Add support for security incident artifact compilation

core/Constants.py

@@ -34,6 +34,7 @@ class Constants:
     HV_PROFILE_DATA_HOME: Final[str] = f'{HV_DATA_HOME}/profiles'
 
     HV_APPLICATION_DATA_HOME: Final[str] = f'{HV_DATA_HOME}/applications'
+    HV_INCIDENT_DATA_HOME: Final[str] = f'{HV_DATA_HOME}/incidents'
     HV_RUNTIME_DATA_HOME: Final[str] = f'{HV_DATA_HOME}/runtime'
 
     HV_SESSION_STATE_HOME: Final[str] = f'{HV_STATE_HOME}/sessions'

core/controllers/ProfileController.py

@@ -249,6 +249,8 @@ class ProfileController:
         except EndpointVerificationError as error:
 
             if not EndpointVerificationError in ignore:
+
+                profile.address_security_incident()
                 raise error
 
     @staticmethod

core/models/BaseProfile.py

@@ -6,11 +6,13 @@ from core.models.session.ApplicationVersion import ApplicationVersion
 from dataclasses import dataclass, field, asdict
 from dataclasses_json import config, Exclude, dataclass_json
 from json import JSONDecodeError
+from pathlib import Path
 from typing import Optional, Self
 import json
 import os
 import re
 import shutil
+import tempfile
 
 
 @dataclass_json
@@ -27,6 +29,10 @@ class BaseProfile(ABC):
     def get_wireguard_configuration_path(self):
         pass
 
+    @abstractmethod
+    def has_wireguard_configuration(self):
+        pass
+
     def get_config_path(self):
         return BaseProfile.__get_config_path(self.id)
 
@@ -109,6 +115,21 @@ class BaseProfile(ABC):
         except FileNotFoundError:
             return None
 
+    def address_security_incident(self):
+
+        if self.has_wireguard_configuration():
+
+            wireguard_configuration_path = Path(self.get_wireguard_configuration_path())
+
+            incident_data_path = Path(Constants.HV_INCIDENT_DATA_HOME)
+            incident_data_path.mkdir(parents=True, exist_ok=True)
+
+            incident_path = Path(tempfile.mkdtemp(dir=incident_data_path, prefix=''))
+            incident_wireguard_configuration_path = f'{incident_path}/{wireguard_configuration_path.name}'
+
+            shutil.copy2(wireguard_configuration_path, incident_wireguard_configuration_path)
+            os.chmod(incident_wireguard_configuration_path, 0o664)
+
     def _get_dirty_keys(self: Self):
 
         reference = BaseProfile.find_by_id(self.id)

core/models/session/SessionProfile.py

@@ -87,6 +87,11 @@ class SessionProfile(BaseProfile):
     def has_wireguard_configuration(self):
         return os.path.isfile(f'{self.get_config_path()}/wg.conf')
 
+    def address_security_incident(self):
+
+        super().address_security_incident()
+        self.__delete_wireguard_configuration()
+
     def determine_timezone(self):
 
         time_zone = None

core/models/system/SystemProfile.py

@@ -55,6 +55,11 @@ class SystemProfile(BaseProfile):
     def has_wireguard_configuration(self):
         return os.path.isfile(f'{self.get_system_config_path()}/wg.conf')
 
+    def address_security_incident(self):
+
+        super().address_security_incident()
+        self.__delete_wireguard_configuration()
+
     def delete(self):
 
         try: