Notify policy updates to open-appsec container.

UI labels in log.
2025-08-07 18:03:33 +00:00 · 2023-12-13 21:51:43 +02:00
parent dbd78e5e03
commit ce84a865f1
13 changed files with 102 additions and 120 deletions
--- a/backend/internal/nginx-openappsec.js
+++ b/backend/internal/nginx-openappsec.js
@@ -1,3 +1,6 @@
+const util = require('util');
+const execPromise = util.promisify(require('child_process').exec);
+const { exec } = require('child_process');
 const _      = require('lodash');
 const fs     = require('fs');
 const logger = require('../logger').nginx;
@@ -100,7 +103,24 @@ const internalNginxOpenappsec = {
 				(err) => {
 					logger.error('Error generating openappsec config:', err);
 					return Promise.reject(err);
+				})
+			.then(() => {
+				// Return the notifyPolicyUpdate promise chain
+				// notify openappsec to apply the policy
+				return internalNginxOpenappsec.notifyPolicyUpdate().catch((errorMessage) => {
+					console.error('Error:', errorMessage);
+					const errorMessageForUI = `Error: Policy couldn’t be applied, open-appsec-agent container is not responding.
+									Check if open-appec-agent container is running, then apply open-appsec Configuration
+									again by clicking here: 
+									<br>Settings -> open-appsec Advanced -> Save Settings`;
+
+					return Promise.reject(new Error(errorMessageForUI));
 				});
+			})
+			.catch((err) => {
+				logger.error('Error generating openappsec config:', err);
+				throw err; // Propagate the error to the caller
+			});
 	},

 	/** 
@@ -122,9 +142,22 @@ const internalNginxOpenappsec = {
 				internalNginxOpenappsec.removeMatchingNodes(openappsecConfig, pattern);
 				fs.writeFileSync(configFilePath, yaml.dump(openappsecConfig));
 			})
-			.catch(err => {
+			.then(() => {
+				// Return the notifyPolicyUpdate promise chain
+				// notify openappsec to apply the policy
+				return internalNginxOpenappsec.notifyPolicyUpdate().catch((errorMessage) => {
+					console.error('---Error:', errorMessage);
+					const errorMessageForUI = `Error: Policy couldn’t be applied, open-appsec-agent container is not responding.
+									Check if open-appec-agent container is running, then apply open-appsec Configuration
+									again by clicking here: 
+									<br>Settings -> open-appsec Advanced -> Save Settings`;
+
+					return Promise.reject(new Error(errorMessageForUI));
+				});
+			})
+			.catch((err) => {
 				logger.error('Error deleting openappsec config:', err);
-				return Promise.reject(err);
+				throw err; // Propagate the error to the caller
 			});
 	},
 	
@@ -180,6 +213,38 @@ const internalNginxOpenappsec = {
 		}
 	},

+	notifyPolicyUpdate: async function() {
+		if (!constants.USE_NOTIFY_POLICY) {
+			console.log('USE_NOTIFY_POLICY is false');
+			return;
+		}
+		let ports = constants.PORTS;
+		console.log(`Notifying openappsec to apply the policy on ports ${ports}`);
+		let lastError = null;
+
+		for (let port of ports) {
+			try {
+				const command = `curl -s -o /dev/null -w "%{http_code}" ${constants.HOSTURL}:${port}/openappsec/apply-policy`;
+				console.log(`command: ${command}`);
+				let { stdout } = await execPromise(command);
+				if (stdout === '200') {
+					console.log(`Policy applied successfully on port ${port}`);
+					return;
+				} else {
+					console.log(`Policy Unexpected response code: ${stdout}`);
+					lastError = new Error(`Unexpected response code: ${stdout}`);
+				}
+			} catch (error) {
+				console.log(`Error notifying openappsec to apply the policy on port ${port}: ${error.message}`);
+				lastError = error;
+			}
+		}
+
+		if (lastError) {
+			throw lastError;
+		}
+	},
+
 	/**
 	 * Recursively removes nodes from a JavaScript object based on a pattern.
 	*
--- a/backend/internal/openappsec-log.js
+++ b/backend/internal/openappsec-log.js
@@ -100,7 +100,6 @@ const internalOpenappsecLog = {
 			.then(async () => {
 				const directoryPath = APPSEC_LOG_DIR;
 				let totalDataLines = await this.countTotalLines(directoryPath);
-				console.log("totalLineCount: " + totalDataLines);

 				const files = await fs.promises.readdir(directoryPath);
 				const logFiles = files.filter(file => path.extname(file).startsWith('.log'));
--- a/backend/internal/proxy-host.js
+++ b/backend/internal/proxy-host.js
@@ -95,9 +95,14 @@ const internalProxyHost = {
 					});
 			})
 			.then(row => {
-				internalNginxOpenappsec.generateConfig(access, row, data)
-									return row;
-							})
+				return internalNginxOpenappsec.generateConfig(access, row, data)
+					.then(() => {
+						return row;
+					})
+					.catch((err) => {
+						throw new error.ConfigurationError(err.message);
+					});
+			})
 			.then((row) => {
 				// Audit log
 				data.meta = _.assign({}, data.meta || {}, row.meta);
@@ -174,10 +179,14 @@ const internalProxyHost = {
 				}
 			})
 			.then(row => {
-				internalNginxOpenappsec.generateConfig(access, row, data);
-				// internalNginxOpenappsec.updateConfig(row, data)
-					return row;
-							})
+				return internalNginxOpenappsec.generateConfig(access, row, data)
+					.then(() => {
+						return row;
+					})
+					.catch((err) => {
+						throw new error.ConfigurationError(err.message);
+					});
+			})
 			.then((row) => {
 				// Add domain_names to the data in case it isn't there, so that the audit log renders correctly. The order is important here.
 				data = _.assign({}, {
@@ -316,7 +325,11 @@ const internalProxyHost = {
 					})
 					.then(() => {
 						// Delete openappsec config
-						internalNginxOpenappsec.deleteConfig(access, row);
+						return internalNginxOpenappsec.deleteConfig(access, row)
+						.catch((err) => {
+							throw new error.ConfigurationError(err.message);
+						});
+						
 					})
 					.then(() => {
 						// Delete Nginx Config
--- a/backend/lib/constants.js
+++ b/backend/lib/constants.js
@@ -2,4 +2,8 @@ module.exports = {
 	APPSEC_CONFIG_FILE_NAME: 'local_policy.yaml',
 	APPSEC_EXT_DIR: '/ext/appsec',
 	APPSEC_LOG_DIR: '/ext/appsec-logs',
+	USE_NOTIFY_POLICY: true,
+	PORTS: [7777, 7778],
+	HOSTURL: 'http://127.0.0.1',
+	POLICY_PATH: '/etc/cp/conf/local_policy.yaml',
 };