Updating local policy, metrics, and local update trigger

components/security_apps/local_policy_mgmt_gen/CMakeLists.txt

@@ -13,6 +13,7 @@ add_library(local_policy_mgmt_gen
     local_policy_mgmt_gen.cc
     new_appsec_policy_crd_parser.cc
     new_appsec_linux_policy.cc
+    new_auto_upgrade.cc
     new_custom_response.cc
     new_trusted_sources.cc
     new_log_trigger.cc

components/security_apps/local_policy_mgmt_gen/access_control_practice.cc

@@ -18,16 +18,12 @@ using namespace std;
 USE_DEBUG_FLAG(D_LOCAL_POLICY);
 // LCOV_EXCL_START Reason: no test exist
 
-static const set<string> valid_modes    = {"prevent", "detect", "inactive"};
-static const set<string> valid_units    = {"minute", "second"};
-
-static const std::unordered_map<std::string, std::string> key_to_mode_val = {
-    { "prevent-learn", "Prevent"},
-    { "detect-learn", "Detect"},
-    { "prevent", "Prevent"},
-    { "detect", "Detect"},
-    { "inactive", "Inactive"}
+static const map<string, string> valid_modes_to_key = {
+    {"prevent", "Active"},
+    {"detect", "Detect"},
+    {"inactive", "Inactive"}
 };
+static const set<string> valid_units    = {"minute", "second"};
 
 static const std::unordered_map<std::string, std::string> key_to_units_val = {
     { "second", "Second"},
@@ -78,7 +74,7 @@ RateLimitSection::RateLimitSection(
 {
     bool any = asset_name == "Any" && url == "Any" && uri == "Any";
     string asset_id = any ? "Any" : url+uri;
-    context = "assetId(" + asset_id + ")";
+    context = any ? "All()" : "assetId(" + asset_id + ")";
 }
 
 void
@@ -86,7 +82,7 @@ RateLimitSection::save(cereal::JSONOutputArchive &out_ar) const
 {
     out_ar(
         cereal::make_nvp("context",         context),
-        cereal::make_nvp("mode",            key_to_mode_val.at(mode)),
+        cereal::make_nvp("mode",            mode),
         cereal::make_nvp("practiceId",      practice_id),
         cereal::make_nvp("name",            name),
         cereal::make_nvp("rules",           rules)
@@ -180,9 +176,13 @@ void
 AccessControlRateLimit::load(cereal::JSONInputArchive &archive_in)
 {
     dbgTrace(D_LOCAL_POLICY) << "Loading Access control rate limit";
-    parseAppsecJSONKey<string>("overrideMode", mode, archive_in, "Inactive");
-    if (valid_modes.count(mode) == 0) {
-        dbgWarning(D_LOCAL_POLICY) << "AppSec access control rate limit override mode invalid: " << mode;
+    string in_mode;
+    parseAppsecJSONKey<string>("overrideMode", in_mode, archive_in, "inactive");
+    if (valid_modes_to_key.find(in_mode) == valid_modes_to_key.end()) {
+        dbgWarning(D_LOCAL_POLICY) << "AppSec access control rate limit override mode invalid: " << in_mode;
+        mode = "Inactive";
+    } else {
+        mode = valid_modes_to_key.at(in_mode);
     }
     parseAppsecJSONKey<std::vector<AccessControlRateLimiteRules>>("rules", rules, archive_in);
 }

components/security_apps/local_policy_mgmt_gen/appsec_practice_section.cc

@@ -12,6 +12,7 @@
 // limitations under the License.
 
 #include "appsec_practice_section.h"
+#include <algorithm>
 
 using namespace std;
 
@@ -238,6 +239,7 @@ AppSecPracticeOpenSchemaAPI::getConfigMap() const
 {
     return config_map;
 }
+
 // LCOV_EXCL_STOP
 void
 AppSecPracticeSpec::load(cereal::JSONInputArchive &archive_in)
@@ -272,6 +274,7 @@ AppSecPracticeSpec::getSnortSignatures() const
 {
     return snort_signatures;
 }
+
 // LCOV_EXCL_STOP
 
 const AppSecPracticeWebAttacks &
@@ -337,6 +340,7 @@ ParsedMatch::ParsedMatch(const ExceptionMatch &exceptions)
         parsed_match.push_back(ParsedMatch(exception_match));
     }
 }
+
 // LCOV_EXCL_STOP
 
 void
@@ -375,6 +379,7 @@ AppSecOverride::AppSecOverride(const InnerException &parsed_exceptions)
     map<string, string> behavior = {{parsed_exceptions.getBehaviorKey(), parsed_exceptions.getBehaviorValue()}};
     parsed_behavior.push_back(behavior);
 }
+
 // LCOV_EXCL_STOP
 
 void
@@ -426,10 +431,11 @@ WebAppSection::WebAppSection(
     web_attack_mitigation_mode(parsed_appsec_spec.getWebAttacks().getMode(default_mode)),
     practice_advanced_config(parsed_appsec_spec),
     anti_bots(parsed_appsec_spec.getAntiBot()),
-    trusted_sources({parsed_trusted_sources})
+    trusted_sources({ parsed_trusted_sources })
 {
     web_attack_mitigation = true;
     web_attack_mitigation_action =
+        web_attack_mitigation_mode != "Prevent" ? "Transparent" :
         web_attack_mitigation_severity == "critical" ? "low" :
         web_attack_mitigation_severity == "high" ? "balanced" :
         web_attack_mitigation_severity == "medium" ? "high" :
@@ -473,7 +479,7 @@ WebAppSection::WebAppSection(
     web_attack_mitigation_mode(_web_attack_mitigation_mode),
     practice_advanced_config(_practice_advanced_config),
     anti_bots(_anti_bots),
-    trusted_sources({parsed_trusted_sources})
+    trusted_sources({ parsed_trusted_sources })
 {
     web_attack_mitigation = true;
     web_attack_mitigation_action =
@@ -488,6 +494,7 @@ WebAppSection::WebAppSection(
         overrides.push_back(AppSecOverride(source_ident));
     }
 }
+
 // LCOV_EXCL_STOP
 
 void
@@ -525,7 +532,16 @@ WebAppSection::save(cereal::JSONOutputArchive &out_ar) const
         cereal::make_nvp("botProtection_v2",            detect_str)
     );
 }
+
 // LCOV_EXCL_START Reason: no test exist
+
+bool
+WebAppSection::operator<(const WebAppSection &other) const
+{
+    // for sorting from the most specific to the least specific rule
+    return application_urls.size() > other.application_urls.size();
+}
+
 void
 WebAPISection::save(cereal::JSONOutputArchive &out_ar) const
 {
@@ -554,8 +570,27 @@ WebAPISection::save(cereal::JSONOutputArchive &out_ar) const
         cereal::make_nvp("overrides",                      empty_list)
     );
 }
+
+bool
+WebAPISection::operator<(const WebAPISection &other) const
+{
+    // for sorting from the most specific to the least specific rule
+    return application_urls.size() > other.application_urls.size();
+}
+
 // LCOV_EXCL_STOP
 
+AppSecRulebase::AppSecRulebase(
+    std::vector<WebAppSection> _webApplicationPractices,
+    std::vector<WebAPISection> _webAPIPractices
+) :
+    webApplicationPractices(_webApplicationPractices),
+    webAPIPractices(_webAPIPractices)
+{
+    sort(webAPIPractices.begin(), webAPIPractices.end());
+    sort(webApplicationPractices.begin(), webApplicationPractices.end());
+}
+
 void
 AppSecRulebase::save(cereal::JSONOutputArchive &out_ar) const
 {
@@ -719,11 +754,7 @@ AppsecLinuxPolicy::serialize(cereal::JSONInputArchive &archive_in)
     parseAppsecJSONKey<vector<AppSecCustomResponseSpec>>("custom-responses", custom_responses, archive_in);
     parseAppsecJSONKey<vector<AppsecException>>("exceptions", exceptions, archive_in);
     parseAppsecJSONKey<vector<TrustedSourcesSpec>>("trusted-sources", trusted_sources, archive_in);
-    parseAppsecJSONKey<vector<SourceIdentifierSpecWrapper>>(
-        "source-identifiers",
-        sources_identifiers,
-        archive_in
-    );
+    parseAppsecJSONKey<vector<SourceIdentifierSpecWrapper>>("source-identifiers", sources_identifiers, archive_in);
 }
 
 const AppsecPolicySpec &
@@ -768,7 +799,6 @@ AppsecLinuxPolicy::getAppsecSourceIdentifierSpecs() const
     return sources_identifiers;
 }
 
-
 const vector<RPMSettings> &
 AppsecLinuxPolicy::rpmGetRPSettings() const
 {

components/security_apps/local_policy_mgmt_gen/exceptions_section.cc

@@ -241,11 +241,21 @@ ExceptionMatch::ExceptionMatch(const NewAppsecException &parsed_exception)
         items.push_back(ExceptionMatch("sourceIdentifier", parsed_exception.getSourceIdentifier()));
     }
     if (!parsed_exception.getSourceIp().empty()) {
-        items.push_back(ExceptionMatch("sourceIp", parsed_exception.getSourceIp()));
+        items.push_back(ExceptionMatch("sourceIP", parsed_exception.getSourceIp()));
     }
     if (!parsed_exception.getUrl().empty()) {
         items.push_back(ExceptionMatch("url", parsed_exception.getUrl()));
     }
+
+    // when there is only one operand, there's no need for an additional 'and'/'or' condition enclosing it
+    if (items.size() == 1) {
+        auto & other = items[0];
+        match_type = other.match_type;
+        op = other.op;
+        key = other.key;
+        value = other.value;
+        items = other.items;
+    }
 }
 
 void

components/security_apps/local_policy_mgmt_gen/include/appsec_practice_section.h

@@ -296,6 +296,8 @@ public:
 
     void save(cereal::JSONOutputArchive &out_ar) const;
 
+    bool operator< (const WebAppSection &other) const;
+
 private:
     std::string application_urls;
     std::string asset_id;
@@ -350,6 +352,8 @@ public:
 
     void save(cereal::JSONOutputArchive &out_ar) const;
 
+    bool operator< (const WebAPISection &other) const;
+
 private:
     std::string application_urls;
     std::string asset_id;
@@ -371,10 +375,7 @@ class AppSecRulebase
 public:
     AppSecRulebase(
         std::vector<WebAppSection> _webApplicationPractices,
-        std::vector<WebAPISection> _webAPIPractices)
-        :
-        webApplicationPractices(_webApplicationPractices),
-        webAPIPractices(_webAPIPractices) {}
+        std::vector<WebAPISection> _webAPIPractices);
 
     void save(cereal::JSONOutputArchive &out_ar) const;
 

components/security_apps/local_policy_mgmt_gen/include/new_appsec_linux_policy.h

@@ -32,7 +32,7 @@
 #include "new_practice.h"
 #include "access_control_practice.h"
 #include "new_trusted_sources.h"
-
+#include "new_auto_upgrade.h"
 
 class V1beta2AppsecLinuxPolicy : Singleton::Consume<I_Environment>
 {
@@ -48,7 +48,8 @@ public:
         const std::vector<NewAppSecCustomResponse> &_custom_responses,
         const std::vector<NewAppsecException> &_exceptions,
         const std::vector<NewTrustedSourcesSpec> &_trusted_sources,
-        const std::vector<NewSourcesIdentifiers> &_sources_identifiers)
+        const std::vector<NewSourcesIdentifiers> &_sources_identifiers,
+        const AppSecAutoUpgradeSpec &_auto_upgrade)
             :
         policies(_policies),
         threat_prevection_practices(_threat_prevention_practices),
@@ -57,7 +58,8 @@ public:
         custom_responses(_custom_responses),
         exceptions(_exceptions),
         trusted_sources(_trusted_sources),
-        sources_identifiers(_sources_identifiers) {}
+        sources_identifiers(_sources_identifiers),
+        auto_upgrade(_auto_upgrade) {}
     // LCOV_EXCL_STOP
     void serialize(cereal::JSONInputArchive &archive_in);
 
@@ -69,6 +71,7 @@ public:
     const std::vector<NewAppsecException> & getAppsecExceptions() const;
     const std::vector<NewTrustedSourcesSpec> & getAppsecTrustedSourceSpecs() const;
     const std::vector<NewSourcesIdentifiers> & getAppsecSourceIdentifierSpecs() const;
+    const AppSecAutoUpgradeSpec & getAppSecAutoUpgradeSpec() const;
     void addSpecificRule(const NewParsedRule &_rule);
 
 private:
@@ -80,6 +83,7 @@ private:
     std::vector<NewAppsecException> exceptions;
     std::vector<NewTrustedSourcesSpec> trusted_sources;
     std::vector<NewSourcesIdentifiers> sources_identifiers;
+    AppSecAutoUpgradeSpec auto_upgrade;
 };
 
 #endif // __NEW_APPSEC_LINUX_POLICY_H__

components/security_apps/local_policy_mgmt_gen/include/new_appsec_policy_crd_parser.h

@@ -42,6 +42,7 @@ public:
     const std::string & getSourceIdentifiers() const;
     const std::string & getCustomResponse() const;
     const std::string & getTrustedSources() const;
+    const std::string & getUpgradeSettings() const;
     const std::string & getHost() const;
     const std::string & getMode() const;
 
@@ -56,6 +57,7 @@ private:
     std::string                 source_identifiers;
     std::string                 custom_response;
     std::string                 trusted_sources;
+    std::string                 upgrade_settings;
     std::string                 host;
     std::string                 mode;
 };

components/security_apps/local_policy_mgmt_gen/include/new_auto_upgrade.h

@@ -0,0 +1,47 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __NEW_AUTO_UPGRADE_H__
+#define __NEW_AUTO_UPGRADE_H__
+
+#include <string>
+#include <cereal/archives/json.hpp>
+#include <boost/uuid/uuid.hpp>
+#include <boost/uuid/uuid_generators.hpp>
+#include <boost/uuid/uuid_io.hpp>
+
+#include "config.h"
+#include "debug.h"
+#include "local_policy_common.h"
+
+class AppSecAutoUpgradeSpec
+{
+public:
+    void load(cereal::JSONInputArchive &archive_in);
+    void save(cereal::JSONOutputArchive& out_ar) const;
+
+    const std::string & getAppSecClassName() const;
+    const std::string & getName() const;
+    void setName(const std::string &_name);
+
+private:
+    std::string mode = "automatic";
+    std::vector<std::string> days;
+    std::string upgrade_window_start_hour_UTC;
+    uint upgrade_window_duration;
+
+    std::string name;
+    std::string appsec_class_name;
+};
+
+#endif // __NEW_AUTO_UPGRADE_H__

components/security_apps/local_policy_mgmt_gen/include/new_log_trigger.h

@@ -30,9 +30,11 @@ class NewAppsecTriggerAccessControlLogging
 public:
     void load(cereal::JSONInputArchive &archive_in);
 
+    bool isAcAllowEvents() const { return ac_allow_events; }
+    bool isAcDropEvents() const { return ac_drop_events; }
 private:
-    bool allow_events = false;
-    bool drop_events = false;
+    bool ac_allow_events = false;
+    bool ac_drop_events = false;
 };
 
 class NewAppsecTriggerAdditionalSuspiciousEventsLogging : public ClientRest
@@ -158,6 +160,7 @@ public:
     const NewAppsecTriggerLogging & getAppsecTriggerLogging() const;
     const NewAppsecTriggerExtendedLogging & getAppsecTriggerExtendedLogging() const;
     const NewAppsecTriggerLogDestination & getAppsecTriggerLogDestination() const;
+    const NewAppsecTriggerAccessControlLogging & getAppsecTriggerAccessControlLogging() const;
 
 private:
     NewAppsecTriggerAccessControlLogging access_control_logging;

components/security_apps/local_policy_mgmt_gen/include/new_practice.h

@@ -481,17 +481,22 @@ private:
 class NewSnortSignaturesAndOpenSchemaAPI
 {
 public:
+    NewSnortSignaturesAndOpenSchemaAPI() : is_temporary(false) {};
+
     void load(cereal::JSONInputArchive &archive_in);
 
     void addFile(const std::string &file_name);
     const std::string & getOverrideMode() const;
     const std::vector<std::string> & getConfigMap() const;
     const std::vector<std::string> & getFiles() const;
+    bool isTemporary() const;
+    void setTemporary(bool val);
 
 private:
     std::string override_mode;
     std::vector<std::string> config_map;
     std::vector<std::string> files;
+    bool is_temporary;
 };
 
 class NewAppSecWebBotsURI

components/security_apps/local_policy_mgmt_gen/include/policy_maker_utils.h

@@ -51,6 +51,7 @@ enum class AnnotationTypes {
     WEB_USER_RES,
     SOURCE_IDENTIFIERS,
     TRUSTED_SOURCES,
+    UPGRADE_SETTINGS,
     COUNT
 };
 
@@ -96,16 +97,17 @@ class PolicyWrapper
 {
 public:
     PolicyWrapper(
-        const SettingsWrapper &_settings,
+        const SettingsRulebase &_settings,
         const SecurityAppsWrapper &_security_apps)
             :
         settings(_settings),
         security_apps(_security_apps) {}
 
-    void save(cereal::JSONOutputArchive &out_ar) const;
+    const SettingsRulebase & getSettings() const { return settings; }
+    const SecurityAppsWrapper & getSecurityApps() const { return security_apps; }
 
 private:
-    SettingsWrapper settings;
+    SettingsRulebase settings;
     SecurityAppsWrapper security_apps;
 };
 
@@ -139,7 +141,11 @@ private:
 
     std::tuple<std::string, std::string, std::string> splitHostName(const std::string &host_name);
 
-    std::string dumpPolicyToFile(const PolicyWrapper &policy, const std::string &policy_path);
+    std::string dumpPolicyToFile(
+        const PolicyWrapper &policy,
+        const std::string &policy_path,
+        const std::string &settings_path = "/etc/cp/conf/settings.json"
+    );
 
     PolicyWrapper combineElementsToPolicy(const std::string &policy_version);
 
@@ -155,7 +161,7 @@ private:
         std::map<AnnotationTypes, std::string> &rule_annotations
     );
 
-    void createSnortProtecionsSection(const std::string &file_name, const std::string &practic_name);
+    void createSnortProtecionsSection(const std::string &file_name, bool is_temporary);
 
     void
     createSnortSections(
@@ -245,6 +251,7 @@ private:
     std::map<std::string, RateLimitSection> rate_limit;
     std::map<std::string, UsersIdentifiersRulebase> users_identifiers;
     std::map<std::string, AppSecTrustedSources> trusted_sources;
+    AppSecAutoUpgradeSpec upgrade_settings;
 };
 
 template<class T, class R>

components/security_apps/local_policy_mgmt_gen/include/settings_section.h

@@ -22,6 +22,7 @@
 #include "config.h"
 #include "debug.h"
 #include "local_policy_common.h"
+#include "new_auto_upgrade.h"
 
 // LCOV_EXCL_START Reason: no test exist
 class AgentSettingsSection
@@ -41,12 +42,18 @@ private:
 class SettingsRulebase
 {
 public:
-    SettingsRulebase(std::vector<AgentSettingsSection> _agentSettings) : agentSettings(_agentSettings) {}
+    SettingsRulebase(
+        std::vector<AgentSettingsSection> _agentSettings,
+        const AppSecAutoUpgradeSpec &_upgradeSettings)
+            :
+        agentSettings(_agentSettings),
+        upgrade_settings(_upgradeSettings) {}
 
     void save(cereal::JSONOutputArchive &out_ar) const;
 
 private:
     std::vector<AgentSettingsSection> agentSettings;
+    AppSecAutoUpgradeSpec upgrade_settings;
 };
 
 class SettingsWrapper

components/security_apps/local_policy_mgmt_gen/include/triggers_section.h

@@ -44,6 +44,8 @@ public:
         bool _responseBody,
         bool _tpDetect,
         bool _tpPrevent,
+        bool _acAllow,
+        bool _acDrop,
         bool _webBody,
         bool _webHeaders,
         bool _webRequests,
@@ -76,6 +78,8 @@ private:
     bool responseBody;
     bool tpDetect;
     bool tpPrevent;
+    bool acAllow;
+    bool acDrop;
     bool webBody;
     bool webHeaders;
     bool webRequests;
@@ -158,9 +162,11 @@ class AppsecTriggerAccessControlLogging
 public:
     void load(cereal::JSONInputArchive &archive_in);
 
+    bool isAcAllowEvents() const { return ac_allow_events; }
+    bool isAcDropEvents() const { return ac_drop_events; }
 private:
-    bool allow_events = false;
-    bool drop_events = false;
+    bool ac_allow_events = false;
+    bool ac_drop_events = false;
 };
 
 class AppsecTriggerAdditionalSuspiciousEventsLogging : public ClientRest
@@ -281,6 +287,7 @@ public:
     const AppsecTriggerLogging & getAppsecTriggerLogging() const;
     const AppsecTriggerExtendedLogging & getAppsecTriggerExtendedLogging() const;
     const AppsecTriggerLogDestination & getAppsecTriggerLogDestination() const;
+    const AppsecTriggerAccessControlLogging & getAppsecTriggerAccessControlLogging() const;
 
 private:
     AppsecTriggerAccessControlLogging access_control_logging;

components/security_apps/local_policy_mgmt_gen/k8s_policy_utils.cc

@@ -159,6 +159,7 @@ extractElementsFromNewRule(
     policy_elements_names[AnnotationTypes::WEB_USER_RES].insert(rule.getCustomResponse());
     policy_elements_names[AnnotationTypes::SOURCE_IDENTIFIERS].insert(rule.getSourceIdentifiers());
     policy_elements_names[AnnotationTypes::TRUSTED_SOURCES].insert(rule.getTrustedSources());
+    policy_elements_names[AnnotationTypes::UPGRADE_SETTINGS].insert(rule.getUpgradeSettings());
 }
 
 map<AnnotationTypes, unordered_set<string>>
@@ -356,8 +357,9 @@ K8sPolicyUtils::createSnortFile(vector<NewAppSecPracticeSpec> &practices) const
 {
     for (NewAppSecPracticeSpec &practice : practices) {
         auto orchestration_tools = Singleton::Consume<I_OrchestrationTools>::by<K8sPolicyUtils>();
-        auto path = "/etc/cp/conf/snort/snort_k8s_" + practice.getName() + ".rule";
+        auto path = getFilesystemPathConfig() + "/conf/snort/snort_k8s_" + practice.getName() + ".rule";
         bool append_mode = false;
+        practice.getSnortSignatures().setTemporary(true);
         for (const string &config_map : practice.getSnortSignatures().getConfigMap())
         {
             auto maybe_configmap = getObjectFromCluster<ConfigMaps>(
@@ -441,6 +443,15 @@ K8sPolicyUtils::createAppsecPolicyK8sFromV1beta2Crds(
         policy_elements_names[AnnotationTypes::TRUSTED_SOURCES]
     );
 
+    vector<AppSecAutoUpgradeSpec> vec_upgrade_settings = extractV1Beta2ElementsFromCluster<AppSecAutoUpgradeSpec>(
+        "autoupgrade",
+        policy_elements_names[AnnotationTypes::UPGRADE_SETTINGS]
+    );
+    if (vec_upgrade_settings.size() > 1) {
+        dbgWarning(D_LOCAL_POLICY) << "Only one definition of upgrade settings is required.";
+    }
+    auto upgrade_settings = vec_upgrade_settings.empty() ? AppSecAutoUpgradeSpec() : vec_upgrade_settings.front();
+
     V1beta2AppsecLinuxPolicy appsec_policy = V1beta2AppsecLinuxPolicy(
         appsec_policy_spec.getSpec(),
         threat_prevention_practices,
@@ -449,7 +460,8 @@ K8sPolicyUtils::createAppsecPolicyK8sFromV1beta2Crds(
         web_user_responses,
         exceptions,
         trusted_sources,
-        source_identifiers
+        source_identifiers,
+        upgrade_settings
     );
     return appsec_policy;
 }

components/security_apps/local_policy_mgmt_gen/new_appsec_linux_policy.cc

@@ -64,6 +64,12 @@ V1beta2AppsecLinuxPolicy::getAppsecSourceIdentifierSpecs() const
     return sources_identifiers;
 }
 
+const AppSecAutoUpgradeSpec &
+V1beta2AppsecLinuxPolicy::getAppSecAutoUpgradeSpec() const
+{
+    return auto_upgrade;
+}
+
 void
 V1beta2AppsecLinuxPolicy::addSpecificRule(const NewParsedRule &_rule)
 {
@@ -97,4 +103,5 @@ V1beta2AppsecLinuxPolicy::serialize(cereal::JSONInputArchive &archive_in)
     parseAppsecJSONKey<vector<NewAppsecException>>("exceptions", exceptions, archive_in);
     parseAppsecJSONKey<vector<NewTrustedSourcesSpec>>("trustedSources", trusted_sources, archive_in);
     parseAppsecJSONKey<vector<NewSourcesIdentifiers>>("sourcesIdentifiers", sources_identifiers, archive_in);
+    parseAppsecJSONKey<AppSecAutoUpgradeSpec>("autoUpgrade", auto_upgrade, archive_in);
 }

components/security_apps/local_policy_mgmt_gen/new_appsec_policy_crd_parser.cc

@@ -35,6 +35,7 @@ NewParsedRule::load(cereal::JSONInputArchive &archive_in)
     parseAppsecJSONKey<string>("customResponse", custom_response, archive_in);
     parseAppsecJSONKey<string>("sourceIdentifiers", source_identifiers, archive_in);
     parseAppsecJSONKey<string>("trustedSources", trusted_sources, archive_in);
+    parseAppsecJSONKey<string>("autoUpgrade", upgrade_settings, archive_in);
     try {
         archive_in(cereal::make_nvp("host", host));
     } catch (const cereal::Exception &e)
@@ -86,6 +87,12 @@ NewParsedRule::getTrustedSources() const
     return trusted_sources;
 }
 
+const string &
+NewParsedRule::getUpgradeSettings() const
+{
+    return upgrade_settings;
+}
+
 const string &
 NewParsedRule::getHost() const
 {

components/security_apps/local_policy_mgmt_gen/new_auto_upgrade.cc

@@ -0,0 +1,118 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "new_auto_upgrade.h"
+
+using namespace std;
+
+USE_DEBUG_FLAG(D_LOCAL_POLICY);
+
+static const set<string> valid_modes = {"automatic", "manual", "scheduled"};
+static const set<string> valid_days_of_week = {
+    "monday",
+    "tuesday",
+    "wednesday",
+    "thursday",
+    "friday",
+    "saturday",
+    "sunday"
+};
+
+class AppSecScheduledUpgrade
+{
+public:
+    void
+    load(cereal::JSONInputArchive &archive_in)
+    {
+        parseAppsecJSONKey<vector<string>>("days", days, archive_in);
+        for (const string &day : days) {
+            if (valid_days_of_week.count(day) == 0) {
+                dbgWarning(D_LOCAL_POLICY) << "AppSec upgrade day invalid: " << day;
+            }
+        }
+        parseAppsecJSONKey<string>("upgradeWindowStartHourUTC", upgrade_window_start_hour_UTC, archive_in, "0:00");
+        parseAppsecJSONKey<uint>("upgradeWindowDuration", upgrade_window_duration, archive_in, 4);
+    }
+
+    const vector<string> &
+    getDays() const
+    {
+        return days;
+    }
+
+    const string &
+    getUpgradeWindowStartHourUTC() const
+    {
+        return upgrade_window_start_hour_UTC;
+    }
+
+    const uint &
+    getUpgradeWindowDuration() const
+    {
+        return upgrade_window_duration;
+    }
+
+private:
+    vector<string> days;
+    string upgrade_window_start_hour_UTC = "0:00";
+    uint upgrade_window_duration = 4;
+};
+
+void
+AppSecAutoUpgradeSpec::load(cereal::JSONInputArchive &archive_in)
+{
+    dbgTrace(D_LOCAL_POLICY) << "Loading AppSec upgrade settings spec";
+    parseAppsecJSONKey<string>("appsecClassName", appsec_class_name, archive_in);
+    parseAppsecJSONKey<string>("name", name, archive_in);
+    parseAppsecJSONKey<string>("mode", mode, archive_in);
+    if (valid_modes.count(mode) == 0) {
+        dbgWarning(D_LOCAL_POLICY) << "AppSec upgrade mode invalid: " << mode;
+    }
+    if (mode != "scheduled") return;
+
+    AppSecScheduledUpgrade schedule;
+    parseAppsecJSONKey<AppSecScheduledUpgrade>("schedule", schedule, archive_in);
+    days = schedule.getDays();
+    upgrade_window_start_hour_UTC = schedule.getUpgradeWindowStartHourUTC();
+    upgrade_window_duration = schedule.getUpgradeWindowDuration();
+}
+
+void
+AppSecAutoUpgradeSpec::save(cereal::JSONOutputArchive& out_ar) const
+{
+    out_ar(cereal::make_nvp("upgradeMode", mode));
+    if (mode != "scheduled") return;
+    out_ar(
+        cereal::make_nvp("upgradeTime", upgrade_window_start_hour_UTC),
+        cereal::make_nvp("upgradeDurationHours", upgrade_window_duration),
+        cereal::make_nvp("upgradeDay", days)
+    );
+}
+
+void
+AppSecAutoUpgradeSpec::setName(const string &_name)
+{
+    name = _name;
+}
+
+const string &
+AppSecAutoUpgradeSpec::getName() const
+{
+    return name;
+}
+
+const string &
+AppSecAutoUpgradeSpec::getAppSecClassName() const
+{
+    return appsec_class_name;
+}

components/security_apps/local_policy_mgmt_gen/new_exceptions.cc

@@ -23,9 +23,9 @@ static const set<string> valid_actions = {"skip", "accept", "drop", "suppressLog
 void
 NewAppsecExceptionCondition::load(cereal::JSONInputArchive &archive_in)
 {
-    dbgTrace(D_LOCAL_POLICY) << "Loading New AppSec exception condition";
     parseAppsecJSONKey<string>("key", key, archive_in);
     parseAppsecJSONKey<string>("value", value, archive_in);
+    dbgTrace(D_LOCAL_POLICY) << "Key: " << key << " Value: " << value;
 }
 
 const string &

components/security_apps/local_policy_mgmt_gen/new_log_trigger.cc

@@ -26,8 +26,8 @@ void
 NewAppsecTriggerAccessControlLogging::load(cereal::JSONInputArchive &archive_in)
 {
     dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Trigger - Access Control Logging";
-    parseAppsecJSONKey<bool>("allowEvents", allow_events, archive_in, false);
-    parseAppsecJSONKey<bool>("dropEvents", drop_events, archive_in, false);
+    parseAppsecJSONKey<bool>("allowEvents", ac_allow_events, archive_in, false);
+    parseAppsecJSONKey<bool>("dropEvents", ac_drop_events, archive_in, false);
 }
 
 void
@@ -307,6 +307,13 @@ NewAppsecLogTrigger::getAppsecTriggerLogging() const
     return appsec_logging;
 }
 
+const NewAppsecTriggerAccessControlLogging &
+NewAppsecLogTrigger::getAppsecTriggerAccessControlLogging() const
+{
+    return access_control_logging;
+}
+
+
 const NewAppsecTriggerExtendedLogging &
 NewAppsecLogTrigger::getAppsecTriggerExtendedLogging() const
 {

components/security_apps/local_policy_mgmt_gen/new_practice.cc

@@ -107,9 +107,9 @@ void
 NewAppSecWebAttackProtections::load(cereal::JSONInputArchive &archive_in)
 {
     dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Web Attack Protections";
-    parseAppsecJSONKey<string>("csrfEnabled", csrf_protection, archive_in, "inactive");
-    parseAppsecJSONKey<string>("errorDisclosureEnabled", error_disclosure, archive_in, "inactive");
-    parseAppsecJSONKey<string>("openRedirectEnabled", open_redirect, archive_in, "inactive");
+    parseAppsecJSONKey<string>("csrfProtection", csrf_protection, archive_in, "inactive");
+    parseAppsecJSONKey<string>("errorDisclosure", error_disclosure, archive_in, "inactive");
+    parseAppsecJSONKey<string>("openRedirect", open_redirect, archive_in, "inactive");
     parseAppsecJSONKey<bool>("nonValidHttpMethods", non_valid_http_methods, archive_in, false);
 }
 
@@ -441,6 +441,8 @@ NewSnortSignaturesAndOpenSchemaAPI::load(cereal::JSONInputArchive &archive_in)
     dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Snort Signatures practice";
     parseAppsecJSONKey<string>("overrideMode", override_mode, archive_in, "inactive");
     parseAppsecJSONKey<vector<string>>("configmap", config_map, archive_in);
+    parseAppsecJSONKey<vector<string>>("files", files, archive_in);
+    is_temporary = false;
     if (valid_modes.count(override_mode) == 0) {
         dbgWarning(D_LOCAL_POLICY) << "AppSec Snort Signatures override mode invalid: " << override_mode;
     }
@@ -470,6 +472,18 @@ NewSnortSignaturesAndOpenSchemaAPI::getConfigMap() const
     return config_map;
 }
 
+bool
+NewSnortSignaturesAndOpenSchemaAPI::isTemporary() const
+{
+    return is_temporary;
+}
+
+void
+NewSnortSignaturesAndOpenSchemaAPI::setTemporary(bool val)
+{
+    is_temporary = val;
+}
+
 void
 IpsProtectionsRulesSection::save(cereal::JSONOutputArchive &out_ar) const
 {

components/security_apps/local_policy_mgmt_gen/policy_maker_utils.cc

@@ -38,12 +38,6 @@ SecurityAppsWrapper::save(cereal::JSONOutputArchive &out_ar) const
     );
 }
 
-void
-PolicyWrapper::save(cereal::JSONOutputArchive &out_ar) const
-{
-    security_apps.save(out_ar);
-}
-
 string
 PolicyMakerUtils::getPolicyName(const string &policy_path)
 {
@@ -150,16 +144,19 @@ PolicyMakerUtils::splitHostName(const string &host_name)
 }
 
 string
-PolicyMakerUtils::dumpPolicyToFile(const PolicyWrapper &policy, const string &policy_path)
+PolicyMakerUtils::dumpPolicyToFile(
+    const PolicyWrapper &policy,
+    const string &policy_path,
+    const string &settings_path)
 {
     clearElementsMaps();
 
-    stringstream ss;
+    stringstream policy_ss, settings_ss;
     {
-        cereal::JSONOutputArchive ar(ss);
-        policy.save(ar);
+        cereal::JSONOutputArchive ar(policy_ss);
+        policy.getSecurityApps().save(ar);
     }
-    string policy_str = ss.str();
+    string policy_str = policy_ss.str();
     try {
         ofstream policy_file(policy_path);
         policy_file << policy_str;
@@ -169,6 +166,20 @@ PolicyMakerUtils::dumpPolicyToFile(const PolicyWrapper &policy, const string &po
         return "";
     }
 
+    {
+        cereal::JSONOutputArchive ar(settings_ss);
+        policy.getSettings().save(ar);
+    }
+    string settings_str = settings_ss.str();
+    try {
+        ofstream settings_file(settings_path);
+        settings_file << settings_str;
+        settings_file.close();
+    } catch (const ofstream::failure &e) {
+        dbgDebug(D_NGINX_POLICY) << "Error while writing settings to " << settings_path << ", Error: " << e.what();
+    }
+    dbgDebug(D_LOCAL_POLICY) << settings_path << " content: " << settings_str;
+
     return policy_str;
 }
 
@@ -517,6 +528,8 @@ extractLogTriggerData(const string &trigger_annotation_name, const T &trigger_sp
         trigger_spec.getAppsecTriggerAdditionalSuspiciousEventsLogging().getMinimumSeverity();
     bool tpDetect = trigger_spec.getAppsecTriggerLogging().isDetectEvents();
     bool tpPrevent = trigger_spec.getAppsecTriggerLogging().isPreventEvents();
+    bool acAllow = trigger_spec.getAppsecTriggerAccessControlLogging().isAcAllowEvents();
+    bool acDrop = trigger_spec.getAppsecTriggerAccessControlLogging().isAcDropEvents();
     bool webRequests = trigger_spec.getAppsecTriggerLogging().isAllWebRequests();
     bool webUrlPath = trigger_spec.getAppsecTriggerExtendedLogging().isUrlPath();
     bool webUrlQuery = trigger_spec.getAppsecTriggerExtendedLogging().isUrlQuery();
@@ -555,6 +568,8 @@ extractLogTriggerData(const string &trigger_annotation_name, const T &trigger_sp
         responseBody,
         tpDetect,
         tpPrevent,
+        acAllow,
+        acDrop,
         webBody,
         webHeaders,
         webRequests,
@@ -1004,13 +1019,21 @@ PolicyMakerUtils::createIpsSections(
 }
 
 void
-PolicyMakerUtils::createSnortProtecionsSection(const string &file_name, const string &practice_name)
+PolicyMakerUtils::createSnortProtecionsSection(const string &file_name, bool is_temporary)
 {
-    auto path = getFilesystemPathConfig() + "/conf/snort/snort_k8s_" + practice_name;
-    if (snort_protections.find(path) != snort_protections.end()) return;
+    auto path = getFilesystemPathConfig() + "/conf/snort/" + file_name;
+    string in_file = is_temporary ? path + ".rule" : path;
 
-    auto snort_scriipt_path = getFilesystemPathConfig() + "/scripts/snort_to_ips_local.py";
-    auto cmd = "python " + snort_scriipt_path + " " + path + ".rule " + path + ".out " + path + ".err";
+    if (snort_protections.find(path) != snort_protections.end()) {
+        dbgTrace(D_LOCAL_POLICY) << "Snort protections section for file " << file_name << " already exists";
+        return;
+    }
+    dbgTrace(D_LOCAL_POLICY)
+        << "Reading snort signatures from"
+        << (is_temporary ? " temporary" : "") << " file " << path;
+
+    auto snort_script_path = getFilesystemPathConfig() + "/scripts/snort_to_ips_local.py";
+    auto cmd = "python3 " + snort_script_path + " " + in_file + " " + path + ".out " + path + ".err";
 
     auto res = Singleton::Consume<I_ShellCmd>::by<LocalPolicyMgmtGenerator>()->getExecOutput(cmd);
 
@@ -1026,7 +1049,7 @@ PolicyMakerUtils::createSnortProtecionsSection(const string &file_name, const st
     }
 
     auto i_orchestration_tools = Singleton::Consume<I_OrchestrationTools>::by<LocalPolicyMgmtGenerator>();
-    i_orchestration_tools->removeFile(path + ".rule");
+    if (is_temporary) i_orchestration_tools->removeFile(in_file);
     i_orchestration_tools->removeFile(path + ".out");
     i_orchestration_tools->removeFile(path + ".err");
 
@@ -1055,7 +1078,14 @@ PolicyMakerUtils::createSnortSections(
         apssec_practice.getSnortSignatures().getFiles().size() == 0) {
         return;
     }
-    createSnortProtecionsSection(apssec_practice.getSnortSignatures().getFiles()[0], apssec_practice.getName());
+
+    if (apssec_practice.getSnortSignatures().isTemporary()) {
+        createSnortProtecionsSection("snort_k8s_" + apssec_practice.getName(), true);
+    } else if (apssec_practice.getSnortSignatures().getFiles().size() > 0) {
+        // when support for multiple files is ready, will iterate over the files array
+        auto file = apssec_practice.getSnortSignatures().getFiles()[0];
+        createSnortProtecionsSection(file, false);
+    }
 
     SnortProtectionsSection snort_section = SnortProtectionsSection(
         context,
@@ -1160,7 +1190,7 @@ PolicyMakerUtils::createWebAppSection(
         apssec_practice.getWebAttacks().getMaxUrlSizeBytes()
     );
     WebAppSection web_app = WebAppSection(
-        full_url == "Any" ? "" : full_url,
+        full_url == "Any" ? "http://*:*" : full_url,
         rule_config.getAssetId(),
         rule_config.getAssetName(),
         rule_config.getAssetId(),
@@ -1271,17 +1301,16 @@ PolicyMakerUtils::createThreatPreventionPracticeSections(
 
 }
 
-SettingsWrapper
-createProfilesSection()
+SettingsRulebase
+createSettingsSection(const AppSecAutoUpgradeSpec &upgrade_settings)
 {
     string agent_settings_key = "agent.test.policy";
     string agent_settings_value = "local policy";
     AgentSettingsSection agent_setting_1 = AgentSettingsSection(agent_settings_key, agent_settings_value);
 
-    SettingsRulebase settings_rulebase_1 = SettingsRulebase({agent_setting_1});
-    return SettingsWrapper(settings_rulebase_1);
+    return SettingsRulebase({agent_setting_1}, upgrade_settings);
+
 }
-// LCOV_EXCL_STOP
 
 PolicyWrapper
 PolicyMakerUtils::combineElementsToPolicy(const string &policy_version)
@@ -1313,8 +1342,8 @@ PolicyMakerUtils::combineElementsToPolicy(const string &policy_version)
         policy_version
     );
 
-    SettingsWrapper profiles_section = createProfilesSection();
-    PolicyWrapper policy_wrapper = PolicyWrapper(profiles_section, security_app_section);
+    SettingsRulebase settings_section = createSettingsSection(upgrade_settings);
+    PolicyWrapper policy_wrapper = PolicyWrapper(settings_section, security_app_section);
 
     return policy_wrapper;
 }
@@ -1433,7 +1462,7 @@ PolicyMakerUtils::createPolicyElementsByRule(
 
         if (!web_apps.count(rule_config.getAssetName())) {
             WebAppSection web_app = WebAppSection(
-                full_url == "Any" ? "" : full_url,
+                full_url == "Any" ? "http://*:*" : full_url,
                 rule_config.getAssetId(),
                 rule_config.getAssetName(),
                 rule_config.getAssetId(),
@@ -1553,6 +1582,7 @@ PolicyMakerUtils::createPolicyElementsByRule<V1beta2AppsecLinuxPolicy, NewParsed
         rule_annotations
     );
 
+    upgrade_settings = policy.getAppSecAutoUpgradeSpec();
 }
 // LCOV_EXCL_STOP
 

components/security_apps/local_policy_mgmt_gen/triggers_section.cc

@@ -35,6 +35,8 @@ LogTriggerSection::LogTriggerSection(
     bool _responseBody,
     bool _tpDetect,
     bool _tpPrevent,
+    bool _acAllow,
+    bool _acDrop,
     bool _webBody,
     bool _webHeaders,
     bool _webRequests,
@@ -58,6 +60,8 @@ LogTriggerSection::LogTriggerSection(
     responseBody(_responseBody),
     tpDetect(_tpDetect),
     tpPrevent(_tpPrevent),
+    acAllow(_acAllow),
+    acDrop(_acDrop),
     webBody(_webBody),
     webHeaders(_webHeaders),
     webRequests(_webRequests),
@@ -88,8 +92,8 @@ LogTriggerSection::save(cereal::JSONOutputArchive &out_ar) const
         cereal::make_nvp("triggerName",              name),
         cereal::make_nvp("triggerType",              trigger_type),
         cereal::make_nvp("verbosity",                verbosity),
-        cereal::make_nvp("acAllow",                  false),
-        cereal::make_nvp("acDrop",                   false),
+        cereal::make_nvp("acAllow",                  acAllow),
+        cereal::make_nvp("acDrop",                   acDrop),
         cereal::make_nvp("complianceViolations",     false),
         cereal::make_nvp("complianceWarnings",       false),
         cereal::make_nvp("extendloggingMinSeverity", extendloggingMinSeverity),
@@ -242,8 +246,8 @@ void
 AppsecTriggerAccessControlLogging::load(cereal::JSONInputArchive &archive_in)
 {
     dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Trigger - Access Control Logging";
-    parseAppsecJSONKey<bool>("allow-events", allow_events, archive_in, false);
-    parseAppsecJSONKey<bool>("drop-events", drop_events, archive_in, false);
+    parseAppsecJSONKey<bool>("allow-events", ac_allow_events, archive_in, false);
+    parseAppsecJSONKey<bool>("drop-events", ac_drop_events, archive_in, false);
 }
 
 void
@@ -526,6 +530,13 @@ AppsecTriggerSpec::getAppsecTriggerLogDestination() const
     return log_destination;
 }
 
+const AppsecTriggerAccessControlLogging &
+AppsecTriggerSpec::getAppsecTriggerAccessControlLogging() const
+{
+    return access_control_logging;
+}
+
+
 void
 TriggersWrapper::save(cereal::JSONOutputArchive &out_ar) const
 {