Add unix socket option to http plugin, we have to use this in conjunc…

…tion with URL parameter as we dont know which path the user wants so if they would like to communicate over unix socket they need to use both, however, the hostname can be whatever they want. We could be a little smarter and actually parse the url, however, increasing code when a user can just define it correctly make no sense (#2764)
crowdsecurity · Feb 22, 2024 · 0df8f54 · 0df8f54
1 parent 8da490f
commit 0df8f54
Showing 1 changed file with 25 additions and 17 deletions.
diff --git a/cmd/notification-http/main.go b/cmd/notification-http/main.go
@@ -7,8 +7,10 @@ import (
 	"crypto/x509"
 	"fmt"
 	"io"
+	"net"
 	"net/http"
 	"os"
+	"strings"
 
 	"github.com/crowdsecurity/crowdsec/pkg/protobufs"
 	"github.com/hashicorp/go-hclog"
@@ -19,6 +21,7 @@ import (
 type PluginConfig struct {
 	Name                string            `yaml:"name"`
 	URL                 string            `yaml:"url"`
+	UnixSocket          string            `yaml:"unix_socket"`
 	Headers             map[string]string `yaml:"headers"`
 	SkipTLSVerification bool              `yaml:"skip_tls_verification"`
 	Method              string            `yaml:"method"`
@@ -66,36 +69,40 @@ func getCertPool(caPath string) (*x509.CertPool, error) {
 	return cp, nil
 }
 
-func getTLSClient(tlsVerify bool, caPath, certPath, keyPath string) (*http.Client, error) {
-	var client *http.Client
-
-	caCertPool, err := getCertPool(caPath)
+func getTLSClient(c *PluginConfig) error {
+	caCertPool, err := getCertPool(c.CAPath)
 	if err != nil {
-		return nil, err
+		return err
 	}
 
 	tlsConfig := &tls.Config{
 		RootCAs:            caCertPool,
-		InsecureSkipVerify: tlsVerify,
+		InsecureSkipVerify: c.SkipTLSVerification,
 	}
 
-	if certPath != "" && keyPath != "" {
-		logger.Info(fmt.Sprintf("Using client certificate '%s' and key '%s'", certPath, keyPath))
+	if c.CertPath != "" && c.KeyPath != "" {
+		logger.Info(fmt.Sprintf("Using client certificate '%s' and key '%s'", c.CertPath, c.KeyPath))
 
-		cert, err := tls.LoadX509KeyPair(certPath, keyPath)
+		cert, err := tls.LoadX509KeyPair(c.CertPath, c.KeyPath)
 		if err != nil {
-			return nil, fmt.Errorf("unable to load client certificate '%s' and key '%s': %w", certPath, keyPath, err)
+			return fmt.Errorf("unable to load client certificate '%s' and key '%s': %w", c.CertPath, c.KeyPath, err)
 		}
 
 		tlsConfig.Certificates = []tls.Certificate{cert}
 	}
-
-	client = &http.Client{
-		Transport: &http.Transport{
-			TLSClientConfig: tlsConfig,
-		},
+	transport := &http.Transport{
+		TLSClientConfig: tlsConfig,
+	}
+	if c.UnixSocket != "" {
+		logger.Info(fmt.Sprintf("Using socket '%s'", c.UnixSocket))
+		transport.DialContext = func(_ context.Context, _, _ string) (net.Conn, error) {
+			return net.Dial("unix", strings.TrimSuffix(c.UnixSocket, "/"))
+		}
+	}
+	c.Client = &http.Client{
+		Transport: transport,
 	}
-	return client, err
+	return nil
 }
 
 func (s *HTTPPlugin) Notify(ctx context.Context, notification *protobufs.Notification) (*protobufs.Empty, error) {
@@ -135,6 +142,7 @@ func (s *HTTPPlugin) Notify(ctx context.Context, notification *protobufs.Notific
 
 	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
 		logger.Warn(fmt.Sprintf("HTTP server returned non 200 status code: %d", resp.StatusCode))
+		logger.Debug(fmt.Sprintf("HTTP server returned body: %s", string(respData)))
 		return &protobufs.Empty{}, nil
 	}
 
@@ -147,7 +155,7 @@ func (s *HTTPPlugin) Configure(ctx context.Context, config *protobufs.Config) (*
 	if err != nil {
 		return nil, err
 	}
-	d.Client, err = getTLSClient(d.SkipTLSVerification, d.CAPath, d.CertPath, d.KeyPath)
+	err = getTLSClient(&d)
 	if err != nil {
 		return nil, err
 	}