Extend network map generation with posture checks (#1466)

* Apply posture checks to network map generation * run policy posture checks on peers to connect * Refactor and streamline policy posture check process for peers to connect. * Add posture checks testing in a network map * Remove redundant nil check in policy.go * Refactor peer validation check in policy.go * Update 'Check' function signature and use logger for version check * Refactor posture checks run on sources and updated the validation func * Update peer validation * fix tests * improved test coverage for policy posture check * Refactoring
netbirdio · Jan 22, 2024 · 3604a97 · 3604a97
1 parent 146f70f
commit 3604a97
Show file tree

Hide file tree

Showing 5 changed files with 340 additions and 15 deletions.
diff --git a/management/server/policy.go b/management/server/policy.go
@@ -11,6 +11,7 @@ import (
 	"github.com/netbirdio/netbird/management/proto"
 	"github.com/netbirdio/netbird/management/server/activity"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
+	"github.com/netbirdio/netbird/management/server/posture"
 	"github.com/netbirdio/netbird/management/server/status"
 )
 
@@ -224,8 +225,8 @@ func (a *Account) getPeerConnectionResources(peerID string) ([]*nbpeer.Peer, []*
 				continue
 			}
 
-			sourcePeers, peerInSources := getAllPeersFromGroups(a, rule.Sources, peerID)
-			destinationPeers, peerInDestinations := getAllPeersFromGroups(a, rule.Destinations, peerID)
+			sourcePeers, peerInSources := getAllPeersFromGroups(a, rule.Sources, peerID, policy.SourcePostureChecks)
+			destinationPeers, peerInDestinations := getAllPeersFromGroups(a, rule.Destinations, peerID, nil)
 			sourcePeers = additions.ValidatePeers(sourcePeers)
 			destinationPeers = additions.ValidatePeers(destinationPeers)
 
@@ -274,6 +275,7 @@ func (a *Account) connResourcesGenerator() (func(*PolicyRule, []*nbpeer.Peer, in
 				if peer == nil {
 					continue
 				}
+
 				if _, ok := peersExists[peer.ID]; !ok {
 					peers = append(peers, peer)
 					peersExists[peer.ID] = struct{}{}
@@ -486,8 +488,12 @@ func toProtocolFirewallRules(update []*FirewallRule) []*proto.FirewallRule {
 
 // getAllPeersFromGroups for given peer ID and list of groups
 //
-// Returns list of peers and boolean indicating if peer is in any of the groups
-func getAllPeersFromGroups(account *Account, groups []string, peerID string) ([]*nbpeer.Peer, bool) {
+// Returns a list of peers from specified groups that pass specified posture checks
+// and a boolean indicating if the supplied peer ID exists within these groups.
+//
+// Important: Posture checks are applicable only to source group peers,
+// for destination group peers, call this method with an empty list of sourcePostureChecksIDs
+func getAllPeersFromGroups(account *Account, groups []string, peerID string, sourcePostureChecksIDs []string) ([]*nbpeer.Peer, bool) {
 	peerInGroups := false
 	filteredPeers := make([]*nbpeer.Peer, 0, len(groups))
 	for _, g := range groups {
@@ -502,6 +508,12 @@ func getAllPeersFromGroups(account *Account, groups []string, peerID string) ([]
 				continue
 			}
 
+			// validate the peer based on policy posture checks applied
+			isValid := account.validatePostureChecksOnPeer(sourcePostureChecksIDs, peer.ID)
+			if !isValid {
+				continue
+			}
+
 			if peer.ID == peerID {
 				peerInGroups = true
 				continue
@@ -512,3 +524,38 @@ func getAllPeersFromGroups(account *Account, groups []string, peerID string) ([]
 	}
 	return filteredPeers, peerInGroups
 }
+
+// validatePostureChecksOnPeer validates the posture checks on a peer
+func (a *Account) validatePostureChecksOnPeer(sourcePostureChecksID []string, peerID string) bool {
+	peer, ok := a.Peers[peerID]
+	if !ok && peer == nil {
+		return false
+	}
+
+	for _, postureChecksID := range sourcePostureChecksID {
+		postureChecks := getPostureChecks(a, postureChecksID)
+		if postureChecks == nil {
+			continue
+		}
+
+		for _, check := range postureChecks.Checks {
+			isValid, err := check.Check(*peer)
+			if err != nil {
+				log.Debugf("an error occurred check %s: on peer: %s :%s", check.Name(), peer.ID, err.Error())
+			}
+			if !isValid {
+				return false
+			}
+		}
+	}
+	return true
+}
+
+func getPostureChecks(account *Account, postureChecksID string) *posture.Checks {
+	for _, postureChecks := range account.PostureChecks {
+		if postureChecks.ID == postureChecksID {
+			return postureChecks
+		}
+	}
+	return nil
+}
diff --git a/management/server/policy_test.go b/management/server/policy_test.go
@@ -9,6 +9,7 @@ import (
 	"golang.org/x/exp/slices"
 
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
+	"github.com/netbirdio/netbird/management/server/posture"
 )
 
 func TestAccount_getPeersByPolicy(t *testing.T) {
@@ -443,6 +444,274 @@ func TestAccount_getPeersByPolicyDirect(t *testing.T) {
 	})
 }
 
+func TestAccount_getPeersByPolicyPostureChecks(t *testing.T) {
+	account := &Account{
+		Peers: map[string]*nbpeer.Peer{
+			"peerA": {
+				ID:     "peerA",
+				IP:     net.ParseIP("100.65.14.88"),
+				Status: &nbpeer.PeerStatus{},
+				Meta: nbpeer.PeerSystemMeta{
+					WtVersion: "0.25.9",
+				},
+			},
+			"peerB": {
+				ID:     "peerB",
+				IP:     net.ParseIP("100.65.80.39"),
+				Status: &nbpeer.PeerStatus{},
+				Meta: nbpeer.PeerSystemMeta{
+					WtVersion: "0.23.0",
+				},
+			},
+			"peerC": {
+				ID:     "peerC",
+				IP:     net.ParseIP("100.65.254.139"),
+				Status: &nbpeer.PeerStatus{},
+				Meta: nbpeer.PeerSystemMeta{
+					WtVersion: "0.25.8",
+				},
+			},
+			"peerD": {
+				ID:     "peerD",
+				IP:     net.ParseIP("100.65.62.5"),
+				Status: &nbpeer.PeerStatus{},
+				Meta: nbpeer.PeerSystemMeta{
+					WtVersion: "0.25.9",
+				},
+			},
+			"peerE": {
+				ID:     "peerE",
+				IP:     net.ParseIP("100.65.32.206"),
+				Status: &nbpeer.PeerStatus{},
+				Meta: nbpeer.PeerSystemMeta{
+					WtVersion: "0.24.0",
+				},
+			},
+			"peerF": {
+				ID:     "peerF",
+				IP:     net.ParseIP("100.65.250.202"),
+				Status: &nbpeer.PeerStatus{},
+				Meta: nbpeer.PeerSystemMeta{
+					WtVersion: "0.25.9",
+				},
+			},
+			"peerG": {
+				ID:     "peerG",
+				IP:     net.ParseIP("100.65.13.186"),
+				Status: &nbpeer.PeerStatus{},
+				Meta: nbpeer.PeerSystemMeta{
+					WtVersion: "0.23.2",
+				},
+			},
+			"peerH": {
+				ID:     "peerH",
+				IP:     net.ParseIP("100.65.29.55"),
+				Status: &nbpeer.PeerStatus{},
+				Meta: nbpeer.PeerSystemMeta{
+					WtVersion: "0.23.1",
+				},
+			},
+		},
+		Groups: map[string]*Group{
+			"GroupAll": {
+				ID:   "GroupAll",
+				Name: "All",
+				Peers: []string{
+					"peerB",
+					"peerA",
+					"peerD",
+					"peerC",
+					"peerF",
+					"peerG",
+					"peerH",
+				},
+			},
+			"GroupSwarm": {
+				ID:   "GroupSwarm",
+				Name: "swarm",
+				Peers: []string{
+					"peerB",
+					"peerA",
+					"peerD",
+					"peerE",
+					"peerG",
+					"peerH",
+				},
+			},
+		},
+		PostureChecks: []*posture.Checks{
+			{
+				ID:          "PostureChecksDefault",
+				Name:        "Default",
+				Description: "This is a posture checks that check if peer is running required version",
+				Checks: []posture.Check{
+					&posture.NBVersionCheck{
+						MinVersion: "0.25",
+					},
+				},
+			},
+		},
+	}
+
+	account.Policies = append(account.Policies, &Policy{
+		ID:          "PolicyPostureChecks",
+		Name:        "",
+		Description: "This is the policy with posture checks applied",
+		Enabled:     true,
+		Rules: []*PolicyRule{
+			{
+				ID:      "RuleSwarm",
+				Name:    "Swarm",
+				Enabled: true,
+				Action:  PolicyTrafficActionAccept,
+				Destinations: []string{
+					"GroupSwarm",
+				},
+				Sources: []string{
+					"GroupAll",
+				},
+				Bidirectional: false,
+				Protocol:      PolicyRuleProtocolTCP,
+				Ports:         []string{"80"},
+			},
+		},
+		SourcePostureChecks: []string{
+			"PostureChecksDefault",
+		},
+	})
+
+	t.Run("verify peer's network map with default group peer list", func(t *testing.T) {
+		// peerB doesn't fulfill the NB posture check but is included in the destination group Swarm,
+		// will establish a connection with all source peers satisfying the NB posture check.
+		peers, firewallRules := account.getPeerConnectionResources("peerB")
+		assert.Len(t, peers, 4)
+		assert.Len(t, firewallRules, 4)
+		assert.Contains(t, peers, account.Peers["peerA"])
+		assert.Contains(t, peers, account.Peers["peerC"])
+		assert.Contains(t, peers, account.Peers["peerD"])
+		assert.Contains(t, peers, account.Peers["peerF"])
+
+		// peerC satisfy the NB posture check, should establish connection to all destination group peer's
+		// We expect a single permissive firewall rule which all outgoing connections
+		peers, firewallRules = account.getPeerConnectionResources("peerC")
+		assert.Len(t, peers, len(account.Groups["GroupSwarm"].Peers))
+		assert.Len(t, firewallRules, 1)
+		expectedFirewallRules := []*FirewallRule{
+			{
+				PeerIP:    "0.0.0.0",
+				Direction: firewallRuleDirectionOUT,
+				Action:    "accept",
+				Protocol:  "tcp",
+				Port:      "80",
+			},
+		}
+		assert.ElementsMatch(t, firewallRules, expectedFirewallRules)
+
+		// peerE doesn't fulfill the NB posture check and exists in only destination group Swarm,
+		// all source group peers satisfying the NB posture check should establish connection
+		peers, firewallRules = account.getPeerConnectionResources("peerE")
+		assert.Len(t, peers, 4)
+		assert.Len(t, firewallRules, 4)
+		assert.Contains(t, peers, account.Peers["peerA"])
+		assert.Contains(t, peers, account.Peers["peerC"])
+		assert.Contains(t, peers, account.Peers["peerD"])
+		assert.Contains(t, peers, account.Peers["peerF"])
+	})
+
+	t.Run("verify peer's network map with modified group peer list", func(t *testing.T) {
+		//  Removing peerB as the part of destination group Swarm
+		account.Groups["GroupSwarm"].Peers = []string{"peerA", "peerD", "peerE", "peerG", "peerH"}
+
+		// peerB doesn't satisfy the NB posture check, and doesn't exist in destination group peer's
+		// no connection should be established to any peer of destination group
+		peers, firewallRules := account.getPeerConnectionResources("peerB")
+		assert.Len(t, peers, 0)
+		assert.Len(t, firewallRules, 0)
+
+		// peerC satisfy the NB posture check, should establish connection to all destination group peer's
+		// We expect a single permissive firewall rule which all outgoing connections
+		peers, firewallRules = account.getPeerConnectionResources("peerC")
+		assert.Len(t, peers, len(account.Groups["GroupSwarm"].Peers))
+		assert.Len(t, firewallRules, len(account.Groups["GroupSwarm"].Peers))
+
+		peerIDs := make([]string, 0, len(peers))
+		for _, peer := range peers {
+			peerIDs = append(peerIDs, peer.ID)
+		}
+		assert.ElementsMatch(t, peerIDs, account.Groups["GroupSwarm"].Peers)
+
+		// Removing peerF as the part of source group All
+		account.Groups["GroupAll"].Peers = []string{"peerB", "peerA", "peerD", "peerC", "peerG", "peerH"}
+
+		// peerE doesn't fulfill the NB posture check and exists in only destination group Swarm,
+		// all source group peers satisfying the NB posture check should establish connection
+		peers, firewallRules = account.getPeerConnectionResources("peerE")
+		assert.Len(t, peers, 3)
+		assert.Len(t, firewallRules, 3)
+		assert.Contains(t, peers, account.Peers["peerA"])
+		assert.Contains(t, peers, account.Peers["peerC"])
+		assert.Contains(t, peers, account.Peers["peerD"])
+
+		peers, firewallRules = account.getPeerConnectionResources("peerA")
+		assert.Len(t, peers, 5)
+		// assert peers from Group Swarm
+		assert.Contains(t, peers, account.Peers["peerD"])
+		assert.Contains(t, peers, account.Peers["peerE"])
+		assert.Contains(t, peers, account.Peers["peerG"])
+		assert.Contains(t, peers, account.Peers["peerH"])
+
+		// assert peers from Group All
+		assert.Contains(t, peers, account.Peers["peerC"])
+
+		expectedFirewallRules := []*FirewallRule{
+			{
+				PeerIP:    "100.65.62.5",
+				Direction: firewallRuleDirectionOUT,
+				Action:    "accept",
+				Protocol:  "tcp",
+				Port:      "80",
+			},
+			{
+				PeerIP:    "100.65.32.206",
+				Direction: firewallRuleDirectionOUT,
+				Action:    "accept",
+				Protocol:  "tcp",
+				Port:      "80",
+			},
+			{
+				PeerIP:    "100.65.13.186",
+				Direction: firewallRuleDirectionOUT,
+				Action:    "accept",
+				Protocol:  "tcp",
+				Port:      "80",
+			},
+			{
+				PeerIP:    "100.65.29.55",
+				Direction: firewallRuleDirectionOUT,
+				Action:    "accept",
+				Protocol:  "tcp",
+				Port:      "80",
+			},
+			{
+				PeerIP:    "100.65.254.139",
+				Direction: firewallRuleDirectionIN,
+				Action:    "accept",
+				Protocol:  "tcp",
+				Port:      "80",
+			},
+			{
+				PeerIP:    "100.65.62.5",
+				Direction: firewallRuleDirectionIN,
+				Action:    "accept",
+				Protocol:  "tcp",
+				Port:      "80",
+			},
+		}
+		assert.Len(t, firewallRules, len(expectedFirewallRules))
+		assert.ElementsMatch(t, firewallRules, expectedFirewallRules)
+	})
+}
+
 func sortFunc() func(a *FirewallRule, b *FirewallRule) int {
 	return func(a, b *FirewallRule) int {
 		// Concatenate PeerIP and Direction as string for comparison

diff --git a/management/server/posture/checks.go b/management/server/posture/checks.go
@@ -12,7 +12,7 @@ const (
 
 // Check represents an interface for performing a check on a peer.
 type Check interface {
-	Check(peer nbpeer.Peer) error
+	Check(peer nbpeer.Peer) (bool, error)
 	Name() string
 }