Refactor Sync

When we delete a peer from an account, we save the account in the file store.
The file store maintains peerID -> accountID and peerKey -> accountID indices.
Those can't be updated when we delete a peer because the store saves the whole account
without a peer already and has no access to the removed peer.
In this PR, we dynamically check if there are stale indices when GetAccountByPeerPubKey
and GetAccountByPeerID.

.github/workflows/release.yml

@@ -9,7 +9,7 @@ on:
   pull_request:
 
 env:
-  SIGN_PIPE_VER: "v0.0.4"
+  SIGN_PIPE_VER: "v0.0.5"
   GORELEASER_VER: "v1.14.1"
 
 jobs:

client/cmd/status.go

@@ -2,25 +2,74 @@ package cmd
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"net"
 	"net/netip"
 	"sort"
 	"strings"
+	"time"
+
+	"github.com/spf13/cobra"
+	"google.golang.org/grpc/status"
+	"gopkg.in/yaml.v3"
 
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/proto"
-	nbStatus "github.com/netbirdio/netbird/client/status"
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/util"
-	"github.com/spf13/cobra"
-	"google.golang.org/grpc/status"
 )
 
+type peerStateDetailOutput struct {
+	FQDN             string           `json:"fqdn" yaml:"fqdn"`
+	IP               string           `json:"netbirdIp" yaml:"netbirdIp"`
+	PubKey           string           `json:"publicKey" yaml:"publicKey"`
+	Status           string           `json:"status" yaml:"status"`
+	LastStatusUpdate time.Time        `json:"lastStatusUpdate" yaml:"lastStatusUpdate"`
+	ConnType         string           `json:"connectionType" yaml:"connectionType"`
+	Direct           bool             `json:"direct" yaml:"direct"`
+	IceCandidateType iceCandidateType `json:"iceCandidateType" yaml:"iceCandidateType"`
+}
+
+type peersStateOutput struct {
+	Total     int                     `json:"total" yaml:"total"`
+	Connected int                     `json:"connected" yaml:"connected"`
+	Details   []peerStateDetailOutput `json:"details" yaml:"details"`
+}
+
+type signalStateOutput struct {
+	URL       string `json:"url" yaml:"url"`
+	Connected bool   `json:"connected" yaml:"connected"`
+}
+
+type managementStateOutput struct {
+	URL       string `json:"url" yaml:"url"`
+	Connected bool   `json:"connected" yaml:"connected"`
+}
+
+type iceCandidateType struct {
+	Local  string `json:"local" yaml:"local"`
+	Remote string `json:"remote" yaml:"remote"`
+}
+
+type statusOutputOverview struct {
+	Peers           peersStateOutput      `json:"peers" yaml:"peers"`
+	CliVersion      string                `json:"cliVersion" yaml:"cliVersion"`
+	DaemonVersion   string                `json:"daemonVersion" yaml:"daemonVersion"`
+	ManagementState managementStateOutput `json:"management" yaml:"management"`
+	SignalState     signalStateOutput     `json:"signal" yaml:"signal"`
+	IP              string                `json:"netbirdIp" yaml:"netbirdIp"`
+	PubKey          string                `json:"publicKey" yaml:"publicKey"`
+	KernelInterface bool                  `json:"usesKernelInterface" yaml:"usesKernelInterface"`
+	FQDN            string                `json:"fqdn" yaml:"fqdn"`
+}
+
 var (
 	detailFlag   bool
 	ipv4Flag     bool
+	jsonFlag     bool
+	yamlFlag     bool
 	ipsFilter    []string
 	statusFilter string
 	ipsFilterMap map[string]struct{}
@@ -29,67 +78,99 @@ var (
 var statusCmd = &cobra.Command{
 	Use:   "status",
 	Short: "status of the Netbird Service",
-	RunE: func(cmd *cobra.Command, args []string) error {
-		SetFlagsFromEnvVars(rootCmd)
-
-		cmd.SetOut(cmd.OutOrStdout())
-
-		err := parseFilters()
-		if err != nil {
-			return err
-		}
-
-		err = util.InitLog(logLevel, "console")
-		if err != nil {
-			return fmt.Errorf("failed initializing log %v", err)
-		}
-
-		ctx := internal.CtxInitState(context.Background())
-
-		conn, err := DialClientGRPCServer(ctx, daemonAddr)
-		if err != nil {
-			return fmt.Errorf("failed to connect to daemon error: %v\n"+
-				"If the daemon is not running please run: "+
-				"\nnetbird service install \nnetbird service start\n", err)
-		}
-		defer conn.Close()
-
-		resp, err := proto.NewDaemonServiceClient(conn).Status(cmd.Context(), &proto.StatusRequest{GetFullPeerStatus: true})
-		if err != nil {
-			return fmt.Errorf("status failed: %v", status.Convert(err).Message())
-		}
-
-		daemonStatus := fmt.Sprintf("Daemon status: %s\n", resp.GetStatus())
-		if resp.GetStatus() == string(internal.StatusNeedsLogin) || resp.GetStatus() == string(internal.StatusLoginFailed) {
-
-			cmd.Printf("%s\n"+
-				"Run UP command to log in with SSO (interactive login):\n\n"+
-				" netbird up \n\n"+
-				"If you are running a self-hosted version and no SSO provider has been configured in your Management Server,\n"+
-				"you can use a setup-key:\n\n netbird up --management-url <YOUR_MANAGEMENT_URL> --setup-key <YOUR_SETUP_KEY>\n\n"+
-				"More info: https://www.netbird.io/docs/overview/setup-keys\n\n",
-				daemonStatus,
-			)
-			return nil
-		}
-
-		pbFullStatus := resp.GetFullStatus()
-		fullStatus := fromProtoFullStatus(pbFullStatus)
-
-		cmd.Print(parseFullStatus(fullStatus, detailFlag, daemonStatus, resp.GetDaemonVersion(), ipv4Flag))
-
-		return nil
-	},
+	RunE:  statusFunc,
 }
 
 func init() {
 	ipsFilterMap = make(map[string]struct{})
-	statusCmd.PersistentFlags().BoolVarP(&detailFlag, "detail", "d", false, "display detailed status information")
+	statusCmd.PersistentFlags().BoolVarP(&detailFlag, "detail", "d", false, "display detailed status information in human-readable format")
+	statusCmd.PersistentFlags().BoolVar(&jsonFlag, "json", false, "display detailed status information in json format")
+	statusCmd.PersistentFlags().BoolVar(&yamlFlag, "yaml", false, "display detailed status information in yaml format")
 	statusCmd.PersistentFlags().BoolVar(&ipv4Flag, "ipv4", false, "display only NetBird IPv4 of this peer, e.g., --ipv4 will output 100.64.0.33")
+	statusCmd.MarkFlagsMutuallyExclusive("detail", "json", "yaml", "ipv4")
 	statusCmd.PersistentFlags().StringSliceVar(&ipsFilter, "filter-by-ips", []string{}, "filters the detailed output by a list of one or more IPs, e.g., --filter-by-ips 100.64.0.100,100.64.0.200")
 	statusCmd.PersistentFlags().StringVar(&statusFilter, "filter-by-status", "", "filters the detailed output by connection status(connected|disconnected), e.g., --filter-by-status connected")
 }
 
+func statusFunc(cmd *cobra.Command, args []string) error {
+	SetFlagsFromEnvVars(rootCmd)
+
+	cmd.SetOut(cmd.OutOrStdout())
+
+	err := parseFilters()
+	if err != nil {
+		return err
+	}
+
+	err = util.InitLog(logLevel, "console")
+	if err != nil {
+		return fmt.Errorf("failed initializing log %v", err)
+	}
+
+	ctx := internal.CtxInitState(context.Background())
+
+	resp, _ := getStatus(ctx, cmd)
+	if err != nil {
+		return nil
+	}
+
+	if resp.GetStatus() == string(internal.StatusNeedsLogin) || resp.GetStatus() == string(internal.StatusLoginFailed) {
+		cmd.Printf("Daemon status: %s\n\n"+
+			"Run UP command to log in with SSO (interactive login):\n\n"+
+			" netbird up \n\n"+
+			"If you are running a self-hosted version and no SSO provider has been configured in your Management Server,\n"+
+			"you can use a setup-key:\n\n netbird up --management-url <YOUR_MANAGEMENT_URL> --setup-key <YOUR_SETUP_KEY>\n\n"+
+			"More info: https://www.netbird.io/docs/overview/setup-keys\n\n",
+			resp.GetStatus(),
+		)
+		return nil
+	}
+
+	if ipv4Flag {
+		cmd.Print(parseInterfaceIP(resp.GetFullStatus().GetLocalPeerState().GetIP()))
+		return nil
+	}
+
+	outputInformationHolder := convertToStatusOutputOverview(resp)
+
+	statusOutputString := ""
+	switch {
+	case detailFlag:
+		statusOutputString = parseToFullDetailSummary(outputInformationHolder)
+	case jsonFlag:
+		statusOutputString, err = parseToJSON(outputInformationHolder)
+	case yamlFlag:
+		statusOutputString, err = parseToYAML(outputInformationHolder)
+	default:
+		statusOutputString = parseGeneralSummary(outputInformationHolder, false)
+	}
+
+	if err != nil {
+		return err
+	}
+
+	cmd.Print(statusOutputString)
+
+	return nil
+}
+
+func getStatus(ctx context.Context, cmd *cobra.Command) (*proto.StatusResponse, error) {
+	conn, err := DialClientGRPCServer(ctx, daemonAddr)
+	if err != nil {
+		return nil, fmt.Errorf("failed to connect to daemon error: %v\n"+
+			"If the daemon is not running please run: "+
+			"\nnetbird service install \nnetbird service start\n", err)
+	}
+	defer conn.Close()
+
+	resp, err := proto.NewDaemonServiceClient(conn).Status(cmd.Context(), &proto.StatusRequest{GetFullPeerStatus: true})
+	if err != nil {
+		return nil, fmt.Errorf("status failed: %v", status.Convert(err).Message())
+	}
+
+	return resp, nil
+}
+
 func parseFilters() error {
 	switch strings.ToLower(statusFilter) {
 	case "", "disconnected", "connected":
@@ -109,195 +190,229 @@ func parseFilters() error {
 	return nil
 }
 
-func fromProtoFullStatus(pbFullStatus *proto.FullStatus) nbStatus.FullStatus {
-	var fullStatus nbStatus.FullStatus
+func convertToStatusOutputOverview(resp *proto.StatusResponse) statusOutputOverview {
+	pbFullStatus := resp.GetFullStatus()
+
 	managementState := pbFullStatus.GetManagementState()
-	fullStatus.ManagementState.URL = managementState.GetURL()
-	fullStatus.ManagementState.Connected = managementState.GetConnected()
-
-	signalState := pbFullStatus.GetSignalState()
-	fullStatus.SignalState.URL = signalState.GetURL()
-	fullStatus.SignalState.Connected = signalState.GetConnected()
-
-	localPeerState := pbFullStatus.GetLocalPeerState()
-	fullStatus.LocalPeerState.IP = localPeerState.GetIP()
-	fullStatus.LocalPeerState.PubKey = localPeerState.GetPubKey()
-	fullStatus.LocalPeerState.KernelInterface = localPeerState.GetKernelInterface()
-	fullStatus.LocalPeerState.FQDN = localPeerState.GetFqdn()
-
-	var peersState []nbStatus.PeerState
-
-	for _, pbPeerState := range pbFullStatus.GetPeers() {
-		timeLocal := pbPeerState.GetConnStatusUpdate().AsTime().Local()
-		peerState := nbStatus.PeerState{
-			IP:                     pbPeerState.GetIP(),
-			PubKey:                 pbPeerState.GetPubKey(),
-			ConnStatus:             pbPeerState.GetConnStatus(),
-			ConnStatusUpdate:       timeLocal,
-			Relayed:                pbPeerState.GetRelayed(),
-			Direct:                 pbPeerState.GetDirect(),
-			LocalIceCandidateType:  pbPeerState.GetLocalIceCandidateType(),
-			RemoteIceCandidateType: pbPeerState.GetRemoteIceCandidateType(),
-			FQDN:                   pbPeerState.GetFqdn(),
-		}
-		peersState = append(peersState, peerState)
+	managementOverview := managementStateOutput{
+		URL:       managementState.GetURL(),
+		Connected: managementState.GetConnected(),
 	}
 
-	fullStatus.Peers = peersState
+	signalState := pbFullStatus.GetSignalState()
+	signalOverview := signalStateOutput{
+		URL:       signalState.GetURL(),
+		Connected: signalState.GetConnected(),
+	}
 
-	return fullStatus
+	peersOverview := mapPeers(resp.GetFullStatus().GetPeers())
+
+	overview := statusOutputOverview{
+		Peers:           peersOverview,
+		CliVersion:      system.NetbirdVersion(),
+		DaemonVersion:   resp.GetDaemonVersion(),
+		ManagementState: managementOverview,
+		SignalState:     signalOverview,
+		IP:              pbFullStatus.GetLocalPeerState().GetIP(),
+		PubKey:          pbFullStatus.GetLocalPeerState().GetPubKey(),
+		KernelInterface: pbFullStatus.GetLocalPeerState().GetKernelInterface(),
+		FQDN:            pbFullStatus.GetLocalPeerState().GetFqdn(),
+	}
+
+	return overview
 }
 
-func parseFullStatus(fullStatus nbStatus.FullStatus, printDetail bool, daemonStatus string, daemonVersion string, flag bool) string {
+func mapPeers(peers []*proto.PeerState) peersStateOutput {
+	var peersStateDetail []peerStateDetailOutput
+	localICE := ""
+	remoteICE := ""
+	connType := ""
+	peersConnected := 0
+	for _, pbPeerState := range peers {
+		isPeerConnected := pbPeerState.ConnStatus == peer.StatusConnected.String()
+		if skipDetailByFilters(pbPeerState, isPeerConnected) {
+			continue
+		}
+		if isPeerConnected {
+			peersConnected = peersConnected + 1
 
-	interfaceIP := fullStatus.LocalPeerState.IP
+			localICE = pbPeerState.GetLocalIceCandidateType()
+			remoteICE = pbPeerState.GetRemoteIceCandidateType()
+			connType = "P2P"
+			if pbPeerState.Relayed {
+				connType = "Relayed"
+			}
+		}
 
+		timeLocal := pbPeerState.GetConnStatusUpdate().AsTime().Local()
+		peerState := peerStateDetailOutput{
+			IP:               pbPeerState.GetIP(),
+			PubKey:           pbPeerState.GetPubKey(),
+			Status:           pbPeerState.GetConnStatus(),
+			LastStatusUpdate: timeLocal.UTC(),
+			ConnType:         connType,
+			Direct:           pbPeerState.GetDirect(),
+			IceCandidateType: iceCandidateType{
+				Local:  localICE,
+				Remote: remoteICE,
+			},
+			FQDN: pbPeerState.GetFqdn(),
+		}
+
+		peersStateDetail = append(peersStateDetail, peerState)
+	}
+
+	sortPeersByIP(peersStateDetail)
+
+	peersOverview := peersStateOutput{
+		Total:     len(peersStateDetail),
+		Connected: peersConnected,
+		Details:   peersStateDetail,
+	}
+	return peersOverview
+}
+
+func sortPeersByIP(peersStateDetail []peerStateDetailOutput) {
+	if len(peersStateDetail) > 0 {
+		sort.SliceStable(peersStateDetail, func(i, j int) bool {
+			iAddr, _ := netip.ParseAddr(peersStateDetail[i].IP)
+			jAddr, _ := netip.ParseAddr(peersStateDetail[j].IP)
+			return iAddr.Compare(jAddr) == -1
+		})
+	}
+}
+
+func parseInterfaceIP(interfaceIP string) string {
 	ip, _, err := net.ParseCIDR(interfaceIP)
 	if err != nil {
 		return ""
 	}
+	return fmt.Sprintf("%s\n", ip)
+}
 
-	if ipv4Flag {
-		return fmt.Sprintf("%s\n", ip)
+func parseToJSON(overview statusOutputOverview) (string, error) {
+	jsonBytes, err := json.Marshal(overview)
+	if err != nil {
+		return "", fmt.Errorf("json marshal failed")
 	}
+	return string(jsonBytes), err
+}
 
-	var (
-		managementStatusURL  = ""
-		signalStatusURL      = ""
-		managementConnString = "Disconnected"
-		signalConnString     = "Disconnected"
-		interfaceTypeString  = "Userspace"
-	)
-
-	if printDetail {
-		managementStatusURL = fmt.Sprintf(" to %s", fullStatus.ManagementState.URL)
-		signalStatusURL = fmt.Sprintf(" to %s", fullStatus.SignalState.URL)
+func parseToYAML(overview statusOutputOverview) (string, error) {
+	yamlBytes, err := yaml.Marshal(overview)
+	if err != nil {
+		return "", fmt.Errorf("yaml marshal failed")
 	}
+	return string(yamlBytes), nil
+}
 
-	if fullStatus.ManagementState.Connected {
+func parseGeneralSummary(overview statusOutputOverview, showURL bool) string {
+
+	managementConnString := "Disconnected"
+	if overview.ManagementState.Connected {
 		managementConnString = "Connected"
+		if showURL {
+			managementConnString = fmt.Sprintf("%s to %s", managementConnString, overview.ManagementState.URL)
+		}
 	}
 
-	if fullStatus.SignalState.Connected {
+	signalConnString := "Disconnected"
+	if overview.SignalState.Connected {
 		signalConnString = "Connected"
+		if showURL {
+			signalConnString = fmt.Sprintf("%s to %s", signalConnString, overview.SignalState.URL)
+		}
 	}
 
-	if fullStatus.LocalPeerState.KernelInterface {
+	interfaceTypeString := "Userspace"
+	interfaceIP := overview.IP
+	if overview.KernelInterface {
 		interfaceTypeString = "Kernel"
-	} else if fullStatus.LocalPeerState.IP == "" {
+	} else if overview.IP == "" {
 		interfaceTypeString = "N/A"
 		interfaceIP = "N/A"
 	}
 
-	parsedPeersString, peersConnected := parsePeers(fullStatus.Peers, printDetail)
-
-	peersCountString := fmt.Sprintf("%d/%d Connected", peersConnected, len(fullStatus.Peers))
+	peersCountString := fmt.Sprintf("%d/%d Connected", overview.Peers.Connected, overview.Peers.Total)
 
 	summary := fmt.Sprintf(
 		"Daemon version: %s\n"+
 			"CLI version: %s\n"+
-			"%s"+ // daemon status
-			"Management: %s%s\n"+
-			"Signal: %s%s\n"+
-			"Domain: %s\n"+
+			"Management: %s\n"+
+			"Signal: %s\n"+
+			"FQDN: %s\n"+
 			"NetBird IP: %s\n"+
 			"Interface type: %s\n"+
 			"Peers count: %s\n",
-		daemonVersion,
+		overview.DaemonVersion,
 		system.NetbirdVersion(),
-		daemonStatus,
 		managementConnString,
-		managementStatusURL,
 		signalConnString,
-		signalStatusURL,
-		fullStatus.LocalPeerState.FQDN,
+		overview.FQDN,
 		interfaceIP,
 		interfaceTypeString,
 		peersCountString,
 	)
-
-	if printDetail {
-		return fmt.Sprintf(
-			"Peers detail:"+
-				"%s\n"+
-				"%s",
-			parsedPeersString,
-			summary,
-		)
-	}
 	return summary
 }
 
-func parsePeers(peers []nbStatus.PeerState, printDetail bool) (string, int) {
-	var (
-		peersString    = ""
-		peersConnected = 0
+func parseToFullDetailSummary(overview statusOutputOverview) string {
+	parsedPeersString := parsePeers(overview.Peers)
+	summary := parseGeneralSummary(overview, true)
+
+	return fmt.Sprintf(
+		"Peers detail:"+
+			"%s\n"+
+			"%s",
+		parsedPeersString,
+		summary,
 	)
-
-	if len(peers) > 0 {
-		sort.SliceStable(peers, func(i, j int) bool {
-			iAddr, _ := netip.ParseAddr(peers[i].IP)
-			jAddr, _ := netip.ParseAddr(peers[j].IP)
-			return iAddr.Compare(jAddr) == -1
-		})
-	}
-
-	connectedStatusString := peer.StatusConnected.String()
-
-	for _, peerState := range peers {
-		peerConnectionStatus := false
-		if peerState.ConnStatus == connectedStatusString {
-			peersConnected = peersConnected + 1
-			peerConnectionStatus = true
-		}
-
-		if printDetail {
-
-			if skipDetailByFilters(peerState, peerConnectionStatus) {
-				continue
-			}
-
-			localICE := "-"
-			remoteICE := "-"
-			connType := "-"
-
-			if peerConnectionStatus {
-				localICE = peerState.LocalIceCandidateType
-				remoteICE = peerState.RemoteIceCandidateType
-				connType = "P2P"
-				if peerState.Relayed {
-					connType = "Relayed"
-				}
-			}
-
-			peerString := fmt.Sprintf(
-				"\n %s:\n"+
-					"  NetBird IP: %s\n"+
-					"  Public key: %s\n"+
-					"  Status: %s\n"+
-					"  -- detail --\n"+
-					"  Connection type: %s\n"+
-					"  Direct: %t\n"+
-					"  ICE candidate (Local/Remote): %s/%s\n"+
-					"  Last connection update: %s\n",
-				peerState.FQDN,
-				peerState.IP,
-				peerState.PubKey,
-				peerState.ConnStatus,
-				connType,
-				peerState.Direct,
-				localICE,
-				remoteICE,
-				peerState.ConnStatusUpdate.Format("2006-01-02 15:04:05"),
-			)
-
-			peersString = peersString + peerString
-		}
-	}
-	return peersString, peersConnected
 }
 
-func skipDetailByFilters(peerState nbStatus.PeerState, isConnected bool) bool {
+func parsePeers(peers peersStateOutput) string {
+	var (
+		peersString = ""
+	)
+
+	for _, peerState := range peers.Details {
+
+		localICE := "-"
+		if peerState.IceCandidateType.Local != "" {
+			localICE = peerState.IceCandidateType.Local
+		}
+
+		remoteICE := "-"
+		if peerState.IceCandidateType.Remote != "" {
+			remoteICE = peerState.IceCandidateType.Remote
+		}
+
+		peerString := fmt.Sprintf(
+			"\n %s:\n"+
+				"  NetBird IP: %s\n"+
+				"  Public key: %s\n"+
+				"  Status: %s\n"+
+				"  -- detail --\n"+
+				"  Connection type: %s\n"+
+				"  Direct: %t\n"+
+				"  ICE candidate (Local/Remote): %s/%s\n"+
+				"  Last connection update: %s\n",
+			peerState.FQDN,
+			peerState.IP,
+			peerState.PubKey,
+			peerState.Status,
+			peerState.ConnType,
+			peerState.Direct,
+			localICE,
+			remoteICE,
+			peerState.LastStatusUpdate.Format("2006-01-02 15:04:05"),
+		)
+
+		peersString = peersString + peerString
+	}
+	return peersString
+}
+
+func skipDetailByFilters(peerState *proto.PeerState, isConnected bool) bool {
 	statusEval := false
 	ipEval := false
 

client/cmd/status_test.go

@@ -0,0 +1,301 @@
+package cmd
+
+import (
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	"github.com/netbirdio/netbird/client/proto"
+	"github.com/netbirdio/netbird/client/system"
+)
+
+var resp = &proto.StatusResponse{
+	Status: "Connected",
+	FullStatus: &proto.FullStatus{
+		Peers: []*proto.PeerState{
+			{
+				IP:                     "192.168.178.101",
+				PubKey:                 "Pubkey1",
+				Fqdn:                   "peer-1.awesome-domain.com",
+				ConnStatus:             "Connected",
+				ConnStatusUpdate:       timestamppb.New(time.Date(2001, time.Month(1), 1, 1, 1, 1, 0, time.UTC)),
+				Relayed:                false,
+				Direct:                 true,
+				LocalIceCandidateType:  "",
+				RemoteIceCandidateType: "",
+			},
+			{
+				IP:                     "192.168.178.102",
+				PubKey:                 "Pubkey2",
+				Fqdn:                   "peer-2.awesome-domain.com",
+				ConnStatus:             "Connected",
+				ConnStatusUpdate:       timestamppb.New(time.Date(2002, time.Month(2), 2, 2, 2, 2, 0, time.UTC)),
+				Relayed:                true,
+				Direct:                 false,
+				LocalIceCandidateType:  "relay",
+				RemoteIceCandidateType: "prflx",
+			},
+		},
+		ManagementState: &proto.ManagementState{
+			URL:       "my-awesome-management.com:443",
+			Connected: true,
+		},
+		SignalState: &proto.SignalState{
+			URL:       "my-awesome-signal.com:443",
+			Connected: true,
+		},
+		LocalPeerState: &proto.LocalPeerState{
+			IP:              "192.168.178.100/16",
+			PubKey:          "Some-Pub-Key",
+			KernelInterface: true,
+			Fqdn:            "some-localhost.awesome-domain.com",
+		},
+	},
+	DaemonVersion: "0.14.1",
+}
+
+var overview = statusOutputOverview{
+	Peers: peersStateOutput{
+		Total:     2,
+		Connected: 2,
+		Details: []peerStateDetailOutput{
+			{
+				IP:               "192.168.178.101",
+				PubKey:           "Pubkey1",
+				FQDN:             "peer-1.awesome-domain.com",
+				Status:           "Connected",
+				LastStatusUpdate: time.Date(2001, 1, 1, 1, 1, 1, 0, time.UTC),
+				ConnType:         "P2P",
+				Direct:           true,
+				IceCandidateType: iceCandidateType{
+					Local:  "",
+					Remote: "",
+				},
+			},
+			{
+				IP:               "192.168.178.102",
+				PubKey:           "Pubkey2",
+				FQDN:             "peer-2.awesome-domain.com",
+				Status:           "Connected",
+				LastStatusUpdate: time.Date(2002, 2, 2, 2, 2, 2, 0, time.UTC),
+				ConnType:         "Relayed",
+				Direct:           false,
+				IceCandidateType: iceCandidateType{
+					Local:  "relay",
+					Remote: "prflx",
+				},
+			},
+		},
+	},
+	CliVersion:    system.NetbirdVersion(),
+	DaemonVersion: "0.14.1",
+	ManagementState: managementStateOutput{
+		URL:       "my-awesome-management.com:443",
+		Connected: true,
+	},
+	SignalState: signalStateOutput{
+		URL:       "my-awesome-signal.com:443",
+		Connected: true,
+	},
+	IP:              "192.168.178.100/16",
+	PubKey:          "Some-Pub-Key",
+	KernelInterface: true,
+	FQDN:            "some-localhost.awesome-domain.com",
+}
+
+func TestConversionFromFullStatusToOutputOverview(t *testing.T) {
+	convertedResult := convertToStatusOutputOverview(resp)
+
+	assert.Equal(t, overview, convertedResult)
+}
+
+func TestSortingOfPeers(t *testing.T) {
+	peers := []peerStateDetailOutput{
+		{
+			IP: "192.168.178.104",
+		},
+		{
+			IP: "192.168.178.102",
+		},
+		{
+			IP: "192.168.178.101",
+		},
+		{
+			IP: "192.168.178.105",
+		},
+		{
+			IP: "192.168.178.103",
+		},
+	}
+
+	sortPeersByIP(peers)
+
+	assert.Equal(t, peers[3].IP, "192.168.178.104")
+}
+
+func TestParsingToJSON(t *testing.T) {
+	json, _ := parseToJSON(overview)
+
+	//@formatter:off
+	expectedJSON := "{\"" +
+		"peers\":" +
+		"{" +
+		"\"total\":2," +
+		"\"connected\":2," +
+		"\"details\":" +
+		"[" +
+		"{" +
+		"\"fqdn\":\"peer-1.awesome-domain.com\"," +
+		"\"netbirdIp\":\"192.168.178.101\"," +
+		"\"publicKey\":\"Pubkey1\"," +
+		"\"status\":\"Connected\"," +
+		"\"lastStatusUpdate\":\"2001-01-01T01:01:01Z\"," +
+		"\"connectionType\":\"P2P\"," +
+		"\"direct\":true," +
+		"\"iceCandidateType\":" +
+		"{" +
+		"\"local\":\"\"," +
+		"\"remote\":\"\"" +
+		"}" +
+		"}," +
+		"{" +
+		"\"fqdn\":\"peer-2.awesome-domain.com\"," +
+		"\"netbirdIp\":\"192.168.178.102\"," +
+		"\"publicKey\":\"Pubkey2\"," +
+		"\"status\":\"Connected\"," +
+		"\"lastStatusUpdate\":\"2002-02-02T02:02:02Z\"," +
+		"\"connectionType\":\"Relayed\"," +
+		"\"direct\":false," +
+		"\"iceCandidateType\":" +
+		"{" +
+		"\"local\":\"relay\"," +
+		"\"remote\":\"prflx\"" +
+		"}" +
+		"}" +
+		"]" +
+		"}," +
+		"\"cliVersion\":\"development\"," +
+		"\"daemonVersion\":\"0.14.1\"," +
+		"\"management\":" +
+		"{" +
+		"\"url\":\"my-awesome-management.com:443\"," +
+		"\"connected\":true" +
+		"}," +
+		"\"signal\":" +
+		"{\"" +
+		"url\":\"my-awesome-signal.com:443\"," +
+		"\"connected\":true" +
+		"}," +
+		"\"netbirdIp\":\"192.168.178.100/16\"," +
+		"\"publicKey\":\"Some-Pub-Key\"," +
+		"\"usesKernelInterface\":true," +
+		"\"fqdn\":\"some-localhost.awesome-domain.com\"" +
+		"}"
+	// @formatter:on
+
+	assert.Equal(t, expectedJSON, json)
+}
+
+func TestParsingToYAML(t *testing.T) {
+	yaml, _ := parseToYAML(overview)
+
+	expectedYAML := "peers:\n" +
+		"    total: 2\n" +
+		"    connected: 2\n" +
+		"    details:\n" +
+		"        - fqdn: peer-1.awesome-domain.com\n" +
+		"          netbirdIp: 192.168.178.101\n" +
+		"          publicKey: Pubkey1\n" +
+		"          status: Connected\n" +
+		"          lastStatusUpdate: 2001-01-01T01:01:01Z\n" +
+		"          connectionType: P2P\n" +
+		"          direct: true\n" +
+		"          iceCandidateType:\n" +
+		"            local: \"\"\n" +
+		"            remote: \"\"\n" +
+		"        - fqdn: peer-2.awesome-domain.com\n" +
+		"          netbirdIp: 192.168.178.102\n" +
+		"          publicKey: Pubkey2\n" +
+		"          status: Connected\n" +
+		"          lastStatusUpdate: 2002-02-02T02:02:02Z\n" +
+		"          connectionType: Relayed\n" +
+		"          direct: false\n" +
+		"          iceCandidateType:\n" +
+		"            local: relay\n" +
+		"            remote: prflx\n" +
+		"cliVersion: development\n" +
+		"daemonVersion: 0.14.1\n" +
+		"management:\n" +
+		"    url: my-awesome-management.com:443\n" +
+		"    connected: true\n" +
+		"signal:\n" +
+		"    url: my-awesome-signal.com:443\n" +
+		"    connected: true\n" +
+		"netbirdIp: 192.168.178.100/16\n" +
+		"publicKey: Some-Pub-Key\n" +
+		"usesKernelInterface: true\n" +
+		"fqdn: some-localhost.awesome-domain.com\n"
+
+	assert.Equal(t, expectedYAML, yaml)
+}
+
+func TestParsingToDetail(t *testing.T) {
+	detail := parseToFullDetailSummary(overview)
+
+	expectedDetail := "Peers detail:\n" +
+		" peer-1.awesome-domain.com:\n" +
+		"  NetBird IP: 192.168.178.101\n" +
+		"  Public key: Pubkey1\n" +
+		"  Status: Connected\n" +
+		"  -- detail --\n" +
+		"  Connection type: P2P\n" +
+		"  Direct: true\n" +
+		"  ICE candidate (Local/Remote): -/-\n" +
+		"  Last connection update: 2001-01-01 01:01:01\n" +
+		"\n" +
+		" peer-2.awesome-domain.com:\n" +
+		"  NetBird IP: 192.168.178.102\n" +
+		"  Public key: Pubkey2\n" +
+		"  Status: Connected\n" +
+		"  -- detail --\n" +
+		"  Connection type: Relayed\n" +
+		"  Direct: false\n" +
+		"  ICE candidate (Local/Remote): relay/prflx\n" +
+		"  Last connection update: 2002-02-02 02:02:02\n" +
+		"\n" +
+		"Daemon version: 0.14.1\n" +
+		"CLI version: development\n" +
+		"Management: Connected to my-awesome-management.com:443\n" +
+		"Signal: Connected to my-awesome-signal.com:443\n" +
+		"FQDN: some-localhost.awesome-domain.com\n" +
+		"NetBird IP: 192.168.178.100/16\n" +
+		"Interface type: Kernel\n" +
+		"Peers count: 2/2 Connected\n"
+
+	assert.Equal(t, expectedDetail, detail)
+}
+
+func TestParsingToShortVersion(t *testing.T) {
+	shortVersion := parseGeneralSummary(overview, false)
+
+	expectedString := "Daemon version: 0.14.1\n" +
+		"CLI version: development\n" +
+		"Management: Connected\n" +
+		"Signal: Connected\n" +
+		"FQDN: some-localhost.awesome-domain.com\n" +
+		"NetBird IP: 192.168.178.100/16\n" +
+		"Interface type: Kernel\n" +
+		"Peers count: 2/2 Connected\n"
+
+	assert.Equal(t, expectedString, shortVersion)
+}
+
+func TestParsingOfIP(t *testing.T) {
+	InterfaceIP := "192.168.178.123/16"
+
+	parsedIP := parseInterfaceIP(InterfaceIP)
+
+	assert.Equal(t, "192.168.178.123\n", parsedIP)
+}

client/internal/config.go

@@ -242,13 +242,12 @@ func GetConfig(input ConfigInput) (*Config, error) {
 	if _, err := os.Stat(input.ConfigPath); os.IsNotExist(err) {
 		log.Infof("generating new config %s", input.ConfigPath)
 		return createNewConfig(input)
-	} else {
-		// don't overwrite pre-shared key if we receive asterisks from UI
-		if *input.PreSharedKey == "**********" {
-			input.PreSharedKey = nil
-		}
-		return ReadConfig(input)
 	}
+
+	if isPreSharedKeyHidden(input.PreSharedKey) {
+		input.PreSharedKey = nil
+	}
+	return ReadConfig(input)
 }
 
 // generateKey generates a new Wireguard private key
@@ -364,3 +363,11 @@ func isProviderConfigValid(config ProviderConfig) error {
 	}
 	return nil
 }
+
+// don't overwrite pre-shared key if we receive asterisks from UI
+func isPreSharedKeyHidden(preSharedKey *string) bool {
+	if preSharedKey != nil && *preSharedKey == "**********" {
+		return true
+	}
+	return false
+}

client/internal/config_test.go

@@ -85,3 +85,40 @@ func TestGetConfig(t *testing.T) {
 	}
 	assert.Equal(t, readConf.(*Config).ManagementURL.String(), newManagementURL)
 }
+
+func TestHiddenPreSharedKey(t *testing.T) {
+	hidden := "**********"
+	samplePreSharedKey := "mysecretpresharedkey"
+	tests := []struct {
+		name         string
+		preSharedKey *string
+		want         string
+	}{
+		{"nil", nil, ""},
+		{"hidden", &hidden, ""},
+		{"filled", &samplePreSharedKey, samplePreSharedKey},
+	}
+
+	// generate default cfg
+	cfgFile := filepath.Join(t.TempDir(), "config.json")
+	_, _ = GetConfig(ConfigInput{
+		ConfigPath: cfgFile,
+	})
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cfg, err := GetConfig(ConfigInput{
+				ConfigPath:   cfgFile,
+				PreSharedKey: tt.preSharedKey,
+			})
+
+			if err != nil {
+				t.Fatalf("failed to get cfg: %s", err)
+			}
+
+			if cfg.PreSharedKey != tt.want {
+				t.Fatalf("invalid preshared key: '%s', expected: '%s' ", cfg.PreSharedKey, tt.want)
+			}
+		})
+	}
+}

client/internal/dns/file_linux.go

@@ -3,8 +3,9 @@ package dns
 import (
 	"bytes"
 	"fmt"
-	log "github.com/sirupsen/logrus"
 	"os"
+
+	log "github.com/sirupsen/logrus"
 )
 
 const (
@@ -14,6 +15,7 @@ const (
 		"\n# If needed you can restore the original file by copying back %s\n\nnameserver %s\n" +
 		fileGeneratedResolvConfSearchBeginContent + "%s\n"
 )
+
 const (
 	fileDefaultResolvConfBackupLocation = defaultResolvConfPath + ".original.netbird"
 	fileMaxLineCharsLimit               = 256
@@ -66,7 +68,7 @@ func (f *fileConfigurator) applyDNSConfig(config hostDNSConfig) error {
 	var searchDomains string
 	appendedDomains := 0
 	for _, dConf := range config.domains {
-		if dConf.matchOnly {
+		if dConf.matchOnly || dConf.disabled {
 			continue
 		}
 		if appendedDomains >= fileMaxNumberOfSearchDomains {

client/internal/dns/host.go

@@ -2,8 +2,9 @@ package dns
 
 import (
 	"fmt"
-	nbdns "github.com/netbirdio/netbird/dns"
 	"strings"
+
+	nbdns "github.com/netbirdio/netbird/dns"
 )
 
 type hostManager interface {
@@ -19,6 +20,7 @@ type hostDNSConfig struct {
 }
 
 type domainConfig struct {
+	disabled  bool
 	domain    string
 	matchOnly bool
 }
@@ -56,6 +58,9 @@ func dnsConfigToHostDNSConfig(dnsConfig nbdns.Config, ip string, port int) hostD
 		serverPort: port,
 	}
 	for _, nsConfig := range dnsConfig.NameServerGroups {
+		if len(nsConfig.NameServers) == 0 {
+			continue
+		}
 		if nsConfig.Primary {
 			config.routeAll = true
 		}

client/internal/dns/host_darwin.go

@@ -4,11 +4,12 @@ import (
 	"bufio"
 	"bytes"
 	"fmt"
-	"github.com/netbirdio/netbird/iface"
-	log "github.com/sirupsen/logrus"
 	"os/exec"
 	"strconv"
 	"strings"
+
+	"github.com/netbirdio/netbird/iface"
+	log "github.com/sirupsen/logrus"
 )
 
 const (
@@ -61,6 +62,9 @@ func (s *systemConfigurator) applyDNSConfig(config hostDNSConfig) error {
 	)
 
 	for _, dConf := range config.domains {
+		if dConf.disabled {
+			continue
+		}
 		if dConf.matchOnly {
 			matchDomains = append(matchDomains, dConf.domain)
 			continue

client/internal/dns/host_windows.go

@@ -2,10 +2,11 @@ package dns
 
 import (
 	"fmt"
+	"strings"
+
 	"github.com/netbirdio/netbird/iface"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/sys/windows/registry"
-	"strings"
 )
 
 const (
@@ -63,6 +64,9 @@ func (r *registryConfigurator) applyDNSConfig(config hostDNSConfig) error {
 	)
 
 	for _, dConf := range config.domains {
+		if dConf.disabled {
+			continue
+		}
 		if !dConf.matchOnly {
 			searchDomains = append(searchDomains, dConf.domain)
 		}

client/internal/dns/mock_test.go

@@ -1,8 +1,9 @@
 package dns
 
 import (
-	"github.com/miekg/dns"
 	"net"
+
+	"github.com/miekg/dns"
 )
 
 type mockResponseWriter struct {

client/internal/dns/network_manager_linux.go

@@ -4,14 +4,15 @@ import (
 	"context"
 	"encoding/binary"
 	"fmt"
+	"net/netip"
+	"regexp"
+	"time"
+
 	"github.com/godbus/dbus/v5"
 	"github.com/hashicorp/go-version"
 	"github.com/miekg/dns"
 	"github.com/netbirdio/netbird/iface"
 	log "github.com/sirupsen/logrus"
-	"net/netip"
-	"regexp"
-	"time"
 )
 
 const (
@@ -75,12 +76,12 @@ func newNetworkManagerDbusConfigurator(wgInterface *iface.WGIface) (hostManager,
 	}
 	defer closeConn()
 	var s string
-	err = obj.Call(networkManagerDbusGetDeviceByIPIfaceMethod, dbusDefaultFlag, wgInterface.GetName()).Store(&s)
+	err = obj.Call(networkManagerDbusGetDeviceByIPIfaceMethod, dbusDefaultFlag, wgInterface.Name()).Store(&s)
 	if err != nil {
 		return nil, err
 	}
 
-	log.Debugf("got network manager dbus Link Object: %s from net interface %s", s, wgInterface.GetName())
+	log.Debugf("got network manager dbus Link Object: %s from net interface %s", s, wgInterface.Name())
 
 	return &networkManagerDbusConfigurator{
 		dbusLinkObject: dbus.ObjectPath(s),
@@ -106,6 +107,9 @@ func (n *networkManagerDbusConfigurator) applyDNSConfig(config hostDNSConfig) er
 		matchDomains  []string
 	)
 	for _, dConf := range config.domains {
+		if dConf.disabled {
+			continue
+		}
 		if dConf.matchOnly {
 			matchDomains = append(matchDomains, "~."+dns.Fqdn(dConf.domain))
 			continue

client/internal/dns/resolvconf_linux.go

@@ -2,10 +2,11 @@ package dns
 
 import (
 	"fmt"
-	"github.com/netbirdio/netbird/iface"
-	log "github.com/sirupsen/logrus"
 	"os/exec"
 	"strings"
+
+	"github.com/netbirdio/netbird/iface"
+	log "github.com/sirupsen/logrus"
 )
 
 const resolvconfCommand = "resolvconf"
@@ -16,7 +17,7 @@ type resolvconf struct {
 
 func newResolvConfConfigurator(wgInterface *iface.WGIface) (hostManager, error) {
 	return &resolvconf{
-		ifaceName: wgInterface.GetName(),
+		ifaceName: wgInterface.Name(),
 	}, nil
 }
 
@@ -33,7 +34,7 @@ func (r *resolvconf) applyDNSConfig(config hostDNSConfig) error {
 	var searchDomains string
 	appendedDomains := 0
 	for _, dConf := range config.domains {
-		if dConf.matchOnly {
+		if dConf.matchOnly || dConf.disabled {
 			continue
 		}
 

client/internal/dns/server.go

@@ -3,16 +3,17 @@ package dns
 import (
 	"context"
 	"fmt"
-	"github.com/miekg/dns"
-	"github.com/mitchellh/hashstructure/v2"
-	nbdns "github.com/netbirdio/netbird/dns"
-	"github.com/netbirdio/netbird/iface"
-	log "github.com/sirupsen/logrus"
 	"net"
 	"net/netip"
 	"runtime"
 	"sync"
 	"time"
+
+	"github.com/miekg/dns"
+	"github.com/mitchellh/hashstructure/v2"
+	nbdns "github.com/netbirdio/netbird/dns"
+	"github.com/netbirdio/netbird/iface"
+	log "github.com/sirupsen/logrus"
 )
 
 const (
@@ -32,7 +33,8 @@ type Server interface {
 // DefaultServer dns server object
 type DefaultServer struct {
 	ctx                context.Context
-	stop               context.CancelFunc
+	ctxCancel          context.CancelFunc
+	upstreamCtxCancel  context.CancelFunc
 	mux                sync.Mutex
 	server             *dns.Server
 	dnsMux             *dns.ServeMux
@@ -45,6 +47,7 @@ type DefaultServer struct {
 	runtimePort        int
 	runtimeIP          string
 	previousConfigHash uint64
+	currentConfig      hostDNSConfig
 	customAddress      *netip.AddrPort
 }
 
@@ -79,7 +82,7 @@ func NewDefaultServer(ctx context.Context, wgInterface *iface.WGIface, customAdd
 
 	defaultServer := &DefaultServer{
 		ctx:       ctx,
-		stop:      stop,
+		ctxCancel: stop,
 		server:    dnsServer,
 		dnsMux:    mux,
 		dnsMuxMap: make(registrationMap),
@@ -102,7 +105,6 @@ func NewDefaultServer(ctx context.Context, wgInterface *iface.WGIface, customAdd
 
 // Start runs the listener in a go routine
 func (s *DefaultServer) Start() {
-
 	if s.customAddress != nil {
 		s.runtimeIP = s.customAddress.Addr().String()
 		s.runtimePort = int(s.customAddress.Port())
@@ -134,7 +136,7 @@ func (s *DefaultServer) Start() {
 func (s *DefaultServer) getFirstListenerAvailable() (string, int, error) {
 	ips := []string{defaultIP, customIP}
 	if runtime.GOOS != "darwin" && s.wgInterface != nil {
-		ips = append([]string{s.wgInterface.GetAddress().IP.String()}, ips...)
+		ips = append([]string{s.wgInterface.Address().IP.String()}, ips...)
 	}
 	ports := []int{defaultPort, customPort}
 	for _, port := range ports {
@@ -163,7 +165,7 @@ func (s *DefaultServer) setListenerStatus(running bool) {
 func (s *DefaultServer) Stop() {
 	s.mux.Lock()
 	defer s.mux.Unlock()
-	s.stop()
+	s.ctxCancel()
 
 	err := s.hostManager.restoreHostDNS()
 	if err != nil {
@@ -209,6 +211,7 @@ func (s *DefaultServer) UpdateDNSServer(serial uint64, update nbdns.Config) erro
 			ZeroNil:         true,
 			IgnoreZeroValue: true,
 			SlicesAsSets:    true,
+			UseStringer:     true,
 		})
 		if err != nil {
 			log.Errorf("unable to hash the dns configuration update, got error: %s", err)
@@ -219,34 +222,9 @@ func (s *DefaultServer) UpdateDNSServer(serial uint64, update nbdns.Config) erro
 			s.updateSerial = serial
 			return nil
 		}
-		// is the service should be disabled, we stop the listener
-		// and proceed with a regular update to clean up the handlers and records
-		if !update.ServiceEnable {
-			err := s.stopListener()
-			if err != nil {
-				log.Error(err)
-			}
-		} else if !s.listenerIsRunning {
-			s.Start()
-		}
 
-		localMuxUpdates, localRecords, err := s.buildLocalHandlerUpdate(update.CustomZones)
-		if err != nil {
-			return fmt.Errorf("not applying dns update, error: %v", err)
-		}
-		upstreamMuxUpdates, err := s.buildUpstreamHandlerUpdate(update.NameServerGroups)
-		if err != nil {
-			return fmt.Errorf("not applying dns update, error: %v", err)
-		}
-
-		muxUpdates := append(localMuxUpdates, upstreamMuxUpdates...)
-
-		s.updateMux(muxUpdates)
-		s.updateLocalResolver(localRecords)
-
-		err = s.hostManager.applyDNSConfig(dnsConfigToHostDNSConfig(update, s.runtimeIP, s.runtimePort))
-		if err != nil {
-			log.Error(err)
+		if err := s.applyConfiguration(update); err != nil {
+			return err
 		}
 
 		s.updateSerial = serial
@@ -256,6 +234,40 @@ func (s *DefaultServer) UpdateDNSServer(serial uint64, update nbdns.Config) erro
 	}
 }
 
+func (s *DefaultServer) applyConfiguration(update nbdns.Config) error {
+	// is the service should be disabled, we stop the listener
+	// and proceed with a regular update to clean up the handlers and records
+	if !update.ServiceEnable {
+		err := s.stopListener()
+		if err != nil {
+			log.Error(err)
+		}
+	} else if !s.listenerIsRunning {
+		s.Start()
+	}
+
+	localMuxUpdates, localRecords, err := s.buildLocalHandlerUpdate(update.CustomZones)
+	if err != nil {
+		return fmt.Errorf("not applying dns update, error: %v", err)
+	}
+	upstreamMuxUpdates, err := s.buildUpstreamHandlerUpdate(update.NameServerGroups)
+	if err != nil {
+		return fmt.Errorf("not applying dns update, error: %v", err)
+	}
+
+	muxUpdates := append(localMuxUpdates, upstreamMuxUpdates...)
+
+	s.updateMux(muxUpdates)
+	s.updateLocalResolver(localRecords)
+	s.currentConfig = dnsConfigToHostDNSConfig(update, s.runtimeIP, s.runtimePort)
+
+	if err = s.hostManager.applyDNSConfig(s.currentConfig); err != nil {
+		log.Error(err)
+	}
+
+	return nil
+}
+
 func (s *DefaultServer) buildLocalHandlerUpdate(customZones []nbdns.CustomZone) ([]muxUpdate, map[string]nbdns.SimpleRecord, error) {
 	var muxUpdates []muxUpdate
 	localRecords := make(map[string]nbdns.SimpleRecord, 0)
@@ -284,16 +296,22 @@ func (s *DefaultServer) buildLocalHandlerUpdate(customZones []nbdns.CustomZone)
 }
 
 func (s *DefaultServer) buildUpstreamHandlerUpdate(nameServerGroups []*nbdns.NameServerGroup) ([]muxUpdate, error) {
+	// clean up the previous upstream resolver
+	if s.upstreamCtxCancel != nil {
+		s.upstreamCtxCancel()
+	}
+
 	var muxUpdates []muxUpdate
 	for _, nsGroup := range nameServerGroups {
 		if len(nsGroup.NameServers) == 0 {
-			return nil, fmt.Errorf("received a nameserver group with empty nameserver list")
-		}
-		handler := &upstreamResolver{
-			parentCTX:       s.ctx,
-			upstreamClient:  &dns.Client{},
-			upstreamTimeout: defaultUpstreamTimeout,
+			log.Warn("received a nameserver group with empty nameserver list")
+			continue
 		}
+
+		var ctx context.Context
+		ctx, s.upstreamCtxCancel = context.WithCancel(s.ctx)
+
+		handler := newUpstreamResolver(ctx)
 		for _, ns := range nsGroup.NameServers {
 			if ns.NSType != nbdns.UDPNameServerType {
 				log.Warnf("skiping nameserver %s with type %s, this peer supports only %s",
@@ -308,6 +326,16 @@ func (s *DefaultServer) buildUpstreamHandlerUpdate(nameServerGroups []*nbdns.Nam
 			continue
 		}
 
+		// when upstream fails to resolve domain several times over all it servers
+		// it will calls this hook to exclude self from the configuration and
+		// reapply DNS settings, but it not touch the original configuration and serial number
+		// because it is temporal deactivation until next try
+		//
+		// after some period defined by upstream it trys to reactivate self by calling this hook
+		// everything we need here is just to re-apply current configuration because it already
+		// contains this upstream settings (temporal deactivation not removed it)
+		handler.deactivate, handler.reactivate = s.upstreamCallbacks(nsGroup, handler)
+
 		if nsGroup.Primary {
 			muxUpdates = append(muxUpdates, muxUpdate{
 				domain:  nbdns.RootZone,
@@ -382,3 +410,63 @@ func (s *DefaultServer) registerMux(pattern string, handler dns.Handler) {
 func (s *DefaultServer) deregisterMux(pattern string) {
 	s.dnsMux.HandleRemove(pattern)
 }
+
+// upstreamCallbacks returns two functions, the first one is used to deactivate
+// the upstream resolver from the configuration, the second one is used to
+// reactivate it. Not allowed to call reactivate before deactivate.
+func (s *DefaultServer) upstreamCallbacks(
+	nsGroup *nbdns.NameServerGroup,
+	handler dns.Handler,
+) (deactivate func(), reactivate func()) {
+	var removeIndex map[string]int
+	deactivate = func() {
+		s.mux.Lock()
+		defer s.mux.Unlock()
+
+		l := log.WithField("nameservers", nsGroup.NameServers)
+		l.Info("temporary deactivate nameservers group due timeout")
+
+		removeIndex = make(map[string]int)
+		for _, domain := range nsGroup.Domains {
+			removeIndex[domain] = -1
+		}
+		if nsGroup.Primary {
+			removeIndex[nbdns.RootZone] = -1
+			s.currentConfig.routeAll = false
+		}
+
+		for i, item := range s.currentConfig.domains {
+			if _, found := removeIndex[item.domain]; found {
+				s.currentConfig.domains[i].disabled = true
+				s.deregisterMux(item.domain)
+				removeIndex[item.domain] = i
+			}
+		}
+		if err := s.hostManager.applyDNSConfig(s.currentConfig); err != nil {
+			l.WithError(err).Error("fail to apply nameserver deactivation on the host")
+		}
+	}
+	reactivate = func() {
+		s.mux.Lock()
+		defer s.mux.Unlock()
+
+		for domain, i := range removeIndex {
+			if i == -1 || i >= len(s.currentConfig.domains) || s.currentConfig.domains[i].domain != domain {
+				continue
+			}
+			s.currentConfig.domains[i].disabled = false
+			s.registerMux(domain, handler)
+		}
+
+		l := log.WithField("nameservers", nsGroup.NameServers)
+		l.Debug("reactivate temporary disabled nameserver group")
+
+		if nsGroup.Primary {
+			s.currentConfig.routeAll = true
+		}
+		if err := s.hostManager.applyDNSConfig(s.currentConfig); err != nil {
+			l.WithError(err).Error("reactivate temporary disabled nameserver group, DNS update apply")
+		}
+	}
+	return
+}

client/internal/dns/server_test.go

@@ -3,13 +3,15 @@ package dns
 import (
 	"context"
 	"fmt"
+	"net"
+	"net/netip"
+	"strings"
+	"testing"
+	"time"
+
 	"github.com/miekg/dns"
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/iface"
-	"net"
-	"net/netip"
-	"testing"
-	"time"
 )
 
 var zoneRecords = []nbdns.SimpleRecord{
@@ -23,7 +25,6 @@ var zoneRecords = []nbdns.SimpleRecord{
 }
 
 func TestUpdateDNSServer(t *testing.T) {
-
 	nameServers := []nbdns.NameServer{
 		{
 			IP:     netip.MustParseAddr("8.8.8.8"),
@@ -263,7 +264,6 @@ func TestUpdateDNSServer(t *testing.T) {
 }
 
 func TestDNSServerStartStop(t *testing.T) {
-
 	testCases := []struct {
 		name     string
 		addrPort string
@@ -333,6 +333,72 @@ func TestDNSServerStartStop(t *testing.T) {
 	}
 }
 
+func TestDNSServerUpstreamDeactivateCallback(t *testing.T) {
+	hostManager := &mockHostConfigurator{}
+	server := DefaultServer{
+		dnsMux: dns.DefaultServeMux,
+		localResolver: &localResolver{
+			registeredMap: make(registrationMap),
+		},
+		hostManager: hostManager,
+		currentConfig: hostDNSConfig{
+			domains: []domainConfig{
+				{false, "domain0", false},
+				{false, "domain1", false},
+				{false, "domain2", false},
+			},
+		},
+	}
+
+	var domainsUpdate string
+	hostManager.applyDNSConfigFunc = func(config hostDNSConfig) error {
+		domains := []string{}
+		for _, item := range config.domains {
+			if item.disabled {
+				continue
+			}
+			domains = append(domains, item.domain)
+		}
+		domainsUpdate = strings.Join(domains, ",")
+		return nil
+	}
+
+	deactivate, reactivate := server.upstreamCallbacks(&nbdns.NameServerGroup{
+		Domains: []string{"domain1"},
+		NameServers: []nbdns.NameServer{
+			{IP: netip.MustParseAddr("8.8.0.0"), NSType: nbdns.UDPNameServerType, Port: 53},
+		},
+	}, nil)
+
+	deactivate()
+	expected := "domain0,domain2"
+	domains := []string{}
+	for _, item := range server.currentConfig.domains {
+		if item.disabled {
+			continue
+		}
+		domains = append(domains, item.domain)
+	}
+	got := strings.Join(domains, ",")
+	if expected != got {
+		t.Errorf("expected domains list: %q, got %q", expected, got)
+	}
+
+	reactivate()
+	expected = "domain0,domain1,domain2"
+	domains = []string{}
+	for _, item := range server.currentConfig.domains {
+		if item.disabled {
+			continue
+		}
+		domains = append(domains, item.domain)
+	}
+	got = strings.Join(domains, ",")
+	if expected != got {
+		t.Errorf("expected domains list: %q, got %q", expected, domainsUpdate)
+	}
+}
+
 func getDefaultServerWithNoHostManager(t *testing.T, addrPort string) *DefaultServer {
 	mux := dns.NewServeMux()
 
@@ -351,11 +417,11 @@ func getDefaultServerWithNoHostManager(t *testing.T, addrPort string) *DefaultSe
 		UDPSize: 65535,
 	}
 
-	ctx, stop := context.WithCancel(context.TODO())
+	ctx, cancel := context.WithCancel(context.TODO())
 
 	return &DefaultServer{
 		ctx:       ctx,
-		stop:      stop,
+		ctxCancel: cancel,
 		server:    dnsServer,
 		dnsMux:    mux,
 		dnsMuxMap: make(registrationMap),

client/internal/dns/systemd_linux.go

@@ -3,15 +3,16 @@ package dns
 import (
 	"context"
 	"fmt"
+	"net"
+	"net/netip"
+	"time"
+
 	"github.com/godbus/dbus/v5"
 	"github.com/miekg/dns"
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/iface"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
-	"net"
-	"net/netip"
-	"time"
 )
 
 const (
@@ -50,7 +51,7 @@ type systemdDbusLinkDomainsInput struct {
 }
 
 func newSystemdDbusConfigurator(wgInterface *iface.WGIface) (hostManager, error) {
-	iface, err := net.InterfaceByName(wgInterface.GetName())
+	iface, err := net.InterfaceByName(wgInterface.Name())
 	if err != nil {
 		return nil, err
 	}
@@ -95,6 +96,9 @@ func (s *systemdDbusConfigurator) applyDNSConfig(config hostDNSConfig) error {
 		domainsInput  []systemdDbusLinkDomainsInput
 	)
 	for _, dConf := range config.domains {
+		if dConf.disabled {
+			continue
+		}
 		domainsInput = append(domainsInput, systemdDbusLinkDomainsInput{
 			Domain:    dns.Fqdn(dConf.domain),
 			MatchOnly: dConf.matchOnly,

client/internal/dns/upstream.go

@@ -3,44 +3,73 @@ package dns
 import (
 	"context"
 	"errors"
+	"net"
+	"sync"
+	"sync/atomic"
+	"time"
+
 	"github.com/miekg/dns"
 	log "github.com/sirupsen/logrus"
-	"net"
-	"time"
 )
 
-const defaultUpstreamTimeout = 15 * time.Second
+const (
+	failsTillDeact   = int32(3)
+	reactivatePeriod = time.Minute
+	upstreamTimeout  = 15 * time.Second
+)
 
 type upstreamResolver struct {
-	parentCTX       context.Context
-	upstreamClient  *dns.Client
-	upstreamServers []string
-	upstreamTimeout time.Duration
+	ctx              context.Context
+	upstreamClient   *dns.Client
+	upstreamServers  []string
+	disabled         bool
+	failsCount       atomic.Int32
+	failsTillDeact   int32
+	mutex            sync.Mutex
+	reactivatePeriod time.Duration
+	upstreamTimeout  time.Duration
+
+	deactivate func()
+	reactivate func()
+}
+
+func newUpstreamResolver(ctx context.Context) *upstreamResolver {
+	return &upstreamResolver{
+		ctx:              ctx,
+		upstreamClient:   &dns.Client{},
+		upstreamTimeout:  upstreamTimeout,
+		reactivatePeriod: reactivatePeriod,
+		failsTillDeact:   failsTillDeact,
+	}
 }
 
 // ServeDNS handles a DNS request
 func (u *upstreamResolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
+	defer u.checkUpstreamFails()
 
-	log.Tracef("received an upstream question: %#v", r.Question[0])
+	log.WithField("question", r.Question[0]).Trace("received an upstream question")
 
 	select {
-	case <-u.parentCTX.Done():
+	case <-u.ctx.Done():
 		return
 	default:
 	}
 
 	for _, upstream := range u.upstreamServers {
-		ctx, cancel := context.WithTimeout(u.parentCTX, u.upstreamTimeout)
+		ctx, cancel := context.WithTimeout(u.ctx, u.upstreamTimeout)
 		rm, t, err := u.upstreamClient.ExchangeContext(ctx, r, upstream)
 
 		cancel()
 
 		if err != nil {
 			if err == context.DeadlineExceeded || isTimeout(err) {
-				log.Warnf("got an error while connecting to upstream %s, error: %v", upstream, err)
+				log.WithError(err).WithField("upstream", upstream).
+					Warn("got an error while connecting to upstream")
 				continue
 			}
-			log.Errorf("got an error while querying the upstream %s, error: %v", upstream, err)
+			u.failsCount.Add(1)
+			log.WithError(err).WithField("upstream", upstream).
+				Error("got an error while querying the upstream")
 			return
 		}
 
@@ -48,11 +77,58 @@ func (u *upstreamResolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 
 		err = w.WriteMsg(rm)
 		if err != nil {
-			log.Errorf("got an error while writing the upstream resolver response, error: %v", err)
+			log.WithError(err).Error("got an error while writing the upstream resolver response")
 		}
+		// count the fails only if they happen sequentially
+		u.failsCount.Store(0)
 		return
 	}
-	log.Errorf("all queries to the upstream nameservers failed with timeout")
+	u.failsCount.Add(1)
+	log.Error("all queries to the upstream nameservers failed with timeout")
+}
+
+// checkUpstreamFails counts fails and disables or enables upstream resolving
+//
+// If fails count is greater that failsTillDeact, upstream resolving
+// will be disabled for reactivatePeriod, after that time period fails counter
+// will be reset and upstream will be reactivated.
+func (u *upstreamResolver) checkUpstreamFails() {
+	u.mutex.Lock()
+	defer u.mutex.Unlock()
+
+	if u.failsCount.Load() < u.failsTillDeact || u.disabled {
+		return
+	}
+
+	select {
+	case <-u.ctx.Done():
+		return
+	default:
+		log.Warnf("upstream resolving is disabled for %v", reactivatePeriod)
+		u.deactivate()
+		u.disabled = true
+		go u.waitUntilReactivation()
+	}
+}
+
+// waitUntilReactivation reset fails counter and activates upstream resolving
+func (u *upstreamResolver) waitUntilReactivation() {
+	timer := time.NewTimer(u.reactivatePeriod)
+	defer func() {
+		if !timer.Stop() {
+			<-timer.C
+		}
+	}()
+
+	select {
+	case <-u.ctx.Done():
+		return
+	case <-timer.C:
+		log.Info("upstream resolving is reactivated")
+		u.failsCount.Store(0)
+		u.reactivate()
+		u.disabled = false
+	}
 }
 
 // isTimeout returns true if the given error is a network timeout error.

client/internal/dns/upstream_test.go

@@ -23,7 +23,7 @@ func TestUpstreamResolver_ServeDNS(t *testing.T) {
 			name:           "Should Resolve A Record",
 			inputMSG:       new(dns.Msg).SetQuestion("one.one.one.one.", dns.TypeA),
 			InputServers:   []string{"8.8.8.8:53", "8.8.4.4:53"},
-			timeout:        defaultUpstreamTimeout,
+			timeout:        upstreamTimeout,
 			expectedAnswer: "1.1.1.1",
 		},
 		{
@@ -45,7 +45,7 @@ func TestUpstreamResolver_ServeDNS(t *testing.T) {
 			inputMSG:            new(dns.Msg).SetQuestion("one.one.one.one.", dns.TypeA),
 			InputServers:        []string{"8.0.0.0:53", "8.8.4.4:53"},
 			cancelCTX:           true,
-			timeout:             defaultUpstreamTimeout,
+			timeout:             upstreamTimeout,
 			responseShouldBeNil: true,
 		},
 		//{
@@ -65,12 +65,9 @@ func TestUpstreamResolver_ServeDNS(t *testing.T) {
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
 			ctx, cancel := context.WithCancel(context.TODO())
-			resolver := &upstreamResolver{
-				parentCTX:       ctx,
-				upstreamClient:  &dns.Client{},
-				upstreamServers: testCase.InputServers,
-				upstreamTimeout: testCase.timeout,
-			}
+			resolver := newUpstreamResolver(ctx)
+			resolver.upstreamServers = testCase.InputServers
+			resolver.upstreamTimeout = testCase.timeout
 			if testCase.cancelCTX {
 				cancel()
 			} else {
@@ -108,3 +105,52 @@ func TestUpstreamResolver_ServeDNS(t *testing.T) {
 		})
 	}
 }
+
+func TestUpstreamResolver_DeactivationReactivation(t *testing.T) {
+	resolver := newUpstreamResolver(context.TODO())
+	resolver.upstreamServers = []string{"0.0.0.0:-1"}
+	resolver.failsTillDeact = 0
+	resolver.reactivatePeriod = time.Microsecond * 100
+
+	responseWriter := &mockResponseWriter{
+		WriteMsgFunc: func(m *dns.Msg) error { return nil },
+	}
+
+	failed := false
+	resolver.deactivate = func() {
+		failed = true
+	}
+
+	reactivated := false
+	resolver.reactivate = func() {
+		reactivated = true
+	}
+
+	resolver.ServeDNS(responseWriter, new(dns.Msg).SetQuestion("one.one.one.one.", dns.TypeA))
+
+	if !failed {
+		t.Errorf("expected that resolving was deactivated")
+		return
+	}
+
+	if !resolver.disabled {
+		t.Errorf("resolver should be disabled")
+		return
+	}
+
+	time.Sleep(time.Millisecond * 200)
+
+	if !reactivated {
+		t.Errorf("expected that resolving was reactivated")
+		return
+	}
+
+	if resolver.failsCount.Load() != 0 {
+		t.Errorf("fails count after reactivation should be 0")
+		return
+	}
+
+	if resolver.disabled {
+		t.Errorf("should be enabled")
+	}
+}

client/internal/engine.go

@@ -157,56 +157,8 @@ func (e *Engine) Stop() error {
 	// Removing peers happens in the conn.CLose() asynchronously
 	time.Sleep(500 * time.Millisecond)
 
-	log.Debugf("removing Netbird interface %s", e.config.WgIfaceName)
-	if e.wgInterface.Interface != nil {
-		err = e.wgInterface.Close()
-		if err != nil {
-			log.Errorf("failed closing Netbird interface %s %v", e.config.WgIfaceName, err)
-			return err
-		}
-	}
-
-	if e.udpMux != nil {
-		if err := e.udpMux.Close(); err != nil {
-			log.Debugf("close udp mux: %v", err)
-		}
-	}
-
-	if e.udpMuxSrflx != nil {
-		if err := e.udpMuxSrflx.Close(); err != nil {
-			log.Debugf("close server reflexive udp mux: %v", err)
-		}
-	}
-
-	if e.udpMuxConn != nil {
-		if err := e.udpMuxConn.Close(); err != nil {
-			log.Debugf("close udp mux connection: %v", err)
-		}
-	}
-
-	if e.udpMuxConnSrflx != nil {
-		if err := e.udpMuxConnSrflx.Close(); err != nil {
-			log.Debugf("close server reflexive udp mux connection: %v", err)
-		}
-	}
-
-	if !isNil(e.sshServer) {
-		err := e.sshServer.Stop()
-		if err != nil {
-			log.Warnf("failed stopping the SSH server: %v", err)
-		}
-	}
-
-	if e.routeManager != nil {
-		e.routeManager.Stop()
-	}
-
-	if e.dnsServer != nil {
-		e.dnsServer.Stop()
-	}
-
+	e.close()
 	log.Infof("stopped Netbird Engine")
-
 	return nil
 }
 
@@ -236,12 +188,14 @@ func (e *Engine) Start() error {
 	e.udpMuxConn, err = net.ListenUDP(networkName, &net.UDPAddr{Port: e.config.UDPMuxPort})
 	if err != nil {
 		log.Errorf("failed listening on UDP port %d: [%s]", e.config.UDPMuxPort, err.Error())
+		e.close()
 		return err
 	}
 
 	e.udpMuxConnSrflx, err = net.ListenUDP(networkName, &net.UDPAddr{Port: e.config.UDPMuxSrflxPort})
 	if err != nil {
 		log.Errorf("failed listening on UDP port %d: [%s]", e.config.UDPMuxSrflxPort, err.Error())
+		e.close()
 		return err
 	}
 
@@ -251,12 +205,14 @@ func (e *Engine) Start() error {
 	err = e.wgInterface.Create()
 	if err != nil {
 		log.Errorf("failed creating tunnel interface %s: [%s]", wgIfaceName, err.Error())
+		e.close()
 		return err
 	}
 
 	err = e.wgInterface.Configure(myPrivateKey.String(), e.config.WgPort)
 	if err != nil {
 		log.Errorf("failed configuring Wireguard interface [%s]: %s", wgIfaceName, err.Error())
+		e.close()
 		return err
 	}
 
@@ -266,6 +222,7 @@ func (e *Engine) Start() error {
 		// todo fix custom address
 		dnsServer, err := dns.NewDefaultServer(e.ctx, e.wgInterface, e.config.CustomDNSAddress)
 		if err != nil {
+			e.close()
 			return err
 		}
 		e.dnsServer = dnsServer
@@ -501,7 +458,7 @@ func (e *Engine) updateSSH(sshConf *mgmProto.SSHConfig) error {
 			//nil sshServer means it has not yet been started
 			var err error
 			e.sshServer, err = e.sshServerFunc(e.config.SSHKey,
-				fmt.Sprintf("%s:%d", e.wgInterface.Address.IP.String(), nbssh.DefaultSSHPort))
+				fmt.Sprintf("%s:%d", e.wgInterface.Address().IP.String(), nbssh.DefaultSSHPort))
 			if err != nil {
 				return err
 			}
@@ -534,8 +491,8 @@ func (e *Engine) updateSSH(sshConf *mgmProto.SSHConfig) error {
 }
 
 func (e *Engine) updateConfig(conf *mgmProto.PeerConfig) error {
-	if e.wgInterface.Address.String() != conf.Address {
-		oldAddr := e.wgInterface.Address.String()
+	if e.wgInterface.Address().String() != conf.Address {
+		oldAddr := e.wgInterface.Address().String()
 		log.Debugf("updating peer address from %s to %s", oldAddr, conf.Address)
 		err := e.wgInterface.UpdateAddr(conf.Address)
 		if err != nil {
@@ -1011,6 +968,55 @@ func (e *Engine) parseNATExternalIPMappings() []string {
 	return mappedIPs
 }
 
+func (e *Engine) close() {
+	log.Debugf("removing Netbird interface %s", e.config.WgIfaceName)
+	if e.wgInterface != nil {
+		if err := e.wgInterface.Close(); err != nil {
+			log.Errorf("failed closing Netbird interface %s %v", e.config.WgIfaceName, err)
+		}
+	}
+
+	if e.udpMux != nil {
+		if err := e.udpMux.Close(); err != nil {
+			log.Debugf("close udp mux: %v", err)
+		}
+	}
+
+	if e.udpMuxSrflx != nil {
+		if err := e.udpMuxSrflx.Close(); err != nil {
+			log.Debugf("close server reflexive udp mux: %v", err)
+		}
+	}
+
+	if e.udpMuxConn != nil {
+		if err := e.udpMuxConn.Close(); err != nil {
+			log.Debugf("close udp mux connection: %v", err)
+		}
+	}
+
+	if e.udpMuxConnSrflx != nil {
+		if err := e.udpMuxConnSrflx.Close(); err != nil {
+			log.Debugf("close server reflexive udp mux connection: %v", err)
+		}
+	}
+
+	if !isNil(e.sshServer) {
+		err := e.sshServer.Stop()
+		if err != nil {
+			log.Warnf("failed stopping the SSH server: %v", err)
+		}
+	}
+
+	if e.routeManager != nil {
+		e.routeManager.Stop()
+	}
+
+	if e.dnsServer != nil {
+		e.dnsServer.Stop()
+	}
+
+}
+
 func findIPFromInterfaceName(ifaceName string) (net.IP, error) {
 	iface, err := net.InterfaceByName(ifaceName)
 	if err != nil {

client/internal/engine_test.go

@@ -857,7 +857,7 @@ loop:
 	}
 	// cleanup test
 	for n, peerEngine := range engines {
-		t.Logf("stopping peer with interface %s from multipeer test, loopIndex %d", peerEngine.wgInterface.Name, n)
+		t.Logf("stopping peer with interface %s from multipeer test, loopIndex %d", peerEngine.wgInterface.Name(), n)
 		errStop := peerEngine.mgmClient.Close()
 		if errStop != nil {
 			log.Infoln("got error trying to close management clients from engine: ", errStop)
@@ -905,7 +905,7 @@ func Test_ParseNATExternalIPMappings(t *testing.T) {
 			expectedOutput:          []string{"1.1.1.1", "8.8.8.8/" + testingIP},
 		},
 		{
-			name:                    "Only Interface Name Should Return Nil",
+			name:                    "Only Interface name Should Return Nil",
 			inputBlacklistInterface: defaultInterfaceBlacklist,
 			inputMapList:            []string{testingInterface},
 			expectedOutput:          nil,

client/internal/peer/conn.go

@@ -127,12 +127,10 @@ func interfaceFilter(blackList []string) func(string) bool {
 		wg, err := wgctrl.New()
 		if err != nil {
 			log.Debugf("trying to create a wgctrl client failed with: %v", err)
+			return true
 		}
 		defer func() {
-			err := wg.Close()
-			if err != nil {
-				return
-			}
+			_ = wg.Close()
 		}()
 
 		_, err = wg.Device(iFace)

client/internal/routemanager/client.go

@@ -162,7 +162,7 @@ func (c *clientNetwork) removeRouteFromPeerAndSystem() error {
 		if err != nil {
 			return err
 		}
-		err = removeFromRouteTableIfNonSystem(c.network, c.wgInterface.GetAddress().IP.String())
+		err = removeFromRouteTableIfNonSystem(c.network, c.wgInterface.Address().IP.String())
 		if err != nil {
 			return fmt.Errorf("couldn't remove route %s from system, err: %v",
 				c.network, err)
@@ -201,10 +201,10 @@ func (c *clientNetwork) recalculateRouteAndUpdatePeerAndSystem() error {
 			return err
 		}
 	} else {
-		err = addToRouteTableIfNoExists(c.network, c.wgInterface.GetAddress().IP.String())
+		err = addToRouteTableIfNoExists(c.network, c.wgInterface.Address().IP.String())
 		if err != nil {
 			return fmt.Errorf("route %s couldn't be added for peer %s, err: %v",
-				c.network.String(), c.wgInterface.GetAddress().IP.String(), err)
+				c.network.String(), c.wgInterface.Address().IP.String(), err)
 		}
 	}
 

client/internal/routemanager/server.go

@@ -40,7 +40,7 @@ func (m *DefaultManager) removeFromServerNetwork(route *route.Route) error {
 	default:
 		m.serverRouter.mux.Lock()
 		defer m.serverRouter.mux.Unlock()
-		err := m.serverRouter.firewall.RemoveRoutingRules(routeToRouterPair(m.wgInterface.Address.String(), route))
+		err := m.serverRouter.firewall.RemoveRoutingRules(routeToRouterPair(m.wgInterface.Address().String(), route))
 		if err != nil {
 			return err
 		}
@@ -57,7 +57,7 @@ func (m *DefaultManager) addToServerNetwork(route *route.Route) error {
 	default:
 		m.serverRouter.mux.Lock()
 		defer m.serverRouter.mux.Unlock()
-		err := m.serverRouter.firewall.InsertRoutingRules(routeToRouterPair(m.wgInterface.Address.String(), route))
+		err := m.serverRouter.firewall.InsertRoutingRules(routeToRouterPair(m.wgInterface.Address().String(), route))
 		if err != nil {
 			return err
 		}

client/internal/routemanager/systemops_test.go

@@ -39,18 +39,18 @@ func TestAddRemoveRoutes(t *testing.T) {
 			err = wgInterface.Create()
 			require.NoError(t, err, "should create testing wireguard interface")
 
-			err = addToRouteTableIfNoExists(testCase.prefix, wgInterface.GetAddress().IP.String())
+			err = addToRouteTableIfNoExists(testCase.prefix, wgInterface.Address().IP.String())
 			require.NoError(t, err, "should not return err")
 
 			prefixGateway, err := getExistingRIBRouteGateway(testCase.prefix)
 			require.NoError(t, err, "should not return err")
 			if testCase.shouldRouteToWireguard {
-				require.Equal(t, wgInterface.GetAddress().IP.String(), prefixGateway.String(), "route should point to wireguard interface IP")
+				require.Equal(t, wgInterface.Address().IP.String(), prefixGateway.String(), "route should point to wireguard interface IP")
 			} else {
-				require.NotEqual(t, wgInterface.GetAddress().IP.String(), prefixGateway.String(), "route should point to a different interface")
+				require.NotEqual(t, wgInterface.Address().IP.String(), prefixGateway.String(), "route should point to a different interface")
 			}
 
-			err = removeFromRouteTableIfNonSystem(testCase.prefix, wgInterface.GetAddress().IP.String())
+			err = removeFromRouteTableIfNonSystem(testCase.prefix, wgInterface.Address().IP.String())
 			require.NoError(t, err, "should not return err")
 
 			prefixGateway, err = getExistingRIBRouteGateway(testCase.prefix)

formatter/formatter.go

@@ -0,0 +1,51 @@
+package formatter
+
+import (
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/sirupsen/logrus"
+)
+
+// TextFormatter formats logs into text with included source code's path
+type TextFormatter struct {
+	TimestampFormat string
+	LevelDesc       []string
+}
+
+// NewTextFormatter create new MyTextFormatter instance
+func NewTextFormatter() *TextFormatter {
+	return &TextFormatter{
+		LevelDesc:       []string{"PANC", "FATL", "ERRO", "WARN", "INFO", "DEBG", "TRAC"},
+		TimestampFormat: time.RFC3339, // or RFC3339
+	}
+}
+
+// Format renders a single log entry
+func (f *TextFormatter) Format(entry *logrus.Entry) ([]byte, error) {
+	var fields string
+	keys := make([]string, 0, len(entry.Data))
+	for k, v := range entry.Data {
+		if k == "source" {
+			continue
+		}
+		keys = append(keys, fmt.Sprintf("%s: %v", k, v))
+	}
+
+	if len(keys) > 0 {
+		fields = fmt.Sprintf("[%s] ", strings.Join(keys, ", "))
+	}
+
+	level := f.parseLevel(entry.Level)
+
+	return []byte(fmt.Sprintf("%s %s %s%s: %s\n", entry.Time.Format(f.TimestampFormat), level, fields, entry.Data["source"], entry.Message)), nil
+}
+
+func (f *TextFormatter) parseLevel(level logrus.Level) string {
+	if len(f.LevelDesc) < int(level) {
+		return ""
+	}
+
+	return f.LevelDesc[level]
+}

formatter/formatter_test.go

@@ -0,0 +1,26 @@
+package formatter
+
+import (
+	"testing"
+	"time"
+
+	"github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestLogMessageFormat(t *testing.T) {
+
+	someEntry := &logrus.Entry{
+		Data:    logrus.Fields{"att1": 1, "att2": 2, "source": "some/fancy/path.go:46"},
+		Time:    time.Date(2021, time.Month(2), 21, 1, 10, 30, 0, time.UTC),
+		Level:   3,
+		Message: "Some Message",
+	}
+
+	formatter := NewTextFormatter()
+	result, _ := formatter.Format(someEntry)
+
+	parsedString := string(result)
+	expectedString := "^2021-02-21T01:10:30Z WARN \\[(att1: 1, att2: 2|att2: 2, att1: 1)\\] some/fancy/path.go:46: Some Message\\s+$"
+	assert.Regexp(t, expectedString, parsedString)
+}

formatter/hook.go

@@ -0,0 +1,61 @@
+package formatter
+
+import (
+	"fmt"
+	"path"
+	"runtime/debug"
+	"strings"
+
+	"github.com/sirupsen/logrus"
+)
+
+// ContextHook is a custom hook for add the source information for the entry
+type ContextHook struct {
+	goModuleName string
+}
+
+// NewContextHook instantiate a new context hook
+func NewContextHook() *ContextHook {
+	hook := &ContextHook{}
+	hook.goModuleName = hook.moduleName() + "/"
+	return hook
+}
+
+// Levels set the supported levels for this hook
+func (hook ContextHook) Levels() []logrus.Level {
+	return logrus.AllLevels
+}
+
+// Fire extend with the source information the entry.Data
+func (hook ContextHook) Fire(entry *logrus.Entry) error {
+	src := hook.parseSrc(entry.Caller.File)
+	entry.Data["source"] = fmt.Sprintf("%s:%v", src, entry.Caller.Line)
+	return nil
+}
+
+func (hook ContextHook) moduleName() string {
+	info, ok := debug.ReadBuildInfo()
+	if ok && info.Main.Path != "" {
+		return info.Main.Path
+	}
+
+	return "netbird"
+}
+
+func (hook ContextHook) parseSrc(filePath string) string {
+	netbirdPath := strings.SplitAfter(filePath, hook.goModuleName)
+	if len(netbirdPath) > 1 {
+		return netbirdPath[len(netbirdPath)-1]
+	}
+
+	// in case of forked repo
+	netbirdPath = strings.SplitAfter(filePath, "netbird/")
+	if len(netbirdPath) > 1 {
+		return netbirdPath[len(netbirdPath)-1]
+	}
+
+	// in case if log entry is come from external pkg
+	_, pkg := path.Split(path.Dir(filePath))
+	file := path.Base(filePath)
+	return fmt.Sprintf("%s/%s", pkg, file)
+}

formatter/hook_test.go

@@ -0,0 +1,39 @@
+package formatter
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestFilePathParsing(t *testing.T) {
+
+	testCases := []struct {
+		filePath         string
+		expectedFileName string
+	}{
+		// locally cloned repo
+		{
+			filePath:         "/Users/user/Github/Netbird/netbird/formatter/formatter.go",
+			expectedFileName: "formatter/formatter.go",
+		},
+		// locally cloned repo with duplicated name in path
+		{
+			filePath:         "/Users/user/netbird/repos/netbird/formatter/formatter.go",
+			expectedFileName: "formatter/formatter.go",
+		},
+		// locally cloned repo with renamed package root
+		{
+			filePath:         "/Users/user/Github/MyOwnNetbirdClient/formatter/formatter.go",
+			expectedFileName: "formatter/formatter.go",
+		},
+	}
+
+	hook := NewContextHook()
+
+	for _, testCase := range testCases {
+		parsedString := hook.parseSrc(testCase.filePath)
+		assert.Equal(t, testCase.expectedFileName, parsedString, "Parsed filepath does not match expected for %s", testCase.filePath)
+	}
+
+}

formatter/set.go

@@ -0,0 +1,10 @@
+package formatter
+
+import "github.com/sirupsen/logrus"
+
+// SetTextFormatter set the formatter for given logger.
+func SetTextFormatter(logger *logrus.Logger) {
+	logger.Formatter = NewTextFormatter()
+	logger.ReportCaller = true
+	logger.AddHook(NewContextHook())
+}

go.mod

@@ -8,17 +8,17 @@ require (
 	github.com/golang/protobuf v1.5.2
 	github.com/google/uuid v1.3.0
 	github.com/gorilla/mux v1.8.0
-	github.com/kardianos/service v1.2.1-0.20210728001519-a323c3813bc7 //keep this version otherwise wiretrustee up command breaks
+	github.com/kardianos/service v1.2.1-0.20210728001519-a323c3813bc7
 	github.com/onsi/ginkgo v1.16.5
 	github.com/onsi/gomega v1.18.1
-	github.com/pion/ice/v2 v2.2.7
+	github.com/pion/ice/v2 v2.3.0
 	github.com/rs/cors v1.8.0
 	github.com/sirupsen/logrus v1.8.1
 	github.com/spf13/cobra v1.6.1
 	github.com/spf13/pflag v1.0.5
 	github.com/vishvananda/netlink v1.1.0
-	golang.org/x/crypto v0.0.0-20220513210258-46612604a0f9
-	golang.org/x/sys v0.0.0-20220919091848-fb04ddd9f9c8
+	golang.org/x/crypto v0.6.0
+	golang.org/x/sys v0.5.0
 	golang.zx2c4.com/wireguard v0.0.0-20211209221555-9c9e7e272434
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20211215182854-7a385b3431de
 	golang.zx2c4.com/wireguard/windows v0.5.1
@@ -47,12 +47,13 @@ require (
 	github.com/prometheus/client_golang v1.13.0
 	github.com/rs/xid v1.3.0
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966
-	github.com/stretchr/testify v1.8.0
+	github.com/stretchr/testify v1.8.1
 	go.opentelemetry.io/otel/exporters/prometheus v0.33.0
 	go.opentelemetry.io/otel/metric v0.33.0
 	go.opentelemetry.io/otel/sdk/metric v0.33.0
-	golang.org/x/net v0.0.0-20220630215102-69896b714898
-	golang.org/x/term v0.0.0-20220526004731-065cf7ba2467
+	golang.org/x/net v0.7.0
+	golang.org/x/term v0.5.0
+	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
@@ -90,14 +91,14 @@ require (
 	github.com/nxadm/tail v1.4.8 // indirect
 	github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c // indirect
 	github.com/pegasus-kv/thrift v0.13.0 // indirect
-	github.com/pion/dtls/v2 v2.1.5 // indirect
+	github.com/pion/dtls/v2 v2.2.6 // indirect
 	github.com/pion/logging v0.2.2 // indirect
-	github.com/pion/mdns v0.0.5 // indirect
+	github.com/pion/mdns v0.0.7 // indirect
 	github.com/pion/randutil v0.1.0 // indirect
-	github.com/pion/stun v0.3.5 // indirect
-	github.com/pion/transport v0.13.1 // indirect
-	github.com/pion/turn/v2 v2.0.8 // indirect
-	github.com/pion/udp v0.1.1 // indirect
+	github.com/pion/stun v0.4.0 // indirect
+	github.com/pion/transport/v2 v2.0.2 // indirect
+	github.com/pion/turn/v2 v2.1.0 // indirect
+	github.com/pion/udp/v2 v2.0.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_model v0.2.0 // indirect
 	github.com/prometheus/common v0.37.0 // indirect
@@ -107,17 +108,16 @@ require (
 	github.com/srwiley/oksvg v0.0.0-20200311192757-870daf9aa564 // indirect
 	github.com/srwiley/rasterx v0.0.0-20200120212402-85cb7272f5e9 // indirect
 	github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df // indirect
-	github.com/yuin/goldmark v1.4.1 // indirect
+	github.com/yuin/goldmark v1.4.13 // indirect
 	go.opentelemetry.io/otel v1.11.1 // indirect
 	go.opentelemetry.io/otel/sdk v1.11.1 // indirect
 	go.opentelemetry.io/otel/trace v1.11.1 // indirect
 	golang.org/x/exp v0.0.0-20220518171630-0b5c67f07fdf // indirect
 	golang.org/x/image v0.0.0-20200430140353-33d19683fad8 // indirect
-	golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 // indirect
-	golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f // indirect
-	golang.org/x/text v0.3.8-0.20211105212822-18b340fc7af2 // indirect
-	golang.org/x/tools v0.1.10 // indirect
-	golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f // indirect
+	golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
+	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 // indirect
+	golang.org/x/text v0.7.0 // indirect
+	golang.org/x/tools v0.1.12 // indirect
 	golang.zx2c4.com/go118/netip v0.0.0-20211111135330-a4a02eeacf9d // indirect
 	golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 // indirect
 	google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa // indirect
@@ -125,11 +125,10 @@ require (
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/tomb.v2 v2.0.0-20161208151619-d5d1b5820637 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
 	honnef.co/go/tools v0.2.2 // indirect
 	k8s.io/apimachinery v0.23.5 // indirect
 )
 
-replace github.com/kardianos/service => github.com/netbirdio/service v0.0.0-20220905002524-6ac14ad5ea84
+replace github.com/kardianos/service => github.com/netbirdio/service v0.0.0-20230215170314-b923b89432b0
 
 replace github.com/getlantern/systray => github.com/netbirdio/systray v0.0.0-20221012095658-dc8eda872c0c

go.sum

@@ -380,8 +380,8 @@ github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8m
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/netbirdio/service v0.0.0-20220905002524-6ac14ad5ea84 h1:u8kpzR9ld1uAeH/BAXsS0SfcnhooLWeO7UgHSBVPD9I=
-github.com/netbirdio/service v0.0.0-20220905002524-6ac14ad5ea84/go.mod h1:CIMRFEJVL+0DS1a3Nx06NaMn4Dz63Ng6O7dl0qH0zVM=
+github.com/netbirdio/service v0.0.0-20230215170314-b923b89432b0 h1:hirFRfx3grVA/9eEyjME5/z3nxdJlN9kfQpvWWPk32g=
+github.com/netbirdio/service v0.0.0-20230215170314-b923b89432b0/go.mod h1:CIMRFEJVL+0DS1a3Nx06NaMn4Dz63Ng6O7dl0qH0zVM=
 github.com/netbirdio/systray v0.0.0-20221012095658-dc8eda872c0c h1:wK/s4nyZj/GF/kFJQjX6nqNfE0G3gcqd6hhnPCyp4sw=
 github.com/netbirdio/systray v0.0.0-20221012095658-dc8eda872c0c/go.mod h1:AecygODWIsBquJCJFop8MEQcJbWFfw/1yWbVabNgpCM=
 github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646/go.mod h1:jpp1/29i3P1S/RLdc7JQKbRpFeM1dOBd8T9ki5s+AY8=
@@ -412,26 +412,28 @@ github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaR
 github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
 github.com/pegasus-kv/thrift v0.13.0 h1:4ESwaNoHImfbHa9RUGJiJZ4hrxorihZHk5aarYwY8d4=
 github.com/pegasus-kv/thrift v0.13.0/go.mod h1:Gl9NT/WHG6ABm6NsrbfE8LiJN0sAyneCrvB4qN4NPqQ=
-github.com/pion/dtls/v2 v2.1.5 h1:jlh2vtIyUBShchoTDqpCCqiYCyRFJ/lvf/gQ8TALs+c=
-github.com/pion/dtls/v2 v2.1.5/go.mod h1:BqCE7xPZbPSubGasRoDFJeTsyJtdD1FanJYL0JGheqY=
-github.com/pion/ice/v2 v2.2.7 h1:kG9tux3WdYUSqqqnf+O5zKlpy41PdlvLUBlYJeV2emQ=
-github.com/pion/ice/v2 v2.2.7/go.mod h1:Ckj7cWZ717rtU01YoDQA9ntGWCk95D42uVZ8sI0EL+8=
+github.com/pion/dtls/v2 v2.2.4/go.mod h1:WGKfxqhrddne4Kg3p11FUMJrynkOY4lb25zHNO49wuw=
+github.com/pion/dtls/v2 v2.2.6 h1:yXMxKr0Skd+Ub6A8UqXTRLSywskx93ooMRHsQUtd+Z4=
+github.com/pion/dtls/v2 v2.2.6/go.mod h1:t8fWJCIquY5rlQZwA2yWxUS1+OCrAdXrhVKXB5oD/wY=
+github.com/pion/ice/v2 v2.3.0 h1:G+ysriabk1p9wbySDpdsnlD+6ZspLlDLagRduRfzJPk=
+github.com/pion/ice/v2 v2.3.0/go.mod h1:+xO/cXVnnVUr6D2ZJcCT5g9LngucUkkTvfnTMqUxKRM=
 github.com/pion/logging v0.2.2 h1:M9+AIj/+pxNsDfAT64+MAVgJO0rsyLnoJKCqf//DoeY=
 github.com/pion/logging v0.2.2/go.mod h1:k0/tDVsRCX2Mb2ZEmTqNa7CWsQPc+YYCB7Q+5pahoms=
-github.com/pion/mdns v0.0.5 h1:Q2oj/JB3NqfzY9xGZ1fPzZzK7sDSD8rZPOvcIQ10BCw=
-github.com/pion/mdns v0.0.5/go.mod h1:UgssrvdD3mxpi8tMxAXbsppL3vJ4Jipw1mTCW+al01g=
+github.com/pion/mdns v0.0.7 h1:P0UB4Sr6xDWEox0kTVxF0LmQihtCbSAdW0H2nEgkA3U=
+github.com/pion/mdns v0.0.7/go.mod h1:4iP2UbeFhLI/vWju/bw6ZfwjJzk0z8DNValjGxR/dD8=
 github.com/pion/randutil v0.1.0 h1:CFG1UdESneORglEsnimhUjf33Rwjubwj6xfiOXBa3mA=
 github.com/pion/randutil v0.1.0/go.mod h1:XcJrSMMbbMRhASFVOlj/5hQial/Y8oH/HVo7TBZq+j8=
-github.com/pion/stun v0.3.5 h1:uLUCBCkQby4S1cf6CGuR9QrVOKcvUwFeemaC865QHDg=
-github.com/pion/stun v0.3.5/go.mod h1:gDMim+47EeEtfWogA37n6qXZS88L5V6LqFcf+DZA2UA=
-github.com/pion/transport v0.12.2/go.mod h1:N3+vZQD9HlDP5GWkZ85LohxNsDcNgofQmyL6ojX5d8Q=
-github.com/pion/transport v0.13.0/go.mod h1:yxm9uXpK9bpBBWkITk13cLo1y5/ur5VQpG22ny6EP7g=
-github.com/pion/transport v0.13.1 h1:/UH5yLeQtwm2VZIPjxwnNFxjS4DFhyLfS4GlfuKUzfA=
-github.com/pion/transport v0.13.1/go.mod h1:EBxbqzyv+ZrmDb82XswEE0BjfQFtuw1Nu6sjnjWCsGg=
-github.com/pion/turn/v2 v2.0.8 h1:KEstL92OUN3k5k8qxsXHpr7WWfrdp7iJZHx99ud8muw=
-github.com/pion/turn/v2 v2.0.8/go.mod h1:+y7xl719J8bAEVpSXBXvTxStjJv3hbz9YFflvkpcGPw=
-github.com/pion/udp v0.1.1 h1:8UAPvyqmsxK8oOjloDk4wUt63TzFe9WEJkg5lChlj7o=
-github.com/pion/udp v0.1.1/go.mod h1:6AFo+CMdKQm7UiA0eUPA8/eVCTx8jBIITLZHc9DWX5M=
+github.com/pion/stun v0.4.0 h1:vgRrbBE2htWHy7l3Zsxckk7rkjnjOsSM7PHZnBwo8rk=
+github.com/pion/stun v0.4.0/go.mod h1:QPsh1/SbXASntw3zkkrIk3ZJVKz4saBY2G7S10P3wCw=
+github.com/pion/transport/v2 v2.0.0/go.mod h1:HS2MEBJTwD+1ZI2eSXSvHJx/HnzQqRy2/LXxt6eVMHc=
+github.com/pion/transport/v2 v2.0.1/go.mod h1:93OYg91+mrGxKW+Jrgzmqr80kgXqD7J0yybOrdr7w0Y=
+github.com/pion/transport/v2 v2.0.2 h1:St+8o+1PEzPT51O9bv+tH/KYYLMNR5Vwm5Z3Qkjsywg=
+github.com/pion/transport/v2 v2.0.2/go.mod h1:vrz6bUbFr/cjdwbnxq8OdDDzHf7JJfGsIRkxfpZoTA0=
+github.com/pion/turn/v2 v2.1.0 h1:5wGHSgGhJhP/RpabkUb/T9PdsAjkGLS6toYz5HNzoSI=
+github.com/pion/turn/v2 v2.1.0/go.mod h1:yrT5XbXSGX1VFSF31A3c1kCNB5bBZgk/uu5LET162qs=
+github.com/pion/udp v0.1.4/go.mod h1:G8LDo56HsFwC24LIcnT4YIDU5qcB6NepqqjP0keL2us=
+github.com/pion/udp/v2 v2.0.1 h1:xP0z6WNux1zWEjhC7onRA3EwwSliXqu1ElUZAQhUP54=
+github.com/pion/udp/v2 v2.0.1/go.mod h1:B7uvTMP00lzWdyMr/1PVZXtV3wpPIxBRd4Wl6AksXn8=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -504,16 +506,17 @@ github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/ugorji/go v1.1.7/go.mod h1:kZn38zHttfInRq0xu/PH0az30d+z6vm202qpg1oXVMw=
 github.com/ugorji/go/codec v1.1.7/go.mod h1:Ax+UKWsSmolVDwsd+7N3ZtXu+yMGCf907BLYF3GoBXY=
 github.com/urfave/cli/v2 v2.3.0/go.mod h1:LJmUH05zAU44vOAcrfzZQKsZbVcdbOG8rtL3/XcUArI=
@@ -528,8 +531,9 @@ github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9dec
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.3.8/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
-github.com/yuin/goldmark v1.4.1 h1:/vn0k+RBvwlxEmP5E7SZMqNxPhfMVFEJiykr15/0XKM=
 github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+github.com/yuin/goldmark v1.4.13 h1:fVcFKWvrslecOb/tg+Cc05dkeYx540o0FuFt3nUVDoE=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
@@ -555,11 +559,12 @@ golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211202192323-5770296d904e/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.0.0-20220513210258-46612604a0f9 h1:NUzdAbFtCJSXU20AOXgeqaUwg8Ypg4MPYmL+d+rsB5c=
-golang.org/x/crypto v0.0.0-20220513210258-46612604a0f9/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.5.0/go.mod h1:NK/OQwhpMQP3MwtdjgLlYHnH9ebylxKWv3e0fK+mkQU=
+golang.org/x/crypto v0.6.0 h1:qfktjS5LUO+fFKeJXZ+ikTRijMmljikvG68fpMMruSc=
+golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -596,8 +601,8 @@ golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
-golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 h1:kQgndtyPBW/JIYERgdxfwMYh3AVStj88WQTlNDi2a+o=
-golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 h1:6zppjxzCulZykYSLyVDYbneBfbaBIQPYMevg0bEwv2s=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -636,7 +641,6 @@ golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81R
 golang.org/x/net v0.0.0-20201010224723-4f7140c49acb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201201195509-5d6afe98e0b7/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201216054612-986b41b23924/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
@@ -656,10 +660,11 @@ golang.org/x/net v0.0.0-20211208012354-db4efeb81f4b/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220531201128-c960675eff93/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.0.0-20220630215102-69896b714898 h1:K7wO6V1IrczY9QOQ2WkVpw4JQSwCd52UsxVEirZUfiw=
-golang.org/x/net v0.0.0-20220630215102-69896b714898/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
+golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws=
+golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g=
+golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -678,8 +683,8 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f h1:Ax0t5p6N38Ga0dThY21weqDEyz2oklo4IvDkpigvkD8=
-golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 h1:uVc8UZUe6tr40fFVnUP5Oj+veunVezqYl9z7DYw9xzw=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -762,13 +767,18 @@ golang.org/x/sys v0.0.0-20211214234402-4825e8c3871d/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220608164250-635b8c9b7f68/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220919091848-fb04ddd9f9c8 h1:h+EGohizhe9XlX18rfpa8k8RAc5XyaeamM+0VHRd4lc=
-golang.org/x/sys v0.0.0-20220919091848-fb04ddd9f9c8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.0.0-20220526004731-065cf7ba2467 h1:CBpWXWQpIRjzmkkA+M7q9Fqnwd2mZr3AFqexg8YTfoM=
-golang.org/x/term v0.0.0-20220526004731-065cf7ba2467/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ=
+golang.org/x/term v0.5.0 h1:n2a8QNdAb0sZNpU9R1ALUXBbY+w51fCQDN+7EdxNBsY=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -778,8 +788,10 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.3.8-0.20211105212822-18b340fc7af2 h1:GLw7MR8AfAG2GmGcmVgObFOHXYypgGjnGno25RDwn3Y=
-golang.org/x/text v0.3.8-0.20211105212822-18b340fc7af2/go.mod h1:EFNZuWvGYxIRUEX+K8UmCFwYmZjqcrnq15ZuVldZkZ0=
+golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -833,14 +845,12 @@ golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo=
 golang.org/x/tools v0.1.8/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU=
-golang.org/x/tools v0.1.10 h1:QjFRCZxdOhBJ/UNgnBZLbNV13DlbnK0quyivTnXJM20=
-golang.org/x/tools v0.1.10/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E=
+golang.org/x/tools v0.1.12 h1:VveCTK38A2rkS8ZqFY25HIDFscX5X9OoEhJd3quQmXU=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f h1:GGU+dLjvlC3qDwqYgL6UgRmHXhOOgns0bZu2Ty5mm6U=
-golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.zx2c4.com/go118/netip v0.0.0-20211111135330-a4a02eeacf9d h1:9+v0G0naRhLPOJEeJOL6NuXTtAHHwmkyZlgQJ0XcQ8I=
 golang.zx2c4.com/go118/netip v0.0.0-20211111135330-a4a02eeacf9d/go.mod h1:5yyfuiqVIJ7t+3MqrpTQ+QqRkMWiESiyDvPNvKYCecg=
 golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 h1:Ug9qvr1myri/zFN6xL17LSCBGFDnphBBhzmILHsM5TY=

iface/address.go

@@ -0,0 +1,29 @@
+package iface
+
+import (
+	"fmt"
+	"net"
+)
+
+// WGAddress Wireguard parsed address
+type WGAddress struct {
+	IP      net.IP
+	Network *net.IPNet
+}
+
+// parseWGAddress parse a string ("1.2.3.4/24") address to WG Address
+func parseWGAddress(address string) (WGAddress, error) {
+	ip, network, err := net.ParseCIDR(address)
+	if err != nil {
+		return WGAddress{}, err
+	}
+	return WGAddress{
+		IP:      ip,
+		Network: network,
+	}, nil
+}
+
+func (addr WGAddress) String() string {
+	maskSize, _ := addr.Network.Mask.Size()
+	return fmt.Sprintf("%s/%d", addr.IP.String(), maskSize)
+}

iface/configuration.go

@@ -1,258 +0,0 @@
-package iface
-
-import (
-	"fmt"
-	log "github.com/sirupsen/logrus"
-	"golang.zx2c4.com/wireguard/wgctrl"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-	"net"
-	"time"
-)
-
-// GetName returns the interface name
-func (w *WGIface) GetName() string {
-	return w.Name
-}
-
-// GetAddress returns the interface address
-func (w *WGIface) GetAddress() WGAddress {
-	return w.Address
-}
-
-// configureDevice configures the wireguard device
-func (w *WGIface) configureDevice(config wgtypes.Config) error {
-	wg, err := wgctrl.New()
-	if err != nil {
-		return err
-	}
-	defer wg.Close()
-
-	// validate if device with name exists
-	_, err = wg.Device(w.Name)
-	if err != nil {
-		return err
-	}
-	log.Debugf("got Wireguard device %s", w.Name)
-
-	return wg.ConfigureDevice(w.Name, config)
-}
-
-// Configure configures a Wireguard interface
-// The interface must exist before calling this method (e.g. call interface.Create() before)
-func (w *WGIface) Configure(privateKey string, port int) error {
-	w.mu.Lock()
-	defer w.mu.Unlock()
-
-	log.Debugf("configuring Wireguard interface %s", w.Name)
-
-	log.Debugf("adding Wireguard private key")
-	key, err := wgtypes.ParseKey(privateKey)
-	if err != nil {
-		return err
-	}
-	fwmark := 0
-	config := wgtypes.Config{
-		PrivateKey:   &key,
-		ReplacePeers: true,
-		FirewallMark: &fwmark,
-		ListenPort:   &port,
-	}
-
-	err = w.configureDevice(config)
-	if err != nil {
-		return fmt.Errorf("received error \"%v\" while configuring interface %s with port %d", err, w.Name, port)
-	}
-	return nil
-}
-
-// GetListenPort returns the listening port of the Wireguard endpoint
-func (w *WGIface) GetListenPort() (*int, error) {
-	log.Debugf("getting Wireguard listen port of interface %s", w.Name)
-
-	//discover Wireguard current configuration
-	wg, err := wgctrl.New()
-	if err != nil {
-		return nil, err
-	}
-	defer wg.Close()
-
-	d, err := wg.Device(w.Name)
-	if err != nil {
-		return nil, err
-	}
-	log.Debugf("got Wireguard device listen port %s, %d", w.Name, d.ListenPort)
-
-	return &d.ListenPort, nil
-}
-
-// UpdatePeer updates existing Wireguard Peer or creates a new one if doesn't exist
-// Endpoint is optional
-func (w *WGIface) UpdatePeer(peerKey string, allowedIps string, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
-	w.mu.Lock()
-	defer w.mu.Unlock()
-
-	log.Debugf("updating interface %s peer %s: endpoint %s ", w.Name, peerKey, endpoint)
-
-	//parse allowed ips
-	_, ipNet, err := net.ParseCIDR(allowedIps)
-	if err != nil {
-		return err
-	}
-
-	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
-	if err != nil {
-		return err
-	}
-	peer := wgtypes.PeerConfig{
-		PublicKey:                   peerKeyParsed,
-		ReplaceAllowedIPs:           true,
-		AllowedIPs:                  []net.IPNet{*ipNet},
-		PersistentKeepaliveInterval: &keepAlive,
-		PresharedKey:                preSharedKey,
-		Endpoint:                    endpoint,
-	}
-
-	config := wgtypes.Config{
-		Peers: []wgtypes.PeerConfig{peer},
-	}
-	err = w.configureDevice(config)
-	if err != nil {
-		return fmt.Errorf("received error \"%v\" while updating peer on interface %s with settings: allowed ips %s, endpoint %s", err, w.Name, allowedIps, endpoint.String())
-	}
-	return nil
-}
-
-// AddAllowedIP adds a prefix to the allowed IPs list of peer
-func (w *WGIface) AddAllowedIP(peerKey string, allowedIP string) error {
-	w.mu.Lock()
-	defer w.mu.Unlock()
-
-	log.Debugf("adding allowed IP to interface %s and peer %s: allowed IP %s ", w.Name, peerKey, allowedIP)
-
-	_, ipNet, err := net.ParseCIDR(allowedIP)
-	if err != nil {
-		return err
-	}
-
-	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
-	if err != nil {
-		return err
-	}
-	peer := wgtypes.PeerConfig{
-		PublicKey:         peerKeyParsed,
-		UpdateOnly:        true,
-		ReplaceAllowedIPs: false,
-		AllowedIPs:        []net.IPNet{*ipNet},
-	}
-
-	config := wgtypes.Config{
-		Peers: []wgtypes.PeerConfig{peer},
-	}
-	err = w.configureDevice(config)
-	if err != nil {
-		return fmt.Errorf("received error \"%v\" while adding allowed Ip to peer on interface %s with settings: allowed ips %s", err, w.Name, allowedIP)
-	}
-	return nil
-}
-
-// RemoveAllowedIP removes a prefix from the allowed IPs list of peer
-func (w *WGIface) RemoveAllowedIP(peerKey string, allowedIP string) error {
-	w.mu.Lock()
-	defer w.mu.Unlock()
-
-	log.Debugf("removing allowed IP from interface %s and peer %s: allowed IP %s ", w.Name, peerKey, allowedIP)
-
-	_, ipNet, err := net.ParseCIDR(allowedIP)
-	if err != nil {
-		return err
-	}
-
-	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
-	if err != nil {
-		return err
-	}
-
-	existingPeer, err := getPeer(w.Name, peerKey)
-	if err != nil {
-		return err
-	}
-
-	newAllowedIPs := existingPeer.AllowedIPs
-
-	for i, existingAllowedIP := range existingPeer.AllowedIPs {
-		if existingAllowedIP.String() == ipNet.String() {
-			newAllowedIPs = append(existingPeer.AllowedIPs[:i], existingPeer.AllowedIPs[i+1:]...)
-			break
-		}
-	}
-
-	if err != nil {
-		return err
-	}
-	peer := wgtypes.PeerConfig{
-		PublicKey:         peerKeyParsed,
-		UpdateOnly:        true,
-		ReplaceAllowedIPs: true,
-		AllowedIPs:        newAllowedIPs,
-	}
-
-	config := wgtypes.Config{
-		Peers: []wgtypes.PeerConfig{peer},
-	}
-	err = w.configureDevice(config)
-	if err != nil {
-		return fmt.Errorf("received error \"%v\" while removing allowed IP from peer on interface %s with settings: allowed ips %s", err, w.Name, allowedIP)
-	}
-	return nil
-}
-
-func getPeer(ifaceName, peerPubKey string) (wgtypes.Peer, error) {
-	wg, err := wgctrl.New()
-	if err != nil {
-		return wgtypes.Peer{}, err
-	}
-	defer func() {
-		err = wg.Close()
-		if err != nil {
-			log.Errorf("got error while closing wgctl: %v", err)
-		}
-	}()
-
-	wgDevice, err := wg.Device(ifaceName)
-	if err != nil {
-		return wgtypes.Peer{}, err
-	}
-	for _, peer := range wgDevice.Peers {
-		if peer.PublicKey.String() == peerPubKey {
-			return peer, nil
-		}
-	}
-	return wgtypes.Peer{}, fmt.Errorf("peer not found")
-}
-
-// RemovePeer removes a Wireguard Peer from the interface iface
-func (w *WGIface) RemovePeer(peerKey string) error {
-	w.mu.Lock()
-	defer w.mu.Unlock()
-
-	log.Debugf("Removing peer %s from interface %s ", peerKey, w.Name)
-
-	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
-	if err != nil {
-		return err
-	}
-
-	peer := wgtypes.PeerConfig{
-		PublicKey: peerKeyParsed,
-		Remove:    true,
-	}
-
-	config := wgtypes.Config{
-		Peers: []wgtypes.PeerConfig{peer},
-	}
-	err = w.configureDevice(config)
-	if err != nil {
-		return fmt.Errorf("received error \"%v\" while removing peer %s from interface %s", err, peerKey, w.Name)
-	}
-	return nil
-}

iface/iface.go

@@ -3,9 +3,12 @@ package iface
 import (
 	"fmt"
 	"net"
-	"os"
-	"runtime"
 	"sync"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/wgctrl"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
 
 const (
@@ -13,83 +16,276 @@ const (
 	DefaultWgPort = 51820
 )
 
-// WGIface represents a interface instance
-type WGIface struct {
-	Name      string
-	Port      int
-	MTU       int
-	Address   WGAddress
-	Interface NetInterface
-	mu        sync.Mutex
-}
-
-// WGAddress Wireguard parsed address
-type WGAddress struct {
-	IP      net.IP
-	Network *net.IPNet
-}
-
-func (addr *WGAddress) String() string {
-	maskSize, _ := addr.Network.Mask.Size()
-	return fmt.Sprintf("%s/%d", addr.IP.String(), maskSize)
-}
-
 // NetInterface represents a generic network tunnel interface
 type NetInterface interface {
 	Close() error
 }
 
+// WGIface represents a interface instance
+type WGIface struct {
+	name         string
+	address      WGAddress
+	mtu          int
+	netInterface NetInterface
+	mu           sync.Mutex
+}
+
 // NewWGIFace Creates a new Wireguard interface instance
 func NewWGIFace(iface string, address string, mtu int) (*WGIface, error) {
 	wgIface := &WGIface{
-		Name: iface,
-		MTU:  mtu,
+		name: iface,
+		mtu:  mtu,
 		mu:   sync.Mutex{},
 	}
 
-	wgAddress, err := parseAddress(address)
+	wgAddress, err := parseWGAddress(address)
 	if err != nil {
 		return wgIface, err
 	}
 
-	wgIface.Address = wgAddress
+	wgIface.address = wgAddress
 
 	return wgIface, nil
 }
 
-// parseAddress parse a string ("1.2.3.4/24") address to WG Address
-func parseAddress(address string) (WGAddress, error) {
-	ip, network, err := net.ParseCIDR(address)
-	if err != nil {
-		return WGAddress{}, err
-	}
-	return WGAddress{
-		IP:      ip,
-		Network: network,
-	}, nil
+// Name returns the interface name
+func (w *WGIface) Name() string {
+	return w.name
 }
 
-// Close closes the tunnel interface
-func (w *WGIface) Close() error {
+// Address returns the interface address
+func (w *WGIface) Address() WGAddress {
+	return w.address
+}
+
+// Configure configures a Wireguard interface
+// The interface must exist before calling this method (e.g. call interface.Create() before)
+func (w *WGIface) Configure(privateKey string, port int) error {
 	w.mu.Lock()
 	defer w.mu.Unlock()
-	if w.Interface == nil {
-		return nil
+
+	log.Debugf("configuring Wireguard interface %s", w.name)
+
+	log.Debugf("adding Wireguard private key")
+	key, err := wgtypes.ParseKey(privateKey)
+	if err != nil {
+		return err
 	}
-	err := w.Interface.Close()
+	fwmark := 0
+	config := wgtypes.Config{
+		PrivateKey:   &key,
+		ReplacePeers: true,
+		FirewallMark: &fwmark,
+		ListenPort:   &port,
+	}
+
+	err = w.configureDevice(config)
+	if err != nil {
+		return fmt.Errorf(`received error "%w" while configuring interface %s with port %d`, err, w.name, port)
+	}
+	return nil
+}
+
+// UpdateAddr updates address of the interface
+func (w *WGIface) UpdateAddr(newAddr string) error {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+
+	addr, err := parseWGAddress(newAddr)
 	if err != nil {
 		return err
 	}
 
-	if runtime.GOOS != "windows" {
-		sockPath := "/var/run/wireguard/" + w.Name + ".sock"
-		if _, statErr := os.Stat(sockPath); statErr == nil {
-			statErr = os.Remove(sockPath)
-			if statErr != nil {
-				return statErr
-			}
+	w.address = addr
+	return w.assignAddr()
+}
+
+// UpdatePeer updates existing Wireguard Peer or creates a new one if doesn't exist
+// Endpoint is optional
+func (w *WGIface) UpdatePeer(peerKey string, allowedIps string, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+
+	log.Debugf("updating interface %s peer %s: endpoint %s ", w.name, peerKey, endpoint)
+
+	//parse allowed ips
+	_, ipNet, err := net.ParseCIDR(allowedIps)
+	if err != nil {
+		return err
+	}
+
+	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
+	if err != nil {
+		return err
+	}
+	peer := wgtypes.PeerConfig{
+		PublicKey:                   peerKeyParsed,
+		ReplaceAllowedIPs:           true,
+		AllowedIPs:                  []net.IPNet{*ipNet},
+		PersistentKeepaliveInterval: &keepAlive,
+		PresharedKey:                preSharedKey,
+		Endpoint:                    endpoint,
+	}
+
+	config := wgtypes.Config{
+		Peers: []wgtypes.PeerConfig{peer},
+	}
+	err = w.configureDevice(config)
+	if err != nil {
+		return fmt.Errorf(`received error "%w" while updating peer on interface %s with settings: allowed ips %s, endpoint %s`, err, w.name, allowedIps, endpoint.String())
+	}
+	return nil
+}
+
+// AddAllowedIP adds a prefix to the allowed IPs list of peer
+func (w *WGIface) AddAllowedIP(peerKey string, allowedIP string) error {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+
+	log.Debugf("adding allowed IP to interface %s and peer %s: allowed IP %s ", w.name, peerKey, allowedIP)
+
+	_, ipNet, err := net.ParseCIDR(allowedIP)
+	if err != nil {
+		return err
+	}
+
+	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
+	if err != nil {
+		return err
+	}
+	peer := wgtypes.PeerConfig{
+		PublicKey:         peerKeyParsed,
+		UpdateOnly:        true,
+		ReplaceAllowedIPs: false,
+		AllowedIPs:        []net.IPNet{*ipNet},
+	}
+
+	config := wgtypes.Config{
+		Peers: []wgtypes.PeerConfig{peer},
+	}
+	err = w.configureDevice(config)
+	if err != nil {
+		return fmt.Errorf(`received error "%w" while adding allowed Ip to peer on interface %s with settings: allowed ips %s`, err, w.name, allowedIP)
+	}
+	return nil
+}
+
+// RemoveAllowedIP removes a prefix from the allowed IPs list of peer
+func (w *WGIface) RemoveAllowedIP(peerKey string, allowedIP string) error {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+
+	log.Debugf("removing allowed IP from interface %s and peer %s: allowed IP %s ", w.name, peerKey, allowedIP)
+
+	_, ipNet, err := net.ParseCIDR(allowedIP)
+	if err != nil {
+		return err
+	}
+
+	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
+	if err != nil {
+		return err
+	}
+
+	existingPeer, err := getPeer(w.name, peerKey)
+	if err != nil {
+		return err
+	}
+
+	newAllowedIPs := existingPeer.AllowedIPs
+
+	for i, existingAllowedIP := range existingPeer.AllowedIPs {
+		if existingAllowedIP.String() == ipNet.String() {
+			newAllowedIPs = append(existingPeer.AllowedIPs[:i], existingPeer.AllowedIPs[i+1:]...)
+			break
 		}
 	}
 
+	if err != nil {
+		return err
+	}
+	peer := wgtypes.PeerConfig{
+		PublicKey:         peerKeyParsed,
+		UpdateOnly:        true,
+		ReplaceAllowedIPs: true,
+		AllowedIPs:        newAllowedIPs,
+	}
+
+	config := wgtypes.Config{
+		Peers: []wgtypes.PeerConfig{peer},
+	}
+	err = w.configureDevice(config)
+	if err != nil {
+		return fmt.Errorf(`received error "%w" while removing allowed IP from peer on interface %s with settings: allowed ips %s`, err, w.name, allowedIP)
+	}
 	return nil
 }
+
+// RemovePeer removes a Wireguard Peer from the interface iface
+func (w *WGIface) RemovePeer(peerKey string) error {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+
+	log.Debugf("Removing peer %s from interface %s ", peerKey, w.name)
+
+	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
+	if err != nil {
+		return err
+	}
+
+	peer := wgtypes.PeerConfig{
+		PublicKey: peerKeyParsed,
+		Remove:    true,
+	}
+
+	config := wgtypes.Config{
+		Peers: []wgtypes.PeerConfig{peer},
+	}
+	err = w.configureDevice(config)
+	if err != nil {
+		return fmt.Errorf(`received error "%w" while removing peer %s from interface %s`, err, peerKey, w.name)
+	}
+	return nil
+}
+
+func getPeer(ifaceName, peerPubKey string) (wgtypes.Peer, error) {
+	wg, err := wgctrl.New()
+	if err != nil {
+		return wgtypes.Peer{}, err
+	}
+	defer func() {
+		err = wg.Close()
+		if err != nil {
+			log.Errorf("got error while closing wgctl: %v", err)
+		}
+	}()
+
+	wgDevice, err := wg.Device(ifaceName)
+	if err != nil {
+		return wgtypes.Peer{}, err
+	}
+	for _, peer := range wgDevice.Peers {
+		if peer.PublicKey.String() == peerPubKey {
+			return peer, nil
+		}
+	}
+	return wgtypes.Peer{}, fmt.Errorf("peer not found")
+}
+
+// configureDevice configures the wireguard device
+func (w *WGIface) configureDevice(config wgtypes.Config) error {
+	wg, err := wgctrl.New()
+	if err != nil {
+		return err
+	}
+	defer wg.Close()
+
+	// validate if device with name exists
+	_, err = wg.Device(w.name)
+	if err != nil {
+		return err
+	}
+	log.Debugf("got Wireguard device %s", w.name)
+
+	return wg.ConfigureDevice(w.name, config)
+}

iface/iface_darwin.go

@@ -1,8 +1,9 @@
 package iface
 
 import (
-	log "github.com/sirupsen/logrus"
 	"os/exec"
+
+	log "github.com/sirupsen/logrus"
 )
 
 // Create Creates a new Wireguard interface, sets a given IP and brings it up.
@@ -15,26 +16,17 @@ func (w *WGIface) Create() error {
 
 // assignAddr Adds IP address to the tunnel interface and network route based on the range provided
 func (w *WGIface) assignAddr() error {
-	//mask,_ := w.Address.Network.Mask.Size()
-	//
-	//address := fmt.Sprintf("%s/%d",w.Address.IP.String() , mask)
-
-	cmd := exec.Command("ifconfig", w.Name, "inet", w.Address.IP.String(), w.Address.IP.String())
+	cmd := exec.Command("ifconfig", w.name, "inet", w.address.IP.String(), w.address.IP.String())
 	if out, err := cmd.CombinedOutput(); err != nil {
-		log.Infof("adding addreess command \"%v\" failed with output %s and error: ", cmd.String(), out)
+		log.Infof(`adding addreess command "%v" failed with output %s and error: `, cmd.String(), out)
 		return err
 	}
 
-	routeCmd := exec.Command("route", "add", "-net", w.Address.Network.String(), "-interface", w.Name)
+	routeCmd := exec.Command("route", "add", "-net", w.address.Network.String(), "-interface", w.name)
 	if out, err := routeCmd.CombinedOutput(); err != nil {
-		log.Printf("adding route command \"%v\" failed with output %s and error: ", routeCmd.String(), out)
+		log.Printf(`adding route command "%v" failed with output %s and error: `, routeCmd.String(), out)
 		return err
 	}
 
 	return nil
 }
-
-// WireguardModuleIsLoaded check if we can load wireguard mod (linux only)
-func WireguardModuleIsLoaded() bool {
-	return false
-}

iface/iface_linux.go

@@ -2,15 +2,12 @@ package iface
 
 import (
 	"fmt"
+	"os"
+
 	log "github.com/sirupsen/logrus"
 	"github.com/vishvananda/netlink"
-	"os"
 )
 
-type NativeLink struct {
-	Link *netlink.Link
-}
-
 // Create creates a new Wireguard interface, sets a given IP and brings it up.
 // Will reuse an existing one.
 func (w *WGIface) Create() error {
@@ -33,10 +30,10 @@ func (w *WGIface) Create() error {
 // Works for Linux and offers much better network performance
 func (w *WGIface) createWithKernel() error {
 
-	link := newWGLink(w.Name)
+	link := newWGLink(w.name)
 
 	// check if interface exists
-	l, err := netlink.LinkByName(w.Name)
+	l, err := netlink.LinkByName(w.name)
 	if err != nil {
 		switch err.(type) {
 		case netlink.LinkNotFoundError:
@@ -54,15 +51,15 @@ func (w *WGIface) createWithKernel() error {
 		}
 	}
 
-	log.Debugf("adding device: %s", w.Name)
+	log.Debugf("adding device: %s", w.name)
 	err = netlink.LinkAdd(link)
 	if os.IsExist(err) {
-		log.Infof("interface %s already exists. Will reuse.", w.Name)
+		log.Infof("interface %s already exists. Will reuse.", w.name)
 	} else if err != nil {
 		return err
 	}
 
-	w.Interface = link
+	w.netInterface = link
 
 	err = w.assignAddr()
 	if err != nil {
@@ -70,17 +67,17 @@ func (w *WGIface) createWithKernel() error {
 	}
 
 	// todo do a discovery
-	log.Debugf("setting MTU: %d interface: %s", w.MTU, w.Name)
-	err = netlink.LinkSetMTU(link, w.MTU)
+	log.Debugf("setting MTU: %d interface: %s", w.mtu, w.name)
+	err = netlink.LinkSetMTU(link, w.mtu)
 	if err != nil {
-		log.Errorf("error setting MTU on interface: %s", w.Name)
+		log.Errorf("error setting MTU on interface: %s", w.name)
 		return err
 	}
 
-	log.Debugf("bringing up interface: %s", w.Name)
+	log.Debugf("bringing up interface: %s", w.name)
 	err = netlink.LinkSetUp(link)
 	if err != nil {
-		log.Errorf("error bringing up interface: %s", w.Name)
+		log.Errorf("error bringing up interface: %s", w.name)
 		return err
 	}
 
@@ -89,7 +86,7 @@ func (w *WGIface) createWithKernel() error {
 
 // assignAddr Adds IP address to the tunnel interface
 func (w *WGIface) assignAddr() error {
-	link := newWGLink(w.Name)
+	link := newWGLink(w.name)
 
 	//delete existing addresses
 	list, err := netlink.AddrList(link, 0)
@@ -105,11 +102,11 @@ func (w *WGIface) assignAddr() error {
 		}
 	}
 
-	log.Debugf("adding address %s to interface: %s", w.Address.String(), w.Name)
-	addr, _ := netlink.ParseAddr(w.Address.String())
+	log.Debugf("adding address %s to interface: %s", w.address.String(), w.name)
+	addr, _ := netlink.ParseAddr(w.address.String())
 	err = netlink.AddrAdd(link, addr)
 	if os.IsExist(err) {
-		log.Infof("interface %s already has the address: %s", w.Name, w.Address.String())
+		log.Infof("interface %s already has the address: %s", w.name, w.address.String())
 	} else if err != nil {
 		return err
 	}

iface/iface_test.go

@@ -46,11 +46,11 @@ func TestWGIface_UpdateAddr(t *testing.T) {
 			t.Error(err)
 		}
 	}()
-	port, err := iface.GetListenPort()
+	port, err := getListenPortByName(ifaceName)
 	if err != nil {
 		t.Fatal(err)
 	}
-	err = iface.Configure(key, *port)
+	err = iface.Configure(key, port)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -164,11 +164,11 @@ func Test_ConfigureInterface(t *testing.T) {
 		}
 	}()
 
-	port, err := iface.GetListenPort()
+	port, err := getListenPortByName(ifaceName)
 	if err != nil {
 		t.Fatal(err)
 	}
-	err = iface.Configure(key, *port)
+	err = iface.Configure(key, port)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -210,11 +210,11 @@ func Test_UpdatePeer(t *testing.T) {
 			t.Error(err)
 		}
 	}()
-	port, err := iface.GetListenPort()
+	port, err := getListenPortByName(ifaceName)
 	if err != nil {
 		t.Fatal(err)
 	}
-	err = iface.Configure(key, *port)
+	err = iface.Configure(key, port)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -269,11 +269,11 @@ func Test_RemovePeer(t *testing.T) {
 			t.Error(err)
 		}
 	}()
-	port, err := iface.GetListenPort()
+	port, err := getListenPortByName(ifaceName)
 	if err != nil {
 		t.Fatal(err)
 	}
-	err = iface.Configure(key, *port)
+	err = iface.Configure(key, port)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -298,12 +298,10 @@ func Test_ConnectPeers(t *testing.T) {
 	peer1ifaceName := fmt.Sprintf("utun%d", WgIntNumber+400)
 	peer1wgIP := "10.99.99.17/30"
 	peer1Key, _ := wgtypes.GeneratePrivateKey()
-	//peer1Port := WgPort + 4
 
-	peer2ifaceName := fmt.Sprintf("utun%d", 500)
+	peer2ifaceName := "utun500"
 	peer2wgIP := "10.99.99.18/30"
 	peer2Key, _ := wgtypes.GeneratePrivateKey()
-	//peer2Port := WgPort + 5
 
 	keepAlive := 1 * time.Second
 
@@ -315,11 +313,11 @@ func Test_ConnectPeers(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	peer1Port, err := iface1.GetListenPort()
+	peer1Port, err := getListenPortByName(peer1ifaceName)
 	if err != nil {
 		t.Fatal(err)
 	}
-	peer1endpoint, err := net.ResolveUDPAddr("udp", fmt.Sprintf("127.0.0.1:%d", *peer1Port))
+	peer1endpoint, err := net.ResolveUDPAddr("udp", fmt.Sprintf("127.0.0.1:%d", peer1Port))
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -332,11 +330,11 @@ func Test_ConnectPeers(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	peer2Port, err := iface2.GetListenPort()
+	peer2Port, err := getListenPortByName(peer2ifaceName)
 	if err != nil {
 		t.Fatal(err)
 	}
-	peer2endpoint, err := net.ResolveUDPAddr("udp", fmt.Sprintf("127.0.0.1:%d", *peer2Port))
+	peer2endpoint, err := net.ResolveUDPAddr("udp", fmt.Sprintf("127.0.0.1:%d", peer2Port))
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -351,11 +349,11 @@ func Test_ConnectPeers(t *testing.T) {
 		}
 	}()
 
-	err = iface1.Configure(peer1Key.String(), *peer1Port)
+	err = iface1.Configure(peer1Key.String(), peer1Port)
 	if err != nil {
 		t.Fatal(err)
 	}
-	err = iface2.Configure(peer2Key.String(), *peer2Port)
+	err = iface2.Configure(peer2Key.String(), peer2Port)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -388,3 +386,18 @@ func Test_ConnectPeers(t *testing.T) {
 	}
 
 }
+
+func getListenPortByName(name string) (int, error) {
+	wg, err := wgctrl.New()
+	if err != nil {
+		return 0, err
+	}
+	defer wg.Close()
+
+	d, err := wg.Device(name)
+	if err != nil {
+		return 0, err
+	}
+
+	return d.ListenPort, nil
+}

iface/iface_unix.go

@@ -4,23 +4,53 @@
 package iface
 
 import (
+	"net"
+	"os"
+
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/conn"
 	"golang.zx2c4.com/wireguard/device"
 	"golang.zx2c4.com/wireguard/ipc"
 	"golang.zx2c4.com/wireguard/tun"
-	"net"
 )
 
-// createWithUserspace Creates a new Wireguard interface, using wireguard-go userspace implementation
-func (w *WGIface) createWithUserspace() error {
+// GetInterfaceGUIDString returns an interface GUID. This is useful on Windows only
+func (w *WGIface) GetInterfaceGUIDString() (string, error) {
+	return "", nil
+}
 
-	tunIface, err := tun.CreateTUN(w.Name, w.MTU)
+// Close closes the tunnel interface
+func (w *WGIface) Close() error {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+	if w.netInterface == nil {
+		return nil
+	}
+	err := w.netInterface.Close()
 	if err != nil {
 		return err
 	}
 
-	w.Interface = tunIface
+	sockPath := "/var/run/wireguard/" + w.name + ".sock"
+	if _, statErr := os.Stat(sockPath); statErr == nil {
+		statErr = os.Remove(sockPath)
+		if statErr != nil {
+			return statErr
+		}
+	}
+
+	return nil
+}
+
+// createWithUserspace Creates a new Wireguard interface, using wireguard-go userspace implementation
+func (w *WGIface) createWithUserspace() error {
+
+	tunIface, err := tun.CreateTUN(w.name, w.mtu)
+	if err != nil {
+		return err
+	}
+
+	w.netInterface = tunIface
 
 	// We need to create a wireguard-go device and listen to configuration requests
 	tunDevice := device.NewDevice(tunIface, conn.NewDefaultBind(), device.NewLogger(device.LogLevelSilent, "[wiretrustee] "))
@@ -28,7 +58,7 @@ func (w *WGIface) createWithUserspace() error {
 	if err != nil {
 		return err
 	}
-	uapi, err := getUAPI(w.Name)
+	uapi, err := getUAPI(w.name)
 	if err != nil {
 		return err
 	}
@@ -61,22 +91,3 @@ func getUAPI(iface string) (net.Listener, error) {
 	}
 	return ipc.UAPIListen(iface, tunSock)
 }
-
-// UpdateAddr updates address of the interface
-func (w *WGIface) UpdateAddr(newAddr string) error {
-	w.mu.Lock()
-	defer w.mu.Unlock()
-
-	addr, err := parseAddress(newAddr)
-	if err != nil {
-		return err
-	}
-
-	w.Address = addr
-	return w.assignAddr()
-}
-
-// GetInterfaceGUIDString returns an interface GUID. This is useful on Windows only
-func (w *WGIface) GetInterfaceGUIDString() (string, error) {
-	return "", nil
-}

iface/iface_windows.go

@@ -2,11 +2,11 @@ package iface
 
 import (
 	"fmt"
+	"net"
+
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/sys/windows"
 	"golang.zx2c4.com/wireguard/windows/driver"
-	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
-	"net"
 )
 
 // Create Creates a new Wireguard interface, sets a given IP and brings it up.
@@ -15,55 +15,27 @@ func (w *WGIface) Create() error {
 	defer w.mu.Unlock()
 
 	WintunStaticRequestedGUID, _ := windows.GenerateGUID()
-	adapter, err := driver.CreateAdapter(w.Name, "WireGuard", &WintunStaticRequestedGUID)
+	adapter, err := driver.CreateAdapter(w.name, "WireGuard", &WintunStaticRequestedGUID)
 	if err != nil {
 		err = fmt.Errorf("error creating adapter: %w", err)
 		return err
 	}
-	w.Interface = adapter
-	luid := adapter.LUID()
+	w.netInterface = adapter
 	err = adapter.SetAdapterState(driver.AdapterStateUp)
 	if err != nil {
 		return err
 	}
-	state, _ := luid.GUID()
+	state, _ := adapter.LUID().GUID()
 	log.Debugln("device guid: ", state.String())
-	return w.assignAddr(luid)
-}
-
-// assignAddr Adds IP address to the tunnel interface and network route based on the range provided
-func (w *WGIface) assignAddr(luid winipcfg.LUID) error {
-
-	log.Debugf("adding address %s to interface: %s", w.Address.IP, w.Name)
-	err := luid.SetIPAddresses([]net.IPNet{{w.Address.IP, w.Address.Network.Mask}})
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-// UpdateAddr updates address of the interface
-func (w *WGIface) UpdateAddr(newAddr string) error {
-	w.mu.Lock()
-	defer w.mu.Unlock()
-
-	luid := w.Interface.(*driver.Adapter).LUID()
-	addr, err := parseAddress(newAddr)
-	if err != nil {
-		return err
-	}
-
-	w.Address = addr
-	return w.assignAddr(luid)
+	return w.assignAddr()
 }
 
 // GetInterfaceGUIDString returns an interface GUID string
 func (w *WGIface) GetInterfaceGUIDString() (string, error) {
-	if w.Interface == nil {
+	if w.netInterface == nil {
 		return "", fmt.Errorf("interface has not been initialized yet")
 	}
-	windowsDevice := w.Interface.(*driver.Adapter)
+	windowsDevice := w.netInterface.(*driver.Adapter)
 	luid := windowsDevice.LUID()
 	guid, err := luid.GUID()
 	if err != nil {
@@ -72,7 +44,26 @@ func (w *WGIface) GetInterfaceGUIDString() (string, error) {
 	return guid.String(), nil
 }
 
-// WireguardModuleIsLoaded check if we can load wireguard mod (linux only)
-func WireguardModuleIsLoaded() bool {
-	return false
+// Close closes the tunnel interface
+func (w *WGIface) Close() error {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+	if w.netInterface == nil {
+		return nil
+	}
+
+	return w.netInterface.Close()
+}
+
+// assignAddr Adds IP address to the tunnel interface and network route based on the range provided
+func (w *WGIface) assignAddr() error {
+	luid := w.netInterface.(*driver.Adapter).LUID()
+
+	log.Debugf("adding address %s to interface: %s", w.address.IP, w.name)
+	err := luid.SetIPAddresses([]net.IPNet{{w.address.IP, w.address.Network.Mask}})
+	if err != nil {
+		return err
+	}
+
+	return nil
 }

iface/module.go

@@ -0,0 +1,9 @@
+//go:build !linux
+// +build !linux
+
+package iface
+
+// WireguardModuleIsLoaded check if we can load wireguard mod (linux only)
+func WireguardModuleIsLoaded() bool {
+	return false
+}

management/server/account.go

@@ -26,11 +26,12 @@ import (
 )
 
 const (
-	PublicCategory     = "public"
-	PrivateCategory    = "private"
-	UnknownCategory    = "unknown"
-	CacheExpirationMax = 7 * 24 * 3600 * time.Second // 7 days
-	CacheExpirationMin = 3 * 24 * 3600 * time.Second // 3 days
+	PublicCategory             = "public"
+	PrivateCategory            = "private"
+	UnknownCategory            = "unknown"
+	CacheExpirationMax         = 7 * 24 * 3600 * time.Second // 7 days
+	CacheExpirationMin         = 3 * 24 * 3600 * time.Second // 3 days
+	DefaultPeerLoginExpiration = 24 * time.Hour
 )
 
 func cacheEntryExpiration() time.Duration {
@@ -48,19 +49,20 @@ type AccountManager interface {
 	SaveUser(accountID, userID string, update *User) (*UserInfo, error)
 	GetSetupKey(accountID, userID, keyID string) (*SetupKey, error)
 	GetAccountByUserOrAccountID(userID, accountID, domain string) (*Account, error)
+	GetAccountByPeerID(peerID string) (*Account, error)
 	GetAccountFromToken(claims jwtclaims.AuthorizationClaims) (*Account, *User, error)
 	IsUserAdmin(claims jwtclaims.AuthorizationClaims) (bool, error)
 	AccountExists(accountId string) (*bool, error)
 	GetPeerByKey(peerKey string) (*Peer, error)
 	GetPeers(accountID, userID string) ([]*Peer, error)
 	MarkPeerConnected(peerKey string, connected bool) error
+	MarkPeerLoginExpired(peerPubKey string, loginExpired bool) error
 	DeletePeer(accountID, peerID, userID string) (*Peer, error)
 	GetPeerByIP(accountId string, peerIP string) (*Peer, error)
 	UpdatePeer(accountID, userID string, peer *Peer) (*Peer, error)
 	GetNetworkMap(peerID string) (*NetworkMap, error)
 	GetPeerNetwork(peerID string) (*Network, error)
 	AddPeer(setupKey, userID string, peer *Peer) (*Peer, error)
-	UpdatePeerMeta(peerID string, meta PeerSystemMeta) error
 	UpdatePeerSSHKey(peerID string, sshKey string) error
 	GetUsersFromAccount(accountID, userID string) ([]*UserInfo, error)
 	GetGroup(accountId, groupID string) (*Group, error)
@@ -93,6 +95,9 @@ type AccountManager interface {
 	GetDNSSettings(accountID string, userID string) (*DNSSettings, error)
 	SaveDNSSettings(accountID string, userID string, dnsSettingsToSave *DNSSettings) error
 	GetPeer(accountID, peerID, userID string) (*Peer, error)
+	UpdateAccountSettings(accountID, userID string, newSettings *Settings) (*Account, error)
+	LoginPeer(login PeerLogin) (*Peer, error)
+	SyncPeer(sync PeerSync) (*Peer, *NetworkMap, error)
 }
 
 type DefaultAccountManager struct {
@@ -114,7 +119,25 @@ type DefaultAccountManager struct {
 	// singleAccountModeDomain is a domain to use in singleAccountMode setup
 	singleAccountModeDomain string
 	// dnsDomain is used for peer resolution. This is appended to the peer's name
-	dnsDomain string
+	dnsDomain       string
+	peerLoginExpiry Scheduler
+}
+
+// Settings represents Account settings structure that can be modified via API and Dashboard
+type Settings struct {
+	// PeerLoginExpirationEnabled globally enables or disables peer login expiration
+	PeerLoginExpirationEnabled bool
+	// PeerLoginExpiration is a setting that indicates when peer login expires.
+	// Applies to all peers that have Peer.LoginExpirationEnabled set to true.
+	PeerLoginExpiration time.Duration
+}
+
+// Copy copies the Settings struct
+func (s *Settings) Copy() *Settings {
+	return &Settings{
+		PeerLoginExpirationEnabled: s.PeerLoginExpirationEnabled,
+		PeerLoginExpiration:        s.PeerLoginExpiration,
+	}
 }
 
 // Account represents a unique account of the system
@@ -134,6 +157,8 @@ type Account struct {
 	Routes                 map[string]*route.Route
 	NameServerGroups       map[string]*nbdns.NameServerGroup
 	DNSSettings            *DNSSettings
+	// Settings is a dictionary of Account settings
+	Settings *Settings
 }
 
 type UserInfo struct {
@@ -283,6 +308,58 @@ func (a *Account) GetGroup(groupID string) *Group {
 	return a.Groups[groupID]
 }
 
+// GetExpiredPeers returns peers that have been expired
+func (a *Account) GetExpiredPeers() []*Peer {
+	var peers []*Peer
+	for _, peer := range a.GetPeersWithExpiration() {
+		expired, _ := peer.LoginExpired(a.Settings.PeerLoginExpiration)
+		if expired {
+			peers = append(peers, peer)
+		}
+	}
+
+	return peers
+}
+
+// GetNextPeerExpiration returns the minimum duration in which the next peer of the account will expire if it was found.
+// If there is no peer that expires this function returns false and a duration of 0.
+// This function only considers peers that haven't been expired yet and that are connected.
+func (a *Account) GetNextPeerExpiration() (time.Duration, bool) {
+
+	peersWithExpiry := a.GetPeersWithExpiration()
+	if len(peersWithExpiry) == 0 {
+		return 0, false
+	}
+	var nextExpiry *time.Duration
+	for _, peer := range peersWithExpiry {
+		// consider only connected peers because others will require login on connecting to the management server
+		if peer.Status.LoginExpired || !peer.Status.Connected {
+			continue
+		}
+		_, duration := peer.LoginExpired(a.Settings.PeerLoginExpiration)
+		if nextExpiry == nil || duration < *nextExpiry {
+			nextExpiry = &duration
+		}
+	}
+
+	if nextExpiry == nil {
+		return 0, false
+	}
+
+	return *nextExpiry, true
+}
+
+// GetPeersWithExpiration returns a list of peers that have Peer.LoginExpirationEnabled set to true
+func (a *Account) GetPeersWithExpiration() []*Peer {
+	peers := make([]*Peer, 0)
+	for _, peer := range a.Peers {
+		if peer.LoginExpirationEnabled {
+			peers = append(peers, peer)
+		}
+	}
+	return peers
+}
+
 // GetPeers returns a list of all Account peers
 func (a *Account) GetPeers() []*Peer {
 	var peers []*Peer
@@ -292,6 +369,12 @@ func (a *Account) GetPeers() []*Peer {
 	return peers
 }
 
+// UpdateSettings saves new account settings
+func (a *Account) UpdateSettings(update *Settings) *Account {
+	a.Settings = update.Copy()
+	return a
+}
+
 // UpdatePeer saves new or replaces existing peer
 func (a *Account) UpdatePeer(update *Peer) {
 	a.Peers[update.ID] = update
@@ -466,7 +549,12 @@ func (a *Account) Copy() *Account {
 
 	var dnsSettings *DNSSettings
 	if a.DNSSettings != nil {
-		dnsSettings = a.DNSSettings
+		dnsSettings = a.DNSSettings.Copy()
+	}
+
+	var settings *Settings
+	if a.Settings != nil {
+		settings = a.Settings.Copy()
 	}
 
 	return &Account{
@@ -484,6 +572,7 @@ func (a *Account) Copy() *Account {
 		Routes:                 routes,
 		NameServerGroups:       nsGroups,
 		DNSSettings:            dnsSettings,
+		Settings:               settings,
 	}
 }
 
@@ -514,13 +603,14 @@ func BuildManager(store Store, peersUpdateManager *PeersUpdateManager, idpManage
 		cacheLoading:       map[string]chan struct{}{},
 		dnsDomain:          dnsDomain,
 		eventStore:         eventStore,
+		peerLoginExpiry:    NewDefaultScheduler(),
 	}
 	allAccounts := store.GetAllAccounts()
 	// enable single account mode only if configured by user and number of existing accounts is not grater than 1
 	am.singleAccountMode = singleAccountModeDomain != "" && len(allAccounts) <= 1
 	if am.singleAccountMode {
 		if !isDomainValid(singleAccountModeDomain) {
-			return nil, status.Errorf(status.InvalidArgument, "invalid domain \"%s\" provided for single accound mode. Please review your input for --single-account-mode-domain", singleAccountModeDomain)
+			return nil, status.Errorf(status.InvalidArgument, "invalid domain \"%s\" provided for a single account mode. Please review your input for --single-account-mode-domain", singleAccountModeDomain)
 		}
 		am.singleAccountModeDomain = singleAccountModeDomain
 		log.Infof("single account mode enabled, accounts number %d", len(allAccounts))
@@ -567,6 +657,113 @@ func BuildManager(store Store, peersUpdateManager *PeersUpdateManager, idpManage
 	return am, nil
 }
 
+// UpdateAccountSettings updates Account settings.
+// Only users with role UserRoleAdmin can update the account.
+// User that performs the update has to belong to the account.
+// Returns an updated Account
+func (am *DefaultAccountManager) UpdateAccountSettings(accountID, userID string, newSettings *Settings) (*Account, error) {
+
+	halfYearLimit := 180 * 24 * time.Hour
+	if newSettings.PeerLoginExpiration > halfYearLimit {
+		return nil, status.Errorf(status.InvalidArgument, "peer login expiration can't be larger than 180 days")
+	}
+
+	if newSettings.PeerLoginExpiration < time.Hour {
+		return nil, status.Errorf(status.InvalidArgument, "peer login expiration can't be smaller than one hour")
+	}
+
+	unlock := am.Store.AcquireAccountLock(accountID)
+	defer unlock()
+
+	account, err := am.Store.GetAccountByUser(userID)
+	if err != nil {
+		return nil, err
+	}
+
+	user, err := account.FindUser(userID)
+	if err != nil {
+		return nil, err
+	}
+
+	if !user.IsAdmin() {
+		return nil, status.Errorf(status.PermissionDenied, "user is not allowed to update account")
+	}
+
+	oldSettings := account.Settings
+	if oldSettings.PeerLoginExpirationEnabled != newSettings.PeerLoginExpirationEnabled {
+		event := activity.AccountPeerLoginExpirationEnabled
+		if !newSettings.PeerLoginExpirationEnabled {
+			event = activity.AccountPeerLoginExpirationDisabled
+			am.peerLoginExpiry.Cancel([]string{accountID})
+		} else {
+			am.checkAndSchedulePeerLoginExpiration(account)
+		}
+		am.storeEvent(userID, accountID, accountID, event, nil)
+	}
+
+	if oldSettings.PeerLoginExpiration != newSettings.PeerLoginExpiration {
+		am.storeEvent(userID, accountID, accountID, activity.AccountPeerLoginExpirationDurationUpdated, nil)
+		am.checkAndSchedulePeerLoginExpiration(account)
+	}
+
+	updatedAccount := account.UpdateSettings(newSettings)
+
+	err = am.Store.SaveAccount(account)
+	if err != nil {
+		return nil, err
+	}
+
+	return updatedAccount, nil
+}
+
+func (am *DefaultAccountManager) peerLoginExpirationJob(accountID string) func() (time.Duration, bool) {
+	return func() (time.Duration, bool) {
+		unlock := am.Store.AcquireAccountLock(accountID)
+		defer unlock()
+
+		account, err := am.Store.GetAccount(accountID)
+		if err != nil {
+			log.Errorf("failed getting account %s expiring peers", account.Id)
+			return account.GetNextPeerExpiration()
+		}
+
+		var peerIDs []string
+		for _, peer := range account.GetExpiredPeers() {
+			if peer.Status.LoginExpired {
+				continue
+			}
+			peerIDs = append(peerIDs, peer.ID)
+			peer.MarkLoginExpired(true)
+			account.UpdatePeer(peer)
+			err = am.Store.SavePeerStatus(account.Id, peer.ID, *peer.Status)
+			if err != nil {
+				log.Errorf("failed saving peer status while expiring peer %s", peer.ID)
+				return account.GetNextPeerExpiration()
+			}
+		}
+
+		log.Debugf("discovered %d peers to expire for account %s", len(peerIDs), account.Id)
+
+		if len(peerIDs) != 0 {
+			// this will trigger peer disconnect from the management service
+			am.peersUpdateManager.CloseChannels(peerIDs)
+			err := am.updateAccountPeers(account)
+			if err != nil {
+				log.Errorf("failed updating account peers while expiring peers for account %s", accountID)
+				return account.GetNextPeerExpiration()
+			}
+		}
+		return account.GetNextPeerExpiration()
+	}
+}
+
+func (am *DefaultAccountManager) checkAndSchedulePeerLoginExpiration(account *Account) {
+	am.peerLoginExpiry.Cancel([]string{account.Id})
+	if nextRun, ok := account.GetNextPeerExpiration(); ok {
+		go am.peerLoginExpiry.Schedule(nextRun, account.Id, am.peerLoginExpirationJob(account.Id))
+	}
+}
+
 // newAccount creates a new Account with a generated ID and generated default setup keys.
 // If ID is already in use (due to collision) we try one more time before returning error
 func (am *DefaultAccountManager) newAccount(userID, domain string) (*Account, error) {
@@ -606,6 +803,11 @@ func (am *DefaultAccountManager) warmupIDPCache() error {
 	return nil
 }
 
+// GetAccountByPeerID returns account from the store by a provided peer ID
+func (am *DefaultAccountManager) GetAccountByPeerID(peerID string) (*Account, error) {
+	return am.Store.GetAccountByPeerID(peerID)
+}
+
 // GetAccountByUserOrAccountID looks for an account by user or accountID, if no account is provided and
 // userID doesn't have an account associated with it, one account is created
 func (am *DefaultAccountManager) GetAccountByUserOrAccountID(userID, accountID, domain string) (*Account, error) {
@@ -1095,6 +1297,10 @@ func newAccountWithId(accountId, userId, domain string) *Account {
 		Routes:           routes,
 		NameServerGroups: nameServersGroups,
 		DNSSettings:      dnsSettings,
+		Settings: &Settings{
+			PeerLoginExpirationEnabled: true,
+			PeerLoginExpiration:        DefaultPeerLoginExpiration,
+		},
 	}
 
 	addAllGroup(acc)

management/server/account_test.go

@@ -544,8 +544,7 @@ func TestAccountManager_AddPeer(t *testing.T) {
 
 	peer, err := manager.AddPeer(setupKey.Key, "", &Peer{
 		Key:  expectedPeerKey,
-		Meta: PeerSystemMeta{},
-		Name: expectedPeerKey,
+		Meta: PeerSystemMeta{Hostname: expectedPeerKey},
 	})
 	if err != nil {
 		t.Errorf("expecting peer to be added, got failure %v", err)
@@ -613,8 +612,7 @@ func TestAccountManager_AddPeerWithUserID(t *testing.T) {
 
 	peer, err := manager.AddPeer("", userID, &Peer{
 		Key:  expectedPeerKey,
-		Meta: PeerSystemMeta{},
-		Name: expectedPeerKey,
+		Meta: PeerSystemMeta{Hostname: expectedPeerKey},
 	})
 	if err != nil {
 		t.Errorf("expecting peer to be added, got failure %v, account users: %v", err, account.CreatedBy)
@@ -696,8 +694,7 @@ func TestAccountManager_NetworkUpdates(t *testing.T) {
 
 		peer, err := manager.AddPeer(setupKey.Key, "", &Peer{
 			Key:  expectedPeerKey,
-			Meta: PeerSystemMeta{},
-			Name: expectedPeerKey,
+			Meta: PeerSystemMeta{Hostname: expectedPeerKey},
 		})
 		if err != nil {
 			t.Fatalf("expecting peer1 to be added, got failure %v", err)
@@ -866,8 +863,7 @@ func TestAccountManager_DeletePeer(t *testing.T) {
 
 	peer, err := manager.AddPeer(setupKey.Key, "", &Peer{
 		Key:  peerKey,
-		Meta: PeerSystemMeta{},
-		Name: peerKey,
+		Meta: PeerSystemMeta{Hostname: peerKey},
 	})
 	if err != nil {
 		t.Errorf("expecting peer to be added, got failure %v", err)
@@ -951,7 +947,7 @@ func TestGetUsersFromAccount(t *testing.T) {
 	}
 }
 
-func TestAccountManager_UpdatePeerMeta(t *testing.T) {
+/*func TestAccountManager_UpdatePeerMeta(t *testing.T) {
 	manager, err := createManager(t)
 	if err != nil {
 		t.Fatal(err)
@@ -1018,7 +1014,7 @@ func TestAccountManager_UpdatePeerMeta(t *testing.T) {
 	}
 
 	assert.Equal(t, newMeta, p.Meta)
-}
+}*/
 
 func TestAccount_GetPeerRules(t *testing.T) {
 
@@ -1251,7 +1247,8 @@ func TestAccount_Copy(t *testing.T) {
 				ID: "nsGroup1",
 			},
 		},
-		DNSSettings: &DNSSettings{},
+		DNSSettings: &DNSSettings{DisabledManagementGroups: []string{}},
+		Settings:    &Settings{},
 	}
 	err := hasNilField(account)
 	if err != nil {
@@ -1282,6 +1279,466 @@ func hasNilField(x interface{}) error {
 	}
 	return nil
 }
+func TestDefaultAccountManager_DefaultAccountSettings(t *testing.T) {
+	manager, err := createManager(t)
+	require.NoError(t, err, "unable to create account manager")
+
+	account, err := manager.GetAccountByUserOrAccountID(userID, "", "")
+	require.NoError(t, err, "unable to create an account")
+
+	assert.NotNil(t, account.Settings)
+	assert.Equal(t, account.Settings.PeerLoginExpirationEnabled, true)
+	assert.Equal(t, account.Settings.PeerLoginExpiration, 24*time.Hour)
+}
+func TestDefaultAccountManager_UpdatePeer_PeerLoginExpiration(t *testing.T) {
+	manager, err := createManager(t)
+	require.NoError(t, err, "unable to create account manager")
+	account, err := manager.GetAccountByUserOrAccountID(userID, "", "")
+	require.NoError(t, err, "unable to create an account")
+
+	key, err := wgtypes.GenerateKey()
+	require.NoError(t, err, "unable to generate WireGuard key")
+	peer, err := manager.AddPeer("", userID, &Peer{
+		Key:                    key.PublicKey().String(),
+		Meta:                   PeerSystemMeta{Hostname: "test-peer"},
+		LoginExpirationEnabled: true,
+	})
+	require.NoError(t, err, "unable to add peer")
+	err = manager.MarkPeerConnected(key.PublicKey().String(), true)
+	require.NoError(t, err, "unable to mark peer connected")
+	account, err = manager.UpdateAccountSettings(account.Id, userID, &Settings{
+		PeerLoginExpiration:        time.Hour,
+		PeerLoginExpirationEnabled: true})
+	require.NoError(t, err, "expecting to update account settings successfully but got error")
+
+	wg := &sync.WaitGroup{}
+	wg.Add(2)
+	manager.peerLoginExpiry = &MockScheduler{
+		CancelFunc: func(IDs []string) {
+			wg.Done()
+		},
+		ScheduleFunc: func(in time.Duration, ID string, job func() (nextRunIn time.Duration, reschedule bool)) {
+			wg.Done()
+		},
+	}
+
+	// disable expiration first
+	update := peer.Copy()
+	update.LoginExpirationEnabled = false
+	_, err = manager.UpdatePeer(account.Id, userID, update)
+	require.NoError(t, err, "unable to update peer")
+	// enabling expiration should trigger the routine
+	update.LoginExpirationEnabled = true
+	_, err = manager.UpdatePeer(account.Id, userID, update)
+	require.NoError(t, err, "unable to update peer")
+
+	failed := waitTimeout(wg, time.Second)
+	if failed {
+		t.Fatal("timeout while waiting for test to finish")
+	}
+}
+
+func TestDefaultAccountManager_MarkPeerConnected_PeerLoginExpiration(t *testing.T) {
+	manager, err := createManager(t)
+	require.NoError(t, err, "unable to create account manager")
+	account, err := manager.GetAccountByUserOrAccountID(userID, "", "")
+	require.NoError(t, err, "unable to create an account")
+
+	key, err := wgtypes.GenerateKey()
+	require.NoError(t, err, "unable to generate WireGuard key")
+	_, err = manager.AddPeer("", userID, &Peer{
+		Key:                    key.PublicKey().String(),
+		Meta:                   PeerSystemMeta{Hostname: "test-peer"},
+		LoginExpirationEnabled: true,
+	})
+	require.NoError(t, err, "unable to add peer")
+	_, err = manager.UpdateAccountSettings(account.Id, userID, &Settings{
+		PeerLoginExpiration:        time.Hour,
+		PeerLoginExpirationEnabled: true})
+	require.NoError(t, err, "expecting to update account settings successfully but got error")
+
+	wg := &sync.WaitGroup{}
+	wg.Add(2)
+	manager.peerLoginExpiry = &MockScheduler{
+		CancelFunc: func(IDs []string) {
+			wg.Done()
+		},
+		ScheduleFunc: func(in time.Duration, ID string, job func() (nextRunIn time.Duration, reschedule bool)) {
+			wg.Done()
+		},
+	}
+
+	// when we mark peer as connected, the peer login expiration routine should trigger
+	err = manager.MarkPeerConnected(key.PublicKey().String(), true)
+	require.NoError(t, err, "unable to mark peer connected")
+
+	failed := waitTimeout(wg, time.Second)
+	if failed {
+		t.Fatal("timeout while waiting for test to finish")
+	}
+
+}
+
+func TestDefaultAccountManager_UpdateAccountSettings_PeerLoginExpiration(t *testing.T) {
+	manager, err := createManager(t)
+	require.NoError(t, err, "unable to create account manager")
+	account, err := manager.GetAccountByUserOrAccountID(userID, "", "")
+	require.NoError(t, err, "unable to create an account")
+
+	key, err := wgtypes.GenerateKey()
+	require.NoError(t, err, "unable to generate WireGuard key")
+	_, err = manager.AddPeer("", userID, &Peer{
+		Key:                    key.PublicKey().String(),
+		Meta:                   PeerSystemMeta{Hostname: "test-peer"},
+		LoginExpirationEnabled: true,
+	})
+	require.NoError(t, err, "unable to add peer")
+	err = manager.MarkPeerConnected(key.PublicKey().String(), true)
+	require.NoError(t, err, "unable to mark peer connected")
+
+	wg := &sync.WaitGroup{}
+	wg.Add(2)
+	manager.peerLoginExpiry = &MockScheduler{
+		CancelFunc: func(IDs []string) {
+			wg.Done()
+		},
+		ScheduleFunc: func(in time.Duration, ID string, job func() (nextRunIn time.Duration, reschedule bool)) {
+			wg.Done()
+		},
+	}
+	// enabling PeerLoginExpirationEnabled should trigger the expiration job
+	account, err = manager.UpdateAccountSettings(account.Id, userID, &Settings{
+		PeerLoginExpiration:        time.Hour,
+		PeerLoginExpirationEnabled: true})
+	require.NoError(t, err, "expecting to update account settings successfully but got error")
+
+	failed := waitTimeout(wg, time.Second)
+	if failed {
+		t.Fatal("timeout while waiting for test to finish")
+	}
+	wg.Add(1)
+
+	// disabling PeerLoginExpirationEnabled should trigger cancel
+	_, err = manager.UpdateAccountSettings(account.Id, userID, &Settings{
+		PeerLoginExpiration:        time.Hour,
+		PeerLoginExpirationEnabled: false})
+	require.NoError(t, err, "expecting to update account settings successfully but got error")
+	failed = waitTimeout(wg, time.Second)
+	if failed {
+		t.Fatal("timeout while waiting for test to finish")
+	}
+}
+
+func TestDefaultAccountManager_UpdateAccountSettings(t *testing.T) {
+	manager, err := createManager(t)
+	require.NoError(t, err, "unable to create account manager")
+
+	account, err := manager.GetAccountByUserOrAccountID(userID, "", "")
+	require.NoError(t, err, "unable to create an account")
+
+	updated, err := manager.UpdateAccountSettings(account.Id, userID, &Settings{
+		PeerLoginExpiration:        time.Hour,
+		PeerLoginExpirationEnabled: false})
+	require.NoError(t, err, "expecting to update account settings successfully but got error")
+	assert.False(t, updated.Settings.PeerLoginExpirationEnabled)
+	assert.Equal(t, updated.Settings.PeerLoginExpiration, time.Hour)
+
+	account, err = manager.GetAccountByUserOrAccountID("", account.Id, "")
+	require.NoError(t, err, "unable to get account by ID")
+
+	assert.False(t, account.Settings.PeerLoginExpirationEnabled)
+	assert.Equal(t, account.Settings.PeerLoginExpiration, time.Hour)
+
+	_, err = manager.UpdateAccountSettings(account.Id, userID, &Settings{
+		PeerLoginExpiration:        time.Second,
+		PeerLoginExpirationEnabled: false})
+	require.Error(t, err, "expecting to fail when providing PeerLoginExpiration less than one hour")
+
+	_, err = manager.UpdateAccountSettings(account.Id, userID, &Settings{
+		PeerLoginExpiration:        time.Hour * 24 * 181,
+		PeerLoginExpirationEnabled: false})
+	require.Error(t, err, "expecting to fail when providing PeerLoginExpiration more than 180 days")
+}
+
+func TestAccount_GetExpiredPeers(t *testing.T) {
+	type test struct {
+		name          string
+		peers         map[string]*Peer
+		expectedPeers map[string]struct{}
+	}
+	testCases := []test{
+		{
+			name: "Peers with login expiration disabled, no expired peers",
+			peers: map[string]*Peer{
+				"peer-1": {
+					LoginExpirationEnabled: false,
+				},
+				"peer-2": {
+					LoginExpirationEnabled: false,
+				},
+			},
+			expectedPeers: map[string]struct{}{},
+		},
+		{
+			name: "Two peers expired",
+			peers: map[string]*Peer{
+				"peer-1": {
+					ID:                     "peer-1",
+					LoginExpirationEnabled: true,
+					Status: &PeerStatus{
+						LastSeen:     time.Now(),
+						Connected:    true,
+						LoginExpired: false,
+					},
+					LastLogin: time.Now().Add(-30 * time.Minute),
+				},
+				"peer-2": {
+					ID:                     "peer-2",
+					LoginExpirationEnabled: true,
+					Status: &PeerStatus{
+						LastSeen:     time.Now(),
+						Connected:    true,
+						LoginExpired: false,
+					},
+					LastLogin: time.Now().Add(-2 * time.Hour),
+				},
+
+				"peer-3": {
+					ID:                     "peer-3",
+					LoginExpirationEnabled: true,
+					Status: &PeerStatus{
+						LastSeen:     time.Now(),
+						Connected:    true,
+						LoginExpired: false,
+					},
+					LastLogin: time.Now().Add(-1 * time.Hour),
+				},
+			},
+			expectedPeers: map[string]struct{}{
+				"peer-2": {},
+				"peer-3": {},
+			},
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			account := &Account{
+				Peers: testCase.peers,
+				Settings: &Settings{
+					PeerLoginExpirationEnabled: true,
+					PeerLoginExpiration:        time.Hour,
+				},
+			}
+
+			expiredPeers := account.GetExpiredPeers()
+			assert.Len(t, expiredPeers, len(testCase.expectedPeers))
+			for _, peer := range expiredPeers {
+				if _, ok := testCase.expectedPeers[peer.ID]; !ok {
+					t.Fatalf("expected to have peer %s expired", peer.ID)
+				}
+			}
+		})
+	}
+
+}
+
+func TestAccount_GetPeersWithExpiration(t *testing.T) {
+	type test struct {
+		name          string
+		peers         map[string]*Peer
+		expectedPeers map[string]struct{}
+	}
+
+	testCases := []test{
+		{
+			name:          "No account peers, no peers with expiration",
+			peers:         map[string]*Peer{},
+			expectedPeers: map[string]struct{}{},
+		},
+		{
+			name: "Peers with login expiration disabled, no peers with expiration",
+			peers: map[string]*Peer{
+				"peer-1": {
+					LoginExpirationEnabled: false,
+				},
+				"peer-2": {
+					LoginExpirationEnabled: false,
+				},
+			},
+			expectedPeers: map[string]struct{}{},
+		},
+		{
+			name: "Peers with login expiration enabled, return peers with expiration",
+			peers: map[string]*Peer{
+				"peer-1": {
+					ID:                     "peer-1",
+					LoginExpirationEnabled: true,
+				},
+				"peer-2": {
+					LoginExpirationEnabled: false,
+				},
+			},
+			expectedPeers: map[string]struct{}{
+				"peer-1": {},
+			},
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			account := &Account{
+				Peers: testCase.peers,
+			}
+
+			actual := account.GetPeersWithExpiration()
+			assert.Len(t, actual, len(testCase.expectedPeers))
+			if len(testCase.expectedPeers) > 0 {
+				for k := range testCase.expectedPeers {
+					contains := false
+					for _, peer := range actual {
+						if k == peer.ID {
+							contains = true
+						}
+					}
+					assert.True(t, contains)
+				}
+			}
+		})
+	}
+
+}
+
+func TestAccount_GetNextPeerExpiration(t *testing.T) {
+
+	type test struct {
+		name                   string
+		peers                  map[string]*Peer
+		expiration             time.Duration
+		expirationEnabled      bool
+		expectedNextRun        bool
+		expectedNextExpiration time.Duration
+	}
+
+	expectedNextExpiration := time.Minute
+	testCases := []test{
+		{
+			name:                   "No peers, no expiration",
+			peers:                  map[string]*Peer{},
+			expiration:             time.Second,
+			expirationEnabled:      false,
+			expectedNextRun:        false,
+			expectedNextExpiration: time.Duration(0),
+		},
+		{
+			name: "No connected peers, no expiration",
+			peers: map[string]*Peer{
+				"peer-1": {
+					Status: &PeerStatus{
+						Connected: false,
+					},
+					LoginExpirationEnabled: true,
+				},
+				"peer-2": {
+					Status: &PeerStatus{
+						Connected: true,
+					},
+					LoginExpirationEnabled: false,
+				},
+			},
+			expiration:             time.Second,
+			expirationEnabled:      false,
+			expectedNextRun:        false,
+			expectedNextExpiration: time.Duration(0),
+		},
+		{
+			name: "Connected peers with disabled expiration, no expiration",
+			peers: map[string]*Peer{
+				"peer-1": {
+					Status: &PeerStatus{
+						Connected: true,
+					},
+					LoginExpirationEnabled: false,
+				},
+				"peer-2": {
+					Status: &PeerStatus{
+						Connected: true,
+					},
+					LoginExpirationEnabled: false,
+				},
+			},
+			expiration:             time.Second,
+			expirationEnabled:      false,
+			expectedNextRun:        false,
+			expectedNextExpiration: time.Duration(0),
+		},
+		{
+			name: "Expired peers, no expiration",
+			peers: map[string]*Peer{
+				"peer-1": {
+					Status: &PeerStatus{
+						Connected:    true,
+						LoginExpired: true,
+					},
+					LoginExpirationEnabled: true,
+				},
+				"peer-2": {
+					Status: &PeerStatus{
+						Connected:    true,
+						LoginExpired: true,
+					},
+					LoginExpirationEnabled: true,
+				},
+			},
+			expiration:             time.Second,
+			expirationEnabled:      false,
+			expectedNextRun:        false,
+			expectedNextExpiration: time.Duration(0),
+		},
+		{
+			name: "To be expired peer, return expiration",
+			peers: map[string]*Peer{
+				"peer-1": {
+					Status: &PeerStatus{
+						Connected:    true,
+						LoginExpired: false,
+					},
+					LoginExpirationEnabled: true,
+					LastLogin:              time.Now(),
+				},
+				"peer-2": {
+					Status: &PeerStatus{
+						Connected:    true,
+						LoginExpired: true,
+					},
+					LoginExpirationEnabled: true,
+				},
+			},
+			expiration:             time.Minute,
+			expirationEnabled:      false,
+			expectedNextRun:        true,
+			expectedNextExpiration: expectedNextExpiration,
+		},
+	}
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			account := &Account{
+				Peers:    testCase.peers,
+				Settings: &Settings{PeerLoginExpiration: testCase.expiration, PeerLoginExpirationEnabled: testCase.expirationEnabled},
+			}
+
+			expiration, ok := account.GetNextPeerExpiration()
+			assert.Equal(t, ok, testCase.expectedNextRun)
+			if testCase.expectedNextRun {
+				assert.True(t, expiration >= 0 && expiration <= testCase.expectedNextExpiration)
+			} else {
+				assert.Equal(t, expiration, testCase.expectedNextExpiration)
+			}
+
+		})
+	}
+
+}
 
 func createManager(t *testing.T) (*DefaultAccountManager, error) {
 	store, err := createStore(t)
@@ -1301,3 +1758,17 @@ func createStore(t *testing.T) (Store, error) {
 
 	return store, nil
 }
+
+func waitTimeout(wg *sync.WaitGroup, timeout time.Duration) bool {
+	c := make(chan struct{})
+	go func() {
+		defer close(c)
+		wg.Wait()
+	}()
+	select {
+	case <-c:
+		return false
+	case <-time.After(timeout):
+		return true
+	}
+}

management/server/activity/codes.go

@@ -61,12 +61,22 @@ const (
 	PeerSSHDisabled
 	// PeerRenamed indicates that a user renamed a peer
 	PeerRenamed
+	// PeerLoginExpirationEnabled indicates that a user enabled login expiration of a peer
+	PeerLoginExpirationEnabled
+	// PeerLoginExpirationDisabled indicates that a user disabled login expiration of a peer
+	PeerLoginExpirationDisabled
 	// NameserverGroupCreated indicates that a user created a nameservers group
 	NameserverGroupCreated
 	// NameserverGroupDeleted indicates that a user deleted a nameservers group
 	NameserverGroupDeleted
 	// NameserverGroupUpdated indicates that a user updated a nameservers group
 	NameserverGroupUpdated
+	// AccountPeerLoginExpirationEnabled indicates that a user enabled peer login expiration for the account
+	AccountPeerLoginExpirationEnabled
+	// AccountPeerLoginExpirationDisabled indicates that a user disabled peer login expiration for the account
+	AccountPeerLoginExpirationDisabled
+	// AccountPeerLoginExpirationDurationUpdated indicates that a user updated peer login expiration duration for the account
+	AccountPeerLoginExpirationDurationUpdated
 )
 
 const (
@@ -130,12 +140,22 @@ const (
 	PeerSSHDisabledMessage string = "Peer SSH server disabled"
 	// PeerRenamedMessage is a human-readable text message of the PeerRenamed activity
 	PeerRenamedMessage string = "Peer renamed"
+	// PeerLoginExpirationDisabledMessage is a human-readable text message of the PeerLoginExpirationDisabled activity
+	PeerLoginExpirationDisabledMessage string = "Peer login expiration disabled"
+	// PeerLoginExpirationEnabledMessage is a human-readable text message of the PeerLoginExpirationEnabled activity
+	PeerLoginExpirationEnabledMessage string = "Peer login expiration enabled"
 	// NameserverGroupCreatedMessage is a human-readable text message of the NameserverGroupCreated activity
 	NameserverGroupCreatedMessage string = "Nameserver group created"
 	// NameserverGroupDeletedMessage is a human-readable text message of the NameserverGroupDeleted activity
 	NameserverGroupDeletedMessage string = "Nameserver group deleted"
 	// NameserverGroupUpdatedMessage is a human-readable text message of the NameserverGroupUpdated activity
 	NameserverGroupUpdatedMessage string = "Nameserver group updated"
+	// AccountPeerLoginExpirationEnabledMessage is a human-readable text message of the AccountPeerLoginExpirationEnabled activity
+	AccountPeerLoginExpirationEnabledMessage string = "Peer login expiration enabled for the account"
+	// AccountPeerLoginExpirationDisabledMessage is a human-readable text message of the AccountPeerLoginExpirationDisabled activity
+	AccountPeerLoginExpirationDisabledMessage string = "Peer login expiration disabled for the account"
+	// AccountPeerLoginExpirationDurationUpdatedMessage is a human-readable text message of the AccountPeerLoginExpirationDurationUpdated activity
+	AccountPeerLoginExpirationDurationUpdatedMessage string = "Peer login expiration duration updated"
 )
 
 // Activity that triggered an Event
@@ -202,6 +222,10 @@ func (a Activity) Message() string {
 		return PeerSSHEnabledMessage
 	case PeerSSHDisabled:
 		return PeerSSHDisabledMessage
+	case PeerLoginExpirationEnabled:
+		return PeerLoginExpirationEnabledMessage
+	case PeerLoginExpirationDisabled:
+		return PeerLoginExpirationDisabledMessage
 	case PeerRenamed:
 		return PeerRenamedMessage
 	case NameserverGroupCreated:
@@ -210,6 +234,12 @@ func (a Activity) Message() string {
 		return NameserverGroupDeletedMessage
 	case NameserverGroupUpdated:
 		return NameserverGroupUpdatedMessage
+	case AccountPeerLoginExpirationEnabled:
+		return AccountPeerLoginExpirationEnabledMessage
+	case AccountPeerLoginExpirationDisabled:
+		return AccountPeerLoginExpirationDisabledMessage
+	case AccountPeerLoginExpirationDurationUpdated:
+		return AccountPeerLoginExpirationDurationUpdatedMessage
 	default:
 		return "UNKNOWN_ACTIVITY"
 	}
@@ -278,12 +308,22 @@ func (a Activity) StringCode() string {
 		return "peer.ssh.enable"
 	case PeerSSHDisabled:
 		return "peer.ssh.disable"
+	case PeerLoginExpirationDisabled:
+		return "peer.login.expiration.disable"
+	case PeerLoginExpirationEnabled:
+		return "peer.login.expiration.enable"
 	case NameserverGroupCreated:
 		return "nameserver.group.add"
 	case NameserverGroupDeleted:
 		return "nameserver.group.delete"
 	case NameserverGroupUpdated:
 		return "nameserver.group.update"
+	case AccountPeerLoginExpirationDurationUpdated:
+		return "account.setting.peer.login.expiration.update"
+	case AccountPeerLoginExpirationEnabled:
+		return "account.setting.peer.login.expiration.enable"
+	case AccountPeerLoginExpirationDisabled:
+		return "account.setting.peer.login.expiration.disable"
 	default:
 		return "UNKNOWN_ACTIVITY"
 	}

management/server/file_store.go

@@ -81,6 +81,14 @@ func restore(file string) (*FileStore, error) {
 	store.PeerID2AccountID = make(map[string]string)
 
 	for accountID, account := range store.Accounts {
+
+		if account.Settings == nil {
+			account.Settings = &Settings{
+				PeerLoginExpirationEnabled: false,
+				PeerLoginExpiration:        DefaultPeerLoginExpiration,
+			}
+		}
+
 		for setupKeyId := range account.SetupKeys {
 			store.SetupKeyID2AccountID[strings.ToUpper(setupKeyId)] = accountID
 		}
@@ -217,7 +225,6 @@ func (s *FileStore) SaveAccount(account *Account) error {
 
 	accountCopy := account.Copy()
 
-	// todo will override, handle existing keys
 	s.Accounts[accountCopy.Id] = accountCopy
 
 	// todo check that account.Id and keyId are not exist already
@@ -346,6 +353,14 @@ func (s *FileStore) GetAccountByPeerID(peerID string) (*Account, error) {
 		return nil, err
 	}
 
+	// this protection is needed because when we delete a peer, we don't really remove index peerID -> accountID.
+	// check Account.Peers for a match
+	if _, ok := account.Peers[peerID]; !ok {
+		delete(s.PeerID2AccountID, peerID)
+		log.Warnf("removed stale peerID %s to accountID %s index", peerID, accountID)
+		return nil, status.Errorf(status.NotFound, "provided peer doesn't exists %s", peerID)
+	}
+
 	return account.Copy(), nil
 }
 
@@ -364,6 +379,21 @@ func (s *FileStore) GetAccountByPeerPubKey(peerKey string) (*Account, error) {
 		return nil, err
 	}
 
+	// this protection is needed because when we delete a peer, we don't really remove index peerKey -> accountID.
+	// check Account.Peers for a match
+	stale := true
+	for _, peer := range account.Peers {
+		if peer.Key == peerKey {
+			stale = false
+			break
+		}
+	}
+	if stale {
+		delete(s.PeerKeyID2AccountID, peerKey)
+		log.Warnf("removed stale peerKey %s to accountID %s index", peerKey, accountID)
+		return nil, status.Errorf(status.NotFound, "provided peer doesn't exists %s", peerKey)
+	}
+
 	return account.Copy(), nil
 }
 

management/server/file_store_test.go

@@ -14,6 +14,44 @@ type accounts struct {
 	Accounts map[string]*Account
 }
 
+func TestStalePeerIndices(t *testing.T) {
+	storeDir := t.TempDir()
+
+	err := util.CopyFileContents("testdata/store.json", filepath.Join(storeDir, "store.json"))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	store, err := NewFileStore(storeDir)
+	if err != nil {
+		return
+	}
+
+	account, err := store.GetAccount("bf1c8084-ba50-4ce7-9439-34653001fc3b")
+	require.NoError(t, err)
+
+	peerID := "some_peer"
+	peerKey := "some_peer_key"
+	account.Peers[peerID] = &Peer{
+		ID:  peerID,
+		Key: peerKey,
+	}
+
+	err = store.SaveAccount(account)
+	require.NoError(t, err)
+
+	account.DeletePeer(peerID)
+
+	err = store.SaveAccount(account)
+	require.NoError(t, err)
+
+	_, err = store.GetAccountByPeerID(peerID)
+	require.Error(t, err, "expecting to get an error when found stale index")
+
+	_, err = store.GetAccountByPeerPubKey(peerKey)
+	require.Error(t, err, "expecting to get an error when found stale index")
+}
+
 func TestNewStore(t *testing.T) {
 	store := newStore(t)
 

management/server/grpcserver.go

@@ -3,6 +3,7 @@ package server
 import (
 	"context"
 	"fmt"
+	pb "github.com/golang/protobuf/proto" //nolint
 	"strings"
 	"time"
 
@@ -118,30 +119,18 @@ func (s *GRPCServer) Sync(req *proto.EncryptedMessage, srv proto.ManagementServi
 		log.Debugf("Sync request from peer [%s] [%s]", req.WgPubKey, p.Addr.String())
 	}
 
-	peerKey, err := wgtypes.ParseKey(req.GetWgPubKey())
-	if err != nil {
-		log.Warnf("error while parsing peer's Wireguard public key %s on Sync request.", peerKey.String())
-		return status.Errorf(codes.InvalidArgument, "provided wgPubKey %s is invalid", peerKey.String())
-	}
-
-	peer, err := s.accountManager.GetPeerByKey(peerKey.String())
-	if err != nil {
-		p, _ := gRPCPeer.FromContext(srv.Context())
-		msg := status.Errorf(codes.PermissionDenied, "provided peer with the key wgPubKey %s is not registered, remote addr is %s", peerKey.String(), p.Addr.String())
-		log.Debug(msg)
-		return msg
-	}
-
 	syncReq := &proto.SyncRequest{}
-	err = encryption.DecryptMessage(peerKey, s.wgKey, req.Body, syncReq)
+	peerKey, err := s.parseRequest(req, syncReq)
 	if err != nil {
-		p, _ := gRPCPeer.FromContext(srv.Context())
-		msg := status.Errorf(codes.InvalidArgument, "invalid request message from %s,remote addr is %s", peerKey.String(), p.Addr.String())
-		log.Debug(msg)
-		return msg
+		return err
 	}
 
-	err = s.sendInitialSync(peerKey, peer, srv)
+	peer, netMap, err := s.accountManager.SyncPeer(PeerSync{WireGuardPubKey: peerKey.String()})
+	if err != nil {
+		return mapError(err)
+	}
+
+	err = s.sendInitialSync(peerKey, peer, netMap, srv)
 	if err != nil {
 		log.Debugf("error while sending initial sync for %s: %v", peerKey.String(), err)
 		return err
@@ -163,6 +152,7 @@ func (s *GRPCServer) Sync(req *proto.EncryptedMessage, srv proto.ManagementServi
 		case update, open := <-updates:
 			if !open {
 				log.Debugf("updates channel for peer %s was closed", peerKey.String())
+				s.cancelPeerRoutines(peer)
 				return nil
 			}
 			log.Debugf("recevied an update for peer %s", peerKey.String())
@@ -184,107 +174,83 @@ func (s *GRPCServer) Sync(req *proto.EncryptedMessage, srv proto.ManagementServi
 		case <-srv.Context().Done():
 			// happens when connection drops, e.g. client disconnects
 			log.Debugf("stream of peer %s has been closed", peerKey.String())
-			s.peersUpdateManager.CloseChannel(peer.ID)
-			s.turnCredentialsManager.CancelRefresh(peerKey.String())
-			err = s.accountManager.MarkPeerConnected(peerKey.String(), false)
-			if err != nil {
-				log.Warnf("failed marking peer as disconnected %s %v", peerKey, err)
-			}
-			// todo stop turn goroutine
+			s.cancelPeerRoutines(peer)
 			return srv.Context().Err()
 		}
 	}
 }
 
-func (s *GRPCServer) registerPeer(peerKey wgtypes.Key, req *proto.LoginRequest) (*Peer, error) {
-	var (
-		reqSetupKey string
-		userID      string
-	)
+func (s *GRPCServer) cancelPeerRoutines(peer *Peer) {
+	s.peersUpdateManager.CloseChannel(peer.ID)
+	s.turnCredentialsManager.CancelRefresh(peer.ID)
+	_ = s.accountManager.MarkPeerConnected(peer.Key, false)
+}
 
-	if req.GetJwtToken() != "" {
-		log.Debugln("using jwt token to register peer")
-
-		if s.jwtMiddleware == nil {
-			return nil, status.Error(codes.Internal, "no jwt middleware set")
-		}
-
-		token, err := s.jwtMiddleware.ValidateAndParse(req.GetJwtToken())
-		if err != nil {
-			return nil, status.Errorf(codes.Internal, "invalid jwt token, err: %v", err)
-		}
-		claims := s.jwtClaimsExtractor.FromToken(token)
-		userID = claims.UserId
-		// we need to call this method because if user is new, we will automatically add it to existing or create a new account
-		_, _, err = s.accountManager.GetAccountFromToken(claims)
-		if err != nil {
-			return nil, status.Errorf(codes.Internal, "unable to fetch account with claims, err: %v", err)
-		}
-	} else {
-		log.Debugln("using setup key to register peer")
-		reqSetupKey = req.GetSetupKey()
-		userID = ""
+func (s *GRPCServer) validateToken(jwtToken string) (string, error) {
+	if s.jwtMiddleware == nil {
+		return "", status.Error(codes.Internal, "no jwt middleware set")
 	}
 
-	meta := req.GetMeta()
-	if meta == nil {
-		return nil, status.Errorf(codes.InvalidArgument, "peer meta data was not provided")
-	}
-
-	var sshKey []byte
-	if req.GetPeerKeys() != nil {
-		sshKey = req.GetPeerKeys().GetSshPubKey()
-	}
-
-	peer, err := s.accountManager.AddPeer(reqSetupKey, userID, &Peer{
-		Key:    peerKey.String(),
-		Name:   meta.GetHostname(),
-		SSHKey: string(sshKey),
-		Meta: PeerSystemMeta{
-			Hostname:  meta.GetHostname(),
-			GoOS:      meta.GetGoOS(),
-			Kernel:    meta.GetKernel(),
-			Core:      meta.GetCore(),
-			Platform:  meta.GetPlatform(),
-			OS:        meta.GetOS(),
-			WtVersion: meta.GetWiretrusteeVersion(),
-			UIVersion: meta.GetUiVersion(),
-		},
-	})
+	token, err := s.jwtMiddleware.ValidateAndParse(jwtToken)
 	if err != nil {
-		if e, ok := internalStatus.FromError(err); ok {
-			switch e.Type() {
-			case internalStatus.PreconditionFailed:
-				return nil, status.Errorf(codes.FailedPrecondition, e.Message)
-			case internalStatus.NotFound:
-				return nil, status.Errorf(codes.NotFound, e.Message)
-			default:
-			}
-		}
-		return nil, status.Errorf(codes.Internal, "failed registering new peer")
+		return "", status.Errorf(codes.InvalidArgument, "invalid jwt token, err: %v", err)
 	}
-
-	// todo move to DefaultAccountManager the code below
-	networkMap, err := s.accountManager.GetNetworkMap(peer.ID)
+	claims := s.jwtClaimsExtractor.FromToken(token)
+	// we need to call this method because if user is new, we will automatically add it to existing or create a new account
+	_, _, err = s.accountManager.GetAccountFromToken(claims)
 	if err != nil {
-		return nil, status.Errorf(codes.Internal, "unable to fetch network map after registering peer, error: %v", err)
-	}
-	// notify other peers of our registration
-	for _, remotePeer := range networkMap.Peers {
-		remotePeerNetworkMap, err := s.accountManager.GetNetworkMap(remotePeer.ID)
-		if err != nil {
-			return nil, status.Errorf(codes.Internal, "unable to fetch network map after registering peer, error: %v", err)
-		}
-
-		update := toSyncResponse(s.config, remotePeer, nil, remotePeerNetworkMap, s.accountManager.GetDNSDomain())
-		err = s.peersUpdateManager.SendUpdate(remotePeer.ID, &UpdateMessage{Update: update})
-		if err != nil {
-			// todo rethink if we should keep this return
-			return nil, status.Errorf(codes.Internal, "unable to send update after registering peer, error: %v", err)
-		}
+		return "", status.Errorf(codes.Internal, "unable to fetch account with claims, err: %v", err)
 	}
 
-	return peer, nil
+	return claims.UserId, nil
+}
+
+// maps internal internalStatus.Error to gRPC status.Error
+func mapError(err error) error {
+	if e, ok := internalStatus.FromError(err); ok {
+		switch e.Type() {
+		case internalStatus.PermissionDenied:
+			return status.Errorf(codes.PermissionDenied, e.Message)
+		case internalStatus.Unauthorized:
+			return status.Errorf(codes.PermissionDenied, e.Message)
+		case internalStatus.Unauthenticated:
+			return status.Errorf(codes.PermissionDenied, e.Message)
+		case internalStatus.PreconditionFailed:
+			return status.Errorf(codes.FailedPrecondition, e.Message)
+		case internalStatus.NotFound:
+			return status.Errorf(codes.NotFound, e.Message)
+		default:
+		}
+	}
+	return status.Errorf(codes.Internal, "failed handling request")
+}
+
+func extractPeerMeta(loginReq *proto.LoginRequest) PeerSystemMeta {
+	return PeerSystemMeta{
+		Hostname:  loginReq.GetMeta().GetHostname(),
+		GoOS:      loginReq.GetMeta().GetGoOS(),
+		Kernel:    loginReq.GetMeta().GetKernel(),
+		Core:      loginReq.GetMeta().GetCore(),
+		Platform:  loginReq.GetMeta().GetPlatform(),
+		OS:        loginReq.GetMeta().GetOS(),
+		WtVersion: loginReq.GetMeta().GetWiretrusteeVersion(),
+		UIVersion: loginReq.GetMeta().GetUiVersion(),
+	}
+}
+
+func (s *GRPCServer) parseRequest(req *proto.EncryptedMessage, parsed pb.Message) (wgtypes.Key, error) {
+	peerKey, err := wgtypes.ParseKey(req.GetWgPubKey())
+	if err != nil {
+		log.Warnf("error while parsing peer's WireGuard public key %s.", req.WgPubKey)
+		return wgtypes.Key{}, status.Errorf(codes.InvalidArgument, "provided wgPubKey %s is invalid", req.WgPubKey)
+	}
+
+	err = encryption.DecryptMessage(peerKey, s.wgKey, req.Body, parsed)
+	if err != nil {
+		return wgtypes.Key{}, status.Errorf(codes.InvalidArgument, "invalid request message")
+	}
+
+	return peerKey, nil
 }
 
 // Login endpoint first checks whether peer is registered under any account
@@ -300,74 +266,51 @@ func (s *GRPCServer) Login(ctx context.Context, req *proto.EncryptedMessage) (*p
 		log.Debugf("Login request from peer [%s] [%s]", req.WgPubKey, p.Addr.String())
 	}
 
-	peerKey, err := wgtypes.ParseKey(req.GetWgPubKey())
-	if err != nil {
-		log.Warnf("error while parsing peer's Wireguard public key %s on Sync request.", req.WgPubKey)
-		return nil, status.Errorf(codes.InvalidArgument, "provided wgPubKey %s is invalid", req.WgPubKey)
-	}
-
 	loginReq := &proto.LoginRequest{}
-	err = encryption.DecryptMessage(peerKey, s.wgKey, req.Body, loginReq)
+	peerKey, err := s.parseRequest(req, loginReq)
 	if err != nil {
-		return nil, status.Errorf(codes.InvalidArgument, "invalid request message")
+		return nil, err
 	}
 
-	peer, err := s.accountManager.GetPeerByKey(peerKey.String())
-	if err != nil {
-		if errStatus, ok := internalStatus.FromError(err); ok && errStatus.Type() == internalStatus.NotFound {
-			// peer doesn't exist -> check if setup key was provided
-			if loginReq.GetJwtToken() == "" && loginReq.GetSetupKey() == "" {
-				// absent setup key or jwt -> permission denied
-				p, _ := gRPCPeer.FromContext(ctx)
-				msg := status.Errorf(codes.PermissionDenied,
-					"provided peer with the key wgPubKey %s is not registered and no setup key or jwt was provided,"+
-						" remote addr is %s", peerKey.String(), p.Addr.String())
-				log.Debug(msg)
-				return nil, msg
-			}
+	if loginReq.GetMeta() == nil {
+		msg := status.Errorf(codes.FailedPrecondition,
+			"peer system meta has to be provided to log in. Peer %s, remote addr %s", peerKey.String(),
+			p.Addr.String())
+		log.Warn(msg)
+		return nil, msg
+	}
 
-			// setup key or jwt is present -> try normal registration flow
-			peer, err = s.registerPeer(peerKey, loginReq)
-			if err != nil {
-				return nil, err
-			}
-
-		} else {
-			return nil, status.Error(codes.Internal, "internal server error")
-		}
-	} else if loginReq.GetMeta() != nil {
-		// update peer's system meta data on Login
-		err = s.accountManager.UpdatePeerMeta(peer.ID, PeerSystemMeta{
-			Hostname:  loginReq.GetMeta().GetHostname(),
-			GoOS:      loginReq.GetMeta().GetGoOS(),
-			Kernel:    loginReq.GetMeta().GetKernel(),
-			Core:      loginReq.GetMeta().GetCore(),
-			Platform:  loginReq.GetMeta().GetPlatform(),
-			OS:        loginReq.GetMeta().GetOS(),
-			WtVersion: loginReq.GetMeta().GetWiretrusteeVersion(),
-			UIVersion: loginReq.GetMeta().GetUiVersion(),
-		},
-		)
+	userID := ""
+	// JWT token is not always provided, it is fine for userID to be empty cuz it might be that peer is already registered,
+	// or it uses a setup key to register.
+	if loginReq.GetJwtToken() != "" {
+		// todo what about the case when JWT provided is expired?
+		userID, err = s.validateToken(loginReq.GetJwtToken())
 		if err != nil {
-			log.Errorf("failed updating peer system meta data %s", peerKey.String())
-			return nil, status.Error(codes.Internal, "internal server error")
+			log.Warnf("failed validating JWT token sent from peer %s", peerKey)
+			return nil, mapError(err)
 		}
 	}
-
 	var sshKey []byte
 	if loginReq.GetPeerKeys() != nil {
 		sshKey = loginReq.GetPeerKeys().GetSshPubKey()
 	}
 
-	if len(sshKey) > 0 {
-		err = s.accountManager.UpdatePeerSSHKey(peer.ID, string(sshKey))
-		if err != nil {
-			return nil, err
-		}
+	peer, err := s.accountManager.LoginPeer(PeerLogin{
+		WireGuardPubKey: peerKey.String(),
+		SSHKey:          string(sshKey),
+		Meta:            extractPeerMeta(loginReq),
+		UserID:          userID,
+		SetupKey:        loginReq.GetSetupKey(),
+	})
+	if err != nil {
+		log.Warnf("failed logging in peer %s", peerKey)
+		return nil, mapError(err)
 	}
 
 	network, err := s.accountManager.GetPeerNetwork(peer.ID)
 	if err != nil {
+		log.Warnf("failed getting peer %s network on login", peer.ID)
 		return nil, status.Errorf(codes.Internal, "failed getting peer network on login")
 	}
 
@@ -378,6 +321,7 @@ func (s *GRPCServer) Login(ctx context.Context, req *proto.EncryptedMessage) (*p
 	}
 	encryptedResp, err := encryption.EncryptMessage(peerKey, s.wgKey, loginResp)
 	if err != nil {
+		log.Warnf("failed encrypting peer %s message", peer.ID)
 		return nil, status.Errorf(codes.Internal, "failed logging in peer")
 	}
 
@@ -503,13 +447,7 @@ func (s *GRPCServer) IsHealthy(ctx context.Context, req *proto.Empty) (*proto.Em
 }
 
 // sendInitialSync sends initial proto.SyncResponse to the peer requesting synchronization
-func (s *GRPCServer) sendInitialSync(peerKey wgtypes.Key, peer *Peer, srv proto.ManagementService_SyncServer) error {
-	networkMap, err := s.accountManager.GetNetworkMap(peer.ID)
-	if err != nil {
-		log.Warnf("error getting a list of peers for a peer %s", peer.ID)
-		return err
-	}
-
+func (s *GRPCServer) sendInitialSync(peerKey wgtypes.Key, peer *Peer, networkMap *NetworkMap, srv proto.ManagementService_SyncServer) error {
 	// make secret time based TURN credentials optional
 	var turnCredentials *TURNCredentials
 	if s.config.TURNConfig.TimeBasedCredentials {

management/server/http/accounts_handler.go

@@ -0,0 +1,98 @@
+package http
+
+import (
+	"encoding/json"
+	"net/http"
+	"time"
+
+	"github.com/gorilla/mux"
+
+	"github.com/netbirdio/netbird/management/server"
+	"github.com/netbirdio/netbird/management/server/http/api"
+	"github.com/netbirdio/netbird/management/server/http/util"
+	"github.com/netbirdio/netbird/management/server/jwtclaims"
+	"github.com/netbirdio/netbird/management/server/status"
+)
+
+// AccountsHandler is a handler that handles the server.Account HTTP endpoints
+type AccountsHandler struct {
+	accountManager  server.AccountManager
+	claimsExtractor *jwtclaims.ClaimsExtractor
+}
+
+// NewAccountsHandler creates a new AccountsHandler HTTP handler
+func NewAccountsHandler(accountManager server.AccountManager, authCfg AuthCfg) *AccountsHandler {
+	return &AccountsHandler{
+		accountManager: accountManager,
+		claimsExtractor: jwtclaims.NewClaimsExtractor(
+			jwtclaims.WithAudience(authCfg.Audience),
+			jwtclaims.WithUserIDClaim(authCfg.UserIDClaim),
+		),
+	}
+}
+
+// GetAllAccounts is HTTP GET handler that returns a list of accounts. Effectively returns just a single account.
+func (h *AccountsHandler) GetAllAccounts(w http.ResponseWriter, r *http.Request) {
+	claims := h.claimsExtractor.FromRequestContext(r)
+	account, user, err := h.accountManager.GetAccountFromToken(claims)
+	if err != nil {
+		util.WriteError(err, w)
+		return
+	}
+
+	if !user.IsAdmin() {
+		util.WriteError(status.Errorf(status.PermissionDenied, "the user has no permission to access account data"), w)
+		return
+	}
+
+	resp := toAccountResponse(account)
+	util.WriteJSONObject(w, []*api.Account{resp})
+}
+
+// UpdateAccount is HTTP PUT handler that updates the provided account. Updates only account settings (server.Settings)
+func (h *AccountsHandler) UpdateAccount(w http.ResponseWriter, r *http.Request) {
+	claims := h.claimsExtractor.FromRequestContext(r)
+	_, user, err := h.accountManager.GetAccountFromToken(claims)
+	if err != nil {
+		util.WriteError(err, w)
+		return
+	}
+
+	vars := mux.Vars(r)
+	accountID := vars["id"]
+	if len(accountID) == 0 {
+		util.WriteError(status.Errorf(status.InvalidArgument, "invalid accountID ID"), w)
+		return
+	}
+
+	var req api.PutApiAccountsIdJSONBody
+	err = json.NewDecoder(r.Body).Decode(&req)
+	if err != nil {
+		util.WriteErrorResponse("couldn't parse JSON request", http.StatusBadRequest, w)
+		return
+	}
+
+	updatedAccount, err := h.accountManager.UpdateAccountSettings(accountID, user.Id, &server.Settings{
+		PeerLoginExpirationEnabled: req.Settings.PeerLoginExpirationEnabled,
+		PeerLoginExpiration:        time.Duration(float64(time.Second.Nanoseconds()) * float64(req.Settings.PeerLoginExpiration)),
+	})
+
+	if err != nil {
+		util.WriteError(err, w)
+		return
+	}
+
+	resp := toAccountResponse(updatedAccount)
+
+	util.WriteJSONObject(w, &resp)
+}
+
+func toAccountResponse(account *server.Account) *api.Account {
+	return &api.Account{
+		Id: account.Id,
+		Settings: api.AccountSettings{
+			PeerLoginExpiration:        int(account.Settings.PeerLoginExpiration.Seconds()),
+			PeerLoginExpirationEnabled: account.Settings.PeerLoginExpirationEnabled,
+		},
+	}
+}

management/server/http/accounts_handler_test.go

@@ -0,0 +1,183 @@
+package http
+
+import (
+	"bytes"
+	"encoding/json"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/gorilla/mux"
+	"github.com/stretchr/testify/assert"
+
+	"github.com/netbirdio/netbird/management/server"
+	"github.com/netbirdio/netbird/management/server/http/api"
+	"github.com/netbirdio/netbird/management/server/jwtclaims"
+	"github.com/netbirdio/netbird/management/server/mock_server"
+	"github.com/netbirdio/netbird/management/server/status"
+)
+
+func initAccountsTestData(account *server.Account, admin *server.User) *AccountsHandler {
+	return &AccountsHandler{
+		accountManager: &mock_server.MockAccountManager{
+			GetAccountFromTokenFunc: func(claims jwtclaims.AuthorizationClaims) (*server.Account, *server.User, error) {
+				return account, admin, nil
+			},
+			UpdateAccountSettingsFunc: func(accountID, userID string, newSettings *server.Settings) (*server.Account, error) {
+				halfYearLimit := 180 * 24 * time.Hour
+				if newSettings.PeerLoginExpiration > halfYearLimit {
+					return nil, status.Errorf(status.InvalidArgument, "peer login expiration can't be larger than 180 days")
+				}
+
+				if newSettings.PeerLoginExpiration < time.Hour {
+					return nil, status.Errorf(status.InvalidArgument, "peer login expiration can't be smaller than one hour")
+				}
+
+				accCopy := account.Copy()
+				accCopy.UpdateSettings(newSettings)
+				return accCopy, nil
+
+			},
+		},
+		claimsExtractor: jwtclaims.NewClaimsExtractor(
+			jwtclaims.WithFromRequestContext(func(r *http.Request) jwtclaims.AuthorizationClaims {
+				return jwtclaims.AuthorizationClaims{
+					UserId:    "test_user",
+					Domain:    "hotmail.com",
+					AccountId: "test_account",
+				}
+			}),
+		),
+	}
+}
+
+func TestAccounts_AccountsHandler(t *testing.T) {
+
+	accountID := "test_account"
+	adminUser := server.NewAdminUser("test_user")
+
+	handler := initAccountsTestData(&server.Account{
+		Id:      accountID,
+		Domain:  "hotmail.com",
+		Network: server.NewNetwork(),
+		Users: map[string]*server.User{
+			adminUser.Id: adminUser,
+		},
+		Settings: &server.Settings{
+			PeerLoginExpirationEnabled: false,
+			PeerLoginExpiration:        time.Hour,
+		},
+	}, adminUser)
+
+	tt := []struct {
+		name             string
+		expectedStatus   int
+		expectedBody     bool
+		expectedID       string
+		expectedArray    bool
+		expectedSettings api.AccountSettings
+		requestType      string
+		requestPath      string
+		requestBody      io.Reader
+	}{
+		{
+			name:           "GetAllAccounts OK",
+			expectedBody:   true,
+			requestType:    http.MethodGet,
+			requestPath:    "/api/accounts",
+			expectedStatus: http.StatusOK,
+			expectedSettings: api.AccountSettings{
+				PeerLoginExpiration:        int(time.Hour.Seconds()),
+				PeerLoginExpirationEnabled: false,
+			},
+			expectedArray: true,
+			expectedID:    accountID,
+		},
+		{
+			name:           "PutAccount OK",
+			expectedBody:   true,
+			requestType:    http.MethodPut,
+			requestPath:    "/api/accounts/" + accountID,
+			requestBody:    bytes.NewBufferString("{\"settings\": {\"peer_login_expiration\": 15552000,\"peer_login_expiration_enabled\": true}}"),
+			expectedStatus: http.StatusOK,
+			expectedSettings: api.AccountSettings{
+				PeerLoginExpiration:        15552000,
+				PeerLoginExpirationEnabled: true,
+			},
+			expectedArray: false,
+			expectedID:    accountID,
+		},
+		{
+			name:           "Update account failure with high peer_login_expiration more than 180 days",
+			expectedBody:   true,
+			requestType:    http.MethodPut,
+			requestPath:    "/api/accounts/" + accountID,
+			requestBody:    bytes.NewBufferString("{\"settings\": {\"peer_login_expiration\": 15552001,\"peer_login_expiration_enabled\": true}}"),
+			expectedStatus: http.StatusUnprocessableEntity,
+			expectedArray:  false,
+		},
+		{
+			name:           "Update account failure with peer_login_expiration less than an hour",
+			expectedBody:   true,
+			requestType:    http.MethodPut,
+			requestPath:    "/api/accounts/" + accountID,
+			requestBody:    bytes.NewBufferString("{\"settings\": {\"peer_login_expiration\": 3599,\"peer_login_expiration_enabled\": true}}"),
+			expectedStatus: http.StatusUnprocessableEntity,
+			expectedArray:  false,
+		},
+	}
+
+	for _, tc := range tt {
+		t.Run(tc.name, func(t *testing.T) {
+			recorder := httptest.NewRecorder()
+			req := httptest.NewRequest(tc.requestType, tc.requestPath, tc.requestBody)
+
+			router := mux.NewRouter()
+			router.HandleFunc("/api/accounts", handler.GetAllAccounts).Methods("GET")
+			router.HandleFunc("/api/accounts/{id}", handler.UpdateAccount).Methods("PUT")
+			router.ServeHTTP(recorder, req)
+
+			res := recorder.Result()
+			defer res.Body.Close()
+
+			if status := recorder.Code; status != tc.expectedStatus {
+				t.Errorf("handler returned wrong status code: got %v want %v",
+					status, tc.expectedStatus)
+				return
+			}
+
+			if tc.expectedStatus != http.StatusOK {
+				return
+			}
+
+			if !tc.expectedBody {
+				return
+			}
+
+			content, err := io.ReadAll(res.Body)
+			if err != nil {
+				t.Fatalf("I don't know what I expected; %v", err)
+			}
+
+			var actual *api.Account
+			if tc.expectedArray {
+				var got []*api.Account
+				if err = json.Unmarshal(content, &got); err != nil {
+					t.Fatalf("Sent content is not in correct json format; %v", err)
+				}
+
+				assert.Len(t, got, 1)
+				actual = got[0]
+			} else {
+				if err = json.Unmarshal(content, &actual); err != nil {
+					t.Fatalf("Sent content is not in correct json format; %v", err)
+				}
+			}
+
+			assert.Equal(t, tc.expectedID, actual.Id)
+			assert.Equal(t, tc.expectedSettings, actual.Settings)
+		})
+	}
+}

management/server/http/api/openapi.yml

@@ -20,8 +20,31 @@ tags:
     description: Interact with and view information about DNS configuration.
   - name: Events
     description: View information about the account and network events.
+  - name: Accounts
+    description: View information about the accounts.
 components:
   schemas:
+    Account:
+      properties:
+        id:
+          description: Account ID
+          type: string
+        settings:
+          $ref: '#/components/schemas/AccountSettings'
+      required:
+        - id
+        - settings
+    AccountSettings:
+      properties:
+        peer_login_expiration_enabled:
+          description: Enables or disables peer login expiration globally. After peer's login has expired the user has to log in (authenticate). Applies only to peers that were added by a user (interactive SSO login).
+          type: boolean
+        peer_login_expiration:
+          description: Period of time after which peer login expires (seconds).
+          type: integer
+      required:
+        - peer_login_expiration_enabled
+        - peer_login_expiration
     User:
       type: object
       properties:
@@ -145,6 +168,16 @@ components:
             dns_label:
               description: Peer's DNS label is the parsed peer name for domain resolution. It is used to form an FQDN by appending the account's domain to the peer label. e.g. peer-dns-label.netbird.cloud
               type: string
+            login_expiration_enabled:
+              description: Indicates whether peer login expiration has been enabled or not
+              type: boolean
+            login_expired:
+              description: Indicates whether peer's login expired or not
+              type: boolean
+            last_login:
+              description: Last time this peer performed log in (authentication). E.g., user authenticated.
+              type: string
+              format: date-time
           required:
             - ip
             - connected
@@ -155,6 +188,9 @@ components:
             - ssh_enabled
             - hostname
             - dns_label
+            - login_expiration_enabled
+            - login_expired
+            - last_login
     SetupKey:
       type: object
       properties:
@@ -538,11 +574,11 @@ components:
                   "setupkey.peer.add", "setupkey.add", "setupkey.update", "setupkey.revoke", "setupkey.overuse",
                   "setupkey.group.delete", "setupkey.group.add",
                   "rule.add", "rule.delete", "rule.update",
-                  "group.add", "group.update", "dns.setting.disabled.management.group.add",
-                  "account.create", "dns.setting.disabled.management.group.delete",
+                  "group.add", "group.update", "dns.setting.disabled.management.group.add", "dns.setting.disabled.management.group.delete",
+                  "account.create", "account.setting.peer.login.expiration.update", "account.setting.peer.login.expiration.disable", "account.setting.peer.login.expiration.enable",
                   "route.add", "route.delete", "route.update",
                   "nameserver.group.add", "nameserver.group.delete", "nameserver.group.update",
-                  "peer.ssh.disable", "peer.ssh.enable", "peer.rename"
+                  "peer.ssh.disable", "peer.ssh.enable", "peer.rename", "peer.login.expiration.disable", "peer.login.expiration.enable"
           ]
         initiator_id:
           description: The ID of the initiator of the event. E.g., an ID of a user that triggered the event.
@@ -593,6 +629,68 @@ components:
 security:
   - BearerAuth: [ ]
 paths:
+  /api/accounts:
+    get:
+      summary: Returns a list of accounts of a user. Always returns a list of one account. Only available for admin users.
+      tags: [ Accounts ]
+      security:
+        - BearerAuth: [ ]
+      responses:
+        '200':
+          description: A JSON array of accounts
+          content:
+            application/json:
+              schema:
+                type: array
+                items:
+                  $ref: '#/components/schemas/Account'
+        '400':
+          "$ref": "#/components/responses/bad_request"
+        '401':
+          "$ref": "#/components/responses/requires_authentication"
+        '403':
+          "$ref": "#/components/responses/forbidden"
+        '500':
+          "$ref": "#/components/responses/internal_error"
+  /api/accounts/{id}:
+    put:
+      summary: Update information about an account
+      tags: [ Accounts ]
+      security:
+        - BearerAuth: [ ]
+      parameters:
+        - in: path
+          name: id
+          required: true
+          schema:
+            type: string
+          description: The Account ID
+      requestBody:
+        description: update an account
+        content:
+          'application/json':
+            schema:
+              type: object
+              properties:
+                settings:
+                  $ref: '#/components/schemas/AccountSettings'
+              required:
+                - settings
+      responses:
+        '200':
+          description: An Account object
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/Account'
+        '400':
+          "$ref": "#/components/responses/bad_request"
+        '401':
+          "$ref": "#/components/responses/requires_authentication"
+        '403':
+          "$ref": "#/components/responses/forbidden"
+        '500':
+          "$ref": "#/components/responses/internal_error"
   /api/users:
     get:
       summary: Returns a list of all users
@@ -741,7 +839,7 @@ paths:
             type: string
           description: The Peer ID
       requestBody:
-        description: update to peers
+        description: update a peer
         content:
           'application/json':
             schema:
@@ -751,9 +849,12 @@ paths:
                   type: string
                 ssh_enabled:
                   type: boolean
+                login_expiration_enabled:
+                  type: boolean
               required:
                 - name
                 - ssh_enabled
+                - login_expiration_enabled
       responses:
         '200':
           description: A Peer object

management/server/http/api/types.gen.go

@@ -13,37 +13,42 @@ const (
 
 // Defines values for EventActivityCode.
 const (
-	EventActivityCodeAccountCreate                           EventActivityCode = "account.create"
-	EventActivityCodeDnsSettingDisabledManagementGroupAdd    EventActivityCode = "dns.setting.disabled.management.group.add"
-	EventActivityCodeDnsSettingDisabledManagementGroupDelete EventActivityCode = "dns.setting.disabled.management.group.delete"
-	EventActivityCodeGroupAdd                                EventActivityCode = "group.add"
-	EventActivityCodeGroupUpdate                             EventActivityCode = "group.update"
-	EventActivityCodeNameserverGroupAdd                      EventActivityCode = "nameserver.group.add"
-	EventActivityCodeNameserverGroupDelete                   EventActivityCode = "nameserver.group.delete"
-	EventActivityCodeNameserverGroupUpdate                   EventActivityCode = "nameserver.group.update"
-	EventActivityCodePeerRename                              EventActivityCode = "peer.rename"
-	EventActivityCodePeerSshDisable                          EventActivityCode = "peer.ssh.disable"
-	EventActivityCodePeerSshEnable                           EventActivityCode = "peer.ssh.enable"
-	EventActivityCodeRouteAdd                                EventActivityCode = "route.add"
-	EventActivityCodeRouteDelete                             EventActivityCode = "route.delete"
-	EventActivityCodeRouteUpdate                             EventActivityCode = "route.update"
-	EventActivityCodeRuleAdd                                 EventActivityCode = "rule.add"
-	EventActivityCodeRuleDelete                              EventActivityCode = "rule.delete"
-	EventActivityCodeRuleUpdate                              EventActivityCode = "rule.update"
-	EventActivityCodeSetupkeyAdd                             EventActivityCode = "setupkey.add"
-	EventActivityCodeSetupkeyGroupAdd                        EventActivityCode = "setupkey.group.add"
-	EventActivityCodeSetupkeyGroupDelete                     EventActivityCode = "setupkey.group.delete"
-	EventActivityCodeSetupkeyOveruse                         EventActivityCode = "setupkey.overuse"
-	EventActivityCodeSetupkeyPeerAdd                         EventActivityCode = "setupkey.peer.add"
-	EventActivityCodeSetupkeyRevoke                          EventActivityCode = "setupkey.revoke"
-	EventActivityCodeSetupkeyUpdate                          EventActivityCode = "setupkey.update"
-	EventActivityCodeUserGroupAdd                            EventActivityCode = "user.group.add"
-	EventActivityCodeUserGroupDelete                         EventActivityCode = "user.group.delete"
-	EventActivityCodeUserInvite                              EventActivityCode = "user.invite"
-	EventActivityCodeUserJoin                                EventActivityCode = "user.join"
-	EventActivityCodeUserPeerAdd                             EventActivityCode = "user.peer.add"
-	EventActivityCodeUserPeerDelete                          EventActivityCode = "user.peer.delete"
-	EventActivityCodeUserRoleUpdate                          EventActivityCode = "user.role.update"
+	EventActivityCodeAccountCreate                            EventActivityCode = "account.create"
+	EventActivityCodeAccountSettingPeerLoginExpirationDisable EventActivityCode = "account.setting.peer.login.expiration.disable"
+	EventActivityCodeAccountSettingPeerLoginExpirationEnable  EventActivityCode = "account.setting.peer.login.expiration.enable"
+	EventActivityCodeAccountSettingPeerLoginExpirationUpdate  EventActivityCode = "account.setting.peer.login.expiration.update"
+	EventActivityCodeDnsSettingDisabledManagementGroupAdd     EventActivityCode = "dns.setting.disabled.management.group.add"
+	EventActivityCodeDnsSettingDisabledManagementGroupDelete  EventActivityCode = "dns.setting.disabled.management.group.delete"
+	EventActivityCodeGroupAdd                                 EventActivityCode = "group.add"
+	EventActivityCodeGroupUpdate                              EventActivityCode = "group.update"
+	EventActivityCodeNameserverGroupAdd                       EventActivityCode = "nameserver.group.add"
+	EventActivityCodeNameserverGroupDelete                    EventActivityCode = "nameserver.group.delete"
+	EventActivityCodeNameserverGroupUpdate                    EventActivityCode = "nameserver.group.update"
+	EventActivityCodePeerLoginExpirationDisable               EventActivityCode = "peer.login.expiration.disable"
+	EventActivityCodePeerLoginExpirationEnable                EventActivityCode = "peer.login.expiration.enable"
+	EventActivityCodePeerRename                               EventActivityCode = "peer.rename"
+	EventActivityCodePeerSshDisable                           EventActivityCode = "peer.ssh.disable"
+	EventActivityCodePeerSshEnable                            EventActivityCode = "peer.ssh.enable"
+	EventActivityCodeRouteAdd                                 EventActivityCode = "route.add"
+	EventActivityCodeRouteDelete                              EventActivityCode = "route.delete"
+	EventActivityCodeRouteUpdate                              EventActivityCode = "route.update"
+	EventActivityCodeRuleAdd                                  EventActivityCode = "rule.add"
+	EventActivityCodeRuleDelete                               EventActivityCode = "rule.delete"
+	EventActivityCodeRuleUpdate                               EventActivityCode = "rule.update"
+	EventActivityCodeSetupkeyAdd                              EventActivityCode = "setupkey.add"
+	EventActivityCodeSetupkeyGroupAdd                         EventActivityCode = "setupkey.group.add"
+	EventActivityCodeSetupkeyGroupDelete                      EventActivityCode = "setupkey.group.delete"
+	EventActivityCodeSetupkeyOveruse                          EventActivityCode = "setupkey.overuse"
+	EventActivityCodeSetupkeyPeerAdd                          EventActivityCode = "setupkey.peer.add"
+	EventActivityCodeSetupkeyRevoke                           EventActivityCode = "setupkey.revoke"
+	EventActivityCodeSetupkeyUpdate                           EventActivityCode = "setupkey.update"
+	EventActivityCodeUserGroupAdd                             EventActivityCode = "user.group.add"
+	EventActivityCodeUserGroupDelete                          EventActivityCode = "user.group.delete"
+	EventActivityCodeUserInvite                               EventActivityCode = "user.invite"
+	EventActivityCodeUserJoin                                 EventActivityCode = "user.join"
+	EventActivityCodeUserPeerAdd                              EventActivityCode = "user.peer.add"
+	EventActivityCodeUserPeerDelete                           EventActivityCode = "user.peer.delete"
+	EventActivityCodeUserRoleUpdate                           EventActivityCode = "user.role.update"
 )
 
 // Defines values for GroupPatchOperationOp.
@@ -132,6 +137,22 @@ const (
 	UserStatusInvited  UserStatus = "invited"
 )
 
+// Account defines model for Account.
+type Account struct {
+	// Id Account ID
+	Id       string          `json:"id"`
+	Settings AccountSettings `json:"settings"`
+}
+
+// AccountSettings defines model for AccountSettings.
+type AccountSettings struct {
+	// PeerLoginExpiration Period of time after which peer login expires (seconds).
+	PeerLoginExpiration int `json:"peer_login_expiration"`
+
+	// PeerLoginExpirationEnabled Enables or disables peer login expiration globally. After peer's login has expired the user has to log in (authenticate). Applies only to peers that were added by a user (interactive SSO login).
+	PeerLoginExpirationEnabled bool `json:"peer_login_expiration_enabled"`
+}
+
 // DNSSettings defines model for DNSSettings.
 type DNSSettings struct {
 	// DisabledManagementGroups Groups whose DNS management is disabled
@@ -326,9 +347,18 @@ type Peer struct {
 	// Ip Peer's IP address
 	Ip string `json:"ip"`
 
+	// LastLogin Last time this peer performed log in (authentication). E.g., user authenticated.
+	LastLogin time.Time `json:"last_login"`
+
 	// LastSeen Last time peer connected to Netbird's management service
 	LastSeen time.Time `json:"last_seen"`
 
+	// LoginExpirationEnabled Indicates whether peer login expiration has been enabled or not
+	LoginExpirationEnabled bool `json:"login_expiration_enabled"`
+
+	// LoginExpired Indicates whether peer's login expired or not
+	LoginExpired bool `json:"login_expired"`
+
 	// Name Peer's hostname
 	Name string `json:"name"`
 
@@ -606,6 +636,11 @@ type UserRequest struct {
 	Role string `json:"role"`
 }
 
+// PutApiAccountsIdJSONBody defines parameters for PutApiAccountsId.
+type PutApiAccountsIdJSONBody struct {
+	Settings AccountSettings `json:"settings"`
+}
+
 // PatchApiDnsNameserversIdJSONBody defines parameters for PatchApiDnsNameserversId.
 type PatchApiDnsNameserversIdJSONBody = []NameserverGroupPatchOperation
 
@@ -626,8 +661,9 @@ type PutApiGroupsIdJSONBody struct {
 
 // PutApiPeersIdJSONBody defines parameters for PutApiPeersId.
 type PutApiPeersIdJSONBody struct {
-	Name       string `json:"name"`
-	SshEnabled bool   `json:"ssh_enabled"`
+	LoginExpirationEnabled bool   `json:"login_expiration_enabled"`
+	Name                   string `json:"name"`
+	SshEnabled             bool   `json:"ssh_enabled"`
 }
 
 // PatchApiRoutesIdJSONBody defines parameters for PatchApiRoutesId.
@@ -670,6 +706,9 @@ type PutApiRulesIdJSONBody struct {
 	Sources *[]string `json:"sources,omitempty"`
 }
 
+// PutApiAccountsIdJSONRequestBody defines body for PutApiAccountsId for application/json ContentType.
+type PutApiAccountsIdJSONRequestBody PutApiAccountsIdJSONBody
+
 // PostApiDnsNameserversJSONRequestBody defines body for PostApiDnsNameservers for application/json ContentType.
 type PostApiDnsNameserversJSONRequestBody = NameserverGroupRequest
 

management/server/http/dns_settings_handler.go

@@ -4,22 +4,23 @@ import (
 	"encoding/json"
 	"net/http"
 
+	log "github.com/sirupsen/logrus"
+
 	"github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/http/api"
 	"github.com/netbirdio/netbird/management/server/http/util"
 	"github.com/netbirdio/netbird/management/server/jwtclaims"
-	log "github.com/sirupsen/logrus"
 )
 
-// DNSSettings is a handler that returns the DNS settings of the account
-type DNSSettings struct {
+// DNSSettingsHandler is a handler that returns the DNS settings of the account
+type DNSSettingsHandler struct {
 	accountManager  server.AccountManager
 	claimsExtractor *jwtclaims.ClaimsExtractor
 }
 
-// NewDNSSettings returns a new instance of DNSSettings handler
-func NewDNSSettings(accountManager server.AccountManager, authCfg AuthCfg) *DNSSettings {
-	return &DNSSettings{
+// NewDNSSettingsHandler returns a new instance of DNSSettingsHandler handler
+func NewDNSSettingsHandler(accountManager server.AccountManager, authCfg AuthCfg) *DNSSettingsHandler {
+	return &DNSSettingsHandler{
 		accountManager: accountManager,
 		claimsExtractor: jwtclaims.NewClaimsExtractor(
 			jwtclaims.WithAudience(authCfg.Audience),
@@ -29,7 +30,7 @@ func NewDNSSettings(accountManager server.AccountManager, authCfg AuthCfg) *DNSS
 }
 
 // GetDNSSettings returns the DNS settings for the account
-func (h *DNSSettings) GetDNSSettings(w http.ResponseWriter, r *http.Request) {
+func (h *DNSSettingsHandler) GetDNSSettings(w http.ResponseWriter, r *http.Request) {
 	claims := h.claimsExtractor.FromRequestContext(r)
 	account, user, err := h.accountManager.GetAccountFromToken(claims)
 	if err != nil {
@@ -52,7 +53,7 @@ func (h *DNSSettings) GetDNSSettings(w http.ResponseWriter, r *http.Request) {
 }
 
 // UpdateDNSSettings handles update to DNS settings of an account
-func (h *DNSSettings) UpdateDNSSettings(w http.ResponseWriter, r *http.Request) {
+func (h *DNSSettingsHandler) UpdateDNSSettings(w http.ResponseWriter, r *http.Request) {
 	claims := h.claimsExtractor.FromRequestContext(r)
 	account, user, err := h.accountManager.GetAccountFromToken(claims)
 	if err != nil {

management/server/http/dns_settings_handler_test.go

@@ -8,11 +8,13 @@ import (
 	"net/http/httptest"
 	"testing"
 
-	"github.com/netbirdio/netbird/management/server/http/api"
-	"github.com/netbirdio/netbird/management/server/status"
 	"github.com/stretchr/testify/assert"
 
+	"github.com/netbirdio/netbird/management/server/http/api"
+	"github.com/netbirdio/netbird/management/server/status"
+
 	"github.com/gorilla/mux"
+
 	"github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/jwtclaims"
 	"github.com/netbirdio/netbird/management/server/mock_server"
@@ -37,8 +39,8 @@ var testingDNSSettingsAccount = &server.Account{
 	DNSSettings: baseExistingDNSSettings,
 }
 
-func initDNSSettingsTestData() *DNSSettings {
-	return &DNSSettings{
+func initDNSSettingsTestData() *DNSSettingsHandler {
+	return &DNSSettingsHandler{
 		accountManager: &mock_server.MockAccountManager{
 			GetDNSSettingsFunc: func(accountID string, userID string) (*server.DNSSettings, error) {
 				return testingDNSSettingsAccount.DNSSettings, nil

management/server/http/events_handler.go

@@ -4,23 +4,24 @@ import (
 	"fmt"
 	"net/http"
 
+	log "github.com/sirupsen/logrus"
+
 	"github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/activity"
 	"github.com/netbirdio/netbird/management/server/http/api"
 	"github.com/netbirdio/netbird/management/server/http/util"
 	"github.com/netbirdio/netbird/management/server/jwtclaims"
-	log "github.com/sirupsen/logrus"
 )
 
-// Events HTTP handler
-type Events struct {
+// EventsHandler HTTP handler
+type EventsHandler struct {
 	accountManager  server.AccountManager
 	claimsExtractor *jwtclaims.ClaimsExtractor
 }
 
-// NewEvents creates a new Events HTTP handler
-func NewEvents(accountManager server.AccountManager, authCfg AuthCfg) *Events {
-	return &Events{
+// NewEventsHandler creates a new EventsHandler HTTP handler
+func NewEventsHandler(accountManager server.AccountManager, authCfg AuthCfg) *EventsHandler {
+	return &EventsHandler{
 		accountManager: accountManager,
 		claimsExtractor: jwtclaims.NewClaimsExtractor(
 			jwtclaims.WithAudience(authCfg.Audience),
@@ -29,8 +30,8 @@ func NewEvents(accountManager server.AccountManager, authCfg AuthCfg) *Events {
 	}
 }
 
-// GetEvents list of the given account
-func (h *Events) GetEvents(w http.ResponseWriter, r *http.Request) {
+// GetAllEvents list of the given account
+func (h *EventsHandler) GetAllEvents(w http.ResponseWriter, r *http.Request) {
 	claims := h.claimsExtractor.FromRequestContext(r)
 	account, user, err := h.accountManager.GetAccountFromToken(claims)
 	if err != nil {

management/server/http/events_handler_test.go

@@ -10,16 +10,17 @@ import (
 	"time"
 
 	"github.com/gorilla/mux"
+	"github.com/stretchr/testify/assert"
+
 	"github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/activity"
 	"github.com/netbirdio/netbird/management/server/http/api"
 	"github.com/netbirdio/netbird/management/server/jwtclaims"
 	"github.com/netbirdio/netbird/management/server/mock_server"
-	"github.com/stretchr/testify/assert"
 )
 
-func initEventsTestData(account string, user *server.User, events ...*activity.Event) *Events {
-	return &Events{
+func initEventsTestData(account string, user *server.User, events ...*activity.Event) *EventsHandler {
+	return &EventsHandler{
 		accountManager: &mock_server.MockAccountManager{
 			GetEventsFunc: func(accountID, userID string) ([]*activity.Event, error) {
 				if accountID == account {
@@ -184,7 +185,7 @@ func TestEvents_GetEvents(t *testing.T) {
 		requestBody    io.Reader
 	}{
 		{
-			name:           "GetEvents OK",
+			name:           "GetAllEvents OK",
 			expectedBody:   true,
 			requestType:    http.MethodGet,
 			requestPath:    "/api/events/",
@@ -202,7 +203,7 @@ func TestEvents_GetEvents(t *testing.T) {
 			req := httptest.NewRequest(tc.requestType, tc.requestPath, tc.requestBody)
 
 			router := mux.NewRouter()
-			router.HandleFunc("/api/events/", handler.GetEvents).Methods("GET")
+			router.HandleFunc("/api/events/", handler.GetAllEvents).Methods("GET")
 			router.ServeHTTP(recorder, req)
 
 			res := recorder.Result()

management/server/http/groups_handler.go

@@ -8,22 +8,24 @@ import (
 	"github.com/netbirdio/netbird/management/server/http/util"
 	"github.com/netbirdio/netbird/management/server/status"
 
+	"github.com/rs/xid"
+
 	"github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/jwtclaims"
-	"github.com/rs/xid"
 
 	"github.com/gorilla/mux"
 	log "github.com/sirupsen/logrus"
 )
 
-// Groups is a handler that returns groups of the account
-type Groups struct {
+// GroupsHandler is a handler that returns groups of the account
+type GroupsHandler struct {
 	accountManager  server.AccountManager
 	claimsExtractor *jwtclaims.ClaimsExtractor
 }
 
-func NewGroups(accountManager server.AccountManager, authCfg AuthCfg) *Groups {
-	return &Groups{
+// NewGroupsHandler creates a new GroupsHandler HTTP handler
+func NewGroupsHandler(accountManager server.AccountManager, authCfg AuthCfg) *GroupsHandler {
+	return &GroupsHandler{
 		accountManager: accountManager,
 		claimsExtractor: jwtclaims.NewClaimsExtractor(
 			jwtclaims.WithAudience(authCfg.Audience),
@@ -32,8 +34,8 @@ func NewGroups(accountManager server.AccountManager, authCfg AuthCfg) *Groups {
 	}
 }
 
-// GetAllGroupsHandler list for the account
-func (h *Groups) GetAllGroupsHandler(w http.ResponseWriter, r *http.Request) {
+// GetAllGroups list for the account
+func (h *GroupsHandler) GetAllGroups(w http.ResponseWriter, r *http.Request) {
 	claims := h.claimsExtractor.FromRequestContext(r)
 	account, _, err := h.accountManager.GetAccountFromToken(claims)
 	if err != nil {
@@ -50,8 +52,8 @@ func (h *Groups) GetAllGroupsHandler(w http.ResponseWriter, r *http.Request) {
 	util.WriteJSONObject(w, groups)
 }
 
-// UpdateGroupHandler handles update to a group identified by a given ID
-func (h *Groups) UpdateGroupHandler(w http.ResponseWriter, r *http.Request) {
+// UpdateGroup handles update to a group identified by a given ID
+func (h *GroupsHandler) UpdateGroup(w http.ResponseWriter, r *http.Request) {
 	claims := h.claimsExtractor.FromRequestContext(r)
 	account, user, err := h.accountManager.GetAccountFromToken(claims)
 	if err != nil {
@@ -119,8 +121,8 @@ func (h *Groups) UpdateGroupHandler(w http.ResponseWriter, r *http.Request) {
 	util.WriteJSONObject(w, toGroupResponse(account, &group))
 }
 
-// PatchGroupHandler handles patch updates to a group identified by a given ID
-func (h *Groups) PatchGroupHandler(w http.ResponseWriter, r *http.Request) {
+// PatchGroup handles patch updates to a group identified by a given ID
+func (h *GroupsHandler) PatchGroup(w http.ResponseWriter, r *http.Request) {
 	claims := h.claimsExtractor.FromRequestContext(r)
 	account, _, err := h.accountManager.GetAccountFromToken(claims)
 	if err != nil {
@@ -205,7 +207,7 @@ func (h *Groups) PatchGroupHandler(w http.ResponseWriter, r *http.Request) {
 				})
 			default:
 				util.WriteError(status.Errorf(status.InvalidArgument,
-					"invalid operation, \"%v\", for Peers field", patch.Op), w)
+					"invalid operation, \"%v\", for PeersHandler field", patch.Op), w)
 				return
 			}
 		default:
@@ -223,8 +225,8 @@ func (h *Groups) PatchGroupHandler(w http.ResponseWriter, r *http.Request) {
 	util.WriteJSONObject(w, toGroupResponse(account, group))
 }
 
-// CreateGroupHandler handles group creation request
-func (h *Groups) CreateGroupHandler(w http.ResponseWriter, r *http.Request) {
+// CreateGroup handles group creation request
+func (h *GroupsHandler) CreateGroup(w http.ResponseWriter, r *http.Request) {
 	claims := h.claimsExtractor.FromRequestContext(r)
 	account, user, err := h.accountManager.GetAccountFromToken(claims)
 	if err != nil {
@@ -265,8 +267,8 @@ func (h *Groups) CreateGroupHandler(w http.ResponseWriter, r *http.Request) {
 	util.WriteJSONObject(w, toGroupResponse(account, &group))
 }
 
-// DeleteGroupHandler handles group deletion request
-func (h *Groups) DeleteGroupHandler(w http.ResponseWriter, r *http.Request) {
+// DeleteGroup handles group deletion request
+func (h *GroupsHandler) DeleteGroup(w http.ResponseWriter, r *http.Request) {
 	claims := h.claimsExtractor.FromRequestContext(r)
 	account, _, err := h.accountManager.GetAccountFromToken(claims)
 	if err != nil {
@@ -301,8 +303,8 @@ func (h *Groups) DeleteGroupHandler(w http.ResponseWriter, r *http.Request) {
 	util.WriteJSONObject(w, "")
 }
 
-// GetGroupHandler returns a group
-func (h *Groups) GetGroupHandler(w http.ResponseWriter, r *http.Request) {
+// GetGroup returns a group
+func (h *GroupsHandler) GetGroup(w http.ResponseWriter, r *http.Request) {
 	claims := h.claimsExtractor.FromRequestContext(r)
 	account, _, err := h.accountManager.GetAccountFromToken(claims)
 	if err != nil {

management/server/http/groups_handler_test.go

@@ -15,9 +15,11 @@ import (
 	"github.com/netbirdio/netbird/management/server/status"
 
 	"github.com/gorilla/mux"
+
 	"github.com/netbirdio/netbird/management/server/jwtclaims"
 
 	"github.com/magiconair/properties/assert"
+
 	"github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/mock_server"
 )
@@ -27,8 +29,8 @@ var TestPeers = map[string]*server.Peer{
 	"B": {Key: "B", ID: "peer-B-ID", IP: net.ParseIP("200.200.200.200")},
 }
 
-func initGroupTestData(user *server.User, groups ...*server.Group) *Groups {
-	return &Groups{
+func initGroupTestData(user *server.User, groups ...*server.Group) *GroupsHandler {
+	return &GroupsHandler{
 		accountManager: &mock_server.MockAccountManager{
 			SaveGroupFunc: func(accountID, userID string, group *server.Group) error {
 				if !strings.HasPrefix(group.ID, "id-") {
@@ -134,7 +136,7 @@ func TestGetGroup(t *testing.T) {
 			req := httptest.NewRequest(tc.requestType, tc.requestPath, tc.requestBody)
 
 			router := mux.NewRouter()
-			router.HandleFunc("/api/groups/{id}", p.GetGroupHandler).Methods("GET")
+			router.HandleFunc("/api/groups/{id}", p.GetGroup).Methods("GET")
 			router.ServeHTTP(recorder, req)
 
 			res := recorder.Result()
@@ -259,7 +261,7 @@ func TestWriteGroup(t *testing.T) {
 			expectedBody:   false,
 		},
 		{
-			name:        "Write Group PATCH Peers OK",
+			name:        "Write Group PATCH PeersHandler OK",
 			requestType: http.MethodPatch,
 			requestPath: "/api/groups/id-existed",
 			requestBody: bytes.NewBuffer(
@@ -286,9 +288,9 @@ func TestWriteGroup(t *testing.T) {
 			req := httptest.NewRequest(tc.requestType, tc.requestPath, tc.requestBody)
 
 			router := mux.NewRouter()
-			router.HandleFunc("/api/groups", p.CreateGroupHandler).Methods("POST")
-			router.HandleFunc("/api/groups/{id}", p.UpdateGroupHandler).Methods("PUT")
-			router.HandleFunc("/api/groups/{id}", p.PatchGroupHandler).Methods("PATCH")
+			router.HandleFunc("/api/groups", p.CreateGroup).Methods("POST")
+			router.HandleFunc("/api/groups/{id}", p.UpdateGroup).Methods("PUT")
+			router.HandleFunc("/api/groups/{id}", p.PatchGroup).Methods("PATCH")
 			router.ServeHTTP(recorder, req)
 
 			res := recorder.Result()

management/server/http/handler.go

@@ -4,10 +4,11 @@ import (
 	"net/http"
 
 	"github.com/gorilla/mux"
+	"github.com/rs/cors"
+
 	s "github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/http/middleware"
 	"github.com/netbirdio/netbird/management/server/telemetry"
-	"github.com/rs/cors"
 )
 
 // AuthCfg contains parameters for authentication middleware
@@ -18,6 +19,12 @@ type AuthCfg struct {
 	KeysLocation string
 }
 
+type apiHandler struct {
+	Router         *mux.Router
+	AccountManager s.AccountManager
+	AuthCfg        AuthCfg
+}
+
 // APIHandler creates the Management service HTTP API handler registering all the available endpoints.
 func APIHandler(accountManager s.AccountManager, appMetrics telemetry.AppMetrics, authCfg AuthCfg) (http.Handler, error) {
 	jwtMiddleware, err := middleware.NewJwtMiddleware(
@@ -38,65 +45,27 @@ func APIHandler(accountManager s.AccountManager, appMetrics telemetry.AppMetrics
 	rootRouter := mux.NewRouter()
 	metricsMiddleware := appMetrics.HTTPMiddleware()
 
-	apiHandler := rootRouter.PathPrefix("/api").Subrouter()
-	apiHandler.Use(metricsMiddleware.Handler, corsMiddleware.Handler, jwtMiddleware.Handler, acMiddleware.Handler)
+	router := rootRouter.PathPrefix("/api").Subrouter()
+	router.Use(metricsMiddleware.Handler, corsMiddleware.Handler, jwtMiddleware.Handler, acMiddleware.Handler)
 
-	groupsHandler := NewGroups(accountManager, authCfg)
-	rulesHandler := NewRules(accountManager, authCfg)
-	peersHandler := NewPeers(accountManager, authCfg)
-	keysHandler := NewSetupKeysHandler(accountManager, authCfg)
-	userHandler := NewUserHandler(accountManager, authCfg)
-	routesHandler := NewRoutes(accountManager, authCfg)
-	nameserversHandler := NewNameservers(accountManager, authCfg)
-	eventsHandler := NewEvents(accountManager, authCfg)
-	dnsSettingsHandler := NewDNSSettings(accountManager, authCfg)
+	api := apiHandler{
+		Router:         router,
+		AccountManager: accountManager,
+		AuthCfg:        authCfg,
+	}
 
-	apiHandler.HandleFunc("/peers", peersHandler.GetPeers).Methods("GET", "OPTIONS")
-	apiHandler.HandleFunc("/peers/{id}", peersHandler.HandlePeer).
-		Methods("GET", "PUT", "DELETE", "OPTIONS")
-	apiHandler.HandleFunc("/users", userHandler.GetUsers).Methods("GET", "OPTIONS")
-	apiHandler.HandleFunc("/users/{id}", userHandler.UpdateUser).Methods("PUT", "OPTIONS")
-	apiHandler.HandleFunc("/users", userHandler.CreateUserHandler).Methods("POST", "OPTIONS")
+	api.addAccountsEndpoint()
+	api.addPeersEndpoint()
+	api.addUsersEndpoint()
+	api.addSetupKeysEndpoint()
+	api.addRulesEndpoint()
+	api.addGroupsEndpoint()
+	api.addRoutesEndpoint()
+	api.addDNSNameserversEndpoint()
+	api.addDNSSettingEndpoint()
+	api.addEventsEndpoint()
 
-	apiHandler.HandleFunc("/setup-keys", keysHandler.GetAllSetupKeysHandler).Methods("GET", "OPTIONS")
-	apiHandler.HandleFunc("/setup-keys", keysHandler.CreateSetupKeyHandler).Methods("POST", "OPTIONS")
-	apiHandler.HandleFunc("/setup-keys/{id}", keysHandler.GetSetupKeyHandler).Methods("GET", "OPTIONS")
-	apiHandler.HandleFunc("/setup-keys/{id}", keysHandler.UpdateSetupKeyHandler).Methods("PUT", "OPTIONS")
-
-	apiHandler.HandleFunc("/rules", rulesHandler.GetAllRulesHandler).Methods("GET", "OPTIONS")
-	apiHandler.HandleFunc("/rules", rulesHandler.CreateRuleHandler).Methods("POST", "OPTIONS")
-	apiHandler.HandleFunc("/rules/{id}", rulesHandler.UpdateRuleHandler).Methods("PUT", "OPTIONS")
-	apiHandler.HandleFunc("/rules/{id}", rulesHandler.PatchRuleHandler).Methods("PATCH", "OPTIONS")
-	apiHandler.HandleFunc("/rules/{id}", rulesHandler.GetRuleHandler).Methods("GET", "OPTIONS")
-	apiHandler.HandleFunc("/rules/{id}", rulesHandler.DeleteRuleHandler).Methods("DELETE", "OPTIONS")
-
-	apiHandler.HandleFunc("/groups", groupsHandler.GetAllGroupsHandler).Methods("GET", "OPTIONS")
-	apiHandler.HandleFunc("/groups", groupsHandler.CreateGroupHandler).Methods("POST", "OPTIONS")
-	apiHandler.HandleFunc("/groups/{id}", groupsHandler.UpdateGroupHandler).Methods("PUT", "OPTIONS")
-	apiHandler.HandleFunc("/groups/{id}", groupsHandler.PatchGroupHandler).Methods("PATCH", "OPTIONS")
-	apiHandler.HandleFunc("/groups/{id}", groupsHandler.GetGroupHandler).Methods("GET", "OPTIONS")
-	apiHandler.HandleFunc("/groups/{id}", groupsHandler.DeleteGroupHandler).Methods("DELETE", "OPTIONS")
-
-	apiHandler.HandleFunc("/routes", routesHandler.GetAllRoutesHandler).Methods("GET", "OPTIONS")
-	apiHandler.HandleFunc("/routes", routesHandler.CreateRouteHandler).Methods("POST", "OPTIONS")
-	apiHandler.HandleFunc("/routes/{id}", routesHandler.UpdateRouteHandler).Methods("PUT", "OPTIONS")
-	apiHandler.HandleFunc("/routes/{id}", routesHandler.PatchRouteHandler).Methods("PATCH", "OPTIONS")
-	apiHandler.HandleFunc("/routes/{id}", routesHandler.GetRouteHandler).Methods("GET", "OPTIONS")
-	apiHandler.HandleFunc("/routes/{id}", routesHandler.DeleteRouteHandler).Methods("DELETE", "OPTIONS")
-
-	apiHandler.HandleFunc("/dns/nameservers", nameserversHandler.GetAllNameserversHandler).Methods("GET", "OPTIONS")
-	apiHandler.HandleFunc("/dns/nameservers", nameserversHandler.CreateNameserverGroupHandler).Methods("POST", "OPTIONS")
-	apiHandler.HandleFunc("/dns/nameservers/{id}", nameserversHandler.UpdateNameserverGroupHandler).Methods("PUT", "OPTIONS")
-	apiHandler.HandleFunc("/dns/nameservers/{id}", nameserversHandler.PatchNameserverGroupHandler).Methods("PATCH", "OPTIONS")
-	apiHandler.HandleFunc("/dns/nameservers/{id}", nameserversHandler.GetNameserverGroupHandler).Methods("GET", "OPTIONS")
-	apiHandler.HandleFunc("/dns/nameservers/{id}", nameserversHandler.DeleteNameserverGroupHandler).Methods("DELETE", "OPTIONS")
-
-	apiHandler.HandleFunc("/events", eventsHandler.GetEvents).Methods("GET", "OPTIONS")
-
-	apiHandler.HandleFunc("/dns/settings", dnsSettingsHandler.GetDNSSettings).Methods("GET", "OPTIONS")
-	apiHandler.HandleFunc("/dns/settings", dnsSettingsHandler.UpdateDNSSettings).Methods("PUT", "OPTIONS")
-
-	err = apiHandler.Walk(func(route *mux.Route, _ *mux.Router, _ []*mux.Route) error {
+	err = api.Router.Walk(func(route *mux.Route, _ *mux.Router, _ []*mux.Route) error {
 		methods, err := route.GetMethods()
 		if err != nil {
 			return err
@@ -119,3 +88,82 @@ func APIHandler(accountManager s.AccountManager, appMetrics telemetry.AppMetrics
 
 	return rootRouter, nil
 }
+
+func (apiHandler *apiHandler) addAccountsEndpoint() {
+	accountsHandler := NewAccountsHandler(apiHandler.AccountManager, apiHandler.AuthCfg)
+	apiHandler.Router.HandleFunc("/accounts/{id}", accountsHandler.UpdateAccount).Methods("PUT", "OPTIONS")
+	apiHandler.Router.HandleFunc("/accounts", accountsHandler.GetAllAccounts).Methods("GET", "OPTIONS")
+}
+
+func (apiHandler *apiHandler) addPeersEndpoint() {
+	peersHandler := NewPeersHandler(apiHandler.AccountManager, apiHandler.AuthCfg)
+	apiHandler.Router.HandleFunc("/peers", peersHandler.GetAllPeers).Methods("GET", "OPTIONS")
+	apiHandler.Router.HandleFunc("/peers/{id}", peersHandler.HandlePeer).
+		Methods("GET", "PUT", "DELETE", "OPTIONS")
+}
+
+func (apiHandler *apiHandler) addUsersEndpoint() {
+	userHandler := NewUsersHandler(apiHandler.AccountManager, apiHandler.AuthCfg)
+	apiHandler.Router.HandleFunc("/users", userHandler.GetAllUsers).Methods("GET", "OPTIONS")
+	apiHandler.Router.HandleFunc("/users/{id}", userHandler.UpdateUser).Methods("PUT", "OPTIONS")
+	apiHandler.Router.HandleFunc("/users", userHandler.CreateUser).Methods("POST", "OPTIONS")
+}
+
+func (apiHandler *apiHandler) addSetupKeysEndpoint() {
+	keysHandler := NewSetupKeysHandler(apiHandler.AccountManager, apiHandler.AuthCfg)
+	apiHandler.Router.HandleFunc("/setup-keys", keysHandler.GetAllSetupKeys).Methods("GET", "OPTIONS")
+	apiHandler.Router.HandleFunc("/setup-keys", keysHandler.CreateSetupKey).Methods("POST", "OPTIONS")
+	apiHandler.Router.HandleFunc("/setup-keys/{id}", keysHandler.GetSetupKey).Methods("GET", "OPTIONS")
+	apiHandler.Router.HandleFunc("/setup-keys/{id}", keysHandler.UpdateSetupKey).Methods("PUT", "OPTIONS")
+}
+
+func (apiHandler *apiHandler) addRulesEndpoint() {
+	rulesHandler := NewRulesHandler(apiHandler.AccountManager, apiHandler.AuthCfg)
+	apiHandler.Router.HandleFunc("/rules", rulesHandler.GetAllRules).Methods("GET", "OPTIONS")
+	apiHandler.Router.HandleFunc("/rules", rulesHandler.CreateRule).Methods("POST", "OPTIONS")
+	apiHandler.Router.HandleFunc("/rules/{id}", rulesHandler.UpdateRule).Methods("PUT", "OPTIONS")
+	apiHandler.Router.HandleFunc("/rules/{id}", rulesHandler.PatchRule).Methods("PATCH", "OPTIONS")
+	apiHandler.Router.HandleFunc("/rules/{id}", rulesHandler.GetRule).Methods("GET", "OPTIONS")
+	apiHandler.Router.HandleFunc("/rules/{id}", rulesHandler.DeleteRule).Methods("DELETE", "OPTIONS")
+}
+
+func (apiHandler *apiHandler) addGroupsEndpoint() {
+	groupsHandler := NewGroupsHandler(apiHandler.AccountManager, apiHandler.AuthCfg)
+	apiHandler.Router.HandleFunc("/groups", groupsHandler.GetAllGroups).Methods("GET", "OPTIONS")
+	apiHandler.Router.HandleFunc("/groups", groupsHandler.CreateGroup).Methods("POST", "OPTIONS")
+	apiHandler.Router.HandleFunc("/groups/{id}", groupsHandler.UpdateGroup).Methods("PUT", "OPTIONS")
+	apiHandler.Router.HandleFunc("/groups/{id}", groupsHandler.PatchGroup).Methods("PATCH", "OPTIONS")
+	apiHandler.Router.HandleFunc("/groups/{id}", groupsHandler.GetGroup).Methods("GET", "OPTIONS")
+	apiHandler.Router.HandleFunc("/groups/{id}", groupsHandler.DeleteGroup).Methods("DELETE", "OPTIONS")
+}
+
+func (apiHandler *apiHandler) addRoutesEndpoint() {
+	routesHandler := NewRoutesHandler(apiHandler.AccountManager, apiHandler.AuthCfg)
+	apiHandler.Router.HandleFunc("/routes", routesHandler.GetAllRoutes).Methods("GET", "OPTIONS")
+	apiHandler.Router.HandleFunc("/routes", routesHandler.CreateRoute).Methods("POST", "OPTIONS")
+	apiHandler.Router.HandleFunc("/routes/{id}", routesHandler.UpdateRoute).Methods("PUT", "OPTIONS")
+	apiHandler.Router.HandleFunc("/routes/{id}", routesHandler.PatchRoute).Methods("PATCH", "OPTIONS")
+	apiHandler.Router.HandleFunc("/routes/{id}", routesHandler.GetRoute).Methods("GET", "OPTIONS")
+	apiHandler.Router.HandleFunc("/routes/{id}", routesHandler.DeleteRoute).Methods("DELETE", "OPTIONS")
+}
+
+func (apiHandler *apiHandler) addDNSNameserversEndpoint() {
+	nameserversHandler := NewNameserversHandler(apiHandler.AccountManager, apiHandler.AuthCfg)
+	apiHandler.Router.HandleFunc("/dns/nameservers", nameserversHandler.GetAllNameservers).Methods("GET", "OPTIONS")
+	apiHandler.Router.HandleFunc("/dns/nameservers", nameserversHandler.CreateNameserverGroup).Methods("POST", "OPTIONS")
+	apiHandler.Router.HandleFunc("/dns/nameservers/{id}", nameserversHandler.UpdateNameserverGroup).Methods("PUT", "OPTIONS")
+	apiHandler.Router.HandleFunc("/dns/nameservers/{id}", nameserversHandler.PatchNameserverGroup).Methods("PATCH", "OPTIONS")
+	apiHandler.Router.HandleFunc("/dns/nameservers/{id}", nameserversHandler.GetNameserverGroup).Methods("GET", "OPTIONS")
+	apiHandler.Router.HandleFunc("/dns/nameservers/{id}", nameserversHandler.DeleteNameserverGroup).Methods("DELETE", "OPTIONS")
+}
+
+func (apiHandler *apiHandler) addDNSSettingEndpoint() {
+	dnsSettingsHandler := NewDNSSettingsHandler(apiHandler.AccountManager, apiHandler.AuthCfg)
+	apiHandler.Router.HandleFunc("/dns/settings", dnsSettingsHandler.GetDNSSettings).Methods("GET", "OPTIONS")
+	apiHandler.Router.HandleFunc("/dns/settings", dnsSettingsHandler.UpdateDNSSettings).Methods("PUT", "OPTIONS")
+}
+
+func (apiHandler *apiHandler) addEventsEndpoint() {
+	eventsHandler := NewEventsHandler(apiHandler.AccountManager, apiHandler.AuthCfg)
+	apiHandler.Router.HandleFunc("/events", eventsHandler.GetAllEvents).Methods("GET", "OPTIONS")
+}

management/server/http/nameservers_handler.go

@@ -6,24 +6,25 @@ import (
 	"net/http"
 
 	"github.com/gorilla/mux"
+	log "github.com/sirupsen/logrus"
+
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/http/api"
 	"github.com/netbirdio/netbird/management/server/http/util"
 	"github.com/netbirdio/netbird/management/server/jwtclaims"
 	"github.com/netbirdio/netbird/management/server/status"
-	log "github.com/sirupsen/logrus"
 )
 
-// Nameservers is the nameserver group handler of the account
-type Nameservers struct {
+// NameserversHandler is the nameserver group handler of the account
+type NameserversHandler struct {
 	accountManager  server.AccountManager
 	claimsExtractor *jwtclaims.ClaimsExtractor
 }
 
-// NewNameservers returns a new instance of Nameservers handler
-func NewNameservers(accountManager server.AccountManager, authCfg AuthCfg) *Nameservers {
-	return &Nameservers{
+// NewNameserversHandler returns a new instance of NameserversHandler handler
+func NewNameserversHandler(accountManager server.AccountManager, authCfg AuthCfg) *NameserversHandler {
+	return &NameserversHandler{
 		accountManager: accountManager,
 		claimsExtractor: jwtclaims.NewClaimsExtractor(
 			jwtclaims.WithAudience(authCfg.Audience),
@@ -32,8 +33,8 @@ func NewNameservers(accountManager server.AccountManager, authCfg AuthCfg) *Name
 	}
 }
 
-// GetAllNameserversHandler returns the list of nameserver groups for the account
-func (h *Nameservers) GetAllNameserversHandler(w http.ResponseWriter, r *http.Request) {
+// GetAllNameservers returns the list of nameserver groups for the account
+func (h *NameserversHandler) GetAllNameservers(w http.ResponseWriter, r *http.Request) {
 	claims := h.claimsExtractor.FromRequestContext(r)
 	account, _, err := h.accountManager.GetAccountFromToken(claims)
 	if err != nil {
@@ -56,8 +57,8 @@ func (h *Nameservers) GetAllNameserversHandler(w http.ResponseWriter, r *http.Re
 	util.WriteJSONObject(w, apiNameservers)
 }
 
-// CreateNameserverGroupHandler handles nameserver group creation request
-func (h *Nameservers) CreateNameserverGroupHandler(w http.ResponseWriter, r *http.Request) {
+// CreateNameserverGroup handles nameserver group creation request
+func (h *NameserversHandler) CreateNameserverGroup(w http.ResponseWriter, r *http.Request) {
 	claims := h.claimsExtractor.FromRequestContext(r)
 	account, user, err := h.accountManager.GetAccountFromToken(claims)
 	if err != nil {
@@ -89,8 +90,8 @@ func (h *Nameservers) CreateNameserverGroupHandler(w http.ResponseWriter, r *htt
 	util.WriteJSONObject(w, &resp)
 }
 
-// UpdateNameserverGroupHandler handles update to a nameserver group identified by a given ID
-func (h *Nameservers) UpdateNameserverGroupHandler(w http.ResponseWriter, r *http.Request) {
+// UpdateNameserverGroup handles update to a nameserver group identified by a given ID
+func (h *NameserversHandler) UpdateNameserverGroup(w http.ResponseWriter, r *http.Request) {
 	claims := h.claimsExtractor.FromRequestContext(r)
 	account, user, err := h.accountManager.GetAccountFromToken(claims)
 	if err != nil {
@@ -139,8 +140,8 @@ func (h *Nameservers) UpdateNameserverGroupHandler(w http.ResponseWriter, r *htt
 	util.WriteJSONObject(w, &resp)
 }
 
-// PatchNameserverGroupHandler handles patch updates to a nameserver group identified by a given ID
-func (h *Nameservers) PatchNameserverGroupHandler(w http.ResponseWriter, r *http.Request) {
+// PatchNameserverGroup handles patch updates to a nameserver group identified by a given ID
+func (h *NameserversHandler) PatchNameserverGroup(w http.ResponseWriter, r *http.Request) {
 	claims := h.claimsExtractor.FromRequestContext(r)
 	account, user, err := h.accountManager.GetAccountFromToken(claims)
 	if err != nil {
@@ -221,8 +222,8 @@ func (h *Nameservers) PatchNameserverGroupHandler(w http.ResponseWriter, r *http
 	util.WriteJSONObject(w, &resp)
 }
 
-// DeleteNameserverGroupHandler handles nameserver group deletion request
-func (h *Nameservers) DeleteNameserverGroupHandler(w http.ResponseWriter, r *http.Request) {
+// DeleteNameserverGroup handles nameserver group deletion request
+func (h *NameserversHandler) DeleteNameserverGroup(w http.ResponseWriter, r *http.Request) {
 	claims := h.claimsExtractor.FromRequestContext(r)
 	account, user, err := h.accountManager.GetAccountFromToken(claims)
 	if err != nil {
@@ -245,8 +246,8 @@ func (h *Nameservers) DeleteNameserverGroupHandler(w http.ResponseWriter, r *htt
 	util.WriteJSONObject(w, "")
 }
 
-// GetNameserverGroupHandler handles a nameserver group Get request identified by ID
-func (h *Nameservers) GetNameserverGroupHandler(w http.ResponseWriter, r *http.Request) {
+// GetNameserverGroup handles a nameserver group Get request identified by ID
+func (h *NameserversHandler) GetNameserverGroup(w http.ResponseWriter, r *http.Request) {
 	claims := h.claimsExtractor.FromRequestContext(r)
 	account, _, err := h.accountManager.GetAccountFromToken(claims)
 	if err != nil {

management/server/http/nameservers_handler_test.go

@@ -9,12 +9,14 @@ import (
 	"net/netip"
 	"testing"
 
+	"github.com/stretchr/testify/assert"
+
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/server/http/api"
 	"github.com/netbirdio/netbird/management/server/status"
-	"github.com/stretchr/testify/assert"
 
 	"github.com/gorilla/mux"
+
 	"github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/jwtclaims"
 	"github.com/netbirdio/netbird/management/server/mock_server"
@@ -55,8 +57,8 @@ var baseExistingNSGroup = &nbdns.NameServerGroup{
 	Enabled: true,
 }
 
-func initNameserversTestData() *Nameservers {
-	return &Nameservers{
+func initNameserversTestData() *NameserversHandler {
+	return &NameserversHandler{
 		accountManager: &mock_server.MockAccountManager{
 			GetNameServerGroupFunc: func(accountID, nsGroupID string) (*nbdns.NameServerGroup, error) {
 				if nsGroupID == existingNSGroupID {
@@ -260,11 +262,11 @@ func TestNameserversHandlers(t *testing.T) {
 			req := httptest.NewRequest(tc.requestType, tc.requestPath, tc.requestBody)
 
 			router := mux.NewRouter()
-			router.HandleFunc("/api/dns/nameservers/{id}", p.GetNameserverGroupHandler).Methods("GET")
-			router.HandleFunc("/api/dns/nameservers", p.CreateNameserverGroupHandler).Methods("POST")
-			router.HandleFunc("/api/dns/nameservers/{id}", p.DeleteNameserverGroupHandler).Methods("DELETE")
-			router.HandleFunc("/api/dns/nameservers/{id}", p.UpdateNameserverGroupHandler).Methods("PUT")
-			router.HandleFunc("/api/dns/nameservers/{id}", p.PatchNameserverGroupHandler).Methods("PATCH")
+			router.HandleFunc("/api/dns/nameservers/{id}", p.GetNameserverGroup).Methods("GET")
+			router.HandleFunc("/api/dns/nameservers", p.CreateNameserverGroup).Methods("POST")
+			router.HandleFunc("/api/dns/nameservers/{id}", p.DeleteNameserverGroup).Methods("DELETE")
+			router.HandleFunc("/api/dns/nameservers/{id}", p.UpdateNameserverGroup).Methods("PUT")
+			router.HandleFunc("/api/dns/nameservers/{id}", p.PatchNameserverGroup).Methods("PATCH")
 			router.ServeHTTP(recorder, req)
 
 			res := recorder.Result()

management/server/http/peers_handler.go

@@ -6,6 +6,7 @@ import (
 	"net/http"
 
 	"github.com/gorilla/mux"
+
 	"github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/http/api"
 	"github.com/netbirdio/netbird/management/server/http/util"
@@ -13,14 +14,15 @@ import (
 	"github.com/netbirdio/netbird/management/server/status"
 )
 
-// Peers is a handler that returns peers of the account
-type Peers struct {
+// PeersHandler is a handler that returns peers of the account
+type PeersHandler struct {
 	accountManager  server.AccountManager
 	claimsExtractor *jwtclaims.ClaimsExtractor
 }
 
-func NewPeers(accountManager server.AccountManager, authCfg AuthCfg) *Peers {
-	return &Peers{
+// NewPeersHandler creates a new PeersHandler HTTP handler
+func NewPeersHandler(accountManager server.AccountManager, authCfg AuthCfg) *PeersHandler {
+	return &PeersHandler{
 		accountManager: accountManager,
 		claimsExtractor: jwtclaims.NewClaimsExtractor(
 			jwtclaims.WithAudience(authCfg.Audience),
@@ -29,7 +31,7 @@ func NewPeers(accountManager server.AccountManager, authCfg AuthCfg) *Peers {
 	}
 }
 
-func (h *Peers) getPeer(account *server.Account, peerID, userID string, w http.ResponseWriter) {
+func (h *PeersHandler) getPeer(account *server.Account, peerID, userID string, w http.ResponseWriter) {
 	peer, err := h.accountManager.GetPeer(account.Id, peerID, userID)
 	if err != nil {
 		util.WriteError(err, w)
@@ -39,7 +41,7 @@ func (h *Peers) getPeer(account *server.Account, peerID, userID string, w http.R
 	util.WriteJSONObject(w, toPeerResponse(peer, account, h.accountManager.GetDNSDomain()))
 }
 
-func (h *Peers) updatePeer(account *server.Account, user *server.User, peerID string, w http.ResponseWriter, r *http.Request) {
+func (h *PeersHandler) updatePeer(account *server.Account, user *server.User, peerID string, w http.ResponseWriter, r *http.Request) {
 	req := &api.PutApiPeersIdJSONBody{}
 	err := json.NewDecoder(r.Body).Decode(&req)
 	if err != nil {
@@ -47,7 +49,8 @@ func (h *Peers) updatePeer(account *server.Account, user *server.User, peerID st
 		return
 	}
 
-	update := &server.Peer{ID: peerID, SSHEnabled: req.SshEnabled, Name: req.Name}
+	update := &server.Peer{ID: peerID, SSHEnabled: req.SshEnabled, Name: req.Name,
+		LoginExpirationEnabled: req.LoginExpirationEnabled}
 	peer, err := h.accountManager.UpdatePeer(account.Id, user.Id, update)
 	if err != nil {
 		util.WriteError(err, w)
@@ -57,7 +60,7 @@ func (h *Peers) updatePeer(account *server.Account, user *server.User, peerID st
 	util.WriteJSONObject(w, toPeerResponse(peer, account, dnsDomain))
 }
 
-func (h *Peers) deletePeer(accountID, userID string, peerID string, w http.ResponseWriter) {
+func (h *PeersHandler) deletePeer(accountID, userID string, peerID string, w http.ResponseWriter) {
 	_, err := h.accountManager.DeletePeer(accountID, peerID, userID)
 	if err != nil {
 		util.WriteError(err, w)
@@ -66,7 +69,8 @@ func (h *Peers) deletePeer(accountID, userID string, peerID string, w http.Respo
 	util.WriteJSONObject(w, "")
 }
 
-func (h *Peers) HandlePeer(w http.ResponseWriter, r *http.Request) {
+// HandlePeer handles all peer requests for GET, PUT and DELETE operations
+func (h *PeersHandler) HandlePeer(w http.ResponseWriter, r *http.Request) {
 	claims := h.claimsExtractor.FromRequestContext(r)
 	account, user, err := h.accountManager.GetAccountFromToken(claims)
 	if err != nil {
@@ -95,7 +99,8 @@ func (h *Peers) HandlePeer(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
-func (h *Peers) GetPeers(w http.ResponseWriter, r *http.Request) {
+// GetAllPeers returns a list of all peers associated with a provided account
+func (h *PeersHandler) GetAllPeers(w http.ResponseWriter, r *http.Request) {
 	switch r.Method {
 	case http.MethodGet:
 		claims := h.claimsExtractor.FromRequestContext(r)
@@ -150,19 +155,23 @@ func toPeerResponse(peer *server.Peer, account *server.Account, dnsDomain string
 	if fqdn == "" {
 		fqdn = peer.DNSLabel
 	}
+
 	return &api.Peer{
-		Id:         peer.ID,
-		Name:       peer.Name,
-		Ip:         peer.IP.String(),
-		Connected:  peer.Status.Connected,
-		LastSeen:   peer.Status.LastSeen,
-		Os:         fmt.Sprintf("%s %s", peer.Meta.OS, peer.Meta.Core),
-		Version:    peer.Meta.WtVersion,
-		Groups:     groupsInfo,
-		SshEnabled: peer.SSHEnabled,
-		Hostname:   peer.Meta.Hostname,
-		UserId:     &peer.UserID,
-		UiVersion:  &peer.Meta.UIVersion,
-		DnsLabel:   fqdn,
+		Id:                     peer.ID,
+		Name:                   peer.Name,
+		Ip:                     peer.IP.String(),
+		Connected:              peer.Status.Connected,
+		LastSeen:               peer.Status.LastSeen,
+		Os:                     fmt.Sprintf("%s %s", peer.Meta.OS, peer.Meta.Core),
+		Version:                peer.Meta.WtVersion,
+		Groups:                 groupsInfo,
+		SshEnabled:             peer.SSHEnabled,
+		Hostname:               peer.Meta.Hostname,
+		UserId:                 &peer.UserID,
+		UiVersion:              &peer.Meta.UIVersion,
+		DnsLabel:               fqdn,
+		LoginExpirationEnabled: peer.LoginExpirationEnabled,
+		LastLogin:              peer.LastLogin,
+		LoginExpired:           peer.Status.LoginExpired,
 	}
 }

management/server/http/peers_handler_test.go

@@ -1,28 +1,39 @@
 package http
 
 import (
+	"bytes"
 	"encoding/json"
-	"github.com/gorilla/mux"
 	"io"
 	"net"
 	"net/http"
 	"net/http/httptest"
 	"testing"
+	"time"
+
+	"github.com/gorilla/mux"
 
 	"github.com/netbirdio/netbird/management/server/http/api"
 
 	"github.com/netbirdio/netbird/management/server/jwtclaims"
 
 	"github.com/magiconair/properties/assert"
+
 	"github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/mock_server"
 )
 
 const testPeerID = "test_peer"
 
-func initTestMetaData(peers ...*server.Peer) *Peers {
-	return &Peers{
+func initTestMetaData(peers ...*server.Peer) *PeersHandler {
+	return &PeersHandler{
 		accountManager: &mock_server.MockAccountManager{
+			UpdatePeerFunc: func(accountID, userID string, update *server.Peer) (*server.Peer, error) {
+				p := peers[0].Copy()
+				p.SSHEnabled = update.SSHEnabled
+				p.LoginExpirationEnabled = update.LoginExpirationEnabled
+				p.Name = update.Name
+				return p, nil
+			},
 			GetPeerFunc: func(accountID, peerID, userID string) (*server.Peer, error) {
 				return peers[0], nil
 			},
@@ -40,6 +51,10 @@ func initTestMetaData(peers ...*server.Peer) *Peers {
 					Users: map[string]*server.User{
 						"test_user": user,
 					},
+					Settings: &server.Settings{
+						PeerLoginExpirationEnabled: true,
+						PeerLoginExpiration:        time.Hour,
+					},
 				}, user, nil
 			},
 		},
@@ -55,41 +70,18 @@ func initTestMetaData(peers ...*server.Peer) *Peers {
 	}
 }
 
-// Tests the GetPeers endpoint reachable in the route /api/peers
+// Tests the GetAllPeers endpoint reachable in the route /api/peers
 // Use the metadata generated by initTestMetaData() to check for values
 func TestGetPeers(t *testing.T) {
-	tt := []struct {
-		name           string
-		expectedStatus int
-		requestType    string
-		requestPath    string
-		requestBody    io.Reader
-		expectedArray  bool
-	}{
-		{
-			name:           "GetPeersMetaData",
-			requestType:    http.MethodGet,
-			requestPath:    "/api/peers/",
-			expectedStatus: http.StatusOK,
-			expectedArray:  true,
-		},
-		{
-			name:           "GetPeer",
-			requestType:    http.MethodGet,
-			requestPath:    "/api/peers/" + testPeerID,
-			expectedStatus: http.StatusOK,
-			expectedArray:  false,
-		},
-	}
 
-	rr := httptest.NewRecorder()
 	peer := &server.Peer{
-		ID:       testPeerID,
-		Key:      "key",
-		SetupKey: "setupkey",
-		IP:       net.ParseIP("100.64.0.1"),
-		Status:   &server.PeerStatus{},
-		Name:     "PeerName",
+		ID:                     testPeerID,
+		Key:                    "key",
+		SetupKey:               "setupkey",
+		IP:                     net.ParseIP("100.64.0.1"),
+		Status:                 &server.PeerStatus{},
+		Name:                   "PeerName",
+		LoginExpirationEnabled: false,
 		Meta: server.PeerSystemMeta{
 			Hostname:  "hostname",
 			GoOS:      "GoOS",
@@ -101,6 +93,49 @@ func TestGetPeers(t *testing.T) {
 		},
 	}
 
+	expectedUpdatedPeer := peer.Copy()
+	expectedUpdatedPeer.LoginExpirationEnabled = true
+	expectedUpdatedPeer.SSHEnabled = true
+	expectedUpdatedPeer.Name = "New Name"
+
+	tt := []struct {
+		name           string
+		expectedStatus int
+		requestType    string
+		requestPath    string
+		requestBody    io.Reader
+		expectedArray  bool
+		expectedPeer   *server.Peer
+	}{
+		{
+			name:           "GetPeersMetaData",
+			requestType:    http.MethodGet,
+			requestPath:    "/api/peers/",
+			expectedStatus: http.StatusOK,
+			expectedArray:  true,
+			expectedPeer:   peer,
+		},
+		{
+			name:           "GetPeer",
+			requestType:    http.MethodGet,
+			requestPath:    "/api/peers/" + testPeerID,
+			expectedStatus: http.StatusOK,
+			expectedArray:  false,
+			expectedPeer:   peer,
+		},
+		{
+			name:           "PutPeer",
+			requestType:    http.MethodPut,
+			requestPath:    "/api/peers/" + testPeerID,
+			expectedStatus: http.StatusOK,
+			expectedArray:  false,
+			requestBody:    bytes.NewBufferString("{\"login_expiration_enabled\":true,\"name\":\"New Name\",\"ssh_enabled\":true}"),
+			expectedPeer:   expectedUpdatedPeer,
+		},
+	}
+
+	rr := httptest.NewRecorder()
+
 	p := initTestMetaData(peer)
 
 	for _, tc := range tt {
@@ -110,8 +145,9 @@ func TestGetPeers(t *testing.T) {
 			req := httptest.NewRequest(tc.requestType, tc.requestPath, tc.requestBody)
 
 			router := mux.NewRouter()
-			router.HandleFunc("/api/peers/", p.GetPeers).Methods("GET")
+			router.HandleFunc("/api/peers/", p.GetAllPeers).Methods("GET")
 			router.HandleFunc("/api/peers/{id}", p.HandlePeer).Methods("GET")
+			router.HandleFunc("/api/peers/{id}", p.HandlePeer).Methods("PUT")
 			router.ServeHTTP(recorder, req)
 
 			res := recorder.Result()
@@ -144,10 +180,12 @@ func TestGetPeers(t *testing.T) {
 				}
 			}
 
-			assert.Equal(t, got.Name, peer.Name)
-			assert.Equal(t, got.Version, peer.Meta.WtVersion)
-			assert.Equal(t, got.Ip, peer.IP.String())
+			assert.Equal(t, got.Name, tc.expectedPeer.Name)
+			assert.Equal(t, got.Version, tc.expectedPeer.Meta.WtVersion)
+			assert.Equal(t, got.Ip, tc.expectedPeer.IP.String())
 			assert.Equal(t, got.Os, "OS core")
+			assert.Equal(t, got.LoginExpirationEnabled, tc.expectedPeer.LoginExpirationEnabled)
+			assert.Equal(t, got.SshEnabled, tc.expectedPeer.SSHEnabled)
 		})
 	}
 }

management/server/http/routes_handler.go

@@ -6,6 +6,7 @@ import (
 	"unicode/utf8"
 
 	"github.com/gorilla/mux"
+
 	"github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/http/api"
 	"github.com/netbirdio/netbird/management/server/http/util"
@@ -14,15 +15,15 @@ import (
 	"github.com/netbirdio/netbird/route"
 )
 
-// Routes is the routes handler of the account
-type Routes struct {
+// RoutesHandler is the routes handler of the account
+type RoutesHandler struct {
 	accountManager  server.AccountManager
 	claimsExtractor *jwtclaims.ClaimsExtractor
 }
 
-// NewRoutes returns a new instance of Routes handler
-func NewRoutes(accountManager server.AccountManager, authCfg AuthCfg) *Routes {
-	return &Routes{
+// NewRoutesHandler returns a new instance of RoutesHandler handler
+func NewRoutesHandler(accountManager server.AccountManager, authCfg AuthCfg) *RoutesHandler {
+	return &RoutesHandler{
 		accountManager: accountManager,
 		claimsExtractor: jwtclaims.NewClaimsExtractor(
 			jwtclaims.WithAudience(authCfg.Audience),
@@ -31,8 +32,8 @@ func NewRoutes(accountManager server.AccountManager, authCfg AuthCfg) *Routes {
 	}
 }
 
-// GetAllRoutesHandler returns the list of routes for the account
-func (h *Routes) GetAllRoutesHandler(w http.ResponseWriter, r *http.Request) {
+// GetAllRoutes returns the list of routes for the account
+func (h *RoutesHandler) GetAllRoutes(w http.ResponseWriter, r *http.Request) {
 	claims := h.claimsExtractor.FromRequestContext(r)
 	account, user, err := h.accountManager.GetAccountFromToken(claims)
 	if err != nil {
@@ -53,8 +54,8 @@ func (h *Routes) GetAllRoutesHandler(w http.ResponseWriter, r *http.Request) {
 	util.WriteJSONObject(w, apiRoutes)
 }
 
-// CreateRouteHandler handles route creation request
-func (h *Routes) CreateRouteHandler(w http.ResponseWriter, r *http.Request) {
+// CreateRoute handles route creation request
+func (h *RoutesHandler) CreateRoute(w http.ResponseWriter, r *http.Request) {
 	claims := h.claimsExtractor.FromRequestContext(r)
 	account, user, err := h.accountManager.GetAccountFromToken(claims)
 	if err != nil {
@@ -92,8 +93,8 @@ func (h *Routes) CreateRouteHandler(w http.ResponseWriter, r *http.Request) {
 	util.WriteJSONObject(w, &resp)
 }
 
-// UpdateRouteHandler handles update to a route identified by a given ID
-func (h *Routes) UpdateRouteHandler(w http.ResponseWriter, r *http.Request) {
+// UpdateRoute handles update to a route identified by a given ID
+func (h *RoutesHandler) UpdateRoute(w http.ResponseWriter, r *http.Request) {
 	claims := h.claimsExtractor.FromRequestContext(r)
 	account, user, err := h.accountManager.GetAccountFromToken(claims)
 	if err != nil {
@@ -158,8 +159,8 @@ func (h *Routes) UpdateRouteHandler(w http.ResponseWriter, r *http.Request) {
 	util.WriteJSONObject(w, &resp)
 }
 
-// PatchRouteHandler handles patch updates to a route identified by a given ID
-func (h *Routes) PatchRouteHandler(w http.ResponseWriter, r *http.Request) {
+// PatchRoute handles patch updates to a route identified by a given ID
+func (h *RoutesHandler) PatchRoute(w http.ResponseWriter, r *http.Request) {
 	claims := h.claimsExtractor.FromRequestContext(r)
 	account, user, err := h.accountManager.GetAccountFromToken(claims)
 	if err != nil {
@@ -299,8 +300,8 @@ func (h *Routes) PatchRouteHandler(w http.ResponseWriter, r *http.Request) {
 	util.WriteJSONObject(w, &resp)
 }
 
-// DeleteRouteHandler handles route deletion request
-func (h *Routes) DeleteRouteHandler(w http.ResponseWriter, r *http.Request) {
+// DeleteRoute handles route deletion request
+func (h *RoutesHandler) DeleteRoute(w http.ResponseWriter, r *http.Request) {
 	claims := h.claimsExtractor.FromRequestContext(r)
 	account, user, err := h.accountManager.GetAccountFromToken(claims)
 	if err != nil {
@@ -323,8 +324,8 @@ func (h *Routes) DeleteRouteHandler(w http.ResponseWriter, r *http.Request) {
 	util.WriteJSONObject(w, "")
 }
 
-// GetRouteHandler handles a route Get request identified by ID
-func (h *Routes) GetRouteHandler(w http.ResponseWriter, r *http.Request) {
+// GetRoute handles a route Get request identified by ID
+func (h *RoutesHandler) GetRoute(w http.ResponseWriter, r *http.Request) {
 	claims := h.claimsExtractor.FromRequestContext(r)
 	account, user, err := h.accountManager.GetAccountFromToken(claims)
 	if err != nil {

management/server/http/routes_handler_test.go

@@ -17,6 +17,7 @@ import (
 
 	"github.com/gorilla/mux"
 	"github.com/magiconair/properties/assert"
+
 	"github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/jwtclaims"
 	"github.com/netbirdio/netbird/management/server/mock_server"
@@ -60,8 +61,8 @@ var testingAccount = &server.Account{
 	},
 }
 
-func initRoutesTestData() *Routes {
-	return &Routes{
+func initRoutesTestData() *RoutesHandler {
+	return &RoutesHandler{
 		accountManager: &mock_server.MockAccountManager{
 			GetRouteFunc: func(_, routeID, _ string) (*route.Route, error) {
 				if routeID == existingRouteID {
@@ -352,11 +353,11 @@ func TestRoutesHandlers(t *testing.T) {
 			req := httptest.NewRequest(tc.requestType, tc.requestPath, tc.requestBody)
 
 			router := mux.NewRouter()
-			router.HandleFunc("/api/routes/{id}", p.GetRouteHandler).Methods("GET")
-			router.HandleFunc("/api/routes/{id}", p.DeleteRouteHandler).Methods("DELETE")
-			router.HandleFunc("/api/routes", p.CreateRouteHandler).Methods("POST")
-			router.HandleFunc("/api/routes/{id}", p.UpdateRouteHandler).Methods("PUT")
-			router.HandleFunc("/api/routes/{id}", p.PatchRouteHandler).Methods("PATCH")
+			router.HandleFunc("/api/routes/{id}", p.GetRoute).Methods("GET")
+			router.HandleFunc("/api/routes/{id}", p.DeleteRoute).Methods("DELETE")
+			router.HandleFunc("/api/routes", p.CreateRoute).Methods("POST")
+			router.HandleFunc("/api/routes/{id}", p.UpdateRoute).Methods("PUT")
+			router.HandleFunc("/api/routes/{id}", p.PatchRoute).Methods("PATCH")
 			router.ServeHTTP(recorder, req)
 
 			res := recorder.Result()

management/server/http/rules_handler.go

@@ -5,22 +5,24 @@ import (
 	"net/http"
 
 	"github.com/gorilla/mux"
+	"github.com/rs/xid"
+
 	"github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/http/api"
 	"github.com/netbirdio/netbird/management/server/http/util"
 	"github.com/netbirdio/netbird/management/server/jwtclaims"
 	"github.com/netbirdio/netbird/management/server/status"
-	"github.com/rs/xid"
 )
 
-// Rules is a handler that returns rules of the account
-type Rules struct {
+// RulesHandler is a handler that returns rules of the account
+type RulesHandler struct {
 	accountManager  server.AccountManager
 	claimsExtractor *jwtclaims.ClaimsExtractor
 }
 
-func NewRules(accountManager server.AccountManager, authCfg AuthCfg) *Rules {
-	return &Rules{
+// NewRulesHandler creates a new RulesHandler HTTP handler
+func NewRulesHandler(accountManager server.AccountManager, authCfg AuthCfg) *RulesHandler {
+	return &RulesHandler{
 		accountManager: accountManager,
 		claimsExtractor: jwtclaims.NewClaimsExtractor(
 			jwtclaims.WithAudience(authCfg.Audience),
@@ -29,8 +31,8 @@ func NewRules(accountManager server.AccountManager, authCfg AuthCfg) *Rules {
 	}
 }
 
-// GetAllRulesHandler list for the account
-func (h *Rules) GetAllRulesHandler(w http.ResponseWriter, r *http.Request) {
+// GetAllRules list for the account
+func (h *RulesHandler) GetAllRules(w http.ResponseWriter, r *http.Request) {
 	claims := h.claimsExtractor.FromRequestContext(r)
 	account, user, err := h.accountManager.GetAccountFromToken(claims)
 	if err != nil {
@@ -51,8 +53,8 @@ func (h *Rules) GetAllRulesHandler(w http.ResponseWriter, r *http.Request) {
 	util.WriteJSONObject(w, rules)
 }
 
-// UpdateRuleHandler handles update to a rule identified by a given ID
-func (h *Rules) UpdateRuleHandler(w http.ResponseWriter, r *http.Request) {
+// UpdateRule handles update to a rule identified by a given ID
+func (h *RulesHandler) UpdateRule(w http.ResponseWriter, r *http.Request) {
 	claims := h.claimsExtractor.FromRequestContext(r)
 	account, user, err := h.accountManager.GetAccountFromToken(claims)
 	if err != nil {
@@ -122,8 +124,8 @@ func (h *Rules) UpdateRuleHandler(w http.ResponseWriter, r *http.Request) {
 	util.WriteJSONObject(w, &resp)
 }
 
-// PatchRuleHandler handles patch updates to a rule identified by a given ID
-func (h *Rules) PatchRuleHandler(w http.ResponseWriter, r *http.Request) {
+// PatchRule handles patch updates to a rule identified by a given ID
+func (h *RulesHandler) PatchRule(w http.ResponseWriter, r *http.Request) {
 	claims := h.claimsExtractor.FromRequestContext(r)
 	account, _, err := h.accountManager.GetAccountFromToken(claims)
 	if err != nil {
@@ -265,8 +267,8 @@ func (h *Rules) PatchRuleHandler(w http.ResponseWriter, r *http.Request) {
 	util.WriteJSONObject(w, &resp)
 }
 
-// CreateRuleHandler handles rule creation request
-func (h *Rules) CreateRuleHandler(w http.ResponseWriter, r *http.Request) {
+// CreateRule handles rule creation request
+func (h *RulesHandler) CreateRule(w http.ResponseWriter, r *http.Request) {
 	claims := h.claimsExtractor.FromRequestContext(r)
 	account, user, err := h.accountManager.GetAccountFromToken(claims)
 	if err != nil {
@@ -324,8 +326,8 @@ func (h *Rules) CreateRuleHandler(w http.ResponseWriter, r *http.Request) {
 	util.WriteJSONObject(w, &resp)
 }
 
-// DeleteRuleHandler handles rule deletion request
-func (h *Rules) DeleteRuleHandler(w http.ResponseWriter, r *http.Request) {
+// DeleteRule handles rule deletion request
+func (h *RulesHandler) DeleteRule(w http.ResponseWriter, r *http.Request) {
 	claims := h.claimsExtractor.FromRequestContext(r)
 	account, user, err := h.accountManager.GetAccountFromToken(claims)
 	if err != nil {
@@ -349,8 +351,8 @@ func (h *Rules) DeleteRuleHandler(w http.ResponseWriter, r *http.Request) {
 	util.WriteJSONObject(w, "")
 }
 
-// GetRuleHandler handles a group Get request identified by ID
-func (h *Rules) GetRuleHandler(w http.ResponseWriter, r *http.Request) {
+// GetRule handles a group Get request identified by ID
+func (h *RulesHandler) GetRule(w http.ResponseWriter, r *http.Request) {
 	claims := h.claimsExtractor.FromRequestContext(r)
 	account, user, err := h.accountManager.GetAccountFromToken(claims)
 	if err != nil {

management/server/http/rules_handler_test.go

@@ -13,15 +13,17 @@ import (
 	"github.com/netbirdio/netbird/management/server/http/api"
 
 	"github.com/gorilla/mux"
+
 	"github.com/netbirdio/netbird/management/server/jwtclaims"
 
 	"github.com/magiconair/properties/assert"
+
 	"github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/mock_server"
 )
 
-func initRulesTestData(rules ...*server.Rule) *Rules {
-	return &Rules{
+func initRulesTestData(rules ...*server.Rule) *RulesHandler {
+	return &RulesHandler{
 		accountManager: &mock_server.MockAccountManager{
 			SaveRuleFunc: func(_, _ string, rule *server.Rule) error {
 				if !strings.HasPrefix(rule.ID, "id-") {
@@ -132,7 +134,7 @@ func TestRulesGetRule(t *testing.T) {
 			req := httptest.NewRequest(tc.requestType, tc.requestPath, tc.requestBody)
 
 			router := mux.NewRouter()
-			router.HandleFunc("/api/rules/{id}", p.GetRuleHandler).Methods("GET")
+			router.HandleFunc("/api/rules/{id}", p.GetRule).Methods("GET")
 			router.ServeHTTP(recorder, req)
 
 			res := recorder.Result()
@@ -278,9 +280,9 @@ func TestRulesWriteRule(t *testing.T) {
 			req := httptest.NewRequest(tc.requestType, tc.requestPath, tc.requestBody)
 
 			router := mux.NewRouter()
-			router.HandleFunc("/api/rules", p.CreateRuleHandler).Methods("POST")
-			router.HandleFunc("/api/rules/{id}", p.UpdateRuleHandler).Methods("PUT")
-			router.HandleFunc("/api/rules/{id}", p.PatchRuleHandler).Methods("PATCH")
+			router.HandleFunc("/api/rules", p.CreateRule).Methods("POST")
+			router.HandleFunc("/api/rules/{id}", p.UpdateRule).Methods("PUT")
+			router.HandleFunc("/api/rules/{id}", p.PatchRule).Methods("PATCH")
 			router.ServeHTTP(recorder, req)
 
 			res := recorder.Result()

management/server/http/setupkeys_handler.go

@@ -6,6 +6,7 @@ import (
 	"time"
 
 	"github.com/gorilla/mux"
+
 	"github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/http/api"
 	"github.com/netbirdio/netbird/management/server/http/util"
@@ -13,14 +14,15 @@ import (
 	"github.com/netbirdio/netbird/management/server/status"
 )
 
-// SetupKeys is a handler that returns a list of setup keys of the account
-type SetupKeys struct {
+// SetupKeysHandler is a handler that returns a list of setup keys of the account
+type SetupKeysHandler struct {
 	accountManager  server.AccountManager
 	claimsExtractor *jwtclaims.ClaimsExtractor
 }
 
-func NewSetupKeysHandler(accountManager server.AccountManager, authCfg AuthCfg) *SetupKeys {
-	return &SetupKeys{
+// NewSetupKeysHandler creates a new SetupKeysHandler HTTP handler
+func NewSetupKeysHandler(accountManager server.AccountManager, authCfg AuthCfg) *SetupKeysHandler {
+	return &SetupKeysHandler{
 		accountManager: accountManager,
 		claimsExtractor: jwtclaims.NewClaimsExtractor(
 			jwtclaims.WithAudience(authCfg.Audience),
@@ -29,8 +31,8 @@ func NewSetupKeysHandler(accountManager server.AccountManager, authCfg AuthCfg)
 	}
 }
 
-// CreateSetupKeyHandler is a POST requests that creates a new SetupKey
-func (h *SetupKeys) CreateSetupKeyHandler(w http.ResponseWriter, r *http.Request) {
+// CreateSetupKey is a POST requests that creates a new SetupKey
+func (h *SetupKeysHandler) CreateSetupKey(w http.ResponseWriter, r *http.Request) {
 	claims := h.claimsExtractor.FromRequestContext(r)
 	account, user, err := h.accountManager.GetAccountFromToken(claims)
 	if err != nil {
@@ -72,8 +74,8 @@ func (h *SetupKeys) CreateSetupKeyHandler(w http.ResponseWriter, r *http.Request
 	writeSuccess(w, setupKey)
 }
 
-// GetSetupKeyHandler is a GET request to get a SetupKey by ID
-func (h *SetupKeys) GetSetupKeyHandler(w http.ResponseWriter, r *http.Request) {
+// GetSetupKey is a GET request to get a SetupKey by ID
+func (h *SetupKeysHandler) GetSetupKey(w http.ResponseWriter, r *http.Request) {
 	claims := h.claimsExtractor.FromRequestContext(r)
 	account, user, err := h.accountManager.GetAccountFromToken(claims)
 	if err != nil {
@@ -97,8 +99,8 @@ func (h *SetupKeys) GetSetupKeyHandler(w http.ResponseWriter, r *http.Request) {
 	writeSuccess(w, key)
 }
 
-// UpdateSetupKeyHandler is a PUT request to update server.SetupKey
-func (h *SetupKeys) UpdateSetupKeyHandler(w http.ResponseWriter, r *http.Request) {
+// UpdateSetupKey is a PUT request to update server.SetupKey
+func (h *SetupKeysHandler) UpdateSetupKey(w http.ResponseWriter, r *http.Request) {
 	claims := h.claimsExtractor.FromRequestContext(r)
 	account, user, err := h.accountManager.GetAccountFromToken(claims)
 	if err != nil {
@@ -144,8 +146,8 @@ func (h *SetupKeys) UpdateSetupKeyHandler(w http.ResponseWriter, r *http.Request
 	writeSuccess(w, newKey)
 }
 
-// GetAllSetupKeysHandler is a GET request that returns a list of SetupKey
-func (h *SetupKeys) GetAllSetupKeysHandler(w http.ResponseWriter, r *http.Request) {
+// GetAllSetupKeys is a GET request that returns a list of SetupKey
+func (h *SetupKeysHandler) GetAllSetupKeys(w http.ResponseWriter, r *http.Request) {
 	claims := h.claimsExtractor.FromRequestContext(r)
 	account, user, err := h.accountManager.GetAccountFromToken(claims)
 	if err != nil {

management/server/http/setupkeys_handler_test.go

@@ -11,9 +11,10 @@ import (
 	"time"
 
 	"github.com/gorilla/mux"
+	"github.com/stretchr/testify/assert"
+
 	"github.com/netbirdio/netbird/management/server/http/api"
 	"github.com/netbirdio/netbird/management/server/status"
-	"github.com/stretchr/testify/assert"
 
 	"github.com/netbirdio/netbird/management/server/jwtclaims"
 
@@ -30,8 +31,8 @@ const (
 
 func initSetupKeysTestMetaData(defaultKey *server.SetupKey, newKey *server.SetupKey, updatedSetupKey *server.SetupKey,
 	user *server.User,
-) *SetupKeys {
-	return &SetupKeys{
+) *SetupKeysHandler {
+	return &SetupKeysHandler{
 		accountManager: &mock_server.MockAccountManager{
 			GetAccountFromTokenFunc: func(claims jwtclaims.AuthorizationClaims) (*server.Account, *server.User, error) {
 				return &server.Account{
@@ -171,10 +172,10 @@ func TestSetupKeysHandlers(t *testing.T) {
 			req := httptest.NewRequest(tc.requestType, tc.requestPath, tc.requestBody)
 
 			router := mux.NewRouter()
-			router.HandleFunc("/api/setup-keys", handler.GetAllSetupKeysHandler).Methods("GET", "OPTIONS")
-			router.HandleFunc("/api/setup-keys", handler.CreateSetupKeyHandler).Methods("POST", "OPTIONS")
-			router.HandleFunc("/api/setup-keys/{id}", handler.GetSetupKeyHandler).Methods("GET", "OPTIONS")
-			router.HandleFunc("/api/setup-keys/{id}", handler.UpdateSetupKeyHandler).Methods("PUT", "OPTIONS")
+			router.HandleFunc("/api/setup-keys", handler.GetAllSetupKeys).Methods("GET", "OPTIONS")
+			router.HandleFunc("/api/setup-keys", handler.CreateSetupKey).Methods("POST", "OPTIONS")
+			router.HandleFunc("/api/setup-keys/{id}", handler.GetSetupKey).Methods("GET", "OPTIONS")
+			router.HandleFunc("/api/setup-keys/{id}", handler.UpdateSetupKey).Methods("PUT", "OPTIONS")
 			router.ServeHTTP(recorder, req)
 
 			res := recorder.Result()

management/server/http/users_handler.go

@@ -5,6 +5,7 @@ import (
 	"net/http"
 
 	"github.com/gorilla/mux"
+
 	"github.com/netbirdio/netbird/management/server/http/api"
 	"github.com/netbirdio/netbird/management/server/http/util"
 	"github.com/netbirdio/netbird/management/server/status"
@@ -13,13 +14,15 @@ import (
 	"github.com/netbirdio/netbird/management/server/jwtclaims"
 )
 
-type UserHandler struct {
+// UsersHandler is a handler that returns users of the account
+type UsersHandler struct {
 	accountManager  server.AccountManager
 	claimsExtractor *jwtclaims.ClaimsExtractor
 }
 
-func NewUserHandler(accountManager server.AccountManager, authCfg AuthCfg) *UserHandler {
-	return &UserHandler{
+// NewUsersHandler creates a new UsersHandler HTTP handler
+func NewUsersHandler(accountManager server.AccountManager, authCfg AuthCfg) *UsersHandler {
+	return &UsersHandler{
 		accountManager: accountManager,
 		claimsExtractor: jwtclaims.NewClaimsExtractor(
 			jwtclaims.WithAudience(authCfg.Audience),
@@ -29,7 +32,7 @@ func NewUserHandler(accountManager server.AccountManager, authCfg AuthCfg) *User
 }
 
 // UpdateUser is a PUT requests to update User data
-func (h *UserHandler) UpdateUser(w http.ResponseWriter, r *http.Request) {
+func (h *UsersHandler) UpdateUser(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodPut {
 		util.WriteErrorResponse("wrong HTTP method", http.StatusMethodNotAllowed, w)
 		return
@@ -74,8 +77,8 @@ func (h *UserHandler) UpdateUser(w http.ResponseWriter, r *http.Request) {
 	util.WriteJSONObject(w, toUserResponse(newUser, claims.UserId))
 }
 
-// CreateUserHandler creates a User in the system with a status "invited" (effectively this is a user invite).
-func (h *UserHandler) CreateUserHandler(w http.ResponseWriter, r *http.Request) {
+// CreateUser creates a User in the system with a status "invited" (effectively this is a user invite).
+func (h *UsersHandler) CreateUser(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodPost {
 		util.WriteErrorResponse("wrong HTTP method", http.StatusMethodNotAllowed, w)
 		return
@@ -113,9 +116,9 @@ func (h *UserHandler) CreateUserHandler(w http.ResponseWriter, r *http.Request)
 	util.WriteJSONObject(w, toUserResponse(newUser, claims.UserId))
 }
 
-// GetUsers returns a list of users of the account this user belongs to.
+// GetAllUsers returns a list of users of the account this user belongs to.
 // It also gathers additional user data (like email and name) from the IDP manager.
-func (h *UserHandler) GetUsers(w http.ResponseWriter, r *http.Request) {
+func (h *UsersHandler) GetAllUsers(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodGet {
 		util.WriteErrorResponse("wrong HTTP method", http.StatusMethodNotAllowed, w)
 		return

management/server/http/users_handler_test.go

@@ -8,13 +8,14 @@ import (
 	"testing"
 
 	"github.com/magiconair/properties/assert"
+
 	"github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/jwtclaims"
 	"github.com/netbirdio/netbird/management/server/mock_server"
 )
 
-func initUsers(user ...*server.User) *UserHandler {
-	return &UserHandler{
+func initUsers(user ...*server.User) *UsersHandler {
+	return &UsersHandler{
 		accountManager: &mock_server.MockAccountManager{
 			GetAccountFromTokenFunc: func(claims jwtclaims.AuthorizationClaims) (*server.Account, *server.User, error) {
 				users := make(map[string]*server.User, 0)
@@ -72,7 +73,7 @@ func TestGetUsers(t *testing.T) {
 			req := httptest.NewRequest(tc.requestType, tc.requestPath, nil)
 			rr := httptest.NewRecorder()
 
-			userHandler.GetUsers(rr, req)
+			userHandler.GetAllUsers(rr, req)
 
 			res := rr.Result()
 			defer res.Body.Close()

management/server/management_test.go

@@ -240,7 +240,8 @@ var _ = Describe("Management service", func() {
 		Context("with an invalid setup key", func() {
 			Specify("an error is returned", func() {
 				key, _ := wgtypes.GenerateKey()
-				message, err := encryption.EncryptMessage(serverPubKey, key, &mgmtProto.LoginRequest{SetupKey: "invalid setup key"})
+				message, err := encryption.EncryptMessage(serverPubKey, key, &mgmtProto.LoginRequest{SetupKey: "invalid setup key",
+					Meta: &mgmtProto.PeerSystemMeta{}})
 				Expect(err).NotTo(HaveOccurred())
 
 				resp, err := client.Login(context.TODO(), &mgmtProto.EncryptedMessage{
@@ -269,7 +270,7 @@ var _ = Describe("Management service", func() {
 				Expect(regResp).NotTo(BeNil())
 
 				// just login without registration
-				message, err := encryption.EncryptMessage(serverPubKey, key, &mgmtProto.LoginRequest{})
+				message, err := encryption.EncryptMessage(serverPubKey, key, &mgmtProto.LoginRequest{Meta: &mgmtProto.PeerSystemMeta{}})
 				Expect(err).NotTo(HaveOccurred())
 				loginResp, err := client.Login(context.TODO(), &mgmtProto.EncryptedMessage{
 					WgPubKey: key.PublicKey().String(),

management/server/mock_server/account_mock.go

@@ -1,14 +1,16 @@
 package mock_server
 
 import (
+	"time"
+
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/activity"
 	"github.com/netbirdio/netbird/management/server/jwtclaims"
 	"github.com/netbirdio/netbird/route"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
-	"time"
 )
 
 type MockAccountManager struct {
@@ -23,6 +25,7 @@ type MockAccountManager struct {
 	GetPeerByKeyFunc                func(peerKey string) (*server.Peer, error)
 	GetPeersFunc                    func(accountID, userID string) ([]*server.Peer, error)
 	MarkPeerConnectedFunc           func(peerKey string, connected bool) error
+	MarkPeerLoginExpiredFunc        func(peerPubKey string, loginExpired bool) error
 	DeletePeerFunc                  func(accountID, peerKey, userID string) (*server.Peer, error)
 	GetPeerByIPFunc                 func(accountId string, peerIP string) (*server.Peer, error)
 	GetNetworkMapFunc               func(peerKey string) (*server.NetworkMap, error)
@@ -67,6 +70,10 @@ type MockAccountManager struct {
 	GetDNSSettingsFunc              func(accountID, userID string) (*server.DNSSettings, error)
 	SaveDNSSettingsFunc             func(accountID, userID string, dnsSettingsToSave *server.DNSSettings) error
 	GetPeerFunc                     func(accountID, peerID, userID string) (*server.Peer, error)
+	GetAccountByPeerIDFunc          func(peerID string) (*server.Account, error)
+	UpdateAccountSettingsFunc       func(accountID, userID string, newSettings *server.Settings) (*server.Account, error)
+	LoginPeerFunc                   func(login server.PeerLogin) (*server.Peer, error)
+	SyncPeerFunc                    func(sync server.PeerSync) (*server.Peer, *server.NetworkMap, error)
 }
 
 // GetUsersFromAccount mock implementation of GetUsersFromAccount from server.AccountManager interface
@@ -159,6 +166,14 @@ func (am *MockAccountManager) MarkPeerConnected(peerKey string, connected bool)
 	return status.Errorf(codes.Unimplemented, "method MarkPeerConnected is not implemented")
 }
 
+// MarkPeerLoginExpired mock implementation of MarkPeerLoginExpired from server.AccountManager interface
+func (am *MockAccountManager) MarkPeerLoginExpired(peerPubKey string, loginExpired bool) error {
+	if am.MarkPeerLoginExpiredFunc != nil {
+		return am.MarkPeerLoginExpiredFunc(peerPubKey, loginExpired)
+	}
+	return status.Errorf(codes.Unimplemented, "method MarkPeerLoginExpired is not implemented")
+}
+
 // GetPeerByIP mock implementation of GetPeerByIP from server.AccountManager interface
 func (am *MockAccountManager) GetPeerByIP(accountId string, peerIP string) (*server.Peer, error) {
 	if am.GetPeerByIPFunc != nil {
@@ -484,7 +499,7 @@ func (am *MockAccountManager) GetPeers(accountID, userID string) ([]*server.Peer
 	if am.GetAccountFromTokenFunc != nil {
 		return am.GetPeersFunc(accountID, userID)
 	}
-	return nil, status.Errorf(codes.Unimplemented, "method GetPeers is not implemented")
+	return nil, status.Errorf(codes.Unimplemented, "method GetAllPeers is not implemented")
 }
 
 // GetDNSDomain mocks GetDNSDomain of the AccountManager interface
@@ -500,7 +515,7 @@ func (am *MockAccountManager) GetEvents(accountID, userID string) ([]*activity.E
 	if am.GetEventsFunc != nil {
 		return am.GetEventsFunc(accountID, userID)
 	}
-	return nil, status.Errorf(codes.Unimplemented, "method GetEvents is not implemented")
+	return nil, status.Errorf(codes.Unimplemented, "method GetAllEvents is not implemented")
 }
 
 // GetDNSSettings mocks GetDNSSettings of the AccountManager interface
@@ -526,3 +541,35 @@ func (am *MockAccountManager) GetPeer(accountID, peerID, userID string) (*server
 	}
 	return nil, status.Errorf(codes.Unimplemented, "method GetPeer is not implemented")
 }
+
+// GetAccountByPeerID mocks GetAccountByPeerID of the AccountManager interface
+func (am *MockAccountManager) GetAccountByPeerID(peerID string) (*server.Account, error) {
+	if am.GetAccountByPeerIDFunc != nil {
+		return am.GetAccountByPeerIDFunc(peerID)
+	}
+	return nil, status.Errorf(codes.Unimplemented, "method GetAccountByPeerID is not implemented")
+}
+
+// UpdateAccountSettings mocks UpdateAccountSettings of the AccountManager interface
+func (am *MockAccountManager) UpdateAccountSettings(accountID, userID string, newSettings *server.Settings) (*server.Account, error) {
+	if am.UpdateAccountSettingsFunc != nil {
+		return am.UpdateAccountSettingsFunc(accountID, userID, newSettings)
+	}
+	return nil, status.Errorf(codes.Unimplemented, "method UpdateAccountSettings is not implemented")
+}
+
+// LoginPeer mocks LoginPeer of the AccountManager interface
+func (am *MockAccountManager) LoginPeer(login server.PeerLogin) (*server.Peer, error) {
+	if am.LoginPeerFunc != nil {
+		return am.LoginPeerFunc(login)
+	}
+	return nil, status.Errorf(codes.Unimplemented, "method LoginPeer is not implemented")
+}
+
+// SyncPeer mocks SyncPeer of the AccountManager interface
+func (am *MockAccountManager) SyncPeer(sync server.PeerSync) (*server.Peer, *server.NetworkMap, error) {
+	if am.SyncPeerFunc != nil {
+		return am.SyncPeerFunc(sync)
+	}
+	return nil, nil, status.Errorf(codes.Unimplemented, "method SyncPeer is not implemented")
+}

management/server/peer.go

@@ -32,6 +32,28 @@ type PeerStatus struct {
 	LastSeen time.Time
 	// Connected indicates whether peer is connected to the management service or not
 	Connected bool
+	// LoginExpired
+	LoginExpired bool
+}
+
+// PeerSync used as a data object between the gRPC API and AccountManager on Sync request.
+type PeerSync struct {
+	// WireGuardPubKey is a peers WireGuard public key
+	WireGuardPubKey string
+}
+
+// PeerLogin used as a data object between the gRPC API and AccountManager on Login request.
+type PeerLogin struct {
+	// WireGuardPubKey is a peers WireGuard public key
+	WireGuardPubKey string
+	// SSHKey is a peer's ssh key. Can be empty (e.g., old version do not provide it, or this feature is disabled)
+	SSHKey string
+	// Meta is the system information passed by peer, must be always present.
+	Meta PeerSystemMeta
+	// UserID indicates that JWT was used to log in, and it was valid. Can be empty when SetupKey is used or auth is not required.
+	UserID string
+	// SetupKey references to a server.SetupKey to log in. Can be empty when UserID is used or auth is not required.
+	SetupKey string
 }
 
 // Peer represents a machine connected to the network.
@@ -58,27 +80,70 @@ type Peer struct {
 	UserID string
 	// SSHKey is a public SSH key of the peer
 	SSHKey string
-	// SSHEnabled indicated whether SSH server is enabled on the peer
+	// SSHEnabled indicates whether SSH server is enabled on the peer
 	SSHEnabled bool
+	// LoginExpirationEnabled indicates whether peer's login expiration is enabled and once expired the peer has to re-login.
+	// Works with LastLogin
+	LoginExpirationEnabled bool
+	// LastLogin the time when peer performed last login operation
+	LastLogin time.Time
+}
+
+// AddedWithSSOLogin indicates whether this peer has been added with an SSO login by a user.
+func (p *Peer) AddedWithSSOLogin() bool {
+	return p.UserID != ""
 }
 
 // Copy copies Peer object
 func (p *Peer) Copy() *Peer {
 	return &Peer{
-		ID:         p.ID,
-		Key:        p.Key,
-		SetupKey:   p.SetupKey,
-		IP:         p.IP,
-		Meta:       p.Meta,
-		Name:       p.Name,
-		Status:     p.Status,
-		UserID:     p.UserID,
-		SSHKey:     p.SSHKey,
-		SSHEnabled: p.SSHEnabled,
-		DNSLabel:   p.DNSLabel,
+		ID:                     p.ID,
+		Key:                    p.Key,
+		SetupKey:               p.SetupKey,
+		IP:                     p.IP,
+		Meta:                   p.Meta,
+		Name:                   p.Name,
+		Status:                 p.Status,
+		UserID:                 p.UserID,
+		SSHKey:                 p.SSHKey,
+		SSHEnabled:             p.SSHEnabled,
+		DNSLabel:               p.DNSLabel,
+		LoginExpirationEnabled: p.LoginExpirationEnabled,
+		LastLogin:              p.LastLogin,
 	}
 }
 
+// UpdateMeta updates peer's system meta data
+func (p *Peer) UpdateMeta(meta PeerSystemMeta) {
+	// Avoid overwriting UIVersion if the update was triggered sole by the CLI client
+	if meta.UIVersion == "" {
+		meta.UIVersion = p.Meta.UIVersion
+	}
+	p.Meta = meta
+}
+
+// MarkLoginExpired marks peer's status expired or not
+func (p *Peer) MarkLoginExpired(expired bool) {
+	newStatus := p.Status.Copy()
+	newStatus.LoginExpired = expired
+	if expired {
+		newStatus.Connected = false
+	}
+	p.Status = newStatus
+}
+
+// LoginExpired indicates whether the peer's login has expired or not.
+// If Peer.LastLogin plus the expiresIn duration has happened already; then login has expired.
+// Return true if a login has expired, false otherwise, and time left to expiration (negative when expired).
+// Login expiration can be disabled/enabled on a Peer level via Peer.LoginExpirationEnabled property.
+// Login expiration can also be disabled/enabled globally on the Account level via Settings.PeerLoginExpirationEnabled.
+func (p *Peer) LoginExpired(expiresIn time.Duration) (bool, time.Duration) {
+	expiresAt := p.LastLogin.Add(expiresIn)
+	now := time.Now()
+	timeLeft := expiresAt.Sub(now)
+	return p.LoginExpirationEnabled && (timeLeft <= 0), timeLeft
+}
+
 // FQDN returns peers FQDN combined of the peer's DNS label and the system's DNS domain
 func (p *Peer) FQDN(dnsDomain string) string {
 	if dnsDomain == "" {
@@ -95,12 +160,13 @@ func (p *Peer) EventMeta(dnsDomain string) map[string]any {
 // Copy PeerStatus
 func (p *PeerStatus) Copy() *PeerStatus {
 	return &PeerStatus{
-		LastSeen:  p.LastSeen,
-		Connected: p.Connected,
+		LastSeen:     p.LastSeen,
+		Connected:    p.Connected,
+		LoginExpired: p.LoginExpired,
 	}
 }
 
-// GetPeer looks up peer by its public WireGuard key
+// GetPeerByKey looks up peer by its public WireGuard key
 func (am *DefaultAccountManager) GetPeerByKey(peerPubKey string) (*Peer, error) {
 
 	account, err := am.Store.GetAccountByPeerPubKey(peerPubKey)
@@ -153,6 +219,49 @@ func (am *DefaultAccountManager) GetPeers(accountID, userID string) ([]*Peer, er
 	return peers, nil
 }
 
+func (am *DefaultAccountManager) markPeerLoginExpired(peer *Peer, account *Account, expired bool) (*Peer, error) {
+	peer.MarkLoginExpired(expired)
+	account.UpdatePeer(peer)
+
+	err := am.Store.SavePeerStatus(account.Id, peer.ID, *peer.Status)
+	if err != nil {
+		return nil, err
+	}
+
+	return peer, nil
+}
+
+// MarkPeerLoginExpired when peer login has expired
+func (am *DefaultAccountManager) MarkPeerLoginExpired(peerPubKey string, loginExpired bool) error {
+	account, err := am.Store.GetAccountByPeerPubKey(peerPubKey)
+	if err != nil {
+		return err
+	}
+
+	unlock := am.Store.AcquireAccountLock(account.Id)
+	defer unlock()
+
+	// ensure that we consider modification happened meanwhile (because we were outside the account lock when we fetched the account)
+	account, err = am.Store.GetAccount(account.Id)
+	if err != nil {
+		return err
+	}
+
+	peer, err := account.FindPeerByPubKey(peerPubKey)
+	if err != nil {
+		return err
+	}
+
+	peer.MarkLoginExpired(loginExpired)
+	account.UpdatePeer(peer)
+
+	err = am.Store.SavePeerStatus(account.Id, peer.ID, *peer.Status)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
 // MarkPeerConnected marks peer as connected (true) or disconnected (false)
 func (am *DefaultAccountManager) MarkPeerConnected(peerPubKey string, connected bool) error {
 
@@ -175,9 +284,14 @@ func (am *DefaultAccountManager) MarkPeerConnected(peerPubKey string, connected
 		return err
 	}
 
-	newStatus := peer.Status.Copy()
+	oldStatus := peer.Status.Copy()
+	newStatus := oldStatus
 	newStatus.LastSeen = time.Now()
 	newStatus.Connected = connected
+	// whenever peer got connected that means that it logged in successfully
+	if newStatus.Connected {
+		newStatus.LoginExpired = false
+	}
 	peer.Status = newStatus
 	account.UpdatePeer(peer)
 
@@ -185,10 +299,24 @@ func (am *DefaultAccountManager) MarkPeerConnected(peerPubKey string, connected
 	if err != nil {
 		return err
 	}
+
+	if peer.AddedWithSSOLogin() && peer.LoginExpirationEnabled && account.Settings.PeerLoginExpirationEnabled {
+		am.checkAndSchedulePeerLoginExpiration(account)
+	}
+
+	if oldStatus.LoginExpired {
+		// we need to update other peers because when peer login expires all other peers are notified to disconnect from
+		//the expired one. Here we notify them that connection is now allowed again.
+		err = am.updateAccountPeers(account)
+		if err != nil {
+			return err
+		}
+	}
+
 	return nil
 }
 
-// UpdatePeer updates peer. Only Peer.Name and Peer.SSHEnabled can be updated.
+// UpdatePeer updates peer. Only Peer.Name, Peer.SSHEnabled, and Peer.LoginExpirationEnabled can be updated.
 func (am *DefaultAccountManager) UpdatePeer(accountID, userID string, update *Peer) (*Peer, error) {
 
 	unlock := am.Store.AcquireAccountLock(accountID)
@@ -228,6 +356,25 @@ func (am *DefaultAccountManager) UpdatePeer(accountID, userID string, update *Pe
 		am.storeEvent(userID, peer.ID, accountID, activity.PeerRenamed, peer.EventMeta(am.GetDNSDomain()))
 	}
 
+	if peer.LoginExpirationEnabled != update.LoginExpirationEnabled {
+
+		if !peer.AddedWithSSOLogin() {
+			return nil, status.Errorf(status.PreconditionFailed, "this peer hasn't been added with the SSO login, therefore the login expiration can't be updated")
+		}
+
+		peer.LoginExpirationEnabled = update.LoginExpirationEnabled
+
+		event := activity.PeerLoginExpirationEnabled
+		if !update.LoginExpirationEnabled {
+			event = activity.PeerLoginExpirationDisabled
+		}
+		am.storeEvent(userID, peer.IP.String(), accountID, event, peer.EventMeta(am.GetDNSDomain()))
+
+		if peer.AddedWithSSOLogin() && peer.LoginExpirationEnabled && account.Settings.PeerLoginExpirationEnabled {
+			am.checkAndSchedulePeerLoginExpiration(account)
+		}
+	}
+
 	account.UpdatePeer(peer)
 
 	err = am.Store.SaveAccount(account)
@@ -313,6 +460,34 @@ func (am *DefaultAccountManager) GetPeerByIP(accountID string, peerIP string) (*
 	return nil, status.Errorf(status.NotFound, "peer with IP %s not found", peerIP)
 }
 
+func (am *DefaultAccountManager) getNetworkMap(peer *Peer, account *Account) *NetworkMap {
+	aclPeers := account.getPeersByACL(peer.ID)
+	// Please mind, that the returned route.Route objects will contain Peer.Key instead of Peer.ID.
+	routesUpdate := account.getRoutesToSync(peer.ID, aclPeers)
+
+	dnsManagementStatus := account.getPeerDNSManagementStatus(peer.ID)
+	dnsUpdate := nbdns.Config{
+		ServiceEnable: dnsManagementStatus,
+	}
+
+	if dnsManagementStatus {
+		var zones []nbdns.CustomZone
+		peersCustomZone := getPeersCustomZone(account, am.dnsDomain)
+		if peersCustomZone.Domain != "" {
+			zones = append(zones, peersCustomZone)
+		}
+		dnsUpdate.CustomZones = zones
+		dnsUpdate.NameServerGroups = getPeerNSGroups(account, peer.ID)
+	}
+
+	return &NetworkMap{
+		Peers:     aclPeers,
+		Network:   account.Network.Copy(),
+		Routes:    routesUpdate,
+		DNSConfig: dnsUpdate,
+	}
+}
+
 // GetNetworkMap returns Network map for a given peer (omits original peer from the Peers result)
 func (am *DefaultAccountManager) GetNetworkMap(peerID string) (*NetworkMap, error) {
 
@@ -326,31 +501,7 @@ func (am *DefaultAccountManager) GetNetworkMap(peerID string) (*NetworkMap, erro
 		return nil, status.Errorf(status.NotFound, "peer with ID %s not found", peerID)
 	}
 
-	aclPeers := account.getPeersByACL(peerID)
-	// Please mind, that the returned route.Route objects will contain Peer.Key instead of Peer.ID.
-	routesUpdate := account.getRoutesToSync(peerID, aclPeers)
-
-	dnsManagementStatus := account.getPeerDNSManagementStatus(peerID)
-	dnsUpdate := nbdns.Config{
-		ServiceEnable: dnsManagementStatus,
-	}
-
-	if dnsManagementStatus {
-		var zones []nbdns.CustomZone
-		peersCustomZone := getPeersCustomZone(account, am.dnsDomain)
-		if peersCustomZone.Domain != "" {
-			zones = append(zones, peersCustomZone)
-		}
-		dnsUpdate.CustomZones = zones
-		dnsUpdate.NameServerGroups = getPeerNSGroups(account, peerID)
-	}
-
-	return &NetworkMap{
-		Peers:     aclPeers,
-		Network:   account.Network.Copy(),
-		Routes:    routesUpdate,
-		DNSConfig: dnsUpdate,
-	}, err
+	return am.getNetworkMap(peer, account), nil
 }
 
 // GetPeerNetwork returns the Network for a given peer
@@ -365,13 +516,17 @@ func (am *DefaultAccountManager) GetPeerNetwork(peerID string) (*Network, error)
 }
 
 // AddPeer adds a new peer to the Store.
-// Each Account has a list of pre-authorised SetupKey and if no Account has a given key err with a code codes.Unauthenticated
-// will be returned, meaning the key is invalid
+// Each Account has a list of pre-authorized SetupKey and if no Account has a given key err with a code status.PermissionDenied
+// will be returned, meaning the setup key is invalid or not found.
 // If a User ID is provided, it means that we passed the authentication using JWT, then we look for account by User ID and register the peer
-// to it. We also add the User ID to the peer metadata to identify registrant.
+// to it. We also add the User ID to the peer metadata to identify registrant. If no userID provided, then fail with status.PermissionDenied
 // Each new Peer will be assigned a new next net.IP from the Account.Network and Account.Network.LastIP will be updated (IP's are not reused).
 // The peer property is just a placeholder for the Peer properties to pass further
 func (am *DefaultAccountManager) AddPeer(setupKey, userID string, peer *Peer) (*Peer, error) {
+	if setupKey == "" && userID == "" {
+		// no auth method provided => reject access
+		return nil, status.Errorf(status.Unauthenticated, "no peer auth method provided, please use a setup key or interactive SSO login")
+	}
 
 	upperKey := strings.ToUpper(setupKey)
 	var account *Account
@@ -423,7 +578,7 @@ func (am *DefaultAccountManager) AddPeer(setupKey, userID string, peer *Peer) (*
 	takenIps := account.getTakenIPs()
 	existingLabels := account.getPeerDNSLabels()
 
-	newLabel, err := getPeerHostLabel(peer.Name, existingLabels)
+	newLabel, err := getPeerHostLabel(peer.Meta.Hostname, existingLabels)
 	if err != nil {
 		return nil, err
 	}
@@ -436,17 +591,19 @@ func (am *DefaultAccountManager) AddPeer(setupKey, userID string, peer *Peer) (*
 	}
 
 	newPeer := &Peer{
-		ID:         xid.New().String(),
-		Key:        peer.Key,
-		SetupKey:   upperKey,
-		IP:         nextIp,
-		Meta:       peer.Meta,
-		Name:       peer.Name,
-		DNSLabel:   newLabel,
-		UserID:     userID,
-		Status:     &PeerStatus{Connected: false, LastSeen: time.Now()},
-		SSHEnabled: false,
-		SSHKey:     peer.SSHKey,
+		ID:                     xid.New().String(),
+		Key:                    peer.Key,
+		SetupKey:               upperKey,
+		IP:                     nextIp,
+		Meta:                   peer.Meta,
+		Name:                   peer.Meta.Hostname,
+		DNSLabel:               newLabel,
+		UserID:                 userID,
+		Status:                 &PeerStatus{Connected: false, LastSeen: time.Now()},
+		SSHEnabled:             false,
+		SSHKey:                 peer.SSHKey,
+		LastLogin:              time.Now(),
+		LoginExpirationEnabled: true,
 	}
 
 	// add peer to 'All' group
@@ -488,9 +645,165 @@ func (am *DefaultAccountManager) AddPeer(setupKey, userID string, peer *Peer) (*
 	opEvent.Meta = newPeer.EventMeta(am.GetDNSDomain())
 	am.storeEvent(opEvent.InitiatorID, opEvent.TargetID, opEvent.AccountID, opEvent.Activity, opEvent.Meta)
 
+	err = am.updateAccountPeers(account)
+	if err != nil {
+		return nil, err
+	}
+
 	return newPeer, nil
 }
 
+func (am *DefaultAccountManager) checkPeerLoginExpiration(loginUserID string, peer *Peer, account *Account) error {
+	if peer.AddedWithSSOLogin() {
+		expired, expiresIn := peer.LoginExpired(account.Settings.PeerLoginExpiration)
+		expired = account.Settings.PeerLoginExpirationEnabled && expired
+		if expired || peer.Status.LoginExpired {
+			log.Debugf("peer %s login expired", peer.ID)
+			if loginUserID == "" {
+				// absence of a user ID indicates that JWT wasn't provided.
+				_, err := am.markPeerLoginExpired(peer, account, true)
+				if err != nil {
+					return err
+				}
+				return status.Errorf(status.PermissionDenied,
+					"peer login has expired %v ago. Please log in once more", expiresIn)
+			} else {
+				// user ID is there meaning that JWT validation passed successfully in the API layer.
+				if peer.UserID != loginUserID {
+					log.Warnf("user mismatch when loggin in peer %s: peer user %s, login user %s ", peer.ID, peer.UserID, loginUserID)
+					return status.Errorf(status.Unauthenticated, "can't login")
+				}
+				_ = am.updatePeerLastLogin(peer, account)
+			}
+		}
+	}
+
+	return nil
+}
+
+// SyncPeer checks whether peer is eligible for receiving NetworkMap (authenticated) and returns its NetworkMap if eligible
+func (am *DefaultAccountManager) SyncPeer(sync PeerSync) (*Peer, *NetworkMap, error) {
+	account, err := am.Store.GetAccountByPeerPubKey(sync.WireGuardPubKey)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// we found the peer, and we follow a normal login flow
+	unlock := am.Store.AcquireAccountLock(account.Id)
+	defer unlock()
+
+	// fetch the account from the store once more after acquiring lock to avoid concurrent updates inconsistencies
+	account, err = am.Store.GetAccount(account.Id)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	peer, err := account.FindPeerByPubKey(sync.WireGuardPubKey)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	err = am.checkPeerLoginExpiration("", peer, account)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return peer, am.getNetworkMap(peer, account), nil
+
+}
+
+// LoginPeer logs in or registers a peer.
+// If peer doesn't exist the function checks whether a setup key or a user is present and registers a new peer if so.
+func (am *DefaultAccountManager) LoginPeer(login PeerLogin) (*Peer, error) {
+
+	account, err := am.Store.GetAccountByPeerPubKey(login.WireGuardPubKey)
+	if err != nil {
+		if errStatus, ok := status.FromError(err); ok && errStatus.Type() == status.NotFound {
+			// we couldn't find this peer by its public key which can mean that peer hasn't been registered yet.
+			// Try registering it.
+			return am.AddPeer(login.SetupKey, login.UserID, &Peer{
+				Key:    login.WireGuardPubKey,
+				Meta:   login.Meta,
+				SSHKey: login.SSHKey,
+			})
+		}
+		log.Errorf("failed while logging in peer %s: %v", login.WireGuardPubKey, err)
+		return nil, status.Errorf(status.Internal, "failed while logging in peer")
+	}
+
+	// we found the peer, and we follow a normal login flow
+	unlock := am.Store.AcquireAccountLock(account.Id)
+	defer unlock()
+
+	// fetch the account from the store once more after acquiring lock to avoid concurrent updates inconsistencies
+	account, err = am.Store.GetAccount(account.Id)
+	if err != nil {
+		return nil, err
+	}
+
+	peer, err := account.FindPeerByPubKey(login.WireGuardPubKey)
+	if err != nil {
+		return nil, err
+	}
+
+	err = am.checkPeerLoginExpiration(login.UserID, peer, account)
+	if err != nil {
+		return nil, err
+	}
+
+	peer = am.updatePeerMeta(peer, peer.Meta, account)
+
+	peer, err = am.checkAndUpdatePeerSSHKey(peer, account, login.SSHKey)
+	if err != nil {
+		return nil, err
+	}
+
+	err = am.Store.SaveAccount(account)
+	if err != nil {
+		return nil, err
+	}
+
+	return peer, nil
+
+}
+
+func (am *DefaultAccountManager) updatePeerLastLogin(peer *Peer, account *Account) *Peer {
+	peer.LastLogin = time.Now()
+	newStatus := peer.Status.Copy()
+	newStatus.LoginExpired = false
+	peer.Status = newStatus
+	account.UpdatePeer(peer)
+	return peer
+}
+
+func (am *DefaultAccountManager) checkAndUpdatePeerSSHKey(peer *Peer, account *Account, newSshKey string) (*Peer, error) {
+	if len(newSshKey) == 0 {
+		log.Debugf("no new SSH key provided for peer %s, skipping update", peer.ID)
+		return peer, nil
+	}
+
+	if peer.SSHKey == newSshKey {
+		log.Debugf("same SSH key provided for peer %s, skipping update", peer.ID)
+		return peer, nil
+	}
+
+	peer.SSHKey = newSshKey
+	account.UpdatePeer(peer)
+
+	err := am.Store.SaveAccount(account)
+	if err != nil {
+		return nil, err
+	}
+
+	// trigger network map update
+	err = am.updateAccountPeers(account)
+	if err != nil {
+		return nil, err
+	}
+
+	return peer, nil
+}
+
 // UpdatePeerSSHKey updates peer's public SSH key
 func (am *DefaultAccountManager) UpdatePeerSSHKey(peerID string, sshKey string) error {
 
@@ -580,35 +893,10 @@ func (am *DefaultAccountManager) GetPeer(accountID, peerID, userID string) (*Pee
 	return nil, status.Errorf(status.Internal, "user %s has no access to peer %s under account %s", userID, peerID, accountID)
 }
 
-// UpdatePeerMeta updates peer's system metadata
-func (am *DefaultAccountManager) UpdatePeerMeta(peerID string, meta PeerSystemMeta) error {
-
-	account, err := am.Store.GetAccountByPeerID(peerID)
-	if err != nil {
-		return err
-	}
-
-	unlock := am.Store.AcquireAccountLock(account.Id)
-	defer unlock()
-
-	peer := account.GetPeer(peerID)
-	if peer == nil {
-		return status.Errorf(status.NotFound, "peer with ID %s not found", peerID)
-	}
-
-	// Avoid overwriting UIVersion if the update was triggered sole by the CLI client
-	if meta.UIVersion == "" {
-		meta.UIVersion = peer.Meta.UIVersion
-	}
-
-	peer.Meta = meta
+func (am *DefaultAccountManager) updatePeerMeta(peer *Peer, meta PeerSystemMeta, account *Account) *Peer {
+	peer.UpdateMeta(meta)
 	account.UpdatePeer(peer)
-
-	err = am.Store.SaveAccount(account)
-	if err != nil {
-		return err
-	}
-	return nil
+	return peer
 }
 
 // getPeersByACL returns all peers that given peer has access to.
@@ -656,6 +944,10 @@ func (a *Account) getPeersByACL(peerID string) []*Peer {
 				)
 				continue
 			}
+			expired, _ := peer.LoginExpired(a.Settings.PeerLoginExpiration)
+			if expired {
+				continue
+			}
 			// exclude original peer
 			if _, ok := peersSet[peer.ID]; peer.ID != peerID && !ok {
 				peersSet[peer.ID] = struct{}{}

management/server/peer_test.go

@@ -3,11 +3,66 @@ package server
 import (
 	"github.com/stretchr/testify/assert"
 	"testing"
+	"time"
 
 	"github.com/rs/xid"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
 
+func TestPeer_LoginExpired(t *testing.T) {
+
+	tt := []struct {
+		name              string
+		expirationEnabled bool
+		lastLogin         time.Time
+		expected          bool
+		accountSettings   *Settings
+	}{
+		{
+			name:              "Peer Login Expiration Disabled. Peer Login Should Not Expire",
+			expirationEnabled: false,
+			lastLogin:         time.Now().Add(-25 * time.Hour),
+			accountSettings: &Settings{
+				PeerLoginExpirationEnabled: true,
+				PeerLoginExpiration:        time.Hour,
+			},
+			expected: false,
+		},
+		{
+			name:              "Peer Login Should Expire",
+			expirationEnabled: true,
+			lastLogin:         time.Now().Add(-25 * time.Hour),
+			accountSettings: &Settings{
+				PeerLoginExpirationEnabled: true,
+				PeerLoginExpiration:        time.Hour,
+			},
+			expected: true,
+		},
+		{
+			name:              "Peer Login Should Not Expire",
+			expirationEnabled: true,
+			lastLogin:         time.Now(),
+			accountSettings: &Settings{
+				PeerLoginExpirationEnabled: true,
+				PeerLoginExpiration:        time.Hour,
+			},
+			expected: false,
+		},
+	}
+
+	for _, c := range tt {
+		t.Run(c.name, func(t *testing.T) {
+			peer := &Peer{
+				LoginExpirationEnabled: c.expirationEnabled,
+				LastLogin:              c.lastLogin,
+			}
+
+			expired, _ := peer.LoginExpired(c.accountSettings.PeerLoginExpiration)
+			assert.Equal(t, expired, c.expected)
+		})
+	}
+}
+
 func TestAccountManager_GetNetworkMap(t *testing.T) {
 	manager, err := createManager(t)
 	if err != nil {
@@ -37,8 +92,7 @@ func TestAccountManager_GetNetworkMap(t *testing.T) {
 
 	peer1, err := manager.AddPeer(setupKey.Key, "", &Peer{
 		Key:  peerKey1.PublicKey().String(),
-		Meta: PeerSystemMeta{},
-		Name: "test-peer-2",
+		Meta: PeerSystemMeta{Hostname: "test-peer-1"},
 	})
 
 	if err != nil {
@@ -53,8 +107,7 @@ func TestAccountManager_GetNetworkMap(t *testing.T) {
 	}
 	_, err = manager.AddPeer(setupKey.Key, "", &Peer{
 		Key:  peerKey2.PublicKey().String(),
-		Meta: PeerSystemMeta{},
-		Name: "test-peer-2",
+		Meta: PeerSystemMeta{Hostname: "test-peer-2"},
 	})
 
 	if err != nil {
@@ -110,8 +163,7 @@ func TestAccountManager_GetNetworkMapWithRule(t *testing.T) {
 
 	peer1, err := manager.AddPeer(setupKey.Key, "", &Peer{
 		Key:  peerKey1.PublicKey().String(),
-		Meta: PeerSystemMeta{},
-		Name: "test-peer-2",
+		Meta: PeerSystemMeta{Hostname: "test-peer-1"},
 	})
 
 	if err != nil {
@@ -126,8 +178,7 @@ func TestAccountManager_GetNetworkMapWithRule(t *testing.T) {
 	}
 	peer2, err := manager.AddPeer(setupKey.Key, "", &Peer{
 		Key:  peerKey2.PublicKey().String(),
-		Meta: PeerSystemMeta{},
-		Name: "test-peer-2",
+		Meta: PeerSystemMeta{Hostname: "test-peer-2"},
 	})
 
 	if err != nil {
@@ -279,8 +330,7 @@ func TestAccountManager_GetPeerNetwork(t *testing.T) {
 
 	peer1, err := manager.AddPeer(setupKey.Key, "", &Peer{
 		Key:  peerKey1.PublicKey().String(),
-		Meta: PeerSystemMeta{},
-		Name: "test-peer-2",
+		Meta: PeerSystemMeta{Hostname: "test-peer-1"},
 	})
 
 	if err != nil {
@@ -295,8 +345,7 @@ func TestAccountManager_GetPeerNetwork(t *testing.T) {
 	}
 	_, err = manager.AddPeer(setupKey.Key, "", &Peer{
 		Key:  peerKey2.PublicKey().String(),
-		Meta: PeerSystemMeta{},
-		Name: "test-peer-2",
+		Meta: PeerSystemMeta{Hostname: "test-peer-2"},
 	})
 
 	if err != nil {
@@ -348,8 +397,7 @@ func TestDefaultAccountManager_GetPeer(t *testing.T) {
 
 	peer1, err := manager.AddPeer("", someUser, &Peer{
 		Key:  peerKey1.PublicKey().String(),
-		Meta: PeerSystemMeta{},
-		Name: "test-peer-2",
+		Meta: PeerSystemMeta{Hostname: "test-peer-2"},
 	})
 
 	if err != nil {
@@ -366,8 +414,7 @@ func TestDefaultAccountManager_GetPeer(t *testing.T) {
 	// the second peer added with a setup key
 	peer2, err := manager.AddPeer(setupKey.Key, "", &Peer{
 		Key:  peerKey2.PublicKey().String(),
-		Meta: PeerSystemMeta{},
-		Name: "test-peer-2",
+		Meta: PeerSystemMeta{Hostname: "test-peer-2"},
 	})
 
 	if err != nil {

management/server/scheduler.go

@@ -0,0 +1,114 @@
+package server
+
+import (
+	log "github.com/sirupsen/logrus"
+	"sync"
+	"time"
+)
+
+// Scheduler is an interface which implementations can schedule and cancel jobs
+type Scheduler interface {
+	Cancel(IDs []string)
+	Schedule(in time.Duration, ID string, job func() (nextRunIn time.Duration, reschedule bool))
+}
+
+// MockScheduler is a mock implementation of  Scheduler
+type MockScheduler struct {
+	CancelFunc   func(IDs []string)
+	ScheduleFunc func(in time.Duration, ID string, job func() (nextRunIn time.Duration, reschedule bool))
+}
+
+// Cancel mocks the Cancel function of the Scheduler interface
+func (mock *MockScheduler) Cancel(IDs []string) {
+	if mock.CancelFunc != nil {
+		mock.CancelFunc(IDs)
+		return
+	}
+	log.Errorf("MockScheduler doesn't have Cancel function defined ")
+}
+
+// Schedule mocks the Schedule function of the Scheduler interface
+func (mock *MockScheduler) Schedule(in time.Duration, ID string, job func() (nextRunIn time.Duration, reschedule bool)) {
+	if mock.ScheduleFunc != nil {
+		mock.ScheduleFunc(in, ID, job)
+		return
+	}
+	log.Errorf("MockScheduler doesn't have Schedule function defined")
+}
+
+// DefaultScheduler is a generic structure that allows to schedule jobs (functions) to run in the future and cancel them.
+type DefaultScheduler struct {
+	// jobs map holds cancellation channels indexed by the job ID
+	jobs map[string]chan struct{}
+	mu   *sync.Mutex
+}
+
+// NewDefaultScheduler creates an instance of a DefaultScheduler
+func NewDefaultScheduler() *DefaultScheduler {
+	return &DefaultScheduler{
+		jobs: make(map[string]chan struct{}),
+		mu:   &sync.Mutex{},
+	}
+}
+
+func (wm *DefaultScheduler) cancel(ID string) bool {
+	cancel, ok := wm.jobs[ID]
+	if ok {
+		delete(wm.jobs, ID)
+		select {
+		case cancel <- struct{}{}:
+			log.Debugf("cancelled scheduled job %s", ID)
+		default:
+			log.Warnf("couldn't cancel job %s because there was no routine listening on the cancel event", ID)
+			return false
+		}
+
+	}
+	return ok
+}
+
+// Cancel cancels the scheduled job by ID if present.
+// If job wasn't found the function returns false.
+func (wm *DefaultScheduler) Cancel(IDs []string) {
+	wm.mu.Lock()
+	defer wm.mu.Unlock()
+
+	for _, id := range IDs {
+		wm.cancel(id)
+	}
+}
+
+// Schedule a job to run in some time in the future. If job returns true then it will be scheduled one more time.
+// If job with the provided ID already exists, a new one won't be scheduled.
+func (wm *DefaultScheduler) Schedule(in time.Duration, ID string, job func() (nextRunIn time.Duration, reschedule bool)) {
+	wm.mu.Lock()
+	defer wm.mu.Unlock()
+	cancel := make(chan struct{})
+	if _, ok := wm.jobs[ID]; ok {
+		log.Debugf("couldn't schedule a job %s because it already exists. There are %d total jobs scheduled.",
+			ID, len(wm.jobs))
+		return
+	}
+
+	wm.jobs[ID] = cancel
+	log.Debugf("scheduled a job %s to run in %s. There are %d total jobs scheduled.", ID, in.String(), len(wm.jobs))
+	go func() {
+		select {
+		case <-time.After(in):
+			log.Debugf("time to do a scheduled job %s", ID)
+			runIn, reschedule := job()
+			wm.mu.Lock()
+			defer wm.mu.Unlock()
+			delete(wm.jobs, ID)
+			if reschedule {
+				go wm.Schedule(runIn, ID, job)
+			}
+		case <-cancel:
+			log.Debugf("stopped scheduled job %s ", ID)
+			wm.mu.Lock()
+			defer wm.mu.Unlock()
+			delete(wm.jobs, ID)
+			return
+		}
+	}()
+}

management/server/scheduler_test.go

@@ -0,0 +1,94 @@
+package server
+
+import (
+	"fmt"
+	"github.com/stretchr/testify/assert"
+	"math/rand"
+	"sync"
+	"testing"
+	"time"
+)
+
+func TestScheduler_Performance(t *testing.T) {
+	scheduler := NewDefaultScheduler()
+	n := 500
+	wg := &sync.WaitGroup{}
+	wg.Add(n)
+	maxMs := 500
+	minMs := 50
+	for i := 0; i < n; i++ {
+		millis := time.Duration(rand.Intn(maxMs-minMs)+minMs) * time.Millisecond
+		go scheduler.Schedule(millis, fmt.Sprintf("test-scheduler-job-%d", i), func() (nextRunIn time.Duration, reschedule bool) {
+			time.Sleep(millis)
+			wg.Done()
+			return 0, false
+		})
+	}
+	failed := waitTimeout(wg, 3*time.Second)
+	if failed {
+		t.Fatal("timed out while waiting for test to finish")
+		return
+	}
+	assert.Len(t, scheduler.jobs, 0)
+}
+
+func TestScheduler_Cancel(t *testing.T) {
+	jobID1 := "test-scheduler-job-1"
+	jobID2 := "test-scheduler-job-2"
+	scheduler := NewDefaultScheduler()
+	scheduler.Schedule(2*time.Second, jobID1, func() (nextRunIn time.Duration, reschedule bool) {
+		return 0, false
+	})
+	scheduler.Schedule(2*time.Second, jobID2, func() (nextRunIn time.Duration, reschedule bool) {
+		return 0, false
+	})
+
+	assert.Len(t, scheduler.jobs, 2)
+	scheduler.Cancel([]string{jobID1})
+	assert.Len(t, scheduler.jobs, 1)
+	assert.NotNil(t, scheduler.jobs[jobID2])
+}
+
+func TestScheduler_Schedule(t *testing.T) {
+	jobID := "test-scheduler-job-1"
+	scheduler := NewDefaultScheduler()
+	wg := &sync.WaitGroup{}
+	wg.Add(1)
+	// job without reschedule should be triggered once
+	job := func() (nextRunIn time.Duration, reschedule bool) {
+		wg.Done()
+		return 0, false
+	}
+	scheduler.Schedule(300*time.Millisecond, jobID, job)
+	failed := waitTimeout(wg, time.Second)
+	if failed {
+		t.Fatal("timed out while waiting for test to finish")
+		return
+	}
+
+	// job with reschedule should be triggered at least twice
+	wg = &sync.WaitGroup{}
+	mx := &sync.Mutex{}
+	scheduledTimes := 0
+	wg.Add(2)
+	job = func() (nextRunIn time.Duration, reschedule bool) {
+		mx.Lock()
+		defer mx.Unlock()
+		// ensure we repeat only twice
+		if scheduledTimes < 2 {
+			wg.Done()
+			scheduledTimes++
+			return 300 * time.Millisecond, true
+		}
+		return 0, false
+	}
+
+	scheduler.Schedule(300*time.Millisecond, jobID, job)
+	failed = waitTimeout(wg, time.Second)
+	if failed {
+		t.Fatal("timed out while waiting for test to finish")
+		return
+	}
+	scheduler.cancel(jobID)
+
+}

management/server/status/error.go

@@ -31,6 +31,9 @@ const (
 
 	// BadRequest indicates that user is not authorized
 	BadRequest Type = 9
+
+	// Unauthenticated indicates that user is not authenticated due to absence of valid credentials
+	Unauthenticated Type = 10
 )
 
 // Type is a type of the Error

management/server/turncredentials.go

@@ -63,18 +63,18 @@ func (m *TimeBasedAuthSecretsManager) GenerateCredentials() TURNCredentials {
 
 }
 
-func (m *TimeBasedAuthSecretsManager) cancel(peerKey string) {
-	if channel, ok := m.cancelMap[peerKey]; ok {
+func (m *TimeBasedAuthSecretsManager) cancel(peerID string) {
+	if channel, ok := m.cancelMap[peerID]; ok {
 		close(channel)
-		delete(m.cancelMap, peerKey)
+		delete(m.cancelMap, peerID)
 	}
 }
 
 // CancelRefresh cancels scheduled peer credentials refresh
-func (m *TimeBasedAuthSecretsManager) CancelRefresh(peerKey string) {
+func (m *TimeBasedAuthSecretsManager) CancelRefresh(peerID string) {
 	m.mux.Lock()
 	defer m.mux.Unlock()
-	m.cancel(peerKey)
+	m.cancel(peerID)
 }
 
 // SetupRefresh starts peer credentials refresh. Since credentials are expiring (TTL) it is necessary to always generate them and send to the peer.
@@ -115,6 +115,7 @@ func (m *TimeBasedAuthSecretsManager) SetupRefresh(peerID string) {
 						Turns: turns,
 					},
 				}
+				log.Debugf("sending new TURN credentials to peer %s", peerID)
 				err := m.updateManager.SendUpdate(peerID, &UpdateMessage{Update: update})
 				if err != nil {
 					log.Errorf("error while sending TURN update to peer %s %v", peerID, err)

management/server/updatechannel.go

@@ -60,10 +60,7 @@ func (p *PeersUpdateManager) CreateChannel(peerID string) chan *UpdateMessage {
 	return channel
 }
 
-// CloseChannel closes updates channel of a given peer
-func (p *PeersUpdateManager) CloseChannel(peerID string) {
-	p.channelsMux.Lock()
-	defer p.channelsMux.Unlock()
+func (p *PeersUpdateManager) closeChannel(peerID string) {
 	if channel, ok := p.peerChannels[peerID]; ok {
 		delete(p.peerChannels, peerID)
 		close(channel)
@@ -72,6 +69,22 @@ func (p *PeersUpdateManager) CloseChannel(peerID string) {
 	log.Debugf("closed updates channel of a peer %s", peerID)
 }
 
+// CloseChannels closes updates channel for each given peer
+func (p *PeersUpdateManager) CloseChannels(peerIDs []string) {
+	p.channelsMux.Lock()
+	defer p.channelsMux.Unlock()
+	for _, id := range peerIDs {
+		p.closeChannel(id)
+	}
+}
+
+// CloseChannel closes updates channel of a given peer
+func (p *PeersUpdateManager) CloseChannel(peerID string) {
+	p.channelsMux.Lock()
+	defer p.channelsMux.Unlock()
+	p.closeChannel(peerID)
+}
+
 // GetAllConnectedPeers returns a copy of the connected peers map
 func (p *PeersUpdateManager) GetAllConnectedPeers() map[string]struct{} {
 	p.channelsMux.Lock()

util/file.go

@@ -11,8 +11,7 @@ import (
 // The output JSON is pretty-formatted
 func WriteJson(file string, obj interface{}) error {
 
-	configDir, configFileName := filepath.Split(file)
-	err := os.MkdirAll(configDir, 0750)
+	configDir, configFileName, err := prepareConfigFileDir(file)
 	if err != nil {
 		return err
 	}
@@ -100,3 +99,13 @@ func CopyFileContents(src, dst string) (err error) {
 	err = out.Sync()
 	return
 }
+
+func prepareConfigFileDir(file string) (string, string, error) {
+	configDir, configFileName := filepath.Split(file)
+	if configDir == "" {
+		return filepath.Dir(file), configFileName, nil
+	}
+
+	err := os.MkdirAll(configDir, 0750)
+	return configDir, configFileName, err
+}

util/file_test.go

@@ -3,11 +3,13 @@ package util_test
 import (
 	"crypto/md5"
 	"encoding/hex"
-	"github.com/netbirdio/netbird/util"
-	. "github.com/onsi/ginkgo"
-	. "github.com/onsi/gomega"
 	"io"
 	"os"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+
+	"github.com/netbirdio/netbird/util"
 )
 
 var _ = Describe("Client", func() {
@@ -102,4 +104,23 @@ var _ = Describe("Client", func() {
 			})
 		})
 	})
+
+	Describe("Handle config file without full path", func() {
+		Context("config file handling", func() {
+			It("should be successful", func() {
+				written := &TestConfig{
+					SomeField: 123,
+				}
+				cfgFile := "test_cfg.json"
+				defer os.Remove(cfgFile)
+
+				err := util.WriteJson(cfgFile, written)
+				Expect(err).NotTo(HaveOccurred())
+
+				read, err := util.ReadJson(cfgFile, &TestConfig{})
+				Expect(err).NotTo(HaveOccurred())
+				Expect(read).NotTo(BeNil())
+			})
+		})
+	})
 })

util/log.go

@@ -1,14 +1,13 @@
 package util
 
 import (
+	"io"
+	"path/filepath"
+
 	log "github.com/sirupsen/logrus"
 	"gopkg.in/natefinch/lumberjack.v2"
-	"io"
-	"path"
-	"path/filepath"
-	"runtime"
-	"strconv"
-	"time"
+
+	"github.com/netbirdio/netbird/formatter"
 )
 
 // InitLog parses and sets log-level input
@@ -31,21 +30,7 @@ func InitLog(logLevel string, logPath string) error {
 		log.SetOutput(io.Writer(lumberjackLogger))
 	}
 
-	logFormatter := new(log.TextFormatter)
-	logFormatter.TimestampFormat = time.RFC3339 // or RFC3339
-	logFormatter.FullTimestamp = true
-	logFormatter.CallerPrettyfier = func(frame *runtime.Frame) (function string, file string) {
-		fileName := path.Base(frame.File) + ":" + strconv.Itoa(frame.Line)
-		//return frame.Function, fileName
-		return "", fileName
-	}
-
-	if level > log.WarnLevel {
-		log.SetReportCaller(true)
-	}
-
-	log.SetFormatter(logFormatter)
+	formatter.SetTextFormatter(log.StandardLogger())
 	log.SetLevel(level)
-
 	return nil
 }