v8.1.0.1: Refactor SSH and WAF modules for improved logic and readability

Refactored SSH credential handling to better support shared credentials and improve code readability. Simplified WAF mode changes by switching from hostname to server ID, enhancing reliability. Updated various templates and functions to align with these changes.
1 month ago · 96f9f71a2b
10 changed files with 47 additions and 71 deletions
--- a/app/create_db.py
+++ b/app/create_db.py
@ -680,7 +680,7 @@ def update_db_v_8_1_0_3():

 def update_ver():
 	try:
-		Version.update(version='8.1.0').execute()
+		Version.update(version='8.1.0.1').execute()
 	except Exception:
 		print('Cannot update version')

--- a/app/modules/db/cred.py
+++ b/app/modules/db/cred.py
@ -6,7 +6,8 @@ from app.modules.roxywi.exception import RoxywiResourceNotFound
 def select_ssh(**kwargs):
 	if kwargs.get("group") and kwargs.get("cred_id") and kwargs.get("not_shared"):
 		query = Cred.select().where(
-			((Cred.id == kwargs.get('cred_id')) & (Cred.group_id == kwargs.get('group')))
+			((Cred.id == kwargs.get('cred_id')) & (Cred.group_id == kwargs.get('group'))) |
+			((Cred.id == kwargs.get('cred_id')) & (Cred.shared == 1))
 		)
 	elif kwargs.get("group") and kwargs.get("cred_id"):
 		query = Cred.select().where(
--- a/app/modules/db/server.py
+++ b/app/modules/db/server.py
@ -53,15 +53,6 @@ def get_server_by_ip(server_ip: str) -> Server:
 		return out_error(e)


-def select_server_by_name(name):
-	try:
-		ip = Server.get(Server.hostname == name)
-	except Exception as e:
-		return out_error(e)
-	else:
-		return ip.ip
-
-
 def insert_system_info(
 	server_id: int, os_info: str, sys_info: dict, cpu: dict, ram: dict, network: dict, disks: dict
 ):
--- a/app/modules/db/waf.py
+++ b/app/modules/db/waf.py
@ -252,34 +252,28 @@ def select_waf_rules(serv, service):
 		& (WafRules.service == service)
 	)
 	try:
-		query_res = query.execute()
+		return query.execute()
 	except Exception as e:
 		out_error(e)
-	else:
-		return query_res


 def delete_waf_rules(serv):
-	query = WafRules.delete().where(WafRules.serv == serv)
 	try:
-		query.execute()
+		WafRules.delete().where(WafRules.serv == serv).execute()
 	except Exception as e:
 		out_error(e)


 def select_waf_rule_by_id(rule_id):
 	try:
-		query = WafRules.get(WafRules.id == rule_id)
+		return WafRules.get(WafRules.id == rule_id).rule_file
 	except Exception as e:
 		out_error(e)
-	else:
-		return query.rule_file


 def update_enable_waf_rules(rule_id, serv, en):
-	query = WafRules.update(en=en).where((WafRules.id == rule_id) & (WafRules.serv == serv))
 	try:
-		query.execute()
+		WafRules.update(en=en).where((WafRules.id == rule_id) & (WafRules.serv == serv)).execute()
 	except Exception as e:
 		out_error(e)

@ -300,20 +294,13 @@ def insert_new_waf_rule(rule_name: str, rule_file: str, rule_description: str, s


 def delete_waf_server(server_id):
-	query = Waf.delete().where(Waf.server_id == server_id)
 	try:
-		query.execute()
+		Waf.delete().where(Waf.server_id == server_id).execute()
 	except Exception as e:
 		out_error(e)


-def update_waf_metrics_enable(name, enable):
-	server_id = 0
-	try:
-		server_id = Server.get(Server.hostname == name).server_id
-	except Exception as e:
-		out_error(e)
-
+def update_waf_metrics_enable(server_id, enable):
 	try:
 		Waf.update(metrics=enable).where(Waf.server_id == server_id).execute()
 	except Exception as e:
--- a/app/modules/roxywi/waf.py
+++ b/app/modules/roxywi/waf.py
@ -52,15 +52,16 @@ def waf_overview(serv: str, waf_service: str, claims: dict) -> str:
                                 waf_process,
                                 waf_mode,
                                 metrics_en,
-                                 waf_len)
+                                 waf_len,
+                                 server[0])
            else:
                server_status = (server[1],
                                 server[2],
                                 waf_process,
                                 waf_mode,
                                 metrics_en,
-                                 waf_len)
-
+                                 waf_len,
+                                 server[0])
        returned_servers.append(server_status)

    lang = roxywi_common.get_user_lang_for_flask()
@ -69,8 +70,8 @@ def waf_overview(serv: str, waf_service: str, claims: dict) -> str:
    return render_template('ajax/overviewWaf.html', service_status=servers_sorted, role=role, waf_service=waf_service, lang=lang)


-def change_waf_mode(waf_mode: str, server_hostname: str, service: str):
-    serv = server_sql.select_server_by_name(server_hostname)
+def change_waf_mode(waf_mode: str, server_id: int, service: str):
+    serv = server_sql.get_server_by_id(server_id)

    if service == 'haproxy':
        config_dir = sql.get_setting('haproxy_dir')
@ -80,11 +81,11 @@ def change_waf_mode(waf_mode: str, server_hostname: str, service: str):
    commands = f"sudo sed -i 's/^SecRuleEngine.*/SecRuleEngine {waf_mode}/' {config_dir}/waf/modsecurity.conf"

    try:
-        server_mod.ssh_command(serv, commands)
+        server_mod.ssh_command(serv.ip, commands)
    except Exception as e:
        return str(e)

-    roxywi_common.logging(serv, f'Has been changed WAF mod to {waf_mode}', roxywi=1, login=1)
+    roxywi_common.logging(serv.hostname, f'Has been changed WAF mod to {waf_mode}', roxywi=1, login=1)


 def switch_waf_rule(serv: str, enable: int, rule_id: int):
--- a/app/modules/server/ssh.py
+++ b/app/modules/server/ssh.py
@ -11,6 +11,7 @@ import app.modules.db.group as group_sql
 import app.modules.db.server as server_sql
 import app.modules.common.common as common
 from app.modules.server import ssh_connection
+from app.modules.db.db_model import Cred
 import app.modules.roxywi.common as roxywi_common
 import app.modules.roxy_wi_tools as roxy_wi_tools
 from app.modules.roxywi.class_models import IdResponse, IdDataResponse, CredRequest
@ -212,10 +213,20 @@ def get_creds(group_id: int = None, cred_id: int = None, not_shared: bool = Fals
 		creds = cred_sql.select_ssh()

 	for cred in creds:
-		cred_dict = model_to_dict(cred)
+		if cred.shared and group_id != cred.group_id:
+			cred_dict = model_to_dict(cred, exclude={Cred.password, Cred.passphrase})
+		else:
+			cred_dict = model_to_dict(cred)
+			if cred_dict['password']:
+				try:
+					cred_dict['password'] = decrypt_password(cred_dict['password'])
+				except Exception:
+					pass
+			if cred_dict['passphrase']:
+				cred_dict['passphrase'] = decrypt_password(cred_dict['passphrase'])
 		cred_dict['name'] = cred_dict['name'].replace("'", "")

-		if cred.key_enabled == 1:
+		if cred.key_enabled == 1 and group_id == cred.group_id:
 			ssh_key_file = _return_correct_ssh_file(cred)
 			if os.path.isfile(ssh_key_file):
 				with open(ssh_key_file, 'rb') as key:
@ -224,13 +235,6 @@ def get_creds(group_id: int = None, cred_id: int = None, not_shared: bool = Fals
 				cred_dict['private_key'] = ''
 		else:
 			cred_dict['private_key'] = ''
-		if cred_dict['password']:
-			try:
-				cred_dict['password'] = decrypt_password(cred_dict['password'])
-			except Exception:
-				pass
-		if cred_dict['passphrase']:
-			cred_dict['passphrase'] = decrypt_password(cred_dict['passphrase'])
 		json_data.append(cred_dict)
 	return json_data

--- a/app/routes/waf/routes.py
+++ b/app/routes/waf/routes.py
@ -194,19 +194,13 @@ def create_rule(service, server_ip):
        return roxywi_common.handle_json_exceptions(e, 'Cannot create WAF rule', server_ip,)


-@bp.route('/<service>/mode/<server_name>/<waf_mode>')
-def change_waf_mode(service, server_name, waf_mode):
-    if service not in ('haproxy', 'nginx'):
-        return roxywi_common.handle_json_exceptions('Wrong service', '', server_name)
-
-    server_name = common.checkAjaxInput(server_name)
-    waf_mode = common.checkAjaxInput(waf_mode)
-
+@bp.route('/<any(haproxy, nginx):service>/mode/<int:server_id>/<any(On, Off, DetectionOnly):waf_mode>')
+def change_waf_mode(service, server_id, waf_mode):
    try:
-        roxy_waf.change_waf_mode(waf_mode, server_name, service)
-        return jsonify({'status': 'updated'})
+        roxy_waf.change_waf_mode(waf_mode, server_id, service)
+        return jsonify({'status': 'Ok'})
    except Exception as e:
-        return roxywi_common.handle_json_exceptions(e, 'Cannot change WAF mode', server_name)
+        return roxywi_common.handle_json_exceptions(e, 'Cannot change WAF mode', server_id)


@bp.route('/overview/<service>/<server_ip>')
@ -223,11 +217,10 @@ def overview_waf(service, server_ip):
    return roxy_waf.waf_overview(server_ip, service, claims)


-@bp.route('/metric/enable/<int:enable>/<server_name>')
-def enable_metric(enable, server_name):
-    server_name = common.checkAjaxInput(server_name)
+@bp.route('/metric/enable/<int:enable>/<int:server_id>')
+def enable_metric(enable, server_id):
    try:
-        waf_sql.update_waf_metrics_enable(server_name, enable)
+        waf_sql.update_waf_metrics_enable(server_id, enable)
        return jsonify({'status': 'updated'})
    except Exception as e:
-        return roxywi_common.handle_json_exceptions(e, 'Cannot enable WAF metrics', server_name)
+        return roxywi_common.handle_json_exceptions(e, 'Cannot enable WAF metrics', server_id)
--- a/app/static/js/waf.js
+++ b/app/static/js/waf.js
@ -33,9 +33,9 @@ function metrics_waf(name) {
 	if ($('#' + name).is(':checked')) {
 		enable = '1';
 	}
-	name = name.split('metrics')[1]
+	let server_id = name.split('-')[1]
 	$.ajax({
-		url: "/waf/metric/enable/" + enable + "/" + name,
+		url: "/waf/metric/enable/" + enable + "/" + server_id,
 		contentType: "application/json; charset=utf-8",
 		success: function (data) {
 			if (data.status === 'failed') {
@ -70,7 +70,7 @@ function installWaf(ip1) {
 	});
 }
 function changeWafMode(id) {
-	let waf_mode = $('#' + id + ' option:selected').val();
+	let waf_mode = $('#' + id).val();
 	let server_hostname = id.split('_')[0];
 	let service = cur_url[0];
 	$.ajax({
--- a/app/templates/ajax/overviewWaf.html
+++ b/app/templates/ajax/overviewWaf.html
@ -21,7 +21,6 @@
 		<span class="serverNone server-status" title="WAF {{lang.words.is}} {{lang.words.not}} {{lang.words.installed}}"></span> <span title="WAF {{lang.words.is}} {{lang.words.not}} {{lang.words.installed}}">{{ service.0 }}</span>
 	{% endif %}
 	</td>
-{{service.3}}
 	{% if service.3 == "On" or service.3 == "Off" or service.3 == "DetectionOnly" %}
 		<td>
 		{% if role <= 2 %}
@ -44,7 +43,7 @@
 		</td>
 		<td>
 		{% if role <= 2 %}
-			<select class="waf_mode" id="{{ service.0 }}_select">
+			<select class="waf_mode" id="{{ service.6 }}_select">
 				{% for waf_mode in waf_modes %}
 					{% if service.3 == waf_mode %}
 					<option value={{waf_mode}} selected="selected">{{waf_mode}}</option>
@ -60,9 +59,9 @@
 		{% if waf_service == 'haproxy' %}
 		<td class="ajaxwafstatus">
 		{% if service.4|int() == 1 %}
-			<label for="metrics{{ service.0 }}"></label><input type="checkbox" id="metrics{{ service.0 }}" checked />
+			<label for="metrics-{{ service.6 }}"></label><input type="checkbox" id="metrics-{{ service.6 }}" checked />
 		{% else %}
-			<label for="metrics{{ service.0 }}"></label><input type="checkbox" id="metrics{{ service.0 }}" />
+			<label for="metrics-{{ service.6 }}"></label><input type="checkbox" id="metrics-{{ service.6 }}" />
 		{% endif %}
 		</td>
 		{% endif %}
@ -94,7 +93,7 @@
 		$( ".waf_mode" ).on('selectmenuchange',function() {
 			var id = $(this).attr('id');
 			changeWafMode(id)
-		});	
+		});
 		$( ".ajaxwafstatus input" ).change(function() {
 			var id = $(this).attr('id');
 			metrics_waf(id);
--- a/app/templates/waf.html
+++ b/app/templates/waf.html
@ -155,7 +155,7 @@
 	{% if servers_all|length == 0 %}
 		{% include 'include/getstarted.html' %}
 	{% else %}
-	<table class="overview">
+	<table class="overview" id="waf_servers_table">
 		<tr class="overviewHead">
 			<td class="padding10 first-collumn">{{lang.words.server|title()}}</td>
 			<td>{{lang.words.actions|title()}}</td>