From d2f2ca56f64c2c16e11fe81f86c2a5b069514086 Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Tue, 4 Jul 2023 12:56:08 -0600
Subject: [PATCH] config: prefer configuration specified files
Suricata-Update was preferring the existence of "disable.conf" in $sysconfdir over it be specified in the update.yaml. Refactor the auto-conf to only search and apply the default $sysconfdir files if they don't already exist in the config. Additonally, now that the default, if not set or found will be none, log a warning if a specific configuration file is not found instead of silently ignoring.
Ticket: #6172
---
 suricata/update/config.py | 35 +++++++++++++++++++----------------
 suricata/update/main.py | 36 ++++++++++++++++++++++++------------
 2 files changed, 43 insertions(+), 28 deletions(-)
diff --git a/suricata/update/config.py b/suricata/update/config.py
index a6271cb..ad95996 100644
--- a/suricata/update/config.py
+++ b/suricata/update/config.py
@@ -73,10 +73,6 @@
 ]
 DEFAULT_CONFIG = {
-    "disable-conf": "/etc/suricata/disable.conf",
-    "enable-conf": "/etc/suricata/enable.conf",
-    "drop-conf": "/etc/suricata/drop.conf",
-    "modify-conf": "/etc/suricata/modify.conf",
     "sources": [],
     LOCAL_CONF_KEY: [],
@@ -228,23 +224,30 @@ def init(args):
     # Fixup the default locations for Suricata-Update configuration files, but only if
     # they exist, otherwise keep the defaults.
+    conf_search_path = ["/etc"]
     if "sysconfdir" in build_info:
-        configs = (
-            ("disable-conf", "disable.conf"),
-            ("enable-conf", "enable.conf"),
-            ("drop-conf", "drop.conf"),
-            ("modify-conf", "modify.conf"),
-        )
         sysconfdir = build_info["sysconfdir"]
-        for key, filename in configs:
-            config_path = os.path.join(sysconfdir, "suricata", filename)
+        if not sysconfdir in conf_search_path:
+            conf_search_path.insert(0, sysconfdir)
+    configs = (
+        ("disable-conf", "disable.conf"),
+        ("enable-conf", "enable.conf"),
+        ("drop-conf", "drop.conf"),
+        ("modify-conf", "modify.conf"),
+    )
+    for key, filename in configs:
+        if getattr(args, key.replace("-", "_"), None) is not None:
+            continue
+        if _config.get(key) is not None:
+            continue
+        for conf_dir in conf_search_path:
+            config_path = os.path.join(conf_dir, "suricata", filename)
             logger.debug("Looking for {}".format(config_path))
             if os.path.exists(config_path):
                 logger.debug("Found {}".format(config_path))
-                val = getattr(args, key.replace("-", "_"), None)
-                if val is None:
-                    logger.debug("Changing default for {} to {}".format(key, config_path))
-                    _config[key] = config_path
+                logger.debug("Using {} for {}".format(config_path, key))
+                _config[key] = config_path
+                break
     # If suricata-conf not provided on the command line or in the
     # configuration file, look for it.
diff --git a/suricata/update/main.py b/suricata/update/main.py
index d562ef0..4a0e7a6 100644
--- a/suricata/update/main.py
+++ b/suricata/update/main.py
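Review bot: The comment that opens the hunk, `# Fixup the default locations ... but only if they exist, otherwise keep the defaults.`, is now stale: the DEFAULT_CONFIG hunk removes those defaults, so when no file is found the key is simply left unset and the loading code in main.py skips it. Suggest rewording it to `# Search $sysconfdir and /etc for the default conf files, but only when the key was not given on the command line or in the config file; otherwise leave it unset.` Separately, `if not sysconfdir in conf_search_path:` reads better in PEP 8 form as `if sysconfdir not in conf_search_path:`. The inner loop takes the first existing file in search order and reports it only at debug level, so when both $sysconfdir and /etc carry a copy the /etc one is silently ignored; logging the chosen path at info level would let operators confirm which disable/modify/drop files are actually in effect. init() continues outside the hunk.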
@@ -1135,27 +1135,39 @@ def _main():
     # Load user provided disable filters.
     disable_conf_filename = config.get("disable-conf")
-    if disable_conf_filename and os.path.exists(disable_conf_filename):
-        logger.info("Loading %s.", disable_conf_filename)
-        disable_matchers += load_matchers(disable_conf_filename)
+    if disable_conf_filename:
+        if os.path.exists(disable_conf_filename):
+            logger.info("Loading %s.", disable_conf_filename)
+            disable_matchers += load_matchers(disable_conf_filename)
+        else:
+            logger.warn("disable-conf file does not exist: {}".format(disable_conf_filename))
     # Load user provided enable filters.
     enable_conf_filename = config.get("enable-conf")
-    if enable_conf_filename and os.path.exists(enable_conf_filename):
-        logger.info("Loading %s.", enable_conf_filename)
-        enable_matchers += load_matchers(enable_conf_filename)
+    if enable_conf_filename:
+        if os.path.exists(enable_conf_filename):
+            logger.info("Loading %s.", enable_conf_filename)
+            enable_matchers += load_matchers(enable_conf_filename)
+        else:
+            logger.warn("enable-conf file does not exist: {}".format(enable_conf_filename))
     # Load user provided modify filters.
     modify_conf_filename = config.get("modify-conf")
-    if modify_conf_filename and os.path.exists(modify_conf_filename):
-        logger.info("Loading %s.", modify_conf_filename)
-        modify_filters += load_filters(modify_conf_filename)
+    if modify_conf_filename:
+        if os.path.exists(modify_conf_filename):
+            logger.info("Loading %s.", modify_conf_filename)
+            modify_filters += load_filters(modify_conf_filename)
+        else:
+            logger.warn("modify-conf file does not exist: {}".format(modify_conf_filename))
     # Load user provided drop filters.
     drop_conf_filename = config.get("drop-conf")
-    if drop_conf_filename and os.path.exists(drop_conf_filename):
-        logger.info("Loading %s.", drop_conf_filename)
-        drop_filters += load_drop_filters(drop_conf_filename)
+    if drop_conf_filename:
+        if os.path.exists(drop_conf_filename):
+            logger.info("Loading %s.", drop_conf_filename)
+            drop_filters += load_drop_filters(drop_conf_filename)
+        else:
+            logger.warn("drop-conf file does not exist: {}".format(drop_conf_filename))
     # Load the Suricata configuration if we can.
     suriconf = None
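Review bot: `logger.warn` in the four new else branches is the deprecated alias of `Logger.warning` (it raises a DeprecationWarning when warnings are enabled), and the messages use `.format()` while the info calls directly above use lazy %-args; suggest `logger.warning("disable-conf file does not exist: %s", disable_conf_filename)` and the same form for the enable-conf, modify-conf and drop-conf branches. The four blocks now differ only in the config key, the loader and the target list, so a small helper taking the key and loader and returning the loaded entries or an empty list would remove the duplication. It is also worth deciding whether a configured-but-missing disable/modify/drop file should abort the run rather than warn: as written the run continues and produces a ruleset without the disables and modifications the operator configured, which appears to be exactly the situation the warning is meant to surface. _main() starts and ends outside the hunk.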