fix for crds upload

This commit is contained in:
Daniel Eisenberg 2024-07-29 15:53:23 +03:00
parent 705a5e6061
commit 286c017133
7 changed files with 50 additions and 11 deletions


@ -79,6 +79,7 @@ class DefaultBackend
{ {
public: public:
void load(cereal::JSONInputArchive &); void load(cereal::JSONInputArchive &);
bool doesExist() const;
private: private:
bool is_exists = false; bool is_exists = false;
@ -90,6 +91,7 @@ public:
void load(cereal::JSONInputArchive &archive_in); void load(cereal::JSONInputArchive &archive_in);
const std::vector<IngressDefinedRule> & getRules() const; const std::vector<IngressDefinedRule> & getRules() const;
bool doesDefaultBackendExist() const;
private: private:
std::string ingress_class_name; std::string ingress_class_name;


@ -111,7 +111,7 @@ private:
SecurityAppsWrapper security_apps; SecurityAppsWrapper security_apps;
}; };
class PolicyMakerUtils class PolicyMakerUtils : Singleton::Consume<I_EnvDetails>
{ {
public: public:
std::string proccesSingleAppsecPolicy( std::string proccesSingleAppsecPolicy(


@ -86,6 +86,12 @@ DefaultBackend::load(cereal::JSONInputArchive &)
is_exists = true; is_exists = true;
} }
bool
DefaultBackend::doesExist() const
{
return is_exists;
}
void void
IngressSpec::load(cereal::JSONInputArchive &archive_in) IngressSpec::load(cereal::JSONInputArchive &archive_in)
{ {
@ -101,6 +107,12 @@ IngressSpec::getRules() const
return rules; return rules;
} }
bool
IngressSpec::doesDefaultBackendExist() const
{
return default_backend.doesExist();
}
void void
SingleIngressData::load(cereal::JSONInputArchive &archive_in) SingleIngressData::load(cereal::JSONInputArchive &archive_in)
{ {


@ -532,6 +532,16 @@ K8sPolicyUtils::createPolicy(
map<AnnotationKeys, string> &annotations_values, map<AnnotationKeys, string> &annotations_values,
const SingleIngressData &item) const const SingleIngressData &item) const
{ {
if (policies.find(annotations_values[AnnotationKeys::PolicyKey]) == policies.end()) {
policies[annotations_values[AnnotationKeys::PolicyKey]] = appsec_policy;
}
if (item.getSpec().doesDefaultBackendExist()) {
dbgTrace(D_LOCAL_POLICY)
<< "Inserting Any host rule to the specific asset set";
K ingress_rule = K("*");
policies[annotations_values[AnnotationKeys::PolicyKey]].addSpecificRule(ingress_rule);
}
for (const IngressDefinedRule &rule : item.getSpec().getRules()) { for (const IngressDefinedRule &rule : item.getSpec().getRules()) {
string url = rule.getHost(); string url = rule.getHost();
for (const IngressRulePath &uri : rule.getPathsWrapper().getRulePaths()) { for (const IngressRulePath &uri : rule.getPathsWrapper().getRulePaths()) {
@ -544,14 +554,12 @@ K8sPolicyUtils::createPolicy(
<< uri.getPath() << uri.getPath()
<< "'"; << "'";
K ingress_rule = K(url + uri.getPath()); K ingress_rule = K(url + uri.getPath());
appsec_policy.addSpecificRule(ingress_rule); policies[annotations_values[AnnotationKeys::PolicyKey]].addSpecificRule(ingress_rule);
} }
} }
} }
policies[annotations_values[AnnotationKeys::PolicyKey]] = appsec_policy;
} }
std::tuple<map<string, AppsecLinuxPolicy>, map<string, V1beta2AppsecLinuxPolicy>> std::tuple<map<string, AppsecLinuxPolicy>, map<string, V1beta2AppsecLinuxPolicy>>
K8sPolicyUtils::createAppsecPoliciesFromIngresses() K8sPolicyUtils::createAppsecPoliciesFromIngresses()
{ {
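Review bot: The map entry is looked up by `policies[annotations_values[AnnotationKeys::PolicyKey]]` three separate times in createPolicy (the insert-if-absent at the top of the hunk, the `*` host rule, and again for every path of every rule in the inner loop), and the opening `find` followed by `operator[]` is a double lookup. Assuming `policies` is a standard associative container, binding the entry once covers all of them: `auto &policy = policies.try_emplace(annotations_values[AnnotationKeys::PolicyKey], appsec_policy).first->second;` followed by `policy.addSpecificRule(ingress_rule);` at both call sites. `annotations_values[...]` is itself a non-const `operator[]`, so if an ingress can arrive without a policy annotation its rules are keyed under an empty string; that predates this commit, but now that rules accumulate across ingresses sharing a key it is worth an explicit check before the insert. The `*` host rule added when the ingress declares a default backend is the security-relevant change here and deserves a one-line comment stating that it makes the policy match requests for any host; createPolicy's signature starts outside the hunk.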


@ -126,6 +126,7 @@ NewAppsecPolicySpec::load(cereal::JSONInputArchive &archive_in)
dbgTrace(D_LOCAL_POLICY) << "Loading AppSec policy spec"; dbgTrace(D_LOCAL_POLICY) << "Loading AppSec policy spec";
parseAppsecJSONKey<string>("appsecClassName", appsec_class_name, archive_in); parseAppsecJSONKey<string>("appsecClassName", appsec_class_name, archive_in);
parseAppsecJSONKey<NewParsedRule>("default", default_rule, archive_in); parseAppsecJSONKey<NewParsedRule>("default", default_rule, archive_in);
default_rule.setHost("*");
parseAppsecJSONKey<vector<NewParsedRule>>("specificRules", specific_rules, archive_in); parseAppsecJSONKey<vector<NewParsedRule>>("specificRules", specific_rules, archive_in);
} }
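Review bot: `default_rule.setHost("*");` is added without a comment saying why the parsed default rule is forced onto the wildcard host, and it runs regardless of whether the `default` key was present in the archive. If `parseAppsecJSONKey` leaves `default_rule` untouched when the key is missing (the hunk does not show it), a policy with no default rule now still carries a rule bound to `*`, which should be confirmed against the parser. A comment such as `// the default rule applies to every host, so pin it to the wildcard` would record the intent, and guarding the call on the key having been parsed would keep an absent default absent.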


@ -1636,7 +1636,9 @@ PolicyMakerUtils::createAgentPolicyFromAppsecPolicy(const string &policy_name, c
createPolicyElements<T, R>(specific_rules, default_rule, appsec_policy, policy_name); createPolicyElements<T, R>(specific_rules, default_rule, appsec_policy, policy_name);
// add default rule to policy // add default rule to policy
createPolicyElementsByRule<T, R>(default_rule, default_rule, appsec_policy, policy_name); if (Singleton::Consume<I_EnvDetails>::by<PolicyMakerUtils>()->getEnvType() != EnvType::K8S) {
createPolicyElementsByRule<T, R>(default_rule, default_rule, appsec_policy, policy_name);
}
} }
// LCOV_EXCL_START Reason: no test exist // LCOV_EXCL_START Reason: no test exist
@ -1659,11 +1661,13 @@ PolicyMakerUtils::createAgentPolicyFromAppsecPolicy<V1beta2AppsecLinuxPolicy, Ne
); );
// add default rule to policy // add default rule to policy
createPolicyElementsByRule<V1beta2AppsecLinuxPolicy, NewParsedRule>( if (Singleton::Consume<I_EnvDetails>::by<PolicyMakerUtils>()->getEnvType() != EnvType::K8S) {
default_rule, createPolicyElementsByRule<V1beta2AppsecLinuxPolicy, NewParsedRule>(
default_rule, default_rule,
appsec_policy, default_rule,
policy_name); appsec_policy,
policy_name);
}
} }
// LCOV_EXCL_STOP // LCOV_EXCL_STOP
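Review bot: The comment `// add default rule to policy` now sits above a branch that skips the default rule in K8S environments, in both hunks (the generic template and the V1beta2 specialization), and the condition `Singleton::Consume<I_EnvDetails>::by<PolicyMakerUtils>()->getEnvType() != EnvType::K8S` is duplicated verbatim. A small named helper, e.g. `static bool shouldAddDefaultRule() { return Singleton::Consume<I_EnvDetails>::by<PolicyMakerUtils>()->getEnvType() != EnvType::K8S; }`, would give the check one definition and one place for the explanatory comment. That comment should say why K8S is exempt; from the rest of the commit it appears the ingress default backend supplies the wildcard rule there instead, but that is inferred and should be confirmed and written down. Both enclosing functions start outside their hunks.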


@ -13,6 +13,10 @@ profile_id=
cluster_id= cluster_id=
latest_policy_version=1 latest_policy_version=1
if [ -f $POLICY_CRDS_PATH ]; then
chmod 644 $POLICY_CRDS_PATH
fi
load_agent_details() load_agent_details()
{ {
tenant_id=$(awk -F\" '/Tenant ID/{print $4}' /etc/cp/conf/agent_details.json) tenant_id=$(awk -F\" '/Tenant ID/{print $4}' /etc/cp/conf/agent_details.json)
@ -29,7 +33,7 @@ get_latest_policy_version()
bucket_list=$(curl -s -w "%{http_code}\n" --request GET \ bucket_list=$(curl -s -w "%{http_code}\n" --request GET \
-H "user-agent: Infinity Next (a7030abf93a4c13)" -H "Authorization: Bearer ${ra_token}" \ -H "user-agent: Infinity Next (a7030abf93a4c13)" -H "Authorization: Bearer ${ra_token}" \
"$var_fog/agents-core/storage/?list-type=2&prefix=${tenant_id}/${profile_id}") "$var_fog/agents-core/storage/?list-type=2&prefix=${tenant_id}/${profile_id}")
paths_list=$(echo $bucket_list | /etc/cp/bin/yq -p xml | grep "/policy") paths_list=$(echo $bucket_list | awk -F'<Key>|</Key>' '/policy-/ {for (i = 1; i <= NF; i++) if ($i ~ /policy/) print $i}')
prefix="${tenant_id}/${profile_id}" prefix="${tenant_id}/${profile_id}"
paths=$(echo $paths_list | tr " " "\n" | grep / ) paths=$(echo $paths_list | tr " " "\n" | grep / )
@ -257,6 +261,7 @@ usage()
echo "Options:" echo "Options:"
echo " --fog <fog address> : Namespace with the relevant Helm Chart" echo " --fog <fog address> : Namespace with the relevant Helm Chart"
echo " --upload_policy_only : Upload policy to the fog, withput changing agent mode" echo " --upload_policy_only : Upload policy to the fog, withput changing agent mode"
echo " --debug : Keep the debuging files"
exit 255 exit 255
} }
@ -277,6 +282,8 @@ validate_arg_value_exists()
fi fi
} }
debug_mode="false"
while true; do while true; do
if [ "$1" = "--token" ]; then if [ "$1" = "--token" ]; then
validate_arg_value_exists "$1" "$#" validate_arg_value_exists "$1" "$#"
@ -290,6 +297,8 @@ while true; do
validate_arg_value_exists "$1" "$#" validate_arg_value_exists "$1" "$#"
shift shift
ra_token="$1" ra_token="$1"
elif [ "$1" = "--debug" ]; then
debug_mode="true"
elif [ -z "$1" ]; then elif [ -z "$1" ]; then
break break
fi fi
@ -305,5 +314,8 @@ upload_crds_to_the_cloud
if [ "$?" = "0" ]; then if [ "$?" = "0" ]; then
echo "SUCCESS" echo "SUCCESS"
fi fi
if [ "$debug_mode" = "false" ]; then
rm $POLICY_CRDS_PATH
fi
exit 0 exit 0
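Review bot: `$POLICY_CRDS_PATH` is expanded unquoted in the new `chmod 644 $POLICY_CRDS_PATH` and `rm $POLICY_CRDS_PATH` lines; a path containing whitespace or glob characters is split or expanded, and an empty value turns the `rm` into a usage error, so write `chmod 644 "$POLICY_CRDS_PATH"` and `rm -- "$POLICY_CRDS_PATH"`. The cleanup also runs after the `SUCCESS` check regardless of whether `upload_crds_to_the_cloud` returned 0, so a failed upload deletes the file a retry would need; consider removing it only on success or leaving it when the upload failed. The `chmod 644` at the top of the script makes the CRDs file world-readable before anything else runs, and the hunk does not say which reader needs that; a short comment naming it, or a tighter mode if only the uploading user reads it, would help. The new awk filter selects records on `/policy-/` but fields on `/policy/`; if the two are meant to be the same pattern, use one of them in both places.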