WIP: Use hll-geofence for enforce cap fight

This is a work-in-progress to demonstrate the usage of hll-geofence for
the enforce cap fight seeding automod. It uses the rconv2 protocol and
is therefore much more responsive in detecting players out of bounds.
Usually a player is notified about being out of the play-able area
within 1 second or much less.

This commit introduces a new component that is entirely written in
golang but also requires access to the configuration data in the db.
Therefore there is an added way of an internal API user, which can
authenticate to the CRCon api and use any available api without nay
explicit grants of permissions.

This is a WIP, as it will not take into account saving the seeding
automod config, yet (e.g., by restarting the enforce_cap_fight program
in supervisor). Hence, when changing the config right now, one would
need to restart the program manually.

It does also not yet remove the "offensive-point-tracking" version of
the enforce cap fight component in the python seeding automod.

Author: FlorianSW

Dockerfile

@@ -1,3 +1,10 @@
+FROM golang:1.24-bookworm AS gobuild
+
+WORKDIR /code
+
+COPY seeding/. .
+RUN go build -o app automod.go
+
 FROM python:3.12-slim
 
 WORKDIR /code
@@ -13,5 +20,6 @@ RUN chmod +x entrypoint.sh
 RUN chmod +x manage.py
 RUN chmod +x rconweb/manage.py
 ENV LOGGING_FILENAME=startup.log
+COPY --from=gobuild /code/app /code/seeding/
 
 ENTRYPOINT [ "/code/entrypoint.sh" ]

config/supervisord.conf

@@ -103,6 +103,14 @@ startretries=5
 autostart=true
 autorestart=unexpected
 
+[program:enforce_cap_fight]
+command=/code/seeding/app
+startretries=5
+autostart=true
+autorestart=unexpected
+stderror_logfile=/logs/enforce_cap_fight.log
+stdout_logfile=/logs/enforce_cap_fight.log
+
 [program:cron]
 environment=LOGGING_FILENAME=cron_%(ENV_SERVER_NUMBER)s.log
 command=/bin/bash -c "/usr/bin/crontab /config/crontab && /usr/sbin/cron -f"

rconweb/api/auth.py

@@ -1,7 +1,10 @@
 import csv
 import datetime
+import hashlib
+import hmac
 import json
 import logging
+import os
 from dataclasses import asdict, dataclass
 from functools import wraps
 from typing import Any, Sequence
@@ -18,14 +21,13 @@
 from django.db.models.signals import post_delete, post_save
 from django.http import HttpResponse, QueryDict, parse_cookie
 from django.views.decorators.csrf import csrf_exempt
+from rconweb.settings import SECRET_KEY, TAG_VERSION
 
 from rcon.audit import heartbeat, set_registered_mods
 from rcon.cache_utils import ttl_cache, invalidates
+from rcon.settings import SERVER_INFO
 from rcon.types import DjangoGroup, DjangoPermission, DjangoUserPermissions
 from rcon.user_config.rcon_server_settings import RconServerSettingsUserConfig
-from rconweb.settings import SECRET_KEY, TAG_VERSION
-
-
 from .decorators import require_content_type, require_http_methods
 from .models import DjangoAPIKey, SteamPlayer
 
@@ -289,6 +291,50 @@ def check_api_key(request):
         pass
 
 
+class InternalUser(User):
+    """
+    Represents a system-user, which uses the CRCon API internally.
+    This should only ever be used for components that cannot directly invoke the corresponding python APIs directly.
+    """
+
+    def has_perms(self, perm_list, obj=None) -> bool:
+        return True
+
+
+def check_internal_api(request):
+    """
+    Verifies if a request is coming from an internal user, such as the seeding automod in golang.
+    The user does not have password, and is not included in the standard Django API key or User list.
+    Everyone with this API key will automatically have every permission available.
+
+    The API key is automatically generated from the provided HLL server password and the backend API secret key and
+    can therefore be automatically created on the user side as well, whenever needed, in a container that shares the same
+    environment variables.
+    """
+    logger.info("Checking internal")
+    try:
+        logger.info(SECRET_KEY)
+        logger.info(SERVER_INFO.get("password"))
+        header_name, raw_api_key = request.META[HTTP_AUTHORIZATION_HEADER].split(
+            maxsplit=1
+        )
+        logger.info(header_name)
+        logger.info(raw_api_key)
+        if not header_name.upper().strip() in BEARER:
+            return
+        api_key = hmac.new(
+            SECRET_KEY.encode(),
+            msg=SERVER_INFO.get("password").encode(),
+            digestmod=hashlib.sha256
+        ).hexdigest().upper()
+        if raw_api_key == api_key:
+            request.user = InternalUser(username="system")
+
+    except (KeyError, ValueError) as e:
+        logger.error("", e)
+        pass
+
+
 def login_required():
     """Flag this endpoint as one that requires the user
     to be logged in.
@@ -297,6 +343,7 @@ def login_required():
     def decorator(func):
         @wraps(func)
         def wrapper(request, *args, **kwargs):
+            check_internal_api(request)
             # Check if API-Key is used
             check_api_key(request)
 

seeding/automod.go

@@ -0,0 +1,250 @@
+package main
+
+import (
+	"context"
+	"github.com/floriansw/go-hll-rcon/rconv2"
+	"github.com/floriansw/hll-geofences/data"
+	"github.com/floriansw/hll-geofences/worker"
+	"log/slog"
+	"os"
+	"os/signal"
+	"seeding/internal"
+	"seeding/internal/crcon"
+	"strconv"
+	"syscall"
+)
+
+var (
+	hllPassword      = os.Getenv("HLL_PASSWORD")
+	hllHost          = os.Getenv("HLL_HOST")
+	hllPort          = os.Getenv("HLL_PORT")
+	rconWebApiSecret = os.Getenv("RCONWEB_API_SECRET")
+	rconBackendUrl   = os.Getenv("RCONWEB_BACKEND_URL")
+
+	punishAfterSeconds = 10
+
+	// designates the map orientation from left to right
+	alliedToAxisHorizontalMaps = []string{"CARENTAN", "HILL 400", "HÜRTGEN FOREST", "MORTAIN"}
+	axisToAlliedHorizontalMaps = []string{"EL ALAMEIN", "OMAHA BEACH", "SAINTE-MÈRE-ÉGLISE", "STALINGRAD", "TOBRUK", "UTAH BEACH"}
+	// designates the map orientation from top to bottom
+	alliedToAxisVerticalMaps = []string{"ELSENBORN RIDGE", "KHARKOV", "KURSK", "PURPLE HEART LANE", "ST MARIE DU MONT"}
+	axisToAlliedVerticalMaps = []string{"DRIEL", "FOY", "REMAGEN"}
+
+	horizontalCaps = []string{"A", "B", "C", "D", "E", "F", "G", "H", "I", "J"}
+)
+
+func main() {
+	level := slog.LevelInfo
+	if _, ok := os.LookupEnv("DEBUG"); ok {
+		level = slog.LevelDebug
+	}
+
+	logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: level}))
+
+	if rconBackendUrl == "" {
+		rconBackendUrl = "http://backend:8000"
+	}
+
+	ctx := context.Background()
+	a := internal.NewAuthentication(hllPassword, rconWebApiSecret)
+	ac, err := crcon.NewClient(rconBackendUrl, a).GetAutoModSeedingConfig(ctx)
+	if err != nil {
+		logger.Error("find-seeding-automod-config", "error", err)
+		return
+	}
+
+	// Prefilling fences for first-spawners on the server. Whenever a player joins a server, they are randomly assigned
+	// a spawn on either side (even before side selection). To not give them a warning that they are outside of the spawns
+	// during seeding, the HQ lines for each team opponent are allowlisted as well.
+	alliedFences := []data.Fence{
+		{
+			X: &horizontalCaps[0],
+			Condition: &data.Condition{
+				Equals: map[string][]string{
+					"map_name": axisToAlliedHorizontalMaps,
+				},
+			},
+		},
+		{
+			X: &horizontalCaps[9],
+			Condition: &data.Condition{
+				Equals: map[string][]string{
+					"map_name": alliedToAxisHorizontalMaps,
+				},
+			},
+		},
+		{
+			Y: internal.Pointer(1),
+			Condition: &data.Condition{
+				Equals: map[string][]string{
+					"map_name": axisToAlliedVerticalMaps,
+				},
+			},
+		},
+		{
+			Y: internal.Pointer(10),
+			Condition: &data.Condition{
+				Equals: map[string][]string{
+					"map_name": alliedToAxisVerticalMaps,
+				},
+			},
+		},
+	}
+	axisFences := []data.Fence{
+		{
+			X: &horizontalCaps[9],
+			Condition: &data.Condition{
+				Equals: map[string][]string{
+					"map_name": axisToAlliedHorizontalMaps,
+				},
+			},
+		},
+		{
+			X: &horizontalCaps[0],
+			Condition: &data.Condition{
+				Equals: map[string][]string{
+					"map_name": alliedToAxisHorizontalMaps,
+				},
+			},
+		},
+		{
+			Y: internal.Pointer(10),
+			Condition: &data.Condition{
+				Equals: map[string][]string{
+					"map_name": axisToAlliedVerticalMaps,
+				},
+			},
+		},
+		{
+			Y: internal.Pointer(1),
+			Condition: &data.Condition{
+				Equals: map[string][]string{
+					"map_name": alliedToAxisVerticalMaps,
+				},
+			},
+		},
+	}
+
+	// fill the remaining caps as configured by the user.
+	for c := range ac.EnforceCapFight.MaxCaps * 2 {
+		alliedFences = append(alliedFences, data.Fence{
+			X: &horizontalCaps[9-c],
+			Condition: &data.Condition{
+				Equals: map[string][]string{
+					"map_name": axisToAlliedHorizontalMaps,
+				},
+			},
+		})
+		alliedFences = append(alliedFences, data.Fence{
+			X: &horizontalCaps[c],
+			Condition: &data.Condition{
+				Equals: map[string][]string{
+					"map_name": alliedToAxisHorizontalMaps,
+				},
+			},
+		})
+
+		axisFences = append(axisFences, data.Fence{
+			X: &horizontalCaps[c],
+			Condition: &data.Condition{
+				Equals: map[string][]string{
+					"map_name": axisToAlliedHorizontalMaps,
+				},
+			},
+		})
+		axisFences = append(axisFences, data.Fence{
+			X: &horizontalCaps[9-c],
+			Condition: &data.Condition{
+				Equals: map[string][]string{
+					"map_name": alliedToAxisHorizontalMaps,
+				},
+			},
+		})
+
+		alliedFences = append(alliedFences, data.Fence{
+			Y: internal.Pointer(10 - c),
+			Condition: &data.Condition{
+				Equals: map[string][]string{
+					"map_name": axisToAlliedVerticalMaps,
+				},
+			},
+		})
+		alliedFences = append(alliedFences, data.Fence{
+			Y: internal.Pointer(c + 1),
+			Condition: &data.Condition{
+				Equals: map[string][]string{
+					"map_name": alliedToAxisVerticalMaps,
+				},
+			},
+		})
+		axisFences = append(axisFences, data.Fence{
+			Y: internal.Pointer(c + 1),
+			Condition: &data.Condition{
+				Equals: map[string][]string{
+					"map_name": axisToAlliedVerticalMaps,
+				},
+			},
+		})
+		axisFences = append(axisFences, data.Fence{
+			Y: internal.Pointer(10 - c),
+			Condition: &data.Condition{
+				Equals: map[string][]string{
+					"map_name": alliedToAxisVerticalMaps,
+				},
+			},
+		})
+	}
+
+	// player count condition is always the same, same as game mode, hence adding it once only.
+	for _, fence := range axisFences {
+		fence.Condition.GreaterThan = map[string]int{
+			"player_count": ac.EnforceCapFight.MinPlayers,
+		}
+		fence.Condition.LessThan = map[string]int{
+			"player_count": ac.EnforceCapFight.MaxPlayers,
+		}
+		fence.Condition.Equals["game_mode"] = []string{"Warfare"}
+	}
+
+	if ac.Enabled == false || ac.DryRun == true {
+		logger.Info("enforce-cap-fight-disabled")
+	} else {
+		port, err := strconv.Atoi(hllPort)
+		if err != nil {
+			logger.Error("parse-port", "error", err)
+			return
+		}
+		pool, err := rconv2.NewConnectionPool(rconv2.ConnectionPoolOptions{
+			Logger:             logger,
+			Hostname:           hllHost,
+			Port:               port,
+			Password:           hllPassword,
+			MaxIdleConnections: internal.Pointer(2),
+			MaxOpenConnections: internal.Pointer(5),
+		})
+		if err != nil {
+			logger.Error("create-connection-pool", "server", hllHost, "error", err)
+			return
+		}
+		w := worker.NewWorker(logger, pool, data.Server{
+			Host:               hllHost,
+			Port:               port,
+			Password:           hllPassword,
+			PunishAfterSeconds: &punishAfterSeconds,
+			AxisFence:          axisFences,
+			AlliesFence:        alliedFences,
+			Messages: &data.Messages{
+				Warning: nil,
+				Punish:  &ac.EnforceCapFight.ViolationMessage,
+			},
+		})
+		go w.Run(ctx)
+		logger.Info("started-worker")
+	}
+
+	stop := make(chan os.Signal, 1)
+	signal.Notify(stop, os.Interrupt, syscall.SIGTERM)
+	<-stop
+
+	logger.Info("graceful-shutdown")
+}

seeding/go.mod

@@ -0,0 +1,10 @@
+module seeding
+
+go 1.24.1
+
+require (
+	github.com/floriansw/go-hll-rcon v0.0.0-20250421114312-973708b529c4
+	github.com/floriansw/hll-geofences v0.0.0-20250424221049-a62713ee5a0c
+)
+
+require gopkg.in/yaml.v3 v3.0.1 // indirect