Merge pull request #89 from openappsec/Dec-24-2023

Dec 24 2023
2025-06-28 16:41:02 +03:00 · 2023-12-27 12:46:53 +02:00 · 2023-12-27 12:46:53 +02:00 · 12da9547dd
commit 12da9547dd
parent 3282774432 6a7c2402a5
7 changed files with 16 additions and 9 deletions
--- a/components/security_apps/orchestration/include/declarative_policy_utils.h
+++ b/components/security_apps/orchestration/include/declarative_policy_utils.h
@ -80,6 +80,7 @@ public:
    std::string getUpdate(CheckUpdateRequest &request) override;
    bool shouldApplyPolicy() override;
    void turnOffApplyPolicyFlag() override;
+    void turnOnApplyPolicyFlag() override;

    std::string getCurrPolicy() override { return curr_policy; }

--- a/components/security_apps/orchestration/include/i_declarative_policy.h
+++ b/components/security_apps/orchestration/include/i_declarative_policy.h
@ -23,6 +23,7 @@ public:
    virtual std::string getCurrPolicy() = 0;

    virtual void turnOffApplyPolicyFlag() = 0;
+    virtual void turnOnApplyPolicyFlag() = 0;

 protected:
    virtual ~I_DeclarativePolicy() {}
--- a/components/security_apps/orchestration/orchestration_comp.cc
+++ b/components/security_apps/orchestration/orchestration_comp.cc
@ -221,10 +221,7 @@ private:
        auto update_communication = Singleton::Consume<I_UpdateCommunication>::by<OrchestrationComp>();
        auto agent_mode = getOrchestrationMode();
        auto policy_mgmt_mode = getSettingWithDefault<string>("management", "profileManagedMode");
-        if (agent_mode == OrchestrationMode::HYBRID || policy_mgmt_mode == "declarative") {
-            update_communication->authenticateAgent();
-            return Maybe<void>();
-        }
+        bool declarative = agent_mode == OrchestrationMode::HYBRID || policy_mgmt_mode == "declarative";

        bool enforce_policy_flag = false;
        Maybe<OrchestrationPolicy> maybe_policy = genError("Empty policy");
@ -299,6 +296,7 @@ private:
            }
        }

+	if (declarative) Singleton::Consume<I_DeclarativePolicy>::from<DeclarativePolicyUtils>()->turnOnApplyPolicyFlag();
        return authentication_res;
    }

--- a/components/security_apps/orchestration/update_communication/declarative_policy_utils.cc
+++ b/components/security_apps/orchestration/update_communication/declarative_policy_utils.cc
@ -57,6 +57,12 @@ DeclarativePolicyUtils::turnOffApplyPolicyFlag()
    should_apply_policy = false;
 }

+void
+DeclarativePolicyUtils::turnOnApplyPolicyFlag()
+{
+    should_apply_policy = true;
+}
+
 Maybe<string>
 DeclarativePolicyUtils::getLocalPolicyChecksum()
 {
--- a/components/security_apps/rate_limit/rate_limit.cc
+++ b/components/security_apps/rate_limit/rate_limit.cc
@ -114,7 +114,7 @@ public:
            }

            string application_uri = maybe_uri.unpack();
-            if (application_uri.back() == '/') application_uri.pop_back();
+            if (!application_uri.empty() && application_uri.back() == '/') application_uri.pop_back();

            for (const auto &rule : rate_limit_config.getRateLimitRules()) {
                string full_rule_uri = application_uri + rule.getRateLimitUri();
@ -227,7 +227,7 @@ public:
            << " seconds";

        string unique_key = asset_id + ":" + source_identifier + ":" + uri;
-        if (unique_key.back() == '/') unique_key.pop_back();
+        if (!unique_key.empty() && unique_key.back() == '/') unique_key.pop_back();

        auto verdict = decide(unique_key);
        if (verdict == RateLimitVedict::ACCEPT) {
--- a/components/security_apps/waap/waap_clib/Waf2Engine.cc
+++ b/components/security_apps/waap/waap_clib/Waf2Engine.cc
@ -1741,7 +1741,7 @@ Waf2Transaction::sendLog()

    static int cur_grace_logs = 0;
    bool grace_period = is_hybrid_mode && cur_grace_logs < max_grace_logs;
-    bool send_extended_log = grace_period || shouldSendExtendedLog(triggerLog);
+    bool send_extended_log = shouldSendExtendedLog(triggerLog);
    if (grace_period) {
        dbgTrace(D_WAAP)
            << "Waf2Transaction::sendLog: current grace log index: "
@ -2339,7 +2339,7 @@ bool Waf2Transaction::shouldSendExtendedLog(const std::shared_ptr<Waap::Trigger:
    ReportIS::Severity severity = Waap::Util::computeSeverityFromThreatLevel(
        autonomousSecurityDecision->getThreatLevel());

-    if (trigger_log->extendLoggingMinSeverity == "Critical")
+    if (trigger_log->extendLoggingMinSeverity == "Critical" || trigger_log->extendLoggingMinSeverity == "critical")
    {
        if (severity == ReportIS::Severity::CRITICAL)
        {
@ -2349,7 +2349,7 @@ bool Waf2Transaction::shouldSendExtendedLog(const std::shared_ptr<Waap::Trigger:
        dbgTrace(D_WAAP) << "Should not send extended logging. Min Severity Critical. Severity: " << (int) severity;
        return false;
    }
-    else if (trigger_log->extendLoggingMinSeverity == "High")
+    else if (trigger_log->extendLoggingMinSeverity == "High" || trigger_log->extendLoggingMinSeverity == "high")
    {
        if (severity == ReportIS::Severity::CRITICAL || severity == ReportIS::Severity::HIGH)
        {
--- a/nodes/orchestration/package/cpnano_debug/cpnano_debug.cc
+++ b/nodes/orchestration/package/cpnano_debug/cpnano_debug.cc
@ -577,6 +577,7 @@ public:
    {
        try {
            cereal::load(ar, streams);
+            if (streams["Output"].empty()) streams["Output"] = "STDOUT";
            if (streams["Output"] != "FOG" && streams["Output"] != "STDOUT" && streams["Output"].front() != '/') {
                streams["Output"] = log_files_path + "/" + streams["Output"];
            }