Sep_24_2023-Dev

2025-09-30 03:34:26 +03:00 · 2023-09-24 10:28:57 +00:00
parent a4d1fb6f7f
commit 582791e37a
106 changed files with 12287 additions and 169 deletions
--- a/components/include/generic_rulebase/evaluators/http_transaction_data_eval.h
+++ b/components/include/generic_rulebase/evaluators/http_transaction_data_eval.h
@@ -32,6 +32,19 @@ private:
    std::string host;
 };

+class WildcardHost : public EnvironmentEvaluator<bool>, Singleton::Consume<I_Environment>
+{
+public:
+    WildcardHost(const std::vector<std::string> &params);
+
+    static std::string getName() { return "WildcardHost"; }
+
+    Maybe<bool, Context::Error> evalVariable() const override;
+
+private:
+    std::string host;
+};
+
 class EqualListeningIP : public EnvironmentEvaluator<bool>, Singleton::Consume<I_Environment>
 {
 public:
--- a/components/include/i_local_policy_mgmt_gen.h
+++ b/components/include/i_local_policy_mgmt_gen.h
@@ -14,13 +14,15 @@
 #ifndef __I_LOCAL_POLICY_MGMT_GEN_H__
 #define __I_LOCAL_POLICY_MGMT_GEN_H__

+#include "i_env_details.h"
+
 class I_LocalPolicyMgmtGen
 {
 public:
-    virtual std::string parsePolicy(const std::string &policy_version) = 0;
-    virtual const std::string & getAgentPolicyPath(void) const = 0;
-    virtual const std::string & getLocalPolicyPath(void) const = 0;
-    virtual void setPolicyPath(const std::string &new_local_policy_path) = 0;
+    virtual std::string generateAppSecLocalPolicy(
+        EnvType env_type,
+        const std::string &policy_version,
+        const std::string &local_policy_path) = 0;

 protected:
    ~I_LocalPolicyMgmtGen() {}
--- a/components/include/i_orchestration_status.h
+++ b/components/include/i_orchestration_status.h
@@ -34,6 +34,7 @@ public:
    virtual const std::string & getUpdateTime() const = 0;
    virtual const std::string & getLastManifestUpdate() const = 0;
    virtual const std::string & getPolicyVersion() const = 0;
+    virtual const std::string & getWaapModelVersion() const = 0;
    virtual const std::string & getLastPolicyUpdate() const = 0;
    virtual const std::string & getLastSettingsUpdate() const = 0;
    virtual const std::string & getUpgradeMode() const = 0;
--- a/components/include/i_orchestration_tools.h
+++ b/components/include/i_orchestration_tools.h
@@ -106,8 +106,9 @@ public:
        const std::string &profile_id = "") const = 0;

    virtual bool isNonEmptyFile(const std::string &path) const = 0;
+    virtual std::shared_ptr<std::ifstream> fileStreamWrapper(const std::string &path) const = 0;
    virtual Maybe<std::string> readFile(const std::string &path) const = 0;
-    virtual bool writeFile(const std::string &text, const std::string &path) const = 0;
+    virtual bool writeFile(const std::string &text, const std::string &path, bool append_mode = false) const = 0;
    virtual bool removeFile(const std::string &path) const = 0;
    virtual bool removeDirectory(const std::string &path, bool delete_content) const = 0;
    virtual void deleteVirtualTenantProfileFiles(
@@ -116,6 +117,7 @@ public:
        const std::string &conf_path) const = 0;
    virtual bool copyFile(const std::string &src_path, const std::string &dst_path) const = 0;
    virtual bool doesFileExist(const std::string &file_path) const = 0;
+    virtual void getClusterId() const = 0;
    virtual void fillKeyInJson(
        const std::string &filename,
        const std::string &_key,
--- a/components/include/orchestration_comp.h
+++ b/components/include/orchestration_comp.h
@@ -31,6 +31,7 @@
 #include "i_environment.h"
 #include "i_tenant_manager.h"
 #include "i_package_handler.h"
+#include "i_env_details.h"
 #include "component.h"

 class OrchestrationComp
@@ -52,7 +53,8 @@ class OrchestrationComp
    Singleton::Consume<I_ServiceController>,
    Singleton::Consume<I_UpdateCommunication>,
    Singleton::Consume<I_Downloader>,
-    Singleton::Consume<I_ManifestController>
+    Singleton::Consume<I_ManifestController>,
+    Singleton::Consume<I_EnvDetails>
 {
 public:
    OrchestrationComp();
--- a/components/include/orchestration_status.h
+++ b/components/include/orchestration_status.h
@@ -24,6 +24,7 @@
 #include "i_time_get.h"
 #include "i_mainloop.h"
 #include "i_agent_details.h"
+#include "i_details_resolver.h"
 #include "customized_cereal_map.h"

 class OrchestrationStatus
@@ -32,6 +33,7 @@ class OrchestrationStatus
    Singleton::Provide<I_OrchestrationStatus>,
    Singleton::Consume<I_TimeGet>,
    Singleton::Consume<I_AgentDetails>,
+    Singleton::Consume<I_DetailsResolver>,
    Singleton::Consume<I_OrchestrationTools>,
    Singleton::Consume<I_MainLoop>
 {
--- a/components/include/orchestration_tools.h
+++ b/components/include/orchestration_tools.h
@@ -20,13 +20,23 @@
 #include "i_shell_cmd.h"
 #include "i_tenant_manager.h"
 #include "component.h"
+#include "i_env_details.h"
+#include "i_messaging.h"
+#include "i_environment.h"
+#include "i_agent_details.h"
+#include "i_mainloop.h"

 class OrchestrationTools
        :
    public Component,
    Singleton::Provide<I_OrchestrationTools>,
    Singleton::Consume<I_ShellCmd>,
-    Singleton::Consume<I_TenantManager>
+    Singleton::Consume<I_TenantManager>,
+    Singleton::Consume<I_EnvDetails>,
+    Singleton::Consume<I_Messaging>,
+    Singleton::Consume<I_Environment>,
+    Singleton::Consume<I_MainLoop>,
+    Singleton::Consume<I_AgentDetails>
 {
 public:
    OrchestrationTools();
--- a/components/include/orchestrator/rest_api/orchestration_check_update.h
+++ b/components/include/orchestrator/rest_api/orchestration_check_update.h
@@ -111,6 +111,26 @@ public:
    public:
        UpgradeSchedule() = default;

+        UpgradeSchedule(const UpgradeSchedule &other)
+        {
+            mode = other.mode;
+            time = other.time;
+            duration_hours = other.duration_hours;
+            days = other.days;
+        }
+
+        UpgradeSchedule &
+        operator=(const UpgradeSchedule &other)
+        {
+            if (this != &other) {
+                mode = other.mode;
+                time = other.time;
+                duration_hours = other.duration_hours;
+                days = other.days;
+            }
+            return *this;
+        }
+
        void init(const std::string &_upgrade_mode) { mode = _upgrade_mode; }

        void
@@ -142,6 +162,22 @@ public:
        C2S_LABEL_OPTIONAL_PARAM(std::vector<std::string>, days, "upgradeDay");
    };

+    class LocalConfigurationSettings : public ClientRest
+    {
+    public:
+        LocalConfigurationSettings() = default;
+
+        void
+        setUpgradeSchedule(const UpgradeSchedule &schedule)
+        {
+            upgrade_schedule.setActive(true);
+            upgrade_schedule.get() = schedule;
+        }
+
+    private:
+        C2S_LABEL_OPTIONAL_PARAM(UpgradeSchedule, upgrade_schedule, "upgradeSchedule");
+    };
+
    CheckUpdateRequest(
        const std::string &_manifest,
        const std::string &_policy,
@@ -224,8 +260,10 @@ public:
    void
    setUpgradeFields(const std::string &_upgrade_mode)
    {
-        upgrade_schedule.setActive(true);
-        upgrade_schedule.get().init(_upgrade_mode);
+        UpgradeSchedule upgrade_schedule;
+        upgrade_schedule.init(_upgrade_mode);
+        local_configuration_settings.setActive(true);
+        local_configuration_settings.get().setUpgradeSchedule(upgrade_schedule);
    }

    void
@@ -235,12 +273,14 @@ public:
        const uint &_upgrade_duration_hours,
        const std::vector<std::string> &_upgrade_days)
    {
-        upgrade_schedule.setActive(true);
+        UpgradeSchedule upgrade_schedule;
        if (!_upgrade_days.empty()) {
-            upgrade_schedule.get().init(_upgrade_mode, _upgrade_time, _upgrade_duration_hours, _upgrade_days);
-            return;
+            upgrade_schedule.init(_upgrade_mode, _upgrade_time, _upgrade_duration_hours, _upgrade_days);
+        } else {
+            upgrade_schedule.init(_upgrade_mode, _upgrade_time, _upgrade_duration_hours);
        }
-        upgrade_schedule.get().init(_upgrade_mode, _upgrade_time, _upgrade_duration_hours);
+        local_configuration_settings.setActive(true);
+        local_configuration_settings.get().setUpgradeSchedule(upgrade_schedule);
    }

 private:
@@ -297,7 +337,7 @@ private:
    C2S_LABEL_PARAM(std::string, checksum_type,  "checksum-type");
    C2S_LABEL_PARAM(std::string, policy_version, "policyVersion");

-    C2S_LABEL_OPTIONAL_PARAM(UpgradeSchedule, upgrade_schedule, "upgradeSchedule");
+    C2S_LABEL_OPTIONAL_PARAM(LocalConfigurationSettings, local_configuration_settings, "localConfigurationSettings");

    S2C_LABEL_OPTIONAL_PARAM(VirtualConfig, in_virtual_policy,    "virtualPolicy");
    S2C_LABEL_OPTIONAL_PARAM(VirtualConfig, in_virtual_settings,  "virtualSettings");
--- a/components/include/rate_limit.h
+++ b/components/include/rate_limit.h
@@ -0,0 +1,32 @@
+#ifndef __RATE_LIMIT_H_
+#define __RATE_LIMIT_H_
+
+#include <string>
+
+#include "component.h"
+#include "singleton.h"
+#include "i_mainloop.h"
+#include "i_environment.h"
+
+class RateLimit
+    :
+    public Component,
+    Singleton::Consume<I_MainLoop>,
+    Singleton::Consume<I_TimeGet>,
+    Singleton::Consume<I_Environment>
+{
+public:
+    RateLimit();
+    ~RateLimit();
+
+    void preload() override;
+
+    void init() override;
+    void fini() override;
+
+private:
+    class Impl;
+    std::unique_ptr<Impl> pimpl;
+};
+
+#endif // __RATE_LIMIT_H_
--- a/components/include/rate_limit_config.h
+++ b/components/include/rate_limit_config.h
@@ -0,0 +1,142 @@
+#ifndef __RATE_LIMIT_CONFIG_H__
+#define __RATE_LIMIT_CONFIG_H__
+
+#include <string>
+#include <vector>
+#include <algorithm>
+#include <cereal/archives/json.hpp>
+
+#include "debug.h"
+#include "generic_rulebase/rulebase_config.h"
+#include "generic_rulebase/triggers_config.h"
+#include "generic_rulebase/evaluators/trigger_eval.h"
+
+USE_DEBUG_FLAG(D_REVERSE_PROXY);
+
+class RateLimitTrigger
+{
+public:
+    void
+    load(cereal::JSONInputArchive &ar);
+
+    const std::string & getTriggerId() const { return id; }
+
+private:
+    std::string id;
+};
+
+class RateLimitRule
+{
+public:
+    void load(cereal::JSONInputArchive &ar);
+    void prepare(const std::string &asset_id, int zone_id);
+
+    operator bool() const
+    {
+        if (uri.empty()) {
+            dbgTrace(D_REVERSE_PROXY) << "Recived empty URI in rate-limit rule";
+            return false;
+        }
+
+        if (uri.at(0) != '/') {
+            dbgWarning(D_REVERSE_PROXY)
+                << "Recived invalid rate-limit URI in rate-limit rule: "
+                << uri
+                << " rate-limit URI must start with /";
+            return false;
+        }
+
+        if (limit <= 0) {
+            dbgWarning(D_REVERSE_PROXY)
+                << "Recived invalid rate-limit limit in rate-limit rule: "
+                << limit
+                << " rate-limit rule limit must be positive";
+            return false;
+        }
+
+        return true;
+    }
+
+    friend std::ostream &
+    operator<<(std::ostream &os, const RateLimitRule &rule)
+    {
+        os << "Uri: " << rule.uri << ", Rate scope: " << rule.scope << ", Limit: " << rule.limit;
+
+        return os;
+    }
+
+    int getRateLimit() const { return limit; }
+    const std::string & getRateLimitZone() const { return limit_req_zone_template_value; }
+    const std::string & getRateLimitReq() const { return limit_req_template_value; }
+    const std::string & getRateLimitUri() const { return uri; }
+    const std::string & getRateLimitScope() const { return scope; }
+    const LogTriggerConf & getRateLimitTrigger() const { return trigger; }
+    const std::vector<RateLimitTrigger> & getRateLimitTriggers() const { return rate_limit_triggers; }
+
+    bool isRootLocation() const;
+
+    bool operator==(const RateLimitRule &rhs) { return uri == rhs.uri; }
+    bool operator<(const RateLimitRule &rhs) { return uri < rhs.uri; }
+    bool isExactMatch() const { return exact_match || (!uri.empty() && uri.back() != '/'); }
+    void setExactMatch() { exact_match = true; }
+    void appendSlash() { uri += '/'; }
+
+private:
+    std::string uri;
+    std::string scope;
+    std::string limit_req_template_value;
+    std::string limit_req_zone_template_value;
+    std::string cache_size = "5m";
+    std::vector<RateLimitTrigger> rate_limit_triggers;
+    LogTriggerConf trigger;
+    int limit;
+    bool exact_match = false;
+};
+
+class RateLimitConfig
+{
+public:
+    void load(cereal::JSONInputArchive &ar);
+    void addSiblingRateLimitRule(RateLimitRule &rule);
+    void prepare();
+
+    const std::vector<RateLimitRule> & getRateLimitRules() const { return rate_limit_rules; }
+    const std::string & getRateLimitMode() const { return mode; }
+
+    const LogTriggerConf
+    getRateLimitTrigger(const std::string &nginx_uri) const
+    {
+        const RateLimitRule rule = findLongestMatchingRule(nginx_uri);
+
+        std::set<std::string> rate_limit_triggers_set;
+        for (const RateLimitTrigger &rate_limit_trigger : rule.getRateLimitTriggers()) {
+            dbgTrace(D_REVERSE_PROXY)
+                << "Adding trigger ID: "
+                << rate_limit_trigger.getTriggerId()
+                << " of rule URI: "
+                << rule.getRateLimitUri()
+                << " to the context set";
+            rate_limit_triggers_set.insert(rate_limit_trigger.getTriggerId());
+        }
+
+        ScopedContext ctx;
+        ctx.registerValue<std::set<GenericConfigId>>(TriggerMatcher::ctx_key, rate_limit_triggers_set);
+        return getConfigurationWithDefault(LogTriggerConf(), "rulebase", "log");
+    }
+
+    static void setIsActive(bool _is_active) { is_active |= _is_active; }
+
+    static void resetIsActive() { is_active = false; }
+
+    static bool isActive() { return is_active; }
+
+private:
+    const RateLimitRule
+    findLongestMatchingRule(const std::string &nginx_uri) const;
+
+    static bool is_active;
+    std::string mode;
+    std::vector<RateLimitRule> rate_limit_rules;
+};
+
+#endif // __RATE_LIMIT_CONFIG_H__