zscams 2.0.1__tar.gz → 2.0.2__tar.gz

{zscams-2.0.1 → zscams-2.0.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: zscams
-Version: 2.0.1
+Version: 2.0.2
 Summary: Async TLS tunnel client with SNI routing, auto-reconnect, and health checks
 Author: OCD - Cairo Software Team
 Maintainer: OCD - Cairo Software Team
@@ -20,6 +20,7 @@ Classifier: Programming Language :: Python :: 3.13
 Requires-Dist: PyYAML
 Requires-Dist: cryptography
 Requires-Dist: psutil
+Requires-Dist: requests
 Description-Content-Type: text/markdown
 
 # Agent

{zscams-2.0.1 → zscams-2.0.2}/pyproject.toml

@@ -4,7 +4,7 @@ requires-python = "^3.9.2"
 
 [tool.poetry]
 name = "zscams"
-version = "2.0.1"
+version = "2.0.2"
 description = "Async TLS tunnel client with SNI routing, auto-reconnect, and health checks"
 authors = ["OCD - Cairo Software Team"]
 maintainers = ["OCD - Cairo Software Team"]
@@ -15,6 +15,7 @@ packages = [ { include = "zscams"}]
 PyYAML = "*"
 cryptography = "*"
 psutil = "*"
+requests = "*"
 
 [tool.poetry.scripts]
 zscams = "zscams.__main__:main"

zscams-2.0.2/zscams/__main__.py

@@ -0,0 +1,43 @@
+"""
+Main entry point for ZSCAMs Agent
+"""
+
+import asyncio
+import sys
+import os
+from zscams.agent.src.core.backend.bootstrap import bootstrap
+from zscams.agent.src.core.backend.update_machine_info import update_machine_info
+from zscams.agent.src.support.logger import get_logger
+from zscams.agent import init_parser, ensure_bootstrapped, run
+
+logger = get_logger("ZSCAMs")
+
+
+def main():
+    """Main function to run the asynchronous main."""
+    args = init_parser().parse_args()
+
+    if args.bootstrap:
+        try:
+            if os.geteuid() != 0:
+                logger.error("You are NOT running as root.")
+                sys.exit(1)
+            bootstrap()
+            sys.exit(0)
+        except Exception as exception:
+            logger.error(exception)
+            sys.exit(1)
+
+    if args.update_machine_info:
+        update_machine_info()
+        sys.exit(0)
+
+    try:
+        ensure_bootstrapped()
+        asyncio.run(run())
+    except KeyboardInterrupt:
+        logger.info("Exiting TLS Tunnel Client")
+
+
+if __name__ == "__main__":
+    main()

zscams-2.0.1/zscams/__main__.py → zscams-2.0.2/zscams/agent/__init__.py

@@ -1,37 +1,67 @@
-"""
-Main entry point for ZSCAMs Agent
-"""
-
 import os
 import asyncio
 import sys
 import argparse
-from zscams.agent.src.core.api.backend.bootstrap import bootstrap
-from zscams.agent.src.core.api.backend.update_machine_info import update_machine_info
 from zscams.agent.src.support.configuration import get_config, CONFIG_PATH
-from zscams.agent.src.support.logger import get_logger
+from zscams.agent.src.support.filesystem import is_file_exists, resolve_path
 from zscams.agent.src.core.tunnel.tls import create_ssl_context
 from zscams.agent.src.core.tunnels import start_all_tunnels
 from zscams.agent.src.core.services import start_all_services
 from zscams.agent.src.core.service_health_check import monitor_services
-from zscams.agent.src.core.api.backend.client import backend_client
+from zscams.agent.src.core.backend.client import backend_client
+from zscams.agent.src.support.logger import get_logger
+
 
 logger = get_logger("tls_tunnel_main")
 
 
+def init_parser():
+    parser = argparse.ArgumentParser(description="ZSCAMs Agent")
+    parser.add_argument(
+        "--bootstrap",
+        action="store_true",
+        help="Run bootstrap process and exit",
+    )
+    parser.add_argument(
+        "--update-machine-info",
+        action="store_true",
+        help="Run bootstrap process and exit",
+    )
+    return parser
+
+
 def ensure_bootstrapped():
     """Ensure the agent is bootstrapped with the backend."""
 
+    config = get_config()
+    remote_cfg = config["remote"]
+    config_dir = os.path.dirname(CONFIG_PATH)
+
+    files_to_ensure = [
+        resolve_path(remote_cfg.get("ca_cert"), config_dir),
+        resolve_path(remote_cfg.get("client_cert"), config_dir),
+        resolve_path(remote_cfg.get("client_key"), config_dir),
+    ]
+
+    has_missing_file = False
+
+    for file in files_to_ensure:
+        if not is_file_exists(file, logger):
+            has_missing_file = True
+            break
+
     bootstrapped = backend_client.is_bootstrapped()
-    logger.debug("Agent bootstrapped: %s", bootstrapped)
-    if not bootstrapped:
+
+    logger.debug("Agent has entry on server: %s", bootstrapped)
+
+    if not bootstrapped or has_missing_file:
         logger.error(
             "Agent is not bootstrapped. Please run `zscams --bootstrap` to start the bootstrap process.",
         )
         sys.exit(1)
 
 
-async def async_main():
+async def run():
     """Asynchronous main function to start tunnels and services."""
 
     config = get_config()
@@ -61,41 +91,3 @@ async def async_main():
 
     logger.info("[*] All tunnels and services started. Press Ctrl+C to stop.")
     await asyncio.gather(*tunnel_tasks, service_tasks, monitor_task)
-
-
-def main():
-    """Main function to run the asynchronous main."""
-    parser = argparse.ArgumentParser(description="ZSCAMs Agent")
-    parser.add_argument(
-        "--bootstrap",
-        action="store_true",
-        help="Run bootstrap process and exit",
-    )
-    parser.add_argument(
-        "--update-machine-info",
-        action="store_true",
-        help="Run bootstrap process and exit",
-    )
-    args = parser.parse_args()
-
-    if args.bootstrap:
-        try:
-            bootstrap()
-            sys.exit(0)
-        except Exception as exception:
-            logger.error(exception)
-            sys.exit(1)
-
-    if args.update_machine_info:
-        update_machine_info()
-        sys.exit(0)
-
-    try:
-        ensure_bootstrapped()
-        asyncio.run(async_main())
-    except KeyboardInterrupt:
-        logger.info("Exiting TLS Tunnel Client")
-
-
-if __name__ == "__main__":
-    main()

zscams-2.0.2/zscams/agent/config.yaml

@@ -0,0 +1,103 @@
+---
+backend:
+  base_url: http://22.0.122.40:5000/api
+  cache_dir: .cache
+bootstrap_info:
+  blacklist_ports: []
+  cert_issuer: ZSCAMs
+  csr:
+    country: FR
+    default_common_name: zscams-agent.orangecyberdefense.com
+    locality: Paris
+    organization: zscams-agent.orangecyberdefense.com
+    state: Ile-de-France
+forwards:
+  - description: Forward to SSH backend
+    local_port: 4422
+    sni_hostname: ssh-tunnel
+  - description: Forward to Seculogs
+    local_port: 4423
+    sni_hostname: monitor-tunnel
+general:
+  health_check_interval: 30
+logging:
+  level: 10
+remote:
+  ca_cert: certificates/ca_chain.pem
+  ca_chain: certificates/ca_chain.pem
+  client_cert: certificates/client.crt
+  client_key: certificates/client.key
+  host: 81.255.240.214
+  port: 443
+  verify_cert: false
+services:
+  - args: []
+    custom_port_name: reverse_port
+    health:
+      host: localhost
+      port: 22
+    name: Reverse SSH
+    params:
+      local_port: 4422
+      private_key: zscams/agent/keys/autoport.key
+      remote_host: localhost
+      reverse_port: 10000
+      server_ssh_user: ssh_user
+      ssh_options:
+        - -o LogLevel=error
+        - -o UserKnownHostsFile=/dev/null
+        - -o StrictHostKeyChecking=no
+        - -o ServerAliveInterval=30
+        - -o ServerAliveCountMax=2
+    port: 22
+    prerequisites:
+      files:
+        - zscams/agent/keys/autoport.key
+      ports:
+        - 22
+      services: []
+    script: src/services/reverse_ssh.py
+  - args: []
+    custom_port_name: forwarder_port
+    health:
+      host: localhost
+      port: 10001
+    name: Monitor Forwarder
+    params:
+      forwarder_port: 10001
+      local_port: 4423
+      private_key: zscams/agent/keys/autoport.key
+      remote_host: 194.51.14.159
+      remote_port: 530
+      server_ssh_user: ssh_user
+      ssh_options:
+        - -o LogLevel=error
+        - -o UserKnownHostsFile=/dev/null
+        - -o StrictHostKeyChecking=no
+        - -o ServerAliveInterval=30
+        - -o ServerAliveCountMax=2
+    port: 530
+    prerequisites:
+      files:
+        - zscams/agent/keys/autoport.key
+      ports: []
+      services: []
+    script: src/services/ssh_forwarder.py
+  - args: []
+    health:
+      host: localhost
+      port: 10001
+    name: Monitor Service
+    params:
+      equipment_name: zpa-orange-swec-dev-01
+      equipment_type: zpa
+      remote_host: localhost
+      remote_port: 10001
+      service_name: Zscaler-AppConnector
+    port: 10001
+    prerequisites:
+      files: []
+      ports:
+        - 10001
+      services: []
+    script: src/services/system_monitor.py

zscams-2.0.2/zscams/agent/configuration/config.j2

@@ -0,0 +1,103 @@
+---
+backend:
+  base_url: http://22.0.122.40:5000/api
+  cache_dir: .cache
+bootstrap_info:
+  blacklist_ports: []
+  cert_issuer: ZSCAMs
+  csr:
+    country: FR
+    default_common_name: zscams-agent.orangecyberdefense.com
+    locality: Paris
+    organization: zscams-agent.orangecyberdefense.com
+    state: Ile-de-France
+forwards:
+  - description: Forward to SSH backend
+    local_port: 4422
+    sni_hostname: ssh-tunnel
+  - description: Forward to Seculogs
+    local_port: 4423
+    sni_hostname: monitor-tunnel
+general:
+  health_check_interval: 30
+logging:
+  level: 10
+remote:
+  ca_cert: certificates/ca_chain.pem
+  ca_chain: certificates/ca_chain.pem
+  client_cert: certificates/client.crt
+  client_key: certificates/client.key
+  host: 81.255.240.214
+  port: 443
+  verify_cert: false
+services:
+  - args: []
+    health:
+      host: localhost
+      port: 22
+    name: Reverse SSH
+    custom_port_name: "reverse_port"
+    params:
+      local_port: 4422
+      private_key: zscams/agent/keys/autoport.key
+      remote_host: localhost
+      reverse_port: "{reverse_port}"
+      server_ssh_user: ssh_user
+      ssh_options:
+        - -o LogLevel=error
+        - -o UserKnownHostsFile=/dev/null
+        - -o StrictHostKeyChecking=no
+        - -o ServerAliveInterval=30
+        - -o ServerAliveCountMax=2
+    port: 22
+    prerequisites:
+      files:
+        - zscams/agent/keys/autoport.key
+      ports:
+        - 22
+      services: []
+    script: src/services/reverse_ssh.py
+  - args: []
+    health:
+      host: localhost
+      port: "{forwarder_port}"
+    name: Monitor Forwarder
+    custom_port_name: "forwarder_port"
+    params:
+      forwarder_port: "{forwarder_port}"
+      local_port: 4423
+      private_key: zscams/agent/keys/autoport.key
+      remote_host: 194.51.14.159
+      remote_port: 530
+      server_ssh_user: ssh_user
+      ssh_options:
+        - -o LogLevel=error
+        - -o UserKnownHostsFile=/dev/null
+        - -o StrictHostKeyChecking=no
+        - -o ServerAliveInterval=30
+        - -o ServerAliveCountMax=2
+    port: 530
+    prerequisites:
+      files:
+        - zscams/agent/keys/autoport.key
+      ports: []
+      services: []
+    script: src/services/ssh_forwarder.py
+  - args: []
+    health:
+      host: localhost
+      port: "{forwarder_port}"
+    name: Monitor Service
+    params:
+      equipment_name: "{equipment_name}"
+      equipment_type: "{equipment_type}"
+      remote_host: localhost
+      remote_port: "{forwarder_port}"
+      service_name: Zscaler-AppConnector
+    port: "{forwarder_port}"
+    prerequisites:
+      files: []
+      ports:
+        - "{forwarder_port}"
+      services: []
+    script: src/services/system_monitor.py

zscams-2.0.2/zscams/agent/configuration/service.j2

@@ -0,0 +1,12 @@
+[Unit]
+Description=ZSCAMs Service
+After=network.target
+
+[Service]
+ExecStart={python_exec} -m zscams
+Restart=always
+User={user_to_run_as}
+Environment="PYTHONPATH={pythonpath}"
+
+[Install]
+WantedBy=multi-user.target

zscams-2.0.2/zscams/agent/src/core/backend/bootstrap.py

@@ -0,0 +1,73 @@
+import os
+from pathlib import Path
+import sysconfig
+import sys
+from typing import cast
+from zscams.agent.src.core.backend.client import backend_client
+from zscams.agent.src.support.configuration import reinitialize
+from zscams.agent.src.support.logger import get_logger
+from zscams.agent.src.support.os import create_system_user, install_systemd_service
+from zscams.agent.src.support.ssh import add_to_authorized_keys
+from zscams.agent.src.support.cli import prompt
+
+logger = get_logger("bootstrap")
+
+
+def bootstrap():
+    """Ensure the agent is bootstrapped with the backend."""
+
+    if backend_client.is_bootstrapped():
+        logger.info("Agent ID %s is already bootstrapped.", backend_client.agent_id)
+        return
+
+    username = input("Username: ")
+    totp = input("One Time Password (OTP): ")
+
+    backend_client.login(username, totp)
+
+    customer_name = prompt(
+        "Customer Name",
+        "Customer Name",
+        required=True,
+        startswith="",
+    )
+    connector_name = prompt(
+        "Connector Name",
+        "Connector Name [Unique name for this connector]",
+        required=True,
+        startswith="",
+    )
+    equipment_type = prompt(
+        "Equipment Type",
+        "Equipment Type [Can be ZPA|VZEN|PSE]",
+        required=True,
+        startswith="",
+    )
+    equipment_name = f"{equipment_type.lower()}-{customer_name.lower()}-{connector_name.lower()}"
+    enforced_id = prompt("Enforced ID", "Enforced Agent ID")
+    reinitialize(equipment_name=equipment_name,equipment_type=equipment_type)
+    cm_info = backend_client.bootstrap(equipment_name, enforced_id or None)
+
+    sys_user = cast(str, cm_info.get("ssh_user"))
+
+    create_system_user(sys_user)
+    add_to_authorized_keys(sys_user, cm_info.get("server_ssh_pub_key"))
+    install_zscams_systemd_service(sys_user)
+
+
+def install_zscams_systemd_service(user_to_run_as: str):
+
+    data = {
+        "pythonpath": sysconfig.get_paths()["purelib"],
+        "python_exec": sys.executable,
+        "user_to_run_as": user_to_run_as,
+    }
+    import zscams
+    BASE_DIR = Path(zscams.__file__).resolve().parent
+    template_path = f"{BASE_DIR}/agent/configuration/service.j2"
+    with open(template_path) as f:
+        template = f.read()
+
+    rendered_config = template.format(**data)
+
+    install_systemd_service("zscams.service", rendered_config)

{zscams-2.0.1/zscams/agent/src/core/api → zscams-2.0.2/zscams/agent/src/core}/backend/client.py

@@ -7,7 +7,13 @@ from typing import Optional, cast
 
 from .exceptions import AgentBootstrapError
 
-from zscams.agent.src.support.configuration import CONFIG_PATH, ROOT_PATH, get_config
+from zscams.agent.src.support.configuration import (
+    CONFIG_PATH,
+    ROOT_PATH,
+    get_config,
+    override_config,
+)
+from zscams.agent.src.support.yaml import resolve_placeholders, assert_no_placeholders_left
 from zscams.agent.src.support.mac import get_mac_address
 from zscams.agent.src.support.filesystem import resolve_path, ensure_dir, is_file_exists
 from zscams.agent.src.support.network import get_local_hostname, get_local_ip_address
@@ -68,6 +74,12 @@ class BackendClient:
 
         self.logger.info("Generated the private key at %s", private_key_path)
 
+        common_name = (
+            f"{equipment_name}.orangecyberdefense.com"
+            if equipment_name
+            else csr_info.get("default_common_name")
+        )
+
         ip = get_local_ip_address()
         csr = generate_csr_from_private_key(
             private_key_content,
@@ -75,7 +87,7 @@ class BackendClient:
             csr_info.get("state"),
             csr_info.get("locality"),
             csr_info.get("organization"),
-            csr_info.get("common_name"),
+            common_name,
         )
 
         payload = {
@@ -85,7 +97,7 @@ class BackendClient:
             "equipment_name": equipment_name,
             "csr": csr,
             "enforced_id": enforced_id,
-            "services": [service.get("name") for service in self.services_config],
+            "services": [service.get("name") for service in self.services_config if service.get("custom_port_name", None)],
             "blacklist_ports": self.bootstrap_info.get("blacklist_ports", []),
             "cert_issuer": self.bootstrap_info.get("cert_issuer", None),
         }
@@ -111,14 +123,17 @@ class BackendClient:
         self.logger.info("Signed the cert")
         self.logger.debug("Signed cert response: %s", json.dumps(res_json, indent=2))
 
-        ca_chain: list[str] = res_json.get("response", {}).get("ca_chain", [])
-        signed_cert: str = res_json.get("response", {}).get("signed_certificate", [])
+        customer_machine = res_json.get("response", {})
+        ca_chain: list[str] = customer_machine.get("ca_chain", [])
+        signed_cert: str = customer_machine.get("signed_certificate", [])
         self._write_certificates(ca_chain, signed_cert)
 
         # To cache the machine info
         self.get_machine_info(ignore_cache=True)
 
-        return res_json
+        self.__override_config_services_ports(customer_machine.get("services", []))
+
+        return customer_machine
 
     def get_machine_info(self, ignore_cache: bool = False):
         """Get machine information from the backend."""
@@ -237,6 +252,30 @@ class BackendClient:
 
     def __prepare_path(self, path):
         return f"{self.url}/{path.lstrip('/')}"
+            
+    def __override_config_services_ports(self, cm_services: list[dict]):
+        self.logger.debug("Overriding configuration services ports...")
+
+        config = get_config()
+        custom_ports = {}
+        for cm_service in cm_services:
+            for cfg_service_idx, cfg_service in enumerate(config.get("services", [])):
+                if cm_service.get("name") == cfg_service.get("name"):
+
+                    if not config["services"][cfg_service_idx]["params"]:
+                        config["services"][cfg_service_idx]["params"] = {}
+
+                    port_field_name = cfg_service.get("custom_port_name", None)
+                    if port_field_name:
+                        custom_ports[port_field_name] = cm_service.get("port")
+                        config["services"][cfg_service_idx]["params"][port_field_name] = (
+                            cm_service.get("port")
+                        )
+        resolve_placeholders(config, custom_ports)
+        assert_no_placeholders_left(config)
+        self.logger.debug("Done overriding the configurations")
+
+        return override_config(config)
 
 
 backend_client = BackendClient()

{zscams-2.0.1/zscams/agent/src/core/api → zscams-2.0.2/zscams/agent/src/core}/backend/update_machine_info.py

@@ -1,4 +1,4 @@
-from zscams.agent.src.core.api.backend.client import backend_client
+from zscams.agent.src.core.backend.client import backend_client
 from zscams.agent.src.support.logger import get_logger
 
 logger = get_logger("agent_machine_info")

zscams-2.0.2/zscams/agent/src/support/cli.py

@@ -0,0 +1,50 @@
+from typing import Optional, cast
+from zscams.agent.src.support.logger import get_logger
+
+logger = get_logger("bootstrap")
+
+
+class RequiredFieldException(Exception):
+    pass
+
+
+class InvalidFieldException(Exception):
+    pass
+
+
+def prompt(
+    name: str,
+    message: str,
+    required=False,
+    startswith: Optional[str] = None,
+    fail_on_error=False,
+    retries_count=3,
+):
+    _message = message
+    if not required:
+        _message += " (Optional)"
+
+    _message += ": "
+
+    val = input(_message)
+
+    if required and not val:
+        if fail_on_error:
+            raise RequiredFieldException(f"Missing {name}")
+        logger.error(f"{name} is required..")
+        retries_count -= 1
+        return prompt(
+            name, message, required, startswith, fail_on_error=retries_count <= 0
+        )
+
+    if startswith is not None and not val.startswith(startswith):
+        error_mesagge = f"The value has to start with {startswith}"
+        if fail_on_error:
+            raise InvalidFieldException(error_mesagge)
+        logger.error(error_mesagge)
+        retries_count -= 1
+        return prompt(
+            name, message, required, startswith, fail_on_error=retries_count <= 0
+        )
+
+    return val