Homeproj: Redmine for CESNET: Issues
https://homeproj.cesnet.cz/ (feed updated 2024-03-19T14:34:22Z)

Mentat - Support #7717 (New): Add tests for more Hawat endpoints
https://homeproj.cesnet.cz/issues/7717 (2024-03-19T14:34:22Z, Jakub Judiny)
<p>Most of the Hawat endpoints are not covered by tests. We should add at least basic tests using keywords.</p>

Mentat - Feature #7707 (New): All fields in search form should have negations
https://homeproj.cesnet.cz/issues/7707 (2024-02-20T14:59:22Z, Jakub Judiny)
<p>Now only fields that are selected have a negation option ("not_detectors" etc.), but this should also be the case for fields with user input (such as Description). These fields should also be visible for all users and not just hidden in the URL.</p>
<p>Based on input from Pavla Hlučková.</p>
<p>Example use cases:</p>
<ul>
<li>Searching for events that do not have the "Test" category.</li>
<li>Searching for events of a particular event class (or category) that are from detectors other than "detector1". This can be useful when trying to correctly set the parameters of an event class, because you want to see events from all the different detectors that send events labelled with this event class.</li>
<li>Searching for events that do not have a specific description.</li>
</ul>

Mentat - Feature #7702 (New): CSAG should keep query parameters from form
https://homeproj.cesnet.cz/issues/7702 (2024-01-25T10:40:46Z, Jakub Judiny)
<p>When using context search from within a narrowed down context (e.g., timeline of a single host address) the new search link is only constricted to the used variable and other constrictions set by the user for the initial search are ignored.</p>
<p>It would also be great if the CSAG event search had an explicit detect time set, because now it is implicit, which is not user friendly (it is not clear that it searches only in events from the last 7 days).</p>

Mentat - Feature #7692 (In Progress): Better reporting
https://homeproj.cesnet.cz/issues/7692 (2023-11-08T14:21:43Z, Jakub Judiny)
<ul>
<li>support for vulnerable-implementation event class (VA2AM)</li>
<li>Event class management GUI module (mentat-inspector should create inspection rules based on information from this module)</li>
<li>better aggregations (more aggregated fields, and aggregation by detectors, aggregations set in mentat.const, aggregate only relevant source sections)</li>
<li>better report show view (more displayed information based on event class settings, move JSON to custom view and add syntax highlighting, better integration with events module, better UI - get rid of tabs)</li>
<li>change report emails format to be similar to new web report view</li>
<li>subclassing</li>
</ul>
<p>Wiki: <a class="wiki-page" href="https://homeproj.cesnet.cz/projects/mentat/wiki/Reporting">Reporting</a></p>

Mentat - Feature #7691 (New): Allow for configurable company identity and personal data processin...
https://homeproj.cesnet.cz/issues/7691 (2023-11-06T10:17:05Z, Pavel Kácha, ph@cesnet.cz)
<p>On account registration it's usual (and nowadays necessary) to at least show some URL to the personal data processing legislative verbiage/privacy policy, so the user is properly informed before providing that information. It's now solved by a custom patch; however, we could add some optional configuration keys, for example an instance logo, an instance name (possibly the company name), an instance info link (possibly the company link) and a link to the privacy policy.</p>

Mentat - Bug #7679 (New): Disabled users are still able to use Mentat
https://homeproj.cesnet.cz/issues/7679 (2023-08-25T11:04:09Z, Rajmund Hruška)
<p>Tested on my local machine. It seems that if the user stays logged in after the account was disabled, they can still look around. Only once they log out are they unable to log back in.</p>
<p>I haven't tested the use of the API; it might be worth checking that.</p>

Warden - Bug #7634 (New): authorize method doesn't check all flags
https://homeproj.cesnet.cz/issues/7634 (2023-03-06T12:50:16Z, Rajmund Hruška)
<p>So, there is the following method called <code>authorize</code>:</p>
<pre><code class="python">def authorize(self, env, client, path, method):
    # Each block returns as soon as the method's flag is set, so only the
    # first flag (in this fixed order) is ever checked against the client.
    if method.debug:
        if not client.debug:
            self.log.info("authorize: failed, client does not have debug enabled")
            return None
        return client
    if method.read:
        if not client.read:
            self.log.info("authorize: failed, client does not have read enabled")
            return None
        return client
    if method.write:
        if not (client.write or client.test):
            self.log.info("authorize: failed, client is not allowed to write or test")
            return None
        return client
</code></pre>
<p>And then there are a bunch of exposed methods, the following one called <code>getDebug</code> is interesting:</p>
<pre><code class="python">@expose(read=True, debug=True)
@json_wrapper
def getDebug(self):
    return {
        "environment": self.req.env,
        ...
    }
</code></pre>
<p>If in <code>authorize</code>, <em>read</em> was checked before <em>debug</em>, it wouldn't matter what the value of <em>debug</em> in <code>getDebug</code> is, because the method would only check <em>read</em> and then return.</p>
<p>So the question is, is that a bug or a feature? I want to add another flag - <em>managed</em> - but I would need to add it at the beginning of the <code>authorize</code> method. I think it shouldn't depend on the order of checks (if statements).</p>

Mentat - Bug #7570 (New): Daemons and cronjob scripts should report crashes
https://homeproj.cesnet.cz/issues/7570 (2022-03-22T16:43:13Z, Pavel Kácha, ph@cesnet.cz)
<p>Hawat reports crashes with tracebacks to the admin email. We should do the same for daemons and cronjobs (for those, stderr and a correct cron config is probably enough).</p>

Mentat - Feature #7550 (New): A way to load additional data for IPs in 'Show event' in bulk
https://homeproj.cesnet.cz/issues/7550 (2022-01-27T06:26:09Z, Radko Krkoš, krkos@cesnet.cz)
<p>Currently, only the first 20 entries in each host section are loaded in the dialog. The others have to be loaded manually one by one, which is not fun for events containing many addresses. The rate limiting is reasonable, but a way to load information for all the hosts would be very helpful.</p>

Mentat - Bug #6861 (New): Double exception on incomplete authorisation information
https://homeproj.cesnet.cz/issues/6861 (2021-01-06T16:34:13Z, Pavel Kácha, ph@cesnet.cz)
<p>When Mentat does not get the identity field, it throws an exception - which throws another.</p>
<p>Throwing an exception is not itself wrong; throwing another one for the same reason from the handler is.</p>
<p>However, the problem might be legitimate (identity provider not sending attributes), so the user should probably be informed somehow, instead of getting a generic 500 page.</p>
<p>Also, the exception handler should log some relevant info (obtained auth data or so) for admin debugging.</p>
<p>(Setting priority to low, as it is now mitigated by Shibboleth configuration on server, however we should look into it eventually.)</p>
<pre>
Message type: CRITICAL
Location: /var/mentat/venv/lib/python3.7/site-packages/vial/app.py:414
Module: app
Function: eh_internal_server_error
Time: 2020-12-04 10:40:28,374
Message:
INTERNAL SERVER ERROR
Request: /auth_env/register?
Traceback:
Traceback (most recent call last):
File "/var/mentat/venv/lib/python3.7/site-packages/hawat/blueprints/auth_env/__init__.py", line 179, in get_item
return self.get_user_from_env()
File "/var/mentat/venv/lib/python3.7/site-packages/hawat/blueprints/auth_env/__init__.py", line 126, in get_user_from_env
gettext("Unable to retrieve account login from your authentication provider.")
hawat.blueprints.auth_env.RegistrationException: Nelze získat uživatelské jméno od Vašeho poskytovatele identity.
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/var/mentat/venv/lib/python3.7/site-packages/flask/app.py", line 1949, in full_dispatch_request
rv = self.dispatch_request()
File "/var/mentat/venv/lib/python3.7/site-packages/flask/app.py", line 1935, in dispatch_request
return self.view_functions[rule.endpoint](**req.view_args)
File "/var/mentat/venv/lib/python3.7/site-packages/flask/views.py", line 89, in view
return self.dispatch_request(*args, **kwargs)
File "/var/mentat/venv/lib/python3.7/site-packages/vial/blueprints/auth_env/__init__.py", line 251, in dispatch_request
return super().dispatch_request()
File "/var/mentat/venv/lib/python3.7/site-packages/vial/view/__init__.py", line 1622, in dispatch_request
item = self.get_item()
File "/var/mentat/venv/lib/python3.7/site-packages/hawat/blueprints/auth_env/__init__.py", line 181, in get_item
self.abort(500, exc)
File "/var/mentat/venv/lib/python3.7/site-packages/vial/view/mixin.py", line 60, in abort
flask.abort(status_code, message)
File "/var/mentat/venv/lib/python3.7/site-packages/werkzeug/exceptions.py", line 772, in abort
return _aborter(status, *args, **kwargs)
File "/var/mentat/venv/lib/python3.7/site-packages/werkzeug/exceptions.py", line 753, in __call__
raise self.mapping[code](*args, **kwargs)
werkzeug.exceptions.InternalServerError: 500 Internal Server Error: Nelze získat uživatelské jméno od Vašeho poskytovatele identity.
</pre>

Mentat - Config #4723 (New): Access permissions prevent warden-filer start after system reboot
https://homeproj.cesnet.cz/issues/4723 (2019-02-08T11:53:48Z, Radko Krkoš, krkos@cesnet.cz)
<p>After a machine reboot the owner of <code>/var/run/warden_filer/</code> is <code>root</code> and the user <code>mentat</code> has no write permissions there, which effectively prevents <code>warden-filer</code> from starting correctly (the <code>receiver.pid</code> file cannot be created). Also, <code>systemctl</code> reports the process as <code>started</code> even though the log contains errors (so monitoring is probably not alerted to the issue).</p>
<p>A simple owner change of said path to <code>mentat:mentat</code> and a subsequent <code>warden_filer_receiver.service</code> restart solves the issue (a permission change is probably the preferable way to fix this).</p>
<p>This was confirmed on both <code>mentat-hub</code> and <code>mentat-alt</code>.</p>

Warden - Task #4587 (New): Drop support for Apache 2.2
https://homeproj.cesnet.cz/issues/4587 (2019-01-22T12:00:39Z, Pavel Kácha, ph@cesnet.cz)
<p>Will probably allow dropping M2Crypto and cert parsing from the server code, because Apache 2.4 provides subjectAltNames in the SSL_CLIENT_SAN_DNS_XXX variables (thx Radko).</p>

Warden - Feature #4579 (New): Add support for CRL
https://homeproj.cesnet.cz/issues/4579 (2019-01-21T13:58:28Z, Pavel Kácha, ph@cesnet.cz)
<p>Add cron scripts and example configuration for Apache to obey CRL.</p>
<p>The CESNET CRL is at <a class="external" href="https://crl.cesnet-ca.cz/Warden_CA.crl">https://crl.cesnet-ca.cz/Warden_CA.crl</a></p>

Mentat - Feature #4273 (New): Consider/choose/implement different communication protocol
https://homeproj.cesnet.cz/issues/4273 (2018-08-21T09:20:38Z, Pavel Kácha, ph@cesnet.cz)
<p>The Filer communication protocol serves well and is simple enough. However, it has its limitations and it might make sense to pursue a different direction, so this issue is meant for review/discussion. Also, this need not necessarily mean complete replacement; Mentat can happily support multiple protocols for different situations if that makes sense.</p>
<p>Filer protocol deficiencies:</p>
<ul>
<li>too big or too many events may hit disk and cause thrashing because of interference between different daemon queues and db disk access</li>
<li>does not support inter-machine communication (ok, not easily)</li>
<li>although easy, is nonstandard</li>
</ul>
<p>New chosen protocol(s) should:</p>
<ul>
<li>be memory based to prevent potential disk thrashing</li>
<li>support both efficient local and network communication</li>
<li>be at least somewhat standard</li>
<li>perform comparably to the current solution</li>
<li>broker (if applicable/used) should be small and lightweight, based on a sane language/platform</li>
</ul>

BEESIP - Task #486 (New): Add support of basic PBX functions for user
https://homeproj.cesnet.cz/issues/486 (2012-06-10T13:23:39Z, Lukáš Macura, macura@opf.slu.cz)
<p>BESIP should be fully configurable for common user functions in PBX.</p>
<ul>
<li>Call forwarding on busy</li>
<li>Call forwarding on unreachable</li>
<li>Call forwarding per caller number</li>
<li>Call redirection</li>
<li>Call blocking</li>
<li>AntiSPIT</li>
</ul>