Update open-appsec-crd-v1beta2.yaml

* sync code

* sync code

* code sync

* code sync

---------

Co-authored-by: Ned Wright <nedwright@proton.me>
Co-authored-by: Daniel Eisenberg <danielei@checkpoint.com>

config/crds/open-appsec-crd-v1beta1.yaml

@@ -1,4 +1,4 @@
-Enter file contents hereapiVersion: apiextensions.k8s.io/v1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata :
   name : customresponses.openappsec.io

config/crds/open-appsec-crd-v1beta2.yaml

@@ -1173,3 +1173,46 @@ spec:
     kind: TrustedSource
     shortNames:
       - trustedsource
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata :
+  name: policyactivations.openappsec.io
+spec:
+  group: openappsec.io
+  versions:
+    - name: v1beta2
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          properties:
+            spec:
+              type: object
+              properties:
+                appsecClassName:
+                  type: string
+                enabledPolicies:
+                  type: array
+                  items:
+                    type: object
+                    properties:
+                      name:
+                        type: string
+                      hosts:
+                        type: array
+                        items:
+                          type: string
+                    required:
+                      - hosts
+              required:
+                - enabledPolicies
+  scope: Cluster
+  names:
+    plural: policyactivations
+    singular: policyactivation
+    kind: PolicyActivation
+    shortNames:
+      - policyactivation

config/k8s/v1beta1/open-appsec-k8s-default-config-v1beta1.yaml

@@ -11,3 +11,58 @@ spec:
         source-identifiers: ""
         trusted-sources: ""
         exceptions: []
+---
+apiVersion: openappsec.io/v1beta1
+kind: LogTrigger
+metadata:
+    name: appsec-log-trigger
+spec:
+    access-control-logging:
+        allow-events: false
+        drop-events: true
+    appsec-logging:
+        detect-events: false
+        prevent-events: true
+        all-web-requests: false
+    additional-suspicious-events-logging:
+        enabled: true
+        minimum-severity: high
+        response-body: false
+    extended-logging:
+        url-path: false
+        url-query: false
+        http-headers: false
+        request-body: false
+    log-destination:
+        cloud: true
+        syslog-service: []
+        file: ""
+        stdout:
+            format: json
+        cef-service: []
+--
+apiVersion: openappsec.io/v1beta1
+kind: Practice
+metadata:
+  name: appsec-best-practice
+spec:
+  anti-bot:
+    injected-URIs: []
+    validated-URIs: []
+  openapi-schema-validation:
+    configmap: []
+  snort-signatures:
+    configmap: []
+  web-attacks:
+    minimum-confidence: high
+    override-mode: detect-learn
+--
+apiVersion: openappsec.io/v1beta1
+kind: CustomResponse
+metadata:
+  name: 403-forbidden
+spec:
+  http-response-code: 403
+  message-body: ""
+  message-title: ""
+  mode: response-code-only

config/k8s/v1beta1/open-appsec-k8s-prevent-config-v1beta1.yaml

@@ -11,3 +11,58 @@ spec:
         source-identifiers: ""
         trusted-sources: ""
         exceptions: []
+---
+apiVersion: openappsec.io/v1beta1
+kind: LogTrigger
+metadata:
+    name: appsec-log-trigger
+spec:
+    access-control-logging:
+        allow-events: false
+        drop-events: true
+    appsec-logging:
+        detect-events: false
+        prevent-events: true
+        all-web-requests: false
+    additional-suspicious-events-logging:
+        enabled: true
+        minimum-severity: high
+        response-body: false
+    extended-logging:
+        url-path: false
+        url-query: false
+        http-headers: false
+        request-body: false
+    log-destination:
+        cloud: true
+        syslog-service: []
+        file: ""
+        stdout:
+            format: json
+        cef-service: []
+--
+apiVersion: openappsec.io/v1beta1
+kind: Practice
+metadata:
+  name: appsec-best-practice
+spec:
+  anti-bot:
+    injected-URIs: []
+    validated-URIs: []
+  openapi-schema-validation:
+    configmap: []
+  snort-signatures:
+    configmap: []
+  web-attacks:
+    minimum-confidence: high
+    override-mode: prevent-learn
+--
+apiVersion: openappsec.io/v1beta1
+kind: CustomResponse
+metadata:
+  name: 403-forbidden
+spec:
+  http-response-code: 403
+  message-body: ""
+  message-title: ""
+  mode: response-code-only

config/linux/v1beta2/example/local_policy.yaml

@@ -0,0 +1,113 @@
+apiVersion: v1beta2
+
+policies:
+  default:
+    mode: detect-learn
+    accessControlPractices: [access-control-practice-example]
+    threatPreventionPractices: [threat-prevention-practice-example]
+    triggers: [log-trigger-example]
+    customResponse: web-user-response-exmaple
+    sourceIdentifiers: ""
+    trustedSources: ""
+    exceptions:
+      - exception-example
+  specificRules:
+    - host: "example.com"
+      mode: prevent-learn
+      threatPreventionPractices: [threat-prevention-practice-example]
+      accessControlPractices: [access-control-practice-example]
+      triggers: [log-trigger-example]
+      customResponse: web-user-response-exmaple
+      sourceIdentifiers: ""
+      trustedSources: ""
+      exceptions:
+        - exception-example
+
+threatPreventionPractices:
+  - name: threat-prevention-practice-example
+    practiceMode: inherited
+    webAttacks:
+      overrideMode: inherited
+      minimumConfidence: high
+    intrusionPrevention:
+    # intrusion prevention (IPS) requires "Premium Edition"
+      overrideMode: inherited
+      maxPerformanceImpact: medium
+      minSeverityLevel: medium
+      minCveYear: 2016
+      highConfidenceEventAction: inherited
+      mediumConfidenceEventAction: inherited
+      lowConfidenceEventAction: detect
+    fileSecurity:
+    # file security requires "Premium Edition"
+      overrideMode: inherited
+      minSeverityLevel: medium
+      highConfidenceEventAction: inherited
+      mediumConfidenceEventAction: inherited
+      lowConfidenceEventAction: detect
+    snortSignatures:
+      # you must specify snort signatures in configmap or file to activate snort inspection
+      overrideMode: inherited
+      configmap: []
+      # relevant for deployments on kubernetes
+      # 0 or 1 configmaps supported in array
+      files: []
+      # relevant for docker and linux embedded deployments
+      # 0 or 1 files supported in array
+    schemaValidation: # schema validation requires "Premium Edition" 
+      overrideMode: inherited
+      configmap: []
+      # relevant for deployments on kubernetes
+      # 0 or 1 configmaps supported in array
+      files: []
+      # relevant for docker and linux embedded deployments
+      # 0 or 1 files supported in array
+    antiBot: # antibot requires "Premium Edition" 
+      overrideMode: inherited
+      injectedUris: []
+      validatedUris: []
+
+accessControlPractices:
+  - name: access-control-practice-example
+    practiceMode: inherited
+    rateLimit:
+    # specify one or more rules below to use rate limiting
+      overrideMode: inherited
+      rules: []
+
+customResponses:
+  - name: web-user-response-exmaple
+    mode: response-code-only
+    httpResponseCode: 403
+
+logTriggers:
+  - name: log-trigger-example
+    accessControlLogging:
+      allowEvents: false
+      dropEvents: true
+    appsecLogging:
+      detectEvents: true
+      preventEvents: true
+      allWebRequests: false
+    extendedLogging:
+      urlPath: true
+      urlQuery: true
+      httpHeaders: false
+      requestBody: false
+    additionalSuspiciousEventsLogging:
+      enabled: true
+      minSeverity: high
+      responseBody: false
+      responseCode: true
+    logDestination:
+      cloud: true
+      logToAgent: false
+      stdout:
+        format: json
+
+exceptions:
+  - name: exception-example
+    action: "accept"
+    condition:
+      - key: "countryCode"
+        value: "US"

core/messaging/connection/connection.cc

@@ -184,18 +184,6 @@ public:
     establishConnection()
     {
         dbgFlow(D_CONNECTION) << "Establishing a new connection";
-        // check if connection already established
-        I_MainLoop *i_mainloop = Singleton::Consume<I_MainLoop>::by<Messaging>();
-        while (lock) {
-            i_mainloop->yield(true);
-        }
-        lock = true;
-        auto unlock = make_scope_exit([&] () { lock = false; });
-
-        if (is_connected && !should_close_connection) {
-            dbgTrace(D_CONNECTION) << "Connection already established";
-            return Maybe<void>();
-        }
         auto set_socket = setSocket();
         if (!set_socket.ok()) {
             dbgWarning(D_CONNECTION) << "Failed to set socket: " << set_socket.getErr();
@@ -233,7 +221,6 @@ public:
             << (isOverProxy() ? ", Over proxy: " + settings.getProxyHost() + ":" + to_string(key.getPort()) : "");
         active = Maybe<void, chrono::seconds>();
         should_close_connection = false;
-        is_connected = true;
         return Maybe<void>();
     }
 
@@ -596,13 +583,11 @@ private:
 
         if (BIO_should_retry(bio.get())) return string();
 
-        auto fd = BIO_get_fd(bio.get(), nullptr);
-
         char error_buf[256];
         ERR_error_string(ERR_get_error(), error_buf);
         string error = receive_len == 0 ?
-            "Connection closed by peer (BIO fd: " + to_string(fd) + "). Error: " + string(error_buf) :
-            "Failed to read data from BIO socket (fd: " + to_string(fd) + "). Error: " + string(error_buf);
+            "Connection closed by peer" :
+            "Failed to read data from BIO socket. Error: " + string(error_buf);
         dbgWarning(D_CONNECTION) << error;
         return genError(HTTPResponse(HTTPStatusCode::HTTP_UNKNOWN, error));
     }
@@ -636,28 +621,17 @@ private:
     Maybe<HTTPResponse, HTTPResponse>
     sendAndReceiveData(const string &request, bool is_connect)
     {
-        dbgFlow(D_CONNECTION) << "Sending and receiving data, lock: " << lock;
+        dbgFlow(D_CONNECTION) << "Sending and receiving data";
         I_MainLoop *i_mainloop = Singleton::Consume<I_MainLoop>::by<Messaging>();
-        while (lock && !is_connect) {
+        while (lock) {
             i_mainloop->yield(true);
         }
         lock = true;
-        dbgTrace(D_CONNECTION) << "acquire lock";
-        auto unlock = make_scope_exit([&] () {
-            lock = false;
-        });
+        auto unlock = make_scope_exit([&] () { lock = false; });
 
         if (should_close_connection) {
-            dbgTrace(D_CONNECTION) << "reconnect in progress";
-            while (lock) {
-                i_mainloop->yield(true);
-            }
-            if (!is_connected) {
-                dbgWarning(D_CONNECTION) << close_error.getBody();
-                return genError(close_error);
-            }
-            dbgTrace(D_CONNECTION) << "reconnected by other routine";
-            lock = true;
+            dbgWarning(D_CONNECTION) << close_error.getBody();
+            return genError(close_error);
         }
 
         I_TimeGet *i_time = Singleton::Consume<I_TimeGet>::by<Messaging>();
@@ -677,13 +651,11 @@ private:
         dbgTrace(D_CONNECTION) << "Sent the message, now waiting for response";
         while (!http_parser.hasReachedError()) {
             if (i_time->getMonotonicTime() > receiving_end_time) {
-                is_connected = false;
                 should_close_connection = true;
                 return genError(receving_timeout);
             };
             auto receieved = receiveData();
             if (!receieved.ok()) {
-                is_connected = false;
                 should_close_connection = true;
                 return receieved.passErr();
             }
@@ -734,7 +706,6 @@ private:
     bool lock = false;
     bool should_close_connection = false;
     bool is_dual_auth = false;
-    bool is_connected = false;
     Maybe<string> sni_hostname = genError<string>("Uninitialized");
     Maybe<string> dn_host_name = genError<string>("Uninitialized");
 

core/messaging/connection/connection_comp.cc

@@ -92,12 +92,12 @@ private:
             << metadata.getPort();
         MessageConnectionKey conn_key(metadata.getHostName(), metadata.getPort(), category);
         Connection conn(conn_key, metadata);
-        persistent_connections.emplace(conn_key, conn);
 
         const auto &external_certificate = metadata.getExternalCertificate();
         if (!external_certificate.empty()) conn.setExternalCertificate(external_certificate);
 
         auto connected = conn.establishConnection();
+        persistent_connections.emplace(conn_key, conn);
 
         if (!connected.ok()) {
             string connection_err = "Failed to establish connection. Error: " + connected.getErr();