flag(server): new flag format

Author: josedonizetti

cmd/tracee-ebpf/main.go

@@ -11,7 +11,6 @@ import (
 	"github.com/aquasecurity/tracee/common/logger"
 	"github.com/aquasecurity/tracee/pkg/cmd"
 	"github.com/aquasecurity/tracee/pkg/cmd/flags"
-	"github.com/aquasecurity/tracee/pkg/cmd/flags/server"
 	"github.com/aquasecurity/tracee/pkg/cmd/initialize"
 	"github.com/aquasecurity/tracee/pkg/cmd/urfave"
 )
@@ -123,7 +122,7 @@ func main() {
 				Usage: "path where tracee will install or lookup it's resources",
 			},
 			&cli.StringSliceFlag{
-				Name:  server.ServerFlag,
+				Name:  flags.ServerFlag,
 				Usage: "Configure server endpoints. Examples: http-address=:3366, metrics, healthz, pprof, pyroscope",
 			},
 			&cli.StringSliceFlag{

cmd/tracee-rules/main.go

@@ -16,7 +16,7 @@ import (
 
 	"github.com/aquasecurity/tracee/common/capabilities"
 	"github.com/aquasecurity/tracee/common/logger"
-	"github.com/aquasecurity/tracee/pkg/cmd/flags/server"
+	"github.com/aquasecurity/tracee/pkg/cmd/flags"
 	"github.com/aquasecurity/tracee/pkg/signatures/engine"
 	"github.com/aquasecurity/tracee/pkg/signatures/signature"
 	"github.com/aquasecurity/tracee/types/detect"
@@ -141,7 +141,7 @@ func main() {
 			}
 
 			// Prepare HTTP server with new unified server flags
-			serverRunner, err := server.PrepareServer(c.StringSlice(server.ServerFlag))
+			serverRunner, err := flags.PrepareServer(c.StringSlice(flags.ServerFlag))
 			if err != nil {
 				return err
 			}
@@ -196,7 +196,7 @@ func main() {
 				Usage: "print a list of events that currently loaded signatures require",
 			},
 			&cli.StringSliceFlag{
-				Name:  server.ServerFlag,
+				Name:  flags.ServerFlag,
 				Usage: "Configure server endpoints. Examples: metrics, healthz",
 			},
 			&cli.BoolFlag{

cmd/tracee/cmd/root.go

@@ -15,7 +15,6 @@ import (
 	"github.com/aquasecurity/tracee/common/logger"
 	cmdcobra "github.com/aquasecurity/tracee/pkg/cmd/cobra"
 	"github.com/aquasecurity/tracee/pkg/cmd/flags"
-	"github.com/aquasecurity/tracee/pkg/cmd/flags/server"
 	"github.com/aquasecurity/tracee/pkg/cmd/initialize"
 	"github.com/aquasecurity/tracee/pkg/version"
 )
@@ -246,11 +245,11 @@ func initCmd() error {
 	// Server flags
 
 	rootCmd.Flags().StringArray(
-		server.ServerFlag,
-		[]string{server.DefaultServerFlagValue},
+		flags.ServerFlag,
+		[]string{flags.DefaultServerFlagValue},
 		`Configure server options and endpoints. Examples: http-address=:3366, grpc-address=unix:/var/run/tracee.sock, grpc (defaults to unix:/var/run/tracee.sock), metrics, healthz, pprof, pyroscope`)
 
-	err = viper.BindPFlag(server.ServerFlag, rootCmd.Flags().Lookup(server.ServerFlag))
+	err = viper.BindPFlag(flags.ServerFlag, rootCmd.Flags().Lookup(flags.ServerFlag))
 	if err != nil {
 		return errfmt.WrapError(err)
 	}

pkg/cmd/cobra/cobra.go

@@ -11,7 +11,6 @@ import (
 	"github.com/aquasecurity/tracee/common/logger"
 	"github.com/aquasecurity/tracee/pkg/cmd"
 	"github.com/aquasecurity/tracee/pkg/cmd/flags"
-	"github.com/aquasecurity/tracee/pkg/cmd/flags/server"
 	"github.com/aquasecurity/tracee/pkg/cmd/initialize"
 	"github.com/aquasecurity/tracee/pkg/cmd/initialize/sigs"
 	"github.com/aquasecurity/tracee/pkg/cmd/printer"
@@ -329,18 +328,21 @@ func GetTraceeRunner(c *cobra.Command, version string) (cmd.Runner, error) {
 	if err != nil {
 		return runner, err
 	}
-	serverRunner, err := server.PrepareServer(serverFlag)
+	serverRunner, err := flags.PrepareServer(serverFlag)
 	if err != nil {
 		return runner, err
 	}
 
 	runner.HTTP = serverRunner.HTTP
 	runner.GRPC = serverRunner.GRPC
-	cfg.MetricsEnabled = runner.HTTP.MetricsEndpointEnabled()
 	runner.TraceeConfig = cfg
 	runner.Printer = p
 	runner.InstallPath = traceeInstallPath
 
+	if runner.HTTP != nil {
+		cfg.MetricsEnabled = runner.HTTP.IsMetricsEnabled()
+	}
+
 	noSignaturesMode := viper.GetBool("no-signatures")
 	if noSignaturesMode {
 		logger.Debugw("No-signatures mode enabled, using same signature selection as normal mode for fair comparison")

pkg/cmd/cobra/config.go

@@ -7,7 +7,7 @@ import (
 	"github.com/spf13/viper"
 
 	"github.com/aquasecurity/tracee/common/errfmt"
-	serverflag "github.com/aquasecurity/tracee/pkg/cmd/flags/server"
+	"github.com/aquasecurity/tracee/pkg/cmd/flags"
 )
 
 type cliFlagger interface {
@@ -22,7 +22,7 @@ func GetFlagsFromViper(key string) ([]string, error) {
 	rawValue := viper.Get(key)
 
 	switch key {
-	case serverflag.ServerFlag:
+	case flags.ServerFlag:
 		flagger = &ServerConfig{}
 	case "proctree":
 		flagger = &ProcTreeConfig{}
@@ -94,27 +94,27 @@ type ServerConfig struct {
 }
 
 func (s *ServerConfig) flags() []string {
-	flags := make([]string, 0)
+	f := make([]string, 0)
 
 	if s.GrpcAddress != "" {
-		flags = append(flags, fmt.Sprintf("%s=%s", serverflag.GRPCAddressFlag, s.GrpcAddress))
+		f = append(f, fmt.Sprintf("%s=%s", flags.GRPCAddressFlag, s.GrpcAddress))
 	}
 	if s.HttpAddress != "" {
-		flags = append(flags, fmt.Sprintf("%s=%s", serverflag.HTTPAddressFlag, s.HttpAddress))
+		f = append(f, fmt.Sprintf("%s=%s", flags.HTTPAddressFlag, s.HttpAddress))
 	}
 	if s.Metrics {
-		flags = append(flags, serverflag.MetricsEndpointFlag)
+		f = append(f, flags.MetricsEndpointFlag)
 	}
 	if s.Pprof {
-		flags = append(flags, serverflag.PProfEndpointFlag)
+		f = append(f, flags.PProfEndpointFlag)
 	}
 	if s.Healthz {
-		flags = append(flags, serverflag.HealthzEndpointFlag)
+		f = append(f, flags.HealthzEndpointFlag)
 	}
 	if s.Pyroscope {
-		flags = append(flags, serverflag.PyroscopeAgentEndpointFlag)
+		f = append(f, flags.PyroscopeAgentEndpointFlag)
 	}
-	return flags
+	return f
 }
 
 type SocketConfig struct {

pkg/cmd/flags/server.go

@@ -0,0 +1,193 @@
+package flags
+
+import (
+	"net"
+	"os"
+	"strconv"
+	"strings"
+
+	"github.com/aquasecurity/tracee/common/errfmt"
+	"github.com/aquasecurity/tracee/pkg/server/grpc"
+	"github.com/aquasecurity/tracee/pkg/server/http"
+)
+
+const (
+	ServerFlag                 = "server"
+	HTTPAddressFlag            = "http-address"
+	GRPCAddressFlag            = "grpc-address"
+	GRPCEndpointFlag           = "grpc"
+	MetricsEndpointFlag        = "metrics"
+	HealthzEndpointFlag        = "healthz"
+	PProfEndpointFlag          = "pprof"
+	PyroscopeAgentEndpointFlag = "pyroscope"
+	DefaultServerFlagValue     = ""
+
+	defaultHTTPAddress = ":3366"
+	defaultGRPCPort    = "4466"
+	defaultGRPCPath    = "/var/run/tracee.sock"
+)
+
+type Server struct {
+	HTTP *http.Server
+	GRPC *grpc.Server
+}
+
+// PrepareServer prepares the server based on the server flags
+func PrepareServer(serverSlice []string) (*Server, error) {
+	var err error
+	var server Server
+	var (
+		enableMetrics   = false
+		enableHealthz   = false
+		enablePProf     = false
+		enablePyroscope = false
+	)
+	for _, endpoint := range serverSlice {
+		values := strings.SplitN(endpoint, "=", 2)
+		if len(values) != 2 {
+			return nil, errfmt.Errorf("invalid server flag: '%s', use 'trace man server' for more info", endpoint)
+		}
+
+		flagName := values[0]
+		flagValue := values[1]
+
+		switch flagName {
+		case HTTPAddressFlag: // http-address=<host:port>
+			err = validateHTTPAddr(flagValue)
+			if err != nil {
+				return nil, err
+			}
+			server.HTTP = http.New(flagValue)
+		case GRPCAddressFlag: // grpc-address=protocol:address
+			protocol, address, err := parseAndValidateGRPCAddr(flagValue)
+			if err != nil {
+				return nil, err
+			}
+			server.GRPC = grpc.New(protocol, address)
+		case MetricsEndpointFlag: // metrics
+			enableMetrics, err = validateAndGetBool(flagName, flagValue)
+			if err != nil {
+				return nil, err
+			}
+		case HealthzEndpointFlag: // healthz
+			enableHealthz, err = validateAndGetBool(flagName, flagValue)
+			if err != nil {
+				return nil, err
+			}
+		case PProfEndpointFlag: // pprof
+			enablePProf, err = validateAndGetBool(flagName, flagValue)
+			if err != nil {
+				return nil, err
+			}
+		case PyroscopeAgentEndpointFlag: // pyroscope
+			enablePyroscope, err = validateAndGetBool(flagName, flagValue)
+			if err != nil {
+				return nil, err
+			}
+		default:
+			return nil, errfmt.Errorf("invalid server flag: '%s', use 'trace man server' for more info", flagName)
+		}
+	}
+
+	if enableMetrics || enableHealthz || enablePProf || enablePyroscope {
+		// if a flag is set, but the server is not configured, set a default HTTP server
+		if server.HTTP == nil {
+			server.HTTP = http.New(defaultHTTPAddress)
+		}
+		if enableMetrics {
+			server.HTTP.EnableMetricsEndpoint()
+		}
+		if enableHealthz {
+			server.HTTP.EnableHealthzEndpoint()
+		}
+		if enablePProf {
+			server.HTTP.EnablePProfEndpoint()
+		}
+		if enablePyroscope {
+			err = server.HTTP.EnablePyroAgent()
+			if err != nil {
+				return nil, err
+			}
+		}
+	}
+
+	return &server, nil
+}
+
+func validateHTTPAddr(addr string) error {
+	// Split the address into host and port.
+	host, portStr, err := net.SplitHostPort(addr)
+	if err != nil {
+		return errfmt.Errorf("invalid http address: '%s', use 'trace man server' for more info", addr)
+	}
+
+	// If a host is specified, do basic validation
+	if host != "" {
+		// Accept IP addresses and basic hostname formats
+		// For CLI tools, we can be permissive and let network operations
+		// handle detailed validation when the server actually starts
+		if net.ParseIP(host) == nil {
+			// Basic hostname validation: no spaces, reasonable length
+			if len(host) > 253 || strings.Contains(host, " ") {
+				return errfmt.Errorf("invalid http host: '%s', use 'trace man server' for more info", host)
+			}
+		}
+	}
+
+	return validatePort(portStr)
+}
+
+func parseAndValidateGRPCAddr(addr string) (string, string, error) {
+	// Split the address into protocol and address.
+	values := strings.SplitN(addr, ":", 2)
+	protocol := values[0]
+
+	switch protocol {
+	case "tcp":
+		if len(values) == 2 {
+			port := values[1]
+			err := validatePort(port)
+			if err != nil {
+				return "", "", err
+			}
+			return protocol, port, nil
+		}
+		return protocol, defaultGRPCPort, nil
+	case "unix":
+		if len(values) == 2 {
+			path := values[1]
+			if _, err := os.Stat(path); err == nil {
+				err = os.Remove(path)
+				if err != nil {
+					return "", "", errfmt.Errorf("failed to cleanup gRPC listening address (%s): %v", path, err)
+				}
+			}
+			return protocol, path, nil
+		}
+		return protocol, defaultGRPCPath, nil
+	}
+
+	return "", "", errfmt.Errorf("invalid grpc protocol: '%s', use 'trace man server' for more info", protocol)
+}
+
+func validateAndGetBool(flagName, value string) (bool, error) {
+	switch value {
+	case "true":
+		return true, nil
+	case "false":
+		return false, nil
+	}
+
+	return false, errfmt.Errorf("invalid flag value '%s' for flag '%s', use 'trace man server' for more info", value, flagName)
+}
+
+func validatePort(port string) error {
+	portInt, err := strconv.Atoi(port)
+	if err != nil {
+		return errfmt.Errorf("invalid port number '%s', use 'trace man server' for more info", port)
+	}
+	if portInt < 0 || portInt > 65535 {
+		return errfmt.Errorf("invalid port number '%s', value must be between 0 and 65535, use 'trace man server' for more info", port)
+	}
+	return nil
+}