Fix SSH audit: lire settings DB au lieu de hardcoder user/key/suffixes

- SSH key et user lus depuis app_secrets (ssh_key_file, ssh_user) - Ajout .mpcz.fr dans DNS_SUFFIXES - Auto-detect Ed25519/RSA/ECDSA - Fallback password depuis secrets
2026-04-10 20:01:15 +02:00 · 2026-04-10 20:01:15 +02:00 · 16315ab3b5
commit 16315ab3b5
parent c2f3d669eb
1 changed files with 27 additions and 10 deletions
--- a/app/services/realtime_audit_service.py
+++ b/app/services/realtime_audit_service.py
@ -11,10 +11,24 @@ try:
 except ImportError:
    PARAMIKO_OK = False

-SSH_KEY = "/opt/patchcenter/keys/id_rsa_cybglobal.pem"
-SSH_USER = "cybsecope"
+SSH_KEY_DEFAULT = "/opt/patchcenter/keys/id_ed25519"
+SSH_USER_DEFAULT = "root"
 SSH_TIMEOUT = 12
-DNS_SUFFIXES = ["", ".sanef.groupe", ".sanef-rec.fr", ".sanef.fr"]
+DNS_SUFFIXES = ["", ".mpcz.fr", ".sanef.groupe", ".sanef-rec.fr", ".sanef.fr"]
+
+
+def _get_ssh_settings():
+    """Lit les settings SSH depuis app_secrets dans la DB."""
+    try:
+        from .secrets_service import get_secret
+        from ..database import SessionLocal
+        db = SessionLocal()
+        key_path = get_secret(db, "ssh_key_file") or SSH_KEY_DEFAULT
+        user = get_secret(db, "ssh_user") or SSH_USER_DEFAULT
+        db.close()
+        return key_path, user
+    except Exception:
+        return SSH_KEY_DEFAULT, SSH_USER_DEFAULT

 # Commandes d'audit (simplifiees pour le temps reel)
 AUDIT_CMDS = {
@ -62,14 +76,16 @@ def _connect(target):
        return None
    import os

-    # 1. Essai clé SSH
-    if os.path.exists(SSH_KEY):
-        for loader in [paramiko.RSAKey.from_private_key_file, paramiko.Ed25519Key.from_private_key_file]:
+    ssh_key, ssh_user = _get_ssh_settings()
+
+    # 1. Essai clé SSH depuis settings
+    if os.path.exists(ssh_key):
+        for loader in [paramiko.Ed25519Key.from_private_key_file, paramiko.RSAKey.from_private_key_file, paramiko.ECDSAKey.from_private_key_file]:
            try:
-                key = loader(SSH_KEY)
+                key = loader(ssh_key)
                client = paramiko.SSHClient()
                client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
-                client.connect(target, port=22, username=SSH_USER, pkey=key,
+                client.connect(target, port=22, username=ssh_user, pkey=key,
                               timeout=SSH_TIMEOUT, look_for_keys=False, allow_agent=False)
                return client
            except Exception:
@ -80,7 +96,7 @@ def _connect(target):
        from .secrets_service import get_secret
        from ..database import SessionLocal
        db = SessionLocal()
-        pwd_user = get_secret(db, "ssh_pwd_default_user") or "root"
+        pwd_user = get_secret(db, "ssh_pwd_default_user") or ssh_user
        pwd_pass = get_secret(db, "ssh_pwd_default_pass") or ""
        db.close()
        if pwd_pass:
@ -138,7 +154,8 @@ def audit_single_server(hostname):
        return result

    result["status"] = "OK"
-    result["connection_method"] = f"ssh_key ({SSH_USER}@{target})"
+    ssh_key, ssh_user = _get_ssh_settings()
+    result["connection_method"] = f"ssh_key ({ssh_user}@{target})"

    for key, cmd in AUDIT_CMDS.items():
        result[key] = _run(client, cmd)