tyler.durden
/
centreon-plugins
mirror of https://github.com/centreon/centreon-plugins.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

(plugin) apps::wazuh::restapi - add token authentication + harden api response (#3577)

This commit is contained in:
qgarnier 2022-04-01 15:46:17 +02:00 committed by GitHub
parent 7f5c066f1e
commit fc8311c092
2 changed files with 235 additions and 125 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

187
centreon-plugins/apps/wazuh/restapi/custom/api.pm
View File

@ -23,7 +23,9 @@ package apps::wazuh::restapi::custom::api;
use strict;
use warnings;
use centreon::plugins::http;
use centreon::plugins::statefile;
use JSON::XS;
use Digest::MD5;
sub new {
my ($class, %options) = @_;
@ -41,18 +43,23 @@ sub new {
if (!defined($options{noptions})) {
$options{options}->add_options(arguments => {
'hostname:s@' => { name => 'hostname' },
'username:s@' => { name => 'username' },
'password:s@' => { name => 'password' },
'timeout:s@' => { name => 'timeout' },
'port:s@' => { name => 'port' },
'proto:s@' => { name => 'proto' }
'hostname:s' => { name => 'hostname' },
'username:s' => { name => 'username' },
'password:s' => { name => 'password' },
'token:s' => { name => 'token' },
'timeout:s' => { name => 'timeout' },
'port:s' => { name => 'port' },
'proto:s' => { name => 'proto' },
'unknown-http-status:s' => { name => 'unknown_http_status' },
'warning-http-status:s' => { name => 'warning_http_status' },
'critical-http-status:s' => { name => 'critical_http_status' }
});
}
$options{options}->add_help(package => __PACKAGE__, sections => 'REST API OPTIONS', once => 1);
$self->{output} = $options{output};
$self->{http} = centreon::plugins::http->new(%options);
$self->{cache} = centreon::plugins::statefile->new(%options);
return $self;
}
@ -68,23 +75,35 @@ sub set_defaults {}
sub check_options {
my ($self, %options) = @_;
$self->{hostname} = (defined($self->{option_results}->{hostname})) ? shift(@{$self->{option_results}->{hostname}}) : undef;
$self->{username} = (defined($self->{option_results}->{username})) ? shift(@{$self->{option_results}->{username}}) : '';
$self->{password} = (defined($self->{option_results}->{password})) ? shift(@{$self->{option_results}->{password}}) : '';
$self->{timeout} = (defined($self->{option_results}->{timeout})) ? shift(@{$self->{option_results}->{timeout}}) : 10;
$self->{port} = (defined($self->{option_results}->{port})) ? shift(@{$self->{option_results}->{port}}) : 55000;
$self->{proto} = (defined($self->{option_results}->{proto})) ? shift(@{$self->{option_results}->{proto}}) : 'https';
$self->{hostname} = (defined($self->{option_results}->{hostname})) ? $self->{option_results}->{hostname} : '';
$self->{api_username} = (defined($self->{option_results}->{username})) ? $self->{option_results}->{username} : '';
$self->{api_password} = (defined($self->{option_results}->{password})) ? $self->{option_results}->{password} : '';
$self->{timeout} = (defined($self->{option_results}->{timeout})) ? $self->{option_results}->{timeout} : 30;
$self->{port} = (defined($self->{option_results}->{port})) ? $self->{option_results}->{port} : 55000;
$self->{proto} = (defined($self->{option_results}->{proto})) ? $self->{option_results}->{proto} : 'https';
$self->{unknown_http_status} = (defined($self->{option_results}->{unknown_http_status})) ? $self->{option_results}->{unknown_http_status} : '%{http_code} < 200 or %{http_code} >= 300';
$self->{warning_http_status} = (defined($self->{option_results}->{warning_http_status})) ? $self->{option_results}->{warning_http_status} : '';
$self->{critical_http_status} = (defined($self->{option_results}->{critical_http_status})) ? $self->{option_results}->{critical_http_status} : '';
$self->{token} = $self->{option_results}->{token};
if (!defined($self->{hostname})) {
if ($self->{hostname} eq '') {
$self->{output}->add_option_msg(short_msg => 'Need to specify hostname option.');
$self->{output}->option_exit();
}
if (!defined($self->{hostname}) ||
scalar(@{$self->{option_results}->{hostname}}) == 0) {
return 0;
if ($self->{api_username} eq '') {
$self->{output}->add_option_msg(short_msg => 'Need to specify --username option.');
$self->{output}->option_exit();
}
return 1;
if ($self->{api_password} eq '') {
$self->{output}->add_option_msg(short_msg => 'Need to specify --password option.');
$self->{output}->option_exit();
}
if (defined($self->{token})) {
$self->{cache}->check_options(option_results => $self->{option_results});
}
return 0;
}
sub get_hostname {
@ -99,45 +118,125 @@ sub get_port {
return $self->{port};
}
sub build_options_for_httplib {
my ($self, %options) = @_;
$self->{option_results}->{hostname} = $self->{hostname};
$self->{option_results}->{timeout} = $self->{timeout};
$self->{option_results}->{port} = $self->{port};
$self->{option_results}->{proto} = $self->{proto};
$self->{option_results}->{credentials} = 1;
$self->{option_results}->{basic} = 1;
$self->{option_results}->{username} = $self->{username};
$self->{option_results}->{password} = $self->{password};
if (!defined($self->{option_results}->{ssl_opt})) {
$self->{option_results}->{ssl_opt} = ['SSL_verify_mode => SSL_VERIFY_NONE'];
}
if (!defined($self->{option_results}->{curl_opt})) {
$self->{option_results}->{curl_opt} = ['CURLOPT_SSL_VERIFYPEER => 0', 'CURLOPT_SSL_VERIFYHOST => 0'];
}
}
sub settings {
my ($self, %options) = @_;
$self->build_options_for_httplib();
return if (defined($self->{settings_done}));
$self->{http}->add_header(key => 'Accept', value => 'application/json');
$self->{http}->set_options(%{$self->{option_results}});
$self->{settings_done} = 1;
}
sub get_token {
my ($self, %options) = @_;
my $has_cache_file = $self->{cache}->read(statefile => 'wazuh_api_' . Digest::MD5::md5_hex($self->{hostname} . '_' . $self->{api_username}));
my $token = $self->{cache}->get(name => 'token');
my $md5_secret_cache = $self->{cache}->get(name => 'md5_secret');
my $md5_secret = Digest::MD5::md5_hex($self->{api_username} . $self->{api_password});
if ($has_cache_file == 0 ||
!defined($token) ||
(defined($md5_secret_cache) && $md5_secret_cache ne $md5_secret)
) {
$self->settings();
my $content = $self->{http}->request(
method => 'GET',
url_path => '/security/user/authenticate',
credentials => 1,
basic => 1,
username => $self->{api_username},
password => $self->{api_password}
);
my $decoded;
eval {
$decoded = JSON::XS->new->utf8->decode($content);
};
if ($@) {
$self->{output}->add_option_msg(short_msg => "Cannot decode json response");
$self->{output}->option_exit();
}
if (!defined($decoded->{data}->{token})) {
$self->{output}->add_option_msg(short_msg => 'Cannot get token');
$self->{output}->option_exit();
}
$token = $decoded->{data}->{token};
my $datas = {
updated => time(),
token => $token,
md5_secret => $md5_secret
};
$self->{cache}->write(data => $datas);
}
return $token;
}
sub clean_token {
my ($self, %options) = @_;
my $datas = { updated => time() };
$self->{cache}->write(data => $datas);
}
sub credentials {
my ($self, %options) = @_;
my $token = $self->{token};
if (defined($self->{token})) {
$token = $self->get_token();
}
my $creds = {};
if (defined($self->{token})) {
$creds = {
header => ['Authorization: Bearer ' . $token],
unknown_status => '',
warning_status => '',
critical_status => ''
};
} else {
$creds = {
credentials => 1,
basic => 1,
username => $self->{api_username},
password => $self->{api_password},
unknown_status => $self->{unknown_http_status},
warning_status => $self->{warning_http_status},
critical_status => $self->{critical_http_status}
};
}
return $creds;
}
sub request {
my ($self, %options) = @_;
$self->settings();
my $creds = $self->credentials();
my $content = $self->{http}->request(
url_path => $options{path},
unknown_status => '', warning_status => '', critical_status => '',
%$creds
);
if ($self->{http}->get_code() != 200) {
$self->{output}->add_option_msg(short_msg => 'Connection issue : ' . $self->{http}->get_message() . ' (' . $self->{http}->get_code() . ')');
# Maybe token is invalid. so we retry
if (defined($self->{token}) && $self->{http}->get_code() < 200 || $self->{http}->get_code() >= 300) {
$self->clean_token();
$creds = $self->credentials();
$content = $self->{http}->request(
url_path => $options{path},
%$creds,
unknown_status => $self->{unknown_http_status},
warning_status => $self->{warning_http_status},
critical_status => $self->{critical_http_status}
);
}
if (!defined($content) || $content eq '') {
$self->{output}->add_option_msg(short_msg => "API returns empty content [code: '" . $self->{http}->get_code() . "'] [message: '" . $self->{http}->get_message() . "']");
$self->{output}->option_exit();
}
@ -185,9 +284,13 @@ Wazuh username.
Wazuh password.
=item B<--token>
Use token authentication.
=item B<--timeout>
Set HTTP timeout in seconds (Default: '10').
Set HTTP timeout in seconds (Default: 30).
=item B<--proto>

173
centreon-plugins/apps/wazuh/restapi/mode/manager.pm
View File

@ -25,84 +25,15 @@ use base qw(centreon::plugins::templates::counter);
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);
use centreon::plugins::templates::catalog_functions qw(catalog_status_threshold catalog_status_calc);
use centreon::plugins::templates::catalog_functions qw(catalog_status_threshold_ng);
sub custom_status_output {
my ($self, %options) = @_;
my $msg = sprintf('status: %s',
$self->{result_values}->{status},
return sprintf(
'status: %s',
$self->{result_values}->{status}
);
return $msg;
}
sub set_counters {
my ($self, %options) = @_;
$self->{maps_counters_type} = [
{ name => 'global', type => 0, cb_prefix_output => 'prefix_global_output' },
{ name => 'process', type => 1, cb_prefix_output => 'prefix_process_output', message_multiple => 'All manager processes are ok' },
{ name => 'log', type => 1, cb_prefix_output => 'prefix_log_output', message_multiple => 'All manager logs are ok' }
];
$self->{maps_counters}->{global} = [];
foreach ('stopped', 'running') {
push @{$self->{maps_counters}->{global}}, {
label => 'processes-' . $_, nlabel => 'manager.processes.' . $_ . '.count', display_ok => 0, set => {
key_values => [ { name => $_ } ],
output_template => $_ . ': %s',
perfdatas => [
{ value => $_ , template => '%s', min => 0 },
],
}
};
}
$self->{maps_counters}->{process} = [
{ label => 'process-status', threshold => 0, set => {
key_values => [ { name => 'status' }, { name => 'display' } ],
closure_custom_calc => \&catalog_status_calc,
closure_custom_output => $self->can('custom_status_output'),
closure_custom_perfdata => sub { return 0; },
closure_custom_threshold_check => \&catalog_status_threshold,
}
},
];
$self->{maps_counters}->{log} = [];
foreach ('error', 'critical', 'warning') {
push @{$self->{maps_counters}->{log}}, {
label => 'log-' . $_, nlabel => 'manager.log.' . $_ . '.count', set => {
key_values => [ { name => $_, diff => 1 } ],
output_template => $_ . ': %s',
perfdatas => [
{ value => $_ , template => '%s', min => 0 },
],
}
};
}
}
sub new {
my ($class, %options) = @_;
my $self = $class->SUPER::new(package => __PACKAGE__, %options, , statefile => 1, force_new_perfdata => 1);
bless $self, $class;
$options{options}->add_options(arguments => {
'filter-process:s' => { name => 'filter_process' },
'filter-log:s' => { name => 'filter_log' },
'warning-process-status:s' => { name => 'warning_process_status', default => '' },
'critical-process-status:s' => { name => 'critical_process_status', default => '' },
});
return $self;
}
sub check_options {
my ($self, %options) = @_;
$self->SUPER::check_options(%options);
$self->change_macros(macros => ['warning_process_status', 'critical_process_status']);
}
sub prefix_global_output {
@ -123,31 +54,107 @@ sub prefix_log_output {
return "Log '" . $options{instance_value}->{display} . "' ";
}
sub set_counters {
my ($self, %options) = @_;
$self->{maps_counters_type} = [
{ name => 'global', type => 0, cb_prefix_output => 'prefix_global_output' },
{ name => 'process', type => 1, cb_prefix_output => 'prefix_process_output', message_multiple => 'All manager processes are ok' },
{ name => 'log', type => 1, cb_prefix_output => 'prefix_log_output', message_multiple => 'All manager logs are ok' }
];
$self->{maps_counters}->{global} = [];
foreach ('stopped', 'running') {
push @{$self->{maps_counters}->{global}}, {
label => 'processes-' . $_, nlabel => 'manager.processes.' . $_ . '.count', display_ok => 0, set => {
key_values => [ { name => $_ } ],
output_template => $_ . ': %s',
perfdatas => [
{ value => $_ , template => '%s', min => 0 }
]
}
};
}
$self->{maps_counters}->{process} = [
{ label => 'process-status', type => 2, set => {
key_values => [ { name => 'status' }, { name => 'display' } ],
closure_custom_output => $self->can('custom_status_output'),
closure_custom_perfdata => sub { return 0; },
closure_custom_threshold_check => \&catalog_status_threshold_ng
}
}
];
$self->{maps_counters}->{log} = [];
foreach ('error', 'critical', 'warning') {
push @{$self->{maps_counters}->{log}}, {
label => 'log-' . $_, nlabel => 'manager.log.' . $_ . '.count', set => {
key_values => [ { name => $_, diff => 1 } ],
output_template => $_ . ': %s',
perfdatas => [
{ value => $_ , template => '%s', min => 0 }
]
}
};
}
}
sub new {
my ($class, %options) = @_;
my $self = $class->SUPER::new(package => __PACKAGE__, %options, , statefile => 1, force_new_perfdata => 1);
bless $self, $class;
$options{options}->add_options(arguments => {
'filter-process:s' => { name => 'filter_process' },
'filter-log:s' => { name => 'filter_log' }
});
return $self;
}
sub get_summary_logs {
my ($self, %options) = @_;
my $result = $options{custom}->request(path => '/manager/logs/summary');
return $result->{data} if (!defined($result->{data}->{affected_items}));
my $entries = {};
foreach my $items (@{$result->{data}->{affected_items}}) {
foreach my $name (keys %$items) {
$entries->{$name} = $items->{$name};
}
}
return $entries;
}
sub manage_selection {
my ($self, %options) = @_;
$self->{global} = { running => 0, stopped => 0 };
$self->{process} = {};
my $result = $options{custom}->request(path => '/manager/status');
foreach (keys %{$result->{data}}) {
my $entry = defined($result->{data}->{affected_items}) ? $result->{data}->{affected_items}->[0] : $result->{data};
foreach (keys %$entry) {
if (defined($self->{option_results}->{filter_process}) && $self->{option_results}->{filter_process} ne '' &&
$_ !~ /$self->{option_results}->{filter_process}/) {
$self->{output}->output_add(long_msg => "skipping process '" . $_ . "': no matching filter.", debug => 1);
next;
}
my $status = lc($result->{data}->{$_});
my $status = lc($entry->{$_});
$self->{process}->{$_} = {
display => $_,
status => $status,
status => $status
};
$self->{global}->{$status}++;
}
$result = $self->get_summary_logs(custom => $options{custom});
$self->{log} = {};
$result = $options{custom}->request(path => '/manager/logs/summary?');
foreach (keys %{$result->{data}}) {
foreach (keys %$result) {
if (defined($self->{option_results}->{filter_log}) && $self->{option_results}->{filter_log} ne '' &&
$_ !~ /$self->{option_results}->{filter_log}/) {
$self->{output}->output_add(long_msg => "skipping log '" . $_ . "': no matching filter.", debug => 1);
@ -156,10 +163,10 @@ sub manage_selection {
$self->{log}->{$_} = {
display => $_,
error => $result->{data}->{$_}->{error},
warning => $result->{data}->{$_}->{warning},
critical => $result->{data}->{$_}->{critical},
};
error => $result->{$_}->{error},
warning => $result->{$_}->{warning},
critical => $result->{$_}->{critical}
};
}
$self->{cache_name} = 'wazuh_' . $options{custom}->get_hostname() . '_' . $options{custom}->get_port() . '_' . $self->{mode} . '_' .