Add support for visability mode
@@ -1,3 +1,2 @@
|
||||
add_library(update_communication update_communication.cc hybrid_communication.cc fog_communication.cc fog_authenticator.cc local_communication.cc)
|
||||
|
||||
add_library(update_communication update_communication.cc hybrid_communication.cc fog_communication.cc fog_authenticator.cc local_communication.cc declarative_policy_utils.cc)
|
||||
add_subdirectory(update_communication_ut)
|
||||
|
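--- /dev/null
+++ b/<dir>/declarative_policy_utils.cc
@@ -0,0 +1,172 @@
+#include "declarative_policy_utils.h"
+#include "rest.h"
+#include "config.h"
+#include "log_generator.h"
+#include "agent_details.h"
+#include "version.h"
+
+#include <algorithm>
+#include <map>
+#include <vector>
+
+using namespace std;
+
+USE_DEBUG_FLAG(D_ORCHESTRATOR);
+
+void
+DeclarativePolicyUtils::init()
+{
+should_apply_policy = true;
+Singleton::Consume<I_RestApi>::by<DeclarativePolicyUtils>()->addRestCall<ApplyPolicyRest>(
+RestAction::SET, "apply-policy"
+);
+registerListener();
+}
+
+// LCOV_EXCL_START Reason: no test exist
+void
+DeclarativePolicyUtils::upon(const ApplyPolicyEvent &)
+{
+dbgTrace(D_ORCHESTRATOR) << "Apply policy event";
+should_apply_policy = true;
+}
+// LCOV_EXCL_STOP
+
+bool
+DeclarativePolicyUtils::shouldApplyPolicy()
+{
+auto env_type = Singleton::Consume<I_LocalPolicyMgmtGen>::by<DeclarativePolicyUtils>()->getEnvType();
+return env_type == I_LocalPolicyMgmtGen::LocalPolicyEnv::K8S ? true : should_apply_policy;
+}
+
+void
+DeclarativePolicyUtils::turnOffApplyPolicyFlag()
+{
+should_apply_policy = false;
+}
+
+Maybe<string>
+DeclarativePolicyUtils::getLocalPolicyChecksum()
+{
+I_OrchestrationTools *orchestration_tools = Singleton::Consume<I_OrchestrationTools>::by<DeclarativePolicyUtils>();
+auto env_type = Singleton::Consume<I_LocalPolicyMgmtGen>::by<DeclarativePolicyUtils>()->getEnvType();
+if (env_type == I_LocalPolicyMgmtGen::LocalPolicyEnv::K8S) {
+return orchestration_tools->readFile("/etc/cp/conf/k8s-policy-check.trigger");
+}
+
+string policy_path = getConfigurationFlagWithDefault(
+getFilesystemPathConfig() + "/conf/local_policy.yaml",
+"local_mgmt_policy"
+);
+
+Maybe<string> file_checksum = orchestration_tools->calculateChecksum(
+I_OrchestrationTools::SELECTED_CHECKSUM_TYPE,
+policy_path
+);
+
+if (!file_checksum.ok()) {
+dbgWarning(D_ORCHESTRATOR) << "Policy checksum was not calculated: " << file_checksum.getErr();
+return genError(file_checksum.getErr());
+}
+
+return file_checksum.unpack();
+}
+
+string
+DeclarativePolicyUtils::getCleanChecksum(const string &unclean_checksum)
+{
+string clean_checksum = unclean_checksum;
+if (!clean_checksum.empty() && clean_checksum[clean_checksum.size() - 1] == '\n') {
+clean_checksum.erase(clean_checksum.size() - 1);
+}
+return clean_checksum;
+}
+
+void
+DeclarativePolicyUtils::updateCurrentPolicy(const string &policy_checksum)
+{
+string clean_policy_checksum = getCleanChecksum(policy_checksum);
+curr_policy = Singleton::Consume<I_LocalPolicyMgmtGen>::by<DeclarativePolicyUtils>()->parsePolicy(
+clean_policy_checksum
+);
+}
+
+string
+DeclarativePolicyUtils::getPolicyChecksum()
+{
+I_OrchestrationTools *orchestration_tools = Singleton::Consume<I_OrchestrationTools>::by<DeclarativePolicyUtils>();
+Maybe<string> file_checksum = orchestration_tools->calculateChecksum(
+I_OrchestrationTools::SELECTED_CHECKSUM_TYPE,
+Singleton::Consume<I_LocalPolicyMgmtGen>::by<DeclarativePolicyUtils>()->getPolicyPath()
+);
+
+if (!file_checksum.ok()) {
+dbgWarning(D_ORCHESTRATOR) << "Failed policy checksum calculation";
+return "";
+}
+return file_checksum.unpack();
+}
+
+void
+DeclarativePolicyUtils::sendUpdatesToFog(
+const string &access_token,
+const string &tenant_id,
+const string &profile_id,
+const string &fog_address)
+{
+auto shell_cmd = Singleton::Consume<I_ShellCmd>::by<DeclarativePolicyUtils>();
+string exec_command =
+getFilesystemPathConfig()
++ "/scripts/open-appsec-cloud-mgmt --upload_policy_only"
++ " --access_token " + access_token
++ " --tenant_id " + tenant_id
++ " --profile_id " + profile_id;
+auto env = Singleton::Consume<I_LocalPolicyMgmtGen>::by<DeclarativePolicyUtils>()->getEnvType();
+if (env == I_LocalPolicyMgmtGen::LocalPolicyEnv::K8S) {
+exec_command =
+getFilesystemPathConfig()
++ "/scripts/open-appsec-cloud-mgmt-k8s"
++ " --access_token " + access_token;
+}
+if (fog_address != "") exec_command = exec_command + " --fog https://" + fog_address;
+
+auto maybe_cmd_output = shell_cmd->getExecOutput(
+exec_command,
+300000,
+false
+);
+if (maybe_cmd_output.ok()) {
+dbgTrace(D_ORCHESTRATOR) << "Successfully send policy updates to the fog";
+} else {
+dbgError(D_ORCHESTRATOR) << "Failed to send policy updates to the fog. Error: " << maybe_cmd_output.getErr();
+}
+}
+
+string
+DeclarativePolicyUtils::getUpdate(CheckUpdateRequest &request)
+{
+dbgTrace(D_ORCHESTRATOR) << "Getting policy update in declarative policy";
+
+string policy_response = "";
+auto policy_checksum = request.getPolicy();
+
+auto maybe_new_version = getLocalPolicyChecksum();
+if (!maybe_new_version.ok() || maybe_new_version == curr_version) {
+dbgDebug(D_ORCHESTRATOR) << "No new version is currently available";
+return "";
+}
+
+updateCurrentPolicy(maybe_new_version.unpack());
+string offline_policy_checksum = getPolicyChecksum();
+if (!policy_checksum.ok() || offline_policy_checksum != policy_checksum.unpack()) {
+dbgTrace(D_ORCHESTRATOR) << "Update policy checksum";
+policy_response = offline_policy_checksum;
+}
+
+dbgDebug(D_ORCHESTRATOR)
+<< "Local update response, "
+<< "policy: "
+<< (policy_response.empty() ? "has no change," : "has new update," );
+curr_version = maybe_new_version.unpack();
+return policy_response;
+}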
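Review bot: sendUpdatesToFog builds a shell command line by concatenating access_token, tenant_id, profile_id and fog_address and hands it to getExecOutput, so the access token is exposed in the process argument list for the lifetime of the child (up to the 300000 ms timeout) and any of the four values containing shell metacharacters would alter the command. Prefer passing the token to the script through its environment or stdin and validating or shell-quoting the remaining values before they are appended; failing that, record the assumption above the function, e.g. `// NOTE: arguments are interpolated into a shell command line; callers must pass only values obtained from agent details / fog responses.` Separately, in getUpdate the statement `curr_version = maybe_new_version.unpack();` runs even when getPolicyChecksum() returned "" after a failed checksum calculation, so that version is latched and the policy is not retried until the trigger or policy file changes again; returning before updating curr_version when offline_policy_checksum is empty would avoid the silent skip.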
@@ -31,9 +31,17 @@ using HTTPMethod = I_Messaging::Method;
|
||||
|
||||
USE_DEBUG_FLAG(D_ORCHESTRATOR);
|
||||
|
||||
void
|
||||
FogCommunication::init()
|
||||
{
|
||||
FogAuthenticator::init();
|
||||
declarative_policy_utils.init();
|
||||
}
|
||||
|
||||
Maybe<void>
|
||||
FogCommunication::getUpdate(CheckUpdateRequest &request)
|
||||
{
|
||||
dbgTrace(D_ORCHESTRATOR) << "Getting updates - fog Communication";
|
||||
if (!access_token.ok()) return genError("Acccess Token not available.");
|
||||
|
||||
auto unpacked_access_token = access_token.unpack().getToken();
|
||||
@@ -49,6 +57,41 @@ FogCommunication::getUpdate(CheckUpdateRequest &request)
|
||||
dbgDebug(D_ORCHESTRATOR) << "Failed to get response after check update request.";
|
||||
return genError("Failed to request updates");
|
||||
}
|
||||
|
||||
string policy_mgmt_mode = getSettingWithDefault<string>("management", "profileManagedMode");
|
||||
dbgTrace(D_ORCHESTRATOR) << "Profile managed mode: " << policy_mgmt_mode;
|
||||
if (policy_mgmt_mode == "declarative") {
|
||||
Maybe<string> maybe_new_manifest = request.getManifest();
|
||||
string manifest_checksum = maybe_new_manifest.ok() ? maybe_new_manifest.unpack() : "";
|
||||
|
||||
Maybe<string> maybe_new_settings = request.getSettings();
|
||||
string settings_checksum = maybe_new_settings.ok() ? maybe_new_settings.unpack() : "";
|
||||
|
||||
Maybe<string> maybe_new_data = request.getData();
|
||||
string data_checksum = maybe_new_data.ok() ? maybe_new_data.unpack() : "";
|
||||
|
||||
if (declarative_policy_utils.shouldApplyPolicy()) {
|
||||
string policy_response = declarative_policy_utils.getUpdate(request);
|
||||
if (!policy_response.empty()) {
|
||||
dbgTrace(D_ORCHESTRATOR) << "Apply policy - declarative mode";
|
||||
auto agent_details = Singleton::Consume<I_AgentDetails>::by<DeclarativePolicyUtils>();
|
||||
auto maybe_fog_address = agent_details->getFogDomain();
|
||||
string fog_address = maybe_fog_address.ok() ? maybe_fog_address.unpack() : "";
|
||||
|
||||
declarative_policy_utils.sendUpdatesToFog(
|
||||
unpacked_access_token,
|
||||
agent_details->getTenantId(),
|
||||
agent_details->getProfileId(),
|
||||
fog_address
|
||||
);
|
||||
}
|
||||
request = CheckUpdateRequest(manifest_checksum, policy_response, settings_checksum, data_checksum, "", "");
|
||||
declarative_policy_utils.turnOffApplyPolicyFlag();
|
||||
} else {
|
||||
request = CheckUpdateRequest(manifest_checksum, "", settings_checksum, data_checksum, "", "");
|
||||
}
|
||||
}
|
||||
|
||||
dbgDebug(D_ORCHESTRATOR) << "Got response after check update request.";
|
||||
return Maybe<void>();
|
||||
}
|
||||
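Review bot: The line `auto agent_details = Singleton::Consume<I_AgentDetails>::by<DeclarativePolicyUtils>();` consumes the interface on behalf of DeclarativePolicyUtils although it runs inside FogCommunication::getUpdate; the other consumer visible in this file (the I_Messaging consume in downloadAttributeFile) uses `by<FogCommunication>()`, so this should be `auto agent_details = Singleton::Consume<I_AgentDetails>::by<FogCommunication>();` to keep the dependency registration accurate. FogCommunication::getUpdate starts outside the hunk. The literal "declarative" is compared here and again in downloadAttributeFile; a single named constant would keep the two checks from drifting apart.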
@@ -60,6 +103,11 @@ FogCommunication::downloadAttributeFile(const GetResourceFile &resourse_file)
|
||||
|
||||
auto unpacked_access_token = access_token.unpack().getToken();
|
||||
|
||||
string policy_mgmt_mode = getSettingWithDefault<string>("management", "profileManagedMode");
|
||||
if (policy_mgmt_mode == "declarative" && resourse_file.getFileName() =="policy") {
|
||||
dbgDebug(D_ORCHESTRATOR) << "Download policy on declarative mode - returnig the local policy";
|
||||
return declarative_policy_utils.getCurrPolicy();
|
||||
}
|
||||
static const string file_attribute_str = "/api/v2/agents/resources/";
|
||||
Maybe<string> attribute_file = Singleton::Consume<I_Messaging>::by<FogCommunication>()->downloadFile(
|
||||
resourse_file,
|
||||
|
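Review bot: The declarative-mode shortcut that returns the local policy sits after `auto unpacked_access_token = access_token.unpack().getToken();`, so if the lines above the hunk reject a missing token the way FogCommunication::getUpdate does, fetching the local policy fails whenever fog authentication is unavailable even though the local path never uses the token; moving the `policy_mgmt_mode == "declarative"` check above the token handling would decouple the two. The debug message also has a typo and should read `"Download policy on declarative mode - returning the local policy"`. downloadAttributeFile starts and ends outside the hunk.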
@@ -12,6 +12,7 @@
|
||||
// limitations under the License.
|
||||
|
||||
#include "hybrid_communication.h"
|
||||
#include "update_policy_notification.h"
|
||||
#include "rest.h"
|
||||
#include "config.h"
|
||||
#include "log_generator.h"
|
||||
@@ -30,10 +31,14 @@ using HTTPMethod = I_Messaging::Method;
|
||||
|
||||
USE_DEBUG_FLAG(D_ORCHESTRATOR);
|
||||
|
||||
#define TUNING_HOST_ENV_NAME "TUNING_HOST"
|
||||
static const string defaultTuningHost = "appsec-tuning-svc";
|
||||
|
||||
void
|
||||
HybridCommunication::init()
|
||||
{
|
||||
FogAuthenticator::init();
|
||||
declarative_policy_utils.init();
|
||||
dbgTrace(D_ORCHESTRATOR) << "Initializing the Hybrid Communication Component";
|
||||
if (getConfigurationFlag("otp") != "") {
|
||||
otp = getConfigurationFlag("otp");
|
||||
@@ -42,56 +47,6 @@ HybridCommunication::init()
|
||||
}
|
||||
}
|
||||
|
||||
string
|
||||
HybridCommunication::getChecksum(const string &policy_version)
|
||||
{
|
||||
string clean_plicy_version = policy_version;
|
||||
if (!clean_plicy_version.empty() && clean_plicy_version[clean_plicy_version.size() - 1] == '\n') {
|
||||
clean_plicy_version.erase(clean_plicy_version.size() - 1);
|
||||
}
|
||||
|
||||
curr_policy = Singleton::Consume<I_LocalPolicyMgmtGen>::by<HybridCommunication>()->parsePolicy(clean_plicy_version);
|
||||
|
||||
I_OrchestrationTools *orchestration_tools = Singleton::Consume<I_OrchestrationTools>::by<FogAuthenticator>();
|
||||
Maybe<string> file_checksum = orchestration_tools->calculateChecksum(
|
||||
I_OrchestrationTools::SELECTED_CHECKSUM_TYPE,
|
||||
Singleton::Consume<I_LocalPolicyMgmtGen>::by<HybridCommunication>()->getPolicyPath()
|
||||
);
|
||||
|
||||
if (!file_checksum.ok()) {
|
||||
dbgWarning(D_ORCHESTRATOR) << "Failed the policy checksum calculation";
|
||||
return "";
|
||||
}
|
||||
return file_checksum.unpack();
|
||||
}
|
||||
|
||||
Maybe<string>
|
||||
HybridCommunication::getNewVersion()
|
||||
{
|
||||
I_OrchestrationTools *orchestration_tools = Singleton::Consume<I_OrchestrationTools>::by<FogAuthenticator>();
|
||||
auto env = Singleton::Consume<I_LocalPolicyMgmtGen>::by<HybridCommunication>()->getEnvType();
|
||||
if (env == I_LocalPolicyMgmtGen::LocalPolicyEnv::K8S) {
|
||||
return orchestration_tools->readFile("/etc/cp/conf/k8s-policy-check.trigger");
|
||||
}
|
||||
|
||||
string policy_path = getConfigurationFlagWithDefault(
|
||||
getFilesystemPathConfig() + "/conf/local_policy.yaml",
|
||||
"local_mgmt_policy"
|
||||
);
|
||||
|
||||
Maybe<string> file_checksum = orchestration_tools->calculateChecksum(
|
||||
I_OrchestrationTools::SELECTED_CHECKSUM_TYPE,
|
||||
policy_path
|
||||
);
|
||||
|
||||
if (!file_checksum.ok()) {
|
||||
dbgWarning(D_ORCHESTRATOR) << "Policy checksum was not calculated: " << file_checksum.getErr();
|
||||
return genError(file_checksum.getErr());
|
||||
}
|
||||
|
||||
return file_checksum.unpack();
|
||||
}
|
||||
|
||||
Maybe<void>
|
||||
HybridCommunication::getUpdate(CheckUpdateRequest &request)
|
||||
{
|
||||
@@ -117,32 +72,61 @@ HybridCommunication::getUpdate(CheckUpdateRequest &request)
|
||||
dbgWarning(D_ORCHESTRATOR) << "Acccess Token not available.";
|
||||
}
|
||||
|
||||
dbgTrace(D_ORCHESTRATOR) << "Getting policy update in Hybrid Communication";
|
||||
|
||||
auto maybe_new_version = getNewVersion();
|
||||
if (!maybe_new_version.ok() || maybe_new_version == curr_version) {
|
||||
if (!declarative_policy_utils.shouldApplyPolicy()) {
|
||||
request = CheckUpdateRequest(manifest_checksum, "", "", "", "", "");
|
||||
dbgDebug(D_ORCHESTRATOR) << "No new version is currently available";
|
||||
return Maybe<void>();
|
||||
}
|
||||
|
||||
auto policy_checksum = request.getPolicy();
|
||||
dbgTrace(D_ORCHESTRATOR) << "Getting policy update in Hybrid Communication";
|
||||
|
||||
auto offline_policy_checksum = getChecksum(maybe_new_version.unpack());
|
||||
string policy_response = declarative_policy_utils.getUpdate(request);
|
||||
|
||||
string policy_response = "";
|
||||
auto env = Singleton::Consume<I_LocalPolicyMgmtGen>::by<HybridCommunication>()->getEnvType();
|
||||
if (env == I_LocalPolicyMgmtGen::LocalPolicyEnv::K8S && !policy_response.empty()) {
|
||||
dbgDebug(D_ORCHESTRATOR) << "Policy has changes, sending notification to tuning host";
|
||||
I_AgentDetails *agentDetails = Singleton::Consume<I_AgentDetails>::by<HybridCommunication>();
|
||||
I_Messaging *messaging = Singleton::Consume<I_Messaging>::by<HybridCommunication>();
|
||||
|
||||
if (!policy_checksum.ok() || offline_policy_checksum != policy_checksum.unpack()) {
|
||||
policy_response = offline_policy_checksum;
|
||||
UpdatePolicyCrdObject policy_change_object(policy_response);
|
||||
|
||||
Flags<MessageConnConfig> conn_flags;
|
||||
conn_flags.setFlag(MessageConnConfig::EXTERNAL);
|
||||
|
||||
string tenant_header = "X-Tenant-Id: " + agentDetails->getTenantId();
|
||||
|
||||
auto get_tuning_host = []()
|
||||
{
|
||||
static string tuning_host;
|
||||
if (tuning_host != "") return tuning_host;
|
||||
|
||||
char* tuning_host_env = getenv(TUNING_HOST_ENV_NAME);
|
||||
if (tuning_host_env != NULL) {
|
||||
tuning_host = string(tuning_host_env);
|
||||
return tuning_host;
|
||||
}
|
||||
dbgWarning(D_ORCHESTRATOR) << "tuning host is not set. using default";
|
||||
tuning_host = defaultTuningHost;
|
||||
|
||||
return tuning_host;
|
||||
};
|
||||
|
||||
bool ok = messaging->sendNoReplyObject(
|
||||
policy_change_object,
|
||||
I_Messaging::Method::POST,
|
||||
get_tuning_host(),
|
||||
80,
|
||||
conn_flags,
|
||||
"/api/update-policy-crd",
|
||||
tenant_header
|
||||
);
|
||||
dbgDebug(D_ORCHESTRATOR) << "sent tuning policy update notification ok: " << ok;
|
||||
if (!ok) {
|
||||
dbgWarning(D_ORCHESTRATOR) << "failed to send tuning notification";
|
||||
}
|
||||
}
|
||||
|
||||
dbgDebug(D_ORCHESTRATOR)
|
||||
<< "Local update response: "
|
||||
<< " policy: "
|
||||
<< (policy_response.empty() ? "has no change," : "has new update," );
|
||||
|
||||
request = CheckUpdateRequest(manifest_checksum, policy_response, "", "", "", "");
|
||||
curr_version = *maybe_new_version;
|
||||
declarative_policy_utils.turnOffApplyPolicyFlag();
|
||||
|
||||
return Maybe<void>();
|
||||
}
|
||||
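Review bot: In the K8S notification block the tuning host is read with `char* tuning_host_env = getenv(TUNING_HOST_ENV_NAME);` and tested against `NULL`; this should be `const char *tuning_host_env = getenv(TUNING_HOST_ENV_NAME);` with `nullptr`, and since the value becomes the destination of a POST on port 80 that carries the tenant id header, a comment should record that the host is trusted from the environment and that the notification is best effort (a failure only logs a warning), e.g. `// destination comes from the TUNING_HOST env var, defaulting to the in-cluster service; delivery is best effort`. Whether this lambda is new in this commit is not recoverable from the rendered page, so treat that as a follow-up if it is pre-existing. The log statement `"Local update response: " << " policy: "` also emits a double space. HybridCommunication::getUpdate starts outside the hunk.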
@@ -155,10 +139,9 @@ HybridCommunication::downloadAttributeFile(const GetResourceFile &resourse_file)
|
||||
<< resourse_file.getFileName();
|
||||
|
||||
if (resourse_file.getFileName() == "policy") {
|
||||
return curr_policy;
|
||||
return declarative_policy_utils.getCurrPolicy();
|
||||
}
|
||||
|
||||
|
||||
if (resourse_file.getFileName() == "manifest") {
|
||||
if (!access_token.ok()) return genError("Acccess Token not available.");
|
||||
|
||||
|
@@ -50,6 +50,7 @@ public:
|
||||
void
|
||||
preload()
|
||||
{
|
||||
registerExpectedSetting<string>("profileManagedMode");
|
||||
FogAuthenticator::preload();
|
||||
LocalCommunication::preload();
|
||||
}
|
||||
|
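Review bot: `registerExpectedSetting<string>("profileManagedMode");` is added to this preload(), which looks like HybridCommunication's given the FogAuthenticator and LocalCommunication preload calls, yet the same setting is read through getSettingWithDefault in FogCommunication::getUpdate and FogCommunication::downloadAttributeFile in this commit; unless FogCommunication::preload registers it as well (not visible here), the fog-only path reads a setting that was never declared as expected. Either register it in both preloads or move the registration into DeclarativePolicyUtils so every user of the setting pulls it in once.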
@@ -3,5 +3,5 @@ link_directories(${BOOST_ROOT}/lib)
|
||||
add_unit_test(
|
||||
update_communication_ut
|
||||
"local_communication_ut.cc"
|
||||
"rest;version;orchestration_modules;update_communication;singleton;config;metric;event_is;logging;agent_details;-lboost_regex;"
|
||||
"rest;version;orchestration_modules;update_communication;singleton;config;metric;event_is;logging;agent_details;-lboost_regex;local_policy_mgmt_gen;connkey;"
|
||||
)
|
||||
|