first open-appsec support

2025-08-07 18:03:33 +00:00 · 2023-12-06 11:59:21 +02:00
parent 81a38957bf
commit f9ae99ea49
22 changed files with 440 additions and 8 deletions
--- a/backend/internal/proxy-host.js
+++ b/backend/internal/proxy-host.js
@@ -4,8 +4,12 @@ const utils               = require('../lib/utils');
 const proxyHostModel      = require('../models/proxy_host');
 const internalHost        = require('./host');
 const internalNginx       = require('./nginx');
+const internalNginxOpenappsec= require('./nginx-openappsec');
 const internalAuditLog    = require('./audit-log');
 const internalCertificate = require('./certificate');
+const fs                  = require('fs');
+const path                = require('path');
+const yaml                = require('js-yaml');

 function omissions () {
 	return ['is_deleted'];
@@ -48,9 +52,15 @@ const internalProxyHost = {
 				data.owner_user_id = access.token.getUserId(1);
 				data               = internalHost.cleanSslHstsData(data);

+				let db_data = _.assign({}, data);
+				// Remove the openappsec fields from data. they are not in the database.
+				delete db_data.use_openappsec;
+				delete db_data.openappsec_mode;
+				delete db_data.minimum_confidence;
+				
 				return proxyHostModel
 					.query()
-					.insertAndFetch(data)
+					.insertAndFetch(db_data)
 					.then(utils.omitRow(omissions()));
 			})
 			.then((row) => {
@@ -84,6 +94,10 @@ const internalProxyHost = {
 						return row;
 					});
 			})
+			.then(row => {
+				internalNginxOpenappsec.generateConfig(access, row, data)
+									return row;
+							})
 			.then((row) => {
 				// Audit log
 				data.meta = _.assign({}, data.meta || {}, row.meta);
@@ -159,6 +173,11 @@ const internalProxyHost = {
 					return row;
 				}
 			})
+			.then(row => {
+				internalNginxOpenappsec.generateConfig(access, row, data);
+				// internalNginxOpenappsec.updateConfig(row, data)
+					return row;
+							})
 			.then((row) => {
 				// Add domain_names to the data in case it isn't there, so that the audit log renders correctly. The order is important here.
 				data = _.assign({}, {
@@ -167,6 +186,11 @@ const internalProxyHost = {

 				data = internalHost.cleanSslHstsData(data, row);

+				// Remove the openappsec fields from data. they are not in the database
+				delete data.use_openappsec;
+				delete data.openappsec_mode;
+				delete data.minimum_confidence;
+
 				return proxyHostModel
 					.query()
 					.where({id: data.id})
@@ -247,6 +271,22 @@ const internalProxyHost = {
 				if (typeof data.omit !== 'undefined' && data.omit !== null) {
 					row = _.omit(row, data.omit);
 				}
+				return row;
+			})
+			.then((row) => {
+				// add openappsec fields to row
+				try {
+					const configFilePath = internalNginxOpenappsec.getConfigFilePath(access);
+					const openappsecConfig = yaml.load(fs.readFileSync(configFilePath, 'utf8'));
+					let result = internalNginxOpenappsec.getOpenappsecFields(openappsecConfig, row.id);
+					row.use_openappsec = result.use_openappsec;
+					row.openappsec_mode = result.mode;
+					row.minimum_confidence = result.minimum_confidence;
+				}
+				catch (e) {
+					console.log("Error reading openappsec config file: " + e);
+				}
+
 				return row;
 			});
 	},
@@ -274,6 +314,10 @@ const internalProxyHost = {
 					.patch({
 						is_deleted: 1
 					})
+					.then(() => {
+						// Delete openappsec config
+						internalNginxOpenappsec.deleteConfig(access, row);
+					})
 					.then(() => {
 						// Delete Nginx Config
 						return internalNginx.deleteConfig('proxy_host', row)
@@ -430,6 +474,21 @@ const internalProxyHost = {
 				return query.then(utils.omitRows(omissions()));
 			})
 			.then((rows) => {
+				// add openappsec fields to rows
+				try {
+					const configFilePath = internalNginxOpenappsec.getConfigFilePath(access);
+					const openappsecConfig = yaml.load(fs.readFileSync(configFilePath, 'utf8'));
+					rows.map(function (row, idx) {
+						let result = internalNginxOpenappsec.getOpenappsecFields(openappsecConfig, row.id);
+						rows[idx].use_openappsec = result.use_openappsec;
+						rows[idx].openappsec_mode = result.mode;
+						rows[idx].minimum_confidence = result.minimum_confidence;
+					});
+				}
+				catch (e) {
+					console.log("Error reading openappsec config file: " + e);
+				}
+				
 				if (typeof expand !== 'undefined' && expand !== null && expand.indexOf('certificate') !== -1) {
 					return internalHost.cleanAllRowsCertificateMeta(rows);
 				}
--- a/backend/package.json
+++ b/backend/package.json
@@ -13,6 +13,7 @@
 		"express": "^4.17.3",
 		"express-fileupload": "^1.1.9",
 		"gravatar": "^1.8.0",
+		"js-yaml": "^4.1.0",
 		"json-schema-ref-parser": "^8.0.0",
 		"jsonwebtoken": "^9.0.0",
 		"knex": "2.4.2",
--- a/backend/routes/api/main.js
+++ b/backend/routes/api/main.js
@@ -29,8 +29,10 @@ router.use('/schema', require('./schema'));
 router.use('/tokens', require('./tokens'));
 router.use('/users', require('./users'));
 router.use('/audit-log', require('./audit-log'));
+router.use('/openappsec-log', require('./openappsec-log'));
 router.use('/reports', require('./reports'));
 router.use('/settings', require('./settings'));
+router.use('/openappsec-settings', require('./openappsec-settings'));
 router.use('/nginx/proxy-hosts', require('./nginx/proxy_hosts'));
 router.use('/nginx/redirection-hosts', require('./nginx/redirection_hosts'));
 router.use('/nginx/dead-hosts', require('./nginx/dead_hosts'));
--- a/backend/schema/definitions.json
+++ b/backend/schema/definitions.json
@@ -137,6 +137,18 @@
        }
      ]
    },
+    "openappsec_mode": {
+      "description": "openappsec_mode ID",
+      "type": "string",
+      "minLength": 1,
+      "maxLength": 255
+    },
+    "minimum_confidence": {
+      "description": "minimum_confidence ID",
+      "type": "string",
+      "minLength": 1,
+      "maxLength": 255
+    },
    "access_list_id": {
      "description": "Access List ID",
      "example": 1234,
@@ -231,6 +243,11 @@
      "example": true,
      "type": "boolean"
    },
+    "use_openappsec": {
+      "description": "Use openappsec",
+      "example": true,
+      "type": "boolean"
+    },
    "caching_enabled": {
      "description": "Should we cache assets",
      "example": true,
--- a/backend/schema/endpoints/proxy-hosts.json
+++ b/backend/schema/endpoints/proxy-hosts.json
@@ -50,6 +50,15 @@
    "block_exploits": {
      "$ref": "../definitions.json#/definitions/block_exploits"
    },
+    "use_openappsec": {
+      "$ref": "../definitions.json#/definitions/use_openappsec"
+    },
+    "openappsec_mode": {
+      "$ref": "../definitions.json#/definitions/openappsec_mode"
+    },
+    "minimum_confidence": {
+      "$ref": "../definitions.json#/definitions/minimum_confidence"
+    },
    "caching_enabled": {
      "$ref": "../definitions.json#/definitions/caching_enabled"
    },
@@ -104,6 +113,15 @@
          },
          "advanced_config": {
            "type": "string"
+          },
+          "use_openappsec": {
+            "type": "boolean"
+          },
+          "openappsec_mode": {
+            "type": "string"
+          },
+          "minimum_confidence": {
+            "type": "string"
          }
        }
      }
@@ -149,6 +167,15 @@
    "block_exploits": {
      "$ref": "#/definitions/block_exploits"
    },
+    "use_openappsec": {
+      "$ref": "#/definitions/use_openappsec"
+    },
+    "openappsec_mode": {
+      "$ref": "#/definitions/openappsec_mode"
+    },
+    "minimum_confidence": {
+      "$ref": "#/definitions/minimum_confidence"
+    },
    "caching_enabled": {
      "$ref": "#/definitions/caching_enabled"
    },
@@ -239,6 +266,15 @@
          "block_exploits": {
            "$ref": "#/definitions/block_exploits"
          },
+          "use_openappsec": {
+            "$ref": "#/definitions/use_openappsec"
+          },
+          "openappsec_mode": {
+            "$ref": "#/definitions/openappsec_mode"
+          },
+          "minimum_confidence": {
+            "$ref": "#/definitions/minimum_confidence"
+          },
          "caching_enabled": {
            "$ref": "#/definitions/caching_enabled"
          },
@@ -312,6 +348,15 @@
          "block_exploits": {
            "$ref": "#/definitions/block_exploits"
          },
+          "use_openappsec": {
+            "$ref": "#/definitions/use_openappsec"
+          },
+          "openappsec_mode": {
+            "$ref": "#/definitions/openappsec_mode"
+          },
+          "minimum_confidence": {
+            "$ref": "#/definitions/minimum_confidence"
+          },
          "caching_enabled": {
            "$ref": "#/definitions/caching_enabled"
          },