h5 dZddlZddlZddlZddlZddlZddlmZddlm Z ddl m Z m Z m Z mZmZmZmZddlmZmZmZddlmZmZddlmZdd lmZdd lmZdd lmZdd l m!Z!dd l"m#Z#m$Z$m%Z%ddl&m'Z'm(Z(ddl)m*Z*ddl+m,Z,ej-e.Z/dZ0dZ1dZ2de3fdZ4dZ5dZ6dZ7dZ8dZ9dee:ee e;e fffdZd!e;d"ee;d#eej?fd$Z@d%ZAd&e;deBfd'ZCde;fd(ZDdS)*u  This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program.  If not, see . Copyright © 2019 Cloud Linux Software Inc. This software is also available under ImunifyAV commercial license, see N) defaultdict)Path)AnyDictIterableListLiteralSetTuple)datetime timedeltatimezone)Casefn) hosting_panel)get_results_iterable_expression) to_thread)AnalystCleanupRequest)AnalystCleanupAPI)MalwareHitStatusMalwareScanResourceTypeQueuedScanState) MalwareHit MalwareScan) is_crontab) CloudwaysUserc ddddddddddd S)Nr) userhomeinfected infected_db_infected_totalscan_id scan_date scan_statuscleanup_statusanalyst_statusr(T/opt/imunify360/venv/lib/python3.11/site-packages/imav/malwarelib/utils/user_list.py stub_entryr+4s/   r)c#KtjD](}t}|j|d<|j|d<|V)dS)z Get all system users and initialize a dict for them. If a user has leftover config files after being deleted then the panel API might treat him as existent. This is resolved by checking that a system user is a panel user. rrN)pwdgetpwallr+pw_namepw_dir)entryus r* system_usersr3CsQ LLM& L&  r)cKtjd{VfdtDS)Nc(g|]}|dv |Srr().0r2userss r* zpanel_users..Us' < < .Zs%555da! 555r))allitemsr+) user_listkwargsr2s @r*getrFXsY  5555fllnn555 6 6 HHH  <<r)cFd|D}d}tjtjtjdtjtjtj j kz tj}tjtjtjdtjtjtj j kz tj}d|D}d|D}t||}|D]U}t||j} || dd | d<t"jj | d <|j| d <V|D]\} } t|| } | | d<|D]} | d| dz| d <dS)Ncg|] }|d Srr(r7r2s r*r9z7update_infected_count_and_last_scan..a * * *1QvY * * *r)ctjtjtjtjtjtjtjtjk tj |}|SN) rselectscanid completedpathgroup_byhavingrMaxwherein_)_homesqs r*exprz1update_infected_count_and_last_scan..exprcs  "K$9;;K  Xk& ' ' VK)RVK4I-J-JJ K K U;#''// 0 0 r)r r!c(i|]}|j|jSr()rr r7r1s r* z7update_infected_count_and_last_scan..sNNNU^NNNr)c(i|]}|j|jSr()rr!r[s r*r\z7update_infected_count_and_last_scan..s,*/ E%r)rIrrr%r#r6r")rrNrrCOUNTaliasrU is_infected resource_typerFILEvaluerRDBrrFrQrstoppedrOrC) rDhomesrY grouped_hitsgrouped_db_hitsgrouped_hits_dictgrouped_db_hits_dict actual_scansr1r2rr!s r*#update_infected_count_and_last_scanrl`s" * * * * *E    */28::+;+;J+G+GHH   " $ $'+B+G+MM O   */ " "  */28::+;+;M+J+JKK   " $ $'+B+E+KK M   */ " " ONNNN3B34??L$$   + + +)--ai;;* *28-|) 17799''k   % % %&- @@ }q/?? @@r)cd|D}||D]4\}}t||j}|j|d<||d<|j|d<5dS)Ncg|] }|d SrIr(rJs r*r9z.update_running_scan_status..rKr)rIr#r% scan_type)rFrQrOro)rD get_scanspathsscanstatusr2s r*update_running_scan_statusrtsr * * * * *E! %(((( f   * * *{) !-+ ((r)cd|D}dtttdffd}t||D]\}}t ||}||d<dS)a Updates cleanup status for the list of panel users If at least on cleanup is running for user then status is 'running' Else if there are any finished cleanups then status is 'stopped' If no started and finished cleanups then status is not set :param user_list: cg|] }|d Sr6r(rJs r*r9z)update_cleanup_status..rKr)r=)runningreNc tdtjtjtjfdffd}tdtjtjtjfdffd}tj tj tdtj |dkdftj |dkdff dtj |tj }|S)z Returns a list of (user, cleanup_status) tuples where `cleanup_status` can take one of the values: "running", "stopped", or None Nrrwrer&)rrrsrVrCLEANUP_PENDINGCLEANUP_STARTED CLEANUP_DONECLEANUP_REMOVEDrNrrSumr_rUrRtuples)r8 case_running case_stoppedquerys r* expressionz)update_cleanup_status..expressionsQ  %)),<,<      %)),9,<       --19= --19= %())  U:?&&u-- . . Xjo & & ||~~r)r6r&N)r strr rrF)rDr8rrrsr2s r*update_cleanup_statusrs + * * * *E1U30J(K#KL1111f8 EJJ%% f   % % %$ %%r)cd}tt}|D]#}||d|$t|t|D]}||jD] }|j|d< dS)Nchtjtjtjtj|tjtjtj tjkSrM) rrNrQrPrUrVrRrSrrT)rfs r*rz)update_last_scan_date..expressionsm  {/1F G G U;#''.. / / Xk& ' ' VK)RVK4I-J-JJ K K  r)rr$)rlistappendrrQrP)rDr home_to_usersrrrs r*update_last_scan_daters    %%M11d6l#**40000/D''//"$), / /D $D   ///r)cb|sdStjtjt dz d|D}fd}t ||}i}|D]1}|j|vr||jj|jkr'|||j<2|D] }|d}||vr||}|j|d<!dS)a Updates cleanup analyst status for the list of panel users. Checks if users have active cleanup requests (pending or in_progress) or recently completed requests (within the last 3 days). :param user_list: List of user dictionaries to update N)daysc.g|]}|d |dSr6r(rJs r*r9z1update_cleanup_analyst_status..s%;;;q6;6;;;r)ctjtjtjtjtjtj|tjddgtjdktjkzzztj S)z Returns a query to fetch active cleanup requests and recently completed requests for the specified users. pending in_progressrP) rrNusernamers last_updated created_atrUrVorder_bydesc)r8three_days_agos r*rz1update_cleanup_analyst_status..expressions " (%.%,%2%0    U&/33E::.488& 6 /5D1>-. "X+6;;== > >1 r)rr') r nowrutcr rrrrs) rD usernamesrrequestsuser_to_requestrequestr2rrs @r*update_cleanup_analyst_statusrs \(,//)2C2C2CCN<;I;;;I     B/z9EEHO44   / / 01< !! ,3())11V9  & &%h/G").A  11r)ctKtd{V}t|trtjd|dnUt|t r,tjdd|dntjdfd|D}t||fS)Nz.*z^(|z)$cJg|]}|d| Sr6match)r7r2patterns r*r9z%get_matched_users..Ds.FFF1W]]1V9-E-EFQFFFr))r< isinstancerrecompilerjoinlen)rrD matched_usersrs @r*get_matched_usersr<s!mm######I%#*^%^^^,, E8 $ $#*5#((5//55566*T""FFFF FFFM y>>= ((r)rcKt|d{V\}}t|t||t|t |t jd{Vrt|||fSrM)rrlrtrrrcheck_cleanup_allowedr)rpr max_countrDs r*fetch_user_listrHs!25!9!9999999Iy' 222y)444)$$$)$$$  4 6 66666661%i000 i r)r"Tcfd}|||dkr|D]}|d|S)Ncdvrtnt}|turtdnd}|}||}|S)N)r r!r"r$r)intrchrrF)element field_typemin_valrcfields r*getterzsort..getterTscJKK C  '#--#a&&&1 E"" =E r))keyreverser")sortpop)rDrrrrs ` r*rrSsk     NNvtN,,, !!! ( (D HH& ' ' ' ' r)rQusers_from_panelpw_allcKtj|}|jx}x}}|jx}}t |} |dkrNt | r?|D];} | j| jkr)| j|vr| j| j| j}}}| j x}}nz&get_username_by_uid..s199 S(8(8(8(8(8(899r))rrr-r.next)rrs` r*get_username_by_uidrs_ c((CS\** * * * * * *F 9999f999   r))r"T)E__doc__rloggingrr-r collectionsrpathlibrtypingrrrrr r r r r rpeeweerrdefence360agent.subsys.panelsrdefence360agent.utilsrdefence360agent.utils.threadsr%defence360agent.model.analyst_cleanupr*defence360agent.api.server.analyst_cleanuprimav.malwarelib.configrrrimav.malwarelib.modelrrimav.malwarelib.scan.crontabrimav.malwarelib.utils.cloudwaysr getLogger__name__loggerr+r3r<dictrFrlrtrrrrrrrr struct_passwdrrboolrrr(r)r*rs<*  ######AAAAAAAAAAAAAAAAAA2222222222777777AAAAAA333333GGGGGGHHHHHH :9999999333333999999  8 $ $      === 2@2@2@j(((@%@%@%F///&E1E1E1P )eCd38n1E,E&F ) ) ) )/3     *&( &(!$S&(378I3J&(&(&(&(R0STcr)