Merge branch 'feature/less-strict-metaHash' into test/affected-logic

Signed-off-by: Dmitri Dolguikh <dmitri.external@netbird.io>

.github/workflows/golang-test-linux.yml

@@ -579,11 +579,10 @@ jobs:
           CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
           NETBIRD_STORE_ENGINE=${{ matrix.store }} \
           CI=true \
+          GIT_BRANCH=${{ github.ref_name }} \
           go test -tags devcert -run=^$ -bench=. \
           -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE,GIT_BRANCH,GITHUB_RUN_ID' \
           -timeout 20m ./management/... ./shared/management/... $(go list ./management/... ./shared/management/... | grep -v -e /management/server/http)
-        env:
-          GIT_BRANCH: ${{ github.ref_name }}
 
   api_benchmark:
     name: "Management / Benchmark (API)"
@@ -674,13 +673,12 @@ jobs:
           CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
           NETBIRD_STORE_ENGINE=${{ matrix.store }} \
           CI=true \
+          GIT_BRANCH=${{ github.ref_name }} \
           go test -tags=benchmark \
             -run=^$ \
             -bench=. \
             -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE,GIT_BRANCH,GITHUB_RUN_ID' \
             -timeout 20m ./management/server/http/...
-        env:
-          GIT_BRANCH: ${{ github.ref_name }}
 
   api_integration_test:
     name: "Management / Integration"

client/ui/client_ui.go

@@ -418,14 +418,7 @@ func newServiceClient(args *newServiceClientArgs) *serviceClient {
 	case args.showProfiles:
 		s.showProfilesUI()
 	case args.showQuickActions:
-		// Suppress the on-boot Quick Actions popup when the daemon
-		// reports DisableAutoConnect=true — that flag carries both the
-		// user's "Connect on Startup = off" preference AND any MDM-
-		// enforced override (applyMDMPolicy writes the policy value
-		// into the same Config field). See netbirdio/netbird#5744.
-		if !s.disableAutoConnectFromDaemon() {
-			s.showQuickActionsUI()
-		}
+		s.showQuickActionsUI()
 	case args.showUpdate:
 		s.showUpdateProgress(ctx, args.showUpdateVersion)
 	}
@@ -1345,40 +1338,6 @@ func (s *serviceClient) getFeatures() (*proto.GetFeaturesResponse, error) {
 	return features, nil
 }
 
-// disableAutoConnectFromDaemon returns true when the daemon reports
-// the active profile has DisableAutoConnect=true. Used by the
-// --quick-actions startup path to suppress the on-boot popup when the
-// user (or an MDM admin) opted out of auto-connecting; both cases
-// converge on the same Config field because applyMDMPolicy writes the
-// policy value into it. Returns false on any RPC / lookup failure so a
-// daemon hiccup does not silently swallow the popup.
-func (s *serviceClient) disableAutoConnectFromDaemon() bool {
-	activeProf, err := s.profileManager.GetActiveProfile()
-	if err != nil {
-		log.Warnf("disableAutoConnectFromDaemon: get active profile: %v", err)
-		return false
-	}
-	currUser, err := user.Current()
-	if err != nil {
-		log.Warnf("disableAutoConnectFromDaemon: get current user: %v", err)
-		return false
-	}
-	conn, err := s.getSrvClient(failFastTimeout)
-	if err != nil {
-		log.Warnf("disableAutoConnectFromDaemon: get daemon client: %v", err)
-		return false
-	}
-	srvCfg, err := conn.GetConfig(s.ctx, &proto.GetConfigRequest{
-		ProfileName: activeProf.ID.String(),
-		Username:    currUser.Username,
-	})
-	if err != nil {
-		log.Warnf("disableAutoConnectFromDaemon: GetConfig RPC: %v", err)
-		return false
-	}
-	return srvCfg.GetDisableAutoConnect()
-}
-
 // getSrvConfig from the service to show it in the settings window.
 func (s *serviceClient) getSrvConfig() {
 	s.managementURL = profilemanager.DefaultManagementURL

management/internals/controllers/network_map/controller/controller.go

@@ -497,7 +497,7 @@ func (c *Controller) BufferUpdateAffectedPeers(ctx context.Context, accountID st
 		c.accountManagerMetrics.CountUpdateAccountPeersTriggered(string(reason.Resource), string(reason.Operation))
 	}
 
-	log.WithContext(ctx).Tracef("buffer updating %d affected peers for account %s from %s with reason %s/%s", len(peerIDs), accountID, util.GetCallerName(), reason.Operation, reason.Resource)
+	log.WithContext(ctx).Tracef("buffer updating %d affected peers for account %s from %s", len(peerIDs), accountID, util.GetCallerName())
 
 	bufUpd, _ := c.affectedPeerUpdateLocks.LoadOrStore(accountID, &bufferAffectedUpdate{
 		peerIDs: make(map[string]struct{}),

management/internals/shared/grpc/loginfilter.go

@@ -11,9 +11,9 @@ import (
 
 const (
 	reconnThreshold   = 5 * time.Minute
-	baseBlockDuration = 10 * time.Minute // Duration for which a peer is banned after exceeding the reconnection limit
+	baseBlockDuration = 30 * time.Minute // Duration for which a peer is banned after exceeding the reconnection limit
 	reconnLimitForBan = 30               // Number of reconnections within the reconnTreshold that triggers a ban
-	metaChangeLimit   = 5                // Number of reconnections with different metadata that triggers a ban of one peer
+	metaChangeLimit   = 3                // Number of reconnections with different metadata that triggers a ban of one peer
 )
 
 type lfConfig struct {
@@ -142,7 +142,6 @@ func (l *loginFilter) addLogin(wgPubKey string, metaHash uint64) {
 func metaHash(meta nbpeer.PeerSystemMeta) uint64 {
 	h := fnv.New64a()
 
-	h.Write([]byte(meta.WtVersion))
 	h.Write([]byte(meta.OSVersion))
 	h.Write([]byte(meta.KernelVersion))
 	h.Write([]byte(meta.Hostname))

management/server/affected_peers_coverage_test.go

@@ -107,9 +107,7 @@ func TestAffectedPeers_DependencyCoverageMatrix(t *testing.T) {
 			affected := resolveAffected(t, s.manager.Store, s.accountID, change)
 
 			assert.ElementsMatch(t, affected, mustContain, "expected peer to be affected")
-			for _, peerID := range mustExclude {
-				assert.NotContains(t, affected, peerID, "peer must not be affected")
-			}
+			assert.NotContains(t, affected, mustExclude, "peer must not be affected")
 		})
 	}
 }

management/server/affectedpeers/resolver.go

@@ -519,7 +519,7 @@ func (r *resolver) appendPoliciesForPostureChecks(policies []*types.Policy, post
 	}
 	ids := toSet(postureCheckIDs)
 	for _, policy := range r.policies() {
-		if !policyReferencesPostureChecks(policy, ids) || !policy.Enabled {
+		if !policyReferencesPostureChecks(policy, ids) {
 			continue
 		}
 		log.WithContext(r.ctx).Tracef("appendPoliciesForPostureChecks: policy %s (%s) references changed posture checks %v -> both-sides policy",
@@ -712,70 +712,33 @@ func (r *resolver) foldPolicySourcesForResources(resourceIDs map[string]struct{}
 	}
 }
 
-// collectFromRoutes folds, per matched route, the OPPOSITE side(s) fully and the
-// matched side's own groups only on a whole-group change (outputGroups). A route has
-// three peer sides — routing (Peer/PeerGroups), consumer (Groups) and ACL
-// (AccessControlGroups) — that each refresh the others; the changed side's own group
-// folds its siblings only when the group itself changed, never on a one-peer move.
 func (r *resolver) collectFromRoutes() {
 	for _, rt := range r.snap.routes {
 		if !rt.Enabled {
 			continue // disabled routes route to nobody; skip existing account data
 		}
-		routing := anyInSet(rt.PeerGroups, r.linkGroups) || (rt.Peer != "" && isInSet(rt.Peer, r.changedPeers))
-		consumer := anyInSet(rt.Groups, r.linkGroups)
-		acl := anyInSet(rt.AccessControlGroups, r.linkGroups)
-		if !routing && !consumer && !acl {
+		matchedByGroup := anyInSet(rt.Groups, r.linkGroups) || anyInSet(rt.PeerGroups, r.linkGroups) || anyInSet(rt.AccessControlGroups, r.linkGroups)
+		matchedByPeer := rt.Peer != "" && len(r.changedPeers) > 0 && isInSet(rt.Peer, r.changedPeers)
+		if !matchedByGroup && !matchedByPeer {
 			continue
 		}
-		log.WithContext(r.ctx).Tracef("collectFromRoutes: route %s matched (routing=%t consumer=%t acl=%t) -> folding opposite sides; own side gated on outputGroups",
-			rt.ID, routing, consumer, acl)
-		r.foldRouteSide(rt.PeerGroups, routing)
-		r.foldRouteSide(rt.Groups, consumer)
-		r.foldRouteSide(rt.AccessControlGroups, acl)
-		// The single routing Peer folds when the routing side is the OPPOSITE of the
-		// match (consumer/acl need it), or when that very peer is the change.
-		if rt.Peer != "" && (consumer || acl || isInSet(rt.Peer, r.changedPeers)) {
+		log.WithContext(r.ctx).Tracef("collectFromRoutes: route %s matched (byGroup=%t byPeer=%t) -> folding groups=%v peerGroups=%v accessControlGroups=%v peer=%q",
+			rt.ID, matchedByGroup, matchedByPeer, rt.Groups, rt.PeerGroups, rt.AccessControlGroups, rt.Peer)
+		addAll(r.affectedGroups, rt.Groups, rt.PeerGroups, rt.AccessControlGroups)
+		if rt.Peer != "" {
 			r.affectedPeers[rt.Peer] = struct{}{}
 		}
 	}
 }
 
-// foldRouteSide folds a route side: when this side is the one that matched, fold its
-// groups only on a whole-group change (outputGroups) so siblings of a single moved
-// peer stay put; otherwise it is an opposite side and folds fully.
-func (r *resolver) foldRouteSide(groups []string, matchedHere bool) {
-	if matchedHere {
-		r.foldOutputGroups(groups)
-		return
-	}
-	addAll(r.affectedGroups, groups)
-}
-
-// foldOutputGroups folds only the groups that the caller reported as wholly changed
-// (outputGroups). Used for a matched object's OWN side, where a peer-seeded or
-// link-only group must not pull in its siblings.
-func (r *resolver) foldOutputGroups(groups ...[]string) {
-	for _, gs := range groups {
-		for _, gID := range gs {
-			if _, ok := r.outputGroups[gID]; ok {
-				r.affectedGroups[gID] = struct{}{}
-			}
-		}
-	}
-}
-
 func (r *resolver) collectFromNameServers() {
 	if len(r.linkGroups) == 0 {
 		return
 	}
 	for _, ns := range r.snap.nsGroups {
 		if anyInSet(ns.Groups, r.linkGroups) {
-			// A nameserver group has no opposite side: a peer's DNS config depends only
-			// on its own membership, so a one-peer move refreshes that peer alone (folded
-			// elsewhere). Fold the referenced groups only on a whole-group change.
-			log.WithContext(r.ctx).Tracef("collectFromNameServers: nameserver group %s references a linked group -> folding its groups %v (outputGroups only)", ns.ID, ns.Groups)
-			r.foldOutputGroups(ns.Groups)
+			log.WithContext(r.ctx).Tracef("collectFromNameServers: nameserver group %s references a changed group -> folding its groups %v", ns.ID, ns.Groups)
+			addAll(r.affectedGroups, ns.Groups)
 		}
 	}
 }
@@ -803,12 +766,9 @@ func (r *resolver) collectFromNetworkRouters() {
 		if !matchedByGroup && !matchedByPeer {
 			continue
 		}
-		log.WithContext(r.ctx).Tracef("collectFromNetworkRouters: router %s on network %s matched (byGroup=%t byPeer=%t) -> folding its peerGroups=%v peer=%q (own groups on outputGroups) + sources reaching network resources",
+		log.WithContext(r.ctx).Tracef("collectFromNetworkRouters: router %s on network %s matched (byGroup=%t byPeer=%t) -> folding its peerGroups=%v peer=%q + sources reaching network resources",
 			router.ID, router.NetworkID, matchedByGroup, matchedByPeer, router.PeerGroups, router.Peer)
-		// The backing PeerGroups are the matched (own) side: fold them only on a
-		// whole-group change so a one-peer move does not wake sibling backing peers. The
-		// opposite side (policy sources reaching the network) is folded below.
-		r.foldOutputGroups(router.PeerGroups)
+		addAll(r.affectedGroups, router.PeerGroups)
 		if router.Peer != "" {
 			r.affectedPeers[router.Peer] = struct{}{}
 		}
@@ -839,7 +799,7 @@ func (r *resolver) collectFromProxyServices() {
 		if !matchedByPeer && !matchedByAccessGroup {
 			continue
 		}
-		log.WithContext(r.ctx).Tracef("collectFromProxyServices: service %s (cluster=%s) matched (byProxyOrTargetPeer=%t byAccessGroup=%t) -> folding %d proxy peers, peer targets; access groups %v on outputGroups only",
+		log.WithContext(r.ctx).Tracef("collectFromProxyServices: service %s (cluster=%s) matched (byProxyOrTargetPeer=%t byAccessGroup=%t) -> folding %d proxy peers, peer targets and access groups %v",
 			svc.ID, svc.ProxyCluster, matchedByPeer, matchedByAccessGroup, len(proxyPeers), svc.AccessGroups)
 		for _, pid := range proxyPeers {
 			r.affectedPeers[pid] = struct{}{}
@@ -852,10 +812,7 @@ func (r *resolver) collectFromProxyServices() {
 				r.affectedPeers[target.TargetId] = struct{}{}
 			}
 		}
-		// AccessGroups are the matched (own) side with no opposite to fold: a member's
-		// proxy access is self-contained, so a one-peer move refreshes that peer alone.
-		// Fold the groups only on a whole-group change.
-		r.foldOutputGroups(svc.AccessGroups)
+		addAll(r.affectedGroups, svc.AccessGroups)
 	}
 }
 

management/server/peer.go

@@ -209,14 +209,14 @@ func (am *DefaultAccountManager) resolvePeerLocation(ctx context.Context, peer *
 	if am.geo == nil || realIP == nil {
 		return nil
 	}
+	if peer.Location.ConnectionIP != nil && peer.Location.ConnectionIP.Equal(realIP) {
+		return nil
+	}
 	location, err := am.geo.Lookup(realIP)
 	if err != nil {
 		log.WithContext(ctx).Warnf("failed to get location for peer %s realip: [%s]: %v", peer.ID, realIP.String(), err)
 		return nil
 	}
-	if peer.Location.ConnectionIP != nil && peer.Location.ConnectionIP.Equal(realIP) && peer.Location.GeoNameID == location.City.GeonameID {
-		return nil
-	}
 	return &nbpeer.Location{
 		ConnectionIP: realIP,
 		CountryCode:  location.Country.ISOCode,
@@ -1052,7 +1052,7 @@ func (am *DefaultAccountManager) SyncPeer(ctx context.Context, sync types.PeerSy
 	}
 
 	metaDiffAffectsPosture := posture.AffectsPosture(ctx, &metaDiff, resPostureChecks)
-	if requiresPeerUpdate(ctx, isStatusChanged, sync.UpdateAccountPeers, ipv6CapabilityChanged, metaDiffAffectsPosture, metaDiff.VersionChanged(), metaDiff.HostnameChanged()) {
+	if isStatusChanged || sync.UpdateAccountPeers || ipv6CapabilityChanged || metaDiffAffectsPosture || metaDiff.VersionChanged() || metaDiff.HostnameChanged() {
 		changedPeerIDs := []string{peer.ID}
 		affectedPeerIDs := am.syncPeerAffectedPeers(ctx, accountID, peer.ID, nmap, peerNotValid, metaDiffAffectsPosture)
 		if err = am.networkMapController.OnPeersUpdated(ctx, accountID, changedPeerIDs, affectedPeerIDs); err != nil {
@@ -1063,29 +1063,6 @@ func (am *DefaultAccountManager) SyncPeer(ctx context.Context, sync types.PeerSy
 	return peer, nmap, resPostureChecks, dnsFwdPort, nil
 }
 
-func requiresPeerUpdate(ctx context.Context, isStatusChanged, updateAccountPeers, ipv6CapabilityChanged, metaDiffAffectsPosture, versionChanged, hostname bool) bool {
-	var reason string
-	switch {
-	case isStatusChanged:
-		reason = "status changed"
-	case updateAccountPeers:
-		reason = "update account peers"
-	case ipv6CapabilityChanged:
-		reason = "ipv6 capability changed"
-	case metaDiffAffectsPosture:
-		reason = "meta diff affects posture"
-	case versionChanged:
-		reason = "version changed"
-	case hostname:
-		reason = "hostname changed"
-	default:
-		return false
-	}
-
-	log.WithContext(ctx).Tracef("peer update required: %s", reason)
-	return true
-}
-
 // syncPeerAffectedPeers resolves the peers affected by a SyncPeer change. The
 // peer's own validated network map is bidirectional for policy and routing
 // reachability, so when the peer stays valid and no source-posture gate is in

management/server/peer_test.go

@@ -49,7 +49,6 @@ import (
 
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/server/activity"
-	"github.com/netbirdio/netbird/management/server/geolocation"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/posture"
 	"github.com/netbirdio/netbird/management/server/store"
@@ -2894,141 +2893,3 @@ func TestUpdatePeer_DnsLabelUniqueName(t *testing.T) {
 	require.NoError(t, err, "renaming to unique FQDN should succeed")
 	assert.Equal(t, "api-server", updated.DNSLabel, "DNS label should be first label of FQDN")
 }
-
-// fakeGeo is a configurable geolocation.Geolocation implementation for tests. It
-// returns a record built from the configured city geoname id, or an error when set.
-type fakeGeo struct {
-	geoNameID uint
-	isoCode   string
-	cityName  string
-	err       error
-}
-
-func (g *fakeGeo) Lookup(net.IP) (*geolocation.Record, error) {
-	if g.err != nil {
-		return nil, g.err
-	}
-	record := &geolocation.Record{}
-	record.City.GeonameID = g.geoNameID
-	record.City.Names.En = g.cityName
-	record.Country.ISOCode = g.isoCode
-	return record, nil
-}
-
-func (g *fakeGeo) GetAllCountries() ([]geolocation.Country, error) { return nil, nil }
-
-func (g *fakeGeo) GetCitiesByCountry(string) ([]geolocation.City, error) { return nil, nil }
-
-func (g *fakeGeo) Stop() error { return nil }
-
-func TestResolvePeerLocation(t *testing.T) {
-	realIP := net.ParseIP("203.0.113.10")
-
-	tests := []struct {
-		name    string
-		geo     geolocation.Geolocation
-		peer    *nbpeer.Peer
-		realIP  net.IP
-		want    *nbpeer.Location
-		wantNil bool
-	}{
-		{
-			name:    "no geo configured returns nil",
-			geo:     nil,
-			peer:    &nbpeer.Peer{ID: "p1"},
-			realIP:  realIP,
-			wantNil: true,
-		},
-		{
-			name:    "nil real IP returns nil",
-			geo:     &fakeGeo{geoNameID: 100},
-			peer:    &nbpeer.Peer{ID: "p1"},
-			realIP:  nil,
-			wantNil: true,
-		},
-		{
-			name:    "lookup error returns nil",
-			geo:     &fakeGeo{err: fmt.Errorf("lookup boom")},
-			peer:    &nbpeer.Peer{ID: "p1"},
-			realIP:  realIP,
-			wantNil: true,
-		},
-		{
-			name: "same IP and same geoname returns nil",
-			geo:  &fakeGeo{geoNameID: 100, isoCode: "US", cityName: "City A"},
-			peer: &nbpeer.Peer{
-				ID: "p1",
-				Location: nbpeer.Location{
-					ConnectionIP: realIP,
-					GeoNameID:    100,
-				},
-			},
-			realIP:  realIP,
-			wantNil: true,
-		},
-		{
-			name: "same IP but changed geoname returns location",
-			geo:  &fakeGeo{geoNameID: 200, isoCode: "US", cityName: "City B"},
-			peer: &nbpeer.Peer{
-				ID: "p1",
-				Location: nbpeer.Location{
-					ConnectionIP: realIP,
-					GeoNameID:    100,
-				},
-			},
-			realIP: realIP,
-			want: &nbpeer.Location{
-				ConnectionIP: realIP,
-				CountryCode:  "US",
-				CityName:     "City B",
-				GeoNameID:    200,
-			},
-		},
-		{
-			name: "different IP returns location",
-			geo:  &fakeGeo{geoNameID: 100, isoCode: "US", cityName: "City A"},
-			peer: &nbpeer.Peer{
-				ID: "p1",
-				Location: nbpeer.Location{
-					ConnectionIP: net.ParseIP("198.51.100.7"),
-					GeoNameID:    100,
-				},
-			},
-			realIP: realIP,
-			want: &nbpeer.Location{
-				ConnectionIP: realIP,
-				CountryCode:  "US",
-				CityName:     "City A",
-				GeoNameID:    100,
-			},
-		},
-		{
-			name:   "no prior location returns location",
-			geo:    &fakeGeo{geoNameID: 100, isoCode: "US", cityName: "City A"},
-			peer:   &nbpeer.Peer{ID: "p1"},
-			realIP: realIP,
-			want: &nbpeer.Location{
-				ConnectionIP: realIP,
-				CountryCode:  "US",
-				CityName:     "City A",
-				GeoNameID:    100,
-			},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			am := &DefaultAccountManager{geo: tt.geo}
-			got := am.resolvePeerLocation(context.Background(), tt.peer, tt.realIP)
-			if tt.wantNil {
-				assert.Nil(t, got, "resolved location should be nil")
-				return
-			}
-			require.NotNil(t, got, "resolved location should not be nil")
-			assert.True(t, tt.want.ConnectionIP.Equal(got.ConnectionIP), "connection IP should match")
-			assert.Equal(t, tt.want.CountryCode, got.CountryCode, "country code should match")
-			assert.Equal(t, tt.want.CityName, got.CityName, "city name should match")
-			assert.Equal(t, tt.want.GeoNameID, got.GeoNameID, "geoname id should match")
-		})
-	}
-}