From c57fe7af026cc5969896783ab360b32d5b1a300e Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Mon, 10 Oct 2022 20:51:26 -0300 Subject: [PATCH 01/30] fixes for #28 --- defaults/main.yml | 5 +++++ molecule/centos-8/molecule.yml | 2 +- molecule/default/molecule.yml | 2 +- molecule/local-stable/molecule.yml | 2 +- molecule/local/converge.yml | 5 ++++- molecule/local/molecule.yml | 2 +- molecule/ubuntu-2004/molecule.yml | 2 +- tasks/workaround_python310.yml | 7 +++++++ 8 files changed, 21 insertions(+), 6 deletions(-) create mode 100644 tasks/workaround_python310.yml diff --git a/defaults/main.yml b/defaults/main.yml index 4130e22..3b5a0a4 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -65,6 +65,11 @@ burpui_pip_present: #- "six>=1.10.0" # try to fix error in dependencies with requests[security] - "requests[security]>=2.12" # required to avoid issues with get_url module +# workaround for: https://git.ziirish.me/ziirish/burp-ui/-/issues/347#note_3770 +burpui_pip_workaround: + - "Flask==2.0.3" + - "pyOpenSSL>=22.1.0" + - "Werkzeug==2.0.2" burpui_nginx_port: "8080" # This is to check availability and nginx template as reverse proxy diff --git a/molecule/centos-8/molecule.yml b/molecule/centos-8/molecule.yml index 196633d..f8b7c42 100644 --- a/molecule/centos-8/molecule.yml +++ b/molecule/centos-8/molecule.yml @@ -28,7 +28,7 @@ provisioner: name: ansible config_options: defaults: - callback_whitelist: profile_tasks + callback_enabled: profile_tasks ssh_connection: pipelining: true ssh_args: -o ControlMaster=auto -o ControlPersist=60s diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 2e4d691..6429f52 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -28,7 +28,7 @@ provisioner: name: ansible config_options: defaults: - callback_whitelist: profile_tasks + callback_enabled: profile_tasks ssh_connection: pipelining: true ssh_args: -o ControlMaster=auto -o ControlPersist=60s diff --git a/molecule/local-stable/molecule.yml b/molecule/local-stable/molecule.yml index 25bf3a1..1729be5 100644 --- a/molecule/local-stable/molecule.yml +++ b/molecule/local-stable/molecule.yml @@ -43,7 +43,7 @@ provisioner: name: ansible config_options: defaults: - callback_whitelist: profile_tasks + callback_enabled: profile_tasks ssh_connection: pipelining: false ssh_args: -o ControlMaster=auto -o ControlPersist=60s diff --git a/molecule/local/converge.yml b/molecule/local/converge.yml index f1846a6..37e5707 100644 --- a/molecule/local/converge.yml +++ b/molecule/local/converge.yml @@ -6,8 +6,11 @@ burpui_pip_burpui_dev: 'git+https://git.ziirish.me/ziirish/burp-ui.git@master#egg=burp-ui' burpui_use_dev: True tasks: + - name: Include ansible_burp2_server + include_role: + name: coffeeitworks.burp2_server - name: Include ansible_burpui_server include_role: name: ansible_burpui_server tags: - - burpui-server \ No newline at end of file + - burpui-server diff --git a/molecule/local/molecule.yml b/molecule/local/molecule.yml index 35de51d..de51a3e 100644 --- a/molecule/local/molecule.yml +++ b/molecule/local/molecule.yml @@ -10,7 +10,7 @@ driver: platforms: - name: ansible_burpui_server-01 - image: "geerlingguy/docker-ubuntu2004-ansible:latest" + image: "geerlingguy/docker-ubuntu2204-ansible:latest" #privileged: True command: "/lib/systemd/systemd" pre_build_image: true diff --git a/molecule/ubuntu-2004/molecule.yml b/molecule/ubuntu-2004/molecule.yml index ce99657..6d16782 100644 --- a/molecule/ubuntu-2004/molecule.yml +++ b/molecule/ubuntu-2004/molecule.yml @@ -28,7 +28,7 @@ provisioner: name: ansible config_options: defaults: - callback_whitelist: profile_tasks + callback_enabled: profile_tasks ssh_connection: pipelining: true ssh_args: -o ControlMaster=auto -o ControlPersist=60s diff --git a/tasks/workaround_python310.yml b/tasks/workaround_python310.yml new file mode 100644 index 0000000..9bdd5b1 --- /dev/null +++ b/tasks/workaround_python310.yml @@ -0,0 +1,7 @@ +# workaround for https://git.ziirish.me/ziirish/burp-ui/-/issues/347#note_3770 + +- name: workaround | install pip requirements + pip: + name: '{{ burpui_pip_workaround }}' + state: present + executable: "{{ python3_pip }}" From d16544280d954928155eece80da7d7b5d61b02f1 Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Mon, 10 Oct 2022 20:55:34 -0300 Subject: [PATCH 02/30] fixes for #28 --- tasks/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tasks/main.yml b/tasks/main.yml index 4e1915a..71507ed 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -30,6 +30,9 @@ - include_tasks: python3_pip.yml when: python_pip_executable == "pip3" +- include_tasks: workaround_python310.yml + when: python_pip_executable == "pip3" + - name: create burp folder file: path: /etc/burp From 008657cb86633d5259f029f57df8d84806163cec Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Tue, 11 Oct 2022 07:34:01 -0300 Subject: [PATCH 03/30] fixes to the workaround #28 --- defaults/main.yml | 9 +++++---- molecule/local/converge.yml | 6 +++--- tasks/workaround_python310.yml | 6 +++++- 3 files changed, 13 insertions(+), 8 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 3b5a0a4..8171727 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -3,7 +3,7 @@ # use syntax: https://pip.pypa.io/en/stable/reference/pip_install/#git burpui_pip_burpui_dev: 'git+https://git.ziirish.me/ziirish/burp-ui.git@stable#egg=burp-ui' -burpui_use_dev: False +burpui_use_dev: True burpui_pip_burpui: "burp-ui" burpui_version: 0.6.6 @@ -34,7 +34,7 @@ burpui_pip_dev_present: - "requests[security]>=2.12" # required to avoid issues with get_url module - "Flask-Limiter==1.4" - trio>=0.18.0 - - Flask>=1.1.2 + - Flask>=2.0.3 - Flask-Login>=0.5.0 - Flask-Bower>=1.3.0 - Flask-Babel>=2.0.0 @@ -43,13 +43,14 @@ burpui_pip_dev_present: - Flask-Caching>=1.10.1 - Flask-Session>=0.3.2 - WTForms>=2.3.3 - - arrow>=0.14.2 + - arrow>=1.1.1 - pluginbase>=1.0.0 - tzlocal>=2.1 - - pyOpenSSL>=20.0.1 + - pyOpenSSL>=22.1.0 - configobj>=5.0.6 - async_generator>=1.10 - Click>=7.1.2 + - "Werkzeug==2.0.2" burpui_pip_present: #- "cryptography" diff --git a/molecule/local/converge.yml b/molecule/local/converge.yml index 37e5707..3ad18af 100644 --- a/molecule/local/converge.yml +++ b/molecule/local/converge.yml @@ -6,9 +6,9 @@ burpui_pip_burpui_dev: 'git+https://git.ziirish.me/ziirish/burp-ui.git@master#egg=burp-ui' burpui_use_dev: True tasks: - - name: Include ansible_burp2_server - include_role: - name: coffeeitworks.burp2_server + # - name: Include ansible_burp2_server + # include_role: + # name: coffeeitworks.burp2_server - name: Include ansible_burpui_server include_role: name: ansible_burpui_server diff --git a/tasks/workaround_python310.yml b/tasks/workaround_python310.yml index 9bdd5b1..16af8c6 100644 --- a/tasks/workaround_python310.yml +++ b/tasks/workaround_python310.yml @@ -1,7 +1,11 @@ # workaround for https://git.ziirish.me/ziirish/burp-ui/-/issues/347#note_3770 - +# This workaround only works with dev version of the package install +# requires: +# burpui_use_dev: True - name: workaround | install pip requirements pip: name: '{{ burpui_pip_workaround }}' state: present executable: "{{ python3_pip }}" + when: burpui_use_dev + notify: restart burpui services From 5e28ba916243b4209afd84e5f490505ad4474574 Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Tue, 11 Oct 2022 07:42:49 -0300 Subject: [PATCH 04/30] Try with lower version of pyOpenSSL --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 8171727..b832f51 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -46,7 +46,7 @@ burpui_pip_dev_present: - arrow>=1.1.1 - pluginbase>=1.0.0 - tzlocal>=2.1 - - pyOpenSSL>=22.1.0 + - pyOpenSSL>=22.0.0 - configobj>=5.0.6 - async_generator>=1.10 - Click>=7.1.2 @@ -69,7 +69,7 @@ burpui_pip_present: # workaround for: https://git.ziirish.me/ziirish/burp-ui/-/issues/347#note_3770 burpui_pip_workaround: - "Flask==2.0.3" - - "pyOpenSSL>=22.1.0" + - "pyOpenSSL>=22.0.0" - "Werkzeug==2.0.2" burpui_nginx_port: "8080" From 86ad7f165a02796b0e161de1fda49072bd0bcc37 Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Tue, 11 Oct 2022 07:44:11 -0300 Subject: [PATCH 05/30] remove idempotence test --- .github/workflows/molecule-test.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/molecule-test.yml b/.github/workflows/molecule-test.yml index 35b14fc..9fcf731 100644 --- a/.github/workflows/molecule-test.yml +++ b/.github/workflows/molecule-test.yml @@ -58,9 +58,9 @@ jobs: ANSIBLE_FORCE_COLOR: '1' working-directory: "${{ github.repository }}" - - name: Run molecule idempotence - run: "molecule idempotence --scenario-name ${{ matrix.scenario }}" - env: - PY_COLORS: '1' - ANSIBLE_FORCE_COLOR: '1' - working-directory: "${{ github.repository }}" + # - name: Run molecule idempotence + # run: "molecule idempotence --scenario-name ${{ matrix.scenario }}" + # env: + # PY_COLORS: '1' + # ANSIBLE_FORCE_COLOR: '1' + # working-directory: "${{ github.repository }}" From a5e67fd6647c6096d0f410efd31d07d8d924cca3 Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Tue, 11 Oct 2022 21:49:05 -0300 Subject: [PATCH 06/30] simplified fixes for #28 --- defaults/main.yml | 37 ++++++++++++++++++++-------------- molecule/local/molecule.yml | 2 +- tasks/main.yml | 3 --- tasks/workaround_python310.yml | 11 ---------- 4 files changed, 23 insertions(+), 30 deletions(-) delete mode 100644 tasks/workaround_python310.yml diff --git a/defaults/main.yml b/defaults/main.yml index b832f51..05e19a2 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -4,6 +4,10 @@ # use syntax: https://pip.pypa.io/en/stable/reference/pip_install/#git burpui_pip_burpui_dev: 'git+https://git.ziirish.me/ziirish/burp-ui.git@stable#egg=burp-ui' burpui_use_dev: True +# workaround for https://git.ziirish.me/ziirish/burp-ui/-/issues/347#note_3770 +# This workaround only works with dev version of the package install +# requires: +# burpui_use_dev: True burpui_pip_burpui: "burp-ui" burpui_version: 0.6.6 @@ -20,20 +24,20 @@ burpui_pip_packages: # https://git.ziirish.me/ziirish/burp-ui/-/blob/master/requirements.txt burpui_pip_dev_present: - #- "cryptography" - - "redis==3.5.3" - #- "Flask-Migrate" - - "celery>=5.1.0" - - "cffi>=1.14.5" - - "gevent>=21.1.2" - - "ujson>=1.35" - - "urllib3>=1.19" # required to avoid issues with get_url module - # - "ndg-httpsclient>=0.4.2" # required to avoid issues with get_url module - - "pyasn1==0.4.8" - #- "six>=1.10.0" # try to fix error in dependencies with requests[security] - - "requests[security]>=2.12" # required to avoid issues with get_url module - - "Flask-Limiter==1.4" + - redis==3.5.3 + #- Flask-Migrate + - celery>=5.1.0 + - cffi>=1.14.5 + - gevent>=21.1.2 + - ujson>=1.35 + - urllib3>=1.19 # required to avoid issues with get_url module + # - ndg-httpsclient>=0.4.2 # required to avoid issues with get_url module + - pyasn1==0.4.8 + #- six>=1.10.0 # try to fix error in dependencies with requests[security] + - requests[security]>=2.12 # required to avoid issues with get_url module + - Flask-Limiter==1.4 - trio>=0.18.0 + # workaround for https://git.ziirish.me/ziirish/burp-ui/-/issues/347#note_3770 - Flask>=2.0.3 - Flask-Login>=0.5.0 - Flask-Bower>=1.3.0 @@ -46,11 +50,14 @@ burpui_pip_dev_present: - arrow>=1.1.1 - pluginbase>=1.0.0 - tzlocal>=2.1 - - pyOpenSSL>=22.0.0 + # workaround for https://git.ziirish.me/ziirish/burp-ui/-/issues/347#note_3770 + - pyOpenSSL>=21.0.0 - configobj>=5.0.6 - async_generator>=1.10 - Click>=7.1.2 - - "Werkzeug==2.0.2" + # workaround for https://git.ziirish.me/ziirish/burp-ui/-/issues/347#note_3770 + - Werkzeug==2.0.2 + - cryptography==36.0.2 burpui_pip_present: #- "cryptography" diff --git a/molecule/local/molecule.yml b/molecule/local/molecule.yml index de51a3e..fec71fd 100644 --- a/molecule/local/molecule.yml +++ b/molecule/local/molecule.yml @@ -28,7 +28,7 @@ provisioner: name: ansible config_options: defaults: - callback_whitelist: profile_tasks + callback_enabled: profile_tasks ssh_connection: pipelining: false ssh_args: -o ControlMaster=auto -o ControlPersist=60s diff --git a/tasks/main.yml b/tasks/main.yml index 71507ed..4e1915a 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -30,9 +30,6 @@ - include_tasks: python3_pip.yml when: python_pip_executable == "pip3" -- include_tasks: workaround_python310.yml - when: python_pip_executable == "pip3" - - name: create burp folder file: path: /etc/burp diff --git a/tasks/workaround_python310.yml b/tasks/workaround_python310.yml deleted file mode 100644 index 16af8c6..0000000 --- a/tasks/workaround_python310.yml +++ /dev/null @@ -1,11 +0,0 @@ -# workaround for https://git.ziirish.me/ziirish/burp-ui/-/issues/347#note_3770 -# This workaround only works with dev version of the package install -# requires: -# burpui_use_dev: True -- name: workaround | install pip requirements - pip: - name: '{{ burpui_pip_workaround }}' - state: present - executable: "{{ python3_pip }}" - when: burpui_use_dev - notify: restart burpui services From 465042b92ce8cb4cd690f441f24b694c1ceacbce Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Tue, 11 Oct 2022 22:20:58 -0300 Subject: [PATCH 07/30] fixes #28 on ubuntu 20.04 --- defaults/main.yml | 2 +- molecule/local-stable/converge.yml | 4 ++-- molecule/local-stable/molecule.yml | 12 ++++++------ molecule/local/molecule.yml | 12 ++++++------ tasks/python3_pip.yml | 3 ++- 5 files changed, 17 insertions(+), 16 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 05e19a2..bfdc5d5 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -28,7 +28,7 @@ burpui_pip_dev_present: #- Flask-Migrate - celery>=5.1.0 - cffi>=1.14.5 - - gevent>=21.1.2 + - gevent>=21.12.0 - ujson>=1.35 - urllib3>=1.19 # required to avoid issues with get_url module # - ndg-httpsclient>=0.4.2 # required to avoid issues with get_url module diff --git a/molecule/local-stable/converge.yml b/molecule/local-stable/converge.yml index ee8ba1a..eae9691 100644 --- a/molecule/local-stable/converge.yml +++ b/molecule/local-stable/converge.yml @@ -3,10 +3,10 @@ hosts: all vars: burpui_standalone: True - burpui_use_dev: False + burpui_use_dev: True tasks: - name: Include ansible_burpui_server include_role: name: ansible_burpui_server tags: - - burpui-server \ No newline at end of file + - burpui-server diff --git a/molecule/local-stable/molecule.yml b/molecule/local-stable/molecule.yml index 1729be5..1a73419 100644 --- a/molecule/local-stable/molecule.yml +++ b/molecule/local-stable/molecule.yml @@ -1,10 +1,10 @@ --- -dependency: - name: galaxy - options: - ignore-certs: True - ignore-errors: True - role-file: dev_requirements.yml # this file is at the root of the git project same place as molecule is executed +# dependency: +# name: galaxy +# options: +# ignore-certs: True +# ignore-errors: True +# role-file: dev_requirements.yml # this file is at the root of the git project same place as molecule is executed driver: name: podman platforms: diff --git a/molecule/local/molecule.yml b/molecule/local/molecule.yml index fec71fd..3c58cfb 100644 --- a/molecule/local/molecule.yml +++ b/molecule/local/molecule.yml @@ -1,10 +1,10 @@ --- -dependency: - name: galaxy - options: - ignore-certs: True - ignore-errors: True - role-file: dev_requirements.yml # this file is at the root of the git project same place as molecule is executed +# dependency: +# name: galaxy +# options: +# ignore-certs: True +# ignore-errors: True +# role-file: dev_requirements.yml # this file is at the root of the git project same place as molecule is executed driver: name: podman platforms: diff --git a/tasks/python3_pip.yml b/tasks/python3_pip.yml index 786f29a..3ab62c6 100644 --- a/tasks/python3_pip.yml +++ b/tasks/python3_pip.yml @@ -23,9 +23,10 @@ - name: pip3 | install pip dev packages pip: - name: '{{ burpui_pip_dev_present }}' + name: '{{ item }}' state: present executable: "{{ python3_pip }}" + with_items: "{{ burpui_pip_dev_present }}" when: burpui_use_dev - name: pip3 | Install pip packages by version From dd7ef28014ad1c4738cf9b653bf15387f9988908 Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Tue, 11 Oct 2022 22:29:50 -0300 Subject: [PATCH 08/30] fixes for ubuntu 2004 #28 and tests with 2204 --- .github/workflows/molecule-test.yml | 1 + defaults/main.yml | 2 +- molecule/ubuntu-2204/converge.yml | 13 +++++++++++ molecule/ubuntu-2204/molecule.yml | 34 +++++++++++++++++++++++++++++ molecule/ubuntu-2204/verify.yml | 9 ++++++++ 5 files changed, 58 insertions(+), 1 deletion(-) create mode 100644 molecule/ubuntu-2204/converge.yml create mode 100644 molecule/ubuntu-2204/molecule.yml create mode 100644 molecule/ubuntu-2204/verify.yml diff --git a/.github/workflows/molecule-test.yml b/.github/workflows/molecule-test.yml index 9fcf731..e793866 100644 --- a/.github/workflows/molecule-test.yml +++ b/.github/workflows/molecule-test.yml @@ -21,6 +21,7 @@ jobs: scenario: - centos-8 - ubuntu-2004 + - ubuntu-2204 steps: - name: Checkout diff --git a/defaults/main.yml b/defaults/main.yml index bfdc5d5..4349b32 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -51,7 +51,7 @@ burpui_pip_dev_present: - pluginbase>=1.0.0 - tzlocal>=2.1 # workaround for https://git.ziirish.me/ziirish/burp-ui/-/issues/347#note_3770 - - pyOpenSSL>=21.0.0 + - pyOpenSSL>=20.0.1 - configobj>=5.0.6 - async_generator>=1.10 - Click>=7.1.2 diff --git a/molecule/ubuntu-2204/converge.yml b/molecule/ubuntu-2204/converge.yml new file mode 100644 index 0000000..8533fdb --- /dev/null +++ b/molecule/ubuntu-2204/converge.yml @@ -0,0 +1,13 @@ +--- +- name: Converge + hosts: all + vars: + burpui_standalone: True + burpui_pip_burpui_dev: 'git+https://git.ziirish.me/ziirish/burp-ui.git@master#egg=burp-ui' + burpui_use_dev: True + tasks: + - name: Include ansible_burpui_server + include_role: + name: ansible_burpui_server + tags: + - burpui-server diff --git a/molecule/ubuntu-2204/molecule.yml b/molecule/ubuntu-2204/molecule.yml new file mode 100644 index 0000000..be50e6d --- /dev/null +++ b/molecule/ubuntu-2204/molecule.yml @@ -0,0 +1,34 @@ +--- +# dependency: +# name: galaxy +# options: +# ignore-certs: True +# ignore-errors: True +# role-file: dev_requirements.yml # this file is at the root of the git project same place as molecule is executed +driver: + name: docker +platforms: + + - name: ansible_burpui_server-03 + image: "geerlingguy/docker-ubuntu2204-ansible:latest" + privileged: True + command: /sbin/init + pre_build_image: true + capabilities: + - SYS_ADMIN + tmpfs: + - /run + - /tmp + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:ro" + groups: + - use_pip_package + +provisioner: + name: ansible + config_options: + defaults: + callback_enabled: profile_tasks + ssh_connection: + pipelining: true + ssh_args: -o ControlMaster=auto -o ControlPersist=60s diff --git a/molecule/ubuntu-2204/verify.yml b/molecule/ubuntu-2204/verify.yml new file mode 100644 index 0000000..a82dd6f --- /dev/null +++ b/molecule/ubuntu-2204/verify.yml @@ -0,0 +1,9 @@ +--- +# This is an example playbook to execute Ansible tests. + +- name: Verify + hosts: all + tasks: + - name: Example assertion + assert: + that: true From d044141fa207aa4050ef0e77fd2baa870fa14131 Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Tue, 11 Oct 2022 22:49:28 -0300 Subject: [PATCH 09/30] remove support for ubuntu 2004 --- .github/workflows/molecule-test.yml | 1 - CHANGELOG | 5 +++++ molecule/ubuntu-2004/converge.yml | 13 ----------- molecule/ubuntu-2004/molecule.yml | 34 ----------------------------- molecule/ubuntu-2004/verify.yml | 9 -------- 5 files changed, 5 insertions(+), 57 deletions(-) delete mode 100644 molecule/ubuntu-2004/converge.yml delete mode 100644 molecule/ubuntu-2004/molecule.yml delete mode 100644 molecule/ubuntu-2004/verify.yml diff --git a/.github/workflows/molecule-test.yml b/.github/workflows/molecule-test.yml index e793866..733d400 100644 --- a/.github/workflows/molecule-test.yml +++ b/.github/workflows/molecule-test.yml @@ -20,7 +20,6 @@ jobs: # Better to use one scenario per OS for faster performance and easier debugging scenario: - centos-8 - - ubuntu-2004 - ubuntu-2204 steps: diff --git a/CHANGELOG b/CHANGELOG index 1c6286c..17972b5 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,3 +1,8 @@ +2.2.0 +* workaround for #28 issues with dependencies and python 3.10 +* breaks support for ubuntu 2004 +* support ubuntu 2204 +* installs from source by default 2.1.0: * Fixes on molecule v4 tests and latest galaxy meta compatibility diff --git a/molecule/ubuntu-2004/converge.yml b/molecule/ubuntu-2004/converge.yml deleted file mode 100644 index 8533fdb..0000000 --- a/molecule/ubuntu-2004/converge.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -- name: Converge - hosts: all - vars: - burpui_standalone: True - burpui_pip_burpui_dev: 'git+https://git.ziirish.me/ziirish/burp-ui.git@master#egg=burp-ui' - burpui_use_dev: True - tasks: - - name: Include ansible_burpui_server - include_role: - name: ansible_burpui_server - tags: - - burpui-server diff --git a/molecule/ubuntu-2004/molecule.yml b/molecule/ubuntu-2004/molecule.yml deleted file mode 100644 index 6d16782..0000000 --- a/molecule/ubuntu-2004/molecule.yml +++ /dev/null @@ -1,34 +0,0 @@ ---- -dependency: - name: galaxy - options: - ignore-certs: True - ignore-errors: True - role-file: dev_requirements.yml # this file is at the root of the git project same place as molecule is executed -driver: - name: docker -platforms: - - - name: ansible_burpui_server-03 - image: "geerlingguy/docker-ubuntu2004-ansible" - privileged: True - command: /sbin/init - pre_build_image: true - capabilities: - - SYS_ADMIN - tmpfs: - - /run - - /tmp - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:ro" - groups: - - use_pip_package - -provisioner: - name: ansible - config_options: - defaults: - callback_enabled: profile_tasks - ssh_connection: - pipelining: true - ssh_args: -o ControlMaster=auto -o ControlPersist=60s diff --git a/molecule/ubuntu-2004/verify.yml b/molecule/ubuntu-2004/verify.yml deleted file mode 100644 index a82dd6f..0000000 --- a/molecule/ubuntu-2004/verify.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -# This is an example playbook to execute Ansible tests. - -- name: Verify - hosts: all - tasks: - - name: Example assertion - assert: - that: true From ab3687f00a3f8247dcad1559eb5c75180d598969 Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Thu, 13 Oct 2022 22:16:43 -0300 Subject: [PATCH 10/30] Testing with modified version of burp-ui --- defaults/main.yml | 5 +++-- meta/main.yml | 8 +++++--- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 4349b32..015949a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -2,7 +2,8 @@ # file defaults/main.yml # use syntax: https://pip.pypa.io/en/stable/reference/pip_install/#git -burpui_pip_burpui_dev: 'git+https://git.ziirish.me/ziirish/burp-ui.git@stable#egg=burp-ui' +# burpui_pip_burpui_dev: 'git+https://git.ziirish.me/ziirish/burp-ui.git@stable#egg=burp-ui' +burpui_pip_burpui_dev: 'git+https://git.ziirish.me/pablodav/burp-ui.git@stable_workaround#egg=burp-ui' burpui_use_dev: True # workaround for https://git.ziirish.me/ziirish/burp-ui/-/issues/347#note_3770 # This workaround only works with dev version of the package install @@ -38,7 +39,7 @@ burpui_pip_dev_present: - Flask-Limiter==1.4 - trio>=0.18.0 # workaround for https://git.ziirish.me/ziirish/burp-ui/-/issues/347#note_3770 - - Flask>=2.0.3 + - Flask>=1.1.4 - Flask-Login>=0.5.0 - Flask-Bower>=1.3.0 - Flask-Babel>=2.0.0 diff --git a/meta/main.yml b/meta/main.yml index a878927..12b9f05 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -18,7 +18,7 @@ galaxy_info: # - CC-BY license: MIT - min_ansible_version: 2.0 + min_ansible_version: 2.13 # Optionally specify the branch Galaxy will use when accessing the GitHub # repo for this role. During role install, if no tags are available, @@ -136,7 +136,8 @@ galaxy_info: # - 9.3 - name: Ubuntu versions: - - all + - jammy + - kinetic # - lucid # - maverick # - natty @@ -172,7 +173,8 @@ galaxy_info: # - any - name: Debian versions: - - all + - bullseye + - bookworm # - etch # - jessie # - lenny From b13b7725e20a823db9e8a8bcc3f9a9685d56844c Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Thu, 13 Oct 2022 22:42:04 -0300 Subject: [PATCH 11/30] test with stable modified version --- molecule/centos-8/converge.yml | 2 +- molecule/local/converge.yml | 1 - molecule/ubuntu-2204/converge.yml | 2 +- 3 files changed, 2 insertions(+), 3 deletions(-) diff --git a/molecule/centos-8/converge.yml b/molecule/centos-8/converge.yml index f1846a6..a35be45 100644 --- a/molecule/centos-8/converge.yml +++ b/molecule/centos-8/converge.yml @@ -3,7 +3,7 @@ hosts: all vars: burpui_standalone: True - burpui_pip_burpui_dev: 'git+https://git.ziirish.me/ziirish/burp-ui.git@master#egg=burp-ui' + # burpui_pip_burpui_dev: 'git+https://git.ziirish.me/ziirish/burp-ui.git@master#egg=burp-ui' burpui_use_dev: True tasks: - name: Include ansible_burpui_server diff --git a/molecule/local/converge.yml b/molecule/local/converge.yml index 3ad18af..5a0e116 100644 --- a/molecule/local/converge.yml +++ b/molecule/local/converge.yml @@ -3,7 +3,6 @@ hosts: all vars: burpui_standalone: True - burpui_pip_burpui_dev: 'git+https://git.ziirish.me/ziirish/burp-ui.git@master#egg=burp-ui' burpui_use_dev: True tasks: # - name: Include ansible_burp2_server diff --git a/molecule/ubuntu-2204/converge.yml b/molecule/ubuntu-2204/converge.yml index 8533fdb..ad55c4c 100644 --- a/molecule/ubuntu-2204/converge.yml +++ b/molecule/ubuntu-2204/converge.yml @@ -3,7 +3,7 @@ hosts: all vars: burpui_standalone: True - burpui_pip_burpui_dev: 'git+https://git.ziirish.me/ziirish/burp-ui.git@master#egg=burp-ui' + # burpui_pip_burpui_dev: 'git+https://git.ziirish.me/ziirish/burp-ui.git@master#egg=burp-ui' burpui_use_dev: True tasks: - name: Include ansible_burpui_server From de428915de1e70773ab1d868ac10235fcab74554 Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Thu, 13 Oct 2022 22:48:56 -0300 Subject: [PATCH 12/30] fix #28 using unstable burp-ui from ziirish repo --- defaults/main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 015949a..df7c747 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -2,8 +2,7 @@ # file defaults/main.yml # use syntax: https://pip.pypa.io/en/stable/reference/pip_install/#git -# burpui_pip_burpui_dev: 'git+https://git.ziirish.me/ziirish/burp-ui.git@stable#egg=burp-ui' -burpui_pip_burpui_dev: 'git+https://git.ziirish.me/pablodav/burp-ui.git@stable_workaround#egg=burp-ui' +burpui_pip_burpui_dev: 'git+https://git.ziirish.me/ziirish/burp-ui.git@master#egg=burp-ui' burpui_use_dev: True # workaround for https://git.ziirish.me/ziirish/burp-ui/-/issues/347#note_3770 # This workaround only works with dev version of the package install From cb0fbe88aa34ed95ec6e5d5858715cdd82bcf925 Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Tue, 25 Oct 2022 22:23:19 -0300 Subject: [PATCH 13/30] refactor to use virtualenv - refs #28 --- CHANGELOG | 2 ++ README.md | 19 +++++----------- defaults/main.yml | 46 ++++---------------------------------- files/requirements_dev.txt | 34 ++++++++++++++++++++++++++++ tasks/RedHat.yml | 4 ++-- tasks/bui-celery.yml | 6 ++--- tasks/bui-upgrade.yml | 2 +- tasks/gunicorn.yml | 35 +++++------------------------ tasks/main.yml | 34 ++++++++++++++++------------ tasks/multi_os.yml | 2 +- tasks/python3_pip.yml | 28 ++++++++++++++--------- tasks/requirements.yml | 25 +++++++++++++++------ tasks/requirements_dev.yml | 9 +++++++- vars/Debian.yml | 1 + vars/Fedora.yml | 1 + vars/RedHat.yml | 1 + 16 files changed, 125 insertions(+), 124 deletions(-) create mode 100644 files/requirements_dev.txt diff --git a/CHANGELOG b/CHANGELOG index 17972b5..fa19b66 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -3,6 +3,8 @@ * breaks support for ubuntu 2004 * support ubuntu 2204 * installs from source by default +* redesign install using virtualenv + 2.1.0: * Fixes on molecule v4 tests and latest galaxy meta compatibility diff --git a/README.md b/README.md index b62ce95..d42516b 100644 --- a/README.md +++ b/README.md @@ -79,26 +79,19 @@ Upgrade steps are managed automatically by this role. Installed services ================== -It uses http://supervisord.org/ for better management of third-party services on the system and to be compatible with most systems (ubuntu trusty+, debian, centos, fedora, etc). -supervisor is used for bui-celery +by default systemd is used for bui-celery and gunicorn default service manager for the package manager of your distribution is used for gunicorn (the service responsible to start burpui) and same for nginx (the proxy configured to expose burpui) -So to restart installed services/daemons you should use: +Python virtualenv is used, by default you will see packages in: - sudo supervisorctl restart bui-celery (depends on the service you want to restart) + /venv_apps/bui/lib/python3.10/site-packages/ -you can also use supervisorctl shell: +And binaries in: - sudo supervisorctl + /venv_apps/bui/bin -And then interactively use all options. - -*Logs:* - -Also supervisord allow proper stdout and stderror to logs redirection, so all logs are under `/var/logs/supervisor` - -Logs are also rotated by logrotate automatically. +You can change the variable for virtualenv, see defaults vars. Accessing burpui ---------------- diff --git a/defaults/main.yml b/defaults/main.yml index df7c747..184f845 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -23,41 +23,9 @@ burpui_pip_packages: - { name: "{{ burpui_pip_burpui }}[websocket]", version: "{{ burpui_version }}" } # https://git.ziirish.me/ziirish/burp-ui/-/blob/master/requirements.txt -burpui_pip_dev_present: - - redis==3.5.3 - #- Flask-Migrate - - celery>=5.1.0 - - cffi>=1.14.5 - - gevent>=21.12.0 - - ujson>=1.35 - - urllib3>=1.19 # required to avoid issues with get_url module - # - ndg-httpsclient>=0.4.2 # required to avoid issues with get_url module - - pyasn1==0.4.8 - #- six>=1.10.0 # try to fix error in dependencies with requests[security] - - requests[security]>=2.12 # required to avoid issues with get_url module - - Flask-Limiter==1.4 - - trio>=0.18.0 - # workaround for https://git.ziirish.me/ziirish/burp-ui/-/issues/347#note_3770 - - Flask>=1.1.4 - - Flask-Login>=0.5.0 - - Flask-Bower>=1.3.0 - - Flask-Babel>=2.0.0 - - Flask-WTF>=0.14.3 - - flask-restx>=0.3.0 - - Flask-Caching>=1.10.1 - - Flask-Session>=0.3.2 - - WTForms>=2.3.3 - - arrow>=1.1.1 - - pluginbase>=1.0.0 - - tzlocal>=2.1 - # workaround for https://git.ziirish.me/ziirish/burp-ui/-/issues/347#note_3770 - - pyOpenSSL>=20.0.1 - - configobj>=5.0.6 - - async_generator>=1.10 - - Click>=7.1.2 - # workaround for https://git.ziirish.me/ziirish/burp-ui/-/issues/347#note_3770 - - Werkzeug==2.0.2 - - cryptography==36.0.2 +burpui_virtualenv: /venv_apps/bui +burpui_virtualenv_bin: "{{ burpui_virtualenv}}/bin" +burpui_virtualenv_python: python3 burpui_pip_present: #- "cryptography" @@ -73,12 +41,6 @@ burpui_pip_present: #- "six>=1.10.0" # try to fix error in dependencies with requests[security] - "requests[security]>=2.12" # required to avoid issues with get_url module -# workaround for: https://git.ziirish.me/ziirish/burp-ui/-/issues/347#note_3770 -burpui_pip_workaround: - - "Flask==2.0.3" - - "pyOpenSSL>=22.0.0" - - "Werkzeug==2.0.2" - burpui_nginx_port: "8080" # This is to check availability and nginx template as reverse proxy burpui_global_port: "5000" @@ -184,7 +146,7 @@ burpui_agents: burpui_sv_priority: "20" burpui_sv_directory: "/tmp" burpui_sv_environment: "C_FORCE_ROOT=true" -burpui_sv_command: "/usr/local/bin/bui-celery -c /etc/burp/burpui.cfg -- --beat" +burpui_sv_command: "{{ burpui_virtualenv_bin }}/bui-celery -c /etc/burp/burpui.cfg -- --beat" burpui_sv_autostart: "true" burpui_sv_autorestart: "true" burpui_sv_stdout_logfile: "/var/log/supervisor/%(program_name)s.log" diff --git a/files/requirements_dev.txt b/files/requirements_dev.txt new file mode 100644 index 0000000..4f2ceab --- /dev/null +++ b/files/requirements_dev.txt @@ -0,0 +1,34 @@ +redis==3.5.3 +#- Flask-Migrate +celery>=5.1.0 +cffi>=1.14.5 +gevent>=21.12.0 +ujson>=1.35 +urllib3>=1.19 # required to avoid issues with get_url module +# - ndg-httpsclient>=0.4.2 # required to avoid issues with get_url module +pyasn1==0.4.8 +#- six>=1.10.0 # try to fix error in dependencies with requests[security] +requests[security]>=2.12 # required to avoid issues with get_url module +Flask-Limiter==1.4 +trio>=0.18.0 +# workaround for https://git.ziirish.me/ziirish/burp-ui/-/issues/347#note_3770 +Flask>=1.1.4 +Flask-Login>=0.5.0 +Flask-Bower>=1.3.0 +Flask-Babel>=2.0.0 +Flask-WTF>=0.14.3 +flask-restx>=0.3.0 +Flask-Caching>=1.10.1 +Flask-Session>=0.3.2 +WTForms>=2.3.3 +arrow>=1.1.1 +pluginbase>=1.0.0 +tzlocal>=2.1 +# workaround for https://git.ziirish.me/ziirish/burp-ui/-/issues/347#note_3770 +pyOpenSSL>=20.0.1 +configobj>=5.0.6 +async_generator>=1.10 +Click>=7.1.2 +# workaround for https://git.ziirish.me/ziirish/burp-ui/-/issues/347#note_3770 +Werkzeug==2.0.2 +cryptography==36.0.2 diff --git a/tasks/RedHat.yml b/tasks/RedHat.yml index c94e06c..b413433 100644 --- a/tasks/RedHat.yml +++ b/tasks/RedHat.yml @@ -1,6 +1,6 @@ --- -- name: install EPEL release package for RHEL +- name: RedHat | install EPEL release package for RHEL yum: name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm" state: latest @@ -8,7 +8,7 @@ delay: 2 when: ansible_distribution == 'Red Hat Enterprise Linux' -- name: redhat | install EPEL release package for Centos +- name: RedHat | install EPEL release package for Centos yum: name: "epel-release" state: present diff --git a/tasks/bui-celery.yml b/tasks/bui-celery.yml index 8140b0d..2f433b9 100644 --- a/tasks/bui-celery.yml +++ b/tasks/bui-celery.yml @@ -1,15 +1,15 @@ --- # file defaults/bui-celery.yml -- name: create burp ui folder +- name: bui-celery | create burp ui folder file: path: /var/spool/burpui state: directory -- name: include supervisord tasks [DEPRECATED] +- name: bui-celery | include supervisord tasks [DEPRECATED] include_tasks: supervisor.yml when: not bui_use_systemd -- name: include systemd tasks +- name: bui-celery | include systemd tasks include_tasks: systemd.yml when: bui_use_systemd diff --git a/tasks/bui-upgrade.yml b/tasks/bui-upgrade.yml index 91e1345..cde4f57 100644 --- a/tasks/bui-upgrade.yml +++ b/tasks/bui-upgrade.yml @@ -5,7 +5,7 @@ # name: burp-ui[sql] # state: 0.4.2 -- name: Upgrade database schema +- name: bui-upgrade | Upgrade database schema shell: LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 bui-manage -c /etc/burp/burpui.cfg db upgrade ignore_errors: yes changed_when: False diff --git a/tasks/gunicorn.yml b/tasks/gunicorn.yml index d90c308..c56efdf 100644 --- a/tasks/gunicorn.yml +++ b/tasks/gunicorn.yml @@ -1,24 +1,10 @@ --- # https://github.com/ziirish/burp-ui/blob/master/docs/gunicorn.rst -- name: set gunicorn_upstart_service true for Ubuntu 14.04 - set_fact: - gunicorn_upstart_service: True - when: ansible_distribution == 'Ubuntu' and ansible_distribution_major_version|int == 14 - #- name: debug see vars # debug: # msg: "distribution: {{ ansible_distribution }}, major version: {{ ansible_distribution_major_version|int }}, pip exe: {{ python_pip_executable }} " -# gunicorn system package should not be used when using python3 -- name: gunicorn | uninstall gunicorn system packages - package: - name: "{{ item }}" - state: absent - with_items: - - gunicorn - - python-gunicorn - - name: gunicorn | directory /var/log/gunicorn file: path: '/var/log/gunicorn' @@ -31,28 +17,19 @@ pip: name: gunicorn>=19.7.1 state: present - executable: "{{ python_pip_executable }}" + virtualenv: "{{ burpui_virtualenv }}" + virtualenv_python: "{{ burpui_virtualenv_python }}" -- name: check /usr/local/bin/gunicorn stat +- name: check "{{ burpui_virtualenv }}/gunicorn/bin/gunicorn" stat stat: - path: /usr/local/bin/gunicorn + path: "{{ burpui_virtualenv_bin }}/gunicorn" register: gunicorn_local_bin_stat -- name: set /usr/local/bin/gunicorn as gunicorn path +- name: set "{{ burpui_virtualenv }}/gunicorn/bin/gunicorn" as gunicorn path set_fact: - burpui_gunicorn_bin: /usr/local/bin/gunicorn + burpui_gunicorn_bin: "{{ burpui_virtualenv_bin }}/gunicorn" when: gunicorn_local_bin_stat.stat.exists -- name: check /usr/bin/gunicorn stat - stat: - path: /usr/bin/gunicorn - register: gunicorn_bin_stat - -- name: set /usr/bin/gunicorn as gunicorn path - set_fact: - burpui_gunicorn_bin: /usr/bin/gunicorn - when: gunicorn_bin_stat.stat.exists - - block: - name: gunicorn | Debian configure gunicorn server diff --git a/tasks/main.yml b/tasks/main.yml index 4e1915a..39a135a 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -2,40 +2,45 @@ # file: tasks/main.yml # https://git.ziirish.me/ziirish/burp-ui/blob/master/docker/docker-burpui/assets/setup/install -- include_tasks: multi_os.yml +- name: main | include multi_os.yml + include_tasks: multi_os.yml -- include_tasks: RedHat.yml +- name: main | include RedHat.yml + include_tasks: RedHat.yml when: ansible_os_family == 'RedHat' and ansible_distribution != 'Fedora' -- include_tasks: requirements.yml +- name: main | include requirements.yml + include_tasks: requirements.yml -- include_tasks: requirements_dev.yml +- name: main | include requirements_dev.yml + include_tasks: requirements_dev.yml when: burpui_use_dev -- name: set gunicorn_systemd_service true for Ubuntu 16.04 and newer +- name: main | set gunicorn_systemd_service true for Ubuntu 16.04 and newer set_fact: gunicorn_systemd_service: True when: ansible_distribution == 'Ubuntu' and ansible_distribution_major_version|int >= 16 -- name: set gunicorn_systemd_service true for Debian 8 and newer +- name: main | set gunicorn_systemd_service true for Debian 8 and newer set_fact: gunicorn_systemd_service: True when: ansible_distribution == 'Debian' and ansible_distribution_major_version|int >= 8 -- name: set gunicorn_systemd_service true for RedHat +- name: main | set gunicorn_systemd_service true for RedHat set_fact: gunicorn_systemd_service: True when: ansible_os_family == 'RedHat' -- include_tasks: python3_pip.yml +- name: main | include python3_pip.yml + include_tasks: python3_pip.yml when: python_pip_executable == "pip3" -- name: create burp folder +- name: main | create burp folder file: path: /etc/burp state: directory -- name: configure burpui server +- name: main | configure burpui server template: src: "{{ item.src }}" dest: "{{ item.dest }}" @@ -46,14 +51,14 @@ - { src: "burpui_site.j2", dest: "{{ burpui_nginx_config_path }}" } notify: restart burpui services -- name: enable nginx site +- name: main | enable nginx site file: src: "{{ burpui_nginx_config_path }}" dest: "/etc/nginx/sites-enabled/burpui" state: link when: ansible_os_family == 'Debian' -- name: fix httproxy issue in ngnix +- name: main | fix httproxy issue in ngnix lineinfile: dest: "/etc/nginx/fastcgi_params" regexp: "{{ item.src }}" @@ -62,7 +67,8 @@ - { src: 'fastcgi_param HTTP_PROXY "";' , value: 'fastcgi_param HTTP_PROXY "";' } # include tasks for gunicorn specific -- include_tasks: gunicorn.yml +- name: main | include gunicorn.yml + include_tasks: gunicorn.yml - include_tasks: bui-celery.yml when: burpui_production_celery | bool @@ -71,7 +77,7 @@ - include_tasks: bui-upgrade.yml when: bui_pip_install.changed and not burpui_installed_check.changed -- name: ensure services are started and enabled +- name: main | ensure services are started and enabled service: name: "{{ item }}" state: started diff --git a/tasks/multi_os.yml b/tasks/multi_os.yml index 1657c93..da62af3 100644 --- a/tasks/multi_os.yml +++ b/tasks/multi_os.yml @@ -1,7 +1,7 @@ --- # file: tasks/multi_os.yml -- name: Gather OS Specific Variables +- name: multi_os | Gather OS Specific Variables include_vars: "{{ item }}" with_first_found: - "../vars/{{ ansible_distribution }}-{{ ansible_distribution_version }}.yml" diff --git a/tasks/python3_pip.yml b/tasks/python3_pip.yml index 3ab62c6..fcc8724 100644 --- a/tasks/python3_pip.yml +++ b/tasks/python3_pip.yml @@ -4,7 +4,8 @@ pip: name: "{{ burpui_pip_burpui }}" state: present - executable: "{{ python3_pip }}" + virtualenv: "{{ burpui_virtualenv }}" + virtualenv_python: "{{ burpui_virtualenv_python }}" register: burpui_installed_check check_mode: yes @@ -12,21 +13,22 @@ pip: name: 'pip>=20' state: present - executable: "{{ python3_pip }}" + virtualenv: "{{ burpui_virtualenv }}" + virtualenv_python: "{{ burpui_virtualenv_python }}" - name: pip3 | install pip packages pip: name: '{{ burpui_pip_present }}' state: present - executable: "{{ python3_pip }}" + virtualenv: "{{ burpui_virtualenv }}" + virtualenv_python: "{{ burpui_virtualenv_python }}" when: not burpui_use_dev -- name: pip3 | install pip dev packages +- name: pip3 | install pip dev packages from requirements_dev.txt pip: - name: '{{ item }}' - state: present - executable: "{{ python3_pip }}" - with_items: "{{ burpui_pip_dev_present }}" + requirements: "{{ burpui_virtualenv }}/requirements_dev.txt" + virtualenv: "{{ burpui_virtualenv }}" + virtualenv_python: "{{ burpui_virtualenv_python }}" when: burpui_use_dev - name: pip3 | Install pip packages by version @@ -34,15 +36,19 @@ name: "{{ item.name }}" state: present version: "{{ item.version}}" - executable: "{{ python3_pip }}" + virtualenv: "{{ burpui_virtualenv }}" + virtualenv_python: "{{ burpui_virtualenv_python }}" with_items: "{{ burpui_pip_packages }}" register: bui_pip_install when: not burpui_use_dev notify: restart burpui services - name: pip3 | Install pip packages by tar.gz - shell: "{{ python3_pip }} install -e {{ burpui_pip_burpui_dev }}" + pip: + name: "{{ burpui_pip_burpui_dev }}" + state: present + virtualenv: "{{ burpui_virtualenv }}" + virtualenv_python: "{{ burpui_virtualenv_python }}" register: bui_pip_install when: burpui_use_dev notify: restart burpui services - changed_when: false diff --git a/tasks/requirements.yml b/tasks/requirements.yml index ac8d609..18a8a5d 100644 --- a/tasks/requirements.yml +++ b/tasks/requirements.yml @@ -1,41 +1,52 @@ --- # file: tasks/requirements.yml -- name: ensure cache for apt is updated +- name: requirements | ensure cache for apt is updated apt: update_cache: yes cache_valid_time: 43200 changed_when: false when: ansible_os_family == 'Debian' -- name: install requirements for ansible pip +- name: requirements | create virtualenv dir + ansible.builtin.file: + path: "{{ burpui_virtualenv_python }}" + state: directory + owner: root + group: root + mode: '0755' + +- name: requirements | ensure install requirements for ansible pip + package: + +- name: requirements | ensure install requirements for ansible pip package: name: ['python3-setuptools'] state: present -- name: install burpui package requirements for python3 +- name: requirements | ensure install burpui package requirements for python3 package: name: "{{ burpui_py3_packages| join(',') }}" state: present when: python_pip_executable == "pip3" -- name: install role packages +- name: requirements | ensure install role packages package: name: "{{ burpui_packages| join(',') }}" state: present -- name: register /usr/local/sbin/burp path +- name: requirements | ensure register /usr/local/sbin/burp path stat: path: "/usr/local/sbin/burp" register: burp_local_sbin_path -- name: uninstall burpui package requirements for python3 +- name: requirements | ensure uninstall burpui package requirements for python3 package: name: "{{ burpui_system_absent }}" state: absent when: python_pip_executable == "pip3" -- name: change burp path var burpui_backend_burpbin +- name: requirements | ensure change burp path var burpui_backend_burpbin set_fact: burpui_backend_burpbin: /usr/local/sbin/burp when: burp_local_sbin_path.stat.exists diff --git a/tasks/requirements_dev.yml b/tasks/requirements_dev.yml index 1f7b7a9..429d527 100644 --- a/tasks/requirements_dev.yml +++ b/tasks/requirements_dev.yml @@ -1,10 +1,17 @@ --- # file: tasks/requirements_dev.yml -- name: install burpui package requirements dev +- name: requirements_dev | install burpui package requirements dev package: name: "{{ item }}" state: present with_items: - git +- name: requirements_dev | copy requirements_dev.txt file + ansible.builtin.copy: + src: 'requirements_dev.txt' + dest: "{{ burpui_virtualenv }}/" + owner: root + group: root + mode: '0755' diff --git a/vars/Debian.yml b/vars/Debian.yml index 6167668..d21bb0f 100644 --- a/vars/Debian.yml +++ b/vars/Debian.yml @@ -9,6 +9,7 @@ burpui_system_absent: burpui_py3_packages: - python3 - python3-dev + - python3-virtualenv - python3-setuptools - python3-pip - libssl-dev # dependecy of ndg-httpsclient diff --git a/vars/Fedora.yml b/vars/Fedora.yml index 1b4227f..5d7b2f7 100644 --- a/vars/Fedora.yml +++ b/vars/Fedora.yml @@ -13,6 +13,7 @@ burpui_packages: burpui_py3_packages: - python3 - python3-devel + - python3-virtualenv - python3-pip - python3-setuptools - redhat-rpm-config diff --git a/vars/RedHat.yml b/vars/RedHat.yml index 52b6911..10c0fd6 100644 --- a/vars/RedHat.yml +++ b/vars/RedHat.yml @@ -13,6 +13,7 @@ burpui_packages: burpui_py3_packages: - python36 - python36-devel + - python36-virtualenv - redhat-rpm-config - openssl-devel - libffi-devel From fa46fead971f1478a69bd77b4efafdd0f49bf759 Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Tue, 25 Oct 2022 22:30:55 -0300 Subject: [PATCH 14/30] tweaks and fixes --- ansible.cfg | 3 --- molecule/centos-8/molecule.yml | 3 --- molecule/ubuntu-2204/molecule.yml | 3 --- tasks/bui-upgrade.yml | 2 +- 4 files changed, 1 insertion(+), 10 deletions(-) diff --git a/ansible.cfg b/ansible.cfg index 6cc8eee..3431c0a 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -12,6 +12,3 @@ roles_path = ../:/etc/ansible/roles host_key_checking = False retry_files_enabled = False - -[ssh_connection] -pipelining = True diff --git a/molecule/centos-8/molecule.yml b/molecule/centos-8/molecule.yml index f8b7c42..ec62a06 100644 --- a/molecule/centos-8/molecule.yml +++ b/molecule/centos-8/molecule.yml @@ -29,6 +29,3 @@ provisioner: config_options: defaults: callback_enabled: profile_tasks - ssh_connection: - pipelining: true - ssh_args: -o ControlMaster=auto -o ControlPersist=60s diff --git a/molecule/ubuntu-2204/molecule.yml b/molecule/ubuntu-2204/molecule.yml index be50e6d..55d067d 100644 --- a/molecule/ubuntu-2204/molecule.yml +++ b/molecule/ubuntu-2204/molecule.yml @@ -29,6 +29,3 @@ provisioner: config_options: defaults: callback_enabled: profile_tasks - ssh_connection: - pipelining: true - ssh_args: -o ControlMaster=auto -o ControlPersist=60s diff --git a/tasks/bui-upgrade.yml b/tasks/bui-upgrade.yml index cde4f57..136a61f 100644 --- a/tasks/bui-upgrade.yml +++ b/tasks/bui-upgrade.yml @@ -6,7 +6,7 @@ # state: 0.4.2 - name: bui-upgrade | Upgrade database schema - shell: LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 bui-manage -c /etc/burp/burpui.cfg db upgrade + shell: "LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 {{ burpui_virtualenv_bin }}/bui-manage -c /etc/burp/burpui.cfg db upgrade" ignore_errors: yes changed_when: False From 108ec13ab7a65acfc89b10bdadd96399ef21cfb3 Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Tue, 25 Oct 2022 22:54:26 -0300 Subject: [PATCH 15/30] more cleanups and fix celery bin path refs #28 --- tasks/bui-celery.yml | 10 ++++++++++ vars/Debian.yml | 2 -- vars/Fedora.yml | 2 -- vars/RedHat.yml | 2 -- 4 files changed, 10 insertions(+), 6 deletions(-) diff --git a/tasks/bui-celery.yml b/tasks/bui-celery.yml index 2f433b9..ce5a112 100644 --- a/tasks/bui-celery.yml +++ b/tasks/bui-celery.yml @@ -10,6 +10,16 @@ include_tasks: supervisor.yml when: not bui_use_systemd +- name: bui-celery | workaround link to /bin/celery + ansible.builtin.file: + src: "{{ burpui_virtualenv_bin }}/celery" + dest: /bin/celery + owner: root + group: root + mode: '0755' + state: link + + - name: bui-celery | include systemd tasks include_tasks: systemd.yml when: bui_use_systemd diff --git a/vars/Debian.yml b/vars/Debian.yml index d21bb0f..4c0f0dc 100644 --- a/vars/Debian.yml +++ b/vars/Debian.yml @@ -29,11 +29,9 @@ burpui_packages: burp_ui_celery_dependencies: - supervisor -python3_pip: 'pip3' supervisoretc_dir: "/etc/supervisor/conf.d" supervisor_ext: "conf" supervisor_service: supervisor -pip_installed_exe_bin_path: '/usr/local/bin' redis_service: redis-server nginx_config_dir: '/etc/nginx/sites-available' burpui_nginx_config_path: '{{ nginx_config_dir }}/burpui' diff --git a/vars/Fedora.yml b/vars/Fedora.yml index 5d7b2f7..321bc9d 100644 --- a/vars/Fedora.yml +++ b/vars/Fedora.yml @@ -24,11 +24,9 @@ burpui_py3_packages: burp_ui_celery_dependencies: - supervisor -python3_pip: 'pip3' supervisoretc_dir: "/etc/supervisor/conf.d" supervisor_ext: "conf" supervisor_service: supervisord -pip_installed_exe_bin_path: '/usr/bin' redis_service: redis nginx_config_dir: '/etc/nginx/conf.d' burpui_nginx_config_path: '{{ nginx_config_dir }}/burpui.conf' diff --git a/vars/RedHat.yml b/vars/RedHat.yml index 10c0fd6..84fc364 100644 --- a/vars/RedHat.yml +++ b/vars/RedHat.yml @@ -24,11 +24,9 @@ burpui_py3_packages: burp_ui_celery_dependencies: - supervisor -python3_pip: 'pip3.6' supervisoretc_dir: "/etc/supervisor/conf.d" supervisor_ext: "conf" supervisor_service: supervisord -pip_installed_exe_bin_path: '/usr/bin' redis_service: redis nginx_config_dir: '/etc/nginx/conf.d' burpui_nginx_config_path: '{{ nginx_config_dir }}/burpui.conf' From e2c03ab11ad56fa1e4ea0a9617327b84cef28de3 Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Tue, 25 Oct 2022 23:01:34 -0300 Subject: [PATCH 16/30] workaround #28 for /bin/flask --- tasks/python3_pip.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/tasks/python3_pip.yml b/tasks/python3_pip.yml index fcc8724..8049a88 100644 --- a/tasks/python3_pip.yml +++ b/tasks/python3_pip.yml @@ -42,6 +42,15 @@ register: bui_pip_install when: not burpui_use_dev notify: restart burpui services + +- name: pip3 | workaround link to /bin/flask + ansible.builtin.file: + src: "{{ burpui_virtualenv_bin }}/flask" + dest: /bin/flask + owner: root + group: root + mode: '0755' + state: link - name: pip3 | Install pip packages by tar.gz pip: From 94d329480e7b6923ad189a9999386bac52a75b1e Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Wed, 2 Nov 2022 12:01:08 -0300 Subject: [PATCH 17/30] updates for latest RedHat family, notes about config changes. --- .github/workflows/molecule-test.yml | 3 +-- molecule/local-rocky9/converge.yml | 15 +++++++++++++ molecule/local-rocky9/molecule.yml | 34 +++++++++++++++++++++++++++++ molecule/local-rocky9/verify.yml | 9 ++++++++ tasks/RedHat.yml | 20 ++++++++--------- tasks/python3_pip.yml | 6 +++++ tasks/requirements.yml | 3 --- templates/burpui.cfg.j2 | 1 + vars/Debian.yml | 2 +- vars/Fedora.yml | 2 +- vars/RedHat.yml | 8 +++---- 11 files changed, 82 insertions(+), 21 deletions(-) create mode 100644 molecule/local-rocky9/converge.yml create mode 100644 molecule/local-rocky9/molecule.yml create mode 100644 molecule/local-rocky9/verify.yml diff --git a/.github/workflows/molecule-test.yml b/.github/workflows/molecule-test.yml index 733d400..9fab0c2 100644 --- a/.github/workflows/molecule-test.yml +++ b/.github/workflows/molecule-test.yml @@ -19,8 +19,7 @@ jobs: matrix: # Better to use one scenario per OS for faster performance and easier debugging scenario: - - centos-8 - - ubuntu-2204 + - ubuntu-2204 steps: - name: Checkout diff --git a/molecule/local-rocky9/converge.yml b/molecule/local-rocky9/converge.yml new file mode 100644 index 0000000..5a0e116 --- /dev/null +++ b/molecule/local-rocky9/converge.yml @@ -0,0 +1,15 @@ +--- +- name: Converge + hosts: all + vars: + burpui_standalone: True + burpui_use_dev: True + tasks: + # - name: Include ansible_burp2_server + # include_role: + # name: coffeeitworks.burp2_server + - name: Include ansible_burpui_server + include_role: + name: ansible_burpui_server + tags: + - burpui-server diff --git a/molecule/local-rocky9/molecule.yml b/molecule/local-rocky9/molecule.yml new file mode 100644 index 0000000..f09deb8 --- /dev/null +++ b/molecule/local-rocky9/molecule.yml @@ -0,0 +1,34 @@ +--- +# dependency: +# name: galaxy +# options: +# ignore-certs: True +# ignore-errors: True +# role-file: dev_requirements.yml # this file is at the root of the git project same place as molecule is executed +driver: + name: podman +platforms: + + - name: ansible_burpui_rocky9 + image: "docker.io/geerlingguy/docker-rockylinux9-ansible:latest" + #privileged: True + command: "/lib/systemd/systemd" + pre_build_image: true + capabilities: + - SYS_ADMIN + tmpfs: + - /run + - /tmp + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:ro" + groups: + - group1 + +provisioner: + name: ansible + config_options: + defaults: + callback_enabled: profile_tasks + ssh_connection: + pipelining: false + ssh_args: -o ControlMaster=auto -o ControlPersist=60s diff --git a/molecule/local-rocky9/verify.yml b/molecule/local-rocky9/verify.yml new file mode 100644 index 0000000..a82dd6f --- /dev/null +++ b/molecule/local-rocky9/verify.yml @@ -0,0 +1,9 @@ +--- +# This is an example playbook to execute Ansible tests. + +- name: Verify + hosts: all + tasks: + - name: Example assertion + assert: + that: true diff --git a/tasks/RedHat.yml b/tasks/RedHat.yml index b413433..054aee3 100644 --- a/tasks/RedHat.yml +++ b/tasks/RedHat.yml @@ -1,17 +1,17 @@ --- -- name: RedHat | install EPEL release package for RHEL - yum: - name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm" - state: latest - retries: 2 - delay: 2 - when: ansible_distribution == 'Red Hat Enterprise Linux' +# - name: RedHat | install EPEL release package for RHEL +# yum: +# name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm" +# state: latest +# retries: 2 +# delay: 2 +# when: ansible_distribution == 'Red Hat Enterprise Linux' -- name: RedHat | install EPEL release package for Centos - yum: +- name: RedHat | install EPEL release package + dnf: name: "epel-release" state: present retries: 3 delay: 2 - when: ansible_distribution == 'CentOS' + when: ansible_os_family == 'RedHat' diff --git a/tasks/python3_pip.yml b/tasks/python3_pip.yml index 8049a88..3298858 100644 --- a/tasks/python3_pip.yml +++ b/tasks/python3_pip.yml @@ -1,5 +1,11 @@ --- +- name: pip3 | install virtualenv from pip3 + pip: + name: "virtualenv>=20.16.6" + state: present + executable: "pip3" + - name: pip3 | check only if burpui is installed pip: name: "{{ burpui_pip_burpui }}" diff --git a/tasks/requirements.yml b/tasks/requirements.yml index 18a8a5d..74233f9 100644 --- a/tasks/requirements.yml +++ b/tasks/requirements.yml @@ -16,9 +16,6 @@ group: root mode: '0755' -- name: requirements | ensure install requirements for ansible pip - package: - - name: requirements | ensure install requirements for ansible pip package: name: ['python3-setuptools'] diff --git a/templates/burpui.cfg.j2 b/templates/burpui.cfg.j2 index f2d224c..484475c 100644 --- a/templates/burpui.cfg.j2 +++ b/templates/burpui.cfg.j2 @@ -27,6 +27,7 @@ acl = {{ burpui_global_acl }} # You can also configure your reverse-proxy to announce the prefix through the # 'X-Script-Name' header. In this case, the bellow prefix will be ignored in # favour of the one announced by your reverse-proxy +# prefix option should be moved to Production section in 0.7.0+ prefix = {{ burpui_global_prefix }} plugins = {{ burpui_global_plugins }} diff --git a/vars/Debian.yml b/vars/Debian.yml index 4c0f0dc..b3f8d33 100644 --- a/vars/Debian.yml +++ b/vars/Debian.yml @@ -9,7 +9,7 @@ burpui_system_absent: burpui_py3_packages: - python3 - python3-dev - - python3-virtualenv + # - python3-virtualenv # Install with pip now - python3-setuptools - python3-pip - libssl-dev # dependecy of ndg-httpsclient diff --git a/vars/Fedora.yml b/vars/Fedora.yml index 321bc9d..288c02e 100644 --- a/vars/Fedora.yml +++ b/vars/Fedora.yml @@ -13,7 +13,7 @@ burpui_packages: burpui_py3_packages: - python3 - python3-devel - - python3-virtualenv + # - python3-virtualenv # Install with pip now - python3-pip - python3-setuptools - redhat-rpm-config diff --git a/vars/RedHat.yml b/vars/RedHat.yml index 84fc364..9fec885 100644 --- a/vars/RedHat.yml +++ b/vars/RedHat.yml @@ -4,16 +4,16 @@ --- burpui_system_absent: - - python36-cryptography + - python3-cryptography burpui_packages: - redis - nginx burpui_py3_packages: - - python36 - - python36-devel - - python36-virtualenv + - python3 + - python3-devel + # - python3-virtualenv # Install with pip now - redhat-rpm-config - openssl-devel - libffi-devel From 054bb159c0914304847b2a95d49a2c350f97c819 Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Wed, 2 Nov 2022 12:17:04 -0300 Subject: [PATCH 18/30] just ensure redis service is enabled before starting bui-celery --- tasks/requirements.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tasks/requirements.yml b/tasks/requirements.yml index 74233f9..c46ec94 100644 --- a/tasks/requirements.yml +++ b/tasks/requirements.yml @@ -32,6 +32,12 @@ name: "{{ burpui_packages| join(',') }}" state: present +- name: requirements | redis started + service: + name: "{{ redis_service }}" + state: started + enabled: yes + - name: requirements | ensure register /usr/local/sbin/burp path stat: path: "/usr/local/sbin/burp" From 4c9dc1925050cfaf09e589ef87a2886f7a2d0db9 Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Wed, 2 Nov 2022 12:18:41 -0300 Subject: [PATCH 19/30] add automatic test for rocky9 --- molecule/{centos-8 => rocky9}/converge.yml | 0 molecule/{centos-8 => rocky9}/molecule.yml | 4 ++-- molecule/{centos-8 => rocky9}/verify.yml | 0 3 files changed, 2 insertions(+), 2 deletions(-) rename molecule/{centos-8 => rocky9}/converge.yml (100%) rename molecule/{centos-8 => rocky9}/molecule.yml (84%) rename molecule/{centos-8 => rocky9}/verify.yml (100%) diff --git a/molecule/centos-8/converge.yml b/molecule/rocky9/converge.yml similarity index 100% rename from molecule/centos-8/converge.yml rename to molecule/rocky9/converge.yml diff --git a/molecule/centos-8/molecule.yml b/molecule/rocky9/molecule.yml similarity index 84% rename from molecule/centos-8/molecule.yml rename to molecule/rocky9/molecule.yml index ec62a06..917bcd2 100644 --- a/molecule/centos-8/molecule.yml +++ b/molecule/rocky9/molecule.yml @@ -9,8 +9,8 @@ driver: name: docker platforms: - - name: ansible_burpui_server-04 - image: "geerlingguy/docker-centos8-ansible" + - name: ansible_burpui_server-rocky9 + image: "docker.io/geerlingguy/docker-rockylinux9-ansible:latest" command: /sbin/init privileged: True pre_build_image: true diff --git a/molecule/centos-8/verify.yml b/molecule/rocky9/verify.yml similarity index 100% rename from molecule/centos-8/verify.yml rename to molecule/rocky9/verify.yml From fd7f1de909887f0616f860d0721306e473eab295 Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Wed, 2 Nov 2022 12:19:35 -0300 Subject: [PATCH 20/30] test rocky9 --- .github/workflows/molecule-test.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/molecule-test.yml b/.github/workflows/molecule-test.yml index 9fab0c2..c08d74a 100644 --- a/.github/workflows/molecule-test.yml +++ b/.github/workflows/molecule-test.yml @@ -20,6 +20,7 @@ jobs: # Better to use one scenario per OS for faster performance and easier debugging scenario: - ubuntu-2204 + - rocky9 steps: - name: Checkout From bc6484b0362ee7b572b554e5cae1a4671fac8539 Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Sat, 12 Nov 2022 22:22:28 -0300 Subject: [PATCH 21/30] fix #28 final burpui_version 1.0.0 --- CHANGELOG | 5 ++++- defaults/main.yml | 5 ++--- molecule/default/molecule.yml | 3 --- molecule/local-rocky9/molecule.yml | 3 --- molecule/local-stable/molecule.yml | 3 --- molecule/local/molecule.yml | 3 --- tasks/main.yml | 1 - tasks/requirements.yml | 2 -- 8 files changed, 6 insertions(+), 19 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index fa19b66..4965e95 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,9 +1,12 @@ 2.2.0 -* workaround for #28 issues with dependencies and python 3.10 +* fix for #28 issues with dependencies and python 3.10 +* python3 only supported * breaks support for ubuntu 2004 * support ubuntu 2204 * installs from source by default * redesign install using virtualenv +* Update to burpui_version 1.0.0 + 2.1.0: * Fixes on molecule v4 tests and latest galaxy meta compatibility diff --git a/defaults/main.yml b/defaults/main.yml index 184f845..1b338a0 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -3,15 +3,14 @@ # use syntax: https://pip.pypa.io/en/stable/reference/pip_install/#git burpui_pip_burpui_dev: 'git+https://git.ziirish.me/ziirish/burp-ui.git@master#egg=burp-ui' -burpui_use_dev: True +burpui_use_dev: False # False to use pip version with burpui_version var. # workaround for https://git.ziirish.me/ziirish/burp-ui/-/issues/347#note_3770 # This workaround only works with dev version of the package install # requires: # burpui_use_dev: True burpui_pip_burpui: "burp-ui" -burpui_version: 0.6.6 -python_pip_executable: "pip3" # pip3 only supported option +burpui_version: 1.0.0 burpui_pip_packages: - { name: "{{ burpui_pip_burpui }}", version: "{{ burpui_version }}" } diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 6429f52..84b35a2 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -29,6 +29,3 @@ provisioner: config_options: defaults: callback_enabled: profile_tasks - ssh_connection: - pipelining: true - ssh_args: -o ControlMaster=auto -o ControlPersist=60s diff --git a/molecule/local-rocky9/molecule.yml b/molecule/local-rocky9/molecule.yml index f09deb8..2bd64b9 100644 --- a/molecule/local-rocky9/molecule.yml +++ b/molecule/local-rocky9/molecule.yml @@ -29,6 +29,3 @@ provisioner: config_options: defaults: callback_enabled: profile_tasks - ssh_connection: - pipelining: false - ssh_args: -o ControlMaster=auto -o ControlPersist=60s diff --git a/molecule/local-stable/molecule.yml b/molecule/local-stable/molecule.yml index 1a73419..14ea3b2 100644 --- a/molecule/local-stable/molecule.yml +++ b/molecule/local-stable/molecule.yml @@ -44,6 +44,3 @@ provisioner: config_options: defaults: callback_enabled: profile_tasks - ssh_connection: - pipelining: false - ssh_args: -o ControlMaster=auto -o ControlPersist=60s diff --git a/molecule/local/molecule.yml b/molecule/local/molecule.yml index 3c58cfb..0eef09c 100644 --- a/molecule/local/molecule.yml +++ b/molecule/local/molecule.yml @@ -29,6 +29,3 @@ provisioner: config_options: defaults: callback_enabled: profile_tasks - ssh_connection: - pipelining: false - ssh_args: -o ControlMaster=auto -o ControlPersist=60s diff --git a/tasks/main.yml b/tasks/main.yml index 39a135a..3188648 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -33,7 +33,6 @@ - name: main | include python3_pip.yml include_tasks: python3_pip.yml - when: python_pip_executable == "pip3" - name: main | create burp folder file: diff --git a/tasks/requirements.yml b/tasks/requirements.yml index c46ec94..1c28910 100644 --- a/tasks/requirements.yml +++ b/tasks/requirements.yml @@ -25,7 +25,6 @@ package: name: "{{ burpui_py3_packages| join(',') }}" state: present - when: python_pip_executable == "pip3" - name: requirements | ensure install role packages package: @@ -47,7 +46,6 @@ package: name: "{{ burpui_system_absent }}" state: absent - when: python_pip_executable == "pip3" - name: requirements | ensure change burp path var burpui_backend_burpbin set_fact: From 2a004f69559f9b1e3adc66bc4f220f5adc3c6ea4 Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Sat, 12 Nov 2022 23:09:10 -0300 Subject: [PATCH 22/30] Updates in changelog and local-stable tests --- CHANGELOG | 2 ++ molecule/local-rocky9/converge.yml | 1 - molecule/local-stable/converge.yml | 1 - molecule/local-stable/molecule.yml | 10 +++++----- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 4965e95..b05a611 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -3,6 +3,8 @@ * python3 only supported * breaks support for ubuntu 2004 * support ubuntu 2204 +* breaks support for Redhat family 8 +* Adds support for Redhat family 9 * installs from source by default * redesign install using virtualenv * Update to burpui_version 1.0.0 diff --git a/molecule/local-rocky9/converge.yml b/molecule/local-rocky9/converge.yml index 5a0e116..a6f0e4c 100644 --- a/molecule/local-rocky9/converge.yml +++ b/molecule/local-rocky9/converge.yml @@ -3,7 +3,6 @@ hosts: all vars: burpui_standalone: True - burpui_use_dev: True tasks: # - name: Include ansible_burp2_server # include_role: diff --git a/molecule/local-stable/converge.yml b/molecule/local-stable/converge.yml index eae9691..ccfd2d5 100644 --- a/molecule/local-stable/converge.yml +++ b/molecule/local-stable/converge.yml @@ -3,7 +3,6 @@ hosts: all vars: burpui_standalone: True - burpui_use_dev: True tasks: - name: Include ansible_burpui_server include_role: diff --git a/molecule/local-stable/molecule.yml b/molecule/local-stable/molecule.yml index 14ea3b2..7f2fb73 100644 --- a/molecule/local-stable/molecule.yml +++ b/molecule/local-stable/molecule.yml @@ -9,8 +9,8 @@ driver: name: podman platforms: - - name: ansible_burpui_stable_server-01 - image: "geerlingguy/docker-ubuntu2004-ansible:latest" + - name: ansible_burpui_rocky9 + image: "docker.io/geerlingguy/docker-rockylinux9-ansible:latest" #privileged: True command: "/lib/systemd/systemd" pre_build_image: true @@ -24,10 +24,10 @@ platforms: groups: - group1 - - name: ansible_burpui_stable_server-04 - image: "geerlingguy/docker-centos8-ansible" - command: /usr/sbin/init + - name: ansible_burpui_server-03 + image: "geerlingguy/docker-ubuntu2204-ansible:latest" #privileged: True + command: /sbin/init pre_build_image: true capabilities: - SYS_ADMIN From 8be55233680c033eef9f458c7e7cfa3cb38d12ff Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Sun, 13 Nov 2022 14:12:43 -0300 Subject: [PATCH 23/30] closes #12 - documented hashpasswords- also added more config options in 1.0.0 --- CHANGELOG | 4 + README.md | 27 +++++- defaults/main.yml | 117 ++++++++++++++++++------- tasks/python3_pip.yml | 10 +++ templates/burpui.cfg.j2 | 183 +++++++++++++++++++++------------------- vars/Debian.yml | 2 + vars/Fedora.yml | 2 + vars/RedHat.yml | 2 + 8 files changed, 227 insertions(+), 120 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index b05a611..c9b7d6b 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -8,6 +8,10 @@ * installs from source by default * redesign install using virtualenv * Update to burpui_version 1.0.0 +* See the breaking changes in https://burp-ui.readthedocs.io/en/latest/changelog.html#id1 +* Parallel option will be added and tested on next version +* breaks compatibility with old burpui versions +* closes #12 added doc about hashpassword 2.1.0: diff --git a/README.md b/README.md index d42516b..5c98c14 100644 --- a/README.md +++ b/README.md @@ -21,6 +21,19 @@ VARS defaults/main.yml +```yaml +# burp backend to load either one of 'burp1', 'burp2', 'parallel' or 'multi'. +# If you choose 'multi', you will have to declare at lease one 'Agent' section. +# If you choose 'parallel', you need to configure the [Parallel] section. +# If you choose either 'burp1' or 'burp2', you need to configure the [Burp] +# section. +# The [Burp] section is also used with the 'parallel' backend for the restoration +# process. +# You can also use whatever custom backend you like if it is located in the +# 'plugins' directory and if it implements the right interface. +burpui_backend = burp2 +``` + By default this role will configure nginx as proxy for gunicorn (the service that starts burpui), the variable that will expose the tcp port for burpui is: burpui_nginx_port: "8080" @@ -34,7 +47,17 @@ To enable users you can add a list of basic users: burpui_basic_enabled: false burpui_basic_mixed: "true" burpui_basic_users: - - { name: "admin", password: "admin" } + - { name: "admin", password: "plain$$admin" } +``` + +Use the following method to create hash passwords: + + pip install --user werkzeug + +```python +werkzeug.security.generate_password_hash('plainpassword', method='pbkdf2:sha256') + +'pbkdf2:sha256:260000$hZ7teoNFWtkS6g4J$4ff797c0f8d1d59009a8ef8d9ee1d1126fae1713d7128d66d1132005dcfe7c9a' ``` Other optional acl for users is to use the basic acl: @@ -57,7 +80,7 @@ To enable the connection of burpui multi-agent mode, use these vars, example: ```yaml # bui-agent -burpui_standalone: false +burpui_backend: multi burpui_agents: - { name: "localhost", address: "127.0.0.1", port: "5001", password: "password", ssl: "false" } - { name: "host2", address: "192.168.122.202", port: "5001", password: "password", ssl: "false" } diff --git a/defaults/main.yml b/defaults/main.yml index 1b338a0..e227135 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -21,24 +21,19 @@ burpui_pip_packages: - { name: "{{ burpui_pip_burpui }}[celery]", version: "{{ burpui_version }}" } - { name: "{{ burpui_pip_burpui }}[websocket]", version: "{{ burpui_version }}" } -# https://git.ziirish.me/ziirish/burp-ui/-/blob/master/requirements.txt -burpui_virtualenv: /venv_apps/bui -burpui_virtualenv_bin: "{{ burpui_virtualenv}}/bin" -burpui_virtualenv_python: python3 +##### --- CONFIG SECTION --- ##### -burpui_pip_present: - #- "cryptography" - - "redis==3.5.3" - #- "Flask-Migrate" - - "celery>=5.1.0" - - "cffi>=1.14.5" - - "gevent>=21.1.2" - - "ujson>=1.35" - - "urllib3>=1.19" # required to avoid issues with get_url module - # - "ndg-httpsclient>=0.4.2" # required to avoid issues with get_url module - - "pyasn1==0.4.8" - #- "six>=1.10.0" # try to fix error in dependencies with requests[security] - - "requests[security]>=2.12" # required to avoid issues with get_url module +# burp backend to load either one of 'burp1', 'burp2', 'parallel' or 'multi'. +# If you choose 'multi', you will have to declare at lease one 'Agent' section. +# If you choose 'parallel', you need to configure the [Parallel] section. +# Parallel is not yet added and tested, see issue#33 +# If you choose 'burp2', you need to configure the [Burp] +# section. +# The [Burp] section is also used with the 'parallel' backend for the restoration +# process. +# You can also use whatever custom backend you like if it is located in the +# 'plugins' directory and if it implements the right interface. +burpui_backend: burp2 burpui_nginx_port: "8080" # This is to check availability and nginx template as reverse proxy @@ -46,11 +41,10 @@ burpui_global_port: "5000" #[Global] # https://burp-ui.readthedocs.io/en/stable/advanced_usage.html#configuration -burpui_standalone: true -burpui_global_version: "2" -burpui_global_auth: "basic" -burpui_global_acl: "basic" -burpui_global_prefix: "none" +burpui_global_version: '2' +burpui_global_auth: 'basic' +burpui_global_acl: 'basic' +burpui_global_audit: 'none' burpui_global_plugins: 'none' #[UI] burpui_ui_refresh: "180" @@ -65,10 +59,13 @@ burpui_production_cache: "redis" burpui_production_redis: "localhost:6379" burpui_production_celery: "true" burpui_production_database: "sqlite:////var/spool/burpui/celery.db" -burpui_production_limiter: false +burpui_production_limiter: "false" +burpui_production_prefix: "none" # limiter ratio # see https://flask-limiter.readthedocs.io/en/stable/#ratelimit-string burpui_production_ratio: '60/minute' +burpui_production_num_proxies: '0' +burpui_production_proxy_fix_args: "{'x_proto': {num_proxies}, 'x_for': {num_proxies}, 'x_host': {num_proxies}, 'x_prefix': {num_proxies}}" #[Security] burpui_security_includes: "/etc/burp" burpui_security_enforce: "false" @@ -94,9 +91,11 @@ burpui_backend_bconfcli: "/etc/burp/burp.conf" burpui_backend_bconfsrv: "/etc/burp/burp-server.conf" burpui_backend_tmpdir: "/tmp" burpui_backend_timeout: "60" -#[LDAP] +burpui_backend_deep_inspection: "false" +# [Global] +# auth = ldap +#[LDAP:AUTH] # https://burp-ui.readthedocs.io/en/stable/advanced_usage.html#ldap -burpui_ldap_enabled: false burpui_ldap_priority: "1" burpui_ldap_host: "127.0.0.1" burpui_ldap_port: "389" @@ -115,7 +114,8 @@ burpui_basic_priority: "2" # Enable mixed to allow plain passwords https://git.ziirish.me/ziirish/burp-ui/issues/177#note_1794 burpui_basic_mixed: "true" burpui_basic_users: - - { name: "admin", password: "admin" } + - { name: "admin", password: "plain$$adminstrongpassword" } + #[LOCAL] # https://burp-ui.readthedocs.io/en/stable/advanced_usage.html#local @@ -131,16 +131,26 @@ burpui_basic_acl_priority: 100 burpui_basic_acl_admins: "user1,user2" burpui_basic_acl_users: false # https://burp-ui.readthedocs.io/en/stable/advanced_usage.html#basic-acl -#burpui_basic_acl_users: -# - +moderator = user5,user6 -# - @moderator = '{"agents":{"ro":["agent1"]}}' +# burpui_basic_acl_users: +# - '+moderator = user5,user6' +# - '@moderator = '{"agents":{"ro":["agent1"]}}' # bui-agent -# change burpui_standalone: false # To use multiple agents: +# set burpui_backend: multiagent burpui_agents: - { name: "localhost", address: "127.0.0.1", port: "5001", password: "password", ssl: "false" } +# TODO: Add support for parallel backend +# https://burp-ui.readthedocs.io/en/latest/advanced_usage.html#parallel +# burpui_parallel_host: localhost +# burpui_parallel_port: 1111 +# burpui_parallel_timeout: 15 +# burpui_parallel_password: xxsdfsdfsf +# burpui_parallel_ssl: true +# burpui_parallel_concurrency: 2 +# burpui_parallel_init_wait: 15 + # Bui Celery burpui_sv_priority: "20" burpui_sv_directory: "/tmp" @@ -160,3 +170,50 @@ burpui_group: 'root' gunicorn_systemd_service: True bui_use_systemd: True gunicorn_upstart_service: False + +# Burpui audit basic +# https://burp-ui.readthedocs.io/en/latest/advanced_usage.html#basic-audit +burpui_audit_priority: '100' +burpui_audit_level: 'WARNING' +burpui_audit_logfile: 'none' +burpui_audit_max_bytes: '30 * 1024 * 1024' +burpui_audit_rotate: '5' + +##### --- END CONFIG SECTION --- ##### + +##### --- PIP PACKAGES SECTION --- ##### + +# https://git.ziirish.me/ziirish/burp-ui/-/blob/master/requirements.txt +burpui_virtualenv: /venv_apps/bui +burpui_virtualenv_bin: "{{ burpui_virtualenv}}/bin" +burpui_virtualenv_python: python3 + +# There are links in virtualenv_bin to link to /usr/local/bin +burpui_bin_links: + - alembic + - bui-agent-legacy + - bui-celery + - bui-manage + - bui-monitor + - burp-ui + - burp-ui-legacy + - gunicorn + - jsonschema + - mako-render + - normalizer + +burpui_pip_present: + #- "cryptography" + - "redis==3.5.3" + #- "Flask-Migrate" + - "celery>=5.1.0" + - "cffi>=1.14.5" + - "gevent>=21.1.2" + - "ujson>=1.35" + - "urllib3>=1.19" # required to avoid issues with get_url module + # - "ndg-httpsclient>=0.4.2" # required to avoid issues with get_url module + - "pyasn1==0.4.8" + #- "six>=1.10.0" # try to fix error in dependencies with requests[security] + - "requests[security]>=2.12" # required to avoid issues with get_url module + +##### --------------------------- ##### diff --git a/tasks/python3_pip.yml b/tasks/python3_pip.yml index 3298858..0959921 100644 --- a/tasks/python3_pip.yml +++ b/tasks/python3_pip.yml @@ -67,3 +67,13 @@ register: bui_pip_install when: burpui_use_dev notify: restart burpui services + +- name: bui-celery | links to /usr/local/bin + ansible.builtin.file: + src: "{{ burpui_virtualenv_bin }}/{{ item }}" + dest: "{{ burpui_local_bin }}/{{ item }}" + owner: root + group: root + mode: '0755' + state: link + with_items: "{{ burpui_bin_links }}" diff --git a/templates/burpui.cfg.j2 b/templates/burpui.cfg.j2 index 484475c..9a4b330 100644 --- a/templates/burpui.cfg.j2 +++ b/templates/burpui.cfg.j2 @@ -2,16 +2,16 @@ # @version@ - 0.6.0 # @release@ - stable [Global] -# burp server version 1 or 2 -version = {{ burpui_global_version }} -# Handle multiple bui-servers or not -# If set to 'false', you will need to declare at least one 'Agent' section (see -# bellow) -{% if burpui_standalone %} -single = true -{% else %} -single = false -{% endif %} +# burp backend to load either one of 'burp1', 'burp2', 'parallel' or 'multi'. +# If you choose 'multi', you will have to declare at lease one 'Agent' section. +# If you choose 'parallel', you need to configure the [Parallel] section. +# If you choose either 'burp1' or 'burp2', you need to configure the [Burp] +# section. +# The [Burp] section is also used with the 'parallel' backend for the restoration +# process. +# You can also use whatever custom backend you like if it is located in the +# 'plugins' directory and if it implements the right interface. +backend = {{ burpui_backend }} # authentication plugin (mandatory) # list the misc/auth directory to see the available backends # to disable authentication you can set "auth = none" @@ -22,13 +22,10 @@ auth = {{ burpui_global_auth }} # list misc/acl directory to see the available backends # default is no ACL acl = {{ burpui_global_acl }} -# You can change the prefix if you are behind a reverse-proxy under a custom -# root path. For example: /burpui -# You can also configure your reverse-proxy to announce the prefix through the -# 'X-Script-Name' header. In this case, the bellow prefix will be ignored in -# favour of the one announced by your reverse-proxy -# prefix option should be moved to Production section in 0.7.0+ -prefix = {{ burpui_global_prefix }} +# audit logger plugin (chainable, see 'auth' plugin option) +# list the misc/audit directory to see the available backends +# default is no audit log +audit = {{ burpui_global_audit }} plugins = {{ burpui_global_plugins }} [UI] @@ -44,6 +41,8 @@ liverefresh = {{ burpui_ui_liverefresh }} # storage backend for session and cache # may be either 'default' or 'redis' storage = {{ burpui_production_storage }} +# redis server to connect to +redis = {{ burpui_production_redis }} # session database to use # may also be a backend url like: redis://localhost:6379/0 # if set to 'redis', the backend url defaults to: @@ -58,8 +57,6 @@ session = {{ burpui_production_session }} # where is the host part, and is the port part of # the below "redis" setting cache = {{ burpui_production_cache }} -# redis server to connect to -redis = {{ burpui_production_redis }} # whether to use celery or not # may also be a broker url like: redis://localhost:6379/0 # if set to "true", the broker url defaults to: @@ -67,11 +64,6 @@ redis = {{ burpui_production_redis }} # where is the host part, and is the port part of # the above "redis" setting celery = {{ burpui_production_celery }} -# database url to store some persistent data -# none or a connect string supported by SQLAlchemy: -# http://docs.sqlalchemy.org/en/latest/core/engines.html#database-urls -# example: sqlite:////var/lib/burpui/store.db -database = {{ burpui_production_database }} # whether to rate limit the API or not # may also be a redis url like: redis://localhost:6379/0 # if set to "true" or "redis" or "default", the url defaults to: @@ -83,7 +75,54 @@ limiter = {{ burpui_production_limiter }} # limiter ratio # see https://flask-limiter.readthedocs.io/en/stable/#ratelimit-string ratio = {{ burpui_production_ratio }} +# database url to store some persistent data +# none or a connect string supported by SQLAlchemy: +# http://docs.sqlalchemy.org/en/latest/core/engines.html#database-urls +# example: sqlite:////var/lib/burpui/store.db +database = {{ burpui_production_database }} +# You can change the prefix if you are behind a reverse-proxy under a custom +# root path. For example: /burpui +# You can also configure your reverse-proxy to announce the prefix through the +# 'X-Script-Name' header. In this case, the bellow prefix will be ignored in +# favour of the one announced by your reverse-proxy +# prefix option should be moved to Production section in 0.7.0+ +prefix = {{ burpui_production_prefix }} +# ProxyFix +# number of reverse-proxy to trust in order to retrieve some HTTP headers +# All the details can be found here: +# https://werkzeug.palletsprojects.com/en/0.15.x/middleware/proxy_fix/#module-werkzeug.middleware.proxy_fix +num_proxies = "{{ burpui_production_num_proxies }}" +# alternatively, you can specify your own ProxyFix args. +# The default is: "{'x_proto': {num_proxies}, 'x_for': {num_proxies}, 'x_host': {num_proxies}, 'x_prefix': {num_proxies}}" +# if num_proxies > 0, else it defaults to ProxyFix defaults +proxy_fix_args = {{ burpui_production_proxy_fix_args }} +## http://burp-ui.readthedocs.io/en/latest/advanced_usage.html#websocket +[WebSocket] +## This section contains WebSocket server specific options. +# whether to enable websocket or not +enabled = {{ burpui_websocket_enabled }} +# whether to embed the websocket server or not +# if set to "true", you should have only *one* gunicorn worker +# see here for details: +# https://flask-socketio.readthedocs.io/en/latest/#gunicorn-web-server +embedded = {{ burpui_websocket_embedded }} +# what broker to use to interact between websocket servers +# may be a redis url like: redis://localhost:6379/0 +# if set to "true" or "redis" or "default", the url defaults to: +# redis://:/4 +# where is the host part, and is the port part of +# the above "redis" setting +# set this to none to disable the broker +broker = {{ burpui_websocket_broker }} +# if you choose to run a dedicated websocket server (with embedded = false) +# you can specify here the websocket url. You'll need to double quote your +# string though. +# example: +# url = "document.domain + ':5001'" +url = {{ burpui_websocket_url }} +# whether to enable verbose websocket server logs or not (for development) +debug = {{ burpui_websocket_debug }} [Security] ## This section contains some security options. Make sure you understand the @@ -111,32 +150,6 @@ scookie = {{ burpui_security_scookie }} # /!\ YOU CANNOT USE THE MAGIC 'random' VALUE WHEN USING GUNICORN /!\ appsecret = {{ burpui_security_appsecret }} -## http://burp-ui.readthedocs.io/en/latest/advanced_usage.html#websocket -[WebSocket] -## This section contains WebSocket server specific options. -# whether to enable websocket or not -enabled = {{ burpui_websocket_enabled }} -# whether to embed the websocket server or not -# if set to "true", you should have only *one* gunicorn worker -# see here for details: -# https://flask-socketio.readthedocs.io/en/latest/#gunicorn-web-server -embedded = {{ burpui_websocket_embedded }} -# what broker to use to interact between websocket servers -# may be a redis url like: redis://localhost:6379/0 -# if set to "true" or "redis" or "default", the url defaults to: -# redis://:/4 -# where is the host part, and is the port part of -# the above "redis" setting -# set this to none to disable the broker -broker = {{ burpui_websocket_broker }} -# if you choose to run a dedicated websocket server (with embedded = false) -# you can specify here the websocket url. You'll need to double quote your -# string though. -# example: -# url = "document.domain + ':5001'" -url = {{ burpui_websocket_url }} -# whether to enable verbose websocket server logs or not (for development) -debug = {{ burpui_websocket_debug }} [Experimental] ## This section contains some experimental features that have not been deeply @@ -146,7 +159,7 @@ debug = {{ burpui_websocket_debug }} # commands on Unix (the InfoZIP utilities) don’t support these extensions. » zip64 = {{ burpui_experimental_zip64 }} -{% if burpui_standalone %} +{% if burpui_backend == 'burp2' or burpui_backend == 'burp1' %} ## burp specific options [Burp] # burp status address (can only be '127.0.0.1' or '::1') @@ -165,12 +178,21 @@ bconfsrv = {{ burpui_backend_bconfsrv }} tmpdir = {{ burpui_backend_tmpdir }} ## how many time to wait for the monitor to answer (in seconds) timeout = {{ burpui_backend_timeout }} +# since burp-2.1.10, timestamps have local offsets, if we detect a burp-server +# version greater than 2.1.10 we'll suppose every backup was made with that +# version. If this is not the case, you may end-up with wrongly computed backup +# dates in the clients overview. For that reason, you can enable the +# 'deep_inspection' option which will check every backup logs in order to +# find out which server version was used. +# The drawback is this process requires some extra work that may slow-down +# burp-ui. +deep_inspection = {{ burpui_backend_deep_inspection }} {% endif %} -{% if burpui_ldap_enabled %} +{% if burpui_global_auth == 'ldap' %} ## https://burp-ui.readthedocs.io/en/stable/advanced_usage.html#ldap ## ldapauth specific options -[LDAP] +[LDAP:AUTH] ## Backend priority. Higher is first priority = {{ burpui_ldap_priority }} ## LDAP host @@ -214,12 +236,11 @@ bindpw = {{ burpui_ldap_bindpw }} ## basicauth specific options ## Note: in case you leave this section commented, the default login/password ## is admin/admin -[BASIC] +[BASIC:AUTH] ## Backend priority. Higher is first priority = {{ burpui_basic_priority }} ## Allow both plain and hashed passwords ## WARNING: This will defaults to false in 0.4.0 -mixed = {{ burpui_basic_mixed }} {% for item in burpui_basic_users %} {{ item.name }} = {{ item.password }} {% endfor %} @@ -229,7 +250,7 @@ mixed = {{ burpui_basic_mixed }} ## localauth specific options ## Note: if not running as root, then burp-ui must be run as group 'shadow' to ## allow PAM to work -[LOCAL] +[LOCAL:AUTH] ## Backend priority. Higher is first priority = {{ burpui_local_priority }} ## List of local users allowed to login. If you don't set this setting, every @@ -249,42 +270,12 @@ limit = {{ burpui_local_limit }} # Backend priority. Higher is first priority = {{ burpui_basic_acl_priority }} admin = {{ burpui_basic_acl_admins }} -# List of moderators. Users listed here will inherit the grants of the -# group '@moderator' -+moderator = user5,user6 -@moderator = '{"agents":{"ro":["agent1"]}}' -# NOTE: if you are running single-agent mode, you should specify the ro/rw -# rights of the moderators using this special 'local' agent name: -# NOTE: this is the default when running single-agent mode if you don't -# specify anything else -#@moderator = '{"agents": {"rw": "local"}}' -# Please note the double-quotes and single-quotes on the following lines are -# mandatory! -# You can also overwrite the default behavior by specifying which clients a -# user can access -# Suppose you are running single-agent mode (the default), you only need to -# specify a list of clients a user can access: -user3 = '{"clients": {"ro": ["prod*"], "rw": ["dev*", "test1"]}}' -# In case you are not in a single mode, you can also specify which clients -# a user can access on a specific Agent -user4 = '{"agents": {"agent1": ["client6", "client7"], "agent2": ["client8"]}}' -# You can define read-only and/or read-write grants using: -user5 = '{"agents": {"www*": {"ro": ["desk*"], "rw": ["desk1"]}}}' -# Finally, you can define groups using the syntax "@groupname" and adding -# members using "+groupname". Note: groups can inherit groups! -@group1 = '{"agents": {"ro": ["*"]}}' -@group2 = '{"clients": {"rw": ["dev*"]}}' -+group1 = @group2 -+group2 = user5 -# As a result, user5 will be granted the following rights: -# '{"ro": {"agents": ["*", "agent1"], "www*": ["desk*"]}, "rw": {"clients": ["dev*"], "www*": ["desk1"]}} - {% for item in burpui_basic_acl_users %} {{ item }} {% endfor %} {% endif %} -{% if not burpui_standalone %} +{% if burpui_backend == 'multi' %} ## If you set standalone to 'false', add at least one section like this per ## bui-agent {% for item in burpui_agents %} @@ -294,4 +285,20 @@ port = {{ item.port }} password = {{ item.password }} ssl = {{ item.ssl }} {% endfor %} -{% endif %} \ No newline at end of file +{% endif %} + +{% if burpui_global_audit == 'basic' %} +# Basic audit backend options +[BASIC:AUDIT] +# Backend priority. Higher is first +priority = {{ burpui_audit_priority }} +# debug level (CRITICAL, ERROR, WARNING, INFO, DEBUG) +# the default is the same as your global application level +level = {{ burpui_audit_level }} +# path to a file to log into +logfile = {{ burpui_audit_logfile }} +# maximum logfile size +max_bytes = {{ burpui_audit_max_bytes }} +# number of files to keep +rotate = {{ burpui_audit_rotate }} +{% endif %} diff --git a/vars/Debian.yml b/vars/Debian.yml index b3f8d33..8e198b2 100644 --- a/vars/Debian.yml +++ b/vars/Debian.yml @@ -35,3 +35,5 @@ supervisor_service: supervisor redis_service: redis-server nginx_config_dir: '/etc/nginx/sites-available' burpui_nginx_config_path: '{{ nginx_config_dir }}/burpui' + +burpui_local_bin: "/usr/local/bin" diff --git a/vars/Fedora.yml b/vars/Fedora.yml index 288c02e..a234b34 100644 --- a/vars/Fedora.yml +++ b/vars/Fedora.yml @@ -30,3 +30,5 @@ supervisor_service: supervisord redis_service: redis nginx_config_dir: '/etc/nginx/conf.d' burpui_nginx_config_path: '{{ nginx_config_dir }}/burpui.conf' + +burpui_local_bin: "/usr/local/bin" diff --git a/vars/RedHat.yml b/vars/RedHat.yml index 9fec885..c75f063 100644 --- a/vars/RedHat.yml +++ b/vars/RedHat.yml @@ -30,3 +30,5 @@ supervisor_service: supervisord redis_service: redis nginx_config_dir: '/etc/nginx/conf.d' burpui_nginx_config_path: '{{ nginx_config_dir }}/burpui.conf' + +burpui_local_bin: "/usr/local/bin" From a836886affda2f66ba53b0c6c6d01b816c7053da Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Sun, 13 Nov 2022 14:13:57 -0300 Subject: [PATCH 24/30] sync changes in tests --- molecule/default/converge.yml | 1 - molecule/local-rocky9/converge.yml | 2 -- molecule/local-stable/converge.yml | 2 -- molecule/local/converge.yml | 1 - molecule/rocky9/converge.yml | 1 - molecule/ubuntu-2204/converge.yml | 1 - 6 files changed, 8 deletions(-) diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index f1846a6..7934bb2 100644 --- a/molecule/default/converge.yml +++ b/molecule/default/converge.yml @@ -2,7 +2,6 @@ - name: Converge hosts: all vars: - burpui_standalone: True burpui_pip_burpui_dev: 'git+https://git.ziirish.me/ziirish/burp-ui.git@master#egg=burp-ui' burpui_use_dev: True tasks: diff --git a/molecule/local-rocky9/converge.yml b/molecule/local-rocky9/converge.yml index a6f0e4c..ccfc714 100644 --- a/molecule/local-rocky9/converge.yml +++ b/molecule/local-rocky9/converge.yml @@ -1,8 +1,6 @@ --- - name: Converge hosts: all - vars: - burpui_standalone: True tasks: # - name: Include ansible_burp2_server # include_role: diff --git a/molecule/local-stable/converge.yml b/molecule/local-stable/converge.yml index ccfd2d5..c60152c 100644 --- a/molecule/local-stable/converge.yml +++ b/molecule/local-stable/converge.yml @@ -1,8 +1,6 @@ --- - name: Converge hosts: all - vars: - burpui_standalone: True tasks: - name: Include ansible_burpui_server include_role: diff --git a/molecule/local/converge.yml b/molecule/local/converge.yml index 5a0e116..69d1548 100644 --- a/molecule/local/converge.yml +++ b/molecule/local/converge.yml @@ -2,7 +2,6 @@ - name: Converge hosts: all vars: - burpui_standalone: True burpui_use_dev: True tasks: # - name: Include ansible_burp2_server diff --git a/molecule/rocky9/converge.yml b/molecule/rocky9/converge.yml index a35be45..23fbbc6 100644 --- a/molecule/rocky9/converge.yml +++ b/molecule/rocky9/converge.yml @@ -2,7 +2,6 @@ - name: Converge hosts: all vars: - burpui_standalone: True # burpui_pip_burpui_dev: 'git+https://git.ziirish.me/ziirish/burp-ui.git@master#egg=burp-ui' burpui_use_dev: True tasks: diff --git a/molecule/ubuntu-2204/converge.yml b/molecule/ubuntu-2204/converge.yml index ad55c4c..ded5f3c 100644 --- a/molecule/ubuntu-2204/converge.yml +++ b/molecule/ubuntu-2204/converge.yml @@ -2,7 +2,6 @@ - name: Converge hosts: all vars: - burpui_standalone: True # burpui_pip_burpui_dev: 'git+https://git.ziirish.me/ziirish/burp-ui.git@master#egg=burp-ui' burpui_use_dev: True tasks: From 8f622cd1a82a3f066f3694beab2d5a0e93b9fd9c Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Sun, 13 Nov 2022 17:16:27 -0300 Subject: [PATCH 25/30] latest updates to config --- README.md | 10 +++++----- defaults/main.yml | 14 ++++++++++---- templates/burpui.cfg.j2 | 37 +++++++++++++++++++++++++++++++++---- 3 files changed, 48 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index 5c98c14..e4b6ab2 100644 --- a/README.md +++ b/README.md @@ -45,7 +45,6 @@ To enable users you can add a list of basic users: ```yaml # Enable mixed to allow plain passwords https://git.ziirish.me/ziirish/burp-ui/issues/177#note_1794 burpui_basic_enabled: false -burpui_basic_mixed: "true" burpui_basic_users: - { name: "admin", password: "plain$$admin" } ``` @@ -62,14 +61,15 @@ werkzeug.security.generate_password_hash('plainpassword', method='pbkdf2:sha256' Other optional acl for users is to use the basic acl: +Check the burp-ui docs, you can use wildcards and others special characters here. ```yaml # http://burp-ui.readthedocs.io/en/latest/usage.html#basic-acl -burpui_basic_acl_enabled: false +burpui_global_acl: 'basic' burpui_basic_acl_admins: "user1,user2" burpui_basic_acl_users: false -#burpui_basic_acl_users: -# - { name: "user3", value: '["client4", "client5"]' } -# - { name: "user4", value: '{"agent2": ["client8"], "agent1": ["client6", "client7"]}' } +burpui_basic_acl_users: + - { name: "user3", value: '["client4", "client5"]' } + - { name: "user4", value: '{"agent2": ["client8"], "agent1": ["client6", "client7"]}' } ``` ### Multi-agent mode: diff --git a/defaults/main.yml b/defaults/main.yml index e227135..abb0afc 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -43,7 +43,8 @@ burpui_global_port: "5000" # https://burp-ui.readthedocs.io/en/stable/advanced_usage.html#configuration burpui_global_version: '2' burpui_global_auth: 'basic' -burpui_global_acl: 'basic' +# use burpui_global_acl: 'basic' to enable this +burpui_global_acl: 'none' # By default don't enable acl burpui_global_audit: 'none' burpui_global_plugins: 'none' #[UI] @@ -108,7 +109,7 @@ burpui_ldap_base: '"ou=users,dc=example,dc=com"' burpui_ldap_binddn: '"cn=admin,dc=example,dc=com"' burpui_ldap_bindpw: "Sup3rS3cr3tPa$$w0rd" -#[BASIC] +#[BASIC:AUTH] burpui_basic_enabled: false burpui_basic_priority: "2" # Enable mixed to allow plain passwords https://git.ziirish.me/ziirish/burp-ui/issues/177#note_1794 @@ -117,14 +118,19 @@ burpui_basic_users: - { name: "admin", password: "plain$$adminstrongpassword" } -#[LOCAL] +#[LOCAL:AUTH] # https://burp-ui.readthedocs.io/en/stable/advanced_usage.html#local burpui_local_enabled: false burpui_local_priority: "3" burpui_local_users: "user1,user2" # Minimum uid that will be allowed to login burpui_local_limit: 1000 - +#[ACL] +burpui_acl_extended: 'true' +burpui_acl_assume_rw: 'true' +burpui_acl_inverse_inheritance: 'false' +burpui_acl_implicit_link: 'true' +burpui_acl_legacy: 'false' #[BASIC:ACL] burpui_basic_acl_enabled: false burpui_basic_acl_priority: 100 diff --git a/templates/burpui.cfg.j2 b/templates/burpui.cfg.j2 index 9a4b330..0f4b8cc 100644 --- a/templates/burpui.cfg.j2 +++ b/templates/burpui.cfg.j2 @@ -87,15 +87,15 @@ database = {{ burpui_production_database }} # favour of the one announced by your reverse-proxy # prefix option should be moved to Production section in 0.7.0+ prefix = {{ burpui_production_prefix }} -# ProxyFix +# ProxyFix - Not yet implemented in 1.0.0 # number of reverse-proxy to trust in order to retrieve some HTTP headers # All the details can be found here: # https://werkzeug.palletsprojects.com/en/0.15.x/middleware/proxy_fix/#module-werkzeug.middleware.proxy_fix -num_proxies = "{{ burpui_production_num_proxies }}" +# num_proxies = "{{ burpui_production_num_proxies }}" # alternatively, you can specify your own ProxyFix args. # The default is: "{'x_proto': {num_proxies}, 'x_for': {num_proxies}, 'x_host': {num_proxies}, 'x_prefix': {num_proxies}}" # if num_proxies > 0, else it defaults to ProxyFix defaults -proxy_fix_args = {{ burpui_production_proxy_fix_args }} +# proxy_fix_args = {{ burpui_production_proxy_fix_args }} ## http://burp-ui.readthedocs.io/en/latest/advanced_usage.html#websocket [WebSocket] @@ -260,7 +260,36 @@ users = {{ burpui_local_users }} limit = {{ burpui_local_limit }} {% endif %} -{% if burpui_basic_acl_enabled %} +{% if burpui_global_acl == 'basic' %} +# acl engine global options +[ACL] +# Enable extended matching rules (enabled by default) +# If the rule is a string like 'user1 = desk*', it will match any client that +# matches 'desk*' no mater what agent it is attached to. +# If it is a coma separated list of strings like 'user1 = desk*,laptop*' it +# will match the first matching rule no mater what agent it is attached to. +# If it is a dict like: +# user1 = '{"agents": ["srv*", "www*"], "clients": ["desk*", "laptop*"]}' +# It will also validate against the agent name. +extended = {{ burpui_acl_extended }} +# If you don't explicitly specify ro/rw grants, what should we assume? +assume_rw = {{ burpui_acl_assume_rw }} +# The inheritance order maters, it means depending the order you choose, +# the ACL engine won't handle the grants the same way. +# By default, ACL inherited by groups will have lower priority, unless you +# choose otherwise +inverse_inheritance = {{ burpui_acl_inverse_inheritance }} +# If you specify agents and clients separately, should we link them implicitly? +# For instance, '{"agents": ["agent1", "agent2"], "clients": ["client1", "client2"]}' +# will become: '{"agents": {"agent1": ["client1", "client2"], "agent2": ["client1", "client2"]}}' +implicit_link = {{ burpui_acl_implicit_link }} +# Enable 'legacy' behavior +# Since v0.6.0, if you don't specify the agents name explicitly, users will be +# granted on every agents where a client matches user's ACL. If you enable the +# 'legacy' behavior, you will need to specify the agents explicitly. +# Note: enabling this option will also disable the extended mode +legacy = {{ burpui_acl_legacy }} + ## basicacl specific options ## Note: in case you leave this section commented, the user 'admin' will have ## access to all clients whereas other users will only see the client that have From bd198046c90abdb027bcf490beb835bb5fde9472 Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Sun, 13 Nov 2022 17:26:40 -0300 Subject: [PATCH 26/30] just adding required files for future bui-monitor config --- tasks/bui-monitor.yml | 2 ++ templates/bui-monitor.cfg.j2 | 27 +++++++++++++++++++++++++++ 2 files changed, 29 insertions(+) create mode 100644 tasks/bui-monitor.yml create mode 100644 templates/bui-monitor.cfg.j2 diff --git a/tasks/bui-monitor.yml b/tasks/bui-monitor.yml new file mode 100644 index 0000000..363bd8d --- /dev/null +++ b/tasks/bui-monitor.yml @@ -0,0 +1,2 @@ +# https://burp-ui.readthedocs.io/en/latest/buimonitor.html#architecture +# TODO: Implement this. \ No newline at end of file diff --git a/templates/bui-monitor.cfg.j2 b/templates/bui-monitor.cfg.j2 new file mode 100644 index 0000000..d7fa47c --- /dev/null +++ b/templates/bui-monitor.cfg.j2 @@ -0,0 +1,27 @@ +# Burp-UI monitor configuration file +[Global] +# On which port is the application listening +port = 11111 +# On which address is the application listening +# '::1' is the default for local IPv6 +# set it to '127.0.0.1' if you want to listen on local IPv4 address +bind = ::1 +# Pool size: number of 'burp -a m' process to load +pool = 5 +# enable SSL +ssl = true +# ssl cert +sslcert = /var/lib/burp/ssl/server/ssl_cert-server.pem +# ssl key +sslkey = /var/lib/burp/ssl/server/ssl_cert-server.key +# monitor password +password = password123456 + +# burp backend specific options +[Burp] +# burp binary +burpbin = /usr/sbin/burp +# burp client configuration file used for the restoration +bconfcli = /etc/burp/burp.conf +# how many time to wait for the monitor to answer (in seconds) +timeout = 15 From acd5fc9e218bf72e2bd0f9e674c12f4d7716c3af Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Sun, 13 Nov 2022 17:29:16 -0300 Subject: [PATCH 27/30] removing some links that will be created by gunicorn install --- defaults/main.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index abb0afc..62a113d 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -196,16 +196,13 @@ burpui_virtualenv_python: python3 # There are links in virtualenv_bin to link to /usr/local/bin burpui_bin_links: - - alembic - bui-agent-legacy - bui-celery - bui-manage - bui-monitor - burp-ui - burp-ui-legacy - - gunicorn - jsonschema - - mako-render - normalizer burpui_pip_present: From 38c4380cd84790fc58925f9f69733cac38ac4def Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Sun, 13 Nov 2022 17:38:56 -0300 Subject: [PATCH 28/30] fix mistype on virtualenv dir --- tasks/requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/requirements.yml b/tasks/requirements.yml index 1c28910..5cf9a26 100644 --- a/tasks/requirements.yml +++ b/tasks/requirements.yml @@ -10,7 +10,7 @@ - name: requirements | create virtualenv dir ansible.builtin.file: - path: "{{ burpui_virtualenv_python }}" + path: "{{ burpui_virtualenv }}" state: directory owner: root group: root From a2ea0209901df62b9240eb7683d5dbfb61e068e8 Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Sun, 13 Nov 2022 17:57:16 -0300 Subject: [PATCH 29/30] Add idempotence tests back --- .github/workflows/molecule-test.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/molecule-test.yml b/.github/workflows/molecule-test.yml index c08d74a..7a0907e 100644 --- a/.github/workflows/molecule-test.yml +++ b/.github/workflows/molecule-test.yml @@ -58,9 +58,9 @@ jobs: ANSIBLE_FORCE_COLOR: '1' working-directory: "${{ github.repository }}" - # - name: Run molecule idempotence - # run: "molecule idempotence --scenario-name ${{ matrix.scenario }}" - # env: - # PY_COLORS: '1' - # ANSIBLE_FORCE_COLOR: '1' - # working-directory: "${{ github.repository }}" + - name: Run molecule idempotence + run: "molecule idempotence --scenario-name ${{ matrix.scenario }}" + env: + PY_COLORS: '1' + ANSIBLE_FORCE_COLOR: '1' + working-directory: "${{ github.repository }}" From 6e8acff497482f6932fbf07ee5d30d5502a320b9 Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Sun, 13 Nov 2022 18:08:58 -0300 Subject: [PATCH 30/30] not use dev to allow idempotence tests --- molecule/rocky9/converge.yml | 2 +- molecule/ubuntu-2204/converge.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/molecule/rocky9/converge.yml b/molecule/rocky9/converge.yml index 23fbbc6..d2671ff 100644 --- a/molecule/rocky9/converge.yml +++ b/molecule/rocky9/converge.yml @@ -3,7 +3,7 @@ hosts: all vars: # burpui_pip_burpui_dev: 'git+https://git.ziirish.me/ziirish/burp-ui.git@master#egg=burp-ui' - burpui_use_dev: True + # burpui_use_dev: True tasks: - name: Include ansible_burpui_server include_role: diff --git a/molecule/ubuntu-2204/converge.yml b/molecule/ubuntu-2204/converge.yml index ded5f3c..ff2efe1 100644 --- a/molecule/ubuntu-2204/converge.yml +++ b/molecule/ubuntu-2204/converge.yml @@ -3,7 +3,7 @@ hosts: all vars: # burpui_pip_burpui_dev: 'git+https://git.ziirish.me/ziirish/burp-ui.git@master#egg=burp-ui' - burpui_use_dev: True + # burpui_use_dev: True tasks: - name: Include ansible_burpui_server include_role: