#!/usr/local/cpanel/3rdparty/bin/perl
# cpanel - scripts/modsec_vendor Copyright 2022 cPanel, L.L.C.
# All rights reserved.
# copyright@cpanel.net http://cpanel.net
# This code is subject to the cPanel license. Unauthorized copying is prohibited
package scripts::modsec_vendor;
use strict;
use IO::Interactive ();
use Cpanel::CLIProgress ();
use Cpanel::Exception ();
use Cpanel::Hooks ();
use Cpanel::Locale 'lh';
use Cpanel::Logger ();
use Cpanel::HttpUtils::ApRestart::Defer ();
use Whostmgr::ModSecurity ();
use Whostmgr::ModSecurity::VendorList ();
use Whostmgr::ModSecurity::Vendor ();
# All functions in this script, including run, return true on success and false on failure.
# The conversion to exit status happens here only.
# Script entry point. When this file is executed directly (rather than loaded
# as a module, e.g. by tests), dispatch @ARGV through run() and map its
# true/false result onto the process exit status (0 = success, 1 = failure).
if ( !caller ) {
    my $ok = run(@ARGV);
    exit( $ok ? 0 : 1 );
}
# Dispatch a subcommand to its handler.
#
# Arguments:
#   $command - the subcommand name (first CLI argument; may be undef)
#   @args    - the remaining CLI arguments, passed through to the handler
#
# Returns the handler's result: true on success, false on failure. Dies with
# the usage text (via _die_usage) when the subcommand is missing or unknown.
#
# Note the ordering: the ModSecurity check runs before the subcommand is
# validated, so an unknown subcommand on a host without ModSecurity still
# returns true ("no work to do") rather than printing usage.
sub run {
    my ( $command, @args ) = @_;

    if ( !Whostmgr::ModSecurity::has_modsecurity_installed() ) {
        _logger()->info( lh()->maketext(q{You do not have [asis,ModSecurity] installed. There is no work to do.}) );
        return 1;
    }

    my %handler_for = (
        'list'            => \&list,
        'add'             => \&add,
        'remove'          => \&remove,
        'update'          => \&update,
        'enable'          => \&enable,
        'disable'         => \&disable,
        'enable-updates'  => \&enable_updates,
        'disable-updates' => \&disable_updates,
        'enable-configs'  => \&enable_configs,
        'disable-configs' => \&disable_configs,
    );

    my $handler = defined $command ? $handler_for{$command} : undef;
    _die_usage() if !$handler;

    return $handler->(@args);
}
# Print every known vendor (installed or merely provided) to STDOUT.
#
# Takes no arguments; dies with usage text if any are given.
# Returns true, including when there are no vendors to show.
sub list {
    _die_usage() if @_;

    my $vendors = Whostmgr::ModSecurity::VendorList::list_detail_and_provided();
    if ( !@{$vendors} ) {
        _logger()->info( lh()->maketext(q{There are no vendors.}) );
        return 1;
    }

    print _format_vendor_info($_) for @{$vendors};
    return 1;
}
# Install one or more vendors from their metadata URLs.
#
# Arguments:
#   @urls - one or more vendor metadata YAML URLs (at least one required,
#           otherwise dies with usage text)
#
# Each URL is attempted independently; a failure is logged and the loop
# continues with the next URL. Returns true only if every URL succeeded.
# The pre/post hooks fire once around the whole batch, not per URL.
#
# NOTE(review): each URL is fetched and installed as a WAF rule-set source by
# VendorList::add; whether plain-http sources are accepted or the payload is
# integrity-checked is not visible here — worth confirming, since a tampered
# vendor feed changes the rules Apache enforces.
sub add {
    my @urls = @_;
    _die_usage() if !@urls;

    _trigger_hook( "pre", "modsec_vendor::add" );

    my $failures = 0;
    for my $url (@urls) {
        local $@;
        my $vendor_info = eval { Whostmgr::ModSecurity::VendorList::add($url); };
        my $error       = $@;

        if ($error) {
            _logger()->warn( lh()->maketext( q{The system failed to add the vendor from the URL “[_1]”: [_2]}, $url, _format_exception($error) ) );
            $failures++;
            next;
        }

        _logger()->info( lh()->maketext( q{You have added the vendor “[_1]”.}, $vendor_info->{name} ) );
        print "\n" . _format_vendor_info($vendor_info);
    }

    _trigger_hook( "post", "modsec_vendor::add" );

    return $failures ? 0 : 1;
}
# Uninstall one or more vendors by id.
#
# Arguments:
#   @vendor_ids - one or more vendor ids (at least one required, otherwise
#                 dies with usage text)
#
# Each id is attempted independently; a failure (load or uninstall dying) is
# logged and the loop continues. Returns true only if every removal succeeded.
# The pre/post hooks fire once around the whole batch.
sub remove {
    my @vendor_ids = @_;
    _die_usage() if !@vendor_ids;

    _trigger_hook( "pre", "modsec_vendor::remove" );

    my $failures = 0;
    for my $vendor_id (@vendor_ids) {
        local $@;
        eval {
            my $vendor = Whostmgr::ModSecurity::Vendor->load( vendor_id => $vendor_id );
            $vendor->uninstall;
        };
        my $error = $@;

        if ($error) {
            _logger()->warn( lh()->maketext( q{The system failed to remove the vendor “[_1]”: [_2]}, $vendor_id, _format_exception($error) ) );
            $failures++;
            next;
        }

        _logger()->info( lh()->maketext( q{You have removed the vendor “[_1]”.}, $vendor_id ) );
    }

    _trigger_hook( "post", "modsec_vendor::remove" );

    return $failures ? 0 : 1;
}
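# Update an installed vendor's rule set.
#
# Arguments (exactly one, otherwise dies with usage text):
#   a vendor metadata URL   - update the matching vendor from that URL
#   a vendor_id             - update from the URL or package it was installed from
#   --auto                  - update every installed vendor that is enabled and
#                             has automatic updates turned on
#
# Returns true if every attempted update succeeded, false otherwise.
#
# Changes from the previous version of this block:
#   * https: URLs are recognised as URLs. Previously only "http:" matched, so
#     an https URL fell through to the vendor_id branch and failed inside
#     Vendor->load instead of being used as the update source.
#   * Under --auto, one vendor whose record cannot be loaded or has no
#     installed_from URL no longer aborts the whole run (which also skipped
#     the post hook); it is logged, marks the run as failed, and the remaining
#     vendors are still updated.
#   * A failed package upgrade now counts as a failure for the exit status;
#     before it was only warned about and the script still exited 0.
sub update {
    my @args = @_;
    _die_usage() if @args != 1;
    my ($to_update) = @args;

    my $is_auto = ( $to_update eq '--auto' );
    my $all_ok  = 1;

    _trigger_hook( "pre", "modsec_vendor::update" );

    # Update targets: a plain string is a vendor metadata URL handled by
    # VendorList::update(); a scalar ref holds the name of a package-based
    # vendor, which is upgraded through the package manager instead.
    my @targets;

    if ( $to_update =~ m{\Ahttps?:} ) {
        push @targets, $to_update;
    }
    elsif ($is_auto) {
        _logger()->info( lh()->maketext(q{Updates are in progress for all of the installed [asis,ModSecurity] vendors with automatic updates enabled.}) );
        for my $vendor_detail ( @{ Whostmgr::ModSecurity::VendorList::list_detail() } ) {
            my ( $vendor_id, $update, $enabled ) = @{$vendor_detail}{qw(vendor_id update enabled)};
            if ( !$update ) {
                _logger()->info( lh()->maketext( q{You have not configured the vendor “[_1]” to receive automatic updates.}, $vendor_id ) );
                next;
            }
            if ( !$enabled ) {
                _logger()->info( lh()->maketext( q{You have not enabled the vendor “[_1]”. The vendor will not receive automatic updates.}, $vendor_id ) );
                next;
            }

            # A broken record for one vendor must not prevent the others from
            # being updated: report it, fail the run, carry on.
            local $@;
            my $target = eval { _update_target_for($vendor_id) };
            if ( !defined $target ) {
                _logger()->warn( lh()->maketext( q{The system failed to update the vendor “[_1]”: [_2]}, $vendor_id, _format_exception($@) ) );
                $all_ok = 0;
                next;
            }
            push @targets, $target;
        }
    }
    else {
        # Single vendor by id: an unresolvable update source is fatal, as before.
        push @targets, _update_target_for($to_update);
    }

    # Hold Apache restarts until every target has been processed so a run
    # covering several vendors restarts httpd once rather than per vendor.
    my $defer = Cpanel::HttpUtils::ApRestart::Defer->new( 'lexical' => 1 );
    $defer->block_restarts();

    for my $target (@targets) {
        if ( ref $target ) {
            $all_ok = 0 if !_upgrade_vendor_package( $defer, ${$target} );
            next;
        }

        local $@;
        my $result    = eval { Whostmgr::ModSecurity::VendorList::update( $target, 1 ); };
        my $exception = $@;

        if ($exception) {
            # Under --auto, "already current" is informational, not a failure.
            if ( $is_auto && 'Cpanel::Exception::ModSecurity::VendorUpdateUnnecessary' eq ref $exception ) {
                _logger()->info( lh()->maketext( q{The vendor “[_1]” is already up to date.}, $exception->vendor_id ) );
                next;
            }
            $all_ok = 0;
            my $err = lh()->maketext( q{The system failed to update the vendor from the URL “[_1]”: [_2]}, $target, _format_exception($exception) );
            # Printed as well as logged: the original comment says this is so a
            # caller capturing stdout (scripts/maintenance) sees the error.
            print $err . "\n";
            _logger()->warn($err);
            next;
        }

        my $vendor_info = $result->{vendor};
        _logger()->info( lh()->maketext( q{You have updated the vendor “[_1]”.}, $vendor_info->{name} ) );

        my $diagnostics = $result->{diagnostics};
        if ( @{ $diagnostics->{added_configs} } ) {
            _logger()->info( lh()->maketext( q{You have added the following configuration files: [_1]}, @{ $diagnostics->{added_configs} } ) );
        }
        if ( @{ $diagnostics->{deleted_configs} } ) {
            _logger()->info( lh()->maketext( q{You have removed the following configuration files: [_1]}, @{ $diagnostics->{deleted_configs} } ) );
        }
        print "\n" . _format_vendor_info($vendor_info);
    }

    $defer->allow_restarts();

    _trigger_hook( "post", "modsec_vendor::update" );

    return $all_ok;
}

# Resolve the update source for an installed vendor.
#
# Returns a scalar ref to the package name for a package-based vendor
# (is_pkg set), otherwise the vendor's installed_from URL as a plain string.
# Dies (with a trailing newline, so no "at FILE line N" suffix) when neither
# is available; Vendor->load may die too for an unknown vendor id.
sub _update_target_for {
    my ($vendor_id) = @_;

    my $vendor = Whostmgr::ModSecurity::Vendor->load( vendor_id => $vendor_id );

    if ( $vendor->{is_pkg} ) {
        my $pkg = $vendor->{is_pkg};
        return \$pkg;
    }

    my $url = $vendor->installed_from;
    return $url if $url;

    die lh()->maketext( q{The system could not determine the [asis,installed_from] URL for the vendor “[_1]”.}, $vendor_id ) . "\n";
}

# Upgrade a package-based vendor through the package manager.
#
# Arguments:
#   $defer - the ApRestart::Defer object guarding the surrounding run
#   $pkg   - the package name to upgrade
#
# Returns true on success, false (after emitting a warning) on failure.
sub _upgrade_vendor_package {
    my ( $defer, $pkg ) = @_;

    require Cpanel::PackMan;

    # Restarts are allowed around the upgrade because it locks httpd.conf,
    # which the universal hooks wait on (per the original comment); they are
    # blocked again afterwards for any remaining targets.
    #
    # Excludes are disabled because update-disabled vendors never reach here
    # under --auto, and an explicit vendor_id is a deliberate, controlled
    # update even when the admin has the package excluded.
    $defer->allow_restarts();
    local $@;
    my $ok    = eval { Cpanel::PackMan->instance->sys->upgrade( $pkg => "--disableexcludes=main" ); 1 };
    my $error = $@;
    $defer->block_restarts();

    if ( !$ok ) {
        warn "Failed to upgrade “$pkg”, this will need done manually.\n";
        return 0;
    }
    return 1;
}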
# Enable a vendor.
#
# Arguments: exactly one vendor_id (otherwise dies with usage text).
# Returns true on success, false on failure. The post hook only fires on
# success; the pre hook always fires.
#
# Failure is "enable() died or returned false"; what enable() returns on
# success is not visible in this file.
sub enable {
    _die_usage() if @_ != 1;
    my ($vendor_id) = @_;

    _trigger_hook( "pre", "modsec_vendor::enable" );

    local $@;
    my $enabled = eval { Whostmgr::ModSecurity::Vendor->load( vendor_id => $vendor_id )->enable() };
    # Capture $@ before calling anything else: a successful eval elsewhere
    # (e.g. inside lh()) would clear it.
    my $error = $@;

    if ( !$enabled ) {
        _logger()->warn( lh()->maketext( q{The system could not enable the vendor “[_1]”: [_2]}, $vendor_id, _format_exception($error) ) );
        return 0;
    }

    _logger()->info( lh()->maketext( q{You have enabled the vendor “[_1]”.}, $vendor_id ) );
    _trigger_hook( "post", "modsec_vendor::enable" );
    return 1;
}
# Disable a vendor.
#
# Arguments: exactly one vendor_id (otherwise dies with usage text).
# Returns true on success, false on failure. The post hook only fires on
# success; the pre hook always fires.
#
# Failure is "disable() died or returned false"; what disable() returns on
# success is not visible in this file.
sub disable {
    _die_usage() if @_ != 1;
    my ($vendor_id) = @_;

    _trigger_hook( "pre", "modsec_vendor::disable" );

    local $@;
    my $disabled = eval { Whostmgr::ModSecurity::Vendor->load( vendor_id => $vendor_id )->disable() };
    # Capture $@ before calling anything else: a successful eval elsewhere
    # (e.g. inside lh()) would clear it.
    my $error = $@;

    if ( !$disabled ) {
        _logger()->warn( lh()->maketext( q{The system could not disable the vendor “[_1]”: [_2]}, $vendor_id, _format_exception($error) ) );
        return 0;
    }

    _logger()->info( lh()->maketext( q{You have disabled the vendor “[_1]”.}, $vendor_id ) );
    _trigger_hook( "post", "modsec_vendor::disable" );
    return 1;
}
# Turn automatic updates on for a vendor.
#
# Arguments: exactly one vendor_id (otherwise dies with usage text).
# Returns true on success, false on failure. The post hook only fires on
# success; the pre hook always fires.
#
# Failure is "enable_updates() died or returned false"; its success value is
# not visible in this file.
sub enable_updates {
    _die_usage() if @_ != 1;
    my ($vendor_id) = @_;

    _trigger_hook( "pre", "modsec_vendor::enable_updates" );

    local $@;
    my $changed = eval { Whostmgr::ModSecurity::Vendor->load( vendor_id => $vendor_id )->enable_updates() };
    # Capture $@ before calling anything else: a successful eval elsewhere
    # (e.g. inside lh()) would clear it.
    my $error = $@;

    if ( !$changed ) {
        _logger()->warn( lh()->maketext( q{The system could not enable updates for the vendor “[_1]”: [_2]}, $vendor_id, _format_exception($error) ) );
        return 0;
    }

    _logger()->info( lh()->maketext( q{You have enabled updates for the vendor “[_1]”.}, $vendor_id ) );
    _trigger_hook( "post", "modsec_vendor::enable_updates" );
    return 1;
}
# Turn automatic updates off for a vendor.
#
# Arguments: exactly one vendor_id (otherwise dies with usage text).
# Returns true on success, false on failure. The post hook only fires on
# success; the pre hook always fires.
#
# Failure is "disable_updates() died or returned false"; its success value is
# not visible in this file.
sub disable_updates {
    _die_usage() if @_ != 1;
    my ($vendor_id) = @_;

    _trigger_hook( "pre", "modsec_vendor::disable_updates" );

    local $@;
    my $changed = eval { Whostmgr::ModSecurity::Vendor->load( vendor_id => $vendor_id )->disable_updates() };
    # Capture $@ before calling anything else: a successful eval elsewhere
    # (e.g. inside lh()) would clear it.
    my $error = $@;

    if ( !$changed ) {
        _logger()->warn( lh()->maketext( q{The system could not disable updates for the vendor “[_1]”: [_2]}, $vendor_id, _format_exception($error) ) );
        return 0;
    }

    _logger()->info( lh()->maketext( q{You have disabled updates for the vendor “[_1]”.}, $vendor_id ) );
    _trigger_hook( "post", "modsec_vendor::disable_updates" );
    return 1;
}
# Enable every configuration file belonging to a vendor, showing a CLI
# progress bar while doing so.
#
# Arguments: exactly one vendor_id (otherwise dies with usage text).
# Returns true on success, false on failure. The post hook only fires on
# success; the pre hook always fires.
#
# enable_configs() returns a list whose first element is the success flag;
# the remaining element(s) (per-config outcomes, previously bound to an unused
# $outcomes) are not reported by this script.
sub enable_configs {
    _die_usage() if @_ != 1;
    my ($vendor_id) = @_;

    my $progress_bar = Cpanel::CLIProgress->new( width => 30 );

    _trigger_hook( "pre", "modsec_vendor::enable_configs" );

    local $@;
    my ($ok) = eval { Whostmgr::ModSecurity::Vendor->load( vendor_id => $vendor_id, progress_bar => $progress_bar )->enable_configs() };
    # Capture $@ before calling anything else: a successful eval elsewhere
    # (e.g. inside lh()) would clear it.
    my $error = $@;

    if ( !$ok ) {
        _logger()->warn( lh()->maketext( q{The system could not enable all of the configuration files for the vendor “[_1]”: [_2]}, $vendor_id, _format_exception($error) ) );
        return 0;
    }

    _logger()->info( lh()->maketext( q{You have enabled all of the configuration files for the vendor “[_1]”.}, $vendor_id ) );
    _trigger_hook( "post", "modsec_vendor::enable_configs" );
    return 1;
}
# Disable every configuration file belonging to a vendor, showing a CLI
# progress bar while doing so.
#
# Arguments: exactly one vendor_id (otherwise dies with usage text).
# Returns true on success, false on failure. The post hook only fires on
# success; the pre hook always fires.
#
# disable_configs() returns a list whose first element is the success flag;
# the remaining element(s) (per-config outcomes, previously bound to an unused
# $outcomes) are not reported by this script.
sub disable_configs {
    _die_usage() if @_ != 1;
    my ($vendor_id) = @_;

    my $progress_bar = Cpanel::CLIProgress->new( width => 30 );

    _trigger_hook( "pre", "modsec_vendor::disable_configs" );

    local $@;
    my ($ok) = eval { Whostmgr::ModSecurity::Vendor->load( vendor_id => $vendor_id, progress_bar => $progress_bar )->disable_configs() };
    # Capture $@ before calling anything else: a successful eval elsewhere
    # (e.g. inside lh()) would clear it.
    my $error = $@;

    if ( !$ok ) {
        _logger()->warn( lh()->maketext( q{The system could not disable all of the configuration files for the vendor “[_1]”: [_2]}, $vendor_id, _format_exception($error) ) );
        return 0;
    }

    _logger()->info( lh()->maketext( q{You have disabled all of the configuration files for the vendor “[_1]”.}, $vendor_id ) );
    _trigger_hook( "post", "modsec_vendor::disable_configs" );
    return 1;
}
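# Render one vendor's details as a text table.
#
# Arguments:
#   $vendor_info - hashref of vendor fields; vendor_id and name form the
#                  heading, every key is then listed in sorted order. Array
#                  values are shown as their element count only.
#
# Returns the formatted string (heading, one row per key, two blank lines).
#
# Values in $vendor_info originate from vendor metadata fetched from a URL
# (see the usage text for `add`), so they are not trusted for display: C0
# control characters (other than tab and newline) and DEL are replaced with
# '?' before output. Otherwise a vendor-supplied name or description could
# carry terminal escape sequences, which on an interactive terminal would be
# interpreted alongside the reverse-video escapes this function itself emits.
sub _format_vendor_info {
    my ($vendor_info) = @_;

    # Reverse-video heading/divider on a terminal; plain '|' when output is
    # piped so no escape codes land in captured logs.
    my ( $vert_divider, $wrap_heading );
    if ( IO::Interactive::is_interactive() ) {
        $vert_divider = "\033[7m \033[m";
        $wrap_heading = sub { "\033[7m" . shift . "\033[m" };
    }
    else {
        $vert_divider = '|';
        $wrap_heading = sub { shift };
    }

    my $heading = sprintf( '[%s] %s', map { _printable($_) } @{$vendor_info}{qw(vendor_id name)} );
    my $output = $wrap_heading->($heading) . ( $vendor_info->{installed} ? '' : ' (not installed)' ) . "\n";

    for my $key ( sort keys %{$vendor_info} ) {
        my $value = $vendor_info->{$key};
        if ( ref $value eq 'ARRAY' ) {
            $value = sprintf( "(%d)", scalar @{$value} );    # just the count
        }
        $output .= sprintf( "% 16s %s %s\n", $key, $vert_divider, _printable($value) );
    }

    return $output . "\n\n";
}

# Return a display-safe copy of a value: undef becomes '' (as sprintf "%s"
# already rendered it), references are stringified, and C0 control characters
# except \t and \n — notably ESC (0x1b) and \r — plus DEL become '?'.
sub _printable {
    my ($value) = @_;
    return '' if !defined $value;
    ( my $clean = "$value" ) =~ s/[\x00-\x08\x0b-\x1f\x7f]/?/g;
    return $clean;
}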
# Turn an exception (string or Cpanel::Exception object) into a single-line
# message suitable for embedding in a log entry: stringify it and drop the
# trailing newline.
sub _format_exception {
    my ($exception) = @_;
    my $message = Cpanel::Exception::get_string($exception);
    chomp $message;
    return $message;
}
# File-scoped cache for the logger so every message in one run shares a
# single Cpanel::Logger instance.
my $logger;

# Return the shared logger, constructing it on first use.
sub _logger {
    if ( !$logger ) {
        $logger = Cpanel::Logger->new();
    }
    return $logger;
}
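# Die with the usage text. Never returns.
#
# Fix: the synopsis line previously listed only four of the ten subcommands
# (list/add/remove/update) even though the body documents all of them; it now
# names every subcommand run() accepts.
sub _die_usage {
    my $script = $0;
    die <<"EOU";
usage: $script <list | add | remove | update | enable | disable | enable-updates | disable-updates | enable-configs | disable-configs> ...

    list
        - Lists the currently-installed vendors

    add <vendor metadata YAML URL>
        - Installs a new vendor

    remove <vendor_id>
        - Removes the vendor with the specified vendor id

    update <vendor_id | vendor metadata YAML URL | --auto>
        - If a vendor_id is provided, this command updates the vendor specified by that id
          from the same URL or package that was used to install it.
        - If a URL is provided, this command updates an existing vendor from the specified URL.
          The URL need not be the same as the one used to originally install the vendor.
        - If --auto is specified, updates all installed vendors for which auto-update is enabled
          using the URLs or packages from which they were originally installed.

    enable <vendor_id>
        - Enables a vendor

    disable <vendor_id>
        - Disables a vendor

    enable-updates <vendor_id>
        - Enables automatic updates for a vendor

    disable-updates <vendor_id>
        - Disables automatic updates for a vendor

    enable-configs <vendor_id>
        - Enables all configs for a vendor

    disable-configs <vendor_id>
        - Disables all configs for a vendor
EOU
}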
#-------------------------------------------------------------------------------------------------
# Scope:
# private
# Name:
# _trigger_hook
# Desc:
# This function triggers the hook on scripts/modsec_vendor
# Arguments:
# - pre_or_post - the hook stage; must be exactly "pre" or "post".
# - event - the hook event name: the subcommand qualified as modsec_vendor::<command>,
#   for example modsec_vendor::add.
# Returns:
# - Nothing is returned.
#-------------------------------------------------------------------------------------------------
# Fire the "scripts" category hook for one stage of a subcommand.
#
# Arguments:
#   $stage - "pre" or "post"
#   $event - the event name, e.g. "modsec_vendor::add"
#
# Returns nothing. Whatever Cpanel::Hooks::hook runs for this category/event
# (presumably any registered hook scripts) is outside this file's view.
sub _trigger_hook {
    my ( $stage, $event ) = @_;

    my %hook_args = (
        'category' => 'scripts',
        'event'    => $event,
        'stage'    => $stage,
    );
    Cpanel::Hooks::hook( \%hook_args );

    return;
}
1;