Mar 21st 2024 update

2025-09-29 11:16:30 +03:00 · 2024-03-21 15:31:38 +00:00
parent 0d22790ebe
commit c20fa9f966
100 changed files with 3851 additions and 453 deletions
--- a/nodes/orchestration/package/local-default-policy.yaml
+++ b/nodes/orchestration/package/local-default-policy.yaml
@@ -52,7 +52,7 @@ log-triggers:
      url-path: false
      url-query: false
    log-destination:
-      cloud: true
+      cloud: false
      stdout:
        format: json

--- a/nodes/orchestration/package/open-appsec-ctl.sh
+++ b/nodes/orchestration/package/open-appsec-ctl.sh
@@ -49,6 +49,9 @@ NO_COLOR='\033[0m'
 pidof_cmd="pidof -x"
 is_alpine_release=

+CURL_ERRORS="Operation timed out
+Connection refused"
+
 var_last_policy_modification_time=0

 ls -l /etc/ | grep release > /dev/null 2>&1
@@ -333,22 +336,41 @@ get_profile_setting() # Initials - gps
 curl_func() # Initials - cf
 {
    cf_port=$1
-    cf_data=$2
+    cf_uri=$2
+    cf_data=$3
    if [ -z "$cf_data" ]; then
        cf_data="{}"
    fi

    if [ "${remove_curl_ld_path}" = "true" ]; then
-        echo "$(LD_LIBRARY_PATH="" ${curl_cmd} -sS --noproxy "*" --header "Content-Type: application/json" --request POST --data "$cf_data" http://127.0.0.1:"$cf_port" 2>&1)"
+        cf_response=$(LD_LIBRARY_PATH="" ${curl_cmd} -sS -m 1 --noproxy "*" --header "Content-Type: application/json" --request POST --data "$cf_data" http://127.0.0.1:"$cf_port/$cf_uri" 2>&1)
    else
-        echo "$(${curl_cmd} -sS --noproxy "*" --header "Content-Type: application/json" --request POST --data "$cf_data" http://127.0.0.1:"$cf_port" 2>&1)"
+        cf_response=$(${curl_cmd} -sS -m 1 --noproxy "*" --header "Content-Type: application/json" --request POST --data "$cf_data" http://127.0.0.1:"$cf_port/$cf_uri" 2>&1)
    fi
+    echo "$cf_response"
+}
+
+curl_to_orchestration() # Initials - cto
+{
+    cto_uri=$1
+    cto_data=$2
+    if [ -z "$cto_data" ]; then
+        cto_data="{}"
+    fi
+
+    cto_orchestration_port=$(extract_api_port orchestration)
+    cto_response=$(curl_func ${cto_orchestration_port} ${cto_uri} "${cto_data}")
+    cto_curl_error=$(echo "$cto_response" | grep -F -e "$CURL_ERRORS")
+    if [ -n "$cto_curl_error" ]; then
+        cto_secondary_orchestration_port=$(extract_default_api_port secondary_orchestration)
+        cto_response=$(curl_func ${cto_secondary_orchestration_port} ${cto_uri} "${cto_data}")
+    fi
+    echo "$cto_response"
 }

 get_registered_services_ports() # Initails - grsp
 {
-    grsp_orchestration_port=$1
-    grsp_ports_and_services=$(curl_func "${grsp_orchestration_port}"/show-all-service-ports)
+    grsp_ports_and_services=$(curl_to_orchestration "show-all-service-ports")
    if echo "$grsp_ports_and_services" | grep -q "Connection refused"; then
        echo "Failed to reach orchestration" >&2
        echo ""
@@ -387,7 +409,7 @@ extract_api_port() # Initials - eap
        return
    fi

-    for pair in $(get_registered_services_ports "$eap_orchestration_port" | tr "," " "); do
+    for pair in $(get_registered_services_ports | tr "," " "); do
        eap_service="$(echo "$pair" | cut -d ':' -f1)"
        if [ "$(is_requested_service "$eap_service_name" "$eap_service")" = true ]; then
            echo "$pair" | cut -d ':' -f2
@@ -616,7 +638,7 @@ run_update_gradual_policy() # Initials - rugp
    rugp_service_api_port=$(extract_api_port "$rugp_service_name")

    # Load gradual policy configuration
-    rugp_errors=$(curl_func "${rugp_service_api_port}/set-gradual-deployment-policy" "${rugp_data}")
+    rugp_errors=$(curl_func "${rugp_service_api_port}" "set-gradual-deployment-policy" "${rugp_data}")
    sleep 1
    if [ -n "$(echo "$rugp_errors" | sed "s/$(printf '\r')//g")" ]; then
        echo "Failed to set gradual policy. Error: $rugp_errors"
@@ -624,7 +646,7 @@ run_update_gradual_policy() # Initials - rugp
    fi
    if [ "$rugp_service_name" = "access-control" ]; then
        # Load policy to kernel
-        rugp_errors=$(curl_func "${rugp_service_api_port}"/set-gradual-policy-to-kernel)
+        rugp_errors=$(curl_func "${rugp_service_api_port}" "set-gradual-policy-to-kernel")
        if [ -n "$(echo "$rugp_errors" | sed "s/$(printf '\r')//g")" ]; then
            echo "Failed to set gradual policy. Error: $rugp_errors"
        else
@@ -760,7 +782,12 @@ print_metrics() # Initials - pm
    pm_service_name=$1
    pm_port=$2

-    pm_errors=$(curl_func "${pm_port}"/show-metrics)
+    if [ $pm_service_name = "Orchestration" ]; then
+        pm_errors=$(curl_to_orchestration "show-metrics")
+    else
+        pm_errors=$(curl_func "${pm_port}" "show-metrics")
+    fi
+
    if [ -n "$(echo "$pm_errors" | sed "s/$(printf '\r')//g")" ]; then
        return
    fi
@@ -780,17 +807,15 @@ run_print_metrics() # Initials - rpm
        fi
    fi

-    rpm_orchestration_port=$(extract_default_api_port orchestration)
-
    if [ -z "$rpm_service_name" ]; then
-        print_metrics "Orchestration" "$rpm_orchestration_port"
-        rpm_list=$(get_registered_services_ports "$rpm_orchestration_port" | tr "," " ")
+        print_metrics "Orchestration"
+        rpm_list=$(get_registered_services_ports | tr "," " ")
        for pair in ${rpm_list}; do
            rpm_service=$(echo "$pair" | cut -d ':' -f1)
            print_metrics "$rpm_service" "$(echo "$pair" | cut -d ':' -f2)"
        done
    elif [ "$rpm_service_name" = "orchestration" ]; then
-        print_metrics "Orchestration" "$rpm_orchestration_port"
+        print_metrics "Orchestration"
    else
        rpm_port=$(extract_api_port "$rpm_service_name")
        print_metrics "$rpm_service_name" "$rpm_port"
@@ -801,7 +826,7 @@ run_health_check() # Initials - rhc
 {
    rhc_orchestration_port=$(extract_default_api_port orchestration)

-    rhc_errors=$(curl_func "${rhc_orchestration_port}"/show-health-check-on-demand)
+    rhc_errors=$(curl_to_orchestration "show-health-check-on-demand")
    if [ -n "$(echo "$rhc_errors" | sed "s/$(printf '\r')//g")" ]; then
        return
    fi
@@ -863,6 +888,8 @@ print_single_service_status() # Initials - psss
    psss_maybe_version=$(LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$USR_LIB_PATH/cpnano"$LD_LIBRARY_PATH_ADD" $psss_service_full_path --version 2>&1)
    if echo "$psss_maybe_version" | grep -q "error"; then
        echo "Version: Temporarily unavailable"
+        format_colored_status_line "Status: Not Available"
+        echo ""
        return
    fi
    echo "$psss_maybe_version"
@@ -959,11 +986,7 @@ run_status() # Initials - rs
        format_colored_status_line "Status: Not running"
    fi

-    if [ "${remove_curl_ld_path}" = "true" ]; then
-        rs_orch_status=$(LD_LIBRARY_PATH="" ${curl_cmd} -sS -m 1 --noproxy "*" --header "Content-Type: application/json" --request POST --data {} http://127.0.0.1:"$(extract_api_port 'orchestration')"/show-orchestration-status 2>&1)
-    else
-        rs_orch_status=$(${curl_cmd} -sS -m 1 --noproxy "*" --header "Content-Type: application/json" --request POST --data {} http://127.0.0.1:"$(extract_api_port 'orchestration')"/show-orchestration-status 2>&1)
-    fi
+    rs_orch_status=$(curl_to_orchestration "show-orchestration-status")

    if echo "$rs_orch_status" | grep -q "update status"; then
        rs_line_count=$(echo "$rs_orch_status" | grep -c '^')
@@ -1065,17 +1088,12 @@ set_proxy() # Initials - sp
        exit 1
    fi

-    if [ "${remove_curl_ld_path}" = "true" ]; then
-        sp_curl_output=$(LD_LIBRARY_PATH="" ${curl_cmd} -w "%{http_code}\n" -sS -m 60 --noproxy "*" --header "Content-Type: application/json" --request POST --data '{"proxy":"'"$sp_proxy"'"}' http://127.0.0.1:"$(extract_api_port 'orchestration')"/add-proxy)
-    else
-    sp_curl_output=$(${curl_cmd} -w "%{http_code}\n" -sS -m 60 --noproxy "*" --header "Content-Type: application/json" --request POST --data '{"proxy":"'"$sp_proxy"'"}' http://127.0.0.1:"$(extract_api_port 'orchestration')"/add-proxy)
-    fi
-    if echo "$sp_curl_output" | grep -q "200"; then
-        echo "Proxy successfully changed to $sp_proxy"
-    else
-        echo "Failed to set proxy: Error code ${sp_curl_output}"
+    sp_curl_output=$(curl_to_orchestration "add-proxy" '{"proxy":"'"$sp_proxy"'"}')
+    if [ -n "$(echo "$sp_curl_output" | sed "s/$(printf '\r')//g")" ]; then
+        echo "Failed to set proxy. Error: ${sp_curl_output}"
        exit 1
    fi
+    echo "Proxy successfully changed to $sp_proxy"
 }

 run_display_single_service_settings() # Initials - rdsss
@@ -1277,7 +1295,7 @@ run_ai() # Initials - ra
        ra_tenant_id=$(printf "%s" "$ra_agent_details" | grep "Tenant ID" | cut -d '"' -f4)
        ra_agent_id=$(printf "%s" "$ra_agent_details" | grep "Agent ID" | cut -d '"' -f4)
    else
-        ra_orch_status=$(curl_func "$(extract_api_port orchestration)"/show-orchestration-status)
+        ra_orch_status=$(curl_to_orchestration "show-orchestration-status")
        if ! echo "$ra_orch_status" | grep -q "update status"; then
            [ -f ${FILESYSTEM_PATH}/$cp_nano_conf_location/orchestrations_status.json ] && ra_orch_status=$(cat ${FILESYSTEM_PATH}/$cp_nano_conf_location/orchestration_status.json)
        fi
@@ -1302,7 +1320,7 @@ run_ai() # Initials - ra
        exit 1
    fi
    if [ "$ra_upload_to_fog" = "true" ]; then
-        ra_token_data="$(curl_func "$(extract_api_port orchestration)"/show-access-token)"
+        ra_token_data=$(curl_to_orchestration "show-access-token")
        ra_token_hex=$(echo "$ra_token_data" | grep "token" | cut -d '"' -f4 | base64 -d | od -t x1 -An)
        ra_token_hex_formatted=$(echo $ra_token_hex | tr -d ' ')
        ra_token="$(xor_decrypt "${ra_token_hex_formatted}")"
@@ -1543,7 +1561,7 @@ set_mode()
    # set mode
    sed -i "s/$cp_nano_mode/$mode/" ${FILESYSTEM_PATH}/orchestration/cp-nano-orchestration.cfg

-    ret=$(curl_func "$(extract_api_port orchestration)"/set-orchestration-mode)
+    ret=$(curl_to_orchestration "set-orchestration-mode")

    if [ "$mode" = "online_mode" ]; then
        time_sleep=2
--- a/nodes/orchestration/package/orchestration_package.sh
+++ b/nodes/orchestration/package/orchestration_package.sh
@@ -307,7 +307,7 @@ while true; do
        echo "Log files path: ${LOG_FILE_PATH}"
    elif [ "$1" = "--arm64_trustbox" ] || [ "$1" = "--arm64_linaro" ] || [ "$1" = "--arm32_rpi" ] || [ "$1" = "--gaia" ] || [ "$1" = "--smb_mrv_v1" ] || [ "$1" = "--smb_sve_v2" ] || [ "$1" = "--smb_thx_v3" ] || [ "$1" = "--x86" ] || [ "$1" = "./orchestration_package.sh" ]; then
        shift
-                continue
+		continue
    elif [ "$1" = "--skip_registration" ]; then
        var_skip_registration=true
    elif echo "$1" | grep -q ${FORCE_CLEAN_FLAG}; then
@@ -536,7 +536,7 @@ install_watchdog()
            cp_copy service/x86/ubuntu16/nano_agent.service /etc/systemd/system/nano_agent.service
            echo "ExecStart=${FILESYSTEM_PATH}/${WATCHDOG_PATH}/cp-nano-watchdog" >> /etc/systemd/system/nano_agent.service
            echo "ExecStartPost=${FILESYSTEM_PATH}/${WATCHDOG_PATH}/wait-for-networking-inspection-modules.sh" >> /etc/systemd/system/nano_agent.service
-                        echo "Environment=\"FILESYSTEM_PATH=${FILESYSTEM_PATH}\"" >> /etc/systemd/system/nano_agent.service
+			echo "Environment=\"FILESYSTEM_PATH=${FILESYSTEM_PATH}\"" >> /etc/systemd/system/nano_agent.service

            cp_exec "systemctl daemon-reload"
            cp_exec "systemctl enable nano_agent"
@@ -673,7 +673,7 @@ upgrade_conf_if_needed()
        [ -f "${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg" ] && . "${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg"

        previous_mode=$(cat ${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg | grep "orchestration-mode" | cut -d = -f 3 | sed 's/"//')
-                if ! [ -z "$previous_mode" ]; then
+ 		if ! [ -z "$previous_mode" ]; then
            var_orchestration_mode=${previous_mode}
        fi

@@ -719,9 +719,7 @@ copy_orchestration_executable()
    if [ -f /ext/appsec/local_policy.yaml ]; then
        cp_exec "ln -s /ext/appsec/local_policy.yaml ${FILESYSTEM_PATH}/${CONF_PATH}/local_policy.yaml"
    else
-        if [ ! -f ${FILESYSTEM_PATH}/${CONF_PATH}/local_policy.yaml ]; then
-            cp_copy local-default-policy.yaml ${FILESYSTEM_PATH}/${CONF_PATH}/local_policy.yaml
-        fi
+        cp_copy local-default-policy.yaml ${FILESYSTEM_PATH}/${CONF_PATH}/local_policy.yaml
    fi
 }

@@ -729,9 +727,9 @@ copy_k8s_executable()
 {
    if [ "$IS_K8S_ENV" = "true" ]; then
        cp -f k8s-check-update-listener.sh ${FILESYSTEM_PATH}/${SERVICE_PATH}/k8s-check-update-listener.sh
-            chmod +x ${FILESYSTEM_PATH}/${SERVICE_PATH}/k8s-check-update-listener.sh
-            cp -f k8s-check-update-trigger.sh ${FILESYSTEM_PATH}/${SERVICE_PATH}/k8s-check-update-trigger.sh
-            chmod +x ${FILESYSTEM_PATH}/${SERVICE_PATH}/k8s-check-update-trigger.sh
+	    chmod +x ${FILESYSTEM_PATH}/${SERVICE_PATH}/k8s-check-update-listener.sh
+	    cp -f k8s-check-update-trigger.sh ${FILESYSTEM_PATH}/${SERVICE_PATH}/k8s-check-update-trigger.sh
+	    chmod +x ${FILESYSTEM_PATH}/${SERVICE_PATH}/k8s-check-update-trigger.sh
    fi
 }

@@ -950,18 +948,18 @@ install_orchestration()
        echo "MAX_FILE_SIZE=${WATCHDOG_MAX_FILE_SIZE}" >> ${FILESYSTEM_PATH}/${ENV_DETAILS_FILE}
        echo "MAX_ROTATION=${WATCHDOG_MAX_ROTATIONS}" >> ${FILESYSTEM_PATH}/${ENV_DETAILS_FILE}

-                if [ -n "${FILESYSTEM_PATH}" ]; then
-                        echo "CP_ENV_FILESYSTEM=${FILESYSTEM_PATH}" >> ${FILESYSTEM_PATH}/${ENV_DETAILS_FILE}
-                fi
-                if [ -n "${LOG_FILE_PATH}" ]; then
-                        echo "CP_ENV_LOG_FILE=${LOG_FILE_PATH}" >> ${FILESYSTEM_PATH}/${ENV_DETAILS_FILE}
-                fi
-                if [ -n "${USR_LIB_PATH}" ]; then
-                        echo "CP_USR_LIB_PATH=${USR_LIB_PATH}" >> ${FILESYSTEM_PATH}/${ENV_DETAILS_FILE}
-                fi
-                if [ -n "${INIT_D_PATH}" ]; then
-                        echo "CP_INIT_D_PATH=${INIT_D_PATH}" >> ${FILESYSTEM_PATH}/${ENV_DETAILS_FILE}
-                fi
+		if [ -n "${FILESYSTEM_PATH}" ]; then
+			echo "CP_ENV_FILESYSTEM=${FILESYSTEM_PATH}" >> ${FILESYSTEM_PATH}/${ENV_DETAILS_FILE}
+		fi
+		if [ -n "${LOG_FILE_PATH}" ]; then
+			echo "CP_ENV_LOG_FILE=${LOG_FILE_PATH}" >> ${FILESYSTEM_PATH}/${ENV_DETAILS_FILE}
+		fi
+		if [ -n "${USR_LIB_PATH}" ]; then
+			echo "CP_USR_LIB_PATH=${USR_LIB_PATH}" >> ${FILESYSTEM_PATH}/${ENV_DETAILS_FILE}
+		fi
+		if [ -n "${INIT_D_PATH}" ]; then
+			echo "CP_INIT_D_PATH=${INIT_D_PATH}" >> ${FILESYSTEM_PATH}/${ENV_DETAILS_FILE}
+		fi
    fi

    if [ -z "${var_token}" ] && [ ${var_hybrid_mode} = false ] && [ ${var_offline_mode} = false ] && [ -z ${EGG_MODE} ] && [ ${var_no_otp} = false ]; then