more debug on icar

.gitignore

@@ -8,4 +8,5 @@ cert
 .dmypy.json
 docker/clamav
 testfiles
-samples
+samples
+ert-key

.vscode/launch.json

@@ -10,7 +10,7 @@
       "request": "launch",
       "module": "flask",
       "env": {"FLASK_APP": "avgate/avgate.py", "FLASK_DEBUG": "1"},
-      "args": ["run", "--no-debugger", "--no-reload", "--port", "5001"],
+      "args": ["run", "--no-debugger", "--port", "5001"],
       "jinja": true,
       "justMyCode": true
     },
@@ -20,7 +20,7 @@
       "request": "launch",
       "module": "flask",
       "env": {"FLASK_APP": "avgate/konnektor_mock.py", "FLASK_DEBUG": "1"},
-      "args": ["run", "--no-debugger", "--no-reload", "--host", "0.0.0.0", "--port", "5000", "--cert=adhoc"],
+      "args": ["run", "--no-debugger", "--host", "0.0.0.0", "--port", "5000", "--cert=adhoc"],
       "jinja": true,
       "justMyCode": true
     }

Dockerfile

@@ -31,3 +31,7 @@ RUN chmod u+x /app/startup.sh
 ENTRYPOINT ["/app/startup.sh"]
 
 EXPOSE 443
+
+# DEBUG
+RUN mkdir /app/dump
+RUN chown www-data:www-data /app/dump

avgate.ini

@@ -2,8 +2,8 @@
 [config]
 
 ; ICAP, if used
-icap_host = 127.0.0.1
-icap_service = icap://icap.server.net/srv_clamav
+icap_host = localhost
+icap_service = icap://icap.server.net/avscan
 ;icap_port = 1344 (default)
 ;icap_tls = false (default)
 
@@ -22,19 +22,19 @@ log_level = DEBUG
 
 ; Mapping Remote-Adresse mit Target-Port oder nur Target-Port zu Konnektor-Adresse
 [*:8400]
-konnektor = https://127.0.0.1:5000
+konnektor = https://localhost:5000
 ssl_verify = false
 
 ; Use proxy for all services to get same SSL termination
 proxy_all_services = true
 
 [*:5001]
-konnektor = https://127.0.0.1:5000
+konnektor = https://localhost:5000
 ssl_verify = false
 proxy_all_services = false
 
 ; default fallback if no other mapping is applicable
 ; is needed for running in docker
-;[default]
-;konnektor = https://minsky:5000
-;ssl_verify = false
+[default]
+konnektor = https://localhost:5000
+ssl_verify = false

avgate/avgate.py

@@ -31,6 +31,9 @@
     "TRACE",
     "PATCH",
 ]
+
+EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}" + rb"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
+
 # to prevent flooding log
 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
 
@@ -194,9 +197,12 @@ def phr_service():
             logger.debug("no new body, copying content from konnektor")
             data = upstream.content
 
-        assert (
-            b"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" not in data
-        ), "found EICAR signature"
+        # debugging only - remove after testing
+        if EICAR in data:
+            fn = f"/app/dump/{request.path.replace('/', '_')}.xml"
+            with open(fn, "wb") as f:
+                f.write(data)
+            logger.error(f"found EICAR signature - see content in file {fn}")
 
         response = create_response(data, upstream)
 
@@ -460,8 +466,8 @@ def get_malicious_content_ids(msg: EmailMessage):
             yield content_id
         else:
             logger.debug(f"scanned document {content_id} : {scan_res}")
-            if b"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" in att.get_content():
-                logger.error(f"EICAR was not detected by clamav {content_id}")
+            if EICAR in att.get_content():
+                logger.error(f"EICAR was not detected by av {content_id}")
 
 
 def extract_id(id: str) -> str:
@@ -643,8 +649,13 @@ def scan_file_icap(content):
     (first_block, second_block) = rsp.split(b"\r\n\r\n", 1)
     first_line = first_block.partition(b"\r\n")[0]
     http_response_code = second_block.partition(b"\r\n")[0]
-    # logger.debug(first_block)
-    # logger.debug(second_block[:500])
+
+    if EICAR in content:
+        logger.debug(f"Eicar ICAP REQ \n{req.encode()}{content}{footer.encode()}")
+        logger.debug(f"RESP\n{first_block}{second_block[:500]}")
+
+    # debug
+    return ["OK", None]
 
     # check icap status
     if first_line == b"ICAP/1.0 204 No modifications needed":

avgate/konnektor_mock.py

@@ -10,7 +10,7 @@ def root():
     return "up and running"
 
 
-@app.route("/soap-api/PHRService/1.3.0", methods=["POST", "GET"])
+@app.route("/ws/PHRService/1.3.0", methods=["POST", "GET"])
 def soap():
     fn = open("./samples/retrievedocument-resp_eicar", "br")
     b = io.BytesIO(fn.read().replace(b"\n", b"\r\n"))
@@ -40,7 +40,7 @@ def connector_sds():
     return response
 
 
-@app.route("/SignatureService", methods=["POST", "GET"])
+@app.route("/ws/SignatureService", methods=["POST", "GET"])
 def signature_service():
     abort(500, "will not work")
 

docker/template/nginx.conf

@@ -20,7 +20,7 @@ http {
     ssl_verify_client ${SSL_VERIFY_CLIENT};
 
     # avgate relevant urls
-    location ~ ^/(soap-api/PHRService|connector.sds|health|check) {
+    location ~ ^/(.*?/PHRService|connector.sds|health|check) {
       proxy_redirect off;
       include uwsgi_params;
       uwsgi_param HTTP_X_REAL_IP $remote_addr;

docs/develop.md

@@ -16,3 +16,30 @@ Ein lokaler icap server kann gestartet werden über
     docker build -t c-icap c-icap
     docker run -p 1344:1344 --rm --name c-icap c-icap
 ```
+
+AV-Gate als Docker
+```
+    docker build -t av-gate .
+
+    docker run --rm --name avgate -p 443:443 \
+    -e ICAP_HOST=host.docker.internal \
+    -e ICAP_SERVICE=icap://av_server/avscan \
+    -e KONNEKTOR=https://host.docker.internal:5000 \
+    -e SSL_VERIFY=false \
+    --mount type=bind,source="$(pwd)"/cert,target=/app/cert,readonly \
+    avgate
+```
+
+Für Linux zusätzlich `--add-host=host.docker.internal:host-gateway`
+
+```
+    curl -v --insecure --cert cert/kclient.cert --key cert/kclient.key "https://localhost/check"
+
+    curl -v --insecure --cert cert/kclient.cert --key cert/kclient.key "https://localhost/health"
+
+    curl -v --insecure --cert cert/kclient.cert --key cert/kclient.key "https://localhost/ws/PHRService/1.3.0" --data-binary "@samples/retrievedocument-resp"  --output - | less
+```
+
+
+
+