mirror of
https://github.com/netbirdio/netbird.git
synced 2026-07-16 19:49:56 +00:00
* [agent-network] Shared proto, OpenAPI schema, and generated types * [agent-network] Management: store, manager, synthesizer, policy engine, provider catalog, HTTP/gRPC API Adds the account-scoped agent-network module: provider/policy/budget CRUD and store, the reverse-proxy service synthesizer, policy selection + limit enforcement, the provider catalog (incl. Vertex AI and AWS Bedrock entries), and the management HTTP + proxy gRPC surfaces. * [management] Fix agent-network proxy-peer fan-out on affected-peer recompute The affected-peers resolver loaded only persisted reverse-proxy services, but agent-network services are synthesized on demand and never persisted. As a result the embedded proxy peer was never folded into the affected set when a client's group changed, so the proxy received no network-map update for a newly authorised client and rejected its handshake until a full resync (restart). loadProxyServices now merges the synthesized agent-network services (injected via a registration hook to avoid an import cycle), so proxy peers learn newly authorised clients immediately. * [proxy] Reverse-proxy middleware framework, chain, and request plumbing The per-target middleware chain (slots, dispatcher, mutation gate, metadata merger), body capture, access-log terminal sink, and the proxy wiring that builds + runs chains for synthesized agent-network services. * [proxy] LLM parsers, pricing, and builtin middlewares (OpenAI, Anthropic, Vertex AI, AWS Bedrock) Request/response parsers and SSE/event-stream metering, the embedded pricing table, and the builtin middleware set: request parser, router, policy limit-check/record, cost meter, guardrail, identity inject, response parser. Includes the path-routed providers — Google Vertex AI (keyfile:: service-account OAuth minting) and AWS Bedrock (bearer auth, invoke/converse/streaming, optional /bedrock prefix) — plus the Models allowlist and unmeterable-publisher deny. * [proxy] IPv6 in-place apply and TCP accept-loop hardening on netstack listeners * [agent-network] End-to-end test suite, module docs, and deployment preset * [agent-network] Fix codespell typos and exclude false positives - labelgen word pool: vermillion -> vermilion, racoon -> raccoon. - codespell ignore list: add flate (Go compress/flate package), recordin (a test-local identifier), and unparseable (a valid alternative spelling used consistently across identifiers + a metadata-value constant). * [management] Set LastSeen on injected proxy peer in realstack test (MySQL strict-mode) The injected embedded proxy peer had a PeerStatus with a zero LastSeen, which serializes to '0000-00-00' and is rejected by MySQL in strict mode (SQLite tolerates it). Set LastSeen to a valid time so SaveAccount succeeds on both engines. * [agent-network] Remove e2e shell-script suite from this branch The end-to-end shell scripts under scripts/e2e/ are maintained in a separate testing suite and are not part of this change set. * [agent-network] Polish module docs: remove internal review scaffolding, fix links, verify diagrams Strip PR-review framing, commit references, absolute paths, and stale internal references from the agent-network module docs; fix broken relative links; verify all diagrams against the current architecture. Remove the internal AI-reviewer prompt file. * [management] Refine session expiration handling to support 3-state encoding for SSO deadlines * [agent-network] Relocate agentnetwork package to internals/modules Move management/server/agentnetwork (and its catalog/, labelgen/, types/ subpackages) to management/internals/modules/agentnetwork, alongside the reverse-proxy module, and rewrite all importers. Pure relocation: package names, the synthesizer + affectedpeers registration hook, and store access (shared store.Store) are unchanged, so no import cycle is introduced (affectedpeers still depends only on the agentnetwork/types leaf). * [agent-network] Co-locate HTTP handlers in the module (RegisterEndpoints) Move the agent-network HTTP handlers from server/http/handlers/agentnetwork into the module at internals/modules/agentnetwork/handlers (package handlers) and rename the entrypoint AddEndpoints -> RegisterEndpoints, matching the reverse-proxy module convention. Wiring in http/handler.go updated accordingly.
108 lines
3.6 KiB
Go
108 lines
3.6 KiB
Go
package accesslog
|
|
|
|
import (
|
|
"net"
|
|
"net/http"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/rs/xid"
|
|
|
|
"github.com/netbirdio/netbird/proxy/internal/proxy"
|
|
"github.com/netbirdio/netbird/proxy/internal/responsewriter"
|
|
"github.com/netbirdio/netbird/proxy/web"
|
|
)
|
|
|
|
// Middleware wraps an HTTP handler to log access entries and resolve client IPs.
|
|
func (l *Logger) Middleware(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
// Skip logging for internal proxy assets (CSS, JS, etc.)
|
|
if strings.HasPrefix(r.URL.Path, web.PathPrefix+"/") {
|
|
next.ServeHTTP(w, r)
|
|
return
|
|
}
|
|
|
|
// Generate request ID early so it can be used by error pages and log correlation.
|
|
requestID := xid.New().String()
|
|
|
|
l.logger.Debugf("request: request_id=%s method=%s host=%s path=%s", requestID, r.Method, r.Host, r.URL.Path)
|
|
|
|
// Use a response writer wrapper so we can access the status code later.
|
|
sw := &statusWriter{
|
|
PassthroughWriter: responsewriter.New(w),
|
|
status: http.StatusOK,
|
|
}
|
|
|
|
var bytesRead int64
|
|
if r.Body != nil {
|
|
r.Body = &bodyCounter{
|
|
ReadCloser: r.Body,
|
|
bytesRead: &bytesRead,
|
|
}
|
|
}
|
|
|
|
// Resolve the source IP using trusted proxy configuration before passing
|
|
// the request on, as the proxy will modify forwarding headers.
|
|
sourceIp := extractSourceIP(r, l.trustedProxies)
|
|
|
|
// Create a mutable struct to capture data from downstream handlers.
|
|
// We pass a pointer in the context - the pointer itself flows down immutably,
|
|
// but the struct it points to can be mutated by inner handlers.
|
|
capturedData := proxy.NewCapturedData(requestID)
|
|
capturedData.SetClientIP(sourceIp)
|
|
|
|
ctx := proxy.WithCapturedData(r.Context(), capturedData)
|
|
|
|
start := time.Now()
|
|
next.ServeHTTP(sw, r.WithContext(ctx))
|
|
duration := time.Since(start)
|
|
|
|
host, _, err := net.SplitHostPort(r.Host)
|
|
if err != nil {
|
|
// Fallback to just using the full host value.
|
|
host = r.Host
|
|
}
|
|
|
|
bytesUpload := bytesRead
|
|
bytesDownload := sw.bytesWritten
|
|
|
|
entry := logEntry{
|
|
ID: requestID,
|
|
ServiceID: capturedData.GetServiceID(),
|
|
AccountID: capturedData.GetAccountID(),
|
|
Host: host,
|
|
Path: r.URL.Path,
|
|
DurationMs: duration.Milliseconds(),
|
|
Method: r.Method,
|
|
ResponseCode: int32(sw.status),
|
|
SourceIP: sourceIp,
|
|
AuthMechanism: capturedData.GetAuthMethod(),
|
|
UserID: capturedData.GetUserID(),
|
|
AuthSuccess: sw.status != http.StatusUnauthorized && sw.status != http.StatusForbidden,
|
|
BytesUpload: bytesUpload,
|
|
BytesDownload: bytesDownload,
|
|
Protocol: ProtocolHTTP,
|
|
Metadata: capturedData.GetMetadata(),
|
|
AgentNetwork: capturedData.GetAgentNetwork(),
|
|
}
|
|
l.logger.Debugf("response: request_id=%s method=%s host=%s path=%s status=%d duration=%dms source=%s origin=%s service=%s account=%s",
|
|
requestID, r.Method, host, r.URL.Path, sw.status, duration.Milliseconds(), sourceIp, capturedData.GetOrigin(), capturedData.GetServiceID(), capturedData.GetAccountID())
|
|
|
|
// Emit the access log unless the matched target opted out
|
|
// (agent-network synth targets do this when the account's
|
|
// EnableLogCollection toggle is off). For agent-network entries we
|
|
// still ship a stripped, usage-only record even when suppressed, so
|
|
// usage/cost is collected regardless of the log-collection toggle;
|
|
// request detail and prompt capture are dropped before sending.
|
|
switch {
|
|
case !capturedData.GetSuppressAccessLog():
|
|
l.log(entry)
|
|
case entry.AgentNetwork:
|
|
l.log(stripAgentNetworkEntryForUsage(entry))
|
|
}
|
|
|
|
// Track usage for cost monitoring (upload + download) by domain
|
|
l.trackUsage(host, bytesUpload+bytesDownload)
|
|
})
|
|
}
|