github_mirrors/openappsec
3
0
Fork 1
mirror of https://github.com/openappsec/openappsec.git synced 2025-09-29 11:16:30 +03:00
Code Issues Packages Projects Releases Wiki Activity

Jul 5th update

Browse Source
This commit is contained in:
Ned Wright
2023-07-05 23:32:39 +00:00
parent 22f1a984aa
commit a59f079ef7
85 changed files with 2488 additions and 1754 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
components/security_apps/orchestration/details_resolver/details_resolver_handlers/checkpoint_product_handlers.h
View File

@@ -70,6 +70,14 @@ checkHasSDWan(const string &command_output)
return genError("Current host does not have SDWAN capability");
}
Maybe<string>
checkCanUpdateSDWanData(const string &command_output)
{
if (command_output == "true" || command_output == "false") return command_output;
return string("true");
}
Maybe<string>
getMgmtObjType(const string &command_output)
{
@@ -157,6 +165,14 @@ getGWVersion(shared_ptr<istream> file_stream)
return getMgmtObjAttr(file_stream, "svn_version_name ");
}
Maybe<string>
checkIfSdwanRunning(const string &command_output)
{
if (command_output == "true" || command_output == "false") return command_output;
return genError("Could not determine if sd-wan is running or not");
}
Maybe<string>
getSmbObjectName(const string &command_output)
{

5
components/security_apps/orchestration/details_resolver/details_resolver_handlers/details_resolver_impl.h
View File

@@ -31,6 +31,11 @@
#if defined(gaia) || defined(smb)
SHELL_CMD_HANDLER("cpProductIntegrationMgmtObjectType", "cpprod_util CPPROD_IsMgmtMachine", getMgmtObjType)
SHELL_CMD_HANDLER("hasSDWan", "[ -f $FWDIR/bin/sdwan_steering ] && echo '1' || echo '0'", checkHasSDWan)
SHELL_CMD_HANDLER("canUpdateSDWanData", "cpsdwan get_data | jq -r .can_update_sdwan_data", checkCanUpdateSDWanData)
SHELL_CMD_HANDLER(
"isSdwanRunning",
"[ -v $(pidof cp-nano-sdwan) ] && echo 'false' || echo 'true'",
checkIfSdwanRunning)
#endif //gaia || smb
#if defined(gaia)

1
components/security_apps/orchestration/include/get_status_rest.h
View File

@@ -14,7 +14,6 @@
#ifndef __GET_STATUS_RES_H__
#define __GET_STATUS_RES_H__
#include "i_messaging_downloader.h"
#include "i_messaging.h"
#include "i_mainloop.h"
#include "i_shell_cmd.h"

39
components/security_apps/orchestration/include/mock/mock_messaging_downloader.h
View File

@@ -1,39 +0,0 @@
// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef __MOCK_MESSAGING_DOWNLOADER_H__
#define __MOCK_MESSAGING_DOWNLOADER_H__
#include "cptest.h"
#include <string>
#include "i_messaging_downloader.h"
class MockMessagingDownloader
:
public Singleton::Provide<I_MessagingDownloader>::From<MockProvider<I_MessagingDownloader>>
{
public:
MOCK_METHOD4(
downloadFile,
bool(
const std::string &,
const std::string &,
OnCompleteCB,
const unsigned int
)
);
};
#endif // __MOCK_MESSAGING_DOWNLOADER_H__

4
components/security_apps/orchestration/include/mock/mock_service_controller.h
View File

@@ -26,6 +26,10 @@ class MockServiceController :
public:
MOCK_METHOD0(refreshPendingServices, void());
MOCK_METHOD0(mockMoveChangedPolicies, std::set<std::string>());
std::set<std::string> tmp;
std::set<std::string> && moveChangedPolicies() override { tmp = mockMoveChangedPolicies(); return std::move(tmp); }
MOCK_METHOD0(doesFailedServicesExist, bool());
MOCK_METHOD0(clearFailedServices, void());

1
components/security_apps/orchestration/manifest_controller/manifest_controller_ut/manifest_controller_ut.cc
View File

@@ -740,6 +740,7 @@ TEST_F(ManifestControllerTest, selfUpdateWithOldCopyWithError)
orch_service_name;
EXPECT_CALL(mock_orchestration_tools, doesFileExist(path)).WillOnce(Return(false)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, copyFile(path, path + backup_ext + temp_ext)).WillOnce(Return(false));
EXPECT_CALL(mock_details_resolver, getHostname()).WillOnce(Return(hostname));
EXPECT_FALSE(i_manifest_controller->updateManifest(file_name));
}

49
components/security_apps/orchestration/manifest_controller/manifest_handler.cc
View File

@@ -145,23 +145,21 @@ ManifestHandler::downloadPackages(
}
}
downloaded_packages.clear();
auto agent_details = Singleton::Consume<I_AgentDetails>::by<ManifestHandler>();
auto hostname = Singleton::Consume<I_DetailsResolver>::by<ManifestHandler>()->getHostname();
string err_hostname = (hostname.ok() ? "on host '" + *hostname : "'" + agent_details->getAgentId()) + "'";
string install_error;
if (is_clean_installation) {
string error_hostname_addition = "";
auto maybe_hostname = Singleton::Consume<I_DetailsResolver>::by<ManifestHandler>()->getHostname();
if (maybe_hostname.ok()) {
error_hostname_addition = " on host '" + maybe_hostname.unpack() + "'";
}
install_error =
"Critical Error: Agent/Gateway was not fully deployed" +
error_hostname_addition +
"Critical Error: Agent/Gateway was not fully deployed " +
err_hostname +
" and is not enforcing a security policy. Retry installation or contact Check Point support.";
} else {
auto agent_details = Singleton::Consume<I_AgentDetails>::by<ManifestHandler>();
install_error =
"Warning: Agent/Gateway '" +
agent_details->getAgentId() +
"' software update failed. Agent is running previous software. Contact Check Point support.";
"Warning: Agent/Gateway " +
err_hostname +
" software update failed. Agent is running previous software. Contact Check Point support.";
}
auto orchestration_status = Singleton::Consume<I_OrchestrationStatus>::by<ManifestHandler>();
@@ -221,11 +219,13 @@ ManifestHandler::installPackages(
orchestration_status->writeStatusToFile();
bool self_update_status = selfUpdate(package, current_packages, package_handler_path);
if (!self_update_status) {
auto agent_details = Singleton::Consume<I_AgentDetails>::by<ManifestHandler>();
auto details = Singleton::Consume<I_AgentDetails>::by<ManifestHandler>();
auto hostname = Singleton::Consume<I_DetailsResolver>::by<ManifestHandler>()->getHostname();
string err_hostname = (hostname.ok() ? "on host '" + *hostname : "'" + details->getAgentId()) + "'";
string install_error =
"Warning: Agent/Gateway '" +
agent_details->getAgentId() +
"' software update failed. Agent is running previous software. Contact Check Point support.";
"Warning: Agent/Gateway " +
err_hostname +
" software update failed. Agent is running previous software. Contact Check Point support.";
if (orchestration_status->getManifestError().find("Gateway was not fully deployed") == string::npos) {
orchestration_status->setFieldStatus(
OrchestrationStatusFieldType::MANIFEST,
@@ -278,23 +278,20 @@ ManifestHandler::installPackages(
}
if (!current_result) {
auto agent_details = Singleton::Consume<I_AgentDetails>::by<ManifestHandler>();
auto hostname = Singleton::Consume<I_DetailsResolver>::by<ManifestHandler>()->getHostname();
string err_hostname = (hostname.ok() ? "on host '" + *hostname : "'" +agent_details->getAgentId()) + "'";
string install_error;
if (is_clean_installation) {
string error_hostname_addition = "";
auto maybe_hostname = Singleton::Consume<I_DetailsResolver>::by<ManifestHandler>()->getHostname();
if (maybe_hostname.ok()) {
error_hostname_addition = " on host '" + maybe_hostname.unpack() + "'";
}
install_error =
"Critical Error: Agent/Gateway was not fully deployed" +
error_hostname_addition +
"Critical Error: Agent/Gateway was not fully deployed " +
err_hostname +
" and is not enforcing a security policy. Retry installation or contact Check Point support.";
} else {
auto agent_details = Singleton::Consume<I_AgentDetails>::by<ManifestHandler>();
install_error =
"Warning: Agent/Gateway '" +
agent_details->getAgentId() +
"' software update failed. Agent is running previous software. Contact Check Point support.";
"Warning: Agent/Gateway " +
err_hostname +
" software update failed. Agent is running previous software. Contact Check Point support.";
}
corrupted_packages.insert(make_pair(package_name, package));
dbgWarning(D_ORCHESTRATOR) << "Failed to install package. Package: " << package_name;

176
components/security_apps/orchestration/orchestration_comp.cc
View File

@@ -41,6 +41,7 @@
#include "tenant_profile_pair.h"
#include "env_details.h"
#include "hybrid_communication.h"
#include "agent_core_utilities.h"
using namespace std;
using namespace chrono;
@@ -48,6 +49,14 @@ using namespace ReportIS;
USE_DEBUG_FLAG(D_ORCHESTRATOR);
static const string ls_prefix = "ls ";
static const string extract_tenant_profile_suffix =
"| grep tenant "
"| cut -d '_' -f 2,4 "
"| sort --unique "
"| awk -F '_' '{ printf \"%s %s \",$1,$2 }'";
class HealthCheckStatusListener : public Listener<HealthCheckStatusEvent>
{
public:
@@ -193,6 +202,7 @@ public:
ReportIS::Audience::INTERNAL
);
hybrid_mode_metric.registerListener();
loadExistingTenantsFromConfDir();
}
void
@@ -237,7 +247,9 @@ private:
}
policy_version = service_controller->getPolicyVersion();
Singleton::Consume<I_OrchestrationStatus>::by<OrchestrationComp>()->setPolicyVersion(policy_version);
if (!policy_version.empty()) {
Singleton::Consume<I_OrchestrationStatus>::by<OrchestrationComp>()->setPolicyVersion(policy_version);
}
} else {
dbgDebug(D_ORCHESTRATOR) << "Orchestration is running for the first time";
enforce_policy_flag = true;
@@ -277,6 +289,59 @@ private:
return authentication_res;
}
void
loadExistingTenantsFromConfDir()
{
dbgTrace(D_ORCHESTRATOR) << "Load existing tenants and profiles from the configuration folder";
string global_conf_dir = getConfigurationWithDefault<string>(
getFilesystemPathConfig()+ "/conf/",
"orchestration",
"Conf dir"
);
string shell_cmd_string = ls_prefix + global_conf_dir + extract_tenant_profile_suffix;
auto shell = Singleton::Consume<I_ShellCmd>::by<OrchestrationComp>();
Maybe<string> output_res = shell->getExecOutput(shell_cmd_string);
if (!output_res.ok()) {
dbgWarning(D_ORCHESTRATOR)
<< "Failed to load existing tenants from configuration folder: " + output_res.getErr();
return;
}
auto tenant_manager = Singleton::Consume<I_TenantManager>::by<OrchestrationComp>();
stringstream ss(output_res.unpack());
string tenant_id;
string profile_id;
while (!ss.eof() && getline(ss, tenant_id, ' ') && !ss.eof() && getline(ss, profile_id, ' ')) {
dbgTrace(D_ORCHESTRATOR) << "Add existing tenant_" + tenant_id + "_profile_" + profile_id;
tenant_manager->addActiveTenantAndProfile(tenant_id, profile_id);
}
}
void
deleteInactiveTenantProfileFiles(const string &tenant_id, const string &profile_id)
{
string global_conf_dir = getConfigurationWithDefault<string>(
getFilesystemPathConfig()+ "/conf/",
"orchestration",
"Conf dir"
);
string tenant_and_profile_suffix = "tenant_" + tenant_id + "_profile_" + profile_id;
string virtual_policy_dir = global_conf_dir + tenant_and_profile_suffix;
dbgTrace(D_ORCHESTRATOR) << "Delete virtual policy folder : " << virtual_policy_dir;
if (!NGEN::Filesystem::deleteDirectory(virtual_policy_dir, true)) {
dbgWarning(D_ORCHESTRATOR) << "Failed to delete virtual policy folder : " << virtual_policy_dir;
}
string settings_file_path = virtual_policy_dir + "_settings.json";
dbgTrace(D_ORCHESTRATOR) << "Delete settings file " << settings_file_path;
if (!NGEN::Filesystem::deleteFile(settings_file_path)) {
dbgWarning(D_ORCHESTRATOR) << "Failed to delete virtual policy settings file : " << settings_file_path;
}
}
Maybe<OrchestrationPolicy>
loadOrchestrationPolicy()
{
@@ -404,33 +469,30 @@ private:
dbgInfo(D_ORCHESTRATOR) << "There is a new manifest file.";
GetResourceFile resource_file(GetResourceFile::ResourceFileType::MANIFEST);
Maybe<string> new_manifest_file =
Singleton::Consume<I_Downloader>::by<OrchestrationComp>()->downloadFileFromFog(
orch_manifest.unpack(),
I_OrchestrationTools::SELECTED_CHECKSUM_TYPE,
resource_file
);
Singleton::Consume<I_Downloader>::by<OrchestrationComp>()->downloadFileFromFog(
orch_manifest.unpack(),
I_OrchestrationTools::SELECTED_CHECKSUM_TYPE,
resource_file
);
auto orch_status = Singleton::Consume<I_OrchestrationStatus>::by<OrchestrationComp>();
auto service_controller = Singleton::Consume<I_ServiceController>::by<OrchestrationComp>();
auto agent_details = Singleton::Consume<I_AgentDetails>::by<OrchestrationComp>();
static int service_to_port_size = service_controller->getServiceToPortMap().size();
auto hostname = Singleton::Consume<I_DetailsResolver>::by<ManifestHandler>()->getHostname();
string err_hostname = (hostname.ok() ? "on host '" + *hostname : "'" + agent_details->getAgentId()) + "'";
if (!new_manifest_file.ok()) {
string install_error;
if (!service_to_port_size) {
string error_hostname_addition = "";
auto maybe_hostname = Singleton::Consume<I_DetailsResolver>::by<ManifestHandler>()->getHostname();
if (maybe_hostname.ok()) {
error_hostname_addition = " on host '" + maybe_hostname.unpack() + "'";
}
install_error =
"Critical Error: Agent/Gateway was not fully deployed" +
error_hostname_addition +
"Critical Error: Agent/Gateway was not fully deployed " +
err_hostname +
" and is not enforcing a security policy. Retry installation or contact Check Point support.";
} else {
install_error =
"Warning: Agent/Gateway '" +
agent_details->getAgentId() +
"' software update failed. Agent is running previous software. Contact Check Point support.";
"Warning: Agent/Gateway " +
err_hostname +
" software update failed. Agent is running previous software. Contact Check Point support.";
}
dbgTrace(D_ORCHESTRATOR)
<< "Manifest failed to be updated. Error: "
@@ -455,9 +517,9 @@ private:
auto manifest_controller = Singleton::Consume<I_ManifestController>::by<OrchestrationComp>();
if (!manifest_controller->updateManifest(new_manifest_file.unpack())) {
string install_error =
"Warning: Agent/Gateway '" +
agent_details->getAgentId() +
"' software update failed. Agent is running previous software. Contact Check Point support.";
"Warning: Agent/Gateway " +
err_hostname +
" software update failed. Agent is running previous software. Contact Check Point support.";
string current_error = orch_status->getManifestError();
if (current_error.find("Gateway was not fully deployed") == string::npos) {
orch_status->setFieldStatus(
@@ -499,9 +561,9 @@ private:
}
string manifest_success_notification_message(
"Agent/Gateway '" +
agent_details->getAgentId() +
"' software update succeeded. Agent is running latest software."
"Agent/Gateway " +
err_hostname +
" software update succeeded. Agent is running latest software."
);
LogGen manifest_success_notification(
manifest_success_notification_message,
@@ -517,7 +579,6 @@ private:
return Maybe<void>();
}
// LCOV_EXCL_START Reason: future changes will be done
bool
updateServiceConfigurationFromBackup()
{
@@ -565,7 +626,6 @@ private:
dbgWarning (D_ORCHESTRATOR) << "Failed to load Orchestration policy.";
return false;
}
// LCOV_EXCL_STOP
string
updatePolicyAndFogAddress(const OrchestrationPolicy &orchestration_policy)
@@ -582,7 +642,9 @@ private:
auto service_controller = Singleton::Consume<I_ServiceController>::by<OrchestrationComp>();
string new_policy_version = service_controller->getPolicyVersion();
Singleton::Consume<I_OrchestrationStatus>::by<OrchestrationComp>()->setPolicyVersion(new_policy_version);
if (!new_policy_version.empty()) {
Singleton::Consume<I_OrchestrationStatus>::by<OrchestrationComp>()->setPolicyVersion(new_policy_version);
}
auto update_communication = Singleton::Consume<I_UpdateCommunication>::by<OrchestrationComp>();
auto path_policy_version = update_communication->sendPolicyVersion(new_policy_version);
if (!path_policy_version.ok()) {
@@ -617,7 +679,7 @@ private:
"last fog policy file extension"
);
if (!orchestration_tools->copyFile(new_policy_file.unpack(), conf_path + last_ext)) {
dbgWarning(D_ORCHESTRATOR) << "Failed to copy a new policy file to " << conf_path + last_ext;
dbgWarning(D_ORCHESTRATOR) << "Failed to copy a new policy file to " << conf_path + last_ext;
}
// Calculate the changes between the existing policy to the new one.
@@ -648,6 +710,11 @@ private:
"Settings file path"
);
set<string> changed_policy_files = service_controller->moveChangedPolicies();
for (const string &changed_policy_file : changed_policy_files) {
orchestration_tools->writeFile("{}\n", changed_policy_file);
}
service_controller->updateServiceConfiguration(policy_file, setting_file, data_updates);
LogGen(
error_str,
@@ -661,6 +728,7 @@ private:
return genError(error_str);
}
service_controller->moveChangedPolicies();
// Reload the orchestration policy, in case of the policy updated
auto orchestration_policy = loadDefaultOrchestrationPolicy();
@@ -672,8 +740,6 @@ private:
if (new_policy_version.empty()) {
return genError("Failed to load Orchestration new policy file.");
}
reloadConfiguration();
if (getProfileAgentSettingWithDefault<bool>(false, "agent.config.orchestration.reportAgentDetail")) {
service_controller->clearFailedServices();
reportAgentDetailsMetaData();
@@ -1021,12 +1087,13 @@ private:
vector<string> data_updates;
update_results[OrchestrationStatusConfigType::DATA] = handleDataUpdate(orch_data, data_updates);
update_results[OrchestrationStatusConfigType::POLICY] = handlePolicyUpdate(
orch_policy,
settings_path,
data_updates
);
if (!orch_manifest.ok() && orch_policy.ok()) {
update_results[OrchestrationStatusConfigType::POLICY] = handlePolicyUpdate(
orch_policy,
settings_path,
data_updates
);
}
if (!orch_policy.ok() && (data_updates.size() > 0 || settings_path != "")) {
auto service_controller = Singleton::Consume<I_ServiceController>::by<OrchestrationComp>();
bool res = service_controller->updateServiceConfiguration(
@@ -1046,22 +1113,19 @@ private:
string recommended_fix;
string msg;
bool is_deploy_error = current_error.find("Critical") != string::npos;
auto hostname = Singleton::Consume<I_DetailsResolver>::by<ManifestHandler>()->getHostname();
string err_hostname = (hostname.ok() ? "on host '" + *hostname : "'" + agent_details->getAgentId()) + "'";
if (is_deploy_error) {
string error_hostname_addition = "";
auto maybe_hostname = Singleton::Consume<I_DetailsResolver>::by<ManifestHandler>()->getHostname();
if (maybe_hostname.ok()) {
error_hostname_addition = " on host '" + maybe_hostname.unpack() + "'";
}
msg =
"Agent/Gateway was not fully deployed" +
error_hostname_addition +
"Agent/Gateway was not fully deployed " +
err_hostname +
" and is not enforcing a security policy.";
recommended_fix = "Retry installation or contact Check Point support.";
} else if (current_error.find("Warning") != string::npos) {
msg =
"Agent/Gateway '" +
agent_details->getAgentId() +
"' software update failed. Agent is running previous software.";
"Agent/Gateway " +
err_hostname +
" software update failed. Agent is running previous software.";
recommended_fix = "Contact Check Point support.";
}
if (!msg.empty() && !recommended_fix.empty()) {
@@ -1114,7 +1178,11 @@ private:
bool is_empty = true;
GetResourceFile resource_v_policy_file(GetResourceFile::ResourceFileType::VIRTUAL_POLICY);
I_Downloader *downloader = Singleton::Consume<I_Downloader>::by<OrchestrationComp>();
auto tenant_manager = Singleton::Consume<I_TenantManager>::by<OrchestrationComp>();
map<string, set<string>> profiles_to_be_deleted =
tenant_manager->fetchAndUpdateActiveTenantsAndProfiles(false);
for (const auto &tenant: *updated_policy_tenants) {
profiles_to_be_deleted[tenant.getTenantID()].erase(tenant.getProfileID());
if (!tenant.getVersion().empty()) {
is_empty = false;
@@ -1127,7 +1195,6 @@ private:
<< tenant.getTenantID()
<< " Profile: "
<< profile_to_use;
auto tenant_manager = Singleton::Consume<I_TenantManager>::by<OrchestrationComp>();
tenant_manager->addActiveTenantAndProfile(tenant.getTenantID(), profile_to_use);
resource_v_policy_file.addTenant(
@@ -1204,6 +1271,22 @@ private:
}
}
for (const auto &tenant_profile_set : profiles_to_be_deleted) {
auto tenant_id = tenant_profile_set.first;
for (const auto &profile_id: tenant_profile_set.second) {
dbgTrace(D_ORCHESTRATOR)
<< "Delete configuration files for inactive profile: "
<< "Tenant ID: "
<< tenant_id
<< ", Profile ID: "
<< profile_id;
tenant_manager->deactivateTenant(tenant_id, profile_id);
deleteInactiveTenantProfileFiles(tenant_id, profile_id);
}
}
clearOldTenants();
for (auto it = sorted_files.begin(); it != sorted_files.end(); it++) {
const auto &downloaded_files = *it;
auto files = downloaded_files.second;
@@ -1574,6 +1657,9 @@ private:
auto server = TagAndEnumManagement::convertStringToTag(server_name);
if (server.ok()) tags.insert(*server);
if (getAttribute("no-setting", "CROWDSEC_ENABLED") == "true") tags.insert(Tags::CROWDSEC);
if (getAttribute("no-setting", "PLAYGROUND") == "true") tags.insert(Tags::PLAYGROUND);
Report registration_report(
"Local Agent Data",
Singleton::Consume<I_TimeGet>::by<OrchestrationComp>()->getWalltime(),

29
components/security_apps/orchestration/orchestration_ut/orchestration_multitenant_ut.cc
View File

@@ -17,7 +17,6 @@
#include "mock/mock_time_get.h"
#include "mock/mock_rest_api.h"
#include "mock/mock_tenant_manager.h"
#include "mock/mock_messaging_downloader.h"
#include "config.h"
#include "config_component.h"
#include "agent_details.h"
@@ -35,7 +34,6 @@ public:
mockRestCall(RestAction::SET, "new-configuration", _)
).WillOnce(WithArg<2>(Invoke(this, &OrchestrationMultitenancyTest::setNewConfiguration)));
EXPECT_CALL(tenant_manager, getTimeoutVal()).WillOnce(Return(chrono::microseconds(0)));
EXPECT_CALL(
mock_ml,
addRecurringRoutine(I_MainLoop::RoutineType::System, _, _, _, _)
@@ -76,6 +74,17 @@ public:
).WillOnce(Return(true));
doEncrypt();
EXPECT_CALL(
mock_shell_cmd,
getExecOutput(
"ls /etc/cp/conf/"
"| grep tenant "
"| cut -d '_' -f 2,4 "
"| sort --unique "
"| awk -F '_' '{ printf \"%s %s \",$1,$2 }'",
_,
_
)).WillOnce(Return(Maybe<string>(string(""))));
orchestration_comp.init();
}
@@ -173,7 +182,6 @@ public:
StrictMock<MockServiceController> mock_service_controller;
StrictMock<MockManifestController> mock_manifest_controller;
StrictMock<MockUpdateCommunication> mock_update_communication;
StrictMock<MockMessagingDownloader> mock_messaging_downloader;
StrictMock<MockTenantManager> tenant_manager;
NiceMock<MockOrchestrationStatus> mock_status;
@@ -225,6 +233,10 @@ TEST_F(OrchestrationMultitenancyTest, handle_virtual_resource)
string first_policy_version = "";
string host_url = "https://" + host_address + "/";
stringstream debug_output;
Debug::setNewDefaultStdout(&debug_output);
Debug::setUnitTestFlag(D_ORCHESTRATOR, Debug::DebugLevel::TRACE);
EXPECT_CALL(
rest,
mockRestCall(RestAction::ADD, "proxy", _)
@@ -266,7 +278,13 @@ TEST_F(OrchestrationMultitenancyTest, handle_virtual_resource)
.Times(2).WillRepeatedly(ReturnRef(first_policy_version));
set<string> active_tenants = { "1236", "1235" };
map<string, set<string>> old_tenant_profile_set;
set<string> old_profiles = { "123123" };
old_tenant_profile_set["321321"] = old_profiles;
EXPECT_CALL(tenant_manager, fetchActiveTenants()).WillOnce(Return(active_tenants));
EXPECT_CALL(tenant_manager, fetchAndUpdateActiveTenantsAndProfiles(false))
.WillOnce(Return(old_tenant_profile_set));
EXPECT_CALL(tenant_manager, deactivateTenant("321321", "123123")).Times(1);
EXPECT_CALL(tenant_manager, addActiveTenantAndProfile("1235", "2311"));
EXPECT_CALL(tenant_manager, addActiveTenantAndProfile("1236", "2611"));
@@ -479,4 +497,9 @@ TEST_F(OrchestrationMultitenancyTest, handle_virtual_resource)
try {
runRoutine();
} catch (const invalid_argument& e) {}
string debug_str_folder = "Delete virtual policy folder : /etc/cp/conf/tenant_321321_profile_123123";
string debug_str_settings = "Delete settings file /etc/cp/conf/tenant_321321_profile_123123_settings.json";
EXPECT_THAT(debug_output.str(), HasSubstr(debug_str_folder));
EXPECT_THAT(debug_output.str(), HasSubstr(debug_str_settings));
Debug::setNewDefaultStdout(&cout);
}

255
components/security_apps/orchestration/orchestration_ut/orchestration_ut.cc
View File

@@ -16,7 +16,6 @@
#include "mock/mock_messaging.h"
#include "mock/mock_time_get.h"
#include "mock/mock_rest_api.h"
#include "mock/mock_messaging_downloader.h"
#include "mock/mock_tenant_manager.h"
#include "config.h"
#include "config_component.h"
@@ -95,6 +94,17 @@ public:
)).WillRepeatedly(DoAll(SaveArg<1>(&message_body), Return(Maybe<string>(string("")))));
doEncrypt();
EXPECT_CALL(
mock_shell_cmd,
getExecOutput(
"ls /etc/cp/conf/"
"| grep tenant "
"| cut -d '_' -f 2,4 "
"| sort --unique "
"| awk -F '_' '{ printf \"%s %s \",$1,$2 }'",
_,
_
)).WillOnce(Return(Maybe<string>(string(""))));
orchestration_comp.init();
}
@@ -138,6 +148,7 @@ public:
EXPECT_CALL(mock_details_resolver, isVersionEqualOrAboveR8110()).WillRepeatedly(Return(false));
EXPECT_CALL(mock_details_resolver, parseNginxMetadata()).WillRepeatedly(Return(no_nginx));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillRepeatedly(Return("1.1.1"));
EXPECT_CALL(mock_details_resolver, getHostname()).WillRepeatedly(Return(string("hostname")));
map<string, string> resolved_mgmt_details({{"kernel_version", "4.4.0-87-generic"}});
EXPECT_CALL(mock_details_resolver, getResolvedDetails()).WillRepeatedly(Return(resolved_mgmt_details));
@@ -277,7 +288,6 @@ public:
unique_ptr<ServerRest> rest_status;
StrictMock<MockOrchestrationTools> mock_orchestration_tools;
StrictMock<MockDownloader> mock_downloader;
StrictMock<MockMessagingDownloader> mock_messaging_downloader;
StrictMock<MockShellCmd> mock_shell_cmd;
StrictMock<MockMessaging> mock_message;
StrictMock<MockRestApi> rest;
@@ -538,6 +548,222 @@ TEST_F(OrchestrationTest, check_sending_registration_data)
EXPECT_THAT(message_body, HasSubstr("\"NGINX Server\""));
}
TEST_F(OrchestrationTest, orchestrationPolicyUpdatRollback)
{
Debug::setUnitTestFlag(D_CONFIG, Debug::DebugLevel::TRACE);
waitForRestCall();
preload();
EXPECT_CALL(
mock_ml,
addOneTimeRoutine(I_MainLoop::RoutineType::Offline, _, "Send policy update report", _)
).WillOnce(Return(1));
EXPECT_CALL(
rest,
mockRestCall(RestAction::ADD, "proxy", _)
).WillOnce(WithArg<2>(Invoke(this, &OrchestrationTest::restHandler)));
EXPECT_CALL(mock_status, setFogAddress(host_url)).Times(2);
string config_json =
"{\n"
"\"agentSettings\": [{\n"
"\"key\": \"agent.config.orchestration.reportAgentDetail\",\n"
"\"id\": \"id1\",\n"
"\"value\": \"true\"\n"
"}]\n"
"}\n";
istringstream ss(config_json);
Singleton::Consume<Config::I_Config>::from(config_comp)->loadConfiguration(ss);
init();
// All duplicates should be removed in INXT-35947
string orchestration_policy_file_path = "/etc/cp/conf/orchestration/orchestration.policy";
string manifest_file_path = "/etc/cp/conf/manifest.json";
string setting_file_path = "/etc/cp/conf/settings.json";
string policy_file_path = "/etc/cp/conf/policy.json";
string policy_file_path_bk = "/etc/cp/conf/policy.json.bk";
string last_policy_file_path = "/etc/cp/conf/policy.json.last";
string data_file_path = "/etc/cp/conf/data.json";
string host_address = "1.2.3.5";
string new_host_address = "6.2.3.5";
string new_host_url = "https://" + new_host_address + "/test/";
string new_policy_path = "/some-path";
string manifest_checksum = "manifest";
string policy_checksum = "policy";
string settings_checksum = "settings";
string data_checksum = "data";
string new_policy_checksum= "111111";
string second_val = "12";
string third_val = "13";
Maybe<string> policy_response(
string(
"{\n"
" \"fog-address\": \"" + host_url + "\",\n"
" \"agent-type\": \"test\",\n"
" \"pulling-interval\": 25,\n"
" \"error-pulling-interval\": 15\n"
"}"
)
);
Maybe<string> new_policy_response(
string(
"{\n"
" \"fog-address\": \"" + new_host_url + "\",\n"
" \"agent-type\": \"test\",\n"
" \"pulling-interval\": 25,\n"
" \"error-pulling-interval\": 15\n"
"}"
)
);
set<string> expected_changed_policies = {};
EXPECT_CALL(mock_service_controller, mockMoveChangedPolicies()).WillOnce(Return(expected_changed_policies));
EXPECT_CALL(mock_status, setFogAddress(new_host_url));
EXPECT_CALL(mock_orchestration_tools, doesFileExist(orchestration_policy_file_path)).WillOnce(Return(true));
// Rollback related test: The readFile function is called 3 times:
// 1. Read the current policy file
// 2. Read the new policy file - The one that should fail
// 3. Read the current policy file again - The one that should be restored
EXPECT_CALL(mock_orchestration_tools, readFile(orchestration_policy_file_path))
.WillOnce(Return(policy_response))
.WillOnce(Return(new_policy_response))
.WillOnce(Return(policy_response));
EXPECT_CALL(mock_orchestration_tools, copyFile(new_policy_path, policy_file_path + ".last"))
.WillOnce(Return(true));
EXPECT_CALL(mock_message, setActiveFog(host_address, 443, true, MessageTypeTag::GENERIC))
.Times(2).WillRepeatedly(Return(true));
EXPECT_CALL(mock_update_communication, setAddressExtenesion("")).Times(2);
EXPECT_CALL(mock_update_communication, authenticateAgent()).WillOnce(Return(Maybe<void>()));
expectDetailsResolver();
EXPECT_CALL(mock_manifest_controller, loadAfterSelfUpdate()).WillOnce(Return(false));
EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::SHA256, manifest_file_path))
.WillOnce(Return(manifest_checksum));
EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::SHA256, setting_file_path))
.WillOnce(Return(settings_checksum));
EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::SHA256, policy_file_path))
.WillOnce(Return(policy_checksum));
EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::SHA256, data_file_path))
.WillOnce(Return(data_checksum));
// Rollback related test: After failing to update the policy file, the policy version should be restored
EXPECT_CALL(mock_service_controller, getPolicyVersion())
.Times(5)
.WillOnce(ReturnRef(first_policy_version))
.WillOnce(ReturnRef(first_policy_version))
.WillOnce(ReturnRef(second_val))
.WillOnce(ReturnRef(third_val))
.WillOnce(ReturnRef(second_val)
);
EXPECT_CALL(mock_status, setPolicyVersion(third_val));
EXPECT_CALL(mock_status, setPolicyVersion(second_val));
EXPECT_CALL(mock_update_communication, sendPolicyVersion("13")).Times(1).WillOnce(Return(Maybe<void>()));
// Rollback related test: The old policy version 12 is restored
EXPECT_CALL(mock_update_communication, sendPolicyVersion("12")).Times(1).WillOnce(Return(Maybe<void>()));
EXPECT_CALL(mock_update_communication, getUpdate(_)).WillOnce(
Invoke(
[&](CheckUpdateRequest &req)
{
EXPECT_THAT(req.getPolicy(), IsValue(policy_checksum));
EXPECT_THAT(req.getSettings(), IsValue(settings_checksum));
EXPECT_THAT(req.getManifest(), IsValue(manifest_checksum));
EXPECT_THAT(req.getData(), IsValue(data_checksum));
req = CheckUpdateRequest("", new_policy_checksum, "", "", "", "");
return Maybe<void>();
}
)
);
GetResourceFile policy_file(GetResourceFile::ResourceFileType::POLICY);
EXPECT_CALL(
mock_downloader,
downloadFileFromFog(new_policy_checksum, Package::ChecksumTypes::SHA256, policy_file)
).WillOnce(Return(Maybe<std::string>(new_policy_path)));
vector<string> expected_data_types = {};
EXPECT_CALL(
mock_service_controller,
updateServiceConfiguration(policy_file_path, setting_file_path, expected_data_types, "", "", _)
).WillOnce(Return(true));
EXPECT_CALL(
mock_service_controller,
updateServiceConfiguration(new_policy_path, "", expected_data_types, "", "", _)
).WillOnce(Return(true));
EXPECT_CALL(
mock_message,
setActiveFog(new_host_address, 443, true, MessageTypeTag::GENERIC)
).WillOnce(Return(true));
EXPECT_CALL(mock_update_communication, setAddressExtenesion("/test"));
EXPECT_CALL(mock_status, setLastUpdateAttempt());
EXPECT_CALL(
mock_status,
setFieldStatus(OrchestrationStatusFieldType::LAST_UPDATE, OrchestrationStatusResult::SUCCESS, "")
);
EXPECT_CALL(mock_status, setIsConfigurationUpdated(A<EnumArray<OrchestrationStatusConfigType, bool>>())
).WillOnce(
Invoke(
[](EnumArray<OrchestrationStatusConfigType, bool> arr)
{
EXPECT_EQ(arr[OrchestrationStatusConfigType::MANIFEST], false);
EXPECT_EQ(arr[OrchestrationStatusConfigType::POLICY], true);
EXPECT_EQ(arr[OrchestrationStatusConfigType::SETTINGS], false);
}
)
);
EXPECT_CALL(mock_ml, yield(A<chrono::microseconds>()))
.WillOnce(
Invoke(
[] (chrono::microseconds microseconds)
{
EXPECT_EQ(1000000, microseconds.count());
}
)
)
.WillOnce(
Invoke(
[] (chrono::microseconds microseconds)
{
EXPECT_EQ(25000000, microseconds.count());
throw invalid_argument("stop while loop");
}
)
);
EXPECT_CALL(
mock_shell_cmd,
getExecOutput(_, _, _)
).WillRepeatedly(Return(string("daniel\n1\n")));
EXPECT_CALL(mock_service_controller, clearFailedServices());
EXPECT_CALL(mock_service_controller, doesFailedServicesExist()).WillOnce(Return(true));
EXPECT_CALL(
mock_service_controller,
updateServiceConfiguration(policy_file_path_bk, _, _, _, _, _)
).WillOnce(Return(true));
EXPECT_CALL(
mock_orchestration_tools,
copyFile(policy_file_path_bk, policy_file_path)
).WillOnce(Return(true));
try {
runRoutine();
} catch (const invalid_argument& e) {}
}
TEST_F(OrchestrationTest, orchestrationPolicyUpdate)
{
waitForRestCall();
@@ -597,6 +823,9 @@ TEST_F(OrchestrationTest, orchestrationPolicyUpdate)
)
);
set<string> expected_changed_policies = {};
EXPECT_CALL(mock_service_controller, mockMoveChangedPolicies()).WillOnce(Return(expected_changed_policies));
EXPECT_CALL(mock_status, setFogAddress(new_host_url));
EXPECT_CALL(mock_orchestration_tools, doesFileExist(orchestration_policy_file_path)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, readFile(orchestration_policy_file_path))
@@ -628,7 +857,6 @@ TEST_F(OrchestrationTest, orchestrationPolicyUpdate)
.WillOnce(ReturnRef(second_val))
.WillOnce(ReturnRef(third_val)
);
EXPECT_CALL(mock_status, setPolicyVersion(first_policy_version));
EXPECT_CALL(mock_status, setPolicyVersion(third_val));
EXPECT_CALL(mock_update_communication, sendPolicyVersion("13")).Times(1).WillOnce(Return(Maybe<void>()));
@@ -781,7 +1009,6 @@ TEST_F(OrchestrationTest, startOrchestrationPoliceWithFailures)
EXPECT_CALL(mock_service_controller, getPolicyVersion())
.Times(2).WillRepeatedly(ReturnRef(first_policy_version));
EXPECT_CALL(mock_status, setPolicyVersion(first_policy_version));
EXPECT_CALL(mock_update_communication, getUpdate(_)).WillOnce(
Invoke(
@@ -910,7 +1137,6 @@ TEST_F(OrchestrationTest, loadOrchestrationPolicyFromBackup)
EXPECT_CALL(mock_service_controller, getPolicyVersion())
.Times(2).WillRepeatedly(ReturnRef(first_policy_version));
EXPECT_CALL(mock_status, setPolicyVersion(first_policy_version));
EXPECT_CALL(mock_update_communication, getUpdate(_)).WillOnce(
Invoke(
[&](CheckUpdateRequest &req)
@@ -1039,7 +1265,6 @@ TEST_F(OrchestrationTest, manifestUpdate)
EXPECT_CALL(mock_service_controller, getPolicyVersion())
.Times(2).WillRepeatedly(ReturnRef(first_policy_version));
EXPECT_CALL(mock_status, setPolicyVersion(first_policy_version));
EXPECT_CALL(mock_update_communication, getUpdate(_)).WillOnce(
Invoke(
[&](CheckUpdateRequest &req)
@@ -1165,11 +1390,14 @@ TEST_F(OrchestrationTest, getBadPolicyUpdate)
EXPECT_CALL(mock_status, setFogAddress(host_url));
vector<string> expected_data_types = {};
EXPECT_CALL(
mock_service_controller,
updateServiceConfiguration(policy_file_path, setting_file_path, expected_data_types, "", "", _)
).Times(2).WillRepeatedly(Return(true));
set<string> expected_changed_policies = {};
EXPECT_CALL(mock_service_controller, mockMoveChangedPolicies()).WillOnce(Return(expected_changed_policies));
EXPECT_CALL(mock_orchestration_tools, doesFileExist(orchestration_policy_file_path)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, readFile(orchestration_policy_file_path)).WillOnce(Return(response));
EXPECT_CALL(mock_orchestration_tools, copyFile(new_policy_path, policy_file_path + ".last"))
@@ -1215,7 +1443,6 @@ TEST_F(OrchestrationTest, getBadPolicyUpdate)
.WillOnce(ReturnRef(first_policy_version))
.WillOnce(ReturnRef(second_val)
);
EXPECT_CALL(mock_status, setPolicyVersion(first_policy_version));
EXPECT_CALL(mock_status, setLastUpdateAttempt());
EXPECT_CALL(
mock_status,
@@ -1250,8 +1477,8 @@ TEST_F(OrchestrationTest, getBadPolicyUpdate)
EXPECT_CALL(
mock_service_controller,
updateServiceConfiguration(string("policy path"), "", expected_data_types, "", "", _)).WillOnce(Return(false)
);
updateServiceConfiguration(string("policy path"), "", expected_data_types, "", "", _)
).WillOnce(Return(false));
EXPECT_CALL(mock_ml, yield(A<chrono::microseconds>()))
.WillOnce(
@@ -1343,7 +1570,6 @@ TEST_F(OrchestrationTest, failedDownloadSettings)
EXPECT_CALL(mock_service_controller, getPolicyVersion())
.Times(2).WillRepeatedly(ReturnRef(first_policy_version));
EXPECT_CALL(mock_status, setPolicyVersion(first_policy_version));
EXPECT_CALL(mock_update_communication, getUpdate(_)).WillOnce(
Invoke(
[&](CheckUpdateRequest &req)
@@ -1374,7 +1600,6 @@ TEST_F(OrchestrationTest, failedDownloadSettings)
manifest_err
)
).Times(1);
EXPECT_CALL(mock_details_resolver, getHostname()).Times(2).WillRepeatedly(Return(string("hostname")));
EXPECT_CALL(mock_status, getManifestError()).WillOnce(ReturnRef(manifest_err));
EXPECT_CALL(mock_status, setIsConfigurationUpdated(A<EnumArray<OrchestrationStatusConfigType, bool>>())
@@ -1400,13 +1625,6 @@ TEST_F(OrchestrationTest, failedDownloadSettings)
manifest_file
)
).WillOnce(Return(download_error));
EXPECT_CALL(mock_downloader,
downloadFileFromFog(
string("policy-checksum"),
Package::ChecksumTypes::SHA256,
policy_file
)
).WillOnce(Return(download_error));
EXPECT_CALL(mock_downloader,
downloadFileFromFog(
string("settings-checksum"),
@@ -1754,7 +1972,6 @@ TEST_F(OrchestrationTest, dataUpdate)
EXPECT_CALL(mock_service_controller, getPolicyVersion())
.Times(2).WillRepeatedly(ReturnRef(first_policy_version));
EXPECT_CALL(mock_status, setPolicyVersion(first_policy_version));
EXPECT_CALL(mock_update_communication, getUpdate(_)).WillOnce(
Invoke(
[&](CheckUpdateRequest &req)

89
components/security_apps/orchestration/service_controller/service_controller.cc
View File

@@ -181,6 +181,11 @@ ServiceDetails::serialize(Archive &ar)
ReconfStatus
ServiceDetails::sendNewConfigurations(int configuration_id, const string &policy_version)
{
if(!isServiceActive()) {
dbgDebug(D_ORCHESTRATOR) << "Service " << service_name << " is inactive";
return ReconfStatus::INACTIVE;
}
SendConfigurations new_config(configuration_id, policy_version);
I_Messaging *messaging = Singleton::Consume<I_Messaging>::by<ServiceController>();
@@ -194,14 +199,12 @@ ServiceDetails::sendNewConfigurations(int configuration_id, const string &policy
conn_flags,
"/set-new-configuration"
);
if (!res) {
if(!isServiceActive()) {
dbgDebug(D_ORCHESTRATOR) << "Service " << service_name << " is inactive";
return ReconfStatus::INACTIVE;
}
dbgDebug(D_ORCHESTRATOR) << "Service " << service_name << " didn't respond to new configuration request";
return ReconfStatus::FAILED;
}
auto service_details = Singleton::Consume<I_ServiceController>::by<ServiceDetails>();
if (new_config.finished.get()) {
@@ -300,6 +303,8 @@ public:
void clearFailedServices() override;
set<string> && moveChangedPolicies() override;
private:
void cleanUpVirtualFiles();
@@ -320,6 +325,8 @@ private:
void loadRegisteredServicesFromFile();
void writeRegisteredServicesToFile();
bool backupConfigurationFile(const string &configuration_file_path);
int configuration_id = 0;
map<string, ServiceDetails> registered_services;
map<string, ServiceDetails> pending_services;
@@ -332,6 +339,10 @@ private:
map<int, string> services_reconf_ids;
string filesystem_prefix;
bool is_multi_tenant_env = false;
set<string> changed_policy_files;
I_OrchestrationTools *orchestration_tools = nullptr;
I_MainLoop *mainloop = nullptr;
};
class GetServicesPorts : public ServerRest
@@ -410,6 +421,12 @@ ServiceController::Impl::doesFailedServicesExist()
}
// LCOV_EXCL_STOP
set<string> &&
ServiceController::Impl::moveChangedPolicies()
{
return move(changed_policy_files);
}
void
ServiceController::Impl::init()
{
@@ -418,6 +435,9 @@ ServiceController::Impl::init()
rest->addRestCall<GetServicesPorts>(RestAction::SHOW, "all-service-ports");
rest->addRestCall<ServiceReconfStatusMonitor>(RestAction::SET, "reconf-status");
orchestration_tools = Singleton::Consume<I_OrchestrationTools>::by<ServiceController>();
mainloop = Singleton::Consume<I_MainLoop>::by<ServiceController>();
Singleton::Consume<I_MainLoop>::by<ServiceController>()->addRecurringRoutine(
I_MainLoop::RoutineType::System,
chrono::seconds(
@@ -613,6 +633,29 @@ ServiceController::Impl::refreshPendingServices()
writeRegisteredServicesToFile();
}
bool
ServiceController::Impl::backupConfigurationFile(const string &config_file_path)
{
uint max_backup_attempts = 3;
string backup_ext = getConfigurationWithDefault<string>(".bk", "orchestration", "Backup file extension");
string backup_file = config_file_path + backup_ext;
if (!orchestration_tools->doesFileExist(config_file_path)) {
dbgTrace(D_ORCHESTRATOR) << "File does not exist. File: " << config_file_path;
return true;
}
for (size_t i = 0; i < max_backup_attempts; i++) {
if (orchestration_tools->copyFile(config_file_path, backup_file)) {
return true;
}
mainloop->yield(false);
}
dbgWarning(D_ORCHESTRATOR) << "Failed to back up the file. File: " << config_file_path;
return false;
}
bool
ServiceController::Impl::updateServiceConfiguration(
const string &new_policy_path,
@@ -665,19 +708,23 @@ ServiceController::Impl::updateServiceConfiguration(
return sendSignalForServices(nano_services_to_update, "");
}
I_OrchestrationTools *orchestration_tools = Singleton::Consume<I_OrchestrationTools>::by<ServiceController>();
Maybe<string> loaded_json = orchestration_tools->readFile(new_policy_path);
if (!loaded_json.ok()) {
Maybe<string> loaded_policy_json = orchestration_tools->readFile(new_policy_path);
if (!loaded_policy_json.ok()) {
dbgWarning(D_ORCHESTRATOR)
<< "Failed to load new file: "
<< new_policy_path
<< ". Error: "
<< loaded_json.getErr();
<< loaded_policy_json.getErr();
return false;
}
auto all_security_policies = orchestration_tools->jsonObjectSplitter(loaded_json.unpack(), tenant_id, profile_id);
auto all_security_policies = orchestration_tools->jsonObjectSplitter(
loaded_policy_json.unpack(),
tenant_id,
profile_id
);
if (!all_security_policies.ok()) {
dbgWarning(D_ORCHESTRATOR)
@@ -740,6 +787,7 @@ ServiceController::Impl::updateServiceConfiguration(
was_policy_updated = false;
continue;
}
changed_policy_files.insert(policy_file_path);
dbgInfo(D_ORCHESTRATOR) << "Successfully updated policy file. Policy name: " << single_policy.first;
@@ -779,7 +827,7 @@ ServiceController::Impl::updateServiceConfiguration(
true :
sendSignalForServices(nano_services_to_update, version_value);
dbgTrace(D_ORCHESTRATOR) << "was_policy_updated: " << (was_policy_updated ? "true" : "false");
dbgTrace(D_ORCHESTRATOR) << "was policy updated: " << (was_policy_updated ? "true" : "false");
if (was_policy_updated) {
string config_file_path;
@@ -798,24 +846,8 @@ ServiceController::Impl::updateServiceConfiguration(
return true;
}
string backup_ext = getConfigurationWithDefault<string>(".bk", "orchestration", "Backup file extension");
// Backup the current configuration file.
uint max_backup_attempts = 3;
bool is_backup_succeed = false;
string backup_file = config_file_path + backup_ext;
I_MainLoop *mainloop = Singleton::Consume<I_MainLoop>::by<ServiceController>();
for (size_t i = 0; i < max_backup_attempts; i++) {
if (orchestration_tools->copyFile(config_file_path, backup_file)) {
is_backup_succeed = true;
break;
}
mainloop->yield(false);
}
if (!is_backup_succeed) {
dbgWarning(D_ORCHESTRATOR) << "Failed to back up the policy file.";
if (!backupConfigurationFile(config_file_path)) {
dbgWarning(D_ORCHESTRATOR) << "Failed to backup the policy file.";
return false;
}
@@ -921,7 +953,6 @@ ServiceController::Impl::updateServiceConfigurationFile(
dbgFlow(D_ORCHESTRATOR) << "Updating configuration. Config Name: " << configuration_name;
I_OrchestrationTools *orchestration_tools = Singleton::Consume<I_OrchestrationTools>::by<ServiceController>();
if (orchestration_tools->doesFileExist(configuration_file_path)) {
Maybe<string> old_configuration = orchestration_tools->readFile(configuration_file_path);
if (old_configuration.ok()) {

199
components/security_apps/orchestration/service_controller/service_controller_ut/service_controller_ut.cc
View File

@@ -42,9 +42,7 @@ public:
EXPECT_CALL(mock_rest_api, mockRestCall(RestAction::SET, "new-configuration", _)).WillOnce(
WithArg<2>(Invoke(this, &ServiceControllerTest::setNanoServiceConfig))
);
EXPECT_CALL(mock_ml, addRecurringRoutine(I_MainLoop::RoutineType::System, _, _, _, _)).WillOnce(Return(2));
EXPECT_CALL(tenant_manager, getTimeoutVal()).WillOnce(Return(chrono::seconds(1)));
EXPECT_CALL(mock_ml, addOneTimeRoutine(I_MainLoop::RoutineType::System, _, _, false)).WillOnce(Return(1));
config.init();
@@ -257,6 +255,7 @@ TEST_F(ServiceControllerTest, UpdateConfiguration)
EXPECT_CALL(mock_orchestration_tools, copyFile(policy_file_path, policy_file_path + backup_extension))
.WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, copyFile(file_name, policy_file_path)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, doesFileExist(policy_file_path)).WillOnce(Return(true));
string general_settings_path = "/my/settings/path";
string reply_msg = "{\"id\": 1, \"error\": false, \"finished\": true, \"error_message\": \"\"}";
@@ -349,6 +348,29 @@ TEST_F(ServiceControllerTest, TimeOutUpdateConfiguration)
EXPECT_CALL(mock_orchestration_tools, copyFile(policy_file_path, policy_file_path + backup_extension))
.WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, copyFile(file_name, policy_file_path)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, doesFileExist(policy_file_path)).WillOnce(Return(true));
EXPECT_CALL(
mock_shell_cmd,
getExecOutput(
"/etc/cp/watchdog/cp-nano-watchdog --status --verbose --service mock access control"
" --family family1 --id id2",
_,
_
)
).Times(4).WillRepeatedly(
InvokeWithoutArgs(
[&]() -> Maybe<string>
{
static int counter = 0;
if (counter++ < 2) {
return genError("Reached timeout while executing shell command:");
}
return string("registered and running");
}
)
);
string general_settings_path = "/my/settings/path";
string reply_msg = "{\"id\": 1, \"error\": false, \"finished\": true, \"error_message\": \"\"}";
@@ -371,28 +393,6 @@ TEST_F(ServiceControllerTest, TimeOutUpdateConfiguration)
)
).WillOnce(Return(Maybe<string>(reply_msg)));
EXPECT_CALL(
mock_shell_cmd,
getExecOutput(
"/etc/cp/watchdog/cp-nano-watchdog --status --verbose --service mock access control"
" --family family1 --id id2",
_,
_
)
).Times(3).WillRepeatedly(
InvokeWithoutArgs(
[&]() -> Maybe<string>
{
static int counter = 0;
if (counter++ < 2) {
return genError("Reached timeout while executing shell command:");
}
return string("registered and running");
}
)
);
EXPECT_TRUE(i_service_controller->updateServiceConfiguration(file_name, general_settings_path));
EXPECT_EQ(i_service_controller->getPolicyVersion(), version_value);
EXPECT_EQ(i_service_controller->getUpdatePolicyVersion(), version_value);
@@ -468,6 +468,7 @@ TEST_F(ServiceControllerTest, writeRegisteredServicesFromFile)
EXPECT_CALL(mock_orchestration_tools, copyFile(policy_file_path, policy_file_path + backup_extension))
.WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, copyFile(file_name, policy_file_path)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, doesFileExist(policy_file_path)).WillOnce(Return(true));
string general_settings_path = "/my/settings/path";
string reply_msg = "{\"id\": 1, \"error\": false, \"finished\": true, \"error_message\": \"\"}";
@@ -529,9 +530,7 @@ TEST_F(ServiceControllerTest, readRegisteredServicesFromFile)
EXPECT_CALL(mock_rest_api, mockRestCall(RestAction::SET, "new-configuration", _)).WillOnce(
WithArg<2>(Invoke(this, &ServiceControllerTest::setNanoServiceConfig))
);
EXPECT_CALL(mock_ml, addRecurringRoutine(I_MainLoop::RoutineType::System, _, _, _, _)).WillOnce(Return(2));
EXPECT_CALL(tenant_manager, getTimeoutVal()).WillOnce(Return(chrono::seconds(1)));
EXPECT_CALL(mock_ml, addOneTimeRoutine(I_MainLoop::RoutineType::System, _, _, false)).WillOnce(Return(1));
config.init();
@@ -609,6 +608,7 @@ TEST_F(ServiceControllerTest, noPolicyUpdate)
EXPECT_CALL(mock_orchestration_tools, copyFile(policy_file_path, policy_file_path + backup_extension))
.WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, copyFile(file_name, policy_file_path)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, doesFileExist(policy_file_path)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_status,
setServiceConfiguration("l4_firewall", l4_firewall_policy_path, OrchestrationStatusConfigType::POLICY));
@@ -700,6 +700,7 @@ TEST_F(ServiceControllerTest, SettingsAndPolicyUpdateCombinations)
EXPECT_CALL(mock_orchestration_tools, copyFile(policy_file_path, policy_file_path + backup_extension))
.WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, copyFile(file_name, policy_file_path)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, doesFileExist(policy_file_path)).WillOnce(Return(true));
EXPECT_CALL(
mock_shell_cmd,
@@ -742,6 +743,7 @@ TEST_F(ServiceControllerTest, SettingsAndPolicyUpdateCombinations)
EXPECT_CALL(mock_orchestration_tools, jsonObjectSplitter(new_configuration, _, _))
.WillOnce(Return(json_parser_return));
EXPECT_CALL(mock_orchestration_tools, doesFileExist(l4_firewall_policy_path)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, doesFileExist(policy_file_path)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, readFile(l4_firewall_policy_path)).WillOnce(Return(l4_firewall));
EXPECT_CALL(mock_orchestration_tools, copyFile(policy_file_path, policy_file_path + backup_extension))
.WillOnce(Return(true));
@@ -852,6 +854,122 @@ TEST_F(ServiceControllerTest, backup)
EXPECT_CALL(mock_orchestration_tools, copyFile(policy_file_path, policy_file_path + backup_extension))
.WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, copyFile(file_name, policy_file_path)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, doesFileExist(policy_file_path)).WillOnce(Return(true));
EXPECT_CALL(
mock_shell_cmd,
getExecOutput(
"/etc/cp/watchdog/cp-nano-watchdog --status --verbose --service mock access control"
" --family family1 --id id2",
_,
_
)
).WillRepeatedly(Return(string("registered and running")));
string reply_msg = "{\"id\": 1, \"error\": false, \"finished\": true, \"error_message\": \"\"}";
EXPECT_CALL(
mock_message,
sendMessage(
_,
_,
_,
"127.0.0.1",
l4_firewall_service_port,
_,
"/set-new-configuration",
_,
_,
MessageTypeTag::GENERIC
)
).WillOnce(Return(Maybe<string>(reply_msg)));
EXPECT_EQ(i_service_controller->getPolicyVersion(), "");
EXPECT_TRUE(i_service_controller->updateServiceConfiguration(file_name, ""));
EXPECT_EQ(i_service_controller->getPolicyVersion(), version_value);
}
TEST_F(ServiceControllerTest, backup_file_doesnt_exist)
{
string new_configuration = "{"
" \"version\": \"" + version_value + "\""
" \"l4_firewall\":"
" {"
" \"app\": \"netfilter\","
" \"l4_firewall_rules\": ["
" {"
" \"name\": \"allow_statefull_conns\","
" \"flags\": [\"established\"],"
" \"action\": \"accept\""
" },"
" {"
" \"name\": \"icmp drop\","
" \"flags\": [\"log\"],"
" \"services\": [{\"name\":\"icmp\"}],"
" \"action\": \"drop\""
" }"
" ]"
" }"
"}";
string l4_firewall = "{"
" \"app\": \"netfilter\","
" \"l4_firewall_rules\": ["
" {"
" \"name\": \"allow_statefull_conns\","
" \"flags\": [\"established\"],"
" \"action\": \"accept\""
" },"
" {"
" \"name\": \"icmp drop\","
" \"flags\": [\"log\"],"
" \"services\": [{\"name\":\"icmp\"}],"
" \"action\": \"drop\""
" }"
" ]"
"}";
string old_configuration = "{"
" \"version\": \"" + old_version + "\""
" \"app\": \"netfilter\","
" \"l4_firewall_rules\": ["
" {"
" \"name\": \"allow_statefull_conns\","
" \"flags\": [\"established\"],"
" \"action\": \"reject\""
" },"
" {"
" \"name\": \"icmp drop\","
" \"flags\": [\"log\"],"
" \"services\": [{\"name\":\"icmp\"}],"
" \"action\": \"drop\""
" }"
" ]"
"}";
Maybe<map<string, string>> json_parser_return =
map<string, string>({{"l4_firewall", l4_firewall}, {"version", version_value}});
EXPECT_CALL(mock_orchestration_tools, readFile(file_name)).WillOnce(Return(new_configuration));
EXPECT_CALL(mock_orchestration_tools, jsonObjectSplitter(new_configuration, _, _))
.WillOnce(Return(json_parser_return));
EXPECT_CALL(mock_orchestration_tools, doesFileExist(l4_firewall_policy_path)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, readFile(l4_firewall_policy_path)).WillOnce(Return(old_configuration));
EXPECT_CALL(mock_orchestration_status,
setServiceConfiguration("l4_firewall", l4_firewall_policy_path, OrchestrationStatusConfigType::POLICY));
EXPECT_CALL(
mock_orchestration_tools,
copyFile(l4_firewall_policy_path, l4_firewall_policy_path + backup_extension)
).WillOnce(Return(true));
EXPECT_CALL(
mock_orchestration_tools,
writeFile(l4_firewall, l4_firewall_policy_path)).WillOnce(Return(true)
);
// backup file doesn't exist so the copyFile function should be called 0 times
EXPECT_CALL(mock_orchestration_tools, doesFileExist(policy_file_path)).WillOnce(Return(false));
EXPECT_CALL(mock_orchestration_tools, copyFile(policy_file_path, policy_file_path + backup_extension)).Times(0);
EXPECT_CALL(mock_orchestration_tools, copyFile(file_name, policy_file_path)).WillOnce(Return(true));
EXPECT_CALL(
mock_shell_cmd,
@@ -997,6 +1115,7 @@ TEST_F(ServiceControllerTest, backupAttempts)
EXPECT_CALL(mock_ml, yield(false)).Times(2);
EXPECT_CALL(mock_orchestration_tools, copyFile(file_name, policy_file_path)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, doesFileExist(policy_file_path)).WillOnce(Return(true));
EXPECT_EQ(i_service_controller->getPolicyVersion(), "");
EXPECT_TRUE(i_service_controller->updateServiceConfiguration(file_name, ""));
EXPECT_EQ(i_service_controller->getPolicyVersion(), version_value);
@@ -1081,6 +1200,7 @@ TEST_F(ServiceControllerTest, MultiUpdateConfiguration)
EXPECT_CALL(mock_orchestration_tools, copyFile(policy_file_path, policy_file_path + backup_extension))
.WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, copyFile(file_name, policy_file_path)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, doesFileExist(policy_file_path)).WillOnce(Return(true));
EXPECT_CALL(
mock_shell_cmd,
@@ -1112,6 +1232,11 @@ TEST_F(ServiceControllerTest, MultiUpdateConfiguration)
).WillOnce(Return(Maybe<string>(reply_msg)));
EXPECT_TRUE(i_service_controller->updateServiceConfiguration(file_name, ""));
set<string> changed_policies = {
"/etc/cp/conf/l4_firewall/l4_firewall.policy",
"/etc/cp/conf/orchestration/orchestration.policy"
};
EXPECT_EQ(i_service_controller->moveChangedPolicies(), changed_policies);
}
class TestSendRequestToService : public ClientRest
@@ -1139,6 +1264,7 @@ TEST_F(ServiceControllerTest, emptyServices)
EXPECT_CALL(mock_orchestration_tools, copyFile(policy_file_path, policy_file_path + backup_extension))
.WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, copyFile(file_name, policy_file_path)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, doesFileExist(policy_file_path)).WillOnce(Return(true));
EXPECT_TRUE(i_service_controller->updateServiceConfiguration(file_name, ""));
}
@@ -1326,24 +1452,6 @@ TEST_F(ServiceControllerTest, ErrorUpdateConfigurationRest)
EXPECT_EQ(i_service_controller->getPolicyVersion(), "");
Flags<MessageConnConfig> conn_flags;
conn_flags.setFlag(MessageConnConfig::ONE_TIME_CONN);
EXPECT_CALL(
mock_message,
sendMessage(
true,
"{\n \"id\": 1,\n \"policy_version\": \"1.0.2\"\n}",
I_Messaging::Method::POST,
string("127.0.0.1"),
l4_firewall_service_port,
conn_flags,
string("/set-new-configuration"),
string(),
_,
MessageTypeTag::GENERIC
)
).WillOnce(Return(Maybe<string>(genError(""))));
EXPECT_TRUE(i_service_controller->isServiceInstalled("family1_id2"));
EXPECT_CALL(
@@ -1358,6 +1466,7 @@ TEST_F(ServiceControllerTest, ErrorUpdateConfigurationRest)
EXPECT_CALL(mock_orchestration_tools, copyFile(policy_file_path, policy_file_path + backup_extension))
.WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, copyFile(file_name, policy_file_path)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, doesFileExist(policy_file_path)).WillOnce(Return(true));
EXPECT_TRUE(i_service_controller->updateServiceConfiguration(file_name, ""));
EXPECT_THAT(
@@ -1568,6 +1677,7 @@ TEST_F(ServiceControllerTest, testMultitenantConfFiles)
EXPECT_CALL(mock_orchestration_tools, copyFile(new_policy_file_path, new_policy_file_path + backup_extension))
.WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, copyFile(conf_file_name, new_policy_file_path)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, doesFileExist(new_policy_file_path)).WillOnce(Return(true));
EXPECT_CALL(
mock_shell_cmd,
@@ -1665,6 +1775,7 @@ TEST_F(ServiceControllerTest, test_delayed_reconf)
EXPECT_CALL(mock_orchestration_tools, copyFile(policy_file_path, policy_file_path + backup_extension))
.WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, copyFile(file_name, policy_file_path)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, doesFileExist(policy_file_path)).WillOnce(Return(true));
EXPECT_CALL(mock_ml, yield(false)).Times(AnyNumber());
EXPECT_CALL(