From 91a971777977c0343bddd7c5a51ac1925759f56a Mon Sep 17 00:00:00 2001
From: Samuel Gaist
Date: Sat, 21 Oct 2023 22:39:24 +0200
Subject: [PATCH] feat(userspace/falco): implement configuration of webserver listening address

Currently the webserver is listening on the hard coded 0.0.0.0. This patch keeps this default but allows the administrator to change it.
Signed-off-by: Samuel Gaist
---
 falco.yaml | 2 ++
 userspace/falco/app/actions/start_webserver.cpp | 5 ++++-
 userspace/falco/configuration.cpp | 13 +++++++++++++
 userspace/falco/configuration.h | 1 +
 userspace/falco/webserver.cpp | 5 +++--
 userspace/falco/webserver.h | 1 +
 6 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/falco.yaml b/falco.yaml
index 4d7fd18f..b3f11328 100644
--- a/falco.yaml
+++ b/falco.yaml
@@ -492,6 +492,8 @@ webserver:
 # the appropriate number of threads based on the number of online cores in the system.
 threadiness: 0
 listen_port: 8765
+ # IPV4 only is supported
+ listen_address: 0.0.0.0
 k8s_healthz_endpoint: /healthz
 ssl_enabled: false
 ssl_certificate: /etc/falco/falco.pem
diff --git a/userspace/falco/app/actions/start_webserver.cpp b/userspace/falco/app/actions/start_webserver.cpp
index a6f5b0c3..b03f5ca0 100644
--- a/userspace/falco/app/actions/start_webserver.cpp
+++ b/userspace/falco/app/actions/start_webserver.cpp
@@ -38,7 +38,9 @@ falco::app::run_result falco::app::actions::start_webserver(falco::app::state& s
 std::string ssl_option = (s.config->m_webserver_ssl_enabled ? " (SSL)" : "");
 falco_logger::log(LOG_INFO, "Starting health webserver with threadiness "
 + std::to_string(s.config->m_webserver_threadiness)
- + ", listening on port "
+ + ", listening on "
+ + s.config->m_webserver_listen_address
+ + ":"
 + std::to_string(s.config->m_webserver_listen_port)
 + ssl_option
 + "\n");
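Review bot: The comment added above `listen_address` says only that IPv4 is supported, not what the value means or what the default does; a reader of falco.yaml cannot tell that the value must be a dotted-quad literal (hostnames and IPv6 literals are rejected when the file is loaded, per the configuration.cpp hunk) or that `0.0.0.0` accepts connections on every interface of the host. A single-line comment would cover both: `# IPv4 address the webserver binds to (dotted-quad only; 0.0.0.0 listens on all interfaces, 127.0.0.1 restricts it to local clients)`.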
@@ -46,6 +48,7 @@ falco::app::run_result falco::app::actions::start_webserver(falco::app::state& s
 s.offline_inspector,
 s.config->m_webserver_threadiness,
 s.config->m_webserver_listen_port,
+ s.config->m_webserver_listen_address,
 s.config->m_webserver_k8s_healthz_endpoint,
 s.config->m_webserver_ssl_certificate,
 s.config->m_webserver_ssl_enabled);
diff --git a/userspace/falco/configuration.cpp b/userspace/falco/configuration.cpp
index 365ebf78..1e7d1530 100644
--- a/userspace/falco/configuration.cpp
+++ b/userspace/falco/configuration.cpp
@@ -31,6 +31,12 @@ limitations under the License.
 #include "configuration.h"
 #include "logger.h"
 
+#include
+
+// Reference: https://www.oreilly.com/library/view/regular-expressions-cookbook/9780596802837/ch07s16.html
+static re2::RE2 ipv4_address_re("^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$");
+
+
 falco_configuration::falco_configuration():
 m_json_output(false),
 m_json_include_output_property(true),
@@ -46,6 +52,7 @@ falco_configuration::falco_configuration():
 m_webserver_enabled(false),
 m_webserver_threadiness(0),
 m_webserver_listen_port(8765),
+ m_webserver_listen_address("0.0.0.0"),
 m_webserver_k8s_healthz_endpoint("/healthz"),
 m_webserver_ssl_enabled(false),
 m_syscall_evt_drop_threshold(.1),
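Review bot: The `ipv4_address_re` pattern added here accepts octets with leading zeros such as `01.002.3.4`, because `[01]?[0-9][0-9]?` matches `01` and `002`; whether such a string is later read as decimal, as octal, or rejected is decided by the socket layer rather than by this regex, so the validator and the code that actually binds can disagree about the same configured value. Since the string is only ever handed to the listening socket, validating it with the address parser of that family is more robust than a regex: `struct in_addr addr; if(inet_pton(AF_INET, m_webserver_listen_address.c_str(), &addr) != 1)` in the `load_yaml` hunk further down, with `<arpa/inet.h>` included, replaces this namespace-scope global entirely. If the regex is kept, its tolerance should at least be stated next to it, e.g. `// NOTE: accepts leading zeros in octets; the bind may parse those differently`.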
@@ -285,6 +292,12 @@ void falco_configuration::load_yaml(const std::string& config_name, const yaml_h
 m_webserver_enabled = config.get_scalar("webserver.enabled", false);
 m_webserver_threadiness = config.get_scalar("webserver.threadiness", 0);
 m_webserver_listen_port = config.get_scalar("webserver.listen_port", 8765);
+ m_webserver_listen_address = config.get_scalar("webserver.listen_address", "0.0.0.0");
+ if(!re2::RE2::FullMatch(m_webserver_listen_address, ipv4_address_re))
+ {
+ throw std::logic_error("Error reading config file (" + config_name + "): webserver listen address \"" + m_webserver_listen_address + "\" is not a valid IP address");
+ }
+
 m_webserver_k8s_healthz_endpoint = config.get_scalar("webserver.k8s_healthz_endpoint", "/healthz");
 m_webserver_ssl_enabled = config.get_scalar("webserver.ssl_enabled", false);
 m_webserver_ssl_certificate = config.get_scalar("webserver.ssl_certificate", "/etc/falco/falco.pem");
diff --git a/userspace/falco/configuration.h b/userspace/falco/configuration.h
index e53c1189..47a672f6 100644
--- a/userspace/falco/configuration.h
+++ b/userspace/falco/configuration.h
@@ -85,6 +85,7 @@ public:
 bool m_webserver_enabled;
 uint32_t m_webserver_threadiness;
 uint32_t m_webserver_listen_port;
+ std::string m_webserver_listen_address;
 std::string m_webserver_k8s_healthz_endpoint;
 bool m_webserver_ssl_enabled;
 std::string m_webserver_ssl_certificate;
diff --git a/userspace/falco/webserver.cpp b/userspace/falco/webserver.cpp
index 36070f1f..fe6ae0ce 100644
--- a/userspace/falco/webserver.cpp
+++ b/userspace/falco/webserver.cpp
@@ -29,6 +29,7 @@ void falco_webserver::start(
 const std::shared_ptr& inspector,
 uint32_t threadiness,
 uint32_t listen_port,
+ std::string& listen_address,
 std::string& healthz_endpoint,
 std::string &ssl_certificate,
 bool ssl_enabled)
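Review bot: The exception thrown in this hunk reports that the value `is not a valid IP address`, but the check admits only dotted-quad IPv4, so an operator who configures a hostname or an IPv6 literal is told the address is malformed rather than unsupported and has no hint of what to change. Ending the message with `"\" is not a valid IPv4 address (hostnames and IPv6 are not supported)"` makes the failure actionable from the log alone. It is also worth a one-line comment above the check that the address only selects the interface the server binds to and does not restrict who may connect once bound. `load_yaml` continues outside the hunk.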
@@ -77,11 +78,11 @@ void falco_webserver::start(
 std::atomic failed;
 failed.store(false, std::memory_order_release);
 
- m_server_thread = std::thread([this, listen_port, &failed]
+ m_server_thread = std::thread([this, listen_address, listen_port, &failed]
 {
 try
 {
- this->m_server->listen("0.0.0.0", listen_port);
+ this->m_server->listen(listen_address, listen_port);
 }
 catch(std::exception &e)
 {
diff --git a/userspace/falco/webserver.h b/userspace/falco/webserver.h
index 8a2e3a2f..ad00beee 100644
--- a/userspace/falco/webserver.h
+++ b/userspace/falco/webserver.h
@@ -37,6 +37,7 @@ public:
 const std::shared_ptr& inspector,
 uint32_t threadiness,
 uint32_t listen_port,
+ std::string& list_address,
 std::string& healthz_endpoint,
 std::string &ssl_certificate,
 bool ssl_enabled);
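Review bot: The lambda captures `listen_address` by value although the parameter is a reference, and that copy is what keeps the address valid for the server thread, which presumably runs on after `start()` returns; a later "tidy-up" to a `&listen_address` capture would silently turn this into a dangling reference. The intent deserves a comment on the capture line: `// listen_address is copied on purpose: the reference parameter dies with start(), the thread does not`. The lambda body and `start()` continue outside the hunk.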
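Review bot: The declaration in webserver.h names the new parameter `list_address` while the definition in webserver.cpp names it `listen_address`; the mismatch compiles, but it misleads anyone reading the header or an IDE signature hint, so rename it to `std::string& listen_address,`. In both the header and the webserver.cpp signature hunk the function only reads the value and the lambda copies it, so `const std::string& listen_address` would also state the contract; the neighbouring string parameters are non-const, which may be a deliberate project convention, so this part is optional.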