From 27d1d00379de1f2cc93cf2784294951bf5b196b5 Mon Sep 17 00:00:00 2001 From: David Gambarin Date: Mon, 26 Dec 2022 11:04:51 +0200 Subject: [PATCH] Add support for visability mode --- .../include/declarative_policy_utils.h | 83 +++++ .../orchestration/include/fog_communication.h | 5 + .../include/hybrid_communication.h | 7 +- .../include/update_policy_notification.h | 30 ++ .../include/appsec_practice_section.h | 8 +- .../include/exceptions_section.h | 4 +- .../include/ingress_data.h | 4 +- .../include/k8s_policy_common.h | 4 +- .../include/rules_config_section.h | 6 +- .../include/settings_section.h | 4 +- .../include/snort_section.h | 4 +- .../include/triggers_section.h | 4 +- .../include/trusted_sources_section.h | 4 +- .../local_policy_mgmt_gen.cc | 19 +- .../update_communication/CMakeLists.txt | 3 +- .../declarative_policy_utils.cc | 172 +++++++++++ .../update_communication/fog_communication.cc | 48 +++ .../hybrid_communication.cc | 119 ++++---- .../update_communication.cc | 1 + .../update_communication_ut/CMakeLists.txt | 2 +- core/encryptor/cpnano_base64/CMakeLists.txt | 9 +- .../cpnano_base64/cpnano_base64.strip | Bin 0 -> 39136 bytes core/shell_cmd/shell_cmd.cc | 2 +- .../package/open-appsec-cloud-mgmt | 287 ++++++++++++++++++ .../package/open-appsec-cloud-mgmt-k8s | 285 +++++++++++++++++ .../package/orchestration_package.sh | 3 + 26 files changed, 1014 insertions(+), 103 deletions(-) create mode 100644 components/security_apps/orchestration/include/declarative_policy_utils.h create mode 100755 components/security_apps/orchestration/include/update_policy_notification.h create mode 100755 components/security_apps/orchestration/update_communication/declarative_policy_utils.cc create mode 100755 core/encryptor/cpnano_base64/cpnano_base64.strip create mode 100755 nodes/orchestration/package/open-appsec-cloud-mgmt create mode 100755 nodes/orchestration/package/open-appsec-cloud-mgmt-k8s 
diff --git a/components/security_apps/orchestration/include/declarative_policy_utils.h b/components/security_apps/orchestration/include/declarative_policy_utils.h new file mode 100644
index 0000000..0f38c4a
--- /dev/null
+++ b/components/security_apps/orchestration/include/declarative_policy_utils.h
@@ -0,0 +1,83 @@
+#ifndef __DECLARATIVE_POLICY_UTILS_H__
+#define __DECLARATIVE_POLICY_UTILS_H__
+
+#include
+#include
+#include
+#include
+#include "cereal/archives/json.hpp"
+
+#include "singleton.h"
+#include "i_update_communication.h"
+#include "fog_authenticator.h"
+#include "i_local_policy_mgmt_gen.h"
+#include "i_orchestration_tools.h"
+#include "i_agent_details.h"
+#include "i_orchestration_status.h"
+#include "i_messaging.h"
+#include "i_mainloop.h"
+#include "i_encryptor.h"
+#include "i_details_resolver.h"
+#include "i_rest_api.h"
+#include "i_time_get.h"
+#include "i_shell_cmd.h"
+#include "i_encryptor.h"
+#include "maybe_res.h"
+#include "event.h"
+
+class ApplyPolicyEvent : public Event
+{
+public:
+ ApplyPolicyEvent() {}
+};
+
+class DeclarativePolicyUtils
+ :
+ public Singleton::Consume,
+ Singleton::Consume,
+ Singleton::Consume,
+ Singleton::Consume,
+ Singleton::Consume,
+ public Listener
+{
+public:
+ class ApplyPolicyRest : public ServerRest
+ {
+ public:
+ // LCOV_EXCL_START Reason: no test exist
+ void
+ doCall() override
+ {
+ ApplyPolicyEvent().notify();
+ }
+ // LCOV_EXCL_STOP
+ };
+
+ void init();
+ Maybe getLocalPolicyChecksum();
+ std::string getPolicyChecksum();
+ void updateCurrentPolicy(const std::string &policy_checksum);
+ void sendUpdatesToFog(
+ const std::string &access_token,
+ const std::string &tenant_id,
+ const std::string &profile_id,
+ const std::string &fog_address
+ );
+ std::string getUpdate(CheckUpdateRequest &request);
+ bool shouldApplyPolicy();
+ void turnOffApplyPolicyFlag();
+
+ std::string getCurrVersion() { return curr_version; }
+ std::string getCurrPolicy() { return curr_policy; }
+
+ void upon(const ApplyPolicyEvent &event) override;
+
+private:
+ std::string getCleanChecksum(const std::string &unclean_checksum);
+
+ std::string curr_version;
+ std::string curr_policy;
+ bool should_apply_policy;
+};
+
+#endif // __DECLARATIVE_POLICY_UTILS_H__
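Review bot: `bool should_apply_policy;` at the end of DeclarativePolicyUtils has no in-class initializer, so until init() runs, shouldApplyPolicy() reads an indeterminate value on the non-K8S path (the K8S path short-circuits to true); give it a default in the declaration, `bool should_apply_policy = true;`, which also matches what init() assigns. `#include "i_encryptor.h"` appears twice in the include list; drop the second copy. The class carries no documentation — a short header comment stating that it holds the locally managed (declarative) policy state embedded by both FogCommunication and HybridCommunication, and that the `apply-policy` REST call only raises a flag that the next getUpdate() consumes, would spare the next reader a trip through three files.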
diff --git a/components/security_apps/orchestration/include/fog_communication.h b/components/security_apps/orchestration/include/fog_communication.h index b93dac2..d41768b 100755 --- a/components/security_apps/orchestration/include/fog_communication.h +++ b/components/security_apps/orchestration/include/fog_communication.h @@ -33,13 +33,18 @@ #include "i_time_get.h" #include "i_encryptor.h" #include "maybe_res.h" +#include "declarative_policy_utils.h" class FogCommunication : public FogAuthenticator { public: + void init() override; Maybe getUpdate(CheckUpdateRequest &request) override; Maybe downloadAttributeFile(const GetResourceFile &resourse_file) override; Maybe sendPolicyVersion(const std::string &policy_version) const override; + +private: + DeclarativePolicyUtils declarative_policy_utils; }; #endif // __FOG_COMMUNICATION_H__ diff --git a/components/security_apps/orchestration/include/hybrid_communication.h b/components/security_apps/orchestration/include/hybrid_communication.h index a582cc1..e452354 100755 --- a/components/security_apps/orchestration/include/hybrid_communication.h +++ b/components/security_apps/orchestration/include/hybrid_communication.h @@ -35,6 +35,7 @@ #include "i_time_get.h" #include "i_encryptor.h" #include "maybe_res.h" +#include "declarative_policy_utils.h" class HybridCommunication : @@ -42,17 +43,15 @@ class HybridCommunication Singleton::Consume { public: - virtual void init() override; + void init() override; Maybe getUpdate(CheckUpdateRequest &request) override; Maybe downloadAttributeFile(const GetResourceFile &resourse_file) override; Maybe sendPolicyVersion(const std::string &policy_version) const override; - std::string getChecksum(const std::string &policy_version); private: Maybe getNewVersion(); - std::string curr_version; - std::string curr_policy; + DeclarativePolicyUtils declarative_policy_utils; }; #endif // __HYBRID_COMMUNICATION_H__ 
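Review bot: FogCommunication and HybridCommunication each embed their own `DeclarativePolicyUtils declarative_policy_utils;`, and each init() (in the .cc hunks below) calls `declarative_policy_utils.init()`, which registers the `apply-policy` REST call and an event listener. If both communication objects are ever alive in one process — this diff does not show which one UpdateCommunication instantiates — the REST call would be registered twice and each instance would hold a separate `should_apply_policy` flag. A comment on the member stating that exactly one communication backend is expected to own it, or a single shared instance, would remove the ambiguity. HybridCommunication's class header lies in the preceding hunk.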
diff --git a/components/security_apps/orchestration/include/update_policy_notification.h b/components/security_apps/orchestration/include/update_policy_notification.h new file mode 100755 index 0000000..ccd4492 --- /dev/null +++ b/components/security_apps/orchestration/include/update_policy_notification.h @@ -0,0 +1,30 @@ +// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. + +// Licensed under the Apache License, Version 2.0 (the "License"); +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +#ifndef __UPDATE_POLICY_NOTIFICATION__H__ +#define __UPDATE_POLICY_NOTIFICATION__H__ + +#include +#include +#include "rest.h" + +class UpdatePolicyCrdObject : public ClientRest +{ +public: + UpdatePolicyCrdObject(const std::string &_policy_version) : policy_version(_policy_version) {} + +private: + C2S_LABEL_PARAM(std::string, policy_version, "policyVersion"); +}; + +#endif //__UPDATE_POLICY_NOTIFICATION__H__ diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/include/appsec_practice_section.h b/components/security_apps/orchestration/local_policy_mgmt_gen/include/appsec_practice_section.h index 8aa7d58..c9020f1 100644 --- a/components/security_apps/orchestration/local_policy_mgmt_gen/include/appsec_practice_section.h +++ b/components/security_apps/orchestration/local_policy_mgmt_gen/include/appsec_practice_section.h @@ -31,7 +31,7 @@ #include "trusted_sources_section.h" USE_DEBUG_FLAG(D_K8S_POLICY); - +// LCOV_EXCL_START Reason: no test exist class AppSecWebBotsURI { public: 
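Review bot: `UpdatePolicyCrdObject(const std::string &_policy_version)` is a single-argument constructor without `explicit`, so any std::string silently converts into a ClientRest message object; write `explicit UpdatePolicyCrdObject(const std::string &_policy_version) : policy_version(_policy_version) {}`. The two system `#include` targets were lost in rendering, so I cannot check whether they are needed. A one-line comment saying that this object is the POST body sent to the tuning host's `/api/update-policy-crd` endpoint by HybridCommunication::getUpdate would document its purpose.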
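Review bot: `// LCOV_EXCL_START Reason: no test exist` is placed right after `USE_DEBUG_FLAG(D_K8S_POLICY);` and `// LCOV_EXCL_STOP` just before the include guard's `#endif`, so every class in this header is removed from coverage reporting rather than the specific members that cannot be exercised; the same blanket exclusion is applied in exceptions_section.h, ingress_data.h, k8s_policy_common.h, rules_config_section.h, settings_section.h, snort_section.h, triggers_section.h, trusted_sources_section.h and local_policy_mgmt_gen.cc. These classes parse the operator-supplied local policy (local_policy.yaml and Kubernetes ingress data), so hiding them from the coverage report makes it easier for parsing defects to stay untested. Prefer narrowing each exclusion to the members that genuinely cannot run under test, or record the gap as a `// TODO: add unit tests for ...` comment so it remains visible.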
@@ -700,9 +700,9 @@ public: const std::string & getMode() const { return mode; } - void setHost(const std::string &_host) { host = _host; }; + void setHost(const std::string &_host) { host = _host; } - void setMode(const std::string &_mode) { mode = _mode; }; + void setMode(const std::string &_mode) { mode = _mode; } const std::string & getCustomResponse() const { return custom_response; } @@ -827,5 +827,5 @@ operator<<(std::ostream &os, const AppsecPolicySpec &obj) << std::endl << "]"; return os; } - +// LCOV_EXCL_STOP #endif // __APPSEC_PRACTICE_SECTION_H__ diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/include/exceptions_section.h b/components/security_apps/orchestration/local_policy_mgmt_gen/include/exceptions_section.h index 8359aba..69b3196 100644 --- a/components/security_apps/orchestration/local_policy_mgmt_gen/include/exceptions_section.h +++ b/components/security_apps/orchestration/local_policy_mgmt_gen/include/exceptions_section.h @@ -26,7 +26,7 @@ #include "k8s_policy_common.h" USE_DEBUG_FLAG(D_K8S_POLICY); - +// LCOV_EXCL_START Reason: no test exist class AppsecExceptionSpec { public: @@ -309,5 +309,5 @@ public: private: Exception exception_rulebase; }; - +// LCOV_EXCL_STOP #endif // __EXCEPTPIONS_SECTION_H__ diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/include/ingress_data.h b/components/security_apps/orchestration/local_policy_mgmt_gen/include/ingress_data.h index ece21a6..1dcece2 100644 --- a/components/security_apps/orchestration/local_policy_mgmt_gen/include/ingress_data.h +++ b/components/security_apps/orchestration/local_policy_mgmt_gen/include/ingress_data.h @@ -23,7 +23,7 @@ #include "cereal/archives/json.hpp" USE_DEBUG_FLAG(D_K8S_POLICY); - +// LCOV_EXCL_START Reason: no test exist class IngressMetadata { public: @@ -220,5 +220,5 @@ private: std::string apiVersion; std::vector items; }; - +// LCOV_EXCL_STOP #endif // __INGRESS_DATA_H__ 
diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/include/k8s_policy_common.h b/components/security_apps/orchestration/local_policy_mgmt_gen/include/k8s_policy_common.h index 040be25..9e19b0e 100644 --- a/components/security_apps/orchestration/local_policy_mgmt_gen/include/k8s_policy_common.h +++ b/components/security_apps/orchestration/local_policy_mgmt_gen/include/k8s_policy_common.h @@ -24,7 +24,7 @@ #include "rest.h" USE_DEBUG_FLAG(D_K8S_POLICY); - +// LCOV_EXCL_START Reason: no test exist enum class PracticeType { WebApplication, WebAPI }; enum class TriggerType { Log, WebUserResponse }; enum class MatchType { Condition, Operator }; @@ -102,5 +102,5 @@ public: private: T spec; }; - +// LCOV_EXCL_STOP #endif // __K8S_POLICY_COMMON_H__ diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/include/rules_config_section.h b/components/security_apps/orchestration/local_policy_mgmt_gen/include/rules_config_section.h index 6044b13..39a2e85 100644 --- a/components/security_apps/orchestration/local_policy_mgmt_gen/include/rules_config_section.h +++ b/components/security_apps/orchestration/local_policy_mgmt_gen/include/rules_config_section.h @@ -26,7 +26,7 @@ #include "k8s_policy_common.h" USE_DEBUG_FLAG(D_K8S_POLICY); - +// LCOV_EXCL_START Reason: no test exist class AssetUrlParser { public: @@ -227,7 +227,7 @@ public: triggers(_triggers) { try { - id = to_string(boost::uuids::random_generator()()); + id = _url+_uri; bool any = _name == "Any" && _url == "Any" && _uri == "Any"; if (_uri != "/") { context = any ? "All()" : "Any(" @@ -387,5 +387,5 @@ public: private: RulesConfig rules_config_rulebase; }; - +// LCOV_EXCL_STOP #endif // __RULES_CONFIG_SECTION_H__ diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/include/settings_section.h b/components/security_apps/orchestration/local_policy_mgmt_gen/include/settings_section.h index 23b09a8..ce403b7 100644 
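Review bot: `id = _url+_uri;` replaces the random UUID with a value that depends only on url and uri, while the line after it shows that `_name` is a separate field, so two rules for the same url/uri but different names now share an id, and any consumer that expected a UUID-shaped string gets a URL-like one instead. If a stable id across policy regenerations is the goal, derive it from all of the distinguishing fields (or a hash of them) and document the choice inline, e.g. `// id must be stable across regenerations: derived from the asset fields rather than a random UUID`. Whether `_url` itself can contain `/` (which would make `"a/b"+""` and `"a"+"/b"` collide) depends on the callers, which are outside this hunk. The enclosing constructor begins before and ends after the hunk.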
--- a/components/security_apps/orchestration/local_policy_mgmt_gen/include/settings_section.h +++ b/components/security_apps/orchestration/local_policy_mgmt_gen/include/settings_section.h @@ -24,7 +24,7 @@ #include "k8s_policy_common.h" USE_DEBUG_FLAG(D_K8S_POLICY); - +// LCOV_EXCL_START Reason: no test exist class AgentSettingsSection { public: @@ -117,5 +117,5 @@ private: std::string name = "Kubernetes Agents"; SettingsRulebase agent; }; - +// LCOV_EXCL_STOP #endif // __SETTINGS_SECTION_H__ diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/include/snort_section.h b/components/security_apps/orchestration/local_policy_mgmt_gen/include/snort_section.h index d5b7167..073b644 100644 --- a/components/security_apps/orchestration/local_policy_mgmt_gen/include/snort_section.h +++ b/components/security_apps/orchestration/local_policy_mgmt_gen/include/snort_section.h @@ -23,7 +23,7 @@ #include "debug.h" USE_DEBUG_FLAG(D_K8S_POLICY); - +// LCOV_EXCL_START Reason: no test exist class AgentSettingsSection { public: @@ -75,5 +75,5 @@ public: private: std::vector agentSettings; }; - +// LCOV_EXCL_STOP #endif // __SNORT_SECTION_H__ diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/include/triggers_section.h b/components/security_apps/orchestration/local_policy_mgmt_gen/include/triggers_section.h index c704937..9b91c3a 100644 --- a/components/security_apps/orchestration/local_policy_mgmt_gen/include/triggers_section.h +++ b/components/security_apps/orchestration/local_policy_mgmt_gen/include/triggers_section.h @@ -24,7 +24,7 @@ #include "k8s_policy_common.h" USE_DEBUG_FLAG(D_K8S_POLICY); - +// LCOV_EXCL_START Reason: no test exist class LogTriggerSection { public: @@ -633,5 +633,5 @@ public: private: TriggersRulebase triggers_rulebase; }; - +// LCOV_EXCL_STOP #endif // __TRIGGERS_SECTION_H__ 
diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/include/trusted_sources_section.h b/components/security_apps/orchestration/local_policy_mgmt_gen/include/trusted_sources_section.h index a152bf6..4d6c020 100755 --- a/components/security_apps/orchestration/local_policy_mgmt_gen/include/trusted_sources_section.h +++ b/components/security_apps/orchestration/local_policy_mgmt_gen/include/trusted_sources_section.h @@ -25,7 +25,7 @@ #include "k8s_policy_common.h" USE_DEBUG_FLAG(D_K8S_POLICY); - +// LCOV_EXCL_START Reason: no test exist class TrustedSourcesSpec { public: @@ -218,5 +218,5 @@ private: int num_of_sources; std::vector sources_identifiers; }; - +// LCOV_EXCL_STOP #endif // __TRUSTED_SOURCES_SECTION_H__ diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/local_policy_mgmt_gen.cc b/components/security_apps/orchestration/local_policy_mgmt_gen/local_policy_mgmt_gen.cc index 3925e30..0156a98 100644 --- a/components/security_apps/orchestration/local_policy_mgmt_gen/local_policy_mgmt_gen.cc +++ b/components/security_apps/orchestration/local_policy_mgmt_gen/local_policy_mgmt_gen.cc @@ -56,7 +56,7 @@ const static string policy_key = "policy"; const static string syslog_key = "syslog"; const static string mode_key = "mode"; const static string local_mgmt_policy_path = "/conf/local_policy.yaml"; - +// LCOV_EXCL_START Reason: no test exist class SecurityAppsWrapper { public: 
@@ -719,8 +719,16 @@ public: default_rule.getTrustedSources() : parsed_rule.getTrustedSources(); - string url = asset_name.substr(0, asset_name.find("/")); - string uri = asset_name.substr(asset_name.find("/")); + auto pos = asset_name.find("/"); + string url; + string uri; + if (pos != string::npos) { + url = asset_name.substr(0, asset_name.find("/")); + uri = asset_name.substr(asset_name.find("/")); + } else { + url = asset_name; + uri = ""; + } if (specific_assets_from_ingress.find({url, uri}) != specific_assets_from_ingress.end()) { // Erasing the current asset from the specific assets, because it won't have default policy specific_assets_from_ingress.erase({url, uri}); @@ -1247,7 +1255,8 @@ private: uid, EnvKeyAttr::LogSection::SOURCE ); - Singleton::Consume::by()->setClusterId(playground_uid + uid); + auto i_agent_details = Singleton::Consume::by(); + i_agent_details->setClusterId(playground_uid + uid); return true; } } @@ -1688,4 +1697,4 @@ LocalPolicyMgmtGenerator::init() void LocalPolicyMgmtGenerator::preload() {} - +// LCOV_EXCL_STOP diff --git a/components/security_apps/orchestration/update_communication/CMakeLists.txt b/components/security_apps/orchestration/update_communication/CMakeLists.txt index e88e689..1b7273c 100755 --- a/components/security_apps/orchestration/update_communication/CMakeLists.txt +++ b/components/security_apps/orchestration/update_communication/CMakeLists.txt @@ -1,3 +1,2 @@ -add_library(update_communication update_communication.cc hybrid_communication.cc fog_communication.cc fog_authenticator.cc local_communication.cc) - +add_library(update_communication update_communication.cc hybrid_communication.cc fog_communication.cc fog_authenticator.cc local_communication.cc declarative_policy_utils.cc) add_subdirectory(update_communication_ut) 
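Review bot: Inside the `pos != string::npos` branch the code still evaluates `asset_name.find("/")` twice although `pos` was computed for exactly that purpose; use it: `url = asset_name.substr(0, pos);` and `uri = asset_name.substr(pos);`. `uri = "";` on a freshly default-constructed string is a no-op and can go, and `find('/')` (char overload) is the idiomatic form for a single character. The @@ -1247 hunk only introduces a local for the same `setClusterId` call and is fine as written. The enclosing function starts before and ends after this hunk.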
diff --git a/components/security_apps/orchestration/update_communication/declarative_policy_utils.cc b/components/security_apps/orchestration/update_communication/declarative_policy_utils.cc new file mode 100755
index 0000000..ba300e0
--- /dev/null
+++ b/components/security_apps/orchestration/update_communication/declarative_policy_utils.cc
@@ -0,0 +1,172 @@ +#include "declarative_policy_utils.h" +#include "rest.h" +#include "config.h" +#include "log_generator.h" +#include "agent_details.h" +#include "version.h" + +#include +#include +#include + +using namespace std; + +USE_DEBUG_FLAG(D_ORCHESTRATOR); + +void +DeclarativePolicyUtils::init() +{ + should_apply_policy = true; + Singleton::Consume::by()->addRestCall( + RestAction::SET, "apply-policy" + ); + registerListener(); +} + +// LCOV_EXCL_START Reason: no test exist +void +DeclarativePolicyUtils::upon(const ApplyPolicyEvent &) +{ + dbgTrace(D_ORCHESTRATOR) << "Apply policy event"; + should_apply_policy = true; +} +// LCOV_EXCL_STOP + +bool +DeclarativePolicyUtils::shouldApplyPolicy() +{ + auto env_type = Singleton::Consume::by()->getEnvType(); + return env_type == I_LocalPolicyMgmtGen::LocalPolicyEnv::K8S ? true : should_apply_policy; +} + +void +DeclarativePolicyUtils::turnOffApplyPolicyFlag() +{ + should_apply_policy = false; +} + +Maybe +DeclarativePolicyUtils::getLocalPolicyChecksum() +{ + I_OrchestrationTools *orchestration_tools = Singleton::Consume::by(); + auto env_type = Singleton::Consume::by()->getEnvType(); + if (env_type == I_LocalPolicyMgmtGen::LocalPolicyEnv::K8S) { + return orchestration_tools->readFile("/etc/cp/conf/k8s-policy-check.trigger"); + } + + string policy_path = getConfigurationFlagWithDefault( + getFilesystemPathConfig() + "/conf/local_policy.yaml", + "local_mgmt_policy" + ); + + Maybe file_checksum = orchestration_tools->calculateChecksum( + I_OrchestrationTools::SELECTED_CHECKSUM_TYPE, + policy_path + ); + + if (!file_checksum.ok()) { + dbgWarning(D_ORCHESTRATOR) << "Policy checksum was not calculated: " << file_checksum.getErr(); + return genError(file_checksum.getErr()); + } + + return file_checksum.unpack(); +} + +string +DeclarativePolicyUtils::getCleanChecksum(const string &unclean_checksum) +{ + string clean_checksum = unclean_checksum; + if (!clean_checksum.empty() && clean_checksum[clean_checksum.size() - 1] == 
'\n') { + clean_checksum.erase(clean_checksum.size() - 1); + } + return clean_checksum; +} + +void +DeclarativePolicyUtils::updateCurrentPolicy(const string &policy_checksum) +{ + string clean_policy_checksum = getCleanChecksum(policy_checksum); + curr_policy = Singleton::Consume::by()->parsePolicy( + clean_policy_checksum + ); +} + +string +DeclarativePolicyUtils::getPolicyChecksum() +{ + I_OrchestrationTools *orchestration_tools = Singleton::Consume::by(); + Maybe file_checksum = orchestration_tools->calculateChecksum( + I_OrchestrationTools::SELECTED_CHECKSUM_TYPE, + Singleton::Consume::by()->getPolicyPath() + ); + + if (!file_checksum.ok()) { + dbgWarning(D_ORCHESTRATOR) << "Failed policy checksum calculation"; + return ""; + } + return file_checksum.unpack(); +} + +void +DeclarativePolicyUtils::sendUpdatesToFog( + const string &access_token, + const string &tenant_id, + const string &profile_id, + const string &fog_address) +{ + auto shell_cmd = Singleton::Consume::by(); + string exec_command = + getFilesystemPathConfig() + + "/scripts/open-appsec-cloud-mgmt --upload_policy_only" + + " --access_token " + access_token + + " --tenant_id " + tenant_id + + " --profile_id " + profile_id; + auto env = Singleton::Consume::by()->getEnvType(); + if (env == I_LocalPolicyMgmtGen::LocalPolicyEnv::K8S) { + exec_command = + getFilesystemPathConfig() + + "/scripts/open-appsec-cloud-mgmt-k8s" + + " --access_token " + access_token; + } + if (fog_address != "") exec_command = exec_command + " --fog https://" + fog_address; + + auto maybe_cmd_output = shell_cmd->getExecOutput( + exec_command, + 300000, + false + ); + if (maybe_cmd_output.ok()) { + dbgTrace(D_ORCHESTRATOR) << "Successfully send policy updates to the fog"; + } else { + dbgError(D_ORCHESTRATOR) << "Failed to send policy updates to the fog. 
Error: " << maybe_cmd_output.getErr(); + } +} + +string +DeclarativePolicyUtils::getUpdate(CheckUpdateRequest &request) +{ + dbgTrace(D_ORCHESTRATOR) << "Getting policy update in declarative policy"; + + string policy_response = ""; + auto policy_checksum = request.getPolicy(); + + auto maybe_new_version = getLocalPolicyChecksum(); + if (!maybe_new_version.ok() || maybe_new_version == curr_version) { + dbgDebug(D_ORCHESTRATOR) << "No new version is currently available"; + return ""; + } + + updateCurrentPolicy(maybe_new_version.unpack()); + string offline_policy_checksum = getPolicyChecksum(); + if (!policy_checksum.ok() || offline_policy_checksum != policy_checksum.unpack()) { + dbgTrace(D_ORCHESTRATOR) << "Update policy checksum"; + policy_response = offline_policy_checksum; + } + + dbgDebug(D_ORCHESTRATOR) + << "Local update response, " + << "policy: " + << (policy_response.empty() ? "has no change," : "has new update," ); + curr_version = maybe_new_version.unpack(); + return policy_response; +} diff --git a/components/security_apps/orchestration/update_communication/fog_communication.cc b/components/security_apps/orchestration/update_communication/fog_communication.cc index 65cf396..95f673b 100755 --- a/components/security_apps/orchestration/update_communication/fog_communication.cc +++ b/components/security_apps/orchestration/update_communication/fog_communication.cc @@ -31,9 +31,17 @@ using HTTPMethod = I_Messaging::Method; USE_DEBUG_FLAG(D_ORCHESTRATOR); +void +FogCommunication::init() +{ + FogAuthenticator::init(); + declarative_policy_utils.init(); +} + Maybe FogCommunication::getUpdate(CheckUpdateRequest &request) { + dbgTrace(D_ORCHESTRATOR) << "Getting updates - fog Communication"; if (!access_token.ok()) return genError("Acccess Token not available."); auto unpacked_access_token = access_token.unpack().getToken(); 
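Review bot: In sendUpdatesToFog the access token, tenant id, profile id and fog address are concatenated unquoted into `exec_command` and handed to `shell_cmd->getExecOutput(...)`, so any shell metacharacter in those values alters the command that runs, and the bearer token is also visible to every local user via the process list for the life of the (up to 300 s) call. Validate the four arguments against a conservative character allowlist before building the command (sketch below), and preferably hand the token to `open-appsec-cloud-mgmt` through an environment variable or stdin rather than argv — the script is part of this change, so it can be adapted. The failure branch logs `maybe_cmd_output.getErr()`; if that text echoes the command line, the token lands in the log as well, so check what getExecOutput reports. A further gap is that the function returns void, so neither getUpdate caller can tell that the upload failed; returning bool would let them keep the apply-policy flag set for a retry.
```cpp
// Reject anything outside a conservative allowlist before the value reaches a shell.
static bool
isSafeCliArg(const string &value)
{
    return all_of(value.begin(), value.end(), [](unsigned char c) {
        return isalnum(c) || c == '-' || c == '_' || c == '.' || c == ':';
    });
}

void
DeclarativePolicyUtils::sendUpdatesToFog(
    const string &access_token,
    const string &tenant_id,
    const string &profile_id,
    const string &fog_address)
{
    for (const string *arg : { &access_token, &tenant_id, &profile_id, &fog_address }) {
        if (!isSafeCliArg(*arg)) {
            dbgError(D_ORCHESTRATOR) << "Refusing to run cloud-mgmt script: argument contains unexpected characters";
            return;
        }
    }
    // … unchanged: command construction and getExecOutput call …
}
```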
@@ -49,6 +57,41 @@ FogCommunication::getUpdate(CheckUpdateRequest &request) dbgDebug(D_ORCHESTRATOR) << "Failed to get response after check update request."; return genError("Failed to request updates"); } + + string policy_mgmt_mode = getSettingWithDefault("management", "profileManagedMode"); + dbgTrace(D_ORCHESTRATOR) << "Profile managed mode: " << policy_mgmt_mode; + if (policy_mgmt_mode == "declarative") { + Maybe maybe_new_manifest = request.getManifest(); + string manifest_checksum = maybe_new_manifest.ok() ? maybe_new_manifest.unpack() : ""; + + Maybe maybe_new_settings = request.getSettings(); + string settings_checksum = maybe_new_settings.ok() ? maybe_new_settings.unpack() : ""; + + Maybe maybe_new_data = request.getData(); + string data_checksum = maybe_new_data.ok() ? maybe_new_data.unpack() : ""; + + if (declarative_policy_utils.shouldApplyPolicy()) { + string policy_response = declarative_policy_utils.getUpdate(request); + if (!policy_response.empty()) { + dbgTrace(D_ORCHESTRATOR) << "Apply policy - declarative mode"; + auto agent_details = Singleton::Consume::by(); + auto maybe_fog_address = agent_details->getFogDomain(); + string fog_address = maybe_fog_address.ok() ? maybe_fog_address.unpack() : ""; + + declarative_policy_utils.sendUpdatesToFog( + unpacked_access_token, + agent_details->getTenantId(), + agent_details->getProfileId(), + fog_address + ); + } + request = CheckUpdateRequest(manifest_checksum, policy_response, settings_checksum, data_checksum, "", ""); + declarative_policy_utils.turnOffApplyPolicyFlag(); + } else { + request = CheckUpdateRequest(manifest_checksum, "", settings_checksum, data_checksum, "", ""); + } + } + dbgDebug(D_ORCHESTRATOR) << "Got response after check update request."; return Maybe(); } 
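Review bot: `declarative_policy_utils.turnOffApplyPolicyFlag();` runs unconditionally at the end of the `shouldApplyPolicy()` branch, but sendUpdatesToFog reports failure only through a log line, so a failed policy upload clears the flag and, on the non-K8S path where shouldApplyPolicy() is driven purely by that flag, is never retried until someone invokes the `apply-policy` REST call again. Have the upload return a bool and clear the flag only on success, e.g. `if (uploaded) declarative_policy_utils.turnOffApplyPolicyFlag();`. The upload also runs synchronously inside getUpdate with a 300000 ms timeout, so a stalled script blocks this call for up to five minutes; a comment stating that this is intended, or moving the upload to a mainloop job, would help. FogCommunication::getUpdate begins before this hunk.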
@@ -60,6 +103,11 @@ FogCommunication::downloadAttributeFile(const GetResourceFile &resourse_file) auto unpacked_access_token = access_token.unpack().getToken(); + string policy_mgmt_mode = getSettingWithDefault("management", "profileManagedMode"); + if (policy_mgmt_mode == "declarative" && resourse_file.getFileName() =="policy") { + dbgDebug(D_ORCHESTRATOR) << "Download policy on declarative mode - returnig the local policy"; + return declarative_policy_utils.getCurrPolicy(); + } static const string file_attribute_str = "/api/v2/agents/resources/"; Maybe attribute_file = Singleton::Consume::by()->downloadFile( resourse_file, diff --git a/components/security_apps/orchestration/update_communication/hybrid_communication.cc b/components/security_apps/orchestration/update_communication/hybrid_communication.cc index 18f4e93..27598de 100755 --- a/components/security_apps/orchestration/update_communication/hybrid_communication.cc +++ b/components/security_apps/orchestration/update_communication/hybrid_communication.cc @@ -12,6 +12,7 @@ // limitations under the License. #include "hybrid_communication.h" +#include "update_policy_notification.h" #include "rest.h" #include "config.h" #include "log_generator.h" @@ -30,10 +31,14 @@ using HTTPMethod = I_Messaging::Method; USE_DEBUG_FLAG(D_ORCHESTRATOR); +#define TUNING_HOST_ENV_NAME "TUNING_HOST" +static const string defaultTuningHost = "appsec-tuning-svc"; + void HybridCommunication::init() { FogAuthenticator::init(); + declarative_policy_utils.init(); dbgTrace(D_ORCHESTRATOR) << "Initializing the Hybrid Communication Component"; if (getConfigurationFlag("otp") != "") { otp = getConfigurationFlag("otp"); 
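Review bot: `#define TUNING_HOST_ENV_NAME "TUNING_HOST"` next to `static const string defaultTuningHost = "appsec-tuning-svc";` mixes a macro with a camelCase global in a file that otherwise uses snake_case; prefer `static constexpr const char *tuning_host_env_name = "TUNING_HOST";` and `static const string default_tuning_host = "appsec-tuning-svc";`. In the fog_communication.cc hunk just above, the log text `"... returnig the local policy"` has a typo (`returning`) and `=="policy"` wants a space before the literal.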
@@ -42,56 +47,6 @@ HybridCommunication::init() } } -string -HybridCommunication::getChecksum(const string &policy_version) -{ - string clean_plicy_version = policy_version; - if (!clean_plicy_version.empty() && clean_plicy_version[clean_plicy_version.size() - 1] == '\n') { - clean_plicy_version.erase(clean_plicy_version.size() - 1); - } - - curr_policy = Singleton::Consume::by()->parsePolicy(clean_plicy_version); - - I_OrchestrationTools *orchestration_tools = Singleton::Consume::by(); - Maybe file_checksum = orchestration_tools->calculateChecksum( - I_OrchestrationTools::SELECTED_CHECKSUM_TYPE, - Singleton::Consume::by()->getPolicyPath() - ); - - if (!file_checksum.ok()) { - dbgWarning(D_ORCHESTRATOR) << "Failed the policy checksum calculation"; - return ""; - } - return file_checksum.unpack(); -} - -Maybe -HybridCommunication::getNewVersion() -{ - I_OrchestrationTools *orchestration_tools = Singleton::Consume::by(); - auto env = Singleton::Consume::by()->getEnvType(); - if (env == I_LocalPolicyMgmtGen::LocalPolicyEnv::K8S) { - return orchestration_tools->readFile("/etc/cp/conf/k8s-policy-check.trigger"); - } - - string policy_path = getConfigurationFlagWithDefault( - getFilesystemPathConfig() + "/conf/local_policy.yaml", - "local_mgmt_policy" - ); - - Maybe file_checksum = orchestration_tools->calculateChecksum( - I_OrchestrationTools::SELECTED_CHECKSUM_TYPE, - policy_path - ); - - if (!file_checksum.ok()) { - dbgWarning(D_ORCHESTRATOR) << "Policy checksum was not calculated: " << file_checksum.getErr(); - return genError(file_checksum.getErr()); - } - - return file_checksum.unpack(); -} - Maybe HybridCommunication::getUpdate(CheckUpdateRequest &request) { 
@@ -117,32 +72,61 @@ HybridCommunication::getUpdate(CheckUpdateRequest &request) dbgWarning(D_ORCHESTRATOR) << "Acccess Token not available."; } - dbgTrace(D_ORCHESTRATOR) << "Getting policy update in Hybrid Communication"; - - auto maybe_new_version = getNewVersion(); - if (!maybe_new_version.ok() || maybe_new_version == curr_version) { + if (!declarative_policy_utils.shouldApplyPolicy()) { request = CheckUpdateRequest(manifest_checksum, "", "", "", "", ""); - dbgDebug(D_ORCHESTRATOR) << "No new version is currently available"; return Maybe(); } - auto policy_checksum = request.getPolicy(); + dbgTrace(D_ORCHESTRATOR) << "Getting policy update in Hybrid Communication"; - auto offline_policy_checksum = getChecksum(maybe_new_version.unpack()); + string policy_response = declarative_policy_utils.getUpdate(request); - string policy_response = ""; + auto env = Singleton::Consume::by()->getEnvType(); + if (env == I_LocalPolicyMgmtGen::LocalPolicyEnv::K8S && !policy_response.empty()) { + dbgDebug(D_ORCHESTRATOR) << "Policy has changes, sending notification to tuning host"; + I_AgentDetails *agentDetails = Singleton::Consume::by(); + I_Messaging *messaging = Singleton::Consume::by(); - if (!policy_checksum.ok() || offline_policy_checksum != policy_checksum.unpack()) { - policy_response = offline_policy_checksum; + UpdatePolicyCrdObject policy_change_object(policy_response); + + Flags conn_flags; + conn_flags.setFlag(MessageConnConfig::EXTERNAL); + + string tenant_header = "X-Tenant-Id: " + agentDetails->getTenantId(); + + auto get_tuning_host = []() + { + static string tuning_host; + if (tuning_host != "") return tuning_host; + + char* tuning_host_env = getenv(TUNING_HOST_ENV_NAME); + if (tuning_host_env != NULL) { + tuning_host = string(tuning_host_env); + return tuning_host; + } + dbgWarning(D_ORCHESTRATOR) << "tuning host is not set. 
using default"; + tuning_host = defaultTuningHost; + + return tuning_host; + }; + + bool ok = messaging->sendNoReplyObject( + policy_change_object, + I_Messaging::Method::POST, + get_tuning_host(), + 80, + conn_flags, + "/api/update-policy-crd", + tenant_header + ); + dbgDebug(D_ORCHESTRATOR) << "sent tuning policy update notification ok: " << ok; + if (!ok) { + dbgWarning(D_ORCHESTRATOR) << "failed to send tuning notification"; + } } - dbgDebug(D_ORCHESTRATOR) - << "Local update response: " - << " policy: " - << (policy_response.empty() ? "has no change," : "has new update," ); - request = CheckUpdateRequest(manifest_checksum, policy_response, "", "", "", ""); - curr_version = *maybe_new_version; + declarative_policy_utils.turnOffApplyPolicyFlag(); return Maybe(); } @@ -155,10 +139,9 @@ HybridCommunication::downloadAttributeFile(const GetResourceFile &resourse_file) << resourse_file.getFileName(); if (resourse_file.getFileName() == "policy") { - return curr_policy; + return declarative_policy_utils.getCurrPolicy(); } - if (resourse_file.getFileName() == "manifest") { if (!access_token.ok()) return genError("Acccess Token not available."); diff --git a/components/security_apps/orchestration/update_communication/update_communication.cc b/components/security_apps/orchestration/update_communication/update_communication.cc index a5ac217..9ef4248 100755 --- a/components/security_apps/orchestration/update_communication/update_communication.cc +++ b/components/security_apps/orchestration/update_communication/update_communication.cc @@ -50,6 +50,7 @@ public: void preload() { + registerExpectedSetting("profileManagedMode"); FogAuthenticator::preload(); LocalCommunication::preload(); } diff --git a/components/security_apps/orchestration/update_communication/update_communication_ut/CMakeLists.txt b/components/security_apps/orchestration/update_communication/update_communication_ut/CMakeLists.txt index 997e434..ebeaffd 100755 
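Review bot: The tuning-host notification added to `getUpdate` goes to port `80` with only `MessageConnConfig::EXTERNAL` set, to a host taken from `getenv(TUNING_HOST_ENV_NAME)` (falling back to `defaultTuningHost`); unless the messaging layer upgrades such a connection to TLS on its own, the `X-Tenant-Id` header and whatever `policy_response` carries (in the removed code it was the policy checksum) travel in cleartext to an endpoint that anyone able to set the agent's environment can redirect. If the messaging API has a secure-connection flag it should be set here with the port adjusted, and otherwise the choice deserves a comment next to the literal, e.g. `// NOTE: plain HTTP to the tuning host — confirm the messaging layer enforces TLS for EXTERNAL`. The result of `sendNoReplyObject` is only logged and `declarative_policy_utils.turnOffApplyPolicyFlag()` runs regardless, so a failed notification is dropped with no retry on the next poll; if the tuning host must learn of every change, the flag should stay up (or the failure be surfaced) when `ok` is false. The `get_tuning_host` lambda caches the environment value in a function-local `static`, which is fine for a long-running agent but means the variable is read once per process, and a one-line comment saying so would save the next reader a trip. `getUpdate`'s body begins before this hunk.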
--- a/components/security_apps/orchestration/update_communication/update_communication_ut/CMakeLists.txt +++ b/components/security_apps/orchestration/update_communication/update_communication_ut/CMakeLists.txt @@ -3,5 +3,5 @@ link_directories(${BOOST_ROOT}/lib) add_unit_test( update_communication_ut "local_communication_ut.cc" - "rest;version;orchestration_modules;update_communication;singleton;config;metric;event_is;logging;agent_details;-lboost_regex;" + "rest;version;orchestration_modules;update_communication;singleton;config;metric;event_is;logging;agent_details;-lboost_regex;local_policy_mgmt_gen;connkey;" ) diff --git a/core/encryptor/cpnano_base64/CMakeLists.txt b/core/encryptor/cpnano_base64/CMakeLists.txt index c54eba8..1d4a0e6 100755 --- a/core/encryptor/cpnano_base64/CMakeLists.txt +++ b/core/encryptor/cpnano_base64/CMakeLists.txt @@ -2,5 +2,12 @@ add_executable(cpnano_base64 cpnano_base64.cc base64.cc) SET(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${GCC_COMPILE_FLAGS}") SET(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} ${GCC_LINK_FLAGS}") +add_custom_command(TARGET cpnano_base64 + POST_BUILD + COMMAND strip $ -o $.strip + COMMAND ${CMAKE_COMMAND} -E copy $.strip ${CMAKE_INSTALL_PREFIX}/bin/$.strip + COMMAND ${CMAKE_COMMAND} -E copy $.strip ${CMAKE_INSTALL_PREFIX}/orchestration/$ + COMMAND ${CMAKE_COMMAND} -E copy $.strip ${CMAKE_INSTALL_PREFIX}/wlp_standalone/$ +) + install(TARGETS cpnano_base64 DESTINATION bin/) -install(TARGETS cpnano_base64 DESTINATION orchestration/) 
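Review bot: The new `POST_BUILD` step copies the stripped binary into `${CMAKE_INSTALL_PREFIX}/bin`, `/orchestration` and `/wlp_standalone` at build time, which writes outside the build tree on every build, bypasses `DESTDIR` and `cmake --install`, and fails outright when those directories do not yet exist (`cmake -E copy` does not create them) or the prefix is not writable by the build user; the removed `install(TARGETS cpnano_base64 DESTINATION orchestration/)` was the right mechanism, so keep it and add `install(FILES $<TARGET_FILE:cpnano_base64>.strip DESTINATION wlp_standalone/ RENAME cpnano_base64)` for the extra location. The generator expressions in the `strip` and `copy` lines appear as bare `$` in this listing, so the exact target-file expression should be checked against the repository rather than this rendering. The same commit also adds the resulting `cpnano_base64.strip` executable to the source tree as a 39136-byte binary blob; a build artifact in git can neither be reviewed nor reproduced by readers and is exactly the kind of unverifiable binary a supply-chain audit flags, so it should be produced by the build, not committed.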
diff --git a/core/encryptor/cpnano_base64/cpnano_base64.strip b/core/encryptor/cpnano_base64/cpnano_base64.strip new file mode 100755 index 0000000000000000000000000000000000000000..ea3883571f70ceb747b4559707d78d674d478f9f GIT binary patch literal 39136 zcmeHwdwf*I+5gE6f(Yg`T5HC$ty6^XydFJfdlU*wLw153F zu=|{Oo|$K!+dMO8&Sv*IectT&xHwIf1npvtYH7N}C)xa24IYd73bFe|wu@y;Kmt$KUY#D#fhouzGxA7qeep^6<*XOO*m# z%;E~AhdFp%g4bNeEnv71ummsCXc1nQ<3;5P3ACjQmjN#4Yd6CRhN~D}30Q?!4PG2F zS_7_qc&)|jYP?jr1{WLf+Qf((0GsgI!u6XN`T?8q%KiAicK-F07v4OWHMhGpZo{!( zS1kF_{p|NsqeT$o%u(pT0Epzw^f&-7)uY+aGS4zxRq&@!mOa zU-5?bXyruTW!DzYeW{^h{S&iaTE2Se#0Nh;XZYe#Kc81ozVwYdZryiL!lKuLr{~+o zRpyU)pzjUr9iCUJZ=6u|gDYQk-(0x$ z_b+viz3;P9-8OFQmm41Z!7t9cW#|QWoci@I4<38;=<08N``esHem^MwnNQ#NY{#6z zY0q3aWagjWss8N!#+Pm5F8<%shBe+cW$sni-L+wV=#tC={ZB_IH zf#h$N3_5hh8?KAjT>SWJwsFp+NfnQLup}|73y&=hN9uuW1>XE|1<{Pk4Y7+{hb&y8vX%H>}dF0B%x^dn_}Q6V{%7p|8fj@ZW|oE z{W~%E9EqXtD>39*8N<$Z#lTm_;6E&eoCPuT8XklHt{C>eAqM}uW8ja(@YnBR*zJ7S z=d>vCb}WWGsWI%ZAcnq6W60AQ!wzd>_^T(zxcM>o?~cKLEcCKP(bpTpo`YlXIUWPQ zA9jdl&&Oi$e;|flw5CRrlh&kY`1imk+PF0_{9YVm+}p9Zo{1IxN?wq@hw-Q!Vf?Pk zWIay;?aCPTe-4wK_*53jhBLVR>0n6szwqKWmGMuGkoZh)pUwDrSny9r`-e&;A_?}T zl7dYI@wt%}PZTBRu~Q^Ij~CmsBw4%gza;)|y!f8O_&x9o@kwKO)VTMbO7dPoqp$ClLq(QO+4E`RsMd`W(iOhf|1uIm@GR;3?ow_>9G}A;l$?xh!XCv8*41 z|EN?WAgF!o5?Q}g0mk86Q7P@~NLE5lWuXsS+|KeBTjbxt`d-BC75^=`KZs`MI_AHI?E^7H`8~_Io#lCf@i#GltG@LZi1^pB zJU4OsaflznA7new{*KD!94GY)WgTW0Wgp^-;;m(ctRuWdd6MPd#&T|9{NEUFjoUbm zXRG`lLVn_}?kmq{J}{B3N1Yg`q6U&h04dBBIc{V|TK6pj;>AKnArrj63HR&K~( z9m_w84Ws7EHqJ{wWBJp$ealce?jvmfQpOK~!6`nME|7?87+=M4W%c_})+>kQ{2{l0 z7jmXWk<-oX_p?08KI7RAH(KW1dpxg?aCBA@lEHdA73s z&t&|wJYW9F_+N6qeTe7XW|l|U;i$0lXsxo988FD^aYykyh1o^vVY?-;Ju?}9Hv4xG z`|*6n-v$LK9m`AXjCElhppH`lyx!isfk890`lXxCwu$(Gxvl(w)uQTB< zlE)e+9c-T=E98L6U*G5WIb@0FJ&d=mUtdArG_14Mc({S%b2a-to%Pzp@nBuoG@Mg3 z_{!bqo=ayF*_zY2s=Btu+2C{4`JG!DvzW^ zr!1L2x5PKi>2$AKXSdrkSGpR!Zt$%4)~qUYm-y^8p2neGP?fy~Kq#eVV(r zy3SSa(TnH0HRqBNUuK5W>8q@-UF)p!)U5JVIz9FEwe^zPp8>q<^lHJl9)tFkLSG2n 
z6e%mTt@pU93rn4)8BV<<+qtl03aqhYem~T5!h$ZJOD`s^`oX|%2M4#S&gJ&{)(Z_t z`CJyXHo7kEH7oTsLfNXQ4W!9U8rMc@Jk7aqZfsdgvYaJTouziCt_z*Wf3xgjz}TIl zm|RLRQ}!(JWqE4KtNxX1EP`f}TS|OW+}@i0nK!qtv7yqr(&fHN@27(xKZ0`MTq8ts zytNJB*x<=3tnvB`!_-za=*6=ameiIw$!v%=Oc5F2D_!MIS5;N58$QFVaXD9F#?`>< zK6fRl)sN{k1;*qM$Z})mfK7Q-G4WruZk@BvQ{PZqD@ zyZOSivogamc;fk{oa!#cY@6zobG&9PO;-d|q&=04{h5j-PIqnHdQ3%(z|2oJP36*T zL~`(X^o7-uhqqojHY{ifvIcvy-XmNrH96VAjMzEpY-*nZIU77a&Yd!EoV>~G8RS-P zLtSly$B3rdMjxrukD$zI@LnzWh#*IVhC{p`vXP3IGp;I`U`62dL#U}@vh_E6*)yH_ zG;^JmUM!T93pf>EWnJaQvPTQ6U2~Szto1_Qg`S4SY7Z^DZnffKv2|bNbXQ*GtZ;d& zIBXDK>%1_tFjR$?rs~yLbDh+Ym*;Ai%6X7sk;m<;truCR(2LpU)%7seTU}Q*GgC*3 z%HUNjOrty%y$4TUOu!heX<-ssizb7Z3fTqVmYrqKEcdu;%RRD&alzwcLtm^cxyV*E zjba}$rN*;XjaFL^{c^%X7ta;GKT&I`zFn!G%`3dqi*1bymMe5eS)Z!(x;l;vvZyl1 ziN-NvhH|^4 zm*~RGn2PrAYUgs9T_8~Q8WG7VBsl|?_+0bFZpB%MwRLv2ucFGes-Xnq6fVGYD92*i z*x)G_R)Fc8Sa&`3&b9TfIx4m9Z)!=dZ*4JT@i{%sH#ycuCsq8dWv$Mn;FPJL!*21f? z=BMh9oir@cSmT9Jydsa3J1e|ZRn8h2R`#iis?f#WYQ&caFNDs*x!CDR%VI|^dpcdP zD;k-j+3s|DYUtL$>8&VS+)xj>fbupt8<3)1^@X%wM9{2pRW*9RT+hbt2l~?XT8x5S zCFy=LVUq)kdsa8PswlT*vUg)-t7$4nQZ^JT2D`e%=dOjUQzAl(Br(m@D8b&}`D3J% zSZUQr<|L>Q|Jm#^VRpF2E{!H#(~pTf(_RRrqs~u?&NagSIW%#^oe#Fy)!v%IY8V=W zXVQNWsIiowwYl75q-aPjn_H*1G23EzEy5T`kES)u!U_oq+q+5+)>4Xe+W6?zrsmOg z?Q=6)MHygWiC2nyva1%fFzp5m=g~xPm6z9h8X9UV3QN3tF;ddMT8yIvY`^cZEOM!h zd1gk`v=Af4M0zwtI4OJntJ$fR)>yd=K8f(95f%~K7rFHX>4OrNb7cdT zB|791@^D~dd~!C{%Ph4bMy{8<>d}V6lz+tzD^uL?iQT!op;2TY!3rC#=sQd7qN0i} z_E5;`rQleSE9F6C@Qy}=yV%k2W=3reGCei_@g28Jzj700cG16aaSZPR?b*C|;I4*G z3gvB0c;8PM6w8XdCnBrkK8f?Tb#0)Hf>=Pqn;@E2{mk++Gfx=n*0s~Tk?0f7_Kd#E zq$%0-Y0sOMlZ|_|pv5+;F|CYg*k_|Gvv7Exstq$woPO*=5ZNc2K`?7_yft-=KI6W_ z>2s}$npd#wmN=v771Ih4-k|v6jmwEV65eNj=S)Nk70!^<0i9=cv{O%57suk_ZY$Qk zh)NbZP9Sk^rp=i-(>WzQLz^?NuwbS$Gd;_=%1ocC&0M@Vzo5`*PoE;uix;DDR(hu0 zT%`vF@%S8JJU)XMFRl_$qkl;POB9KxRtfmDDd8oSAoWTV@A#;MHdt_o7j43vF&qyh+z%wO0_QCT_e9m^ldOV>Sti6ioE>z;6?>eSupg!E|#S_m#+8dx# 
zpT<#MJQ+&T-ZR>h9V87v`{QF*;Ynbk_6fIN-FpW?+>dO!(0z`~eewyb0f7!cQ{c51H`l88neQP5ARn?Sm%#WD~yIgjdhbh}>(! zlV4RyYn4~zL-lNwFzfDCKH}Nk|Ri4O?a9&sN7J$yVHaxAE?r5 z!qeEQY&YRmOb~6S36H=u%5D=Lk1UPSX2K)zjdH+*A8KGVt;2-JL@>%B6CRIZjnZkt z%>7c2n>nBE?4n%sot~cs*v)|LT+Nje3NKco`sMEnmPuHbJ zoen&Dy7G-W9dz_`*^N3KaP)MIGwO7((bILBQKtiqo~}5fP6ru1UB~{Z^rZs~=x@~N z-~##^bvm$s{zjb+DxkknrvnP;Z`A2v0{R>`WtmR zaDe_soet)pzfq@y2k39q>A(T{8+AHpfc{2(tf(J5uJpHw`g=y54iuojQKy46=x@~N zU;+9YbvjUh{zjb+2%*2KBie@H&jV7&&eBA@MX5i7KgTfBpRm*)wbUQ9)bF*_w^{1V zmiiV;eWRt`XsK6Q>K;pdnWbK4sTW!5x}`qdQlDz6Pqx&@Tk2<6>LV=mVU~K5rG6ZL zj$yX{mzMe`mimX5`d=;eKUwN8Tk5~J)St1`pRm*)wbUQ9)bF*_x0&nqPYV67EqD0e zcQk#_U0gb^IjLeaQe*S5&qfiLz6aqN8gUo8e9?mHYq)SUC%s4@x7RlUskDZ!kxGYz zI#b7PLUU~&L$tqNw4X}-9h3g)@OL}*d^*Fir#Hb7_q^k^fBJ@lK@l@Z4s})tJFEVb zZ#PZ%fUGs1Tjpq*{yzO7lf(a^Z>S?MJsbGo|9l$?1JRRFP{Q3cVTa%#0T{qRyJoO+> z?;+?84Dax_2WMgOI{bTqSt2mcJN$117XbMjEe^p4iQJsD4w>EIe;%z$x!)Kh8AtOL z8;uzlak0SunHX-PrtMoYKmY^n`7Jqg_57Ax0_ZUoklLLp7;K| zZr+j?Cae~O=CPv3HqoQ`2|;h(vO+X#4>pT7#vl*Dr2k7|dMv&A>HJZH09S{~-q4+}60r(4jqOC#FwF zWh#Z%Tbb!iV4D97b8Q9JBIbIl;Oa}x7hX6rDE~PUT;Kc&qNSO-w+HY3Iuz13f8a|s zjr`;{q0r{HL>tK69$YKhd?nf_m2X2EeRIgSP%vuVwnA7=Sbjd%SIM3{y#!CFh)EBa z$Oy?17!e_p!9_`O8X9zkpv8$SJ%&{MPL{3*YqO;ba4b!7T!Y<)#nSC)`rRyj2DLO> z`m+g=>v+NSgqF7dqpzilptIT1!$g}%OHUHkk80_Qu=5F9y1PuuvK36ErC$*kVd;H@ zWS{@C7na^8LU`(hq(C6)1Ma&)^xbC)hDXS6)~L1w;2>%vm}9JWgM$qLioyaEm;{&r z0Zc>80qHr~GzK@)6~$<<0auix9DWjJEYHg`h>8CY`7s`2QiDQ&dqhCL`1eq#$bZ}# z(}yu+k^iXK*sW+e&wp6o{8j4a4q**rLO($kqPcE}po`g3jV@geFy1P zjO<$i?bMu_ftE)KEkl0&6_8mLtB6kb?{x}$l-J0%onQ@aTSlG+Hs18Eqn<%NBU z*|XGDru%!~u4M*6ju6nl{gK`qfd%UC9bpVfI)*W698aw+cYjA+kE8 zWm#C`5{SPTD(?o9oeqE5c89;H)x1mx?QM?0vfb#4ChftCAhpB42UW!HUa?-h8*C?J z0DYVF4u>?-Qel9yoj|oQs*q64WgU*@BCsTOVg;K39gqA_g&q&nPOGq-mse7#1@vIK zV~X56_>zJ@qXC=tFTSF$v!yZ0$b`K-@Wd}dp)GBxx3`63i=0d?OqMYF(Gd{at#rYJ ztqK(WHw8x$h=ZQ(!5I)^bDMAQQ?yhbNqP$JXhbF#rcT|JHw5Hak_#wsWYgYcmg;n2 
zGzb}+|GN;JdTlKj0+*X3r5FkvfU2-<*>1DDddXd7yJ7ZD9_J6VRSJ}~nVj<+p_li8zVv}JgSORHXHAbqPf#WYk?==$D9=r|p)Lq(Ey&Znq)0yl?sOs%;9k}Ic z(hnv#Z9J&0n;y^)2Fecj_x$l|e~07Frp_638`Ye&aUMlRdvH9429MNdDTH=QU%NgF zg_^1l4m$FT8Yu}Qb=5#}@cd@O3^g2h!v}qMk7M31fRB}T5^yvUjs3!>VAz>}``y%S zZBWckglDJ2PDFhR)FZE3mWv5M@^Wz@B)3FlQm{g?m+@s}Qu0$J0^m;gsm1E2W+~1R zoHn-WZO{@qvuHPrFH-5V^f4|H=xWem5Fz?}(RK&gE=3Qqo=toCuU(rS2;Gl}VVjP$Qr<^@gx!BJP(X zF86c}^6#@Wqwl^7XmN-9`pzc(@j*=+AJ^863+Rsr%63ZU%ka5VN^s^U6h4pR9#-1w z0PNSb2pYBE(1U`xJ@_O9viNSn5r^_M_xo7b{SdWZ0NoXp4L0T|xk<9C1Urt3@n{)b z0SSa*oAy_lvJ3^mME}OO{f&n#A<(q(?YPt}zk0%nO#XBko38O25k?{l!AOD^b!qqT<=B0`+q>~lTN4hXgJCswg+z!okl!IJerfb z1uMGeUCvBDJ%Zpj_Dapfu|0S>b&`9fi=~F9Y@8IllE_W_Cz>=i?X3TfjaFpd8j1N3 z#C)Lj1Q2HzWbnX9R6D79t*9dV?Zfm0!_+3$?hB)w zgHbGdo;0H;=%Xxj;Y34nKN6&$meplJtc-vpx|j#Y$bVx0iilJD*XxB!w7?dz)?$%8 z6Y&$aHd}*^0NC0c@CIAf$S4uJNXR)+#Gt%`2sp%soR$u`il0G5VWak-TPhT7RiX|7 z>}dDAACHY^UrR<}%)5KC80w0tG7^l_*kOrvVJ8t$M!vv25&`xAsf-O%>K(XsmM9Ox zM&9~PzY9+nf?oz<3feyeiYWMoibFnZ)IaGmOr(UcT4)qlnLVw9lrc!2B+JwGM|$uP z=`41X5cXxD`Z(%lN|th3oc-~Mr3e&@7$rMTLQHhv@HAd-_3*KgmySswq2u{Y$iOFUb-VrxA+aMMg zm|AB*l89_Z_XWElF_p1cA4oh{v_05FD*17{*$kG=G~v06R`k(9A6`_8?bLcs8?aX`AzFK>Dyri`3@{^GPq8%0{QX=AtM z`@WDvxTpv&5Z!hw`9_4@HJLA7G6U zQ@MK^24U>(BZ(w|IjeGeYfcb?wj(e(oZIt~P1iWXfK1`EVa!+>S=b5BBxolLhs$WW z2OW+iiTfy%uze;(A1nQo28!sBfp9Wr{_}bWYe=8G+=O1HPO)?}!aas2>@a!PE`5#1 z8)nXZ6p*JfTR#vp-!$DKBcg9KVEH~VUy&&;riqY?lbbte+nW^JbXZIbB>qmMqxN7P z#x?2PS31Fk{@Ov_Fwz`{hj4`YDrX^VKPV}Q33^4OOnq~X$q`_5D4_XuI!Eh7w!k^Y z#$JscP3b{8R7-O-Rrkg@n)G1ekq-!IGPx;aIWqGvn}_4Ti}3VgQKA3O`DKOvFY`n?EHGe!0SgRR zV88+c78tO=fCUCDFkpcJ3-sRt^nDki%&)b%>Q~{bO>2A&wzc@ia9dq{?HYU~YPmKU z|0l~Y1l1;ca4o;8NOa5RK1OSsx50+*CiJXwRoN!i*7>~nK1Fc$*d~{6nCzL9ZYyTC zG~5L?Ie7Tp?W(D%_1WZ?fZ6cHkQZDazfaPJZy;RdskiwmT{SlKl`s=0sh;@-GiT|u z=Qs*4nLDp&{(|C57nYQkExK&+Dc%Ek z9-!y1p-?H{ZGb+&hX8K}EPe;_03HN<9ngUzmoETw-wTDtVEhWeivTwOE(N>~a06fu z;M;(A;fyK~p9=l?hoR6`{9VLP{uT=D1bhVWJm5bDoClclQ7BXecoyKzfU^L10G0zD z1Uw4(1z;8qm`CF8GZq8p0A2~W81QO9`W_WO;GKXec(6dfnUD_nHsI}mi8#dk8{kC1 
z3_9`$EC8$otOMK%_$J_Xz(hQ|IRJP8U=Z+jz~mvC_A=l^z<7FU26!G|CEz81TLG^I z+zv=j>J9+50R{p84w#I;6Pbi3a1#NS(~~&BdcaD+9|LX$+zq%L@Lj+IfNAt#5^xb< zGVJyM;6%V(fDXXpfR%v5@mTkDz|DYT@OfDEofL6bFVy1JrNxaNIykunXT^jcgV$EX zmk7dHgT-;~S-@rCwdr6eREK!dQqpFpjJzcE)V0Z*v>Br=IA_XPX96qwF9kgCN+@I_ z1Q+7#!>a@M71W;#jde3#<#;|SzV|{;NxLzA=CDCU5D0jp)AR5ppo{O_Q1rqu{UGS` zK(_;Gie4F}9|d|j=p?^EzbZ^03cc$=Kif=S9;OpI?&{)s!cv3pu0B`OMk{-fUFek$ zdmTqSCte4sl?=tVCft(PoOJV`rop6#594HFoUynz+AIo>b34RGy)Od&6wn_w z%Msry7?7UyTbZ|meoX|u-k@&)y*mb-^dLLULms2wTuQtZlT*nEJrWMb8GQDG&j`v- z=5gF%Jt*&;33{x!qI@_K^fS%lklMXDF11 zK4xBIdGgB_p#KbX;%U&Ykn#|Hcp~yK=p)SZd0~1M=q;efir>-`&}qzh7@zvzgzLnF zNIl}$%W-U=`OvN#?HtsOen?N*<+`veZ5V4f))3-r&`r8@f<6-TSTT&R%+gK)oj&Jh z^q(E(Zv*{n$PkTgLzg_zyFlM!?oab^e+~Yz;-eV!Wb{AV+~2f@)`6Z1daO0N1#}zev(5cChR5Ft`fSkWo9XeoXdvPr zbRX!k;=3F43ee}6`(GR8pEd-)!3%n{wSwkqGWw@tP3pmQ;#El4Dh6n-ejxeSKwAtx ze?hxwIUi*4d&L{jCI@4A2r)Y)?bi6hl##b2=qa}5L_KBV%}KLTGHx8?NXcm$JSQcu zCM737B_ls&VnK?nAZ27hN?JimviR=5{ou0#d@!|*5(>r5p1%llAwKDWA=+2*OMX8@ zdowZV?Nhbx#8JOIMe9sj^4uxf{=tNKbMUCUPSt*vOxFjKllGsgy_G!bu~W6SAS_4-;sovU_@tK-wC58rk*Ll27~zVfl^XpO6zcR!z91=ITN19PQm(x* zF6n>bv_G&EhPne60~Q#tz<>n?EHGe!0SgRRV88+c78tO=fCUCD@c)Sg)c4b?@1s}W zKd-)TUfqvcA${jQ6@{l~LsW)JfCD~xp}u4M&K0sQ?(1=>z9)aQL~G*Q1lPEo6-9mj zJ)KQZ!SR78U;Z;xOBby;r9p2JXKbv61bFDfI&!B!Z*X|lvCx$k5{;mAQ0HNH4614gy`CM5Mk zbAiGi=Lmhf#UVZ2|1X_t!(sG zl~4ATGYY?GGMRq=MKrH;HB@TpljDtCy5D_`zd*mLQ_y1g+jv<)RLJRafOB zDe%jy>9|Z^Rm&F*9=Dc`pJYW<{K!yxeXaP_&2&$tv!dQr?QvF?gPW>h82t3BXPw(q z=fkhl(9fj{u1;5dy$i|^4|R>fUDaN&mkjaCR9d>bwwgXk5oy!@)F}VN;T6xFNAg5g zP~|(to7$QSr8&wys(%jmSI}l|jBAxw6nX+K%>5U0e+B8R)?DzkB%;vs19Sfk++RUk zL~ES&TIzF9#}|s!D*06&SFnQ#Dvw*`r)M~1L)Bm9c?FAk!66yRcB;S1x0eG)BCGyt z-B3`i6KEoe)&4GEDF>_mD(@;dhC3+vRXYW1(4TU;s;j)NApLzf6_TIiRPqy!%0|4% zrmDYMXB1THj2d6{SNh+?{R;r8sC7$0wa!t0TC1)7e*zq-sQ7Dns8Goh@0wcAWv#FO zZwA5K-^TqE6rYVyodLy%Crt1TT$}s16v)O3+GN#uxAt!Z#oT`<_g8R5ywO!$So=S0 z>7S;{_6lyX7(n$`TpzRaSNkFb)qY8}x6Yp@xW6H09k*mSgp@NC0b^JeB`sYzVqbPV-R*iS-_#c6if)}S9V;`A8 zfrX;tT-L(ztK|3`gjBp#f3?qaaDUY 
max_ms_tmout) { return genError("Provided timeout is too long, max timeout is " + to_string(max_ms_tmout)); } diff --git a/nodes/orchestration/package/open-appsec-cloud-mgmt b/nodes/orchestration/package/open-appsec-cloud-mgmt new file mode 100755 index 0000000..6a0cb71 --- /dev/null +++ b/nodes/orchestration/package/open-appsec-cloud-mgmt 
@@ -0,0 +1,287 @@ +#!/bin/bash + +POLICY_TEMP_PATH="/tmp/policy_temp.json" +DECLARATIVE_CONFIG_PATH="/etc/cp/conf/declarative_config.cfg" +CHANGE_AGENT_MODE=true +ra_token= +tenant_id= +agent_id= +profile_id= + +load_agent_details() +{ + tenant_id=$(cat /etc/cp/conf/agent_details.json | sed "s|Tenant ID|TenantID|g" | /etc/cp/bin/yq -P '.TenantID') + profile_id=$(cat /etc/cp/conf/agent_details.json | sed "s|Profile ID|ProfileID|g" | /etc/cp/bin/yq -P '.ProfileID') +} + +generate_policy() +{ + cp -f /etc/cp/conf/local_policy.yaml /tmp/tmp_local_policy.yaml + sed -i "s|\"\*\"|\"Any\"|g" /tmp/tmp_local_policy.yaml + POLICY=$(/etc/cp/bin/yq /tmp/tmp_local_policy.yaml -o json) + echo $POLICY > $POLICY_TEMP_PATH + rm -f /tmp/tmp_local_policy.yaml +} + +upload_the_policy_to_s3() +{ + echo "Uploading local policy configuration to cloud..." + + upload_res="$(curl -s -w "%{http_code}\n" --progress-bar --request PUT -T "${POLICY_TEMP_PATH}" \ + -H "user-agent: Infinity Next (a7030abf93a4c13)" -H "Content-Type: application/json" \ + -H "Authorization: Bearer ${ra_token}" \ + "$var_fog/agents-core/storage/$tenant_id/$profile_id/$((AGENT_POLICY+1))/policy-$agent_id.json")" + + if test "$upload_res" != "200"; then + echo "Failed uploading policy to cloud: Failed Error code ${upload_res}" + return 1 + fi + + file_exists="$(curl -s -w "%{http_code}\n" --request GET \ + -H "user-agent: Infinity Next (a7030abf93a4c13)" -H "Authorization: Bearer ${ra_token}" \ + "$var_fog/agents-core/storage/$tenant_id/$profile_id/$((AGENT_POLICY+1))/policy-$agent_id.json")" + + check_file_exists="$(echo "$file_exists" | grep 200)" + if [ -z "$check_file_exists" ]; then + echo "Failed uploading policy to cloud: Failed on checking the file. 
Error code ${check_file_exists}" + return 1 + fi +} + +send_notification_to_the_fog() +{ + correlation_id=$(cat /proc/sys/kernel/random/uuid) + DATE=$(date "+%FT%T.000") + upload_res=$(curl -s -w "%{http_code}\n" --request POST \ + "$var_fog/api/v1/agents/events/bulk" -H "X-Trace-Id:${correlation_id}" \ + --header "Authorization: Bearer ${ra_token}" --header "user-agent: Infinity Next (a7030abf93a4c13)" \ + --header "Content-Type: application/json" \ + --data "{\"logs\": [{\"log\": {\"eventTime\": \ + \"$DATE\",\"eventName\": \"Agent started onboarding process to cloud management\",\"eventSeverity\": \ + \"Info\",\"eventPriority\": \"Urgent\",\"eventLogLevel\": \"info\",\"eventType\": \"Event Driven\", + \"eventLevel\": \"Log\",\"eventAudience\": \"Internal\",\"eventAudienceTeam\": \"Agent Core\", + \"eventFrequency\": 0,\"eventSource\": {\"serviceName\": \"Orchestration\",\"agentId\": \"$agent_id\", + \"tenantId\": \"$tenant_id\",\"serviceId\": \"1\",\"issuingEngineVersion\": \"1.2229.123456\", + \"issuingEngine\": \"onboardingInfoProvider\"},\"eventData\": {\"eventObject\": {\"onboardingInfo\": + {\"policyVersion\": $((AGENT_POLICY+1)),\"profileId\": \"$profile_id\"}}}, + \"eventTags\": [\"Orchestration\"]}, \"tenantId\": \"$tenant_id\", \"id\": 1}]}") + + if test "$upload_res" != "200"; then + sleep 5 + upload_res=$(curl -s -o /dev/null -s -w "%{http_code}\n" \ + --request POST "$var_fog/api/v1/agents/events/bulk" -H "X-Trace-Id:${correlation_id}" \ + --header "Authorization: Bearer ${ra_token}" --header "user-agent: Infinity Next (a7030abf93a4c13)" \ + --header "Content-Type: application/json" --data "{\"logs\": \ + [{\"log\": {\"eventTime\": \"$DATE\",\"eventName\": \"Agent started onboarding process to cloud management\", + \"eventSeverity\": \"Info\",\"eventPriority\": \"Urgent\",\"eventLogLevel\": \"info\",\"eventType\": \"Event Driven\", + \"eventLevel\": \"Log\",\"eventAudience\": \"Internal\",\"eventAudienceTeam\": \"Agent Core\",\"eventFrequency\": 0, + 
\"eventSource\": {\"serviceName\": \"Orchestration\",\"agentId\": \"$agent_id\",\"tenantId\": + \"$tenant_id\",\"serviceId\": \"1\",\"issuingEngineVersion\": \"1.2229.123456\",\"issuingEngine\": + \"onboardingInfoProvider\"},\"eventData\": {\"eventObject\": {\"onboardingInfo\": {\"policyVersion\": + $((AGENT_POLICY+1)),\"profileId\": \"$profile_id\"}}}, + \"eventTags\": [\"Orchestration\"]}, \"tenantId\": \"$tenant_id\", \"id\": 1}]}") + if test "$upload_res" != "200"; then + echo "Failed to notify the FOG on the new policy: Failed Error code ${upload_res}" + return 1 + fi + fi + +} + +get_jwt() +{ + response="$(curl -s -w --noproxy "*" --header "User-Agent: Infinity Next (a7030abf93a4c13)" \ + --header "Content-Type: application/json" --request POST --data \ + "{\"authenticationData\": [{\"authenticationMethod\": \"token\", \"data\": \"$var_token\"}], \ + \"metaData\": {\"agentName\": \"K8S\", \"agentType\": \"Embedded\", \"platform\": \"linux\", \ + \"architecture\": \"x86\", \"additionalMetaData\": {\"agentVendor\": \"python\"}}}" $var_fog/agents)" + + if [ ! -z "$( echo $response | grep referenceId)" ]; then + echo "Couldn't register to the FOG" + return 1 + fi + agent_id=$(echo $response | grep -o '"agentId":"[^"]*' | grep -o '[^"]*$') + echo "agent_id=${agent_id}" > $DECLARATIVE_CONFIG_PATH + clientId=$(echo $response | grep -o '"clientId":"[^"]*' | grep -o '[^"]*$') + clientSecret=$(echo $response | grep -o '"clientSecret":"[^"]*' | grep -o '[^"]*$') + tenant_id=$(echo $response | grep -o '"tenantId":"[^"]*' | grep -o '[^"]*$') + profile_id=$(echo $response | grep -o '"profileId":"[^"]*' | grep -o '[^"]*$') + + response="$(curl -s -w --noproxy "*" --header "User-Agent: Infinity Next (a7030abf93a4c13)" \ + --header "Content-Type: application/json" -d "{\"login\":\"$clientId\", \"password\":\"$clientSecret\"}" \ + --user "$clientId:$clientSecret" --request POST --data "{}" $var_fog/oauth/token?grant_type=client_credentials)" + if [ ! 
-z "$( echo $response | grep referenceId)" ]; then + echo "Couldn't receive JWT" + return 1 + fi + + ra_token=$(echo $response | grep -o '"access_token":"[^"]*' | grep -o '[^"]*$') + + profile_data="$(curl -s -w "%{http_code}" --request POST $var_fog/api/v2/agents/resources/ \ + -H "X-Trace-Id:2ade3b96-2451-4720-8a58-2bc83fd73292" --header "Authorization: Bearer $ra_token" \ + --header "user-agent: Infinity Next (a7030abf93a4c13)" --header "Content-Type: application/json" \ + --data "{\"manifest\": \"\",\"policy\": \"\",\"settings\": \"\",\"data\": \"\"}")" + if [ ! -z "$( echo $profile_data | grep referenceId)" ]; then + echo "Couldn't receive profile data" + return 1 + fi + policy_md5=$(echo $profile_data | grep -o '"policy":"[^"]*' | grep -o '[^"]*$') + if [ ! -z "$( echo $policy_md5 | grep referenceId)" ]; then + echo "Couldn't receive profile md5" + return 1 + fi + policy_data="$(curl -s -w '%{http_code}\n' --request GET $var_fog/api/v2/agents/resources/policy \ + -H 'X-Trace-Id:2ade3b96-2451-4720-8a58-2bc83fd73292' --header "Authorization: Bearer $ra_token" \ + --header 'user-agent: Infinity Next (a7030abf93a4c13)' --header 'Content-Type: application/json' \ + --data '{"policy": "$policy_md5"}')" + if [ ! 
-z "$( echo $policy_md5 | grep referenceId)" ]; then + echo "Couldn't receive policy data" + return 1 + fi + + AGENT_POLICY="$(echo $policy_data | grep -o '"version":"[^"]*' | grep -o '[^"]*$')" + echo "AGENT_POLICY=${AGENT_POLICY}" >> $DECLARATIVE_CONFIG_PATH + return 0 +} + +poll_for_status_file() +{ + correlation_id=$(cat /proc/sys/kernel/random/uuid) + attempt_counter=0 + max_attempts=18 + + until [ ${attempt_counter} -eq ${max_attempts} ]; do + if [ ${attempt_counter} -eq ${max_attempts} ];then + echo "Max attempts reached" + exit 1 + fi + file_exists="$(curl -s -w "%{http_code}\n" --request GET -H \ + "user-agent: Infinity Next (a7030abf93a4c13)" -H \ + "Authorization: Bearer ${ra_token}" \ + "$var_fog/agents-core/storage/$tenant_id/$profile_id/$((AGENT_POLICY+1))/status-$agent_id.json")" + + check_file_exists=$(echo $file_exists | grep 200) + if [ ! -z "$check_file_exists" ]; then + FAILURE=$(echo $file_exists | grep "false") + if [ ! -z "$FAILURE" ]; then + echo "Failed creating the Assets: $(echo $file_exists | cut -c27- | cut -d '"' -f 1)" + exit 1 + else + echo "." + return 0 + fi + else + echo -n '.' + attempt_counter=$(($attempt_counter+1)) + sleep 10 + fi + done + echo "Error: Status file was not generated" + exit 1 +} + +upload_policy_to_the_cloud() +{ + load_agent_details + generate_policy + STATUS="FAILURE" + if [ $CHANGE_AGENT_MODE = true ]; then + get_jwt + if [ "$?" = "1" ]; then + echo "Failed registering to the FOG" + exit 1 + fi + fi + + upload_the_policy_to_s3 + if [ "$?" = "1" ]; then + echo "Failed uploading the policy to S3" + exit 1 + fi + + send_notification_to_the_fog + if [ "$?" = "1" ]; then + echo "Failed Notifying to FOG" + exit 1 + fi + + poll_for_status_file + if [ "$?" 
= "0" ]; then + if [ $CHANGE_AGENT_MODE = true ]; then + open-appsec-ctl --set-mode --online_mode --token $var_token --fog $var_fog + else + sed -i "s|AGENT_POLICY=.*|AGENT_POLICY=$((AGENT_POLICY+1))|g" $DECLARATIVE_CONFIG_PATH + fi + STATUS="SUCCESS" + exit 0 + fi + if [ "$STATUS" = "FAILURE" ]; then + echo "Failed to upload policy to the cloud" + exit 1 + fi +} + +usage() +{ + echo "Usage: $0 --token [options...] ]" + echo " --token : Registration token" + echo "Options:" + echo " --namespace : Namespace with the relevant Helm Chart" + echo " --fog : Namespace with the relevant Helm Chart" + echo " --upload_policy_only : Upload policy to the fog, withput changing agent mode" + exit 255 +} + +validate_arg_value_exists() +{ + if test "$2" = "1"; then + echo "Error: The script is missing value for '$1'" + usage + exit 1 + fi +} + +while true; do + if [ "$1" = "--token" ]; then + validate_arg_value_exists "$1" "$#" + shift + var_token="$1" + elif [ "$1" = "--namespace" ]; then + validate_arg_value_exists "$1" "$#" + shift + var_namespace="$1" + elif [ "$1" = "--fog" ]; then + validate_arg_value_exists "$1" "$#" + shift + var_fog="$1" + elif [ "$1" = "--upload_policy_only" ]; then + CHANGE_AGENT_MODE=false + source $DECLARATIVE_CONFIG_PATH + elif [ "$1" = "--access_token" ] || [ "$1" = "-at" ]; then + validate_arg_value_exists "$1" "$#" + shift + ra_token="$1" + elif [ "$1" = "--tenant_id" ] || [ "$1" = "-tid" ]; then + validate_arg_value_exists "$1" "$#" + shift + tenant_id="$1" + elif [ "$1" = "--profile_id" ] || [ "$1" = "-pid" ]; then + validate_arg_value_exists "$1" "$#" + shift + profile_id="$1" + elif [ -z "$1" ]; then + break + fi + shift +done + +if [ -z "$var_fog" ]; then + var_fog="https://inext-agents.cloud.ngen.checkpoint.com" +fi + +upload_policy_to_the_cloud +if [ "$?" = "0" ]; then + echo "SUCCESS" +fi + +exit 0 
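Review bot: In `get_jwt` the policy fetch sends the literal text `$policy_md5` because `--data '{"policy": "$policy_md5"}'` is single-quoted, and the check that follows greps `$policy_md5` instead of `$policy_data`, so a failed fetch is never detected; the two `curl -s -w --noproxy "*"` calls above it also hand `--noproxy` to `-w` as the format string and then treat `*` as a second URL, and should read `curl -s --noproxy "*" …`. `AGENT_POLICY` is then taken unvalidated from the server response and fed to `$((AGENT_POLICY+1))` and written to `$DECLARATIVE_CONFIG_PATH`, which `--upload_policy_only` later `source`s, so whoever controls the fog response (or that file) can get bash arithmetic or command substitution evaluated by this script; it should be checked as a plain integer before use, as the k8s variant does with its `^-?[0-9]+$` test, and the `source` replaced by parsing the two expected keys. The policy is staged in fixed world-writable paths (`/tmp/tmp_local_policy.yaml`, `/tmp/policy_temp.json`) and written with an unquoted `echo $POLICY`, so `mktemp` plus `printf '%s\n' "$POLICY"` would avoid both the symlink race and word splitting/globbing of the JSON. Bearer tokens passed via `--access_token` and as `-H "Authorization: Bearer …"` are visible to every local user in the process list, so reading them from a file (`-H @file`) is preferable; also, the `--fog` usage text is a copy of the `--namespace` description and "withput" is a typo.

```shell
    # … unchanged: agent registration, client id/secret extraction, oauth token request …
    policy_data="$(curl -s -w '%{http_code}\n' --request GET "$var_fog/api/v2/agents/resources/policy" \
        -H 'X-Trace-Id:2ade3b96-2451-4720-8a58-2bc83fd73292' --header "Authorization: Bearer $ra_token" \
        --header 'user-agent: Infinity Next (a7030abf93a4c13)' --header 'Content-Type: application/json' \
        --data "{\"policy\": \"$policy_md5\"}")"
    if [ -n "$(echo "$policy_data" | grep referenceId)" ]; then
        echo "Couldn't receive policy data"
        return 1
    fi

    AGENT_POLICY="$(echo "$policy_data" | grep -o '"version":"[^"]*' | grep -o '[^"]*$')"
    if ! [[ "$AGENT_POLICY" =~ ^[0-9]+$ ]]; then
        echo "Unexpected policy version in fog response"
        return 1
    fi
    echo "AGENT_POLICY=${AGENT_POLICY}" >> "$DECLARATIVE_CONFIG_PATH"
    return 0
```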
diff --git a/nodes/orchestration/package/open-appsec-cloud-mgmt-k8s b/nodes/orchestration/package/open-appsec-cloud-mgmt-k8s new file mode 100755 index 0000000..5f4d254 --- /dev/null +++ b/nodes/orchestration/package/open-appsec-cloud-mgmt-k8s 
@@ -0,0 +1,285 @@ +#!/bin/bash + +POLICY_CRDS_PATH="/tmp/policy_crds.json" +APISERVER=https://kubernetes.default.svc +SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount +TOKEN=$(cat ${SERVICEACCOUNT}/token) +NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) +CACERT=${SERVICEACCOUNT}/ca.crt +ra_token= +tenant_id= +agent_id= +profile_id= +cluster_id= +latest_policy_version=1 + +load_agent_details() +{ + tenant_id=$(cat /etc/cp/conf/agent_details.json | sed "s|Tenant ID|TenantID|g" | /etc/cp/bin/yq -P '.TenantID') + agent_id=$(cat /etc/cp/conf/agent_details.json | sed "s|Agent ID|AgentID|g" | /etc/cp/bin/yq -P '.AgentID') + profile_id=$(cat /etc/cp/conf/agent_details.json | sed "s|Profile ID|ProfileID|g" | /etc/cp/bin/yq -P '.ProfileID') + cluster_id=$(echo $(curl -s --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/namespaces/ ) \ + | /etc/cp/bin/yq .items | /etc/cp/bin/yq '.[] | select(.metadata.name | contains("kube-system"))' | /etc/cp/bin/yq .metadata.uid) +} + +get_latest_policy_version() +{ + bucket_list=$(curl -s -w "%{http_code}\n" --request GET \ + -H "user-agent: Infinity Next (a7030abf93a4c13)" -H "Authorization: Bearer ${ra_token}" \ + "$var_fog/agents-core/storage/?list-type=2&prefix=${tenant_id}/${profile_id}") + paths_list=$(echo $bucket_list | /etc/cp/bin/yq -p xml | grep "/policy") + + prefix="${tenant_id}/${profile_id}" + paths=$(echo $paths_list | tr " " "\n" | grep / ) + for path in $paths; do + new_path=$(echo ${path%/*}) + version=$(echo ${new_path##*/}) + if [[ $version =~ ^-?[0-9]+$ ]] && [ $latest_policy_version -lt $version ]; then + latest_policy_version=$version + fi + done + latest_policy_version=$((latest_policy_version+1)) + echo "Policy version: $latest_policy_version" +} + +concat_to_policy() +{ + crd_to_concat="$1" + is_first=$2 + if [ ! 
-z $is_first ]; then + POLICY="$POLICY \"$1\": " + else + POLICY="$POLICY, \"$1\": " + fi + CRD=$(curl -s --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" \ + -X GET ${APISERVER}/apis/openappsec.io/v1beta1/$crd_to_concat) + CRD=$(echo $CRD|tr -d '\n') + if [ -z "$CRD" ]; then + CRD="{}" + fi + POLICY="$POLICY $CRD" +} + +generate_policy() +{ + POLICY="{ \"Policy\": {" + concat_to_policy policies true + concat_to_policy practices + concat_to_policy logtriggers + concat_to_policy customresponses + concat_to_policy exceptions + concat_to_policy sourcesidentifiers + concat_to_policy trustedsources + + POLICY="$POLICY, \"assets\": { \"items\":[ " + + FIRST="1" + all_ingresses=$(curl -s --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" \ + -X GET ${APISERVER}/apis/networking.k8s.io/v1/ingresses) + namespaces=$(echo $all_ingresses | /etc/cp/bin/yq -P '.items[].metadata.namespace') + + for ns in ${namespaces}; do + ingress_in_ns=$(curl -s --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" \ + -X GET ${APISERVER}/apis/networking.k8s.io/v1/namespaces/${ns}/ingresses) + ingress_list=$(echo $ingress_in_ns | /etc/cp/bin/yq -P '.items[].metadata.name') + for ingress_name in ${ingress_list}; do + ingress_crd=$(curl -s --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" \ + -X GET ${APISERVER}/apis/networking.k8s.io/v1/namespaces/${ns}/ingresses/${ingress_name}) + + if echo $ingress_crd | grep -n "openappsec" 1>/dev/null; then + ingress_crd=$(echo $ingress_crd | tr -d '\n') + fi + if [ "$FIRST" = "0" ]; then + POLICY="$POLICY ," + fi + POLICY="$POLICY $ingress_crd" + FIRST="0" + done + done + + POLICY="$POLICY ] } } }" + echo $POLICY > $POLICY_CRDS_PATH +} + +upload_the_crds_to_s3() +{ + echo "Uploading local configuration to cloud..." 
+ upload_res="$(curl -o /dev/null -s -w "%{http_code}\n" --progress-bar --request PUT -T "${POLICY_CRDS_PATH}" \ + -H "user-agent: Infinity Next (a7030abf93a4c13)" -H "Content-Type: application/json" \ + -H "Authorization: Bearer ${ra_token}" \ + "$var_fog/agents-core/storage/$tenant_id/$profile_id/$latest_policy_version/policy-$cluster_id.json")" + + if test "$upload_res" != "200"; then + echo "Failed uploading CRDs to cloud: Failed Error code ${upload_res}" + return 1 + fi + + check_file_exists="$(curl -o /dev/null -s -w "%{http_code}\n" --request GET -H "user-agent: Infinity Next (a7030abf93a4c13)" \ + -H "Authorization: Bearer ${ra_token}" \ + "$var_fog/agents-core/storage/$tenant_id/$profile_id/$latest_policy_version/policy-$cluster_id.json")" + if test "$check_file_exists" != "200"; then + echo "Failed uploading CRD to cloud: Failed on checking the file. Error code ${check_file_exists}" + return 1 + fi +} + +send_notification_to_the_fog() +{ + correlation_id=$(cat /proc/sys/kernel/random/uuid) + DATE=$(date "+%FT%T.000") + upload_res=$(curl -o /dev/null -s -w "%{http_code}\n" --request POST "$var_fog/api/v1/agents/events/bulk" \ + -H "X-Trace-Id:${correlation_id}" --header "Authorization: Bearer ${ra_token}" \ + --header "user-agent: Infinity Next (a7030abf93a4c13)" --header "Content-Type: application/json" \ + --data "{\"logs\": [{\"log\": {\"eventTime\": \"$DATE\",\"eventName\": \ + \"Agent started onboarding process to cloud management\",\"eventSeverity\": \"Info\",\"eventPriority\": \ + \"Urgent\",\"eventLogLevel\": \"info\",\"eventType\": \"Event Driven\",\"eventLevel\": \"Log\",\"eventAudience\": \ + \"Internal\",\"eventAudienceTeam\": \"Agent Core\",\"eventFrequency\": 0,\"eventSource\": {\"serviceName\": \ + \"Orchestration\",\"agentId\": \"$agent_id\",\"tenantId\": \"$tenant_id\",\"serviceId\": \"1\",\"issuingEngineVersion\": \ + \"1.2229.123456\",\"issuingEngine\": \"onboardingInfoProvider\"},\"eventData\": {\"eventObject\": {\"onboardingInfo\": \ + 
{\"policyVersion\": $latest_policy_version,\"clusterId\": \"$cluster_id\",\"profileId\": \"$profile_id\"}}},\ + \"eventTags\": [\"Orchestration\"]}, \"tenantId\": \"$tenant_id\", \"id\": 1}]}") + + if test "$upload_res" != "200"; then + sleep 5 + upload_res=$(curl -o /dev/null -s -w "%{http_code}\n" --request POST "$var_fog/api/v1/agents/events/bulk" \ + -H "X-Trace-Id:${correlation_id}" --header "Authorization: Bearer ${ra_token}" \ + --header "user-agent: Infinity Next (a7030abf93a4c13)" --header "Content-Type: application/json" \ + --data "{\"logs\": [{\"log\": {\"eventTime\": \"$DATE\",\"eventName\": \ + \"Agent started onboarding process to cloud management\",\"eventSeverity\": \"Info\",\"eventPriority\": \ + \"Urgent\",\"eventLogLevel\": \"info\",\"eventType\": \"Event Driven\",\"eventLevel\": \"Log\",\ + \"eventAudience\": \"Internal\",\"eventAudienceTeam\": \"Agent Core\",\"eventFrequency\": 0,\"eventSource\": \ + {\"serviceName\": \"Orchestration\",\"agentId\": \"$agent_id\",\"tenantId\": \"$tenant_id\",\ + \"serviceId\": \"1\",\"issuingEngineVersion\": \"1.2229.123456\",\"issuingEngine\": \"onboardingInfoProvider\"},\ + \"eventData\": {\"eventObject\": {\"onboardingInfo\": {\"policyVersion\": $latest_policy_version,\ + \"clusterId\": \"$cluster_id\",\"profileId\": \"$profile_id\"}}},\"eventTags\": [\"Orchestration\"]}, \ + \"tenantId\": \"$tenant_id\", \"id\": 1}]}") + if test "$upload_res" != "200"; then + echo "Failed to notify the FOG on the new CRDs: Failed Error code ${upload_res}" + return 1 + fi + fi +} + +poll_for_status_file() +{ + correlation_id=$(cat /proc/sys/kernel/random/uuid) + + attempt_counter=0 + max_attempts=18 + + until [ ${attempt_counter} -eq ${max_attempts} ]; do + if [ ${attempt_counter} -eq ${max_attempts} ];then + echo "Max attempts reached" + exit 1 + fi + file_exists="$(curl -s -w "%{http_code}\n" --request GET -H "user-agent: Infinity Next (a7030abf93a4c13)" \ + -H "Authorization: Bearer ${ra_token}" \ + 
"$var_fog/agents-core/storage/$tenant_id/$profile_id/$latest_policy_version/status-$cluster_id.json")" + + check_file_exists=$(echo $file_exists | grep 200) + if [ ! -z "$check_file_exists" ]; then + FAILURE=$(echo $file_exists | grep "false") + if [ ! -z "$FAILURE" ]; then + echo "Failed creating the Assets: $(echo $file_exists | cut -c27- | cut -d '"' -f 1)" + exit 1 + else + echo "." + return 0 + fi + else + echo -n '.' + attempt_counter=$(($attempt_counter+1)) + sleep 10 + fi + done + echo "Error: Status file was not generated" + exit 1 +} + +upload_crds_to_the_cloud() +{ + STATUS="FAILURE" + load_agent_details + get_latest_policy_version + generate_policy + + upload_the_crds_to_s3 + if [ "$?" = "1" ]; then + echo "Failed uploading the CRDs to S3" + exit 1 + fi + + send_notification_to_the_fog + if [ "$?" = "1" ]; then + echo "Failed Notifying to FOG" + exit 1 + fi + + poll_for_status_file + if [ "$?" = "0" ]; then + STATUS="SUCCESS" + fi + + if [ "$STATUS" = "FAILURE" ]; then + echo "Failed to upload CRDs to the cloud" + exit 1 + fi +} + +usage() +{ + echo "Usage: $0 --token [options...] 
]" + echo " --token : Registration token" + echo "Options:" + echo " --fog : Namespace with the relevant Helm Chart" + echo " --upload_policy_only : Upload policy to the fog, withput changing agent mode" + exit 255 +} + +validate_flags() +{ + if [ -z $var_token ]; then + usage + exit 1 + fi +} + +validate_arg_value_exists() +{ + if test "$2" = "1"; then + echo "Error: The script is missing value for '$1'" + usage + exit 1 + fi +} + +while true; do + if [ "$1" = "--token" ]; then + validate_arg_value_exists "$1" "$#" + shift + var_token="$1" + elif [ "$1" = "--fog" ]; then + validate_arg_value_exists "$1" "$#" + shift + var_fog="$1" + elif [ "$1" = "--access_token" ] || [ "$1" = "-at" ]; then + validate_arg_value_exists "$1" "$#" + shift + ra_token="$1" + elif [ -z "$1" ]; then + break + fi + shift +done + +if [ -z "$var_fog" ]; then + var_fog=$(cat /etc/cp/conf/agent_details.json | sed "s|Fog domain|Fogdomain|g" | /etc/cp/bin/yq -P '.Fogdomain') + var_fog="https://$var_fog" +fi + +upload_crds_to_the_cloud +if [ "$?" = "0" ]; then + echo "SUCCESS" +fi + +exit 0 diff --git a/nodes/orchestration/package/orchestration_package.sh b/nodes/orchestration/package/orchestration_package.sh index 7bde5bf..cac5578 100755 --- a/nodes/orchestration/package/orchestration_package.sh +++ b/nodes/orchestration/package/orchestration_package.sh 
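Review bot: In `generate_policy` the `grep -n "openappsec"` test only decides whether newlines are stripped, while `POLICY="$POLICY $ingress_crd"` runs for every ingress, so every Ingress object in the cluster — annotated for open-appsec or not — is serialised and uploaded to the cloud bucket; if the intent is to ship only open-appsec ingresses the append belongs inside the `if` (sketched below), and if not the `if` is dead code and should go. `concat_to_policy` likewise splices whatever the API server returns into the document without checking for a `Status` error object, so a 403 from a service account lacking list rights on these CRDs would be uploaded as the CRD list, and the unquoted `echo $CRD` / `echo $POLICY` expansions expose the payload to glob expansion and whitespace collapsing — `printf '%s' "$CRD"` is the safe form. The service-account token is placed in `--header "Authorization: Bearer ${TOKEN}"` on every curl command line, where any process in the pod that can read the process table sees it; `-H @headerfile` or a curl config file keeps it off argv. `validate_flags` is defined but never called and `var_token` is parsed but never used, and `--upload_policy_only` is listed in `usage` but has no branch in the argument loop, so it is silently ignored.

```shell
            # … unchanged: ingress_crd fetch …
            if echo "$ingress_crd" | grep -q "openappsec"; then
                if [ "$FIRST" = "0" ]; then
                    POLICY="$POLICY ,"
                fi
                POLICY="$POLICY $(printf '%s' "$ingress_crd" | tr -d '\n')"
                FIRST="0"
            fi
```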
@@ -655,6 +655,9 @@ copy_orchestration_executable() cp_print "Copying cp-nano-agent binary file to folder: ${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}" $FORCE_STDOUT cp_copy "$ORCHESTRATION_EXE_SOURCE_PATH" ${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME} cp_exec "chmod 700 ${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}" + cp_copy open-appsec-cloud-mgmt ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/open-appsec-cloud-mgmt + cp_copy open-appsec-cloud-mgmt-k8s ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/open-appsec-cloud-mgmt-k8s + cp_copy open-appsec-ctl.sh ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/open-appsec-ctl.sh if [ $var_hybrid_mode = true ]; then cp_copy local-default-policy.yaml ${FILESYSTEM_PATH}/${CONF_PATH}/local_policy.yaml fi
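Review bot: The three scripts are copied with `cp_copy` but, unlike the orchestration binary two lines above, get no explicit mode, so whatever permissions `cp_copy` leaves are what ships; the cloud-mgmt scripts accept registration and access tokens and write `/etc/cp/conf/declarative_config.cfg`, so they deserve the same `cp_exec "chmod 700 ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/open-appsec-cloud-mgmt"` treatment (or `755` with no write bit for group/other if non-root operators must run them). The control script is installed as `open-appsec-ctl.sh`, whereas `open-appsec-cloud-mgmt` invokes `open-appsec-ctl` without the suffix from `PATH`; presumably a symlink or wrapper exists elsewhere in the package, but that should be confirmed before shipping. `copy_orchestration_executable` begins before this hunk and may continue after it.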