github_mirrors/openappsec
3
0
Fork 1
mirror of https://github.com/openappsec/openappsec.git synced 2025-09-29 19:24:26 +03:00
Code Issues Packages Projects Releases Wiki Activity

Add support for visability mode

Browse Source
This commit is contained in:
David Gambarin
2022-12-26 11:04:51 +02:00
parent 9ec8858a15
commit 27d1d00379
26 changed files with 1014 additions and 103 deletions
Download Patch File Download Diff File Expand all files Collapse all files

83
components/security_apps/orchestration/include/declarative_policy_utils.h Normal file
View File

@@ -0,0 +1,83 @@
#ifndef __DECLARATIVE_POLICY_UTILS_H__
#define __DECLARATIVE_POLICY_UTILS_H__
#include <chrono>
#include <functional>
#include <tuple>
#include <vector>
#include "cereal/archives/json.hpp"
#include "singleton.h"
#include "i_update_communication.h"
#include "fog_authenticator.h"
#include "i_local_policy_mgmt_gen.h"
#include "i_orchestration_tools.h"
#include "i_agent_details.h"
#include "i_orchestration_status.h"
#include "i_messaging.h"
#include "i_mainloop.h"
#include "i_encryptor.h"
#include "i_details_resolver.h"
#include "i_rest_api.h"
#include "i_time_get.h"
#include "i_shell_cmd.h"
#include "i_encryptor.h"
#include "maybe_res.h"
#include "event.h"
class ApplyPolicyEvent : public Event<ApplyPolicyEvent>
{
public:
ApplyPolicyEvent() {}
};
class DeclarativePolicyUtils
:
public Singleton::Consume<I_ShellCmd>,
Singleton::Consume<I_LocalPolicyMgmtGen>,
Singleton::Consume<I_AgentDetails>,
Singleton::Consume<I_OrchestrationTools>,
Singleton::Consume<I_RestApi>,
public Listener<ApplyPolicyEvent>
{
public:
class ApplyPolicyRest : public ServerRest
{
public:
// LCOV_EXCL_START Reason: no test exist
void
doCall() override
{
ApplyPolicyEvent().notify();
}
// LCOV_EXCL_STOP
};
void init();
Maybe<std::string> getLocalPolicyChecksum();
std::string getPolicyChecksum();
void updateCurrentPolicy(const std::string &policy_checksum);
void sendUpdatesToFog(
const std::string &access_token,
const std::string &tenant_id,
const std::string &profile_id,
const std::string &fog_address
);
std::string getUpdate(CheckUpdateRequest &request);
bool shouldApplyPolicy();
void turnOffApplyPolicyFlag();
std::string getCurrVersion() { return curr_version; }
std::string getCurrPolicy() { return curr_policy; }
void upon(const ApplyPolicyEvent &event) override;
private:
std::string getCleanChecksum(const std::string &unclean_checksum);
std::string curr_version;
std::string curr_policy;
bool should_apply_policy;
};
#endif // __DECLARATIVE_POLICY_UTILS_H__

5
components/security_apps/orchestration/include/fog_communication.h
View File

@@ -33,13 +33,18 @@
#include "i_time_get.h"
#include "i_encryptor.h"
#include "maybe_res.h"
#include "declarative_policy_utils.h"
class FogCommunication : public FogAuthenticator
{
public:
void init() override;
Maybe<void> getUpdate(CheckUpdateRequest &request) override;
Maybe<std::string> downloadAttributeFile(const GetResourceFile &resourse_file) override;
Maybe<void> sendPolicyVersion(const std::string &policy_version) const override;
private:
DeclarativePolicyUtils declarative_policy_utils;
};
#endif // __FOG_COMMUNICATION_H__

7
components/security_apps/orchestration/include/hybrid_communication.h
View File

@@ -35,6 +35,7 @@
#include "i_time_get.h"
#include "i_encryptor.h"
#include "maybe_res.h"
#include "declarative_policy_utils.h"
class HybridCommunication
:
@@ -42,17 +43,15 @@ class HybridCommunication
Singleton::Consume<I_LocalPolicyMgmtGen>
{
public:
virtual void init() override;
void init() override;
Maybe<void> getUpdate(CheckUpdateRequest &request) override;
Maybe<std::string> downloadAttributeFile(const GetResourceFile &resourse_file) override;
Maybe<void> sendPolicyVersion(const std::string &policy_version) const override;
std::string getChecksum(const std::string &policy_version);
private:
Maybe<std::string> getNewVersion();
std::string curr_version;
std::string curr_policy;
DeclarativePolicyUtils declarative_policy_utils;
};
#endif // __HYBRID_COMMUNICATION_H__

30
components/security_apps/orchestration/include/update_policy_notification.h Executable file
View File

@@ -0,0 +1,30 @@
// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef __UPDATE_POLICY_NOTIFICATION__H__
#define __UPDATE_POLICY_NOTIFICATION__H__
#include <string>
#include <ostream>
#include "rest.h"
class UpdatePolicyCrdObject : public ClientRest
{
public:
UpdatePolicyCrdObject(const std::string &_policy_version) : policy_version(_policy_version) {}
private:
C2S_LABEL_PARAM(std::string, policy_version, "policyVersion");
};
#endif //__UPDATE_POLICY_NOTIFICATION__H__

8
components/security_apps/orchestration/local_policy_mgmt_gen/include/appsec_practice_section.h
View File

@@ -31,7 +31,7 @@
#include "trusted_sources_section.h"
USE_DEBUG_FLAG(D_K8S_POLICY);
// LCOV_EXCL_START Reason: no test exist
class AppSecWebBotsURI
{
public:
@@ -700,9 +700,9 @@ public:
const std::string & getMode() const { return mode; }
void setHost(const std::string &_host) { host = _host; };
void setHost(const std::string &_host) { host = _host; }
void setMode(const std::string &_mode) { mode = _mode; };
void setMode(const std::string &_mode) { mode = _mode; }
const std::string & getCustomResponse() const { return custom_response; }
@@ -827,5 +827,5 @@ operator<<(std::ostream &os, const AppsecPolicySpec &obj)
<< std::endl << "]";
return os;
}
// LCOV_EXCL_STOP
#endif // __APPSEC_PRACTICE_SECTION_H__

4
components/security_apps/orchestration/local_policy_mgmt_gen/include/exceptions_section.h
View File

@@ -26,7 +26,7 @@
#include "k8s_policy_common.h"
USE_DEBUG_FLAG(D_K8S_POLICY);
// LCOV_EXCL_START Reason: no test exist
class AppsecExceptionSpec
{
public:
@@ -309,5 +309,5 @@ public:
private:
Exception exception_rulebase;
};
// LCOV_EXCL_STOP
#endif // __EXCEPTPIONS_SECTION_H__

4
components/security_apps/orchestration/local_policy_mgmt_gen/include/ingress_data.h
View File

@@ -23,7 +23,7 @@
#include "cereal/archives/json.hpp"
USE_DEBUG_FLAG(D_K8S_POLICY);
// LCOV_EXCL_START Reason: no test exist
class IngressMetadata
{
public:
@@ -220,5 +220,5 @@ private:
std::string apiVersion;
std::vector<SingleIngressData> items;
};
// LCOV_EXCL_STOP
#endif // __INGRESS_DATA_H__

4
components/security_apps/orchestration/local_policy_mgmt_gen/include/k8s_policy_common.h
View File

@@ -24,7 +24,7 @@
#include "rest.h"
USE_DEBUG_FLAG(D_K8S_POLICY);
// LCOV_EXCL_START Reason: no test exist
enum class PracticeType { WebApplication, WebAPI };
enum class TriggerType { Log, WebUserResponse };
enum class MatchType { Condition, Operator };
@@ -102,5 +102,5 @@ public:
private:
T spec;
};
// LCOV_EXCL_STOP
#endif // __K8S_POLICY_COMMON_H__

6
components/security_apps/orchestration/local_policy_mgmt_gen/include/rules_config_section.h
View File

@@ -26,7 +26,7 @@
#include "k8s_policy_common.h"
USE_DEBUG_FLAG(D_K8S_POLICY);
// LCOV_EXCL_START Reason: no test exist
class AssetUrlParser
{
public:
@@ -227,7 +227,7 @@ public:
triggers(_triggers)
{
try {
id = to_string(boost::uuids::random_generator()());
id = _url+_uri;
bool any = _name == "Any" && _url == "Any" && _uri == "Any";
if (_uri != "/") {
context = any ? "All()" : "Any("
@@ -387,5 +387,5 @@ public:
private:
RulesConfig rules_config_rulebase;
};
// LCOV_EXCL_STOP
#endif // __RULES_CONFIG_SECTION_H__

4
components/security_apps/orchestration/local_policy_mgmt_gen/include/settings_section.h
View File

@@ -24,7 +24,7 @@
#include "k8s_policy_common.h"
USE_DEBUG_FLAG(D_K8S_POLICY);
// LCOV_EXCL_START Reason: no test exist
class AgentSettingsSection
{
public:
@@ -117,5 +117,5 @@ private:
std::string name = "Kubernetes Agents";
SettingsRulebase agent;
};
// LCOV_EXCL_STOP
#endif // __SETTINGS_SECTION_H__

4
components/security_apps/orchestration/local_policy_mgmt_gen/include/snort_section.h
View File

@@ -23,7 +23,7 @@
#include "debug.h"
USE_DEBUG_FLAG(D_K8S_POLICY);
// LCOV_EXCL_START Reason: no test exist
class AgentSettingsSection
{
public:
@@ -75,5 +75,5 @@ public:
private:
std::vector<AgentSettingsSection> agentSettings;
};
// LCOV_EXCL_STOP
#endif // __SNORT_SECTION_H__

4
components/security_apps/orchestration/local_policy_mgmt_gen/include/triggers_section.h
View File

@@ -24,7 +24,7 @@
#include "k8s_policy_common.h"
USE_DEBUG_FLAG(D_K8S_POLICY);
// LCOV_EXCL_START Reason: no test exist
class LogTriggerSection
{
public:
@@ -633,5 +633,5 @@ public:
private:
TriggersRulebase triggers_rulebase;
};
// LCOV_EXCL_STOP
#endif // __TRIGGERS_SECTION_H__

4
components/security_apps/orchestration/local_policy_mgmt_gen/include/trusted_sources_section.h
View File

@@ -25,7 +25,7 @@
#include "k8s_policy_common.h"
USE_DEBUG_FLAG(D_K8S_POLICY);
// LCOV_EXCL_START Reason: no test exist
class TrustedSourcesSpec
{
public:
@@ -218,5 +218,5 @@ private:
int num_of_sources;
std::vector<SourcesIdentifiers> sources_identifiers;
};
// LCOV_EXCL_STOP
#endif // __TRUSTED_SOURCES_SECTION_H__

19
components/security_apps/orchestration/local_policy_mgmt_gen/local_policy_mgmt_gen.cc
View File

@@ -56,7 +56,7 @@ const static string policy_key = "policy";
const static string syslog_key = "syslog";
const static string mode_key = "mode";
const static string local_mgmt_policy_path = "/conf/local_policy.yaml";
// LCOV_EXCL_START Reason: no test exist
class SecurityAppsWrapper
{
public:
@@ -719,8 +719,16 @@ public:
default_rule.getTrustedSources() :
parsed_rule.getTrustedSources();
string url = asset_name.substr(0, asset_name.find("/"));
string uri = asset_name.substr(asset_name.find("/"));
auto pos = asset_name.find("/");
string url;
string uri;
if (pos != string::npos) {
url = asset_name.substr(0, asset_name.find("/"));
uri = asset_name.substr(asset_name.find("/"));
} else {
url = asset_name;
uri = "";
}
if (specific_assets_from_ingress.find({url, uri}) != specific_assets_from_ingress.end()) {
// Erasing the current asset from the specific assets, because it won't have default policy
specific_assets_from_ingress.erase({url, uri});
@@ -1247,7 +1255,8 @@ private:
uid,
EnvKeyAttr::LogSection::SOURCE
);
Singleton::Consume<I_AgentDetails>::by<LocalPolicyMgmtGenerator::Impl>()->setClusterId(playground_uid + uid);
auto i_agent_details = Singleton::Consume<I_AgentDetails>::by<LocalPolicyMgmtGenerator::Impl>();
i_agent_details->setClusterId(playground_uid + uid);
return true;
}
}
@@ -1688,4 +1697,4 @@ LocalPolicyMgmtGenerator::init()
void
LocalPolicyMgmtGenerator::preload()
{}
// LCOV_EXCL_STOP

3
components/security_apps/orchestration/update_communication/CMakeLists.txt
View File

@@ -1,3 +1,2 @@
add_library(update_communication update_communication.cc hybrid_communication.cc fog_communication.cc fog_authenticator.cc local_communication.cc)
add_library(update_communication update_communication.cc hybrid_communication.cc fog_communication.cc fog_authenticator.cc local_communication.cc declarative_policy_utils.cc)
add_subdirectory(update_communication_ut)

172
components/security_apps/orchestration/update_communication/declarative_policy_utils.cc Executable file
View File

@@ -0,0 +1,172 @@
#include "declarative_policy_utils.h"
#include "rest.h"
#include "config.h"
#include "log_generator.h"
#include "agent_details.h"
#include "version.h"
#include <algorithm>
#include <map>
#include <vector>
using namespace std;
USE_DEBUG_FLAG(D_ORCHESTRATOR);
void
DeclarativePolicyUtils::init()
{
should_apply_policy = true;
Singleton::Consume<I_RestApi>::by<DeclarativePolicyUtils>()->addRestCall<ApplyPolicyRest>(
RestAction::SET, "apply-policy"
);
registerListener();
}
// LCOV_EXCL_START Reason: no test exist
void
DeclarativePolicyUtils::upon(const ApplyPolicyEvent &)
{
dbgTrace(D_ORCHESTRATOR) << "Apply policy event";
should_apply_policy = true;
}
// LCOV_EXCL_STOP
bool
DeclarativePolicyUtils::shouldApplyPolicy()
{
auto env_type = Singleton::Consume<I_LocalPolicyMgmtGen>::by<DeclarativePolicyUtils>()->getEnvType();
return env_type == I_LocalPolicyMgmtGen::LocalPolicyEnv::K8S ? true : should_apply_policy;
}
void
DeclarativePolicyUtils::turnOffApplyPolicyFlag()
{
should_apply_policy = false;
}
Maybe<string>
DeclarativePolicyUtils::getLocalPolicyChecksum()
{
I_OrchestrationTools *orchestration_tools = Singleton::Consume<I_OrchestrationTools>::by<DeclarativePolicyUtils>();
auto env_type = Singleton::Consume<I_LocalPolicyMgmtGen>::by<DeclarativePolicyUtils>()->getEnvType();
if (env_type == I_LocalPolicyMgmtGen::LocalPolicyEnv::K8S) {
return orchestration_tools->readFile("/etc/cp/conf/k8s-policy-check.trigger");
}
string policy_path = getConfigurationFlagWithDefault(
getFilesystemPathConfig() + "/conf/local_policy.yaml",
"local_mgmt_policy"
);
Maybe<string> file_checksum = orchestration_tools->calculateChecksum(
I_OrchestrationTools::SELECTED_CHECKSUM_TYPE,
policy_path
);
if (!file_checksum.ok()) {
dbgWarning(D_ORCHESTRATOR) << "Policy checksum was not calculated: " << file_checksum.getErr();
return genError(file_checksum.getErr());
}
return file_checksum.unpack();
}
string
DeclarativePolicyUtils::getCleanChecksum(const string &unclean_checksum)
{
string clean_checksum = unclean_checksum;
if (!clean_checksum.empty() && clean_checksum[clean_checksum.size() - 1] == '\n') {
clean_checksum.erase(clean_checksum.size() - 1);
}
return clean_checksum;
}
void
DeclarativePolicyUtils::updateCurrentPolicy(const string &policy_checksum)
{
string clean_policy_checksum = getCleanChecksum(policy_checksum);
curr_policy = Singleton::Consume<I_LocalPolicyMgmtGen>::by<DeclarativePolicyUtils>()->parsePolicy(
clean_policy_checksum
);
}
string
DeclarativePolicyUtils::getPolicyChecksum()
{
I_OrchestrationTools *orchestration_tools = Singleton::Consume<I_OrchestrationTools>::by<DeclarativePolicyUtils>();
Maybe<string> file_checksum = orchestration_tools->calculateChecksum(
I_OrchestrationTools::SELECTED_CHECKSUM_TYPE,
Singleton::Consume<I_LocalPolicyMgmtGen>::by<DeclarativePolicyUtils>()->getPolicyPath()
);
if (!file_checksum.ok()) {
dbgWarning(D_ORCHESTRATOR) << "Failed policy checksum calculation";
return "";
}
return file_checksum.unpack();
}
void
DeclarativePolicyUtils::sendUpdatesToFog(
const string &access_token,
const string &tenant_id,
const string &profile_id,
const string &fog_address)
{
auto shell_cmd = Singleton::Consume<I_ShellCmd>::by<DeclarativePolicyUtils>();
string exec_command =
getFilesystemPathConfig()
+ "/scripts/open-appsec-cloud-mgmt --upload_policy_only"
+ " --access_token " + access_token
+ " --tenant_id " + tenant_id
+ " --profile_id " + profile_id;
auto env = Singleton::Consume<I_LocalPolicyMgmtGen>::by<DeclarativePolicyUtils>()->getEnvType();
if (env == I_LocalPolicyMgmtGen::LocalPolicyEnv::K8S) {
exec_command =
getFilesystemPathConfig()
+ "/scripts/open-appsec-cloud-mgmt-k8s"
+ " --access_token " + access_token;
}
if (fog_address != "") exec_command = exec_command + " --fog https://" + fog_address;
auto maybe_cmd_output = shell_cmd->getExecOutput(
exec_command,
300000,
false
);
if (maybe_cmd_output.ok()) {
dbgTrace(D_ORCHESTRATOR) << "Successfully send policy updates to the fog";
} else {
dbgError(D_ORCHESTRATOR) << "Failed to send policy updates to the fog. Error: " << maybe_cmd_output.getErr();
}
}
string
DeclarativePolicyUtils::getUpdate(CheckUpdateRequest &request)
{
dbgTrace(D_ORCHESTRATOR) << "Getting policy update in declarative policy";
string policy_response = "";
auto policy_checksum = request.getPolicy();
auto maybe_new_version = getLocalPolicyChecksum();
if (!maybe_new_version.ok() || maybe_new_version == curr_version) {
dbgDebug(D_ORCHESTRATOR) << "No new version is currently available";
return "";
}
updateCurrentPolicy(maybe_new_version.unpack());
string offline_policy_checksum = getPolicyChecksum();
if (!policy_checksum.ok() || offline_policy_checksum != policy_checksum.unpack()) {
dbgTrace(D_ORCHESTRATOR) << "Update policy checksum";
policy_response = offline_policy_checksum;
}
dbgDebug(D_ORCHESTRATOR)
<< "Local update response, "
<< "policy: "
<< (policy_response.empty() ? "has no change," : "has new update," );
curr_version = maybe_new_version.unpack();
return policy_response;
}

48
components/security_apps/orchestration/update_communication/fog_communication.cc
View File

@@ -31,9 +31,17 @@ using HTTPMethod = I_Messaging::Method;
USE_DEBUG_FLAG(D_ORCHESTRATOR);
void
FogCommunication::init()
{
FogAuthenticator::init();
declarative_policy_utils.init();
}
Maybe<void>
FogCommunication::getUpdate(CheckUpdateRequest &request)
{
dbgTrace(D_ORCHESTRATOR) << "Getting updates - fog Communication";
if (!access_token.ok()) return genError("Acccess Token not available.");
auto unpacked_access_token = access_token.unpack().getToken();
@@ -49,6 +57,41 @@ FogCommunication::getUpdate(CheckUpdateRequest &request)
dbgDebug(D_ORCHESTRATOR) << "Failed to get response after check update request.";
return genError("Failed to request updates");
}
string policy_mgmt_mode = getSettingWithDefault<string>("management", "profileManagedMode");
dbgTrace(D_ORCHESTRATOR) << "Profile managed mode: " << policy_mgmt_mode;
if (policy_mgmt_mode == "declarative") {
Maybe<string> maybe_new_manifest = request.getManifest();
string manifest_checksum = maybe_new_manifest.ok() ? maybe_new_manifest.unpack() : "";
Maybe<string> maybe_new_settings = request.getSettings();
string settings_checksum = maybe_new_settings.ok() ? maybe_new_settings.unpack() : "";
Maybe<string> maybe_new_data = request.getData();
string data_checksum = maybe_new_data.ok() ? maybe_new_data.unpack() : "";
if (declarative_policy_utils.shouldApplyPolicy()) {
string policy_response = declarative_policy_utils.getUpdate(request);
if (!policy_response.empty()) {
dbgTrace(D_ORCHESTRATOR) << "Apply policy - declarative mode";
auto agent_details = Singleton::Consume<I_AgentDetails>::by<DeclarativePolicyUtils>();
auto maybe_fog_address = agent_details->getFogDomain();
string fog_address = maybe_fog_address.ok() ? maybe_fog_address.unpack() : "";
declarative_policy_utils.sendUpdatesToFog(
unpacked_access_token,
agent_details->getTenantId(),
agent_details->getProfileId(),
fog_address
);
}
request = CheckUpdateRequest(manifest_checksum, policy_response, settings_checksum, data_checksum, "", "");
declarative_policy_utils.turnOffApplyPolicyFlag();
} else {
request = CheckUpdateRequest(manifest_checksum, "", settings_checksum, data_checksum, "", "");
}
}
dbgDebug(D_ORCHESTRATOR) << "Got response after check update request.";
return Maybe<void>();
}
@@ -60,6 +103,11 @@ FogCommunication::downloadAttributeFile(const GetResourceFile &resourse_file)
auto unpacked_access_token = access_token.unpack().getToken();
string policy_mgmt_mode = getSettingWithDefault<string>("management", "profileManagedMode");
if (policy_mgmt_mode == "declarative" && resourse_file.getFileName() =="policy") {
dbgDebug(D_ORCHESTRATOR) << "Download policy on declarative mode - returnig the local policy";
return declarative_policy_utils.getCurrPolicy();
}
static const string file_attribute_str = "/api/v2/agents/resources/";
Maybe<string> attribute_file = Singleton::Consume<I_Messaging>::by<FogCommunication>()->downloadFile(
resourse_file,

119
components/security_apps/orchestration/update_communication/hybrid_communication.cc
View File

@@ -12,6 +12,7 @@
// limitations under the License.
#include "hybrid_communication.h"
#include "update_policy_notification.h"
#include "rest.h"
#include "config.h"
#include "log_generator.h"
@@ -30,10 +31,14 @@ using HTTPMethod = I_Messaging::Method;
USE_DEBUG_FLAG(D_ORCHESTRATOR);
#define TUNING_HOST_ENV_NAME "TUNING_HOST"
static const string defaultTuningHost = "appsec-tuning-svc";
void
HybridCommunication::init()
{
FogAuthenticator::init();
declarative_policy_utils.init();
dbgTrace(D_ORCHESTRATOR) << "Initializing the Hybrid Communication Component";
if (getConfigurationFlag("otp") != "") {
otp = getConfigurationFlag("otp");
@@ -42,56 +47,6 @@ HybridCommunication::init()
}
}
string
HybridCommunication::getChecksum(const string &policy_version)
{
string clean_plicy_version = policy_version;
if (!clean_plicy_version.empty() && clean_plicy_version[clean_plicy_version.size() - 1] == '\n') {
clean_plicy_version.erase(clean_plicy_version.size() - 1);
}
curr_policy = Singleton::Consume<I_LocalPolicyMgmtGen>::by<HybridCommunication>()->parsePolicy(clean_plicy_version);
I_OrchestrationTools *orchestration_tools = Singleton::Consume<I_OrchestrationTools>::by<FogAuthenticator>();
Maybe<string> file_checksum = orchestration_tools->calculateChecksum(
I_OrchestrationTools::SELECTED_CHECKSUM_TYPE,
Singleton::Consume<I_LocalPolicyMgmtGen>::by<HybridCommunication>()->getPolicyPath()
);
if (!file_checksum.ok()) {
dbgWarning(D_ORCHESTRATOR) << "Failed the policy checksum calculation";
return "";
}
return file_checksum.unpack();
}
Maybe<string>
HybridCommunication::getNewVersion()
{
I_OrchestrationTools *orchestration_tools = Singleton::Consume<I_OrchestrationTools>::by<FogAuthenticator>();
auto env = Singleton::Consume<I_LocalPolicyMgmtGen>::by<HybridCommunication>()->getEnvType();
if (env == I_LocalPolicyMgmtGen::LocalPolicyEnv::K8S) {
return orchestration_tools->readFile("/etc/cp/conf/k8s-policy-check.trigger");
}
string policy_path = getConfigurationFlagWithDefault(
getFilesystemPathConfig() + "/conf/local_policy.yaml",
"local_mgmt_policy"
);
Maybe<string> file_checksum = orchestration_tools->calculateChecksum(
I_OrchestrationTools::SELECTED_CHECKSUM_TYPE,
policy_path
);
if (!file_checksum.ok()) {
dbgWarning(D_ORCHESTRATOR) << "Policy checksum was not calculated: " << file_checksum.getErr();
return genError(file_checksum.getErr());
}
return file_checksum.unpack();
}
Maybe<void>
HybridCommunication::getUpdate(CheckUpdateRequest &request)
{
@@ -117,32 +72,61 @@ HybridCommunication::getUpdate(CheckUpdateRequest &request)
dbgWarning(D_ORCHESTRATOR) << "Acccess Token not available.";
}
dbgTrace(D_ORCHESTRATOR) << "Getting policy update in Hybrid Communication";
auto maybe_new_version = getNewVersion();
if (!maybe_new_version.ok() || maybe_new_version == curr_version) {
if (!declarative_policy_utils.shouldApplyPolicy()) {
request = CheckUpdateRequest(manifest_checksum, "", "", "", "", "");
dbgDebug(D_ORCHESTRATOR) << "No new version is currently available";
return Maybe<void>();
}
auto policy_checksum = request.getPolicy();
dbgTrace(D_ORCHESTRATOR) << "Getting policy update in Hybrid Communication";
auto offline_policy_checksum = getChecksum(maybe_new_version.unpack());
string policy_response = declarative_policy_utils.getUpdate(request);
string policy_response = "";
auto env = Singleton::Consume<I_LocalPolicyMgmtGen>::by<HybridCommunication>()->getEnvType();
if (env == I_LocalPolicyMgmtGen::LocalPolicyEnv::K8S && !policy_response.empty()) {
dbgDebug(D_ORCHESTRATOR) << "Policy has changes, sending notification to tuning host";
I_AgentDetails *agentDetails = Singleton::Consume<I_AgentDetails>::by<HybridCommunication>();
I_Messaging *messaging = Singleton::Consume<I_Messaging>::by<HybridCommunication>();
if (!policy_checksum.ok() || offline_policy_checksum != policy_checksum.unpack()) {
policy_response = offline_policy_checksum;
UpdatePolicyCrdObject policy_change_object(policy_response);
Flags<MessageConnConfig> conn_flags;
conn_flags.setFlag(MessageConnConfig::EXTERNAL);
string tenant_header = "X-Tenant-Id: " + agentDetails->getTenantId();
auto get_tuning_host = []()
{
static string tuning_host;
if (tuning_host != "") return tuning_host;
char* tuning_host_env = getenv(TUNING_HOST_ENV_NAME);
if (tuning_host_env != NULL) {
tuning_host = string(tuning_host_env);
return tuning_host;
}
dbgWarning(D_ORCHESTRATOR) << "tuning host is not set. using default";
tuning_host = defaultTuningHost;
return tuning_host;
};
bool ok = messaging->sendNoReplyObject(
policy_change_object,
I_Messaging::Method::POST,
get_tuning_host(),
80,
conn_flags,
"/api/update-policy-crd",
tenant_header
);
dbgDebug(D_ORCHESTRATOR) << "sent tuning policy update notification ok: " << ok;
if (!ok) {
dbgWarning(D_ORCHESTRATOR) << "failed to send tuning notification";
}
}
dbgDebug(D_ORCHESTRATOR)
<< "Local update response: "
<< " policy: "
<< (policy_response.empty() ? "has no change," : "has new update," );
request = CheckUpdateRequest(manifest_checksum, policy_response, "", "", "", "");
curr_version = *maybe_new_version;
declarative_policy_utils.turnOffApplyPolicyFlag();
return Maybe<void>();
}
@@ -155,10 +139,9 @@ HybridCommunication::downloadAttributeFile(const GetResourceFile &resourse_file)
<< resourse_file.getFileName();
if (resourse_file.getFileName() == "policy") {
return curr_policy;
return declarative_policy_utils.getCurrPolicy();
}
if (resourse_file.getFileName() == "manifest") {
if (!access_token.ok()) return genError("Acccess Token not available.");

1
components/security_apps/orchestration/update_communication/update_communication.cc
View File

@@ -50,6 +50,7 @@ public:
void
preload()
{
registerExpectedSetting<string>("profileManagedMode");
FogAuthenticator::preload();
LocalCommunication::preload();
}

2
components/security_apps/orchestration/update_communication/update_communication_ut/CMakeLists.txt
View File

@@ -3,5 +3,5 @@ link_directories(${BOOST_ROOT}/lib)
add_unit_test(
update_communication_ut
"local_communication_ut.cc"
"rest;version;orchestration_modules;update_communication;singleton;config;metric;event_is;logging;agent_details;-lboost_regex;"
"rest;version;orchestration_modules;update_communication;singleton;config;metric;event_is;logging;agent_details;-lboost_regex;local_policy_mgmt_gen;connkey;"
)