Minor-bugfixes

Author: hhftechnology

internal/api/handlers/allowlists.go

@@ -1,8 +1,13 @@
 package handlers
 
 import (
+	"bufio"
 	"fmt"
+	"io"
+	"net"
 	"net/http"
+	"strconv"
+	"strings"
 	"time"
 
 	"crowdsec-manager/internal/config"
@@ -343,3 +348,234 @@ func DeleteAllowlist(dockerClient *docker.Client, cfg *config.Config) gin.Handle
 		})
 	}
 }
+
+// =============================================================================
+// ALLOWLIST IMPORT
+// =============================================================================
+
+// privateIPRanges holds RFC 1918, loopback, and link-local ranges used by isPrivateIPAddr.
+var privateIPRanges = func() []*net.IPNet {
+	cidrs := []string{
+		"10.0.0.0/8",
+		"172.16.0.0/12",
+		"192.168.0.0/16",
+		"127.0.0.0/8",
+		"::1/128",
+		"fc00::/7",
+		"fe80::/10",
+	}
+	ranges := make([]*net.IPNet, 0, len(cidrs))
+	for _, c := range cidrs {
+		_, ipNet, err := net.ParseCIDR(c)
+		if err == nil {
+			ranges = append(ranges, ipNet)
+		}
+	}
+	return ranges
+}()
+
+// isValidIPOrCIDR returns true if s is a valid IP address or CIDR notation.
+func isValidIPOrCIDR(s string) bool {
+	if net.ParseIP(s) != nil {
+		return true
+	}
+	_, _, err := net.ParseCIDR(s)
+	return err == nil
+}
+
+// isPrivateIPAddr returns true if s falls within a private/loopback address range.
+func isPrivateIPAddr(s string) bool {
+	ip := net.ParseIP(s)
+	if ip == nil {
+		// For CIDRs, check the network address
+		ip, _, _ = net.ParseCIDR(s)
+	}
+	if ip == nil {
+		return false
+	}
+	for _, r := range privateIPRanges {
+		if r.Contains(ip) {
+			return true
+		}
+	}
+	return false
+}
+
+// parseAllowlistImportFile reads a reader and returns unique, non-empty candidate strings.
+// Entries can be separated by newlines or commas.
+func parseAllowlistImportFile(r io.Reader) []string {
+	seen := make(map[string]struct{})
+	var out []string
+	scanner := bufio.NewScanner(r)
+	for scanner.Scan() {
+		line := strings.TrimSpace(scanner.Text())
+		if line == "" || strings.HasPrefix(line, "#") {
+			continue
+		}
+		for _, part := range strings.Split(line, ",") {
+			entry := strings.TrimSpace(part)
+			if entry == "" {
+				continue
+			}
+			if _, exists := seen[entry]; !exists {
+				seen[entry] = struct{}{}
+				out = append(out, entry)
+			}
+		}
+	}
+	return out
+}
+
+// getExistingAllowlistValues fetches the current values in an allowlist for duplicate detection.
+func getExistingAllowlistValues(dockerClient *docker.Client, containerName, allowlistName string) map[string]struct{} {
+	existing := make(map[string]struct{})
+	output, err := dockerClient.ExecCommand(containerName, []string{"cscli", "allowlists", "inspect", allowlistName, "-o", "json"})
+	if err != nil {
+		return existing
+	}
+	dataBytes, err := parseCLIJSONToBytes(output)
+	if err != nil {
+		return existing
+	}
+	jsonparser.ArrayEach(dataBytes, func(itemValue []byte, _ jsonparser.ValueType, _ int, _ error) {
+		if val, err := jsonparser.GetString(itemValue, "value"); err == nil {
+			existing[val] = struct{}{}
+		}
+	}, "items")
+	return existing
+}
+
+// ImportAllowlistEntries imports a plain-text list of IPs/CIDRs into an allowlist with optional filtering.
+// Accepts multipart/form-data with fields:
+//   - file             – text file, one IP/CIDR per line (or comma-separated)
+//   - allowlist_name   – target allowlist (required)
+//   - expiration       – optional, e.g. "7d", "30d"
+//   - description      – optional note added to entries
+//   - skip_invalid     – "true"/"false" (default true)  – drop non-IP/CIDR tokens
+//   - skip_private     – "true"/"false" (default false) – drop RFC 1918 addresses
+//   - skip_duplicates  – "true"/"false" (default true)  – drop entries already in allowlist
+func ImportAllowlistEntries(dockerClient *docker.Client, cfg *config.Config) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		dockerClient = resolveDockerClient(c, dockerClient)
+
+		allowlistName := strings.TrimSpace(c.PostForm("allowlist_name"))
+		if allowlistName == "" {
+			c.JSON(http.StatusBadRequest, models.Response{
+				Success: false,
+				Error:   "allowlist_name is required",
+			})
+			return
+		}
+
+		expiration := strings.TrimSpace(c.PostForm("expiration"))
+		description := strings.TrimSpace(c.PostForm("description"))
+
+		parseBool := func(key string, defaultVal bool) bool {
+			v := strings.TrimSpace(c.PostForm(key))
+			if v == "" {
+				return defaultVal
+			}
+			b, err := strconv.ParseBool(v)
+			if err != nil {
+				return defaultVal
+			}
+			return b
+		}
+		skipInvalid := parseBool("skip_invalid", true)
+		skipPrivate := parseBool("skip_private", false)
+		skipDuplicates := parseBool("skip_duplicates", true)
+
+		file, _, err := c.Request.FormFile("file")
+		if err != nil {
+			c.JSON(http.StatusBadRequest, models.Response{
+				Success: false,
+				Error:   "file upload required: " + err.Error(),
+			})
+			return
+		}
+		defer file.Close()
+
+		candidates := parseAllowlistImportFile(file)
+
+		var (
+			skippedInvalid    int
+			skippedPrivate    int
+			skippedDuplicates int
+			toAdd             []string
+		)
+
+		var existing map[string]struct{}
+		if skipDuplicates {
+			existing = getExistingAllowlistValues(dockerClient, cfg.CrowdsecContainerName, allowlistName)
+		}
+
+		for _, entry := range candidates {
+			if skipInvalid && !isValidIPOrCIDR(entry) {
+				skippedInvalid++
+				continue
+			}
+			if skipPrivate && isPrivateIPAddr(entry) {
+				skippedPrivate++
+				continue
+			}
+			if skipDuplicates {
+				if _, exists := existing[entry]; exists {
+					skippedDuplicates++
+					continue
+				}
+			}
+			toAdd = append(toAdd, entry)
+		}
+
+		imported := 0
+		const chunkSize = 50
+		for i := 0; i < len(toAdd); i += chunkSize {
+			end := i + chunkSize
+			if end > len(toAdd) {
+				end = len(toAdd)
+			}
+			chunk := toAdd[i:end]
+
+			cmd := []string{"cscli", "allowlists", "add", allowlistName}
+			if expiration != "" {
+				cmd = append(cmd, "--expiration", expiration)
+			}
+			if description != "" {
+				cmd = append(cmd, "--description", description)
+			}
+			cmd = append(cmd, chunk...)
+
+			output, execErr := dockerClient.ExecCommand(cfg.CrowdsecContainerName, cmd)
+			if execErr != nil {
+				logger.Error("Failed to add allowlist chunk", "name", allowlistName, "error", execErr, "output", output)
+				c.JSON(http.StatusInternalServerError, models.Response{
+					Success: false,
+					Error:   fmt.Sprintf("Failed to add entries (imported %d so far): %v", imported, execErr),
+				})
+				return
+			}
+			imported += len(chunk)
+		}
+
+		logger.Info("Allowlist import completed",
+			"name", allowlistName,
+			"total_input", len(candidates),
+			"imported", imported,
+			"skipped_invalid", skippedInvalid,
+			"skipped_private", skippedPrivate,
+			"skipped_duplicates", skippedDuplicates,
+		)
+
+		c.JSON(http.StatusOK, models.Response{
+			Success: true,
+			Message: fmt.Sprintf("Imported %d entries into '%s'", imported, allowlistName),
+			Data: gin.H{
+				"total_input":        len(candidates),
+				"imported":           imported,
+				"skipped_invalid":    skippedInvalid,
+				"skipped_private":    skippedPrivate,
+				"skipped_duplicates": skippedDuplicates,
+			},
+		})
+	}
+}

internal/api/handlers/bouncers.go

@@ -11,7 +11,6 @@ import (
 	"fmt"
 	"net/http"
 	"strings"
-	"time"
 
 	"github.com/gin-gonic/gin"
 )
@@ -33,8 +32,9 @@ func GetBouncers(dockerClient *docker.Client, cfg *config.Config) gin.HandlerFun
 			return
 		}
 
-		// Parse and normalize CLI JSON output first, then decode typed payload.
-		dataBytes, parseErr := parseCLIJSONToBytes(output)
+		// Use parseBouncersJSON to handle multiple timestamp formats (RFC3339Nano, RFC3339)
+		// and compute status in one pass (avoids duplicate logic and silent zero-time failures).
+		bouncers, parseErr := parseBouncersJSON(output, true)
 		if parseErr != nil {
 			logger.Warn("Failed to parse bouncers JSON",
 				"error", parseErr,
@@ -47,29 +47,6 @@ func GetBouncers(dockerClient *docker.Client, cfg *config.Config) gin.HandlerFun
 			return
 		}
 
-		var bouncers []models.Bouncer
-		if err := json.Unmarshal(dataBytes, &bouncers); err != nil {
-			c.JSON(http.StatusInternalServerError, models.Response{
-				Success: false,
-				Error:   fmt.Sprintf("Failed to parse bouncers JSON: %v", err),
-			})
-			return
-		}
-
-		// Compute status for each bouncer
-		for i := range bouncers {
-			// Primary indicator: valid key + pulled within 60 minutes = connected
-			if bouncers[i].Valid && time.Since(bouncers[i].LastPull) <= 60*time.Minute {
-				bouncers[i].Status = "connected"
-			} else if bouncers[i].Valid {
-				// Valid key but hasn't pulled recently - stale but registered
-				bouncers[i].Status = "stale"
-			} else {
-				// Key is invalid/revoked - bouncer is disconnected
-				bouncers[i].Status = "disconnected"
-			}
-		}
-
 		logger.Debug("Bouncers API retrieved successfully", "count", len(bouncers))
 
 		// Return properly formatted data

internal/api/handlers/health_diagnostics.go

@@ -35,8 +35,11 @@ func parseBouncersJSON(bouncerOutput string, computeStatus bool) ([]models.Bounc
 			bouncer.Valid = valid
 		}
 		if lastPull, err := jsonparser.GetString(value, "last_pull"); err == nil {
-			if t, err := time.Parse(time.RFC3339, lastPull); err == nil {
-				bouncer.LastPull = t
+			for _, layout := range []string{time.RFC3339Nano, time.RFC3339} {
+				if t, err := time.Parse(layout, lastPull); err == nil {
+					bouncer.LastPull = t
+					break
+				}
 			}
 		}
 		if bouncerType, err := jsonparser.GetString(value, "type"); err == nil {
@@ -47,12 +50,14 @@ func parseBouncersJSON(bouncerOutput string, computeStatus bool) ([]models.Bounc
 		}
 
 		if computeStatus {
-			if bouncer.Valid && time.Since(bouncer.LastPull) <= 60*time.Minute {
+			if !bouncer.Valid {
+				bouncer.Status = "disconnected"
+			} else if bouncer.LastPull.IsZero() {
+				bouncer.Status = "pending" // valid key, never pulled yet
+			} else if time.Since(bouncer.LastPull) <= 60*time.Minute {
 				bouncer.Status = "connected"
-			} else if bouncer.Valid {
-				bouncer.Status = "stale"
 			} else {
-				bouncer.Status = "disconnected"
+				bouncer.Status = "stale"
 			}
 		}
 
@@ -172,7 +177,6 @@ func collectContainerHealth(dockerClient *docker.Client, cfg *config.Config) ([]
 	return containers, allRunning
 }
 
-
 // checkTraefikIntegrationDiagnostic checks Traefik integration for diagnostics
 func checkTraefikIntegrationDiagnostic(dockerClient *docker.Client, db *database.Database, cfg *config.Config) *models.TraefikIntegration {
 	traefikIntegration := &models.TraefikIntegration{

internal/api/routes.go

@@ -60,6 +60,7 @@ func RegisterAllowlistRoutes(router *gin.RouterGroup, dockerClient *docker.Clien
 		allowlist.GET("/inspect/:name", handlers.InspectAllowlist(dockerClient, cfg))
 		allowlist.POST("/add", handlers.AddAllowlistEntries(dockerClient, cfg))
 		allowlist.POST("/remove", handlers.RemoveAllowlistEntries(dockerClient, cfg))
+		allowlist.POST("/import", handlers.ImportAllowlistEntries(dockerClient, cfg))
 		allowlist.DELETE("/:name", handlers.DeleteAllowlist(dockerClient, cfg))
 	}
 }