haproxy-wi/app/routes/waf/routes.py

import os

from flask import render_template, request
from flask_login import login_required

from app.routes.waf import bp
import app.modules.db.sql as sql
import app.modules.common.common as common
import app.modules.roxy_wi_tools as roxy_wi_tools
import app.modules.roxywi.waf as roxy_waf
import app.modules.roxywi.auth as roxywi_auth
import app.modules.roxywi.common as roxywi_common
import app.modules.config.config as config_mod

get_config = roxy_wi_tools.GetConfigVar()
time_zone = sql.get_setting('time_zone')
get_date = roxy_wi_tools.GetDate(time_zone)


@bp.before_request
@login_required
def before_request():
    """ Protect all of the admin endpoints. """
    pass


@bp.route('/<service>')
def waf(service):
    roxywi_auth.page_for_admin(level=2)

    manage_rules = ''
    waf_rule_id = ''
    config_file_name = ''
    waf_rule_file = ''
    config_read = ''
    rules = ''
    serv = ''
    cfg = ''
    user_params = roxywi_common.get_users_params()

    if service == 'nginx':
        roxywi_auth.check_login(user_params['user_uuid'], user_params['token'], service=2)
        servers = roxywi_common.get_dick_permit(nginx=1)
    else:
        roxywi_auth.check_login(user_params['user_uuid'], user_params['token'], service=1)
        servers = user_params['servers']

    title = "Web application firewall"
    servers_waf = sql.select_waf_servers_metrics(user_params['user_uuid'])
    autorefresh = 1

    return render_template(
        'waf.html', title=title, autorefresh=autorefresh, role=user_params['role'], user=user_params['user'], serv=serv,
        servers=servers_waf, servers_all=servers, manage_rules=manage_rules, rules=rules,
        user_services=user_params['user_services'], waf_rule_file=waf_rule_file, waf_rule_id=waf_rule_id,
        config=config_read, cfg=cfg, token=user_params['token'], config_file_name=config_file_name, service=service,
        lang=user_params['lang']
    )


@bp.route('/<service>/<server_ip>/rules')
def waf_rules(service, server_ip):
    roxywi_auth.page_for_admin(level=2)
    roxywi_common.check_is_server_in_group(server_ip)

    manage_rules = '1'
    waf_rule_id = ''
    config_file_name = ''
    waf_rule_file = ''
    servers_waf = ''
    config_read = ''
    servers = ''
    cfg = ''
    user_params = roxywi_common.get_users_params()
    title = "Manage rules - Web application firewall"
    rules = sql.select_waf_rules(server_ip, service)

    if service == 'nginx':
        roxywi_auth.check_login(user_params['user_uuid'], user_params['token'], service=2)
    else:
        roxywi_auth.check_login(user_params['user_uuid'], user_params['token'], service=1)

    return render_template(
        'waf.html', title=title, autorefresh=0, role=user_params['role'], user=user_params['user'], serv=server_ip,
        servers=servers_waf, servers_all=servers, manage_rules=manage_rules, rules=rules,
        user_services=user_params['user_services'], waf_rule_file=waf_rule_file, waf_rule_id=waf_rule_id,
        config=config_read, cfg=cfg, token=user_params['token'], config_file_name=config_file_name, service=service,
        lang=user_params['lang']
    )


@bp.route('/<service>/<server_ip>/rule/<rule_id>')
def waf_rule_edit(service, server_ip, rule_id):
    roxywi_auth.page_for_admin(level=2)
    roxywi_common.check_is_server_in_group(server_ip)

    manage_rules = ''
    servers_waf = ''
    config_read = ''
    servers = ''
    user_params = roxywi_common.get_users_params()
    rules = sql.select_waf_rules(server_ip, service)

    if service == 'nginx':
        roxywi_auth.check_login(user_params['user_uuid'], user_params['token'], service=2)
        config_path = sql.get_setting('nginx_dir')
    else:
        roxywi_auth.check_login(user_params['user_uuid'], user_params['token'], service=1)
        config_path = sql.get_setting('haproxy_dir')

    title = 'Edit a WAF rule'
    waf_rule_file = sql.select_waf_rule_by_id(rule_id)
    configs_dir = sql.get_setting('tmp_config_path')
    cfg = f"{configs_dir}{server_ip}-{get_date.return_date('config')}-{waf_rule_file}"
    error = config_mod.get_config(server_ip, cfg, waf=service, waf_rule_file=waf_rule_file)
    config_file_name = common.return_nice_path(config_path) + 'waf/rules/' + waf_rule_file

    try:
        conf = open(cfg, "r")
        config_read = conf.read()
        conf.close()
    except IOError:
        print('Cannot read imported config file')

    return render_template(
        'waf.html', title=title, autorefresh=0, role=user_params['role'], user=user_params['user'], serv=server_ip,
        servers=servers_waf, servers_all=servers, manage_rules=manage_rules, rules=rules,
        user_services=user_params['user_services'], waf_rule_file=waf_rule_file, waf_rule_id=rule_id, config=config_read,
        cfg=cfg, token=user_params['token'], config_file_name=config_file_name, service=service, lang=user_params['lang']
    )


@bp.route('/<service>/<server_ip>/rule/<rule_id>/save', methods=['POST'])
def waf_save_config(service, server_ip, rule_id):
    roxywi_auth.page_for_admin(level=2)
    roxywi_common.check_is_server_in_group(server_ip)

    configs_dir = sql.get_setting('tmp_config_path')
    cfg = f"{configs_dir}{server_ip}-{get_date.return_date('config')}"
    config_file_name = request.form.get('config_file_name')
    config = request.form.get('config')
    oldcfg = request.form.get('oldconfig')
    save = request.form.get('save')

    try:
        with open(cfg, "a") as conf:
            conf.write(config)
    except IOError:
        print("error: Cannot read imported config file")

    stderr = config_mod.master_slave_upload_and_restart(server_ip, cfg, save, 'waf', oldcfg=oldcfg, config_file_name=config_file_name)

    config_mod.diff_config(oldcfg, cfg)

    try:
        os.system(f"/bin/rm -f {configs_dir}*.old")
    except Exception as e:
        return f'error: {e}'

    if stderr:
        return stderr

    return


@bp.route('/<server_ip>/rule/<int:rule_id>/<int:enable>')
def enable_rule(server_ip, rule_id, enable):
    server_ip = common.is_ip_or_dns(server_ip)

    return roxy_waf.switch_waf_rule(server_ip, enable, rule_id)


@bp.route('/<service>/<server_ip>/rule/create', methods=['POST'])
def create_rule(service, server_ip):
    if service not in ('haproxy', 'nginx'):
        return 'error: Wrong service'

    server_ip = common.is_ip_or_dns(server_ip)

    return roxy_waf.create_waf_rule(server_ip, service)


@bp.route('/<service>/mode/<server_name>/<waf_mode>')
def change_waf_mode(service, server_name, waf_mode):
    if service not in ('haproxy', 'nginx'):
        return 'error: Wrong service'

    server_name = common.checkAjaxInput(server_name)
    waf_mode = common.checkAjaxInput(waf_mode)

    return roxy_waf.change_waf_mode(waf_mode, server_name, service)


@bp.route('/overview/<service>/<server_ip>')
def overview_waf(service, server_ip):
    server_ip = common.is_ip_or_dns(server_ip)

    if service not in ('haproxy', 'nginx'):
        return 'error: Wrong service'

    return roxy_waf.waf_overview(server_ip, service)


@bp.route('/metric/enable/<int:enable>/<server_name>')
def enable_metric(enable, server_name):
    server_name = common.checkAjaxInput(server_name)
    return sql.update_waf_metrics_enable(server_name, enable)
v7.0.0.0 Changelog: https://roxy-wi.org/changelog#7.0.0 2023-09-30 09:10:23 +00:00			`import os`

v7.0.0.0 Changelog: https://roxy-wi.org/changelog#7.0.0 2023-09-17 09:42:39 +00:00			`from flask import render_template, request`
			`from flask_login import login_required`

			`from app.routes.waf import bp`
v7.0.0.0 Changelog: https://roxy-wi.org/changelog#7.0.0 2023-09-30 08:48:54 +00:00			`import app.modules.db.sql as sql`
			`import app.modules.common.common as common`
			`import app.modules.roxy_wi_tools as roxy_wi_tools`
			`import app.modules.roxywi.waf as roxy_waf`
			`import app.modules.roxywi.auth as roxywi_auth`
			`import app.modules.roxywi.common as roxywi_common`
			`import app.modules.config.config as config_mod`
v7.0.0.0 Changelog: https://roxy-wi.org/changelog#7.0.0 2023-09-17 09:42:39 +00:00
			`get_config = roxy_wi_tools.GetConfigVar()`
			`time_zone = sql.get_setting('time_zone')`
			`get_date = roxy_wi_tools.GetDate(time_zone)`


v7.0.0.0 Changelog: https://roxy-wi.org/changelog#7.0.0 2023-09-17 14:34:56 +00:00			`@bp.before_request`
v7.0.0.0 Changelog: https://roxy-wi.org/changelog#7.0.0 2023-09-17 09:42:39 +00:00			`@login_required`
v7.0.0.0 Changelog: https://roxy-wi.org/changelog#7.0.0 2023-09-17 14:34:56 +00:00			`def before_request():`
			`""" Protect all of the admin endpoints. """`
			`pass`


			`@bp.route('/<service>')`
v7.0.0.0 Changelog: https://roxy-wi.org/changelog#7.0.0 2023-09-17 09:42:39 +00:00			`def waf(service):`
			`roxywi_auth.page_for_admin(level=2)`

			`manage_rules = ''`
			`waf_rule_id = ''`
			`config_file_name = ''`
			`waf_rule_file = ''`
			`config_read = ''`
			`rules = ''`
			`serv = ''`
			`cfg = ''`
			`user_params = roxywi_common.get_users_params()`

			`if service == 'nginx':`
			`roxywi_auth.check_login(user_params['user_uuid'], user_params['token'], service=2)`
			`servers = roxywi_common.get_dick_permit(nginx=1)`
			`else:`
			`roxywi_auth.check_login(user_params['user_uuid'], user_params['token'], service=1)`
			`servers = user_params['servers']`

			`title = "Web application firewall"`
			`servers_waf = sql.select_waf_servers_metrics(user_params['user_uuid'])`
			`autorefresh = 1`

			`return render_template(`
v7.0.0.0 Changelog: https://roxy-wi.org/changelog#7.0.0 2023-10-03 19:56:34 +00:00			`'waf.html', title=title, autorefresh=autorefresh, role=user_params['role'], user=user_params['user'], serv=serv,`
v7.0.0.0 Changelog: https://roxy-wi.org/changelog#7.0.0 2023-09-30 21:38:22 +00:00			`servers=servers_waf, servers_all=servers, manage_rules=manage_rules, rules=rules,`
			`user_services=user_params['user_services'], waf_rule_file=waf_rule_file, waf_rule_id=waf_rule_id,`
			`config=config_read, cfg=cfg, token=user_params['token'], config_file_name=config_file_name, service=service,`
			`lang=user_params['lang']`
v7.0.0.0 Changelog: https://roxy-wi.org/changelog#7.0.0 2023-09-17 09:42:39 +00:00			`)`


			`@bp.route('/<service>/<server_ip>/rules')`
			`def waf_rules(service, server_ip):`
			`roxywi_auth.page_for_admin(level=2)`
			`roxywi_common.check_is_server_in_group(server_ip)`

			`manage_rules = '1'`
			`waf_rule_id = ''`
			`config_file_name = ''`
			`waf_rule_file = ''`
			`servers_waf = ''`
			`config_read = ''`
			`servers = ''`
			`cfg = ''`
			`user_params = roxywi_common.get_users_params()`
			`title = "Manage rules - Web application firewall"`
			`rules = sql.select_waf_rules(server_ip, service)`

			`if service == 'nginx':`
			`roxywi_auth.check_login(user_params['user_uuid'], user_params['token'], service=2)`
			`else:`
			`roxywi_auth.check_login(user_params['user_uuid'], user_params['token'], service=1)`

			`return render_template(`
v7.0.0.0 Changelog: https://roxy-wi.org/changelog#7.0.0 2023-09-30 21:38:22 +00:00			`'waf.html', title=title, autorefresh=0, role=user_params['role'], user=user_params['user'], serv=server_ip,`
			`servers=servers_waf, servers_all=servers, manage_rules=manage_rules, rules=rules,`
			`user_services=user_params['user_services'], waf_rule_file=waf_rule_file, waf_rule_id=waf_rule_id,`
			`config=config_read, cfg=cfg, token=user_params['token'], config_file_name=config_file_name, service=service,`
			`lang=user_params['lang']`
v7.0.0.0 Changelog: https://roxy-wi.org/changelog#7.0.0 2023-09-17 09:42:39 +00:00			`)`


			`@bp.route('/<service>/<server_ip>/rule/<rule_id>')`
			`def waf_rule_edit(service, server_ip, rule_id):`
			`roxywi_auth.page_for_admin(level=2)`
			`roxywi_common.check_is_server_in_group(server_ip)`

			`manage_rules = ''`
			`servers_waf = ''`
			`config_read = ''`
			`servers = ''`
			`user_params = roxywi_common.get_users_params()`
			`rules = sql.select_waf_rules(server_ip, service)`

			`if service == 'nginx':`
			`roxywi_auth.check_login(user_params['user_uuid'], user_params['token'], service=2)`
			`config_path = sql.get_setting('nginx_dir')`
			`else:`
			`roxywi_auth.check_login(user_params['user_uuid'], user_params['token'], service=1)`
			`config_path = sql.get_setting('haproxy_dir')`

			`title = 'Edit a WAF rule'`
			`waf_rule_file = sql.select_waf_rule_by_id(rule_id)`
			`configs_dir = sql.get_setting('tmp_config_path')`
			`cfg = f"{configs_dir}{server_ip}-{get_date.return_date('config')}-{waf_rule_file}"`
			`error = config_mod.get_config(server_ip, cfg, waf=service, waf_rule_file=waf_rule_file)`
			`config_file_name = common.return_nice_path(config_path) + 'waf/rules/' + waf_rule_file`

			`try:`
			`conf = open(cfg, "r")`
			`config_read = conf.read()`
			`conf.close()`
			`except IOError:`
			`print('Cannot read imported config file')`

			`return render_template(`
v7.0.0.0 Changelog: https://roxy-wi.org/changelog#7.0.0 2023-09-30 21:38:22 +00:00			`'waf.html', title=title, autorefresh=0, role=user_params['role'], user=user_params['user'], serv=server_ip,`
			`servers=servers_waf, servers_all=servers, manage_rules=manage_rules, rules=rules,`
			`user_services=user_params['user_services'], waf_rule_file=waf_rule_file, waf_rule_id=rule_id, config=config_read,`
			`cfg=cfg, token=user_params['token'], config_file_name=config_file_name, service=service, lang=user_params['lang']`
v7.0.0.0 Changelog: https://roxy-wi.org/changelog#7.0.0 2023-09-17 09:42:39 +00:00			`)`


			`@bp.route('/<service>/<server_ip>/rule/<rule_id>/save', methods=['POST'])`
			`def waf_save_config(service, server_ip, rule_id):`
			`roxywi_auth.page_for_admin(level=2)`
			`roxywi_common.check_is_server_in_group(server_ip)`

			`configs_dir = sql.get_setting('tmp_config_path')`
			`cfg = f"{configs_dir}{server_ip}-{get_date.return_date('config')}"`
			`config_file_name = request.form.get('config_file_name')`
			`config = request.form.get('config')`
			`oldcfg = request.form.get('oldconfig')`
			`save = request.form.get('save')`

			`try:`
			`with open(cfg, "a") as conf:`
			`conf.write(config)`
			`except IOError:`
			`print("error: Cannot read imported config file")`

			`stderr = config_mod.master_slave_upload_and_restart(server_ip, cfg, save, 'waf', oldcfg=oldcfg, config_file_name=config_file_name)`

			`config_mod.diff_config(oldcfg, cfg)`

			`try:`
			`os.system(f"/bin/rm -f {configs_dir}*.old")`
			`except Exception as e:`
			`return f'error: {e}'`

			`if stderr:`
			`return stderr`

			`return`


			`@bp.route('/<server_ip>/rule/<int:rule_id>/<int:enable>')`
			`def enable_rule(server_ip, rule_id, enable):`
			`server_ip = common.is_ip_or_dns(server_ip)`

			`return roxy_waf.switch_waf_rule(server_ip, enable, rule_id)`


			`@bp.route('/<service>/<server_ip>/rule/create', methods=['POST'])`
			`def create_rule(service, server_ip):`
			`if service not in ('haproxy', 'nginx'):`
			`return 'error: Wrong service'`

			`server_ip = common.is_ip_or_dns(server_ip)`

			`return roxy_waf.create_waf_rule(server_ip, service)`


			`@bp.route('/<service>/mode/<server_name>/<waf_mode>')`
			`def change_waf_mode(service, server_name, waf_mode):`
			`if service not in ('haproxy', 'nginx'):`
			`return 'error: Wrong service'`

			`server_name = common.checkAjaxInput(server_name)`
			`waf_mode = common.checkAjaxInput(waf_mode)`

			`return roxy_waf.change_waf_mode(waf_mode, server_name, service)`


			`@bp.route('/overview/<service>/<server_ip>')`
			`def overview_waf(service, server_ip):`
			`server_ip = common.is_ip_or_dns(server_ip)`

			`if service not in ('haproxy', 'nginx'):`
			`return 'error: Wrong service'`

			`return roxy_waf.waf_overview(server_ip, service)`


			`@bp.route('/metric/enable/<int:enable>/<server_name>')`
			`def enable_metric(enable, server_name):`
			`server_name = common.checkAjaxInput(server_name)`
			`return sql.update_waf_metrics_enable(server_name, enable)`