mirror of
https://github.com/openappsec/openappsec.git
synced 2025-11-16 17:31:52 +03:00
sync code
This commit is contained in:
Ned Wright
@@ -67,18 +67,18 @@ public:
|
||||
dbgTrace(D_GEO_FILTER) << getListenerName() << " new transaction event";
|
||||
|
||||
if (!event.isLastHeader()) return EventVerdict(ngx_http_cp_verdict_e::TRAFFIC_VERDICT_INSPECT);
|
||||
std::set<std::string> xff_set;
|
||||
std::set<std::string> ip_set;
|
||||
auto env = Singleton::Consume<I_Environment>::by<HttpGeoFilter>();
|
||||
auto maybe_xff = env->get<std::string>(HttpTransactionData::xff_vals_ctx);
|
||||
if (!maybe_xff.ok()) {
|
||||
dbgTrace(D_GEO_FILTER) << "failed to get xff vals from env";
|
||||
} else {
|
||||
xff_set = split(maybe_xff.unpack(), ',');
|
||||
ip_set = split(maybe_xff.unpack(), ',');
|
||||
}
|
||||
dbgDebug(D_GEO_FILTER) << getListenerName() << " last header, start lookup";
|
||||
|
||||
if (xff_set.size() > 0) {
|
||||
removeTrustedIpsFromXff(xff_set);
|
||||
if (ip_set.size() > 0) {
|
||||
removeTrustedIpsFromXff(ip_set);
|
||||
} else {
|
||||
dbgDebug(D_GEO_FILTER) << "xff not found in headers";
|
||||
}
|
||||
@@ -90,14 +90,14 @@ public:
|
||||
}
|
||||
|
||||
auto source_ip = convertIpAddrToString(maybe_source_ip.unpack());
|
||||
xff_set.insert(source_ip);
|
||||
ip_set.insert(source_ip);
|
||||
|
||||
ngx_http_cp_verdict_e exception_verdict = getExceptionVerdict(xff_set);
|
||||
ngx_http_cp_verdict_e exception_verdict = getExceptionVerdict(ip_set);
|
||||
if (exception_verdict != ngx_http_cp_verdict_e::TRAFFIC_VERDICT_IRRELEVANT) {
|
||||
return EventVerdict(exception_verdict);
|
||||
}
|
||||
|
||||
ngx_http_cp_verdict_e geo_lookup_verdict = getGeoLookupVerdict(xff_set);
|
||||
ngx_http_cp_verdict_e geo_lookup_verdict = getGeoLookupVerdict(ip_set);
|
||||
if (geo_lookup_verdict != ngx_http_cp_verdict_e::TRAFFIC_VERDICT_IRRELEVANT) {
|
||||
return EventVerdict(geo_lookup_verdict);
|
||||
}
|
||||
@@ -469,5 +469,6 @@ void
|
||||
HttpGeoFilter::preload()
|
||||
{
|
||||
registerExpectedConfiguration<GeoConfig>("rulebase", "httpGeoFilter");
|
||||
registerExpectedConfiguration<UsersAllIdentifiersConfig>("rulebase", "usersIdentifiers");
|
||||
registerConfigLoadCb([this]() { pimpl->loadDefaultAction(); });
|
||||
}
|
||||
|
||||
@@ -43,7 +43,10 @@ CompoundProtection::Impl::getMatch(const set<PMPattern> &matched) const
|
||||
case Operation::ORDERED_AND: return getMatchOrderedAnd(matched);
|
||||
}
|
||||
|
||||
dbgAssert(false) << "Unknown compound operation: " << static_cast<uint>(operation);
|
||||
dbgAssert(false)
|
||||
<< AlertInfo(AlertTeam::CORE, "ips")
|
||||
<< "Unknown compound operation: "
|
||||
<< static_cast<uint>(operation);
|
||||
return MatchType::NO_MATCH;
|
||||
}
|
||||
|
||||
|
||||
@@ -8,7 +8,9 @@ IPSConfiguration::Context::Context(ContextType _type, uint history) : type(_type
|
||||
uint
|
||||
IPSConfiguration::Context::getHistorySize() const
|
||||
{
|
||||
dbgAssert(type == ContextType::HISTORY) << "Try to access history size for non-history context";
|
||||
dbgAssert(type == ContextType::HISTORY)
|
||||
<< AlertInfo(AlertTeam::CORE, "ips")
|
||||
<< "Try to access history size for non-history context";
|
||||
return history_size;
|
||||
}
|
||||
|
||||
@@ -69,6 +71,8 @@ uint
|
||||
IPSConfiguration::getHistorySize(const string &name) const
|
||||
{
|
||||
auto context = context_config.find(name);
|
||||
dbgAssert(context != context_config.end()) << "Try to access history size for non-exiting context";
|
||||
dbgAssert(context != context_config.end())
|
||||
<< AlertInfo(AlertTeam::CORE, "ips")
|
||||
<< "Try to access history size for non-exiting context";
|
||||
return context->second.getHistorySize();
|
||||
}
|
||||
|
||||
@@ -84,7 +84,7 @@ IPSSignatureMetaData::getSeverityString() const
|
||||
return "Critical";
|
||||
}
|
||||
|
||||
dbgAssert(false) << "Illegal severity value: " << static_cast<uint>(severity);
|
||||
dbgAssert(false) << AlertInfo(AlertTeam::CORE, "ips") << "Illegal severity value: " << static_cast<uint>(severity);
|
||||
return "Critical";
|
||||
}
|
||||
|
||||
@@ -116,7 +116,10 @@ IPSSignatureMetaData::getPerformanceString() const
|
||||
return "Critical";
|
||||
}
|
||||
|
||||
dbgAssert(false) << "Illegal performance value: " << static_cast<uint>(performance);
|
||||
dbgAssert(false)
|
||||
<< AlertInfo(AlertTeam::CORE, "ips")
|
||||
<< "Illegal performance value: "
|
||||
<< static_cast<uint>(performance);
|
||||
return "Critical";
|
||||
}
|
||||
|
||||
|
||||
@@ -19,7 +19,14 @@ using namespace std;
|
||||
USE_DEBUG_FLAG(D_LOCAL_POLICY);
|
||||
// LCOV_EXCL_START Reason: no test exist
|
||||
|
||||
static const set<string> valid_modes = {"prevent-learn", "detect-learn", "prevent", "detect", "inactive"};
|
||||
static const set<string> valid_modes = {
|
||||
"prevent-learn",
|
||||
"detect-learn",
|
||||
"prevent",
|
||||
"detect",
|
||||
"inactive",
|
||||
"as-top-level"
|
||||
};
|
||||
static const set<string> valid_confidences = {"medium", "high", "critical"};
|
||||
|
||||
void
|
||||
@@ -138,15 +145,11 @@ AppSecPracticeWebAttacks::load(cereal::JSONInputArchive &archive_in)
|
||||
dbgWarning(D_LOCAL_POLICY) << "AppSec practice override mode invalid: " << mode;
|
||||
}
|
||||
|
||||
if (getMode() == "Prevent") {
|
||||
parseAppsecJSONKey<string>("minimum-confidence", minimum_confidence, archive_in, "critical");
|
||||
if (valid_confidences.count(minimum_confidence) == 0) {
|
||||
dbgWarning(D_LOCAL_POLICY)
|
||||
<< "AppSec practice override minimum confidence invalid: "
|
||||
<< minimum_confidence;
|
||||
}
|
||||
} else {
|
||||
minimum_confidence = "Transparent";
|
||||
parseAppsecJSONKey<string>("minimum-confidence", minimum_confidence, archive_in, "critical");
|
||||
if (valid_confidences.count(minimum_confidence) == 0) {
|
||||
dbgWarning(D_LOCAL_POLICY)
|
||||
<< "AppSec practice override minimum confidence invalid: "
|
||||
<< minimum_confidence;
|
||||
}
|
||||
parseAppsecJSONKey<int>("max-body-size-kb", max_body_size_kb, archive_in, 1000000);
|
||||
parseAppsecJSONKey<int>("max-header-size-bytes", max_header_size_bytes, archive_in, 102400);
|
||||
@@ -189,7 +192,10 @@ AppSecPracticeWebAttacks::getMode(const string &default_mode) const
|
||||
{
|
||||
if (isModeInherited(mode) || (key_to_practices_val2.find(mode) == key_to_practices_val2.end())) {
|
||||
dbgError(D_LOCAL_POLICY) << "Couldn't find a value for key: " << mode << ". Returning " << default_mode;
|
||||
return default_mode;
|
||||
if(key_to_practices_val2.find(default_mode) == key_to_practices_val2.end()) {
|
||||
return default_mode;
|
||||
}
|
||||
return key_to_practices_val2.at(default_mode);
|
||||
}
|
||||
return key_to_practices_val2.at(mode);
|
||||
}
|
||||
@@ -428,7 +434,6 @@ WebAppSection::WebAppSection(
|
||||
practice_id(_practice_id),
|
||||
practice_name(_practice_name),
|
||||
context(_context),
|
||||
web_attack_mitigation_severity(parsed_appsec_spec.getWebAttacks().getMinimumConfidence()),
|
||||
web_attack_mitigation_mode(parsed_appsec_spec.getWebAttacks().getMode(default_mode)),
|
||||
csrf_protection_mode("Disabled"),
|
||||
open_redirect_mode("Disabled"),
|
||||
@@ -438,6 +443,9 @@ WebAppSection::WebAppSection(
|
||||
trusted_sources({ parsed_trusted_sources })
|
||||
{
|
||||
web_attack_mitigation = web_attack_mitigation_mode != "Disabled";
|
||||
web_attack_mitigation_severity =
|
||||
web_attack_mitigation_mode != "Prevent" ? "Transparent" :
|
||||
parsed_appsec_spec.getWebAttacks().getMinimumConfidence();
|
||||
web_attack_mitigation_action =
|
||||
web_attack_mitigation_mode != "Prevent" ? "Transparent" :
|
||||
web_attack_mitigation_severity == "critical" ? "low" :
|
||||
@@ -470,6 +478,7 @@ WebAppSection::WebAppSection(
|
||||
const string &_context,
|
||||
const string &_web_attack_mitigation_severity,
|
||||
const string &_web_attack_mitigation_mode,
|
||||
const string &_bot_protection,
|
||||
const PracticeAdvancedConfig &_practice_advanced_config,
|
||||
const AppsecPracticeAntiBotSection &_anti_bots,
|
||||
const LogTriggerSection &parsed_log_trigger,
|
||||
@@ -486,6 +495,7 @@ WebAppSection::WebAppSection(
|
||||
context(_context),
|
||||
web_attack_mitigation_severity(_web_attack_mitigation_severity),
|
||||
web_attack_mitigation_mode(_web_attack_mitigation_mode),
|
||||
bot_protection(_bot_protection),
|
||||
practice_advanced_config(_practice_advanced_config),
|
||||
anti_bots(_anti_bots),
|
||||
trusted_sources({ parsed_trusted_sources })
|
||||
@@ -514,7 +524,6 @@ void
|
||||
WebAppSection::save(cereal::JSONOutputArchive &out_ar) const
|
||||
{
|
||||
string disabled_str = "Disabled";
|
||||
string detect_str = "Detect";
|
||||
vector<string> empty_list;
|
||||
out_ar(
|
||||
cereal::make_nvp("context", context),
|
||||
@@ -542,7 +551,7 @@ WebAppSection::save(cereal::JSONOutputArchive &out_ar) const
|
||||
cereal::make_nvp("waapParameters", empty_list),
|
||||
cereal::make_nvp("botProtection", false),
|
||||
cereal::make_nvp("antiBot", anti_bots),
|
||||
cereal::make_nvp("botProtection_v2", detect_str)
|
||||
cereal::make_nvp("botProtection_v2", bot_protection != "" ? bot_protection : string("Detect"))
|
||||
);
|
||||
}
|
||||
|
||||
|
||||
@@ -290,6 +290,7 @@ public:
|
||||
const std::string &_context,
|
||||
const std::string &_web_attack_mitigation_severity,
|
||||
const std::string &_web_attack_mitigation_mode,
|
||||
const std::string &_bot_protection,
|
||||
const PracticeAdvancedConfig &_practice_advanced_config,
|
||||
const AppsecPracticeAntiBotSection &_anti_bots,
|
||||
const LogTriggerSection &parsed_log_trigger,
|
||||
@@ -315,6 +316,7 @@ private:
|
||||
std::string csrf_protection_mode;
|
||||
std::string open_redirect_mode;
|
||||
std::string error_disclosure_mode;
|
||||
std::string bot_protection;
|
||||
bool web_attack_mitigation;
|
||||
std::vector<TriggersInWaapSection> triggers;
|
||||
PracticeAdvancedConfig practice_advanced_config;
|
||||
|
||||
@@ -508,30 +508,20 @@ private:
|
||||
bool is_temporary;
|
||||
};
|
||||
|
||||
class NewAppSecWebBotsURI
|
||||
{
|
||||
public:
|
||||
void load(cereal::JSONInputArchive &archive_in);
|
||||
|
||||
const std::string & getURI() const;
|
||||
|
||||
private:
|
||||
std::string uri;
|
||||
};
|
||||
|
||||
class NewAppSecPracticeAntiBot
|
||||
{
|
||||
public:
|
||||
std::vector<std::string> getIjectedUris() const;
|
||||
std::vector<std::string> getValidatedUris() const;
|
||||
const std::vector<std::string> & getIjectedUris() const;
|
||||
const std::vector<std::string> & getValidatedUris() const;
|
||||
const std::string & getMode() const;
|
||||
|
||||
void load(cereal::JSONInputArchive &archive_in);
|
||||
void save(cereal::JSONOutputArchive &out_ar) const;
|
||||
|
||||
private:
|
||||
std::string override_mode;
|
||||
std::vector<NewAppSecWebBotsURI> injected_uris;
|
||||
std::vector<NewAppSecWebBotsURI> validated_uris;
|
||||
std::vector<std::string> injected_uris;
|
||||
std::vector<std::string> validated_uris;
|
||||
};
|
||||
|
||||
class NewAppSecWebAttackProtections
|
||||
|
||||
@@ -39,7 +39,7 @@ public:
|
||||
bool _logToAgent,
|
||||
bool _logToCef,
|
||||
bool _logToCloud,
|
||||
bool _logToContainerService,
|
||||
bool _logTolocalTuning,
|
||||
bool _logToSyslog,
|
||||
bool _responseBody,
|
||||
bool _tpDetect,
|
||||
@@ -73,7 +73,7 @@ private:
|
||||
bool logToAgent;
|
||||
bool logToCef;
|
||||
bool logToCloud;
|
||||
bool logToContainerService;
|
||||
bool logTolocalTuning;
|
||||
bool logToSyslog;
|
||||
bool responseBody;
|
||||
bool tpDetect;
|
||||
|
||||
@@ -180,12 +180,16 @@ NewAppsecTriggerLogDestination::load(cereal::JSONInputArchive &archive_in)
|
||||
} else {
|
||||
cloud = false;
|
||||
}
|
||||
auto mode = Singleton::Consume<I_AgentDetails>::by<NewAppsecTriggerLogDestination>()->getOrchestrationMode();
|
||||
auto env_type = Singleton::Consume<I_EnvDetails>::by<NewAppsecTriggerLogDestination>()->getEnvType();
|
||||
bool k8s_service_default = (mode == OrchestrationMode::HYBRID && env_type == EnvType::K8S);
|
||||
// BC try load previous name. TODO: update CRD
|
||||
parseAppsecJSONKey<bool>("k8s-service", container_service, archive_in, k8s_service_default);
|
||||
parseAppsecJSONKey<bool>("container-service", container_service, archive_in, container_service);
|
||||
bool local_tuning_default = false;
|
||||
// check ENV VAR LOCAL_TUNING_ENABLED
|
||||
char * tuning_enabled = getenv("LOCAL_TUNING_ENABLED");
|
||||
if (tuning_enabled != NULL) {
|
||||
for (unsigned int i = 0; i < strlen(tuning_enabled); i++) {
|
||||
tuning_enabled[i] = tolower(tuning_enabled[i]);
|
||||
}
|
||||
local_tuning_default = string(tuning_enabled) == "true";
|
||||
}
|
||||
parseAppsecJSONKey<bool>("local-tuning", container_service, archive_in, local_tuning_default);
|
||||
|
||||
NewStdoutLogging stdout_log;
|
||||
parseAppsecJSONKey<NewStdoutLogging>("stdout", stdout_log, archive_in);
|
||||
|
||||
@@ -50,6 +50,13 @@ static const std::unordered_map<std::string, std::string> key_to_mode_val = {
|
||||
{ "detect", "Detect"},
|
||||
{ "inactive", "Inactive"}
|
||||
};
|
||||
static const std::unordered_map<std::string, std::string> anti_bot_key_to_mode_val = {
|
||||
{ "prevent-learn", "Prevent"},
|
||||
{ "detect-learn", "Detect"},
|
||||
{ "prevent", "Prevent"},
|
||||
{ "detect", "Detect"},
|
||||
{ "inactive", "Disabled"}
|
||||
};
|
||||
static const std::unordered_map<std::string, uint64_t> unit_to_int = {
|
||||
{ "bytes", 1},
|
||||
{ "KB", 1024},
|
||||
@@ -81,57 +88,44 @@ getModeWithDefault(
|
||||
return key_to_val.at(mode);
|
||||
}
|
||||
|
||||
void
|
||||
NewAppSecWebBotsURI::load(cereal::JSONInputArchive &archive_in)
|
||||
{
|
||||
dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Web Bots URI";
|
||||
parseAppsecJSONKey<string>("uri", uri, archive_in);
|
||||
}
|
||||
|
||||
const string &
|
||||
NewAppSecWebBotsURI::getURI() const
|
||||
{
|
||||
return uri;
|
||||
}
|
||||
|
||||
std::vector<std::string>
|
||||
const std::vector<std::string> &
|
||||
NewAppSecPracticeAntiBot::getIjectedUris() const
|
||||
{
|
||||
vector<string> injected;
|
||||
for (const NewAppSecWebBotsURI &uri : injected_uris) injected.push_back(uri.getURI());
|
||||
return injected;
|
||||
return injected_uris;
|
||||
}
|
||||
|
||||
std::vector<std::string>
|
||||
const std::vector<std::string> &
|
||||
NewAppSecPracticeAntiBot::getValidatedUris() const
|
||||
{
|
||||
vector<string> validated;
|
||||
for (const NewAppSecWebBotsURI &uri : validated_uris) validated.push_back(uri.getURI());
|
||||
return validated;
|
||||
return validated_uris;
|
||||
}
|
||||
|
||||
const std::string &
|
||||
NewAppSecPracticeAntiBot::getMode() const
|
||||
{
|
||||
return override_mode;
|
||||
}
|
||||
|
||||
void
|
||||
NewAppSecPracticeAntiBot::load(cereal::JSONInputArchive &archive_in)
|
||||
{
|
||||
dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Web Bots";
|
||||
parseAppsecJSONKey<vector<NewAppSecWebBotsURI>>("injectedUris", injected_uris, archive_in);
|
||||
parseAppsecJSONKey<vector<NewAppSecWebBotsURI>>("validatedUris", validated_uris, archive_in);
|
||||
parseMandatoryAppsecJSONKey<string>("overrideMode", override_mode, archive_in, "inactive");
|
||||
if (valid_modes.count(override_mode) == 0) {
|
||||
dbgWarning(D_LOCAL_POLICY) << "AppSec Web Bots override mode invalid: " << override_mode;
|
||||
string mode;
|
||||
parseAppsecJSONKey<vector<string>>("injectedUris", injected_uris, archive_in);
|
||||
parseAppsecJSONKey<vector<string>>("validatedUris", validated_uris, archive_in);
|
||||
parseMandatoryAppsecJSONKey<string>("overrideMode", mode, archive_in, "inactive");
|
||||
if (valid_modes.count(mode) == 0) {
|
||||
dbgWarning(D_LOCAL_POLICY) << "AppSec Web Bots override mode invalid: " << mode;
|
||||
}
|
||||
override_mode = anti_bot_key_to_mode_val.at(mode);
|
||||
}
|
||||
|
||||
void
|
||||
NewAppSecPracticeAntiBot::save(cereal::JSONOutputArchive &out_ar) const
|
||||
{
|
||||
vector<string> injected;
|
||||
vector<string> validated;
|
||||
for (const NewAppSecWebBotsURI &uri : injected_uris) injected.push_back(uri.getURI());
|
||||
for (const NewAppSecWebBotsURI &uri : validated_uris) validated.push_back(uri.getURI());
|
||||
out_ar(
|
||||
cereal::make_nvp("injected", injected),
|
||||
cereal::make_nvp("validated", validated)
|
||||
cereal::make_nvp("injected", injected_uris),
|
||||
cereal::make_nvp("validated", validated_uris)
|
||||
);
|
||||
}
|
||||
|
||||
|
||||
@@ -555,7 +555,7 @@ extractLogTriggerData(const string &trigger_annotation_name, const T &trigger_sp
|
||||
bool webHeaders = trigger_spec.getAppsecTriggerExtendedLogging().isHttpHeaders();
|
||||
bool webBody = trigger_spec.getAppsecTriggerExtendedLogging().isRequestBody();
|
||||
bool logToCloud = trigger_spec.getAppsecTriggerLogDestination().getCloud();
|
||||
bool logToContainerService = trigger_spec.getAppsecTriggerLogDestination().isContainerNeeded();
|
||||
bool logTolocalTuning = trigger_spec.getAppsecTriggerLogDestination().isContainerNeeded();
|
||||
bool logToAgent = trigger_spec.getAppsecTriggerLogDestination().isAgentLocal();
|
||||
bool beautify_logs = trigger_spec.getAppsecTriggerLogDestination().shouldBeautifyLogs();
|
||||
bool logToCef = trigger_spec.getAppsecTriggerLogDestination().isCefNeeded();
|
||||
@@ -582,7 +582,7 @@ extractLogTriggerData(const string &trigger_annotation_name, const T &trigger_sp
|
||||
logToAgent,
|
||||
logToCef,
|
||||
logToCloud,
|
||||
logToContainerService,
|
||||
logTolocalTuning,
|
||||
logToSyslog,
|
||||
responseBody,
|
||||
tpDetect,
|
||||
@@ -1236,6 +1236,7 @@ PolicyMakerUtils::createWebAppSection(
|
||||
rule_config.getContext(),
|
||||
apssec_practice.getWebAttacks().getMinimumConfidence(practice_mode),
|
||||
apssec_practice.getWebAttacks().getMode(practice_mode),
|
||||
apssec_practice.getAntiBot().getMode(),
|
||||
practice_advance_config,
|
||||
apssec_practice.getAntiBot(),
|
||||
log_triggers[rule_annotations[AnnotationTypes::TRIGGER]],
|
||||
|
||||
@@ -30,7 +30,7 @@ LogTriggerSection::LogTriggerSection(
|
||||
bool _logToAgent,
|
||||
bool _logToCef,
|
||||
bool _logToCloud,
|
||||
bool _logToContainerService,
|
||||
bool _logTolocalTuning,
|
||||
bool _logToSyslog,
|
||||
bool _responseBody,
|
||||
bool _tpDetect,
|
||||
@@ -55,7 +55,7 @@ LogTriggerSection::LogTriggerSection(
|
||||
logToAgent(_logToAgent),
|
||||
logToCef(_logToCef),
|
||||
logToCloud(_logToCloud),
|
||||
logToContainerService(_logToContainerService),
|
||||
logTolocalTuning(_logTolocalTuning),
|
||||
logToSyslog(_logToSyslog),
|
||||
responseBody(_responseBody),
|
||||
tpDetect(_tpDetect),
|
||||
@@ -101,7 +101,7 @@ LogTriggerSection::save(cereal::JSONOutputArchive &out_ar) const
|
||||
cereal::make_nvp("logToAgent", logToAgent),
|
||||
cereal::make_nvp("logToCef", logToCef),
|
||||
cereal::make_nvp("logToCloud", logToCloud),
|
||||
cereal::make_nvp("logToContainerService", logToContainerService),
|
||||
cereal::make_nvp("logTolocalTuning", logTolocalTuning),
|
||||
cereal::make_nvp("logToSyslog", logToSyslog),
|
||||
cereal::make_nvp("responseBody", responseBody),
|
||||
cereal::make_nvp("responseCode", false),
|
||||
@@ -393,12 +393,16 @@ AppsecTriggerLogDestination::load(cereal::JSONInputArchive &archive_in)
|
||||
} else {
|
||||
cloud = false;
|
||||
}
|
||||
auto mode = Singleton::Consume<I_AgentDetails>::by<AppsecTriggerLogDestination>()->getOrchestrationMode();
|
||||
auto env_type = Singleton::Consume<I_EnvDetails>::by<AppsecTriggerLogDestination>()->getEnvType();
|
||||
bool k8s_service_default = (mode == OrchestrationMode::HYBRID && env_type == EnvType::K8S);
|
||||
// BC try load previous name. TODO: update CRD
|
||||
parseAppsecJSONKey<bool>("k8s-service", container_service, archive_in, k8s_service_default);
|
||||
parseAppsecJSONKey<bool>("container-service", container_service, archive_in, container_service);
|
||||
// check ENV VAR LOCAL_TUNING_ENABLED
|
||||
char * tuning_enabled = getenv("LOCAL_TUNING_ENABLED");
|
||||
if (tuning_enabled != NULL) {
|
||||
for (unsigned int i = 0; i < strlen(tuning_enabled); i++) {
|
||||
tuning_enabled[i] = tolower(tuning_enabled[i]);
|
||||
}
|
||||
container_service = string(tuning_enabled) == "true";
|
||||
} else {
|
||||
container_service = false;
|
||||
}
|
||||
|
||||
StdoutLogging stdout_log;
|
||||
parseAppsecJSONKey<StdoutLogging>("stdout", stdout_log, archive_in);
|
||||
|
||||
@@ -60,20 +60,16 @@ checkSAMLPortal(const string &command_output)
|
||||
Maybe<string>
|
||||
checkPepIdaIdnStatus(const string &command_output)
|
||||
{
|
||||
if (command_output.find("nac_pep_scaled_sharing_enabled = 1") != string::npos) {
|
||||
if (command_output.find("nac_pep_identity_next_enabled = 1") != string::npos) {
|
||||
return string("true");
|
||||
}
|
||||
return string("false");
|
||||
}
|
||||
|
||||
Maybe<string>
|
||||
getIDAGaiaPackages(const string &command_output)
|
||||
getRequiredNanoServices(const string &command_output)
|
||||
{
|
||||
string result = "idaSaml_gaia;idaIdn_gaia;idaIdnBg_gaia;";
|
||||
if (command_output.find("nac_pep_scaled_sharing_enabled = 1") != string::npos) {
|
||||
result += "agentIntelligenceService_gaia;";
|
||||
}
|
||||
return result;
|
||||
return command_output;
|
||||
}
|
||||
|
||||
Maybe<string>
|
||||
@@ -191,26 +187,44 @@ getMgmtObjAttr(shared_ptr<istream> file_stream, const string &attr)
|
||||
}
|
||||
|
||||
Maybe<string>
|
||||
getMgmtObjUid(shared_ptr<istream> file_stream)
|
||||
getMgmtObjUid(const string &command_output)
|
||||
{
|
||||
if (!command_output.empty()) {
|
||||
return command_output;
|
||||
}
|
||||
|
||||
static const string obj_path = (getenv("FWDIR") ? string(getenv("FWDIR")) : "") + "/database/myown.C";
|
||||
auto file_stream = std::make_shared<std::ifstream>(obj_path);
|
||||
if (!file_stream->is_open()) {
|
||||
return genError("Failed to open the object file");
|
||||
}
|
||||
return getMgmtObjAttr(file_stream, "uuid ");
|
||||
}
|
||||
|
||||
Maybe<string>
|
||||
getMgmtObjName(shared_ptr<istream> file_stream)
|
||||
getMgmtObjName(const string &command_output)
|
||||
{
|
||||
if (!command_output.empty()) {
|
||||
return command_output;
|
||||
}
|
||||
|
||||
static const string obj_path = (getenv("FWDIR") ? string(getenv("FWDIR")) : "") + "/database/myown.C";
|
||||
auto file_stream = std::make_shared<std::ifstream>(obj_path);
|
||||
if (!file_stream->is_open()) {
|
||||
return genError("Failed to open the object file");
|
||||
}
|
||||
return getMgmtObjAttr(file_stream, "name ");
|
||||
}
|
||||
|
||||
Maybe<string>
|
||||
getGWHardware(const string &command_output)
|
||||
getHardware(const string &command_output)
|
||||
{
|
||||
if (!command_output.empty()) {
|
||||
if (command_output == "software") return string("Open server");
|
||||
if (command_output == "Maestro Gateway") return string("Maestro");
|
||||
return string(command_output);
|
||||
}
|
||||
return genError("GW Hardware was not found");
|
||||
return genError("Hardware was not found");
|
||||
}
|
||||
|
||||
Maybe<string>
|
||||
|
||||
@@ -42,13 +42,29 @@ SHELL_PRE_CMD("gunzip local.cfg", "gunzip -c $FWDIR/state/local/FW1/local.cfg.gz
|
||||
#ifdef SHELL_CMD_HANDLER
|
||||
#if defined(gaia) || defined(smb)
|
||||
SHELL_CMD_HANDLER("cpProductIntegrationMgmtObjectType", "cpprod_util CPPROD_IsMgmtMachine", getMgmtObjType)
|
||||
SHELL_CMD_HANDLER(
|
||||
"cpProductIntegrationMgmtObjectUid",
|
||||
"mgmt_cli --format json -r true show-session | jq -r '.[\"connected-server\"].uid'",
|
||||
getMgmtObjUid
|
||||
)
|
||||
SHELL_CMD_HANDLER("prerequisitesForHorizonTelemetry",
|
||||
"FS_PATH=<FILESYSTEM-PREFIX>; [ -f ${FS_PATH}/cp-nano-horizon-telemetry-prerequisites.log ] "
|
||||
"&& head -1 ${FS_PATH}/cp-nano-horizon-telemetry-prerequisites.log || echo ''",
|
||||
checkIsInstallHorizonTelemetrySucceeded)
|
||||
SHELL_CMD_HANDLER("QUID", "[ -d /opt/CPquid ] "
|
||||
SHELL_CMD_HANDLER("GLOBAL_QUID", "[ -d /opt/CPquid ] "
|
||||
"&& python3 /opt/CPquid/Quid_Api.py -i /opt/CPotelcol/quid_api/get_global_id.json | jq -r .message || echo ''",
|
||||
getQUID)
|
||||
SHELL_CMD_HANDLER("QUID", "FS_PATH=<FILESYSTEM-PREFIX>;"
|
||||
"VS_ID=$(echo \"${FS_PATH}\" | grep -o -E \"vs[0-9]+\" | grep -o -E \"[0-9]+\");"
|
||||
"[ -z \"${VS_ID}\" ] && "
|
||||
"(python3 /opt/CPquid/Quid_Api.py -i /opt/CPotelcol/quid_api/get_global_id.json | jq -r .message || echo '');"
|
||||
"[ -n \"${VS_ID}\" ] && "
|
||||
"(sed \"s|###VS_ID###|${VS_ID}|g\" /opt/CPotelcol/quid_api/get_vs_quid.json"
|
||||
" > /opt/CPotelcol/quid_api/get_vs_quid.json.${VS_ID}); "
|
||||
"[ -n \"${VS_ID}\" ] && [ -f /opt/CPotelcol/quid_api/get_vs_quid.json.${VS_ID} ] && "
|
||||
"(python3 /opt/CPquid/Quid_Api.py -i "
|
||||
"/opt/CPotelcol/quid_api/get_vs_quid.json.${VS_ID} | jq -r .message[0].QUID || echo '');",
|
||||
getQUID)
|
||||
SHELL_CMD_HANDLER("SMO_QUID", "[ -d /opt/CPquid ] "
|
||||
"&& python3 /opt/CPquid/Quid_Api.py -i /opt/CPotelcol/quid_api/get_smo_quid.json | jq -r .message || echo ''",
|
||||
getQUID)
|
||||
@@ -102,8 +118,13 @@ SHELL_CMD_HANDLER(
|
||||
SHELL_CMD_HANDLER("hasSAMLSupportedBlade", "enabled_blades", checkSAMLSupportedBlade)
|
||||
SHELL_CMD_HANDLER("hasIDABlade", "enabled_blades", checkIDABlade)
|
||||
SHELL_CMD_HANDLER("hasSAMLPortal", "mpclient status nac", checkSAMLPortal)
|
||||
SHELL_CMD_HANDLER("hasIdaIdnEnabled", "fw ctl get int nac_pep_scaled_sharing_enabled", checkPepIdaIdnStatus)
|
||||
SHELL_CMD_HANDLER("requiredNanoServices", "fw ctl get int nac_pep_scaled_sharing_enabled", getIDAGaiaPackages)
|
||||
SHELL_CMD_HANDLER("hasIdaIdnEnabled", "fw ctl get int nac_pep_identity_next_enabled", checkPepIdaIdnStatus)
|
||||
SHELL_CMD_HANDLER("requiredNanoServices", "echo 'idaSaml_gaia;idaIdn_gaia;'", getRequiredNanoServices)
|
||||
SHELL_CMD_HANDLER(
|
||||
"cpProductIntegrationMgmtObjectName",
|
||||
"mgmt_cli --format json -r true show-session | jq -r '.[\"connected-server\"].name'",
|
||||
getMgmtObjName
|
||||
)
|
||||
SHELL_CMD_HANDLER(
|
||||
"cpProductIntegrationMgmtParentObjectName",
|
||||
"cat $FWDIR/database/myself_objects.C "
|
||||
@@ -118,8 +139,8 @@ SHELL_CMD_HANDLER(
|
||||
)
|
||||
SHELL_CMD_HANDLER(
|
||||
"Hardware",
|
||||
"cat $FWDIR/database/myself_objects.C | awk -F '[:()]' '/:appliance_type/ {print $3}' | head -n 1",
|
||||
getGWHardware
|
||||
"cat $FWDIR/database/myself_objects.C | awk -F '[:()]' '/:appliance_type/ {print $3}' | head -n 1 | sed 's/\"//g'",
|
||||
getHardware
|
||||
)
|
||||
SHELL_CMD_HANDLER(
|
||||
"Application Control",
|
||||
@@ -219,6 +240,7 @@ SHELL_CMD_HANDLER(
|
||||
|
||||
SHELL_CMD_OUTPUT("kernel_version", "uname -r")
|
||||
SHELL_CMD_OUTPUT("helloWorld", "cat /tmp/agentHelloWorld 2>/dev/null")
|
||||
SHELL_CMD_OUTPUT("report_timestamp", "date -u +\%s")
|
||||
#endif // SHELL_CMD_OUTPUT
|
||||
|
||||
|
||||
@@ -227,17 +249,11 @@ SHELL_CMD_OUTPUT("helloWorld", "cat /tmp/agentHelloWorld 2>/dev/null")
|
||||
#ifdef FILE_CONTENT_HANDLER
|
||||
|
||||
#if defined(gaia)
|
||||
|
||||
FILE_CONTENT_HANDLER(
|
||||
"hasIdpConfigured",
|
||||
(getenv("SAMLPORTAL_HOME") ? string(getenv("SAMLPORTAL_HOME")) : "") + "/phpincs/spPortal/idpPolicy.xml",
|
||||
checkIDP
|
||||
)
|
||||
FILE_CONTENT_HANDLER(
|
||||
"cpProductIntegrationMgmtObjectName",
|
||||
(getenv("FWDIR") ? string(getenv("FWDIR")) : "") + "/database/myown.C",
|
||||
getMgmtObjName
|
||||
)
|
||||
#endif //gaia
|
||||
|
||||
#if defined(alpine)
|
||||
@@ -245,11 +261,6 @@ FILE_CONTENT_HANDLER("alpine_tag", "/usr/share/build/cp-alpine-tag", getCPAlpine
|
||||
#endif // alpine
|
||||
#if defined(gaia) || defined(smb)
|
||||
FILE_CONTENT_HANDLER("os_release", "/etc/cp-release", getOsRelease)
|
||||
FILE_CONTENT_HANDLER(
|
||||
"cpProductIntegrationMgmtObjectUid",
|
||||
(getenv("FWDIR") ? string(getenv("FWDIR")) : "") + "/database/myown.C",
|
||||
getMgmtObjUid
|
||||
)
|
||||
#else // !(gaia || smb)
|
||||
FILE_CONTENT_HANDLER("os_release", "/etc/os-release", getOsRelease)
|
||||
#endif // gaia || smb
|
||||
|
||||
@@ -40,6 +40,8 @@ public:
|
||||
i_mainloop = Singleton::Consume<I_MainLoop>::by<HealthChecker>();
|
||||
i_socket = Singleton::Consume<I_Socket>::by<HealthChecker>();
|
||||
i_orchestration_status = Singleton::Consume<I_OrchestrationStatus>::by<HealthChecker>();
|
||||
i_service_controller = Singleton::Consume<I_ServiceController>::by<HealthChecker>();
|
||||
|
||||
initConfig();
|
||||
initServerSocket();
|
||||
|
||||
@@ -270,18 +272,17 @@ private:
|
||||
}
|
||||
|
||||
if (NGEN::Filesystem::exists(rpm_full_load_path)) {
|
||||
dbgTrace(D_HEALTH_CHECK) << rpm_full_load_path << " exists, returning healthy status";
|
||||
return HealthCheckStatus::HEALTHY;
|
||||
dbgTrace(D_HEALTH_CHECK) << "RPM is fully loaded";
|
||||
return i_service_controller->getServicesPolicyStatus()
|
||||
? HealthCheckStatus::HEALTHY
|
||||
: HealthCheckStatus::UNHEALTHY;
|
||||
}
|
||||
|
||||
if (NGEN::Filesystem::exists(rpm_partial_load_path)) {
|
||||
dbgTrace(D_HEALTH_CHECK) << rpm_partial_load_path << " exists, returning degraded status";
|
||||
return HealthCheckStatus::DEGRADED;
|
||||
}
|
||||
|
||||
if (!NGEN::Filesystem::exists(first_rpm_policy_load_path)) {
|
||||
dbgTrace(D_HEALTH_CHECK) << "Could not load latest RPM policy, returning degraded status";
|
||||
return HealthCheckStatus::DEGRADED;
|
||||
if (NGEN::Filesystem::exists(rpm_partial_load_path) || !NGEN::Filesystem::exists(first_rpm_policy_load_path)) {
|
||||
dbgTrace(D_HEALTH_CHECK) << "RPM is partially loaded";
|
||||
return i_service_controller->getServicesPolicyStatus()
|
||||
? HealthCheckStatus::DEGRADED
|
||||
: HealthCheckStatus::UNHEALTHY;
|
||||
}
|
||||
|
||||
dbgTrace(D_HEALTH_CHECK) << "RPM is not loaded, returning unhealthy status";
|
||||
@@ -442,6 +443,7 @@ private:
|
||||
I_Socket *i_socket = nullptr;
|
||||
I_Health_Check_Manager *i_health_check_manager = nullptr;
|
||||
I_OrchestrationStatus *i_orchestration_status = nullptr;
|
||||
I_ServiceController *i_service_controller = nullptr;
|
||||
};
|
||||
|
||||
HealthChecker::HealthChecker() : Component("HealthChecker"), pimpl(make_unique<Impl>()) {}
|
||||
|
||||
@@ -9,6 +9,7 @@
|
||||
#include "mock/mock_shell_cmd.h"
|
||||
#include "mock/mock_orchestration_status.h"
|
||||
#include "health_check_manager.h"
|
||||
#include "mock/mock_service_controller.h"
|
||||
|
||||
#include "config.h"
|
||||
#include "config_component.h"
|
||||
@@ -76,6 +77,7 @@ public:
|
||||
I_MainLoop::Routine handle_probe_routine;
|
||||
HealthCheckManager health_check_manager;
|
||||
I_Health_Check_Manager *i_health_check_manager;
|
||||
StrictMock<MockServiceController> mock_service_controller;
|
||||
};
|
||||
|
||||
TEST_F(HealthCheckerTest, empty)
|
||||
@@ -342,3 +344,58 @@ TEST_F(HealthCheckerTest, FailedHealthCheck)
|
||||
connection_handler_routine();
|
||||
setConfiguration(false, "Health Check", "Probe enabled");
|
||||
}
|
||||
|
||||
TEST_F(HealthCheckerTest, StandaloneHealthCheck)
|
||||
{
|
||||
setenv("DOCKER_RPM_ENABLED", "true", 1);
|
||||
|
||||
string ip = "1.2.3.4";
|
||||
setConfiguration(ip, "Health Check", "Probe IP");
|
||||
uint port = 11600;
|
||||
setConfiguration(port, "Health Check", "Probe port");
|
||||
|
||||
NGEN::Filesystem::touchFile("/tmp/wd.all_running");
|
||||
NGEN::Filesystem::touchFile("/tmp/rpm_full_load");
|
||||
|
||||
auto on_exit = make_scope_exit(
|
||||
[]() {
|
||||
NGEN::Filesystem::deleteFile("/tmp/wd.all_running");
|
||||
NGEN::Filesystem::deleteFile("/tmp/rpm_full_load");
|
||||
}
|
||||
);
|
||||
|
||||
const string policy_version = "1";
|
||||
EXPECT_CALL(mock_orchestration_status, getPolicyVersion()).WillRepeatedly(ReturnRef(policy_version));
|
||||
EXPECT_CALL(mock_service_controller, getServicesPolicyStatus()).WillRepeatedly(Return(true));
|
||||
|
||||
EXPECT_CALL(
|
||||
mock_mainloop,
|
||||
addOneTimeRoutine(I_MainLoop::RoutineType::System, _, _, false)
|
||||
).WillOnce(DoAll(SaveArg<1>(&handle_probe_routine), Return(0)));
|
||||
|
||||
EXPECT_CALL(
|
||||
mock_socket,
|
||||
genSocket(I_Socket::SocketType::TCP, false, true, _)
|
||||
).WillRepeatedly(Return(1));
|
||||
|
||||
EXPECT_CALL(
|
||||
mock_mainloop,
|
||||
addFileRoutine(I_MainLoop::RoutineType::System, _, _, _, true)
|
||||
).WillRepeatedly(DoAll(SaveArg<2>(&connection_handler_routine), Return(0)));
|
||||
|
||||
EXPECT_CALL(
|
||||
mock_mainloop,
|
||||
addOneTimeRoutine(I_MainLoop::RoutineType::System, _, "Health check probe connection handler", true)
|
||||
).WillOnce(DoAll(SaveArg<1>(&connection_handler_routine), Return(0)));
|
||||
|
||||
int socket = 1;
|
||||
EXPECT_CALL(mock_socket, acceptSocket(1, false, ip)).WillOnce(Return(socket));
|
||||
EXPECT_CALL(mock_mainloop, getCurrentRoutineId()).WillRepeatedly(Return(0));
|
||||
EXPECT_CALL(mock_socket, receiveData(_, 1, false)).WillOnce(Return(vector<char>()));
|
||||
EXPECT_CALL(mock_socket, writeData(_, response_buffer)).WillOnce(Return(true));
|
||||
EXPECT_CALL(mock_socket, closeSocket(socket)).Times(2);
|
||||
health_checker.init();
|
||||
handle_probe_routine();
|
||||
connection_handler_routine();
|
||||
connection_handler_routine();
|
||||
}
|
||||
|
||||
@@ -266,7 +266,9 @@ private:
|
||||
case OrchestrationStatusFieldType::COUNT : return "Count";
|
||||
}
|
||||
|
||||
dbgAssert(false) << "Trying to convert unknown orchestration status field to string.";
|
||||
dbgAssert(false)
|
||||
<< AlertInfo(AlertTeam::CORE, "orchestration health")
|
||||
<< "Trying to convert unknown orchestration status field to string.";
|
||||
return "";
|
||||
}
|
||||
|
||||
@@ -280,7 +282,9 @@ private:
|
||||
case UpdatesProcessResult::DEGRADED : return HealthCheckStatus::DEGRADED;
|
||||
}
|
||||
|
||||
dbgAssert(false) << "Trying to convert unknown update process result field to health check status.";
|
||||
dbgAssert(false)
|
||||
<< AlertInfo(AlertTeam::CORE, "orchestration health")
|
||||
<< "Trying to convert unknown update process result field to health check status.";
|
||||
return HealthCheckStatus::IGNORED;
|
||||
}
|
||||
|
||||
|
||||
@@ -40,6 +40,8 @@ public:
|
||||
|
||||
MOCK_CONST_METHOD0(getPolicyVersions, const std::string &());
|
||||
|
||||
MOCK_CONST_METHOD0(getServicesPolicyStatus, bool());
|
||||
|
||||
MOCK_METHOD6(
|
||||
updateServiceConfiguration,
|
||||
Maybe<void>(
|
||||
|
||||
@@ -429,14 +429,16 @@ public:
|
||||
status.insertServiceSetting(service_name, path);
|
||||
return;
|
||||
case OrchestrationStatusConfigType::MANIFEST:
|
||||
dbgAssert(false) << "Manifest is not a service configuration file type";
|
||||
dbgAssert(false)
|
||||
<< AlertInfo(AlertTeam::CORE, "sesrvice configuration")
|
||||
<< "Manifest is not a service configuration file type";
|
||||
break;
|
||||
case OrchestrationStatusConfigType::DATA:
|
||||
return;
|
||||
case OrchestrationStatusConfigType::COUNT:
|
||||
break;
|
||||
}
|
||||
dbgAssert(false) << "Unknown configuration file type";
|
||||
dbgAssert(false) << AlertInfo(AlertTeam::CORE, "sesrvice configuration") << "Unknown configuration file type";
|
||||
}
|
||||
|
||||
void
|
||||
|
||||
@@ -43,7 +43,10 @@ operator<<(ostream &os, const URLProtocol &protocol)
|
||||
return os << "file://";
|
||||
}
|
||||
default: {
|
||||
dbgAssert(false) << "Unsupported protocol " << static_cast<unsigned int>(protocol);
|
||||
dbgAssert(false)
|
||||
<< AlertInfo(AlertTeam::CORE, "fog communication")
|
||||
<< "Unsupported protocol "
|
||||
<< static_cast<unsigned int>(protocol);
|
||||
return os;
|
||||
}
|
||||
}
|
||||
@@ -91,7 +94,10 @@ URLParser::parseURL(const string &url)
|
||||
return;
|
||||
}
|
||||
default: {
|
||||
dbgAssert(false) << "URL protocol is not supported. Protocol: " << static_cast<unsigned int>(protocol);
|
||||
dbgAssert(false)
|
||||
<< AlertInfo(AlertTeam::CORE, "fog communication")
|
||||
<< "URL protocol is not supported. Protocol: "
|
||||
<< static_cast<unsigned int>(protocol);
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1631,6 +1631,7 @@ private:
|
||||
|
||||
string server_name = getAttribute("registered-server", "registered_server");
|
||||
auto server = TagAndEnumManagement::convertStringToTag(server_name);
|
||||
if (server_name == "'SWAG'") server = Tags::WEB_SERVER_SWAG;
|
||||
if (server.ok()) tags.insert(*server);
|
||||
|
||||
if (getAttribute("no-setting", "CROWDSEC_ENABLED") == "true") tags.insert(Tags::CROWDSEC);
|
||||
@@ -1652,6 +1653,8 @@ private:
|
||||
tags
|
||||
);
|
||||
|
||||
if (server_name != "") registration_report.addToOrigin(LogField("eventCategory", server_name));
|
||||
|
||||
auto email = getAttribute("email-address", "user_email");
|
||||
if (email != "") registration_report << LogField("userDefinedId", email);
|
||||
|
||||
@@ -1694,9 +1697,11 @@ private:
|
||||
auto temp_ext = getConfigurationWithDefault<string>("_temp", "orchestration", "Temp file extension");
|
||||
|
||||
dbgAssert(i_orchestration_tools->doesFileExist(backup_installation_file))
|
||||
<< AlertInfo(AlertTeam::CORE, "orchestration backup")
|
||||
<< "There is no backup installation package";
|
||||
|
||||
dbgAssert(i_orchestration_tools->copyFile(backup_installation_file, current_installation_file))
|
||||
<< AlertInfo(AlertTeam::CORE, "orchestration backup")
|
||||
<< "Failed to copy backup installation package";
|
||||
|
||||
// Copy the backup manifest file to the default manifest file path.
|
||||
@@ -1713,8 +1718,10 @@ private:
|
||||
auto package_handler = Singleton::Consume<I_PackageHandler>::by<OrchestrationComp>();
|
||||
// Install the backup orchestration service installation package.
|
||||
dbgAssert(package_handler->preInstallPackage(service_name, current_installation_file))
|
||||
<< AlertInfo(AlertTeam::CORE, "orchestration backup")
|
||||
<< "Failed to restore from backup, pre install test failed";
|
||||
dbgAssert(package_handler->installPackage(service_name, current_installation_file, true))
|
||||
<< AlertInfo(AlertTeam::CORE, "orchestration backup")
|
||||
<< "Failed to restore from backup, installation failed";
|
||||
}
|
||||
// LCOV_EXCL_STOP
|
||||
|
||||
@@ -386,7 +386,10 @@ OrchestrationTools::Impl::calculateChecksum(Package::ChecksumTypes checksum_type
|
||||
return genError("Error while reading file " + path + ", " + e.what());
|
||||
}
|
||||
|
||||
dbgAssert(false) << "Checksum type is not supported. Checksum type: " << static_cast<unsigned int>(checksum_type);
|
||||
dbgAssert(false)
|
||||
<< AlertInfo(AlertTeam::CORE, "service configuration")
|
||||
<< "Checksum type is not supported. Checksum type: "
|
||||
<< static_cast<unsigned int>(checksum_type);
|
||||
return genError("Unsupported checksum type");
|
||||
}
|
||||
|
||||
|
||||
@@ -141,7 +141,10 @@ packageHandlerActionsToString(PackageHandlerActions action)
|
||||
}
|
||||
}
|
||||
|
||||
dbgAssert(false) << "Package handler action is not supported. Action: " << static_cast<unsigned int>(action);
|
||||
dbgAssert(false)
|
||||
<< AlertInfo(AlertTeam::CORE, "service configuration")
|
||||
<< "Package handler action is not supported. Action: "
|
||||
<< static_cast<unsigned int>(action);
|
||||
return string();
|
||||
}
|
||||
|
||||
|
||||
@@ -71,7 +71,7 @@ public:
|
||||
UpdatesConfigType::GENERAL,
|
||||
UpdatesFailureReason::SERVISE_CONFIGURATION,
|
||||
string(service_name.get() + ", ID: " + to_string(id.get())),
|
||||
(error_message.isActive() ? " Error: " + error_message.get() : "")
|
||||
(error_message.isActive() ? " " + error_message.get() : "")
|
||||
).notify();
|
||||
dbgError(D_SERVICE_CONTROLLER)
|
||||
<< "Request for service reconfiguration failed to complete. ID: "
|
||||
@@ -327,6 +327,8 @@ public:
|
||||
|
||||
set<string> && moveChangedPolicies() override;
|
||||
|
||||
bool getServicesPolicyStatus() const override;
|
||||
|
||||
private:
|
||||
void cleanUpVirtualFiles();
|
||||
|
||||
@@ -365,6 +367,7 @@ private:
|
||||
map<int, string> services_reconf_ids;
|
||||
string filesystem_prefix;
|
||||
bool is_multi_tenant_env = false;
|
||||
bool total_services_status = false;
|
||||
set<string> changed_policy_files;
|
||||
ServiceDetails orchestration_service_details;
|
||||
|
||||
@@ -459,6 +462,12 @@ ServiceController::Impl::moveChangedPolicies()
|
||||
return move(changed_policy_files);
|
||||
}
|
||||
|
||||
bool
|
||||
ServiceController::Impl::getServicesPolicyStatus() const
|
||||
{
|
||||
return total_services_status;
|
||||
}
|
||||
|
||||
void
|
||||
ServiceController::Impl::init()
|
||||
{
|
||||
@@ -960,6 +969,8 @@ ServiceController::Impl::sendSignalForServices(
|
||||
const string &policy_version_to_update)
|
||||
{
|
||||
dbgFlow(D_SERVICE_CONTROLLER) << "Policy version to update: " << policy_version_to_update;
|
||||
|
||||
total_services_status = false;
|
||||
for (auto &service_id : nano_services_to_update) {
|
||||
auto nano_service = registered_services.find(service_id);
|
||||
if (nano_service == registered_services.end()) {
|
||||
@@ -1002,6 +1013,7 @@ ServiceController::Impl::sendSignalForServices(
|
||||
<< "The reconfiguration was successfully completed for all the services";
|
||||
services_reconf_status.clear();
|
||||
services_reconf_names.clear();
|
||||
total_services_status = true;
|
||||
return Maybe<void>();
|
||||
}
|
||||
case ReconfStatus::IN_PROGRESS: {
|
||||
|
||||
@@ -790,6 +790,7 @@ TEST_F(ServiceControllerTest, SettingsAndPolicyUpdateCombinations)
|
||||
|
||||
EXPECT_TRUE(i_service_controller->updateServiceConfiguration(file_name, general_settings_path).ok());
|
||||
EXPECT_EQ(i_service_controller->getPolicyVersion(), version_value);
|
||||
EXPECT_EQ(i_service_controller->getServicesPolicyStatus(), true);
|
||||
}
|
||||
|
||||
TEST_F(ServiceControllerTest, backup)
|
||||
|
||||
@@ -467,7 +467,10 @@ getDeplymentType()
|
||||
case EnvType::COUNT: break;
|
||||
}
|
||||
|
||||
dbgAssert(false) << "Failed to get a legitimate deplyment type: " << static_cast<uint>(deplyment_type);
|
||||
dbgAssert(false)
|
||||
<< AlertInfo(AlertTeam::CORE, "fog communication")
|
||||
<< "Failed to get a legitimate deplyment type: "
|
||||
<< static_cast<uint>(deplyment_type);
|
||||
return "Embedded";
|
||||
}
|
||||
|
||||
|
||||
@@ -18,6 +18,7 @@
|
||||
|
||||
#include "debug.h"
|
||||
#include "log_generator.h"
|
||||
#include "service_health_update_event.h"
|
||||
|
||||
using namespace std;
|
||||
|
||||
@@ -34,6 +35,7 @@ UpdatesProcessReporter::upon(const UpdatesProcessEvent &event)
|
||||
if (event.getResult() == UpdatesProcessResult::SUCCESS && reports.empty()) {
|
||||
dbgTrace(D_UPDATES_PROCESS_REPORTER) << "Update proccess finished successfully";
|
||||
report_failure_count_map.erase(version);
|
||||
ServiceHealthUpdateEvent().notify();
|
||||
return;
|
||||
}
|
||||
if (report_failure_count_map.find(version) == report_failure_count_map.end()) {
|
||||
@@ -62,6 +64,7 @@ UpdatesProcessReporter::upon(const UpdatesProcessEvent &event)
|
||||
reports.emplace_back(
|
||||
UpdatesProcessReport(event.getResult(), event.getType(), event.getReason(), event.parseDescription())
|
||||
);
|
||||
ServiceHealthUpdateEvent(convertUpdatesConfigTypeToStr(event.getType()), event.parseDescription()).notify();
|
||||
}
|
||||
|
||||
void
|
||||
|
||||
@@ -211,6 +211,8 @@ public:
|
||||
|
||||
for (const auto &rule : rate_limit_config.getRateLimitRules()) {
|
||||
string full_rule_uri = application_uri + rule.getRateLimitUri();
|
||||
transform(full_rule_uri.begin(), full_rule_uri.end(),
|
||||
full_rule_uri.begin(), [](unsigned char c) { return std::tolower(c); });
|
||||
int full_rule_uri_length = full_rule_uri.length();
|
||||
|
||||
dbgTrace(D_RATE_LIMIT)
|
||||
|
||||
@@ -390,6 +390,38 @@ DeepParser::onKv(const char *k, size_t k_len, const char *v, size_t v_len, int f
|
||||
}
|
||||
}
|
||||
|
||||
if (flags & BUFFERED_RECEIVER_F_FIRST && offset < 0 && valueStats.hasPercent &&
|
||||
m_key.first().size() == 6 && m_key.first() == "cookie") {
|
||||
dbgTrace(D_WAAP_DEEP_PARSER)
|
||||
<< "1st pass of createInternalParser() failed. "
|
||||
<< "Will try to decode percent-encoded data and repeate search for parser";
|
||||
orig_val.erase(unquote_plus(orig_val.begin(), orig_val.end()), orig_val.end());
|
||||
cur_val_html_escaped = orig_val;
|
||||
cur_val_html_escaped.erase(
|
||||
escape_html(cur_val_html_escaped.begin(), cur_val_html_escaped.end()), cur_val_html_escaped.end()
|
||||
);
|
||||
offset = createInternalParser(
|
||||
k,
|
||||
k_len,
|
||||
orig_val,
|
||||
valueStats,
|
||||
isBodyPayload,
|
||||
isRefererPayload,
|
||||
isRefererParamPayload,
|
||||
isUrlPayload,
|
||||
isUrlParamPayload,
|
||||
flags,
|
||||
parser_depth,
|
||||
base64BinaryFileType
|
||||
);
|
||||
if (offset >= 0) {
|
||||
dbgTrace(D_WAAP_DEEP_PARSER) << "2nd pass of createInternalParser succeeded. Update values and proceed";
|
||||
ValueStatsAnalyzer valueStatsUpdated(cur_val_html_escaped);
|
||||
cur_val.erase(unquote_plus(cur_val.begin(), cur_val.end()), cur_val.end());
|
||||
Waap::Util::decodeUtf16Value(valueStatsUpdated, cur_val);
|
||||
}
|
||||
}
|
||||
|
||||
// If there's a parser in parsers stack, push the value to the top parser
|
||||
if (!m_parsersDeque.empty()
|
||||
&& offset >= 0
|
||||
@@ -1183,6 +1215,7 @@ DeepParser::createInternalParser(
|
||||
offset = 0;
|
||||
}
|
||||
}
|
||||
bool isCockiePapameter = m_key.depth() == 2 && m_key.first().size() == 6 && m_key.first() == "cookie";
|
||||
if (offset < 0) {
|
||||
if (isPipesType) {
|
||||
dbgTrace(D_WAAP_DEEP_PARSER) << "Starting to parse pipes, positional: " << isKeyValDelimited;
|
||||
@@ -1279,7 +1312,7 @@ DeepParser::createInternalParser(
|
||||
);
|
||||
} else if (!Waap::Util::testUrlBareUtf8Evasion(cur_val)) {
|
||||
dbgTrace(D_WAAP_DEEP_PARSER) << "!Waap::Util::testUrlBareUtf8Evasion(cur_val)";
|
||||
if (!valueStats.hasSpace
|
||||
if ((!valueStats.hasSpace || (valueStats.hasSpace && isCockiePapameter))
|
||||
&& valueStats.hasCharAmpersand
|
||||
&& valueStats.hasTwoCharsEqual
|
||||
&& !isBinaryData()
|
||||
@@ -1305,7 +1338,7 @@ DeepParser::createInternalParser(
|
||||
}
|
||||
} else if (!Waap::Util::testUrlBareUtf8Evasion(cur_val)) {
|
||||
dbgTrace(D_WAAP_DEEP_PARSER) << "!Waap::Util::testUrlBareUtf8Evasion(cur_val)";
|
||||
if (!valueStats.hasSpace
|
||||
if ((!valueStats.hasSpace || (valueStats.hasSpace && isCockiePapameter))
|
||||
&& valueStats.hasCharAmpersand
|
||||
&& valueStats.hasTwoCharsEqual
|
||||
&& !isBinaryData()
|
||||
|
||||
@@ -103,6 +103,9 @@ ParserUrlEncode::push(const char *buf, size_t len)
|
||||
}
|
||||
case s_key_start: {
|
||||
dbgTrace(D_WAAP_PARSER_URLENCODE) << "ParserUrlEncode::push(): s_key_start";
|
||||
if (isspace(c)){
|
||||
break;
|
||||
}
|
||||
mark = i;
|
||||
m_state = s_key;
|
||||
|
||||
@@ -112,12 +115,6 @@ ParserUrlEncode::push(const char *buf, size_t len)
|
||||
case s_key: {
|
||||
dbgTrace(D_WAAP_PARSER_URLENCODE) << "ParserUrlEncode::push(): s_key";
|
||||
|
||||
// skip leading spaces in the key
|
||||
if (isspace(c)) {
|
||||
m_state = s_key_start; // skip the space character without including it in the output
|
||||
break;
|
||||
}
|
||||
|
||||
if (c == '%' && should_decode_percent) {
|
||||
if (i - mark > 0) {
|
||||
if (m_receiver.onKey(buf + mark, i - mark) != 0) {
|
||||
|
||||
@@ -48,7 +48,7 @@ public:
|
||||
|
||||
if (m_tag != "sourceip" && m_tag != "sourceidentifier" && m_tag != "url" && m_tag != "hostname" &&
|
||||
m_tag != "keyword" && m_tag != "paramname" && m_tag != "paramvalue" && m_tag != "paramlocation" &&
|
||||
m_tag != "responsebody" && m_tag != "headername" && m_tag != "headervalue" ) {
|
||||
m_tag != "responsebody" && m_tag != "headername" && m_tag != "headervalue" && m_tag != "method") {
|
||||
m_isValid = false;
|
||||
dbgDebug(D_WAAP_OVERRIDE) << "Invalid override tag: " << m_tag;
|
||||
}
|
||||
|
||||
@@ -51,7 +51,10 @@ bool WaapOverrideFunctor::operator()(const std::string& tag, const boost::regex&
|
||||
std::string tagLower = tag;
|
||||
std::transform(tagLower.begin(), tagLower.end(), tagLower.begin(), ::tolower);
|
||||
try {
|
||||
if (tagLower == "url") {
|
||||
if (tagLower == "method") {
|
||||
return NGEN::Regex::regexMatch(__FILE__, __LINE__, waf2Transaction.getMethod().c_str(), what, rx);
|
||||
}
|
||||
else if (tagLower == "url") {
|
||||
return NGEN::Regex::regexMatch(__FILE__, __LINE__, waf2Transaction.getUriStr().c_str(), what, rx);
|
||||
}
|
||||
else if (tagLower == "hostname") {
|
||||
|
||||
@@ -95,7 +95,9 @@ ValueStatsAnalyzer::ValueStatsAnalyzer(const std::string &cur_val)
|
||||
canSplitPipe(true),
|
||||
hasSpace(false),
|
||||
isUrlEncoded(false),
|
||||
hasCharLess(false)
|
||||
hasCharLess(false),
|
||||
hasDoubleQuote(false),
|
||||
hasPercent(false)
|
||||
{
|
||||
unsigned int zerosSeq[2] = {0};
|
||||
bool lastNul = false; // whether last processed character was ASCII NUL
|
||||
@@ -146,6 +148,9 @@ ValueStatsAnalyzer::ValueStatsAnalyzer(const std::string &cur_val)
|
||||
case '\"':
|
||||
hasDoubleQuote = true;
|
||||
break;
|
||||
case '%':
|
||||
hasPercent = true;
|
||||
break;
|
||||
}
|
||||
|
||||
if (isspace(ch)) {
|
||||
@@ -270,4 +275,6 @@ ValueStatsAnalyzer::ValueStatsAnalyzer(const std::string &cur_val)
|
||||
textual +=(hasCharLess ? "true" : "false");
|
||||
textual.append("\nhasDoubleQuote = ");
|
||||
textual +=(hasDoubleQuote ? "true" : "false");
|
||||
textual.append("\nhasPercent = ");
|
||||
textual +=(hasPercent ? "true" : "false");
|
||||
}
|
||||
|
||||
@@ -36,6 +36,7 @@ struct ValueStatsAnalyzer
|
||||
bool isUrlEncoded;
|
||||
bool hasCharLess;
|
||||
bool hasDoubleQuote;
|
||||
bool hasPercent;
|
||||
std::string textual;
|
||||
};
|
||||
|
||||
|
||||
@@ -867,7 +867,7 @@ void Waf2Transaction::parseCookie(const char* value, int value_len)
|
||||
if (value_len > 0) {
|
||||
dbgTrace(D_WAAP_HEADERS) << "[transaction:" << this << "] scanning the cookie value";
|
||||
m_deepParser.m_key.push("cookie", 6);
|
||||
ParserUrlEncode cookieValueParser(m_deepParserReceiver, 0, ';');
|
||||
ParserUrlEncode cookieValueParser(m_deepParserReceiver, 0, ';', false);
|
||||
cookieValueParser.push(value, value_len);
|
||||
cookieValueParser.finish();
|
||||
m_deepParser.m_key.pop("cookie");
|
||||
@@ -1077,6 +1077,9 @@ void Waf2Transaction::add_request_hdr(const char* name, int name_len, const char
|
||||
std::string header_name(name, name_len);
|
||||
boost::algorithm::to_lower(header_name);
|
||||
hdrs_map[header_name] = std::string(value, value_len);
|
||||
if (header_name == "host") {
|
||||
m_hostStr = hdrs_map[header_name];
|
||||
}
|
||||
}
|
||||
|
||||
void Waf2Transaction::end_request_hdrs() {
|
||||
|
||||
@@ -117,7 +117,7 @@ WaapComponent::Impl::fini()
|
||||
std::string
|
||||
WaapComponent::Impl::getListenerName() const
|
||||
{
|
||||
return "waap application";
|
||||
return WAAP_APPLICATION_NAME;
|
||||
}
|
||||
|
||||
// Start request (called before headers arrive). However, the method and URL path is known at this stage.
|
||||
|
||||
Reference in New Issue
Block a user