First release of open-appsec source code

2025-09-29 19:24:26 +03:00 · 2022-10-26 19:33:19 +03:00
parent 3883109caf
commit a883352f79
1353 changed files with 276290 additions and 1 deletions
--- a/core/attachments/CMakeLists.txt
+++ b/core/attachments/CMakeLists.txt
@@ -0,0 +1 @@
+add_subdirectory(http_configuration)
--- a/core/attachments/http_configuration/CMakeLists.txt
+++ b/core/attachments/http_configuration/CMakeLists.txt
@@ -0,0 +1,3 @@
+add_library(http_configuration http_configuration.cc)
+
+add_subdirectory(http_configuration_ut)
--- a/core/attachments/http_configuration/http_configuration.cc
+++ b/core/attachments/http_configuration/http_configuration.cc
@@ -0,0 +1,204 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "http_configuration.h"
+
+#include <fstream>
+
+#include "cereal/types/vector.hpp"
+
+#define DEFAULT_KEEP_ALIVE_INTERVAL_MSEC 30000
+
+using namespace std;
+
+void
+DebugConfig::save(cereal::JSONOutputArchive &archive) const
+{
+    archive(
+        cereal::make_nvp("clientIp", client),
+        cereal::make_nvp("listeningIp", server),
+        cereal::make_nvp("uriPrefix", uri),
+        cereal::make_nvp("hostName", host),
+        cereal::make_nvp("httpMethod", method),
+        cereal::make_nvp("listeningPort", port)
+    );
+}
+
+void
+DebugConfig::load(cereal::JSONInputArchive &archive)
+{
+    try {
+        archive(
+            cereal::make_nvp("clientIp", client),
+            cereal::make_nvp("listeningIp", server),
+            cereal::make_nvp("uriPrefix", uri),
+            cereal::make_nvp("hostName", host),
+            cereal::make_nvp("httpMethod", method),
+            cereal::make_nvp("listeningPort", port)
+        );
+    } catch (const cereal::Exception &) {
+        client = "";
+        server = "";
+        uri = "";
+        host = "";
+        method = "";
+        port = 0;
+    }
+}
+
+bool
+DebugConfig::operator==(const DebugConfig &another) const
+{
+    return
+        client == another.client &&
+        server == another.server &&
+        port == another.port &&
+        method == another.method &&
+        host == another.host &&
+        uri == another.uri;
+}
+
+int
+HttpAttachmentConfiguration::init(const string &conf_file)
+{
+    try {
+        ifstream file(conf_file);
+        cereal::JSONInputArchive ar(file);
+        load(ar);
+        return 1;
+    } catch (exception &e) {
+        return 0;
+    }
+}
+
+void
+HttpAttachmentConfiguration::save(cereal::JSONOutputArchive &archive) const
+{
+    archive(
+        cereal::make_nvp("context_values", dbg),
+        cereal::make_nvp("ip_ranges", exclude_sources),
+        cereal::make_nvp("dbg_level", getNumericalValue("dbg_level")),
+        cereal::make_nvp("static_resources_path", getStringValue("static_resources_path")),
+        cereal::make_nvp("is_fail_open_mode_enabled", getNumericalValue("is_fail_open_mode_enabled")),
+        cereal::make_nvp("fail_open_timeout", getNumericalValue("fail_open_timeout")),
+        cereal::make_nvp("is_fail_open_mode_hold_enabled", getNumericalValue("is_fail_open_mode_hold_enabled")),
+        cereal::make_nvp("fail_open_hold_timeout", getNumericalValue("fail_open_hold_timeout")),
+        cereal::make_nvp("sessions_per_minute_limit_verdict", getStringValue("sessions_per_minute_limit_verdict")),
+        cereal::make_nvp("max_sessions_per_minute", getNumericalValue("max_sessions_per_minute")),
+        cereal::make_nvp("res_proccessing_timeout_msec", getNumericalValue("res_proccessing_timeout_msec")),
+        cereal::make_nvp("req_proccessing_timeout_msec", getNumericalValue("req_proccessing_timeout_msec")),
+        cereal::make_nvp("registration_thread_timeout_msec", getNumericalValue("registration_thread_timeout_msec")),
+        cereal::make_nvp("req_header_thread_timeout_msec", getNumericalValue("req_header_thread_timeout_msec")),
+        cereal::make_nvp("req_body_thread_timeout_msec", getNumericalValue("req_body_thread_timeout_msec")),
+        cereal::make_nvp("res_header_thread_timeout_msec", getNumericalValue("res_header_thread_timeout_msec")),
+        cereal::make_nvp("res_body_thread_timeout_msec", getNumericalValue("res_body_thread_timeout_msec")),
+        cereal::make_nvp(
+            "waiting_for_verdict_thread_timeout_msec",
+            getNumericalValue("waiting_for_verdict_thread_timeout_msec")
+        ),
+        cereal::make_nvp("nginx_inspection_mode", getNumericalValue("inspection_mode")),
+        cereal::make_nvp("num_of_nginx_ipc_elements", getNumericalValue("num_of_nginx_ipc_elements")),
+        cereal::make_nvp("keep_alive_interval_msec", getNumericalValue("keep_alive_interval_msec"))
+    );
+}
+
+void
+HttpAttachmentConfiguration::load(cereal::JSONInputArchive &archive)
+{
+    try {
+        archive(cereal::make_nvp("context_values", dbg));
+    } catch (const cereal::Exception &) {
+        dbg = DebugConfig();
+    }
+
+    try {
+        archive(cereal::make_nvp("ip_ranges", exclude_sources));
+    } catch (const cereal::Exception &) {
+        exclude_sources = {};
+    }
+
+    try {
+        string str;
+        archive(cereal::make_nvp("static_resources_path", str));
+        string_values["static_resources_path"] = str;
+    } catch (const cereal::Exception &) {
+        string_values.erase("static_resources_path");
+    }
+
+    try {
+        string str;
+        archive(cereal::make_nvp("sessions_per_minute_limit_verdict", str));
+        string_values["sessions_per_minute_limit_verdict"] = str;
+    } catch (const cereal::Exception &) {
+        string_values.erase("sessions_per_minute_limit_verdict");
+    }
+
+    loadNumericalValue(archive, "dbg_level", 0);
+    loadNumericalValue(archive, "is_fail_open_mode_enabled", 0);
+    loadNumericalValue(archive, "fail_open_timeout", 50);
+    loadNumericalValue(archive, "is_fail_open_mode_hold_enabled", 0);
+    loadNumericalValue(archive, "fail_open_hold_timeout", 200);
+    loadNumericalValue(archive, "sessions_per_minute_limit_verdict", 0);
+    loadNumericalValue(archive, "max_sessions_per_minute", 0);
+    loadNumericalValue(archive, "res_proccessing_timeout_msec", 3000);
+    loadNumericalValue(archive, "req_proccessing_timeout_msec", 3000);
+    loadNumericalValue(archive, "registration_thread_timeout_msec", 100);
+    loadNumericalValue(archive, "req_header_thread_timeout_msec", 100);
+    loadNumericalValue(archive, "req_body_thread_timeout_msec", 150);
+    loadNumericalValue(archive, "res_header_thread_timeout_msec", 100);
+    loadNumericalValue(archive, "res_body_thread_timeout_msec", 150);
+    loadNumericalValue(archive, "waiting_for_verdict_thread_timeout_msec", 150);
+    loadNumericalValue(archive, "nginx_inspection_mode", 0);
+    loadNumericalValue(archive, "num_of_nginx_ipc_elements", 200);
+    loadNumericalValue(archive, "keep_alive_interval_msec", DEFAULT_KEEP_ALIVE_INTERVAL_MSEC);
+}
+
+bool
+HttpAttachmentConfiguration::operator==(const HttpAttachmentConfiguration &other) const
+{
+    return
+        dbg == other.dbg &&
+        numerical_values == other.numerical_values &&
+        string_values == other.string_values &&
+        exclude_sources == other.exclude_sources;
+}
+
+unsigned int
+HttpAttachmentConfiguration::getNumericalValue(const string &key) const
+{
+    auto elem = numerical_values.find(key);
+    return elem != numerical_values.end() ? elem->second : 0;
+}
+
+const string &
+HttpAttachmentConfiguration::getStringValue(const string &key) const
+{
+    auto elem = string_values.find(key);
+    return elem != string_values.end() ? elem->second : empty;
+}
+
+void
+HttpAttachmentConfiguration::loadNumericalValue(
+    cereal::JSONInputArchive &ar,
+    const string &name,
+    unsigned int default_value
+)
+{
+    try {
+        unsigned int value;
+        ar(cereal::make_nvp(name, value));
+        numerical_values[name] = value;
+    } catch (const cereal::Exception &) {
+        numerical_values[name] = default_value;
+    }
+}
--- a/core/attachments/http_configuration/http_configuration_ut/CMakeLists.txt
+++ b/core/attachments/http_configuration/http_configuration_ut/CMakeLists.txt
@@ -0,0 +1 @@
+add_unit_test(http_configuration_ut http_configuration_ut.cc http_configuration)
--- a/core/attachments/http_configuration/http_configuration_ut/http_configuration_ut.cc
+++ b/core/attachments/http_configuration/http_configuration_ut/http_configuration_ut.cc
@@ -0,0 +1,111 @@
+#include "http_configuration.h"
+
+#include <arpa/inet.h>
+#include <fstream>
+#include <boost/algorithm/string.hpp>
+
+#include "cptest.h"
+#include "c_common/ip_common.h"
+
+using namespace std;
+using namespace testing;
+
+class HttpAttachmentUtilTest : public Test
+{
+public:
+    string
+    createIPRangesString(const vector<string> &ip_ranges)
+    {
+        stringstream ip_ranges_string_stream;
+        ip_ranges_string_stream << "[";
+        for (auto iterator = ip_ranges.begin(); iterator < ip_ranges.end() - 1; iterator++) {
+            ip_ranges_string_stream << "\"" << *iterator << "\"" << ", ";
+        }
+        ip_ranges_string_stream << "\"" << ip_ranges.back() << "\"]";
+
+        return ip_ranges_string_stream.str();
+    }
+
+    const string attachment_configuration_file_name = "cp_nano_http_attachment_conf";
+    const vector<string> ip_ranges = { "8.8.8.8", "9.9.9.9-10.10.10.10", "0:0:0:0:0:0:0:1-0:0:0:0:0:0:0:4"};
+    const string static_resources_path = "/dev/shm/static_resources/";
+};
+
+TEST_F(HttpAttachmentUtilTest, GetValidAttachmentConfiguration)
+{
+    string valid_configuration =
+        "{\n"
+            "\"context_values\": {"
+                "\"clientIp\": \"1.2.3.4\","
+                "\"listeningIp\": \"5.6.7.8\","
+                "\"uriPrefix\": \"/abc\","
+                "\"hostName\": \"test\","
+                "\"httpMethod\": \"GET\","
+                "\"listeningPort\": 80"
+            "},"
+            "\"is_fail_open_mode_enabled\": 0,\n"
+            "\"fail_open_timeout\": 1234,\n"
+            "\"is_fail_open_mode_hold_enabled\": 0,\n"
+            "\"fail_open_hold_timeout\": 4321,\n"
+            "\"sessions_per_minute_limit_verdict\": \"Accept\",\n"
+            "\"max_sessions_per_minute\": 0,\n"
+            "\"num_of_nginx_ipc_elements\": 200,\n"
+            "\"keep_alive_interval_msec\": 10000,\n"
+            "\"dbg_level\": 2,\n"
+            "\"nginx_inspection_mode\": 1,\n"
+            "\"operation_mode\": 0,\n"
+            "\"req_body_thread_timeout_msec\": 155,\n"
+            "\"req_proccessing_timeout_msec\": 42,\n"
+            "\"registration_thread_timeout_msec\": 101,\n"
+            "\"res_proccessing_timeout_msec\": 420,\n"
+            "\"res_header_thread_timeout_msec\": 1,\n"
+            "\"res_body_thread_timeout_msec\": 80,\n"
+            "\"waiting_for_verdict_thread_timeout_msec\": 60,\n"
+            "\"req_header_thread_timeout_msec\": 10,\n"
+            "\"ip_ranges\": " + createIPRangesString(ip_ranges) + ",\n"
+            "\"static_resources_path\": \"" + static_resources_path + "\""
+        "}\n";
+    ofstream valid_configuration_file(attachment_configuration_file_name);
+    valid_configuration_file << valid_configuration;
+    valid_configuration_file.close();
+
+    HttpAttachmentConfiguration conf_data_out;
+    EXPECT_EQ(conf_data_out.init(attachment_configuration_file_name), 1);
+    EXPECT_EQ(conf_data_out.getNumericalValue("is_fail_open_mode_enabled"), 0);
+    EXPECT_EQ(conf_data_out.getNumericalValue("fail_open_timeout"), 1234);
+    EXPECT_EQ(conf_data_out.getNumericalValue("is_fail_open_mode_hold_enabled"), 0);
+    EXPECT_EQ(conf_data_out.getNumericalValue("fail_open_hold_timeout"), 4321);
+    EXPECT_EQ(conf_data_out.getStringValue("sessions_per_minute_limit_verdict"), "Accept");
+    EXPECT_EQ(conf_data_out.getNumericalValue("max_sessions_per_minute"), 0);
+    EXPECT_EQ(conf_data_out.getNumericalValue("num_of_nginx_ipc_elements"), 200);
+    EXPECT_EQ(conf_data_out.getNumericalValue("keep_alive_interval_msec"), 10000);
+    EXPECT_EQ(conf_data_out.getNumericalValue("dbg_level"), 2u);
+    EXPECT_EQ(conf_data_out.getNumericalValue("res_proccessing_timeout_msec"), 420);
+    EXPECT_EQ(conf_data_out.getNumericalValue("req_proccessing_timeout_msec"), 42);
+    EXPECT_EQ(conf_data_out.getNumericalValue("registration_thread_timeout_msec"), 101);
+    EXPECT_EQ(conf_data_out.getNumericalValue("req_header_thread_timeout_msec"), 10);
+    EXPECT_EQ(conf_data_out.getNumericalValue("req_body_thread_timeout_msec"), 155);
+    EXPECT_EQ(conf_data_out.getNumericalValue("res_header_thread_timeout_msec"), 1);
+    EXPECT_EQ(conf_data_out.getNumericalValue("res_body_thread_timeout_msec"), 80);
+    EXPECT_EQ(conf_data_out.getNumericalValue("waiting_for_verdict_thread_timeout_msec"), 60);
+    EXPECT_EQ(conf_data_out.getNumericalValue("nginx_inspection_mode"), 1);
+}
+
+TEST_F(HttpAttachmentUtilTest, GetMalformedAttachmentConfiguration)
+{
+    string malformed_configuration =
+        "{\n"
+            "\"is_fail_open_mode_enabled\": false,,,,,,\n"
+            "\"fail_open_timeout\": 1234,\n"
+            "\"num_of_nginx_ipc_elements\": 200,\n"
+            "\"dbg_level\": 2,\n"
+            "\"ip_ranges\": " + createIPRangesString(ip_ranges) + ",\n"
+            "\"static_resources_path\": \"" + static_resources_path + "\""
+        "}\n";
+    ofstream valid_configuration_file(attachment_configuration_file_name);
+    valid_configuration_file << malformed_configuration;
+    valid_configuration_file.close();
+
+    HttpAttachmentConfiguration conf_data_out;
+    EXPECT_EQ(conf_data_out.init(attachment_configuration_file_name), 0);
+}
				`@@ -0,0 +1 @@`
				`add_unit_test(http_configuration_ut http_configuration_ut.cc http_configuration)`