55247cd46a
* Add machines prune command
* Fix scope variable for naming scheme
* Add some freshness and add new features
* Fix force and fix duration if less than 60
* Allow duration to be more readable
* Fix description
* Improve func wording and make int machines length
* No point overloading functions
* Add prune to list of commands
* Check if GID is already the group if so no need to chown
* Revert "Check if GID is already the group if so no need to chown"
This reverts commit c7cef1773e.
* change all short desc to be similar, and made it really really clear when pruning it is not recoverable
* Better examples
* Match bouncer like for like
* Fix merge error
* Dont use log. and dont return error on user input to abort
475 lines
14 KiB
Go
475 lines
14 KiB
Go
package main
|
|
|
|
import (
|
|
saferand "crypto/rand"
|
|
"encoding/csv"
|
|
"encoding/json"
|
|
"fmt"
|
|
"io"
|
|
"math/big"
|
|
"os"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/AlecAivazis/survey/v2"
|
|
"github.com/fatih/color"
|
|
"github.com/go-openapi/strfmt"
|
|
"github.com/google/uuid"
|
|
log "github.com/sirupsen/logrus"
|
|
"github.com/spf13/cobra"
|
|
"golang.org/x/exp/slices"
|
|
"gopkg.in/yaml.v2"
|
|
|
|
"github.com/crowdsecurity/machineid"
|
|
|
|
"github.com/crowdsecurity/crowdsec/pkg/csconfig"
|
|
"github.com/crowdsecurity/crowdsec/pkg/database"
|
|
"github.com/crowdsecurity/crowdsec/pkg/database/ent"
|
|
"github.com/crowdsecurity/crowdsec/pkg/types"
|
|
|
|
"github.com/crowdsecurity/crowdsec/cmd/crowdsec-cli/require"
|
|
)
|
|
|
|
var (
|
|
passwordLength = 64
|
|
)
|
|
|
|
func generatePassword(length int) string {
|
|
upper := "ABCDEFGHIJKLMNOPQRSTUVWXY"
|
|
lower := "abcdefghijklmnopqrstuvwxyz"
|
|
digits := "0123456789"
|
|
|
|
charset := upper + lower + digits
|
|
charsetLength := len(charset)
|
|
|
|
buf := make([]byte, length)
|
|
for i := 0; i < length; i++ {
|
|
rInt, err := saferand.Int(saferand.Reader, big.NewInt(int64(charsetLength)))
|
|
if err != nil {
|
|
log.Fatalf("failed getting data from prng for password generation : %s", err)
|
|
}
|
|
buf[i] = charset[rInt.Int64()]
|
|
}
|
|
|
|
return string(buf)
|
|
}
|
|
|
|
// Returns a unique identifier for each crowdsec installation, using an
|
|
// identifier of the OS installation where available, otherwise a random
|
|
// string.
|
|
func generateIDPrefix() (string, error) {
|
|
prefix, err := machineid.ID()
|
|
if err == nil {
|
|
return prefix, nil
|
|
}
|
|
log.Debugf("failed to get machine-id with usual files: %s", err)
|
|
|
|
bId, err := uuid.NewRandom()
|
|
if err == nil {
|
|
return bId.String(), nil
|
|
}
|
|
return "", fmt.Errorf("generating machine id: %w", err)
|
|
}
|
|
|
|
// Generate a unique identifier, composed by a prefix and a random suffix.
|
|
// The prefix can be provided by a parameter to use in test environments.
|
|
func generateID(prefix string) (string, error) {
|
|
var err error
|
|
if prefix == "" {
|
|
prefix, err = generateIDPrefix()
|
|
}
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
prefix = strings.ReplaceAll(prefix, "-", "")[:32]
|
|
suffix := generatePassword(16)
|
|
return prefix + suffix, nil
|
|
}
|
|
|
|
// getLastHeartbeat returns the last heartbeat timestamp of a machine
|
|
// and a boolean indicating if the machine is considered active or not.
|
|
func getLastHeartbeat(m *ent.Machine) (string, bool) {
|
|
if m.LastHeartbeat == nil {
|
|
return "-", false
|
|
}
|
|
|
|
elapsed := time.Now().UTC().Sub(*m.LastHeartbeat)
|
|
|
|
hb := elapsed.Truncate(time.Second).String()
|
|
if elapsed > 2*time.Minute {
|
|
return hb, false
|
|
}
|
|
|
|
return hb, true
|
|
}
|
|
|
|
func getAgents(out io.Writer, dbClient *database.Client) error {
|
|
machines, err := dbClient.ListMachines()
|
|
if err != nil {
|
|
return fmt.Errorf("unable to list machines: %s", err)
|
|
}
|
|
if csConfig.Cscli.Output == "human" {
|
|
getAgentsTable(out, machines)
|
|
} else if csConfig.Cscli.Output == "json" {
|
|
enc := json.NewEncoder(out)
|
|
enc.SetIndent("", " ")
|
|
if err := enc.Encode(machines); err != nil {
|
|
return fmt.Errorf("failed to marshal")
|
|
}
|
|
return nil
|
|
} else if csConfig.Cscli.Output == "raw" {
|
|
csvwriter := csv.NewWriter(out)
|
|
err := csvwriter.Write([]string{"machine_id", "ip_address", "updated_at", "validated", "version", "auth_type", "last_heartbeat"})
|
|
if err != nil {
|
|
return fmt.Errorf("failed to write header: %s", err)
|
|
}
|
|
for _, m := range machines {
|
|
var validated string
|
|
if m.IsValidated {
|
|
validated = "true"
|
|
} else {
|
|
validated = "false"
|
|
}
|
|
hb, _ := getLastHeartbeat(m)
|
|
err := csvwriter.Write([]string{m.MachineId, m.IpAddress, m.UpdatedAt.Format(time.RFC3339), validated, m.Version, m.AuthType, hb})
|
|
if err != nil {
|
|
return fmt.Errorf("failed to write raw output: %w", err)
|
|
}
|
|
}
|
|
csvwriter.Flush()
|
|
} else {
|
|
log.Errorf("unknown output '%s'", csConfig.Cscli.Output)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func NewMachinesListCmd() *cobra.Command {
|
|
cmdMachinesList := &cobra.Command{
|
|
Use: "list",
|
|
Short: "list all machines in the database",
|
|
Long: `list all machines in the database with their status and last heartbeat`,
|
|
Example: `cscli machines list`,
|
|
Args: cobra.NoArgs,
|
|
DisableAutoGenTag: true,
|
|
RunE: func(cmd *cobra.Command, args []string) error {
|
|
err := getAgents(color.Output, dbClient)
|
|
if err != nil {
|
|
return fmt.Errorf("unable to list machines: %s", err)
|
|
}
|
|
|
|
return nil
|
|
},
|
|
}
|
|
|
|
return cmdMachinesList
|
|
}
|
|
|
|
func NewMachinesAddCmd() *cobra.Command {
|
|
cmdMachinesAdd := &cobra.Command{
|
|
Use: "add",
|
|
Short: "add a single machine to the database",
|
|
DisableAutoGenTag: true,
|
|
Long: `Register a new machine in the database. cscli should be on the same machine as LAPI.`,
|
|
Example: `
|
|
cscli machines add --auto
|
|
cscli machines add MyTestMachine --auto
|
|
cscli machines add MyTestMachine --password MyPassword
|
|
`,
|
|
RunE: runMachinesAdd,
|
|
}
|
|
|
|
flags := cmdMachinesAdd.Flags()
|
|
flags.StringP("password", "p", "", "machine password to login to the API")
|
|
flags.StringP("file", "f", "", "output file destination (defaults to "+csconfig.DefaultConfigPath("local_api_credentials.yaml")+")")
|
|
flags.StringP("url", "u", "", "URL of the local API")
|
|
flags.BoolP("interactive", "i", false, "interfactive mode to enter the password")
|
|
flags.BoolP("auto", "a", false, "automatically generate password (and username if not provided)")
|
|
flags.Bool("force", false, "will force add the machine if it already exist")
|
|
|
|
return cmdMachinesAdd
|
|
}
|
|
|
|
func runMachinesAdd(cmd *cobra.Command, args []string) error {
|
|
var dumpFile string
|
|
var err error
|
|
|
|
flags := cmd.Flags()
|
|
|
|
machinePassword, err := flags.GetString("password")
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
outputFile, err := flags.GetString("file")
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
apiURL, err := flags.GetString("url")
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
interactive, err := flags.GetBool("interactive")
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
autoAdd, err := flags.GetBool("auto")
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
forceAdd, err := flags.GetBool("force")
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
var machineID string
|
|
|
|
// create machineID if not specified by user
|
|
if len(args) == 0 {
|
|
if !autoAdd {
|
|
printHelp(cmd)
|
|
return nil
|
|
}
|
|
machineID, err = generateID("")
|
|
if err != nil {
|
|
return fmt.Errorf("unable to generate machine id: %s", err)
|
|
}
|
|
} else {
|
|
machineID = args[0]
|
|
}
|
|
|
|
/*check if file already exists*/
|
|
if outputFile != "" {
|
|
dumpFile = outputFile
|
|
} else if csConfig.API.Client != nil && csConfig.API.Client.CredentialsFilePath != "" {
|
|
dumpFile = csConfig.API.Client.CredentialsFilePath
|
|
}
|
|
|
|
// create a password if it's not specified by user
|
|
if machinePassword == "" && !interactive {
|
|
if !autoAdd {
|
|
printHelp(cmd)
|
|
return nil
|
|
}
|
|
machinePassword = generatePassword(passwordLength)
|
|
} else if machinePassword == "" && interactive {
|
|
qs := &survey.Password{
|
|
Message: "Please provide a password for the machine",
|
|
}
|
|
survey.AskOne(qs, &machinePassword)
|
|
}
|
|
password := strfmt.Password(machinePassword)
|
|
_, err = dbClient.CreateMachine(&machineID, &password, "", true, forceAdd, types.PasswordAuthType)
|
|
if err != nil {
|
|
return fmt.Errorf("unable to create machine: %s", err)
|
|
}
|
|
log.Infof("Machine '%s' successfully added to the local API", machineID)
|
|
|
|
if apiURL == "" {
|
|
if csConfig.API.Client != nil && csConfig.API.Client.Credentials != nil && csConfig.API.Client.Credentials.URL != "" {
|
|
apiURL = csConfig.API.Client.Credentials.URL
|
|
} else if csConfig.API.Server != nil && csConfig.API.Server.ListenURI != "" {
|
|
apiURL = "http://" + csConfig.API.Server.ListenURI
|
|
} else {
|
|
return fmt.Errorf("unable to dump an api URL. Please provide it in your configuration or with the -u parameter")
|
|
}
|
|
}
|
|
apiCfg := csconfig.ApiCredentialsCfg{
|
|
Login: machineID,
|
|
Password: password.String(),
|
|
URL: apiURL,
|
|
}
|
|
apiConfigDump, err := yaml.Marshal(apiCfg)
|
|
if err != nil {
|
|
return fmt.Errorf("unable to marshal api credentials: %s", err)
|
|
}
|
|
if dumpFile != "" && dumpFile != "-" {
|
|
err = os.WriteFile(dumpFile, apiConfigDump, 0644)
|
|
if err != nil {
|
|
return fmt.Errorf("write api credentials in '%s' failed: %s", dumpFile, err)
|
|
}
|
|
log.Printf("API credentials dumped to '%s'", dumpFile)
|
|
} else {
|
|
fmt.Printf("%s\n", string(apiConfigDump))
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func NewMachinesDeleteCmd() *cobra.Command {
|
|
cmdMachinesDelete := &cobra.Command{
|
|
Use: "delete [machine_name]...",
|
|
Short: "delete machine(s) by name",
|
|
Example: `cscli machines delete "machine1" "machine2"`,
|
|
Args: cobra.MinimumNArgs(1),
|
|
Aliases: []string{"remove"},
|
|
DisableAutoGenTag: true,
|
|
ValidArgsFunction: func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
|
|
machines, err := dbClient.ListMachines()
|
|
if err != nil {
|
|
cobra.CompError("unable to list machines " + err.Error())
|
|
}
|
|
ret := make([]string, 0)
|
|
for _, machine := range machines {
|
|
if strings.Contains(machine.MachineId, toComplete) && !slices.Contains(args, machine.MachineId) {
|
|
ret = append(ret, machine.MachineId)
|
|
}
|
|
}
|
|
return ret, cobra.ShellCompDirectiveNoFileComp
|
|
},
|
|
RunE: runMachinesDelete,
|
|
}
|
|
|
|
return cmdMachinesDelete
|
|
}
|
|
|
|
func runMachinesDelete(cmd *cobra.Command, args []string) error {
|
|
for _, machineID := range args {
|
|
err := dbClient.DeleteWatcher(machineID)
|
|
if err != nil {
|
|
log.Errorf("unable to delete machine '%s': %s", machineID, err)
|
|
return nil
|
|
}
|
|
log.Infof("machine '%s' deleted successfully", machineID)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func NewMachinesPruneCmd() *cobra.Command {
|
|
var parsedDuration time.Duration
|
|
cmdMachinesPrune := &cobra.Command{
|
|
Use: "prune",
|
|
Short: "prune multiple machines from the database",
|
|
Long: `prune multiple machines that are not validated or have not connected to the local API in a given duration.`,
|
|
Example: `cscli machines prune
|
|
cscli machines prune --duration 1h
|
|
cscli machines prune --not-validated-only --force`,
|
|
Args: cobra.NoArgs,
|
|
DisableAutoGenTag: true,
|
|
PreRunE: func(cmd *cobra.Command, args []string) error {
|
|
dur, _ := cmd.Flags().GetString("duration")
|
|
var err error
|
|
parsedDuration, err = time.ParseDuration(fmt.Sprintf("-%s", dur))
|
|
if err != nil {
|
|
return fmt.Errorf("unable to parse duration '%s': %s", dur, err)
|
|
}
|
|
return nil
|
|
},
|
|
RunE: func(cmd *cobra.Command, args []string) error {
|
|
notValidOnly, _ := cmd.Flags().GetBool("not-validated-only")
|
|
force, _ := cmd.Flags().GetBool("force")
|
|
if parsedDuration >= 0-60*time.Second && !notValidOnly {
|
|
var answer bool
|
|
prompt := &survey.Confirm{
|
|
Message: "The duration you provided is less than or equal 60 seconds this can break installations do you want to continue ?",
|
|
Default: false,
|
|
}
|
|
if err := survey.AskOne(prompt, &answer); err != nil {
|
|
return fmt.Errorf("unable to ask about prune check: %s", err)
|
|
}
|
|
if !answer {
|
|
fmt.Println("user aborted prune no changes were made")
|
|
return nil
|
|
}
|
|
}
|
|
machines := make([]*ent.Machine, 0)
|
|
if pending, err := dbClient.QueryPendingMachine(); err == nil {
|
|
machines = append(machines, pending...)
|
|
}
|
|
if !notValidOnly {
|
|
if pending, err := dbClient.QueryLastValidatedHeartbeatLT(time.Now().UTC().Add(parsedDuration)); err == nil {
|
|
machines = append(machines, pending...)
|
|
}
|
|
}
|
|
if len(machines) == 0 {
|
|
fmt.Println("no machines to prune")
|
|
return nil
|
|
}
|
|
getAgentsTable(color.Output, machines)
|
|
if !force {
|
|
var answer bool
|
|
prompt := &survey.Confirm{
|
|
Message: "You are about to PERMANENTLY remove the above machines from the database these will NOT be recoverable, continue ?",
|
|
Default: false,
|
|
}
|
|
if err := survey.AskOne(prompt, &answer); err != nil {
|
|
return fmt.Errorf("unable to ask about prune check: %s", err)
|
|
}
|
|
if !answer {
|
|
fmt.Println("user aborted prune no changes were made")
|
|
return nil
|
|
}
|
|
}
|
|
nbDeleted, err := dbClient.BulkDeleteWatchers(machines)
|
|
if err != nil {
|
|
return fmt.Errorf("unable to prune machines: %s", err)
|
|
}
|
|
fmt.Printf("successfully delete %d machines\n", nbDeleted)
|
|
return nil
|
|
},
|
|
}
|
|
cmdMachinesPrune.Flags().StringP("duration", "d", "10m", "duration of time since validated machine last heartbeat")
|
|
cmdMachinesPrune.Flags().Bool("not-validated-only", false, "only prune machines that are not validated")
|
|
cmdMachinesPrune.Flags().Bool("force", false, "force prune without asking for confirmation")
|
|
|
|
return cmdMachinesPrune
|
|
}
|
|
|
|
func NewMachinesValidateCmd() *cobra.Command {
|
|
cmdMachinesValidate := &cobra.Command{
|
|
Use: "validate",
|
|
Short: "validate a machine to access the local API",
|
|
Long: `validate a machine to access the local API.`,
|
|
Example: `cscli machines validate "machine_name"`,
|
|
Args: cobra.ExactArgs(1),
|
|
DisableAutoGenTag: true,
|
|
RunE: func(cmd *cobra.Command, args []string) error {
|
|
machineID := args[0]
|
|
if err := dbClient.ValidateMachine(machineID); err != nil {
|
|
return fmt.Errorf("unable to validate machine '%s': %s", machineID, err)
|
|
}
|
|
log.Infof("machine '%s' validated successfully", machineID)
|
|
|
|
return nil
|
|
},
|
|
}
|
|
|
|
return cmdMachinesValidate
|
|
}
|
|
|
|
func NewMachinesCmd() *cobra.Command {
|
|
var cmdMachines = &cobra.Command{
|
|
Use: "machines [action]",
|
|
Short: "Manage local API machines [requires local API]",
|
|
Long: `To list/add/delete/validate/prune machines.
|
|
Note: This command requires database direct access, so is intended to be run on the local API machine.
|
|
`,
|
|
Example: `cscli machines [action]`,
|
|
DisableAutoGenTag: true,
|
|
Aliases: []string{"machine"},
|
|
PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
|
|
var err error
|
|
if err := require.LAPI(csConfig); err != nil {
|
|
return err
|
|
}
|
|
dbClient, err = database.NewClient(csConfig.DbConfig)
|
|
if err != nil {
|
|
return fmt.Errorf("unable to create new database client: %s", err)
|
|
}
|
|
return nil
|
|
},
|
|
}
|
|
|
|
cmdMachines.AddCommand(NewMachinesListCmd())
|
|
cmdMachines.AddCommand(NewMachinesAddCmd())
|
|
cmdMachines.AddCommand(NewMachinesDeleteCmd())
|
|
cmdMachines.AddCommand(NewMachinesValidateCmd())
|
|
cmdMachines.AddCommand(NewMachinesPruneCmd())
|
|
|
|
return cmdMachines
|
|
}
|