
LAPI: local api unix socket support

Open · mmetc opened this pull request 1 year ago · 6 comments

This started as https://github.com/crowdsecurity/crowdsec/pull/2213 by @cyberb, but I refactored some parts first; as a consequence I could not keep a clean commit history of his contribution, for which I am very sorry.

On the plus side, the option is now implemented as a separate configuration field, `.api.server.listen_socket = /path/to/unix.sock`, and does not interfere with TCP sockets, with or without TLS.

mmetc, Jan 22 '24 13:01

@mmetc: There are no 'kind' label on this PR. You need a 'kind' label to generate the release automatically.

  • /kind feature
  • /kind enhancement
  • /kind fix
  • /kind chore
  • /kind dependencies

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

github-actions[bot], Jan 22 '24 13:01

@mmetc: There are no area labels on this PR. You can add as many areas as you see fit.

  • /area agent
  • /area local-api
  • /area cscli
  • /area appsec
  • /area security
  • /area configuration

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

github-actions[bot], Jan 22 '24 13:01

Codecov Report

Attention: patch coverage is 77.24868%, with 43 lines in your changes missing coverage. Please review.

Project coverage is 58.06%. Comparing base (e7ecea7) to head (228542b).

File                                       Patch %   Lines without coverage
pkg/apiserver/apiserver.go                 79.24%    10 missing, 1 partial
pkg/csconfig/api.go                        75.75%    6 missing, 2 partials
pkg/apiclient/client.go                    85.10%    4 missing, 3 partials
pkg/apiserver/controllers/v1/utils.go      41.66%    6 missing, 1 partial
pkg/apiserver/middlewares/v1/jwt.go        37.50%    4 missing, 1 partial
pkg/apiserver/middlewares/v1/api_key.go    42.85%    2 missing, 2 partials
cmd/crowdsec-cli/machines.go               50.00%    0 missing, 1 partial
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #2770      +/-   ##
==========================================
+ Coverage   58.00%   58.06%   +0.05%     
==========================================
  Files         240      236       -4     
  Lines       31063    30797     -266     
==========================================
- Hits        18018    17882     -136     
+ Misses      11415    11317      -98     
+ Partials     1630     1598      -32     
Flag          Coverage (patch coverage)   Δ
bats          38.12% (69.31%)             +0.18%
unit-linux    36.48% (43.38%)             -15.85%
unit-windows  ?                           ?


codecov[bot], Jan 22 '24 13:01

When using Nginx as an upstream proxy via the `http://unix:/` proxy_pass directive, we need to allow the user to get the remote IP from the headers. Now, Gin does have a trusted_proxies function that we do use; however, when nginx passes to the unix socket, the RemoteAddr is set to `@` for nil.

The Gin function does not allow `@` as trusted; also, when it fetches the remote addr it returns an error since it's not `<ip>:<port>`.

I don't know the best way to move forward on this 🤷🏻

LaurenceJJones, Jan 22 '24 13:01
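The behaviour Laurence describes can be reproduced and handled in a few dozen lines of Go. The example below is added for this page; it is not CrowdSec's or Gin's code. Its `ProxyTrust` type, `ClientIP` helper, socket path and `X-Forwarded-For` value are all assumptions made for illustration. The point it demonstrates: a peer arriving over an AF_UNIX listener has no `host:port` `RemoteAddr` (on Linux an unnamed peer is reported as `@`), so a trusted-proxy check keyed on IP ranges can never match it. One defensible policy is to treat the unix-socket peer as a trusted proxy only when that is explicitly enabled, since the socket file's ownership and mode then form the trust boundary, and otherwise to reject the request rather than silently attribute it to nothing. `X-Forwarded-For` is walked from the right so that a client cannot prepend a fake address and have it pass through a trusted hop.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"os"
	"path/filepath"
	"strings"
)

// ProxyTrust lists the peers allowed to supply X-Forwarded-For (illustrative type).
type ProxyTrust struct {
	CIDRs         []*net.IPNet // trusted TCP proxies, e.g. 127.0.0.1/32
	TrustUnixPeer bool         // treat a peer on the unix socket as a trusted proxy
}

func NewProxyTrust(cidrs []string, trustUnixPeer bool) (*ProxyTrust, error) {
	pt := &ProxyTrust{TrustUnixPeer: trustUnixPeer}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad trusted proxy %q: %w", c, err)
		}
		pt.CIDRs = append(pt.CIDRs, n)
	}
	return pt, nil
}

func (pt *ProxyTrust) trusted(ip net.IP) bool {
	for _, n := range pt.CIDRs {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// isUnixPeer: an AF_UNIX peer never parses as host:port. On Linux an unnamed peer
// is reported as "@", an abstract one as "@name", and a bound one as its path.
func isUnixPeer(remoteAddr string) bool {
	return remoteAddr == "" || strings.HasPrefix(remoteAddr, "@") || strings.HasPrefix(remoteAddr, "/")
}

// ClientIP picks the address to attribute to the request. The header is only
// honoured when the peer itself is trusted; otherwise the peer address wins.
func (pt *ProxyTrust) ClientIP(remoteAddr, xff string) (net.IP, error) {
	var peer net.IP
	if host, _, err := net.SplitHostPort(remoteAddr); err == nil {
		if peer = net.ParseIP(host); peer == nil {
			return nil, fmt.Errorf("unparseable peer %q", remoteAddr)
		}
		if !pt.trusted(peer) {
			return peer, nil // direct TCP client: ignore any header it sent
		}
	} else if !isUnixPeer(remoteAddr) {
		return nil, fmt.Errorf("unexpected RemoteAddr %q", remoteAddr)
	} else if !pt.TrustUnixPeer {
		return nil, errors.New("unix socket peer is not a trusted proxy")
	}
	// Peer is a trusted proxy: the rightmost X-Forwarded-For entry that is not
	// itself a trusted proxy is the client.
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; xff != "" && i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip == nil {
			return nil, fmt.Errorf("malformed X-Forwarded-For entry %q", hops[i])
		}
		if !pt.trusted(ip) {
			return ip, nil
		}
	}
	if peer != nil {
		return peer, nil // trusted TCP proxy that added no usable header
	}
	return nil, errors.New("unix socket peer supplied no X-Forwarded-For")
}

func main() {
	dir, err := os.MkdirTemp("", "lapi-demo")
	if err != nil { panic(err) }
	defer os.RemoveAll(dir)
	sock := filepath.Join(dir, "crowdsec.sock") // assumed socket path
	ln, err := net.Listen("unix", sock)
	if err != nil { panic(err) }
	trust, _ := NewProxyTrust([]string{"127.0.0.1/32"}, true)
	srv := &http.Server{Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ip, err := trust.ClientIP(r.RemoteAddr, r.Header.Get("X-Forwarded-For"))
		fmt.Fprintf(w, "RemoteAddr=%q client=%v err=%v\n", r.RemoteAddr, ip, err)
	})}
	go srv.Serve(ln)
	defer srv.Close()
	client := &http.Client{Transport: &http.Transport{
		DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
			return (&net.Dialer{}).DialContext(ctx, "unix", sock)
		},
	}}
	req, _ := http.NewRequest("GET", "http://unix/v1/decisions", nil)
	req.Header.Set("X-Forwarded-For", "203.0.113.7") // constructed: what the reverse proxy would add
	resp, err := client.Do(req)
	if err != nil { panic(err) }
	io.Copy(os.Stdout, resp.Body) // on Linux the handler reports RemoteAddr "@", as noted in the thread
	resp.Body.Close()
}
```

Running the program shows the `@` RemoteAddr from the discussion and the client address recovered from the header. With `TrustUnixPeer` set to false the same request is rejected instead of being attributed to an empty address, which is the behaviour a practitioner would want when the socket is reachable by more than the reverse proxy.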

@LaurenceJJones does this mean this PR is not useful, or that it will need changes that are not backward compatible if we fix the proxy issue later? If it's not the case, we can review/merge, test until 1.6.1 and look for a fix

mmetc, Jan 25 '24 13:01

> @LaurenceJJones does this mean this PR is not useful, or that it will need changes that are not backward compatible if we fix the proxy issue later? If it's not the case, we can review/merge, test until 1.6.1 and look for a fix

We can merge, the only issue is that machines/bouncers will not have the correct IP address if the request was from an upstream proxy

LaurenceJJones, Jan 25 '24 13:01

Codecov Report

Attention: patch coverage is 76.85590%, with 53 lines in your changes missing coverage. Please review.

Project coverage is 58.23%. Comparing base (2a7e838) to head (21a64aa).

File                                       Patch %   Lines without coverage
pkg/apiserver/apiserver.go                 83.82%    10 missing, 1 partial
pkg/apiserver/middlewares/v1/jwt.go        31.25%    10 missing, 1 partial
pkg/csconfig/api.go                        72.22%    8 missing, 2 partials
pkg/apiclient/client.go                    86.00%    4 missing, 3 partials
pkg/apiserver/controllers/v1/utils.go      41.66%    6 missing, 1 partial
pkg/apiserver/middlewares/v1/api_key.go    53.84%    4 missing, 2 partials
cmd/crowdsec-cli/machines.go               50.00%    0 missing, 1 partial
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #2770      +/-   ##
==========================================
+ Coverage   58.10%   58.23%   +0.12%     
==========================================
  Files         243      244       +1     
  Lines       31361    31499     +138     
==========================================
+ Hits        18221    18342     +121     
- Misses      11460    11479      +19     
+ Partials     1680     1678       -2     
Flag          Coverage (patch coverage)   Δ
bats          38.37% (70.30%)             +0.18%
unit-linux    36.46% (41.04%)             -15.66%
unit-windows  33.14% (41.30%)             -14.42%


codecov-commenter, Mar 08 '24 13:03