mirror of
https://github.com/netbirdio/netbird.git
synced 2026-07-16 19:49:56 +00:00
* [agent-network] Shared proto, OpenAPI schema, and generated types * [agent-network] Management: store, manager, synthesizer, policy engine, provider catalog, HTTP/gRPC API Adds the account-scoped agent-network module: provider/policy/budget CRUD and store, the reverse-proxy service synthesizer, policy selection + limit enforcement, the provider catalog (incl. Vertex AI and AWS Bedrock entries), and the management HTTP + proxy gRPC surfaces. * [management] Fix agent-network proxy-peer fan-out on affected-peer recompute The affected-peers resolver loaded only persisted reverse-proxy services, but agent-network services are synthesized on demand and never persisted. As a result the embedded proxy peer was never folded into the affected set when a client's group changed, so the proxy received no network-map update for a newly authorised client and rejected its handshake until a full resync (restart). loadProxyServices now merges the synthesized agent-network services (injected via a registration hook to avoid an import cycle), so proxy peers learn newly authorised clients immediately. * [proxy] Reverse-proxy middleware framework, chain, and request plumbing The per-target middleware chain (slots, dispatcher, mutation gate, metadata merger), body capture, access-log terminal sink, and the proxy wiring that builds + runs chains for synthesized agent-network services. * [proxy] LLM parsers, pricing, and builtin middlewares (OpenAI, Anthropic, Vertex AI, AWS Bedrock) Request/response parsers and SSE/event-stream metering, the embedded pricing table, and the builtin middleware set: request parser, router, policy limit-check/record, cost meter, guardrail, identity inject, response parser. Includes the path-routed providers — Google Vertex AI (keyfile:: service-account OAuth minting) and AWS Bedrock (bearer auth, invoke/converse/streaming, optional /bedrock prefix) — plus the Models allowlist and unmeterable-publisher deny. * [proxy] IPv6 in-place apply and TCP accept-loop hardening on netstack listeners * [agent-network] End-to-end test suite, module docs, and deployment preset * [agent-network] Fix codespell typos and exclude false positives - labelgen word pool: vermillion -> vermilion, racoon -> raccoon. - codespell ignore list: add flate (Go compress/flate package), recordin (a test-local identifier), and unparseable (a valid alternative spelling used consistently across identifiers + a metadata-value constant). * [management] Set LastSeen on injected proxy peer in realstack test (MySQL strict-mode) The injected embedded proxy peer had a PeerStatus with a zero LastSeen, which serializes to '0000-00-00' and is rejected by MySQL in strict mode (SQLite tolerates it). Set LastSeen to a valid time so SaveAccount succeeds on both engines. * [agent-network] Remove e2e shell-script suite from this branch The end-to-end shell scripts under scripts/e2e/ are maintained in a separate testing suite and are not part of this change set. * [agent-network] Polish module docs: remove internal review scaffolding, fix links, verify diagrams Strip PR-review framing, commit references, absolute paths, and stale internal references from the agent-network module docs; fix broken relative links; verify all diagrams against the current architecture. Remove the internal AI-reviewer prompt file. * [management] Refine session expiration handling to support 3-state encoding for SSO deadlines * [agent-network] Relocate agentnetwork package to internals/modules Move management/server/agentnetwork (and its catalog/, labelgen/, types/ subpackages) to management/internals/modules/agentnetwork, alongside the reverse-proxy module, and rewrite all importers. Pure relocation: package names, the synthesizer + affectedpeers registration hook, and store access (shared store.Store) are unchanged, so no import cycle is introduced (affectedpeers still depends only on the agentnetwork/types leaf). * [agent-network] Co-locate HTTP handlers in the module (RegisterEndpoints) Move the agent-network HTTP handlers from server/http/handlers/agentnetwork into the module at internals/modules/agentnetwork/handlers (package handlers) and rename the entrypoint AddEndpoints -> RegisterEndpoints, matching the reverse-proxy module convention. Wiring in http/handler.go updated accordingly.
155 lines
4.5 KiB
Go
155 lines
4.5 KiB
Go
package accesslogs
|
|
|
|
import (
|
|
"maps"
|
|
"net"
|
|
"net/netip"
|
|
"time"
|
|
|
|
"github.com/netbirdio/netbird/management/server/peer"
|
|
"github.com/netbirdio/netbird/shared/management/http/api"
|
|
"github.com/netbirdio/netbird/shared/management/proto"
|
|
)
|
|
|
|
// AccessLogProtocol identifies the transport protocol of an access log entry.
|
|
type AccessLogProtocol string
|
|
|
|
const (
|
|
AccessLogProtocolHTTP AccessLogProtocol = "http"
|
|
AccessLogProtocolTCP AccessLogProtocol = "tcp"
|
|
AccessLogProtocolUDP AccessLogProtocol = "udp"
|
|
)
|
|
|
|
type AccessLogEntry struct {
|
|
ID string `gorm:"primaryKey"`
|
|
AccountID string `gorm:"index"`
|
|
ServiceID string `gorm:"index"`
|
|
Timestamp time.Time `gorm:"index"`
|
|
GeoLocation peer.Location `gorm:"embedded;embeddedPrefix:location_"`
|
|
SubdivisionCode string
|
|
Method string `gorm:"index"`
|
|
Host string `gorm:"index"`
|
|
Path string `gorm:"index"`
|
|
Duration time.Duration `gorm:"index"`
|
|
StatusCode int `gorm:"index"`
|
|
Reason string
|
|
UserId string `gorm:"index"`
|
|
AuthMethodUsed string `gorm:"index"`
|
|
BytesUpload int64 `gorm:"index"`
|
|
BytesDownload int64 `gorm:"index"`
|
|
Protocol AccessLogProtocol `gorm:"index"`
|
|
Metadata map[string]string `gorm:"serializer:json"`
|
|
// AgentNetwork marks the entry as emitted by a synthesised agent-network
|
|
// service. Sourced from proto.AccessLog.AgentNetwork the proxy stamps
|
|
// before shipping. Indexed so the agent-network log surface filters cheaply.
|
|
AgentNetwork bool `gorm:"index"`
|
|
}
|
|
|
|
// FromProto creates an AccessLogEntry from a proto.AccessLog
|
|
func (a *AccessLogEntry) FromProto(serviceLog *proto.AccessLog) {
|
|
a.ID = serviceLog.GetLogId()
|
|
a.ServiceID = serviceLog.GetServiceId()
|
|
a.Timestamp = serviceLog.GetTimestamp().AsTime()
|
|
a.Method = serviceLog.GetMethod()
|
|
a.Host = serviceLog.GetHost()
|
|
a.Path = serviceLog.GetPath()
|
|
a.Duration = time.Duration(serviceLog.GetDurationMs()) * time.Millisecond
|
|
a.StatusCode = int(serviceLog.GetResponseCode())
|
|
a.UserId = serviceLog.GetUserId()
|
|
a.AuthMethodUsed = serviceLog.GetAuthMechanism()
|
|
a.AccountID = serviceLog.GetAccountId()
|
|
a.BytesUpload = serviceLog.GetBytesUpload()
|
|
a.BytesDownload = serviceLog.GetBytesDownload()
|
|
a.Protocol = AccessLogProtocol(serviceLog.GetProtocol())
|
|
a.Metadata = maps.Clone(serviceLog.GetMetadata())
|
|
a.AgentNetwork = serviceLog.GetAgentNetwork()
|
|
|
|
if sourceIP := serviceLog.GetSourceIp(); sourceIP != "" {
|
|
if addr, err := netip.ParseAddr(sourceIP); err == nil {
|
|
addr = addr.Unmap()
|
|
a.GeoLocation.ConnectionIP = net.IP(addr.AsSlice())
|
|
}
|
|
}
|
|
|
|
// Only set reason for HTTP entries. L4 entries have no auth or status code.
|
|
if a.Protocol == "" || a.Protocol == AccessLogProtocolHTTP {
|
|
if !serviceLog.GetAuthSuccess() {
|
|
a.Reason = "Authentication failed"
|
|
} else if serviceLog.GetResponseCode() >= 400 {
|
|
a.Reason = "Request failed"
|
|
}
|
|
}
|
|
}
|
|
|
|
// ToAPIResponse converts an AccessLogEntry to the API ProxyAccessLog type
|
|
func (a *AccessLogEntry) ToAPIResponse() *api.ProxyAccessLog {
|
|
var sourceIP *string
|
|
if a.GeoLocation.ConnectionIP != nil {
|
|
ip := a.GeoLocation.ConnectionIP.String()
|
|
sourceIP = &ip
|
|
}
|
|
|
|
var reason *string
|
|
if a.Reason != "" {
|
|
reason = &a.Reason
|
|
}
|
|
|
|
var userID *string
|
|
if a.UserId != "" {
|
|
userID = &a.UserId
|
|
}
|
|
|
|
var authMethod *string
|
|
if a.AuthMethodUsed != "" {
|
|
authMethod = &a.AuthMethodUsed
|
|
}
|
|
|
|
var countryCode *string
|
|
if a.GeoLocation.CountryCode != "" {
|
|
countryCode = &a.GeoLocation.CountryCode
|
|
}
|
|
|
|
var cityName *string
|
|
if a.GeoLocation.CityName != "" {
|
|
cityName = &a.GeoLocation.CityName
|
|
}
|
|
|
|
var subdivisionCode *string
|
|
if a.SubdivisionCode != "" {
|
|
subdivisionCode = &a.SubdivisionCode
|
|
}
|
|
|
|
var protocol *string
|
|
if a.Protocol != "" {
|
|
p := string(a.Protocol)
|
|
protocol = &p
|
|
}
|
|
|
|
var metadata *map[string]string
|
|
if len(a.Metadata) > 0 {
|
|
metadata = &a.Metadata
|
|
}
|
|
|
|
return &api.ProxyAccessLog{
|
|
Id: a.ID,
|
|
ServiceId: a.ServiceID,
|
|
Timestamp: a.Timestamp,
|
|
Method: a.Method,
|
|
Host: a.Host,
|
|
Path: a.Path,
|
|
DurationMs: int(a.Duration.Milliseconds()),
|
|
StatusCode: a.StatusCode,
|
|
SourceIp: sourceIP,
|
|
Reason: reason,
|
|
UserId: userID,
|
|
AuthMethodUsed: authMethod,
|
|
CountryCode: countryCode,
|
|
CityName: cityName,
|
|
SubdivisionCode: subdivisionCode,
|
|
BytesUpload: a.BytesUpload,
|
|
BytesDownload: a.BytesDownload,
|
|
Protocol: protocol,
|
|
Metadata: metadata,
|
|
}
|
|
}
|