Mini Shell
"""
Usage /opt/imunify360/venv/bin/python3 rules_checker.py <action>
choose an action from ACTIONS map
e.g.
/opt/imunify360/venv/bin/python3 rules_checker.py recreate
Actions:
- `recreate` - recreates rules if needed and checks ipsets consistent
- `clear` - waits RulesChecker stop and destroys all rules and ipsets
Actions based on lazy_init plugin
placed in im360.utils.lazy_init
"""
import asyncio
from pathlib import Path
import os
import pickle
import sys
import time
import logging
from defence360agent.internals import logger as lg
from defence360agent.internals.global_scope import g
from defence360agent.model import instance, tls_check
from defence360agent.contracts.config import Model, Merger
from im360.contracts.config import IPSET_LISTS_PATH
from im360.files import WHITELISTS, Index
from im360.internals.core import ip_versions
from im360.internals.strategy import Strategy
from im360.utils.lazy_init import (
RulesChecker,
RealProtector,
RULES_CHECK_IN_PROGRESS,
)
from im360.subsys import smtp_blocking
logger = logging.getLogger("rules-checker")
# go-resident reads from stdout in case we have errors
handler = logging.StreamHandler(sys.stdout)
handler.setLevel(logging.INFO)
logger.addHandler(handler)
STATE = {"last_ipset_check": 0.0}
DAY = 24 * 60 * 60
REAL_PROTECTOR_STATE = Path("/var/imunify360/.realprotector.state")
RULES_CHECKER_STATE = Path("/var/imunify360/.ruleschecker.state")
SMTP_BLOCKING_STATE = Path("/var/imunify360/.smtp_blocking.state")
class RealProtectorState:
"""RealProtector state to save and restore."""
def __init__(self, _ws, _pb_dmv, _pbm, _de, _lic):
self._webshield_status = _ws
self._port_blocking_deny_mode_values = _pb_dmv
self._port_blocking_mode = _pbm
self._dos_enabled = _de
self.last_ipset_check = _lic
def __str__(self) -> str:
return (
"RealProtectorState("
f"_webshield_status={self._webshield_status}, "
f"_port_blocking_mode={self._port_blocking_mode}, "
"_port_blocking_deny_mode_values"
f"={self._port_blocking_deny_mode_values},"
f"last_ipset_check={self.last_ipset_check},"
f"_dos_enabled={self._dos_enabled})"
)
class RulesCheckerState:
def __init__(
self, interface_conf, ipset_outdated_events, outdated_ipsets, versions
):
self._interface_conf = interface_conf
self._ipsets_outdated_events = ipset_outdated_events
self.outdated_ipsets = outdated_ipsets
self.versions = versions
def __str__(self) -> str:
return (
"RulesCheckerState("
f"_interface_conf={self._interface_conf}, "
f"_ipsets_outdated_events={self._ipsets_outdated_events})"
f"outdated_ipsets={self.outdated_ipsets})"
f"versions={self.versions})"
)
class SmtpSettingsState:
def __init__(self, active_settings):
self._active_settings = active_settings
def __str__(self) -> str:
return f"SmtpSettingsState(_active_settings={self._active_settings})"
async def _check_for_config_change(rc: RulesChecker, rp: RealProtector):
"""Checking that config state is consistent with the current state."""
rp._rules_checker = rc
await rp._rules_checker.check_smtp_state_and_reset()
await rp._on_config_update_unlocked(None)
async def recreate_rules(rc: RulesChecker, rp: RealProtector):
"""Recreates rules if needed and checks ipsets consistent."""
logger.info("Checking that need to recreate rules")
# TODO: check if we need to check it too often
# for Python implementation we do it only once per day
if time.time() - STATE["last_ipset_check"] < DAY:
logger.info("Skip ipsets check")
else:
await rc._check_ipsets_consistent()
STATE["last_ipset_check"] = time.time()
await rc.recreate_rules_if_needed()
await _check_for_config_change(rc, rp)
logger.info("IP sets verification and initialization completed")
async def check_config_update(rc: RulesChecker, rp: RealProtector):
"""Checking config update."""
logger.info("Checking config update")
await _check_for_config_change(rc, rp)
logger.info("Completed")
async def check_global_whitelist_update(rc: RulesChecker, rp: RealProtector):
"""Checking config update."""
rp._rules_checker = rc
logger.info("Checking global whitelist update")
await rp.process_global_whitelist_update()
logger.info("Completed")
async def check_country_update(rc: RulesChecker, rp: RealProtector):
"""Checking config update."""
rp._rules_checker = rc
logger.info("Checking country list update")
await rp.process_country_list_update()
logger.info("Completed")
async def recreate_rules_on_strategy_change(
rc: RulesChecker, rp: RealProtector
):
"""Recreates rules if needed and checks ipsets consistent."""
logger.info("Checking that need to recreate rules on strategy change")
await rc.recreate_rules_if_needed()
logger.info(
"Firewall rules recreated due to StrategyChange %s", Strategy.current
)
async def check_ipsets_consistent(rc: RulesChecker, rp: RealProtector):
"""Check ipsets consistent."""
logger.info("Checking ipsets consistent")
await rc._check_ipsets_consistent()
STATE["last_ipset_check"] = time.time()
if any(sets for sets in rc.outdated_ipsets.values()):
await rc.recreate_rules_if_needed()
await _check_for_config_change(rc, rp)
logger.info("Completed")
async def _stop_and_wait(rc: RulesChecker):
rc.should_stop()
await rc.wait()
async def clear_everything(rc: RulesChecker, rp: RealProtector):
"""Clear rules and ipsets on stop."""
logger.info("Clear rules and ipsets")
await _stop_and_wait(rc)
await rc.clear_everything()
logger.info("Completed")
async def clear_rules(rc: RulesChecker, rp: RealProtector):
"""Clear rules on stop."""
logger.info("Clear rules")
await _stop_and_wait(rc)
await rc.clear_rules()
logger.info("Completed")
def setup_environment():
"""Setup environment for rules checker."""
lg.reconfigure()
ip_versions.init()
instance.db.init(Model.PATH)
instance.db.execute_sql("ATTACH ? AS resident", (Model.RESIDENT_PATH,))
instance.db.execute_sql("ATTACH ? AS ipsetlists", (IPSET_LISTS_PATH,))
if os.environ.get("DEBUG") == "true":
g.DEBUG = True
Index.add_type(WHITELISTS, "whitelist/v2", 0o770, 0o660, all_zip=True)
def restore_state(rp: RealProtector, rc: RulesChecker):
"""Restore RealProtector state."""
Strategy.current = Strategy.get()
try:
if REAL_PROTECTOR_STATE.exists():
with REAL_PROTECTOR_STATE.open("rb") as f:
rp_state = pickle.load(f)
rp._webshield_status = rp_state._webshield_status
rp._port_blocking_deny_mode_values = (
rp_state._port_blocking_deny_mode_values
)
rp._port_blocking_mode = rp_state._port_blocking_mode
# next is new functionality and _dos_enabled will be missing
# on startup. Since this is used to prevent adding connection
# tracking to netfilter we basically had this before set to
# True, that is why default value needs to be True
rp._dos_enabled = getattr(rp_state, '_dos_enabled', True)
STATE["last_ipset_check"] = rp_state.last_ipset_check
except Exception as e:
logger.error("Failed to restore RealProtector state: %s", e)
try:
if RULES_CHECKER_STATE.exists():
with RULES_CHECKER_STATE.open("rb") as f:
rc_state = pickle.load(f)
rc.active_interface_conf = rc_state._interface_conf
rc._ipsets_outdated_events = rc_state._ipsets_outdated_events
rc.outdated_ipsets = rc_state.outdated_ipsets
rc.versions = rc_state.versions
for version in rc.versions.keys():
rc.versions[version].running = True
except Exception as e:
logger.error("Failed to restore RulesChecker state: %s", e)
try:
if SMTP_BLOCKING_STATE.exists():
with SMTP_BLOCKING_STATE.open("rb") as f:
smtp_state = pickle.load(f)
for idx, version in enumerate(smtp_blocking.ip_versions.enabled()):
smtp_instance = smtp_blocking.SMTPBlocking(version)
smtp_instance.active_settings = smtp_state._active_settings[
idx
]
except Exception as e:
logger.error("Failed to restore SMTPBlocking state: %s", e)
return rp, rc
def save_state(rp: RealProtector, rc: RulesChecker):
"""Save RealProtector state."""
rp_state = RealProtectorState(
rp._webshield_status,
rp._port_blocking_deny_mode_values,
rp._port_blocking_mode,
rp._dos_enabled,
STATE["last_ipset_check"],
)
rc_state = RulesCheckerState(
rc.active_interface_conf,
rc._ipsets_outdated_events,
rc.outdated_ipsets,
rc.versions,
)
smtp_state = SmtpSettingsState(smtp_blocking.get_active_settings_list())
pickle.dump(rp_state, REAL_PROTECTOR_STATE.open("wb"))
pickle.dump(rc_state, RULES_CHECKER_STATE.open("wb"))
pickle.dump(smtp_state, SMTP_BLOCKING_STATE.open("wb"))
ACTIONS = {
"recreate": recreate_rules,
"clear": clear_everything,
"clear-rules": clear_rules,
"config-update": check_config_update,
"global-whitelist-update": check_global_whitelist_update,
"country-update": check_country_update,
"strategy-change": recreate_rules_on_strategy_change,
"ipsets-consistent": check_ipsets_consistent,
}
def main(action):
try:
RULES_CHECK_IN_PROGRESS.touch()
except Exception as e:
logger.error("Failed to create RULES_CHECK_IN_PROGRESS file: %s", e)
tls_check.reset()
setup_environment()
Merger.update_merged_config()
loop = asyncio.get_event_loop()
rp, rc = restore_state(RealProtector(), RulesChecker(loop))
action = ACTIONS[action]
loop.run_until_complete(action(rc, rp))
save_state(rp, rc)
logger.info("Script finished")
if __name__ == "__main__":
if len(sys.argv) != 2:
print(
"Please provide one action as command line argument."
f" {', '.join(ACTIONS.keys())}"
)
sys.exit(1)
action = sys.argv[1]
if action not in ACTIONS:
RULES_CHECK_IN_PROGRESS.unlink(missing_ok=True)
print(
f"Invalid action: {action}. "
f"Choose from {', '.join(ACTIONS.keys())}"
)
sys.exit(1)
try:
main(action)
except Exception as e:
RULES_CHECK_IN_PROGRESS.unlink(missing_ok=True)
logger.exception("rules checker failed with unhandled error: %r", e)
sys.exit(2)
else:
RULES_CHECK_IN_PROGRESS.unlink(missing_ok=True)