rKdZddlZddlZddlZddlZddlmZddlmZddl m Z ddlm Z m Z ddlm Z ddlmZmZdd lmZdd lmZmZmZmZmZmZmZmZmZmZmZdd lm Z dd l!m"Z"m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(m)Z)m*Z*m+Z+m,Z,m-Z-m.Z.m/Z/m0Z0m1Z1dd l2m3Z3ddl4m5Z5ddl6m7Z7m8Z8ddl9m:Z:ddl;mZ>ddl?m@Z@ddlAmBZBmCZCmDZDmEZEmFZFmGZGmHZHddlImJZJmKZKmLZLeMZNejOePZQeFe ddZReFe ddZSeLeJjTjUZVeLeJjWjUZXdee7deeMeMeMffdZYdee7deeMeMeMffdZZdee7deeMeMeMffdZ[dZ\dZ]dZ^d Z_d!e`fd"ZaGd#d$eZbGd%d&eceZdGd'd(e7ZeGd)d*e7ZfGd+d,e7ZgGd-d.e7ZhGd/d0e7ZiGd1d2e7ZjGd3d4e7ZkGd5d6e7ZlGd7d8e7ZmGd9d:e7ZnGd;de7ZpdS)?z,DB tables related to firewall functionality.N) timedelta)Enum)reduce) IPv4Network IPv6Network)starmap)ior itemgetter)OrderBy) AnyDictIterableIteratorListOptionalSequenceTupleTypeUnionSet)Signal)JOINSQL BooleanFieldCase CharFieldCheck CompositeKey DoesNotExist FloatFieldForeignKeyField IntegerFieldPrimaryKeyField TextFieldfnprefetchField) model_to_dict)Reject)Modelinstance) ApplyOrderBy)CHUNK_SIZE_SQL_QUERYsplit_for_chunktimeit)Country)ALLTCPUDP IPNetworkpack_ip_networkunpack_ip_networkis_net)IP IPVersionNumericIPVersionz 0.0.0.0/32z::/64model packed_ip_netcb|\}}}td||f|j|kz|j|kzS)z Filters ip addresses/networks contained in ip network net. :param model: model to apply query :param packed_ip_net: tuple of integers :return: peewee expression (network_address & ?) == ?rnetmaskversionr<r=netmaskrBs I/opt/imunify360/venv/lib/python3.11/site-packages/im360/model/firewall.py_filter_ip_net_subnetsrGKsE'Cw (4+66 =D  " =G # %cb|\}}}td||f|j|kz|j|kzS)z Filters ip addresses/networks contained in ip network net. Does not includes network itself :param model: model to apply query :param packed_ip_net: tuple of integers :return: peewee expression r?r@rCs rF _filter_ip_net_subnets_exclusiverJ]sE'Cw (4+66 =4  ! =G # %rHc`|\}}}td|f|j|kz|j|kzS)z Filters ip addresses/networks that includes provided ip address/network, including network itself :param model: model to apply query :param packed_ip_net: tuple of integers :return: peewee expression z (? & netmask) == network_addressr@rCs rF_filter_ip_net_supernetsrLosC'Cw .77 =D  " =G # %rHc tj|}t|\}}}|js.|j|t ||||fzS|j|t ||||fzt||||fzS#t$r|j|cYSwxYwN) ipaddress ip_networkr5hostmaskipcontainsrLrJ ValueError)r<ip_strip_netrDrErBs rF_ip_search_conditionrWs%f---V44T7 8$$V,,/GT7+00  !!&))*53g2FGGH253g:NOOP  )))x  ((((()sB $CCcvt|\}}}t||||ft||||fzSrN)r5rLrJ)r<rVrDrErBs rF_net_search_conditionrYsO(00Cw # T7#  (dG0DEE FFrHcvtfddDr;tddd}tj|d<nadvr]tjd}t |\}}}|||dtj|d<S)Nc3 K|]}|vV dSrN).0kkwargss rF z#_add_ip_net_args..s' J J11; J J J J J JrH)network_addressrArBrarArBrR)allr6r8ip_net_to_stringadopt_to_ipvX_networkr5update)r_rRrDrErBs` rF_add_ip_net_argsrfs J J J J I J J JJJ /  $ %vi'8&:K  *2..t   %fTl 3 3,R00T7 # I I   *2..t MrHct|dttfr%t |d\|d<|d<|d<|d=|S)NrRrarArB) isinstancegetrrr5)argss rF_replace_ip_with_packed_reprrks\$((4..; "<== DJ ' '  " # O O J KrHreturncP|tjko|tjkS)zWhether expiration time passed.)IPListNEVERtime expirations rF is_expiredrss  % C* *CCrHc"eZdZdZdZdZdZdZdS) ActionTypezWhat to do with matching IPs.dropcaptcha splashscreenignoreN)__name__ __module__ __qualname____doc__DROPCAPTCHA SPLASHSCREENIGNOREr\rHrFrurus*'' DG!L FFFrHrucTeZdZdZdZeZdZeZdZeZ dZ e Z dZ e defdZd S) PurposezIPList's purposes understood by the agent. An analog of i360.model.firewall.ActionType but for the new (DEF-17989) server sync case. whitervrxrwc|jSrN)valueselfs rF__str__zPurpose.__str__s zrHpurposectjtjtjtjtjtjtjtjit|SrN) rWHITErnr~BLACKrGRAYrGRAY_SPLASHSCREEN)clsrs rFlistnamezPurpose.listnamesC M6< L&, OV[  &":  '   rHN)rzr{r|r}rrr~rvrrxrrwr classmethodstrrr\rHrFrrs~ E E D D!LLGGs[rHrc$ eZdZdZdZdZdZdZdZeeeefZ e e e e Z dZdZd ZeZeZd ZGd d Zed Zed edde gZdZeddZedZ eddZ!edZ"edZ#eddZ$e%d d Z&e%d dZ'e%dZ(e%dd Z)ed Z*ed Z+ed Z,ededededgZ-GddZ.e/de0e1de1fdZ2e/de1de1fd Z3e/d!e0e4fd"Z5e/d!e0e4de6fd#Z7e8de9e1e6ffd$Z:e8 dad%e;d&ee8fd+Z?e8 dbd%e@e1eAeBfdeZQe8dcd?ZRe8ed,fdeSe;fd@ZTe8dAZUe8dBZVe8dbdCZWdDZXe8dEZYdFZZdGZ[dbdHZ\e8d%e;de0e1fdIZ]e8dJZ^e8dKZ_e`dLZae8 dcd,d,dMd%e@ebjAebjBfdezIPList.5s3ty{{#3#3rHrr country_idr column_namez scope in ('')cDeZdZejZdZeddddZdZ dZ dS) IPList.MetaiplistrarArBr))countryF)rF)rqF)rRFresidentN rzr{r|r+dbdatabasedb_tabler primary_keyindexesschemar\rHrFMetar^sB;"l y)Z    rHrrlc 2tjjtjtjjtjtjjtjtj jtj dtji |tjS)zGiven `action_type` string return corresponding list name. Return :attr:`GRAY` for an unknown/missing `action_type`. N) rur~rrnrrrrrrri)rs rFaction_type2listnamezIPList.action_type2listnamels\ O !6<   $fk  # )6+C   #V] &+  #k6; ' '  (rHrctjtjjtjtjjtjtjji|S)z0Return action_type corresponding to iplist name.) rnrrur~rrrrrrs rFlistname2action_typezIPList.listname2action_typezs? L*// K+1  $j&=&C    rH propertiescxt||tjndS)zzGet iplist name corresponding to properties' action_type. Return GRAY for an unknown/missing action_type N)rnrri ACTION_TYPErs rFget_listname_fromzIPList.get_listname_froms< **% NN6- . . .   rHc^|r |dtjn tjS)zSGet expiration from properties Return IPList.NEVER if property not definedrr)rirnrors rFget_expiration_fromzIPList.get_expiration_froms+ JNN< 6 6 6 rHcr||}|jD]\}}||kr||fcSJd)z#Return tuple listname and priority.rz can't happen)rIP_LIST_PRIORITIES)rr _listnamepriorityrs rFget_listname_with_priority_fromz&IPList.get_listname_with_priority_froms\))*55 "%"8 * * Hh9$$))))% .  qrHrRsrcdestrr full_accessc||j|jfvs Jdt|\}}}dtt jtjtj |tj |ktj |ktj |kD\} ttj |tj |ktj |ktj |ktj| kt|||ddtj |} | tj |ktj |ktj |k} | } |D]#} |jj| |$|jj|||| S)aMove ip from src lists to dest list, as `move` used only in UI and CLI we add manual=True :param ip: ip address :param src: src lists (WHITE/BLACK/GRAY/GRAY_SPLASHSCREEN) :param dest: dst list (WHITE/BLACK) :param expiration: IPs TTL. 0 means permanent :param full_access: access to all ports :return int: items moved z"Move to GRAY list is not supportedcg|] }|j Sr\rq)r]recs rF zIPList.move..s*    N   rHTF)rrrrmanualcaptcha_passedr)rrr5rnselectr%MAXrrwhererin_rarArBdeleteexecutererrsendrri) rrRrrrrrrDrErBmax_expirationqrvrs rFmovez IPList.moves( H  !     0   -R00T7  }}RVF,=%>%>??EE##C((&#-$&')       O   $ $  "c ) Nd " Ng %   /   '))) MM!#   %##C(( ) )  GG  "c ) Nd " Ng %   YY[[ 6 6H K  $ $X" $ 5 5 5 5 t2777 rHc tt|jdit|}|jj|j||S)` :param kwargs: :raises: IntegrityError :return: model instance rr\)superrncreaterfrrrrrr_inst __class__s rFrz IPList.createsU)uVS!!(DD+;F+C+CDD t}666 rHNrc|tdttj|}|||j|k}t|tr$|tj |k}nTt|\}}}|tj |ktj |ktj |k}|}|r&|D]#} |jj| |$|S)zQDelete ip from lists if exists Return number of deleted records. Nzlistname should not be Noner)rTrnrrrrrrhrrRr5rarArBrrrr) rrRrrrrDrEver rows_deletedlsts rFdelete_from_listzIPList.delete_from_lists  :;; ; MMOO ! !&/"5"5h"?"? @ @   f,--A b#    R((AA,R00NCs&#-$&#%A yy{{  5 5 5 #(((4444rHcttj|}|r$|D]!}|jj|"|SrN) rnrrrrrrrr)r listnames num_deletedrs rF clean_listszIPList.clean_lists sy MMOO ! !&/"5"5i"@"@ A A I I K K   3% 3 3 #((2222rHctjt|z }|j|jk||z}|j|jk||z}|j|jk|jdkz||z}| ||z|z }|S)z Removes obsoleted graylist/splashscreen+blacklist[manual=False] IPs. :param num_days: expired more than num_days ago :return: int rows deleted )daysF) rpr total_secondsrrrsrrrrrr)rnum_days expiration_tsgraylist_ip_is_expiredgraysplash_ip_is_expiredblacklist_ip_is_expiredrs rFcleanup_expired_from_bglistz"IPList.cleanup_expired_from_bglists iX&>&>&>&L&L&N&NN "%,#(":cnn ? ? "  LC1 1 NN= ) )$* \SY &zU" $nn]++ ,  JJLL U&*+)* WYY rHcT|}|r||j|kz}|rHt|\}}}|tj|ktj|kztj|kzz}|| }|SrN) rsrr5rnrarArBrrr)rrrRclausesrDrErBrs rFdelete_expiredzIPList.delete_expired7s ..""  0 s|x/ /G  !0!4!4 Cw '3.>T)+>W,. G **,,$$W--5577rHc "|j|fddi|S)N skip_order_byT) _fetch_queryrr filter_argss rFfetch_as_unionzIPList.fetch_as_unionKs"s MMMMMMrHc vt|tsJ|fd|D}ttjtjtjtjtjtj tj tj tj tj tjtjtjtjt%jtjjdt0t2jtj t0jktj|t} |s| tj} || |} || !|} || j |k} |rEtE|} | r tF| fntH|f\} } | | | } |r#| t0j%|k} |2| tj &|} | S)Nc4g|]}|jjfv|Sr\)rr)r]lnrs rFrz'IPList._fetch_query.._s8ch(=>>>>>>rHscopeon)'rhlistrnrrRrrr imported_fromctimedeepcommentrrrauto_whitelistedrarArBr%ifnullr SCOPE_LOCALaliasjoinr0r LEFT_OUTERidrrrsorder_bygroup_byhavingr7rYrWcoderS) rrrrby_ipby_country_code by_commentrrrrDsearch_conditions ` rFrzIPList._fetch_queryOs:)T*****  !#I MM !$   "'& &,88>>wGG  "T'4?'*0LT N N U6?&&y11 2 2 UF%%''' ( () , & 69%%A   8$$A    A   f,--A  4--C3&,,*E2 " c ((c2233A  9 788A  !// ;;<.s,u/@I/M/M/M/M/MrHc(g|]}|jdk |Sr1r2r3s rFrz IPList.fetch..s,u/@I/M/M/M/M/MrH.)excluder)r)rr,r-r&desc list_priorityr, get_nodesrsplitrr(rir0r)rrr,r-rr.rr purpose_order others_orderordersr4nodesnoderowsrowentrys rFfetchz IPList.fetchs C Y 6 6+ 6 6    A  A  #+M#+LF'   z4C%%'''**,,1133 & G G$.*0055"GGDMM"E$))+++FFFFG F#A  C!#~>>>Eyy## N#0 1L1L1L#M#Mi KK     rHc v|s Jd t|jdi||S#t$r|cYSwxYw)z;Return matching row's field value or `default` if not foundzprovides kwargs to find by themNr\)getattrrir)rfieldrr_s rF get_fieldzIPList.get_fieldsc88888v 737,,V,,e44 4   NNN s ) 88c||j|j||j|kz|jdkz}|>|j|k}|s||jz}||}|||j|k}|S)N) rrRrrrrsrris_nullrB)rrrrBrr*s rFfetch_non_expired_queryzIPList.fetch_non_expired_querys JJsvs~ . . 4 4nn 3<8#; <" M    "_ 3F 4#/11333A   w.//ArHc#K||||} |Ed{VdS#t$rYdSwxYwrN)rLdictsiterator RuntimeError)rrrrBrs rFfetch_non_expiredzIPList.fetch_non_expiredsv  ' '+w G G wwyy))++ + + + + + + + + +    FF s,A AAc#K|tjtjtj}|tj|ktz}|||j|k}| D]'}t|d|d|dV(dS)zh Fetch listname the most efficient (though experiementally found) way possible. NrarArB) rrnrarArBrrrsrrNr6)rrrrrBs rFfetch_ipnetwork_listzIPList.fetch_ipnetwork_lists JJv-v~v~ N N GGV_0V5F5F5H5H4HH I I   f,--A7799  C#%&II      rHcf t|jS#t$rYdSwxYw)Nr)rnrirr)rrRs rF get_listnamezIPList.get_listnames@ :::$$- -    DD s " 00c0|jdk|jdz zS)*The result has to be passed to .where(...)rNrqrs rF is_expirablezIPList.is_expirables !#4)?'@@@rHc|tjkr|S||jt |pt jkzS)rW)rnrorYrrrrp)rrs rFrszIPList.is_expired"sY FL ( (##%% %!! Nc-">49;;?? ?  rHcb|tjko|jtjkp |j|kS)z@Whether the ip record lives longer than given *expiration* time.)rnrorrrrrs rF lives_longerzIPList.lives_longer+s.V\) Ov| + Kt/K rHc|tjkoJ|rG|dtjtjkp|d|kndS)zZWhether the properties for ip lives longer than given *expiration* time. rrT)rnrori)rrrrs rFlives_longer_propzIPList.lives_longer_prop1sX V\)  JNN< 6 6&, F 9~~l++j8  rHcb|jtjko|tjkp |j|kS)z>Whether the ip record lives less than given *expiration* time.)rrrnror\s rF lives_lesszIPList.lives_less>s.&,. &, & F$/J*F rHc|j}t|||}|j|jko|j|jko|j|jkS)z(Analog of 3.7+ self.ip_network.subnet_of)rPr6rBrabroadcast_address)rrDrErBabs rF subnet_ofzIPList.subnet_ofDsQ O c4 1 1 I " ;!Q%66 ;#q':: rHcd| Jd| Jdt|jpd||_t|jpd||_|j|k}||_|||_|||jj|||j|jdS)zT Update blocking properties :return tuple: real expiration Nz'expiration' must not be Nonez'deep' must not be Noner) force_insertr)rrr ) maxrrr rrsaverrr)rrrr rrprimary_key_changeds rFupdate_propertieszIPList.update_propertiesNs %%'F%%%!:do2J?? Q-- "mx7    DK 2 333 !!(t!444/I   rHct|\}}}||j|d||j|k|j|k|j |k td  d}|D] }|jcSdS)zReturn the name of highest priority list that contains the *ip*. Return None if *ip* not in any list or record expired.rr;N)r5rrr9rrrsrarArBrrr8r-)rrRrDrErBrrs rFeffective_listzIPList.effective_listks -R00T7 JJ !!##))*55  U!!!#s* t# w&  Xc*oo**,, - - U1XX   A:   trHc|jj5||||cdddS#1swxYwYdS)z.Update ip lists on CaptchaDosAlert atomically.N)_metaratomic*_blacklist_graylisted_on_captcha_dos_alert)rrRrrrs rF)blacklist_graylisted_on_captcha_dos_alertz0IPList.blacklist_graylisted_on_captcha_dos_alerts Y  & & ( (  AAJ                  sAA Act\}}}g}td}|D]H} | jtjkr;| t jrtddcS| jtjkrB| t jr| j rtddcS| jtjkrH| |s| |std| j d|cS| j kr6| |s!| | j| jfJ|D] \} } || | g} | sJ!t j||kt j|kt j|kf} t!t jj| }|d|Dz }t!j| |r&t2d d |D|tj||d t2d t9tjft9|ifd|DS)aUpdate ip lists on CaptchaDosAlert. Spec [1]: if search(ip, "WHITE"): # should not really happen return existing_black_supernets = search(ip, "BLACK") if any(n.expiration >= expiration for n in existing_black_supernets): # should not really happen return existing = search_exactly(ip, "BLACK") if existing.manual: # Do nothing if already added manually return else: # exact match with less expiration, remove it # and replace with new expiration later remove(ip, "BLACK") # it can really exist only in GRAY list for listname in ["GRAY", "GRAY_SPLASHSCREEN", "IGNORE"]: existing = search_exactly(ip, listname) if existing and existing.expiration <= expiration: remove(ip, listname) add(ip, "BLACK", expiration) [1]: https://gerrit.cloudlinux.com/#/c/61260/14/src/handbook/message_processing/local_captcha_dos.py :param ip: attackers ip :param expiration: when record will expired :return: Union[Dict, Exception] r;rqz!Don't blacklist whitelisted ips [z] on CaptchaDosAlertz*Don't blacklist manually blacklisted ips [z. is already blacklisted for long enough time: z >= c4g|]}|jtjfSr\)rRrnr)r]rns rFrzEIPList._blacklist_graylisted_on_captcha_dos_alert..s!FFF!v}-FFFrHzRemoved %s from %s listscg|]\}}|Sr\r\)r]_Ls rFrzEIPList._blacklist_graylisted_on_captcha_dos_alert..s0K0K0Ktq!0K0K0KrHF)rRrrrrrzPut %s on the BLACK listcg|] \}}|f Sr\r\)r]rxrrRs rFrzEIPList._blacklist_graylisted_on_captcha_dos_alert..s!GGGKAx"hGGGrH) blocklist unblocklist)r5rnfind_closest_ip_netsrrr]rpr)rrrarrrPr&rRr IgnoreListrabin_andrArBrrrrloggerinfordict)rrRrrrnetworkrErBr| supernetsrDip_rr is_subnetignore_subnetss ` rFrsz1IPList._blacklist_graylisted_on_captcha_dos_alerts[L"1!4!4w //q/AA $ ;$ ;C|v|++0@0@0M0M+vrr   ,,$$TY[[11-J- vrr |v|++  ,,,47NN:4N4N, " ~##C,<, F F H H  FF~FFFF !9-55777   KK*B0K0K{0K0K0K    \!      .333V\"DJ$?$?$?HGGG;GGG     rHcBt|j|j|jSrNr6rarArBrs rFrPzIPList.ip_networks"  $,    rH)rrrc,t|\}}}|t||||f} | ||} |-| |j|} | |j } || |j |k} || |} t| S)a Returns all supernets containing given network (*ip*) that are not expired by *expiration* time. :param ip: ip network to lookup :param listname: list of listnames :param limit: number of supernets to return :param expiration: seconds since the epoch or None None means "use the current time" :return: list of matching supernets, ordered by netmask (desc: from smallest to largest) ) r5rrrLrsrrrrAr8rr-r ) rrRrr-rrrrDrErBrs rFr}zIPList.find_closest_ip_nets s,-R00T7 JJLL   $S3g*> ? ?   GGS^^J/// 0 0   ((2233A JJs{'')) * *   f,--A  AAwwrHcJtdfdjDS)Ncvg|]5\}}s j|kn tdjjd|k|f6S)")rrr)r]rrrforce_no_prefixs rFrz(IPList.list_priority..4sj   'Hh +JCLH,,<!9<<<==I    rH)rr)rrs``rFr9zIPList.list_priority0sI      +.*@      rHnetworksc#Kt|ttjtjtjtjdktjtkztjdktjtkzzt |z}|.|tj tj k}n2|tj |}|ttjtjktjtjtjkztjtjkztjtjktjtjkztjtjkztjtjkzz|dn!|tjkz}t)|D] }t-|VdS)zYield networks which has lasting supernets with higher priority in db. If listname isn't provided ignore priorities (for unblock). Implemented to solve performance issue: DEF-15123 r$NTr) _TempIPListfillrnrrarArBrIPV4_HOST_MASKIPV6_HOST_MASKrsrrrrrrrror9rsettuplesr6)rrrrrrs rFfilter_ips_has_supernetszIPList.filter_ips_has_supernets?s """ MM  '       %.A%&.N*JKNa'FNn,LMO!!-000  2    6<788AA++I6677A FF ;#66/77GG-. >K$77 9$.&,>%0K4JJL", < > #-=?$!(D++--1EE'   8188:: . .G#W- - - - - . .rHc#pKt||tjtjtjttj z ttjtjktjtjkztjtjkzt tj kztj tjktj tj kztj tjkzztj tjkz}t|D] }t#|VdS)zYield exact match of ips which already recorded in db with the same priority and later expiration (so we don't need to add them) Implemented to solve performance issue: DEF-15123 rN)rrrrarArBrrnrsrrr9rrrrorrr6)rr"rrs rFfind_ips_with_later_expirationz%IPList.find_ips_with_later_expiration|sa  JJ+##   UV&&(((fm^< = = T^{'::-1LLN~)<<>++--1EEG $.&,>%0K4JJL", < > #-= ? 6188:: . .G#W- - - - - . .rHc #Kt||tjtjtjtjtjtjktjtjktjtjkztjtjkzzttjtjktj tjtjkztjtjkzt tj kztj tj ktj tj kztj tj kzz}|D]\}}}}}t|||||fVdS)aFYield - subnet (include self) with less priority (listname and less expiration), - listname of the subnet - should_unblock which is True if subnet is exact blocked network with same listname Implemented to solve performance issue: DEF-15123 rN)rrrrnrarArBrrrr9rrrrorr6)rr"rrarArBrshould_unblocks rF"find_ip_subnets_with_less_priorityz)IPList.find_ip_subnets_with_less_prioritys  JJ  " N N O%8 (FN:"2f6LLN~)<<>  $ ;#66*22;3FGG"23 >[%88 : ''))[-AA C *fl:!, 0FFH#-= ?     NXXZZ ( (     #'( ( ( ( ( ( (rH)rrrc*t|\}}}||j|j|k|j|kz|j|kz}|||}|-||j|}| |j }|||j |k}t|S)z Returns all lists containing given network (*ip*) :param ip: ip network to lookup :param listname: list of listnames :return: names of list ) r5rrrrarArBrsrrr8rr ) rrRrrrrrDrErBrs rF find_listszIPList.find_listss-R00T7 JJs| $ $ * *  C '{d" ${g% '   GGS^^J/// 0 0   ((2233A JJs|((** + +   f,--AAwwrHcPtj|it|SrNrrirkrqueryr_rs rFriz IPList.get'uww{EJ%A&%I%IJJJrHc Ptjdit|SNr\r get_or_createrkrr_rs rFrzIPList.get_or_create)$uww$LL'CF'K'KLLLrHc Ptjdit|Srr create_or_getrkrs rFrzIPList.create_or_getrrH)include_itselfr expired_byc t|\}} ||j|j|j|j|rt||| fnt||| f}|)|| }n8|tj kr(|| |}|-||j |}|||j |k} fd|DS)arReturn ip_network objects containing all *ip* entries expired by *expired_by* from lists *listname* which are members of net *ip* including itself if *include_itself* :param ip: network to lookup members for :param listname: list name :param include_itself: whether to include ip itself as a subnet [default: False] :param expired_by: expiry date as "seconds since epoch" return entries expired by given *expired_by* timestamp - IPList.NEVER :: return all entries (regardless expiration) - None :: return non-expired entries NcBg|]\}}}}t||||fSr\)r6)r]rDrErerBs rFrz+IPList.find_net_members..3sD   &T8QsD' 2 2Ha @   rH)r5rrarArrrrrGrJrsrnrorrr) rrRrrrrrDrErrBs @rFfind_net_memberszIPList.find_net_members sN0-R00T7 JJ  clCN  % M "3dG(< = = =1#T77KLL     )))**AA 6< ' 'z2233A   ((2233A   f,--A    *+((**    rHcT|j|}|j|dS)zQReturn list of iplists with less priority than list from given propertiesNIP_LISTSindexrrrs rF#lists_with_less_or_equal_prioritiesz*IPList.lists_with_less_or_equal_priorities8s*  ""8,,|EFF##rHcZ|j|}|jd|dzS)zRReturn list of iplists with greater priority than list from given listnameNr;rrs rF&lists_with_greater_or_equal_prioritiesz-IPList.lists_with_greater_or_equal_prioritiesAs. ""8,,|KeaiK((rHc,t|\}}}||j|k|j|k|j|k|j|k}|||j|k}|SrN) r5rrrrarArBrr)rrRrrrrErBrs rFremovez IPList.removeKs!0!4!4w "" LH $  7 * K4  K7 "     KK f 455E}}rHto_blockctdt||jD]L}|||||jzdMdS)NrREPLACE)rangelen BATCH_SIZE insert_many on_conflictr)rridxs rF block_manyzIPList.block_manyXsqCMM3>::  C OOHS3+?%?@ A A M M  giiii   rHctt|tddjjj}fdjjjD}j| tj ttj tj ktj tj kztjtjkztjtjkz}g}|D]-\}}}} |t%|||| f. |||S)zj Remove *ips* that are not manual from the [iplist] table. Return ips to unblock. z({})z, c38K|]}t|VdSrN)rF)r]rGrs rFr`z%IPList.remove_many..ls>  $)GC        rHr)rrrformatrrqr field_namesrrrnrrBrarArrr&r6rrr) rr"primary_key_sqlr to_remove to_unblockrarArBrs ` rF remove_manyzIPList.remove_many`s  MM$))CI$9$EFF G G      -0Y-B-N    CJ $ UFM> " " T^{'::-1LLN~)<<>+*>>@  ;D;K;K;M;M   7OWgx   %owHH     ?..y99::BBDDDrH)rFrNNN)NNNNNNF)F)vrzr{r|r}rrrrrrr  enumeratereversedrrr%rIPv4 VERSION_IP4IPv6 VERSION_IP6rrrrRrrrrror"rrr r r rrrrrrrrarArBrr staticmethodrrrrrrrrrrrr4rboolrrrrrrrrrrrr!r+ frozensetr rr'rDrHrLrQrrSrUrYrsr]r_rarfrlrortrspropertyrPrOr}r9r r rrrrrirrrrrrrrr __classcell__rs@rFrnrns ;; K E E D+ud$56Hii(:(:;;<<KK FKKJ&    By U/66uzz(7K7KLLMMNH EJ I4(((M L 33   E > ?"s)" """["H    [  %) :.:.y$sCx.01:.D>:.:.:.[:.x&.y$sCx.01&.&.&.[&.P8(y$sCx.018(8(8([8(t   s)[:KKKK[KMMMM[MMMMM[M#+ + + + + s)+  +  eIsC'( )+ + + [+ Z$$ #$$$[$)) #)))[)   S   [ $t*[$5D12$ eIsN# $$$$[$$$$$rHrnceZdZedZedZedZedZedZ eddZ GddZ e dZ e d Ze d eeeffd Zd S) rFrrTrc<eZdZejZdZeddddZdS)_TempIPList.Meta tmp_iplistrarArBrN) rzr{r|r+rrrrrr\rHrFrrs4;"l y)Z  rHrcD|jjddS)Na CREATE TEMPORARY TABLE IF NOT EXISTS tmp_iplist ( network_address INT, netmask INT, version INT, listname TXT VARCHAR(255) NOT NULL CHECK (listname in ('WHITE','BLACK','GRAY','GRAY_SPLASHSCREEN')), priority INT, expiration INT, PRIMARY KEY (network_address, netmask, version, listname)) )rqr execute_sqlrXs rF_createz_TempIPList._creates. &&  rHcR|dSrN)rrrXs rF_clearz_TempIPList._clears" rHr"c$t|dr|n|}tdt5||d|D}dddn #1swxYwY|rtdt5d}t dt||D]4}|||||z 5 ddddS#1swxYwYdSdS)Nitemszprepare tmp_iplist to fillc g|]g\}}ttgdgt|t|t|hS))rarArBrrrr)rzipr5rnrr)r]rRprops rFrz$_TempIPList.fill..s$B#,R00#CCDII#66t<<rHzfill tmp_iplistr) hasattrrr/rrrrrrr)rr"data batch_sizers rFrz_TempIPList.fills$S'22;ciikkk 0& 9 9   KKMMM JJLLL$!$%D               0  L)622 L L  CIIz::LLCOODsZ/?)?$@AAIIKKKKL L L L L L L L L L L L L L L L L L L L Ls$5A==BBADD DN)rzr{r|r"rarArBrrrrrrrrrrr rrr\rHrFrrs"l...Ol&&&Gl&&&Gye$$$H|'''HJ           [  [LuT8^,LLL[LLLrHrceZdZdZd\ZZeddZeddZ Gdd Z e d Z e d Z d S) LastSynclistzFUsed to track how up-to-date are lists synced from Correlation server.)rRhashTrrF)rrc$eZdZejZdZdZdS)LastSynclist.Meta last_synclistrN)rzr{r|r+rrrrr\rHrFrrs;"rHrc|tj|j|kdS)N) timestamp)rerprnamer)rrs rFupdate_timestampzLastSynclist.update_timestampsC TY[[ ))//D0@AAIIKKKKKrHcH||ddi\}}|jS)Nrr)rdefaults)rr)rrobjrxs rF get_timestampzLastSynclist.get_timestamps+"" Q7G"HHQ}rHN)rzr{r|r}r8HASHr rrrrrrrr\rHrFrrsPPHB a000I 9%T 2 2 2D LL[L[rHrceZdZdZGddZeZedZe dZ e dZ dS) WhitelistedCrawlerz^ Crawlers for which local alerts must not add IP to the :attr:`IPList.GRAY` list. c eZdZejZdZdS)WhitelistedCrawler.Metawhitelisted_crawlersNrzr{r|r+rrrr\rHrFrrs;)rHrFrctj5||}|D]}t || ddddS#1swxYwYdS)N) description) crawler_iddomain)r+rrrinsertrWhitelistedCrawlerDomainr)rrdomains inserted_idds rFaddzWhitelistedCrawler.adds [   ! !  ***==EEGGK  (//*10                   sA A77A;>A;c||j||}t }t ||}g}|d}|D]6}|j|jd|j Dd} | | 7||fS)NT) clear_limitcg|] }|j Sr\)r)r]r s rFrz,WhitelistedCrawler.fetch.. s>>>AH>>>rH)rrr ) rrrr-r,r r&r rr r&) rr-r,crawlers_query domains_querycrawlers_with_domains_queryr' max_countcrawleritems rFrDzWhitelistedCrawler.fetchs JJLL ! !#/ 2 2 8 8 ? ? F Fv N N 17799 &.~}&M&M#"((T(:: 2  Gj&2>>go>>>D MM$    &  rHN) rzr{r|r}rr#rr$rrr rDr\rHrFrrs ********   B)'''K[!![!!!rHrcveZdZdZGddZeZeedddZ e dZ d S) r zBDomain names used to check if IP is a :class:`WhitelistedCrawler`.c eZdZejZdZdS)WhitelistedCrawlerDomain.Metawhitelisted_crawler_domainsNrr\rHrFrrs;0rHrFCASCADEr r on_delete related_namerN) rzr{r|r}rr#rr!rrr$rr\rHrFr r sLL11111111   Bo  GYE " " "FFFrHr c eZdZdZdZdZedZeded eegZ e dd Z Gd d Z ed ed ededefdZdS)RemoteProxyGroupz9Groups multiple remote proxies together with common data.r imunify360Frzsource in ('{}', '{}')rTrc$eZdZejZdZdZdS)RemoteProxyGroup.Metaremote_proxy_group))rsourceTN)rzr{r|r+rrrrr\rHrFrr#8s;'/rHrrr&enabledrlct||}|j|krdS||_|dS)zSet group's enabled status. Group is identified by name and source. Returns True if enabled status has changed, False otherwise (it was a noop).r%FT)r rir'rj)rrr&r'rs rF set_enabledzRemoteProxyGroup.set_enabled=sG !$$$v$>> =G # #5  trHN)rzr{r|r}MANUAL IMUNIFY360rrrrr&rr'rrrrr)r\rHrFr r $sCCFJ 9% DY  E*11&*EE F F Flt444G00000000  s C $ 4   [   rHr c eZdZdZeedZedZGddZ e de e de e de e d eefd Ze d e d e d ee fdZe d e d ee fdZdS) RemoteProxyz!Remote Proxy networks in a group.Frc eZdZejZdZdS)RemoteProxy.Meta remote_proxyNrr\rHrFrr/Rs;!rHrby_group by_sourcer'rlc|tjtjtj|jt}|#|tj|k}|#|tj|k}|#|tj|k}t| tj S)zReturns a list of remote proxy networks as dicts. Results are optionally filtered by group name, source, and enabled status.) rr r&rr'rrrr rrN)rr1r2r'rs rFr zRemoteProxy.listVs JJ  #  !  $ K   $  (-9::A  (/9<==A  (0G;<>>rHrr&rct||\}}|D]R}tjt j|}t ||j}|SdS)z>Adds networks to a list of remote proxy in group name, source.r%)rgroup_idN) r rr8rcrOrPr-rrj)rrr&rrrxrDproxys rFadd_manyzRemoteProxy.add_manyosw$11tF1KKq  C%i&:3&?&?@@Ceh???E JJLLLL   rHcd|D}g}tttj|ztj|k}t|D]0}||j| 1ttttj  t tjtjdk}t|D]}| |S)zrDeletes networks from remote proxy lists. Only networks coming from groups with given source are deleted.cZg|](}tjtj|)Sr\)r8rcrOrP)r]rDs rFrz/RemoteProxy.delete_networks..s;   ?BB  4S 9 9 : :   rHr)r-rrr rrr&r r&delete_instancerrrrr%COUNTr)rr&rrrr6rs rFdelete_networkszRemoteProxy.delete_networksys=   FN       T" # # U;&(2 3 3 U#*f4 5 5 !WW $ $E NN5= ) ) )  ! ! # # # #  # #$4 5 5 T+t / / X& ' ' VBH[^,,1 2 2 !WW $ $E  ! ! # # # #rHN)rzr{r|r}r!r rr$rrrrrrrrr r7r<r\rHrFr-r-Ks*++ O,5 9 9 9EiU###G""""""""?3-?C=?$ ? d ???[?0CS [SDI[rHr-cNeZdZdZedZedZedZedZ GddZ e fdZ e fdZ e fdZe fd Ze d ed eefd Ze d eefdZxZS)r~z IP addresses from this list are not blocked by firewall. However, they still can be placed to other lists by either server or local events or by user request. Frc>eZdZejZdZedddZdZ dS)IgnoreList.Meta ignore_listrarArBrN) rzr{r|r+rrrrrrr\rHrFrr?s3; "l#4iKK rHrc Ptjdit|S)rr\rrrfrs rFrzIgnoreList.creates*uww~99 0 8 8999rHc Ptjdit|Srrrs rFrzIgnoreList.create_or_getrrHcPtj|it|SrNrrs rFrizIgnoreList.getrrHc Ptjdit|Srrrs rFrzIgnoreList.get_or_createrrHsupernetrlc#,Kt|\}}}||j||k|j|k|j|k}|D]$}t|j|j|jV%dSrN)r5rrrarrArBr6)rrFaddressrErBrrBs rFsubnetszIgnoreList.subnetss!0!:!:w JJLL    ( ( . .7 : K4  K7 "     C##S[#+      rH to_deletect|}|D]k}t|\}}}||j|k|j|k|j|kldSrN)rr5rrrarArBr)rrJuniquerrHrErBs rFrzIgnoreList.removesY  D%4T%:%: "GT7 JJLL  #w. t# w&  giiii   rH)rzr{r|r}rrRr"rarArBrrrrrirr4rrIrrrrs@rFr~r~s    B"l...Ol&&&Gl&&&G ::::[:MMMM[MKKKK[KMMMM[M y Xi-@   [ tI[rHr~c eZdZdZedZededede de dgZ edZ Gd d Z e dd Zed ZeddZd S) BlockedPortz]Port blocking configuration. Effective when `FIREWALL.port_blocking_mode == ALLOW`. Frz proto in ('z', 'rrTc(eZdZejZdZdZdZdS)BlockedPort.Meta blocked_portr)))portprotoTN rzr{r|r+rrrrrr\rHrFrrPs&;! rHrNcB|M||j|tj|z}|(|t t|}|#|t j|k}|SrN)rrrS IgnoredByPortrWr0r)rrrrrs rF_add_filter_argszBlockedPort._add_filter_argss  ! $$Z00'00<<=A  ,]EBBCCA  & 788ArHc ^||jtt jtt jtjtjk}|j |fi|}| S)Nr) rrdistinctrrVrrr0rrWr )rrrs rFr!zBlockedPort.fetch_counts JJsv   XZZ T- 1 1 T!)WZ7  !C  2 2k 2 2wwyyrHrrc ||j|j|j|jt jt jdt tj ttj t j tjk}|j |fi|}||j|jt j}d}g}tj||D]+\}}d|D} | |d<||,||||zS)N ip_commentrc fddDS)Nc"i|] }|| Sr\r\)r]keyrBs rF z8BlockedPort.fetch..group_key..-s,"%SXrH)rrRrSrr\rBs`rF group_keyz$BlockedPort.fetch..group_key,s.)K rH)r^c@g|]}|d |d|ddS)rRNr[)rRrr\)r]rRs rFrz%BlockedPort.fetch..3s=d8'$xB|,<=='''rHr")rrrRrSrrVrRrrrrr0rrWr itertoolsgroupbyrNr&) rr-r,rrrar' port_protor" ignored_ipss rFrDzBlockedPort.fetchsP JJ   %++L99   T- 1 1 T!)WZ7 " !C  2 2k 2 2 JJsxM,< = =    (0 JJJ & &OJK !,Ju  MM* % % % %fv~-..rH)NNN)rr)rzr{r|r}r"rRrrr2r3r1rSrrrrWr!rDr\rHrFrNrNs sNAA %95J    BiT"""G"l...Ol&&&Gl&&&GiT|<<.se   R $'r'9#:#:rz??; .1,4      rHcF|t|j|j|jfSrNrr`s rFrz$IPListRecord.fetch..s'%+S[#+rH)rr,r-map)rrrr,r-rs rFrDzIPListRecord.fetchs   We , ,    A  A       rHc Ttjdit|}|SrrBrs rFrzIPListRecord.creates,uww~99 0 8 899 rH)rzrNr)rzr{r|r}r"rarArBrxrrr9IPListIDrr4r~rrrr!rDrrrs@rFrtrts99"l...Ol&&&Gl&&&G %(((I        CH 9 9! 9.6 9 )  9 9 9[ 9D   h  3    [    [ [   [ 2[rHrtceZdZdZedZedZGddZe de de e de e fd Ze de d e defd Zed ede fd ZdS)rz6DB table that stores "purposes" for given iplist_id`s.Frc@eZdZejZdZeddZdZ dZ dS)IPListPurpose.Metarrrx))r1FryNrr\rHrFrrs5;""l9k:: *rHrr{purposesrlcttd||jt |jt jkt jt|k|j ttt|zS)z=Yield all distinct iplist_id for *ip_version* and *purposes*.rr)rr rrxrYrrtrrBr:rrr rr)rr{rs rFfetch_iplist_idszIPListPurpose.fetch_iplist_ids s  qMM IIbl # # XZZ T,BLL4J$JT L L U%)9*)EE*..c#x&8&8!9!9::;VXX   rHrcH||jt|jtjktjt|k|j|kz S)z9How many iplists are there for *ip_version* and *purpose*r) rrxrYrrtrrBr:rr )rr{rs rFr!zIPListPurpose.fetch_countsx IIbl # # XZZ T,BLL4J$JT L L U%)9*)EE:(*UWW rHrctjtjtjtjtjtjtjtji|S)z,Return purpose corresponding to iplist name.) rnrrrr~rrrrrs rFlistname2purposezIPListPurpose.listname2purpose(s> L'- L', K  $g&:    rHN)rzr{r|r}rrr"rxrrr9rrrrrr!rrrr\rHrFrrs @@iU###G %(((I ! -5g-> (    [   I    C    [  37\rHr)qr}rOrcloggingrpdatetimerenumr functoolsrrrroperatorr r "defence360agent.rpc_tools.validater typingr r rrrrrrrrrblinkerrpeeweerrrrrrrrr r!r"r#r$r%r&r'playhouse.shortcutsr("defence360agent.contracts.messagesr)defence360agent.modelr*r+$defence360agent.model.simplificationr,defence360agent.utilsr-r.r/im360.model.countryr0im360.utils.netr1r2r3r4r5r6r7defence360agent.utils.validater8r9r:rr getLoggerrzrrrV4rrV6rrGrJrLrWrYrfrkrrsrurrrnrrrr r r-r~rNrVrtrr\rHrFrs22 ........$$$$$$$$666666                          $.-----55555511111111======OOOOOOOOOO''''''KJJJJJJJJJ   8 $ $ \!:!:;;A> W!5!566q9$$ ;',S#s]';$ ;',S#s]';$ ;',S#s]';$&FFF"DdDDDD        c4DZZZZZUZZZz$DLDLDLDLDL%DLDLDLN50'!'!'!'!'!'!'!'!T#####u###&$$$$$u$$$NKKKKK%KKK\AAAAAAAAH^/^/^/^/^/%^/^/^/BB.B.B.B.B.EB.B.B.Juuuuu5uuup55555E55555rH