def cert_list(request):
    """
    Page dedicated to show certificate list.

    Renders ``cert.html`` with two entries: ``certs`` (certificates that are
    not trusted CAs) and ``trusted_ca_list`` (certificates flagged as trusted
    CAs). An entry is ``None`` when its lookup raises ``DoesNotExist``.
    """
    context = {}
    for key, lookup in (('certs', {'is_trusted_ca__ne': True}),
                        ('trusted_ca_list', {'is_trusted_ca': True})):
        try:
            context[key] = SSLCertificate.objects(**lookup)
        except DoesNotExist:
            # NOTE(review): building a queryset is usually lazy, so this branch
            # may never be taken; kept to match the original contract.
            context[key] = None
    return render_to_response('cert.html', context,
                              context_instance=RequestContext(request))
def perform_cert_options(self, zabbix_options):
    """
    Write the TLS material of the selected certificate under
    ``<config_path>/pki`` and expose the written paths to the template.

    :param zabbix_options: dict of Zabbix options; ``tls_cert`` holds the id of
        the SSLCertificate to use
    :return: ``zabbix_options`` with ``tls_cert_file`` set to a dict mapping
        chain/cert/key/crl to the written paths (``crl`` is ``""`` when the
        certificate carries no CRL)
    """
    file_names = {
        'chain': "ca_cert.crt",
        'cert': "cert.crt",
        'key': "cert.key",
        'crl': "cert.crl",
    }
    certificate_files = {
        attribute: "{}/pki/{}".format(self.config_path, name)
        for attribute, name in file_names.items()
    }
    # Retrieve SSLCertificate object, loading only the fields written below
    ssl_cert = (SSLCertificate.objects(id=zabbix_options.get('tls_cert'))
                .only(*certificate_files.keys())
                .first())
    # NOTE(review): .first() yields None for an unknown id, and getattr would
    # then raise AttributeError — confirm callers always pass a valid tls_cert.
    # The 'key' entry is the private key; the file mode applied by
    # write_configuration_file is not visible here — confirm it is restricted.
    for attribute_name, path in certificate_files.items():
        self.write_configuration_file(path, getattr(ssl_cert, attribute_name))
    # If CRL is not present, set the crl empty
    if not ssl_cert.crl:
        certificate_files['crl'] = ""
    # Replace SSLCertificate object by dict for template use
    zabbix_options['tls_cert_file'] = certificate_files
    return zabbix_options
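def __init__(self, *args, **kwargs):
    """
    Build the application form and populate its dynamic choice fields.

    ``listeners`` is popped from ``kwargs`` (when present) and stored on the
    instance before the parent constructor runs. The choice fields are then
    filled from the database: authentication repositories, ModSecurity rule
    sets, SVM-built datasets, client certificates, IP-reputation tags taken
    from the log-analyser rules, and the static GeoIP country list. When the
    initial ``auth_backend`` is an LDAP repository, its groups are offered in
    ``group_registration``.
    """
    try:
        self.listeners = kwargs.pop('listeners')
    except KeyError:
        pass
    super(ApplicationForm, self).__init__(*args, **kwargs)
    # NOTE(review): rebinding ``self`` only has an effect if bootstrap_tooltips
    # returns a different object — kept as the original did.
    self = bootstrap_tooltips(self)

    def textarea(cols, rows):
        # All free-text fields share the same bootstrap textarea widget
        return Textarea(attrs={'cols': cols, 'rows': rows, 'class': 'form-control'})

    def unique(pairs):
        # Deduplicate while keeping first-seen order, so the rendered <select>
        # is stable between requests (a set iterates in arbitrary order)
        seen = set()
        result = []
        for pair in pairs:
            if pair not in seen:
                seen.add(pair)
                result.append(pair)
        return result

    auth_repo_lst = [
        (ObjectId(rep.id), rep.repo_name)
        for rep in BaseAbstractRepository.get_auth_repositories()
    ]
    mod_sec_choices = [
        (ObjectId(rule.id), rule.name)
        for rule in ModSecRulesSet.objects(type_rule__nin=('wlbl', ))
    ]
    dataset_list = [(None, "------------------------------")]
    dataset_list.extend(
        (ObjectId(dataset.id), dataset.name)
        for dataset in Dataset.objects(svm_built=True).only('name', 'id')
    )
    # Choice values are file paths built from settings.CONF_DIR; ChoiceField
    # only accepts a submitted value that is present in this list
    client_certificate = [('', '---------')]
    client_certificate.extend(
        ("%sSSLProxyCertificateFile-%s.txt" % (settings.CONF_DIR, cert.id), cert.cn)
        for cert in SSLCertificate.objects(is_trusted_ca__ne=True).only('id', 'cn')
    )
    cookie_cipher_choices = (
        ('rc4', 'RC4 (128 bits)'),
        ('aes128', 'AES 128 (128 bits)'),
        ('aes256', 'AES 256 (256 bits)'),
    )
    # One choice per comma-separated tag declared on the log-analyser rules
    loganalyser_rules = Cluster.objects.get().system_settings.loganalyser_settings.loganalyser_rules
    ip_reputation = [
        (tag, tag.capitalize())
        for rule in loganalyser_rules
        for tag in rule.tags.split(',')
    ]
    geoip = [(code, code) for code in [
        "AF", "AX", "AL", "DZ", "AS", "AD", "AO", "AI", "AQ", "AG", "AR", "AM",
        "AW", "AU", "AT", "AZ", "BS", "BH", "BD", "BB", "BY", "BE", "BZ", "BJ",
        "BM", "BT", "BO", "BQ", "BA", "BW", "BV", "BR", "IO", "BN", "BG", "BF",
        "BI", "KH", "CM", "CA", "CV", "KY", "CF", "TD", "CL", "CN", "CX", "CC",
        "CO", "KM", "CG", "CD", "CK", "CR", "CI", "HR", "CU", "CW", "CY", "CZ",
        "DK", "DJ", "DM", "DO", "EC", "EG", "SV", "GQ", "ER", "EE", "ET", "FK",
        "FO", "FJ", "FI", "FR", "GF", "PF", "TF", "GA", "GM", "GE", "DE", "GH",
        "GI", "GR", "GL", "GD", "GP", "GU", "GT", "GG", "GN", "GW", "GY", "HT",
        "HM", "VA", "HN", "HK", "HU", "IS", "IN", "ID", "IR", "IQ", "IE", "IM",
        "IL", "IT", "JM", "JP", "JE", "JO", "KZ", "KE", "KI", "KP", "KR", "KW",
        "KG", "LA", "LV", "LB", "LS", "LR", "LY", "LI", "LT", "LU", "MO", "MK",
        "MG", "MW", "MY", "MV", "ML", "MT", "MH", "MQ", "MR", "MU", "YT", "MX",
        "FM", "MD", "MC", "MN", "ME", "MS", "MA", "MZ", "MM", "NA", "NR", "NP",
        "NL", "NC", "NZ", "NI", "NE", "NG", "NU", "NF", "MP", "NO", "OM", "PK",
        "PW", "PS", "PA", "PG", "PY", "PE", "PH", "PN", "PL", "PT", "PR", "QA",
        "RE", "RO", "RU", "RW", "BL", "SH", "KN", "LC", "MF", "PM", "VC", "WS",
        "SM", "ST", "SA", "SN", "RS", "SC", "SL", "SG", "SX", "SK", "SI", "SB",
        "SO", "ZA", "GS", "SS", "ES", "LK", "SD", "SR", "SJ", "SZ", "SE", "CH",
        "SY", "TW", "TJ", "TZ", "TH", "TL", "TG", "TK", "TO", "TT", "TN", "TR",
        "TM", "TC", "TV", "UG", "UA", "AE", "GB", "US", "UM", "UY", "UZ", "VU",
        "VE", "VN", "VG", "VI", "WF", "EH", "YE", "ZM", "ZW",
    ]]

    select2_multiple = {'class': 'form-control select2'}
    self.fields['block_reputation'] = MultipleChoiceField(
        required=False, choices=unique(ip_reputation),
        widget=SelectMultiple(attrs=select2_multiple))
    self.fields['block_geoip'] = MultipleChoiceField(
        required=False, choices=unique(geoip),
        widget=SelectMultiple(attrs=select2_multiple))
    self.fields['allow_geoip'] = MultipleChoiceField(
        required=False, choices=unique(geoip),
        widget=SelectMultiple(attrs=select2_multiple))
    self.fields['template'].queryset = portalTemplate.objects.filter()
    self.fields['auth_backend'] = ChoiceField(
        choices=auth_repo_lst, required=False,
        widget=Select(attrs={'class': 'form-control'}))
    self.fields['auth_backend_fallbacks'] = MultipleChoiceField(
        choices=auth_repo_lst, required=False,
        widget=SelectMultiple(attrs=select2_multiple))
    self.fields['redirect_uri'] = CharField(required=False, widget=textarea(80, 1))
    self.fields['sso_capture_content'] = CharField(required=False, widget=textarea(80, 2))
    self.fields['sso_replace_pattern'] = CharField(required=False, widget=textarea(40, 2))
    self.fields['sso_replace_content'] = CharField(required=False, widget=textarea(40, 2))
    self.fields['sso_after_post_request'] = CharField(required=False, widget=textarea(80, 2))
    self.fields['rules_set'] = MultipleChoiceField(
        choices=mod_sec_choices, required=False,
        widget=SelectMultiple(attrs={'class': 'form-control'}))
    self.fields['datasets'] = ChoiceField(
        choices=dataset_list, required=False,
        widget=Select(attrs={'class': 'form-control'}))
    self.fields['ssl_protocol'] = ChoiceField(
        choices=SSL_PROTOCOLS, required=False,
        widget=Select(attrs={'class': 'form-control'}))
    self.fields['ssl_client_certificate'] = ChoiceField(
        choices=client_certificate, required=False,
        widget=Select(attrs={'class': 'form-control'}))
    self.fields['custom_vhost'] = CharField(required=False, widget=textarea(80, 15))
    self.fields['custom_location'] = CharField(required=False, widget=textarea(80, 15))
    self.fields['custom_proxy'] = CharField(required=False, widget=textarea(80, 15))
    self.fields['cookie_cipher'] = ChoiceField(
        choices=cookie_cipher_choices, required=False,
        widget=Select(attrs={'class': 'form-control'}))

    if self.initial.get("auth_backend"):
        repo = BaseAbstractRepository.search_repository(self.initial.get('auth_backend'))
        if isinstance(repo, LDAPRepository):
            try:
                groups = [(x, x) for x in repo.get_backend().enumerate_groups()]
            except Exception:
                # A directory that cannot be queried must not break the form:
                # the group choice simply stays empty. Only Exception is caught
                # so that KeyboardInterrupt/SystemExit still propagate.
                groups = []
            self.fields['group_registration'] = ChoiceField(
                choices=groups, required=False,
                widget=Select(attrs={'class': 'form-control'}))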
import os
import sys
# The GUI package is not on the default interpreter path
sys.path.append('/home/vlt-gui/vulture')
os.environ.setdefault("DJANGO_SETTINGS_MODULE", 'vulture.settings')
import django
django.setup()
from gui.models.ssl_certificate import SSLCertificate
from M2Crypto import X509
import subprocess

if __name__ == '__main__':
    # Renew every Let's Encrypt certificate whose status is not "R"
    for cert in SSLCertificate.objects(issuer="LET'S ENCRYPT", status__ne="R"):
        print "Updating certificate {}".format(cert.cn)
        # Call acme-client to generate the Let's Encrypt challenge.
        # The command is an argv list (no shell), so cert.cn is passed to
        # acme.sh as one argument, and the environment is replaced by a
        # fixed PATH rather than inherited from the caller.
        proc = subprocess.Popen(
            [
                '/usr/local/sbin/acme.sh', '--issue', '-d', cert.cn,
                '--webroot', '/home/vlt-sys/Engine/conf',
                '--cert-home', '/usr/local/etc/ssl/acme'
            ],
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            env={
                'PATH': "/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
            })
        # NOTE(review): both pipes are open at this point; the rest of the
        # loop (not in this excerpt) should drain them (e.g. proc.communicate())
        # or acme.sh may block on a full pipe — confirm.
def conf_has_changed(self, parameters, service_settings=None, conf_django=None):
    """
    Test if configuration into system configuration file is same that
    configuration in database (from parameters var)

    :param parameters: A dict containing configuration parameters
    :param service_settings: A dict containing configuration parameters,
        sent to template.render as 'conf_service'
    :param conf_django: A dict containing configuration parameters,
        sent to template.render as 'conf_django'
    :return: True when the rendered configuration, or one of the TLS
        certificate / PSK files, differs from what is on disk (or cannot be
        read); False otherwise
    :raises ServiceConfigError: when the parent check itself could not run
    """
    def uses_mode(mode):
        # TLS material is needed if either side (accept or connect) uses it
        return parameters.get('tls_accept') == mode or parameters.get('tls_connect') == mode

    def file_differs(filename, expected):
        # True when the on-disk content is not ``expected`` or cannot be read
        try:
            with open(filename, 'r') as fd:
                on_disk = fd.read()
            if on_disk == expected:
                return False
            logger.info("[ZABBIX] Configuration file '{}' differs on disk".format(filename))
            return True
        except Exception as e:
            # FIXME : raise Exception to say the admin "Hey, cannot read conf!" in the GUI ?
            logger.error("[ZABBIX] Cannot check configuration on '{}' file: ".format(filename))
            logger.exception(e)
            # We can't read the file, but it may have been modified
            return True

    tls_cert_in_use = uses_mode('cert')
    psk_in_use = uses_mode('psk')
    psk_key_path = "{}/pki/psk.key".format(self.config_path)

    # Modify parameters according to tls/psk options
    certificate_files = {}
    ssl_cert = None
    if tls_cert_in_use:
        certificate_files = {
            'chain': "{}/pki/ca_cert.crt".format(self.config_path),
            'cert': "{}/pki/cert.crt".format(self.config_path),
            'key': "{}/pki/cert.key".format(self.config_path),
            'crl': "{}/pki/cert.crl".format(self.config_path)
        }
        ssl_cert = SSLCertificate.objects(id=parameters.get('tls_cert')).only(*certificate_files.keys()).first()
        if not ssl_cert.crl:
            certificate_files['crl'] = ""
        parameters['tls_cert_file'] = certificate_files
    if psk_in_use:
        parameters['psk_file'] = psk_key_path

    global_conf_has_changed = super(ZABBIX, self).conf_has_changed(parameters, service_settings, conf_django)
    if global_conf_has_changed.startswith("Unable to check if conf has changed"):
        raise ServiceConfigError(global_conf_has_changed)
    if global_conf_has_changed:
        # If the configuration file has changed, return True
        logger.info("[ZABBIX] Global configuration file '/usr/local/etc/zabbix4/zabbix_agentd.conf' differs on disk.")
        return True

    # The rendered configuration is unchanged: compare the certificate/psk
    # files too (the 'key' entry is the private key, read back for comparison)
    if tls_cert_in_use:
        for attribute_name, filename in certificate_files.items():
            if filename and file_differs(filename, getattr(ssl_cert, attribute_name)):
                return True
    if psk_in_use and file_differs(psk_key_path, parameters.get('psk_key')):
        return True
    # If none of the files has changed: return False
    return False
__license__ = "GPLv3"
__version__ = "3.0.0"
__maintainer__ = "Vulture Project"
__email__ = "*****@*****.**"
__doc__ = """This migration script rewrite HAProxy certificates on disk
"""

import os
import sys

# Make the GUI package importable and bootstrap Django before model imports
sys.path.append('/home/vlt-gui/vulture')
os.environ.setdefault("DJANGO_SETTINGS_MODULE", 'vulture.settings')

import django
django.setup()

from gui.models.network_settings import Loadbalancer
from gui.models.ssl_certificate import SSLCertificate


def main():
    """Write every certificate back to disk, unless no load-balancer exists."""
    # If HAProxy used
    if Loadbalancer.objects.count() == 0:
        print("No load-balancer configured.")
        sys.exit(0)
    for cert in SSLCertificate.objects():
        cert.write_certificate()
        print("Cert {} reloaded".format(cert.name))
    print("Certificates reloaded")


if __name__ == '__main__':
    main()
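def _run_as_vlt_sys(*command):
    """
    Run *command* through the double-sudo chain as ``vlt-sys``.

    :param command: argv entries appended after the sudo prefix (no shell)
    :return: ``(stdout, stderr, returncode)``; stdout/stderr are bytes
    """
    proc = subprocess.Popen(
        ['/usr/local/bin/sudo', '-u', 'vlt-sys', '/usr/local/bin/sudo'] + list(command),
        stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    out, err = proc.communicate()
    return out, err, proc.returncode


def _read_or_empty(path):
    """Return the text content of *path*, or ``""`` when it cannot be opened."""
    try:
        with open(path, 'r') as f:
            return f.read()
    except IOError:
        return ""


def _clear_directory(directory):
    """
    Remove the regular files and symlinks directly under *directory*.

    Replaces an ``rm <directory>/*`` shell command without going through a
    shell: like the shell glob, dot-files are skipped and sub-directories are
    left in place. A missing directory or an entry that cannot be removed is
    ignored, as ``rm`` would have reported it and carried on.
    """
    try:
        names = os.listdir(directory)
    except OSError:
        return
    for name in names:
        if name.startswith('.'):
            continue
        path = os.path.join(directory, name)
        if os.path.islink(path) or os.path.isfile(path):
            try:
                os.remove(path)
            except OSError:
                pass


def check_status():
    """
    Check if rc.conf.local need updates. Update file if needed

    Also re-renders the HAProxy configuration and (re)starts or stops the
    ``vlthaproxy`` service accordingly, then makes sure every listener IP is
    present in the node's packet-filter whitelist and in the
    ``vulture_cluster`` pf table.

    :return: True when every step completed; False when the pf table could
        not be read or an IP could not be added to it
    """
    listeners = []
    devices = {}
    haproxy = False
    alias_re = re.compile(r"^ifconfig_([^ ]+)_alias\{\}.*")
    cluster = Cluster.objects.get()
    node = cluster.get_current_node()

    # We add alias number (by device): alias lines carry a "{}" placeholder
    # that receives a per-device counter
    for listener in node.get_listeners():
        match = alias_re.match(listener.rc_conf)
        if match:
            dev = match.group(1)
            cpt = devices.setdefault(dev, 0)
            listeners.append(listener.rc_conf.format(cpt))
            devices[dev] = cpt + 1
        else:
            listeners.append(listener.rc_conf)

    # GUI-0.3 Upgrade: system_settings.pf_settings may not exist in GUI-0.3
    # upgraded from GUI-0.2. In this case we need to initialize it with
    # default VALUES
    system_settings = node.system_settings
    if system_settings.pf_settings is None:
        system_settings.pf_settings = PFSettings()
    if system_settings.ipsec_settings is None:
        system_settings.ipsec_settings = IPSECSettings()

    # Load-balancers served by this node (directly or through a CARP address)
    loadbalancers = []
    for loadbalancer in Loadbalancer.objects.all():
        ssl_profile = loadbalancer.ssl_profile
        if ssl_profile and ssl_profile.hpkp_enable:
            # HPKP pin derived from the SPKI of the profile's certificate
            ssl_profile.pkp = PKP.getSPKIFingerpring(ssl_profile.certificate.cert)
        incoming = loadbalancer.incoming_listener
        if incoming.is_carp:
            served_here = any(l.get_related_node() == node
                              for l in incoming.get_related_carp_inets())
        else:
            served_here = incoming.get_related_node() == node
        if served_here:
            haproxy = True
            if loadbalancer not in loadbalancers:
                loadbalancers.append(loadbalancer)

    try:
        pf_logs = system_settings.pf_settings.repository_type == 'data'
    except KeyError:
        pf_logs = False

    parameters = {
        'default_ipv4_gw': node.default_ipv4_gw,
        'default_ipv6_gw': node.default_ipv6_gw,
        'static_route': node.static_route,
        'listeners': listeners,
        'pf_logs': pf_logs,
        'haproxy': haproxy,
        'strongswan': system_settings.ipsec_settings.enabled
    }

    # Checking if rc.conf.local differs.
    tpl, path_rc = tpl_utils.get_template('rc.conf.local')
    conf_rc = tpl.render(conf=parameters)
    # rc.conf.local differs => writing new version
    if _read_or_empty(path_rc) != conf_rc:
        write_in_file(path_rc, conf_rc)
        if node.default_ipv4_gw or node.default_ipv6_gw:
            _run_as_vlt_sys('service', 'routing', 'restart')

    #### HAPROXY Configuration ####
    tpl, path_haproxy = tpl_utils.get_template('vlthaproxy')
    conf_haproxy = tpl.render(conf={'haproxy': loadbalancers})
    if not loadbalancers:
        conf_haproxy = ""
    orig_conf = _read_or_empty(path_haproxy)
    ## Check diff in haproxy.conf
    _, errors, _ = _run_as_vlt_sys('service', 'vlthaproxy', 'status')
    haproxy_need_start = "haproxy not running" in errors.decode('utf8')

    if haproxy and orig_conf != conf_haproxy:
        write_in_file(path_haproxy, conf_haproxy)
        # Delete all certificates in /home/vlt-sys/Engine/conf/haproxy
        _clear_directory("%shaproxy" % settings.CONF_DIR)
        # Write SSL-Profile certificates
        for loadbalancer in loadbalancers:
            if loadbalancer.enable_tls and loadbalancer.ssl_profile:
                loadbalancer.ssl_profile.write_HAProxy_conf()
        # Store certificates so that HA-PROXY may use them
        for cert in SSLCertificate.objects():
            cert.write_certificate()
        _run_as_vlt_sys('service', 'vlthaproxy',
                        'start' if haproxy_need_start else 'restart')
    elif haproxy and haproxy_need_start:
        _run_as_vlt_sys('service', 'vlthaproxy', 'start')
    elif not haproxy:
        write_in_file(path_haproxy, conf_haproxy)
        _run_as_vlt_sys('service', 'vlthaproxy', 'stop')

    # NOTE(review): the node is re-read here, so the PFSettings/IPSECSettings
    # initialised above are not carried over — kept as the original did.
    cluster = Cluster.objects.get()
    node = cluster.get_current_node()

    ## CHECK Vulture Cluster Whitelist for Packet Filter
    ips = {listener.ip for listener in Listener.objects.all()}
    table, _, rc = _run_as_vlt_sys('pfctl', '-t', 'vulture_cluster', '-T', 'show')
    if rc != 0:
        # Without the table content we cannot tell which IPs are missing
        return False

    pf_settings = node.system_settings.pf_settings
    # Whole-token match: the whitelist is newline-separated, and a plain
    # substring test would treat (constructed example) "10.0.0.1" as present
    # whenever "10.0.0.10" already is
    whitelist_entries = (pf_settings.pf_whitelist or "").split()
    for ip in ips:
        if ip not in whitelist_entries:
            pf_settings.pf_whitelist = pf_settings.pf_whitelist + '\n' + str(ip)
            whitelist_entries.append(ip)
            node.save(bootstrap=True)

    in_table = {line.strip() for line in table.decode('utf8').split('\n') if line != ""}
    for ip in ips:
        if ip not in in_table:
            _, _, rc = _run_as_vlt_sys('pfctl', '-t', 'vulture_cluster', '-T', 'add', ip)
            if rc != 0:
                # communicate() never returns False, so a return-code check is
                # the only way to report a failed table update
                return False
    return True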