feat: add enrollment event detection from NetBird audit events

2026-03-04 00:17:17 +02:00 · 2026-03-04 00:17:17 +02:00 · 05440ea740
commit 05440ea740
parent 376e0b5a9d
2 changed files with 118 additions and 0 deletions
--- a/src/poller/poller.test.ts
+++ b/src/poller/poller.test.ts
@ -0,0 +1,78 @@
+import { assertEquals } from "@std/assert";
+import type { NbEvent } from "../netbird/types.ts";
+import { processEnrollmentEvents } from "./poller.ts";
+
+/** Helper: build an NbEvent with sensible defaults, overridable per-field. */
+function makeEvent(overrides: Partial<NbEvent> = {}): NbEvent {
+  return {
+    id: 1,
+    timestamp: "2025-06-01T12:00:00Z",
+    activity: "peer setup key added",
+    activity_code: "peer.setupkey.add",
+    initiator_id: "init-1",
+    initiator_name: "admin",
+    target_id: "peer-1",
+    meta: { setup_key: "drone-key", name: "drone-01" },
+    ...overrides,
+  };
+}
+
+Deno.test("processEnrollmentEvents detects peer.setupkey.add", () => {
+  const events: NbEvent[] = [
+    makeEvent(), // enrollment — should match
+    makeEvent({
+      id: 2,
+      activity_code: "peer.login",
+      target_id: "peer-2",
+    }), // not an enrollment
+    makeEvent({
+      id: 3,
+      activity_code: "group.add",
+      target_id: "group-1",
+    }), // unrelated event
+  ];
+
+  const known = new Set(["drone-key"]);
+  const result = processEnrollmentEvents(events, known, null);
+
+  assertEquals(result.length, 1);
+  assertEquals(result[0].setupKeyName, "drone-key");
+  assertEquals(result[0].peerId, "peer-1");
+  assertEquals(result[0].peerHostname, "drone-01");
+  assertEquals(result[0].timestamp, "2025-06-01T12:00:00Z");
+});
+
+Deno.test("processEnrollmentEvents filters by lastTimestamp", () => {
+  const events: NbEvent[] = [
+    makeEvent({ id: 1, timestamp: "2025-06-01T10:00:00Z", target_id: "p1" }),
+    makeEvent({ id: 2, timestamp: "2025-06-01T12:00:00Z", target_id: "p2" }),
+    makeEvent({ id: 3, timestamp: "2025-06-01T14:00:00Z", target_id: "p3" }),
+  ];
+
+  const known = new Set(["drone-key"]);
+
+  // Only events strictly after the watermark should pass.
+  const result = processEnrollmentEvents(
+    events,
+    known,
+    "2025-06-01T12:00:00Z",
+  );
+
+  assertEquals(result.length, 1);
+  assertEquals(result[0].peerId, "p3");
+  assertEquals(result[0].timestamp, "2025-06-01T14:00:00Z");
+});
+
+Deno.test("processEnrollmentEvents ignores unknown keys", () => {
+  const events: NbEvent[] = [
+    makeEvent({
+      meta: { setup_key: "rogue-key", name: "rogue-host" },
+      target_id: "peer-x",
+    }),
+  ];
+
+  const known = new Set(["drone-key", "gcs-key"]);
+  const result = processEnrollmentEvents(events, known, null);
+
+  assertEquals(result.length, 0);
+});
--- a/src/poller/poller.ts
+++ b/src/poller/poller.ts
@ -0,0 +1,40 @@
+import type { NbEvent } from "../netbird/types.ts";
+
+export interface EnrollmentDetection {
+  setupKeyName: string;
+  peerId: string;
+  peerHostname: string;
+  timestamp: string;
+}
+
+/**
+ * Filters enrollment events from the full event list.
+ * Returns enrollments for peers that enrolled using a known setup key
+ * and whose timestamp is after lastTimestamp (if provided).
+ */
+export function processEnrollmentEvents(
+  events: NbEvent[],
+  knownKeyNames: Set<string>,
+  lastTimestamp: string | null,
+): EnrollmentDetection[] {
+  return events
+    .filter((e) => {
+      if (e.activity_code !== "peer.setupkey.add") return false;
+      if (lastTimestamp && e.timestamp <= lastTimestamp) return false;
+      if (!knownKeyNames.has(e.meta.setup_key)) {
+        console.log(JSON.stringify({
+          msg: "unknown_enrollment",
+          setup_key: e.meta.setup_key,
+          peer_id: e.target_id,
+        }));
+        return false;
+      }
+      return true;
+    })
+    .map((e) => ({
+      setupKeyName: e.meta.setup_key,
+      peerId: e.target_id,
+      peerHostname: e.meta.name,
+      timestamp: e.timestamp,
+    }));
+}