Notify policy updates to open-appsec container.

UI labels in log.
2025-08-07 01:43:33 +00:00 · 2023-12-13 21:51:43 +02:00
parent dbd78e5e03
commit ce84a865f1
13 changed files with 102 additions and 120 deletions
--- a/backend/internal/nginx-openappsec.js
+++ b/backend/internal/nginx-openappsec.js
@@ -1,3 +1,6 @@
+const util = require('util');
+const execPromise = util.promisify(require('child_process').exec);
+const { exec } = require('child_process');
 const _      = require('lodash');
 const fs     = require('fs');
 const logger = require('../logger').nginx;
@@ -100,7 +103,24 @@ const internalNginxOpenappsec = {
 				(err) => {
 					logger.error('Error generating openappsec config:', err);
 					return Promise.reject(err);
+				})
+			.then(() => {
+				// Return the notifyPolicyUpdate promise chain
+				// notify openappsec to apply the policy
+				return internalNginxOpenappsec.notifyPolicyUpdate().catch((errorMessage) => {
+					console.error('Error:', errorMessage);
+					const errorMessageForUI = `Error: Policy couldn’t be applied, open-appsec-agent container is not responding.
+									Check if open-appec-agent container is running, then apply open-appsec Configuration
+									again by clicking here: 
+									<br>Settings -> open-appsec Advanced -> Save Settings`;
+
+					return Promise.reject(new Error(errorMessageForUI));
 				});
+			})
+			.catch((err) => {
+				logger.error('Error generating openappsec config:', err);
+				throw err; // Propagate the error to the caller
+			});
 	},

 	/** 
@@ -122,9 +142,22 @@ const internalNginxOpenappsec = {
 				internalNginxOpenappsec.removeMatchingNodes(openappsecConfig, pattern);
 				fs.writeFileSync(configFilePath, yaml.dump(openappsecConfig));
 			})
-			.catch(err => {
+			.then(() => {
+				// Return the notifyPolicyUpdate promise chain
+				// notify openappsec to apply the policy
+				return internalNginxOpenappsec.notifyPolicyUpdate().catch((errorMessage) => {
+					console.error('---Error:', errorMessage);
+					const errorMessageForUI = `Error: Policy couldn’t be applied, open-appsec-agent container is not responding.
+									Check if open-appec-agent container is running, then apply open-appsec Configuration
+									again by clicking here: 
+									<br>Settings -> open-appsec Advanced -> Save Settings`;
+
+					return Promise.reject(new Error(errorMessageForUI));
+				});
+			})
+			.catch((err) => {
 				logger.error('Error deleting openappsec config:', err);
-				return Promise.reject(err);
+				throw err; // Propagate the error to the caller
 			});
 	},
 	
@@ -180,6 +213,38 @@ const internalNginxOpenappsec = {
 		}
 	},

+	notifyPolicyUpdate: async function() {
+		if (!constants.USE_NOTIFY_POLICY) {
+			console.log('USE_NOTIFY_POLICY is false');
+			return;
+		}
+		let ports = constants.PORTS;
+		console.log(`Notifying openappsec to apply the policy on ports ${ports}`);
+		let lastError = null;
+
+		for (let port of ports) {
+			try {
+				const command = `curl -s -o /dev/null -w "%{http_code}" ${constants.HOSTURL}:${port}/openappsec/apply-policy`;
+				console.log(`command: ${command}`);
+				let { stdout } = await execPromise(command);
+				if (stdout === '200') {
+					console.log(`Policy applied successfully on port ${port}`);
+					return;
+				} else {
+					console.log(`Policy Unexpected response code: ${stdout}`);
+					lastError = new Error(`Unexpected response code: ${stdout}`);
+				}
+			} catch (error) {
+				console.log(`Error notifying openappsec to apply the policy on port ${port}: ${error.message}`);
+				lastError = error;
+			}
+		}
+
+		if (lastError) {
+			throw lastError;
+		}
+	},
+
 	/**
 	 * Recursively removes nodes from a JavaScript object based on a pattern.
 	*
--- a/backend/internal/openappsec-log.js
+++ b/backend/internal/openappsec-log.js
@@ -100,7 +100,6 @@ const internalOpenappsecLog = {
 			.then(async () => {
 				const directoryPath = APPSEC_LOG_DIR;
 				let totalDataLines = await this.countTotalLines(directoryPath);
-				console.log("totalLineCount: " + totalDataLines);

 				const files = await fs.promises.readdir(directoryPath);
 				const logFiles = files.filter(file => path.extname(file).startsWith('.log'));
--- a/backend/internal/proxy-host.js
+++ b/backend/internal/proxy-host.js
@@ -95,9 +95,14 @@ const internalProxyHost = {
 					});
 			})
 			.then(row => {
-				internalNginxOpenappsec.generateConfig(access, row, data)
-									return row;
-							})
+				return internalNginxOpenappsec.generateConfig(access, row, data)
+					.then(() => {
+						return row;
+					})
+					.catch((err) => {
+						throw new error.ConfigurationError(err.message);
+					});
+			})
 			.then((row) => {
 				// Audit log
 				data.meta = _.assign({}, data.meta || {}, row.meta);
@@ -174,10 +179,14 @@ const internalProxyHost = {
 				}
 			})
 			.then(row => {
-				internalNginxOpenappsec.generateConfig(access, row, data);
-				// internalNginxOpenappsec.updateConfig(row, data)
-					return row;
-							})
+				return internalNginxOpenappsec.generateConfig(access, row, data)
+					.then(() => {
+						return row;
+					})
+					.catch((err) => {
+						throw new error.ConfigurationError(err.message);
+					});
+			})
 			.then((row) => {
 				// Add domain_names to the data in case it isn't there, so that the audit log renders correctly. The order is important here.
 				data = _.assign({}, {
@@ -316,7 +325,11 @@ const internalProxyHost = {
 					})
 					.then(() => {
 						// Delete openappsec config
-						internalNginxOpenappsec.deleteConfig(access, row);
+						return internalNginxOpenappsec.deleteConfig(access, row)
+						.catch((err) => {
+							throw new error.ConfigurationError(err.message);
+						});
+						
 					})
 					.then(() => {
 						// Delete Nginx Config
--- a/backend/lib/constants.js
+++ b/backend/lib/constants.js
@@ -2,4 +2,8 @@ module.exports = {
 	APPSEC_CONFIG_FILE_NAME: 'local_policy.yaml',
 	APPSEC_EXT_DIR: '/ext/appsec',
 	APPSEC_LOG_DIR: '/ext/appsec-logs',
+	USE_NOTIFY_POLICY: true,
+	PORTS: [7777, 7778],
+	HOSTURL: 'http://127.0.0.1',
+	POLICY_PATH: '/etc/cp/conf/local_policy.yaml',
 };
--- a/frontend/js/app/openappsec-log/list-all/item.ejs
+++ b/frontend/js/app/openappsec-log/list-all/item.ejs
@@ -1,29 +1,6 @@

-<td>
-    <%- formatDbDate(eventTime, 'D-M-YYYY, H:mm') %>
-</td>
-<td>
-    <div class="text-nowrap">
-        <% var sevirityClass = 'bg-success'; 
-        switch (eventSeverity) {
-            case 'Critical':
-                sevirityClass = 'bg-danger';
-                break;
-            case 'Warning':
-                sevirityClass = 'bg-warning';
-                break;
-            case 'Info':
-                sevirityClass = 'bg-success';
-                //sevirityClass = 'bg-info';
-                break;
-            case 'Debug':
-                sevirityClass = 'bg-success';
-                break;
-        }
-        %>  
-        <span class="status-icon <%- sevirityClass %>"></span> <%- eventSeverity %>
-    </div>
-</td>
+<td><%- formatDbDate(eventTime, 'D-M-YY, H:mm') %></td>
+<td><%- eventSeverity %></td>
 <td><%- assetName %></td>
 <td><%- securityAction %></td>
 <td><%- waapIncidentType %></td>
@@ -34,10 +11,10 @@
 <td><%- httpMethod %></td>
 <td><%- httpResponseCode %></td>
 <td><%- httpUriPath %></td>
-<td><%- protectionName %></td>
+<td><%- eventTopic %></td>
 <td><%- matchedLocation %></td>
 <td><%- matchedParameter %></td>
 <td><%- matchedSample %></td>
 <td class="text-right">
    <a href="#" class="meta btn btn-secondary btn-sm">open</a>
-</td>
+</td>
--- a/frontend/js/app/openappsec-log/list-all/main.ejs
+++ b/frontend/js/app/openappsec-log/list-all/main.ejs
@@ -11,7 +11,7 @@
    <th>HTTP Method</th>
    <th>HTTP Response Code</th>
    <th>HTTP URI Path</th>
-    <th>Protection Name</th>
+    <th>Event Topic</th>
    <th>Matched Location</th>
    <th>Matched Parameter</th>
    <th>Matched Sample</th>
--- a/frontend/js/app/openappsec-log/list-all/main.js
+++ b/frontend/js/app/openappsec-log/list-all/main.js
@@ -8,7 +8,6 @@ let TableBody = Mn.CollectionView.extend({

    initialize: function (options) {
        this.options = new Backbone.Model(options);
-        console.log("options: ", options);
        // this.page = options.page;
        // this.perPage = options.perPage;
        this.updatePage();
@@ -20,22 +19,12 @@ let TableBody = Mn.CollectionView.extend({
        let page = this.page || 1;
        let models;
        if (this.perPage && this.page) {
-            console.log('updatePage2');
            models = this.collection.models.slice((page - 1) * perPage, page * perPage);
        } else {
-            console.log('updatePage3');
-
            models = this.collection.models;
        }
        this.collection.reset(models);
    }
-
-    // updatePage: function () {
-    //     let perPage = this.perPage || this.collection.length;
-    //     let page = this.page || 1;
-    //     let models = this.collection.models.slice((page - 1) * perPage, page * perPage);
-    //     this.collection.reset(models);
-    // }
 });

 module.exports = Mn.View.extend({
--- a/frontend/js/app/openappsec-log/list-important/item.ejs
+++ b/frontend/js/app/openappsec-log/list-important/item.ejs
@@ -1,29 +1,6 @@

-<td>
-    <%- formatDbDate(eventTime, 'D-M-YY, H:mm') %>
-</td>
-<td>
-    <div class="text-nowrap">
-        <% var sevirityClass = 'bg-success'; 
-        switch (eventSeverity) {
-            case 'Critical':
-                sevirityClass = 'bg-danger';
-                break;
-            case 'Warning':
-                sevirityClass = 'bg-warning';
-                break;
-            case 'Info':
-                sevirityClass = 'bg-success';
-                //sevirityClass = 'bg-info';
-                break;
-            case 'Debug':
-                sevirityClass = 'bg-success';
-                break;
-        }
-        %>  
-        <span class="status-icon <%- sevirityClass %>"></span> <%- eventSeverity %>
-    </div>
-</td>
+<td><%- formatDbDate(eventTime, 'D-M-YY, H:mm') %></td>
+<td><%- eventSeverity %></td>
 <td><%- assetName %></td>
 <td><%- securityAction %></td>
 <td><%- waapIncidentType %></td>
@@ -34,7 +11,7 @@
 <td><%- httpMethod %></td>
 <td><%- httpResponseCode %></td>
 <td><%- httpUriPath %></td>
-<td><%- protectionName %></td>
+<td><%- eventTopic %></td>
 <td><%- matchedLocation %></td>
 <td><%- matchedParameter %></td>
 <td><%- matchedSample %></td>
--- a/frontend/js/app/openappsec-log/list-important/main.ejs
+++ b/frontend/js/app/openappsec-log/list-important/main.ejs
@@ -11,7 +11,7 @@
    <th>HTTP Method</th>
    <th>HTTP Response Code</th>
    <th>HTTP URI Path</th>
-    <th>Protection Name</th>
+    <th>Event Topic</th>
    <th>Matched Location</th>
    <th>Matched Parameter</th>
    <th>Matched Sample</th>
--- a/frontend/js/app/openappsec-log/list-important/main.js
+++ b/frontend/js/app/openappsec-log/list-important/main.js
@@ -15,7 +15,6 @@ let TableBody = Mn.CollectionView.extend({
    },

    updatePage: function () {
-        console.log('updatePage');
        let models = this.collection.models.slice((this.page - 1) * this.perPage, this.page * this.perPage);
        this.collection.reset(models);
    }
--- a/frontend/js/app/openappsec-log/list-notifications/item.ejs
+++ b/frontend/js/app/openappsec-log/list-notifications/item.ejs
@@ -1,27 +1,5 @@
-
 <td><%- formatDbDate(eventTime, 'D-M-YY, H:mm') %></td>
-<td>
-    <div class="text-nowrap">
-        <% var sevirityClass = 'bg-success'; 
-        switch (eventSeverity) {
-            case 'Critical':
-                sevirityClass = 'bg-danger';
-                break;
-            case 'Warning':
-                sevirityClass = 'bg-warning';
-                break;
-            case 'Info':
-                sevirityClass = 'bg-success';
-                //sevirityClass = 'bg-info';
-                break;
-            case 'Debug':
-                sevirityClass = 'bg-success';
-                break;
-        }
-        %>  
-        <span class="status-icon <%- sevirityClass %>"></span> <%- eventSeverity %>
-    </div>
-</td>
+<td><%- eventSeverity %></td>
 <td><%- eventPriority %></td>
 <td><%- eventTopic %></td>
 <td><%- eventName %></td>
--- a/frontend/js/app/openappsec-log/list-notifications/main.js
+++ b/frontend/js/app/openappsec-log/list-notifications/main.js
@@ -15,7 +15,6 @@ let TableBody = Mn.CollectionView.extend({
    },

    updatePage: function () {
-        console.log('updatePage');
        let models = this.collection.models.slice((this.page - 1) * this.perPage, this.page * this.perPage);
        this.collection.reset(models);
    }
--- a/frontend/js/app/openappsec-log/main.js
+++ b/frontend/js/app/openappsec-log/main.js
@@ -182,24 +182,6 @@ module.exports = Mn.View.extend({
    onTabClick: function(event) {
        event.preventDefault();
        const selectedTab = event.target.id;
-    
-        console.log("selectedTab: ", selectedTab);
-
-        // let ListView;
-        // switch (selectedTab) {
-        //     case 'tab1':
-        //         ListView = ListViewTab1;
-        //         break;
-        //     case 'tab2':
-        //         ListView = ListViewTab2;
-        //         break;
-        //     case 'tab3':
-        //         ListView = ListViewTab3;
-        //         break;
-        //     default:
-        //         ListView = ListViewTab1;
-        // }
-
        let view = this;
        let query = this.ui.query.val() || '';