diff --git a/pkg/apiserver/apiserver.go b/pkg/apiserver/apiserver.go
index a61058770..3ec15cf8e 100644
--- a/pkg/apiserver/apiserver.go
+++ b/pkg/apiserver/apiserver.go
@@ -202,12 +202,13 @@ func NewServer(config *csconfig.LocalApiServerCfg) (*APIServer, error) {
 router.Use(CustomRecoveryWithWriter())
 controller := &controllers.Controller{
- DBClient: dbClient,
- Ectx: context.Background(),
- Router: router,
- Profiles: config.Profiles,
- Log: clog,
- ConsoleConfig: config.ConsoleConfig,
+ DBClient: dbClient,
+ Ectx: context.Background(),
+ Router: router,
+ Profiles: config.Profiles,
+ Log: clog,
+ ConsoleConfig: config.ConsoleConfig,
+ DisableRemoteLapiRegistration: config.DisableRemoteLapiRegistration,
 }
 var apiClient *apic
diff --git a/pkg/apiserver/controllers/controller.go b/pkg/apiserver/controllers/controller.go
index 3e2f98184..e0a1656e7 100644
--- a/pkg/apiserver/controllers/controller.go
+++ b/pkg/apiserver/controllers/controller.go
@@ -16,17 +16,18 @@ import (
 )
 type Controller struct {
- Ectx context.Context
- DBClient *database.Client
- Router *gin.Engine
- Profiles []*csconfig.ProfileCfg
- AlertsAddChan chan []*models.Alert
- DecisionDeleteChan chan []*models.Decision
- PluginChannel chan csplugin.ProfileAlert
- Log *log.Logger
- ConsoleConfig *csconfig.ConsoleConfig
- TrustedIPs []net.IPNet
- HandlerV1 *v1.Controller
+ Ectx context.Context
+ DBClient *database.Client
+ Router *gin.Engine
+ Profiles []*csconfig.ProfileCfg
+ AlertsAddChan chan []*models.Alert
+ DecisionDeleteChan chan []*models.Decision
+ PluginChannel chan csplugin.ProfileAlert
+ Log *log.Logger
+ ConsoleConfig *csconfig.ConsoleConfig
+ TrustedIPs []net.IPNet
+ HandlerV1 *v1.Controller
+ DisableRemoteLapiRegistration bool
 }
 func (c *Controller) Init() error {
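Review bot: The new `DisableRemoteLapiRegistration` field on `Controller` is exported and carries no comment, although it decides whether the `POST /v1/watchers` route (registered on `groupV1` ahead of the `jwtAuth` group in the NewV1 hunk) stays reachable from non-loopback peers; the struct's other fields are equally bare, but this one toggles an access-control decision. Suggested comment above the field: `// DisableRemoteLapiRegistration, when true, makes NewV1 reject POST /v1/watchers (machine registration) from clients whose address is not loopback.` The matching `disable_remote_lapi_registration` field on `LocalApiServerCfg` in pkg/csconfig/api.go has the same gap and could carry a one-line `// restrict machine registration to loopback clients (default false)` in the style of the `ListenURI` comment. `Init` starts on the hunk's last line and its body lies outside the hunk.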
@@ -85,7 +86,7 @@ func (c *Controller) NewV1() error {
 })
 groupV1 := c.Router.Group("/v1")
- groupV1.POST("/watchers", c.HandlerV1.CreateMachine)
+ groupV1.POST("/watchers", c.HandlerV1.AbortRemoteIf(c.DisableRemoteLapiRegistration), c.HandlerV1.CreateMachine)
 groupV1.POST("/watchers/login", c.HandlerV1.Middlewares.JWT.Middleware.LoginHandler)
 jwtAuth := groupV1.Group("")
diff --git a/pkg/apiserver/controllers/v1/utils.go b/pkg/apiserver/controllers/v1/utils.go
index b7c413d4d..8edce5898 100644
--- a/pkg/apiserver/controllers/v1/utils.go
+++ b/pkg/apiserver/controllers/v1/utils.go
@@ -2,6 +2,7 @@ package v1
 import (
 "fmt"
+ "net/http"
 "github.com/crowdsecurity/crowdsec/pkg/database/ent"
 "github.com/gin-gonic/gin"
@@ -24,3 +25,13 @@ func getBouncerFromContext(ctx *gin.Context) (*ent.Bouncer, error) {
 return bouncerInfo, nil
 }
+
+func (c *Controller) AbortRemoteIf(option bool) gin.HandlerFunc {
+ return func(gctx *gin.Context) {
+ incomingIP := gctx.ClientIP()
+ if option && incomingIP != "127.0.0.1" && incomingIP != "::1" {
+ gctx.JSON(http.StatusForbidden, gin.H{"message": "access forbidden"})
+ gctx.Abort()
+ }
+ }
+}
diff --git a/pkg/csconfig/api.go b/pkg/csconfig/api.go
index 039141fb9..80a235e2c 100644
--- a/pkg/csconfig/api.go
+++ b/pkg/csconfig/api.go
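Review bot: The loopback test in `AbortRemoteIf` is a plain string comparison against `"127.0.0.1"` and `"::1"`, so a local client that arrives as another 127/8 address or as the IPv4-mapped form `::ffff:127.0.0.1` is rejected; `ip := net.ParseIP(incomingIP)` followed by `if option && (ip == nil || !ip.IsLoopback()) {` covers those forms (with `net` added to the import block in the hunk above). The value being compared is `gctx.ClientIP()`, which gin derives from the request and, depending on how the engine's trusted-proxy and forwarded-header settings are configured (the config struct in this same commit carries `UseForwardedForHeaders` and `TrustedProxies`), may come from a forwarded header rather than the TCP peer, so the method should state which address it is checking and why — behind a local reverse proxy the peer is loopback while the header names the real client. `gctx.JSON(...)` followed by `gctx.Abort()` can be folded into `gctx.AbortWithStatusJSON(http.StatusForbidden, gin.H{"message": "access forbidden"})`. As an exported method it also lacks a doc comment, e.g. `// AbortRemoteIf returns a middleware that, when option is true, aborts with 403 any request whose client IP is not a loopback address.` The whole function lies inside the hunk.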
@@ -175,26 +175,27 @@ func toValidCIDR(ip string) string {
 /*local api service configuration*/
 type LocalApiServerCfg struct {
- Enable *bool `yaml:"enable"`
- ListenURI string `yaml:"listen_uri,omitempty"` // 127.0.0.1:8080
- TLS *TLSCfg `yaml:"tls"`
- DbConfig *DatabaseCfg `yaml:"-"`
- LogDir string `yaml:"-"`
- LogMedia string `yaml:"-"`
- OnlineClient *OnlineApiClientCfg `yaml:"online_client"`
- ProfilesPath string `yaml:"profiles_path,omitempty"`
- ConsoleConfigPath string `yaml:"console_path,omitempty"`
- ConsoleConfig *ConsoleConfig `yaml:"-"`
- Profiles []*ProfileCfg `yaml:"-"`
- LogLevel *log.Level `yaml:"log_level"`
- UseForwardedForHeaders bool `yaml:"use_forwarded_for_headers,omitempty"`
- TrustedProxies *[]string `yaml:"trusted_proxies,omitempty"`
- CompressLogs *bool `yaml:"-"`
- LogMaxSize int `yaml:"-"`
- LogMaxAge int `yaml:"-"`
- LogMaxFiles int `yaml:"-"`
- TrustedIPs []string `yaml:"trusted_ips,omitempty"`
- PapiLogLevel *log.Level `yaml:"papi_log_level"`
+ Enable *bool `yaml:"enable"`
+ ListenURI string `yaml:"listen_uri,omitempty"` // 127.0.0.1:8080
+ TLS *TLSCfg `yaml:"tls"`
+ DbConfig *DatabaseCfg `yaml:"-"`
+ LogDir string `yaml:"-"`
+ LogMedia string `yaml:"-"`
+ OnlineClient *OnlineApiClientCfg `yaml:"online_client"`
+ ProfilesPath string `yaml:"profiles_path,omitempty"`
+ ConsoleConfigPath string `yaml:"console_path,omitempty"`
+ ConsoleConfig *ConsoleConfig `yaml:"-"`
+ Profiles []*ProfileCfg `yaml:"-"`
+ LogLevel *log.Level `yaml:"log_level"`
+ UseForwardedForHeaders bool `yaml:"use_forwarded_for_headers,omitempty"`
+ TrustedProxies *[]string `yaml:"trusted_proxies,omitempty"`
+ CompressLogs *bool `yaml:"-"`
+ LogMaxSize int `yaml:"-"`
+ LogMaxAge int `yaml:"-"`
+ LogMaxFiles int `yaml:"-"`
+ TrustedIPs []string `yaml:"trusted_ips,omitempty"`
+ PapiLogLevel *log.Level `yaml:"papi_log_level"`
+ DisableRemoteLapiRegistration bool `yaml:"disable_remote_lapi_registration,omitempty"`
 }
 type TLSCfg struct {