zscams 2.0.1__py2.py3-none-any.whl → 2.0.2__py2.py3-none-any.whl

zscams/__main__.py

@@ -2,84 +2,26 @@
 Main entry point for ZSCAMs Agent
 """
 
-import os
 import asyncio
 import sys
-import argparse
-from zscams.agent.src.core.api.backend.bootstrap import bootstrap
-from zscams.agent.src.core.api.backend.update_machine_info import update_machine_info
-from zscams.agent.src.support.configuration import get_config, CONFIG_PATH
+import os
+from zscams.agent.src.core.backend.bootstrap import bootstrap
+from zscams.agent.src.core.backend.update_machine_info import update_machine_info
 from zscams.agent.src.support.logger import get_logger
-from zscams.agent.src.core.tunnel.tls import create_ssl_context
-from zscams.agent.src.core.tunnels import start_all_tunnels
-from zscams.agent.src.core.services import start_all_services
-from zscams.agent.src.core.service_health_check import monitor_services
-from zscams.agent.src.core.api.backend.client import backend_client
-
-logger = get_logger("tls_tunnel_main")
-
-
-def ensure_bootstrapped():
-    """Ensure the agent is bootstrapped with the backend."""
-
-    bootstrapped = backend_client.is_bootstrapped()
-    logger.debug("Agent bootstrapped: %s", bootstrapped)
-    if not bootstrapped:
-        logger.error(
-            "Agent is not bootstrapped. Please run `zscams --bootstrap` to start the bootstrap process.",
-        )
-        sys.exit(1)
-
-
-async def async_main():
-    """Asynchronous main function to start tunnels and services."""
-
-    config = get_config()
-    config_dir = os.path.dirname(CONFIG_PATH)
-    ssl_context = create_ssl_context(config["remote"], config_dir=config_dir)
-    remote_host = config["remote"]["host"]
-    remote_port = config["remote"]["port"]
-
-    # Start tunnels and wait for readiness
-    tunnel_tasks = await start_all_tunnels(
-        config.get("forwards", []), remote_host, remote_port, ssl_context
-    )
-
-    # Start services that depend on tunnels
-    service_tasks = asyncio.create_task(
-        start_all_services(config.get("services", []), config_dir=config_dir)
-    )
-
-    # Start health checks
-    monitor_task = asyncio.create_task(
-        monitor_services(
-            config.get("services", []),
-            config_dir=config_dir,
-            interval=config.get("general", {}).get("health_check_interval", 300),
-        )
-    )
+from zscams.agent import init_parser, ensure_bootstrapped, run
 
-    logger.info("[*] All tunnels and services started. Press Ctrl+C to stop.")
-    await asyncio.gather(*tunnel_tasks, service_tasks, monitor_task)
+logger = get_logger("ZSCAMs")
 
 
 def main():
     """Main function to run the asynchronous main."""
-    parser = argparse.ArgumentParser(description="ZSCAMs Agent")
-    parser.add_argument(
-        "--bootstrap",
-        action="store_true",
-        help="Run bootstrap process and exit",
-    )
-    parser.add_argument(
-        "--update-machine-info",
-        action="store_true",
-        help="Run bootstrap process and exit",
-    )
-    args = parser.parse_args()
+    args = init_parser().parse_args()
 
     if args.bootstrap:
         try:
+            if os.geteuid() != 0:
+                logger.error("You are NOT running as root.")
+                sys.exit(1)
             bootstrap()
             sys.exit(0)
         except Exception as exception:
@@ -92,7 +34,7 @@ def main():
 
     try:
         ensure_bootstrapped()
-        asyncio.run(async_main())
+        asyncio.run(run())
     except KeyboardInterrupt:
         logger.info("Exiting TLS Tunnel Client")
 

zscams/agent/__init__.py

@@ -0,0 +1,93 @@
+import os
+import asyncio
+import sys
+import argparse
+from zscams.agent.src.support.configuration import get_config, CONFIG_PATH
+from zscams.agent.src.support.filesystem import is_file_exists, resolve_path
+from zscams.agent.src.core.tunnel.tls import create_ssl_context
+from zscams.agent.src.core.tunnels import start_all_tunnels
+from zscams.agent.src.core.services import start_all_services
+from zscams.agent.src.core.service_health_check import monitor_services
+from zscams.agent.src.core.backend.client import backend_client
+from zscams.agent.src.support.logger import get_logger
+
+
+logger = get_logger("tls_tunnel_main")
+
+
+def init_parser():
+    parser = argparse.ArgumentParser(description="ZSCAMs Agent")
+    parser.add_argument(
+        "--bootstrap",
+        action="store_true",
+        help="Run bootstrap process and exit",
+    )
+    parser.add_argument(
+        "--update-machine-info",
+        action="store_true",
+        help="Run bootstrap process and exit",
+    )
+    return parser
+
+
+def ensure_bootstrapped():
+    """Ensure the agent is bootstrapped with the backend."""
+
+    config = get_config()
+    remote_cfg = config["remote"]
+    config_dir = os.path.dirname(CONFIG_PATH)
+
+    files_to_ensure = [
+        resolve_path(remote_cfg.get("ca_cert"), config_dir),
+        resolve_path(remote_cfg.get("client_cert"), config_dir),
+        resolve_path(remote_cfg.get("client_key"), config_dir),
+    ]
+
+    has_missing_file = False
+
+    for file in files_to_ensure:
+        if not is_file_exists(file, logger):
+            has_missing_file = True
+            break
+
+    bootstrapped = backend_client.is_bootstrapped()
+
+    logger.debug("Agent has entry on server: %s", bootstrapped)
+
+    if not bootstrapped or has_missing_file:
+        logger.error(
+            "Agent is not bootstrapped. Please run `zscams --bootstrap` to start the bootstrap process.",
+        )
+        sys.exit(1)
+
+
+async def run():
+    """Asynchronous main function to start tunnels and services."""
+
+    config = get_config()
+    config_dir = os.path.dirname(CONFIG_PATH)
+    ssl_context = create_ssl_context(config["remote"], config_dir=config_dir)
+    remote_host = config["remote"]["host"]
+    remote_port = config["remote"]["port"]
+
+    # Start tunnels and wait for readiness
+    tunnel_tasks = await start_all_tunnels(
+        config.get("forwards", []), remote_host, remote_port, ssl_context
+    )
+
+    # Start services that depend on tunnels
+    service_tasks = asyncio.create_task(
+        start_all_services(config.get("services", []), config_dir=config_dir)
+    )
+
+    # Start health checks
+    monitor_task = asyncio.create_task(
+        monitor_services(
+            config.get("services", []),
+            config_dir=config_dir,
+            interval=config.get("general", {}).get("health_check_interval", 300),
+        )
+    )
+
+    logger.info("[*] All tunnels and services started. Press Ctrl+C to stop.")
+    await asyncio.gather(*tunnel_tasks, service_tasks, monitor_task)

zscams/agent/config.yaml

@@ -1,121 +1,103 @@
 ---
+backend:
+  base_url: http://22.0.122.40:5000/api
+  cache_dir: .cache
+bootstrap_info:
+  blacklist_ports: []
+  cert_issuer: ZSCAMs
+  csr:
+    country: FR
+    default_common_name: zscams-agent.orangecyberdefense.com
+    locality: Paris
+    organization: zscams-agent.orangecyberdefense.com
+    state: Ile-de-France
+forwards:
+  - description: Forward to SSH backend
+    local_port: 4422
+    sni_hostname: ssh-tunnel
+  - description: Forward to Seculogs
+    local_port: 4423
+    sni_hostname: monitor-tunnel
+general:
+  health_check_interval: 30
 logging:
   level: 10
-
-general:
-  health_check_interval: 30 # seconds between health checks for services
-
 remote:
-  host: 81.255.240.214 # stunnel server IP or hostname
-  port: 443 # Single TLS port on stunnel server
-  verify_cert: false # set false for self-signed certs
   ca_cert: certificates/ca_chain.pem
+  ca_chain: certificates/ca_chain.pem
   client_cert: certificates/client.crt
   client_key: certificates/client.key
-  ca_chain: certificates/ca_chain.pem
-
-forwards:
-  - local_port: 4422
-    sni_hostname: ssh-tunnel
-    description: "Forward to SSH backend"
-  - local_port: 4423
-    sni_hostname: monitor-tunnel
-    description: "Forward to Seculogs"
-
-backend:
-  base_url: "http://22.0.122.40:5000/api"
-  cache_dir: ".cache"
-
-bootstrap_info:
-  csr:
-    country: "FR"
-    state: "Ile-de-France"
-    locality: "Paris"
-    common_name: "zscams-agent.example.com"
-    organization: "zscams-agent.orangecyberdefense.com"
-  cert_issuer: "ZSCAMs"
-  blacklist_ports: []
-
+  host: 81.255.240.214
+  port: 443
+  verify_cert: false
 services:
-  - name: "Reverse SSH"
-    script: "src/services/reverse_ssh.py"
-    # Its just for reference in logs but not used within the service as the
-    # actual port is passed via params (Remote Port). Im setting it to 22 as
-    # its the eventual port that will be connected to
-    port: 22
-    args: []
+  - args: []
+    custom_port_name: reverse_port
     health:
       host: localhost
-      # port that should be open if service is healthy
       port: 22
-
-    # -R [remote_listen_address:]remote_listen_port:local_host:local_port
+    name: Reverse SSH
     params:
-      remote_host: "localhost"
-      # The forwarding port on ZSCAMs server to connect to in order to create
-      # the reverse tunnel, this should match the local_port of one of the
-      # forwards above
       local_port: 4422
-      server_ssh_user: "ssh_user"
-      # Port on ZSCAMS server to forward to this agent, this port should be
-      # dynamically assigned by the server and passed to the agent via some
-      # secure means
-      reverse_port: 53612
-      # Path to private key for authentication
-      private_key: 'zscams/agent/keys/autoport.key'
+      private_key: zscams/agent/keys/autoport.key
+      remote_host: localhost
+      reverse_port: 10000
+      server_ssh_user: ssh_user
       ssh_options:
-        - "-o LogLevel=error"
-        - "-o UserKnownHostsFile=/dev/null"
-        - "-o StrictHostKeyChecking=no"
-        - "-o ServerAliveInterval=30"
-        - "-o ServerAliveCountMax=2"
+        - -o LogLevel=error
+        - -o UserKnownHostsFile=/dev/null
+        - -o StrictHostKeyChecking=no
+        - -o ServerAliveInterval=30
+        - -o ServerAliveCountMax=2
+    port: 22
     prerequisites:
       files:
-        - 'zscams/agent/keys/autoport.key'
-      services: []
+        - zscams/agent/keys/autoport.key
       ports:
         - 22
-  - name: "Monitor Forwarder"
-    script: "src/services/ssh_forwarder.py"
-    port: 530
-    args: []
+      services: []
+    script: src/services/reverse_ssh.py
+  - args: []
+    custom_port_name: forwarder_port
     health:
       host: localhost
-      # port that should be open if service is healthy
-      port: 44514
+      port: 10001
+    name: Monitor Forwarder
     params:
-      remote_host: "194.51.14.159"
+      forwarder_port: 10001
+      local_port: 4423
+      private_key: zscams/agent/keys/autoport.key
+      remote_host: 194.51.14.159
       remote_port: 530
-      local_port: 4423 #Stunnel port
-      forwarder_port: 44514 #Port the forwarder will listen on and forward to remote host and port
-      server_ssh_user: "ssh_user"
-      private_key: 'zscams/agent/keys/autoport.key'
+      server_ssh_user: ssh_user
       ssh_options:
-        - "-o LogLevel=error"
-        - "-o UserKnownHostsFile=/dev/null"
-        - "-o StrictHostKeyChecking=no"
-        - "-o ServerAliveInterval=30"
-        - "-o ServerAliveCountMax=2"
+        - -o LogLevel=error
+        - -o UserKnownHostsFile=/dev/null
+        - -o StrictHostKeyChecking=no
+        - -o ServerAliveInterval=30
+        - -o ServerAliveCountMax=2
+    port: 530
     prerequisites:
       files:
-        - 'zscams/agent/keys/autoport.key'
-      services: []
+        - zscams/agent/keys/autoport.key
       ports: []
-  - name: "Monitor Service"
-    script: "src/services/system_monitor.py"
-    port: 44514
-    args: []
+      services: []
+    script: src/services/ssh_forwarder.py
+  - args: []
     health:
       host: localhost
-      port: 44514
+      port: 10001
+    name: Monitor Service
     params:
-      remote_host: "localhost"
-      remote_port: 44514
-      equipment_name: "zpa-connector"
-      equipment_type: "zpa"
-      service_name: "Zscaler-AppConnector"
+      equipment_name: zpa-orange-swec-dev-01
+      equipment_type: zpa
+      remote_host: localhost
+      remote_port: 10001
+      service_name: Zscaler-AppConnector
+    port: 10001
     prerequisites:
       files: []
-      services: []
       ports:
-        - 44514
+        - 10001
+      services: []
+    script: src/services/system_monitor.py

zscams/agent/configuration/config.j2

@@ -0,0 +1,103 @@
+---
+backend:
+  base_url: http://22.0.122.40:5000/api
+  cache_dir: .cache
+bootstrap_info:
+  blacklist_ports: []
+  cert_issuer: ZSCAMs
+  csr:
+    country: FR
+    default_common_name: zscams-agent.orangecyberdefense.com
+    locality: Paris
+    organization: zscams-agent.orangecyberdefense.com
+    state: Ile-de-France
+forwards:
+  - description: Forward to SSH backend
+    local_port: 4422
+    sni_hostname: ssh-tunnel
+  - description: Forward to Seculogs
+    local_port: 4423
+    sni_hostname: monitor-tunnel
+general:
+  health_check_interval: 30
+logging:
+  level: 10
+remote:
+  ca_cert: certificates/ca_chain.pem
+  ca_chain: certificates/ca_chain.pem
+  client_cert: certificates/client.crt
+  client_key: certificates/client.key
+  host: 81.255.240.214
+  port: 443
+  verify_cert: false
+services:
+  - args: []
+    health:
+      host: localhost
+      port: 22
+    name: Reverse SSH
+    custom_port_name: "reverse_port"
+    params:
+      local_port: 4422
+      private_key: zscams/agent/keys/autoport.key
+      remote_host: localhost
+      reverse_port: "{reverse_port}"
+      server_ssh_user: ssh_user
+      ssh_options:
+        - -o LogLevel=error
+        - -o UserKnownHostsFile=/dev/null
+        - -o StrictHostKeyChecking=no
+        - -o ServerAliveInterval=30
+        - -o ServerAliveCountMax=2
+    port: 22
+    prerequisites:
+      files:
+        - zscams/agent/keys/autoport.key
+      ports:
+        - 22
+      services: []
+    script: src/services/reverse_ssh.py
+  - args: []
+    health:
+      host: localhost
+      port: "{forwarder_port}"
+    name: Monitor Forwarder
+    custom_port_name: "forwarder_port"
+    params:
+      forwarder_port: "{forwarder_port}"
+      local_port: 4423
+      private_key: zscams/agent/keys/autoport.key
+      remote_host: 194.51.14.159
+      remote_port: 530
+      server_ssh_user: ssh_user
+      ssh_options:
+        - -o LogLevel=error
+        - -o UserKnownHostsFile=/dev/null
+        - -o StrictHostKeyChecking=no
+        - -o ServerAliveInterval=30
+        - -o ServerAliveCountMax=2
+    port: 530
+    prerequisites:
+      files:
+        - zscams/agent/keys/autoport.key
+      ports: []
+      services: []
+    script: src/services/ssh_forwarder.py
+  - args: []
+    health:
+      host: localhost
+      port: "{forwarder_port}"
+    name: Monitor Service
+    params:
+      equipment_name: "{equipment_name}"
+      equipment_type: "{equipment_type}"
+      remote_host: localhost
+      remote_port: "{forwarder_port}"
+      service_name: Zscaler-AppConnector
+    port: "{forwarder_port}"
+    prerequisites:
+      files: []
+      ports:
+        - "{forwarder_port}"
+      services: []
+    script: src/services/system_monitor.py

zscams/agent/configuration/service.j2

@@ -0,0 +1,12 @@
+[Unit]
+Description=ZSCAMs Service
+After=network.target
+
+[Service]
+ExecStart={python_exec} -m zscams
+Restart=always
+User={user_to_run_as}
+Environment="PYTHONPATH={pythonpath}"
+
+[Install]
+WantedBy=multi-user.target

zscams/agent/src/core/backend/bootstrap.py

@@ -0,0 +1,73 @@
+import os
+from pathlib import Path
+import sysconfig
+import sys
+from typing import cast
+from zscams.agent.src.core.backend.client import backend_client
+from zscams.agent.src.support.configuration import reinitialize
+from zscams.agent.src.support.logger import get_logger
+from zscams.agent.src.support.os import create_system_user, install_systemd_service
+from zscams.agent.src.support.ssh import add_to_authorized_keys
+from zscams.agent.src.support.cli import prompt
+
+logger = get_logger("bootstrap")
+
+
+def bootstrap():
+    """Ensure the agent is bootstrapped with the backend."""
+
+    if backend_client.is_bootstrapped():
+        logger.info("Agent ID %s is already bootstrapped.", backend_client.agent_id)
+        return
+
+    username = input("Username: ")
+    totp = input("One Time Password (OTP): ")
+
+    backend_client.login(username, totp)
+
+    customer_name = prompt(
+        "Customer Name",
+        "Customer Name",
+        required=True,
+        startswith="",
+    )
+    connector_name = prompt(
+        "Connector Name",
+        "Connector Name [Unique name for this connector]",
+        required=True,
+        startswith="",
+    )
+    equipment_type = prompt(
+        "Equipment Type",
+        "Equipment Type [Can be ZPA|VZEN|PSE]",
+        required=True,
+        startswith="",
+    )
+    equipment_name = f"{equipment_type.lower()}-{customer_name.lower()}-{connector_name.lower()}"
+    enforced_id = prompt("Enforced ID", "Enforced Agent ID")
+    reinitialize(equipment_name=equipment_name,equipment_type=equipment_type)
+    cm_info = backend_client.bootstrap(equipment_name, enforced_id or None)
+
+    sys_user = cast(str, cm_info.get("ssh_user"))
+
+    create_system_user(sys_user)
+    add_to_authorized_keys(sys_user, cm_info.get("server_ssh_pub_key"))
+    install_zscams_systemd_service(sys_user)
+
+
+def install_zscams_systemd_service(user_to_run_as: str):
+
+    data = {
+        "pythonpath": sysconfig.get_paths()["purelib"],
+        "python_exec": sys.executable,
+        "user_to_run_as": user_to_run_as,
+    }
+    import zscams
+    BASE_DIR = Path(zscams.__file__).resolve().parent
+    template_path = f"{BASE_DIR}/agent/configuration/service.j2"
+    with open(template_path) as f:
+        template = f.read()
+
+    rendered_config = template.format(**data)
+
+    install_systemd_service("zscams.service", rendered_config)

zscams/agent/src/core/{api/backend → backend}/client.py

@@ -7,7 +7,13 @@ from typing import Optional, cast
 
 from .exceptions import AgentBootstrapError
 
-from zscams.agent.src.support.configuration import CONFIG_PATH, ROOT_PATH, get_config
+from zscams.agent.src.support.configuration import (
+    CONFIG_PATH,
+    ROOT_PATH,
+    get_config,
+    override_config,
+)
+from zscams.agent.src.support.yaml import resolve_placeholders, assert_no_placeholders_left
 from zscams.agent.src.support.mac import get_mac_address
 from zscams.agent.src.support.filesystem import resolve_path, ensure_dir, is_file_exists
 from zscams.agent.src.support.network import get_local_hostname, get_local_ip_address
@@ -68,6 +74,12 @@ class BackendClient:
 
         self.logger.info("Generated the private key at %s", private_key_path)
 
+        common_name = (
+            f"{equipment_name}.orangecyberdefense.com"
+            if equipment_name
+            else csr_info.get("default_common_name")
+        )
+
         ip = get_local_ip_address()
         csr = generate_csr_from_private_key(
             private_key_content,
@@ -75,7 +87,7 @@ class BackendClient:
             csr_info.get("state"),
             csr_info.get("locality"),
             csr_info.get("organization"),
-            csr_info.get("common_name"),
+            common_name,
         )
 
         payload = {
@@ -85,7 +97,7 @@ class BackendClient:
             "equipment_name": equipment_name,
             "csr": csr,
             "enforced_id": enforced_id,
-            "services": [service.get("name") for service in self.services_config],
+            "services": [service.get("name") for service in self.services_config if service.get("custom_port_name", None)],
             "blacklist_ports": self.bootstrap_info.get("blacklist_ports", []),
             "cert_issuer": self.bootstrap_info.get("cert_issuer", None),
         }
@@ -111,14 +123,17 @@ class BackendClient:
         self.logger.info("Signed the cert")
         self.logger.debug("Signed cert response: %s", json.dumps(res_json, indent=2))
 
-        ca_chain: list[str] = res_json.get("response", {}).get("ca_chain", [])
-        signed_cert: str = res_json.get("response", {}).get("signed_certificate", [])
+        customer_machine = res_json.get("response", {})
+        ca_chain: list[str] = customer_machine.get("ca_chain", [])
+        signed_cert: str = customer_machine.get("signed_certificate", [])
         self._write_certificates(ca_chain, signed_cert)
 
         # To cache the machine info
         self.get_machine_info(ignore_cache=True)
 
-        return res_json
+        self.__override_config_services_ports(customer_machine.get("services", []))
+
+        return customer_machine
 
     def get_machine_info(self, ignore_cache: bool = False):
         """Get machine information from the backend."""
@@ -237,6 +252,30 @@ class BackendClient:
 
     def __prepare_path(self, path):
         return f"{self.url}/{path.lstrip('/')}"
+            
+    def __override_config_services_ports(self, cm_services: list[dict]):
+        self.logger.debug("Overriding configuration services ports...")
+
+        config = get_config()
+        custom_ports = {}
+        for cm_service in cm_services:
+            for cfg_service_idx, cfg_service in enumerate(config.get("services", [])):
+                if cm_service.get("name") == cfg_service.get("name"):
+
+                    if not config["services"][cfg_service_idx]["params"]:
+                        config["services"][cfg_service_idx]["params"] = {}
+
+                    port_field_name = cfg_service.get("custom_port_name", None)
+                    if port_field_name:
+                        custom_ports[port_field_name] = cm_service.get("port")
+                        config["services"][cfg_service_idx]["params"][port_field_name] = (
+                            cm_service.get("port")
+                        )
+        resolve_placeholders(config, custom_ports)
+        assert_no_placeholders_left(config)
+        self.logger.debug("Done overriding the configurations")
+
+        return override_config(config)
 
 
 backend_client = BackendClient()

zscams/agent/src/core/{api/backend → backend}/update_machine_info.py

@@ -1,4 +1,4 @@
-from zscams.agent.src.core.api.backend.client import backend_client
+from zscams.agent.src.core.backend.client import backend_client
 from zscams.agent.src.support.logger import get_logger
 
 logger = get_logger("agent_machine_info")