files: true},
+			checks: []*Checks{processCheck},
+			want:   true,
+		},
+		{
+			name:   "process check ignores unrelated change",
+			diff:   &nbpeer.MetaDiff{Hostname: true},
+			checks: []*Checks{processCheck},
+			want:   false,
+		},
+		{
+			name:   "os check affected by os version change",
+			diff:   &nbpeer.MetaDiff{OSVersion: true},
+			checks: []*Checks{osCheck},
+			want:   true,
+		},
+		{
+			name:   "nb check affected by wt version change",
+			diff:   &nbpeer.MetaDiff{WtVersion: true},
+			checks: []*Checks{nbCheck},
+			want:   true,
+		},
+		{
+			name:   "geo check affected by location change",
+			diff:   &nbpeer.MetaDiff{LocationChanged: true},
+			checks: []*Checks{geoCheck},
+			want:   true,
+		},
+		{
+			name:   "network range check not affected without network address or location change",
+			diff:   &nbpeer.MetaDiff{Hostname: true},
+			checks: []*Checks{privateRangeCheck},
+			want:   false,
+		},
+		{
+			name:   "private range check affected by network address change",
+			diff:   &nbpeer.MetaDiff{NetworkAddresses: true},
+			checks: []*Checks{privateRangeCheck},
+			want:   true,
+		},
+		{
+			name:   "public range check not affected by network address change alone",
+			diff:   &nbpeer.MetaDiff{NetworkAddresses: true},
+			checks: []*Checks{publicRangeCheck},
+			want:   false,
+		},
+		{
+			name:   "public range check affected by location change alone",
+			diff:   &nbpeer.MetaDiff{LocationChanged: true},
+			checks: []*Checks{publicRangeCheck},
+			want:   true,
+		},
+		{
+			name:   "private range check affected by location change alone",
+			diff:   &nbpeer.MetaDiff{LocationChanged: true},
+			checks: []*Checks{privateRangeCheck},
+			want:   true,
+		},
+		{
+			name:   "public range check affected when location also changed",
+			diff:   &nbpeer.MetaDiff{NetworkAddresses: true, LocationChanged: true},
+			checks: []*Checks{publicRangeCheck},
+			want:   true,
+		},
+		{
+			name:   "mixed ranges affected by network address change due to private range",
+			diff:   &nbpeer.MetaDiff{NetworkAddresses: true},
+			checks: []*Checks{mixedRangeCheck},
+			want:   true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := AffectsPosture(context.Background(), tt.diff, tt.checks)
+			assert.Equal(t, tt.want, got, "AffectsPosture result should match expectation")
+		})
+	}
+}

management/server/posture/checks.go

@@ -7,6 +7,7 @@ import (
 	"regexp"
 
 	"github.com/hashicorp/go-version"
+	log "github.com/sirupsen/logrus"
 
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/shared/management/http/api"
@@ -56,25 +57,38 @@ type Checks struct {
 // alter the outcome of any of the given posture checks. It maps each check kind to
 // the metadata fields it inspects, so an unrelated change (e.g. a hostname update)
 // does not force a posture re-evaluation.
-func AffectsPosture(diff *nbpeer.MetaDiff, checks []*Checks) bool {
+func AffectsPosture(ctx context.Context, diff *nbpeer.MetaDiff, checks []*Checks) bool {
 	if diff == nil {
 		return false
 	}
 	for _, c := range checks {
 		if c.Checks.ProcessCheck != nil && diff.Files {
+			log.WithContext(ctx).Tracef("posture check %s is affected by files change", c.Name)
 			return true
 		}
 		if c.Checks.OSVersionCheck != nil && (diff.OSVersion || diff.OS || diff.KernelVersion) {
+			log.WithContext(ctx).Tracef("posture check %s is affected by OS version check", c.Name)
 			return true
 		}
 		if c.Checks.NBVersionCheck != nil && diff.WtVersion {
+			log.WithContext(ctx).Tracef("posture check %s is affected by NB version change", c.Name)
 			return true
 		}
 		if c.Checks.GeoLocationCheck != nil && diff.LocationChanged {
+			log.WithContext(ctx).Tracef("posture check %s is affected by location change", c.Name)
 			return true
 		}
-		if c.Checks.PeerNetworkRangeCheck != nil && diff.NetworkAddresses {
-			return true
+		if c.Checks.PeerNetworkRangeCheck != nil && (diff.NetworkAddresses || diff.LocationChanged) {
+			if diff.LocationChanged {
+				log.WithContext(ctx).Tracef("posture check %s is affected by location change", c.Name)
+				return true
+			}
+			for _, r := range c.Checks.PeerNetworkRangeCheck.Ranges {
+				if r.Addr().IsPrivate() {
+					log.WithContext(ctx).Tracef("posture check %s is affected by network address change", c.Name)
+					return true
+				}
+			}
 		}
 	}
 	return false