Option to disable remote lapi registration (#2010)

* Allow to disable remote lapi registration * Extract method and make it extendable as a generic middleware * Change method name so it make sense to read abort remote if <config> * golint
2023-02-24 13:44:21 +00:00 · 2023-02-24 13:44:21 +00:00 · 8acce4637a
parent addf60b3ee
commit 8acce4637a
4 changed files with 52 additions and 38 deletions
--- a/pkg/apiserver/apiserver.go
+++ b/pkg/apiserver/apiserver.go
@ -208,6 +208,7 @@ func NewServer(config *csconfig.LocalApiServerCfg) (*APIServer, error) {
 		Profiles:                      config.Profiles,
 		Log:                           clog,
 		ConsoleConfig:                 config.ConsoleConfig,
+		DisableRemoteLapiRegistration: config.DisableRemoteLapiRegistration,
 	}

 	var apiClient *apic
--- a/pkg/apiserver/controllers/controller.go
+++ b/pkg/apiserver/controllers/controller.go
@ -27,6 +27,7 @@ type Controller struct {
 	ConsoleConfig                 *csconfig.ConsoleConfig
 	TrustedIPs                    []net.IPNet
 	HandlerV1                     *v1.Controller
+	DisableRemoteLapiRegistration bool
 }

 func (c *Controller) Init() error {
@ -85,7 +86,7 @@ func (c *Controller) NewV1() error {
 	})

 	groupV1 := c.Router.Group("/v1")
-	groupV1.POST("/watchers", c.HandlerV1.CreateMachine)
+	groupV1.POST("/watchers", c.HandlerV1.AbortRemoteIf(c.DisableRemoteLapiRegistration), c.HandlerV1.CreateMachine)
 	groupV1.POST("/watchers/login", c.HandlerV1.Middlewares.JWT.Middleware.LoginHandler)

 	jwtAuth := groupV1.Group("")
--- a/pkg/apiserver/controllers/v1/utils.go
+++ b/pkg/apiserver/controllers/v1/utils.go
@ -2,6 +2,7 @@ package v1

 import (
 	"fmt"
+	"net/http"

 	"github.com/crowdsecurity/crowdsec/pkg/database/ent"
 	"github.com/gin-gonic/gin"
@ -24,3 +25,13 @@ func getBouncerFromContext(ctx *gin.Context) (*ent.Bouncer, error) {

 	return bouncerInfo, nil
 }
+
+func (c *Controller) AbortRemoteIf(option bool) gin.HandlerFunc {
+	return func(gctx *gin.Context) {
+		incomingIP := gctx.ClientIP()
+		if option && incomingIP != "127.0.0.1" && incomingIP != "::1" {
+			gctx.JSON(http.StatusForbidden, gin.H{"message": "access forbidden"})
+			gctx.Abort()
+		}
+	}
+}
--- a/pkg/csconfig/api.go
+++ b/pkg/csconfig/api.go
@ -195,6 +195,7 @@ type LocalApiServerCfg struct {
 	LogMaxFiles                   int                 `yaml:"-"`
 	TrustedIPs                    []string            `yaml:"trusted_ips,omitempty"`
 	PapiLogLevel                  *log.Level          `yaml:"papi_log_level"`
+	DisableRemoteLapiRegistration bool                `yaml:"disable_remote_lapi_registration,omitempty"`
 }

 type TLSCfg struct {