sync code

* sync code

* sync code

* code sync

* code sync

---------

Co-authored-by: Ned Wright <nedwright@proton.me>
Co-authored-by: Daniel Eisenberg <danielei@checkpoint.com>

CMakeLists.txt

@@ -1,7 +1,7 @@
 cmake_minimum_required (VERSION 2.8.4)
 project (ngen)
 
-set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fPIC -Wall -Wno-terminate")
+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -O2 -fPIC -Wall -Wno-terminate")
 
 execute_process(COMMAND grep -c "Alpine Linux" /etc/os-release OUTPUT_VARIABLE IS_ALPINE)
 if(NOT IS_ALPINE EQUAL "0")

README.md

@@ -74,7 +74,7 @@ For Linux, if you’ve built your own package use the following commands:
 
 ```bash
 $ install-cp-nano-agent.sh --install --hybrid_mode
-$ install-cp-nano-service-http-transaction-handler.sh –install
+$ install-cp-nano-service-http-transaction-handler.sh --install
 $ install-cp-nano-attachment-registration-manager.sh --install
 ```
 You can add the ```--token <token>``` and ```--email <email address>``` options to the first command, to get a token follow [documentation](https://docs.openappsec.io/getting-started/using-the-web-ui-saas/connect-deployed-agents-to-saas-management-k8s-and-linux). 

attachments/nginx/nginx_attachment_util/nginx_attachment_util.cc

@@ -95,6 +95,18 @@ getFailOpenHoldTimeout()
     return conf_data.getNumericalValue("fail_open_hold_timeout");
 }
 
+unsigned int
+getHoldVerdictPollingTime()
+{
+    return conf_data.getNumericalValue("hold_verdict_polling_time");
+}
+
+unsigned int
+getHoldVerdictRetries()
+{
+    return conf_data.getNumericalValue("hold_verdict_retries");
+}
+
 unsigned int
 getMaxSessionsPerMinute()
 {
@@ -155,6 +167,30 @@ getWaitingForVerdictThreadTimeout()
     return conf_data.getNumericalValue("waiting_for_verdict_thread_timeout_msec");
 }
 
+unsigned int
+getMinRetriesForVerdict()
+{
+    return conf_data.getNumericalValue("min_retries_for_verdict");
+}
+
+unsigned int
+getMaxRetriesForVerdict()
+{
+    return conf_data.getNumericalValue("max_retries_for_verdict");
+}
+
+unsigned int
+getReqBodySizeTrigger()
+{
+    return conf_data.getNumericalValue("body_size_trigger");
+}
+
+unsigned int
+getRemoveResServerHeader()
+{
+    return conf_data.getNumericalValue("remove_server_header");
+}
+
 int
 isIPAddress(c_str ip_str)
 {

attachments/nginx/nginx_attachment_util/nginx_attachment_util_ut/nginx_attachment_util_ut.cc

@@ -63,32 +63,44 @@ TEST_F(HttpAttachmentUtilTest, GetValidAttachmentConfiguration)
             "\"waiting_for_verdict_thread_timeout_msec\": 75,\n"
             "\"req_header_thread_timeout_msec\": 10,\n"
             "\"ip_ranges\": " + createIPRangesString(ip_ranges) + ",\n"
-            "\"static_resources_path\": \"" + static_resources_path + "\""
+            "\"static_resources_path\": \"" + static_resources_path + "\",\n"
+            "\"min_retries_for_verdict\": 1,\n"
+            "\"max_retries_for_verdict\": 3,\n"
+            "\"hold_verdict_retries\": 3,\n"
+            "\"hold_verdict_polling_time\": 1,\n"
+            "\"body_size_trigger\": 777,\n"
+            "\"remove_server_header\": 1\n"
         "}\n";
     ofstream valid_configuration_file(attachment_configuration_file_name);
     valid_configuration_file << valid_configuration;
     valid_configuration_file.close();
 
     EXPECT_EQ(initAttachmentConfig(attachment_configuration_file_name.c_str()), 1);
-    EXPECT_EQ(getDbgLevel(), 2);
+    EXPECT_EQ(getDbgLevel(), 2u);
     EXPECT_EQ(getStaticResourcesPath(), static_resources_path);
     EXPECT_EQ(isFailOpenMode(), 0);
-    EXPECT_EQ(getFailOpenTimeout(), 1234);
+    EXPECT_EQ(getFailOpenTimeout(), 1234u);
     EXPECT_EQ(isFailOpenHoldMode(), 1);
-    EXPECT_EQ(getFailOpenHoldTimeout(), 4321);
+    EXPECT_EQ(getFailOpenHoldTimeout(), 4321u);
     EXPECT_EQ(isFailOpenOnSessionLimit(), 1);
-    EXPECT_EQ(getMaxSessionsPerMinute(), 0);
-    EXPECT_EQ(getNumOfNginxIpcElements(), 200);
-    EXPECT_EQ(getKeepAliveIntervalMsec(), 10000);
-    EXPECT_EQ(getResProccessingTimeout(), 420);
-    EXPECT_EQ(getReqProccessingTimeout(), 42);
-    EXPECT_EQ(getRegistrationThreadTimeout(), 101);
-    EXPECT_EQ(getReqHeaderThreadTimeout(), 10);
-    EXPECT_EQ(getReqBodyThreadTimeout(), 155);
-    EXPECT_EQ(getResHeaderThreadTimeout(), 1);
-    EXPECT_EQ(getResBodyThreadTimeout(), 0);
-    EXPECT_EQ(getWaitingForVerdictThreadTimeout(), 75);
+    EXPECT_EQ(getMaxSessionsPerMinute(), 0u);
+    EXPECT_EQ(getNumOfNginxIpcElements(), 200u);
+    EXPECT_EQ(getKeepAliveIntervalMsec(), 10000u);
+    EXPECT_EQ(getResProccessingTimeout(), 420u);
+    EXPECT_EQ(getReqProccessingTimeout(), 42u);
+    EXPECT_EQ(getRegistrationThreadTimeout(), 101u);
+    EXPECT_EQ(getReqHeaderThreadTimeout(), 10u);
+    EXPECT_EQ(getReqBodyThreadTimeout(), 155u);
+    EXPECT_EQ(getResHeaderThreadTimeout(), 1u);
+    EXPECT_EQ(getResBodyThreadTimeout(), 0u);
+    EXPECT_EQ(getMinRetriesForVerdict(), 1u);
+    EXPECT_EQ(getMaxRetriesForVerdict(), 3u);
+    EXPECT_EQ(getReqBodySizeTrigger(), 777u);
+    EXPECT_EQ(getWaitingForVerdictThreadTimeout(), 75u);
     EXPECT_EQ(getInspectionMode(), ngx_http_inspection_mode::BLOCKING_THREAD);
+    EXPECT_EQ(getRemoveResServerHeader(), 1u);
+    EXPECT_EQ(getHoldVerdictRetries(), 3u);
+    EXPECT_EQ(getHoldVerdictPollingTime(), 1u);
 
     EXPECT_EQ(isDebugContext("1.2.3.4", "5.6.7.8", 80, "GET", "test", "/abc"), 1);
     EXPECT_EQ(isDebugContext("1.2.3.9", "5.6.7.8", 80, "GET", "test", "/abc"), 0);

build_system/apisix/docker-compose.yaml

@@ -1,15 +1,15 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
 
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 version: "3"
 

build_system/docker/entry.sh

@@ -11,6 +11,7 @@ var_fog_address=
 var_proxy=
 var_mode=
 var_token=
+var_ignore=
 init=
 
 if [ ! -f /nano-service-installers/$ORCHESTRATION_INSTALLATION_SCRIPT ]; then
@@ -33,6 +34,8 @@ while true; do
         var_proxy="$1"
     elif [ "$1" == "--hybrid-mode" ] || [ "$1" == "--standalone" ]; then
         var_mode="--hybrid_mode"
+    elif [ "$1" == "--no-upgrade" ]; then
+        var_ignore="--ignore all"
     elif [ "$1" == "--token" ]; then
         shift
         var_token="$1"
@@ -41,12 +44,16 @@ while true; do
 done
 
 if [ -z $var_token ] && [ $var_mode != "--hybrid_mode" ]; then
-    echo "Error: Token was not provided as input argument."
-    exit 1
+    var_token=$(env | grep 'AGENT_TOKEN=' | cut -d'=' -f2-)
+    if  [ -z $var_token ]; then
+        echo "Error: Token was not provided as input argument."
+        exit 1
+    fi
 fi
 
 orchestration_service_installation_flags="--container_mode --skip_registration"
 if [ ! -z $var_token ]; then
+    export AGENT_TOKEN="$var_token"
     orchestration_service_installation_flags="$orchestration_service_installation_flags --token $var_token"
 fi
 if [ ! -z $var_fog_address ]; then
@@ -59,6 +66,9 @@ fi
 if [ ! -z $var_mode ]; then
     orchestration_service_installation_flags="$orchestration_service_installation_flags $var_mode"
 fi
+if [ ! -z "$var_ignore" ]; then
+    orchestration_service_installation_flags="$orchestration_service_installation_flags $var_ignore"
+fi
 
 
 /nano-service-installers/$ORCHESTRATION_INSTALLATION_SCRIPT --install $orchestration_service_installation_flags
@@ -88,19 +98,19 @@ while true; do
         init=true
         /etc/cp/watchdog/cp-nano-watchdog >/dev/null 2>&1 &
         sleep 5
-        active_watchdog_pid=$(pgrep -f -x -o "/bin/bash /etc/cp/watchdog/cp-nano-watchdog")
+        active_watchdog_pid=$(pgrep -f -x -o "/bin/(bash|sh) /etc/cp/watchdog/cp-nano-watchdog")
     fi
 
-    current_watchdog_pid=$(pgrep -f -x -o "/bin/bash /etc/cp/watchdog/cp-nano-watchdog")
+    current_watchdog_pid=$(pgrep -f -x -o "/bin/(bash|sh) /etc/cp/watchdog/cp-nano-watchdog")
     if [ ! -f /tmp/restart_watchdog ] && [ "$current_watchdog_pid" != "$active_watchdog_pid" ]; then
         echo "Error: Watchdog exited abnormally"
         exit 1
     elif [ -f /tmp/restart_watchdog ]; then
         rm -f /tmp/restart_watchdog
-        kill -9 "$(pgrep -f -x -o "/bin/bash /etc/cp/watchdog/cp-nano-watchdog")"
+        kill -9 "$(pgrep -f -x -o "/bin/(bash|sh) /etc/cp/watchdog/cp-nano-watchdog")"
         /etc/cp/watchdog/cp-nano-watchdog >/dev/null 2>&1 &
         sleep 5
-        active_watchdog_pid=$(pgrep -f -x -o "/bin/bash /etc/cp/watchdog/cp-nano-watchdog")
+        active_watchdog_pid=$(pgrep -f -x -o "/bin/(bash|sh) /etc/cp/watchdog/cp-nano-watchdog")
     fi
 
     sleep 5

components/CMakeLists.txt

@@ -1,11 +1,10 @@
-add_subdirectory(report_messaging)
 add_subdirectory(http_manager)
 add_subdirectory(signal_handler)
 add_subdirectory(gradual_deployment)
 add_subdirectory(packet)
 add_subdirectory(pending_key)
-add_subdirectory(health_check_manager)
 
 add_subdirectory(utils)
 add_subdirectory(attachment-intakers)
 add_subdirectory(security_apps)
+add_subdirectory(nginx_message_reader)

components/attachment-intakers/attachment_registrator/attachment_registrator.cc

@@ -39,6 +39,8 @@ USE_DEBUG_FLAG(D_ATTACHMENT_REGISTRATION);
 
 using namespace std;
 
+static const AlertInfo alert(AlertTeam::CORE, "attachment registrator");
+
 class AttachmentRegistrator::Impl
 {
 public:
@@ -163,7 +165,7 @@ private:
                 break;
             }
             default:
-                dbgAssert(false) << "Unsupported Attachment " << static_cast<int>(type);
+                dbgAssert(false) << alert << "Unsupported Attachment " << static_cast<int>(type);
         }
 
         if (!family_id.empty()) handler_path << family_id << "_";
@@ -175,7 +177,9 @@ private:
     string
     genRegCommand(const string &family_id, const uint num_of_members, const AttachmentType type) const
     {
-        dbgAssert(num_of_members > 0) << "Failed to generate a registration command for an empty group of attachments";
+        dbgAssert(num_of_members > 0)
+            << alert
+            << "Failed to generate a registration command for an empty group of attachments";
 
         static const string registration_format = "/etc/cp/watchdog/cp-nano-watchdog --register ";
         stringstream registration_command;
@@ -187,7 +191,7 @@ private:
                 break;
             }
             default:
-                dbgAssert(false) << "Unsupported Attachment " << static_cast<int>(type);
+                dbgAssert(false) << alert << "Unsupported Attachment " << static_cast<int>(type);
         }
 
         if (!family_id.empty()) registration_command << " --family " << family_id;
@@ -265,7 +269,7 @@ private:
             return -1;
         }
 
-        dbgAssert(new_socket.unpack() > 0) << "Generated socket is OK yet negative";
+        dbgAssert(new_socket.unpack() > 0) << alert << "Generated socket is OK yet negative";
         return new_socket.unpack();
     }
 
@@ -281,7 +285,7 @@ private:
         }
 
         I_Socket::socketFd client_socket = accepted_socket.unpack();
-        dbgAssert(client_socket > 0) << "Generated client socket is OK yet negative";
+        dbgAssert(client_socket > 0) << alert << "Generated client socket is OK yet negative";
         auto close_socket_on_exit = make_scope_exit([&]() { i_socket->closeSocket(client_socket); });
 
         Maybe<uint8_t> attachment_id = readNumericParam(client_socket);
@@ -375,7 +379,7 @@ private:
         }
 
         I_Socket::socketFd client_socket = accepted_socket.unpack();
-        dbgAssert(client_socket > 0) << "Generated client socket is OK yet negative";
+        dbgAssert(client_socket > 0) << alert << "Generated client socket is OK yet negative";
         auto close_socket_on_exit = make_scope_exit([&]() { i_socket->closeSocket(client_socket); });
 
         Maybe<AttachmentType> attachment_type = readAttachmentType(client_socket);

components/attachment-intakers/nginx_attachment/nginx_attachment.cc

@@ -31,6 +31,7 @@
 #include <stdarg.h>
 
 #include <boost/range/iterator_range.hpp>
+#include <boost/algorithm/string.hpp>
 #include <boost/regex.hpp>
 
 #include "nginx_attachment_config.h"
@@ -76,6 +77,7 @@ using namespace std;
 using ChunkType = ngx_http_chunk_type_e;
 
 static const uint32_t corrupted_session_id = CORRUPTED_SESSION_ID;
+static const AlertInfo alert(AlertTeam::CORE, "nginx attachment");
 
 class FailopenModeListener : public Listener<FailopenModeEvent>
 {
@@ -259,6 +261,22 @@ public:
             );
         }
 
+        const char* ignored_headers_env = getenv("SAAS_IGNORED_UPSTREAM_HEADERS");
+        if (ignored_headers_env) {
+            string ignored_headers_str = ignored_headers_env;
+            ignored_headers_str = NGEN::Strings::trim(ignored_headers_str);
+
+            if (!ignored_headers_str.empty()) {
+                dbgInfo(D_HTTP_MANAGER)
+                    << "Ignoring SAAS_IGNORED_UPSTREAM_HEADERS environment variable: "
+                    << ignored_headers_str;
+
+                vector<string> ignored_headers_vec;
+                boost::split(ignored_headers_vec, ignored_headers_str, boost::is_any_of(";"));
+                for (const string &header : ignored_headers_vec) ignored_headers.insert(header);
+            }
+        }
+
         dbgInfo(D_NGINX_ATTACHMENT) << "Successfully initialized NGINX Attachment";
     }
 
@@ -410,7 +428,10 @@ private:
     bool
     registerAttachmentProcess(uint32_t nginx_user_id, uint32_t nginx_group_id, I_Socket::socketFd new_socket)
     {
-        dbgAssert(server_sock > 0) << "Registration attempt occurred while registration socket is uninitialized";
+        dbgAssert(server_sock > 0)
+        << alert
+        << "Registration attempt occurred while registration socket is uninitialized";
+
 #ifdef FAILURE_TEST
         bool did_fail_on_purpose = false;
 #endif
@@ -802,10 +823,10 @@ private:
         case ChunkType::HOLD_DATA:
             return "HOLD_DATA";
         case ChunkType::COUNT:
-            dbgAssert(false) << "Invalid 'COUNT' ChunkType";
+            dbgAssert(false) << alert << "Invalid 'COUNT' ChunkType";
             return "";
         }
-        dbgAssert(false) << "ChunkType was not handled by the switch case";
+        dbgAssert(false) << alert << "ChunkType was not handled by the switch case";
         return "";
     }
 
@@ -1030,7 +1051,11 @@ private:
             case ChunkType::REQUEST_START:
                 return handleStartTransaction(data, opaque);
             case ChunkType::REQUEST_HEADER:
-                return handleMultiModifiableChunks(NginxParser::parseRequestHeaders(data), "request header", true);
+                return handleMultiModifiableChunks(
+                    NginxParser::parseRequestHeaders(data, ignored_headers),
+                    "request header",
+                    true
+                );
             case ChunkType::REQUEST_BODY:
                 return handleModifiableChunk(NginxParser::parseRequestBody(data), "request body", true);
             case ChunkType::REQUEST_END: {
@@ -1131,7 +1156,11 @@ private:
             "webUserResponse"
         );
 
+        bool remove_event_id_param =
+            getProfileAgentSettingWithDefault<string>("false", "nginxAttachment.removeRedirectEventId") == "true";
+
         string uuid;
+        string redirectUrl;
         if (i_transaction_table->hasState<NginxAttachmentOpaque>()) {
             NginxAttachmentOpaque &opaque = i_transaction_table->getState<NginxAttachmentOpaque>();
             uuid = opaque.getSessionUUID();
@@ -1141,7 +1170,12 @@ private:
         if (web_trigger_conf.getDetailsLevel() == "Redirect") {
             web_response_data.response_data.redirect_data.redirect_location_size =
                 web_trigger_conf.getRedirectURL().size();
-            web_response_data.response_data.redirect_data.add_event_id = web_trigger_conf.getAddEventId() ? 1 : 0;
+            bool add_event = web_trigger_conf.getAddEventId();
+            if (add_event && !remove_event_id_param) {
+                web_response_data.response_data.redirect_data.redirect_location_size +=
+                    strlen("?event_id=") + uuid.size();
+            }
+            web_response_data.response_data.redirect_data.add_event_id = add_event ? 1 : 0;
             web_response_data.web_repsonse_type = static_cast<uint8_t>(ngx_web_response_type_e::REDIRECT_WEB_RESPONSE);
         } else {
             web_response_data.response_data.custom_response_data.title_size =
@@ -1155,8 +1189,13 @@ private:
         verdict_data_sizes.push_back(sizeof(ngx_http_cp_web_response_data_t));
 
         if (web_trigger_conf.getDetailsLevel() == "Redirect") {
-            verdict_data.push_back(reinterpret_cast<const char *>(web_trigger_conf.getRedirectURL().data()));
-            verdict_data_sizes.push_back(web_trigger_conf.getRedirectURL().size());
+            redirectUrl = web_trigger_conf.getRedirectURL();
+            if (!remove_event_id_param && web_trigger_conf.getAddEventId()) {
+                redirectUrl += "?event-id=" + uuid;
+            }
+
+            verdict_data.push_back(reinterpret_cast<const char *>(redirectUrl.data()));
+            verdict_data_sizes.push_back(redirectUrl.size());
         } else {
             verdict_data.push_back(reinterpret_cast<const char *>(web_trigger_conf.getResponseTitle().data()));
             verdict_data_sizes.push_back(web_trigger_conf.getResponseTitle().size());
@@ -1582,7 +1621,7 @@ private:
             case WAIT:
                 return "WAIT";
         }
-        dbgAssert(false) << "Invalid EventVerdict enum: " << static_cast<int>(verdict.getVerdict());
+        dbgAssert(false) << alert << "Invalid EventVerdict enum: " << static_cast<int>(verdict.getVerdict());
         return string();
     }
 
@@ -1633,13 +1672,14 @@ private:
             return false;
         }
 
-        dbgAssert(sock.unpack() > 0) << "The generated server socket is OK, yet negative";
+        dbgAssert(sock.unpack() > 0) << alert << "The generated server socket is OK, yet negative";
         server_sock = sock.unpack();
 
         I_MainLoop::Routine accept_attachment_routine =
             [this] ()
             {
                 dbgAssert(inst_awareness->getUniqueID().ok())
+                    << alert
                     << "NGINX attachment Initialized without Instance Awareness";
 
                 bool did_fail_on_purpose = false;
@@ -1652,7 +1692,7 @@ private:
                     << (did_fail_on_purpose ? "Intentional Failure" : new_sock.getErr());
                     return;
                 }
-                dbgAssert(new_sock.unpack() > 0) << "The generated client socket is OK, yet negative";
+                dbgAssert(new_sock.unpack() > 0) << alert << "The generated client socket is OK, yet negative";
                 I_Socket::socketFd new_attachment_socket = new_sock.unpack();
 
                 Maybe<string> uid = getUidFromSocket(new_attachment_socket);
@@ -1698,7 +1738,7 @@ private:
                 }
             };
         mainloop->addFileRoutine(
-            I_MainLoop::RoutineType::RealTime,
+            I_MainLoop::RoutineType::System,
             server_sock,
             accept_attachment_routine,
             "Nginx Attachment registration listener",
@@ -1711,7 +1751,9 @@ private:
     Maybe<string>
     getUidFromSocket(I_Socket::socketFd new_attachment_socket)
     {
-        dbgAssert(server_sock > 0) << "Registration attempt occurred while registration socket is uninitialized";
+        dbgAssert(server_sock > 0)
+            << alert
+            << "Registration attempt occurred while registration socket is uninitialized";
 
         bool did_fail_on_purpose = false;
         DELAY_IF_NEEDED(IntentionalFailureHandler::FailureType::ReceiveDataFromSocket);
@@ -1793,6 +1835,7 @@ private:
     HttpAttachmentConfig attachment_config;
     I_MainLoop::RoutineID attachment_routine_id = 0;
     bool traffic_indicator = false;
+    unordered_set<string> ignored_headers;
 
     // Interfaces
     I_Socket *i_socket                              = nullptr;

components/attachment-intakers/nginx_attachment/nginx_attachment_config.cc

@@ -42,6 +42,7 @@ HttpAttachmentConfig::init()
     setNumOfNginxIpcElements();
     setDebugByContextValues();
     setKeepAliveIntervalMsec();
+    setRetriesForVerdict();
 }
 
 bool
@@ -202,6 +203,13 @@ HttpAttachmentConfig::setFailOpenTimeout()
         "NGINX wait thread timeout msec"
     ));
 
+    conf_data.setNumericalValue("remove_server_header", getAttachmentConf<uint>(
+        0,
+        "agent.removeServerHeader.nginxModule",
+        "HTTP manager",
+        "Response server header removal"
+    ));
+
     uint inspection_mode = getAttachmentConf<uint>(
         static_cast<uint>(ngx_http_inspection_mode_e::NON_BLOCKING_THREAD),
         "agent.inspectionMode.nginxModule",
@@ -215,6 +223,46 @@ HttpAttachmentConfig::setFailOpenTimeout()
     conf_data.setNumericalValue("nginx_inspection_mode", inspection_mode);
 }
 
+void
+HttpAttachmentConfig::setRetriesForVerdict()
+{
+    conf_data.setNumericalValue("min_retries_for_verdict", getAttachmentConf<uint>(
+        3,
+        "agent.minRetriesForVerdict.nginxModule",
+        "HTTP manager",
+        "Min retries for verdict"
+    ));
+
+    conf_data.setNumericalValue("max_retries_for_verdict", getAttachmentConf<uint>(
+        15,
+        "agent.maxRetriesForVerdict.nginxModule",
+        "HTTP manager",
+        "Max retries for verdict"
+    ));
+
+    conf_data.setNumericalValue("hold_verdict_retries", getAttachmentConf<uint>(
+        3,
+        "agent.retriesForHoldVerdict.nginxModule",
+        "HTTP manager",
+        "Retries for hold verdict"
+    ));
+
+    conf_data.setNumericalValue("hold_verdict_polling_time", getAttachmentConf<uint>(
+        1,
+        "agent.holdVerdictPollingInterval.nginxModule",
+        "HTTP manager",
+        "Hold verdict polling interval seconds"
+    ));
+
+
+    conf_data.setNumericalValue("body_size_trigger", getAttachmentConf<uint>(
+        200000,
+        "agent.reqBodySizeTrigger.nginxModule",
+        "HTTP manager",
+        "Request body size trigger"
+    ));
+}
+
 void
 HttpAttachmentConfig::setFailOpenWaitMode()
 {

components/attachment-intakers/nginx_attachment/nginx_attachment_config.h

@@ -70,6 +70,8 @@ private:
 
     void setDebugByContextValues();
 
+    void setRetriesForVerdict();
+
     WebTriggerConf web_trigger_conf;
     HttpAttachmentConfiguration conf_data;
 };

components/attachment-intakers/nginx_attachment/nginx_attachment_opaque.cc

@@ -19,12 +19,15 @@
 
 #include "config.h"
 #include "virtual_modifiers.h"
+#include "agent_core_utilities.h"
 
 using namespace std;
 using namespace boost::uuids;
 
 USE_DEBUG_FLAG(D_HTTP_MANAGER);
 
+extern bool is_keep_alive_ctx;
+
 NginxAttachmentOpaque::NginxAttachmentOpaque(HttpTransactionData _transaction_data)
         :
     TableOpaqueSerialize<NginxAttachmentOpaque>(this),
@@ -119,3 +122,47 @@ NginxAttachmentOpaque::setSavedData(const string &name, const string &data, EnvK
     saved_data[name] = data;
     ctx.registerValue(name, data, log_ctx);
 }
+
+bool
+NginxAttachmentOpaque::setKeepAliveCtx(const string &hdr_key, const string &hdr_val)
+{
+    if (!is_keep_alive_ctx) return false;
+
+    static pair<string, string> keep_alive_hdr;
+    static bool keep_alive_hdr_initialized = false;
+
+    if (keep_alive_hdr_initialized) {
+        if (!keep_alive_hdr.first.empty() && hdr_key == keep_alive_hdr.first && hdr_val == keep_alive_hdr.second) {
+            dbgTrace(D_HTTP_MANAGER) << "Registering keep alive context";
+            ctx.registerValue("keep_alive_request_ctx", true);
+            return true;
+        }
+        return false;
+    }
+
+    const char* saas_keep_alive_hdr_name_env = getenv("SAAS_KEEP_ALIVE_HDR_NAME");
+    if (saas_keep_alive_hdr_name_env) {
+        keep_alive_hdr.first = NGEN::Strings::trim(saas_keep_alive_hdr_name_env);
+        dbgInfo(D_HTTP_MANAGER) << "Using SAAS_KEEP_ALIVE_HDR_NAME environment variable: " << keep_alive_hdr.first;
+    }
+
+    if (!keep_alive_hdr.first.empty()) {
+        const char* saas_keep_alive_hdr_value_env = getenv("SAAS_KEEP_ALIVE_HDR_VALUE");
+        if (saas_keep_alive_hdr_value_env) {
+            keep_alive_hdr.second = NGEN::Strings::trim(saas_keep_alive_hdr_value_env);
+            dbgInfo(D_HTTP_MANAGER)
+                << "Using SAAS_KEEP_ALIVE_HDR_VALUE environment variable: "
+                << keep_alive_hdr.second;
+        }
+
+        if (!keep_alive_hdr.second.empty() && (hdr_key == keep_alive_hdr.first && hdr_val == keep_alive_hdr.second)) {
+            dbgTrace(D_HTTP_MANAGER) << "Registering keep alive context";
+            ctx.registerValue("keep_alive_request_ctx", true);
+            keep_alive_hdr_initialized = true;
+            return true;
+        }
+    }
+
+    keep_alive_hdr_initialized = true;
+    return false;
+}

components/attachment-intakers/nginx_attachment/nginx_attachment_opaque.h

@@ -85,6 +85,7 @@ public:
         EnvKeyAttr::LogSection log_ctx = EnvKeyAttr::LogSection::NONE
     );
     void setApplicationState(const ApplicationState &app_state) { application_state = app_state; }
+    bool setKeepAliveCtx(const std::string &hdr_key, const std::string &hdr_val);
 
 private:
     CompressionStream       *response_compression_stream;

components/attachment-intakers/nginx_attachment/nginx_parser.cc

@@ -29,6 +29,7 @@ USE_DEBUG_FLAG(D_NGINX_ATTACHMENT_PARSER);
 Buffer NginxParser::tenant_header_key = Buffer();
 static const Buffer proxy_ip_header_key("X-Forwarded-For", 15, Buffer::MemoryType::STATIC);
 static const Buffer source_ip("sourceip", 8, Buffer::MemoryType::STATIC);
+bool is_keep_alive_ctx = getenv("SAAS_KEEP_ALIVE_HDR_NAME") != nullptr;
 
 map<Buffer, CompressionType> NginxParser::content_encodings = {
     {Buffer("identity"), CompressionType::NO_COMPRESSION},
@@ -177,22 +178,54 @@ getActivetenantAndProfile(const string &str, const string &deli = ",")
 }
 
 Maybe<vector<HttpHeader>>
-NginxParser::parseRequestHeaders(const Buffer &data)
+NginxParser::parseRequestHeaders(const Buffer &data, const unordered_set<string> &ignored_headers)
 {
-    auto parsed_headers = genHeaders(data);
-    if (!parsed_headers.ok()) return parsed_headers.passErr();
+    auto maybe_parsed_headers = genHeaders(data);
+    if (!maybe_parsed_headers.ok()) return maybe_parsed_headers.passErr();
 
     auto i_transaction_table = Singleton::Consume<I_TableSpecific<SessionID>>::by<NginxAttachment>();
+    auto parsed_headers = maybe_parsed_headers.unpack();
+    NginxAttachmentOpaque &opaque = i_transaction_table->getState<NginxAttachmentOpaque>();
 
-    for (const HttpHeader &header : *parsed_headers) {
+    if (is_keep_alive_ctx || !ignored_headers.empty()) {
+        bool is_last_header_removed = false;
+        parsed_headers.erase(
+            remove_if(
+                parsed_headers.begin(),
+                parsed_headers.end(),
+                [&opaque, &is_last_header_removed, &ignored_headers](const HttpHeader &header)
+                {
+                    string hdr_key = static_cast<string>(header.getKey());
+                    string hdr_val = static_cast<string>(header.getValue());
+                    if (
+                        opaque.setKeepAliveCtx(hdr_key, hdr_val)
+                        || ignored_headers.find(hdr_key) != ignored_headers.end()
+                    ) {
+                        dbgTrace(D_NGINX_ATTACHMENT_PARSER) << "Header was removed from headers list: " << hdr_key;
+                        if (header.isLastHeader()) {
+                            dbgTrace(D_NGINX_ATTACHMENT_PARSER) << "Last header was removed from headers list";
+                            is_last_header_removed = true;
+                        }
+                        return true;
+                    }
+                    return false;
+                }
+            ),
+            parsed_headers.end()
+        );
+        if (is_last_header_removed) {
+            dbgTrace(D_NGINX_ATTACHMENT_PARSER) << "Adjusting last header flag";
+            if (!parsed_headers.empty()) parsed_headers.back().setIsLastHeader();
+        }
+    }
+
+    for (const HttpHeader &header : parsed_headers) {
         auto source_identifiers = getConfigurationWithDefault<UsersAllIdentifiersConfig>(
             UsersAllIdentifiersConfig(),
             "rulebase",
             "usersIdentifiers"
         );
         source_identifiers.parseRequestHeaders(header);
-
-        NginxAttachmentOpaque &opaque = i_transaction_table->getState<NginxAttachmentOpaque>();
         opaque.addToSavedData(
             HttpTransactionData::req_headers,
             static_cast<string>(header.getKey()) + ": " + static_cast<string>(header.getValue()) + "\r\n"

components/attachment-intakers/nginx_attachment/nginx_parser.h

@@ -28,7 +28,10 @@ public:
     static Maybe<HttpTransactionData> parseStartTrasaction(const Buffer &data);
     static Maybe<ResponseCode> parseResponseCode(const Buffer &data);
     static Maybe<uint64_t> parseContentLength(const Buffer &data);
-    static Maybe<std::vector<HttpHeader>> parseRequestHeaders(const Buffer &data);
+    static Maybe<std::vector<HttpHeader>> parseRequestHeaders(
+        const Buffer &data,
+        const std::unordered_set<std::string> &ignored_headers
+    );
     static Maybe<std::vector<HttpHeader>> parseResponseHeaders(const Buffer &data);
     static Maybe<HttpBody> parseRequestBody(const Buffer &data);
     static Maybe<HttpBody> parseResponseBody(const Buffer &raw_response_body, CompressionStream *compression_stream);

components/attachment-intakers/nginx_attachment/user_identifiers_config.cc

@@ -282,21 +282,39 @@ isIpTrusted(const string &value, const vector<CIDRSData> &cidr_values)
 }
 
 Maybe<string>
-UsersAllIdentifiersConfig::parseXForwardedFor(const string &str) const
+UsersAllIdentifiersConfig::parseXForwardedFor(const string &str, ExtractType type) const
 {
     vector<string> header_values = split(str);
-
     if (header_values.empty()) return genError("No IP found in the xff header list");
 
     vector<string> xff_values = getHeaderValuesFromConfig("x-forwarded-for");
     vector<CIDRSData> cidr_values(xff_values.begin(), xff_values.end());
+    string last_valid_ip;
 
-    for (const string &value : header_values) {
-        if (!IPAddr::createIPAddr(value).ok()) {
-            dbgWarning(D_NGINX_ATTACHMENT_PARSER) << "Invalid IP address found in the xff header IPs list: " << value;
-            return genError("Invalid IP address");
+    for (auto it = header_values.rbegin(); it != header_values.rend() - 1; ++it) {
+        if (!IPAddr::createIPAddr(*it).ok()) {
+            dbgWarning(D_NGINX_ATTACHMENT_PARSER) << "Invalid IP address found in the xff header IPs list: " << *it;
+            if (last_valid_ip.empty()) {
+                return genError("Invalid IP address");
+            }
+            return last_valid_ip;
         }
-        if (!isIpTrusted(value, cidr_values)) return genError("Untrusted Ip found");
+        last_valid_ip = *it;
+        if (type == ExtractType::PROXYIP) continue;
+        if (!isIpTrusted(*it, cidr_values)) {
+            dbgDebug(D_NGINX_ATTACHMENT_PARSER) << "Found untrusted IP in the xff header IPs list: " << *it;
+            return *it;
+        }
+    }
+
+    if (!IPAddr::createIPAddr(header_values[0]).ok()) {
+        dbgWarning(D_NGINX_ATTACHMENT_PARSER)
+            << "Invalid IP address found in the xff header IPs list: "
+            << header_values[0];
+        if (last_valid_ip.empty()) {
+            return genError("No Valid Ip address was found");
+        }
+        return last_valid_ip;
     }
 
     return header_values[0];
@@ -306,22 +324,28 @@ UsersAllIdentifiersConfig::parseXForwardedFor(const string &str) const
 void
 UsersAllIdentifiersConfig::setXFFValuesToOpaqueCtx(const HttpHeader &header, ExtractType type) const
 {
-    auto value = parseXForwardedFor(header.getValue());
+    auto i_transaction_table = Singleton::Consume<I_TableSpecific<SessionID>>::by<NginxAttachment>();
+    if (!i_transaction_table || !i_transaction_table->hasState<NginxAttachmentOpaque>()) {
+        dbgTrace(D_NGINX_ATTACHMENT_PARSER) << "Can't get the transaction table";
+        return;
+    }
+    NginxAttachmentOpaque &opaque = i_transaction_table->getState<NginxAttachmentOpaque>();
+    auto value = parseXForwardedFor(header.getValue(), type);
     if (!value.ok()) {
         dbgTrace(D_NGINX_ATTACHMENT_PARSER) << "Could not extract source identifier from X-Forwarded-For header";
         return;
     };
-    auto i_transaction_table = Singleton::Consume<I_TableSpecific<SessionID>>::by<NginxAttachment>();
-    if (!i_transaction_table || !i_transaction_table->hasState<NginxAttachmentOpaque>()) {
-        dbgDebug(D_NGINX_ATTACHMENT_PARSER) << "Can't get the transaction table";
-        return;
-    }
-    NginxAttachmentOpaque &opaque = i_transaction_table->getState<NginxAttachmentOpaque>();
+
     if (type == ExtractType::SOURCEIDENTIFIER) {
         opaque.setSourceIdentifier(header.getKey(), value.unpack());
         dbgDebug(D_NGINX_ATTACHMENT_PARSER)
-            << "Added source identifir to XFF "
+            << "Added source identifier from XFF header"
             <<  value.unpack();
+        opaque.setSavedData(HttpTransactionData::xff_vals_ctx, header.getValue());
+        opaque.setSavedData(HttpTransactionData::source_identifier, value.unpack());
+        dbgTrace(D_NGINX_ATTACHMENT_PARSER)
+            << "XFF found, set ctx with value from header: "
+            << static_cast<string>(header.getValue());
     } else {
         opaque.setSavedData(HttpTransactionData::proxy_ip_ctx, value.unpack());
     }

components/generic_rulebase/assets_config.cc

@@ -1,137 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "generic_rulebase/assets_config.h"
-
-#include <string>
-#include <algorithm>
-#include <unordered_map>
-
-#include "generic_rulebase/generic_rulebase_utils.h"
-#include "config.h"
-#include "debug.h"
-#include "ip_utilities.h"
-
-USE_DEBUG_FLAG(D_RULEBASE_CONFIG);
-
-using namespace std;
-
-void
-RuleAsset::load(cereal::JSONInputArchive &archive_in)
-{
-    archive_in(cereal::make_nvp("assetId", asset_id));
-    archive_in(cereal::make_nvp("assetName", asset_name));
-    archive_in(cereal::make_nvp("assetUrls", asset_urls));
-
-    dbgWarning(D_RULEBASE_CONFIG) << "Adding asset with UID: " << asset_id;
-}
-
-void
-RuleAsset::AssetUrl::load(cereal::JSONInputArchive &archive_in)
-{
-    archive_in(cereal::make_nvp("protocol", protocol));
-    transform(protocol.begin(), protocol.end(), protocol.begin(), [](unsigned char c) { return tolower(c); });
-
-    archive_in(cereal::make_nvp("ip", ip));
-    archive_in(cereal::make_nvp("port", port));
-
-    int value;
-    if (protocol == "*") {
-        is_any_proto = true;
-    } else {
-        is_any_proto = false;
-        try {
-            value = 0;
-            if(protocol == "udp") value = IPPROTO_UDP;
-            if(protocol == "tcp") value = IPPROTO_TCP;
-            if(protocol == "dccp") value = IPPROTO_DCCP;
-            if(protocol == "sctp") value = IPPROTO_SCTP;
-            if(protocol == "icmp") value = IPPROTO_ICMP;
-            if(protocol == "icmpv6") value = IPPROTO_ICMP;
-
-            if (value > static_cast<int>(UINT8_MAX) || value < 0) {
-                dbgWarning(D_RULEBASE_CONFIG)
-                    << "provided value is not a legal IP protocol number. Value: "
-                    << protocol;
-            } else {
-                parsed_proto = value;
-            }
-        } catch (...) {
-            dbgWarning(D_RULEBASE_CONFIG) << "provided value is not a legal IP protocol. Value: " << protocol;
-        }
-    }
-
-    if (port == "*") {
-        is_any_port = true;
-    } else {
-        is_any_port = false;
-        try {
-            value = stoi(port);
-            if (value > static_cast<int>(UINT16_MAX) || value < 0) {
-                dbgWarning(D_RULEBASE_CONFIG) << "provided value is not a legal port number. Value: " << port;
-            } else {
-                parsed_port = value;
-            }
-        } catch (...) {
-            dbgWarning(D_RULEBASE_CONFIG) << "provided value is not a legal port. Value: " << port;
-        }
-    }
-
-    if (ip == "*") {
-        is_any_ip = true;
-    } else {
-        is_any_ip = false;
-        auto ip_addr = IPAddr::createIPAddr(ip);
-        if (!ip_addr.ok()) {
-            dbgWarning(D_RULEBASE_CONFIG) << "Could not create IP address. Error: " << ip_addr.getErr();
-        } else {
-            parsed_ip = ConvertToIpAddress(ip_addr.unpackMove());
-        }
-    }
-}
-
-IpAddress
-RuleAsset::AssetUrl::ConvertToIpAddress(const IPAddr &addr)
-{
-    IpAddress address;
-    switch (addr.getType()) {
-        case IPType::UNINITIALIZED: {
-            address.addr4_t = {0};
-            address.ip_type = IP_VERSION_ANY;
-            break;
-        }
-        case IPType::V4: {
-            address.addr4_t = addr.getIPv4();
-            address.ip_type = IP_VERSION_4;
-            break;
-        }
-        case IPType::V6: {
-            address.addr6_t = addr.getIPv6();
-            address.ip_type = IP_VERSION_6;
-            break;
-        }
-        default:
-            address.addr4_t = {0};
-            address.ip_type = IP_VERSION_ANY;
-            dbgWarning(D_RULEBASE_CONFIG) << "Unsupported IP type: " << static_cast<int>(addr.getType());
-    }
-    return address;
-}
-
-const Assets Assets::empty_assets_config = Assets();
-
-void
-Assets::preload()
-{
-    registerExpectedSetting<Assets>("rulebase", "usedAssets");
-}

components/generic_rulebase/evaluators/asset_eval.cc

@@ -1,52 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "generic_rulebase/evaluators/asset_eval.h"
-
-#include <vector>
-#include <string>
-
-#include "generic_rulebase/assets_config.h"
-#include "config.h"
-#include "debug.h"
-
-using namespace std;
-
-USE_DEBUG_FLAG(D_RULEBASE_CONFIG);
-
-string AssetMatcher::ctx_key = "asset_id";
-
-AssetMatcher::AssetMatcher(const vector<string> &params)
-{
-    if (params.size() != 1) reportWrongNumberOfParams(AssetMatcher::getName(), params.size(), 1, 1);
-    asset_id = params[0];
-}
-
-Maybe<bool, Context::Error>
-AssetMatcher::evalVariable() const
-{
-    I_Environment *env = Singleton::Consume<I_Environment>::by<AssetMatcher>();
-    auto bc_asset_id_ctx = env->get<GenericConfigId>(AssetMatcher::ctx_key);
-
-    if (bc_asset_id_ctx.ok()) {
-        dbgTrace(D_RULEBASE_CONFIG)
-            << "Asset ID: "
-            << asset_id
-            << "; Current set assetId context: "
-            << *bc_asset_id_ctx;
-    } else {
-        dbgTrace(D_RULEBASE_CONFIG) << "Asset ID: " << asset_id << ". Empty context";
-    }
-
-    return bc_asset_id_ctx.ok() && *bc_asset_id_ctx == asset_id;
-}

components/generic_rulebase/evaluators/connection_eval.cc

@@ -1,299 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "generic_rulebase/evaluators/connection_eval.h"
-
-#include <vector>
-#include <string>
-
-#include "generic_rulebase/rulebase_config.h"
-#include "config.h"
-#include "debug.h"
-#include "ip_utilities.h"
-
-using namespace std;
-USE_DEBUG_FLAG(D_RULEBASE_CONFIG);
-
-string IpAddressMatcher::ctx_key = "ipAddress";
-string SourceIpMatcher::ctx_key = "sourceIP";
-string DestinationIpMatcher::ctx_key = "destinationIP";
-string SourcePortMatcher::ctx_key = "sourcePort";
-string ListeningPortMatcher::ctx_key = "listeningPort";
-string IpProtocolMatcher::ctx_key = "ipProtocol";
-string UrlMatcher::ctx_key = "url";
-
-Maybe<IPAddr>
-getIpAddrFromEnviroment(I_Environment *env, Context::MetaDataType enum_data_type, const string &str_data_type)
-{
-    auto ip_str = env->get<string>(enum_data_type);
-    if (!ip_str.ok()) {
-        dbgWarning(D_RULEBASE_CONFIG) << "Failed to get " << str_data_type << " from the enviroment.";
-        return genError("Failed to get " + str_data_type + " from the enviroment.");
-    }
-    return IPAddr::createIPAddr(ip_str.unpack());
-}
-
-bool
-checkIfIpInRangesVec(const vector<CustomRange<IPAddr>> &values, const IPAddr &ip_to_check)
-{
-    if (values.size() == 0) {
-        dbgTrace(D_RULEBASE_CONFIG) << "Ip addersses vector empty. Match is true.";
-        return true;
-    }
-    for (const CustomRange<IPAddr> &range : values) {
-        if (range.contains(ip_to_check)) {
-            dbgTrace(D_RULEBASE_CONFIG) << "Ip adderss matched: " << ip_to_check;
-            return true;
-        }
-    }
-    dbgTrace(D_RULEBASE_CONFIG) << "Ip adderss not match: " << ip_to_check;
-    return false;
-}
-
-
-IpAddressMatcher::IpAddressMatcher(const vector<string> &params)
-{
-    for (const string &param : params) {
-        Maybe<CustomRange<IPAddr>> ip_range = CustomRange<IPAddr>::createRange(param);
-        if (!ip_range.ok()) {
-            dbgWarning(D_RULEBASE_CONFIG) << "Failed to create ip. Error: " + ip_range.getErr();
-            continue;
-        }
-        values.push_back(ip_range.unpack());
-    }
-}
-
-Maybe<bool, Context::Error>
-IpAddressMatcher::evalVariable() const
-{
-    I_Environment *env = Singleton::Consume<I_Environment>::by<IpAddressMatcher>();
-    Maybe<IPAddr> subject_ip = getIpAddrFromEnviroment(
-        env,
-        Context::MetaDataType::SubjectIpAddr,
-        "subject ip address"
-    );
-    if (subject_ip.ok() && checkIfIpInRangesVec(values, subject_ip.unpack())) return true;
-
-    Maybe<IPAddr> other_ip = getIpAddrFromEnviroment(
-        env,
-        Context::MetaDataType::OtherIpAddr,
-        "other ip address"
-    );
-    if (other_ip.ok() && checkIfIpInRangesVec(values, other_ip.unpack())) return true;
-    if (!subject_ip.ok() && !other_ip.ok()) {
-        dbgWarning(D_RULEBASE_CONFIG) << "Error in getting subject ip and other ip from the enviroment";
-        return false;
-    }
-    dbgTrace(D_RULEBASE_CONFIG) << "Ip adderss didn't match";
-    return false;
-}
-
-SourceIpMatcher::SourceIpMatcher(const vector<string> &params)
-{
-    for (const string &param : params) {
-        Maybe<CustomRange<IPAddr>> ip_range = CustomRange<IPAddr>::createRange(param);
-        if (!ip_range.ok()) {
-            dbgWarning(D_RULEBASE_CONFIG) << "Failed to create source ip. Error: " + ip_range.getErr();
-            continue;
-        }
-        values.push_back(ip_range.unpack());
-    }
-}
-
-Maybe<bool, Context::Error>
-SourceIpMatcher::evalVariable() const
-{
-    I_Environment *env = Singleton::Consume<I_Environment>::by<SourceIpMatcher>();
-    auto direction_maybe = env->get<string>(Context::MetaDataType::Direction);
-    if (!direction_maybe.ok()) {
-        dbgWarning(D_RULEBASE_CONFIG) << "Failed to get direction from the enviroment.";
-        return false;
-    }
-    string direction = direction_maybe.unpack();
-    if (direction == "incoming") {
-        Maybe<IPAddr> other_ip = getIpAddrFromEnviroment(
-            env,
-            Context::MetaDataType::OtherIpAddr,
-            "other ip address"
-        );
-        return other_ip.ok() && checkIfIpInRangesVec(values, other_ip.unpack());
-    } else if (direction == "outgoing") {
-        Maybe<IPAddr> subject_ip = getIpAddrFromEnviroment(
-            env,
-            Context::MetaDataType::SubjectIpAddr,
-            "subject ip address"
-        );
-        return subject_ip.ok() && checkIfIpInRangesVec(values, subject_ip.unpack());
-    }
-    dbgTrace(D_RULEBASE_CONFIG) << "Source ip adderss didn't match";
-    return false;
-}
-
-DestinationIpMatcher::DestinationIpMatcher(const vector<string> &params)
-{
-    for (const string &param : params) {
-        Maybe<CustomRange<IPAddr>> ip_range = CustomRange<IPAddr>::createRange(param);
-        if (!ip_range.ok()) {
-            dbgWarning(D_RULEBASE_CONFIG) << "Failed to create destination ip. Error: " + ip_range.getErr();
-            continue;
-        }
-        values.push_back(ip_range.unpack());
-    }
-}
-
-Maybe<bool, Context::Error>
-DestinationIpMatcher::evalVariable() const
-{
-    I_Environment *env = Singleton::Consume<I_Environment>::by<DestinationIpMatcher>();
-    auto direction_maybe = env->get<string>(Context::MetaDataType::Direction);
-    if (!direction_maybe.ok()) {
-        dbgWarning(D_RULEBASE_CONFIG) << "Failed to get direction.";
-        return false;
-    }
-    string direction = direction_maybe.unpack();
-    if (direction == "outgoing") {
-        Maybe<IPAddr> other_ip = getIpAddrFromEnviroment(
-            env,
-            Context::MetaDataType::OtherIpAddr,
-            "other ip address"
-        );
-        return other_ip.ok() && checkIfIpInRangesVec(values, other_ip.unpack());
-    } else if (direction == "incoming") {
-        Maybe<IPAddr> subject_ip = getIpAddrFromEnviroment(
-            env,
-            Context::MetaDataType::SubjectIpAddr,
-            "subject ip address"
-        );
-        return subject_ip.ok() && checkIfIpInRangesVec(values, subject_ip.unpack());
-    }
-    dbgTrace(D_RULEBASE_CONFIG) << "Destination ip adderss didn't match";
-    return false;
-}
-
-SourcePortMatcher::SourcePortMatcher(const vector<string> &params)
-{
-    for (const string &param : params) {
-        Maybe<CustomRange<PortNumber>> port_range = CustomRange<PortNumber>::createRange(param);
-        if (!port_range.ok()) {
-            dbgWarning(D_RULEBASE_CONFIG) << "Failed to create source port.";
-            continue;
-        }
-        values.push_back(port_range.unpack());
-    }
-}
-
-Maybe<bool, Context::Error>
-SourcePortMatcher::evalVariable() const
-{
-    dbgTrace(D_RULEBASE_CONFIG) << "Source is not a match";
-    return false;
-}
-
-
-ListeningPortMatcher::ListeningPortMatcher(const vector<string> &params)
-{
-    for (const string &param : params) {
-        Maybe<CustomRange<PortNumber>> port_range = CustomRange<PortNumber>::createRange(param);
-        if (!port_range.ok()) {
-            dbgWarning(D_RULEBASE_CONFIG) << "Failed to create listening port range.";
-            continue;
-        }
-        values.push_back(port_range.unpack());
-    }
-}
-
-Maybe<bool, Context::Error>
-ListeningPortMatcher::evalVariable() const
-{
-    I_Environment *env = Singleton::Consume<I_Environment>::by<ListeningPortMatcher>();
-    auto port_str = env->get<string>(Context::MetaDataType::Port);
-    if (!port_str.ok()) {
-        dbgWarning(D_RULEBASE_CONFIG) << "Failed to get port from the enviroment.";
-        return false;
-    }
-    PortNumber port;
-    if (ConnKeyUtil::fromString(port_str.unpack(), port)) {
-        if (values.size() == 0) return true;
-        for (const CustomRange<PortNumber> &port_range : values) {
-            if (port_range.contains(port)) {
-                dbgTrace(D_RULEBASE_CONFIG) << "Listening port is a match. Value: " << port_str.unpack();
-                return true;
-            }
-        }
-    }
-    dbgTrace(D_RULEBASE_CONFIG) << "Listening port is not a match. Value: " << port_str.unpack();
-    return false;
-}
-
-IpProtocolMatcher::IpProtocolMatcher(const vector<string> &params)
-{
-    for (const string &param : params) {
-        Maybe<CustomRange<IPProto>> proto_range = CustomRange<IPProto>::createRange(param);
-        if (!proto_range.ok()) {
-            dbgWarning(D_RULEBASE_CONFIG) << "Failed to create ip protocol.";
-            continue;
-        }
-        values.push_back(proto_range.unpack());
-    }
-}
-
-Maybe<bool, Context::Error>
-IpProtocolMatcher::evalVariable() const
-{
-    I_Environment *env = Singleton::Consume<I_Environment>::by<IpProtocolMatcher>();
-    auto proto_str = env->get<string>(Context::MetaDataType::Protocol);
-    if (!proto_str.ok()) {
-        dbgWarning(D_RULEBASE_CONFIG) << "Failed to get ip protocol from the enviroment.";
-        return false;
-    }
-    IPProto protocol;
-    if (ConnKeyUtil::fromString(proto_str.unpack(), protocol)) {
-        if (values.size() == 0) return true;
-        for (const CustomRange<IPProto> &proto_range : values) {
-            if (proto_range.contains(protocol)) {
-                dbgTrace(D_RULEBASE_CONFIG) << "Ip protocol is a match. Value: " << proto_str.unpack();
-                return true;
-            }
-        }
-    }
-    dbgTrace(D_RULEBASE_CONFIG) << "Source port is not a match. Value: " << proto_str.unpack();
-    return false;
-}
-
-UrlMatcher::UrlMatcher(const vector<string> &params) : values(params) {}
-
-Maybe<bool, Context::Error>
-UrlMatcher::evalVariable() const
-{
-    I_Environment *env = Singleton::Consume<I_Environment>::by<UrlMatcher>();
-    auto curr_url_ctx = env->get<string>(Context::MetaDataType::Url);
-    if (!curr_url_ctx.ok()) {
-        dbgWarning(D_RULEBASE_CONFIG) << "Failed to get URL from the enviroment.";
-        return false;
-    }
-    
-    if (values.size() == 0) {
-        dbgTrace(D_RULEBASE_CONFIG) << "Matched URL on \"any\". Url: " << *curr_url_ctx;
-        return true;
-    }
-
-    for (const string &url : values) {
-        if (*curr_url_ctx == url) {
-            dbgTrace(D_RULEBASE_CONFIG) << "Matched URL. Value: " << *curr_url_ctx;
-            return true;
-        }
-    }
-
-    dbgTrace(D_RULEBASE_CONFIG) << "URL is not a match. Value: " << *curr_url_ctx;
-    return false;
-}

components/generic_rulebase/evaluators/http_transaction_data_eval.cc

@@ -1,168 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "generic_rulebase/evaluators/http_transaction_data_eval.h"
-
-#include <boost/lexical_cast.hpp>
-#include <algorithm>
-
-#include "http_transaction_data.h"
-#include "environment/evaluator_templates.h"
-#include "i_environment.h"
-#include "singleton.h"
-#include "debug.h"
-
-USE_DEBUG_FLAG(D_RULEBASE_CONFIG);
-
-using namespace std;
-using namespace EnvironmentHelper;
-
-EqualHost::EqualHost(const vector<string> &params)
-{
-    if (params.size() != 1) reportWrongNumberOfParams("EqualHost", params.size(), 1, 1);
-    host = params[0];
-}
-
-Maybe<bool, Context::Error>
-EqualHost::evalVariable() const
-{
-    I_Environment *env = Singleton::Consume<I_Environment>::by<EqualHost>();
-    auto host_ctx = env->get<string>(HttpTransactionData::host_name_ctx);
-
-    if (!host_ctx.ok())
-    {
-        return false;
-    }
-
-    std::string lower_host_ctx = host_ctx.unpack();
-    std::transform(lower_host_ctx.begin(), lower_host_ctx.end(), lower_host_ctx.begin(), ::tolower);
-
-    std::string lower_host = host;
-    std::transform(lower_host.begin(), lower_host.end(), lower_host.begin(), ::tolower);
-
-
-    if (lower_host_ctx == lower_host) return true;
-    size_t pos = lower_host_ctx.find_last_of(':');
-    if (pos == string::npos) return false;
-    lower_host_ctx = string(lower_host_ctx.data(), pos);
-    return lower_host_ctx == lower_host;
-}
-
-WildcardHost::WildcardHost(const vector<string> &params)
-{
-    if (params.size() != 1) reportWrongNumberOfParams("WildcardHost", params.size(), 1, 1);
-    host = params[0];
-}
-
-Maybe<bool, Context::Error>
-WildcardHost::evalVariable() const
-{
-    I_Environment *env = Singleton::Consume<I_Environment>::by<WildcardHost>();
-    auto host_ctx = env->get<string>(HttpTransactionData::host_name_ctx);
-
-    if (!host_ctx.ok())
-    {
-        return false;
-    }
-
-    string lower_host_ctx = host_ctx.unpack();
-    transform(lower_host_ctx.begin(), lower_host_ctx.end(), lower_host_ctx.begin(), ::tolower);
-
-    dbgTrace(D_RULEBASE_CONFIG) << "found host in current context: " << lower_host_ctx;
-
-    size_t pos = lower_host_ctx.find_first_of(".");
-    if (pos == string::npos) {
-        return false;
-    }
-
-    lower_host_ctx = "*" + lower_host_ctx.substr(pos, lower_host_ctx.length());
-
-    string lower_host = host;
-    transform(lower_host.begin(), lower_host.end(), lower_host.begin(), ::tolower);
-
-    dbgTrace(D_RULEBASE_CONFIG)
-        << "trying to match host context with its corresponding wildcard address: "
-        << lower_host_ctx
-        << ". Matcher host: "
-        << lower_host;
-
-    if (lower_host_ctx == lower_host) return true;
-    pos = lower_host_ctx.find_last_of(':');
-    if (pos == string::npos) return false;
-    lower_host_ctx = string(lower_host_ctx.data(), pos);
-    return lower_host_ctx == lower_host;
-}
-
-EqualListeningIP::EqualListeningIP(const vector<string> &params)
-{
-    if (params.size() != 1) reportWrongNumberOfParams("EqualListeningIP", params.size(), 1, 1);
-
-    auto maybe_ip = IPAddr::createIPAddr(params[0]);
-    if (!maybe_ip.ok()) reportWrongParamType(getName(), params[0], "Not a valid IP Address");
-
-    listening_ip = maybe_ip.unpack();
-}
-
-Maybe<bool, Context::Error>
-EqualListeningIP::evalVariable() const
-{
-    I_Environment *env = Singleton::Consume<I_Environment>::by<EqualListeningIP>();
-    auto listening_ip_ctx = env->get<IPAddr>(HttpTransactionData::listening_ip_ctx);
-    return listening_ip_ctx.ok() &&  listening_ip_ctx.unpack() == listening_ip;
-}
-
-EqualListeningPort::EqualListeningPort(const vector<string> &params)
-{
-    if (params.size() != 1) reportWrongNumberOfParams("EqualListeningPort", params.size(), 1, 1);
-
-    try {
-        listening_port = boost::lexical_cast<PortNumber>(params[0]);
-    } catch (boost::bad_lexical_cast const&) {
-        reportWrongParamType(getName(), params[0], "Not a valid port number");
-    }
-}
-
-Maybe<bool, Context::Error>
-EqualListeningPort::evalVariable() const
-{
-    I_Environment *env = Singleton::Consume<I_Environment>::by<EqualListeningPort>();
-    auto port_ctx = env->get<PortNumber>(HttpTransactionData::listening_port_ctx);
-
-    return port_ctx.ok() && port_ctx.unpack() == listening_port;
-}
-
-BeginWithUri::BeginWithUri(const vector<string> &params)
-{
-    if (params.size() != 1) reportWrongNumberOfParams("BeginWithUri", params.size(), 1, 1);
-    uri_prefix = params[0];
-}
-
-Maybe<bool, Context::Error>
-BeginWithUri::evalVariable() const
-{
-    I_Environment *env = Singleton::Consume<I_Environment>::by<BeginWithUri>();
-    auto uri_ctx = env->get<string>(HttpTransactionData::uri_ctx);
-
-    if (!uri_ctx.ok())
-    {
-        return false;
-    }
-
-    std::string lower_uri_ctx = uri_ctx.unpack();
-    std::transform(lower_uri_ctx.begin(), lower_uri_ctx.end(), lower_uri_ctx.begin(), ::tolower);
-
-    std::string lower_uri_prefix = uri_prefix;
-    std::transform(lower_uri_prefix.begin(), lower_uri_prefix.end(), lower_uri_prefix.begin(), ::tolower);
-
-    return lower_uri_ctx.find(lower_uri_prefix) == 0;
-}

components/generic_rulebase/evaluators/practice_eval.cc

@@ -1,50 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "generic_rulebase/evaluators/practice_eval.h"
-
-#include <vector>
-#include <string>
-
-#include "generic_rulebase/rulebase_config.h"
-#include "config.h"
-#include "debug.h"
-
-USE_DEBUG_FLAG(D_RULEBASE_CONFIG);
-
-using namespace std;
-
-string PracticeMatcher::ctx_key = "practices";
-
-PracticeMatcher::PracticeMatcher(const vector<string> &params)
-{
-    if (params.size() != 1) reportWrongNumberOfParams(PracticeMatcher::getName(), params.size(), 1, 1);
-    practice_id = params[0];
-}
-
-Maybe<bool, Context::Error>
-PracticeMatcher::evalVariable() const
-{
-    I_Environment *env = Singleton::Consume<I_Environment>::by<PracticeMatcher>();
-    auto bc_practice_id_ctx = env->get<set<GenericConfigId>>(PracticeMatcher::ctx_key);
-    dbgTrace(D_RULEBASE_CONFIG)
-        << "Trying to match practice. ID: "
-        << practice_id << ", Current set IDs: "
-        << makeSeparatedStr(bc_practice_id_ctx.ok() ? *bc_practice_id_ctx : set<GenericConfigId>(), ", ");
-    if (bc_practice_id_ctx.ok()) {
-        return bc_practice_id_ctx.unpack().count(practice_id) > 0;
-    }
-
-    auto rule = getConfiguration<BasicRuleConfig>("rulebase", "rulesConfig");
-    return rule.ok() && rule.unpack().isPracticeActive(practice_id);
-}

components/generic_rulebase/evaluators/query_eval.cc

@@ -1,136 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "generic_rulebase/evaluators/query_eval.h"
-
-#include <vector>
-#include <string>
-#include <map>
-
-#include "generic_rulebase/rulebase_config.h"
-#include "generic_rulebase/zones_config.h"
-#include "i_environment.h"
-#include "singleton.h"
-#include "config.h"
-#include "debug.h"
-#include "enum_range.h"
-
-using namespace std;
-
-USE_DEBUG_FLAG(D_RULEBASE_CONFIG);
-
-QueryMatcher::QueryMatcher(const vector<string> &params)
-{
-    if (params.size() < 1) reportWrongNumberOfParams(QueryMatcher::getName(), params.size(), 1);
-
-    key = params.front();
-    if (key == "any") {
-        is_any = true;
-    } else {
-        values.reserve(params.size() - 1);
-        for (uint i = 1; i < params.size() ; i++) {
-            if (params[i] == "any") {
-                values.clear();
-                break;
-            }
-            values.insert(params[i]);
-        }
-    }
-}
-
-const string
-QueryMatcher::contextKeyToString(Context::MetaDataType type)
-{
-    if (type == Context::MetaDataType::SubjectIpAddr || type == Context::MetaDataType::OtherIpAddr) return "ip";
-    return Context::convertToString(type);
-}
-
-class QueryMatchSerializer
-{
-public:
-    static const string req_attr_ctx_key;
-
-    template <typename Archive>
-    void
-    serialize(Archive &ar)
-    {
-        I_Environment *env = Singleton::Consume<I_Environment>::by<QueryMatcher>();
-        auto req_attr = env->get<string>(req_attr_ctx_key);
-        if (!req_attr.ok()) return;
-
-        try {
-            ar(cereal::make_nvp(*req_attr, value));
-            dbgDebug(D_RULEBASE_CONFIG)
-                << "Found value for requested attribute. Tag: "
-                << *req_attr
-                << ", Value: "
-                << value;
-        } catch (exception &e) {
-            dbgDebug(D_RULEBASE_CONFIG) << "Could not find values for requested attribute. Tag: " << *req_attr;
-            ar.finishNode();
-        }
-    }
-
-    template <typename Values>
-    bool
-    matchValues(const Values &requested_vals) const
-    {
-        return value != "" && (requested_vals.empty() || requested_vals.count(value) > 0);
-    }
-
-private:
-    string value;
-};
-
-const string QueryMatchSerializer::req_attr_ctx_key = "requested attribute key";
-
-Maybe<bool, Context::Error>
-QueryMatcher::evalVariable() const
-{
-    if (is_any) return true;
-
-    I_Environment *env = Singleton::Consume<I_Environment>::by<QueryMatcher>();
-    auto local_asset_ctx = env->get<bool>("is local asset");
-    bool is_remote_asset = local_asset_ctx.ok() && !(*local_asset_ctx);
-
-    QueryRequest request;
-    for (Context::MetaDataType name : makeRange<Context::MetaDataType>()) {
-        auto val = env->get<string>(name);
-        if (val.ok()) {
-            if ((name == Context::MetaDataType::SubjectIpAddr && is_remote_asset) ||
-                (name == Context::MetaDataType::OtherIpAddr && !is_remote_asset)) {
-                continue;
-            }
-
-            request.addCondition(Condition::EQUALS, contextKeyToString(name), *val);
-        }
-    }
-    if (request.empty()) return false;
-
-    request.setRequestedAttr(key);
-    ScopedContext req_attr_key;
-    req_attr_key.registerValue<string>(QueryMatchSerializer::req_attr_ctx_key, key);
-
-    I_Intelligence_IS_V2 *intelligence = Singleton::Consume<I_Intelligence_IS_V2>::by<Zone>();
-    auto query_res = intelligence->queryIntelligence<QueryMatchSerializer>(request);
-    if (!query_res.ok()) {
-        dbgWarning(D_RULEBASE_CONFIG) << "Failed to perform intelligence query. Error: " << query_res.getErr();
-        return false;
-    }
-
-    for (const AssetReply<QueryMatchSerializer> &asset : query_res.unpack()) {
-        if (asset.matchValues<unordered_set<string>>(values)) return true;
-    }
-
-    return false;
-}

components/generic_rulebase/evaluators/trigger_eval.cc

@@ -1,57 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "generic_rulebase/evaluators/trigger_eval.h"
-
-#include <vector>
-#include <string>
-
-#include "generic_rulebase/rulebase_config.h"
-#include "config.h"
-#include "debug.h"
-
-using namespace std;
-
-USE_DEBUG_FLAG(D_RULEBASE_CONFIG);
-
-string TriggerMatcher::ctx_key = "triggers";
-
-TriggerMatcher::TriggerMatcher(const vector<string> &params)
-{
-    if (params.size() != 1) reportWrongNumberOfParams(TriggerMatcher::getName(), params.size(), 1, 1);
-    trigger_id = params[0];
-}
-
-Maybe<bool, Context::Error>
-TriggerMatcher::evalVariable() const
-{
-    I_Environment *env = Singleton::Consume<I_Environment>::by<TriggerMatcher>();
-    auto ac_bc_trigger_id_ctx = env->get<set<GenericConfigId>>("ac_trigger_id");
-    dbgTrace(D_RULEBASE_CONFIG)
-        << "Trying to match trigger for access control rule. ID: "
-        << trigger_id << ", Current set IDs: "
-        << makeSeparatedStr(ac_bc_trigger_id_ctx.ok() ? *ac_bc_trigger_id_ctx : set<GenericConfigId>(), ", ");
-    if (ac_bc_trigger_id_ctx.ok()) {
-        return ac_bc_trigger_id_ctx.unpack().count(trigger_id) > 0;
-    }
-
-    auto bc_trigger_id_ctx = env->get<set<GenericConfigId>>(TriggerMatcher::ctx_key);
-    dbgTrace(D_RULEBASE_CONFIG)
-        << "Trying to match trigger. ID: "
-        << trigger_id << ", Current set IDs: "
-        << makeSeparatedStr(bc_trigger_id_ctx.ok() ? *bc_trigger_id_ctx : set<GenericConfigId>(), ", ");
-    if (bc_trigger_id_ctx.ok() && bc_trigger_id_ctx.unpack().count(trigger_id) > 0 ) return true;
-
-    auto rule = getConfiguration<BasicRuleConfig>("rulebase", "rulesConfig");
-    return rule.ok() && rule.unpack().isTriggerActive(trigger_id);
-}

components/generic_rulebase/evaluators/zone_eval.cc

@@ -1,44 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "generic_rulebase/evaluators/zone_eval.h"
-
-#include <vector>
-#include <string>
-
-#include "generic_rulebase/zone.h"
-#include "generic_rulebase/rulebase_config.h"
-#include "config.h"
-
-using namespace std;
-
-string ZoneMatcher::ctx_key = "zone_id";
-
-ZoneMatcher::ZoneMatcher(const vector<string> &params)
-{
-    if (params.size() != 1) reportWrongNumberOfParams(ZoneMatcher::getName(), params.size(), 1, 1);
-    zone_id = params[0];
-}
-
-Maybe<bool, Context::Error>
-ZoneMatcher::evalVariable() const
-{
-    I_Environment *env = Singleton::Consume<I_Environment>::by<ZoneMatcher>();
-    auto bc_zone_id_ctx = env->get<GenericConfigId>(ZoneMatcher::ctx_key);
-    if (bc_zone_id_ctx.ok() && *bc_zone_id_ctx == zone_id) return true;
-
-    if (!getProfileAgentSettingWithDefault<bool>(false, "rulebase.enableQueryBasedMatch")) return false;
-
-    auto zone = getConfiguration<Zone>("rulebase", "zones");
-    return zone.ok() && zone.unpack().getId() == zone_id;
-}

components/generic_rulebase/generic_rulebase.cc

@@ -1,126 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "generic_rulebase/generic_rulebase.h"
-
-#include <unordered_set>
-
-#include "generic_rulebase/evaluators/trigger_eval.h"
-#include "generic_rulebase/evaluators/practice_eval.h"
-#include "generic_rulebase/evaluators/parameter_eval.h"
-#include "generic_rulebase/evaluators/zone_eval.h"
-#include "generic_rulebase/evaluators/asset_eval.h"
-#include "generic_rulebase/evaluators/query_eval.h"
-#include "generic_rulebase/evaluators/connection_eval.h"
-#include "generic_rulebase/evaluators/http_transaction_data_eval.h"
-#include "generic_rulebase/zone.h"
-#include "generic_rulebase/triggers_config.h"
-#include "singleton.h"
-#include "common.h"
-#include "debug.h"
-#include "cache.h"
-#include "config.h"
-
-using namespace std;
-
-USE_DEBUG_FLAG(D_RULEBASE_CONFIG);
-
-class GenericRulebase::Impl : Singleton::Provide<I_GenericRulebase>::From<GenericRulebase>
-{
-public:
-    void init() {}
-    void fini() {}
-
-    void preload();
-
-    Maybe<Zone, Config::Errors> getLocalZone() const override { return getZoneConfig(true); }
-    Maybe<Zone, Config::Errors> getOtherZone() const override { return getZoneConfig(false); }
-
-    set<ParameterBehavior> getBehavior(const ParameterKeyValues &key_value_pairs) const override;
-
-private:
-    Maybe<Zone, Config::Errors>
-    getZoneConfig(bool is_local_zone) const
-    {
-        ScopedContext asset_location_ctx;
-        asset_location_ctx.registerValue<bool>("is local asset", is_local_zone);
-        return getConfiguration<Zone>("rulebase", "zones");
-    }
-};
-
-void
-GenericRulebase::Impl::preload()
-{
-    addMatcher<TriggerMatcher>();
-    addMatcher<PracticeMatcher>();
-    addMatcher<ParameterMatcher>();
-    addMatcher<ZoneMatcher>();
-    addMatcher<AssetMatcher>();
-    addMatcher<QueryMatcher>();
-    addMatcher<IpAddressMatcher>();
-    addMatcher<SourceIpMatcher>();
-    addMatcher<DestinationIpMatcher>();
-    addMatcher<SourcePortMatcher>();
-    addMatcher<ListeningPortMatcher>();
-    addMatcher<IpProtocolMatcher>();
-    addMatcher<UrlMatcher>();
-    addMatcher<EqualHost>();
-    addMatcher<WildcardHost>();
-    addMatcher<EqualListeningIP>();
-    addMatcher<EqualListeningPort>();
-    addMatcher<BeginWithUri>();
-    BasicRuleConfig::preload();
-    LogTriggerConf::preload();
-    ParameterException::preload();
-    registerExpectedConfiguration<Zone>("rulebase", "zones");
-    registerExpectedConfigFile("zones", Config::ConfigFileType::Policy);
-    registerExpectedConfigFile("triggers", Config::ConfigFileType::Policy);
-    registerExpectedConfigFile("rules", Config::ConfigFileType::Policy);
-    registerExpectedConfigFile("parameters", Config::ConfigFileType::Policy);
-    registerExpectedConfigFile("exceptions", Config::ConfigFileType::Policy);
-
-}
-
-set<ParameterBehavior>
-GenericRulebase::Impl::getBehavior(const ParameterKeyValues &key_value_pairs) const
-{
-    auto &exceptions = getConfiguration<ParameterException>("rulebase", "exception");
-
-    if (!exceptions.ok()) {
-        dbgTrace(D_RULEBASE_CONFIG) << "Could not find any exception with the current rule's context";
-        return {};
-    }
-    return (*exceptions).getBehavior(key_value_pairs);
-}
-
-GenericRulebase::GenericRulebase() : Component("GenericRulebase"), pimpl(make_unique<Impl>()) {}
-
-GenericRulebase::~GenericRulebase() {}
-
-void
-GenericRulebase::init()
-{
-    pimpl->init();
-}
-
-void
-GenericRulebase::fini()
-{
-    pimpl->fini();
-}
-
-void
-GenericRulebase::preload()
-{
-    pimpl->preload();
-}

components/generic_rulebase/generic_rulebase_context.cc

@@ -1,109 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "generic_rulebase/generic_rulebase_context.h"
-
-#include <vector>
-
-#include "context.h"
-#include "config.h"
-#include "generic_rulebase/evaluators/trigger_eval.h"
-#include "generic_rulebase/evaluators/parameter_eval.h"
-#include "generic_rulebase/evaluators/practice_eval.h"
-#include "generic_rulebase/evaluators/zone_eval.h"
-#include "generic_rulebase/evaluators/asset_eval.h"
-
-USE_DEBUG_FLAG(D_RULEBASE_CONFIG);
-
-using namespace std;
-
-template<typename Configs>
-set<GenericConfigId>
-extractIds(const vector<Configs> &configurations)
-{
-    set<GenericConfigId> ids;
-    for (const Configs &conf : configurations) {
-        ids.insert(conf.getId());
-    }
-    return ids;
-}
-
-void
-GenericRulebaseContext::activate(const BasicRuleConfig &rule)
-{
-    switch(registration_state) {
-        case RuleRegistrationState::UNINITIALIZED: {
-            registration_state = RuleRegistrationState::REGISTERED;
-            ctx.registerValue<set<GenericConfigId>>(
-                TriggerMatcher::ctx_key,
-                extractIds<RuleTrigger>(rule.getTriggers())
-            );
-            ctx.registerValue<set<GenericConfigId>>(
-                PracticeMatcher::ctx_key,
-                extractIds<RulePractice>(rule.getPractices())
-            );
-            dbgTrace(D_RULEBASE_CONFIG)
-                << "Activating current practices. Current practice IDs: "
-                << makeSeparatedStr(extractIds<RulePractice>(rule.getPractices()), ", ");
-
-            ctx.registerValue<set<GenericConfigId>>(
-                ParameterMatcher::ctx_key,
-                extractIds<RuleParameter>(rule.getParameters())
-            );
-            ctx.registerValue<GenericConfigId>(
-                ZoneMatcher::ctx_key,
-                rule.getZoneId()
-            );
-            ctx.registerValue<GenericConfigId>(
-                AssetMatcher::ctx_key,
-                rule.getAssetId()
-            );
-            ctx.activate();
-            break;
-        }
-        case RuleRegistrationState::REGISTERED: {
-            dbgTrace(D_RULEBASE_CONFIG) << "Activating registered rule values";
-            ctx.activate();
-            break;
-        }
-        case RuleRegistrationState::UNREGISTERED: {
-            dbgTrace(D_RULEBASE_CONFIG) << "Failed to register rule values";
-        }
-    }
-}
-
-void
-GenericRulebaseContext::activate()
-{
-    switch(registration_state) {
-        case RuleRegistrationState::UNINITIALIZED: {
-            auto maybe_rule = getConfiguration<BasicRuleConfig>("rulebase", "rulesConfig");
-            if (!maybe_rule.ok()) {
-                registration_state = RuleRegistrationState::UNREGISTERED;
-                return;
-            }
-            dbgTrace(D_RULEBASE_CONFIG) << "Registering new rule values";
-            activate(maybe_rule.unpack());
-            registration_state = RuleRegistrationState::REGISTERED;
-            break;
-        }
-        case RuleRegistrationState::REGISTERED: {
-            dbgTrace(D_RULEBASE_CONFIG) << "Activating registered rule values";
-            ctx.activate();
-            break;
-        }
-        case RuleRegistrationState::UNREGISTERED: {
-            dbgTrace(D_RULEBASE_CONFIG) << "Failed to register rule values";
-        }
-    }
-}

components/generic_rulebase/match_query.cc

@@ -1,347 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "generic_rulebase/match_query.h"
-
-#include "cereal/types/set.hpp"
-
-#include "generic_rulebase/generic_rulebase_utils.h"
-#include "config.h"
-#include "ip_utilities.h"
-#include "agent_core_utilities.h"
-
-USE_DEBUG_FLAG(D_RULEBASE_CONFIG);
-
-using namespace std;
-
-static const unordered_map<string, MatchQuery::MatchType> string_to_match_type = {
-    { "condition", MatchQuery::MatchType::Condition },
-    { "operator", MatchQuery::MatchType::Operator }
-};
-
-static const unordered_map<string, MatchQuery::Operators> string_to_operator = {
-    { "and", MatchQuery::Operators::And },
-    { "or", MatchQuery::Operators::Or }
-};
-
-static const unordered_map<string, MatchQuery::Conditions> string_to_condition = {
-    { "equals", MatchQuery::Conditions::Equals },
-    { "not-equals", MatchQuery::Conditions::NotEquals },
-    { "not equals", MatchQuery::Conditions::NotEquals },
-    { "in", MatchQuery::Conditions::In },
-    { "not-in", MatchQuery::Conditions::NotIn },
-    { "not in", MatchQuery::Conditions::NotIn },
-    { "exist", MatchQuery::Conditions::Exist }
-};
-
-static const string ip_addr_type_name = "IP address";
-static const string port_type_name = "port";
-static const string ip_proto_type_name = "IP protocol";
-
-static const unordered_map<string, MatchQuery::StaticKeys> string_to_key = {
-    { "sourceIP", MatchQuery::StaticKeys::SrcIpAddress },
-    { "sourceIpAddr", MatchQuery::StaticKeys::SrcIpAddress },
-    { "destinationIP", MatchQuery::StaticKeys::DstIpAddress },
-    { "destinationIpAddr", MatchQuery::StaticKeys::DstIpAddress },
-    { "ipAddress", MatchQuery::StaticKeys::IpAddress },
-    { "sourcePort", MatchQuery::StaticKeys::SrcPort },
-    { "listeningPort", MatchQuery::StaticKeys::ListeningPort },
-    { "ipProtocol", MatchQuery::StaticKeys::IpProtocol },
-    { "domain", MatchQuery::StaticKeys::Domain }
-};
-
-MatchQuery::MatchQuery(const string &match) : is_specific_label(false), is_ignore_keyword(false)
-{
-    try {
-        stringstream ss;
-        ss.str(match);
-        cereal::JSONInputArchive archive_in(ss);
-        load(archive_in);
-    } catch (const exception &e) {
-        dbgWarning(D_RULEBASE_CONFIG)
-            << "Unable to load match query JSON. JSON content: "
-            << match
-            << ", Error: "
-            << e.what();
-    }
-}
-
-void
-MatchQuery::load(cereal::JSONInputArchive &archive_in)
-{
-    string type_as_string;
-    archive_in(cereal::make_nvp("type", type_as_string));
-
-    string op_as_string;
-    archive_in(cereal::make_nvp("op", op_as_string));
-
-    auto maybe_type = string_to_match_type.find(type_as_string);
-    if (maybe_type == string_to_match_type.end()) {
-        reportConfigurationError("Illegal Zone match query type. Provided type in configuration: " + type_as_string);
-    }
-
-    type = maybe_type->second;
-    switch (type) {
-        case (MatchType::Condition): {
-            auto maybe_condition = string_to_condition.find(op_as_string);
-            if (maybe_condition == string_to_condition.end()) {
-                reportConfigurationError(
-                    "Illegal op provided for condition. Provided op in configuration: " +
-                    op_as_string
-                );
-            }
-            condition_type = maybe_condition->second;
-            operator_type = Operators::None;
-            archive_in(cereal::make_nvp("key", key));
-            key_type = getKeyByName(key);
-            if (key_type == StaticKeys::NotStatic) {
-                if (key.rfind("containerLabels.", 0) == 0)  {
-                    is_specific_label = true;
-                } else {
-                    is_specific_label = false;
-                }
-            }
-            is_ignore_keyword = (key == "indicator");
-
-            if (condition_type != Conditions::Exist) {
-                archive_in(cereal::make_nvp("value", value));
-                for(const auto &val: value) {
-                    if (isKeyTypeIp()) {
-                        auto ip_range = IPUtilities::createRangeFromString<IPRange, IpAddress>(val, ip_addr_type_name);
-                        if (ip_range.ok()) {
-                            ip_addr_value.push_back(ip_range.unpack());
-                        } else {
-                            dbgWarning(D_RULEBASE_CONFIG)
-                                << "Failed to parse IP address range. Error: "
-                                << ip_range.getErr();
-                        }
-                    } else if (isKeyTypePort()) {
-                        auto port_range = IPUtilities::createRangeFromString<PortsRange, uint16_t>(
-                            val,
-                            port_type_name
-                        );
-                        if (port_range.ok()) {
-                            port_value.push_back(port_range.unpack());
-                        } else {
-                            dbgWarning(D_RULEBASE_CONFIG)
-                                << "Failed to parse port range. Error: "
-                                << port_range.getErr();
-                        }
-                    } else if (isKeyTypeProtocol()) {
-                        auto proto_range = IPUtilities::createRangeFromString<IpProtoRange, uint8_t>(
-                            val,
-                            ip_proto_type_name
-                        );
-                        if (proto_range.ok()) {
-                            ip_proto_value.push_back(proto_range.unpack());
-                        } else {
-                            dbgWarning(D_RULEBASE_CONFIG)
-                                << "Failed to parse IP protocol range. Error: "
-                                << proto_range.getErr();
-                        }
-                    }
-
-                    try {
-                        regex_values.insert(boost::regex(val));
-                    } catch (const exception &e) {
-                        dbgDebug(D_RULEBASE_CONFIG) << "Failed to compile regex. Error: " << e.what();
-                    }
-                }
-                first_value = *(value.begin());
-            }
-            break;
-        }
-        case (MatchType::Operator): {
-            auto maybe_operator = string_to_operator.find(op_as_string);
-            if (maybe_operator == string_to_operator.end()) {
-                reportConfigurationError(
-                    "Illegal op provided for operator. Provided op in configuration: " +
-                    op_as_string
-                );
-            }
-            operator_type = maybe_operator->second;
-            condition_type = Conditions::None;
-            archive_in(cereal::make_nvp("items", items));
-            break;
-        }
-    }
-}
-
-MatchQuery::StaticKeys
-MatchQuery::getKeyByName(const string &key_type_name)
-{
-    auto key = string_to_key.find(key_type_name);
-    if (key == string_to_key.end()) return StaticKeys::NotStatic;
-    return key->second;
-}
-
-bool
-MatchQuery::isKeyTypeIp() const
-{
-    return (key_type >= StaticKeys::IpAddress && key_type <= StaticKeys::DstIpAddress);
-}
-
-bool
-MatchQuery::isKeyTypePort() const
-{
-    return (key_type == StaticKeys::SrcPort || key_type == StaticKeys::ListeningPort);
-}
-
-bool
-MatchQuery::isKeyTypeProtocol() const
-{
-    return (key_type == StaticKeys::IpProtocol);
-}
-
-bool
-MatchQuery::isKeyTypeDomain() const
-{
-    return (key_type == StaticKeys::Domain);
-}
-
-bool
-MatchQuery::isKeyTypeSpecificLabel() const
-{
-    return is_specific_label;
-}
-
-bool
-MatchQuery::isKeyTypeStatic() const
-{
-    return (key_type != StaticKeys::NotStatic);
-}
-
-set<string>
-MatchQuery::getAllKeys() const
-{
-    set<string> keys;
-    if (type == MatchType::Condition) {
-        if (!key.empty()) keys.insert(key);
-        return keys;
-    }
-
-    for (const MatchQuery &inner_match: items) {
-        set<string> iner_keys = inner_match.getAllKeys();
-        keys.insert(iner_keys.begin(), iner_keys.end());
-    }
-
-    return keys;
-}
-
-bool
-MatchQuery::matchAttributes(
-        const unordered_map<string, set<string>> &key_value_pairs,
-        set<string> &matched_override_keywords ) const
-{
-
-    if (type == MatchType::Condition) {
-        auto key_value_pair = key_value_pairs.find(key);
-        if (key_value_pair == key_value_pairs.end()) {
-            dbgTrace(D_RULEBASE_CONFIG) << "Ignoring irrelevant key: " << key;
-            return false;
-        }
-        return matchAttributes(key_value_pair->second, matched_override_keywords);
-    } else if (type == MatchType::Operator && operator_type == Operators::And) {
-        for (const MatchQuery &inner_match: items) {
-            if (!inner_match.matchAttributes(key_value_pairs, matched_override_keywords)) {
-                return false;
-            }
-        }
-        return true;
-    } else if (type == MatchType::Operator && operator_type == Operators::Or) {
-        // With 'or' condition, evaluate matched override keywords first and add the ones that were fully matched
-        set<string> inner_override_keywords;
-        bool res = false;
-        for (const MatchQuery &inner_match: items) {
-            inner_override_keywords.clear();
-            if (inner_match.matchAttributes(key_value_pairs, inner_override_keywords)) {
-                matched_override_keywords.insert(inner_override_keywords.begin(), inner_override_keywords.end());
-                res = true;
-            }
-        }
-        return res;
-    } else {
-        dbgWarning(D_RULEBASE_CONFIG) << "Unsupported match query type";
-    }
-    return false;
-}
-
-MatchQuery::MatchResult
-MatchQuery::getMatch( const unordered_map<string, set<string>> &key_value_pairs) const
-{
-    MatchQuery::MatchResult matches;
-    matches.matched_keywords = make_shared<set<string>>();
-    matches.is_match = matchAttributes(key_value_pairs, *matches.matched_keywords);
-    return matches;
-}
-
-bool
-MatchQuery::matchAttributes(
-        const unordered_map<string, set<string>> &key_value_pairs) const
-{
-    return getMatch(key_value_pairs).is_match;
-}
-
-bool
-MatchQuery::matchAttributes(
-        const set<string> &values,
-        set<string> &matched_override_keywords) const
-{
-    auto &type = condition_type;
-    bool negate = type == MatchQuery::Conditions::NotEquals || type == MatchQuery::Conditions::NotIn;
-    bool match = isRegEx() ? matchAttributesRegEx(values, matched_override_keywords) : matchAttributesString(values);
-    return negate ? !match : match;
-}
-
-bool
-MatchQuery::matchAttributesRegEx(
-        const set<string> &values,
-        set<string> &matched_override_keywords) const
-{
-    bool res = false;
-    boost::cmatch value_matcher;
-    for (const boost::regex &val_regex : regex_values) {
-        for (const string &requested_match_value : values) {
-            if (NGEN::Regex::regexMatch(
-                __FILE__,
-                __LINE__,
-                requested_match_value.c_str(),
-                value_matcher,
-                val_regex))
-            {
-                res = true;
-                if (is_ignore_keyword) {
-                    matched_override_keywords.insert(requested_match_value);
-                } else {
-                    return res;
-                }
-            }
-        }
-    }
-    return res;
-}
-
-bool
-MatchQuery::matchAttributesString(const set<string> &values) const
-{
-    for (const string &requested_value : values) {
-        if (value.find(requested_value) != value.end()) return true;
-    }
-    return false;
-}
-
-bool
-MatchQuery::isRegEx() const
-{
-    return key != "protectionName";
-}

components/generic_rulebase/parameters_config.cc

@@ -1,157 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "generic_rulebase/parameters_config.h"
-
-USE_DEBUG_FLAG(D_RULEBASE_CONFIG);
-
-using namespace std;
-
-bool ParameterException::is_geo_location_exception_exists(false);
-bool ParameterException::is_geo_location_exception_being_loaded(false);
-
-void
-ParameterOverrides::load(cereal::JSONInputArchive &archive_in)
-{
-    parseJSONKey<vector<ParsedBehavior>>("parsedBehavior", parsed_behaviors, archive_in);
-}
-
-void
-ParameterTrustedSources::load(cereal::JSONInputArchive &archive_in)
-{
-    parseJSONKey<uint>("numOfSources", num_of_sources, archive_in);
-    parseJSONKey<vector<SourcesIdentifier>>("sourcesIdentifiers", sources_identidiers, archive_in);
-}
-
-void
-ParameterBehavior::load(cereal::JSONInputArchive &archive_in)
-{
-    string key_string;
-    string val_string;
-    parseJSONKey<string>("id", id, archive_in);
-    parseJSONKey<string>("key", key_string, archive_in);
-    parseJSONKey<string>("value", val_string, archive_in);
-    if (string_to_behavior_key.find(key_string) == string_to_behavior_key.end()) {
-        dbgWarning(D_RULEBASE_CONFIG) << "Unsupported behavior key: " << key_string;
-        return;
-    }
-    key = string_to_behavior_key.at(key_string);
-
-    if (string_to_behavior_val.find(val_string) == string_to_behavior_val.end()) {
-        dbgWarning(D_RULEBASE_CONFIG) << "Unsupported behavior value: " << val_string;
-        return;
-    }
-    value = string_to_behavior_val.at(val_string);
-}
-
-void
-ParameterAntiBot::load(cereal::JSONInputArchive &archive_in)
-{
-    parseJSONKey<vector<string>>("injected", injected, archive_in);
-    parseJSONKey<vector<string>>("validated", validated, archive_in);
-}
-
-void
-ParameterOAS::load(cereal::JSONInputArchive &archive_in)
-{
-    parseJSONKey<string>("value", value, archive_in);
-}
-
-void
-ParameterException::MatchBehaviorPair::load(cereal::JSONInputArchive &archive_in)
-{
-    parseJSONKey<MatchQuery>("match", match, archive_in);
-    parseJSONKey<ParameterBehavior>("behavior", behavior, archive_in);
-}
-
-void
-ParameterException::load(cereal::JSONInputArchive &archive_in)
-{
-    try {
-        archive_in(
-            cereal::make_nvp("match", match),
-            cereal::make_nvp("behavior", behavior)
-        );
-    } catch (...) {
-        parseJSONKey<vector<MatchBehaviorPair>>("exceptions", match_queries, archive_in);
-    }
-
-    function<bool(const MatchQuery &)> isGeoLocationExists =
-        [&](const MatchQuery &query)
-        {
-            if (query.getKey() == "countryCode" || query.getKey() == "countryName") {
-                is_geo_location_exception_being_loaded = true;
-                return true;
-            }
-
-            for (const MatchQuery &query_item : query.getItems()) {
-                if (isGeoLocationExists(query_item)) return true;
-            }
-
-            return false;
-        };
-
-    if (isGeoLocationExists(match)) return;
-    for (const MatchBehaviorPair &match_query : match_queries) {
-        if (isGeoLocationExists(match_query.match)) return;
-    }
-}
-
-set<ParameterBehavior>
-ParameterException::getBehavior(
-        const unordered_map<string, set<string>> &key_value_pairs,
-        set<string> &matched_override_keywords) const
-{
-    set<ParameterBehavior> matched_behaviors;
-
-    matched_override_keywords.clear();
-    dbgTrace(D_RULEBASE_CONFIG) << "Matching exception";
-    for (const MatchBehaviorPair &match_behavior_pair: match_queries) {
-        MatchQuery::MatchResult match_res = match_behavior_pair.match.getMatch(key_value_pairs);
-        if (match_res.is_match) {
-            dbgTrace(D_RULEBASE_CONFIG) << "Successfully matched an exception from a list of matches.";
-            // When matching indicators with action=ignore, we expect no behavior override.
-            // Instead, a matched keywords list should be returned which will be later removed from score calculation
-            if (match_res.matched_keywords->size() > 0 && match_behavior_pair.behavior == action_ignore) {
-                matched_override_keywords.insert(match_res.matched_keywords->begin(),
-                        match_res.matched_keywords->end());
-            } else {
-                matched_behaviors.insert(match_behavior_pair.behavior);
-            }
-        }
-    }
-
-    if (match_queries.empty()) {
-        MatchQuery::MatchResult match_res = match.getMatch(key_value_pairs);
-        if (match_res.is_match) {
-            dbgTrace(D_RULEBASE_CONFIG) << "Successfully matched an exception.";
-            // When matching indicators with action=ignore, we expect no behavior override.
-            // Instead, a matched keywords list should be returned which will be later removed from score calculation
-            if (match_res.matched_keywords->size() > 0 && behavior == action_ignore) {
-                matched_override_keywords.insert(match_res.matched_keywords->begin(),
-                        match_res.matched_keywords->end());
-            } else {
-                matched_behaviors.insert(behavior);
-            }
-        }
-    }
-
-    return matched_behaviors;
-}
-
-set<ParameterBehavior>
-ParameterException::getBehavior(const unordered_map<string, set<string>> &key_value_pairs) const
-{
-    set<string> keywords;
-    return getBehavior(key_value_pairs, keywords);
-}

components/generic_rulebase/rulebase_config.cc

@@ -1,79 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "generic_rulebase/rulebase_config.h"
-
-#include "telemetry.h"
-#include "config.h"
-
-USE_DEBUG_FLAG(D_RULEBASE_CONFIG);
-
-using namespace std;
-
-set<string> BasicRuleConfig::assets_ids{};
-set<string> BasicRuleConfig::assets_ids_aggregation{};
-
-void
-BasicRuleConfig::load(cereal::JSONInputArchive &ar)
-{
-    parseJSONKey<vector<RulePractice>>("practices", practices, ar);
-    parseJSONKey<vector<RuleTrigger>>("triggers", triggers, ar);
-    parseJSONKey<vector<RuleParameter>>("parameters", parameters, ar);
-    parseJSONKey<uint8_t>("priority", priority, ar);
-    parseJSONKey<string>("ruleId", rule_id, ar);
-    parseJSONKey<string>("ruleName", rule_name, ar);
-    parseJSONKey<string>("assetId", asset_id, ar);
-    parseJSONKey<string>("assetName", asset_name, ar);
-    parseJSONKey<string>("zoneId", zone_id, ar);
-    parseJSONKey<string>("zoneName", zone_name, ar);
-
-    assets_ids_aggregation.insert(asset_id);
-}
-
-void
-BasicRuleConfig::updateCountMetric()
-{
-    BasicRuleConfig::assets_ids = BasicRuleConfig::assets_ids_aggregation;
-    AssetCountEvent(AssetType::ALL, BasicRuleConfig::assets_ids.size()).notify();
-}
-
-bool
-BasicRuleConfig::isPracticeActive(const string &practice_id) const
-{
-    for (auto practice: practices) {
-        if (practice.getId() == practice_id) return true;
-    }
-    return false;
-}
-
-bool
-BasicRuleConfig::isTriggerActive(const string &trigger_id) const
-{
-    for (auto trigger: triggers) {
-        if (trigger.getId() == trigger_id) {
-            return true;
-        }
-    }
-    return false;
-}
-
-bool
-BasicRuleConfig::isParameterActive(const string &parameter_id) const
-{
-    for (auto param: parameters) {
-        if (param.getId() == parameter_id) {
-            return true;
-        }
-    }
-    return false;
-}

components/generic_rulebase/triggers_config.cc

@@ -1,243 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include <string>
-#include <map>
-
-#include "generic_rulebase/triggers_config.h"
-#include "generic_rulebase/generic_rulebase_utils.h"
-
-USE_DEBUG_FLAG(D_RULEBASE_CONFIG);
-
-using namespace std;
-
-WebTriggerConf::WebTriggerConf() :  response_title(""), response_body(""), response_code(0) {}
-WebTriggerConf::WebTriggerConf(const string &title, const string &body, uint code)
-        :
-    response_title(title),
-    response_body(body),
-    response_code(code)
-{}
-
-WebTriggerConf WebTriggerConf::default_trigger_conf = WebTriggerConf(
-    "Attack blocked by web application protection",                                     // title
-    "Check Point's <b>Application Security</b> has detected an attack and blocked it.", // body
-    403
-);
-
-void
-WebTriggerConf::load(cereal::JSONInputArchive &archive_in)
-{
-    try {
-        parseJSONKey<string>("details level", details_level, archive_in);
-        if (details_level == "Redirect") {
-            parseJSONKey<string>("redirect URL", redirect_url, archive_in);
-            parseJSONKey<bool>("xEventId", add_event_id_to_header, archive_in);
-            parseJSONKey<bool>("eventIdInHeader", add_event_id_to_header, archive_in);
-            return;
-        }
-        parseJSONKey<uint>("response code", response_code, archive_in);
-        if (response_code < 100 || response_code > 599) {
-            throw cereal::Exception(
-                "illegal web trigger response code: " +
-                to_string(response_code) +
-                " is out of range (100-599)"
-            );
-        }
-
-        if (details_level == "Response Code") return;
-
-        parseJSONKey<string>("response body", response_body, archive_in);
-        parseJSONKey<string>("response title", response_title, archive_in);
-    } catch (const exception &e) {
-        dbgWarning(D_RULEBASE_CONFIG) << "Failed to parse the web trigger configuration: '" << e.what() << "'";
-        archive_in.setNextName(nullptr);
-    }
-}
-
-bool
-WebTriggerConf::operator==(const WebTriggerConf &other) const
-{
-    return
-        response_code == other.response_code &&
-        response_title == other.response_title &&
-        response_body == other.response_body;
-}
-
-LogTriggerConf::LogTriggerConf(string trigger_name, bool log_detect, bool log_prevent) : name(trigger_name)
-{
-    if (log_detect) should_log_on_detect.setAll();
-    if (log_prevent) should_log_on_prevent.setAll();
-    active_streams.setFlag(ReportIS::StreamType::JSON_FOG);
-    active_streams.setFlag(ReportIS::StreamType::JSON_LOG_FILE);
-}
-
-ReportIS::Severity
-LogTriggerConf::getSeverity(bool is_action_drop_or_prevent) const
-{
-    return is_action_drop_or_prevent ? ReportIS::Severity::MEDIUM : ReportIS::Severity::LOW;
-}
-
-ReportIS::Priority
-LogTriggerConf::getPriority(bool is_action_drop_or_prevent) const
-{
-    return is_action_drop_or_prevent ? ReportIS::Priority::HIGH : ReportIS::Priority::MEDIUM;
-}
-
-Flags<ReportIS::StreamType>
-LogTriggerConf::getStreams(SecurityType security_type, bool is_action_drop_or_prevent) const
-{
-    if (is_action_drop_or_prevent && should_log_on_prevent.isSet(security_type)) return active_streams;
-    if (!is_action_drop_or_prevent && should_log_on_detect.isSet(security_type)) return active_streams;
-
-    return Flags<ReportIS::StreamType>();
-}
-
-Flags<ReportIS::Enreachments>
-LogTriggerConf::getEnrechments(SecurityType security_type) const
-{
-    Flags<ReportIS::Enreachments> enreachments;
-
-    if (log_geo_location.isSet(security_type)) enreachments.setFlag(ReportIS::Enreachments::GEOLOCATION);
-    if (should_format_output) enreachments.setFlag(ReportIS::Enreachments::BEAUTIFY_OUTPUT);
-
-    return enreachments;
-}
-
-template <typename EnumClass>
-static void
-setTriggersFlag(const string &key, cereal::JSONInputArchive &ar, EnumClass flag, Flags<EnumClass> &flags)
-{
-    bool value = false;
-    parseJSONKey<bool>(key, value, ar);
-    if (value) flags.setFlag(flag);
-}
-
-static void
-setLogConfiguration(
-    const ReportIS::StreamType &log_type,
-    const string &log_server_url = "",
-    const string &protocol = ""
-)
-{
-    dbgTrace(D_RULEBASE_CONFIG) << "log server url:" << log_server_url;
-    if (log_server_url != "" && protocol != "") {
-        Singleton::Consume<I_Logging>::by<LogTriggerConf>()->addStream(log_type, log_server_url, protocol);
-    } else {
-        Singleton::Consume<I_Logging>::by<LogTriggerConf>()->addStream(log_type);
-    }
-}
-
-static string
-parseProtocolWithDefault(
-    const std::string &default_value,
-    const std::string &key_name,
-    cereal::JSONInputArchive &archive_in
-)
-{
-    string value;
-    try {
-        archive_in(cereal::make_nvp(key_name, value));
-    } catch (const cereal::Exception &e) {
-        return default_value;
-    }
-    return value;
-}
-
-void
-LogTriggerConf::load(cereal::JSONInputArchive& archive_in)
-{
-    try {
-        parseJSONKey<string>("triggerName", name, archive_in);
-        parseJSONKey<string>("verbosity", verbosity, archive_in);
-        parseJSONKey<string>("urlForSyslog", url_for_syslog, archive_in);
-        parseJSONKey<string>("urlForCef", url_for_cef, archive_in);
-        parseJSONKey<string>("syslogProtocol", syslog_protocol, archive_in);
-        syslog_protocol = parseProtocolWithDefault("UDP", "syslogProtocol", archive_in);
-        cef_protocol = parseProtocolWithDefault("UDP", "cefProtocol", archive_in);
-
-        setTriggersFlag("webBody",  archive_in, WebLogFields::webBody, log_web_fields);
-        setTriggersFlag("webHeaders", archive_in, WebLogFields::webHeaders, log_web_fields);
-        setTriggersFlag("webRequests", archive_in, WebLogFields::webRequests, log_web_fields);
-        setTriggersFlag("webUrlPath", archive_in, WebLogFields::webUrlPath, log_web_fields);
-        setTriggersFlag("webUrlQuery", archive_in, WebLogFields::webUrlQuery, log_web_fields);
-        setTriggersFlag("logToAgent", archive_in, ReportIS::StreamType::JSON_LOG_FILE, active_streams);
-        setTriggersFlag("logToCloud", archive_in, ReportIS::StreamType::JSON_FOG, active_streams);
-        setTriggersFlag("logToK8sService", archive_in, ReportIS::StreamType::JSON_K8S_SVC, active_streams);
-        setTriggersFlag("logToSyslog", archive_in, ReportIS::StreamType::SYSLOG, active_streams);
-        setTriggersFlag("logToCef", archive_in, ReportIS::StreamType::CEF, active_streams);
-        setTriggersFlag("acAllow", archive_in, SecurityType::AccessControl, should_log_on_detect);
-        setTriggersFlag("acDrop", archive_in, SecurityType::AccessControl, should_log_on_prevent);
-        setTriggersFlag("tpDetect", archive_in, SecurityType::ThreatPrevention, should_log_on_detect);
-        setTriggersFlag("tpPrevent", archive_in, SecurityType::ThreatPrevention, should_log_on_prevent);
-        setTriggersFlag("complianceWarnings", archive_in, SecurityType::Compliance, should_log_on_detect);
-        setTriggersFlag("complianceViolations", archive_in, SecurityType::Compliance, should_log_on_prevent);
-        setTriggersFlag("acLogGeoLocation", archive_in, SecurityType::AccessControl, log_geo_location);
-        setTriggersFlag("tpLogGeoLocation", archive_in, SecurityType::ThreatPrevention, log_geo_location);
-        setTriggersFlag("complianceLogGeoLocation", archive_in, SecurityType::Compliance, log_geo_location);
-
-        bool extend_logging = false;
-        parseJSONKey<bool>("extendLogging", extend_logging, archive_in);
-        if (extend_logging) {
-            setTriggersFlag("responseCode", archive_in, WebLogFields::responseCode, log_web_fields);
-            setTriggersFlag("responseBody", archive_in, WebLogFields::responseBody, log_web_fields);
-
-            string severity;
-            static const map<string, extendLoggingSeverity> extend_logging_severity_strings = {
-                {"High", extendLoggingSeverity::High},
-                {"Critical", extendLoggingSeverity::Critical}
-            };
-            parseJSONKey<string>("extendLoggingMinSeverity", severity, archive_in);
-            auto extended_severity = extend_logging_severity_strings.find(severity);
-            if (extended_severity != extend_logging_severity_strings.end()) {
-                extend_logging_severity = extended_severity->second;
-            } else {
-                dbgWarning(D_RULEBASE_CONFIG)
-                    << "Failed to parse the extendLoggingMinSeverityfield: '"
-                    << severity
-                    << "'";
-            }
-        }
-
-        for (ReportIS::StreamType log_stream : makeRange<ReportIS::StreamType>()) {
-            if (!active_streams.isSet(log_stream)) continue;
-            switch (log_stream) {
-                case ReportIS::StreamType::JSON_DEBUG:
-                    setLogConfiguration(ReportIS::StreamType::JSON_DEBUG);
-                    break;
-                case ReportIS::StreamType::JSON_FOG:
-                    setLogConfiguration(ReportIS::StreamType::JSON_FOG);
-                    break;
-                case ReportIS::StreamType::JSON_LOG_FILE:
-                    setLogConfiguration(ReportIS::StreamType::JSON_LOG_FILE);
-                    break;
-                case ReportIS::StreamType::JSON_K8S_SVC:
-                    setLogConfiguration(ReportIS::StreamType::JSON_K8S_SVC);
-                    break;
-                case ReportIS::StreamType::SYSLOG:
-                    setLogConfiguration(ReportIS::StreamType::SYSLOG, getUrlForSyslog(), syslog_protocol);
-                    break;
-                case ReportIS::StreamType::CEF:
-                    setLogConfiguration(ReportIS::StreamType::CEF, getUrlForCef(), cef_protocol);
-                    break;
-                case ReportIS::StreamType::NONE: break;
-                case ReportIS::StreamType::COUNT: break;
-            }
-        }
-
-        parseJSONKey<bool>("formatLoggingOutput", should_format_output, archive_in);
-    } catch (const exception &e) {
-        dbgWarning(D_RULEBASE_CONFIG) << "Failed to parse the log trigger configuration: '" << e.what() << "'";
-        archive_in.setNextName(nullptr);
-    }
-}

components/generic_rulebase/zone.cc

@@ -1,179 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "generic_rulebase/zone.h"
-
-#include <set>
-#include <vector>
-#include <string>
-
-using namespace std;
-
-static const unordered_map<string, Zone::Direction> string_to_direction = {
-    { "to", Zone::Direction::To },
-    { "from", Zone::Direction::From },
-    { "bidirectional", Zone::Direction::Bidirectional }
-};
-
-class AdjacentZone
-{
-public:
-    void
-    load(cereal::JSONInputArchive &archive_in)
-    {
-        string direction_as_string;
-        archive_in(cereal::make_nvp("direction", direction_as_string));
-        archive_in(cereal::make_nvp("zoneId", id));
-        auto maybe_direction = string_to_direction.find(direction_as_string);
-        if (maybe_direction == string_to_direction.end()) {
-            reportConfigurationError(
-                "Illegal direction provided for adjacency. Provided direction in configuration: " +
-                direction_as_string
-            );
-        }
-        dir = maybe_direction->second;
-    }
-
-    pair<Zone::Direction, GenericConfigId> getValue() const { return make_pair(dir, id); }
-
-private:
-    Zone::Direction dir;
-    GenericConfigId id;
-};
-
-class TagsValues
-{
-public:
-    static const string req_attrs_ctx_key;
-
-    TagsValues() {}
-
-    template <typename Archive>
-    void
-    serialize(Archive &ar)
-    {
-        I_Environment *env = Singleton::Consume<I_Environment>::by<Zone>();
-        auto req_attrs = env->get<set<string>>(req_attrs_ctx_key);
-        if (!req_attrs.ok()) return;
-
-        for (const string &req_attr : *req_attrs) {
-            try {
-                string data;
-                ar(cereal::make_nvp(req_attr, data));
-                dbgDebug(D_RULEBASE_CONFIG)
-                    << "Found value for requested attribute. Tag: "
-                    << req_attr
-                    << ", Value: "
-                    << data;
-
-                tags_set[req_attr].insert(data);
-            } catch (const exception &e) {
-                dbgDebug(D_RULEBASE_CONFIG) << "Could not find values for requested attribute. Tag: " << req_attr;
-                ar.setNextName(nullptr);
-            }
-        }
-    }
-
-    bool
-    matchValueByKey(const string &requested_key, const unordered_set<string> &possible_values) const
-    {
-        auto values = tags_set.find(requested_key);
-        if (values == tags_set.end()) return false;
-
-        for (const string &val : possible_values) {
-            if (values->second.count(val)) return true;
-        }
-        return false;
-    }
-
-    void
-    insert(const TagsValues &other)
-    {
-        for (auto &single_tags_value : other.getData()) {
-            tags_set[single_tags_value.first].insert(single_tags_value.second.begin(), single_tags_value.second.end());
-        }
-    }
-
-    const unordered_map<string, set<string>> & getData() const { return tags_set; }
-
-private:
-    unordered_map<string, set<string>> tags_set;
-};
-
-const string TagsValues::req_attrs_ctx_key = "requested attributes key";
-
-void
-Zone::load(cereal::JSONInputArchive &archive_in)
-{
-    archive_in(cereal::make_nvp("id", zone_id));
-    archive_in(cereal::make_nvp("name", zone_name));
-    vector<AdjacentZone> adjacency;
-    try {
-        archive_in(cereal::make_nvp("adjacentZones", adjacency));
-    } catch (const cereal::Exception &) {
-        dbgTrace(D_RULEBASE_CONFIG)
-            << "List of adjacentZones does not exist for current object. Zone id: "
-            << zone_id
-            << ", Zone name: "
-            << zone_name;
-
-        archive_in.setNextName(nullptr);
-    }
-
-    for (const AdjacentZone &zone : adjacency) {
-        adjacent_zones.push_back(zone.getValue());
-    }
-
-    archive_in(cereal::make_nvp("match", match_query));
-
-    is_any =
-        match_query.getType() == MatchQuery::MatchType::Condition &&
-        match_query.getKey() == "any" &&
-        match_query.getValue().count("any") > 0;
-
-    set<string> keys = match_query.getAllKeys();
-}
-
-const string
-contextKeyToString(Context::MetaDataType type)
-{
-    if (type == Context::MetaDataType::SubjectIpAddr || type == Context::MetaDataType::OtherIpAddr) return "ip";
-    return Context::convertToString(type);
-}
-
-bool
-Zone::contains(const Asset &asset)
-{
-    QueryRequest request;
-
-    for (const auto &main_attr : asset.getAttrs()) {
-        request.addCondition(Condition::EQUALS, contextKeyToString(main_attr.first), main_attr.second);
-    }
-
-    ScopedContext req_attrs_key;
-    req_attrs_key.registerValue<set<string>>(TagsValues::req_attrs_ctx_key, match_query.getAllKeys());
-
-    I_Intelligence_IS_V2 *intelligence = Singleton::Consume<I_Intelligence_IS_V2>::by<Zone>();
-    auto query_res = intelligence->queryIntelligence<TagsValues>(request);
-    if (!query_res.ok()) {
-        dbgWarning(D_RULEBASE_CONFIG) << "Failed to perform intelligence query. Error: " << query_res.getErr();
-        return false;
-    }
-
-    for (const AssetReply<TagsValues> &asset : query_res.unpack()) {
-        TagsValues tag_values = asset.mergeReplyData();
-
-        if (match_query.matchAttributes(tag_values.getData())) return true;
-    }
-    return false;
-}

components/generic_rulebase/zones_config.cc

@@ -1,114 +0,0 @@
-// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
-
-// Licensed under the Apache License, Version 2.0 (the "License");
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include "generic_rulebase/zones_config.h"
-
-#include <string>
-#include <unordered_map>
-
-#include "generic_rulebase/generic_rulebase_utils.h"
-#include "config.h"
-#include "ip_utilities.h"
-#include "connkey.h"
-#include "i_generic_rulebase.h"
-
-USE_DEBUG_FLAG(D_RULEBASE_CONFIG);
-
-using namespace std;
-
-void
-ZonesConfig::load(cereal::JSONInputArchive &archive_in)
-{
-    dbgFlow(D_RULEBASE_CONFIG) << "Saving active zones";
-    set<string> used_zones;
-    cereal::load(archive_in, used_zones);
-
-    dbgTrace(D_RULEBASE_CONFIG) << "Loading all zones";
-    auto all_zones_maybe = getSetting<Zones>("rulebase", "zones");
-    if (!all_zones_maybe.ok()) {
-        dbgWarning(D_RULEBASE_CONFIG) << "Failed to load zones";
-        return;
-    }
-
-    dbgTrace(D_RULEBASE_CONFIG) << "Creating cache of all zones by ID";
-    map<GenericConfigId, Zone> all_zones;
-    for (const auto &single_zone : all_zones_maybe.unpack().zones) {
-        if (used_zones.count(single_zone.getId()) > 0 && single_zone.isAnyZone()) {
-            dbgTrace(D_RULEBASE_CONFIG) << "Found used zone of type \"Any\": saving all zones as active zones";
-            zones = all_zones_maybe.unpack().zones;
-            return;
-        }
-
-        dbgDebug(D_RULEBASE_CONFIG)
-            << "Adding specific zone to cache. Zone ID: "
-            << single_zone.getId()
-            << ", name: "
-            << single_zone.getName();
-        all_zones.emplace(single_zone.getId(), single_zone);
-    }
-
-    dbgTrace(D_RULEBASE_CONFIG) << "Creating list of active zones";
-    map<GenericConfigId, Zone> active_zones_set;
-    for (const auto &single_used_zone_id : used_zones) {
-        const auto &found_zone = all_zones[single_used_zone_id];
-        dbgTrace(D_RULEBASE_CONFIG)
-            << "Adding zone to list of active zones. Zone ID: "
-            << single_used_zone_id
-            << ", zone name: "
-            << found_zone.getName();
-        active_zones_set.emplace(found_zone.getId(), found_zone);
-
-        for (const auto &adjacent_zone : found_zone.getAdjacentZones()) {
-            const auto &adjacent_zone_obj = all_zones[adjacent_zone.second];
-            dbgTrace(D_RULEBASE_CONFIG)
-                << "Adding adjacent zone to list of active zones. Zone ID: "
-                << adjacent_zone_obj.getId()
-                << ", zone name: "
-                << adjacent_zone_obj.getName();
-            active_zones_set.emplace(adjacent_zone_obj.getId(), adjacent_zone_obj);
-        }
-    }
-
-    vector<GenericConfigId> implied_zones = {
-        "impliedAzure",
-        "impliedDNS",
-        "impliedSSH",
-        "impliedProxy",
-        "impliedFog"
-    };
-
-    GenericConfigId any_zone_id = "";
-    for (const auto &single_zone : all_zones_maybe.unpack().zones) {
-        if (single_zone.isAnyZone()) any_zone_id = single_zone.getId();
-    }
-    for (GenericConfigId &implied_id: implied_zones) {
-        if (all_zones.find(implied_id) != all_zones.end()) {
-            dbgDebug(D_RULEBASE_CONFIG) << "Adding implied zone to cache. Zone ID: " << implied_id;
-            active_zones_set.emplace(implied_id, all_zones[implied_id]);
-            if (any_zone_id != "" && active_zones_set.count(any_zone_id) == 0) {
-                active_zones_set.emplace(any_zone_id, all_zones[any_zone_id]);
-            }
-        }
-    }
-
-    for (const auto &single_id_zone_pair : active_zones_set) {
-        zones.push_back(single_id_zone_pair.second);
-    }
-}
-
-void
-ZonesConfig::preload()
-{
-    registerExpectedSetting<Zones>("rulebase", "zones");
-    registerExpectedSetting<ZonesConfig>("rulebase", "usedZones");
-}

components/gradual_deployment/gradual_deployment.cc

@@ -128,7 +128,7 @@ private:
                 break;
             }
             default:
-                dbgAssert(false) << "Unsupported IP type";
+                dbgAssert(false) << AlertInfo(AlertTeam::CORE, "gradual deployment") << "Unsupported IP type";
         }
         return address;
     }

components/health_check_manager/health_check_manager_ut/CMakeLists.txt

@@ -1,8 +0,0 @@
-include_directories(${CMAKE_SOURCE_DIR}/components/include)
-link_directories(${BOOST_ROOT}/lib)
-
-add_unit_test(
-    health_check_manager_ut
-    "health_check_manager_ut.cc"
-    "singleton;messaging;mainloop;health_check_manager;event_is;metric;-lboost_regex"
-)

components/http_manager/http_manager.cc

@@ -15,19 +15,18 @@
 
 #include <string>
 #include <map>
-#include <sys/stat.h>
-#include <climits>
 #include <unordered_map>
-#include <boost/range/iterator_range.hpp>
+#include <unordered_set>
+#include <boost/algorithm/string.hpp>
 #include <fstream>
 #include <algorithm>
 
 #include "common.h"
 #include "config.h"
-#include "table_opaque.h"
 #include "http_manager_opaque.h"
 #include "log_generator.h"
 #include "http_inspection_events.h"
+#include "agent_core_utilities.h"
 
 USE_DEBUG_FLAG(D_HTTP_MANAGER);
 
@@ -46,7 +45,10 @@ operator<<(ostream &os, const EventVerdict &event)
         case ngx_http_cp_verdict_e::TRAFFIC_VERDICT_WAIT: return os << "Wait";
     }
 
-    dbgAssert(false) << "Illegal Event Verdict value: " << static_cast<uint>(event.getVerdict());
+    dbgAssert(false)
+        << AlertInfo(AlertTeam::CORE, "http manager")
+        << "Illegal Event Verdict value: "
+        << static_cast<uint>(event.getVerdict());
     return os;
 }
 
@@ -92,6 +94,7 @@ public:
 
         HttpManagerOpaque &state = i_transaction_table->getState<HttpManagerOpaque>();
         string event_key = static_cast<string>(event.getKey());
+
         if (event_key == getProfileAgentSettingWithDefault<string>("", "agent.customHeaderValueLogging")) {
             string event_value = static_cast<string>(event.getValue());
             dbgTrace(D_HTTP_MANAGER)
@@ -321,8 +324,11 @@ private:
 
             state.setApplicationVerdict(respond.first, respond.second.getVerdict());
         }
-
-        return state.getCurrVerdict();
+        FilterVerdict aggregated_verdict = state.getCurrVerdict();
+        if (aggregated_verdict.getVerdict() == ngx_http_cp_verdict_e::TRAFFIC_VERDICT_DROP) {
+            SecurityAppsDropEvent(state.getCurrentDropVerdictCausers()).notify();
+        }
+        return aggregated_verdict;
     }
 
     static void

components/http_manager/http_manager_opaque.cc

@@ -69,6 +69,7 @@ HttpManagerOpaque::getCurrVerdict() const
                 break;
             default:
                 dbgAssert(false)
+                    << AlertInfo(AlertTeam::CORE, "http manager")
                     << "Received unknown verdict "
                     << static_cast<int>(app_verdic_pair.second);
         }
@@ -77,6 +78,25 @@ HttpManagerOpaque::getCurrVerdict() const
     return accepted_apps == applications_verdicts.size() ? ngx_http_cp_verdict_e::TRAFFIC_VERDICT_ACCEPT : verdict;
 }
 
+std::set<std::string>
+HttpManagerOpaque::getCurrentDropVerdictCausers() const
+{
+    std::set<std::string> causers;
+    if (manager_verdict == ngx_http_cp_verdict_e::TRAFFIC_VERDICT_DROP) {
+        causers.insert(HTTP_MANAGER_NAME);
+    }
+    for (const auto &app_verdic_pair : applications_verdicts) {
+        bool was_dropped = app_verdic_pair.second == ngx_http_cp_verdict_e::TRAFFIC_VERDICT_DROP;
+        dbgTrace(D_HTTP_MANAGER)
+            << "The verdict from: " << app_verdic_pair.first
+            << (was_dropped ? " is \"drop\"" : " is not \"drop\" ");
+        if (was_dropped) {
+            causers.insert(app_verdic_pair.first);
+        }
+    }
+    return causers;
+}
+
 void
 HttpManagerOpaque::saveCurrentDataToCache(const Buffer &full_data)
 {

components/http_manager/http_manager_opaque.h

@@ -20,6 +20,8 @@
 #include "table_opaque.h"
 #include "nginx_attachment_common.h"
 
+static const std::string HTTP_MANAGER_NAME = "HTTP Manager";
+
 class HttpManagerOpaque : public TableOpaqueSerialize<HttpManagerOpaque>
 {
 public:
@@ -30,6 +32,7 @@ public:
     void setManagerVerdict(ngx_http_cp_verdict_e verdict) { manager_verdict = verdict; }
     ngx_http_cp_verdict_e getManagerVerdict() const { return manager_verdict; }
     ngx_http_cp_verdict_e getCurrVerdict() const;
+    std::set<std::string> getCurrentDropVerdictCausers() const;
     void saveCurrentDataToCache(const Buffer &full_data);
     void setUserDefinedValue(const std::string &value) { user_defined_value = value; }
     Maybe<std::string> getUserDefinedValue() const { return user_defined_value; }

components/include/central_nginx_manager.h

@@ -0,0 +1,45 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __CENTRAL_NGINX_MANAGER_H__
+#define __CENTRAL_NGINX_MANAGER_H__
+
+#include "component.h"
+#include "singleton.h"
+#include "i_messaging.h"
+#include "i_rest_api.h"
+#include "i_mainloop.h"
+#include "i_agent_details.h"
+
+class CentralNginxManager
+        :
+    public Component,
+    Singleton::Consume<I_RestApi>,
+    Singleton::Consume<I_Messaging>,
+    Singleton::Consume<I_MainLoop>,
+    Singleton::Consume<I_AgentDetails>
+{
+public:
+    CentralNginxManager();
+    ~CentralNginxManager();
+
+    void preload() override;
+    void init() override;
+    void fini() override;
+
+private:
+    class Impl;
+    std::unique_ptr<Impl> pimpl;
+};
+
+#endif // __CENTRAL_NGINX_MANAGER_H__

components/include/details_resolver.h

@@ -34,6 +34,7 @@ public:
     ~DetailsResolver();
 
     void preload() override;
+    void init() override;
 
 private:
     class Impl;

components/include/downloader.h

@@ -21,6 +21,7 @@
 #include "url_parser.h"
 #include "i_agent_details.h"
 #include "i_mainloop.h"
+#include "i_environment.h"
 #include "singleton.h"
 #include "component.h"
 
@@ -32,6 +33,7 @@ class Downloader
     Singleton::Consume<I_Encryptor>,
     Singleton::Consume<I_MainLoop>,
     Singleton::Consume<I_OrchestrationTools>,
+    Singleton::Consume<I_Environment>,
     Singleton::Consume<I_UpdateCommunication>
 {
 public:

components/include/external_sdk_server.h

@@ -24,7 +24,8 @@ class ExternalSdkServer
         :
     public Component,
     Singleton::Provide<I_ExternalSdkServer>,
-    Singleton::Consume<I_RestApi>
+    Singleton::Consume<I_RestApi>,
+    Singleton::Consume<I_Messaging>
 {
 public:
     ExternalSdkServer();

components/include/generic_rulebase/match_query.h

@@ -89,7 +89,9 @@ private:
     bool matchAttributesRegEx(const std::set<std::string> &values,
             std::set<std::string> &matched_override_keywords) const;
     bool matchAttributesString(const std::set<std::string> &values) const;
+    bool matchAttributesIp(const std::set<std::string> &values) const;
     bool isRegEx() const;
+    void sortAndMergeIpRangesValues();
 
     MatchType type;
     Operators operator_type;

components/include/health_checker.h

@@ -21,6 +21,7 @@
 #include "i_shell_cmd.h"
 #include "i_orchestration_status.h"
 #include "component.h"
+#include "i_service_controller.h"
 
 class HealthChecker
         :
@@ -29,7 +30,8 @@ class HealthChecker
     Singleton::Consume<I_Socket>,
     Singleton::Consume<I_Health_Check_Manager>,
     Singleton::Consume<I_ShellCmd>,
-    Singleton::Consume<I_OrchestrationStatus>
+    Singleton::Consume<I_OrchestrationStatus>,
+    Singleton::Consume<I_ServiceController>
 {
 public:
     HealthChecker();

components/include/http_event_impl/i_http_event_impl.h

@@ -50,9 +50,11 @@ public:
         position(mod_position)
     {
         dbgAssert(mod_type != ModificationType::APPEND || position == injection_pos_irrelevant)
+            << AlertInfo(AlertTeam::CORE, "http manager")
             << "Injection position is not applicable to a modification of type \"Append\"";
 
         dbgAssert(mod_type != ModificationType::INJECT || position >= 0)
+            << AlertInfo(AlertTeam::CORE, "http manager")
             << "Invalid injection position: must be non-negative. Position: "
             << position;
     }
@@ -166,6 +168,7 @@ private:
             }
             default:
                 dbgAssert(false)
+                    << AlertInfo(AlertTeam::CORE, "http manager")
                     << "Unknown type of ModificationType: "
                     << static_cast<int>(modification_type);
         }
@@ -236,6 +239,7 @@ public:
     const Buffer & getValue() const { return value; }
 
     bool isLastHeader() const { return is_last_header; }
+    void setIsLastHeader() { is_last_header = true; }
     uint8_t getHeaderIndex() const { return header_index; }
 
 private:

components/include/http_geo_filter.h

@@ -15,7 +15,8 @@ class HttpGeoFilter
     public Component,
     Singleton::Consume<I_MainLoop>,
     Singleton::Consume<I_GeoLocation>,
-    Singleton::Consume<I_GenericRulebase>
+    Singleton::Consume<I_GenericRulebase>,
+    Singleton::Consume<I_Environment>
 {
 public:
     HttpGeoFilter();

components/include/http_inspection_events.h

@@ -183,4 +183,16 @@ class WaitTransactionEvent : public Event<WaitTransactionEvent, EventVerdict>
 {
 };
 
+class SecurityAppsDropEvent : public Event<SecurityAppsDropEvent>
+{
+public:
+    SecurityAppsDropEvent(
+        const std::set<std::string> &apps_names)
+            :
+        apps_names(apps_names) {}
+    const std::set<std::string> & getAppsNames() const { return apps_names; }
+
+private:
+    const std::set<std::string> apps_names;
+};
 #endif // __HTTP_INSPECTION_EVENTS_H__

components/include/http_transaction_data.h

@@ -136,6 +136,7 @@ public:
     static const std::string req_body;
     static const std::string source_identifier;
     static const std::string proxy_ip_ctx;
+    static const std::string xff_vals_ctx;
 
     static const CompressionType default_response_content_encoding;
 

components/include/i_details_resolver.h

@@ -29,7 +29,9 @@ public:
     virtual bool isGwNotVsx() = 0;
     virtual bool isVersionAboveR8110() = 0;
     virtual bool isReverseProxy() = 0;
+    virtual bool isCloudStorageEnabled() = 0;
     virtual Maybe<std::tuple<std::string, std::string, std::string>> parseNginxMetadata() = 0;
+    virtual Maybe<std::tuple<std::string, std::string, std::string, std::string, std::string>> readCloudMetadata() = 0;
     virtual std::map<std::string, std::string> getResolvedDetails() = 0;
 #if defined(gaia) || defined(smb)
     virtual bool compareCheckpointVersion(int cp_version, std::function<bool(int, int)> compare_operator) const = 0;

components/include/i_downloader.h

@@ -22,7 +22,7 @@
 class I_Downloader
 {
 public:
-    virtual Maybe<std::string> downloadFileFromFog(
+    virtual Maybe<std::string> downloadFile(
         const std::string &checksum,
         Package::ChecksumTypes,
         const GetResourceFile &resourse_file

components/include/i_orchestration_tools.h

@@ -117,7 +117,7 @@ public:
         const std::string &conf_path) const = 0;
     virtual bool copyFile(const std::string &src_path, const std::string &dst_path) const = 0;
     virtual bool doesFileExist(const std::string &file_path) const = 0;
-    virtual void getClusterId() const = 0;
+    virtual void setClusterId() const = 0;
     virtual void fillKeyInJson(
         const std::string &filename,
         const std::string &_key,

components/include/i_service_controller.h

@@ -64,7 +64,9 @@ public:
         const std::string &service_id
     ) = 0;
 
-    virtual std::map<std::string, PortNumber> getServiceToPortMap() = 0;
+    virtual std::map<std::string, std::vector<PortNumber>> getServiceToPortMap() = 0;
+
+    virtual bool getServicesPolicyStatus() const = 0;
 
 protected:
     virtual ~I_ServiceController() {}

components/include/i_update_communication.h

@@ -32,6 +32,7 @@ public:
         const std::string &policy_versions
     ) const = 0;
     virtual Maybe<void> authenticateAgent() = 0;
+    virtual void registerLocalAgentToFog() = 0;
     virtual Maybe<void> getUpdate(CheckUpdateRequest &request) = 0;
     virtual Maybe<std::string> downloadAttributeFile(
         const GetResourceFile &resourse_file,

components/include/ip_utilities.h

@@ -28,8 +28,9 @@
 
 // LCOV_EXCL_START Reason: temporary until we add relevant UT until 07/10
 bool operator<(const IpAddress &this_ip_addr, const IpAddress &other_ip_addr);
-
 bool operator==(const IpAddress &this_ip_addr, const IpAddress &other_ip_addr);
+bool operator<=(const IpAddress &this_ip_addr, const IpAddress &other_ip_addr);
+bool operator<(const IPRange &range1, const IPRange &range2);
 // LCOV_EXCL_STOP
 
 Maybe<std::pair<std::string, int>> extractAddressAndMaskSize(const std::string &cidr);

components/include/manifest_handler.h

@@ -62,6 +62,7 @@ public:
 
 private:
     Maybe<std::string> downloadPackage(const Package &package, bool is_clean_installation);
+    std::string getCurrentTimestamp();
 
     std::string manifest_file_path;
     std::string temp_ext;

components/include/nginx_message_reader.h

@@ -0,0 +1,28 @@
+#ifndef __NGINX_MESSAGE_READER_H__
+#define __NGINX_MESSAGE_READER_H__
+
+#include "singleton.h"
+#include "i_mainloop.h"
+#include "i_socket_is.h"
+#include "component.h"
+
+class NginxMessageReader
+        :
+    public Component,
+    Singleton::Consume<I_MainLoop>,
+    Singleton::Consume<I_Socket>
+{
+public:
+    NginxMessageReader();
+    ~NginxMessageReader();
+
+    void init() override;
+    void fini() override;
+    void preload() override;
+
+private:
+    class Impl;
+    std::unique_ptr<Impl> pimpl;
+};
+
+#endif //__NGINX_MESSAGE_READER_H__

components/include/nginx_utils.h

@@ -0,0 +1,51 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __NGINX_UTILS_H__
+#define __NGINX_UTILS_H__
+
+#include <string>
+
+#include "maybe_res.h"
+#include "singleton.h"
+#include "i_shell_cmd.h"
+
+class NginxConfCollector
+{
+public:
+    NginxConfCollector(const std::string &nginx_conf_input_path, const std::string &nginx_conf_output_path);
+    Maybe<std::string> generateFullNginxConf() const;
+
+private:
+    std::vector<std::string> expandIncludes(const std::string &includePattern) const;
+    void processConfigFile(
+        const std::string &path,
+        std::ostringstream &conf_output,
+        std::vector<std::string> &errors
+    ) const;
+
+    std::string main_conf_input_path;
+    std::string main_conf_output_path;
+    std::string main_conf_directory_path;
+};
+
+class NginxUtils : Singleton::Consume<I_ShellCmd>
+{
+public:
+    static std::string getModulesPath();
+    static std::string getMainNginxConfPath();
+    static Maybe<void> validateNginxConf(const std::string &nginx_conf_path);
+    static Maybe<void> reloadNginx(const std::string &nginx_conf_path);
+};
+
+#endif // __NGINX_UTILS_H__

components/include/orchestration_comp.h

@@ -31,6 +31,7 @@
 #include "i_environment.h"
 #include "i_tenant_manager.h"
 #include "i_package_handler.h"
+#include "i_proxy_configuration.h"
 #include "i_env_details.h"
 #include "component.h"
 
@@ -54,7 +55,8 @@ class OrchestrationComp
     Singleton::Consume<I_UpdateCommunication>,
     Singleton::Consume<I_Downloader>,
     Singleton::Consume<I_ManifestController>,
-    Singleton::Consume<I_EnvDetails>
+    Singleton::Consume<I_EnvDetails>,
+    Singleton::Consume<I_ProxyConfiguration>
 {
 public:
     OrchestrationComp();

components/include/orchestration_status.h

@@ -40,7 +40,7 @@ public:
     ~OrchestrationStatus();
 
     void init() override;
-    
+
 private:
     class Impl;
     std::unique_ptr<Impl> pimpl;

components/include/orchestrator/rest_api/get_resource_file.h

@@ -115,7 +115,7 @@ public:
             case ResourceFileType::VIRTUAL_SETTINGS: return "virtualSettings";
             case ResourceFileType::VIRTUAL_POLICY:   return "virtualPolicy";
             default:
-                dbgAssert(false) << "Unknown file type";
+                dbgAssert(false) << AlertInfo(AlertTeam::CORE, "update process") << "Unknown file type";
         }
         return std::string();
     }

components/include/package.h

@@ -56,7 +56,7 @@ private:
             if (mapped_type.second == type) return mapped_type.first;
         }
 
-        dbgAssert(false) << "Unsupported type " << static_cast<int>(type);
+        dbgAssert(false) << AlertInfo(AlertTeam::CORE, "packaging") << "Unsupported type " << static_cast<int>(type);
         // Just satisfying the compiler, this return never reached
         return std::string();
     }

components/include/package_handler.h

@@ -17,6 +17,7 @@
 #include "i_package_handler.h"
 #include "i_orchestration_tools.h"
 #include "i_shell_cmd.h"
+#include "i_environment.h"
 #include "component.h"
 
 class PackageHandler
@@ -24,7 +25,8 @@ class PackageHandler
     public Component,
     Singleton::Provide<I_PackageHandler>,
     Singleton::Consume<I_ShellCmd>,
-    Singleton::Consume<I_OrchestrationTools>
+    Singleton::Consume<I_OrchestrationTools>,
+    Singleton::Consume<I_Environment>
 {
 public:
     PackageHandler();

components/include/rate_limit.h

@@ -7,15 +7,21 @@
 #include "singleton.h"
 #include "i_mainloop.h"
 #include "i_environment.h"
+#include "i_geo_location.h"
 #include "i_generic_rulebase.h"
+#include "i_shell_cmd.h"
+#include "i_env_details.h"
 
 class RateLimit
     :
     public Component,
     Singleton::Consume<I_MainLoop>,
     Singleton::Consume<I_TimeGet>,
+    Singleton::Consume<I_GeoLocation>,
     Singleton::Consume<I_Environment>,
-    Singleton::Consume<I_GenericRulebase>
+    Singleton::Consume<I_GenericRulebase>,
+    Singleton::Consume<I_ShellCmd>,
+    Singleton::Consume<I_EnvDetails>
 {
 public:
     RateLimit();

components/include/reverse_proxy_defaults.h

@@ -7,24 +7,28 @@ static const std::string product_name = getenv("DOCKER_RPM_ENABLED") ? "CloudGua
 static const std::string default_cp_cert_file = "/etc/cp/cpCert.pem";
 static const std::string default_cp_key_file = "/etc/cp/cpKey.key";
 static const std::string default_rpm_conf_path = "/etc/cp/conf/rpmanager/";
+
 static const std::string default_certificate_path = "/etc/cp/rpmanager/certs";
+static const std::string default_manual_certs_path = "/etc/cp/rpmanager/manualCerts/";
+static const std::string default_config_path = "/etc/cp/conf/rpmanager/servers";
+static const std::string default_rpm_prepare_path = "/etc/cp/conf/rpmanager/prepare/servers";
+
+static const std::string default_nginx_log_files_path = "/var/log/nginx/";
 static const std::string default_additional_files_path = "/etc/cp/conf/rpmanager/include";
 static const std::string default_server_config = "additional_server_config.conf";
 static const std::string default_location_config = "additional_location_config.conf";
 static const std::string default_trusted_ca_suffix = "_user_ca_bundle.crt";
-static const std::string default_nginx_log_files_path = "/var/log/nginx/";
 static const std::string default_log_files_host_path = "/var/log/nano_agent/rpmanager/nginx_log/";
-static const std::string default_config_path = "/etc/cp/conf/rpmanager/servers";
 static const std::string default_template_path = "/etc/cp/conf/rpmanager/nginx-template-clear";
-static const std::string default_manual_certs_path = "/etc/cp/rpmanager/manualCerts/";
 static const std::string default_server_certificate_path = "/etc/cp/rpmanager/certs/sslCertificate_";
 static const std::string default_server_certificate_key_path = "/etc/cp/rpmanager/certs/sslPrivateKey_";
 static const std::string default_container_name = "cp_nginx_gaia";
 static const std::string default_docker_image = "cp_nginx_gaia";
 static const std::string default_nginx_config_file = "/etc/cp/conf/rpmanager/nginx.conf";
+static const std::string default_prepare_nginx_config_file = "/etc/cp/conf/rpmanager/nginx_prepare.conf";
 static const std::string default_global_conf_template = "/etc/cp/conf/rpmanager/nginx-conf-template";
 static const std::string default_nginx_config_include_file =
-    "/etc/cp/conf/rpmanager/servers/nginx_conf_include";
+    "/etc/cp/conf/rpmanager/servers/00_nginx_conf_include.conf";
 static const std::string default_global_conf_include_template =
     "/etc/cp/conf/rpmanager/nginx-conf-include-template";
 static const std::string default_global_conf_include_template_no_responses =

components/include/service_health_status.h

@@ -0,0 +1,39 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __SERVICE_HEALTH_STATUS_H__
+#define __SERVICE_HEALTH_STATUS_H__
+
+#include "singleton.h"
+#include "i_rest_api.h"
+#include "i_environment.h"
+#include "component.h"
+
+class ServiceHealthStatus
+        :
+    public Component,
+    Singleton::Consume<I_RestApi>,
+    Singleton::Consume<I_Environment>
+{
+public:
+    ServiceHealthStatus();
+    ~ServiceHealthStatus();
+
+    void init() override;
+
+private:
+    class Impl;
+    std::unique_ptr<Impl> pimpl;
+};
+
+#endif // __SERVICE_HEALTH_STATUS_H__

components/include/telemetry.h

@@ -30,6 +30,7 @@
 #include "generic_metric.h"
 
 #define LOGGING_INTERVAL_IN_MINUTES 10
+USE_DEBUG_FLAG(D_WAAP);
 enum class AssetType { API, WEB, ALL, COUNT };
 
 class WaapTelemetryEvent : public Event<WaapTelemetryEvent>
@@ -132,6 +133,7 @@ private:
         std::map<std::string, std::shared_ptr<T>>& telemetryMap
     ) {
         if (!telemetryMap.count(asset_id)) {
+            dbgTrace(D_WAAP) << "creating telemetry data for asset: " << data.assetName;
             telemetryMap.emplace(asset_id, std::make_shared<T>());
             telemetryMap[asset_id]->init(
                 telemetryName,
@@ -139,7 +141,9 @@ private:
                 ReportIS::IssuingEngine::AGENT_CORE,
                 std::chrono::minutes(LOGGING_INTERVAL_IN_MINUTES),
                 true,
-                ReportIS::Audience::SECURITY
+                ReportIS::Audience::SECURITY,
+                false,
+                asset_id
             );
 
             telemetryMap[asset_id]->template registerContext<std::string>(
@@ -152,29 +156,30 @@ private:
                 std::string("Web Application"),
                 EnvKeyAttr::LogSection::SOURCE
             );
-            telemetryMap[asset_id]->template registerContext<std::string>(
-                "assetId",
-                asset_id,
-                EnvKeyAttr::LogSection::SOURCE
-            );
-            telemetryMap[asset_id]->template registerContext<std::string>(
-                "assetName",
-                data.assetName,
-                EnvKeyAttr::LogSection::SOURCE
-            );
-            telemetryMap[asset_id]->template registerContext<std::string>(
-                "practiceId",
-                data.practiceId,
-                EnvKeyAttr::LogSection::SOURCE
-            );
-            telemetryMap[asset_id]->template registerContext<std::string>(
-                "practiceName",
-                data.practiceName,
-                EnvKeyAttr::LogSection::SOURCE
-            );
-
             telemetryMap[asset_id]->registerListener();
         }
+        dbgTrace(D_WAAP) << "updating telemetry data for asset: " << data.assetName;
+
+        telemetryMap[asset_id]->template registerContext<std::string>(
+            "assetId",
+            asset_id,
+            EnvKeyAttr::LogSection::SOURCE
+        );
+        telemetryMap[asset_id]->template registerContext<std::string>(
+            "assetName",
+            data.assetName,
+            EnvKeyAttr::LogSection::SOURCE
+        );
+        telemetryMap[asset_id]->template registerContext<std::string>(
+            "practiceId",
+            data.practiceId,
+            EnvKeyAttr::LogSection::SOURCE
+        );
+        telemetryMap[asset_id]->template registerContext<std::string>(
+            "practiceName",
+            data.practiceName,
+            EnvKeyAttr::LogSection::SOURCE
+        );
     }
 };
 

components/include/url_parser.h

@@ -35,8 +35,10 @@ public:
     bool isOverSSL() const { return over_ssl; }
     std::string getPort() const { return port; }
     std::string getQuery() const { return query; }
+    std::string getHost() const;
     URLProtocol getProtocol() const { return protocol; }
     std::string toString() const;
+    void setHost(const std::string &new_host);
     void setQuery(const std::string &new_query);
 
 private:
@@ -47,6 +49,7 @@ private:
     std::string base_url;
     std::string port;
     std::string query;
+    std::string host;
     URLProtocol protocol;
 };
 

components/include/user_identifiers_config.h

@@ -58,7 +58,7 @@ private:
         const std::string::const_iterator &end,
         const std::string &key) const;
     Buffer extractKeyValueFromCookie(const std::string &cookie_value, const std::string &key) const;
-    Maybe<std::string> parseXForwardedFor(const std::string &str) const;
+    Maybe<std::string> parseXForwardedFor(const std::string &str, ExtractType type) const;
 
     std::vector<UsersIdentifiersConfig> user_identifiers;
 };

components/include/waap.h

@@ -33,6 +33,9 @@ class I_WaapAssetStatesManager;
 class I_Messaging;
 class I_AgentDetails;
 class I_Encryptor;
+class I_WaapModelResultLogger;
+
+const std::string WAAP_APPLICATION_NAME = "waap application";
 
 class WaapComponent
         :
@@ -48,7 +51,8 @@ class WaapComponent
     Singleton::Consume<I_AgentDetails>,
     Singleton::Consume<I_Messaging>,
     Singleton::Consume<I_Encryptor>,
-    Singleton::Consume<I_Environment>
+    Singleton::Consume<I_Environment>,
+    Singleton::Consume<I_WaapModelResultLogger>
 {
 public:
     WaapComponent();

components/nginx_message_reader/CMakeLists.txt

@@ -0,0 +1,3 @@
+link_directories(${BOOST_ROOT}/lib)
+
+add_library(nginx_message_reader nginx_message_reader.cc)

components/nginx_message_reader/nginx_message_reader.cc

@@ -0,0 +1,735 @@
+#include "nginx_message_reader.h"
+
+#include <string>
+#include <boost/regex.hpp>
+#include <boost/algorithm/string.hpp>
+#include <boost/algorithm/string/regex.hpp>
+
+#include "config.h"
+#include "singleton.h"
+#include "i_mainloop.h"
+#include "enum_array.h"
+#include "log_generator.h"
+#include "maybe_res.h"
+#include "http_transaction_data.h"
+#include "generic_rulebase/rulebase_config.h"
+#include "generic_rulebase/evaluators/asset_eval.h"
+#include "generic_rulebase/triggers_config.h"
+#include "agent_core_utilities.h"
+#include "rate_limit_config.h"
+
+USE_DEBUG_FLAG(D_NGINX_MESSAGE_READER);
+
+using namespace std;
+
+static const string syslog_regex_string = (
+    "<[0-9]+>([A-Z][a-z][a-z]\\s{1,2}\\d{1,2}\\s\\d{2}"
+    "[:]\\d{2}[:]\\d{2})\\s([\\w][\\w\\d\\.@-]*)\\s(nginx:)"
+);
+
+static const boost::regex socket_address_regex("(\\d+\\.\\d+\\.\\d+\\.\\d+):(\\d+)");
+static const boost::regex syslog_regex(syslog_regex_string);
+static const boost::regex alert_log_regex(
+    "("
+    + syslog_regex_string + ") "
+    + "(.+?\\[alert\\] )(.+?)"
+    ", (client: .+?)"
+    ", (server: .+?)"
+    ", (request: \".+?\")"
+    ", (upstream: \".+?\")"
+    ", (host: \".+?\")$"
+);
+
+static const boost::regex error_log_regex(
+    "("
+    + syslog_regex_string + ") "
+    + "(.+?\\[error\\] )(.+?)"
+    ", (client: .+?)"
+    ", (server: .+?)"
+    ", (request: \".+?\")"
+    ", (upstream: \".+?\")"
+    ", (host: \".+?\")$"
+);
+
+static const boost::regex server_regex("(\\d+\\.\\d+\\.\\d+\\.\\d+)|(\\w+\\.\\w+)");
+static const boost::regex uri_regex("^/");
+static const boost::regex port_regex("\\d+");
+static const boost::regex response_code_regex("[0-9]{3}");
+static const boost::regex http_method_regex("[A-Za-z]+");
+
+class NginxMessageReader::Impl
+{
+public:
+    void
+    init()
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER);
+        I_MainLoop *mainloop = Singleton::Consume<I_MainLoop>::by<NginxMessageReader>();
+        mainloop->addOneTimeRoutine(
+            I_MainLoop::RoutineType::System,
+            [this] ()
+            {
+                initSyslogServerSocket();
+                handleNginxLogs();
+            },
+            "Initialize nginx syslog",
+            true
+        );
+    }
+
+    void
+    preload()
+    {
+        registerConfigLoadCb([this]() { loadNginxMessageReaderConfig(); });
+    }
+
+    void
+    fini()
+    {
+        I_Socket *i_socket = Singleton::Consume<I_Socket>::by<NginxMessageReader>();
+        i_socket->closeSocket(syslog_server_socket);
+    }
+
+    void
+    loadNginxMessageReaderConfig()
+    {
+        rate_limit_status_code = getProfileAgentSettingWithDefault<string>(
+            "429",
+            "accessControl.rateLimit.returnCode"
+        );
+        dbgTrace(D_NGINX_MESSAGE_READER) << "Selected rate-limit status code: " << rate_limit_status_code;
+    }
+
+private:
+    enum class LogInfo {
+        HTTP_METHOD,
+        URI,
+        RESPONSE_CODE,
+        HOST,
+        SOURCE,
+        DESTINATION_IP,
+        DESTINATION_PORT,
+        EVENT_MESSAGE,
+        ASSET_ID,
+        ASSET_NAME,
+        RULE_NAME,
+        RULE_ID,
+        COUNT
+    };
+
+    void
+    initSyslogServerSocket()
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER);
+        I_MainLoop *mainloop = Singleton::Consume<I_MainLoop>::by<NginxMessageReader>();
+        I_Socket *i_socket = Singleton::Consume<I_Socket>::by<NginxMessageReader>();
+        string nginx_syslog_server_address = getProfileAgentSettingWithDefault<string>(
+            "127.0.0.1:1514",
+            "reverseProxy.nginx.syslogAddress"
+        );
+        dbgInfo(D_NGINX_MESSAGE_READER) << "Attempting to open a socket: " << nginx_syslog_server_address;
+        do {
+            Maybe<I_Socket::socketFd> new_socket = i_socket->genSocket(
+                I_Socket::SocketType::UDP,
+                false,
+                true,
+                nginx_syslog_server_address
+            );
+            if (!new_socket.ok()) {
+                dbgError(D_NGINX_MESSAGE_READER) << "Failed to open a socket. Error: " << new_socket.getErr();
+                mainloop->yield(chrono::milliseconds(500));
+                continue;
+            }
+
+            if (new_socket.unpack() < 0) {
+                dbgError(D_NGINX_MESSAGE_READER)<< "Generated socket is OK yet negative";
+                mainloop->yield(chrono::milliseconds(500));
+                continue;
+            }
+            syslog_server_socket = new_socket.unpack();
+            dbgInfo(D_NGINX_MESSAGE_READER)
+                << "Opened socket for nginx logs over syslog. Socket: "
+                << syslog_server_socket;
+        } while (syslog_server_socket < 0);
+    }
+
+    void
+    handleNginxLogs()
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER);
+        I_MainLoop::Routine read_logs =
+        [this] ()
+        {
+            Maybe<string> logs = getLogsFromSocket(syslog_server_socket);
+
+            if (!logs.ok()) {
+                dbgWarning(D_NGINX_MESSAGE_READER)
+                    << "Failed to get NGINX logs from the socket. Error: "
+                    << logs.getErr();
+                return;
+            }
+            string raw_logs_to_parse = logs.unpackMove();
+            vector<string> logs_to_parse = separateLogs(raw_logs_to_parse);
+
+            for (auto const &log: logs_to_parse) {
+                bool log_sent;
+                if (isAccessLog(log)) {
+                    log_sent = sendAccessLog(log);
+                } else if (isAlertErrorLog(log) || isErrorLog(log)) {
+                    log_sent = sendErrorLog(log);
+                } else {
+                    dbgWarning(D_NGINX_MESSAGE_READER) << "Unexpected nginx log format";
+                    continue;
+                }
+                if (!log_sent) {
+                    dbgWarning(D_NGINX_MESSAGE_READER) << "Failed to send Log to Infinity Portal";
+                } else {
+                    dbgTrace(D_NGINX_MESSAGE_READER) << "Succesfully sent nginx log to Infinity Portal";
+                }
+            }
+        };
+        I_MainLoop *mainloop = Singleton::Consume<I_MainLoop>::by<NginxMessageReader>();
+        mainloop->addFileRoutine(
+            I_MainLoop::RoutineType::RealTime,
+            syslog_server_socket,
+            read_logs,
+            "Process nginx logs",
+            true
+        );
+    }
+
+    bool
+    sendAccessLog(const string &log)
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER) << "Access log" << log;
+        Maybe<EnumArray<LogInfo, string>> log_info = parseAccessLog(log);
+        if (!log_info.ok()) {
+            dbgWarning(D_NGINX_MESSAGE_READER)
+                << "Failed parsing the NGINX logs. Error: "
+                << log_info.getErr();
+            return false;
+        }
+        auto unpacked_log_info = log_info.unpack();
+
+        if (unpacked_log_info[LogInfo::RESPONSE_CODE] == rate_limit_status_code) {
+            return sendRateLimitLog(unpacked_log_info);
+        }
+        return sendLog(unpacked_log_info);
+    }
+
+    bool
+    sendErrorLog(const string &log)
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER) << "Error log" << log;
+        Maybe<EnumArray<LogInfo, string>> log_info = parseErrorLog(log);
+        if (!log_info.ok()) {
+            dbgWarning(D_NGINX_MESSAGE_READER)
+                << "Failed parsing the NGINX logs. Error: "
+                << log_info.getErr();
+            return false;
+        }
+        return sendLog(log_info.unpack());
+    }
+
+    bool
+    isAccessLog(const string &log) const
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER) << "Chekck if string contains \"accessLog\"" << log;
+        return log.find("accessLog") != string::npos;
+    }
+
+    bool
+    isAlertErrorLog(const string &log) const
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER) << "Check if log is of type 'error log'. Log: " << log;
+        return log.find("[alert]") != string::npos;
+    }
+
+    bool
+    isErrorLog(const string &log) const
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER) << "Check if log is of type 'error log'. Log: " << log;
+        return log.find("[error]") != string::npos;
+    }
+
+    bool
+    sendLog(const EnumArray<LogInfo, string> &log_info)
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER);
+        string event_name;
+        switch (log_info[LogInfo::RESPONSE_CODE][0]) {
+            case '4': {
+                event_name = "Invalid request or incorrect reverse proxy configuration - Request dropped."
+                " Please check the reverse proxy configuration of your relevant assets";
+                break;
+            }
+            case '5': {
+                event_name = "AppSec Gateway reverse proxy error - Request dropped. "
+                "Please verify the reverse proxy configuration of your relevant assets. "
+                "If the issue persists please contact Check Point Support";
+                break;
+            }
+            default: {
+                dbgError(D_NGINX_MESSAGE_READER) << "Irrelevant status code";
+                return false;
+            }
+        }
+
+        dbgTrace(D_NGINX_MESSAGE_READER)
+            << "Nginx log's event name and response code: "
+            << event_name
+            << ", "
+            << log_info[LogInfo::RESPONSE_CODE];
+        LogGen log(
+            event_name,
+            ReportIS::Audience::SECURITY,
+            ReportIS::Severity::INFO,
+            ReportIS::Priority::LOW,
+            ReportIS::Tags::REVERSE_PROXY
+        );
+        log << LogField("eventConfidence", "High");
+
+        for (LogInfo field : makeRange<LogInfo>()) {
+            Maybe<string> string_field = convertLogFieldToString(field);
+            if (!string_field.ok()) {
+                dbgDebug(D_NGINX_MESSAGE_READER) << "Enum field was not converted: " <<  string_field.getErr();
+                return false;
+            }
+
+            if (field != LogInfo::DESTINATION_PORT) {
+                log << LogField(string_field.unpack(), log_info[field]);
+                continue;
+            }
+
+            try {
+                log << LogField(string_field.unpack(), stoi(log_info[field]));
+            } catch (const exception &e) {
+                dbgError(D_NGINX_MESSAGE_READER)
+                    << "Unable to convert port to numeric value: "
+                    << e.what();
+                log << LogField(string_field.unpack(), 0);
+            }
+        }
+        return true;
+    }
+
+    bool
+    sendRateLimitLog(const EnumArray<LogInfo, string> &log_info)
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER) << "Getting rate-limit rules of asset ID: " << log_info[LogInfo::ASSET_ID];
+
+        ScopedContext rate_limit_ctx;
+
+        rate_limit_ctx.registerValue<GenericConfigId>(AssetMatcher::ctx_key, log_info[LogInfo::ASSET_ID]);
+        auto rate_limit_config = getConfiguration<RateLimitConfig>("rulebase", "rateLimit");
+        if (!rate_limit_config.ok()) {
+            dbgTrace(D_NGINX_MESSAGE_READER)
+                << "Rate limit context does not match asset ID: " << log_info[LogInfo::ASSET_ID];
+            return false;
+        }
+        RateLimitConfig unpacked_rate_limit_config = rate_limit_config.unpack();
+
+        string nginx_uri = log_info[LogInfo::URI];
+        const LogTriggerConf &rate_limit_trigger = unpacked_rate_limit_config.getRateLimitTrigger(nginx_uri);
+
+        dbgTrace(D_NGINX_MESSAGE_READER)<< "About to generate NGINX rate-limit log";
+
+        string event_name = "Rate limit";
+        string security_action = "Drop";
+        bool is_log_required = false;
+
+        // Prevent events checkbox (in triggers)
+        if (rate_limit_trigger.isPreventLogActive(LogTriggerConf::SecurityType::AccessControl)) {
+            is_log_required = true;
+        }
+
+        if (!is_log_required) {
+            dbgTrace(D_NGINX_MESSAGE_READER) << "Not sending NGINX rate-limit log as it is not required";
+            return false;
+        }
+
+        ostringstream src_ip;
+        ostringstream dst_ip;
+        src_ip << log_info[LogInfo::SOURCE];
+        dst_ip << log_info[LogInfo::DESTINATION_IP];
+
+        ReportIS::Severity log_severity = ReportIS::Severity::MEDIUM;
+        ReportIS::Priority log_priority = ReportIS::Priority::MEDIUM;
+
+        LogGen log = rate_limit_trigger(
+            event_name,
+            LogTriggerConf::SecurityType::AccessControl,
+            log_severity,
+            log_priority,
+            true, // is drop
+            LogField("practiceType", "Rate Limit"),
+            ReportIS::Tags::RATE_LIMIT
+        );
+
+        for (LogInfo field : makeRange<LogInfo>()) {
+            Maybe<string> string_field = convertLogFieldToString(field);
+            if (!string_field.ok()) {
+                dbgDebug(D_NGINX_MESSAGE_READER) << "Enum field was not converted: " <<  string_field.getErr();
+                return false;
+            }
+            
+            if (
+                field == LogInfo::HOST ||
+                field == LogInfo::URI ||
+                field == LogInfo::HTTP_METHOD ||
+                field == LogInfo::SOURCE ||
+                field == LogInfo::DESTINATION_IP ||
+                field == LogInfo::ASSET_ID ||
+                field == LogInfo::ASSET_NAME ||
+                field == LogInfo::RESPONSE_CODE
+            ) {
+                if (!log_info[field].empty()) {
+                    log << LogField(string_field.unpack(), log_info[field]);
+                    continue;
+                }
+            }
+
+            if (field == LogInfo::DESTINATION_PORT) {
+                try {
+                    int numeric_dst_port = stoi(log_info[field]);
+                    log << LogField(string_field.unpack(), numeric_dst_port);
+                } catch (const exception &e) {
+                    dbgWarning(D_NGINX_MESSAGE_READER)
+                        << "Unable to convert dst port: "
+                        << log_info[field]
+                        << " to numberic value. Error: "
+                        << e.what();
+                }
+            }
+        }
+
+        return true;
+    }
+
+    Maybe<string>
+    convertLogFieldToString(LogInfo field)
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER);
+        switch (field) {
+            case LogInfo::HTTP_METHOD:
+                return string("httpMethod");
+            case LogInfo::URI:
+                return string("httpUriPath");
+            case LogInfo::RESPONSE_CODE:
+                return string("httpResponseCode");
+            case LogInfo::HOST:
+                return string("httpHostName");
+            case LogInfo::SOURCE:
+                return string("httpSourceId");
+            case LogInfo::DESTINATION_IP:
+                return string("destinationIp");
+            case LogInfo::DESTINATION_PORT:
+                return string("destinationPort");
+            case LogInfo::ASSET_ID:
+                return string("assetId");
+            case LogInfo::ASSET_NAME:
+                return string("assetName");
+            case LogInfo::EVENT_MESSAGE:
+                return string("httpResponseBody");
+            case LogInfo::RULE_ID:
+                return string("ruleId");
+            case LogInfo::RULE_NAME:
+                return string("ruleName");
+            case LogInfo::COUNT:
+                dbgError(D_NGINX_MESSAGE_READER) << "LogInfo::COUNT is not allowed";
+                return genError("LogInfo::COUNT is not allowed");
+        }
+        dbgError(D_NGINX_MESSAGE_READER) << "No Enum found, int value: " << static_cast<int>(field);
+        return genError("No Enum found");
+    }
+
+    static vector<string>
+    separateLogs(const string &raw_logs_to_parse)
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER) << "separating logs. logs: " << raw_logs_to_parse;
+        dbgTrace(D_NGINX_MESSAGE_READER) << "separateLogs start of function. Logs to parse: " << raw_logs_to_parse;
+        boost::smatch matcher;
+        vector<string> logs;
+
+        if (raw_logs_to_parse.empty()) return logs;
+
+        size_t pos = 0;
+        while (NGEN::Regex::regexSearch(__FILE__, __LINE__, raw_logs_to_parse.substr(pos), matcher, syslog_regex)) {
+            if (pos == 0) {
+                dbgTrace(D_NGINX_MESSAGE_READER) << "separateLogs pos = 0";
+                pos++;
+                continue;
+            }
+            auto log_length = matcher.position();
+            logs.push_back(raw_logs_to_parse.substr(pos - 1, log_length));
+
+            pos += log_length + 1;
+        }
+        logs.push_back(raw_logs_to_parse.substr(pos - 1));
+        dbgTrace(D_NGINX_MESSAGE_READER) << "separateLogs end of function";
+
+        return logs;
+    }
+
+    static pair<string, string>
+    parseErrorLogRequestField(const string &request)
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER) << "parsing request field. request: " << request;
+        string formatted_request = request;
+        vector<string> result;
+        boost::erase_all(formatted_request, "\"");
+        boost::erase_all(formatted_request, "\n");
+        boost::split(result, formatted_request, boost::is_any_of(" "), boost::token_compress_on);
+
+        const int http_method_index = 1;
+        const int uri_index = 2;
+        return pair<string, string>(result[http_method_index], result[uri_index]);
+    }
+
+    static string
+    parseErrorLogField(const string &field)
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER) << "parsing error log field " << field;
+        string formatted_field = field;
+        vector<string> result;
+        boost::erase_all(formatted_field, "\"");
+        boost::erase_all(formatted_field, "\n");
+        boost::split(result, formatted_field, boost::is_any_of(" "), boost::token_compress_on);
+
+        const int field_index = 1;
+        return result[field_index];
+    }
+
+    void
+    addContextFieldsToLogInfo(EnumArray<LogInfo, string> &log_info)
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER);
+        ScopedContext ctx;
+
+        try {
+            ctx.registerValue<uint16_t>(
+                HttpTransactionData::listening_port_ctx,
+                static_cast<uint16_t>(stoi(log_info[LogInfo::DESTINATION_PORT]))
+            );
+        } catch (const exception &e) {
+            dbgError(D_NGINX_MESSAGE_READER) << "Failed register values for context " << e.what();
+        }
+        ctx.registerValue<string>(HttpTransactionData::host_name_ctx, log_info[LogInfo::HOST]);
+        ctx.registerValue<string>(HttpTransactionData::uri_ctx, log_info[LogInfo::URI]);
+        auto rule_by_ctx = getConfiguration<BasicRuleConfig>("rulebase", "rulesConfig");
+        if (!rule_by_ctx.ok()) {
+            dbgWarning(D_NGINX_MESSAGE_READER)
+                << "AssetId was not found by the given context. Reason: "
+                << rule_by_ctx.getErr();
+            return;
+        }
+
+        BasicRuleConfig context = rule_by_ctx.unpack();
+        log_info[LogInfo::ASSET_ID] = context.getAssetId();
+        log_info[LogInfo::ASSET_NAME] = context.getAssetName();
+        log_info[LogInfo::RULE_ID] = context.getRuleId();
+        log_info[LogInfo::RULE_NAME] = context.getRuleName();
+    }
+
+    Maybe<EnumArray<LogInfo, string>>
+    parseErrorLog(const string &log_line)
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER) << "Handling log line:" << log_line;
+        string port;
+        EnumArray<LogInfo, string> log_info(EnumArray<LogInfo, string>::Fill(), string(""));
+
+        boost::smatch matcher;
+        vector<string> result;
+        if (
+            !NGEN::Regex::regexSearch(
+                __FILE__,
+                __LINE__,
+                log_line,
+                matcher,
+                isAlertErrorLog(log_line) ? alert_log_regex : error_log_regex
+            )
+        ) {
+            dbgWarning(D_NGINX_MESSAGE_READER) << "Unexpected nginx log format";
+            return genError("Unexpected nginx log format");
+        }
+
+        const int event_message_index = 6;
+        const int source_index = 7;
+        const int request_index = 9;
+        const int host_index = 11;
+        string host = string(matcher[host_index].first, matcher[host_index].second);
+        string source = string(matcher[source_index].first, matcher[source_index].second);
+        string event_message = string(matcher[event_message_index].first, matcher[event_message_index].second);
+        string request = string(matcher[request_index].first, matcher[request_index].second);
+
+        host = parseErrorLogField(host);
+        source = parseErrorLogField(source);
+        pair<string, string> parsed_request = parseErrorLogRequestField(request);
+        string http_method = parsed_request.first;
+        string uri = parsed_request.second;
+
+        if (NGEN::Regex::regexSearch(__FILE__, __LINE__, host, matcher, socket_address_regex)) {
+            int host_index = 1;
+            int port_index = 2;
+            host = string(matcher[host_index].first, matcher[host_index].second);
+            port = string(matcher[port_index].first, matcher[port_index].second);
+        } else if (NGEN::Regex::regexSearch(__FILE__, __LINE__, host, matcher, boost::regex("https://"))) {
+            port = "443";
+        } else {
+            port = "80";
+        }
+
+        log_info[LogInfo::HOST] = host;
+        log_info[LogInfo::URI] = uri;
+        log_info[LogInfo::RESPONSE_CODE] = "500";
+        log_info[LogInfo::HTTP_METHOD] = http_method;
+        log_info[LogInfo::SOURCE] = source;
+        log_info[LogInfo::DESTINATION_IP] = host;
+        log_info[LogInfo::DESTINATION_PORT] = port;
+        log_info[LogInfo::EVENT_MESSAGE] = event_message;
+
+        addContextFieldsToLogInfo(log_info);
+
+        if (!validateLog(log_info)) {
+            dbgWarning(D_NGINX_MESSAGE_READER) << "Unexpected nginx log format";
+            return genError("Unexpected nginx log format");
+        }
+
+        return log_info;
+    }
+
+    Maybe<EnumArray<LogInfo, string>>
+    parseAccessLog(const string &log_line)
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER) << "Parsing log line: " << log_line;
+        string formatted_log = log_line;
+        EnumArray<LogInfo, string> log_info(EnumArray<LogInfo, string>::Fill(), string(""));
+        vector<string> result;
+        boost::erase_all(formatted_log, "\"");
+        boost::erase_all(formatted_log, "\n");
+        boost::split(result, formatted_log, boost::is_any_of(" "), boost::token_compress_on);
+
+        const int valid_log_size = 20;
+
+        if (result.size() < valid_log_size) {
+            dbgWarning(D_NGINX_MESSAGE_READER) << "Unexpected nginx log format";
+            return genError("Unexpected nginx log format");
+        }
+
+        const int host_index = 6;
+        const int host_port_index = 7;
+        const int http_method_index = 13;
+        const int uri_index = 14;
+        const int response_cod_index = 16;
+        const int source_index = 8;
+
+        log_info[LogInfo::HOST] = result[host_index];
+        log_info[LogInfo::URI] = result[uri_index];
+        log_info[LogInfo::RESPONSE_CODE] = result[response_cod_index];
+        log_info[LogInfo::HTTP_METHOD] = result[http_method_index];
+        log_info[LogInfo::SOURCE] = result[source_index];
+        log_info[LogInfo::DESTINATION_IP] = result[host_index];
+        log_info[LogInfo::DESTINATION_PORT] = result[host_port_index];
+        log_info[LogInfo::EVENT_MESSAGE] = "Invalid request or incorrect reverse proxy configuration - "
+        "Request dropped. Please check the reverse proxy configuration of your relevant assets";
+
+        addContextFieldsToLogInfo(log_info);
+
+        if (!validateLog(log_info)) {
+            dbgWarning(D_NGINX_MESSAGE_READER) << "Unexpected nginx log format";
+            return genError("Unexpected nginx log format");
+        }
+        return log_info;
+    }
+
+    static bool
+    validateLog(const EnumArray<LogInfo, string> &log_info)
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER);
+
+        boost::smatch matcher;
+        if (!NGEN::Regex::regexSearch(__FILE__, __LINE__, log_info[LogInfo::HOST], matcher, server_regex)) {
+            dbgTrace(D_NGINX_MESSAGE_READER) << "Could not validate server (Host): " << log_info[LogInfo::HOST];
+            return false;
+        }
+        if (!NGEN::Regex::regexSearch(__FILE__, __LINE__, log_info[LogInfo::URI], matcher, uri_regex)) {
+            dbgTrace(D_NGINX_MESSAGE_READER) << "Could not validate Uri: " << log_info[LogInfo::URI];
+            return false;
+        }
+
+        if (
+            !NGEN::Regex::regexSearch(
+                __FILE__,
+                __LINE__,
+                log_info[LogInfo::RESPONSE_CODE],
+                matcher, response_code_regex
+            )
+        ) {
+            dbgTrace(D_NGINX_MESSAGE_READER)
+                << "Could not validate response code: "
+                << log_info[LogInfo::RESPONSE_CODE];
+            return false;
+        }
+
+        if (
+            !NGEN::Regex::regexSearch(__FILE__, __LINE__, log_info[LogInfo::HTTP_METHOD], matcher, http_method_regex)
+        ) {
+            dbgTrace(D_NGINX_MESSAGE_READER) << "Could not validate HTTP method: " << log_info[LogInfo::HTTP_METHOD];
+            return false;
+        }
+
+        if (!NGEN::Regex::regexSearch(__FILE__, __LINE__, log_info[LogInfo::DESTINATION_PORT], matcher, port_regex)) {
+            dbgTrace(D_NGINX_MESSAGE_READER)
+                << "Could not validate destination port : "
+                << log_info[LogInfo::DESTINATION_PORT];
+            return false;
+        }
+
+        if (!NGEN::Regex::regexSearch(__FILE__, __LINE__, log_info[LogInfo::SOURCE], matcher, server_regex)) {
+            dbgTrace(D_NGINX_MESSAGE_READER) << "Could not validate source : " << log_info[LogInfo::SOURCE];
+            return false;
+        }
+
+        return true;
+    }
+
+    Maybe<string>
+    getLogsFromSocket(const I_Socket::socketFd &client_socket) const
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER) << "Reading logs from socket. fd: " << client_socket;
+        I_Socket *i_socket = Singleton::Consume<I_Socket>::by<NginxMessageReader>();
+        Maybe<vector<char>> raw_log_data = i_socket->receiveData(client_socket, 0, false);
+        if (!raw_log_data.ok()) {
+            dbgWarning(D_NGINX_MESSAGE_READER) << "Error receiving data from socket";
+            return genError("Error receiving data from socket");
+        }
+
+        string raw_log(raw_log_data.unpack().begin(), raw_log_data.unpack().end());
+        return move(raw_log);
+    }
+
+    I_Socket::socketFd syslog_server_socket = -1;
+    string rate_limit_status_code = "429";
+};
+
+NginxMessageReader::NginxMessageReader() : Component("NginxMessageReader"), pimpl(make_unique<Impl>()) {}
+
+NginxMessageReader::~NginxMessageReader() {}
+
+void
+NginxMessageReader::init()
+{
+    pimpl->init();
+}
+
+void
+NginxMessageReader::preload()
+{
+    pimpl->preload();
+}
+
+void
+NginxMessageReader::fini()
+{
+    pimpl->fini();
+}

components/packet/packet.cc

@@ -563,7 +563,10 @@ Packet::parsePacket(PktType type, IPType proto)
             return parseFromL3v6();
         }
         default: {
-            dbgAssert(false) << "Unknown (neither IPv4, nor IPv6), or uninitialized packet type: " << proto;
+            dbgAssert(false)
+                << AlertInfo(AlertTeam::CORE, "packet")
+                << "Unknown (neither IPv4, nor IPv6), or uninitialized packet type: "
+                << proto;
         }
     }
 

components/pending_key/pending_key.cc

@@ -43,7 +43,9 @@ PendingKey::print(ostream &os) const
 size_t
 PendingKey::hash() const
 {
-    dbgAssert(src.type != IPType::UNINITIALIZED) << "PendingKey::hash was called on an uninitialized object";
+    dbgAssert(src.type != IPType::UNINITIALIZED)
+        << AlertInfo(AlertTeam::CORE, "pending key")
+        << "PendingKey::hash was called on an uninitialized object";
     size_t seed = 0;
     hashCombine(seed, static_cast<u_char>(src.type));
     hashCombine(seed, src.proto);

components/report_messaging/report_messaging_ut/CMakeLists.txt

@@ -1,3 +0,0 @@
-link_directories(${BOOST_ROOT}/lib)
-
-add_unit_test(report_messaging_ut "report_messaging_ut.cc" "report_messaging;report;messaging;singleton;-lboost_regex")

components/security_apps/CMakeLists.txt

@@ -5,3 +5,4 @@ add_subdirectory(local_policy_mgmt_gen)
 add_subdirectory(orchestration)
 add_subdirectory(rate_limit)
 add_subdirectory(waap)
+add_subdirectory(central_nginx_manager)

components/security_apps/central_nginx_manager/CMakeLists.txt

@@ -0,0 +1,3 @@
+include_directories(include)
+
+add_library(central_nginx_manager central_nginx_manager.cc lets_encrypt_listener.cc)

components/security_apps/central_nginx_manager/central_nginx_manager.cc

@@ -0,0 +1,418 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "central_nginx_manager.h"
+#include "lets_encrypt_listener.h"
+
+#include <string>
+#include <vector>
+#include <cereal/external/base64.hpp>
+
+#include "debug.h"
+#include "config.h"
+#include "rest.h"
+#include "log_generator.h"
+#include "nginx_utils.h"
+#include "agent_core_utilities.h"
+
+using namespace std;
+
+USE_DEBUG_FLAG(D_NGINX_MANAGER);
+
+class CentralNginxConfig
+{
+public:
+    void load(cereal::JSONInputArchive &ar)
+    {
+        try {
+            string nginx_conf_base64;
+            ar(cereal::make_nvp("id", file_id));
+            ar(cereal::make_nvp("name", file_name));
+            ar(cereal::make_nvp("data", nginx_conf_base64));
+            nginx_conf_content = cereal::base64::decode(nginx_conf_base64);
+            central_nginx_conf_path = getCentralNginxConfPath();
+            shared_config_path = getSharedConfigPath();
+            if (!nginx_conf_content.empty()) configureCentralNginx();
+        } catch (const cereal::Exception &e) {
+            dbgDebug(D_NGINX_MANAGER) << "Could not load Central Management Config JSON. Error: " << e.what();
+            ar.setNextName(nullptr);
+        }
+    }
+
+    const string & getFileId() const { return file_id; }
+    const string & getFileName() const { return file_name; }
+    const string & getFileContent() const { return nginx_conf_content; }
+
+    static string
+    getCentralNginxConfPath()
+    {
+        string central_nginx_conf_path = getProfileAgentSettingWithDefault<string>(
+            string("/tmp/central_nginx.conf"),
+            "centralNginxManagement.confDownloadPath"
+        );
+        dbgInfo(D_NGINX_MANAGER) << "Central NGINX configuration path: " << central_nginx_conf_path;
+
+        return central_nginx_conf_path;
+    }
+
+    static string
+    getSharedConfigPath()
+    {
+        string central_shared_conf_path = getConfigurationWithDefault<string>(
+            "/etc/cp/conf",
+            "Config Component",
+            "configuration path"
+        );
+        central_shared_conf_path += "/centralNginxManager/shared/central_nginx_shared.conf";
+        dbgInfo(D_NGINX_MANAGER) << "Shared NGINX configuration path: " << central_shared_conf_path;
+
+        return central_shared_conf_path;
+    }
+
+private:
+    void
+    loadAttachmentModule()
+    {
+        string attachment_module_path = NginxUtils::getModulesPath() + "/ngx_cp_attachment_module.so";
+        if (!NGEN::Filesystem::exists(attachment_module_path)) {
+            dbgTrace(D_NGINX_MANAGER) << "Attachment module " << attachment_module_path << " does not exist";
+            return;
+        }
+
+        string attachment_module_conf = "load_module " + attachment_module_path + ";";
+        if (nginx_conf_content.find(attachment_module_conf) != string::npos) {
+            dbgTrace(D_NGINX_MANAGER) << "Attachment module " << attachment_module_path << " already loaded";
+            return;
+        }
+
+        nginx_conf_content = attachment_module_conf + "\n" + nginx_conf_content;
+    }
+
+    Maybe<void>
+    loadSharedDirective(const string &directive)
+    {
+        dbgFlow(D_NGINX_MANAGER) << "Loading shared directive into the servers " << directive;
+
+        if (!NGEN::Filesystem::copyFile(shared_config_path, shared_config_path + ".bak", true)) {
+            return genError("Could not create a backup of the shared NGINX configuration file");
+        }
+
+        ifstream shared_config(shared_config_path);
+        if (!shared_config.is_open()) {
+            return genError("Could not open shared NGINX configuration file");
+        }
+
+        string shared_config_content((istreambuf_iterator<char>(shared_config)), istreambuf_iterator<char>());
+        shared_config.close();
+
+        if (shared_config_content.find(directive) != string::npos) {
+            dbgTrace(D_NGINX_MANAGER) << "Shared directive " << directive << " already loaded";
+            return {};
+        }
+
+        ofstream new_shared_config(shared_config_path, ios::app);
+        if (!new_shared_config.is_open()) {
+            return genError("Could not open shared NGINX configuration file");
+        }
+
+        dbgTrace(D_NGINX_MANAGER) << "Adding shared directive " << directive;
+        new_shared_config << directive << "\n";
+        new_shared_config.close();
+
+        auto validation = NginxUtils::validateNginxConf(central_nginx_conf_path);
+        if (!validation.ok()) {
+            if (!NGEN::Filesystem::copyFile(shared_config_path + ".bak", shared_config_path, true)) {
+                return genError("Could not restore the shared NGINX configuration file");
+            }
+            return genError("Could not validate shared NGINX configuration file. Error: " + validation.getErr());
+        }
+
+        return {};
+    }
+
+    Maybe<void>
+    loadSharedConfig()
+    {
+        dbgFlow(D_NGINX_MANAGER) << "Loading shared configuration into the servers";
+
+        ofstream shared_config(shared_config_path);
+        if (!shared_config.is_open()) {
+            return genError("Could not create shared NGINX configuration file");
+        }
+        shared_config.close();
+
+        string shared_config_directive = "include " + shared_config_path + ";\n";
+        boost::regex server_regex("server\\s*\\{");
+        nginx_conf_content = NGEN::Regex::regexReplace(
+            __FILE__,
+            __LINE__,
+            nginx_conf_content,
+            server_regex,
+            "server {\n" + shared_config_directive
+        );
+
+        ofstream nginx_conf_file(central_nginx_conf_path);
+        if (!nginx_conf_file.is_open()) {
+            return genError("Could not open a temporary central NGINX configuration file");
+        }
+        nginx_conf_file << nginx_conf_content;
+        nginx_conf_file.close();
+
+        auto validation = NginxUtils::validateNginxConf(central_nginx_conf_path);
+        if (!validation.ok()) {
+            return genError("Could not validate central NGINX configuration file. Error: " + validation.getErr());
+        }
+
+        return {};
+    }
+
+    Maybe<void>
+    configureSyslog()
+    {
+        if (!getProfileAgentSettingWithDefault<bool>(false, "centralNginxManagement.syslogEnabled")) {
+            dbgTrace(D_NGINX_MANAGER) << "Syslog is disabled via settings";
+            return {};
+        }
+
+        string syslog_directive = "error_log syslog:server=127.0.0.1:1514 warn;";
+        auto load_shared_directive_result = loadSharedDirective(syslog_directive);
+        if (!load_shared_directive_result.ok()) {
+            return genError("Could not configure syslog directive, error: " + load_shared_directive_result.getErr());
+        }
+
+        return {};
+    }
+
+    Maybe<void>
+    saveBaseCentralNginxConf()
+    {
+        ofstream central_nginx_conf_base_file(central_nginx_conf_path + ".base");
+        if (!central_nginx_conf_base_file.is_open()) {
+            return genError("Could not open a temporary central NGINX configuration file");
+        }
+        central_nginx_conf_base_file << nginx_conf_content;
+        central_nginx_conf_base_file.close();
+
+        return {};
+    }
+
+    void
+    configureCentralNginx()
+    {
+        loadAttachmentModule();
+        auto save_base_nginx_conf = saveBaseCentralNginxConf();
+        if (!save_base_nginx_conf.ok()) {
+            dbgWarning(D_NGINX_MANAGER)
+                << "Could not save base NGINX configuration. Error: "
+                << save_base_nginx_conf.getErr();
+            return;
+        }
+
+        string nginx_conf_content_backup = nginx_conf_content;
+        auto shared_config_result = loadSharedConfig();
+        if (!shared_config_result.ok()) {
+            dbgWarning(D_NGINX_MANAGER)
+                << "Could not load shared configuration. Error: "
+                << shared_config_result.getErr();
+            nginx_conf_content = nginx_conf_content_backup;
+            return;
+        }
+
+        auto syslog_result = configureSyslog();
+        if (!syslog_result.ok()) {
+            dbgWarning(D_NGINX_MANAGER) << "Could not configure syslog. Error: " << syslog_result.getErr();
+        }
+    }
+
+    string file_id;
+    string file_name;
+    string nginx_conf_content;
+    string central_nginx_conf_path;
+    string shared_config_path;
+};
+
+class CentralNginxManager::Impl
+{
+public:
+    void
+    init()
+    {
+        dbgInfo(D_NGINX_MANAGER) << "Starting Central NGINX Manager";
+
+        string main_nginx_conf_path = NginxUtils::getMainNginxConfPath();
+        if (
+            NGEN::Filesystem::exists(main_nginx_conf_path)
+            && !NGEN::Filesystem::exists(main_nginx_conf_path + ".orig")
+        ) {
+            dbgInfo(D_NGINX_MANAGER) << "Creating a backup of the original main NGINX configuration file";
+            NGEN::Filesystem::copyFile(main_nginx_conf_path, main_nginx_conf_path + ".orig", true);
+        }
+
+        i_mainloop = Singleton::Consume<I_MainLoop>::by<CentralNginxManager>();
+        if (!lets_encrypt_listener.init()) {
+            dbgWarning(D_NGINX_MANAGER) << "Could not start Lets Encrypt Listener, scheduling retry";
+            i_mainloop->addOneTimeRoutine(
+                I_MainLoop::RoutineType::System,
+                [this] ()
+                {
+                    while(!lets_encrypt_listener.init()) {
+                        dbgWarning(D_NGINX_MANAGER) << "Could not start Lets Encrypt Listener, will retry";
+                        i_mainloop->yield(chrono::seconds(5));
+                    }
+                },
+                "Lets Encrypt Listener initializer",
+                false
+            );
+        }
+    }
+
+    void
+    loadPolicy()
+    {
+        auto central_nginx_config = getSetting<vector<CentralNginxConfig>>("centralNginxManagement");
+        if (!central_nginx_config.ok() || central_nginx_config.unpack().empty()) {
+            dbgWarning(D_NGINX_MANAGER)
+                << "Could not load Central NGINX Management settings. Error: "
+                << central_nginx_config.getErr();
+            return;
+        }
+
+        auto &config = central_nginx_config.unpack().front();
+        if (config.getFileContent().empty()) {
+            dbgWarning(D_NGINX_MANAGER) << "Empty NGINX configuration file";
+            return;
+        }
+
+        dbgTrace(D_NGINX_MANAGER)
+            << "Handling Central NGINX Management settings: "
+            << config.getFileId()
+            << ", "
+            << config.getFileName()
+            << ", "
+            << config.getFileContent();
+
+        string central_nginx_conf_path = config.getCentralNginxConfPath();
+        ofstream central_nginx_conf_file(central_nginx_conf_path);
+        if (!central_nginx_conf_file.is_open()) {
+            dbgWarning(D_NGINX_MANAGER)
+                << "Could not open central NGINX configuration file: "
+                << central_nginx_conf_path;
+            return;
+        }
+        central_nginx_conf_file << config.getFileContent();
+        central_nginx_conf_file.close();
+
+        auto validation_result = NginxUtils::validateNginxConf(central_nginx_conf_path);
+        if (!validation_result.ok()) {
+            dbgWarning(D_NGINX_MANAGER)
+                << "Could not validate central NGINX configuration file. Error: "
+                << validation_result.getErr();
+            logError(validation_result.getErr());
+            return;
+        }
+
+        dbgTrace(D_NGINX_MANAGER) << "Validated central NGINX configuration file";
+
+        auto reload_result = NginxUtils::reloadNginx(central_nginx_conf_path);
+        if (!reload_result.ok()) {
+            dbgWarning(D_NGINX_MANAGER)
+                << "Could not reload central NGINX configuration. Error: "
+                << reload_result.getErr();
+            logError("Could not reload central NGINX configuration. Error: " + reload_result.getErr());
+            return;
+        }
+
+        logInfo("Central NGINX configuration has been successfully reloaded");
+    }
+
+    void
+    fini()
+    {
+        string central_nginx_base_path = CentralNginxConfig::getCentralNginxConfPath() + ".base";
+        if (!NGEN::Filesystem::exists(central_nginx_base_path)) {
+            dbgWarning(D_NGINX_MANAGER) << "Could not find base NGINX configuration file: " << central_nginx_base_path;
+            return;
+        }
+
+        NginxUtils::reloadNginx(central_nginx_base_path);
+    }
+
+private:
+    void
+    logError(const string &error)
+    {
+        LogGen log(
+            error,
+            ReportIS::Level::ACTION,
+            ReportIS::Audience::SECURITY,
+            ReportIS::Severity::CRITICAL,
+            ReportIS::Priority::URGENT,
+            ReportIS::Tags::POLICY_INSTALLATION
+        );
+
+        log.addToOrigin(LogField("eventTopic", "Central NGINX Management"));
+        log << LogField("notificationId", "4165c3b1-e9bc-44c3-888b-863e204c1bfb");
+        log << LogField(
+            "eventRemediation",
+            "Please verify your NGINX configuration and enforce policy again. "
+            "Contact Check Point support if the issue persists."
+        );
+    }
+
+    void
+    logInfo(const string &info)
+    {
+        LogGen log(
+            info,
+            ReportIS::Level::ACTION,
+            ReportIS::Audience::SECURITY,
+            ReportIS::Severity::INFO,
+            ReportIS::Priority::LOW,
+            ReportIS::Tags::POLICY_INSTALLATION
+        );
+
+        log.addToOrigin(LogField("eventTopic", "Central NGINX Management"));
+        log << LogField("notificationId", "4165c3b1-e9bc-44c3-888b-863e204c1bfb");
+        log << LogField("eventRemediation", "No action required");
+    }
+
+    I_MainLoop *i_mainloop = nullptr;
+    LetsEncryptListener lets_encrypt_listener;
+};
+
+CentralNginxManager::CentralNginxManager()
+    :
+    Component("Central NGINX Manager"),
+    pimpl(make_unique<CentralNginxManager::Impl>()) {}
+
+CentralNginxManager::~CentralNginxManager() {}
+
+void
+CentralNginxManager::init()
+{
+    pimpl->init();
+}
+
+void
+CentralNginxManager::fini()
+{
+    pimpl->fini();
+}
+
+void
+CentralNginxManager::preload()
+{
+    registerExpectedSetting<vector<CentralNginxConfig>>("centralNginxManagement");
+    registerExpectedConfiguration<string>("Config Component", "configuration path");
+    registerConfigLoadCb([this]() { pimpl->loadPolicy(); });
+}

components/security_apps/central_nginx_manager/include/lets_encrypt_listener.h

@@ -0,0 +1,30 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __LETS_ENCRYPT_HANDLER_H__
+#define __LETS_ENCRYPT_HANDLER_H__
+
+#include <string>
+
+#include "maybe_res.h"
+
+class LetsEncryptListener
+{
+public:
+    bool init();
+
+private:
+    Maybe<std::string> getChallengeValue(const std::string &uri) const;
+};
+
+#endif // __LETS_ENCRYPT_HANDLER_H__

components/security_apps/central_nginx_manager/lets_encrypt_listener.cc

@@ -0,0 +1,76 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "lets_encrypt_listener.h"
+
+#include <string>
+
+#include "central_nginx_manager.h"
+#include "debug.h"
+
+using namespace std;
+
+USE_DEBUG_FLAG(D_NGINX_MANAGER);
+
+bool
+LetsEncryptListener::init()
+{
+    dbgInfo(D_NGINX_MANAGER) << "Starting Lets Encrypt Listener";
+    return Singleton::Consume<I_RestApi>::by<CentralNginxManager>()->addWildcardGetCall(
+        ".well-known/acme-challenge/",
+        [&] (const string &uri) -> string
+        {
+            Maybe<string> maybe_challenge_value = getChallengeValue(uri);
+            if (!maybe_challenge_value.ok()) {
+                dbgWarning(D_NGINX_MANAGER)
+                    << "Could not get challenge value for uri: "
+                    << uri
+                    << ", error: "
+                    << maybe_challenge_value.getErr();
+                return string{""};
+            };
+
+            dbgTrace(D_NGINX_MANAGER) << "Got challenge value: " << maybe_challenge_value.unpack();
+            return maybe_challenge_value.unpack();
+        }
+    );
+}
+
+Maybe<string>
+LetsEncryptListener::getChallengeValue(const string &uri) const
+{
+    string challenge_key = uri.substr(uri.find_last_of('/') + 1);
+    string api_query = "/api/lets-encrypt-challenge?http_challenge_key=" + challenge_key;
+
+    dbgInfo(D_NGINX_MANAGER) << "Getting challenge value via: " << api_query;
+
+    MessageMetadata md;
+    md.insertHeader("X-Tenant-Id", Singleton::Consume<I_AgentDetails>::by<CentralNginxManager>()->getTenantId());
+    Maybe<HTTPResponse, HTTPResponse> maybe_http_challenge_value =
+        Singleton::Consume<I_Messaging>::by<CentralNginxManager>()->sendSyncMessage(
+            HTTPMethod::GET,
+            api_query,
+            string("{}"),
+            MessageCategory::GENERIC,
+            md
+        );
+
+    if (!maybe_http_challenge_value.ok()) return genError(maybe_http_challenge_value.getErr().getBody());
+
+    string challenge_value = maybe_http_challenge_value.unpack().getBody();
+    if (!challenge_value.empty() && challenge_value.front() == '"' && challenge_value.back() == '"') {
+        challenge_value = challenge_value.substr(1, challenge_value.size() - 2);
+    }
+
+    return challenge_value;
+}

components/security_apps/http_geo_filter/CMakeLists.txt

@@ -1 +1,5 @@
+include_directories(../waap/include)
+include_directories(../waap/waap_clib)
+include_directories(../../attachment-intakers/nginx_attachment)
+
 add_library(http_geo_filter http_geo_filter.cc)

components/security_apps/http_geo_filter/http_geo_filter.cc

@@ -4,10 +4,16 @@
 #include <unistd.h>
 #include <stddef.h>
 #include <algorithm>
+#include <sstream>
+#include <string>
+#include <vector>
+#include <boost/algorithm/string.hpp>
 
+#include "cidrs_data.h"
 #include "generic_rulebase/generic_rulebase.h"
 #include "generic_rulebase/parameters_config.h"
 #include "generic_rulebase/triggers_config.h"
+#include "user_identifiers_config.h"
 #include "debug.h"
 #include "config.h"
 #include "rest.h"
@@ -21,9 +27,10 @@ USE_DEBUG_FLAG(D_GEO_FILTER);
 
 static const LogTriggerConf default_triger;
 
-class HttpGeoFilter::Impl : public Listener<NewHttpTransactionEvent>
+class HttpGeoFilter::Impl : public Listener<HttpRequestHeaderEvent>
 {
 public:
+
     void
     init()
     {
@@ -55,32 +62,50 @@ public:
     }
 
     EventVerdict
-    respond(const NewHttpTransactionEvent &event) override
+    respond(const HttpRequestHeaderEvent &event) override
     {
         dbgTrace(D_GEO_FILTER) << getListenerName() << " new transaction event";
 
-        if (!ParameterException::isGeoLocationExceptionExists() &&
-            !getConfiguration<GeoConfig>("rulebase", "httpGeoFilter").ok()
-        ) {
-            dbgTrace(D_GEO_FILTER) << "No geo location practice nor exception was found. Returning default verdict";
-            return EventVerdict(default_action);
+        if (!event.isLastHeader()) return EventVerdict(ngx_http_cp_verdict_e::TRAFFIC_VERDICT_INSPECT);
+        std::set<std::string> ip_set;
+        auto env = Singleton::Consume<I_Environment>::by<HttpGeoFilter>();
+        auto maybe_xff = env->get<std::string>(HttpTransactionData::xff_vals_ctx);
+        if (!maybe_xff.ok()) {
+            dbgTrace(D_GEO_FILTER) << "failed to get xff vals from env";
+        } else {
+            ip_set = split(maybe_xff.unpack(), ',');
+        }
+        dbgDebug(D_GEO_FILTER) << getListenerName() << " last header, start lookup";
+
+        if (ip_set.size() > 0) {
+            removeTrustedIpsFromXff(ip_set);
+        } else {
+            dbgDebug(D_GEO_FILTER) << "xff not found in headers";
         }
 
-        I_GeoLocation *i_geo_location = Singleton::Consume<I_GeoLocation>::by<HttpGeoFilter>();
-        auto asset_location = i_geo_location->lookupLocation(event.getSourceIP());
-        if (!asset_location.ok()) {
-            dbgTrace(D_GEO_FILTER) << "Lookup location failed, Error: " << asset_location.getErr();
+        auto maybe_source_ip = env->get<IPAddr>(HttpTransactionData::client_ip_ctx);
+        if (!maybe_source_ip.ok()) {
+            dbgWarning(D_GEO_FILTER) << "failed to get source ip from env";
             return EventVerdict(default_action);
         }
+        auto source_ip = convertIpAddrToString(maybe_source_ip.unpack());
 
-        EnumArray<I_GeoLocation::GeoLocationField, std::string> geo_location_data = asset_location.unpack();
+        // saas profile setting
+        bool ignore_source_ip =
+            getProfileAgentSettingWithDefault<bool>(false, "agent.geoProtaction.ignoreSourceIP");
+        if (ignore_source_ip){
+            dbgDebug(D_GEO_FILTER) << "Geo protection ignoring source ip: " << source_ip;
+        } else {
+            ip_set.insert(convertIpAddrToString(maybe_source_ip.unpack()));
+        }
 
-        ngx_http_cp_verdict_e exception_verdict = getExceptionVerdict(event, geo_location_data);
+
+        ngx_http_cp_verdict_e exception_verdict = getExceptionVerdict(ip_set);
         if (exception_verdict != ngx_http_cp_verdict_e::TRAFFIC_VERDICT_IRRELEVANT) {
             return EventVerdict(exception_verdict);
         }
 
-        ngx_http_cp_verdict_e geo_lookup_verdict = getGeoLookupVerdict(event, geo_location_data);
+        ngx_http_cp_verdict_e geo_lookup_verdict = getGeoLookupVerdict(ip_set);
         if (geo_lookup_verdict != ngx_http_cp_verdict_e::TRAFFIC_VERDICT_IRRELEVANT) {
             return EventVerdict(geo_lookup_verdict);
         }
@@ -88,6 +113,73 @@ public:
     }
 
 private:
+    std::set<std::string>
+    split(const std::string& s, char delim) {
+        std::set<std::string> elems;
+        std::stringstream ss(s);
+        std::string value;
+        while (std::getline(ss, value, delim)) {
+            elems.insert(trim(value));
+        }
+        return elems;
+    }
+
+    static inline std::string &ltrim(std::string &s) {
+        s.erase(s.begin(), std::find_if(s.begin(), s.end(),
+            [] (char c) { return !std::isspace(c); }));
+        return s;
+    }
+
+    // trim from end
+    static inline std::string &rtrim(std::string &s) {
+        s.erase(std::find_if(s.rbegin(), s.rend(),
+            [] (char c) { return !std::isspace(c); }).base(), s.end());
+        return s;
+    }
+
+    // trim from both ends
+    static inline std::string &trim(std::string &s) {
+        return ltrim(rtrim(s));
+    }
+
+    void
+    removeTrustedIpsFromXff(std::set<std::string> &xff_set)
+    {
+        auto identify_config = getConfiguration<UsersAllIdentifiersConfig>(
+            "rulebase",
+            "usersIdentifiers"
+        );
+        if (!identify_config.ok()) {
+            dbgDebug(D_GEO_FILTER) << "did not find users identifiers definition in policy";
+        } else {
+            auto trusted_ips = (*identify_config).getHeaderValuesFromConfig("x-forwarded-for");
+            for (auto it = xff_set.begin(); it != xff_set.end();) {
+                if (isIpTrusted(*it, trusted_ips)) {
+                    dbgTrace(D_GEO_FILTER) << "xff value is in trusted ips: " << *it;
+                    it = xff_set.erase(it);
+                } else {
+                    dbgTrace(D_GEO_FILTER) << "xff value is not in trusted ips: " << *it;
+                    ++it;
+                }
+            }
+        }
+    }
+
+    bool
+    isIpTrusted(const string &ip, const vector<string> &trusted_ips)
+    {
+        for (const auto &trusted_ip : trusted_ips) {
+            CIDRSData cidr_data(trusted_ip);
+            if (
+                ip == trusted_ip ||
+                (cidr_data.contains(ip))
+            ) {
+                return true;
+            }
+        }
+        return false;
+    }
+
     string
     convertIpAddrToString(const IPAddr &ip_to_convert)
     {
@@ -117,54 +209,75 @@ private:
     }
 
     ngx_http_cp_verdict_e
-    getGeoLookupVerdict(
-        const NewHttpTransactionEvent &event,
-        const EnumArray<I_GeoLocation::GeoLocationField, std::string> &geo_location_data)
+    getGeoLookupVerdict(const std::set<std::string> &sources)
     {
         auto maybe_geo_config = getConfiguration<GeoConfig>("rulebase", "httpGeoFilter");
         if (!maybe_geo_config.ok()) {
-            dbgWarning(D_GEO_FILTER) << "Failed to load HTTP Geo Filter config. Error:" << maybe_geo_config.getErr();
+            dbgTrace(D_GEO_FILTER) << "Failed to load HTTP Geo Filter config. Error:" << maybe_geo_config.getErr();
             return ngx_http_cp_verdict_e::TRAFFIC_VERDICT_IRRELEVANT;
         }
         GeoConfig geo_config = maybe_geo_config.unpack();
-        string country_code = geo_location_data[I_GeoLocation::GeoLocationField::COUNTRY_CODE];
+        EnumArray<I_GeoLocation::GeoLocationField, std::string> geo_location_data;
+        I_GeoLocation *i_geo_location = Singleton::Consume<I_GeoLocation>::by<HttpGeoFilter>();
 
-        if (geo_config.isAllowedCountry(country_code)) {
-            dbgTrace(D_GEO_FILTER)
-                << "geo verdict ACCEPT, practice id: "
-                << geo_config.getId()
-                << ", country code: "
-                << country_code;
-            generateVerdictLog(
-                ngx_http_cp_verdict_e::TRAFFIC_VERDICT_ACCEPT,
-                event,
-                geo_config.getId(),
-                true,
-                geo_location_data
-            );
-            return ngx_http_cp_verdict_e::TRAFFIC_VERDICT_ACCEPT;
-        }
-        if (geo_config.isBlockedCountry(country_code)) {
-            dbgTrace(D_GEO_FILTER)
-                << "geo verdict DROP, practice id: "
-                << geo_config.getId()
-                << ", country code: "
-                << country_code;
-            generateVerdictLog(
-                ngx_http_cp_verdict_e::TRAFFIC_VERDICT_DROP,
-                event,
-                geo_config.getId(),
-                true,
-                geo_location_data
-            );
-            return ngx_http_cp_verdict_e::TRAFFIC_VERDICT_DROP;
+        for (const std::string& source : sources) {
+            Maybe<IPAddr> maybe_source_ip = IPAddr::createIPAddr(source);
+            if (!maybe_source_ip.ok()){
+                dbgWarning(D_GEO_FILTER) <<
+                "create ip address failed for source: " <<
+                source <<
+                ", Error: " <<
+                maybe_source_ip.getErr();
+                continue;
+            }
+            auto asset_location = i_geo_location->lookupLocation(maybe_source_ip.unpack());
+            if (!asset_location.ok()) {
+                dbgWarning(D_GEO_FILTER) <<
+                "Lookup location failed for source: " <<
+                source <<
+                ", Error: " <<
+                asset_location.getErr();
+                continue;
+            }
+
+            geo_location_data = asset_location.unpack();
+
+            string country_code = geo_location_data[I_GeoLocation::GeoLocationField::COUNTRY_CODE];
+
+            if (geo_config.isAllowedCountry(country_code)) {
+                dbgTrace(D_GEO_FILTER)
+                    << "geo verdict ACCEPT, practice id: "
+                    << geo_config.getId()
+                    << ", country code: "
+                    << country_code;
+                generateVerdictLog(
+                    ngx_http_cp_verdict_e::TRAFFIC_VERDICT_ACCEPT,
+                    geo_config.getId(),
+                    true,
+                    geo_location_data
+                );
+                return ngx_http_cp_verdict_e::TRAFFIC_VERDICT_ACCEPT;
+            }
+            if (geo_config.isBlockedCountry(country_code)) {
+                dbgTrace(D_GEO_FILTER)
+                    << "geo verdict DROP, practice id: "
+                    << geo_config.getId()
+                    << ", country code: "
+                    << country_code;
+                generateVerdictLog(
+                    ngx_http_cp_verdict_e::TRAFFIC_VERDICT_DROP,
+                    geo_config.getId(),
+                    true,
+                    geo_location_data
+                );
+                return ngx_http_cp_verdict_e::TRAFFIC_VERDICT_DROP;
+            }
         }
         dbgTrace(D_GEO_FILTER)
             << "No matched practice. Returned default action: "
             << geo_config.getDefaultAction();
         generateVerdictLog(
             convertActionToVerdict(geo_config.getDefaultAction()),
-            event,
             geo_config.getId(),
             true,
             geo_location_data,
@@ -176,7 +289,6 @@ private:
     Maybe<pair<ngx_http_cp_verdict_e, string>>
     getBehaviorsVerdict(
         const unordered_map<string, set<string>> &behaviors_map_to_search,
-        const NewHttpTransactionEvent &event,
         EnumArray<I_GeoLocation::GeoLocationField, std::string> geo_location_data)
     {
         bool is_matched = false;
@@ -193,7 +305,6 @@ private:
                 dbgTrace(D_GEO_FILTER) << "behavior verdict: DROP, exception id: " << behavior.getId();
                 generateVerdictLog(
                     matched_verdict,
-                    event,
                     behavior.getId(),
                     false,
                     geo_location_data
@@ -218,63 +329,74 @@ private:
     }
 
     ngx_http_cp_verdict_e
-    getExceptionVerdict(
-        const NewHttpTransactionEvent &event,
-        EnumArray<I_GeoLocation::GeoLocationField, std::string> geo_location_data
-    ){
-        string country_code = geo_location_data[I_GeoLocation::GeoLocationField::COUNTRY_CODE];
-        string country_name = geo_location_data[I_GeoLocation::GeoLocationField::COUNTRY_NAME];
-        string source_ip = convertIpAddrToString(event.getSourceIP());
+    getExceptionVerdict(const std::set<std::string> &sources) {
 
         pair<ngx_http_cp_verdict_e, string> curr_matched_behavior;
         ngx_http_cp_verdict_e verdict = ngx_http_cp_verdict_e::TRAFFIC_VERDICT_IRRELEVANT;
+        I_GeoLocation *i_geo_location = Singleton::Consume<I_GeoLocation>::by<HttpGeoFilter>();
+        EnumArray<I_GeoLocation::GeoLocationField, std::string> geo_location_data;
 
-        dbgTrace(D_GEO_FILTER)
+        for (const std::string& source : sources) {
+
+            Maybe<IPAddr> maybe_source_ip = IPAddr::createIPAddr(source);
+            if (!maybe_source_ip.ok()){
+                dbgWarning(D_GEO_FILTER) <<
+                "create ip address failed for source: " <<
+                source <<
+                ", Error: " <<
+                maybe_source_ip.getErr();
+                continue;
+            }
+
+
+            auto asset_location = i_geo_location->lookupLocation(maybe_source_ip.unpack());
+            if (!asset_location.ok()) {
+                dbgDebug(D_GEO_FILTER) << "Lookup location failed for source: " <<
+                source <<
+                ", Error: " <<
+                asset_location.getErr();
+                continue;
+            }
+            geo_location_data = asset_location.unpack();
+            string country_code = geo_location_data[I_GeoLocation::GeoLocationField::COUNTRY_CODE];
+            string country_name = geo_location_data[I_GeoLocation::GeoLocationField::COUNTRY_NAME];
+            dbgTrace(D_GEO_FILTER)
             << "Get exception verdict. "
             << "country code: "
             << country_code
             << ", country name: "
             << country_name
             << ", source ip address: "
-            << source_ip;
+            << source;
 
-        unordered_map<string, set<string>> exception_value_source_ip = {{"sourceIP", {source_ip}}};
-        auto matched_behavior_maybe = getBehaviorsVerdict(exception_value_source_ip, event, geo_location_data);
-        if (matched_behavior_maybe.ok()) {
-            curr_matched_behavior = matched_behavior_maybe.unpack();
-            verdict = curr_matched_behavior.first;
-            if (verdict == ngx_http_cp_verdict_e::TRAFFIC_VERDICT_DROP) {
-                return verdict;
+            unordered_map<string, set<string>> exception_value_country_code = {
+                {"countryCode", {country_code}}
+            };
+            auto matched_behavior_maybe = getBehaviorsVerdict(exception_value_country_code, geo_location_data);
+            if (matched_behavior_maybe.ok()) {
+                curr_matched_behavior = matched_behavior_maybe.unpack();
+                verdict = curr_matched_behavior.first;
+                if (verdict == ngx_http_cp_verdict_e::TRAFFIC_VERDICT_DROP) {
+                    return verdict;
+                }
+            }
+
+            unordered_map<string, set<string>> exception_value_country_name = {
+                {"countryName", {country_name}}
+            };
+            matched_behavior_maybe = getBehaviorsVerdict(exception_value_country_name, geo_location_data);
+            if (matched_behavior_maybe.ok()) {
+                curr_matched_behavior = matched_behavior_maybe.unpack();
+                verdict = curr_matched_behavior.first;
+                if (verdict == ngx_http_cp_verdict_e::TRAFFIC_VERDICT_DROP) {
+                    return verdict;
+                }
             }
         }
 
-        unordered_map<string, set<string>> exception_value_country_code = {
-            {"countryCode", {country_code}}
-        };
-        matched_behavior_maybe = getBehaviorsVerdict(exception_value_country_code, event, geo_location_data);
-        if (matched_behavior_maybe.ok()) {
-            curr_matched_behavior = matched_behavior_maybe.unpack();
-            verdict = curr_matched_behavior.first;
-            if (verdict == ngx_http_cp_verdict_e::TRAFFIC_VERDICT_DROP) {
-                return verdict;
-            }
-        }
-
-        unordered_map<string, set<string>> exception_value_country_name = {
-            {"countryName", {country_name}}
-        };
-        matched_behavior_maybe = getBehaviorsVerdict(exception_value_country_name, event, geo_location_data);
-        if (matched_behavior_maybe.ok()) {
-            curr_matched_behavior = matched_behavior_maybe.unpack();
-            verdict = curr_matched_behavior.first;
-            if (verdict == ngx_http_cp_verdict_e::TRAFFIC_VERDICT_DROP) {
-                return verdict;
-            }
-        }
         if (verdict == ngx_http_cp_verdict_e::TRAFFIC_VERDICT_ACCEPT) {
             generateVerdictLog(
                 verdict,
-                event,
                 curr_matched_behavior.second,
                 false,
                 geo_location_data
@@ -286,7 +408,6 @@ private:
     void
     generateVerdictLog(
         const ngx_http_cp_verdict_e &verdict,
-        const NewHttpTransactionEvent &event,
         const string &matched_id,
         bool is_geo_filter,
         const EnumArray<I_GeoLocation::GeoLocationField, std::string> geo_location_data,
@@ -307,14 +428,27 @@ private:
             LogField(matched_on, matched_id),
             ReportIS::Tags::HTTP_GEO_FILTER
         );
-        log
-            << LogField("sourceIP", convertIpAddrToString(event.getSourceIP()))
-            << LogField("sourcePort", event.getSourcePort())
-            << LogField("hostName", event.getDestinationHost())
-            << LogField("httpMethod", event.getHttpMethod())
-            << LogField("securityAction", is_prevent ? "Prevent" : "Detect");
+        auto env = Singleton::Consume<I_Environment>::by<HttpGeoFilter>();
+        auto source_ip = env->get<IPAddr>(HttpTransactionData::client_ip_ctx);
+        if (source_ip.ok()) log << LogField("sourceIP", convertIpAddrToString(source_ip.unpack()));
+
+        auto source_identifier = env->get<string>(HttpTransactionData::source_identifier);
+        if (source_identifier.ok()) log << LogField("httpSourceId", source_identifier.unpack());
+
+        auto source_port = env->get<string>(HttpTransactionData::client_port_ctx);
+        if (source_port.ok()) log << LogField("sourcePort", source_port.unpack());
+
+        auto host_name = env->get<string>(HttpTransactionData::host_name_ctx);
+        if (host_name.ok()) log << LogField("hostName", host_name.unpack());
+
+        auto method = env->get<string>(HttpTransactionData::method_ctx);
+        if (method.ok()) log << LogField("httpMethod", method.unpack());
+
+        log << LogField("securityAction", is_prevent ? "Prevent" : "Detect");
 
         if (is_default_action) log << LogField("isDefaultSecurityAction", true);
+        auto xff = env->get<string>(HttpTransactionData::xff_vals_ctx);
+        if (xff.ok()) log << LogField("proxyIP", xff.unpack());
 
         log
             << LogField("sourceCountryCode", geo_location_data[I_GeoLocation::GeoLocationField::COUNTRY_CODE])
@@ -343,5 +477,6 @@ void
 HttpGeoFilter::preload()
 {
     registerExpectedConfiguration<GeoConfig>("rulebase", "httpGeoFilter");
+    registerExpectedConfiguration<UsersAllIdentifiersConfig>("rulebase", "usersIdentifiers");
     registerConfigLoadCb([this]() { pimpl->loadDefaultAction(); });
 }

components/security_apps/ips/compound_protection.cc

@@ -43,7 +43,10 @@ CompoundProtection::Impl::getMatch(const set<PMPattern> &matched) const
         case Operation::ORDERED_AND: return getMatchOrderedAnd(matched);
     }
 
-    dbgAssert(false) << "Unknown compound operation: " << static_cast<uint>(operation);
+    dbgAssert(false)
+        << AlertInfo(AlertTeam::CORE, "ips")
+        << "Unknown compound operation: "
+        << static_cast<uint>(operation);
     return MatchType::NO_MATCH;
 }
 

components/security_apps/ips/include/ips_basic_policy.h

@@ -50,9 +50,13 @@ public:
 
 private:
     void readRules(cereal::JSONInputArchive &ar);
+    void readTriggerId(cereal::JSONInputArchive &ar);
+    void readExceptionId(cereal::JSONInputArchive &ar);
     void readDefaultAction(cereal::JSONInputArchive &ar);
 
     std::vector<Rule> rules;
+    std::string trigger_id;
+    std::string exception_id;
 };
 
 #endif // __IPS_BASIC_POLICY_H__

components/security_apps/ips/include/ips_signatures.h

@@ -27,6 +27,7 @@
 #include "log_generator.h"
 #include "parsed_context.h"
 #include "pm_hook.h"
+#include "i_generic_rulebase.h"
 
 /// \namespace IPSSignatureSubTypes
 /// \brief Namespace containing subtypes for IPS signatures.
@@ -335,9 +336,16 @@ public:
         return metadata.getYear();
     }
 
+    bool
+    isOk() const
+    {
+        return is_loaded;
+    }
+
 private:
     IPSSignatureMetaData metadata;
     std::shared_ptr<BaseSignature> rule;
+    bool is_loaded;
 };
 
 /// \class SignatureAndAction
@@ -348,8 +356,16 @@ public:
     /// \brief Construct a SignatureAndAction object.
     /// \param _signature The complete signature.
     /// \param _action The signature action.
-    SignatureAndAction(std::shared_ptr<CompleteSignature> _signature, SignatureAction _action) :
-        signature(_signature), action(_action)
+    SignatureAndAction(
+        std::shared_ptr<CompleteSignature> _signature,
+        SignatureAction _action,
+        std::string _trigger_id,
+        std::string _exception_id)
+            :
+        signature(_signature),
+        action(_action),
+        trigger_id(_trigger_id),
+        exception_id(_exception_id)
     {}
 
     /// \brief Check if the signature is matched for prevention.
@@ -375,6 +391,11 @@ public:
         return signature->getContext();
     }
 
+    LogTriggerConf getTrigger() const;
+
+    std::set<ParameterBehavior>
+    getBehavior(const std::unordered_map<std::string, std::set<std::string>> &exceptions_dict) const;
+
 private:
     /// \brief Get the action results for the IPS state.
     /// \param ips_state The IPS entry.
@@ -382,6 +403,8 @@ private:
 
     std::shared_ptr<CompleteSignature> signature;
     SignatureAction action;
+    std::string trigger_id;
+    std::string exception_id;
 };
 } // namespace IPSSignatureSubTypes
 

components/security_apps/ips/include/snort_basic_policy.h

@@ -17,6 +17,8 @@ public:
 private:
     IPSSignatureSubTypes::SignatureAction action = IPSSignatureSubTypes::SignatureAction::IGNORE;
     std::vector<std::string> file_names;
+    std::string trigger_id;
+    std::string exception_id;
 };
 
 #endif // __SNORT_BASIC_POLICY_H__

components/security_apps/ips/ips_basic_policy.cc

@@ -17,6 +17,8 @@ void
 RuleSelector::load(cereal::JSONInputArchive &ar)
 {
     readRules(ar);
+    readTriggerId(ar);
+    readExceptionId(ar);
     readDefaultAction(ar);
 }
 
@@ -36,7 +38,7 @@ RuleSelector::selectSignatures() const
             if (rule.isSignaturedMatched(*signature)) {
                 if (rule.getAction() != IPSSignatureSubTypes::SignatureAction::IGNORE) {
                     signature->setIndicators("Check Point", signatures_version);
-                    res.emplace_back(signature, rule.getAction());
+                    res.emplace_back(signature, rule.getAction(), trigger_id, exception_id);
                 }
                 break;
             }
@@ -52,6 +54,28 @@ RuleSelector::readRules(cereal::JSONInputArchive &ar)
     ar(cereal::make_nvp("rules", rules));
 }
 
+void
+RuleSelector::readTriggerId(cereal::JSONInputArchive &ar)
+{
+    try {
+        ar(cereal::make_nvp("triggers", trigger_id));
+    } catch (const cereal::Exception &e) {
+        ar.setNextName(nullptr);
+        trigger_id = "";
+    }
+}
+
+void
+RuleSelector::readExceptionId(cereal::JSONInputArchive &ar)
+{
+    try {
+        ar(cereal::make_nvp("exceptions", exception_id));
+    } catch (const cereal::Exception &e) {
+        ar.setNextName(nullptr);
+        exception_id = "";
+    }
+}
+
 void
 RuleSelector::readDefaultAction(cereal::JSONInputArchive &ar)
 {

components/security_apps/ips/ips_configuration.cc

@@ -8,7 +8,9 @@ IPSConfiguration::Context::Context(ContextType _type, uint history) : type(_type
 uint
 IPSConfiguration::Context::getHistorySize() const
 {
-    dbgAssert(type == ContextType::HISTORY) << "Try to access history size for non-history context";
+    dbgAssert(type == ContextType::HISTORY)
+        << AlertInfo(AlertTeam::CORE, "ips")
+        << "Try to access history size for non-history context";
     return history_size;
 }
 
@@ -69,6 +71,8 @@ uint
 IPSConfiguration::getHistorySize(const string &name) const
 {
     auto context = context_config.find(name);
-    dbgAssert(context != context_config.end()) << "Try to access history size for non-exiting context";
+    dbgAssert(context != context_config.end())
+        << AlertInfo(AlertTeam::CORE, "ips")
+        << "Try to access history size for non-exiting context";
     return context->second.getHistorySize();
 }

components/security_apps/ips/ips_entry.cc

@@ -26,6 +26,8 @@ static const map<string, IPSConfiguration::Context> default_conf_mapping = {
 };
 
 static const IPSConfiguration default_conf(default_conf_mapping);
+static const IPSSignatures default_ips_sigs;
+static const SnortSignatures default_snort_sigs;
 
 IPSEntry::IPSEntry() : TableOpaqueSerialize<IPSEntry>(this) {}
 
@@ -51,9 +53,9 @@ IPSEntry::respond(const ParsedContext &parsed)
     ctx.registerValue(name, buf);
 
     ctx.activate();
-    auto &signatures = getConfigurationWithDefault(IPSSignatures(), "IPS", "IpsProtections");
+    auto &signatures = getConfigurationWithDefault(default_ips_sigs, "IPS", "IpsProtections");
     bool should_drop = signatures.isMatchedPrevent(parsed.getName(), buf);
-    auto &snort_signatures = getConfigurationWithDefault(SnortSignatures(), "IPSSnortSigs", "SnortProtections");
+    auto &snort_signatures = getConfigurationWithDefault(default_snort_sigs, "IPSSnortSigs", "SnortProtections");
     should_drop |= snort_signatures.isMatchedPrevent(parsed.getName(), buf);
     ctx.deactivate();
 

components/security_apps/ips/ips_signatures.cc

@@ -84,7 +84,7 @@ IPSSignatureMetaData::getSeverityString() const
             return "Critical";
     }
 
-    dbgAssert(false) << "Illegal severity value: " << static_cast<uint>(severity);
+    dbgAssert(false) << AlertInfo(AlertTeam::CORE, "ips") << "Illegal severity value: " << static_cast<uint>(severity);
     return "Critical";
 }
 
@@ -116,7 +116,10 @@ IPSSignatureMetaData::getPerformanceString() const
             return "Critical";
     }
 
-    dbgAssert(false) << "Illegal performance value: " << static_cast<uint>(performance);
+    dbgAssert(false)
+        << AlertInfo(AlertTeam::CORE, "ips")
+        << "Illegal performance value: "
+        << static_cast<uint>(performance);
     return "Critical";
 }
 
@@ -216,10 +219,16 @@ IPSSignatureMetaData::getYear() const
 void
 CompleteSignature::load(cereal::JSONInputArchive &ar)
 {
-    ar(cereal::make_nvp("protectionMetadata", metadata));
-    RuleDetection rule_detection(metadata.getName());
-    ar(cereal::make_nvp("detectionRules", rule_detection));
-    rule = rule_detection.getRule();
+    try {
+        ar(cereal::make_nvp("protectionMetadata", metadata));
+        RuleDetection rule_detection(metadata.getName());
+        ar(cereal::make_nvp("detectionRules", rule_detection));
+        rule = rule_detection.getRule();
+        is_loaded = true;
+    } catch (cereal::Exception &e) {
+        is_loaded = false;
+        dbgWarning(D_IPS) << "Failed to load signature: " << e.what();
+    }
 }
 
 MatchType
@@ -280,8 +289,7 @@ SignatureAndAction::getAction(const IPSEntry &ips_state) const
         exceptions_dict["sourceIdentifier"].insert(*env_source_identifier);
     }
 
-    I_GenericRulebase *i_rulebase = Singleton::Consume<I_GenericRulebase>::by<IPSComp>();
-    auto behaviors = i_rulebase->getBehavior(exceptions_dict);
+    auto behaviors = getBehavior(exceptions_dict);
 
     set<BehaviorValue> override_actions;
     vector<string> override_ids;
@@ -315,6 +323,23 @@ static const auto url_query = LogTriggerConf::WebLogFields::webUrlQuery;
 static const auto res_body = LogTriggerConf::WebLogFields::responseBody;
 static const auto res_code = LogTriggerConf::WebLogFields::responseCode;
 
+LogTriggerConf
+SignatureAndAction::getTrigger() const
+{
+    if (trigger_id.empty()) return getConfigurationWithDefault(LogTriggerConf(), "rulebase", "log");
+
+    return Singleton::Consume<I_GenericRulebase>::by<IPSComp>()->getLogTriggerConf(trigger_id);
+}
+
+set<ParameterBehavior>
+SignatureAndAction::getBehavior(const unordered_map<string, set<string>> &exceptions_dict) const
+{
+    I_GenericRulebase *i_rulebase = Singleton::Consume<I_GenericRulebase>::by<IPSComp>();
+    if (exception_id.empty()) return i_rulebase->getBehavior(exceptions_dict);
+
+    return i_rulebase->getParameterException(exception_id).getBehavior(exceptions_dict);
+}
+
 bool
 SignatureAndAction::matchSilent(const Buffer &sample) const
 {
@@ -348,7 +373,16 @@ SignatureAndAction::matchSilent(const Buffer &sample) const
     if (method.ok()) log << LogField("httpMethod", method.unpack());
 
     auto path  = env->get<Buffer>("HTTP_PATH_DECODED");
-    if (path.ok()) log << LogField("httpUriPath", getSubString(path, 1536), LogFieldOption::XORANDB64);
+    if (path.ok()) {
+        log << LogField("httpUriPath", getSubString(path, 1536), LogFieldOption::XORANDB64);
+    } else {
+        auto transaction_path = env->get<string>(HttpTransactionData::uri_path_decoded);
+        if (transaction_path.ok()) {
+            auto uri_path = transaction_path.unpack();
+            auto question_mark = uri_path.find('?');
+            log << LogField("httpUriPath", uri_path.substr(0, question_mark), LogFieldOption::XORANDB64);
+        }
+    }
 
     auto req_header = ips_state.getTransactionData(IPSCommonTypes::requests_header_for_log);
     if (req_header.ok()) log << LogField("httpRequestHeaders", getSubString(req_header), LogFieldOption::XORANDB64);
@@ -398,7 +432,7 @@ SignatureAndAction::isMatchedPrevent(const Buffer &context_buffer, const set<PMP
 
     dbgDebug(D_IPS) << "Signature matched - sending log";
 
-    auto &trigger = getConfigurationWithDefault(default_triger, "rulebase", "log");
+    auto trigger = getTrigger();
     bool is_prevent = get<0>(override_action) == IPSSignatureSubTypes::SignatureAction::PREVENT;
 
     auto severity = signature->getSeverity() < IPSLevel::HIGH ? Severity::HIGH : Severity::CRITICAL;
@@ -466,13 +500,30 @@ SignatureAndAction::isMatchedPrevent(const Buffer &context_buffer, const set<PMP
     auto method = env->get<string>(HttpTransactionData::method_ctx);
     if (method.ok()) log << LogField("httpMethod", method.unpack());
     uint max_size = getConfigurationWithDefault<uint>(1536, "IPS", "Max Field Size");
-    auto path  = env->get<Buffer>("HTTP_PATH_DECODED");
-    if (path.ok() && trigger.isWebLogFieldActive(url_path)) {
-        log << LogField("httpUriPath", getSubString(path, max_size), LogFieldOption::XORANDB64);
+
+    if (trigger.isWebLogFieldActive(url_path)) {
+        auto path  = env->get<Buffer>("HTTP_PATH_DECODED");
+        if (path.ok()) {
+            log << LogField("httpUriPath", getSubString(path, max_size), LogFieldOption::XORANDB64);
+        } else {
+            auto transaction_path = env->get<string>(HttpTransactionData::uri_path_decoded);
+            if (transaction_path.ok()) {
+                auto uri_path = transaction_path.unpack();
+                auto question_mark = uri_path.find('?');
+                log << LogField("httpUriPath", uri_path.substr(0, question_mark), LogFieldOption::XORANDB64);
+            }
+        }
     }
-    auto query = env->get<Buffer>("HTTP_QUERY_DECODED");
-    if (query.ok() && trigger.isWebLogFieldActive(url_query)) {
-        log << LogField("httpUriQuery", getSubString(query, max_size), LogFieldOption::XORANDB64);
+    if (trigger.isWebLogFieldActive(url_query)) {
+        auto query = env->get<Buffer>("HTTP_QUERY_DECODED");
+        if (query.ok()) {
+            log << LogField("httpUriQuery", getSubString(query, max_size), LogFieldOption::XORANDB64);
+        } else {
+            auto transaction_query = env->get<string>(HttpTransactionData::uri_query_decoded);
+            if (transaction_query.ok()) {
+                log << LogField("httpUriQuery", transaction_query.unpack());
+            }
+        }
     }
 
     auto res_code = env->get<Buffer>("HTTP_RESPONSE_CODE");
@@ -514,7 +565,9 @@ IPSSignaturesResource::load(cereal::JSONInputArchive &ar)
 
     all_signatures.reserve(sigs.size());
     for (auto &sig : sigs) {
-        all_signatures.emplace_back(make_shared<CompleteSignature>(move(sig)));
+        if (sig.isOk()) {
+            all_signatures.emplace_back(make_shared<CompleteSignature>(move(sig)));
+        }
     }
 }
 

components/security_apps/ips/ips_ut/component_ut.cc

@@ -596,6 +596,8 @@ TEST_F(ComponentTest, check_filtering_by_year)
 
 TEST_F(ComponentTest, log_fields)
 {
+    generic_rulebase.preload();
+    generic_rulebase.init();
     string config =
         "{"
             "\"IPS\": {"
@@ -632,6 +634,8 @@ TEST_F(ComponentTest, log_fields)
                         "\"assetId\": \"1-1-1\","
                         "\"practiceId\": \"2-2-2\","
                         "\"practiceName\": \"practice1\","
+                        "\"triggers\": \"5eaeefde6765c30010bae8b6\","
+                        "\"exceptions\": \"\","
                         "\"defaultAction\": \"Detect\","
                         "\"rules\": ["
                             "{"
@@ -643,10 +647,36 @@ TEST_F(ComponentTest, log_fields)
                         "]"
                     "}"
                 "]"
+            "},"
+            "\"rulebase\": {"
+                "\"log\": ["
+                    "{"
+                        "\"context\": \"triggerId(5eaeefde6765c30010bae8b6)\","
+                        "\"triggerName\": \"Logging Trigger\","
+                        "\"triggerType\": \"log\","
+                        "\"urlForSyslog\": \"\","
+                        "\"urlForCef\": \"128.1.1.1:333\","
+                        "\"acAllow\": false,"
+                        "\"acDrop\": true,"
+                        "\"complianceViolations\": true,"
+                        "\"complianceWarnings\": true,"
+                        "\"logToAgent\": true,"
+                        "\"logToCloud\": true,"
+                        "\"logToSyslog\": false,"
+                        "\"logToCef\": true,"
+                        "\"tpDetect\": true,"
+                        "\"tpPrevent\": true,"
+                        "\"verbosity\": \"Standard\","
+                        "\"webBody\": true,"
+                        "\"webHeaders\": true,"
+                        "\"webRequests\": true,"
+                        "\"webUrlPath\": true,"
+                        "\"webUrlQuery\": true"
+                    "}"
+                "]"
             "}"
         "}";
     loadPolicy(config);
-    setTrigger();
 
     EXPECT_CALL(table, createStateRValueRemoved(_, _));
     EXPECT_CALL(table, getState(_)).WillRepeatedly(Return(&entry));
@@ -829,6 +859,8 @@ TEST_F(ComponentTest, prxeem_exception_bug)
         "                \"practiceId\": \"2-2-2\","
         "                \"practiceName\": \"practice1\","
         "                \"defaultAction\": \"Prevent\","
+        "                \"triggers\": \"\","
+        "                \"exceptions\": \"6c3867be-4da5-42c2-93dc-8f509a764004\","
         "                \"rules\": []"
         "            }"
         "        ]"
@@ -847,6 +879,11 @@ TEST_F(ComponentTest, prxeem_exception_bug)
         "                       \"parameterId\": \"6c3867be-4da5-42c2-93dc-8f509a764003\","
         "                       \"parameterType\": \"exceptions\","
         "                       \"parameterName\": \"exception\""
+        "                    },"
+        "                    {"
+        "                       \"parameterId\": \"6c3867be-4da5-42c2-93dc-8f509a764004\","
+        "                       \"parameterType\": \"exceptions\","
+        "                       \"parameterName\": \"exception\""
         "                    }"
         "                ],"
         "                \"zoneId\": \"\","
@@ -855,7 +892,7 @@ TEST_F(ComponentTest, prxeem_exception_bug)
         "        ],"
         "        \"exception\": ["
         "            {"
-        "                \"context\": \"parameterId(6c3867be-4da5-42c2-93dc-8f509a764003)\","
+        "                \"context\": \"parameterId(6c3867be-4da5-42c2-93dc-8f509a764004)\","
         "                \"match\": {"
         "                   \"type\": \"operator\","
         "                   \"op\": \"and\","

components/security_apps/ips/ips_ut/configuration.cc

@@ -7,7 +7,7 @@ TEST(configuration, basic_context)
 
     IPSConfiguration::Context ctx1(IPSConfiguration::ContextType::HISTORY, 254);
     EXPECT_EQ(ctx1.getType(), IPSConfiguration::ContextType::HISTORY);
-    EXPECT_EQ(ctx1.getHistorySize(), 254);
+    EXPECT_EQ(ctx1.getHistorySize(), 254u);
 
     IPSConfiguration::Context ctx2(IPSConfiguration::ContextType::NORMAL, 0);
     EXPECT_EQ(ctx2.getType(), IPSConfiguration::ContextType::NORMAL);
@@ -42,7 +42,7 @@ TEST(configuration, read_configuration)
 
     auto body = conf.getContext("HTTP_REQUEST_BODY");
     EXPECT_EQ(body.getType(), IPSConfiguration::ContextType::HISTORY);
-    EXPECT_EQ(conf.getHistorySize("HTTP_REQUEST_BODY"), 100);
+    EXPECT_EQ(conf.getHistorySize("HTTP_REQUEST_BODY"), 100u);
 
     auto header = conf.getContext("HTTP_REQUEST_HEADER");
     EXPECT_EQ(header.getType(), IPSConfiguration::ContextType::KEEP);

components/security_apps/ips/ips_ut/entry_ut.cc

@@ -137,8 +137,8 @@ private:
 TEST_F(EntryTest, basic_inherited_functions)
 {
     EXPECT_EQ(IPSEntry::name(), "IPS");
-    EXPECT_EQ(IPSEntry::currVer(), 0);
-    EXPECT_EQ(IPSEntry::minVer(), 0);
+    EXPECT_EQ(IPSEntry::currVer(), 0u);
+    EXPECT_EQ(IPSEntry::minVer(), 0u);
     EXPECT_NE(IPSEntry::prototype(), nullptr);
     EXPECT_EQ(entry.getListenerName(), IPSEntry::name());
 

components/security_apps/ips/ips_ut/resource_ut.cc

@@ -71,7 +71,7 @@ TEST(resources, basic_resource)
     Singleton::Consume<Config::I_Config>::from(conf)->loadConfiguration(resource);
 
     auto loaded_resources = getSettingWithDefault(IPSSignaturesResource(), "IPS", "protections");
-    EXPECT_EQ(loaded_resources.getSignatures().size(), 2);
+    EXPECT_EQ(loaded_resources.getSignatures().size(), 2u);
     auto version = getSettingWithDefault<string>("", "IPS", "VersionId");
     EXPECT_EQ(version, "1234567");
 }

components/security_apps/ips/ips_ut/signatures_ut.cc

@@ -104,6 +104,12 @@ public:
             cereal::JSONInputArchive ar(ss);
             high_medium_confidance_signatures.load(ar);
         }
+        {
+            stringstream ss;
+            ss << "[" << signature_performance_high << ", " << signature_broken << "]";
+            cereal::JSONInputArchive ar(ss);
+            single_broken_signature.load(ar);
+        }
     }
 
     ~SignatureTest()
@@ -250,6 +256,7 @@ public:
     IPSSignaturesResource performance_signatures1;
     IPSSignaturesResource performance_signatures2;
     IPSSignaturesResource performance_signatures3;
+    IPSSignaturesResource single_broken_signature;
     NiceMock<MockTable> table;
     MockAgg mock_agg;
 
@@ -483,6 +490,26 @@ private:
                 "\"context\": [\"HTTP_REQUEST_BODY\", \"HTTP_RESPONSE_BODY\"]"
             "}"
         "}";
+
+    string signature_broken =
+    "{"
+        "\"protectionMetadata\": {"
+            "\"protectionName\": \"BrokenTest\","
+            "\"maintrainId\": \"101\","
+            "\"severity\": \"Medium High\","
+            "\"confidenceLevel\": \"Low\","
+            "\"performanceImpact\": \"High\","
+            "\"lastUpdate\": \"20210420\","
+            "\"tags\": [],"
+            "\"cveList\": []"
+        "},"
+        "\"detectionRules\": {"
+            "\"type\": \"simple\","
+            "\"SSM\": \"\","
+            "\"keywosrds\": \"data: \\\"www\\\";\","
+            "\"context\": [\"HTTP_REQUEST_BODY\", \"HTTP_RESPONSE_BODY\"]"
+        "}"
+    "}";
 };
 
 TEST_F(SignatureTest, basic_load_of_signatures)
@@ -665,3 +692,14 @@ TEST_F(SignatureTest, high_confidance_signatures_matching)
     expectLog("\"protectionId\": \"Test4\"", "\"matchedSignatureConfidence\": \"Medium\"");
     EXPECT_FALSE(checkData("mmm"));
 }
+
+TEST_F(SignatureTest, broken_signature)
+{
+    load(single_broken_signature, "Low or above", "Low");
+    EXPECT_FALSE(checkData("ggg"));
+
+    expectLog("\"matchedSignaturePerformance\": \"High\"");
+    EXPECT_TRUE(checkData("fff"));
+
+    EXPECT_FALSE(checkData("www"));
+}

components/security_apps/ips/snort_basic_policy.cc

@@ -16,6 +16,19 @@ using namespace std;
 void
 SnortRuleSelector::load(cereal::JSONInputArchive &ar)
 {
+    try {
+        ar(cereal::make_nvp("triggers", trigger_id));
+    } catch (const cereal::Exception &e) {
+        ar.setNextName(nullptr);
+        trigger_id = "";
+    }
+
+    try {
+        ar(cereal::make_nvp("exceptions", exception_id));
+    } catch (const cereal::Exception &e) {
+        ar.setNextName(nullptr);
+        exception_id = "";
+    }
     string mode;
     ar(cereal::make_nvp("mode", mode), cereal::make_nvp("files", file_names));
 
@@ -38,7 +51,7 @@ SnortRuleSelector::selectSignatures() const
 
     for (auto &file : file_names) {
         for (auto &signature : (*signatures).getSignatures(file)) {
-            res.emplace_back(signature, action);
+            res.emplace_back(signature, action, trigger_id, exception_id);
         }
     }
     return res;

components/security_apps/layer_7_access_control/layer_7_access_control.cc

@@ -385,8 +385,29 @@ Layer7AccessControl::Impl::init()
     i_intelligence = Singleton::Consume<I_Intelligence_IS_V2>::by<Layer7AccessControl>();
     i_mainloop = Singleton::Consume<I_MainLoop>::by<Layer7AccessControl>();
 
-    chrono::minutes expiration(
-        getProfileAgentSettingWithDefault<uint>(60u, "layer7AccessControl.crowdsec.cacheExpiration")
+    int cache_expiration_in_seconds = 30;
+    string cache_expiration_env = getenv("CROWDSEC_CACHE_EXPIRATION") ? getenv("CROWDSEC_CACHE_EXPIRATION") : "";
+    if (!cache_expiration_env.empty()) {
+        if (
+            all_of(cache_expiration_env.begin(), cache_expiration_env.end(), ::isdigit)
+            && stoi(cache_expiration_env) > 0
+        ) {
+            cache_expiration_in_seconds = stoi(cache_expiration_env);
+            dbgInfo(D_L7_ACCESS_CONTROL)
+                << "Successfully read cache expiration value from env: "
+                << cache_expiration_env;
+        } else {
+            dbgWarning(D_L7_ACCESS_CONTROL)
+                << "An invalid cache expiration value was provided in env: "
+                << cache_expiration_env;
+        }
+    }
+
+    chrono::seconds expiration(
+        getProfileAgentSettingWithDefault<uint>(
+            cache_expiration_in_seconds,
+            "layer7AccessControl.crowdsec.cacheExpiration"
+        )
     );
 
     ip_reputation_cache.startExpiration(

components/security_apps/layer_7_access_control/layer_7_access_control_ut/layer_7_access_control_ut.cc

@@ -142,6 +142,13 @@ string disabled_settings =
         "}"
     "],\n";
 
+
+string local_intelligence =
+    "\"intelligence\":{"
+    "  \"local intelligence server ip\":\"127.0.0.1\","
+    "  \"local intelligence server primary port\":9090"
+    "}\n,";
+
 string policy =
     "\"rulebase\": {"
         "\"usersIdentifiers\": ["
@@ -240,7 +247,9 @@ Layer7AccessControlTest::verifyReport(
     string log = reportToStr(report);
     dbgTrace(D_L7_ACCESS_CONTROL) << "Report: " << log;
 
-    if (!source_identifier.empty()) EXPECT_THAT(log, HasSubstr("\"httpSourceId\": \"" + source_identifier + "\""));
+    if (!source_identifier.empty()) {
+        EXPECT_THAT(log, HasSubstr("\"httpSourceId\": \"" + source_identifier + "\""));
+    }
     EXPECT_THAT(log, HasSubstr("\"securityAction\": \"" + security_action + "\""));
     EXPECT_THAT(log, HasSubstr("\"eventName\": \"Access Control External Vendor Reputation\""));
     EXPECT_THAT(log, HasSubstr("\"httpHostName\": \"juice-shop.checkpoint.com\""));
@@ -259,7 +268,7 @@ Layer7AccessControlTest::verifyReport(
 
 TEST_F(Layer7AccessControlTest, ReturnAcceptVerdict)
 {
-    stringstream ss_conf(prevent_settings + policy);
+    stringstream ss_conf(prevent_settings + local_intelligence + policy);
     Singleton::Consume<Config::I_Config>::from(config)->loadConfiguration(ss_conf);
 
     string intelligence_response_ok = loadIntelligenceResponse("data/ok_intelligence_response.json");
@@ -305,7 +314,7 @@ TEST_F(Layer7AccessControlTest, ReturnAcceptVerdict)
 
 TEST_F(Layer7AccessControlTest, ReturnDropVerdictOnMaliciousReputation)
 {
-    stringstream ss_conf(prevent_settings + policy);
+    stringstream ss_conf(prevent_settings + local_intelligence + policy);
     Singleton::Consume<Config::I_Config>::from(config)->loadConfiguration(ss_conf);
     
     string malicious_intelligence_response = loadIntelligenceResponse("data/malicious_intelligence_response.json");
@@ -351,7 +360,7 @@ TEST_F(Layer7AccessControlTest, ReturnDropVerdictOnMaliciousReputation)
 
 TEST_F(Layer7AccessControlTest, ReturnDropVerdictCacheBased)
 {
-    stringstream ss_conf(prevent_settings + policy);
+    stringstream ss_conf(prevent_settings + local_intelligence + policy);
     Singleton::Consume<Config::I_Config>::from(config)->loadConfiguration(ss_conf);
 
     string malicious_intelligence_response = loadIntelligenceResponse("data/malicious_intelligence_response.json");
@@ -403,7 +412,7 @@ TEST_F(Layer7AccessControlTest, ReturnDropVerdictCacheBased)
 
 TEST_F(Layer7AccessControlTest, AcceptOnDetect)
 {
-    stringstream ss_conf(detect_settings + policy);
+    stringstream ss_conf(detect_settings + local_intelligence + policy);
     Singleton::Consume<Config::I_Config>::from(config)->loadConfiguration(ss_conf);
     
     string malicious_intelligence_response = loadIntelligenceResponse("data/malicious_intelligence_response.json");
@@ -449,7 +458,7 @@ TEST_F(Layer7AccessControlTest, AcceptOnDetect)
 
 TEST_F(Layer7AccessControlTest, FallbackToSourceIPAndDrop)
 {
-    stringstream ss_conf(prevent_settings + policy);
+    stringstream ss_conf(prevent_settings + local_intelligence + policy);
     Singleton::Consume<Config::I_Config>::from(config)->loadConfiguration(ss_conf);
 
     string malicious_intelligence_response = loadIntelligenceResponse("data/malicious_intelligence_response.json");

components/security_apps/local_policy_mgmt_gen/CMakeLists.txt

@@ -22,4 +22,5 @@ add_library(local_policy_mgmt_gen
     access_control_practice.cc
     configmaps.cc
     reverse_proxy_section.cc
+    policy_activation_data.cc
 )

components/security_apps/local_policy_mgmt_gen/access_control_practice.cc

@@ -228,6 +228,11 @@ AccessControlPracticeSpec::load(cereal::JSONInputArchive &archive_in)
     dbgTrace(D_LOCAL_POLICY) << "Loading AppSec practice spec";
 
     parseAppsecJSONKey<string>("name", practice_name, archive_in);
+    parseAppsecJSONKey<string>("practiceMode", mode, archive_in, "inherited");
+    if (valid_modes.count(mode) == 0) {
+        dbgWarning(D_LOCAL_POLICY) << "AppSec Access control practice mode invalid: " << mode;
+        throw PolicyGenException("AppSec Access control practice mode invalid: " + mode);
+    }
     parseAppsecJSONKey<string>("appsecClassName", appsec_class_name, archive_in);
     parseMandatoryAppsecJSONKey<AccessControlRateLimit>("rateLimit", rate_limit, archive_in);
 }
@@ -255,4 +260,10 @@ AccessControlPracticeSpec::getName() const
 {
     return practice_name;
 }
+
+const string &
+AccessControlPracticeSpec::getMode(const std::string &default_mode) const
+{
+    return isModeInherited(mode) ? default_mode : mode;
+}
 // LCOV_EXCL_STOP