github_mirrors/openappsec
3
0
Fork 1
mirror of https://github.com/openappsec/openappsec.git synced 2025-09-29 11:16:30 +03:00
Code Issues Packages Projects Releases Wiki Activity

Feb 10 2025 dev (#255)

Browse Source 
* sync code

* sync code

* code sync

* code sync

---------

Co-authored-by: Ned Wright <nedwright@proton.me>
Co-authored-by: Daniel Eisenberg <danielei@checkpoint.com>
This commit is contained in:
Daniel-Eisenberg
2025-02-12 10:56:44 +02:00
committed by GitHub
parent 81433bac25
commit 4ddcd2462a
75 changed files with 1540 additions and 258 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
components/security_apps/orchestration/manifest_controller/manifest_controller.cc
View File

@@ -100,6 +100,7 @@ private:
string packages_dir;
string orch_service_name;
set<string> ignore_packages;
Maybe<string> forbidden_versions = genError("Forbidden versions file does not exist");
};
void
@@ -135,7 +136,8 @@ ManifestController::Impl::init()
"Ignore packages list file path"
);
if (Singleton::Consume<I_OrchestrationTools>::by<ManifestController>()->doesFileExist(ignore_packages_path)) {
auto orchestration_tools = Singleton::Consume<I_OrchestrationTools>::by<ManifestController>();
if (orchestration_tools->doesFileExist(ignore_packages_path)) {
try {
ifstream input_stream(ignore_packages_path);
if (!input_stream) {
@@ -156,6 +158,9 @@ ManifestController::Impl::init()
<< " Error: " << f.what();
}
}
const string forbidden_versions_path = getFilesystemPathConfig() + "/revert/forbidden_versions";
forbidden_versions = orchestration_tools->readFile(forbidden_versions_path);
}
bool
@@ -271,6 +276,17 @@ ManifestController::Impl::updateManifest(const string &new_manifest_file)
}
map<string, Package> new_packages = parsed_manifest.unpack();
if (!new_packages.empty()) {
const Package &package = new_packages.begin()->second;
if (forbidden_versions.ok() &&
forbidden_versions.unpack().find(package.getVersion()) != string::npos
) {
dbgWarning(D_ORCHESTRATOR)
<< "Packages version is in the forbidden versions list. No upgrade will be performed.";
return true;
}
}
map<string, Package> all_packages = parsed_manifest.unpack();
map<string, Package> current_packages;
parsed_manifest = orchestration_tools->loadPackagesFromJson(manifest_file_path);

152
components/security_apps/orchestration/manifest_controller/manifest_controller_ut/manifest_controller_ut.cc
View File

@@ -58,6 +58,9 @@ public:
Debug::setUnitTestFlag(D_ORCHESTRATOR, Debug::DebugLevel::TRACE);
const string ignore_packages_file = "/etc/cp/conf/ignore-packages.txt";
EXPECT_CALL(mock_orchestration_tools, doesFileExist(ignore_packages_file)).WillOnce(Return(false));
Maybe<string> forbidden_versions(string("a1\na2"));
EXPECT_CALL(mock_orchestration_tools, readFile("/etc/cp/revert/forbidden_versions"))
.WillOnce(Return(forbidden_versions));
manifest_controller.init();
manifest_file_path = getConfigurationWithDefault<string>(
"/etc/cp/conf/manifest.json",
@@ -224,6 +227,10 @@ TEST_F(ManifestControllerTest, createNewManifest)
EXPECT_CALL(mock_orchestration_tools, copyFile(file_name, manifest_file_path)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, isNonEmptyFile(manifest_file_path)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, removeFile(file_name)).WillOnce(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(false));
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
}
@@ -363,6 +370,11 @@ TEST_F(ManifestControllerTest, updateManifest)
EXPECT_CALL(mock_orchestration_tools, isNonEmptyFile(manifest_file_path)).Times(2).WillRepeatedly(Return(true));
EXPECT_CALL(mock_orchestration_tools, removeFile(file_name)).Times(2).WillRepeatedly(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(false));
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
manifest =
@@ -417,6 +429,9 @@ TEST_F(ManifestControllerTest, updateManifest)
EXPECT_CALL(mock_orchestration_tools, loadPackagesFromJson(file_name)).WillOnce(Return(new_services));
EXPECT_CALL(mock_orchestration_tools,
loadPackagesFromJson(manifest_file_path)).WillOnce(Return(old_services));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillRepeatedly(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
}
@@ -478,6 +493,11 @@ TEST_F(ManifestControllerTest, selfUpdate)
EXPECT_CALL(mock_orchestration_tools, copyFile("/tmp/temp_file", path +
temp_ext)).WillOnce(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(false));
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
}
@@ -607,6 +627,10 @@ TEST_F(ManifestControllerTest, removeCurrentErrorPackage)
EXPECT_CALL(mock_orchestration_tools, isNonEmptyFile(manifest_file_path)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, removeFile(file_name)).WillOnce(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(false));
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
corrupted_packages.clear();
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
}
@@ -666,6 +690,10 @@ TEST_F(ManifestControllerTest, selfUpdateWithOldCopy)
EXPECT_CALL(mock_orchestration_tools, copyFile("/tmp/temp_file", path +
temp_ext)).WillOnce(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(false));
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
}
@@ -722,6 +750,10 @@ TEST_F(ManifestControllerTest, selfUpdateWithOldCopyWithError)
EXPECT_CALL(mock_orchestration_tools, doesFileExist(path)).WillOnce(Return(false)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, copyFile(path, path + backup_ext + temp_ext)).WillOnce(Return(false));
EXPECT_CALL(mock_details_resolver, getHostname()).WillOnce(Return(hostname));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(false));
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_FALSE(i_manifest_controller->updateManifest(file_name));
}
@@ -798,6 +830,10 @@ TEST_F(ManifestControllerTest, installAndRemove)
EXPECT_CALL(mock_orchestration_tools, isNonEmptyFile(manifest_file_path)).Times(2).WillRepeatedly(Return(true));
EXPECT_CALL(mock_orchestration_tools, removeFile(file_name)).Times(2).WillRepeatedly(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(false));
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
string new_manifest =
@@ -858,6 +894,63 @@ TEST_F(ManifestControllerTest, installAndRemove)
.WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/packages/my1/my1")).Times(2)
.WillOnce(Return(false));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillRepeatedly(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
}
TEST_F(ManifestControllerTest, manifestWithForbiddenVersion)
{
new_services.clear();
old_services.clear();
string manifest =
"{"
" \"packages\": ["
" {"
" \"download-path\": \"http://172.23.92.135/my.sh\","
" \"relative-path\": \"\","
" \"name\": \"my\","
" \"version\": \"a1\","
" \"checksum-type\": \"sha1sum\","
" \"checksum\": \"a58bbab8020b0e6d08568714b5e582a3adf9c805\","
" \"package-type\": \"service\","
" \"require\": []"
" },"
" {"
" \"download-path\": \"http://172.23.92.135/my.sh\","
" \"relative-path\": \"\","
" \"name\": \"orchestration\","
" \"version\": \"a1\","
" \"checksum-type\": \"sha1sum\","
" \"checksum\": \"a58bbab8020b0e6d08568714b5e582a3adf9c805\","
" \"package-type\": \"service\","
" \"require\": []"
" },"
" {"
" \"download-path\": \"\","
" \"relative-path\": \"\","
" \"name\": \"waap\","
" \"version\": \"a1\","
" \"checksum-type\": \"sha1sum\","
" \"checksum\": \"\","
" \"package-type\": \"service\","
" \"status\": false,\n"
" \"message\": \"This security app isn't valid for this agent\"\n"
" }"
" ]"
"}";
map<string, Package> manifest_services;
load(manifest, manifest_services);
checkIfFileExistsCall(manifest_services.at("my"));
load(manifest, new_services);
load(old_manifest, old_services);
EXPECT_CALL(mock_orchestration_tools, loadPackagesFromJson(file_name)).WillOnce(Return(new_services));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
}
@@ -947,6 +1040,10 @@ TEST_F(ManifestControllerTest, badInstall)
EXPECT_CALL(mock_orchestration_tools,
packagesToJsonFile(corrupted_packages, corrupted_file_list)).WillOnce(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(false));
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_FALSE(i_manifest_controller->updateManifest(file_name));
}
@@ -1112,6 +1209,12 @@ TEST_F(ManifestControllerTest, requireUpdate)
.WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, isNonEmptyFile(manifest_file_path)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, removeFile("new_manifest.json")).WillOnce(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillRepeatedly(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status"))
.WillOnce(Return(false))
.WillRepeatedly(Return(true));;
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
}
@@ -1212,6 +1315,10 @@ TEST_F(ManifestControllerTest, sharedObjectNotInstalled)
).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, copyFile("/tmp/temp_file1", path +
temp_ext)).WillOnce(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(false));
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
}
@@ -1313,6 +1420,12 @@ TEST_F(ManifestControllerTest, requireSharedObjectUpdate)
.WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, removeFile("new_manifest.json"))
.WillOnce(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillRepeatedly(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status"))
.WillOnce(Return(false))
.WillRepeatedly(Return(true));;
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
}
@@ -1389,6 +1502,7 @@ TEST_F(ManifestControllerTest, failureOnDownloadSharedObject)
EXPECT_CALL(mock_details_resolver, getHostname()).WillOnce(Return(string("hostname")));
EXPECT_CALL(mock_orchestration_tools, removeFile("/tmp/temp_file1")).WillOnce(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillRepeatedly(Return("b"));
EXPECT_FALSE(i_manifest_controller->updateManifest(file_name));
}
@@ -1524,6 +1638,12 @@ TEST_F(ManifestControllerTest, multiRequireUpdate)
.WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, removeFile("new_manifest.json"))
.WillOnce(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillRepeatedly(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status"))
.WillOnce(Return(false))
.WillRepeatedly(Return(true));;
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
}
@@ -1610,6 +1730,12 @@ TEST_F(ManifestControllerTest, createNewManifestWithUninstallablePackage)
EXPECT_CALL(mock_orchestration_tools, isNonEmptyFile(manifest_file_path)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, removeFile(file_name)).WillOnce(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillRepeatedly(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status"))
.WillOnce(Return(false))
.WillRepeatedly(Return(true));;
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
}
@@ -1624,7 +1750,7 @@ TEST_F(ManifestControllerTest, updateUninstallPackage)
" \"download-path\": \"\","
" \"relative-path\": \"\","
" \"name\": \"my\","
" \"version\": \"\","
" \"version\": \"c\","
" \"checksum-type\": \"sha1sum\","
" \"checksum\": \"\","
" \"package-type\": \"service\","
@@ -1721,6 +1847,11 @@ TEST_F(ManifestControllerTest, updateUninstallPackage)
EXPECT_CALL(mock_orchestration_tools, loadPackagesFromJson(file_name)).WillOnce(Return(new_services));
EXPECT_CALL(mock_orchestration_tools,
loadPackagesFromJson(manifest_file_path)).WillOnce(Return(old_services));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(false));
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
}
@@ -1744,6 +1875,9 @@ public:
setConfiguration<string>(ignore_packages_file, "orchestration", "Ignore packages list file path");
writeIgnoreList(ignore_packages_file, ignore_services);
EXPECT_CALL(mock_orchestration_tools, doesFileExist(ignore_packages_file)).WillOnce(Return(true));
Maybe<string> forbidden_versions(string("a1\na2"));
EXPECT_CALL(mock_orchestration_tools, readFile("/etc/cp/revert/forbidden_versions"))
.WillOnce(Return(forbidden_versions));
manifest_controller.init();
manifest_file_path = getConfigurationWithDefault<string>(
"/etc/cp/conf/manifest.json",
@@ -1839,6 +1973,7 @@ public:
StrictMock<MockOrchestrationStatus> mock_status;
StrictMock<MockDownloader> mock_downloader;
StrictMock<MockOrchestrationTools> mock_orchestration_tools;
StrictMock<MockDetailsResolver> mock_details_resolver;
NiceMock<MockShellCmd> mock_shell_cmd;
ManifestController manifest_controller;
@@ -2122,6 +2257,12 @@ TEST_F(ManifestControllerIgnorePakckgeTest, addIgnorePackageAndUpdateNormal)
EXPECT_CALL(mock_orchestration_tools, isNonEmptyFile(manifest_file_path)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, removeFile(file_name)).WillOnce(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillRepeatedly(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status"))
.WillOnce(Return(false))
.WillRepeatedly(Return(true));;
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
}
@@ -2387,6 +2528,12 @@ TEST_F(ManifestControllerIgnorePakckgeTest, overrideIgnoredPackageFromProfileSet
EXPECT_CALL(mock_orchestration_tools, isNonEmptyFile(manifest_file_path)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, removeFile(file_name)).WillOnce(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillRepeatedly(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status"))
.WillOnce(Return(false))
.WillRepeatedly(Return(true));;
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
EXPECT_THAT(capture_debug.str(), Not(HasSubstr("Ignoring a package from the manifest. Package name: my")));
@@ -2411,6 +2558,9 @@ public:
doesFileExist("/etc/cp/conf/ignore-packages.txt")
).WillOnce(Return(false));
Maybe<string> forbidden_versions(string("a1\na2"));
EXPECT_CALL(mock_orchestration_tools, readFile("/etc/cp/revert/forbidden_versions"))
.WillOnce(Return(forbidden_versions));
manifest_controller.init();
}

25
components/security_apps/orchestration/manifest_controller/manifest_handler.cc
View File

@@ -14,6 +14,7 @@
#include "manifest_handler.h"
#include <algorithm>
#include <ctime>
#include "debug.h"
#include "config.h"
@@ -201,18 +202,29 @@ ManifestHandler::installPackage(
auto span_scope = i_env->startNewSpanScope(Span::ContextType::CHILD_OF);
auto orchestration_status = Singleton::Consume<I_OrchestrationStatus>::by<ManifestHandler>();
auto details_resolver = Singleton::Consume<I_DetailsResolver>::by<ManifestHandler>();
auto orchestration_tools = Singleton::Consume<I_OrchestrationTools>::by<ManifestHandler>();
auto &package = package_downloaded_file.first;
auto &package_name = package.getName();
auto &package_handler_path = package_downloaded_file.second;
dbgInfo(D_ORCHESTRATOR) << "Handling package installation. Package: " << package_name;
string upgrade_info =
details_resolver->getAgentVersion() + " " + package.getVersion() + " " + getCurrentTimestamp();
if (!orchestration_tools->doesFileExist(getFilesystemPathConfig() + "/revert/upgrade_status") &&
!orchestration_tools->writeFile(upgrade_info, getFilesystemPathConfig() + "/revert/upgrade_status")
) {
dbgWarning(D_ORCHESTRATOR) << "Failed to write to " + getFilesystemPathConfig() + "/revert/upgrade_status";
}
if (package_name.compare(orch_service_name) == 0) {
orchestration_status->writeStatusToFile();
bool self_update_status = selfUpdate(package, current_packages, package_handler_path);
if (!self_update_status) {
auto details = Singleton::Consume<I_AgentDetails>::by<ManifestHandler>();
auto hostname = Singleton::Consume<I_DetailsResolver>::by<ManifestHandler>()->getHostname();
auto hostname = details_resolver->getHostname();
string err_hostname = (hostname.ok() ? "on host '" + *hostname : "'" + details->getAgentId()) + "'";
string install_error =
"Warning: Agent/Gateway " +
@@ -246,7 +258,6 @@ ManifestHandler::installPackage(
return true;
}
string current_installation_file = packages_dir + "/" + package_name + "/" + package_name;
auto orchestration_tools = Singleton::Consume<I_OrchestrationTools>::by<ManifestHandler>();
bool is_clean_installation = !orchestration_tools->doesFileExist(current_installation_file);
@@ -368,3 +379,13 @@ ManifestHandler::selfUpdate(
package_handler->preInstallPackage(orch_service_name, current_installation_file) &&
package_handler->installPackage(orch_service_name, current_installation_file, false);
}
string
ManifestHandler::getCurrentTimestamp()
{
time_t now = time(nullptr);
tm* now_tm = localtime(&now);
char timestamp[20];
strftime(timestamp, sizeof(timestamp), "%Y-%m-%d %H:%M:%S", now_tm);
return string(timestamp);
}

137
components/security_apps/orchestration/orchestration_comp.cc
View File

@@ -55,6 +55,8 @@ USE_DEBUG_FLAG(D_ORCHESTRATOR);
static string fw_last_update_time = "";
#endif // gaia || smb
static const size_t MAX_SERVER_NAME_LENGTH = 253;
class SetAgentUninstall
:
public ServerRest,
@@ -103,6 +105,19 @@ public:
<< "Initializing Orchestration component, file system path prefix: "
<< filesystem_prefix;
int check_upgrade_success_interval = getSettingWithDefault<uint>(10, "successUpgradeInterval");
Singleton::Consume<I_MainLoop>::by<OrchestrationComp>()->addOneTimeRoutine(
I_MainLoop::RoutineType::Timer,
[this, check_upgrade_success_interval]()
{
Singleton::Consume<I_MainLoop>::by<OrchestrationComp>()->yield(
std::chrono::minutes(check_upgrade_success_interval)
);
processUpgradeCompletion();
},
"Orchestration successfully updated (One-Time After Interval)",
true
);
auto orch_policy = loadDefaultOrchestrationPolicy();
if (!orch_policy.ok()) {
dbgWarning(D_ORCHESTRATOR) << "Failed to load Orchestration Policy. Error: " << orch_policy.getErr();
@@ -141,6 +156,113 @@ public:
}
private:
void
saveLastKnownOrchInfo(string curr_agent_version)
{
static const string upgrades_dir = filesystem_prefix + "/revert";
static const string last_known_orchestrator = upgrades_dir + "/last_known_working_orchestrator";
static const string current_orchestration_package =
filesystem_prefix + "/packages/orchestration/orchestration";
static const string last_known_manifest = upgrades_dir + "/last_known_manifest";
static const string current_manifest_file = getConfigurationWithDefault<string>(
filesystem_prefix + "/conf/manifest.json",
"orchestration",
"Manifest file path"
);
if (!i_orchestration_tools->copyFile(current_orchestration_package, last_known_orchestrator)) {
dbgWarning(D_ORCHESTRATOR) << "Failed to copy the orchestration package to " << upgrades_dir;
} else {
dbgInfo(D_ORCHESTRATOR) << "last known orchestrator version updated to: " << curr_agent_version;
}
if (!i_orchestration_tools->copyFile(current_manifest_file, last_known_manifest)) {
dbgWarning(D_ORCHESTRATOR) << "Failed to copy " << current_manifest_file << " to " << upgrades_dir;
} else {
dbgInfo(D_ORCHESTRATOR) << "last known manifest updated";
}
return;
}
void
processUpgradeCompletion()
{
if (!is_first_check_update_success) {
int check_upgrade_success_interval = getSettingWithDefault<uint>(10, "successUpgradeInterval");
// LCOV_EXCL_START
Singleton::Consume<I_MainLoop>::by<OrchestrationComp>()->addOneTimeRoutine(
I_MainLoop::RoutineType::Timer,
[this, check_upgrade_success_interval]()
{
Singleton::Consume<I_MainLoop>::by<OrchestrationComp>()->yield(
std::chrono::minutes(check_upgrade_success_interval)
);
processUpgradeCompletion();
},
"Orchestration successfully updated",
true
);
// LCOV_EXCL_STOP
return;
}
static const string upgrades_dir = filesystem_prefix + "/revert";
static const string upgrade_status = upgrades_dir + "/upgrade_status";
static const string last_known_orchestrator = upgrades_dir + "/last_known_working_orchestrator";
static const string upgrade_failure_info_path = upgrades_dir + "/failed_upgrade_info";
I_DetailsResolver *i_details_resolver = Singleton::Consume<I_DetailsResolver>::by<OrchestrationComp>();
bool is_upgrade_status_exist = i_orchestration_tools->doesFileExist(upgrade_status);
bool is_last_known_orchestrator_exist = i_orchestration_tools->doesFileExist(last_known_orchestrator);
if (!is_upgrade_status_exist) {
if (!is_last_known_orchestrator_exist) {
saveLastKnownOrchInfo(i_details_resolver->getAgentVersion());
}
return;
}
auto maybe_upgrade_data = i_orchestration_tools->readFile(upgrade_status);
string upgrade_data, from_version, to_version;
if (maybe_upgrade_data.ok()) {
upgrade_data = maybe_upgrade_data.unpack();
istringstream stream(upgrade_data);
stream >> from_version >> to_version;
}
i_orchestration_tools->removeFile(upgrade_status);
if (i_orchestration_tools->doesFileExist(upgrade_failure_info_path)) {
string info = "Orchestration revert. ";
auto failure_info = i_orchestration_tools->readFile(upgrade_failure_info_path);
if (failure_info.ok()) info.append(failure_info.unpack());
LogGen(
info,
ReportIS::Level::ACTION,
ReportIS::Audience::INTERNAL,
ReportIS::Severity::CRITICAL,
ReportIS::Priority::URGENT,
ReportIS::Tags::ORCHESTRATOR
);
dbgError(D_ORCHESTRATOR) <<
"Error in orchestration version: " << to_version <<
". Orchestration reverted to version: " << i_details_resolver->getAgentVersion();
i_orchestration_tools->removeFile(upgrade_failure_info_path);
return;
}
saveLastKnownOrchInfo(i_details_resolver->getAgentVersion());
i_orchestration_tools->writeFile(
upgrade_data + "\n",
getLogFilesPathConfig() + "/nano_agent/prev_upgrades",
true
);
dbgWarning(D_ORCHESTRATOR) <<
"Upgrade process from version: " << from_version <<
" to version: " << to_version <<
" completed successfully";
}
Maybe<void>
registerToTheFog()
{
@@ -1022,6 +1144,7 @@ private:
UpdatesProcessResult::SUCCESS,
UpdatesConfigType::GENERAL
).notify();
if (!is_first_check_update_success) is_first_check_update_success = true;
return Maybe<void>();
}
@@ -1389,6 +1512,8 @@ private:
agent_data_report << AgentReportFieldWithLabel("userEdition", FogCommunication::getUserEdition());
agent_data_report << make_pair("registeredServer", i_agent_details->getRegisteredServer());
#if defined(gaia) || defined(smb)
if (i_details_resolver->compareCheckpointVersion(8100, greater_equal<int>())) {
agent_data_report << AgentReportFieldWithLabel("isCheckpointVersionGER81", "true");
@@ -1403,6 +1528,7 @@ private:
} else {
curr_agent_data_report = agent_data_report;
curr_agent_data_report.disableReportSending();
agent_data_report << AgentReportFieldWithLabel("report_timestamp", i_time->getWalltimeStr());
}
}
@@ -1549,6 +1675,11 @@ private:
<< LogField("agentType", "Orchestration")
<< LogField("agentVersion", Version::get());
string registered_server = getAttribute("registered-server", "registered_server");
dbgTrace(D_ORCHESTRATOR) << "Registered server: " << registered_server;
if (!registered_server.empty()) {
i_agent_details->setRegisteredServer(registered_server.substr(0, MAX_SERVER_NAME_LENGTH));
}
auto mainloop = Singleton::Consume<I_MainLoop>::by<OrchestrationComp>();
mainloop->addOneTimeRoutine(
I_MainLoop::RoutineType::Offline,
@@ -1629,7 +1760,7 @@ private:
}
}
string server_name = getAttribute("registered-server", "registered_server");
string server_name = Singleton::Consume<I_AgentDetails>::by<OrchestrationComp>()->getRegisteredServer();
auto server = TagAndEnumManagement::convertStringToTag(server_name);
if (server_name == "'SWAG'" || server_name == "'SWAG Server'") server = Tags::WEB_SERVER_SWAG;
if (server.ok()) tags.insert(*server);
@@ -1653,7 +1784,7 @@ private:
tags
);
if (server_name != "") registration_report.addToOrigin(LogField("eventCategory", server_name));
registration_report.addToOrigin(LogField("eventCategory", server_name));
auto email = getAttribute("email-address", "user_email");
if (email != "") registration_report << LogField("userDefinedId", email);
@@ -2065,6 +2196,7 @@ private:
int failure_count = 0;
unsigned int sleep_interval = 0;
bool is_new_success = false;
bool is_first_check_update_success = false;
OrchestrationPolicy policy;
UpdatesProcessReporter updates_process_reporter_listener;
HybridModeMetric hybrid_mode_metric;
@@ -2130,6 +2262,7 @@ OrchestrationComp::preload()
registerExpectedSetting<vector<string>>("upgradeDay");
registerExpectedSetting<string>("email-address");
registerExpectedSetting<string>("registered-server");
registerExpectedSetting<uint>("successUpgradeInterval");
registerExpectedConfigFile("orchestration", Config::ConfigFileType::Policy);
registerExpectedConfigFile("registration-data", Config::ConfigFileType::Policy);
}

7
components/security_apps/orchestration/orchestration_ut/orchestration_multitenant_ut.cc
View File

@@ -89,6 +89,11 @@ public:
EXPECT_CALL(mock_service_controller, isServiceInstalled("Access Control")).WillRepeatedly(Return(false));
EXPECT_CALL(
mock_ml,
addOneTimeRoutine(_, _, "Orchestration successfully updated (One-Time After Interval)", true)
).WillOnce(DoAll(SaveArg<1>(&upgrade_routine), Return(0)));
// This Holding the Main Routine of the Orchestration.
EXPECT_CALL(
mock_ml,
@@ -156,6 +161,7 @@ public:
runRoutine()
{
routine();
upgrade_routine();
}
void
@@ -235,6 +241,7 @@ private:
}
I_MainLoop::Routine routine;
I_MainLoop::Routine upgrade_routine;
I_MainLoop::Routine status_routine;
};

59
components/security_apps/orchestration/orchestration_ut/orchestration_ut.cc
View File

@@ -83,6 +83,12 @@ public:
EXPECT_CALL(mock_orchestration_tools, readFile(orchestration_policy_file_path)).WillOnce(Return(response));
EXPECT_CALL(mock_status, setFogAddress(host_url)).WillRepeatedly(Return());
EXPECT_CALL(mock_orchestration_tools, setClusterId());
EXPECT_CALL(
mock_ml,
addOneTimeRoutine(_, _, "Orchestration successfully updated (One-Time After Interval)", true)
).WillOnce(DoAll(SaveArg<1>(&upgrade_routine), Return(0)));
EXPECT_CALL(
mock_ml,
addOneTimeRoutine(I_MainLoop::RoutineType::System, _, "Orchestration runner", true)
@@ -281,6 +287,12 @@ public:
status_routine();
}
void
runUpgradeRoutine()
{
upgrade_routine();
}
void
preload()
{
@@ -359,6 +371,7 @@ private:
I_MainLoop::Routine routine;
I_MainLoop::Routine status_routine;
I_MainLoop::Routine upgrade_routine;
};
@@ -601,14 +614,6 @@ TEST_F(OrchestrationTest, check_sending_registration_data)
string version = "1";
EXPECT_CALL(mock_service_controller, getUpdatePolicyVersion()).WillOnce(ReturnRef(version));
EXPECT_CALL(mock_ml, yield(A<chrono::microseconds>()))
.WillOnce(Return())
.WillOnce(Invoke([] (chrono::microseconds) { throw invalid_argument("stop while loop"); }));
try {
runRoutine();
} catch (const invalid_argument& e) {}
string config_json =
"{\n"
" \"email-address\": \"fake@example.com\",\n"
@@ -617,9 +622,19 @@ TEST_F(OrchestrationTest, check_sending_registration_data)
istringstream ss(config_json);
Singleton::Consume<Config::I_Config>::from(config_comp)->loadConfiguration(ss);
EXPECT_CALL(mock_ml, yield(A<chrono::microseconds>()))
.WillOnce(Return())
.WillOnce(Invoke([] (chrono::microseconds) { throw invalid_argument("stop while loop"); }));
try {
runRoutine();
} catch (const invalid_argument& e) {}
sending_routine();
EXPECT_THAT(message_body, HasSubstr("\"userDefinedId\": \"fake@example.com\""));
EXPECT_THAT(message_body, HasSubstr("\"eventCategory\""));
EXPECT_THAT(message_body, AnyOf(HasSubstr("\"Embedded Deployment\""), HasSubstr("\"Kubernetes Deployment\"")));
EXPECT_THAT(message_body, HasSubstr("\"NGINX Server\""));
}
@@ -1004,6 +1019,11 @@ TEST_F(OrchestrationTest, loadOrchestrationPolicyFromBackup)
);
waitForRestCall();
EXPECT_CALL(
mock_ml,
addOneTimeRoutine(_, _, "Orchestration successfully updated (One-Time After Interval)", true)
);
EXPECT_CALL(
mock_ml,
addOneTimeRoutine(I_MainLoop::RoutineType::System, _, "Orchestration runner", true)
@@ -1170,6 +1190,29 @@ TEST_F(OrchestrationTest, manifestUpdate)
try {
runRoutine();
} catch (const invalid_argument& e) {}
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/last_known_working_orchestrator"))
.WillOnce(Return(true));
Maybe<string> upgrade_status(string("1.1.1 1.1.2 2025-01-28 07:53:23"));
EXPECT_CALL(mock_orchestration_tools, readFile("/etc/cp/revert/upgrade_status"))
.WillOnce(Return(upgrade_status));
EXPECT_CALL(mock_orchestration_tools, removeFile("/etc/cp/revert/upgrade_status")).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/failed_upgrade_info"))
.WillOnce(Return(false));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillRepeatedly(Return("1.1.2"));
EXPECT_CALL(mock_orchestration_tools, copyFile(_, "/etc/cp/revert/last_known_working_orchestrator"))
.WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, copyFile(_, "/etc/cp/revert/last_known_manifest")).WillOnce(Return(true));
EXPECT_CALL(
mock_orchestration_tools,
writeFile("1.1.1 1.1.2 2025-01-28 07:53:23\n", "/var/log/nano_agent/prev_upgrades", true)
).WillOnce(Return(true));
EXPECT_CALL(mock_ml, yield(A<chrono::microseconds>())).WillOnce(Return());
runUpgradeRoutine();
}
TEST_F(OrchestrationTest, getBadPolicyUpdate)

6
components/security_apps/orchestration/update_communication/fog_authenticator.cc
View File

@@ -377,9 +377,13 @@ FogAuthenticator::registerLocalAgentToFog()
{
auto local_reg_token = getRegistrationToken();
if (!local_reg_token.ok()) return;
string reg_token = local_reg_token.unpack().getData();
if (reg_token.empty()) return;
dbgInfo(D_ORCHESTRATOR) << "Start local agent registration to the fog";
string exec_command = "open-appsec-ctl --set-mode --online_mode --token " + local_reg_token.unpack().getData();
string exec_command = "open-appsec-ctl --set-mode --online_mode --token " + reg_token;
auto i_agent_details = Singleton::Consume<I_AgentDetails>::by<FogAuthenticator>();
auto fog_address = i_agent_details->getFogDomain();