Current File : //proc/self/root/opt/imunify360/venv/share/imunify360/scripts/update_components_versions.py
#!/opt/imunify360/venv/bin/python3

"""
This program is free software: you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License,
or (at your option) any later version.


This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License for more details.


You should have received a copy of the GNU General Public License
 along with this program.  If not, see <https://www.gnu.org/licenses/>.

Copyright © 2019 Cloud Linux Software Inc.

This software is also available under ImunifyAV commercial license,
see <https://www.imunify360.com/legal/eula>


This script enables the functionality of WAF Ruleset Configurator.

AppVersionDetector is used to fill in and update the components_versions
database with the information on which CMS is used in each of the passed
document roots (or directories therein).

If the user has app_specific_rules option enabled we also use this
information to disable sets of ModSecurity rules for each directory
using tags.
"""

import argparse
import asyncio
import json
import sys
from base64 import b64encode
from codecs import encode
from subprocess import PIPE, CalledProcessError, run

from defence360agent.contracts.config import FileBasedResourceLimits, \
    ANTIVIRUS_MODE
from defence360agent.utils import resource_limits

APP_VERSION_DETECTOR_CMD = [
    "/opt/app-version-detector/app-version-detector-wrapper.sh",
    "--sqlite-db-report="
    "/var/lib/cloudlinux-app-version-detector/components_versions.sqlite3",
    "--stdin-dirs",
    "--pathes-in-base64",
    "--scan-depth=2",
    "--send-stats",
]
APP_VERSION_DETECTOR_INTENSITY_KEY = "app_version_detector"
LIST_DOCROOTS_CMD = ["imunify360-agent", "list-docroots", "--json"]
UPDATE_RULES_CMD = ["imunify360-agent", "rules", "update-app-specific-rules"]


async def update():
    parser = argparse.ArgumentParser()
    parser.add_argument(
        '--update-modsec-rulesets',
        action='store_true',
        help='Also change ModSecurity rulesets',
    )
    args = parser.parse_args(sys.argv[1:])

    doc_roots = json.loads(
        run(
            LIST_DOCROOTS_CMD, stdout=PIPE, stderr=PIPE, check=True
        ).stdout.decode()
    )["items"]

    if not doc_roots:
        return

    stdin = b"\n".join(
        (b",".join([encode(domain, "idna"), b64encode(doc_root.encode())]))
        for doc_root, domain in doc_roots.items()
    )

    cmd = APP_VERSION_DETECTOR_CMD
    p = await resource_limits.create_subprocess(
        cmd,
        intensity_cpu=FileBasedResourceLimits.CPU,
        intensity_io=FileBasedResourceLimits.IO,
        key=APP_VERSION_DETECTOR_INTENSITY_KEY,
        stdout=PIPE,
        stderr=PIPE,
        stdin=PIPE,
    )
    out, err = await p.communicate(input=stdin)
    if p.returncode != 0:
        raise CalledProcessError(
            p.returncode, cmd, output=out, stderr=err
        )

    if args.update_modsec_rulesets and not ANTIVIRUS_MODE:
        run(
            UPDATE_RULES_CMD,
            stdout=PIPE,
            stderr=PIPE,
            check=True,
        )


async def main():
    try:
        await update()
    except CalledProcessError as e:
        sys.exit(
            f"Command {e.cmd} returned non-zero code {e.returncode},"
            f'\n\t\tStdout: {e.stdout.decode("utf-8", "backslashreplace")},'
            f'\n\t\tStderr: {e.stderr.decode("utf-8", "backslashreplace")}\n'
        )


if __name__ == "__main__":
    asyncio.run(main())