github_mirrors/openappsec
3
0
Fork 1
mirror of https://github.com/openappsec/openappsec.git synced 2025-11-18 02:00:38 +03:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: github_mirrors:Jan_12_2025-Dev
Branches Tags
github_mirrors:main github_mirrors:v1beta2-defualt-policy github_mirrors:fix-entry-file-token-arg github_mirrors:09-11-25-dev github_mirrors:docker-stop-issue github_mirrors:update_docker_compose github_mirrors:fix-alpine-ca github_mirrors:Aug_08_2025-Dev github_mirrors:nginx_message_reader_improvements github_mirrors:conf-collector-upload github_mirrors:waf-tag github_mirrors:watchdog github_mirrors:prometheus_support github_mirrors:exception-fix github_mirrors:orianelou-patch-8 github_mirrors:orianelou-issue-tamplates github_mirrors:Mar_17_2025-Dev github_mirrors:docker-upgrade-issue github_mirrors:namspace-crds github_mirrors:Feb_27_2025-Dev github_mirrors:Feb_10_2025-Dev github_mirrors:oriane-23.12.24-adding-new-composes github_mirrors:Jan_12_2025-Dev github_mirrors:orianelou-patch-7 github_mirrors:Dec_29_2024-Dev github_mirrors:Nov_28_2024-Dev github_mirrors:Oct_14_2024-Dev github_mirrors:Sep_17_2024-Dev github_mirrors:Sep_15_2024-Dev github_mirrors:Sep_13_2024-Dev github_mirrors:Sep_11_2024-Dev github_mirrors:Aug_20_2024-Dev github_mirrors:orianelou-patch-6 github_mirrors:orianelou-patch-5 github_mirrors:orianelou-patch-4 github_mirrors:Jul_31_2024-Dev github_mirrors:danielei-hotifx-candidate github_mirrors:orianelou-crds github_mirrors:or github_mirrors:Jul_23_2024-Dev github_mirrors:Jul_04_2024-Dev github_mirrors:Jun_26_2024-Dev github_mirrors:orianelou-new-policy-files github_mirrors:Jun_09_2024-Dev github_mirrors:May_27_2024-Dev github_mirrors:Apr_21_2024-Dev github_mirrors:Apr_14_2024-Dev github_mirrors:Mar_21_2024-Dev github_mirrors:orianelou-patch-3 github_mirrors:WrightNed-patch-1 github_mirrors:Feb_28_2024 github_mirrors:orianelou-patch-apisix github_mirrors:Feb_13_2024 github_mirrors:Feb_06_2024-Dev github_mirrors:Jan_31_2024-Dev github_mirrors:Dec-24-2023 github_mirrors:Dec-12th-2023 github_mirrors:Nov_12_2023-Dev github_mirrors:open_appsec_add_agent_cache_for_rate_limit github_mirrors:orianelou-patch-2 github_mirrors:Sep_24_2023-Dev github_mirrors:Aug_23_2023-Dev github_mirrors:changing_socket_readiness_testing github_mirrors:support-advance-model github_mirrors:Jul_24_23_chart_update github_mirrors:Jul_06_2023-Dev github_mirrors:orianelou-patch-1 github_mirrors:workflow-08_05 github_mirrors:May_11_2023-Dev github_mirrors:crowdsec github_mirrors:Apr_27_2023-Dev github_mirrors:Mar_26_2023-Dev github_mirrors:Mar_13_2023-Dev github_mirrors:Mar_02_2023-Dev github_mirrors:Feb_22_2023-Dev github_mirrors:Feb_15_2023-Dev github_mirrors:Jan_22_2023-Dev github_mirrors:Jan_18_2023-Dev github_mirrors:Jan_16_2023
github_mirrors:1.1.30 github_mirrors:1.1.29 github_mirrors:1.1.27 github_mirrors:1.1.26 github_mirrors:1.1.25 github_mirrors:1.1.24 github_mirrors:1.1.23 github_mirrors:1.1.22 github_mirrors:1.1.21 github_mirrors:1.1.20 github_mirrors:1.1.19 github_mirrors:1.1.18 github_mirrors:1.1.17 github_mirrors:1.1.16 github_mirrors:1.1.15 github_mirrors:1.1.14 github_mirrors:v1.1.3 github_mirrors:1.1.12 github_mirrors:1.1.11 github_mirrors:1.1.10 github_mirrors:1.1.9 github_mirrors:1.1.8 github_mirrors:1.1.7 github_mirrors:1.1.6 github_mirrors:1.1.5 github_mirrors:1.1.4 github_mirrors:1.1.3 github_mirrors:1.1.2 github_mirrors:1.1.0 github_mirrors:1.0.1 github_mirrors:1.0.0 github_mirrors:0.9.1-rc github_mirrors:0.9.0-rc github_mirrors:0.8.0-rc
...
compare: github_mirrors:Feb_10_2025-Dev
Branches Tags
github_mirrors:main github_mirrors:v1beta2-defualt-policy github_mirrors:fix-entry-file-token-arg github_mirrors:09-11-25-dev github_mirrors:docker-stop-issue github_mirrors:update_docker_compose github_mirrors:fix-alpine-ca github_mirrors:Aug_08_2025-Dev github_mirrors:nginx_message_reader_improvements github_mirrors:conf-collector-upload github_mirrors:waf-tag github_mirrors:watchdog github_mirrors:prometheus_support github_mirrors:exception-fix github_mirrors:orianelou-patch-8 github_mirrors:orianelou-issue-tamplates github_mirrors:Mar_17_2025-Dev github_mirrors:docker-upgrade-issue github_mirrors:namspace-crds github_mirrors:Feb_27_2025-Dev github_mirrors:Feb_10_2025-Dev github_mirrors:oriane-23.12.24-adding-new-composes github_mirrors:Jan_12_2025-Dev github_mirrors:orianelou-patch-7 github_mirrors:Dec_29_2024-Dev github_mirrors:Nov_28_2024-Dev github_mirrors:Oct_14_2024-Dev github_mirrors:Sep_17_2024-Dev github_mirrors:Sep_15_2024-Dev github_mirrors:Sep_13_2024-Dev github_mirrors:Sep_11_2024-Dev github_mirrors:Aug_20_2024-Dev github_mirrors:orianelou-patch-6 github_mirrors:orianelou-patch-5 github_mirrors:orianelou-patch-4 github_mirrors:Jul_31_2024-Dev github_mirrors:danielei-hotifx-candidate github_mirrors:orianelou-crds github_mirrors:or github_mirrors:Jul_23_2024-Dev github_mirrors:Jul_04_2024-Dev github_mirrors:Jun_26_2024-Dev github_mirrors:orianelou-new-policy-files github_mirrors:Jun_09_2024-Dev github_mirrors:May_27_2024-Dev github_mirrors:Apr_21_2024-Dev github_mirrors:Apr_14_2024-Dev github_mirrors:Mar_21_2024-Dev github_mirrors:orianelou-patch-3 github_mirrors:WrightNed-patch-1 github_mirrors:Feb_28_2024 github_mirrors:orianelou-patch-apisix github_mirrors:Feb_13_2024 github_mirrors:Feb_06_2024-Dev github_mirrors:Jan_31_2024-Dev github_mirrors:Dec-24-2023 github_mirrors:Dec-12th-2023 github_mirrors:Nov_12_2023-Dev github_mirrors:open_appsec_add_agent_cache_for_rate_limit github_mirrors:orianelou-patch-2 github_mirrors:Sep_24_2023-Dev github_mirrors:Aug_23_2023-Dev github_mirrors:changing_socket_readiness_testing github_mirrors:support-advance-model github_mirrors:Jul_24_23_chart_update github_mirrors:Jul_06_2023-Dev github_mirrors:orianelou-patch-1 github_mirrors:workflow-08_05 github_mirrors:May_11_2023-Dev github_mirrors:crowdsec github_mirrors:Apr_27_2023-Dev github_mirrors:Mar_26_2023-Dev github_mirrors:Mar_13_2023-Dev github_mirrors:Mar_02_2023-Dev github_mirrors:Feb_22_2023-Dev github_mirrors:Feb_15_2023-Dev github_mirrors:Jan_22_2023-Dev github_mirrors:Jan_18_2023-Dev github_mirrors:Jan_16_2023
github_mirrors:1.1.30 github_mirrors:1.1.29 github_mirrors:1.1.27 github_mirrors:1.1.26 github_mirrors:1.1.25 github_mirrors:1.1.24 github_mirrors:1.1.23 github_mirrors:1.1.22 github_mirrors:1.1.21 github_mirrors:1.1.20 github_mirrors:1.1.19 github_mirrors:1.1.18 github_mirrors:1.1.17 github_mirrors:1.1.16 github_mirrors:1.1.15 github_mirrors:1.1.14 github_mirrors:v1.1.3 github_mirrors:1.1.12 github_mirrors:1.1.11 github_mirrors:1.1.10 github_mirrors:1.1.9 github_mirrors:1.1.8 github_mirrors:1.1.7 github_mirrors:1.1.6 github_mirrors:1.1.5 github_mirrors:1.1.4 github_mirrors:1.1.3 github_mirrors:1.1.2 github_mirrors:1.1.0 github_mirrors:1.0.1 github_mirrors:1.0.0 github_mirrors:0.9.1-rc github_mirrors:0.9.0-rc github_mirrors:0.8.0-rc

70 Commits
Jan_12_202 ... Feb_10_202

Author SHA1 Message Date
Daniel Eisenberg
71d1f30a9a code sync 2025-02-11 17:53:45 +02:00
Daniel Eisenberg
613c878568 code sync 2025-02-10 21:30:14 +02:00
Ned Wright
85dbcf4714 sync code 2025-02-10 17:05:25 +00:00
Ned Wright
19bb4518af sync code 2025-02-10 16:15:01 +00:00
orianelou
8d03b49176 Update open-appsec-k8s-full-example-config-v1beta2.yaml 2025-02-10 10:34:40 +02:00
orianelou
84f9624c00 Update open-appsec-k8s-full-example-config-v1beta2.yaml 2025-02-10 10:23:00 +02:00
orianelou
3ecda7b979 Update docker-compose.yaml 2025-02-09 15:57:29 +02:00
orianelou
8f05508e02 Update docker-compose.yaml 2025-02-09 15:41:55 +02:00
orianelou
f5b9c93fbe Update docker-compose.yaml 2025-02-09 15:40:03 +02:00
orianelou
62b74c9a10 Update docker-compose.yaml 2025-02-09 15:32:02 +02:00
orianelou
e3163cd4fa Create .env 2025-02-03 16:34:47 +02:00
orianelou
1e98fc8c66 Add files via upload 2025-02-03 16:16:50 +02:00
orianelou
6fbe272378 Delete deployment/docker-compose/envoy directory 2025-02-03 16:16:31 +02:00
orianelou
7b3320ce10 Rename default.conf to default.conf 2025-01-21 14:04:01 +02:00
orianelou
25cc2d66e7 Rename .env to .env 2025-01-21 14:03:28 +02:00
orianelou
66e2112afb Rename docker-compose.yaml to docker-compose.yaml 2025-01-21 14:03:05 +02:00
orianelou
ba7c9afd52 Create .env 2025-01-20 15:14:44 +02:00
orianelou
2aa0993d7e Create .env 2025-01-20 15:13:52 +02:00
orianelou
0cdfc9df90 Create .env 2025-01-20 15:13:28 +02:00
orianelou
010814d656 Update .env 2025-01-20 14:36:03 +02:00
orianelou
3779dd360d Create .env 2025-01-20 14:34:54 +02:00
orianelou
0e7dc2133d Update .env 2025-01-20 14:31:39 +02:00
orianelou
c9095acbef Create .env 2025-01-20 14:29:39 +02:00
orianelou
e47e29321d Create .env 2025-01-20 14:24:03 +02:00
orianelou
25a66e77df Create default.conf 2025-01-20 14:16:18 +02:00
orianelou
6eea40f165 Create docker-compose.yaml 2025-01-20 14:15:35 +02:00
orianelou
cee6ed511a Create .env 2025-01-20 14:15:12 +02:00
orianelou
4f145fd74f Update .env 2025-01-20 14:14:31 +02:00
orianelou
3fe5c5b36f Create .env 2025-01-20 14:14:15 +02:00
orianelou
7542a85ddb Update docker-compose.yaml 2025-01-20 14:14:04 +02:00
orianelou
fae4534e5c Merge pull request #226 from openappsec/oriane-23.12.24-adding-new-composes 
Oriane 23.12.24 adding new composes
 2025-01-20 12:02:00 +02:00
orianelou
923a8a804b Add files via upload 2025-01-20 12:00:49 +02:00
orianelou
b1731237d1 Delete deployment directory 2025-01-20 11:58:01 +02:00
orianelou
3d3d6e73b9 Rename deployment/envoy/docker-compose.yaml to deployment/docker-compose/envoy/docker-compose.yaml 2025-01-20 11:49:03 +02:00
Daniel-Eisenberg
3f80127ec5 Merge pull request #224 from openappsec/Jan_12_2025-Dev 
Jan 12 2025 dev
 2025-01-19 11:16:59 +02:00
orianelou
d2b9bc8c9c Create envoy.yaml 2025-01-13 14:23:49 +02:00
orianelou
886a5befe1 Create .env 2025-01-13 14:23:17 +02:00
orianelou
1f2502f9e4 Create docker-compose.yaml 2025-01-13 14:22:57 +02:00
orianelou
9e4c5014ce Create .env 2025-01-13 14:21:50 +02:00
orianelou
024423cce9 Create docker-compose.yaml 2025-01-13 14:21:35 +02:00
orianelou
dc4b546bd1 Update .env 2025-01-13 14:20:38 +02:00
orianelou
a86aca13b4 Update docker-compose.yaml 2025-01-13 14:20:21 +02:00
orianelou
87b34590d4 Update .env 2025-01-13 14:18:04 +02:00
orianelou
e0198a1a95 Update docker-compose.yaml 2025-01-13 14:17:49 +02:00
orianelou
d024ad5845 Update .env 2025-01-13 14:15:28 +02:00
orianelou
46d42c8fa3 Update docker-compose.yaml 2025-01-13 14:15:15 +02:00
orianelou
f6c36f3363 Update .env 2025-01-13 14:14:07 +02:00
orianelou
63541a4c3c Update docker-compose.yaml 2025-01-13 14:13:53 +02:00
orianelou
d14fa7a468 Update docker-compose.yaml 2025-01-13 14:13:23 +02:00
orianelou
ae0de5bf14 Update docker-compose.yaml 2025-01-13 14:13:12 +02:00
orianelou
d39919f348 Update .env 2025-01-13 14:12:32 +02:00
orianelou
4f215e1409 Update docker-compose.yaml 2025-01-13 14:12:09 +02:00
orianelou
f05b5f8cee Create default.conf 2025-01-13 14:11:47 +02:00
orianelou
949b656b13 Update .env 2025-01-13 14:11:02 +02:00
orianelou
bbe293d215 Update docker-compose.yaml 2025-01-13 14:10:48 +02:00
orianelou
2c91793f08 Create .env 2024-12-24 11:04:38 +02:00
orianelou
72a263d25a Create docker-compose.yaml 2024-12-24 11:00:58 +02:00
orianelou
4e14ff9a58 Create default.conf 2024-12-23 17:25:23 +02:00
orianelou
1fb28e14d6 Create juiceshop.subfolder.conf 2024-12-23 17:24:26 +02:00
orianelou
e38bb9525c Create .env 2024-12-23 17:22:40 +02:00
orianelou
63b8bb22c2 Create docker-compose.yaml 2024-12-23 17:21:53 +02:00
orianelou
11c97330f5 Create apisix.yaml 2024-12-23 16:59:40 +02:00
orianelou
e56fb0bc1a Create .env 2024-12-23 16:59:07 +02:00
orianelou
4571d563f4 Create docker-compose.yaml 2024-12-23 16:58:35 +02:00
orianelou
02c1db01f6 Create default.conf 2024-12-23 16:47:53 +02:00
orianelou
c557affd9b Create .env 2024-12-23 16:46:38 +02:00
orianelou
8889c3c054 Create docker-compose.yaml 2024-12-23 16:46:16 +02:00
orianelou
f67eff87bc Create kong.yaml 2024-12-23 16:19:32 +02:00
orianelou
fa6a2e4233 Create .env 2024-12-23 16:18:53 +02:00
orianelou
b7e2efbf7e Create docker-compose.yaml 2024-12-23 10:20:02 +02:00
102 changed files with 3477 additions and 265 deletions
Expand all files Collapse all files

12
attachments/nginx/nginx_attachment_util/nginx_attachment_util.cc
View File

@@ -95,6 +95,18 @@ getFailOpenHoldTimeout()
return conf_data.getNumericalValue("fail_open_hold_timeout");
}
unsigned int
getHoldVerdictPollingTime()
{
return conf_data.getNumericalValue("hold_verdict_polling_time");
}
unsigned int
getHoldVerdictRetries()
{
return conf_data.getNumericalValue("hold_verdict_retries");
}
unsigned int
getMaxSessionsPerMinute()
{

4
attachments/nginx/nginx_attachment_util/nginx_attachment_util_ut/nginx_attachment_util_ut.cc
View File

@@ -66,6 +66,8 @@ TEST_F(HttpAttachmentUtilTest, GetValidAttachmentConfiguration)
"\"static_resources_path\": \"" + static_resources_path + "\",\n"
"\"min_retries_for_verdict\": 1,\n"
"\"max_retries_for_verdict\": 3,\n"
"\"hold_verdict_retries\": 3,\n"
"\"hold_verdict_polling_time\": 1,\n"
"\"body_size_trigger\": 777,\n"
"\"remove_server_header\": 1\n"
"}\n";
@@ -97,6 +99,8 @@ TEST_F(HttpAttachmentUtilTest, GetValidAttachmentConfiguration)
EXPECT_EQ(getWaitingForVerdictThreadTimeout(), 75u);
EXPECT_EQ(getInspectionMode(), ngx_http_inspection_mode::BLOCKING_THREAD);
EXPECT_EQ(getRemoveResServerHeader(), 1u);
EXPECT_EQ(getHoldVerdictRetries(), 3u);
EXPECT_EQ(getHoldVerdictPollingTime(), 1u);
EXPECT_EQ(isDebugContext("1.2.3.4", "5.6.7.8", 80, "GET", "test", "/abc"), 1);
EXPECT_EQ(isDebugContext("1.2.3.9", "5.6.7.8", 80, "GET", "test", "/abc"), 0);

8
build_system/docker/entry.sh
View File

@@ -98,19 +98,19 @@ while true; do
init=true
/etc/cp/watchdog/cp-nano-watchdog >/dev/null 2>&1 &
sleep 5
active_watchdog_pid=$(pgrep -f -x -o "/bin/bash /etc/cp/watchdog/cp-nano-watchdog")
active_watchdog_pid=$(pgrep -f -x -o "/bin/(bash|sh) /etc/cp/watchdog/cp-nano-watchdog")
fi
current_watchdog_pid=$(pgrep -f -x -o "/bin/bash /etc/cp/watchdog/cp-nano-watchdog")
current_watchdog_pid=$(pgrep -f -x -o "/bin/(bash|sh) /etc/cp/watchdog/cp-nano-watchdog")
if [ ! -f /tmp/restart_watchdog ] && [ "$current_watchdog_pid" != "$active_watchdog_pid" ]; then
echo "Error: Watchdog exited abnormally"
exit 1
elif [ -f /tmp/restart_watchdog ]; then
rm -f /tmp/restart_watchdog
kill -9 "$(pgrep -f -x -o "/bin/bash /etc/cp/watchdog/cp-nano-watchdog")"
kill -9 "$(pgrep -f -x -o "/bin/(bash|sh) /etc/cp/watchdog/cp-nano-watchdog")"
/etc/cp/watchdog/cp-nano-watchdog >/dev/null 2>&1 &
sleep 5
active_watchdog_pid=$(pgrep -f -x -o "/bin/bash /etc/cp/watchdog/cp-nano-watchdog")
active_watchdog_pid=$(pgrep -f -x -o "/bin/(bash|sh) /etc/cp/watchdog/cp-nano-watchdog")
fi
sleep 5

24
components/attachment-intakers/nginx_attachment/nginx_attachment.cc
View File

@@ -31,6 +31,7 @@
#include <stdarg.h>
#include <boost/range/iterator_range.hpp>
#include <boost/algorithm/string.hpp>
#include <boost/regex.hpp>
#include "nginx_attachment_config.h"
@@ -260,6 +261,22 @@ public:
);
}
const char* ignored_headers_env = getenv("SAAS_IGNORED_UPSTREAM_HEADERS");
if (ignored_headers_env) {
string ignored_headers_str = ignored_headers_env;
ignored_headers_str = NGEN::Strings::trim(ignored_headers_str);
if (!ignored_headers_str.empty()) {
dbgInfo(D_HTTP_MANAGER)
<< "Ignoring SAAS_IGNORED_UPSTREAM_HEADERS environment variable: "
<< ignored_headers_str;
vector<string> ignored_headers_vec;
boost::split(ignored_headers_vec, ignored_headers_str, boost::is_any_of(";"));
for (const string &header : ignored_headers_vec) ignored_headers.insert(header);
}
}
dbgInfo(D_NGINX_ATTACHMENT) << "Successfully initialized NGINX Attachment";
}
@@ -1034,7 +1051,11 @@ private:
case ChunkType::REQUEST_START:
return handleStartTransaction(data, opaque);
case ChunkType::REQUEST_HEADER:
return handleMultiModifiableChunks(NginxParser::parseRequestHeaders(data), "request header", true);
return handleMultiModifiableChunks(
NginxParser::parseRequestHeaders(data, ignored_headers),
"request header",
true
);
case ChunkType::REQUEST_BODY:
return handleModifiableChunk(NginxParser::parseRequestBody(data), "request body", true);
case ChunkType::REQUEST_END: {
@@ -1814,6 +1835,7 @@ private:
HttpAttachmentConfig attachment_config;
I_MainLoop::RoutineID attachment_routine_id = 0;
bool traffic_indicator = false;
unordered_set<string> ignored_headers;
// Interfaces
I_Socket *i_socket = nullptr;

15
components/attachment-intakers/nginx_attachment/nginx_attachment_config.cc
View File

@@ -240,6 +240,21 @@ HttpAttachmentConfig::setRetriesForVerdict()
"Max retries for verdict"
));
conf_data.setNumericalValue("hold_verdict_retries", getAttachmentConf<uint>(
3,
"agent.retriesForHoldVerdict.nginxModule",
"HTTP manager",
"Retries for hold verdict"
));
conf_data.setNumericalValue("hold_verdict_polling_time", getAttachmentConf<uint>(
1,
"agent.holdVerdictPollingInterval.nginxModule",
"HTTP manager",
"Hold verdict polling interval seconds"
));
conf_data.setNumericalValue("body_size_trigger", getAttachmentConf<uint>(
200000,
"agent.reqBodySizeTrigger.nginxModule",

47
components/attachment-intakers/nginx_attachment/nginx_attachment_opaque.cc
View File

@@ -19,12 +19,15 @@
#include "config.h"
#include "virtual_modifiers.h"
#include "agent_core_utilities.h"
using namespace std;
using namespace boost::uuids;
USE_DEBUG_FLAG(D_HTTP_MANAGER);
extern bool is_keep_alive_ctx;
NginxAttachmentOpaque::NginxAttachmentOpaque(HttpTransactionData _transaction_data)
:
TableOpaqueSerialize<NginxAttachmentOpaque>(this),
@@ -119,3 +122,47 @@ NginxAttachmentOpaque::setSavedData(const string &name, const string &data, EnvK
saved_data[name] = data;
ctx.registerValue(name, data, log_ctx);
}
bool
NginxAttachmentOpaque::setKeepAliveCtx(const string &hdr_key, const string &hdr_val)
{
if (!is_keep_alive_ctx) return false;
static pair<string, string> keep_alive_hdr;
static bool keep_alive_hdr_initialized = false;
if (keep_alive_hdr_initialized) {
if (!keep_alive_hdr.first.empty() && hdr_key == keep_alive_hdr.first && hdr_val == keep_alive_hdr.second) {
dbgTrace(D_HTTP_MANAGER) << "Registering keep alive context";
ctx.registerValue("keep_alive_request_ctx", true);
return true;
}
return false;
}
const char* saas_keep_alive_hdr_name_env = getenv("SAAS_KEEP_ALIVE_HDR_NAME");
if (saas_keep_alive_hdr_name_env) {
keep_alive_hdr.first = NGEN::Strings::trim(saas_keep_alive_hdr_name_env);
dbgInfo(D_HTTP_MANAGER) << "Using SAAS_KEEP_ALIVE_HDR_NAME environment variable: " << keep_alive_hdr.first;
}
if (!keep_alive_hdr.first.empty()) {
const char* saas_keep_alive_hdr_value_env = getenv("SAAS_KEEP_ALIVE_HDR_VALUE");
if (saas_keep_alive_hdr_value_env) {
keep_alive_hdr.second = NGEN::Strings::trim(saas_keep_alive_hdr_value_env);
dbgInfo(D_HTTP_MANAGER)
<< "Using SAAS_KEEP_ALIVE_HDR_VALUE environment variable: "
<< keep_alive_hdr.second;
}
if (!keep_alive_hdr.second.empty() && (hdr_key == keep_alive_hdr.first && hdr_val == keep_alive_hdr.second)) {
dbgTrace(D_HTTP_MANAGER) << "Registering keep alive context";
ctx.registerValue("keep_alive_request_ctx", true);
keep_alive_hdr_initialized = true;
return true;
}
}
keep_alive_hdr_initialized = true;
return false;
}

1
components/attachment-intakers/nginx_attachment/nginx_attachment_opaque.h
View File

@@ -85,6 +85,7 @@ public:
EnvKeyAttr::LogSection log_ctx = EnvKeyAttr::LogSection::NONE
);
void setApplicationState(const ApplicationState &app_state) { application_state = app_state; }
bool setKeepAliveCtx(const std::string &hdr_key, const std::string &hdr_val);
private:
CompressionStream *response_compression_stream;

45
components/attachment-intakers/nginx_attachment/nginx_parser.cc
View File

@@ -29,6 +29,7 @@ USE_DEBUG_FLAG(D_NGINX_ATTACHMENT_PARSER);
Buffer NginxParser::tenant_header_key = Buffer();
static const Buffer proxy_ip_header_key("X-Forwarded-For", 15, Buffer::MemoryType::STATIC);
static const Buffer source_ip("sourceip", 8, Buffer::MemoryType::STATIC);
bool is_keep_alive_ctx = getenv("SAAS_KEEP_ALIVE_HDR_NAME") != nullptr;
map<Buffer, CompressionType> NginxParser::content_encodings = {
{Buffer("identity"), CompressionType::NO_COMPRESSION},
@@ -177,22 +178,54 @@ getActivetenantAndProfile(const string &str, const string &deli = ",")
}
Maybe<vector<HttpHeader>>
NginxParser::parseRequestHeaders(const Buffer &data)
NginxParser::parseRequestHeaders(const Buffer &data, const unordered_set<string> &ignored_headers)
{
auto parsed_headers = genHeaders(data);
if (!parsed_headers.ok()) return parsed_headers.passErr();
auto maybe_parsed_headers = genHeaders(data);
if (!maybe_parsed_headers.ok()) return maybe_parsed_headers.passErr();
auto i_transaction_table = Singleton::Consume<I_TableSpecific<SessionID>>::by<NginxAttachment>();
auto parsed_headers = maybe_parsed_headers.unpack();
NginxAttachmentOpaque &opaque = i_transaction_table->getState<NginxAttachmentOpaque>();
for (const HttpHeader &header : *parsed_headers) {
if (is_keep_alive_ctx || !ignored_headers.empty()) {
bool is_last_header_removed = false;
parsed_headers.erase(
remove_if(
parsed_headers.begin(),
parsed_headers.end(),
[&opaque, &is_last_header_removed, &ignored_headers](const HttpHeader &header)
{
string hdr_key = static_cast<string>(header.getKey());
string hdr_val = static_cast<string>(header.getValue());
if (
opaque.setKeepAliveCtx(hdr_key, hdr_val)
|| ignored_headers.find(hdr_key) != ignored_headers.end()
) {
dbgTrace(D_NGINX_ATTACHMENT_PARSER) << "Header was removed from headers list: " << hdr_key;
if (header.isLastHeader()) {
dbgTrace(D_NGINX_ATTACHMENT_PARSER) << "Last header was removed from headers list";
is_last_header_removed = true;
}
return true;
}
return false;
}
),
parsed_headers.end()
);
if (is_last_header_removed) {
dbgTrace(D_NGINX_ATTACHMENT_PARSER) << "Adjusting last header flag";
if (!parsed_headers.empty()) parsed_headers.back().setIsLastHeader();
}
}
for (const HttpHeader &header : parsed_headers) {
auto source_identifiers = getConfigurationWithDefault<UsersAllIdentifiersConfig>(
UsersAllIdentifiersConfig(),
"rulebase",
"usersIdentifiers"
);
source_identifiers.parseRequestHeaders(header);
NginxAttachmentOpaque &opaque = i_transaction_table->getState<NginxAttachmentOpaque>();
opaque.addToSavedData(
HttpTransactionData::req_headers,
static_cast<string>(header.getKey()) + ": " + static_cast<string>(header.getValue()) + "\r\n"

5
components/attachment-intakers/nginx_attachment/nginx_parser.h
View File

@@ -28,7 +28,10 @@ public:
static Maybe<HttpTransactionData> parseStartTrasaction(const Buffer &data);
static Maybe<ResponseCode> parseResponseCode(const Buffer &data);
static Maybe<uint64_t> parseContentLength(const Buffer &data);
static Maybe<std::vector<HttpHeader>> parseRequestHeaders(const Buffer &data);
static Maybe<std::vector<HttpHeader>> parseRequestHeaders(
const Buffer &data,
const std::unordered_set<std::string> &ignored_headers
);
static Maybe<std::vector<HttpHeader>> parseResponseHeaders(const Buffer &data);
static Maybe<HttpBody> parseRequestBody(const Buffer &data);
static Maybe<HttpBody> parseResponseBody(const Buffer &raw_response_body, CompressionStream *compression_stream);

30
components/http_manager/http_manager.cc
View File

@@ -15,18 +15,14 @@
#include <string>
#include <map>
#include <sys/stat.h>
#include <climits>
#include <unordered_map>
#include <unordered_set>
#include <boost/range/iterator_range.hpp>
#include <boost/algorithm/string.hpp>
#include <fstream>
#include <algorithm>
#include "common.h"
#include "config.h"
#include "table_opaque.h"
#include "http_manager_opaque.h"
#include "log_generator.h"
#include "http_inspection_events.h"
@@ -69,22 +65,6 @@ public:
i_transaction_table = Singleton::Consume<I_Table>::by<HttpManager>();
Singleton::Consume<I_Logging>::by<HttpManager>()->addGeneralModifier(compressAppSecLogs);
const char* ignored_headers_env = getenv("SAAS_IGNORED_UPSTREAM_HEADERS");
if (ignored_headers_env) {
string ignored_headers_str = ignored_headers_env;
ignored_headers_str = NGEN::Strings::removeTrailingWhitespaces(ignored_headers_str);
if (!ignored_headers_str.empty()) {
dbgInfo(D_HTTP_MANAGER)
<< "Ignoring SAAS_IGNORED_UPSTREAM_HEADERS environment variable: "
<< ignored_headers_str;
vector<string> ignored_headers_vec;
boost::split(ignored_headers_vec, ignored_headers_str, boost::is_any_of(";"));
for (const string &header : ignored_headers_vec) ignored_headers.insert(header);
}
}
}
FilterVerdict
@@ -109,19 +89,12 @@ public:
return FilterVerdict(default_verdict);
}
if (is_request && ignored_headers.find(static_cast<string>(event.getKey())) != ignored_headers.end()) {
dbgTrace(D_HTTP_MANAGER)
<< "Ignoring header key - "
<< static_cast<string>(event.getKey())
<< " - as it is in the ignored headers list";
return FilterVerdict(ngx_http_cp_verdict_e::TRAFFIC_VERDICT_INSPECT);
}
ScopedContext ctx;
ctx.registerValue(app_sec_marker_key, i_transaction_table->keyToString(), EnvKeyAttr::LogSection::MARKER);
HttpManagerOpaque &state = i_transaction_table->getState<HttpManagerOpaque>();
string event_key = static_cast<string>(event.getKey());
if (event_key == getProfileAgentSettingWithDefault<string>("", "agent.customHeaderValueLogging")) {
string event_value = static_cast<string>(event.getValue());
dbgTrace(D_HTTP_MANAGER)
@@ -421,7 +394,6 @@ private:
I_Table *i_transaction_table;
static const ngx_http_cp_verdict_e default_verdict;
static const string app_sec_marker_key;
unordered_set<string> ignored_headers;
};
const ngx_http_cp_verdict_e HttpManager::Impl::default_verdict(ngx_http_cp_verdict_e::TRAFFIC_VERDICT_DROP);

1
components/include/http_event_impl/i_http_event_impl.h
View File

@@ -239,6 +239,7 @@ public:
const Buffer & getValue() const { return value; }
bool isLastHeader() const { return is_last_header; }
void setIsLastHeader() { is_last_header = true; }
uint8_t getHeaderIndex() const { return header_index; }
private:

1
components/include/manifest_handler.h
View File

@@ -62,6 +62,7 @@ public:
private:
Maybe<std::string> downloadPackage(const Package &package, bool is_clean_installation);
std::string getCurrentTimestamp();
std::string manifest_file_path;
std::string temp_ext;

49
components/include/telemetry.h
View File

@@ -30,6 +30,7 @@
#include "generic_metric.h"
#define LOGGING_INTERVAL_IN_MINUTES 10
USE_DEBUG_FLAG(D_WAAP);
enum class AssetType { API, WEB, ALL, COUNT };
class WaapTelemetryEvent : public Event<WaapTelemetryEvent>
@@ -132,6 +133,7 @@ private:
std::map<std::string, std::shared_ptr<T>>& telemetryMap
) {
if (!telemetryMap.count(asset_id)) {
dbgTrace(D_WAAP) << "creating telemetry data for asset: " << data.assetName;
telemetryMap.emplace(asset_id, std::make_shared<T>());
telemetryMap[asset_id]->init(
telemetryName,
@@ -139,7 +141,9 @@ private:
ReportIS::IssuingEngine::AGENT_CORE,
std::chrono::minutes(LOGGING_INTERVAL_IN_MINUTES),
true,
ReportIS::Audience::SECURITY
ReportIS::Audience::SECURITY,
false,
asset_id
);
telemetryMap[asset_id]->template registerContext<std::string>(
@@ -152,29 +156,30 @@ private:
std::string("Web Application"),
EnvKeyAttr::LogSection::SOURCE
);
telemetryMap[asset_id]->template registerContext<std::string>(
"assetId",
asset_id,
EnvKeyAttr::LogSection::SOURCE
);
telemetryMap[asset_id]->template registerContext<std::string>(
"assetName",
data.assetName,
EnvKeyAttr::LogSection::SOURCE
);
telemetryMap[asset_id]->template registerContext<std::string>(
"practiceId",
data.practiceId,
EnvKeyAttr::LogSection::SOURCE
);
telemetryMap[asset_id]->template registerContext<std::string>(
"practiceName",
data.practiceName,
EnvKeyAttr::LogSection::SOURCE
);
telemetryMap[asset_id]->registerListener();
}
dbgTrace(D_WAAP) << "updating telemetry data for asset: " << data.assetName;
telemetryMap[asset_id]->template registerContext<std::string>(
"assetId",
asset_id,
EnvKeyAttr::LogSection::SOURCE
);
telemetryMap[asset_id]->template registerContext<std::string>(
"assetName",
data.assetName,
EnvKeyAttr::LogSection::SOURCE
);
telemetryMap[asset_id]->template registerContext<std::string>(
"practiceId",
data.practiceId,
EnvKeyAttr::LogSection::SOURCE
);
telemetryMap[asset_id]->template registerContext<std::string>(
"practiceName",
data.practiceName,
EnvKeyAttr::LogSection::SOURCE
);
}
};

4
components/include/waap.h
View File

@@ -33,6 +33,7 @@ class I_WaapAssetStatesManager;
class I_Messaging;
class I_AgentDetails;
class I_Encryptor;
class I_WaapModelResultLogger;
const std::string WAAP_APPLICATION_NAME = "waap application";
@@ -50,7 +51,8 @@ class WaapComponent
Singleton::Consume<I_AgentDetails>,
Singleton::Consume<I_Messaging>,
Singleton::Consume<I_Encryptor>,
Singleton::Consume<I_Environment>
Singleton::Consume<I_Environment>,
Singleton::Consume<I_WaapModelResultLogger>
{
public:
WaapComponent();

7
components/security_apps/local_policy_mgmt_gen/appsec_practice_section.cc
View File

@@ -497,7 +497,8 @@ WebAppSection::WebAppSection(
const AppsecPracticeAntiBotSection &_anti_bots,
const LogTriggerSection &parsed_log_trigger,
const AppSecTrustedSources &parsed_trusted_sources,
const NewAppSecWebAttackProtections &protections)
const NewAppSecWebAttackProtections &protections,
const vector<InnerException> &exceptions)
:
application_urls(_application_urls),
asset_id(_asset_id),
@@ -541,6 +542,10 @@ WebAppSection::WebAppSection(
overrides.push_back(AppSecOverride(source_ident));
}
for (const auto &exception : exceptions) {
overrides.push_back(AppSecOverride(exception));
}
}
// LCOV_EXCL_STOP

3
components/security_apps/local_policy_mgmt_gen/include/appsec_practice_section.h
View File

@@ -298,7 +298,8 @@ public:
const AppsecPracticeAntiBotSection &_anti_bots,
const LogTriggerSection &parsed_log_trigger,
const AppSecTrustedSources &parsed_trusted_sources,
const NewAppSecWebAttackProtections &protections);
const NewAppSecWebAttackProtections &protections,
const std::vector<InnerException> &exceptions);
void save(cereal::JSONOutputArchive &out_ar) const;

1
components/security_apps/local_policy_mgmt_gen/include/policy_activation_data.h
View File

@@ -45,7 +45,6 @@ public:
private:
std::string name;
std::string mode;
std::vector<std::string> hosts;
};

3
components/security_apps/local_policy_mgmt_gen/include/policy_maker_utils.h
View File

@@ -206,7 +206,8 @@ private:
const RulesConfigRulebase& rule_config,
const std::string &practice_id, const std::string &full_url,
const std::string &default_mode,
std::map<AnnotationTypes, std::string> &rule_annotations
std::map<AnnotationTypes, std::string> &rule_annotations,
std::vector<InnerException>
);
void

8
components/security_apps/local_policy_mgmt_gen/k8s_policy_utils.cc
View File

@@ -698,8 +698,12 @@ K8sPolicyUtils::createAppsecPolicies()
}
}
auto maybe_policy_activation =
getObjectFromCluster<PolicyActivationData>("/apis/openappsec.io/v1beta2/policyactivations");
string ns_suffix = getAppSecScopeType() == "namespaced" ? "ns" : "";
string ns = getAppSecScopeType() == "namespaced" ? "namespaces/" : "";
auto maybe_policy_activation = getObjectFromCluster<PolicyActivationData>(
"/apis/openappsec.io/v1beta2/" + ns + agent_ns + "policyactivations" + ns_suffix
);
if (!maybe_policy_activation.ok()) {
dbgWarning(D_LOCAL_POLICY)

2
components/security_apps/local_policy_mgmt_gen/new_trusted_sources.cc
View File

@@ -69,7 +69,7 @@ Identifier::load(cereal::JSONInputArchive &archive_in)
dbgWarning(D_LOCAL_POLICY) << "AppSec identifier invalid: " << identifier;
identifier = "sourceip";
}
parseMandatoryAppsecJSONKey<vector<string>>("value", value, archive_in);
parseAppsecJSONKey<vector<string>>("value", value, archive_in);
}
const string &

13
components/security_apps/local_policy_mgmt_gen/policy_activation_data.cc
View File

@@ -18,14 +18,6 @@ using namespace std;
USE_DEBUG_FLAG(D_LOCAL_POLICY);
static const set<string> valid_modes = {
"prevent-learn",
"detect-learn",
"prevent",
"detect",
"inactive"
};
void
PolicyActivationMetadata::load(cereal::JSONInputArchive &archive_in)
{
@@ -39,11 +31,6 @@ EnabledPolicy::load(cereal::JSONInputArchive &archive_in)
dbgTrace(D_LOCAL_POLICY) << "Loading policyActivation enabled policy";
parseMandatoryAppsecJSONKey<vector<string>>("hosts", hosts, archive_in);
parseAppsecJSONKey<string>("name", name, archive_in);
parseAppsecJSONKey<string>("mode", mode, archive_in, "detect");
if (valid_modes.count(mode) == 0) {
dbgWarning(D_LOCAL_POLICY) << "AppSec policy activation mode invalid: " << mode;
mode = "detect";
}
}
const string &

10
components/security_apps/local_policy_mgmt_gen/policy_maker_utils.cc
View File

@@ -928,7 +928,6 @@ createMultiRulesSections(
PracticeSection practice = PracticeSection(practice_id, practice_type, practice_name);
vector<ParametersSection> exceptions_result;
for (auto exception : exceptions) {
const auto &exception_name = exception.first;
for (const auto &inner_exception : exception.second) {
exceptions_result.push_back(ParametersSection(inner_exception.getBehaviorId(), exception_name));
@@ -1220,7 +1219,8 @@ PolicyMakerUtils::createWebAppSection(
const string &practice_id,
const string &full_url,
const string &default_mode,
map<AnnotationTypes, string> &rule_annotations)
map<AnnotationTypes, string> &rule_annotations,
vector<InnerException> rule_inner_exceptions)
{
auto apssec_practice =
getAppsecPracticeSpec<V1beta2AppsecLinuxPolicy, NewAppSecPracticeSpec>(
@@ -1255,7 +1255,8 @@ PolicyMakerUtils::createWebAppSection(
apssec_practice.getAntiBot(),
log_triggers[rule_annotations[AnnotationTypes::TRIGGER]],
trusted_sources[rule_annotations[AnnotationTypes::TRUSTED_SOURCES]],
apssec_practice.getWebAttacks().getProtections()
apssec_practice.getWebAttacks().getProtections(),
rule_inner_exceptions
);
web_apps[rule_config.getAssetName()] = web_app;
}
@@ -1366,7 +1367,8 @@ PolicyMakerUtils::createThreatPreventionPracticeSections(
practice_id,
asset_name,
default_mode,
rule_annotations);
rule_annotations,
inner_exceptions[rule_annotations[AnnotationTypes::EXCEPTION]]);
}
}

18
components/security_apps/orchestration/manifest_controller/manifest_controller.cc
View File

@@ -100,6 +100,7 @@ private:
string packages_dir;
string orch_service_name;
set<string> ignore_packages;
Maybe<string> forbidden_versions = genError("Forbidden versions file does not exist");
};
void
@@ -135,7 +136,8 @@ ManifestController::Impl::init()
"Ignore packages list file path"
);
if (Singleton::Consume<I_OrchestrationTools>::by<ManifestController>()->doesFileExist(ignore_packages_path)) {
auto orchestration_tools = Singleton::Consume<I_OrchestrationTools>::by<ManifestController>();
if (orchestration_tools->doesFileExist(ignore_packages_path)) {
try {
ifstream input_stream(ignore_packages_path);
if (!input_stream) {
@@ -156,6 +158,9 @@ ManifestController::Impl::init()
<< " Error: " << f.what();
}
}
const string forbidden_versions_path = getFilesystemPathConfig() + "/revert/forbidden_versions";
forbidden_versions = orchestration_tools->readFile(forbidden_versions_path);
}
bool
@@ -271,6 +276,17 @@ ManifestController::Impl::updateManifest(const string &new_manifest_file)
}
map<string, Package> new_packages = parsed_manifest.unpack();
if (!new_packages.empty()) {
const Package &package = new_packages.begin()->second;
if (forbidden_versions.ok() &&
forbidden_versions.unpack().find(package.getVersion()) != string::npos
) {
dbgWarning(D_ORCHESTRATOR)
<< "Packages version is in the forbidden versions list. No upgrade will be performed.";
return true;
}
}
map<string, Package> all_packages = parsed_manifest.unpack();
map<string, Package> current_packages;
parsed_manifest = orchestration_tools->loadPackagesFromJson(manifest_file_path);

152
components/security_apps/orchestration/manifest_controller/manifest_controller_ut/manifest_controller_ut.cc
View File

@@ -58,6 +58,9 @@ public:
Debug::setUnitTestFlag(D_ORCHESTRATOR, Debug::DebugLevel::TRACE);
const string ignore_packages_file = "/etc/cp/conf/ignore-packages.txt";
EXPECT_CALL(mock_orchestration_tools, doesFileExist(ignore_packages_file)).WillOnce(Return(false));
Maybe<string> forbidden_versions(string("a1\na2"));
EXPECT_CALL(mock_orchestration_tools, readFile("/etc/cp/revert/forbidden_versions"))
.WillOnce(Return(forbidden_versions));
manifest_controller.init();
manifest_file_path = getConfigurationWithDefault<string>(
"/etc/cp/conf/manifest.json",
@@ -224,6 +227,10 @@ TEST_F(ManifestControllerTest, createNewManifest)
EXPECT_CALL(mock_orchestration_tools, copyFile(file_name, manifest_file_path)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, isNonEmptyFile(manifest_file_path)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, removeFile(file_name)).WillOnce(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(false));
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
}
@@ -363,6 +370,11 @@ TEST_F(ManifestControllerTest, updateManifest)
EXPECT_CALL(mock_orchestration_tools, isNonEmptyFile(manifest_file_path)).Times(2).WillRepeatedly(Return(true));
EXPECT_CALL(mock_orchestration_tools, removeFile(file_name)).Times(2).WillRepeatedly(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(false));
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
manifest =
@@ -417,6 +429,9 @@ TEST_F(ManifestControllerTest, updateManifest)
EXPECT_CALL(mock_orchestration_tools, loadPackagesFromJson(file_name)).WillOnce(Return(new_services));
EXPECT_CALL(mock_orchestration_tools,
loadPackagesFromJson(manifest_file_path)).WillOnce(Return(old_services));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillRepeatedly(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
}
@@ -478,6 +493,11 @@ TEST_F(ManifestControllerTest, selfUpdate)
EXPECT_CALL(mock_orchestration_tools, copyFile("/tmp/temp_file", path +
temp_ext)).WillOnce(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(false));
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
}
@@ -607,6 +627,10 @@ TEST_F(ManifestControllerTest, removeCurrentErrorPackage)
EXPECT_CALL(mock_orchestration_tools, isNonEmptyFile(manifest_file_path)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, removeFile(file_name)).WillOnce(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(false));
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
corrupted_packages.clear();
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
}
@@ -666,6 +690,10 @@ TEST_F(ManifestControllerTest, selfUpdateWithOldCopy)
EXPECT_CALL(mock_orchestration_tools, copyFile("/tmp/temp_file", path +
temp_ext)).WillOnce(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(false));
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
}
@@ -722,6 +750,10 @@ TEST_F(ManifestControllerTest, selfUpdateWithOldCopyWithError)
EXPECT_CALL(mock_orchestration_tools, doesFileExist(path)).WillOnce(Return(false)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, copyFile(path, path + backup_ext + temp_ext)).WillOnce(Return(false));
EXPECT_CALL(mock_details_resolver, getHostname()).WillOnce(Return(hostname));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(false));
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_FALSE(i_manifest_controller->updateManifest(file_name));
}
@@ -798,6 +830,10 @@ TEST_F(ManifestControllerTest, installAndRemove)
EXPECT_CALL(mock_orchestration_tools, isNonEmptyFile(manifest_file_path)).Times(2).WillRepeatedly(Return(true));
EXPECT_CALL(mock_orchestration_tools, removeFile(file_name)).Times(2).WillRepeatedly(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(false));
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
string new_manifest =
@@ -858,6 +894,63 @@ TEST_F(ManifestControllerTest, installAndRemove)
.WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/packages/my1/my1")).Times(2)
.WillOnce(Return(false));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillRepeatedly(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
}
TEST_F(ManifestControllerTest, manifestWithForbiddenVersion)
{
new_services.clear();
old_services.clear();
string manifest =
"{"
" \"packages\": ["
" {"
" \"download-path\": \"http://172.23.92.135/my.sh\","
" \"relative-path\": \"\","
" \"name\": \"my\","
" \"version\": \"a1\","
" \"checksum-type\": \"sha1sum\","
" \"checksum\": \"a58bbab8020b0e6d08568714b5e582a3adf9c805\","
" \"package-type\": \"service\","
" \"require\": []"
" },"
" {"
" \"download-path\": \"http://172.23.92.135/my.sh\","
" \"relative-path\": \"\","
" \"name\": \"orchestration\","
" \"version\": \"a1\","
" \"checksum-type\": \"sha1sum\","
" \"checksum\": \"a58bbab8020b0e6d08568714b5e582a3adf9c805\","
" \"package-type\": \"service\","
" \"require\": []"
" },"
" {"
" \"download-path\": \"\","
" \"relative-path\": \"\","
" \"name\": \"waap\","
" \"version\": \"a1\","
" \"checksum-type\": \"sha1sum\","
" \"checksum\": \"\","
" \"package-type\": \"service\","
" \"status\": false,\n"
" \"message\": \"This security app isn't valid for this agent\"\n"
" }"
" ]"
"}";
map<string, Package> manifest_services;
load(manifest, manifest_services);
checkIfFileExistsCall(manifest_services.at("my"));
load(manifest, new_services);
load(old_manifest, old_services);
EXPECT_CALL(mock_orchestration_tools, loadPackagesFromJson(file_name)).WillOnce(Return(new_services));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
}
@@ -947,6 +1040,10 @@ TEST_F(ManifestControllerTest, badInstall)
EXPECT_CALL(mock_orchestration_tools,
packagesToJsonFile(corrupted_packages, corrupted_file_list)).WillOnce(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(false));
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_FALSE(i_manifest_controller->updateManifest(file_name));
}
@@ -1112,6 +1209,12 @@ TEST_F(ManifestControllerTest, requireUpdate)
.WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, isNonEmptyFile(manifest_file_path)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, removeFile("new_manifest.json")).WillOnce(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillRepeatedly(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status"))
.WillOnce(Return(false))
.WillRepeatedly(Return(true));;
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
}
@@ -1212,6 +1315,10 @@ TEST_F(ManifestControllerTest, sharedObjectNotInstalled)
).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, copyFile("/tmp/temp_file1", path +
temp_ext)).WillOnce(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(false));
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
}
@@ -1313,6 +1420,12 @@ TEST_F(ManifestControllerTest, requireSharedObjectUpdate)
.WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, removeFile("new_manifest.json"))
.WillOnce(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillRepeatedly(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status"))
.WillOnce(Return(false))
.WillRepeatedly(Return(true));;
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
}
@@ -1389,6 +1502,7 @@ TEST_F(ManifestControllerTest, failureOnDownloadSharedObject)
EXPECT_CALL(mock_details_resolver, getHostname()).WillOnce(Return(string("hostname")));
EXPECT_CALL(mock_orchestration_tools, removeFile("/tmp/temp_file1")).WillOnce(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillRepeatedly(Return("b"));
EXPECT_FALSE(i_manifest_controller->updateManifest(file_name));
}
@@ -1524,6 +1638,12 @@ TEST_F(ManifestControllerTest, multiRequireUpdate)
.WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, removeFile("new_manifest.json"))
.WillOnce(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillRepeatedly(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status"))
.WillOnce(Return(false))
.WillRepeatedly(Return(true));;
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
}
@@ -1610,6 +1730,12 @@ TEST_F(ManifestControllerTest, createNewManifestWithUninstallablePackage)
EXPECT_CALL(mock_orchestration_tools, isNonEmptyFile(manifest_file_path)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, removeFile(file_name)).WillOnce(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillRepeatedly(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status"))
.WillOnce(Return(false))
.WillRepeatedly(Return(true));;
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
}
@@ -1624,7 +1750,7 @@ TEST_F(ManifestControllerTest, updateUninstallPackage)
" \"download-path\": \"\","
" \"relative-path\": \"\","
" \"name\": \"my\","
" \"version\": \"\","
" \"version\": \"c\","
" \"checksum-type\": \"sha1sum\","
" \"checksum\": \"\","
" \"package-type\": \"service\","
@@ -1721,6 +1847,11 @@ TEST_F(ManifestControllerTest, updateUninstallPackage)
EXPECT_CALL(mock_orchestration_tools, loadPackagesFromJson(file_name)).WillOnce(Return(new_services));
EXPECT_CALL(mock_orchestration_tools,
loadPackagesFromJson(manifest_file_path)).WillOnce(Return(old_services));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(false));
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
}
@@ -1744,6 +1875,9 @@ public:
setConfiguration<string>(ignore_packages_file, "orchestration", "Ignore packages list file path");
writeIgnoreList(ignore_packages_file, ignore_services);
EXPECT_CALL(mock_orchestration_tools, doesFileExist(ignore_packages_file)).WillOnce(Return(true));
Maybe<string> forbidden_versions(string("a1\na2"));
EXPECT_CALL(mock_orchestration_tools, readFile("/etc/cp/revert/forbidden_versions"))
.WillOnce(Return(forbidden_versions));
manifest_controller.init();
manifest_file_path = getConfigurationWithDefault<string>(
"/etc/cp/conf/manifest.json",
@@ -1839,6 +1973,7 @@ public:
StrictMock<MockOrchestrationStatus> mock_status;
StrictMock<MockDownloader> mock_downloader;
StrictMock<MockOrchestrationTools> mock_orchestration_tools;
StrictMock<MockDetailsResolver> mock_details_resolver;
NiceMock<MockShellCmd> mock_shell_cmd;
ManifestController manifest_controller;
@@ -2122,6 +2257,12 @@ TEST_F(ManifestControllerIgnorePakckgeTest, addIgnorePackageAndUpdateNormal)
EXPECT_CALL(mock_orchestration_tools, isNonEmptyFile(manifest_file_path)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, removeFile(file_name)).WillOnce(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillRepeatedly(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status"))
.WillOnce(Return(false))
.WillRepeatedly(Return(true));;
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
}
@@ -2387,6 +2528,12 @@ TEST_F(ManifestControllerIgnorePakckgeTest, overrideIgnoredPackageFromProfileSet
EXPECT_CALL(mock_orchestration_tools, isNonEmptyFile(manifest_file_path)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, removeFile(file_name)).WillOnce(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillRepeatedly(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status"))
.WillOnce(Return(false))
.WillRepeatedly(Return(true));;
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
EXPECT_THAT(capture_debug.str(), Not(HasSubstr("Ignoring a package from the manifest. Package name: my")));
@@ -2411,6 +2558,9 @@ public:
doesFileExist("/etc/cp/conf/ignore-packages.txt")
).WillOnce(Return(false));
Maybe<string> forbidden_versions(string("a1\na2"));
EXPECT_CALL(mock_orchestration_tools, readFile("/etc/cp/revert/forbidden_versions"))
.WillOnce(Return(forbidden_versions));
manifest_controller.init();
}

25
components/security_apps/orchestration/manifest_controller/manifest_handler.cc
View File

@@ -14,6 +14,7 @@
#include "manifest_handler.h"
#include <algorithm>
#include <ctime>
#include "debug.h"
#include "config.h"
@@ -201,18 +202,29 @@ ManifestHandler::installPackage(
auto span_scope = i_env->startNewSpanScope(Span::ContextType::CHILD_OF);
auto orchestration_status = Singleton::Consume<I_OrchestrationStatus>::by<ManifestHandler>();
auto details_resolver = Singleton::Consume<I_DetailsResolver>::by<ManifestHandler>();
auto orchestration_tools = Singleton::Consume<I_OrchestrationTools>::by<ManifestHandler>();
auto &package = package_downloaded_file.first;
auto &package_name = package.getName();
auto &package_handler_path = package_downloaded_file.second;
dbgInfo(D_ORCHESTRATOR) << "Handling package installation. Package: " << package_name;
string upgrade_info =
details_resolver->getAgentVersion() + " " + package.getVersion() + " " + getCurrentTimestamp();
if (!orchestration_tools->doesFileExist(getFilesystemPathConfig() + "/revert/upgrade_status") &&
!orchestration_tools->writeFile(upgrade_info, getFilesystemPathConfig() + "/revert/upgrade_status")
) {
dbgWarning(D_ORCHESTRATOR) << "Failed to write to " + getFilesystemPathConfig() + "/revert/upgrade_status";
}
if (package_name.compare(orch_service_name) == 0) {
orchestration_status->writeStatusToFile();
bool self_update_status = selfUpdate(package, current_packages, package_handler_path);
if (!self_update_status) {
auto details = Singleton::Consume<I_AgentDetails>::by<ManifestHandler>();
auto hostname = Singleton::Consume<I_DetailsResolver>::by<ManifestHandler>()->getHostname();
auto hostname = details_resolver->getHostname();
string err_hostname = (hostname.ok() ? "on host '" + *hostname : "'" + details->getAgentId()) + "'";
string install_error =
"Warning: Agent/Gateway " +
@@ -246,7 +258,6 @@ ManifestHandler::installPackage(
return true;
}
string current_installation_file = packages_dir + "/" + package_name + "/" + package_name;
auto orchestration_tools = Singleton::Consume<I_OrchestrationTools>::by<ManifestHandler>();
bool is_clean_installation = !orchestration_tools->doesFileExist(current_installation_file);
@@ -368,3 +379,13 @@ ManifestHandler::selfUpdate(
package_handler->preInstallPackage(orch_service_name, current_installation_file) &&
package_handler->installPackage(orch_service_name, current_installation_file, false);
}
string
ManifestHandler::getCurrentTimestamp()
{
time_t now = time(nullptr);
tm* now_tm = localtime(&now);
char timestamp[20];
strftime(timestamp, sizeof(timestamp), "%Y-%m-%d %H:%M:%S", now_tm);
return string(timestamp);
}

137
components/security_apps/orchestration/orchestration_comp.cc
View File

@@ -55,6 +55,8 @@ USE_DEBUG_FLAG(D_ORCHESTRATOR);
static string fw_last_update_time = "";
#endif // gaia || smb
static const size_t MAX_SERVER_NAME_LENGTH = 253;
class SetAgentUninstall
:
public ServerRest,
@@ -103,6 +105,19 @@ public:
<< "Initializing Orchestration component, file system path prefix: "
<< filesystem_prefix;
int check_upgrade_success_interval = getSettingWithDefault<uint>(10, "successUpgradeInterval");
Singleton::Consume<I_MainLoop>::by<OrchestrationComp>()->addOneTimeRoutine(
I_MainLoop::RoutineType::Timer,
[this, check_upgrade_success_interval]()
{
Singleton::Consume<I_MainLoop>::by<OrchestrationComp>()->yield(
std::chrono::minutes(check_upgrade_success_interval)
);
processUpgradeCompletion();
},
"Orchestration successfully updated (One-Time After Interval)",
true
);
auto orch_policy = loadDefaultOrchestrationPolicy();
if (!orch_policy.ok()) {
dbgWarning(D_ORCHESTRATOR) << "Failed to load Orchestration Policy. Error: " << orch_policy.getErr();
@@ -141,6 +156,113 @@ public:
}
private:
void
saveLastKnownOrchInfo(string curr_agent_version)
{
static const string upgrades_dir = filesystem_prefix + "/revert";
static const string last_known_orchestrator = upgrades_dir + "/last_known_working_orchestrator";
static const string current_orchestration_package =
filesystem_prefix + "/packages/orchestration/orchestration";
static const string last_known_manifest = upgrades_dir + "/last_known_manifest";
static const string current_manifest_file = getConfigurationWithDefault<string>(
filesystem_prefix + "/conf/manifest.json",
"orchestration",
"Manifest file path"
);
if (!i_orchestration_tools->copyFile(current_orchestration_package, last_known_orchestrator)) {
dbgWarning(D_ORCHESTRATOR) << "Failed to copy the orchestration package to " << upgrades_dir;
} else {
dbgInfo(D_ORCHESTRATOR) << "last known orchestrator version updated to: " << curr_agent_version;
}
if (!i_orchestration_tools->copyFile(current_manifest_file, last_known_manifest)) {
dbgWarning(D_ORCHESTRATOR) << "Failed to copy " << current_manifest_file << " to " << upgrades_dir;
} else {
dbgInfo(D_ORCHESTRATOR) << "last known manifest updated";
}
return;
}
void
processUpgradeCompletion()
{
if (!is_first_check_update_success) {
int check_upgrade_success_interval = getSettingWithDefault<uint>(10, "successUpgradeInterval");
// LCOV_EXCL_START
Singleton::Consume<I_MainLoop>::by<OrchestrationComp>()->addOneTimeRoutine(
I_MainLoop::RoutineType::Timer,
[this, check_upgrade_success_interval]()
{
Singleton::Consume<I_MainLoop>::by<OrchestrationComp>()->yield(
std::chrono::minutes(check_upgrade_success_interval)
);
processUpgradeCompletion();
},
"Orchestration successfully updated",
true
);
// LCOV_EXCL_STOP
return;
}
static const string upgrades_dir = filesystem_prefix + "/revert";
static const string upgrade_status = upgrades_dir + "/upgrade_status";
static const string last_known_orchestrator = upgrades_dir + "/last_known_working_orchestrator";
static const string upgrade_failure_info_path = upgrades_dir + "/failed_upgrade_info";
I_DetailsResolver *i_details_resolver = Singleton::Consume<I_DetailsResolver>::by<OrchestrationComp>();
bool is_upgrade_status_exist = i_orchestration_tools->doesFileExist(upgrade_status);
bool is_last_known_orchestrator_exist = i_orchestration_tools->doesFileExist(last_known_orchestrator);
if (!is_upgrade_status_exist) {
if (!is_last_known_orchestrator_exist) {
saveLastKnownOrchInfo(i_details_resolver->getAgentVersion());
}
return;
}
auto maybe_upgrade_data = i_orchestration_tools->readFile(upgrade_status);
string upgrade_data, from_version, to_version;
if (maybe_upgrade_data.ok()) {
upgrade_data = maybe_upgrade_data.unpack();
istringstream stream(upgrade_data);
stream >> from_version >> to_version;
}
i_orchestration_tools->removeFile(upgrade_status);
if (i_orchestration_tools->doesFileExist(upgrade_failure_info_path)) {
string info = "Orchestration revert. ";
auto failure_info = i_orchestration_tools->readFile(upgrade_failure_info_path);
if (failure_info.ok()) info.append(failure_info.unpack());
LogGen(
info,
ReportIS::Level::ACTION,
ReportIS::Audience::INTERNAL,
ReportIS::Severity::CRITICAL,
ReportIS::Priority::URGENT,
ReportIS::Tags::ORCHESTRATOR
);
dbgError(D_ORCHESTRATOR) <<
"Error in orchestration version: " << to_version <<
". Orchestration reverted to version: " << i_details_resolver->getAgentVersion();
i_orchestration_tools->removeFile(upgrade_failure_info_path);
return;
}
saveLastKnownOrchInfo(i_details_resolver->getAgentVersion());
i_orchestration_tools->writeFile(
upgrade_data + "\n",
getLogFilesPathConfig() + "/nano_agent/prev_upgrades",
true
);
dbgWarning(D_ORCHESTRATOR) <<
"Upgrade process from version: " << from_version <<
" to version: " << to_version <<
" completed successfully";
}
Maybe<void>
registerToTheFog()
{
@@ -1022,6 +1144,7 @@ private:
UpdatesProcessResult::SUCCESS,
UpdatesConfigType::GENERAL
).notify();
if (!is_first_check_update_success) is_first_check_update_success = true;
return Maybe<void>();
}
@@ -1389,6 +1512,8 @@ private:
agent_data_report << AgentReportFieldWithLabel("userEdition", FogCommunication::getUserEdition());
agent_data_report << make_pair("registeredServer", i_agent_details->getRegisteredServer());
#if defined(gaia) || defined(smb)
if (i_details_resolver->compareCheckpointVersion(8100, greater_equal<int>())) {
agent_data_report << AgentReportFieldWithLabel("isCheckpointVersionGER81", "true");
@@ -1403,6 +1528,7 @@ private:
} else {
curr_agent_data_report = agent_data_report;
curr_agent_data_report.disableReportSending();
agent_data_report << AgentReportFieldWithLabel("report_timestamp", i_time->getWalltimeStr());
}
}
@@ -1549,6 +1675,11 @@ private:
<< LogField("agentType", "Orchestration")
<< LogField("agentVersion", Version::get());
string registered_server = getAttribute("registered-server", "registered_server");
dbgTrace(D_ORCHESTRATOR) << "Registered server: " << registered_server;
if (!registered_server.empty()) {
i_agent_details->setRegisteredServer(registered_server.substr(0, MAX_SERVER_NAME_LENGTH));
}
auto mainloop = Singleton::Consume<I_MainLoop>::by<OrchestrationComp>();
mainloop->addOneTimeRoutine(
I_MainLoop::RoutineType::Offline,
@@ -1629,7 +1760,7 @@ private:
}
}
string server_name = getAttribute("registered-server", "registered_server");
string server_name = Singleton::Consume<I_AgentDetails>::by<OrchestrationComp>()->getRegisteredServer();
auto server = TagAndEnumManagement::convertStringToTag(server_name);
if (server_name == "'SWAG'" || server_name == "'SWAG Server'") server = Tags::WEB_SERVER_SWAG;
if (server.ok()) tags.insert(*server);
@@ -1653,7 +1784,7 @@ private:
tags
);
if (server_name != "") registration_report.addToOrigin(LogField("eventCategory", server_name));
registration_report.addToOrigin(LogField("eventCategory", server_name));
auto email = getAttribute("email-address", "user_email");
if (email != "") registration_report << LogField("userDefinedId", email);
@@ -2065,6 +2196,7 @@ private:
int failure_count = 0;
unsigned int sleep_interval = 0;
bool is_new_success = false;
bool is_first_check_update_success = false;
OrchestrationPolicy policy;
UpdatesProcessReporter updates_process_reporter_listener;
HybridModeMetric hybrid_mode_metric;
@@ -2130,6 +2262,7 @@ OrchestrationComp::preload()
registerExpectedSetting<vector<string>>("upgradeDay");
registerExpectedSetting<string>("email-address");
registerExpectedSetting<string>("registered-server");
registerExpectedSetting<uint>("successUpgradeInterval");
registerExpectedConfigFile("orchestration", Config::ConfigFileType::Policy);
registerExpectedConfigFile("registration-data", Config::ConfigFileType::Policy);
}

7
components/security_apps/orchestration/orchestration_ut/orchestration_multitenant_ut.cc
View File

@@ -89,6 +89,11 @@ public:
EXPECT_CALL(mock_service_controller, isServiceInstalled("Access Control")).WillRepeatedly(Return(false));
EXPECT_CALL(
mock_ml,
addOneTimeRoutine(_, _, "Orchestration successfully updated (One-Time After Interval)", true)
).WillOnce(DoAll(SaveArg<1>(&upgrade_routine), Return(0)));
// This Holding the Main Routine of the Orchestration.
EXPECT_CALL(
mock_ml,
@@ -156,6 +161,7 @@ public:
runRoutine()
{
routine();
upgrade_routine();
}
void
@@ -235,6 +241,7 @@ private:
}
I_MainLoop::Routine routine;
I_MainLoop::Routine upgrade_routine;
I_MainLoop::Routine status_routine;
};

59
components/security_apps/orchestration/orchestration_ut/orchestration_ut.cc
View File

@@ -83,6 +83,12 @@ public:
EXPECT_CALL(mock_orchestration_tools, readFile(orchestration_policy_file_path)).WillOnce(Return(response));
EXPECT_CALL(mock_status, setFogAddress(host_url)).WillRepeatedly(Return());
EXPECT_CALL(mock_orchestration_tools, setClusterId());
EXPECT_CALL(
mock_ml,
addOneTimeRoutine(_, _, "Orchestration successfully updated (One-Time After Interval)", true)
).WillOnce(DoAll(SaveArg<1>(&upgrade_routine), Return(0)));
EXPECT_CALL(
mock_ml,
addOneTimeRoutine(I_MainLoop::RoutineType::System, _, "Orchestration runner", true)
@@ -281,6 +287,12 @@ public:
status_routine();
}
void
runUpgradeRoutine()
{
upgrade_routine();
}
void
preload()
{
@@ -359,6 +371,7 @@ private:
I_MainLoop::Routine routine;
I_MainLoop::Routine status_routine;
I_MainLoop::Routine upgrade_routine;
};
@@ -601,14 +614,6 @@ TEST_F(OrchestrationTest, check_sending_registration_data)
string version = "1";
EXPECT_CALL(mock_service_controller, getUpdatePolicyVersion()).WillOnce(ReturnRef(version));
EXPECT_CALL(mock_ml, yield(A<chrono::microseconds>()))
.WillOnce(Return())
.WillOnce(Invoke([] (chrono::microseconds) { throw invalid_argument("stop while loop"); }));
try {
runRoutine();
} catch (const invalid_argument& e) {}
string config_json =
"{\n"
" \"email-address\": \"fake@example.com\",\n"
@@ -617,9 +622,19 @@ TEST_F(OrchestrationTest, check_sending_registration_data)
istringstream ss(config_json);
Singleton::Consume<Config::I_Config>::from(config_comp)->loadConfiguration(ss);
EXPECT_CALL(mock_ml, yield(A<chrono::microseconds>()))
.WillOnce(Return())
.WillOnce(Invoke([] (chrono::microseconds) { throw invalid_argument("stop while loop"); }));
try {
runRoutine();
} catch (const invalid_argument& e) {}
sending_routine();
EXPECT_THAT(message_body, HasSubstr("\"userDefinedId\": \"fake@example.com\""));
EXPECT_THAT(message_body, HasSubstr("\"eventCategory\""));
EXPECT_THAT(message_body, AnyOf(HasSubstr("\"Embedded Deployment\""), HasSubstr("\"Kubernetes Deployment\"")));
EXPECT_THAT(message_body, HasSubstr("\"NGINX Server\""));
}
@@ -1004,6 +1019,11 @@ TEST_F(OrchestrationTest, loadOrchestrationPolicyFromBackup)
);
waitForRestCall();
EXPECT_CALL(
mock_ml,
addOneTimeRoutine(_, _, "Orchestration successfully updated (One-Time After Interval)", true)
);
EXPECT_CALL(
mock_ml,
addOneTimeRoutine(I_MainLoop::RoutineType::System, _, "Orchestration runner", true)
@@ -1170,6 +1190,29 @@ TEST_F(OrchestrationTest, manifestUpdate)
try {
runRoutine();
} catch (const invalid_argument& e) {}
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/last_known_working_orchestrator"))
.WillOnce(Return(true));
Maybe<string> upgrade_status(string("1.1.1 1.1.2 2025-01-28 07:53:23"));
EXPECT_CALL(mock_orchestration_tools, readFile("/etc/cp/revert/upgrade_status"))
.WillOnce(Return(upgrade_status));
EXPECT_CALL(mock_orchestration_tools, removeFile("/etc/cp/revert/upgrade_status")).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/failed_upgrade_info"))
.WillOnce(Return(false));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillRepeatedly(Return("1.1.2"));
EXPECT_CALL(mock_orchestration_tools, copyFile(_, "/etc/cp/revert/last_known_working_orchestrator"))
.WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, copyFile(_, "/etc/cp/revert/last_known_manifest")).WillOnce(Return(true));
EXPECT_CALL(
mock_orchestration_tools,
writeFile("1.1.1 1.1.2 2025-01-28 07:53:23\n", "/var/log/nano_agent/prev_upgrades", true)
).WillOnce(Return(true));
EXPECT_CALL(mock_ml, yield(A<chrono::microseconds>())).WillOnce(Return());
runUpgradeRoutine();
}
TEST_F(OrchestrationTest, getBadPolicyUpdate)

6
components/security_apps/orchestration/update_communication/fog_authenticator.cc
View File

@@ -377,9 +377,13 @@ FogAuthenticator::registerLocalAgentToFog()
{
auto local_reg_token = getRegistrationToken();
if (!local_reg_token.ok()) return;
string reg_token = local_reg_token.unpack().getData();
if (reg_token.empty()) return;
dbgInfo(D_ORCHESTRATOR) << "Start local agent registration to the fog";
string exec_command = "open-appsec-ctl --set-mode --online_mode --token " + local_reg_token.unpack().getData();
string exec_command = "open-appsec-ctl --set-mode --online_mode --token " + reg_token;
auto i_agent_details = Singleton::Consume<I_AgentDetails>::by<FogAuthenticator>();
auto fog_address = i_agent_details->getFogDomain();

8
components/security_apps/waap/include/i_serialize.h
View File

@@ -137,9 +137,13 @@ public:
void setRemoteSyncEnabled(bool enabled);
protected:
void mergeProcessedFromRemote();
std::string getWindowId();
void waitSync();
std::string getPostDataUrl();
std::string getUri();
size_t getIntervalsCount();
void incrementIntervalsCount();
bool isBase();
template<typename T>
bool sendObject(T &obj, HTTPMethod method, std::string uri)
@@ -252,14 +256,13 @@ protected:
const std::string m_remotePath; // Created from tenentId + / + assetId + / + class
std::chrono::seconds m_interval;
std::string m_owner;
const std::string m_assetId;
private:
bool localSyncAndProcess();
void updateStateFromRemoteService();
RemoteFilesList getProcessedFilesList();
RemoteFilesList getRemoteProcessedFilesList();
std::string getWindowId();
bool isBase();
std::string getLearningHost();
std::string getSharedStorageHost();
@@ -270,7 +273,6 @@ private:
size_t m_windowsCount;
size_t m_intervalsCounter;
bool m_remoteSyncEnabled;
const std::string m_assetId;
const bool m_isAssetIdUuid;
std::string m_type;
std::string m_lastProcessedModified;

6
components/security_apps/waap/include/i_waapConfig.h
View File

@@ -19,12 +19,14 @@
#include "../waap_clib/WaapParameters.h"
#include "../waap_clib/WaapOpenRedirectPolicy.h"
#include "../waap_clib/WaapErrorDisclosurePolicy.h"
#include "../waap_clib/DecisionType.h"
#include "../waap_clib/CsrfPolicy.h"
#include "../waap_clib/UserLimitsPolicy.h"
#include "../waap_clib/RateLimiting.h"
#include "../waap_clib/SecurityHeadersPolicy.h"
#include <memory>
enum class BlockingLevel {
NO_BLOCKING = 0,
LOW_BLOCKING_LEVEL,
@@ -44,8 +46,8 @@ public:
virtual const std::string& get_AssetId() const = 0;
virtual const std::string& get_AssetName() const = 0;
virtual const BlockingLevel& get_BlockingLevel() const = 0;
virtual const std::string& get_PracticeId() const = 0;
virtual const std::string& get_PracticeName() const = 0;
virtual const std::string& get_PracticeIdByPactice(DecisionType practiceType) const = 0;
virtual const std::string& get_PracticeNameByPactice(DecisionType practiceType) const = 0;
virtual const std::string& get_PracticeSubType() const = 0;
virtual const std::string& get_RuleId() const = 0;
virtual const std::string& get_RuleName() const = 0;

1
components/security_apps/waap/waap_clib/CMakeLists.txt
View File

@@ -91,6 +91,7 @@ add_library(waap_clib
ParserScreenedJson.cc
ParserBinaryFile.cc
RegexComparator.cc
RequestsMonitor.cc
)
add_definitions("-Wno-unused-function")

158
components/security_apps/waap/waap_clib/RequestsMonitor.cc Normal file
View File

@@ -0,0 +1,158 @@
#include "RequestsMonitor.h"
#include "waap.h"
#include "SyncLearningNotification.h"
#include "report_messaging.h"
#include "customized_cereal_map.h"
USE_DEBUG_FLAG(D_WAAP_CONFIDENCE_CALCULATOR);
using namespace std;
SourcesRequestMonitor::SourcesRequestMonitor(
const string& filePath,
const string& remotePath,
const string& assetId,
const string& owner) :
SerializeToLocalAndRemoteSyncBase(
chrono::minutes(10),
chrono::seconds(30),
filePath,
remotePath != "" ? remotePath + "/Monitor" : remotePath,
assetId,
owner
), m_sourcesRequests()
{
}
SourcesRequestMonitor::~SourcesRequestMonitor()
{
}
void SourcesRequestMonitor::syncWorker()
{
dbgInfo(D_WAAP_CONFIDENCE_CALCULATOR) << "Running the sync worker for assetId='" << m_assetId << "', owner='" <<
m_owner << "'";
incrementIntervalsCount();
OrchestrationMode mode = Singleton::exists<I_AgentDetails>() ?
Singleton::Consume<I_AgentDetails>::by<WaapComponent>()->getOrchestrationMode() : OrchestrationMode::ONLINE;
bool enabled = getProfileAgentSettingWithDefault<bool>(false, "appsec.sourceRequestsMonitor.enabled");
if (mode == OrchestrationMode::OFFLINE || !enabled || isBase() || !postData()) {
dbgInfo(D_WAAP_CONFIDENCE_CALCULATOR)
<< "Did not report data. for asset: "
<< m_assetId
<< " Remote URL: "
<< m_remotePath
<< " is enabled: "
<< to_string(enabled)
<< ", mode: " << int(mode);
return;
}
dbgTrace(D_WAAP_CONFIDENCE_CALCULATOR) << "Waiting for all agents to post their data";
waitSync();
if (mode == OrchestrationMode::HYBRID) {
dbgDebug(D_WAAP_CONFIDENCE_CALCULATOR) << "detected running in standalone mode. not sending sync notification";
} else {
SyncLearningNotificationObject syncNotification(m_assetId, "Monitor", getWindowId());
dbgDebug(D_WAAP_CONFIDENCE_CALCULATOR) << "sending sync notification: " << syncNotification;
ReportMessaging(
"sync notification for '" + m_assetId + "'",
ReportIS::AudienceTeam::WAAP,
syncNotification,
MessageCategory::GENERIC,
ReportIS::Tags::WAF,
ReportIS::Notification::SYNC_LEARNING
);
}
}
void SourcesRequestMonitor::logSourceHit(const string& source)
{
m_sourcesRequests[chrono::duration_cast<chrono::minutes>(
Singleton::Consume<I_TimeGet>::by<WaapComponent>()->getWalltime()
).count()][source]++;
}
// LCOV_EXCL_START Reason: internal functions not used
void SourcesRequestMonitor::pullData(const vector<string> &data)
{
// not used. report only
}
void SourcesRequestMonitor::processData()
{
// not used. report only
}
void SourcesRequestMonitor::postProcessedData()
{
// not used. report only
}
void SourcesRequestMonitor::pullProcessedData(const vector<string> &data)
{
// not used. report only
}
void SourcesRequestMonitor::updateState(const vector<string> &data)
{
// not used. report only
}
// LCOV_EXCL_STOP
typedef map<string, map<string, size_t>> MonitorJsonData;
class SourcesRequestsReport : public RestGetFile
{
public:
SourcesRequestsReport(MonitorData& _sourcesRequests, const string& _agentId)
: sourcesRequests(), agentId(_agentId)
{
MonitorJsonData montiorData;
for (const auto& window : _sourcesRequests) {
for (const auto& source : window.second) {
montiorData[to_string(window.first)][source.first] = source.second;
}
}
sourcesRequests = montiorData;
}
private:
C2S_PARAM(MonitorJsonData, sourcesRequests);
C2S_PARAM(string, agentId);
};
bool SourcesRequestMonitor::postData()
{
dbgInfo(D_WAAP_CONFIDENCE_CALCULATOR) << "Sending the data to remote";
// send collected data to remote and clear the local data
string url = getPostDataUrl();
string agentId = Singleton::Consume<I_AgentDetails>::by<WaapComponent>()->getAgentId();
SourcesRequestsReport currentWindow(m_sourcesRequests, agentId);
bool ok = sendNoReplyObjectWithRetry(currentWindow,
HTTPMethod::PUT,
url);
if (!ok) {
dbgError(D_WAAP_CONFIDENCE_CALCULATOR) << "Failed to post collected data to: " << url;
}
dbgInfo(D_WAAP_CONFIDENCE_CALCULATOR) << "Data sent to remote: " << ok;
m_sourcesRequests.clear();
return ok;
}
void SourcesRequestMonitor::serialize(ostream& stream)
{
cereal::JSONOutputArchive archive(stream);
archive(m_sourcesRequests);
}
void SourcesRequestMonitor::deserialize(istream& stream)
{
cereal::JSONInputArchive archive(stream);
archive(m_sourcesRequests);
}

33
components/security_apps/waap/waap_clib/RequestsMonitor.h Normal file
View File

@@ -0,0 +1,33 @@
#ifndef __REQUESTS_MONITOR_H__
#define __REQUESTS_MONITOR_H__
#include "i_serialize.h"
typedef std::map<uint64_t, std::map<std::string, size_t>> MonitorData;
class SourcesRequestMonitor : public SerializeToLocalAndRemoteSyncBase
{
public:
SourcesRequestMonitor(
const std::string& filePath,
const std::string& remotePath,
const std::string& assetId,
const std::string& owner);
virtual ~SourcesRequestMonitor();
virtual void syncWorker() override;
void logSourceHit(const std::string& source);
protected:
virtual void pullData(const std::vector<std::string> &data) override;
virtual void processData() override;
virtual void postProcessedData() override;
virtual void pullProcessedData(const std::vector<std::string> &data) override;
virtual void updateState(const std::vector<std::string> &data) override;
virtual bool postData() override;
void serialize(std::ostream& stream);
void deserialize(std::istream& stream);
private:
// map of sources and their requests per minute (UNIX)
MonitorData m_sourcesRequests;
};
#endif // __REQUESTS_MONITOR_H__

20
components/security_apps/waap/waap_clib/Serializator.cc
View File

@@ -407,6 +407,7 @@ SerializeToLocalAndRemoteSyncBase::SerializeToLocalAndRemoteSyncBase(
m_remotePath(replaceAllCopy(remotePath, "//", "/")),
m_interval(0),
m_owner(owner),
m_assetId(replaceAllCopy(assetId, "/", "")),
m_pMainLoop(nullptr),
m_waitForSync(waitForSync),
m_workerRoutineId(0),
@@ -414,7 +415,6 @@ SerializeToLocalAndRemoteSyncBase::SerializeToLocalAndRemoteSyncBase(
m_windowsCount(0),
m_intervalsCounter(0),
m_remoteSyncEnabled(true),
m_assetId(replaceAllCopy(assetId, "/", "")),
m_isAssetIdUuid(Waap::Util::isUuid(assetId)),
m_shared_storage_host(genError("not set")),
m_learning_host(genError("not set"))
@@ -469,6 +469,15 @@ bool SerializeToLocalAndRemoteSyncBase::isBase()
return m_remotePath == "";
}
void SerializeToLocalAndRemoteSyncBase::waitSync()
{
if (m_pMainLoop == nullptr)
{
return;
}
m_pMainLoop->yield(m_waitForSync);
}
string SerializeToLocalAndRemoteSyncBase::getUri()
{
static const string hybridModeUri = "/api";
@@ -484,6 +493,11 @@ size_t SerializeToLocalAndRemoteSyncBase::getIntervalsCount()
return m_intervalsCounter;
}
void SerializeToLocalAndRemoteSyncBase::incrementIntervalsCount()
{
m_intervalsCounter++;
}
SerializeToLocalAndRemoteSyncBase::~SerializeToLocalAndRemoteSyncBase()
{
@@ -659,7 +673,7 @@ void SerializeToLocalAndRemoteSyncBase::syncWorker()
{
dbgInfo(D_WAAP_CONFIDENCE_CALCULATOR) << "Running the sync worker for assetId='" << m_assetId << "', owner='" <<
m_owner << "'" << " last modified state: " << m_lastProcessedModified;
m_intervalsCounter++;
incrementIntervalsCount();
OrchestrationMode mode = Singleton::exists<I_AgentDetails>() ?
Singleton::Consume<I_AgentDetails>::by<WaapComponent>()->getOrchestrationMode() : OrchestrationMode::ONLINE;
@@ -678,7 +692,7 @@ void SerializeToLocalAndRemoteSyncBase::syncWorker()
}
dbgTrace(D_WAAP_CONFIDENCE_CALCULATOR) << "Waiting for all agents to post their data";
m_pMainLoop->yield(m_waitForSync);
waitSync();
// check if learning service is operational
if (m_lastProcessedModified == "")
{

20
components/security_apps/waap/waap_clib/Telemetry.cc
View File

@@ -33,6 +33,7 @@ WaapTelemetryBase::sendLog(const LogRest &metric_client_rest) const
OrchestrationMode mode = Singleton::Consume<I_AgentDetails>::by<GenericMetric>()->getOrchestrationMode();
GenericMetric::sendLog(metric_client_rest);
dbgTrace(D_WAAP) << "Waap telemetry log sent: " << metric_client_rest.genJson().unpack();
if (mode == OrchestrationMode::ONLINE) {
return;
@@ -79,7 +80,16 @@ void
WaapTelemetrics::updateMetrics(const string &asset_id, const DecisionTelemetryData &data)
{
initMetrics();
requests.report(1);
auto is_keep_alive_ctx = Singleton::Consume<I_Environment>::by<GenericMetric>()->get<bool>(
"keep_alive_request_ctx"
);
if (!is_keep_alive_ctx.ok() || !*is_keep_alive_ctx) {
requests.report(1);
} else {
dbgTrace(D_WAAP) << "Not increasing the number of requests due to keep alive";
}
if (sources_seen.find(data.source) == sources_seen.end()) {
if (sources.getCounter() == 0) sources_seen.clear();
sources_seen.insert(data.source);
@@ -274,7 +284,9 @@ WaapMetricWrapper::upon(const WaapTelemetryEvent &event)
ReportIS::IssuingEngine::AGENT_CORE,
chrono::minutes(LOGGING_INTERVAL_IN_MINUTES),
true,
ReportIS::Audience::INTERNAL
ReportIS::Audience::INTERNAL,
false,
asset_id
);
metrics[asset_id]->registerListener();
}
@@ -286,7 +298,9 @@ WaapMetricWrapper::upon(const WaapTelemetryEvent &event)
ReportIS::IssuingEngine::AGENT_CORE,
chrono::minutes(LOGGING_INTERVAL_IN_MINUTES),
true,
ReportIS::Audience::INTERNAL
ReportIS::Audience::INTERNAL,
false,
asset_id
);
attack_types[asset_id]->registerListener();
}

5
components/security_apps/waap/waap_clib/WaapAssetState.cc
View File

@@ -135,6 +135,7 @@ WaapAssetState::WaapAssetState(std::shared_ptr<Signatures> signatures,
m_Signatures(signatures),
m_waapDataFileName(waapDataFileName),
m_assetId(assetId),
m_requestsMonitor(nullptr),
scoreBuilder(this),
m_rateLimitingState(nullptr),
m_errorLimitingState(nullptr),
@@ -152,10 +153,14 @@ WaapAssetState::WaapAssetState(std::shared_ptr<Signatures> signatures,
I_AgentDetails* agentDetails = Singleton::Consume<I_AgentDetails>::by<WaapComponent>();
std::string path = agentDetails->getTenantId() + "/" + assetId;
m_filtersMngr = std::make_shared<IndicatorsFiltersManager>(path, assetId, this);
m_requestsMonitor = std::make_shared<SourcesRequestMonitor>
(getWaapDataDir() + "/monitor.data", path, assetId, "State");
}
else
{
m_filtersMngr = std::make_shared<IndicatorsFiltersManager>("", "", this);
m_requestsMonitor = std::make_shared<SourcesRequestMonitor>
(getWaapDataDir() + "/monitor.data", "", assetId, "State");
}
// Load keyword scores - copy from ScoreBuilder
updateScores();

4
components/security_apps/waap/waap_clib/WaapAssetState.h
View File

@@ -33,6 +33,7 @@
#include "KeywordTypeValidator.h"
#include "ScanResult.h"
#include "WaapSampleValue.h"
#include "RequestsMonitor.h"
enum space_stage {SPACE_SYNBOL, BR_SYMBOL, BN_SYMBOL, BRN_SEQUENCE, BNR_SEQUENCE, NO_SPACES};
@@ -67,6 +68,8 @@ public:
const std::string m_assetId;
std::shared_ptr<SourcesRequestMonitor> m_requestsMonitor;
ScoreBuilder scoreBuilder;
std::shared_ptr<Waap::RateLimiting::State> m_rateLimitingState;
std::shared_ptr<Waap::RateLimiting::State> m_errorLimitingState;
@@ -90,6 +93,7 @@ public:
void logIndicatorsInFilters(const std::string &param, Waap::Keywords::KeywordsSet& keywords,
IWaf2Transaction* pTransaction);
void logParamHit(Waf2ScanResult& res, IWaf2Transaction* pTransaction);
void logSourceHit(const std::string& source);
void filterKeywords(const std::string &param, Waap::Keywords::KeywordsSet& keywords,
std::vector<std::string>& filteredKeywords);
void clearFilterVerbose();

31
components/security_apps/waap/waap_clib/WaapConfigBase.cc
View File

@@ -329,14 +329,37 @@ const std::string& WaapConfigBase::get_AssetName() const
return m_assetName;
}
const std::string& WaapConfigBase::get_PracticeId() const
const std::string& WaapConfigBase::get_PracticeIdByPactice(DecisionType practiceType) const
{
return m_practiceId;
switch (practiceType)
{
case DecisionType::AUTONOMOUS_SECURITY_DECISION:
return m_practiceId;
default:
dbgError(D_WAAP)
<< "Can't find practice type for practice ID by practice: "
<< practiceType
<< ", return web app practice ID";
return m_practiceId;
}
}
const std::string& WaapConfigBase::get_PracticeName() const
const std::string& WaapConfigBase::get_PracticeNameByPactice(DecisionType practiceType) const
{
return m_practiceName;
switch (practiceType)
{
case DecisionType::AUTONOMOUS_SECURITY_DECISION:
return m_practiceName;
default:
dbgError(D_WAAP)
<< "Can't find practice type for practice name by practice: "
<< practiceType
<< ", return web app practice name";
return m_practiceName;
}
}
const std::string& WaapConfigBase::get_RuleId() const

4
components/security_apps/waap/waap_clib/WaapConfigBase.h
View File

@@ -39,8 +39,8 @@ public:
virtual const std::string& get_AssetId() const;
virtual const std::string& get_AssetName() const;
virtual const BlockingLevel& get_BlockingLevel() const;
virtual const std::string& get_PracticeId() const;
virtual const std::string& get_PracticeName() const;
virtual const std::string& get_PracticeIdByPactice(DecisionType practiceType) const;
virtual const std::string& get_PracticeNameByPactice(DecisionType practiceType) const;
virtual const std::string& get_RuleId() const;
virtual const std::string& get_RuleName() const;
virtual const bool& get_WebAttackMitigation() const;

2
components/security_apps/waap/waap_clib/WaapOverrideFunctor.cc
View File

@@ -89,7 +89,7 @@ bool WaapOverrideFunctor::operator()(
}
else if (tagLower == "url") {
for (const auto &rx : rxes) {
if (W2T_REGX_MATCH(getUriStr)) return true;
if (W2T_REGX_MATCH(getUri)) return true;
}
return false;
}

15
components/security_apps/waap/waap_clib/WaapResponseInjectReasons.cc
View File

@@ -23,6 +23,7 @@ ResponseInjectReasons::ResponseInjectReasons()
:
csrf(false),
antibot(false),
captcha(false),
securityHeaders(false)
{
}
@@ -53,6 +54,13 @@ ResponseInjectReasons::setAntibot(bool flag)
antibot = flag;
}
void
ResponseInjectReasons::setCaptcha(bool flag)
{
dbgTrace(D_WAAP) << "Change ResponseInjectReasons(Captcha) " << captcha << " to " << flag;
captcha = flag;
}
void
ResponseInjectReasons::setCsrf(bool flag)
{
@@ -74,6 +82,13 @@ ResponseInjectReasons::shouldInjectAntibot() const
return antibot;
}
bool
ResponseInjectReasons::shouldInjectCaptcha() const
{
dbgTrace(D_WAAP) << "shouldInjectCaptcha():: " << captcha;
return captcha;
}
bool
ResponseInjectReasons::shouldInjectCsrf() const
{

3
components/security_apps/waap/waap_clib/WaapResponseInjectReasons.h
View File

@@ -21,14 +21,17 @@ public:
void clear();
bool shouldInject() const;
void setAntibot(bool flag);
void setCaptcha(bool flag);
void setCsrf(bool flag);
void setSecurityHeaders(bool flag);
bool shouldInjectAntibot() const;
bool shouldInjectCaptcha() const;
bool shouldInjectCsrf() const;
bool shouldInjectSecurityHeaders() const;
private:
bool csrf;
bool antibot;
bool captcha;
bool securityHeaders;
};

45
components/security_apps/waap/waap_clib/Waf2Engine.cc
View File

@@ -1098,6 +1098,7 @@ void Waf2Transaction::end_request_hdrs() {
// but the State itself is not needed now
Waap::Override::State overrideState = getOverrideState(m_siteConfig);
}
m_pWaapAssetState->m_requestsMonitor->logSourceHit(m_source_identifier);
IdentifiersEvent ids(m_source_identifier, m_pWaapAssetState->m_assetId);
ids.notify();
// Read relevant headers and extract meta information such as host name
@@ -1421,6 +1422,15 @@ Waf2Transaction::completeInjectionResponseBody(std::string& strInjection)
m_responseInjectReasons.setAntibot(false);
}
if(m_responseInjectReasons.shouldInjectCaptcha()) {
dbgTrace(D_WAAP_BOT_PROTECTION) <<
"Waf2Transaction::completeInjectionResponseBody(): Injecting data (captcha)";
//todo add captcha script
strInjection += "<script src=\"cp-cp.js\"></script>";
// No need to inject more than once
m_responseInjectReasons.setCaptcha(false);
}
if (m_responseInjectReasons.shouldInjectCsrf()) {
dbgTrace(D_WAAP) << "Waf2Transaction::completeInjectionResponseBody(): Injecting data (csrf)";
strInjection += "<script src=\"cp-csrf.js\"></script>";
@@ -1567,7 +1577,7 @@ Waf2Transaction::decideFinal(
dbgTrace(D_WAAP) << "Waf2Transaction::decideFinal(): got relevant API configuration from the I/S";
sitePolicy = &ngenAPIConfig;
m_overrideState = getOverrideState(sitePolicy);
shouldBlock = (getUserLimitVerdict() == ngx_http_cp_verdict_e::TRAFFIC_VERDICT_DROP);
}
else if (WaapConfigApplication::getWaapSiteConfig(ngenSiteConfig)) {
dbgTrace(D_WAAP) << "Waf2Transaction::decideFinal(): got relevant Application configuration from the I/S";
@@ -1646,7 +1656,9 @@ void Waf2Transaction::appendCommonLogFields(LogGen& waapLog,
const std::shared_ptr<Waap::Trigger::Log> &triggerLog,
bool shouldBlock,
const std::string& logOverride,
const std::string& incidentType) const
const std::string& incidentType,
const std::string& practiceID,
const std::string& practiceName) const
{
auto env = Singleton::Consume<I_Environment>::by<WaapComponent>();
auto active_id = env->get<std::string>("ActiveTenantId");
@@ -1737,8 +1749,8 @@ void Waf2Transaction::appendCommonLogFields(LogGen& waapLog,
waapLog << LogField("practiceType", "Threat Prevention");
waapLog << LogField("practiceSubType", m_siteConfig->get_PracticeSubType());
waapLog << LogField("ruleName", m_siteConfig->get_RuleName());
waapLog << LogField("practiceId", m_siteConfig->get_PracticeId());
waapLog << LogField("practiceName", m_siteConfig->get_PracticeName());
waapLog << LogField("practiceId", practiceID);
waapLog << LogField("practiceName", practiceName);
waapLog << LogField("waapIncidentType", incidentType);
// Registering this value would append the list of matched override IDs to the unified log
@@ -1805,8 +1817,8 @@ Waf2Transaction::sendLog()
telemetryData.source = getSourceIdentifier();
telemetryData.assetName = m_siteConfig->get_AssetName();
telemetryData.practiceId = m_siteConfig->get_PracticeId();
telemetryData.practiceName = m_siteConfig->get_PracticeName();
telemetryData.practiceId = m_siteConfig->get_PracticeIdByPactice(AUTONOMOUS_SECURITY_DECISION);
telemetryData.practiceName = m_siteConfig->get_PracticeNameByPactice(AUTONOMOUS_SECURITY_DECISION);
if (m_scanResult) {
telemetryData.attackTypes = m_scanResult->attack_types;
}
@@ -1947,7 +1959,11 @@ Waf2Transaction::sendLog()
shouldBlock);
LogGen& waap_log = logGenWrapper.getLogGen();
appendCommonLogFields(waap_log, triggerLog, shouldBlock, logOverride, incidentType);
appendCommonLogFields(
waap_log, triggerLog, shouldBlock, logOverride, incidentType,
m_siteConfig->get_PracticeIdByPactice(AUTONOMOUS_SECURITY_DECISION),
m_siteConfig->get_PracticeNameByPactice(AUTONOMOUS_SECURITY_DECISION)
);
waap_log << LogField("waapIncidentDetails", incidentDetails);
waap_log << LogField("eventConfidence", "High");
break;
@@ -1980,7 +1996,11 @@ Waf2Transaction::sendLog()
waap_log << LogField("waapFoundIndicators", getKeywordMatchesStr(), LogFieldOption::XORANDB64);
}
appendCommonLogFields(waap_log, triggerLog, shouldBlock, logOverride, incidentType);
appendCommonLogFields(
waap_log, triggerLog, shouldBlock, logOverride, incidentType,
m_siteConfig->get_PracticeIdByPactice(AUTONOMOUS_SECURITY_DECISION),
m_siteConfig->get_PracticeNameByPactice(AUTONOMOUS_SECURITY_DECISION)
);
waap_log << LogField("waapIncidentDetails", incidentDetails);
break;
@@ -1996,7 +2016,11 @@ Waf2Transaction::sendLog()
shouldBlock);
LogGen& waap_log = logGenWrapper.getLogGen();
appendCommonLogFields(waap_log, triggerLog, shouldBlock, logOverride, "Cross Site Request Forgery");
appendCommonLogFields(
waap_log, triggerLog, shouldBlock, logOverride, "Cross Site Request Forgery",
m_siteConfig->get_PracticeIdByPactice(AUTONOMOUS_SECURITY_DECISION),
m_siteConfig->get_PracticeNameByPactice(AUTONOMOUS_SECURITY_DECISION)
);
waap_log << LogField("waapIncidentDetails", "CSRF Attack discovered.");
break;
}
@@ -2177,14 +2201,13 @@ Waf2Transaction::decideAutonomousSecurity(
" effective overrides count: " << m_effectiveOverrideIds.size() <<
" learned overrides count: " << m_exceptionLearned.size();
bool log_all = false;
const std::shared_ptr<Waap::Trigger::Policy> triggerPolicy = sitePolicy.get_TriggerPolicy();
if (triggerPolicy) {
const std::shared_ptr<Waap::Trigger::Log> triggerLog = getTriggerLog(triggerPolicy);
if (triggerLog && triggerLog->webRequests) log_all = true;
}
if(decision->getThreatLevel() <= ThreatLevel::THREAT_INFO && !log_all) {
decision->setLog(false);
} else {

4
components/security_apps/waap/waap_clib/Waf2Engine.h
View File

@@ -247,7 +247,9 @@ private:
const std::shared_ptr<Waap::Trigger::Log> &triggerLog,
bool shouldBlock,
const std::string& logOverride,
const std::string& incidentType) const;
const std::string& incidentType,
const std::string& practiceID,
const std::string& practiceName) const;
std::string getUserReputationStr(double relativeReputation) const;
bool isTrustedSource() const;

6
components/security_apps/waap/waap_clib/Waf2EngineGetters.cc
View File

@@ -381,7 +381,11 @@ void Waf2Transaction::sendAutonomousSecurityLog(
waap_log << LogField("eventConfidence", confidence);
}
appendCommonLogFields(waap_log, triggerLog, shouldBlock, logOverride, attackTypes);
appendCommonLogFields(
waap_log, triggerLog, shouldBlock, logOverride, attackTypes,
m_siteConfig->get_PracticeIdByPactice(AUTONOMOUS_SECURITY_DECISION),
m_siteConfig->get_PracticeNameByPactice(AUTONOMOUS_SECURITY_DECISION)
);
std::string sampleString = getSample();
if (sampleString.length() > MAX_LOG_FIELD_SIZE) {

21
config/k8s/v1beta2/open-appsec-k8s-full-example-config-v1beta2.yaml
View File

@@ -3,7 +3,7 @@ kind: AccessControlPractice
metadata:
name: access-control-practice-example
spec:
practiceMode: prevent
practiceMode: inherited
rateLimit:
overrideMode: inherited
rules:
@@ -80,15 +80,26 @@ metadata:
name: policy-example
spec:
default:
mode: prevent-learn
mode: detect-learn
accessControlPractices: [access-control-practice-example]
threatPreventionPractices: [threat-prevention-practice-example]
triggers: [log-trigger-example]
customResponse: custom-response-block-page-example
sourceIdentifiers: sources-identifier-example
trustedSources: trusted-sources-example
customResponse: custom-response-code-example
sourceIdentifiers: ""
trustedSources: ""
exceptions:
- exception-example
specificRules:
- host: "example.com"
mode: prevent-learn
threatPreventionPractices: [threat-prevention-practice-example]
accessControlPractices: [access-control-practice-example]
triggers: [log-trigger-example]
customResponse: custom-response-code-example
sourceIdentifiers: ""
trustedSources: ""
exceptions:
- exception-example
---
apiVersion: openappsec.io/v1beta2
kind: ThreatPreventionPractice

6
core/agent_details/agent_details.cc
View File

@@ -237,6 +237,12 @@ AgentDetails::getAgentId() const
return agent_id;
}
string
AgentDetails::getRegisteredServer() const
{
return server;
}
Maybe<string>
AgentDetails::getProxy() const
{

4
core/attachments/http_configuration/http_configuration.cc
View File

@@ -111,6 +111,8 @@ HttpAttachmentConfiguration::save(cereal::JSONOutputArchive &archive) const
cereal::make_nvp("keep_alive_interval_msec", getNumericalValue("keep_alive_interval_msec")),
cereal::make_nvp("min_retries_for_verdict", getNumericalValue("min_retries_for_verdict")),
cereal::make_nvp("max_retries_for_verdict", getNumericalValue("max_retries_for_verdict")),
cereal::make_nvp("hold_verdict_retries", getNumericalValue("hold_verdict_retries")),
cereal::make_nvp("hold_verdict_polling_time", getNumericalValue("hold_verdict_polling_time")),
cereal::make_nvp("body_size_trigger", getNumericalValue("body_size_trigger")),
cereal::make_nvp("remove_server_header", getNumericalValue("remove_server_header"))
);
@@ -167,6 +169,8 @@ HttpAttachmentConfiguration::load(cereal::JSONInputArchive &archive)
loadNumericalValue(archive, "keep_alive_interval_msec", DEFAULT_KEEP_ALIVE_INTERVAL_MSEC);
loadNumericalValue(archive, "min_retries_for_verdict", 3);
loadNumericalValue(archive, "max_retries_for_verdict", 15);
loadNumericalValue(archive, "hold_verdict_retries", 3);
loadNumericalValue(archive, "hold_verdict_polling_time", 1);
loadNumericalValue(archive, "body_size_trigger", 200000);
loadNumericalValue(archive, "remove_server_header", 0);
}

2
core/debug_is/debug.cc
View File

@@ -527,7 +527,7 @@ Debug::preload()
active_streams["FOG"] = make_shared<DebugFogStream>();
string branch = Version::getBranch();
if (branch == "open-source" || branch == "master" || branch.substr(0, 6) == "hotfix") {
if (branch == "master" || branch.substr(0, 6) == "hotfix") {
should_assert_optional = false;
} else {
should_assert_optional = true;

3
core/include/attachments/nginx_attachment_util.h
View File

@@ -42,6 +42,9 @@ unsigned int getFailOpenTimeout();
int isFailOpenHoldMode();
unsigned int getFailOpenHoldTimeout();
unsigned int getHoldVerdictPollingTime();
unsigned int getHoldVerdictRetries();
unsigned int getMaxSessionsPerMinute();
int isFailOpenOnSessionLimit();

2
core/include/services_sdk/interfaces/i_agent_details.h
View File

@@ -36,6 +36,7 @@ public:
virtual Maybe<std::string> getFogDomain() const = 0;
virtual std::string getTenantId() const = 0;
virtual std::string getProfileId() const = 0;
virtual std::string getRegisteredServer() const = 0;
// Agent Details
virtual Maybe<std::string> getProxy() const = 0;
@@ -43,6 +44,7 @@ public:
virtual void setAgentId(const std::string &_agent_id) = 0;
virtual std::string getAgentId() const = 0;
virtual void setOrchestrationMode(OrchestrationMode _orchstration_mode) = 0;
virtual void setRegisteredServer(const std::string &_server) = 0;
virtual OrchestrationMode getOrchestrationMode() const = 0;
virtual std::string getAccessToken() const = 0;
virtual void loadAccessToken() = 0;

16
core/include/services_sdk/interfaces/messaging/messaging_metadata.h
View File

@@ -75,9 +75,16 @@ public:
port_num(_port_num),
conn_flags(_conn_flags),
should_buffer(_should_buffer),
is_to_fog(_is_to_fog)
is_to_fog(_is_to_fog),
should_send_access_token(true)
{}
const bool &
shouldSendAccessToken() const
{
return should_send_access_token;
}
const std::string &
getHostName() const
{
@@ -90,6 +97,12 @@ public:
return port_num;
}
void
setShouldSendAccessToken(const bool &_should_send_access_token)
{
should_send_access_token = _should_send_access_token;
}
void
setConnectioFlag(MessageConnectionConfig flag)
{
@@ -300,6 +313,7 @@ private:
bool is_to_fog = false;
bool is_rate_limit_block = false;
uint rate_limit_block_time = 0;
bool should_send_access_token = true;
};
#endif // __MESSAGING_METADATA_H__

2
core/include/services_sdk/interfaces/mock/mock_agent_details.h
View File

@@ -20,11 +20,13 @@ public:
MOCK_CONST_METHOD0(getFogDomain, Maybe<std::string>());
MOCK_CONST_METHOD0(getTenantId, std::string());
MOCK_CONST_METHOD0(getProfileId, std::string());
MOCK_CONST_METHOD0(getRegisteredServer, std::string());
// Agent Details
MOCK_CONST_METHOD0(getProxy, Maybe<std::string>());
MOCK_METHOD1(setProxy, void(const std::string&));
MOCK_METHOD1(setAgentId, void(const std::string&));
MOCK_METHOD1(setRegisteredServer, void(const std::string&));
MOCK_CONST_METHOD0(getAgentId, std::string());
MOCK_METHOD0(loadAccessToken, void());
MOCK_CONST_METHOD0(getAccessToken, std::string());

3
core/include/services_sdk/resources/agent_details.h
View File

@@ -73,6 +73,7 @@ public:
Maybe<std::string> getOpenSSLDir() const;
std::string getClusterId() const;
OrchestrationMode getOrchestrationMode() const;
std::string getRegisteredServer() const;
bool isOpenAppsecAgent() const;
std::string getAccessToken() const;
void loadAccessToken();
@@ -86,6 +87,7 @@ public:
void setOpenSSLDir(const std::string &_openssl_dir) { openssl_dir = _openssl_dir; }
void setSSLFlag(const bool _encrypted_connection) { encrypted_connection = _encrypted_connection; }
void setOrchestrationMode(OrchestrationMode _orchstration_mode) { orchestration_mode = _orchstration_mode; }
void setRegisteredServer(const std::string &_server) { server = _server; }
bool getSSLFlag() const { return encrypted_connection; }
bool readAgentDetails();
@@ -117,6 +119,7 @@ private:
uint16_t fog_port = 0;
bool encrypted_connection = false;
OrchestrationMode orchestration_mode = OrchestrationMode::ONLINE;
std::string server = "Unknown";
bool is_proxy_configured_via_settings = false;
std::map<ProxyProtocol, ProxyData> proxies;

2
core/include/services_sdk/resources/component_is/components_list_impl.h
View File

@@ -48,6 +48,7 @@
#include "intelligence_comp_v2.h"
#include "messaging.h"
#include "env_details.h"
#include "metric/metric_scraper.h"
USE_DEBUG_FLAG(D_COMP_IS);
@@ -216,6 +217,7 @@ class ComponentListCore
Version,
Buffer,
ShellCmd,
MetricScraper,
GenericMetric,
Messaging,
MainloopComponent,

1
core/include/services_sdk/resources/debug_flags.h
View File

@@ -153,6 +153,7 @@ DEFINE_FLAG(D_COMPONENT, D_ALL)
DEFINE_FLAG(D_SDWAN, D_COMPONENT)
DEFINE_FLAG(D_SDWAN_POLICY, D_SDWAN)
DEFINE_FLAG(D_SDWAN_DATA, D_SDWAN)
DEFINE_FLAG(D_SDWAN_FEATURE_FLAG, D_SDWAN)
DEFINE_FLAG(D_LOGGER_SDWAN, D_SDWAN)
DEFINE_FLAG(D_SDWAN_API, D_SDWAN)
DEFINE_FLAG(D_REVERSE_PROXY, D_COMPONENT)

14
core/include/services_sdk/resources/generic_metric.h
View File

@@ -59,10 +59,11 @@ class GenericMetric
Singleton::Consume<I_Messaging>,
Singleton::Consume<I_RestApi>,
Singleton::Consume<I_Encryptor>,
public Listener<AllMetricEvent>
public Listener<AllMetricEvent>,
public Listener<MetricScrapeEvent>
{
public:
enum class Stream { FOG, DEBUG, PROMETHEUS, AIOPS, COUNT };
enum class Stream { FOG, DEBUG, AIOPS, COUNT };
void
init(
@@ -72,7 +73,8 @@ public:
std::chrono::seconds _report_interval,
bool _reset,
ReportIS::Audience _audience = ReportIS::Audience::INTERNAL,
bool _force_buffering = false
bool _force_buffering = false,
const std::string &_asset_id = ""
);
template <typename Value>
@@ -96,6 +98,7 @@ public:
void resetMetrics();
void upon(const AllMetricEvent &) override;
std::string respond(const AllMetricEvent &event) override;
std::vector<PrometheusData> respond(const MetricScrapeEvent &event) override;
std::string getListenerName() const override;
std::string getMetricName() const;
@@ -113,9 +116,10 @@ private:
friend class MetricCalc;
void addCalc(MetricCalc *calc);
std::vector<PrometheusData> getPromMetricsData();
void handleMetricStreamSending();
void generateLog();
void generatePrometheus();
void generateDebug();
void generateAiopsLog();
@@ -127,10 +131,12 @@ private:
ReportIS::Audience audience;
std::chrono::seconds report_interval;
std::vector<MetricCalc *> calcs;
std::vector<MetricCalc *> prometheus_calcs;
Flags<Stream> active_streams;
bool reset;
bool force_buffering = false;
Context ctx;
std::string asset_id;
};
#include "metric/counter.h"

37
core/include/services_sdk/resources/metric/metric_calc.h
View File

@@ -25,6 +25,9 @@
#include "customized_cereal_map.h"
#include "compression_utils.h"
#include "i_encryptor.h"
#include "event.h"
USE_DEBUG_FLAG(D_METRICS);
class GenericMetric;
@@ -32,13 +35,35 @@ enum class MetricType { GAUGE, COUNTER };
struct PrometheusData
{
template <typename Archive>
void
serialize(Archive &ar)
{
try {
ar(cereal::make_nvp("metric_name", name));
ar(cereal::make_nvp("metric_type", type));
ar(cereal::make_nvp("metric_description", description));
ar(cereal::make_nvp("labels", label));
ar(cereal::make_nvp("value", value));
} catch (const cereal::Exception &e) {
dbgTrace(D_METRICS) << "Error in serialize Prometheus data: " << e.what();
}
}
std::string name;
std::string type;
std::string desc;
std::string description;
std::string label;
std::string value;
};
class MetricScrapeEvent : public Event<MetricScrapeEvent, std::vector<PrometheusData>>
{
public:
MetricScrapeEvent() {}
};
class AiopsMetricData
{
public:
@@ -228,7 +253,10 @@ public:
std::string getMetircDescription() const { return getMetadata("Description"); }
std::string getMetadata(const std::string &metadata) const;
virtual MetricType getMetricType() const { return MetricType::GAUGE; }
virtual std::vector<PrometheusData> getPrometheusMetrics() const;
virtual std::vector<PrometheusData> getPrometheusMetrics(
const std::string &metric_name,
const std::string &asset_id = ""
) const;
virtual float getValue() const = 0;
virtual std::vector<AiopsMetricData> getAiopsMetrics() const;
@@ -240,7 +268,10 @@ public:
protected:
void addMetric(GenericMetric *metric);
std::map<std::string, std::string> getBasicLabels() const;
std::map<std::string, std::string> getBasicLabels(
const std::string &metric_name,
const std::string &asset_id = ""
) const;
template <typename Metadata, typename ... OtherMetadata>
void

13
core/include/services_sdk/resources/metric/metric_map.h
View File

@@ -55,12 +55,17 @@ class MetricMap : public MetricCalc
}
std::vector<PrometheusData>
getPrometheusMetrics(const std::string &label, const std::string &name) const
getPrometheusMetrics(
const std::string &metric_name,
const std::string &label,
const std::string &name,
const std::string &asset_id
) const
{
std::vector<PrometheusData> res;
for (auto &metric : inner_map) {
auto sub_res = metric.second.getPrometheusMetrics();
auto sub_res = metric.second.getPrometheusMetrics(metric_name, asset_id);
for (auto &sub_metric : sub_res) {
sub_metric.label += "," + label + "=\"" + metric.first + "\"";
sub_metric.name = name;
@@ -155,9 +160,9 @@ public:
}
std::vector<PrometheusData>
getPrometheusMetrics() const override
getPrometheusMetrics(const std::string &metric_name, const std::string &asset_id) const override
{
return metric_map.getPrometheusMetrics(label, getMetricName());
return metric_map.getPrometheusMetrics(metric_name, label, getMetricName(), asset_id);
}
std::vector<AiopsMetricData>

45
core/include/services_sdk/resources/metric/metric_scraper.h Normal file
View File

@@ -0,0 +1,45 @@
// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef __METRIC_SCRAPER_H__
#define __METRIC_SCRAPER_H__
#include <string>
#include <fstream>
#include <vector>
#include <streambuf>
#include "singleton.h"
#include "debug.h"
#include "component.h"
#include "event.h"
#include "i_rest_api.h"
#include "generic_metric.h"
class MetricScraper
:
public Component,
Singleton::Consume<I_RestApi>
{
public:
MetricScraper();
~MetricScraper();
void init();
private:
class Impl;
std::unique_ptr<Impl> pimpl;
};
#endif // __METRIC_SCRAPER_H__

10
core/intelligence_is_v2/intelligence_comp_v2.cc
View File

@@ -492,9 +492,9 @@ private:
return genError("Local intelligence server ip not configured");
}
auto res = sendLocalIntelligenceToLocalServer(rest_req, *server, primary_port_setting);
auto res = sendLocalIntelligenceToLocalServer(rest_req, *server, primary_port_setting, false);
if (res.ok()) return res;
return sendLocalIntelligenceToLocalServer(rest_req, *server, secondary_port_setting);
return sendLocalIntelligenceToLocalServer(rest_req, *server, secondary_port_setting, false);
}
template <typename IntelligenceRest>
@@ -502,8 +502,9 @@ private:
sendLocalIntelligenceToLocalServer(
const IntelligenceRest &rest_req,
const string &server,
const string &port_setting
) const
const string &port_setting,
const bool should_send_access_token = false
) const
{
auto port = getSetting<uint>("intelligence", port_setting);
if (!port.ok()) {
@@ -519,6 +520,7 @@ private:
req_md.insertHeaders(getHTTPHeaders());
req_md.setConnectioFlag(MessageConnectionConfig::UNSECURE_CONN);
req_md.setConnectioFlag(MessageConnectionConfig::ONE_TIME_CONN);
req_md.setShouldSendAccessToken(should_send_access_token);
return sendIntelligenceRequestImpl(rest_req, req_md);
}

43
core/messaging/connection/connection.cc
View File

@@ -184,6 +184,18 @@ public:
establishConnection()
{
dbgFlow(D_CONNECTION) << "Establishing a new connection";
// check if connection already established
I_MainLoop *i_mainloop = Singleton::Consume<I_MainLoop>::by<Messaging>();
while (lock) {
i_mainloop->yield(true);
}
lock = true;
auto unlock = make_scope_exit([&] () { lock = false; });
if (is_connected && !should_close_connection) {
dbgTrace(D_CONNECTION) << "Connection already established";
return Maybe<void>();
}
auto set_socket = setSocket();
if (!set_socket.ok()) {
dbgWarning(D_CONNECTION) << "Failed to set socket: " << set_socket.getErr();
@@ -221,6 +233,7 @@ public:
<< (isOverProxy() ? ", Over proxy: " + settings.getProxyHost() + ":" + to_string(key.getPort()) : "");
active = Maybe<void, chrono::seconds>();
should_close_connection = false;
is_connected = true;
return Maybe<void>();
}
@@ -583,11 +596,13 @@ private:
if (BIO_should_retry(bio.get())) return string();
auto fd = BIO_get_fd(bio.get(), nullptr);
char error_buf[256];
ERR_error_string(ERR_get_error(), error_buf);
string error = receive_len == 0 ?
"Connection closed by peer" :
"Failed to read data from BIO socket. Error: " + string(error_buf);
"Connection closed by peer (BIO fd: " + to_string(fd) + "). Error: " + string(error_buf) :
"Failed to read data from BIO socket (fd: " + to_string(fd) + "). Error: " + string(error_buf);
dbgWarning(D_CONNECTION) << error;
return genError(HTTPResponse(HTTPStatusCode::HTTP_UNKNOWN, error));
}
@@ -621,17 +636,28 @@ private:
Maybe<HTTPResponse, HTTPResponse>
sendAndReceiveData(const string &request, bool is_connect)
{
dbgFlow(D_CONNECTION) << "Sending and receiving data";
dbgFlow(D_CONNECTION) << "Sending and receiving data, lock: " << lock;
I_MainLoop *i_mainloop = Singleton::Consume<I_MainLoop>::by<Messaging>();
while (lock) {
while (lock && !is_connect) {
i_mainloop->yield(true);
}
lock = true;
auto unlock = make_scope_exit([&] () { lock = false; });
dbgTrace(D_CONNECTION) << "acquire lock";
auto unlock = make_scope_exit([&] () {
lock = false;
});
if (should_close_connection) {
dbgWarning(D_CONNECTION) << close_error.getBody();
return genError(close_error);
dbgTrace(D_CONNECTION) << "reconnect in progress";
while (lock) {
i_mainloop->yield(true);
}
if (!is_connected) {
dbgWarning(D_CONNECTION) << close_error.getBody();
return genError(close_error);
}
dbgTrace(D_CONNECTION) << "reconnected by other routine";
lock = true;
}
I_TimeGet *i_time = Singleton::Consume<I_TimeGet>::by<Messaging>();
@@ -651,11 +677,13 @@ private:
dbgTrace(D_CONNECTION) << "Sent the message, now waiting for response";
while (!http_parser.hasReachedError()) {
if (i_time->getMonotonicTime() > receiving_end_time) {
is_connected = false;
should_close_connection = true;
return genError(receving_timeout);
};
auto receieved = receiveData();
if (!receieved.ok()) {
is_connected = false;
should_close_connection = true;
return receieved.passErr();
}
@@ -706,6 +734,7 @@ private:
bool lock = false;
bool should_close_connection = false;
bool is_dual_auth = false;
bool is_connected = false;
Maybe<string> sni_hostname = genError<string>("Uninitialized");
Maybe<string> dn_host_name = genError<string>("Uninitialized");

2
core/messaging/connection/connection_comp.cc
View File

@@ -92,12 +92,12 @@ private:
<< metadata.getPort();
MessageConnectionKey conn_key(metadata.getHostName(), metadata.getPort(), category);
Connection conn(conn_key, metadata);
persistent_connections.emplace(conn_key, conn);
const auto &external_certificate = metadata.getExternalCertificate();
if (!external_certificate.empty()) conn.setExternalCertificate(external_certificate);
auto connected = conn.establishConnection();
persistent_connections.emplace(conn_key, conn);
if (!connected.ok()) {
string connection_err = "Failed to establish connection. Error: " + connected.getErr();

3
core/messaging/include/http_request.h
View File

@@ -30,7 +30,8 @@ public:
HTTPMethod method,
const std::string &uri,
const std::map<std::string, std::string> &headers,
const std::string &body
const std::string &body,
const bool should_send_access_token = true
);
Maybe<void> setConnectionHeaders(const Connection &conn, bool is_access_token_needed);

4
core/messaging/messaging_comp/http_request.cc
View File

@@ -79,7 +79,8 @@ HTTPRequest::prepareRequest(
HTTPMethod method,
const string &uri,
const map<string, string> &headers,
const string &body
const string &body,
const bool should_send_access_token
)
{
HTTPRequest req(method, uri, headers, body);
@@ -94,6 +95,7 @@ HTTPRequest::prepareRequest(
dont_add_access_token = true;
dbgTrace(D_MESSAGING) << "Request is for agent authentication";
}
if (!should_send_access_token) dont_add_access_token = true;
auto res = req.addAccessToken(conn, dont_add_access_token);
if (!res.ok()) return res.passErr();

8
core/messaging/messaging_comp/messaging_comp.cc
View File

@@ -142,7 +142,13 @@ MessagingComp::sendMessage(
metadata.insertHeaders(i_env->getCurrentHeadersMap());
}
auto req = HTTPRequest::prepareRequest(conn, method, uri, metadata.getHeaders(), body);
auto req = HTTPRequest::prepareRequest(
conn,
method,
uri,
metadata.getHeaders(),
body,
metadata.shouldSendAccessToken());
if (!req.ok()) return genError(HTTPResponse(HTTPStatusCode::HTTP_UNKNOWN, req.getErr()));
auto response = i_conn->sendRequest(conn, *req);

2
core/metric/CMakeLists.txt
View File

@@ -1,3 +1,3 @@
add_library(metric generic_metric.cc)
add_library(metric generic_metric.cc metric_scraper.cc)
add_subdirectory(metric_ut)

97
core/metric/generic_metric.cc
View File

@@ -49,7 +49,7 @@ MetricCalc::getAiopsMetrics() const
string description = getMetircDescription();
string type = getMetricType() == MetricType::GAUGE ? "Gauge" : "Counter";
return { AiopsMetricData(name, type, units, description, getBasicLabels(), value) };
return { AiopsMetricData(name, type, units, description, getBasicLabels(getMetricName()), value) };
}
string
@@ -77,7 +77,7 @@ MetricCalc::addMetric(GenericMetric *metric)
}
vector<PrometheusData>
MetricCalc::getPrometheusMetrics() const
MetricCalc::getPrometheusMetrics(const std::string &metric_name, const string &asset_id) const
{
float value = getValue();
if (isnan(value)) return {};
@@ -86,10 +86,10 @@ MetricCalc::getPrometheusMetrics() const
res.name = getMetricDotName() != "" ? getMetricDotName() : getMetricName();
res.type = getMetricType() == MetricType::GAUGE ? "gauge" : "counter";
res.desc = getMetircDescription();
res.description = getMetircDescription();
stringstream labels;
const auto &label_pairs = getBasicLabels();
const auto &label_pairs = getBasicLabels(metric_name, asset_id);
bool first = true;
for (auto &pair : label_pairs) {
if (!first) labels << ',';
@@ -106,7 +106,7 @@ MetricCalc::getPrometheusMetrics() const
}
map<string, string>
MetricCalc::getBasicLabels() const
MetricCalc::getBasicLabels(const string &metric_name, const string &asset_id) const
{
map<string, string> res;
@@ -121,6 +121,9 @@ MetricCalc::getBasicLabels() const
auto executable = env->get<string>("Base Executable Name");
if (executable.ok()) res["process"] = *executable;
if (!asset_id.empty()) res["assetId"] = asset_id;
res["metricName"] = metric_name;
return res;
}
@@ -158,7 +161,8 @@ GenericMetric::init(
chrono::seconds _report_interval,
bool _reset,
Audience _audience,
bool _force_buffering
bool _force_buffering,
const string &_asset_id
)
{
turnOnStream(Stream::FOG);
@@ -173,6 +177,7 @@ GenericMetric::init(
issuing_engine = _issuing_engine;
audience = _audience;
force_buffering = _force_buffering;
asset_id = _asset_id;
i_mainloop->addRecurringRoutine(
I_MainLoop::RoutineType::System,
@@ -185,13 +190,13 @@ GenericMetric::init(
},
"Metric Fog stream messaging for " + _metric_name
);
registerListener();
}
void
GenericMetric::handleMetricStreamSending()
{
if (active_streams.isSet(Stream::DEBUG)) generateDebug();
if (active_streams.isSet(Stream::PROMETHEUS)) generatePrometheus();
if (active_streams.isSet(Stream::FOG)) generateLog();
if (active_streams.isSet(Stream::AIOPS)) generateAiopsLog();
@@ -237,6 +242,7 @@ void
GenericMetric::addCalc(MetricCalc *calc)
{
calcs.push_back(calc);
prometheus_calcs.push_back(calc);
}
void
@@ -254,6 +260,12 @@ GenericMetric::respond(const AllMetricEvent &event)
return res;
}
vector<PrometheusData>
GenericMetric::respond(const MetricScrapeEvent &)
{
return getPromMetricsData();
}
string GenericMetric::getListenerName() const { return metric_name; }
void
@@ -316,70 +328,19 @@ GenericMetric::generateLog()
sendLog(metric_client_rest);
}
class PrometheusRest : public ClientRest
vector<PrometheusData>
GenericMetric::getPromMetricsData()
{
class Metric : public ClientRest
{
public:
Metric(const string &n, const string &t, const string &d, const string &l, const string &v)
:
metric_name(n),
metric_type(t),
metric_description(d),
labels(l),
value(v)
{}
private:
C2S_PARAM(string, metric_name);
C2S_PARAM(string, metric_type);
C2S_PARAM(string, metric_description);
C2S_PARAM(string, labels);
C2S_PARAM(string, value);
};
public:
PrometheusRest() : metrics(vector<Metric>()) {}
void
addMetric(const vector<PrometheusData> &vec)
{
auto &metric_vec = metrics.get();
metric_vec.reserve(vec.size());
for (auto &metric : vec) {
metric_vec.emplace_back(metric.name, metric.type, metric.desc, "{" + metric.label + "}", metric.value);
}
}
private:
C2S_PARAM(vector<Metric>, metrics);
};
void
GenericMetric::generatePrometheus()
{
if (!getProfileAgentSettingWithDefault(false, "prometheus")) return;
dbgTrace(D_METRICS) << "Generate prometheus metric";
vector<PrometheusData> all_metrics;
for (auto &calc : calcs) {
const auto &cal_metrics = calc->getPrometheusMetrics();
all_metrics.insert(all_metrics.end(), cal_metrics.begin(), cal_metrics.end());
if (!getProfileAgentSettingWithDefault(false, "prometheus")) return all_metrics;
dbgTrace(D_METRICS) << "Get prometheus metrics";
for (auto &calc : prometheus_calcs) {
const auto &calc_prom_metrics = calc->getPrometheusMetrics(metric_name, asset_id);
all_metrics.insert(all_metrics.end(), calc_prom_metrics.begin(), calc_prom_metrics.end());
calc->reset();
}
PrometheusRest rest;
rest.addMetric(all_metrics);
MessageMetadata new_config_req_md("127.0.0.1", 7465);
new_config_req_md.setConnectioFlag(MessageConnectionConfig::ONE_TIME_CONN);
new_config_req_md.setConnectioFlag(MessageConnectionConfig::UNSECURE_CONN);
Singleton::Consume<I_Messaging>::by<GenericMetric>()->sendSyncMessage(
HTTPMethod::POST,
"/add-metrics",
rest,
MessageCategory::GENERIC,
new_config_req_md
);
return all_metrics;
}
void

50
core/metric/metric_scraper.cc Normal file
View File

@@ -0,0 +1,50 @@
#include "metric/metric_scraper.h"
using namespace std;
USE_DEBUG_FLAG(D_METRICS);
class MetricScraper::Impl
{
public:
void
init()
{
Singleton::Consume<I_RestApi>::by<MetricScraper>()->addGetCall(
"service-metrics",
[&] () { return getAllPrometheusMetrics(); }
);
}
string
getAllPrometheusMetrics()
{
auto all_metrics_events_res = MetricScrapeEvent().query();
for (auto metric_vec : all_metrics_events_res) {
for (PrometheusData metric : metric_vec) {
metric.label = "{" + metric.label + "}";
all_metrics.emplace_back(metric);
}
}
stringstream ss;
{
cereal::JSONOutputArchive archive(ss);
archive(cereal::make_nvp("metrics", all_metrics));
}
all_metrics.clear();
return ss.str();
}
private:
vector<PrometheusData> all_metrics;
};
MetricScraper::MetricScraper() : Component("MetricScraper"), pimpl(make_unique<MetricScraper::Impl>()) {}
MetricScraper::~MetricScraper() {}
void
MetricScraper::init()
{
pimpl->init();
}

202
core/metric/metric_ut/metric_ut.cc
View File

@@ -14,6 +14,7 @@
#include "mock/mock_instance_awareness.h"
#include "config.h"
#include "config_component.h"
#include "metric/metric_scraper.h"
using namespace std;
using namespace chrono;
@@ -191,9 +192,11 @@ public:
MetricTest()
{
EXPECT_CALL(rest, mockRestCall(RestAction::ADD, "declare-boolean-variable", _)).WillOnce(Return(true));
env.init();
conf.preload();
ON_CALL(instance, getUniqueID()).WillByDefault(Return(string("87")));
ON_CALL(instance, getFamilyID()).WillByDefault(Return(string("")));
env.init();
Debug::setNewDefaultStdout(&debug_output);
Debug::setUnitTestFlag(D_METRICS, Debug::DebugLevel::TRACE);
setConfiguration<bool>(true, string("metric"), string("fogMetricSendEnable"));
@@ -531,9 +534,12 @@ TEST_F(MetricTest, printMetricsTest)
GenericMetric::fini();
}
TEST_F(MetricTest, printPromeathus)
TEST_F(MetricTest, getPromeathusMetric)
{
conf.preload();
MetricScraper metric_scraper;
function<string()> get_metrics_func;
EXPECT_CALL(rest, addGetCall("service-metrics", _)).WillOnce(DoAll(SaveArg<1>(&get_metrics_func), Return(true)));
metric_scraper.init();
stringstream configuration;
configuration << "{\"agentSettings\":[{\"key\":\"prometheus\",\"id\":\"id1\",\"value\":\"true\"}]}\n";
@@ -546,20 +552,21 @@ TEST_F(MetricTest, printPromeathus)
ReportIS::AudienceTeam::AGENT_CORE,
ReportIS::IssuingEngine::AGENT_CORE,
seconds(5),
false
false,
ReportIS::Audience::INTERNAL,
false,
"asset id"
);
cpu_mt.turnOffStream(GenericMetric::Stream::FOG);
cpu_mt.turnOffStream(GenericMetric::Stream::DEBUG);
cpu_mt.turnOnStream(GenericMetric::Stream::PROMETHEUS);
cpu_mt.registerListener();
CPUEvent cpu_event;
cpu_event.setProcessCPU(89);
cpu_event.notify();
string message_body;
EXPECT_CALL(messaging_mock, sendSyncMessage(_, "/add-metrics", _, _, _))
.WillOnce(DoAll(SaveArg<2>(&message_body), Return(HTTPResponse())));
string message_body = get_metrics_func();
routine();
string res =
@@ -569,42 +576,48 @@ TEST_F(MetricTest, printPromeathus)
" \"metric_name\": \"cpuMax\",\n"
" \"metric_type\": \"gauge\",\n"
" \"metric_description\": \"\",\n"
" \"labels\": \"{agent=\\\"Unknown\\\",id=\\\"87\\\"}\",\n"
" \"labels\": \"{agent=\\\"Unknown\\\",assetId=\\\"asset id\\\",id=\\\"87\\\","
"metricName=\\\"CPU usage\\\"}\",\n"
" \"value\": \"89\"\n"
" },\n"
" {\n"
" \"metric_name\": \"cpuMin\",\n"
" \"metric_type\": \"gauge\",\n"
" \"metric_description\": \"\",\n"
" \"labels\": \"{agent=\\\"Unknown\\\",id=\\\"87\\\"}\",\n"
" \"labels\": \"{agent=\\\"Unknown\\\",assetId=\\\"asset id\\\",id=\\\"87\\\","
"metricName=\\\"CPU usage\\\"}\",\n"
" \"value\": \"89\"\n"
" },\n"
" {\n"
" \"metric_name\": \"cpuAvg\",\n"
" \"metric_type\": \"gauge\",\n"
" \"metric_description\": \"\",\n"
" \"labels\": \"{agent=\\\"Unknown\\\",id=\\\"87\\\"}\",\n"
" \"labels\": \"{agent=\\\"Unknown\\\",assetId=\\\"asset id\\\",id=\\\"87\\\","
"metricName=\\\"CPU usage\\\"}\",\n"
" \"value\": \"89\"\n"
" },\n"
" {\n"
" \"metric_name\": \"cpuCurrent\",\n"
" \"metric_type\": \"gauge\",\n"
" \"metric_description\": \"\",\n"
" \"labels\": \"{agent=\\\"Unknown\\\",id=\\\"87\\\"}\",\n"
" \"labels\": \"{agent=\\\"Unknown\\\",assetId=\\\"asset id\\\",id=\\\"87\\\","
"metricName=\\\"CPU usage\\\"}\",\n"
" \"value\": \"89\"\n"
" },\n"
" {\n"
" \"metric_name\": \"cpuCounter\",\n"
" \"metric_type\": \"gauge\",\n"
" \"metric_description\": \"\",\n"
" \"labels\": \"{agent=\\\"Unknown\\\",id=\\\"87\\\"}\",\n"
" \"labels\": \"{agent=\\\"Unknown\\\",assetId=\\\"asset id\\\",id=\\\"87\\\","
"metricName=\\\"CPU usage\\\"}\",\n"
" \"value\": \"1\"\n"
" },\n"
" {\n"
" \"metric_name\": \"cpuTotalCounter\",\n"
" \"metric_type\": \"counter\",\n"
" \"metric_description\": \"\",\n"
" \"labels\": \"{agent=\\\"Unknown\\\",id=\\\"87\\\"}\",\n"
" \"labels\": \"{agent=\\\"Unknown\\\",assetId=\\\"asset id\\\",id=\\\"87\\\","
"metricName=\\\"CPU usage\\\"}\",\n"
" \"value\": \"1\"\n"
" }\n"
" ]\n"
@@ -613,9 +626,12 @@ TEST_F(MetricTest, printPromeathus)
EXPECT_EQ(message_body, res);
}
TEST_F(MetricTest, printPromeathusMultiMap)
TEST_F(MetricTest, getPromeathusMultiMap)
{
conf.preload();
MetricScraper metric_scraper;
function<string()> get_metrics_func;
EXPECT_CALL(rest, addGetCall("service-metrics", _)).WillOnce(DoAll(SaveArg<1>(&get_metrics_func), Return(true)));
metric_scraper.init();
stringstream configuration;
configuration << "{\"agentSettings\":[{\"key\":\"prometheus\",\"id\":\"id1\",\"value\":\"true\"}]}\n";
@@ -628,18 +644,18 @@ TEST_F(MetricTest, printPromeathusMultiMap)
ReportIS::AudienceTeam::AGENT_CORE,
ReportIS::IssuingEngine::AGENT_CORE,
seconds(5),
true
true,
ReportIS::Audience::INTERNAL,
false,
"asset id"
);
metric.turnOnStream(GenericMetric::Stream::PROMETHEUS);
metric.registerListener();
HttpTransaction("/index.html", "GET", 10).notify();
HttpTransaction("/index2.html", "GET", 20).notify();
HttpTransaction("/index.html", "POST", 40).notify();
string message_body;
EXPECT_CALL(messaging_mock, sendSyncMessage(_, "/add-metrics", _, _, _))
.WillOnce(DoAll(SaveArg<2>(&message_body), Return(HTTPResponse())));
string message_body = get_metrics_func();
routine();
string res =
@@ -649,24 +665,156 @@ TEST_F(MetricTest, printPromeathusMultiMap)
" \"metric_name\": \"request.total\",\n"
" \"metric_type\": \"counter\",\n"
" \"metric_description\": \"\",\n"
" \"labels\": \"{agent=\\\"Unknown\\\",id=\\\"87\\\","
"method=\\\"GET\\\",url=\\\"/index.html\\\"}\",\n"
" \"labels\": \"{agent=\\\"Unknown\\\",assetId=\\\"asset id\\\",id=\\\"87\\\","
"metricName=\\\"Bytes per URL\\\",method=\\\"GET\\\",url=\\\"/index.html\\\"}\",\n"
" \"value\": \"1\"\n"
" },\n"
" {\n"
" \"metric_name\": \"request.total\",\n"
" \"metric_type\": \"counter\",\n"
" \"metric_description\": \"\",\n"
" \"labels\": \"{agent=\\\"Unknown\\\",id=\\\"87\\\","
"method=\\\"POST\\\",url=\\\"/index.html\\\"}\",\n"
" \"labels\": \"{agent=\\\"Unknown\\\",assetId=\\\"asset id\\\",id=\\\"87\\\","
"metricName=\\\"Bytes per URL\\\",method=\\\"POST\\\",url=\\\"/index.html\\\"}\",\n"
" \"value\": \"1\"\n"
" },\n"
" {\n"
" \"metric_name\": \"request.total\",\n"
" \"metric_type\": \"counter\",\n"
" \"metric_description\": \"\",\n"
" \"labels\": \"{agent=\\\"Unknown\\\",id=\\\"87\\\","
"method=\\\"GET\\\",url=\\\"/index2.html\\\"}\",\n"
" \"labels\": \"{agent=\\\"Unknown\\\",assetId=\\\"asset id\\\",id=\\\"87\\\","
"metricName=\\\"Bytes per URL\\\",method=\\\"GET\\\",url=\\\"/index2.html\\\"}\",\n"
" \"value\": \"1\"\n"
" }\n"
" ]\n"
"}";
EXPECT_EQ(message_body, res);
}
TEST_F(MetricTest, getPromeathusTwoMetrics)
{
MetricScraper metric_scraper;
function<string()> get_metrics_func;
EXPECT_CALL(rest, addGetCall("service-metrics", _)).WillOnce(DoAll(SaveArg<1>(&get_metrics_func), Return(true)));
metric_scraper.init();
stringstream configuration;
configuration << "{\"agentSettings\":[{\"key\":\"prometheus\",\"id\":\"id1\",\"value\":\"true\"}]}\n";
EXPECT_TRUE(Singleton::Consume<Config::I_Config>::from(conf)->loadConfiguration(configuration));
CPUMetric cpu_mt;
cpu_mt.init(
"CPU usage",
ReportIS::AudienceTeam::AGENT_CORE,
ReportIS::IssuingEngine::AGENT_CORE,
seconds(5),
false,
ReportIS::Audience::INTERNAL,
false,
"asset id"
);
cpu_mt.turnOffStream(GenericMetric::Stream::FOG);
cpu_mt.turnOffStream(GenericMetric::Stream::DEBUG);
cpu_mt.registerListener();
CPUEvent cpu_event;
cpu_event.setProcessCPU(89);
cpu_event.notify();
UrlMetric2 metric;
metric.init(
"Bytes per URL",
ReportIS::AudienceTeam::AGENT_CORE,
ReportIS::IssuingEngine::AGENT_CORE,
seconds(5),
true,
ReportIS::Audience::INTERNAL,
false,
"asset id"
);
metric.registerListener();
HttpTransaction("/index.html", "GET", 10).notify();
HttpTransaction("/index2.html", "GET", 20).notify();
HttpTransaction("/index.html", "POST", 40).notify();
string message_body = get_metrics_func();
routine();
string res =
"{\n"
" \"metrics\": [\n"
" {\n"
" \"metric_name\": \"request.total\",\n"
" \"metric_type\": \"counter\",\n"
" \"metric_description\": \"\",\n"
" \"labels\": \"{agent=\\\"Unknown\\\",assetId=\\\"asset id\\\",id=\\\"87\\\","
"metricName=\\\"Bytes per URL\\\",method=\\\"GET\\\",url=\\\"/index.html\\\"}\",\n"
" \"value\": \"1\"\n"
" },\n"
" {\n"
" \"metric_name\": \"request.total\",\n"
" \"metric_type\": \"counter\",\n"
" \"metric_description\": \"\",\n"
" \"labels\": \"{agent=\\\"Unknown\\\",assetId=\\\"asset id\\\",id=\\\"87\\\","
"metricName=\\\"Bytes per URL\\\",method=\\\"POST\\\",url=\\\"/index.html\\\"}\",\n"
" \"value\": \"1\"\n"
" },\n"
" {\n"
" \"metric_name\": \"request.total\",\n"
" \"metric_type\": \"counter\",\n"
" \"metric_description\": \"\",\n"
" \"labels\": \"{agent=\\\"Unknown\\\",assetId=\\\"asset id\\\",id=\\\"87\\\","
"metricName=\\\"Bytes per URL\\\",method=\\\"GET\\\",url=\\\"/index2.html\\\"}\",\n"
" \"value\": \"1\"\n"
" },\n"
" {\n"
" \"metric_name\": \"cpuMax\",\n"
" \"metric_type\": \"gauge\",\n"
" \"metric_description\": \"\",\n"
" \"labels\": \"{agent=\\\"Unknown\\\",assetId=\\\"asset id\\\",id=\\\"87\\\","
"metricName=\\\"CPU usage\\\"}\",\n"
" \"value\": \"89\"\n"
" },\n"
" {\n"
" \"metric_name\": \"cpuMin\",\n"
" \"metric_type\": \"gauge\",\n"
" \"metric_description\": \"\",\n"
" \"labels\": \"{agent=\\\"Unknown\\\",assetId=\\\"asset id\\\",id=\\\"87\\\","
"metricName=\\\"CPU usage\\\"}\",\n"
" \"value\": \"89\"\n"
" },\n"
" {\n"
" \"metric_name\": \"cpuAvg\",\n"
" \"metric_type\": \"gauge\",\n"
" \"metric_description\": \"\",\n"
" \"labels\": \"{agent=\\\"Unknown\\\",assetId=\\\"asset id\\\",id=\\\"87\\\","
"metricName=\\\"CPU usage\\\"}\",\n"
" \"value\": \"89\"\n"
" },\n"
" {\n"
" \"metric_name\": \"cpuCurrent\",\n"
" \"metric_type\": \"gauge\",\n"
" \"metric_description\": \"\",\n"
" \"labels\": \"{agent=\\\"Unknown\\\",assetId=\\\"asset id\\\",id=\\\"87\\\","
"metricName=\\\"CPU usage\\\"}\",\n"
" \"value\": \"89\"\n"
" },\n"
" {\n"
" \"metric_name\": \"cpuCounter\",\n"
" \"metric_type\": \"gauge\",\n"
" \"metric_description\": \"\",\n"
" \"labels\": \"{agent=\\\"Unknown\\\",assetId=\\\"asset id\\\",id=\\\"87\\\","
"metricName=\\\"CPU usage\\\"}\",\n"
" \"value\": \"1\"\n"
" },\n"
" {\n"
" \"metric_name\": \"cpuTotalCounter\",\n"
" \"metric_type\": \"counter\",\n"
" \"metric_description\": \"\",\n"
" \"labels\": \"{agent=\\\"Unknown\\\",assetId=\\\"asset id\\\",id=\\\"87\\\","
"metricName=\\\"CPU usage\\\"}\",\n"
" \"value\": \"1\"\n"
" }\n"
" ]\n"

55
deployment/docker-compose/apisix/.env Normal file
View File

@@ -0,0 +1,55 @@
## .env file for docker-compose deployments of open-appsec integrated with APISIX
## for more info see https://docs.openappsec.io
APPSEC_VERSION=latest
APPSEC_CONFIG=./appsec-config
APPSEC_DATA=./appsec-data
APPSEC_LOGS=./appsec-logs
APPSEC_LOCALCONFIG=./appsec-localconfig
## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to false when centrally managing
## open-appsec configuration via open-appsec Web UI.
## You can optionally set it to true when using local, declarative management for open-appsec,
## declarative configuration will then get applied automatically when changed.
APPSEC_AUTO_POLICY_LOAD=false
## Example for configuring HTTPS Proxy:
## APPSEC_HTTPS_PROXY=user:password@proxy_address:port
APPSEC_HTTPS_PROXY=
APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage
APPSEC_USER_EMAIL=user@email.com
APPSEC_DB_PASSWORD=pass
APPSEC_DB_USER=postgres
APPSEC_DB_HOST=appsec-db
APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
## Make sure to have a valid apisix configuration for APISIX in standalone mode in the following file:
## For deployment of a simple lab testing environment, you can deploy the example configuration provided
## for the vulnerable juice-shop container, see instructions further below.
APISIX_CONFIG=./apisix-config/apisix.yaml
## To connect your deployment to central open-appsec WebUI provide the token for a profile
## which you created in open-appsec WebUI at https://my.openappsec.io
## Example: APPSEC_AGENT_TOKEN=111-22222-111
APPSEC_AGENT_TOKEN=
## Important: When not providing token for connection to central WebUI:
## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable
## sharing of learning between processes and allow you to perform tuning locally on CLI
COMPOSE_PROFILES=
## JUICE SHOP DEMO CONTAINER:
## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!):
## Add the value "juiceshop" to the COMPOSE_PROFILES value above.
## Make sure to also adjust the apisix.yaml file in APISIX_CONFIG folder
## to include route and node configuration for forwarding external traffic to the juiceshop-backend container
## (apisix listens by default for HTTP/HTTPS on port 9080/9443)
## you can use the example file available here:
## https://raw.githubusercontent.com/openappsec/openappsec/refs/heads/main/examples/juiceshop/apisix.yaml
## in the appsec-apisix service definition
## note that juiceshop container listens on HTTP port 3000 by default
## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here:
## COMPOSE_PROFILES=standalone,juiceshop

9
deployment/docker-compose/apisix/apisix-config/apisix.yaml Normal file
View File

@@ -0,0 +1,9 @@
routes:
-
uri: /
upstream:
nodes:
"juiceshop-backend:3000": 1
type: roundrobin
#END

131
deployment/docker-compose/apisix/docker-compose.yaml Normal file
View File

@@ -0,0 +1,131 @@
# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##
## Docker compose file for open-appsec integrated with APISIX
##
version: "3.9"
services:
appsec-agent:
image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
container_name: appsec-agent
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- LEARNING_HOST=appsec-smartsync
- TUNING_HOST=appsec-tuning-svc
- https_proxy=${APPSEC_HTTPS_PROXY}
- user_email=${APPSEC_USER_EMAIL}
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- registered_server=APISIX Server
ipc: shareable
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
- ${APPSEC_DATA}:/etc/cp/data
- ${APPSEC_LOGS}:/var/log/nano_agent
- ${APPSEC_LOCALCONFIG}:/ext/appsec
command: /cp-nano-agent
appsec-apisix:
image: ghcr.io/openappsec/apisix-attachment:${APPSEC_VERSION}
container_name: appsec-apisix
ipc: service:appsec-agent
restart: always
environment:
- APISIX_STAND_ALONE=true
volumes:
- ${APISIX_CONFIG}:/usr/local/apisix/conf/apisix.yaml:ro
ports:
- "9080:9080/tcp" # HTTP API port
- "9443:9443/tcp" # HTTPS API port
- "9180:9180/tcp" # Admin API HTTP port
- "9091:9091/tcp" # Admin API HTTPS port
appsec-smartsync:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
container_name: appsec-smartsync
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
restart: always
depends_on:
- appsec-shared-storage
appsec-shared-storage:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage
ipc: service:appsec-agent
restart: always
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
user: root
volumes:
- ${APPSEC_SMART_SYNC_STORAGE}:/db:z
## instead of using local storage for local learning (see line above)
## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
# - learning_nfs:/db:z
appsec-tuning-svc:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
container_name: appsec-tuning-svc
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
- QUERY_DB_HOST=${APPSEC_DB_HOST}
- QUERY_DB_USER=${APPSEC_DB_USER}
## only relevant when deploying own DB
# - SSLMODE:
restart: always
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
depends_on:
- appsec-shared-storage
- appsec-db
appsec-db:
profiles:
- standalone
image: postgres
container_name: appsec-db
restart: always
environment:
- POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
- POSTGRES_USER=${APPSEC_DB_USER}
volumes:
- ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
juiceshop-backend:
image: bkimminich/juice-shop:latest
container_name: juiceshop-backend
## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
##
## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
##
#volumes:
# learning_nfs:
# driver: local
# driver_opts:
# type: nfs
# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
# device: ":/"

64
deployment/docker-compose/envoy/.env Normal file
View File

@@ -0,0 +1,64 @@
Enter file contents here## .env file for docker-compose deployments of open-appsec integrated with Envoy
## for more info see https://docs.openappsec.io
APPSEC_VERSION=latest
APPSEC_CONFIG=./appsec-config
APPSEC_DATA=./appsec-data
APPSEC_LOGS=./appsec-logs
APPSEC_LOCALCONFIG=./appsec-localconfig
## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to false when centrally managing
## open-appsec configuration via open-appsec Web UI.
## You can optionally set it to true when using local, declarative management for open-appsec,
## declarative configuration will then get applied automatically when changed.
APPSEC_AUTO_POLICY_LOAD=false
## Example for configuring HTTPS Proxy:
## APPSEC_HTTPS_PROXY=user:password@proxy_address:port
APPSEC_HTTPS_PROXY=
APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage
APPSEC_USER_EMAIL=user@email.com
APPSEC_DB_PASSWORD=pass
APPSEC_DB_USER=postgres
APPSEC_DB_HOST=appsec-db
APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
## Make sure to have a valid envoy.yaml Envoy configuration file present in the path below.
## For deployment of a simple lab testing environment, you can deploy the example configuration provided
## for the vulnerable juice-shop container, see instructions further below.
ENVOY_CONFIG=./envoy-config/envoy.yaml
## The following two parameters are only relevant if you made a custom configuration for
## the amount of Envoy worker threads using the optional ENVOY_CONCURRENCY parameter (see also explanation in docker-compose.yaml),
## these are then required to make sure that the open-appsec attachment will create the right amount of transaction handlers.
## In this case you must set ENVOY_CONCURRENCY_CALC to "custom" and provide the specified amount of Envoy worker
## threads via "ENVOY_CONCURRENCY_NUMBER".
## Possible values for ENVOY_CONCURRENCY_CALC: "numOfCores" (default), "custom" (allows to set the configured Envoy worker
## thread amount using the ENVOY_CONCURRENCY_NUMBER parameter)
ENVOY_CONCURRENCY_CALC=numOfCores
ENVOY_CONCURRENCY_NUMBER=""
## To connect your deployment to central open-appsec WebUI provide the token for a profile
## which you created in open-appsec WebUI at https://my.openappsec.io
## Example: APPSEC_AGENT_TOKEN=111-22222-111
APPSEC_AGENT_TOKEN=
## Important: When not providing token for connection to central WebUI:
## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable
## sharing of learning between processes and allow you to perform tuning locally on CLI
COMPOSE_PROFILES=
## JUICE SHOP DEMO CONTAINER:
## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!):
## Add the value "juiceshop" to the COMPOSE_PROFILES value above.
## Make sure to also adjust the envoy.yaml file in ENVOY_CONFIG path
## to add a routing configuration for forwarding external traffic on e.g. port 80 to the juiceshop-backend container
## you can use the example file available here:
## https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/envoy/envoy.yaml
## place the file above in ENVOY_CONFIG path
## note that juiceshop container listens on HTTP port 3000 by default
## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here:
## COMPOSE_PROFILES=standalone,juiceshop

62
deployment/docker-compose/envoy/appsec-localconfig/local_policy.yaml Normal file
View File

@@ -0,0 +1,62 @@
policies:
default:
triggers:
- appsec-default-log-trigger
mode: prevent-learn
practices:
- webapp-default-practice
custom-response: appsec-default-web-user-response
specific-rules: []
practices:
- name: webapp-default-practice
openapi-schema-validation:
configmap: []
override-mode: as-top-level
snort-signatures:
configmap: []
override-mode: as-top-level
web-attacks:
max-body-size-kb: 1000000
max-header-size-bytes: 102400
max-object-depth: 40
max-url-size-bytes: 32768
minimum-confidence: critical
override-mode: as-top-level
protections:
csrf-protection: inactive
error-disclosure: inactive
non-valid-http-methods: false
open-redirect: inactive
anti-bot:
injected-URIs: []
validated-URIs: []
override-mode: as-top-level
log-triggers:
- name: appsec-default-log-trigger
access-control-logging:
allow-events: false
drop-events: true
additional-suspicious-events-logging:
enabled: true
minimum-severity: high
response-body: false
appsec-logging:
all-web-requests: false
detect-events: true
prevent-events: true
extended-logging:
http-headers: false
request-body: false
url-path: false
url-query: false
log-destination:
cloud: true
stdout:
format: json
custom-responses:
- name: appsec-default-web-user-response
mode: response-code-only
http-response-code: 403

139
deployment/docker-compose/envoy/docker-compose.yaml Normal file
View File

@@ -0,0 +1,139 @@
# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##
## Docker compose file for open-appsec integrated with Envoy
##
version: "3.9"
services:
appsec-agent:
image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
container_name: appsec-agent
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- LEARNING_HOST=appsec-smartsync
- TUNING_HOST=appsec-tuning-svc
- https_proxy=${APPSEC_HTTPS_PROXY}
- user_email=${APPSEC_USER_EMAIL}
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- registered_server="Envoy"
ipc: shareable
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
- ${APPSEC_DATA}:/etc/cp/data
- ${APPSEC_LOGS}:/var/log/nano_agent
- ${APPSEC_LOCALCONFIG}:/ext/appsec
command: /cp-nano-agent
appsec-envoy:
image: ghcr.io/openappsec/envoy-attachment:${APPSEC_VERSION}
container_name: appsec-envoy
ipc: service:appsec-agent
restart: unless-stopped
environment:
- ENVOY_UID=0
- CONCURRENCY_CALC=${ENVOY_CONCURRENCY_CALC}
- CONCURRENCY_NUMBER=${ENVOY_CONCURRENCY_NUMBER}
volumes:
- ${ENVOY_CONFIG}:/envoy.yaml
command: -c /envoy.yaml
## If required you can adjust the amount of worker threads envoy will run by commenting out the line above and uncommenting the line below
## then specify ENVOY_CONCURRENCY parameter with the desired thread amount in the .env file.
## By default there's one worker thread per virtual CPU (vCPU) core available on the machine.
# command: -c /envoy.yaml --concurrency ${ENVOY_CONCURRENCY}
ports:
- "80:80"
- "443:443"
appsec-smartsync:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
container_name: appsec-smartsync
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
restart: unless-stopped
depends_on:
- appsec-shared-storage
appsec-shared-storage:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage
ipc: service:appsec-agent
restart: unless-stopped
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
user: root
volumes:
- ${APPSEC_SMART_SYNC_STORAGE}:/db:z
## instead of using local storage for local learning (see line above)
## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
# - learning_nfs:/db:z
appsec-tuning-svc:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
container_name: appsec-tuning-svc
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
- QUERY_DB_HOST=${APPSEC_DB_HOST}
- QUERY_DB_USER=${APPSEC_DB_USER}
## only relevant when deploying own DB
# - SSLMODE:
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
depends_on:
- appsec-shared-storage
- appsec-db
appsec-db:
profiles:
- standalone
image: postgres
container_name: appsec-db
restart: unless-stopped
environment:
- POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
- POSTGRES_USER=${APPSEC_DB_USER}
volumes:
- ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
juiceshop-backend:
profiles:
- juiceshop
image: bkimminich/juice-shop:latest
container_name: juiceshop-backend
## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
##
## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
##
#volumes:
# learning_nfs:
# driver: local
# driver_opts:
# type: nfs
# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
# device: ":/"

56
deployment/docker-compose/envoy/envoy-config/envoy.yaml Normal file
View File

@@ -0,0 +1,56 @@
static_resources:
listeners:
- name: listener_0
address:
socket_address:
address: 0.0.0.0
port_value: 80
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: ingress_http
http_filters:
## The following 10 lines are required to load the envoy attachment filter for open-appsec
- name: envoy.filters.http.golang
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.golang.v3alpha.Config
library_id: cp_nano_filter
library_path: "/usr/lib/libenvoy_attachment.so"
plugin_name: cp_nano_filter
plugin_config:
"@type": type.googleapis.com/xds.type.v3.TypedStruct
value:
prefix_localreply_body: "Configured local reply from go"
- name: envoy.filters.http.router
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
##
## The following lines allow you to deploy routing of ingress traffic to the optional juice-shop example container available in the open-appsec docker-compose.yaml file.
##
route_config:
name: local_route
virtual_hosts:
- name: local_service
domains: ["*"]
routes:
- match:
prefix: "/"
route:
cluster: juiceshop
clusters:
- name: juiceshop
type: STRICT_DNS
lb_policy: ROUND_ROBIN
load_assignment:
cluster_name: juiceshop
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: juiceshop-backend
port_value: 3000

57
deployment/docker-compose/kong/.env Normal file
View File

@@ -0,0 +1,57 @@
## .env file for docker-compose deployments of open-appsec integrated with Kong
## For more info see https://docs.openappsec.io
APPSEC_VERSION=latest
APPSEC_CONFIG=./appsec-config
APPSEC_DATA=./appsec-data
APPSEC_LOGS=./appsec-logs
APPSEC_LOCALCONFIG=./appsec-localconfig
## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to false when centrally managing
## open-appsec configuration via open-appsec Web UI.
## You can optionally set it to true when using local, declarative management for open-appsec,
## declarative configuration will then get applied automatically when changed.
APPSEC_AUTO_POLICY_LOAD=false
## Example for configuring HTTPS Proxy:
## APPSEC_HTTPS_PROXY=user:password@proxy_address:port
APPSEC_HTTPS_PROXY=
APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage
APPSEC_USER_EMAIL=user@email.com
APPSEC_DB_PASSWORD=pass
APPSEC_DB_USER=postgres
APPSEC_DB_HOST=appsec-db
APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
## Make sure to have a valid Kong declarative configuration file kong.yaml in the folder specified for KONG_CONFIG.
## For deployment of a simple lab testing environment, you can deploy the example configuration provided
## for the vulnerable juice-shop container, see instructions further below.
KONG_CONFIG=./kong-config
## For Kong Gateway Enterprise Edition set KONG_IMAGE to kong-gateway-attachment instead of kong-attachment
KONG_IMAGE=kong-attachment
## To connect your deployment to central open-appsec WebUI provide the token for a profile
## which you created in open-appsec WebUI at https://my.openappsec.io
## Example: APPSEC_AGENT_TOKEN=111-22222-111
APPSEC_AGENT_TOKEN=
## Important: When not providing token for connection to central WebUI:
## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable
## sharing of learning between processes and allow you to perform tuning locally on CLI
COMPOSE_PROFILES=
## JUICE SHOP DEMO CONTAINER:
## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!):
## Add the value "juiceshop" to the COMPOSE_PROFILES value above.
## Make sure to also adjust the kong.yaml file in KONG_CONFIG folder
## to include service and route configuration for forwarding external traffic to the juiceshop-backend container
## (kong listens by default for HTTP/HTTPS on port 8000/8443)
## you can use the example file available here:
## https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/kong/kong.yaml
## note that juiceshop container listens on HTTP port 3000 by default
## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here:
## COMPOSE_PROFILES=standalone,juiceshop

135
deployment/docker-compose/kong/docker-compose.yaml Normal file
View File

@@ -0,0 +1,135 @@
# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##
## Docker compose file for open-appsec integrated with Kong
##
version: "3.9"
services:
appsec-agent:
image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
container_name: appsec-agent
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- LEARNING_HOST=appsec-smartsync
- TUNING_HOST=appsec-tuning-svc
- https_proxy=${APPSEC_HTTPS_PROXY}
- user_email=${APPSEC_USER_EMAIL}
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- registered_server=Kong Server
ipc: shareable
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
- ${APPSEC_DATA}:/etc/cp/data
- ${APPSEC_LOGS}:/var/log/nano_agent
- ${APPSEC_LOCALCONFIG}:/ext/appsec
command: /cp-nano-agent
appsec-kong:
image: ghcr.io/openappsec/${KONG_IMAGE}:${APPSEC_VERSION}
container_name: appsec-kong
ipc: service:appsec-agent
## This docker compose deploys Kong in DB-less mode with declarative Kong configuration
## please make sure to have a valid config present in {KONG_CONFIG}:
environment:
- KONG_DATABASE=off
- KONG_DECLARATIVE_CONFIG=/opt/kong/kong.yaml
volumes:
- ${KONG_CONFIG}:/opt/kong
restart: unless-stopped
ports:
- "8000:8000"
- "8443:8443"
- "127.0.0.1:8001:8001"
- "127.0.0.1:8444:8444"
appsec-smartsync:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
container_name: appsec-smartsync
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
restart: unless-stopped
depends_on:
- appsec-shared-storage
appsec-shared-storage:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage
ipc: service:appsec-agent
restart: unless-stopped
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
user: root
volumes:
- ${APPSEC_SMART_SYNC_STORAGE}:/db:z
## instead of using local storage for local learning (see line above)
## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
# - learning_nfs:/db:z
appsec-tuning-svc:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
container_name: appsec-tuning-svc
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
- QUERY_DB_HOST=${APPSEC_DB_HOST}
- QUERY_DB_USER=${APPSEC_DB_USER}
## only relevant when deploying own DB
# - SSLMODE:
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
depends_on:
- appsec-shared-storage
- appsec-db
appsec-db:
profiles:
- standalone
image: postgres
container_name: appsec-db
restart: unless-stopped
environment:
- POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
- POSTGRES_USER=${APPSEC_DB_USER}
volumes:
- ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
juiceshop-backend:
image: bkimminich/juice-shop:latest
container_name: juiceshop-backend
profiles:
- juiceshop
## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
##
## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
##
#volumes:
# learning_nfs:
# driver: local
# driver_opts:
# type: nfs
# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
# device: ":/"

9
deployment/docker-compose/kong/kong-config/kong.yaml Normal file
View File

@@ -0,0 +1,9 @@
_format_version: "3.0"
services:
- name: juiceshop-service
url: http://juiceshop-backend:3000
routes:
- name: juiceshop-route
paths:
- /

50
deployment/docker-compose/nginx-proxy-manager-centrally-managed/.env Normal file
View File

@@ -0,0 +1,50 @@
## .env file for docker-compose deployments of open-appsec integrated with NGINX Proxy Manager
## for more info see https://docs.openappsec.io
APPSEC_VERSION=latest
APPSEC_CONFIG=./appsec-config
APPSEC_DATA=./appsec-data
APPSEC_LOGS=./appsec-logs
APPSEC_LOCALCONFIG=./appsec-localconfig
## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to false when centrally managing
## open-appsec configuration via open-appsec Web UI.
## You can optionally set it to true when using local, declarative management for open-appsec,
## declarative configuration will then get applied automatically when changed.
APPSEC_AUTO_POLICY_LOAD=false
## Example for configuring HTTPS Proxy:
## APPSEC_HTTPS_PROXY=user:password@proxy_address:port
APPSEC_HTTPS_PROXY=
APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage
APPSEC_USER_EMAIL=user@email.com
APPSEC_DB_PASSWORD=pass
APPSEC_DB_USER=postgres
APPSEC_DB_HOST=appsec-db
APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
# Volume mounts for NGINX Proxy Manager have been moved here as well allowing configuration via .env file
NPM_DATA=./data
NPM_LETSENCRYPT=./letsencrypt
## To connect your deployment to central open-appsec Web UI provide the token for a profile
## which you created in open-appsec WebUI at https://my.openappsec.io
## Example: APPSEC_AGENT_TOKEN=111-22222-111
APPSEC_AGENT_TOKEN=
## Important: When not providing token for connection to central WebUI:
## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable
## sharing of learning between processes and allow you to perform tuning locally on CLI
COMPOSE_PROFILES=
## JUICE SHOP DEMO CONTAINER:
## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!):
## Add the value "juiceshop" to the COMPOSE_PROFILES value above.
## Make sure to also create a new proxy host in the NGINX Proxy Manager WebUI
## which accepts traffic on http port 80 and proxies traffic to juiceshop-backend on port 3000.
## note that juiceshop container listens on HTTP port 3000 by default
## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here:
## COMPOSE_PROFILES=standalone,juiceshop

132
deployment/docker-compose/nginx-proxy-manager-centrally-managed/docker-compose.yaml Normal file
View File

@@ -0,0 +1,132 @@
# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##
## Docker compose file for open-appsec integrated with NGINX Proxy Manager
## with open-appsec management via central open-appsec WebUI (SaaS)
##
version: '3.9'
services:
appsec-agent:
image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
container_name: appsec-agent
ipc: shareable
restart: unless-stopped
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- LEARNING_HOST=appsec-smartsync
- TUNING_HOST=appsec-tuning-svc
- https_proxy=${APPSEC_HTTPS_PROXY}
- user_email=${APPSEC_USER_EMAIL}
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- nginxproxymanager=true
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
- ${APPSEC_DATA}:/etc/cp/data
- ${APPSEC_LOGS}:/var/log/nano_agent
- ${APPSEC_LOCALCONFIG}:/ext/appsec
command: /cp-nano-agent
appsec-nginx-proxy-manager:
container_name: appsec-nginx-proxy-manager
image: ghcr.io/openappsec/nginx-proxy-manager-centrally-managed-attachment:${APPSEC_VERSION}
ipc: service:appsec-agent
restart: unless-stopped
ports:
- 80:80 # Public HTTP Port
- 443:443 # Public HTTPS Port
- 81:81 # Admin Web Port
volumes:
- ${NPM_DATA}:/data
- ${NPM_LETSENCRYPT}:/etc/letsencrypt
appsec-smartsync:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
container_name: appsec-smartsync
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
restart: unless-stopped
depends_on:
- appsec-shared-storage
appsec-shared-storage:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage
ipc: service:appsec-agent
restart: unless-stopped
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
user: root
volumes:
- ${APPSEC_SMART_SYNC_STORAGE}:/db:z
## instead of using local storage for local learning (see line above)
## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
# - learning_nfs:/db:z
appsec-tuning-svc:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
container_name: appsec-tuning-svc
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
- QUERY_DB_HOST=${APPSEC_DB_HOST}
- QUERY_DB_USER=${APPSEC_DB_USER}
## only relevant when deploying own DB
# - SSLMODE:
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
depends_on:
- appsec-shared-storage
- appsec-db
appsec-db:
profiles:
- standalone
image: postgres
container_name: appsec-db
restart: unless-stopped
environment:
- POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
- POSTGRES_USER=${APPSEC_DB_USER}
volumes:
- ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
juiceshop-backend:
image: bkimminich/juice-shop:latest
container_name: juiceshop-backend
profiles:
- juiceshop
## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
##
## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
##
#volumes:
# learning_nfs:
# driver: local
# driver_opts:
# type: nfs
# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
# device: ":/"

48
deployment/docker-compose/nginx-proxy-manager/.env Normal file
View File

@@ -0,0 +1,48 @@
## .env file for docker-compose deployments of open-appsec integrated with NGINX Proxy Manager
## for more info see https://docs.openappsec.io
APPSEC_VERSION=latest
APPSEC_CONFIG=./appsec-config
APPSEC_DATA=./appsec-data
APPSEC_LOGS=./appsec-logs
APPSEC_LOCALCONFIG=./appsec-localconfig
## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to true for changes
## of open-appsec configuration in the NGINX Proxy Manager WebUI to be applied automatically
APPSEC_AUTO_POLICY_LOAD=true
## Example for configuring HTTPS Proxy:
## APPSEC_HTTPS_PROXY=user:password@proxy_address:port
APPSEC_HTTPS_PROXY=
APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage
APPSEC_USER_EMAIL=user@email.com
APPSEC_DB_PASSWORD=pass
APPSEC_DB_USER=postgres
APPSEC_DB_HOST=appsec-db
APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
# Volume mounts for NGINX Proxy Manager have been moved here as well allowing configuration via .env file
NPM_DATA=./data
NPM_LETSENCRYPT=./letsencrypt
## To connect your deployment to central open-appsec WebUI provide the token for a profile
## which you created in open-appsec WebUI at https://my.openappsec.io
## Example: APPSEC_AGENT_TOKEN=111-22222-111
APPSEC_AGENT_TOKEN=
## Important: When not providing token for connection to central WebUI:
## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable
## sharing of learning between processes and allow you to perform tuning locally on CLI
COMPOSE_PROFILES=
## JUICE SHOP DEMO CONTAINER:
## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!):
## Add the value "juiceshop" to the COMPOSE_PROFILES value above.
## Make sure to also create a new proxy host in the NGINX Proxy Manager WebUI
## which accepts traffic on http port 80 and proxies traffic to juiceshop-backend on port 3000.
## note that juiceshop container listens on HTTP port 3000 by default
## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here:
## COMPOSE_PROFILES=standalone,juiceshop

135
deployment/docker-compose/nginx-proxy-manager/docker-compose.yaml Normal file
View File

@@ -0,0 +1,135 @@
# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##
## Docker compose file for open-appsec integrated with NGINX Proxy Manager
## with open-appsec management via NGINX Proxy Manager WebUI
##
version: '3.9'
services:
appsec-agent:
image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
container_name: appsec-agent
ipc: service:appsec-nginx-proxy-manager
network_mode: service:appsec-nginx-proxy-manager
restart: unless-stopped
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- LEARNING_HOST=appsec-smartsync
- TUNING_HOST=appsec-tuning-svc
- https_proxy=${APPSEC_HTTPS_PROXY}
- user_email=${APPSEC_USER_EMAIL}
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- nginxproxymanager=true
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
- ${APPSEC_DATA}:/etc/cp/data
- ${APPSEC_LOGS}:/var/log/nano_agent
- ${APPSEC_LOCALCONFIG}:/ext/appsec
command: /cp-nano-agent
appsec-nginx-proxy-manager:
container_name: appsec-nginx-proxy-manager
image: ghcr.io/openappsec/nginx-proxy-manager-attachment:${APPSEC_VERSION}
ipc: shareable
restart: unless-stopped
ports:
- 80:80 # Public HTTP Port
- 443:443 # Public HTTPS Port
- 81:81 # Admin Web Port
volumes:
- ${NPM_DATA}:/data
- ${NPM_LETSENCRYPT}:/etc/letsencrypt
- ${APPSEC_LOGS}:/ext/appsec-logs
- ${APPSEC_LOCALCONFIG}:/ext/appsec
appsec-smartsync:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
container_name: appsec-smartsync
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
restart: unless-stopped
depends_on:
- appsec-shared-storage
appsec-shared-storage:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage
ipc: service:appsec-agent
restart: unless-stopped
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
user: root
volumes:
- ${APPSEC_SMART_SYNC_STORAGE}:/db:z
## instead of using local storage for local learning (see line above)
## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
# - learning_nfs:/db:z
appsec-tuning-svc:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
container_name: appsec-tuning-svc
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
- QUERY_DB_HOST=${APPSEC_DB_HOST}
- QUERY_DB_USER=${APPSEC_DB_USER}
## only relevant when deploying own DB
# - SSLMODE:
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
depends_on:
- appsec-shared-storage
- appsec-db
appsec-db:
profiles:
- standalone
image: postgres
container_name: appsec-db
restart: unless-stopped
environment:
- POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
- POSTGRES_USER=${APPSEC_DB_USER}
volumes:
- ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
juiceshop-backend:
image: bkimminich/juice-shop:latest
container_name: juiceshop-backend
profiles:
- juiceshop
## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
##
## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
##
#volumes:
# learning_nfs:
# driver: local
# driver_opts:
# type: nfs
# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
# device: ":/"

54
deployment/docker-compose/nginx-unified/.env Normal file
View File

@@ -0,0 +1,54 @@
## .env file for docker-compose deployments of open-appsec integrated with NGINX
## for more info see https://docs.openappsec.io
APPSEC_VERSION=latest
APPSEC_CONFIG=./appsec-config
APPSEC_DATA=./appsec-data
APPSEC_LOGS=./appsec-logs
APPSEC_LOCALCONFIG=./appsec-localconfig
## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to false when centrally managing
## open-appsec configuration via open-appsec Web UI.
## You can optionally set it to true when using local, declarative management for open-appsec,
## declarative configuration will then get applied automatically when changed.
APPSEC_AUTO_POLICY_LOAD=false
## Example for configuring HTTPS Proxy:
## APPSEC_HTTPS_PROXY=user:password@proxy_address:port
APPSEC_HTTPS_PROXY=
APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage
APPSEC_USER_EMAIL=user@email.com
APPSEC_DB_PASSWORD=pass
APPSEC_DB_USER=postgres
APPSEC_DB_HOST=appsec-db
APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
## Make sure to have a valid NGINX configuration file default.conf in the folder specified for NGINX_CONFIG.
## For deployment of a simple lab testing environment, you can deploy the example configuration provided
## for the vulnerable juice-shop container, see instructions further below.
NGINX_CONFIG=./nginx-config
## To connect your deployment to central open-appsec WebUI provide the token for a profile
## which you created in open-appsec WebUI at https://my.openappsec.io
## Example: APPSEC_AGENT_TOKEN=111-22222-111
APPSEC_AGENT_TOKEN=
## Important: When not providing token for connection to central WebUI:
## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable
## sharing of learning between processes and allow you to perform tuning locally on CLI
COMPOSE_PROFILES=
## JUICE SHOP DEMO CONTAINER:
## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!):
## Add the value "juiceshop" to the COMPOSE_PROFILES value above.
## Make sure to also adjust the nginx.conf file in NGINX_CONFIG folder
## to include a proxy_pass directive forwarding external traffic on e.g. port 80 to the juiceshop-backend container
## you can use the example file available here:
## https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/nginx/default.conf
## place the file above in NGINX_CONFIG folder
## note that juiceshop container listens on HTTP port 3000 by default
## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here:
## COMPOSE_PROFILES=standalone,juiceshop

126
deployment/docker-compose/nginx-unified/docker-compose.yaml Normal file
View File

@@ -0,0 +1,126 @@
# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##
## Docker compose file for open-appsec deployments of NGINX unified container
##
version: "3.9"
services:
appsec-agent-nginx-unified:
image: ghcr.io/openappsec/agent-unified:${APPSEC_VERSION}
container_name: appsec-agent-nginx-unified
restart: unless-stopped
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- LEARNING_HOST=appsec-smartsync
- TUNING_HOST=appsec-tuning-svc
- https_proxy=${APPSEC_HTTPS_PROXY}
- user_email=${APPSEC_USER_EMAIL}
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
ipc: shareable
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
- ${APPSEC_DATA}:/etc/cp/data
- ${APPSEC_LOGS}:/var/log/nano_agent
- ${APPSEC_LOCALCONFIG}:/ext/appsec
- ${NGINX_CONFIG}:/etc/nginx/conf.d
## advanced configuration - volume mount for nginx.conf file:
## to change global instructions it's possible to also mount your own nginx.conf file by uncommenting the two lines below
## make sure to include the line starting with "load_module" which loads the appsec attachment
## and is included in /etc/nginx/conf.d/nginx.conf file as part of the nginx-attachment container
# - ${NGINX_CONF_FILE}:/etc/nginx/nginx.conf
ports:
- "80:80"
- "443:443"
command: /cp-nano-agent
appsec-smartsync:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
container_name: appsec-smartsync
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
restart: unless-stopped
depends_on:
- appsec-shared-storage
appsec-shared-storage:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage
ipc: service:appsec-agent-nginx-unified
restart: unless-stopped
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
user: root
volumes:
- ${APPSEC_SMART_SYNC_STORAGE}:/db:z
## instead of using local storage for local learning (see line above)
## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
# - learning_nfs:/db:z
appsec-tuning-svc:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
container_name: appsec-tuning-svc
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
- QUERY_DB_HOST=${APPSEC_DB_HOST}
- QUERY_DB_USER=${APPSEC_DB_USER}
## only relevant when deploying own DB
# - SSLMODE:
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
depends_on:
- appsec-shared-storage
- appsec-db
appsec-db:
profiles:
- standalone
image: postgres
container_name: appsec-db
restart: unless-stopped
environment:
- POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
- POSTGRES_USER=${APPSEC_DB_USER}
volumes:
- ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
juiceshop-backend:
image: bkimminich/juice-shop:latest
container_name: juiceshop-backend
profiles:
- juiceshop
## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
##
## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
##
#volumes:
# learning_nfs:
# driver: local
# driver_opts:
# type: nfs
# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
# device: ":/"

47
deployment/docker-compose/nginx-unified/nginx-config/default.conf Normal file
View File

@@ -0,0 +1,47 @@
server {
listen 80;
listen [::]:80;
server_name _;
#access_log /var/log/nginx/host.access.log main;
location / {
proxy_pass http://juiceshop-backend:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}

54
deployment/docker-compose/nginx/.env Normal file
View File

@@ -0,0 +1,54 @@
## .env file for docker-compose deployments of open-appsec integrated with NGINX
## for more info see https://docs.openappsec.io
APPSEC_VERSION=latest
APPSEC_CONFIG=./appsec-config
APPSEC_DATA=./appsec-data
APPSEC_LOGS=./appsec-logs
APPSEC_LOCALCONFIG=./appsec-localconfig
## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to false when centrally managing
## open-appsec configuration via open-appsec Web UI.
## You can optionally set it to true when using local, declarative management for open-appsec,
## declarative configuration will then get applied automatically when changed.
APPSEC_AUTO_POLICY_LOAD=false
## Example for configuring HTTPS Proxy:
## APPSEC_HTTPS_PROXY=user:password@proxy_address:port
APPSEC_HTTPS_PROXY=
APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage
APPSEC_USER_EMAIL=user@email.com
APPSEC_DB_PASSWORD=pass
APPSEC_DB_USER=postgres
APPSEC_DB_HOST=appsec-db
APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
## Make sure to have a valid NGINX configuration file default.conf in the folder specified for NGINX_CONFIG.
## For deployment of a simple lab testing environment, you can deploy the example configuration provided
## for the vulnerable juice-shop container, see instructions further below.
NGINX_CONFIG=./nginx-config
## To connect your deployment to central open-appsec WebUI provide the token for a profile
## which you created in open-appsec WebUI at https://my.openappsec.io
## Example: APPSEC_AGENT_TOKEN=111-22222-111
APPSEC_AGENT_TOKEN=
## Important: When not providing token for connection to central WebUI:
## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable
## sharing of learning between processes and allow you to perform tuning locally on CLI
COMPOSE_PROFILES=
## JUICE SHOP DEMO CONTAINER:
## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!):
## Add the value "juiceshop" to the COMPOSE_PROFILES value above.
## Make sure to also adjust the nginx.conf file in NGINX_CONFIG folder
## to include a proxy_pass directive forwarding external traffic on e.g. port 80 to the juiceshop-backend container
## you can use the example file available here:
## https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/nginx/default.conf
## place the file above in NGINX_CONFIG folder
## note that juiceshop container listens on HTTP port 3000 by default
## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here:
## COMPOSE_PROFILES=standalone,juiceshop

136
deployment/docker-compose/nginx/docker-compose.yaml Normal file
View File

@@ -0,0 +1,136 @@
# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##
## Docker compose file for open-appsec integrated with NGINX
##
version: "3.9"
services:
appsec-agent:
image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
container_name: appsec-agent
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- LEARNING_HOST=appsec-smartsync
- TUNING_HOST=appsec-tuning-svc
- https_proxy=${APPSEC_HTTPS_PROXY}
- user_email=${APPSEC_USER_EMAIL}
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- registered_server="NGINX Server"
ipc: shareable
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
- ${APPSEC_DATA}:/etc/cp/data
- ${APPSEC_LOGS}:/var/log/nano_agent
- ${APPSEC_LOCALCONFIG}:/ext/appsec
command: /cp-nano-agent
appsec-nginx:
image: ghcr.io/openappsec/nginx-attachment:${APPSEC_VERSION}
container_name: appsec-nginx
ipc: service:appsec-agent
restart: unless-stopped
volumes:
- ${NGINX_CONFIG}:/etc/nginx/conf.d
## advanced configuration - volume mount for nginx.conf file:
## To change global instructions it's possible to also mount your own nginx.conf file by uncommenting the line below
## then specify a desired local folder for NGINX_CONF_FILE in the .env file.
## In the nginx.conf file make sure to include the line starting with "load_module" which loads the appsec attachment
## and is included in /etc/nginx/conf.d/nginx.conf file as part of the nginx-attachment container.
# - ${NGINX_CONF_FILE}:/etc/nginx/nginx.conf
ports:
- "80:80"
- "443:443"
appsec-smartsync:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
container_name: appsec-smartsync
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
restart: unless-stopped
depends_on:
- appsec-shared-storage
appsec-shared-storage:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage
ipc: service:appsec-agent
restart: unless-stopped
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
user: root
volumes:
- ${APPSEC_SMART_SYNC_STORAGE}:/db:z
## instead of using local storage for local learning (see line above)
## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
# - learning_nfs:/db:z
appsec-tuning-svc:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
container_name: appsec-tuning-svc
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
- QUERY_DB_HOST=${APPSEC_DB_HOST}
- QUERY_DB_USER=${APPSEC_DB_USER}
## only relevant when deploying own DB
# - SSLMODE:
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
depends_on:
- appsec-shared-storage
- appsec-db
appsec-db:
profiles:
- standalone
image: postgres
container_name: appsec-db
restart: unless-stopped
environment:
- POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
- POSTGRES_USER=${APPSEC_DB_USER}
volumes:
- ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
juiceshop-backend:
image: bkimminich/juice-shop:latest
container_name: juiceshop-backend
profiles:
- juiceshop
## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
##
## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
##
#volumes:
# learning_nfs:
# driver: local
# driver_opts:
# type: nfs
# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
# device: ":/"

47
deployment/docker-compose/nginx/nginx-config/default.conf Normal file
View File

@@ -0,0 +1,47 @@
server {
listen 80;
listen [::]:80;
server_name _;
#access_log /var/log/nginx/host.access.log main;
location / {
proxy_pass http://juiceshop-backend:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}

76
deployment/docker-compose/swag/.env Normal file
View File

@@ -0,0 +1,76 @@
## .env file for docker-compose deployments of open-appsec integrated with SWAG
## for more info see https://docs.openappsec.io
APPSEC_VERSION=latest
APPSEC_CONFIG=./appsec-config
APPSEC_DATA=./appsec-data
APPSEC_LOGS=./appsec-logs
APPSEC_LOCALCONFIG=./appsec-localconfig
## Make sure the parameter APPSEC_AUTO_POLICY_LOAD is set to false when centrally managing
## open-appsec configuration via open-appsec Web UI.
## You can optionally set it to true when using local, declarative management for open-appsec,
## declarative configuration will then get applied automatically when changed.
APPSEC_AUTO_POLICY_LOAD=false
## Example for configuring HTTPS Proxy:
## APPSEC_HTTPS_PROXY=user:password@proxy_address:port
APPSEC_HTTPS_PROXY=
APPSEC_SMART_SYNC_STORAGE=./appsec-smartsync-storage
APPSEC_USER_EMAIL=user@email.com
APPSEC_DB_PASSWORD=pass
APPSEC_DB_USER=postgres
APPSEC_DB_HOST=appsec-db
APPSEC_POSTGRES_STORAGE=./appsec-postgres-data
## Most relevant SWAG parameters have been moved here as well allowing configuration via .env file
SWAG_CONFIG=./swag-config
## Make sure to have a valid nginx config default.conf in SWAG_NGINX_SITE_CONFS folder
SWAG_NGINX_SITE_CONFS=./swag-nginx-site-confs
## Make sure to have valid *.conf proxy configuration in SWAG_NGINX_PROXY_CONFS folder
SWAG_PROXY_CONFS=./swag-proxy-confs
## For deployment of a simple lab testing environment, you can deploy the example configuration provided
## for the vulnerable juice-shop container, see instructions further below.
SWAG_TZ=Etc/UTC
SWAG_VALIDATION=http # configure "http" or "dns" as validation modes
SWAG_DNSPLUGIN="" # configure e.g. "route53" or some other DNS Plugin supported by SWAG if you set "dns" above
## Examples parameters for "route53" DNS plugin (AWS DNS service), you can add others here as required,
## when you do make sure to also add them to the docker compose file
SWAG_AWS_ACCESS_KEY_ID=""
SWAG_AWS_SECRET_ACCESS_KEY=""
##
SWAG_STAGING=true ## switch to 'false' after successful testing
SWAG_URL=yourdomain.url
SWAG_SUBDOMAINS=""
SWAG_ONLY_SUBDOMAINS=""
## replace yourdomain.url with your own domain
## make sure your domain's public IP resolves to
## the docker host for Let's Encrypt cert generation to succeed
## To connect your deployment to central open-appsec WebUI provide the token for a profile
## which you created in open-appsec WebUI at https://my.openappsec.io
## Example: APPSEC_AGENT_TOKEN=111-22222-111
APPSEC_AGENT_TOKEN=
## Important: When not providing token for connection to central WebUI:
## Make sure to add the value "standalone" to the COMPOSE_PROFILES value, this will enable
## sharing of learning between processes and allow you to perform tuning locally on CLI
COMPOSE_PROFILES=
## JUICE SHOP DEMO CONTAINER:
## In order to deploy the optional, additional, vulnerable juiceshop container (for demo and testing purposes only!):
## Add the value "juiceshop" to the COMPOSE_PROFILES value above.
## Make sure to put a juiceshop.subfolder.conf file in SWAG_PROXY_CONFS folder
## for proxying external traffic to the juiceshop-backend container and also adjust the NGINX default.conf file in SWAG_NGINX_SITE_CONFS folder
## you can use the example files available here:
## https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/swag/juiceshop.subfolder.conf
## https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/swag/default.conf
## note that juiceshop container listens on HTTP port 3000 by default
## Note that COMPOSE_PROFILES can also receive multiple values, e.g. as shown here:
## COMPOSE_PROFILES=standalone,juiceshop

145
deployment/docker-compose/swag/docker-compose.yaml Normal file
View File

@@ -0,0 +1,145 @@
# Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##
## Docker compose file for open-appsec integrated with SWAG
##
version: "3.9"
services:
appsec-agent:
image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
container_name: appsec-agent
restart: unless-stopped
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- LEARNING_HOST=appsec-smartsync
- TUNING_HOST=appsec-tuning-svc
- https_proxy=${APPSEC_HTTPS_PROXY}
- user_email=${APPSEC_USER_EMAIL}
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- registered_server=SWAG Server
ipc: shareable
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
- ${APPSEC_DATA}:/etc/cp/data
- ${APPSEC_LOGS}:/var/log/nano_agent
- ${APPSEC_LOCALCONFIG}:/ext/appsec
command: /cp-nano-agent
appsec-swag:
image: ghcr.io/openappsec/swag-attachment:latest
container_name: appsec-swag
ipc: service:appsec-agent
restart: unless-stopped
cap_add:
- NET_ADMIN
environment:
- PUID=1000
- PGID=1000
- TZ=${SWAG_TZ}
- URL=${SWAG_URL}
- VALIDATION=${SWAG_VALIDATION}
- DNSPLUGIN=${SWAG_DNSPLUGIN}
- AWS_ACCESS_KEY_ID=${SWAG_AWS_ACCESS_KEY_ID}
- AWS_SECRET_ACCESS_KEY=${SWAG_AWS_SECRET_ACCESS_KEY}
- SUBDOMAINS=${SWAG_SUBDOMAINS}
- ONLY_SUBDOMAINS=${SWAG_ONLY_SUBDOMAINS}
## see https://docs.linuxserver.io/images/docker-swag/ for
## more cert generation/validation options
- STAGING=${SWAG_STAGING}
volumes:
- ${SWAG_CONFIG}:/config
- ${SWAG_NGINX_SITE_CONFS}:/config/nginx/site-confs
- ${SWAG_PROXY_CONFS}:/config/nginx/proxy-confs
ports:
- 443:443
- 80:80 ## optional
appsec-smartsync:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync:${APPSEC_VERSION}
container_name: appsec-smartsync
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
restart: unless-stopped
depends_on:
- appsec-shared-storage
appsec-shared-storage:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
container_name: appsec-shared-storage
ipc: service:appsec-agent
restart: unless-stopped
## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db
user: root
volumes:
- ${APPSEC_SMART_SYNC_STORAGE}:/db:z
## instead of using local storage for local learning (see line above)
## you can also configure central nfs storage by configuring nfs volume (uncomment the relevant section at end of this file)
## use a shared nfs storage which is recommended in redundant deployments (uncomment line below, comment out the line above)
# - learning_nfs:/db:z
appsec-tuning-svc:
profiles:
- standalone
image: ghcr.io/openappsec/smartsync-tuning:${APPSEC_VERSION}
container_name: appsec-tuning-svc
environment:
- SHARED_STORAGE_HOST=appsec-shared-storage
- QUERY_DB_PASSWORD=${APPSEC_DB_PASSWORD}
- QUERY_DB_HOST=${APPSEC_DB_HOST}
- QUERY_DB_USER=${APPSEC_DB_USER}
## only relevant when deploying own DB
# - SSLMODE:
restart: unless-stopped
volumes:
- ${APPSEC_CONFIG}:/etc/cp/conf
depends_on:
- appsec-shared-storage
- appsec-db
appsec-db:
profiles:
- standalone
image: postgres
container_name: appsec-db
restart: unless-stopped
environment:
- POSTGRES_PASSWORD=${APPSEC_DB_PASSWORD}
- POSTGRES_USER=${APPSEC_DB_USER}
volumes:
- ${APPSEC_POSTGRES_STORAGE}:/var/lib/postgresql/data
## example juice-shop backend container (vulnerable webserver, USE ONLY FOR TESTING AND IN LAB ENV)
juiceshop-backend:
image: bkimminich/juice-shop:latest
container_name: juiceshop-backend
## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
##
## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)
##
#volumes:
# learning_nfs:
# driver: local
# driver_opts:
# type: nfs
# o: addr=fs-abcdef.efs.eu-west-1.amazonaws.com,rw,nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport
# device: ":/"

84
deployment/docker-compose/swag/swag-nginx-site-confs/default.conf Normal file
View File

@@ -0,0 +1,84 @@
## Version 2024/07/16 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample
# redirect all traffic to https
server {
listen 80 default_server;
listen [::]:80 default_server;
location / {
return 301 https://$host$request_uri;
}
}
# main server block
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
server_name _;
include /config/nginx/ssl.conf;
# root /config/www;
# index index.html index.htm index.php;
# enable subfolder method reverse proxy confs
include /config/nginx/proxy-confs/*.subfolder.conf;
# enable for ldap auth (requires ldap-location.conf in the location block)
#include /config/nginx/ldap-server.conf;
# enable for Authelia (requires authelia-location.conf in the location block)
#include /config/nginx/authelia-server.conf;
# enable for Authentik (requires authentik-location.conf in the location block)
#include /config/nginx/authentik-server.conf;
#location / {
# enable for basic auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable for ldap auth (requires ldap-server.conf in the server block)
#include /config/nginx/ldap-location.conf;
# enable for Authelia (requires authelia-server.conf in the server block)
#include /config/nginx/authelia-location.conf;
# enable for Authentik (requires authentik-server.conf in the server block)
#include /config/nginx/authentik-location.conf;
# try_files $uri $uri/ /index.html /index.htm /index.php$is_args$args;
#}
location ~ ^(.+\.php)(.*)$ {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable for ldap auth (requires ldap-server.conf in the server block)
#include /config/nginx/ldap-location.conf;
# enable for Authelia (requires authelia-server.conf in the server block)
#include /config/nginx/authelia-location.conf;
# enable for Authentik (requires authentik-server.conf in the server block)
#include /config/nginx/authentik-location.conf;
fastcgi_split_path_info ^(.+\.php)(.*)$;
if (!-f $document_root$fastcgi_script_name) { return 404; }
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
}
# deny access to .htaccess/.htpasswd files
location ~ /\.ht {
deny all;
}
}
# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;
# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;

22
deployment/docker-compose/swag/swag-proxy-confs/juiceshop.subfolder.conf Normal file
View File

@@ -0,0 +1,22 @@
location / {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable for ldap auth (requires ldap-server.conf in the server block)
#include /config/nginx/ldap-location.conf;
# enable for Authelia (requires authelia-server.conf in the server block)
#include /config/nginx/authelia-location.conf;
# enable for Authentik (requires authentik-server.conf in the server block)
#include /config/nginx/authentik-location.conf;
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
set $upstream_app juiceshop-backend;
set $upstream_port 3000;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}

3
deployment/nginx/docker-compose.yaml
View File

@@ -9,7 +9,7 @@ services:
- TUNING_HOST=appsec-tuning-svc
- https_proxy=${APPSEC_HTTPS_PROXY}
- user_email=${USER_EMAIL}
- AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
# - AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
- autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
- registered_server="NGINX Server"
ipc: shareable
@@ -96,7 +96,6 @@ services:
## to include a proxy_pass directive forwarding external traffic on e.g. port 80 to the juiceshop-backend container
## you can use the example file available here:
## https://raw.githubusercontent.com/openappsec/openappsec/refs/heads/main/examples/juiceshop/default.conf
## place the file above in {NGINX_CONF_DIR} and uncomment the two lines for creating a volume mount
## in the appsec-nginx service definition
## note that juiceshop container listens on HTTP port 3000 by default
#

47
deployment/nginx/nginx-config/default.conf Normal file
View File

@@ -0,0 +1,47 @@
server {
listen 80;
listen [::]:80;
server_name _;
#access_log /var/log/nginx/host.access.log main;
location / {
proxy_pass http://juiceshop-backend:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}

1
nodes/orchestration/package/CMakeLists.txt
View File

@@ -26,6 +26,7 @@ install(FILES configuration/cp-nano-orchestration-debug-conf.json DESTINATION ./
install(FILES watchdog/watchdog DESTINATION ./orchestration/watchdog/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES watchdog/wait-for-networking-inspection-modules.sh DESTINATION ./orchestration/watchdog/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES watchdog/access_pre_init DESTINATION ./orchestration/watchdog/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES watchdog/revert_orchestrator_version.sh DESTINATION ./orchestration/watchdog/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES local-default-policy.yaml DESTINATION ./orchestration/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES open-appsec-cloud-mgmt DESTINATION ./orchestration/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)

14
nodes/orchestration/package/open-appsec-cloud-mgmt-k8s
View File

@@ -125,6 +125,20 @@ generate_policy()
done
done
all_policyactivations=$(curl -s --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" \
-X GET ${APISERVER}/apis/openappsec.io/v1beta2/policyactivations)
policyactivation_list=$(echo $all_policyactivations | /etc/cp/bin/yq eval '.items[].metadata.name' -)
for policyactivation_name in ${policyactivation_list}; do
policyactivation_crd=$(curl -s --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" \
-X GET ${APISERVER}/apis/openappsec.io/v1beta2/policyactivations/${policyactivation_name})
policyactivation_crd=$(echo $policyactivation_crd | tr -d '\n')
if [ "$FIRST" = "0" ]; then
POLICY="$POLICY ,"
fi
POLICY="$POLICY $policyactivation_crd"
FIRST="0"
done
POLICY="$POLICY ] } } }"
echo $POLICY > $POLICY_CRDS_PATH
}

2
nodes/orchestration/package/orchestration_package.sh
View File

@@ -593,8 +593,10 @@ install_watchdog()
cp_exec "mkdir -p ${FILESYSTEM_PATH}/${WATCHDOG_PATH}"
cp_copy watchdog/watchdog ${FILESYSTEM_PATH}/${WATCHDOG_PATH}/cp-nano-watchdog
cp_copy watchdog/wait-for-networking-inspection-modules.sh ${FILESYSTEM_PATH}/${WATCHDOG_PATH}/wait-for-networking-inspection-modules.sh
cp_copy watchdog/revert_orchestrator_version.sh ${FILESYSTEM_PATH}/${WATCHDOG_PATH}/revert_orchestrator_version.sh
cp_exec "chmod 700 ${FILESYSTEM_PATH}/${WATCHDOG_PATH}/cp-nano-watchdog"
cp_exec "chmod 700 ${FILESYSTEM_PATH}/${WATCHDOG_PATH}/wait-for-networking-inspection-modules.sh"
cp_exec "chmod 700 ${FILESYSTEM_PATH}/${WATCHDOG_PATH}/revert_orchestrator_version.sh"
cp_exec "touch ${FILESYSTEM_PATH}/${WATCHDOG_PATH}/wd.services"
cp_exec "${FILESYSTEM_PATH}/${WATCHDOG_PATH}/cp-nano-watchdog --register $is_upgrade ${FILESYSTEM_PATH}/${SERVICE_PATH}/cp-nano-orchestration $var_arch_flag"

Some files were not shown because too many files have changed in this diff Show More