sync code

components/security_apps/local_policy_mgmt_gen/appsec_practice_section.cc

@@ -19,7 +19,14 @@ using namespace std;
 USE_DEBUG_FLAG(D_LOCAL_POLICY);
 // LCOV_EXCL_START Reason: no test exist
 
-static const set<string> valid_modes = {"prevent-learn", "detect-learn", "prevent", "detect", "inactive"};
+static const set<string> valid_modes = {
+    "prevent-learn",
+    "detect-learn",
+    "prevent",
+    "detect",
+    "inactive",
+    "as-top-level"
+};
 static const set<string> valid_confidences = {"medium", "high", "critical"};
 
 void
@@ -138,15 +145,11 @@ AppSecPracticeWebAttacks::load(cereal::JSONInputArchive &archive_in)
         dbgWarning(D_LOCAL_POLICY) << "AppSec practice override mode invalid: " << mode;
     }
 
-    if (getMode() == "Prevent") {
-        parseAppsecJSONKey<string>("minimum-confidence", minimum_confidence, archive_in, "critical");
-        if (valid_confidences.count(minimum_confidence) == 0) {
-            dbgWarning(D_LOCAL_POLICY)
-                << "AppSec practice override minimum confidence invalid: "
-                << minimum_confidence;
-        }
-    } else {
-        minimum_confidence = "Transparent";
+    parseAppsecJSONKey<string>("minimum-confidence", minimum_confidence, archive_in, "critical");
+    if (valid_confidences.count(minimum_confidence) == 0) {
+        dbgWarning(D_LOCAL_POLICY)
+            << "AppSec practice override minimum confidence invalid: "
+            << minimum_confidence;
     }
     parseAppsecJSONKey<int>("max-body-size-kb", max_body_size_kb, archive_in, 1000000);
     parseAppsecJSONKey<int>("max-header-size-bytes", max_header_size_bytes, archive_in, 102400);
@@ -189,7 +192,10 @@ AppSecPracticeWebAttacks::getMode(const string &default_mode) const
 {
     if (isModeInherited(mode) || (key_to_practices_val2.find(mode) == key_to_practices_val2.end())) {
         dbgError(D_LOCAL_POLICY) << "Couldn't find a value for key: " << mode << ". Returning " << default_mode;
-        return default_mode;
+        if(key_to_practices_val2.find(default_mode) == key_to_practices_val2.end()) {
+            return default_mode;
+        }
+        return key_to_practices_val2.at(default_mode);
     }
     return key_to_practices_val2.at(mode);
 }
@@ -428,7 +434,6 @@ WebAppSection::WebAppSection(
     practice_id(_practice_id),
     practice_name(_practice_name),
     context(_context),
-    web_attack_mitigation_severity(parsed_appsec_spec.getWebAttacks().getMinimumConfidence()),
     web_attack_mitigation_mode(parsed_appsec_spec.getWebAttacks().getMode(default_mode)),
     csrf_protection_mode("Disabled"),
     open_redirect_mode("Disabled"),
@@ -438,6 +443,9 @@ WebAppSection::WebAppSection(
     trusted_sources({ parsed_trusted_sources })
 {
     web_attack_mitigation = web_attack_mitigation_mode != "Disabled";
+    web_attack_mitigation_severity =
+        web_attack_mitigation_mode != "Prevent" ? "Transparent" :
+        parsed_appsec_spec.getWebAttacks().getMinimumConfidence();
     web_attack_mitigation_action =
         web_attack_mitigation_mode != "Prevent" ? "Transparent" :
         web_attack_mitigation_severity == "critical" ? "low" :
@@ -470,6 +478,7 @@ WebAppSection::WebAppSection(
     const string &_context,
     const string &_web_attack_mitigation_severity,
     const string &_web_attack_mitigation_mode,
+    const string &_bot_protection,
     const PracticeAdvancedConfig &_practice_advanced_config,
     const AppsecPracticeAntiBotSection &_anti_bots,
     const LogTriggerSection &parsed_log_trigger,
@@ -486,6 +495,7 @@ WebAppSection::WebAppSection(
     context(_context),
     web_attack_mitigation_severity(_web_attack_mitigation_severity),
     web_attack_mitigation_mode(_web_attack_mitigation_mode),
+    bot_protection(_bot_protection),
     practice_advanced_config(_practice_advanced_config),
     anti_bots(_anti_bots),
     trusted_sources({ parsed_trusted_sources })
@@ -514,7 +524,6 @@ void
 WebAppSection::save(cereal::JSONOutputArchive &out_ar) const
 {
     string disabled_str = "Disabled";
-    string detect_str = "Detect";
     vector<string> empty_list;
     out_ar(
         cereal::make_nvp("context",                     context),
@@ -542,7 +551,7 @@ WebAppSection::save(cereal::JSONOutputArchive &out_ar) const
         cereal::make_nvp("waapParameters",              empty_list),
         cereal::make_nvp("botProtection",               false),
         cereal::make_nvp("antiBot",                     anti_bots),
-        cereal::make_nvp("botProtection_v2",            detect_str)
+        cereal::make_nvp("botProtection_v2",            bot_protection != "" ? bot_protection : string("Detect"))
     );
 }
 

components/security_apps/local_policy_mgmt_gen/include/appsec_practice_section.h

@@ -290,6 +290,7 @@ public:
         const std::string &_context,
         const std::string &_web_attack_mitigation_severity,
         const std::string &_web_attack_mitigation_mode,
+        const std::string &_bot_protection,
         const PracticeAdvancedConfig &_practice_advanced_config,
         const AppsecPracticeAntiBotSection &_anti_bots,
         const LogTriggerSection &parsed_log_trigger,
@@ -315,6 +316,7 @@ private:
     std::string csrf_protection_mode;
     std::string open_redirect_mode;
     std::string error_disclosure_mode;
+    std::string bot_protection;
     bool web_attack_mitigation;
     std::vector<TriggersInWaapSection> triggers;
     PracticeAdvancedConfig practice_advanced_config;

components/security_apps/local_policy_mgmt_gen/include/new_practice.h

@@ -508,30 +508,20 @@ private:
     bool is_temporary;
 };
 
-class NewAppSecWebBotsURI
-{
-public:
-    void load(cereal::JSONInputArchive &archive_in);
-
-    const std::string & getURI() const;
-
-private:
-    std::string uri;
-};
-
 class NewAppSecPracticeAntiBot
 {
 public:
-    std::vector<std::string> getIjectedUris() const;
-    std::vector<std::string> getValidatedUris() const;
+    const std::vector<std::string> & getIjectedUris() const;
+    const std::vector<std::string> & getValidatedUris() const;
+    const std::string & getMode() const;
 
     void load(cereal::JSONInputArchive &archive_in);
     void save(cereal::JSONOutputArchive &out_ar) const;
 
 private:
     std::string override_mode;
-    std::vector<NewAppSecWebBotsURI> injected_uris;
-    std::vector<NewAppSecWebBotsURI> validated_uris;
+    std::vector<std::string> injected_uris;
+    std::vector<std::string> validated_uris;
 };
 
 class NewAppSecWebAttackProtections

components/security_apps/local_policy_mgmt_gen/include/triggers_section.h

@@ -39,7 +39,7 @@ public:
         bool _logToAgent,
         bool _logToCef,
         bool _logToCloud,
-        bool _logToContainerService,
+        bool _logTolocalTuning,
         bool _logToSyslog,
         bool _responseBody,
         bool _tpDetect,
@@ -73,7 +73,7 @@ private:
     bool logToAgent;
     bool logToCef;
     bool logToCloud;
-    bool logToContainerService;
+    bool logTolocalTuning;
     bool logToSyslog;
     bool responseBody;
     bool tpDetect;

components/security_apps/local_policy_mgmt_gen/new_log_trigger.cc

@@ -180,12 +180,16 @@ NewAppsecTriggerLogDestination::load(cereal::JSONInputArchive &archive_in)
     } else {
         cloud = false;
     }
-    auto mode = Singleton::Consume<I_AgentDetails>::by<NewAppsecTriggerLogDestination>()->getOrchestrationMode();
-    auto env_type = Singleton::Consume<I_EnvDetails>::by<NewAppsecTriggerLogDestination>()->getEnvType();
-    bool k8s_service_default = (mode == OrchestrationMode::HYBRID && env_type == EnvType::K8S);
-    // BC try load previous name. TODO: update CRD
-    parseAppsecJSONKey<bool>("k8s-service", container_service, archive_in, k8s_service_default);
-    parseAppsecJSONKey<bool>("container-service", container_service, archive_in, container_service);
+    bool local_tuning_default = false;
+    // check ENV VAR LOCAL_TUNING_ENABLED
+    char * tuning_enabled = getenv("LOCAL_TUNING_ENABLED");
+    if (tuning_enabled != NULL) {
+        for (unsigned int i = 0; i < strlen(tuning_enabled); i++) {
+            tuning_enabled[i] = tolower(tuning_enabled[i]);
+        }
+        local_tuning_default = string(tuning_enabled) == "true";
+    }
+    parseAppsecJSONKey<bool>("local-tuning", container_service, archive_in, local_tuning_default);
 
     NewStdoutLogging stdout_log;
     parseAppsecJSONKey<NewStdoutLogging>("stdout", stdout_log, archive_in);

components/security_apps/local_policy_mgmt_gen/new_practice.cc

@@ -50,6 +50,13 @@ static const std::unordered_map<std::string, std::string> key_to_mode_val = {
     { "detect", "Detect"},
     { "inactive", "Inactive"}
 };
+static const std::unordered_map<std::string, std::string> anti_bot_key_to_mode_val = {
+    { "prevent-learn", "Prevent"},
+    { "detect-learn", "Detect"},
+    { "prevent", "Prevent"},
+    { "detect", "Detect"},
+    { "inactive", "Disabled"}
+};
 static const std::unordered_map<std::string, uint64_t> unit_to_int = {
     { "bytes", 1},
     { "KB", 1024},
@@ -81,57 +88,44 @@ getModeWithDefault(
     return key_to_val.at(mode);
 }
 
-void
-NewAppSecWebBotsURI::load(cereal::JSONInputArchive &archive_in)
-{
-    dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Web Bots URI";
-    parseAppsecJSONKey<string>("uri", uri, archive_in);
-}
-
-const string &
-NewAppSecWebBotsURI::getURI() const
-{
-    return uri;
-}
-
-std::vector<std::string>
+const std::vector<std::string> &
 NewAppSecPracticeAntiBot::getIjectedUris() const
 {
-    vector<string> injected;
-    for (const NewAppSecWebBotsURI &uri : injected_uris) injected.push_back(uri.getURI());
-    return injected;
+    return injected_uris;
 }
 
-std::vector<std::string>
+const std::vector<std::string> &
 NewAppSecPracticeAntiBot::getValidatedUris() const
 {
-    vector<string> validated;
-    for (const NewAppSecWebBotsURI &uri : validated_uris) validated.push_back(uri.getURI());
-    return validated;
+    return validated_uris;
+}
+
+const std::string &
+NewAppSecPracticeAntiBot::getMode() const
+{
+    return override_mode;
 }
 
 void
 NewAppSecPracticeAntiBot::load(cereal::JSONInputArchive &archive_in)
 {
     dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Web Bots";
-    parseAppsecJSONKey<vector<NewAppSecWebBotsURI>>("injectedUris", injected_uris, archive_in);
-    parseAppsecJSONKey<vector<NewAppSecWebBotsURI>>("validatedUris", validated_uris, archive_in);
-    parseMandatoryAppsecJSONKey<string>("overrideMode", override_mode, archive_in, "inactive");
-    if (valid_modes.count(override_mode) == 0) {
-        dbgWarning(D_LOCAL_POLICY) << "AppSec Web Bots override mode invalid: " << override_mode;
+    string mode;
+    parseAppsecJSONKey<vector<string>>("injectedUris", injected_uris, archive_in);
+    parseAppsecJSONKey<vector<string>>("validatedUris", validated_uris, archive_in);
+    parseMandatoryAppsecJSONKey<string>("overrideMode", mode, archive_in, "inactive");
+    if (valid_modes.count(mode) == 0) {
+        dbgWarning(D_LOCAL_POLICY) << "AppSec Web Bots override mode invalid: " << mode;
     }
+    override_mode = anti_bot_key_to_mode_val.at(mode);
 }
 
 void
 NewAppSecPracticeAntiBot::save(cereal::JSONOutputArchive &out_ar) const
 {
-    vector<string> injected;
-    vector<string> validated;
-    for (const NewAppSecWebBotsURI &uri : injected_uris) injected.push_back(uri.getURI());
-    for (const NewAppSecWebBotsURI &uri : validated_uris) validated.push_back(uri.getURI());
     out_ar(
-        cereal::make_nvp("injected", injected),
-        cereal::make_nvp("validated", validated)
+        cereal::make_nvp("injected", injected_uris),
+        cereal::make_nvp("validated", validated_uris)
     );
 }
 

components/security_apps/local_policy_mgmt_gen/policy_maker_utils.cc

@@ -555,7 +555,7 @@ extractLogTriggerData(const string &trigger_annotation_name, const T &trigger_sp
     bool webHeaders = trigger_spec.getAppsecTriggerExtendedLogging().isHttpHeaders();
     bool webBody = trigger_spec.getAppsecTriggerExtendedLogging().isRequestBody();
     bool logToCloud = trigger_spec.getAppsecTriggerLogDestination().getCloud();
-    bool logToContainerService = trigger_spec.getAppsecTriggerLogDestination().isContainerNeeded();
+    bool logTolocalTuning = trigger_spec.getAppsecTriggerLogDestination().isContainerNeeded();
     bool logToAgent = trigger_spec.getAppsecTriggerLogDestination().isAgentLocal();
     bool beautify_logs = trigger_spec.getAppsecTriggerLogDestination().shouldBeautifyLogs();
     bool logToCef = trigger_spec.getAppsecTriggerLogDestination().isCefNeeded();
@@ -582,7 +582,7 @@ extractLogTriggerData(const string &trigger_annotation_name, const T &trigger_sp
         logToAgent,
         logToCef,
         logToCloud,
-        logToContainerService,
+        logTolocalTuning,
         logToSyslog,
         responseBody,
         tpDetect,
@@ -1236,6 +1236,7 @@ PolicyMakerUtils::createWebAppSection(
         rule_config.getContext(),
         apssec_practice.getWebAttacks().getMinimumConfidence(practice_mode),
         apssec_practice.getWebAttacks().getMode(practice_mode),
+        apssec_practice.getAntiBot().getMode(),
         practice_advance_config,
         apssec_practice.getAntiBot(),
         log_triggers[rule_annotations[AnnotationTypes::TRIGGER]],

components/security_apps/local_policy_mgmt_gen/triggers_section.cc

@@ -30,7 +30,7 @@ LogTriggerSection::LogTriggerSection(
     bool _logToAgent,
     bool _logToCef,
     bool _logToCloud,
-    bool _logToContainerService,
+    bool _logTolocalTuning,
     bool _logToSyslog,
     bool _responseBody,
     bool _tpDetect,
@@ -55,7 +55,7 @@ LogTriggerSection::LogTriggerSection(
     logToAgent(_logToAgent),
     logToCef(_logToCef),
     logToCloud(_logToCloud),
-    logToContainerService(_logToContainerService),
+    logTolocalTuning(_logTolocalTuning),
     logToSyslog(_logToSyslog),
     responseBody(_responseBody),
     tpDetect(_tpDetect),
@@ -101,7 +101,7 @@ LogTriggerSection::save(cereal::JSONOutputArchive &out_ar) const
         cereal::make_nvp("logToAgent",               logToAgent),
         cereal::make_nvp("logToCef",                 logToCef),
         cereal::make_nvp("logToCloud",               logToCloud),
-        cereal::make_nvp("logToContainerService",    logToContainerService),
+        cereal::make_nvp("logTolocalTuning",    logTolocalTuning),
         cereal::make_nvp("logToSyslog",              logToSyslog),
         cereal::make_nvp("responseBody",             responseBody),
         cereal::make_nvp("responseCode",             false),
@@ -393,12 +393,16 @@ AppsecTriggerLogDestination::load(cereal::JSONInputArchive &archive_in)
     } else {
         cloud = false;
     }
-    auto mode = Singleton::Consume<I_AgentDetails>::by<AppsecTriggerLogDestination>()->getOrchestrationMode();
-    auto env_type = Singleton::Consume<I_EnvDetails>::by<AppsecTriggerLogDestination>()->getEnvType();
-    bool k8s_service_default = (mode == OrchestrationMode::HYBRID && env_type == EnvType::K8S);
-    // BC try load previous name. TODO: update CRD
-    parseAppsecJSONKey<bool>("k8s-service", container_service, archive_in, k8s_service_default);
-    parseAppsecJSONKey<bool>("container-service", container_service, archive_in, container_service);
+    // check ENV VAR LOCAL_TUNING_ENABLED
+    char * tuning_enabled = getenv("LOCAL_TUNING_ENABLED");
+    if (tuning_enabled != NULL) {
+        for (unsigned int i = 0; i < strlen(tuning_enabled); i++) {
+            tuning_enabled[i] = tolower(tuning_enabled[i]);
+        }
+        container_service = string(tuning_enabled) == "true";
+    } else {
+        container_service = false;
+    }
 
     StdoutLogging stdout_log;
     parseAppsecJSONKey<StdoutLogging>("stdout", stdout_log, archive_in);