base dashboard and login

2026-05-17 08:28:16 +00:00
parent 64f4f3c5d4
commit 317a7f3f13
40 changed files with 3327 additions and 72 deletions
@@ -0,0 +1,272 @@
+package config
+
+import (
+	"bufio"
+	"crypto/rand"
+	"encoding/hex"
+	"fmt"
+	"log"
+	"os"
+	"strconv"
+	"strings"
+
+	"golang.org/x/crypto/bcrypt"
+)
+
+const defaultConfigFile = "app_config.conf"
+
+// ConfigFile returns the active config file path.
+// Override with CONFIG_FILE env var (path only, no secrets in env).
+func ConfigFile() string {
+	if v := os.Getenv("CONFIG_FILE"); v != "" {
+		return v
+	}
+	return defaultConfigFile
+}
+
+// Config holds all runtime settings loaded from app_config.conf.
+type Config struct {
+	Port                string
+	CrowdSecAPIURL      string
+	CrowdSecAPILogin    string
+	CrowdSecAPIPassword string // sent as-is to LAPI — never hashed
+	CscliPath           string
+	UIUsername          string
+	UIPassword          string // bcrypt hash after first run
+	UISessionSecret     string
+	PollIntervalSec     int
+}
+
+// FirstRunError is returned when the config file was just created and needs editing.
+type FirstRunError struct{ Path string }
+
+func (e *FirstRunError) Error() string {
+	return fmt.Sprintf(
+		"%s created — fill in crowdsec_api_login and crowdsec_api_password, then restart",
+		e.Path,
+	)
+}
+
+// HashPassword generates a bcrypt hash suitable for use as ui_password in the config.
+func HashPassword(plaintext string) (string, error) {
+	h, err := bcrypt.GenerateFromPassword([]byte(plaintext), bcrypt.DefaultCost)
+	if err != nil {
+		return "", err
+	}
+	return string(h), nil
+}
+
+// VerifyUIPassword checks plaintext against the stored ui_password (bcrypt or plaintext fallback).
+func (c *Config) VerifyUIPassword(plaintext string) bool {
+	if isBcryptHash(c.UIPassword) {
+		return bcrypt.CompareHashAndPassword([]byte(c.UIPassword), []byte(plaintext)) == nil
+	}
+	// Fallback: constant-time plaintext compare (should not happen after first startup)
+	a := []byte(plaintext)
+	b := []byte(c.UIPassword)
+	if len(a) != len(b) {
+		return false
+	}
+	var diff byte
+	for i := range a {
+		diff |= a[i] ^ b[i]
+	}
+	return diff == 0
+}
+
+// Load reads app_config.conf (or CONFIG_FILE path), creating it on first run.
+// If ui_password is plaintext, it is hashed with bcrypt and written back to the file.
+func Load() (*Config, error) {
+	path := ConfigFile()
+	if _, err := os.Stat(path); os.IsNotExist(err) {
+		if err := writeDefault(path); err != nil {
+			return nil, fmt.Errorf("create %s: %w", path, err)
+		}
+		return nil, &FirstRunError{Path: path}
+	}
+
+	vals, err := parseFile(path)
+	if err != nil {
+		return nil, fmt.Errorf("parse %s: %w", path, err)
+	}
+
+	c := &Config{
+		Port:                strVal(vals, "port", ":8080"),
+		CrowdSecAPIURL:      strVal(vals, "crowdsec_api_url", "http://localhost:8080"),
+		CrowdSecAPILogin:    vals["crowdsec_api_login"],
+		CrowdSecAPIPassword: vals["crowdsec_api_password"],
+		CscliPath:           strVal(vals, "cscli_path", "/usr/local/bin/cscli"),
+		UIUsername:          strVal(vals, "ui_username", "admin"),
+		UIPassword:          strVal(vals, "ui_password", "changeme"),
+		UISessionSecret:     vals["ui_session_secret"],
+		PollIntervalSec:     intVal(vals, "poll_interval_sec", 15),
+	}
+
+	if c.CrowdSecAPILogin == "" {
+		return nil, fmt.Errorf("crowdsec_api_login is required in %s", path)
+	}
+	if c.CrowdSecAPIPassword == "" {
+		return nil, fmt.Errorf("crowdsec_api_password is required in %s", path)
+	}
+	if len(c.UISessionSecret) < 32 {
+		return nil, fmt.Errorf("ui_session_secret must be at least 32 characters in %s", path)
+	}
+
+	// Auto-hash ui_password if stored as plaintext.
+	if c.UIPassword != "" && !isBcryptHash(c.UIPassword) {
+		hash, err := bcrypt.GenerateFromPassword([]byte(c.UIPassword), bcrypt.DefaultCost)
+		if err != nil {
+			return nil, fmt.Errorf("hash ui_password: %w", err)
+		}
+		c.UIPassword = string(hash)
+		if err := updateConfigValue(path, "ui_password", c.UIPassword); err != nil {
+			log.Printf("[WARN] could not save hashed ui_password to %s: %v", path, err)
+		} else {
+			log.Printf("ui_password hashed and saved to %s", path)
+		}
+	}
+
+	return c, nil
+}
+
+// CscliAvailable returns true if the cscli binary exists at the configured path.
+func (c *Config) CscliAvailable() bool {
+	_, err := os.Stat(c.CscliPath)
+	return err == nil
+}
+
+func isBcryptHash(s string) bool {
+	return strings.HasPrefix(s, "$2a$") ||
+		strings.HasPrefix(s, "$2b$") ||
+		strings.HasPrefix(s, "$2y$")
+}
+
+// updateConfigValue rewrites a single key's value in the config file, preserving all other lines.
+func updateConfigValue(path, key, value string) error {
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return err
+	}
+
+	lines := strings.Split(string(data), "\n")
+	updated := false
+	for i, line := range lines {
+		trimmed := strings.TrimSpace(line)
+		if trimmed == "" || strings.HasPrefix(trimmed, "#") {
+			continue
+		}
+		idx := strings.IndexByte(trimmed, '=')
+		if idx < 0 {
+			continue
+		}
+		if strings.TrimSpace(trimmed[:idx]) == key {
+			lines[i] = key + " = " + value
+			updated = true
+			break
+		}
+	}
+	if !updated {
+		return fmt.Errorf("key %q not found in %s", key, path)
+	}
+
+	return os.WriteFile(path, []byte(strings.Join(lines, "\n")), 0600)
+}
+
+// writeDefault creates the config file with a random session secret and usage notes.
+func writeDefault(path string) error {
+	secret, err := randomHex(32)
+	if err != nil {
+		return err
+	}
+
+	content := fmt.Sprintf(`# CrowdSec Dashy — Configuration
+# Auto-generated on first run. Edit required fields and restart.
+# Lines starting with # are comments.
+# ---------------------------------------------------------------
+
+# Network — address:port the web UI listens on
+port = :8080
+
+# CrowdSec Local API
+crowdsec_api_url      = http://localhost:8080
+crowdsec_api_login    =
+crowdsec_api_password =
+
+# Path to cscli binary (required for bouncers, machines, hub, metrics)
+# In Docker: bind-mount the binary into the container at this path.
+# Leave empty or point to a missing path to disable CLI features gracefully.
+cscli_path = /usr/local/bin/cscli
+
+# Web UI — HTTP Basic Auth
+# ui_password is auto-hashed with bcrypt on first startup.
+# To pre-hash a password: crowdsec-dashy -pwhash "your-password"
+ui_username = admin
+ui_password = changeme
+
+# Session signing secret — auto-generated, keep private
+ui_session_secret = %s
+
+# Dashboard live-poll interval (seconds)
+poll_interval_sec = 15
+`, secret)
+
+	return os.WriteFile(path, []byte(content), 0600)
+}
+
+// parseFile reads key = value pairs, ignoring blank lines and # comments.
+func parseFile(path string) (map[string]string, error) {
+	f, err := os.Open(path)
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+
+	vals := make(map[string]string)
+	scanner := bufio.NewScanner(f)
+	lineNum := 0
+	for scanner.Scan() {
+		lineNum++
+		line := strings.TrimSpace(scanner.Text())
+		if line == "" || strings.HasPrefix(line, "#") {
+			continue
+		}
+		idx := strings.IndexByte(line, '=')
+		if idx < 0 {
+			return nil, fmt.Errorf("line %d: expected key = value", lineNum)
+		}
+		key := strings.TrimSpace(line[:idx])
+		val := strings.TrimSpace(line[idx+1:])
+		if key == "" {
+			return nil, fmt.Errorf("line %d: empty key", lineNum)
+		}
+		vals[key] = val
+	}
+	return vals, scanner.Err()
+}
+
+func strVal(m map[string]string, key, def string) string {
+	if v, ok := m[key]; ok && v != "" {
+		return v
+	}
+	return def
+}
+
+func intVal(m map[string]string, key string, def int) int {
+	v, ok := m[key]
+	if !ok || v == "" {
+		return def
+	}
+	n, err := strconv.Atoi(v)
+	if err != nil || n <= 0 {
+		return def
+	}
+	return n
+}
+
+func randomHex(n int) (string, error) {
+	b := make([]byte, n)
+	if _, err := rand.Read(b); err != nil {
+		return "", fmt.Errorf("generate random bytes: %w", err)
+	}
+	return hex.EncodeToString(b), nil
+}