split networkIDs to check

Signed-off-by: Dmitri Dolguikh <dmitri.external@netbird.io>

management/server/affected_peers_coverage_test.go

@@ -41,7 +41,7 @@ func TestAffectedPeers_DependencyCoverageMatrix(t *testing.T) {
 				_, err := s.manager.SavePolicy(ctx, s.accountID, userID, peerToResourcePolicyByGroup(s.sourceGroupID, s.resourceGroupID), true)
 				require.NoError(t, err)
 				return affectedpeers.Change{ChangedPeerIDs: []string{s.routerPeerID}},
-					[]string{s.sourcePeerID}, []string{s.unrelatedPeerID}
+					[]string{s.sourcePeerID, s.routerPeerID}, []string{s.unrelatedPeerID}
 			},
 		},
 		{
@@ -106,12 +106,8 @@ func TestAffectedPeers_DependencyCoverageMatrix(t *testing.T) {
 			change, mustContain, mustExclude := r.build(t, s, ctx)
 			affected := resolveAffected(t, s.manager.Store, s.accountID, change)
 
-			for _, id := range mustContain {
-				assert.Contains(t, affected, id, "expected peer to be affected")
-			}
-			for _, id := range mustExclude {
-				assert.NotContains(t, affected, id, "peer must not be affected")
-			}
+			assert.ElementsMatch(t, affected, mustContain, "expected peer to be affected")
+			assert.NotContains(t, affected, mustExclude, "peer must not be affected")
 		})
 	}
 }

management/server/affected_peers_test.go

@@ -96,33 +96,54 @@ func affectedGroupID(i int) string   { return fmt.Sprintf("affected-grp-%d", i)
 func affectedGroupName(i int) string { return fmt.Sprintf("AffectedGroup%d", i) }
 
 func TestCollectGroupChange_PolicyLinked(t *testing.T) {
-	manager, s, accountID, _, groupIDs := setupAffectedPeersTest(t)
+	manager, s, accountID, peerIDs, groupIDs := setupAffectedPeersTest(t)
 	ctx := context.Background()
 
 	_, err := manager.SavePolicy(ctx, accountID, userID, &types.Policy{
 		Enabled: true,
 		Rules: []*types.PolicyRule{
 			{
-				Enabled:       true,
-				Sources:       []string{groupIDs[0]},
-				Destinations:  []string{groupIDs[1]},
-				Bidirectional: true,
-				Action:        types.PolicyTrafficActionAccept,
+				Enabled:             true,
+				Sources:             []string{groupIDs[0]},
+				Destinations:        []string{groupIDs[1]},
+				SourceResource:      types.Resource{ID: peerIDs[0], Type: types.ResourceTypePeer},
+				DestinationResource: types.Resource{ID: peerIDs[1], Type: types.ResourceTypePeer},
+				Bidirectional:       true,
+				Action:              types.PolicyTrafficActionAccept,
+			},
+			{
+				Enabled:             true,
+				Sources:             []string{groupIDs[0]},
+				Destinations:        []string{groupIDs[1]},
+				SourceResource:      types.Resource{ID: peerIDs[2], Type: types.ResourceTypeHost},
+				DestinationResource: types.Resource{ID: peerIDs[3], Type: types.ResourceTypeHost},
+				Bidirectional:       true,
+				Action:              types.PolicyTrafficActionAccept,
+			},
+			{
+				Enabled:             true,
+				Sources:             []string{groupIDs[0]},
+				Destinations:        []string{groupIDs[1]},
+				SourceResource:      types.Resource{ID: "", Type: types.ResourceTypePeer},
+				DestinationResource: types.Resource{ID: "", Type: types.ResourceTypePeer},
+				Bidirectional:       true,
+				Action:              types.PolicyTrafficActionAccept,
 			},
 		},
 	}, true)
 	require.NoError(t, err)
 
-	groups, _ := collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[0]})
-	assert.Contains(t, groups, groupIDs[0])
-	assert.Contains(t, groups, groupIDs[1])
+	groups, directPeers := collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[0]})
+	assert.ElementsMatch(t, groups, []string{groupIDs[0], groupIDs[1]})
+	assert.ElementsMatch(t, directPeers, []string{peerIDs[1]})
 
-	groups, _ = collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[1]})
-	assert.Contains(t, groups, groupIDs[0])
-	assert.Contains(t, groups, groupIDs[1])
+	groups, directPeers = collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[1]})
+	assert.ElementsMatch(t, groups, []string{groupIDs[0], groupIDs[1]})
+	assert.ElementsMatch(t, directPeers, []string{peerIDs[0]})
 
-	groups, _ = collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[2]})
+	groups, directPeers = collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[2]})
 	assert.Empty(t, groups)
+	assert.Empty(t, directPeers)
 }
 
 func TestCollectGroupChange_PolicyWithDirectPeerResource(t *testing.T) {
@@ -133,20 +154,44 @@ func TestCollectGroupChange_PolicyWithDirectPeerResource(t *testing.T) {
 		Enabled: true,
 		Rules: []*types.PolicyRule{
 			{
-				Enabled:        true,
-				Sources:        []string{groupIDs[0]},
-				SourceResource: types.Resource{ID: peerIDs[3], Type: types.ResourceTypePeer},
-				Destinations:   []string{groupIDs[1]},
-				Action:         types.PolicyTrafficActionAccept,
+				Enabled:             true,
+				Sources:             []string{groupIDs[0]},
+				SourceResource:      types.Resource{ID: peerIDs[3], Type: types.ResourceTypePeer},
+				DestinationResource: types.Resource{ID: peerIDs[4], Type: types.ResourceTypePeer},
+				Destinations:        []string{groupIDs[1]},
+				Action:              types.PolicyTrafficActionAccept,
+			},
+			{
+				Enabled:             true,
+				Sources:             []string{groupIDs[0]},
+				SourceResource:      types.Resource{ID: peerIDs[1], Type: types.ResourceTypeHost},
+				DestinationResource: types.Resource{ID: peerIDs[2], Type: types.ResourceTypeHost},
+				Destinations:        []string{groupIDs[1]},
+				Action:              types.PolicyTrafficActionAccept,
+			},
+			{
+				Enabled:             true,
+				Sources:             []string{groupIDs[0]},
+				SourceResource:      types.Resource{ID: "", Type: types.ResourceTypePeer},
+				DestinationResource: types.Resource{ID: "", Type: types.ResourceTypePeer},
+				Destinations:        []string{groupIDs[1]},
+				Action:              types.PolicyTrafficActionAccept,
 			},
 		},
 	}, true)
 	require.NoError(t, err)
 
 	groups, directPeers := collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[0]})
-	assert.Contains(t, groups, groupIDs[0])
-	assert.Contains(t, groups, groupIDs[1])
-	assert.Contains(t, directPeers, peerIDs[3])
+	assert.ElementsMatch(t, groups, []string{groupIDs[0], groupIDs[1]})
+	assert.ElementsMatch(t, directPeers, []string{peerIDs[4]})
+
+	groups, directPeers = collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[1]})
+	assert.ElementsMatch(t, groups, []string{groupIDs[0], groupIDs[1]})
+	assert.ElementsMatch(t, directPeers, []string{peerIDs[3]})
+
+	groups, directPeers = collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[2]})
+	assert.Empty(t, groups)
+	assert.Empty(t, directPeers)
 }
 
 func TestCollectGroupChange_PolicyWithNonPeerResource_NoDirectPeers(t *testing.T) {
@@ -168,8 +213,7 @@ func TestCollectGroupChange_PolicyWithNonPeerResource_NoDirectPeers(t *testing.T
 	require.NoError(t, err)
 
 	groups, directPeers := collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[0]})
-	assert.Contains(t, groups, groupIDs[0])
-	assert.Contains(t, groups, groupIDs[1])
+	assert.ElementsMatch(t, groups, []string{groupIDs[0], groupIDs[1]})
 	assert.Empty(t, directPeers, "non-peer resources should not produce direct peer IDs")
 }
 
@@ -373,17 +417,11 @@ func TestCollectGroupChange_MultipleEntities(t *testing.T) {
 	require.NoError(t, err)
 
 	groups, directPeers := collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[0]})
-	assert.Contains(t, groups, groupIDs[0])
-	assert.Contains(t, groups, groupIDs[1])
-	assert.NotContains(t, groups, groupIDs[2])
-	assert.NotContains(t, groups, groupIDs[3])
+	assert.ElementsMatch(t, groups, []string{groupIDs[0], groupIDs[1]})
 	assert.Empty(t, directPeers)
 
 	groups, directPeers = collectGroupChangeAffectedGroups(ctx, s, accountID, []string{groupIDs[3]})
-	assert.Contains(t, groups, groupIDs[2])
-	assert.Contains(t, groups, groupIDs[3])
-	assert.NotContains(t, groups, groupIDs[0])
-	assert.NotContains(t, groups, groupIDs[1])
+	assert.ElementsMatch(t, groups, []string{groupIDs[2], groupIDs[3]})
 	assert.Empty(t, directPeers)
 }
 
@@ -474,7 +512,7 @@ func TestResolveAffectedPeers_PolicyThreeGroups(t *testing.T) {
 	require.NoError(t, err)
 
 	result := manager.resolveAffectedPeersForPeerChanges(ctx, s, accountID, []string{peerIDs[0]})
-	assert.ElementsMatch(t, []string{peerIDs[0], peerIDs[1], peerIDs[2]}, result)
+	assert.ElementsMatch(t, []string{peerIDs[0], peerIDs[2]}, result)
 }
 
 func TestResolveAffectedPeers_RoutePeerGroups(t *testing.T) {
@@ -659,9 +697,13 @@ func TestResolveAffectedPeers_PeerInMultipleGroups(t *testing.T) {
 	}, true)
 	require.NoError(t, err)
 
-	// peer0 is in group0 AND group1, so both policies apply
+	// peer0 is in group0 AND group1, so both policies apply. A peer change folds
+	// only the changed peer plus the opposite side of each rule: group2 (peer2) via
+	// the group0 policy and group3 (peer3) via the group1 policy. peer1, a co-member
+	// of group1, is a sibling of the changed peer and must NOT refresh.
 	result := manager.resolveAffectedPeersForPeerChanges(ctx, s, accountID, []string{peerIDs[0]})
-	assert.ElementsMatch(t, []string{peerIDs[0], peerIDs[1], peerIDs[2], peerIDs[3]}, result)
+	assert.ElementsMatch(t, []string{peerIDs[0], peerIDs[2], peerIDs[3]}, result)
+	assert.NotContains(t, result, peerIDs[1], "co-member of the changed peer's group must not refresh")
 }
 
 func TestResolveAffectedPeers_MultipleChangedPeers(t *testing.T) {
@@ -697,7 +739,7 @@ func TestResolveAffectedPeers_MultipleChangedPeers(t *testing.T) {
 	require.NoError(t, err)
 
 	result := manager.resolveAffectedPeersForPeerChanges(ctx, s, accountID, []string{peerIDs[0], peerIDs[2]})
-	assert.ElementsMatch(t, []string{peerIDs[0], peerIDs[1], peerIDs[2], peerIDs[3]}, result)
+	assert.ElementsMatch(t, []string{peerIDs[0], peerIDs[2], peerIDs[1], peerIDs[3]}, result)
 }
 
 func TestResolveAffectedPeers_SharedGroupAcrossPolicyAndRoute(t *testing.T) {

management/server/affectedpeers/resolver.go

@@ -221,15 +221,17 @@ func Collect(ctx context.Context, s store.Store, accountID string, c Change) (gr
 
 func newResolver(ctx context.Context, snap *Snapshot, accountID string, c Change) *resolver {
 	r := &resolver{
-		ctx:             ctx,
-		snap:            snap,
-		accountID:       accountID,
-		change:          c,
-		changedGroupSet: toSet(c.ChangedGroupIDs),
-		changedPeerSet:  toSet(c.ChangedPeerIDs),
-		groupSet:        make(map[string]struct{}),
-		peerSet:         make(map[string]struct{}),
-		networkIDs:      make(map[string]struct{}),
+		ctx:                        ctx,
+		snap:                       snap,
+		accountID:                  accountID,
+		change:                     c,
+		changedGroupSet:            toSet(c.ChangedGroupIDs),
+		changedPeerSet:             toSet(c.ChangedPeerIDs),
+		groupSet:                   make(map[string]struct{}),
+		peerSet:                    make(map[string]struct{}),
+		networkIDs:                 make(map[string]struct{}),
+		sourceOriginatedNetworkIDs: make(map[string]struct{}),
+		changedGroupIDs:            toSet(c.ChangedGroupIDs),
 	}
 	// Resolve each changed peer to its groups here so callers pass only ChangedPeerIDs.
 	r.seedChangedGroupsFromPeers()
@@ -239,6 +241,9 @@ func newResolver(ctx context.Context, snap *Snapshot, accountID string, c Change
 
 // seedChangedGroupsFromPeers adds each changed peer's groups to changedGroupSet so
 // the group-driven walkers fire for memberships, not just direct peer references.
+// These seeded groups are for MATCHING only — folding the changed entity's own
+// side is gated on changedGroupIDs (the caller-reported groups), so a seeded group
+// never folds its whole membership; only the changed peer itself folds in.
 func (r *resolver) seedChangedGroupsFromPeers() {
 	if len(r.changedPeerSet) == 0 {
 		return
@@ -292,6 +297,18 @@ type resolver struct {
 
 	matchedPolicies []*types.Policy
 	networkIDs      map[string]struct{}
+	// sourceOriginatedNetworkIDs are networks marked affected only because a
+	// source-side change targets a resource on them (bridgeSourceToRouters). Their
+	// routers must refresh, but the policy sources must not be folded back: a
+	// changed source propagates only to the opposite (router) side, never to its
+	// co-sources. Networks marked by a router/resource/network change are absent
+	// here and do fold sources, since the destination side itself changed.
+	sourceOriginatedNetworkIDs map[string]struct{}
+
+	// changedGroupIDs are the groups the caller reported as changed via
+	// Change.ChangedGroupIDs (NOT the peer-seeded ones in changedGroupSet). Only
+	// these fold their whole membership; a peer-seeded group folds the peer alone.
+	changedGroupIDs map[string]struct{}
 }
 
 func (r *resolver) policies() []*types.Policy { return r.snap.policies }
@@ -445,21 +462,88 @@ func (r *resolver) collectFromPostureChecks(postureCheckIDs []string) {
 	}
 }
 
+// collectFromPolicies folds, for every policy a changed group or peer touches:
+// the opposite side of the matching rule, the changed entity's own side (the
+// changed group itself, or the changed peer alone — never the changed side's
+// sibling groups or co-members), and records the policy for the resource<->router
+// bridge. A changed peer is mapped to its groups in changedGroupSet up front (see
+// seedChangedGroupsFromPeers); changedGroupIDs holds only the caller-reported
+// groups, so a peer-seeded group does not fold its whole membership.
 func (r *resolver) collectFromPolicies() {
 	for _, policy := range r.policies() {
-		matchedByGroup := policyReferencesGroups(policy, r.changedGroupSet)
-		matchedByPeer := len(r.changedPeerSet) > 0 && policyReferencesDirectPeers(policy, r.changedPeerSet)
-		if !matchedByGroup && !matchedByPeer {
+		if !r.collectPolicyDirectional(policy) {
 			continue
 		}
-		log.WithContext(r.ctx).Tracef("collectFromPolicies: policy %s (%s) matched (byGroup=%t byPeer=%t) -> folding rule groups %v + direct peers",
-			policy.ID, policy.Name, matchedByGroup, matchedByPeer, policy.RuleGroups())
-		addAll(r.groupSet, policy.RuleGroups())
-		collectPolicyDirectPeers(policy, r.peerSet)
+		log.WithContext(r.ctx).Tracef("collectFromPolicies: policy %s (%s) matched directionally", policy.ID, policy.Name)
 		r.matchedPolicies = append(r.matchedPolicies, policy)
 	}
 }
 
+// collectPolicyDirectional folds one policy's affected groups/peers and reports
+// whether it matched a changed group or peer at all (so the caller can record it
+// for the bridge even when the opposite side is a resource, not a group).
+func (r *resolver) collectPolicyDirectional(policy *types.Policy) bool {
+	matched := false
+	for _, rule := range policy.Rules {
+		matched = r.foldRuleSide(rule.Sources, rule.Destinations, rule.DestinationResource) || matched
+		matched = r.foldRuleSide(rule.Destinations, rule.Sources, rule.SourceResource) || matched
+
+		if isDirectPeerInSet(rule.SourceResource, r.changedPeerSet) {
+			r.peerSet[rule.SourceResource.ID] = struct{}{}
+			addAll(r.groupSet, rule.Destinations)
+			if rule.DestinationResource.Type == types.ResourceTypePeer && rule.DestinationResource.ID != "" {
+				r.peerSet[rule.DestinationResource.ID] = struct{}{}
+			}
+			matched = true
+		}
+		if isDirectPeerInSet(rule.DestinationResource, r.changedPeerSet) {
+			r.peerSet[rule.DestinationResource.ID] = struct{}{}
+			addAll(r.groupSet, rule.Sources)
+			if rule.SourceResource.Type == types.ResourceTypePeer && rule.SourceResource.ID != "" {
+				r.peerSet[rule.SourceResource.ID] = struct{}{}
+			}
+			matched = true
+		}
+	}
+	return matched
+}
+
+// foldRuleSide handles a changed group on `near` (Sources or Destinations): it
+// folds the `far` (opposite) groups and far resource peer, the changed group(s)
+// themselves (caller-reported groups only — not seeded ones, so a changed peer's
+// group does not pull in its members), and the changed peers seeded from those
+// groups (the peer alone). Returns whether the side matched.
+func (r *resolver) foldRuleSide(near, far []string, farResource types.Resource) bool {
+	if !anyInSet(near, r.changedGroupSet) {
+		return false
+	}
+	addAll(r.groupSet, far)
+	if farResource.Type == types.ResourceTypePeer && farResource.ID != "" {
+		r.peerSet[farResource.ID] = struct{}{}
+	}
+	for _, gID := range near {
+		if _, ok := r.changedGroupIDs[gID]; ok {
+			r.groupSet[gID] = struct{}{} // changed group itself -> its members
+		}
+		r.foldChangedPeersInGroup(gID) // a changed peer in this group -> the peer alone
+	}
+	return true
+}
+
+// foldChangedPeersInGroup folds changed peers that belong to groupID directly into
+// peerSet (the peer only, never its co-members).
+func (r *resolver) foldChangedPeersInGroup(groupID string) {
+	if len(r.changedPeerSet) == 0 {
+		return
+	}
+	members := r.snap.groupPeers[groupID]
+	for pID := range r.changedPeerSet {
+		if _, ok := members[pID]; ok {
+			r.peerSet[pID] = struct{}{}
+		}
+	}
+}
+
 func (r *resolver) collectFromRoutes() {
 	for _, rt := range r.snap.routes {
 		matchedByGroup := anyInSet(rt.Groups, r.changedGroupSet) || anyInSet(rt.PeerGroups, r.changedGroupSet) || anyInSet(rt.AccessControlGroups, r.changedGroupSet)
@@ -588,6 +672,11 @@ func (r *resolver) bridgeSourceToRouters() {
 	log.WithContext(r.ctx).Tracef("bridgeSourceToRouters: targeted resources %v -> networks %v (their routers become affected via the router->source pass)",
 		setToSlice(resourceIDs), setToSlice(networkIDs))
 	for id := range networkIDs {
+		// Mark source-originated unless a router/resource/network change already
+		// marked this network directly (then it folds sources back).
+		if _, ok := r.networkIDs[id]; !ok {
+			r.sourceOriginatedNetworkIDs[id] = struct{}{}
+		}
 		r.networkIDs[id] = struct{}{}
 	}
 }
@@ -602,11 +691,19 @@ func (r *resolver) bridgeRoutersToSources() {
 
 	r.foldRoutersOnNetworks(r.networkIDs)
 
+	// Sources are folded back only for networks the destination side itself changed
+	// (router/resource/network change). Networks reached only because a source-side
+	// change targets their resource must not refresh the policy's sources — the
+	// changed source propagates to the router side, not back to its co-sources.
 	resourceIDs := make(map[string]struct{})
 	for _, resource := range r.networkResources() {
-		if _, ok := r.networkIDs[resource.NetworkID]; ok {
-			resourceIDs[resource.ID] = struct{}{}
+		if _, ok := r.networkIDs[resource.NetworkID]; !ok {
+			continue
 		}
+		if _, sourceOriginated := r.sourceOriginatedNetworkIDs[resource.NetworkID]; sourceOriginated {
+			continue
+		}
+		resourceIDs[resource.ID] = struct{}{}
 	}
 	if len(resourceIDs) == 0 {
 		return
@@ -734,24 +831,6 @@ func collectPolicySources(policy *types.Policy, groupSet, peerSet map[string]str
 	}
 }
 
-func policyReferencesGroups(policy *types.Policy, groupSet map[string]struct{}) bool {
-	for _, rule := range policy.Rules {
-		if anyInSet(rule.Sources, groupSet) || anyInSet(rule.Destinations, groupSet) {
-			return true
-		}
-	}
-	return false
-}
-
-func policyReferencesDirectPeers(policy *types.Policy, changedSet map[string]struct{}) bool {
-	for _, rule := range policy.Rules {
-		if isDirectPeerInSet(rule.SourceResource, changedSet) || isDirectPeerInSet(rule.DestinationResource, changedSet) {
-			return true
-		}
-	}
-	return false
-}
-
 func policyReferencesPostureChecks(policy *types.Policy, ids map[string]struct{}) bool {
 	for _, id := range policy.SourcePostureChecks {
 		if _, ok := ids[id]; ok {

management/server/affectedpeers/resolver_test.go

@@ -80,26 +80,6 @@ func TestChangeIsEmpty(t *testing.T) {
 	assert.False(t, Change{PostureCheckIDs: []string{"pc"}}.isEmpty())
 }
 
-func TestPolicyReferencesGroups(t *testing.T) {
-	policy := &types.Policy{Rules: []*types.PolicyRule{{Sources: []string{"g1", "g2"}, Destinations: []string{"g3"}}}}
-
-	assert.True(t, policyReferencesGroups(policy, map[string]struct{}{"g1": {}}))
-	assert.True(t, policyReferencesGroups(policy, map[string]struct{}{"g3": {}}))
-	assert.False(t, policyReferencesGroups(policy, map[string]struct{}{"g4": {}}))
-	assert.False(t, policyReferencesGroups(policy, map[string]struct{}{}))
-}
-
-func TestPolicyReferencesDirectPeers(t *testing.T) {
-	policy := &types.Policy{Rules: []*types.PolicyRule{{
-		SourceResource:      types.Resource{Type: types.ResourceTypePeer, ID: "p1"},
-		DestinationResource: types.Resource{Type: types.ResourceTypeHost, ID: "r1"},
-	}}}
-
-	assert.True(t, policyReferencesDirectPeers(policy, map[string]struct{}{"p1": {}}))
-	assert.False(t, policyReferencesDirectPeers(policy, map[string]struct{}{"r1": {}}))
-	assert.False(t, policyReferencesDirectPeers(policy, map[string]struct{}{"p2": {}}))
-}
-
 func TestPolicyReferencesPostureChecks(t *testing.T) {
 	policy := &types.Policy{SourcePostureChecks: []string{"pc1", "pc2"}}