@matthesketh/fleet 1.6.0 → 1.7.0

package/scripts/guard/fleet-guard-execute

@@ -0,0 +1,197 @@
+#!/usr/bin/env python3
+"""
+fleet-guard-execute — executes one approved fleet-guard record.
+
+reads a single json record on stdin (the approved hold). dispatches on
+record["kind"]. on success, prints a short summary; on failure, prints
+the error to stderr and exits non-zero.
+
+supported kinds:
+  noop                    — for testing the queue
+  cf_pause_zone           — pauses a cloudflare zone (dev mode style)
+  cf_unpause_zone         — unpauses a cloudflare zone
+  cf_revert_dns_record    — restores a dns record to its snapshot value
+  cf_block_ip             — adds a custom waf rule blocking an ip
+
+creds: /etc/fleet/guard.cf.json (root:fleet-guard 640)
+snapshots: /var/lib/cf-snapshots (git-tracked, populated by cf-snapshot)
+"""
+
+import json
+import sys
+import urllib.parse
+import urllib.request
+from pathlib import Path
+
+CFG_PATH = Path("/etc/fleet/guard.cf.json")
+SNAP_DIR = Path("/var/lib/cf-snapshots")
+
+
+def load_cf():
+    cfg = json.loads(CFG_PATH.read_text())
+    if not cfg.get("apiKey") or not cfg.get("email"):
+        sys.exit("missing cloudflare creds in /etc/fleet/guard.cf.json")
+    return cfg["apiKey"], cfg["email"], cfg.get("accountId")
+
+
+def cf_request(method, path, api_key, email, body=None):
+    url = f"https://api.cloudflare.com/client/v4{path}"
+    data = json.dumps(body).encode() if body is not None else None
+    req = urllib.request.Request(url, data=data, method=method, headers={
+        "X-Auth-Email": email,
+        "X-Auth-Key": api_key,
+        "Content-Type": "application/json",
+    })
+    with urllib.request.urlopen(req, timeout=20) as r:
+        return json.loads(r.read())
+
+
+def find_zone_id(zone_name, api_key, email):
+    qs = urllib.parse.urlencode({"name": zone_name})
+    res = cf_request("GET", f"/zones?{qs}", api_key, email)
+    results = res.get("result") or []
+    if not results:
+        raise RuntimeError(f"no zone match for {zone_name}")
+    return results[0]["id"]
+
+
+def kind_noop(payload):
+    print(f"noop ok: {payload.get('note', '')}")
+    return 0
+
+
+def kind_cf_pause_zone(payload, api_key, email, account_id):
+    zone = payload["zone"]
+    zid = find_zone_id(zone, api_key, email)
+    res = cf_request("POST", f"/zones/{zid}/pause", api_key, email, body={})
+    if not res.get("success"):
+        print(json.dumps(res), file=sys.stderr)
+        return 1
+    print(f"paused {zone}")
+    return 0
+
+
+def kind_cf_unpause_zone(payload, api_key, email, account_id):
+    zone = payload["zone"]
+    zid = find_zone_id(zone, api_key, email)
+    res = cf_request("POST", f"/zones/{zid}/unpause", api_key, email, body={})
+    if not res.get("success"):
+        print(json.dumps(res), file=sys.stderr)
+        return 1
+    print(f"unpaused {zone}")
+    return 0
+
+
+def kind_cf_revert_dns_record(payload, api_key, email, account_id):
+    """payload: {zone, name, type} — restores from latest snapshot."""
+    zone = payload["zone"]
+    name = payload["name"]
+    rtype = payload["type"]
+    snap_path = SNAP_DIR / f"{zone}.json"
+    if not snap_path.exists():
+        raise RuntimeError(f"no snapshot for {zone}")
+    snap = json.loads(snap_path.read_text())
+    matches = [r for r in snap.get("records", [])
+               if r.get("type") == rtype and r.get("name") == name]
+    if not matches:
+        raise RuntimeError(f"no snapshot record for {name} {rtype}")
+    target = matches[0]
+
+    zid = find_zone_id(zone, api_key, email)
+    # find live record id, if any
+    qs = urllib.parse.urlencode({"name": name, "type": rtype})
+    live = cf_request("GET", f"/zones/{zid}/dns_records?{qs}", api_key, email)
+    live_records = live.get("result") or []
+
+    body = {
+        "type": target["type"],
+        "name": target["name"],
+        "content": target.get("content"),
+        "proxied": target.get("proxied", False),
+        "ttl": target.get("ttl", 1),
+    }
+    if target.get("priority") is not None:
+        body["priority"] = target["priority"]
+
+    if live_records:
+        rec_id = live_records[0]["id"]
+        res = cf_request("PUT", f"/zones/{zid}/dns_records/{rec_id}", api_key, email, body)
+        action = "updated"
+    else:
+        res = cf_request("POST", f"/zones/{zid}/dns_records", api_key, email, body)
+        action = "recreated"
+
+    if not res.get("success"):
+        print(json.dumps(res), file=sys.stderr)
+        return 1
+    print(f"{action} {rtype} {name} on {zone}")
+    return 0
+
+
+def kind_cf_block_ip(payload, api_key, email, account_id):
+    """payload: {zone, ip, note?} — adds a block via cf rulesets."""
+    zone = payload["zone"]
+    ip = payload["ip"]
+    note = payload.get("note") or "fleet-guard auto-block"
+    zid = find_zone_id(zone, api_key, email)
+
+    rule = {
+        "action": "block",
+        "expression": f'(ip.src eq {ip})',
+        "description": f"fleet-guard: {note}",
+        "enabled": True,
+    }
+    body = {
+        "rules": [rule],
+    }
+    # rules go into the http_request_firewall_custom phase entrypoint
+    res = cf_request(
+        "PUT",
+        f"/zones/{zid}/rulesets/phases/http_request_firewall_custom/entrypoint",
+        api_key, email, body,
+    )
+    if not res.get("success"):
+        print(json.dumps(res), file=sys.stderr)
+        return 1
+    print(f"blocked {ip} on {zone}")
+    return 0
+
+
+HANDLERS = {
+    "noop": kind_noop,
+    "cf_pause_zone": kind_cf_pause_zone,
+    "cf_unpause_zone": kind_cf_unpause_zone,
+    "cf_revert_dns_record": kind_cf_revert_dns_record,
+    "cf_block_ip": kind_cf_block_ip,
+}
+
+
+def main():
+    raw = sys.stdin.read()
+    if not raw.strip():
+        sys.exit("no record on stdin")
+    record = json.loads(raw)
+    kind = record.get("kind")
+    payload = record.get("payload") or {}
+    handler = HANDLERS.get(kind)
+    if not handler:
+        print(f"unknown kind: {kind}", file=sys.stderr)
+        return 1
+
+    if kind == "noop":
+        return handler(payload)
+
+    api_key, email, account_id = load_cf()
+    try:
+        return handler(payload, api_key, email, account_id)
+    except urllib.error.HTTPError as e:
+        body = e.read().decode("utf-8", errors="replace")[:500]
+        print(f"cf api {e.code}: {body}", file=sys.stderr)
+        return 1
+    except Exception as e:
+        print(f"executor error: {e}", file=sys.stderr)
+        return 1
+
+
+if __name__ == "__main__":
+    sys.exit(main())

package/scripts/guard/notify

@@ -0,0 +1,108 @@
+#!/usr/bin/env python3
+"""
+fan-out notifier. reads /etc/fleet/notify.json (an "adapters" list) and
+dispatches the same message to every adapter that's configured. each
+adapter failure is reported but doesn't block the others.
+
+usage: notify "title" "body"
+"""
+
+import json
+import sys
+import urllib.parse
+import urllib.request
+import uuid
+from pathlib import Path
+
+CFG = Path("/etc/fleet/notify.json")
+
+
+def md_escape(text):
+    # markdownv2 escape for telegram
+    specials = "_*[]()~`>#+-=|{}.!"
+    return "".join("\\" + c if c in specials else c for c in text)
+
+
+def send_telegram(adapter, title, body):
+    token = adapter["botToken"]
+    chat = adapter["chatId"]
+    text = "*" + md_escape(title) + "*"
+    if body:
+        text += "\n" + md_escape(body)
+    data = urllib.parse.urlencode({
+        "chat_id": chat,
+        "text": text,
+        "parse_mode": "MarkdownV2",
+        "disable_web_page_preview": "true",
+    }).encode()
+    req = urllib.request.Request(
+        f"https://api.telegram.org/bot{token}/sendMessage",
+        data=data,
+        method="POST",
+    )
+    with urllib.request.urlopen(req, timeout=15) as r:
+        return r.status == 200
+
+
+def send_bluebubbles(adapter, title, body):
+    base = adapter["serverUrl"].rstrip("/")
+    pwd = adapter["password"]
+    chat = adapter["chatGuid"]
+    text = title if not body else f"{title}\n{body}"
+    payload = json.dumps({
+        "chatGuid": chat,
+        "message": text,
+        "method": "apple-script",
+        "tempGuid": str(uuid.uuid4()),
+    }).encode()
+    headers = {
+        "Content-Type": "application/json",
+        "User-Agent": "Mozilla/5.0 (server-notify) AppleWebKit/537.36",
+    }
+    if adapter.get("cfAccessClientId"):
+        headers["CF-Access-Client-Id"] = adapter["cfAccessClientId"]
+        headers["CF-Access-Client-Secret"] = adapter["cfAccessClientSecret"]
+    url = f"{base}/api/v1/message/text?password={urllib.parse.quote(pwd)}"
+    req = urllib.request.Request(url, data=payload, headers=headers, method="POST")
+    with urllib.request.urlopen(req, timeout=45) as r:
+        return r.status == 200
+
+
+DISPATCH = {
+    "telegram": send_telegram,
+    "bluebubbles": send_bluebubbles,
+}
+
+
+def main():
+    if len(sys.argv) < 2:
+        sys.exit("usage: notify <title> [body]")
+    title = sys.argv[1]
+    body = sys.argv[2] if len(sys.argv) > 2 else ""
+
+    if not CFG.exists():
+        sys.exit(f"missing {CFG}")
+    cfg = json.loads(CFG.read_text())
+    adapters = cfg.get("adapters") or []
+    failures = []
+    for ad in adapters:
+        kind = ad.get("type")
+        fn = DISPATCH.get(kind)
+        if not fn:
+            failures.append(f"unknown adapter: {kind}")
+            continue
+        try:
+            fn(ad, title, body)
+        except Exception as e:
+            failures.append(f"{kind}: {e}")
+    if failures:
+        # write to stderr but keep going; cron mail will surface it
+        for f in failures:
+            print(f, file=sys.stderr)
+        # only fail outright if every adapter failed
+        if len(failures) == len(adapters):
+            sys.exit(1)
+
+
+if __name__ == "__main__":
+    main()