Jan_31_2024-Dev

2025-09-29 19:24:26 +03:00 · 2024-01-31 17:34:53 +00:00
parent 752a5785f0
commit 6d67818a94
376 changed files with 8101 additions and 7064 deletions
--- a/nodes/orchestration/main.cc
+++ b/nodes/orchestration/main.cc
@@ -30,7 +30,6 @@
 #include "rest_server.h"
 #include "logging_comp.h"
 #include "rest.h"
-#include "proto_message_comp.h"
 #include "encryptor.h"
 #include "downloader.h"
 #include "orchestration_tools.h"
@@ -44,7 +43,6 @@
 #include "signal_handler.h"
 #include "cpu.h"
 #include "memory_consumption.h"
-#include "messaging_buffer.h"
 #include "agent_details_reporter.h"
 #include "instance_awareness.h"
 #include "socket_is.h"
--- a/nodes/orchestration/package/cpnano_debug/cpnano_debug.cc
+++ b/nodes/orchestration/package/cpnano_debug/cpnano_debug.cc
@@ -93,6 +93,7 @@ enum class Service {
    DEDICATED_NETWORK_HANDLER,
    HELLO_WORLD,
    IDA,
+    IDA_SAML,
    IOT_ACCESS_CONTROL,
    HORIZON_TELEMETRY,

@@ -169,6 +170,7 @@ getServiceString(const Service service)
        case (Service::IOT_WLP): return "workload-protection";
        case (Service::HELLO_WORLD): return "hello-world";
        case (Service::IDA): return "identity-awareness";
+        case (Service::IDA_SAML): return "ida-saml";
        case (Service::IOT_ACCESS_CONTROL): return "iot-access-control";
        case (Service::HORIZON_TELEMETRY): return "horizon-telemetry";
        default:
@@ -344,6 +346,11 @@ getServiceConfig (const Service service)
                filesystem_path + "/conf/cp-nano-ida-debug-conf.json",
                log_files_path + "/nano_agent/cp-nano-ida.dbg"
            );
+        case (Service::IDA_SAML):
+            return ServiceConfig(
+                filesystem_path + "/conf/cp-nano-ida-saml-debug-conf.json",
+                log_files_path + "/nano_agent/cp-nano-ida-saml.dbg"
+            );
        case (Service::HELLO_WORLD):
            return ServiceConfig(
                filesystem_path + "/conf/cp-nano-hello-world-conf.json",
@@ -1284,6 +1291,8 @@ extractServices(const vector<string> &args)
            services.push_back(Service::IOT_WLP);
        } else if (getServiceString(Service::IDA).find(maybe_service) == 0) {
            services.push_back(Service::IDA);
+        } else if (getServiceString(Service::IDA_SAML).find(maybe_service) == 0) {
+            services.push_back(Service::IDA_SAML);
        } else if (getServiceString(Service::IOT_ACCESS_CONTROL).find(maybe_service) == 0) {
            services.push_back(Service::IOT_ACCESS_CONTROL);
        } else if (getServiceString(Service::HORIZON_TELEMETRY).find(maybe_service) == 0) {
--- a/nodes/orchestration/package/open-appsec-ctl.sh
+++ b/nodes/orchestration/package/open-appsec-ctl.sh
@@ -129,7 +129,11 @@ CUSTOM_POLICY_CONF_FILE="${FILESYSTEM_PATH}/${cp_nano_conf_location}/custom_poli
 if [ -f ${CUSTOM_POLICY_CONF_FILE} ]; then
    . $CUSTOM_POLICY_CONF_FILE
 else
-    var_policy_file="${FILESYSTEM_PATH}/${cp_nano_conf_location}/local_policy.yaml"
+    if [ -f /ext/appsec/local_policy.yaml ]; then
+        var_policy_file=/ext/appsec/local_policy.yaml
+    else
+        var_policy_file="${FILESYSTEM_PATH}/${cp_nano_conf_location}/local_policy.yaml"
+    fi;
 fi

 is_arm32=
@@ -1617,7 +1621,7 @@ stop_service() # Initials - stops
    eval "$stops_cmd"
    stops_exit_code=$?
    if [ $stops_exit_code -eq 0 ]; then
-        echo "Successfully stoped the $stops_service_to_stop service"
+        echo "Successfully stopped the $stops_service_to_stop service"
        exit 0
    fi
    echo "Failed to stop the $stops_service_to_stop service"
@@ -1759,7 +1763,11 @@ run() # Initials - r
        shift
        if [ ! -z $1 ]; then
            if [ "-d" = "$1" ] || [ "--default-policy" = "$1" ]; then
-                var_new_policy_file="${FILESYSTEM_PATH}/${cp_nano_conf_location}/local_policy.yaml"
+                if [ -f /ext/appsec/local_policy.yaml ]; then
+                    var_new_policy_file=/ext/appsec/local_policy.yaml
+                else
+                    var_new_policy_file="${FILESYSTEM_PATH}/${cp_nano_conf_location}/local_policy.yaml"
+                fi
            elif [ -f $1 ]; then
                var_new_policy_file=$1
            else
@@ -1767,7 +1775,11 @@ run() # Initials - r
                exit 1
            fi
        else
-            var_new_policy_file="${FILESYSTEM_PATH}/${cp_nano_conf_location}/local_policy.yaml"
+            if [ -f /ext/appsec/local_policy.yaml ]; then
+                var_new_policy_file=/ext/appsec/local_policy.yaml
+            else
+                var_new_policy_file="${FILESYSTEM_PATH}/${cp_nano_conf_location}/local_policy.yaml"
+            fi
        fi

        is_apply_policy_needed
@@ -1782,7 +1794,13 @@ run() # Initials - r
            http://127.0.0.1:"$(extract_api_port 'orchestration')"/set-apply-policy 2>&1)
        is_policy_file_changed
        is_changed=$?
+        counter=0
        while [ ${is_changed} -eq 0 ]; do
+            counter=$((counter+1))
+            if [ ${counter} -gt 40 ]; then
+                echo "\nPolicy didn't change please verify that you have a legal new policy"
+                exit 1
+            fi
            echo -n "."
            sleep 3
            is_policy_file_changed
@@ -1799,7 +1817,11 @@ run() # Initials - r
        echo $var_policy_file
    elif [ "-vl" = "$1" ] || [ "--view-logs" = "$1" ]; then
        record_command $@
-        less $LOG_FILE_PATH/nano_agent/cp-nano-http-transaction-handler.log?
+        if ls /var/log/nano_agent/cp-nano-http-transaction-handler.log? 1>dev/null 2>&1; then
+            less $LOG_FILE_PATH/nano_agent/cp-nano-http-transaction-handler.log?
+        else
+            echo "No logs found"
+        fi
    else
        usage
    fi
--- a/nodes/orchestration/package/orchestration_package.sh
+++ b/nodes/orchestration/package/orchestration_package.sh
@@ -3,6 +3,7 @@
 # Copyright Check Point Software Technologies LTD
 FILESYSTEM_PATH="/etc/cp"
 LOG_FILE_PATH="/var/log"
+SMB_LOG_FILE_PATH="/storage"
 USR_LIB_PATH="/usr/lib"
 USR_SBIN_PATH="/usr/sbin"
 INIT_D_PATH="/etc/init.d"
@@ -383,7 +384,7 @@ cp_print()
    if [ "$is_smb" != "1" ]; then
        printf "%b\n" "$1" >> ${LOG_FILE_PATH}/${LOG_PATH}/${INSTALLATION_LOG_FILE}
    else
-        printf "%b\n" "$1" > ${LOG_FILE_PATH}/${LOG_PATH}/${INSTALLATION_LOG_FILE}
+        printf "%b\n" "$1" >> ${SMB_LOG_FILE_PATH}/${LOG_PATH}/${INSTALLATION_LOG_FILE}
    fi
 }

@@ -488,7 +489,12 @@ install_watchdog()
    fi
    if [ "$old_cp_nano_watchdog_md5" = "$new_cp_nano_watchdog_md5" ]; then
        # Watchdog did not changed
-        cp_print "There is no update in watchdog. Everything is up to date."
+        cp_print "There is no update in watchdog. Everything is up to date. Reregistering services to be on the sae side."
+        cp_exec "${FILESYSTEM_PATH}/${WATCHDOG_PATH}/cp-nano-watchdog --register ${FILESYSTEM_PATH}/${SERVICE_PATH}/cp-nano-orchestration $var_arch_flag"
+        if [ "$IS_K8S_ENV" = "true" ]; then
+            cp_exec "${FILESYSTEM_PATH}/${WATCHDOG_PATH}/cp-nano-watchdog --register ${FILESYSTEM_PATH}/${SERVICE_PATH}/k8s-check-update-listener.sh"
+        fi
+
        return
    fi
    cp_print "Installing the watchdog" ${FORCE_STDOUT}