crowdsec/pkg/csconfig/config.go
Thibault "bui" Koechlin 8cca4346a5
Application Security Engine Support (#2273)
Add a new datasource that:
- Receives HTTP requests from remediation components
- Apply rules on them to determine whether they are malicious or not
- Rules can be evaluated in-band (the remediation component will block the request directly) or out-band (the RC will let the request through, but crowdsec can still process the rule matches with scenarios)

The PR also adds support for 2 new hub items:
- appsec-configs: Configure the Application Security Engine (which rules to load, in which phase)
- appsec-rules: a rule that is added in the Application Security Engine (can use either our own format, or seclang)

---------

Co-authored-by: alteredCoder <kevin@crowdsec.net>
Co-authored-by: Sebastien Blot <sebastien@crowdsec.net>
Co-authored-by: mmetc <92726601+mmetc@users.noreply.github.com>
Co-authored-by: Marco Mariani <marco@crowdsec.net>
2023-12-07 12:21:04 +01:00

178 lines
4.9 KiB
Go

// Package csconfig contains the configuration structures for crowdsec and cscli.
package csconfig
import (
"fmt"
"os"
"path/filepath"
log "github.com/sirupsen/logrus"
"gopkg.in/yaml.v2"
"github.com/crowdsecurity/go-cs-lib/csstring"
"github.com/crowdsecurity/go-cs-lib/ptr"
"github.com/crowdsecurity/go-cs-lib/yamlpatch"
)
// defaultConfigDir is the base path to all configuration files, to be overridden in the Makefile */
var defaultConfigDir = "/etc/crowdsec"
// defaultDataDir is the base path to all data files, to be overridden in the Makefile */
var defaultDataDir = "/var/lib/crowdsec/data/"
var globalConfig = Config{}
// Config contains top-level defaults -> overridden by configuration file -> overridden by CLI flags
type Config struct {
//just a path to ourselves :p
FilePath *string `yaml:"-"`
Self []byte `yaml:"-"`
Common *CommonCfg `yaml:"common,omitempty"`
Prometheus *PrometheusCfg `yaml:"prometheus,omitempty"`
Crowdsec *CrowdsecServiceCfg `yaml:"crowdsec_service,omitempty"`
Cscli *CscliCfg `yaml:"cscli,omitempty"`
DbConfig *DatabaseCfg `yaml:"db_config,omitempty"`
API *APICfg `yaml:"api,omitempty"`
ConfigPaths *ConfigurationPaths `yaml:"config_paths,omitempty"`
PluginConfig *PluginCfg `yaml:"plugin_config,omitempty"`
DisableAPI bool `yaml:"-"`
DisableAgent bool `yaml:"-"`
Hub *LocalHubCfg `yaml:"-"`
}
func NewConfig(configFile string, disableAgent bool, disableAPI bool, quiet bool) (*Config, string, error) {
patcher := yamlpatch.NewPatcher(configFile, ".local")
patcher.SetQuiet(quiet)
fcontent, err := patcher.MergedPatchContent()
if err != nil {
return nil, "", err
}
configData := csstring.StrictExpand(string(fcontent), os.LookupEnv)
cfg := Config{
FilePath: &configFile,
DisableAgent: disableAgent,
DisableAPI: disableAPI,
}
err = yaml.UnmarshalStrict([]byte(configData), &cfg)
if err != nil {
// this is actually the "merged" yaml
return nil, "", fmt.Errorf("%s: %w", configFile, err)
}
if cfg.Prometheus == nil {
cfg.Prometheus = &PrometheusCfg{}
}
if cfg.Prometheus.ListenAddr == "" {
cfg.Prometheus.ListenAddr = "127.0.0.1"
log.Debugf("prometheus.listen_addr is empty, defaulting to %s", cfg.Prometheus.ListenAddr)
}
if cfg.Prometheus.ListenPort == 0 {
cfg.Prometheus.ListenPort = 6060
log.Debugf("prometheus.listen_port is empty or zero, defaulting to %d", cfg.Prometheus.ListenPort)
}
if err = cfg.loadCommon(); err != nil {
return nil, "", err
}
if err = cfg.loadConfigurationPaths(); err != nil {
return nil, "", err
}
if err = cfg.loadHub(); err != nil {
return nil, "", err
}
if err = cfg.loadCSCLI(); err != nil {
return nil, "", err
}
globalConfig = cfg
return &cfg, configData, nil
}
func GetConfig() Config {
return globalConfig
}
func NewDefaultConfig() *Config {
logLevel := log.InfoLevel
commonCfg := CommonCfg{
Daemonize: false,
LogMedia: "stdout",
LogLevel: &logLevel,
}
prometheus := PrometheusCfg{
Enabled: true,
Level: "full",
}
configPaths := ConfigurationPaths{
ConfigDir: DefaultConfigPath("."),
DataDir: DefaultDataPath("."),
SimulationFilePath: DefaultConfigPath("simulation.yaml"),
HubDir: DefaultConfigPath("hub"),
HubIndexFile: DefaultConfigPath("hub", ".index.json"),
}
crowdsecCfg := CrowdsecServiceCfg{
AcquisitionFilePath: DefaultConfigPath("acquis.yaml"),
ParserRoutinesCount: 1,
}
cscliCfg := CscliCfg{
Output: "human",
Color: "auto",
}
apiCfg := APICfg{
Client: &LocalApiClientCfg{
CredentialsFilePath: DefaultConfigPath("lapi-secrets.yaml"),
},
Server: &LocalApiServerCfg{
ListenURI: "127.0.0.1:8080",
UseForwardedForHeaders: false,
OnlineClient: &OnlineApiClientCfg{
CredentialsFilePath: DefaultConfigPath("online_api_credentials.yaml"),
},
},
CTI: &CTICfg{
Enabled: ptr.Of(false),
},
}
dbConfig := DatabaseCfg{
Type: "sqlite",
DbPath: DefaultDataPath("crowdsec.db"),
MaxOpenConns: ptr.Of(DEFAULT_MAX_OPEN_CONNS),
}
globalCfg := Config{
Common: &commonCfg,
Prometheus: &prometheus,
Crowdsec: &crowdsecCfg,
Cscli: &cscliCfg,
API: &apiCfg,
ConfigPaths: &configPaths,
DbConfig: &dbConfig,
}
return &globalCfg
}
// DefaultConfigPath returns the default path for a configuration resource
// "elem" parameters are path components relative to the default cfg directory.
func DefaultConfigPath(elem ...string) string {
elem = append([]string{defaultConfigDir}, elem...)
return filepath.Join(elem...)
}
// DefaultDataPath returns the default path for a data resource.
// "elem" parameters are path components relative to the default data directory.
func DefaultDataPath(elem ...string) string {
elem = append([]string{defaultDataDir}, elem...)
return filepath.Join(elem...)
}