diff --git a/management/internals/modules/reverseproxy/accesslogs/accesslogentry.go b/management/internals/modules/reverseproxy/accesslogs/accesslogentry.go index 16084029f..f2ecfd5f9 100644 --- a/management/internals/modules/reverseproxy/accesslogs/accesslogentry.go +++ b/management/internals/modules/reverseproxy/accesslogs/accesslogentry.go @@ -39,10 +39,6 @@ type AccessLogEntry struct { BytesDownload int64 `gorm:"index"` Protocol AccessLogProtocol `gorm:"index"` Metadata map[string]string `gorm:"serializer:json"` - // UserGroups captures the group IDs the user (UserId) belonged to at - // the time the entry was written, so the dashboard can render group - // context without reverse-resolving stale memberships. - UserGroups []string `gorm:"serializer:json"` } // FromProto creates an AccessLogEntry from a proto.AccessLog @@ -129,12 +125,6 @@ func (a *AccessLogEntry) ToAPIResponse() *api.ProxyAccessLog { metadata = &a.Metadata } - var userGroups *[]string - if len(a.UserGroups) > 0 { - groups := append([]string(nil), a.UserGroups...) - userGroups = &groups - } - return &api.ProxyAccessLog{ Id: a.ID, ServiceId: a.ServiceID, @@ -155,6 +145,5 @@ func (a *AccessLogEntry) ToAPIResponse() *api.ProxyAccessLog { BytesDownload: a.BytesDownload, Protocol: protocol, Metadata: metadata, - UserGroups: userGroups, } } diff --git a/management/internals/modules/reverseproxy/accesslogs/manager/enrichment_test.go b/management/internals/modules/reverseproxy/accesslogs/manager/enrichment_test.go deleted file mode 100644 index 7a1a3afea..000000000 --- a/management/internals/modules/reverseproxy/accesslogs/manager/enrichment_test.go +++ /dev/null @@ -1,41 +0,0 @@ -package manager - -import ( - "context" - "testing" - - "github.com/golang/mock/gomock" - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" - - "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs" - "github.com/netbirdio/netbird/management/server/store" - "github.com/netbirdio/netbird/management/server/types" -) - -func TestSaveAccessLog_EnrichesUserGroups(t *testing.T) { - ctrl := gomock.NewController(t) - defer ctrl.Finish() - - mockStore := store.NewMockStore(ctrl) - - user := &types.User{Id: "u1", AutoGroups: []string{"g1", "g2"}} - mockStore.EXPECT(). - GetUserByUserID(gomock.Any(), store.LockingStrengthNone, "u1"). - Return(user, nil) - - var captured *accesslogs.AccessLogEntry - mockStore.EXPECT(). - CreateAccessLog(gomock.Any(), gomock.Any()). - DoAndReturn(func(_ context.Context, e *accesslogs.AccessLogEntry) error { - captured = e - return nil - }) - - m := &managerImpl{store: mockStore} - entry := &accesslogs.AccessLogEntry{AccountID: "acc-1", UserId: "u1"} - require.NoError(t, m.SaveAccessLog(context.Background(), entry)) - - require.NotNil(t, captured, "CreateAccessLog must receive the entry") - assert.Equal(t, []string{"g1", "g2"}, captured.UserGroups, "UserGroups should be hydrated from the user record") -} diff --git a/management/internals/modules/reverseproxy/accesslogs/manager/manager.go b/management/internals/modules/reverseproxy/accesslogs/manager/manager.go index ef890c658..59d7704eb 100644 --- a/management/internals/modules/reverseproxy/accesslogs/manager/manager.go +++ b/management/internals/modules/reverseproxy/accesslogs/manager/manager.go @@ -47,8 +47,6 @@ func (m *managerImpl) SaveAccessLog(ctx context.Context, logEntry *accesslogs.Ac } } - m.enrichUserGroups(ctx, logEntry) - if err := m.store.CreateAccessLog(ctx, logEntry); err != nil { log.WithContext(ctx).WithFields(log.Fields{ "service_id": logEntry.ServiceID, @@ -63,25 +61,6 @@ func (m *managerImpl) SaveAccessLog(ctx context.Context, logEntry *accesslogs.Ac return nil } -// enrichUserGroups attaches the user's auto-group memberships to the entry. -// Best-effort: errors are logged at debug and never block the save. -func (m *managerImpl) enrichUserGroups(ctx context.Context, logEntry *accesslogs.AccessLogEntry) { - if logEntry.UserId == "" { - return - } - - user, err := m.store.GetUserByUserID(ctx, store.LockingStrengthNone, logEntry.UserId) - if err != nil { - log.WithContext(ctx).Debugf("access log user-group enrichment skipped for user %s: %v", logEntry.UserId, err) - return - } - if user == nil { - return - } - - logEntry.UserGroups = append([]string(nil), user.AutoGroups...) -} - // GetAllAccessLogs retrieves access logs for an account with pagination and filtering func (m *managerImpl) GetAllAccessLogs(ctx context.Context, accountID, userID string, filter *accesslogs.AccessLogFilter) ([]*accesslogs.AccessLogEntry, int64, error) { ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Read) diff --git a/shared/management/http/api/openapi.yml b/shared/management/http/api/openapi.yml index 669499638..cd412ef93 100644 --- a/shared/management/http/api/openapi.yml +++ b/shared/management/http/api/openapi.yml @@ -2896,11 +2896,6 @@ components: additionalProperties: type: string description: "Extra context about the request (e.g. crowdsec_verdict)" - user_groups: - type: array - items: - type: string - description: "Group IDs the user belonged to when the entry was written" required: - id - service_id diff --git a/shared/management/http/api/types.gen.go b/shared/management/http/api/types.gen.go index fce7c60aa..fbcce9bdd 100644 --- a/shared/management/http/api/types.gen.go +++ b/shared/management/http/api/types.gen.go @@ -3786,9 +3786,6 @@ type ProxyAccessLog struct { // Timestamp Timestamp when the request was made Timestamp time.Time `json:"timestamp"` - // UserGroups Group IDs the user belonged to when the entry was written - UserGroups *[]string `json:"user_groups,omitempty"` - // UserId ID of the authenticated user, if applicable UserId *string `json:"user_id,omitempty"` }