mb {s<ddlZddlZddlZddlZddlZddlZddlZddlmZddl m Z m Z ddl m Z mZddlmZddlmZmZmZmZddlmZddlmZmZmZmZmZejeZ d Z!e!"d Z#e!"d Z$Gd dZ%Gdde%eZ&Gdde%eZ'GddeZ(Gdde(Z)Gdde&Z*dZ+Gdde*Z,GddeZ-de.fdZ/de efd Z0dS)!N)abstractmethod)ListOptional)Core Packaging) LicenseCLN)AbstractFeature FeatureError FeatureStatusea4_only)cPanel) OsReleaseInfo check_runrunrun_cmd_and_log os_versionzexport PATH=/opt/imunify360/venv/bin:$PATH; _els_tmp=$(mktemp) && curl -sf -o "$_els_tmp" {url} && sh "$_els_tmp" -i; rm -f "$_els_tmp";zHhttps://repo.alt.tuxcare.com/alt-php-els/install-els-alt-php-rpm-repo.sh)urlzHhttps://repo.alt.tuxcare.com/alt-php-els/install-els-alt-php-deb-repo.shc eZdZdZdZdZeddeefdZ edefdZ edZ e ede fd Zed Zede fd Zejd Zejd ZdefdZdS)SimpleInstallerMixInaThis is a mixin class implementing common case installation scenario. Installation is supposed to be through a single command cls.INSTALL_CMD. Removal is done through interpolating a space separated list of package names to remove into cls.REMOVE_CMD_TMPL. List of packages to remove is obtained by collecting all installed alt-php* packages except those we want to keep (as returned by required_packages()). z /bin/falseNenabledcdSNselfrs W/opt/imunify360/venv/lib/python3.11/site-packages/im360/subsys/features/hardened_php.py generate_repoz"SimpleInstallerMixIn.generate_repoAc KdSrrrs rpre_install_cmdz$SimpleInstallerMixIn.pre_install_cmdEs rcdSrrrs r remove_repoz SimpleInstallerMixIn.remove_repoIrrreturnc"KtS)z0Set of installed package names matching alt-php*)setrrr_list_alt_php_packagesz+SimpleInstallerMixIn._list_alt_php_packagesMsuu rcD|dp |dkp|dkS)Nzalt-php-internalzalt-php-configzalt-php-hyperscan) startswith)clspkgs r_keep_installedz$SimpleInstallerMixIn._keep_installedSs5 NN- . . *&& *)) rcrKd{V}tfd|DS)z@Set of installed alt-php packages except those we keep installedNc3FK|]}||VdSr)r-).0r,r+s r z9SimpleInstallerMixIn._feature_packages..bs6NN3S5H5H5M5MN3NNNNNNr)r(r')r+ all_alt_phps` r_feature_packagesz&SimpleInstallerMixIn._feature_packages^sO 6688888888 NNNN+NNNNNNrcK|d|dd{Vt|j|jd{VSNTr)rr!r INSTALL_CMDINSTALL_LOG_FILE_MASKr#s rinstallzSimpleInstallerMixIn.installds 4(((""4"000000000$  d8         rc VK||jdt t j|d{V}|dd{Vt||j d{VS)N Fr6) r$REMOVE_CMD_TMPLformatjoinmapshlexquoter3r!rREMOVE_LOG_FILE_MASK)rcmds rremovezSimpleInstallerMixIn.removels ")) HHSD,B,B,D,D&D&D&D&D&D&DEE F F  ""5"111111111$S$*CDDDDDDDDDrcTKt|d{VSr)boolr3r#s r_check_installed_implz*SimpleInstallerMixIn._check_installed_implus2$0022222222333rr)__name__ __module__ __qualname____doc__r7r<rrrFrr!r$ staticmethodr'r( classmethodr-r3r raise_if_shouldnt_install_nowr9raise_if_shouldnt_remove_nowrDrGrrrrr3snK"OXd^^T^^#^\  [ OOOO[O 2  32 1EE21E4T444444rrceZdZdZdZdejzZdezZdezZ e dzZ dZ dZ d Ze e d gZd Zdd eefdZd efdZdZedefdZd S)HardenedPHPCentosz(/etc/yum.repos.d/imunify360-alt-php.repo Hardened-PHP /var/log/%s%s/install-hardenedphp.log.*%s/remove-hardenedphp.log.*z; yum group mark remove alt-php; yum -y groupinstall alt-phpz0yum group mark install alt-php; yum -y remove {}zdnf config-manager --enable crbz dnf config-manager --disable crbc tj|jdS#t$rYdSt$r$t d|jYdSwxYwNzCan't delete %s)osrDLEGACY_REPO_FILEFileNotFoundErrorOSErrorloggererrorr#s r_remove_legacy_repoz%HardenedPHPCentos._remove_legacy_reposz C Id+ , , , , ,     DD C C C LL*D,A B B B B B B C A)AANrc6|dS|dSrr_rs rrzHardenedPHPCentos.generate_repos& ? F   """""rcKtdsdS|r.t|jd{VdSt|jd{VdS)N9)rr*rENABLE_CRB_CMDsplitDISABLE_CRB_CMDrs rr!z!HardenedPHPCentos.pre_install_cmds||&&s++ : F  :D/557788 8 8 8 8 8 8 8 8 8D0668899 9 9 9 9 9 9 9 9 9rc.|dSrrbr#s rr$zHardenedPHPCentos.remove_repos   """""rr%cKtgdd{V}t|S)N)rpmz-qaz --queryformatz%{NAME} alt-php*)rr'decoderf) raw_outputs rr(z(HardenedPHPCentos._list_alt_php_packagessd$ D D D        :$$&&,,..///rr)rHrIrJrZNAMErPRODUCTLOG_DIRr8rB_ELS_RPM_SETUPr7r<rergr= _CMD_LISTr_rrFrr!r$rLr'r(rrrrQrQysA Ddl*G:WD87B G HIO6N8Oo44R889ICCC##Xd^####:T::::###0#000\000rrQceZdZdZdejzZdezZdezZe dzZ dZ e e dgZ dd eefd Zd efd Zd Zed efdZdS)HardenedPHPUbunturRrSrTrUz apt-get install -y alt-phpzapt-get purge -y {}rVNrcdSrrrs rrzHardenedPHPUbuntu.generate_reporc KdSrrrs rr!z!HardenedPHPUbuntu.pre_install_cmds rcdSrrr#s rr$zHardenedPHPUbuntu.remove_reporvrr%cKtgdd{Vd}t d|DS)N)z dpkg-queryz-Wz-fz${Package} ${db:Status-Status} rk c3TK|]#}|\}}|dk|V$dS) installedN)rf)r0liner,statuss rr1z;HardenedPHPUbuntu._list_alt_php_packages..sL   $ V$$ %$$$   r)rrlstriprfr')pkgs_in_dpkg_dbs rr(z(HardenedPHPUbuntu._list_alt_php_packagess VXX UWW U4[[    '      rr)rHrIrJrnrrorpr8rB_ELS_DEB_SETUPr7r<r=rrrrFrr!r$rLr'r(rrrrtrts Ddl*G:WD87B #@@K+Oo44R889IXd^T #   \   rrtc>eZdZdZdZdZdZdZdZdZ de fdZ d S) HardenedPHPCloudLinuxz4HardenedPHP is managed by lvemanager in CloudLinuxOSemptyc K|Srrr#s rinitzHardenedPHPCloudLinux.inits  rcrKtgdd{V\}}}dtj|dk|jdiS)N)rjz-q lvemanageritemsr)r~ lve_installedmessage)rr MANAGED_BY_LVEMSG)rrc_s rr~zHardenedPHPCloudLinux.statuss[88899999999Aq '6!#q8  rc.Kt|jrr rr#s rr9zHardenedPHPCloudLinux.install48$$$rc.Kt|jrrr#s rrDzHardenedPHPCloudLinux.removerrr%c KdS)NTrr#s rrGz+HardenedPHPCloudLinux._check_installed_impls trN) rHrIrJrr8rBrr~r9rDrFrGrrrrrs| @C#"   %%%%%%TrrceZdZdZdZdS)HardenedPHPCloudLinuxSoloz1HardenedPHP is not supported in CloudLinuxOS Soloc2Kdtj|jdiS)Nr)r~r)r NOT_SUPPORTED_BY_CL_SOLOrr#s rr~z HardenedPHPCloudLinuxSolo.statuss( '@8  rN)rHrIrJrr~rrrrrs( =C     rrcjeZdZdZdejzZdezZdezZdZ dZ dZ e e gZ e dZe d Ze d efd Zdd eefd ZdZedeefdZdefdZefdZeejdZeejdZ xZ!S) EaPHPCentosz0/etc/yum.repos.d/imunify360-ea-php-hardened.reporSz%s/install-ea_php.log.*z%s/remove-ea_php.log.*z5yum -y groupremove ea-php; yum -y groupinstall ea-phpzD/opt/imunify360/venv/share/imunify360/scripts/remove_hardened_php.pyzimunify360-ea-php-hardenedctjtjtj|jSr)rYpathr>rDATADIRbasename REPO_FILE)r+s r_repo_tmpl_filepathzEaPHPCentos._repo_tmpl_filepath s-w||I-rw/?/? /N/NOOOrc\ ddfdtjD}n$#t$r}t d|d}~wwxYwt jd}||z}t j| S)N:rVc3HK|]}t|zVdSr)str)r0kseptokens rr1z-EaPHPCentos._prepare_token..sC()E!H #rz*License token can not be created by error sign) r>rVERIFY_FIELDS_V1KeyErrorr base64 b64decodeencodeurlsafe_b64encoderl)r+rfieldse sign_bytesdatars ` @r_prepare_tokenzEaPHPCentos._prepare_tokens CWW-7-HFF   @Q@@  %eFm44 }}+'--44666s.3 AAArc|rdnd} ||}nV#t$rI}|s;d}tj|}n|Yd}~nd}~wwxYwt |d5}|}| ||cdddS#1swxYwYdS)N10zunregister-token-placeholderr)rr) rr rrrrlopenrreadr=)r+rr enabled_flagrtoken_placeholder repo_templatetemplates r_prepare_repo_confzEaPHPCentos._prepare_repo_confsP%.ss3  &&u--EE    $B!0%,,..&((  #))++S 1 1 F]$))++H?? ?EE F F F F F F F F F F F F F F F F F Fs& A1?A,,A1+CCCNc|Xtj} ||j||jddk}n#t $rd}YnwxYwt j}t j}|s+|rtdt dt|jd5}| |||dddn #1swxYwYtj|jtj|jdS)NrrTz=tried to enable repo but server_id is empty (not registered?)zDserver_id is empty (not registered?) ignoring due to removal of repow) configparser ConfigParserrr REPO_NAME Exceptionr get_token get_server_idr r]warningrwriterrYchmodstatrst_mode)rrrepor server_id repo_files rrzEaPHPCentos.generate_repo1s ?,..D  $.)))t~.y9S@    $&&,..   "$ NN   $.# & & E) OOD33E7CC D D D E E E E E E E E E E E E E E E )A)A)C)C!D!D!LMMMMMs#1A AA*C99C=C=c2|ddSNFr6)rr#s rr$zEaPHPCentos.remove_repoJs 5)))))rr%cKtddd{V}|fdtdt dDS)Nz5rpm -qa --queryformat "%{NAME} %{RELEASE} " "ea-php*"T)shellc8g|]}||dzdS))namereleaser)r0iwordss r z5EaPHPCentos._query_eaphp_versions..Ts=   1X%A, 7 7   rr)rrlrfrangelen)rmrs @r_query_eaphp_versionsz!EaPHPCentos._query_eaphp_versionsMs$ D         !!##))++    1c%jj!,,    rcKtjd}|d{VD]*}||d d|dvrdS+dS)Nz ea-php\d+r cloudlinuxrTF)recompilersearch)r versioned_rer,s rrGz!EaPHPCentos._check_installed_implYsvz,// 3355555555  C##CK00< C N22tturcTKtd{VSrsuperr~r __class__s rr~zEaPHPCentos.statusc-WW^^%%%%%%%%%rcrK|dt|j|jd{VSr5)rrr7r8r#s rr9zEaPHPCentos.installgsZ 4((($  d8         rcrK|dt|j|jd{VSr)rr REMOVE_SCRIPTrBr#s rrDzEaPHPCentos.removeosZ 5)))$   9         rr)"rHrIrJrrrorpr8rBr7rrrrrMrrrFrrrr$rLrdictrrGr r~r rNr9rOrD __classcell__rs@rrrsBIdl*G5?3g=IKZM,Im,IPP[P 7 7[ 7FFFF[F"NNXd^NNNN2***  d    \  T&&&&X&2  32X 1  21X     rrzFor EL9/Ubuntu20 cpanel servers use cPanel Profile to configure harden php. More info: https://docs.cpanel.net/ea4/basics/the-ea-cpanel-tools-package-scripts/ https://docs.cpanel.net/whm/software/easyapache-4-interface/c~eZdZeZeejdZeej dZ de fdZ dS)EaPHPCentosEL9cFK|dd|jzS)NTr6z+Repo imunify360-ea-php-hardened activated. rrr#s rr9zEaPHPCentosEL9.installs, 4(((=HHrcFK|dd|jzS)NFr6z)Repo imunify360-ea-php-hardened removed. rr#s rrDzEaPHPCentosEL9.removes, 5)));dhFFrr%cKtj} ||j||jddk}n#t $rd}YnwxYw|S)NrrF)rrrrrr)rrrs rrGz$EaPHPCentosEL9._check_installed_implsn(**  IIdn % % %4>*95>21X>&&&&X&.T........rrr%c@tjdS)Nz/etc/cloudlinux-release)rYrexistsrrr _is_cloudlinux_release_installedrs 7>>3 4 44rcbtj}tjsLtjs9tjs&tjstjr=|r+ttj dkrtS|rtStStjr!tjrt St"Stjstjr%|rt)rt"St*St,SdS)z :return: AbstractFeature subclass: feature that implements Hardened PHP installation for current environment. N)r is_installedr is_centosis_rhelis_oracle_linux is_almalinux is_rockylinuxintdistro major_versionrrrQ is_cloudlinuxis_cloudlinux_solorr is_ubuntu is_debianrrrt) has_cpanels rget_hardened_php_featurers( $&&J!! %  " " %  ( * * %  % ' ' %  & ( ( %  %#f24455::! !  % $ $"$$%  + - - -, ,$$  !M$;$=$=!  %/11 -,,$ $  4r)1rrloggingrYrr@rabcrtypingrr defence360agent.contracts.configrr!defence360agent.contracts.licenser0defence360agent.subsys.features.abstract_featurer r r r $defence360agent.subsys.panels.cpanelr defence360agent.utilsrrrrr getLoggerrHr]_ELS_SETUP_TMPLr=rqrrrQrtrrrrrrrFrrrrrr#sL  !!!!!!!!<<<<<<<<888888 877777  8 $ $!'' *( !'' *(C4C4C4C4C4C4C4C4L0000000000,o000000f) ) ) ) ) ,o) ) ) XO:      5    t t t t t #t t t pD[2'.'.'.'.'.'.'.'.T5$5555(?";r