Backport #792 for 3.9.4. Hide API password on requests (#796)

Author: pablotr9

CHANGELOG.md

@@ -19,6 +19,7 @@ All notable changes to the Wazuh app for Splunk project will be documented in th
 - Fixed error when adding a filter with spaces. [#793](https://github.com/wazuh/wazuh-splunk/issues/793)
 - Fixed downloading tables as CSV. [#788](https://github.com/wazuh/wazuh-splunk/issues/788)
 - Fixed flick in CDB lists table when deleting a list. [#788](https://github.com/wazuh/wazuh-splunk/issues/788)
+- Hide API password from check-connection requests [#792](https://github.com/wazuh/wazuh-splunk/issues/792)
 
 ## Wazuh v3.9.3 - Splunk Enterprise v7.3.0 - Revision 34
 

SplunkAppForWazuh/appserver/controllers/manager.py

@@ -192,7 +192,12 @@ def get_apis(self, **kwargs):
         """
         try:
             apis = self.db.all()
-            result = apis
+            parsed_apis = jsonbak.loads(apis)
+            # Remove the password from the list of apis
+            for api in parsed_apis:
+                if "passapi" in api:
+                    del api["passapi"]
+            result = jsonbak.dumps(parsed_apis)
         except Exception as e:
             self.logger.error(jsonbak.dumps({"error": str(e)}))
             return jsonbak.dumps({"error": str(e)})
@@ -349,6 +354,60 @@ def check_connection(self, **kwargs):
                 return jsonbak.dumps({"status": 400, "error": "Cannot connect to the API"})
         return result
 
+    @expose_page(must_login=False, methods=['GET'])
+    def check_connection_by_id(self, **kwargs):
+        """Given an API id we check the connection.
+        
+        Parameters
+        ----------
+        kwargs : dict
+            The request's parameters
+         """
+        try:
+            opt_id = kwargs["apiId"]
+            current_api = self.get_api(apiId=opt_id)
+            current_api_json = jsonbak.loads(jsonbak.loads(current_api))
+            opt_username = str(current_api_json["data"]["userapi"])
+            opt_password = str(current_api_json["data"]["passapi"])
+            opt_base_url = str(current_api_json["data"]["url"])
+            opt_base_port = str(current_api_json["data"]["portapi"])
+            opt_cluster = False
+            if "cluster" in current_api_json["data"]:
+                opt_cluster = current_api_json["data"]["cluster"] == "true"
+            url = opt_base_url + ":" + opt_base_port
+            auth = requestsbak.auth.HTTPBasicAuth(opt_username, opt_password)
+            verify = False
+            try:
+                # Checks in the first request if the credentials are ok
+                request_manager = self.session.get(
+                    url + '/agents/000?select=name', auth=auth, timeout=20, verify=verify)
+                if request_manager.status_code == 401:
+                    self.logger.error("Cannot connect to API; Invalid credentials.")
+                    return jsonbak.dumps({"status": "400", "error": "Invalid credentials, please check the username and password."})
+                request_manager = request_manager.json()  
+                request_cluster = self.session.get(
+                    url + '/cluster/status', auth=auth, timeout=20, verify=verify).json()
+                request_cluster_name = self.session.get(
+                    url + '/cluster/node', auth=auth, timeout=20, verify=verify).json()
+            except ConnectionError as e:
+                self.logger.error("manager: Cannot connect to API : %s" % (e))
+                return jsonbak.dumps({"status": "400", "error": "Unreachable API, please check the URL and port."})
+            output = {}
+            daemons_ready = self.check_daemons(url, auth, verify, opt_cluster)
+            # Pass the cluster status instead of always False
+            if not daemons_ready:
+                raise Exception("Daemons are not ready yet.")
+            output['managerName'] = request_manager['data']
+            output['clusterMode'] = request_cluster['data']
+            output['clusterName'] = request_cluster_name['data']
+            del current_api_json["data"]["passapi"]
+            output['api'] = current_api_json
+            result = jsonbak.dumps(output)             
+        except Exception as e:
+            self.logger.error("Error when checking API connection: %s" % (e))
+            raise e
+        return result
+
     def check_wazuh_version(self, kwargs):
         """Check Wazuh version
 

SplunkAppForWazuh/appserver/static/js/run/run.js

@@ -49,7 +49,7 @@ define(['./module'], function (module) {
             if (state != 'settings.api'){
               $rootScope.$broadcast('stateChanged', 'settings')
             }
-            if (typeof err === 'string' && err.startsWith('Unexpected Wazuh version.')) {
+            if (typeof err === 'string') {
               $notificationService.showErrorToast(err)
             }
             $state.go('settings.api')

SplunkAppForWazuh/appserver/static/js/services/api-manager/apiMgrService.js

@@ -250,6 +250,37 @@ define(['../module'], function (module) {
       }
     }
 
+
+     /**
+     * Checks a connection given its ID
+     * @param {Object} api
+     */
+    const checkRawConnectionById = async id => {
+      try {
+          const checkConnectionEndpoint = `/manager/check_connection_by_id?apiId=${id}`
+          const result = await $requestService.httpReq(
+            'GET',
+            checkConnectionEndpoint
+          )
+
+           if (result.data.status === 400 || result.data.error) {
+            if (result.data.error === 3099) {
+              throw 'ERROR3099 - Wazuh not ready yet.'
+            } else {
+              throw result.data.error || 'Unreachable API.'
+            }
+          }
+          return result
+      } catch (err) {
+        if (err.status === 500) {
+          throw new Error(
+            'There was an error connecting to the api. Please check your api configuration.'
+          )
+        }
+        return Promise.reject(err)
+      }
+    }
+
     /**
      * Checks if the API has to change its filters
      * @param {Object} api
@@ -297,8 +328,8 @@ define(['../module'], function (module) {
      */
     const checkApiConnection = async id => {
       try {
-        const api = await select(id) //Before update cluster or not cluster
-        await checkRawConnection(api)
+        const connectionData = await checkRawConnectionById(id)
+        const api = connectionData.data.api.data
         const apiSaved = { ...api } //eslint-disable-line
         const updatedApi = await updateApiFilter(api)
         let equal = true
@@ -353,6 +384,7 @@ define(['../module'], function (module) {
 
     return {
       checkApiConnection: checkApiConnection,
+      checkRawConnectionById: checkRawConnectionById,
       checkPollingState: checkPollingState,
       checkSelectedApiConnection: checkSelectedApiConnection,
       getApiList: getApiList,