use go 1.24, enable unencrypted http2 (#3470)

mmetc 2025-02-19 14:05:17 +01:00 committed by GitHub
parent efbb42bf9e
commit c4ff4228be
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
13 changed files with 58 additions and 23 deletions


@ -61,6 +61,6 @@ jobs:
- name: golangci-lint - name: golangci-lint
uses: golangci/golangci-lint-action@v6 uses: golangci/golangci-lint-action@v6
with: with:
version: v1.63 version: v1.64
args: --issues-exit-code=1 --timeout 10m args: --issues-exit-code=1 --timeout 10m
only-new-issues: false only-new-issues: false


@ -198,6 +198,6 @@ jobs:
- name: golangci-lint - name: golangci-lint
uses: golangci/golangci-lint-action@v6 uses: golangci/golangci-lint-action@v6
with: with:
version: v1.63 version: v1.64
args: --issues-exit-code=1 --timeout 10m args: --issues-exit-code=1 --timeout 10m
only-new-issues: false only-new-issues: false


@ -240,7 +240,7 @@ linters:
# #
# DEPRECATED by golangi-lint # DEPRECATED by golangi-lint
# #
- exportloopref - tenv
# #
# Redundant # Redundant
@ -493,6 +493,11 @@ issues:
text: "argument-limit: .*" text: "argument-limit: .*"
# need some cleanup first: to create db in memory and share the client, not the config # need some cleanup first: to create db in memory and share the client, not the config
- linters:
- usetesting
path: "(.+)_test.go"
text: "context.Background.*"
- linters: - linters:
- usetesting - usetesting
path: "pkg/apiserver/(.+)_test.go" path: "pkg/apiserver/(.+)_test.go"


@ -1,4 +1,4 @@
FROM docker.io/golang:1.23-alpine3.21 AS build FROM docker.io/golang:1.24-alpine3.21 AS build
ARG BUILD_VERSION ARG BUILD_VERSION


@ -1,4 +1,4 @@
FROM docker.io/golang:1.23-bookworm AS build FROM docker.io/golang:1.24-bookworm AS build
ARG BUILD_VERSION ARG BUILD_VERSION

6
go.mod

@ -1,10 +1,6 @@
module github.com/crowdsecurity/crowdsec module github.com/crowdsecurity/crowdsec
go 1.23.6 go 1.24.0
// Don't use the toolchain directive to avoid uncontrolled downloads during
// a build, especially in sandboxed environments (freebsd, gentoo...).
// toolchain go1.21.3
require ( require (
entgo.io/ent v0.14.2 entgo.io/ent v0.14.2
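Review bot: Deleting the comment about the toolchain directive in the same change that raises the `go` line to 1.24.0 removes the only in-file explanation of how toolchain downloads are meant to be controlled. With `GOTOOLCHAIN=auto`, the default in upstream Go distributions, a builder whose local Go is older than 1.24.0 will try to fetch that toolchain over the network, which is the uncontrolled download the removed comment warned about for sandboxed builds. I would keep a short comment such as `// No toolchain directive: build with GOTOOLCHAIN=local so an older Go fails instead of downloading one.` and set `GOTOOLCHAIN=local` in the packaging and CI environments, if that is not already done elsewhere.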


@ -173,10 +173,15 @@ func (w *AppsecSource) Configure(yamlConfig []byte, logger *log.Entry, metricsLe
w.mux = http.NewServeMux() w.mux = http.NewServeMux()
w.server = &http.Server{ w.server = &http.Server{
Addr: w.config.ListenAddr, Addr: w.config.ListenAddr,
Handler: w.mux, Handler: w.mux,
Protocols: &http.Protocols{},
} }
w.server.Protocols.SetHTTP1(true)
w.server.Protocols.SetUnencryptedHTTP2(true)
w.server.Protocols.SetHTTP2(true)
w.InChan = make(chan appsec.ParsedRequest) w.InChan = make(chan appsec.ParsedRequest)
appsecCfg := appsec.AppsecConfig{Logger: w.logger.WithField("component", "appsec_config")} appsecCfg := appsec.AppsecConfig{Logger: w.logger.WithField("component", "appsec_config")}
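Review bot: `SetUnencryptedHTTP2(true)` turns on cleartext HTTP/2 for this listener unconditionally, and the same four added lines appear in the HTTP source, k8s-audit and API server hunks, so every plaintext listener now accepts a second protocol with no way for an operator to opt out. The `http.Server` literal visible here sets no `ReadHeaderTimeout` or `IdleTimeout` and no `HTTP2` limits (`http.HTTP2Config`), which matters more once multiplexed streams are accepted from anything that can reach `ListenAddr`; Configure continues outside the hunk, so these may be set elsewhere. I would build the protocol set in one helper gated by a setting (it would need to live in a package all four callers can import), and say at each call site why h2c is wanted, rather than repeating the setters four times.

```go
// serverProtocols returns the protocol set for a listener: HTTP/1.1 and
// HTTP/2 over TLS always, cleartext HTTP/2 only when allowH2C is true.
func serverProtocols(allowH2C bool) *http.Protocols {
	p := new(http.Protocols)
	p.SetHTTP1(true)
	p.SetHTTP2(true)
	p.SetUnencryptedHTTP2(allowH2C)

	return p
}

// … unchanged: w.mux = http.NewServeMux() and the start of the http.Server literal …
		Protocols: serverProtocols(allowH2C), // allowH2C: value taken from the listener's configuration
```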


@ -372,10 +372,15 @@ func (h *HTTPSource) RunServer(out chan types.Event, t *tomb.Tomb) error {
}) })
h.Server = &http.Server{ h.Server = &http.Server{
Addr: h.Config.ListenAddr, Addr: h.Config.ListenAddr,
Handler: mux, Handler: mux,
Protocols: &http.Protocols{},
} }
h.Server.Protocols.SetHTTP1(true)
h.Server.Protocols.SetUnencryptedHTTP2(true)
h.Server.Protocols.SetHTTP2(true)
if h.Config.Timeout != nil { if h.Config.Timeout != nil {
h.Server.ReadTimeout = *h.Config.Timeout h.Server.ReadTimeout = *h.Config.Timeout
} }


@ -113,10 +113,15 @@ func (ka *KubernetesAuditSource) Configure(config []byte, logger *log.Entry, met
ka.mux = http.NewServeMux() ka.mux = http.NewServeMux()
ka.server = &http.Server{ ka.server = &http.Server{
Addr: ka.addr, Addr: ka.addr,
Handler: ka.mux, Handler: ka.mux,
Protocols: &http.Protocols{},
} }
ka.server.Protocols.SetHTTP1(true)
ka.server.Protocols.SetUnencryptedHTTP2(true)
ka.server.Protocols.SetHTTP2(true)
ka.mux.HandleFunc(ka.config.WebhookPath, ka.webhookHandler) ka.mux.HandleFunc(ka.config.WebhookPath, ka.webhookHandler)
return nil return nil
@ -154,6 +159,7 @@ func (ka *KubernetesAuditSource) StreamingAcquisition(ctx context.Context, out c
}) })
<-t.Dying() <-t.Dying()
ka.logger.Infof("Stopping k8s-audit server on %s:%d%s", ka.config.ListenAddr, ka.config.ListenPort, ka.config.WebhookPath) ka.logger.Infof("Stopping k8s-audit server on %s:%d%s", ka.config.ListenAddr, ka.config.ListenPort, ka.config.WebhookPath)
if err := ka.server.Shutdown(ctx); err != nil { if err := ka.server.Shutdown(ctx); err != nil {
ka.logger.Errorf("Error shutting down k8s-audit server: %s", err.Error()) ka.logger.Errorf("Error shutting down k8s-audit server: %s", err.Error())
} }


@ -56,8 +56,7 @@ func isBrokenConnection(maybeError any) bool {
if errors.As(err, &netOpError) { if errors.As(err, &netOpError) {
var syscallError *os.SyscallError var syscallError *os.SyscallError
if errors.As(netOpError.Err, &syscallError) { if errors.As(netOpError.Err, &syscallError) {
if strings.Contains(strings.ToLower(syscallError.Error()), "broken pipe") || if strings.Contains(strings.ToLower(syscallError.Error()), "broken pipe") || strings.Contains(strings.ToLower(syscallError.Error()), "connection reset by peer") {
strings.Contains(strings.ToLower(syscallError.Error()), "connection reset by peer") {
return true return true
} }
} }
@ -384,8 +383,13 @@ func (s *APIServer) Run(apiReady chan bool) error {
Addr: s.URL, Addr: s.URL,
Handler: s.router, Handler: s.router,
TLSConfig: tlsCfg, TLSConfig: tlsCfg,
Protocols: &http.Protocols{},
} }
s.httpServer.Protocols.SetHTTP1(true)
s.httpServer.Protocols.SetUnencryptedHTTP2(true)
s.httpServer.Protocols.SetHTTP2(true)
ctx := context.TODO() ctx := context.TODO()
if s.apic != nil { if s.apic != nil {


@ -149,9 +149,9 @@ func autoQuote(v any) string {
// let's avoid printing long strings. it can happen ie. when we are debugging expr with `File()` or similar helpers // let's avoid printing long strings. it can happen ie. when we are debugging expr with `File()` or similar helpers
if len(x) > 40 { if len(x) > 40 {
return fmt.Sprintf("%q", x[:40]+"...") return fmt.Sprintf("%q", x[:40]+"...")
} else {
return fmt.Sprintf("%q", x)
} }
return fmt.Sprintf("%q", x)
default: default:
return fmt.Sprintf("%v", x) return fmt.Sprintf("%v", x)
} }


@ -216,7 +216,8 @@ func FileInit(fileFolder string, filename string, fileType string) error {
if strings.HasPrefix(scanner.Text(), "#") { // allow comments if strings.HasPrefix(scanner.Text(), "#") { // allow comments
continue continue
} }
if scanner.Text() == "" { //skip empty lines
if scanner.Text() == "" { // skip empty lines
continue continue
} }
@ -262,7 +263,7 @@ func Distinct(params ...any) (any, error) {
} }
func FlattenDistinct(params ...any) (any, error) { func FlattenDistinct(params ...any) (any, error) {
return Distinct(flatten(nil, reflect.ValueOf(params))) //nolint:asasalint return Distinct(flatten(nil, reflect.ValueOf(params)))
} }
func Flatten(params ...any) (any, error) { func Flatten(params ...any) (any, error) {
@ -312,9 +313,11 @@ func existsInFileMaps(filename string, ftype string) (bool, error) {
func Get(params ...any) (any, error) { func Get(params ...any) (any, error) {
arr := params[0].([]string) arr := params[0].([]string)
index := params[1].(int) index := params[1].(int)
if index >= len(arr) { if index >= len(arr) {
return "", nil return "", nil
} }
return arr[index], nil return arr[index], nil
} }
@ -407,22 +410,26 @@ func PathEscape(params ...any) (any, error) {
// func PathUnescape(s string) string { // func PathUnescape(s string) string {
func PathUnescape(params ...any) (any, error) { func PathUnescape(params ...any) (any, error) {
s := params[0].(string) s := params[0].(string)
ret, err := url.PathUnescape(s) ret, err := url.PathUnescape(s)
if err != nil { if err != nil {
log.Debugf("unable to PathUnescape '%s': %+v", s, err) log.Debugf("unable to PathUnescape '%s': %+v", s, err)
return s, nil return s, nil
} }
return ret, nil return ret, nil
} }
// func QueryUnescape(s string) string { // func QueryUnescape(s string) string {
func QueryUnescape(params ...any) (any, error) { func QueryUnescape(params ...any) (any, error) {
s := params[0].(string) s := params[0].(string)
ret, err := url.QueryUnescape(s) ret, err := url.QueryUnescape(s)
if err != nil { if err != nil {
log.Debugf("unable to QueryUnescape '%s': %+v", s, err) log.Debugf("unable to QueryUnescape '%s': %+v", s, err)
return s, nil return s, nil
} }
return ret, nil return ret, nil
} }
@ -432,8 +439,10 @@ func File(params ...any) (any, error) {
if _, ok := dataFile[filename]; ok { if _, ok := dataFile[filename]; ok {
return dataFile[filename], nil return dataFile[filename], nil
} }
log.Errorf("file '%s' (type:string) not found in expr library", filename) log.Errorf("file '%s' (type:string) not found in expr library", filename)
log.Errorf("expr library : %s", spew.Sdump(dataFile)) log.Errorf("expr library : %s", spew.Sdump(dataFile))
return []string{}, nil return []string{}, nil
} }
@ -441,13 +450,16 @@ func File(params ...any) (any, error) {
func RegexpInFile(params ...any) (any, error) { func RegexpInFile(params ...any) (any, error) {
data := params[0].(string) data := params[0].(string)
filename := params[1].(string) filename := params[1].(string)
var hash uint64 var hash uint64
hasCache := false hasCache := false
matched := false matched := false
if _, ok := dataFileRegexCache[filename]; ok { if _, ok := dataFileRegexCache[filename]; ok {
hasCache = true hasCache = true
hash = xxhash.Sum64String(data) hash = xxhash.Sum64String(data)
if val, err := dataFileRegexCache[filename].Get(hash); err == nil { if val, err := dataFileRegexCache[filename].Get(hash); err == nil {
return val.(bool), nil return val.(bool), nil
} }
@ -479,9 +491,11 @@ func RegexpInFile(params ...any) (any, error) {
log.Errorf("expr library : %s", spew.Sdump(dataFileRegex)) log.Errorf("expr library : %s", spew.Sdump(dataFileRegex))
} }
} }
if hasCache { if hasCache {
dataFileRegexCache[filename].Set(hash, matched) dataFileRegexCache[filename].Set(hash, matched)
} }
return matched, nil return matched, nil
} }


@ -74,7 +74,7 @@ teardown() {
payload=$(yq -o j '.remediation_components[0].utc_startup_timestamp = "2021-09-01T00:00:00Z"' <<<"$payload") payload=$(yq -o j '.remediation_components[0].utc_startup_timestamp = "2021-09-01T00:00:00Z"' <<<"$payload")
rune -22 curl-with-key '/v1/usage-metrics' -X POST --data "$payload" rune -22 curl-with-key '/v1/usage-metrics' -X POST --data "$payload"
assert_stderr --partial "error: 400" assert_stderr --partial "error: 400"
assert_json '{message: "json: cannot unmarshal string into Go struct field AllMetrics.remediation_components of type int64"}' assert_json '{message: "json: cannot unmarshal string into Go struct field AllMetrics.remediation_components.utc_startup_timestamp of type int64"}'
payload=$(yq -o j '.remediation_components[0].utc_startup_timestamp = 1707399316' <<<"$payload") payload=$(yq -o j '.remediation_components[0].utc_startup_timestamp = 1707399316' <<<"$payload")
rune -0 curl-with-key '/v1/usage-metrics' -X POST --data "$payload" rune -0 curl-with-key '/v1/usage-metrics' -X POST --data "$payload"