From 72acf24f52b6bb86c4f8f9b91a25c2987cbe1df8 Mon Sep 17 00:00:00 2001
From: Christian Kreibich
Date: Thu, 2 Jun 2022 18:11:56 -0700
Subject: [PATCH] Management framework: expand notify_agent_hello event arguments

This swaps the host event argument for the Broker ID. The latter is more useful, since the sending agent doesn't necessarily know its IP address as visible to the controller, and the controller can pull up the full Broker context via the ID. It also adds an explicit argument to the event to indicate whether the agent connected to the controller or vice versa. This simplifies the controller's internal logic. Also minor tweaks to logging to show Broker IDs.
---
 scripts/policy/frameworks/management/agent/api.zeek | 11 +++++++----
 scripts/policy/frameworks/management/agent/main.zeek | 5 +++--
 .../policy/frameworks/management/controller/main.zeek | 9 +++++----
 .../zeek.nodes.controller.stdout | 2 +-
 .../management/controller/agent-checkin.zeek | 6 ++----
 5 files changed, 18 insertions(+), 15 deletions(-)

diff --git a/scripts/policy/frameworks/management/agent/api.zeek b/scripts/policy/frameworks/management/agent/api.zeek
index 9fddaa44f1..ba9c0b22bd 100644
--- a/scripts/policy/frameworks/management/agent/api.zeek
+++ b/scripts/policy/frameworks/management/agent/api.zeek
@@ -145,17 +145,20 @@ export {
 ## The agent sends this event upon peering as a "check-in", informing
 ## the controller that an agent of the given name is now available to
 ## communicate with. It is a controller-level equivalent of
- ## `:zeek:see:`Broker::peer_added`.
+ ## `:zeek:see:`Broker::peer_added` and triggered by it.
 ##
 ## instance: an instance name, really the agent's name as per
 ## :zeek:see:`Management::Agent::get_name`.
 ##
- ## host: the IP address of the agent. (This may change in the future.)
+ ## id: the Broker ID of the agent.
+ ##
+ ## connecting: true if this agent connected to the controller,
+ ## false if the controller connected to the agent.
 ##
 ## api_version: the API version of this agent.
 ##
- global notify_agent_hello: event(instance: string, host: addr,
- api_version: count);
+ global notify_agent_hello: event(instance: string, id: string,
+ connecting: bool, api_version: count);
 # The following are not yet implemented.
diff --git a/scripts/policy/frameworks/management/agent/main.zeek b/scripts/policy/frameworks/management/agent/main.zeek
index 5b9912c89b..6105edb8dd 100644
--- a/scripts/policy/frameworks/management/agent/main.zeek
+++ b/scripts/policy/frameworks/management/agent/main.zeek
@@ -694,7 +694,8 @@ event Broker::peer_added(peer: Broker::EndpointInfo, msg: string)
 Broker::publish(agent_topic(),
 Management::Agent::API::notify_agent_hello,
- epi$id, to_addr(epi$network$address),
+ epi$id, Broker::node_id(),
+ Management::Agent::controller$address != "0.0.0.0",
 Management::Agent::API::version);
 }
@@ -736,5 +737,5 @@ event zeek_init()
 # If the controller connects to us, it also uses this port.
 Broker::listen(cat(epi$network$address), epi$network$bound_port);
- Management::Log::info("agent is live");
+ Management::Log::info(fmt("agent is live, Broker ID %s", Broker::node_id()));
 }
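Review bot: In agent/api.zeek, the new `notify_agent_hello` signature is not compatible with peers that still publish the old `(instance, host, api_version)` form, and this same event is what carries `api_version` to the controller's mismatch check. A mixed-version deployment would therefore presumably fail at event dispatch and never reach the "incompatible API version" warning shown in controller/main.zeek, leaving operators with a silently missing check-in. Nothing in this file section changes a version constant (all 11 changed lines are in this hunk), so if one is defined here it should be bumped, and the doc comment could say so: `## Note: changing this event's arguments breaks the version handshake with older peers.` The `export` block continues outside the hunk.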
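Review bot: In agent/main.zeek (hunk at -694), `connecting` is computed as `Management::Agent::controller$address != "0.0.0.0"`, so it reflects the agent's configuration, not how this particular peering was actually established. `Broker::peer_added` fires for any new peer and the agent also listens (the `Broker::listen` call in the next hunk), so if a controller address is configured but the controller was the side that connected, the hello would still claim the agent connected; whether both paths can be active at once is not visible here. Since the commit message says the controller's logic now relies on this flag, the sentinel deserves a comment at the call site, for example `# T if we are configured to connect to the controller; "0.0.0.0" means we only listen for it.` The handler starts and ends outside the hunk.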
diff --git a/scripts/policy/frameworks/management/controller/main.zeek b/scripts/policy/frameworks/management/controller/main.zeek
index 4759f5774c..ccee0a6a7d 100644
--- a/scripts/policy/frameworks/management/controller/main.zeek
+++ b/scripts/policy/frameworks/management/controller/main.zeek
@@ -273,9 +273,10 @@ event Management::Controller::API::notify_agents_ready(instances: set[string])
 send_config_to_agents(req, req$set_configuration_state$config);
 }
-event Management::Agent::API::notify_agent_hello(instance: string, host: addr, api_version: count)
+event Management::Agent::API::notify_agent_hello(instance: string, id: string, connecting: bool, api_version: count)
 {
- Management::Log::info(fmt("rx Management::Agent::API::notify_agent_hello %s %s", instance, host));
+ Management::Log::info(fmt("rx Management::Agent::API::notify_agent_hello %s %s %s",
+ instance, id, connecting));
 # When an agent checks in with a mismatching API version, we log the
 # fact and drop its state, if any.
@@ -283,7 +284,7 @@ event Management::Agent::API::notify_agent_hello(instance: string, host: addr, a
 {
 Management::Log::warning(
 fmt("instance %s/%s has checked in with incompatible API version %s",
- instance, host, api_version));
+ instance, id, api_version));
 if ( instance in g_instances )
 drop_instance(g_instances[instance]);
@@ -882,5 +883,5 @@ event zeek_init()
 Broker::subscribe(Management::Agent::topic_prefix);
 Broker::subscribe(Management::Controller::topic);
- Management::Log::info("controller is live");
+ Management::Log::info(fmt("controller is live, Broker ID %s", Broker::node_id()));
 }
diff --git a/testing/btest/Baseline/scripts.policy.frameworks.management.controller.agent-checkin/zeek.nodes.controller.stdout b/testing/btest/Baseline/scripts.policy.frameworks.management.controller.agent-checkin/zeek.nodes.controller.stdout
index 3ce8a1f373..2aa07185c6 100644
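Review bot: In controller/main.zeek (hunk at -273), the handler takes `id` and `connecting` directly from the event arguments, so both are sender-supplied and the controller has no independent evidence for either in the visible lines. The commit message says the controller will use the ID to pull up Broker context and rely on `connecting` for its internal logic, so before either value keys into controller state, `id` should be compared with the endpoint ID that Broker itself reported for the peering (the `Broker::EndpointInfo` delivered with `Broker::peer_added`). The warning in the hunk at -283 logs the same unverified `instance`/`id` pair. The handler body continues outside both hunks, so such a check may already exist there; if not, a marker is the minimum: `# id and connecting are sender-supplied; verify id against Broker's peer info before use.`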
--- a/testing/btest/Baseline/scripts.policy.frameworks.management.controller.agent-checkin/zeek.nodes.controller.stdout
+++ b/testing/btest/Baseline/scripts.policy.frameworks.management.controller.agent-checkin/zeek.nodes.controller.stdout
@@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-notify_agent_hello agent 127.0.0.1 1
+notify_agent_hello agent 1
diff --git a/testing/btest/scripts/policy/frameworks/management/controller/agent-checkin.zeek b/testing/btest/scripts/policy/frameworks/management/controller/agent-checkin.zeek
index 3d248848c7..be0881c6ad 100644
--- a/testing/btest/scripts/policy/frameworks/management/controller/agent-checkin.zeek
+++ b/testing/btest/scripts/policy/frameworks/management/controller/agent-checkin.zeek
@@ -40,14 +40,12 @@ event zeek_init()
 }
 }
-event Management::Agent::API::notify_agent_hello(instance: string, host: addr, api_version: count)
+event Management::Agent::API::notify_agent_hello(instance: string, id: string, connecting: bool, api_version: count)
 {
 if ( Management::role == Management::CONTROLLER )
 {
- # On rare occasion it can happen that we log this twice, which'll need
- # investigating. For now we ensure we only do so once.
 if ( ! logged )
- print(fmt("notify_agent_hello %s %s %s", instance, host, api_version));
+ print(fmt("notify_agent_hello %s %s", instance, api_version));
 logged = T;