Updating local policy, metrics, and local update trigger

components/include/i_update_communication.h

@@ -26,6 +26,7 @@ using OrchData      = Maybe<std::string>;
 class I_UpdateCommunication
 {
 public:
+    virtual void init() = 0;
     virtual Maybe<void> sendPolicyVersion(
         const std::string &policy_version,
         const std::string &policy_versions

components/security_apps/local_policy_mgmt_gen/CMakeLists.txt

@@ -13,6 +13,7 @@ add_library(local_policy_mgmt_gen
     local_policy_mgmt_gen.cc
     new_appsec_policy_crd_parser.cc
     new_appsec_linux_policy.cc
+    new_auto_upgrade.cc
     new_custom_response.cc
     new_trusted_sources.cc
     new_log_trigger.cc

components/security_apps/local_policy_mgmt_gen/access_control_practice.cc

@@ -18,16 +18,12 @@ using namespace std;
 USE_DEBUG_FLAG(D_LOCAL_POLICY);
 // LCOV_EXCL_START Reason: no test exist
 
-static const set<string> valid_modes    = {"prevent", "detect", "inactive"};
-static const set<string> valid_units    = {"minute", "second"};
-
-static const std::unordered_map<std::string, std::string> key_to_mode_val = {
-    { "prevent-learn", "Prevent"},
-    { "detect-learn", "Detect"},
-    { "prevent", "Prevent"},
-    { "detect", "Detect"},
-    { "inactive", "Inactive"}
+static const map<string, string> valid_modes_to_key = {
+    {"prevent", "Active"},
+    {"detect", "Detect"},
+    {"inactive", "Inactive"}
 };
+static const set<string> valid_units    = {"minute", "second"};
 
 static const std::unordered_map<std::string, std::string> key_to_units_val = {
     { "second", "Second"},
@@ -78,7 +74,7 @@ RateLimitSection::RateLimitSection(
 {
     bool any = asset_name == "Any" && url == "Any" && uri == "Any";
     string asset_id = any ? "Any" : url+uri;
-    context = "assetId(" + asset_id + ")";
+    context = any ? "All()" : "assetId(" + asset_id + ")";
 }
 
 void
@@ -86,7 +82,7 @@ RateLimitSection::save(cereal::JSONOutputArchive &out_ar) const
 {
     out_ar(
         cereal::make_nvp("context",         context),
-        cereal::make_nvp("mode",            key_to_mode_val.at(mode)),
+        cereal::make_nvp("mode",            mode),
         cereal::make_nvp("practiceId",      practice_id),
         cereal::make_nvp("name",            name),
         cereal::make_nvp("rules",           rules)
@@ -180,9 +176,13 @@ void
 AccessControlRateLimit::load(cereal::JSONInputArchive &archive_in)
 {
     dbgTrace(D_LOCAL_POLICY) << "Loading Access control rate limit";
-    parseAppsecJSONKey<string>("overrideMode", mode, archive_in, "Inactive");
-    if (valid_modes.count(mode) == 0) {
-        dbgWarning(D_LOCAL_POLICY) << "AppSec access control rate limit override mode invalid: " << mode;
+    string in_mode;
+    parseAppsecJSONKey<string>("overrideMode", in_mode, archive_in, "inactive");
+    if (valid_modes_to_key.find(in_mode) == valid_modes_to_key.end()) {
+        dbgWarning(D_LOCAL_POLICY) << "AppSec access control rate limit override mode invalid: " << in_mode;
+        mode = "Inactive";
+    } else {
+        mode = valid_modes_to_key.at(in_mode);
     }
     parseAppsecJSONKey<std::vector<AccessControlRateLimiteRules>>("rules", rules, archive_in);
 }

components/security_apps/local_policy_mgmt_gen/appsec_practice_section.cc

@@ -12,6 +12,7 @@
 // limitations under the License.
 
 #include "appsec_practice_section.h"
+#include <algorithm>
 
 using namespace std;
 
@@ -238,6 +239,7 @@ AppSecPracticeOpenSchemaAPI::getConfigMap() const
 {
     return config_map;
 }
+
 // LCOV_EXCL_STOP
 void
 AppSecPracticeSpec::load(cereal::JSONInputArchive &archive_in)
@@ -272,6 +274,7 @@ AppSecPracticeSpec::getSnortSignatures() const
 {
     return snort_signatures;
 }
+
 // LCOV_EXCL_STOP
 
 const AppSecPracticeWebAttacks &
@@ -337,6 +340,7 @@ ParsedMatch::ParsedMatch(const ExceptionMatch &exceptions)
         parsed_match.push_back(ParsedMatch(exception_match));
     }
 }
+
 // LCOV_EXCL_STOP
 
 void
@@ -375,6 +379,7 @@ AppSecOverride::AppSecOverride(const InnerException &parsed_exceptions)
     map<string, string> behavior = {{parsed_exceptions.getBehaviorKey(), parsed_exceptions.getBehaviorValue()}};
     parsed_behavior.push_back(behavior);
 }
+
 // LCOV_EXCL_STOP
 
 void
@@ -426,10 +431,11 @@ WebAppSection::WebAppSection(
     web_attack_mitigation_mode(parsed_appsec_spec.getWebAttacks().getMode(default_mode)),
     practice_advanced_config(parsed_appsec_spec),
     anti_bots(parsed_appsec_spec.getAntiBot()),
-    trusted_sources({parsed_trusted_sources})
+    trusted_sources({ parsed_trusted_sources })
 {
     web_attack_mitigation = true;
     web_attack_mitigation_action =
+        web_attack_mitigation_mode != "Prevent" ? "Transparent" :
         web_attack_mitigation_severity == "critical" ? "low" :
         web_attack_mitigation_severity == "high" ? "balanced" :
         web_attack_mitigation_severity == "medium" ? "high" :
@@ -473,7 +479,7 @@ WebAppSection::WebAppSection(
     web_attack_mitigation_mode(_web_attack_mitigation_mode),
     practice_advanced_config(_practice_advanced_config),
     anti_bots(_anti_bots),
-    trusted_sources({parsed_trusted_sources})
+    trusted_sources({ parsed_trusted_sources })
 {
     web_attack_mitigation = true;
     web_attack_mitigation_action =
@@ -488,6 +494,7 @@ WebAppSection::WebAppSection(
         overrides.push_back(AppSecOverride(source_ident));
     }
 }
+
 // LCOV_EXCL_STOP
 
 void
@@ -525,7 +532,16 @@ WebAppSection::save(cereal::JSONOutputArchive &out_ar) const
         cereal::make_nvp("botProtection_v2",            detect_str)
     );
 }
+
 // LCOV_EXCL_START Reason: no test exist
+
+bool
+WebAppSection::operator<(const WebAppSection &other) const
+{
+    // for sorting from the most specific to the least specific rule
+    return application_urls.size() > other.application_urls.size();
+}
+
 void
 WebAPISection::save(cereal::JSONOutputArchive &out_ar) const
 {
@@ -554,8 +570,27 @@ WebAPISection::save(cereal::JSONOutputArchive &out_ar) const
         cereal::make_nvp("overrides",                      empty_list)
     );
 }
+
+bool
+WebAPISection::operator<(const WebAPISection &other) const
+{
+    // for sorting from the most specific to the least specific rule
+    return application_urls.size() > other.application_urls.size();
+}
+
 // LCOV_EXCL_STOP
 
+AppSecRulebase::AppSecRulebase(
+    std::vector<WebAppSection> _webApplicationPractices,
+    std::vector<WebAPISection> _webAPIPractices
+) :
+    webApplicationPractices(_webApplicationPractices),
+    webAPIPractices(_webAPIPractices)
+{
+    sort(webAPIPractices.begin(), webAPIPractices.end());
+    sort(webApplicationPractices.begin(), webApplicationPractices.end());
+}
+
 void
 AppSecRulebase::save(cereal::JSONOutputArchive &out_ar) const
 {
@@ -719,11 +754,7 @@ AppsecLinuxPolicy::serialize(cereal::JSONInputArchive &archive_in)
     parseAppsecJSONKey<vector<AppSecCustomResponseSpec>>("custom-responses", custom_responses, archive_in);
     parseAppsecJSONKey<vector<AppsecException>>("exceptions", exceptions, archive_in);
     parseAppsecJSONKey<vector<TrustedSourcesSpec>>("trusted-sources", trusted_sources, archive_in);
-    parseAppsecJSONKey<vector<SourceIdentifierSpecWrapper>>(
-        "source-identifiers",
-        sources_identifiers,
-        archive_in
-    );
+    parseAppsecJSONKey<vector<SourceIdentifierSpecWrapper>>("source-identifiers", sources_identifiers, archive_in);
 }
 
 const AppsecPolicySpec &
@@ -768,7 +799,6 @@ AppsecLinuxPolicy::getAppsecSourceIdentifierSpecs() const
     return sources_identifiers;
 }
 
-
 const vector<RPMSettings> &
 AppsecLinuxPolicy::rpmGetRPSettings() const
 {

components/security_apps/local_policy_mgmt_gen/exceptions_section.cc

@@ -241,11 +241,21 @@ ExceptionMatch::ExceptionMatch(const NewAppsecException &parsed_exception)
         items.push_back(ExceptionMatch("sourceIdentifier", parsed_exception.getSourceIdentifier()));
     }
     if (!parsed_exception.getSourceIp().empty()) {
-        items.push_back(ExceptionMatch("sourceIp", parsed_exception.getSourceIp()));
+        items.push_back(ExceptionMatch("sourceIP", parsed_exception.getSourceIp()));
     }
     if (!parsed_exception.getUrl().empty()) {
         items.push_back(ExceptionMatch("url", parsed_exception.getUrl()));
     }
+
+    // when there is only one operand, there's no need for an additional 'and'/'or' condition enclosing it
+    if (items.size() == 1) {
+        auto & other = items[0];
+        match_type = other.match_type;
+        op = other.op;
+        key = other.key;
+        value = other.value;
+        items = other.items;
+    }
 }
 
 void

components/security_apps/local_policy_mgmt_gen/include/appsec_practice_section.h

@@ -296,6 +296,8 @@ public:
 
     void save(cereal::JSONOutputArchive &out_ar) const;
 
+    bool operator< (const WebAppSection &other) const;
+
 private:
     std::string application_urls;
     std::string asset_id;
@@ -350,6 +352,8 @@ public:
 
     void save(cereal::JSONOutputArchive &out_ar) const;
 
+    bool operator< (const WebAPISection &other) const;
+
 private:
     std::string application_urls;
     std::string asset_id;
@@ -371,10 +375,7 @@ class AppSecRulebase
 public:
     AppSecRulebase(
         std::vector<WebAppSection> _webApplicationPractices,
-        std::vector<WebAPISection> _webAPIPractices)
-        :
-        webApplicationPractices(_webApplicationPractices),
-        webAPIPractices(_webAPIPractices) {}
+        std::vector<WebAPISection> _webAPIPractices);
 
     void save(cereal::JSONOutputArchive &out_ar) const;
 

components/security_apps/local_policy_mgmt_gen/include/new_appsec_linux_policy.h

@@ -32,7 +32,7 @@
 #include "new_practice.h"
 #include "access_control_practice.h"
 #include "new_trusted_sources.h"
-
+#include "new_auto_upgrade.h"
 
 class V1beta2AppsecLinuxPolicy : Singleton::Consume<I_Environment>
 {
@@ -48,7 +48,8 @@ public:
         const std::vector<NewAppSecCustomResponse> &_custom_responses,
         const std::vector<NewAppsecException> &_exceptions,
         const std::vector<NewTrustedSourcesSpec> &_trusted_sources,
-        const std::vector<NewSourcesIdentifiers> &_sources_identifiers)
+        const std::vector<NewSourcesIdentifiers> &_sources_identifiers,
+        const AppSecAutoUpgradeSpec &_auto_upgrade)
             :
         policies(_policies),
         threat_prevection_practices(_threat_prevention_practices),
@@ -57,7 +58,8 @@ public:
         custom_responses(_custom_responses),
         exceptions(_exceptions),
         trusted_sources(_trusted_sources),
-        sources_identifiers(_sources_identifiers) {}
+        sources_identifiers(_sources_identifiers),
+        auto_upgrade(_auto_upgrade) {}
     // LCOV_EXCL_STOP
     void serialize(cereal::JSONInputArchive &archive_in);
 
@@ -69,6 +71,7 @@ public:
     const std::vector<NewAppsecException> & getAppsecExceptions() const;
     const std::vector<NewTrustedSourcesSpec> & getAppsecTrustedSourceSpecs() const;
     const std::vector<NewSourcesIdentifiers> & getAppsecSourceIdentifierSpecs() const;
+    const AppSecAutoUpgradeSpec & getAppSecAutoUpgradeSpec() const;
     void addSpecificRule(const NewParsedRule &_rule);
 
 private:
@@ -80,6 +83,7 @@ private:
     std::vector<NewAppsecException> exceptions;
     std::vector<NewTrustedSourcesSpec> trusted_sources;
     std::vector<NewSourcesIdentifiers> sources_identifiers;
+    AppSecAutoUpgradeSpec auto_upgrade;
 };
 
 #endif // __NEW_APPSEC_LINUX_POLICY_H__

components/security_apps/local_policy_mgmt_gen/include/new_appsec_policy_crd_parser.h

@@ -42,6 +42,7 @@ public:
     const std::string & getSourceIdentifiers() const;
     const std::string & getCustomResponse() const;
     const std::string & getTrustedSources() const;
+    const std::string & getUpgradeSettings() const;
     const std::string & getHost() const;
     const std::string & getMode() const;
 
@@ -56,6 +57,7 @@ private:
     std::string                 source_identifiers;
     std::string                 custom_response;
     std::string                 trusted_sources;
+    std::string                 upgrade_settings;
     std::string                 host;
     std::string                 mode;
 };

components/security_apps/local_policy_mgmt_gen/include/new_auto_upgrade.h

@@ -0,0 +1,47 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __NEW_AUTO_UPGRADE_H__
+#define __NEW_AUTO_UPGRADE_H__
+
+#include <string>
+#include <cereal/archives/json.hpp>
+#include <boost/uuid/uuid.hpp>
+#include <boost/uuid/uuid_generators.hpp>
+#include <boost/uuid/uuid_io.hpp>
+
+#include "config.h"
+#include "debug.h"
+#include "local_policy_common.h"
+
+class AppSecAutoUpgradeSpec
+{
+public:
+    void load(cereal::JSONInputArchive &archive_in);
+    void save(cereal::JSONOutputArchive& out_ar) const;
+
+    const std::string & getAppSecClassName() const;
+    const std::string & getName() const;
+    void setName(const std::string &_name);
+
+private:
+    std::string mode = "automatic";
+    std::vector<std::string> days;
+    std::string upgrade_window_start_hour_UTC;
+    uint upgrade_window_duration;
+
+    std::string name;
+    std::string appsec_class_name;
+};
+
+#endif // __NEW_AUTO_UPGRADE_H__

components/security_apps/local_policy_mgmt_gen/include/new_log_trigger.h

@@ -30,9 +30,11 @@ class NewAppsecTriggerAccessControlLogging
 public:
     void load(cereal::JSONInputArchive &archive_in);
 
+    bool isAcAllowEvents() const { return ac_allow_events; }
+    bool isAcDropEvents() const { return ac_drop_events; }
 private:
-    bool allow_events = false;
-    bool drop_events = false;
+    bool ac_allow_events = false;
+    bool ac_drop_events = false;
 };
 
 class NewAppsecTriggerAdditionalSuspiciousEventsLogging : public ClientRest
@@ -158,6 +160,7 @@ public:
     const NewAppsecTriggerLogging & getAppsecTriggerLogging() const;
     const NewAppsecTriggerExtendedLogging & getAppsecTriggerExtendedLogging() const;
     const NewAppsecTriggerLogDestination & getAppsecTriggerLogDestination() const;
+    const NewAppsecTriggerAccessControlLogging & getAppsecTriggerAccessControlLogging() const;
 
 private:
     NewAppsecTriggerAccessControlLogging access_control_logging;

components/security_apps/local_policy_mgmt_gen/include/new_practice.h

@@ -481,17 +481,22 @@ private:
 class NewSnortSignaturesAndOpenSchemaAPI
 {
 public:
+    NewSnortSignaturesAndOpenSchemaAPI() : is_temporary(false) {};
+
     void load(cereal::JSONInputArchive &archive_in);
 
     void addFile(const std::string &file_name);
     const std::string & getOverrideMode() const;
     const std::vector<std::string> & getConfigMap() const;
     const std::vector<std::string> & getFiles() const;
+    bool isTemporary() const;
+    void setTemporary(bool val);
 
 private:
     std::string override_mode;
     std::vector<std::string> config_map;
     std::vector<std::string> files;
+    bool is_temporary;
 };
 
 class NewAppSecWebBotsURI

components/security_apps/local_policy_mgmt_gen/include/policy_maker_utils.h

@@ -51,6 +51,7 @@ enum class AnnotationTypes {
     WEB_USER_RES,
     SOURCE_IDENTIFIERS,
     TRUSTED_SOURCES,
+    UPGRADE_SETTINGS,
     COUNT
 };
 
@@ -96,16 +97,17 @@ class PolicyWrapper
 {
 public:
     PolicyWrapper(
-        const SettingsWrapper &_settings,
+        const SettingsRulebase &_settings,
         const SecurityAppsWrapper &_security_apps)
             :
         settings(_settings),
         security_apps(_security_apps) {}
 
-    void save(cereal::JSONOutputArchive &out_ar) const;
+    const SettingsRulebase & getSettings() const { return settings; }
+    const SecurityAppsWrapper & getSecurityApps() const { return security_apps; }
 
 private:
-    SettingsWrapper settings;
+    SettingsRulebase settings;
     SecurityAppsWrapper security_apps;
 };
 
@@ -139,7 +141,11 @@ private:
 
     std::tuple<std::string, std::string, std::string> splitHostName(const std::string &host_name);
 
-    std::string dumpPolicyToFile(const PolicyWrapper &policy, const std::string &policy_path);
+    std::string dumpPolicyToFile(
+        const PolicyWrapper &policy,
+        const std::string &policy_path,
+        const std::string &settings_path = "/etc/cp/conf/settings.json"
+    );
 
     PolicyWrapper combineElementsToPolicy(const std::string &policy_version);
 
@@ -155,7 +161,7 @@ private:
         std::map<AnnotationTypes, std::string> &rule_annotations
     );
 
-    void createSnortProtecionsSection(const std::string &file_name, const std::string &practic_name);
+    void createSnortProtecionsSection(const std::string &file_name, bool is_temporary);
 
     void
     createSnortSections(
@@ -245,6 +251,7 @@ private:
     std::map<std::string, RateLimitSection> rate_limit;
     std::map<std::string, UsersIdentifiersRulebase> users_identifiers;
     std::map<std::string, AppSecTrustedSources> trusted_sources;
+    AppSecAutoUpgradeSpec upgrade_settings;
 };
 
 template<class T, class R>

components/security_apps/local_policy_mgmt_gen/include/settings_section.h

@@ -22,6 +22,7 @@
 #include "config.h"
 #include "debug.h"
 #include "local_policy_common.h"
+#include "new_auto_upgrade.h"
 
 // LCOV_EXCL_START Reason: no test exist
 class AgentSettingsSection
@@ -41,12 +42,18 @@ private:
 class SettingsRulebase
 {
 public:
-    SettingsRulebase(std::vector<AgentSettingsSection> _agentSettings) : agentSettings(_agentSettings) {}
+    SettingsRulebase(
+        std::vector<AgentSettingsSection> _agentSettings,
+        const AppSecAutoUpgradeSpec &_upgradeSettings)
+            :
+        agentSettings(_agentSettings),
+        upgrade_settings(_upgradeSettings) {}
 
     void save(cereal::JSONOutputArchive &out_ar) const;
 
 private:
     std::vector<AgentSettingsSection> agentSettings;
+    AppSecAutoUpgradeSpec upgrade_settings;
 };
 
 class SettingsWrapper

components/security_apps/local_policy_mgmt_gen/include/triggers_section.h

@@ -44,6 +44,8 @@ public:
         bool _responseBody,
         bool _tpDetect,
         bool _tpPrevent,
+        bool _acAllow,
+        bool _acDrop,
         bool _webBody,
         bool _webHeaders,
         bool _webRequests,
@@ -76,6 +78,8 @@ private:
     bool responseBody;
     bool tpDetect;
     bool tpPrevent;
+    bool acAllow;
+    bool acDrop;
     bool webBody;
     bool webHeaders;
     bool webRequests;
@@ -158,9 +162,11 @@ class AppsecTriggerAccessControlLogging
 public:
     void load(cereal::JSONInputArchive &archive_in);
 
+    bool isAcAllowEvents() const { return ac_allow_events; }
+    bool isAcDropEvents() const { return ac_drop_events; }
 private:
-    bool allow_events = false;
-    bool drop_events = false;
+    bool ac_allow_events = false;
+    bool ac_drop_events = false;
 };
 
 class AppsecTriggerAdditionalSuspiciousEventsLogging : public ClientRest
@@ -281,6 +287,7 @@ public:
     const AppsecTriggerLogging & getAppsecTriggerLogging() const;
     const AppsecTriggerExtendedLogging & getAppsecTriggerExtendedLogging() const;
     const AppsecTriggerLogDestination & getAppsecTriggerLogDestination() const;
+    const AppsecTriggerAccessControlLogging & getAppsecTriggerAccessControlLogging() const;
 
 private:
     AppsecTriggerAccessControlLogging access_control_logging;

components/security_apps/local_policy_mgmt_gen/k8s_policy_utils.cc

@@ -159,6 +159,7 @@ extractElementsFromNewRule(
     policy_elements_names[AnnotationTypes::WEB_USER_RES].insert(rule.getCustomResponse());
     policy_elements_names[AnnotationTypes::SOURCE_IDENTIFIERS].insert(rule.getSourceIdentifiers());
     policy_elements_names[AnnotationTypes::TRUSTED_SOURCES].insert(rule.getTrustedSources());
+    policy_elements_names[AnnotationTypes::UPGRADE_SETTINGS].insert(rule.getUpgradeSettings());
 }
 
 map<AnnotationTypes, unordered_set<string>>
@@ -356,8 +357,9 @@ K8sPolicyUtils::createSnortFile(vector<NewAppSecPracticeSpec> &practices) const
 {
     for (NewAppSecPracticeSpec &practice : practices) {
         auto orchestration_tools = Singleton::Consume<I_OrchestrationTools>::by<K8sPolicyUtils>();
-        auto path = "/etc/cp/conf/snort/snort_k8s_" + practice.getName() + ".rule";
+        auto path = getFilesystemPathConfig() + "/conf/snort/snort_k8s_" + practice.getName() + ".rule";
         bool append_mode = false;
+        practice.getSnortSignatures().setTemporary(true);
         for (const string &config_map : practice.getSnortSignatures().getConfigMap())
         {
             auto maybe_configmap = getObjectFromCluster<ConfigMaps>(
@@ -441,6 +443,15 @@ K8sPolicyUtils::createAppsecPolicyK8sFromV1beta2Crds(
         policy_elements_names[AnnotationTypes::TRUSTED_SOURCES]
     );
 
+    vector<AppSecAutoUpgradeSpec> vec_upgrade_settings = extractV1Beta2ElementsFromCluster<AppSecAutoUpgradeSpec>(
+        "autoupgrade",
+        policy_elements_names[AnnotationTypes::UPGRADE_SETTINGS]
+    );
+    if (vec_upgrade_settings.size() > 1) {
+        dbgWarning(D_LOCAL_POLICY) << "Only one definition of upgrade settings is required.";
+    }
+    auto upgrade_settings = vec_upgrade_settings.empty() ? AppSecAutoUpgradeSpec() : vec_upgrade_settings.front();
+
     V1beta2AppsecLinuxPolicy appsec_policy = V1beta2AppsecLinuxPolicy(
         appsec_policy_spec.getSpec(),
         threat_prevention_practices,
@@ -449,7 +460,8 @@ K8sPolicyUtils::createAppsecPolicyK8sFromV1beta2Crds(
         web_user_responses,
         exceptions,
         trusted_sources,
-        source_identifiers
+        source_identifiers,
+        upgrade_settings
     );
     return appsec_policy;
 }

components/security_apps/local_policy_mgmt_gen/new_appsec_linux_policy.cc

@@ -64,6 +64,12 @@ V1beta2AppsecLinuxPolicy::getAppsecSourceIdentifierSpecs() const
     return sources_identifiers;
 }
 
+const AppSecAutoUpgradeSpec &
+V1beta2AppsecLinuxPolicy::getAppSecAutoUpgradeSpec() const
+{
+    return auto_upgrade;
+}
+
 void
 V1beta2AppsecLinuxPolicy::addSpecificRule(const NewParsedRule &_rule)
 {
@@ -97,4 +103,5 @@ V1beta2AppsecLinuxPolicy::serialize(cereal::JSONInputArchive &archive_in)
     parseAppsecJSONKey<vector<NewAppsecException>>("exceptions", exceptions, archive_in);
     parseAppsecJSONKey<vector<NewTrustedSourcesSpec>>("trustedSources", trusted_sources, archive_in);
     parseAppsecJSONKey<vector<NewSourcesIdentifiers>>("sourcesIdentifiers", sources_identifiers, archive_in);
+    parseAppsecJSONKey<AppSecAutoUpgradeSpec>("autoUpgrade", auto_upgrade, archive_in);
 }

components/security_apps/local_policy_mgmt_gen/new_appsec_policy_crd_parser.cc

@@ -35,6 +35,7 @@ NewParsedRule::load(cereal::JSONInputArchive &archive_in)
     parseAppsecJSONKey<string>("customResponse", custom_response, archive_in);
     parseAppsecJSONKey<string>("sourceIdentifiers", source_identifiers, archive_in);
     parseAppsecJSONKey<string>("trustedSources", trusted_sources, archive_in);
+    parseAppsecJSONKey<string>("autoUpgrade", upgrade_settings, archive_in);
     try {
         archive_in(cereal::make_nvp("host", host));
     } catch (const cereal::Exception &e)
@@ -86,6 +87,12 @@ NewParsedRule::getTrustedSources() const
     return trusted_sources;
 }
 
+const string &
+NewParsedRule::getUpgradeSettings() const
+{
+    return upgrade_settings;
+}
+
 const string &
 NewParsedRule::getHost() const
 {

components/security_apps/local_policy_mgmt_gen/new_auto_upgrade.cc

@@ -0,0 +1,118 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "new_auto_upgrade.h"
+
+using namespace std;
+
+USE_DEBUG_FLAG(D_LOCAL_POLICY);
+
+static const set<string> valid_modes = {"automatic", "manual", "scheduled"};
+static const set<string> valid_days_of_week = {
+    "monday",
+    "tuesday",
+    "wednesday",
+    "thursday",
+    "friday",
+    "saturday",
+    "sunday"
+};
+
+class AppSecScheduledUpgrade
+{
+public:
+    void
+    load(cereal::JSONInputArchive &archive_in)
+    {
+        parseAppsecJSONKey<vector<string>>("days", days, archive_in);
+        for (const string &day : days) {
+            if (valid_days_of_week.count(day) == 0) {
+                dbgWarning(D_LOCAL_POLICY) << "AppSec upgrade day invalid: " << day;
+            }
+        }
+        parseAppsecJSONKey<string>("upgradeWindowStartHourUTC", upgrade_window_start_hour_UTC, archive_in, "0:00");
+        parseAppsecJSONKey<uint>("upgradeWindowDuration", upgrade_window_duration, archive_in, 4);
+    }
+
+    const vector<string> &
+    getDays() const
+    {
+        return days;
+    }
+
+    const string &
+    getUpgradeWindowStartHourUTC() const
+    {
+        return upgrade_window_start_hour_UTC;
+    }
+
+    const uint &
+    getUpgradeWindowDuration() const
+    {
+        return upgrade_window_duration;
+    }
+
+private:
+    vector<string> days;
+    string upgrade_window_start_hour_UTC = "0:00";
+    uint upgrade_window_duration = 4;
+};
+
+void
+AppSecAutoUpgradeSpec::load(cereal::JSONInputArchive &archive_in)
+{
+    dbgTrace(D_LOCAL_POLICY) << "Loading AppSec upgrade settings spec";
+    parseAppsecJSONKey<string>("appsecClassName", appsec_class_name, archive_in);
+    parseAppsecJSONKey<string>("name", name, archive_in);
+    parseAppsecJSONKey<string>("mode", mode, archive_in);
+    if (valid_modes.count(mode) == 0) {
+        dbgWarning(D_LOCAL_POLICY) << "AppSec upgrade mode invalid: " << mode;
+    }
+    if (mode != "scheduled") return;
+
+    AppSecScheduledUpgrade schedule;
+    parseAppsecJSONKey<AppSecScheduledUpgrade>("schedule", schedule, archive_in);
+    days = schedule.getDays();
+    upgrade_window_start_hour_UTC = schedule.getUpgradeWindowStartHourUTC();
+    upgrade_window_duration = schedule.getUpgradeWindowDuration();
+}
+
+void
+AppSecAutoUpgradeSpec::save(cereal::JSONOutputArchive& out_ar) const
+{
+    out_ar(cereal::make_nvp("upgradeMode", mode));
+    if (mode != "scheduled") return;
+    out_ar(
+        cereal::make_nvp("upgradeTime", upgrade_window_start_hour_UTC),
+        cereal::make_nvp("upgradeDurationHours", upgrade_window_duration),
+        cereal::make_nvp("upgradeDay", days)
+    );
+}
+
+void
+AppSecAutoUpgradeSpec::setName(const string &_name)
+{
+    name = _name;
+}
+
+const string &
+AppSecAutoUpgradeSpec::getName() const
+{
+    return name;
+}
+
+const string &
+AppSecAutoUpgradeSpec::getAppSecClassName() const
+{
+    return appsec_class_name;
+}

components/security_apps/local_policy_mgmt_gen/new_exceptions.cc

@@ -23,9 +23,9 @@ static const set<string> valid_actions = {"skip", "accept", "drop", "suppressLog
 void
 NewAppsecExceptionCondition::load(cereal::JSONInputArchive &archive_in)
 {
-    dbgTrace(D_LOCAL_POLICY) << "Loading New AppSec exception condition";
     parseAppsecJSONKey<string>("key", key, archive_in);
     parseAppsecJSONKey<string>("value", value, archive_in);
+    dbgTrace(D_LOCAL_POLICY) << "Key: " << key << " Value: " << value;
 }
 
 const string &

components/security_apps/local_policy_mgmt_gen/new_log_trigger.cc

@@ -26,8 +26,8 @@ void
 NewAppsecTriggerAccessControlLogging::load(cereal::JSONInputArchive &archive_in)
 {
     dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Trigger - Access Control Logging";
-    parseAppsecJSONKey<bool>("allowEvents", allow_events, archive_in, false);
-    parseAppsecJSONKey<bool>("dropEvents", drop_events, archive_in, false);
+    parseAppsecJSONKey<bool>("allowEvents", ac_allow_events, archive_in, false);
+    parseAppsecJSONKey<bool>("dropEvents", ac_drop_events, archive_in, false);
 }
 
 void
@@ -307,6 +307,13 @@ NewAppsecLogTrigger::getAppsecTriggerLogging() const
     return appsec_logging;
 }
 
+const NewAppsecTriggerAccessControlLogging &
+NewAppsecLogTrigger::getAppsecTriggerAccessControlLogging() const
+{
+    return access_control_logging;
+}
+
+
 const NewAppsecTriggerExtendedLogging &
 NewAppsecLogTrigger::getAppsecTriggerExtendedLogging() const
 {

components/security_apps/local_policy_mgmt_gen/new_practice.cc

@@ -107,9 +107,9 @@ void
 NewAppSecWebAttackProtections::load(cereal::JSONInputArchive &archive_in)
 {
     dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Web Attack Protections";
-    parseAppsecJSONKey<string>("csrfEnabled", csrf_protection, archive_in, "inactive");
-    parseAppsecJSONKey<string>("errorDisclosureEnabled", error_disclosure, archive_in, "inactive");
-    parseAppsecJSONKey<string>("openRedirectEnabled", open_redirect, archive_in, "inactive");
+    parseAppsecJSONKey<string>("csrfProtection", csrf_protection, archive_in, "inactive");
+    parseAppsecJSONKey<string>("errorDisclosure", error_disclosure, archive_in, "inactive");
+    parseAppsecJSONKey<string>("openRedirect", open_redirect, archive_in, "inactive");
     parseAppsecJSONKey<bool>("nonValidHttpMethods", non_valid_http_methods, archive_in, false);
 }
 
@@ -441,6 +441,8 @@ NewSnortSignaturesAndOpenSchemaAPI::load(cereal::JSONInputArchive &archive_in)
     dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Snort Signatures practice";
     parseAppsecJSONKey<string>("overrideMode", override_mode, archive_in, "inactive");
     parseAppsecJSONKey<vector<string>>("configmap", config_map, archive_in);
+    parseAppsecJSONKey<vector<string>>("files", files, archive_in);
+    is_temporary = false;
     if (valid_modes.count(override_mode) == 0) {
         dbgWarning(D_LOCAL_POLICY) << "AppSec Snort Signatures override mode invalid: " << override_mode;
     }
@@ -470,6 +472,18 @@ NewSnortSignaturesAndOpenSchemaAPI::getConfigMap() const
     return config_map;
 }
 
+bool
+NewSnortSignaturesAndOpenSchemaAPI::isTemporary() const
+{
+    return is_temporary;
+}
+
+void
+NewSnortSignaturesAndOpenSchemaAPI::setTemporary(bool val)
+{
+    is_temporary = val;
+}
+
 void
 IpsProtectionsRulesSection::save(cereal::JSONOutputArchive &out_ar) const
 {

components/security_apps/local_policy_mgmt_gen/policy_maker_utils.cc

@@ -38,12 +38,6 @@ SecurityAppsWrapper::save(cereal::JSONOutputArchive &out_ar) const
     );
 }
 
-void
-PolicyWrapper::save(cereal::JSONOutputArchive &out_ar) const
-{
-    security_apps.save(out_ar);
-}
-
 string
 PolicyMakerUtils::getPolicyName(const string &policy_path)
 {
@@ -150,16 +144,19 @@ PolicyMakerUtils::splitHostName(const string &host_name)
 }
 
 string
-PolicyMakerUtils::dumpPolicyToFile(const PolicyWrapper &policy, const string &policy_path)
+PolicyMakerUtils::dumpPolicyToFile(
+    const PolicyWrapper &policy,
+    const string &policy_path,
+    const string &settings_path)
 {
     clearElementsMaps();
 
-    stringstream ss;
+    stringstream policy_ss, settings_ss;
     {
-        cereal::JSONOutputArchive ar(ss);
-        policy.save(ar);
+        cereal::JSONOutputArchive ar(policy_ss);
+        policy.getSecurityApps().save(ar);
     }
-    string policy_str = ss.str();
+    string policy_str = policy_ss.str();
     try {
         ofstream policy_file(policy_path);
         policy_file << policy_str;
@@ -169,6 +166,20 @@ PolicyMakerUtils::dumpPolicyToFile(const PolicyWrapper &policy, const string &po
         return "";
     }
 
+    {
+        cereal::JSONOutputArchive ar(settings_ss);
+        policy.getSettings().save(ar);
+    }
+    string settings_str = settings_ss.str();
+    try {
+        ofstream settings_file(settings_path);
+        settings_file << settings_str;
+        settings_file.close();
+    } catch (const ofstream::failure &e) {
+        dbgDebug(D_NGINX_POLICY) << "Error while writing settings to " << settings_path << ", Error: " << e.what();
+    }
+    dbgDebug(D_LOCAL_POLICY) << settings_path << " content: " << settings_str;
+
     return policy_str;
 }
 
@@ -517,6 +528,8 @@ extractLogTriggerData(const string &trigger_annotation_name, const T &trigger_sp
         trigger_spec.getAppsecTriggerAdditionalSuspiciousEventsLogging().getMinimumSeverity();
     bool tpDetect = trigger_spec.getAppsecTriggerLogging().isDetectEvents();
     bool tpPrevent = trigger_spec.getAppsecTriggerLogging().isPreventEvents();
+    bool acAllow = trigger_spec.getAppsecTriggerAccessControlLogging().isAcAllowEvents();
+    bool acDrop = trigger_spec.getAppsecTriggerAccessControlLogging().isAcDropEvents();
     bool webRequests = trigger_spec.getAppsecTriggerLogging().isAllWebRequests();
     bool webUrlPath = trigger_spec.getAppsecTriggerExtendedLogging().isUrlPath();
     bool webUrlQuery = trigger_spec.getAppsecTriggerExtendedLogging().isUrlQuery();
@@ -555,6 +568,8 @@ extractLogTriggerData(const string &trigger_annotation_name, const T &trigger_sp
         responseBody,
         tpDetect,
         tpPrevent,
+        acAllow,
+        acDrop,
         webBody,
         webHeaders,
         webRequests,
@@ -1004,13 +1019,21 @@ PolicyMakerUtils::createIpsSections(
 }
 
 void
-PolicyMakerUtils::createSnortProtecionsSection(const string &file_name, const string &practice_name)
+PolicyMakerUtils::createSnortProtecionsSection(const string &file_name, bool is_temporary)
 {
-    auto path = getFilesystemPathConfig() + "/conf/snort/snort_k8s_" + practice_name;
-    if (snort_protections.find(path) != snort_protections.end()) return;
+    auto path = getFilesystemPathConfig() + "/conf/snort/" + file_name;
+    string in_file = is_temporary ? path + ".rule" : path;
 
-    auto snort_scriipt_path = getFilesystemPathConfig() + "/scripts/snort_to_ips_local.py";
-    auto cmd = "python " + snort_scriipt_path + " " + path + ".rule " + path + ".out " + path + ".err";
+    if (snort_protections.find(path) != snort_protections.end()) {
+        dbgTrace(D_LOCAL_POLICY) << "Snort protections section for file " << file_name << " already exists";
+        return;
+    }
+    dbgTrace(D_LOCAL_POLICY)
+        << "Reading snort signatures from"
+        << (is_temporary ? " temporary" : "") << " file " << path;
+
+    auto snort_script_path = getFilesystemPathConfig() + "/scripts/snort_to_ips_local.py";
+    auto cmd = "python3 " + snort_script_path + " " + in_file + " " + path + ".out " + path + ".err";
 
     auto res = Singleton::Consume<I_ShellCmd>::by<LocalPolicyMgmtGenerator>()->getExecOutput(cmd);
 
@@ -1026,7 +1049,7 @@ PolicyMakerUtils::createSnortProtecionsSection(const string &file_name, const st
     }
 
     auto i_orchestration_tools = Singleton::Consume<I_OrchestrationTools>::by<LocalPolicyMgmtGenerator>();
-    i_orchestration_tools->removeFile(path + ".rule");
+    if (is_temporary) i_orchestration_tools->removeFile(in_file);
     i_orchestration_tools->removeFile(path + ".out");
     i_orchestration_tools->removeFile(path + ".err");
 
@@ -1055,7 +1078,14 @@ PolicyMakerUtils::createSnortSections(
         apssec_practice.getSnortSignatures().getFiles().size() == 0) {
         return;
     }
-    createSnortProtecionsSection(apssec_practice.getSnortSignatures().getFiles()[0], apssec_practice.getName());
+
+    if (apssec_practice.getSnortSignatures().isTemporary()) {
+        createSnortProtecionsSection("snort_k8s_" + apssec_practice.getName(), true);
+    } else if (apssec_practice.getSnortSignatures().getFiles().size() > 0) {
+        // when support for multiple files is ready, will iterate over the files array
+        auto file = apssec_practice.getSnortSignatures().getFiles()[0];
+        createSnortProtecionsSection(file, false);
+    }
 
     SnortProtectionsSection snort_section = SnortProtectionsSection(
         context,
@@ -1160,7 +1190,7 @@ PolicyMakerUtils::createWebAppSection(
         apssec_practice.getWebAttacks().getMaxUrlSizeBytes()
     );
     WebAppSection web_app = WebAppSection(
-        full_url == "Any" ? "" : full_url,
+        full_url == "Any" ? "http://*:*" : full_url,
         rule_config.getAssetId(),
         rule_config.getAssetName(),
         rule_config.getAssetId(),
@@ -1271,17 +1301,16 @@ PolicyMakerUtils::createThreatPreventionPracticeSections(
 
 }
 
-SettingsWrapper
-createProfilesSection()
+SettingsRulebase
+createSettingsSection(const AppSecAutoUpgradeSpec &upgrade_settings)
 {
     string agent_settings_key = "agent.test.policy";
     string agent_settings_value = "local policy";
     AgentSettingsSection agent_setting_1 = AgentSettingsSection(agent_settings_key, agent_settings_value);
 
-    SettingsRulebase settings_rulebase_1 = SettingsRulebase({agent_setting_1});
-    return SettingsWrapper(settings_rulebase_1);
+    return SettingsRulebase({agent_setting_1}, upgrade_settings);
+
 }
-// LCOV_EXCL_STOP
 
 PolicyWrapper
 PolicyMakerUtils::combineElementsToPolicy(const string &policy_version)
@@ -1313,8 +1342,8 @@ PolicyMakerUtils::combineElementsToPolicy(const string &policy_version)
         policy_version
     );
 
-    SettingsWrapper profiles_section = createProfilesSection();
-    PolicyWrapper policy_wrapper = PolicyWrapper(profiles_section, security_app_section);
+    SettingsRulebase settings_section = createSettingsSection(upgrade_settings);
+    PolicyWrapper policy_wrapper = PolicyWrapper(settings_section, security_app_section);
 
     return policy_wrapper;
 }
@@ -1433,7 +1462,7 @@ PolicyMakerUtils::createPolicyElementsByRule(
 
         if (!web_apps.count(rule_config.getAssetName())) {
             WebAppSection web_app = WebAppSection(
-                full_url == "Any" ? "" : full_url,
+                full_url == "Any" ? "http://*:*" : full_url,
                 rule_config.getAssetId(),
                 rule_config.getAssetName(),
                 rule_config.getAssetId(),
@@ -1553,6 +1582,7 @@ PolicyMakerUtils::createPolicyElementsByRule<V1beta2AppsecLinuxPolicy, NewParsed
         rule_annotations
     );
 
+    upgrade_settings = policy.getAppSecAutoUpgradeSpec();
 }
 // LCOV_EXCL_STOP
 

components/security_apps/local_policy_mgmt_gen/triggers_section.cc

@@ -35,6 +35,8 @@ LogTriggerSection::LogTriggerSection(
     bool _responseBody,
     bool _tpDetect,
     bool _tpPrevent,
+    bool _acAllow,
+    bool _acDrop,
     bool _webBody,
     bool _webHeaders,
     bool _webRequests,
@@ -58,6 +60,8 @@ LogTriggerSection::LogTriggerSection(
     responseBody(_responseBody),
     tpDetect(_tpDetect),
     tpPrevent(_tpPrevent),
+    acAllow(_acAllow),
+    acDrop(_acDrop),
     webBody(_webBody),
     webHeaders(_webHeaders),
     webRequests(_webRequests),
@@ -88,8 +92,8 @@ LogTriggerSection::save(cereal::JSONOutputArchive &out_ar) const
         cereal::make_nvp("triggerName",              name),
         cereal::make_nvp("triggerType",              trigger_type),
         cereal::make_nvp("verbosity",                verbosity),
-        cereal::make_nvp("acAllow",                  false),
-        cereal::make_nvp("acDrop",                   false),
+        cereal::make_nvp("acAllow",                  acAllow),
+        cereal::make_nvp("acDrop",                   acDrop),
         cereal::make_nvp("complianceViolations",     false),
         cereal::make_nvp("complianceWarnings",       false),
         cereal::make_nvp("extendloggingMinSeverity", extendloggingMinSeverity),
@@ -242,8 +246,8 @@ void
 AppsecTriggerAccessControlLogging::load(cereal::JSONInputArchive &archive_in)
 {
     dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Trigger - Access Control Logging";
-    parseAppsecJSONKey<bool>("allow-events", allow_events, archive_in, false);
-    parseAppsecJSONKey<bool>("drop-events", drop_events, archive_in, false);
+    parseAppsecJSONKey<bool>("allow-events", ac_allow_events, archive_in, false);
+    parseAppsecJSONKey<bool>("drop-events", ac_drop_events, archive_in, false);
 }
 
 void
@@ -526,6 +530,13 @@ AppsecTriggerSpec::getAppsecTriggerLogDestination() const
     return log_destination;
 }
 
+const AppsecTriggerAccessControlLogging &
+AppsecTriggerSpec::getAppsecTriggerAccessControlLogging() const
+{
+    return access_control_logging;
+}
+
+
 void
 TriggersWrapper::save(cereal::JSONOutputArchive &out_ar) const
 {

components/security_apps/orchestration/include/declarative_policy_utils.h

@@ -14,7 +14,6 @@
 #include "i_orchestration_tools.h"
 #include "i_agent_details.h"
 #include "i_orchestration_status.h"
-#include "i_messaging.h"
 #include "i_mainloop.h"
 #include "i_encryptor.h"
 #include "i_details_resolver.h"
@@ -23,6 +22,7 @@
 #include "i_shell_cmd.h"
 #include "i_encryptor.h"
 #include "i_env_details.h"
+#include "i_declarative_policy.h"
 #include "maybe_res.h"
 #include "event.h"
 #include "rest.h"
@@ -43,6 +43,7 @@ private:
 
 class DeclarativePolicyUtils
         :
+    public Singleton::Provide<I_DeclarativePolicy>::SelfInterface,
     public Singleton::Consume<I_ShellCmd>,
     Singleton::Consume<I_LocalPolicyMgmtGen>,
     Singleton::Consume<I_EnvDetails>,
@@ -75,13 +76,12 @@ public:
         const std::string &tenant_id,
         const std::string &profile_id,
         const std::string &fog_address
-    );
-    std::string getUpdate(CheckUpdateRequest &request);
-    bool shouldApplyPolicy();
-    void turnOffApplyPolicyFlag();
+    ) override;
+    std::string getUpdate(CheckUpdateRequest &request) override;
+    bool shouldApplyPolicy() override;
+    void turnOffApplyPolicyFlag() override;
 
-    std::string getCurrVersion() { return curr_version; }
-    std::string getCurrPolicy() { return curr_policy; }
+    std::string getCurrPolicy() override { return curr_policy; }
 
     void upon(const ApplyPolicyEvent &event) override;
 

components/security_apps/orchestration/include/fog_communication.h

@@ -47,7 +47,7 @@ public:
     ) const override;
 
 private:
-    DeclarativePolicyUtils declarative_policy_utils;
+    I_DeclarativePolicy *i_declarative_policy = nullptr;
 };
 
 #endif // __FOG_COMMUNICATION_H__

components/security_apps/orchestration/include/hybrid_communication.h

@@ -54,7 +54,7 @@ public:
 private:
     Maybe<std::string> getNewVersion();
 
-    DeclarativePolicyUtils declarative_policy_utils;
+    I_DeclarativePolicy *i_declarative_policy = nullptr;
 };
 
 #endif // __HYBRID_COMMUNICATION_H__

components/security_apps/orchestration/include/i_declarative_policy.h

@@ -0,0 +1,32 @@
+#ifndef __I_DECLARATIVE_POLICY__
+#define __I_DECLARATIVE_POLICY__
+
+#include <string>
+
+#include "singleton.h"
+#include "orchestrator/rest_api/orchestration_check_update.h"
+
+class I_DeclarativePolicy
+{
+public:
+    virtual bool shouldApplyPolicy() = 0;
+
+    virtual std::string getUpdate(CheckUpdateRequest &request) = 0;
+
+    virtual void sendUpdatesToFog(
+        const std::string &access_token,
+        const std::string &tenant_id,
+        const std::string &profile_id,
+        const std::string &fog_address
+    ) = 0;
+
+    virtual std::string getCurrPolicy() = 0;
+
+    virtual void turnOffApplyPolicyFlag() = 0;
+
+protected:
+    virtual ~I_DeclarativePolicy() {}
+};
+
+
+#endif // __I_DECLARATIVE_POLICY__

components/security_apps/orchestration/include/mock/mock_update_communication.h

@@ -27,9 +27,13 @@ class MockUpdateCommunication :
     public Singleton::Provide<I_UpdateCommunication>::From<MockProvider<I_UpdateCommunication>>
 {
 public:
+    void init() {}
     MOCK_METHOD0(authenticateAgent, Maybe<void>());
     MOCK_METHOD1(getUpdate, Maybe<void>(CheckUpdateRequest &));
-    MOCK_METHOD1(downloadAttributeFile, Maybe<std::string>(const GetResourceFile &));
+    MOCK_METHOD2(
+        downloadAttributeFile,
+        Maybe<std::string>(const GetResourceFile &, const std::string &)
+    );
     MOCK_METHOD1(setAddressExtenesion, void(const std::string &));
     MOCK_CONST_METHOD2(sendPolicyVersion, Maybe<void>(const std::string &, const std::string &));
 };

components/security_apps/orchestration/orchestration_comp.cc

@@ -1668,6 +1668,7 @@ private:
 
         if (getAttribute("no-setting", "CROWDSEC_ENABLED") == "true") tags.insert(Tags::CROWDSEC);
         if (getAttribute("no-setting", "PLAYGROUND") == "true") tags.insert(Tags::PLAYGROUND);
+        if (getAttribute("no-setting", "nginxproxymanager") == "true") tags.insert(Tags::NGINX_PROXY_MANAGER);
 
         Report registration_report(
             "Local Agent Data",

components/security_apps/orchestration/service_controller/service_controller.cc

@@ -27,6 +27,7 @@
 #include "log_generator.h"
 #include "i_orchestration_tools.h"
 #include "customized_cereal_map.h"
+#include "declarative_policy_utils.h"
 
 using namespace std;
 using namespace ReportIS;
@@ -745,6 +746,7 @@ ServiceController::Impl::updateServiceConfiguration(
         dbgDebug(D_ORCHESTRATOR) << "Policy file was not updated. Sending reload command regarding settings and data";
         auto signal_services = sendSignalForServices(nano_services_to_update, "");
         if (!signal_services.ok()) return signal_services.passErr();
+        Singleton::Consume<I_DeclarativePolicy>::from<DeclarativePolicyUtils>()->turnOffApplyPolicyFlag();
         return Maybe<void>();
     }
 
@@ -888,6 +890,7 @@ ServiceController::Impl::updateServiceConfiguration(
         if (new_policy_path.compare(config_file_path) == 0) {
             dbgDebug(D_ORCHESTRATOR) << "Enforcing the default policy file";
             policy_version = version_value;
+            Singleton::Consume<I_DeclarativePolicy>::from<DeclarativePolicyUtils>()->turnOffApplyPolicyFlag();
             return Maybe<void>();
         }
 
@@ -906,6 +909,7 @@ ServiceController::Impl::updateServiceConfiguration(
     }
 
     if (!was_policy_updated && !send_signal_for_services_err.empty()) return genError(send_signal_for_services_err);
+    Singleton::Consume<I_DeclarativePolicy>::from<DeclarativePolicyUtils>()->turnOffApplyPolicyFlag();
     return Maybe<void>();
 }
 

components/security_apps/orchestration/service_controller/service_controller_ut/service_controller_ut.cc

@@ -7,6 +7,7 @@
 #include "service_controller.h"
 #include "config.h"
 #include "config_component.h"
+#include "declarative_policy_utils.h"
 #include "mock/mock_orchestration_tools.h"
 #include "mock/mock_orchestration_status.h"
 #include "mock/mock_time_get.h"
@@ -158,10 +159,26 @@ public:
         return string_stream.str();
     }
 
+    void
+    expectNewConfigRequest(const string &req_body, const string &response)
+    {
+        EXPECT_CALL(
+            mock_message,
+            sendSyncMessage(
+                HTTPMethod::POST,
+                "/set-new-configuration",
+                req_body,
+                _,
+                _
+            )
+        ).WillOnce(Return(HTTPResponse(HTTPStatusCode::HTTP_OK, response)));
+    }
+
     const uint16_t                      l4_firewall_service_port = 8888;
     const uint16_t                      waap_service_port = 7777;
     ::Environment                       env;
     ConfigComponent                     config;
+    DeclarativePolicyUtils              declarative_policy_utils;
     string                              configuration_dir;
     string                              policy_extension;
     string                              settings_extension;
@@ -176,7 +193,7 @@ public:
     string                              services_port;
     StrictMock<MockTimeGet>             time;
     StrictMock<MockRestApi>             mock_rest_api;
-    StrictMock<MockMessaging>           mock_message;
+    StrictMock<MockMessaging>         mock_message;
     StrictMock<MockMainLoop>            mock_ml;
     StrictMock<MockShellCmd>            mock_shell_cmd;
     StrictMock<MockOrchestrationStatus> mock_orchestration_status;
@@ -254,6 +271,9 @@ TEST_F(ServiceControllerTest, UpdateConfiguration)
     EXPECT_EQ(i_service_controller->getPolicyVersion(), "");
     EXPECT_EQ(i_service_controller->getPolicyVersions(), "");
 
+    EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::MD5, file_name))
+        .WillOnce(Return(version_value));
+
     EXPECT_CALL(mock_orchestration_tools, copyFile(policy_file_path, policy_file_path + backup_extension))
         .WillOnce(Return(true));
     EXPECT_CALL(mock_orchestration_tools, copyFile(file_name, policy_file_path)).WillOnce(Return(true));
@@ -262,23 +282,7 @@ TEST_F(ServiceControllerTest, UpdateConfiguration)
     string general_settings_path = "/my/settings/path";
     string reply_msg = "{\"id\": 1, \"error\": false, \"finished\": true, \"error_message\": \"\"}";
 
-    Flags<MessageConnConfig> conn_flags;
-    conn_flags.setFlag(MessageConnConfig::ONE_TIME_CONN);
-    EXPECT_CALL(
-        mock_message,
-        sendMessage(
-            true,
-            "{\n    \"id\": 1,\n    \"policy_version\": \"1.0.2\"\n}",
-            I_Messaging::Method::POST,
-            string("127.0.0.1"),
-            l4_firewall_service_port,
-            conn_flags,
-            string("/set-new-configuration"),
-            string(),
-            _,
-            MessageTypeTag::GENERIC
-        )
-    ).WillOnce(Return(Maybe<string>(reply_msg)));
+    expectNewConfigRequest("{\n    \"id\": 1,\n    \"policy_version\": \"1.0.2,1.0.2\"\n}", reply_msg);
 
     EXPECT_CALL(
         mock_shell_cmd,
@@ -369,6 +373,9 @@ TEST_F(ServiceControllerTest, supportVersions)
     EXPECT_EQ(i_service_controller->getPolicyVersion(), "");
     EXPECT_EQ(i_service_controller->getPolicyVersions(), "");
 
+    EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::MD5, file_name))
+        .WillOnce(Return(version_value));
+
     EXPECT_CALL(mock_orchestration_tools, copyFile(policy_file_path, policy_file_path + backup_extension))
         .WillOnce(Return(true));
     EXPECT_CALL(mock_orchestration_tools, copyFile(file_name, policy_file_path)).WillOnce(Return(true));
@@ -377,23 +384,7 @@ TEST_F(ServiceControllerTest, supportVersions)
     string general_settings_path = "/my/settings/path";
     string reply_msg = "{\"id\": 1, \"error\": false, \"finished\": true, \"error_message\": \"\"}";
 
-    Flags<MessageConnConfig> conn_flags;
-    conn_flags.setFlag(MessageConnConfig::ONE_TIME_CONN);
-    EXPECT_CALL(
-        mock_message,
-        sendMessage(
-            true,
-            "{\n    \"id\": 1,\n    \"policy_version\": \"1.0.2\"\n}",
-            I_Messaging::Method::POST,
-            string("127.0.0.1"),
-            l4_firewall_service_port,
-            conn_flags,
-            string("/set-new-configuration"),
-            string(),
-            _,
-            MessageTypeTag::GENERIC
-        )
-    ).WillOnce(Return(Maybe<string>(reply_msg)));
+    expectNewConfigRequest("{\n    \"id\": 1,\n    \"policy_version\": \"1.0.2,1.0.2\"\n}", reply_msg);
 
     EXPECT_CALL(
         mock_shell_cmd,
@@ -464,6 +455,9 @@ TEST_F(ServiceControllerTest, TimeOutUpdateConfiguration)
 
     EXPECT_EQ(i_service_controller->getPolicyVersion(), "");
 
+    EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::MD5, file_name))
+        .WillOnce(Return(version_value));
+
     EXPECT_CALL(mock_orchestration_tools, copyFile(policy_file_path, policy_file_path + backup_extension))
         .WillOnce(Return(true));
     EXPECT_CALL(mock_orchestration_tools, copyFile(file_name, policy_file_path)).WillOnce(Return(true));
@@ -493,24 +487,7 @@ TEST_F(ServiceControllerTest, TimeOutUpdateConfiguration)
 
     string general_settings_path = "/my/settings/path";
     string reply_msg = "{\"id\": 1, \"error\": false, \"finished\": true, \"error_message\": \"\"}";
-
-    Flags<MessageConnConfig> conn_flags;
-    conn_flags.setFlag(MessageConnConfig::ONE_TIME_CONN);
-    EXPECT_CALL(
-        mock_message,
-        sendMessage(
-            true,
-            "{\n    \"id\": 1,\n    \"policy_version\": \"1.0.2\"\n}",
-            I_Messaging::Method::POST,
-            string("127.0.0.1"),
-            l4_firewall_service_port,
-            conn_flags,
-            string("/set-new-configuration"),
-            string(),
-            _,
-            MessageTypeTag::GENERIC
-        )
-    ).WillOnce(Return(Maybe<string>(reply_msg)));
+    expectNewConfigRequest("{\n    \"id\": 1,\n    \"policy_version\": \"1.0.2,1.0.2\"\n}", reply_msg);
 
     EXPECT_TRUE(i_service_controller->updateServiceConfiguration(file_name, general_settings_path).ok());
     EXPECT_EQ(i_service_controller->getPolicyVersion(), version_value);
@@ -585,6 +562,9 @@ TEST_F(ServiceControllerTest, writeRegisteredServicesFromFile)
 
     EXPECT_EQ(i_service_controller->getPolicyVersion(), "");
 
+    EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::MD5, file_name))
+        .WillOnce(Return(version_value));
+
     EXPECT_CALL(mock_orchestration_tools, copyFile(policy_file_path, policy_file_path + backup_extension))
         .WillOnce(Return(true));
     EXPECT_CALL(mock_orchestration_tools, copyFile(file_name, policy_file_path)).WillOnce(Return(true));
@@ -593,23 +573,7 @@ TEST_F(ServiceControllerTest, writeRegisteredServicesFromFile)
     string general_settings_path = "/my/settings/path";
     string reply_msg = "{\"id\": 1, \"error\": false, \"finished\": true, \"error_message\": \"\"}";
 
-    Flags<MessageConnConfig> conn_flags;
-    conn_flags.setFlag(MessageConnConfig::ONE_TIME_CONN);
-    EXPECT_CALL(
-        mock_message,
-        sendMessage(
-            true,
-            "{\n    \"id\": 1,\n    \"policy_version\": \"1.0.2\"\n}",
-            I_Messaging::Method::POST,
-            string("127.0.0.1"),
-            l4_firewall_service_port,
-            conn_flags,
-            string("/set-new-configuration"),
-            string(),
-            _,
-            MessageTypeTag::GENERIC
-        )
-    ).WillOnce(Return(Maybe<string>(reply_msg)));
+    expectNewConfigRequest("{\n    \"id\": 1,\n    \"policy_version\": \"1.0.2,1.0.2\"\n}", reply_msg);
 
     EXPECT_CALL(
         mock_shell_cmd,
@@ -732,24 +696,11 @@ TEST_F(ServiceControllerTest, noPolicyUpdate)
     EXPECT_CALL(mock_orchestration_status,
         setServiceConfiguration("l4_firewall", l4_firewall_policy_path, OrchestrationStatusConfigType::POLICY));
 
+    EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::MD5, file_name))
+        .WillOnce(Return(version_value));
+
     string reply_msg = "{\"id\": 1, \"error\": false, \"finished\": true, \"error_message\": \"\"}";
-    Flags<MessageConnConfig> conn_flags;
-    conn_flags.setFlag(MessageConnConfig::ONE_TIME_CONN);
-    EXPECT_CALL(
-        mock_message,
-        sendMessage(
-            true,
-            "{\n    \"id\": 1,\n    \"policy_version\": \"1.0.2\"\n}",
-            I_Messaging::Method::POST,
-            string("127.0.0.1"),
-            l4_firewall_service_port,
-            conn_flags,
-            string("/set-new-configuration"),
-            string(),
-            _,
-            MessageTypeTag::GENERIC
-        )
-    ).WillOnce(Return(Maybe<string>(reply_msg)));
+    expectNewConfigRequest("{\n    \"id\": 1,\n    \"policy_version\": \"1.0.2,1.0.2\"\n}", reply_msg);
 
     EXPECT_CALL(
         mock_shell_cmd,
@@ -818,6 +769,9 @@ TEST_F(ServiceControllerTest, SettingsAndPolicyUpdateCombinations)
 
     EXPECT_EQ(i_service_controller->getPolicyVersion(), "");
 
+    EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::MD5, file_name))
+        .WillOnce(Return(version_value));
+
     EXPECT_CALL(mock_orchestration_tools, copyFile(policy_file_path, policy_file_path + backup_extension))
         .WillOnce(Return(true));
     EXPECT_CALL(mock_orchestration_tools, copyFile(file_name, policy_file_path)).WillOnce(Return(true));
@@ -835,24 +789,7 @@ TEST_F(ServiceControllerTest, SettingsAndPolicyUpdateCombinations)
 
     string general_settings_path = "/my/settings/path";
     string reply_msg1 = "{\"id\": 1, \"error\": false, \"finished\": true, \"error_message\": \"\"}";
-
-    Flags<MessageConnConfig> conn_flags;
-    conn_flags.setFlag(MessageConnConfig::ONE_TIME_CONN);
-    EXPECT_CALL(
-        mock_message,
-        sendMessage(
-            true,
-            "{\n    \"id\": 1,\n    \"policy_version\": \"1.0.2\"\n}",
-            I_Messaging::Method::POST,
-            string("127.0.0.1"),
-            l4_firewall_service_port,
-            conn_flags,
-            string("/set-new-configuration"),
-            string(),
-            _,
-            MessageTypeTag::GENERIC
-        )
-    ).WillOnce(Return(Maybe<string>(reply_msg1)));
+    expectNewConfigRequest("{\n    \"id\": 1,\n    \"policy_version\": \"1.0.2,1.0.2\"\n}", reply_msg1);
 
     // both policy and settings now being updated
     EXPECT_TRUE(i_service_controller->updateServiceConfiguration(file_name, general_settings_path).ok());
@@ -871,26 +808,14 @@ TEST_F(ServiceControllerTest, SettingsAndPolicyUpdateCombinations)
     EXPECT_CALL(mock_orchestration_tools, copyFile(file_name, policy_file_path)).WillOnce(Return(true));
     EXPECT_CALL(mock_orchestration_status,
         setServiceConfiguration("l4_firewall", l4_firewall_policy_path, OrchestrationStatusConfigType::POLICY));
+
+    EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::MD5, file_name))
+        .WillOnce(Return(version_value));
+
     general_settings_path += "/new";
 
     string reply_msg2 = "{\"id\": 2, \"error\": false, \"finished\": true, \"error_message\": \"\"}";
-    Flags<MessageConnConfig> conn_flags2;
-    conn_flags2.setFlag(MessageConnConfig::ONE_TIME_CONN);
-    EXPECT_CALL(
-        mock_message,
-        sendMessage(
-            true,
-            "{\n    \"id\": 2,\n    \"policy_version\": \"1.0.2\"\n}",
-            I_Messaging::Method::POST,
-            string("127.0.0.1"),
-            l4_firewall_service_port,
-            conn_flags2,
-            string("/set-new-configuration"),
-            string(),
-            _,
-            MessageTypeTag::GENERIC
-        )
-    ).WillRepeatedly(Return(Maybe<string>(reply_msg2)));
+    expectNewConfigRequest("{\n    \"id\": 2,\n    \"policy_version\": \"1.0.2,1.0.2\"\n}", reply_msg2);
 
     EXPECT_TRUE(i_service_controller->updateServiceConfiguration(file_name, general_settings_path).ok());
     EXPECT_EQ(i_service_controller->getPolicyVersion(), version_value);
@@ -964,6 +889,9 @@ TEST_F(ServiceControllerTest, backup)
     EXPECT_CALL(mock_orchestration_status,
         setServiceConfiguration("l4_firewall", l4_firewall_policy_path, OrchestrationStatusConfigType::POLICY));
 
+    EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::MD5, file_name))
+        .WillOnce(Return(version_value));
+
     EXPECT_CALL(
         mock_orchestration_tools,
         copyFile(l4_firewall_policy_path, l4_firewall_policy_path + backup_extension)
@@ -988,21 +916,8 @@ TEST_F(ServiceControllerTest, backup)
     ).WillRepeatedly(Return(string("registered and running")));
 
     string reply_msg = "{\"id\": 1, \"error\": false, \"finished\": true, \"error_message\": \"\"}";
-    EXPECT_CALL(
-        mock_message,
-        sendMessage(
-            _,
-            _,
-            _,
-            "127.0.0.1",
-            l4_firewall_service_port,
-            _,
-            "/set-new-configuration",
-            _,
-            _,
-            MessageTypeTag::GENERIC
-        )
-    ).WillOnce(Return(Maybe<string>(reply_msg)));
+    EXPECT_CALL(mock_message, sendSyncMessage(_, "/set-new-configuration", _, _, _))
+        .WillOnce(Return(HTTPResponse(HTTPStatusCode::HTTP_OK, reply_msg)));
 
     EXPECT_EQ(i_service_controller->getPolicyVersion(), "");
     EXPECT_TRUE(i_service_controller->updateServiceConfiguration(file_name, "").ok());
@@ -1077,6 +992,9 @@ TEST_F(ServiceControllerTest, backup_file_doesnt_exist)
     EXPECT_CALL(mock_orchestration_status,
         setServiceConfiguration("l4_firewall", l4_firewall_policy_path, OrchestrationStatusConfigType::POLICY));
 
+    EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::MD5, file_name))
+        .WillOnce(Return(version_value));
+
     EXPECT_CALL(
         mock_orchestration_tools,
         copyFile(l4_firewall_policy_path, l4_firewall_policy_path + backup_extension)
@@ -1103,21 +1021,7 @@ TEST_F(ServiceControllerTest, backup_file_doesnt_exist)
     ).WillRepeatedly(Return(string("registered and running")));
 
     string reply_msg = "{\"id\": 1, \"error\": false, \"finished\": true, \"error_message\": \"\"}";
-    EXPECT_CALL(
-        mock_message,
-        sendMessage(
-            _,
-            _,
-            _,
-            "127.0.0.1",
-            l4_firewall_service_port,
-            _,
-            "/set-new-configuration",
-            _,
-            _,
-            MessageTypeTag::GENERIC
-        )
-    ).WillOnce(Return(Maybe<string>(reply_msg)));
+    expectNewConfigRequest("{\n    \"id\": 1,\n    \"policy_version\": \"1.0.2,1.0.2\"\n}", reply_msg);
 
     EXPECT_EQ(i_service_controller->getPolicyVersion(), "");
     EXPECT_TRUE(i_service_controller->updateServiceConfiguration(file_name, "").ok());
@@ -1192,6 +1096,9 @@ TEST_F(ServiceControllerTest, backupAttempts)
     EXPECT_CALL(mock_orchestration_status,
         setServiceConfiguration("l4_firewall", l4_firewall_policy_path, OrchestrationStatusConfigType::POLICY));
 
+    EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::MD5, file_name))
+        .WillOnce(Return(version_value));
+
     EXPECT_CALL(
         mock_orchestration_tools,
         copyFile(l4_firewall_policy_path, l4_firewall_policy_path + backup_extension)
@@ -1218,21 +1125,7 @@ TEST_F(ServiceControllerTest, backupAttempts)
     ).WillRepeatedly(Return(string("registered and running")));
 
     string reply_msg = "{\"id\": 1, \"error\": false, \"finished\": true, \"error_message\": \"\"}";
-    EXPECT_CALL(
-        mock_message,
-        sendMessage(
-            _,
-            _,
-            _,
-            "127.0.0.1",
-            l4_firewall_service_port,
-            _,
-            "/set-new-configuration",
-            _,
-            _,
-            MessageTypeTag::GENERIC
-        )
-    ).WillOnce(Return(Maybe<string>(reply_msg)));
+    expectNewConfigRequest("{\n    \"id\": 1,\n    \"policy_version\": \"1.0.2,1.0.2\"\n}", reply_msg);
 
     EXPECT_CALL(mock_ml, yield(false)).Times(2);
     EXPECT_CALL(mock_orchestration_tools, copyFile(file_name, policy_file_path)).WillOnce(Return(true));
@@ -1316,6 +1209,9 @@ TEST_F(ServiceControllerTest, MultiUpdateConfiguration)
     EXPECT_CALL(mock_orchestration_status,
         setServiceConfiguration("orchestration", orchestration_policy_path, OrchestrationStatusConfigType::POLICY));
 
+    EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::MD5, file_name))
+        .WillOnce(Return(version_value));
+
     EXPECT_CALL(mock_orchestration_tools, writeFile(l4_firewall, l4_firewall_policy_path, false))
         .WillOnce(Return(true));
     EXPECT_CALL(mock_orchestration_tools, writeFile(orchestration, orchestration_policy_path, false))
@@ -1336,23 +1232,7 @@ TEST_F(ServiceControllerTest, MultiUpdateConfiguration)
     ).WillRepeatedly(Return(string("registered and running")));
 
     string reply_msg = "{\"id\": 1, \"error\": false, \"finished\": true, \"error_message\": \"\"}";
-    Flags<MessageConnConfig> conn_flags;
-    conn_flags.setFlag(MessageConnConfig::ONE_TIME_CONN);
-    EXPECT_CALL(
-        mock_message,
-        sendMessage(
-            true,
-            "{\n    \"id\": 1,\n    \"policy_version\": \"1.0.2\"\n}",
-            I_Messaging::Method::POST,
-            string("127.0.0.1"),
-            l4_firewall_service_port,
-            conn_flags,
-            string("/set-new-configuration"),
-            string(),
-            _,
-            MessageTypeTag::GENERIC
-        )
-    ).WillOnce(Return(Maybe<string>(reply_msg)));
+    expectNewConfigRequest("{\n    \"id\": 1,\n    \"policy_version\": \"1.0.2,1.0.2\"\n}", reply_msg);
 
     EXPECT_TRUE(i_service_controller->updateServiceConfiguration(file_name, "").ok());
     set<string> changed_policies = {
@@ -1389,6 +1269,9 @@ TEST_F(ServiceControllerTest, emptyServices)
     EXPECT_CALL(mock_orchestration_tools, copyFile(file_name, policy_file_path)).WillOnce(Return(true));
     EXPECT_CALL(mock_orchestration_tools, doesFileExist(policy_file_path)).WillOnce(Return(true));
 
+    EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::MD5, file_name))
+        .WillOnce(Return(version_value));
+
     EXPECT_TRUE(i_service_controller->updateServiceConfiguration(file_name, "").ok());
 }
 
@@ -1440,6 +1323,9 @@ TEST_F(ServiceControllerTest, failingWhileLoadingCurrentConfiguration)
         .WillOnce(Return(json_parser_return));
     EXPECT_CALL(mock_orchestration_tools, doesFileExist(l4_firewall_policy_path)).WillOnce(Return(true));
     EXPECT_CALL(mock_orchestration_tools, readFile(l4_firewall_policy_path)).WillOnce(Return(err));
+
+    EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::MD5, file_name))
+        .WillOnce(Return(version_value));
     EXPECT_FALSE(i_service_controller->updateServiceConfiguration(file_name, "").ok());
 }
 
@@ -1509,6 +1395,8 @@ TEST_F(ServiceControllerTest, failingWhileCopyingCurrentConfiguration)
     );
     EXPECT_CALL(mock_orchestration_tools, doesFileExist(l4_firewall_policy_path)).WillOnce(Return(true));
     EXPECT_CALL(mock_orchestration_tools, readFile(l4_firewall_policy_path)).WillOnce(Return(old_configuration));
+    EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::MD5, file_name))
+        .WillOnce(Return(version_value));
     EXPECT_CALL(
         mock_orchestration_tools,
         copyFile(l4_firewall_policy_path, l4_firewall_policy_path + backup_extension)
@@ -1578,6 +1466,9 @@ TEST_F(ServiceControllerTest, ErrorUpdateConfigurationRest)
         setServiceConfiguration("l4_firewall", l4_firewall_policy_path, OrchestrationStatusConfigType::POLICY)
     );
 
+    EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::MD5, file_name))
+        .WillOnce(Return(version_value));
+
     EXPECT_EQ(i_service_controller->getPolicyVersion(), "");
 
     EXPECT_TRUE(i_service_controller->isServiceInstalled("family1_id2"));
@@ -1672,6 +1563,8 @@ TEST_F(ServiceControllerTest, errorWhileWrtingNewConfiguration)
     );
     EXPECT_CALL(mock_orchestration_tools, doesFileExist(l4_firewall_policy_path)).WillOnce(Return(true));
     EXPECT_CALL(mock_orchestration_tools, readFile(l4_firewall_policy_path)).WillOnce(Return(old_configuration));
+    EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::MD5, file_name))
+        .WillOnce(Return(version_value));
     EXPECT_CALL(
         mock_orchestration_tools,
         copyFile(l4_firewall_policy_path, l4_firewall_policy_path + backup_extension)
@@ -1710,21 +1603,7 @@ TEST_F(ServiceControllerTest, testMultitenantConfFiles)
     EXPECT_CALL(tenant_manager, getInstances("tenant2", "1235")).WillOnce(Return(empty_ids));
 
     string reply_msg = "{\"id\": 1, \"error\": false, \"finished\": true, \"error_message\": \"\"}";
-    EXPECT_CALL(
-        mock_message,
-        sendMessage(
-            true,
-            "{\n    \"id\": 1,\n    \"policy_version\": \"1.0.2\"\n}",
-            _,
-            string("127.0.0.1"),
-            l4_firewall_service_port,
-            _,
-            string("/set-new-configuration"),
-            _,
-            _,
-            _
-        )
-    ).WillOnce(Return(Maybe<string>(reply_msg)));
+    expectNewConfigRequest("{\n    \"id\": 1,\n    \"policy_version\": \"1.0.2,1.0.2\"\n}", reply_msg);
 
     for(auto entry : tenant_files_input) {
         auto tenant = entry.first.first;
@@ -1801,6 +1680,9 @@ TEST_F(ServiceControllerTest, testMultitenantConfFiles)
             "l4_firewall", l4_firewall_policy_path_new, OrchestrationStatusConfigType::POLICY)
         );
 
+        EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::MD5, conf_file_name))
+            .WillRepeatedly(Return(version_value));
+
         string new_policy_file_path = "/etc/cp/conf/tenant_" + tenant + "_profile_" + profile + "/" + "policy.json";
         EXPECT_CALL(mock_orchestration_tools, copyFile(new_policy_file_path, new_policy_file_path + backup_extension))
             .WillOnce(Return(true));
@@ -1906,6 +1788,9 @@ TEST_F(ServiceControllerTest, test_delayed_reconf)
     EXPECT_CALL(mock_orchestration_status,
         setServiceConfiguration("l4_firewall", l4_firewall_policy_path, OrchestrationStatusConfigType::POLICY));
 
+    EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::MD5, file_name))
+        .WillOnce(Return(version_value));
+
     EXPECT_CALL(mock_orchestration_tools, copyFile(policy_file_path, policy_file_path + backup_extension))
         .WillOnce(Return(true));
     EXPECT_CALL(mock_orchestration_tools, copyFile(file_name, policy_file_path)).WillOnce(Return(true));
@@ -1934,23 +1819,7 @@ TEST_F(ServiceControllerTest, test_delayed_reconf)
         << "    \"error_message\": \"\""
         << "}";
 
-    Flags<MessageConnConfig> conn_flags;
-    conn_flags.setFlag(MessageConnConfig::ONE_TIME_CONN);
-    EXPECT_CALL(
-        mock_message,
-        sendMessage(
-            true,
-            "{\n    \"id\": 1,\n    \"policy_version\": \"1.0.2\"\n}",
-            I_Messaging::Method::POST,
-            string("127.0.0.1"),
-            l4_firewall_service_port,
-            conn_flags,
-            string("/set-new-configuration"),
-            string(),
-            _,
-            MessageTypeTag::GENERIC
-        )
-    ).WillOnce(Return(Maybe<string>(reply_msg)));
+    expectNewConfigRequest("{\n    \"id\": 1,\n    \"policy_version\": \"1.0.2,1.0.2\"\n}", reply_msg);
 
     auto func = [&] (chrono::microseconds) { set_reconf_status->performRestCall(reconf_status); };
     EXPECT_CALL(mock_ml, yield(chrono::microseconds(2000000))).WillOnce(Invoke(func));

components/security_apps/orchestration/update_communication/declarative_policy_utils.cc

@@ -27,7 +27,7 @@ DeclarativePolicyUtils::init()
         auto mainloop = Singleton::Consume<I_MainLoop>::by<DeclarativePolicyUtils>();
         mainloop->addRecurringRoutine(
             I_MainLoop::RoutineType::Offline,
-            chrono::minutes(1),
+            chrono::seconds(30),
             [&] () { periodicPolicyLoad(); },
             "Automatic Policy Loading"
         );

components/security_apps/orchestration/update_communication/fog_communication.cc

@@ -32,7 +32,7 @@ void
 FogCommunication::init()
 {
     FogAuthenticator::init();
-    declarative_policy_utils.init();
+    i_declarative_policy = Singleton::Consume<I_DeclarativePolicy>::from<DeclarativePolicyUtils>();
 }
 
 Maybe<void>
@@ -67,15 +67,15 @@ FogCommunication::getUpdate(CheckUpdateRequest &request)
         Maybe<string> maybe_new_data = request.getData();
         string data_checksum = maybe_new_data.ok() ? maybe_new_data.unpack() : "";
 
-        if (declarative_policy_utils.shouldApplyPolicy()) {
-            string policy_response = declarative_policy_utils.getUpdate(request);
+        if (i_declarative_policy->shouldApplyPolicy()) {
+            string policy_response = i_declarative_policy->getUpdate(request);
             if (!policy_response.empty()) {
                 dbgTrace(D_ORCHESTRATOR) << "Apply policy - declarative mode";
                 auto agent_details = Singleton::Consume<I_AgentDetails>::by<DeclarativePolicyUtils>();
                 auto maybe_fog_address = agent_details->getFogDomain();
                 string fog_address = maybe_fog_address.ok() ? maybe_fog_address.unpack() : "";
 
-                declarative_policy_utils.sendUpdatesToFog(
+                i_declarative_policy->sendUpdatesToFog(
                     unpacked_access_token,
                     agent_details->getTenantId(),
                     agent_details->getProfileId(),
@@ -83,7 +83,6 @@ FogCommunication::getUpdate(CheckUpdateRequest &request)
                 );
             }
             request = CheckUpdateRequest(manifest_checksum, policy_response, settings_checksum, data_checksum, "", "");
-            declarative_policy_utils.turnOffApplyPolicyFlag();
         } else {
             request = CheckUpdateRequest(manifest_checksum, "", settings_checksum, data_checksum, "", "");
         }
@@ -103,7 +102,7 @@ FogCommunication::downloadAttributeFile(const GetResourceFile &resourse_file)
     string policy_mgmt_mode = getSettingWithDefault<string>("management", "profileManagedMode");
     if (policy_mgmt_mode == "declarative" && resourse_file.getFileName() =="policy") {
         dbgDebug(D_ORCHESTRATOR) << "Download policy on declarative mode - returnig the local policy";
-        return declarative_policy_utils.getCurrPolicy();
+        return i_declarative_policy->getCurrPolicy();
     }
     static const string file_attribute_str = "/api/v2/agents/resources/";
     Maybe<string> attribute_file = Singleton::Consume<I_Messaging>::by<FogCommunication>()->downloadFile(

components/security_apps/orchestration/update_communication/hybrid_communication.cc

@@ -35,7 +35,7 @@ void
 HybridCommunication::init()
 {
     FogAuthenticator::init();
-    declarative_policy_utils.init();
+    i_declarative_policy = Singleton::Consume<I_DeclarativePolicy>::from<DeclarativePolicyUtils>();
     dbgTrace(D_ORCHESTRATOR) << "Initializing the Hybrid Communication Component";
     if (getConfigurationFlag("otp") != "") {
         otp = getConfigurationFlag("otp");
@@ -69,14 +69,14 @@ HybridCommunication::getUpdate(CheckUpdateRequest &request)
         dbgWarning(D_ORCHESTRATOR) << "Acccess Token not available.";
     }
 
-    if (!declarative_policy_utils.shouldApplyPolicy()) {
+    if (!i_declarative_policy->shouldApplyPolicy()) {
         request = CheckUpdateRequest(manifest_checksum, "", "", "", "", "");
         return Maybe<void>();
     }
 
     dbgTrace(D_ORCHESTRATOR) << "Getting policy update in Hybrid Communication";
 
-    string policy_response = declarative_policy_utils.getUpdate(request);
+    string policy_response = i_declarative_policy->getUpdate(request);
 
     auto env = Singleton::Consume<I_EnvDetails>::by<HybridCommunication>()->getEnvType();
     if (env == EnvType::K8S && !policy_response.empty()) {
@@ -123,7 +123,6 @@ HybridCommunication::getUpdate(CheckUpdateRequest &request)
     }
 
     request = CheckUpdateRequest(manifest_checksum, policy_response, "", "", "", "");
-    declarative_policy_utils.turnOffApplyPolicyFlag();
 
     return Maybe<void>();
 }
@@ -136,7 +135,7 @@ HybridCommunication::downloadAttributeFile(const GetResourceFile &resourse_file)
         << resourse_file.getFileName();
 
     if (resourse_file.getFileName() =="policy") {
-        return declarative_policy_utils.getCurrPolicy();
+        return i_declarative_policy->getCurrPolicy();
     }
     if (resourse_file.getFileName() == "manifest") {
         if (!access_token.ok()) return genError("Acccess Token not available.");

components/security_apps/orchestration/update_communication/update_communication.cc

@@ -57,6 +57,7 @@ public:
     void
     init()
     {
+        declarative_policy_utils.init();
         auto rest = Singleton::Consume<I_RestApi>::by<UpdateCommunication>();
         rest->addRestCall<UpdateCommunication::Impl>(RestAction::SET, "orchestration-mode");
         setMode();
@@ -104,22 +105,17 @@ private:
     {
         if (getConfigurationFlag("orchestration-mode") == "offline_mode") {
             i_update_comm_impl = make_unique<LocalCommunication>();
-            LocalCommunication *local_comm = static_cast<LocalCommunication*>(i_update_comm_impl.get());
-            local_comm->init();
-            return;
         } else if (getConfigurationFlag("orchestration-mode") == "hybrid_mode") {
             i_update_comm_impl = make_unique<HybridCommunication>();
-            HybridCommunication *local_comm = static_cast<HybridCommunication*>(i_update_comm_impl.get());
-            local_comm->init();
-            return;
+        } else {
+            i_update_comm_impl = make_unique<FogCommunication>();
         }
 
-        i_update_comm_impl = make_unique<FogCommunication>();
-        FogCommunication *fog_comm = static_cast<FogCommunication*>(i_update_comm_impl.get());
-        fog_comm->init();
+        i_update_comm_impl->init();
     }
 
     std::unique_ptr<I_UpdateCommunication> i_update_comm_impl = nullptr;
+    DeclarativePolicyUtils declarative_policy_utils;
     S2C_LABEL_PARAM(string, status, "status");
 };
 

components/security_apps/orchestration/update_communication/update_communication_ut/CMakeLists.txt

@@ -2,6 +2,6 @@ link_directories(${BOOST_ROOT}/lib)
 
 add_unit_test(
     update_communication_ut
-    "local_communication_ut.cc"
+    "local_communication_ut.cc;fog_communication_ut.cc"
     "rest;version;orchestration_modules;update_communication;singleton;config;metric;event_is;logging;agent_details;-lboost_regex;local_policy_mgmt_gen;connkey;"
 )