From 433c7c2d9112a10d166e28b6584001cea4187f38 Mon Sep 17 00:00:00 2001 
From: Ned Wright Date: Thu, 28 Sep 2023 13:11:47 +0000 Subject: [PATCH] Remove old files --- .../local_policy_mgmt_gen/CMakeLists.txt | 3 - .../access_control_practice.cc | 245 --- .../appsec_practice_section.cc | 691 -------- .../exceptions_section.cc | 293 ---- .../include/access_control_practice.h | 192 --- .../include/appsec_practice_section.h | 466 ------ .../include/exceptions_section.h | 154 -- .../include/ingress_data.h | 125 -- .../include/k8s_policy_common.h | 106 -- .../include/k8s_policy_utils.h | 111 -- .../include/local_policy_common.h | 144 -- .../include/namespace_data.h | 35 - .../include/new_appsec_linux_policy.h | 84 - .../include/new_appsec_policy_crd_parser.h | 82 - .../include/new_custom_response.h | 51 - .../include/new_exceptions.h | 67 - .../include/new_log_trigger.h | 172 -- .../include/new_practice.h | 395 ----- .../include/new_trusted_sources.h | 74 - .../include/policy_maker_utils.h | 246 --- .../include/rules_config_section.h | 190 --- .../include/settings_section.h | 68 - .../include/snort_section.h | 50 - .../include/triggers_section.h | 305 ---- .../include/trusted_sources_section.h | 108 -- .../local_policy_mgmt_gen/ingress_data.cc | 149 -- .../local_policy_mgmt_gen/k8s_policy_utils.cc | 573 ------- .../local_policy_mgmt_gen.cc | 158 -- .../local_policy_mgmt_gen/namespace_data.cc | 97 -- .../new_appsec_linux_policy.cc | 72 - .../new_appsec_policy_crd_parser.cc | 154 -- .../new_custom_response.cc | 99 -- .../local_policy_mgmt_gen/new_exceptions.cc | 187 --- .../local_policy_mgmt_gen/new_log_trigger.cc | 321 ---- .../local_policy_mgmt_gen/new_practice.cc | 751 --------- .../new_trusted_sources.cc | 118 -- .../policy_maker_utils.cc | 1486 ----------------- .../rules_config_section.cc | 367 ---- .../local_policy_mgmt_gen/settings_section.cc | 87 - .../local_policy_mgmt_gen/snort_section.cc | 54 - .../local_policy_mgmt_gen/triggers_section.cc | 535 ------ .../trusted_sources_section.cc | 152 -- 42 files changed, 9817 deletions(-) delete 
mode 100644 components/security_apps/orchestration/local_policy_mgmt_gen/CMakeLists.txt delete mode 100644 components/security_apps/orchestration/local_policy_mgmt_gen/access_control_practice.cc delete mode 100644 components/security_apps/orchestration/local_policy_mgmt_gen/appsec_practice_section.cc delete mode 100644 components/security_apps/orchestration/local_policy_mgmt_gen/exceptions_section.cc delete mode 100644 components/security_apps/orchestration/local_policy_mgmt_gen/include/access_control_practice.h delete mode 100644 components/security_apps/orchestration/local_policy_mgmt_gen/include/appsec_practice_section.h delete mode 100644 components/security_apps/orchestration/local_policy_mgmt_gen/include/exceptions_section.h delete mode 100644 components/security_apps/orchestration/local_policy_mgmt_gen/include/ingress_data.h delete mode 100644 components/security_apps/orchestration/local_policy_mgmt_gen/include/k8s_policy_common.h delete mode 100644 components/security_apps/orchestration/local_policy_mgmt_gen/include/k8s_policy_utils.h delete mode 100644 components/security_apps/orchestration/local_policy_mgmt_gen/include/local_policy_common.h delete mode 100644 components/security_apps/orchestration/local_policy_mgmt_gen/include/namespace_data.h delete mode 100644 components/security_apps/orchestration/local_policy_mgmt_gen/include/new_appsec_linux_policy.h delete mode 100644 components/security_apps/orchestration/local_policy_mgmt_gen/include/new_appsec_policy_crd_parser.h delete mode 100644 components/security_apps/orchestration/local_policy_mgmt_gen/include/new_custom_response.h delete mode 100644 components/security_apps/orchestration/local_policy_mgmt_gen/include/new_exceptions.h delete mode 100644 components/security_apps/orchestration/local_policy_mgmt_gen/include/new_log_trigger.h delete mode 100644 components/security_apps/orchestration/local_policy_mgmt_gen/include/new_practice.h delete mode 100644 
components/security_apps/orchestration/local_policy_mgmt_gen/include/new_trusted_sources.h delete mode 100644 components/security_apps/orchestration/local_policy_mgmt_gen/include/policy_maker_utils.h delete mode 100644 components/security_apps/orchestration/local_policy_mgmt_gen/include/rules_config_section.h delete mode 100644 components/security_apps/orchestration/local_policy_mgmt_gen/include/settings_section.h delete mode 100644 components/security_apps/orchestration/local_policy_mgmt_gen/include/snort_section.h delete mode 100644 components/security_apps/orchestration/local_policy_mgmt_gen/include/triggers_section.h delete mode 100755 components/security_apps/orchestration/local_policy_mgmt_gen/include/trusted_sources_section.h delete mode 100644 components/security_apps/orchestration/local_policy_mgmt_gen/ingress_data.cc delete mode 100644 components/security_apps/orchestration/local_policy_mgmt_gen/k8s_policy_utils.cc delete mode 100644 components/security_apps/orchestration/local_policy_mgmt_gen/local_policy_mgmt_gen.cc delete mode 100644 components/security_apps/orchestration/local_policy_mgmt_gen/namespace_data.cc delete mode 100644 components/security_apps/orchestration/local_policy_mgmt_gen/new_appsec_linux_policy.cc delete mode 100644 components/security_apps/orchestration/local_policy_mgmt_gen/new_appsec_policy_crd_parser.cc delete mode 100644 components/security_apps/orchestration/local_policy_mgmt_gen/new_custom_response.cc delete mode 100644 components/security_apps/orchestration/local_policy_mgmt_gen/new_exceptions.cc delete mode 100644 components/security_apps/orchestration/local_policy_mgmt_gen/new_log_trigger.cc delete mode 100644 components/security_apps/orchestration/local_policy_mgmt_gen/new_practice.cc delete mode 100644 components/security_apps/orchestration/local_policy_mgmt_gen/new_trusted_sources.cc delete mode 100644 components/security_apps/orchestration/local_policy_mgmt_gen/policy_maker_utils.cc delete mode 100644 
components/security_apps/orchestration/local_policy_mgmt_gen/rules_config_section.cc
delete mode 100644 components/security_apps/orchestration/local_policy_mgmt_gen/settings_section.cc
delete mode 100644 components/security_apps/orchestration/local_policy_mgmt_gen/snort_section.cc
delete mode 100644 components/security_apps/orchestration/local_policy_mgmt_gen/triggers_section.cc
delete mode 100644 components/security_apps/orchestration/local_policy_mgmt_gen/trusted_sources_section.cc
diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/CMakeLists.txt b/components/security_apps/orchestration/local_policy_mgmt_gen/CMakeLists.txt
deleted file mode 100644
index 08b99a7..0000000
--- a/components/security_apps/orchestration/local_policy_mgmt_gen/CMakeLists.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-include_directories(include)
-
-add_library(local_policy_mgmt_gen appsec_practice_section.cc exceptions_section.cc ingress_data.cc local_policy_mgmt_gen.cc policy_maker_utils.cc rules_config_section.cc settings_section.cc snort_section.cc triggers_section.cc trusted_sources_section.cc k8s_policy_utils.cc namespace_data.cc new_appsec_linux_policy.cc new_appsec_policy_crd_parser.cc new_custom_response.cc new_exceptions.cc new_log_trigger.cc new_practice.cc new_trusted_sources.cc access_control_practice.cc)
diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/access_control_practice.cc b/components/security_apps/orchestration/local_policy_mgmt_gen/access_control_practice.cc
deleted file mode 100644
index 329a4b6..0000000
--- a/components/security_apps/orchestration/local_policy_mgmt_gen/access_control_practice.cc
+++ /dev/null
@@ -1,245 +0,0 @@ -// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. - -// Licensed under the Apache License, Version 2.0 (the "License"); -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -#include "access_control_practice.h" - -using namespace std; - -USE_DEBUG_FLAG(D_LOCAL_POLICY); -// LCOV_EXCL_START Reason: no test exist - -static const set valid_modes = {"prevent", "detect", "inactive"}; -static const set valid_units = {"minute", "second"}; - -static const std::unordered_map key_to_mode_val = { - { "prevent-learn", "Prevent"}, - { "detect-learn", "Detect"}, - { "prevent", "Prevent"}, - { "detect", "Detect"}, - { "inactive", "Inactive"} -}; - -static const std::unordered_map key_to_units_val = { - { "second", "Second"}, - { "minute", "Minute"} -}; - -void -RateLimitRulesTriggerSection::save(cereal::JSONOutputArchive &out_ar) const -{ - out_ar( - cereal::make_nvp("id", id), - cereal::make_nvp("name", name), - cereal::make_nvp("type", type) - ); -} - -const string & -RateLimitRulesTriggerSection::getName() const -{ - return name; -} - -void -RateLimitRulesSection::save(cereal::JSONOutputArchive &out_ar) const -{ - out_ar( - cereal::make_nvp("id", id), - cereal::make_nvp("URI", uri), - cereal::make_nvp("scope", key_to_units_val.at(scope)), - cereal::make_nvp("triggers", triggers), - cereal::make_nvp("limit", limit) - ); -} - -RateLimitSection::RateLimitSection( - const string &asset_name, - const string &url, - const string &uri, - const std::string &_mode, - const std::string &_practice_id, - const std::string &_name, - const std::vector &_rules) - : - 
mode(_mode), - practice_id(_practice_id), - name(_name), - rules(_rules) -{ - bool any = asset_name == "Any" && url == "Any" && uri == "Any"; - string asset_id = any ? "Any" : url+uri; - context = "assetId(" + asset_id + ")"; -} - -void -RateLimitSection::save(cereal::JSONOutputArchive &out_ar) const -{ - out_ar( - cereal::make_nvp("context", context), - cereal::make_nvp("mode", key_to_mode_val.at(mode)), - cereal::make_nvp("practiceId", practice_id), - cereal::make_nvp("name", name), - cereal::make_nvp("rules", rules) - ); -} - -const string & -RateLimitSection::getId() const -{ - return practice_id; -} - -const string & -RateLimitSection::getName() const -{ - return name; -} - -const string & -RateLimitSection::getMode() const -{ - return mode; -} - -void -AccessControlRulebaseSection::save(cereal::JSONOutputArchive &out_ar) const -{ - vector empty; - out_ar( - cereal::make_nvp("accessControl", empty), - cereal::make_nvp("traditionalFirewall", empty), - cereal::make_nvp("l4firewall", empty), - cereal::make_nvp("rateLimit", rate_limit) - ); -} - -void -AccessControlRulebaseWrapper::save(cereal::JSONOutputArchive &out_ar) const -{ - out_ar( - cereal::make_nvp("rulebase", rule_base) - ); -} - -void -AccessControlRateLimiteRules::load(cereal::JSONInputArchive &archive_in) -{ - dbgTrace(D_LOCAL_POLICY) << "Loading Access control rate limite rules"; - parseAppsecJSONKey("limit", limit, archive_in); - parseAppsecJSONKey("uri", uri, archive_in); - parseAppsecJSONKey("unit", unit, archive_in); - if (valid_units.count(unit) == 0) { - dbgWarning(D_LOCAL_POLICY) - << "Access control rate limite rules units invalid: " - << unit; - } - parseAppsecJSONKey("comment", comment, archive_in); - parseAppsecJSONKey>("triggers", triggers, archive_in); -} - -const vector -AccessControlRateLimiteRules::getTriggers() const -{ - return triggers; -} - -RateLimitRulesSection -AccessControlRateLimiteRules::createRateLimitRulesSection(const RateLimitRulesTriggerSection &trigger) const -{ - 
string id = ""; - try { - id = to_string(boost::uuids::random_generator()()); - } catch (const boost::uuids::entropy_error &e) { - dbgWarning(D_LOCAL_POLICY) << "Failed to create random id"; - } - vector triggers_section; - string trigger_name = trigger.getName().substr(trigger.getName().find("/") + 1); - if (find(triggers.begin(), triggers.end(), trigger_name) != triggers.end()) { - triggers_section.push_back(trigger); - } - return RateLimitRulesSection( - limit, - id, - uri, - unit, - triggers_section - ); -} - -void -AccessControlRateLimit::load(cereal::JSONInputArchive &archive_in) -{ - dbgTrace(D_LOCAL_POLICY) << "Loading Access control rate limit"; - parseAppsecJSONKey("overrideMode", mode, archive_in, "Inactive"); - if (valid_modes.count(mode) == 0) { - dbgWarning(D_LOCAL_POLICY) << "AppSec access control rate limit override mode invalid: " << mode; - } - parseAppsecJSONKey>("rules", rules, archive_in); -} - -vector -AccessControlRateLimit::createRateLimitRulesSection(const RateLimitRulesTriggerSection &trigger) const -{ - vector rules_section; - for (const AccessControlRateLimiteRules &rule : rules) { - rules_section.push_back(rule.createRateLimitRulesSection(trigger)); - } - return rules_section; -} - -const vector & -AccessControlRateLimit::getRules() const -{ - return rules; -} - -const string & -AccessControlRateLimit::getMode() const -{ - return mode; -} - -void -AccessControlPracticeSpec::load(cereal::JSONInputArchive &archive_in) -{ - dbgTrace(D_LOCAL_POLICY) << "Loading AppSec practice spec"; - - parseAppsecJSONKey("name", practice_name, archive_in); - parseAppsecJSONKey("appsecClassName", appsec_class_name, archive_in); - parseAppsecJSONKey("rateLimit", rate_limit, archive_in); -} - -void -AccessControlPracticeSpec::setName(const string &_name) -{ - practice_name = _name; -} - -const AccessControlRateLimit & -AccessControlPracticeSpec::geRateLimit() const -{ - return rate_limit; -} - -const string & -AccessControlPracticeSpec::getAppSecClassName() 
const
-{
- return appsec_class_name;
-}
-
-const string &
-AccessControlPracticeSpec::getName() const
-{
- return practice_name;
-}
-// LCOV_EXCL_STOP
diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/appsec_practice_section.cc b/components/security_apps/orchestration/local_policy_mgmt_gen/appsec_practice_section.cc
deleted file mode 100644
index 043e168..0000000
--- a/components/security_apps/orchestration/local_policy_mgmt_gen/appsec_practice_section.cc
+++ /dev/null
@@ -1,691 +0,0 @@ -// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. - -// Licensed under the Apache License, Version 2.0 (the "License"); -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -#include "appsec_practice_section.h" - -using namespace std; - -USE_DEBUG_FLAG(D_LOCAL_POLICY); -// LCOV_EXCL_START Reason: no test exist - -static const set valid_modes = {"prevent-learn", "detect-learn", "prevent", "detect", "inactive"}; -static const set valid_confidences = {"medium", "high", "critical"}; - -void -AppSecWebBotsURI::load(cereal::JSONInputArchive &archive_in) -{ - dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Web Bots URI"; - parseAppsecJSONKey("uri", uri, archive_in); -} - -const string & -AppSecWebBotsURI::getURI() const -{ - return uri; -} - -std::vector -AppSecPracticeAntiBot::getIjectedUris() const -{ - vector injected; - for (const AppSecWebBotsURI &uri : injected_uris) { - injected.push_back(uri.getURI()); - } - return injected; -} - -std::vector -AppSecPracticeAntiBot::getValidatedUris() const -{ - vector validated; - for (const AppSecWebBotsURI &uri : validated_uris) { - validated.push_back(uri.getURI()); - } - return validated; -} - -void -AppSecPracticeAntiBot::load(cereal::JSONInputArchive &archive_in) -{ - dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Web Bots"; - parseAppsecJSONKey>("injected-URIs", injected_uris, archive_in); - parseAppsecJSONKey>("validated-URIs", validated_uris, archive_in); - parseAppsecJSONKey("override-mode", override_mode, archive_in, "Inactive"); - if (valid_modes.count(override_mode) == 0) { - dbgWarning(D_LOCAL_POLICY) << 
"AppSec Web Bots override mode invalid: " << override_mode; - } -} - -void -AppSecPracticeAntiBot::save(cereal::JSONOutputArchive &out_ar) const -{ - vector injected; - vector validated; - for (const AppSecWebBotsURI &uri : injected_uris) injected.push_back(uri.getURI()); - for (const AppSecWebBotsURI &uri : validated_uris) validated.push_back(uri.getURI()); - out_ar( - cereal::make_nvp("injected", injected), - cereal::make_nvp("validated", validated) - ); -} - -void -AppSecWebAttackProtections::load(cereal::JSONInputArchive &archive_in) -{ - dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Web Attack Protections"; - parseAppsecJSONKey("csrf-enabled", csrf_protection, archive_in, "inactive"); - parseAppsecJSONKey("error-disclosure-enabled", error_disclosure, archive_in, "inactive"); - parseAppsecJSONKey("open-redirect-enabled", open_redirect, archive_in, "inactive"); - parseAppsecJSONKey("non-valid-http-methods", non_valid_http_methods, archive_in, false); -} - -const string -AppSecWebAttackProtections::getCsrfProtectionMode() const -{ - if (key_to_practices_val.find(csrf_protection) == key_to_practices_val.end()) { - dbgError(D_LOCAL_POLICY) - << "Failed to find a value for " - << csrf_protection - << ". Setting CSRF protection to Inactive"; - return "Inactive"; - } - return key_to_practices_val.at(csrf_protection); -} - -const string & -AppSecWebAttackProtections::getErrorDisclosureMode() const -{ - return error_disclosure; -} - -bool -AppSecWebAttackProtections::getNonValidHttpMethods() const -{ - return non_valid_http_methods; -} - -const string -AppSecWebAttackProtections::getOpenRedirectMode() const -{ - if (key_to_practices_val.find(open_redirect) == key_to_practices_val.end()) { - dbgError(D_LOCAL_POLICY) - << "Failed to find a value for " - << open_redirect - << ". 
Setting Open Redirect mode to Inactive"; - return "Inactive"; - } - return key_to_practices_val.at(open_redirect); -} - -void -AppSecPracticeWebAttacks::load(cereal::JSONInputArchive &archive_in) -{ - dbgTrace(D_LOCAL_POLICY) << "Loading AppSec practice spec"; - parseAppsecJSONKey("protections", protections, archive_in); - parseAppsecJSONKey("override-mode", mode, archive_in, "Unset"); - if (valid_modes.count(mode) == 0) { - dbgWarning(D_LOCAL_POLICY) << "AppSec practice override mode invalid: " << mode; - } - - if (getMode() == "Prevent") { - parseAppsecJSONKey("minimum-confidence", minimum_confidence, archive_in, "critical"); - if (valid_confidences.count(minimum_confidence) == 0) { - dbgWarning(D_LOCAL_POLICY) - << "AppSec practice override minimum confidence invalid: " - << minimum_confidence; - } - } else { - minimum_confidence = "Transparent"; - } - parseAppsecJSONKey("max-body-size-kb", max_body_size_kb, archive_in, 1000000); - parseAppsecJSONKey("max-header-size-bytes", max_header_size_bytes, archive_in, 102400); - parseAppsecJSONKey("max-object-depth", max_object_depth, archive_in, 40); - parseAppsecJSONKey("max-url-size-bytes", max_url_size_bytes, archive_in, 32768); -} - -int -AppSecPracticeWebAttacks::getMaxBodySizeKb() const -{ - return max_body_size_kb; -} - -int -AppSecPracticeWebAttacks::getMaxHeaderSizeBytes() const -{ - return max_header_size_bytes; -} - -int -AppSecPracticeWebAttacks::getMaxObjectDepth() const -{ - return max_object_depth; -} - -int -AppSecPracticeWebAttacks::getMaxUrlSizeBytes() const -{ - return max_url_size_bytes; -} - -const string & -AppSecPracticeWebAttacks::getMinimumConfidence() const -{ - return minimum_confidence; -} - -const string & -AppSecPracticeWebAttacks::getMode(const string &default_mode) const -{ - if (mode == "Unset" || (key_to_practices_val.find(mode) == key_to_practices_val.end())) { - dbgError(D_LOCAL_POLICY) << "Couldn't find a value for key: " << mode << ". 
Returning " << default_mode; - return default_mode; - } - return key_to_practices_val.at(mode); -} - -void -AppSecPracticeSnortSignatures::load(cereal::JSONInputArchive &archive_in) -{ - dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Snort Signatures practice"; - parseAppsecJSONKey("override-mode", override_mode, archive_in, "Inactive"); - parseAppsecJSONKey>("configmap", config_map, archive_in); - if (valid_modes.count(override_mode) == 0) { - dbgWarning(D_LOCAL_POLICY) << "AppSec Snort Signatures override mode invalid: " << override_mode; - } -} - -const string & -AppSecPracticeSnortSignatures::getOverrideMode() const -{ - return override_mode; -} - -const vector & -AppSecPracticeSnortSignatures::getConfigMap() const -{ - return config_map; -} - -void -AppSecPracticeOpenSchemaAPI::load(cereal::JSONInputArchive &archive_in) -{ - dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Practice OpenSchemaAPI practice"; - parseAppsecJSONKey>("configmap", config_map, archive_in); - parseAppsecJSONKey("override-mode", override_mode, archive_in, "Inactive"); - if (valid_modes.count(override_mode) == 0) { - dbgWarning(D_LOCAL_POLICY) << "AppSec Open Schema API override mode invalid: " << override_mode; - } -} - -const string & -AppSecPracticeOpenSchemaAPI::getOverrideMode() const -{ - return override_mode; -} - -const vector & -AppSecPracticeOpenSchemaAPI::getConfigMap() const -{ - return config_map; -} -// LCOV_EXCL_STOP -void -AppSecPracticeSpec::load(cereal::JSONInputArchive &archive_in) -{ - dbgTrace(D_LOCAL_POLICY) << "Loading AppSec practice spec"; - parseAppsecJSONKey( - "openapi-schema-validation", - openapi_schema_validation, - archive_in - ); - parseAppsecJSONKey("snort-signatures", snort_signatures, archive_in); - parseAppsecJSONKey("web-attacks", web_attacks, archive_in); - parseAppsecJSONKey("anti-bot", anti_bot, archive_in); - parseAppsecJSONKey("name", practice_name, archive_in); -} - -void -AppSecPracticeSpec::setName(const string &_name) -{ - practice_name = _name; -} 
- -// LCOV_EXCL_START Reason: no test exist -const AppSecPracticeOpenSchemaAPI & -AppSecPracticeSpec::getOpenSchemaValidation() const -{ - return openapi_schema_validation; -} - -const AppSecPracticeSnortSignatures & -AppSecPracticeSpec::getSnortSignatures() const -{ - return snort_signatures; -} -// LCOV_EXCL_STOP - -const AppSecPracticeWebAttacks & -AppSecPracticeSpec::getWebAttacks() const -{ - return web_attacks; -} - -const AppSecPracticeAntiBot & -AppSecPracticeSpec::getAntiBot() const -{ - return anti_bot; -} - -const string & -AppSecPracticeSpec::getName() const -{ - return practice_name; -} - -void -PracticeAdvancedConfig::save(cereal::JSONOutputArchive &out_ar) const -{ - out_ar( - cereal::make_nvp("httpHeaderMaxSize", http_header_max_size), - cereal::make_nvp("httpIllegalMethodsAllowed", http_illegal_methods_allowed), - cereal::make_nvp("httpRequestBodyMaxSize", http_request_body_max_size), - cereal::make_nvp("jsonMaxObjectDepth", json_max_object_depth), - cereal::make_nvp("urlMaxSize", url_max_size) - ); -} - -void -TriggersInWaapSection::save(cereal::JSONOutputArchive &out_ar) const -{ - out_ar( - cereal::make_nvp("$triggerType", trigger_type), - cereal::make_nvp("id", id), - cereal::make_nvp("name", name), - cereal::make_nvp("log", log) - ); -} - -AppSecOverride::AppSecOverride(const SourcesIdentifiers &parsed_trusted_sources) -{ - string source_ident = parsed_trusted_sources.getSourceIdent(); - map behavior = {{"httpSourceId", source_ident}}; - parsed_behavior.push_back(behavior); - parsed_match = {{"operator", "BASIC"}, {"tag", "sourceip"}, {"value", "0.0.0.0/0"}}; -} - -void -AppSecOverride::save(cereal::JSONOutputArchive &out_ar) const -{ - string parameter_type = "TrustedSource"; - out_ar( - cereal::make_nvp("parsedBehavior", parsed_behavior), - cereal::make_nvp("parsedMatch", parsed_match) - ); -} - -void -AppsecPracticeAntiBotSection::save(cereal::JSONOutputArchive &out_ar) const -{ - out_ar( - cereal::make_nvp("injected", injected_uris), - 
cereal::make_nvp("validated", validated_uris) - ); -} - -// LCOV_EXCL_START Reason: no test exist -WebAppSection::WebAppSection( - const string &_application_urls, - const string &_asset_id, - const string &_asset_name, - const string &_rule_id, - const string &_rule_name, - const string &_practice_id, - const string &_practice_name, - const string &_context, - const AppSecPracticeSpec &parsed_appsec_spec, - const LogTriggerSection &parsed_log_trigger, - const string &default_mode, - const AppSecTrustedSources &parsed_trusted_sources) - : - application_urls(_application_urls), - asset_id(_asset_id), - asset_name(_asset_name), - rule_id(_rule_id), - rule_name(_rule_name), - practice_id(_practice_id), - practice_name(_practice_name), - context(_context), - web_attack_mitigation_severity(parsed_appsec_spec.getWebAttacks().getMinimumConfidence()), - web_attack_mitigation_mode(parsed_appsec_spec.getWebAttacks().getMode(default_mode)), - practice_advanced_config(parsed_appsec_spec), - anti_bots(parsed_appsec_spec.getAntiBot()), - trusted_sources({parsed_trusted_sources}) -{ - web_attack_mitigation = true; - web_attack_mitigation_action = - web_attack_mitigation_severity == "critical" ? "low" : - web_attack_mitigation_severity == "high" ? "balanced" : - web_attack_mitigation_severity == "medium" ? 
"high" : - "Error"; - - triggers.push_back(TriggersInWaapSection(parsed_log_trigger)); - for (const SourcesIdentifiers &source_ident : parsed_trusted_sources.getSourcesIdentifiers()) { - overrides.push_back(AppSecOverride(source_ident)); - } -} - -WebAppSection::WebAppSection( - const std::string &_application_urls, - const std::string &_asset_id, - const std::string &_asset_name, - const std::string &_rule_id, - const std::string &_rule_name, - const std::string &_practice_id, - const std::string &_practice_name, - const string &_context, - const std::string &_web_attack_mitigation_severity, - const std::string &_web_attack_mitigation_mode, - const PracticeAdvancedConfig &_practice_advanced_config, - const AppsecPracticeAntiBotSection &_anti_bots, - const LogTriggerSection &parsed_log_trigger, - const AppSecTrustedSources &parsed_trusted_sources) - : - application_urls(_application_urls), - asset_id(_asset_id), - asset_name(_asset_name), - rule_id(_rule_id), - rule_name(_rule_name), - practice_id(_practice_id), - practice_name(_practice_name), - context(_context), - web_attack_mitigation_severity(_web_attack_mitigation_severity), - web_attack_mitigation_mode(_web_attack_mitigation_mode), - practice_advanced_config(_practice_advanced_config), - anti_bots(_anti_bots), - trusted_sources({parsed_trusted_sources}) -{ - web_attack_mitigation = true; - web_attack_mitigation_action = - web_attack_mitigation_severity == "critical" ? "low" : - web_attack_mitigation_severity == "high" ? "balanced" : - web_attack_mitigation_severity == "medium" ? 
"high" : - "Error"; - - triggers.push_back(TriggersInWaapSection(parsed_log_trigger)); - for (const SourcesIdentifiers &source_ident : parsed_trusted_sources.getSourcesIdentifiers()) { - overrides.push_back(AppSecOverride(source_ident)); - } -} -// LCOV_EXCL_STOP - -void -WebAppSection::save(cereal::JSONOutputArchive &out_ar) const -{ - string disabled_str = "Disabled"; - string detect_str = "Detect"; - vector empty_list; - out_ar( - cereal::make_nvp("context", context), - cereal::make_nvp("webAttackMitigation", web_attack_mitigation), - cereal::make_nvp("webAttackMitigationSeverity", web_attack_mitigation_severity), - cereal::make_nvp("webAttackMitigationAction", web_attack_mitigation_action), - cereal::make_nvp("webAttackMitigationMode", web_attack_mitigation_mode), - cereal::make_nvp("practiceAdvancedConfig", practice_advanced_config), - cereal::make_nvp("csrfProtection", disabled_str), - cereal::make_nvp("openRedirect", disabled_str), - cereal::make_nvp("errorDisclosure", disabled_str), - cereal::make_nvp("practiceId", practice_id), - cereal::make_nvp("practiceName", practice_name), - cereal::make_nvp("assetId", asset_id), - cereal::make_nvp("assetName", asset_name), - cereal::make_nvp("ruleId", rule_id), - cereal::make_nvp("ruleName", rule_name), - cereal::make_nvp("schemaValidation", false), - cereal::make_nvp("schemaValidation_v2", disabled_str), - cereal::make_nvp("oas", empty_list), - cereal::make_nvp("triggers", triggers), - cereal::make_nvp("applicationUrls", application_urls), - cereal::make_nvp("overrides", overrides), - cereal::make_nvp("trustedSources", trusted_sources), - cereal::make_nvp("waapParameters", empty_list), - cereal::make_nvp("botProtection", false), - cereal::make_nvp("antiBot", anti_bots), - cereal::make_nvp("botProtection_v2", detect_str) - ); -} -// LCOV_EXCL_START Reason: no test exist -void -WebAPISection::save(cereal::JSONOutputArchive &out_ar) const -{ - string disabled_str = "Disabled"; - vector empty_list; - out_ar( - 
cereal::make_nvp("application_urls", application_urls), - cereal::make_nvp("asset_id", asset_id), - cereal::make_nvp("asset_name", asset_name), - cereal::make_nvp("context", context), - cereal::make_nvp("practiceAdvancedConfig", practice_advanced_config), - cereal::make_nvp("practice_id", practice_id), - cereal::make_nvp("practice_name", practice_name), - cereal::make_nvp("ruleId", rule_id), - cereal::make_nvp("ruleName", rule_name), - cereal::make_nvp("schemaValidation", false), - cereal::make_nvp("schemaValidation_v2", disabled_str), - cereal::make_nvp("web_attack_mitigation", web_attack_mitigation), - cereal::make_nvp("web_attack_mitigation_action", web_attack_mitigation_action), - cereal::make_nvp("web_attack_mitigation_severity", web_attack_mitigation_severity), - cereal::make_nvp("web_attack_mitigation_mode", web_attack_mitigation_mode), - cereal::make_nvp("oas", empty_list), - cereal::make_nvp("trustedSources", empty_list), - cereal::make_nvp("triggers", empty_list), - cereal::make_nvp("waapParameters", empty_list), - cereal::make_nvp("overrides", empty_list) - ); -} -// LCOV_EXCL_STOP - -void -AppSecRulebase::save(cereal::JSONOutputArchive &out_ar) const -{ - out_ar( - cereal::make_nvp("WebAPISecurity", webAPIPractices), - cereal::make_nvp("WebApplicationSecurity", webApplicationPractices) - ); -} - -void -AppSecWrapper::save(cereal::JSONOutputArchive &out_ar) const -{ - out_ar(cereal::make_nvp("WAAP", app_sec_rulebase)); -} - -void -ParsedRule::load(cereal::JSONInputArchive &archive_in) -{ - dbgTrace(D_LOCAL_POLICY) << "Loading AppSec ParsedRule"; - parseAppsecJSONKey>("exceptions", exceptions, archive_in); - parseAppsecJSONKey>("triggers", log_triggers, archive_in); - parseAppsecJSONKey>("practices", practices, archive_in); - parseAppsecJSONKey("mode", mode, archive_in); - if (valid_modes.count(mode) == 0) { - dbgWarning(D_LOCAL_POLICY) << "AppSec Parsed Rule mode invalid: " << mode; - } - parseAppsecJSONKey("custom-response", custom_response, 
archive_in); - parseAppsecJSONKey("source-identifiers", source_identifiers, archive_in); - parseAppsecJSONKey("trusted-sources", trusted_sources, archive_in); - try { - archive_in(cereal::make_nvp("host", host)); - } catch (const cereal::Exception &e) - {} // The default ParsedRule does not hold a host, so no error handling -} - -const vector & -ParsedRule::getExceptions() const -{ - return exceptions; -} - -const vector & -ParsedRule::getLogTriggers() const -{ - return log_triggers; -} - -const vector & -ParsedRule::getPractices() const -{ - return practices; -} - -const string & -ParsedRule::getHost() const -{ - return host; -} - -const string & -ParsedRule::getMode() const -{ - return mode; -} - -void -ParsedRule::setHost(const string &_host) -{ - host = _host; -} - -void -ParsedRule::setMode(const string &_mode) -{ - mode = _mode; -} - -const string & -ParsedRule::getCustomResponse() const -{ - return custom_response; -} - -const string & -ParsedRule::getSourceIdentifiers() const -{ - return source_identifiers; -} - -const string & -ParsedRule::getTrustedSources() const -{ - return trusted_sources; -} - -void -AppsecPolicySpec::load(cereal::JSONInputArchive &archive_in) -{ - dbgTrace(D_LOCAL_POLICY) << "Loading AppSec policy spec"; - parseAppsecJSONKey("default", default_rule, archive_in); - default_rule.setHost("*"); - parseAppsecJSONKey>("specific-rules", specific_rules, archive_in); -} - -const ParsedRule & -AppsecPolicySpec::getDefaultRule() const -{ - return default_rule; -} - -const vector & -AppsecPolicySpec::getSpecificRules() const -{ - return specific_rules; -} - -bool -AppsecPolicySpec::isAssetHostExist(const std::string &full_url) const -{ - for (const ParsedRule &rule : specific_rules) { - if (rule.getHost() == full_url) return true; - } - return false; -} - -void -AppsecPolicySpec::addSpecificRule(const ParsedRule &_rule) -{ - specific_rules.push_back(_rule); -} - -void -AppsecLinuxPolicy::serialize(cereal::JSONInputArchive &archive_in) -{ - 
dbgTrace(D_LOCAL_POLICY) << "Loading Appsec Linux Policy";
- parseAppsecJSONKey("policies", policies, archive_in);
- parseAppsecJSONKey>("practices", practices, archive_in);
- parseAppsecJSONKey>("log-triggers", log_triggers, archive_in);
- parseAppsecJSONKey>("custom-responses", custom_responses, archive_in);
- parseAppsecJSONKey>("exceptions", exceptions, archive_in);
- parseAppsecJSONKey>("trusted-sources", trusted_sources, archive_in);
- parseAppsecJSONKey>(
- "source-identifiers",
- sources_identifiers,
- archive_in
- );
-}
-
-const AppsecPolicySpec &
-AppsecLinuxPolicy::getAppsecPolicySpec() const
-{
- return policies;
-}
-
-const vector &
-AppsecLinuxPolicy::getAppSecPracticeSpecs() const
-{
- return practices;
-}
-
-const vector &
-AppsecLinuxPolicy::getAppsecTriggerSpecs() const
-{
- return log_triggers;
-}
-
-const vector &
-AppsecLinuxPolicy::getAppSecCustomResponseSpecs() const
-{
- return custom_responses;
-}
-
-const vector &
-AppsecLinuxPolicy::getAppsecExceptionSpecs() const
-{
- return exceptions;
-}
-
-const vector &
-AppsecLinuxPolicy::getAppsecTrustedSourceSpecs() const
-{
- return trusted_sources;
-}
-
-const vector &
-AppsecLinuxPolicy::getAppsecSourceIdentifierSpecs() const
-{
- return sources_identifiers;
-}
-
-void
-AppsecLinuxPolicy::addSpecificRule(const ParsedRule &_rule)
-{
- policies.addSpecificRule(_rule);
-}
diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/exceptions_section.cc b/components/security_apps/orchestration/local_policy_mgmt_gen/exceptions_section.cc
deleted file mode 100644
index c9af836..0000000
--- a/components/security_apps/orchestration/local_policy_mgmt_gen/exceptions_section.cc
+++ /dev/null
@@ -1,293 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "exceptions_section.h"
-
-using namespace std;
-
-USE_DEBUG_FLAG(D_LOCAL_POLICY);
-
-// LCOV_EXCL_START Reason: no test exist
-static const set valid_actions = {"skip", "accept", "drop", "suppressLog"};
-
-void
-AppsecExceptionSpec::load(cereal::JSONInputArchive &archive_in)
-{
- dbgTrace(D_LOCAL_POLICY) << "Loading AppSec exception spec";
- parseAppsecJSONKey("name", name, archive_in);
- parseAppsecJSONKey("action", action, archive_in);
- if (valid_actions.count(action) == 0) {
- dbgWarning(D_LOCAL_POLICY) << "AppSec exception action invalid: " << action;
- }
-
- parseAppsecJSONKey>("countryCode", country_code, archive_in);
- parseAppsecJSONKey>("countryName", country_name, archive_in);
- parseAppsecJSONKey>("hostName", host_name, archive_in);
- parseAppsecJSONKey>("paramName", param_name, archive_in);
- parseAppsecJSONKey>("paramValue", param_value, archive_in);
- parseAppsecJSONKey>("protectionName", protection_name, archive_in);
- parseAppsecJSONKey>("sourceIdentifier", source_identifier, archive_in);
- parseAppsecJSONKey>("sourceIp", source_ip, archive_in);
- parseAppsecJSONKey>("url", url, archive_in);
-}
-
-void
-AppsecExceptionSpec::setName(const string &_name)
-{
- name = _name;
-}
-
-const string &
-AppsecExceptionSpec::getName() const
-{
- return name;
-}
-
-const string &
-AppsecExceptionSpec::getAction() const
-{
- return action;
-}
-
-const vector &
-AppsecExceptionSpec::getCountryCode() const
-{
- return country_code;
-}
-
-const vector &
-AppsecExceptionSpec::getCountryName() const
-{
- return country_name;
-}
-
-const vector &
-AppsecExceptionSpec::getHostName() const
-{
- return host_name;
-}
-
-const vector &
-AppsecExceptionSpec::getParamName() const
-{
- return param_name;
-}
-
-const vector &
-AppsecExceptionSpec::getParamValue() const
-{
- return param_value;
-}
-
-const vector &
-AppsecExceptionSpec::getProtectionName() const
-{
- return protection_name;
-}
-
-const vector &
-AppsecExceptionSpec::getSourceIdentifier() const
-{
- return source_identifier;
-}
-
-const vector &
-AppsecExceptionSpec::getSourceIp() const
-{
- return source_ip;
-}
-
-const vector &
-AppsecExceptionSpec::getUrl() const
-{
- return url;
-}
-
-ExceptionMatch::ExceptionMatch(const AppsecExceptionSpec &parsed_exception)
- :
- match_type(MatchType::Operator),
- op("and")
-{
- if (!parsed_exception.getCountryCode().empty()) {
- items.push_back(ExceptionMatch("countryCode", parsed_exception.getCountryCode()));
- }
- if (!parsed_exception.getCountryName().empty()) {
- items.push_back(ExceptionMatch("countryName", parsed_exception.getCountryName()));
- }
- if (!parsed_exception.getHostName().empty()) {
- items.push_back(ExceptionMatch("hostName", parsed_exception.getHostName()));
- }
- if (!parsed_exception.getParamName().empty()) {
- items.push_back(ExceptionMatch("paramName", parsed_exception.getParamName()));
- }
- if (!parsed_exception.getParamValue().empty()) {
- items.push_back(ExceptionMatch("paramValue", parsed_exception.getParamValue()));
- }
- if (!parsed_exception.getProtectionName().empty()) {
- items.push_back(ExceptionMatch("protectionName", parsed_exception.getProtectionName()));
- }
- if (!parsed_exception.getSourceIdentifier().empty()) {
- items.push_back(ExceptionMatch("sourceIdentifier", parsed_exception.getSourceIdentifier()));
- }
- if (!parsed_exception.getSourceIp().empty()) {
- 
items.push_back(ExceptionMatch("sourceIp", parsed_exception.getSourceIp()));
- }
- if (!parsed_exception.getUrl().empty()) {
- items.push_back(ExceptionMatch("url", parsed_exception.getUrl()));
- }
-}
-
-ExceptionMatch::ExceptionMatch(const NewAppsecException &parsed_exception)
- :
- match_type(MatchType::Operator),
- op("and")
-{
- if (!parsed_exception.getCountryCode().empty()) {
- items.push_back(ExceptionMatch("countryCode", parsed_exception.getCountryCode()));
- }
- if (!parsed_exception.getCountryName().empty()) {
- items.push_back(ExceptionMatch("countryName", parsed_exception.getCountryName()));
- }
- if (!parsed_exception.getHostName().empty()) {
- items.push_back(ExceptionMatch("hostName", parsed_exception.getHostName()));
- }
- if (!parsed_exception.getParamName().empty()) {
- items.push_back(ExceptionMatch("paramName", parsed_exception.getParamName()));
- }
- if (!parsed_exception.getParamValue().empty()) {
- items.push_back(ExceptionMatch("paramValue", parsed_exception.getParamValue()));
- }
- if (!parsed_exception.getProtectionName().empty()) {
- items.push_back(ExceptionMatch("protectionName", parsed_exception.getProtectionName()));
- }
- if (!parsed_exception.getSourceIdentifier().empty()) {
- items.push_back(ExceptionMatch("sourceIdentifier", parsed_exception.getSourceIdentifier()));
- }
- if (!parsed_exception.getSourceIp().empty()) {
- items.push_back(ExceptionMatch("sourceIp", parsed_exception.getSourceIp()));
- }
- if (!parsed_exception.getUrl().empty()) {
- items.push_back(ExceptionMatch("url", parsed_exception.getUrl()));
- }
-}
-
-void
-ExceptionMatch::save(cereal::JSONOutputArchive &out_ar) const
-{
- switch (match_type) {
- case (MatchType::Condition): {
- string type_str = "condition";
- out_ar(
- cereal::make_nvp("key", key),
- cereal::make_nvp("op", op),
- cereal::make_nvp("type", type_str),
- cereal::make_nvp("value", value)
- );
- break;
- }
- case (MatchType::Operator): {
- string type_str = "operator";
- out_ar(
- 
cereal::make_nvp("op", op),
- cereal::make_nvp("type", type_str),
- cereal::make_nvp("items", items)
- );
- break;
- }
- default: {
- dbgError(D_LOCAL_POLICY) << "No match for exception match type: " << static_cast(match_type);
- }
- }
-}
-
-ExceptionBehavior::ExceptionBehavior(
- const string &_key,
- const string &_value)
- :
- key(_key),
- value(_value)
-{
- try {
- id = to_string(boost::uuids::random_generator()());
- } catch (const boost::uuids::entropy_error &e) {
- dbgWarning(D_LOCAL_POLICY) << "Failed to generate exception behavior UUID. Error: " << e.what();
- }
-}
-
-void
-ExceptionBehavior::save(cereal::JSONOutputArchive &out_ar) const
-{
- out_ar(
- cereal::make_nvp("key", key),
- cereal::make_nvp("value", value),
- cereal::make_nvp("id", id)
- );
-}
-
-const string
-ExceptionBehavior::getBehaviorId() const
-{
- return id;
-}
-
-void
-InnerException::save(cereal::JSONOutputArchive &out_ar) const
-{
- out_ar(
- cereal::make_nvp("behavior", behavior),
- cereal::make_nvp("match", match)
- );
-}
-
-const string
-InnerException::getBehaviorId() const
-{
- return behavior.getBehaviorId();
-}
-
-ExceptionsRulebase::ExceptionsRulebase(
- vector _exceptions)
- :
- exceptions(_exceptions)
-{
- string context_id_str = "";
- for (const InnerException & exception : exceptions) {
- string curr_id = "parameterId(" + exception.getBehaviorId() + "), ";
- context_id_str += curr_id;
- }
- context_id_str = context_id_str.substr(0, context_id_str.size() - 2);
- context = "Any(" + context_id_str + ")";
-}
-
-void
-ExceptionsRulebase::save(cereal::JSONOutputArchive &out_ar) const
-{
- out_ar(
- cereal::make_nvp("context", context),
- cereal::make_nvp("exceptions", exceptions)
- );
-}
-
-void
-ExceptionsWrapper::Exception::save(cereal::JSONOutputArchive &out_ar) const
-{
- out_ar(cereal::make_nvp("exception", exception));
-}
-
-void
-ExceptionsWrapper::save(cereal::JSONOutputArchive &out_ar) const
-{
- out_ar(
- cereal::make_nvp("rulebase", exception_rulebase)
- );
-}
diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/include/access_control_practice.h b/components/security_apps/orchestration/local_policy_mgmt_gen/include/access_control_practice.h
deleted file mode 100644
index b8c263a..0000000
--- a/components/security_apps/orchestration/local_policy_mgmt_gen/include/access_control_practice.h
+++ /dev/null
@@ -1,192 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#ifndef __ACCESS_CONTROL_PRACTICE_H__
-#define __ACCESS_CONTROL_PRACTICE_H__
-
-#include
-#include
-#include
-#include
-#include
-
-#include "config.h"
-#include "debug.h"
-#include "local_policy_common.h"
-
-class RateLimitRulesTriggerSection
-{
-public:
- // LCOV_EXCL_START Reason: no test exist
- RateLimitRulesTriggerSection() {};
-
- RateLimitRulesTriggerSection(
- const std::string &_id,
- const std::string &_name,
- const std::string &_type
- )
- :
- id(_id),
- name(_name),
- type(_type)
- {};
- // LCOV_EXCL_STOP
-
- void save(cereal::JSONOutputArchive &out_ar) const;
- const std::string & getName() const;
-
-private:
- std::string id;
- std::string name;
- std::string type;;
-};
-
-class RateLimitRulesSection
-{
-public:
- RateLimitRulesSection() {};
-
- // LCOV_EXCL_START Reason: no test exist
- RateLimitRulesSection(
- const int _limit,
- const std::string &_id,
- const std::string &_uri,
- const std::string &_scope,
- const std::vector &_triggers
- )
- :
- limit(_limit),
- id(_id),
- uri(_uri),
- scope(_scope),
- triggers(_triggers)
- {};
- // LCOV_EXCL_STOP
-
- void save(cereal::JSONOutputArchive &out_ar) const;
-
-private:
- int limit;
- std::string id;
- std::string uri;
- std::string scope;
- std::vector triggers;
-};
-
-class RateLimitSection
-{
-public:
- // LCOV_EXCL_START Reason: no test exist
- RateLimitSection() {};
- // LCOV_EXCL_STOP
-
- RateLimitSection(
- const std::string &asset_name,
- const std::string &url,
- const std::string &uri,
- const std::string &_mode,
- const std::string &_practice_id,
- const std::string &_name,
- const std::vector &_rules);
-
- void save(cereal::JSONOutputArchive &out_ar) const;
- const std::string & getId() const;
- const std::string & getName() const;
- const std::string & getMode() const;
-
-private:
- std::string context;
- std::string mode;
- std::string practice_id;
- std::string name;
- std::vector rules;
-};
-
-class AccessControlRulebaseSection
-{
-public:
- AccessControlRulebaseSection() {};
-
- AccessControlRulebaseSection(const std::vector &_rate_limit) : rate_limit(_rate_limit) {};
-
- void save(cereal::JSONOutputArchive &out_ar) const;
-
-private:
- std::vector rate_limit;
-};
-
-class AccessControlRulebaseWrapper
-{
-public:
- AccessControlRulebaseWrapper() {};
-
- AccessControlRulebaseWrapper(
- const std::vector &rate_limits
- )
- :
- rule_base(AccessControlRulebaseSection(rate_limits))
- {};
-
- void save(cereal::JSONOutputArchive &out_ar) const;
-
-private:
- AccessControlRulebaseSection rule_base;
-};
-
-class AccessControlRateLimiteRules
-{
-public:
- void load(cereal::JSONInputArchive &archive_in);
-
- const std::vector getTriggers() const;
- RateLimitRulesSection createRateLimitRulesSection(const RateLimitRulesTriggerSection &trigger) const;
-
-private:
- int limit;
- std::string uri;
- std::string unit;
- std::string comment;
- std::vector triggers;
-};
-
-class AccessControlRateLimit
-{
-public:
- void load(cereal::JSONInputArchive &archive_in);
-
- const std::vector & getRules() const;
- const std::string & getMode() const;
- std::vector createRateLimitRulesSection(const RateLimitRulesTriggerSection &trigger) const;
-
-private:
- std::string mode;
- std::vector rules;
-};
-
-class AccessControlPracticeSpec
-{
-public:
- void load(cereal::JSONInputArchive &archive_in);
-
- const AccessControlRateLimit & geRateLimit() const;
- const std::string & 
getAppSecClassName() const;
- const std::string & getName() const;
- void setName(const std::string &_name);
-
-private:
- AccessControlRateLimit rate_limit;
- std::string appsec_class_name;
- std::string practice_name;
-};
-
-#endif // __ACCESS_CONTROL_PRACTICE_H__
diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/include/appsec_practice_section.h b/components/security_apps/orchestration/local_policy_mgmt_gen/include/appsec_practice_section.h
deleted file mode 100644
index 312f7de..0000000
--- a/components/security_apps/orchestration/local_policy_mgmt_gen/include/appsec_practice_section.h
+++ /dev/null
@@ -1,466 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#ifndef __APPSEC_PRACTICE_SECTION_H__
-#define __APPSEC_PRACTICE_SECTION_H__
-
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include "config.h"
-#include "debug.h"
-#include "customized_cereal_map.h"
-#include "local_policy_common.h"
-#include "triggers_section.h"
-#include "exceptions_section.h"
-#include "trusted_sources_section.h"
-#include "new_practice.h"
-
-class AppSecWebBotsURI
-{
-public:
- void load(cereal::JSONInputArchive &archive_in);
-
- const std::string & getURI() const;
-
-private:
- std::string uri;
-};
-
-class AppSecPracticeAntiBot
-{
-public:
- std::vector getIjectedUris() const;
- std::vector getValidatedUris() const;
-
- void load(cereal::JSONInputArchive &archive_in);
- void save(cereal::JSONOutputArchive &out_ar) const;
-
-private:
- std::string override_mode;
- std::vector injected_uris;
- std::vector validated_uris;
-};
-
-class AppSecWebAttackProtections
-{
-public:
- void load(cereal::JSONInputArchive &archive_in);
-
- const std::string getCsrfProtectionMode() const;
- const std::string & getErrorDisclosureMode() const;
- bool getNonValidHttpMethods() const;
- const std::string getOpenRedirectMode() const;
-
-private:
- std::string csrf_protection;
- std::string open_redirect;
- std::string error_disclosure;
- bool non_valid_http_methods;
-};
-
-class AppSecPracticeWebAttacks
-{
-public:
- void load(cereal::JSONInputArchive 
&archive_in);
-
- int getMaxBodySizeKb() const;
- int getMaxHeaderSizeBytes() const;
- int getMaxObjectDepth() const;
- int getMaxUrlSizeBytes() const;
- const std::string & getMinimumConfidence() const;
- const AppSecWebAttackProtections & getprotections() const;
- const std::string & getMode(const std::string &default_mode = "Inactive") const;
-
-private:
- int max_body_size_kb;
- int max_header_size_bytes;
- int max_object_depth;
- int max_url_size_bytes;
- std::string mode;
- std::string minimum_confidence;
- AppSecWebAttackProtections protections;
-};
-
-class AppSecPracticeSnortSignatures
-{
-public:
- void load(cereal::JSONInputArchive &archive_in);
-
- const std::string & getOverrideMode() const;
- const std::vector & getConfigMap() const;
-
-private:
- std::string override_mode;
- std::vector config_map;
-};
-
-class AppSecPracticeOpenSchemaAPI
-{
-public:
- void load(cereal::JSONInputArchive &archive_in);
-
- const std::string & getOverrideMode() const;
- const std::vector & getConfigMap() const;
-
-private:
- std::string override_mode;
- std::vector config_map;
-};
-
-class AppSecPracticeSpec
-{
-public:
- void load(cereal::JSONInputArchive &archive_in);
-
- const AppSecPracticeOpenSchemaAPI & getOpenSchemaValidation() const;
- const AppSecPracticeSnortSignatures & getSnortSignatures() const;
- const AppSecPracticeWebAttacks & getWebAttacks() const;
- const AppSecPracticeAntiBot & getAntiBot() const;
- const std::string & getName() const;
- void setName(const std::string &_name);
-
-private:
- AppSecPracticeOpenSchemaAPI openapi_schema_validation;
- AppSecPracticeSnortSignatures snort_signatures;
- AppSecPracticeWebAttacks web_attacks;
- AppSecPracticeAntiBot anti_bot;
- std::string practice_name;
-};
-
-class PracticeAdvancedConfig
-{
-public:
- PracticeAdvancedConfig() {}
-
- PracticeAdvancedConfig(const AppSecPracticeSpec &parsed_appsec_spec)
- :
- http_header_max_size(parsed_appsec_spec.getWebAttacks().getMaxHeaderSizeBytes()),
- 
http_illegal_methods_allowed(0),
- http_request_body_max_size(parsed_appsec_spec.getWebAttacks().getMaxBodySizeKb()),
- json_max_object_depth(parsed_appsec_spec.getWebAttacks().getMaxObjectDepth()),
- url_max_size(parsed_appsec_spec.getWebAttacks().getMaxUrlSizeBytes())
- {}
-
- // LCOV_EXCL_START Reason: no test exist
- PracticeAdvancedConfig(
- int _http_header_max_size,
- int _http_request_body_max_size,
- int _json_max_object_depth,
- int _url_max_size)
- :
- http_header_max_size(_http_header_max_size),
- http_illegal_methods_allowed(0),
- http_request_body_max_size(_http_request_body_max_size),
- json_max_object_depth(_json_max_object_depth),
- url_max_size(_url_max_size)
- {}
- // LCOV_EXCL_STOP
-
-
- void save(cereal::JSONOutputArchive &out_ar) const;
-
-private:
- int http_header_max_size;
- int http_illegal_methods_allowed;
- int http_request_body_max_size;
- int json_max_object_depth;
- int url_max_size;
-};
-
-class TriggersInWaapSection
-{
-public:
- TriggersInWaapSection(const LogTriggerSection &log_section)
- :
- trigger_type("log"),
- id(log_section.getTriggerId()),
- name(log_section.getTriggerName()),
- log(log_section)
- {}
-
- void save(cereal::JSONOutputArchive &out_ar) const;
-
-private:
- std::string trigger_type;
- std::string id;
- std::string name;
- LogTriggerSection log;
-};
-
-class AppSecOverride
-{
-public:
- AppSecOverride(const SourcesIdentifiers &parsed_trusted_sources);
-
- void save(cereal::JSONOutputArchive &out_ar) const;
-
-private:
- std::vector> parsed_behavior;
- std::map parsed_match;
-};
-
-class AppsecPracticeAntiBotSection
-{
-public:
- AppsecPracticeAntiBotSection() {};
- // LCOV_EXCL_START Reason: no test exist
- AppsecPracticeAntiBotSection(const NewAppSecPracticeAntiBot &anti_bot) :
- injected_uris(anti_bot.getIjectedUris()),
- validated_uris(anti_bot.getValidatedUris())
- {};
- // LCOV_EXCL_STOP
-
- AppsecPracticeAntiBotSection(const AppSecPracticeAntiBot &anti_bot) :
- injected_uris(anti_bot.getIjectedUris()),
- 
validated_uris(anti_bot.getValidatedUris())
- {};
-
- void save(cereal::JSONOutputArchive &out_ar) const;
-
-private:
- std::vector injected_uris;
- std::vector validated_uris;
-};
-
-class WebAppSection
-{
-public:
- WebAppSection() {}
-
- WebAppSection(
- const std::string &_application_urls,
- const std::string &_asset_id,
- const std::string &_asset_name,
- const std::string &_rule_id,
- const std::string &_rule_name,
- const std::string &_practice_id,
- const std::string &_practice_name,
- const std::string &_context,
- const AppSecPracticeSpec &parsed_appsec_spec,
- const LogTriggerSection &parsed_log_trigger,
- const std::string &default_mode,
- const AppSecTrustedSources &parsed_trusted_sources
- );
-
- WebAppSection(
- const std::string &_application_urls,
- const std::string &_asset_id,
- const std::string &_asset_name,
- const std::string &_rule_id,
- const std::string &_rule_name,
- const std::string &_practice_id,
- const std::string &_practice_name,
- const std::string &_context,
- const std::string &_web_attack_mitigation_severity,
- const std::string &_web_attack_mitigation_mode,
- const PracticeAdvancedConfig &_practice_advanced_config,
- const AppsecPracticeAntiBotSection &_anti_bots,
- const LogTriggerSection &parsed_log_trigger,
- const AppSecTrustedSources &parsed_trusted_sources);
-
- void save(cereal::JSONOutputArchive &out_ar) const;
-
-private:
- std::string application_urls;
- std::string asset_id;
- std::string asset_name;
- std::string rule_id;
- std::string rule_name;
- std::string practice_id;
- std::string practice_name;
- std::string context;
- std::string web_attack_mitigation_action;
- std::string web_attack_mitigation_severity;
- std::string web_attack_mitigation_mode;
- bool web_attack_mitigation;
- std::vector triggers;
- PracticeAdvancedConfig practice_advanced_config;
- AppsecPracticeAntiBotSection anti_bots;
- std::vector trusted_sources;
- std::vector overrides;
-};
-
-class WebAPISection
-{
-public:
- WebAPISection(
- const 
std::string &_application_urls,
- const std::string &_asset_id,
- const std::string &_asset_name,
- const std::string &_rule_id,
- const std::string &_rule_name,
- const std::string &_practice_id,
- const std::string &_practice_name,
- const std::string &_web_attack_mitigation_action,
- const std::string &_web_attack_mitigation_severity,
- const std::string &_web_attack_mitigation_mode,
- bool _web_attack_mitigation,
- const PracticeAdvancedConfig &_practice_advanced_config)
- :
- application_urls(_application_urls),
- asset_id(_asset_id),
- asset_name(_asset_name),
- rule_id(_rule_id),
- rule_name(_rule_name),
- practice_id(_practice_id),
- practice_name(_practice_name),
- context("practiceId(" + practice_id +")"),
- web_attack_mitigation_action(_web_attack_mitigation_action),
- web_attack_mitigation_severity(_web_attack_mitigation_severity),
- web_attack_mitigation_mode(_web_attack_mitigation_mode),
- web_attack_mitigation(_web_attack_mitigation),
- practice_advanced_config(_practice_advanced_config)
- {}
-
- void save(cereal::JSONOutputArchive &out_ar) const;
-
-private:
- std::string application_urls;
- std::string asset_id;
- std::string asset_name;
- std::string rule_id;
- std::string rule_name;
- std::string practice_id;
- std::string practice_name;
- std::string context;
- std::string web_attack_mitigation_action;
- std::string web_attack_mitigation_severity;
- std::string web_attack_mitigation_mode;
- bool web_attack_mitigation;
- PracticeAdvancedConfig practice_advanced_config;
-};
-
-class AppSecRulebase
-{
-public:
- AppSecRulebase(
- std::vector _webApplicationPractices,
- std::vector _webAPIPractices)
- :
- webApplicationPractices(_webApplicationPractices),
- webAPIPractices(_webAPIPractices) {}
-
- void save(cereal::JSONOutputArchive &out_ar) const;
-
-private:
- std::vector webApplicationPractices;
- std::vector webAPIPractices;
-};
-
-
-class AppSecWrapper
-{
-public:
- AppSecWrapper(const AppSecRulebase &_app_sec)
- :
- app_sec_rulebase(_app_sec) 
- {}
-
- void save(cereal::JSONOutputArchive &out_ar) const;
-
-private:
- AppSecRulebase app_sec_rulebase;
-};
-
-class ParsedRule
-{
-public:
- ParsedRule() {}
- ParsedRule(const std::string &_host) : host(_host) {}
-
- void load(cereal::JSONInputArchive &archive_in);
- const std::vector & getExceptions() const;
- const std::vector & getLogTriggers() const;
- const std::vector & getPractices() const;
- const std::string & getHost() const;
- const std::string & getMode() const;
- void setHost(const std::string &_host);
- void setMode(const std::string &_mode);
- const std::string & getCustomResponse() const;
- const std::string & getSourceIdentifiers() const;
- const std::string & getTrustedSources() const;
-
-private:
- std::vector exceptions;
- std::vector log_triggers;
- std::vector practices;
- std::string host;
- std::string mode;
- std::string custom_response;
- std::string source_identifiers;
- std::string trusted_sources;
-};
-
-class AppsecPolicySpec : Singleton::Consume
-{
-public:
- void load(cereal::JSONInputArchive &archive_in);
-
- const ParsedRule & getDefaultRule() const;
- const std::vector & getSpecificRules() const;
- bool isAssetHostExist(const std::string &full_url) const;
- void addSpecificRule(const ParsedRule &_rule);
-
-private:
- ParsedRule default_rule;
- std::vector specific_rules;
-};
-
-class AppsecLinuxPolicy : Singleton::Consume
-{
-public:
- AppsecLinuxPolicy() {}
- AppsecLinuxPolicy(
- const AppsecPolicySpec &_policies,
- const std::vector &_practices,
- const std::vector &_log_triggers,
- const std::vector &_custom_responses,
- const std::vector &_exceptions,
- const std::vector &_trusted_sources,
- const std::vector &_sources_identifiers)
- :
- policies(_policies),
- practices(_practices),
- log_triggers(_log_triggers),
- custom_responses(_custom_responses),
- exceptions(_exceptions),
- trusted_sources(_trusted_sources),
- sources_identifiers(_sources_identifiers) {}
-
- void serialize(cereal::JSONInputArchive &archive_in);
-
- 
const AppsecPolicySpec & getAppsecPolicySpec() const;
- const std::vector & getAppSecPracticeSpecs() const;
- const std::vector & getAppsecTriggerSpecs() const;
- const std::vector & getAppSecCustomResponseSpecs() const;
- const std::vector & getAppsecExceptionSpecs() const;
- const std::vector & getAppsecTrustedSourceSpecs() const;
- const std::vector & getAppsecSourceIdentifierSpecs() const;
- void addSpecificRule(const ParsedRule &_rule);
-
-private:
- AppsecPolicySpec policies;
- std::vector practices;
- std::vector log_triggers;
- std::vector custom_responses;
- std::vector exceptions;
- std::vector trusted_sources;
- std::vector sources_identifiers;
-};
-
-#endif // __APPSEC_PRACTICE_SECTION_H__
diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/include/exceptions_section.h b/components/security_apps/orchestration/local_policy_mgmt_gen/include/exceptions_section.h
deleted file mode 100644
index b07b0bb..0000000
--- a/components/security_apps/orchestration/local_policy_mgmt_gen/include/exceptions_section.h
+++ /dev/null
@@ -1,154 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#ifndef __EXCEPTPIONS_SECTION_H__
-#define __EXCEPTPIONS_SECTION_H__
-
-#include
-#include
-#include
-#include
-#include
-
-#include "config.h"
-#include "debug.h"
-#include "rest.h"
-#include "local_policy_common.h"
-#include "new_exceptions.h"
-
-class AppsecExceptionSpec
-{
-public:
- void load(cereal::JSONInputArchive &archive_in);
-
- const std::string & getName() const;
- const std::string & getAction() const;
- const std::vector & getCountryCode() const;
- const std::vector & getCountryName() const;
- const std::vector & getHostName() const;
- const std::vector & getParamName() const;
- const std::vector & getParamValue() const;
- const std::vector & getProtectionName() const;
- const std::vector & getSourceIdentifier() const;
- const std::vector & getSourceIp() const;
- const std::vector & getUrl() const;
- void setName(const std::string &_name);
-
-private:
- std::string name;
- std::string action;
- std::vector country_code;
- std::vector country_name;
- std::vector host_name;
- std::vector param_name;
- std::vector param_value;
- std::vector protection_name;
- std::vector source_identifier;
- std::vector source_ip;
- std::vector url;
-};
-
-class ExceptionMatch
-{
-public:
- ExceptionMatch() {}
- ExceptionMatch(const AppsecExceptionSpec &parsed_exception);
- ExceptionMatch(const NewAppsecException &parsed_exception);
- ExceptionMatch(const std::string &_key, const 
std::vector &_value)
- :
- match_type(MatchType::Condition),
- key(_key),
- op("in"),
- value(_value)
- {}
-
- void save(cereal::JSONOutputArchive &out_ar) const;
-
-private:
- MatchType match_type;
- std::string key;
- std::string op;
- std::vector value;
- std::vector items;
-};
-
-class ExceptionBehavior
-{
-public:
- ExceptionBehavior() {}
- ExceptionBehavior(
- const std::string &_key,
- const std::string &_value
- );
-
- void save(cereal::JSONOutputArchive &out_ar) const;
- const std::string getBehaviorId() const;
-
-private:
- std::string key;
- std::string id;
- std::string value;
-};
-
-class InnerException
-{
-public:
- InnerException() {}
- InnerException(
- ExceptionBehavior _behavior,
- ExceptionMatch _match)
- :
- behavior(_behavior),
- match(_match) {}
-
- void save(cereal::JSONOutputArchive &out_ar) const;
- const std::string getBehaviorId() const;
-
-private:
- ExceptionBehavior behavior;
- ExceptionMatch match;
-};
-
-class ExceptionsRulebase
-{
-public:
- ExceptionsRulebase(std::vector _exceptions);
- void save(cereal::JSONOutputArchive &out_ar) const;
-
-private:
- std::string context;
- std::vector exceptions;
-};
-
-class ExceptionsWrapper
-{
-public:
- class Exception
- {
- public:
- Exception(const std::vector &_exception) : exception(_exception) {}
-
- void save(cereal::JSONOutputArchive &out_ar) const;
-
- private:
- std::vector exception;
- };
- ExceptionsWrapper(const std::vector &_exception) : exception_rulebase(Exception(_exception))
- {}
-
- void save(cereal::JSONOutputArchive &out_ar) const;
-
-private:
- Exception exception_rulebase;
-};
-#endif // __EXCEPTPIONS_SECTION_H__
diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/include/ingress_data.h b/components/security_apps/orchestration/local_policy_mgmt_gen/include/ingress_data.h
deleted file mode 100644
index 16d7e78..0000000
--- a/components/security_apps/orchestration/local_policy_mgmt_gen/include/ingress_data.h
+++ /dev/null
@@ -1,125 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#ifndef __INGRESS_DATA_H__
-#define __INGRESS_DATA_H__
-
-#include
-#include
-
-#include "config.h"
-#include "debug.h"
-#include "rest.h"
-#include "cereal/archives/json.hpp"
-#include
-#include "customized_cereal_map.h"
-
-#include "local_policy_common.h"
-
-class IngressMetadata
-{
-public:
- void load(cereal::JSONInputArchive &archive_in);
-
- const std::map & getAnnotations() const;
-
-private:
- std::string name;
- std::string resourceVersion;
- std::string namespace_name;
- std::map annotations;
-};
-
-class IngressRulePath
-{
-public:
- void load(cereal::JSONInputArchive &archive_in);
-
- const std::string & getPath() const;
-
-private:
- std::string path;
-};
-
-class IngressRulePathsWrapper
-{
-public:
- void load(cereal::JSONInputArchive &archive_in);
-
- const std::vector & getRulePaths() const;
-
-private:
- std::vector paths;
-};
-
-class IngressDefinedRule
-{
-public:
- void load(cereal::JSONInputArchive &archive_in);
-
- const std::string & getHost() const;
- const IngressRulePathsWrapper & getPathsWrapper() const;
-
-private:
- std::string host;
- IngressRulePathsWrapper paths_wrapper;
-};
-
-class DefaultBackend
-{
-public:
- void load(cereal::JSONInputArchive &);
-
-private:
- bool is_exists = false;
-};
-
-class IngressSpec
-{
-public:
- void load(cereal::JSONInputArchive &archive_in);
-
- const std::vector & getRules() const;
-
-private:
- std::string 
ingress_class_name;
- std::vector rules;
- DefaultBackend default_backend;
-};
-
-class SingleIngressData
-{
-public:
- void load(cereal::JSONInputArchive &archive_in);
-
- const IngressMetadata & getMetadata() const;
- const IngressSpec & getSpec() const;
-
-private:
- IngressMetadata metadata;
- IngressSpec spec;
-};
-
-
-class IngressData : public ClientRest
-{
-public:
- bool loadJson(const std::string &json);
-
- const std::vector & getItems() const;
-
-private:
- std::string apiVersion;
- std::vector items;
-};
-#endif // __INGRESS_DATA_H__
diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/include/k8s_policy_common.h b/components/security_apps/orchestration/local_policy_mgmt_gen/include/k8s_policy_common.h
deleted file mode 100644
index 29d8705..0000000
--- a/components/security_apps/orchestration/local_policy_mgmt_gen/include/k8s_policy_common.h
+++ /dev/null
@@ -1,106 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#ifndef __K8S_POLICY_COMMON_H__
-#define __K8S_POLICY_COMMON_H__
-
-#include 
-#include 
-#include 
-#include 
-
-#include "config.h"
-#include "debug.h"
-#include "rest.h"
-
-USE_DEBUG_FLAG(D_LOCAL_POLICY);
-// LCOV_EXCL_START Reason: no test exist
-enum class PracticeType { WebApplication, WebAPI };
-enum class TriggerType { Log, WebUserResponse };
-enum class MatchType { Condition, Operator };
-
-static const std::unordered_map string_to_match_type = {
- { "condition", MatchType::Condition },
- { "operator", MatchType::Operator }
-};
-
-static const std::unordered_map string_to_practice_type = {
- { "WebApplication", PracticeType::WebApplication },
- { "WebAPI", PracticeType::WebAPI }
-};
-
-static const std::unordered_map string_to_trigger_type = {
- { "log", TriggerType::Log },
- { "WebUserResponse", TriggerType::WebUserResponse }
-};
-
-static const std::unordered_map key_to_practices_val = {
- { "prevent-learn", "Prevent"},
- { "detect-learn", "Detect"},
- { "prevent", "Prevent"},
- { "detect", "Detect"},
- { "inactive", "Inactive"}
-};
-
-template 
-void
-parseAppsecJSONKey(
- const std::string &key_name,
- T &value,
- cereal::JSONInputArchive &archive_in,
- const T &default_value = T())
-{
- try {
- archive_in(cereal::make_nvp(key_name, value));
- } catch (const cereal::Exception &e) {
- archive_in.setNextName(nullptr);
- value = default_value;
- dbgDebug(D_LOCAL_POLICY)
- << "Could not parse the required key. Key: "
- << key_name
- << ", Error: "
- << e.what();
- }
-}
-
-template 
-class AppsecSpecParser : public ClientRest
-{
-public:
- AppsecSpecParser() = default;
- AppsecSpecParser(const T &_spec) : spec(_spec) {}
-
- bool
- loadJson(const std::string &json)
- {
- std::string modified_json = json;
- modified_json.pop_back();
- std::stringstream ss;
- ss.str(modified_json);
- try {
- cereal::JSONInputArchive in_ar(ss);
- in_ar(cereal::make_nvp("spec", spec));
- } catch (cereal::Exception &e) {
- dbgError(D_LOCAL_POLICY) << "Failed to load spec JSON. Error: " << e.what();
- return false;
- }
- return true;
- }
-
- const T & getSpec() const { return spec; }
-
-private:
- T spec;
-};
-// LCOV_EXCL_STOP
-#endif // __K8S_POLICY_COMMON_H__
diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/include/k8s_policy_utils.h b/components/security_apps/orchestration/local_policy_mgmt_gen/include/k8s_policy_utils.h
deleted file mode 100644
index 7c5764d..0000000
--- a/components/security_apps/orchestration/local_policy_mgmt_gen/include/k8s_policy_utils.h
+++ /dev/null
@@ -1,111 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#ifndef __K8S_POLICY_UTILS_H__
-#define __K8S_POLICY_UTILS_H__
-
-#include 
-#include 
-#include 
-#include 
-
-#include 
-
-#include "maybe_res.h"
-#include "i_orchestration_tools.h"
-#include "i_shell_cmd.h"
-#include "i_messaging.h"
-#include "i_env_details.h"
-#include "i_agent_details.h"
-#include "appsec_practice_section.h"
-#include "new_appsec_linux_policy.h"
-#include "policy_maker_utils.h"
-
-enum class AnnotationKeys { PolicyKey, OpenAppsecIo, SyslogAddressKey, SyslogPortKey, ModeKey };
-
-class K8sPolicyUtils
- :
- Singleton::Consume,
- Singleton::Consume,
- Singleton::Consume,
- Singleton::Consume,
- Singleton::Consume,
- Singleton::Consume
-{
-public:
- void init();
-
- std::tuple, std::map>
- createAppsecPoliciesFromIngresses();
- bool getClusterId() const;
-
-private:
- std::map parseIngressAnnotations(
- const std::map &annotations
- ) const;
-
- template 
- Maybe getObjectFromCluster(const std::string &path) const;
-
- std::map> extractElementsNames(
- const std::vector &specific_rules,
- const ParsedRule &default_rule
- ) const;
-
- std::map> extractElementsNamesV1beta2(
- const std::vector &specific_rules,
- const NewParsedRule &default_rule
- ) const;
-
- template 
- std::vector extractElementsFromCluster(
- const std::string &crd_plural,
- const std::unordered_set &elements_names
- ) const;
-
- template 
- std::vector extractV1Beta2ElementsFromCluster(
- const std::string &crd_plural,
- const std::unordered_set &elements_names
- ) const;
-
- Maybe createAppsecPolicyK8sFromV1beta1Crds(
- const AppsecSpecParser &appsec_policy_spe,
- const std::string &ingress_mode
- ) const;
-
- Maybe createAppsecPolicyK8sFromV1beta2Crds(
- const AppsecSpecParser &appsec_policy_spe,
- const std::string &ingress_mode
- ) const;
-
- template 
- void createPolicy(
- T &appsec_policy,
- std::map &policies,
- std::map &annotations_values,
- const SingleIngressData &item) const;
-
- std::tuple, Maybe> createAppsecPolicyK8s(
- const std::string &policy_name,
- const std::string &ingress_mode
- ) const;
-
- I_EnvDetails* env_details = nullptr;
- I_Messaging* messaging = nullptr;
- EnvType env_type;
- Flags conn_flags;
- std::string token;
-};
-
-#endif // __K8S_POLICY_UTILS_H__
diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/include/local_policy_common.h b/components/security_apps/orchestration/local_policy_mgmt_gen/include/local_policy_common.h
deleted file mode 100644
index 2ef8b31..0000000
--- a/components/security_apps/orchestration/local_policy_mgmt_gen/include/local_policy_common.h
+++ /dev/null
@@ -1,144 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#ifndef __LOCAL_POLICY_COMMON_H__
-#define __LOCAL_POLICY_COMMON_H__
-
-#include 
-#include 
-#include 
-#include 
-
-#include "config.h"
-#include "debug.h"
-#include "rest.h"
-#include "cereal/archives/json.hpp"
-#include 
-#include "customized_cereal_map.h"
-
-USE_DEBUG_FLAG(D_LOCAL_POLICY);
-
-enum class PracticeType { WebApplication, WebAPI, RateLimit };
-enum class TriggerType { Log, WebUserResponse };
-enum class MatchType { Condition, Operator };
-
-static const std::unordered_map string_to_match_type = {
- { "condition", MatchType::Condition },
- { "operator", MatchType::Operator }
-};
-
-static const std::unordered_map string_to_practice_type = {
- { "WebApplication", PracticeType::WebApplication },
- { "WebAPI", PracticeType::WebAPI },
- { "RateLimit", PracticeType::RateLimit }
-};
-
-static const std::unordered_map string_to_trigger_type = {
- { "log", TriggerType::Log },
- { "WebUserResponse", TriggerType::WebUserResponse }
-};
-
-static const std::unordered_map key_to_practices_val = {
- { "prevent-learn", "Prevent"},
- { "detect-learn", "Detect"},
- { "prevent", "Prevent"},
- { "detect", "Detect"},
- { "inactive", "Inactive"}
-};
-
-template 
-void
-parseAppsecJSONKey(
- const std::string &key_name,
- T &value,
- cereal::JSONInputArchive &archive_in,
- const T &default_value = T())
-{
- try {
- archive_in(cereal::make_nvp(key_name, value));
- } catch (const cereal::Exception &e) {
- archive_in.setNextName(nullptr);
- value = default_value;
- dbgDebug(D_LOCAL_POLICY)
- << "Could not parse the required key. Key: "
- << key_name
- << ", Error: "
- << e.what();
- }
-}
-
-class AppsecSpecParserMetaData
-{
-public:
- void
- load(cereal::JSONInputArchive &archive_in)
- {
- dbgTrace(D_LOCAL_POLICY) << "AppsecSpecParserMetaData load";
- parseAppsecJSONKey>("annotations", annotations, archive_in);
- }
-
- const std::map &
- getAnnotations() const
- {
- return annotations;
- }
-
-private:
- std::map annotations;
-};
-
-template 
-class AppsecSpecParser : public ClientRest
-{
-public:
- AppsecSpecParser() = default;
- AppsecSpecParser(const T &_spec) : spec(_spec) {}
-
- bool
- loadJson(const std::string &json)
- {
- std::string modified_json = json;
- modified_json.pop_back();
- std::stringstream ss;
- ss.str(modified_json);
- try {
- cereal::JSONInputArchive in_ar(ss);
- in_ar(cereal::make_nvp("spec", spec));
- in_ar(cereal::make_nvp("metadata", meta_data));
- } catch (cereal::Exception &e) {
- dbgWarning(D_LOCAL_POLICY) << "Failed to load spec JSON. Error: " << e.what();
- return false;
- }
- return true;
- }
-
- void
- setName(const std::string &_name)
- {
- spec.setName(_name);
- }
-
- const AppsecSpecParserMetaData &
- getMetaData() const
- {
- return meta_data;
- }
-
- const T & getSpec() const { return spec; }
-
-private:
- T spec;
- AppsecSpecParserMetaData meta_data;
-};
-
-#endif // __LOCAL_POLICY_COMMON_H__
diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/include/namespace_data.h b/components/security_apps/orchestration/local_policy_mgmt_gen/include/namespace_data.h
deleted file mode 100644
index a895467..0000000
--- a/components/security_apps/orchestration/local_policy_mgmt_gen/include/namespace_data.h
+++ /dev/null
@@ -1,35 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#ifndef __NAMESPACE_DATA_H__
-#define __NAMESPACE_DATA_H__
-
-#include 
-#include 
-
-#include "cereal/archives/json.hpp"
-#include 
-
-#include "rest.h"
-
-class NamespaceData : public ClientRest
-{
-public:
- bool loadJson(const std::string &json);
- Maybe getNamespaceUidByName(const std::string &name);
-
-private:
- std::map ns_name_to_uid;
-};
-
-#endif // __NAMESPACE_DATA_H__
diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/include/new_appsec_linux_policy.h b/components/security_apps/orchestration/local_policy_mgmt_gen/include/new_appsec_linux_policy.h
deleted file mode 100644
index d52c224..0000000
--- a/components/security_apps/orchestration/local_policy_mgmt_gen/include/new_appsec_linux_policy.h
+++ /dev/null
@@ -1,84 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#ifndef __NEW_APPSEC_LINUX_POLICY_H__
-#define __NEW_APPSEC_LINUX_POLICY_H__
-
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-
-#include "config.h"
-#include "debug.h"
-#include "customized_cereal_map.h"
-#include "new_appsec_policy_crd_parser.h"
-#include "new_custom_response.h"
-#include "new_exceptions.h"
-#include "new_log_trigger.h"
-#include "new_practice.h"
-#include "access_control_practice.h"
-#include "new_trusted_sources.h"
-
-
-class V1beta2AppsecLinuxPolicy : Singleton::Consume
-{
-public:
- // LCOV_EXCL_START Reason: no test exist
- V1beta2AppsecLinuxPolicy() {}
-
- V1beta2AppsecLinuxPolicy(
- const NewAppsecPolicySpec &_policies,
- const std::vector &_threat_prevention_practices,
- const std::vector &_access_control_practices,
- const std::vector &_log_triggers,
- const std::vector &_custom_responses,
- const std::vector &_exceptions,
- const std::vector &_trusted_sources,
- const std::vector &_sources_identifiers)
- :
- policies(_policies),
- threat_prevection_practices(_threat_prevention_practices),
- access_control_practices(_access_control_practices),
- log_triggers(_log_triggers),
- custom_responses(_custom_responses),
- exceptions(_exceptions),
- trusted_sources(_trusted_sources),
- sources_identifiers(_sources_identifiers) {}
- // LCOV_EXCL_STOP
-
- const NewAppsecPolicySpec & getAppsecPolicySpec() const;
- const std::vector & getAppSecPracticeSpecs() const;
- const std::vector & getAccessControlPracticeSpecs() const;
- const std::vector & getAppsecTriggerSpecs() const;
- const std::vector & getAppSecCustomResponseSpecs() const;
- const std::vector & getAppsecExceptionSpecs() const;
- const std::vector & getAppsecTrustedSourceSpecs() const;
- const std::vector & getAppsecSourceIdentifierSpecs() const;
- void addSpecificRule(const NewParsedRule &_rule);
-
-private:
- NewAppsecPolicySpec policies;
- std::vector threat_prevection_practices;
- std::vector access_control_practices;
- std::vector log_triggers;
- std::vector custom_responses;
- std::vector exceptions;
- std::vector trusted_sources;
- std::vector sources_identifiers;
-};
-
-#endif // __NEW_APPSEC_LINUX_POLICY_H__
diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/include/new_appsec_policy_crd_parser.h b/components/security_apps/orchestration/local_policy_mgmt_gen/include/new_appsec_policy_crd_parser.h
deleted file mode 100644
index db80891..0000000
--- a/components/security_apps/orchestration/local_policy_mgmt_gen/include/new_appsec_policy_crd_parser.h
+++ /dev/null
@@ -1,82 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#ifndef __NEW_APPSEC_POLICY_CRD_PARSER_H__
-#define __NEW_APPSEC_POLICY_CRD_PARSER_H__
-
-#include 
-#include 
-#include 
-#include 
-#include 
-
-#include "config.h"
-#include "debug.h"
-#include "rest.h"
-#include "local_policy_common.h"
-
-// LCOV_EXCL_START Reason: no test exist
-
-class NewParsedRule
-{
-public:
- NewParsedRule() {}
- NewParsedRule(const std::string &_host) : host(_host) {}
-
- void load(cereal::JSONInputArchive &archive_in);
-
- const std::vector & getLogTriggers() const;
- const std::vector & getExceptions() const;
- const std::vector & getPractices() const;
- const std::vector & getAccessControlPractices() const;
- const std::string & getSourceIdentifiers() const;
- const std::string & getCustomResponse() const;
- const std::string & getTrustedSources() const;
- const std::string & getHost() const;
- const std::string & getMode() const;
-
- void setHost(const std::string &_host);
- void setMode(const std::string &_mode);
-
-private:
- std::vector log_triggers;
- std::vector exceptions;
- std::vector threat_prevention_practices;
- std::vector access_control_practices;
- std::string source_identifiers;
- std::string custom_response;
- std::string trusted_sources;
- std::string host;
- std::string mode;
-};
-
-class NewAppsecPolicySpec : Singleton::Consume
-{
-public:
- void load(cereal::JSONInputArchive &archive_in);
-
- const NewParsedRule & getDefaultRule() const;
- const std::vector & getSpecificRules() const;
- const std::string & getAppSecClassName() const;
- bool isAssetHostExist(const std::string &full_url) const;
- void addSpecificRule(const NewParsedRule &_rule);
-
-private:
- std::string appsec_class_name;
- NewParsedRule default_rule;
- std::vector specific_rules;
-};
-
-
-#endif // __NEW_APPSEC_POLICY_CRD_PARSER_H__
-// LCOV_EXCL_STOP
diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/include/new_custom_response.h b/components/security_apps/orchestration/local_policy_mgmt_gen/include/new_custom_response.h
deleted file mode 100644
index 2902f5c..0000000
--- a/components/security_apps/orchestration/local_policy_mgmt_gen/include/new_custom_response.h
+++ /dev/null
@@ -1,51 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#ifndef __NEW_CUSTOM_RESPONSE_H__
-#define __NEW_CUSTOM_RESPONSE_H__
-
-#include 
-#include 
-#include 
-#include 
-#include 
-
-#include "config.h"
-#include "debug.h"
-#include "local_policy_common.h"
-
-class NewAppSecCustomResponse
-{
-public:
- void load(cereal::JSONInputArchive &archive_in);
-
- int getHttpResponseCode() const;
- const std::string & getMessageBody() const;
- const std::string & getMessageTitle() const;
- const std::string & getAppSecClassName() const;
- const std::string & getMode() const;
- const std::string & getName() const;
- void setName(const std::string &_name);
-
-private:
- bool redirect_add_x_event_id;
- int http_response_code;
- std::string appsec_class_name;
- std::string redirect_url;
- std::string message_title;
- std::string message_body;
- std::string mode;
- std::string name;
-};
-
-#endif // __NEW_CUSTOM_RESPONSE_H__
diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/include/new_exceptions.h b/components/security_apps/orchestration/local_policy_mgmt_gen/include/new_exceptions.h
deleted file mode 100644
index 9cc22db..0000000
--- a/components/security_apps/orchestration/local_policy_mgmt_gen/include/new_exceptions.h
+++ /dev/null
@@ -1,67 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#ifndef __NEW_EXCEPTIONS_H__
-#define __NEW_EXCEPTIONS_H__
-
-#include 
-#include 
-#include 
-#include 
-#include 
-
-#include "config.h"
-#include "debug.h"
-#include "rest.h"
-#include "local_policy_common.h"
-
-class NewAppsecExceptionCondition
-{
-public:
- void load(cereal::JSONInputArchive &archive_in);
-
- const std::string & getKey() const;
- const std::string & getvalue() const;
-
-private:
- std::string key;
- std::string value;
-};
-
-class NewAppsecException
-{
-public:
- void load(cereal::JSONInputArchive &archive_in);
-
- const std::string & getName() const;
- const std::string & getAction() const;
- const std::string & getAppSecClassName() const;
- const std::vector getCountryCode() const;
- const std::vector getCountryName() const;
- const std::vector getHostName() const;
- const std::vector getParamName() const;
- const std::vector getParamValue() const;
- const std::vector getProtectionName() const;
- const std::vector getSourceIdentifier() const;
- const std::vector getSourceIp() const;
- const std::vector getUrl() const;
- void setName(const std::string &_name);
-
-private:
- std::string appsec_class_name;
- std::string name;
- std::string action;
- std::vector conditions;
-};
-
-#endif // __NEW_EXCEPTIONS_H__
diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/include/new_log_trigger.h b/components/security_apps/orchestration/local_policy_mgmt_gen/include/new_log_trigger.h
deleted file mode 100644
index 8e36138..0000000
--- a/components/security_apps/orchestration/local_policy_mgmt_gen/include/new_log_trigger.h
+++ /dev/null
@@ -1,172 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#ifndef __NEW_LOG_TRIGGERS_H__
-#define __NEW_LOG_TRIGGERS_H__
-
-#include 
-#include 
-#include 
-#include 
-
-#include "config.h"
-#include "debug.h"
-#include "local_policy_common.h"
-#include "i_agent_details.h"
-#include "i_env_details.h"
-
-class NewAppsecTriggerAccessControlLogging
-{
-public:
- void load(cereal::JSONInputArchive &archive_in);
-
-private:
- bool allow_events = false;
- bool drop_events = false;
-};
-
-class NewAppsecTriggerAdditionalSuspiciousEventsLogging : public ClientRest
-{
-public:
- void load(cereal::JSONInputArchive &archive_in);
-
- bool isEnabled() const;
- bool isResponseBody() const;
- const std::string & getMinimumSeverity() const;
-
-private:
- bool enabled = true;
- bool response_body = false;
- bool response_code = false;
- std::string minimum_severity = "high";
-};
-
-class NewAppsecTriggerLogging : public ClientRest
-{
-public:
- void
- load(cereal::JSONInputArchive &archive_in);
-
- bool isAllWebRequests() const;
- bool isDetectEvents() const;
- bool isPreventEvents() const;
-
-private:
- bool all_web_requests = false;
- bool detect_events = false;
- bool prevent_events = true;
-};
-
-class NewAppsecTriggerExtendedLogging : public ClientRest
-{
-public:
- void load(cereal::JSONInputArchive &archive_in);
-
- bool isHttpHeaders() const;
- bool isRequestBody() const;
- bool isUrlPath() const;
- bool isUrlQuery() const;
-
-private:
- bool http_headers = false;
- bool request_body = false;
- bool url_path = false;
- bool url_query = false;
-};
-
-class NewLoggingService
-{
-public:
- void load(cereal::JSONInputArchive &archive_in);
-
- const std::string & getAddress() const;
- int getPort() const;
-
-private:
- std::string address;
- std::string proto;
- int port = 514;
-};
-
-class NewStdoutLogging
-{
-public:
- // LCOV_EXCL_START Reason: no test exist
- NewStdoutLogging() : format("json") {}
- // LCOV_EXCL_STOP
-
- void load(cereal::JSONInputArchive &archive_in);
- const std::string & getFormat() const;
-
-private:
- std::string format;
-};
-
-class NewAppsecTriggerLogDestination
- :
- public ClientRest,
- Singleton::Consume,
- Singleton::Consume
-{
-public:
- void load(cereal::JSONInputArchive &archive_in);
-
- int getCefServerUdpPort() const;
- int getSyslogServerUdpPort() const;
- bool isAgentLocal() const;
- bool shouldBeautifyLogs() const;
-
- bool getCloud() const;
- bool isK8SNeeded() const;
- bool isCefNeeded() const;
- bool isSyslogNeeded() const;
- const std::string & getSyslogServerIpv4Address() const;
- const std::string & getCefServerIpv4Address() const;
-
-private:
- const NewLoggingService & getSyslogServiceData() const;
- const NewLoggingService & getCefServiceData() const;
-
- bool cloud = false;
- bool k8s_service = false;
- bool agent_local = true;
- bool beautify_logs = true;
- NewLoggingService syslog_service;
- NewLoggingService cef_service;
-};
-
-class NewAppsecLogTrigger
-{
-public:
- void load(cereal::JSONInputArchive &archive_in);
-
- const std::string & getName() const;
- const std::string & getAppSecClassName() const;
- void setName(const std::string &_name);
- const NewAppsecTriggerAdditionalSuspiciousEventsLogging &
- getAppsecTriggerAdditionalSuspiciousEventsLogging() const;
- const NewAppsecTriggerLogging & getAppsecTriggerLogging() const;
- const NewAppsecTriggerExtendedLogging & getAppsecTriggerExtendedLogging() const;
- const NewAppsecTriggerLogDestination & getAppsecTriggerLogDestination() const;
-
-private:
- NewAppsecTriggerAccessControlLogging access_control_logging;
- NewAppsecTriggerAdditionalSuspiciousEventsLogging additional_suspicious_events_logging;
- NewAppsecTriggerLogging appsec_logging;
- NewAppsecTriggerExtendedLogging extended_logging;
- NewAppsecTriggerLogDestination log_destination;
- std::string name;
- std::string appsec_class_name;
-};
-
-#endif // __NEW_LOG_TRIGGERS_H__
diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/include/new_practice.h b/components/security_apps/orchestration/local_policy_mgmt_gen/include/new_practice.h
deleted file mode 100644
index 553fb06..0000000
--- a/components/security_apps/orchestration/local_policy_mgmt_gen/include/new_practice.h
+++ /dev/null
@@ -1,395 +0,0 @@ -// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. - -// Licensed under the Apache License, Version 2.0 (the "License"); -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -#ifndef __NEW_PRACTICE_H__ -#define __NEW_PRACTICE_H__ - -#include -#include -#include -#include -#include - -#include "config.h" -#include "debug.h" -#include "local_policy_common.h" - -class IpsProtectionsRulesSection -{ -public: - // LCOV_EXCL_START Reason: no test exist - IpsProtectionsRulesSection() {}; - - IpsProtectionsRulesSection( - const int _protections_from_year, - const std::string &_action, - const std::string &_confidence_level, - const std::string &_performance_impact, - const std::string &_source_identifier, - const std::string &_severity_level - ) - : - protections_from_year(_protections_from_year), - action(_action), - confidence_level(_confidence_level), - performance_impact(_performance_impact), - source_identifier(_source_identifier), - severity_level(_severity_level) - {}; - // LCOV_EXCL_STOP - - void save(cereal::JSONOutputArchive &out_ar) const; - -private: - int protections_from_year; - std::string action; - std::string confidence_level; - std::string performance_impact; - std::string source_identifier; - std::string severity_level; -}; - -class IpsProtectionsSection -{ -public: - // LCOV_EXCL_START Reason: no test exist - IpsProtectionsSection() {}; - // LCOV_EXCL_STOP - - IpsProtectionsSection( - const std::string &_context, - const std::string &asset_name, - const std::string &_asset_id, - const std::string &_practice_name, - const std::string 
&_practice_id, - const std::string &_source_identifier, - const std::string &_mode, - const std::vector &_rules); - - std::string & getMode(); - - void save(cereal::JSONOutputArchive &out_ar) const; - -private: - std::string context; - std::string name; - std::string asset_id; - std::string practice_name; - std::string practice_id; - std::string source_identifier; - std::string mode; - std::vector rules; -}; - -class IPSSection -{ -public: - // LCOV_EXCL_START Reason: no test exist - IPSSection() {}; - - IPSSection(const std::vector &_ips) : ips(_ips) {}; - // LCOV_EXCL_STOP - - void save(cereal::JSONOutputArchive &out_ar) const; - -private: - std::vector ips; -}; - -class IntrusionPreventionWrapper -{ -public: - // LCOV_EXCL_START Reason: no test exist - IntrusionPreventionWrapper() {}; - - IntrusionPreventionWrapper(const std::vector &_ips) : ips(IPSSection(_ips)) {}; - // LCOV_EXCL_STOP - - void save(cereal::JSONOutputArchive &out_ar) const; - -private: - IPSSection ips; -}; - -class NewIntrusionPrevention -{ -public: - void load(cereal::JSONInputArchive &archive_in); - - std::vector createIpsRules() const; - const std::string & getMode() const; - -private: - std::string override_mode; - std::string max_performance_impact; - std::string min_severity_level; - std::string high_confidence_event_action; - std::string medium_confidence_event_action; - std::string low_confidence_event_action; - int min_cve_Year; -}; - -class FileSecurityProtectionsSection -{ -public: - // LCOV_EXCL_START Reason: no test exist - FileSecurityProtectionsSection() {}; - // LCOV_EXCL_STOP - - FileSecurityProtectionsSection( - int file_size_limit, - int archive_file_size_limit, - bool allow_files_without_name, - bool required_file_size_limit, - bool required_archive_extraction, - const std::string &context, - const std::string &name, - const std::string &asset_id, - const std::string &practice_name, - const std::string &practice_id, - const std::string &action, - const std::string 
&files_without_name_action, - const std::string &high_confidence_action, - const std::string &medium_confidence_action, - const std::string &low_confidence_action, - const std::string &severity_level, - const std::string &fileSize_limit_action, - const std::string &multi_level_archive_action, - const std::string &unopened_archive_actio - ); - - void save(cereal::JSONOutputArchive &out_ar) const; - -private: - int file_size_limit; - int archive_file_size_limit; - bool allow_files_without_name; - bool required_file_size_limit; - bool required_archive_extraction; - std::string context; - std::string name; - std::string asset_id; - std::string practice_name; - std::string practice_id; - std::string action; - std::string files_without_name_action; - std::string high_confidence_action; - std::string medium_confidence_action; - std::string low_confidence_action; - std::string severity_level; - std::string file_size_limit_action; - std::string file_size_limit_unit; - std::string scan_max_file_size_unit; - std::string multi_level_archive_action; - std::string unopened_archive_action; -}; - -class FileSecuritySection -{ -public: - // LCOV_EXCL_START Reason: no test exist - FileSecuritySection() {}; - - FileSecuritySection(const std::vector &_file_security) - : - file_security(_file_security) {}; - // LCOV_EXCL_STOP - - void save(cereal::JSONOutputArchive &out_ar) const; - -private: - std::vector file_security; -}; - -class FileSecurityWrapper -{ -public: - // LCOV_EXCL_START Reason: no test exist - FileSecurityWrapper() {}; - - FileSecurityWrapper(const std::vector &_file_security) - : - file_security(FileSecuritySection(_file_security)) {}; - // LCOV_EXCL_STOP - - void save(cereal::JSONOutputArchive &out_ar) const; - -private: - FileSecuritySection file_security; -}; - -class NewFileSecurityArchiveInspection -{ -public: - void load(cereal::JSONInputArchive &archive_in); - - int getArchiveFileSizeLimit() const; - bool getrequiredArchiveExtraction() const; - const std::string 
& getMultiLevelArchiveAction() const; - const std::string & getUnopenedArchiveAction() const; - -private: - int scan_max_file_size; - bool extract_archive_files; - std::string scan_max_file_size_unit; - std::string archived_files_within_archived_files; - std::string archived_files_where_content_extraction_failed; -}; - -class NewFileSecurityLargeFileInspection -{ -public: - void load(cereal::JSONInputArchive &archive_in); - - int getFileSizeLimit() const; - const std::string & getFileSizeLimitAction() const; - -private: - int file_size_limit; - std::string file_size_limit_unit; - std::string files_exceeding_size_limit_action; -}; - -class NewFileSecurity -{ -public: - void load(cereal::JSONInputArchive &archive_in); - - const NewFileSecurityArchiveInspection & getArchiveInspection() const; - const NewFileSecurityLargeFileInspection & getLargeFileInspection() const; - FileSecurityProtectionsSection createFileSecurityProtectionsSection( - const std::string &context, - const std::string &asset_name, - const std::string &asset_id, - const std::string &practice_name, - const std::string &practice_id - ) const; - -private: - bool threat_emulation_enabled; - std::string override_mode; - std::string min_severity_level; - std::string high_confidence_event_action; - std::string medium_confidence_event_action; - std::string low_confidence_event_action; - std::string unnamed_files_action; - NewFileSecurityArchiveInspection archive_inspection; - NewFileSecurityLargeFileInspection large_file_inspection; -}; - -class NewSnortSignaturesAndOpenSchemaAPI -{ -public: - void load(cereal::JSONInputArchive &archive_in); - - const std::string & getOverrideMode() const; - const std::vector & getConfigMap() const; - -private: - std::string override_mode; - std::vector config_map; -}; - -class NewAppSecWebBotsURI -{ -public: - void load(cereal::JSONInputArchive &archive_in); - - const std::string & getURI() const; - -private: - std::string uri; -}; - -class NewAppSecPracticeAntiBot -{ 
-public: - std::vector getIjectedUris() const; - std::vector getValidatedUris() const; - - void load(cereal::JSONInputArchive &archive_in); - void save(cereal::JSONOutputArchive &out_ar) const; - -private: - std::string override_mode; - std::vector injected_uris; - std::vector validated_uris; -}; - -class NewAppSecWebAttackProtections -{ -public: - void load(cereal::JSONInputArchive &archive_in); - - const std::string getCsrfProtectionMode() const; - const std::string & getErrorDisclosureMode() const; - bool getNonValidHttpMethods() const; - const std::string getOpenRedirectMode() const; - -private: - std::string csrf_protection; - std::string open_redirect; - std::string error_disclosure; - bool non_valid_http_methods; -}; - -class NewAppSecPracticeWebAttacks -{ -public: - void load(cereal::JSONInputArchive &archive_in); - - int getMaxBodySizeKb() const; - int getMaxHeaderSizeBytes() const; - int getMaxObjectDepth() const; - int getMaxUrlSizeBytes() const; - const std::string & getMinimumConfidence() const; - const NewAppSecWebAttackProtections & getprotections() const; - const std::string & getMode(const std::string &default_mode = "Inactive") const; - -private: - int max_body_size_kb; - int max_header_size_bytes; - int max_object_depth; - int max_url_size_bytes; - std::string mode; - std::string minimum_confidence; - NewAppSecWebAttackProtections protections; -}; - -class NewAppSecPracticeSpec -{ -public: - void load(cereal::JSONInputArchive &archive_in); - - const NewSnortSignaturesAndOpenSchemaAPI & getOpenSchemaValidation() const; - const NewSnortSignaturesAndOpenSchemaAPI & getSnortSignatures() const; - const NewAppSecPracticeWebAttacks & getWebAttacks() const; - const NewAppSecPracticeAntiBot & getAntiBot() const; - const NewIntrusionPrevention & getIntrusionPrevention() const; - const NewFileSecurity & getFileSecurity() const; - const std::string & getAppSecClassName() const; - const std::string & getName() const; - void setName(const std::string &_name); 
- -private: - NewFileSecurity file_security; - NewIntrusionPrevention intrusion_prevention; - NewSnortSignaturesAndOpenSchemaAPI openapi_schema_validation; - NewSnortSignaturesAndOpenSchemaAPI snort_signatures; - NewAppSecPracticeWebAttacks web_attacks; - NewAppSecPracticeAntiBot anti_bot; - std::string appsec_class_name; - std::string practice_name; -}; - -#endif // __NEW_PRACTICE_H__ diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/include/new_trusted_sources.h b/components/security_apps/orchestration/local_policy_mgmt_gen/include/new_trusted_sources.h deleted file mode 100644 index 9566ced..0000000 --- a/components/security_apps/orchestration/local_policy_mgmt_gen/include/new_trusted_sources.h +++ /dev/null 
@@ -1,74 +0,0 @@ -// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. - -// Licensed under the Apache License, Version 2.0 (the "License"); -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -#ifndef __NEW_TRUSTED_SOURCES_H__ -#define __NEW_TRUSTED_SOURCES_H__ - -#include -#include -#include -#include -#include - -#include "config.h" -#include "debug.h" -#include "local_policy_common.h" - -class NewTrustedSourcesSpec -{ -public: - void load(cereal::JSONInputArchive &archive_in); - - int getMinNumOfSources() const; - const std::vector & getSourcesIdentifiers() const; - const std::string & getAppSecClassName() const; - const std::string & getName() const; - void setName(const std::string &_name); - -private: - int min_num_of_sources = 0; - std::string name; - std::vector sources_identifiers; - std::string appsec_class_name; -}; - -class Identifier -{ -public: - void load(cereal::JSONInputArchive &archive_in); - - const std::string & getIdentifier() const; - const std::vector & getValues() const; - -private: - std::string identifier; - std::vector value; -}; - -class NewSourcesIdentifiers -{ -public: - void load(cereal::JSONInputArchive &archive_in); - - const std::string & getName() const; - const std::string & getAppSecClassName() const; - const std::vector & getSourcesIdentifiers() const; - void setName(const std::string &_name); - -private: - std::string name; - std::string appsec_class_name; - std::vector sources_identifiers; -}; - -#endif // __NEW_TRUSTED_SOURCES_H__ 
diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/include/policy_maker_utils.h b/components/security_apps/orchestration/local_policy_mgmt_gen/include/policy_maker_utils.h deleted file mode 100644 index 1e8b9b1..0000000 --- a/components/security_apps/orchestration/local_policy_mgmt_gen/include/policy_maker_utils.h +++ /dev/null 
@@ -1,246 +0,0 @@ -// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. - -// Licensed under the Apache License, Version 2.0 (the "License"); -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -#ifndef __POLICY_MAKER_UTILS_H__ -#define __POLICY_MAKER_UTILS_H__ - -#include -#include -#include -#include - -#include -#include -#include -#include - -#include "debug.h" -#include "common.h" -#include "maybe_res.h" -#include "i_orchestration_tools.h" -#include "i_shell_cmd.h" -#include "i_messaging.h" -#include "appsec_practice_section.h" -#include "ingress_data.h" -#include "settings_section.h" -#include "triggers_section.h" -#include "local_policy_common.h" -#include "exceptions_section.h" -#include "rules_config_section.h" -#include "trusted_sources_section.h" -#include "new_appsec_linux_policy.h" -#include "access_control_practice.h" - -enum class AnnotationTypes { - PRACTICE, - THREAT_PREVENTION_PRACTICE, - ACCESS_CONTROL_PRACTICE, - TRIGGER, - EXCEPTION, - WEB_USER_RES, - SOURCE_IDENTIFIERS, - TRUSTED_SOURCES, - COUNT -}; - -class SecurityAppsWrapper -{ -public: - SecurityAppsWrapper( - const AppSecWrapper &_waap, - const TriggersWrapper &_trrigers, - const RulesConfigWrapper &_rules, - const IntrusionPreventionWrapper &_ips, - const AccessControlRulebaseWrapper &_rate_limit, - const FileSecurityWrapper &_file_security, - const ExceptionsWrapper &_exceptions, - const std::string &_policy_version) - : - waap(_waap), - trrigers(_trrigers), - rules(_rules), - ips(_ips), - rate_limit(_rate_limit), - file_security(_file_security), - exceptions(_exceptions), - 
policy_version(_policy_version) {} - - void save(cereal::JSONOutputArchive &out_ar) const; - -private: - AppSecWrapper waap; - TriggersWrapper trrigers; - RulesConfigWrapper rules; - IntrusionPreventionWrapper ips; - AccessControlRulebaseWrapper rate_limit; - FileSecurityWrapper file_security; - ExceptionsWrapper exceptions; - std::string policy_version; -}; - -class PolicyWrapper -{ -public: - PolicyWrapper( - const SettingsWrapper &_settings, - const SecurityAppsWrapper &_security_apps) - : - settings(_settings), - security_apps(_security_apps) {} - - void save(cereal::JSONOutputArchive &out_ar) const; - -private: - SettingsWrapper settings; - SecurityAppsWrapper security_apps; -}; - -class PolicyMakerUtils - : - Singleton::Consume, - Singleton::Consume, - Singleton::Consume, - Singleton::Consume -{ -public: - std::string proccesSingleAppsecPolicy( - const std::string &policy_path, - const std::string &policy_version, - const std::string &local_appsec_policy_path - ); - - template - std::string proccesMultipleAppsecPolicies( - const std::map &appsec_policies, - const std::string &policy_version, - const std::string &local_appsec_policy_path - ); - -private: - std::string getPolicyName(const std::string &policy_path); - - Maybe openPolicyAsJson(const std::string &policy_path); - - void clearElementsMaps(); - - bool startsWith(const std::string &str, const std::string &prefix); - - bool endsWith(const std::string &str, const std::string &suffix); - - std::tuple splitHostName(const std::string &host_name); - - std::string dumpPolicyToFile(const PolicyWrapper &policy, const std::string &policy_path); - - PolicyWrapper combineElementsToPolicy(const std::string &policy_version); - - void - createIpsSections( - const std::string &asset_id, - const std::string &asset_name, - const std::string &practice_id, - const std::string &practice_name, - const std::string &source_identifier, - const std::string & context, - const V1beta2AppsecLinuxPolicy &policy, - std::map 
&rule_annotations - ); - - void - createFileSecuritySections( - const std::string &asset_id, - const std::string &asset_name, - const std::string &practice_id, - const std::string &practice_name, - const std::string & context, - const V1beta2AppsecLinuxPolicy &policy, - std::map &rule_annotations - ); - - void - createRateLimitSection( - const std::string &asset_name, - const std::string &url, - const std::string &uri, - const std::string &trigger_id, - const V1beta2AppsecLinuxPolicy &policy, - std::map &rule_annotations - ); - - void createWebAppSection( - const V1beta2AppsecLinuxPolicy &policy, - const RulesConfigRulebase& rule_config, - const std::string &practice_id, const std::string &full_url, - const std::string &default_mode, - std::map &rule_annotations - ); - - void - createThreatPreventionPracticeSections( - const std::string &asset_name, - const std::string &url, - const std::string &uri, - const std::string &default_mode, - const V1beta2AppsecLinuxPolicy &policy, - std::map &rule_annotations - ); - - template - void createPolicyElementsByRule( - const R &rule, - const R &default_rule, - const T &policy, - const std::string &policy_name - ); - - template - void createPolicyElements( - const std::vector &rules, - const R &default_rule, - const T &policy, - const std::string &policy_name - ); - - template - void createAgentPolicyFromAppsecPolicy(const std::string &policy_name, const T &appsec_policy); - - std::map log_triggers; - std::map web_user_res_triggers; - std::map inner_exceptions; - std::map web_apps; - std::map rules_config; - std::map ips; - std::map file_security; - std::map rate_limit; - std::map users_identifiers; - std::map trusted_sources; -}; - -template -std::string -PolicyMakerUtils::proccesMultipleAppsecPolicies( - const std::map &appsec_policies, - const std::string &policy_version, - const std::string &local_appsec_policy_path) -{ - for (const auto &appsec_policy : appsec_policies) { - 
createAgentPolicyFromAppsecPolicy(appsec_policy.first, appsec_policy.second); - } - - PolicyWrapper policy_wrapper = combineElementsToPolicy(policy_version); - return dumpPolicyToFile( - policy_wrapper, - local_appsec_policy_path - ); -} - -#endif // __POLICY_MAKER_UTILS_H__ diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/include/rules_config_section.h b/components/security_apps/orchestration/local_policy_mgmt_gen/include/rules_config_section.h deleted file mode 100644 index 189cff4..0000000 --- a/components/security_apps/orchestration/local_policy_mgmt_gen/include/rules_config_section.h +++ /dev/null 
@@ -1,190 +0,0 @@ -// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. - -// Licensed under the Apache License, Version 2.0 (the "License"); -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -#ifndef __RULES_CONFIG_SECTION_H__ -#define __RULES_CONFIG_SECTION_H__ - -#include -#include -#include -#include -#include -#include - -#include "config.h" -#include "debug.h" -#include "local_policy_common.h" - -class AssetUrlParser -{ -public: - AssetUrlParser() {} - - static AssetUrlParser parse(const std::string &uri); - std::string query_string, asset_uri, protocol, asset_url, port; -}; - -class PracticeSection -{ -public: - PracticeSection( - const std::string &_id, - const std::string &_type, - const std::string &_practice_name - ); - - void save(cereal::JSONOutputArchive &out_ar) const; - -private: - std::string id; - std::string name; - std::string type; -}; - -class ParametersSection -{ -public: - ParametersSection(const std::string &_id, const std::string &_name); - - void save(cereal::JSONOutputArchive &out_ar) const; - -private: - std::string name; - std::string id; - std::string type = "Exception"; -}; - -class RulesTriggerSection -{ -public: - RulesTriggerSection( - const std::string &_name, - const std::string &_id, - const std::string &_type - ); - - void save(cereal::JSONOutputArchive &out_ar) const; - -private: - std::string name; - std::string id; - std::string type; -}; - -class RulesConfigRulebase -{ -public: - RulesConfigRulebase() - {} - - RulesConfigRulebase( - const std::string &_name, - const std::string &_url, - const std::string &_uri, - std::vector 
_practices, - std::vector _parameters, - std::vector _triggers - ); - - void save(cereal::JSONOutputArchive &out_ar) const; - - const std::string & getAssetName() const; - const std::string & getAssetId() const; - const std::string & getContext() const; - -private: - std::string context; - std::string id; - std::string name; - std::vector practices; - std::vector parameters; - std::vector triggers; -}; - -class UsersIdentifier -{ -public: - UsersIdentifier() {} - - UsersIdentifier( - const std::string &_source_identifier, - std::vector _identifier_values - ); - - const std::string & getIdentifier() const; - - void save(cereal::JSONOutputArchive &out_ar) const; - -private: - std::string source_identifier; - std::vector identifier_values; -}; - -class UsersIdentifiersRulebase -{ -public: - UsersIdentifiersRulebase() - {} - - UsersIdentifiersRulebase( - const std::string &_context, - const std::string &_source_identifier, - const std::vector &_identifier_values, - const std::vector &_source_identifiers - ); - - const std::string & getIdentifier() const; - - void save(cereal::JSONOutputArchive &out_ar) const; - -private: - std::string context; - std::string source_identifier; - std::vector identifier_values; - std::vector source_identifiers; -}; - -class RulesRulebase -{ -public: - RulesRulebase( - const std::vector &_rules_config, - const std::vector &_users_identifiers - ); - - void save(cereal::JSONOutputArchive &out_ar) const; - -private: - static bool sortBySpecific(const RulesConfigRulebase &first, const RulesConfigRulebase &second); - static bool sortBySpecificAux(const std::string &first, const std::string &second); - - std::vector rules_config; - std::vector users_identifiers; -}; - -class RulesConfigWrapper -{ -public: - RulesConfigWrapper( - const std::vector &_rules_config, - const std::vector &_users_identifiers) - : - rules_config_rulebase(RulesRulebase(_rules_config, _users_identifiers)) - {} - - void save(cereal::JSONOutputArchive &out_ar) const; - 
-private: - RulesRulebase rules_config_rulebase; -}; -#endif // __RULES_CONFIG_SECTION_H__ diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/include/settings_section.h b/components/security_apps/orchestration/local_policy_mgmt_gen/include/settings_section.h deleted file mode 100644 index ebbfaee..0000000 --- a/components/security_apps/orchestration/local_policy_mgmt_gen/include/settings_section.h +++ /dev/null 
@@ -1,68 +0,0 @@ -// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. - -// Licensed under the Apache License, Version 2.0 (the "License"); -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -#ifndef __SETTINGS_SECTION_H__ -#define __SETTINGS_SECTION_H__ - -#include -#include -#include -#include - -#include "config.h" -#include "debug.h" -#include "local_policy_common.h" - -// LCOV_EXCL_START Reason: no test exist -class AgentSettingsSection -{ -public: - AgentSettingsSection(const std::string &_key, const std::string &_value); - - void save(cereal::JSONOutputArchive &out_ar) const; - const std::string & getSettingId() const; - -private: - std::string id; - std::string key; - std::string value; -}; - -class SettingsRulebase -{ -public: - SettingsRulebase(std::vector _agentSettings) : agentSettings(_agentSettings) {} - - void save(cereal::JSONOutputArchive &out_ar) const; - -private: - std::vector agentSettings; -}; - -class SettingsWrapper -{ -public: - SettingsWrapper(SettingsRulebase _agent); - - void save(cereal::JSONOutputArchive &out_ar) const; - -private: - std::string profileType = "agent"; - bool isToken = true; - std::string tokenType = "sameToken"; - std::string id; - std::string name = "Kubernetes Agents"; - SettingsRulebase agent; -}; -// LCOV_EXCL_STOP -#endif // __SETTINGS_SECTION_H__ diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/include/snort_section.h b/components/security_apps/orchestration/local_policy_mgmt_gen/include/snort_section.h deleted file mode 100644 index 6d4c87f..0000000 
--- a/components/security_apps/orchestration/local_policy_mgmt_gen/include/snort_section.h +++ /dev/null @@ -1,50 +0,0 @@ -// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. - -// Licensed under the Apache License, Version 2.0 (the "License"); -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -#ifndef __SNORT_SECTION_H__ -#define __SNORT_SECTION_H__ - -#include -#include -#include -#include - -#include "config.h" -#include "debug.h" - -// LCOV_EXCL_START Reason: no test exist -class AgentSettingsSection -{ -public: - AgentSettingsSection(std::string _key, std::string _value); - - void save(cereal::JSONOutputArchive &out_ar) const; - -private: - std::string id; - std::string key; - std::string value; -}; - -class IpsSnortSigsRulebase -{ -public: - IpsSnortSigsRulebase(std::vector _agentSettings) : agentSettings(_agentSettings) {} - - void save(cereal::JSONOutputArchive &out_ar) const; - -private: - std::vector agentSettings; -}; -// LCOV_EXCL_STOP -#endif // __SNORT_SECTION_H__ diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/include/triggers_section.h b/components/security_apps/orchestration/local_policy_mgmt_gen/include/triggers_section.h deleted file mode 100644 index 5a76463..0000000 --- a/components/security_apps/orchestration/local_policy_mgmt_gen/include/triggers_section.h +++ /dev/null 
@@ -1,305 +0,0 @@ -// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. - -// Licensed under the Apache License, Version 2.0 (the "License"); -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -#ifndef __TRIGGERS_SECTION_H__ -#define __TRIGGERS_SECTION_H__ - -#include -#include -#include -#include - -#include "config.h" -#include "debug.h" -#include "local_policy_common.h" -#include "i_agent_details.h" -#include "i_env_details.h" - -class LogTriggerSection -{ -public: - LogTriggerSection() - {} - - LogTriggerSection( - const std::string &_name, - const std::string &_verbosity, - const std::string &_extendloggingMinSeverity, - bool _extendlogging, - bool _logToAgent, - bool _logToCef, - bool _logToCloud, - bool _logToK8sService, - bool _logToSyslog, - bool _responseBody, - bool _tpDetect, - bool _tpPrevent, - bool _webBody, - bool _webHeaders, - bool _webRequests, - bool _webUrlPath, - bool _webUrlQuery, - int _cefPortNum, - const std::string &_cefIpAddress, - int _syslogPortNum, - const std::string &_syslogIpAddress, - bool _beautify_logs - ); - - void save(cereal::JSONOutputArchive &out_ar) const; - - const std::string & getTriggerId() const; - const std::string & getTriggerName() const; - -private: - std::string id; - std::string name; - std::string context; - std::string verbosity; - std::string extendloggingMinSeverity; - bool extendlogging; - bool logToAgent; - bool logToCef; - bool logToCloud; - bool logToK8sService; - bool logToSyslog; - bool responseBody; - bool tpDetect; - bool tpPrevent; - bool webBody; - bool webHeaders; - bool webRequests; - bool 
webUrlPath; - bool webUrlQuery; - int cefPortNum; - std::string cefIpAddress; - int syslogPortNum; - std::string syslogIpAddress; - bool beautify_logs; -}; - -class WebUserResponseTriggerSection -{ -public: - WebUserResponseTriggerSection() {} - - WebUserResponseTriggerSection( - const std::string &_name, - const std::string &_details_level, - const std::string &_response_body, - int _response_code, - const std::string &_response_title - ); - - void save(cereal::JSONOutputArchive &out_ar) const; - - const std::string & getTriggerId() const; - -private: - std::string id; - std::string name; - std::string context; - std::string details_level; - std::string response_body; - std::string response_title; - int response_code; -}; - -class AppSecCustomResponseSpec -{ -public: - void load(cereal::JSONInputArchive &archive_in); - - int getHttpResponseCode() const; - const std::string & getMessageBody() const; - const std::string & getMessageTitle() const; - const std::string & getMode() const; - const std::string & getName() const; - void setName(const std::string &_name); - -private: - int httpResponseCode; - std::string messageBody; - std::string messageTitle; - std::string mode; - std::string name; -}; - -class TriggersRulebase -{ -public: - TriggersRulebase( - std::vector _logTriggers, - std::vector _webUserResponseTriggers) - : - logTriggers(_logTriggers), - webUserResponseTriggers(_webUserResponseTriggers) {} - - - void save(cereal::JSONOutputArchive &out_ar) const; - -private: - std::vector logTriggers; - std::vector webUserResponseTriggers; -}; - -class AppsecTriggerAccessControlLogging -{ -public: - void load(cereal::JSONInputArchive &archive_in); - -private: - bool allow_events = false; - bool drop_events = false; -}; - -class AppsecTriggerAdditionalSuspiciousEventsLogging : public ClientRest -{ -public: - void load(cereal::JSONInputArchive &archive_in); - - bool isEnabled() const; - bool isResponseBody() const; - const std::string & getMinimumSeverity() const; - 
-private: - bool enabled = true; - bool response_body = false; - std::string minimum_severity = "high"; -}; - -class AppsecTriggerLogging : public ClientRest -{ -public: - void - load(cereal::JSONInputArchive &archive_in); - - bool isAllWebRequests() const; - bool isDetectEvents() const; - bool isPreventEvents() const; - -private: - bool all_web_requests = false; - bool detect_events = false; - bool prevent_events = true; -}; - -class AppsecTriggerExtendedLogging : public ClientRest -{ -public: - void load(cereal::JSONInputArchive &archive_in); - - bool isHttpHeaders() const; - bool isRequestBody() const; - bool isUrlPath() const; - bool isUrlQuery() const; - -private: - bool http_headers = false; - bool request_body = false; - bool url_path = false; - bool url_query = false; -}; - -class LoggingService -{ -public: - void load(cereal::JSONInputArchive &archive_in); - - const std::string & getAddress() const; - int getPort() const; - -private: - std::string address; - std::string proto; - int port = 514; -}; - -class StdoutLogging -{ -public: - StdoutLogging() : format("json") {} - - void load(cereal::JSONInputArchive &archive_in); - const std::string & getFormat() const; - -private: - std::string format; -}; - -class AppsecTriggerLogDestination - : - public ClientRest, - Singleton::Consume, - Singleton::Consume -{ -public: - void load(cereal::JSONInputArchive &archive_in); - - int getCefServerUdpPort() const; - int getSyslogServerUdpPort() const; - bool isAgentLocal() const; - bool shouldBeautifyLogs() const; - - bool getCloud() const; - bool isK8SNeeded() const; - bool isCefNeeded() const; - bool isSyslogNeeded() const; - const std::string & getSyslogServerIpv4Address() const; - const std::string & getCefServerIpv4Address() const; - -private: - const LoggingService & getSyslogServiceData() const; - const LoggingService & getCefServiceData() const; - - bool cloud = false; - bool k8s_service = false; - bool agent_local = true; - bool beautify_logs = true; - 
LoggingService syslog_service; - LoggingService cef_service; -}; - -class AppsecTriggerSpec -{ -public: - void load(cereal::JSONInputArchive &archive_in); - - const std::string & getName() const; - void setName(const std::string &_name); - const AppsecTriggerAdditionalSuspiciousEventsLogging & getAppsecTriggerAdditionalSuspiciousEventsLogging() const; - const AppsecTriggerLogging & getAppsecTriggerLogging() const; - const AppsecTriggerExtendedLogging & getAppsecTriggerExtendedLogging() const; - const AppsecTriggerLogDestination & getAppsecTriggerLogDestination() const; - -private: - AppsecTriggerAccessControlLogging access_control_logging; - AppsecTriggerAdditionalSuspiciousEventsLogging additional_suspicious_events_logging; - AppsecTriggerLogging appsec_logging; - AppsecTriggerExtendedLogging extended_logging; - AppsecTriggerLogDestination log_destination; - std::string name; -}; - -class TriggersWrapper -{ -public: - TriggersWrapper(const TriggersRulebase &_triggers) : triggers_rulebase(_triggers) - {} - - void save(cereal::JSONOutputArchive &out_ar) const; - -private: - TriggersRulebase triggers_rulebase; -}; -#endif // __TRIGGERS_SECTION_H__ diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/include/trusted_sources_section.h b/components/security_apps/orchestration/local_policy_mgmt_gen/include/trusted_sources_section.h deleted file mode 100755 index 09f1dcc..0000000 --- a/components/security_apps/orchestration/local_policy_mgmt_gen/include/trusted_sources_section.h +++ /dev/null 
@@ -1,108 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#ifndef __TRUSTED_SOURCES_SECTION_H__
-#define __TRUSTED_SOURCES_SECTION_H__
-
-#include
-#include
-#include
-#include
-#include
-
-#include "config.h"
-#include "debug.h"
-#include "local_policy_common.h"
-
-class TrustedSourcesSpec
-{
-public:
- void load(cereal::JSONInputArchive &archive_in);
-
- int getMinNumOfSources() const;
- const std::vector & getSourcesIdentifiers() const;
- const std::string & getName() const;
- void setName(const std::string &_name);
-
-private:
- int min_num_of_sources = 0;
- std::string name;
- std::vector sources_identifiers;
-};
-
-class SourcesIdentifiers
-{
-public:
- SourcesIdentifiers(const std::string &_source_identifier, const std::string &_value)
- :
- source_identifier(_source_identifier),
- value(_value)
- {}
-
- void save(cereal::JSONOutputArchive &out_ar) const;
- const std::string & getSourceIdent() const;
-
-private:
- std::string source_identifier;
- std::string value;
-};
-
-class SourceIdentifierSpec
-{
-public:
- void load(cereal::JSONInputArchive &archive_in);
-
- const std::string & getSourceIdentifier() const;
- const std::vector & getValues() const;
-
-private:
- std::string source_identifier;
- std::vector value;
-};
-
-class SourceIdentifierSpecWrapper
-{
-public:
- void load(cereal::JSONInputArchive &archive_in);
-
- const std::string & getName() const;
- const std::vector & getIdentifiers() const;
- void setName(const std::string &_name);
-
-private:
- std::string name;
- std::vector identifiers;
-};
-
-class AppSecTrustedSources
-{
-public:
- AppSecTrustedSources()
- {}
-
- AppSecTrustedSources(
- const std::string &_name,
- int _num_of_sources,
- const std::vector &_sources_identifiers
- );
-
- void save(cereal::JSONOutputArchive &out_ar) const;
- const std::vector & getSourcesIdentifiers() const;
-
-private:
- std::string id;
- std::string name;
- int num_of_sources = 0;
- std::vector sources_identifiers;
-};
-#endif // __TRUSTED_SOURCES_SECTION_H__
diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/ingress_data.cc b/components/security_apps/orchestration/local_policy_mgmt_gen/ingress_data.cc
deleted file mode 100644
index 8be6f1d..0000000
--- a/components/security_apps/orchestration/local_policy_mgmt_gen/ingress_data.cc
+++ /dev/null
@@ -1,149 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "ingress_data.h"
-#include "customized_cereal_map.h"
-
-using namespace std;
-
-USE_DEBUG_FLAG(D_LOCAL_POLICY);
-void
-IngressMetadata::load(cereal::JSONInputArchive &archive_in)
-{
- dbgTrace(D_LOCAL_POLICY) << "IngressMetadata load";
- parseAppsecJSONKey("name", name, archive_in);
- parseAppsecJSONKey("resourceVersion", resourceVersion, archive_in);
- parseAppsecJSONKey("namespace", namespace_name, archive_in);
- parseAppsecJSONKey>("annotations", annotations, archive_in);
-}
-
-const map &
-IngressMetadata::getAnnotations() const
-{
- return annotations;
-}
-
-void
-IngressRulePath::load(cereal::JSONInputArchive &archive_in)
-{
- dbgTrace(D_LOCAL_POLICY) << "Loading ingress defined rule path";
- parseAppsecJSONKey("path", path, archive_in);
-}
-
-const string &
-IngressRulePath::getPath() const
-{
- return path;
-}
-
-void
-IngressRulePathsWrapper::load(cereal::JSONInputArchive &archive_in)
-{
- dbgTrace(D_LOCAL_POLICY) << "Loading ingress defined rule path wrapper";
- parseAppsecJSONKey>("paths", paths, archive_in);
-}
-
-const vector &
-IngressRulePathsWrapper::getRulePaths() const
-{
- return paths;
-}
-
-void
-IngressDefinedRule::load(cereal::JSONInputArchive &archive_in)
-{
- dbgTrace(D_LOCAL_POLICY) << "Loading ingress defined rule";
- parseAppsecJSONKey("host", host, archive_in);
- parseAppsecJSONKey("http", paths_wrapper, archive_in);
-}
-
-const string &
-IngressDefinedRule::getHost() const
-{
- return host;
-}
-
-const IngressRulePathsWrapper &
-IngressDefinedRule::getPathsWrapper() const
-{
- return paths_wrapper;
-}
-
-void
-DefaultBackend::load(cereal::JSONInputArchive &)
-{
- dbgTrace(D_LOCAL_POLICY) << "Loading Default Backend";
- is_exists = true;
-}
-
-void
-IngressSpec::load(cereal::JSONInputArchive &archive_in)
-{
- dbgTrace(D_LOCAL_POLICY) << "Loading single ingress spec";
- parseAppsecJSONKey("ingressClassName", ingress_class_name, archive_in);
- parseAppsecJSONKey>("rules", rules, archive_in);
- parseAppsecJSONKey("defaultBackend", default_backend, archive_in);
-}
-
-const vector &
-IngressSpec::getRules() const
-{
- return rules;
-}
-
-void
-SingleIngressData::load(cereal::JSONInputArchive &archive_in)
-{
- dbgTrace(D_LOCAL_POLICY) << "Loading single ingress data";
- parseAppsecJSONKey("metadata", metadata, archive_in);
- parseAppsecJSONKey("spec", spec, archive_in);
-}
-
-const IngressMetadata &
-SingleIngressData::getMetadata() const
-{
- return metadata;
-}
-
-const IngressSpec &
-SingleIngressData::getSpec() const
-{
- return spec;
-}
-
-bool
-IngressData::loadJson(const string &json)
-{
- string modified_json = json;
- modified_json.pop_back();
- stringstream in;
- in.str(modified_json);
- dbgTrace(D_LOCAL_POLICY) << "Loading ingress data";
- try {
- cereal::JSONInputArchive in_ar(in);
- in_ar(
- cereal::make_nvp("apiVersion", apiVersion),
- cereal::make_nvp("items", items)
- );
- } catch (cereal::Exception &e) {
- dbgError(D_LOCAL_POLICY) << "Failed to load ingress data JSON. Error: " << e.what();
- return false;
- }
- return true;
-}
-
-const vector &
-IngressData::getItems() const
-{
- return items;
-}
diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/k8s_policy_utils.cc b/components/security_apps/orchestration/local_policy_mgmt_gen/k8s_policy_utils.cc
deleted file mode 100644
index fe88182..0000000
--- a/components/security_apps/orchestration/local_policy_mgmt_gen/k8s_policy_utils.cc
+++ /dev/null
@@ -1,573 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "k8s_policy_utils.h"
-#include "namespace_data.h"
-
-using namespace std;
-
-USE_DEBUG_FLAG(D_NGINX_POLICY);
-
-string
-convertAnnotationKeysTostring(const AnnotationKeys &key)
-{
- switch (key) {
- case AnnotationKeys::PolicyKey:
- return "policy";
- case AnnotationKeys::OpenAppsecIo:
- return "openappsec.io/";
- case AnnotationKeys::SyslogAddressKey:
- return "syslog";
- case AnnotationKeys::ModeKey:
- return "mode";
- default:
- return "Irrelevant key";
- }
-}
-
-void
-K8sPolicyUtils::init()
-{
- env_details = Singleton::Consume::by();
- env_type = env_details->getEnvType();
- if (env_type == EnvType::K8S) {
- token = env_details->getToken();
- messaging = Singleton::Consume::by();
- conn_flags.setFlag(MessageConnConfig::SECURE_CONN);
- conn_flags.setFlag(MessageConnConfig::IGNORE_SSL_VALIDATION);
- }
-}
-
-map
-K8sPolicyUtils::parseIngressAnnotations(const map &annotations) const
-{
- map annotations_values;
- for (const auto &annotation : annotations) {
- string annotation_key = annotation.first;
- string annotation_val = annotation.second;
- if (annotation_key.find(convertAnnotationKeysTostring(AnnotationKeys::OpenAppsecIo)) != string::npos) {
- if (annotation_key.find(convertAnnotationKeysTostring(AnnotationKeys::PolicyKey)) != string::npos) {
- annotations_values[AnnotationKeys::PolicyKey] = annotation_val;
- } else if (
- annotation_key.find(convertAnnotationKeysTostring(AnnotationKeys::SyslogAddressKey)) != string::npos
- ) {
- bool has_port = annotation_val.find(":");
- annotations_values[AnnotationKeys::SyslogAddressKey] =
- annotation_val.substr(0, annotation_val.find(":"));
- annotations_values[AnnotationKeys::SyslogPortKey] =
- has_port ? annotation_val.substr(annotation_val.find(":") + 1) : "";
- } else if (annotation_key.find(convertAnnotationKeysTostring(AnnotationKeys::ModeKey)) != string::npos) {
- annotations_values[AnnotationKeys::ModeKey] = annotation_val;
- }
- }
- }
- return annotations_values;
-}
-
-template
-Maybe
-K8sPolicyUtils::getObjectFromCluster(const string &path) const
-{
- T object;
- bool res = messaging->sendObject(
- object,
- I_Messaging::Method::GET,
- "kubernetes.default.svc",
- 443,
- conn_flags,
- path,
- "Authorization: Bearer " + token + "\nConnection: close"
- );
-
- if (res) return object;
-
- return genError(string("Was not able to get object form k8s cluser in path: " + path));
-}
-
-map>
-K8sPolicyUtils::extractElementsNames(const vector &specific_rules, const ParsedRule &default_rule) const
-{
- map> policy_elements_names;
- for (const ParsedRule &specific_rule : specific_rules) {
- policy_elements_names[AnnotationTypes::EXCEPTION].insert(
- specific_rule.getExceptions().begin(),
- specific_rule.getExceptions().end()
- );
- policy_elements_names[AnnotationTypes::PRACTICE].insert(
- specific_rule.getPractices().begin(),
- specific_rule.getPractices().end()
- );
- policy_elements_names[AnnotationTypes::TRIGGER].insert(
- specific_rule.getLogTriggers().begin(),
- specific_rule.getLogTriggers().end()
- );
- policy_elements_names[AnnotationTypes::WEB_USER_RES].insert(specific_rule.getCustomResponse());
- policy_elements_names[AnnotationTypes::SOURCE_IDENTIFIERS].insert(specific_rule.getSourceIdentifiers());
- policy_elements_names[AnnotationTypes::TRUSTED_SOURCES].insert(specific_rule.getTrustedSources());
- }
- policy_elements_names[AnnotationTypes::EXCEPTION].insert(
- default_rule.getExceptions().begin(),
- default_rule.getExceptions().end()
- );
- policy_elements_names[AnnotationTypes::PRACTICE].insert(
- default_rule.getPractices().begin(),
- default_rule.getPractices().end()
- );
- policy_elements_names[AnnotationTypes::TRIGGER].insert(
- default_rule.getLogTriggers().begin(),
- default_rule.getLogTriggers().end()
- );
- policy_elements_names[AnnotationTypes::WEB_USER_RES].insert(default_rule.getCustomResponse());
- policy_elements_names[AnnotationTypes::SOURCE_IDENTIFIERS].insert(default_rule.getSourceIdentifiers());
- policy_elements_names[AnnotationTypes::TRUSTED_SOURCES].insert(default_rule.getTrustedSources());
-
- return policy_elements_names;
-}
-
-// LCOV_EXCL_START Reason: no test exist
-void
-extractElementsFromNewRule(
- const NewParsedRule &rule,
- map> &policy_elements_names)
-{
- policy_elements_names[AnnotationTypes::EXCEPTION].insert(
- rule.getExceptions().begin(),
- rule.getExceptions().end()
- );
- policy_elements_names[AnnotationTypes::THREAT_PREVENTION_PRACTICE].insert(
- rule.getPractices().begin(),
- rule.getPractices().end()
- );
- policy_elements_names[AnnotationTypes::ACCESS_CONTROL_PRACTICE].insert(
- rule.getAccessControlPractices().begin(),
- rule.getAccessControlPractices().end()
- );
- policy_elements_names[AnnotationTypes::TRIGGER].insert(
- rule.getLogTriggers().begin(),
- rule.getLogTriggers().end()
- );
- policy_elements_names[AnnotationTypes::WEB_USER_RES].insert(rule.getCustomResponse());
- policy_elements_names[AnnotationTypes::SOURCE_IDENTIFIERS].insert(rule.getSourceIdentifiers());
- policy_elements_names[AnnotationTypes::TRUSTED_SOURCES].insert(rule.getTrustedSources());
-}
-
-map>
-K8sPolicyUtils::extractElementsNamesV1beta2(
- const vector &specific_rules,
- const NewParsedRule &default_rule) const
-{
- map> policy_elements_names;
- for (const NewParsedRule &specific_rule : specific_rules) {
- extractElementsFromNewRule(specific_rule, policy_elements_names);
- }
- extractElementsFromNewRule(default_rule, policy_elements_names);
-
- return policy_elements_names;
-}
-
-string
-getAppSecClassNameFromCluster()
-{
- auto env_res = getenv("appsecClassName");
- if (env_res != nullptr) return env_res;
- return "";
-}
-// LCOV_EXCL_STOP
-
-template
-vector
-K8sPolicyUtils::extractElementsFromCluster(
- const string &crd_plural,
- const unordered_set &elements_names) const
-{
- dbgTrace(D_LOCAL_POLICY) << "Retrieve AppSec elements. type: " << crd_plural;
- vector elements;
- for (const string &element_name : elements_names) {
- dbgTrace(D_LOCAL_POLICY) << "AppSec element name: " << element_name;
- auto maybe_appsec_element = getObjectFromCluster>(
- "/apis/openappsec.io/v1beta1/" + crd_plural + "/" + element_name
- );
-
- if (!maybe_appsec_element.ok()) {
- dbgWarning(D_LOCAL_POLICY)
- << "Failed to retrieve AppSec element. type: "
- << crd_plural
- << ", name: "
- << element_name
- << ". Error: "
- << maybe_appsec_element.getErr();
- continue;
- }
-
- AppsecSpecParser appsec_element = maybe_appsec_element.unpack();
- if (appsec_element.getSpec().getName() == "") {
- appsec_element.setName(element_name);
- }
- elements.push_back(appsec_element.getSpec());
- }
- return elements;
-}
-
-// LCOV_EXCL_START Reason: no test exist
-template
-vector
-K8sPolicyUtils::extractV1Beta2ElementsFromCluster(
- const string &crd_plural,
- const unordered_set &elements_names) const
-{
- dbgTrace(D_LOCAL_POLICY) << "Retrieve AppSec elements. type: " << crd_plural;
- vector elements;
- for (const string &element_name : elements_names) {
- dbgTrace(D_LOCAL_POLICY) << "AppSec element name: " << element_name;
- auto maybe_appsec_element = getObjectFromCluster>(
- "/apis/openappsec.io/v1beta2/" + crd_plural + "/" + element_name
- );
-
- if (!maybe_appsec_element.ok()) {
- dbgWarning(D_LOCAL_POLICY)
- << "Failed to retrieve AppSec element. type: "
- << crd_plural
- << ", name: "
- << element_name
- << ". Error: "
- << maybe_appsec_element.getErr();
- continue;
- }
-
- AppsecSpecParser appsec_element = maybe_appsec_element.unpack();
- if (getAppSecClassNameFromCluster() != "" &&
- appsec_element.getSpec().getAppSecClassName() != getAppSecClassNameFromCluster()) {
- continue;
- }
-
- if (appsec_element.getSpec().getName() == "") {
- appsec_element.setName(element_name);
- }
- elements.push_back(appsec_element.getSpec());
- }
- return elements;
-}
-// LCOV_EXCL_STOP
-
-Maybe
-K8sPolicyUtils::createAppsecPolicyK8sFromV1beta1Crds(
- const AppsecSpecParser &appsec_policy_spec,
- const string &ingress_mode) const
-{
- ParsedRule default_rule = appsec_policy_spec.getSpec().getDefaultRule();
- vector specific_rules = appsec_policy_spec.getSpec().getSpecificRules();
-
- if (!ingress_mode.empty() && default_rule.getMode().empty()) {
- default_rule.setMode(ingress_mode);
- }
-
- map> policy_elements_names = extractElementsNames(
- specific_rules,
- default_rule
- );
-
-
- vector practices = extractElementsFromCluster(
- "practices",
- policy_elements_names[AnnotationTypes::PRACTICE]
- );
-
- vector log_triggers = extractElementsFromCluster(
- "logtriggers",
- policy_elements_names[AnnotationTypes::TRIGGER]
- );
-
- vector web_user_responses = extractElementsFromCluster(
- "customresponses",
- policy_elements_names[AnnotationTypes::WEB_USER_RES]
- );
-
- vector exceptions = extractElementsFromCluster(
- "exceptions",
- policy_elements_names[AnnotationTypes::EXCEPTION]
- );
-
- vector source_identifiers = extractElementsFromCluster(
- "sourcesidentifiers",
- policy_elements_names[AnnotationTypes::SOURCE_IDENTIFIERS]
- );
-
- vector trusted_sources = extractElementsFromCluster(
- "trustedsources",
- policy_elements_names[AnnotationTypes::TRUSTED_SOURCES]
- );
-
- AppsecLinuxPolicy appsec_policy = AppsecLinuxPolicy(
- appsec_policy_spec.getSpec(),
- practices,
- log_triggers,
- web_user_responses,
- exceptions,
- trusted_sources,
- source_identifiers
- );
- return appsec_policy;
-}
-
-// LCOV_EXCL_START Reason: no test exist
-Maybe
-K8sPolicyUtils::createAppsecPolicyK8sFromV1beta2Crds(
- const AppsecSpecParser &appsec_policy_spec,
- const string &ingress_mode) const
-{
- NewParsedRule default_rule = appsec_policy_spec.getSpec().getDefaultRule();
- vector specific_rules = appsec_policy_spec.getSpec().getSpecificRules();
- string appsec_class_name = appsec_policy_spec.getSpec().getAppSecClassName();
-
- if (getAppSecClassNameFromCluster() != "" &&
- appsec_class_name != getAppSecClassNameFromCluster()) {
- return genError("Unmached appsec class name!");
- }
-
- if (default_rule.getMode().empty() && !ingress_mode.empty()) {
- default_rule.setMode(ingress_mode);
- }
-
- map> policy_elements_names = extractElementsNamesV1beta2(
- specific_rules,
- default_rule
- );
-
- vector threat_prevention_practices =
- extractV1Beta2ElementsFromCluster(
- "threatpreventionpractices",
- policy_elements_names[AnnotationTypes::THREAT_PREVENTION_PRACTICE]
- );
-
- vector access_control_practices =
- extractV1Beta2ElementsFromCluster(
- "accesscontrolpractice",
- policy_elements_names[AnnotationTypes::ACCESS_CONTROL_PRACTICE]
- );
-
- vector log_triggers = extractV1Beta2ElementsFromCluster(
- "logtriggers",
- policy_elements_names[AnnotationTypes::TRIGGER]
- );
-
- vector web_user_responses = extractV1Beta2ElementsFromCluster(
- "customresponses",
- policy_elements_names[AnnotationTypes::WEB_USER_RES]
- );
-
- vector exceptions = extractV1Beta2ElementsFromCluster(
- "exceptions",
- policy_elements_names[AnnotationTypes::EXCEPTION]
- );
-
- vector source_identifiers = extractV1Beta2ElementsFromCluster(
- "sourcesidentifiers",
- policy_elements_names[AnnotationTypes::SOURCE_IDENTIFIERS]
- );
-
- vector trusted_sources = extractV1Beta2ElementsFromCluster(
- "trustedsources",
- policy_elements_names[AnnotationTypes::TRUSTED_SOURCES]
- );
-
- V1beta2AppsecLinuxPolicy appsec_policy = V1beta2AppsecLinuxPolicy(
- appsec_policy_spec.getSpec(),
- threat_prevention_practices,
- access_control_practices,
- log_triggers,
- web_user_responses,
- exceptions,
- trusted_sources,
- source_identifiers
- );
- return appsec_policy;
-}
-// LCOV_EXCL_STOP
-
-bool
-doesVersionExist(const map &annotations, const string &version)
-{
- for (auto annotation : annotations) {
- if(annotation.second.find(version) != std::string::npos) {
- return true;
- }
- }
- return false;
-}
-//need to refactor don't forget that
-std::tuple, Maybe>
-K8sPolicyUtils::createAppsecPolicyK8s(const string &policy_name, const string &ingress_mode) const
-{
- auto maybe_appsec_policy_spec = getObjectFromCluster>(
- "/apis/openappsec.io/v1beta1/policies/" + policy_name
- );
-
- if (!maybe_appsec_policy_spec.ok() ||
- !doesVersionExist(maybe_appsec_policy_spec.unpack().getMetaData().getAnnotations(), "v1beta1")
- ) {
- dbgWarning(D_LOCAL_POLICY)
- << "Failed to retrieve Appsec policy with crds version: v1beta1, Trying version: v1beta2";
- auto maybe_v1beta2_appsec_policy_spec = getObjectFromCluster>(
- "/apis/openappsec.io/v1beta2/policies/" + policy_name
- );
- if(!maybe_v1beta2_appsec_policy_spec.ok()) {
- dbgWarning(D_LOCAL_POLICY)
- << "Failed to retrieve AppSec policy. Error: "
- << maybe_v1beta2_appsec_policy_spec.getErr();
- return std::make_tuple(
- genError("Failed to retrieve AppSec v1beta1 policy. Error: " + maybe_appsec_policy_spec.getErr()),
- genError(
- "Failed to retrieve AppSec v1beta2 policy. Error: " + maybe_v1beta2_appsec_policy_spec.getErr()));
- }
- return std::make_tuple(
- genError("There is no v1beta1 policy"),
- createAppsecPolicyK8sFromV1beta2Crds(maybe_v1beta2_appsec_policy_spec.unpack(), ingress_mode));
- }
-
- return std::make_tuple(
- createAppsecPolicyK8sFromV1beta1Crds(maybe_appsec_policy_spec.unpack(), ingress_mode),
- genError("There is no v1beta2 policy"));
-}
-
-template
-void
-K8sPolicyUtils::createPolicy(
- T &appsec_policy,
- map &policies,
- map &annotations_values,
- const SingleIngressData &item) const
-{
- for (const IngressDefinedRule &rule : item.getSpec().getRules()) {
- string url = rule.getHost();
- for (const IngressRulePath &uri : rule.getPathsWrapper().getRulePaths()) {
- if (!appsec_policy.getAppsecPolicySpec().isAssetHostExist(url + uri.getPath())) {
- dbgTrace(D_LOCAL_POLICY)
- << "Inserting Host data to the specific asset set:"
- << "URL: '"
- << url
- << "' uri: '"
- << uri.getPath()
- << "'";
- K ingress_rule = K(url + uri.getPath());
- appsec_policy.addSpecificRule(ingress_rule);
- }
- }
- }
- policies[annotations_values[AnnotationKeys::PolicyKey]] = appsec_policy;
-}
-
-
-std::tuple, map>
-K8sPolicyUtils::createAppsecPoliciesFromIngresses()
-{
- dbgFlow(D_LOCAL_POLICY) << "Getting all policy object from Ingresses";
- map v1bet1_policies;
- map v1bet2_policies;
- auto maybe_ingress = getObjectFromCluster("/apis/networking.k8s.io/v1/ingresses");
-
- if (!maybe_ingress.ok()) {
- // TBD: Error handling : INXT-31444
- dbgWarning(D_LOCAL_POLICY)
- << "Failed to retrieve K8S Ingress configurations. Error: "
- << maybe_ingress.getErr();
- return make_tuple(v1bet1_policies, v1bet2_policies);
- }
-
-
- IngressData ingress = maybe_ingress.unpack();
- for (const SingleIngressData &item : ingress.getItems()) {
- map annotations_values = parseIngressAnnotations(
- item.getMetadata().getAnnotations()
- );
-
- if (annotations_values[AnnotationKeys::PolicyKey].empty()) {
- dbgInfo(D_LOCAL_POLICY) << "No policy was found in this ingress";
- continue;
- }
-
- auto maybe_appsec_policy = createAppsecPolicyK8s(
- annotations_values[AnnotationKeys::PolicyKey],
- annotations_values[AnnotationKeys::ModeKey]
- );
- if (!std::get<0>(maybe_appsec_policy).ok() && !std::get<1>(maybe_appsec_policy).ok()) {
- dbgWarning(D_LOCAL_POLICY)
- << "Failed to create appsec policy. Error: "
- << std::get<1>(maybe_appsec_policy).getErr();
- continue;
- }
-
- if (!std::get<0>(maybe_appsec_policy).ok()) {
- auto appsec_policy=std::get<1>(maybe_appsec_policy).unpack();
- createPolicy(
- appsec_policy,
- v1bet2_policies,
- annotations_values,
- item);
- } else {
- auto appsec_policy=std::get<0>(maybe_appsec_policy).unpack();
- createPolicy(
- appsec_policy,
- v1bet1_policies,
- annotations_values,
- item);
- }
- }
- return make_tuple(v1bet1_policies, v1bet2_policies);
-}
-
-bool
-isPlaygroundEnv()
-{
- const char *env_string = getenv("PLAYGROUND");
-
- if (env_string == nullptr) return false;
- string env_value = env_string;
- transform(env_value.begin(), env_value.end(), env_value.begin(), ::tolower);
-
- return env_value == "true";
-}
-
-bool
-K8sPolicyUtils::getClusterId() const
-{
- string playground_uid = isPlaygroundEnv() ? "playground-" : "";
-
- dbgTrace(D_LOCAL_POLICY) << "Getting cluster UID";
- auto maybe_namespaces_data = getObjectFromCluster("/api/v1/namespaces/");
-
- if (!maybe_namespaces_data.ok()) {
- dbgWarning(D_LOCAL_POLICY)
- << "Failed to retrieve K8S namespace data. Error: "
- << maybe_namespaces_data.getErr();
- return false;
- }
-
- NamespaceData namespaces_data = maybe_namespaces_data.unpack();
-
- Maybe maybe_ns_uid = namespaces_data.getNamespaceUidByName("kube-system");
- if (!maybe_ns_uid.ok()) {
- dbgWarning(D_LOCAL_POLICY) << maybe_ns_uid.getErr();
- return false;
- }
- string uid = playground_uid + maybe_ns_uid.unpack();
- dbgTrace(D_LOCAL_POLICY) << "Found k8s cluster UID: " << uid;
- I_Environment *env = Singleton::Consume::by();
- env->getConfigurationContext().registerValue(
- "k8sClusterId",
- uid,
- EnvKeyAttr::LogSection::SOURCE
- );
- I_AgentDetails *i_agent_details = Singleton::Consume::by();
- i_agent_details->setClusterId(uid);
- return true;
-}
diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/local_policy_mgmt_gen.cc b/components/security_apps/orchestration/local_policy_mgmt_gen/local_policy_mgmt_gen.cc
deleted file mode 100644
index 1016d94..0000000
--- a/components/security_apps/orchestration/local_policy_mgmt_gen/local_policy_mgmt_gen.cc
+++ /dev/null
@@ -1,158 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "local_policy_mgmt_gen.h"
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include "rest.h"
-#include "debug.h"
-#include "config.h"
-#include "connkey.h"
-#include "url_parser.h"
-#include "i_agent_details.h"
-#include "customized_cereal_map.h"
-#include "include/appsec_practice_section.h"
-#include "include/ingress_data.h"
-#include "include/settings_section.h"
-#include "include/triggers_section.h"
-#include "include/local_policy_common.h"
-#include "include/exceptions_section.h"
-#include "include/rules_config_section.h"
-#include "include/trusted_sources_section.h"
-#include "include/policy_maker_utils.h"
-#include "include/k8s_policy_utils.h"
-#include "i_env_details.h"
-
-using namespace std;
-
-USE_DEBUG_FLAG(D_LOCAL_POLICY);
-
-const static string default_local_appsec_policy_path = "/tmp/local_appsec.policy";
-const static string default_local_mgmt_policy_path = "/conf/local_policy.yaml";
-
-class LocalPolicyMgmtGenerator::Impl
- :
- public Singleton::Provide::From,
- public Singleton::Consume,
- public Singleton::Consume
-{
-
-public:
- void
- init()
- {
- env_details = Singleton::Consume::by();
- env_type = env_details->getEnvType();
- if (env_type == EnvType::LINUX) {
- dbgInfo(D_LOCAL_POLICY) << "Initializing Linux policy generator";
- local_policy_path = getFilesystemPathConfig() + default_local_mgmt_policy_path;
- return;
- }
- dbgInfo(D_LOCAL_POLICY) << "Initializing K8S policy generator";
- k8s_policy_utils.init();
-
- Singleton::Consume::by()->addOneTimeRoutine(
- I_MainLoop::RoutineType::Offline,
- [this] ()
- {
- while(!k8s_policy_utils.getClusterId()) {
- Singleton::Consume::by()->yield(chrono::seconds(1));
- }
- return;
- },
- "Get k8s cluster ID"
- );
- }
-
- string
- parseLinuxPolicy(const string &policy_version)
- {
- dbgFlow(D_LOCAL_POLICY) << "Starting to parse policy - embedded environment";
-
- return policy_maker_utils.proccesSingleAppsecPolicy(
- local_policy_path,
- policy_version,
- default_local_appsec_policy_path
- );
- }
-
- string
- parseK8sPolicy(const string &policy_version)
- {
- dbgFlow(D_LOCAL_POLICY) << "Starting to parse policy - K8S environment";
-
- auto appsec_policies = k8s_policy_utils.createAppsecPoliciesFromIngresses();
- if (!std::get<0>(appsec_policies).empty()) {
- return policy_maker_utils.proccesMultipleAppsecPolicies(
- std::get<0>(appsec_policies),
- policy_version,
- default_local_appsec_policy_path
- );
- }
- return policy_maker_utils.proccesMultipleAppsecPolicies(
- std::get<1>(appsec_policies),
- policy_version,
- default_local_appsec_policy_path
- );
- }
-
- string
- parsePolicy(const string &policy_version)
- {
- return isK8sEnv() ? parseK8sPolicy(policy_version) : parseLinuxPolicy(policy_version);
- }
-
- const string & getAgentPolicyPath(void) const override { return default_local_appsec_policy_path; }
- const string & getLocalPolicyPath(void) const override { return local_policy_path; }
- void setPolicyPath(const string &new_local_policy_path) override { local_policy_path = new_local_policy_path; }
-
-private:
- bool
- isK8sEnv()
- {
- return env_type == EnvType::K8S;
- }
-
- I_EnvDetails* env_details = nullptr;
- EnvType env_type;
- PolicyMakerUtils policy_maker_utils;
- K8sPolicyUtils k8s_policy_utils;
- string local_policy_path;
-
-};
-
-LocalPolicyMgmtGenerator::LocalPolicyMgmtGenerator()
- :
- Component("LocalPolicyMgmtGenerator"),
- pimpl(make_unique()) {}
-
-LocalPolicyMgmtGenerator::~LocalPolicyMgmtGenerator() {}
-
-void
-LocalPolicyMgmtGenerator::init()
-{
- pimpl->init();
-}
diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/namespace_data.cc b/components/security_apps/orchestration/local_policy_mgmt_gen/namespace_data.cc
deleted file mode 100644
index c4b65b3..0000000
--- a/components/security_apps/orchestration/local_policy_mgmt_gen/namespace_data.cc
+++ /dev/null
@@ -1,97 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "namespace_data.h"
-#include "local_policy_common.h"
-
-using namespace std;
-
-USE_DEBUG_FLAG(D_LOCAL_POLICY);
-
-class NamespaceMetadata
-{
-public:
- void
- load(cereal::JSONInputArchive &archive_in)
- {
- dbgFlow(D_LOCAL_POLICY);
- parseAppsecJSONKey("name", name, archive_in);
- parseAppsecJSONKey("uid", uid, archive_in);
- }
-
- const string &
- getName() const
- {
- return name;
- }
-
- const string &
- getUID() const
- {
- return uid;
- }
-
-private:
- string name;
- string uid;
-};
-
-class SingleNamespaceData
-{
-public:
- void
- load(cereal::JSONInputArchive &archive_in)
- {
- parseAppsecJSONKey("metadata", metadata, archive_in);
- }
-
- const NamespaceMetadata &
- getMetadata() const
- {
- return metadata;
- }
-
-private:
- NamespaceMetadata metadata;
-};
-
-bool
-NamespaceData::loadJson(const string &json)
-{
- dbgFlow(D_LOCAL_POLICY);
- string modified_json = json;
- modified_json.pop_back();
- stringstream in;
- in.str(modified_json);
- try {
- cereal::JSONInputArchive in_ar(in);
- vector items;
- in_ar(cereal::make_nvp("items", items));
- for (const SingleNamespaceData &single_ns_data : items) {
- ns_name_to_uid[single_ns_data.getMetadata().getName()] = single_ns_data.getMetadata().getUID();
- }
- } catch (cereal::Exception &e) {
- dbgWarning(D_LOCAL_POLICY) << "Failed to load namespace data JSON. Error: " << e.what();
- return false;
- }
- return true;
-}
-
-Maybe
-NamespaceData::getNamespaceUidByName(const string &name)
-{
- if (ns_name_to_uid.find(name) == ns_name_to_uid.end()) {
- return genError("Namespace doesn't exist. Name: " + name);
- }
- return ns_name_to_uid.at(name);
-}
diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/new_appsec_linux_policy.cc b/components/security_apps/orchestration/local_policy_mgmt_gen/new_appsec_linux_policy.cc
deleted file mode 100644
index 34d6b16..0000000
--- a/components/security_apps/orchestration/local_policy_mgmt_gen/new_appsec_linux_policy.cc
+++ /dev/null
@@ -1,72 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "new_appsec_linux_policy.h"
-// LCOV_EXCL_START Reason: no test exist
-
-using namespace std;
-
-const NewAppsecPolicySpec &
-V1beta2AppsecLinuxPolicy::getAppsecPolicySpec() const
-{
- return policies;
-}
-
-const vector &
-V1beta2AppsecLinuxPolicy::getAppSecPracticeSpecs() const
-{
- return threat_prevection_practices;
-}
-
-const vector &
-V1beta2AppsecLinuxPolicy::getAccessControlPracticeSpecs() const
-{
- return access_control_practices;
-}
-
-const vector &
-V1beta2AppsecLinuxPolicy::getAppsecTriggerSpecs() const
-{
- return log_triggers;
-}
-
-const vector &
-V1beta2AppsecLinuxPolicy::getAppSecCustomResponseSpecs() const
-{
- return custom_responses;
-}
-
-const vector &
-V1beta2AppsecLinuxPolicy::getAppsecExceptionSpecs() const
-{
- return exceptions;
-}
-
-const vector &
-V1beta2AppsecLinuxPolicy::getAppsecTrustedSourceSpecs() const
-{
- return trusted_sources;
-}
-
-const vector &
-V1beta2AppsecLinuxPolicy::getAppsecSourceIdentifierSpecs() const
-{
- return sources_identifiers;
-}
-
-void
-V1beta2AppsecLinuxPolicy::addSpecificRule(const NewParsedRule &_rule)
-{
- policies.addSpecificRule(_rule);
-}
-// LCOV_EXCL_STOP
diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/new_appsec_policy_crd_parser.cc b/components/security_apps/orchestration/local_policy_mgmt_gen/new_appsec_policy_crd_parser.cc
deleted file mode 100644
index 4fdc0ef..0000000
--- a/components/security_apps/orchestration/local_policy_mgmt_gen/new_appsec_policy_crd_parser.cc
+++ /dev/null
@@ -1,154 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "new_appsec_policy_crd_parser.h"
-
-using namespace std;
-
-USE_DEBUG_FLAG(D_LOCAL_POLICY);
-// LCOV_EXCL_START Reason: no test exist
-
-static const set valid_modes = {"prevent-learn", "detect-learn", "prevent", "detect", "inactive"};
-
-void
-NewParsedRule::load(cereal::JSONInputArchive &archive_in)
-{
- dbgTrace(D_LOCAL_POLICY) << "Loading AppSec NewParsedRule";
- parseAppsecJSONKey>("exceptions", exceptions, archive_in);
- parseAppsecJSONKey>("triggers", log_triggers, archive_in);
- parseAppsecJSONKey>("threatPreventionPractices", threat_prevention_practices, archive_in);
- parseAppsecJSONKey>("accessControlPractices", access_control_practices, archive_in);
- parseAppsecJSONKey("mode", mode, archive_in);
- if (valid_modes.count(mode) == 0) {
- dbgWarning(D_LOCAL_POLICY) << "AppSec New Parsed Rule mode invalid: " << mode;
- }
- parseAppsecJSONKey("customResponse", custom_response, archive_in);
- parseAppsecJSONKey("sourceIdentifiers", source_identifiers, archive_in);
- parseAppsecJSONKey("trustedSources", trusted_sources, archive_in);
- try {
- archive_in(cereal::make_nvp("host", host));
- } catch (const cereal::Exception &e)
- {
- // The default NewParsedRule does not hold a host, so by default it will be *
- host = "*";
- }
-}
-
-const vector &
-NewParsedRule::getLogTriggers() const
-{
- return log_triggers;
-}
-const vector &
-
-NewParsedRule::getExceptions() 
const
-{
- return exceptions;
-}
-
-const vector &
-NewParsedRule::getPractices() const
-{
- return threat_prevention_practices;
-}
-
-const vector &
-NewParsedRule::getAccessControlPractices() const
-{
- return access_control_practices;
-}
-
-const string &
-NewParsedRule::getSourceIdentifiers() const
-{
- return source_identifiers;
-}
-
-const string &
-NewParsedRule::getCustomResponse() const
-{
- return custom_response;
-}
-
-const string &
-NewParsedRule::getTrustedSources() const
-{
- return trusted_sources;
-}
-
-const string &
-NewParsedRule::getHost() const
-{
- return host;
-}
-
-const string &
-NewParsedRule::getMode() const
-{
- return mode;
-}
-
-void
-NewParsedRule::setHost(const string &_host)
-{
- host = _host;
-}
-
-void
-NewParsedRule::setMode(const string &_mode)
-{
- mode = _mode;
-}
-
-void
-NewAppsecPolicySpec::load(cereal::JSONInputArchive &archive_in)
-{
- dbgTrace(D_LOCAL_POLICY) << "Loading AppSec policy spec";
- parseAppsecJSONKey("appsecClassName", appsec_class_name, archive_in);
- parseAppsecJSONKey("default", default_rule, archive_in);
- parseAppsecJSONKey>("specificRules", specific_rules, archive_in);
-}
-
-const NewParsedRule &
-NewAppsecPolicySpec::getDefaultRule() const
-{
- return default_rule;
-}
-
-const vector &
-NewAppsecPolicySpec::getSpecificRules() const
-{
- return specific_rules;
-}
-
-const string &
-NewAppsecPolicySpec::getAppSecClassName() const
-{
- return appsec_class_name;
-}
-
-bool
-NewAppsecPolicySpec::isAssetHostExist(const std::string &full_url) const
-{
- for (const NewParsedRule &rule : specific_rules) {
- if (rule.getHost() == full_url) return true;
- }
- return false;
-}
-
-void
-NewAppsecPolicySpec::addSpecificRule(const NewParsedRule &_rule)
-{
- specific_rules.push_back(_rule);
-}
-// LCOV_EXCL_STOP
diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/new_custom_response.cc b/components/security_apps/orchestration/local_policy_mgmt_gen/new_custom_response.cc
deleted file mode 100644
index d8f815b..0000000
--- a/components/security_apps/orchestration/local_policy_mgmt_gen/new_custom_response.cc
+++ /dev/null
@@ -1,99 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "new_custom_response.h"
-
-#define MIN_RESPONSE_CODE 100
-#define MAX_RESPOMSE_CODE 599
-
-using namespace std;
-
-USE_DEBUG_FLAG(D_LOCAL_POLICY);
-// LCOV_EXCL_START Reason: no test exist
-
-static const set valid_modes = {"block-page", "response-code-only", "redirect"};
-
-void
-NewAppSecCustomResponse::load(cereal::JSONInputArchive &archive_in)
-{
- dbgTrace(D_LOCAL_POLICY) << "Loading AppSec web user response spec";
- parseAppsecJSONKey("appsecClassName", appsec_class_name, archive_in);
- parseAppsecJSONKey("httpResponseCode", http_response_code, archive_in, 403);
- if (http_response_code < MIN_RESPONSE_CODE || http_response_code > MAX_RESPOMSE_CODE) {
- dbgWarning(D_LOCAL_POLICY) << "AppSec web user response code invalid: " << http_response_code;
- }
- parseAppsecJSONKey("mode", mode, archive_in, "block-page");
- if (valid_modes.count(mode) == 0) {
- dbgWarning(D_LOCAL_POLICY) << "AppSec web user response mode invalid: " << mode;
- }
- parseAppsecJSONKey("name", name, archive_in);
- parseAppsecJSONKey("redirectUrl", redirect_url, archive_in);
- parseAppsecJSONKey("redirectAddXEventId", redirect_add_x_event_id, archive_in);
- if (mode == "block-page") {
- parseAppsecJSONKey(
- "messageBody",
- message_body,
- archive_in,
- "Openappsec's Application Security has detected an attack and blocked it." 
- );
- parseAppsecJSONKey(
- "messageTitle",
- message_title,
- archive_in,
- "Attack blocked by web application protection"
- );
- }
-}
-
-void
-NewAppSecCustomResponse::setName(const string &_name)
-{
- name = _name;
-}
-
-int
-NewAppSecCustomResponse::getHttpResponseCode() const
-{
- return http_response_code;
-}
-
-const string &
-NewAppSecCustomResponse::getMessageBody() const
-{
- return message_body;
-}
-
-const string &
-NewAppSecCustomResponse::getMessageTitle() const
-{
- return message_title;
-}
-
-const string &
-NewAppSecCustomResponse::getAppSecClassName() const
-{
- return appsec_class_name;
-}
-
-const string &
-NewAppSecCustomResponse::getMode() const
-{
- return mode;
-}
-
-const string &
-NewAppSecCustomResponse::getName() const
-{
- return name;
-}
-// LCOV_EXCL_STOP
diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/new_exceptions.cc b/components/security_apps/orchestration/local_policy_mgmt_gen/new_exceptions.cc
deleted file mode 100644
index 115a781..0000000
--- a/components/security_apps/orchestration/local_policy_mgmt_gen/new_exceptions.cc
+++ /dev/null
@@ -1,187 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "new_exceptions.h"
-
-using namespace std;
-
-USE_DEBUG_FLAG(D_LOCAL_POLICY);
-
-// LCOV_EXCL_START Reason: no test exist
-static const set valid_actions = {"skip", "accept", "drop", "suppressLog"};
-
-void
-NewAppsecExceptionCondition::load(cereal::JSONInputArchive &archive_in)
-{
- dbgTrace(D_LOCAL_POLICY) << "Loading New AppSec exception condition";
- parseAppsecJSONKey("key", key, archive_in);
- parseAppsecJSONKey("value", value, archive_in);
-}
-
-const string &
-NewAppsecExceptionCondition::getKey() const
-{
- return key;
-}
-
-const string &
-NewAppsecExceptionCondition::getvalue() const
-{
- return value;
-}
-
-void
-NewAppsecException::load(cereal::JSONInputArchive &archive_in)
-{
- dbgTrace(D_LOCAL_POLICY) << "Loading New AppSec exception";
- parseAppsecJSONKey("name", name, archive_in);
- parseAppsecJSONKey("action", action, archive_in);
- parseAppsecJSONKey("appsecClassName", appsec_class_name, archive_in);
- if (valid_actions.count(action) == 0) {
- dbgWarning(D_LOCAL_POLICY) << "AppSec exception action invalid: " << action;
- }
- parseAppsecJSONKey>("condition", conditions, archive_in);
-}
-
-void
-NewAppsecException::setName(const string &_name)
-{
- name = _name;
-}
-
-const string &
-NewAppsecException::getName() const
-{
- return name;
-}
-
-const string &
-NewAppsecException::getAction() const
-{
- return action;
-}
-
-const string & 
-NewAppsecException::getAppSecClassName() const
-{
- return appsec_class_name;
-}
-
-const vector
-NewAppsecException::getCountryCode() const
-{
- vector country_codes;
- for (const NewAppsecExceptionCondition &condition : conditions) {
- if (condition.getKey() == "countryCode") {
- country_codes.push_back(condition.getvalue());
- }
- }
- return country_codes;
-}
-
-const vector
-NewAppsecException::getCountryName() const
-{
- vector country_names;
- for (const NewAppsecExceptionCondition &condition : conditions) {
- if (condition.getKey() == "countryName") {
- country_names.push_back(condition.getvalue());
- }
- }
- return country_names;
-}
-
-const vector
-NewAppsecException::getHostName() const
-{
- vector host_names;
- for (const NewAppsecExceptionCondition &condition : conditions) {
- if (condition.getKey() == "hostName") {
- host_names.push_back(condition.getvalue());
- }
- }
- return host_names;
-}
-
-const vector
-NewAppsecException::getParamName() const
-{
- vector param_names;
- for (const NewAppsecExceptionCondition &condition : conditions) {
- if (condition.getKey() == "paramName") {
- param_names.push_back(condition.getvalue());
- }
- }
- return param_names;
-}
-
-const vector
-NewAppsecException::getParamValue() const
-{
- vector param_values;
- for (const NewAppsecExceptionCondition &condition : conditions) {
- if (condition.getKey() == "paramValue") {
- param_values.push_back(condition.getvalue());
- }
- }
- return param_values;
-}
-
-const vector
-NewAppsecException::getProtectionName() const
-{
- vector protection_names;
- for (const NewAppsecExceptionCondition &condition : conditions) {
- if (condition.getKey() == "protectionName") {
- protection_names.push_back(condition.getvalue());
- }
- }
- return protection_names;
-}
-
-const vector
-NewAppsecException::getSourceIdentifier() const
-{
- vector source_identifiers;
- for (const NewAppsecExceptionCondition &condition : conditions) {
- if (condition.getKey() == "sourceIdentifier") {
- 
source_identifiers.push_back(condition.getvalue());
- }
- }
- return source_identifiers;
-}
-
-const vector
-NewAppsecException::getSourceIp() const
-{
- vector source_ips;
- for (const NewAppsecExceptionCondition &condition : conditions) {
- if (condition.getKey() == "sourceIp") {
- source_ips.push_back(condition.getvalue());
- }
- }
- return source_ips;
-}
-
-const vector
-NewAppsecException::getUrl() const
-{
- vector urls;
- for (const NewAppsecExceptionCondition &condition : conditions) {
- if (condition.getKey() == "url") {
- urls.push_back(condition.getvalue());
- }
- }
- return urls;
-}
-// LCOV_EXCL_STOP
diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/new_log_trigger.cc b/components/security_apps/orchestration/local_policy_mgmt_gen/new_log_trigger.cc
deleted file mode 100644
index 13dded3..0000000
--- a/components/security_apps/orchestration/local_policy_mgmt_gen/new_log_trigger.cc
+++ /dev/null
@@ -1,321 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "new_log_trigger.h"
-
-using namespace std;
-
-USE_DEBUG_FLAG(D_LOCAL_POLICY);
-// LCOV_EXCL_START Reason: no test exist
-
-static const set valid_severities = {"high", "critical"};
-static const set valid_protocols = {"tcp", "udp"};
-static const set valid_formats = {"json", "json-formatted"};
-
-void
-NewAppsecTriggerAccessControlLogging::load(cereal::JSONInputArchive &archive_in)
-{
- dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Trigger - Access Control Logging";
- parseAppsecJSONKey("allowEvents", allow_events, archive_in, false);
- parseAppsecJSONKey("dropEvents", drop_events, archive_in, false);
-}
-
-void
-NewAppsecTriggerAdditionalSuspiciousEventsLogging::load(cereal::JSONInputArchive &archive_in)
-{
- dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Trigger - Additional Suspicious Events Logging";
- parseAppsecJSONKey("enabled", enabled, archive_in, true);
- parseAppsecJSONKey("responseBody", response_body, archive_in, false);
- //the old code didn't parse the responsecode so ask Noam what is the currenct default value for it
- parseAppsecJSONKey("responseCode", response_code, archive_in, false);
- parseAppsecJSONKey("minSeverity", minimum_severity, archive_in, "high");
- if (valid_severities.count(minimum_severity) == 0) {
- dbgWarning(D_LOCAL_POLICY)
- << "AppSec AppSec Trigger - Additional Suspicious Events Logging minimum severity invalid: "
- << 
minimum_severity;
- }
-}
-
-bool
-NewAppsecTriggerAdditionalSuspiciousEventsLogging::isEnabled() const
-{
- return enabled;
-}
-
-bool
-NewAppsecTriggerAdditionalSuspiciousEventsLogging::isResponseBody() const
-{
- return response_body;
-}
-
-const string &
-NewAppsecTriggerAdditionalSuspiciousEventsLogging::getMinimumSeverity() const
-{
- return minimum_severity;
-}
-
-void
-NewAppsecTriggerLogging::load(cereal::JSONInputArchive &archive_in)
-{
- dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Trigger Logging";
- parseAppsecJSONKey("detectEvents", detect_events, archive_in, false);
- parseAppsecJSONKey("preventEvents", prevent_events, archive_in, true);
- parseAppsecJSONKey("allWebRequests", all_web_requests, archive_in, false);
-}
-
-bool
-NewAppsecTriggerLogging::isAllWebRequests() const
-{
- return all_web_requests;
-}
-
-bool
-NewAppsecTriggerLogging::isDetectEvents() const
-{
- return detect_events;
-}
-
-bool
-NewAppsecTriggerLogging::isPreventEvents() const
-{
- return prevent_events;
-}
-
-void
-NewAppsecTriggerExtendedLogging::load(cereal::JSONInputArchive &archive_in)
-{
- dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Trigger Extended Logging";
- parseAppsecJSONKey("httpHeaders", http_headers, archive_in, false);
- parseAppsecJSONKey("requestBody", request_body, archive_in, false);
- parseAppsecJSONKey("urlPath", url_path, archive_in, false);
- parseAppsecJSONKey("urlQuery", url_query, archive_in, false);
-}
-
-bool
-NewAppsecTriggerExtendedLogging::isHttpHeaders() const
-{
- return http_headers;
-}
-
-bool
-NewAppsecTriggerExtendedLogging::isRequestBody() const
-{
- return request_body;
-}
-
-bool
-NewAppsecTriggerExtendedLogging::isUrlPath() const
-{
- return url_path;
-}
-
-bool
-NewAppsecTriggerExtendedLogging::isUrlQuery() const
-{
- return url_query;
-}
-
-void
-NewLoggingService::load(cereal::JSONInputArchive &archive_in)
-{
- parseAppsecJSONKey("address", address, archive_in);
- parseAppsecJSONKey("proto", proto, archive_in);
- if 
(valid_protocols.count(proto) == 0) {
- dbgWarning(D_LOCAL_POLICY) << "AppSec Logging Service - proto invalid: " << proto;
- }
-
- parseAppsecJSONKey("port", port, archive_in, 514);
-}
-
-const string &
-NewLoggingService::getAddress() const
-{
- return address;
-}
-
-int
-NewLoggingService::getPort() const
-{
- return port;
-}
-
-
-void
-NewStdoutLogging::load(cereal::JSONInputArchive &archive_in)
-{
- parseAppsecJSONKey("format", format, archive_in, "json");
- if (valid_formats.count(format) == 0) {
- dbgWarning(D_LOCAL_POLICY) << "AppSec Stdout Logging - format invalid: " << format;
- }
-}
-
-const string &
-NewStdoutLogging::getFormat() const
-{
- return format;
-}
-
-void
-NewAppsecTriggerLogDestination::load(cereal::JSONInputArchive &archive_in)
-{
- dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Trigger LogDestination";
- // TBD: support "file"
- parseAppsecJSONKey("cloud", cloud, archive_in, false);
- auto mode = Singleton::Consume::by()->getOrchestrationMode();
- auto env_type = Singleton::Consume::by()->getEnvType();
- bool k8s_service_default = (mode == OrchestrationMode::HYBRID && env_type == EnvType::K8S);
- parseAppsecJSONKey("k8s-service", k8s_service, archive_in, k8s_service_default);
-
- NewStdoutLogging stdout_log;
- parseAppsecJSONKey("stdout", stdout_log, archive_in);
- agent_local = !(stdout_log.getFormat().empty());
- beautify_logs = stdout_log.getFormat() == "json-formatted";
- parseAppsecJSONKey("syslogService", syslog_service, archive_in);
- parseAppsecJSONKey("cefService", cef_service, archive_in);
-}
-
-int
-NewAppsecTriggerLogDestination::getCefServerUdpPort() const
-{
- return getCefServiceData().getPort();
-}
-
-int
-NewAppsecTriggerLogDestination::getSyslogServerUdpPort() const
-{
- return getSyslogServiceData().getPort();
-}
-
-bool
-NewAppsecTriggerLogDestination::isAgentLocal() const
-{
- return agent_local;
-}
-
-bool
-NewAppsecTriggerLogDestination::shouldBeautifyLogs() const
-{
- return beautify_logs;
-}
-
-bool 
-NewAppsecTriggerLogDestination::getCloud() const
-{
- return cloud;
-}
-
-bool
-NewAppsecTriggerLogDestination::isK8SNeeded() const
-{
- return k8s_service;
-}
-
-bool
-NewAppsecTriggerLogDestination::isCefNeeded() const
-{
- return !getCefServiceData().getAddress().empty();
-}
-
-bool
-NewAppsecTriggerLogDestination::isSyslogNeeded() const
-{
- return !getSyslogServiceData().getAddress().empty();
-}
-
-const
-string & NewAppsecTriggerLogDestination::getSyslogServerIpv4Address() const
-{
- return getSyslogServiceData().getAddress();
-}
-
-const string &
-NewAppsecTriggerLogDestination::getCefServerIpv4Address() const
-{
- return getCefServiceData().getAddress();
-}
-
-const NewLoggingService &
-NewAppsecTriggerLogDestination::getSyslogServiceData() const
-{
- return syslog_service;
-}
-
-const NewLoggingService &
-NewAppsecTriggerLogDestination::getCefServiceData() const
-{
- return cef_service;
-}
-
-void
-NewAppsecLogTrigger::load(cereal::JSONInputArchive &archive_in)
-{
- dbgTrace(D_LOCAL_POLICY) << "Loading AppSec log trigger";
- parseAppsecJSONKey("appsecClassName", appsec_class_name, archive_in);
- parseAppsecJSONKey(
- "accessControlLogging",
- access_control_logging,
- archive_in
- );
- parseAppsecJSONKey(
- "additionalSuspiciousEventsLogging",
- additional_suspicious_events_logging,
- archive_in
- );
- parseAppsecJSONKey("appsecLogging", appsec_logging, archive_in);
- parseAppsecJSONKey("extendedLogging", extended_logging, archive_in);
- parseAppsecJSONKey("logDestination", log_destination, archive_in);
- parseAppsecJSONKey("name", name, archive_in);
-}
-
-void
-NewAppsecLogTrigger::setName(const string &_name)
-{
- name = _name;
-}
-
-const string &
-NewAppsecLogTrigger::getName() const
-{
- return name;
-}
-
-const string &
-NewAppsecLogTrigger::getAppSecClassName() const
-{
- return appsec_class_name;
-}
-
-const NewAppsecTriggerAdditionalSuspiciousEventsLogging &
-NewAppsecLogTrigger::getAppsecTriggerAdditionalSuspiciousEventsLogging() const
-{
- 
return additional_suspicious_events_logging;
-}
-
-const NewAppsecTriggerLogging &
-NewAppsecLogTrigger::getAppsecTriggerLogging() const
-{
- return appsec_logging;
-}
-
-const NewAppsecTriggerExtendedLogging &
-NewAppsecLogTrigger::getAppsecTriggerExtendedLogging() const
-{
- return extended_logging;
-}
-
-const NewAppsecTriggerLogDestination &
-NewAppsecLogTrigger::getAppsecTriggerLogDestination() const
-{
- return log_destination;
-}
-// LCOV_EXCL_STOP
diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/new_practice.cc b/components/security_apps/orchestration/local_policy_mgmt_gen/new_practice.cc
deleted file mode 100644
index 9ae3141..0000000
--- a/components/security_apps/orchestration/local_policy_mgmt_gen/new_practice.cc
+++ /dev/null
@@ -1,751 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "new_practice.h"
-
-using namespace std;
-
-USE_DEBUG_FLAG(D_LOCAL_POLICY);
-// LCOV_EXCL_START Reason: no test exist
-
-static const set performance_impacts = {"low", "medium", "high"};
-static const set severity_levels = {"low", "medium", "high", "critical"};
-static const set size_unit = {"bytes", "KB", "MB", "GB"};
-static const set confidences_actions = {"prevent", "detect", "inactive"};
-static const set valid_modes = {"prevent", "detect", "inactive", "prevent-learn", "detect-learn"};
-static const set valid_confidences = {"medium", "high", "critical"};
-static const std::unordered_map key_to_performance_impact_val = {
- { "low", "Low or lower"},
- { "medium", "Medium or lower"},
- { "high", "High or lower"}
-};
-static const std::unordered_map key_to_severity_level_val = {
- { "low", "Low or above"},
- { "medium", "Medium or above"},
- { "high", "High or above"},
- { "critical", "Critical"}
-};
-static const std::unordered_map key_to_mode_val = {
- { "prevent-learn", "Prevent"},
- { "detect-learn", "Detect"},
- { "prevent", "Prevent"},
- { "detect", "Detect"},
- { "inactive", "Inactive"}
-};
-static const std::unordered_map unit_to_int = {
- { "bytes", 1},
- { "KB", 1024},
- { "MB", 1048576},
- { "GB", 1073741824}
-};
-
-void
-NewAppSecWebBotsURI::load(cereal::JSONInputArchive &archive_in)
-{
- dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Web Bots URI";
- 
parseAppsecJSONKey("uri", uri, archive_in);
-}
-
-const string &
-NewAppSecWebBotsURI::getURI() const
-{
- return uri;
-}
-
-std::vector
-NewAppSecPracticeAntiBot::getIjectedUris() const
-{
- vector injected;
- for (const NewAppSecWebBotsURI &uri : injected_uris) injected.push_back(uri.getURI());
- return injected;
-}
-
-std::vector
-NewAppSecPracticeAntiBot::getValidatedUris() const
-{
- vector validated;
- for (const NewAppSecWebBotsURI &uri : validated_uris) validated.push_back(uri.getURI());
- return validated;
-}
-
-void
-NewAppSecPracticeAntiBot::load(cereal::JSONInputArchive &archive_in)
-{
- dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Web Bots";
- parseAppsecJSONKey>("injectedUris", injected_uris, archive_in);
- parseAppsecJSONKey>("validatedUris", validated_uris, archive_in);
- parseAppsecJSONKey("overrideMode", override_mode, archive_in, "Inactive");
- if (valid_modes.count(override_mode) == 0) {
- dbgWarning(D_LOCAL_POLICY) << "AppSec Web Bots override mode invalid: " << override_mode;
- }
-}
-
-void
-NewAppSecPracticeAntiBot::save(cereal::JSONOutputArchive &out_ar) const
-{
- vector injected;
- vector validated;
- for (const NewAppSecWebBotsURI &uri : injected_uris) injected.push_back(uri.getURI());
- for (const NewAppSecWebBotsURI &uri : validated_uris) validated.push_back(uri.getURI());
- out_ar(
- cereal::make_nvp("injected", injected),
- cereal::make_nvp("validated", validated)
- );
-}
-
-void
-NewAppSecWebAttackProtections::load(cereal::JSONInputArchive &archive_in)
-{
- dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Web Attack Protections";
- parseAppsecJSONKey("csrfEnabled", csrf_protection, archive_in, "inactive");
- parseAppsecJSONKey("errorDisclosureEnabled", error_disclosure, archive_in, "inactive");
- parseAppsecJSONKey("openRedirectEnabled", open_redirect, archive_in, "inactive");
- parseAppsecJSONKey("nonValidHttpMethods", non_valid_http_methods, archive_in, false);
-}
-
-const string
-NewAppSecWebAttackProtections::getCsrfProtectionMode() 
const -{ - if (key_to_practices_val.find(csrf_protection) == key_to_practices_val.end()) { - dbgError(D_LOCAL_POLICY) - << "Failed to find a value for " - << csrf_protection - << ". Setting CSRF protection to Inactive"; - return "Inactive"; - } - return key_to_practices_val.at(csrf_protection); -} - -const string & -NewAppSecWebAttackProtections::getErrorDisclosureMode() const -{ - return error_disclosure; -} - -bool -NewAppSecWebAttackProtections::getNonValidHttpMethods() const -{ - return non_valid_http_methods; -} - -const string -NewAppSecWebAttackProtections::getOpenRedirectMode() const -{ - if (key_to_practices_val.find(open_redirect) == key_to_practices_val.end()) { - dbgError(D_LOCAL_POLICY) - << "Failed to find a value for " - << open_redirect - << ". Setting Open Redirect mode to Inactive"; - return "Inactive"; - } - return key_to_practices_val.at(open_redirect); -} - -void -NewAppSecPracticeWebAttacks::load(cereal::JSONInputArchive &archive_in) -{ - dbgTrace(D_LOCAL_POLICY) << "Loading AppSec practice web attacks spec"; - parseAppsecJSONKey("protections", protections, archive_in); - parseAppsecJSONKey("overrideMode", mode, archive_in, "Unset"); - if (valid_modes.count(mode) == 0) { - dbgWarning(D_LOCAL_POLICY) << "AppSec practice override mode invalid: " << mode; - } - - if (getMode() == "Prevent") { - parseAppsecJSONKey("minimumConfidence", minimum_confidence, archive_in, "critical"); - if (valid_confidences.count(minimum_confidence) == 0) { - dbgWarning(D_LOCAL_POLICY) - << "AppSec practice override minimum confidence invalid: " - << minimum_confidence; - } - } else { - minimum_confidence = "Transparent"; - } - parseAppsecJSONKey("maxBodySizeKb", max_body_size_kb, archive_in, 1000000); - parseAppsecJSONKey("maxHeaderSizeBytes", max_header_size_bytes, archive_in, 102400); - parseAppsecJSONKey("maxObjectDepth", max_object_depth, archive_in, 40); - parseAppsecJSONKey("maxUrlSizeBytes", max_url_size_bytes, archive_in, 32768); -} - -int 
-NewAppSecPracticeWebAttacks::getMaxBodySizeKb() const -{ - return max_body_size_kb; -} - -int -NewAppSecPracticeWebAttacks::getMaxHeaderSizeBytes() const -{ - return max_header_size_bytes; -} - -int -NewAppSecPracticeWebAttacks::getMaxObjectDepth() const -{ - return max_object_depth; -} - -int -NewAppSecPracticeWebAttacks::getMaxUrlSizeBytes() const -{ - return max_url_size_bytes; -} - -const string & -NewAppSecPracticeWebAttacks::getMinimumConfidence() const -{ - return minimum_confidence; -} - -const string & -NewAppSecPracticeWebAttacks::getMode(const string &default_mode) const -{ - if (mode == "Unset" || (key_to_practices_val.find(mode) == key_to_practices_val.end())) { - dbgError(D_LOCAL_POLICY) << "Couldn't find a value for key: " << mode << ". Returning " << default_mode; - return default_mode; - } - return key_to_practices_val.at(mode); -} - -void -NewSnortSignaturesAndOpenSchemaAPI::load(cereal::JSONInputArchive &archive_in) -{ - dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Snort Signatures practice"; - parseAppsecJSONKey("overrideMode", override_mode, archive_in, "Inactive"); - parseAppsecJSONKey>("configmap", config_map, archive_in); - if (valid_modes.count(override_mode) == 0) { - dbgWarning(D_LOCAL_POLICY) << "AppSec Snort Signatures override mode invalid: " << override_mode; - } -} - -const string & -NewSnortSignaturesAndOpenSchemaAPI::getOverrideMode() const -{ - return override_mode; -} - -const vector & -NewSnortSignaturesAndOpenSchemaAPI::getConfigMap() const -{ - return config_map; -} - -void -IpsProtectionsRulesSection::save(cereal::JSONOutputArchive &out_ar) const -{ - vector protections; - out_ar( - cereal::make_nvp("action", key_to_mode_val.at(action)), - cereal::make_nvp("confidenceLevel", confidence_level), - cereal::make_nvp("clientProtections", true), - cereal::make_nvp("serverProtections", true), - cereal::make_nvp("protectionTags", protections), - cereal::make_nvp("protectionIds", protections), - cereal::make_nvp("performanceImpact", 
key_to_performance_impact_val.at(performance_impact)), - cereal::make_nvp("severityLevel", key_to_severity_level_val.at(severity_level)), - cereal::make_nvp("protectionsFromYear", protections_from_year) - ); -} - -IpsProtectionsSection::IpsProtectionsSection( - const string &_context, - const string &asset_name, - const string &_asset_id, - const string &_practice_name, - const string &_practice_id, - const string &_source_identifier, - const string &_mode, - const vector &_rules) - : - context(_context), - name(asset_name), - asset_id(_asset_id), - practice_name(_practice_name), - practice_id(_practice_id), - source_identifier(_source_identifier), - mode(_mode), - rules(_rules) -{ -} - -std::string & -IpsProtectionsSection::getMode() -{ - return mode; -} - -void -IpsProtectionsSection::save(cereal::JSONOutputArchive &out_ar) const -{ - out_ar( - cereal::make_nvp("context", context), - cereal::make_nvp("ruleName", name), - cereal::make_nvp("assetName", name), - cereal::make_nvp("assetId", asset_id), - cereal::make_nvp("practiceName", practice_name), - cereal::make_nvp("practiceId", practice_id), - cereal::make_nvp("sourceIdentifier", source_identifier), - cereal::make_nvp("defaultAction", key_to_mode_val.at(mode)), - cereal::make_nvp("rules", rules) - ); -} - -void -IPSSection::save(cereal::JSONOutputArchive &out_ar) const -{ - out_ar( - cereal::make_nvp("IpsProtections", ips) - ); -} - -void -IntrusionPreventionWrapper::save(cereal::JSONOutputArchive &out_ar) const -{ - out_ar( - cereal::make_nvp("IPS", ips) - ); -} - -void -NewIntrusionPrevention::load(cereal::JSONInputArchive &archive_in) -{ - dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Intrusion Prevention practice"; - parseAppsecJSONKey("overrideMode", override_mode, archive_in, "Inactive"); - if (valid_modes.count(override_mode) == 0) { - dbgWarning(D_LOCAL_POLICY) << "AppSec Intrusion Prevention override mode invalid: " << override_mode; - } - parseAppsecJSONKey("maxPerformanceImpact", 
max_performance_impact, archive_in, "low"); - if (performance_impacts.count(max_performance_impact) == 0) { - dbgWarning(D_LOCAL_POLICY) - << "AppSec Intrusion Prevention max performance impact invalid: " - << max_performance_impact; - } - parseAppsecJSONKey("minSeverityLevel", min_severity_level, archive_in, "low"); - if (severity_levels.count(min_severity_level) == 0) { - dbgWarning(D_LOCAL_POLICY) - << "AppSec Intrusion Prevention min severity level invalid: " - << min_severity_level; - } - parseAppsecJSONKey("highConfidenceEventAction", high_confidence_event_action, archive_in, "inactive"); - if (confidences_actions.count(high_confidence_event_action) == 0) { - dbgWarning(D_LOCAL_POLICY) - << "AppSec Intrusion Prevention high confidence event invalid: " - << high_confidence_event_action; - } - parseAppsecJSONKey("mediumConfidenceEventAction", medium_confidence_event_action, archive_in, "inactive"); - if (confidences_actions.count(medium_confidence_event_action) == 0) { - dbgWarning(D_LOCAL_POLICY) - << "AppSec Intrusion Prevention medium confidence event invalid: " - << medium_confidence_event_action; - } - parseAppsecJSONKey("lowConfidenceEventAction", low_confidence_event_action, archive_in, "inactive"); - if (confidences_actions.count(low_confidence_event_action) == 0) { - dbgWarning(D_LOCAL_POLICY) - << "AppSec Intrusion Prevention low confidence event action invalid: " - << low_confidence_event_action; - } - parseAppsecJSONKey("minCveYear", min_cve_Year, archive_in); -} - -vector -NewIntrusionPrevention::createIpsRules() const -{ - vector ips_rules; - IpsProtectionsRulesSection high_rule( - min_cve_Year, - high_confidence_event_action, - string("High"), - max_performance_impact, - string(""), - min_severity_level - ); - ips_rules.push_back(high_rule); - - IpsProtectionsRulesSection med_rule( - min_cve_Year, - medium_confidence_event_action, - string("Medium"), - max_performance_impact, - string(""), - min_severity_level - ); - 
ips_rules.push_back(med_rule); - - IpsProtectionsRulesSection low_rule( - min_cve_Year, - low_confidence_event_action, - string("Low"), - max_performance_impact, - string(""), - min_severity_level - ); - ips_rules.push_back(low_rule); - - return ips_rules; -} - -const std::string & -NewIntrusionPrevention::getMode() const -{ - return override_mode; -} - -FileSecurityProtectionsSection::FileSecurityProtectionsSection( - int _file_size_limit, - int _archive_file_size_limit, - bool _allow_files_without_name, - bool _required_file_size_limit, - bool _required_archive_extraction, - const std::string &_context, - const std::string &_name, - const std::string &_asset_id, - const std::string &_practice_name, - const std::string &_practice_id, - const std::string &_action, - const std::string &_files_without_name_action, - const std::string &_high_confidence_action, - const std::string &_medium_confidence_action, - const std::string &_low_confidence_action, - const std::string &_severity_level, - const std::string &_file_size_limit_action, - const std::string &_multi_level_archive_action, - const std::string &_unopened_archive_action) - : - file_size_limit(_file_size_limit), - archive_file_size_limit(_archive_file_size_limit), - allow_files_without_name(_allow_files_without_name), - required_file_size_limit(_required_file_size_limit), - required_archive_extraction(_required_archive_extraction), - context(_context), - name(_name), - asset_id(_asset_id), - practice_name(_practice_name), - practice_id(_practice_id), - action(_action), - files_without_name_action(_files_without_name_action), - high_confidence_action(_high_confidence_action), - medium_confidence_action(_medium_confidence_action), - low_confidence_action(_low_confidence_action), - severity_level(_severity_level), - file_size_limit_action(_file_size_limit_action), - multi_level_archive_action(_multi_level_archive_action), - unopened_archive_action(_unopened_archive_action) -{} - -void 
-FileSecurityProtectionsSection::save(cereal::JSONOutputArchive &out_ar) const -{ - out_ar( - cereal::make_nvp("context", context), - cereal::make_nvp("ruleName", name), - cereal::make_nvp("assetName", name), - cereal::make_nvp("assetId", asset_id), - cereal::make_nvp("practiceName", practice_name), - cereal::make_nvp("practiceId", practice_id), - cereal::make_nvp("action", key_to_mode_val.at(action)), - cereal::make_nvp("filesWithoutNameAction", key_to_mode_val.at(files_without_name_action)), - cereal::make_nvp("allowFilesWithoutName", allow_files_without_name), - cereal::make_nvp("highConfidence", key_to_mode_val.at(high_confidence_action)), - cereal::make_nvp("mediumConfidence", key_to_mode_val.at(medium_confidence_action)), - cereal::make_nvp("lowConfidence", key_to_mode_val.at(low_confidence_action)), - cereal::make_nvp("severityLevel", key_to_severity_level_val.at(severity_level)), - cereal::make_nvp("fileSizeLimitAction", key_to_mode_val.at(file_size_limit_action)), - cereal::make_nvp("fileSizeLimit", file_size_limit), - cereal::make_nvp("requiredFileSizeLimit", required_file_size_limit), - cereal::make_nvp("requiredArchiveExtraction", required_archive_extraction), - cereal::make_nvp("archiveFileSizeLimit", archive_file_size_limit), - cereal::make_nvp("MultiLevelArchiveAction", key_to_mode_val.at(multi_level_archive_action)), - cereal::make_nvp("UnopenedArchiveAction", key_to_mode_val.at(unopened_archive_action)) - ); -} - -void -FileSecuritySection::save(cereal::JSONOutputArchive &out_ar) const -{ - out_ar( - cereal::make_nvp("FileSecurityProtections", file_security) - ); -} - -void -FileSecurityWrapper::save(cereal::JSONOutputArchive &out_ar) const -{ - out_ar( - cereal::make_nvp("FileSecurity", file_security) - ); -} - -void -NewFileSecurityArchiveInspection::load(cereal::JSONInputArchive &archive_in) -{ - dbgTrace(D_LOCAL_POLICY) << "Loading AppSec File Security Archive Inspection practice"; - parseAppsecJSONKey("extractArchiveFiles", 
extract_archive_files, archive_in); - parseAppsecJSONKey("scanMaxFileSize", scan_max_file_size, archive_in, 0); - parseAppsecJSONKey("scanMaxFileSizeUnit", scan_max_file_size_unit, archive_in, "bytes"); - if (size_unit.count(scan_max_file_size_unit) == 0) { - dbgWarning(D_LOCAL_POLICY) - << "AppSec File Security Archive Inspection scan max file size unit invalid: " - << scan_max_file_size_unit; - } - parseAppsecJSONKey( - "archivedFilesWithinArchivedFiles", - archived_files_within_archived_files, - archive_in, - "inactive"); - if (confidences_actions.count(archived_files_within_archived_files) == 0) { - dbgWarning(D_LOCAL_POLICY) - << "AppSec File Security Archive Inspection archived files within archived files invalid: " - << archived_files_within_archived_files; - } - parseAppsecJSONKey( - "archivedFilesWhereContentExtractionFailed", - archived_files_where_content_extraction_failed, - archive_in, - "inactive"); - if (confidences_actions.count(archived_files_where_content_extraction_failed) == 0) { - dbgWarning(D_LOCAL_POLICY) - << "AppSec File Security Archive Inspection archived files within archived file invalid: " - << archived_files_where_content_extraction_failed; - } -} - -int -NewFileSecurityArchiveInspection::getArchiveFileSizeLimit() const -{ - if (unit_to_int.find(scan_max_file_size_unit) == unit_to_int.end()) { - dbgError(D_LOCAL_POLICY) - << "Failed to find a value for " - << scan_max_file_size_unit - << ". 
Setting scan max file size unit to 0"; - return 0; - } - return (scan_max_file_size * unit_to_int.at(scan_max_file_size_unit)); -} - -bool -NewFileSecurityArchiveInspection::getrequiredArchiveExtraction() const -{ - return extract_archive_files; -} - -const std::string & -NewFileSecurityArchiveInspection::getMultiLevelArchiveAction() const -{ - return archived_files_within_archived_files; -} - -const std::string & -NewFileSecurityArchiveInspection::getUnopenedArchiveAction() const -{ - return archived_files_where_content_extraction_failed; -} - -void -NewFileSecurityLargeFileInspection::load(cereal::JSONInputArchive &archive_in) -{ - dbgTrace(D_LOCAL_POLICY) << "Loading AppSec File Security large File Inspection practice"; - parseAppsecJSONKey("fileSizeLimit", file_size_limit, archive_in); - parseAppsecJSONKey("fileSizeLimitUnit", file_size_limit_unit, archive_in, "bytes"); - if (size_unit.count(file_size_limit_unit) == 0) { - dbgWarning(D_LOCAL_POLICY) - << "AppSec File Security large File Inspection file size limit unit invalid: " - << file_size_limit_unit; - } - parseAppsecJSONKey( - "filesExceedingSizeLimitAction", - files_exceeding_size_limit_action, - archive_in, - "inactive"); - if (confidences_actions.count(files_exceeding_size_limit_action) == 0) { - dbgWarning(D_LOCAL_POLICY) - << "AppSec File Security Archive Inspection archived files within archived files invalid: " - << files_exceeding_size_limit_action; - } -} - -int -NewFileSecurityLargeFileInspection::getFileSizeLimit() const -{ - if (unit_to_int.find(file_size_limit_unit) == unit_to_int.end()) { - dbgError(D_LOCAL_POLICY) - << "Failed to find a value for " - << file_size_limit_unit - << ". 
Setting file size limit unit to 0"; - return 0; - } - return (file_size_limit * unit_to_int.at(file_size_limit_unit)); -} - -const std::string & -NewFileSecurityLargeFileInspection::getFileSizeLimitAction() const -{ - return files_exceeding_size_limit_action; -} - -void -NewFileSecurity::load(cereal::JSONInputArchive &archive_in) -{ - dbgTrace(D_LOCAL_POLICY) << "Loading AppSec File Security practice"; - parseAppsecJSONKey("overrideMode", override_mode, archive_in, "Inactive"); - if (valid_modes.count(override_mode) == 0) { - dbgWarning(D_LOCAL_POLICY) << "AppSec File Security override mode invalid: " << override_mode; - } - parseAppsecJSONKey("minSeverityLevel", min_severity_level, archive_in, "low"); - if (severity_levels.count(min_severity_level) == 0) { - dbgWarning(D_LOCAL_POLICY) << "AppSec File Security min severity level invalid: " << min_severity_level; - } - parseAppsecJSONKey("highConfidenceEventAction", high_confidence_event_action, archive_in, "inactive"); - if (confidences_actions.count(high_confidence_event_action) == 0) { - dbgWarning(D_LOCAL_POLICY) - << "AppSec File Security high confidence event invalid: " - << high_confidence_event_action; - } - parseAppsecJSONKey("mediumConfidenceEventAction", medium_confidence_event_action, archive_in, "inactive"); - if (confidences_actions.count(medium_confidence_event_action) == 0) { - dbgWarning(D_LOCAL_POLICY) - << "AppSec File Security medium confidence event invalid: " - << medium_confidence_event_action; - } - parseAppsecJSONKey("lowConfidenceEventAction", low_confidence_event_action, archive_in, "inactive"); - if (confidences_actions.count(low_confidence_event_action) == 0) { - dbgWarning(D_LOCAL_POLICY) - << "AppSec File Security low confidence event action invalid: " - << low_confidence_event_action; - } - parseAppsecJSONKey("unnamedFilesAction", unnamed_files_action, archive_in, "inactive"); - if (confidences_actions.count(unnamed_files_action) == 0) { - dbgWarning(D_LOCAL_POLICY) - << "AppSec File 
Security low unnamed files action invalid: " - << unnamed_files_action; - } - parseAppsecJSONKey("threatEmulationEnabled", threat_emulation_enabled, archive_in); - parseAppsecJSONKey("archiveInspection", archive_inspection, archive_in); - parseAppsecJSONKey("largeFileInspection", large_file_inspection, archive_in); -} - - -const NewFileSecurityArchiveInspection & -NewFileSecurity::getArchiveInspection() const -{ - return archive_inspection; -} - -const NewFileSecurityLargeFileInspection & -NewFileSecurity::getLargeFileInspection() const -{ - return large_file_inspection; -} - -FileSecurityProtectionsSection -NewFileSecurity::createFileSecurityProtectionsSection( - const string &context, - const string &asset_name, - const string &asset_id, - const string &practice_name, - const string &practice_id) const -{ - return FileSecurityProtectionsSection( - getLargeFileInspection().getFileSizeLimit(), - getArchiveInspection().getArchiveFileSizeLimit(), - unnamed_files_action == "prevent" ? true : false, - getLargeFileInspection().getFileSizeLimitAction() == "prevent" ? 
true : false, - getArchiveInspection().getrequiredArchiveExtraction(), - context, - asset_name, - asset_id, - practice_name, - practice_id, - override_mode, - unnamed_files_action, - high_confidence_event_action, - medium_confidence_event_action, - low_confidence_event_action, - min_severity_level, - getLargeFileInspection().getFileSizeLimitAction(), - getArchiveInspection().getMultiLevelArchiveAction(), - getArchiveInspection().getUnopenedArchiveAction() - ); -} - -void -NewAppSecPracticeSpec::load(cereal::JSONInputArchive &archive_in) -{ - dbgTrace(D_LOCAL_POLICY) << "Loading AppSec practice spec"; - parseAppsecJSONKey( - "openapi-schema-validation", - openapi_schema_validation, - archive_in - ); - parseAppsecJSONKey("appsecClassName", appsec_class_name, archive_in); - parseAppsecJSONKey("fileSecurity", file_security, archive_in); - parseAppsecJSONKey("intrusionPrevention", intrusion_prevention, archive_in); - parseAppsecJSONKey("snortSignatures", snort_signatures, archive_in); - parseAppsecJSONKey("webAttacks", web_attacks, archive_in); - parseAppsecJSONKey("antiBot", anti_bot, archive_in); - parseAppsecJSONKey("name", practice_name, archive_in); -} - -void -NewAppSecPracticeSpec::setName(const string &_name) -{ - practice_name = _name; -} - -const NewSnortSignaturesAndOpenSchemaAPI & -NewAppSecPracticeSpec::getOpenSchemaValidation() const -{ - return openapi_schema_validation; -} - -const NewSnortSignaturesAndOpenSchemaAPI & -NewAppSecPracticeSpec::getSnortSignatures() const -{ - return snort_signatures; -} - -const NewAppSecPracticeWebAttacks & -NewAppSecPracticeSpec::getWebAttacks() const -{ - return web_attacks; -} - -const NewAppSecPracticeAntiBot & -NewAppSecPracticeSpec::getAntiBot() const -{ - return anti_bot; -} - -const NewIntrusionPrevention & -NewAppSecPracticeSpec::getIntrusionPrevention() const -{ - return intrusion_prevention; -} - -const NewFileSecurity & -NewAppSecPracticeSpec::getFileSecurity() const -{ - return file_security; -} - -const 
string &
-NewAppSecPracticeSpec::getAppSecClassName() const
-{
- return appsec_class_name;
-}
-
-const string &
-NewAppSecPracticeSpec::getName() const
-{
- return practice_name;
-}
-// LCOV_EXCL_STOP
diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/new_trusted_sources.cc b/components/security_apps/orchestration/local_policy_mgmt_gen/new_trusted_sources.cc
deleted file mode 100644
index ecff3b7..0000000
--- a/components/security_apps/orchestration/local_policy_mgmt_gen/new_trusted_sources.cc
+++ /dev/null
@@ -1,118 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "new_trusted_sources.h"
-
-using namespace std;
-
-USE_DEBUG_FLAG(D_LOCAL_POLICY);
-// LCOV_EXCL_START Reason: no test exist
-
-static const set valid_identifiers = {"headerkey", "JWTKey", "cookie", "sourceip", "x-forwarded-for"};
-
-void
-NewTrustedSourcesSpec::load(cereal::JSONInputArchive &archive_in)
-{
- dbgTrace(D_LOCAL_POLICY) << "Loading trusted sources spec";
- parseAppsecJSONKey("appsecClassName", appsec_class_name, archive_in);
- parseAppsecJSONKey("minNumOfSources", min_num_of_sources, archive_in, 3);
- parseAppsecJSONKey>("sourcesIdentifiers", sources_identifiers, archive_in);
- parseAppsecJSONKey("name", name, archive_in);
-}
-
-void
-NewTrustedSourcesSpec::setName(const string &_name)
-{
- name = _name;
-}
-
-int
-NewTrustedSourcesSpec::getMinNumOfSources() const
-{
- return min_num_of_sources;
-}
-
-const vector &
-NewTrustedSourcesSpec::getSourcesIdentifiers() const
-{
- return sources_identifiers;
-}
-
-const string &
-NewTrustedSourcesSpec::getAppSecClassName() const
-{
- return appsec_class_name;
-}
-
-const string &
-NewTrustedSourcesSpec::getName() const
-{
- return name;
-}
-
-void
-Identifier::load(cereal::JSONInputArchive &archive_in)
-{
- dbgTrace(D_LOCAL_POLICY) << "Loading source identifiers spec";
- parseAppsecJSONKey("sourceIdentifier", identifier, archive_in);
- if (valid_identifiers.count(identifier) == 0) {
- dbgWarning(D_LOCAL_POLICY)
<< "AppSec identifier invalid: " << identifier;
- }
- parseAppsecJSONKey>("value", value, archive_in);
-}
-
-const string &
-Identifier::getIdentifier() const
-{
- return identifier;
-}
-
-const vector &
-Identifier::getValues() const
-{
- return value;
-}
-
-void
-NewSourcesIdentifiers::load(cereal::JSONInputArchive &archive_in)
-{
- dbgTrace(D_LOCAL_POLICY) << "Loading Sources Identifiers";
- parseAppsecJSONKey("appsecClassName", appsec_class_name, archive_in);
- parseAppsecJSONKey>("sourcesIdentifiers", sources_identifiers, archive_in);
- parseAppsecJSONKey("name", name, archive_in);
-}
-
-void
-NewSourcesIdentifiers::setName(const string &_name)
-{
- name = _name;
-}
-
-const string &
-NewSourcesIdentifiers::getName() const
-{
- return name;
-}
-
-const string &
-NewSourcesIdentifiers::getAppSecClassName() const
-{
- return appsec_class_name;
-}
-
-const vector &
-NewSourcesIdentifiers::getSourcesIdentifiers() const
-{
- return sources_identifiers;
-}
-// LCOV_EXCL_STOP
diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/policy_maker_utils.cc b/components/security_apps/orchestration/local_policy_mgmt_gen/policy_maker_utils.cc
deleted file mode 100644
index 11fa9fc..0000000
--- a/components/security_apps/orchestration/local_policy_mgmt_gen/policy_maker_utils.cc
+++ /dev/null
@@ -1,1486 +0,0 @@ -// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. - -// Licensed under the Apache License, Version 2.0 (the "License"); -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -#include "policy_maker_utils.h" - -using namespace std; - -USE_DEBUG_FLAG(D_NGINX_POLICY); - -void -SecurityAppsWrapper::save(cereal::JSONOutputArchive &out_ar) const -{ - out_ar( - cereal::make_nvp("accessControlV2", rate_limit), - cereal::make_nvp("waap", waap), - cereal::make_nvp("triggers", trrigers), - cereal::make_nvp("rules", rules), - cereal::make_nvp("ips", ips), - cereal::make_nvp("exceptions", exceptions), - cereal::make_nvp("fileSecurity", file_security), - cereal::make_nvp("version", policy_version) - ); -} - -void -PolicyWrapper::save(cereal::JSONOutputArchive &out_ar) const -{ - security_apps.save(out_ar); -} - -string -PolicyMakerUtils::getPolicyName(const string &policy_path) -{ - string policy_name; - if (policy_path.find_last_of("/") != string::npos) { - policy_name = policy_path.substr(policy_path.find_last_of("/") + 1); - } else { - policy_name = policy_path; - } - if (policy_name.find(".") != string::npos) { - return policy_name.substr(0, policy_name.find(".")); - } - return policy_name; -} - -Maybe -PolicyMakerUtils::openPolicyAsJson(const string &policy_path) -{ - auto maybe_policy_as_json = Singleton::Consume::by()->getExecOutput( - getFilesystemPathConfig() + "/bin/yq " + policy_path + " -o json" - ); - - if (!maybe_policy_as_json.ok()) { - dbgDebug(D_NGINX_POLICY) << "Could not convert policy from yaml to json"; - return genError("Could not convert 
policy from yaml to json. Error: " + maybe_policy_as_json.getErr()); - } - - auto i_orchestration_tools = Singleton::Consume::by(); - auto maybe_policy = i_orchestration_tools->jsonStringToObject( - maybe_policy_as_json.unpack() - ); - - if (!maybe_policy.ok()) { - string error = "Policy in path: " + policy_path + " was not loaded. Error: " + maybe_policy.getErr(); - dbgDebug(D_NGINX_POLICY) << error; - return genError(error); - } - return maybe_policy.unpack(); -} - -void -PolicyMakerUtils::clearElementsMaps() -{ - log_triggers.clear(); - web_user_res_triggers.clear(); - inner_exceptions.clear(); - web_apps.clear(); - rules_config.clear(); -} - -// LCOV_EXCL_START Reason: no test exist - needed for NGINX config -bool -PolicyMakerUtils::startsWith(const string &str, const string &prefix) -{ - return str.rfind(prefix, 0) == 0; -} - -bool -PolicyMakerUtils::endsWith(const string &str, const string &suffix) -{ - return str.size() >= suffix.size() && - str.compare(str.size() - suffix.size(), suffix.size(), suffix) == 0; -} -// LCOV_EXCL_STOP - -tuple -PolicyMakerUtils::splitHostName(const string &host_name) -{ - string url = host_name; - string uri; - string port; - if (startsWith(url, "http://")) { - url = url.substr(7, url.length() - 1); - port = "80"; - } else if (startsWith(url, "https://")) { - url = url.substr(8, url.length() - 1); - port = "443"; - } - - if (url.find("/") != string::npos) { - uri = url.substr(url.find("/")); - url = url.substr(0, url.find("/")); - } else { - uri = ""; - } - - if (url.find(":") != string::npos) { - port = url.substr(url.find(":") + 1, url.length() - 1); - url = url.substr(0, url.find(":")); - } - - if (host_name == "*") { - url = "Any"; - uri = "Any"; - } - return make_tuple(url, port, uri); -} - -string -PolicyMakerUtils::dumpPolicyToFile(const PolicyWrapper &policy, const string &policy_path) -{ - clearElementsMaps(); - - stringstream ss; - { - cereal::JSONOutputArchive ar(ss); - policy.save(ar); - } - string policy_str = 
ss.str(); - try { - ofstream policy_file(policy_path); - policy_file << policy_str; - policy_file.close(); - } catch (const ofstream::failure &e) { - dbgDebug(D_NGINX_POLICY) << "Error while writing new policy to " << policy_path << ", Error: " << e.what(); - return ""; - } - - return policy_str; -} - -template -map -extractAnnotationsNames( - const R &parsed_rule, - const R &default_rule, - const string &policy_name) -{ - map rule_annotation; - string practice_annotation_name; - // TBD: support multiple practices - if (!parsed_rule.getPractices().empty() && !parsed_rule.getPractices()[0].empty()) { - practice_annotation_name = parsed_rule.getPractices()[0]; - } else if (!default_rule.getPractices().empty() && !default_rule.getPractices()[0].empty()) { - practice_annotation_name = default_rule.getPractices()[0]; - } - - if (!practice_annotation_name.empty()) { - rule_annotation[AnnotationTypes::PRACTICE] = policy_name + "/" + practice_annotation_name; - } - - string trigger_annotation_name; - // TBD: support multiple triggers - if (!parsed_rule.getLogTriggers().empty() && !parsed_rule.getLogTriggers()[0].empty()) { - trigger_annotation_name = parsed_rule.getLogTriggers()[0]; - } else if (!default_rule.getLogTriggers().empty() && !default_rule.getLogTriggers()[0].empty()) { - trigger_annotation_name = default_rule.getLogTriggers()[0]; - } - - if (!trigger_annotation_name.empty()) { - rule_annotation[AnnotationTypes::TRIGGER] = policy_name + "/" + trigger_annotation_name; - } - - string exception_annotation_name; - // TBD: support multiple exceptions - if (!parsed_rule.getExceptions().empty() && !parsed_rule.getExceptions()[0].empty()) { - exception_annotation_name = parsed_rule.getExceptions()[0]; - } else if (!default_rule.getExceptions().empty() && !default_rule.getExceptions()[0].empty()) { - exception_annotation_name = default_rule.getExceptions()[0]; - } - - if (!exception_annotation_name.empty()) { - rule_annotation[AnnotationTypes::EXCEPTION] = policy_name + 
"/" + exception_annotation_name; - } - - string web_user_res_annotation_name = - parsed_rule.getCustomResponse().empty() ? - default_rule.getCustomResponse() : - parsed_rule.getCustomResponse(); - - if (!web_user_res_annotation_name.empty()) { - rule_annotation[AnnotationTypes::WEB_USER_RES] = policy_name + "/" + web_user_res_annotation_name; - } - - string source_identifiers_annotation_name = - parsed_rule.getSourceIdentifiers().empty() ? - default_rule.getSourceIdentifiers() : - parsed_rule.getSourceIdentifiers(); - - if (!source_identifiers_annotation_name.empty()) { - rule_annotation[AnnotationTypes::SOURCE_IDENTIFIERS] = policy_name + "/" + source_identifiers_annotation_name; - } - - string trusted_sources_annotation_name = - parsed_rule.getTrustedSources ().empty() ? - default_rule.getTrustedSources() : - parsed_rule.getTrustedSources(); - - if (!trusted_sources_annotation_name.empty()) { - rule_annotation[AnnotationTypes::TRUSTED_SOURCES] = policy_name + "/" + trusted_sources_annotation_name; - } - return rule_annotation; -} - -// LCOV_EXCL_START Reason: no test exist -template<> -map -extractAnnotationsNames( - const NewParsedRule &parsed_rule, - const NewParsedRule &default_rule, - const string &policy_name) -{ - map rule_annotation; - string practice_annotation_name; - // TBD: support multiple practices - if (!parsed_rule.getPractices().empty() && !parsed_rule.getPractices()[0].empty()) { - practice_annotation_name = parsed_rule.getPractices()[0]; - } else if (!default_rule.getPractices().empty() && !default_rule.getPractices()[0].empty()) { - practice_annotation_name = default_rule.getPractices()[0]; - } - - if (!practice_annotation_name.empty()) { - rule_annotation[AnnotationTypes::PRACTICE] = policy_name + "/" + practice_annotation_name; - } - - string access_control_practice_name; - // TBD: support multiple practices - if (!parsed_rule.getAccessControlPractices().empty() && !parsed_rule.getAccessControlPractices()[0].empty()) { - 
access_control_practice_name = parsed_rule.getAccessControlPractices()[0]; - } else if ( !default_rule.getAccessControlPractices().empty() && - !default_rule.getAccessControlPractices()[0].empty()) { - access_control_practice_name = default_rule.getAccessControlPractices()[0]; - } - - if (!access_control_practice_name.empty()) { - rule_annotation[AnnotationTypes::ACCESS_CONTROL_PRACTICE] = policy_name + "/" + access_control_practice_name; - } - - string trigger_annotation_name; - // TBD: support multiple triggers - if (!parsed_rule.getLogTriggers().empty() && !parsed_rule.getLogTriggers()[0].empty()) { - trigger_annotation_name = parsed_rule.getLogTriggers()[0]; - } else if (!default_rule.getLogTriggers().empty() && !default_rule.getLogTriggers()[0].empty()) { - trigger_annotation_name = default_rule.getLogTriggers()[0]; - } - - if (!trigger_annotation_name.empty()) { - rule_annotation[AnnotationTypes::TRIGGER] = policy_name + "/" + trigger_annotation_name; - } - - string exception_annotation_name; - // TBD: support multiple exceptions - if (!parsed_rule.getExceptions().empty() && !parsed_rule.getExceptions()[0].empty()) { - exception_annotation_name = parsed_rule.getExceptions()[0]; - } else if (!default_rule.getExceptions().empty() && !default_rule.getExceptions()[0].empty()) { - exception_annotation_name = default_rule.getExceptions()[0]; - } - - if (!exception_annotation_name.empty()) { - rule_annotation[AnnotationTypes::EXCEPTION] = policy_name + "/" + exception_annotation_name; - } - - string web_user_res_annotation_name = - parsed_rule.getCustomResponse().empty() ? - default_rule.getCustomResponse() : - parsed_rule.getCustomResponse(); - - if (!web_user_res_annotation_name.empty()) { - rule_annotation[AnnotationTypes::WEB_USER_RES] = policy_name + "/" + web_user_res_annotation_name; - } - - string source_identifiers_annotation_name = - parsed_rule.getSourceIdentifiers().empty() ? 
- default_rule.getSourceIdentifiers() : - parsed_rule.getSourceIdentifiers(); - - if (!source_identifiers_annotation_name.empty()) { - rule_annotation[AnnotationTypes::SOURCE_IDENTIFIERS] = policy_name + "/" + source_identifiers_annotation_name; - } - - string trusted_sources_annotation_name = - parsed_rule.getTrustedSources ().empty() ? - default_rule.getTrustedSources() : - parsed_rule.getTrustedSources(); - - if (!trusted_sources_annotation_name.empty()) { - rule_annotation[AnnotationTypes::TRUSTED_SOURCES] = policy_name + "/" + trusted_sources_annotation_name; - } - return rule_annotation; -} -// LCOV_EXCL_STOP - -template -container_it -extractElement(container_it begin, container_it end, const string &element_name) -{ - dbgTrace(D_NGINX_POLICY) << "Tryting to find element: " << element_name; - string clean_element_name = element_name.substr(element_name.find("/") + 1); - for (container_it it = begin; it < end; it++) { - if (clean_element_name == it->getName()) { - dbgTrace(D_NGINX_POLICY) << "Element with name " << clean_element_name << " was found"; - return it; - } - } - dbgTrace(D_NGINX_POLICY) << "Element with name " << clean_element_name << " was not found"; - return end; -} - -template -vector -convertMapToVector(map map) -{ - vector vec; - vec.reserve(map.size()); - if (map.empty()) { - return vec; - } - for (const auto &m : map) { - if (!m.first.empty()) vec.push_back(m.second); - } - return vec; -} - -template -R -getAppsecPracticeSpec(const string &practice_annotation_name, const T &policy) -{ - auto practices_vec = policy.getAppSecPracticeSpecs(); - auto practice_it = extractElement(practices_vec.begin(), practices_vec.end(), practice_annotation_name); - - if (practice_it == practices_vec.end()) { - dbgTrace(D_NGINX_POLICY) << "Failed to retrieve AppSec practice"; - return R(); - } - return *practice_it; -} - -// LCOV_EXCL_START Reason: no test exist -AccessControlPracticeSpec -getAccessControlPracticeSpec() -{ - return AccessControlPracticeSpec(); 
-} - -AccessControlPracticeSpec -getAccessControlPracticeSpec(const string &practice_annotation_name, const V1beta2AppsecLinuxPolicy &policy) -{ - auto practices_vec = policy.getAccessControlPracticeSpecs(); - auto practice_it = extractElement(practices_vec.begin(), practices_vec.end(), practice_annotation_name); - - if (practice_it == practices_vec.end()) { - dbgTrace(D_NGINX_POLICY) << "Failed to retrieve Access control practice"; - return AccessControlPracticeSpec(); - } - return *practice_it; -} -// LCOV_EXCL_STOP - -template -R -getAppsecTriggerSpec(const string &trigger_annotation_name, const T &policy) -{ - auto triggers_vec = policy.getAppsecTriggerSpecs(); - auto trigger_it = extractElement(triggers_vec.begin(), triggers_vec.end(), trigger_annotation_name); - - if (trigger_it == triggers_vec.end()) { - dbgTrace(D_NGINX_POLICY) << "Failed to retrieve AppSec trigger"; - return R(); - } - return *trigger_it; -} - -template -R -getAppsecExceptionSpec(const string &exception_annotation_name, const T &policy) -{ - auto exceptions_vec = policy.getAppsecExceptionSpecs(); - auto exception_it = extractElement(exceptions_vec.begin(), exceptions_vec.end(), exception_annotation_name); - - if (exception_it == exceptions_vec.end()) { - dbgTrace(D_NGINX_POLICY) << "Failed to retrieve AppSec exception"; - return R(); - } - return *exception_it; -} - -template -R -getAppsecCustomResponseSpec(const string &custom_response_annotation_name, const T &policy) -{ - auto custom_response_vec = policy.getAppSecCustomResponseSpecs(); - auto custom_response_it = extractElement( - custom_response_vec.begin(), - custom_response_vec.end(), - custom_response_annotation_name); - - if (custom_response_it == custom_response_vec.end()) { - dbgTrace(D_NGINX_POLICY) << "Failed to retrieve AppSec custom response"; - return R(); - } - return *custom_response_it; -} - -template -R -getAppsecSourceIdentifierSpecs(const string &source_identifiers_annotation_name, const T &policy) -{ - auto 
source_identifiers_vec = policy.getAppsecSourceIdentifierSpecs(); - auto source_identifier_it = extractElement( - source_identifiers_vec.begin(), - source_identifiers_vec.end(), - source_identifiers_annotation_name); - - if (source_identifier_it == source_identifiers_vec.end()) { - dbgTrace(D_NGINX_POLICY) << "Failed to retrieve AppSec source identifier"; - return R(); - } - return *source_identifier_it; -} - -template -R -getAppsecTrustedSourceSpecs(const string &trusted_sources_annotation_name, const T &policy) -{ - auto trusted_sources_vec = policy.getAppsecTrustedSourceSpecs(); - auto trusted_sources_it = extractElement( - trusted_sources_vec.begin(), - trusted_sources_vec.end(), - trusted_sources_annotation_name); - - if (trusted_sources_it == trusted_sources_vec.end()) { - dbgTrace(D_NGINX_POLICY) << "Failed to retrieve AppSec trusted source"; - return R(); - } - return *trusted_sources_it; -} - -template -LogTriggerSection -extractLogTriggerData(const string &trigger_annotation_name, const T &trigger_spec){ - string verbosity = "Standard"; - string extendLoggingMinSeverity = - trigger_spec.getAppsecTriggerAdditionalSuspiciousEventsLogging().getMinimumSeverity(); - bool tpDetect = trigger_spec.getAppsecTriggerLogging().isDetectEvents(); - bool tpPrevent = trigger_spec.getAppsecTriggerLogging().isPreventEvents(); - bool webRequests = trigger_spec.getAppsecTriggerLogging().isAllWebRequests(); - bool webUrlPath = trigger_spec.getAppsecTriggerExtendedLogging().isUrlPath(); - bool webUrlQuery = trigger_spec.getAppsecTriggerExtendedLogging().isUrlQuery(); - bool webHeaders = trigger_spec.getAppsecTriggerExtendedLogging().isHttpHeaders(); - bool webBody = trigger_spec.getAppsecTriggerExtendedLogging().isRequestBody(); - bool logToCloud = trigger_spec.getAppsecTriggerLogDestination().getCloud(); - bool logToK8sService = trigger_spec.getAppsecTriggerLogDestination().isK8SNeeded(); - bool logToAgent = trigger_spec.getAppsecTriggerLogDestination().isAgentLocal(); - bool 
beautify_logs = trigger_spec.getAppsecTriggerLogDestination().shouldBeautifyLogs(); - bool logToCef = trigger_spec.getAppsecTriggerLogDestination().isCefNeeded(); - bool logToSyslog = trigger_spec.getAppsecTriggerLogDestination().isSyslogNeeded(); - bool responseBody = trigger_spec.getAppsecTriggerAdditionalSuspiciousEventsLogging().isResponseBody(); - bool extendLogging = trigger_spec.getAppsecTriggerAdditionalSuspiciousEventsLogging().isEnabled(); - int cefPortNum = logToCef ? trigger_spec.getAppsecTriggerLogDestination().getCefServerUdpPort() : 0; - string cefIpAddress = - logToCef ? trigger_spec.getAppsecTriggerLogDestination().getCefServerIpv4Address() : ""; - int syslogPortNum = - logToSyslog ? - trigger_spec.getAppsecTriggerLogDestination().getSyslogServerUdpPort() : - 514; - string syslogIpAddress = - logToSyslog ? - trigger_spec.getAppsecTriggerLogDestination().getSyslogServerIpv4Address() : - ""; - - LogTriggerSection log( - trigger_annotation_name, - verbosity, - extendLoggingMinSeverity, - extendLogging, - logToAgent, - logToCef, - logToCloud, - logToK8sService, - logToSyslog, - responseBody, - tpDetect, - tpPrevent, - webBody, - webHeaders, - webRequests, - webUrlPath, - webUrlQuery, - cefPortNum, - cefIpAddress, - syslogPortNum, - syslogIpAddress, - beautify_logs - ); - return log; -} - -// LCOV_EXCL_START Reason: no test exist -template -LogTriggerSection -createLogTriggerSection( - const string &trigger_annotation_name, - const T &policy) -{ - auto trigger_spec = getAppsecTriggerSpec(trigger_annotation_name, policy); - return extractLogTriggerData(trigger_annotation_name, trigger_spec); -} - -template<> -LogTriggerSection -createLogTriggerSection( - const string &trigger_annotation_name, - const V1beta2AppsecLinuxPolicy &policy) -{ - auto trigger_spec = - getAppsecTriggerSpec(trigger_annotation_name, policy); - return extractLogTriggerData(trigger_annotation_name, trigger_spec); -} - -template -WebUserResponseTriggerSection 
-extractWebUserResponseTriggerSectionrData -( - const string &web_user_res_annotation_name, - const T &web_user_res_spec) -{ - string mode = web_user_res_spec.getMode(); - string response_body = web_user_res_spec.getMessageBody(); - string response_title = web_user_res_spec.getMessageTitle(); - int response_code = web_user_res_spec.getHttpResponseCode(); - - WebUserResponseTriggerSection web_user_res( - web_user_res_annotation_name, - mode, - response_body, - response_code, - response_title - ); - - return web_user_res; -} - -template -WebUserResponseTriggerSection -createWebUserResponseTriggerSection( - const string &web_user_res_annotation_name, - const T &policy) -{ - auto web_user_res_spec = - getAppsecCustomResponseSpec(web_user_res_annotation_name, policy); - return extractLogTriggerData(web_user_res_annotation_name, web_user_res_spec); -} - -template<> -WebUserResponseTriggerSection -createWebUserResponseTriggerSection( - const string &web_user_res_annotation_name, - const AppsecLinuxPolicy &policy) -{ - auto web_user_res_spec = - getAppsecCustomResponseSpec(web_user_res_annotation_name, policy); - return extractWebUserResponseTriggerSectionrData( - web_user_res_annotation_name, - web_user_res_spec - ); -} - -template<> -WebUserResponseTriggerSection -createWebUserResponseTriggerSection( - const string &web_user_res_annotation_name, - const V1beta2AppsecLinuxPolicy &policy) -{ - auto web_user_res_spec = - getAppsecCustomResponseSpec( - web_user_res_annotation_name, - policy - ); - return extractWebUserResponseTriggerSectionrData( - web_user_res_annotation_name, - web_user_res_spec - ); -} - -vector -addSourceIdentifiersToTrustedSource( - const string &source_identifeir_from_trust, - const vector &values, - const string &source_identifer -) -{ - vector generated_trusted_json; - if (values.empty()) { - generated_trusted_json.push_back( - SourcesIdentifiers(source_identifer, source_identifeir_from_trust) - ); - } else { - for (const string &val : values) { - 
string src_key = source_identifer + ":" + val; - generated_trusted_json.push_back(SourcesIdentifiers(src_key, source_identifeir_from_trust)); - } - } - - return generated_trusted_json; -} - -template -AppSecTrustedSources -createTrustedSourcesSection( - const string &treusted_sources_annotation_name, - const string &source_identifier_annotation_name, - const T &policy) -{ - TrustedSourcesSpec treusted_sources_spec = - getAppsecTrustedSourceSpecs(treusted_sources_annotation_name, policy); - SourceIdentifierSpecWrapper source_identifiers_spec = - getAppsecSourceIdentifierSpecs( - source_identifier_annotation_name, - policy - ); - - vector generated_trusted_json; - for (const SourceIdentifierSpec &src_ident : source_identifiers_spec.getIdentifiers()) { - for (const string &source_identifeir_from_trust : treusted_sources_spec.getSourcesIdentifiers()) { - vector tmp_trusted = addSourceIdentifiersToTrustedSource( - source_identifeir_from_trust, - src_ident.getValues(), - src_ident.getSourceIdentifier() - ); - generated_trusted_json.insert(generated_trusted_json.end(), tmp_trusted.begin(), tmp_trusted.end()); - } - } - - AppSecTrustedSources treusted_sources( - treusted_sources_spec.getName(), - treusted_sources_spec.getMinNumOfSources(), - generated_trusted_json - ); - - return treusted_sources; -} - -template<> -AppSecTrustedSources -createTrustedSourcesSection( - const string &treusted_sources_annotation_name, - const string &source_identifier_annotation_name, - const V1beta2AppsecLinuxPolicy &policy) -{ - NewTrustedSourcesSpec treusted_sources_spec = - getAppsecTrustedSourceSpecs( - treusted_sources_annotation_name, - policy - ); - NewSourcesIdentifiers source_identifiers_spec = - getAppsecSourceIdentifierSpecs( - source_identifier_annotation_name, - policy - ); - - vector generated_trusted_json; - for (const Identifier &src_ident : source_identifiers_spec.getSourcesIdentifiers()) { - for (const string &source_identifeir_from_trust : 
treusted_sources_spec.getSourcesIdentifiers()) { - vector tmp_trusted = addSourceIdentifiersToTrustedSource( - source_identifeir_from_trust, - src_ident.getValues(), - src_ident.getIdentifier() - ); - generated_trusted_json.insert(generated_trusted_json.end(), tmp_trusted.begin(), tmp_trusted.end()); - } - } - - AppSecTrustedSources treusted_sources( - treusted_sources_spec.getName(), - treusted_sources_spec.getMinNumOfSources(), - generated_trusted_json - ); - - return treusted_sources; -} - -template -InnerException -createExceptionSection( - const string &exception_annotation_name, - const T &policy) -{ - AppsecExceptionSpec exception_spec = - getAppsecExceptionSpec(exception_annotation_name, policy); - ExceptionMatch exception_match(exception_spec); - string behavior = - exception_spec.getAction() == "skip" ? - "ignore" : - exception_spec.getAction(); - - ExceptionBehavior exception_behavior("action", behavior); - InnerException inner_exception(exception_behavior, exception_match); - return inner_exception; -} - -template<> -InnerException -createExceptionSection( - const string &exception_annotation_name, - const V1beta2AppsecLinuxPolicy &policy) -{ - NewAppsecException exception_spec = - getAppsecExceptionSpec(exception_annotation_name, policy); - ExceptionMatch exception_match(exception_spec); - string behavior = - exception_spec.getAction() == "skip" ? 
- "ignore" : - exception_spec.getAction(); - - ExceptionBehavior exception_behavior("action", behavior); - InnerException inner_exception(exception_behavior, exception_match); - return inner_exception; -} - -template -UsersIdentifiersRulebase -createUserIdentifiers( - const string &source_identifier_annotation_name, - const T &policy, - const string &context -) -{ - string jwt_identifier = ""; - vector jwt_identifier_values; - vector user_ident_vec; - SourceIdentifierSpecWrapper source_identifiers_spec = - getAppsecSourceIdentifierSpecs( - source_identifier_annotation_name, - policy - ); - - for (const SourceIdentifierSpec &src_ident : source_identifiers_spec.getIdentifiers()) { - if (src_ident.getSourceIdentifier() == "JWTKey") { - jwt_identifier = "JWTKey"; - jwt_identifier_values.insert( - jwt_identifier_values.end(), - src_ident.getValues().begin(), - src_ident.getValues().end() - ); - user_ident_vec.push_back(UsersIdentifier("authorization", src_ident.getValues())); - } else { - user_ident_vec.push_back(UsersIdentifier(src_ident.getSourceIdentifier(), src_ident.getValues())); - } - } - UsersIdentifiersRulebase users_ident = UsersIdentifiersRulebase( - context, - jwt_identifier, - jwt_identifier_values, - user_ident_vec - ); - - return users_ident; -} - -template<> -UsersIdentifiersRulebase -createUserIdentifiers( - const string &source_identifier_annotation_name, - const V1beta2AppsecLinuxPolicy &policy, - const string &context -) -{ - string jwt_identifier = ""; - vector jwt_identifier_values; - vector user_ident_vec; - NewSourcesIdentifiers source_identifiers_spec = - getAppsecSourceIdentifierSpecs( - source_identifier_annotation_name, - policy - ); - - for (const Identifier &src_ident : source_identifiers_spec.getSourcesIdentifiers()) { - if (src_ident.getIdentifier() == "JWTKey") { - jwt_identifier = "JWTKey"; - jwt_identifier_values.insert( - jwt_identifier_values.end(), - src_ident.getValues().begin(), - src_ident.getValues().end() - ); - 
user_ident_vec.push_back(UsersIdentifier("authorization", src_ident.getValues())); - } else { - user_ident_vec.push_back(UsersIdentifier(src_ident.getIdentifier(), src_ident.getValues())); - } - } - UsersIdentifiersRulebase users_ident = UsersIdentifiersRulebase( - context, - jwt_identifier, - jwt_identifier_values, - user_ident_vec - ); - - return users_ident; -} - -RulesConfigRulebase -createMultiRulesSections( - const string &url, - const string &uri, - const string &practice_id, - const string &practice_name, - const string &practice_type, - const string &log_trigger_name, - const string &log_trigger_id, - const string &log_trigger_type, - const string &web_user_res_vec_name, - const string &web_user_res_vec_id, - const string &web_user_res_vec_type, - const string &asset_name, - const string &exception_name, - const string &exception_id) -{ - PracticeSection practice = PracticeSection(practice_id, practice_type, practice_name); - ParametersSection exception_param = ParametersSection(exception_id, exception_name); - - vector triggers; - if (!log_trigger_id.empty()) { - triggers.push_back(RulesTriggerSection(log_trigger_name, log_trigger_id, log_trigger_type)); - } - if (!web_user_res_vec_id.empty()) { - triggers.push_back(RulesTriggerSection( - web_user_res_vec_name, - web_user_res_vec_id, - web_user_res_vec_type) - ); - } - - RulesConfigRulebase rules_config = RulesConfigRulebase( - asset_name, - url, - uri, - {practice}, - {exception_param}, - triggers - ); - - return rules_config; -} - -RulesConfigRulebase -createMultiRulesSections( - const string &url, - const string &uri, - const string &practice_id, - const string &practice_name, - const string &practice_type, - const string &rate_limit_practice_id, - const string &rate_limit_practice_name, - const string &rate_limit_practice_type, - const string &log_trigger_name, - const string &log_trigger_id, - const string &log_trigger_type, - const string &web_user_res_vec_name, - const string &web_user_res_vec_id, 
- const string &web_user_res_vec_type, - const string &asset_name, - const string &exception_name, - const string &exception_id) -{ - ParametersSection exception_param = ParametersSection(exception_id, exception_name); - - vector practices; - if (!practice_id.empty()) { - practices.push_back(PracticeSection(practice_id, practice_type, practice_name)); - } - if (!rate_limit_practice_id.empty()) { - practices.push_back( - PracticeSection(rate_limit_practice_id, rate_limit_practice_type, rate_limit_practice_name) - ); - } - - vector triggers; - if (!log_trigger_id.empty()) { - triggers.push_back(RulesTriggerSection(log_trigger_name, log_trigger_id, log_trigger_type)); - } - if (!web_user_res_vec_id.empty()) { - triggers.push_back(RulesTriggerSection( - web_user_res_vec_name, - web_user_res_vec_id, - web_user_res_vec_type) - ); - } - - RulesConfigRulebase rules_config = RulesConfigRulebase( - asset_name, - url, - uri, - practices, - {exception_param}, - triggers - ); - - return rules_config; -} - -void -PolicyMakerUtils::createIpsSections( - const string &asset_id, - const string &asset_name, - const string &practice_id, - const string &practice_name, - const string &source_identifier, - const string & context, - const V1beta2AppsecLinuxPolicy &policy, - map &rule_annotations) -{ - auto apssec_practice = getAppsecPracticeSpec( - rule_annotations[AnnotationTypes::PRACTICE], - policy); - IpsProtectionsSection ips_section = IpsProtectionsSection( - context, - asset_name, - asset_id, - practice_name, - practice_id, - source_identifier, - apssec_practice.getIntrusionPrevention().getMode(), - apssec_practice.getIntrusionPrevention().createIpsRules() - ); - - ips[asset_name] = ips_section; -} - -void -PolicyMakerUtils::createFileSecuritySections( - const string &asset_id, - const string &asset_name, - const string &practice_id, - const string &practice_name, - const string &context, - const V1beta2AppsecLinuxPolicy &policy, - map &rule_annotations) -{ - auto apssec_practice = 
getAppsecPracticeSpec( - rule_annotations[AnnotationTypes::PRACTICE], - policy); - auto file_security_section = apssec_practice.getFileSecurity().createFileSecurityProtectionsSection( - context, - asset_name, - asset_id, - practice_name, - practice_id - ); - - file_security[asset_name] = file_security_section; -} - -void -PolicyMakerUtils::createRateLimitSection( - const string &asset_name, - const string &url, - const string &uri, - const string &trigger_id, - const V1beta2AppsecLinuxPolicy &policy, - map &rule_annotations) -{ - if (rule_annotations[AnnotationTypes::ACCESS_CONTROL_PRACTICE].empty()) { - return; - } - - string practice_id = ""; - try { - practice_id = to_string(boost::uuids::random_generator()()); - } catch (const boost::uuids::entropy_error &e) { - dbgFlow(D_LOCAL_POLICY) << "Couldn't generate random id for rate limit practice"; - } - auto access_control_practice = getAccessControlPracticeSpec( - rule_annotations[AnnotationTypes::ACCESS_CONTROL_PRACTICE], - policy); - - RateLimitRulesTriggerSection trigger; - if (!trigger_id.empty()) { - string trigger_name = rule_annotations[AnnotationTypes::TRIGGER]; - trigger = RateLimitRulesTriggerSection(trigger_id, trigger_name, "Trigger"); - } - - auto rules = access_control_practice.geRateLimit().createRateLimitRulesSection(trigger); - - rate_limit[rule_annotations[AnnotationTypes::ACCESS_CONTROL_PRACTICE]] = RateLimitSection( - asset_name, - url, - uri, - access_control_practice.geRateLimit().getMode(), - practice_id, - rule_annotations[AnnotationTypes::ACCESS_CONTROL_PRACTICE], - rules - ); -} - -void -PolicyMakerUtils::createWebAppSection( - const V1beta2AppsecLinuxPolicy &policy, - const RulesConfigRulebase& rule_config, - const string &practice_id, const string &full_url, - const string &default_mode, - map &rule_annotations) -{ - auto apssec_practice = - getAppsecPracticeSpec( - rule_annotations[AnnotationTypes::PRACTICE], - policy - ); - PracticeAdvancedConfig practice_advance_config( - 
apssec_practice.getWebAttacks().getMaxHeaderSizeBytes(), - apssec_practice.getWebAttacks().getMaxBodySizeKb(), - apssec_practice.getWebAttacks().getMaxObjectDepth(), - apssec_practice.getWebAttacks().getMaxUrlSizeBytes() - ); - WebAppSection web_app = WebAppSection( - full_url == "Any" ? "" : full_url, - rule_config.getAssetId(), - rule_config.getAssetName(), - rule_config.getAssetId(), - rule_config.getAssetName(), - practice_id, - rule_annotations[AnnotationTypes::PRACTICE], - rule_config.getContext(), - apssec_practice.getWebAttacks().getMinimumConfidence(), - apssec_practice.getWebAttacks().getMode(default_mode), - practice_advance_config, - apssec_practice.getAntiBot(), - log_triggers[rule_annotations[AnnotationTypes::TRIGGER]], - trusted_sources[rule_annotations[AnnotationTypes::TRUSTED_SOURCES]] - ); - web_apps[rule_config.getAssetName()] = web_app; -} - -void -PolicyMakerUtils::createThreatPreventionPracticeSections( - const string &asset_name, - const string &url, - const string &uri, - const string &default_mode, - const V1beta2AppsecLinuxPolicy &policy, - map &rule_annotations) -{ - if (rule_annotations[AnnotationTypes::PRACTICE].empty()) { - return; - } - string practice_id = ""; - try { - practice_id = to_string(boost::uuids::random_generator()()); - } catch (const boost::uuids::entropy_error &e) { - dbgFlow(D_LOCAL_POLICY) << "Couldn't generate random id for threat prevention practice"; - } - - RulesConfigRulebase rule_config = createMultiRulesSections( - url, - uri, - practice_id, - rule_annotations[AnnotationTypes::PRACTICE], - "WebApplication", - rate_limit[rule_annotations[AnnotationTypes::ACCESS_CONTROL_PRACTICE]].getId(), - rate_limit[rule_annotations[AnnotationTypes::ACCESS_CONTROL_PRACTICE]].getName(), - "RateLimit", - rule_annotations[AnnotationTypes::TRIGGER], - log_triggers[rule_annotations[AnnotationTypes::TRIGGER]].getTriggerId(), - "log", - rule_annotations[AnnotationTypes::WEB_USER_RES], - 
web_user_res_triggers[rule_annotations[AnnotationTypes::WEB_USER_RES]].getTriggerId(), - "WebUserResponse", - asset_name, - rule_annotations[AnnotationTypes::EXCEPTION], - inner_exceptions[rule_annotations[AnnotationTypes::EXCEPTION]].getBehaviorId() - ); - rules_config[rule_config.getAssetName()] = rule_config; - - string current_identifier; - if (!rule_annotations[AnnotationTypes::SOURCE_IDENTIFIERS].empty()) { - UsersIdentifiersRulebase user_identifiers = createUserIdentifiers( - rule_annotations[AnnotationTypes::SOURCE_IDENTIFIERS], - policy, - rule_config.getContext() - ); - users_identifiers[rule_annotations[AnnotationTypes::SOURCE_IDENTIFIERS]] = user_identifiers; - current_identifier = user_identifiers.getIdentifier(); - } - - createIpsSections( - rule_config.getAssetId(), - rule_config.getAssetName(), - practice_id, - rule_annotations[AnnotationTypes::PRACTICE], - current_identifier, - rule_config.getContext(), - policy, - rule_annotations - ); - - createFileSecuritySections( - rule_config.getAssetId(), - rule_config.getAssetName(), - practice_id, - rule_annotations[AnnotationTypes::PRACTICE], - "assetId(" + rule_config.getAssetId() + ")", - policy, - rule_annotations - ); - - if (!web_apps.count(rule_config.getAssetName())) { - createWebAppSection(policy, rule_config, practice_id, asset_name, default_mode, rule_annotations); - } - -} - -SettingsWrapper -createProfilesSection() -{ - string agent_settings_key = "agent.test.policy"; - string agent_settings_value = "local policy"; - AgentSettingsSection agent_setting_1 = AgentSettingsSection(agent_settings_key, agent_settings_value); - - SettingsRulebase settings_rulebase_1 = SettingsRulebase({agent_setting_1}); - return SettingsWrapper(settings_rulebase_1); -} -// LCOV_EXCL_STOP - -PolicyWrapper -PolicyMakerUtils::combineElementsToPolicy(const string &policy_version) -{ - TriggersWrapper triggers_section( - TriggersRulebase( - convertMapToVector(log_triggers), convertMapToVector(web_user_res_triggers) - ) - 
); - ExceptionsWrapper exceptions_section({ - ExceptionsRulebase(convertMapToVector(inner_exceptions)) - }); - - AppSecWrapper appses_section(AppSecRulebase(convertMapToVector(web_apps), {})); - RulesConfigWrapper rules_config_section(convertMapToVector(rules_config), convertMapToVector(users_identifiers)); - IntrusionPreventionWrapper ips_section(convertMapToVector(ips)); - FileSecurityWrapper file_security_section(convertMapToVector(file_security)); - AccessControlRulebaseWrapper rate_limit_section(convertMapToVector(rate_limit)); - SecurityAppsWrapper security_app_section = SecurityAppsWrapper( - appses_section, - triggers_section, - rules_config_section, - ips_section, - rate_limit_section, - file_security_section, - exceptions_section, - policy_version - ); - - SettingsWrapper profiles_section = createProfilesSection(); - PolicyWrapper policy_wrapper = PolicyWrapper(profiles_section, security_app_section); - - return policy_wrapper; -} - -template -void -PolicyMakerUtils::createPolicyElementsByRule( - const R &rule, - const R &default_rule, - const T &policy, - const string &policy_name) -{ - map rule_annotations = extractAnnotationsNames(rule, default_rule, policy_name); - if ( - !rule_annotations[AnnotationTypes::TRIGGER].empty() && - !log_triggers.count(rule_annotations[AnnotationTypes::TRIGGER]) - ) { - log_triggers[rule_annotations[AnnotationTypes::TRIGGER]] = - createLogTriggerSection( - rule_annotations[AnnotationTypes::TRIGGER], - policy - ); - } - - if ( - !rule_annotations[AnnotationTypes::WEB_USER_RES].empty() && - !web_user_res_triggers.count(rule_annotations[AnnotationTypes::WEB_USER_RES]) - ) { - web_user_res_triggers[rule_annotations[AnnotationTypes::WEB_USER_RES]] = - createWebUserResponseTriggerSection( - rule_annotations[AnnotationTypes::WEB_USER_RES], - policy - ); - } - - if ( - !rule_annotations[AnnotationTypes::EXCEPTION].empty() && - !inner_exceptions.count(rule_annotations[AnnotationTypes::EXCEPTION]) - ) { - 
inner_exceptions[rule_annotations[AnnotationTypes::EXCEPTION]] = - createExceptionSection( - rule_annotations[AnnotationTypes::EXCEPTION], - policy - ); - } - - if ( - !rule_annotations[AnnotationTypes::TRUSTED_SOURCES].empty() && - !rule_annotations[AnnotationTypes::SOURCE_IDENTIFIERS].empty() && - !trusted_sources.count(rule_annotations[AnnotationTypes::TRUSTED_SOURCES]) - ) { - trusted_sources[rule_annotations[AnnotationTypes::TRUSTED_SOURCES]] = - createTrustedSourcesSection( - rule_annotations[AnnotationTypes::TRUSTED_SOURCES], - rule_annotations[AnnotationTypes::SOURCE_IDENTIFIERS], - policy - ); - } - - if ( - !rule_annotations[AnnotationTypes::PRACTICE].empty() && - !web_apps.count(rule_annotations[AnnotationTypes::PRACTICE]) - ) { - trusted_sources[rule_annotations[AnnotationTypes::TRUSTED_SOURCES]] = - createTrustedSourcesSection( - rule_annotations[AnnotationTypes::TRUSTED_SOURCES], - rule_annotations[AnnotationTypes::SOURCE_IDENTIFIERS], - policy - ); - } - - if (!rule_annotations[AnnotationTypes::PRACTICE].empty()) { - string practice_id = ""; - try { - practice_id = to_string(boost::uuids::random_generator()()); - } catch (const boost::uuids::entropy_error &e) { - //TBD: return Maybe as part of future error handling - } - - tuple splited_host_name = splitHostName(rule.getHost()); - string full_url = rule.getHost() == "*" - ? 
"Any" - : rule.getHost(); - - RulesConfigRulebase rule_config = createMultiRulesSections( - std::get<0>(splited_host_name), - std::get<2>(splited_host_name), - practice_id, - rule_annotations[AnnotationTypes::PRACTICE], - "WebApplication", - rule_annotations[AnnotationTypes::TRIGGER], - log_triggers[rule_annotations[AnnotationTypes::TRIGGER]].getTriggerId(), - "log", - rule_annotations[AnnotationTypes::WEB_USER_RES], - web_user_res_triggers[rule_annotations[AnnotationTypes::WEB_USER_RES]].getTriggerId(), - "WebUserResponse", - full_url, - rule_annotations[AnnotationTypes::EXCEPTION], - inner_exceptions[rule_annotations[AnnotationTypes::EXCEPTION]].getBehaviorId() - ); - rules_config[rule_config.getAssetName()] = rule_config; - - if (!rule_annotations[AnnotationTypes::SOURCE_IDENTIFIERS].empty()) { - UsersIdentifiersRulebase user_identifiers = createUserIdentifiers( - rule_annotations[AnnotationTypes::SOURCE_IDENTIFIERS], - policy, - rule_config.getContext() - ); - users_identifiers[rule_annotations[AnnotationTypes::SOURCE_IDENTIFIERS]] = user_identifiers; - } - - if (!web_apps.count(rule_config.getAssetName())) { - WebAppSection web_app = WebAppSection( - full_url == "Any" ? 
"" : full_url, - rule_config.getAssetId(), - rule_config.getAssetName(), - rule_config.getAssetId(), - rule_config.getAssetName(), - practice_id, - rule_annotations[AnnotationTypes::PRACTICE], - rule_config.getContext(), - getAppsecPracticeSpec(rule_annotations[AnnotationTypes::PRACTICE], policy), - log_triggers[rule_annotations[AnnotationTypes::TRIGGER]], - rule.getMode(), - trusted_sources[rule_annotations[AnnotationTypes::TRUSTED_SOURCES]] - ); - web_apps[rule_config.getAssetName()] = web_app; - } - } -} - -// LCOV_EXCL_START Reason: no test exist -template<> -void -PolicyMakerUtils::createPolicyElementsByRule( - const NewParsedRule &rule, - const NewParsedRule &default_rule, - const V1beta2AppsecLinuxPolicy &policy, - const string &policy_name) -{ - dbgTrace(D_LOCAL_POLICY) << "Creating policy elements from version V1beta2"; - map rule_annotations = - extractAnnotationsNames(rule, default_rule, policy_name); - if ( - !rule_annotations[AnnotationTypes::TRIGGER].empty() && - !log_triggers.count(rule_annotations[AnnotationTypes::TRIGGER]) - ) { - log_triggers[rule_annotations[AnnotationTypes::TRIGGER]] = - createLogTriggerSection( - rule_annotations[AnnotationTypes::TRIGGER], - policy - ); - } - - if ( - !rule_annotations[AnnotationTypes::WEB_USER_RES].empty() && - !web_user_res_triggers.count(rule_annotations[AnnotationTypes::WEB_USER_RES]) - ) { - web_user_res_triggers[rule_annotations[AnnotationTypes::WEB_USER_RES]] = - createWebUserResponseTriggerSection( - rule_annotations[AnnotationTypes::WEB_USER_RES], - policy - ); - } - - if ( - !rule_annotations[AnnotationTypes::EXCEPTION].empty() && - !inner_exceptions.count(rule_annotations[AnnotationTypes::EXCEPTION]) - ) { - inner_exceptions[rule_annotations[AnnotationTypes::EXCEPTION]] = - createExceptionSection( - rule_annotations[AnnotationTypes::EXCEPTION], - policy - ); - } - - if ( - !rule_annotations[AnnotationTypes::TRUSTED_SOURCES].empty() && - !rule_annotations[AnnotationTypes::SOURCE_IDENTIFIERS].empty() 
&& - !trusted_sources.count(rule_annotations[AnnotationTypes::TRUSTED_SOURCES]) - ) { - trusted_sources[rule_annotations[AnnotationTypes::TRUSTED_SOURCES]] = - createTrustedSourcesSection( - rule_annotations[AnnotationTypes::TRUSTED_SOURCES], - rule_annotations[AnnotationTypes::SOURCE_IDENTIFIERS], - policy - ); - } - - if ( - !rule_annotations[AnnotationTypes::PRACTICE].empty() && - !web_apps.count(rule_annotations[AnnotationTypes::PRACTICE]) - ) { - trusted_sources[rule_annotations[AnnotationTypes::TRUSTED_SOURCES]] = - createTrustedSourcesSection( - rule_annotations[AnnotationTypes::TRUSTED_SOURCES], - rule_annotations[AnnotationTypes::SOURCE_IDENTIFIERS], - policy - ); - } - - string full_url = rule.getHost() == "*" - ? "Any" - : rule.getHost(); - tuple splited_host_name = splitHostName(rule.getHost()); - - createRateLimitSection( - full_url, - std::get<0>(splited_host_name), - std::get<2>(splited_host_name), - log_triggers[rule_annotations[AnnotationTypes::TRIGGER]].getTriggerId(), - policy, - rule_annotations - ); - - createThreatPreventionPracticeSections( - full_url, - std::get<0>(splited_host_name), - std::get<2>(splited_host_name), - rule.getMode(), - policy, - rule_annotations - ); - -} -// LCOV_EXCL_STOP - -template -void -PolicyMakerUtils::createPolicyElements( - const vector &rules, - const R &default_rule, - const T &policy, - const string &policy_name) -{ - for (const R &rule : rules) { - createPolicyElementsByRule(rule, default_rule, policy, policy_name); - } -} - -template -void -PolicyMakerUtils::createAgentPolicyFromAppsecPolicy(const string &policy_name, const T &appsec_policy) -{ - dbgTrace(D_LOCAL_POLICY) << "Proccesing policy, name: " << policy_name; - - R default_rule = appsec_policy.getAppsecPolicySpec().getDefaultRule(); - - // add default rule to policy - createPolicyElementsByRule(default_rule, default_rule, appsec_policy, policy_name); - - vector specific_rules = appsec_policy.getAppsecPolicySpec().getSpecificRules(); - 
createPolicyElements(specific_rules, default_rule, appsec_policy, policy_name);
-}
-
-// LCOV_EXCL_START Reason: no test exist
-template<>
-void
-PolicyMakerUtils::createAgentPolicyFromAppsecPolicy(
- const string &policy_name,
- const V1beta2AppsecLinuxPolicy &appsec_policy)
-{
- dbgTrace(D_LOCAL_POLICY) << "Proccesing policy, name: " << policy_name;
-
- NewParsedRule default_rule = appsec_policy.getAppsecPolicySpec().getDefaultRule();
-
- // add default rule to policy
- createPolicyElementsByRule(
- default_rule,
- default_rule,
- appsec_policy,
- policy_name);
-
- vector specific_rules = appsec_policy.getAppsecPolicySpec().getSpecificRules();
- createPolicyElements(
- specific_rules,
- default_rule,
- appsec_policy,
- policy_name
- );
-}
-// LCOV_EXCL_STOP
-
-string
-PolicyMakerUtils::proccesSingleAppsecPolicy(
- const string &policy_path,
- const string &policy_version,
- const string &local_appsec_policy_path)
-{
- Maybe maybe_policy = openPolicyAsJson(policy_path);
- if (!maybe_policy.ok()){
- dbgWarning(D_LOCAL_POLICY) << maybe_policy.getErr();
- return "";
- }
- createAgentPolicyFromAppsecPolicy(
- getPolicyName(policy_path),
- maybe_policy.unpack()
- );
-
- PolicyWrapper policy_wrapper = combineElementsToPolicy(policy_version);
- return dumpPolicyToFile(
- policy_wrapper,
- local_appsec_policy_path
- );
-}
diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/rules_config_section.cc b/components/security_apps/orchestration/local_policy_mgmt_gen/rules_config_section.cc
deleted file mode 100644
index 5f748a5..0000000
--- a/components/security_apps/orchestration/local_policy_mgmt_gen/rules_config_section.cc
+++ /dev/null
@@ -1,367 +0,0 @@ -// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. - -// Licensed under the Apache License, Version 2.0 (the "License"); -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -#include "rules_config_section.h" - -using namespace std; - -USE_DEBUG_FLAG(D_LOCAL_POLICY); - -AssetUrlParser -AssetUrlParser::parse(const string &uri) -{ - AssetUrlParser result; - - using iterator_t = string::const_iterator; - - if (uri.length() == 0) return result; - - iterator_t uri_end = uri.end(); - - // get query start - iterator_t query_start = find(uri.begin(), uri_end, '?'); - - // protocol - iterator_t protocol_start = uri.begin(); - iterator_t protocol_end = find(protocol_start, uri_end, ':'); //"://"); - - if (protocol_end != uri_end) { - string http_protocol = &*(protocol_end); - if ((http_protocol.length() > 3) && (http_protocol.substr(0, 3) == "://")) { - result.protocol = string(protocol_start, protocol_end); - protocol_end += 3; // :// - } else { - protocol_end = uri.begin(); // no protocol - } - } else { - protocol_end = uri.begin(); // no protocol - } - - // URL - iterator_t host_start = protocol_end; - iterator_t path_start = find(host_start, uri_end, '/'); - - iterator_t host_end = find(protocol_end, (path_start != uri_end) ? path_start : query_start, ':'); - - result.asset_url = string(host_start, host_end); - - // port - if ((host_end != uri_end) && ((&*(host_end))[0] == ':')) { // we have a port - host_end++; - iterator_t portEnd = (path_start != uri_end) ? 
path_start : query_start; - result.port = string(host_end, portEnd); - } - - // URI - if (path_start != uri_end) result.asset_uri = string(path_start, query_start); - - // query - if (query_start != uri_end) result.query_string = string(query_start, uri.end()); - - return result; -} // Parse - -PracticeSection::PracticeSection( - const string &_id, - const string &_type, - const string &_practice_name -) -{ - auto maybe_type = string_to_practice_type.find(_type); - if (maybe_type == string_to_practice_type.end()) { - dbgError(D_LOCAL_POLICY) << "Illegal pracrtice type: " << _type; - return; - } - - type = _type; - name = _practice_name; - id = _id; -} - -void -PracticeSection::save(cereal::JSONOutputArchive &out_ar) const -{ - out_ar( - cereal::make_nvp("practiceId", id), - cereal::make_nvp("practiceName", name), - cereal::make_nvp("practiceType", type) - ); -} - -ParametersSection::ParametersSection( - const string &_id, - const string &_name) - : - name(_name), - id(_id) -{ - if (_id.empty() && _name.empty()) { - dbgError(D_LOCAL_POLICY) << "Illegal Parameter values. Name and ID are empty"; - return; - } -} - -void -ParametersSection::save(cereal::JSONOutputArchive &out_ar) const -{ - out_ar( - cereal::make_nvp("parameterId", id), - cereal::make_nvp("parameterName", name), - cereal::make_nvp("parameterType", type) - ); -} - -RulesTriggerSection::RulesTriggerSection( - const string &_name, - const string &_id, - const string &_type) - : - name(_name), - id(_id) -{ - if (_name.empty() && _id.empty()) { - dbgError(D_LOCAL_POLICY) << "Illegal values for trigger. 
Name and ID are empty"; - return; - } - auto maybe_type = string_to_trigger_type.find(_type); - if (maybe_type == string_to_trigger_type.end()) { - dbgError(D_LOCAL_POLICY) << "Illegal trigger type in rule: " << _type; - return; - } - type = _type; -} - -void -RulesTriggerSection::save(cereal::JSONOutputArchive &out_ar) const -{ - out_ar( - cereal::make_nvp("triggerId", id), - cereal::make_nvp("triggerName", name), - cereal::make_nvp("triggerType", type) - ); -} - -RulesConfigRulebase::RulesConfigRulebase( - const string &_name, - const string &_url, - const string &_uri, - vector _practices, - vector _parameters, - vector _triggers) - : - name(_name), - practices(_practices), - parameters(_parameters), - triggers(_triggers) -{ - try { - bool any = _name == "Any" && _url == "Any" && _uri == "Any"; - id = any ? "Any" : _url+_uri; - if (_uri != "/") { - context = any ? "All()" : "Any(" - "All(" - "Any(" - "EqualHost(" + _url + ")" - ")," - "EqualListeningPort(80)" + - string(_uri.empty() ? "" : ",BeginWithUri(" + _uri + ")") + - ")," - "All(" - "Any(" - "EqualHost(" + _url + ")" - ")," - "EqualListeningPort(443)" + - string(_uri.empty() ? "" : ",BeginWithUri(" + _uri + ")") + - ")" - ")"; - } else { - context = any ? "All()" : "Any(" - "All(" - "Any(" - "EqualHost(" + _url + ")" - ")," - "EqualListeningPort(80)" - ")," - "All(" - "Any(" - "EqualHost(" + _url + ")" - ")," - "EqualListeningPort(443)" - ")" - ")"; - } - } catch (const boost::uuids::entropy_error &e) { - dbgWarning(D_LOCAL_POLICY) << "Failed to generate rule UUID. 
Error: " << e.what(); - } -} - -void -RulesConfigRulebase::save(cereal::JSONOutputArchive &out_ar) const -{ - string empty_str = ""; - out_ar( - cereal::make_nvp("assetId", id), - cereal::make_nvp("assetName", name), - cereal::make_nvp("ruleId", id), - cereal::make_nvp("ruleName", name), - cereal::make_nvp("context", context), - cereal::make_nvp("priority", 1), - cereal::make_nvp("isCleanup", false), - cereal::make_nvp("parameters", parameters), - cereal::make_nvp("practices", practices), - cereal::make_nvp("triggers", triggers), - cereal::make_nvp("zoneId", empty_str), - cereal::make_nvp("zoneName", empty_str) - ); -} - -const string & -RulesConfigRulebase::getContext() const -{ - return context; -} - -const string & -RulesConfigRulebase::getAssetName() const -{ - return name; -} - -const string & -RulesConfigRulebase::getAssetId() const -{ - return id; -} - -UsersIdentifier::UsersIdentifier(const string &_source_identifier, vector _identifier_values) - : - source_identifier(_source_identifier), - identifier_values(_identifier_values) -{} - -// LCOV_EXCL_START Reason: no test exist -const string & -UsersIdentifier::getIdentifier() const -{ - return source_identifier; -} -// LCOV_EXCL_STOP - -void -UsersIdentifier::save(cereal::JSONOutputArchive &out_ar) const -{ - out_ar( - cereal::make_nvp("sourceIdentifier", source_identifier), - cereal::make_nvp("identifierValues", identifier_values) - ); -} - -UsersIdentifiersRulebase::UsersIdentifiersRulebase( - const string &_context, - const string &_source_identifier, - const vector &_identifier_values, - const vector &_source_identifiers) - : - context(_context), - source_identifier(_source_identifier), - identifier_values(_identifier_values), - source_identifiers(_source_identifiers) -{} - -// LCOV_EXCL_START Reason: no test exist -const string & -UsersIdentifiersRulebase::getIdentifier() const -{ - return source_identifiers[0].getIdentifier(); -} -// LCOV_EXCL_STOP - -void 
-UsersIdentifiersRulebase::save(cereal::JSONOutputArchive &out_ar) const -{ - out_ar( - cereal::make_nvp("context", context), - cereal::make_nvp("sourceIdentifier", source_identifier), - cereal::make_nvp("identifierValues", identifier_values), - cereal::make_nvp("sourceIdentifiers", source_identifiers) - ); -} - -RulesRulebase::RulesRulebase( - const vector &_rules_config, - const vector &_users_identifiers) - : - rules_config(_rules_config), - users_identifiers(_users_identifiers) -{ - sort(rules_config.begin(), rules_config.end(), sortBySpecific); -} - -void -RulesRulebase::save(cereal::JSONOutputArchive &out_ar) const -{ - out_ar( - cereal::make_nvp("rulesConfig", rules_config), - cereal::make_nvp("usersIdentifiers", users_identifiers) - ); -} - -bool -RulesRulebase::sortBySpecific( - const RulesConfigRulebase &first, - const RulesConfigRulebase &second -) -{ - return sortBySpecificAux(first.getAssetName(), second.getAssetName()); -} - -bool -RulesRulebase::sortBySpecificAux(const string &first, const string &second) -{ - if (first.empty()) return false; - if (second.empty()) return true; - - AssetUrlParser first_parsed = AssetUrlParser::parse(first); - AssetUrlParser second_parsed = AssetUrlParser::parse(second); - - // sort by URL - if (first_parsed.asset_url == "Any" && second_parsed.asset_url != "Any") return false; - if (second_parsed.asset_url == "Any" && first_parsed.asset_url != "Any") return true; - - // sort by port - if (first_parsed.port == "*" && second_parsed.port != "*") return false; - if (second_parsed.port == "*" && first_parsed.port != "*") return true; - - // sort by URI - if (first_parsed.asset_uri == "*" && second_parsed.asset_uri != "*") return false; - if (second_parsed.asset_uri == "*" && first_parsed.asset_uri != "*") return true; - - if (first_parsed.asset_uri.empty()) return false; - if (second_parsed.asset_uri.empty()) return true; - - if (second_parsed.asset_uri.find(first_parsed.asset_uri) != string::npos) return false; - if 
(first_parsed.asset_uri.find(second_parsed.asset_uri) != string::npos) return true; - - if (first_parsed.asset_url.empty()) return false; - if (second_parsed.asset_url.empty()) return false; - - return second < first; -} - -void -RulesConfigWrapper::save(cereal::JSONOutputArchive &out_ar) const -{ - out_ar( - cereal::make_nvp("rulebase", rules_config_rulebase) - ); -} diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/settings_section.cc b/components/security_apps/orchestration/local_policy_mgmt_gen/settings_section.cc deleted file mode 100644 index f066004..0000000 --- a/components/security_apps/orchestration/local_policy_mgmt_gen/settings_section.cc +++ /dev/null 
@@ -1,87 +0,0 @@ -// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. - -// Licensed under the Apache License, Version 2.0 (the "License"); -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -#include "settings_section.h" - -using namespace std; - -USE_DEBUG_FLAG(D_LOCAL_POLICY); -// LCOV_EXCL_START Reason: no test exist - -AgentSettingsSection::AgentSettingsSection( - const string &_key, - const string &_value) - : - key(_key), - value(_value) -{ - try { - id = to_string(boost::uuids::random_generator()()); - } catch (const boost::uuids::entropy_error &e) { - dbgWarning(D_LOCAL_POLICY) << "Failed to generate agent setting UUID. 
Error: " << e.what(); - } -} - -void -AgentSettingsSection::save(cereal::JSONOutputArchive &out_ar) const -{ - out_ar( - cereal::make_nvp("id", id), - cereal::make_nvp("key", key), - cereal::make_nvp("value", value) - ); -} - -const string & -AgentSettingsSection::getSettingId() const -{ - return id; -} - -void -SettingsRulebase::save(cereal::JSONOutputArchive &out_ar) const -{ - string profile_type = "Kubernetes"; - string upgrade_mode = "automatic"; - out_ar( - cereal::make_nvp("agentSettings", agentSettings), - cereal::make_nvp("agentType", profile_type), - cereal::make_nvp("allowOnlyDefinedApplications", false), - cereal::make_nvp("anyFog", true), - cereal::make_nvp("maxNumberOfAgents", 10), - cereal::make_nvp("upgradeMode", upgrade_mode) - ); -} - -SettingsWrapper::SettingsWrapper(SettingsRulebase _agent) : agent(_agent) -{ - try { - id = to_string(boost::uuids::random_generator()()); - } catch (const boost::uuids::entropy_error &e) { - dbgWarning(D_LOCAL_POLICY) << "Failed to generate Settings Wrapper UUID. Error: " << e.what(); - } -} - -void -SettingsWrapper::save(cereal::JSONOutputArchive &out_ar) const -{ - out_ar( - cereal::make_nvp("profileType", profileType), - cereal::make_nvp("tokenType", isToken), - cereal::make_nvp("tokenType", tokenType), - cereal::make_nvp("name", name), - cereal::make_nvp("id", id), - cereal::make_nvp("agent", agent) - ); -} -// LCOV_EXCL_STOP diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/snort_section.cc b/components/security_apps/orchestration/local_policy_mgmt_gen/snort_section.cc deleted file mode 100644 index c3907aa..0000000 --- a/components/security_apps/orchestration/local_policy_mgmt_gen/snort_section.cc +++ /dev/null 
@@ -1,54 +0,0 @@ -// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. - -// Licensed under the Apache License, Version 2.0 (the "License"); -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -#include "snort_section.h" - -using namespace std; - -USE_DEBUG_FLAG(D_LOCAL_POLICY); -// LCOV_EXCL_START Reason: no test exist - -AgentSettingsSection::AgentSettingsSection(string _key, string _value) : key(_key), value(_value) -{ - try { - id = to_string(boost::uuids::random_generator()()); - } catch (const boost::uuids::entropy_error &e) { - dbgWarning(D_LOCAL_POLICY) << "Failed to generate agent setting UUID. Error: " << e.what(); - } -} - -void -AgentSettingsSection::save(cereal::JSONOutputArchive &out_ar) const -{ - out_ar( - cereal::make_nvp("id", id), - cereal::make_nvp("key", key), - cereal::make_nvp("value", value) - ); -} - -void -IpsSnortSigsRulebase::save(cereal::JSONOutputArchive &out_ar) const -{ - string profile_type = "KubernetesProfile"; - string upgrade_mode = "automatic"; - out_ar( - cereal::make_nvp("agentSettings", agentSettings), - cereal::make_nvp("agentType", profile_type), - cereal::make_nvp("allowOnlyDefinedApplications", false), - cereal::make_nvp("anyFog", true), - cereal::make_nvp("maxNumberOfAgents", 10), - cereal::make_nvp("upgradeMode", upgrade_mode) - ); -} -// LCOV_EXCL_STOP diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/triggers_section.cc b/components/security_apps/orchestration/local_policy_mgmt_gen/triggers_section.cc deleted file mode 100644 index 7c50436..0000000 
--- a/components/security_apps/orchestration/local_policy_mgmt_gen/triggers_section.cc +++ /dev/null 
@@ -1,535 +0,0 @@ -// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. - -// Licensed under the Apache License, Version 2.0 (the "License"); -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -#include "triggers_section.h" - -using namespace std; - -USE_DEBUG_FLAG(D_LOCAL_POLICY); - -static const set valid_modes = {"block-page", "response-code-only"}; -static const set valid_severities = {"high", "critical"}; -static const set valid_protocols = {"tcp", "udp"}; -static const set valid_formats = {"json", "json-formatted"}; - -LogTriggerSection::LogTriggerSection( - const string &_name, - const string &_verbosity, - const string &_extendloggingMinSeverity, - bool _extendlogging, - bool _logToAgent, - bool _logToCef, - bool _logToCloud, - bool _logToK8sService, - bool _logToSyslog, - bool _responseBody, - bool _tpDetect, - bool _tpPrevent, - bool _webBody, - bool _webHeaders, - bool _webRequests, - bool _webUrlPath, - bool _webUrlQuery, - int _cefPortNum, - const string &_cefIpAddress, - int _syslogPortNum, - const string &_syslogIpAddress, - bool _beautify_logs) - : - name(_name), - verbosity(_verbosity), - extendloggingMinSeverity(_extendloggingMinSeverity), - extendlogging(_extendlogging), - logToAgent(_logToAgent), - logToCef(_logToCef), - logToCloud(_logToCloud), - logToK8sService(_logToK8sService), - logToSyslog(_logToSyslog), - responseBody(_responseBody), - tpDetect(_tpDetect), - tpPrevent(_tpPrevent), - webBody(_webBody), - webHeaders(_webHeaders), - webRequests(_webRequests), - webUrlPath(_webUrlPath), - webUrlQuery(_webUrlQuery), - cefPortNum (_cefPortNum), - 
cefIpAddress (_cefIpAddress), - syslogPortNum (_syslogPortNum), - syslogIpAddress (_syslogIpAddress), - beautify_logs(_beautify_logs) -{ - try { - id = to_string(boost::uuids::random_generator()()); - context = "triggerId(" + id + ")"; - } catch (const boost::uuids::entropy_error &e) { - dbgWarning(D_LOCAL_POLICY) << "Failed to generate log trigger UUID. Error: " << e.what(); - } -} - -void -LogTriggerSection::save(cereal::JSONOutputArchive &out_ar) const -{ - string trigger_type = "log"; - string urlForSyslog = syslogIpAddress + ":" + to_string(syslogPortNum); - string urlForCef = cefIpAddress + ":" + to_string(cefPortNum); - out_ar( - cereal::make_nvp("context", context), - cereal::make_nvp("triggerName", name), - cereal::make_nvp("triggerType", trigger_type), - cereal::make_nvp("verbosity", verbosity), - cereal::make_nvp("acAllow", false), - cereal::make_nvp("acDrop", false), - cereal::make_nvp("complianceViolations", false), - cereal::make_nvp("complianceWarnings", false), - cereal::make_nvp("extendloggingMinSeverity", extendloggingMinSeverity), - cereal::make_nvp("extendlogging", extendlogging), - cereal::make_nvp("logToAgent", logToAgent), - cereal::make_nvp("logToCef", logToCef), - cereal::make_nvp("logToCloud", logToCloud), - cereal::make_nvp("logToK8sService", logToK8sService), - cereal::make_nvp("logToSyslog", logToSyslog), - cereal::make_nvp("responseBody", responseBody), - cereal::make_nvp("responseCode", false), - cereal::make_nvp("tpDetect", tpDetect), - cereal::make_nvp("tpPrevent", tpPrevent), - cereal::make_nvp("webBody", webBody), - cereal::make_nvp("webHeaders", webHeaders), - cereal::make_nvp("webRequests", webRequests), - cereal::make_nvp("webUrlPath", webUrlPath), - cereal::make_nvp("webUrlQuery", webUrlQuery), - cereal::make_nvp("urlForSyslog", urlForSyslog), - cereal::make_nvp("urlForCef", urlForCef), - cereal::make_nvp("formatLoggingOutput", beautify_logs) - ); -} - -const string & -LogTriggerSection::getTriggerId() const -{ - return id; -} 
- -const string & -LogTriggerSection::getTriggerName() const -{ - return name; -} - -WebUserResponseTriggerSection::WebUserResponseTriggerSection( - const string &_name, - const string &_details_level, - const string &_response_body, - int _response_code, - const string &_response_title) - : - name(_name), - context(), - details_level(_details_level), - response_body(_response_body), - response_title(_response_title), - response_code(_response_code) -{ - try { - id = to_string(boost::uuids::random_generator()()); - context = "triggerId(" + id + ")"; - } catch (const boost::uuids::entropy_error &e) { - dbgWarning(D_LOCAL_POLICY) << "Failed to generate webUserResponse trigger UUID. Error: " << e.what(); - } -} - -void -WebUserResponseTriggerSection::save(cereal::JSONOutputArchive &out_ar) const -{ - out_ar( - cereal::make_nvp("context", context), - cereal::make_nvp("triggerName", name), - cereal::make_nvp("details level", details_level), - cereal::make_nvp("response body", response_body), - cereal::make_nvp("response code", response_code), - cereal::make_nvp("response title", response_title) - ); -} - -const string & -WebUserResponseTriggerSection::getTriggerId() const -{ - return id; -} - -void -AppSecCustomResponseSpec::load(cereal::JSONInputArchive &archive_in) -{ - dbgTrace(D_LOCAL_POLICY) << "Loading AppSec web user response spec"; - parseAppsecJSONKey("http-response-code", httpResponseCode, archive_in, 403); - parseAppsecJSONKey("mode", mode, archive_in, "block-page"); - if (valid_modes.count(mode) == 0) { - dbgWarning(D_LOCAL_POLICY) << "AppSec web user response mode invalid: " << mode; - } - parseAppsecJSONKey("name", name, archive_in); - if (mode == "block-page") { - parseAppsecJSONKey( - "message-body", - messageBody, - archive_in, - "Openappsec's Application Security has detected an attack and blocked it." 
- ); - parseAppsecJSONKey( - "message-title", - messageTitle, - archive_in, - "Attack blocked by web application protection" - ); - } -} - -void -AppSecCustomResponseSpec::setName(const string &_name) -{ - name = _name; -} - -int -AppSecCustomResponseSpec::getHttpResponseCode() const -{ - return httpResponseCode; -} - -const string & -AppSecCustomResponseSpec::getMessageBody() const -{ - return messageBody; -} - -const string & -AppSecCustomResponseSpec::getMessageTitle() const -{ - return messageTitle; -} - -const string & -AppSecCustomResponseSpec::getMode() const -{ - return mode; -} - -const string & -AppSecCustomResponseSpec::getName() const -{ - return name; -} - -void -TriggersRulebase::save(cereal::JSONOutputArchive &out_ar) const -{ - out_ar( - cereal::make_nvp("log", logTriggers), - cereal::make_nvp("webUserResponse", webUserResponseTriggers) - ); -} - -void -AppsecTriggerAccessControlLogging::load(cereal::JSONInputArchive &archive_in) -{ - dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Trigger - Access Control Logging"; - parseAppsecJSONKey("allow-events", allow_events, archive_in, false); - parseAppsecJSONKey("drop-events", drop_events, archive_in, false); -} - -void -AppsecTriggerAdditionalSuspiciousEventsLogging::load(cereal::JSONInputArchive &archive_in) -{ - dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Trigger - Additional Suspicious Events Logging"; - parseAppsecJSONKey("enabled", enabled, archive_in, true); - parseAppsecJSONKey("response-body", response_body, archive_in, false); - parseAppsecJSONKey("minimum-severity", minimum_severity, archive_in, "high"); - if (valid_severities.count(minimum_severity) == 0) { - dbgWarning(D_LOCAL_POLICY) - << "AppSec AppSec Trigger - Additional Suspicious Events Logging minimum severity invalid: " - << minimum_severity; - } -} - -bool -AppsecTriggerAdditionalSuspiciousEventsLogging::isEnabled() const -{ - return enabled; -} - -bool -AppsecTriggerAdditionalSuspiciousEventsLogging::isResponseBody() const -{ - return 
response_body; -} - -const string & -AppsecTriggerAdditionalSuspiciousEventsLogging::getMinimumSeverity() const -{ - return minimum_severity; -} - -void -AppsecTriggerLogging::load(cereal::JSONInputArchive &archive_in) -{ - dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Trigger Logging"; - parseAppsecJSONKey("all-web-requests", all_web_requests, archive_in, false); - parseAppsecJSONKey("detect-events", detect_events, archive_in, false); - parseAppsecJSONKey("prevent-events", prevent_events, archive_in, true); -} - -bool -AppsecTriggerLogging::isAllWebRequests() const -{ - return all_web_requests; -} - -bool -AppsecTriggerLogging::isDetectEvents() const -{ - return detect_events; -} - -bool -AppsecTriggerLogging::isPreventEvents() const -{ - return prevent_events; -} - -void -AppsecTriggerExtendedLogging::load(cereal::JSONInputArchive &archive_in) -{ - dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Trigger Extended Logging"; - parseAppsecJSONKey("http-headers", http_headers, archive_in, false); - parseAppsecJSONKey("request-body", request_body, archive_in, false); - parseAppsecJSONKey("url-path", url_path, archive_in, false); - parseAppsecJSONKey("url-query", url_query, archive_in, false); -} - -bool -AppsecTriggerExtendedLogging::isHttpHeaders() const -{ - return http_headers; -} - -bool -AppsecTriggerExtendedLogging::isRequestBody() const -{ - return request_body; -} - -bool -AppsecTriggerExtendedLogging::isUrlPath() const -{ - return url_path; -} - -bool -AppsecTriggerExtendedLogging::isUrlQuery() const -{ - return url_query; -} - -void -LoggingService::load(cereal::JSONInputArchive &archive_in) -{ - parseAppsecJSONKey("address", address, archive_in); - parseAppsecJSONKey("proto", proto, archive_in); - if (valid_protocols.count(proto) == 0) { - dbgWarning(D_LOCAL_POLICY) << "AppSec Logging Service - proto invalid: " << proto; - } - - parseAppsecJSONKey("port", port, archive_in, 514); -} - -const string & -LoggingService::getAddress() const -{ - return address; -} - 
-int -LoggingService::getPort() const -{ - return port; -} - - -void -StdoutLogging::load(cereal::JSONInputArchive &archive_in) -{ - parseAppsecJSONKey("format", format, archive_in, "json"); - if (valid_formats.count(format) == 0) { - dbgWarning(D_LOCAL_POLICY) << "AppSec Stdout Logging - format invalid: " << format; - } -} - -const string & -StdoutLogging::getFormat() const -{ - return format; -} - -void -AppsecTriggerLogDestination::load(cereal::JSONInputArchive &archive_in) -{ - dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Trigger LogDestination"; - // TBD: support "file" - parseAppsecJSONKey("cloud", cloud, archive_in, false); - auto mode = Singleton::Consume::by()->getOrchestrationMode(); - auto env_type = Singleton::Consume::by()->getEnvType(); - bool k8s_service_default = (mode == OrchestrationMode::HYBRID && env_type == EnvType::K8S); - parseAppsecJSONKey("k8s-service", k8s_service, archive_in, k8s_service_default); - - StdoutLogging stdout_log; - parseAppsecJSONKey("stdout", stdout_log, archive_in); - agent_local = !(stdout_log.getFormat().empty()); - beautify_logs = stdout_log.getFormat() == "json-formatted"; - parseAppsecJSONKey("syslog-service", syslog_service, archive_in); - parseAppsecJSONKey("cef-service", cef_service, archive_in); -} - -int -AppsecTriggerLogDestination::getCefServerUdpPort() const -{ - return getCefServiceData().getPort(); -} - -int -AppsecTriggerLogDestination::getSyslogServerUdpPort() const -{ - return getSyslogServiceData().getPort(); -} - -bool -AppsecTriggerLogDestination::isAgentLocal() const -{ - return agent_local; -} - -bool -AppsecTriggerLogDestination::shouldBeautifyLogs() const -{ - return beautify_logs; -} - -bool -AppsecTriggerLogDestination::getCloud() const -{ - return cloud; -} - -bool -AppsecTriggerLogDestination::isK8SNeeded() const -{ - return k8s_service; -} - -bool -AppsecTriggerLogDestination::isCefNeeded() const -{ - return !getCefServiceData().getAddress().empty(); -} - -bool 
-AppsecTriggerLogDestination::isSyslogNeeded() const -{ - return !getSyslogServiceData().getAddress().empty(); -} - -const -string & AppsecTriggerLogDestination::getSyslogServerIpv4Address() const -{ - return getSyslogServiceData().getAddress(); -} - -const string & -AppsecTriggerLogDestination::getCefServerIpv4Address() const -{ - return getCefServiceData().getAddress(); -} - -const LoggingService & -AppsecTriggerLogDestination::getSyslogServiceData() const -{ - return syslog_service; -} - -const LoggingService & -AppsecTriggerLogDestination::getCefServiceData() const -{ - return cef_service; -} - -void -AppsecTriggerSpec::load(cereal::JSONInputArchive &archive_in) -{ - dbgTrace(D_LOCAL_POLICY) << "Loading AppSec trigger spec"; - parseAppsecJSONKey( - "access-control-logging", - access_control_logging, - archive_in - ); - parseAppsecJSONKey( - "additional-suspicious-events-logging", - additional_suspicious_events_logging, - archive_in - ); - parseAppsecJSONKey("appsec-logging", appsec_logging, archive_in); - parseAppsecJSONKey("extended-logging", extended_logging, archive_in); - parseAppsecJSONKey("log-destination", log_destination, archive_in); - parseAppsecJSONKey("name", name, archive_in); -} - -void -AppsecTriggerSpec::setName(const string &_name) -{ - name = _name; -} - -const string & -AppsecTriggerSpec::getName() const -{ - return name; -} - -const AppsecTriggerAdditionalSuspiciousEventsLogging & -AppsecTriggerSpec::getAppsecTriggerAdditionalSuspiciousEventsLogging() const -{ - return additional_suspicious_events_logging; -} - -const AppsecTriggerLogging & -AppsecTriggerSpec::getAppsecTriggerLogging() const -{ - return appsec_logging; -} - -const AppsecTriggerExtendedLogging & -AppsecTriggerSpec::getAppsecTriggerExtendedLogging() const -{ - return extended_logging; -} - -const AppsecTriggerLogDestination & -AppsecTriggerSpec::getAppsecTriggerLogDestination() const -{ - return log_destination; -} - -void -TriggersWrapper::save(cereal::JSONOutputArchive 
&out_ar) const -{ - out_ar( - cereal::make_nvp("rulebase", triggers_rulebase) - ); -} diff --git a/components/security_apps/orchestration/local_policy_mgmt_gen/trusted_sources_section.cc b/components/security_apps/orchestration/local_policy_mgmt_gen/trusted_sources_section.cc deleted file mode 100644 index f8053a4..0000000 --- a/components/security_apps/orchestration/local_policy_mgmt_gen/trusted_sources_section.cc +++ /dev/null 
@@ -1,152 +0,0 @@ -// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved. - -// Licensed under the Apache License, Version 2.0 (the "License"); -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -#include "policy_maker_utils.h" - -using namespace std; - -USE_DEBUG_FLAG(D_LOCAL_POLICY); - -static const set valid_source_identifiers = {"headerkey", "JWTKey", "cookie", "sourceip", "x-forwarded-for"}; - -void -TrustedSourcesSpec::load(cereal::JSONInputArchive &archive_in) -{ - dbgTrace(D_LOCAL_POLICY) << "Loading trusted sources spec"; - parseAppsecJSONKey("minNumOfSources", min_num_of_sources, archive_in, 3); - parseAppsecJSONKey>("sourcesIdentifiers", sources_identifiers, archive_in); - parseAppsecJSONKey("name", name, archive_in); -} - -void -TrustedSourcesSpec::setName(const string &_name) -{ - name = _name; -} - -int -TrustedSourcesSpec::getMinNumOfSources() const -{ - return min_num_of_sources; -} - -const vector & -TrustedSourcesSpec::getSourcesIdentifiers() const -{ - return sources_identifiers; -} - -const string & -TrustedSourcesSpec::getName() const -{ - return name; -} - -void -SourcesIdentifiers::save(cereal::JSONOutputArchive &out_ar) const -{ - out_ar( - cereal::make_nvp("sourceIdentifier", source_identifier), - cereal::make_nvp("value", value) - ); -} - -const string & -SourcesIdentifiers::getSourceIdent() const -{ - return source_identifier; -} - -void -SourceIdentifierSpec::load(cereal::JSONInputArchive &archive_in) -{ - dbgTrace(D_LOCAL_POLICY) << "Loading source identifiers spec"; - parseAppsecJSONKey("sourceIdentifier", source_identifier, archive_in); - 
if (valid_source_identifiers.count(source_identifier) == 0) { - dbgWarning(D_LOCAL_POLICY) << "AppSec source identifier invalid: " << source_identifier; - } - parseAppsecJSONKey>("value", value, archive_in); -} - -const string & -SourceIdentifierSpec::getSourceIdentifier() const -{ - return source_identifier; -} - -const vector & -SourceIdentifierSpec::getValues() const -{ - return value; -} - -void -SourceIdentifierSpecWrapper::load(cereal::JSONInputArchive &archive_in) -{ - dbgTrace(D_LOCAL_POLICY) << "Loading Source Identifier Spec Wrapper"; - parseAppsecJSONKey>("identifiers", identifiers, archive_in); - parseAppsecJSONKey("name", name, archive_in); -} - -void -SourceIdentifierSpecWrapper::setName(const string &_name) -{ - name = _name; -} - -const string & -SourceIdentifierSpecWrapper::getName() const -{ - return name; -} - -const vector & -SourceIdentifierSpecWrapper::getIdentifiers() const -{ - return identifiers; -} - -AppSecTrustedSources::AppSecTrustedSources( - const string &_name, - int _num_of_sources, - const vector &_sources_identifiers) - : - name(_name), - num_of_sources(_num_of_sources), - sources_identifiers(_sources_identifiers) -{ - try { - id = to_string(boost::uuids::random_generator()()); - } catch (const boost::uuids::entropy_error &e) { - dbgWarning(D_LOCAL_POLICY) << "Failed to generate Trusted Sources ID. Error: " << e.what(); - } -} - -void -AppSecTrustedSources::save(cereal::JSONOutputArchive &out_ar) const -{ - string parameter_type = "TrustedSource"; - out_ar( - cereal::make_nvp("id", id), - cereal::make_nvp("name", name), - cereal::make_nvp("numOfSources", num_of_sources), - cereal::make_nvp("sourcesIdentifiers", sources_identifiers), - cereal::make_nvp("parameterType", parameter_type) - ); -} - -const vector & -AppSecTrustedSources::getSourcesIdentifiers() const -{ - return sources_identifiers; -}