feat: geo-restriction via Cloudflare WAF custom rules

Add country-based access control managed through the Settings page. Global allow-list with per-app overrides, searchable country selector, automatic sync to Cloudflare WAF on settings change / deploy / remove, plus periodic 6-hour verification. New package: internal/cloudflare/ (client, zone, waf, countries, geosync) New API: /api/geo/* (6 endpoints) + /api/stacks/{name}/geo/override Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-25 11:58:22 +01:00
parent 4c5d430b1a
commit e1fb85240b
15 changed files with 2091 additions and 3 deletions
@@ -0,0 +1,180 @@
+package api
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+
+	cf "gitea.dooplex.hu/admin/felhom-controller/internal/cloudflare"
+	"gitea.dooplex.hu/admin/felhom-controller/internal/settings"
+)
+
+func (r *Router) geoStatus(w http.ResponseWriter, _ *http.Request) {
+	geo := r.sett.GetGeoRestriction()
+
+	data := map[string]interface{}{
+		"cf_configured": r.cfg.Infrastructure.CFAPIToken != "",
+		"geo_available": r.geoSync != nil,
+	}
+
+	if geo != nil {
+		data["enabled"] = geo.Enabled
+		data["allowed_countries"] = geo.AllowedCountries
+		data["app_overrides"] = geo.AppOverrides
+		data["last_sync"] = geo.LastSync
+		data["last_sync_error"] = geo.LastSyncError
+		data["syncing"] = r.geoSync != nil && r.geoSync.IsRunning()
+	} else {
+		data["enabled"] = false
+		data["allowed_countries"] = []string{"HU"}
+	}
+
+	writeJSON(w, http.StatusOK, apiResponse{OK: true, Data: data})
+}
+
+func (r *Router) geoUpdateSettings(w http.ResponseWriter, req *http.Request) {
+	limitBody(w, req)
+
+	var body struct {
+		Enabled          bool     `json:"enabled"`
+		AllowedCountries []string `json:"allowed_countries"`
+	}
+	if err := json.NewDecoder(req.Body).Decode(&body); err != nil {
+		writeJSON(w, http.StatusBadRequest, apiResponse{OK: false, Error: "invalid request body"})
+		return
+	}
+
+	// Validate country codes
+	for _, code := range body.AllowedCountries {
+		if !cf.ValidCountryCode(code) {
+			writeJSON(w, http.StatusBadRequest, apiResponse{OK: false, Error: "invalid country code: " + code})
+			return
+		}
+	}
+
+	// Get existing settings to preserve app overrides and sync state
+	existing := r.sett.GetGeoRestriction()
+	geo := &settings.GeoRestriction{
+		Enabled:          body.Enabled,
+		AllowedCountries: body.AllowedCountries,
+	}
+	if existing != nil {
+		geo.AppOverrides = existing.AppOverrides
+		geo.ZoneID = existing.ZoneID
+		geo.RulesetID = existing.RulesetID
+	}
+
+	if err := r.sett.SetGeoRestriction(geo); err != nil {
+		r.logger.Printf("[API] Failed to save geo settings: %v", err)
+		writeJSON(w, http.StatusInternalServerError, apiResponse{OK: false, Error: err.Error()})
+		return
+	}
+
+	r.logger.Printf("[API] Geo settings updated: enabled=%v, countries=%v", body.Enabled, body.AllowedCountries)
+
+	// Trigger async CF sync
+	if r.geoSync != nil {
+		go func() {
+			if err := r.geoSync.Sync(context.Background()); err != nil {
+				r.logger.Printf("[API] Geo sync after settings update failed: %v", err)
+			}
+		}()
+	}
+
+	writeJSON(w, http.StatusOK, apiResponse{OK: true, Message: "Geo-korlátozás beállítva"})
+}
+
+func (r *Router) geoTriggerSync(w http.ResponseWriter, _ *http.Request) {
+	if r.geoSync == nil {
+		writeJSON(w, http.StatusBadRequest, apiResponse{OK: false, Error: "Cloudflare API nincs konfigurálva"})
+		return
+	}
+
+	go func() {
+		if err := r.geoSync.Sync(context.Background()); err != nil {
+			r.logger.Printf("[API] Manual geo sync failed: %v", err)
+		}
+	}()
+
+	writeJSON(w, http.StatusOK, apiResponse{OK: true, Message: "Szinkronizálás elindítva"})
+}
+
+func (r *Router) geoCountries(w http.ResponseWriter, _ *http.Request) {
+	writeJSON(w, http.StatusOK, apiResponse{OK: true, Data: cf.AllCountries()})
+}
+
+func (r *Router) geoSetAppOverride(w http.ResponseWriter, req *http.Request, appName string) {
+	if appName == "" {
+		writeJSON(w, http.StatusBadRequest, apiResponse{OK: false, Error: "invalid app name"})
+		return
+	}
+	limitBody(w, req)
+
+	var body struct {
+		AllowedCountries []string `json:"allowed_countries"`
+	}
+	if err := json.NewDecoder(req.Body).Decode(&body); err != nil {
+		writeJSON(w, http.StatusBadRequest, apiResponse{OK: false, Error: "invalid request body"})
+		return
+	}
+
+	// Validate country codes
+	for _, code := range body.AllowedCountries {
+		if !cf.ValidCountryCode(code) {
+			writeJSON(w, http.StatusBadRequest, apiResponse{OK: false, Error: "invalid country code: " + code})
+			return
+		}
+	}
+
+	// Verify app exists
+	if _, ok := r.stackMgr.GetStack(appName); !ok {
+		writeJSON(w, http.StatusNotFound, apiResponse{OK: false, Error: "app not found: " + appName})
+		return
+	}
+
+	override := &settings.AppGeoOverride{AllowedCountries: body.AllowedCountries}
+	if err := r.sett.SetGeoAppOverride(appName, override); err != nil {
+		r.logger.Printf("[API] Failed to save geo override for %s: %v", appName, err)
+		writeJSON(w, http.StatusInternalServerError, apiResponse{OK: false, Error: err.Error()})
+		return
+	}
+
+	r.logger.Printf("[API] Geo override set for %s: countries=%v", appName, body.AllowedCountries)
+
+	// Trigger async CF sync
+	if r.geoSync != nil {
+		go func() {
+			if err := r.geoSync.Sync(context.Background()); err != nil {
+				r.logger.Printf("[API] Geo sync after app override failed: %v", err)
+			}
+		}()
+	}
+
+	writeJSON(w, http.StatusOK, apiResponse{OK: true, Message: "Alkalmazás geo-korlátozás beállítva"})
+}
+
+func (r *Router) geoRemoveAppOverride(w http.ResponseWriter, _ *http.Request, appName string) {
+	if appName == "" {
+		writeJSON(w, http.StatusBadRequest, apiResponse{OK: false, Error: "invalid app name"})
+		return
+	}
+
+	if err := r.sett.RemoveGeoAppOverride(appName); err != nil {
+		r.logger.Printf("[API] Failed to remove geo override for %s: %v", appName, err)
+		writeJSON(w, http.StatusInternalServerError, apiResponse{OK: false, Error: err.Error()})
+		return
+	}
+
+	r.logger.Printf("[API] Geo override removed for %s", appName)
+
+	// Trigger async CF sync
+	if r.geoSync != nil {
+		go func() {
+			if err := r.geoSync.Sync(context.Background()); err != nil {
+				r.logger.Printf("[API] Geo sync after override removal failed: %v", err)
+			}
+		}()
+	}
+
+	writeJSON(w, http.StatusOK, apiResponse{OK: true, Message: "Alkalmazás geo-korlátozás eltávolítva"})
+}