Merge pull request #2358 from tpurschke/develop

Develop hotfix - accidental demo device deletion
CactuseSecurity · Mar 18, 2024 · c4df3e7 · c4df3e7
2 parents d2239e4 + a008136
commit c4df3e7
Show file tree

Hide file tree

Showing 11 changed files with 75 additions and 88 deletions.
diff --git a/documentation/developer-docs/csharp/blazor/blazorTable/README.md b/documentation/developer-docs/csharp/blazor/blazorTable/README.md
@@ -1,2 +1,8 @@
 -  [Github Site](https://github.com/IvanJosipovic/BlazorTable)
 -  [Feature Site](https://blazortable.netlify.app/)
+- adding a project to the solution
+
+            tim@acantha22:~/dev/firewall-orchestrator/roles$ dotnet sln FWO.sln add lib/files/FWO.Encryption/FWO.Encryption.csproj
+            Project `lib/files/FWO.Encryption/FWO.Encryption.csproj` added to the solution.
+            tim@acantha22:~/dev/firewall-orchestrator/roles$ 
+            
diff --git a/documentation/revision-history-develop.md b/documentation/revision-history-develop.md
@@ -180,5 +180,5 @@ bugfix release:
 - iconify modelling
 - add missing config values
 
-# 8.0.2 - 29.02.2024 DEVELOP
-- adding firewall importer support for NSX
+# 8.0.2 - 11.03.2024 DEVELOP
+- first version of NSX import module
diff --git a/roles/importer/files/importer/checkpointR8x/cp_getter.py b/roles/importer/files/importer/checkpointR8x/cp_getter.py
@@ -1,6 +1,5 @@
 # library for API get functions
 from asyncio.log import logger
-# from distutils.log import debug
 import json
 import re
 import requests, requests.packages

diff --git a/roles/importer/files/importer/fwo_api.py b/roles/importer/files/importer/fwo_api.py
@@ -1,6 +1,5 @@
 # library for FWORCH API calls
 from asyncio.log import logger
-# from distutils.log import debug
 import re
 import traceback
 from sqlite3 import Timestamp

diff --git a/roles/lib/files/FWO.Api.Client/APIcalls/device/updateCredential.graphql b/roles/lib/files/FWO.Api.Client/APIcalls/device/updateCredential.graphql
@@ -2,7 +2,7 @@ mutation updateCredential(
   $id: Int!
   $username: String!
   $secret: String!
-  $sshPublicKey: String!
+  $sshPublicKey: String
   $credential_name: String!
   $isKeyPair: Boolean
   $cloudClientId: String

diff --git a/roles/lib/files/FWO.Api.Client/Data/GlobalConstants.cs b/roles/lib/files/FWO.Api.Client/Data/GlobalConstants.cs
@@ -5,6 +5,9 @@ namespace FWO.Api.Data
     /// </summary>
     public struct GlobalConst
     {
+        public const string kFwoBaseDir = "/usr/local/fworch";
+        public const string kMainKeyFile = kFwoBaseDir + "/etc/secrets/main_key";
+
         public const string kEnglish = "English";
 
         public const int kSidebarLeftWidth = 300;
@@ -25,5 +28,8 @@ public struct GlobalConst
         public const string kManual = "manual";
         public const string kModellerGroup = "ModellerGroup_";
         public const string kImportChangeNotify = "importChangeNotify";
+
+        public const string kLdapInternalPostfix = "dc=fworch,dc=internal";
+
     }
 }
diff --git a/roles/sample-data/tasks/create-devices.yml b/roles/sample-data/tasks/create-devices.yml
@@ -5,6 +5,15 @@
     importer_hostname: "{{ hostvars[inventory_hostname].ansible_hostname }}"
   when: importer_hostname == 'localhost'
 
+- name: default credential id = -1 (test)
+  set_fact:
+    credential_id: -1
+
+- name: pick the correct credential id
+  set_fact:
+    credential_id: 0
+  when: sample_role_purpose is not match('test')
+
 - block: # demo & test
 
     - name: insert sample fortiOS management
@@ -14,7 +23,7 @@
           DO $do$ BEGIN 
           IF NOT EXISTS (SELECT * FROM management WHERE mgm_name='{{ sample_fortigate_name }}') THEN 
           insert into management (dev_typ_id,mgm_name,import_credential_id,ssh_hostname,do_not_import,importer_hostname) 
-          VALUES (24,'{{ sample_fortigate_name }}',-1,'{{ demo_fos_uri }}',false,'{{ importer_hostname }}'); 
+          VALUES (24,'{{ sample_fortigate_name }}',{{ credential_id }},'{{ demo_fos_uri }}',false,'{{ importer_hostname }}'); 
           END IF; END $do$ 
 
     - name: insert sample fortiOS gateway
@@ -40,7 +49,7 @@
             IF NOT EXISTS (SELECT * FROM management WHERE mgm_name='{{ sample_checkpoint_name }}') THEN 
               insert into management 
                 (dev_typ_id,mgm_name,import_credential_id,ssh_hostname,do_not_import,importer_hostname) 
-                VALUES (9,'{{ sample_checkpoint_name }}',-1,'{{ demo_cpr8x_uri }}',false,'{{ importer_hostname }}'); 
+                VALUES (9,'{{ sample_checkpoint_name }}',{{ credential_id }},'{{ demo_cpr8x_uri }}',false,'{{ importer_hostname }}'); 
             END IF;
           END $do$ 
 
@@ -66,7 +75,7 @@
           DO $do$ BEGIN 
           IF NOT EXISTS (SELECT * FROM management WHERE mgm_name='{{ sample_checkpoint_name }}') THEN 
           insert into management (dev_typ_id,mgm_name,import_credential_id,ssh_hostname,do_not_import,importer_hostname) 
-          VALUES (9,'{{ sample_checkpoint_name }}',-1,'{{ sample_checkpoint_uri }}',false,'dummy importer hostname'); 
+          VALUES (9,'{{ sample_checkpoint_name }}',{{ credential_id }},'{{ sample_checkpoint_uri }}',false,'dummy importer hostname'); 
           END IF; END $do$ 
 
     - name: insert test check point R8x gateway {{ sample_checkpoint_name }}

diff --git a/roles/test/handlers/main.yml b/roles/test/handlers/main.yml
@@ -15,24 +15,6 @@
   listen: "test importer handler"
 
 - block:
-  - name: delete test fortinet gateway
-    postgresql_query:
-      db: "{{ fworch_db_name }}"
-      query: >
-        DO $do$ BEGIN 
-        DELETE FROM device WHERE dev_name='{{ test_fortigate_name }}'; 
-        END $do$ 
-    listen: "test importer handler"
-
-  - name: delete test fortinet management
-    postgresql_query:
-      db: "{{ fworch_db_name }}"
-      query: >
-        DO $do$ BEGIN 
-        DELETE FROM management WHERE mgm_name='{{ test_fortigate_name }}'; 
-        END $do$
-    listen: "test importer handler"
-
   - name: delete test checkpoint R8x credentials cascading to deletion of mgmt and gw 
     postgresql_query:
       db: "{{ fworch_db_name }}"
@@ -42,30 +24,12 @@
         END $do$ 
     listen: "test importer handler"
 
-  - name: delete tenant tenant1
-    postgresql_query:
-      db: "{{ fworch_db_name }}"
-      query: >
-        DO $do$ BEGIN 
-        DELETE FROM tenant WHERE tenant_name='tenant1{{ sample_postfix }}'; 
-        END $do$
-    listen: "test importer handler"
-
-  # - name: delete devices for tenant tenant1
-  #   postgresql_query:
-  #     db: "{{ fworch_db_name }}"
-  #     query: >
-  #       DO $do$ BEGIN 
-  #       DELETE FROM tenant_to_device WHERE tenant_id=(SELECT tenant_id FROM tenant WHERE tenant_name='tenant1{{ sample_postfix }}'); 
-  #       END $do$
-  #   listen: "test importer handler"
-
-  - name: delete tenant tenant2
+  - name: delete tenants tenant1_test and tenant2_test
     postgresql_query:
       db: "{{ fworch_db_name }}"
       query: >
         DO $do$ BEGIN 
-        DELETE FROM tenant WHERE tenant_name='tenant2{{ sample_postfix }}'; 
+        DELETE FROM tenant WHERE tenant_name='tenant1{{ test_postfix }}' OR tenant_name='tenant2{{ test_postfix }}'; 
         END $do$
     listen: "test importer handler"
 

diff --git a/roles/test/tasks/test-importer.yml b/roles/test/tasks/test-importer.yml
@@ -24,7 +24,6 @@
   become_user: "{{ fworch_user }}"
   environment: "{{ proxy_env }}"
 
-
 - name: make test fortigate import
   command: "python3 ./import-mgm.py -f -s -m{{ test_fortigate_mgm_id.query_result.0.mgm_id }}"
   args:

diff --git a/roles/ui/files/FWO.UI/Shared/SettingsLayout.razor b/roles/ui/files/FWO.UI/Shared/SettingsLayout.razor
@@ -142,9 +142,12 @@
                 <h5>@(userConfig.GetText("personal"))</h5>
             </li>
             <li class="nav-item px-2">
-                <NavLink class="nav-link" href="settings/password">
-                    <span class="@Icons.Login"></span> @(userConfig.GetText("password"))
-                </NavLink>
+                @if (userConfig.User.Dn.EndsWith(GlobalConst.kLdapInternalPostfix))
+                {
+                    <NavLink class="nav-link" href="settings/password">
+                        <span class="@Icons.Login"></span> @(userConfig.GetText("password"))
+                    </NavLink>
+                }
                 <NavLink class="nav-link" href="settings/language">
                     <span class="@Icons.Language"></span> @(userConfig.GetText("language"))
                 </NavLink>

diff --git a/scripts/customizing/modelling/convertNwObjDataExample.py b/scripts/customizing/modelling/convertNwObjDataExample.py
@@ -120,44 +120,46 @@ def extractSocketInfo(asset, services):
     normSubnetData = { "subnets": {}, "zones": {}, "areas": {} }
     snId = 0
     for subnet in subnetAr:
-        naId = subnet['Subnetzname'][2:4]
-        subnetIp = subnet['Subnetzadresse']
-        netmask = subnet['Subnetzmaske']
-        cidr = str(ipaddress.ip_network(subnetIp + '/' + netmask))
-
-        nameParts = subnet['Subnetzname'].split('.')
-        zoneName = nameParts[1]
-        if len(nameParts)>=3:
-            subnetName = nameParts[2]
-        else:
-            subnetName = ""
-
-        zoneNamePartsDots = nameParts[0].split('.')
-
-        zoneNamePartsUnderscore = zoneNamePartsDots[0].split('_')
-        zoneId = zoneNamePartsUnderscore[0][2:7]
-        areaName = '_'.join(zoneNamePartsUnderscore[1:])
-        normSubnet = {
-            "na-id": naId,
-            "na-name": areaName,
-            "zone-id": zoneId,
-            "zone-name": zoneName,
-            "ip": cidr,
-            "name": subnetName
-        }
-        normSubnetData['subnets'].update({ snId: normSubnet})
-        snId += 1;
-
-        # filling areas
-        if not naId in normSubnetData['areas']:
-            normSubnetData['areas'].update({ naId: {"area-name": areaName, "area-id": naId, "subnets": [], "zones": [] }})
-        normSubnetData['areas'][naId]['subnets'].append({"ip": cidr, "name": subnetName })
-        normSubnetData['areas'][naId]['zones'].append({"zone-id": zoneId, "zone-name": zoneName })
-
-        # filling zones
-        if not zoneId in normSubnetData['zones']:
-            normSubnetData['zones'].update({ zoneId: { "zone-name": zoneName, "subnets": [] }})
-        normSubnetData['zones'][zoneId]['subnets'].append({"ip": cidr, "name": subnetName })
+        # ignore all "reserved" subnets whose name starts with "RES"
+        if not subnet['Subnetzname'].startswith('RES'):
+            naId = subnet['Subnetzname'][2:4]
+            subnetIp = subnet['Subnetzadresse']
+            netmask = subnet['Subnetzmaske']
+            cidr = str(ipaddress.ip_network(subnetIp + '/' + netmask))
+
+            nameParts = subnet['Subnetzname'].split('.')
+            zoneName = nameParts[1]
+            if len(nameParts)>=3:
+                subnetName = nameParts[2]
+            else:
+                subnetName = ""
+
+            zoneNamePartsDots = nameParts[0].split('.')
+
+            zoneNamePartsUnderscore = zoneNamePartsDots[0].split('_')
+            zoneId = zoneNamePartsUnderscore[0][2:7]
+            areaName = '_'.join(zoneNamePartsUnderscore[1:])
+            normSubnet = {
+                "na-id": naId,
+                "na-name": areaName,
+                "zone-id": zoneId,
+                "zone-name": zoneName,
+                "ip": cidr,
+                "name": subnetName
+            }
+            normSubnetData['subnets'].update({ snId: normSubnet})
+            snId += 1;
+
+            # filling areas
+            if not naId in normSubnetData['areas']:
+                normSubnetData['areas'].update({ naId: {"area-name": areaName, "area-id": naId, "subnets": [], "zones": [] }})
+            normSubnetData['areas'][naId]['subnets'].append({"ip": cidr, "name": subnetName })
+            normSubnetData['areas'][naId]['zones'].append({"zone-id": zoneId, "zone-name": zoneName })
+
+            # filling zones
+            if not zoneId in normSubnetData['zones']:
+                normSubnetData['zones'].update({ zoneId: { "zone-name": zoneName, "subnets": [] }})
+            normSubnetData['zones'][zoneId]['subnets'].append({"ip": cidr, "name": subnetName })
 
     # transform output
     transfSubnetData = { "areas": [] }