+`dhcp-router` este actualizat de endpoint-ul `POST /api/collect/dhcp-leases` când MikroTik împinge evenimente de lease de pe `192.168.2.1`.

+

+Rows are populated by the DHCP push collector endpoint `POST /api/collect/dhcp-leases`, normally called from the MikroTik `lease-script` on `192.168.2.1`.

+

+| 2026-06-10 | DHCP Lease Push Collector | [Database](development-logs/database.md#2026-06-10---dhcp-lease-push-collector) |

+

+## 2026-06-10 - DHCP Lease Push Collector

+

+Observatie: DHCP-ul de pe `192.168.2.1` este autoritatea pentru alocarea IP-urilor LAN, dar baza runtime avea doar tabela `dhcp_leases`, fara un colector operational.

+

+Decizie:

+

+- MikroTik impinge evenimentele de lease prin `lease-script` catre `POST /api/collect/dhcp-leases`

+- endpoint-ul este protejat cu `HOST_MANAGER_DHCP_PUSH_TOKEN`, separat de sesiunea OTP pentru UI

+- ingest-ul scrie doar in `dhcp_leases` si actualizeaza workerul `dhcp-router`

+- observatiile DHCP raman material de audit/propunere si nu modifica automat host registry-ul sau manifestul DNS

+

+Scop:

+

+- sa colectam lease-uri fara credential SSH pentru router in aplicatie

+- sa pastram DHCP ca sursa observata cu prioritate mare, dar fara side effect automat asupra DNS-ului local

+- `POST /api/collect/dhcp-leases` — ingest DHCP lease push, protejat cu `HOST_MANAGER_DHCP_PUSH_TOKEN`

+## Colector DHCP

+

+Routerul DHCP `192.168.2.1` împinge evenimente de lease către Madagascar Local Authority prin:

+

+```text

+POST https://hosts.madagascar.xdev.ro/api/collect/dhcp-leases

+X-DHCP-Push-Token: <HOST_MANAGER_DHCP_PUSH_TOKEN>

+```

+

+Endpoint-ul scrie doar în `dhcp_leases` și actualizează `data_workers.last_run_at`; nu modifică automat registry-ul de hosturi, `config/hosts.yaml` sau `config/local-hosts.tsv`.

+

+Scriptul RouterOS versionat este:

+

+```text

+deploy/mikrotik/dhcp-lease-push.rsc

+```

+

+Înainte de import, setează tokenul real în `/etc/xdev/host-manager.env` pe jumper și în variabila `hostManagerDhcpPushToken` din scriptul RouterOS. Scriptul setează `lease-script` pe serverele DHCP existente; dacă routerul are deja un `lease-script`, codul trebuie îmbinat manual ca să nu se piardă logica existentă.

+

+  deploy/mikrotik/dhcp-lease-push.rsc

+

+## DHCP lease push

+

+Lease-urile DHCP de pe routerul `192.168.2.1` sunt colectate prin push HTTP de pe MikroTik către:

+

+```text

+POST https://hosts.madagascar.xdev.ro/api/collect/dhcp-leases

+```

+

+Setează `HOST_MANAGER_DHCP_PUSH_TOKEN` în `/etc/xdev/host-manager.env` și același token în `deploy/mikrotik/dhcp-lease-push.rsc` înainte de importul pe router. Endpoint-ul acceptă headerul `X-DHCP-Push-Token` sau `Authorization: Bearer ...` și scrie observații în `dhcp_leases`.

+

+Scriptul RouterOS folosește `lease-script`, deci trimite evenimentele noi/modificate. Dacă routerul are deja un `lease-script`, îmbină manual codul din `deploy/mikrotik/dhcp-lease-push.rsc`.

+

+# Shared token accepted by POST /api/collect/dhcp-leases.

+# This is for the MikroTik DHCP lease push hook, not for browser login.

+HOST_MANAGER_DHCP_PUSH_TOKEN=CHANGE_ME_DHCP_PUSH_TOKEN

+# MikroTik RouterOS DHCP lease push hook for Madagascar Local Authority.

+#

+# Edit hostManagerDhcpPushToken before import. If the DHCP server already has a

+# lease-script, merge this source manually instead of overwriting it.

+

+:global hostManagerDhcpPushUrl "https://hosts.madagascar.xdev.ro/api/collect/dhcp-leases";

+:global hostManagerDhcpPushToken "CHANGE_ME_DHCP_PUSH_TOKEN";

+

+/ip dhcp-server set [find] lease-script={

+    :global hostManagerDhcpPushUrl;

+    :global hostManagerDhcpPushToken;

+

+    :local leaseName $"lease-hostname";

+    :local leaseState "unbound";

+    :if ($leaseBound = 1) do={

+        :set leaseState "bound";

+    }

+

+    :local payload ("worker_id=dhcp-router&ip_address=" . $leaseActIP . "&mac_address=" . $leaseActMAC . "&observed_name=" . $leaseName . "&lease_state=" . $leaseState . "&bound=" . $leaseBound);

+    /tool fetch url=$hostManagerDhcpPushUrl \

+        http-method=post \

+        http-header-field=("Content-Type:application/x-www-form-urlencoded,X-DHCP-Push-Token:" . $hostManagerDhcpPushToken) \

+        http-data=$payload \

+        http-percent-encoding=yes \

+        check-certificate=no \

+        keep-result=no;

+}

+  HOST_MANAGER_DHCP_PUSH_TOKEN  Token for DHCP lease push collector.

+    if ($method eq 'POST' && $path eq '/api/collect/dhcp-leases') {

+        return collect_dhcp_leases($client, \%headers, $body);

+    }

+sub collect_dhcp_leases {

+    my ($client, $headers, $body) = @_;

+    my $expected = $ENV{HOST_MANAGER_DHCP_PUSH_TOKEN} || '';

+    return send_json($client, 503, { error => 'dhcp_push_not_configured' }) unless length $expected;

+

+    my $provided = dhcp_push_token_from_headers($headers);

+    return send_json($client, 401, { error => 'invalid_dhcp_push_token' }) unless token_matches($expected, $provided);

+

+    my $payload = request_payload($headers, $body);

+    my @leases = dhcp_payload_leases($payload);

+    return send_json($client, 400, { error => 'missing_dhcp_leases' }) unless @leases;

+

+    my $dbh = dbh();

+    my $now = iso_now();

+    my $worker_id = clean_id($payload->{worker_id} || $payload->{source_id} || 'dhcp-router');

+    $worker_id ||= 'dhcp-router';

+    my @stored;

+    with_transaction($dbh, sub {

+        upsert_dhcp_worker($dbh, $worker_id, $now);

+        for my $lease (@leases) {

+            my $stored = upsert_dhcp_lease($dbh, $worker_id, $lease, $now);

+            push @stored, $stored if $stored;

+        }

+        $dbh->do(

+            'UPDATE data_workers SET last_run_at = ?, updated_at = ? WHERE worker_id = ?',

+            undef,

+            $now,

+            $now,

+            $worker_id,

+        );

+    });

+

+    return send_json($client, 200, {

+        ok => json_bool(1),

+        worker_id => $worker_id,

+        stored => scalar(@stored),

+        leases => \@stored,

+    });

+}

+

+sub dhcp_push_token_from_headers {

+    my ($headers) = @_;

+    my $token = clean_scalar($headers->{'x-dhcp-push-token'} || '');

+    return $token if length $token;

+    my $authorization = clean_scalar($headers->{authorization} || '');

+    return $1 if $authorization =~ /\ABearer\s+(.+)\z/i;

+    return '';

+}

+

+sub token_matches {

+    my ($expected, $provided) = @_;

+    return 0 unless length($expected || '') && length($provided || '');

+    return 0 unless length($expected) == length($provided);

+    my $diff = 0;

+    for my $i (0 .. length($expected) - 1) {

+        $diff |= ord(substr($expected, $i, 1)) ^ ord(substr($provided, $i, 1));

+    }

+    return $diff == 0 ? 1 : 0;

+}

+

+sub dhcp_payload_leases {

+    my ($payload) = @_;

+    return () unless ref($payload) eq 'HASH';

+    if (ref($payload->{leases}) eq 'ARRAY') {

+        return grep { ref($_) eq 'HASH' } @{ $payload->{leases} };

+    }

+    return ($payload);

+}

+

+sub upsert_dhcp_worker {

+    my ($dbh, $worker_id, $now) = @_;

+    $dbh->do(

+        'INSERT INTO data_workers (worker_id, worker_type, name, status, source, last_run_at, notes, created_at, updated_at) '

+        . "VALUES (?, 'dhcp', 'Router DHCP leases', 'active', 'push:192.168.2.1', ?, 'DHCP lease push collector source.', ?, ?) "

+        . 'ON CONFLICT(worker_id) DO UPDATE SET worker_type = excluded.worker_type, name = excluded.name, status = excluded.status, '

+        . 'source = excluded.source, last_run_at = excluded.last_run_at, notes = excluded.notes, updated_at = excluded.updated_at',

+        undef,

+        $worker_id,

+        $now,

+        $now,

+        $now,

+    );

+}

+

+sub upsert_dhcp_lease {

+    my ($dbh, $worker_id, $lease, $now) = @_;

+    my $ip = clean_ip($lease->{ip_address} || $lease->{ip} || $lease->{address} || '');

+    my $mac = clean_mac($lease->{mac_address} || $lease->{mac} || $lease->{active_mac} || '');

+    return unless length $ip || length $mac;

+

+    my $name = normalize_dhcp_name($lease->{observed_name} || $lease->{host_name} || $lease->{hostname} || $lease->{name} || '');

+    my $state = clean_scalar($lease->{lease_state} || $lease->{state} || $lease->{status} || '');

+    if (!length $state && exists $lease->{bound}) {

+        $state = ($lease->{bound} || '') eq '1' ? 'bound' : 'unbound';

+    }

+    $state ||= 'observed';

+

+    my $lease_key = length $mac ? "$worker_id|mac|$mac" : "$worker_id|ip|$ip";

+    my $host_fqdn = match_dhcp_host_fqdn($dbh, $name, $ip);

+    my $raw = json_encode($lease);

+    $dbh->do(

+        'INSERT INTO dhcp_leases (lease_key, worker_id, host_fqdn, observed_name, ip_address, mac_address, lease_state, first_seen, last_seen, raw) '

+        . 'VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?) '

+        . 'ON CONFLICT(lease_key) DO UPDATE SET host_fqdn = excluded.host_fqdn, observed_name = excluded.observed_name, '

+        . 'ip_address = excluded.ip_address, mac_address = excluded.mac_address, lease_state = excluded.lease_state, '

+        . 'last_seen = excluded.last_seen, raw = excluded.raw',

+        undef,

+        $lease_key,

+        $worker_id,

+        length($host_fqdn) ? $host_fqdn : undef,

+        $name,

+        $ip,

+        $mac,

+        $state,

+        $now,

+        $now,

+        $raw,

+    );

+

+    return {

+        lease_key => $lease_key,

+        host_fqdn => $host_fqdn,

+        observed_name => $name,

+        ip_address => $ip,

+        mac_address => $mac,

+        lease_state => $state,

+    };

+}

+

+sub match_dhcp_host_fqdn {

+    my ($dbh, $name, $ip) = @_;

+    my @names;

+    $name = normalize_dns_name($name || '');

+    if (length $name) {

+        push @names, $name;

+        push @names, "$name.madagascar.xdev.ro" unless $name =~ /\./;

+    }

+    for my $candidate (unique_preserve(@names)) {

+        my ($fqdn) = $dbh->selectrow_array('SELECT fqdn FROM hosts WHERE fqdn = ? AND status <> ?', undef, $candidate, 'retired');

+        return $fqdn if $fqdn;

+        ($fqdn) = $dbh->selectrow_array('SELECT host_fqdn FROM host_aliases WHERE alias_name = ? AND status = ?', undef, $candidate, 'active');

+        return $fqdn if $fqdn;

+    }

+    if (length($ip || '')) {

+        my ($fqdn) = $dbh->selectrow_array('SELECT fqdn FROM hosts WHERE (dns_ip = ? OR hosts_ip = ?) AND status <> ? ORDER BY fqdn LIMIT 1', undef, $ip, $ip, 'retired');

+        return $fqdn if $fqdn;

+    }

+    return '';

+}

+

+sub clean_ip {

+    my ($value) = @_;

+    $value = clean_scalar($value);

+    return $value if $value =~ /\A(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}\z/;

+    return '';

+}

+

+sub clean_mac {

+    my ($value) = @_;

+    $value = lc clean_scalar($value);

+    $value =~ s/-/:/g;

+    return $value if $value =~ /\A[0-9a-f]{2}(?::[0-9a-f]{2}){5}\z/;

+    return '';

+}

+

+sub normalize_dhcp_name {

+    my ($value) = @_;

+    $value = normalize_dns_name($value || '');

+    $value =~ s/[^a-z0-9_.-]+/-/g;

+    $value =~ s/^-+|-+$//g;

+    return $value;

+}

+