2023-01-19 07:45:50 +00:00
|
|
|
package exprhelpers
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
|
|
|
"time"
|
|
|
|
|
|
|
|
"github.com/bluele/gcache"
|
|
|
|
"github.com/crowdsecurity/crowdsec/pkg/cticlient"
|
|
|
|
"github.com/crowdsecurity/crowdsec/pkg/types"
|
|
|
|
"github.com/pkg/errors"
|
|
|
|
log "github.com/sirupsen/logrus"
|
|
|
|
)
|
|
|
|
|
|
|
|
var CTIUrl = "https://cti.api.crowdsec.net"
|
|
|
|
var CTIUrlSuffix = "/v2/smoke/"
|
|
|
|
var CTIApiKey = ""
|
|
|
|
|
|
|
|
// this is set for non-recoverable errors, such as 403 when querying API or empty API key
|
2023-10-17 08:34:53 +00:00
|
|
|
var CTIApiEnabled = false
|
2023-01-19 07:45:50 +00:00
|
|
|
|
|
|
|
// when hitting quotas or auth errors, we temporarily disable the API
|
|
|
|
var CTIBackOffUntil time.Time
|
|
|
|
var CTIBackOffDuration time.Duration = 5 * time.Minute
|
|
|
|
|
|
|
|
var ctiClient *cticlient.CrowdsecCTIClient
|
|
|
|
|
|
|
|
func InitCrowdsecCTI(Key *string, TTL *time.Duration, Size *int, LogLevel *log.Level) error {
|
2023-10-17 08:34:53 +00:00
|
|
|
if Key == nil || *Key == "" {
|
|
|
|
log.Warningf("CTI API key not set or empty, CTI will not be available")
|
|
|
|
return cticlient.ErrDisabled
|
2023-01-19 07:45:50 +00:00
|
|
|
}
|
2023-10-09 10:36:05 +00:00
|
|
|
CTIApiKey = *Key
|
2023-01-19 07:45:50 +00:00
|
|
|
if Size == nil {
|
|
|
|
Size = new(int)
|
|
|
|
*Size = 1000
|
|
|
|
}
|
|
|
|
if TTL == nil {
|
|
|
|
TTL = new(time.Duration)
|
|
|
|
*TTL = 5 * time.Minute
|
|
|
|
}
|
|
|
|
clog := log.New()
|
|
|
|
if err := types.ConfigureLogger(clog); err != nil {
|
|
|
|
return errors.Wrap(err, "while configuring datasource logger")
|
|
|
|
}
|
|
|
|
if LogLevel != nil {
|
|
|
|
clog.SetLevel(*LogLevel)
|
|
|
|
}
|
|
|
|
customLog := log.Fields{
|
|
|
|
"type": "crowdsec-cti",
|
|
|
|
}
|
|
|
|
subLogger := clog.WithFields(customLog)
|
|
|
|
CrowdsecCTIInitCache(*Size, *TTL)
|
|
|
|
ctiClient = cticlient.NewCrowdsecCTIClient(cticlient.WithAPIKey(CTIApiKey), cticlient.WithLogger(subLogger))
|
2023-10-17 08:34:53 +00:00
|
|
|
CTIApiEnabled = true
|
2023-01-19 07:45:50 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func ShutdownCrowdsecCTI() {
|
|
|
|
if CTICache != nil {
|
|
|
|
CTICache.Purge()
|
|
|
|
}
|
|
|
|
CTIApiKey = ""
|
2023-10-17 08:34:53 +00:00
|
|
|
CTIApiEnabled = false
|
2023-01-19 07:45:50 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Cache for responses
|
|
|
|
var CTICache gcache.Cache
|
|
|
|
var CacheExpiration time.Duration
|
|
|
|
|
|
|
|
func CrowdsecCTIInitCache(size int, ttl time.Duration) {
|
|
|
|
CTICache = gcache.New(size).LRU().Build()
|
|
|
|
CacheExpiration = ttl
|
|
|
|
}
|
|
|
|
|
2023-03-28 08:49:01 +00:00
|
|
|
// func CrowdsecCTI(ip string) (*cticlient.SmokeItem, error) {
|
|
|
|
func CrowdsecCTI(params ...any) (any, error) {
|
2023-10-17 08:34:53 +00:00
|
|
|
var ip string
|
2023-01-19 07:45:50 +00:00
|
|
|
if !CTIApiEnabled {
|
|
|
|
return &cticlient.SmokeItem{}, cticlient.ErrDisabled
|
|
|
|
}
|
2023-10-17 08:34:53 +00:00
|
|
|
var ok bool
|
|
|
|
if ip, ok = params[0].(string); !ok {
|
|
|
|
return &cticlient.SmokeItem{}, fmt.Errorf("invalid type for ip : %T", params[0])
|
2023-01-19 07:45:50 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if val, err := CTICache.Get(ip); err == nil && val != nil {
|
|
|
|
ctiClient.Logger.Debugf("cti cache fetch for %s", ip)
|
|
|
|
ret, ok := val.(*cticlient.SmokeItem)
|
|
|
|
if !ok {
|
|
|
|
ctiClient.Logger.Warningf("CrowdsecCTI: invalid type in cache, removing")
|
|
|
|
CTICache.Remove(ip)
|
|
|
|
} else {
|
|
|
|
return ret, nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if !CTIBackOffUntil.IsZero() && time.Now().Before(CTIBackOffUntil) {
|
|
|
|
//ctiClient.Logger.Warningf("Crowdsec CTI client is in backoff mode, ending in %s", time.Until(CTIBackOffUntil))
|
|
|
|
return &cticlient.SmokeItem{}, cticlient.ErrLimit
|
|
|
|
}
|
|
|
|
|
|
|
|
ctiClient.Logger.Infof("cti call for %s", ip)
|
|
|
|
before := time.Now()
|
|
|
|
ctiResp, err := ctiClient.GetIPInfo(ip)
|
|
|
|
ctiClient.Logger.Debugf("request for %s took %v", ip, time.Since(before))
|
|
|
|
if err != nil {
|
2023-12-18 08:35:28 +00:00
|
|
|
switch {
|
|
|
|
case errors.Is(err, cticlient.ErrUnauthorized):
|
2023-01-19 07:45:50 +00:00
|
|
|
CTIApiEnabled = false
|
|
|
|
ctiClient.Logger.Errorf("Invalid API key provided, disabling CTI API")
|
|
|
|
return &cticlient.SmokeItem{}, cticlient.ErrUnauthorized
|
2023-12-18 08:35:28 +00:00
|
|
|
case errors.Is(err, cticlient.ErrLimit):
|
2023-01-19 07:45:50 +00:00
|
|
|
CTIBackOffUntil = time.Now().Add(CTIBackOffDuration)
|
|
|
|
ctiClient.Logger.Errorf("CTI API is throttled, will try again in %s", CTIBackOffDuration)
|
|
|
|
return &cticlient.SmokeItem{}, cticlient.ErrLimit
|
2023-10-09 10:23:19 +00:00
|
|
|
default:
|
2023-01-19 07:45:50 +00:00
|
|
|
ctiClient.Logger.Warnf("CTI API error : %s", err)
|
|
|
|
return &cticlient.SmokeItem{}, fmt.Errorf("unexpected error : %v", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if err := CTICache.SetWithExpire(ip, ctiResp, CacheExpiration); err != nil {
|
|
|
|
ctiClient.Logger.Warningf("IpCTI : error while caching CTI : %s", err)
|
|
|
|
return &cticlient.SmokeItem{}, cticlient.ErrUnknown
|
|
|
|
}
|
|
|
|
|
|
|
|
ctiClient.Logger.Tracef("CTI response : %v", *ctiResp)
|
|
|
|
|
|
|
|
return ctiResp, nil
|
|
|
|
}
|