diff --git a/components/include/generic_rulebase/match_query.h b/components/include/generic_rulebase/match_query.h index 787a99f..0a660a7 100755 --- a/components/include/generic_rulebase/match_query.h +++ b/components/include/generic_rulebase/match_query.h @@ -89,7 +89,9 @@ private: bool matchAttributesRegEx(const std::set &values, std::set &matched_override_keywords) const; bool matchAttributesString(const std::set &values) const; + bool matchAttributesIp(const std::set &values) const; bool isRegEx() const; + bool isIP() const; MatchType type; Operators operator_type; diff --git a/components/security_apps/layer_7_access_control/layer_7_access_control.cc b/components/security_apps/layer_7_access_control/layer_7_access_control.cc index 4149ec6..c999429 100644 --- a/components/security_apps/layer_7_access_control/layer_7_access_control.cc +++ b/components/security_apps/layer_7_access_control/layer_7_access_control.cc 
@@ -385,8 +385,29 @@ Layer7AccessControl::Impl::init() i_intelligence = Singleton::Consume::by(); i_mainloop = Singleton::Consume::by(); - chrono::minutes expiration( - getProfileAgentSettingWithDefault(60u, "layer7AccessControl.crowdsec.cacheExpiration") + int cache_expiration_in_seconds = 30; + string cache_expiration_env = getenv("CROWDSEC_CACHE_EXPIRATION") ? getenv("CROWDSEC_CACHE_EXPIRATION") : ""; + if (!cache_expiration_env.empty()) { + if ( + all_of(cache_expiration_env.begin(), cache_expiration_env.end(), ::isdigit) + && stoi(cache_expiration_env) > 0 + ) { + cache_expiration_in_seconds = stoi(cache_expiration_env); + dbgInfo(D_L7_ACCESS_CONTROL) + << "Successfully read cache expiration value from env: " + << cache_expiration_env; + } else { + dbgWarning(D_L7_ACCESS_CONTROL) + << "An invalid cache expiration value was provided in env: " + << cache_expiration_env; + } + } + + chrono::seconds expiration( + getProfileAgentSettingWithDefault( + cache_expiration_in_seconds, + "layer7AccessControl.crowdsec.cacheExpiration" + ) ); ip_reputation_cache.startExpiration( diff --git a/components/security_apps/orchestration/include/updates_process_event.h b/components/security_apps/orchestration/include/updates_process_event.h index 12eab13..9bf76d0 100644 --- a/components/security_apps/orchestration/include/updates_process_event.h +++ b/components/security_apps/orchestration/include/updates_process_event.h @@ -117,6 +117,7 @@ public: OrchestrationStatusResult getOrchestrationStatusResult() const; std::string parseDescription() const; + std::string getDescriptionWithoutErrors() const; private: UpdatesProcessResult result; diff --git a/components/security_apps/orchestration/modules/modules_ut/orchestration_status_ut.cc b/components/security_apps/orchestration/modules/modules_ut/orchestration_status_ut.cc index 08b870c..8d4dec8 100755 --- a/components/security_apps/orchestration/modules/modules_ut/orchestration_status_ut.cc 
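Review bot: The digit-only check on the new env parsing does not protect the `stoi` calls that follow it: a value such as twelve consecutive 9s passes `all_of(... ::isdigit)` yet makes `stoi` throw `std::out_of_range`, which would escape `Impl::init()` instead of being reported through the `dbgWarning` branch. `::isdigit` is also given a plain `char`, which is undefined for bytes above 0x7F that an environment variable can carry; pass `unsigned char`. Parsing once under a try/catch and reusing the result also removes the second `stoi` and the second `getenv`. The body of `Layer7AccessControl::Impl::init()` begins and ends outside this hunk.
```cpp
    int cache_expiration_in_seconds = 30;
    const char *cache_expiration_raw = getenv("CROWDSEC_CACHE_EXPIRATION");
    string cache_expiration_env = cache_expiration_raw ? cache_expiration_raw : "";
    if (!cache_expiration_env.empty()) {
        bool digits_only = all_of(
            cache_expiration_env.begin(),
            cache_expiration_env.end(),
            [](unsigned char c) { return ::isdigit(c) != 0; }
        );
        int parsed = 0;
        try {
            if (digits_only) parsed = stoi(cache_expiration_env);
        } catch (const std::out_of_range &) {
            parsed = 0; // digit string wider than int: treat as invalid
        }
        if (parsed > 0) {
            cache_expiration_in_seconds = parsed;
            // … unchanged: dbgInfo "Successfully read cache expiration value from env" …
        } else {
            // … unchanged: dbgWarning "An invalid cache expiration value was provided in env" …
        }
    }
    // … unchanged: chrono::seconds expiration(getProfileAgentSettingWithDefault(...)) …
```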
+++ b/components/security_apps/orchestration/modules/modules_ut/orchestration_status_ut.cc @@ -556,7 +556,7 @@ TEST_F(OrchestrationStatusTest, checkErrorByRaiseEvent) "Time", "Online upgrades", fog_address, - "Failed. Reason: Registration failed. Error: " + registar_error, + "Failed. Reason: Registration failed.", "Failed. Reason: " + manifest_error ), result diff --git a/components/security_apps/orchestration/modules/orchestration_status.cc b/components/security_apps/orchestration/modules/orchestration_status.cc index 331a10b..22c440d 100755 --- a/components/security_apps/orchestration/modules/orchestration_status.cc +++ b/components/security_apps/orchestration/modules/orchestration_status.cc @@ -473,7 +473,11 @@ public: void upon(const UpdatesProcessEvent &event) override { - setFieldStatus(event.getStatusFieldType(), event.getOrchestrationStatusResult(), event.parseDescription()); + setFieldStatus( + event.getStatusFieldType(), + event.getOrchestrationStatusResult(), + event.getDescriptionWithoutErrors() + ); } private: diff --git a/components/security_apps/orchestration/updates_process_reporter/updates_process_event.cc b/components/security_apps/orchestration/updates_process_reporter/updates_process_event.cc index b6afa5b..d9757a8 100644 --- a/components/security_apps/orchestration/updates_process_reporter/updates_process_event.cc +++ b/components/security_apps/orchestration/updates_process_reporter/updates_process_event.cc 
@@ -122,3 +122,62 @@ UpdatesProcessEvent::parseDescription() const } return err.str(); } + +string +UpdatesProcessEvent::getDescriptionWithoutErrors() const +{ + stringstream err; + if (description.empty() || result == UpdatesProcessResult::SUCCESS) return ""; + + switch (reason) { + case UpdatesFailureReason::CHECK_UPDATE: { + err << description; + break; + } + case UpdatesFailureReason::REGISTRATION: { + err << "Registration failed."; + break; + } + case UpdatesFailureReason::GET_UPDATE_REQUEST: { + err << "Failed to get update request."; + break; + } + case UpdatesFailureReason::DOWNLOAD_FILE : { + err << "Failed to download the file " << detail; + break; + } + case UpdatesFailureReason::HANDLE_FILE : { + err << "Failed to handle the file " << detail; + break; + } + case UpdatesFailureReason::INSTALLATION_QUEUE : { + err << "Installation queue creation failed."; + break; + } + case UpdatesFailureReason::INSTALL_PACKAGE : { + err << "Failed to install the package " << detail; + break; + } + case UpdatesFailureReason::CHECKSUM_UNMATCHED : { + err << "Checksums do not match for the file: " << detail; + break; + } + case UpdatesFailureReason::POLICY_CONFIGURATION : { + err << "Failed to configure policy version: " << detail; + break; + } + case UpdatesFailureReason::POLICY_FOG_CONFIGURATION : { + err << "Failed to configure the fog address: " << detail; + break; + } + case UpdatesFailureReason::ORCHESTRATION_SELF_UPDATE : { + err << description; + break; + } + case UpdatesFailureReason::NONE : { + err << description; + break; + } + } + return err.str(); +} diff --git a/components/security_apps/waap/include/i_serialize.h b/components/security_apps/waap/include/i_serialize.h index 4723af2..ee59f5f 100755 --- a/components/security_apps/waap/include/i_serialize.h +++ b/components/security_apps/waap/include/i_serialize.h @@ -57,7 +57,6 @@ private: std::vector filesPathsList; }; - class I_Serializable { public: virtual void serialize(std::ostream& stream) = 0; 
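Review bot: `getDescriptionWithoutErrors` returns the raw `description` unchanged for `CHECK_UPDATE`, `ORCHESTRATION_SELF_UPDATE` and `NONE`, so for those reasons nothing is stripped and a caller trusting the name can still surface the captured error text in the status field. A comment on the definition would make the contract explicit, e.g. `// Reason-only summary for the status field: drops the captured error text for the update-flow reasons; CHECK_UPDATE, self-update and NONE pass description through as-is.` The switch also repeats the reason-to-message mapping that `parseDescription` (whose body starts above this hunk) presumably holds; one private helper taking a flag for whether to append the error would keep the two from drifting when a reason is added. The early return on `description.empty()` also suppresses the fixed texts such as "Registration failed." even though those cases never read `description`; confirm that is intended.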
diff --git a/components/security_apps/waap/waap_clib/Serializator.cc b/components/security_apps/waap/waap_clib/Serializator.cc index 5b982b9..f499cb5 100755 --- a/components/security_apps/waap/waap_clib/Serializator.cc +++ b/components/security_apps/waap/waap_clib/Serializator.cc @@ -397,7 +397,7 @@ SerializeToLocalAndRemoteSyncBase::SerializeToLocalAndRemoteSyncBase( const string &owner ) : SerializeToFileBase(filePath), - m_remotePath(remotePath), + m_remotePath(replaceAllCopy(remotePath, "//", "/")), m_interval(0), m_owner(owner), m_pMainLoop(nullptr), @@ -407,7 +407,7 @@ SerializeToLocalAndRemoteSyncBase::SerializeToLocalAndRemoteSyncBase( m_windowsCount(0), m_intervalsCounter(0), m_remoteSyncEnabled(true), - m_assetId(assetId), + m_assetId(replaceAllCopy(assetId, "/", "")), m_isAssetIdUuid(Waap::Util::isUuid(assetId)), m_shared_storage_host(genError("not set")), m_learning_host(genError("not set")) @@ -439,7 +439,7 @@ SerializeToLocalAndRemoteSyncBase::SerializeToLocalAndRemoteSyncBase( } if (remotePath != "") { // remote path is /// - auto parts = split(remotePath, '/'); + auto parts = split(m_remotePath, '/'); if (parts.size() > 2) { size_t offset = 0; if (parts[0].empty()) { @@ -656,8 +656,7 @@ void SerializeToLocalAndRemoteSyncBase::syncWorker() OrchestrationMode mode = Singleton::exists() ? Singleton::Consume::by()->getOrchestrationMode() : OrchestrationMode::ONLINE; - if (mode == OrchestrationMode::OFFLINE || !m_remoteSyncEnabled || isBase() || - (mode == OrchestrationMode::ONLINE && !m_isAssetIdUuid) || !postData()) { + if (mode == OrchestrationMode::OFFLINE || !m_remoteSyncEnabled || isBase() || !postData()) { dbgDebug(D_WAAP_CONFIDENCE_CALCULATOR) << "Did not synchronize the data. for asset: " << m_assetId diff --git a/components/security_apps/waap/waap_clib/Telemetry.cc b/components/security_apps/waap/waap_clib/Telemetry.cc index c12d40c..447cc3a 100755 --- a/components/security_apps/waap/waap_clib/Telemetry.cc 
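Review bot: `m_isAssetIdUuid` is still computed from the raw `assetId` while `m_assetId` now holds the slash-stripped copy, so the two members can describe different strings; compute it from the sanitized value, `m_isAssetIdUuid(Waap::Util::isUuid(m_assetId))` (member initialization order permitting), or validate once before the initializer list. Together with the @@ -656 hunk, which drops the `mode == ONLINE && !m_isAssetIdUuid` guard, non-UUID asset ids are now synchronized in online mode, and removing only `/` from them leaves components such as `..` untouched; if `m_assetId` is joined into the remote path elsewhere (not visible here), an allow-list of permitted characters is a safer normalization than a single replace. The @@ -439 hunk correctly splits the normalized `m_remotePath`, but the `replaceAllCopy(..., "//", "/")` that builds it in @@ -397 is a single pass and may leave `//` behind when the input held three or more consecutive slashes.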
+++ b/components/security_apps/waap/waap_clib/Telemetry.cc @@ -37,7 +37,14 @@ WaapTelemetryBase::sendLog(const LogRest &metric_client_rest) const if (mode == OrchestrationMode::ONLINE) { return; } - auto svc_host = getConfigurationWithDefault(default_host, "Logging", "K8sSvc Log host"); + const char* host_env_var = getenv("TUNING_HOST"); + string host; + if (host_env_var != nullptr && strlen(host_env_var) > 0) { + host = string(host_env_var); + } else { + host = default_host; + } + auto svc_host = getConfigurationWithDefault(host, "Logging", "Container Log host"); string fog_metric_uri = getConfigurationWithDefault("/api/v1/agents/events", "metric", "fogMetricUri"); MessageMetadata req_md(svc_host, 80); req_md.insertHeader( diff --git a/components/security_apps/waap/waap_clib/TuningDecision.cc b/components/security_apps/waap/waap_clib/TuningDecision.cc index a414500..6ff5a1e 100755 --- a/components/security_apps/waap/waap_clib/TuningDecision.cc +++ b/components/security_apps/waap/waap_clib/TuningDecision.cc @@ -15,6 +15,7 @@ #include "i_mainloop.h" #include "i_serialize.h" #include "waap.h" +#include "Waf2Util.h" using namespace std; @@ -25,7 +26,7 @@ USE_DEBUG_FLAG(D_WAAP); TuningDecision::TuningDecision(const string& remotePath) : - m_remotePath(remotePath + "/tuning"), + m_remotePath(replaceAllCopy(remotePath + "/tuning", "//", "/")), m_baseUri() { if (remotePath == "") diff --git a/components/security_apps/waap/waap_clib/Waf2Util.h b/components/security_apps/waap/waap_clib/Waf2Util.h index 5ae0a9b..d95a8ee 100755 --- a/components/security_apps/waap/waap_clib/Waf2Util.h +++ b/components/security_apps/waap/waap_clib/Waf2Util.h 
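Review bot: The `TUNING_HOST` lookup with fallback to `default_host` is pasted verbatim here and twice more in `ContainerSvcStream::sendLog` (both hunks of `core/logging/k8s_svc_stream.cc`); a small shared helper, e.g. `string getLogHostDefault(const string &fallback)` in a common header, would keep the three copies from drifting. Because the environment variable now decides where security logs and telemetry are delivered, the override should be visible at runtime: emit a `dbgInfo`/`dbgDebug` line when `host_env_var` is taken so an unexpected redirection of the log destination shows up in the agent's own debug output. The name `TUNING_HOST` also reads as tuning-specific while in `k8s_svc_stream.cc` it redirects the general container log stream; a comment there stating that this is intentional would help. `sendLog` continues past the end of this hunk.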
@@ -733,6 +733,12 @@ inline void replaceAll(std::string& str, const std::string& from, const std::str start_pos += to.length(); // In case 'to' contains 'from', like replacing 'x' with 'yx' } } + +inline std::string replaceAllCopy(std::string str, const std::string& from, const std::string& to) { + replaceAll(str, from, to); + return str; +} + inline void alignBase64Chunk (std::string &chunk) { size_t len = chunk.length() % 4; diff --git a/components/utils/generic_rulebase/match_query.cc b/components/utils/generic_rulebase/match_query.cc index ef985dc..4703c2d 100644 --- a/components/utils/generic_rulebase/match_query.cc +++ b/components/utils/generic_rulebase/match_query.cc @@ -299,7 +299,16 @@ MatchQuery::matchAttributes( { auto &type = condition_type; bool negate = type == MatchQuery::Conditions::NotEquals || type == MatchQuery::Conditions::NotIn; - bool match = isRegEx() ? matchAttributesRegEx(values, matched_override_keywords) : matchAttributesString(values); + bool match = false; + + if (isIP()) { + match = matchAttributesIp(values); + } else if (isRegEx()) { + match = matchAttributesRegEx(values, matched_override_keywords); + } else { + match = matchAttributesString(values); + } + return negate ? !match : match; } @@ -340,8 +349,26 @@ MatchQuery::matchAttributesString(const set &values) const return false; } +bool +MatchQuery::matchAttributesIp(const set &values) const +{ + for (const IPRange &rule_ip_range : ip_addr_value) { + for (const string &requested_value : values) { + IpAddress ip_addr = IPUtilities::createIpFromString(requested_value); + if (IPUtilities::isIpAddrInRange(rule_ip_range, ip_addr)) return true; + } + } + return false; +} + bool MatchQuery::isRegEx() const { return key != "protectionName"; } + +bool +MatchQuery::isIP() const +{ + return key == "sourceIP" || key == "destinationIP"; +} diff --git a/core/logging/k8s_svc_stream.cc b/core/logging/k8s_svc_stream.cc index c3286f7..081c25b 100644 --- a/core/logging/k8s_svc_stream.cc 
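Review bot: `replaceAllCopy` inherits the single-pass behaviour of `replaceAll`, whose scan resumes after the inserted text, so if `replaceAll` is the usual find/replace loop (its head lies above this hunk) a call like `replaceAllCopy("a///b", "//", "/")` yields `a//b` rather than `a/b`. The new callers in `Serializator.cc` and `TuningDecision.cc` use exactly this `"//"` to `"/"` pattern to canonicalize a remote path, so either document the limitation in a comment above the function, `// Single pass: overlapping matches created by the replacement are not re-scanned.`, or have those callers loop until the string stops changing. Taking `str` by value and returning it is the right shape for the copying variant.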
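Review bot: `matchAttributesIp` re-parses every requested value once per rule range because the loops are nested with the ranges outermost; swapping the order parses each value exactly once and returns the same result. It also passes whatever `IPUtilities::createIpFromString` returns for a non-address string straight into `isIpAddrInRange`; if that helper reports failure through a distinguishable value (not visible here), skip such entries so a malformed attribute cannot accidentally satisfy a range, and say so in a comment. `ip_addr_value` is presumably populated when the rule is loaded, outside this diff.
```cpp
    // body of MatchQuery::matchAttributesIp: parse each requested value once
    for (const string &requested_value : values) {
        IpAddress ip_addr = IPUtilities::createIpFromString(requested_value);
        for (const IPRange &rule_ip_range : ip_addr_value) {
            if (IPUtilities::isIpAddrInRange(rule_ip_range, ip_addr)) return true;
        }
    }
    return false;
```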
+++ b/core/logging/k8s_svc_stream.cc @@ -35,7 +35,14 @@ ContainerSvcStream::~ContainerSvcStream() void ContainerSvcStream::sendLog(const Report &log) { - auto svc_host = getConfigurationWithDefault(default_host, "Logging", "Container Log host"); + const char* host_env_var = getenv("TUNING_HOST"); + string host; + if (host_env_var != nullptr && strlen(host_env_var) > 0) { + host = string(host_env_var); + } else { + host = default_host; + } + auto svc_host = getConfigurationWithDefault(host, "Logging", "Container Log host"); auto svc_log_uri = getConfigurationWithDefault(default_log_uri, "Logging", "Container Log URI"); LogRest rest(log); @@ -66,7 +73,14 @@ ContainerSvcStream::sendLog(const LogBulkRest &logs, bool persistence_only) return; } - auto svc_host = getConfigurationWithDefault(default_host, "Logging", "Container Log host"); + const char* host_env_var = getenv("TUNING_HOST"); + string host; + if (host_env_var != nullptr && strlen(host_env_var) > 0) { + host = string(host_env_var); + } else { + host = default_host; + } + auto svc_host = getConfigurationWithDefault(host, "Logging", "Container Log host"); auto svc_log_uri = getConfigurationWithDefault(default_bulk_uri, "Logging", "Container Bulk Log URI"); MessageMetadata rest_req_md(svc_host, 80);