2.6.0.16972 -> 2.6.0.17159
==========================

[UPD] waptconsole: use a TSynEdit for add audit data form.
[IMP] waptwua: protect against infinite recursion when include_potentially_superseded_updates=1
* calculate the PENDING_REBOOT status instead of storing it. (return PENDING_REBOOT when waptwua.status is PENDING_UPDATES and reboot needed is True)
* set waptwua.status = SCAN_NEEDED if stored status is PENDING_REBOOT and reboot needed is False.
[GUI] waptconsole: display a warning icon for pending_reboot waptwua status
[UPD] waptwua: set PENDING_REBOOT if install of some updates is still InProgress
[UPD] reduce resolution of waptutils.bootup_time and make it stable
[UPD] waptwua: send kb download_urls to server even if waptwua is disabled on agent
* some customers are using waptwua to scan and install in offline mode without actually enabling waptwua on agent.
* in this case, server still needs to be able to download KB files.
* we are now filtering to keep only download urls ending with '.*\.exe$','.*\.cab$','.*\.msu$','.*\.psf$','.*\.wim$','.*\.msi$','.*\.esd$' so we should not have issues with streaming Urls like with previous wapt release on win11.
[IMP] wapt-get ping : add --waptservice_timeout , --trycount (default 1), --retrydelay (seconds) for ping
[IMP] waptconsole: when editing Org Unit package from treeview, if there is more than one package (ie different os or maturity), show them in Packages private Repo
* else just edit the latest matching unit package
[IMP] waptserver waptwua download: check again that extension of downloaded file is allowed.
* added a whitelist of regexp on server : 'waptwua_allowed_download_file': [r'^.*\.exe$', r'.*\.cab$', r'.*\.msu$', r'.*\.psf$', r'.*\.wim$', r'.*\.msi$' ]
* waptwua: allow .esd files too
[FIX] waptself: install/uninstall package task status not updated on Card if we have switched to another user.
[UPD] waptlicences.waptserver_login: add otp_code optional argument
[FIX] wapt-get sign-package command missing
* allow to check a signed package directory
[GUI] waptconsole grids hosts for package and host for winupdates: reduced default visible columns count
* increase header height.
* double click on host in HostsForPackage focused filter on host in inventory
[FIX] waptconsole edit Host package: package with incompatible maturity are listed
* add a warning if current host package is not compatible with known target host capabilities.
[IMP] waptserverconnection: allow to have a different set of client ssl key in same application.
* in waptconsole, if we use pywaptlicences.waptserver_login with same user as console (in update_package), we don't have the temp key password. So we have to create a different set.
[IMP] wapt-get search: add install_status in output templates.
[FIX] wapt-get regression (again) on useless local password input for waptservice action
[IMP] wapt templates: add CSV helper
* {{csv AList,";","col1","col2" }}
[IMP] add template for host_audit_host_metrics_peercache
[FIX] waptconsole default peercache_broadcast_timeout_ms_default = 200 and not 2000
[FIX] waptserver error 500 when trying to delete unassigned KB
* when download_urls is None
[NEW] Add win11 template to bypass requirements
[IMP] wapt-get as python substitute : handle -V and --version for pycharm
* python.exe --help
  usage: python.exe [option] ... [-c cmd | -m mod | file | -] [arg] ...
  Limited python subtitute for PyScripter and VSCode.
  Options and arguments (and corresponding environment variables):
  -c cmd : program passed in as string (terminates option list)
  -h : print this help message and exit (also --help)
  -m mod : run library module as a script (terminates option list)
  -q : don't print version and copyright messages on interactive startup
  -V : print the Python version number and exit (also --version) when given twice, print more information about the build
  -x : skip first line of source, allowing use of non-Unix forms of #!cmd
* [FIX] disable peercache_enable if cspn mode
* waptwua: update list of AuthorizedDomainRE for download_url report to server
* whitelist '^.*\.exe$','.*\.cab$','.*\.msu$','.*\.psf$','.*\.wim$','.*\.msi$' too
* allow download_urls to be reported in WU mode if waptwua is enabled
* waptwua: fix SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DisableWindowsUpdateAccess key for WU scan_mode
* refactor DV Variant result
* waptwua: properly init the variant result with VarClear
* to avoid potential Access Violation
[FIX] waptconsole: editing package from importing form when no matching cert found
[REF][FIX] waptwua refactoring. When using MSU install trick, download only all MSU, not other files.
* use same logic for download_updates and install_updates
* waptwua fix regression: missing AcceptEULA for update installs.
* waptwua: fix discarded in SummaryStatusDV
* fix regression introduced by 7384739bc1863dab92531c7252346d15b249bf3b
* causing a silent stack overflow and crash.
* waptwua: Be sure ProxyPID is initialized
[FIX] sogrid: loading columns from config
[FIX] waptconsole: software inventory cleanup
* Add peercache random time.sleep 0-2 s when peercache enable and WaptDownloadUpgrade (websocket) call Add waptdownloadupgrade when trigger_host_upgrade
[FIX] use certifi bundle for websockets verify if True
* as a workaround for #10336 on Linux
[FIX] waptwua with MSU : download all msu, but install only msu with KB in its filename
[IMP] waptconsole: edit host package allowing to save GridPackages properties
* wapt core: display raw main repo url instead of calculated from rules in repr
[FIX] waptconsole: repo rule grid direct edit restriction
* convert sequence into int
* restrict column which can be edited to 'sequence','name','repo_url'
[FIX] hardened the repo_url calculation in case of rules.json corruption
* fallback on raw main repo_url
[UPD] waptconsole wua column image: no image if no wua status
[FIX] waptconsole packages only available in maturities other than PROD are not listed when editing package dependencies
* closes 10337
* waptwua: update install history: display the error description
[FIX] waptconsole waptwua status text display regression
* renamed waptwua_status.status to waptwua_status/status
* sogrid does not interpret object path anymore.
* don't retrieve waptwua_status full object for each row by default
[UPD] peercache: reduce BroadcastTimeoutMS to 200ms
* increase BroadcastMaxResponses to 100
[FIX] cleanup of unassigned win update when there are no urls
* upgrade mormot2 with peercache fixes and logs improvements:
* fixed THttpPeerCache.OnDownloaded - it should now properly handle all finishing states - new THttpPartials.DoneLocked overloaded methods - fixed eventual download success state - improved logging content - fixed HasFile() method
* rewritten THttpPeerCache.OnDownloaded logic mostly about partial file switch
* rewritten THttpPeerCacheThread.OnFrameReceived - mostly about log content to ease debugging
* completed THttpPartials data structure - rewritten ChangeFile() method - renamed FindFile as HasFile method
* [FIX] cleanup of download_urls
* [SEC] synangelize: disable "CommandFile"
* to disable C:\Windows\SysWOW64\waptservice\services\cmd periodic file access
* [FIX] peercache: fixed THttpPartials wrong ID assumption
* [FIX] peercache : netfixed THttpPeerCache.OnDownload with empty URI
* https for fake wsus server to comply with audit tools
* [FIX] PeerCache response on POSIX - a broadcast with proper SetBroadcast() call seems mandatory
* update mormot2 for improved peercache behaviour
* seems to work better in case of reuse of http connection after keep-alive timeout
* [FIX] waptwua Variant array cannot be created
* [FIX] Be sure to use DV lists and not Variant Arrays when converting Python objects/list to DV variants
* [FIX] waptsetup: cleanup __pycache__ folders between two installs
* [SEC] fix the agent websocket still able to connect to server if verify_cert is set to a bad value
* don't patch enginio anymore as it now works properly with client side certificate enabled and verify_cert=False.
* [FIX] waptserver: allow unrestricted access to robots.txt

2.6.0.16972 -> 2.6.0.17084
==========================

[IMP] waptwua: hardened ToVariant in case of nil array
[FIX] wads: increase efi partition size to 400
[REF] waptwua refactoring to use variant instead of TDocVariantData in function results.
* removed unused scan checksums
[IMP] wapt-get: allow cmd commandline set-data json with hack on ' -> " for tests
[FIX] db cleanup for download_urls
[FIX] peercache process hardening
* avoid file sharing issue when one peer tries to rename partial file while another is getting the file
[FIX] waptconsole: wapt setup creation with SPN option #10285
[IMP] add wapt-get reset-config-from-base64 and set-config-from-base64
[FIX] wapt-get set-config-from-url and set-config-from-file reset all when no hash is provided on command line after the url
[IMP] waptconsole: wapt packages search error message
[FIX] waptconsole: reporting. fix canceling the edit of a new query
[FIX] filtering of url tlu.dl.delivery.mp.microsoft.com
[FIX] unzip in mormot2
[IMP] peercache audit log:
* start / end time in iso utc
* speed in kb/s
* wget_audit_count parameter to set the number of downloads audit history records on client (default to 30)
[IMP] wapt peercache: add firewall rules for windows in peercache audit log
* log full peercache settings too (don't convert to snakecase)
* fix install_json_config_file
[FIX] waptconsole: graph dependencies color for black mode
[FIX] waptconsole: os deploy for linux with hostname longer than 15 chars
[FIX] pywaptwua: be sure gstate is initialized
[FIX] waptlicences.waptwget: disable thread handling for linux i386 target as it hangs on PyEval_RestoreThread after python callback in PrintHook
* be sure gstate is initialized
[FIX] waptconsole show MS Help on host's windows updates
[FIX] waptcrypto python: deprecation warning on certificates not_before / not_after and timezone
[FIX] wapt-get re.findall regular expression
[REF][FIX] waptwua cleanup
* use variant for waptdb.SetParam value
* send wsus packages version to server in waptwua_status.rules_packages (closes issue #10169)
* send specific waptwua settings in waptwua_status.settings
[FIX] waptwua : Disable IsRescanNeeded waptwua. Now we always scan even if input conditions have not changed
[FIX] wapt-get get-public-param
[IMP] add --waitevents=
* if <=0, don't wait for tasks at all.
[IMP] waptconsole: handle Windows updates records deletion from waptconsole
* waptwua: ban .*\.?tlu\.dl\.delivery\.mp\.microsoft\.com downloading on server and agent
* as safety measure
* don't send download_urls to server if waptwua disabled or scan mode = 'WU'
[FIX] wapt-get: don't ask interactively for local service password
* waptwua: disable download_urls collection in 'WU' online mode or when waptwua is disabled
* as these are often unique streaming urls.
* grid cells formatting for wuadownloads form
[FIX] wapt-get reset-config : don't remove json config file in conf.d
* as removing them would mean that installed config packages have no matching install json anymore.
* what to do with manually added dynamic configs with wapt-get add-config-from-url for example ... there is no explicit way to distinguish them from json from config packages
* reset means only reset initial wapt-get.ini config
[IMP] waptwua server: concat download_urls when updating wsusupdates table
* in case different scans send different urls
[FIX] waptconsole: saving reporting query in some case, like renaming
[FIX] wapt core : publicdb migrate from privatedb
* key error 'install_by' -> 'explicit_by'
* fix compilation
* [IMP] wapt-core json config
* don't rewrite change "verify_cert" json key when installing json config file and in ApplyJsonConfigToIniFile
* set 'name' key in install_json_config when loading json configs
* RemoveJsonConfig returns now the list of removed files
* re-extract packages certificates and server certificates from json config at each config reload
* protect the wapt-get.ini build from json with a RLock in case 2 threads detect config changes and try to merge json at the same time
[IMP] force reinstall certificates from json dynamic configurations when loading Wapt configuration from ini file.
* fix potential bug in InstallJsonCerticates if ConfigName was not Default
* add install_json_config_certificates waptlicences helper
[FIX] waptconsole: dark mode in secondary repos errors
[FIX] waptconsole: pinning certificate warning
[IMP] wapt-get peercache waptwget: add audit data when files are downloaded
* section "host_metrics", key "peercache":
* keep last 100 downloads report for 30 days
* can be disabled with "enable_wget_audit=0" in wapt-get.ini (default true)
[IMP] wapt-get : add download-upgrade action in service mode
[NEW] waptconsole reporting: add action "Show selected hosts in inventory"
* available if a column is designated to be the host_uuid
* filter the host inventory tab based on the selected uuids
[FIX] Handle all property names literally in SOGrid.
Don't interpret property names as SOPath
* Call OnGetText when not editing cell
* should now handle properly property names with spaces or SOPath special chars
* update sogrid for Fix range check error in debug mode
[SEC] switch to openssl 3.4.1
[SEC] upgrade python modules
* libpq 14.12 -> 14.17
* libffi 3.4.6 -> 3.4.7
* readline 8.2 -> 8.2.13
* gdbm 1.23 -> gdbm-1.24
[IMP] add netbios_domain in info
[FIX] don't use client.root_dn() for setuphelpers_unix
[UPD] wapt-get.py: allow --peercache switch to start peercache server
* for debug purpose mainly
[UPD] nginx upgrade from 1.22.1 -> 1.27.4
[IMP] local direct peercache: use url encoded arguments for cert auth and proxy instead of OnPeerCacheDirectOptions callback
* was not thread safe anyway
[IMP] waptconsole acls form: add _has_cert and _has_password columns
* disable some actions when more than one account is selected
[FIX] waptserver: use UTC timestamp for socketio connect/disconnect timestamps
[FIX] update pltis_uicomponents for toolbar customization fixes
* should avoid buttons mismatch
[UPD] improve default html json mustache template
* add a basic tasks.html template for wapttasks
* use local time
[FIX] wapttray show tasks
* small utf8 encoding fix
[UPD] reporting display: display bytes in human bytes if column ends with '*_bytes' in reporting
* wapt-get: fix some utf8 encoding
[FIX] GetTemplateFilename for aapplication <> current application
* AAplicationName was not taken into account
[IMP] force mormot TAesGcm use in pywaptlicences
* instead of openssl AES-GCM of OpenSSL to circumvent issue with python ssl _load_windows_store_certs and PeerCacheProcess.HttpDirectUri
[IMP] waptconsole acls users: add a search box
[IMP] wapt-get server-request --data rework
* hack to replace single quote to double to workaround poor command line parsing
* we try to see if we have a json object like {'key':'value'} or [{'key'...
* waptservice local_login: add waptselfservice group for user == computer_name$ (windows) or user uid==0 (linux)
[FIX] wapt-get server-request auth for url wapt-get server-request api/v3/login?get_token=1
* waptwua: set scan_service=OFFLINE if scan_service not defined explicitly
[FIX] GetPasswordAndOtpFromPassword
[NEW] waptwua: add proxy_cmd parameter to start a local proxy for wsus when Wapt().waptwua(True) context is used
* and kill it when exiting from python context
* add pywaptwua.waptwua_params()
* use cheroot for wsgi server on proxylocal.py
* ban /filestreamingservice/ URLS
* update mormot2 for local peercache improvements
* DirectFileNameHead method
* allow HEAD on THttpPeerCache local http endpoint
* proxy or HEAD responses
* add try_local_peer_cache argument for waptwget for local peercache tests
* renamed localwget to localpeercache_args with extra args (url:str, hash:str, ca_certificate_file, certificate_file, private_key_file, ignore_certificate_errors: bool=True, http_proxy:str=None, bearer_token:str=None)->Dict
* must be called to get local url and bearer, and set access arguments for the remote get.
* don't start peercache server when initializing peercache parameters with waptlicences.peercache_init . One must call waptlicences.peercache_start
* wads: fix wads import host from wapt inventory
* [REF] small refactor of import_host_from_inventory
* [IMP] waptconsole: import hosts to wads
* [IMP] update waptservice french translations
* update waptservice fr translations
* waptdeploy: fallback to https:///wapt/waptagent.exe for wapt/waptagent.exe if not {{ip}} and the GetLocalIpAddress returns an empty address.
2.6.0.16937 -> 2.6.0.16972
==========================

[FIX] waptself (All) categories
* closes #10141
[UPD] removed flask_babel and babel from agent and server installs
* basic translations in waptservice
* no translation in waptserver
* removed pytz requirement
* gettext _ is configured and imported from waptservice_common
[FIX] handle user_is_member_of for macosx
[IMP] enable windows update service access if scan_service is not WSUS or OFFLINE
* allow to run wua online scan and install.
* fix error $8024002e, 'Access to an unmanaged server isn't allowed. in WU scan_service mode.
[FIX] missing groups from function setuphelpers.get_groups() on mac
[FIX] waptwua direct_download with proxy only for waptwua
* if a http_proxy is defined in the [waptwua] section, use it for the wget actions of waptwua (else use the http_proxy of [global] if defined and use_http_proxy_for_repo is true)
* in the python callback, if returned value for url or proxy is None, keep input value
* fix FileIsDifferentOnServer when a full url with a different server than actual repo server, and not only the relative one is provided.
* missing import in last commit
* include pysciter in python modules (but not the dlls)
[IMP] use a temporary location to store the stripped down CA pem file when verify_cert=1
* this is to prevent user from using this file for cert pinning.
* add a waptlicences helper to get such a pem CA file from python
* clear stripped ca cache on waptconsole startup
[IMP] python waptlicences: reenable python threading during lengthy operations in waptserver_login, waptserver_request, wapt_local_json_get , wapt_local_login, sz_extract_all
* enable python threading in waptwget too, and be sure to have python lock in PrintHook callback
[IMP] waptwua: re-add feedback to console when scanning and installing
* don't set NEED-SCAN on wsusscn2cab changes if not in offline mode
* use same policy settings (ie. disable dualscan and so) for wsusscn2.cab scan mode than upsync (WSUS) mode
[FIX] waptconsole: regression. show developer (control, setup) tabs in edit package in discovery mode
[FIX] waptdeploy: compare relative paths case insensitive
[IMP] waptservice better naming for packages to upgrade in WaptUpgrade task launch
[IMP] assume user is member of waptselfservice group for local auth if user is a direct member of local administrators group in filetoken mode.
[FIX] waptservice: fix packages authorization rules is None in discovery mode
* fix error 500
[FIX] waptwua: fix scan with updates without kbid
* error invalid collection index
* fix error code range check error
* explicit error for 0x80240438
* add error description for Unable to get update_history
[FIX] background edit color in package wizard
* waptserver: fix wuserver config read
[IMP] waptconsole: agent creation with SPN domain
* fix compilation
[IMP] waptconsole create waptsetup : use GetTempWaptFilename for temp json filename
[FIX] waptlicences: fix peercache_init parameters
* add bearer_token optional argument to waptwget
* allow pcoHttpDirect for peercache
* add localwget helper to get a local url and bearer for local peercache
* update mormot2
[IMP] wapt-get local service cred input: don't use WAPTSERVICE_TOKEN environment variable if WAPTSERVICE_USER does not match --waptservice-user option
* improve login with password
* when local auth method is filetoken, and we want to login with a different user as current one, we need to ask for a password.
* --waptservice-password=- (minus) force wapt-get to ask interactively for password.
* allow local-request to continue even if no auth (to test auth...)
[IMP] add "chr" mustache helper
* add --templatestring option to wapt-get
[NEW] waptwua: add a local wua proxy (wufb)
* add wuserver option in server for nginx