def import_application(conn, headerid, modlog_dict, modssl_dict):
"""
import all applications from sqlite3
:param conn: sqlite3 connector
:param headerid: dict to retrieve sqlite3 id of header generated in previous method
:param modlog_dict: dict to retrieve sqlite3 id of modlog generated in previous method
:param modssl_dict: dict to retrieve sqlite3 id of ssl profile generated in previous method
"""
appid_application = dict()
app_log = dict()
appid_logid = dict()
appid_headerid = dict()
appid_intfid = dict()
listenertolistenaddress = dict()
appid_interfaceid = dict()
cluster = Cluster.objects.get()
node = cluster.get_current_node()
# select the first interface which is em0
# FIXME: ask user on which interface to bind all the listeners
# FIXME : Obsolet method
em = node.get_interfaces()[0].id
# generate list for every table in sqlite database
intf = conn.cursor()
intf.execute("SELECT * FROM intf")
intf_sql = intf.fetchall()
app = conn.cursor()
app.execute("SELECT * FROM app")
application_sql = app.fetchall()
app_intf = conn.cursor()
app_intf.execute("SELECT * FROM app_intf")
app_intf_sql = app_intf.fetchall()
log = conn.cursor()
log.execute("SELECT * FROM log")
log_sql = log.fetchall()
header = conn.cursor()
header.execute("SELECT * FROM header")
header_sql = header.fetchall()
plugincontent = conn.cursor()
plugincontent.execute("SELECT * FROM plugincontent")
plugincontent_sql = plugincontent.fetchall()
pluginheader = conn.cursor()
pluginheader.execute("SELECT * FROM pluginheader")
pluginheader_sql = pluginheader.fetchall()
logger.info("Importing network interfaces")
# Retrieve index in database of each name fields of "app_intf" table
col_name_list_app_intf = [tuple[0] for tuple in app_intf.description]
app_intf_id = col_name_list_app_intf.index("id")
app_intf_app_id = col_name_list_app_intf.index("app_id")
app_intf_intf_id = col_name_list_app_intf.index("intf_id")
# Retrieve index in database of each name fields of "intf" table
col_name_list_intf = [tuple[0] for tuple in intf.description]
intf_id = col_name_list_intf.index("id")
intf_name = col_name_list_intf.index("name")
intf_ip = col_name_list_intf.index("ip")
intf_port = col_name_list_intf.index("port")
intf_log_id = col_name_list_intf.index("log_id")
# Retrieve index in database of each name fields of "app" table
col_name_list_app = [tuple[0] for tuple in app.description]
app_id = col_name_list_app.index("id")
app_friendly_name = col_name_list_app.index("friendly_name")
app_name = col_name_list_app.index("name")
app_url = col_name_list_app.index("url")
app_log_id = col_name_list_app.index("log_id")
app_logon_url = col_name_list_app.index("logon_url")
app_auth_id = col_name_list_app.index("auth_id")
app_auth_url = col_name_list_app.index("auth_url")
app_Balancer_Name = col_name_list_app.index("Balancer_Name")
app_Balancer_Node = col_name_list_app.index("Balancer_Node")
app_enable_ssl = col_name_list_app.index("enable_ssl")
app_ssl_configuration_id = col_name_list_app.index("ssl_configuration_id")
# Retrieve index in database of each name fields of "log" table
col_name_list_log = [tuple[0] for tuple in log.description]
logs_id = col_name_list_log.index("id")
logs_name = col_name_list_log.index("name")
logs_level = col_name_list_log.index("level")
logs_format = col_name_list_log.index("format")
# Retrieve index in database of each name fields of "header" table
col_name_list_header = [tuple[0] for tuple in header.description]
header_id = col_name_list_header.index("id")
header_name = col_name_list_header.index("name")
header_type = col_name_list_header.index("type")
header_value = col_name_list_header.index("value")
header_app_id = col_name_list_header.index("app_id")
# Retrieve index in database of each name fields of "pluginheader" table
col_name_list_plugin_header = [tuple[0] for tuple in pluginheader.description]
pluginheader_id = col_name_list_plugin_header.index("id")
pluginheader_app_id = col_name_list_plugin_header.index("app_id")
pluginheader_pattern = col_name_list_plugin_header.index("pattern")
pluginheader_type = col_name_list_plugin_header.index("type")
pluginheader_options = col_name_list_plugin_header.index("options")
pluginheader_options1= col_name_list_plugin_header.index("options1")
# Retrieve index in database of each name fields of "plugincontent" table
col_name_list_plugin_content = [tuple[0] for tuple in plugincontent.description]
plugincontent_id = col_name_list_plugin_content.index("id")
plugincontent_app_id = col_name_list_plugin_content.index("app_id")
plugincontent_pattern = col_name_list_plugin_content.index("pattern")
plugincontent_type = col_name_list_plugin_content.index("type")
plugincontent_options = col_name_list_plugin_content.index("options")
plugincontent_options1 = col_name_list_plugin_content.index("options1")
for i in app_intf_sql:
appid_interfaceid[i[app_intf_app_id]] = i[app_intf_intf_id]
# generate every listener on the current node
for i in intf_sql:
logger.info("Listener " + str(i[intf_name]))
node = cluster.get_current_node()
listener = Listener()
listener.alias = str(i[intf_name])
listener.ip = str(i[intf_ip])
listener.version = "4"
listener.prefixlen = "255.255.255.0"
listener.is_carp = False
listener.is_physical = False
listener.is_gui = False
listener.is_ghost = False
listener.save()
# dictionary to link listener to listen address
listenertolistenaddress[i[intf_id]] = listener
logger.info("Creating listener " + str(listener.alias))
selected_intf = Interface.objects.with_id(em)
selected_intf.inet_addresses.append(listener) # append the listen address in the interface
selected_intf.save()
listener.deploy_inet()
node.interfaces[intf_id] = selected_intf # add the interface modified into the node
node.save()
appid_listenaddress = dict()
logger.info("End of network interfaces import process")
logger.info("Importing applications")
for app in application_sql:
application = Application()
outgoing_headers = []
content_rules = []
headers_in = []
public_dir = ""
# Retrieve fqdn and public_dir from app[app_friendly_name]
tmp = app[app_friendly_name].split("/")
fqdn = tmp[0]
public_dir = app[app_friendly_name].replace(fqdn, "")
if not public_dir.endswith('/'):
public_dir = public_dir + '/'
# if there's an authentication portal (app[app_logon_url]) then auth = True
if app[app_logon_url] is None:
need_auth = False
else:
need_auth = True
# retrieve type of application
if app[app_url].split(":")[0] == "balancer": # if the url start with "balancer://" , app_type=balanced
app_type = "balanced"
# [app_Balancer_Name] = balancer uri
application.proxy_balancer = ProxyBalancer.objects.get(name=app[app_Balancer_Name])
else:
app_type = app[app_url].split(":")[0] # otherwise; filetype is before ":" (http,https,ftp...)
# retrieve log profile linked to this app (we generated the profile earlier, now we find it back)
for j in log_sql:
if app[app_log_id] == j[logs_id]: # if app[app_log_id] =logs_id of the application match => link
app_log[app[app_friendly_name]] = j[logs_level] # link appname -> log_level found
appid_logid[app[app_id]] = j[logs_id]
# generate a listen_address for this app based on the interface generated earlier
for j in intf_sql:
if appid_interfaceid[app[app_id]] == j[intf_id]: # find link between interface and app_id
interface_id = j[intf_id]
intf.execute("SELECT * FROM intf WHERE id =?", (interface_id,)) # select interface in db with link
interface = intf.fetchone()
appid_intfid[app[app_id]] = interface[0] # appid_interfaceid appid:interfaceid
listen_address = ListenAddress()
# apprend address of listener to current listen address
listen_address.address = listenertolistenaddress[j[intf_id]]
listen_address.port = str(j[intf_port])
listen_address.redirect = False
listen_address.redirect_port = ""
# if this app uses a specific SSL profile, then load it
if app[app_enable_ssl] == 1:
listen_address.ssl_profile = modssl_dict[app[app_ssl_configuration_id]]
listen_address.save()
appid_listenaddress[app[app_id]] = listen_address
# Retrieve all request headers except SSL headers (not managed in vulture3)
for j in header_sql:
if app[app_id] == j[header_app_id]:
if j[header_name] != "SSL_CLIENT_S_DN_CN" and \
j[header_name] != "SSL_CLIENT_S_DN_O" and j[header_name] != "SSL_CLIENT_S_DN_OU":
appid_headerid[str(app[app_id])] = j[header_id]
headers_in.append(headerid[j[header_id]])
# Retrieve headers in "pluginheader" table
for j in pluginheader_sql:
if j[pluginheader_app_id] == app[app_id]:
headerin = HeaderIn()
headerin.name = j[pluginheader_pattern]
headerin.action = "edit"
headerin.value = j[pluginheader_options]
headerin.replacement = j[pluginheader_options1]
headerin.condition = "always"
headerin.save()
headers_in.append(headerin)
""" generate each type of header out and contentrule. Stored in the same table "plugincontent"
with non consistent fields."""
for i in plugincontent_sql:
if i[plugincontent_type] == "Rewrite Content" and i[plugincontent_app_id] == app[app_id]:
content_rule = ContentRule()
content_rule.path_type = "files"
content_rule.path = ""
content_rule.types = ""
content_rule.flags = ""
content_rule.deflate = True
content_rule.inflate = False
content_rule.pattern = i[plugincontent_pattern]
content_rule.replacement = i[plugincontent_options]
content_rule.save()
content_rules.append(content_rule)
if i[plugincontent_type] == "Rewrite Link" and i[plugincontent_app_id] == app[app_id]:
headerout = HeaderOut()
headerout.name = "Link"
headerout.value = i[plugincontent_options]
headerout.replacement = i[plugincontent_pattern]
headerout.action = "edit"
headerout.condition = "always"
headerout.save()
outgoing_headers.append(headerout)
if i[plugincontent_type] == "Location" and i[plugincontent_app_id] == app[app_id]:
headerout = HeaderOut()
headerout.name = i[plugincontent_pattern]
headerout.value = i[plugincontent_options1]
headerout.replacement = i[plugincontent_options]
headerout.action = "edit"
headerout.condition = "always"
headerout.save()
outgoing_headers.append(headerout)
# retrieve the Vulture Internal Database repository for authentication.
repo_list = BaseAbstractRepository.get_auth_repositories()
for repo in repo_list:
if repo.is_internal and isinstance(repo.get_backend(), MongoEngineBackend):
auth_backend = repo
# select the default worker
worker = Worker.objects.first()
# auth_backend = ""
# populate each field of app generated before
application.name = app[app_friendly_name]
application.type = app_type
application.public_name = fqdn
application.private_uri = app[app_url]
application.public_dir = public_dir
application.proxy_add_header = False
application.access_mode = []
# retrieve log profile generated that have a link with this app
for j in log_sql:
application.log_custom = modlog_dict[appid_logid[app[app_id]]]
tmp = application.log_custom.format
tmp = tmp.replace("\\", "") # remove escaping chars from mongo
application.log_custom.format = tmp
application.log_level = app_log[app[app_friendly_name]]
application.headers_in = headers_in
application.headers_out = outgoing_headers
application.content_rules = content_rules
application.listeners.append(appid_listenaddress[app[app_id]])
application.force_tls = False
application.worker = worker
application.methods = "HEAD,GET,POST"
application.enable_h2 = False
application.enable_rpc = False
application.need_auth = need_auth
if need_auth:
application.auth_type = "basic"
application.auth_backend = str(auth_backend)
application.auth_backend_fallback = str(auth_backend)
application.auth_portal = str(application.private_uri + app[app_logon_url])
application.auth_timeout = "900"
application.auth_timeout_restart = True
application.sso_enabled = False
if application.sso_enabled:
application.sso_forward = "form"
application.sso_forward_basic_mode = "autologon"
application.sso_forward_only_login = False
application.sso_forward_basic_url = "http=//your_internal_app/action.do?what=login"
application.sso_forward_follow_redirect = False
application.sso_forward_return_post = False
application.sso_forward_content_type = "default"
application.sso_url = "http://your_internal_app/action.do?what=login"
application.sso_vulture_agent = False
application.sso_capture_content_enabled = False
application.sso_capture_content = ""
application.sso_replace_content_enabled = False
application.sso_replace_content = "By previously captured '$1'/"
application.sso_after_post_request_enabled = False
application.sso_after_post_request = "http://My_Responsive_App.com/Default.aspx"
application.sso_after_post_replace_content_enabled = False
application.sso_after_post_replace_content = ""
logger.info("Saving application: " + str(application))
application.save()
appid_application[app[app_id]] = application.id
logger.info("End of applications import process")
return appid_application
def edit(request, object_id=None):
""" View dedicated to application management
:param object_id: MongoDB object_id of application
:param request: Django request object
"""
# Retrieving application configuration
application = Application.objects.with_id(ObjectId(object_id))
specific_rules_set = []
incoming_headers = []
outgoing_headers = []
content_rules = []
listeners = []
listeners_ips = []
svms = []
activated_svms = []
# Application doesn"'t exist ==> We want to create a new one
# Fix some default values
if not application and request.method != 'POST':
application = Application(name="My App",
type="http",
public_name="www.example.com",
public_alias="www.ex_1.fr",
public_dir="/",
private_uri="https://192.168.1.1/owa/")
# Fix default security rules
incoming_headers.append(
HeaderOut(True, 'unset', '^X-Forwarded-', '', '', 'always', ''))
# outgoing_headers.append(HeaderOut ('set', 'Content-Security-Policy', 'default-src \'self\'', '', 'always', ''))
outgoing_headers.append(
HeaderOut(True, 'set', 'X-Frame-Options', 'SAMEORIGIN', '',
'always', ''))
outgoing_headers.append(
HeaderOut(True, 'set', 'X-Content-Type-Options', 'nosniff', '',
'always', ''))
outgoing_headers.append(
HeaderOut(True, 'set', 'X-XSS-Protection', '1; mode=block', '',
'always', ''))
application.headers_in = incoming_headers
application.headers_out = outgoing_headers
# Check if request are valid - and populate arrays with form values
if request.method == 'POST':
dataPosted = request.POST
dataPostedRaw = str(request.body).split("&")
has_listener = False
dataPosted_length = len(dataPostedRaw)
if application and not "enabled=on" in dataPostedRaw:
application.delete_listeners()
for data in dataPostedRaw:
if data.startswith("address_"):
# Listener management
for cpt in range(dataPosted_length):
if data.startswith("address_" + str(cpt) + "="):
inet = None
port = None
redirect_port = None
try:
listener_id = dataPosted['address_' + str(cpt)]
inet = Listener.objects.with_id(
ObjectId(listener_id))
except Exception as e:
pass
try:
port = dataPosted['port_' + str(cpt)]
except Exception as e:
pass
try:
redirect_port = dataPosted['redirect_port_' +
str(cpt)]
except Exception as e:
pass
try:
ssl_profile = ModSSL.objects.with_id(
ObjectId(dataPosted['ssl_profile_' +
str(cpt)]))
except Exception as e:
ssl_profile = None
pass
if (inet and port):
address = ListenAddress(
address=inet,
port=port,
ssl_profile=ssl_profile,
redirect_port=redirect_port)
""" Add '1' because we don't want to save yet the listener """
address.related_node = address.get_related_node(1)
listeners.append(address)
listeners_ips.append(
(address.related_node, inet.ip, port))
has_listener = True
dataPosted_length -= 4
if data.startswith("SpecificRS_url_"):
for cpt in range(dataPosted_length):
if data.startswith("SpecificRS_url_" + str(cpt) + "="):
# Force default values to prevent injection or any problem
specific_rs_url = dataPosted.get(
'SpecificRS_url_' + str(cpt), '/login/')
try:
specific_rs_rs = ModSecRulesSet.objects.with_id(
ObjectId(
dataPosted.get(
'modsec_specific_rs_select' + str(cpt),
None)))
except:
specific_rs_rs = ModSecRulesSet.objects.first()
specific_rs = ModSecSpecificRulesSet(
url=specific_rs_url, rs=specific_rs_rs)
specific_rules_set.append(specific_rs)
cpt -= 2
# Incoming header management
if data.startswith("header_action_"):
for cpt in range(dataPosted_length):
if data.startswith("header_action_" + str(cpt) + "="):
# Force harmless default values to prevent any injection or jQuery problem
header_enable = (dataPosted.get(
'header_enable_' + str(cpt), 'off') == 'on')
header_action = dataPosted.get(
'header_action_' + str(cpt), 'add')
header_name = dataPosted.get('header_name_' + str(cpt),
'Vulture')
header_value = dataPosted.get(
'header_value_' + str(cpt), '')
header_replacement = dataPosted.get(
'header_replacement_' + str(cpt), '')
header_condition = dataPosted.get(
'header_condition_' + str(cpt), 'always')
header_condition_v = dataPosted.get(
'header_condition_v_' + str(cpt), '')
# FIXME: Coherence control
header = HeaderIn(header_enable, header_action,
header_name, header_value,
header_replacement, header_condition,
header_condition_v)
incoming_headers.append(header)
dataPosted_length -= 7
# Outgoing header management
if data.startswith("header_out_action_"):
for cpt in range(dataPosted_length):
if data.startswith("header_out_action_" + str(cpt) + "="):
# Force harmless default values to prevent any injection or jQuery problem
header_enable = (dataPosted.get(
'header_out_enable_' + str(cpt), 'off') == 'on')
header_action = dataPosted.get(
'header_out_action_' + str(cpt), 'add')
header_name = dataPosted.get(
'header_out_name_' + str(cpt), 'Vulture')
header_value = dataPosted.get(
'header_out_value_' + str(cpt), '')
header_replacement = dataPosted.get(
'header_out_replacement_' + str(cpt), '')
header_condition = dataPosted.get(
'header_out_condition_' + str(cpt), 'always')
header_condition_v = dataPosted.get(
'header_out_condition_v_' + str(cpt), '')
# FIXME: Coherence control
header = HeaderOut(header_enable, header_action,
header_name, header_value,
header_replacement,
header_condition,
header_condition_v)
outgoing_headers.append(header)
dataPosted_length -= 7
# # Content rules management
if data.startswith("content_types_"):
for cpt in range(dataPosted_length):
if data.startswith("content_types_" + str(cpt) + "="):
# Force harmless default values to prevent any injection
# or jQuery problem
content_enable = True if dataPosted.get(
'content_enable_' +
str(cpt), 'off') == 'on' else False
content_types = dataPosted.get(
'content_types_' + str(cpt), 'text/html')
content_condition = dataPosted.get(
'condition_' + str(cpt), '')
content_deflate = True if dataPosted.get(
'content_deflate_' +
str(cpt), 'off') == 'on' else False
content_inflate = True if dataPosted.get(
'content_inflate_' +
str(cpt), 'off') == 'on' else False
content_pattern = dataPosted.get(
'content_pattern_' + str(cpt), '')
content_replacement = dataPosted.get(
'content_replacement_' + str(cpt), '')
content_replacement_flags = dataPosted.get(
'content_replacement_flags_' + str(cpt), '')
# FIXME: Coherence control
rule = ContentRule(content_enable, content_types,
content_condition, content_deflate,
content_inflate, content_pattern,
content_replacement,
content_replacement_flags)
content_rules.append(rule)
dataPosted_length -= 8
# SVMs management
if data.startswith("checkbox_chart_uri_analysis_"):
m = re.match('checkbox_chart_uri_analysis_([0-9|a-f]+)', data)
if m:
dataset_id_ = m.group(1)
# Force harmless default values to prevent any injection or jQuery problem
svm_enable = False
try:
svm_enable = True if dataPosted.get(
'checkbox_chart_uri_analysis_' +
dataset_id_) == 'on' else False
if svm_enable:
svm = SVM.objects(dataset_used=dataset_id_,
algo_used="Levenstein")[0]
activated_svms.append(str(svm.id))
logger.debug(
"Activated SVM with id '{}' for application saved"
.format(str(svm.id)))
except KeyError:
pass
except Exception as e:
logger.error(
"Unable to retrieve activated SVM - Dataset_id:{}, algo_used:Levenstein - Exception: {}"
.format(dataset_id_, str(e)))
if data.startswith("checkbox_chart_uri_analysis_2_"):
m = re.match('checkbox_chart_uri_analysis_2_([0-9|a-f]+)',
data)
if m:
dataset_id_ = m.group(1)
# Force harmless default values to prevent any injection or jQuery problem
svm_enable = False
try:
svm_enable = True if dataPosted.get(
'checkbox_chart_uri_analysis_2_' +
dataset_id_) == 'on' else False
if svm_enable:
svm = SVM.objects(dataset_used=dataset_id_,
algo_used="Levenstein2")[0]
activated_svms.append(str(svm.id))
logger.debug(
"Activated SVM with id '{}' for application saved"
.format(str(svm.id)))
except KeyError:
pass
except Exception as e:
logger.error(
"Unable to retrieve activated SVM - Dataset_id:{}, algo_used:Levenstein2 - Exception: {}"
.format(dataset_id_, str(e)))
if data.startswith("checkbox_chart_bytes_received_"):
m = re.match('checkbox_chart_bytes_received_([0-9|a-f]+)',
data)
if m:
dataset_id_ = m.group(1)
# Force harmless default values to prevent any injection or jQuery problem
svm_enable = False
try:
svm_enable = True if dataPosted.get(
'checkbox_chart_bytes_received_' +
dataset_id_) == 'on' else False
if svm_enable:
svm = SVM.objects(
dataset_used=dataset_id_,
algo_used="HTTPcode_bytes_received")[0]
activated_svms.append(str(svm.id))
logger.debug(
"Activated SVM with id '{}' for application saved"
.format(str(svm.id)))
except KeyError:
pass
except Exception as e:
logger.error(
"Unable to retrieve activated SVM - Dataset_id:{}, algo_used:HTTPcode_bytes_received - Exception: {}"
.format(dataset_id_, str(e)))
if data.startswith("checkbox_chart_ratio_"):
m = re.match('checkbox_chart_ratio_([0-9|a-f]+)', data)
if m:
dataset_id_ = m.group(1)
# Force harmless default values to prevent any injection or jQuery problem
svm_enable = False
try:
svm_enable = True if dataPosted.get(
'checkbox_chart_ratio_' +
dataset_id_) == 'on' else False
if svm_enable:
svm = SVM.objects(dataset_used=dataset_id_,
algo_used="Ratio")[0]
activated_svms.append(str(svm.id))
logger.debug(
"Activated SVM with id '{}' for application saved"
.format(str(svm.id)))
except KeyError:
pass
except Exception as e:
logger.error(
"Unable to retrieve activated SVM - Dataset_id:{}, algo_used:Ratio - Exception: {}"
.format(dataset_id_, str(e)))
form = ApplicationForm(request.POST,
instance=application,
listeners=listeners)
else:
if not object_id:
try:
rulesset_vulture = [
ModSecRulesSet.objects.get(name="Vulture RS").id
]
except ModSecRulesSet.DoesNotExist:
rulesset_vulture = []
form = ApplicationForm(initial={
"rules_set":
rulesset_vulture,
"modsec_policy":
ModSec.objects.get(name="Default Policy")
},
instance=application)
else:
form = ApplicationForm(
initial={'rules_set': [x.id for x in application.rules_set]},
instance=application)
incoming_headers = application.headers_in
outgoing_headers = application.headers_out
content_rules = application.content_rules
specific_rules_set = list()
for i in application.specific_rules_set:
specific_rules_set.append(
ModSecSpecificRulesSet(url=re.sub('^' + application.public_dir,
'', i.url),
rs=i.rs))
# We replace '\' by '\\' in strings because they're interpreted by templates
for tmp_rule in content_rules:
tmp_rule.pattern = tmp_rule.pattern.replace("\\", "\\\\")
tmp_rule.replacement = tmp_rule.replacement.replace("\\", "\\\\")
listeners = application.listeners
svms = [
SVM.objects(id=ObjectId(svm_id)).no_dereference().only(
'dataset_used', 'algo_used', 'id').first()
for svm_id in application.activated_svms
]
# Saving information into database and redirect to application list
if request.method == 'POST' and form.is_valid():
# Listener is mandatory
if has_listener:
old_app = Application.objects.with_id(ObjectId(object_id))
# 1) Remove old listeners, headers and content rules
if old_app and old_app.listeners:
for listener in old_app.listeners:
ip = listener.address.ip
port = listener.port
n = listener.related_node
""" Stop the listener if there is only this app running on it """
if (n, ip, port) not in listeners_ips:
logger.info("Stopping listener {}:{}".format(ip, port))
listener.stop()
listener.delete()
if old_app and old_app.headers_in:
for header in old_app.headers_in:
header.delete()
if old_app and old_app.headers_out:
for header in old_app.headers_out:
header.delete()
if old_app and old_app.content_rules:
for rule in old_app.content_rules:
rule.delete()
if old_app and old_app.specific_rules_set:
for ruleset in old_app.specific_rules_set:
ruleset.delete()
old_cookie_encryption = False
old_cookie_cipher = None
if old_app:
application.wl_bl_rules = old_app.wl_bl_rules
old_cookie_encryption = old_app.cookie_encryption
old_cookie_cipher = old_app.cookie_cipher
old_cookie_cipher_key = old_app.cookie_cipher_key
old_cookie_cipher_iv = old_app.cookie_cipher_iv
# 2) Create new listeners, headers and content rules
for listener in listeners:
listener.save()
for header in incoming_headers:
header.save()
for header in outgoing_headers:
header.save()
for rule in content_rules:
rule.save()
# 3) Assign listeners, headers and content rules
auth_backend = form.cleaned_data.get('auth_backend')
auth_backend_fallbacks = form.cleaned_data.get(
'auth_backend_fallbacks')
application = form.save(commit=False)
if auth_backend:
application.auth_backend = auth_backend
else:
application.auth_backend = None
if auth_backend_fallbacks:
application.auth_backend_fallbacks = auth_backend_fallbacks
else:
application.auth_backend_fallbacks = None
application.listeners = listeners
application.headers_in = incoming_headers
application.headers_out = outgoing_headers
application.specific_rules_set = specific_rules_set
application.content_rules = content_rules
application.activated_svms = activated_svms
if application.cookie_encryption:
if not old_cookie_encryption or not old_cookie_cipher or application.cookie_cipher != old_cookie_cipher:
application.cookie_cipher_key = get_random_string(
32
) if application.cookie_cipher == 'aes256' else get_random_string(
16)
application.cookie_cipher_iv = get_random_string(
32
) if application.cookie_cipher == 'aes256' else get_random_string(
16)
else:
application.cookie_cipher_key = old_cookie_cipher_key
application.cookie_cipher_iv = old_cookie_cipher_iv
# 4) Save application
if not application.public_dir.endswith('/'):
application.public_dir += '/'
if application.auth_portal and not application.auth_portal.endswith(
'/'):
application.auth_portal += '/'
if application.private_uri and not application.private_uri.endswith(
'/'):
application.private_uri += '/'
for ruleset in specific_rules_set:
ruleset.url = os.path.normpath(
str(application.public_dir) + '/' + str(ruleset.url))
ruleset.save()
if not object_id:
# Create BlackList/WhiteList ModSecRuleSet
modsec_wl_bl = ModSecRulesSet(
name="{} whitelist/blacklist".format(application.name),
type_rule="wlbl")
modsec_wl_bl.save()
modsec_wl_bl.conf = modsec_wl_bl.get_conf()
modsec_wl_bl.save()
application.wl_bl_rules = modsec_wl_bl
else:
# If the application is modified, modify the name of the RS references
application.wl_bl_rules.name = "{} whitelist/blacklist".format(
form.cleaned_data.get('name'))
application.wl_bl_rules.save()
for modsec_ruleset in ModSecRulesSet.objects.filter(
name="Learning {} WL"):
modsec_ruleset.name = form.cleaned_data.get('name')
modsec_ruleset.save()
if application.type == "balanced":
application.private_uri = "{}://{}".format(
application.proxy_balancer.members[0].uri_type,
application.proxy_balancer.members[0].uri)
# Check if api_call to reload rsyslogd is needed
if old_app:
if application.log_custom != old_app.log_custom or application.log_level != old_app.log_level or application.learning != old_app.learning:
application.save()
else:
application.save(no_apicall=True)
else:
application.save()
return HttpResponseRedirect('/application/')
inets = Listener.objects()
address_list = list()
vhid_list = list()
# List and categorize inet (carp or not) to render them in template
for inet in inets:
listener = dict()
if inet.is_carp:
listener['inet'] = inet
listener['id'] = getattr(inet, 'id')
vhid_list.append(inet.carp_vhid)
elif inet.carp_vhid in vhid_list:
continue
else:
listener['inet'] = inet
listener['id'] = getattr(inet, 'id')
address_list.append(listener)
ssl_profile_list = ModSSL.objects()
rules_set_list = ModSecRulesSet.objects.filter(
type_rule__in=['crs', 'trustwave', 'vulture', 'custom'])
return render_to_response('application_edit.html', {
'form': form,
'object_id': object_id,
'headers_in': incoming_headers,
'headers_out': outgoing_headers,
'content_rules': content_rules,
'listeners': listeners,
'address_list': address_list,
'ssl_profile_list': ssl_profile_list,
'application': application,
'svms': svms,
'rules_set_list': rules_set_list,
'specific_rules_set': specific_rules_set
},
context_instance=RequestContext(request))