First release of open-appsec source code

core/include/attachments/attachment_types.h

@@ -0,0 +1,31 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __ATTACHMENT_TYPES_H__
+#define __ATTACHMENT_TYPES_H__
+
+#ifdef __cplusplus
+enum class AttachmentType
+#else // __cplusplus
+enum AttachmentType
+#endif
+{
+    NGINX_ATT_ID,
+    PRELOAD_ATT_ID,
+#ifdef __cplusplus
+    COUNT
+#endif
+};
+
+#endif // __ATTACHMENT_TYPES_H__

core/include/attachments/compression_utils.h

@@ -0,0 +1,86 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __COMPRESSION_UTILS_H__
+#define __COMPRESSION_UTILS_H__
+
+#include <stddef.h>
+#include <stdint.h>
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif // __cplusplus
+
+typedef enum CompressionUtilsDebugLevel
+{
+    COMPRESSION_DBG_LEVEL_TRACE,
+    COMPRESSION_DBG_LEVEL_DEBUG,
+    COMPRESSION_DBG_LEVEL_INFO,
+    COMPRESSION_DBG_LEVEL_WARNING,
+    COMPRESSION_DBG_LEVEL_ERROR,
+    COMPRESSION_DBG_LEVEL_ASSERTION
+} CompressionUtilsDebugLevel;
+
+void resetCompressionDebugFunctionsToStandardError();
+void setCompressionDebugFunction(const CompressionUtilsDebugLevel debug_level, void (*debug_function)(const char *));
+
+typedef struct CompressionStream CompressionStream;
+
+CompressionStream * initCompressionStream();
+void finiCompressionStream(CompressionStream *compression_stream);
+
+typedef enum CompressionType
+{
+    NO_COMPRESSION,
+    GZIP,
+    ZLIB
+} CompressionType;
+
+typedef struct CompressionResult
+{
+    int            ok;
+    uint32_t       num_output_bytes;
+    unsigned char *output;
+} CompressionResult;
+
+CompressionResult
+compressData(
+    CompressionStream *compression_stream,
+    const CompressionType compression_type,
+    const uint32_t uncompressed_data_size,
+    const unsigned char *uncompressed_data,
+    const int is_last_chunk
+);
+
+typedef struct DecompressionResult
+{
+    int            ok;
+    uint32_t       num_output_bytes;
+    unsigned char *output;
+    int            is_last_chunk;
+} DecompressionResult;
+
+DecompressionResult
+decompressData(
+    CompressionStream *compression_stream,
+    const uint32_t compressed_data_size,
+    const unsigned char *compressed_data
+);
+
+#ifdef __cplusplus
+}
+#endif // __cplusplus
+
+#endif // __COMPRESSION_UTILS_H__

core/include/attachments/http_configuration.h

@@ -0,0 +1,68 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __HTTP_CONFIGURATION_H__
+#define __HTTP_CONFIGURATION_H__
+
+#include <string>
+#include <map>
+#include <vector>
+
+#include "cereal/archives/json.hpp"
+
+struct DebugConfig
+{
+    void save(cereal::JSONOutputArchive &archive) const;
+    void load(cereal::JSONInputArchive &archive);
+    bool operator==(const DebugConfig &another) const;
+
+    std::string client;
+    std::string server;
+    unsigned int port = 0;
+    std::string method;
+    std::string host;
+    std::string uri;
+};
+
+class HttpAttachmentConfiguration
+{
+public:
+    int init(const std::string &conf_file);
+
+    void save(cereal::JSONOutputArchive &archive) const;
+    void load(cereal::JSONInputArchive &archive);
+
+    bool operator==(const HttpAttachmentConfiguration &other) const;
+
+    unsigned int getNumericalValue(const std::string &key) const;
+    const std::string & getStringValue(const std::string &key) const;
+    const std::vector<std::string> & getExcludeSources() const { return exclude_sources; }
+    const DebugConfig & getDebugContext() const { return dbg; }
+
+    void setNumericalValue(const std::string &key, unsigned int value) { numerical_values[key] = value; }
+    void setStringValue(const std::string &key, const std::string &value) { string_values[key] = value; }
+    void setExcludeSources(const std::vector<std::string> &new_sources) { exclude_sources = new_sources; }
+    void setDebugContext(const DebugConfig &_dbg) { dbg = _dbg; }
+
+private:
+    void loadNumericalValue(cereal::JSONInputArchive &archive, const std::string &name, unsigned int default_value);
+
+    DebugConfig dbg;
+    std::map<std::string, unsigned int> numerical_values;
+    std::map<std::string, std::string> string_values;
+    std::vector<std::string> exclude_sources;
+    std::string empty;
+};
+
+#endif // __HTTP_CONFIGURATION_H__

core/include/attachments/nginx_attachment_common.h

@@ -0,0 +1,279 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __NGINX_ATTACHMENT_COMMON_H__
+#define __NGINX_ATTACHMENT_COMMON_H__
+
+#include <stddef.h>
+#include <stdint.h>
+#include <sys/types.h>
+
+#define MAX_NGINX_UID_LEN 32
+#define NUM_OF_NGINX_IPC_ELEMENTS 200
+#define DEFAULT_KEEP_ALIVE_INTERVAL_MSEC 300000
+#define SHARED_MEM_PATH "/dev/shm/"
+#define SHARED_REGISTRATION_SIGNAL_PATH SHARED_MEM_PATH "check-point/cp-nano-attachment-registration"
+#define SHARED_KEEP_ALIVE_PATH SHARED_MEM_PATH "check-point/cp-nano-attachment-registration-expiration-socket"
+#define SHARED_VERDICT_SIGNAL_PATH SHARED_MEM_PATH "check-point/cp-nano-http-transaction-handler"
+#define SHARED_ATTACHMENT_CONF_PATH SHARED_MEM_PATH "cp_nano_http_attachment_conf"
+#define DEFAULT_STATIC_RESOURCES_PATH SHARED_MEM_PATH "static_resources"
+#define INJECT_POS_IRRELEVANT -1
+#define CORRUPTED_SESSION_ID 0
+#define METRIC_PERIODIC_TIMEOUT 600
+
+extern char shared_verdict_signal_path[];
+extern int workers_amount_to_send;
+
+typedef int64_t ngx_http_cp_inject_pos_t;
+
+#ifdef __cplusplus
+typedef enum class ngx_http_modification_type
+#else
+typedef enum ngx_http_modification_type
+#endif
+{
+    APPEND,
+    INJECT,
+    REPLACE
+} ngx_http_modification_type_e;
+
+#ifdef __cplusplus
+typedef enum class ngx_http_chunk_type
+#else
+typedef enum ngx_http_chunk_type
+#endif
+{
+    REQUEST_START,
+    REQUEST_HEADER,
+    REQUEST_BODY,
+    REQUEST_END,
+    RESPONSE_CODE,
+    RESPONSE_HEADER,
+    RESPONSE_BODY,
+    RESPONSE_END,
+    CONTENT_LENGTH,
+    METRIC_DATA_FROM_PLUGIN,
+    HOLD_DATA,
+
+    COUNT
+} ngx_http_chunk_type_e;
+
+#ifdef __cplusplus
+typedef enum class ngx_http_plugin_metric_type
+#else
+typedef enum ngx_http_plugin_metric_type
+#endif
+{
+    TRANSPARENTS_COUNT,
+    TOTAL_TRANSPARENTS_TIME,
+    INSPECTION_OPEN_FAILURES_COUNT,
+    INSPECTION_CLOSE_FAILURES_COUNT,
+    INSPECTION_SUCCESSES_COUNT,
+    INJECT_VERDICTS_COUNT,
+    DROP_VERDICTS_COUNT,
+    ACCEPT_VERDICTS_COUNT,
+    IRRELEVANT_VERDICTS_COUNT,
+    RECONF_VERDICTS_COUNT,
+    INSPECT_VERDICTS_COUNT,
+    HOLD_VERDICTS_COUNT,
+    AVERAGE_OVERALL_PPROCESSING_TIME_UNTIL_VERDICT,
+    MAX_OVERALL_PPROCESSING_TIME_UNTIL_VERDICT,
+    MIN_OVERALL_PPROCESSING_TIME_UNTIL_VERDICT,
+    AVERAGE_REQ_PPROCESSING_TIME_UNTIL_VERDICT,
+    MAX_REQ_PPROCESSING_TIME_UNTIL_VERDICT,
+    MIN_REQ_PPROCESSING_TIME_UNTIL_VERDICT,
+    AVERAGE_RES_PPROCESSING_TIME_UNTIL_VERDICT,
+    MAX_RES_PPROCESSING_TIME_UNTIL_VERDICT,
+    MIN_RES_PPROCESSING_TIME_UNTIL_VERDICT,
+    THREAD_TIMEOUT,
+    REG_THREAD_TIMEOUT,
+    REQ_HEADER_THREAD_TIMEOUT,
+    REQ_BODY_THREAD_TIMEOUT,
+    AVERAGE_REQ_BODY_SIZE_UPON_TIMEOUT,
+    MAX_REQ_BODY_SIZE_UPON_TIMEOUT,
+    MIN_REQ_BODY_SIZE_UPON_TIMEOUT,
+    RES_HEADER_THREAD_TIMEOUT,
+    RES_BODY_THREAD_TIMEOUT,
+    HOLD_THREAD_TIMEOUT,
+    AVERAGE_RES_BODY_SIZE_UPON_TIMEOUT,
+    MAX_RES_BODY_SIZE_UPON_TIMEOUT,
+    MIN_RES_BODY_SIZE_UPON_TIMEOUT,
+    THREAD_FAILURE,
+    REQ_PROCCESSING_TIMEOUT,
+    RES_PROCCESSING_TIMEOUT,
+    REQ_FAILED_TO_REACH_UPSTREAM,
+    REQ_FAILED_COMPRESSION_COUNT,
+    RES_FAILED_COMPRESSION_COUNT,
+    REQ_FAILED_DECOMPRESSION_COUNT,
+    RES_FAILED_DECOMPRESSION_COUNT,
+    REQ_SUCCESSFUL_COMPRESSION_COUNT,
+    RES_SUCCESSFUL_COMPRESSION_COUNT,
+    REQ_SUCCESSFUL_DECOMPRESSION_COUNT,
+    RES_SUCCESSFUL_DECOMPRESSION_COUNT,
+    CORRUPTED_ZIP_SKIPPED_SESSION_COUNT,
+    CPU_USAGE,
+    AVERAGE_VM_MEMORY_USAGE,
+    AVERAGE_RSS_MEMORY_USAGE,
+    MAX_VM_MEMORY_USAGE,
+    MAX_RSS_MEMORY_USAGE,
+
+    METRIC_TYPES_COUNT
+} ngx_http_plugin_metric_type_e;
+
+#ifdef __cplusplus
+typedef enum class ngx_http_cp_verdict
+#else
+typedef enum ngx_http_cp_verdict
+#endif
+{
+    TRAFFIC_VERDICT_INSPECT,
+    TRAFFIC_VERDICT_ACCEPT,
+    TRAFFIC_VERDICT_DROP,
+    TRAFFIC_VERDICT_INJECT,
+    TRAFFIC_VERDICT_IRRELEVANT,
+    TRAFFIC_VERDICT_RECONF,
+    TRAFFIC_VERDICT_WAIT
+} ngx_http_cp_verdict_e;
+
+#ifdef __cplusplus
+typedef enum class ngx_http_cp_debug_level
+#else
+typedef enum ngx_http_cp_debug_level
+#endif
+{
+    DBG_LEVEL_TRACE,
+    DBG_LEVEL_DEBUG,
+    DBG_LEVEL_INFO,
+    DBG_LEVEL_WARNING,
+    DBG_LEVEL_ERROR,
+#ifndef __cplusplus
+    DBG_LEVEL_ASSERT,
+#endif
+    DBG_LEVEL_COUNT
+} ngx_http_cp_debug_level_e;
+
+#ifdef __cplusplus
+typedef enum class ngx_http_meta_data
+#else
+typedef enum ngx_http_meta_data
+#endif
+{
+    HTTP_PROTOCOL_SIZE,
+    HTTP_PROTOCOL_DATA,
+    HTTP_METHOD_SIZE,
+    HTTP_METHOD_DATA,
+    HOST_NAME_SIZE,
+    HOST_NAME_DATA,
+    LISTENING_ADDR_SIZE,
+    LISTENING_ADDR_DATA,
+    LISTENING_PORT,
+    URI_SIZE,
+    URI_DATA,
+    CLIENT_ADDR_SIZE,
+    CLIENT_ADDR_DATA,
+    CLIENT_PORT,
+
+    META_DATA_COUNT
+} ngx_http_meta_data_e;
+
+#ifdef __cplusplus
+typedef enum class ngx_http_header_data
+#else
+typedef enum ngx_http_header_data
+#endif
+{
+    HEADER_KEY_SIZE,
+    HEADER_KEY_DATA,
+    HEADER_VAL_SIZE,
+    HEADER_VAL_DATA,
+
+    HEADER_DATA_COUNT
+} ngx_http_header_data_e;
+
+typedef enum ngx_http_inspection_mode
+{
+    NON_BLOCKING_THREAD,
+    BLOCKING_THREAD,
+    NO_THREAD,
+
+    INSPECTION_MODE_COUNT
+} ngx_http_inspection_mode_e;
+
+#ifdef __cplusplus
+typedef enum class ngx_web_response_type
+#else
+typedef enum ngx_web_response_type
+#endif
+{
+    CUSTOM_WEB_RESPONSE,
+    REDIRECT_WEB_RESPONSE
+} ngx_web_response_type_e;
+
+typedef struct __attribute__((__packed__)) ngx_http_cp_inject_data {
+    ngx_http_cp_inject_pos_t  injection_pos;
+    ngx_http_modification_type_e mod_type;
+    uint16_t injection_size;
+    uint8_t is_header;
+    uint8_t orig_buff_index;
+    char data[0];
+} ngx_http_cp_inject_data_t;
+
+typedef struct __attribute__((__packed__)) ngx_http_cp_web_response_data {
+    uint8_t web_repsonse_type;
+    uint8_t uuid_size;
+
+    union {
+        struct __attribute__((__packed__)) ngx_http_cp_custom_web_response_data {
+            uint16_t response_code;
+            uint8_t title_size;
+            uint8_t body_size;
+            char data[0];
+        } custom_response_data;
+
+        struct __attribute__((__packed__)) ngx_http_cp_redirect_data {
+            uint8_t add_event_id;
+            uint16_t redirect_location_size;
+            char redirect_location[0];
+        } redirect_data;
+    } response_data;
+} ngx_http_cp_web_response_data_t;
+
+typedef union __attribute__((__packed__)) ngx_http_cp_modify_data {
+    ngx_http_cp_inject_data_t inject_data[0];
+    ngx_http_cp_web_response_data_t web_response_data[0];
+} ngx_http_cp_modify_data_t;
+
+typedef struct __attribute__((__packed__)) ngx_http_cp_reply_from_service {
+    uint16_t verdict;
+    uint32_t session_id;
+    uint8_t modification_count;
+    ngx_http_cp_modify_data_t modify_data[0];
+} ngx_http_cp_reply_from_service_t;
+
+typedef struct __attribute__((__packed__)) ngx_http_cp_request_data {
+    uint16_t data_type;
+    uint32_t session_id;
+    unsigned char data[0];
+} ngx_http_cp_request_data_t;
+
+typedef struct __attribute__((__packed__)) ngx_http_cp_metric_data {
+    uint16_t data_type;
+#ifdef __cplusplus
+    uint64_t data[static_cast<int>(ngx_http_plugin_metric_type::METRIC_TYPES_COUNT)];
+#else
+    uint64_t data[METRIC_TYPES_COUNT];
+#endif
+} ngx_http_cp_metric_data_t;
+
+#endif // __NGINX_ATTACHMENT_COMMON_H__

core/include/attachments/nginx_attachment_util.h

@@ -0,0 +1,67 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __NGINX_ATTACHMENT_UTIL__
+#define __NGINX_ATTACHMENT_UTIL__
+
+#include <stdio.h>
+
+#include "nginx_attachment_common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif // __cplusplus
+
+#define IP_STR_MAX_LEN 40
+
+typedef const char * c_str;
+
+int initAttachmentConfig(c_str conf_file);
+
+ngx_http_inspection_mode_e getInspectionMode();
+unsigned int getNumOfNginxIpcElements();
+unsigned int getKeepAliveIntervalMsec();
+unsigned int getDbgLevel();
+int isDebugContext(c_str client, c_str server, unsigned int port, c_str method, c_str host, c_str uri);
+c_str getStaticResourcesPath();
+
+int isFailOpenMode();
+unsigned int getFailOpenTimeout();
+
+int isFailOpenHoldMode();
+unsigned int getFailOpenHoldTimeout();
+
+unsigned int getMaxSessionsPerMinute();
+int isFailOpenOnSessionLimit();
+
+unsigned int getRegistrationThreadTimeout();
+
+unsigned int getReqProccessingTimeout();
+unsigned int getReqHeaderThreadTimeout();
+unsigned int getReqBodyThreadTimeout();
+
+unsigned int getResProccessingTimeout();
+unsigned int getResHeaderThreadTimeout();
+unsigned int getResBodyThreadTimeout();
+
+unsigned int getWaitingForVerdictThreadTimeout();
+
+int isIPAddress(c_str ip_str);
+int isSkipSource(c_str ip_str);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif // __NGINX_ATTACHMENT_UTIL__

core/include/attachments/shmem_ipc.h

@@ -0,0 +1,66 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __SHMEM_IPC_H__
+#define __SHMEM_IPC_H__
+
+#include <stdint.h>
+#include <sys/types.h>
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif // __cplusplus
+
+typedef struct SharedMemoryIPC SharedMemoryIPC;
+extern const int corrupted_shmem_error;
+
+SharedMemoryIPC * initIpc(
+    const char queue_name[32],
+    const uint32_t user_id,
+    const uint32_t group_id,
+    int is_owner,
+    uint16_t num_of_queue_elem,
+    void (*debug_func)(int is_error, const char *func, const char *file, int line_num, const char *fmt, ...)
+);
+
+void destroyIpc(SharedMemoryIPC *ipc, int is_owner);
+
+int sendData(SharedMemoryIPC *ipc, const uint16_t data_to_send_size, const char *data_to_send);
+
+int
+sendChunkedData(
+    SharedMemoryIPC *ipc,
+    const uint16_t *data_to_send_sizes,
+    const char **data_elem_to_send,
+    const uint8_t num_of_data_elem
+);
+
+int receiveData(SharedMemoryIPC *ipc, uint16_t *received_data_size, const char **received_data);
+
+int popData(SharedMemoryIPC *ipc);
+
+int isDataAvailable(SharedMemoryIPC *ipc);
+
+void resetIpc(SharedMemoryIPC *ipc, uint16_t num_of_data_segments);
+
+void dumpIpcMemory(SharedMemoryIPC *ipc);
+
+int isCorruptedShmem(SharedMemoryIPC *ipc, int is_owner);
+
+#ifdef __cplusplus
+}
+#endif // __cplusplus
+
+#endif // __SHMEM_IPC_H__