akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 16 Packages Projects Releases Wiki Activity
Files
03f079ce822c77bee43574d226d809b49febef11
Charon/backend/cmd/api/main.go
GitHub Actions 739895d81e fix(security): resolve CrowdSec startup and permission issues 
Fixes CrowdSec not starting automatically on container boot and LAPI
binding failures due to permission issues.

Changes:
- Fix Dockerfile: Add charon:charon ownership for CrowdSec directories
- Move reconciliation from routes.go goroutine to main.go initialization
- Add mutex protection to prevent concurrent reconciliation
- Increase LAPI startup timeout from 30s to 60s
- Add config validation in entrypoint script

Testing:
- Backend coverage: 85.4% ( meets requirement)
- Frontend coverage: 87.01% ( exceeds requirement)
- Security: 0 Critical/High vulnerabilities ( Trivy + Go scans)
- All CrowdSec-specific tests passing ( 100%)

Technical Details:
- Reconciliation now runs synchronously during app initialization
  (after DB migrations, before HTTP server starts)
- Maintains "GUI-controlled" design philosophy per entrypoint docs
- Follows principle of least privilege (charon user, not root)
- No breaking changes to API or behavior

Documentation:
- Implementation guide: docs/implementation/crowdsec_startup_fix_COMPLETE.md
- Migration guide: docs/implementation/crowdsec_startup_fix_MIGRATION.md
- QA report: docs/reports/qa_report_crowdsec_startup_fix.md

Related: #crowdsec-startup-timeout
2025-12-23 01:59:21 +00:00

207 lines
6.1 KiB
Go
Raw Blame History

// Package main is the entry point for the Charon backend API.
package main
import (
"fmt"
"io"
"log"
"os"
"path/filepath"
"github.com/Wikid82/charon/backend/internal/api/handlers"
"github.com/Wikid82/charon/backend/internal/api/middleware"
"github.com/Wikid82/charon/backend/internal/api/routes"
"github.com/Wikid82/charon/backend/internal/config"
"github.com/Wikid82/charon/backend/internal/database"
"github.com/Wikid82/charon/backend/internal/logger"
"github.com/Wikid82/charon/backend/internal/models"
"github.com/Wikid82/charon/backend/internal/server"
"github.com/Wikid82/charon/backend/internal/services"
"github.com/Wikid82/charon/backend/internal/version"
"github.com/gin-gonic/gin"
"gopkg.in/natefinch/lumberjack.v2"
)
func main() {
// Setup logging with rotation
logDir := "/app/data/logs"
if err := os.MkdirAll(logDir, 0o755); err != nil {
// Fallback to local directory if /app/data fails (e.g. local dev)
logDir = "data/logs"
_ = os.MkdirAll(logDir, 0o755)
}
logFile := filepath.Join(logDir, "charon.log")
rotator := &lumberjack.Logger{
Filename: logFile,
MaxSize: 10, // megabytes
MaxBackups: 3,
MaxAge: 28, // days
Compress: true,
}
// Ensure legacy cpmp.log exists as symlink for compatibility (cpmp is a legacy name for Charon)
legacyLog := filepath.Join(logDir, "cpmp.log")
if _, err := os.Lstat(legacyLog); os.IsNotExist(err) {
_ = os.Symlink(logFile, legacyLog) // ignore errors
}
// Log to both stdout and file
mw := io.MultiWriter(os.Stdout, rotator)
log.SetOutput(mw)
gin.DefaultWriter = mw
// Initialize a basic logger so CLI and early code can log.
logger.Init(false, mw)
// Handle CLI commands
if len(os.Args) > 1 {
switch os.Args[1] {
case "migrate":
cfg, err := config.Load()
if err != nil {
log.Fatalf("load config: %v", err)
}
db, err := database.Connect(cfg.DatabasePath)
if err != nil {
log.Fatalf("connect database: %v", err)
}
logger.Log().Info("Running database migrations for security tables...")
if err := db.AutoMigrate(
&models.SecurityConfig{},
&models.SecurityDecision{},
&models.SecurityAudit{},
&models.SecurityRuleSet{},
&models.CrowdsecPresetEvent{},
&models.CrowdsecConsoleEnrollment{},
); err != nil {
log.Fatalf("migration failed: %v", err)
}
logger.Log().Info("Migration completed successfully")
return
case "reset-password":
if len(os.Args) != 4 {
log.Fatalf("Usage: %s reset-password <email> <new-password>", os.Args[0])
}
email := os.Args[2]
newPassword := os.Args[3]
cfg, err := config.Load()
if err != nil {
log.Fatalf("load config: %v", err)
}
db, err := database.Connect(cfg.DatabasePath)
if err != nil {
log.Fatalf("connect database: %v", err)
}
var user models.User
if err := db.Where("email = ?", email).First(&user).Error; err != nil {
log.Fatalf("user not found: %v", err)
}
if err := user.SetPassword(newPassword); err != nil {
log.Fatalf("failed to hash password: %v", err)
}
// Unlock account if locked
user.LockedUntil = nil
user.FailedLoginAttempts = 0
if err := db.Save(&user).Error; err != nil {
log.Fatalf("failed to save user: %v", err)
}
logger.Log().Infof("Password updated successfully for user %s", email)
return
}
}
logger.Log().Infof("starting %s backend on version %s", version.Name, version.Full())
cfg, err := config.Load()
if err != nil {
log.Fatalf("load config: %v", err)
}
db, err := database.Connect(cfg.DatabasePath)
if err != nil {
log.Fatalf("connect database: %v", err)
}
// Verify critical security tables exist before starting server
// This prevents silent failures in CrowdSec reconciliation
securityModels := []any{
&models.SecurityConfig{},
&models.SecurityDecision{},
&models.SecurityAudit{},
&models.SecurityRuleSet{},
&models.CrowdsecPresetEvent{},
&models.CrowdsecConsoleEnrollment{},
}
missingTables := false
for _, model := range securityModels {
if !db.Migrator().HasTable(model) {
missingTables = true
logger.Log().Warnf("Missing security table for model %T - running migration", model)
}
}
if missingTables {
logger.Log().Warn("Security tables missing - running auto-migration")
if err := db.AutoMigrate(securityModels...); err != nil {
log.Fatalf("failed to migrate security tables: %v", err)
}
logger.Log().Info("Security tables migrated successfully")
}
// Reconcile CrowdSec state after migrations, before HTTP server starts
// This ensures CrowdSec is running if user preference was to have it enabled
crowdsecBinPath := os.Getenv("CHARON_CROWDSEC_BIN")
if crowdsecBinPath == "" {
crowdsecBinPath = "/usr/local/bin/crowdsec"
}
crowdsecDataDir := os.Getenv("CHARON_CROWDSEC_DATA")
if crowdsecDataDir == "" {
crowdsecDataDir = "/app/data/crowdsec"
}
crowdsecExec := handlers.NewDefaultCrowdsecExecutor()
services.ReconcileCrowdSecOnStartup(db, crowdsecExec, crowdsecBinPath, crowdsecDataDir)
router := server.NewRouter(cfg.FrontendDir)
// Initialize structured logger with same writer as stdlib log so both capture logs
logger.Init(cfg.Debug, mw)
// Request ID middleware must run before recovery so the recover logs include the request id
router.Use(middleware.RequestID())
// Log requests with request-scoped logger
router.Use(middleware.RequestLogger())
// Attach a recovery middleware that logs stack traces when debug is enabled
router.Use(middleware.Recovery(cfg.Debug))
// Pass config to routes for auth service and certificate service
if err := routes.Register(router, db, cfg); err != nil {
log.Fatalf("register routes: %v", err)
}
// Register import handler with config dependencies
routes.RegisterImportHandler(router, db, cfg.CaddyBinary, cfg.ImportDir, cfg.ImportCaddyfile)
// Check for mounted Caddyfile on startup
if err := handlers.CheckMountedImport(db, cfg.ImportCaddyfile, cfg.CaddyBinary, cfg.ImportDir); err != nil {
logger.Log().WithError(err).Warn("WARNING: failed to process mounted Caddyfile")
}
addr := fmt.Sprintf(":%s", cfg.HTTPPort)
logger.Log().Infof("starting %s backend on %s", version.Name, addr)
if err := router.Run(addr); err != nil {
log.Fatalf("server error: %v", err)
}
}
Reference in New Issue View Git Blame Copy Permalink