Files
netbird/proxy/middleware_translate.go
Maycon Santos b416063bcc [management,proxy] Agent network: per-account LLM gateway (policy, metering, multi-provider) (#6555)
* [agent-network] Shared proto, OpenAPI schema, and generated types

* [agent-network] Management: store, manager, synthesizer, policy engine, provider catalog, HTTP/gRPC API

Adds the account-scoped agent-network module: provider/policy/budget CRUD and
store, the reverse-proxy service synthesizer, policy selection + limit
enforcement, the provider catalog (incl. Vertex AI and AWS Bedrock entries),
and the management HTTP + proxy gRPC surfaces.

* [management] Fix agent-network proxy-peer fan-out on affected-peer recompute

The affected-peers resolver loaded only persisted reverse-proxy services, but
agent-network services are synthesized on demand and never persisted. As a
result the embedded proxy peer was never folded into the affected set when a
client's group changed, so the proxy received no network-map update for a newly
authorised client and rejected its handshake until a full resync (restart).

loadProxyServices now merges the synthesized agent-network services (injected
via a registration hook to avoid an import cycle), so proxy peers learn newly
authorised clients immediately.

* [proxy] Reverse-proxy middleware framework, chain, and request plumbing

The per-target middleware chain (slots, dispatcher, mutation gate, metadata
merger), body capture, access-log terminal sink, and the proxy wiring that
builds + runs chains for synthesized agent-network services.

* [proxy] LLM parsers, pricing, and builtin middlewares (OpenAI, Anthropic, Vertex AI, AWS Bedrock)

Request/response parsers and SSE/event-stream metering, the embedded pricing
table, and the builtin middleware set: request parser, router, policy
limit-check/record, cost meter, guardrail, identity inject, response parser.
Includes the path-routed providers — Google Vertex AI (keyfile:: service-account
OAuth minting) and AWS Bedrock (bearer auth, invoke/converse/streaming, optional
/bedrock prefix) — plus the Models allowlist and unmeterable-publisher deny.

* [proxy] IPv6 in-place apply and TCP accept-loop hardening on netstack listeners

* [agent-network] End-to-end test suite, module docs, and deployment preset

* [agent-network] Fix codespell typos and exclude false positives

- labelgen word pool: vermillion -> vermilion, racoon -> raccoon.
- codespell ignore list: add flate (Go compress/flate package), recordin
  (a test-local identifier), and unparseable (a valid alternative spelling used
  consistently across identifiers + a metadata-value constant).

* [management] Set LastSeen on injected proxy peer in realstack test (MySQL strict-mode)

The injected embedded proxy peer had a PeerStatus with a zero LastSeen, which
serializes to '0000-00-00' and is rejected by MySQL in strict mode (SQLite
tolerates it). Set LastSeen to a valid time so SaveAccount succeeds on both
engines.

* [agent-network] Remove e2e shell-script suite from this branch

The end-to-end shell scripts under scripts/e2e/ are maintained in a separate
testing suite and are not part of this change set.

* [agent-network] Polish module docs: remove internal review scaffolding, fix links, verify diagrams

Strip PR-review framing, commit references, absolute paths, and stale internal
references from the agent-network module docs; fix broken relative links; verify
all diagrams against the current architecture. Remove the internal AI-reviewer
prompt file.

* [management] Refine session expiration handling to support 3-state encoding for SSO deadlines

* [agent-network] Relocate agentnetwork package to internals/modules

Move management/server/agentnetwork (and its catalog/, labelgen/, types/
subpackages) to management/internals/modules/agentnetwork, alongside the
reverse-proxy module, and rewrite all importers. Pure relocation: package names,
the synthesizer + affectedpeers registration hook, and store access (shared
store.Store) are unchanged, so no import cycle is introduced (affectedpeers
still depends only on the agentnetwork/types leaf).

* [agent-network] Co-locate HTTP handlers in the module (RegisterEndpoints)

Move the agent-network HTTP handlers from server/http/handlers/agentnetwork into
the module at internals/modules/agentnetwork/handlers (package handlers) and
rename the entrypoint AddEndpoints -> RegisterEndpoints, matching the
reverse-proxy module convention. Wiring in http/handler.go updated accordingly.
2026-06-27 13:41:00 +02:00

166 lines
5.4 KiB
Go

package proxy
import (
"context"
"time"
log "github.com/sirupsen/logrus"
"github.com/netbirdio/netbird/proxy/internal/middleware"
"github.com/netbirdio/netbird/proxy/internal/middleware/bodytap"
"github.com/netbirdio/netbird/shared/management/proto"
)
// translateMiddlewareCaptureConfig builds the per-target capture
// limits used by the middleware chain. Returns nil when the options
// are nil or no capture field is set. Negative caps are normalised to
// zero; oversized caps are clamped to middleware.MaxBodyCapBytes.
func translateMiddlewareCaptureConfig(targetID string, opts *proto.PathTargetOptions) *bodytap.Config {
if opts == nil {
return nil
}
reqCap := clampMiddlewareCaptureBytes(targetID, "request", opts.GetCaptureMaxRequestBytes())
respCap := clampMiddlewareCaptureBytes(targetID, "response", opts.GetCaptureMaxResponseBytes())
types := opts.GetCaptureContentTypes()
if reqCap == 0 && respCap == 0 && len(types) == 0 {
return nil
}
return &bodytap.Config{
MaxRequestBytes: reqCap,
MaxResponseBytes: respCap,
ContentTypes: types,
}
}
func clampMiddlewareCaptureBytes(targetID, direction string, v int64) int64 {
if v < 0 {
log.Debugf("target %s %s capture cap %d clamped to 0", targetID, direction, v)
return 0
}
if v > middleware.MaxBodyCapBytes {
log.Debugf("target %s %s capture cap %d clamped to %d", targetID, direction, v, middleware.MaxBodyCapBytes)
return middleware.MaxBodyCapBytes
}
return v
}
// translateMiddlewareConfigs converts the proto MiddlewareConfig list
// into validated middleware.Spec values. The list is truncated to
// middleware.MaxMiddlewaresPerChain when the caller exceeds the cap.
// Entries with empty IDs, unknown IDs (when registry is non-nil), or
// unspecified slots are skipped with a warn log. Timeouts are clamped
// to [MinTimeout, MaxTimeout] and zero substitutes for DefaultTimeout.
// Returns nil when the resulting slice is empty so callers can leave
// PathTarget.Middlewares unset.
func translateMiddlewareConfigs(
ctx context.Context,
targetID string,
in []*proto.MiddlewareConfig,
registry *middleware.Registry,
) []middleware.Spec {
_ = ctx
if len(in) == 0 {
return nil
}
if len(in) > middleware.MaxMiddlewaresPerChain {
log.Warnf("middleware list for target %q truncated: %d entries exceeds cap of %d",
targetID, len(in), middleware.MaxMiddlewaresPerChain)
in = in[:middleware.MaxMiddlewaresPerChain]
}
out := make([]middleware.Spec, 0, len(in))
for _, cfg := range in {
spec, ok := translateMiddlewareConfig(targetID, cfg, registry)
if !ok {
continue
}
out = append(out, spec)
}
if len(out) == 0 {
return nil
}
return out
}
// translateMiddlewareConfig validates and converts a single
// MiddlewareConfig. The second return value is false when the entry
// must be dropped from the chain.
func translateMiddlewareConfig(targetID string, cfg *proto.MiddlewareConfig, registry *middleware.Registry) (middleware.Spec, bool) {
if cfg == nil {
return middleware.Spec{}, false
}
id := cfg.GetId()
if id == "" {
log.Warnf("middleware config for target %q dropped: empty middleware id", targetID)
return middleware.Spec{}, false
}
if registry != nil && !registry.IsKnown(id) {
log.Warnf("unknown middleware %q configured for target %s; dropping", id, targetID)
return middleware.Spec{}, false
}
slot, ok := protoToMiddlewareSlot(cfg.GetSlot())
if !ok {
log.Warnf("middleware %q on target %q dropped: slot is unspecified", id, targetID)
return middleware.Spec{}, false
}
var rawConfig []byte
if src := cfg.GetConfigJson(); len(src) > 0 {
rawConfig = append([]byte(nil), src...)
}
return middleware.Spec{
ID: id,
Slot: slot,
Enabled: cfg.GetEnabled(),
FailMode: protoToMiddlewareFailMode(cfg.GetFailMode()),
Timeout: clampMiddlewareTimeout(id, cfg.GetTimeout().AsDuration()),
RawConfig: rawConfig,
CanMutate: cfg.GetCanMutate(),
}, true
}
// protoToMiddlewareSlot maps the proto slot enum onto the internal
// middleware.Slot. Returns ok=false for the UNSPECIFIED value so the
// translator can drop the entry.
func protoToMiddlewareSlot(s proto.MiddlewareSlot) (middleware.Slot, bool) {
switch s {
case proto.MiddlewareSlot_MIDDLEWARE_SLOT_ON_REQUEST:
return middleware.SlotOnRequest, true
case proto.MiddlewareSlot_MIDDLEWARE_SLOT_ON_RESPONSE:
return middleware.SlotOnResponse, true
case proto.MiddlewareSlot_MIDDLEWARE_SLOT_TERMINAL:
return middleware.SlotTerminal, true
default:
return 0, false
}
}
// protoToMiddlewareFailMode maps the proto FailMode enum onto the
// internal middleware.FailMode, defaulting to FailOpen for any value
// other than FAIL_CLOSED.
func protoToMiddlewareFailMode(m proto.MiddlewareConfig_FailMode) middleware.FailMode {
if m == proto.MiddlewareConfig_FAIL_CLOSED {
return middleware.FailClosed
}
return middleware.FailOpen
}
// clampMiddlewareTimeout enforces the proxy-wide [MinTimeout, MaxTimeout]
// bounds and substitutes DefaultTimeout for zero inputs. A warn is logged
// only on an actual clamp, not when filling the default.
func clampMiddlewareTimeout(id string, d time.Duration) time.Duration {
if d <= 0 {
return middleware.DefaultTimeout
}
if d < middleware.MinTimeout {
log.Debugf("middleware %s timeout %s clamped to %s", id, d, middleware.MinTimeout)
return middleware.MinTimeout
}
if d > middleware.MaxTimeout {
log.Debugf("middleware %s timeout %s clamped to %s", id, d, middleware.MaxTimeout)
return middleware.MaxTimeout
}
return d
}