github
/
haproxy-wi
mirror of https://github.com/Aidaho12/haproxy-wi
1
0
Fork 0
Code Issues Releases Wiki Activity

v8.0: Update credential endpoints and proxy settings 

Replaced hostname lookups with unified server object retrieval in metrics and credential management endpoints. Added proxy environment variables to ModSecurity download tasks and improved error handling across various modules.
pull/399/head
Aidaho 2024-08-30 17:25:31 +03:00
parent 03597fbeb5
commit c6e6988209
8 changed files with 54 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
app/modules/db/server.py
View File

@ -36,15 +36,6 @@ def update_server(hostname, ip, group, type_ip, enable, master, server_id, cred,
out_error(e) out_error(e)
def get_hostname_by_server_ip(server_ip):
try:
hostname = Server.get(Server.ip == server_ip)
except Exception as e:
return out_error(e)
else:
return hostname.hostname
def get_server_by_id(server_id: int) -> Server: def get_server_by_id(server_id: int) -> Server:
try: try:
return Server.get(Server.server_id == server_id) return Server.get(Server.server_id == server_id)

8
app/modules/roxywi/common.py
View File

@ -166,6 +166,7 @@ def keep_action_history(service: str, action: str, server_ip: str, login: str, u
hostname = ha_sql.select_cluster_name(int(server_id)) hostname = ha_sql.select_cluster_name(int(server_id))
except Exception as e: except Exception as e:
logging('Roxy-WI server', f'Cannot get info about cluster {server_ip} for history: {e}', roxywi=1) logging('Roxy-WI server', f'Cannot get info about cluster {server_ip} for history: {e}', roxywi=1)
return
elif service == 'UDP listener': elif service == 'UDP listener':
try: try:
server_id = int(server_ip) server_id = int(server_ip)
@ -173,12 +174,15 @@ def keep_action_history(service: str, action: str, server_ip: str, login: str, u
hostname = listener.name hostname = listener.name
except Exception as e: except Exception as e:
logging('Roxy-WI server', f'Cannot get info about Listener {server_ip} for history: {e}', roxywi=1) logging('Roxy-WI server', f'Cannot get info about Listener {server_ip} for history: {e}', roxywi=1)
return
else: else:
try: try:
server_id = server_sql.select_server_id_by_ip(server_ip=server_ip) server = server_sql.get_server_by_ip(server_ip)
hostname = server_sql.get_hostname_by_server_ip(server_ip) server_id = server.server_id
hostname = server.hostname
except Exception as e: except Exception as e:
logging('Roxy-WI server', f'Cannot get info about {server_ip} for history: {e}', roxywi=1) logging('Roxy-WI server', f'Cannot get info about {server_ip} for history: {e}', roxywi=1)
return
try: try:
history_sql.insert_action_history(service, action, server_id, user_id, user_ip, server_ip, hostname) history_sql.insert_action_history(service, action, server_id, user_id, user_ip, server_ip, hostname)

7
app/modules/service/installation.py
View File

@ -348,12 +348,17 @@ def _install_ansible_collections():
old_ansible_server = '' old_ansible_server = ''
collections = ('community.general', 'ansible.posix', 'community.docker', 'community.grafana', 'ansible.netcommon') collections = ('community.general', 'ansible.posix', 'community.docker', 'community.grafana', 'ansible.netcommon')
trouble_link = 'Read <a href="https://roxy-wi.org/troubleshooting#ansible_collection" target="_blank" class="link">troubleshooting</a>' trouble_link = 'Read <a href="https://roxy-wi.org/troubleshooting#ansible_collection" target="_blank" class="link">troubleshooting</a>'
proxy = sql.get_setting('proxy')
proxy_cmd = ''
if proxy is not None and proxy != '' and proxy != 'None':
proxy_cmd = f'HTTPS_PROXY={proxy} &&'
for collection in collections: for collection in collections:
if not os.path.isdir(f'/usr/share/httpd/.ansible/collections/ansible_collections/{collection.replace(".", "/")}'): if not os.path.isdir(f'/usr/share/httpd/.ansible/collections/ansible_collections/{collection.replace(".", "/")}'):
try: try:
if version.parse(ansible.__version__) < version.parse('2.13.9'): if version.parse(ansible.__version__) < version.parse('2.13.9'):
old_ansible_server = '--server https://old-galaxy.ansible.com/' old_ansible_server = '--server https://old-galaxy.ansible.com/'
exit_code = os.system(f'ansible-galaxy collection install {collection} {old_ansible_server}') exit_code = os.system(f'{proxy_cmd} ansible-galaxy collection install {collection} {old_ansible_server}')
except Exception as e: except Exception as e:
roxywi_common.handle_exceptions(e, roxywi_common.handle_exceptions(e,
'Roxy-WI server', 'Roxy-WI server',

15
app/modules/tools/alerting.py
View File

@ -52,9 +52,12 @@ def send_message_to_rabbit(message: str, **kwargs) -> None:
def alert_routing( def alert_routing(
server_ip: str, service_id: int, group_id: int, level: str, mes: str, alert_type: str server_ip: str, service_id: int, group_id: int, level: str, mes: str, alert_type: str
) -> None: ) -> None:
subject: str = level + ': ' + mes try:
server_id: int = server_sql.select_server_id_by_ip(server_ip) subject: str = level + ': ' + mes
checker_settings = checker_sql.select_checker_settings_for_server(service_id, server_id) server_id: int = server_sql.select_server_id_by_ip(server_ip)
checker_settings = checker_sql.select_checker_settings_for_server(service_id, server_id)
except Exception as e:
raise Exception(f'Cannot get settings: {e}')
try: try:
json_for_sending = {"user_group": group_id, "message": subject} json_for_sending = {"user_group": group_id, "message": subject}
@ -254,11 +257,13 @@ def pd_send_mess(mess, level, server_ip=None, service_id=None, alert_type=None,
try: try:
proxy = sql.get_setting('proxy') proxy = sql.get_setting('proxy')
session = pdpyras.EventsAPISession(token) session = pdpyras.EventsAPISession(token)
dedup_key = f'{server_ip} {service_id} {alert_type}' if server_ip:
dedup_key = f'{server_ip} {service_id} {alert_type}'
else:
dedup_key = f'{level}: {mess}'
except Exception as e: except Exception as e:
roxywi_common.logging('Roxy-WI server', str(e), roxywi=1) roxywi_common.logging('Roxy-WI server', str(e), roxywi=1)
raise Exception(e) raise Exception(e)
if proxy is not None and proxy != '' and proxy != 'None': if proxy is not None and proxy != '' and proxy != 'None':
proxies = dict(https=proxy, http=proxy) proxies = dict(https=proxy, http=proxy)
session.proxies.update(proxies) session.proxies.update(proxies)

10
app/routes/metric/routes.py
View File

@ -101,13 +101,13 @@ def table_metrics(service):
@bp.post('/<service>/<server_ip>') @bp.post('/<service>/<server_ip>')
def show_metric(service, server_ip): def show_metric(service, server_ip):
server_ip = common.is_ip_or_dns(server_ip) server_ip = common.is_ip_or_dns(server_ip)
hostname = server_sql.get_hostname_by_server_ip(server_ip) server = server_sql.get_server_by_ip(server_ip)
time_range = common.checkAjaxInput(request.form.get('time_range')) time_range = common.checkAjaxInput(request.form.get('time_range'))
if service in ('nginx', 'apache', 'waf'): if service in ('nginx', 'apache', 'waf'):
return jsonify(metric.service_metrics(server_ip, hostname, service, time_range)) return jsonify(metric.service_metrics(server_ip, server.hostname, service, time_range))
elif service == 'haproxy': elif service == 'haproxy':
return jsonify(metric.haproxy_metrics(server_ip, hostname, time_range)) return jsonify(metric.haproxy_metrics(server_ip, server.hostname, time_range))
return 'error: Wrong service' return 'error: Wrong service'
@ -116,11 +116,11 @@ def show_metric(service, server_ip):
@check_services @check_services
def show_http_metric(service, server_ip): def show_http_metric(service, server_ip):
server_ip = common.is_ip_or_dns(server_ip) server_ip = common.is_ip_or_dns(server_ip)
hostname = server_sql.get_hostname_by_server_ip(server_ip) server = server_sql.get_server_by_ip(server_ip)
time_range = common.checkAjaxInput(request.form.get('time_range')) time_range = common.checkAjaxInput(request.form.get('time_range'))
if service == 'haproxy': if service == 'haproxy':
return jsonify(metric.haproxy_http_metrics(server_ip, hostname, time_range)) return jsonify(metric.haproxy_http_metrics(server_ip, server.hostname, time_range))
return 'error: Wrong service' return 'error: Wrong service'

2
app/routes/server/routes.py
View File

@ -26,7 +26,7 @@ def register_api(view, endpoint, url, pk='listener_id', pk_type='int'):
register_api(ServerView, 'server', '', 'server_id') register_api(ServerView, 'server', '', 'server_id')
register_api(ServerGroupView, 'group', '/group', 'group_id') register_api(ServerGroupView, 'group', '/group', 'group_id')
register_api(CredView, 'cred', '/cred', 'creds_id') register_api(CredView, 'cred', '/cred', 'cred_id')
bp.add_url_rule('/groups', view_func=ServerGroupsView.as_view('groups'), methods=['GET']) bp.add_url_rule('/groups', view_func=ServerGroupsView.as_view('groups'), methods=['GET'])
bp.add_url_rule('/creds', view_func=CredsView.as_view('creds'), methods=['GET']) bp.add_url_rule('/creds', view_func=CredsView.as_view('creds'), methods=['GET'])

12
app/scripts/ansible/roles/waf/tasks/main.yml
View File

@ -111,6 +111,9 @@
url: "https://github.com/SpiderLabs/ModSecurity/releases/download/v{{ modsec_ver }}/modsecurity-{{ modsec_ver }}.tar.gz" url: "https://github.com/SpiderLabs/ModSecurity/releases/download/v{{ modsec_ver }}/modsecurity-{{ modsec_ver }}.tar.gz"
dest: /tmp/modsecurity.tar.gz dest: /tmp/modsecurity.tar.gz
owner: "{{ ansible_user }}" owner: "{{ ansible_user }}"
environment:
http_proxy: "{{PROXY}}"
https_proxy: "{{PROXY}}"
- name: Create HAProxy directory - name: Create HAProxy directory
become: false become: false
@ -192,6 +195,9 @@
get_url: get_url:
url: https://github.com/SpiderLabs/ModSecurity/raw/v2/master/modsecurity.conf-recommended url: https://github.com/SpiderLabs/ModSecurity/raw/v2/master/modsecurity.conf-recommended
dest: "{{ SERVICE_PATH }}/waf/modsecurity.conf" dest: "{{ SERVICE_PATH }}/waf/modsecurity.conf"
environment:
http_proxy: "{{PROXY}}"
https_proxy: "{{PROXY}}"
- name: Insert Modsec rules - name: Insert Modsec rules
blockinfile: blockinfile:
@ -237,11 +243,17 @@
get_url: get_url:
url: https://github.com/SpiderLabs/ModSecurity/raw/v2/master/unicode.mapping url: https://github.com/SpiderLabs/ModSecurity/raw/v2/master/unicode.mapping
dest: "{{ SERVICE_PATH }}/waf/unicode.mapping" dest: "{{ SERVICE_PATH }}/waf/unicode.mapping"
environment:
http_proxy: "{{PROXY}}"
https_proxy: "{{PROXY}}"
- name: Download owasp-modsecurity-crs - name: Download owasp-modsecurity-crs
get_url: get_url:
url: https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/2.2.9.tar.gz url: https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/2.2.9.tar.gz
dest: /tmp/owasp.tar.gz dest: /tmp/owasp.tar.gz
environment:
http_proxy: "{{PROXY}}"
https_proxy: "{{PROXY}}"
- name: Create owasp directory - name: Create owasp directory
file: file:

33
app/views/server/cred_views.py
View File

@ -82,11 +82,6 @@ class CredView(MethodView):
tags: tags:
- SSH credentials - SSH credentials
parameters: parameters:
- in: 'path'
name: 'creds_id'
description: 'ID of the credential to retrieve'
required: true
type: 'integer'
- in: body - in: body
name: body name: body
schema: schema:
@ -124,7 +119,7 @@ class CredView(MethodView):
return roxywi_common.handler_exceptions_for_json_data(e, 'Cannot create new cred') return roxywi_common.handler_exceptions_for_json_data(e, 'Cannot create new cred')
@validate(body=CredRequest) @validate(body=CredRequest)
def put(self, creds_id: int, body: CredRequest): def put(self, cred_id: int, body: CredRequest):
""" """
Update a credential entry Update a credential entry
--- ---
@ -132,7 +127,7 @@ class CredView(MethodView):
- SSH credentials - SSH credentials
parameters: parameters:
- in: 'path' - in: 'path'
name: 'creds_id' name: 'cred_id'
description: 'ID of the credential to retrieve' description: 'ID of the credential to retrieve'
required: true required: true
type: 'integer' type: 'integer'
@ -167,17 +162,17 @@ class CredView(MethodView):
""" """
group_id = SupportClass.return_group_id(body) group_id = SupportClass.return_group_id(body)
try: try:
self._check_is_correct_group(creds_id) self._check_is_correct_group(cred_id)
except Exception as e: except Exception as e:
return roxywi_common.handler_exceptions_for_json_data(e, ''), 404 return roxywi_common.handler_exceptions_for_json_data(e, ''), 404
try: try:
ssh_mod.update_ssh_key(creds_id, body.name, body.password, body.key_enabled, body.username, group_id) ssh_mod.update_ssh_key(cred_id, body.name, body.password, body.key_enabled, body.username, group_id)
return BaseResponse().model_dump(mode='json'), 201 return BaseResponse().model_dump(mode='json'), 201
except Exception as e: except Exception as e:
return roxywi_common.handler_exceptions_for_json_data(e, 'Cannot update SSH key') return roxywi_common.handler_exceptions_for_json_data(e, 'Cannot update SSH key')
def delete(self, creds_id: int): def delete(self, cred_id: int):
""" """
Delete a credential entry Delete a credential entry
--- ---
@ -185,7 +180,7 @@ class CredView(MethodView):
- SSH credentials - SSH credentials
parameters: parameters:
- in: 'path' - in: 'path'
name: 'creds_id' name: 'cred_id'
description: 'ID of the credential to retrieve' description: 'ID of the credential to retrieve'
required: true required: true
type: 'integer' type: 'integer'
@ -194,18 +189,18 @@ class CredView(MethodView):
description: Credential deletion successful description: Credential deletion successful
""" """
try: try:
self._check_is_correct_group(creds_id) self._check_is_correct_group(cred_id)
except Exception as e: except Exception as e:
return roxywi_common.handler_exceptions_for_json_data(e, ''), 404 return roxywi_common.handler_exceptions_for_json_data(e, ''), 404
try: try:
ssh_mod.delete_ssh_key(creds_id) ssh_mod.delete_ssh_key(cred_id)
return BaseResponse().model_dump(mode='json'), 204 return BaseResponse().model_dump(mode='json'), 204
except Exception as e: except Exception as e:
return roxywi_common.handler_exceptions_for_json_data(e, 'Cannot delete SSH key') return roxywi_common.handler_exceptions_for_json_data(e, 'Cannot delete SSH key')
@validate(body=CredUploadRequest) @validate(body=CredUploadRequest)
def patch(self, creds_id: int, body: CredUploadRequest): def patch(self, cred_id: int, body: CredUploadRequest):
""" """
Upload an SSH private key Upload an SSH private key
--- ---
@ -213,7 +208,7 @@ class CredView(MethodView):
- SSH credentials - SSH credentials
parameters: parameters:
- in: 'path' - in: 'path'
name: 'creds_id' name: 'cred_id'
description: 'ID of the credential to retrieve' description: 'ID of the credential to retrieve'
required: true required: true
type: 'integer' type: 'integer'
@ -236,7 +231,7 @@ class CredView(MethodView):
description: SSH key upload successful description: SSH key upload successful
""" """
try: try:
self._check_is_correct_group(creds_id) self._check_is_correct_group(cred_id)
except Exception as e: except Exception as e:
return roxywi_common.handler_exceptions_for_json_data(e, ''), 404 return roxywi_common.handler_exceptions_for_json_data(e, ''), 404
try: try:
@ -244,17 +239,17 @@ class CredView(MethodView):
except Exception: except Exception:
pass pass
try: try:
ssh_mod.upload_ssh_key(creds_id, body.private_key, body.passphrase) ssh_mod.upload_ssh_key(cred_id, body.private_key, body.passphrase)
return BaseResponse().model_dump(mode='json'), 201 return BaseResponse().model_dump(mode='json'), 201
except Exception as e: except Exception as e:
return roxywi_common.handler_exceptions_for_json_data(e, 'Cannot upload SSH key') return roxywi_common.handler_exceptions_for_json_data(e, 'Cannot upload SSH key')
@staticmethod @staticmethod
def _check_is_correct_group(creds_id: int): def _check_is_correct_group(cred_id: int):
if g.user_params['role'] == 1: if g.user_params['role'] == 1:
return True return True
try: try:
ssh = cred_sql.get_ssh(creds_id) ssh = cred_sql.get_ssh(cred_id)
except RoxywiResourceNotFound: except RoxywiResourceNotFound:
raise RoxywiResourceNotFound raise RoxywiResourceNotFound
if ssh.group_id != g.user_params['group_id']: if ssh.group_id != g.user_params['group_id']: