ifms-pti/server/src/lib/paloalto.js

// Ref.: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/pan-os-xml-api-request-types/apply-user-id-mapping-and-populate-dynamic-address-groups-api.html

import axios from 'axios'
import https from 'https'
import { isIPv4 } from 'net'
import qs from 'qs'
import { subMinutes } from 'date-fns'
import { logError, logSuccess } from './logger'
import { AES, enc } from 'crypto-js'
import ip from 'ip'
import { performance } from 'perf_hooks'

import prisma from '../prisma'

const MAP_TIMEOUT_IN_MINUTES = process.env.MAPPING_TIMEOUT || '360' // 6 horas
const CIDR_RE = /^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$/
const REQUEST_TIMEOUT_IN_MS = 20000

const httpsAgent = new https.Agent({
  rejectUnauthorized: false
})

async function getDevicesWithUser() {
  const now = new Date()
  const timeoutThreshold = subMinutes(now, MAP_TIMEOUT_IN_MINUTES)

  const wifiDevices = await prisma.wifiDevice.findMany({
    where: {
      userId: { not: null },
      status: 'ONLINE',
      lastSeen: { gt: timeoutThreshold }
    },
    select: {
      ip: true,
      user: { select: { sAMAccountName: true, displayName: true } }
    }
  })
  return wifiDevices
}

function createCommand(devices) {
  const entries = devices.reduce(
    (entries, device) =>
      entries +
      `<entry name="ifms\\${device.user.sAMAccountName}" ip="${device.ip}" timeout="${MAP_TIMEOUT_IN_MINUTES}"/>\n`,
    ''
  )

  return `
    <uid-message> 
    <version>1.0</version> 
    <type>update</type> 
    <payload> 
      <login>
          ${entries}
      </login> 
    </payload>
    </uid-message>`
}

const isWorking = []

function clearWorkingState() {
  isWorking.length = 0
}

setInterval(clearWorkingState, 3600000)

async function updateUserIdMappings() {
  const allDevices = await getDevicesWithUser()

  const pAHosts = await prisma.pAHost.findMany()

  const jobs = pAHosts.map(async pAHost => {
    if (isWorking.includes(pAHost.id))
      return `Última execução para ${pAHost.description} ainda em andamento`

    const startTime = performance.now()

    const net = ip.cidrSubnet(pAHost.cidr)

    const devices = allDevices.filter(
      ({ ip }) => isIPv4(ip) && net.contains(ip)
    )

    try {
      if (devices.length == 0)
        return `Nenhum dispositivo encontrado para ${pAHost.description}`

      isWorking.push(pAHost.id)

      const cmd = createCommand(devices)

      await axios({
        url: `https://${pAHost.cidr.split('/')[0]}/api/`,
        method: 'POST',
        params: { type: 'user-id', key: decryptKey(pAHost.encryptedKey) },
        data: qs.stringify({ cmd }),
        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
        timeout: REQUEST_TIMEOUT_IN_MS,
        httpsAgent
      })

      const endTime = performance.now()

      logSuccess({
        tags: ['paloalto', 'user-id'],
        message: `Foram mapeados ${devices.length} user-ids em ${
          pAHost.description || pAHost.cidr
        } em ${((endTime - startTime) / 1000).toFixed(2)}s.`,
        data: devices
      })

      return devices.length
    } catch (e) {
      logError({
        tags: ['paloalto', 'user-id'],
        message: `Erro atualizando user-id mappings em ${
          pAHost.description || pAHost.cidr
        }: ${e.message}`
      })

      //console.log(e) // Do not add e to log DB for security reasons...

      return 'Não foi possível atualizar. Veja o log do servidor'
    } finally {
      const index = isWorking.indexOf(pAHost.id)
      if (index > -1) isWorking.splice(index, 1)
    }
  })

  return Promise.allSettled(jobs)
}

async function getUserKey({ ipAddr, user, password }) {
  try {
    const result = await axios({
      url: `https://${ipAddr}/api/`,
      method: 'POST',
      params: { type: 'keygen', user, password },
      httpsAgent
    })

    return result.data.split('<key>')[1].split('</key>')[0]
  } catch (e) {
    throw new Error(e.message)
  }
}

function encryptKey(key) {
  return AES.encrypt(key, process.env.CRYPT_SECRET).toString()
}

function decryptKey(encryptedKey) {
  return AES.decrypt(encryptedKey, process.env.CRYPT_SECRET).toString(enc.Utf8)
}

async function addHost({ cidr, user, password, description, note, owner }) {
  if (!CIDR_RE.test(cidr)) throw new Error('Este não é um CIDR válido')

  const ipAddr = cidr.split('/')[0]

  if (!isIPv4(ipAddr)) throw new Error('Este não é um IPv4 válido')
  const net = ip.cidrSubnet(cidr)

  if (net.subnetMaskLength > 32 || net.networkAddress == '0.0.0.0')
    throw new Error('Esta não é uma combinação de IP/máscara IPv4 válida')

  const pAHosts = await prisma.pAHost.findMany()

  try {
    const key = await getUserKey({ ipAddr, user, password })

    const encryptedKey = encryptKey(key)

    const id = pAHosts.find(pAHost => pAHost.cidr.split('/')[0] == ipAddr)?.id

    const pAHost = {
      cidr,
      encryptedKey,
      user,
      description,
      note,
      owner: {
        connect: {
          sAMAccountName: owner.sAMAccountName
        }
      }
    }

    const host = id
      ? await prisma.pAHost.update({ where: { id }, data: pAHost })
      : await prisma.pAHost.create({ data: pAHost })

    return {
      ...host,
      key: `${key.slice(0, 5)}`
    }
  } catch (e) {
    logError({
      message: `Não foi possível adicionar o host ${cidr}. ${e?.message}`,
      tags: ['paloalto']
    })
    throw new Error(e.message)
  }
}

export { updateUserIdMappings, addHost, decryptKey }
Clean unused variables 2020-12-10 23:56:05 +00:00			`// Ref.: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/pan-os-xml-api-request-types/apply-user-id-mapping-and-populate-dynamic-address-groups-api.html`

Initial support for user-id mappings 2020-12-02 15:20:27 +00:00			`import axios from 'axios'`
			`import https from 'https'`
Add PA Host OK 2021-01-14 19:12:37 +00:00			`import { isIPv4 } from 'net'`
Improve Palo Alto user-id mapping using a single POST req 2020-12-10 20:29:14 +00:00			`import qs from 'qs'`
Remove unused var 2021-01-14 20:22:15 +00:00			`import { subMinutes } from 'date-fns'`
Added logger 2020-12-18 18:33:34 +00:00			`import { logError, logSuccess } from './logger'`
Initial PanOS db support 2021-01-14 17:04:41 +00:00			`import { AES, enc } from 'crypto-js'`
Add PA Host OK 2021-01-14 19:12:37 +00:00			`import ip from 'ip'`
Added performance hooks 2021-11-03 15:59:23 +00:00			`import { performance } from 'perf_hooks'`
Add PA Host OK 2021-01-14 19:12:37 +00:00
			`import prisma from '../prisma'`
Initial support for user-id mappings 2020-12-02 15:20:27 +00:00
Clear working state every hour 2022-02-07 18:25:56 +00:00			`const MAP_TIMEOUT_IN_MINUTES = process.env.MAPPING_TIMEOUT \|\| '360' // 6 horas`
Add PA Host OK 2021-01-14 19:12:37 +00:00			`const CIDR_RE = /^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]\|[1-2][0-9]\|3[0-2]))?$/`
Add request timeout 2022-02-08 12:57:36 +00:00			`const REQUEST_TIMEOUT_IN_MS = 20000`
Better filtering 2020-12-17 12:57:38 +00:00
Improve Palo Alto user-id mapping using a single POST req 2020-12-10 20:29:14 +00:00			`const httpsAgent = new https.Agent({`
Initial support for user-id mappings 2020-12-02 15:20:27 +00:00			`rejectUnauthorized: false`
			`})`

Remove unused vars 2021-01-15 19:33:09 +00:00			`async function getDevicesWithUser() {`
Better filtering 2020-12-17 12:57:38 +00:00			`const now = new Date()`
Clear working state every hour 2022-02-07 18:25:56 +00:00			`const timeoutThreshold = subMinutes(now, MAP_TIMEOUT_IN_MINUTES)`
Better filtering 2020-12-17 12:57:38 +00:00
Refactor 2021-01-14 14:07:29 +00:00			`const wifiDevices = await prisma.wifiDevice.findMany({`
			`where: {`
			`userId: { not: null },`
			`status: 'ONLINE',`
Switch basic auth with key auth and use DB for PA hosts 2021-01-14 20:18:17 +00:00			`lastSeen: { gt: timeoutThreshold }`
Refactor 2021-01-14 14:07:29 +00:00			`},`
			`select: {`
			`ip: true,`
Improve hints 2021-01-19 16:46:52 +00:00			`user: { select: { sAMAccountName: true, displayName: true } }`
Refactor 2021-01-14 14:07:29 +00:00			`}`
			`})`
			`return wifiDevices`
			`}`

			`function createCommand(devices) {`
			`const entries = devices.reduce(`
			`(entries, device) =>`
			`entries +`
Clear working state every hour 2022-02-07 18:25:56 +00:00			`<entry name="ifms\\${device.user.sAMAccountName}" ip="${device.ip}" timeout="${MAP_TIMEOUT_IN_MINUTES}"/>\n`,
Refactor 2021-01-14 14:07:29 +00:00			`''`
			`)`

			return `
			`<uid-message>`
			`<version>1.0</version>`
			`<type>update</type>`
			`<payload>`
			`<login>`
			`${entries}`
			`</login>`
			`</payload>`
			</uid-message>`
			`}`
Initial support for user-id mappings 2020-12-02 15:20:27 +00:00
Run user-id updates independently 2021-01-19 16:32:39 +00:00			`const isWorking = []`

Clear working state every hour 2022-02-07 18:25:56 +00:00			`function clearWorkingState() {`
			`isWorking.length = 0`
			`}`

			`setInterval(clearWorkingState, 3600000)`

Refactor 2021-01-14 14:07:29 +00:00			`async function updateUserIdMappings() {`
Remove unused vars 2021-01-15 19:33:09 +00:00			`const allDevices = await getDevicesWithUser()`
Handle the zero device case 2020-12-17 17:04:38 +00:00
Switch basic auth with key auth and use DB for PA hosts 2021-01-14 20:18:17 +00:00			`const pAHosts = await prisma.pAHost.findMany()`
Initial support for user-id mappings 2020-12-02 15:20:27 +00:00
Switch basic auth with key auth and use DB for PA hosts 2021-01-14 20:18:17 +00:00			`const jobs = pAHosts.map(async pAHost => {`
Clear working state every hour 2022-02-07 18:25:56 +00:00			`if (isWorking.includes(pAHost.id))`
			return `Última execução para ${pAHost.description} ainda em andamento`
Run user-id updates independently 2021-01-19 16:32:39 +00:00
Added performance hooks 2021-11-03 15:59:23 +00:00			`const startTime = performance.now()`

Switch basic auth with key auth and use DB for PA hosts 2021-01-14 20:18:17 +00:00			`const net = ip.cidrSubnet(pAHost.cidr)`
Improve Palo Alto user-id mapping using a single POST req 2020-12-10 20:29:14 +00:00
Bugfix: verify ip before net.contains 2021-04-06 12:56:33 +00:00			`const devices = allDevices.filter(`
			`({ ip }) => isIPv4(ip) && net.contains(ip)`
			`)`
Improve Palo Alto user-id mapping using a single POST req 2020-12-10 20:29:14 +00:00
Switch basic auth with key auth and use DB for PA hosts 2021-01-14 20:18:17 +00:00			`try {`
Clear working state every hour 2022-02-07 18:25:56 +00:00			`if (devices.length == 0)`
			return `Nenhum dispositivo encontrado para ${pAHost.description}`
Added logger 2020-12-18 18:33:34 +00:00
Fix working state 2021-01-19 20:44:53 +00:00			`isWorking.push(pAHost.id)`

Switch basic auth with key auth and use DB for PA hosts 2021-01-14 20:18:17 +00:00			`const cmd = createCommand(devices)`
Replaced all console.log with new logger function 2020-12-18 16:07:33 +00:00
Switch basic auth with key auth and use DB for PA hosts 2021-01-14 20:18:17 +00:00			`await axios({`
			url: `https://${pAHost.cidr.split('/')[0]}/api/`,
			`method: 'POST',`
			`params: { type: 'user-id', key: decryptKey(pAHost.encryptedKey) },`
			`data: qs.stringify({ cmd }),`
			`headers: { 'Content-Type': 'application/x-www-form-urlencoded' },`
Add request timeout 2022-02-08 12:57:36 +00:00			`timeout: REQUEST_TIMEOUT_IN_MS,`
Switch basic auth with key auth and use DB for PA hosts 2021-01-14 20:18:17 +00:00			`httpsAgent`
			`})`

Added performance hooks 2021-11-03 15:59:23 +00:00			`const endTime = performance.now()`

Switch basic auth with key auth and use DB for PA hosts 2021-01-14 20:18:17 +00:00			`logSuccess({`
Run user-id updates independently 2021-01-19 16:32:39 +00:00			`tags: ['paloalto', 'user-id'],`
OK... That's a lot of changes... 2022-06-14 13:26:01 +00:00			message: `Foram mapeados ${devices.length} user-ids em ${
			`pAHost.description \|\| pAHost.cidr`
			} em ${((endTime - startTime) / 1000).toFixed(2)}s.`,
Switch basic auth with key auth and use DB for PA hosts 2021-01-14 20:18:17 +00:00			`data: devices`
			`})`

			`return devices.length`
			`} catch (e) {`
			`logError({`
			`tags: ['paloalto', 'user-id'],`
OK... That's a lot of changes... 2022-06-14 13:26:01 +00:00			message: `Erro atualizando user-id mappings em ${
			`pAHost.description \|\| pAHost.cidr`
			}: ${e.message}`
Switch basic auth with key auth and use DB for PA hosts 2021-01-14 20:18:17 +00:00			`})`

Ommit log 2022-04-27 18:32:43 +00:00			`//console.log(e) // Do not add e to log DB for security reasons...`
Improved security on PA routines 2021-10-27 16:41:22 +00:00
Switch basic auth with key auth and use DB for PA hosts 2021-01-14 20:18:17 +00:00			`return 'Não foi possível atualizar. Veja o log do servidor'`
Run user-id updates independently 2021-01-19 16:32:39 +00:00			`} finally {`
			`const index = isWorking.indexOf(pAHost.id)`
			`if (index > -1) isWorking.splice(index, 1)`
Switch basic auth with key auth and use DB for PA hosts 2021-01-14 20:18:17 +00:00			`}`
			`})`

			`return Promise.allSettled(jobs)`
Initial support for user-id mappings 2020-12-02 15:20:27 +00:00			`}`

Add PA Host OK 2021-01-14 19:12:37 +00:00			`async function getUserKey({ ipAddr, user, password }) {`
			`try {`
			`const result = await axios({`
			url: `https://${ipAddr}/api/`,
			`method: 'POST',`
			`params: { type: 'keygen', user, password },`
			`httpsAgent`
			`})`

			`return result.data.split('<key>')[1].split('</key>')[0]`
			`} catch (e) {`
			`throw new Error(e.message)`
			`}`
			`}`

			`function encryptKey(key) {`
			`return AES.encrypt(key, process.env.CRYPT_SECRET).toString()`
			`}`
Initial PanOS db support 2021-01-14 17:04:41 +00:00
Add PA Host OK 2021-01-14 19:12:37 +00:00			`function decryptKey(encryptedKey) {`
			`return AES.decrypt(encryptedKey, process.env.CRYPT_SECRET).toString(enc.Utf8)`
Initial PanOS db support 2021-01-14 17:04:41 +00:00			`}`

Added PA host owner 2021-01-18 20:03:08 +00:00			`async function addHost({ cidr, user, password, description, note, owner }) {`
Upsert PA host OK 2021-01-14 19:51:40 +00:00			`if (!CIDR_RE.test(cidr)) throw new Error('Este não é um CIDR válido')`
Add PA Host OK 2021-01-14 19:12:37 +00:00
Upsert PA host OK 2021-01-14 19:51:40 +00:00			`const ipAddr = cidr.split('/')[0]`
Add PA Host OK 2021-01-14 19:12:37 +00:00
Upsert PA host OK 2021-01-14 19:51:40 +00:00			`if (!isIPv4(ipAddr)) throw new Error('Este não é um IPv4 válido')`
			`const net = ip.cidrSubnet(cidr)`
Add PA Host OK 2021-01-14 19:12:37 +00:00
Upsert PA host OK 2021-01-14 19:51:40 +00:00			`if (net.subnetMaskLength > 32 \|\| net.networkAddress == '0.0.0.0')`
			`throw new Error('Esta não é uma combinação de IP/máscara IPv4 válida')`
Add PA Host OK 2021-01-14 19:12:37 +00:00
Upsert PA host OK 2021-01-14 19:51:40 +00:00			`const pAHosts = await prisma.pAHost.findMany()`
Add PA Host OK 2021-01-14 19:12:37 +00:00
Upsert PA host OK 2021-01-14 19:51:40 +00:00			`try {`
Add PA Host OK 2021-01-14 19:12:37 +00:00			`const key = await getUserKey({ ipAddr, user, password })`

			`const encryptedKey = encryptKey(key)`

Upsert PA host OK 2021-01-14 19:51:40 +00:00			`const id = pAHosts.find(pAHost => pAHost.cidr.split('/')[0] == ipAddr)?.id`

Add PA Host OK 2021-01-14 19:12:37 +00:00			`const pAHost = {`
			`cidr,`
			`encryptedKey,`
			`user,`
			`description,`
Added PA host owner 2021-01-18 20:03:08 +00:00			`note,`
			`owner: {`
			`connect: {`
			`sAMAccountName: owner.sAMAccountName`
			`}`
			`}`
Add PA Host OK 2021-01-14 19:12:37 +00:00			`}`

Upsert PA host OK 2021-01-14 19:51:40 +00:00			`const host = id`
			`? await prisma.pAHost.update({ where: { id }, data: pAHost })`
			`: await prisma.pAHost.create({ data: pAHost })`
Initial PanOS db support 2021-01-14 17:04:41 +00:00
			`return {`
			`...host,`
Add PA Host OK 2021-01-14 19:12:37 +00:00			key: `${key.slice(0, 5)}`
Initial PanOS db support 2021-01-14 17:04:41 +00:00			`}`
			`} catch (e) {`
			`logError({`
Add PA Host OK 2021-01-14 19:12:37 +00:00			message: `Não foi possível adicionar o host ${cidr}. ${e?.message}`,
Initial PanOS db support 2021-01-14 17:04:41 +00:00			`tags: ['paloalto']`
			`})`
			`throw new Error(e.message)`
			`}`
			`}`

Added pAHosts query 2021-01-14 23:20:01 +00:00			`export { updateUserIdMappings, addHost, decryptKey }`