aligning to npm 2.12.3

aligning to 2.12.3

Author: roybarda

.version

@@ -1 +1 @@
-2.12.2
+2.12.3

Jenkinsfile

@@ -128,7 +128,7 @@ pipeline {
 					sh 'docker-compose down --remove-orphans --volumes -t 30 || true'
 				}
 				unstable {
-					dir(path: 'testing/results') {
+					dir(path: 'test/results') {
 						archiveArtifacts(allowEmptyArchive: true, artifacts: '**/*', excludes: '**/*.xml')
 					}
 				}
@@ -161,7 +161,7 @@ pipeline {
 					sh 'docker-compose down --remove-orphans --volumes -t 30 || true'
 				}
 				unstable {
-					dir(path: 'testing/results') {
+					dir(path: 'test/results') {
 						archiveArtifacts(allowEmptyArchive: true, artifacts: '**/*', excludes: '**/*.xml')
 					}
 				}
@@ -199,7 +199,7 @@ pipeline {
 					sh 'docker-compose down --remove-orphans --volumes -t 30 || true'
 				}
 				unstable {
-					dir(path: 'testing/results') {
+					dir(path: 'test/results') {
 						archiveArtifacts(allowEmptyArchive: true, artifacts: '**/*', excludes: '**/*.xml')
 					}
 				}

README.md

@@ -1,4 +1,4 @@
-# open-appsec NPM Proxy Manager integration (beta)
+# open-appsec NPM Proxy Manager integration
 This is the repository for the beta release of the new integration of open-appsec WAF with NGINX Proxy Manager.
 This will allow NGINX Proxy Manager (NPM) users to protect their web applications and web APIs exposed by NGINX Proxy Manager by easily activating and configuring open-appsec protection for each of the configured Proxy Host objects in NPM directly from the NPM Web UI and also to monitor security events.
 This new integration of open-appsec WAF with NGINX Proxy Manager not only closes the security gap caused by the soon end-of-life ModSecurity WAF, but provides a modern, strong protection alternative in form of open-appsec, a preemptive, machine-learning based, fully automatic WAF that does not rely on signatures at all.

backend/internal/access-list.js

@@ -258,6 +258,7 @@ const internalAccessList = {
 					})
 					.where('access_list.is_deleted', 0)
 					.andWhere('access_list.id', data.id)
+					.groupBy('access_list.id')
 					.allowGraph('[owner,items,clients,proxy_hosts.[certificate,access_list.[clients,items]]]')
 					.first();
 
@@ -507,8 +508,13 @@ const internalAccessList = {
 								if (typeof item.password !== 'undefined' && item.password.length) {
 									logger.info('Adding: ' + item.username);
 
-									utils.execFile('/usr/bin/htpasswd', ['-b', htpasswd_file, item.username, item.password])
-										.then((/*result*/) => {
+									utils.execFile('openssl', ['passwd', '-apr1', item.password])
+										.then((res) => {
+											try {
+												fs.appendFileSync(htpasswd_file, item.username + ':' + res + '\n', {encoding: 'utf8'});
+											} catch (err) {
+												reject(err);
+											}
 											next();
 										})
 										.catch((err) => {

backend/internal/certificate.js

@@ -313,6 +313,9 @@ const internalCertificate = {
 					.where('is_deleted', 0)
 					.andWhere('id', data.id)
 					.allowGraph('[owner]')
+					.allowGraph('[proxy_hosts]')
+					.allowGraph('[redirection_hosts]')
+					.allowGraph('[dead_hosts]')
 					.first();
 
 				if (access_data.permission_visibility !== 'all') {
@@ -464,6 +467,9 @@ const internalCertificate = {
 					.where('is_deleted', 0)
 					.groupBy('id')
 					.allowGraph('[owner]')
+					.allowGraph('[proxy_hosts]')
+					.allowGraph('[redirection_hosts]')
+					.allowGraph('[dead_hosts]')
 					.orderBy('nice_name', 'ASC');
 
 				if (access_data.permission_visibility !== 'all') {

backend/internal/stream.js

@@ -1,13 +1,15 @@
-const _                = require('lodash');
-const error            = require('../lib/error');
-const utils            = require('../lib/utils');
-const streamModel      = require('../models/stream');
-const internalNginx    = require('./nginx');
-const internalAuditLog = require('./audit-log');
-const {castJsonIfNeed} = require('../lib/helpers');
+const _                   = require('lodash');
+const error               = require('../lib/error');
+const utils               = require('../lib/utils');
+const streamModel         = require('../models/stream');
+const internalNginx       = require('./nginx');
+const internalAuditLog    = require('./audit-log');
+const internalCertificate = require('./certificate');
+const internalHost        = require('./host');
+const {castJsonIfNeed}    = require('../lib/helpers');
 
 function omissions () {
-	return ['is_deleted'];
+	return ['is_deleted', 'owner.is_deleted', 'certificate.is_deleted'];
 }
 
 const internalStream = {
@@ -18,6 +20,12 @@ const internalStream = {
 	 * @returns {Promise}
 	 */
 	create: (access, data) => {
+		const create_certificate = data.certificate_id === 'new';
+
+		if (create_certificate) {
+			delete data.certificate_id;
+		}
+
 		return access.can('streams:create', data)
 			.then((/*access_data*/) => {
 				// TODO: At this point the existing ports should have been checked
@@ -27,16 +35,44 @@ const internalStream = {
 					data.meta = {};
 				}
 
+				// streams aren't routed by domain name so don't store domain names in the DB
+				let data_no_domains = structuredClone(data);
+				delete data_no_domains.domain_names;
+
 				return streamModel
 					.query()
-					.insertAndFetch(data)
+					.insertAndFetch(data_no_domains)
 					.then(utils.omitRow(omissions()));
 			})
+			.then((row) => {
+				if (create_certificate) {
+					return internalCertificate.createQuickCertificate(access, data)
+						.then((cert) => {
+							// update host with cert id
+							return internalStream.update(access, {
+								id:             row.id,
+								certificate_id: cert.id
+							});
+						})
+						.then(() => {
+							return row;
+						});
+				} else {
+					return row;
+				}
+			})
+			.then((row) => {
+				// re-fetch with cert
+				return internalStream.get(access, {
+					id:     row.id,
+					expand: ['certificate', 'owner']
+				});
+			})
 			.then((row) => {
 				// Configure nginx
 				return internalNginx.configure(streamModel, 'stream', row)
 					.then(() => {
-						return internalStream.get(access, {id: row.id, expand: ['owner']});
+						return row;
 					});
 			})
 			.then((row) => {
@@ -60,6 +96,12 @@ const internalStream = {
 	 * @return {Promise}
 	 */
 	update: (access, data) => {
+		const create_certificate = data.certificate_id === 'new';
+
+		if (create_certificate) {
+			delete data.certificate_id;
+		}
+
 		return access.can('streams:update', data.id)
 			.then((/*access_data*/) => {
 				// TODO: at this point the existing streams should have been checked
@@ -71,16 +113,32 @@ const internalStream = {
 					throw new error.InternalValidationError('Stream could not be updated, IDs do not match: ' + row.id + ' !== ' + data.id);
 				}
 
+				if (create_certificate) {
+					return internalCertificate.createQuickCertificate(access, {
+						domain_names: data.domain_names || row.domain_names,
+						meta:         _.assign({}, row.meta, data.meta)
+					})
+						.then((cert) => {
+							// update host with cert id
+							data.certificate_id = cert.id;
+						})
+						.then(() => {
+							return row;
+						});
+				} else {
+					return row;
+				}
+			})
+			.then((row) => {
+				// Add domain_names to the data in case it isn't there, so that the audit log renders correctly. The order is important here.
+				data = _.assign({}, {
+					domain_names: row.domain_names
+				}, data);
+
 				return streamModel
 					.query()
 					.patchAndFetchById(row.id, data)
 					.then(utils.omitRow(omissions()))
-					.then((saved_row) => {
-						return internalNginx.configure(streamModel, 'stream', saved_row)
-							.then(() => {
-								return internalStream.get(access, {id: row.id, expand: ['owner']});
-							});
-					})
 					.then((saved_row) => {
 						// Add to audit log
 						return internalAuditLog.add(access, {
@@ -93,6 +151,17 @@ const internalStream = {
 								return saved_row;
 							});
 					});
+			})
+			.then(() => {
+				return internalStream.get(access, {id: data.id, expand: ['owner', 'certificate']})
+					.then((row) => {
+						return internalNginx.configure(streamModel, 'stream', row)
+							.then((new_meta) => {
+								row.meta = new_meta;
+								row      = internalHost.cleanRowCertificateMeta(row);
+								return _.omit(row, omissions());
+							});
+					});
 			});
 	},
 
@@ -115,7 +184,7 @@ const internalStream = {
 					.query()
 					.where('is_deleted', 0)
 					.andWhere('id', data.id)
-					.allowGraph('[owner]')
+					.allowGraph('[owner,certificate]')
 					.first();
 
 				if (access_data.permission_visibility !== 'all') {
@@ -132,6 +201,7 @@ const internalStream = {
 				if (!row || !row.id) {
 					throw new error.ItemNotFoundError(data.id);
 				}
+				row = internalHost.cleanRowCertificateMeta(row);
 				// Custom omissions
 				if (typeof data.omit !== 'undefined' && data.omit !== null) {
 					row = _.omit(row, data.omit);
@@ -197,14 +267,14 @@ const internalStream = {
 			.then(() => {
 				return internalStream.get(access, {
 					id:     data.id,
-					expand: ['owner']
+					expand: ['certificate', 'owner']
 				});
 			})
 			.then((row) => {
 				if (!row || !row.id) {
 					throw new error.ItemNotFoundError(data.id);
 				} else if (row.enabled) {
-					throw new error.ValidationError('Host is already enabled');
+					throw new error.ValidationError('Stream is already enabled');
 				}
 
 				row.enabled = 1;
@@ -250,7 +320,7 @@ const internalStream = {
 				if (!row || !row.id) {
 					throw new error.ItemNotFoundError(data.id);
 				} else if (!row.enabled) {
-					throw new error.ValidationError('Host is already disabled');
+					throw new error.ValidationError('Stream is already disabled');
 				}
 
 				row.enabled = 0;
@@ -298,7 +368,7 @@ const internalStream = {
 					.query()
 					.where('is_deleted', 0)
 					.groupBy('id')
-					.allowGraph('[owner]')
+					.allowGraph('[owner,certificate]')
 					.orderByRaw('CAST(incoming_port AS INTEGER) ASC');
 
 				if (access_data.permission_visibility !== 'all') {
@@ -317,6 +387,13 @@ const internalStream = {
 				}
 
 				return query.then(utils.omitRows(omissions()));
+			})
+			.then((rows) => {
+				if (typeof expand !== 'undefined' && expand !== null && expand.indexOf('certificate') !== -1) {
+					return internalHost.cleanAllRowsCertificateMeta(rows);
+				}
+
+				return rows;
 			});
 	},
 

backend/migrations/20240427161436_stream_ssl.js

@@ -0,0 +1,38 @@
+const migrate_name = 'stream_ssl';
+const logger       = require('../logger').migrate;
+
+/**
+ * Migrate
+ *
+ * @see http://knexjs.org/#Schema
+ *
+ * @param   {Object} knex
+ * @returns {Promise}
+ */
+exports.up = function (knex) {
+	logger.info('[' + migrate_name + '] Migrating Up...');
+
+	return knex.schema.table('stream', (table) => {
+		table.integer('certificate_id').notNull().unsigned().defaultTo(0);
+	})
+		.then(function () {
+			logger.info('[' + migrate_name + '] stream Table altered');
+		});
+};
+
+/**
+ * Undo Migrate
+ *
+ * @param   {Object} knex
+ * @returns {Promise}
+ */
+exports.down = function (knex) {
+	logger.info('[' + migrate_name + '] Migrating Down...');
+
+	return knex.schema.table('stream', (table) => {
+		table.dropColumn('certificate_id');
+	})
+		.then(function () {
+			logger.info('[' + migrate_name + '] stream Table altered');
+		});
+};

backend/models/certificate.js

@@ -4,7 +4,6 @@
 const db      = require('../db');
 const helpers = require('../lib/helpers');
 const Model   = require('objection').Model;
-const User    = require('./user');
 const now     = require('./now_helper');
 
 Model.knex(db);
@@ -68,6 +67,11 @@ class Certificate extends Model {
 	}
 
 	static get relationMappings () {
+		const ProxyHost       = require('./proxy_host');
+		const DeadHost        = require('./dead_host');
+		const User            = require('./user');
+		const RedirectionHost = require('./redirection_host');
+
 		return {
 			owner: {
 				relation:   Model.HasOneRelation,
@@ -79,6 +83,39 @@ class Certificate extends Model {
 				modify: function (qb) {
 					qb.where('user.is_deleted', 0);
 				}
+			},
+			proxy_hosts: {
+				relation:   Model.HasManyRelation,
+				modelClass: ProxyHost,
+				join:       {
+					from: 'certificate.id',
+					to:   'proxy_host.certificate_id'
+				},
+				modify: function (qb) {
+					qb.where('proxy_host.is_deleted', 0);
+				}
+			},
+			dead_hosts: {
+				relation:   Model.HasManyRelation,
+				modelClass: DeadHost,
+				join:       {
+					from: 'certificate.id',
+					to:   'dead_host.certificate_id'
+				},
+				modify: function (qb) {
+					qb.where('dead_host.is_deleted', 0);
+				}
+			},
+			redirection_hosts: {
+				relation:   Model.HasManyRelation,
+				modelClass: RedirectionHost,
+				join:       {
+					from: 'certificate.id',
+					to:   'redirection_host.certificate_id'
+				},
+				modify: function (qb) {
+					qb.where('redirection_host.is_deleted', 0);
+				}
 			}
 		};
 	}