
Option to disable remote lapi registration (#2010)

* Allow to disable remote lapi registration

* Extract method and make it extendable as a generic middleware

* Change method name so it makes sense to read: abort remote if <config>

* golint
Laurence Jones 2 years ago
parent
commit
8acce4637a

+ 7 - 6
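--- a/pkg/apiserver/apiserver.go
+++ b/pkg/apiserver/apiserver.go
@@ -202,12 +202,13 @@ func NewServer(config *csconfig.LocalApiServerCfg) (*APIServer, error) {
 	router.Use(CustomRecoveryWithWriter())
 
 	controller := &controllers.Controller{
-		DBClient:      dbClient,
-		Ectx:          context.Background(),
-		Router:        router,
-		Profiles:      config.Profiles,
-		Log:           clog,
-		ConsoleConfig: config.ConsoleConfig,
+		DBClient:                      dbClient,
+		Ectx:                          context.Background(),
+		Router:                        router,
+		Profiles:                      config.Profiles,
+		Log:                           clog,
+		ConsoleConfig:                 config.ConsoleConfig,
+		DisableRemoteLapiRegistration: config.DisableRemoteLapiRegistration,
 	}
 
 	var apiClient *apic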

+ 13 - 12
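--- a/pkg/apiserver/controllers/controller.go
+++ b/pkg/apiserver/controllers/controller.go
@@ -16,17 +16,18 @@ import (
 )
 
 type Controller struct {
-	Ectx               context.Context
-	DBClient           *database.Client
-	Router             *gin.Engine
-	Profiles           []*csconfig.ProfileCfg
-	AlertsAddChan      chan []*models.Alert
-	DecisionDeleteChan chan []*models.Decision
-	PluginChannel      chan csplugin.ProfileAlert
-	Log                *log.Logger
-	ConsoleConfig      *csconfig.ConsoleConfig
-	TrustedIPs         []net.IPNet
-	HandlerV1          *v1.Controller
+	Ectx                          context.Context
+	DBClient                      *database.Client
+	Router                        *gin.Engine
+	Profiles                      []*csconfig.ProfileCfg
+	AlertsAddChan                 chan []*models.Alert
+	DecisionDeleteChan            chan []*models.Decision
+	PluginChannel                 chan csplugin.ProfileAlert
+	Log                           *log.Logger
+	ConsoleConfig                 *csconfig.ConsoleConfig
+	TrustedIPs                    []net.IPNet
+	HandlerV1                     *v1.Controller
+	DisableRemoteLapiRegistration bool
 }
 
 func (c *Controller) Init() error {
@@ -85,7 +86,7 @@ func (c *Controller) NewV1() error {
 	})
 
 	groupV1 := c.Router.Group("/v1")
-	groupV1.POST("/watchers", c.HandlerV1.CreateMachine)
+	groupV1.POST("/watchers", c.HandlerV1.AbortRemoteIf(c.DisableRemoteLapiRegistration), c.HandlerV1.CreateMachine)
 	groupV1.POST("/watchers/login", c.HandlerV1.Middlewares.JWT.Middleware.LoginHandler)
 
 	jwtAuth := groupV1.Group("")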
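Review bot: The new DisableRemoteLapiRegistration field on Controller (first hunk) has no comment, and only the route wiring in the second hunk shows what it means. Add `// DisableRemoteLapiRegistration makes POST /v1/watchers reject clients whose address is not loopback (127.0.0.1 or ::1).` above the field so a reader of the struct does not have to find the route. NewV1's body continues outside the hunk.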

+ 11 - 0
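--- a/pkg/apiserver/controllers/v1/utils.go
+++ b/pkg/apiserver/controllers/v1/utils.go
@@ -2,6 +2,7 @@ package v1
 
 import (
 	"fmt"
+	"net/http"
 
 	"github.com/crowdsecurity/crowdsec/pkg/database/ent"
 	"github.com/gin-gonic/gin"
@@ -24,3 +25,13 @@ func getBouncerFromContext(ctx *gin.Context) (*ent.Bouncer, error) {
 
 	return bouncerInfo, nil
 }
+
+func (c *Controller) AbortRemoteIf(option bool) gin.HandlerFunc {
+	return func(gctx *gin.Context) {
+		incomingIP := gctx.ClientIP()
+		if option && incomingIP != "127.0.0.1" && incomingIP != "::1" {
+			gctx.JSON(http.StatusForbidden, gin.H{"message": "access forbidden"})
+			gctx.Abort()
+		}
+	}
+}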
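Review bot: AbortRemoteIf decides "remote" by string-comparing gctx.ClientIP() against exactly 127.0.0.1 and ::1, so any other loopback address (the rest of 127.0.0.0/8) is rejected, and an empty or unparsable ClientIP() is treated like a normal peer rather than explicitly. Parsing the address is both more correct and fail-closed: `ip := net.ParseIP(incomingIP)` followed by `if option && (ip == nil || !ip.IsLoopback()) {` (with "net" added to the import block in the first hunk). Note also that gin's ClientIP() is derived from forwarded headers when the LAPI is configured with use_forwarded_for_headers/trusted_proxies (see pkg/csconfig/api.go), so the check is only as strong as that proxy configuration; a local reverse proxy that does not forward the peer address makes every request look local. The exported method lacks a doc comment; suggest `// AbortRemoteIf returns a middleware that, when option is true, rejects requests whose client IP (as reported by gin's ClientIP, hence subject to the trusted-proxy configuration) is not a loopback address.`, and the same caveat belongs on the DisableRemoteLapiRegistration config field in pkg/csconfig/api.go.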

+ 21 - 20
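--- a/pkg/csconfig/api.go
+++ b/pkg/csconfig/api.go
@@ -175,26 +175,27 @@ func toValidCIDR(ip string) string {
 
 /*local api service configuration*/
 type LocalApiServerCfg struct {
-	Enable                 *bool               `yaml:"enable"`
-	ListenURI              string              `yaml:"listen_uri,omitempty"` // 127.0.0.1:8080
-	TLS                    *TLSCfg             `yaml:"tls"`
-	DbConfig               *DatabaseCfg        `yaml:"-"`
-	LogDir                 string              `yaml:"-"`
-	LogMedia               string              `yaml:"-"`
-	OnlineClient           *OnlineApiClientCfg `yaml:"online_client"`
-	ProfilesPath           string              `yaml:"profiles_path,omitempty"`
-	ConsoleConfigPath      string              `yaml:"console_path,omitempty"`
-	ConsoleConfig          *ConsoleConfig      `yaml:"-"`
-	Profiles               []*ProfileCfg       `yaml:"-"`
-	LogLevel               *log.Level          `yaml:"log_level"`
-	UseForwardedForHeaders bool                `yaml:"use_forwarded_for_headers,omitempty"`
-	TrustedProxies         *[]string           `yaml:"trusted_proxies,omitempty"`
-	CompressLogs           *bool               `yaml:"-"`
-	LogMaxSize             int                 `yaml:"-"`
-	LogMaxAge              int                 `yaml:"-"`
-	LogMaxFiles            int                 `yaml:"-"`
-	TrustedIPs             []string            `yaml:"trusted_ips,omitempty"`
-	PapiLogLevel           *log.Level          `yaml:"papi_log_level"`
+	Enable                        *bool               `yaml:"enable"`
+	ListenURI                     string              `yaml:"listen_uri,omitempty"` // 127.0.0.1:8080
+	TLS                           *TLSCfg             `yaml:"tls"`
+	DbConfig                      *DatabaseCfg        `yaml:"-"`
+	LogDir                        string              `yaml:"-"`
+	LogMedia                      string              `yaml:"-"`
+	OnlineClient                  *OnlineApiClientCfg `yaml:"online_client"`
+	ProfilesPath                  string              `yaml:"profiles_path,omitempty"`
+	ConsoleConfigPath             string              `yaml:"console_path,omitempty"`
+	ConsoleConfig                 *ConsoleConfig      `yaml:"-"`
+	Profiles                      []*ProfileCfg       `yaml:"-"`
+	LogLevel                      *log.Level          `yaml:"log_level"`
+	UseForwardedForHeaders        bool                `yaml:"use_forwarded_for_headers,omitempty"`
+	TrustedProxies                *[]string           `yaml:"trusted_proxies,omitempty"`
+	CompressLogs                  *bool               `yaml:"-"`
+	LogMaxSize                    int                 `yaml:"-"`
+	LogMaxAge                     int                 `yaml:"-"`
+	LogMaxFiles                   int                 `yaml:"-"`
+	TrustedIPs                    []string            `yaml:"trusted_ips,omitempty"`
+	PapiLogLevel                  *log.Level          `yaml:"papi_log_level"`
+	DisableRemoteLapiRegistration bool                `yaml:"disable_remote_lapi_registration,omitempty"`
 }
 
 type TLSCfg struct {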