Jul 23rd update

nodes/orchestration/package/k8s-check-update-listener.sh

@@ -69,7 +69,7 @@ while true; do
         exception_pid=$!
         saveRuningPids
     fi
-        if [ ! -d /proc/${exception_pid} ]; then
+    if [ ! -d /proc/${policy_pid} ]; then
         runGetResourceListener policies
         policy_pid=$!
         saveRuningPids

nodes/orchestration/package/open-appsec-cloud-mgmt-k8s

@@ -15,11 +15,13 @@ latest_policy_version=1
 
 load_agent_details()
 {
-    tenant_id=$(cat /etc/cp/conf/agent_details.json | sed "s|Tenant ID|TenantID|g" | /etc/cp/bin/yq -P '.TenantID')
-    agent_id=$(cat /etc/cp/conf/agent_details.json | sed "s|Agent ID|AgentID|g" | /etc/cp/bin/yq -P '.AgentID')
-    profile_id=$(cat /etc/cp/conf/agent_details.json | sed "s|Profile ID|ProfileID|g" | /etc/cp/bin/yq -P '.ProfileID')
+    tenant_id=$(awk -F\" '/Tenant ID/{print $4}' /etc/cp/conf/agent_details.json)
+    agent_id=$(awk -F\" '/Agent ID/{print $4}' /etc/cp/conf/agent_details.json)
+    profile_id=$(awk -F\" '/Profile ID/{print $4}' /etc/cp/conf/agent_details.json)
     cluster_id=$(echo $(curl -s --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/namespaces/ ) \
-        | /etc/cp/bin/yq .items | /etc/cp/bin/yq  '.[] | select(.metadata.name  | contains("kube-system"))' | /etc/cp/bin/yq .metadata.uid)
+        | /etc/cp/bin/yq eval '.items' - \
+        | /etc/cp/bin/yq eval '.[] | select(.metadata.name | contains("kube-system"))' - \
+        | /etc/cp/bin/yq eval '.metadata.uid' -)
 }
 
 get_latest_policy_version()
@@ -44,15 +46,16 @@ get_latest_policy_version()
 
 concat_to_policy()
 {
-    crd_to_concat="$1"
-    is_first=$2
+    api_version="$1"
+    crd_to_concat="$2"
+    is_first=$3
     if [ ! -z $is_first ]; then
-        POLICY="$POLICY \"$1\": "
+        POLICY="$POLICY \"$crd_to_concat\": "
     else
-        POLICY="$POLICY, \"$1\": "
+        POLICY="$POLICY, \"$crd_to_concat\": "
     fi
     CRD=$(curl -s --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" \
-        -X GET ${APISERVER}/apis/openappsec.io/v1beta1/$crd_to_concat)
+        -X GET ${APISERVER}/apis/openappsec.io/$api_version/$crd_to_concat)
     CRD=$(echo $CRD|tr -d '\n')
     if [ -z "$CRD" ]; then
         CRD="{}"
@@ -60,28 +63,49 @@ concat_to_policy()
     POLICY="$POLICY $CRD"
 }
 
+get_api_version()
+{
+    CRD=$(curl -s --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" \
+        -X GET ${APISERVER}/apis/openappsec.io/v1beta2/policies)
+    CRD=$(echo $CRD|tr -d '\n')
+    # if CRD is not empty and does not contain "page not found" then it is v1beta2
+    if [ ! -z "$CRD" ] && ! echo "$CRD" | grep -q "page not found"; then
+        echo "v1beta2"
+    else
+        echo "v1beta1"
+    fi
+}
+
 generate_policy()
 {
     POLICY="{ \"Policy\": {"
-    concat_to_policy policies true
-    concat_to_policy practices
-    concat_to_policy logtriggers
-    concat_to_policy customresponses
-    concat_to_policy exceptions
-    concat_to_policy sourcesidentifiers
-    concat_to_policy trustedsources
+
+    api_version=$(get_api_version)
+
+    concat_to_policy $api_version "policies" true
+    if [ "$api_version" = "v1beta2" ]; then
+        concat_to_policy $api_version "threatpreventionpractices"
+        concat_to_policy $api_version "accesscontrolpractices"
+    else
+        concat_to_policy $api_version "practices"
+    fi
+    concat_to_policy $api_version "logtriggers"
+    concat_to_policy $api_version "customresponses"
+    concat_to_policy $api_version "exceptions"
+    concat_to_policy $api_version "sourcesidentifiers"
+    concat_to_policy $api_version "trustedsources"
 
     POLICY="$POLICY, \"assets\": { \"items\":[ "
 
     FIRST="1"
     all_ingresses=$(curl -s --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" \
         -X GET ${APISERVER}/apis/networking.k8s.io/v1/ingresses)
-    namespaces=$(echo $all_ingresses | /etc/cp/bin/yq -P '.items[].metadata.namespace')
+    namespaces=$(echo $all_ingresses | /etc/cp/bin/yq eval '.items[].metadata.namespace' -)
 
     for ns in ${namespaces}; do
         ingress_in_ns=$(curl -s --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" \
             -X GET ${APISERVER}/apis/networking.k8s.io/v1/namespaces/${ns}/ingresses)
-        ingress_list=$(echo $ingress_in_ns | /etc/cp/bin/yq -P '.items[].metadata.name')
+        ingress_list=$(echo $ingress_in_ns | /etc/cp/bin/yq eval '.items[].metadata.name' -)
         for ingress_name in ${ingress_list}; do
             ingress_crd=$(curl -s --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" \
                 -X GET ${APISERVER}/apis/networking.k8s.io/v1/namespaces/${ns}/ingresses/${ingress_name})
@@ -273,7 +297,7 @@ while true; do
 done
 
 if [ -z "$var_fog" ]; then
-    var_fog=$(cat /etc/cp/conf/agent_details.json | sed "s|Fog domain|Fogdomain|g" | /etc/cp/bin/yq -P '.Fogdomain')
+    var_fog=$(awk -F\" '/Fog domain/{print $4}' /etc/cp/conf/agent_details.json)
     var_fog="https://$var_fog"
 fi
 

nodes/orchestration/package/open-appsec-ctl.sh

@@ -1363,9 +1363,12 @@ run_ai() # Initials - ra
         exit 1
     fi
     if [ "$ra_upload_to_fog" = "true" ]; then
-        ra_token_data=$(curl_to_orchestration "show-access-token")
-        ra_token_hex=$(echo "$ra_token_data" | grep "token" | cut -d '"' -f4 | base64 -d | od -t x1 -An)
-        ra_token_hex_formatted=$(echo $ra_token_hex | tr -d ' ')
+        ra_token_data=$(curl_to_orchestration "show-access-token" | grep "token" | cut -d '"' -f4)
+        if [ -z "${ra_token_data}" ]; then
+            echo "Failed to get crediantials to upload the file to the cloud."
+            exit 1;
+        fi
+        ra_token_hex_formatted=$(echo $ra_token_data | base64 -d | od -t x1 -An | tr -d '[:space:]')
         ra_token="$(xor_decrypt "${ra_token_hex_formatted}")"
 
         ra_proxy_val=""

nodes/orchestration/package/orchestration_package.sh

@@ -302,13 +302,15 @@ while true; do
         echo "Filesystem paths: ${FILESYSTEM_PATH}"
     elif [ "$1" = "--vs_id" ]; then
         shift
-        VS_ID=$1
-        export FILESYSTEM_PATH="/etc/cp/vs${VS_ID}"
-        NANO_AGENT_SERVICE_NAME="nano_agent_${VS_ID}"
-        NANO_AGENT_SERVICE_FILE="${NANO_AGENT_SERVICE_NAME}.service"
-        VS_LIB_SUB_FOLDER="/vs${VS_ID}"
-        LOG_FILE_PATH="${LOG_FILE_PATH}/vs${VS_ID}"
-        TMP_FOLDER="${TMP_FOLDER}/vs${VS_ID}"
+        if [ "$1" != "0" ]; then
+            VS_ID=$1
+            export FILESYSTEM_PATH="/etc/cp/vs${VS_ID}"
+            NANO_AGENT_SERVICE_NAME="nano_agent_${VS_ID}"
+            NANO_AGENT_SERVICE_FILE="${NANO_AGENT_SERVICE_NAME}.service"
+            VS_LIB_SUB_FOLDER="/vs${VS_ID}"
+            LOG_FILE_PATH="${LOG_FILE_PATH}/vs${VS_ID}"
+            TMP_FOLDER="${TMP_FOLDER}/vs${VS_ID}"
+        fi
     elif [ "$1" = "--log_files_path" ]; then
         shift
         var=$1
@@ -360,6 +362,16 @@ if [ -z "$VS_ID" ]; then
     fi
 fi
 
+if [ -n "${VS_ID}" ]; then
+    if [ "$VS_ID" != "$INSTANCE_VSID" ]; then
+        echo "Error: Incorrect context, switch to VS${VS_ID} context first."
+        exit 1
+    fi
+elif [ -n "$INSTANCE_VSID" ] && [ "$INSTANCE_VSID" != "0" ]; then
+    echo "Error: Incorrect context, exit vs${INSTANCE_VSID} first."
+    exit 1
+fi
+
 if [ "$RUN_MODE" = "install" ] && [ $var_offline_mode = false ]; then
     if [ -n "$OTP_TOKEN" ] && [ -z "$var_token" ] && [ "$var_no_otp" = "false" ]; then
         var_token=$OTP_TOKEN
@@ -846,7 +858,7 @@ install_public_key()
 
     fog_address=${var_fog_address}
     if [ -n "${var_upgrade_mode}" ]; then
-        # Upgradde - look in policy.json
+        # Upgrade - look in policy.json
         fog_address=$(cat ${FILESYSTEM_PATH}/${CONF_PATH}/${SERVICE_PATH}/orchestration.policy)
     fi