github_mirrors/openappsec
3
0
Fork 1
mirror of https://github.com/openappsec/openappsec.git synced 2025-09-29 19:24:26 +03:00
Code Issues Packages Projects Releases Wiki Activity

Mar 26th 2023 Dev

Browse Source
This commit is contained in:
Ned Wright
2023-03-27 15:06:15 +00:00
parent 5848f1d7e3
commit 3f5a3b27a4
68 changed files with 1534 additions and 1836 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
components/security_apps/orchestration/CMakeLists.txt
View File

@@ -13,5 +13,6 @@ add_subdirectory(update_communication)
add_subdirectory(details_resolver)
add_subdirectory(health_check)
add_subdirectory(local_policy_mgmt_gen)
add_subdirectory(env_details)
add_subdirectory(orchestration_ut)

41
components/security_apps/orchestration/details_resolver/details_resolver_handlers/checkpoint_product_handlers.h
View File

@@ -116,6 +116,47 @@ getMgmtObjName(shared_ptr<istream> file_stream)
return getMgmtObjAttr(file_stream, "name ");
}
Maybe<string>
getGWIPAddress(shared_ptr<istream> file_stream)
{
return getMgmtObjAttr(file_stream, "ipaddr ");
}
Maybe<string>
getGWHardware(shared_ptr<istream> file_stream)
{
Maybe<string> val = getMgmtObjAttr(file_stream, "appliance_type ");
if(val.ok()) {
if (val == string("software")) return string("Open server");
if (val == string("Maestro Gateway")) return string("Maestro");
}
return val;
}
Maybe<string>
getGWApplicationControlBlade(shared_ptr<istream> file_stream)
{
return getMgmtObjAttr(file_stream, "application_firewall_blade ");
}
Maybe<string>
getGWURLFilteringBlade(shared_ptr<istream> file_stream)
{
return getMgmtObjAttr(file_stream, "advanced_uf_blade ");
}
Maybe<string>
getGWIPSecVPNBlade(shared_ptr<istream> file_stream)
{
return getMgmtObjAttr(file_stream, "VPN_1 ");
}
Maybe<string>
getGWVersion(shared_ptr<istream> file_stream)
{
return getMgmtObjAttr(file_stream, "svn_version_name ");
}
Maybe<string>
getSmbObjectName(const string &command_output)
{

31
components/security_apps/orchestration/details_resolver/details_resolver_handlers/details_resolver_impl.h
View File

@@ -87,6 +87,37 @@ FILE_CONTENT_HANDLER(
(getenv("FWDIR") ? string(getenv("FWDIR")) : "") + "/database/myown.C",
getMgmtObjUid
)
FILE_CONTENT_HANDLER(
"IP Address",
(getenv("FWDIR") ? string(getenv("FWDIR")) : "") + "/database/myself_objects.C",
getGWIPAddress
)
FILE_CONTENT_HANDLER(
"Hardware",
(getenv("FWDIR") ? string(getenv("FWDIR")) : "") + "/database/myself_objects.C",
getGWHardware
)
FILE_CONTENT_HANDLER(
"Application Control",
(getenv("FWDIR") ? string(getenv("FWDIR")) : "") + "/database/myself_objects.C",
getGWApplicationControlBlade
)
FILE_CONTENT_HANDLER(
"URL Filtering",
(getenv("FWDIR") ? string(getenv("FWDIR")) : "") + "/database/myself_objects.C",
getGWURLFilteringBlade
)
FILE_CONTENT_HANDLER(
"IPSec VPN",
(getenv("FWDIR") ? string(getenv("FWDIR")) : "") + "/database/myself_objects.C",
getGWIPSecVPNBlade
)
FILE_CONTENT_HANDLER(
"Version",
(getenv("FWDIR") ? string(getenv("FWDIR")) : "") + "/database/myself_objects.C",
getGWVersion
)
#else // !(gaia || smb)
FILE_CONTENT_HANDLER("os_release", "/etc/os-release", getOsRelease)
#endif // gaia || smb

1
components/security_apps/orchestration/env_details/CMakeLists.txt Normal file
View File

@@ -0,0 +1 @@
add_library(env_details env_details.cc)

66
components/security_apps/orchestration/env_details/env_details.cc Normal file
View File

@@ -0,0 +1,66 @@
// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "env_details.h"
#include "config.h"
#include "debug.h"
using namespace std;
USE_DEBUG_FLAG(D_LOCAL_POLICY);
static const string k8s_service_account = "/var/run/secrets/kubernetes.io/serviceaccount";
// LCOV_EXCL_START Reason: can't use on the pipline environment
EnvDetails::EnvDetails()
{
token = retrieveToken();
token.empty() ? env_type = EnvType::LINUX : env_type = EnvType::K8S;
}
EnvType
EnvDetails::getEnvType()
{
return env_type;
}
string
EnvDetails::getToken()
{
return token;
}
string
EnvDetails::retrieveToken()
{
return readFileContent(k8s_service_account + "/token");
}
string
EnvDetails::readFileContent(const string &file_path)
{
try {
ifstream file(file_path);
stringstream buffer;
buffer << file.rdbuf();
return buffer.str();
} catch (ifstream::failure &f) {
dbgWarning(D_LOCAL_POLICY)
<< "Cannot read the file"
<< " File: " << file_path
<< " Error: " << f.what();
return "";
}
}
// LCOV_EXCL_STOP

2
components/security_apps/orchestration/include/declarative_policy_utils.h
View File

@@ -22,6 +22,7 @@
#include "i_time_get.h"
#include "i_shell_cmd.h"
#include "i_encryptor.h"
#include "i_env_details.h"
#include "maybe_res.h"
#include "event.h"
@@ -35,6 +36,7 @@ class DeclarativePolicyUtils
:
public Singleton::Consume<I_ShellCmd>,
Singleton::Consume<I_LocalPolicyMgmtGen>,
Singleton::Consume<I_EnvDetails>,
Singleton::Consume<I_AgentDetails>,
Singleton::Consume<I_OrchestrationTools>,
Singleton::Consume<I_RestApi>,

2
components/security_apps/orchestration/include/hybrid_communication.h
View File

@@ -40,7 +40,7 @@
class HybridCommunication
:
public FogAuthenticator,
Singleton::Consume<I_LocalPolicyMgmtGen>
Singleton::Consume<I_EnvDetails>
{
public:
void init() override;

2
components/security_apps/orchestration/local_policy_mgmt_gen/CMakeLists.txt
View File

@@ -1,3 +1,3 @@
include_directories(include)
add_library(local_policy_mgmt_gen appsec_practice_section.cc exceptions_section.cc ingress_data.cc local_policy_mgmt_gen.cc policy_maker_utils.cc rules_config_section.cc settings_section.cc snort_section.cc triggers_section.cc trusted_sources_section.cc)
add_library(local_policy_mgmt_gen appsec_practice_section.cc exceptions_section.cc ingress_data.cc local_policy_mgmt_gen.cc policy_maker_utils.cc rules_config_section.cc settings_section.cc snort_section.cc triggers_section.cc trusted_sources_section.cc k8s_policy_utils.cc namespace_data.cc)

89
components/security_apps/orchestration/local_policy_mgmt_gen/appsec_practice_section.cc
View File

@@ -17,6 +17,10 @@ using namespace std;
USE_DEBUG_FLAG(D_LOCAL_POLICY);
// LCOV_EXCL_START Reason: no test exist
static const set<string> valid_modes = {"prevent-learn", "detect-learn", "prevent", "detect", "inactive"};
static const set<string> valid_confidences = {"medium", "high", "critical"};
void
AppSecWebBotsURI::load(cereal::JSONInputArchive &archive_in)
{
@@ -37,6 +41,9 @@ AppSecPracticeAntiBot::load(cereal::JSONInputArchive &archive_in)
parseAppsecJSONKey<vector<AppSecWebBotsURI>>("injected-URIs", injected_uris, archive_in);
parseAppsecJSONKey<vector<AppSecWebBotsURI>>("validated-URIs", validated_uris, archive_in);
parseAppsecJSONKey<string>("override-mode", override_mode, archive_in, "Inactive");
if (valid_modes.count(override_mode) == 0) {
dbgWarning(D_LOCAL_POLICY) << "AppSec Web Bots override mode invalid: " << override_mode;
}
}
void
@@ -106,8 +113,17 @@ AppSecPracticeWebAttacks::load(cereal::JSONInputArchive &archive_in)
dbgTrace(D_LOCAL_POLICY) << "Loading AppSec practice spec";
parseAppsecJSONKey<AppSecWebAttackProtections>("protections", protections, archive_in);
parseAppsecJSONKey<string>("override-mode", mode, archive_in, "Unset");
if (valid_modes.count(mode) == 0) {
dbgWarning(D_LOCAL_POLICY) << "AppSec practice override mode invalid: " << mode;
}
if (getMode() == "Prevent") {
parseAppsecJSONKey<string>("minimum-confidence", minimum_confidence, archive_in, "critical");
if (valid_confidences.count(minimum_confidence) == 0) {
dbgWarning(D_LOCAL_POLICY)
<< "AppSec practice override minimum confidence invalid: "
<< minimum_confidence;
}
} else {
minimum_confidence = "Transparent";
}
@@ -163,6 +179,9 @@ AppSecPracticeSnortSignatures::load(cereal::JSONInputArchive &archive_in)
dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Snort Signatures practice";
parseAppsecJSONKey<string>("override-mode", override_mode, archive_in, "Inactive");
parseAppsecJSONKey<vector<string>>("configmap", config_map, archive_in);
if (valid_modes.count(override_mode) == 0) {
dbgWarning(D_LOCAL_POLICY) << "AppSec Snort Signatures override mode invalid: " << override_mode;
}
}
const string &
@@ -180,9 +199,12 @@ AppSecPracticeSnortSignatures::getConfigMap() const
void
AppSecPracticeOpenSchemaAPI::load(cereal::JSONInputArchive &archive_in)
{
dbgTrace(D_LOCAL_POLICY) << "Loading AppSecPracticeOpenSchemaAPI practice";
parseAppsecJSONKey<string>("override-mode", override_mode, archive_in, "Inactive");
dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Practice OpenSchemaAPI practice";
parseAppsecJSONKey<vector<string>>("configmap", config_map, archive_in);
parseAppsecJSONKey<string>("override-mode", override_mode, archive_in, "Inactive");
if (valid_modes.count(override_mode) == 0) {
dbgWarning(D_LOCAL_POLICY) << "AppSec Open Schema API override mode invalid: " << override_mode;
}
}
const string &
@@ -196,7 +218,7 @@ AppSecPracticeOpenSchemaAPI::getConfigMap() const
{
return config_map;
}
// LCOV_EXCL_STOP
void
AppSecPracticeSpec::load(cereal::JSONInputArchive &archive_in)
{
@@ -212,6 +234,13 @@ AppSecPracticeSpec::load(cereal::JSONInputArchive &archive_in)
parseAppsecJSONKey<string>("name", practice_name, archive_in);
}
void
AppSecPracticeSpec::setName(const string &_name)
{
practice_name = _name;
}
// LCOV_EXCL_START Reason: no test exist
const AppSecPracticeOpenSchemaAPI &
AppSecPracticeSpec::getOpenSchemaValidation() const
{
@@ -223,6 +252,7 @@ AppSecPracticeSpec::getSnortSignatures() const
{
return snort_signatures;
}
// LCOV_EXCL_STOP
const AppSecPracticeWebAttacks &
AppSecPracticeSpec::getWebAttacks() const
@@ -345,6 +375,9 @@ WebAppSection::save(cereal::JSONOutputArchive &out_ar) const
cereal::make_nvp("assetName", asset_name),
cereal::make_nvp("ruleId", rule_id),
cereal::make_nvp("ruleName", rule_name),
cereal::make_nvp("schemaValidation", false),
cereal::make_nvp("schemaValidation_v2", disabled_str),
cereal::make_nvp("oas", empty_list),
cereal::make_nvp("triggers", triggers),
cereal::make_nvp("applicationUrls", application_urls),
cereal::make_nvp("overrides", overrides),
@@ -355,19 +388,7 @@ WebAppSection::save(cereal::JSONOutputArchive &out_ar) const
cereal::make_nvp("botProtection_v2", detect_str)
);
}
const string &
WebAppSection::getPracticeId() const
{
return practice_id;
}
bool
WebAppSection::operator<(const WebAppSection &other) const
{
return getPracticeId() < other.getPracticeId();
}
// LCOV_EXCL_START Reason: no test exist
void
WebAPISection::save(cereal::JSONOutputArchive &out_ar) const
{
@@ -396,12 +417,7 @@ WebAPISection::save(cereal::JSONOutputArchive &out_ar) const
cereal::make_nvp("overrides", empty_list)
);
}
const string &
WebAPISection::getPracticeId() const
{
return practice_id;
}
// LCOV_EXCL_STOP
void
AppSecRulebase::save(cereal::JSONOutputArchive &out_ar) const
@@ -426,6 +442,9 @@ ParsedRule::load(cereal::JSONInputArchive &archive_in)
parseAppsecJSONKey<vector<string>>("triggers", log_triggers, archive_in);
parseAppsecJSONKey<vector<string>>("practices", practices, archive_in);
parseAppsecJSONKey<string>("mode", mode, archive_in);
if (valid_modes.count(mode) == 0) {
dbgWarning(D_LOCAL_POLICY) << "AppSec Parsed Rule mode invalid: " << mode;
}
parseAppsecJSONKey<string>("custom-response", custom_response, archive_in);
parseAppsecJSONKey<string>("source-identifiers", source_identifiers, archive_in);
parseAppsecJSONKey<string>("trusted-sources", trusted_sources, archive_in);
@@ -500,11 +519,6 @@ AppsecPolicySpec::load(cereal::JSONInputArchive &archive_in)
{
dbgTrace(D_LOCAL_POLICY) << "Loading AppSec policy spec";
parseAppsecJSONKey<ParsedRule>("default", default_rule, archive_in);
auto default_mode_annot =
Singleton::Consume<I_Environment>::by<AppsecPolicySpec>()->get<string>("default mode annotation");
if (default_mode_annot.ok() && !default_mode_annot.unpack().empty() && default_rule.getMode().empty()) {
default_rule.setMode(default_mode_annot.unpack());
}
default_rule.setHost("*");
parseAppsecJSONKey<vector<ParsedRule>>("specific-rules", specific_rules, archive_in);
}
@@ -521,6 +535,21 @@ AppsecPolicySpec::getSpecificRules() const
return specific_rules;
}
bool
AppsecPolicySpec::isAssetHostExist(const std::string &full_url) const
{
for (const ParsedRule &rule : specific_rules) {
if (rule.getHost() == full_url) return true;
}
return false;
}
void
AppsecPolicySpec::addSpecificRule(const ParsedRule &_rule)
{
specific_rules.push_back(_rule);
}
void
AppsecLinuxPolicy::serialize(cereal::JSONInputArchive &archive_in)
{
@@ -580,4 +609,8 @@ AppsecLinuxPolicy::getAppsecSourceIdentifierSpecs() const
return sources_identifiers;
}
// LCOV_EXCL_STOP
void
AppsecLinuxPolicy::addSpecificRule(const ParsedRule &_rule)
{
policies.addSpecificRule(_rule);
}

20
components/security_apps/orchestration/local_policy_mgmt_gen/exceptions_section.cc
View File

@@ -18,12 +18,18 @@ using namespace std;
USE_DEBUG_FLAG(D_LOCAL_POLICY);
// LCOV_EXCL_START Reason: no test exist
static const set<string> valid_actions = {"skip", "accept", "drop", "suppressLog"};
void
AppsecExceptionSpec::load(cereal::JSONInputArchive &archive_in)
{
dbgTrace(D_LOCAL_POLICY) << "Loading AppSec exception spec";
parseAppsecJSONKey<string>("name", name, archive_in);
parseAppsecJSONKey<string>("action", action, archive_in);
if (valid_actions.count(action) == 0) {
dbgWarning(D_LOCAL_POLICY) << "AppSec exception action invalid: " << action;
}
parseAppsecJSONKey<vector<string>>("countryCode", country_code, archive_in);
parseAppsecJSONKey<vector<string>>("countryName", country_name, archive_in);
parseAppsecJSONKey<vector<string>>("hostName", host_name, archive_in);
@@ -35,6 +41,12 @@ AppsecExceptionSpec::load(cereal::JSONInputArchive &archive_in)
parseAppsecJSONKey<vector<string>>("url", url, archive_in);
}
void
AppsecExceptionSpec::setName(const string &_name)
{
name = _name;
}
const string &
AppsecExceptionSpec::getName() const
{
@@ -209,12 +221,6 @@ InnerException::getBehaviorId() const
return behavior.getBehaviorId();
}
bool
InnerException::operator<(const InnerException &other) const
{
return getBehaviorId() < other.getBehaviorId();
}
ExceptionsRulebase::ExceptionsRulebase(
vector<InnerException> _exceptions)
:
@@ -251,5 +257,3 @@ ExceptionsWrapper::save(cereal::JSONOutputArchive &out_ar) const
cereal::make_nvp("rulebase", exception_rulebase)
);
}
// LCOV_EXCL_STOP

37
components/security_apps/orchestration/local_policy_mgmt_gen/include/appsec_practice_section.h
View File

@@ -24,12 +24,11 @@
#include "config.h"
#include "debug.h"
#include "customized_cereal_map.h"
#include "k8s_policy_common.h"
#include "local_policy_common.h"
#include "triggers_section.h"
#include "exceptions_section.h"
#include "trusted_sources_section.h"
// LCOV_EXCL_START Reason: no test exist
class AppSecWebBotsURI
{
public:
@@ -129,6 +128,7 @@ public:
const AppSecPracticeWebAttacks & getWebAttacks() const;
const AppSecPracticeAntiBot & getAntiBot() const;
const std::string & getName() const;
void setName(const std::string &_name);
private:
AppSecPracticeOpenSchemaAPI openapi_schema_validation;
@@ -214,8 +214,6 @@ public:
);
void save(cereal::JSONOutputArchive &out_ar) const;
const std::string & getPracticeId() const;
bool operator<(const WebAppSection &other) const;
private:
std::string application_urls;
@@ -271,8 +269,6 @@ public:
void save(cereal::JSONOutputArchive &out_ar) const;
const std::string & getPracticeId() const;
private:
std::string application_urls;
std::string asset_id;
@@ -323,8 +319,10 @@ private:
class ParsedRule
{
public:
void load(cereal::JSONInputArchive &archive_in);
ParsedRule() {}
ParsedRule(const std::string &_host) : host(_host) {}
void load(cereal::JSONInputArchive &archive_in);
const std::vector<std::string> & getExceptions() const;
const std::vector<std::string> & getLogTriggers() const;
const std::vector<std::string> & getPractices() const;
@@ -354,6 +352,8 @@ public:
const ParsedRule & getDefaultRule() const;
const std::vector<ParsedRule> & getSpecificRules() const;
bool isAssetHostExist(const std::string &full_url) const;
void addSpecificRule(const ParsedRule &_rule);
private:
ParsedRule default_rule;
@@ -363,8 +363,25 @@ private:
class AppsecLinuxPolicy : Singleton::Consume<I_Environment>
{
public:
void
serialize(cereal::JSONInputArchive &archive_in);
AppsecLinuxPolicy() {}
AppsecLinuxPolicy(
const AppsecPolicySpec &_policies,
const std::vector<AppSecPracticeSpec> &_practices,
const std::vector<AppsecTriggerSpec> &_log_triggers,
const std::vector<AppSecCustomResponseSpec> &_custom_responses,
const std::vector<AppsecExceptionSpec> &_exceptions,
const std::vector<TrustedSourcesSpec> &_trusted_sources,
const std::vector<SourceIdentifierSpecWrapper> &_sources_identifiers)
:
policies(_policies),
practices(_practices),
log_triggers(_log_triggers),
custom_responses(_custom_responses),
exceptions(_exceptions),
trusted_sources(_trusted_sources),
sources_identifiers(_sources_identifiers) {}
void serialize(cereal::JSONInputArchive &archive_in);
const AppsecPolicySpec & getAppsecPolicySpec() const;
const std::vector<AppSecPracticeSpec> & getAppSecPracticeSpecs() const;
@@ -373,6 +390,7 @@ public:
const std::vector<AppsecExceptionSpec> & getAppsecExceptionSpecs() const;
const std::vector<TrustedSourcesSpec> & getAppsecTrustedSourceSpecs() const;
const std::vector<SourceIdentifierSpecWrapper> & getAppsecSourceIdentifierSpecs() const;
void addSpecificRule(const ParsedRule &_rule);
private:
AppsecPolicySpec policies;
@@ -384,5 +402,4 @@ private:
std::vector<SourceIdentifierSpecWrapper> sources_identifiers;
};
// LCOV_EXCL_STOP
#endif // __APPSEC_PRACTICE_SECTION_H__

6
components/security_apps/orchestration/local_policy_mgmt_gen/include/exceptions_section.h
View File

@@ -23,9 +23,8 @@
#include "config.h"
#include "debug.h"
#include "rest.h"
#include "k8s_policy_common.h"
#include "local_policy_common.h"
// LCOV_EXCL_START Reason: no test exist
class AppsecExceptionSpec
{
public:
@@ -42,6 +41,7 @@ public:
const std::vector<std::string> & getSourceIdentifier() const;
const std::vector<std::string> & getSourceIp() const;
const std::vector<std::string> & getUrl() const;
void setName(const std::string &_name);
private:
std::string name;
@@ -111,7 +111,6 @@ public:
void save(cereal::JSONOutputArchive &out_ar) const;
const std::string getBehaviorId() const;
bool operator<(const InnerException &other) const;
private:
ExceptionBehavior behavior;
@@ -150,5 +149,4 @@ public:
private:
Exception exception_rulebase;
};
// LCOV_EXCL_STOP
#endif // __EXCEPTPIONS_SECTION_H__

44
components/security_apps/orchestration/local_policy_mgmt_gen/include/ingress_data.h
View File

@@ -22,18 +22,15 @@
#include "rest.h"
#include "cereal/archives/json.hpp"
#include <cereal/types/map.hpp>
#include "customized_cereal_map.h"
#include "k8s_policy_common.h"
#include "local_policy_common.h"
// LCOV_EXCL_START Reason: no test exist
class IngressMetadata
{
public:
void load(cereal::JSONInputArchive &archive_in);
const std::string & getName() const;
const std::string & getResourceVersion() const;
const std::string & getNamespace() const;
const std::map<std::string, std::string> & getAnnotations() const;
private:
@@ -46,8 +43,7 @@ private:
class IngressRulePath
{
public:
void
load(cereal::JSONInputArchive &archive_in);
void load(cereal::JSONInputArchive &archive_in);
const std::string & getPath() const;
@@ -55,13 +51,6 @@ private:
std::string path;
};
inline std::ostream &
operator<<(std::ostream &os, const IngressRulePath &obj)
{
os << obj.getPath();
return os;
}
class IngressRulePathsWrapper
{
public:
@@ -86,25 +75,10 @@ private:
IngressRulePathsWrapper paths_wrapper;
};
inline std::ostream &
operator<<(std::ostream &os, const IngressDefinedRule &obj)
{
os
<< "host: "
<< obj.getHost()
<< ", paths: [" << std::endl
<< makeSeparatedStr(obj.getPathsWrapper().getRulePaths(), ",")
<< std::endl << "]";
return os;
}
class DefaultBackend
{
public:
void
load(cereal::JSONInputArchive &);
bool isExists() const;
void load(cereal::JSONInputArchive &);
private:
bool is_exists = false;
@@ -113,12 +87,9 @@ private:
class IngressSpec
{
public:
void
load(cereal::JSONInputArchive &archive_in);
void load(cereal::JSONInputArchive &archive_in);
const std::string & getIngressClassName() const;
const std::vector<IngressDefinedRule> & getRules() const;
bool isDefaultBackendExists() const;
private:
std::string ingress_class_name;
@@ -129,8 +100,7 @@ private:
class SingleIngressData
{
public:
void
load(cereal::JSONInputArchive &archive_in);
void load(cereal::JSONInputArchive &archive_in);
const IngressMetadata & getMetadata() const;
const IngressSpec & getSpec() const;
@@ -146,12 +116,10 @@ class IngressData : public ClientRest
public:
bool loadJson(const std::string &json);
const std::string & getapiVersion() const;
const std::vector<SingleIngressData> & getItems() const;
private:
std::string apiVersion;
std::vector<SingleIngressData> items;
};
// LCOV_EXCL_STOP
#endif // __INGRESS_DATA_H__

81
components/security_apps/orchestration/local_policy_mgmt_gen/include/k8s_policy_utils.h Normal file
View File

@@ -0,0 +1,81 @@
// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef __K8S_POLICY_UTILS_H__
#define __K8S_POLICY_UTILS_H__
#include <string>
#include <fstream>
#include <utility>
#include <sys/types.h>
#include <cereal/archives/json.hpp>
#include "maybe_res.h"
#include "i_orchestration_tools.h"
#include "i_shell_cmd.h"
#include "i_messaging.h"
#include "i_env_details.h"
#include "i_agent_details.h"
#include "appsec_practice_section.h"
#include "policy_maker_utils.h"
enum class AnnotationKeys { PolicyKey, OpenAppsecIo, SyslogAddressKey, SyslogPortKey, ModeKey };
class K8sPolicyUtils
:
Singleton::Consume<I_Environment>,
Singleton::Consume<I_OrchestrationTools>,
Singleton::Consume<I_Messaging>,
Singleton::Consume<I_ShellCmd>,
Singleton::Consume<I_EnvDetails>,
Singleton::Consume<I_AgentDetails>
{
public:
void init();
std::map<std::string, AppsecLinuxPolicy> createAppsecPoliciesFromIngresses();
bool getClusterId() const;
private:
std::map<AnnotationKeys, std::string> parseIngressAnnotations(
const std::map<std::string, std::string> &annotations
) const;
template<class T>
Maybe<T, std::string> getObjectFromCluster(const std::string &path) const;
std::map<AnnotationTypes, std::unordered_set<std::string>> extractElementsNames(
const std::vector<ParsedRule> &specific_rules,
const ParsedRule &default_rule
) const;
template<class T>
std::vector<T> extractElementsFromCluster(
const std::string &crd_plural,
const std::unordered_set<std::string> &elements_names
) const;
Maybe<AppsecLinuxPolicy> createAppsecPolicyK8s(
const std::string &policy_name,
const std::string &ingress_mode
) const;
I_EnvDetails* env_details = nullptr;
I_Messaging* messaging = nullptr;
EnvType env_type;
Flags<MessageConnConfig> conn_flags;
std::string token;
};
#endif // __K8S_POLICY_UTILS_H__

112
components/security_apps/orchestration/local_policy_mgmt_gen/include/local_policy_common.h Normal file
View File

@@ -0,0 +1,112 @@
// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef __LOCAL_POLICY_COMMON_H__
#define __LOCAL_POLICY_COMMON_H__
#include <map>
#include <set>
#include <string>
#include <cereal/archives/json.hpp>
#include "config.h"
#include "debug.h"
#include "rest.h"
USE_DEBUG_FLAG(D_LOCAL_POLICY);
enum class PracticeType { WebApplication, WebAPI };
enum class TriggerType { Log, WebUserResponse };
enum class MatchType { Condition, Operator };
static const std::unordered_map<std::string, MatchType> string_to_match_type = {
{ "condition", MatchType::Condition },
{ "operator", MatchType::Operator }
};
static const std::unordered_map<std::string, PracticeType> string_to_practice_type = {
{ "WebApplication", PracticeType::WebApplication },
{ "WebAPI", PracticeType::WebAPI }
};
static const std::unordered_map<std::string, TriggerType> string_to_trigger_type = {
{ "log", TriggerType::Log },
{ "WebUserResponse", TriggerType::WebUserResponse }
};
static const std::unordered_map<std::string, std::string> key_to_practices_val = {
{ "prevent-learn", "Prevent"},
{ "detect-learn", "Detect"},
{ "prevent", "Prevent"},
{ "detect", "Detect"},
{ "inactive", "Inactive"}
};
template <typename T>
void
parseAppsecJSONKey(
const std::string &key_name,
T &value,
cereal::JSONInputArchive &archive_in,
const T &default_value = T())
{
try {
archive_in(cereal::make_nvp(key_name, value));
} catch (const cereal::Exception &e) {
archive_in.setNextName(nullptr);
value = default_value;
dbgDebug(D_LOCAL_POLICY)
<< "Could not parse the required key. Key: "
<< key_name
<< ", Error: "
<< e.what();
}
}
template <typename T>
class AppsecSpecParser : public ClientRest
{
public:
AppsecSpecParser() = default;
AppsecSpecParser(const T &_spec) : spec(_spec) {}
bool
loadJson(const std::string &json)
{
std::string modified_json = json;
modified_json.pop_back();
std::stringstream ss;
ss.str(modified_json);
try {
cereal::JSONInputArchive in_ar(ss);
in_ar(cereal::make_nvp("spec", spec));
} catch (cereal::Exception &e) {
dbgWarning(D_LOCAL_POLICY) << "Failed to load spec JSON. Error: " << e.what();
return false;
}
return true;
}
void
setName(const std::string &_name)
{
spec.setName(_name);
}
const T & getSpec() const { return spec; }
private:
T spec;
};
#endif // __LOCAL_POLICY_COMMON_H__

35
components/security_apps/orchestration/local_policy_mgmt_gen/include/namespace_data.h Normal file
View File

@@ -0,0 +1,35 @@
// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef __NAMESPACE_DATA_H__
#define __NAMESPACE_DATA_H__
#include <vector>
#include <map>
#include "cereal/archives/json.hpp"
#include <cereal/types/map.hpp>
#include "rest.h"
class NamespaceData : public ClientRest
{
public:
bool loadJson(const std::string &json);
Maybe<std::string> getNamespaceUidByName(const std::string &name);
private:
std::map<std::string, std::string> ns_name_to_uid;
};
#endif // __NAMESPACE_DATA_H__

10
components/security_apps/orchestration/local_policy_mgmt_gen/include/policy_maker_utils.h
View File

@@ -29,17 +29,16 @@
#include "maybe_res.h"
#include "i_orchestration_tools.h"
#include "i_shell_cmd.h"
#include "i_messaging.h"
#include "appsec_practice_section.h"
#include "ingress_data.h"
#include "settings_section.h"
#include "triggers_section.h"
#include "k8s_policy_common.h"
#include "local_policy_common.h"
#include "exceptions_section.h"
#include "rules_config_section.h"
#include "trusted_sources_section.h"
USE_DEBUG_FLAG(D_NGINX_POLICY);
enum class AnnotationTypes {
PRACTICE,
TRIGGER,
@@ -50,7 +49,6 @@ enum class AnnotationTypes {
COUNT
};
// LCOV_EXCL_START Reason: no test exist
class SecurityAppsWrapper
{
public:
@@ -93,11 +91,11 @@ private:
SettingsWrapper settings;
SecurityAppsWrapper security_apps;
};
// LCOV_EXCL_STOP
class PolicyMakerUtils
:
Singleton::Consume<I_Environment>,
Singleton::Consume<I_OrchestrationTools>,
Singleton::Consume<I_Messaging>,
Singleton::Consume<I_ShellCmd>
{
public:
@@ -113,7 +111,7 @@ public:
std::tuple<std::string, std::string, std::string> splitHostName(const std::string &host_name);
std::string dumpPolicyToFile(const PolicyWrapper &policy, const std::string &policy_path) const;
std::string dumpPolicyToFile(const PolicyWrapper &policy, const std::string &policy_path);
PolicyWrapper combineElementsToPolicy(const std::string &policy_version);

38
components/security_apps/orchestration/local_policy_mgmt_gen/include/rules_config_section.h
View File

@@ -23,9 +23,8 @@
#include "config.h"
#include "debug.h"
#include "k8s_policy_common.h"
#include "local_policy_common.h"
// LCOV_EXCL_START Reason: no test exist
class AssetUrlParser
{
public:
@@ -41,13 +40,11 @@ public:
PracticeSection(
const std::string &_id,
const std::string &_type,
const std::string &_practice_name);
const std::string &_practice_name
);
void save(cereal::JSONOutputArchive &out_ar) const;
const std::string & getPracticeId() const;
const std::string & getPracticeName() const;
private:
std::string id;
std::string name;
@@ -60,7 +57,6 @@ public:
ParametersSection(const std::string &_id, const std::string &_name);
void save(cereal::JSONOutputArchive &out_ar) const;
const std::string & getId() const;
private:
std::string name;
@@ -74,13 +70,11 @@ public:
RulesTriggerSection(
const std::string &_name,
const std::string &_id,
const std::string &_type);
const std::string &_type
);
void save(cereal::JSONOutputArchive &out_ar) const;
const std::string & getId() const;
const std::string & getName() const;
private:
std::string name;
std::string id;
@@ -99,20 +93,14 @@ public:
const std::string &_uri,
std::vector<PracticeSection> _practices,
std::vector<ParametersSection> _parameters,
std::vector<RulesTriggerSection> _triggers);
std::vector<RulesTriggerSection> _triggers
);
void save(cereal::JSONOutputArchive &out_ar) const;
const std::string & getRuleId() const;
const std::string & getAssetName() const;
const std::string & getRuleName() const;
const std::string & getAssetId() const;
const std::string & getPracticeId() const;
const std::string & getPracticeName() const;
const std::string & getContext() const;
const std::vector<PracticeSection> & getPractice() const;
const std::vector<ParametersSection> & getParameters() const;
const std::vector<RulesTriggerSection> & getTriggers() const;
private:
std::string context;
@@ -130,7 +118,8 @@ public:
UsersIdentifier(
const std::string &_source_identifier,
std::vector<std::string> _identifier_values);
std::vector<std::string> _identifier_values
);
void save(cereal::JSONOutputArchive &out_ar) const;
@@ -148,8 +137,9 @@ public:
UsersIdentifiersRulebase(
const std::string &_context,
const std::string &_source_identifier,
std::vector<std::string> _identifier_values,
std::vector<UsersIdentifier> _source_identifiers);
const std::vector<std::string> &_identifier_values,
const std::vector<UsersIdentifier> &_source_identifiers
);
void save(cereal::JSONOutputArchive &out_ar) const;
@@ -165,7 +155,8 @@ class RulesRulebase
public:
RulesRulebase(
const std::vector<RulesConfigRulebase> &_rules_config,
const std::vector<UsersIdentifiersRulebase> &_users_identifiers);
const std::vector<UsersIdentifiersRulebase> &_users_identifiers
);
void save(cereal::JSONOutputArchive &out_ar) const;
@@ -192,5 +183,4 @@ public:
private:
RulesRulebase rules_config_rulebase;
};
// LCOV_EXCL_STOP
#endif // __RULES_CONFIG_SECTION_H__

2
components/security_apps/orchestration/local_policy_mgmt_gen/include/settings_section.h
View File

@@ -21,7 +21,7 @@
#include "config.h"
#include "debug.h"
#include "k8s_policy_common.h"
#include "local_policy_common.h"
// LCOV_EXCL_START Reason: no test exist
class AgentSettingsSection

15
components/security_apps/orchestration/local_policy_mgmt_gen/include/triggers_section.h
View File

@@ -21,9 +21,8 @@
#include "config.h"
#include "debug.h"
#include "k8s_policy_common.h"
#include "local_policy_common.h"
// LCOV_EXCL_START Reason: no test exist
class LogTriggerSection
{
public:
@@ -58,7 +57,6 @@ public:
const std::string & getTriggerId() const;
const std::string & getTriggerName() const;
bool operator<(const LogTriggerSection &other) const;
private:
std::string id;
@@ -102,9 +100,6 @@ public:
void save(cereal::JSONOutputArchive &out_ar) const;
const std::string & getTriggerId() const;
const std::string & getTriggerName() const;
bool operator<(const WebUserResponseTriggerSection &other) const;
private:
std::string id;
@@ -126,6 +121,7 @@ public:
const std::string & getMessageTitle() const;
const std::string & getMode() const;
const std::string & getName() const;
void setName(const std::string &_name);
private:
int httpResponseCode;
@@ -158,9 +154,6 @@ class AppsecTriggerAccessControlLogging
public:
void load(cereal::JSONInputArchive &archive_in);
bool isAllowEvents() const;
bool isDropEvents() const;
private:
bool allow_events = false;
bool drop_events = false;
@@ -220,7 +213,6 @@ public:
void load(cereal::JSONInputArchive &archive_in);
const std::string & getAddress() const;
const std::string & getProto() const;
int getPort() const;
private:
@@ -273,8 +265,8 @@ class AppsecTriggerSpec
public:
void load(cereal::JSONInputArchive &archive_in);
const AppsecTriggerAccessControlLogging & getAppsecTriggerAccessControlLogging() const;
const std::string & getName() const;
void setName(const std::string &_name);
const AppsecTriggerAdditionalSuspiciousEventsLogging & getAppsecTriggerAdditionalSuspiciousEventsLogging() const;
const AppsecTriggerLogging & getAppsecTriggerLogging() const;
const AppsecTriggerExtendedLogging & getAppsecTriggerExtendedLogging() const;
@@ -300,5 +292,4 @@ public:
private:
TriggersRulebase triggers_rulebase;
};
// LCOV_EXCL_STOP
#endif // __TRIGGERS_SECTION_H__

6
components/security_apps/orchestration/local_policy_mgmt_gen/include/trusted_sources_section.h
View File

@@ -22,9 +22,8 @@
#include "config.h"
#include "debug.h"
#include "k8s_policy_common.h"
#include "local_policy_common.h"
// LCOV_EXCL_START Reason: no test exist
class TrustedSourcesSpec
{
public:
@@ -33,6 +32,7 @@ public:
int getMinNumOfSources() const;
const std::vector<std::string> & getSourcesIdentifiers() const;
const std::string & getName() const;
void setName(const std::string &_name);
private:
int min_num_of_sources = 0;
@@ -77,6 +77,7 @@ public:
const std::string & getName() const;
const std::vector<SourceIdentifierSpec> & getIdentifiers() const;
void setName(const std::string &_name);
private:
std::string name;
@@ -104,5 +105,4 @@ private:
int num_of_sources = 0;
std::vector<SourcesIdentifiers> sources_identifiers;
};
// LCOV_EXCL_STOP
#endif // __TRUSTED_SOURCES_SECTION_H__

43
components/security_apps/orchestration/local_policy_mgmt_gen/ingress_data.cc
View File

@@ -17,7 +17,6 @@
using namespace std;
USE_DEBUG_FLAG(D_LOCAL_POLICY);
// LCOV_EXCL_START Reason: no test exist
void
IngressMetadata::load(cereal::JSONInputArchive &archive_in)
{
@@ -28,24 +27,6 @@ IngressMetadata::load(cereal::JSONInputArchive &archive_in)
parseAppsecJSONKey<map<string, string>>("annotations", annotations, archive_in);
}
const string &
IngressMetadata::getName() const
{
return name;
}
const string &
IngressMetadata::getResourceVersion() const
{
return resourceVersion;
}
const string &
IngressMetadata::getNamespace() const
{
return namespace_name;
}
const map<string, string> &
IngressMetadata::getAnnotations() const
{
@@ -105,12 +86,6 @@ DefaultBackend::load(cereal::JSONInputArchive &)
is_exists = true;
}
bool
DefaultBackend::isExists() const
{
return is_exists;
}
void
IngressSpec::load(cereal::JSONInputArchive &archive_in)
{
@@ -120,22 +95,11 @@ IngressSpec::load(cereal::JSONInputArchive &archive_in)
parseAppsecJSONKey<DefaultBackend>("defaultBackend", default_backend, archive_in);
}
const string &
IngressSpec::getIngressClassName() const
{
return ingress_class_name;
}
const vector<IngressDefinedRule> &
IngressSpec::getRules() const
{
return rules;
}
bool
IngressSpec::isDefaultBackendExists() const
{
return default_backend.isExists();
}
void
SingleIngressData::load(cereal::JSONInputArchive &archive_in)
@@ -178,15 +142,8 @@ IngressData::loadJson(const string &json)
return true;
}
const string &
IngressData::getapiVersion() const
{
return apiVersion;
}
const vector<SingleIngressData> &
IngressData::getItems() const
{
return items;
}
// LCOV_EXCL_STOP

343
components/security_apps/orchestration/local_policy_mgmt_gen/k8s_policy_utils.cc Normal file
View File

@@ -0,0 +1,343 @@
// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "k8s_policy_utils.h"
#include "namespace_data.h"
using namespace std;
USE_DEBUG_FLAG(D_NGINX_POLICY);
string
convertAnnotationKeysTostring(const AnnotationKeys &key)
{
switch (key) {
case AnnotationKeys::PolicyKey:
return "policy";
case AnnotationKeys::OpenAppsecIo:
return "openappsec.io/";
case AnnotationKeys::SyslogAddressKey:
return "syslog";
case AnnotationKeys::ModeKey:
return "mode";
default:
return "Irrelevant key";
}
}
void
K8sPolicyUtils::init()
{
env_details = Singleton::Consume<I_EnvDetails>::by<K8sPolicyUtils>();
env_type = env_details->getEnvType();
if (env_type == EnvType::K8S) {
token = env_details->getToken();
messaging = Singleton::Consume<I_Messaging>::by<K8sPolicyUtils>();
conn_flags.setFlag(MessageConnConfig::SECURE_CONN);
conn_flags.setFlag(MessageConnConfig::IGNORE_SSL_VALIDATION);
}
}
map<AnnotationKeys, string>
K8sPolicyUtils::parseIngressAnnotations(const map<string, string> &annotations) const
{
map<AnnotationKeys, string> annotations_values;
for (const pair<string, string> &annotation : annotations) {
string annotation_key = annotation.first;
string annotation_val = annotation.second;
if (annotation_key.find(convertAnnotationKeysTostring(AnnotationKeys::OpenAppsecIo)) != string::npos) {
if (annotation_key.find(convertAnnotationKeysTostring(AnnotationKeys::PolicyKey)) != string::npos) {
annotations_values[AnnotationKeys::PolicyKey] = annotation_val;
} else if (
annotation_key.find(convertAnnotationKeysTostring(AnnotationKeys::SyslogAddressKey)) != string::npos
) {
bool has_port = annotation_val.find(":");
annotations_values[AnnotationKeys::SyslogAddressKey] =
annotation_val.substr(0, annotation_val.find(":"));
annotations_values[AnnotationKeys::SyslogPortKey] =
has_port ? annotation_val.substr(annotation_val.find(":") + 1) : "";
} else if (annotation_key.find(convertAnnotationKeysTostring(AnnotationKeys::ModeKey)) != string::npos) {
annotations_values[AnnotationKeys::ModeKey] = annotation_val;
}
}
}
return annotations_values;
}
template<class T>
Maybe<T, string>
K8sPolicyUtils::getObjectFromCluster(const string &path) const
{
T object;
bool res = messaging->sendObject(
object,
I_Messaging::Method::GET,
"kubernetes.default.svc",
443,
conn_flags,
path,
"Authorization: Bearer " + token + "\nConnection: close"
);
if (res) return object;
return genError(string("Was not able to get object form k8s cluser in path: " + path));
}
map<AnnotationTypes, unordered_set<string>>
K8sPolicyUtils::extractElementsNames(const vector<ParsedRule> &specific_rules, const ParsedRule &default_rule) const
{
map<AnnotationTypes, unordered_set<string>> policy_elements_names;
for (const ParsedRule &specific_rule : specific_rules) {
policy_elements_names[AnnotationTypes::EXCEPTION].insert(
specific_rule.getExceptions().begin(),
specific_rule.getExceptions().end()
);
policy_elements_names[AnnotationTypes::PRACTICE].insert(
specific_rule.getPractices().begin(),
specific_rule.getPractices().end()
);
policy_elements_names[AnnotationTypes::TRIGGER].insert(
specific_rule.getLogTriggers().begin(),
specific_rule.getLogTriggers().end()
);
policy_elements_names[AnnotationTypes::WEB_USER_RES].insert(specific_rule.getCustomResponse());
policy_elements_names[AnnotationTypes::SOURCE_IDENTIFIERS].insert(specific_rule.getSourceIdentifiers());
policy_elements_names[AnnotationTypes::TRUSTED_SOURCES].insert(specific_rule.getTrustedSources());
}
policy_elements_names[AnnotationTypes::EXCEPTION].insert(
default_rule.getExceptions().begin(),
default_rule.getExceptions().end()
);
policy_elements_names[AnnotationTypes::PRACTICE].insert(
default_rule.getPractices().begin(),
default_rule.getPractices().end()
);
policy_elements_names[AnnotationTypes::TRIGGER].insert(
default_rule.getLogTriggers().begin(),
default_rule.getLogTriggers().end()
);
policy_elements_names[AnnotationTypes::WEB_USER_RES].insert(default_rule.getCustomResponse());
policy_elements_names[AnnotationTypes::SOURCE_IDENTIFIERS].insert(default_rule.getSourceIdentifiers());
policy_elements_names[AnnotationTypes::TRUSTED_SOURCES].insert(default_rule.getTrustedSources());
return policy_elements_names;
}
template<class T>
vector<T>
K8sPolicyUtils::extractElementsFromCluster(
const string &crd_plural,
const unordered_set<string> &elements_names) const
{
dbgTrace(D_LOCAL_POLICY) << "Retrieve AppSec elements. type: " << crd_plural;
vector<T> elements;
for (const string &element_name : elements_names) {
dbgTrace(D_LOCAL_POLICY) << "AppSec element name: " << element_name;
auto maybe_appsec_element = getObjectFromCluster<AppsecSpecParser<T>>(
"/apis/openappsec.io/v1beta1/" + crd_plural + "/" + element_name
);
if (!maybe_appsec_element.ok()) {
dbgWarning(D_LOCAL_POLICY)
<< "Failed to retrieve AppSec element. type: "
<< crd_plural
<< ", name: "
<< element_name
<< ". Error: "
<< maybe_appsec_element.getErr();
continue;
}
AppsecSpecParser<T> appsec_element = maybe_appsec_element.unpack();
if (appsec_element.getSpec().getName() == "") {
appsec_element.setName(element_name);
}
elements.push_back(appsec_element.getSpec());
}
return elements;
}
Maybe<AppsecLinuxPolicy>
K8sPolicyUtils::createAppsecPolicyK8s(const string &policy_name, const string &ingress_mode) const
{
auto maybe_appsec_policy_spec = getObjectFromCluster<AppsecSpecParser<AppsecPolicySpec>>(
"/apis/openappsec.io/v1beta1/policies/" + policy_name
);
if (!maybe_appsec_policy_spec.ok()) {
dbgWarning(D_LOCAL_POLICY)
<< "Failed to retrieve AppSec policy. Error: "
<< maybe_appsec_policy_spec.getErr();
return genError("Failed to retrieve AppSec policy. Error: " + maybe_appsec_policy_spec.getErr());
}
AppsecSpecParser<AppsecPolicySpec> appsec_policy_spec = maybe_appsec_policy_spec.unpack();
ParsedRule default_rule = appsec_policy_spec.getSpec().getDefaultRule();
vector<ParsedRule> specific_rules = appsec_policy_spec.getSpec().getSpecificRules();
if (!ingress_mode.empty() && default_rule.getMode().empty()) {
default_rule.setMode(ingress_mode);
}
map<AnnotationTypes, unordered_set<string>> policy_elements_names = extractElementsNames(
specific_rules,
default_rule
);
vector<AppSecPracticeSpec> practices = extractElementsFromCluster<AppSecPracticeSpec>(
"practices",
policy_elements_names[AnnotationTypes::PRACTICE]
);
vector<AppsecTriggerSpec> log_triggers = extractElementsFromCluster<AppsecTriggerSpec>(
"logtriggers",
policy_elements_names[AnnotationTypes::TRIGGER]
);
vector<AppSecCustomResponseSpec> web_user_responses = extractElementsFromCluster<AppSecCustomResponseSpec>(
"customresponses",
policy_elements_names[AnnotationTypes::WEB_USER_RES]
);
vector<AppsecExceptionSpec> exceptions = extractElementsFromCluster<AppsecExceptionSpec>(
"exceptions",
policy_elements_names[AnnotationTypes::EXCEPTION]
);
vector<SourceIdentifierSpecWrapper> source_identifiers = extractElementsFromCluster<SourceIdentifierSpecWrapper>(
"sourcesidentifiers",
policy_elements_names[AnnotationTypes::SOURCE_IDENTIFIERS]
);
vector<TrustedSourcesSpec> trusted_sources = extractElementsFromCluster<TrustedSourcesSpec>(
"trustedsources",
policy_elements_names[AnnotationTypes::TRUSTED_SOURCES]
);
AppsecLinuxPolicy appsec_policy = AppsecLinuxPolicy(
appsec_policy_spec.getSpec(),
practices,
log_triggers,
web_user_responses,
exceptions,
trusted_sources,
source_identifiers
);
return appsec_policy;
}
map<string, AppsecLinuxPolicy>
K8sPolicyUtils::createAppsecPoliciesFromIngresses()
{
dbgFlow(D_LOCAL_POLICY) << "Getting all policy object from Ingresses";
map<string, AppsecLinuxPolicy> policies;
auto maybe_ingress = getObjectFromCluster<IngressData>("/apis/networking.k8s.io/v1/ingresses");
if (!maybe_ingress.ok()) {
// TBD: Error handling : INXT-31444
dbgWarning(D_LOCAL_POLICY)
<< "Failed to retrieve K8S Ingress configurations. Error: "
<< maybe_ingress.getErr();
return policies;
}
IngressData ingress = maybe_ingress.unpack();
for (const SingleIngressData &item : ingress.getItems()) {
map<AnnotationKeys, string> annotations_values = parseIngressAnnotations(
item.getMetadata().getAnnotations()
);
if (annotations_values[AnnotationKeys::PolicyKey].empty()) {
dbgInfo(D_LOCAL_POLICY) << "No policy was found in this ingress";
continue;
}
Maybe<AppsecLinuxPolicy> maybe_appsec_policy = createAppsecPolicyK8s(
annotations_values[AnnotationKeys::PolicyKey],
annotations_values[AnnotationKeys::ModeKey]
);
if (!maybe_appsec_policy.ok()) {
dbgWarning(D_LOCAL_POLICY)
<< "Failed to create appsec policy. Error: "
<< maybe_appsec_policy.getErr();
continue;
}
AppsecLinuxPolicy appsec_policy = maybe_appsec_policy.unpack();
for (const IngressDefinedRule &rule : item.getSpec().getRules()) {
string url = rule.getHost();
for (const IngressRulePath &uri : rule.getPathsWrapper().getRulePaths()) {
if (!appsec_policy.getAppsecPolicySpec().isAssetHostExist(url + uri.getPath())) {
dbgTrace(D_LOCAL_POLICY)
<< "Inserting Host data to the specific asset set:"
<< "URL: '"
<< url
<< "' uri: '"
<< uri.getPath()
<< "'";
ParsedRule ingress_rule = ParsedRule(url + uri.getPath());
appsec_policy.addSpecificRule(ingress_rule);
}
}
}
policies[annotations_values[AnnotationKeys::PolicyKey]] = appsec_policy;
}
return policies;
}
bool
isPlaygroundEnv()
{
const char *env_string = getenv("PLAYGROUND");
if (env_string == nullptr) return false;
string env_value = env_string;
transform(env_value.begin(), env_value.end(), env_value.begin(), ::tolower);
return env_value == "true";
}
bool
K8sPolicyUtils::getClusterId() const
{
string playground_uid = isPlaygroundEnv() ? "playground-" : "";
dbgTrace(D_LOCAL_POLICY) << "Getting cluster UID";
auto maybe_namespaces_data = getObjectFromCluster<NamespaceData>("/api/v1/namespaces/");
if (!maybe_namespaces_data.ok()) {
dbgWarning(D_LOCAL_POLICY)
<< "Failed to retrieve K8S namespace data. Error: "
<< maybe_namespaces_data.getErr();
return false;
}
NamespaceData namespaces_data = maybe_namespaces_data.unpack();
Maybe<string> maybe_ns_uid = namespaces_data.getNamespaceUidByName("kube-system");
if (!maybe_ns_uid.ok()) {
dbgWarning(D_LOCAL_POLICY) << maybe_ns_uid.getErr();
return false;
}
string uid = playground_uid + maybe_ns_uid.unpack();
dbgTrace(D_LOCAL_POLICY) << "Found k8s cluster UID: " << uid;
I_Environment *env = Singleton::Consume<I_Environment>::by<K8sPolicyUtils>();
env->getConfigurationContext().registerValue<string>(
"k8sClusterId",
uid,
EnvKeyAttr::LogSection::SOURCE
);
I_AgentDetails *i_agent_details = Singleton::Consume<I_AgentDetails>::by<K8sPolicyUtils>();
i_agent_details->setClusterId(uid);
return true;
}

1255
components/security_apps/orchestration/local_policy_mgmt_gen/local_policy_mgmt_gen.cc
View File

File diff suppressed because it is too large Load Diff

97
components/security_apps/orchestration/local_policy_mgmt_gen/namespace_data.cc Normal file
View File

@@ -0,0 +1,97 @@
// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "namespace_data.h"
#include "local_policy_common.h"
using namespace std;
USE_DEBUG_FLAG(D_LOCAL_POLICY);
class NamespaceMetadata
{
public:
void
load(cereal::JSONInputArchive &archive_in)
{
dbgFlow(D_LOCAL_POLICY);
parseAppsecJSONKey<string>("name", name, archive_in);
parseAppsecJSONKey<string>("uid", uid, archive_in);
}
const string &
getName() const
{
return name;
}
const string &
getUID() const
{
return uid;
}
private:
string name;
string uid;
};
class SingleNamespaceData
{
public:
void
load(cereal::JSONInputArchive &archive_in)
{
parseAppsecJSONKey<NamespaceMetadata>("metadata", metadata, archive_in);
}
const NamespaceMetadata &
getMetadata() const
{
return metadata;
}
private:
NamespaceMetadata metadata;
};
bool
NamespaceData::loadJson(const string &json)
{
dbgFlow(D_LOCAL_POLICY);
string modified_json = json;
modified_json.pop_back();
stringstream in;
in.str(modified_json);
try {
cereal::JSONInputArchive in_ar(in);
vector<SingleNamespaceData> items;
in_ar(cereal::make_nvp("items", items));
for (const SingleNamespaceData &single_ns_data : items) {
ns_name_to_uid[single_ns_data.getMetadata().getName()] = single_ns_data.getMetadata().getUID();
}
} catch (cereal::Exception &e) {
dbgWarning(D_LOCAL_POLICY) << "Failed to load namespace data JSON. Error: " << e.what();
return false;
}
return true;
}
Maybe<string>
NamespaceData::getNamespaceUidByName(const string &name)
{
if (ns_name_to_uid.find(name) == ns_name_to_uid.end()) {
return genError("Namespace doesn't exist. Name: " + name);
}
return ns_name_to_uid.at(name);
}

107
components/security_apps/orchestration/local_policy_mgmt_gen/policy_maker_utils.cc
View File

@@ -17,8 +17,6 @@ using namespace std;
USE_DEBUG_FLAG(D_NGINX_POLICY);
// LCOV_EXCL_START Reason: no test exist
void
SecurityAppsWrapper::save(cereal::JSONOutputArchive &out_ar) const
{
@@ -40,12 +38,16 @@ PolicyWrapper::save(cereal::JSONOutputArchive &out_ar) const
string
PolicyMakerUtils::getPolicyName(const string &policy_path)
{
string policy_name;
if (policy_path.find_last_of("/") != string::npos) {
string policy_name = policy_path.substr(policy_path.find_last_of("/") + 1);
if (policy_name.find(".") != string::npos) return policy_name.substr(0, policy_name.find("."));
return policy_name;
policy_name = policy_path.substr(policy_path.find_last_of("/") + 1);
} else {
policy_name = policy_path;
}
return policy_path;
if (policy_name.find(".") != string::npos) {
return policy_name.substr(0, policy_name.find("."));
}
return policy_name;
}
Maybe<AppsecLinuxPolicy>
@@ -83,6 +85,7 @@ PolicyMakerUtils::clearElementsMaps()
rules_config.clear();
}
// LCOV_EXCL_START Reason: no test exist - needed for NGINX config
bool
PolicyMakerUtils::startsWith(const string &str, const string &prefix)
{
@@ -95,6 +98,7 @@ PolicyMakerUtils::endsWith(const string &str, const string &suffix)
return str.size() >= suffix.size() &&
str.compare(str.size() - suffix.size(), suffix.size(), suffix) == 0;
}
// LCOV_EXCL_STOP
tuple<string, string, string>
PolicyMakerUtils::splitHostName(const string &host_name)
@@ -130,8 +134,10 @@ PolicyMakerUtils::splitHostName(const string &host_name)
}
string
PolicyMakerUtils::dumpPolicyToFile(const PolicyWrapper &policy, const string &policy_path) const
PolicyMakerUtils::dumpPolicyToFile(const PolicyWrapper &policy, const string &policy_path)
{
clearElementsMaps();
stringstream ss;
{
cereal::JSONOutputArchive ar(ss);
@@ -147,6 +153,7 @@ PolicyMakerUtils::dumpPolicyToFile(const PolicyWrapper &policy, const string &po
dbgDebug(D_NGINX_POLICY) << "Error while writing new policy to " << policy_path << ", Error: " << e.what();
return "";
}
return policy_str;
}
@@ -488,6 +495,7 @@ createExceptionSection(
exception_spec.getAction() == "skip" ?
"ignore" :
exception_spec.getAction();
ExceptionBehavior exception_behavior("action", behavior);
InnerException inner_exception(exception_behavior, exception_match);
return inner_exception;
@@ -672,45 +680,55 @@ PolicyMakerUtils::createPolicyElementsByRule(
!rule_annotations[AnnotationTypes::PRACTICE].empty() &&
!web_apps.count(rule_annotations[AnnotationTypes::PRACTICE])
) {
string practice_id = "";
try {
practice_id = to_string(boost::uuids::random_generator()());
} catch (const boost::uuids::entropy_error &e) {
//TBD: return Maybe as part of future error handling
}
tuple<string, string, string> splited_host_name = splitHostName(rule.getHost());
string full_url = rule.getHost() == "*"
? "Any"
: rule.getHost();
RulesConfigRulebase rule_config = createMultiRulesSections(
std::get<0>(splited_host_name),
std::get<2>(splited_host_name),
practice_id,
rule_annotations[AnnotationTypes::PRACTICE],
"WebApplication",
rule_annotations[AnnotationTypes::TRIGGER],
log_triggers[rule_annotations[AnnotationTypes::TRIGGER]].getTriggerId(),
"log",
rule_annotations[AnnotationTypes::WEB_USER_RES],
web_user_res_triggers[rule_annotations[AnnotationTypes::WEB_USER_RES]].getTriggerId(),
"WebUserResponse",
full_url,
rule_annotations[AnnotationTypes::EXCEPTION],
inner_exceptions[rule_annotations[AnnotationTypes::EXCEPTION]].getBehaviorId()
trusted_sources[rule_annotations[AnnotationTypes::TRUSTED_SOURCES]] =
createTrustedSourcesSection(
rule_annotations[AnnotationTypes::TRUSTED_SOURCES],
rule_annotations[AnnotationTypes::SOURCE_IDENTIFIERS],
policy
);
rules_config[rule_config.getAssetName()] = rule_config;
}
if (!rule_annotations[AnnotationTypes::SOURCE_IDENTIFIERS].empty()) {
UsersIdentifiersRulebase user_identifiers = createUserIdentifiers(
rule_annotations[AnnotationTypes::SOURCE_IDENTIFIERS],
policy,
rule_config.getContext()
);
users_identifiers[rule_annotations[AnnotationTypes::SOURCE_IDENTIFIERS]] = user_identifiers;
}
if (!rule_annotations[AnnotationTypes::PRACTICE].empty()) {
string practice_id = "";
try {
practice_id = to_string(boost::uuids::random_generator()());
} catch (const boost::uuids::entropy_error &e) {
//TBD: return Maybe as part of future error handling
}
tuple<string, string, string> splited_host_name = splitHostName(rule.getHost());
string full_url = rule.getHost() == "*"
? "Any"
: rule.getHost();
RulesConfigRulebase rule_config = createMultiRulesSections(
std::get<0>(splited_host_name),
std::get<2>(splited_host_name),
practice_id,
rule_annotations[AnnotationTypes::PRACTICE],
"WebApplication",
rule_annotations[AnnotationTypes::TRIGGER],
log_triggers[rule_annotations[AnnotationTypes::TRIGGER]].getTriggerId(),
"log",
rule_annotations[AnnotationTypes::WEB_USER_RES],
web_user_res_triggers[rule_annotations[AnnotationTypes::WEB_USER_RES]].getTriggerId(),
"WebUserResponse",
full_url,
rule_annotations[AnnotationTypes::EXCEPTION],
inner_exceptions[rule_annotations[AnnotationTypes::EXCEPTION]].getBehaviorId()
);
rules_config[rule_config.getAssetName()] = rule_config;
if (!rule_annotations[AnnotationTypes::SOURCE_IDENTIFIERS].empty()) {
UsersIdentifiersRulebase user_identifiers = createUserIdentifiers(
rule_annotations[AnnotationTypes::SOURCE_IDENTIFIERS],
policy,
rule_config.getContext()
);
users_identifiers[rule_annotations[AnnotationTypes::SOURCE_IDENTIFIERS]] = user_identifiers;
}
if (!web_apps.count(rule_annotations[AnnotationTypes::PRACTICE])) {
WebAppSection web_app = WebAppSection(
full_url == "Any" ? "" : full_url,
rule_config.getAssetId(),
@@ -726,6 +744,7 @@ PolicyMakerUtils::createPolicyElementsByRule(
);
web_apps[rule_annotations[AnnotationTypes::PRACTICE]] = web_app;
}
}
}
void
@@ -739,5 +758,3 @@ PolicyMakerUtils::createPolicyElements(
createPolicyElementsByRule(rule, default_rule, policy, policy_name);
}
}
// LCOV_EXCL_STOP

79
components/security_apps/orchestration/local_policy_mgmt_gen/rules_config_section.cc
View File

@@ -17,7 +17,6 @@ using namespace std;
USE_DEBUG_FLAG(D_LOCAL_POLICY);
// LCOV_EXCL_START Reason: no test exist
AssetUrlParser
AssetUrlParser::parse(const string &uri)
{
@@ -99,18 +98,6 @@ PracticeSection::save(cereal::JSONOutputArchive &out_ar) const
);
}
const string &
PracticeSection::getPracticeId() const
{
return id;
}
const string &
PracticeSection::getPracticeName() const
{
return name;
}
ParametersSection::ParametersSection(
const string &_id,
const string &_name)
@@ -134,12 +121,6 @@ ParametersSection::save(cereal::JSONOutputArchive &out_ar) const
);
}
const string &
ParametersSection::getId() const
{
return id;
}
RulesTriggerSection::RulesTriggerSection(
const string &_name,
const string &_id,
@@ -170,18 +151,6 @@ RulesTriggerSection::save(cereal::JSONOutputArchive &out_ar) const
);
}
const string &
RulesTriggerSection::getId() const
{
return id;
}
const string &
RulesTriggerSection::getName() const
{
return id;
}
RulesConfigRulebase::RulesConfigRulebase(
const string &_name,
const string &_url,
@@ -256,12 +225,6 @@ RulesConfigRulebase::save(cereal::JSONOutputArchive &out_ar) const
);
}
const string &
RulesConfigRulebase::getRuleId() const
{
return id;
}
const string &
RulesConfigRulebase::getContext() const
{
@@ -274,48 +237,12 @@ RulesConfigRulebase::getAssetName() const
return name;
}
const string &
RulesConfigRulebase::getRuleName() const
{
return name;
}
const string &
RulesConfigRulebase::getAssetId() const
{
return id;
}
const string &
RulesConfigRulebase::getPracticeId() const
{
return practices[0].getPracticeId();
}
const string &
RulesConfigRulebase::getPracticeName() const
{
return practices[0].getPracticeName();
}
const vector<PracticeSection> &
RulesConfigRulebase::getPractice() const
{
return practices;
}
const vector<ParametersSection> &
RulesConfigRulebase::getParameters() const
{
return parameters;
}
const vector<RulesTriggerSection> &
RulesConfigRulebase::getTriggers() const
{
return triggers;
}
UsersIdentifier::UsersIdentifier(const string &_source_identifier, vector<string> _identifier_values)
:
source_identifier(_source_identifier),
@@ -334,8 +261,8 @@ UsersIdentifier::save(cereal::JSONOutputArchive &out_ar) const
UsersIdentifiersRulebase::UsersIdentifiersRulebase(
const string &_context,
const string &_source_identifier,
vector<string> _identifier_values,
vector<UsersIdentifier> _source_identifiers)
const vector<string> &_identifier_values,
const vector<UsersIdentifier> &_source_identifiers)
:
context(_context),
source_identifier(_source_identifier),
@@ -422,5 +349,3 @@ RulesConfigWrapper::save(cereal::JSONOutputArchive &out_ar) const
cereal::make_nvp("rulebase", rules_config_rulebase)
);
}
// LCOV_EXCL_STOP

71
components/security_apps/orchestration/local_policy_mgmt_gen/triggers_section.cc
View File

@@ -16,7 +16,11 @@
using namespace std;
USE_DEBUG_FLAG(D_LOCAL_POLICY);
// LCOV_EXCL_START Reason: no test exist
static const set<string> valid_modes = {"block-page", "response-code-only"};
static const set<string> valid_severities = {"high", "critical"};
static const set<string> valid_protocols = {"tcp", "udp"};
static const set<string> valid_formats = {"json", "json-formatted"};
LogTriggerSection::LogTriggerSection(
const string &_name,
@@ -119,12 +123,6 @@ LogTriggerSection::getTriggerName() const
return name;
}
bool
LogTriggerSection::operator<(const LogTriggerSection &other) const
{
return getTriggerName() < other.getTriggerName();
}
WebUserResponseTriggerSection::WebUserResponseTriggerSection(
const string &_name,
const string &_details_level,
@@ -166,24 +164,15 @@ WebUserResponseTriggerSection::getTriggerId() const
return id;
}
const string &
WebUserResponseTriggerSection::getTriggerName() const
{
return name;
}
bool
WebUserResponseTriggerSection::operator<(const WebUserResponseTriggerSection &other) const
{
return getTriggerName() < other.getTriggerName();
}
void
AppSecCustomResponseSpec::load(cereal::JSONInputArchive &archive_in)
{
dbgTrace(D_LOCAL_POLICY) << "Loading AppSec web user response spec";
parseAppsecJSONKey<int>("http-response-code", httpResponseCode, archive_in, 403);
parseAppsecJSONKey<string>("mode", mode, archive_in, "block-page");
if (valid_modes.count(mode) == 0) {
dbgWarning(D_LOCAL_POLICY) << "AppSec web user response mode invalid: " << mode;
}
parseAppsecJSONKey<string>("name", name, archive_in);
if (mode == "block-page") {
parseAppsecJSONKey<string>(
@@ -201,6 +190,12 @@ AppSecCustomResponseSpec::load(cereal::JSONInputArchive &archive_in)
}
}
void
AppSecCustomResponseSpec::setName(const string &_name)
{
name = _name;
}
int
AppSecCustomResponseSpec::getHttpResponseCode() const
{
@@ -248,18 +243,6 @@ AppsecTriggerAccessControlLogging::load(cereal::JSONInputArchive &archive_in)
parseAppsecJSONKey<bool>("drop-events", drop_events, archive_in, false);
}
bool
AppsecTriggerAccessControlLogging::isAllowEvents() const
{
return allow_events;
}
bool
AppsecTriggerAccessControlLogging::isDropEvents() const
{
return drop_events;
}
void
AppsecTriggerAdditionalSuspiciousEventsLogging::load(cereal::JSONInputArchive &archive_in)
{
@@ -267,6 +250,11 @@ AppsecTriggerAdditionalSuspiciousEventsLogging::load(cereal::JSONInputArchive &a
parseAppsecJSONKey<bool>("enabled", enabled, archive_in, true);
parseAppsecJSONKey<bool>("response-body", response_body, archive_in, false);
parseAppsecJSONKey<string>("minimum-severity", minimum_severity, archive_in, "high");
if (valid_severities.count(minimum_severity) == 0) {
dbgWarning(D_LOCAL_POLICY)
<< "AppSec AppSec Trigger - Additional Suspicious Events Logging minimum severity invalid: "
<< minimum_severity;
}
}
bool
@@ -353,6 +341,10 @@ LoggingService::load(cereal::JSONInputArchive &archive_in)
{
parseAppsecJSONKey<string>("address", address, archive_in);
parseAppsecJSONKey<string>("proto", proto, archive_in);
if (valid_protocols.count(proto) == 0) {
dbgWarning(D_LOCAL_POLICY) << "AppSec Logging Service - proto invalid: " << proto;
}
parseAppsecJSONKey<int>("port", port, archive_in, 514);
}
@@ -362,12 +354,6 @@ LoggingService::getAddress() const
return address;
}
const string &
LoggingService::getProto() const
{
return proto;
}
int
LoggingService::getPort() const
{
@@ -379,6 +365,9 @@ void
StdoutLogging::load(cereal::JSONInputArchive &archive_in)
{
parseAppsecJSONKey<string>("format", format, archive_in, "json");
if (valid_formats.count(format) == 0) {
dbgWarning(D_LOCAL_POLICY) << "AppSec Stdout Logging - format invalid: " << format;
}
}
const string &
@@ -488,10 +477,10 @@ AppsecTriggerSpec::load(cereal::JSONInputArchive &archive_in)
parseAppsecJSONKey<string>("name", name, archive_in);
}
const AppsecTriggerAccessControlLogging &
AppsecTriggerSpec::getAppsecTriggerAccessControlLogging() const
void
AppsecTriggerSpec::setName(const string &_name)
{
return access_control_logging;
name = _name;
}
const string &
@@ -531,5 +520,3 @@ TriggersWrapper::save(cereal::JSONOutputArchive &out_ar) const
cereal::make_nvp("rulebase", triggers_rulebase)
);
}
// LCOV_EXCL_STOP

22
components/security_apps/orchestration/local_policy_mgmt_gen/trusted_sources_section.cc
View File

@@ -16,7 +16,8 @@
using namespace std;
USE_DEBUG_FLAG(D_LOCAL_POLICY);
// LCOV_EXCL_START Reason: no test exist
static const set<string> valid_source_identifiers = {"headerkey", "JWTKey", "cookie", "sourceip", "x-forwarded-for"};
void
TrustedSourcesSpec::load(cereal::JSONInputArchive &archive_in)
@@ -27,6 +28,12 @@ TrustedSourcesSpec::load(cereal::JSONInputArchive &archive_in)
parseAppsecJSONKey<string>("name", name, archive_in);
}
void
TrustedSourcesSpec::setName(const string &_name)
{
name = _name;
}
int
TrustedSourcesSpec::getMinNumOfSources() const
{
@@ -63,8 +70,11 @@ SourcesIdentifiers::getSourceIdent() const
void
SourceIdentifierSpec::load(cereal::JSONInputArchive &archive_in)
{
dbgTrace(D_LOCAL_POLICY) << "Loading trusted sources spec";
dbgTrace(D_LOCAL_POLICY) << "Loading source identifiers spec";
parseAppsecJSONKey<string>("sourceIdentifier", source_identifier, archive_in);
if (valid_source_identifiers.count(source_identifier) == 0) {
dbgWarning(D_LOCAL_POLICY) << "AppSec source identifier invalid: " << source_identifier;
}
parseAppsecJSONKey<vector<string>>("value", value, archive_in);
}
@@ -88,6 +98,12 @@ SourceIdentifierSpecWrapper::load(cereal::JSONInputArchive &archive_in)
parseAppsecJSONKey<string>("name", name, archive_in);
}
void
SourceIdentifierSpecWrapper::setName(const string &_name)
{
name = _name;
}
const string &
SourceIdentifierSpecWrapper::getName() const
{
@@ -134,5 +150,3 @@ AppSecTrustedSources::getSourcesIdentifiers() const
{
return sources_identifiers;
}
// LCOV_EXCL_STOP

118
components/security_apps/orchestration/orchestration_comp.cc
View File

@@ -38,6 +38,8 @@
#include "hybrid_mode_telemetry.h"
#include "telemetry.h"
#include "tenant_profile_pair.h"
#include "env_details.h"
#include "hybrid_communication.h"
using namespace std;
using namespace chrono;
@@ -1342,49 +1344,11 @@ private:
<< LogField("agentType", "Orchestration")
<< LogField("agentVersion", Version::get());
auto email = getSettingWithDefault<string>("", "email-address");
if (email == "") {
auto env_email = getenv("user_email");
if (env_email != nullptr) email = env_email;
}
if (email != "") {
dbgInfo(D_ORCHESTRATOR) << "Sending registration data";
Singleton::Consume<I_MainLoop>::by<OrchestrationComp>()->addOneTimeRoutine(
I_MainLoop::RoutineType::Offline,
// LCOV_EXCL_START Reason: to be refactored
[email] ()
{
Report registration_report(
"Local Agent Data",
Singleton::Consume<I_TimeGet>::by<OrchestrationComp>()->getWalltime(),
Type::EVENT,
Level::LOG,
LogLevel::INFO,
Audience::INTERNAL,
AudienceTeam::NONE,
Severity::INFO,
Priority::LOW,
chrono::seconds(0),
LogField("agentId", Singleton::Consume<I_AgentDetails>::by<OrchestrationComp>()->getAgentId()),
Tags::ORCHESTRATOR
);
registration_report << LogField("userDefinedId", email);
LogRest registration_report_rest(registration_report);
Singleton::Consume<I_Messaging>::by<OrchestrationComp>()->sendObjectWithPersistence(
registration_report_rest,
I_Messaging::Method::POST,
"/api/v1/agents/events",
"",
true,
MessageTypeTag::REPORT
);
},
// LCOV_EXCL_STOP
"Send registration data"
);
}
Singleton::Consume<I_MainLoop>::by<OrchestrationComp>()->addOneTimeRoutine(
I_MainLoop::RoutineType::Offline,
sendRegistrationData,
"Send registration data"
);
reportAgentDetailsMetaData();
@@ -1453,6 +1417,72 @@ private:
}
}
static void
sendRegistrationData()
{
dbgInfo(D_ORCHESTRATOR) << "Sending registration data";
set<Tags> tags{ Tags::ORCHESTRATOR };
auto deployment_type = Singleton::Consume<I_EnvDetails>::by<HybridCommunication>()->getEnvType();
switch (deployment_type) {
case EnvType::LINUX: {
tags.insert(Tags::DEPLOYMENT_EMBEDDED);
break;
}
case EnvType::K8S: {
tags.insert(Tags::DEPLOYMENT_K8S);
break;
}
case EnvType::COUNT: {
dbgWarning(D_ORCHESTRATOR) << "Could not identify deployment type";
break;
}
}
string server_name = getAttribute("registered-server", "registered_server");
auto server = TagAndEnumManagement::convertStringToTag(server_name);
if (server.ok()) tags.insert(*server);
Report registration_report(
"Local Agent Data",
Singleton::Consume<I_TimeGet>::by<OrchestrationComp>()->getWalltime(),
Type::EVENT,
Level::LOG,
LogLevel::INFO,
Audience::INTERNAL,
AudienceTeam::NONE,
Severity::INFO,
Priority::LOW,
chrono::seconds(0),
LogField("agentId", Singleton::Consume<I_AgentDetails>::by<OrchestrationComp>()->getAgentId()),
tags
);
auto email = getAttribute("email-address", "user_email");
if (email != "") registration_report << LogField("userDefinedId", email);
LogRest registration_report_rest(registration_report);
Singleton::Consume<I_Messaging>::by<OrchestrationComp>()->sendObjectWithPersistence(
registration_report_rest,
I_Messaging::Method::POST,
"/api/v1/agents/events",
"",
true,
MessageTypeTag::REPORT
);
}
static string
getAttribute(const string &setting, const string &env)
{
auto res = getSetting<string>(setting);
if (res.ok()) return res.unpack();
auto env_res = getenv(env.c_str());
if (env_res != nullptr) return env_res;
return "";
}
// LCOV_EXCL_START Reason: future changes will be done
void
restoreToBackup()
@@ -1672,6 +1702,7 @@ private:
OrchestrationPolicy policy;
HealthCheckStatusListener health_check_status_listener;
HybridModeMetric hybrid_mode_metric;
EnvDetails env_details;
string filesystem_prefix = "";
};
@@ -1728,6 +1759,7 @@ OrchestrationComp::preload()
registerExpectedSetting<string>("agentType");
registerExpectedSetting<string>("upgradeMode");
registerExpectedSetting<string>("email-address");
registerExpectedSetting<string>("registered-server");
registerExpectedConfigFile("orchestration", Config::ConfigFileType::Policy);
registerExpectedConfigFile("registration-data", Config::ConfigFileType::Policy);
}

4
components/security_apps/orchestration/orchestration_ut/CMakeLists.txt
View File

@@ -5,11 +5,11 @@ link_directories(${BOOST_ROOT}/lib)
add_unit_test(
orchestration_ut
"orchestration_ut.cc"
"orchestration;rest;manifest_controller;service_controller;orchestration_downloader;agent_details;package_handler;orchestration_modules;orchestration_tools;environment;config;logging;version;shell_cmd;message;update_communication;agent_details_reporter;connkey;encryptor;metric;ip_utilities;event_is;-lcrypto;-lboost_filesystem;-lboost_regex;-lssl"
"orchestration;rest;manifest_controller;service_controller;orchestration_downloader;agent_details;package_handler;orchestration_modules;orchestration_tools;env_details;environment;config;logging;version;shell_cmd;message;update_communication;agent_details_reporter;connkey;encryptor;metric;ip_utilities;event_is;-lcrypto;-lboost_filesystem;-lboost_regex;-lssl"
)
add_unit_test(
orchestration_multitenant_ut
"orchestration_multitenant_ut.cc"
"orchestration;rest;manifest_controller;service_controller;orchestration_downloader;agent_details;package_handler;orchestration_modules;orchestration_tools;environment;config;logging;version;shell_cmd;message;update_communication;agent_details_reporter;connkey;encryptor;metric;ip_utilities;event_is;-lcrypto;-lboost_filesystem;-lboost_regex;-lssl;curl"
"orchestration;rest;manifest_controller;service_controller;orchestration_downloader;agent_details;package_handler;orchestration_modules;orchestration_tools;env_details;environment;config;logging;version;shell_cmd;message;update_communication;agent_details_reporter;connkey;encryptor;metric;ip_utilities;event_is;-lcrypto;-lboost_filesystem;-lboost_regex;-lssl;curl"
)

4
components/security_apps/orchestration/orchestration_ut/orchestration_multitenant_ut.cc
View File

@@ -44,6 +44,10 @@ public:
mock_ml,
addOneTimeRoutine(I_MainLoop::RoutineType::System, _, "Configuration update registration", false)
).WillOnce(Return(0));
EXPECT_CALL(
mock_ml,
addOneTimeRoutine(I_MainLoop::RoutineType::Offline, _, "Send registration data", false)
).WillRepeatedly(Return(0));
config_comp.preload();
config_comp.init();

69
components/security_apps/orchestration/orchestration_ut/orchestration_ut.cc
View File

@@ -84,7 +84,6 @@ public:
mockRestCall(RestAction::SET, "agent-uninstall", _)
).WillOnce(WithArg<2>(Invoke(this, &OrchestrationTest::restHandlerAgentUninstall)));
string message_body;
EXPECT_CALL(mock_message, mockSendPersistentMessage(
false,
_,
@@ -221,6 +220,11 @@ public:
void
runRoutine()
{
EXPECT_CALL(
mock_ml,
addOneTimeRoutine(I_MainLoop::RoutineType::Offline, _, "Send registration data", false)
).WillOnce(DoAll(SaveArg<1>(&sending_routine), Return(1)));
routine();
}
@@ -288,6 +292,8 @@ public:
NiceMock<MockTenantManager> tenant_manager;
OrchestrationComp orchestration_comp;
AgentDetails agent_details;
I_MainLoop::Routine sending_routine;
string message_body;
private:
bool
@@ -466,15 +472,74 @@ TEST_F(OrchestrationTest, registertion_data_config)
string config_json =
"{\n"
" \"email-address\": \"fake@example.com\"\n"
" \"email-address\": \"fake@example.com\",\n"
" \"registered-server\": \"NGINX Server\"\n"
"}";
istringstream ss(config_json);
Singleton::Consume<Config::I_Config>::from(config_comp)->loadConfiguration(ss);
EXPECT_THAT(getSetting<string>("email-address"), IsValue("fake@example.com"));
EXPECT_THAT(getSetting<string>("registered-server"), IsValue("NGINX Server"));
env.fini();
}
TEST_F(OrchestrationTest, check_sending_registration_data)
{
EXPECT_CALL(rest, mockRestCall(_, _, _)).WillRepeatedly(Return(true));
preload();
env.init();
init();
EXPECT_CALL(mock_orchestration_tools, doesFileExist(_)).WillOnce(Return(false));
Maybe<string> response(
string(
"{\n"
" \"fog-address\": \"" + host_url + "\",\n"
" \"agent-type\": \"test\",\n"
" \"pulling-interval\": 25,\n"
" \"error-pulling-interval\": 15\n"
"}"
)
);
EXPECT_CALL(mock_orchestration_tools, readFile(_)).WillOnce(Return(response));
EXPECT_CALL(mock_service_controller, updateServiceConfiguration(_, _, _, _, _, _)).WillOnce(Return(true));
EXPECT_CALL(mock_message, setActiveFog(_, _, _, _)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, calculateChecksum(_, _)).WillRepeatedly(Return(string()));
EXPECT_CALL(mock_service_controller, getPolicyVersion()).WillRepeatedly(ReturnRef(first_policy_version));
EXPECT_CALL(mock_shell_cmd, getExecOutput(_, _, _)).WillRepeatedly(Return(string()));
EXPECT_CALL(mock_update_communication, authenticateAgent()).WillOnce(Return(Maybe<void>()));
EXPECT_CALL(mock_update_communication, setAddressExtenesion(_));
EXPECT_CALL(mock_status, setFogAddress(_));
EXPECT_CALL(mock_manifest_controller, loadAfterSelfUpdate()).WillOnce(Return(false));
expectDetailsResolver();
EXPECT_CALL(mock_update_communication, getUpdate(_));
EXPECT_CALL(mock_status, setLastUpdateAttempt());
EXPECT_CALL(mock_status, setFieldStatus(_, _, _));
EXPECT_CALL(mock_status, setIsConfigurationUpdated(_));
EXPECT_CALL(mock_ml, yield(A<chrono::microseconds>()))
.WillOnce(Return())
.WillOnce(Invoke([] (chrono::microseconds) { throw invalid_argument("stop while loop"); }));
try {
runRoutine();
} catch (const invalid_argument& e) {}
string config_json =
"{\n"
" \"email-address\": \"fake@example.com\",\n"
" \"registered-server\": \"NGINX Server\"\n"
"}";
istringstream ss(config_json);
Singleton::Consume<Config::I_Config>::from(config_comp)->loadConfiguration(ss);
sending_routine();
EXPECT_THAT(message_body, HasSubstr("\"userDefinedId\": \"fake@example.com\""));
EXPECT_THAT(message_body, AnyOf(HasSubstr("\"Embedded Deployment\""), HasSubstr("\"Kubernetes Deployment\"")));
EXPECT_THAT(message_body, HasSubstr("\"NGINX Server\""));
}
TEST_F(OrchestrationTest, orchestrationPolicyUpdate)
{
waitForRestCall();

12
components/security_apps/orchestration/update_communication/declarative_policy_utils.cc
View File

@@ -35,8 +35,8 @@ DeclarativePolicyUtils::upon(const ApplyPolicyEvent &)
bool
DeclarativePolicyUtils::shouldApplyPolicy()
{
auto env_type = Singleton::Consume<I_LocalPolicyMgmtGen>::by<DeclarativePolicyUtils>()->getEnvType();
return env_type == I_LocalPolicyMgmtGen::LocalPolicyEnv::K8S ? true : should_apply_policy;
auto env_type = Singleton::Consume<I_EnvDetails>::by<DeclarativePolicyUtils>()->getEnvType();
return env_type == EnvType::K8S ? true : should_apply_policy;
}
void
@@ -49,8 +49,8 @@ Maybe<string>
DeclarativePolicyUtils::getLocalPolicyChecksum()
{
I_OrchestrationTools *orchestration_tools = Singleton::Consume<I_OrchestrationTools>::by<DeclarativePolicyUtils>();
auto env_type = Singleton::Consume<I_LocalPolicyMgmtGen>::by<DeclarativePolicyUtils>()->getEnvType();
if (env_type == I_LocalPolicyMgmtGen::LocalPolicyEnv::K8S) {
auto env_type = Singleton::Consume<I_EnvDetails>::by<DeclarativePolicyUtils>()->getEnvType();
if (env_type == EnvType::K8S) {
return orchestration_tools->readFile("/etc/cp/conf/k8s-policy-check.trigger");
}
@@ -121,8 +121,8 @@ DeclarativePolicyUtils::sendUpdatesToFog(
+ " --access_token " + access_token
+ " --tenant_id " + tenant_id
+ " --profile_id " + profile_id;
auto env = Singleton::Consume<I_LocalPolicyMgmtGen>::by<DeclarativePolicyUtils>()->getEnvType();
if (env == I_LocalPolicyMgmtGen::LocalPolicyEnv::K8S) {
auto env = Singleton::Consume<I_EnvDetails>::by<DeclarativePolicyUtils>()->getEnvType();
if (env == EnvType::K8S) {
exec_command =
getFilesystemPathConfig()
+ "/scripts/open-appsec-cloud-mgmt-k8s"

4
components/security_apps/orchestration/update_communication/hybrid_communication.cc
View File

@@ -78,8 +78,8 @@ HybridCommunication::getUpdate(CheckUpdateRequest &request)
string policy_response = declarative_policy_utils.getUpdate(request);
auto env = Singleton::Consume<I_LocalPolicyMgmtGen>::by<HybridCommunication>()->getEnvType();
if (env == I_LocalPolicyMgmtGen::LocalPolicyEnv::K8S && !policy_response.empty()) {
auto env = Singleton::Consume<I_EnvDetails>::by<HybridCommunication>()->getEnvType();
if (env == EnvType::K8S && !policy_response.empty()) {
dbgDebug(D_ORCHESTRATOR) << "Policy has changes, sending notification to tuning host";
I_AgentDetails *agentDetails = Singleton::Consume<I_AgentDetails>::by<HybridCommunication>();
I_Messaging *messaging = Singleton::Consume<I_Messaging>::by<HybridCommunication>();