yo4hT ddlZddlZddlZddlZddlZddlZddlZddlZddlZddl m cm Z ddl mZddlmZddlmZddlmZddlmZddlmZmZddlmZmZmZmZmZm Z m!Z!ddl"Z"dd l#m$Z$dd l%m&Z&m'Z'dd l(m)Z)dd l*m+Z+m,Z,m-Z-m.Z.m/Z/m0Z0m1Z1m2Z2dd l3m4Z4e5ej67ddZ8 dZ9edZ:dZ;dZej?dZ@eAdeBejCDZDdZEejFeGZHGddeIZJGddeIZKGddZLdZMd ZNd!eeOfd"ZPd!eQfd#ZReSd$d%ZTd&ZUd'ZVd(ZW dId*egefd+e5fd,ZXd-ZYd!eeOfd.ZZd!ee!eOfd/Z[d!e!eOfd0Z\d!e!eOfd1Z]ed2Z^d3eOd!e_fd4Z`dJd5Zae4jbe8dJd6ZcdJd7Zdd8Zed9ZfdKd;Zgd<Zhd=eQd!eeQfd>Zid?Zjd@Zke+dABdCZle1ee5ej67dDdEFGdHZmdS)LN)suppress) ContextVar) timedelta)Version)Path) check_callDEVNULL)AnyCallableListOptionalSetTupleIterable)IntegrationConfig)is_generic_panel_installedis_plesk_installed)g)async_lru_cacheatomic_rewrite check_runget_system_user_names OsReleaseInfo CheckRunError TimedCacheBACKUP_EXTENSION)webserver_gracefull_restart!IM360_GRACEFUL_RESTART_MIN_PERIODi,z*/usr/local/cpanel/scripts/restartsrv_httpdz/tmp/lshttpd/lshttpd.pid)z/usr/local/lsws/bin/lswsctrl condrestartz%/usr/local/lsws/conf/httpd_config.xmlz/usr/sbin/apache2z/usr/sbin/httpdz Server version:.*(\d+\.\d+\.\d+)c#>K|]}|VdSN)encode).0xs V/opt/imunify360/venv/lib/python3.11/site-packages/defence360agent/subsys/web_server.py r&5s*@@1AHHJJ@@@@@@apacheceZdZdZdS)NotRunningErrorz[ Error for cases when the web server is expected to be running but it is not. N__name__ __module__ __qualname____doc__r'r%r*r*;sr'r*ceZdZdZdS)ConfigInvalidErrorzO Error used to indicate that the web server config is having error(s). Nr+r0r'r%r2r2Csr'r2ceZdZdZdZdZdZdZdZdZ dZ d Z d e fd Z d e fd Zd eeeeffdZdZd efdZdS)LiteSpeedConfiguseIpInProxyHeadersecurity accessControlallowdenyrc8tj||_dSr!)ET fromstringconfig)selfcontents r%__init__zLiteSpeedConfig.__init__SsmG,, r'returnc|j|j}||js|jSt |jSr!)r?findCLIENT_IP_IN_HEADER_TAGtextCLIENT_IP_IN_HEADER_DISABLEDintr@elements r%client_ip_in_headerz#LiteSpeedConfig.client_ip_in_headerVs>+""4#?@@ ?',?4 47<   r'valuec|j|j}|3tj|j}|j|t ||_dSr!)r?rErFr=ElementappendstrrG)r@rMrKs r%set_client_ip_in_headerz'LiteSpeedConfig.set_client_ip_in_header\sX+""4#?@@ ?j!=>>G K  w ' ' '5zz r'c|jdd|j|j|jg}|*|jr#d|jDStS)N/.ch|]R}|dD]:}||dr |ddn||df;SS),TN)splitendswith)r#sitems r% z>LiteSpeedConfig.access_control_allowed_list..os}GGCLL "mmC00:crcdDMM#zCLiteSpeedConfig.set_access_control_allowed_list..xs1KKK4$q'6a3tAwKKKr'rWrTrU) r_r?rEr`rarbr=rOrPrG)r@alloweditemsrMrKaccess_controlr6s r%set_access_control_allowed_listz/LiteSpeedConfig.set_access_control_allowed_listwsLKK7KKK+"" HH%+3       ?j!@AAG![--)/N%!#D,C!D!D;++D,=>>#!z$*;<.is_generic_panel_on_apaches. % ' ' P$(}EEO Our'exeNrz#Can't determine apache bin path: %s)rrrrAPACHE2_BIN_PATHHTTPD_BIN_PATHrcr_apache_running_process_infoospathsamefiler}rr)rrr sys_usersrhttpd_process_exeexcs r%rrs#" -"66## : : < <#% " )++,,}|jVHdS)rN)z/httpdz/apache2usernamerr[)r#prs r%r&z/_apache_running_process_info..sp  u 1F5M223IJJ2F:.);;F<;;;  r')namerruidsgidsattrsN)ranger IndexErrornextr process_iter)r_s` r%rrs 1XX j ! !      #0III                        s1A''A+ .A+ ctdh}|stdtj||dd|dddS)z&Make web server user/group own *path*.rootrz5Can't find running apache process without root owner.rrrN)rr*rchown)rrs r%rrs] "& : : :D   C   HT4<?DLO44444r'c`tdtjgdDdS)z;Return path to a running nginx binary or None if not found.c3K|]k}|jd\|jddr<|jd/d|jdvr |jddk\|jdVldS)rNnginxrrr)r#rs r%r&z%find_running_nginx.. s v*F6N++G44+F5M-qve},,F:&'11 F5M2111 r')rrrrN)rrrr0r'r%find_running_nginxrsJ  (/J/J/JKKK     r' webserver_running_cb granularitycK|dksJt|D]/}|}|r|cStj||z d{V0|S)Nr)rasynciosleep)r timeout_secrrresults r%check_with_timeoutr/sz ???? ;  %%''  MMMmK+56666666666 r'c@tjdS)z8 though, available != running :return bool: z/etc/cpanel/ea4/is_ea4)rrisfiler0r'r%is_EA4_availabler?s 7>>2 3 33r'ctjt}|r|gStjtjzr#dddt j|gS|ddgS)a{ :return list: command which can be passed to check_call(..., shell=False) 'apache2 -k graceful' will not work for Ubuntu and will produce 'Invalid Mutex directory in argument file:${APACHE_LOCK_DIR}' error. https://serverfault.com/questions/558283/apache2-config-variable-is-not-defined That is why this specialization for Ubuntu graceful restart. systemctlreloadz--job-mode=replace-irreversiblyz-kgraceful) shutilwhichCPANEL_RESTART_APACHE_SCRIPTrrrrrbasename) apachectlrestartsrv_httpds r%_apache_graceful_restart_cmdrGsv|$@AA" !!!55 -   - G  Y ' '   4,,r'ctjr tjdd}|stddS|}t j|dr|Std|n*#t$rtdYnwxYwdS)Nrgraceful_restart_scriptz'graceful_restart_script option is emptyrz,Web server restart script does not exist: %sz;Integration config is missing graceful_restart_script field) rrto_dictrrrZrrKeyError)restart_scriptcmds r%+_graceful_restart_cmd_from_integration_confras!! .688F)N" =t &&((Cw~~c!f%%  NN>        NNM      " 4sB))$CCc6g}tjdx}r ||ddddgz }t}||t|zSt r|tt zSt x}r|t|zStd)z Gracefully restart a web server.z systemd-runz-pzSendSIGKILL=noz--slice=graceful_restartz--NCould not detect a web server) rrrlistrLITESPEED_RESTART_CMDrr RuntimeError)prefix systemd_runrrs r%_graceful_restart_cmdr}sFl=111{     &     6 7 7C S !!423333"$$$y@4Y???? 6 7 77r'crtr= tjdd}|r|Sn#t$rYnwxYwt x}r(t jt jzrddgS|dgStrddgStx}r|dgStd)Nrconfig_test_scriptr configtest-t lightspeedr) rrrrZrrrrrrrr)r apache_bin nginx_bins r%_configtest_cmdrs!## #' 6JKKC #yy{{" #    D $%%%z!  " "]%9 9 /. .D!!   !d##(** *!4  6 7 77s*< A A graceful_restart_caller new_configc Ktjtzfd tj}t ||sdSfd t dd{V t n=#t$r0}t d| Yd}~dSd}~wwxYwtj fd }tjt| t }t#jd }t&|j} | d{Vt&|n#t&|wxYwtd dS#t0$r/}t d | Yd}~nd}~wwxYwdS)a Update Web-server config with fallback in case of an error happens. It tries to do all the best but because of graceful_restart() the faulty config might still be applied but in practice it is barely probable (because of premature config check). 1. The new config is checked before to be applied. 2. The new config (if checked valid) is atomically applied. 3. The graceful Web-server restart is scheduled. It may hold the actual restart for some time, but it is a required workaround of a litespeed issue. 4. If the Web-server failed to restart the config is reverted. Return value: True if no errors (at least up to the server restart), False if There was an error and config was reverted. Note: It is possible that the config may be reverted even when return value is True. It is because the graceful_restart may delay the actual restart and config may be reverted on that (delayed) stage. ctt5tjddddS#1swxYwYdSr!)rFileNotFoundErrorrunlink)config_backup_pathsr% remove_backupz)safe_update_config..remove_backups ' ( ( * * I( ) ) ) * * * * * * * * * * * * * * * * * *s 8<<)backupTc tjdS#t$r&tdYdSwxYw)Nw)rrenameropenclose)r config_pathsr%revertz"safe_update_config..revertsa + I(+ 6 6 6 6 6  + + + c " " ( ( * * * * * * +s,A  A raise_exceptionNz*Failed to get graceful restart command: %sFcd}d}|s|td|t d}||t}||dSdS)Nc|sD|2td|dSdSdS)Nz'The reverted config seems to be invalidexc_info cancelled exceptionrcriticalfuts r%log_config_errorzFsafe_update_config..restart_callback..log_config_errorsb}}3==??+FOOA!$$+F+Fr'c|sD|2td|dSdSdS)Nzuncaught exceptionrrr s r%log_uncaught_exceptionzLsafe_update_config..restart_callback..log_uncaught_exceptionsa}}3==??+FOO,s}}$+F+Fr'z7Web server failed to start... Revert changes back. (%s)Tr)r r rerror create_taskradd_done_callback_graceful_restart)taskrrloopr restart_cmdrs r%restart_callbackz,safe_update_config..restart_callbacks       >>## (8(8(D MNN$$'' 4(H(H(HII&&'7888''(9+(F(FGG&&'=>>>>> r') done_callbackr:z)Successfully scheduled web server restartz Web server config is invalid: %s)rfspathrrrrrrrrrrget_running_looprcoalesce_callsGRACEFUL_RESTART_MIN_PERIODrinspectstack_graceful_restart_callerrcfunctionresetrr2) rr make_backupergraceful_restart caller_frame context_tokenrrrrrs ` @@@@@r%safe_update_configr(sh*;//2BB*****'..--K +z+ F F Ft++++++6..........  /11KK    LLEq I I I FHHH55555  '))        8 6E '7G   }q) 044\5JKK  :"";// / / / / / / / $ * *= 9 9 9 9 $ * *= 9 9 9 9 ?@@@ti  7;;;j 5s<$F+;B C%B??CE00F + G$5%GG$cKt t|p td{VtddS#t $r&}td|Yd}~dSd}~wwxYw)] Gracefully restart a web server. If web server cannot be detected, do nothing. N!Successfully restarted web server"Could not restart a Web server: %s)_log_graceful_restart_startrrrrrr)rerrs r%rrs  !!!9 >'<'>'>?????????  788888 BBB;SAAAAAAAAABs#A BA<<BcKt|}|t_ |d{V tjdS#tjdwxYw)Nweb_server_restart_task)rrr0pop)rrs r%_graceful_restart_coalescedr2s] [ ) )D $A)zzzzzz '(((('((((s <AcKtjd}t|j} t |d{V}t|n#t|wxYw|S)r*r:N)rrr rcr!r2r")rr&r'rs r%r%r%)s=??1%L,001FGGM62;???????? &&}5555 &&}5555 Ms A,,Bcptd}td|dS)Nunknownz/Performing web server graceful restart, from %s)r rrr)callers r%r-r-9s0 % ) )) 4 4F KKA6JJJJJr'ctjd}t|j} t t|n#t|wxYw ttttt ddS#t$r&}t d|Yd}~dSd}~wwxYw)zk Gracefully restart a web server synchronously. If web server cannot be detected, do nothing. r:)rstderrr+r,N)rrr rcr!r-r"rrr rrrr)r&r'r.s r%graceful_restart_syncr9>s =??1%L,001FGGM6#%%% &&}5555 &&}55559(**77KKKK  788888 BBB;SAAAAAAAAABs#A##A?(C C7C22C7FcKtd tttd{VdS#t $r8}td||rt d|Yd}~dSd}~wwxYw)z\ Check web server's config file. If web server cannot be detected, do nothing. z!Performing web server config test) raise_excNzCould not run configtest: %szFailed to check config)rrrrr2rr)rr.s r%rrSs  KK3444H))5GHHHHHHHHHHHH HHH5s;;;  H$%=>>C G H H H H H HHs(A B -BB ct|}|"t|dSt d|)Nr:z)Failed to parse apache version string: {})apache_version_regexpsearchrgroupr~r)outputmatchs r%_parse_apache_version_outputrBbsV ! ( ( 0 0E u{{1~~&&& 7 > >v F F   r'r@c>d|DS)a: Parse response of httpd -M :param output: stdout of httpd -M (with spaces before module name) Output example: Loaded Modules: core_module (static) so_module (static) http_module (static) mpm_prefork_module (shared) :return: list with installed modules cg|]H}|t|dIS)r) startswith BYTE_SPACESstriprZ)r#lines r%rgz-_parse_apache_module_list..xsS     ??; ' '  Q   r') splitlines)r@s r%_parse_apache_module_listrJls/  %%''   r'cg}|dD]L}|d}|dkr/|||dM|S)N rTr)decoderZrErPrG)dumpincludesrHindexs r%_parse_includesrQspH ##D))22 # 199 OODL..00 1 1 1 Or'ctK ttgdd{VS#t$rgcYSwxYw)N)rrz-D DUMP_INCLUDES)rQrrr0r'r% dump_includesrTsgFFFGG G G G G G G     s #( 77r:)maxsizecKt}|tdt|dgd{V}t|}t d||S)Nrz-vzApache %s version detected)rr*rrBrMrr)routversions r%apache_versionrYsy!!J5666:t,-- - - - - - -C*3::<<88G KK,g666 Nr''IMUNIFY360_APACHE_MODULES_CACHE_TIMEOUTiX)seconds) expirationcNKtdd{V}t|S)Nz-M)rrJ)rs r%apache_modulesr^s5&d++ + + + + + +F $V , ,,r')rrr!)F)nrrrologgingrrerrstringxml.etree.ElementTreeetreerqr= contextlibr contextvarsrdatetimerpackaging.versionrpathlibr subprocessrr typingr r r r rrrr$defence360agent.api.integration_confr3defence360agent.application.determine_hosting_panelrr&defence360agent.internals.global_scoperdefence360agent.utilsrrrrrrrrdefence360agent.utils.commonrrIenvironrrrrrLITESPEED_CONF_PATHrrcompiler=tupler whitespacerFr getLoggerr,rrr*r2r4rrrQrr{r frozensetrrrrrrrrrrr rzr(rrr2r%r-r9rrBrJrQrTrYr^r0r'r%rwsO  """""""""""""""%%%%%%********FFFFFFFFFFFFFFFFFF BBBBBB544444                    EDDDDD!cJNN6?? L$9::G=&"" #FGGe@@V->(?(?@@@@@   8 $ $l TTTTTTTTn999   / ////u2.7Y[['''''T(555(  "2s7+      444-tCy----4Xhsm5L88x}888868#8888(&:&?@@^c^d^^^^B 9 9 9 9,+,GHH)))IH)     KKK 999* H H H H   eU & y JNNDc J J  -----r'