def remove_role_policy(role_id, policy_ids):
"""Removes a relationship between a role and a policy
:param role_id: The new role_id
:param policy_ids: List of policies ids
:return Result of operation
"""
result = AffectedItemsWazuhResult(none_msg=f'No policy was unlinked from role {role_id[0]}',
some_msg=f'Some policies were not unlinked from role {role_id[0]}',
all_msg=f'All policies were unlinked from role {role_id[0]}')
success = False
with RolesPoliciesManager() as rpm:
for policy_id in policy_ids:
policy_id = int(policy_id)
role_policy = rpm.remove_policy_in_role(role_id=role_id[0], policy_id=policy_id)
if role_policy == SecurityError.INVALID:
result.add_failed_item(id_=policy_id, error=WazuhError(4010))
elif role_policy == SecurityError.ROLE_NOT_EXIST:
result.add_failed_item(id_=int(role_id[0]), error=WazuhError(4002))
elif role_policy == SecurityError.POLICY_NOT_EXIST:
result.add_failed_item(id_=policy_id, error=WazuhError(4007))
elif role_policy == SecurityError.ADMIN_RESOURCES:
result.add_failed_item(id_=int(role_id[0]), error=WazuhError(4008))
else:
success = True
result.total_affected_items += 1
if success:
with RolesManager() as rm:
result.affected_items.append(rm.get_role_id(role_id=role_id[0]))
role = rm.get_role_id(role_id=role_id[0])
invalid_roles_tokens(roles=[role['id']])
result.affected_items.sort(key=str)
return result
def update_role(role_id=None, name=None):
"""Updates a role in the system
:param role_id: Role id to be update
:param name: The new role name
:return Role information
"""
if name is None:
raise WazuhError(4001)
result = AffectedItemsWazuhResult(none_msg='Role was not updated',
all_msg='Role was successfully updated')
with RolesManager() as rm:
status = rm.update_role(role_id=role_id[0], name=name)
if status == SecurityError.ALREADY_EXIST:
result.add_failed_item(id_=int(role_id[0]), error=WazuhError(4005))
elif status == SecurityError.INVALID:
result.add_failed_item(id_=int(role_id[0]), error=WazuhError(4003))
elif status == SecurityError.ROLE_NOT_EXIST:
result.add_failed_item(id_=int(role_id[0]), error=WazuhError(4002))
elif status == SecurityError.ADMIN_RESOURCES:
result.add_failed_item(id_=int(role_id[0]), error=WazuhError(4008))
else:
updated = rm.get_role_id(int(role_id[0]))
result.affected_items.append(updated)
result.total_affected_items += 1
invalid_roles_tokens(roles=role_id)
return result
def remove_role_rule(role_id, rule_ids):
"""Remove a relationship between a role and one or more rules.
:param role_id: The new role_id
:param rule_ids: List of rule ids
:return Result of operation
"""
result = AffectedItemsWazuhResult(none_msg=f'No security rule was unlinked from role {role_id[0]}',
some_msg=f'Some security rules were not unlinked from role {role_id[0]}',
all_msg=f'All security rules were unlinked from role {role_id[0]}')
success = False
with RolesRulesManager() as rrm:
for rule_id in rule_ids:
role_rule = rrm.remove_rule_in_role(role_id=int(role_id[0]), rule_id=int(rule_id))
if role_rule == SecurityError.INVALID:
result.add_failed_item(id_=rule_id, error=WazuhError(4024))
elif role_rule == SecurityError.ROLE_NOT_EXIST:
result.add_failed_item(id_=int(role_id[0]), error=WazuhError(4002))
elif role_rule == SecurityError.RULE_NOT_EXIST:
result.add_failed_item(id_=rule_id, error=WazuhError(4022))
elif role_rule == SecurityError.ADMIN_RESOURCES:
result.add_failed_item(id_=int(role_id[0]), error=WazuhError(4008))
else:
success = True
result.total_affected_items += 1
if success:
with RolesManager() as rm:
result.affected_items.append(rm.get_role_id(role_id=role_id[0]))
# Invalidate users with auth_context
invalid_run_as_tokens()
result.affected_items.sort(key=str)
return result
def get_user_me():
"""Get the information of the current user
Returns
-------
AffectedItemsWazuhResult with the desired information
"""
result = AffectedItemsWazuhResult(all_msg='Current user information was returned')
affected_items = list()
with AuthenticationManager() as auth:
user = auth.get_user(common.current_user.get())
for index, role_id in enumerate(user['roles']):
with RolesManager() as rm:
role = rm.get_role_id(role_id=int(role_id))
role.pop('users')
for index_r, rule_id in enumerate(role['rules']):
with RulesManager() as rum:
role['rules'][index_r] = rum.get_rule(rule_id=int(rule_id))
role['rules'][index_r].pop('roles')
for index_p, policy_id in enumerate(role['policies']):
with PoliciesManager() as pm:
role['policies'][index_p] = pm.get_policy_id(policy_id=int(policy_id))
role['policies'][index_p].pop('roles')
user['roles'][index] = role
affected_items.append(user) if user else result.add_failed_item(id_=common.current_user.get(),
error=WazuhError(5001))
data = process_array(affected_items)
result.affected_items = data['items']
result.total_affected_items = data['totalItems']
return result
def remove_roles(role_ids):
"""Removes a certain role from the system
:param role_ids: List of roles ids (None for all roles)
:return Result of operation
"""
result = AffectedItemsWazuhResult(none_msg='No role was deleted',
some_msg='Some roles were not deleted',
all_msg='All specified roles were deleted')
with RolesManager() as rm:
for r_id in role_ids:
role = rm.get_role_id(int(r_id))
role_delete = rm.delete_role(int(r_id))
if role_delete == SecurityError.ADMIN_RESOURCES:
result.add_failed_item(id_=int(r_id), error=WazuhError(4008))
elif role_delete == SecurityError.RELATIONSHIP_ERROR:
result.add_failed_item(id_=int(r_id), error=WazuhError(4025))
elif not role_delete:
result.add_failed_item(id_=int(r_id), error=WazuhError(4002))
elif role:
result.affected_items.append(role)
result.total_affected_items += 1
invalid_roles_tokens(roles=[role['id'] for role in result.affected_items])
result.affected_items = sorted(result.affected_items, key=lambda i: i['id'])
return result
def remove_roles(role_ids):
"""Removes a certain role from the system
:param role_ids: List of roles ids (None for all roles)
:return Result of operation
"""
result = AffectedItemsWazuhResult(none_msg='No role were deleted',
some_msg='Some roles could not be delete',
all_msg='All specified roles were deleted')
with RolesManager() as rm:
for r_id in role_ids:
role = rm.get_role_id(int(r_id))
if role != SecurityError.ROLE_NOT_EXIST and int(r_id) not in admin_role_ids:
related_users = check_relationships([role])
role_delete = rm.delete_role(int(r_id))
if role_delete == SecurityError.ADMIN_RESOURCES:
result.add_failed_item(id_=r_id, error=WazuhError(4008))
elif not role_delete:
result.add_failed_item(id_=r_id, error=WazuhError(4002))
elif role:
result.affected_items.append(role)
result.total_affected_items += 1
invalid_users_tokens(users=list(related_users))
result.affected_items = sorted(result.affected_items, key=lambda i: i['id'])
return result
def get_roles(role_ids=None, offset=0, limit=common.database_limit, sort_by=None,
sort_ascending=True, search_text=None, complementary_search=False, search_in_fields=None):
"""Returns information from all system roles, does not return information from its associated policies
:param role_ids: List of roles ids (None for all roles)
:param offset: First item to return
:param limit: Maximum number of items to return
:param sort_by: Fields to sort the items by. Format: {"fields":["field1","field2"],"order":"asc|desc"}
:param sort_ascending: Sort in ascending (true) or descending (false) order
:param search_text: Text to search
:param complementary_search: Find items without the text to search
:param search_in_fields: Fields to search in
:return: Dictionary: {'items': array of items, 'totalItems': Number of items (without applying the limit)}
"""
affected_items = list()
result = AffectedItemsWazuhResult(none_msg='No role was returned',
some_msg='Some roles were not returned',
all_msg='All specified roles were returned')
with RolesManager() as rm:
for r_id in role_ids:
role = rm.get_role_id(int(r_id))
if role != SecurityError.ROLE_NOT_EXIST:
affected_items.append(role)
else:
# Role id does not exist
result.add_failed_item(id_=int(r_id), error=WazuhError(4002))
data = process_array(affected_items, search_text=search_text, search_in_fields=search_in_fields,
complementary_search=complementary_search, sort_by=sort_by, sort_ascending=sort_ascending,
offset=offset, limit=limit)
result.affected_items = data['items']
result.total_affected_items = data['totalItems']
return result
def _expand_resource(resource):
"""This function expand a specified resource depending of its type.
Parameters
----------
resource : str
Resource to be expanded
Returns
-------
str
Result of the resource expansion.
"""
name, attribute, value = resource.split(':')
resource_type = ':'.join([name, attribute])
# This is the special case, expand_group can receive * or the name of the group. That's why it' s always called
if resource_type == 'agent:group':
return expand_group(value)
# We need to transform the wildcard * to the resource of the system
if value == '*':
if resource_type == 'agent:id':
return get_agents_info()
elif resource_type == 'group:id':
return get_groups()
elif resource_type == 'role:id':
with RolesManager() as rm:
roles = rm.get_roles()
return {str(role_id.id) for role_id in roles}
elif resource_type == 'policy:id':
with PoliciesManager() as pm:
policies = pm.get_policies()
return {str(policy_id.id) for policy_id in policies}
elif resource_type == 'user:id':
users_system = set()
with AuthenticationManager() as auth:
users = auth.get_users()
for user in users:
users_system.add(str(user['user_id']))
return users_system
elif resource_type == 'rule:id':
with RulesManager() as rum:
rules = rum.get_rules()
return {str(rule_id.id) for rule_id in rules}
elif resource_type == 'rule:file':
return expand_rules()
elif resource_type == 'decoder:file':
return expand_decoders()
elif resource_type == 'list:file':
return expand_lists()
elif resource_type == 'node:id':
return set(cluster_nodes.get())
elif resource_type == '*:*': # Resourceless
return {'*'}
return set()
# We return the value casted to set
else:
return {value}
def set_role_policy(role_id, policy_ids, position=None):
"""Create a relationship between a role and a policy
Parameters
----------
role_id : int
The new role_id
policy_ids : list of int
List of policy IDs
position : int
Position where the new role will be inserted
Returns
-------
dict
Role-Policies information
"""
result = AffectedItemsWazuhResult(
none_msg=f'No link was created to role {role_id[0]}',
some_msg=f'Some policies were not linked to role {role_id[0]}',
all_msg=f'All policies were linked to role {role_id[0]}')
success = False
with RolesPoliciesManager() as rpm:
for policy_id in policy_ids:
policy_id = int(policy_id)
role_policy = rpm.add_policy_to_role(role_id=role_id[0],
policy_id=policy_id,
position=position)
if role_policy == SecurityError.ALREADY_EXIST:
result.add_failed_item(id_=policy_id, error=WazuhError(4011))
elif role_policy == SecurityError.ROLE_NOT_EXIST:
result.add_failed_item(id_=int(role_id[0]),
error=WazuhError(4002))
elif role_policy == SecurityError.POLICY_NOT_EXIST:
result.add_failed_item(id_=policy_id, error=WazuhError(4007))
elif role_policy == SecurityError.ADMIN_RESOURCES:
result.add_failed_item(id_=int(role_id[0]),
error=WazuhError(4008))
else:
success = True
result.total_affected_items += 1
if position is not None:
position += 1
if success:
with RolesManager() as rm:
result.affected_items.append(
rm.get_role_id(role_id=role_id[0]))
role = rm.get_role_id(role_id=role_id[0])
invalid_roles_tokens(roles=[role['id']])
result.affected_items.sort(key=str)
return result
def set_role_rule(role_id, rule_ids, run_as=False):
"""Create a relationship between a role and one or more rules.
Parameters
----------
role_id : int
The new role_id
rule_ids : list of int
List of rule ids
run_as : dict
Login with an authorization context or not
Returns
-------
"""
result = AffectedItemsWazuhResult(
none_msg=f'No link was created to role {role_id[0]}',
some_msg=f'Some security rules were not linked to role {role_id[0]}',
all_msg=f'All security rules were linked to role {role_id[0]}')
success = False
with RolesRulesManager() as rrm:
for rule_id in rule_ids:
role_rule = rrm.add_rule_to_role(role_id=int(role_id[0]),
rule_id=int(rule_id))
if role_rule == SecurityError.ALREADY_EXIST:
result.add_failed_item(id_=int(rule_id),
error=WazuhError(4023))
elif role_rule == SecurityError.ROLE_NOT_EXIST:
result.add_failed_item(id_=int(role_id[0]),
error=WazuhError(4002))
elif role_rule == SecurityError.RULE_NOT_EXIST:
result.add_failed_item(id_=int(rule_id),
error=WazuhError(4022))
elif role_rule == SecurityError.ADMIN_RESOURCES:
result.add_failed_item(id_=int(role_id[0]),
error=WazuhError(4008))
else:
success = True
result.total_affected_items += 1
if success:
with RolesManager() as rm:
result.affected_items.append(
rm.get_role_id(role_id=role_id[0]))
# Invalidate users with auth_context
invalid_run_as_tokens()
result.affected_items.sort(key=str)
return result
def check_relationships(roles: list = None):
"""Check the users related with the specified list of roles
Parameters
----------
roles : list
List of affected roles
Returns
-------
Set with all affected users
"""
users_affected = set()
if roles:
for role in roles:
with RolesManager() as rm:
users_affected.update(set(rm.get_role_id(role)['users']))
return users_affected
def add_role(name=None):
"""Creates a role in the system
:param name: The new role name
:return Role information
"""
result = AffectedItemsWazuhResult(none_msg='Role was not created',
all_msg='Role was successfully created')
with RolesManager() as rm:
status = rm.add_role(name=name)
if status == SecurityError.ALREADY_EXIST:
result.add_failed_item(id_=name, error=WazuhError(4005))
elif status == SecurityError.INVALID:
result.add_failed_item(id_=name, error=WazuhError(4003))
else:
result.affected_items.append(rm.get_role(name=name))
result.total_affected_items += 1
return result
def set_role_rule(role_id, rule_ids):
"""Create a relationship between a role and one or more rules.
:param role_id: The new role_id
:param rule_ids: List of rule ids
:return Result of operation
"""
result = AffectedItemsWazuhResult(
none_msg=f'No link was created to role {role_id[0]}',
some_msg=f'Some security rules were not linked to role {role_id[0]}',
all_msg=f'All security rules were linked to role {role_id[0]}')
success = False
with RolesRulesManager() as rrm:
for rule_id in rule_ids:
role_rule = rrm.add_rule_to_role(role_id=role_id[0],
rule_id=rule_id)
if role_rule == SecurityError.ALREADY_EXIST:
result.add_failed_item(id_=rule_id, error=WazuhError(4023))
elif role_rule == SecurityError.ROLE_NOT_EXIST:
result.add_failed_item(id_=role_id[0], error=WazuhError(4002))
elif role_rule == SecurityError.RULE_NOT_EXIST:
result.add_failed_item(id_=rule_id, error=WazuhError(4022))
elif role_rule == SecurityError.ADMIN_RESOURCES:
result.add_failed_item(id_=role_id[0], error=WazuhError(4008))
else:
success = True
result.total_affected_items += 1
if success:
with RolesManager() as rm:
result.affected_items.append(
rm.get_role_id(role_id=role_id[0]))
# Invalidate users with auth_context
with AuthenticationManager() as am:
user_list = list()
for user in am.get_users():
if am.user_allow_run_as(username=user['username']):
user_list.append(user['user_id'])
invalid_users_tokens(users=user_list)
result.affected_items.sort(key=str)
return result
def get_role(role_id):
"""Return the role name of the specified role_id.
Parameters
----------
role_id : str
Role ID.
Returns
-------
role_check : bool
True if the role_id exists, False in other case.
"""
role_check = False
with RolesManager() as rm:
role_information = rm.get_role_id(int(role_id))
if role_information != SecurityError.ROLE_NOT_EXIST:
role_check = True
return role_check
def _expand_resource(resource):
"""This function expand a specified resource depending of it type.
:param resource: Resource to be expanded
:return expanded_resource: Returns the result of the resource expansion
"""
name, attribute, value = resource.split(':')
resource_type = ':'.join([name, attribute])
# This is the special case, expand_group can receive * or the name of the group. That's why it' s always called
if resource_type == 'agent:group':
return expand_group(value)
# We need to transform the wildcard * to the resource of the system
if value == '*':
if resource_type == 'agent:id':
return get_agents_info()
elif resource_type == 'group:id':
return get_groups()
elif resource_type == 'role:id':
with RolesManager() as rm:
roles = rm.get_roles()
return {str(role_id.id) for role_id in roles}
elif resource_type == 'policy:id':
with PoliciesManager() as pm:
policies = pm.get_policies()
return {str(policy_id.id) for policy_id in policies}
elif resource_type == 'user:id':
users_system = set()
with AuthenticationManager() as auth:
users = auth.get_users()
for user in users:
users_system.add(user['user_id'])
return users_system
elif resource_type == 'rule:id':
with RulesManager() as rum:
rules = rum.get_rules()
return {str(rule_id.id) for rule_id in rules}
elif resource_type == 'rule:file':
tags = ['rule_include', 'rule_exclude', 'rule_dir']
format_rules = format_rule_decoder_file(
get_ossec_conf(section='ruleset')['ruleset'], {
'status': Status.S_ALL.value,
'relative_dirname': None,
'filename': None
}, tags)
return {rule['filename'] for rule in format_rules}
elif resource_type == 'decoder:file':
tags = ['decoder_include', 'decoder_exclude', 'decoder_dir']
format_decoders = format_rule_decoder_file(
get_ossec_conf(section='ruleset')['ruleset'], {
'status': Status.S_ALL.value,
'relative_dirname': None,
'filename': None
}, tags)
return {decoder['filename'] for decoder in format_decoders}
elif resource_type == 'list:path':
return {
os.path.join(cdb_list['relative_dirname'],
cdb_list['filename'])
for cdb_list in iterate_lists(only_names=True)
}
elif resource_type == 'node:id':
return set(cluster_nodes.get())
elif resource_type == 'file:path':
return get_files()
elif resource_type == '*:*': # Resourceless
return {'*'}
return set()
# We return the value casted to set
else:
return {value}
def get_roles(role_ids=None,
offset=0,
limit=common.database_limit,
sort_by=None,
select=None,
sort_ascending=True,
search_text=None,
complementary_search=False,
search_in_fields=None):
"""Return information from all system roles, does not return information from its associated policies.
Parameters
----------
role_ids : list, optional
List of roles ids to be obtained
offset : int, optional
First item to return
limit : int, optional
Maximum number of items to return
sort_by : dict
Fields to sort the items by. Format: {"fields":["field1","field2"],"order":"asc|desc"}
sort_ascending : bool
Sort in ascending (true) or descending (false) order
search_text : str
Text to search
select : str
Select which fields to return (separated by comma)
complementary_search : bool
Find items without the text to search
search_in_fields : list
Fields to search in
Returns
-------
Roles information
"""
affected_items = list()
result = AffectedItemsWazuhResult(
none_msg='No role was returned',
some_msg='Some roles were not returned',
all_msg='All specified roles were returned')
with RolesManager() as rm:
for r_id in role_ids:
role = rm.get_role_id(int(r_id))
if role != SecurityError.ROLE_NOT_EXIST:
affected_items.append(role)
else:
# Role id does not exist
result.add_failed_item(id_=int(r_id), error=WazuhError(4002))
data = process_array(affected_items,
search_text=search_text,
search_in_fields=search_in_fields,
select=select,
complementary_search=complementary_search,
sort_by=sort_by,
sort_ascending=sort_ascending,
offset=offset,
limit=limit,
allowed_sort_fields=SORT_FIELDS,
required_fields=REQUIRED_FIELDS)
result.affected_items = data['items']
result.total_affected_items = data['totalItems']
return result
