PyPI - zscams - Versions diffs - 2.0.4__py3-none-any.whl - Mend

zscams 2.0.4__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (41) hide show

zscams/__init__.py +3 -0
zscams/__main__.py +43 -0
zscams/agent/__init__.py +93 -0
zscams/agent/certificates/.gitkeep +0 -0
zscams/agent/config.yaml +103 -0
zscams/agent/configuration/config.j2 +103 -0
zscams/agent/configuration/service.j2 +12 -0
zscams/agent/keys/autoport.key +27 -0
zscams/agent/src/__init__.py +0 -0
zscams/agent/src/core/__init__.py +1 -0
zscams/agent/src/core/backend/bootstrap.py +76 -0
zscams/agent/src/core/backend/client.py +281 -0
zscams/agent/src/core/backend/exceptions.py +10 -0
zscams/agent/src/core/backend/update_machine_info.py +16 -0
zscams/agent/src/core/prerequisites.py +36 -0
zscams/agent/src/core/service_health_check.py +49 -0
zscams/agent/src/core/services.py +86 -0
zscams/agent/src/core/tunnel/__init__.py +144 -0
zscams/agent/src/core/tunnel/tls.py +56 -0
zscams/agent/src/core/tunnels.py +55 -0
zscams/agent/src/services/__init__.py +0 -0
zscams/agent/src/services/reverse_ssh.py +73 -0
zscams/agent/src/services/ssh_forwarder.py +75 -0
zscams/agent/src/services/system_monitor.py +264 -0
zscams/agent/src/support/__init__.py +0 -0
zscams/agent/src/support/cli.py +50 -0
zscams/agent/src/support/configuration.py +86 -0
zscams/agent/src/support/filesystem.py +63 -0
zscams/agent/src/support/logger.py +88 -0
zscams/agent/src/support/mac.py +18 -0
zscams/agent/src/support/network.py +49 -0
zscams/agent/src/support/openssl.py +114 -0
zscams/agent/src/support/os.py +138 -0
zscams/agent/src/support/ssh.py +24 -0
zscams/agent/src/support/yaml.py +37 -0
zscams/deps.py +86 -0
zscams/lib/.gitkeep +0 -0
zscams-2.0.4.dist-info/METADATA +114 -0
zscams-2.0.4.dist-info/RECORD +41 -0
zscams-2.0.4.dist-info/WHEEL +4 -0
zscams-2.0.4.dist-info/entry_points.txt +3 -0

zscams/__init__.py ADDED Viewed

@@ -0,0 +1,3 @@
+from .deps import ensure_native_deps
+ensure_native_deps()

zscams/__main__.py ADDED Viewed

@@ -0,0 +1,43 @@
+"""
+Main entry point for ZSCAMs Agent
+"""
+import asyncio
+import sys
+import os
+from zscams.agent.src.core.backend.bootstrap import bootstrap
+from zscams.agent.src.core.backend.update_machine_info import update_machine_info
+from zscams.agent.src.support.logger import get_logger
+from zscams.agent import init_parser, ensure_bootstrapped, run
+logger = get_logger("ZSCAMs")
+def main():
+    """Main function to run the asynchronous main."""
+    args = init_parser().parse_args()
+    if args.bootstrap:
+        try:
+            if os.geteuid() != 0:
+                logger.error("You are NOT running as root.")
+                sys.exit(1)
+            bootstrap()
+            sys.exit(0)
+        except Exception as exception:
+            logger.error(exception)
+            sys.exit(1)
+    if args.update_machine_info:
+        update_machine_info()
+        sys.exit(0)
+    try:
+        ensure_bootstrapped()
+        asyncio.run(run())
+    except KeyboardInterrupt:
+        logger.info("Exiting TLS Tunnel Client")
+if __name__ == "__main__":
+    main()

zscams/agent/__init__.py ADDED Viewed

@@ -0,0 +1,93 @@
+import os
+import asyncio
+import sys
+import argparse
+from zscams.agent.src.support.configuration import get_config, CONFIG_PATH
+from zscams.agent.src.support.filesystem import is_file_exists, resolve_path
+from zscams.agent.src.core.tunnel.tls import create_ssl_context
+from zscams.agent.src.core.tunnels import start_all_tunnels
+from zscams.agent.src.core.services import start_all_services
+from zscams.agent.src.core.service_health_check import monitor_services
+from zscams.agent.src.core.backend.client import backend_client
+from zscams.agent.src.support.logger import get_logger
+logger = get_logger("tls_tunnel_main")
+def init_parser():
+    parser = argparse.ArgumentParser(description="ZSCAMs Agent")
+    parser.add_argument(
+        "--bootstrap",
+        action="store_true",
+        help="Run bootstrap process and exit",
+    )
+    parser.add_argument(
+        "--update-machine-info",
+        action="store_true",
+        help="Run bootstrap process and exit",
+    )
+    return parser
+def ensure_bootstrapped():
+    """Ensure the agent is bootstrapped with the backend."""
+    config = get_config()
+    remote_cfg = config["remote"]
+    config_dir = os.path.dirname(CONFIG_PATH)
+    files_to_ensure = [
+        resolve_path(remote_cfg.get("ca_cert"), config_dir),
+        resolve_path(remote_cfg.get("client_cert"), config_dir),
+        resolve_path(remote_cfg.get("client_key"), config_dir),
+    ]
+    has_missing_file = False
+    for file in files_to_ensure:
+        if not is_file_exists(file, logger):
+            has_missing_file = True
+            break
+    bootstrapped = backend_client.is_bootstrapped()
+    logger.debug("Agent has entry on server: %s", bootstrapped)
+    if not bootstrapped or has_missing_file:
+        logger.error(
+            "Agent is not bootstrapped. Please run `zscams --bootstrap` to start the bootstrap process.",
+        )
+        sys.exit(1)
+async def run():
+    """Asynchronous main function to start tunnels and services."""
+    config = get_config()
+    config_dir = os.path.dirname(CONFIG_PATH)
+    ssl_context = create_ssl_context(config["remote"], config_dir=config_dir)
+    remote_host = config["remote"]["host"]
+    remote_port = config["remote"]["port"]
+    # Start tunnels and wait for readiness
+    tunnel_tasks = await start_all_tunnels(
+        config.get("forwards", []), remote_host, remote_port, ssl_context
+    )
+    # Start services that depend on tunnels
+    service_tasks = asyncio.create_task(
+        start_all_services(config.get("services", []), config_dir=config_dir)
+    )
+    # Start health checks
+    monitor_task = asyncio.create_task(
+        monitor_services(
+            config.get("services", []),
+            config_dir=config_dir,
+            interval=config.get("general", {}).get("health_check_interval", 300),
+        )
+    )
+    logger.info("[*] All tunnels and services started. Press Ctrl+C to stop.")
+    await asyncio.gather(*tunnel_tasks, service_tasks, monitor_task)

zscams/agent/certificates/.gitkeep ADDED Viewed

File without changes

zscams/agent/config.yaml ADDED Viewed

@@ -0,0 +1,103 @@
+---
+backend:
+  base_url: http://22.0.122.40:5000/api
+  cache_dir: .cache
+bootstrap_info:
+  blacklist_ports: []
+  cert_issuer: ZSCAMs
+  csr:
+    country: FR
+    default_common_name: zscams-agent.orangecyberdefense.com
+    locality: Paris
+    organization: zscams-agent.orangecyberdefense.com
+    state: Ile-de-France
+forwards:
+  - description: Forward to SSH backend
+    local_port: 4422
+    sni_hostname: ssh-tunnel
+  - description: Forward to Seculogs
+    local_port: 4423
+    sni_hostname: monitor-tunnel
+general:
+  health_check_interval: 30
+logging:
+  level: 10
+remote:
+  ca_cert: certificates/ca_chain.pem
+  ca_chain: certificates/ca_chain.pem
+  client_cert: certificates/client.crt
+  client_key: certificates/client.key
+  host: 81.255.240.214
+  port: 443
+  verify_cert: false
+services:
+  - args: []
+    custom_port_name: reverse_port
+    health:
+      host: localhost
+      port: 22
+    name: Reverse SSH
+    params:
+      local_port: 4422
+      private_key: zscams/agent/keys/autoport.key
+      remote_host: localhost
+      reverse_port: 10000
+      server_ssh_user: ssh_user
+      ssh_options:
+        - -o LogLevel=error
+        - -o UserKnownHostsFile=/dev/null
+        - -o StrictHostKeyChecking=no
+        - -o ServerAliveInterval=30
+        - -o ServerAliveCountMax=2
+    port: 22
+    prerequisites:
+      files:
+        - zscams/agent/keys/autoport.key
+      ports:
+        - 22
+      services: []
+    script: src/services/reverse_ssh.py
+  - args: []
+    custom_port_name: forwarder_port
+    health:
+      host: localhost
+      port: 10001
+    name: Monitor Forwarder
+    params:
+      forwarder_port: 10001
+      local_port: 4423
+      private_key: zscams/agent/keys/autoport.key
+      remote_host: 194.51.14.159
+      remote_port: 530
+      server_ssh_user: ssh_user
+      ssh_options:
+        - -o LogLevel=error
+        - -o UserKnownHostsFile=/dev/null
+        - -o StrictHostKeyChecking=no
+        - -o ServerAliveInterval=30
+        - -o ServerAliveCountMax=2
+    port: 530
+    prerequisites:
+      files:
+        - zscams/agent/keys/autoport.key
+      ports: []
+      services: []
+    script: src/services/ssh_forwarder.py
+  - args: []
+    health:
+      host: localhost
+      port: 10001
+    name: Monitor Service
+    params:
+      equipment_name: zpa-orange-swec-dev-01
+      equipment_type: zpa
+      remote_host: localhost
+      remote_port: 10001
+      service_name: Zscaler-AppConnector
+    port: 10001
+    prerequisites:
+      files: []
+      ports:
+        - 10001
+      services: []
+    script: src/services/system_monitor.py

zscams/agent/configuration/config.j2 ADDED Viewed

@@ -0,0 +1,103 @@
+---
+backend:
+  base_url: http://22.0.122.40:5000/api
+  cache_dir: .cache
+bootstrap_info:
+  blacklist_ports: []
+  cert_issuer: ZSCAMs
+  csr:
+    country: FR
+    default_common_name: zscams-agent.orangecyberdefense.com
+    locality: Paris
+    organization: zscams-agent.orangecyberdefense.com
+    state: Ile-de-France
+forwards:
+  - description: Forward to SSH backend
+    local_port: 4422
+    sni_hostname: ssh-tunnel
+  - description: Forward to Seculogs
+    local_port: 4423
+    sni_hostname: monitor-tunnel
+general:
+  health_check_interval: 30
+logging:
+  level: 10
+remote:
+  ca_cert: certificates/ca_chain.pem
+  ca_chain: certificates/ca_chain.pem
+  client_cert: certificates/client.crt
+  client_key: certificates/client.key
+  host: 81.255.240.214
+  port: 443
+  verify_cert: false
+services:
+  - args: []
+    health:
+      host: localhost
+      port: 22
+    name: Reverse SSH
+    custom_port_name: "reverse_port"
+    params:
+      local_port: 4422
+      private_key: zscams/agent/keys/autoport.key
+      remote_host: localhost
+      reverse_port: "{reverse_port}"
+      server_ssh_user: ssh_user
+      ssh_options:
+        - -o LogLevel=error
+        - -o UserKnownHostsFile=/dev/null
+        - -o StrictHostKeyChecking=no
+        - -o ServerAliveInterval=30
+        - -o ServerAliveCountMax=2
+    port: 22
+    prerequisites:
+      files:
+        - zscams/agent/keys/autoport.key
+      ports:
+        - 22
+      services: []
+    script: src/services/reverse_ssh.py
+  - args: []
+    health:
+      host: localhost
+      port: "{forwarder_port}"
+    name: Monitor Forwarder
+    custom_port_name: "forwarder_port"
+    params:
+      forwarder_port: "{forwarder_port}"
+      local_port: 4423
+      private_key: zscams/agent/keys/autoport.key
+      remote_host: 194.51.14.159
+      remote_port: 530
+      server_ssh_user: ssh_user
+      ssh_options:
+        - -o LogLevel=error
+        - -o UserKnownHostsFile=/dev/null
+        - -o StrictHostKeyChecking=no
+        - -o ServerAliveInterval=30
+        - -o ServerAliveCountMax=2
+    port: 530
+    prerequisites:
+      files:
+        - zscams/agent/keys/autoport.key
+      ports: []
+      services: []
+    script: src/services/ssh_forwarder.py
+  - args: []
+    health:
+      host: localhost
+      port: "{forwarder_port}"
+    name: Monitor Service
+    params:
+      equipment_name: "{equipment_name}"
+      equipment_type: "{equipment_type}"
+      remote_host: localhost
+      remote_port: "{forwarder_port}"
+      service_name: Zscaler-AppConnector
+    port: "{forwarder_port}"
+    prerequisites:
+      files: []
+      ports:
+        - "{forwarder_port}"
+      services: []
+    script: src/services/system_monitor.py

zscams/agent/configuration/service.j2 ADDED Viewed

@@ -0,0 +1,12 @@
+[Unit]
+Description=ZSCAMs Service
+After=network.target
+[Service]
+ExecStart={python_exec} -m zscams
+Restart=always
+User={user_to_run_as}
+Environment="PYTHONPATH={pythonpath}"
+[Install]
+WantedBy=multi-user.target

zscams/agent/keys/autoport.key ADDED Viewed

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA4kpci9i3k9OhuYpC1+0OSQCpXVRThIjtmwl9Nl4oRSsse9zj
+vkzPShMvlZwvEzzZ/Y3hVDHLD5W3hhy63pyi75uxC9RDzb/7ckc1SdunTzj0mtAt
+FhV+cXFZfv79NfaluN/WZwrbpMO+7+uATuEFIGe/t05PgYX9CzhaagCsC355jFHt
+t2z/9Ul40mJkpMZwr+pk6BOSo/DeW7LNikFljqU8BjoZmGuwGuIHzF6ivhDA8hRz
+aKVfw3e+BuxSyOH3xWxzpHSYiZGU5x9hHk8VEbkP7lISxqYdncCw1Is0O6awfXs0
+azx7yzfUumjDdNSmrwpb5/ard30x/aE96upnRwIDAQABAoIBAQC2ghUcMWD2WDTS
+iSGaNzZTSLZQcKefeDRy23didxRxnP2WtLP2EssIymqRdtM859JFPr4igrpsymqn
+Ptq0mo6LQ/3KNZuuAQ4SwD3JYOAS9DPL/OSwMAu4ARyWYZ/lexV0AwxQNSCrRbjk
+lgL5G2FgHm0wsXdMVr2c5Al//yTDauzgOJtQfi/LzuHusnz05iHzEp0ByBfiRL8z
+xKQ9LFW7pIYUsgn4kXry5tQokH6NwDZ7vGPcjAQLD0lLDfAHF9HOiwpkQYXw8q91
+lNvhaFHxa9jyfvuG9e66Q72YCevsCGBEl8Hvmbpz5/9oBZ6Pt82BZKjSouYh7Cya
+a+JVxQcxAoGBAPSKdJdMXH6hCi5DBYhWnGSpDKvRwvxb2PgntCwajkaEZmuITj4y
+dk9IH89ryl0yAmF6q2pKLyWHOir0fVX1HsnC9m2SErhMuSrhSVpcOLiI09wFwcAM
+PRbS/6g1h/Q+MoaVuD0h9ElO8GkONBIBrmiVYqOifotXuPXjMMGT8oNpAoGBAOzk
++OSilwjwtwv/MkLOXqGFymSnG7l5zmt/KGxMCThjxY9b1DzyvXcUvojCRjFl4L0W
+OyDbKRiEJZHSH6jV1gj2N8/53b3C1ziCRvHWvix7MJ7DeDfZLp0QEYZBm6Xm7mG+
+TZ27kya0Hprev/t960UfOpwhb8+MNd1dxdgspC8vAoGBALcGpcrTyWqxZ2hGm252
+vKkOacBzyAePSu448T4NRi17TRjwtPcSV8BxD/X0DEsCcgu5f3CXQ4BIHP4nbWOX
+icqi1EQgD0jHi9OPOJKb8YwURNUpreDqiBJ8LAMexbnFj5Vxm6qNrkPsBD3s9oX/
+oiT+ogwtQ59RMcs/lq9b5yf5AoGAbPmYFXVGDXLOgdJPiLPujFdDl7HX6ybBcmn4
+ank/9JTRGPWhWLhBuDnuvHLCX48CJ3nGkYLAEOsZbU9ACSb1YwIBAsdq3hR3dSNZ
+B39F1KiG4UICV46tBsuRhDVCKLtnBcfJZLoZI0DQo2W84zA1voJzL8eh69QQI1kz
+3hILJTkCgYEAwT+XKnxX8jExNvpe71O2pm3mit6UyOHXB1KyT4Y3UuKjDxwZZ4w1
+vPp6eQ3VcI+4+mpf0qs1cgDz8w35EInt60nKy0+0hwQaM7N0EmsguASHRprESZR9
+dAPDJQ1UJlAMSJxZxFzTvMzDQHY+86GGh5mdoNwJDb0142etE7rSFUI=
+-----END RSA PRIVATE KEY-----

zscams/agent/src/__init__.py ADDED Viewed

File without changes

zscams/agent/src/core/__init__.py ADDED Viewed

	@@ -0,0 +1 @@
1	+ running_services = set()

zscams/agent/src/core/backend/bootstrap.py ADDED Viewed

@@ -0,0 +1,76 @@
+import os
+from pathlib import Path
+import sysconfig
+import sys
+from typing import cast
+from zscams.agent.src.core.backend.client import backend_client
+from zscams.agent.src.support.configuration import reinitialize
+from zscams.agent.src.support.logger import get_logger
+from zscams.agent.src.support.os import create_system_user, install_service
+from zscams.agent.src.support.ssh import add_to_authorized_keys
+from zscams.agent.src.support.cli import prompt
+logger = get_logger("bootstrap")
+def bootstrap():
+    """Ensure the agent is bootstrapped with the backend."""
+    if backend_client.is_bootstrapped():
+        logger.info("Agent ID %s is already bootstrapped.", backend_client.agent_id)
+        return
+    username = input("Username: ")
+    totp = input("One Time Password (OTP): ")
+    backend_client.login(username, totp)
+    customer_name = prompt(
+        "Customer Name",
+        "Customer Name",
+        required=True,
+        startswith="",
+    )
+    connector_name = prompt(
+        "Connector Name",
+        "Connector Name [Unique name for this connector]",
+        required=True,
+        startswith="",
+    )
+    equipment_type = prompt(
+        "Equipment Type",
+        "Equipment Type [Can be ZPA|VZEN|PSE]",
+        required=True,
+        startswith="",
+    )
+    equipment_name = (
+        f"{equipment_type.lower()}-{customer_name.lower()}-{connector_name.lower()}"
+    )
+    enforced_id = prompt("Enforced ID", "Enforced Agent ID")
+    reinitialize(equipment_name=equipment_name, equipment_type=equipment_type)
+    cm_info = backend_client.bootstrap(equipment_name, enforced_id or None)
+    sys_user = cast(str, cm_info.get("ssh_user"))
+    create_system_user(sys_user)
+    add_to_authorized_keys(sys_user, cm_info.get("server_ssh_pub_key"))
+    install_zscams_systemd_service(sys_user)
+def install_zscams_systemd_service(user_to_run_as: str):
+    data = {
+        "pythonpath": sysconfig.get_paths()["purelib"],
+        "python_exec": sys.executable,
+        "user_to_run_as": user_to_run_as,
+    }
+    import zscams
+    BASE_DIR = Path(zscams.__file__).resolve().parent
+    template_path = f"{BASE_DIR}/agent/configuration/service.j2"
+    with open(template_path) as f:
+        template = f.read()
+    rendered_config = template.format(**data)
+    install_service("zscams.service", rendered_config)