security/crowdsec-firewall-bouncer: update to v0.0.28

Changelog: https://github.com/crowdsecurity/cs-firewall-bouncer/releases/tag/v0.0.28 PR: 274213
freebsd · Oct 4, 2023 · 714e7fb · 714e7fb
1 parent 00b97f0
commit 714e7fb
Show file tree

Hide file tree

Showing 6 changed files with 80 additions and 35 deletions.
diff --git a/security/crowdsec-firewall-bouncer/Makefile b/security/crowdsec-firewall-bouncer/Makefile
@@ -1,8 +1,6 @@
 PORTNAME=	crowdsec-firewall-bouncer
 DISTVERSIONPREFIX=	v
-DISTVERSION=	0.0.27
-PORTREVISION=	2
-DISTVERSIONSUFFIX=	-freebsd
+DISTVERSION=	0.0.28
 CATEGORIES=	security
 
 MAINTAINER=	marco@crowdsec.net
@@ -12,42 +10,42 @@ WWW=		https://github.com/crowdsecurity/cs-firewall-bouncer
 LICENSE=	MIT
 LICENSE_FILE=	${WRKSRC}/LICENSE
 
-BUILD_DEPENDS=	git:devel/git@lite
-
-USES=		gmake go:no_targets
-
-USE_GITHUB=	yes
-GH_ACCOUNT=	crowdsecurity
-GH_PROJECT=	cs-firewall-bouncer
-_BUILD_TAG=	f1f8b379
+USES=		go:modules
+_COMMIT=	af6e7e2
+_BUILD_DATE=	$$(date -u "+%F_%T")
 USE_RC_SUBR=	crowdsec_firewall
 
-MAKE_ARGS=	BUILD_VERSION="${DISTVERSIONFULL}" \
-		BUILD_TAG="${_BUILD_TAG}" \
-		BUILD_VENDOR_FLAGS="-mod=vendor -modcacherw"
+GO_MODULE=	github.com/crowdsecurity/cs-firewall-bouncer
+GO_TARGET=	${PORTNAME}:./${PORTNAME}
+GO_BUILDFLAGS=	-trimpath -tags netgo \
+		-ldflags="\
+		-a -s -w -extldflags '-static' \
+		-X github.com/crowdsecurity/go-cs-lib/version.Version=${DISTVERSIONPREFIX}${DISTVERSION}-freebsd \
+		-X github.com/crowdsecurity/go-cs-lib/version.BuildDate=${_BUILD_DATE} \
+		-X github.com/crowdsecurity/go-cs-lib/version.Tag=${_COMMIT}"
 
-SUB_FILES=	pkg-deinstall pkg-install pkg-message
+CGO_ENABLED=	0
 
-ETCDIR=		${PREFIX}/etc/crowdsec/bouncers
+SUB_FILES=	pkg-deinstall \
+		pkg-install \
+		pkg-message
 
-post-patch:
-	${REINPLACE_CMD} 's,$${BACKEND},pf,g' \
-		${WRKSRC}/config/crowdsec-firewall-bouncer.yaml
+ETCDIR=		${PREFIX}/etc/crowdsec/bouncers
 
 do-install:
 	#
 	# Binaries
 	#
 
-	${INSTALL_PROGRAM} ${WRKSRC}/crowdsec-firewall-bouncer \
-		${STAGEDIR}${PREFIX}/bin/crowdsec-firewall-bouncer
+	${INSTALL_PROGRAM} ${WRKDIR}/bin/${PORTNAME} \
+		${STAGEDIR}${PREFIX}/bin/${PORTNAME}
 
 	#
 	# Configuration
 	#
 
 	@${MKDIR} ${STAGEDIR}${ETCDIR}
-	${INSTALL_DATA} ${WRKSRC}/config/crowdsec-firewall-bouncer.yaml \
-		${STAGEDIR}${ETCDIR}/crowdsec-firewall-bouncer.yaml.sample
+	${INSTALL_DATA} ${WRKSRC}/config/${PORTNAME}.yaml \
+		${STAGEDIR}${ETCDIR}/${PORTNAME}.yaml.sample
 
 .include <bsd.port.mk>
diff --git a/security/crowdsec-firewall-bouncer/distinfo b/security/crowdsec-firewall-bouncer/distinfo
@@ -1,3 +1,5 @@
-TIMESTAMP = 1684281311
-SHA256 (crowdsecurity-cs-firewall-bouncer-v0.0.27-freebsd_GH0.tar.gz) = 1dba0604d0ff7d9035e2e2adcff42cddf7d0b63f23dd973ce692b6e18ee65126
-SIZE (crowdsecurity-cs-firewall-bouncer-v0.0.27-freebsd_GH0.tar.gz) = 2600838
+TIMESTAMP = 1696243362
+SHA256 (go/security_crowdsec-firewall-bouncer/crowdsec-firewall-bouncer-v0.0.28/v0.0.28.mod) = 8da878a2e78081ce7fd2b81f210eb146f87fa77f4c0b5b3857d1e6a4551dd048
+SIZE (go/security_crowdsec-firewall-bouncer/crowdsec-firewall-bouncer-v0.0.28/v0.0.28.mod) = 2632
+SHA256 (go/security_crowdsec-firewall-bouncer/crowdsec-firewall-bouncer-v0.0.28/v0.0.28.zip) = 6aeaa00beee415f68b2f7a4d98e6b3c83c239f3fe8b1e8be93f34b13e77c940e
+SIZE (go/security_crowdsec-firewall-bouncer/crowdsec-firewall-bouncer-v0.0.28/v0.0.28.zip) = 181050
diff --git a/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in b/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in
@@ -11,6 +11,8 @@
 #					Default is "NO"
 # crowdsec_firewall_config (str):	Set the bouncer config path.
 #					Default is "%%ETCDIR%%/crowdsec-firewall-bouncer.yaml"
+# crowdsec_firewall_name (str):		Name of the bouncer to register.
+#					Default is dynamically generated.
 # crowdsec_firewall_flags (str):	extra flags to run bouncer.
 #					Default is ""
 
@@ -20,39 +22,77 @@ name=crowdsec_firewall
 desc="Crowdsec Firewall"
 rcvar=crowdsec_firewall_enable
 
-load_rc_config $name
+load_rc_config "$name"
 
 : "${crowdsec_firewall_enable:=NO}"
 : "${crowdsec_firewall_config:=%%ETCDIR%%/crowdsec-firewall-bouncer.yaml}"
+: "${crowdsec_firewall_name:=cs-firewall-bouncer-$(date +%s)}"
 : "${crowdsec_firewall_flags:=}"
 
 pidfile=/var/run/${name}.pid
 required_files="$crowdsec_firewall_config"
 command="%%PREFIX%%/bin/crowdsec-firewall-bouncer"
 start_cmd="${name}_start"
+stop_cmd="${name}_stop"
 start_precmd="${name}_precmd"
+configtest_cmd="${name}_configtest"
+extra_commands="configtest"
 
 crowdsec_firewall_precmd() {
     CSCLI=%%PREFIX%%/bin/cscli
-    orig_line="api_key: \${API_KEY}"
+    # there might be quotes
+    orig_line="api_key: .*\${API_KEY}.*"
     # IF the bouncer is not configured
     if grep -q "^${orig_line}" "${crowdsec_firewall_config}"; then
-        BOUNCER="cs-firewall-bouncer-$(date +%s)"
         # AND crowdsec is installed..
         if command -v "$CSCLI" >/dev/null; then
             # THEN, register it to the local API
-            API_KEY=$($CSCLI bouncers add "${BOUNCER}" -o raw)
+            API_KEY=$($CSCLI bouncers add "${crowdsec_firewall_name}" -o raw)
             if [ -n "$API_KEY" ]; then
-                sed -i "" "s/^${orig_line}/api_key: ${API_KEY}     # ${BOUNCER}/" "${crowdsec_firewall_config}"
-                echo "Registered: ${BOUNCER}"
+                sed -i "" "s|^${orig_line}|api_key: ${API_KEY}     # ${crowdsec_firewall_name}|" "${crowdsec_firewall_config}"
+                echo "Registered: ${crowdsec_firewall_name}"
             fi
         fi
     fi
 }
 
+crowdsec_firewall_stop()
+{
+    if [ ! -f "$pidfile" ]; then
+        echo "${name} is not running."
+        return
+    fi
+    pid=$(cat "$pidfile")
+    if kill -0 "$pid" >/dev/null 2>&1; then
+        echo "Stopping ${name}."
+        kill -s TERM "$pid" >/dev/null 2>&1
+        # shellcheck disable=SC2034
+        for i in $(seq 1 20); do
+            sleep 1
+            if ! kill -0 "$pid" >/dev/null 2>&1; then
+                rm -f "$pidfile"
+                return
+            fi
+        done
+        echo "Timeout, terminating ${name} with SIGKILL."
+        kill -s KILL "$pid" >/dev/null 2>&1
+        rm -f "$pidfile"
+    else
+        echo "${name} is not running."
+    fi
+}
+
 crowdsec_firewall_start() {
-    /usr/sbin/daemon -f -p ${pidfile} -t "${desc}" -- \
-        ${command} -c "${crowdsec_firewall_config}" ${crowdsec_firewall_flags}
+    /usr/sbin/daemon -f -p "$pidfile" -t "$desc" -- \
+        "$command" -c "$crowdsec_firewall_config" ${crowdsec_firewall_flags}
+}
+
+crowdsec_firewall_configtest()
+{
+    echo "Performing sanity check on ${name} configuration."
+    if "$command" -c "$crowdsec_firewall_config" -t; then
+        echo "Configuration test OK"
+    fi
 }
 
 run_rc_command "$1"
diff --git a/security/crowdsec-firewall-bouncer/files/pkg-deinstall.in b/security/crowdsec-firewall-bouncer/files/pkg-deinstall.in
diff --git a/security/crowdsec-firewall-bouncer/files/pkg-install.in b/security/crowdsec-firewall-bouncer/files/pkg-install.in
diff --git a/security/crowdsec-firewall-bouncer/files/pkg-message.in b/security/crowdsec-firewall-bouncer/files/pkg-message.in
@@ -4,10 +4,15 @@
 
 crowdsec-firewall-bouncer is installed.
 
+Note: If you are using OPNsense or pfSense, ignore the following instructions and use the settings page of the
+CrowdSec plugin.
+
+-----
+
 If you are running crowdsec on this machine, the bouncer will register itself with
 the Local API when it's started the first time.
 
-If the LAPI is on another machine, you need to manually register the bouncer
+If the LAPI is on a different machine, you need to manually register the bouncer
 and fill api_key and api_url in %%ETCDIR%%/crowdsec-firewall-bouncer.yaml before
 starting the service.