Add support for centralized allowlists #3355

blotus · 2024-12-08T23:58:07Z

This PR adds a new type of allowlist that is managed by LAPI and applies to alerts, blocklists content and appsec (but not to manual decisions with cscli):

alerts are dropped (with a log message)
blocklist content matching an allowlist is ignored
appsec requests matching an allowlist are not processed

Compared to existing types of allowlists in crowdsec (in parsers, postoverflows, custom profiles or appsec hooks), they only support IPs and ranges (ie, no arbitrary expression), but they can have an optional expiration.

An alert is considered allowlisted in the following situations:

The source of the alert is an exact match with a non-expired allowlist item
The source of the alert belongs to a non-expired (range) allowlist item
The source of the alert contains a non-expired allowlisted item (eg, 1.2.3.4 is allowlisted, and an alert on 1.2.3.0/24 is generated): while this seems counter-intuitive, range alerts are rare and it would be add a lot of complexity to carve out the specific IPs that are allowlisted from the alert source (and generate multiple sub-alerts).

They can be managed with:

cscli
The console (allowlists created from the console are not editable with cscli to avoid conflict), in which case they are pulled from CAPI or PAPI.

If a local allowlist is created, and another one with the same name is created in the console, the one from the console will replace the local one.

github-actions · 2024-12-08T23:58:18Z

@blotus: There are no 'kind' label on this PR. You need a 'kind' label to generate the release automatically.

/kind feature
/kind enhancement
/kind refactoring
/kind fix
/kind chore
/kind dependencies

Details

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

github-actions · 2024-12-08T23:58:20Z

@blotus: There are no area labels on this PR. You can add as many areas as you see fit.

/area agent
/area local-api
/area cscli
/area appsec
/area security
/area configuration

Details

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

blotus · 2024-12-08T23:59:08Z

/kind feature
/area local-api

codecov · 2024-12-09T00:10:59Z

Codecov Report

Attention: Patch coverage is 22.72408% with 3302 lines in your changes missing coverage. Please review.

Project coverage is 55.24%. Comparing base (bfed861) to head (9f8d286).
Report is 9 commits behind head on master.

Files with missing lines	Patch %	Lines
cmd/crowdsec-cli/cliallowlists/allowlists.go	17.52%	394 Missing and 6 partials ⚠️
pkg/database/ent/allowlistitem_query.go	12.82%	355 Missing and 12 partials ⚠️
pkg/database/ent/allowlist_query.go	23.27%	305 Missing and 18 partials ⚠️
pkg/database/ent/allowlistitem_update.go	0.00%	311 Missing ⚠️
pkg/database/ent/allowlist_update.go	18.18%	219 Missing and 6 partials ⚠️
pkg/database/ent/allowlistitem/where.go	17.60%	220 Missing ⚠️
pkg/database/ent/allowlist/where.go	2.31%	169 Missing ⚠️
pkg/database/ent/allowlistitem_create.go	35.40%	160 Missing and 6 partials ⚠️
pkg/database/ent/allowlist_create.go	27.05%	143 Missing and 8 partials ⚠️
pkg/database/allowlists.go	56.52%	92 Missing and 8 partials ⚠️
... and 23 more

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #3355      +/-   ##
==========================================
- Coverage   59.35%   55.24%   -4.12%     
==========================================
  Files         362      387      +25     
  Lines       38979    43196    +4217     
==========================================
+ Hits        23137    23863     +726     
- Misses      13916    17305    +3389     
- Partials     1926     2028     +102

Flag	Coverage Δ
bats	`38.36% <10.46%> (-3.22%)`	⬇️
unit-linux	`33.15% <14.40%> (-0.50%)`	⬇️
unit-windows	`25.00% <16.54%> (-3.41%)`	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

cmd/crowdsec-cli/cliallowlists/allowlists.go

buixor · 2025-02-04T15:15:34Z

cmd/crowdsec-cli/main.go

@@ -166,6 +168,8 @@ func (cli *cliRoot) initialize() error {
 		}
 	}

+	csConfig.DbConfig.LogLevel = ptr.Of(cli.wantedLogLevel())


unrelated change ?

pkg/apiserver/papi_cmd.go

buixor · 2025-02-04T16:13:36Z

pkg/acquisition/modules/appsec/appsec.go

@@ -31,6 +32,8 @@ const (
 )

 var DefaultAuthCacheDuration = (1 * time.Minute)
+var negativeAllowlistCacheDuration = (5 * time.Minute)
+var positiveAllowlistCacheDuration = (5 * time.Minute)


looks like a lot to me, but it depends if SE gets a force_pull via PAPI when the allowlist is updated ?

pkg/apiclient/auth_jwt.go

buixor · 2025-02-10T15:27:53Z

pkg/apiclient/auth_jwt.go

@@ -186,10 +186,6 @@ func (t *JWTTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 		}

 		resp, err = t.transport().RoundTrip(clonedReq)
-		if log.GetLevel() >= log.TraceLevel {


unrelated change ?

buixor · 2025-02-10T15:32:33Z

pkg/acquisition/modules/loki/internal/lokiclient/loki_client.go

@@ -205,6 +205,7 @@ func (lc *LokiClient) getURLFor(endpoint string, params map[string]string) strin
 func (lc *LokiClient) Ready(ctx context.Context) error {
 	tick := time.NewTicker(500 * time.Millisecond)
 	url := lc.getURLFor("ready", nil)
+	lc.Logger.Debugf("Using url: %s for ready check", url)


unrelated change?

buixor · 2025-02-10T15:34:48Z

pkg/apiserver/controllers/v1/alerts.go

@@ -154,6 +175,11 @@ func (c *Controller) CreateAlert(gctx *gin.Context) {
 			}
 		}

+		if allowlisted, reason := c.isAllowListed(ctx, alert); allowlisted {
+			log.Infof("alert source %s is allowlisted by %s, skipping", *alert.Source.Value, reason)


Let's add scenario, and if we can the allowlist name

buixor · 2025-02-10T15:38:19Z

Todo:

Add bats tests on the cscli + crowdsec part (w/ the help of @mmetc )
Add proper in-memory cache at the appsec level

github-actions bot added needs/kind needs/area labels Dec 8, 2024

github-actions bot added kind/feature area/local-api and removed needs/kind needs/area labels Dec 8, 2024

blotus force-pushed the centralized-allowlists branch from 3a34d3a to 8385b05 Compare December 9, 2024 00:19

Centralized allowlists support

dbb9adc

blotus force-pushed the centralized-allowlists branch from 8385b05 to dbb9adc Compare December 9, 2024 00:21

blotus added 15 commits December 9, 2024 01:23

conflicts

804dfc4

update allowlists before blocklists from CAPI

5af9706

ci

468c822

lint

3e08ab9

fix test mode with no LAPI running

35095f7

lint

198bc91

trim scenarios description

dc66afd

fix tests

c87b817

fix expiration date with cscli

832868d

fix allowlists for CAPI

13a9686

lint

d7f8d2b

move the allowlist check for manual decisions in cscli

28ba0c9

merge from master

809f4f5

cscli allowlist add: support days for expiration

97fac0a

lint

c9bf246

LaurenceJJones added this to the 1.6.6 milestone Jan 21, 2025

Merge branch 'master' into centralized-allowlists

85ab85d