Option to disable remote lapi registration (#2010)
* Allow to disable remote lapi registration * Extract method and make it extendable as a generic middleware * Change method name so it make sense to read abort remote if <config> * golint
This commit is contained in:
Laurence Jones
GitHub
parent
addf60b3ee
commit
8acce4637a
|
|
@ -202,12 +202,13 @@ func NewServer(config *csconfig.LocalApiServerCfg) (*APIServer, error) {
|
|||
router.Use(CustomRecoveryWithWriter())
|
||||
|
||||
controller := &controllers.Controller{
|
||||
DBClient: dbClient,
|
||||
Ectx: context.Background(),
|
||||
Router: router,
|
||||
Profiles: config.Profiles,
|
||||
Log: clog,
|
||||
ConsoleConfig: config.ConsoleConfig,
|
||||
DBClient: dbClient,
|
||||
Ectx: context.Background(),
|
||||
Router: router,
|
||||
Profiles: config.Profiles,
|
||||
Log: clog,
|
||||
ConsoleConfig: config.ConsoleConfig,
|
||||
DisableRemoteLapiRegistration: config.DisableRemoteLapiRegistration,
|
||||
}
|
||||
|
||||
var apiClient *apic
|
||||
|
|
|
|||
|
|
@ -16,17 +16,18 @@ import (
|
|||
)
|
||||
|
||||
type Controller struct {
|
||||
Ectx context.Context
|
||||
DBClient *database.Client
|
||||
Router *gin.Engine
|
||||
Profiles []*csconfig.ProfileCfg
|
||||
AlertsAddChan chan []*models.Alert
|
||||
DecisionDeleteChan chan []*models.Decision
|
||||
PluginChannel chan csplugin.ProfileAlert
|
||||
Log *log.Logger
|
||||
ConsoleConfig *csconfig.ConsoleConfig
|
||||
TrustedIPs []net.IPNet
|
||||
HandlerV1 *v1.Controller
|
||||
Ectx context.Context
|
||||
DBClient *database.Client
|
||||
Router *gin.Engine
|
||||
Profiles []*csconfig.ProfileCfg
|
||||
AlertsAddChan chan []*models.Alert
|
||||
DecisionDeleteChan chan []*models.Decision
|
||||
PluginChannel chan csplugin.ProfileAlert
|
||||
Log *log.Logger
|
||||
ConsoleConfig *csconfig.ConsoleConfig
|
||||
TrustedIPs []net.IPNet
|
||||
HandlerV1 *v1.Controller
|
||||
DisableRemoteLapiRegistration bool
|
||||
}
|
||||
|
||||
func (c *Controller) Init() error {
|
||||
|
|
@ -85,7 +86,7 @@ func (c *Controller) NewV1() error {
|
|||
})
|
||||
|
||||
groupV1 := c.Router.Group("/v1")
|
||||
groupV1.POST("/watchers", c.HandlerV1.CreateMachine)
|
||||
groupV1.POST("/watchers", c.HandlerV1.AbortRemoteIf(c.DisableRemoteLapiRegistration), c.HandlerV1.CreateMachine)
|
||||
groupV1.POST("/watchers/login", c.HandlerV1.Middlewares.JWT.Middleware.LoginHandler)
|
||||
|
||||
jwtAuth := groupV1.Group("")
|
||||
|
|
|
|||
|
|
@ -2,6 +2,7 @@ package v1
|
|||
|
||||
import (
|
||||
"fmt"
|
||||
"net/http"
|
||||
|
||||
"github.com/crowdsecurity/crowdsec/pkg/database/ent"
|
||||
"github.com/gin-gonic/gin"
|
||||
|
|
@ -24,3 +25,13 @@ func getBouncerFromContext(ctx *gin.Context) (*ent.Bouncer, error) {
|
|||
|
||||
return bouncerInfo, nil
|
||||
}
|
||||
|
||||
func (c *Controller) AbortRemoteIf(option bool) gin.HandlerFunc {
|
||||
return func(gctx *gin.Context) {
|
||||
incomingIP := gctx.ClientIP()
|
||||
if option && incomingIP != "127.0.0.1" && incomingIP != "::1" {
|
||||
gctx.JSON(http.StatusForbidden, gin.H{"message": "access forbidden"})
|
||||
gctx.Abort()
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -175,26 +175,27 @@ func toValidCIDR(ip string) string {
|
|||
|
||||
/*local api service configuration*/
|
||||
type LocalApiServerCfg struct {
|
||||
Enable *bool `yaml:"enable"`
|
||||
ListenURI string `yaml:"listen_uri,omitempty"` // 127.0.0.1:8080
|
||||
TLS *TLSCfg `yaml:"tls"`
|
||||
DbConfig *DatabaseCfg `yaml:"-"`
|
||||
LogDir string `yaml:"-"`
|
||||
LogMedia string `yaml:"-"`
|
||||
OnlineClient *OnlineApiClientCfg `yaml:"online_client"`
|
||||
ProfilesPath string `yaml:"profiles_path,omitempty"`
|
||||
ConsoleConfigPath string `yaml:"console_path,omitempty"`
|
||||
ConsoleConfig *ConsoleConfig `yaml:"-"`
|
||||
Profiles []*ProfileCfg `yaml:"-"`
|
||||
LogLevel *log.Level `yaml:"log_level"`
|
||||
UseForwardedForHeaders bool `yaml:"use_forwarded_for_headers,omitempty"`
|
||||
TrustedProxies *[]string `yaml:"trusted_proxies,omitempty"`
|
||||
CompressLogs *bool `yaml:"-"`
|
||||
LogMaxSize int `yaml:"-"`
|
||||
LogMaxAge int `yaml:"-"`
|
||||
LogMaxFiles int `yaml:"-"`
|
||||
TrustedIPs []string `yaml:"trusted_ips,omitempty"`
|
||||
PapiLogLevel *log.Level `yaml:"papi_log_level"`
|
||||
Enable *bool `yaml:"enable"`
|
||||
ListenURI string `yaml:"listen_uri,omitempty"` // 127.0.0.1:8080
|
||||
TLS *TLSCfg `yaml:"tls"`
|
||||
DbConfig *DatabaseCfg `yaml:"-"`
|
||||
LogDir string `yaml:"-"`
|
||||
LogMedia string `yaml:"-"`
|
||||
OnlineClient *OnlineApiClientCfg `yaml:"online_client"`
|
||||
ProfilesPath string `yaml:"profiles_path,omitempty"`
|
||||
ConsoleConfigPath string `yaml:"console_path,omitempty"`
|
||||
ConsoleConfig *ConsoleConfig `yaml:"-"`
|
||||
Profiles []*ProfileCfg `yaml:"-"`
|
||||
LogLevel *log.Level `yaml:"log_level"`
|
||||
UseForwardedForHeaders bool `yaml:"use_forwarded_for_headers,omitempty"`
|
||||
TrustedProxies *[]string `yaml:"trusted_proxies,omitempty"`
|
||||
CompressLogs *bool `yaml:"-"`
|
||||
LogMaxSize int `yaml:"-"`
|
||||
LogMaxAge int `yaml:"-"`
|
||||
LogMaxFiles int `yaml:"-"`
|
||||
TrustedIPs []string `yaml:"trusted_ips,omitempty"`
|
||||
PapiLogLevel *log.Level `yaml:"papi_log_level"`
|
||||
DisableRemoteLapiRegistration bool `yaml:"disable_remote_lapi_registration,omitempty"`
|
||||
}
|
||||
|
||||
type TLSCfg struct {
|
||||
|
|
|
|||
Loading…
Reference in a new issue