first open-appsec support

Author: roybarda

backend/internal/proxy-host.js

@@ -4,8 +4,12 @@ const utils               = require('../lib/utils');
 const proxyHostModel      = require('../models/proxy_host');
 const internalHost        = require('./host');
 const internalNginx       = require('./nginx');
+const internalNginxOpenappsec= require('./nginx-openappsec');
 const internalAuditLog    = require('./audit-log');
 const internalCertificate = require('./certificate');
+const fs                  = require('fs');
+const path                = require('path');
+const yaml                = require('js-yaml');
 
 function omissions () {
 	return ['is_deleted'];
@@ -48,9 +52,15 @@ const internalProxyHost = {
 				data.owner_user_id = access.token.getUserId(1);
 				data               = internalHost.cleanSslHstsData(data);
 
+				let db_data = _.assign({}, data);
+				// Remove the openappsec fields from data. they are not in the database.
+				delete db_data.use_openappsec;
+				delete db_data.openappsec_mode;
+				delete db_data.minimum_confidence;
+				
 				return proxyHostModel
 					.query()
-					.insertAndFetch(data)
+					.insertAndFetch(db_data)
 					.then(utils.omitRow(omissions()));
 			})
 			.then((row) => {
@@ -84,6 +94,10 @@ const internalProxyHost = {
 						return row;
 					});
 			})
+			.then(row => {
+				internalNginxOpenappsec.generateConfig(access, row, data)
+									return row;
+							})
 			.then((row) => {
 				// Audit log
 				data.meta = _.assign({}, data.meta || {}, row.meta);
@@ -159,6 +173,11 @@ const internalProxyHost = {
 					return row;
 				}
 			})
+			.then(row => {
+				internalNginxOpenappsec.generateConfig(access, row, data);
+				// internalNginxOpenappsec.updateConfig(row, data)
+					return row;
+							})
 			.then((row) => {
 				// Add domain_names to the data in case it isn't there, so that the audit log renders correctly. The order is important here.
 				data = _.assign({}, {
@@ -167,6 +186,11 @@ const internalProxyHost = {
 
 				data = internalHost.cleanSslHstsData(data, row);
 
+				// Remove the openappsec fields from data. they are not in the database
+				delete data.use_openappsec;
+				delete data.openappsec_mode;
+				delete data.minimum_confidence;
+
 				return proxyHostModel
 					.query()
 					.where({id: data.id})
@@ -247,6 +271,22 @@ const internalProxyHost = {
 				if (typeof data.omit !== 'undefined' && data.omit !== null) {
 					row = _.omit(row, data.omit);
 				}
+				return row;
+			})
+			.then((row) => {
+				// add openappsec fields to row
+				try {
+					const configFilePath = internalNginxOpenappsec.getConfigFilePath(access);
+					const openappsecConfig = yaml.load(fs.readFileSync(configFilePath, 'utf8'));
+					let result = internalNginxOpenappsec.getOpenappsecFields(openappsecConfig, row.id);
+					row.use_openappsec = result.use_openappsec;
+					row.openappsec_mode = result.mode;
+					row.minimum_confidence = result.minimum_confidence;
+				}
+				catch (e) {
+					console.log("Error reading openappsec config file: " + e);
+				}
+
 				return row;
 			});
 	},
@@ -274,6 +314,10 @@ const internalProxyHost = {
 					.patch({
 						is_deleted: 1
 					})
+					.then(() => {
+						// Delete openappsec config
+						internalNginxOpenappsec.deleteConfig(access, row);
+					})
 					.then(() => {
 						// Delete Nginx Config
 						return internalNginx.deleteConfig('proxy_host', row)
@@ -430,6 +474,21 @@ const internalProxyHost = {
 				return query.then(utils.omitRows(omissions()));
 			})
 			.then((rows) => {
+				// add openappsec fields to rows
+				try {
+					const configFilePath = internalNginxOpenappsec.getConfigFilePath(access);
+					const openappsecConfig = yaml.load(fs.readFileSync(configFilePath, 'utf8'));
+					rows.map(function (row, idx) {
+						let result = internalNginxOpenappsec.getOpenappsecFields(openappsecConfig, row.id);
+						rows[idx].use_openappsec = result.use_openappsec;
+						rows[idx].openappsec_mode = result.mode;
+						rows[idx].minimum_confidence = result.minimum_confidence;
+					});
+				}
+				catch (e) {
+					console.log("Error reading openappsec config file: " + e);
+				}
+				
 				if (typeof expand !== 'undefined' && expand !== null && expand.indexOf('certificate') !== -1) {
 					return internalHost.cleanAllRowsCertificateMeta(rows);
 				}

backend/package.json

@@ -13,6 +13,7 @@
 		"express": "^4.17.3",
 		"express-fileupload": "^1.1.9",
 		"gravatar": "^1.8.0",
+		"js-yaml": "^4.1.0",
 		"json-schema-ref-parser": "^8.0.0",
 		"jsonwebtoken": "^9.0.0",
 		"knex": "2.4.2",

backend/routes/api/main.js

@@ -29,8 +29,10 @@ router.use('/schema', require('./schema'));
 router.use('/tokens', require('./tokens'));
 router.use('/users', require('./users'));
 router.use('/audit-log', require('./audit-log'));
+router.use('/openappsec-log', require('./openappsec-log'));
 router.use('/reports', require('./reports'));
 router.use('/settings', require('./settings'));
+router.use('/openappsec-settings', require('./openappsec-settings'));
 router.use('/nginx/proxy-hosts', require('./nginx/proxy_hosts'));
 router.use('/nginx/redirection-hosts', require('./nginx/redirection_hosts'));
 router.use('/nginx/dead-hosts', require('./nginx/dead_hosts'));

backend/schema/definitions.json

@@ -137,6 +137,18 @@
         }
       ]
     },
+    "openappsec_mode": {
+      "description": "openappsec_mode ID",
+      "type": "string",
+      "minLength": 1,
+      "maxLength": 255
+    },
+    "minimum_confidence": {
+      "description": "minimum_confidence ID",
+      "type": "string",
+      "minLength": 1,
+      "maxLength": 255
+    },
     "access_list_id": {
       "description": "Access List ID",
       "example": 1234,
@@ -231,6 +243,11 @@
       "example": true,
       "type": "boolean"
     },
+    "use_openappsec": {
+      "description": "Use openappsec",
+      "example": true,
+      "type": "boolean"
+    },
     "caching_enabled": {
       "description": "Should we cache assets",
       "example": true,

backend/schema/endpoints/proxy-hosts.json

@@ -50,6 +50,15 @@
     "block_exploits": {
       "$ref": "../definitions.json#/definitions/block_exploits"
     },
+    "use_openappsec": {
+      "$ref": "../definitions.json#/definitions/use_openappsec"
+    },
+    "openappsec_mode": {
+      "$ref": "../definitions.json#/definitions/openappsec_mode"
+    },
+    "minimum_confidence": {
+      "$ref": "../definitions.json#/definitions/minimum_confidence"
+    },
     "caching_enabled": {
       "$ref": "../definitions.json#/definitions/caching_enabled"
     },
@@ -104,6 +113,15 @@
           },
           "advanced_config": {
             "type": "string"
+          },
+          "use_openappsec": {
+            "type": "boolean"
+          },
+          "openappsec_mode": {
+            "type": "string"
+          },
+          "minimum_confidence": {
+            "type": "string"
           }
         }
       }
@@ -149,6 +167,15 @@
     "block_exploits": {
       "$ref": "#/definitions/block_exploits"
     },
+    "use_openappsec": {
+      "$ref": "#/definitions/use_openappsec"
+    },
+    "openappsec_mode": {
+      "$ref": "#/definitions/openappsec_mode"
+    },
+    "minimum_confidence": {
+      "$ref": "#/definitions/minimum_confidence"
+    },
     "caching_enabled": {
       "$ref": "#/definitions/caching_enabled"
     },
@@ -239,6 +266,15 @@
           "block_exploits": {
             "$ref": "#/definitions/block_exploits"
           },
+          "use_openappsec": {
+            "$ref": "#/definitions/use_openappsec"
+          },
+          "openappsec_mode": {
+            "$ref": "#/definitions/openappsec_mode"
+          },
+          "minimum_confidence": {
+            "$ref": "#/definitions/minimum_confidence"
+          },
           "caching_enabled": {
             "$ref": "#/definitions/caching_enabled"
           },
@@ -312,6 +348,15 @@
           "block_exploits": {
             "$ref": "#/definitions/block_exploits"
           },
+          "use_openappsec": {
+            "$ref": "#/definitions/use_openappsec"
+          },
+          "openappsec_mode": {
+            "$ref": "#/definitions/openappsec_mode"
+          },
+          "minimum_confidence": {
+            "$ref": "#/definitions/minimum_confidence"
+          },
           "caching_enabled": {
             "$ref": "#/definitions/caching_enabled"
           },

docker/docker-compose.dev.yml

@@ -33,6 +33,7 @@ services:
     volumes:
       - npm_data:/data
       - le_data:/etc/letsencrypt
+      - ../localconfig:/ext/appsec
       - ../backend:/app
       - ../frontend:/app/frontend
       - ../global:/app/global

frontend/html/partials/header.ejs

@@ -21,6 +21,7 @@
 		<meta name="msapplication-TileColor" content="#333333">
 		<meta name="msapplication-config" content="/images/favicons/browserconfig.xml">
 		<meta name="theme-color" content="#ffffff">
+		<link href="https://fonts.googleapis.com/css2?family=Open+Sans:wght@600&display=swap" rel="stylesheet">
 		<link href="/css/main.css?v=<%= version %>" rel="stylesheet">
 	</head>
 	<body>

frontend/js/app/api.js

@@ -716,6 +716,17 @@ module.exports = {
         }
     },
 
+    OpenappsecLog: {
+        /**
+         * @param   {Array}    [expand]
+         * @param   {String}   [query]
+         * @returns {Promise}
+         */
+        getAll: function (expand, query) {
+            return getAllObjects('openappsec-log', expand, query);
+        }
+    },
+
     Reports: {
 
         /**
@@ -753,5 +764,22 @@ module.exports = {
             delete data.id;
             return fetch('put', 'settings/' + id, data);
         }
+    },
+
+    OpenAppsecSettings: {
+        /**
+         * @returns {Promise}
+         */
+        get: function () {
+            return fetch('get', 'openappsec-settings');
+        },
+
+        /**
+         * @param   {Object}   data
+         * @returns {Promise}
+         */
+        save: function (data) {
+            return fetch('put', 'openappsec-settings', data);
     }
+    },
 };

frontend/js/app/controller.js

@@ -407,6 +407,34 @@ module.exports = {
         }
     },
 
+    /**
+     * openappsec Log
+     */
+    showOpenappsecLog: function () {
+        let controller = this;
+        if (Cache.User.isAdmin()) {
+            require(['./main', './openappsec-log/main'], (App, View) => {
+                controller.navigate('/openappsec-log');
+                App.UI.showAppContent(new View());
+            });
+        } else {
+            this.showDashboard();
+        }
+    },
+
+    /**
+     * openappsec Log Metadata
+     *
+     * @param model
+     */
+    showOpenappsecMeta: function (model) {
+        if (Cache.User.isAdmin()) {
+            require(['./main', './openappsec-log/meta'], function (App, View) {
+                App.UI.showModalDialog(new View({model: model}));
+            });
+        }
+    },
+
     /**
      * Settings
      */

frontend/js/app/nginx/proxy/form.ejs

@@ -72,6 +72,7 @@
                                 </label>
                             </div>
                         </div>
+                        
                         <div class="col-sm-12 col-md-12">
                             <div class="form-group">
                                 <label class="custom-switch">
@@ -90,6 +91,40 @@
                                 </select>
                             </div>
                         </div>
+
+                        <div class="col-sm-12 col-md-12">
+                            <hr class="my-3">
+
+                            <div class="form-group">
+                                <label class="custom-switch">
+                                    <input type="checkbox" class="custom-switch-input" name="use_openappsec" value="1"<%- use_openappsec ? ' checked' : '' %>>
+                                    <span class="custom-switch-indicator"></span>
+                                    <span class="custom-switch-description font-weight-bold">open-appsec</span>
+                                </label>
+                            </div>
+                        </div>
+                        
+                        <div class="col-sm-12 col-md-12">
+                            <div class="form-group row">
+                                <label class="col-sm-6 col-form-label <%- use_openappsec ? '' : ' text-muted' %>">Enforcement Mode</label>
+                                <select name="openappsec_mode" class="col-sm-4 form-control custom-select" placeholder="Please Select" <%- use_openappsec ? '' : ' disabled' %>>
+                                    <option value="detect-learn" <%- openappsec_mode === 'detect-learn' ? 'selected' : '' %>>Detect-Learn</option>
+                                    <option value="prevent-learn" <%- openappsec_mode === 'prevent-learn' ? 'selected' : '' %>>Prevent-Learn</option>
+                                </select>
+                            </div>
+                        </div>
+
+                        <div class="col-sm-12 col-md-12">
+                            <div class="form-group row">
+                                <label class="col-sm-6 col-form-label <%- use_openappsec ? '' : ' text-muted' %>">Minimum confidence for prevent</label>
+                                <select name="minimum_confidence" class="col-sm-4 form-control custom-select" placeholder="Please Select" <%- use_openappsec ? '' : ' disabled' %>>
+                                    <option value="critical" <%- minimum_confidence === 'critical' ? 'selected' : '' %>>Critical</option>
+                                    <option value="high" <%- minimum_confidence === 'high' ? 'selected' : '' %>>High</option>
+                                    <option value="medium" <%- minimum_confidence === 'medium' ? 'selected' : '' %>>Medium</option>
+                                </select>
+                            </div>
+                        </div>
+
                     </div>
                 </div>