Merge branch 'main' into feature/lj-appsec

Resolved conflicts in:
- config/haproxy.cfg
- internal/api/admin_handlers.go
- internal/api/worker_handlers.go
- lua/crowdsec.lua
- pkg/spoa/root.go

All AppSec functionality preserved and integrated with latest main branch changes.

Author: LaurenceJJones

config/haproxy.cfg

@@ -36,9 +36,12 @@ frontend test
     ## Set a custom header on the request for upstream services to use
     http-request set-header X-CrowdSec-IsoCode %[var(txn.crowdsec.isocode)] if { var(txn.crowdsec.isocode) -m found }
 
-    ## Call lua script to handle the remediation (ban/captcha pages)
-    http-request lua.crowdsec_handle if { var(txn.crowdsec.remediation) -m found }
-    ## Note if the remediation is allow you should still call the handler incase a redirect is needed following a captcha
+    ## Handle 302 redirect for successful captcha validation (native HAProxy redirect)
+    http-request redirect code 302 location %[var(txn.crowdsec.redirect)] if { var(txn.crowdsec.remediation) -m str "allow" } { var(txn.crowdsec.redirect) -m found }
+    
+    ## Call lua script only for ban and captcha remediations (performance optimization)
+    http-request lua.crowdsec_handle if { var(txn.crowdsec.remediation) -m str "captcha" }
+    http-request lua.crowdsec_handle if { var(txn.crowdsec.remediation) -m str "ban" }
 
     ## Handle captcha cookie management via HAProxy (new approach)
     ## Set captcha cookie when SPOA provides captcha_status (pending or valid)

internal/api/admin_handlers.go

@@ -263,6 +263,15 @@ func (a *API) handleAdminConnection(ctx context.Context, sc server.SocketConn) {
 	reader := bufio.NewReader(sc.Conn)
 
 	for {
+		// Check if context is canceled (shutdown signal)
+		select {
+		case <-ctx.Done():
+			log.Debug("Context canceled, shutting down admin connection handler")
+			return
+		default:
+			// Continue with normal processing
+		}
+
 		// Read line by line instead of fixed buffer - more efficient for admin commands
 		line, err := reader.ReadString('\n')
 		if err != nil {
@@ -322,47 +331,82 @@ func (a *API) handleAdminConnection(ctx context.Context, sc server.SocketConn) {
 	}
 }
 
-// parseAdminCommand parses admin commands - optimized version using strings.Fields
+// parseAdminCommand parses admin commands using a smart pattern-matching approach
 func (a *API) parseAdminCommand(line string) ([]string, []string, error) {
-	// Split by whitespace - much more efficient than byte-by-byte parsing
 	parts := strings.Fields(line)
 	if len(parts) == 0 {
 		return nil, nil, fmt.Errorf("empty command")
 	}
 
-	// First part is always the verb
-	verb := parts[0]
-
 	if len(parts) < 2 {
 		return nil, nil, fmt.Errorf("missing module")
 	}
 
-	// Second part is the module
-	module := parts[1]
-
-	apiCommand := []string{verb, module}
-	args := []string{}
-
-	// Handle submodule and arguments
-	if len(parts) > 2 {
-		// Check if third part could be a submodule (no spaces, reasonable length)
-		potentialSubmodule := parts[2]
-		if len(potentialSubmodule) <= 16 && !strings.Contains(potentialSubmodule, " ") {
-			// Treat as submodule if it makes sense contextually
-			if (verb == "get" || verb == "set" || verb == "del" || verb == "val") &&
-				(module == "host" && (potentialSubmodule == "session" || potentialSubmodule == "cookie" || potentialSubmodule == "captcha")) ||
-				(module == "geo" && potentialSubmodule == "iso") {
-				apiCommand = append(apiCommand, potentialSubmodule)
-				args = parts[3:] // Remaining parts are arguments
-			} else {
-				args = parts[2:] // All remaining parts are arguments
+	// For 3-part commands, we need to handle cases where arguments come between command parts
+	// e.g., "get host 127.0.0.1 session uuid key" should parse as "get:host:session"
+	if len(parts) >= 4 {
+		// Try verb:module:submodule pattern with different positions for submodule
+		verb := parts[0]
+		module := parts[1]
+
+		// Look for known submodules in the remaining parts
+		for i := 2; i < len(parts); i++ {
+			candidateCmd := fmt.Sprintf("%s:%s:%s", verb, module, parts[i])
+			if a.isValidCommand(candidateCmd) {
+				// Found valid 3-part command, collect arguments from everywhere except the command parts
+				cmdParts := []string{verb, module, parts[i]}
+				args := make([]string, 0)
+
+				// Add arguments that come before the submodule
+				args = append(args, parts[2:i]...)
+				// Add arguments that come after the submodule
+				args = append(args, parts[i+1:]...)
+
+				return cmdParts, args, nil
 			}
-		} else {
-			args = parts[2:] // All remaining parts are arguments
 		}
 	}
 
-	return apiCommand, args, nil
+	// Try standard 3-part commands (verb:module:submodule at start)
+	if len(parts) >= 3 {
+		threePartCmd := strings.Join(parts[:3], ":")
+		if a.isValidCommand(threePartCmd) {
+			return parts[:3], parts[3:], nil
+		}
+	}
+
+	// Try 2-part commands (verb:module)
+	twoPartCmd := strings.Join(parts[:2], ":")
+	if a.isValidCommand(twoPartCmd) {
+		return parts[:2], parts[2:], nil
+	}
+
+	// If no valid command found, return an explicit error
+	return nil, nil, fmt.Errorf("invalid command: %q", line)
+}
+
+// isValidCommand checks if a command string matches any of our defined APICommands
+func (a *API) isValidCommand(cmdStr string) bool {
+	cmd := messages.CommandFromString(cmdStr)
+
+	// Use the actual APICommand constants - no duplication!
+	switch cmd {
+	case messages.GetIP,
+		messages.GetCN,
+		messages.GetGeoIso,
+		messages.GetHosts,
+		messages.GetHostCookie,
+		messages.GetHostSession,
+		messages.ValHostCookie,
+		messages.ValHostCaptcha,
+		messages.SetHostSession,
+		messages.DelHostSession,
+		messages.DelHosts,
+		messages.ValHostAppSec:
+		return true
+	default:
+		return false
+	}
 }
 
 // handleAdminCommand directly dispatches admin commands using clean APICommand constants

internal/api/worker_handlers.go

@@ -6,6 +6,7 @@ import (
 	"io"
 	"net"
 	"strings"
+	"time"
 
 	"github.com/crowdsecurity/crowdsec-spoa/internal/api/messages"
 	"github.com/crowdsecurity/crowdsec-spoa/internal/api/types"
@@ -40,8 +41,38 @@ func (a *API) handleWorkerConnectionEncoded(ctx context.Context, sc server.Socke
 	}()
 
 	for {
+		// Check if context is canceled (shutdown signal)
+		select {
+		case <-ctx.Done():
+			log.Debugf("Context canceled, shutting down worker connection handler for worker: %s", workerName)
+			return
+		default:
+			// Continue with normal processing
+		}
+
+		// Set short read timeout to make decode responsive to context cancellation
+		if err := sc.Conn.SetReadDeadline(time.Now().Add(10 * time.Millisecond)); err != nil {
+			log.Errorf("Failed to set read deadline for worker %s: %v", workerName, err)
+			return
+		}
+
 		var req messages.APIRequest
-		if err := sc.Decoder.Decode(&req); err != nil {
+		err := sc.Decoder.Decode(&req)
+
+		// Clear deadline immediately after decode attempt
+		if err := sc.Conn.SetReadDeadline(time.Time{}); err != nil {
+			log.Errorf("Failed to clear read deadline for worker %s: %v", workerName, err)
+			return
+		}
+
+		if err != nil {
+			// Check if it's a timeout error using errors.As for wrapped errors
+			var netErr net.Error
+			if errors.As(err, &netErr) && netErr.Timeout() {
+				// Timeout occurred - loop back to check context again
+				continue
+			}
+
 			if errors.Is(err, io.EOF) {
 				// Client closed the connection gracefully
 				break

lua/crowdsec.lua

@@ -113,14 +113,11 @@ function runtime.Handle(txn)
     reply:add_header("cache-control", "no-cache")
     reply:add_header("cache-control", "no-store")
 
+    -- NOTE: "allow" remediation with redirects is now handled natively by HAProxy
+    -- This Lua handler is only called for "captcha" and "ban" remediations
     if remediation == "allow" then
-        local redirect_uri = get_txn_var(txn, "crowdsec.redirect")
-        if redirect_uri ~= "" then
-            reply:set_status(302)
-            reply:add_header("Location", redirect_uri)
-        else
-            return
-        end
+        runtime.logger.warning("Lua handler called for 'allow' remediation - this should not happen with native redirects")
+        return
     end
 
     if remediation == "captcha" then

pkg/spoa/root.go

@@ -238,7 +238,6 @@ func (s *Spoa) extractHTTPRequestData(mes *message.Message) (*string, *string, h
 	return method, url, headers, body, nil
 }
 
-
 // handleAppSecValidation handles AppSec validation logic
 func (s *Spoa) handleAppSecValidation(mes *message.Message, host *host.Host, method, url *string, headers http.Header, body *[]byte) remediation.Remediation {
 	// Extract additional information for AppSec validation