cscli: Add allowlist check (#3684)

LaurenceJJones · web-flow · commit 798707693c5d · 2025-07-09T13:49:27.000+02:00
diff --git a/cmd/crowdsec-cli/cliallowlists/allowlists.go b/cmd/crowdsec-cli/cliallowlists/allowlists.go
@@ -239,6 +239,7 @@ func (cli *cliAllowLists) NewCommand() *cobra.Command {
 	cmd.AddCommand(cli.newAddCmd())
 	cmd.AddCommand(cli.newRemoveCmd())
 	cmd.AddCommand(cli.newInspectCmd())
+	cmd.AddCommand(cli.newCheckCmd())
 
 	return cmd
 }
@@ -441,6 +442,20 @@ func (cli *cliAllowLists) newAddCmd() *cobra.Command {
 	return cmd
 }
 
+func (cli *cliAllowLists) newCheckCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:     "check [value...]",
+		Short:   "Check if a value is in an allowlist",
+		Example: `cscli allowlists check 1.2.3.4`,
+		Args:    args.MinimumNArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return cli.check(cmd.Context(), args)
+		},
+	}
+
+	return cmd
+}
+
 func (cli *cliAllowLists) add(ctx context.Context, db *database.Client, name string, values []string, expiration time.Duration, comment string) error {
 	allowlist, err := db.GetAllowList(ctx, name, true)
 	if err != nil {
@@ -639,3 +654,50 @@ func (cli *cliAllowLists) remove(ctx context.Context, db *database.Client, name
 
 	return nil
 }
+
+func (cli *cliAllowLists) check(ctx context.Context, ips []string) error {
+	cfg := cli.cfg()
+
+	if err := require.LAPI(cfg); err != nil {
+		return err
+	}
+
+	if err := cfg.LoadAPIClient(); err != nil {
+		return fmt.Errorf("loading api client: %w", err)
+	}
+
+	apiURL, err := url.Parse(cfg.API.Client.Credentials.URL)
+	if err != nil {
+		return fmt.Errorf("parsing api url: %w", err)
+	}
+
+	client, err := apiclient.NewClient(&apiclient.Config{
+		MachineID:     cfg.API.Client.Credentials.Login,
+		Password:      strfmt.Password(cfg.API.Client.Credentials.Password),
+		URL:           apiURL,
+		VersionPrefix: "v1",
+	})
+	if err != nil {
+		return fmt.Errorf("creating api client: %w", err)
+	}
+
+	for _, ip := range ips {
+		resp, _, err := client.Allowlists.CheckIfAllowlistedWithReason(ctx, ip)
+		if err != nil {
+			return fmt.Errorf("cannot check if %s is in allowlist: %w", ip, err)
+		}
+
+		reason := ""
+		if resp.Allowlisted {
+			reason = resp.Reason
+		}
+		if reason == "" {
+			fmt.Fprintf(os.Stdout, "%s is not allowlisted\n", ip)
+			return nil
+		}
+
+		fmt.Fprintf(os.Stdout, "%s is allowlisted by item %s\n", ip, reason)
+	}
+
+	return nil
+}
diff --git a/pkg/database/allowlists.go b/pkg/database/allowlists.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"net"
+	"sort"
 	"strings"
 	"time"
 
@@ -237,13 +238,16 @@ func (c *Client) ReplaceAllowlist(ctx context.Context, list *ent.AllowList, item
 	return added, nil
 }
 
-func (c *Client) IsAllowlistedBy(ctx context.Context, value string) ([]string, error) {
-	/*
-		Few cases:
-		- value is an IP/range directly is in allowlist
-		- value is an IP/range in a range in allowlist
-		- value is a range and an IP/range belonging to it is in allowlist
-	*/
+// IsAllowlistedBy returns a list of human-readable reasons explaining which allowlists
+// the given value (IP or CIDR) matches.
+//
+// Few cases:
+// - value is an IP/range directly is in allowlist
+// - value is an IP/range in a range in allowlist
+// - value is a range and an IP/range belonging to it is in allowlist
+//
+// The result is sorted by the name of the associated allowlist for consistent presentation.
+func (c *Client) IsAllowlistedBy(ctx context.Context, value string) (reasons []string, err error) {
 	rng, err := csnet.NewRange(value)
 	if err != nil {
 		return nil, err
@@ -320,7 +324,10 @@ func (c *Client) IsAllowlistedBy(ctx context.Context, value string) ([]string, e
 		return nil, fmt.Errorf("unable to check if value is allowlisted: %w", err)
 	}
 
-	reasons := make([]string, 0)
+	// doing this in ent is not worth the complexity
+	sort.SliceStable(items, func(i, j int) bool {
+		return items[i].Edges.Allowlist[0].Name < items[j].Edges.Allowlist[0].Name
+	})
 
 	for _, item := range items {
 		if len(item.Edges.Allowlist) == 0 {
diff --git a/test/bats/cscli-allowlists.bats b/test/bats/cscli-allowlists.bats
@@ -167,6 +167,22 @@ teardown() {
     assert_stderr --partial 'Decision successfully added'
 }
 
+@test "cscli allowlists check" {
+    rune -0 cscli allowlist create foo -d 'a foo'
+    rune -0 cscli allowlist add foo 192.168.0.0/16
+    rune -0 cscli allowlist check 192.168.0.1
+    assert_output "192.168.0.1 is allowlisted by item 192.168.0.0/16 from foo"
+    rune -0 cscli allowlist check 192.169.0.1
+    assert_output "192.169.0.1 is not allowlisted"
+    rune -0 cscli allowlist create bar -d 'a bar'
+    rune -0 cscli allowlist add bar 192.168.0.0/24
+    rune -0 cscli allowlist create Uppercase -d 'a uppercase'
+    rune -0 cscli allowlist add Uppercase 192.168.0.0/28
+    rune -0 cscli allowlist check 192.168.0.1 1.1.1.1
+    assert_line "192.168.0.1 is allowlisted by item 192.168.0.0/28 from Uppercase, 192.168.0.0/24 from bar, 192.168.0.0/16 from foo"
+    assert_line "1.1.1.1 is not allowlisted"
+    refute_stderr
+}
 @test "cscli allowlists delete" {
     rune -1 cscli allowlist delete
     assert_stderr 'Error: accepts 1 arg(s), received 0'
