Merge pull request #32 from CoffeeITWorks/develop

version 2.2.0

2.2.0
* fix for #28 issues with dependencies and python 3.10
* python3 only supported
* breaks support for ubuntu 2004
* support ubuntu 2204
* breaks support for Redhat family 8
* Adds support for Redhat family 9
* installs from source by default
* redesign install using virtualenv
* Update to burpui_version 1.0.0
* See the breaking changes in https://burp-ui.readthedocs.io/en/latest/changelog.html#id1
* Parallel option will be added and tested on next version
* breaks compatibility with old burpui versions
* closes #12 added doc about hashpassword

.github/workflows/molecule-test.yml

@@ -19,8 +19,8 @@ jobs:
       matrix:
         # Better to use one scenario per OS for faster performance and easier debugging
         scenario:
-          - centos-8
-          - ubuntu-2004
+            - ubuntu-2204
+            - rocky9
     steps:
 
       - name: Checkout

CHANGELOG

@@ -1,3 +1,19 @@
+2.2.0
+* fix for #28 issues with dependencies and python 3.10
+* python3 only supported
+* breaks support for ubuntu 2004
+* support ubuntu 2204
+* breaks support for Redhat family 8
+* Adds support for Redhat family 9
+* installs from source by default
+* redesign install using virtualenv
+* Update to burpui_version 1.0.0
+* See the breaking changes in https://burp-ui.readthedocs.io/en/latest/changelog.html#id1
+* Parallel option will be added and tested on next version
+* breaks compatibility with old burpui versions
+* closes #12 added doc about hashpassword
+
+
 2.1.0:
 * Fixes on molecule v4 tests and latest galaxy meta compatibility
 

README.md

@@ -21,6 +21,19 @@ VARS
 
 defaults/main.yml
 
+```yaml
+# burp backend to load either one of 'burp1', 'burp2', 'parallel' or 'multi'.
+# If you choose 'multi', you will have to declare at lease one 'Agent' section.
+# If you choose 'parallel', you need to configure the [Parallel] section.
+# If you choose either 'burp1' or 'burp2', you need to configure the [Burp]
+# section.
+# The [Burp] section is also used with the 'parallel' backend for the restoration
+# process.
+# You can also use whatever custom backend you like if it is located in the
+# 'plugins' directory and if it implements the right interface.
+burpui_backend = burp2
+```
+
 By default this role will configure nginx as proxy for gunicorn (the service that starts burpui), the variable that will expose the tcp port for burpui is: 
 
     burpui_nginx_port: "8080"
@@ -32,21 +45,31 @@ To enable users you can add a list of basic users:
 ```yaml
 # Enable mixed to allow plain passwords https://git.ziirish.me/ziirish/burp-ui/issues/177#note_1794
 burpui_basic_enabled: false
-burpui_basic_mixed: "true"
 burpui_basic_users:
-  - { name: "admin", password: "admin" }
+  - { name: "admin", password: "plain$$admin" }
+```
+
+Use the following method to create hash passwords:
+
+    pip install --user werkzeug
+
+```python
+werkzeug.security.generate_password_hash('plainpassword', method='pbkdf2:sha256')
+
+'pbkdf2:sha256:260000$hZ7teoNFWtkS6g4J$4ff797c0f8d1d59009a8ef8d9ee1d1126fae1713d7128d66d1132005dcfe7c9a'
 ```
 
 Other optional acl for users is to use the basic acl: 
 
+Check the burp-ui docs, you can use wildcards and others special characters here.
 ```yaml
 # http://burp-ui.readthedocs.io/en/latest/usage.html#basic-acl
-burpui_basic_acl_enabled: false
+burpui_global_acl: 'basic'
 burpui_basic_acl_admins: "user1,user2"
 burpui_basic_acl_users: false
-#burpui_basic_acl_users:
-#  - { name: "user3", value: '["client4", "client5"]' }
-#  - { name: "user4", value: '{"agent2": ["client8"], "agent1": ["client6", "client7"]}' }
+burpui_basic_acl_users:
+  - { name: "user3", value: '["client4", "client5"]' }
+  - { name: "user4", value: '{"agent2": ["client8"], "agent1": ["client6", "client7"]}' }
 ```
 
 ### Multi-agent mode: 
@@ -57,7 +80,7 @@ To enable the connection of burpui multi-agent mode, use these vars, example:
 
 ```yaml
 # bui-agent
-burpui_standalone: false
+burpui_backend: multi
 burpui_agents:
   - { name: "localhost", address: "127.0.0.1", port: "5001", password: "password", ssl: "false" }
   - { name: "host2", address: "192.168.122.202", port: "5001", password: "password", ssl: "false" }
@@ -79,26 +102,19 @@ Upgrade steps are managed automatically by this role.
 Installed services
 ==================
 
-It uses http://supervisord.org/ for better management of third-party  services on the system and to be compatible with most systems (ubuntu trusty+, debian, centos, fedora, etc).
 
-supervisor is used for bui-celery
+by default systemd is used for bui-celery and gunicorn
 default service manager for the package manager of your distribution is used for gunicorn (the service responsible to start burpui) and same for nginx (the proxy configured to expose burpui)
 
-So to restart installed services/daemons you should use: 
-
-    sudo supervisorctl restart bui-celery  (depends on the service you want to restart)
-
-you can also use supervisorctl shell:
-
-    sudo supervisorctl
+Python virtualenv is used, by default you will see packages in:
 
-And then interactively use all options.
+    /venv_apps/bui/lib/python3.10/site-packages/
 
-*Logs:*
+And binaries in:
 
-Also supervisord allow proper stdout and stderror to logs redirection, so all logs are under `/var/logs/supervisor`
+    /venv_apps/bui/bin
 
-Logs are also rotated by logrotate automatically.
+You can change the variable for virtualenv, see defaults vars.
 
 Accessing burpui
 ----------------

ansible.cfg

@@ -12,6 +12,3 @@ roles_path = ../:/etc/ansible/roles
 host_key_checking = False
 
 retry_files_enabled = False
-
-[ssh_connection]
-pipelining = True 

defaults/main.yml

@@ -2,12 +2,15 @@
 # file defaults/main.yml
 
 # use syntax: https://pip.pypa.io/en/stable/reference/pip_install/#git
-burpui_pip_burpui_dev: 'git+https://git.ziirish.me/ziirish/burp-ui.git@stable#egg=burp-ui'
-burpui_use_dev: False
+burpui_pip_burpui_dev: 'git+https://git.ziirish.me/ziirish/burp-ui.git@master#egg=burp-ui'
+burpui_use_dev: False # False to use pip version with burpui_version var.
+# workaround for https://git.ziirish.me/ziirish/burp-ui/-/issues/347#note_3770
+# This workaround only works with dev version of the package install
+# requires:
+# burpui_use_dev: True
 
 burpui_pip_burpui: "burp-ui"
-burpui_version: 0.6.6
-python_pip_executable: "pip3" # pip3 only supported option
+burpui_version: 1.0.0
 
 burpui_pip_packages:
   - { name: "{{ burpui_pip_burpui }}", version: "{{ burpui_version }}" }
@@ -18,65 +21,31 @@ burpui_pip_packages:
   - { name: "{{ burpui_pip_burpui }}[celery]", version: "{{ burpui_version }}" }
   - { name: "{{ burpui_pip_burpui }}[websocket]", version: "{{ burpui_version }}" }
 
-# https://git.ziirish.me/ziirish/burp-ui/-/blob/master/requirements.txt
-burpui_pip_dev_present:
-  #- "cryptography"
-  - "redis==3.5.3"
-  #- "Flask-Migrate"
-  - "celery>=5.1.0"
-  - "cffi>=1.14.5"
-  - "gevent>=21.1.2"
-  - "ujson>=1.35"
-  - "urllib3>=1.19" # required to avoid issues with get_url module
-  # - "ndg-httpsclient>=0.4.2" # required to avoid issues with get_url module
-  - "pyasn1==0.4.8"
-  #- "six>=1.10.0"  # try to fix error in dependencies with requests[security]
-  - "requests[security]>=2.12"  # required to avoid issues with get_url module
-  - "Flask-Limiter==1.4"
-  - trio>=0.18.0
-  - Flask>=1.1.2
-  - Flask-Login>=0.5.0
-  - Flask-Bower>=1.3.0
-  - Flask-Babel>=2.0.0
-  - Flask-WTF>=0.14.3
-  - flask-restx>=0.3.0
-  - Flask-Caching>=1.10.1
-  - Flask-Session>=0.3.2
-  - WTForms>=2.3.3
-  - arrow>=0.14.2
-  - pluginbase>=1.0.0
-  - tzlocal>=2.1
-  - pyOpenSSL>=20.0.1
-  - configobj>=5.0.6
-  - async_generator>=1.10
-  - Click>=7.1.2
-
-burpui_pip_present:
-  #- "cryptography"
-  - "redis==3.5.3"
-  #- "Flask-Migrate"
-  - "celery>=5.1.0"
-  - "cffi>=1.14.5"
-  - "gevent>=21.1.2"
-  - "ujson>=1.35"
-  - "urllib3>=1.19" # required to avoid issues with get_url module
-  # - "ndg-httpsclient>=0.4.2" # required to avoid issues with get_url module
-  - "pyasn1==0.4.8"
-  #- "six>=1.10.0"  # try to fix error in dependencies with requests[security]
-  - "requests[security]>=2.12"  # required to avoid issues with get_url module
+##### --- CONFIG SECTION --- #####
 
+# burp backend to load either one of 'burp1', 'burp2', 'parallel' or 'multi'.
+# If you choose 'multi', you will have to declare at lease one 'Agent' section.
+# If you choose 'parallel', you need to configure the [Parallel] section.
+# Parallel is not yet added and tested, see issue#33
+# If you choose 'burp2', you need to configure the [Burp]
+# section.
+# The [Burp] section is also used with the 'parallel' backend for the restoration
+# process.
+# You can also use whatever custom backend you like if it is located in the
+# 'plugins' directory and if it implements the right interface.
+burpui_backend: burp2
 
 burpui_nginx_port: "8080"
 # This is to check availability and nginx template as reverse proxy
 burpui_global_port: "5000"
 
 #[Global]
 # https://burp-ui.readthedocs.io/en/stable/advanced_usage.html#configuration
-burpui_standalone: true
-burpui_global_version: "2"
-burpui_global_auth: "basic"
-burpui_global_acl: "basic"
-burpui_global_prefix: "none"
+burpui_global_version: '2'
+burpui_global_auth: 'basic'
+# use burpui_global_acl: 'basic' to enable this
+burpui_global_acl: 'none' # By default don't enable acl
+burpui_global_audit: 'none'
 burpui_global_plugins: 'none'
 #[UI]
 burpui_ui_refresh: "180"
@@ -91,10 +60,13 @@ burpui_production_cache: "redis"
 burpui_production_redis: "localhost:6379"
 burpui_production_celery: "true"
 burpui_production_database: "sqlite:////var/spool/burpui/celery.db"
-burpui_production_limiter: false
+burpui_production_limiter: "false"
+burpui_production_prefix: "none"
 # limiter ratio
 # see https://flask-limiter.readthedocs.io/en/stable/#ratelimit-string
 burpui_production_ratio: '60/minute'
+burpui_production_num_proxies: '0'
+burpui_production_proxy_fix_args: "{'x_proto': {num_proxies}, 'x_for': {num_proxies}, 'x_host': {num_proxies}, 'x_prefix': {num_proxies}}"
 #[Security]
 burpui_security_includes: "/etc/burp"
 burpui_security_enforce: "false"
@@ -120,9 +92,11 @@ burpui_backend_bconfcli: "/etc/burp/burp.conf"
 burpui_backend_bconfsrv: "/etc/burp/burp-server.conf"
 burpui_backend_tmpdir: "/tmp"
 burpui_backend_timeout: "60"
-#[LDAP]
+burpui_backend_deep_inspection: "false"
+# [Global]
+# auth = ldap
+#[LDAP:AUTH]
 # https://burp-ui.readthedocs.io/en/stable/advanced_usage.html#ldap
-burpui_ldap_enabled: false
 burpui_ldap_priority: "1"
 burpui_ldap_host: "127.0.0.1"
 burpui_ldap_port: "389"
@@ -135,43 +109,59 @@ burpui_ldap_base: '"ou=users,dc=example,dc=com"'
 burpui_ldap_binddn: '"cn=admin,dc=example,dc=com"'
 burpui_ldap_bindpw: "Sup3rS3cr3tPa$$w0rd"
 
-#[BASIC]
+#[BASIC:AUTH]
 burpui_basic_enabled: false
 burpui_basic_priority: "2"
 # Enable mixed to allow plain passwords https://git.ziirish.me/ziirish/burp-ui/issues/177#note_1794
 burpui_basic_mixed: "true"
 burpui_basic_users:
-  - { name: "admin", password: "admin" }
+  - { name: "admin", password: "plain$$adminstrongpassword" }
+
 
-#[LOCAL]
+#[LOCAL:AUTH]
 # https://burp-ui.readthedocs.io/en/stable/advanced_usage.html#local
 burpui_local_enabled: false
 burpui_local_priority: "3"
 burpui_local_users: "user1,user2"
 # Minimum uid that will be allowed to login
 burpui_local_limit: 1000
-
+#[ACL]
+burpui_acl_extended: 'true'
+burpui_acl_assume_rw: 'true'
+burpui_acl_inverse_inheritance: 'false'
+burpui_acl_implicit_link: 'true'
+burpui_acl_legacy: 'false'
 #[BASIC:ACL]
 burpui_basic_acl_enabled: false
 burpui_basic_acl_priority: 100
 burpui_basic_acl_admins: "user1,user2"
 burpui_basic_acl_users: false
 # https://burp-ui.readthedocs.io/en/stable/advanced_usage.html#basic-acl
-#burpui_basic_acl_users:
-#  - +moderator = user5,user6
-#  - @moderator = '{"agents":{"ro":["agent1"]}}'
+# burpui_basic_acl_users:
+#  - '+moderator = user5,user6'
+#  - '@moderator = '{"agents":{"ro":["agent1"]}}'
 
 # bui-agent
-# change burpui_standalone: false
 # To use multiple agents:
+# set burpui_backend: multiagent
 burpui_agents:
   - { name: "localhost", address: "127.0.0.1", port: "5001", password: "password", ssl: "false" }
 
+# TODO: Add support for parallel backend
+# https://burp-ui.readthedocs.io/en/latest/advanced_usage.html#parallel
+# burpui_parallel_host: localhost
+# burpui_parallel_port: 1111
+# burpui_parallel_timeout: 15
+# burpui_parallel_password: xxsdfsdfsf
+# burpui_parallel_ssl: true
+# burpui_parallel_concurrency: 2
+# burpui_parallel_init_wait: 15
+
 # Bui Celery
 burpui_sv_priority: "20"
 burpui_sv_directory: "/tmp"
 burpui_sv_environment: "C_FORCE_ROOT=true"
-burpui_sv_command: "/usr/local/bin/bui-celery -c /etc/burp/burpui.cfg -- --beat"
+burpui_sv_command: "{{ burpui_virtualenv_bin }}/bui-celery -c /etc/burp/burpui.cfg -- --beat"
 burpui_sv_autostart: "true"
 burpui_sv_autorestart: "true"
 burpui_sv_stdout_logfile: "/var/log/supervisor/%(program_name)s.log"
@@ -186,3 +176,47 @@ burpui_group: 'root'
 gunicorn_systemd_service: True
 bui_use_systemd: True
 gunicorn_upstart_service: False
+
+# Burpui audit basic
+# https://burp-ui.readthedocs.io/en/latest/advanced_usage.html#basic-audit
+burpui_audit_priority: '100'
+burpui_audit_level: 'WARNING'
+burpui_audit_logfile: 'none'
+burpui_audit_max_bytes: '30 * 1024 * 1024'
+burpui_audit_rotate: '5'
+
+##### --- END CONFIG SECTION --- #####
+
+##### --- PIP PACKAGES SECTION --- #####
+
+# https://git.ziirish.me/ziirish/burp-ui/-/blob/master/requirements.txt
+burpui_virtualenv: /venv_apps/bui
+burpui_virtualenv_bin: "{{ burpui_virtualenv}}/bin"
+burpui_virtualenv_python: python3
+
+# There are links in virtualenv_bin to link to /usr/local/bin
+burpui_bin_links:
+  - bui-agent-legacy
+  - bui-celery
+  - bui-manage
+  - bui-monitor
+  - burp-ui
+  - burp-ui-legacy
+  - jsonschema
+  - normalizer
+
+burpui_pip_present:
+  #- "cryptography"
+  - "redis==3.5.3"
+  #- "Flask-Migrate"
+  - "celery>=5.1.0"
+  - "cffi>=1.14.5"
+  - "gevent>=21.1.2"
+  - "ujson>=1.35"
+  - "urllib3>=1.19" # required to avoid issues with get_url module
+  # - "ndg-httpsclient>=0.4.2" # required to avoid issues with get_url module
+  - "pyasn1==0.4.8"
+  #- "six>=1.10.0"  # try to fix error in dependencies with requests[security]
+  - "requests[security]>=2.12"  # required to avoid issues with get_url module
+
+##### --------------------------- #####