crowdsec/pkg/csconfig/api.go

package csconfig

import (
	"fmt"
	"io/ioutil"
	"net"
	"strings"

	"github.com/crowdsecurity/crowdsec/pkg/apiclient"
	"github.com/pkg/errors"
	log "github.com/sirupsen/logrus"
	"gopkg.in/yaml.v2"
)

type APICfg struct {
	Client *LocalApiClientCfg `yaml:"client"`
	Server *LocalApiServerCfg `yaml:"server"`
}

type ApiCredentialsCfg struct {
	URL      string `yaml:"url,omitempty" json:"url,omitempty"`
	Login    string `yaml:"login,omitempty" json:"login,omitempty"`
	Password string `yaml:"password,omitempty" json:"-"`
}

/*global api config (for lapi->oapi)*/
type OnlineApiClientCfg struct {
	CredentialsFilePath string             `yaml:"credentials_path,omitempty"` //credz will be edited by software, store in diff file
	Credentials         *ApiCredentialsCfg `yaml:"-"`
}

/*local api config (for crowdsec/cscli->lapi)*/
type LocalApiClientCfg struct {
	CredentialsFilePath string             `yaml:"credentials_path,omitempty"` //credz will be edited by software, store in diff file
	Credentials         *ApiCredentialsCfg `yaml:"-"`
	InsecureSkipVerify  *bool              `yaml:"insecure_skip_verify"` // check if api certificate is bad or not
}

func (o *OnlineApiClientCfg) Load() error {
	o.Credentials = new(ApiCredentialsCfg)
	fcontent, err := ioutil.ReadFile(o.CredentialsFilePath)
	if err != nil {
		return errors.Wrapf(err, "failed to read api server credentials configuration file '%s'", o.CredentialsFilePath)
	}
	err = yaml.UnmarshalStrict(fcontent, o.Credentials)
	if err != nil {
		return errors.Wrapf(err, "failed unmarshaling api server credentials configuration file '%s'", o.CredentialsFilePath)
	}
	if o.Credentials.Login == "" || o.Credentials.Password == "" || o.Credentials.URL == "" {
		log.Warningf("can't load CAPI credentials from '%s' (missing field)", o.CredentialsFilePath)
		o.Credentials = nil
	}
	return nil
}

func (l *LocalApiClientCfg) Load() error {
	fcontent, err := ioutil.ReadFile(l.CredentialsFilePath)
	if err != nil {
		return errors.Wrapf(err, "failed to read api client credential configuration file '%s'", l.CredentialsFilePath)
	}
	err = yaml.UnmarshalStrict(fcontent, &l.Credentials)
	if err != nil {
		return errors.Wrapf(err, "failed unmarshaling api client credential configuration file '%s'", l.CredentialsFilePath)
	}
	if l.Credentials != nil && l.Credentials.URL != "" {
		if !strings.HasSuffix(l.Credentials.URL, "/") {
			l.Credentials.URL = l.Credentials.URL + "/"
		}
	} else {
		log.Warningf("no credentials or URL found in api client configuration '%s'", l.CredentialsFilePath)
	}
	if l.InsecureSkipVerify == nil {
		apiclient.InsecureSkipVerify = false
	} else {
		apiclient.InsecureSkipVerify = *l.InsecureSkipVerify
	}
	return nil
}

func (lapiCfg *LocalApiServerCfg) GetTrustedIPs() ([]net.IPNet, error) {
	trustedIPs := make([]net.IPNet, 0)
	for _, ip := range lapiCfg.TrustedIPs {
		cidr := toValidCIDR(ip)
		_, ipNet, err := net.ParseCIDR(cidr)
		if err != nil {
			return nil, err
		}
		trustedIPs = append(trustedIPs, *ipNet)
	}
	return trustedIPs, nil
}

func toValidCIDR(ip string) string {
	if strings.Contains(ip, "/") {
		return ip
	}

	if strings.Contains(ip, ":") {
		return ip + "/128"
	}
	return ip + "/32"
}

/*local api service configuration*/
type LocalApiServerCfg struct {
	ListenURI              string              `yaml:"listen_uri,omitempty"` //127.0.0.1:8080
	TLS                    *TLSCfg             `yaml:"tls"`
	DbConfig               *DatabaseCfg        `yaml:"-"`
	LogDir                 string              `yaml:"-"`
	LogMedia               string              `yaml:"-"`
	OnlineClient           *OnlineApiClientCfg `yaml:"online_client"`
	ProfilesPath           string              `yaml:"profiles_path,omitempty"`
	ConsoleConfigPath      string              `yaml:"console_path,omitempty"`
	ConsoleConfig          *ConsoleConfig      `yaml:"-"`
	Profiles               []*ProfileCfg       `yaml:"-"`
	LogLevel               *log.Level          `yaml:"log_level"`
	UseForwardedForHeaders bool                `yaml:"use_forwarded_for_headers,omitempty"`
	TrustedProxies         *[]string           `yaml:"trusted_proxies,omitempty"`
	CompressLogs           *bool               `yaml:"-"`
	LogMaxSize             int                 `yaml:"-"`
	LogMaxAge              int                 `yaml:"-"`
	LogMaxFiles            int                 `yaml:"-"`
	TrustedIPs             []string            `yaml:"trusted_ips,omitempty"`
}

type TLSCfg struct {
	CertFilePath string `yaml:"cert_file"`
	KeyFilePath  string `yaml:"key_file"`
}

func (c *Config) LoadAPIServer() error {
	if c.API.Server != nil && !c.DisableAPI {
		if err := c.LoadCommon(); err != nil {
			return fmt.Errorf("loading common configuration: %s", err.Error())
		}
		c.API.Server.LogDir = c.Common.LogDir
		c.API.Server.LogMedia = c.Common.LogMedia
		c.API.Server.CompressLogs = c.Common.CompressLogs
		c.API.Server.LogMaxSize = c.Common.LogMaxSize
		c.API.Server.LogMaxAge = c.Common.LogMaxAge
		c.API.Server.LogMaxFiles = c.Common.LogMaxFiles
		if c.API.Server.UseForwardedForHeaders && c.API.Server.TrustedProxies == nil {
			c.API.Server.TrustedProxies = &[]string{"0.0.0.0/0"}
		}
		if c.API.Server.TrustedProxies != nil {
			c.API.Server.UseForwardedForHeaders = true
		}
		if err := c.API.Server.LoadProfiles(); err != nil {
			return errors.Wrap(err, "while loading profiles for LAPI")
		}
		if c.API.Server.ConsoleConfigPath == "" {
			c.API.Server.ConsoleConfigPath = DefaultConsoleConfigFilePath
		}
		if err := c.API.Server.LoadConsoleConfig(); err != nil {
			return errors.Wrap(err, "while loading console options")
		}

		if c.API.Server.OnlineClient != nil && c.API.Server.OnlineClient.CredentialsFilePath != "" {
			if err := c.API.Server.OnlineClient.Load(); err != nil {
				return errors.Wrap(err, "loading online client credentials")
			}
		}
		if c.API.Server.OnlineClient == nil || c.API.Server.OnlineClient.Credentials == nil {
			log.Printf("push and pull to Central API disabled")
		}
		if err := c.LoadDBConfig(); err != nil {
			return err
		}
	} else {
		log.Warningf("crowdsec local API is disabled")
		c.DisableAPI = true
	}

	return nil
}

func (c *Config) LoadAPIClient() error {
	if c.API != nil && c.API.Client != nil && c.API.Client.CredentialsFilePath != "" && !c.DisableAgent {
		if err := c.API.Client.Load(); err != nil {
			return err
		}
	} else {
		return fmt.Errorf("no API client section in configuration")
	}

	return nil
}
local api (#482) Co-authored-by: AlteredCoder Co-authored-by: erenJag 2020-11-30 09:37:17 +00:00			`package csconfig`

Refactor configuration management (#698) 2021-03-24 17:16:17 +00:00			`import (`
			`"fmt"`
			`"io/ioutil"`
Add trusted IPs which have admin API access (#1352) * Add trusted IPs which have admin API access 2022-03-16 16:28:34 +00:00			`"net"`
Refactor configuration management (#698) 2021-03-24 17:16:17 +00:00			`"strings"`

			`"github.com/crowdsecurity/crowdsec/pkg/apiclient"`
			`"github.com/pkg/errors"`
			`log "github.com/sirupsen/logrus"`
			`"gopkg.in/yaml.v2"`
			`)`
local api (#482) Co-authored-by: AlteredCoder Co-authored-by: erenJag 2020-11-30 09:37:17 +00:00
			`type APICfg struct {`
			Client *LocalApiClientCfg `yaml:"client"`
			Server *LocalApiServerCfg `yaml:"server"`
			`}`

			`type ApiCredentialsCfg struct {`
			URL string `yaml:"url,omitempty" json:"url,omitempty"`
			Login string `yaml:"login,omitempty" json:"login,omitempty"`
			Password string `yaml:"password,omitempty" json:"-"`
			`}`

			`/global api config (for lapi->oapi)/`
			`type OnlineApiClientCfg struct {`
			CredentialsFilePath string `yaml:"credentials_path,omitempty"` //credz will be edited by software, store in diff file
			Credentials *ApiCredentialsCfg `yaml:"-"`
			`}`

			`/local api config (for crowdsec/cscli->lapi)/`
			`type LocalApiClientCfg struct {`
			CredentialsFilePath string `yaml:"credentials_path,omitempty"` //credz will be edited by software, store in diff file
			Credentials *ApiCredentialsCfg `yaml:"-"`
			InsecureSkipVerify *bool `yaml:"insecure_skip_verify"` // check if api certificate is bad or not
			`}`

Refactor configuration management (#698) 2021-03-24 17:16:17 +00:00			`func (o *OnlineApiClientCfg) Load() error {`
			`o.Credentials = new(ApiCredentialsCfg)`
			`fcontent, err := ioutil.ReadFile(o.CredentialsFilePath)`
			`if err != nil {`
			`return errors.Wrapf(err, "failed to read api server credentials configuration file '%s'", o.CredentialsFilePath)`
			`}`
			`err = yaml.UnmarshalStrict(fcontent, o.Credentials)`
			`if err != nil {`
			`return errors.Wrapf(err, "failed unmarshaling api server credentials configuration file '%s'", o.CredentialsFilePath)`
			`}`
			`if o.Credentials.Login == "" \|\| o.Credentials.Password == "" \|\| o.Credentials.URL == "" {`
			`log.Warningf("can't load CAPI credentials from '%s' (missing field)", o.CredentialsFilePath)`
			`o.Credentials = nil`
			`}`
			`return nil`
			`}`

			`func (l *LocalApiClientCfg) Load() error {`
			`fcontent, err := ioutil.ReadFile(l.CredentialsFilePath)`
			`if err != nil {`
			`return errors.Wrapf(err, "failed to read api client credential configuration file '%s'", l.CredentialsFilePath)`
			`}`
			`err = yaml.UnmarshalStrict(fcontent, &l.Credentials)`
			`if err != nil {`
			`return errors.Wrapf(err, "failed unmarshaling api client credential configuration file '%s'", l.CredentialsFilePath)`
			`}`
			`if l.Credentials != nil && l.Credentials.URL != "" {`
			`if !strings.HasSuffix(l.Credentials.URL, "/") {`
			`l.Credentials.URL = l.Credentials.URL + "/"`
			`}`
			`} else {`
			`log.Warningf("no credentials or URL found in api client configuration '%s'", l.CredentialsFilePath)`
			`}`
			`if l.InsecureSkipVerify == nil {`
			`apiclient.InsecureSkipVerify = false`
			`} else {`
			`apiclient.InsecureSkipVerify = *l.InsecureSkipVerify`
			`}`
			`return nil`
			`}`

Add trusted IPs which have admin API access (#1352) * Add trusted IPs which have admin API access 2022-03-16 16:28:34 +00:00			`func (lapiCfg *LocalApiServerCfg) GetTrustedIPs() ([]net.IPNet, error) {`
			`trustedIPs := make([]net.IPNet, 0)`
			`for _, ip := range lapiCfg.TrustedIPs {`
			`cidr := toValidCIDR(ip)`
			`_, ipNet, err := net.ParseCIDR(cidr)`
			`if err != nil {`
			`return nil, err`
			`}`
			`trustedIPs = append(trustedIPs, *ipNet)`
			`}`
			`return trustedIPs, nil`
			`}`

			`func toValidCIDR(ip string) string {`
			`if strings.Contains(ip, "/") {`
			`return ip`
			`}`

			`if strings.Contains(ip, ":") {`
			`return ip + "/128"`
			`}`
			`return ip + "/32"`
			`}`

local api (#482) Co-authored-by: AlteredCoder Co-authored-by: erenJag 2020-11-30 09:37:17 +00:00			`/local api service configuration/`
			`type LocalApiServerCfg struct {`
Add use_forwarded_for_headers configuration option for LAPI (#610) * Add use_forwarded_for_headers configuration option for LAPI * update documentation 2021-02-09 18:10:14 +00:00			ListenURI string `yaml:"listen_uri,omitempty"` //127.0.0.1:8080
			TLS *TLSCfg `yaml:"tls"`
			DbConfig *DatabaseCfg `yaml:"-"`
			LogDir string `yaml:"-"`
only set logfile dir if media is file (#615) 2021-02-11 17:28:01 +00:00			LogMedia string `yaml:"-"`
Add use_forwarded_for_headers configuration option for LAPI (#610) * Add use_forwarded_for_headers configuration option for LAPI * update documentation 2021-02-09 18:10:14 +00:00			OnlineClient *OnlineApiClientCfg `yaml:"online_client"`
			ProfilesPath string `yaml:"profiles_path,omitempty"`
lapi to capi : allow push of tainted/custom/manual decisions (#1154) * add console command to control signal sharing * modify metrics endpoint to add lastpush Co-authored-by: alteredCoder <kevin@crowdsec.net> 2022-01-13 15:46:16 +00:00			ConsoleConfigPath string `yaml:"console_path,omitempty"`
			ConsoleConfig *ConsoleConfig `yaml:"-"`
Add use_forwarded_for_headers configuration option for LAPI (#610) * Add use_forwarded_for_headers configuration option for LAPI * update documentation 2021-02-09 18:10:14 +00:00			Profiles []*ProfileCfg `yaml:"-"`
			LogLevel *log.Level `yaml:"log_level"`
			UseForwardedForHeaders bool `yaml:"use_forwarded_for_headers,omitempty"`
Gin upgrade (#1174) * upgrade gin / gin-jwt, and add a new 'trusted_proxies' option to provide trusted CIDRs 2022-01-17 16:18:12 +00:00			TrustedProxies *[]string `yaml:"trusted_proxies,omitempty"`
Allow to configure log rotation (#1130) 2021-12-28 10:59:03 +00:00			CompressLogs *bool `yaml:"-"`
			LogMaxSize int `yaml:"-"`
			LogMaxAge int `yaml:"-"`
			LogMaxFiles int `yaml:"-"`
Add trusted IPs which have admin API access (#1352) * Add trusted IPs which have admin API access 2022-03-16 16:28:34 +00:00			TrustedIPs []string `yaml:"trusted_ips,omitempty"`
local api (#482) Co-authored-by: AlteredCoder Co-authored-by: erenJag 2020-11-30 09:37:17 +00:00			`}`

			`type TLSCfg struct {`
			CertFilePath string `yaml:"cert_file"`
			KeyFilePath string `yaml:"key_file"`
			`}`
Refactor configuration management (#698) 2021-03-24 17:16:17 +00:00
			`func (c *Config) LoadAPIServer() error {`
			`if c.API.Server != nil && !c.DisableAPI {`
			`if err := c.LoadCommon(); err != nil {`
			`return fmt.Errorf("loading common configuration: %s", err.Error())`
			`}`
			`c.API.Server.LogDir = c.Common.LogDir`
			`c.API.Server.LogMedia = c.Common.LogMedia`
Allow to configure log rotation (#1130) 2021-12-28 10:59:03 +00:00			`c.API.Server.CompressLogs = c.Common.CompressLogs`
			`c.API.Server.LogMaxSize = c.Common.LogMaxSize`
			`c.API.Server.LogMaxAge = c.Common.LogMaxAge`
			`c.API.Server.LogMaxFiles = c.Common.LogMaxFiles`
Gin upgrade (#1174) * upgrade gin / gin-jwt, and add a new 'trusted_proxies' option to provide trusted CIDRs 2022-01-17 16:18:12 +00:00			`if c.API.Server.UseForwardedForHeaders && c.API.Server.TrustedProxies == nil {`
			`c.API.Server.TrustedProxies = &[]string{"0.0.0.0/0"}`
			`}`
			`if c.API.Server.TrustedProxies != nil {`
			`c.API.Server.UseForwardedForHeaders = true`
			`}`
Refactor configuration management (#698) 2021-03-24 17:16:17 +00:00			`if err := c.API.Server.LoadProfiles(); err != nil {`
			`return errors.Wrap(err, "while loading profiles for LAPI")`
			`}`
lapi to capi : allow push of tainted/custom/manual decisions (#1154) * add console command to control signal sharing * modify metrics endpoint to add lastpush Co-authored-by: alteredCoder <kevin@crowdsec.net> 2022-01-13 15:46:16 +00:00			`if c.API.Server.ConsoleConfigPath == "" {`
allow Makefile to override /etc/crowdsec and /var/lib/crowdsec/data (#1221) 2022-02-01 09:34:53 +00:00			`c.API.Server.ConsoleConfigPath = DefaultConsoleConfigFilePath`
lapi to capi : allow push of tainted/custom/manual decisions (#1154) * add console command to control signal sharing * modify metrics endpoint to add lastpush Co-authored-by: alteredCoder <kevin@crowdsec.net> 2022-01-13 15:46:16 +00:00			`}`
			`if err := c.API.Server.LoadConsoleConfig(); err != nil {`
			`return errors.Wrap(err, "while loading console options")`
			`}`

Refactor configuration management (#698) 2021-03-24 17:16:17 +00:00			`if c.API.Server.OnlineClient != nil && c.API.Server.OnlineClient.CredentialsFilePath != "" {`
			`if err := c.API.Server.OnlineClient.Load(); err != nil {`
			`return errors.Wrap(err, "loading online client credentials")`
			`}`
			`}`
			`if c.API.Server.OnlineClient == nil \|\| c.API.Server.OnlineClient.Credentials == nil {`
Minor changes to specific logs (#900) - Minor changes to specific logs - Fix LAPI to not push signals to CAPI when disabled #907 2021-08-25 16:30:05 +00:00			`log.Printf("push and pull to Central API disabled")`
Refactor configuration management (#698) 2021-03-24 17:16:17 +00:00			`}`
			`if err := c.LoadDBConfig(); err != nil {`
			`return err`
			`}`
			`} else {`
			`log.Warningf("crowdsec local API is disabled")`
			`c.DisableAPI = true`
			`}`

			`return nil`
			`}`

			`func (c *Config) LoadAPIClient() error {`
			`if c.API != nil && c.API.Client != nil && c.API.Client.CredentialsFilePath != "" && !c.DisableAgent {`
			`if err := c.API.Client.Load(); err != nil {`
			`return err`
			`}`
			`} else {`
			`return fmt.Errorf("no API client section in configuration")`
			`}`

			`return nil`
			`}`