Aug_23_2023-Dev

2025-09-30 03:34:26 +03:00 · 2023-08-23 14:15:32 +00:00
parent 702c1184ea
commit b25fd8def5
115 changed files with 8292 additions and 1189 deletions
--- a/components/include/generic_rulebase/triggers_config.h
+++ b/components/include/generic_rulebase/triggers_config.h
@@ -11,52 +11,108 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

+/// \file triggers_config.h
+/// \brief Declaration of classes WebTriggerConf and LogTriggerConf, and related functions.
+/// \author Check Point Software Technologies Ltd.
+/// \date 2022
+
 #ifndef __TRIGGERS_CONFIG_H__
 #define __TRIGGERS_CONFIG_H__

-#include <vector>
 #include <string>
+#include <vector>

-#include "environment/evaluator_templates.h"
+#include "cereal/archives/json.hpp"
 #include "cereal/types/string.hpp"
 #include "cereal/types/vector.hpp"
-#include "cereal/archives/json.hpp"
+#include "config.h"
+#include "environment/evaluator_templates.h"
+#include "generic_rulebase_utils.h"
 #include "i_environment.h"
 #include "i_logging.h"
-#include "singleton.h"
-#include "maybe_res.h"
-#include "config.h"
 #include "log_generator.h"
-#include "generic_rulebase_utils.h"
+#include "maybe_res.h"
+#include "singleton.h"

+/// \class WebTriggerConf
+/// \brief Represents the configuration for a web trigger.
 class WebTriggerConf
 {
 public:
+    /// \brief Default constructor for WebTriggerConf.
    WebTriggerConf();
+
+    /// \brief Constructor for WebTriggerConf.
+    /// \param title The title of the trigger.
+    /// \param body The body of the trigger.
+    /// \param code The response code for the trigger.
    WebTriggerConf(const std::string &title, const std::string &body, uint code);

+    /// \brief Preload function to register expected configuration.
    static void
    preload()
    {
        registerExpectedConfiguration<WebTriggerConf>("rulebase", "webUserResponse");
    }

+    /// \brief Load function to deserialize configuration from JSONInputArchive.
+    /// \param archive_in The JSON input archive.
    void load(cereal::JSONInputArchive &archive_in);

+    /// \brief Equality operator for WebTriggerConf.
+    /// \param other The WebTriggerConf to compare.
+    /// \return True if the two WebTriggerConf objects are equal, otherwise false.
    bool operator==(const WebTriggerConf &other) const;

-    uint getResponseCode() const { return response_code; }
+    /// \brief Get the response code for the trigger.
+    /// \return The response code.
+    uint
+    getResponseCode() const
+    {
+        return response_code;
+    }

-    const std::string & getResponseTitle() const { return response_title; }
+    /// \brief Get the response title for the trigger.
+    /// \return The response title.
+    const std::string &
+    getResponseTitle() const
+    {
+        return response_title;
+    }

-    const std::string & getResponseBody() const { return response_body; }
+    /// \brief Get the response body for the trigger.
+    /// \return The response body.
+    const std::string &
+    getResponseBody() const
+    {
+        return response_body;
+    }

-    const std::string & getDetailsLevel() const { return details_level; }
+    /// \brief Get the details level for the trigger.
+    /// \return The details level.
+    const std::string &
+    getDetailsLevel() const
+    {
+        return details_level;
+    }

-    const std::string & getRedirectURL() const { return redirect_url; }
+    /// \brief Get the redirect URL for the trigger.
+    /// \return The redirect URL.
+    const std::string &
+    getRedirectURL() const
+    {
+        return redirect_url;
+    }

-    bool getAddEventId() const { return add_event_id_to_header; }
+    /// \brief Check if the trigger should add an event ID to the header.
+    /// \return True if the trigger should add an event ID, otherwise false.
+    bool
+    getAddEventId() const
+    {
+        return add_event_id_to_header;
+    }

+    /// \brief Default trigger configuration for WebTriggerConf.
    static WebTriggerConf default_trigger_conf;

 private:
@@ -64,17 +120,38 @@ private:
    std::string details_level;
    std::string response_body;
    std::string redirect_url;
-    uint        response_code;
-    bool        add_event_id_to_header = false;
+    uint response_code;
+    bool add_event_id_to_header = false;
 };

+/// \class LogTriggerConf
+/// \brief Represents the configuration for a log trigger.
 class LogTriggerConf : Singleton::Consume<I_Logging>
 {
 public:
-    enum class SecurityType { AccessControl, ThreatPrevention, Compliance, COUNT };
-    enum class extendLoggingSeverity { None, High, Critical };
+    /// \enum SecurityType
+    /// \brief Enumerates the security types for LogTriggerConf.
+    enum class SecurityType
+    {
+        AccessControl,
+        ThreatPrevention,
+        Compliance,
+        COUNT
+    };

-    enum class WebLogFields {
+    /// \enum extendLoggingSeverity
+    /// \brief Enumerates the extended logging severity for LogTriggerConf.
+    enum class extendLoggingSeverity
+    {
+        None,
+        High,
+        Critical
+    };
+
+    /// \enum WebLogFields
+    /// \brief Enumerates the web log fields for LogTriggerConf.
+    enum class WebLogFields
+    {
        webBody,
        webHeaders,
        webRequests,
@@ -85,17 +162,31 @@ public:
        COUNT
    };

+    /// \brief Default constructor for LogTriggerConf.
    LogTriggerConf() {}

+    /// \brief Constructor for LogTriggerConf.
+    /// \param trigger_name The name of the trigger.
+    /// \param log_detect Flag indicating whether to log on detect.
+    /// \param log_prevent Flag indicating whether to log on prevent.
    LogTriggerConf(std::string trigger_name, bool log_detect, bool log_prevent);

+    /// \brief Preload function to register expected configuration.
    static void
    preload()
    {
        registerExpectedConfiguration<LogTriggerConf>("rulebase", "log");
    }

-    template <typename ...Tags>
+    /// \brief LogGen operator for LogTriggerConf.
+    /// \param title The title of the log.
+    /// \param security The security type of the log.
+    /// \param severity The severity of the log.
+    /// \param priority The priority of the log.
+    /// \param is_action_drop_or_prevent Flag indicating if the action is drop or prevent.
+    /// \param tags Tags for the log.
+    /// \return The LogGen object.
+    template <typename... Tags>
    LogGen
    operator()(
        const std::string &title,
@@ -103,7 +194,8 @@ public:
        ReportIS::Severity severity,
        ReportIS::Priority priority,
        bool is_action_drop_or_prevent,
-        Tags ...tags) const
+        Tags... tags
+    ) const
    {
        return LogGen(
            title,
@@ -117,11 +209,17 @@ public:
        );
    }

-    template <typename ...Tags>
+    /// \brief LogGen operator for LogTriggerConf.
+    /// \param title The title of the log.
+    /// \param security The security type of the log.
+    /// \param is_action_drop_or_prevent Flag indicating if the action is drop or prevent.
+    /// \param tags Tags for the log.
+    /// \return The LogGen object.
+    template <typename... Tags>
    LogGen
-    operator()(const std::string &title, SecurityType security, bool is_action_drop_or_prevent, Tags ...tags) const
+    operator()(const std::string &title, SecurityType security, bool is_action_drop_or_prevent, Tags... tags) const
    {
-        return (*this)(
+        return operator()(
            title,
            security,
            getSeverity(is_action_drop_or_prevent),
@@ -131,30 +229,98 @@ public:
        );
    }

+    /// \brief Load function to deserialize configuration from JSONInputArchive.
+    /// \param archive_in The JSON input archive.
    void load(cereal::JSONInputArchive &archive_in);

-    bool isWebLogFieldActive(WebLogFields log_field) const { return log_web_fields.isSet(log_field); }
+    /// \brief Check if the web log field is active for the trigger.
+    /// \param log_field The web log field to check.
+    /// \return True if the web log field is active, otherwise false.
+    bool
+    isWebLogFieldActive(WebLogFields log_field) const
+    {
+        return log_web_fields.isSet(log_field);
+    }

-    bool isLogStreamActive(ReportIS::StreamType stream_type) const { return active_streams.isSet(stream_type); }
+    /// \brief Check if the log stream is active for the trigger.
+    /// \param stream_type The log stream type to check.
+    /// \return True if the log stream is active, otherwise false.
+    bool
+    isLogStreamActive(ReportIS::StreamType stream_type) const
+    {
+        return active_streams.isSet(stream_type);
+    }

-    bool isPreventLogActive(SecurityType security_type) const { return should_log_on_prevent.isSet(security_type); }
+    /// \brief Check if the log is active on prevent for the given security type.
+    /// \param security_type The security type to check.
+    /// \return True if the log is active on prevent, otherwise false.
+    bool
+    isPreventLogActive(SecurityType security_type) const
+    {
+        return should_log_on_prevent.isSet(security_type);
+    }

-    bool isDetectLogActive(SecurityType security_type) const { return should_log_on_detect.isSet(security_type); }
+    /// \brief Check if the log is active on detect for the given security type.
+    /// \param security_type The security type to check.
+    /// \return True if the log is active on detect, otherwise false.
+    bool
+    isDetectLogActive(SecurityType security_type) const
+    {
+        return should_log_on_detect.isSet(security_type);
+    }

-    bool isLogGeoLocationActive(SecurityType security_type) const { return log_geo_location.isSet(security_type); }
+    /// \brief Check if the geo-location log is active for the given security type.
+    /// \param security_type The security type to check.
+    /// \return True if the geo-location log is active, otherwise false.
+    bool
+    isLogGeoLocationActive(SecurityType security_type) const
+    {
+        return log_geo_location.isSet(security_type);
+    }

-    extendLoggingSeverity getExtendLoggingSeverity() const { return extend_logging_severity; }
+    /// \brief Get the extended logging severity.
+    /// \return The extended logging severity.
+    extendLoggingSeverity
+    getExtendLoggingSeverity() const
+    {
+        return extend_logging_severity;
+    }

-    const std::string & getVerbosity() const { return verbosity; }
-    const std::string & getName() const { return name; }
+    /// \brief Get the verbosity.
+    /// \return The verbosity.
+    const std::string &
+    getVerbosity() const
+    {
+        return verbosity;
+    }

-    const std::string & getUrlForSyslog() const { return url_for_syslog; }
-    const std::string & getUrlForCef() const { return url_for_cef; }
+    /// \brief Get the name.
+    /// \return The name.
+    const std::string &
+    getName() const
+    {
+        return name;
+    }
+
+    /// \brief Get the URL for syslog.
+    /// \return The URL for syslog.
+    const std::string &
+    getUrlForSyslog() const
+    {
+        return url_for_syslog;
+    }
+
+    /// \brief Get the URL for CEF.
+    /// \return The URL for CEF.
+    const std::string &
+    getUrlForCef() const
+    {
+        return url_for_cef;
+    }

 private:
    ReportIS::Severity getSeverity(bool is_action_drop_or_prevent) const;
    ReportIS::Priority getPriority(bool is_action_drop_or_prevent) const;
-
    Flags<ReportIS::StreamType> getStreams(SecurityType security_type, bool is_action_drop_or_prevent) const;
    Flags<ReportIS::Enreachments> getEnrechments(SecurityType security_type) const;

--- a/components/include/health_checker.h
+++ b/components/include/health_checker.h
@@ -18,6 +18,7 @@
 #include "i_mainloop.h"
 #include "i_socket_is.h"
 #include "i_health_check_manager.h"
+#include "i_shell_cmd.h"
 #include "component.h"

 class HealthChecker
@@ -25,7 +26,8 @@ class HealthChecker
    public Component,
    Singleton::Consume<I_MainLoop>,
    Singleton::Consume<I_Socket>,
-    Singleton::Consume<I_Health_Check_Manager>
+    Singleton::Consume<I_Health_Check_Manager>,
+    Singleton::Consume<I_ShellCmd>
 {
 public:
    HealthChecker();
--- a/components/include/i_orchestration_tools.h
+++ b/components/include/i_orchestration_tools.h
@@ -109,6 +109,11 @@ public:
    virtual Maybe<std::string> readFile(const std::string &path) const = 0;
    virtual bool writeFile(const std::string &text, const std::string &path) const = 0;
    virtual bool removeFile(const std::string &path) const = 0;
+    virtual bool removeDirectory(const std::string &path, bool delete_content) const = 0;
+    virtual void deleteVirtualTenantProfileFiles(
+        const std::string &tenant_id,
+        const std::string &profile_id,
+        const std::string &conf_path) const = 0;
    virtual bool copyFile(const std::string &src_path, const std::string &dst_path) const = 0;
    virtual bool doesFileExist(const std::string &file_path) const = 0;
    virtual void fillKeyInJson(
@@ -118,6 +123,7 @@ public:
    virtual bool createDirectory(const std::string &directory_path) const = 0;
    virtual bool doesDirectoryExist(const std::string &dir_path) const = 0;
    virtual bool executeCmd(const std::string &cmd) const = 0;
+    virtual void loadTenantsFromDir(const std::string &dir_path) const = 0;

    virtual std::string base64Encode(const std::string &input) const = 0;
    virtual std::string base64Decode(const std::string &input) const = 0;
--- a/components/include/i_service_controller.h
+++ b/components/include/i_service_controller.h
@@ -19,6 +19,7 @@
 #include <map>

 #include "connkey.h"
+#include "maybe_res.h"
 #include "rest.h"

 enum class ReconfStatus { SUCCEEDED, IN_PROGRESS, FAILED, INACTIVE };
@@ -27,6 +28,7 @@ class I_ServiceController
 {
 public:
    virtual void refreshPendingServices() = 0;
+    virtual const std::string & getPolicyVersions() const = 0;
    virtual const std::string & getPolicyVersion() const = 0;
    virtual const std::string & getUpdatePolicyVersion() const = 0;
    virtual void updateReconfStatus(int id, ReconfStatus status) = 0;
@@ -37,13 +39,13 @@ public:
        const std::string &service_id
    ) = 0;

-    virtual bool
+    virtual Maybe<void>
    updateServiceConfiguration(
        const std::string &new_policy_path,
        const std::string &new_settings_path,
        const std::vector<std::string> &new_data_files = {},
-        const std::string &tenant_id = "",
-        const std::string &profile_id = "",
+        const std::string &child_tenant_id = "",
+        const std::string &child_profile_id = "",
        const bool last_iteration = false
    ) = 0;

--- a/components/include/i_update_communication.h
+++ b/components/include/i_update_communication.h
@@ -26,9 +26,12 @@ using OrchData      = Maybe<std::string>;
 class I_UpdateCommunication
 {
 public:
+    virtual Maybe<void> sendPolicyVersion(
+        const std::string &policy_version,
+        const std::string &policy_versions
+    ) const = 0;
    virtual Maybe<void> authenticateAgent() = 0;
    virtual Maybe<void> getUpdate(CheckUpdateRequest &request) = 0;
-    virtual Maybe<void> sendPolicyVersion(const std::string &policy_version) const = 0;
    virtual Maybe<std::string> downloadAttributeFile(const GetResourceFile &resourse_file) = 0;
    virtual void setAddressExtenesion(const std::string &extension) = 0;
 };
--- a/components/include/orchestration_tools.h
+++ b/components/include/orchestration_tools.h
@@ -17,9 +17,16 @@
 #include <fstream>

 #include "i_orchestration_tools.h"
+#include "i_shell_cmd.h"
+#include "i_tenant_manager.h"
 #include "component.h"

-class OrchestrationTools : public Component, Singleton::Provide<I_OrchestrationTools>
+class OrchestrationTools
+        :
+    public Component,
+    Singleton::Provide<I_OrchestrationTools>,
+    Singleton::Consume<I_ShellCmd>,
+    Singleton::Consume<I_TenantManager>
 {
 public:
    OrchestrationTools();
--- a/components/include/orchestrator/rest_api/orchestration_check_update.h
+++ b/components/include/orchestrator/rest_api/orchestration_check_update.h
@@ -106,6 +106,42 @@ public:
        BOTH_LABEL_OPTIONAL_PARAM(TenantError, error, "error");
    };

+    class UpgradeSchedule : public ClientRest
+    {
+    public:
+        UpgradeSchedule() = default;
+
+        void init(const std::string &_upgrade_mode) { mode = _upgrade_mode; }
+
+        void
+        init(
+            const std::string &_upgrade_mode,
+            const std::string &_upgrade_time,
+            const uint &_upgrade_duration_hours)
+        {
+            init(_upgrade_mode);
+            time = _upgrade_time;
+            duration_hours = _upgrade_duration_hours;
+        }
+
+        void
+        init(
+            const std::string &_upgrade_mode,
+            const std::string &_upgrade_time,
+            const uint &_upgrade_duration_hours,
+            const std::vector<std::string> &_upgrade_days)
+        {
+            init(_upgrade_mode, _upgrade_time, _upgrade_duration_hours);
+            days = _upgrade_days;
+        }
+
+    private:
+        C2S_LABEL_PARAM(std::string, mode, "upgradeMode");
+        C2S_LABEL_OPTIONAL_PARAM(std::string, time, "upgradeTime");
+        C2S_LABEL_OPTIONAL_PARAM(uint, duration_hours, "upgradeDurationHours");
+        C2S_LABEL_OPTIONAL_PARAM(std::vector<std::string>, days, "upgradeDay");
+    };
+
    CheckUpdateRequest(
        const std::string &_manifest,
        const std::string &_policy,
@@ -185,6 +221,28 @@ public:

    void setGreedyMode() { check_all_tenants = true; }

+    void
+    setUpgradeFields(const std::string &_upgrade_mode)
+    {
+        upgrade_schedule.setActive(true);
+        upgrade_schedule.get().init(_upgrade_mode);
+    }
+
+    void
+    setUpgradeFields(
+        const std::string &_upgrade_mode,
+        const std::string &_upgrade_time,
+        const uint &_upgrade_duration_hours,
+        const std::vector<std::string> &_upgrade_days)
+    {
+        upgrade_schedule.setActive(true);
+        if (!_upgrade_days.empty()) {
+            upgrade_schedule.get().init(_upgrade_mode, _upgrade_time, _upgrade_duration_hours, _upgrade_days);
+            return;
+        }
+        upgrade_schedule.get().init(_upgrade_mode, _upgrade_time, _upgrade_duration_hours);
+    }
+
 private:
    class VirtualConfig : public ClientRest
    {
@@ -239,6 +297,8 @@ private:
    C2S_LABEL_PARAM(std::string, checksum_type,  "checksum-type");
    C2S_LABEL_PARAM(std::string, policy_version, "policyVersion");

+    C2S_LABEL_OPTIONAL_PARAM(UpgradeSchedule, upgrade_schedule, "upgradeSchedule");
+
    S2C_LABEL_OPTIONAL_PARAM(VirtualConfig, in_virtual_policy,    "virtualPolicy");
    S2C_LABEL_OPTIONAL_PARAM(VirtualConfig, in_virtual_settings,  "virtualSettings");
 };