From 8243c2d59a166911bdb39d215a1b32acadd5425a Mon Sep 17 00:00:00 2001
From: Marco Mariani
Date: Sat, 8 Apr 2023 00:21:22 +0200
Subject: [PATCH 1/7] wip

---
 config/helper.sh | 88 ------------
 ...rowdsec-firewall-bouncer-iptables.postinst | 12 +-
 .../crowdsec-firewall-bouncer-iptables.postrm | 11 +-
 ...rowdsec-firewall-bouncer-nftables.postinst | 11 +-
 .../crowdsec-firewall-bouncer-nftables.postrm | 13 +-
 debian/rules | 2 +-
 rpm/SPECS/crowdsec-firewall-bouncer.spec | 45 +++---
 scripts/_bouncer.sh | 133 ++++++++++++++++++
 scripts/install.sh | 66 +--------
 scripts/uninstall.sh | 62 +-------
 scripts/upgrade.sh | 69 ++-------
 11 files changed, 190 insertions(+), 322 deletions(-)
 delete mode 100755 config/helper.sh
 create mode 100644 scripts/_bouncer.sh

diff --git a/config/helper.sh b/config/helper.sh
deleted file mode 100755
index 131c323f..00000000
--- a/config/helper.sh
+++ /dev/null
@@ -1,88 +0,0 @@ -#!/bin/sh - -set -eu - -need_api_key() { - before=$(cat "$CONFIG") - # shellcheck disable=SC2016 - after=$(envsubst '$API_KEY' < "$CONFIG") - - if [ "$before" = "$after" ]; then - exit 1 - fi - exit 0 -} - -set_api_key() { - # if we can't set the key, the user will take care of it - API_KEY="" - ret=0 - - if command -v cscli >/dev/null; then - echo "cscli/crowdsec is present, generating API key" >&2 - unique=$(date +%s) - bouncer_id="$BOUNCER_PREFIX-$unique" - API_KEY=$(cscli -oraw bouncers add "$bouncer_id") - if [ $? -eq 1 ]; then - echo "failed to create API key" >&2 - ret=1 - else - echo "API Key successfully created" >&2 - echo "$bouncer_id" > "$CONFIG.id" - fi - else - echo "cscli/crowdsec is not present, please set the API key manually" >&2 - ret=1 - fi - - ( - umask 077 - # can't use redirection while overwriting a file - before=$(cat "$CONFIG") - # shellcheck disable=SC2016 - echo "$before" | API_KEY="$API_KEY" envsubst '$API_KEY' > "$CONFIG" - ) - - exit "$ret" -} - -set_local_port() { - command -v cscli >/dev/null || return 0 - PORT=$(cscli config show --key "Config.API.Server.ListenURI" | cut -d ":" -f2) - if [ "$PORT" != "" ]; then - sed -i "s/localhost:8080/127.0.0.1:$PORT/g" "$CONFIG" - sed -i "s/127.0.0.1:8080/127.0.0.1:$PORT/g" "$CONFIG" - fi -} - -cmd=$1 -shift -CONFIG=$1 -if [ "$CONFIG" = "" ]; then - echo "missing config file" >&2 - exit 1 -fi -shift - -case "$cmd" in - need-api-key) - need_api_key - ;; - set-api-key) - BOUNCER_PREFIX=$1 - shift - if [ "$BOUNCER_PREFIX" = "" ]; then - echo "missing bouncer prefix" >&2 - exit 1 - fi - set_api_key - ;; - set-local-port) - set_local_port - ;; - *) - echo "This script is not meant to be called directly." >&2 - exit 1 ;; -esac - -exit 0 diff --git a/debian/crowdsec-firewall-bouncer-iptables.postinst b/debian/crowdsec-firewall-bouncer-iptables.postinst index cafe1efc..55548d64 100755 --- a/debian/crowdsec-firewall-bouncer-iptables.postinst 
+++ b/debian/crowdsec-firewall-bouncer-iptables.postinst @@ -3,15 +3,15 @@ systemctl daemon-reload BOUNCER="crowdsec-firewall-bouncer" -CONFIG="/etc/crowdsec/bouncers/$BOUNCER.yaml" -SERVICE="$BOUNCER.service" +BOUNCER_PREFIX="FirewallBouncer" -helper="/usr/lib/$DPKG_MAINTSCRIPT_PACKAGE/helper.sh" +#shellcheck source=./scripts/_bouncer.sh +. "/usr/lib/$DPKG_MAINTSCRIPT_PACKAGE/_bouncer.sh" START=1 if [ "$1" = "configure" ]; then - if $helper need-api-key "$CONFIG"; then - if ! $helper set-api-key "$CONFIG" "FirewallBouncer"; then + if need_api_key; then + if ! set_api_key; then START=0 fi fi @@ -19,7 +19,7 @@ fi systemctl --quiet is-enabled "$SERVICE" || systemctl unmask "$SERVICE" && systemctl enable "$SERVICE" -$helper set-local-port "$CONFIG" +set_local_port if [ "$START" -eq 0 ]; then echo "no api key was generated, you can generate one on your LAPI server by running 'cscli bouncers add ' and add it to '$CONFIG'" >&2 diff --git a/debian/crowdsec-firewall-bouncer-iptables.postrm b/debian/crowdsec-firewall-bouncer-iptables.postrm index 277c170c..870e2882 100644 --- a/debian/crowdsec-firewall-bouncer-iptables.postrm +++ b/debian/crowdsec-firewall-bouncer-iptables.postrm @@ -1,14 +1,11 @@ #!/bin/sh -set -e +set -eu BOUNCER="crowdsec-firewall-bouncer" -CONFIG="/etc/crowdsec/bouncers/$BOUNCER.yaml" +#shellcheck source=scripts/_bouncer.sh +. "/usr/lib/$DPKG_MAINTSCRIPT_PACKAGE/_bouncer.sh" if [ "$1" = "purge" ]; then - if [ -f "$CONFIG.id" ]; then - bouncer_id=$(cat "$CONFIG.id") - cscli -oraw bouncers delete "$bouncer_id" 2>/dev/null || true - rm -f "$CONFIG.id" - fi + delete_bouncer fi diff --git a/debian/crowdsec-firewall-bouncer-nftables.postinst b/debian/crowdsec-firewall-bouncer-nftables.postinst index cafe1efc..58e33fea 100755 --- a/debian/crowdsec-firewall-bouncer-nftables.postinst +++ b/debian/crowdsec-firewall-bouncer-nftables.postinst 
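Review bot: The new `. "/usr/lib/$DPKG_MAINTSCRIPT_PACKAGE/_bouncer.sh"` in the iptables postrm runs at a stage where that file is already gone: dpkg deletes a package's non-conffile files during `remove`, and `postrm purge` runs afterwards, so with `set -eu` the source fails and the purge errors out before `delete_bouncer` is ever reached. The nftables postrm in the next hunk has the same pattern. Either keep the `cscli -oraw bouncers delete "$bouncer_id"` logic inline in postrm (as the removed lines had it) or guard the source with `[ -r "/usr/lib/$DPKG_MAINTSCRIPT_PACKAGE/_bouncer.sh" ] || exit 0`; since the helper is the only thing that cleans up `$CONFIG.id`, the inline form is the safer choice.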
@@ -3,15 +3,14 @@ systemctl daemon-reload BOUNCER="crowdsec-firewall-bouncer" -CONFIG="/etc/crowdsec/bouncers/$BOUNCER.yaml" -SERVICE="$BOUNCER.service" +BOUNCER_PREFIX="FirewallBouncer" -helper="/usr/lib/$DPKG_MAINTSCRIPT_PACKAGE/helper.sh" +. /usr/lib/$DPKG_MAINTSCRIPT_PACKAGE/_bouncer.sh START=1 if [ "$1" = "configure" ]; then - if $helper need-api-key "$CONFIG"; then - if ! $helper set-api-key "$CONFIG" "FirewallBouncer"; then + if need_api_key; then + if !set_api_key; then START=0 fi fi @@ -19,7 +18,7 @@ fi systemctl --quiet is-enabled "$SERVICE" || systemctl unmask "$SERVICE" && systemctl enable "$SERVICE" -$helper set-local-port "$CONFIG" +set_local_port if [ "$START" -eq 0 ]; then echo "no api key was generated, you can generate one on your LAPI server by running 'cscli bouncers add ' and add it to '$CONFIG'" >&2 diff --git a/debian/crowdsec-firewall-bouncer-nftables.postrm b/debian/crowdsec-firewall-bouncer-nftables.postrm index 277c170c..0346289c 100644 --- a/debian/crowdsec-firewall-bouncer-nftables.postrm +++ b/debian/crowdsec-firewall-bouncer-nftables.postrm @@ -1,14 +1,9 @@ #!/bin/sh -set -e - -BOUNCER="crowdsec-firewall-bouncer" -CONFIG="/etc/crowdsec/bouncers/$BOUNCER.yaml" +set -eu if [ "$1" = "purge" ]; then - if [ -f "$CONFIG.id" ]; then - bouncer_id=$(cat "$CONFIG.id") - cscli -oraw bouncers delete "$bouncer_id" 2>/dev/null || true - rm -f "$CONFIG.id" - fi + BOUNCER="crowdsec-firewall-bouncer" + . /usr/lib/$DPKG_MAINTSCRIPT_PACKAGE/_bouncer.sh + delete_bouncer fi diff --git a/debian/rules b/debian/rules index 1eebbd4c..369ce652 100755 --- a/debian/rules +++ b/debian/rules 
@@ -18,7 +18,7 @@ override_dh_auto_install: for BACKEND in iptables nftables; do \ PKG="$$BOUNCER-$$BACKEND"; \ install -D -m 0755 $$BOUNCER -t "debian/$$PKG/usr/bin/"; \ - install -D -m 0700 config/helper.sh -t "debian/$$PKG/usr/lib/$$PKG/"; \ + install -D -m 0600 scripts/_bouncer.sh -t "debian/$$PKG/usr/lib/$$PKG/"; \ BACKEND=$$BACKEND envsubst '$$BACKEND' < config/$$BOUNCER.yaml | install -D -m 0600 /dev/stdin "debian/$$PKG/etc/crowdsec/bouncers/$$BOUNCER.yaml"; \ BIN="/usr/bin/$$BOUNCER" CFG="/etc/crowdsec/bouncers" envsubst '$$BIN $$CFG' < "config/$$BOUNCER.service" | install -D -m 0644 /dev/stdin "debian/$$PKG/etc/systemd/system/$$BOUNCER.service"; \ done diff --git a/rpm/SPECS/crowdsec-firewall-bouncer.spec b/rpm/SPECS/crowdsec-firewall-bouncer.spec index 9a6309de..243df15c 100644 --- a/rpm/SPECS/crowdsec-firewall-bouncer.spec +++ b/rpm/SPECS/crowdsec-firewall-bouncer.spec @@ -38,7 +38,7 @@ mkdir -p %{buildroot}/etc/crowdsec/bouncers/ install -m 600 config/%{name}.yaml %{buildroot}/etc/crowdsec/bouncers/%{name}.yaml mkdir -p %{buildroot}/usr/lib/%{name}/ -install -m 700 config/helper.sh %{buildroot}/usr/lib/%{name}/helper.sh +install -m 600 config/_bouncer.sh %{buildroot}/usr/lib/%{name}/_bouncer.sh mkdir -p %{buildroot}%{_unitdir}/ BIN=%{_bindir}/%{name} CFG=/etc/crowdsec/bouncers/ envsubst '$BIN $CFG' < config/%{name}.service | install -m 0644 /dev/stdin %{buildroot}%{_unitdir}/%{name}.service @@ -62,7 +62,7 @@ rm -rf %{buildroot} %files -n crowdsec-firewall-bouncer-iptables %defattr(-,root,root,-) /usr/bin/%{name} -/usr/lib/%{name}/helper.sh +/usr/lib/%{name}/_bouncer.sh %{_unitdir}/%{name}.service %config(noreplace) /etc/crowdsec/bouncers/%{name}.yaml %config(noreplace) %{_presetdir}/80-crowdsec-firewall-bouncer.preset 
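Review bot: The RPM `%install` hunk points at the wrong source path: `install -m 600 config/_bouncer.sh ...` while this series creates the library as `scripts/_bouncer.sh` (the `debian/rules` hunk above already uses `scripts/_bouncer.sh`), so `rpmbuild` will fail at `%install` with a missing file. Change it to `install -m 600 scripts/_bouncer.sh %{buildroot}/usr/lib/%{name}/_bouncer.sh`. Mode 0600 is fine for a file that is only sourced by root scriptlets, but a short comment would spare the next reader wondering why it is not 0755 like the old helper, e.g. `# sourced (not executed) by root-only scriptlets; no need for +x`.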
@@ -71,10 +71,9 @@ rm -rf %{buildroot} systemctl daemon-reload BOUNCER="crowdsec-firewall-bouncer" -CONFIG="/etc/crowdsec/bouncers/$BOUNCER.yaml" -SERVICE="$BOUNCER.service" +BOUNCER_PREFIX="FirewallBouncer" -helper="/usr/lib/%{name}/helper.sh" +. /usr/lib/%{name}/_bouncer.sh START=1 if grep -q '${BACKEND}' "$CONFIG"; then @@ -83,8 +82,8 @@ if grep -q '${BACKEND}' "$CONFIG"; then fi if [ "$1" = "1" ]; then - if $helper need-api-key "$CONFIG"; then - if ! $helper set-api-key "$CONFIG" "FirewallBouncer"; then + if need_api_key; then + if ! set_api_key; then START=0 fi fi @@ -92,7 +91,7 @@ fi %systemd_post crowdsec-firewall-bouncer.service -$helper set-local-port "$CONFIG" +set_local_port if [ "$START" -eq 0 ]; then echo "no api key was generated, won't start the service" >&2 @@ -111,19 +110,14 @@ fi %postun -p /usr/bin/sh -n crowdsec-firewall-bouncer-iptables BOUNCER="crowdsec-firewall-bouncer" -CONFIG="/etc/crowdsec/bouncers/$BOUNCER.yaml" +. /usr/lib/%{name}/_bouncer.sh if [ "$1" == "0" ]; then - if [ -f "$CONFIG.id" ]; then - bouncer_id=$(cat "$CONFIG.id") - cscli -oraw bouncers delete "$bouncer_id" 2>/dev/null || true - rm -f "$CONFIG.id" - fi + delete_bouncer else systemctl restart crowdsec-firewall-bouncer || echo "cannot restart service" fi - # ------------------------------------ # nftables # ------------------------------------ @@ -137,7 +131,7 @@ Requires: nftables,gettext %files -n crowdsec-firewall-bouncer-nftables %defattr(-,root,root,-) /usr/bin/%{name} -/usr/lib/%{name}/helper.sh +/usr/lib/%{name}/_bouncer.sh %{_unitdir}/%{name}.service %config(noreplace) /etc/crowdsec/bouncers/%{name}.yaml %config(noreplace) %{_presetdir}/80-crowdsec-firewall-bouncer.preset 
@@ -146,10 +140,9 @@ Requires: nftables,gettext systemctl daemon-reload BOUNCER="crowdsec-firewall-bouncer" -CONFIG="/etc/crowdsec/bouncers/$BOUNCER.yaml" -SERVICE="$BOUNCER.service" +BOUNCER_PREFIX="FirewallBouncer" -helper="/usr/lib/%{name}/helper.sh" +. /usr/lib/%{name}/_bouncer.sh START=1 if grep -q '${BACKEND}' "$CONFIG"; then @@ -158,8 +151,8 @@ if grep -q '${BACKEND}' "$CONFIG"; then fi if [ "$1" = "1" ]; then - if $helper need-api-key "$CONFIG"; then - if ! $helper set-api-key "$CONFIG" "FirewallBouncer"; then + if need_api_key; then + if ! set_api_key; then START=0 fi fi @@ -167,7 +160,7 @@ fi %systemd_post crowdsec-firewall-bouncer.service -$helper set-local-port "$CONFIG" +set_local_port if [ "$START" -eq 0 ]; then echo "no api key was generated, won't start the service" >&2 @@ -186,14 +179,10 @@ fi %postun -p /usr/bin/sh -n crowdsec-firewall-bouncer-nftables BOUNCER="crowdsec-firewall-bouncer" -CONFIG="/etc/crowdsec/bouncers/$BOUNCER.yaml" +. /usr/lib/%{name}/_bouncer.sh if [ "$1" == "0" ]; then - if [ -f "$CONFIG.id" ]; then - bouncer_id=$(cat "$CONFIG.id") - cscli -oraw bouncers delete "$bouncer_id" 2>/dev/null || true - rm -f "$CONFIG.id" - fi + delete_bouncer else systemctl restart crowdsec-firewall-bouncer || echo "cannot restart service" fi diff --git a/scripts/_bouncer.sh b/scripts/_bouncer.sh new file mode 100644 index 00000000..cab61e10 --- /dev/null +++ b/scripts/_bouncer.sh 
@@ -0,0 +1,133 @@ +#!/bin/sh +#shellcheck disable=SC3043 + +set -eu + +# shellcheck disable=SC2034 +{ +SERVICE="$BOUNCER.service" +BIN_PATH_INSTALLED="/usr/local/bin/$BOUNCER" +BIN_PATH="./$BOUNCER" +CONFIG_DIR="/etc/crowdsec/bouncers" +CONFIG_FILE="$BOUNCER.yaml" +CONFIG="$CONFIG_DIR/$CONFIG_FILE" +SYSTEMD_PATH_FILE="/etc/systemd/system/$SERVICE" +} + +assert_root() { + #shellcheck disable=SC2312 + if [ "$(id -u)" -ne 0 ]; then + msg warn "Please run $0 as root or with sudo" + exit 1 + fi +} + +set_colors() { + if [ ! -t 0 ]; then + # terminal is not interactive; no colors + FG_RED="" + FG_GREEN="" + FG_YELLOW="" + FG_CYAN="" + RESET="" + elif tput sgr0 >/dev/null; then + # terminfo + FG_RED=$(tput setaf 1) + FG_GREEN=$(tput setaf 2) + FG_YELLOW=$(tput setaf 3) + FG_CYAN=$(tput setaf 6) + RESET=$(tput sgr0) + else + FG_RED=$(printf '%b' '\033[31m') + FG_GREEN=$(printf '%b' '\033[32m') + FG_YELLOW=$(printf '%b' '\033[33m') + FG_CYAN=$(printf '%b' '\033[36m') + RESET=$(printf '%b' '\033[0m') + fi +} + +msg() { + set_colors + case "$1" in + info) echo "${FG_CYAN}$2${RESET}" >&2 ;; + warn) echo "${FG_YELLOW}$2${RESET}" >&2 ;; + err) echo "${FG_RED}$2${RESET}" >&2 ;; + succ) echo "${FG_GREEN}$2${RESET}" >&2 ;; + *) echo "$1" >&2 ;; + esac +} + +need_api_key() { + local before after + before=$(cat "$CONFIG") + # shellcheck disable=SC2016 + after=$(envsubst '$API_KEY' < "$CONFIG") + + if [ "$before" = "$after" ]; then + return 1 + fi + return 0 +} + +set_api_key() { + # if we can't set the key, the user will take care of it + API_KEY="" + ret=0 + + if command -v cscli >/dev/null; then + echo "cscli/crowdsec is present, generating API key" >&2 + unique=$(date +%s) + bouncer_id="$BOUNCER_PREFIX-$unique" + API_KEY=$(cscli -oraw bouncers add "$bouncer_id") + if [ $? 
-eq 1 ]; then + echo "failed to create API key" >&2 + ret=1 + else + echo "API Key successfully created" >&2 + echo "$bouncer_id" > "$CONFIG.id" + fi + else + echo "cscli/crowdsec is not present, please set the API key manually" >&2 + ret=1 + fi + + ( + umask 077 + # can't use redirection while overwriting a file + before=$(cat "$CONFIG") + # shellcheck disable=SC2016 + echo "$before" | API_KEY="$API_KEY" envsubst '$API_KEY' > "$CONFIG" + ) + + return "$ret" +} + +set_local_port() { + command -v cscli >/dev/null || return 0 + PORT=$(cscli config show --key "Config.API.Server.ListenURI" | cut -d ":" -f2) + if [ "$PORT" != "" ]; then + sed -i "s/localhost:8080/127.0.0.1:$PORT/g" "$CONFIG" + sed -i "s/127.0.0.1:8080/127.0.0.1:$PORT/g" "$CONFIG" + fi +} + +delete_bouncer() { + if [ -f "$CONFIG.id" ]; then + bouncer_id=$(cat "$CONFIG.id") + cscli -oraw bouncers delete "$bouncer_id" 2>/dev/null || true + rm -f "$CONFIG.id" + fi +} + +upgrade_bin() { + if [ ! -f "$BIN_PATH" ]; then + msg err "$BIN_PATH not found" + return 1 + fi + if [ ! -e "$BIN_PATH_INSTALLED" ]; then + msg err "$BIN_PATH_INSTALLED is not installed" + return 1 + fi + rm "$BIN_PATH_INSTALLED" + install -v -m 0755 -D "$BIN_PATH" "$BIN_PATH_INSTALLED" +} diff --git a/scripts/install.sh b/scripts/install.sh index a1461f26..faab1478 100755 --- a/scripts/install.sh +++ b/scripts/install.sh 
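Review bot: In `set_api_key` the `failed to create API key` branch is unreachable: the library enables `set -eu` at its top, so when `cscli -oraw bouncers add` exits non-zero the assignment `API_KEY=$(...)` terminates the sourcing script before `if [ $? -eq 1 ]` runs, and the postinst's `START=0` fallback never fires; the test also only catches status 1 rather than any failure. Use the command as the condition instead, `if ! API_KEY=$(cscli -oraw bouncers add "$bouncer_id"); then echo "failed to create API key" >&2; ret=1; else ...`, which is immune to errexit. The `umask 077` in the subshell appears to be cosmetic because `> "$CONFIG"` truncates an existing file and keeps its mode; a one-line comment stating that the 0600 comes from the packaged file, not from this function, would avoid a false sense of protection.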
@@ -1,61 +1,16 @@ #!/bin/sh -set -e - -set_colors() { - if [ ! -t 0 ]; then - # terminal is not interactive; no colors - FG_RED="" - FG_GREEN="" - FG_YELLOW="" - FG_CYAN="" - RESET="" - elif tput sgr0 >/dev/null; then - # terminfo - FG_RED=$(tput setaf 1) - FG_GREEN=$(tput setaf 2) - FG_YELLOW=$(tput setaf 3) - FG_CYAN=$(tput setaf 6) - RESET=$(tput sgr0) - else - FG_RED=$(printf '%b' '\033[31m') - FG_GREEN=$(printf '%b' '\033[32m') - FG_YELLOW=$(printf '%b' '\033[33m') - FG_CYAN=$(printf '%b' '\033[36m') - RESET=$(printf '%b' '\033[0m') - fi -} +set -eu -set_colors +BOUNCER="crowdsec-firewall-bouncer" +BOUNCER_PREFIX="cs-firewall-bouncer" -msg() { - case "$1" in - info) echo "${FG_CYAN}$2${RESET}" >&2 ;; - warn) echo "${FG_YELLOW}$2${RESET}" >&2 ;; - err) echo "${FG_RED}$2${RESET}" >&2 ;; - succ) echo "${FG_GREEN}$2${RESET}" >&2 ;; - *) echo "$1" >&2 ;; - esac -} +. ./scripts/_bouncer.sh -#shellcheck disable=SC2312 -if [ "$(id -u)" -ne 0 ]; then - msg warn "Please run $0 as root or with sudo" - exit 1 -fi +assert_root # --------------------------------- # -BOUNCER="crowdsec-firewall-bouncer" -BOUNCER_PREFIX="cs-firewall-bouncer" -SERVICE="$BOUNCER.service" -BIN_PATH_INSTALLED="/usr/local/bin/$BOUNCER" -BIN_PATH="./$BOUNCER" -CONFIG_DIR="/etc/crowdsec/bouncers" -CONFIG_FILE="$BOUNCER.yaml" -CONFIG="$CONFIG_DIR/$CONFIG_FILE" -SYSTEMD_PATH_FILE="/etc/systemd/system/$SERVICE" - API_KEY="" install_pkg() { @@ -158,16 +113,6 @@ gen_config_file() { ) } -set_local_port() { - if command -v cscli >/dev/null; then - PORT=$(cscli config show --key "Config.API.Server.ListenURI" | cut -d ":" -f2) - if [ "$PORT" != "" ]; then - sed -i "s/localhost:8080/127.0.0.1:${PORT}/g" "$CONFIG" - sed -i "s/127.0.0.1:8080/127.0.0.1:${PORT}/g" "$CONFIG" - fi - fi -} - install_bouncer() { if [ ! -f "$BIN_PATH" ]; then msg err "$BIN_PATH not found, exiting." @@ -191,7 +136,6 @@ install_bouncer() { # --------------------------------- # -set_colors install_bouncer systemctl enable "$SERVICE" 
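Review bot: `. ./scripts/_bouncer.sh` resolves against the caller's working directory, so running `sudo /path/to/scripts/install.sh` from anywhere but the unpacked release directory now aborts with the shell's source error under `set -eu`, where the old self-contained script got as far as `assert_root`. The script already assumes `./crowdsec-firewall-bouncer` via `BIN_PATH`, so this is probably intended, but it should be explicit: either `cd "$(dirname "$0")/.." || exit 1` before the source, or at least a comment `# must be run from the release directory (expects ./scripts/ and ./$BOUNCER)`.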
diff --git a/scripts/uninstall.sh b/scripts/uninstall.sh index a0344547..f8c7e551 100755 --- a/scripts/uninstall.sh +++ b/scripts/uninstall.sh @@ -1,74 +1,24 @@ #!/bin/sh -set -e +set -eu -set_colors() { - if [ ! -t 0 ]; then - # terminal is not interactive; no colors - FG_RED="" - FG_GREEN="" - FG_YELLOW="" - FG_CYAN="" - RESET="" - elif tput sgr0 >/dev/null; then - # terminfo - FG_RED=$(tput setaf 1) - FG_GREEN=$(tput setaf 2) - FG_YELLOW=$(tput setaf 3) - FG_CYAN=$(tput setaf 6) - RESET=$(tput sgr0) - else - FG_RED=$(printf '%b' '\033[31m') - FG_GREEN=$(printf '%b' '\033[32m') - FG_YELLOW=$(printf '%b' '\033[33m') - FG_CYAN=$(printf '%b' '\033[36m') - RESET=$(printf '%b' '\033[0m') - fi -} - -set_colors +BOUNCER="crowdsec-firewall-bouncer" -msg() { - case "$1" in - info) echo "${FG_CYAN}$2${RESET}" >&2 ;; - warn) echo "${FG_YELLOW}$2${RESET}" >&2 ;; - err) echo "${FG_RED}$2${RESET}" >&2 ;; - succ) echo "${FG_GREEN}$2${RESET}" >&2 ;; - *) echo "$1" >&2 ;; - esac -} +. ./scripts/_bouncer.sh -#shellcheck disable=SC2312 -if [ "$(id -u)" -ne 0 ]; then - msg warn "Please run $0 as root or with sudo" - exit 1 -fi +assert_root # --------------------------------- # -BOUNCER="crowdsec-firewall-bouncer" -SERVICE="$BOUNCER.service" -BIN_PATH_INSTALLED="/usr/local/bin/$BOUNCER" -CONFIG_DIR="/etc/crowdsec/bouncers" -CONFIG_FILE="$BOUNCER.yaml" -CONFIG="$CONFIG_DIR/$CONFIG_FILE" -LOG_FILE="/var/log/$BOUNCER.log" -SYSTEMD_PATH_FILE="/etc/systemd/system/$SERVICE" - uninstall() { systemctl stop "$SERVICE" - if [ -f "$CONFIG.id" ]; then - bouncer_id=$(cat "$CONFIG.id") - cscli -oraw bouncers delete "$bouncer_id" || true - rm -f "$CONFIG.id" - fi + delete_bouncer rm -f "$CONFIG" rm -f "$SYSTEMD_PATH_FILE" rm -f "$BIN_PATH_INSTALLED" - rm -f "$LOG_FILE" + rm -f "/var/log/$BOUNCER.log" } uninstall - msg succ "$BOUNCER has been successfully uninstalled" exit 0 diff --git a/scripts/upgrade.sh b/scripts/upgrade.sh index b99f0127..a481745b 100755 --- a/scripts/upgrade.sh 
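Review bot: `uninstall` now runs `systemctl stop "$SERVICE"` under `set -eu` as its first step, so on a host where the unit is missing or not loaded (a half-finished install, or a unit file removed by hand) the script exits before removing anything, and because `systemctl disable` is never called an enabled unit leaves dangling wants symlinks behind after `rm -f "$SYSTEMD_PATH_FILE"`. Suggest `systemctl stop "$SERVICE" || msg warn "$SERVICE was not running"` and `systemctl disable "$SERVICE" 2>/dev/null || true` before removing the unit file, followed by `systemctl daemon-reload`. Note that `delete_bouncer` hides a missing or failing `cscli` (`2>/dev/null || true`) and then removes `$CONFIG.id`, so the LAPI registration can be left in place with no way to find it later; the final `succ` message makes that look like a clean uninstall.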
+++ b/scripts/upgrade.sh @@ -1,73 +1,22 @@ #!/bin/sh -set -e +set -eu -set_colors() { - #shellcheck disable=SC2034 - if [ ! -t 0 ]; then - # terminal is not interactive; no colors - FG_RED="" - FG_GREEN="" - FG_YELLOW="" - FG_CYAN="" - RESET="" - elif tput sgr0 >/dev/null; then - # terminfo - FG_RED=$(tput setaf 1) - FG_GREEN=$(tput setaf 2) - FG_YELLOW=$(tput setaf 3) - FG_CYAN=$(tput setaf 6) - RESET=$(tput sgr0) - else - FG_RED=$(printf '%b' '\033[31m') - FG_GREEN=$(printf '%b' '\033[32m') - FG_YELLOW=$(printf '%b' '\033[33m') - FG_CYAN=$(printf '%b' '\033[36m') - RESET=$(printf '%b' '\033[0m') - fi -} - -set_colors - -msg() { - case "$1" in - info) echo "${FG_CYAN}$2${RESET}" >&2 ;; - warn) echo "${FG_YELLOW}$2${RESET}" >&2 ;; - err) echo "${FG_RED}$2${RESET}" >&2 ;; - succ) echo "${FG_GREEN}$2${RESET}" >&2 ;; - *) echo "$1" >&2 ;; - esac -} +BOUNCER="crowdsec-firewall-bouncer" +. ./scripts/_bouncer.sh -#shellcheck disable=SC2312 -if [ "$(id -u)" -ne 0 ]; then - msg warn "Please run $0 as root or with sudo" - exit 1 -fi +assert_root # --------------------------------- # -BOUNCER="crowdsec-firewall-bouncer" -SERVICE="$BOUNCER.service" -BIN_PATH_INSTALLED="/usr/local/bin/$BOUNCER" -BIN_PATH="./$BOUNCER" +systemctl stop "$SERVICE" -upgrade_bin() { - if [ ! -f "$BIN_PATH" ]; then - msg err "$BIN_PATH not found, exiting." - exit 1 - fi - if [ ! -e "$BIN_PATH_INSTALLED" ]; then - msg err "$BIN_PATH_INSTALLED is not installed, exiting." - exit 1 - fi - rm "$BIN_PATH_INSTALLED" - install -v -m 0755 -D "$BIN_PATH" "$BIN_PATH_INSTALLED" -} +if ! upgrade_bin; then + msg err "failed to upgrade $BOUNCER" + exit 1 +fi -systemctl stop "$SERVICE" -upgrade_bin systemctl start "$SERVICE" || msg warn "$SERVICE failed to start, please check the systemd logs" msg succ "$BOUNCER upgraded successfully." From e37005b87a77d5b51dbacb2f6a962e30b30f1c2b Mon Sep 17 00:00:00 2001 
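Review bot: The new flow stops the service before `upgrade_bin` has checked that `./crowdsec-firewall-bouncer` exists, so a wrong working directory leaves the firewall bouncer down with `failed to upgrade` and no attempt to bring the old unit back. Check the staged binary first, `[ -f "$BIN_PATH" ] || { msg err "$BIN_PATH not found"; exit 1; }`, before `systemctl stop "$SERVICE"`, and on failure restart what is still installed: `if ! upgrade_bin; then msg err "failed to upgrade $BOUNCER"; systemctl start "$SERVICE" || true; exit 1; fi`. In this patch `upgrade_bin` still verifies both paths itself, so the check is duplicated for now, but patch 3 of this series removes those checks from the library.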
From: Marco Mariani Date: Sat, 8 Apr 2023 01:15:30 +0200 Subject: [PATCH 2/7] wip --- debian/crowdsec-firewall-bouncer-nftables.postinst | 5 +++-- debian/crowdsec-firewall-bouncer-nftables.postrm | 6 ++++-- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/debian/crowdsec-firewall-bouncer-nftables.postinst b/debian/crowdsec-firewall-bouncer-nftables.postinst index 58e33fea..55548d64 100755 --- a/debian/crowdsec-firewall-bouncer-nftables.postinst +++ b/debian/crowdsec-firewall-bouncer-nftables.postinst @@ -5,12 +5,13 @@ systemctl daemon-reload BOUNCER="crowdsec-firewall-bouncer" BOUNCER_PREFIX="FirewallBouncer" -. /usr/lib/$DPKG_MAINTSCRIPT_PACKAGE/_bouncer.sh +#shellcheck source=./scripts/_bouncer.sh +. "/usr/lib/$DPKG_MAINTSCRIPT_PACKAGE/_bouncer.sh" START=1 if [ "$1" = "configure" ]; then if need_api_key; then - if !set_api_key; then + if ! set_api_key; then START=0 fi fi diff --git a/debian/crowdsec-firewall-bouncer-nftables.postrm b/debian/crowdsec-firewall-bouncer-nftables.postrm index 0346289c..870e2882 100644 --- a/debian/crowdsec-firewall-bouncer-nftables.postrm +++ b/debian/crowdsec-firewall-bouncer-nftables.postrm @@ -2,8 +2,10 @@ set -eu +BOUNCER="crowdsec-firewall-bouncer" +#shellcheck source=scripts/_bouncer.sh +. "/usr/lib/$DPKG_MAINTSCRIPT_PACKAGE/_bouncer.sh" + if [ "$1" = "purge" ]; then - BOUNCER="crowdsec-firewall-bouncer" - . /usr/lib/$DPKG_MAINTSCRIPT_PACKAGE/_bouncer.sh delete_bouncer fi From 7da3ff0627bcb017d718a60ec90c769e65ae86c9 Mon Sep 17 00:00:00 2001 
From: Marco Mariani Date: Sat, 8 Apr 2023 23:09:13 +0200 Subject: [PATCH 3/7] wip --- ...rowdsec-firewall-bouncer-iptables.postinst | 2 +- .../crowdsec-firewall-bouncer-iptables.postrm | 11 -- .../crowdsec-firewall-bouncer-iptables.prerm | 15 ++- ...rowdsec-firewall-bouncer-nftables.postinst | 2 +- .../crowdsec-firewall-bouncer-nftables.postrm | 11 -- .../crowdsec-firewall-bouncer-nftables.prerm | 15 ++- rpm/SPECS/crowdsec-firewall-bouncer.spec | 31 +++-- scripts/_bouncer.sh | 110 ++++++++++++------ 8 files changed, 116 insertions(+), 81 deletions(-) delete mode 100644 debian/crowdsec-firewall-bouncer-iptables.postrm delete mode 100644 debian/crowdsec-firewall-bouncer-nftables.postrm diff --git a/debian/crowdsec-firewall-bouncer-iptables.postinst b/debian/crowdsec-firewall-bouncer-iptables.postinst index 55548d64..cfe48eaa 100755 --- a/debian/crowdsec-firewall-bouncer-iptables.postinst +++ b/debian/crowdsec-firewall-bouncer-iptables.postinst @@ -5,7 +5,7 @@ systemctl daemon-reload BOUNCER="crowdsec-firewall-bouncer" BOUNCER_PREFIX="FirewallBouncer" -#shellcheck source=./scripts/_bouncer.sh +#shellcheck source=_bouncer.sh . "/usr/lib/$DPKG_MAINTSCRIPT_PACKAGE/_bouncer.sh" START=1 diff --git a/debian/crowdsec-firewall-bouncer-iptables.postrm b/debian/crowdsec-firewall-bouncer-iptables.postrm deleted file mode 100644 index 870e2882..00000000 --- a/debian/crowdsec-firewall-bouncer-iptables.postrm +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/sh - -set -eu - -BOUNCER="crowdsec-firewall-bouncer" -#shellcheck source=scripts/_bouncer.sh -. "/usr/lib/$DPKG_MAINTSCRIPT_PACKAGE/_bouncer.sh" - -if [ "$1" = "purge" ]; then - delete_bouncer -fi diff --git a/debian/crowdsec-firewall-bouncer-iptables.prerm b/debian/crowdsec-firewall-bouncer-iptables.prerm index 798f7092..0284a709 100644 --- a/debian/crowdsec-firewall-bouncer-iptables.prerm +++ b/debian/crowdsec-firewall-bouncer-iptables.prerm 
@@ -1,4 +1,15 @@ #!/bin/sh -systemctl stop crowdsec-firewall-bouncer || echo "cannot stop service" -systemctl disable crowdsec-firewall-bouncer || echo "cannot disable service" +set -eu + +BOUNCER="crowdsec-firewall-bouncer" + +#shellcheck source=./scripts/_bouncer.sh +. "/usr/lib/$DPKG_MAINTSCRIPT_PACKAGE/_bouncer.sh" + +systemctl stop "$SERVICE" || echo "cannot stop service" +systemctl disable "$SERVICE" || echo "cannot disable service" + +if [ "$1" = "purge" ]; then + delete_bouncer +fi diff --git a/debian/crowdsec-firewall-bouncer-nftables.postinst b/debian/crowdsec-firewall-bouncer-nftables.postinst index 55548d64..cfe48eaa 100755 --- a/debian/crowdsec-firewall-bouncer-nftables.postinst +++ b/debian/crowdsec-firewall-bouncer-nftables.postinst @@ -5,7 +5,7 @@ systemctl daemon-reload BOUNCER="crowdsec-firewall-bouncer" BOUNCER_PREFIX="FirewallBouncer" -#shellcheck source=./scripts/_bouncer.sh +#shellcheck source=_bouncer.sh . "/usr/lib/$DPKG_MAINTSCRIPT_PACKAGE/_bouncer.sh" START=1 diff --git a/debian/crowdsec-firewall-bouncer-nftables.postrm b/debian/crowdsec-firewall-bouncer-nftables.postrm deleted file mode 100644 index 870e2882..00000000 --- a/debian/crowdsec-firewall-bouncer-nftables.postrm +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/sh - -set -eu - -BOUNCER="crowdsec-firewall-bouncer" -#shellcheck source=scripts/_bouncer.sh -. "/usr/lib/$DPKG_MAINTSCRIPT_PACKAGE/_bouncer.sh" - -if [ "$1" = "purge" ]; then - delete_bouncer -fi diff --git a/debian/crowdsec-firewall-bouncer-nftables.prerm b/debian/crowdsec-firewall-bouncer-nftables.prerm index 798f7092..795fed86 100644 --- a/debian/crowdsec-firewall-bouncer-nftables.prerm +++ b/debian/crowdsec-firewall-bouncer-nftables.prerm 
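Review bot: `if [ "$1" = "purge" ]` in a prerm is dead code: dpkg invokes prerm with `remove`, `upgrade`, `deconfigure` or `failed-upgrade`, never `purge`, so once the postrm is deleted in this patch `delete_bouncer` is no longer called on any path and the LAPI keeps a stale bouncer registration alongside `$CONFIG.id`. Deregistering on `remove` is the only option that can still source `/usr/lib/$DPKG_MAINTSCRIPT_PACKAGE/_bouncer.sh` (present at prerm time, gone by `postrm purge`), so either use `if [ "$1" = "remove" ]; then delete_bouncer; fi` here, or keep the `cscli -oraw bouncers delete` call inline in a `postrm purge` as before. Whichever is chosen, a comment stating which dpkg phase the deregistration is tied to would prevent this from regressing again.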
@@ -1,4 +1,15 @@ #!/bin/sh -systemctl stop crowdsec-firewall-bouncer || echo "cannot stop service" -systemctl disable crowdsec-firewall-bouncer || echo "cannot disable service" +set -eu + +BOUNCER="crowdsec-firewall-bouncer" + +#shellcheck source=scripts/_bouncer.sh +. "/usr/lib/$DPKG_MAINTSCRIPT_PACKAGE/_bouncer.sh" + +systemctl stop "$SERVICE" || echo "cannot stop service" +systemctl disable "$SERVICE" || echo "cannot disable service" + +if [ "$1" = "purge" ]; then + delete_bouncer +fi diff --git a/rpm/SPECS/crowdsec-firewall-bouncer.spec b/rpm/SPECS/crowdsec-firewall-bouncer.spec index 243df15c..086a68ca 100644 --- a/rpm/SPECS/crowdsec-firewall-bouncer.spec +++ b/rpm/SPECS/crowdsec-firewall-bouncer.spec @@ -103,18 +103,17 @@ else fi %preun -p /usr/bin/sh -n crowdsec-firewall-bouncer-iptables -if [ "$1" = "0" ]; then - systemctl stop crowdsec-firewall-bouncer || echo "cannot stop service" - systemctl disable crowdsec-firewall-bouncer || echo "cannot disable service" -fi - -%postun -p /usr/bin/sh -n crowdsec-firewall-bouncer-iptables BOUNCER="crowdsec-firewall-bouncer" . /usr/lib/%{name}/_bouncer.sh -if [ "$1" == "0" ]; then +if [ "$1" = "0" ]; then + systemctl stop "$SERVICE" || echo "cannot stop service" + systemctl disable "$SERVICE" || echo "cannot disable service" delete_bouncer -else +fi + +%postun -p /usr/bin/sh -n crowdsec-firewall-bouncer-iptables +if [ "$1" = "1" ]; then systemctl restart crowdsec-firewall-bouncer || echo "cannot restart service" fi 
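Review bot: Same dead branch as the iptables prerm: `[ "$1" = "purge" ]` never matches because dpkg does not pass `purge` to prerm, so after this patch nothing deregisters the nftables bouncer from the LAPI or removes `$CONFIG.id`. The RPM hunk below gets this right by calling `delete_bouncer` from `%preun` on `$1 = 0`, while `/usr/lib/%{name}/_bouncer.sh` still exists; the dpkg counterpart is `if [ "$1" = "remove" ]; then delete_bouncer; fi`, accepting that the registration is dropped on remove rather than purge. If purge-time semantics are wanted, the `cscli -oraw bouncers delete` call has to be inlined in a postrm, because the library is not available at that point.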
@@ -172,18 +171,16 @@ else fi %preun -p /usr/bin/sh -n crowdsec-firewall-bouncer-nftables -if [ "$1" = "0" ]; then - systemctl stop crowdsec-firewall-bouncer || echo "cannot stop service" - systemctl disable crowdsec-firewall-bouncer || echo "cannot disable service" -fi - -%postun -p /usr/bin/sh -n crowdsec-firewall-bouncer-nftables BOUNCER="crowdsec-firewall-bouncer" . /usr/lib/%{name}/_bouncer.sh -if [ "$1" == "0" ]; then +if [ "$1" = "0" ]; then + systemctl stop "$SERVICE" || echo "cannot stop service" + systemctl disable "$SERVICE" || echo "cannot disable service" delete_bouncer -else - systemctl restart crowdsec-firewall-bouncer || echo "cannot restart service" fi +%postun -p /usr/bin/sh -n crowdsec-firewall-bouncer-nftables +if [ "$1" = "1" ]; then + systemctl restart crowdsec-firewall-bouncer || echo "cannot restart service" +fi diff --git a/scripts/_bouncer.sh b/scripts/_bouncer.sh index cab61e10..ebc3191b 100644 --- a/scripts/_bouncer.sh +++ b/scripts/_bouncer.sh @@ -1,26 +1,17 @@ #!/bin/sh #shellcheck disable=SC3043 -set -eu +# This is a library of functions that can be sourced by other scripts +# to install and configure bouncers. +# +# While not requiring bash, it is not strictly POSIX-compliant because +# it uses local variables, but it should woth with every modern shell. +# +# Since passing/parsing arguments in posix sh is tricky, we communicate +# values to the functions using environment variables. It's a matter of +# readability balance between shorter vs cleaner code. -# shellcheck disable=SC2034 -{ -SERVICE="$BOUNCER.service" -BIN_PATH_INSTALLED="/usr/local/bin/$BOUNCER" -BIN_PATH="./$BOUNCER" -CONFIG_DIR="/etc/crowdsec/bouncers" -CONFIG_FILE="$BOUNCER.yaml" -CONFIG="$CONFIG_DIR/$CONFIG_FILE" -SYSTEMD_PATH_FILE="/etc/systemd/system/$SERVICE" -} - -assert_root() { - #shellcheck disable=SC2312 - if [ "$(id -u)" -ne 0 ]; then - msg warn "Please run $0 as root or with sudo" - exit 1 - fi -} +set -eu set_colors() { if [ ! -t 0 ]; then 
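Review bot: The new header comment should state that sourcing this file turns on `set -eu` in the calling shell, since that is the library's most consequential side effect: every dpkg maintainer script and RPM scriptlet that sources it inherits errexit/nounset for the rest of its body, so a line such as the postinst's `systemctl --quiet is-enabled "$SERVICE" || systemctl unmask "$SERVICE" && systemctl enable "$SERVICE"` now aborts the install when `enable` fails, where it may previously have been tolerated. Suggested line after the existing paragraph: `# NOTE: sourcing this file enables "set -eu" in the calling shell; callers must be written for errexit/nounset.` Also `woth` should read `work` in `it should woth with every modern shell`.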
@@ -50,14 +41,43 @@ msg() { set_colors case "$1" in info) echo "${FG_CYAN}$2${RESET}" >&2 ;; - warn) echo "${FG_YELLOW}$2${RESET}" >&2 ;; - err) echo "${FG_RED}$2${RESET}" >&2 ;; + warn) echo "${FG_YELLOW}WARN:${RESET} $2" >&2 ;; + err) echo "${FG_RED}ERR:${RESET} $2" >&2 ;; succ) echo "${FG_GREEN}$2${RESET}" >&2 ;; *) echo "$1" >&2 ;; esac } +require() { + set | grep -q "^$1=" || { msg err "missing required variable \$$1"; exit 1; } + shift + [ "$#" -eq 0 ] || require "$@" +} + +# shellcheck disable=SC2034 +{ +require 'BOUNCER' +SERVICE="$BOUNCER.service" +BIN_PATH_INSTALLED="/usr/local/bin/$BOUNCER" +BIN_PATH="./$BOUNCER" +CONFIG_DIR="/etc/crowdsec/bouncers" +CONFIG_FILE="$BOUNCER.yaml" +CONFIG="$CONFIG_DIR/$CONFIG_FILE" +SYSTEMD_PATH_FILE="/etc/systemd/system/$SERVICE" +} + +assert_root() { + #shellcheck disable=SC2312 + if [ "$(id -u)" -ne 0 ]; then + msg warn "Please run $0 as root or with sudo" + exit 1 + fi +} + +# check if the configuration file contains the string +# "$API_KEY" and returns true if it does. need_api_key() { + require 'CONFIG' local before after before=$(cat "$CONFIG") # shellcheck disable=SC2016 @@ -70,15 +90,17 @@ need_api_key() { } set_api_key() { + require 'CONFIG' 'BOUNCER_PREFIX' + local api_key ret unique bouncer_id before # if we can't set the key, the user will take care of it - API_KEY="" + api_key="" ret=0 if command -v cscli >/dev/null; then echo "cscli/crowdsec is present, generating API key" >&2 unique=$(date +%s) bouncer_id="$BOUNCER_PREFIX-$unique" - API_KEY=$(cscli -oraw bouncers add "$bouncer_id") + api_key=$(cscli -oraw bouncers add "$bouncer_id") if [ $? -eq 1 ]; then echo "failed to create API key" >&2 ret=1 
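Review bot: `require` checks presence with `set | grep -q "^$1="`, which dumps every shell variable through a pipe and matches any line that begins with the name, so a multi-line value of some other variable whose continuation line starts with, say, `CONFIG=` satisfies the check for `CONFIG` while `CONFIG` itself is unset. A direct test avoids the dump and the false positive: `eval "[ -n \"\${$1+set}\" ]" || { msg err "missing required variable \$$1"; exit 1; }`, with a comment that `eval` is acceptable here only because every argument to `require` is a literal in this file, never user input. It is also worth noting in a comment that `require 'BOUNCER'` runs at source time and calls `exit 1`, so a script that forgets to set `BOUNCER` dies at the `.` line rather than at first use — intended, but surprising when reading the callers.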
@@ -96,22 +118,45 @@ set_api_key() { # can't use redirection while overwriting a file before=$(cat "$CONFIG") # shellcheck disable=SC2016 - echo "$before" | API_KEY="$API_KEY" envsubst '$API_KEY' > "$CONFIG" + echo "$before" | API_KEY="$api_key" envsubst '$API_KEY' > "$CONFIG" ) return "$ret" } set_local_port() { + require 'CONFIG' + local port command -v cscli >/dev/null || return 0 - PORT=$(cscli config show --key "Config.API.Server.ListenURI" | cut -d ":" -f2) - if [ "$PORT" != "" ]; then - sed -i "s/localhost:8080/127.0.0.1:$PORT/g" "$CONFIG" - sed -i "s/127.0.0.1:8080/127.0.0.1:$PORT/g" "$CONFIG" + port=$(cscli config show --key "Config.API.Server.ListenURI" | cut -d ":" -f2) + if [ "$port" != "" ]; then + sed -i "s/localhost:8080/127.0.0.1:$port/g" "$CONFIG" + sed -i "s/127.0.0.1:8080/127.0.0.1:$port/g" "$CONFIG" fi } +set_local_lapi_url() { + require 'CONFIG' 'VARNAME' + local port before + # VARNAME is the name of the variable to interpolate + # in the config file with the URL of the LAPI server, + # assuming it is running on the same host as the + # bouncer. + command -v cscli >/dev/null || return 0 + port=$(cscli config show --key "Config.API.Server.ListenURI" | cut -d ":" -f2 || true) + if [ "$port" = "" ]; then + port=8080 + fi + ( # subshell to avoid leaking the umask + before=$(cat "$CONFIG") + umask 077 + echo "$before" | env "$VARNAME=http://127.0.0.1:$port" envsubst "\$$VARNAME" > "$CONFIG" + ) +} + delete_bouncer() { + require 'CONFIG' + local bouncer_id if [ -f "$CONFIG.id" ]; then bouncer_id=$(cat "$CONFIG.id") cscli -oraw bouncers delete "$bouncer_id" 2>/dev/null || true @@ -120,14 +165,7 @@ delete_bouncer() { } upgrade_bin() { - if [ ! -f "$BIN_PATH" ]; then - msg err "$BIN_PATH not found" - return 1 - fi - if [ ! -e "$BIN_PATH_INSTALLED" ]; then - msg err "$BIN_PATH_INSTALLED is not installed" - return 1 - fi + require 'BIN_PATH' 'BIN_PATH_INSTALLED' rm "$BIN_PATH_INSTALLED" install -v -m 0755 -D "$BIN_PATH" "$BIN_PATH_INSTALLED" } 
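Review bot: In `set_local_lapi_url`, `port` is taken verbatim from `cscli` output and interpolated into the URL that `envsubst` writes into the config, with only the empty case handled; a `ListenURI` whose host part itself contains colons (an IPv6 literal, presumably) makes `cut -d ":" -f2` return something other than the port, and a non-numeric value is written silently. Capture the URI into a local, take the last field with `port=${listen_uri##*:}`, and validate it before use: `case "$port" in ''|*[!0-9]*) port=8080 ;; esac`. The function comment should also state that `VARNAME` must name a variable that appears as `$VARNAME` in the config template, because `envsubst` leaves the file unchanged otherwise and nothing here reports that.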
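Review bot: Replacing the two file-existence checks in `upgrade_bin` with `require 'BIN_PATH' 'BIN_PATH_INSTALLED'` is not equivalent: `require` only checks that the variable names are set, and both are assigned unconditionally at source time, so a missing `./$BOUNCER` is no longer caught before `rm "$BIN_PATH_INSTALLED"` runs, and under `set -e` the script then dies with the old binary already deleted and no new one installed. Keep a guard ahead of the `rm`: `[ -f "$BIN_PATH" ] || { msg err "$BIN_PATH not found"; return 1; }`. If the `rm` exists only to replace a running binary, `install` presumably already unlinks the destination and the line can go.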
From 4bbc9f531ec7104015b195ffde9f3021fc076694 Mon Sep 17 00:00:00 2001 From: Marco Mariani Date: Mon, 10 Apr 2023 21:18:37 +0200 Subject: [PATCH 4/7] wip --- scripts/_bouncer.sh | 24 ++++++++++++------------ scripts/install.sh | 8 +++----- 2 files changed, 15 insertions(+), 17 deletions(-) diff --git a/scripts/_bouncer.sh b/scripts/_bouncer.sh index ebc3191b..fac25f9b 100644 --- a/scripts/_bouncer.sh +++ b/scripts/_bouncer.sh @@ -113,13 +113,12 @@ set_api_key() { ret=1 fi - ( - umask 077 - # can't use redirection while overwriting a file - before=$(cat "$CONFIG") - # shellcheck disable=SC2016 - echo "$before" | API_KEY="$api_key" envsubst '$API_KEY' > "$CONFIG" - ) + # can't use redirection while overwriting a file + before=$(cat "$CONFIG") + # shellcheck disable=SC2016 + echo "$before" | \ + API_KEY="$api_key" envsubst '$API_KEY' | \ + install -m 0600 /dev/stdin "$CONFIG" return "$ret" } @@ -143,15 +142,16 @@ set_local_lapi_url() { # assuming it is running on the same host as the # bouncer. command -v cscli >/dev/null || return 0 + port=$(cscli config show --key "Config.API.Server.ListenURI" | cut -d ":" -f2 || true) if [ "$port" = "" ]; then port=8080 fi - ( # subshell to avoid leaking the umask - before=$(cat "$CONFIG") - umask 077 - echo "$before" | env "$VARNAME=http://127.0.0.1:$port" envsubst "\$$VARNAME" > "$CONFIG" - ) + + before=$(cat "$CONFIG") + echo "$before" | \ + env "$VARNAME=http://127.0.0.1:$port" envsubst "\$$VARNAME" | \ + install -m 0600 /dev/stdin "$CONFIG" } delete_bouncer() { diff --git a/scripts/install.sh b/scripts/install.sh index faab1478..d8b4ca25 100755 --- a/scripts/install.sh +++ b/scripts/install.sh 
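Review bot: The new `echo "$before" | envsubst | install -m 0600 /dev/stdin "$CONFIG"` pipeline runs in POSIX `sh` without `pipefail`, so if `envsubst` fails or is absent, `install` still runs on an empty stream and replaces the config, including the API key just generated, with a zero-byte file while the pipeline reports success. Render into a temporary file and install it only when the render succeeded: `tmp=$(mktemp) && printf '%s\n' "$before" | API_KEY="$api_key" envsubst '$API_KEY' > "$tmp" && install -m 0600 "$tmp" "$CONFIG"; rm -f "$tmp"`, with an `||` branch that reports the failure. Reading `/dev/stdin` also assumes a `/dev/fd`-style device tree, which not every minimal chroot provides. `set_api_key` starts outside this hunk.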
@@ -106,11 +106,9 @@ gen_apikey() { } gen_config_file() { - ( - umask 077 - # shellcheck disable=SC2016 - API_KEY=${API_KEY} BACKEND=${FW_BACKEND} envsubst '$API_KEY $BACKEND' <"./config/$CONFIG_FILE" >"$CONFIG" - ) + # shellcheck disable=SC2016 + API_KEY=${API_KEY} BACKEND=${FW_BACKEND} envsubst '$API_KEY $BACKEND' <"./config/$CONFIG_FILE" | \ + install -D -m 0600 /dev/stdin "$CONFIG" } install_bouncer() { From f85fed61a527c2339940b35bdb981073c0dd9609 Mon Sep 17 00:00:00 2001 From: Marco Mariani Date: Mon, 10 Apr 2023 21:59:28 +0200 Subject: [PATCH 5/7] wip --- debian/crowdsec-firewall-bouncer-iptables.postinst | 2 +- debian/crowdsec-firewall-bouncer-nftables.postinst | 2 +- debian/crowdsec-firewall-bouncer-nftables.prerm | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/debian/crowdsec-firewall-bouncer-iptables.postinst b/debian/crowdsec-firewall-bouncer-iptables.postinst index cfe48eaa..55548d64 100755 --- a/debian/crowdsec-firewall-bouncer-iptables.postinst +++ b/debian/crowdsec-firewall-bouncer-iptables.postinst @@ -5,7 +5,7 @@ systemctl daemon-reload BOUNCER="crowdsec-firewall-bouncer" BOUNCER_PREFIX="FirewallBouncer" -#shellcheck source=_bouncer.sh +#shellcheck source=./scripts/_bouncer.sh . "/usr/lib/$DPKG_MAINTSCRIPT_PACKAGE/_bouncer.sh" START=1 diff --git a/debian/crowdsec-firewall-bouncer-nftables.postinst b/debian/crowdsec-firewall-bouncer-nftables.postinst index cfe48eaa..55548d64 100755 --- a/debian/crowdsec-firewall-bouncer-nftables.postinst +++ b/debian/crowdsec-firewall-bouncer-nftables.postinst @@ -5,7 +5,7 @@ systemctl daemon-reload BOUNCER="crowdsec-firewall-bouncer" BOUNCER_PREFIX="FirewallBouncer" -#shellcheck source=_bouncer.sh +#shellcheck source=./scripts/_bouncer.sh . "/usr/lib/$DPKG_MAINTSCRIPT_PACKAGE/_bouncer.sh" START=1 diff --git a/debian/crowdsec-firewall-bouncer-nftables.prerm b/debian/crowdsec-firewall-bouncer-nftables.prerm index 795fed86..0284a709 100644 --- a/debian/crowdsec-firewall-bouncer-nftables.prerm 
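Review bot: `gen_config_file` now writes an empty `$CONFIG` when the template `./config/$CONFIG_FILE` is missing: the failed `<` redirection only skips `envsubst`, `install -D` still creates the 0600 file from an empty stdin, and the pipeline exits 0 because `sh` has no `pipefail`, so the key presumably produced by `gen_apikey` just before is lost. Check the template first: `[ -f "./config/$CONFIG_FILE" ] || { echo "missing template ./config/$CONFIG_FILE" >&2; return 1; }`. Note also that `install -D` creates the parent directory with the default umask mode, which is fine only if `/etc/crowdsec/bouncers` is meant to be world-searchable.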
+++ b/debian/crowdsec-firewall-bouncer-nftables.prerm @@ -4,7 +4,7 @@ set -eu BOUNCER="crowdsec-firewall-bouncer" -#shellcheck source=scripts/_bouncer.sh +#shellcheck source=./scripts/_bouncer.sh . "/usr/lib/$DPKG_MAINTSCRIPT_PACKAGE/_bouncer.sh" systemctl stop "$SERVICE" || echo "cannot stop service" From 7246b95fee1c96531e2357d17b998d65734e3f85 Mon Sep 17 00:00:00 2001 From: Marco Mariani Date: Mon, 10 Apr 2023 22:49:35 +0200 Subject: [PATCH 6/7] wip --- rpm/SPECS/crowdsec-firewall-bouncer.spec | 6 ++++-- scripts/_bouncer.sh | 17 +++++++++++------ 2 files changed, 15 insertions(+), 8 deletions(-) diff --git a/rpm/SPECS/crowdsec-firewall-bouncer.spec b/rpm/SPECS/crowdsec-firewall-bouncer.spec index 086a68ca..362fe15a 100644 --- a/rpm/SPECS/crowdsec-firewall-bouncer.spec +++ b/rpm/SPECS/crowdsec-firewall-bouncer.spec @@ -38,7 +38,7 @@ mkdir -p %{buildroot}/etc/crowdsec/bouncers/ install -m 600 config/%{name}.yaml %{buildroot}/etc/crowdsec/bouncers/%{name}.yaml mkdir -p %{buildroot}/usr/lib/%{name}/ -install -m 600 config/_bouncer.sh %{buildroot}/usr/lib/%{name}/_bouncer.sh +install -m 600 scripts/_bouncer.sh %{buildroot}/usr/lib/%{name}/_bouncer.sh mkdir -p %{buildroot}%{_unitdir}/ BIN=%{_bindir}/%{name} CFG=/etc/crowdsec/bouncers/ envsubst '$BIN $CFG' < config/%{name}.service | install -m 0644 /dev/stdin %{buildroot}%{_unitdir}/%{name}.service @@ -162,7 +162,7 @@ fi set_local_port if [ "$START" -eq 0 ]; then - echo "no api key was generated, won't start the service" >&2 + echo "no api key was generated, you can generate one on your LAPI Server by running 'cscli bouncers add ' and add it to '/etc/crowdsec/bouncers/$BOUNCER.yaml'" >&2 else %if 0%{?fc35} systemctl enable "$SERVICE" @@ -170,6 +170,8 @@ else systemctl start "$SERVICE" fi +echo "$BOUNCER has been successfully installed" + %preun -p /usr/bin/sh -n crowdsec-firewall-bouncer-nftables BOUNCER="crowdsec-firewall-bouncer" . /usr/lib/%{name}/_bouncer.sh 
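Review bot: The new hint `'cscli bouncers add '` ends without a bouncer name, so an operator pasting it gets a usage error; if the placeholder was not simply lost in rendering, write `'cscli bouncers add <bouncer_name>'`. The instruction should also say that the key goes into the `api_key` field of the YAML file it names, since the path alone does not tell the operator where to put it.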
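Review bot: `echo "$BOUNCER has been successfully installed"` is printed after both branches of the preceding `if`, including the one that has just warned that no API key was generated and the service was not started; reporting success there misleads an operator reading the `rpm` output. Move the line into the `else` branch, or phrase it neutrally as `echo "$BOUNCER has been installed"` and let the no-key warning stand on its own.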
diff --git a/scripts/_bouncer.sh b/scripts/_bouncer.sh index fac25f9b..534d4c7a 100644 --- a/scripts/_bouncer.sh +++ b/scripts/_bouncer.sh @@ -7,8 +7,8 @@ # While not requiring bash, it is not strictly POSIX-compliant because # it uses local variables, but it should woth with every modern shell. # -# Since passing/parsing arguments in posix sh is tricky, we communicate -# values to the functions using environment variables. It's a matter of +# Since passing/parsing arguments in posix sh is tricky, we share +# some environment variables with the functions. It's a matter of # readability balance between shorter vs cleaner code. set -eu @@ -135,12 +135,17 @@ set_local_port() { } set_local_lapi_url() { - require 'CONFIG' 'VARNAME' - local port before - # VARNAME is the name of the variable to interpolate + require 'CONFIG' + local port before varname + # $varname is the name of the variable to interpolate # in the config file with the URL of the LAPI server, # assuming it is running on the same host as the # bouncer. + varname=$1 + if [ "$varname" = "" ]; then + msg err "missing required variable VARNAME" + exit 1 + fi command -v cscli >/dev/null || return 0 port=$(cscli config show --key "Config.API.Server.ListenURI" | cut -d ":" -f2 || true) @@ -150,7 +155,7 @@ set_local_lapi_url() { before=$(cat "$CONFIG") echo "$before" | \ - env "$VARNAME=http://127.0.0.1:$port" envsubst "\$$VARNAME" | \ + env "$varname=http://127.0.0.1:$port" envsubst "\$$varname" | \ install -m 0600 /dev/stdin "$CONFIG" } From 12144a45b15e28e96bcf8612266963a0376cf75d Mon Sep 17 00:00:00 2001 From: Marco Mariani Date: Mon, 10 Apr 2023 22:58:33 +0200 Subject: [PATCH 7/7] wip --- debian/control | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/debian/control b/debian/control index 8ef551a0..a6616eac 100644 --- a/debian/control +++ b/debian/control 
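Review bot: `varname=$1` runs under the library's `set -eu`, so calling `set_local_lapi_url` with no argument aborts with the shell's own parameter-not-set error before the friendly `missing required variable VARNAME` check is reached; use `varname=${1:-}` so the check can fire, and update the message text now that the value is a positional argument rather than the `VARNAME` variable. Because `$varname` is later used both as an `env` assignment and as an `envsubst` pattern, also reject anything that is not a plain identifier: `case "$varname" in ''|*[!A-Za-z0-9_]*) msg err "invalid variable name '$varname'"; exit 1 ;; esac`. The function's closing lines are in the following hunk.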
@@ -8,6 +8,8 @@ Description: Firewall bouncer for Crowdsec (iptables+ipset) Depends: iptables, ipset, gettext-base Replaces: crowdsec-firewall-bouncer Conflicts: crowdsec-firewall-bouncer-nftables +Section: admin +Priority: optional Package: crowdsec-firewall-bouncer-nftables Architecture: any @@ -15,3 +17,5 @@ Description: Firewall bouncer for Crowdsec (nftables) Depends: nftables, gettext-base Replaces: crowdsec-firewall-bouncer Conflicts: crowdsec-firewall-bouncer-iptables +Section: admin +Priority: optional