Update PUT /agents/group/{group}/restart response for groups with no agents #8123

Merged: davidjiglesias merged 2 commits into 4.2 from fix/8001-bad-request-restart-group, Apr 7, 2021
@mcarmona99
Contributor

Related issue
#8001

Hi team,

This PR closes #8001.

We are raising the 1755 error code and message before calling the restart_agents function from the SDK, in dapi.py.

When we try to do the distributed master call (in distribute_function), we call the function forward_request. This function uses get_solver_node to get the nodes the agents belonging to the specific group are reporting to.

If len(agents) == 0, we raise the error mentioned above:

elif 'group_id' in self.f_kwargs:
    common.rbac.set(self.rbac_permissions)
    agents = agent.get_agents_in_group(group_list=[self.f_kwargs['group_id']], select=select_node,
                                       sort={'fields': ['node_name'], 'order': 'desc'}).affected_items
    if len(agents) == 0:
        raise WazuhError(1755)
    del self.f_kwargs['group_id']
    node_name = {k: list(map(operator.itemgetter('id'), g)) for k, g in
                 itertools.groupby(agents, key=operator.itemgetter('node_name'))}
    return node_name

In this PR, I have removed the group_id check in get_solver_node (in dapi.py) used to indicate if the API call was PUT /agents/group/default/restart.

Now the agent controller function restart_agents_by_group gets the agents that belong to the specific group. If the agent list size is 0, we return a JSON response with status 200 and 0 failed and affected items.

I have also updated unittest and API integration tests.

Manual tests:

default: group with 1 agent assigned
group1: nonexistent group
group2: group with no agents assigned

Group with agents:

2021/04/06 10:45:59 INFO: wazuh 172.20.0.1 "PUT /agents/group/default/restart" with parameters {"pretty": "true", "wait_for_complete": "true"} and body {} done in 1.594s: 200

{
  "data": {
    "affected_items": [
      "001"
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "Restart command was sent to all agents",
  "error": 0
}

Group without agents:

2021/04/06 10:44:42 INFO: wazuh 172.20.0.1 "PUT /agents/group/group2/restart" with parameters {"pretty": "true", "wait_for_complete": "true"} and body {} done in 38.726s: 200

{
  "data": {
    "affected_items": [],
    "total_affected_items": 0,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "Restart command was not sent to any agent",
  "error": 0
}

Nonexistent group:

2021/04/06 12:26:32 INFO: wazuh 172.20.0.1 "PUT /agents/group/group1/restart" with parameters {"pretty": "true", "wait_for_complete": "true"} and body {} done in 2.475s: 404

{
  "title": "Resource Not Found",
  "detail": "The group does not exist",
  "remediation": "Please, use `GET /agents/groups` to find all available groups",
  "dapi_errors": {
    "master-node": {
      "error": "The group does not exist"
    }
  },
  "error": 1710
}

With both group:read and agent:read denied (SAME FOR group:read denied and agent:read allowed):

2021/04/06 12:34:04 INFO: manuel 172.20.0.1 "PUT /agents/group/default/restart" with parameters {"pretty": "true", "wait_for_complete": "true"} and body {} done in 0.025s: 403
2021/04/06 12:34:08 INFO: manuel 172.20.0.1 "PUT /agents/group/group1/restart" with parameters {"pretty": "true", "wait_for_complete": "true"} and body {} done in 0.026s: 403
2021/04/06 12:34:12 INFO: manuel 172.20.0.1 "PUT /agents/group/group2/restart" with parameters {"pretty": "true", "wait_for_complete": "true"} and body {} done in 0.024s: 403

The 3 responses were:

{
  "title": "Permission Denied",
  "detail": "Permission denied: Resource type: group:id",
  "remediation": "Please, make sure you have permissions to execute the current request. For more information on how to set up permissions, please visit https://documentation.wazuh.com/4.3/user-manual/api/rbac/configuration.html",
  "dapi_errors": {
    "unknown-node": {
      "error": "Permission denied: Resource type: group:id"
    }
  },
  "error": 4000
}

With group:read allowed and agent:read denied:

"roles": [
          {
            "id": 100,
            "name": "read_group",
            "policies": [
              {
                "id": 5,
                "name": "agents_read_groups",
                "policy": {
                  "actions": [
                    "group:read"
                  ],
                  "resources": [
                    "group:id:*"
                  ],
                  "effect": "allow"
                }
              }
            ],
            ...

Groups with agents:

2021/04/06 13:22:38 INFO: manuel 172.20.0.1 "PUT /agents/group/default/restart" with parameters {"pretty": "true", "wait_for_complete": "true"} and body {} done in 0.039s: 200

{
  "data": {
    "affected_items": [],
    "total_affected_items": 0,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "Restart command was not sent to any agent",
  "error": 0
}

Nonexistent group:

2021/04/06 13:23:10 INFO: manuel 172.20.0.1 "PUT /agents/group/group1/restart" with parameters {"pretty": "true", "wait_for_complete": "true"} and body {} done in 0.036s: 404

{
  "title": "Resource Not Found",
  "detail": "The group does not exist",
  "remediation": "Please, use `GET /agents/groups` to find all available groups",
  "dapi_errors": {
    "unknown-node": {
      "error": "The group does not exist"
    }
  },
  "error": 1710
}

Group with no agents:

2021/04/06 13:23:47 INFO: manuel 172.20.0.1 "PUT /agents/group/group2/restart" with parameters {"pretty": "true", "wait_for_complete": "true"} and body {} done in 0.042s: 200

{
  "data": {
    "affected_items": [],
    "total_affected_items": 0,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "Restart command was not sent to any agent",
  "error": 0
}

Unittest results:

pytest framework/wazuh/core/cluster/dapi/tests/
======================== 23 passed, 9 warnings in 0.57s ========================

Rest of unittests passing.

API integration test results:

test_agent_PUT_endpoints.tavern.yaml
	 9 passed, 11 warnings

test_rbac_white_agent_endpoints.tavern.yaml
	 40 passed, 42 warnings

test_rbac_black_agent_endpoints.tavern.yaml
	 40 passed, 42 warnings

Regards,
Manuel.
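
A client-side check for the responses shown in the description, as an added example that is not part of the original PR or the Wazuh code base. The helper names and outcome labels are hypothetical, and the sample bodies are constructed, trimmed copies of the responses quoted above.

```python
# Error codes taken from the responses quoted in the PR description.
GROUP_NOT_FOUND = 1710
PERMISSION_DENIED = 4000


def classify_restart_response(status, body):
    """Label a PUT /agents/group/{group}/restart response (hypothetical helper)."""
    error = body.get("error")
    if status == 200 and error == 0:
        data = body.get("data", {})
        if data.get("total_failed_items", 0) > 0:
            return "some_failed"
        if data.get("total_affected_items", 0) == 0:
            # Empty group, or caller without agent:read: both produce this
            # body, so HTTP 200 alone does not mean anything was restarted.
            return "no_agents_restarted"
        return "restarted"
    if status == 404 and error == GROUP_NOT_FOUND:
        return "group_not_found"
    if status == 403 and error == PERMISSION_DENIED:
        return "permission_denied"
    return "unexpected"


def _ok(affected):
    # Constructed sample body, trimmed to the fields the classifier reads.
    return {"data": {"affected_items": affected,
                     "total_affected_items": len(affected),
                     "total_failed_items": 0, "failed_items": []},
            "error": 0}


# Constructed samples mirroring the manual tests: (group, status, body).
SAMPLES = [
    ("default", 200, _ok(["001"])),
    ("group2", 200, _ok([])),
    ("group1", 404, {"title": "Resource Not Found", "error": 1710}),
    ("default", 403, {"title": "Permission Denied", "error": 4000}),
]


def classify_all(samples):
    return [(group, classify_restart_response(status, body))
            for group, status, body in samples]


if __name__ == "__main__":
    for group, outcome in classify_all(SAMPLES):
        print(f"{group}: {outcome}")
```

Automation that restarts agents by group should key on `total_affected_items` rather than the HTTP status, since a 200 is returned both for an empty group and for a caller who cannot read the group's agents.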

@davidjiglesias davidjiglesias merged commit 9cb37d9 into 4.2 Apr 7, 2021
@davidjiglesias davidjiglesias deleted the fix/8001-bad-request-restart-group branch April 7, 2021 15:56

Successfully merging this pull request may close these issues.

Trying to restart agents in a group without agents assigned returns "Bad request" message