Esempio n. 1
0
def delete_conf(logger, filename):
    """ """
    # Import here to prevent circular import
    from system.error_templates.models import CONF_PATH as ERROR_TPL_PATH
    from applications.reputation_ctx.models import DATABASES_PATH as REPUTATION_CTX_DB_PATH
    from system.pki.models import CERT_PATH
    from darwin.defender_policy.models import DEFENDER_PATH
    from darwin.defender_policy.policy import HAPROXY_PATH
    from services.darwin.darwin import DARWIN_PATH
    from services.rsyslogd.rsyslog import RSYSLOG_PATH

    allowed_files_regex = [
        "{}/\w+_\d+\.html".format(ERROR_TPL_PATH),
        "{}/reputation_ctx_\d+\.mmdb".format(REPUTATION_CTX_DB_PATH),
        "{}/[\w\_\-\.]+-\d\.(chain|crt|pem|key)".format(CERT_PATH),
        "{}/defender_[0-9]+?\.conf".format(DEFENDER_PATH),
        "{}/spoe_defender_[0-9]+?\.txt".format(HAPROXY_PATH),
        "{}/backend_defender_[0-9]+?\.cfg".format(HAPROXY_PATH),
        "{}/parser_[0-9]+\.rb".format(RSYSLOG_PATH),
        "{}/f[\w-]+/f[\w-]+_[0-9]+.conf".format(DARWIN_PATH)
    ]

    allowed = False
    for regex in allowed_files_regex:
        if re_match(regex, filename):
            allowed = True
            break

    if not allowed:
        raise VultureSystemConfigError(
            "File '{}' not allowed to be deleted.".format(filename))

    try:
        cmd_res = check_output(["/bin/rm", filename],
                               stderr=PIPE).decode('utf8')

        if cmd_res:
            raise VultureSystemConfigError("'{}' : {}".format(
                filename, cmd_res.strip()),
                                           "delete config file",
                                           traceback=" ")

        return "Config'{}' successfully deleted.".format(filename)

    except CalledProcessError as e:
        """ Command raise if permission denied or file does not exist """
        stdout = e.stdout.decode('utf8')
        stderr = e.stderr.decode('utf8')
        # logger.exception("Failed to delete frontend filename '{}': {}".format(frontend_filename, stderr or stdout))
        raise VultureSystemError("'{}' : {}".format(filename,
                                                    (stderr or stdout)),
                                 "delete config file",
                                 traceback=" ")
Esempio n. 2
0
    def write_backend_conf(self):
        logger.info("write_backend_conf")
        new_conf = self.generate_haproxy_backend_conf()

        if not new_conf:
            return False

        filename = self.get_backend_filename()

        try:
            with open(filename, 'r') as conf_file:
                current_conf = conf_file.read()
        except Exception as error:
            logger.warning(error)
            current_conf = None

        # If we don't have any current configuration, or if our new configuration differs
        if current_conf is None or new_conf != current_conf:
            try:
                write_conf(logger,
                           [filename, new_conf, HAPROXY_OWNER, HAPROXY_PERMS])
                return True
            except Exception as e:
                raise VultureSystemConfigError(
                    "log viewer: error while writing haproxy configuration (backend) for DefenderPolicy"
                )

        return False
Esempio n. 3
0
 def save_conf(self):
     params = [self.get_filename(), self.rulebase, RSYSLOG_OWNER, RSYSLOG_PERMS]
     try:
         Cluster.api_request('system.config.models.write_conf', config=params)
     except Exception as e:  # e used by VultureSystemConfigError
         logger.error(e, exc_info=1)
         raise VultureSystemConfigError("on cluster.\nRequest failure to write_conf()")
Esempio n. 4
0
    def save_conf(self):
        """ Write configuration on disk
        """

        conf = self.generate_conf()

        params_ipsec = [
            '/usr/local/etc/ipsec.conf', conf['template_ipsec'],
            STRONGSWAN_OWNER, "644"
        ]
        params_secrets = [
            '/usr/local/etc/ipsec.secrets', conf['template_secrets'],
            STRONGSWAN_OWNER, "600"
        ]
        params_strongswan = [
            '/usr/local/etc/strongswan.conf', conf['template_strongswan'],
            STRONGSWAN_OWNER, "644"
        ]

        for params in (params_ipsec, params_secrets, params_strongswan):
            try:
                self.node.api_request('system.config.models.write_conf',
                                      config=params)
            except Exception as e:
                raise VultureSystemConfigError(
                    "on node '{}'.\nRequest failure.".format(self.node.name))
Esempio n. 5
0
    def save_conf(self):
        """
        :return   A message of what has been done
        """
        if not self.enable_external:
            return "No standalone portal, no need to write conf."

        params = [self.get_filename(), self.generate_conf(), HAPROXY_OWNER, HAPROXY_PERMS]
        for node in self.external_listener.get_nodes():
            try:
                api_res = node.api_request("system.config.models.write_conf", config=params)
                if not api_res.get('status'):
                    raise VultureSystemConfigError(". API request failure ", traceback=api_res.get('message'))
            except Exception:
                raise VultureSystemConfigError("API request failure.")

        return "Workflow configuration written."
Esempio n. 6
0
 def save_conf(self):
     """ Write configuration on disk
     """
     if not self.configuration:
         return
     params = [self.get_filename(), self.configuration, BACKEND_OWNER, BACKEND_PERMS]
     try:
         Cluster.api_request('system.config.models.write_conf', config=params)
     except Exception as e:  # e used by VultureSystemConfigError
         logger.error(e, exc_info=1)
         raise VultureSystemConfigError("on cluster.\nRequest failure to write_conf()")
Esempio n. 7
0
    def save_conf(self):
        """
        :return   A message of what has been done
        """
        if not self.authentication:
            return "No authentication activated, no need to write portal conf."

        params = [
            self.get_filename(),
            self.generate_conf(), WORKFLOW_OWNER, WORKFLOW_PERMS
        ]
        try:
            api_res = Cluster.api_request("system.config.models.write_conf",
                                          config=params)
            if not api_res.get('status'):
                raise VultureSystemConfigError(
                    ". API request failure ", traceback=api_res.get('message'))
        except Exception:
            raise VultureSystemConfigError("API request failure.")

        return "Workflow configuration written."
Esempio n. 8
0
 def save_conf(self):
     """ Write configuration on disk
     """
     conf = self.generate_conf()
     params = [
         '/usr/local/etc/openvpn/openvpn_client.conf',
         conf['template_client'], OPENVPN_OWNER, "644"
     ]
     try:
         self.node.api_request('system.config.models.write_conf',
                               config=params)
     except Exception as e:
         raise VultureSystemConfigError(
             "on node '{}'.\nRequest failure.".format(self.node.name))
Esempio n. 9
0
 def save_conf(self):
     """ Write configuration on disk
     """
     params = [
         self.absolute_filename,
         self.download_file(), DATABASES_OWNER, DATABASES_PERMS
     ]
     try:
         Cluster.api_request('system.config.models.write_conf',
                             config=params)
     except Exception as e:  # e used by VultureSystemConfigError
         raise VultureSystemConfigError(
             "on cluster.\n"
             "Request failure to write conf of Reputation context '{}'".
             format(self.name))
Esempio n. 10
0
 def save_policy_file(self):
     params = [
         self.get_full_filename(),
         self.generate_content(), DARWIN_OWNERS, DARWIN_PERMS
     ]
     try:
         logger.debug(
             "InspectionPolicy::save_policy_file:: calling api to save inspection policy file"
         )
         Cluster.api_request('system.config.models.write_conf',
                             config=params)
     except Exception as e:
         raise VultureSystemConfigError(
             "InspectionPolicy::save_policy_file:: failure to save inspection policy file"
         )
Esempio n. 11
0
    def delete_conf(self):
        """ Delete all format of the current certificate
        :return   True if success
        raise VultureSystemConfigError if failure
        """
        # Firstly try to delete the conf, if it fails the object will not be deleted
        extensions = self.get_extensions()

        for extension in extensions.keys():
            api_res = Cluster.api_request("system.config.models.delete_conf",
                                          self.get_base_filename() + extension)
            if not api_res.get('status'):
                raise VultureSystemConfigError(
                    ". API request failure.", traceback=api_res.get('message'))
        return True
Esempio n. 12
0
    def save_conf(self):
        """ Write cert as all formats currently supported
        This function raise VultureSystemConfigError if failure """
        extensions = self.get_extensions()

        # Retrieve and stock variable to improve loop perf
        base_filename = self.get_base_filename()
        """ For each extensions to be written """
        for extension, buffer in extensions.items():
            params = [
                base_filename + extension, buffer, CERT_OWNER, CERT_PERMS
            ]
            """ API request """
            api_res = Cluster.api_request('system.config.models.write_conf',
                                          config=params,
                                          internal=True)
            if not api_res.get('status'):
                raise VultureSystemConfigError(
                    ". API request failure ", traceback=api_res.get('message'))
Esempio n. 13
0
 def stop_vm(self):
     try:
         self.node.api_request('system.vm.vm.stop_vm', config=self.id)
     except Exception as e:
         raise VultureSystemConfigError(
             "on node '{}'.\nRequest failure.".format(self.node.name))
Esempio n. 14
0
def write_conf(logger, args):
    """ Dedicated method used to write a file on disk """
    # parse arguments because we can be called by asynchronous api
    if isinstance(args, str):
        file_path, file_content, owner, perm = literal_eval(args)
    else:
        file_path, file_content, owner, perm = args

    # Write temporary file info /tmp dir,
    #  because everybody can write onto
    temp_dir = "/var/tmp/"
    """ Create a temporary named file in {prefix} path """
    tmpfile = mktemp(prefix=temp_dir)
    logger.debug("Config::write_conf: Writing into {}".format(tmpfile))

    command = ""
    try:
        """ Try to open the tmp file - it might not raise.... """
        with open(tmpfile, "w", encoding="utf8") as f:
            f.write(str(file_content))
        """ Sudo move the file from tmp to file_path """
        logger.debug("Moving file from '{}' to '{}'".format(
            tmpfile, file_path))
        command = ['/usr/local/bin/sudo', '/bin/mv', tmpfile, file_path]
        check_output(command, stderr=PIPE)
        """ Sudo apply owner on file_path """
        logger.debug("Applying owner '{}' on file '{}'".format(
            owner, file_path))
        command = ['/usr/local/bin/sudo', '/usr/sbin/chown', owner, file_path]
        check_output(command, stderr=PIPE)
        """ Sudo apply permissions on file_path """
        logger.debug("Applying permissions '{}' on file '{}'".format(
            perm, file_path))
        command = ['/usr/local/bin/sudo', '/bin/chmod', perm, file_path]
        check_output(command, stderr=PIPE)

        logger.info("File '{}' successfully written.".format(file_path))

    except FileNotFoundError as e:
        logger.error("Failed to open file {}: {}".format(file_path, str(e)))
        raise VultureSystemConfigError(
            "The path '{}' or '{}' does not seem to exist.".format(
                temp_dir, "/".join(file_path.split('/')[:-1])))

    except PermissionError as e:
        logger.error("Failed to create/write file {}:".format(file_path))
        logger.exception(e)
        raise VultureSystemConfigError(
            "The path '{}' does not have correct permissions. \n "
            "Cannot create/write the file '{}'.".format(temp_dir, tmpfile))
    except CalledProcessError as e:
        logger.error("Failed to execute command {}: {}".format(
            command, e.stderr))
        logger.exception(e)

        # Catch sudoers failure
        if "sudo: no tty present and no askpass program specified" in e.stderr.decode(
                'utf8'):
            raise VultureSystemConfigError(
                "The file '/usr/local/etc/sudoers.d/vulture_sudoers' is not correct, "
                "cannot execute command",
                traceback=e.stderr.decode('utf8'))
        if "No such file or directory" in e.stderr.decode('utf8'):
            raise VultureSystemConfigError(
                "Directory '{}' does not seems to exists.".format('/'.join(
                    file_path.split('/')[:-1])),
                traceback=e.stderr.decode('utf8'))

        raise VultureSystemConfigError(
            "Bad permissions on directory '{}'.".format(temp_dir),
            traceback=(e.stdout or e.stderr).decode('utf8'))
    # Do NOT remove THIS ! Used to handle "service vultured stop"
    except ServiceExit:
        raise

    except Exception as e:
        logger.error("No referenced error in write_conf method : ")
        logger.exception(e)
        raise VultureSystemConfigError(
            "Unknown error occurred. \n"
            "Please see traceback for more informations.")
Esempio n. 15
0
def config_edit(request, api=False, update=False):
    config_model = Cluster.get_global_config()

    if hasattr(request, "JSON") and api:
        if update:
            request.JSON = {**config_model.to_dict(), **request.JSON}
        request_data = request.JSON
    else:
        request_data = request.POST

    # Verify if attribute has changed HERE, config_model will be modified after (at form.is_valid())
    has_customer_changed = request_data.get(
        'customer_name') != config_model.customer_name
    has_portal_cookie_name_changed = request_data.get(
        'portal_cookie_name') != config_model.portal_cookie_name
    ssh_authorized_key_changed = request_data.get(
        'ssh_authorized_key') != config_model.ssh_authorized_key
    logs_ttl_changed = request_data.get('logs_ttl') != config_model.logs_ttl

    form = ConfigForm(request_data or None,
                      instance=config_model,
                      error_class=DivErrorList)

    def render_form(**kwargs):
        save_error = kwargs.get('save_error')
        if api:
            if form.errors:
                return JsonResponse(form.errors.get_json_data(), status=400)
            if save_error:
                return JsonResponse({'error': save_error[0]}, status=500)
        return render(request, 'config/config.html', {'form': form, **kwargs})

    if request.method in ("POST", "PUT", "PATCH") and form.is_valid():
        config = form.save(commit=False)
        config.save()
        """ Write .ssh/authorized_keys if any change detected """
        if ssh_authorized_key_changed:
            params = [
                "/usr/home/vlt-adm/.ssh/authorized_keys",
                request_data.get('ssh_authorized_key'), 'vlt-adm:wheel', '600'
            ]
            for node in Node.objects.all():
                try:
                    node.api_request('system.config.models.write_conf',
                                     config=params)
                except Exception as e:
                    raise VultureSystemConfigError(
                        "on node '{}'.\nRequest failure.".format(node.name))
        """ If customer name has changed, rewrite rsyslog templates """
        error = ""
        if has_customer_changed:
            api_res = Cluster.api_request(
                "services.rsyslogd.rsyslog.configure_node")
            if not api_res.get('status'):
                error = api_res.get('message')
        if has_portal_cookie_name_changed:
            api_res = Cluster.api_request(
                "services.haproxy.haproxy.configure_node")
            if not api_res.get('status'):
                error = api_res.get('message')
        if logs_ttl_changed:
            res, mess = config_model.set_logs_ttl()
            if not res:
                return render_form(save_error=mess)
        if error:
            return render_form(save_error=error)
        if api:
            return build_response_config("system.config.api", [])

        return HttpResponseRedirect('/system/config/')

    # If request PATCH or PUT & form not valid - return error
    if api:
        logger.error("Config api form error : {}".format(
            form.errors.get_json_data()))
        return JsonResponse(form.errors.get_json_data(), status=400)

    return render_form()
Esempio n. 16
0
 def delete_snapshot(self):
     try:
         self.node.api_request('system.zfs.zfs.delete_snapshot', config=self.id)
     except Exception as e:
         raise VultureSystemConfigError("on node '{}'.\nRequest failure.".format(self.node.name))