prometheus support locally managed

* fix image entrypoint sigterm

* fix image entrypoint sigterm

---------

Co-authored-by: avigailo <avigailo@checkpoint.com>

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,36 @@
+---
+name: "Bug Report"
+about: "Report a bug with open-appsec"
+labels: [bug]
+---
+
+**Checklist**
+- Have you checked the open-appsec troubleshooting guides - https://docs.openappsec.io/troubleshooting/troubleshooting
+  - Yes / No
+- Have you checked the existing issues and discussions in github for the same issue 
+  - Yes / No
+- Have you checked the knwon limitations same issue - https://docs.openappsec.io/release-notes#limitations
+  - Yes / No
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Run '...'
+3. See error '...'
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots or Logs**
+If applicable, add screenshots or logs to help explain the issue.
+
+**Environment (please complete the following information):**
+- open-appsec version: 
+- Deployment type (Docker, Kubernetes, etc.): 
+- OS:
+
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: "Documentation & Troubleshooting"
+    url: "https://docs.openappsec.io/"
+    about: "Check the documentation before submitting an issue."
+  - name: "Feature Requests & Discussions"
+    url: "https://github.com/openappsec/openappsec/discussions"
+    about: "Please open a discussion for feature requests."

.github/ISSUE_TEMPLATE/nginx_version_support.md

@@ -0,0 +1,17 @@
+---
+name: "Nginx Version Support Request"
+about: "Request for a specific Nginx version to be supported"
+---
+
+**Nginx & OS Version:**
+Which Nginx and OS version are you using? 
+
+**Output of nginx -V**
+Share the output of nginx -v
+
+**Expected Behavior:**
+What do you expect to happen with this version?
+
+**Checklist**
+- Have you considered a docker based deployment - find more information here https://docs.openappsec.io/getting-started/start-with-docker?
+  - Yes / No

CMakeLists.txt

@@ -1,7 +1,7 @@
 cmake_minimum_required (VERSION 2.8.4)
 project (ngen)
 
-set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fPIC -Wall -Wno-terminate")
+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -O2 -fPIC -Wall -Wno-terminate")
 
 execute_process(COMMAND grep -c "Alpine Linux" /etc/os-release OUTPUT_VARIABLE IS_ALPINE)
 if(NOT IS_ALPINE EQUAL "0")

README.md

@@ -6,7 +6,7 @@
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/6629/badge)](https://bestpractices.coreinfrastructure.org/projects/6629)
 
 # About
-[open-appsec](https://www.openappsec.io) (openappsec.io) builds on machine learning to provide preemptive web app & API threat protection against OWASP-Top-10 and zero-day attacks. It can be deployed as an add-on to Kubernetes Ingress, NGINX, Envoy (soon), and API Gateways.
+[open-appsec](https://www.openappsec.io) (openappsec.io) builds on machine learning to provide preemptive web app & API threat protection against OWASP-Top-10 and zero-day attacks. It can be deployed as an add-on to Linux, Docker or K8s deployments, on NGINX, Kong, APISIX, or Envoy.
 
 The open-appsec engine learns how users normally interact with your web application. It then uses this information to automatically detect requests that fall outside of normal operations, and conducts further analysis to decide whether the request is malicious or not.
 
@@ -39,13 +39,13 @@ open-appsec can be managed using multiple methods:
 * [Using SaaS Web Management](https://docs.openappsec.io/getting-started/using-the-web-ui-saas)
 
 open-appsec Web UI:
-![image](https://github.com/openappsec/openappsec/assets/114033741/22d99379-df52-45c8-984f-1b820635f3b9)
+<img width="1854" height="775" alt="image" src="https://github.com/user-attachments/assets/4c6f7b0a-14f3-4f02-9ab0-ddadc9979b8d" />
+
 
 
 ## Deployment Playgrounds (Virtual labs)
 You can experiment with open-appsec using [Playgrounds](https://www.openappsec.io/playground)
-
-![image](https://github.com/openappsec/openappsec/assets/114033741/14d35d69-4577-48fc-ae87-ea344888e94d)
+<img width="781" height="878" alt="image" src="https://github.com/user-attachments/assets/0ddee216-5cdf-4288-8c41-cc28cfbf3297" />
 
 # Resources
 * [Project Website](https://openappsec.io)
@@ -54,27 +54,21 @@ You can experiment with open-appsec using [Playgrounds](https://www.openappsec.i
 
 # Installation
 
-For Kubernetes (NGINX Ingress) using the installer:
+For Kubernetes (NGINX /Kong / APISIX / Istio) using Helm: follow [documentation](https://docs.openappsec.io/getting-started/start-with-kubernetes)
 
-```bash
-$ wget https://downloads.openappsec.io/open-appsec-k8s-install && chmod +x open-appsec-k8s-install
-$ ./open-appsec-k8s-install
-```
-
-For Kubernetes (NGINX or Kong) using Helm: follow [documentation](https://docs.openappsec.io/getting-started/start-with-kubernetes/install-using-helm-ingress-nginx-and-kong) – use this method if you’ve built your own containers. 
-
-For Linux (NGINX or Kong) using the installer (list of supported/pre-compiled NGINX attachments is available [here](https://downloads.openappsec.io/packages/supported-nginx.txt)):
+For Linux (NGINX / Kong / APISIX) using the installer (list of supported/pre-compiled NGINX attachments is available [here](https://downloads.openappsec.io/packages/supported-nginx.txt)):
 
 ```bash
 $ wget https://downloads.openappsec.io/open-appsec-install && chmod +x open-appsec-install
 $ ./open-appsec-install --auto
 ```
+For kong Lua Based plug in follow [documentation](https://docs.openappsec.io/getting-started/start-with-linux)
 
 For Linux, if you’ve built your own package use the following commands:
 
 ```bash
 $ install-cp-nano-agent.sh --install --hybrid_mode
-$ install-cp-nano-service-http-transaction-handler.sh –install
+$ install-cp-nano-service-http-transaction-handler.sh --install
 $ install-cp-nano-attachment-registration-manager.sh --install
 ```
 You can add the ```--token <token>``` and ```--email <email address>``` options to the first command, to get a token follow [documentation](https://docs.openappsec.io/getting-started/using-the-web-ui-saas/connect-deployed-agents-to-saas-management-k8s-and-linux). 
@@ -177,7 +171,7 @@ open-appsec code was audited by an independent third party in September-October
 See the [full report](https://github.com/openappsec/openappsec/blob/main/LEXFO-CHP20221014-Report-Code_audit-OPEN-APPSEC-v1.2.pdf).
 
 ### Reporting security vulnerabilities
-If you've found a vulnerability or a potential vulnerability in open-appsec please let us know at securityalert@openappsec.io. We'll send a confirmation email to acknowledge your report within 24 hours, and we'll send an additional email when we've identified the issue positively or negatively.
+If you've found a vulnerability or a potential vulnerability in open-appsec please let us know at security-alert@openappsec.io. We'll send a confirmation email to acknowledge your report within 24 hours, and we'll send an additional email when we've identified the issue positively or negatively.
 
 
 # License

attachments/nginx/nginx_attachment_util/nginx_attachment_util.cc

@@ -95,6 +95,18 @@ getFailOpenHoldTimeout()
     return conf_data.getNumericalValue("fail_open_hold_timeout");
 }
 
+unsigned int
+getHoldVerdictPollingTime()
+{
+    return conf_data.getNumericalValue("hold_verdict_polling_time");
+}
+
+unsigned int
+getHoldVerdictRetries()
+{
+    return conf_data.getNumericalValue("hold_verdict_retries");
+}
+
 unsigned int
 getMaxSessionsPerMinute()
 {
@@ -155,6 +167,30 @@ getWaitingForVerdictThreadTimeout()
     return conf_data.getNumericalValue("waiting_for_verdict_thread_timeout_msec");
 }
 
+unsigned int
+getMinRetriesForVerdict()
+{
+    return conf_data.getNumericalValue("min_retries_for_verdict");
+}
+
+unsigned int
+getMaxRetriesForVerdict()
+{
+    return conf_data.getNumericalValue("max_retries_for_verdict");
+}
+
+unsigned int
+getReqBodySizeTrigger()
+{
+    return conf_data.getNumericalValue("body_size_trigger");
+}
+
+unsigned int
+getRemoveResServerHeader()
+{
+    return conf_data.getNumericalValue("remove_server_header");
+}
+
 int
 isIPAddress(c_str ip_str)
 {

attachments/nginx/nginx_attachment_util/nginx_attachment_util_ut/nginx_attachment_util_ut.cc

@@ -63,32 +63,44 @@ TEST_F(HttpAttachmentUtilTest, GetValidAttachmentConfiguration)
             "\"waiting_for_verdict_thread_timeout_msec\": 75,\n"
             "\"req_header_thread_timeout_msec\": 10,\n"
             "\"ip_ranges\": " + createIPRangesString(ip_ranges) + ",\n"
-            "\"static_resources_path\": \"" + static_resources_path + "\""
+            "\"static_resources_path\": \"" + static_resources_path + "\",\n"
+            "\"min_retries_for_verdict\": 1,\n"
+            "\"max_retries_for_verdict\": 3,\n"
+            "\"hold_verdict_retries\": 3,\n"
+            "\"hold_verdict_polling_time\": 1,\n"
+            "\"body_size_trigger\": 777,\n"
+            "\"remove_server_header\": 1\n"
         "}\n";
     ofstream valid_configuration_file(attachment_configuration_file_name);
     valid_configuration_file << valid_configuration;
     valid_configuration_file.close();
 
     EXPECT_EQ(initAttachmentConfig(attachment_configuration_file_name.c_str()), 1);
-    EXPECT_EQ(getDbgLevel(), 2);
+    EXPECT_EQ(getDbgLevel(), 2u);
     EXPECT_EQ(getStaticResourcesPath(), static_resources_path);
     EXPECT_EQ(isFailOpenMode(), 0);
-    EXPECT_EQ(getFailOpenTimeout(), 1234);
+    EXPECT_EQ(getFailOpenTimeout(), 1234u);
     EXPECT_EQ(isFailOpenHoldMode(), 1);
-    EXPECT_EQ(getFailOpenHoldTimeout(), 4321);
+    EXPECT_EQ(getFailOpenHoldTimeout(), 4321u);
     EXPECT_EQ(isFailOpenOnSessionLimit(), 1);
-    EXPECT_EQ(getMaxSessionsPerMinute(), 0);
-    EXPECT_EQ(getNumOfNginxIpcElements(), 200);
-    EXPECT_EQ(getKeepAliveIntervalMsec(), 10000);
-    EXPECT_EQ(getResProccessingTimeout(), 420);
-    EXPECT_EQ(getReqProccessingTimeout(), 42);
-    EXPECT_EQ(getRegistrationThreadTimeout(), 101);
-    EXPECT_EQ(getReqHeaderThreadTimeout(), 10);
-    EXPECT_EQ(getReqBodyThreadTimeout(), 155);
-    EXPECT_EQ(getResHeaderThreadTimeout(), 1);
-    EXPECT_EQ(getResBodyThreadTimeout(), 0);
-    EXPECT_EQ(getWaitingForVerdictThreadTimeout(), 75);
+    EXPECT_EQ(getMaxSessionsPerMinute(), 0u);
+    EXPECT_EQ(getNumOfNginxIpcElements(), 200u);
+    EXPECT_EQ(getKeepAliveIntervalMsec(), 10000u);
+    EXPECT_EQ(getResProccessingTimeout(), 420u);
+    EXPECT_EQ(getReqProccessingTimeout(), 42u);
+    EXPECT_EQ(getRegistrationThreadTimeout(), 101u);
+    EXPECT_EQ(getReqHeaderThreadTimeout(), 10u);
+    EXPECT_EQ(getReqBodyThreadTimeout(), 155u);
+    EXPECT_EQ(getResHeaderThreadTimeout(), 1u);
+    EXPECT_EQ(getResBodyThreadTimeout(), 0u);
+    EXPECT_EQ(getMinRetriesForVerdict(), 1u);
+    EXPECT_EQ(getMaxRetriesForVerdict(), 3u);
+    EXPECT_EQ(getReqBodySizeTrigger(), 777u);
+    EXPECT_EQ(getWaitingForVerdictThreadTimeout(), 75u);
     EXPECT_EQ(getInspectionMode(), ngx_http_inspection_mode::BLOCKING_THREAD);
+    EXPECT_EQ(getRemoveResServerHeader(), 1u);
+    EXPECT_EQ(getHoldVerdictRetries(), 3u);
+    EXPECT_EQ(getHoldVerdictPollingTime(), 1u);
 
     EXPECT_EQ(isDebugContext("1.2.3.4", "5.6.7.8", 80, "GET", "test", "/abc"), 1);
     EXPECT_EQ(isDebugContext("1.2.3.9", "5.6.7.8", 80, "GET", "test", "/abc"), 0);

build_system/apisix/docker-compose.yaml

@@ -1,15 +1,15 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
 
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 version: "3"
 

build_system/docker/CMakeLists.txt

@@ -1,4 +1,4 @@
-install(FILES Dockerfile entry.sh install-cp-agent-intelligence-service.sh install-cp-crowdsec-aux.sh DESTINATION .)
+install(FILES Dockerfile entry.sh install-cp-agent-intelligence-service.sh install-cp-crowdsec-aux.sh self_managed_openappsec_manifest.json DESTINATION .)
 
 add_custom_command(
     OUTPUT ${CMAKE_INSTALL_PREFIX}/agent-docker.img

build_system/docker/Dockerfile

@@ -1,5 +1,7 @@
 FROM alpine
 
+ENV OPENAPPSEC_NANO_AGENT=TRUE
+
 RUN apk add --no-cache -u busybox
 RUN apk add --no-cache -u zlib
 RUN apk add --no-cache bash
@@ -11,8 +13,12 @@ RUN apk add --no-cache libunwind
 RUN apk add --no-cache gdb
 RUN apk add --no-cache libxml2
 RUN apk add --no-cache pcre2
+RUN apk add --no-cache ca-certificates
 RUN apk add --update coreutils
 
+
+COPY self_managed_openappsec_manifest.json /tmp/self_managed_openappsec_manifest.json
+
 COPY install*.sh /nano-service-installers/
 COPY entry.sh /entry.sh
 

build_system/docker/entry.sh

@@ -6,12 +6,30 @@ HTTP_TRANSACTION_HANDLER_SERVICE="install-cp-nano-service-http-transaction-handl
 ATTACHMENT_REGISTRATION_SERVICE="install-cp-nano-attachment-registration-manager.sh"
 ORCHESTRATION_INSTALLATION_SCRIPT="install-cp-nano-agent.sh"
 CACHE_INSTALLATION_SCRIPT="install-cp-nano-agent-cache.sh"
+PROMETHEUS_INSTALLATION_SCRIPT="install-cp-nano-service-prometheus.sh"
+NGINX_CENTRAL_MANAGER_INSTALLATION_SCRIPT="install-cp-nano-central-nginx-manager.sh"
 
 var_fog_address=
 var_proxy=
 var_mode=
 var_token=
+var_ignore=
 init=
+active_watchdog_pid=
+
+cleanup() {
+    local signal="$1"
+    echo "[$(date '+%Y-%m-%d %H:%M:%S')] Signal ${signal} was received, exiting gracefully..." >&2
+    if [ -n "${active_watchdog_pid}" ] && ps -p ${active_watchdog_pid} > /dev/null 2>&1; then
+        kill -TERM ${active_watchdog_pid} 2>/dev/null || true
+        wait ${active_watchdog_pid} 2>/dev/null || true
+    fi
+    echo "Cleanup completed. Exiting now." >&2
+    exit 0
+}
+
+trap 'cleanup SIGTERM' SIGTERM
+trap 'cleanup SIGINT' SIGINT
 
 if [ ! -f /nano-service-installers/$ORCHESTRATION_INSTALLATION_SCRIPT ]; then
     echo "Error: agent installation package doesn't exist."
@@ -33,6 +51,8 @@ while true; do
         var_proxy="$1"
     elif [ "$1" == "--hybrid-mode" ] || [ "$1" == "--standalone" ]; then
         var_mode="--hybrid_mode"
+    elif [ "$1" == "--no-upgrade" ]; then
+        var_ignore="--ignore all"
     elif [ "$1" == "--token" ]; then
         shift
         var_token="$1"
@@ -41,12 +61,16 @@ while true; do
 done
 
 if [ -z $var_token ] && [ $var_mode != "--hybrid_mode" ]; then
-    echo "Error: Token was not provided as input argument."
-    exit 1
+    var_token=$(env | grep 'AGENT_TOKEN=' | cut -d'=' -f2-)
+    if  [ -z $var_token ]; then
+        echo "Error: Token was not provided as input argument."
+        exit 1
+    fi
 fi
 
 orchestration_service_installation_flags="--container_mode --skip_registration"
 if [ ! -z $var_token ]; then
+    export AGENT_TOKEN="$var_token"
     orchestration_service_installation_flags="$orchestration_service_installation_flags --token $var_token"
 fi
 if [ ! -z $var_fog_address ]; then
@@ -59,6 +83,9 @@ fi
 if [ ! -z $var_mode ]; then
     orchestration_service_installation_flags="$orchestration_service_installation_flags $var_mode"
 fi
+if [ ! -z "$var_ignore" ]; then
+    orchestration_service_installation_flags="$orchestration_service_installation_flags $var_ignore"
+fi
 
 
 /nano-service-installers/$ORCHESTRATION_INSTALLATION_SCRIPT --install $orchestration_service_installation_flags
@@ -71,6 +98,14 @@ fi
 /nano-service-installers/$CACHE_INSTALLATION_SCRIPT --install
 /nano-service-installers/$HTTP_TRANSACTION_HANDLER_SERVICE --install
 
+if [ "$PROMETHEUS" == "true" ]; then
+    /nano-service-installers/$PROMETHEUS_INSTALLATION_SCRIPT --install
+fi
+
+if [ "$CENTRAL_NGINX_MANAGER" == "true" ]; then
+    /nano-service-installers/$NGINX_CENTRAL_MANAGER_INSTALLATION_SCRIPT --install
+fi
+
 if [ "$CROWDSEC_ENABLED" == "true" ]; then
     /nano-service-installers/$INTELLIGENCE_INSTALLATION_SCRIPT --install
     /nano-service-installers/$CROWDSEC_INSTALLATION_SCRIPT --install
@@ -83,25 +118,16 @@ if [ -f "$FILE" ]; then
 fi
 
 touch /etc/cp/watchdog/wd.startup
+/etc/cp/watchdog/cp-nano-watchdog >/dev/null 2>&1 &
+active_watchdog_pid=$!
 while true; do
-    if [ -z "$init" ]; then
-        init=true
-        /etc/cp/watchdog/cp-nano-watchdog >/dev/null 2>&1 &
-        sleep 5
-        active_watchdog_pid=$(pgrep -f -x -o "/bin/bash /etc/cp/watchdog/cp-nano-watchdog")
-    fi
-
-    current_watchdog_pid=$(pgrep -f -x -o "/bin/bash /etc/cp/watchdog/cp-nano-watchdog")
-    if [ ! -f /tmp/restart_watchdog ] && [ "$current_watchdog_pid" != "$active_watchdog_pid" ]; then
-        echo "Error: Watchdog exited abnormally"
-        exit 1
-    elif [ -f /tmp/restart_watchdog ]; then
+    if [ -f /tmp/restart_watchdog ]; then
         rm -f /tmp/restart_watchdog
-        kill -9 "$(pgrep -f -x -o "/bin/bash /etc/cp/watchdog/cp-nano-watchdog")"
-        /etc/cp/watchdog/cp-nano-watchdog >/dev/null 2>&1 &
-        sleep 5
-        active_watchdog_pid=$(pgrep -f -x -o "/bin/bash /etc/cp/watchdog/cp-nano-watchdog")
+        kill -9 ${active_watchdog_pid}
+    fi
+    if [ ! "$(ps -f | grep cp-nano-watchdog | grep ${active_watchdog_pid})" ]; then
+        /etc/cp/watchdog/cp-nano-watchdog >/dev/null 2>&1 &
+        active_watchdog_pid=$!
     fi
-
     sleep 5
 done

components/CMakeLists.txt

@@ -1,11 +1,10 @@
-add_subdirectory(report_messaging)
 add_subdirectory(http_manager)
 add_subdirectory(signal_handler)
 add_subdirectory(gradual_deployment)
 add_subdirectory(packet)
 add_subdirectory(pending_key)
-add_subdirectory(health_check_manager)
 
 add_subdirectory(utils)
 add_subdirectory(attachment-intakers)
 add_subdirectory(security_apps)
+add_subdirectory(nginx_message_reader)

components/attachment-intakers/attachment_registrator/attachment_registrator.cc

@@ -39,6 +39,8 @@ USE_DEBUG_FLAG(D_ATTACHMENT_REGISTRATION);
 
 using namespace std;
 
+static const AlertInfo alert(AlertTeam::CORE, "attachment registrator");
+
 class AttachmentRegistrator::Impl
 {
 public:
@@ -163,7 +165,7 @@ private:
                 break;
             }
             default:
-                dbgAssert(false) << "Unsupported Attachment " << static_cast<int>(type);
+                dbgAssert(false) << alert << "Unsupported Attachment " << static_cast<int>(type);
         }
 
         if (!family_id.empty()) handler_path << family_id << "_";
@@ -175,7 +177,9 @@ private:
     string
     genRegCommand(const string &family_id, const uint num_of_members, const AttachmentType type) const
     {
-        dbgAssert(num_of_members > 0) << "Failed to generate a registration command for an empty group of attachments";
+        dbgAssert(num_of_members > 0)
+            << alert
+            << "Failed to generate a registration command for an empty group of attachments";
 
         static const string registration_format = "/etc/cp/watchdog/cp-nano-watchdog --register ";
         stringstream registration_command;
@@ -187,7 +191,7 @@ private:
                 break;
             }
             default:
-                dbgAssert(false) << "Unsupported Attachment " << static_cast<int>(type);
+                dbgAssert(false) << alert << "Unsupported Attachment " << static_cast<int>(type);
         }
 
         if (!family_id.empty()) registration_command << " --family " << family_id;
@@ -265,7 +269,7 @@ private:
             return -1;
         }
 
-        dbgAssert(new_socket.unpack() > 0) << "Generated socket is OK yet negative";
+        dbgAssert(new_socket.unpack() > 0) << alert << "Generated socket is OK yet negative";
         return new_socket.unpack();
     }
 
@@ -281,7 +285,7 @@ private:
         }
 
         I_Socket::socketFd client_socket = accepted_socket.unpack();
-        dbgAssert(client_socket > 0) << "Generated client socket is OK yet negative";
+        dbgAssert(client_socket > 0) << alert << "Generated client socket is OK yet negative";
         auto close_socket_on_exit = make_scope_exit([&]() { i_socket->closeSocket(client_socket); });
 
         Maybe<uint8_t> attachment_id = readNumericParam(client_socket);
@@ -375,7 +379,7 @@ private:
         }
 
         I_Socket::socketFd client_socket = accepted_socket.unpack();
-        dbgAssert(client_socket > 0) << "Generated client socket is OK yet negative";
+        dbgAssert(client_socket > 0) << alert << "Generated client socket is OK yet negative";
         auto close_socket_on_exit = make_scope_exit([&]() { i_socket->closeSocket(client_socket); });
 
         Maybe<AttachmentType> attachment_type = readAttachmentType(client_socket);

components/attachment-intakers/nginx_attachment/nginx_attachment.cc

@@ -31,10 +31,12 @@
 #include <stdarg.h>
 
 #include <boost/range/iterator_range.hpp>
+#include <boost/algorithm/string.hpp>
 #include <boost/regex.hpp>
 
 #include "nginx_attachment_config.h"
 #include "nginx_attachment_opaque.h"
+#include "generic_rulebase/evaluators/trigger_eval.h"
 #include "nginx_parser.h"
 #include "i_instance_awareness.h"
 #include "common.h"
@@ -76,6 +78,7 @@ using namespace std;
 using ChunkType = ngx_http_chunk_type_e;
 
 static const uint32_t corrupted_session_id = CORRUPTED_SESSION_ID;
+static const AlertInfo alert(AlertTeam::CORE, "nginx attachment");
 
 class FailopenModeListener : public Listener<FailopenModeEvent>
 {
@@ -128,6 +131,7 @@ class NginxAttachment::Impl
     Singleton::Provide<I_StaticResourcesHandler>::From<NginxAttachment>
 {
     static constexpr auto INSPECT = ngx_http_cp_verdict_e::TRAFFIC_VERDICT_INSPECT;
+    static constexpr auto LIMIT_RESPONSE_HEADERS = ngx_http_cp_verdict_e::LIMIT_RESPONSE_HEADERS;
     static constexpr auto ACCEPT = ngx_http_cp_verdict_e::TRAFFIC_VERDICT_ACCEPT;
     static constexpr auto DROP = ngx_http_cp_verdict_e::TRAFFIC_VERDICT_DROP;
     static constexpr auto INJECT = ngx_http_cp_verdict_e::TRAFFIC_VERDICT_INJECT;
@@ -259,6 +263,22 @@ public:
             );
         }
 
+        const char* ignored_headers_env = getenv("SAAS_IGNORED_UPSTREAM_HEADERS");
+        if (ignored_headers_env) {
+            string ignored_headers_str = ignored_headers_env;
+            ignored_headers_str = NGEN::Strings::trim(ignored_headers_str);
+
+            if (!ignored_headers_str.empty()) {
+                dbgInfo(D_HTTP_MANAGER)
+                    << "Ignoring SAAS_IGNORED_UPSTREAM_HEADERS environment variable: "
+                    << ignored_headers_str;
+
+                vector<string> ignored_headers_vec;
+                boost::split(ignored_headers_vec, ignored_headers_str, boost::is_any_of(";"));
+                for (const string &header : ignored_headers_vec) ignored_headers.insert(header);
+            }
+        }
+
         dbgInfo(D_NGINX_ATTACHMENT) << "Successfully initialized NGINX Attachment";
     }
 
@@ -410,7 +430,10 @@ private:
     bool
     registerAttachmentProcess(uint32_t nginx_user_id, uint32_t nginx_group_id, I_Socket::socketFd new_socket)
     {
-        dbgAssert(server_sock > 0) << "Registration attempt occurred while registration socket is uninitialized";
+        dbgAssert(server_sock > 0)
+        << alert
+        << "Registration attempt occurred while registration socket is uninitialized";
+
 #ifdef FAILURE_TEST
         bool did_fail_on_purpose = false;
 #endif
@@ -802,10 +825,10 @@ private:
         case ChunkType::HOLD_DATA:
             return "HOLD_DATA";
         case ChunkType::COUNT:
-            dbgAssert(false) << "Invalid 'COUNT' ChunkType";
+            dbgAssert(false) << alert << "Invalid 'COUNT' ChunkType";
             return "";
         }
-        dbgAssert(false) << "ChunkType was not handled by the switch case";
+        dbgAssert(false) << alert << "ChunkType was not handled by the switch case";
         return "";
     }
 
@@ -1030,7 +1053,11 @@ private:
             case ChunkType::REQUEST_START:
                 return handleStartTransaction(data, opaque);
             case ChunkType::REQUEST_HEADER:
-                return handleMultiModifiableChunks(NginxParser::parseRequestHeaders(data), "request header", true);
+                return handleMultiModifiableChunks(
+                    NginxParser::parseRequestHeaders(data, ignored_headers),
+                    "request header",
+                    true
+                );
             case ChunkType::REQUEST_BODY:
                 return handleModifiableChunk(NginxParser::parseRequestBody(data), "request body", true);
             case ChunkType::REQUEST_END: {
@@ -1121,17 +1148,29 @@ private:
     handleCustomWebResponse(
         SharedMemoryIPC *ipc,
         vector<const char *> &verdict_data,
-        vector<uint16_t> &verdict_data_sizes)
+        vector<uint16_t> &verdict_data_sizes,
+        string web_user_response_id)
     {
         ngx_http_cp_web_response_data_t web_response_data;
-
+        ScopedContext ctx;
+        if (web_user_response_id != "") {
+            dbgTrace(D_NGINX_ATTACHMENT)
+            << "web user response ID registered in contex: "
+            << web_user_response_id;
+            set<string> triggers_set{web_user_response_id};
+            ctx.registerValue<set<GenericConfigId>>(TriggerMatcher::ctx_key, triggers_set);
+        }
         WebTriggerConf web_trigger_conf = getConfigurationWithDefault<WebTriggerConf>(
             WebTriggerConf::default_trigger_conf,
             "rulebase",
             "webUserResponse"
         );
 
+        bool remove_event_id_param =
+            getProfileAgentSettingWithDefault<string>("false", "nginxAttachment.removeRedirectEventId") == "true";
+
         string uuid;
+        string redirectUrl;
         if (i_transaction_table->hasState<NginxAttachmentOpaque>()) {
             NginxAttachmentOpaque &opaque = i_transaction_table->getState<NginxAttachmentOpaque>();
             uuid = opaque.getSessionUUID();
@@ -1141,7 +1180,12 @@ private:
         if (web_trigger_conf.getDetailsLevel() == "Redirect") {
             web_response_data.response_data.redirect_data.redirect_location_size =
                 web_trigger_conf.getRedirectURL().size();
-            web_response_data.response_data.redirect_data.add_event_id = web_trigger_conf.getAddEventId() ? 1 : 0;
+            bool add_event = web_trigger_conf.getAddEventId();
+            if (add_event && !remove_event_id_param) {
+                web_response_data.response_data.redirect_data.redirect_location_size +=
+                    strlen("?event_id=") + uuid.size();
+            }
+            web_response_data.response_data.redirect_data.add_event_id = add_event ? 1 : 0;
             web_response_data.web_repsonse_type = static_cast<uint8_t>(ngx_web_response_type_e::REDIRECT_WEB_RESPONSE);
         } else {
             web_response_data.response_data.custom_response_data.title_size =
@@ -1155,8 +1199,13 @@ private:
         verdict_data_sizes.push_back(sizeof(ngx_http_cp_web_response_data_t));
 
         if (web_trigger_conf.getDetailsLevel() == "Redirect") {
-            verdict_data.push_back(reinterpret_cast<const char *>(web_trigger_conf.getRedirectURL().data()));
-            verdict_data_sizes.push_back(web_trigger_conf.getRedirectURL().size());
+            redirectUrl = web_trigger_conf.getRedirectURL();
+            if (!remove_event_id_param && web_trigger_conf.getAddEventId()) {
+                redirectUrl += "?event-id=" + uuid;
+            }
+
+            verdict_data.push_back(reinterpret_cast<const char *>(redirectUrl.data()));
+            verdict_data_sizes.push_back(redirectUrl.size());
         } else {
             verdict_data.push_back(reinterpret_cast<const char *>(web_trigger_conf.getResponseTitle().data()));
             verdict_data_sizes.push_back(web_trigger_conf.getResponseTitle().size());
@@ -1232,7 +1281,7 @@ private:
         if (verdict.getVerdict() == DROP) {
             nginx_attachment_event.addTrafficVerdictCounter(nginxAttachmentEvent::trafficVerdict::DROP);
             verdict_to_send.modification_count = 1;
-            return handleCustomWebResponse(ipc, verdict_fragments, fragments_sizes);
+            return handleCustomWebResponse(ipc, verdict_fragments, fragments_sizes, verdict.getWebUserResponseID());
         }
 
         if (verdict.getVerdict() == ACCEPT) {
@@ -1458,11 +1507,17 @@ private:
         opaque.activateContext();
 
         FilterVerdict verdict = handleChunkedData(*chunked_data_type, inspection_data, opaque);
-
         bool is_header =
             *chunked_data_type == ChunkType::REQUEST_HEADER  ||
             *chunked_data_type == ChunkType::RESPONSE_HEADER ||
             *chunked_data_type == ChunkType::CONTENT_LENGTH;
+
+        if (verdict.getVerdict() == LIMIT_RESPONSE_HEADERS) {
+            handleVerdictResponse(verdict, attachment_ipc, transaction_data->session_id, is_header);
+            popData(attachment_ipc);
+            verdict = FilterVerdict(INSPECT);
+        }
+
         handleVerdictResponse(verdict, attachment_ipc, transaction_data->session_id, is_header);
 
         bool is_final_verdict = verdict.getVerdict() == ACCEPT ||
@@ -1575,6 +1630,8 @@ private:
                 return "INJECT";
             case INSPECT:
                 return "INSPECT";
+            case LIMIT_RESPONSE_HEADERS:
+                return "LIMIT_RESPONSE_HEADERS";
             case IRRELEVANT:
                 return "IRRELEVANT";
             case RECONF:
@@ -1582,7 +1639,7 @@ private:
             case WAIT:
                 return "WAIT";
         }
-        dbgAssert(false) << "Invalid EventVerdict enum: " << static_cast<int>(verdict.getVerdict());
+        dbgAssert(false) << alert << "Invalid EventVerdict enum: " << static_cast<int>(verdict.getVerdict());
         return string();
     }
 
@@ -1633,13 +1690,14 @@ private:
             return false;
         }
 
-        dbgAssert(sock.unpack() > 0) << "The generated server socket is OK, yet negative";
+        dbgAssert(sock.unpack() > 0) << alert << "The generated server socket is OK, yet negative";
         server_sock = sock.unpack();
 
         I_MainLoop::Routine accept_attachment_routine =
             [this] ()
             {
                 dbgAssert(inst_awareness->getUniqueID().ok())
+                    << alert
                     << "NGINX attachment Initialized without Instance Awareness";
 
                 bool did_fail_on_purpose = false;
@@ -1652,7 +1710,7 @@ private:
                     << (did_fail_on_purpose ? "Intentional Failure" : new_sock.getErr());
                     return;
                 }
-                dbgAssert(new_sock.unpack() > 0) << "The generated client socket is OK, yet negative";
+                dbgAssert(new_sock.unpack() > 0) << alert << "The generated client socket is OK, yet negative";
                 I_Socket::socketFd new_attachment_socket = new_sock.unpack();
 
                 Maybe<string> uid = getUidFromSocket(new_attachment_socket);
@@ -1698,7 +1756,7 @@ private:
                 }
             };
         mainloop->addFileRoutine(
-            I_MainLoop::RoutineType::RealTime,
+            I_MainLoop::RoutineType::System,
             server_sock,
             accept_attachment_routine,
             "Nginx Attachment registration listener",
@@ -1711,7 +1769,9 @@ private:
     Maybe<string>
     getUidFromSocket(I_Socket::socketFd new_attachment_socket)
     {
-        dbgAssert(server_sock > 0) << "Registration attempt occurred while registration socket is uninitialized";
+        dbgAssert(server_sock > 0)
+            << alert
+            << "Registration attempt occurred while registration socket is uninitialized";
 
         bool did_fail_on_purpose = false;
         DELAY_IF_NEEDED(IntentionalFailureHandler::FailureType::ReceiveDataFromSocket);
@@ -1793,6 +1853,7 @@ private:
     HttpAttachmentConfig attachment_config;
     I_MainLoop::RoutineID attachment_routine_id = 0;
     bool traffic_indicator = false;
+    unordered_set<string> ignored_headers;
 
     // Interfaces
     I_Socket *i_socket                              = nullptr;

components/attachment-intakers/nginx_attachment/nginx_attachment_config.cc

@@ -42,6 +42,7 @@ HttpAttachmentConfig::init()
     setNumOfNginxIpcElements();
     setDebugByContextValues();
     setKeepAliveIntervalMsec();
+    setRetriesForVerdict();
 }
 
 bool
@@ -202,6 +203,13 @@ HttpAttachmentConfig::setFailOpenTimeout()
         "NGINX wait thread timeout msec"
     ));
 
+    conf_data.setNumericalValue("remove_server_header", getAttachmentConf<uint>(
+        0,
+        "agent.removeServerHeader.nginxModule",
+        "HTTP manager",
+        "Response server header removal"
+    ));
+
     uint inspection_mode = getAttachmentConf<uint>(
         static_cast<uint>(ngx_http_inspection_mode_e::NON_BLOCKING_THREAD),
         "agent.inspectionMode.nginxModule",
@@ -215,6 +223,46 @@ HttpAttachmentConfig::setFailOpenTimeout()
     conf_data.setNumericalValue("nginx_inspection_mode", inspection_mode);
 }
 
+void
+HttpAttachmentConfig::setRetriesForVerdict()
+{
+    conf_data.setNumericalValue("min_retries_for_verdict", getAttachmentConf<uint>(
+        3,
+        "agent.minRetriesForVerdict.nginxModule",
+        "HTTP manager",
+        "Min retries for verdict"
+    ));
+
+    conf_data.setNumericalValue("max_retries_for_verdict", getAttachmentConf<uint>(
+        15,
+        "agent.maxRetriesForVerdict.nginxModule",
+        "HTTP manager",
+        "Max retries for verdict"
+    ));
+
+    conf_data.setNumericalValue("hold_verdict_retries", getAttachmentConf<uint>(
+        3,
+        "agent.retriesForHoldVerdict.nginxModule",
+        "HTTP manager",
+        "Retries for hold verdict"
+    ));
+
+    conf_data.setNumericalValue("hold_verdict_polling_time", getAttachmentConf<uint>(
+        1,
+        "agent.holdVerdictPollingInterval.nginxModule",
+        "HTTP manager",
+        "Hold verdict polling interval seconds"
+    ));
+
+
+    conf_data.setNumericalValue("body_size_trigger", getAttachmentConf<uint>(
+        200000,
+        "agent.reqBodySizeTrigger.nginxModule",
+        "HTTP manager",
+        "Request body size trigger"
+    ));
+}
+
 void
 HttpAttachmentConfig::setFailOpenWaitMode()
 {

components/attachment-intakers/nginx_attachment/nginx_attachment_config.h

@@ -70,6 +70,8 @@ private:
 
     void setDebugByContextValues();
 
+    void setRetriesForVerdict();
+
     WebTriggerConf web_trigger_conf;
     HttpAttachmentConfiguration conf_data;
 };

components/attachment-intakers/nginx_attachment/nginx_attachment_opaque.cc

@@ -19,12 +19,15 @@
 
 #include "config.h"
 #include "virtual_modifiers.h"
+#include "agent_core_utilities.h"
 
 using namespace std;
 using namespace boost::uuids;
 
 USE_DEBUG_FLAG(D_HTTP_MANAGER);
 
+extern bool is_keep_alive_ctx;
+
 NginxAttachmentOpaque::NginxAttachmentOpaque(HttpTransactionData _transaction_data)
         :
     TableOpaqueSerialize<NginxAttachmentOpaque>(this),
@@ -67,6 +70,12 @@ NginxAttachmentOpaque::NginxAttachmentOpaque(HttpTransactionData _transaction_da
         ctx.registerValue(HttpTransactionData::uri_query_decoded, decoded_url.substr(question_mark_location + 1));
     }
     ctx.registerValue(HttpTransactionData::uri_path_decoded, decoded_url);
+
+    // Register waf_tag from transaction data if available
+    const std::string& waf_tag = transaction_data.getWafTag();
+    if (!waf_tag.empty()) {
+        ctx.registerValue(HttpTransactionData::waf_tag_ctx, waf_tag);
+    }
 }
 
 NginxAttachmentOpaque::~NginxAttachmentOpaque()
@@ -119,3 +128,47 @@ NginxAttachmentOpaque::setSavedData(const string &name, const string &data, EnvK
     saved_data[name] = data;
     ctx.registerValue(name, data, log_ctx);
 }
+
+bool
+NginxAttachmentOpaque::setKeepAliveCtx(const string &hdr_key, const string &hdr_val)
+{
+    if (!is_keep_alive_ctx) return false;
+
+    static pair<string, string> keep_alive_hdr;
+    static bool keep_alive_hdr_initialized = false;
+
+    if (keep_alive_hdr_initialized) {
+        if (!keep_alive_hdr.first.empty() && hdr_key == keep_alive_hdr.first && hdr_val == keep_alive_hdr.second) {
+            dbgTrace(D_HTTP_MANAGER) << "Registering keep alive context";
+            ctx.registerValue("keep_alive_request_ctx", true);
+            return true;
+        }
+        return false;
+    }
+
+    const char* saas_keep_alive_hdr_name_env = getenv("SAAS_KEEP_ALIVE_HDR_NAME");
+    if (saas_keep_alive_hdr_name_env) {
+        keep_alive_hdr.first = NGEN::Strings::trim(saas_keep_alive_hdr_name_env);
+        dbgInfo(D_HTTP_MANAGER) << "Using SAAS_KEEP_ALIVE_HDR_NAME environment variable: " << keep_alive_hdr.first;
+    }
+
+    if (!keep_alive_hdr.first.empty()) {
+        const char* saas_keep_alive_hdr_value_env = getenv("SAAS_KEEP_ALIVE_HDR_VALUE");
+        if (saas_keep_alive_hdr_value_env) {
+            keep_alive_hdr.second = NGEN::Strings::trim(saas_keep_alive_hdr_value_env);
+            dbgInfo(D_HTTP_MANAGER)
+                << "Using SAAS_KEEP_ALIVE_HDR_VALUE environment variable: "
+                << keep_alive_hdr.second;
+        }
+
+        if (!keep_alive_hdr.second.empty() && (hdr_key == keep_alive_hdr.first && hdr_val == keep_alive_hdr.second)) {
+            dbgTrace(D_HTTP_MANAGER) << "Registering keep alive context";
+            ctx.registerValue("keep_alive_request_ctx", true);
+            keep_alive_hdr_initialized = true;
+            return true;
+        }
+    }
+
+    keep_alive_hdr_initialized = true;
+    return false;
+}

components/attachment-intakers/nginx_attachment/nginx_attachment_opaque.h

@@ -85,6 +85,7 @@ public:
         EnvKeyAttr::LogSection log_ctx = EnvKeyAttr::LogSection::NONE
     );
     void setApplicationState(const ApplicationState &app_state) { application_state = app_state; }
+    bool setKeepAliveCtx(const std::string &hdr_key, const std::string &hdr_val);
 
 private:
     CompressionStream       *response_compression_stream;

components/attachment-intakers/nginx_attachment/nginx_parser.cc

@@ -29,6 +29,7 @@ USE_DEBUG_FLAG(D_NGINX_ATTACHMENT_PARSER);
 Buffer NginxParser::tenant_header_key = Buffer();
 static const Buffer proxy_ip_header_key("X-Forwarded-For", 15, Buffer::MemoryType::STATIC);
 static const Buffer source_ip("sourceip", 8, Buffer::MemoryType::STATIC);
+bool is_keep_alive_ctx = getenv("SAAS_KEEP_ALIVE_HDR_NAME") != nullptr;
 
 map<Buffer, CompressionType> NginxParser::content_encodings = {
     {Buffer("identity"), CompressionType::NO_COMPRESSION},
@@ -177,37 +178,70 @@ getActivetenantAndProfile(const string &str, const string &deli = ",")
 }
 
 Maybe<vector<HttpHeader>>
-NginxParser::parseRequestHeaders(const Buffer &data)
+NginxParser::parseRequestHeaders(const Buffer &data, const unordered_set<string> &ignored_headers)
 {
-    auto parsed_headers = genHeaders(data);
-    if (!parsed_headers.ok()) return parsed_headers.passErr();
+    auto maybe_parsed_headers = genHeaders(data);
+    if (!maybe_parsed_headers.ok()) return maybe_parsed_headers.passErr();
 
     auto i_transaction_table = Singleton::Consume<I_TableSpecific<SessionID>>::by<NginxAttachment>();
+    auto parsed_headers = maybe_parsed_headers.unpack();
+    NginxAttachmentOpaque &opaque = i_transaction_table->getState<NginxAttachmentOpaque>();
 
-    for (const HttpHeader &header : *parsed_headers) {
+    if (is_keep_alive_ctx || !ignored_headers.empty()) {
+        bool is_last_header_removed = false;
+        parsed_headers.erase(
+            remove_if(
+                parsed_headers.begin(),
+                parsed_headers.end(),
+                [&opaque, &is_last_header_removed, &ignored_headers](const HttpHeader &header)
+                {
+                    string hdr_key = static_cast<string>(header.getKey());
+                    string hdr_val = static_cast<string>(header.getValue());
+                    if (
+                        opaque.setKeepAliveCtx(hdr_key, hdr_val)
+                        || ignored_headers.find(hdr_key) != ignored_headers.end()
+                    ) {
+                        dbgTrace(D_NGINX_ATTACHMENT_PARSER) << "Header was removed from headers list: " << hdr_key;
+                        if (header.isLastHeader()) {
+                            dbgTrace(D_NGINX_ATTACHMENT_PARSER) << "Last header was removed from headers list";
+                            is_last_header_removed = true;
+                        }
+                        return true;
+                    }
+                    return false;
+                }
+            ),
+            parsed_headers.end()
+        );
+        if (is_last_header_removed) {
+            dbgTrace(D_NGINX_ATTACHMENT_PARSER) << "Adjusting last header flag";
+            if (!parsed_headers.empty()) parsed_headers.back().setIsLastHeader();
+        }
+    }
+
+    for (const HttpHeader &header : parsed_headers) {
         auto source_identifiers = getConfigurationWithDefault<UsersAllIdentifiersConfig>(
             UsersAllIdentifiersConfig(),
             "rulebase",
             "usersIdentifiers"
         );
         source_identifiers.parseRequestHeaders(header);
-
-        NginxAttachmentOpaque &opaque = i_transaction_table->getState<NginxAttachmentOpaque>();
         opaque.addToSavedData(
             HttpTransactionData::req_headers,
             static_cast<string>(header.getKey()) + ": " + static_cast<string>(header.getValue()) + "\r\n"
         );
 
-        if (NginxParser::tenant_header_key == header.getKey()) {
+        const auto &header_key = header.getKey();
+        if (NginxParser::tenant_header_key == header_key) {
             dbgDebug(D_NGINX_ATTACHMENT_PARSER)
                 << "Identified active tenant header. Key: "
-                << dumpHex(header.getKey())
+                << dumpHex(header_key)
                 << ", Value: "
                 << dumpHex(header.getValue());
 
             auto active_tenant_and_profile = getActivetenantAndProfile(header.getValue());
             opaque.setSessionTenantAndProfile(active_tenant_and_profile[0], active_tenant_and_profile[1]);
-        } else if (proxy_ip_header_key == header.getKey()) {
+        } else if (proxy_ip_header_key == header_key) {
             source_identifiers.setXFFValuesToOpaqueCtx(header, UsersAllIdentifiersConfig::ExtractType::PROXYIP);
         }
     }
@@ -345,12 +379,15 @@ NginxParser::parseResponseBody(const Buffer &raw_response_body, CompressionStrea
 Maybe<CompressionType>
 NginxParser::parseContentEncoding(const vector<HttpHeader> &headers)
 {
-    static const Buffer content_encoding_header_key("Content-Encoding");
+    dbgFlow(D_NGINX_ATTACHMENT_PARSER) << "Parsing \"Content-Encoding\" header";
+    static const Buffer content_encoding_header_key("content-encoding");
 
     auto it = find_if(
         headers.begin(),
         headers.end(),
-        [&] (const HttpHeader &http_header) { return http_header.getKey() == content_encoding_header_key; }
+        [&] (const HttpHeader &http_header) {
+            return http_header.getKey().isEqualLowerCase(content_encoding_header_key);
+        }
     );
     if (it == headers.end()) {
         dbgTrace(D_NGINX_ATTACHMENT_PARSER)

components/attachment-intakers/nginx_attachment/nginx_parser.h

@@ -28,7 +28,10 @@ public:
     static Maybe<HttpTransactionData> parseStartTrasaction(const Buffer &data);
     static Maybe<ResponseCode> parseResponseCode(const Buffer &data);
     static Maybe<uint64_t> parseContentLength(const Buffer &data);
-    static Maybe<std::vector<HttpHeader>> parseRequestHeaders(const Buffer &data);
+    static Maybe<std::vector<HttpHeader>> parseRequestHeaders(
+        const Buffer &data,
+        const std::unordered_set<std::string> &ignored_headers
+    );
     static Maybe<std::vector<HttpHeader>> parseResponseHeaders(const Buffer &data);
     static Maybe<HttpBody> parseRequestBody(const Buffer &data);
     static Maybe<HttpBody> parseResponseBody(const Buffer &raw_response_body, CompressionStream *compression_stream);

components/attachment-intakers/nginx_attachment/user_identifiers_config.cc

@@ -282,21 +282,39 @@ isIpTrusted(const string &value, const vector<CIDRSData> &cidr_values)
 }
 
 Maybe<string>
-UsersAllIdentifiersConfig::parseXForwardedFor(const string &str) const
+UsersAllIdentifiersConfig::parseXForwardedFor(const string &str, ExtractType type) const
 {
     vector<string> header_values = split(str);
-
     if (header_values.empty()) return genError("No IP found in the xff header list");
 
     vector<string> xff_values = getHeaderValuesFromConfig("x-forwarded-for");
     vector<CIDRSData> cidr_values(xff_values.begin(), xff_values.end());
+    string last_valid_ip;
 
-    for (const string &value : header_values) {
-        if (!IPAddr::createIPAddr(value).ok()) {
-            dbgWarning(D_NGINX_ATTACHMENT_PARSER) << "Invalid IP address found in the xff header IPs list: " << value;
-            return genError("Invalid IP address");
+    for (auto it = header_values.rbegin(); it != header_values.rend() - 1; ++it) {
+        if (!IPAddr::createIPAddr(*it).ok()) {
+            dbgWarning(D_NGINX_ATTACHMENT_PARSER) << "Invalid IP address found in the xff header IPs list: " << *it;
+            if (last_valid_ip.empty()) {
+                return genError("Invalid IP address");
+            }
+            return last_valid_ip;
         }
-        if (!isIpTrusted(value, cidr_values)) return genError("Untrusted Ip found");
+        last_valid_ip = *it;
+        if (type == ExtractType::PROXYIP) continue;
+        if (!isIpTrusted(*it, cidr_values)) {
+            dbgDebug(D_NGINX_ATTACHMENT_PARSER) << "Found untrusted IP in the xff header IPs list: " << *it;
+            return *it;
+        }
+    }
+
+    if (!IPAddr::createIPAddr(header_values[0]).ok()) {
+        dbgWarning(D_NGINX_ATTACHMENT_PARSER)
+            << "Invalid IP address found in the xff header IPs list: "
+            << header_values[0];
+        if (last_valid_ip.empty()) {
+            return genError("No Valid Ip address was found");
+        }
+        return last_valid_ip;
     }
 
     return header_values[0];
@@ -306,22 +324,28 @@ UsersAllIdentifiersConfig::parseXForwardedFor(const string &str) const
 void
 UsersAllIdentifiersConfig::setXFFValuesToOpaqueCtx(const HttpHeader &header, ExtractType type) const
 {
-    auto value = parseXForwardedFor(header.getValue());
+    auto i_transaction_table = Singleton::Consume<I_TableSpecific<SessionID>>::by<NginxAttachment>();
+    if (!i_transaction_table || !i_transaction_table->hasState<NginxAttachmentOpaque>()) {
+        dbgTrace(D_NGINX_ATTACHMENT_PARSER) << "Can't get the transaction table";
+        return;
+    }
+    NginxAttachmentOpaque &opaque = i_transaction_table->getState<NginxAttachmentOpaque>();
+    auto value = parseXForwardedFor(header.getValue(), type);
     if (!value.ok()) {
         dbgTrace(D_NGINX_ATTACHMENT_PARSER) << "Could not extract source identifier from X-Forwarded-For header";
         return;
     };
-    auto i_transaction_table = Singleton::Consume<I_TableSpecific<SessionID>>::by<NginxAttachment>();
-    if (!i_transaction_table || !i_transaction_table->hasState<NginxAttachmentOpaque>()) {
-        dbgDebug(D_NGINX_ATTACHMENT_PARSER) << "Can't get the transaction table";
-        return;
-    }
-    NginxAttachmentOpaque &opaque = i_transaction_table->getState<NginxAttachmentOpaque>();
+
     if (type == ExtractType::SOURCEIDENTIFIER) {
         opaque.setSourceIdentifier(header.getKey(), value.unpack());
         dbgDebug(D_NGINX_ATTACHMENT_PARSER)
-            << "Added source identifir to XFF "
+            << "Added source identifier from XFF header"
             <<  value.unpack();
+        opaque.setSavedData(HttpTransactionData::xff_vals_ctx, header.getValue());
+        opaque.setSavedData(HttpTransactionData::source_identifier, value.unpack());
+        dbgTrace(D_NGINX_ATTACHMENT_PARSER)
+            << "XFF found, set ctx with value from header: "
+            << static_cast<string>(header.getValue());
     } else {
         opaque.setSavedData(HttpTransactionData::proxy_ip_ctx, value.unpack());
     }
@@ -342,6 +366,24 @@ UsersAllIdentifiersConfig::setCustomHeaderToOpaqueCtx(const HttpHeader &header)
     return;
 }
 
+void
+UsersAllIdentifiersConfig::setWafTagValuesToOpaqueCtx(const HttpHeader &header) const
+{
+    auto i_transaction_table = Singleton::Consume<I_TableSpecific<SessionID>>::by<NginxAttachment>();
+    if (!i_transaction_table || !i_transaction_table->hasState<NginxAttachmentOpaque>()) {
+        dbgDebug(D_NGINX_ATTACHMENT_PARSER) << "Can't get the transaction table";
+        return;
+    }
+
+    NginxAttachmentOpaque &opaque = i_transaction_table->getState<NginxAttachmentOpaque>();
+    opaque.setSavedData(HttpTransactionData::waf_tag_ctx, static_cast<string>(header.getValue()));
+
+    dbgDebug(D_NGINX_ATTACHMENT_PARSER)
+        << "Added waf tag to context: "
+        <<  static_cast<string>(header.getValue());
+    return;
+}
+
 Maybe<string>
 UsersAllIdentifiersConfig::parseCookieElement(
     const string::const_iterator &start,

components/generic_rulebase/assets_config.cc

@@ -1,137 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "generic_rulebase/assets_config.h"
-
-#include <string>
-#include <algorithm>
-#include <unordered_map>
-
-#include "generic_rulebase/generic_rulebase_utils.h"
-#include "config.h"
-#include "debug.h"
-#include "ip_utilities.h"
-
-USE_DEBUG_FLAG(D_RULEBASE_CONFIG);
-
-using namespace std;
-
-void
-RuleAsset::load(cereal::JSONInputArchive &archive_in)
-{
-    archive_in(cereal::make_nvp("assetId", asset_id));
-    archive_in(cereal::make_nvp("assetName", asset_name));
-    archive_in(cereal::make_nvp("assetUrls", asset_urls));
-
-    dbgWarning(D_RULEBASE_CONFIG) << "Adding asset with UID: " << asset_id;
-}
-
-void
-RuleAsset::AssetUrl::load(cereal::JSONInputArchive &archive_in)
-{
-    archive_in(cereal::make_nvp("protocol", protocol));
-    transform(protocol.begin(), protocol.end(), protocol.begin(), [](unsigned char c) { return tolower(c); });
-
-    archive_in(cereal::make_nvp("ip", ip));
-    archive_in(cereal::make_nvp("port", port));
-
-    int value;
-    if (protocol == "*") {
-        is_any_proto = true;
-    } else {
-        is_any_proto = false;
-        try {
-            value = 0;
-            if(protocol == "udp") value = IPPROTO_UDP;
-            if(protocol == "tcp") value = IPPROTO_TCP;
-            if(protocol == "dccp") value = IPPROTO_DCCP;
-            if(protocol == "sctp") value = IPPROTO_SCTP;
-            if(protocol == "icmp") value = IPPROTO_ICMP;
-            if(protocol == "icmpv6") value = IPPROTO_ICMP;
-
-            if (value > static_cast<int>(UINT8_MAX) || value < 0) {
-                dbgWarning(D_RULEBASE_CONFIG)
-                    << "provided value is not a legal IP protocol number. Value: "
-                    << protocol;
-            } else {
-                parsed_proto = value;
-            }
-        } catch (...) {
-            dbgWarning(D_RULEBASE_CONFIG) << "provided value is not a legal IP protocol. Value: " << protocol;
-        }
-    }
-
-    if (port == "*") {
-        is_any_port = true;
-    } else {
-        is_any_port = false;
-        try {
-            value = stoi(port);
-            if (value > static_cast<int>(UINT16_MAX) || value < 0) {
-                dbgWarning(D_RULEBASE_CONFIG) << "provided value is not a legal port number. Value: " << port;
-            } else {
-                parsed_port = value;
-            }
-        } catch (...) {
-            dbgWarning(D_RULEBASE_CONFIG) << "provided value is not a legal port. Value: " << port;
-        }
-    }
-
-    if (ip == "*") {
-        is_any_ip = true;
-    } else {
-        is_any_ip = false;
-        auto ip_addr = IPAddr::createIPAddr(ip);
-        if (!ip_addr.ok()) {
-            dbgWarning(D_RULEBASE_CONFIG) << "Could not create IP address. Error: " << ip_addr.getErr();
-        } else {
-            parsed_ip = ConvertToIpAddress(ip_addr.unpackMove());
-        }
-    }
-}
-
-IpAddress
-RuleAsset::AssetUrl::ConvertToIpAddress(const IPAddr &addr)
-{
-    IpAddress address;
-    switch (addr.getType()) {
-        case IPType::UNINITIALIZED: {
-            address.addr4_t = {0};
-            address.ip_type = IP_VERSION_ANY;
-            break;
-        }
-        case IPType::V4: {
-            address.addr4_t = addr.getIPv4();
-            address.ip_type = IP_VERSION_4;
-            break;
-        }
-        case IPType::V6: {
-            address.addr6_t = addr.getIPv6();
-            address.ip_type = IP_VERSION_6;
-            break;
-        }
-        default:
-            address.addr4_t = {0};
-            address.ip_type = IP_VERSION_ANY;
-            dbgWarning(D_RULEBASE_CONFIG) << "Unsupported IP type: " << static_cast<int>(addr.getType());
-    }
-    return address;
-}
-
-const Assets Assets::empty_assets_config = Assets();
-
-void
-Assets::preload()
-{
-    registerExpectedSetting<Assets>("rulebase", "usedAssets");
-}

components/generic_rulebase/evaluators/asset_eval.cc

@@ -1,52 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "generic_rulebase/evaluators/asset_eval.h"
-
-#include <vector>
-#include <string>
-
-#include "generic_rulebase/assets_config.h"
-#include "config.h"
-#include "debug.h"
-
-using namespace std;
-
-USE_DEBUG_FLAG(D_RULEBASE_CONFIG);
-
-string AssetMatcher::ctx_key = "asset_id";
-
-AssetMatcher::AssetMatcher(const vector<string> &params)
-{
-    if (params.size() != 1) reportWrongNumberOfParams(AssetMatcher::getName(), params.size(), 1, 1);
-    asset_id = params[0];
-}
-
-Maybe<bool, Context::Error>
-AssetMatcher::evalVariable() const
-{
-    I_Environment *env = Singleton::Consume<I_Environment>::by<AssetMatcher>();
-    auto bc_asset_id_ctx = env->get<GenericConfigId>(AssetMatcher::ctx_key);
-
-    if (bc_asset_id_ctx.ok()) {
-        dbgTrace(D_RULEBASE_CONFIG)
-            << "Asset ID: "
-            << asset_id
-            << "; Current set assetId context: "
-            << *bc_asset_id_ctx;
-    } else {
-        dbgTrace(D_RULEBASE_CONFIG) << "Asset ID: " << asset_id << ". Empty context";
-    }
-
-    return bc_asset_id_ctx.ok() && *bc_asset_id_ctx == asset_id;
-}

components/generic_rulebase/evaluators/connection_eval.cc

@@ -1,299 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "generic_rulebase/evaluators/connection_eval.h"
-
-#include <vector>
-#include <string>
-
-#include "generic_rulebase/rulebase_config.h"
-#include "config.h"
-#include "debug.h"
-#include "ip_utilities.h"
-
-using namespace std;
-USE_DEBUG_FLAG(D_RULEBASE_CONFIG);
-
-string IpAddressMatcher::ctx_key = "ipAddress";
-string SourceIpMatcher::ctx_key = "sourceIP";
-string DestinationIpMatcher::ctx_key = "destinationIP";
-string SourcePortMatcher::ctx_key = "sourcePort";
-string ListeningPortMatcher::ctx_key = "listeningPort";
-string IpProtocolMatcher::ctx_key = "ipProtocol";
-string UrlMatcher::ctx_key = "url";
-
-Maybe<IPAddr>
-getIpAddrFromEnviroment(I_Environment *env, Context::MetaDataType enum_data_type, const string &str_data_type)
-{
-    auto ip_str = env->get<string>(enum_data_type);
-    if (!ip_str.ok()) {
-        dbgWarning(D_RULEBASE_CONFIG) << "Failed to get " << str_data_type << " from the enviroment.";
-        return genError("Failed to get " + str_data_type + " from the enviroment.");
-    }
-    return IPAddr::createIPAddr(ip_str.unpack());
-}
-
-bool
-checkIfIpInRangesVec(const vector<CustomRange<IPAddr>> &values, const IPAddr &ip_to_check)
-{
-    if (values.size() == 0) {
-        dbgTrace(D_RULEBASE_CONFIG) << "Ip addersses vector empty. Match is true.";
-        return true;
-    }
-    for (const CustomRange<IPAddr> &range : values) {
-        if (range.contains(ip_to_check)) {
-            dbgTrace(D_RULEBASE_CONFIG) << "Ip adderss matched: " << ip_to_check;
-            return true;
-        }
-    }
-    dbgTrace(D_RULEBASE_CONFIG) << "Ip adderss not match: " << ip_to_check;
-    return false;
-}
-
-
-IpAddressMatcher::IpAddressMatcher(const vector<string> &params)
-{
-    for (const string &param : params) {
-        Maybe<CustomRange<IPAddr>> ip_range = CustomRange<IPAddr>::createRange(param);
-        if (!ip_range.ok()) {
-            dbgWarning(D_RULEBASE_CONFIG) << "Failed to create ip. Error: " + ip_range.getErr();
-            continue;
-        }
-        values.push_back(ip_range.unpack());
-    }
-}
-
-Maybe<bool, Context::Error>
-IpAddressMatcher::evalVariable() const
-{
-    I_Environment *env = Singleton::Consume<I_Environment>::by<IpAddressMatcher>();
-    Maybe<IPAddr> subject_ip = getIpAddrFromEnviroment(
-        env,
-        Context::MetaDataType::SubjectIpAddr,
-        "subject ip address"
-    );
-    if (subject_ip.ok() && checkIfIpInRangesVec(values, subject_ip.unpack())) return true;
-
-    Maybe<IPAddr> other_ip = getIpAddrFromEnviroment(
-        env,
-        Context::MetaDataType::OtherIpAddr,
-        "other ip address"
-    );
-    if (other_ip.ok() && checkIfIpInRangesVec(values, other_ip.unpack())) return true;
-    if (!subject_ip.ok() && !other_ip.ok()) {
-        dbgWarning(D_RULEBASE_CONFIG) << "Error in getting subject ip and other ip from the enviroment";
-        return false;
-    }
-    dbgTrace(D_RULEBASE_CONFIG) << "Ip adderss didn't match";
-    return false;
-}
-
-SourceIpMatcher::SourceIpMatcher(const vector<string> &params)
-{
-    for (const string &param : params) {
-        Maybe<CustomRange<IPAddr>> ip_range = CustomRange<IPAddr>::createRange(param);
-        if (!ip_range.ok()) {
-            dbgWarning(D_RULEBASE_CONFIG) << "Failed to create source ip. Error: " + ip_range.getErr();
-            continue;
-        }
-        values.push_back(ip_range.unpack());
-    }
-}
-
-Maybe<bool, Context::Error>
-SourceIpMatcher::evalVariable() const
-{
-    I_Environment *env = Singleton::Consume<I_Environment>::by<SourceIpMatcher>();
-    auto direction_maybe = env->get<string>(Context::MetaDataType::Direction);
-    if (!direction_maybe.ok()) {
-        dbgWarning(D_RULEBASE_CONFIG) << "Failed to get direction from the enviroment.";
-        return false;
-    }
-    string direction = direction_maybe.unpack();
-    if (direction == "incoming") {
-        Maybe<IPAddr> other_ip = getIpAddrFromEnviroment(
-            env,
-            Context::MetaDataType::OtherIpAddr,
-            "other ip address"
-        );
-        return other_ip.ok() && checkIfIpInRangesVec(values, other_ip.unpack());
-    } else if (direction == "outgoing") {
-        Maybe<IPAddr> subject_ip = getIpAddrFromEnviroment(
-            env,
-            Context::MetaDataType::SubjectIpAddr,
-            "subject ip address"
-        );
-        return subject_ip.ok() && checkIfIpInRangesVec(values, subject_ip.unpack());
-    }
-    dbgTrace(D_RULEBASE_CONFIG) << "Source ip adderss didn't match";
-    return false;
-}
-
-DestinationIpMatcher::DestinationIpMatcher(const vector<string> &params)
-{
-    for (const string &param : params) {
-        Maybe<CustomRange<IPAddr>> ip_range = CustomRange<IPAddr>::createRange(param);
-        if (!ip_range.ok()) {
-            dbgWarning(D_RULEBASE_CONFIG) << "Failed to create destination ip. Error: " + ip_range.getErr();
-            continue;
-        }
-        values.push_back(ip_range.unpack());
-    }
-}
-
-Maybe<bool, Context::Error>
-DestinationIpMatcher::evalVariable() const
-{
-    I_Environment *env = Singleton::Consume<I_Environment>::by<DestinationIpMatcher>();
-    auto direction_maybe = env->get<string>(Context::MetaDataType::Direction);
-    if (!direction_maybe.ok()) {
-        dbgWarning(D_RULEBASE_CONFIG) << "Failed to get direction.";
-        return false;
-    }
-    string direction = direction_maybe.unpack();
-    if (direction == "outgoing") {
-        Maybe<IPAddr> other_ip = getIpAddrFromEnviroment(
-            env,
-            Context::MetaDataType::OtherIpAddr,
-            "other ip address"
-        );
-        return other_ip.ok() && checkIfIpInRangesVec(values, other_ip.unpack());
-    } else if (direction == "incoming") {
-        Maybe<IPAddr> subject_ip = getIpAddrFromEnviroment(
-            env,
-            Context::MetaDataType::SubjectIpAddr,
-            "subject ip address"
-        );
-        return subject_ip.ok() && checkIfIpInRangesVec(values, subject_ip.unpack());
-    }
-    dbgTrace(D_RULEBASE_CONFIG) << "Destination ip adderss didn't match";
-    return false;
-}
-
-SourcePortMatcher::SourcePortMatcher(const vector<string> &params)
-{
-    for (const string &param : params) {
-        Maybe<CustomRange<PortNumber>> port_range = CustomRange<PortNumber>::createRange(param);
-        if (!port_range.ok()) {
-            dbgWarning(D_RULEBASE_CONFIG) << "Failed to create source port.";
-            continue;
-        }
-        values.push_back(port_range.unpack());
-    }
-}
-
-Maybe<bool, Context::Error>
-SourcePortMatcher::evalVariable() const
-{
-    dbgTrace(D_RULEBASE_CONFIG) << "Source is not a match";
-    return false;
-}
-
-
-ListeningPortMatcher::ListeningPortMatcher(const vector<string> &params)
-{
-    for (const string &param : params) {
-        Maybe<CustomRange<PortNumber>> port_range = CustomRange<PortNumber>::createRange(param);
-        if (!port_range.ok()) {
-            dbgWarning(D_RULEBASE_CONFIG) << "Failed to create listening port range.";
-            continue;
-        }
-        values.push_back(port_range.unpack());
-    }
-}
-
-Maybe<bool, Context::Error>
-ListeningPortMatcher::evalVariable() const
-{
-    I_Environment *env = Singleton::Consume<I_Environment>::by<ListeningPortMatcher>();
-    auto port_str = env->get<string>(Context::MetaDataType::Port);
-    if (!port_str.ok()) {
-        dbgWarning(D_RULEBASE_CONFIG) << "Failed to get port from the enviroment.";
-        return false;
-    }
-    PortNumber port;
-    if (ConnKeyUtil::fromString(port_str.unpack(), port)) {
-        if (values.size() == 0) return true;
-        for (const CustomRange<PortNumber> &port_range : values) {
-            if (port_range.contains(port)) {
-                dbgTrace(D_RULEBASE_CONFIG) << "Listening port is a match. Value: " << port_str.unpack();
-                return true;
-            }
-        }
-    }
-    dbgTrace(D_RULEBASE_CONFIG) << "Listening port is not a match. Value: " << port_str.unpack();
-    return false;
-}
-
-IpProtocolMatcher::IpProtocolMatcher(const vector<string> &params)
-{
-    for (const string &param : params) {
-        Maybe<CustomRange<IPProto>> proto_range = CustomRange<IPProto>::createRange(param);
-        if (!proto_range.ok()) {
-            dbgWarning(D_RULEBASE_CONFIG) << "Failed to create ip protocol.";
-            continue;
-        }
-        values.push_back(proto_range.unpack());
-    }
-}
-
-Maybe<bool, Context::Error>
-IpProtocolMatcher::evalVariable() const
-{
-    I_Environment *env = Singleton::Consume<I_Environment>::by<IpProtocolMatcher>();
-    auto proto_str = env->get<string>(Context::MetaDataType::Protocol);
-    if (!proto_str.ok()) {
-        dbgWarning(D_RULEBASE_CONFIG) << "Failed to get ip protocol from the enviroment.";
-        return false;
-    }
-    IPProto protocol;
-    if (ConnKeyUtil::fromString(proto_str.unpack(), protocol)) {
-        if (values.size() == 0) return true;
-        for (const CustomRange<IPProto> &proto_range : values) {
-            if (proto_range.contains(protocol)) {
-                dbgTrace(D_RULEBASE_CONFIG) << "Ip protocol is a match. Value: " << proto_str.unpack();
-                return true;
-            }
-        }
-    }
-    dbgTrace(D_RULEBASE_CONFIG) << "Source port is not a match. Value: " << proto_str.unpack();
-    return false;
-}
-
-UrlMatcher::UrlMatcher(const vector<string> &params) : values(params) {}
-
-Maybe<bool, Context::Error>
-UrlMatcher::evalVariable() const
-{
-    I_Environment *env = Singleton::Consume<I_Environment>::by<UrlMatcher>();
-    auto curr_url_ctx = env->get<string>(Context::MetaDataType::Url);
-    if (!curr_url_ctx.ok()) {
-        dbgWarning(D_RULEBASE_CONFIG) << "Failed to get URL from the enviroment.";
-        return false;
-    }
-    
-    if (values.size() == 0) {
-        dbgTrace(D_RULEBASE_CONFIG) << "Matched URL on \"any\". Url: " << *curr_url_ctx;
-        return true;
-    }
-
-    for (const string &url : values) {
-        if (*curr_url_ctx == url) {
-            dbgTrace(D_RULEBASE_CONFIG) << "Matched URL. Value: " << *curr_url_ctx;
-            return true;
-        }
-    }
-
-    dbgTrace(D_RULEBASE_CONFIG) << "URL is not a match. Value: " << *curr_url_ctx;
-    return false;
-}

components/generic_rulebase/evaluators/http_transaction_data_eval.cc

@@ -1,168 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "generic_rulebase/evaluators/http_transaction_data_eval.h"
-
-#include <boost/lexical_cast.hpp>
-#include <algorithm>
-
-#include "http_transaction_data.h"
-#include "environment/evaluator_templates.h"
-#include "i_environment.h"
-#include "singleton.h"
-#include "debug.h"
-
-USE_DEBUG_FLAG(D_RULEBASE_CONFIG);
-
-using namespace std;
-using namespace EnvironmentHelper;
-
-EqualHost::EqualHost(const vector<string> &params)
-{
-    if (params.size() != 1) reportWrongNumberOfParams("EqualHost", params.size(), 1, 1);
-    host = params[0];
-}
-
-Maybe<bool, Context::Error>
-EqualHost::evalVariable() const
-{
-    I_Environment *env = Singleton::Consume<I_Environment>::by<EqualHost>();
-    auto host_ctx = env->get<string>(HttpTransactionData::host_name_ctx);
-
-    if (!host_ctx.ok())
-    {
-        return false;
-    }
-
-    std::string lower_host_ctx = host_ctx.unpack();
-    std::transform(lower_host_ctx.begin(), lower_host_ctx.end(), lower_host_ctx.begin(), ::tolower);
-
-    std::string lower_host = host;
-    std::transform(lower_host.begin(), lower_host.end(), lower_host.begin(), ::tolower);
-
-
-    if (lower_host_ctx == lower_host) return true;
-    size_t pos = lower_host_ctx.find_last_of(':');
-    if (pos == string::npos) return false;
-    lower_host_ctx = string(lower_host_ctx.data(), pos);
-    return lower_host_ctx == lower_host;
-}
-
-WildcardHost::WildcardHost(const vector<string> &params)
-{
-    if (params.size() != 1) reportWrongNumberOfParams("WildcardHost", params.size(), 1, 1);
-    host = params[0];
-}
-
-Maybe<bool, Context::Error>
-WildcardHost::evalVariable() const
-{
-    I_Environment *env = Singleton::Consume<I_Environment>::by<WildcardHost>();
-    auto host_ctx = env->get<string>(HttpTransactionData::host_name_ctx);
-
-    if (!host_ctx.ok())
-    {
-        return false;
-    }
-
-    string lower_host_ctx = host_ctx.unpack();
-    transform(lower_host_ctx.begin(), lower_host_ctx.end(), lower_host_ctx.begin(), ::tolower);
-
-    dbgTrace(D_RULEBASE_CONFIG) << "found host in current context: " << lower_host_ctx;
-
-    size_t pos = lower_host_ctx.find_first_of(".");
-    if (pos == string::npos) {
-        return false;
-    }
-
-    lower_host_ctx = "*" + lower_host_ctx.substr(pos, lower_host_ctx.length());
-
-    string lower_host = host;
-    transform(lower_host.begin(), lower_host.end(), lower_host.begin(), ::tolower);
-
-    dbgTrace(D_RULEBASE_CONFIG)
-        << "trying to match host context with its corresponding wildcard address: "
-        << lower_host_ctx
-        << ". Matcher host: "
-        << lower_host;
-
-    if (lower_host_ctx == lower_host) return true;
-    pos = lower_host_ctx.find_last_of(':');
-    if (pos == string::npos) return false;
-    lower_host_ctx = string(lower_host_ctx.data(), pos);
-    return lower_host_ctx == lower_host;
-}
-
-EqualListeningIP::EqualListeningIP(const vector<string> &params)
-{
-    if (params.size() != 1) reportWrongNumberOfParams("EqualListeningIP", params.size(), 1, 1);
-
-    auto maybe_ip = IPAddr::createIPAddr(params[0]);
-    if (!maybe_ip.ok()) reportWrongParamType(getName(), params[0], "Not a valid IP Address");
-
-    listening_ip = maybe_ip.unpack();
-}
-
-Maybe<bool, Context::Error>
-EqualListeningIP::evalVariable() const
-{
-    I_Environment *env = Singleton::Consume<I_Environment>::by<EqualListeningIP>();
-    auto listening_ip_ctx = env->get<IPAddr>(HttpTransactionData::listening_ip_ctx);
-    return listening_ip_ctx.ok() &&  listening_ip_ctx.unpack() == listening_ip;
-}
-
-EqualListeningPort::EqualListeningPort(const vector<string> &params)
-{
-    if (params.size() != 1) reportWrongNumberOfParams("EqualListeningPort", params.size(), 1, 1);
-
-    try {
-        listening_port = boost::lexical_cast<PortNumber>(params[0]);
-    } catch (boost::bad_lexical_cast const&) {
-        reportWrongParamType(getName(), params[0], "Not a valid port number");
-    }
-}
-
-Maybe<bool, Context::Error>
-EqualListeningPort::evalVariable() const
-{
-    I_Environment *env = Singleton::Consume<I_Environment>::by<EqualListeningPort>();
-    auto port_ctx = env->get<PortNumber>(HttpTransactionData::listening_port_ctx);
-
-    return port_ctx.ok() && port_ctx.unpack() == listening_port;
-}
-
-BeginWithUri::BeginWithUri(const vector<string> &params)
-{
-    if (params.size() != 1) reportWrongNumberOfParams("BeginWithUri", params.size(), 1, 1);
-    uri_prefix = params[0];
-}
-
-Maybe<bool, Context::Error>
-BeginWithUri::evalVariable() const
-{
-    I_Environment *env = Singleton::Consume<I_Environment>::by<BeginWithUri>();
-    auto uri_ctx = env->get<string>(HttpTransactionData::uri_ctx);
-
-    if (!uri_ctx.ok())
-    {
-        return false;
-    }
-
-    std::string lower_uri_ctx = uri_ctx.unpack();
-    std::transform(lower_uri_ctx.begin(), lower_uri_ctx.end(), lower_uri_ctx.begin(), ::tolower);
-
-    std::string lower_uri_prefix = uri_prefix;
-    std::transform(lower_uri_prefix.begin(), lower_uri_prefix.end(), lower_uri_prefix.begin(), ::tolower);
-
-    return lower_uri_ctx.find(lower_uri_prefix) == 0;
-}

components/generic_rulebase/evaluators/practice_eval.cc

@@ -1,50 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "generic_rulebase/evaluators/practice_eval.h"
-
-#include <vector>
-#include <string>
-
-#include "generic_rulebase/rulebase_config.h"
-#include "config.h"
-#include "debug.h"
-
-USE_DEBUG_FLAG(D_RULEBASE_CONFIG);
-
-using namespace std;
-
-string PracticeMatcher::ctx_key = "practices";
-
-PracticeMatcher::PracticeMatcher(const vector<string> &params)
-{
-    if (params.size() != 1) reportWrongNumberOfParams(PracticeMatcher::getName(), params.size(), 1, 1);
-    practice_id = params[0];
-}
-
-Maybe<bool, Context::Error>
-PracticeMatcher::evalVariable() const
-{
-    I_Environment *env = Singleton::Consume<I_Environment>::by<PracticeMatcher>();
-    auto bc_practice_id_ctx = env->get<set<GenericConfigId>>(PracticeMatcher::ctx_key);
-    dbgTrace(D_RULEBASE_CONFIG)
-        << "Trying to match practice. ID: "
-        << practice_id << ", Current set IDs: "
-        << makeSeparatedStr(bc_practice_id_ctx.ok() ? *bc_practice_id_ctx : set<GenericConfigId>(), ", ");
-    if (bc_practice_id_ctx.ok()) {
-        return bc_practice_id_ctx.unpack().count(practice_id) > 0;
-    }
-
-    auto rule = getConfiguration<BasicRuleConfig>("rulebase", "rulesConfig");
-    return rule.ok() && rule.unpack().isPracticeActive(practice_id);
-}

components/generic_rulebase/evaluators/query_eval.cc

@@ -1,136 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "generic_rulebase/evaluators/query_eval.h"
-
-#include <vector>
-#include <string>
-#include <map>
-
-#include "generic_rulebase/rulebase_config.h"
-#include "generic_rulebase/zones_config.h"
-#include "i_environment.h"
-#include "singleton.h"
-#include "config.h"
-#include "debug.h"
-#include "enum_range.h"
-
-using namespace std;
-
-USE_DEBUG_FLAG(D_RULEBASE_CONFIG);
-
-QueryMatcher::QueryMatcher(const vector<string> &params)
-{
-    if (params.size() < 1) reportWrongNumberOfParams(QueryMatcher::getName(), params.size(), 1);
-
-    key = params.front();
-    if (key == "any") {
-        is_any = true;
-    } else {
-        values.reserve(params.size() - 1);
-        for (uint i = 1; i < params.size() ; i++) {
-            if (params[i] == "any") {
-                values.clear();
-                break;
-            }
-            values.insert(params[i]);
-        }
-    }
-}
-
-const string
-QueryMatcher::contextKeyToString(Context::MetaDataType type)
-{
-    if (type == Context::MetaDataType::SubjectIpAddr || type == Context::MetaDataType::OtherIpAddr) return "ip";
-    return Context::convertToString(type);
-}
-
-class QueryMatchSerializer
-{
-public:
-    static const string req_attr_ctx_key;
-
-    template <typename Archive>
-    void
-    serialize(Archive &ar)
-    {
-        I_Environment *env = Singleton::Consume<I_Environment>::by<QueryMatcher>();
-        auto req_attr = env->get<string>(req_attr_ctx_key);
-        if (!req_attr.ok()) return;
-
-        try {
-            ar(cereal::make_nvp(*req_attr, value));
-            dbgDebug(D_RULEBASE_CONFIG)
-                << "Found value for requested attribute. Tag: "
-                << *req_attr
-                << ", Value: "
-                << value;
-        } catch (exception &e) {
-            dbgDebug(D_RULEBASE_CONFIG) << "Could not find values for requested attribute. Tag: " << *req_attr;
-            ar.finishNode();
-        }
-    }
-
-    template <typename Values>
-    bool
-    matchValues(const Values &requested_vals) const
-    {
-        return value != "" && (requested_vals.empty() || requested_vals.count(value) > 0);
-    }
-
-private:
-    string value;
-};
-
-const string QueryMatchSerializer::req_attr_ctx_key = "requested attribute key";
-
-Maybe<bool, Context::Error>
-QueryMatcher::evalVariable() const
-{
-    if (is_any) return true;
-
-    I_Environment *env = Singleton::Consume<I_Environment>::by<QueryMatcher>();
-    auto local_asset_ctx = env->get<bool>("is local asset");
-    bool is_remote_asset = local_asset_ctx.ok() && !(*local_asset_ctx);
-
-    QueryRequest request;
-    for (Context::MetaDataType name : makeRange<Context::MetaDataType>()) {
-        auto val = env->get<string>(name);
-        if (val.ok()) {
-            if ((name == Context::MetaDataType::SubjectIpAddr && is_remote_asset) ||
-                (name == Context::MetaDataType::OtherIpAddr && !is_remote_asset)) {
-                continue;
-            }
-
-            request.addCondition(Condition::EQUALS, contextKeyToString(name), *val);
-        }
-    }
-    if (request.empty()) return false;
-
-    request.setRequestedAttr(key);
-    ScopedContext req_attr_key;
-    req_attr_key.registerValue<string>(QueryMatchSerializer::req_attr_ctx_key, key);
-
-    I_Intelligence_IS_V2 *intelligence = Singleton::Consume<I_Intelligence_IS_V2>::by<Zone>();
-    auto query_res = intelligence->queryIntelligence<QueryMatchSerializer>(request);
-    if (!query_res.ok()) {
-        dbgWarning(D_RULEBASE_CONFIG) << "Failed to perform intelligence query. Error: " << query_res.getErr();
-        return false;
-    }
-
-    for (const AssetReply<QueryMatchSerializer> &asset : query_res.unpack()) {
-        if (asset.matchValues<unordered_set<string>>(values)) return true;
-    }
-
-    return false;
-}

components/generic_rulebase/evaluators/trigger_eval.cc

@@ -1,57 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "generic_rulebase/evaluators/trigger_eval.h"
-
-#include <vector>
-#include <string>
-
-#include "generic_rulebase/rulebase_config.h"
-#include "config.h"
-#include "debug.h"
-
-using namespace std;
-
-USE_DEBUG_FLAG(D_RULEBASE_CONFIG);
-
-string TriggerMatcher::ctx_key = "triggers";
-
-TriggerMatcher::TriggerMatcher(const vector<string> &params)
-{
-    if (params.size() != 1) reportWrongNumberOfParams(TriggerMatcher::getName(), params.size(), 1, 1);
-    trigger_id = params[0];
-}
-
-Maybe<bool, Context::Error>
-TriggerMatcher::evalVariable() const
-{
-    I_Environment *env = Singleton::Consume<I_Environment>::by<TriggerMatcher>();
-    auto ac_bc_trigger_id_ctx = env->get<set<GenericConfigId>>("ac_trigger_id");
-    dbgTrace(D_RULEBASE_CONFIG)
-        << "Trying to match trigger for access control rule. ID: "
-        << trigger_id << ", Current set IDs: "
-        << makeSeparatedStr(ac_bc_trigger_id_ctx.ok() ? *ac_bc_trigger_id_ctx : set<GenericConfigId>(), ", ");
-    if (ac_bc_trigger_id_ctx.ok()) {
-        return ac_bc_trigger_id_ctx.unpack().count(trigger_id) > 0;
-    }
-
-    auto bc_trigger_id_ctx = env->get<set<GenericConfigId>>(TriggerMatcher::ctx_key);
-    dbgTrace(D_RULEBASE_CONFIG)
-        << "Trying to match trigger. ID: "
-        << trigger_id << ", Current set IDs: "
-        << makeSeparatedStr(bc_trigger_id_ctx.ok() ? *bc_trigger_id_ctx : set<GenericConfigId>(), ", ");
-    if (bc_trigger_id_ctx.ok() && bc_trigger_id_ctx.unpack().count(trigger_id) > 0 ) return true;
-
-    auto rule = getConfiguration<BasicRuleConfig>("rulebase", "rulesConfig");
-    return rule.ok() && rule.unpack().isTriggerActive(trigger_id);
-}

components/generic_rulebase/evaluators/zone_eval.cc

@@ -1,44 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "generic_rulebase/evaluators/zone_eval.h"
-
-#include <vector>
-#include <string>
-
-#include "generic_rulebase/zone.h"
-#include "generic_rulebase/rulebase_config.h"
-#include "config.h"
-
-using namespace std;
-
-string ZoneMatcher::ctx_key = "zone_id";
-
-ZoneMatcher::ZoneMatcher(const vector<string> &params)
-{
-    if (params.size() != 1) reportWrongNumberOfParams(ZoneMatcher::getName(), params.size(), 1, 1);
-    zone_id = params[0];
-}
-
-Maybe<bool, Context::Error>
-ZoneMatcher::evalVariable() const
-{
-    I_Environment *env = Singleton::Consume<I_Environment>::by<ZoneMatcher>();
-    auto bc_zone_id_ctx = env->get<GenericConfigId>(ZoneMatcher::ctx_key);
-    if (bc_zone_id_ctx.ok() && *bc_zone_id_ctx == zone_id) return true;
-
-    if (!getProfileAgentSettingWithDefault<bool>(false, "rulebase.enableQueryBasedMatch")) return false;
-
-    auto zone = getConfiguration<Zone>("rulebase", "zones");
-    return zone.ok() && zone.unpack().getId() == zone_id;
-}

components/generic_rulebase/generic_rulebase.cc

@@ -1,126 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "generic_rulebase/generic_rulebase.h"
-
-#include <unordered_set>
-
-#include "generic_rulebase/evaluators/trigger_eval.h"
-#include "generic_rulebase/evaluators/practice_eval.h"
-#include "generic_rulebase/evaluators/parameter_eval.h"
-#include "generic_rulebase/evaluators/zone_eval.h"
-#include "generic_rulebase/evaluators/asset_eval.h"
-#include "generic_rulebase/evaluators/query_eval.h"
-#include "generic_rulebase/evaluators/connection_eval.h"
-#include "generic_rulebase/evaluators/http_transaction_data_eval.h"
-#include "generic_rulebase/zone.h"
-#include "generic_rulebase/triggers_config.h"
-#include "singleton.h"
-#include "common.h"
-#include "debug.h"
-#include "cache.h"
-#include "config.h"
-
-using namespace std;
-
-USE_DEBUG_FLAG(D_RULEBASE_CONFIG);
-
-class GenericRulebase::Impl : Singleton::Provide<I_GenericRulebase>::From<GenericRulebase>
-{
-public:
-    void init() {}
-    void fini() {}
-
-    void preload();
-
-    Maybe<Zone, Config::Errors> getLocalZone() const override { return getZoneConfig(true); }
-    Maybe<Zone, Config::Errors> getOtherZone() const override { return getZoneConfig(false); }
-
-    set<ParameterBehavior> getBehavior(const ParameterKeyValues &key_value_pairs) const override;
-
-private:
-    Maybe<Zone, Config::Errors>
-    getZoneConfig(bool is_local_zone) const
-    {
-        ScopedContext asset_location_ctx;
-        asset_location_ctx.registerValue<bool>("is local asset", is_local_zone);
-        return getConfiguration<Zone>("rulebase", "zones");
-    }
-};
-
-void
-GenericRulebase::Impl::preload()
-{
-    addMatcher<TriggerMatcher>();
-    addMatcher<PracticeMatcher>();
-    addMatcher<ParameterMatcher>();
-    addMatcher<ZoneMatcher>();
-    addMatcher<AssetMatcher>();
-    addMatcher<QueryMatcher>();
-    addMatcher<IpAddressMatcher>();
-    addMatcher<SourceIpMatcher>();
-    addMatcher<DestinationIpMatcher>();
-    addMatcher<SourcePortMatcher>();
-    addMatcher<ListeningPortMatcher>();
-    addMatcher<IpProtocolMatcher>();
-    addMatcher<UrlMatcher>();
-    addMatcher<EqualHost>();
-    addMatcher<WildcardHost>();
-    addMatcher<EqualListeningIP>();
-    addMatcher<EqualListeningPort>();
-    addMatcher<BeginWithUri>();
-    BasicRuleConfig::preload();
-    LogTriggerConf::preload();
-    ParameterException::preload();
-    registerExpectedConfiguration<Zone>("rulebase", "zones");
-    registerExpectedConfigFile("zones", Config::ConfigFileType::Policy);
-    registerExpectedConfigFile("triggers", Config::ConfigFileType::Policy);
-    registerExpectedConfigFile("rules", Config::ConfigFileType::Policy);
-    registerExpectedConfigFile("parameters", Config::ConfigFileType::Policy);
-    registerExpectedConfigFile("exceptions", Config::ConfigFileType::Policy);
-
-}
-
-set<ParameterBehavior>
-GenericRulebase::Impl::getBehavior(const ParameterKeyValues &key_value_pairs) const
-{
-    auto &exceptions = getConfiguration<ParameterException>("rulebase", "exception");
-
-    if (!exceptions.ok()) {
-        dbgTrace(D_RULEBASE_CONFIG) << "Could not find any exception with the current rule's context";
-        return {};
-    }
-    return (*exceptions).getBehavior(key_value_pairs);
-}
-
-GenericRulebase::GenericRulebase() : Component("GenericRulebase"), pimpl(make_unique<Impl>()) {}
-
-GenericRulebase::~GenericRulebase() {}
-
-void
-GenericRulebase::init()
-{
-    pimpl->init();
-}
-
-void
-GenericRulebase::fini()
-{
-    pimpl->fini();
-}
-
-void
-GenericRulebase::preload()
-{
-    pimpl->preload();
-}

components/generic_rulebase/generic_rulebase_context.cc

@@ -1,109 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "generic_rulebase/generic_rulebase_context.h"
-
-#include <vector>
-
-#include "context.h"
-#include "config.h"
-#include "generic_rulebase/evaluators/trigger_eval.h"
-#include "generic_rulebase/evaluators/parameter_eval.h"
-#include "generic_rulebase/evaluators/practice_eval.h"
-#include "generic_rulebase/evaluators/zone_eval.h"
-#include "generic_rulebase/evaluators/asset_eval.h"
-
-USE_DEBUG_FLAG(D_RULEBASE_CONFIG);
-
-using namespace std;
-
-template<typename Configs>
-set<GenericConfigId>
-extractIds(const vector<Configs> &configurations)
-{
-    set<GenericConfigId> ids;
-    for (const Configs &conf : configurations) {
-        ids.insert(conf.getId());
-    }
-    return ids;
-}
-
-void
-GenericRulebaseContext::activate(const BasicRuleConfig &rule)
-{
-    switch(registration_state) {
-        case RuleRegistrationState::UNINITIALIZED: {
-            registration_state = RuleRegistrationState::REGISTERED;
-            ctx.registerValue<set<GenericConfigId>>(
-                TriggerMatcher::ctx_key,
-                extractIds<RuleTrigger>(rule.getTriggers())
-            );
-            ctx.registerValue<set<GenericConfigId>>(
-                PracticeMatcher::ctx_key,
-                extractIds<RulePractice>(rule.getPractices())
-            );
-            dbgTrace(D_RULEBASE_CONFIG)
-                << "Activating current practices. Current practice IDs: "
-                << makeSeparatedStr(extractIds<RulePractice>(rule.getPractices()), ", ");
-
-            ctx.registerValue<set<GenericConfigId>>(
-                ParameterMatcher::ctx_key,
-                extractIds<RuleParameter>(rule.getParameters())
-            );
-            ctx.registerValue<GenericConfigId>(
-                ZoneMatcher::ctx_key,
-                rule.getZoneId()
-            );
-            ctx.registerValue<GenericConfigId>(
-                AssetMatcher::ctx_key,
-                rule.getAssetId()
-            );
-            ctx.activate();
-            break;
-        }
-        case RuleRegistrationState::REGISTERED: {
-            dbgTrace(D_RULEBASE_CONFIG) << "Activating registered rule values";
-            ctx.activate();
-            break;
-        }
-        case RuleRegistrationState::UNREGISTERED: {
-            dbgTrace(D_RULEBASE_CONFIG) << "Failed to register rule values";
-        }
-    }
-}
-
-void
-GenericRulebaseContext::activate()
-{
-    switch(registration_state) {
-        case RuleRegistrationState::UNINITIALIZED: {
-            auto maybe_rule = getConfiguration<BasicRuleConfig>("rulebase", "rulesConfig");
-            if (!maybe_rule.ok()) {
-                registration_state = RuleRegistrationState::UNREGISTERED;
-                return;
-            }
-            dbgTrace(D_RULEBASE_CONFIG) << "Registering new rule values";
-            activate(maybe_rule.unpack());
-            registration_state = RuleRegistrationState::REGISTERED;
-            break;
-        }
-        case RuleRegistrationState::REGISTERED: {
-            dbgTrace(D_RULEBASE_CONFIG) << "Activating registered rule values";
-            ctx.activate();
-            break;
-        }
-        case RuleRegistrationState::UNREGISTERED: {
-            dbgTrace(D_RULEBASE_CONFIG) << "Failed to register rule values";
-        }
-    }
-}

components/generic_rulebase/match_query.cc

@@ -1,347 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "generic_rulebase/match_query.h"
-
-#include "cereal/types/set.hpp"
-
-#include "generic_rulebase/generic_rulebase_utils.h"
-#include "config.h"
-#include "ip_utilities.h"
-#include "agent_core_utilities.h"
-
-USE_DEBUG_FLAG(D_RULEBASE_CONFIG);
-
-using namespace std;
-
-static const unordered_map<string, MatchQuery::MatchType> string_to_match_type = {
-    { "condition", MatchQuery::MatchType::Condition },
-    { "operator", MatchQuery::MatchType::Operator }
-};
-
-static const unordered_map<string, MatchQuery::Operators> string_to_operator = {
-    { "and", MatchQuery::Operators::And },
-    { "or", MatchQuery::Operators::Or }
-};
-
-static const unordered_map<string, MatchQuery::Conditions> string_to_condition = {
-    { "equals", MatchQuery::Conditions::Equals },
-    { "not-equals", MatchQuery::Conditions::NotEquals },
-    { "not equals", MatchQuery::Conditions::NotEquals },
-    { "in", MatchQuery::Conditions::In },
-    { "not-in", MatchQuery::Conditions::NotIn },
-    { "not in", MatchQuery::Conditions::NotIn },
-    { "exist", MatchQuery::Conditions::Exist }
-};
-
-static const string ip_addr_type_name = "IP address";
-static const string port_type_name = "port";
-static const string ip_proto_type_name = "IP protocol";
-
-static const unordered_map<string, MatchQuery::StaticKeys> string_to_key = {
-    { "sourceIP", MatchQuery::StaticKeys::SrcIpAddress },
-    { "sourceIpAddr", MatchQuery::StaticKeys::SrcIpAddress },
-    { "destinationIP", MatchQuery::StaticKeys::DstIpAddress },
-    { "destinationIpAddr", MatchQuery::StaticKeys::DstIpAddress },
-    { "ipAddress", MatchQuery::StaticKeys::IpAddress },
-    { "sourcePort", MatchQuery::StaticKeys::SrcPort },
-    { "listeningPort", MatchQuery::StaticKeys::ListeningPort },
-    { "ipProtocol", MatchQuery::StaticKeys::IpProtocol },
-    { "domain", MatchQuery::StaticKeys::Domain }
-};
-
-MatchQuery::MatchQuery(const string &match) : is_specific_label(false), is_ignore_keyword(false)
-{
-    try {
-        stringstream ss;
-        ss.str(match);
-        cereal::JSONInputArchive archive_in(ss);
-        load(archive_in);
-    } catch (const exception &e) {
-        dbgWarning(D_RULEBASE_CONFIG)
-            << "Unable to load match query JSON. JSON content: "
-            << match
-            << ", Error: "
-            << e.what();
-    }
-}
-
-void
-MatchQuery::load(cereal::JSONInputArchive &archive_in)
-{
-    string type_as_string;
-    archive_in(cereal::make_nvp("type", type_as_string));
-
-    string op_as_string;
-    archive_in(cereal::make_nvp("op", op_as_string));
-
-    auto maybe_type = string_to_match_type.find(type_as_string);
-    if (maybe_type == string_to_match_type.end()) {
-        reportConfigurationError("Illegal Zone match query type. Provided type in configuration: " + type_as_string);
-    }
-
-    type = maybe_type->second;
-    switch (type) {
-        case (MatchType::Condition): {
-            auto maybe_condition = string_to_condition.find(op_as_string);
-            if (maybe_condition == string_to_condition.end()) {
-                reportConfigurationError(
-                    "Illegal op provided for condition. Provided op in configuration: " +
-                    op_as_string
-                );
-            }
-            condition_type = maybe_condition->second;
-            operator_type = Operators::None;
-            archive_in(cereal::make_nvp("key", key));
-            key_type = getKeyByName(key);
-            if (key_type == StaticKeys::NotStatic) {
-                if (key.rfind("containerLabels.", 0) == 0)  {
-                    is_specific_label = true;
-                } else {
-                    is_specific_label = false;
-                }
-            }
-            is_ignore_keyword = (key == "indicator");
-
-            if (condition_type != Conditions::Exist) {
-                archive_in(cereal::make_nvp("value", value));
-                for(const auto &val: value) {
-                    if (isKeyTypeIp()) {
-                        auto ip_range = IPUtilities::createRangeFromString<IPRange, IpAddress>(val, ip_addr_type_name);
-                        if (ip_range.ok()) {
-                            ip_addr_value.push_back(ip_range.unpack());
-                        } else {
-                            dbgWarning(D_RULEBASE_CONFIG)
-                                << "Failed to parse IP address range. Error: "
-                                << ip_range.getErr();
-                        }
-                    } else if (isKeyTypePort()) {
-                        auto port_range = IPUtilities::createRangeFromString<PortsRange, uint16_t>(
-                            val,
-                            port_type_name
-                        );
-                        if (port_range.ok()) {
-                            port_value.push_back(port_range.unpack());
-                        } else {
-                            dbgWarning(D_RULEBASE_CONFIG)
-                                << "Failed to parse port range. Error: "
-                                << port_range.getErr();
-                        }
-                    } else if (isKeyTypeProtocol()) {
-                        auto proto_range = IPUtilities::createRangeFromString<IpProtoRange, uint8_t>(
-                            val,
-                            ip_proto_type_name
-                        );
-                        if (proto_range.ok()) {
-                            ip_proto_value.push_back(proto_range.unpack());
-                        } else {
-                            dbgWarning(D_RULEBASE_CONFIG)
-                                << "Failed to parse IP protocol range. Error: "
-                                << proto_range.getErr();
-                        }
-                    }
-
-                    try {
-                        regex_values.insert(boost::regex(val));
-                    } catch (const exception &e) {
-                        dbgDebug(D_RULEBASE_CONFIG) << "Failed to compile regex. Error: " << e.what();
-                    }
-                }
-                first_value = *(value.begin());
-            }
-            break;
-        }
-        case (MatchType::Operator): {
-            auto maybe_operator = string_to_operator.find(op_as_string);
-            if (maybe_operator == string_to_operator.end()) {
-                reportConfigurationError(
-                    "Illegal op provided for operator. Provided op in configuration: " +
-                    op_as_string
-                );
-            }
-            operator_type = maybe_operator->second;
-            condition_type = Conditions::None;
-            archive_in(cereal::make_nvp("items", items));
-            break;
-        }
-    }
-}
-
-MatchQuery::StaticKeys
-MatchQuery::getKeyByName(const string &key_type_name)
-{
-    auto key = string_to_key.find(key_type_name);
-    if (key == string_to_key.end()) return StaticKeys::NotStatic;
-    return key->second;
-}
-
-bool
-MatchQuery::isKeyTypeIp() const
-{
-    return (key_type >= StaticKeys::IpAddress && key_type <= StaticKeys::DstIpAddress);
-}
-
-bool
-MatchQuery::isKeyTypePort() const
-{
-    return (key_type == StaticKeys::SrcPort || key_type == StaticKeys::ListeningPort);
-}
-
-bool
-MatchQuery::isKeyTypeProtocol() const
-{
-    return (key_type == StaticKeys::IpProtocol);
-}
-
-bool
-MatchQuery::isKeyTypeDomain() const
-{
-    return (key_type == StaticKeys::Domain);
-}
-
-bool
-MatchQuery::isKeyTypeSpecificLabel() const
-{
-    return is_specific_label;
-}
-
-bool
-MatchQuery::isKeyTypeStatic() const
-{
-    return (key_type != StaticKeys::NotStatic);
-}
-
-set<string>
-MatchQuery::getAllKeys() const
-{
-    set<string> keys;
-    if (type == MatchType::Condition) {
-        if (!key.empty()) keys.insert(key);
-        return keys;
-    }
-
-    for (const MatchQuery &inner_match: items) {
-        set<string> iner_keys = inner_match.getAllKeys();
-        keys.insert(iner_keys.begin(), iner_keys.end());
-    }
-
-    return keys;
-}
-
-bool
-MatchQuery::matchAttributes(
-        const unordered_map<string, set<string>> &key_value_pairs,
-        set<string> &matched_override_keywords ) const
-{
-
-    if (type == MatchType::Condition) {
-        auto key_value_pair = key_value_pairs.find(key);
-        if (key_value_pair == key_value_pairs.end()) {
-            dbgTrace(D_RULEBASE_CONFIG) << "Ignoring irrelevant key: " << key;
-            return false;
-        }
-        return matchAttributes(key_value_pair->second, matched_override_keywords);
-    } else if (type == MatchType::Operator && operator_type == Operators::And) {
-        for (const MatchQuery &inner_match: items) {
-            if (!inner_match.matchAttributes(key_value_pairs, matched_override_keywords)) {
-                return false;
-            }
-        }
-        return true;
-    } else if (type == MatchType::Operator && operator_type == Operators::Or) {
-        // With 'or' condition, evaluate matched override keywords first and add the ones that were fully matched
-        set<string> inner_override_keywords;
-        bool res = false;
-        for (const MatchQuery &inner_match: items) {
-            inner_override_keywords.clear();
-            if (inner_match.matchAttributes(key_value_pairs, inner_override_keywords)) {
-                matched_override_keywords.insert(inner_override_keywords.begin(), inner_override_keywords.end());
-                res = true;
-            }
-        }
-        return res;
-    } else {
-        dbgWarning(D_RULEBASE_CONFIG) << "Unsupported match query type";
-    }
-    return false;
-}
-
-MatchQuery::MatchResult
-MatchQuery::getMatch( const unordered_map<string, set<string>> &key_value_pairs) const
-{
-    MatchQuery::MatchResult matches;
-    matches.matched_keywords = make_shared<set<string>>();
-    matches.is_match = matchAttributes(key_value_pairs, *matches.matched_keywords);
-    return matches;
-}
-
-bool
-MatchQuery::matchAttributes(
-        const unordered_map<string, set<string>> &key_value_pairs) const
-{
-    return getMatch(key_value_pairs).is_match;
-}
-
-bool
-MatchQuery::matchAttributes(
-        const set<string> &values,
-        set<string> &matched_override_keywords) const
-{
-    auto &type = condition_type;
-    bool negate = type == MatchQuery::Conditions::NotEquals || type == MatchQuery::Conditions::NotIn;
-    bool match = isRegEx() ? matchAttributesRegEx(values, matched_override_keywords) : matchAttributesString(values);
-    return negate ? !match : match;
-}
-
-bool
-MatchQuery::matchAttributesRegEx(
-        const set<string> &values,
-        set<string> &matched_override_keywords) const
-{
-    bool res = false;
-    boost::cmatch value_matcher;
-    for (const boost::regex &val_regex : regex_values) {
-        for (const string &requested_match_value : values) {
-            if (NGEN::Regex::regexMatch(
-                __FILE__,
-                __LINE__,
-                requested_match_value.c_str(),
-                value_matcher,
-                val_regex))
-            {
-                res = true;
-                if (is_ignore_keyword) {
-                    matched_override_keywords.insert(requested_match_value);
-                } else {
-                    return res;
-                }
-            }
-        }
-    }
-    return res;
-}
-
-bool
-MatchQuery::matchAttributesString(const set<string> &values) const
-{
-    for (const string &requested_value : values) {
-        if (value.find(requested_value) != value.end()) return true;
-    }
-    return false;
-}
-
-bool
-MatchQuery::isRegEx() const
-{
-    return key != "protectionName";
-}

components/generic_rulebase/parameters_config.cc

@@ -1,157 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "generic_rulebase/parameters_config.h"
-
-USE_DEBUG_FLAG(D_RULEBASE_CONFIG);
-
-using namespace std;
-
-bool ParameterException::is_geo_location_exception_exists(false);
-bool ParameterException::is_geo_location_exception_being_loaded(false);
-
-void
-ParameterOverrides::load(cereal::JSONInputArchive &archive_in)
-{
-    parseJSONKey<vector<ParsedBehavior>>("parsedBehavior", parsed_behaviors, archive_in);
-}
-
-void
-ParameterTrustedSources::load(cereal::JSONInputArchive &archive_in)
-{
-    parseJSONKey<uint>("numOfSources", num_of_sources, archive_in);
-    parseJSONKey<vector<SourcesIdentifier>>("sourcesIdentifiers", sources_identidiers, archive_in);
-}
-
-void
-ParameterBehavior::load(cereal::JSONInputArchive &archive_in)
-{
-    string key_string;
-    string val_string;
-    parseJSONKey<string>("id", id, archive_in);
-    parseJSONKey<string>("key", key_string, archive_in);
-    parseJSONKey<string>("value", val_string, archive_in);
-    if (string_to_behavior_key.find(key_string) == string_to_behavior_key.end()) {
-        dbgWarning(D_RULEBASE_CONFIG) << "Unsupported behavior key: " << key_string;
-        return;
-    }
-    key = string_to_behavior_key.at(key_string);
-
-    if (string_to_behavior_val.find(val_string) == string_to_behavior_val.end()) {
-        dbgWarning(D_RULEBASE_CONFIG) << "Unsupported behavior value: " << val_string;
-        return;
-    }
-    value = string_to_behavior_val.at(val_string);
-}
-
-void
-ParameterAntiBot::load(cereal::JSONInputArchive &archive_in)
-{
-    parseJSONKey<vector<string>>("injected", injected, archive_in);
-    parseJSONKey<vector<string>>("validated", validated, archive_in);
-}
-
-void
-ParameterOAS::load(cereal::JSONInputArchive &archive_in)
-{
-    parseJSONKey<string>("value", value, archive_in);
-}
-
-void
-ParameterException::MatchBehaviorPair::load(cereal::JSONInputArchive &archive_in)
-{
-    parseJSONKey<MatchQuery>("match", match, archive_in);
-    parseJSONKey<ParameterBehavior>("behavior", behavior, archive_in);
-}
-
-void
-ParameterException::load(cereal::JSONInputArchive &archive_in)
-{
-    try {
-        archive_in(
-            cereal::make_nvp("match", match),
-            cereal::make_nvp("behavior", behavior)
-        );
-    } catch (...) {
-        parseJSONKey<vector<MatchBehaviorPair>>("exceptions", match_queries, archive_in);
-    }
-
-    function<bool(const MatchQuery &)> isGeoLocationExists =
-        [&](const MatchQuery &query)
-        {
-            if (query.getKey() == "countryCode" || query.getKey() == "countryName") {
-                is_geo_location_exception_being_loaded = true;
-                return true;
-            }
-
-            for (const MatchQuery &query_item : query.getItems()) {
-                if (isGeoLocationExists(query_item)) return true;
-            }
-
-            return false;
-        };
-
-    if (isGeoLocationExists(match)) return;
-    for (const MatchBehaviorPair &match_query : match_queries) {
-        if (isGeoLocationExists(match_query.match)) return;
-    }
-}
-
-set<ParameterBehavior>
-ParameterException::getBehavior(
-        const unordered_map<string, set<string>> &key_value_pairs,
-        set<string> &matched_override_keywords) const
-{
-    set<ParameterBehavior> matched_behaviors;
-
-    matched_override_keywords.clear();
-    dbgTrace(D_RULEBASE_CONFIG) << "Matching exception";
-    for (const MatchBehaviorPair &match_behavior_pair: match_queries) {
-        MatchQuery::MatchResult match_res = match_behavior_pair.match.getMatch(key_value_pairs);
-        if (match_res.is_match) {
-            dbgTrace(D_RULEBASE_CONFIG) << "Successfully matched an exception from a list of matches.";
-            // When matching indicators with action=ignore, we expect no behavior override.
-            // Instead, a matched keywords list should be returned which will be later removed from score calculation
-            if (match_res.matched_keywords->size() > 0 && match_behavior_pair.behavior == action_ignore) {
-                matched_override_keywords.insert(match_res.matched_keywords->begin(),
-                        match_res.matched_keywords->end());
-            } else {
-                matched_behaviors.insert(match_behavior_pair.behavior);
-            }
-        }
-    }
-
-    if (match_queries.empty()) {
-        MatchQuery::MatchResult match_res = match.getMatch(key_value_pairs);
-        if (match_res.is_match) {
-            dbgTrace(D_RULEBASE_CONFIG) << "Successfully matched an exception.";
-            // When matching indicators with action=ignore, we expect no behavior override.
-            // Instead, a matched keywords list should be returned which will be later removed from score calculation
-            if (match_res.matched_keywords->size() > 0 && behavior == action_ignore) {
-                matched_override_keywords.insert(match_res.matched_keywords->begin(),
-                        match_res.matched_keywords->end());
-            } else {
-                matched_behaviors.insert(behavior);
-            }
-        }
-    }
-
-    return matched_behaviors;
-}
-
-set<ParameterBehavior>
-ParameterException::getBehavior(const unordered_map<string, set<string>> &key_value_pairs) const
-{
-    set<string> keywords;
-    return getBehavior(key_value_pairs, keywords);
-}

components/generic_rulebase/rulebase_config.cc

@@ -1,79 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "generic_rulebase/rulebase_config.h"
-
-#include "telemetry.h"
-#include "config.h"
-
-USE_DEBUG_FLAG(D_RULEBASE_CONFIG);
-
-using namespace std;
-
-set<string> BasicRuleConfig::assets_ids{};
-set<string> BasicRuleConfig::assets_ids_aggregation{};
-
-void
-BasicRuleConfig::load(cereal::JSONInputArchive &ar)
-{
-    parseJSONKey<vector<RulePractice>>("practices", practices, ar);
-    parseJSONKey<vector<RuleTrigger>>("triggers", triggers, ar);
-    parseJSONKey<vector<RuleParameter>>("parameters", parameters, ar);
-    parseJSONKey<uint8_t>("priority", priority, ar);
-    parseJSONKey<string>("ruleId", rule_id, ar);
-    parseJSONKey<string>("ruleName", rule_name, ar);
-    parseJSONKey<string>("assetId", asset_id, ar);
-    parseJSONKey<string>("assetName", asset_name, ar);
-    parseJSONKey<string>("zoneId", zone_id, ar);
-    parseJSONKey<string>("zoneName", zone_name, ar);
-
-    assets_ids_aggregation.insert(asset_id);
-}
-
-void
-BasicRuleConfig::updateCountMetric()
-{
-    BasicRuleConfig::assets_ids = BasicRuleConfig::assets_ids_aggregation;
-    AssetCountEvent(AssetType::ALL, BasicRuleConfig::assets_ids.size()).notify();
-}
-
-bool
-BasicRuleConfig::isPracticeActive(const string &practice_id) const
-{
-    for (auto practice: practices) {
-        if (practice.getId() == practice_id) return true;
-    }
-    return false;
-}
-
-bool
-BasicRuleConfig::isTriggerActive(const string &trigger_id) const
-{
-    for (auto trigger: triggers) {
-        if (trigger.getId() == trigger_id) {
-            return true;
-        }
-    }
-    return false;
-}
-
-bool
-BasicRuleConfig::isParameterActive(const string &parameter_id) const
-{
-    for (auto param: parameters) {
-        if (param.getId() == parameter_id) {
-            return true;
-        }
-    }
-    return false;
-}

components/generic_rulebase/triggers_config.cc

@@ -1,243 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include <string>
-#include <map>
-
-#include "generic_rulebase/triggers_config.h"
-#include "generic_rulebase/generic_rulebase_utils.h"
-
-USE_DEBUG_FLAG(D_RULEBASE_CONFIG);
-
-using namespace std;
-
-WebTriggerConf::WebTriggerConf() :  response_title(""), response_body(""), response_code(0) {}
-WebTriggerConf::WebTriggerConf(const string &title, const string &body, uint code)
-        :
-    response_title(title),
-    response_body(body),
-    response_code(code)
-{}
-
-WebTriggerConf WebTriggerConf::default_trigger_conf = WebTriggerConf(
-    "Attack blocked by web application protection",                                     // title
-    "Check Point's <b>Application Security</b> has detected an attack and blocked it.", // body
-    403
-);
-
-void
-WebTriggerConf::load(cereal::JSONInputArchive &archive_in)
-{
-    try {
-        parseJSONKey<string>("details level", details_level, archive_in);
-        if (details_level == "Redirect") {
-            parseJSONKey<string>("redirect URL", redirect_url, archive_in);
-            parseJSONKey<bool>("xEventId", add_event_id_to_header, archive_in);
-            parseJSONKey<bool>("eventIdInHeader", add_event_id_to_header, archive_in);
-            return;
-        }
-        parseJSONKey<uint>("response code", response_code, archive_in);
-        if (response_code < 100 || response_code > 599) {
-            throw cereal::Exception(
-                "illegal web trigger response code: " +
-                to_string(response_code) +
-                " is out of range (100-599)"
-            );
-        }
-
-        if (details_level == "Response Code") return;
-
-        parseJSONKey<string>("response body", response_body, archive_in);
-        parseJSONKey<string>("response title", response_title, archive_in);
-    } catch (const exception &e) {
-        dbgWarning(D_RULEBASE_CONFIG) << "Failed to parse the web trigger configuration: '" << e.what() << "'";
-        archive_in.setNextName(nullptr);
-    }
-}
-
-bool
-WebTriggerConf::operator==(const WebTriggerConf &other) const
-{
-    return
-        response_code == other.response_code &&
-        response_title == other.response_title &&
-        response_body == other.response_body;
-}
-
-LogTriggerConf::LogTriggerConf(string trigger_name, bool log_detect, bool log_prevent) : name(trigger_name)
-{
-    if (log_detect) should_log_on_detect.setAll();
-    if (log_prevent) should_log_on_prevent.setAll();
-    active_streams.setFlag(ReportIS::StreamType::JSON_FOG);
-    active_streams.setFlag(ReportIS::StreamType::JSON_LOG_FILE);
-}
-
-ReportIS::Severity
-LogTriggerConf::getSeverity(bool is_action_drop_or_prevent) const
-{
-    return is_action_drop_or_prevent ? ReportIS::Severity::MEDIUM : ReportIS::Severity::LOW;
-}
-
-ReportIS::Priority
-LogTriggerConf::getPriority(bool is_action_drop_or_prevent) const
-{
-    return is_action_drop_or_prevent ? ReportIS::Priority::HIGH : ReportIS::Priority::MEDIUM;
-}
-
-Flags<ReportIS::StreamType>
-LogTriggerConf::getStreams(SecurityType security_type, bool is_action_drop_or_prevent) const
-{
-    if (is_action_drop_or_prevent && should_log_on_prevent.isSet(security_type)) return active_streams;
-    if (!is_action_drop_or_prevent && should_log_on_detect.isSet(security_type)) return active_streams;
-
-    return Flags<ReportIS::StreamType>();
-}
-
-Flags<ReportIS::Enreachments>
-LogTriggerConf::getEnrechments(SecurityType security_type) const
-{
-    Flags<ReportIS::Enreachments> enreachments;
-
-    if (log_geo_location.isSet(security_type)) enreachments.setFlag(ReportIS::Enreachments::GEOLOCATION);
-    if (should_format_output) enreachments.setFlag(ReportIS::Enreachments::BEAUTIFY_OUTPUT);
-
-    return enreachments;
-}
-
-template <typename EnumClass>
-static void
-setTriggersFlag(const string &key, cereal::JSONInputArchive &ar, EnumClass flag, Flags<EnumClass> &flags)
-{
-    bool value = false;
-    parseJSONKey<bool>(key, value, ar);
-    if (value) flags.setFlag(flag);
-}
-
-static void
-setLogConfiguration(
-    const ReportIS::StreamType &log_type,
-    const string &log_server_url = "",
-    const string &protocol = ""
-)
-{
-    dbgTrace(D_RULEBASE_CONFIG) << "log server url:" << log_server_url;
-    if (log_server_url != "" && protocol != "") {
-        Singleton::Consume<I_Logging>::by<LogTriggerConf>()->addStream(log_type, log_server_url, protocol);
-    } else {
-        Singleton::Consume<I_Logging>::by<LogTriggerConf>()->addStream(log_type);
-    }
-}
-
-static string
-parseProtocolWithDefault(
-    const std::string &default_value,
-    const std::string &key_name,
-    cereal::JSONInputArchive &archive_in
-)
-{
-    string value;
-    try {
-        archive_in(cereal::make_nvp(key_name, value));
-    } catch (const cereal::Exception &e) {
-        return default_value;
-    }
-    return value;
-}
-
-void
-LogTriggerConf::load(cereal::JSONInputArchive& archive_in)
-{
-    try {
-        parseJSONKey<string>("triggerName", name, archive_in);
-        parseJSONKey<string>("verbosity", verbosity, archive_in);
-        parseJSONKey<string>("urlForSyslog", url_for_syslog, archive_in);
-        parseJSONKey<string>("urlForCef", url_for_cef, archive_in);
-        parseJSONKey<string>("syslogProtocol", syslog_protocol, archive_in);
-        syslog_protocol = parseProtocolWithDefault("UDP", "syslogProtocol", archive_in);
-        cef_protocol = parseProtocolWithDefault("UDP", "cefProtocol", archive_in);
-
-        setTriggersFlag("webBody",  archive_in, WebLogFields::webBody, log_web_fields);
-        setTriggersFlag("webHeaders", archive_in, WebLogFields::webHeaders, log_web_fields);
-        setTriggersFlag("webRequests", archive_in, WebLogFields::webRequests, log_web_fields);
-        setTriggersFlag("webUrlPath", archive_in, WebLogFields::webUrlPath, log_web_fields);
-        setTriggersFlag("webUrlQuery", archive_in, WebLogFields::webUrlQuery, log_web_fields);
-        setTriggersFlag("logToAgent", archive_in, ReportIS::StreamType::JSON_LOG_FILE, active_streams);
-        setTriggersFlag("logToCloud", archive_in, ReportIS::StreamType::JSON_FOG, active_streams);
-        setTriggersFlag("logToK8sService", archive_in, ReportIS::StreamType::JSON_K8S_SVC, active_streams);
-        setTriggersFlag("logToSyslog", archive_in, ReportIS::StreamType::SYSLOG, active_streams);
-        setTriggersFlag("logToCef", archive_in, ReportIS::StreamType::CEF, active_streams);
-        setTriggersFlag("acAllow", archive_in, SecurityType::AccessControl, should_log_on_detect);
-        setTriggersFlag("acDrop", archive_in, SecurityType::AccessControl, should_log_on_prevent);
-        setTriggersFlag("tpDetect", archive_in, SecurityType::ThreatPrevention, should_log_on_detect);
-        setTriggersFlag("tpPrevent", archive_in, SecurityType::ThreatPrevention, should_log_on_prevent);
-        setTriggersFlag("complianceWarnings", archive_in, SecurityType::Compliance, should_log_on_detect);
-        setTriggersFlag("complianceViolations", archive_in, SecurityType::Compliance, should_log_on_prevent);
-        setTriggersFlag("acLogGeoLocation", archive_in, SecurityType::AccessControl, log_geo_location);
-        setTriggersFlag("tpLogGeoLocation", archive_in, SecurityType::ThreatPrevention, log_geo_location);
-        setTriggersFlag("complianceLogGeoLocation", archive_in, SecurityType::Compliance, log_geo_location);
-
-        bool extend_logging = false;
-        parseJSONKey<bool>("extendLogging", extend_logging, archive_in);
-        if (extend_logging) {
-            setTriggersFlag("responseCode", archive_in, WebLogFields::responseCode, log_web_fields);
-            setTriggersFlag("responseBody", archive_in, WebLogFields::responseBody, log_web_fields);
-
-            string severity;
-            static const map<string, extendLoggingSeverity> extend_logging_severity_strings = {
-                {"High", extendLoggingSeverity::High},
-                {"Critical", extendLoggingSeverity::Critical}
-            };
-            parseJSONKey<string>("extendLoggingMinSeverity", severity, archive_in);
-            auto extended_severity = extend_logging_severity_strings.find(severity);
-            if (extended_severity != extend_logging_severity_strings.end()) {
-                extend_logging_severity = extended_severity->second;
-            } else {
-                dbgWarning(D_RULEBASE_CONFIG)
-                    << "Failed to parse the extendLoggingMinSeverityfield: '"
-                    << severity
-                    << "'";
-            }
-        }
-
-        for (ReportIS::StreamType log_stream : makeRange<ReportIS::StreamType>()) {
-            if (!active_streams.isSet(log_stream)) continue;
-            switch (log_stream) {
-                case ReportIS::StreamType::JSON_DEBUG:
-                    setLogConfiguration(ReportIS::StreamType::JSON_DEBUG);
-                    break;
-                case ReportIS::StreamType::JSON_FOG:
-                    setLogConfiguration(ReportIS::StreamType::JSON_FOG);
-                    break;
-                case ReportIS::StreamType::JSON_LOG_FILE:
-                    setLogConfiguration(ReportIS::StreamType::JSON_LOG_FILE);
-                    break;
-                case ReportIS::StreamType::JSON_K8S_SVC:
-                    setLogConfiguration(ReportIS::StreamType::JSON_K8S_SVC);
-                    break;
-                case ReportIS::StreamType::SYSLOG:
-                    setLogConfiguration(ReportIS::StreamType::SYSLOG, getUrlForSyslog(), syslog_protocol);
-                    break;
-                case ReportIS::StreamType::CEF:
-                    setLogConfiguration(ReportIS::StreamType::CEF, getUrlForCef(), cef_protocol);
-                    break;
-                case ReportIS::StreamType::NONE: break;
-                case ReportIS::StreamType::COUNT: break;
-            }
-        }
-
-        parseJSONKey<bool>("formatLoggingOutput", should_format_output, archive_in);
-    } catch (const exception &e) {
-        dbgWarning(D_RULEBASE_CONFIG) << "Failed to parse the log trigger configuration: '" << e.what() << "'";
-        archive_in.setNextName(nullptr);
-    }
-}

components/generic_rulebase/zone.cc

@@ -1,179 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "generic_rulebase/zone.h"
-
-#include <set>
-#include <vector>
-#include <string>
-
-using namespace std;
-
-static const unordered_map<string, Zone::Direction> string_to_direction = {
-    { "to", Zone::Direction::To },
-    { "from", Zone::Direction::From },
-    { "bidirectional", Zone::Direction::Bidirectional }
-};
-
-class AdjacentZone
-{
-public:
-    void
-    load(cereal::JSONInputArchive &archive_in)
-    {
-        string direction_as_string;
-        archive_in(cereal::make_nvp("direction", direction_as_string));
-        archive_in(cereal::make_nvp("zoneId", id));
-        auto maybe_direction = string_to_direction.find(direction_as_string);
-        if (maybe_direction == string_to_direction.end()) {
-            reportConfigurationError(
-                "Illegal direction provided for adjacency. Provided direction in configuration: " +
-                direction_as_string
-            );
-        }
-        dir = maybe_direction->second;
-    }
-
-    pair<Zone::Direction, GenericConfigId> getValue() const { return make_pair(dir, id); }
-
-private:
-    Zone::Direction dir;
-    GenericConfigId id;
-};
-
-class TagsValues
-{
-public:
-    static const string req_attrs_ctx_key;
-
-    TagsValues() {}
-
-    template <typename Archive>
-    void
-    serialize(Archive &ar)
-    {
-        I_Environment *env = Singleton::Consume<I_Environment>::by<Zone>();
-        auto req_attrs = env->get<set<string>>(req_attrs_ctx_key);
-        if (!req_attrs.ok()) return;
-
-        for (const string &req_attr : *req_attrs) {
-            try {
-                string data;
-                ar(cereal::make_nvp(req_attr, data));
-                dbgDebug(D_RULEBASE_CONFIG)
-                    << "Found value for requested attribute. Tag: "
-                    << req_attr
-                    << ", Value: "
-                    << data;
-
-                tags_set[req_attr].insert(data);
-            } catch (const exception &e) {
-                dbgDebug(D_RULEBASE_CONFIG) << "Could not find values for requested attribute. Tag: " << req_attr;
-                ar.setNextName(nullptr);
-            }
-        }
-    }
-
-    bool
-    matchValueByKey(const string &requested_key, const unordered_set<string> &possible_values) const
-    {
-        auto values = tags_set.find(requested_key);
-        if (values == tags_set.end()) return false;
-
-        for (const string &val : possible_values) {
-            if (values->second.count(val)) return true;
-        }
-        return false;
-    }
-
-    void
-    insert(const TagsValues &other)
-    {
-        for (auto &single_tags_value : other.getData()) {
-            tags_set[single_tags_value.first].insert(single_tags_value.second.begin(), single_tags_value.second.end());
-        }
-    }
-
-    const unordered_map<string, set<string>> & getData() const { return tags_set; }
-
-private:
-    unordered_map<string, set<string>> tags_set;
-};
-
-const string TagsValues::req_attrs_ctx_key = "requested attributes key";
-
-void
-Zone::load(cereal::JSONInputArchive &archive_in)
-{
-    archive_in(cereal::make_nvp("id", zone_id));
-    archive_in(cereal::make_nvp("name", zone_name));
-    vector<AdjacentZone> adjacency;
-    try {
-        archive_in(cereal::make_nvp("adjacentZones", adjacency));
-    } catch (const cereal::Exception &) {
-        dbgTrace(D_RULEBASE_CONFIG)
-            << "List of adjacentZones does not exist for current object. Zone id: "
-            << zone_id
-            << ", Zone name: "
-            << zone_name;
-
-        archive_in.setNextName(nullptr);
-    }
-
-    for (const AdjacentZone &zone : adjacency) {
-        adjacent_zones.push_back(zone.getValue());
-    }
-
-    archive_in(cereal::make_nvp("match", match_query));
-
-    is_any =
-        match_query.getType() == MatchQuery::MatchType::Condition &&
-        match_query.getKey() == "any" &&
-        match_query.getValue().count("any") > 0;
-
-    set<string> keys = match_query.getAllKeys();
-}
-
-const string
-contextKeyToString(Context::MetaDataType type)
-{
-    if (type == Context::MetaDataType::SubjectIpAddr || type == Context::MetaDataType::OtherIpAddr) return "ip";
-    return Context::convertToString(type);
-}
-
-bool
-Zone::contains(const Asset &asset)
-{
-    QueryRequest request;
-
-    for (const auto &main_attr : asset.getAttrs()) {
-        request.addCondition(Condition::EQUALS, contextKeyToString(main_attr.first), main_attr.second);
-    }
-
-    ScopedContext req_attrs_key;
-    req_attrs_key.registerValue<set<string>>(TagsValues::req_attrs_ctx_key, match_query.getAllKeys());
-
-    I_Intelligence_IS_V2 *intelligence = Singleton::Consume<I_Intelligence_IS_V2>::by<Zone>();
-    auto query_res = intelligence->queryIntelligence<TagsValues>(request);
-    if (!query_res.ok()) {
-        dbgWarning(D_RULEBASE_CONFIG) << "Failed to perform intelligence query. Error: " << query_res.getErr();
-        return false;
-    }
-
-    for (const AssetReply<TagsValues> &asset : query_res.unpack()) {
-        TagsValues tag_values = asset.mergeReplyData();
-
-        if (match_query.matchAttributes(tag_values.getData())) return true;
-    }
-    return false;
-}

components/generic_rulebase/zones_config.cc

@@ -1,114 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "generic_rulebase/zones_config.h"
-
-#include <string>
-#include <unordered_map>
-
-#include "generic_rulebase/generic_rulebase_utils.h"
-#include "config.h"
-#include "ip_utilities.h"
-#include "connkey.h"
-#include "i_generic_rulebase.h"
-
-USE_DEBUG_FLAG(D_RULEBASE_CONFIG);
-
-using namespace std;
-
-void
-ZonesConfig::load(cereal::JSONInputArchive &archive_in)
-{
-    dbgFlow(D_RULEBASE_CONFIG) << "Saving active zones";
-    set<string> used_zones;
-    cereal::load(archive_in, used_zones);
-
-    dbgTrace(D_RULEBASE_CONFIG) << "Loading all zones";
-    auto all_zones_maybe = getSetting<Zones>("rulebase", "zones");
-    if (!all_zones_maybe.ok()) {
-        dbgWarning(D_RULEBASE_CONFIG) << "Failed to load zones";
-        return;
-    }
-
-    dbgTrace(D_RULEBASE_CONFIG) << "Creating cache of all zones by ID";
-    map<GenericConfigId, Zone> all_zones;
-    for (const auto &single_zone : all_zones_maybe.unpack().zones) {
-        if (used_zones.count(single_zone.getId()) > 0 && single_zone.isAnyZone()) {
-            dbgTrace(D_RULEBASE_CONFIG) << "Found used zone of type \"Any\": saving all zones as active zones";
-            zones = all_zones_maybe.unpack().zones;
-            return;
-        }
-
-        dbgDebug(D_RULEBASE_CONFIG)
-            << "Adding specific zone to cache. Zone ID: "
-            << single_zone.getId()
-            << ", name: "
-            << single_zone.getName();
-        all_zones.emplace(single_zone.getId(), single_zone);
-    }
-
-    dbgTrace(D_RULEBASE_CONFIG) << "Creating list of active zones";
-    map<GenericConfigId, Zone> active_zones_set;
-    for (const auto &single_used_zone_id : used_zones) {
-        const auto &found_zone = all_zones[single_used_zone_id];
-        dbgTrace(D_RULEBASE_CONFIG)
-            << "Adding zone to list of active zones. Zone ID: "
-            << single_used_zone_id
-            << ", zone name: "
-            << found_zone.getName();
-        active_zones_set.emplace(found_zone.getId(), found_zone);
-
-        for (const auto &adjacent_zone : found_zone.getAdjacentZones()) {
-            const auto &adjacent_zone_obj = all_zones[adjacent_zone.second];
-            dbgTrace(D_RULEBASE_CONFIG)
-                << "Adding adjacent zone to list of active zones. Zone ID: "
-                << adjacent_zone_obj.getId()
-                << ", zone name: "
-                << adjacent_zone_obj.getName();
-            active_zones_set.emplace(adjacent_zone_obj.getId(), adjacent_zone_obj);
-        }
-    }
-
-    vector<GenericConfigId> implied_zones = {
-        "impliedAzure",
-        "impliedDNS",
-        "impliedSSH",
-        "impliedProxy",
-        "impliedFog"
-    };
-
-    GenericConfigId any_zone_id = "";
-    for (const auto &single_zone : all_zones_maybe.unpack().zones) {
-        if (single_zone.isAnyZone()) any_zone_id = single_zone.getId();
-    }
-    for (GenericConfigId &implied_id: implied_zones) {
-        if (all_zones.find(implied_id) != all_zones.end()) {
-            dbgDebug(D_RULEBASE_CONFIG) << "Adding implied zone to cache. Zone ID: " << implied_id;
-            active_zones_set.emplace(implied_id, all_zones[implied_id]);
-            if (any_zone_id != "" && active_zones_set.count(any_zone_id) == 0) {
-                active_zones_set.emplace(any_zone_id, all_zones[any_zone_id]);
-            }
-        }
-    }
-
-    for (const auto &single_id_zone_pair : active_zones_set) {
-        zones.push_back(single_id_zone_pair.second);
-    }
-}
-
-void
-ZonesConfig::preload()
-{
-    registerExpectedSetting<Zones>("rulebase", "zones");
-    registerExpectedSetting<ZonesConfig>("rulebase", "usedZones");
-}

components/gradual_deployment/gradual_deployment.cc

@@ -128,7 +128,7 @@ private:
                 break;
             }
             default:
-                dbgAssert(false) << "Unsupported IP type";
+                dbgAssert(false) << AlertInfo(AlertTeam::CORE, "gradual deployment") << "Unsupported IP type";
         }
         return address;
     }
@@ -142,7 +142,7 @@ private:
         if (temp_params_list.size() == 1) {
             Maybe<IPAddr> maybe_ip = IPAddr::createIPAddr(temp_params_list[0]);
             if (!maybe_ip.ok()) return genError("Could not create IP address, " + maybe_ip.getErr());
-            IpAddress addr = move(ConvertToIpAddress(maybe_ip.unpackMove()));
+            IpAddress addr = ConvertToIpAddress(maybe_ip.unpackMove());
 
             return move(IPRange{.start = addr, .end = addr});
         }
@@ -157,11 +157,11 @@ private:
             IPAddr max_addr = maybe_ip_max.unpackMove();
             if (min_addr > max_addr) return genError("Could not create ip range - start greater then end");
 
-            IpAddress addr_min = move(ConvertToIpAddress(move(min_addr)));
-            IpAddress addr_max = move(ConvertToIpAddress(move(max_addr)));
+            IpAddress addr_min = ConvertToIpAddress(move(min_addr));
+            IpAddress addr_max = ConvertToIpAddress(move(max_addr));
             if (addr_max.ip_type != addr_min.ip_type) return genError("Range IP's type does not match");
 
-            return move(IPRange{.start = move(addr_min), .end = move(addr_max)});
+            return IPRange{.start = move(addr_min), .end = move(addr_max)};
         }
 
         return genError("Illegal range received: " + range);

components/health_check_manager/health_check_manager_ut/CMakeLists.txt

@@ -1,8 +0,0 @@
-include_directories(${CMAKE_SOURCE_DIR}/components/include)
-link_directories(${BOOST_ROOT}/lib)
-
-add_unit_test(
-    health_check_manager_ut
-    "health_check_manager_ut.cc"
-    "singleton;messaging;mainloop;health_check_manager;event_is;metric;-lboost_regex"
-)

components/http_manager/http_manager.cc

@@ -15,19 +15,18 @@
 
 #include <string>
 #include <map>
-#include <sys/stat.h>
-#include <climits>
 #include <unordered_map>
-#include <boost/range/iterator_range.hpp>
+#include <unordered_set>
+#include <boost/algorithm/string.hpp>
 #include <fstream>
 #include <algorithm>
 
 #include "common.h"
 #include "config.h"
-#include "table_opaque.h"
 #include "http_manager_opaque.h"
 #include "log_generator.h"
 #include "http_inspection_events.h"
+#include "agent_core_utilities.h"
 
 USE_DEBUG_FLAG(D_HTTP_MANAGER);
 
@@ -38,6 +37,7 @@ operator<<(ostream &os, const EventVerdict &event)
 {
     switch (event.getVerdict()) {
         case ngx_http_cp_verdict_e::TRAFFIC_VERDICT_INSPECT: return os << "Inspect";
+        case ngx_http_cp_verdict_e::LIMIT_RESPONSE_HEADERS: return os << "Limit Response Headers";
         case ngx_http_cp_verdict_e::TRAFFIC_VERDICT_ACCEPT: return os << "Accept";
         case ngx_http_cp_verdict_e::TRAFFIC_VERDICT_DROP: return os << "Drop";
         case ngx_http_cp_verdict_e::TRAFFIC_VERDICT_INJECT: return os << "Inject";
@@ -46,7 +46,10 @@ operator<<(ostream &os, const EventVerdict &event)
         case ngx_http_cp_verdict_e::TRAFFIC_VERDICT_WAIT: return os << "Wait";
     }
 
-    dbgAssert(false) << "Illegal Event Verdict value: " << static_cast<uint>(event.getVerdict());
+    dbgAssert(false)
+        << AlertInfo(AlertTeam::CORE, "http manager")
+        << "Illegal Event Verdict value: "
+        << static_cast<uint>(event.getVerdict());
     return os;
 }
 
@@ -91,12 +94,14 @@ public:
         ctx.registerValue(app_sec_marker_key, i_transaction_table->keyToString(), EnvKeyAttr::LogSection::MARKER);
 
         HttpManagerOpaque &state = i_transaction_table->getState<HttpManagerOpaque>();
-        string event_key = static_cast<string>(event.getKey());
-        if (event_key == getProfileAgentSettingWithDefault<string>("", "agent.customHeaderValueLogging")) {
+        
+        const auto &custom_header = getProfileAgentSettingWithDefault<string>("", "agent.customHeaderValueLogging");
+        
+        if (event.getKey().isEqualLowerCase(custom_header)) {
             string event_value = static_cast<string>(event.getValue());
             dbgTrace(D_HTTP_MANAGER)
                 << "Found header key and value - ("
-                << event_key
+                << custom_header
                 << ": "
                 << event_value
                 << ") that matched agent settings";
@@ -192,7 +197,6 @@ public:
         if (state.getUserDefinedValue().ok()) {
             ctx.registerValue("UserDefined", state.getUserDefinedValue().unpack(), EnvKeyAttr::LogSection::DATA);
         }
-
         return handleEvent(EndRequestEvent().performNamedQuery());
     }
 
@@ -320,9 +324,13 @@ private:
                 << respond.second.getVerdict();
 
             state.setApplicationVerdict(respond.first, respond.second.getVerdict());
+            state.setApplicationWebResponse(respond.first, respond.second.getWebUserResponseByPractice());
         }
-
-        return state.getCurrVerdict();
+        FilterVerdict aggregated_verdict(state.getCurrVerdict(), state.getCurrWebUserResponse());
+        if (aggregated_verdict.getVerdict() == ngx_http_cp_verdict_e::TRAFFIC_VERDICT_DROP) {
+            SecurityAppsDropEvent(state.getCurrentDropVerdictCausers()).notify();
+        }
+        return aggregated_verdict;
     }
 
     static void

components/http_manager/http_manager_opaque.cc

@@ -32,6 +32,13 @@ HttpManagerOpaque::setApplicationVerdict(const string &app_name, ngx_http_cp_ver
     applications_verdicts[app_name] = verdict;
 }
 
+void
+HttpManagerOpaque::setApplicationWebResponse(const string &app_name, string web_user_response_id)
+{
+    dbgTrace(D_HTTP_MANAGER) << "Security app: " << app_name << ", has web user response: " << web_user_response_id;
+    applications_web_user_response[app_name] = web_user_response_id;
+}
+
 ngx_http_cp_verdict_e
 HttpManagerOpaque::getApplicationsVerdict(const string &app_name) const
 {
@@ -51,8 +58,12 @@ HttpManagerOpaque::getCurrVerdict() const
     for (const auto &app_verdic_pair : applications_verdicts) {
         switch (app_verdic_pair.second) {
             case ngx_http_cp_verdict_e::TRAFFIC_VERDICT_DROP:
+                dbgTrace(D_HTTP_MANAGER) << "Verdict DROP for app: " << app_verdic_pair.first;
+                current_web_user_response = applications_web_user_response.at(app_verdic_pair.first);
+                dbgTrace(D_HTTP_MANAGER) << "current_web_user_response=" << current_web_user_response;
                 return app_verdic_pair.second;
             case ngx_http_cp_verdict_e::TRAFFIC_VERDICT_INJECT:
+                // Sent in ResponseHeaders and ResponseBody.
                 verdict = ngx_http_cp_verdict_e::TRAFFIC_VERDICT_INJECT;
                 break;
             case ngx_http_cp_verdict_e::TRAFFIC_VERDICT_ACCEPT:
@@ -60,15 +71,21 @@ HttpManagerOpaque::getCurrVerdict() const
                 break;
             case ngx_http_cp_verdict_e::TRAFFIC_VERDICT_INSPECT:
                 break;
+            case ngx_http_cp_verdict_e::LIMIT_RESPONSE_HEADERS:
+                // Sent in End Request.
+                verdict = ngx_http_cp_verdict_e::LIMIT_RESPONSE_HEADERS;
+                break;
             case ngx_http_cp_verdict_e::TRAFFIC_VERDICT_IRRELEVANT:
                 dbgTrace(D_HTTP_MANAGER) << "Verdict 'Irrelevant' is not yet supported. Returning Accept";
                 accepted_apps++;
                 break;
             case ngx_http_cp_verdict_e::TRAFFIC_VERDICT_WAIT:
+                // Sent in Request Headers and Request Body.
                 verdict = ngx_http_cp_verdict_e::TRAFFIC_VERDICT_WAIT;
                 break;
             default:
                 dbgAssert(false)
+                    << AlertInfo(AlertTeam::CORE, "http manager")
                     << "Received unknown verdict "
                     << static_cast<int>(app_verdic_pair.second);
         }
@@ -77,6 +94,25 @@ HttpManagerOpaque::getCurrVerdict() const
     return accepted_apps == applications_verdicts.size() ? ngx_http_cp_verdict_e::TRAFFIC_VERDICT_ACCEPT : verdict;
 }
 
+std::set<std::string>
+HttpManagerOpaque::getCurrentDropVerdictCausers() const
+{
+    std::set<std::string> causers;
+    if (manager_verdict == ngx_http_cp_verdict_e::TRAFFIC_VERDICT_DROP) {
+        causers.insert(HTTP_MANAGER_NAME);
+    }
+    for (const auto &app_verdic_pair : applications_verdicts) {
+        bool was_dropped = app_verdic_pair.second == ngx_http_cp_verdict_e::TRAFFIC_VERDICT_DROP;
+        dbgTrace(D_HTTP_MANAGER)
+            << "The verdict from: " << app_verdic_pair.first
+            << (was_dropped ? " is \"drop\"" : " is not \"drop\" ");
+        if (was_dropped) {
+            causers.insert(app_verdic_pair.first);
+        }
+    }
+    return causers;
+}
+
 void
 HttpManagerOpaque::saveCurrentDataToCache(const Buffer &full_data)
 {

components/http_manager/http_manager_opaque.h

@@ -20,16 +20,21 @@
 #include "table_opaque.h"
 #include "nginx_attachment_common.h"
 
+static const std::string HTTP_MANAGER_NAME = "HTTP Manager";
+
 class HttpManagerOpaque : public TableOpaqueSerialize<HttpManagerOpaque>
 {
 public:
     HttpManagerOpaque();
 
     void setApplicationVerdict(const std::string &app_name, ngx_http_cp_verdict_e verdict);
+    void setApplicationWebResponse(const std::string &app_name, std::string web_user_response_id);
     ngx_http_cp_verdict_e getApplicationsVerdict(const std::string &app_name) const;
     void setManagerVerdict(ngx_http_cp_verdict_e verdict) { manager_verdict = verdict; }
     ngx_http_cp_verdict_e getManagerVerdict() const { return manager_verdict; }
     ngx_http_cp_verdict_e getCurrVerdict() const;
+    const std::string & getCurrWebUserResponse() const { return current_web_user_response; };
+    std::set<std::string> getCurrentDropVerdictCausers() const;
     void saveCurrentDataToCache(const Buffer &full_data);
     void setUserDefinedValue(const std::string &value) { user_defined_value = value; }
     Maybe<std::string> getUserDefinedValue() const { return user_defined_value; }
@@ -49,6 +54,8 @@ public:
 
 private:
     std::unordered_map<std::string, ngx_http_cp_verdict_e> applications_verdicts;
+    std::unordered_map<std::string, std::string> applications_web_user_response;
+    mutable std::string current_web_user_response;
     ngx_http_cp_verdict_e manager_verdict = ngx_http_cp_verdict_e::TRAFFIC_VERDICT_INSPECT;
     Buffer prev_data_cache;
     uint aggregated_payload_size = 0;

components/include/central_nginx_manager.h

@@ -0,0 +1,45 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __CENTRAL_NGINX_MANAGER_H__
+#define __CENTRAL_NGINX_MANAGER_H__
+
+#include "component.h"
+#include "singleton.h"
+#include "i_messaging.h"
+#include "i_rest_api.h"
+#include "i_mainloop.h"
+#include "i_agent_details.h"
+
+class CentralNginxManager
+        :
+    public Component,
+    Singleton::Consume<I_RestApi>,
+    Singleton::Consume<I_Messaging>,
+    Singleton::Consume<I_MainLoop>,
+    Singleton::Consume<I_AgentDetails>
+{
+public:
+    CentralNginxManager();
+    ~CentralNginxManager();
+
+    void preload() override;
+    void init() override;
+    void fini() override;
+
+private:
+    class Impl;
+    std::unique_ptr<Impl> pimpl;
+};
+
+#endif // __CENTRAL_NGINX_MANAGER_H__

components/include/details_resolver.h

@@ -34,6 +34,7 @@ public:
     ~DetailsResolver();
 
     void preload() override;
+    void init() override;
 
 private:
     class Impl;

components/include/downloader.h

@@ -21,6 +21,7 @@
 #include "url_parser.h"
 #include "i_agent_details.h"
 #include "i_mainloop.h"
+#include "i_environment.h"
 #include "singleton.h"
 #include "component.h"
 
@@ -32,6 +33,7 @@ class Downloader
     Singleton::Consume<I_Encryptor>,
     Singleton::Consume<I_MainLoop>,
     Singleton::Consume<I_OrchestrationTools>,
+    Singleton::Consume<I_Environment>,
     Singleton::Consume<I_UpdateCommunication>
 {
 public:

components/include/external_sdk_server.h

@@ -24,7 +24,8 @@ class ExternalSdkServer
         :
     public Component,
     Singleton::Provide<I_ExternalSdkServer>,
-    Singleton::Consume<I_RestApi>
+    Singleton::Consume<I_RestApi>,
+    Singleton::Consume<I_Messaging>
 {
 public:
     ExternalSdkServer();

components/include/generic_rulebase/evaluators/http_transaction_data_eval.h

@@ -45,6 +45,19 @@ private:
     std::string host;
 };
 
+class EqualWafTag : public EnvironmentEvaluator<bool>, Singleton::Consume<I_Environment>
+{
+public:
+EqualWafTag(const std::vector<std::string> &params);
+
+    static std::string getName() { return "EqualWafTag"; }
+
+    Maybe<bool, Context::Error> evalVariable() const override;
+
+private:
+    std::string waf_tag;
+};
+
 class EqualListeningIP : public EnvironmentEvaluator<bool>, Singleton::Consume<I_Environment>
 {
 public:

components/include/generic_rulebase/match_query.h

@@ -89,7 +89,9 @@ private:
     bool matchAttributesRegEx(const std::set<std::string> &values,
             std::set<std::string> &matched_override_keywords) const;
     bool matchAttributesString(const std::set<std::string> &values) const;
+    bool matchAttributesIp(const std::set<std::string> &values) const;
     bool isRegEx() const;
+    void sortAndMergeIpRangesValues();
 
     MatchType type;
     Operators operator_type;

components/include/generic_rulebase/triggers_config.h

@@ -317,12 +317,12 @@ public:
     {
         return url_for_cef;
     }
+    Flags<ReportIS::StreamType> getStreams(SecurityType security_type, bool is_action_drop_or_prevent) const;
+    Flags<ReportIS::Enreachments> getEnrechments(SecurityType security_type) const;
 
 private:
     ReportIS::Severity getSeverity(bool is_action_drop_or_prevent) const;
     ReportIS::Priority getPriority(bool is_action_drop_or_prevent) const;
-    Flags<ReportIS::StreamType> getStreams(SecurityType security_type, bool is_action_drop_or_prevent) const;
-    Flags<ReportIS::Enreachments> getEnrechments(SecurityType security_type) const;
 
     std::string name;
     std::string verbosity;
@@ -339,4 +339,32 @@ private:
     bool should_format_output = false;
 };
 
+class ReportTriggerConf
+{
+public:
+    /// \brief Default constructor for ReportTriggerConf.
+    ReportTriggerConf() {}
+
+    /// \brief Preload function to register expected configuration.
+    static void
+    preload()
+    {
+        registerExpectedConfiguration<ReportTriggerConf>("rulebase", "report");
+    }
+
+    /// \brief Load function to deserialize configuration from JSONInputArchive.
+    /// \param archive_in The JSON input archive.
+    void load(cereal::JSONInputArchive &archive_in);
+
+    /// \brief Get the name.
+    /// \return The name.
+    const std::string &
+    getName() const
+    {
+        return name;
+    }
+private:
+    std::string name;
+};
+
 #endif //__TRIGGERS_CONFIG_H__

components/include/health_checker.h

@@ -21,6 +21,7 @@
 #include "i_shell_cmd.h"
 #include "i_orchestration_status.h"
 #include "component.h"
+#include "i_service_controller.h"
 
 class HealthChecker
         :
@@ -29,7 +30,8 @@ class HealthChecker
     Singleton::Consume<I_Socket>,
     Singleton::Consume<I_Health_Check_Manager>,
     Singleton::Consume<I_ShellCmd>,
-    Singleton::Consume<I_OrchestrationStatus>
+    Singleton::Consume<I_OrchestrationStatus>,
+    Singleton::Consume<I_ServiceController>
 {
 public:
     HealthChecker();

components/include/http_event_impl/filter_verdict.h

@@ -27,9 +27,18 @@ public:
         verdict(_verdict)
     {}
 
+    FilterVerdict(
+        ngx_http_cp_verdict_e _verdict,
+        const std::string &_web_reponse_id)
+            :
+        verdict(_verdict),
+        web_user_response_id(_web_reponse_id)
+    {}
+
     FilterVerdict(const EventVerdict &_verdict, ModifiedChunkIndex _event_idx = -1)
             :
-        verdict(_verdict.getVerdict())
+        verdict(_verdict.getVerdict()),
+        web_user_response_id(_verdict.getWebUserResponseByPractice())
     {
         if (verdict == ngx_http_cp_verdict_e::TRAFFIC_VERDICT_INJECT) {
             addModifications(_verdict.getModifications(), _event_idx);
@@ -59,10 +68,12 @@ public:
     uint getModificationsAmount() const { return total_modifications; }
     ngx_http_cp_verdict_e getVerdict() const { return verdict; }
     const std::vector<EventModifications> & getModifications() const { return modifications; }
+    const std::string getWebUserResponseID() const { return web_user_response_id; }
 
 private:
     ngx_http_cp_verdict_e verdict = ngx_http_cp_verdict_e::TRAFFIC_VERDICT_INSPECT;
     std::vector<EventModifications> modifications;
+    std::string web_user_response_id;
     uint total_modifications = 0;
 };
 

components/include/http_event_impl/i_http_event_impl.h

@@ -50,9 +50,11 @@ public:
         position(mod_position)
     {
         dbgAssert(mod_type != ModificationType::APPEND || position == injection_pos_irrelevant)
+            << AlertInfo(AlertTeam::CORE, "http manager")
             << "Injection position is not applicable to a modification of type \"Append\"";
 
         dbgAssert(mod_type != ModificationType::INJECT || position >= 0)
+            << AlertInfo(AlertTeam::CORE, "http manager")
             << "Invalid injection position: must be non-negative. Position: "
             << position;
     }
@@ -166,6 +168,7 @@ private:
             }
             default:
                 dbgAssert(false)
+                    << AlertInfo(AlertTeam::CORE, "http manager")
                     << "Unknown type of ModificationType: "
                     << static_cast<int>(modification_type);
         }
@@ -236,6 +239,7 @@ public:
     const Buffer & getValue() const { return value; }
 
     bool isLastHeader() const { return is_last_header; }
+    void setIsLastHeader() { is_last_header = true; }
     uint8_t getHeaderIndex() const { return header_index; }
 
 private:
@@ -372,16 +376,31 @@ public:
         verdict(event_verdict)
     {}
 
+    EventVerdict(
+        const ModificationList &mods,
+        ngx_http_cp_verdict_e event_verdict,
+        std::string response_id) :
+        modifications(mods),
+        verdict(event_verdict),
+        webUserResponseByPractice(response_id)
+    {}
+
 // LCOV_EXCL_START - sync functions, can only be tested once the sync module exists
     template <typename T> void serialize(T &ar, uint) { ar(verdict); }
 // LCOV_EXCL_STOP
 
     const ModificationList & getModifications() const { return modifications; }
     ngx_http_cp_verdict_e getVerdict() const { return verdict; }
+    const std::string getWebUserResponseByPractice() const { return webUserResponseByPractice; }
+    void setWebUserResponseByPractice(const std::string id) {
+        dbgTrace(D_HTTP_MANAGER) << "current verdict web user response set to: " << id;
+        webUserResponseByPractice = id;
+    }
 
 private:
     ModificationList modifications;
     ngx_http_cp_verdict_e verdict = ngx_http_cp_verdict_e::TRAFFIC_VERDICT_INSPECT;
+    std::string webUserResponseByPractice;
 };
 
 #endif // __I_HTTP_EVENT_IMPL_H__

components/include/http_geo_filter.h

@@ -15,7 +15,8 @@ class HttpGeoFilter
     public Component,
     Singleton::Consume<I_MainLoop>,
     Singleton::Consume<I_GeoLocation>,
-    Singleton::Consume<I_GenericRulebase>
+    Singleton::Consume<I_GenericRulebase>,
+    Singleton::Consume<I_Environment>
 {
 public:
     HttpGeoFilter();

components/include/http_inspection_events.h

@@ -183,4 +183,16 @@ class WaitTransactionEvent : public Event<WaitTransactionEvent, EventVerdict>
 {
 };
 
+class SecurityAppsDropEvent : public Event<SecurityAppsDropEvent>
+{
+public:
+    SecurityAppsDropEvent(
+        const std::set<std::string> &apps_names)
+            :
+        apps_names(apps_names) {}
+    const std::set<std::string> & getAppsNames() const { return apps_names; }
+
+private:
+    const std::set<std::string> apps_names;
+};
 #endif // __HTTP_INSPECTION_EVENTS_H__

components/include/http_transaction_data.h

@@ -72,7 +72,8 @@ public:
             parsed_uri,
             client_ip,
             client_port,
-            response_content_encoding
+            response_content_encoding,
+            waf_tag
         );
     }
 
@@ -91,7 +92,8 @@ public:
             parsed_uri,
             client_ip,
             client_port,
-            response_content_encoding
+            response_content_encoding,
+            waf_tag
         );
     }
 // LCOV_EXCL_STOP
@@ -122,6 +124,9 @@ public:
         response_content_encoding = _response_content_encoding;
     }
 
+    const std::string & getWafTag() const { return waf_tag; }
+    void setWafTag(const std::string &_waf_tag) { waf_tag = _waf_tag; }
+
     static const std::string http_proto_ctx;
     static const std::string method_ctx;
     static const std::string host_name_ctx;
@@ -136,6 +141,8 @@ public:
     static const std::string req_body;
     static const std::string source_identifier;
     static const std::string proxy_ip_ctx;
+    static const std::string xff_vals_ctx;
+    static const std::string waf_tag_ctx;
 
     static const CompressionType default_response_content_encoding;
 
@@ -152,6 +159,7 @@ private:
     uint16_t client_port;
     bool is_request;
     CompressionType response_content_encoding;
+    std::string waf_tag;
 };
 
 #endif // __HTTP_TRANSACTION_DATA_H__

components/include/i_details_resolver.h

@@ -26,10 +26,13 @@ public:
     virtual Maybe<std::string> getArch() = 0;
     virtual std::string getAgentVersion() = 0;
     virtual bool isKernelVersion3OrHigher() = 0;
+    virtual bool isGw() = 0;
     virtual bool isGwNotVsx() = 0;
     virtual bool isVersionAboveR8110() = 0;
     virtual bool isReverseProxy() = 0;
-    virtual Maybe<std::tuple<std::string, std::string, std::string>> parseNginxMetadata() = 0;
+    virtual bool isCloudStorageEnabled() = 0;
+    virtual Maybe<std::tuple<std::string, std::string, std::string, std::string>> parseNginxMetadata() = 0;
+    virtual Maybe<std::tuple<std::string, std::string, std::string, std::string, std::string>> readCloudMetadata() = 0;
     virtual std::map<std::string, std::string> getResolvedDetails() = 0;
 #if defined(gaia) || defined(smb)
     virtual bool compareCheckpointVersion(int cp_version, std::function<bool(int, int)> compare_operator) const = 0;

components/include/i_downloader.h

@@ -22,7 +22,7 @@
 class I_Downloader
 {
 public:
-    virtual Maybe<std::string> downloadFileFromFog(
+    virtual Maybe<std::string> downloadFile(
         const std::string &checksum,
         Package::ChecksumTypes,
         const GetResourceFile &resourse_file

components/include/i_orchestration_tools.h

@@ -117,7 +117,7 @@ public:
         const std::string &conf_path) const = 0;
     virtual bool copyFile(const std::string &src_path, const std::string &dst_path) const = 0;
     virtual bool doesFileExist(const std::string &file_path) const = 0;
-    virtual void getClusterId() const = 0;
+    virtual void setClusterId() const = 0;
     virtual void fillKeyInJson(
         const std::string &filename,
         const std::string &_key,

components/include/i_service_controller.h

@@ -64,7 +64,9 @@ public:
         const std::string &service_id
     ) = 0;
 
-    virtual std::map<std::string, PortNumber> getServiceToPortMap() = 0;
+    virtual std::map<std::string, std::vector<PortNumber>> getServiceToPortMap() = 0;
+
+    virtual bool getServicesPolicyStatus() const = 0;
 
 protected:
     virtual ~I_ServiceController() {}

components/include/i_update_communication.h

@@ -32,6 +32,7 @@ public:
         const std::string &policy_versions
     ) const = 0;
     virtual Maybe<void> authenticateAgent() = 0;
+    virtual void registerLocalAgentToFog() = 0;
     virtual Maybe<void> getUpdate(CheckUpdateRequest &request) = 0;
     virtual Maybe<std::string> downloadAttributeFile(
         const GetResourceFile &resourse_file,

components/include/i_waap_telemetry.h

@@ -27,6 +27,7 @@ struct DecisionTelemetryData
     int responseCode;
     uint64_t elapsedTime;
     std::set<std::string> attackTypes;
+    bool temperatureDetected;
 
     DecisionTelemetryData() :
         blockType(NOT_BLOCKING),
@@ -38,7 +39,8 @@ struct DecisionTelemetryData
         method(POST),
         responseCode(0),
         elapsedTime(0),
-        attackTypes()
+        attackTypes(),
+        temperatureDetected(false)
     {
     }
 };

components/include/ip_utilities.h

@@ -28,8 +28,9 @@
 
 // LCOV_EXCL_START Reason: temporary until we add relevant UT until 07/10
 bool operator<(const IpAddress &this_ip_addr, const IpAddress &other_ip_addr);
-
 bool operator==(const IpAddress &this_ip_addr, const IpAddress &other_ip_addr);
+bool operator<=(const IpAddress &this_ip_addr, const IpAddress &other_ip_addr);
+bool operator<(const IPRange &range1, const IPRange &range2);
 // LCOV_EXCL_STOP
 
 Maybe<std::pair<std::string, int>> extractAddressAndMaskSize(const std::string &cidr);

components/include/ips_comp.h

@@ -4,6 +4,7 @@
 #include "singleton.h"
 #include "i_keywords_rule.h"
 #include "i_table.h"
+#include "i_mainloop.h"
 #include "i_http_manager.h"
 #include "i_environment.h"
 #include "http_inspection_events.h"
@@ -16,7 +17,8 @@ class IPSComp
     Singleton::Consume<I_KeywordsRule>,
     Singleton::Consume<I_Table>,
     Singleton::Consume<I_Environment>,
-    Singleton::Consume<I_GenericRulebase>
+    Singleton::Consume<I_GenericRulebase>,
+    Singleton::Consume<I_MainLoop>
 {
 public:
     IPSComp();

components/include/manifest_handler.h

@@ -62,6 +62,7 @@ public:
 
 private:
     Maybe<std::string> downloadPackage(const Package &package, bool is_clean_installation);
+    std::string getCurrentTimestamp();
 
     std::string manifest_file_path;
     std::string temp_ext;

components/include/nginx_message_reader.h

@@ -0,0 +1,28 @@
+#ifndef __NGINX_MESSAGE_READER_H__
+#define __NGINX_MESSAGE_READER_H__
+
+#include "singleton.h"
+#include "i_mainloop.h"
+#include "i_socket_is.h"
+#include "component.h"
+
+class NginxMessageReader
+        :
+    public Component,
+    Singleton::Consume<I_MainLoop>,
+    Singleton::Consume<I_Socket>
+{
+public:
+    NginxMessageReader();
+    ~NginxMessageReader();
+
+    void init() override;
+    void fini() override;
+    void preload() override;
+
+private:
+    class Impl;
+    std::unique_ptr<Impl> pimpl;
+};
+
+#endif //__NGINX_MESSAGE_READER_H__

components/include/nginx_utils.h

@@ -0,0 +1,51 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __NGINX_UTILS_H__
+#define __NGINX_UTILS_H__
+
+#include <string>
+
+#include "maybe_res.h"
+#include "singleton.h"
+#include "i_shell_cmd.h"
+
+class NginxConfCollector
+{
+public:
+    NginxConfCollector(const std::string &nginx_conf_input_path, const std::string &nginx_conf_output_path);
+    Maybe<std::string> generateFullNginxConf() const;
+
+private:
+    std::vector<std::string> expandIncludes(const std::string &includePattern) const;
+    void processConfigFile(
+        const std::string &path,
+        std::ostringstream &conf_output,
+        std::vector<std::string> &errors
+    ) const;
+
+    std::string main_conf_input_path;
+    std::string main_conf_output_path;
+    std::string main_conf_directory_path;
+};
+
+class NginxUtils : Singleton::Consume<I_ShellCmd>
+{
+public:
+    static std::string getModulesPath();
+    static std::string getMainNginxConfPath();
+    static Maybe<void> validateNginxConf(const std::string &nginx_conf_path);
+    static Maybe<void> reloadNginx(const std::string &nginx_conf_path);
+};
+
+#endif // __NGINX_UTILS_H__

components/include/orchestration_comp.h

@@ -31,6 +31,7 @@
 #include "i_environment.h"
 #include "i_tenant_manager.h"
 #include "i_package_handler.h"
+#include "i_proxy_configuration.h"
 #include "i_env_details.h"
 #include "component.h"
 
@@ -54,7 +55,8 @@ class OrchestrationComp
     Singleton::Consume<I_UpdateCommunication>,
     Singleton::Consume<I_Downloader>,
     Singleton::Consume<I_ManifestController>,
-    Singleton::Consume<I_EnvDetails>
+    Singleton::Consume<I_EnvDetails>,
+    Singleton::Consume<I_ProxyConfiguration>
 {
 public:
     OrchestrationComp();

components/include/orchestration_status.h

@@ -40,7 +40,7 @@ public:
     ~OrchestrationStatus();
 
     void init() override;
-    
+
 private:
     class Impl;
     std::unique_ptr<Impl> pimpl;

components/include/orchestrator/rest_api/get_resource_file.h

@@ -115,7 +115,7 @@ public:
             case ResourceFileType::VIRTUAL_SETTINGS: return "virtualSettings";
             case ResourceFileType::VIRTUAL_POLICY:   return "virtualPolicy";
             default:
-                dbgAssert(false) << "Unknown file type";
+                dbgAssert(false) << AlertInfo(AlertTeam::CORE, "update process") << "Unknown file type";
         }
         return std::string();
     }

components/include/package.h

@@ -56,7 +56,7 @@ private:
             if (mapped_type.second == type) return mapped_type.first;
         }
 
-        dbgAssert(false) << "Unsupported type " << static_cast<int>(type);
+        dbgAssert(false) << AlertInfo(AlertTeam::CORE, "packaging") << "Unsupported type " << static_cast<int>(type);
         // Just satisfying the compiler, this return never reached
         return std::string();
     }

components/include/package_handler.h

@@ -17,6 +17,7 @@
 #include "i_package_handler.h"
 #include "i_orchestration_tools.h"
 #include "i_shell_cmd.h"
+#include "i_environment.h"
 #include "component.h"
 
 class PackageHandler
@@ -24,7 +25,8 @@ class PackageHandler
     public Component,
     Singleton::Provide<I_PackageHandler>,
     Singleton::Consume<I_ShellCmd>,
-    Singleton::Consume<I_OrchestrationTools>
+    Singleton::Consume<I_OrchestrationTools>,
+    Singleton::Consume<I_Environment>
 {
 public:
     PackageHandler();

components/include/prometheus_comp.h

@@ -0,0 +1,30 @@
+#ifndef __PROMETHEUS_COMP_H__
+#define __PROMETHEUS_COMP_H__
+
+#include <memory>
+
+#include "component.h"
+#include "singleton.h"
+
+#include "i_rest_api.h"
+#include "i_messaging.h"
+#include "generic_metric.h"
+
+class PrometheusComp
+        :
+    public Component,
+    Singleton::Consume<I_RestApi>,
+    Singleton::Consume<I_Messaging>
+{
+public:
+    PrometheusComp();
+    ~PrometheusComp();
+
+    void init() override;
+
+private:
+    class Impl;
+    std::unique_ptr<Impl> pimpl;
+};
+
+#endif // __PROMETHEUS_COMP_H__

components/include/rate_limit.h

@@ -7,15 +7,21 @@
 #include "singleton.h"
 #include "i_mainloop.h"
 #include "i_environment.h"
+#include "i_geo_location.h"
 #include "i_generic_rulebase.h"
+#include "i_shell_cmd.h"
+#include "i_env_details.h"
 
 class RateLimit
     :
     public Component,
     Singleton::Consume<I_MainLoop>,
     Singleton::Consume<I_TimeGet>,
+    Singleton::Consume<I_GeoLocation>,
     Singleton::Consume<I_Environment>,
-    Singleton::Consume<I_GenericRulebase>
+    Singleton::Consume<I_GenericRulebase>,
+    Singleton::Consume<I_ShellCmd>,
+    Singleton::Consume<I_EnvDetails>
 {
 public:
     RateLimit();

components/include/reverse_proxy_defaults.h

@@ -7,24 +7,28 @@ static const std::string product_name = getenv("DOCKER_RPM_ENABLED") ? "CloudGua
 static const std::string default_cp_cert_file = "/etc/cp/cpCert.pem";
 static const std::string default_cp_key_file = "/etc/cp/cpKey.key";
 static const std::string default_rpm_conf_path = "/etc/cp/conf/rpmanager/";
+
 static const std::string default_certificate_path = "/etc/cp/rpmanager/certs";
+static const std::string default_manual_certs_path = "/etc/cp/rpmanager/manualCerts/";
+static const std::string default_config_path = "/etc/cp/conf/rpmanager/servers";
+static const std::string default_rpm_prepare_path = "/etc/cp/conf/rpmanager/prepare/servers";
+
+static const std::string default_nginx_log_files_path = "/var/log/nginx/";
 static const std::string default_additional_files_path = "/etc/cp/conf/rpmanager/include";
 static const std::string default_server_config = "additional_server_config.conf";
 static const std::string default_location_config = "additional_location_config.conf";
 static const std::string default_trusted_ca_suffix = "_user_ca_bundle.crt";
-static const std::string default_nginx_log_files_path = "/var/log/nginx/";
 static const std::string default_log_files_host_path = "/var/log/nano_agent/rpmanager/nginx_log/";
-static const std::string default_config_path = "/etc/cp/conf/rpmanager/servers";
 static const std::string default_template_path = "/etc/cp/conf/rpmanager/nginx-template-clear";
-static const std::string default_manual_certs_path = "/etc/cp/rpmanager/manualCerts/";
 static const std::string default_server_certificate_path = "/etc/cp/rpmanager/certs/sslCertificate_";
 static const std::string default_server_certificate_key_path = "/etc/cp/rpmanager/certs/sslPrivateKey_";
 static const std::string default_container_name = "cp_nginx_gaia";
 static const std::string default_docker_image = "cp_nginx_gaia";
 static const std::string default_nginx_config_file = "/etc/cp/conf/rpmanager/nginx.conf";
+static const std::string default_prepare_nginx_config_file = "/etc/cp/conf/rpmanager/nginx_prepare.conf";
 static const std::string default_global_conf_template = "/etc/cp/conf/rpmanager/nginx-conf-template";
 static const std::string default_nginx_config_include_file =
-    "/etc/cp/conf/rpmanager/servers/nginx_conf_include";
+    "/etc/cp/conf/rpmanager/servers/00_nginx_conf_include.conf";
 static const std::string default_global_conf_include_template =
     "/etc/cp/conf/rpmanager/nginx-conf-include-template";
 static const std::string default_global_conf_include_template_no_responses =

components/include/service_health_status.h

@@ -0,0 +1,39 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __SERVICE_HEALTH_STATUS_H__
+#define __SERVICE_HEALTH_STATUS_H__
+
+#include "singleton.h"
+#include "i_rest_api.h"
+#include "i_environment.h"
+#include "component.h"
+
+class ServiceHealthStatus
+        :
+    public Component,
+    Singleton::Consume<I_RestApi>,
+    Singleton::Consume<I_Environment>
+{
+public:
+    ServiceHealthStatus();
+    ~ServiceHealthStatus();
+
+    void init() override;
+
+private:
+    class Impl;
+    std::unique_ptr<Impl> pimpl;
+};
+
+#endif // __SERVICE_HEALTH_STATUS_H__

components/include/telemetry.h

@@ -30,6 +30,7 @@
 #include "generic_metric.h"
 
 #define LOGGING_INTERVAL_IN_MINUTES 10
+USE_DEBUG_FLAG(D_WAAP);
 enum class AssetType { API, WEB, ALL, COUNT };
 
 class WaapTelemetryEvent : public Event<WaapTelemetryEvent>
@@ -75,6 +76,20 @@ private:
     std::unordered_set<std::string> sources_seen;
 };
 
+class WaapAdditionalTrafficTelemetrics : public WaapTelemetryBase
+{
+public:
+    void updateMetrics(const std::string &asset_id, const DecisionTelemetryData &data);
+    void initMetrics();
+
+private:
+    MetricCalculations::Counter requests{this, "reservedNgenA"};
+    MetricCalculations::Counter sources{this, "reservedNgenB"};
+    MetricCalculations::Counter blocked{this, "reservedNgenC"};
+    MetricCalculations::Counter temperature_count{this, "reservedNgenD"};
+    std::unordered_set<std::string> sources_seen;
+};
+
 class WaapTrafficTelemetrics : public WaapTelemetryBase
 {
 public:
@@ -123,6 +138,7 @@ private:
     std::map<std::string, std::shared_ptr<WaapTrafficTelemetrics>> traffic_telemetries;
     std::map<std::string, std::shared_ptr<WaapAttackTypesMetrics>> attack_types;
     std::map<std::string, std::shared_ptr<WaapAttackTypesMetrics>> attack_types_telemetries;
+    std::map<std::string, std::shared_ptr<WaapAdditionalTrafficTelemetrics>> additional_traffic_telemetries;
 
     template <typename T>
     void initializeTelemetryData(
@@ -132,6 +148,7 @@ private:
         std::map<std::string, std::shared_ptr<T>>& telemetryMap
     ) {
         if (!telemetryMap.count(asset_id)) {
+            dbgTrace(D_WAAP) << "creating telemetry data for asset: " << data.assetName;
             telemetryMap.emplace(asset_id, std::make_shared<T>());
             telemetryMap[asset_id]->init(
                 telemetryName,
@@ -139,7 +156,9 @@ private:
                 ReportIS::IssuingEngine::AGENT_CORE,
                 std::chrono::minutes(LOGGING_INTERVAL_IN_MINUTES),
                 true,
-                ReportIS::Audience::SECURITY
+                ReportIS::Audience::SECURITY,
+                false,
+                asset_id
             );
 
             telemetryMap[asset_id]->template registerContext<std::string>(
@@ -152,29 +171,30 @@ private:
                 std::string("Web Application"),
                 EnvKeyAttr::LogSection::SOURCE
             );
-            telemetryMap[asset_id]->template registerContext<std::string>(
-                "assetId",
-                asset_id,
-                EnvKeyAttr::LogSection::SOURCE
-            );
-            telemetryMap[asset_id]->template registerContext<std::string>(
-                "assetName",
-                data.assetName,
-                EnvKeyAttr::LogSection::SOURCE
-            );
-            telemetryMap[asset_id]->template registerContext<std::string>(
-                "practiceId",
-                data.practiceId,
-                EnvKeyAttr::LogSection::SOURCE
-            );
-            telemetryMap[asset_id]->template registerContext<std::string>(
-                "practiceName",
-                data.practiceName,
-                EnvKeyAttr::LogSection::SOURCE
-            );
-
             telemetryMap[asset_id]->registerListener();
         }
+        dbgTrace(D_WAAP) << "updating telemetry data for asset: " << data.assetName;
+
+        telemetryMap[asset_id]->template registerContext<std::string>(
+            "assetId",
+            asset_id,
+            EnvKeyAttr::LogSection::SOURCE
+        );
+        telemetryMap[asset_id]->template registerContext<std::string>(
+            "assetName",
+            data.assetName,
+            EnvKeyAttr::LogSection::SOURCE
+        );
+        telemetryMap[asset_id]->template registerContext<std::string>(
+            "practiceId",
+            data.practiceId,
+            EnvKeyAttr::LogSection::SOURCE
+        );
+        telemetryMap[asset_id]->template registerContext<std::string>(
+            "practiceName",
+            data.practiceName,
+            EnvKeyAttr::LogSection::SOURCE
+        );
     }
 };
 

components/include/url_parser.h

@@ -35,8 +35,10 @@ public:
     bool isOverSSL() const { return over_ssl; }
     std::string getPort() const { return port; }
     std::string getQuery() const { return query; }
+    std::string getHost() const;
     URLProtocol getProtocol() const { return protocol; }
     std::string toString() const;
+    void setHost(const std::string &new_host);
     void setQuery(const std::string &new_query);
 
 private:
@@ -47,6 +49,7 @@ private:
     std::string base_url;
     std::string port;
     std::string query;
+    std::string host;
     URLProtocol protocol;
 };
 

components/include/user_identifiers_config.h

@@ -30,6 +30,7 @@ public:
     void parseRequestHeaders(const HttpHeader &header) const;
     std::vector<std::string> getHeaderValuesFromConfig(const std::string &header_key) const;
     void setXFFValuesToOpaqueCtx(const HttpHeader &header, ExtractType type) const;
+    void setWafTagValuesToOpaqueCtx(const HttpHeader &header) const;
 
 private:
     class UsersIdentifiersConfig
@@ -58,7 +59,7 @@ private:
         const std::string::const_iterator &end,
         const std::string &key) const;
     Buffer extractKeyValueFromCookie(const std::string &cookie_value, const std::string &key) const;
-    Maybe<std::string> parseXForwardedFor(const std::string &str) const;
+    Maybe<std::string> parseXForwardedFor(const std::string &str, ExtractType type) const;
 
     std::vector<UsersIdentifiersConfig> user_identifiers;
 };

components/include/waap.h

@@ -33,6 +33,9 @@ class I_WaapAssetStatesManager;
 class I_Messaging;
 class I_AgentDetails;
 class I_Encryptor;
+class I_WaapModelResultLogger;
+
+const std::string WAAP_APPLICATION_NAME = "waap application";
 
 class WaapComponent
         :
@@ -48,7 +51,8 @@ class WaapComponent
     Singleton::Consume<I_AgentDetails>,
     Singleton::Consume<I_Messaging>,
     Singleton::Consume<I_Encryptor>,
-    Singleton::Consume<I_Environment>
+    Singleton::Consume<I_Environment>,
+    Singleton::Consume<I_WaapModelResultLogger>
 {
 public:
     WaapComponent();

components/nginx_message_reader/CMakeLists.txt

@@ -0,0 +1,3 @@
+link_directories(${BOOST_ROOT}/lib)
+
+add_library(nginx_message_reader nginx_message_reader.cc)

components/nginx_message_reader/nginx_message_reader.cc

@@ -0,0 +1,735 @@
+#include "nginx_message_reader.h"
+
+#include <string>
+#include <boost/regex.hpp>
+#include <boost/algorithm/string.hpp>
+#include <boost/algorithm/string/regex.hpp>
+
+#include "config.h"
+#include "singleton.h"
+#include "i_mainloop.h"
+#include "enum_array.h"
+#include "log_generator.h"
+#include "maybe_res.h"
+#include "http_transaction_data.h"
+#include "generic_rulebase/rulebase_config.h"
+#include "generic_rulebase/evaluators/asset_eval.h"
+#include "generic_rulebase/triggers_config.h"
+#include "agent_core_utilities.h"
+#include "rate_limit_config.h"
+
+USE_DEBUG_FLAG(D_NGINX_MESSAGE_READER);
+
+using namespace std;
+
+static const string syslog_regex_string = (
+    "<[0-9]+>([A-Z][a-z][a-z]\\s{1,2}\\d{1,2}\\s\\d{2}"
+    "[:]\\d{2}[:]\\d{2})\\s([\\w][\\w\\d\\.@-]*)\\s(nginx:)"
+);
+
+static const boost::regex socket_address_regex("(\\d+\\.\\d+\\.\\d+\\.\\d+):(\\d+)");
+static const boost::regex syslog_regex(syslog_regex_string);
+static const boost::regex alert_log_regex(
+    "("
+    + syslog_regex_string + ") "
+    + "(.+?\\[alert\\] )(.+?)"
+    ", (client: .+?)"
+    ", (server: .+?)"
+    ", (request: \".+?\")"
+    ", (upstream: \".+?\")"
+    ", (host: \".+?\")$"
+);
+
+static const boost::regex error_log_regex(
+    "("
+    + syslog_regex_string + ") "
+    + "(.+?\\[error\\] )(.+?)"
+    ", (client: .+?)"
+    ", (server: .+?)"
+    ", (request: \".+?\")"
+    ", (upstream: \".+?\")"
+    ", (host: \".+?\")$"
+);
+
+static const boost::regex server_regex("(\\d+\\.\\d+\\.\\d+\\.\\d+)|(\\w+\\.\\w+)");
+static const boost::regex uri_regex("^/");
+static const boost::regex port_regex("\\d+");
+static const boost::regex response_code_regex("[0-9]{3}");
+static const boost::regex http_method_regex("[A-Za-z]+");
+
+class NginxMessageReader::Impl
+{
+public:
+    void
+    init()
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER);
+        I_MainLoop *mainloop = Singleton::Consume<I_MainLoop>::by<NginxMessageReader>();
+        mainloop->addOneTimeRoutine(
+            I_MainLoop::RoutineType::System,
+            [this] ()
+            {
+                initSyslogServerSocket();
+                handleNginxLogs();
+            },
+            "Initialize nginx syslog",
+            true
+        );
+    }
+
+    void
+    preload()
+    {
+        registerConfigLoadCb([this]() { loadNginxMessageReaderConfig(); });
+    }
+
+    void
+    fini()
+    {
+        I_Socket *i_socket = Singleton::Consume<I_Socket>::by<NginxMessageReader>();
+        i_socket->closeSocket(syslog_server_socket);
+    }
+
+    void
+    loadNginxMessageReaderConfig()
+    {
+        rate_limit_status_code = getProfileAgentSettingWithDefault<string>(
+            "429",
+            "accessControl.rateLimit.returnCode"
+        );
+        dbgTrace(D_NGINX_MESSAGE_READER) << "Selected rate-limit status code: " << rate_limit_status_code;
+    }
+
+private:
+    enum class LogInfo {
+        HTTP_METHOD,
+        URI,
+        RESPONSE_CODE,
+        HOST,
+        SOURCE,
+        DESTINATION_IP,
+        DESTINATION_PORT,
+        EVENT_MESSAGE,
+        ASSET_ID,
+        ASSET_NAME,
+        RULE_NAME,
+        RULE_ID,
+        COUNT
+    };
+
+    void
+    initSyslogServerSocket()
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER);
+        I_MainLoop *mainloop = Singleton::Consume<I_MainLoop>::by<NginxMessageReader>();
+        I_Socket *i_socket = Singleton::Consume<I_Socket>::by<NginxMessageReader>();
+        string nginx_syslog_server_address = getProfileAgentSettingWithDefault<string>(
+            "127.0.0.1:1514",
+            "reverseProxy.nginx.syslogAddress"
+        );
+        dbgInfo(D_NGINX_MESSAGE_READER) << "Attempting to open a socket: " << nginx_syslog_server_address;
+        do {
+            Maybe<I_Socket::socketFd> new_socket = i_socket->genSocket(
+                I_Socket::SocketType::UDP,
+                false,
+                true,
+                nginx_syslog_server_address
+            );
+            if (!new_socket.ok()) {
+                dbgError(D_NGINX_MESSAGE_READER) << "Failed to open a socket. Error: " << new_socket.getErr();
+                mainloop->yield(chrono::milliseconds(500));
+                continue;
+            }
+
+            if (new_socket.unpack() < 0) {
+                dbgError(D_NGINX_MESSAGE_READER)<< "Generated socket is OK yet negative";
+                mainloop->yield(chrono::milliseconds(500));
+                continue;
+            }
+            syslog_server_socket = new_socket.unpack();
+            dbgInfo(D_NGINX_MESSAGE_READER)
+                << "Opened socket for nginx logs over syslog. Socket: "
+                << syslog_server_socket;
+        } while (syslog_server_socket < 0);
+    }
+
+    void
+    handleNginxLogs()
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER);
+        I_MainLoop::Routine read_logs =
+        [this] ()
+        {
+            Maybe<string> logs = getLogsFromSocket(syslog_server_socket);
+
+            if (!logs.ok()) {
+                dbgWarning(D_NGINX_MESSAGE_READER)
+                    << "Failed to get NGINX logs from the socket. Error: "
+                    << logs.getErr();
+                return;
+            }
+            string raw_logs_to_parse = logs.unpackMove();
+            vector<string> logs_to_parse = separateLogs(raw_logs_to_parse);
+
+            for (auto const &log: logs_to_parse) {
+                bool log_sent;
+                if (isAccessLog(log)) {
+                    log_sent = sendAccessLog(log);
+                } else if (isAlertErrorLog(log) || isErrorLog(log)) {
+                    log_sent = sendErrorLog(log);
+                } else {
+                    dbgWarning(D_NGINX_MESSAGE_READER) << "Unexpected nginx log format";
+                    continue;
+                }
+                if (!log_sent) {
+                    dbgWarning(D_NGINX_MESSAGE_READER) << "Failed to send Log to Infinity Portal";
+                } else {
+                    dbgTrace(D_NGINX_MESSAGE_READER) << "Succesfully sent nginx log to Infinity Portal";
+                }
+            }
+        };
+        I_MainLoop *mainloop = Singleton::Consume<I_MainLoop>::by<NginxMessageReader>();
+        mainloop->addFileRoutine(
+            I_MainLoop::RoutineType::RealTime,
+            syslog_server_socket,
+            read_logs,
+            "Process nginx logs",
+            true
+        );
+    }
+
+    bool
+    sendAccessLog(const string &log)
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER) << "Access log" << log;
+        Maybe<EnumArray<LogInfo, string>> log_info = parseAccessLog(log);
+        if (!log_info.ok()) {
+            dbgWarning(D_NGINX_MESSAGE_READER)
+                << "Failed parsing the NGINX logs. Error: "
+                << log_info.getErr();
+            return false;
+        }
+        auto unpacked_log_info = log_info.unpack();
+
+        if (unpacked_log_info[LogInfo::RESPONSE_CODE] == rate_limit_status_code) {
+            return sendRateLimitLog(unpacked_log_info);
+        }
+        return sendLog(unpacked_log_info);
+    }
+
+    bool
+    sendErrorLog(const string &log)
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER) << "Error log" << log;
+        Maybe<EnumArray<LogInfo, string>> log_info = parseErrorLog(log);
+        if (!log_info.ok()) {
+            dbgWarning(D_NGINX_MESSAGE_READER)
+                << "Failed parsing the NGINX logs. Error: "
+                << log_info.getErr();
+            return false;
+        }
+        return sendLog(log_info.unpack());
+    }
+
+    bool
+    isAccessLog(const string &log) const
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER) << "Chekck if string contains \"accessLog\"" << log;
+        return log.find("accessLog") != string::npos;
+    }
+
+    bool
+    isAlertErrorLog(const string &log) const
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER) << "Check if log is of type 'error log'. Log: " << log;
+        return log.find("[alert]") != string::npos;
+    }
+
+    bool
+    isErrorLog(const string &log) const
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER) << "Check if log is of type 'error log'. Log: " << log;
+        return log.find("[error]") != string::npos;
+    }
+
+    bool
+    sendLog(const EnumArray<LogInfo, string> &log_info)
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER);
+        string event_name;
+        switch (log_info[LogInfo::RESPONSE_CODE][0]) {
+            case '4': {
+                event_name = "Invalid request or incorrect reverse proxy configuration - Request dropped."
+                " Please check the reverse proxy configuration of your relevant assets";
+                break;
+            }
+            case '5': {
+                event_name = "AppSec Gateway reverse proxy error - Request dropped. "
+                "Please verify the reverse proxy configuration of your relevant assets. "
+                "If the issue persists please contact Check Point Support";
+                break;
+            }
+            default: {
+                dbgError(D_NGINX_MESSAGE_READER) << "Irrelevant status code";
+                return false;
+            }
+        }
+
+        dbgTrace(D_NGINX_MESSAGE_READER)
+            << "Nginx log's event name and response code: "
+            << event_name
+            << ", "
+            << log_info[LogInfo::RESPONSE_CODE];
+        LogGen log(
+            event_name,
+            ReportIS::Audience::SECURITY,
+            ReportIS::Severity::INFO,
+            ReportIS::Priority::LOW,
+            ReportIS::Tags::REVERSE_PROXY
+        );
+        log << LogField("eventConfidence", "High");
+
+        for (LogInfo field : makeRange<LogInfo>()) {
+            Maybe<string> string_field = convertLogFieldToString(field);
+            if (!string_field.ok()) {
+                dbgDebug(D_NGINX_MESSAGE_READER) << "Enum field was not converted: " <<  string_field.getErr();
+                return false;
+            }
+
+            if (field != LogInfo::DESTINATION_PORT) {
+                log << LogField(string_field.unpack(), log_info[field]);
+                continue;
+            }
+
+            try {
+                log << LogField(string_field.unpack(), stoi(log_info[field]));
+            } catch (const exception &e) {
+                dbgError(D_NGINX_MESSAGE_READER)
+                    << "Unable to convert port to numeric value: "
+                    << e.what();
+                log << LogField(string_field.unpack(), 0);
+            }
+        }
+        return true;
+    }
+
+    bool
+    sendRateLimitLog(const EnumArray<LogInfo, string> &log_info)
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER) << "Getting rate-limit rules of asset ID: " << log_info[LogInfo::ASSET_ID];
+
+        ScopedContext rate_limit_ctx;
+
+        rate_limit_ctx.registerValue<GenericConfigId>(AssetMatcher::ctx_key, log_info[LogInfo::ASSET_ID]);
+        auto rate_limit_config = getConfiguration<RateLimitConfig>("rulebase", "rateLimit");
+        if (!rate_limit_config.ok()) {
+            dbgTrace(D_NGINX_MESSAGE_READER)
+                << "Rate limit context does not match asset ID: " << log_info[LogInfo::ASSET_ID];
+            return false;
+        }
+        RateLimitConfig unpacked_rate_limit_config = rate_limit_config.unpack();
+
+        string nginx_uri = log_info[LogInfo::URI];
+        const LogTriggerConf &rate_limit_trigger = unpacked_rate_limit_config.getRateLimitTrigger(nginx_uri);
+
+        dbgTrace(D_NGINX_MESSAGE_READER)<< "About to generate NGINX rate-limit log";
+
+        string event_name = "Rate limit";
+        string security_action = "Drop";
+        bool is_log_required = false;
+
+        // Prevent events checkbox (in triggers)
+        if (rate_limit_trigger.isPreventLogActive(LogTriggerConf::SecurityType::AccessControl)) {
+            is_log_required = true;
+        }
+
+        if (!is_log_required) {
+            dbgTrace(D_NGINX_MESSAGE_READER) << "Not sending NGINX rate-limit log as it is not required";
+            return false;
+        }
+
+        ostringstream src_ip;
+        ostringstream dst_ip;
+        src_ip << log_info[LogInfo::SOURCE];
+        dst_ip << log_info[LogInfo::DESTINATION_IP];
+
+        ReportIS::Severity log_severity = ReportIS::Severity::MEDIUM;
+        ReportIS::Priority log_priority = ReportIS::Priority::MEDIUM;
+
+        LogGen log = rate_limit_trigger(
+            event_name,
+            LogTriggerConf::SecurityType::AccessControl,
+            log_severity,
+            log_priority,
+            true, // is drop
+            LogField("practiceType", "Rate Limit"),
+            ReportIS::Tags::RATE_LIMIT
+        );
+
+        for (LogInfo field : makeRange<LogInfo>()) {
+            Maybe<string> string_field = convertLogFieldToString(field);
+            if (!string_field.ok()) {
+                dbgDebug(D_NGINX_MESSAGE_READER) << "Enum field was not converted: " <<  string_field.getErr();
+                return false;
+            }
+            
+            if (
+                field == LogInfo::HOST ||
+                field == LogInfo::URI ||
+                field == LogInfo::HTTP_METHOD ||
+                field == LogInfo::SOURCE ||
+                field == LogInfo::DESTINATION_IP ||
+                field == LogInfo::ASSET_ID ||
+                field == LogInfo::ASSET_NAME ||
+                field == LogInfo::RESPONSE_CODE
+            ) {
+                if (!log_info[field].empty()) {
+                    log << LogField(string_field.unpack(), log_info[field]);
+                    continue;
+                }
+            }
+
+            if (field == LogInfo::DESTINATION_PORT) {
+                try {
+                    int numeric_dst_port = stoi(log_info[field]);
+                    log << LogField(string_field.unpack(), numeric_dst_port);
+                } catch (const exception &e) {
+                    dbgWarning(D_NGINX_MESSAGE_READER)
+                        << "Unable to convert dst port: "
+                        << log_info[field]
+                        << " to numberic value. Error: "
+                        << e.what();
+                }
+            }
+        }
+
+        return true;
+    }
+
+    Maybe<string>
+    convertLogFieldToString(LogInfo field)
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER);
+        switch (field) {
+            case LogInfo::HTTP_METHOD:
+                return string("httpMethod");
+            case LogInfo::URI:
+                return string("httpUriPath");
+            case LogInfo::RESPONSE_CODE:
+                return string("httpResponseCode");
+            case LogInfo::HOST:
+                return string("httpHostName");
+            case LogInfo::SOURCE:
+                return string("httpSourceId");
+            case LogInfo::DESTINATION_IP:
+                return string("destinationIp");
+            case LogInfo::DESTINATION_PORT:
+                return string("destinationPort");
+            case LogInfo::ASSET_ID:
+                return string("assetId");
+            case LogInfo::ASSET_NAME:
+                return string("assetName");
+            case LogInfo::EVENT_MESSAGE:
+                return string("httpResponseBody");
+            case LogInfo::RULE_ID:
+                return string("ruleId");
+            case LogInfo::RULE_NAME:
+                return string("ruleName");
+            case LogInfo::COUNT:
+                dbgError(D_NGINX_MESSAGE_READER) << "LogInfo::COUNT is not allowed";
+                return genError("LogInfo::COUNT is not allowed");
+        }
+        dbgError(D_NGINX_MESSAGE_READER) << "No Enum found, int value: " << static_cast<int>(field);
+        return genError("No Enum found");
+    }
+
+    static vector<string>
+    separateLogs(const string &raw_logs_to_parse)
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER) << "separating logs. logs: " << raw_logs_to_parse;
+        dbgTrace(D_NGINX_MESSAGE_READER) << "separateLogs start of function. Logs to parse: " << raw_logs_to_parse;
+        boost::smatch matcher;
+        vector<string> logs;
+
+        if (raw_logs_to_parse.empty()) return logs;
+
+        size_t pos = 0;
+        while (NGEN::Regex::regexSearch(__FILE__, __LINE__, raw_logs_to_parse.substr(pos), matcher, syslog_regex)) {
+            if (pos == 0) {
+                dbgTrace(D_NGINX_MESSAGE_READER) << "separateLogs pos = 0";
+                pos++;
+                continue;
+            }
+            auto log_length = matcher.position();
+            logs.push_back(raw_logs_to_parse.substr(pos - 1, log_length));
+
+            pos += log_length + 1;
+        }
+        logs.push_back(raw_logs_to_parse.substr(pos - 1));
+        dbgTrace(D_NGINX_MESSAGE_READER) << "separateLogs end of function";
+
+        return logs;
+    }
+
+    static pair<string, string>
+    parseErrorLogRequestField(const string &request)
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER) << "parsing request field. request: " << request;
+        string formatted_request = request;
+        vector<string> result;
+        boost::erase_all(formatted_request, "\"");
+        boost::erase_all(formatted_request, "\n");
+        boost::split(result, formatted_request, boost::is_any_of(" "), boost::token_compress_on);
+
+        const int http_method_index = 1;
+        const int uri_index = 2;
+        return pair<string, string>(result[http_method_index], result[uri_index]);
+    }
+
+    static string
+    parseErrorLogField(const string &field)
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER) << "parsing error log field " << field;
+        string formatted_field = field;
+        vector<string> result;
+        boost::erase_all(formatted_field, "\"");
+        boost::erase_all(formatted_field, "\n");
+        boost::split(result, formatted_field, boost::is_any_of(" "), boost::token_compress_on);
+
+        const int field_index = 1;
+        return result[field_index];
+    }
+
+    void
+    addContextFieldsToLogInfo(EnumArray<LogInfo, string> &log_info)
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER);
+        ScopedContext ctx;
+
+        try {
+            ctx.registerValue<uint16_t>(
+                HttpTransactionData::listening_port_ctx,
+                static_cast<uint16_t>(stoi(log_info[LogInfo::DESTINATION_PORT]))
+            );
+        } catch (const exception &e) {
+            dbgError(D_NGINX_MESSAGE_READER) << "Failed register values for context " << e.what();
+        }
+        ctx.registerValue<string>(HttpTransactionData::host_name_ctx, log_info[LogInfo::HOST]);
+        ctx.registerValue<string>(HttpTransactionData::uri_ctx, log_info[LogInfo::URI]);
+        auto rule_by_ctx = getConfiguration<BasicRuleConfig>("rulebase", "rulesConfig");
+        if (!rule_by_ctx.ok()) {
+            dbgWarning(D_NGINX_MESSAGE_READER)
+                << "AssetId was not found by the given context. Reason: "
+                << rule_by_ctx.getErr();
+            return;
+        }
+
+        BasicRuleConfig context = rule_by_ctx.unpack();
+        log_info[LogInfo::ASSET_ID] = context.getAssetId();
+        log_info[LogInfo::ASSET_NAME] = context.getAssetName();
+        log_info[LogInfo::RULE_ID] = context.getRuleId();
+        log_info[LogInfo::RULE_NAME] = context.getRuleName();
+    }
+
+    Maybe<EnumArray<LogInfo, string>>
+    parseErrorLog(const string &log_line)
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER) << "Handling log line:" << log_line;
+        string port;
+        EnumArray<LogInfo, string> log_info(EnumArray<LogInfo, string>::Fill(), string(""));
+
+        boost::smatch matcher;
+        vector<string> result;
+        if (
+            !NGEN::Regex::regexSearch(
+                __FILE__,
+                __LINE__,
+                log_line,
+                matcher,
+                isAlertErrorLog(log_line) ? alert_log_regex : error_log_regex
+            )
+        ) {
+            dbgWarning(D_NGINX_MESSAGE_READER) << "Unexpected nginx log format";
+            return genError("Unexpected nginx log format");
+        }
+
+        const int event_message_index = 6;
+        const int source_index = 7;
+        const int request_index = 9;
+        const int host_index = 11;
+        string host = string(matcher[host_index].first, matcher[host_index].second);
+        string source = string(matcher[source_index].first, matcher[source_index].second);
+        string event_message = string(matcher[event_message_index].first, matcher[event_message_index].second);
+        string request = string(matcher[request_index].first, matcher[request_index].second);
+
+        host = parseErrorLogField(host);
+        source = parseErrorLogField(source);
+        pair<string, string> parsed_request = parseErrorLogRequestField(request);
+        string http_method = parsed_request.first;
+        string uri = parsed_request.second;
+
+        if (NGEN::Regex::regexSearch(__FILE__, __LINE__, host, matcher, socket_address_regex)) {
+            int host_index = 1;
+            int port_index = 2;
+            host = string(matcher[host_index].first, matcher[host_index].second);
+            port = string(matcher[port_index].first, matcher[port_index].second);
+        } else if (NGEN::Regex::regexSearch(__FILE__, __LINE__, host, matcher, boost::regex("https://"))) {
+            port = "443";
+        } else {
+            port = "80";
+        }
+
+        log_info[LogInfo::HOST] = host;
+        log_info[LogInfo::URI] = uri;
+        log_info[LogInfo::RESPONSE_CODE] = "500";
+        log_info[LogInfo::HTTP_METHOD] = http_method;
+        log_info[LogInfo::SOURCE] = source;
+        log_info[LogInfo::DESTINATION_IP] = host;
+        log_info[LogInfo::DESTINATION_PORT] = port;
+        log_info[LogInfo::EVENT_MESSAGE] = event_message;
+
+        addContextFieldsToLogInfo(log_info);
+
+        if (!validateLog(log_info)) {
+            dbgWarning(D_NGINX_MESSAGE_READER) << "Unexpected nginx log format";
+            return genError("Unexpected nginx log format");
+        }
+
+        return log_info;
+    }
+
+    Maybe<EnumArray<LogInfo, string>>
+    parseAccessLog(const string &log_line)
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER) << "Parsing log line: " << log_line;
+        string formatted_log = log_line;
+        EnumArray<LogInfo, string> log_info(EnumArray<LogInfo, string>::Fill(), string(""));
+        vector<string> result;
+        boost::erase_all(formatted_log, "\"");
+        boost::erase_all(formatted_log, "\n");
+        boost::split(result, formatted_log, boost::is_any_of(" "), boost::token_compress_on);
+
+        const int valid_log_size = 20;
+
+        if (result.size() < valid_log_size) {
+            dbgWarning(D_NGINX_MESSAGE_READER) << "Unexpected nginx log format";
+            return genError("Unexpected nginx log format");
+        }
+
+        const int host_index = 6;
+        const int host_port_index = 7;
+        const int http_method_index = 13;
+        const int uri_index = 14;
+        const int response_cod_index = 16;
+        const int source_index = 8;
+
+        log_info[LogInfo::HOST] = result[host_index];
+        log_info[LogInfo::URI] = result[uri_index];
+        log_info[LogInfo::RESPONSE_CODE] = result[response_cod_index];
+        log_info[LogInfo::HTTP_METHOD] = result[http_method_index];
+        log_info[LogInfo::SOURCE] = result[source_index];
+        log_info[LogInfo::DESTINATION_IP] = result[host_index];
+        log_info[LogInfo::DESTINATION_PORT] = result[host_port_index];
+        log_info[LogInfo::EVENT_MESSAGE] = "Invalid request or incorrect reverse proxy configuration - "
+        "Request dropped. Please check the reverse proxy configuration of your relevant assets";
+
+        addContextFieldsToLogInfo(log_info);
+
+        if (!validateLog(log_info)) {
+            dbgWarning(D_NGINX_MESSAGE_READER) << "Unexpected nginx log format";
+            return genError("Unexpected nginx log format");
+        }
+        return log_info;
+    }
+
+    static bool
+    validateLog(const EnumArray<LogInfo, string> &log_info)
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER);
+
+        boost::smatch matcher;
+        if (!NGEN::Regex::regexSearch(__FILE__, __LINE__, log_info[LogInfo::HOST], matcher, server_regex)) {
+            dbgTrace(D_NGINX_MESSAGE_READER) << "Could not validate server (Host): " << log_info[LogInfo::HOST];
+            return false;
+        }
+        if (!NGEN::Regex::regexSearch(__FILE__, __LINE__, log_info[LogInfo::URI], matcher, uri_regex)) {
+            dbgTrace(D_NGINX_MESSAGE_READER) << "Could not validate Uri: " << log_info[LogInfo::URI];
+            return false;
+        }
+
+        if (
+            !NGEN::Regex::regexSearch(
+                __FILE__,
+                __LINE__,
+                log_info[LogInfo::RESPONSE_CODE],
+                matcher, response_code_regex
+            )
+        ) {
+            dbgTrace(D_NGINX_MESSAGE_READER)
+                << "Could not validate response code: "
+                << log_info[LogInfo::RESPONSE_CODE];
+            return false;
+        }
+
+        if (
+            !NGEN::Regex::regexSearch(__FILE__, __LINE__, log_info[LogInfo::HTTP_METHOD], matcher, http_method_regex)
+        ) {
+            dbgTrace(D_NGINX_MESSAGE_READER) << "Could not validate HTTP method: " << log_info[LogInfo::HTTP_METHOD];
+            return false;
+        }
+
+        if (!NGEN::Regex::regexSearch(__FILE__, __LINE__, log_info[LogInfo::DESTINATION_PORT], matcher, port_regex)) {
+            dbgTrace(D_NGINX_MESSAGE_READER)
+                << "Could not validate destination port : "
+                << log_info[LogInfo::DESTINATION_PORT];
+            return false;
+        }
+
+        if (!NGEN::Regex::regexSearch(__FILE__, __LINE__, log_info[LogInfo::SOURCE], matcher, server_regex)) {
+            dbgTrace(D_NGINX_MESSAGE_READER) << "Could not validate source : " << log_info[LogInfo::SOURCE];
+            return false;
+        }
+
+        return true;
+    }
+
+    Maybe<string>
+    getLogsFromSocket(const I_Socket::socketFd &client_socket) const
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER) << "Reading logs from socket. fd: " << client_socket;
+        I_Socket *i_socket = Singleton::Consume<I_Socket>::by<NginxMessageReader>();
+        Maybe<vector<char>> raw_log_data = i_socket->receiveData(client_socket, 0, false);
+        if (!raw_log_data.ok()) {
+            dbgWarning(D_NGINX_MESSAGE_READER) << "Error receiving data from socket";
+            return genError("Error receiving data from socket");
+        }
+
+        string raw_log(raw_log_data.unpack().begin(), raw_log_data.unpack().end());
+        return move(raw_log);
+    }
+
+    I_Socket::socketFd syslog_server_socket = -1;
+    string rate_limit_status_code = "429";
+};
+
+NginxMessageReader::NginxMessageReader() : Component("NginxMessageReader"), pimpl(make_unique<Impl>()) {}
+
+NginxMessageReader::~NginxMessageReader() {}
+
+void
+NginxMessageReader::init()
+{
+    pimpl->init();
+}
+
+void
+NginxMessageReader::preload()
+{
+    pimpl->preload();
+}
+
+void
+NginxMessageReader::fini()
+{
+    pimpl->fini();
+}

components/packet/packet.cc

@@ -563,7 +563,10 @@ Packet::parsePacket(PktType type, IPType proto)
             return parseFromL3v6();
         }
         default: {
-            dbgAssert(false) << "Unknown (neither IPv4, nor IPv6), or uninitialized packet type: " << proto;
+            dbgAssert(false)
+                << AlertInfo(AlertTeam::CORE, "packet")
+                << "Unknown (neither IPv4, nor IPv6), or uninitialized packet type: "
+                << proto;
         }
     }
 

components/pending_key/pending_key.cc

@@ -43,7 +43,9 @@ PendingKey::print(ostream &os) const
 size_t
 PendingKey::hash() const
 {
-    dbgAssert(src.type != IPType::UNINITIALIZED) << "PendingKey::hash was called on an uninitialized object";
+    dbgAssert(src.type != IPType::UNINITIALIZED)
+        << AlertInfo(AlertTeam::CORE, "pending key")
+        << "PendingKey::hash was called on an uninitialized object";
     size_t seed = 0;
     hashCombine(seed, static_cast<u_char>(src.type));
     hashCombine(seed, src.proto);

components/report_messaging/report_messaging_ut/CMakeLists.txt

@@ -1,3 +0,0 @@
-link_directories(${BOOST_ROOT}/lib)
-
-add_unit_test(report_messaging_ut "report_messaging_ut.cc" "report_messaging;report;messaging;singleton;-lboost_regex")

components/security_apps/CMakeLists.txt

@@ -3,5 +3,7 @@ add_subdirectory(ips)
 add_subdirectory(layer_7_access_control)
 add_subdirectory(local_policy_mgmt_gen)
 add_subdirectory(orchestration)
+add_subdirectory(prometheus)
 add_subdirectory(rate_limit)
 add_subdirectory(waap)
+add_subdirectory(central_nginx_manager)

components/security_apps/central_nginx_manager/CMakeLists.txt

@@ -0,0 +1,3 @@
+include_directories(include)
+
+add_library(central_nginx_manager central_nginx_manager.cc lets_encrypt_listener.cc)

components/security_apps/central_nginx_manager/central_nginx_manager.cc

@@ -0,0 +1,418 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "central_nginx_manager.h"
+#include "lets_encrypt_listener.h"
+
+#include <string>
+#include <vector>
+#include <cereal/external/base64.hpp>
+
+#include "debug.h"
+#include "config.h"
+#include "rest.h"
+#include "log_generator.h"
+#include "nginx_utils.h"
+#include "agent_core_utilities.h"
+
+using namespace std;
+
+USE_DEBUG_FLAG(D_NGINX_MANAGER);
+
+class CentralNginxConfig
+{
+public:
+    void load(cereal::JSONInputArchive &ar)
+    {
+        try {
+            string nginx_conf_base64;
+            ar(cereal::make_nvp("id", file_id));
+            ar(cereal::make_nvp("name", file_name));
+            ar(cereal::make_nvp("data", nginx_conf_base64));
+            nginx_conf_content = cereal::base64::decode(nginx_conf_base64);
+            central_nginx_conf_path = getCentralNginxConfPath();
+            shared_config_path = getSharedConfigPath();
+            if (!nginx_conf_content.empty()) configureCentralNginx();
+        } catch (const cereal::Exception &e) {
+            dbgDebug(D_NGINX_MANAGER) << "Could not load Central Management Config JSON. Error: " << e.what();
+            ar.setNextName(nullptr);
+        }
+    }
+
+    const string & getFileId() const { return file_id; }
+    const string & getFileName() const { return file_name; }
+    const string & getFileContent() const { return nginx_conf_content; }
+
+    static string
+    getCentralNginxConfPath()
+    {
+        string central_nginx_conf_path = getProfileAgentSettingWithDefault<string>(
+            string("/tmp/central_nginx.conf"),
+            "centralNginxManagement.confDownloadPath"
+        );
+        dbgInfo(D_NGINX_MANAGER) << "Central NGINX configuration path: " << central_nginx_conf_path;
+
+        return central_nginx_conf_path;
+    }
+
+    static string
+    getSharedConfigPath()
+    {
+        string central_shared_conf_path = getConfigurationWithDefault<string>(
+            "/etc/cp/conf",
+            "Config Component",
+            "configuration path"
+        );
+        central_shared_conf_path += "/centralNginxManager/shared/central_nginx_shared.conf";
+        dbgInfo(D_NGINX_MANAGER) << "Shared NGINX configuration path: " << central_shared_conf_path;
+
+        return central_shared_conf_path;
+    }
+
+private:
+    void
+    loadAttachmentModule()
+    {
+        string attachment_module_path = NginxUtils::getModulesPath() + "/ngx_cp_attachment_module.so";
+        if (!NGEN::Filesystem::exists(attachment_module_path)) {
+            dbgTrace(D_NGINX_MANAGER) << "Attachment module " << attachment_module_path << " does not exist";
+            return;
+        }
+
+        string attachment_module_conf = "load_module " + attachment_module_path + ";";
+        if (nginx_conf_content.find(attachment_module_conf) != string::npos) {
+            dbgTrace(D_NGINX_MANAGER) << "Attachment module " << attachment_module_path << " already loaded";
+            return;
+        }
+
+        nginx_conf_content = attachment_module_conf + "\n" + nginx_conf_content;
+    }
+
+    Maybe<void>
+    loadSharedDirective(const string &directive)
+    {
+        dbgFlow(D_NGINX_MANAGER) << "Loading shared directive into the servers " << directive;
+
+        if (!NGEN::Filesystem::copyFile(shared_config_path, shared_config_path + ".bak", true)) {
+            return genError("Could not create a backup of the shared NGINX configuration file");
+        }
+
+        ifstream shared_config(shared_config_path);
+        if (!shared_config.is_open()) {
+            return genError("Could not open shared NGINX configuration file");
+        }
+
+        string shared_config_content((istreambuf_iterator<char>(shared_config)), istreambuf_iterator<char>());
+        shared_config.close();
+
+        if (shared_config_content.find(directive) != string::npos) {
+            dbgTrace(D_NGINX_MANAGER) << "Shared directive " << directive << " already loaded";
+            return {};
+        }
+
+        ofstream new_shared_config(shared_config_path, ios::app);
+        if (!new_shared_config.is_open()) {
+            return genError("Could not open shared NGINX configuration file");
+        }
+
+        dbgTrace(D_NGINX_MANAGER) << "Adding shared directive " << directive;
+        new_shared_config << directive << "\n";
+        new_shared_config.close();
+
+        auto validation = NginxUtils::validateNginxConf(central_nginx_conf_path);
+        if (!validation.ok()) {
+            if (!NGEN::Filesystem::copyFile(shared_config_path + ".bak", shared_config_path, true)) {
+                return genError("Could not restore the shared NGINX configuration file");
+            }
+            return genError("Could not validate shared NGINX configuration file. Error: " + validation.getErr());
+        }
+
+        return {};
+    }
+
+    Maybe<void>
+    loadSharedConfig()
+    {
+        dbgFlow(D_NGINX_MANAGER) << "Loading shared configuration into the servers";
+
+        ofstream shared_config(shared_config_path);
+        if (!shared_config.is_open()) {
+            return genError("Could not create shared NGINX configuration file");
+        }
+        shared_config.close();
+
+        string shared_config_directive = "include " + shared_config_path + ";\n";
+        boost::regex server_regex("server\\s*\\{");
+        nginx_conf_content = NGEN::Regex::regexReplace(
+            __FILE__,
+            __LINE__,
+            nginx_conf_content,
+            server_regex,
+            "server {\n" + shared_config_directive
+        );
+
+        ofstream nginx_conf_file(central_nginx_conf_path);
+        if (!nginx_conf_file.is_open()) {
+            return genError("Could not open a temporary central NGINX configuration file");
+        }
+        nginx_conf_file << nginx_conf_content;
+        nginx_conf_file.close();
+
+        auto validation = NginxUtils::validateNginxConf(central_nginx_conf_path);
+        if (!validation.ok()) {
+            return genError("Could not validate central NGINX configuration file. Error: " + validation.getErr());
+        }
+
+        return {};
+    }
+
+    Maybe<void>
+    configureSyslog()
+    {
+        if (!getProfileAgentSettingWithDefault<bool>(false, "centralNginxManagement.syslogEnabled")) {
+            dbgTrace(D_NGINX_MANAGER) << "Syslog is disabled via settings";
+            return {};
+        }
+
+        string syslog_directive = "error_log syslog:server=127.0.0.1:1514 warn;";
+        auto load_shared_directive_result = loadSharedDirective(syslog_directive);
+        if (!load_shared_directive_result.ok()) {
+            return genError("Could not configure syslog directive, error: " + load_shared_directive_result.getErr());
+        }
+
+        return {};
+    }
+
+    Maybe<void>
+    saveBaseCentralNginxConf()
+    {
+        ofstream central_nginx_conf_base_file(central_nginx_conf_path + ".base");
+        if (!central_nginx_conf_base_file.is_open()) {
+            return genError("Could not open a temporary central NGINX configuration file");
+        }
+        central_nginx_conf_base_file << nginx_conf_content;
+        central_nginx_conf_base_file.close();
+
+        return {};
+    }
+
+    void
+    configureCentralNginx()
+    {
+        loadAttachmentModule();
+        auto save_base_nginx_conf = saveBaseCentralNginxConf();
+        if (!save_base_nginx_conf.ok()) {
+            dbgWarning(D_NGINX_MANAGER)
+                << "Could not save base NGINX configuration. Error: "
+                << save_base_nginx_conf.getErr();
+            return;
+        }
+
+        string nginx_conf_content_backup = nginx_conf_content;
+        auto shared_config_result = loadSharedConfig();
+        if (!shared_config_result.ok()) {
+            dbgWarning(D_NGINX_MANAGER)
+                << "Could not load shared configuration. Error: "
+                << shared_config_result.getErr();
+            nginx_conf_content = nginx_conf_content_backup;
+            return;
+        }
+
+        auto syslog_result = configureSyslog();
+        if (!syslog_result.ok()) {
+            dbgWarning(D_NGINX_MANAGER) << "Could not configure syslog. Error: " << syslog_result.getErr();
+        }
+    }
+
+    string file_id;
+    string file_name;
+    string nginx_conf_content;
+    string central_nginx_conf_path;
+    string shared_config_path;
+};
+
+class CentralNginxManager::Impl
+{
+public:
+    void
+    init()
+    {
+        dbgInfo(D_NGINX_MANAGER) << "Starting Central NGINX Manager";
+
+        string main_nginx_conf_path = NginxUtils::getMainNginxConfPath();
+        if (
+            NGEN::Filesystem::exists(main_nginx_conf_path)
+            && !NGEN::Filesystem::exists(main_nginx_conf_path + ".orig")
+        ) {
+            dbgInfo(D_NGINX_MANAGER) << "Creating a backup of the original main NGINX configuration file";
+            NGEN::Filesystem::copyFile(main_nginx_conf_path, main_nginx_conf_path + ".orig", true);
+        }
+
+        i_mainloop = Singleton::Consume<I_MainLoop>::by<CentralNginxManager>();
+        if (!lets_encrypt_listener.init()) {
+            dbgWarning(D_NGINX_MANAGER) << "Could not start Lets Encrypt Listener, scheduling retry";
+            i_mainloop->addOneTimeRoutine(
+                I_MainLoop::RoutineType::System,
+                [this] ()
+                {
+                    while(!lets_encrypt_listener.init()) {
+                        dbgWarning(D_NGINX_MANAGER) << "Could not start Lets Encrypt Listener, will retry";
+                        i_mainloop->yield(chrono::seconds(5));
+                    }
+                },
+                "Lets Encrypt Listener initializer",
+                false
+            );
+        }
+    }
+
+    void
+    loadPolicy()
+    {
+        auto central_nginx_config = getSetting<vector<CentralNginxConfig>>("centralNginxManagement");
+        if (!central_nginx_config.ok() || central_nginx_config.unpack().empty()) {
+            dbgWarning(D_NGINX_MANAGER)
+                << "Could not load Central NGINX Management settings. Error: "
+                << central_nginx_config.getErr();
+            return;
+        }
+
+        auto &config = central_nginx_config.unpack().front();
+        if (config.getFileContent().empty()) {
+            dbgWarning(D_NGINX_MANAGER) << "Empty NGINX configuration file";
+            return;
+        }
+
+        dbgTrace(D_NGINX_MANAGER)
+            << "Handling Central NGINX Management settings: "
+            << config.getFileId()
+            << ", "
+            << config.getFileName()
+            << ", "
+            << config.getFileContent();
+
+        string central_nginx_conf_path = config.getCentralNginxConfPath();
+        ofstream central_nginx_conf_file(central_nginx_conf_path);
+        if (!central_nginx_conf_file.is_open()) {
+            dbgWarning(D_NGINX_MANAGER)
+                << "Could not open central NGINX configuration file: "
+                << central_nginx_conf_path;
+            return;
+        }
+        central_nginx_conf_file << config.getFileContent();
+        central_nginx_conf_file.close();
+
+        auto validation_result = NginxUtils::validateNginxConf(central_nginx_conf_path);
+        if (!validation_result.ok()) {
+            dbgWarning(D_NGINX_MANAGER)
+                << "Could not validate central NGINX configuration file. Error: "
+                << validation_result.getErr();
+            logError(validation_result.getErr());
+            return;
+        }
+
+        dbgTrace(D_NGINX_MANAGER) << "Validated central NGINX configuration file";
+
+        auto reload_result = NginxUtils::reloadNginx(central_nginx_conf_path);
+        if (!reload_result.ok()) {
+            dbgWarning(D_NGINX_MANAGER)
+                << "Could not reload central NGINX configuration. Error: "
+                << reload_result.getErr();
+            logError("Could not reload central NGINX configuration. Error: " + reload_result.getErr());
+            return;
+        }
+
+        logInfo("Central NGINX configuration has been successfully reloaded");
+    }
+
+    void
+    fini()
+    {
+        string central_nginx_base_path = CentralNginxConfig::getCentralNginxConfPath() + ".base";
+        if (!NGEN::Filesystem::exists(central_nginx_base_path)) {
+            dbgWarning(D_NGINX_MANAGER) << "Could not find base NGINX configuration file: " << central_nginx_base_path;
+            return;
+        }
+
+        NginxUtils::reloadNginx(central_nginx_base_path);
+    }
+
+private:
+    void
+    logError(const string &error)
+    {
+        LogGen log(
+            error,
+            ReportIS::Level::ACTION,
+            ReportIS::Audience::SECURITY,
+            ReportIS::Severity::CRITICAL,
+            ReportIS::Priority::URGENT,
+            ReportIS::Tags::POLICY_INSTALLATION
+        );
+
+        log.addToOrigin(LogField("eventTopic", "Central NGINX Management"));
+        log << LogField("notificationId", "4165c3b1-e9bc-44c3-888b-863e204c1bfb");
+        log << LogField(
+            "eventRemediation",
+            "Please verify your NGINX configuration and enforce policy again. "
+            "Contact Check Point support if the issue persists."
+        );
+    }
+
+    void
+    logInfo(const string &info)
+    {
+        LogGen log(
+            info,
+            ReportIS::Level::ACTION,
+            ReportIS::Audience::SECURITY,
+            ReportIS::Severity::INFO,
+            ReportIS::Priority::LOW,
+            ReportIS::Tags::POLICY_INSTALLATION
+        );
+
+        log.addToOrigin(LogField("eventTopic", "Central NGINX Management"));
+        log << LogField("notificationId", "4165c3b1-e9bc-44c3-888b-863e204c1bfb");
+        log << LogField("eventRemediation", "No action required");
+    }
+
+    I_MainLoop *i_mainloop = nullptr;
+    LetsEncryptListener lets_encrypt_listener;
+};
+
+CentralNginxManager::CentralNginxManager()
+    :
+    Component("Central NGINX Manager"),
+    pimpl(make_unique<CentralNginxManager::Impl>()) {}
+
+CentralNginxManager::~CentralNginxManager() {}
+
+void
+CentralNginxManager::init()
+{
+    pimpl->init();
+}
+
+void
+CentralNginxManager::fini()
+{
+    pimpl->fini();
+}
+
+void
+CentralNginxManager::preload()
+{
+    registerExpectedSetting<vector<CentralNginxConfig>>("centralNginxManagement");
+    registerExpectedConfiguration<string>("Config Component", "configuration path");
+    registerConfigLoadCb([this]() { pimpl->loadPolicy(); });
+}

components/security_apps/central_nginx_manager/include/lets_encrypt_listener.h

@@ -0,0 +1,30 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __LETS_ENCRYPT_HANDLER_H__
+#define __LETS_ENCRYPT_HANDLER_H__
+
+#include <string>
+
+#include "maybe_res.h"
+
+class LetsEncryptListener
+{
+public:
+    bool init();
+
+private:
+    Maybe<std::string> getChallengeValue(const std::string &uri) const;
+};
+
+#endif // __LETS_ENCRYPT_HANDLER_H__

components/security_apps/central_nginx_manager/lets_encrypt_listener.cc

@@ -0,0 +1,76 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "lets_encrypt_listener.h"
+
+#include <string>
+
+#include "central_nginx_manager.h"
+#include "debug.h"
+
+using namespace std;
+
+USE_DEBUG_FLAG(D_NGINX_MANAGER);
+
+bool
+LetsEncryptListener::init()
+{
+    dbgInfo(D_NGINX_MANAGER) << "Starting Lets Encrypt Listener";
+    return Singleton::Consume<I_RestApi>::by<CentralNginxManager>()->addWildcardGetCall(
+        ".well-known/acme-challenge/",
+        [&] (const string &uri) -> string
+        {
+            Maybe<string> maybe_challenge_value = getChallengeValue(uri);
+            if (!maybe_challenge_value.ok()) {
+                dbgWarning(D_NGINX_MANAGER)
+                    << "Could not get challenge value for uri: "
+                    << uri
+                    << ", error: "
+                    << maybe_challenge_value.getErr();
+                return string{""};
+            };
+
+            dbgTrace(D_NGINX_MANAGER) << "Got challenge value: " << maybe_challenge_value.unpack();
+            return maybe_challenge_value.unpack();
+        }
+    );
+}
+
+Maybe<string>
+LetsEncryptListener::getChallengeValue(const string &uri) const
+{
+    string challenge_key = uri.substr(uri.find_last_of('/') + 1);
+    string api_query = "/api/lets-encrypt-challenge?http_challenge_key=" + challenge_key;
+
+    dbgInfo(D_NGINX_MANAGER) << "Getting challenge value via: " << api_query;
+
+    MessageMetadata md;
+    md.insertHeader("X-Tenant-Id", Singleton::Consume<I_AgentDetails>::by<CentralNginxManager>()->getTenantId());
+    Maybe<HTTPResponse, HTTPResponse> maybe_http_challenge_value =
+        Singleton::Consume<I_Messaging>::by<CentralNginxManager>()->sendSyncMessage(
+            HTTPMethod::GET,
+            api_query,
+            string("{}"),
+            MessageCategory::GENERIC,
+            md
+        );
+
+    if (!maybe_http_challenge_value.ok()) return genError(maybe_http_challenge_value.getErr().getBody());
+
+    string challenge_value = maybe_http_challenge_value.unpack().getBody();
+    if (!challenge_value.empty() && challenge_value.front() == '"' && challenge_value.back() == '"') {
+        challenge_value = challenge_value.substr(1, challenge_value.size() - 2);
+    }
+
+    return challenge_value;
+}

components/security_apps/http_geo_filter/CMakeLists.txt

@@ -1 +1,5 @@
+include_directories(../waap/include)
+include_directories(../waap/waap_clib)
+include_directories(../../attachment-intakers/nginx_attachment)
+
 add_library(http_geo_filter http_geo_filter.cc)

components/security_apps/http_geo_filter/http_geo_filter.cc

@@ -4,10 +4,16 @@
 #include <unistd.h>
 #include <stddef.h>
 #include <algorithm>
+#include <sstream>
+#include <string>
+#include <vector>
+#include <boost/algorithm/string.hpp>
 
+#include "cidrs_data.h"
 #include "generic_rulebase/generic_rulebase.h"
 #include "generic_rulebase/parameters_config.h"
 #include "generic_rulebase/triggers_config.h"
+#include "user_identifiers_config.h"
 #include "debug.h"
 #include "config.h"
 #include "rest.h"
@@ -21,9 +27,10 @@ USE_DEBUG_FLAG(D_GEO_FILTER);
 
 static const LogTriggerConf default_triger;
 
-class HttpGeoFilter::Impl : public Listener<NewHttpTransactionEvent>
+class HttpGeoFilter::Impl : public Listener<HttpRequestHeaderEvent>
 {
 public:
+
     void
     init()
     {
@@ -55,32 +62,51 @@ public:
     }
 
     EventVerdict
-    respond(const NewHttpTransactionEvent &event) override
+    respond(const HttpRequestHeaderEvent &event) override
     {
         dbgTrace(D_GEO_FILTER) << getListenerName() << " new transaction event";
 
-        if (!ParameterException::isGeoLocationExceptionExists() &&
-            !getConfiguration<GeoConfig>("rulebase", "httpGeoFilter").ok()
-        ) {
-            dbgTrace(D_GEO_FILTER) << "No geo location practice nor exception was found. Returning default verdict";
-            return EventVerdict(default_action);
+        if (!event.isLastHeader()) return EventVerdict(ngx_http_cp_verdict_e::TRAFFIC_VERDICT_INSPECT);
+        std::set<std::string> ip_set;
+        auto env = Singleton::Consume<I_Environment>::by<HttpGeoFilter>();
+        auto maybe_xff = env->get<std::string>(HttpTransactionData::xff_vals_ctx);
+        if (!maybe_xff.ok()) {
+            dbgTrace(D_GEO_FILTER) << "failed to get xff vals from env";
+        } else {
+            ip_set = split(maybe_xff.unpack(), ',');
+        }
+        dbgDebug(D_GEO_FILTER) << getListenerName() << " last header, start lookup";
+
+        if (ip_set.size() > 0) {
+            removeTrustedIpsFromXff(ip_set);
+        } else {
+            dbgDebug(D_GEO_FILTER) << "xff not found in headers";
         }
 
-        I_GeoLocation *i_geo_location = Singleton::Consume<I_GeoLocation>::by<HttpGeoFilter>();
-        auto asset_location = i_geo_location->lookupLocation(event.getSourceIP());
-        if (!asset_location.ok()) {
-            dbgTrace(D_GEO_FILTER) << "Lookup location failed, Error: " << asset_location.getErr();
+        auto maybe_source_ip = env->get<IPAddr>(HttpTransactionData::client_ip_ctx);
+        if (!maybe_source_ip.ok()) {
+            dbgWarning(D_GEO_FILTER) << "failed to get source ip from env";
             return EventVerdict(default_action);
         }
+        auto source_ip = convertIpAddrToString(maybe_source_ip.unpack());
 
-        EnumArray<I_GeoLocation::GeoLocationField, std::string> geo_location_data = asset_location.unpack();
+        // saas profile setting
+        bool ignore_source_ip =
+            getProfileAgentSettingWithDefault<bool>(false, "agent.geoProtaction.ignoreSourceIP");
+        if (ignore_source_ip){
+            dbgDebug(D_GEO_FILTER) << "Geo protection ignoring source ip: " << source_ip;
+        } else {
+            dbgTrace(D_GEO_FILTER) << "Geo protection source ip: " << source_ip;
+            ip_set.insert(convertIpAddrToString(maybe_source_ip.unpack()));
+        }
 
-        ngx_http_cp_verdict_e exception_verdict = getExceptionVerdict(event, geo_location_data);
+
+        ngx_http_cp_verdict_e exception_verdict = getExceptionVerdict(ip_set);
         if (exception_verdict != ngx_http_cp_verdict_e::TRAFFIC_VERDICT_IRRELEVANT) {
             return EventVerdict(exception_verdict);
         }
 
-        ngx_http_cp_verdict_e geo_lookup_verdict = getGeoLookupVerdict(event, geo_location_data);
+        ngx_http_cp_verdict_e geo_lookup_verdict = getGeoLookupVerdict(ip_set);
         if (geo_lookup_verdict != ngx_http_cp_verdict_e::TRAFFIC_VERDICT_IRRELEVANT) {
             return EventVerdict(geo_lookup_verdict);
         }
@@ -88,6 +114,73 @@ public:
     }
 
 private:
+    std::set<std::string>
+    split(const std::string& s, char delim) {
+        std::set<std::string> elems;
+        std::stringstream ss(s);
+        std::string value;
+        while (std::getline(ss, value, delim)) {
+            elems.insert(trim(value));
+        }
+        return elems;
+    }
+
+    static inline std::string &ltrim(std::string &s) {
+        s.erase(s.begin(), std::find_if(s.begin(), s.end(),
+            [] (char c) { return !std::isspace(c); }));
+        return s;
+    }
+
+    // trim from end
+    static inline std::string &rtrim(std::string &s) {
+        s.erase(std::find_if(s.rbegin(), s.rend(),
+            [] (char c) { return !std::isspace(c); }).base(), s.end());
+        return s;
+    }
+
+    // trim from both ends
+    static inline std::string &trim(std::string &s) {
+        return ltrim(rtrim(s));
+    }
+
+    void
+    removeTrustedIpsFromXff(std::set<std::string> &xff_set)
+    {
+        auto identify_config = getConfiguration<UsersAllIdentifiersConfig>(
+            "rulebase",
+            "usersIdentifiers"
+        );
+        if (!identify_config.ok()) {
+            dbgDebug(D_GEO_FILTER) << "did not find users identifiers definition in policy";
+        } else {
+            auto trusted_ips = (*identify_config).getHeaderValuesFromConfig("x-forwarded-for");
+            for (auto it = xff_set.begin(); it != xff_set.end();) {
+                if (isIpTrusted(*it, trusted_ips)) {
+                    dbgTrace(D_GEO_FILTER) << "xff value is in trusted ips: " << *it;
+                    it = xff_set.erase(it);
+                } else {
+                    dbgTrace(D_GEO_FILTER) << "xff value is not in trusted ips: " << *it;
+                    ++it;
+                }
+            }
+        }
+    }
+
+    bool
+    isIpTrusted(const string &ip, const vector<string> &trusted_ips)
+    {
+        for (const auto &trusted_ip : trusted_ips) {
+            CIDRSData cidr_data(trusted_ip);
+            if (
+                ip == trusted_ip ||
+                (cidr_data.contains(ip))
+            ) {
+                return true;
+            }
+        }
+        return false;
+    }
+
     string
     convertIpAddrToString(const IPAddr &ip_to_convert)
     {
@@ -117,54 +210,75 @@ private:
     }
 
     ngx_http_cp_verdict_e
-    getGeoLookupVerdict(
-        const NewHttpTransactionEvent &event,
-        const EnumArray<I_GeoLocation::GeoLocationField, std::string> &geo_location_data)
+    getGeoLookupVerdict(const std::set<std::string> &sources)
     {
         auto maybe_geo_config = getConfiguration<GeoConfig>("rulebase", "httpGeoFilter");
         if (!maybe_geo_config.ok()) {
-            dbgWarning(D_GEO_FILTER) << "Failed to load HTTP Geo Filter config. Error:" << maybe_geo_config.getErr();
+            dbgTrace(D_GEO_FILTER) << "Failed to load HTTP Geo Filter config. Error:" << maybe_geo_config.getErr();
             return ngx_http_cp_verdict_e::TRAFFIC_VERDICT_IRRELEVANT;
         }
         GeoConfig geo_config = maybe_geo_config.unpack();
-        string country_code = geo_location_data[I_GeoLocation::GeoLocationField::COUNTRY_CODE];
+        EnumArray<I_GeoLocation::GeoLocationField, std::string> geo_location_data;
+        I_GeoLocation *i_geo_location = Singleton::Consume<I_GeoLocation>::by<HttpGeoFilter>();
 
-        if (geo_config.isAllowedCountry(country_code)) {
-            dbgTrace(D_GEO_FILTER)
-                << "geo verdict ACCEPT, practice id: "
-                << geo_config.getId()
-                << ", country code: "
-                << country_code;
-            generateVerdictLog(
-                ngx_http_cp_verdict_e::TRAFFIC_VERDICT_ACCEPT,
-                event,
-                geo_config.getId(),
-                true,
-                geo_location_data
-            );
-            return ngx_http_cp_verdict_e::TRAFFIC_VERDICT_ACCEPT;
-        }
-        if (geo_config.isBlockedCountry(country_code)) {
-            dbgTrace(D_GEO_FILTER)
-                << "geo verdict DROP, practice id: "
-                << geo_config.getId()
-                << ", country code: "
-                << country_code;
-            generateVerdictLog(
-                ngx_http_cp_verdict_e::TRAFFIC_VERDICT_DROP,
-                event,
-                geo_config.getId(),
-                true,
-                geo_location_data
-            );
-            return ngx_http_cp_verdict_e::TRAFFIC_VERDICT_DROP;
+        for (const std::string& source : sources) {
+            Maybe<IPAddr> maybe_source_ip = IPAddr::createIPAddr(source);
+            if (!maybe_source_ip.ok()){
+                dbgWarning(D_GEO_FILTER) <<
+                "create ip address failed for source: " <<
+                source <<
+                ", Error: " <<
+                maybe_source_ip.getErr();
+                continue;
+            }
+            auto asset_location = i_geo_location->lookupLocation(maybe_source_ip.unpack());
+            if (!asset_location.ok()) {
+                dbgWarning(D_GEO_FILTER) <<
+                "Lookup location failed for source: " <<
+                source <<
+                ", Error: " <<
+                asset_location.getErr();
+                continue;
+            }
+
+            geo_location_data = asset_location.unpack();
+
+            string country_code = geo_location_data[I_GeoLocation::GeoLocationField::COUNTRY_CODE];
+
+            if (geo_config.isAllowedCountry(country_code)) {
+                dbgTrace(D_GEO_FILTER)
+                    << "geo verdict ACCEPT, practice id: "
+                    << geo_config.getId()
+                    << ", country code: "
+                    << country_code;
+                generateVerdictLog(
+                    ngx_http_cp_verdict_e::TRAFFIC_VERDICT_ACCEPT,
+                    geo_config.getId(),
+                    true,
+                    geo_location_data
+                );
+                return ngx_http_cp_verdict_e::TRAFFIC_VERDICT_ACCEPT;
+            }
+            if (geo_config.isBlockedCountry(country_code)) {
+                dbgTrace(D_GEO_FILTER)
+                    << "geo verdict DROP, practice id: "
+                    << geo_config.getId()
+                    << ", country code: "
+                    << country_code;
+                generateVerdictLog(
+                    ngx_http_cp_verdict_e::TRAFFIC_VERDICT_DROP,
+                    geo_config.getId(),
+                    true,
+                    geo_location_data
+                );
+                return ngx_http_cp_verdict_e::TRAFFIC_VERDICT_DROP;
+            }
         }
         dbgTrace(D_GEO_FILTER)
             << "No matched practice. Returned default action: "
             << geo_config.getDefaultAction();
         generateVerdictLog(
             convertActionToVerdict(geo_config.getDefaultAction()),
-            event,
             geo_config.getId(),
             true,
             geo_location_data,
@@ -176,7 +290,6 @@ private:
     Maybe<pair<ngx_http_cp_verdict_e, string>>
     getBehaviorsVerdict(
         const unordered_map<string, set<string>> &behaviors_map_to_search,
-        const NewHttpTransactionEvent &event,
         EnumArray<I_GeoLocation::GeoLocationField, std::string> geo_location_data)
     {
         bool is_matched = false;
@@ -193,7 +306,6 @@ private:
                 dbgTrace(D_GEO_FILTER) << "behavior verdict: DROP, exception id: " << behavior.getId();
                 generateVerdictLog(
                     matched_verdict,
-                    event,
                     behavior.getId(),
                     false,
                     geo_location_data
@@ -218,63 +330,87 @@ private:
     }
 
     ngx_http_cp_verdict_e
-    getExceptionVerdict(
-        const NewHttpTransactionEvent &event,
-        EnumArray<I_GeoLocation::GeoLocationField, std::string> geo_location_data
-    ){
-        string country_code = geo_location_data[I_GeoLocation::GeoLocationField::COUNTRY_CODE];
-        string country_name = geo_location_data[I_GeoLocation::GeoLocationField::COUNTRY_NAME];
-        string source_ip = convertIpAddrToString(event.getSourceIP());
+    getExceptionVerdict(const std::set<std::string> &sources) {
 
         pair<ngx_http_cp_verdict_e, string> curr_matched_behavior;
         ngx_http_cp_verdict_e verdict = ngx_http_cp_verdict_e::TRAFFIC_VERDICT_IRRELEVANT;
+        I_GeoLocation *i_geo_location = Singleton::Consume<I_GeoLocation>::by<HttpGeoFilter>();
+        EnumArray<I_GeoLocation::GeoLocationField, std::string> geo_location_data;
+        auto env = Singleton::Consume<I_Environment>::by<HttpGeoFilter>();
+        string source_id;
+        auto maybe_source_id = env->get<std::string>(HttpTransactionData::source_identifier);
+        if (!maybe_source_id.ok()) {
+            dbgTrace(D_GEO_FILTER) << "failed to get source identifier from env";
+        } else {
+            source_id = maybe_source_id.unpack();
+        }
 
-        dbgTrace(D_GEO_FILTER)
+        for (const std::string& source : sources) {
+
+            Maybe<IPAddr> maybe_source_ip = IPAddr::createIPAddr(source);
+            if (!maybe_source_ip.ok()){
+                dbgWarning(D_GEO_FILTER) <<
+                "create ip address failed for source: " <<
+                source <<
+                ", Error: " <<
+                maybe_source_ip.getErr();
+                continue;
+            }
+
+
+            auto asset_location = i_geo_location->lookupLocation(maybe_source_ip.unpack());
+            if (!asset_location.ok()) {
+                dbgDebug(D_GEO_FILTER) << "Lookup location failed for source: " <<
+                source <<
+                ", Error: " <<
+                asset_location.getErr();
+                continue;
+            }
+            geo_location_data = asset_location.unpack();
+            string country_code = geo_location_data[I_GeoLocation::GeoLocationField::COUNTRY_CODE];
+            string country_name = geo_location_data[I_GeoLocation::GeoLocationField::COUNTRY_NAME];
+            dbgTrace(D_GEO_FILTER)
             << "Get exception verdict. "
             << "country code: "
             << country_code
             << ", country name: "
             << country_name
-            << ", source ip address: "
-            << source_ip;
+            << ", ip address: "
+            << source
+            << ", source identifier: "
+            << source_id;
 
-        unordered_map<string, set<string>> exception_value_source_ip = {{"sourceIP", {source_ip}}};
-        auto matched_behavior_maybe = getBehaviorsVerdict(exception_value_source_ip, event, geo_location_data);
-        if (matched_behavior_maybe.ok()) {
-            curr_matched_behavior = matched_behavior_maybe.unpack();
-            verdict = curr_matched_behavior.first;
-            if (verdict == ngx_http_cp_verdict_e::TRAFFIC_VERDICT_DROP) {
-                return verdict;
+
+            unordered_map<string, set<string>> exception_value_country_code = {
+                {"countryCode", {country_code}},
+                {"sourceIdentifier", {source_id}}
+            };
+            auto matched_behavior_maybe = getBehaviorsVerdict(exception_value_country_code, geo_location_data);
+            if (matched_behavior_maybe.ok()) {
+                curr_matched_behavior = matched_behavior_maybe.unpack();
+                verdict = curr_matched_behavior.first;
+                if (verdict == ngx_http_cp_verdict_e::TRAFFIC_VERDICT_DROP) {
+                    return verdict;
+                }
+            }
+
+            unordered_map<string, set<string>> exception_value_country_name = {
+                {"countryName", {country_name}},
+                {"sourceIdentifier", {source_id}}
+            };
+            matched_behavior_maybe = getBehaviorsVerdict(exception_value_country_name, geo_location_data);
+            if (matched_behavior_maybe.ok()) {
+                curr_matched_behavior = matched_behavior_maybe.unpack();
+                verdict = curr_matched_behavior.first;
+                if (verdict == ngx_http_cp_verdict_e::TRAFFIC_VERDICT_DROP) {
+                    return verdict;
+                }
             }
         }
 
-        unordered_map<string, set<string>> exception_value_country_code = {
-            {"countryCode", {country_code}}
-        };
-        matched_behavior_maybe = getBehaviorsVerdict(exception_value_country_code, event, geo_location_data);
-        if (matched_behavior_maybe.ok()) {
-            curr_matched_behavior = matched_behavior_maybe.unpack();
-            verdict = curr_matched_behavior.first;
-            if (verdict == ngx_http_cp_verdict_e::TRAFFIC_VERDICT_DROP) {
-                return verdict;
-            }
-        }
-
-        unordered_map<string, set<string>> exception_value_country_name = {
-            {"countryName", {country_name}}
-        };
-        matched_behavior_maybe = getBehaviorsVerdict(exception_value_country_name, event, geo_location_data);
-        if (matched_behavior_maybe.ok()) {
-            curr_matched_behavior = matched_behavior_maybe.unpack();
-            verdict = curr_matched_behavior.first;
-            if (verdict == ngx_http_cp_verdict_e::TRAFFIC_VERDICT_DROP) {
-                return verdict;
-            }
-        }
         if (verdict == ngx_http_cp_verdict_e::TRAFFIC_VERDICT_ACCEPT) {
             generateVerdictLog(
                 verdict,
-                event,
                 curr_matched_behavior.second,
                 false,
                 geo_location_data
@@ -286,7 +422,6 @@ private:
     void
     generateVerdictLog(
         const ngx_http_cp_verdict_e &verdict,
-        const NewHttpTransactionEvent &event,
         const string &matched_id,
         bool is_geo_filter,
         const EnumArray<I_GeoLocation::GeoLocationField, std::string> geo_location_data,
@@ -307,14 +442,27 @@ private:
             LogField(matched_on, matched_id),
             ReportIS::Tags::HTTP_GEO_FILTER
         );
-        log
-            << LogField("sourceIP", convertIpAddrToString(event.getSourceIP()))
-            << LogField("sourcePort", event.getSourcePort())
-            << LogField("hostName", event.getDestinationHost())
-            << LogField("httpMethod", event.getHttpMethod())
-            << LogField("securityAction", is_prevent ? "Prevent" : "Detect");
+        auto env = Singleton::Consume<I_Environment>::by<HttpGeoFilter>();
+        auto source_ip = env->get<IPAddr>(HttpTransactionData::client_ip_ctx);
+        if (source_ip.ok()) log << LogField("sourceIP", convertIpAddrToString(source_ip.unpack()));
+
+        auto source_identifier = env->get<string>(HttpTransactionData::source_identifier);
+        if (source_identifier.ok()) log << LogField("httpSourceId", source_identifier.unpack());
+
+        auto source_port = env->get<string>(HttpTransactionData::client_port_ctx);
+        if (source_port.ok()) log << LogField("sourcePort", source_port.unpack());
+
+        auto host_name = env->get<string>(HttpTransactionData::host_name_ctx);
+        if (host_name.ok()) log << LogField("hostName", host_name.unpack());
+
+        auto method = env->get<string>(HttpTransactionData::method_ctx);
+        if (method.ok()) log << LogField("httpMethod", method.unpack());
+
+        log << LogField("securityAction", is_prevent ? "Prevent" : "Detect");
 
         if (is_default_action) log << LogField("isDefaultSecurityAction", true);
+        auto xff = env->get<string>(HttpTransactionData::xff_vals_ctx);
+        if (xff.ok()) log << LogField("proxyIP", xff.unpack());
 
         log
             << LogField("sourceCountryCode", geo_location_data[I_GeoLocation::GeoLocationField::COUNTRY_CODE])
@@ -343,5 +491,6 @@ void
 HttpGeoFilter::preload()
 {
     registerExpectedConfiguration<GeoConfig>("rulebase", "httpGeoFilter");
+    registerExpectedConfiguration<UsersAllIdentifiersConfig>("rulebase", "usersIdentifiers");
     registerConfigLoadCb([this]() { pimpl->loadDefaultAction(); });
 }

components/security_apps/ips/compound_protection.cc

@@ -43,7 +43,10 @@ CompoundProtection::Impl::getMatch(const set<PMPattern> &matched) const
         case Operation::ORDERED_AND: return getMatchOrderedAnd(matched);
     }
 
-    dbgAssert(false) << "Unknown compound operation: " << static_cast<uint>(operation);
+    dbgAssert(false)
+        << AlertInfo(AlertTeam::CORE, "ips")
+        << "Unknown compound operation: "
+        << static_cast<uint>(operation);
     return MatchType::NO_MATCH;
 }
 

components/security_apps/ips/include/ips_basic_policy.h

@@ -50,9 +50,13 @@ public:
 
 private:
     void readRules(cereal::JSONInputArchive &ar);
+    void readTriggerId(cereal::JSONInputArchive &ar);
+    void readExceptionId(cereal::JSONInputArchive &ar);
     void readDefaultAction(cereal::JSONInputArchive &ar);
 
     std::vector<Rule> rules;
+    std::string trigger_id;
+    std::string exception_id;
 };
 
 #endif // __IPS_BASIC_POLICY_H__

components/security_apps/ips/include/ips_signatures.h

@@ -27,6 +27,9 @@
 #include "log_generator.h"
 #include "parsed_context.h"
 #include "pm_hook.h"
+#include "i_generic_rulebase.h"
+
+#define DEFAULT_IPS_YIELD_COUNT 500
 
 /// \namespace IPSSignatureSubTypes
 /// \brief Namespace containing subtypes for IPS signatures.
@@ -335,9 +338,23 @@ public:
         return metadata.getYear();
     }
 
+    bool
+    isOk() const
+    {
+        return is_loaded;
+    }
+
+    static void
+    setYieldCounter(int new_yield_cnt)
+    {
+        yield_on_load_cnt = new_yield_cnt;
+    }
+
 private:
     IPSSignatureMetaData metadata;
     std::shared_ptr<BaseSignature> rule;
+    bool is_loaded;
+    static int yield_on_load_cnt;
 };
 
 /// \class SignatureAndAction
@@ -348,8 +365,16 @@ public:
     /// \brief Construct a SignatureAndAction object.
     /// \param _signature The complete signature.
     /// \param _action The signature action.
-    SignatureAndAction(std::shared_ptr<CompleteSignature> _signature, SignatureAction _action) :
-        signature(_signature), action(_action)
+    SignatureAndAction(
+        std::shared_ptr<CompleteSignature> _signature,
+        SignatureAction _action,
+        std::string _trigger_id,
+        std::string _exception_id)
+            :
+        signature(_signature),
+        action(_action),
+        trigger_id(_trigger_id),
+        exception_id(_exception_id)
     {}
 
     /// \brief Check if the signature is matched for prevention.
@@ -375,6 +400,11 @@ public:
         return signature->getContext();
     }
 
+    LogTriggerConf getTrigger() const;
+
+    std::set<ParameterBehavior>
+    getBehavior(const std::unordered_map<std::string, std::set<std::string>> &exceptions_dict) const;
+
 private:
     /// \brief Get the action results for the IPS state.
     /// \param ips_state The IPS entry.
@@ -382,6 +412,8 @@ private:
 
     std::shared_ptr<CompleteSignature> signature;
     SignatureAction action;
+    std::string trigger_id;
+    std::string exception_id;
 };
 } // namespace IPSSignatureSubTypes
 

components/security_apps/ips/include/snort_basic_policy.h

@@ -17,6 +17,8 @@ public:
 private:
     IPSSignatureSubTypes::SignatureAction action = IPSSignatureSubTypes::SignatureAction::IGNORE;
     std::vector<std::string> file_names;
+    std::string trigger_id;
+    std::string exception_id;
 };
 
 #endif // __SNORT_BASIC_POLICY_H__

components/security_apps/ips/ips_basic_policy.cc

@@ -17,6 +17,8 @@ void
 RuleSelector::load(cereal::JSONInputArchive &ar)
 {
     readRules(ar);
+    readTriggerId(ar);
+    readExceptionId(ar);
     readDefaultAction(ar);
 }
 
@@ -36,7 +38,7 @@ RuleSelector::selectSignatures() const
             if (rule.isSignaturedMatched(*signature)) {
                 if (rule.getAction() != IPSSignatureSubTypes::SignatureAction::IGNORE) {
                     signature->setIndicators("Check Point", signatures_version);
-                    res.emplace_back(signature, rule.getAction());
+                    res.emplace_back(signature, rule.getAction(), trigger_id, exception_id);
                 }
                 break;
             }
@@ -52,6 +54,28 @@ RuleSelector::readRules(cereal::JSONInputArchive &ar)
     ar(cereal::make_nvp("rules", rules));
 }
 
+void
+RuleSelector::readTriggerId(cereal::JSONInputArchive &ar)
+{
+    try {
+        ar(cereal::make_nvp("triggers", trigger_id));
+    } catch (const cereal::Exception &e) {
+        ar.setNextName(nullptr);
+        trigger_id = "";
+    }
+}
+
+void
+RuleSelector::readExceptionId(cereal::JSONInputArchive &ar)
+{
+    try {
+        ar(cereal::make_nvp("exceptions", exception_id));
+    } catch (const cereal::Exception &e) {
+        ar.setNextName(nullptr);
+        exception_id = "";
+    }
+}
+
 void
 RuleSelector::readDefaultAction(cereal::JSONInputArchive &ar)
 {

components/security_apps/ips/ips_comp.cc

@@ -98,6 +98,7 @@ public:
         registerListener();
         table = Singleton::Consume<I_Table>::by<IPSComp>();
         env = Singleton::Consume<I_Environment>::by<IPSComp>();
+        updateSigsYieldCount();
     }
 
     void
@@ -307,6 +308,20 @@ public:
 
     EventVerdict respond (const EndTransactionEvent &) override { return ACCEPT; }
 
+    void
+    updateSigsYieldCount()
+    {
+        const char *ips_yield_env_str = getenv("CPNANO_IPS_LOAD_YIELD_CNT");
+        int ips_yield_default = DEFAULT_IPS_YIELD_COUNT;
+        if (ips_yield_env_str != nullptr) {
+            dbgDebug(D_IPS) << "CPNANO_IPS_LOAD_YIELD_CNT env variable is set to " << ips_yield_env_str;
+            ips_yield_default = atoi(ips_yield_env_str);
+        }
+        int yield_limit = getProfileAgentSettingWithDefault<int>(ips_yield_default, "ips.sigsYieldCnt");
+        dbgDebug(D_IPS) << "Setting IPS yield count to  " << yield_limit;
+        IPSSignatureSubTypes::CompleteSignature::setYieldCounter(yield_limit);
+    }
+
 private:
     static void setDrop(IPSEntry &state) { state.setDrop(); }
     static bool isDrop(const IPSEntry &state) { return state.isDrop(); }
@@ -373,6 +388,7 @@ IPSComp::preload()
     registerExpectedConfigFile("ips", Config::ConfigFileType::Policy);
     registerExpectedConfigFile("ips", Config::ConfigFileType::Data);
     registerExpectedConfigFile("snort", Config::ConfigFileType::Policy);
+    registerConfigLoadCb([this]() { pimpl->updateSigsYieldCount(); });
 
     ParameterException::preload();