domverse/crowdsec-admin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: split LAPI auth — bouncer key for read, machine JWT for delete
All checks were successful
Deploy / deploy (push) Successful in 19s
Details

Browse Source 
LAPI does not let machine JWTs hit GET /v1/decisions even after the machine
is validated (returns 403 access forbidden). Conversely, bouncer X-Api-Key
does not satisfy DELETE /v1/decisions (returns 401 "cookie token is empty").

The webapp now holds both credentials and routes each call to the right
authority. Adds LAPI_BOUNCER_KEY env var + Gitea secret.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
domverse
2026-06-16 23:58:20 +02:00
parent a5971403b2
commit 5d589915f7
4 changed files with 49 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
.gitea/workflows/deploy.yml
View File

@@ -6,13 +6,16 @@
# flight-radar.
#
# PREREQUISITES (one-time):
# 1. Host LAPI machine registered:
# sudo cscli machines add crowdsec-admin --password '<PW>'
# 2. Repo secrets set in Gitea → Settings → Secrets:
# 1. Host LAPI machine registered (for DELETE auth):
# sudo cscli machines add crowdsec-admin --password '<PW>' -f -
# 2. Host LAPI bouncer registered (for GET auth):
# sudo cscli bouncers add crowdsec-admin
# 3. Repo secrets set in Gitea → Settings → Secrets:
# LAPI_MACHINE_ID=crowdsec-admin
# LAPI_MACHINE_PASSWORD=<PW>
# 3. DNS: crowdsec.domverse-berlin.eu → host IP.
# 4. Authentik wildcard forward_domain already covers *.domverse-berlin.eu.
# LAPI_BOUNCER_KEY=<bouncer key from step 2>
# 4. DNS: crowdsec.domverse-berlin.eu → host IP.
# 5. Authentik wildcard forward_domain already covers *.domverse-berlin.eu.
# ──────────────────────────────────────────────────────────────────────────────
name: Deploy
@@ -39,6 +42,7 @@ jobs:
cat > .env <<EOF
LAPI_MACHINE_ID=${{ secrets.LAPI_MACHINE_ID }}
LAPI_MACHINE_PASSWORD=${{ secrets.LAPI_MACHINE_PASSWORD }}
LAPI_BOUNCER_KEY=${{ secrets.LAPI_BOUNCER_KEY }}
EOF
chmod 600 .env

28
README.md
View File

@@ -16,26 +16,40 @@ Built so the admin can unban an IP without SSH when their own network routes cha
LAPI lives on the host at `0.0.0.0:8080`. Container reaches it via `host.docker.internal:host-gateway`.
LAPI `DELETE /v1/decisions` requires **machine JWT** (bouncers are read-only). App registers as machine via `cscli machines add`, logs in to `/v1/watchers/login`, caches the JWT ~13 minutes, and refreshes on 401.
**LAPI splits read vs write auth:**
| Endpoint | Auth | Notes |
|-------------------------------|-----------------------|------------------------------------------------|
| `GET /v1/decisions` | bouncer `X-Api-Key` | Machine JWT returns 403 even when validated. |
| `DELETE /v1/decisions[/{id}]` | machine `Bearer` JWT | Bouncer key returns 401 "cookie token is empty". |
So the app holds both credentials. JWT is acquired via `POST /v1/watchers/login`, cached ~13 min, auto-refreshed on 401. Bouncer key is used as-is.
## One-time setup
1. **Register the machine on the host** (needs sudo, choose a strong password and save it in `secrets.yml`):
1. **Register the LAPI machine** on the host (for DELETE). Choose a strong password and save it in `secrets.yml`. `-f -` dumps creds to stdout instead of overwriting the local agent's credentials file.
```bash
sudo cscli machines add crowdsec-admin --password '<PW>'
sudo cscli machines add crowdsec-admin --password '<PW>' -f -
```
2. **Gitea repo secrets** (Settings → Secrets and variables → Actions):
2. **Register a bouncer** on the host (for GET). Save the key in `secrets.yml`.
```bash
sudo cscli bouncers add crowdsec-admin
```
3. **Gitea repo secrets** (Settings → Secrets and variables → Actions):
- `LAPI_MACHINE_ID=crowdsec-admin`
- `LAPI_MACHINE_PASSWORD=<PW from step 1>`
- `LAPI_BOUNCER_KEY=<key from step 2>`
3. **DNS**: `crowdsec.domverse-berlin.eu` → host IP.
4. **DNS**: `crowdsec.domverse-berlin.eu` → host IP.
4. **Authentik**: nothing — the existing wildcard `forward_domain` provider covers `*.domverse-berlin.eu`, and the `authentik@docker` label in `docker-compose.yml` gates the router.
5. **Authentik**: nothing — the existing wildcard `forward_domain` provider covers `*.domverse-berlin.eu`, and the `authentik@docker` label in `docker-compose.yml` gates the router.
5. **First deploy**: push to `main` or trigger `workflow_dispatch`. Runner builds the image, brings the stack up, and reports health.
6. **First deploy**: push to `main` or trigger `workflow_dispatch`. Runner builds the image, brings the stack up, and reports health.
## Layout

29
app/app.py
View File

@@ -2,7 +2,6 @@ import os
import time
import ipaddress
import logging
from functools import wraps
import requests
from flask import Flask, render_template, request, jsonify, abort
@@ -10,9 +9,14 @@ from flask import Flask, render_template, request, jsonify, abort
LAPI_URL = os.environ["LAPI_URL"].rstrip("/")
MACHINE_ID = os.environ["LAPI_MACHINE_ID"]
MACHINE_PW = os.environ["LAPI_MACHINE_PASSWORD"]
BOUNCER_KEY = os.environ["LAPI_BOUNCER_KEY"]
TRUSTED_HOPS = int(os.environ.get("TRUSTED_PROXY_HOPS", "1"))
REQ_TIMEOUT = 5
# LAPI splits read vs write:
# GET /v1/decisions → bouncer X-Api-Key
# DELETE /v1/decisions → machine Bearer JWT (from /v1/watchers/login)
app = Flask(__name__)
logging.basicConfig(level=logging.INFO)
log = app.logger
@@ -27,10 +31,7 @@ def _login():
timeout=REQ_TIMEOUT,
)
r.raise_for_status()
data = r.json()
_token["jwt"] = data["code"] if "code" in data and isinstance(data["code"], str) else data.get("token")
if not _token["jwt"]:
_token["jwt"] = data.get("code") or data.get("token")
_token["jwt"] = r.json()["token"]
_token["exp"] = time.time() + 60 * 13
return _token["jwt"]
@@ -41,7 +42,13 @@ def _jwt():
return _token["jwt"]
def _lapi(method, path, **kw):
def _bouncer(method, path, **kw):
headers = kw.pop("headers", {})
headers["X-Api-Key"] = BOUNCER_KEY
return requests.request(method, f"{LAPI_URL}{path}", headers=headers, timeout=REQ_TIMEOUT, **kw)
def _machine(method, path, **kw):
headers = kw.pop("headers", {})
headers["Authorization"] = f"Bearer {_jwt()}"
r = requests.request(method, f"{LAPI_URL}{path}", headers=headers, timeout=REQ_TIMEOUT, **kw)
@@ -88,7 +95,7 @@ def list_decisions():
if not valid_ip(q):
return render_template("_decisions.html", error="invalid IP", decisions=[]), 400
params["ip"] = q
r = _lapi("GET", "/v1/decisions", params=params)
r = _bouncer("GET", "/v1/decisions", params=params)
if r.status_code != 200:
return render_template("_decisions.html", error=f"LAPI {r.status_code}: {r.text[:200]}", decisions=[]), 502
decisions = r.json() or []
@@ -102,11 +109,11 @@ def unban():
if decision_id:
if not decision_id.isdigit():
return "invalid id", 400
r = _lapi("DELETE", f"/v1/decisions/{decision_id}")
r = _machine("DELETE", f"/v1/decisions/{decision_id}")
elif ip:
if not valid_ip(ip):
return "invalid IP", 400
r = _lapi("DELETE", "/v1/decisions", params={"ip": ip})
r = _machine("DELETE", "/v1/decisions", params={"ip": ip})
else:
return "need id or ip", 400
if r.status_code not in (200, 204):
@@ -118,7 +125,7 @@ def unban():
@app.post("/unban-me")
def unban_me():
ip = caller_ip()
r = _lapi("DELETE", "/v1/decisions", params={"ip": ip})
r = _machine("DELETE", "/v1/decisions", params={"ip": ip})
if r.status_code not in (200, 204):
return f"LAPI {r.status_code}: {r.text[:200]}", 502
log.info("unban-me by=%s", ip)
@@ -128,7 +135,7 @@ def unban_me():
@app.get("/healthz")
def healthz():
try:
r = _lapi("GET", "/v1/decisions", params={"limit": 1})
r = _bouncer("GET", "/v1/decisions", params={"limit": 1})
return jsonify(ok=r.status_code == 200, lapi_status=r.status_code), 200 if r.status_code == 200 else 503
except Exception as e:
return jsonify(ok=False, error=str(e)), 503

1
docker-compose.yml
View File

@@ -14,6 +14,7 @@ services:
- LAPI_URL=http://host.docker.internal:8080
- LAPI_MACHINE_ID=${LAPI_MACHINE_ID}
- LAPI_MACHINE_PASSWORD=${LAPI_MACHINE_PASSWORD}
- LAPI_BOUNCER_KEY=${LAPI_BOUNCER_KEY}
- TRUSTED_PROXY_HOPS=1
labels:
- "traefik.enable=true"