From 96f9f71a2b4b72628165a2a7037926cb9d135d28 Mon Sep 17 00:00:00 2001 From: Aidaho Date: Tue, 22 Oct 2024 11:13:16 +0300 Subject: [PATCH] v8.1.0.1: Refactor SSH and WAF modules for improved logic and readability Refactored SSH credential handling to better support shared credentials and improve code readability. Simplified WAF mode changes by switching from hostname to server ID, enhancing reliability. Updated various templates and functions to align with these changes. --- app/create_db.py | 2 +- app/modules/db/cred.py | 3 ++- app/modules/db/server.py | 9 --------- app/modules/db/waf.py | 25 ++++++------------------- app/modules/roxywi/waf.py | 15 ++++++++------- app/modules/server/ssh.py | 22 +++++++++++++--------- app/routes/waf/routes.py | 25 +++++++++---------------- app/static/js/waf.js | 6 +++--- app/templates/ajax/overviewWaf.html | 9 ++++----- app/templates/waf.html | 2 +- 10 files changed, 47 insertions(+), 71 deletions(-) diff --git a/app/create_db.py b/app/create_db.py index 0a2de27c..94cabd1b 100644 --- a/app/create_db.py +++ b/app/create_db.py @@ -680,7 +680,7 @@ def update_db_v_8_1_0_3(): def update_ver(): try: - Version.update(version='8.1.0').execute() + Version.update(version='8.1.0.1').execute() except Exception: print('Cannot update version') diff --git a/app/modules/db/cred.py b/app/modules/db/cred.py index 6cea6bdc..36542bc0 100644 --- a/app/modules/db/cred.py +++ b/app/modules/db/cred.py @@ -6,7 +6,8 @@ from app.modules.roxywi.exception import RoxywiResourceNotFound def select_ssh(**kwargs): if kwargs.get("group") and kwargs.get("cred_id") and kwargs.get("not_shared"): query = Cred.select().where( - ((Cred.id == kwargs.get('cred_id')) & (Cred.group_id == kwargs.get('group'))) + ((Cred.id == kwargs.get('cred_id')) & (Cred.group_id == kwargs.get('group'))) | + ((Cred.id == kwargs.get('cred_id')) & (Cred.shared == 1)) ) elif kwargs.get("group") and kwargs.get("cred_id"): query = Cred.select().where( 
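Review bot: With the added `| ((Cred.id == kwargs.get('cred_id')) & (Cred.shared == 1))` the `not_shared` branch of select_ssh now returns a credential belonging to another group whenever that row is flagged shared, which is the opposite of what the keyword name suggests, and the row comes back with its password and passphrase columns intact. Callers are therefore responsible for redacting those fields (get_creds in ssh.py does so in this same patch), so the contract should be stated on the branch, e.g. `# not_shared: restrict to the caller's group, but a cred flagged shared=1 is returned from any group with secrets included; the caller must redact`. If the intent really was to exclude shared credentials here, the new clause belongs in the plain group+cred_id branch below instead. select_ssh continues past the end of the hunk.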
diff --git a/app/modules/db/server.py b/app/modules/db/server.py index b24abbf0..a2b036b2 100644 --- a/app/modules/db/server.py +++ b/app/modules/db/server.py @@ -53,15 +53,6 @@ def get_server_by_ip(server_ip: str) -> Server: return out_error(e) -def select_server_by_name(name): - try: - ip = Server.get(Server.hostname == name) - except Exception as e: - return out_error(e) - else: - return ip.ip - - def insert_system_info( server_id: int, os_info: str, sys_info: dict, cpu: dict, ram: dict, network: dict, disks: dict ): diff --git a/app/modules/db/waf.py b/app/modules/db/waf.py index d33c9154..a8368fc9 100644 --- a/app/modules/db/waf.py +++ b/app/modules/db/waf.py @@ -252,34 +252,28 @@ def select_waf_rules(serv, service): & (WafRules.service == service) ) try: - query_res = query.execute() + return query.execute() except Exception as e: out_error(e) - else: - return query_res def delete_waf_rules(serv): - query = WafRules.delete().where(WafRules.serv == serv) try: - query.execute() + WafRules.delete().where(WafRules.serv == serv).execute() except Exception as e: out_error(e) def select_waf_rule_by_id(rule_id): try: - query = WafRules.get(WafRules.id == rule_id) + return WafRules.get(WafRules.id == rule_id).rule_file except Exception as e: out_error(e) - else: - return query.rule_file def update_enable_waf_rules(rule_id, serv, en): - query = WafRules.update(en=en).where((WafRules.id == rule_id) & (WafRules.serv == serv)) try: - query.execute() + WafRules.update(en=en).where((WafRules.id == rule_id) & (WafRules.serv == serv)).execute() except Exception as e: out_error(e) 
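Review bot: The four rewritten functions in the waf.py hunk still discard the value of `out_error(e)` in their except branches, so on a database error `select_waf_rules` and `select_waf_rule_by_id` fall off the end and return None, whereas `get_server_by_ip` in the server.py hunk of this same patch writes `return out_error(e)`. `select_waf_rule_by_id` is the sharper case: a missing row raises inside `WafRules.get(...)`, is swallowed, and the caller receives None where it expects a file name. If `out_error` returns an error value rather than raising, `return out_error(e)` in each except branch makes the failure visible to callers; if it always raises, a one-line comment saying so on the first of these functions would spare the next reader the question.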
@@ -300,20 +294,13 @@ def insert_new_waf_rule(rule_name: str, rule_file: str, rule_description: str, s def delete_waf_server(server_id): - query = Waf.delete().where(Waf.server_id == server_id) try: - query.execute() + Waf.delete().where(Waf.server_id == server_id).execute() except Exception as e: out_error(e) -def update_waf_metrics_enable(name, enable): - server_id = 0 - try: - server_id = Server.get(Server.hostname == name).server_id - except Exception as e: - out_error(e) - +def update_waf_metrics_enable(server_id, enable): try: Waf.update(metrics=enable).where(Waf.server_id == server_id).execute() except Exception as e: diff --git a/app/modules/roxywi/waf.py b/app/modules/roxywi/waf.py index 86f6afde..e002e549 100644 --- a/app/modules/roxywi/waf.py +++ b/app/modules/roxywi/waf.py @@ -52,15 +52,16 @@ def waf_overview(serv: str, waf_service: str, claims: dict) -> str: waf_process, waf_mode, metrics_en, - waf_len) + waf_len, + server[0]) else: server_status = (server[1], server[2], waf_process, waf_mode, metrics_en, - waf_len) - + waf_len, + server[0]) returned_servers.append(server_status) lang = roxywi_common.get_user_lang_for_flask() @@ -69,8 +70,8 @@ def waf_overview(serv: str, waf_service: str, claims: dict) -> str: return render_template('ajax/overviewWaf.html', service_status=servers_sorted, role=role, waf_service=waf_service, lang=lang) -def change_waf_mode(waf_mode: str, server_hostname: str, service: str): - serv = server_sql.select_server_by_name(server_hostname) +def change_waf_mode(waf_mode: str, server_id: int, service: str): + serv = server_sql.get_server_by_id(server_id) if service == 'haproxy': config_dir = sql.get_setting('haproxy_dir') 
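Review bot: After dropping the hostname lookup, `update_waf_metrics_enable(server_id, enable)` has no step left that confirms the server exists: `Waf.update(metrics=enable).where(Waf.server_id == server_id).execute()` on an unknown id matches zero rows and the function returns as if it had succeeded. The `enable` value is also written to the column exactly as received, and in this patch it arrives straight from the URL through the `enable_metric` route in routes.py with no check that it is 0 or 1. Consider using the affected-row count, e.g. `if not Waf.update(metrics=enable).where(Waf.server_id == server_id).execute():` / `    raise RoxywiResourceNotFound`, and normalising the flag at the route with `enable = 1 if enable == '1' else 0`. The exception name is the one cred.py imports from app.modules.roxywi.exception; confirm it is in scope in waf.py before using it.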
@@ -80,11 +81,11 @@ def change_waf_mode(waf_mode: str, server_hostname: str, service: str): commands = f"sudo sed -i 's/^SecRuleEngine.*/SecRuleEngine {waf_mode}/' {config_dir}/waf/modsecurity.conf" try: - server_mod.ssh_command(serv, commands) + server_mod.ssh_command(serv.ip, commands) except Exception as e: return str(e) - roxywi_common.logging(serv, f'Has been changed WAF mod to {waf_mode}', roxywi=1, login=1) + roxywi_common.logging(serv.hostname, f'Has been changed WAF mod to {waf_mode}', roxywi=1, login=1) def switch_waf_rule(serv: str, enable: int, rule_id: int): diff --git a/app/modules/server/ssh.py b/app/modules/server/ssh.py index e41deca1..7719b86c 100644 --- a/app/modules/server/ssh.py +++ b/app/modules/server/ssh.py @@ -11,6 +11,7 @@ import app.modules.db.group as group_sql import app.modules.db.server as server_sql import app.modules.common.common as common from app.modules.server import ssh_connection +from app.modules.db.db_model import Cred import app.modules.roxywi.common as roxywi_common import app.modules.roxy_wi_tools as roxy_wi_tools from app.modules.roxywi.class_models import IdResponse, IdDataResponse, CredRequest @@ -212,10 +213,20 @@ def get_creds(group_id: int = None, cred_id: int = None, not_shared: bool = Fals creds = cred_sql.select_ssh() for cred in creds: - cred_dict = model_to_dict(cred) + if cred.shared and group_id != cred.group_id: + cred_dict = model_to_dict(cred, exclude={Cred.password, Cred.passphrase}) + else: + cred_dict = model_to_dict(cred) + if cred_dict['password']: + try: + cred_dict['password'] = decrypt_password(cred_dict['password']) + except Exception: + pass + if cred_dict['passphrase']: + cred_dict['passphrase'] = decrypt_password(cred_dict['passphrase']) cred_dict['name'] = cred_dict['name'].replace("'", "") - if cred.key_enabled == 1: + if cred.key_enabled == 1 and group_id == cred.group_id: ssh_key_file = _return_correct_ssh_file(cred) if os.path.isfile(ssh_key_file): with open(ssh_key_file, 'rb') as key: 
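Review bot: `waf_mode` is interpolated unchanged into `commands = f"sudo sed -i 's/^SecRuleEngine.*/SecRuleEngine {waf_mode}/' ..."` and then executed on the remote host by `server_mod.ssh_command(serv.ip, commands)`, while the routes.py hunk of this patch removes the `common.checkAjaxInput(waf_mode)` call that used to sit in front of it, so the value now reaches this line straight from the URL. The only modes the overviewWaf.html template knows are On, Off and DetectionOnly, so an allow-list inside change_waf_mode closes this regardless of what the route does: `if waf_mode not in ('On', 'Off', 'DetectionOnly'):` / `    raise ValueError(f'Wrong WAF mode: {waf_mode}')`, placed right after `serv = server_sql.get_server_by_id(server_id)` (the function's signature is in the preceding hunk). The logging call now records `serv.hostname` where it previously logged the IP string, a behaviour change the commit message does not mention.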
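Review bot: In the shared-credential branch `model_to_dict(cred, exclude={Cred.password, Cred.passphrase})` leaves those two keys out of the dict, and the next statement is `if cred_dict['password']:`, which raises KeyError for every shared credential viewed from another group — the case this branch exists for. Using `if cred_dict.get('password'):` and `if cred_dict.get('passphrase'):` in the two conditions makes both branches safe; alternatively the decrypt block can move into the `else:` where the fields are known to be present. While here, the passphrase decrypt has no try/except while the password one swallows every exception with `pass` and leaves the stored ciphertext in the returned dict; on failure the field should probably be blanked rather than returned as-is. Note also that `group_id` defaults to None, so a call without a group strips secrets from every shared credential, which may or may not be intended. The loop body continues in the next hunk.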
@@ -224,13 +235,6 @@ def get_creds(group_id: int = None, cred_id: int = None, not_shared: bool = Fals cred_dict['private_key'] = '' else: cred_dict['private_key'] = '' - if cred_dict['password']: - try: - cred_dict['password'] = decrypt_password(cred_dict['password']) - except Exception: - pass - if cred_dict['passphrase']: - cred_dict['passphrase'] = decrypt_password(cred_dict['passphrase']) json_data.append(cred_dict) return json_data diff --git a/app/routes/waf/routes.py b/app/routes/waf/routes.py index 921cddbb..51c75b52 100644 --- a/app/routes/waf/routes.py +++ b/app/routes/waf/routes.py @@ -194,19 +194,13 @@ def create_rule(service, server_ip): return roxywi_common.handle_json_exceptions(e, 'Cannot create WAF rule', server_ip,) -@bp.route('//mode//') -def change_waf_mode(service, server_name, waf_mode): - if service not in ('haproxy', 'nginx'): - return roxywi_common.handle_json_exceptions('Wrong service', '', server_name) - - server_name = common.checkAjaxInput(server_name) - waf_mode = common.checkAjaxInput(waf_mode) - +@bp.route('//mode//') +def change_waf_mode(service, server_id, waf_mode): try: - roxy_waf.change_waf_mode(waf_mode, server_name, service) - return jsonify({'status': 'updated'}) + roxy_waf.change_waf_mode(waf_mode, server_id, service) + return jsonify({'status': 'Ok'}) except Exception as e: - return roxywi_common.handle_json_exceptions(e, 'Cannot change WAF mode', server_name) + return roxywi_common.handle_json_exceptions(e, 'Cannot change WAF mode', server_id) @bp.route('/overview//') 
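Review bot: The rewritten `change_waf_mode` route drops the `if service not in ('haproxy', 'nginx')` guard together with both `common.checkAjaxInput` calls, so `service`, `server_id` and `waf_mode` go to `roxy_waf.change_waf_mode` exactly as they appear in the URL; the `enable_metric` hunk below likewise removes its `checkAjaxInput`. Restoring the service guard is one line in front of the try: `if service not in ('haproxy', 'nginx'): return roxywi_common.handle_json_exceptions('Wrong service', '', server_id)`. Whether `server_id` is already constrained depends on the converter in the `@bp.route` path, which this rendering of the patch has stripped, so confirm it is an `int:` converter. The success payload also changed from `{'status': 'updated'}` to `{'status': 'Ok'}` while `enable_metric` still returns 'updated'; waf.js only tests for 'failed', so nothing breaks today, but one value for both routes would avoid a future mismatch.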
@@ -223,11 +217,10 @@ def overview_waf(service, server_ip): return roxy_waf.waf_overview(server_ip, service, claims) -@bp.route('/metric/enable//') -def enable_metric(enable, server_name): - server_name = common.checkAjaxInput(server_name) +@bp.route('/metric/enable//') +def enable_metric(enable, server_id): try: - waf_sql.update_waf_metrics_enable(server_name, enable) + waf_sql.update_waf_metrics_enable(server_id, enable) return jsonify({'status': 'updated'}) except Exception as e: - return roxywi_common.handle_json_exceptions(e, 'Cannot enable WAF metrics', server_name) + return roxywi_common.handle_json_exceptions(e, 'Cannot enable WAF metrics', server_id) diff --git a/app/static/js/waf.js b/app/static/js/waf.js index 7d18379d..74455c96 100644 --- a/app/static/js/waf.js +++ b/app/static/js/waf.js @@ -33,9 +33,9 @@ function metrics_waf(name) { if ($('#' + name).is(':checked')) { enable = '1'; } - name = name.split('metrics')[1] + let server_id = name.split('-')[1] $.ajax({ - url: "/waf/metric/enable/" + enable + "/" + name, + url: "/waf/metric/enable/" + enable + "/" + server_id, contentType: "application/json; charset=utf-8", success: function (data) { if (data.status === 'failed') { @@ -70,7 +70,7 @@ function installWaf(ip1) { }); } function changeWafMode(id) { - let waf_mode = $('#' + id + ' option:selected').val(); + let waf_mode = $('#' + id).val(); let server_hostname = id.split('_')[0]; let service = cur_url[0]; $.ajax({ diff --git a/app/templates/ajax/overviewWaf.html b/app/templates/ajax/overviewWaf.html index ac4961fd..e2d581f9 100644 --- a/app/templates/ajax/overviewWaf.html +++ b/app/templates/ajax/overviewWaf.html @@ -21,7 +21,6 @@ {{ service.0 }} {% endif %} -{{service.3}} {% if service.3 == "On" or service.3 == "Off" or service.3 == "DetectionOnly" %} {% if role <= 2 %} @@ -44,7 +43,7 @@ {% if role <= 2 %} - {% for waf_mode in waf_modes %} {% if service.3 == waf_mode %} 
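Review bot: `let server_id = name.split('-')[1]` in metrics_waf is used unchecked, so a checkbox id without a '-' yields `undefined` and the request goes to `/waf/metric/enable/<enable>/undefined`; the checkbox markup in the overviewWaf.html hunk has been stripped from this rendering, so confirm the ids it emits and add a guard such as `if (server_id === undefined) { return; }` before the `$.ajax` call. The same pattern in changeWafMode, `let server_hostname = id.split('_')[0];`, now feeds a route that takes a server id, so the variable name is misleading and would be clearer as `server_id`; that function's body continues past the end of the hunk.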
@@ -60,9 +59,9 @@ {% if waf_service == 'haproxy' %} {% if service.4|int() == 1 %} - + {% else %} - + {% endif %} {% endif %} @@ -94,7 +93,7 @@ $( ".waf_mode" ).on('selectmenuchange',function() { var id = $(this).attr('id'); changeWafMode(id) - }); + }); $( ".ajaxwafstatus input" ).change(function() { var id = $(this).attr('id'); metrics_waf(id); diff --git a/app/templates/waf.html b/app/templates/waf.html index c0c9711c..ad57c567 100644 --- a/app/templates/waf.html +++ b/app/templates/waf.html @@ -155,7 +155,7 @@ {% if servers_all|length == 0 %} {% include 'include/getstarted.html' %} {% else %} - +
{{lang.words.server|title()}} {{lang.words.actions|title()}}