sync code

Aug 20th update

attachments/nginx/nginx_attachment_util/nginx_attachment_util_ut/nginx_attachment_util_ut.cc

@@ -73,27 +73,27 @@ TEST_F(HttpAttachmentUtilTest, GetValidAttachmentConfiguration)
     valid_configuration_file.close();
 
     EXPECT_EQ(initAttachmentConfig(attachment_configuration_file_name.c_str()), 1);
-    EXPECT_EQ(getDbgLevel(), 2);
+    EXPECT_EQ(getDbgLevel(), 2u);
     EXPECT_EQ(getStaticResourcesPath(), static_resources_path);
     EXPECT_EQ(isFailOpenMode(), 0);
-    EXPECT_EQ(getFailOpenTimeout(), 1234);
+    EXPECT_EQ(getFailOpenTimeout(), 1234u);
     EXPECT_EQ(isFailOpenHoldMode(), 1);
-    EXPECT_EQ(getFailOpenHoldTimeout(), 4321);
+    EXPECT_EQ(getFailOpenHoldTimeout(), 4321u);
     EXPECT_EQ(isFailOpenOnSessionLimit(), 1);
-    EXPECT_EQ(getMaxSessionsPerMinute(), 0);
-    EXPECT_EQ(getNumOfNginxIpcElements(), 200);
-    EXPECT_EQ(getKeepAliveIntervalMsec(), 10000);
-    EXPECT_EQ(getResProccessingTimeout(), 420);
-    EXPECT_EQ(getReqProccessingTimeout(), 42);
-    EXPECT_EQ(getRegistrationThreadTimeout(), 101);
-    EXPECT_EQ(getReqHeaderThreadTimeout(), 10);
-    EXPECT_EQ(getReqBodyThreadTimeout(), 155);
-    EXPECT_EQ(getResHeaderThreadTimeout(), 1);
-    EXPECT_EQ(getResBodyThreadTimeout(), 0);
-    EXPECT_EQ(getMinRetriesForVerdict(), 1);
-    EXPECT_EQ(getMaxRetriesForVerdict(), 3);
-    EXPECT_EQ(getReqBodySizeTrigger(), 777);
-    EXPECT_EQ(getWaitingForVerdictThreadTimeout(), 75);
+    EXPECT_EQ(getMaxSessionsPerMinute(), 0u);
+    EXPECT_EQ(getNumOfNginxIpcElements(), 200u);
+    EXPECT_EQ(getKeepAliveIntervalMsec(), 10000u);
+    EXPECT_EQ(getResProccessingTimeout(), 420u);
+    EXPECT_EQ(getReqProccessingTimeout(), 42u);
+    EXPECT_EQ(getRegistrationThreadTimeout(), 101u);
+    EXPECT_EQ(getReqHeaderThreadTimeout(), 10u);
+    EXPECT_EQ(getReqBodyThreadTimeout(), 155u);
+    EXPECT_EQ(getResHeaderThreadTimeout(), 1u);
+    EXPECT_EQ(getResBodyThreadTimeout(), 0u);
+    EXPECT_EQ(getMinRetriesForVerdict(), 1u);
+    EXPECT_EQ(getMaxRetriesForVerdict(), 3u);
+    EXPECT_EQ(getReqBodySizeTrigger(), 777u);
+    EXPECT_EQ(getWaitingForVerdictThreadTimeout(), 75u);
     EXPECT_EQ(getInspectionMode(), ngx_http_inspection_mode::BLOCKING_THREAD);
 
     EXPECT_EQ(isDebugContext("1.2.3.4", "5.6.7.8", 80, "GET", "test", "/abc"), 1);

build_system/docker/entry.sh

@@ -44,8 +44,11 @@ while true; do
 done
 
 if [ -z $var_token ] && [ $var_mode != "--hybrid_mode" ]; then
-    echo "Error: Token was not provided as input argument."
-    exit 1
+    var_token=$(env | grep 'AGENT_TOKEN=' | cut -d'=' -f2-)
+    if  [ -z $var_token ]; then
+        echo "Error: Token was not provided as input argument."
+        exit 1
+    fi
 fi
 
 orchestration_service_installation_flags="--container_mode --skip_registration"

components/include/generic_rulebase/match_query.h

@@ -89,7 +89,9 @@ private:
     bool matchAttributesRegEx(const std::set<std::string> &values,
             std::set<std::string> &matched_override_keywords) const;
     bool matchAttributesString(const std::set<std::string> &values) const;
+    bool matchAttributesIp(const std::set<std::string> &values) const;
     bool isRegEx() const;
+    bool isIP() const;
 
     MatchType type;
     Operators operator_type;

components/security_apps/ips/ips_entry.cc

@@ -26,6 +26,8 @@ static const map<string, IPSConfiguration::Context> default_conf_mapping = {
 };
 
 static const IPSConfiguration default_conf(default_conf_mapping);
+static const IPSSignatures default_ips_sigs;
+static const SnortSignatures default_snort_sigs;
 
 IPSEntry::IPSEntry() : TableOpaqueSerialize<IPSEntry>(this) {}
 
@@ -51,9 +53,9 @@ IPSEntry::respond(const ParsedContext &parsed)
     ctx.registerValue(name, buf);
 
     ctx.activate();
-    auto &signatures = getConfigurationWithDefault(IPSSignatures(), "IPS", "IpsProtections");
+    auto &signatures = getConfigurationWithDefault(default_ips_sigs, "IPS", "IpsProtections");
     bool should_drop = signatures.isMatchedPrevent(parsed.getName(), buf);
-    auto &snort_signatures = getConfigurationWithDefault(SnortSignatures(), "IPSSnortSigs", "SnortProtections");
+    auto &snort_signatures = getConfigurationWithDefault(default_snort_sigs, "IPSSnortSigs", "SnortProtections");
     should_drop |= snort_signatures.isMatchedPrevent(parsed.getName(), buf);
     ctx.deactivate();
 

components/security_apps/ips/ips_ut/configuration.cc

@@ -7,7 +7,7 @@ TEST(configuration, basic_context)
 
     IPSConfiguration::Context ctx1(IPSConfiguration::ContextType::HISTORY, 254);
     EXPECT_EQ(ctx1.getType(), IPSConfiguration::ContextType::HISTORY);
-    EXPECT_EQ(ctx1.getHistorySize(), 254);
+    EXPECT_EQ(ctx1.getHistorySize(), 254u);
 
     IPSConfiguration::Context ctx2(IPSConfiguration::ContextType::NORMAL, 0);
     EXPECT_EQ(ctx2.getType(), IPSConfiguration::ContextType::NORMAL);
@@ -42,7 +42,7 @@ TEST(configuration, read_configuration)
 
     auto body = conf.getContext("HTTP_REQUEST_BODY");
     EXPECT_EQ(body.getType(), IPSConfiguration::ContextType::HISTORY);
-    EXPECT_EQ(conf.getHistorySize("HTTP_REQUEST_BODY"), 100);
+    EXPECT_EQ(conf.getHistorySize("HTTP_REQUEST_BODY"), 100u);
 
     auto header = conf.getContext("HTTP_REQUEST_HEADER");
     EXPECT_EQ(header.getType(), IPSConfiguration::ContextType::KEEP);

components/security_apps/ips/ips_ut/entry_ut.cc

@@ -137,8 +137,8 @@ private:
 TEST_F(EntryTest, basic_inherited_functions)
 {
     EXPECT_EQ(IPSEntry::name(), "IPS");
-    EXPECT_EQ(IPSEntry::currVer(), 0);
-    EXPECT_EQ(IPSEntry::minVer(), 0);
+    EXPECT_EQ(IPSEntry::currVer(), 0u);
+    EXPECT_EQ(IPSEntry::minVer(), 0u);
     EXPECT_NE(IPSEntry::prototype(), nullptr);
     EXPECT_EQ(entry.getListenerName(), IPSEntry::name());
 

components/security_apps/ips/ips_ut/resource_ut.cc

@@ -71,7 +71,7 @@ TEST(resources, basic_resource)
     Singleton::Consume<Config::I_Config>::from(conf)->loadConfiguration(resource);
 
     auto loaded_resources = getSettingWithDefault(IPSSignaturesResource(), "IPS", "protections");
-    EXPECT_EQ(loaded_resources.getSignatures().size(), 2);
+    EXPECT_EQ(loaded_resources.getSignatures().size(), 2u);
     auto version = getSettingWithDefault<string>("", "IPS", "VersionId");
     EXPECT_EQ(version, "1234567");
 }

components/security_apps/layer_7_access_control/layer_7_access_control.cc

@@ -385,8 +385,29 @@ Layer7AccessControl::Impl::init()
     i_intelligence = Singleton::Consume<I_Intelligence_IS_V2>::by<Layer7AccessControl>();
     i_mainloop = Singleton::Consume<I_MainLoop>::by<Layer7AccessControl>();
 
-    chrono::minutes expiration(
-        getProfileAgentSettingWithDefault<uint>(60u, "layer7AccessControl.crowdsec.cacheExpiration")
+    int cache_expiration_in_seconds = 30;
+    string cache_expiration_env = getenv("CROWDSEC_CACHE_EXPIRATION") ? getenv("CROWDSEC_CACHE_EXPIRATION") : "";
+    if (!cache_expiration_env.empty()) {
+        if (
+            all_of(cache_expiration_env.begin(), cache_expiration_env.end(), ::isdigit)
+            && stoi(cache_expiration_env) > 0
+        ) {
+            cache_expiration_in_seconds = stoi(cache_expiration_env);
+            dbgInfo(D_L7_ACCESS_CONTROL)
+                << "Successfully read cache expiration value from env: "
+                << cache_expiration_env;
+        } else {
+            dbgWarning(D_L7_ACCESS_CONTROL)
+                << "An invalid cache expiration value was provided in env: "
+                << cache_expiration_env;
+        }
+    }
+
+    chrono::seconds expiration(
+        getProfileAgentSettingWithDefault<uint>(
+            cache_expiration_in_seconds,
+            "layer7AccessControl.crowdsec.cacheExpiration"
+        )
     );
 
     ip_reputation_cache.startExpiration(

components/security_apps/layer_7_access_control/layer_7_access_control_ut/layer_7_access_control_ut.cc

@@ -247,7 +247,9 @@ Layer7AccessControlTest::verifyReport(
     string log = reportToStr(report);
     dbgTrace(D_L7_ACCESS_CONTROL) << "Report: " << log;
 
-    if (!source_identifier.empty()) EXPECT_THAT(log, HasSubstr("\"httpSourceId\": \"" + source_identifier + "\""));
+    if (!source_identifier.empty()) {
+        EXPECT_THAT(log, HasSubstr("\"httpSourceId\": \"" + source_identifier + "\""));
+    }
     EXPECT_THAT(log, HasSubstr("\"securityAction\": \"" + security_action + "\""));
     EXPECT_THAT(log, HasSubstr("\"eventName\": \"Access Control External Vendor Reputation\""));
     EXPECT_THAT(log, HasSubstr("\"httpHostName\": \"juice-shop.checkpoint.com\""));

components/security_apps/local_policy_mgmt_gen/appsec_practice_section.cc

@@ -404,6 +404,7 @@ AppsecPracticeAntiBotSection::save(cereal::JSONOutputArchive &out_ar) const
 }
 
 // LCOV_EXCL_START Reason: no test exist
+// Used for V1Beta1
 WebAppSection::WebAppSection(
     const string &_application_urls,
     const string &_asset_id,
@@ -417,7 +418,7 @@ WebAppSection::WebAppSection(
     const LogTriggerSection &parsed_log_trigger,
     const string &default_mode,
     const AppSecTrustedSources &parsed_trusted_sources,
-    const vector<InnerException> &parsed_exceptions)
+    const std::map<std::string, std::vector<InnerException>> &exceptions)
     :
     application_urls(_application_urls),
     asset_id(_asset_id),
@@ -449,8 +450,11 @@ WebAppSection::WebAppSection(
         overrides.push_back(AppSecOverride(source_ident));
     }
 
-    for (const InnerException &exception : parsed_exceptions) {
-        overrides.push_back(AppSecOverride(exception));
+    for (const auto &exception : exceptions) {
+
+        for (const auto &inner_exception : exception.second) {
+            overrides.push_back(AppSecOverride(inner_exception));
+        }
     }
 }
 

components/security_apps/local_policy_mgmt_gen/exceptions_section.cc

@@ -146,7 +146,9 @@ AppsecException::load(cereal::JSONInputArchive &archive_in)
 {
     dbgTrace(D_LOCAL_POLICY) << "Loading AppSec exception";
     parseAppsecJSONKey<string>("name", name, archive_in);
-    archive_in(CEREAL_NVP(exception_spec));
+    AppsecExceptionSpec single_exception_spec;
+    single_exception_spec.load(archive_in);
+    exception_spec.push_back(single_exception_spec);
 }
 
 void
@@ -174,7 +176,7 @@ ExceptionMatch::ExceptionMatch(const AppsecExceptionSpec &parsed_exception)
 {
     bool single_condition = parsed_exception.isOneCondition();
     for (auto &attrib : attributes) {
-        auto &attrib_name = attrib.first;
+        auto attrib_name = (attrib.first == "sourceIp" ? "sourceIP" : attrib.first);
         auto &attrib_getter = attrib.second;
         auto exceptions_value = attrib_getter(parsed_exception);
         if (exceptions_value.empty()) continue;

components/security_apps/local_policy_mgmt_gen/include/appsec_practice_section.h

@@ -275,7 +275,7 @@ public:
         const LogTriggerSection &parsed_log_trigger,
         const std::string &default_mode,
         const AppSecTrustedSources &parsed_trusted_sources,
-        const std::vector<InnerException> &parsed_exceptions
+        const std::map<std::string, std::vector<InnerException>> &exceptions
     );
 
     // used for V1beta2

components/security_apps/local_policy_mgmt_gen/include/exceptions_section.h

@@ -44,7 +44,7 @@ public:
     bool isOneCondition() const;
 
 private:
-    int conditions_number;
+    int conditions_number = 0;
     std::string action;
     std::vector<std::string> country_code;
     std::vector<std::string> country_name;

components/security_apps/local_policy_mgmt_gen/k8s_policy_utils.cc

@@ -543,21 +543,25 @@ K8sPolicyUtils::createPolicy(
     }
 
     for (const IngressDefinedRule &rule : item.getSpec().getRules()) {
-        string url = rule.getHost();
+        string host = rule.getHost();
         for (const IngressRulePath &uri : rule.getPathsWrapper().getRulePaths()) {
-            if (!appsec_policy.getAppsecPolicySpec().isAssetHostExist(url + uri.getPath())) {
+            if (uri.getPath() != "/") {
+                host = host + uri.getPath();
+            }
+            if (!appsec_policy.getAppsecPolicySpec().isAssetHostExist(host)) {
                 dbgTrace(D_LOCAL_POLICY)
                     << "Inserting Host data to the specific asset set:"
                     << "URL: '"
-                    << url
+                    << rule.getHost()
                     << "' uri: '"
                     << uri.getPath()
                     << "'";
-                K ingress_rule = K(url + uri.getPath());
+                K ingress_rule = K(host);
                 policies[annotations_values[AnnotationKeys::PolicyKey]].addSpecificRule(ingress_rule);
             }
         }
     }
+
 }
 
 std::tuple<map<string, AppsecLinuxPolicy>, map<string, V1beta2AppsecLinuxPolicy>>

components/security_apps/local_policy_mgmt_gen/policy_maker_utils.cc

@@ -21,6 +21,7 @@
 using namespace std;
 
 USE_DEBUG_FLAG(D_NGINX_POLICY);
+USE_DEBUG_FLAG(D_LOCAL_POLICY);
 
 void
 SecurityAppsWrapper::save(cereal::JSONOutputArchive &out_ar) const
@@ -185,6 +186,33 @@ PolicyMakerUtils::dumpPolicyToFile(
     return policy_str;
 }
 
+template<class R>
+vector<string>
+extractExceptionAnnotationNames(
+    const R &parsed_rule,
+    const R &default_rule,
+    const string &policy_name)
+{
+    vector<string> annotation_names;
+
+    const R &rule = (!parsed_rule.getExceptions().empty() ? parsed_rule : default_rule);
+    for (const string &exception_name : rule.getExceptions()) {
+        if (exception_name.empty()) {
+            continue;
+        }
+
+        const auto policy_exception = policy_name + "/" + exception_name;
+
+        dbgTrace(D_NGINX_POLICY) << "Adding " << policy_exception << " to exception vector";
+
+        annotation_names.push_back(policy_exception);
+    }
+
+    dbgTrace(D_NGINX_POLICY) << "Number of exceptions related to rule: " << annotation_names.size();
+
+    return annotation_names;
+}
+
 template<class R>
 map<AnnotationTypes, string>
 extractAnnotationsNames(
@@ -217,18 +245,6 @@ extractAnnotationsNames(
         rule_annotation[AnnotationTypes::TRIGGER] = policy_name + "/" + trigger_annotation_name;
     }
 
-    string exception_annotation_name;
-    // TBD: support multiple exceptions
-    if (!parsed_rule.getExceptions().empty() && !parsed_rule.getExceptions()[0].empty()) {
-        exception_annotation_name = parsed_rule.getExceptions()[0];
-    } else if (!default_rule.getExceptions().empty() && !default_rule.getExceptions()[0].empty()) {
-        exception_annotation_name = default_rule.getExceptions()[0];
-    }
-
-    if (!exception_annotation_name.empty()) {
-        rule_annotation[AnnotationTypes::EXCEPTION] = policy_name + "/" + exception_annotation_name;
-    }
-
     string web_user_res_annotation_name =
         parsed_rule.getCustomResponse().empty() ?
         default_rule.getCustomResponse() :
@@ -444,6 +460,7 @@ template<class T, class R>
 R
 getAppsecExceptionSpec(const string &exception_annotation_name, const T &policy)
 {
+    dbgFlow(D_NGINX_POLICY) << "anotation name: " << exception_annotation_name;
     auto exceptions_vec = policy.getAppsecExceptions();
     auto exception_it = extractElement(exceptions_vec.begin(), exceptions_vec.end(), exception_annotation_name);
 
@@ -776,6 +793,7 @@ createExceptionSection(
     const string &exception_annotation_name,
     const T &policy)
 {
+    dbgFlow(D_NGINX_POLICY) << "exception annotation name" << exception_annotation_name;
     AppsecException exception_spec =
         getAppsecExceptionSpec<T, AppsecException>(exception_annotation_name, policy);
     vector<InnerException> res;
@@ -784,6 +802,7 @@ createExceptionSection(
         ExceptionBehavior exception_behavior(exception.getAction());
         res.push_back(InnerException(exception_behavior, exception_match));
     }
+
     return res;
 }
 
@@ -896,13 +915,16 @@ createMultiRulesSections(
     const string &web_user_res_vec_id,
     const string &web_user_res_vec_type,
     const string &asset_name,
-    const string &exception_name,
-    const vector<InnerException> &exceptions)
+    const std::map<std::string, std::vector<InnerException>> &exceptions)
 {
     PracticeSection practice = PracticeSection(practice_id, practice_type, practice_name);
     vector<ParametersSection> exceptions_result;
     for (auto exception : exceptions) {
-        exceptions_result.push_back(ParametersSection(exception.getBehaviorId(), exception_name));
+
+        const auto &exception_name = exception.first;
+        for (const auto &inner_exception : exception.second) {
+            exceptions_result.push_back(ParametersSection(inner_exception.getBehaviorId(), exception_name));
+        }
     }
 
     vector<RulesTriggerSection> triggers;
@@ -1344,6 +1366,7 @@ PolicyMakerUtils::combineElementsToPolicy(const string &policy_version)
             convertMapToVector(log_triggers), convertMapToVector(web_user_res_triggers)
         )
     );
+
     ExceptionsWrapper exceptions_section({
         ExceptionsRulebase(convertExceptionsMapToVector(inner_exceptions))
     });
@@ -1381,6 +1404,7 @@ PolicyMakerUtils::createPolicyElementsByRule(
     const string &policy_name)
 {
     map<AnnotationTypes, string> rule_annotations = extractAnnotationsNames(rule, default_rule, policy_name);
+
     if (
         !rule_annotations[AnnotationTypes::TRIGGER].empty() &&
         !log_triggers.count(rule_annotations[AnnotationTypes::TRIGGER])
@@ -1403,15 +1427,27 @@ PolicyMakerUtils::createPolicyElementsByRule(
             );
     }
 
-    if (
-        !rule_annotations[AnnotationTypes::EXCEPTION].empty() &&
-        !inner_exceptions.count(rule_annotations[AnnotationTypes::EXCEPTION])
-    ) {
-        inner_exceptions[rule_annotations[AnnotationTypes::EXCEPTION]] =
-            createExceptionSection<T>(
-                rule_annotations[AnnotationTypes::EXCEPTION],
-                policy
-            );
+    const auto exceptions_annotations = extractExceptionAnnotationNames(rule, default_rule, policy_name);
+    std::map<std::string, std::vector<InnerException>> rule_inner_exceptions;
+    if (!exceptions_annotations.empty()) {
+        for (const auto &exception_name :exceptions_annotations) {
+            dbgWarning(D_LOCAL_POLICY) << "exceptions name: " << exception_name;
+
+            if (rule_inner_exceptions.count(exception_name)) {
+                dbgWarning(D_LOCAL_POLICY) << "exception name already exists for that rule: " << exception_name;
+                continue;
+            }
+
+            if (inner_exceptions.count(exception_name)) {
+                dbgWarning(D_LOCAL_POLICY) << "exception name already exists in inner exceptions: " << exception_name;
+                rule_inner_exceptions[exception_name] = inner_exceptions[exception_name];
+                continue;
+            }
+
+            auto exception_section = createExceptionSection<T>(exception_name, policy);
+            rule_inner_exceptions[exception_name] = exception_section;
+            inner_exceptions[exception_name] = exception_section;
+        }
     }
 
     if (
@@ -1470,8 +1506,7 @@ PolicyMakerUtils::createPolicyElementsByRule(
             web_user_res_triggers[rule_annotations[AnnotationTypes::WEB_USER_RES]].getTriggerId(),
             "WebUserResponse",
             full_url,
-            rule_annotations[AnnotationTypes::EXCEPTION],
-            inner_exceptions[rule_annotations[AnnotationTypes::EXCEPTION]]
+            rule_inner_exceptions
         );
         rules_config[rule_config.getAssetName()] = rule_config;
 
@@ -1498,7 +1533,7 @@ PolicyMakerUtils::createPolicyElementsByRule(
                 log_triggers[rule_annotations[AnnotationTypes::TRIGGER]],
                 rule.getMode(),
                 trusted_sources[rule_annotations[AnnotationTypes::TRUSTED_SOURCES]],
-                inner_exceptions[rule_annotations[AnnotationTypes::EXCEPTION]]
+                rule_inner_exceptions
             );
             web_apps[rule_config.getAssetName()] = web_app;
         }

components/security_apps/orchestration/downloader/downloader_ut/downloader_ut.cc

@@ -1,3 +1,7 @@
+#include <sstream>
+class Package;
+static std::ostream & operator<<(std::ostream &os, const Package &) { return os; }
+
 #include "cptest.h"
 #include "config.h"
 #include "config_component.h"

components/security_apps/orchestration/include/updates_process_event.h

@@ -35,6 +35,8 @@ enum class UpdatesFailureReason {
     INSTALL_PACKAGE,
     CHECKSUM_UNMATCHED,
     POLICY_CONFIGURATION,
+    SERVISE_CONFIGURATION,
+    SERVISE_CONFIGURATION_TIMEOUT,
     POLICY_FOG_CONFIGURATION,
     NONE
 
@@ -57,6 +59,8 @@ convertUpdatesFailureReasonToStr(UpdatesFailureReason reason)
         case UpdatesFailureReason::INSTALL_PACKAGE : return "INSTALL_PACKAGE";
         case UpdatesFailureReason::CHECKSUM_UNMATCHED : return "CHECKSUM_UNMATCHED";
         case UpdatesFailureReason::POLICY_CONFIGURATION : return "POLICY_CONFIGURATION";
+        case UpdatesFailureReason::SERVISE_CONFIGURATION : return "SERVISE_CONFIGURATION";
+        case UpdatesFailureReason::SERVISE_CONFIGURATION_TIMEOUT : return "SERVISE_CONFIGURATION_TIMEOUT";
         case UpdatesFailureReason::POLICY_FOG_CONFIGURATION : return "POLICY_FOG_CONFIGURATION";
         case UpdatesFailureReason::NONE : return "NONE";
     }
@@ -117,6 +121,7 @@ public:
     OrchestrationStatusResult getOrchestrationStatusResult() const;
 
     std::string parseDescription() const;
+    std::string getDescriptionWithoutErrors() const;
 
 private:
     UpdatesProcessResult result;

components/security_apps/orchestration/include/updates_process_reporter.h

@@ -21,20 +21,24 @@
 #include "config.h"
 #include "debug.h"
 #include "i_orchestration_status.h"
+#include "i_service_controller.h"
 #include "health_check_status/health_check_status.h"
 #include "updates_process_event.h"
 #include "updates_process_report.h"
 
-class UpdatesProcessReporter : public Listener<UpdatesProcessEvent>
+class UpdatesProcessReporter
+        :
+    public Listener<UpdatesProcessEvent>,
+    Singleton::Consume<I_ServiceController>
 {
 public:
     void upon(const UpdatesProcessEvent &event) override;
 
 private:
-    void sendReoprt();
+    void sendReoprt(const std::string &version);
 
     static std::vector<UpdatesProcessReport> reports;
-    uint report_failure_count = 0;
+    std::map<std::string, uint> report_failure_count_map;
 };
 
 #endif // __UPDATES_PROCESS_REPORTER_H__

components/security_apps/orchestration/manifest_controller/manifest_controller_ut/manifest_controller_ut.cc

@@ -1,3 +1,7 @@
+#include <sstream>
+class Package;
+static std::ostream & operator<<(std::ostream &os, const Package &) { return os; }
+
 #include "manifest_controller.h"
 
 #include <vector>

components/security_apps/orchestration/modules/modules_ut/orchestration_policy_ut.cc

@@ -43,8 +43,8 @@ TEST_F(PolicyTest, serialization)
         ASSERT_TRUE(false) << "Cereal threw an exception: " << e.what();
     }
 
-    EXPECT_EQ(15, orchestration_policy.getErrorSleepInterval());
-    EXPECT_EQ(20, orchestration_policy.getSleepInterval());
+    EXPECT_EQ(15u, orchestration_policy.getErrorSleepInterval());
+    EXPECT_EQ(20u, orchestration_policy.getSleepInterval());
     EXPECT_EQ("http://10.0.0.18:81/control/", orchestration_policy.getFogAddress());
 }
 
@@ -63,8 +63,8 @@ TEST_F(PolicyTest, noAgentType)
         ASSERT_TRUE(false) << "Cereal threw an exception: " << e.what();
     }
 
-    EXPECT_EQ(15, orchestration_policy.getErrorSleepInterval());
-    EXPECT_EQ(20, orchestration_policy.getSleepInterval());
+    EXPECT_EQ(15u, orchestration_policy.getErrorSleepInterval());
+    EXPECT_EQ(20u, orchestration_policy.getSleepInterval());
     EXPECT_EQ("http://10.0.0.18:81/control/", orchestration_policy.getFogAddress());
 }
 
@@ -83,8 +83,8 @@ TEST_F(PolicyTest, zeroSleepIntervels)
         ASSERT_TRUE(false) << "Cereal threw an exception: " << e.what();
     }
 
-    EXPECT_EQ(0, orchestration_policy.getErrorSleepInterval());
-    EXPECT_EQ(0, orchestration_policy.getSleepInterval());
+    EXPECT_EQ(0u, orchestration_policy.getErrorSleepInterval());
+    EXPECT_EQ(0u, orchestration_policy.getSleepInterval());
     EXPECT_EQ("http://10.0.0.18:81/control/", orchestration_policy.getFogAddress());
 }
 
@@ -152,7 +152,7 @@ TEST_F(PolicyTest, newOptionalFields)
         ASSERT_TRUE(false) << "Cereal threw an exception: " << e.what();
     }
 
-    EXPECT_EQ(10, orchestration_policy.getErrorSleepInterval());
-    EXPECT_EQ(30, orchestration_policy.getSleepInterval());
+    EXPECT_EQ(10u, orchestration_policy.getErrorSleepInterval());
+    EXPECT_EQ(30u, orchestration_policy.getSleepInterval());
     EXPECT_EQ("https://fog-api-gw-agents.cloud.ngen.checkpoint.com", orchestration_policy.getFogAddress());
 }

components/security_apps/orchestration/modules/modules_ut/orchestration_status_ut.cc

@@ -1,3 +1,7 @@
+#include <sstream>
+class Package;
+static std::ostream & operator<<(std::ostream &os, const Package &) { return os; }
+
 #include "orchestration_status.h"
 
 #include <string>
@@ -556,7 +560,7 @@ TEST_F(OrchestrationStatusTest, checkErrorByRaiseEvent)
             "Time",
             "Online upgrades",
             fog_address,
-            "Failed. Reason: Registration failed. Error: " + registar_error,
+            "Failed. Reason: Registration failed.",
             "Failed. Reason: " + manifest_error
         ),
         result

components/security_apps/orchestration/modules/modules_ut/url_parser_ut.cc

@@ -1,3 +1,7 @@
+#include <sstream>
+class Package;
+static std::ostream & operator<<(std::ostream &os, const Package &) { return os; }
+
 #include "url_parser.h"
 
 #include "cptest.h"

components/security_apps/orchestration/modules/orchestration_status.cc

@@ -473,7 +473,11 @@ public:
     void
     upon(const UpdatesProcessEvent &event) override
     {
-        setFieldStatus(event.getStatusFieldType(), event.getOrchestrationStatusResult(), event.parseDescription());
+        setFieldStatus(
+            event.getStatusFieldType(),
+            event.getOrchestrationStatusResult(),
+            event.getDescriptionWithoutErrors()
+        );
     }
 
 private:

components/security_apps/orchestration/orchestration_ut/orchestration_multitenant_ut.cc

@@ -1,3 +1,7 @@
+#include <sstream>
+class Package;
+std::ostream & operator<<(std::ostream &os, const Package &) { return os; }
+
 #include "orchestration_comp.h"
 
 #include "cptest.h"
@@ -471,6 +475,9 @@ TEST_F(OrchestrationMultitenancyTest, handle_virtual_resource)
         )
     ).WillOnce(Return(Maybe<void>()));
 
+    string version = "1";
+    EXPECT_CALL(mock_service_controller, getUpdatePolicyVersion()).WillOnce(ReturnRef(version));
+
     EXPECT_CALL(
         mock_service_controller,
         updateServiceConfiguration(

components/security_apps/orchestration/orchestration_ut/orchestration_ut.cc

@@ -1,3 +1,7 @@
+#include <sstream>
+class Package;
+std::ostream & operator<<(std::ostream &os, const Package &) { return os; }
+
 #include "orchestration_comp.h"
 
 #include "cptest.h"
@@ -380,6 +384,10 @@ TEST_F(OrchestrationTest, hybridModeRegisterLocalAgentRoutine)
     EXPECT_CALL(mock_status, setLastUpdateAttempt());
     EXPECT_CALL(mock_status, setIsConfigurationUpdated(_));
 
+    string version = "1";
+    EXPECT_CALL(mock_service_controller, getUpdatePolicyVersion()).WillOnce(ReturnRef(version));
+
+
     EXPECT_CALL(mock_ml, yield(A<chrono::microseconds>()))
         .WillOnce(Return())
         .WillOnce(Invoke([] (chrono::microseconds) { throw invalid_argument("stop while loop"); }));
@@ -587,6 +595,9 @@ TEST_F(OrchestrationTest, check_sending_registration_data)
     EXPECT_CALL(mock_status, setLastUpdateAttempt());
     EXPECT_CALL(mock_status, setIsConfigurationUpdated(_));
 
+    string version = "1";
+    EXPECT_CALL(mock_service_controller, getUpdatePolicyVersion()).WillOnce(ReturnRef(version));
+
     EXPECT_CALL(mock_ml, yield(A<chrono::microseconds>()))
         .WillOnce(Return())
         .WillOnce(Invoke([] (chrono::microseconds) { throw invalid_argument("stop while loop"); }));
@@ -718,6 +729,9 @@ TEST_F(OrchestrationTest, orchestrationPolicyUpdatRollback)
     EXPECT_CALL(mock_status, setPolicyVersion(third_val));
     EXPECT_CALL(mock_status, setPolicyVersion(second_val));
 
+    string version = "1";
+    EXPECT_CALL(mock_service_controller, getUpdatePolicyVersion()).WillOnce(ReturnRef(version));
+
     string policy_versions;
     EXPECT_CALL(mock_service_controller, getPolicyVersions()).WillRepeatedly(ReturnRef(policy_versions));
     EXPECT_CALL(mock_update_communication, sendPolicyVersion("13", _)).Times(1).WillOnce(Return(Maybe<void>()));
@@ -895,6 +909,9 @@ TEST_F(OrchestrationTest, orchestrationPolicyUpdate)
     );
     EXPECT_CALL(mock_status, setPolicyVersion(third_val));
 
+    string version = "1";
+    EXPECT_CALL(mock_service_controller, getUpdatePolicyVersion()).WillOnce(ReturnRef(version));
+
     string policy_versions;
     EXPECT_CALL(mock_service_controller, getPolicyVersions()).WillRepeatedly(ReturnRef(policy_versions));
     EXPECT_CALL(mock_update_communication, sendPolicyVersion("13", _)).Times(1).WillOnce(Return(Maybe<void>()));
@@ -1112,6 +1129,9 @@ TEST_F(OrchestrationTest, manifestUpdate)
         )
     );
 
+    string version = "1";
+    EXPECT_CALL(mock_service_controller, getUpdatePolicyVersion()).WillOnce(ReturnRef(version));
+
     GetResourceFile manifest_file(GetResourceFile::ResourceFileType::MANIFEST);
     EXPECT_CALL(mock_downloader,
         downloadFile(
@@ -1150,6 +1170,8 @@ TEST_F(OrchestrationTest, manifestUpdate)
 
 TEST_F(OrchestrationTest, getBadPolicyUpdate)
 {
+    Debug::setUnitTestFlag(D_UPDATES_PROCESS_REPORTER, Debug::DebugLevel::NOISE);
+
     EXPECT_CALL(
         rest,
         mockRestCall(RestAction::ADD, "proxy", _)
@@ -1196,6 +1218,13 @@ TEST_F(OrchestrationTest, getBadPolicyUpdate)
     EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::SHA256, data_file_path))
         .WillOnce(Return(data_checksum));
 
+    string manifest = "";
+    string policy = "111111";
+    string setting = "";
+
+    string second_val = "12";
+    string third_val = "13";
+    EXPECT_CALL(mock_service_controller, getUpdatePolicyVersion()).WillRepeatedly(ReturnRef(third_val));
     Maybe<string> new_policy_checksum(string("111111"));
 
     GetResourceFile policy_file(GetResourceFile::ResourceFileType::POLICY);
@@ -1207,12 +1236,6 @@ TEST_F(OrchestrationTest, getBadPolicyUpdate)
             policy_file
         )
     ).WillOnce(Return(Maybe<std::string>(string(new_policy_path))));
-    string manifest = "";
-    string policy = "111111";
-    string setting = "";
-
-    string second_val = "12";
-    string third_val = "13";
     EXPECT_CALL(mock_service_controller, getPolicyVersion())
         .Times(4)
         .WillOnce(ReturnRef(first_policy_version))
@@ -1246,8 +1269,6 @@ TEST_F(OrchestrationTest, getBadPolicyUpdate)
         )
     );
 
-    EXPECT_CALL(mock_service_controller, getUpdatePolicyVersion()).WillRepeatedly(ReturnRef(third_val));
-
     EXPECT_CALL(
         mock_service_controller,
         updateServiceConfiguration(string("policy path"), "", expected_data_types, "", "", _)
@@ -1341,6 +1362,9 @@ TEST_F(OrchestrationTest, failedDownloadSettings)
 
     EXPECT_CALL(mock_status, setLastUpdateAttempt());
 
+    string version = "1";
+    EXPECT_CALL(mock_service_controller, getUpdatePolicyVersion()).WillOnce(ReturnRef(version));
+
     string manifest_err =
         "Critical Error: Agent/Gateway was not fully deployed on host 'hostname' "
         "and is not enforcing a security policy. Retry installation or contact Check Point support.";
@@ -1456,6 +1480,10 @@ TEST_P(OrchestrationTest, orchestrationFirstRun)
             }
         )
     );
+
+    string version = "1";
+    EXPECT_CALL(mock_service_controller, getUpdatePolicyVersion()).WillOnce(ReturnRef(version));
+
     EXPECT_CALL(mock_service_controller, getPolicyVersion()).WillRepeatedly(ReturnRef(first_policy_version));
     EXPECT_CALL(mock_update_communication, getUpdate(_)).WillOnce(
         Invoke(
@@ -1654,6 +1682,10 @@ TEST_F(OrchestrationTest, dataUpdate)
         .WillOnce(Return(data_instance_checksum));
 
     EXPECT_CALL(mock_service_controller, getPolicyVersion()).WillRepeatedly(ReturnRef(first_policy_version));
+
+    string version = "1";
+    EXPECT_CALL(mock_service_controller, getUpdatePolicyVersion()).WillOnce(ReturnRef(version));
+
     EXPECT_CALL(mock_update_communication, getUpdate(_)).WillOnce(
         Invoke(
             [&](CheckUpdateRequest &req)

components/security_apps/orchestration/package_handler/package_handler_ut/package_handler_ut.cc

@@ -1,3 +1,7 @@
+#include <sstream>
+class Package;
+static std::ostream & operator<<(std::ostream &os, const Package &) { return os; }
+
 #include "package_handler.h"
 
 #include "cptest.h"

components/security_apps/orchestration/service_controller/service_controller.cc

@@ -29,6 +29,7 @@
 #include "i_orchestration_tools.h"
 #include "customized_cereal_map.h"
 #include "declarative_policy_utils.h"
+#include "updates_process_event.h"
 
 using namespace std;
 using namespace ReportIS;
@@ -65,6 +66,13 @@ public:
         }
         if (error.get()) {
             service_controller->updateReconfStatus(id.get(), service_name.get(), ReconfStatus::FAILED);
+            UpdatesProcessEvent(
+                UpdatesProcessResult::FAILED,
+                UpdatesConfigType::GENERAL,
+                UpdatesFailureReason::SERVISE_CONFIGURATION,
+                string(service_name.get() + ", ID: " + to_string(id.get())),
+                (error_message.isActive() ? " Error: " + error_message.get() : "")
+            ).notify();
             dbgError(D_SERVICE_CONTROLLER)
                 << "Request for service reconfiguration failed to complete. ID: "
                 << id.get()
@@ -1028,6 +1036,12 @@ ServiceController::Impl::sendSignalForServices(
     }
 
     dbgDebug(D_SERVICE_CONTROLLER) << "The reconfiguration has reached a timeout";
+    UpdatesProcessEvent(
+        UpdatesProcessResult::FAILED,
+        UpdatesConfigType::GENERAL,
+        UpdatesFailureReason::SERVISE_CONFIGURATION_TIMEOUT,
+        "The reconfiguration has reached a timeout"
+    ).notify();
     services_reconf_status.clear();
     services_reconf_names.clear();
     return genError("The reconfiguration has reached a timeout");

components/security_apps/orchestration/service_controller/service_controller_ut/service_controller_ut.cc

@@ -1,3 +1,7 @@
+#include <sstream>
+class Package;
+static std::ostream & operator<<(std::ostream &os, const Package &) { return os; }
+
 #include "cptest.h"
 #include <string>
 #include "orchestration_tools.h"

components/security_apps/orchestration/update_communication/CMakeLists.txt

@@ -1,2 +1 @@
 add_library(update_communication update_communication.cc hybrid_communication.cc fog_communication.cc fog_authenticator.cc local_communication.cc declarative_policy_utils.cc fog_helper_open_source.cc)
-#add_subdirectory(update_communication_ut)

components/security_apps/orchestration/update_communication/hybrid_communication.cc

@@ -120,10 +120,9 @@ HybridCommunication::downloadAttributeFile(const GetResourceFile &resourse_file,
 }
 
 Maybe<void>
-HybridCommunication::sendPolicyVersion(const string &policy_version, const string &) const
+HybridCommunication::sendPolicyVersion(const string &, const string &) const
 {
     dbgFlow(D_ORCHESTRATOR);
-    policy_version.empty();
     return Maybe<void>();
 }
 

components/security_apps/orchestration/update_communication/update_communication_ut/CMakeLists.txt

@@ -1,7 +0,0 @@
-link_directories(${BOOST_ROOT}/lib)
-
-add_unit_test(
-    update_communication_ut
-    "local_communication_ut.cc;fog_communication_ut.cc"
-    "rest;version;orchestration_modules;update_communication;singleton;config;metric;event_is;logging;agent_details;-lboost_regex;local_policy_mgmt_gen;connkey;"
-)

components/security_apps/orchestration/update_communication/update_communication_ut/local_communication_ut.cc

@@ -1,244 +0,0 @@
-#include <string>
-
-#include "local_communication.h"
-#include "cptest.h"
-#include "mock/mock_orchestration_tools.h"
-#include "config.h"
-#include "config_component.h"
-#include "orchestration_status.h"
-#include "mock/mock_mainloop.h"
-#include "mock/mock_time_get.h"
-
-using namespace std;
-using namespace testing;
-
-ostream &
-operator<<(ostream &os, const tuple<OrchManifest, OrchPolicy, OrchSettings> &)
-{
-    return os;
-}
-
-class LocalCommunicationTest: public Test
-{
-public:
-    LocalCommunicationTest()
-    {
-        local_communication.init();
-    }
-
-    void
-    preload()
-    {
-        local_communication.preload();
-    }
-
-    Maybe<void>
-    authenticateAgent()
-    {
-        return local_communication.authenticateAgent();
-    }
-
-    void
-    registerLocalAgentToFog()
-    {
-        local_communication.registerLocalAgentToFog();
-    }
-
-    Maybe<void>
-    sendPolicyVersion(const string &version, const string &policy_versions)
-    {
-        return local_communication.sendPolicyVersion(version, policy_versions);
-    }
-
-    Maybe<string>
-    downloadAttributeFile(const GetResourceFile &resourse_file, const string &file_path)
-    {
-        return local_communication.downloadAttributeFile(resourse_file, file_path);
-    }
-
-    void
-    setAddressExtenesion(const string &ext)
-    {
-        local_communication.setAddressExtenesion(ext);
-    }
-
-    Maybe<void>
-    checkUpdate(CheckUpdateRequest &request)
-    {
-        return local_communication.getUpdate(request);
-    }
-
-    NiceMock<MockMainLoop> mock_mainloop;
-    NiceMock<MockTimeGet> mock_timer;
-    ::Environment env;
-    ConfigComponent config_comp;
-    StrictMock<MockOrchestrationTools> mock_orc_tools;
-    OrchestrationStatus orc_status;
-
-private:
-    LocalCommunication local_communication;
-};
-
-TEST_F(LocalCommunicationTest, doNothing)
-{
-}
-
-TEST_F(LocalCommunicationTest, registerConfig)
-{
-    env.preload();
-    env.init();
-
-    preload();
-    string config_json =
-        "{\n"
-        "    \"orchestration\": {\n"
-        "        \"Offline manifest file path\": [\n"
-        "            {\n"
-        "                \"context\": \"All()\",\n"
-        "                \"value\": \"ABC\"\n"
-        "            }\n"
-        "        ],\n"
-        "        \"Offline policy file path\": [\n"
-        "            {\n"
-        "                \"context\": \"All()\",\n"
-        "                \"value\": \"qwe\"\n"
-        "            }\n"
-        "        ],\n"
-        "        \"Offline settings file path\": [\n"
-        "            {\n"
-        "                \"context\": \"All()\",\n"
-        "                \"value\": \"CCCC\"\n"
-        "            }\n"
-        "        ]\n"
-        "    }\n"
-        "}";
-    istringstream ss(config_json);
-    Singleton::Consume<Config::I_Config>::from(config_comp)->loadConfiguration(ss);
-
-    EXPECT_THAT(getConfiguration<string>("orchestration", "Offline manifest file path"),        IsValue("ABC"));
-    EXPECT_THAT(getConfiguration<string>("orchestration", "Offline policy file path"), IsValue("qwe"));
-    EXPECT_THAT(getConfiguration<string>("orchestration", "Offline settings file path"),            IsValue("CCCC"));
-
-    env.fini();
-}
-
-TEST_F(LocalCommunicationTest, authenticateAgent)
-{
-    auto authenticat_res = authenticateAgent();
-    EXPECT_TRUE(authenticat_res.ok());
-}
-
-TEST_F(LocalCommunicationTest, registerLocalAgentToFog)
-{
-    registerLocalAgentToFog();
-}
-
-TEST_F(LocalCommunicationTest, downloadManifest)
-{
-    string new_manifest_string = "new manifest";
-    EXPECT_CALL(mock_orc_tools, readFile("/etc/cp/conf/offline_manifest.json")).WillOnce(Return(new_manifest_string));
-    GetResourceFile resourse_file(GetResourceFile::ResourceFileType::MANIFEST);
-    auto downloaded_string =  downloadAttributeFile(resourse_file, "/tmp/orch_files");
-    EXPECT_TRUE(downloaded_string.ok());
-    EXPECT_EQ(downloaded_string.unpack(), new_manifest_string);
-}
-
-TEST_F(LocalCommunicationTest, checkUpdateWithNoUpdate)
-{
-    Maybe<string> manifest_checksum(string("1"));
-    Maybe<string> policy_checksum(string("2"));
-    Maybe<string> settings_checksum(string("3"));
-    Maybe<string> data_checksum(string("4"));
-    EXPECT_CALL(mock_orc_tools, calculateChecksum(
-        Package::ChecksumTypes::SHA256, "/etc/cp/conf/offline_manifest.json")).WillOnce(Return(manifest_checksum));
-    EXPECT_CALL(mock_orc_tools, calculateChecksum(
-        Package::ChecksumTypes::SHA256, "/etc/cp/conf/offline_policy.json")).WillOnce(Return(policy_checksum));
-    EXPECT_CALL(mock_orc_tools, calculateChecksum(
-        Package::ChecksumTypes::SHA256, "/etc/cp/conf/offline_settings.json")).WillOnce(Return(settings_checksum));
-    EXPECT_CALL(mock_orc_tools, calculateChecksum(
-        Package::ChecksumTypes::SHA256, "/etc/cp/conf/data/offline_data.json")).WillOnce(Return(data_checksum));
-
-    CheckUpdateRequest request(
-            *manifest_checksum,
-            *policy_checksum,
-            *settings_checksum,
-            *data_checksum,
-            I_OrchestrationTools::SELECTED_CHECKSUM_TYPE_STR,
-            "123"
-        );
-
-    auto update_response = checkUpdate(request);
-    EXPECT_TRUE(update_response.ok());
-
-    Maybe<string> manifest = request.getManifest();
-    EXPECT_FALSE(manifest.ok());
-
-    Maybe<string> policy = request.getPolicy();
-    EXPECT_FALSE(policy.ok());
-
-    Maybe<string> settings = request.getSettings();
-    EXPECT_FALSE(settings.ok());
-
-    Maybe<string> data = request.getData();
-    EXPECT_FALSE(data.ok());
-}
-
-TEST_F(LocalCommunicationTest, checkUpdateWithPolicyUpdate)
-{
-    Maybe<string> manifest_checksum(string("1"));
-    Maybe<string> policy_checksum(string("2"));
-    Maybe<string> new_policy_checksum(string("22"));
-    Maybe<string> settings_checksum(string("3"));
-    Maybe<string> data_checksum(string("4"));
-
-    EXPECT_CALL(
-        mock_orc_tools,
-        calculateChecksum(Package::ChecksumTypes::SHA256, "/etc/cp/conf/offline_manifest.json")
-    ).WillOnce(Return(manifest_checksum));
-    EXPECT_CALL(
-        mock_orc_tools,
-        calculateChecksum(Package::ChecksumTypes::SHA256, "/etc/cp/conf/offline_policy.json")
-    ).WillOnce(Return(new_policy_checksum));
-    EXPECT_CALL(
-        mock_orc_tools,
-        calculateChecksum(Package::ChecksumTypes::SHA256, "/etc/cp/conf/offline_settings.json")
-    ).WillOnce(Return(settings_checksum));
-    EXPECT_CALL(
-        mock_orc_tools,
-        calculateChecksum(Package::ChecksumTypes::SHA256, "/etc/cp/conf/data/offline_data.json")
-    ).WillOnce(Return(data_checksum));
-
-    CheckUpdateRequest request(
-        *manifest_checksum,
-        *policy_checksum,
-        *settings_checksum,
-        *data_checksum,
-        I_OrchestrationTools::SELECTED_CHECKSUM_TYPE_STR,
-        "123"
-    );
-
-    auto update_response = checkUpdate(request);
-    EXPECT_TRUE(update_response.ok());
-
-    Maybe<string> manifest = request.getManifest();
-    EXPECT_FALSE(manifest.ok());
-
-    EXPECT_THAT(request.getPolicy(), IsValue("22"));
-
-    Maybe<string> settings = request.getSettings();
-    EXPECT_FALSE(settings.ok());
-
-    Maybe<string> data = request.getData();
-    EXPECT_FALSE(data.ok());
-}
-
-TEST_F(LocalCommunicationTest, setAddressExtenesion)
-{
-    setAddressExtenesion("Test");
-}
-
-TEST_F(LocalCommunicationTest, sendPolicyVersion)
-{
-    auto res = sendPolicyVersion("12", "");
-    EXPECT_TRUE(res.ok());
-}

components/security_apps/orchestration/updates_process_reporter/updates_process_event.cc

@@ -111,6 +111,85 @@ UpdatesProcessEvent::parseDescription() const
             err << "Failed to configure the fog address: " << detail << ". Error: " << description;
             break;
         }
+        case UpdatesFailureReason::SERVISE_CONFIGURATION : {
+            err
+                << "Request for service reconfiguration failed to complete. Service name: "
+                << detail
+                << ". Error: "
+                << description;
+            break;
+        }
+        case UpdatesFailureReason::SERVISE_CONFIGURATION_TIMEOUT : {
+            err << detail;
+            break;
+        }
+        case UpdatesFailureReason::ORCHESTRATION_SELF_UPDATE : {
+            err << description;
+            break;
+        }
+        case UpdatesFailureReason::NONE : {
+            err << description;
+            break;
+        }
+    }
+    return err.str();
+}
+
+string
+UpdatesProcessEvent::getDescriptionWithoutErrors() const
+{
+    stringstream err;
+    if (description.empty() || result == UpdatesProcessResult::SUCCESS) return "";
+
+    switch (reason) {
+        case UpdatesFailureReason::CHECK_UPDATE: {
+            err << description;
+            break;
+        }
+        case UpdatesFailureReason::REGISTRATION: {
+            err << "Registration failed.";
+            break;
+        }
+        case UpdatesFailureReason::GET_UPDATE_REQUEST: {
+            err << "Failed to get update request.";
+            break;
+        }
+        case UpdatesFailureReason::DOWNLOAD_FILE : {
+            err << "Failed to download the file " << detail;
+            break;
+        }
+        case UpdatesFailureReason::HANDLE_FILE : {
+            err << "Failed to handle the file " << detail;
+            break;
+        }
+        case UpdatesFailureReason::INSTALLATION_QUEUE : {
+            err << "Installation queue creation failed.";
+            break;
+        }
+        case UpdatesFailureReason::INSTALL_PACKAGE : {
+            err << "Failed to install the package " << detail;
+            break;
+        }
+        case UpdatesFailureReason::CHECKSUM_UNMATCHED : {
+            err << "Checksums do not match for the file: " << detail;
+            break;
+        }
+        case UpdatesFailureReason::POLICY_CONFIGURATION : {
+            err << "Failed to configure policy version: " << detail;
+            break;
+        }
+        case UpdatesFailureReason::POLICY_FOG_CONFIGURATION : {
+            err << "Failed to configure the fog address: " << detail;
+            break;
+        }
+        case UpdatesFailureReason::SERVISE_CONFIGURATION : {
+            err << "Request for service reconfiguration failed to complete. Service name: " << detail;
+            break;
+        }
+        case UpdatesFailureReason::SERVISE_CONFIGURATION_TIMEOUT : {
+            err << detail;
+            break;
+        }
         case UpdatesFailureReason::ORCHESTRATION_SELF_UPDATE : {
             err << description;
             break;

components/security_apps/orchestration/updates_process_reporter/updates_process_reporter.cc

@@ -29,14 +29,21 @@ void
 UpdatesProcessReporter::upon(const UpdatesProcessEvent &event)
 {
     if (event.getReason() == UpdatesFailureReason::CHECK_UPDATE) {
+        auto i_controller = Singleton::Consume<I_ServiceController>::by<UpdatesProcessReporter>();
+        string version = i_controller->getUpdatePolicyVersion();
         if (event.getResult() == UpdatesProcessResult::SUCCESS && reports.empty()) {
             dbgTrace(D_UPDATES_PROCESS_REPORTER) << "Update proccess finished successfully";
-            report_failure_count = 0;
+            report_failure_count_map.erase(version);
             return;
         }
-        dbgTrace(D_UPDATES_PROCESS_REPORTER) << "Update proccess finished with errors";
-        report_failure_count++;
-        if (report_failure_count <= 1) {
+        if (report_failure_count_map.find(version) == report_failure_count_map.end()) {
+            report_failure_count_map[version] = 0;
+        }
+        report_failure_count_map[version]++;
+        dbgTrace(D_UPDATES_PROCESS_REPORTER)
+            << "Update proccess finished with errors. Count: "
+            << report_failure_count_map[version];
+        if (report_failure_count_map[version] <= 1) {
             reports.clear();
             return;
         }
@@ -48,7 +55,7 @@ UpdatesProcessReporter::upon(const UpdatesProcessEvent &event)
                 event.parseDescription()
             )
         );
-        sendReoprt();
+        sendReoprt(version);
         return;
     }
     if (event.getResult() == UpdatesProcessResult::SUCCESS || event.getResult() == UpdatesProcessResult::UNSET) return;
@@ -58,12 +65,13 @@ UpdatesProcessReporter::upon(const UpdatesProcessEvent &event)
 }
 
 void
-UpdatesProcessReporter::sendReoprt()
+UpdatesProcessReporter::sendReoprt(const string &version)
 {
     stringstream full_reports;
     UpdatesFailureReason failure_reason = UpdatesFailureReason::NONE;
     full_reports << "Updates process reports:" << endl;
-    full_reports << "report failure count:" << report_failure_count << endl;
+    full_reports << "Policy version: " << version << endl;
+    full_reports << "report failure count:" << report_failure_count_map[version] << endl;
     for (const auto &report : reports) {
         if (report.getReason() != UpdatesFailureReason::CHECK_UPDATE) {
             failure_reason = report.getReason();

components/security_apps/waap/include/i_serialize.h

@@ -57,7 +57,6 @@ private:
     std::vector<std::string> filesPathsList;
 };
 
-
 class I_Serializable {
 public:
     virtual void serialize(std::ostream& stream) = 0;

components/security_apps/waap/waap_clib/Serializator.cc

@@ -397,7 +397,7 @@ SerializeToLocalAndRemoteSyncBase::SerializeToLocalAndRemoteSyncBase(
     const string &owner
 ) :
     SerializeToFileBase(filePath),
-    m_remotePath(remotePath),
+    m_remotePath(replaceAllCopy(remotePath, "//", "/")),
     m_interval(0),
     m_owner(owner),
     m_pMainLoop(nullptr),
@@ -407,7 +407,7 @@ SerializeToLocalAndRemoteSyncBase::SerializeToLocalAndRemoteSyncBase(
     m_windowsCount(0),
     m_intervalsCounter(0),
     m_remoteSyncEnabled(true),
-    m_assetId(assetId),
+    m_assetId(replaceAllCopy(assetId, "/", "")),
     m_isAssetIdUuid(Waap::Util::isUuid(assetId)),
     m_shared_storage_host(genError("not set")),
     m_learning_host(genError("not set"))
@@ -439,7 +439,7 @@ SerializeToLocalAndRemoteSyncBase::SerializeToLocalAndRemoteSyncBase(
     }
     if (remotePath != "") {
         // remote path is /<tenantId>/<assetId>/<type>
-        auto parts = split(remotePath, '/');
+        auto parts = split(m_remotePath, '/');
         if (parts.size() > 2) {
             size_t offset = 0;
             if (parts[0].empty()) {
@@ -656,8 +656,7 @@ void SerializeToLocalAndRemoteSyncBase::syncWorker()
     OrchestrationMode mode = Singleton::exists<I_AgentDetails>() ?
         Singleton::Consume<I_AgentDetails>::by<WaapComponent>()->getOrchestrationMode() : OrchestrationMode::ONLINE;
 
-    if (mode == OrchestrationMode::OFFLINE  || !m_remoteSyncEnabled || isBase() ||
-        (mode == OrchestrationMode::ONLINE && !m_isAssetIdUuid) || !postData()) {
+    if (mode == OrchestrationMode::OFFLINE  || !m_remoteSyncEnabled || isBase() || !postData()) {
         dbgDebug(D_WAAP_CONFIDENCE_CALCULATOR)
             << "Did not synchronize the data. for asset: "
             << m_assetId

components/security_apps/waap/waap_clib/Telemetry.cc

@@ -37,7 +37,14 @@ WaapTelemetryBase::sendLog(const LogRest &metric_client_rest) const
     if (mode == OrchestrationMode::ONLINE) {
         return;
     }
-    auto svc_host = getConfigurationWithDefault(default_host, "Logging", "K8sSvc Log host");
+    const char* host_env_var = getenv("TUNING_HOST");
+    string host;
+    if (host_env_var != nullptr && strlen(host_env_var) > 0) {
+        host = string(host_env_var);
+    } else {
+        host = default_host;
+    }
+    auto svc_host = getConfigurationWithDefault(host, "Logging", "Container Log host");
     string fog_metric_uri = getConfigurationWithDefault<string>("/api/v1/agents/events", "metric", "fogMetricUri");
     MessageMetadata req_md(svc_host, 80);
     req_md.insertHeader(

components/security_apps/waap/waap_clib/TuningDecision.cc

@@ -15,6 +15,7 @@
 #include "i_mainloop.h"
 #include "i_serialize.h"
 #include "waap.h"
+#include "Waf2Util.h"
 
 using namespace std;
 
@@ -25,7 +26,7 @@ USE_DEBUG_FLAG(D_WAAP);
 
 TuningDecision::TuningDecision(const string& remotePath)
         :
-    m_remotePath(remotePath + "/tuning"),
+    m_remotePath(replaceAllCopy(remotePath + "/tuning", "//", "/")),
     m_baseUri()
 {
     if (remotePath == "")

components/security_apps/waap/waap_clib/Waf2Util.h

@@ -733,6 +733,12 @@ inline void replaceAll(std::string& str, const std::string& from, const std::str
         start_pos += to.length(); // In case 'to' contains 'from', like replacing 'x' with 'yx'
     }
 }
+
+inline std::string replaceAllCopy(std::string str, const std::string& from, const std::string& to) {
+    replaceAll(str, from, to);
+    return str;
+}
+
 inline void alignBase64Chunk (std::string &chunk)
 {
     size_t len = chunk.length() % 4;

components/utils/generic_rulebase/evaluators/trigger_eval.cc

@@ -50,7 +50,7 @@ TriggerMatcher::evalVariable() const
         << "Trying to match trigger. ID: "
         << trigger_id << ", Current set IDs: "
         << makeSeparatedStr(bc_trigger_id_ctx.ok() ? *bc_trigger_id_ctx : set<GenericConfigId>(), ", ");
-    if (bc_trigger_id_ctx.ok() && bc_trigger_id_ctx.unpack().count(trigger_id) > 0 ) return true;
+    if (bc_trigger_id_ctx.ok()) return bc_trigger_id_ctx.unpack().count(trigger_id) > 0;
 
     auto rule = getConfiguration<BasicRuleConfig>("rulebase", "rulesConfig");
     return rule.ok() && rule.unpack().isTriggerActive(trigger_id);

components/utils/generic_rulebase/match_query.cc

@@ -299,7 +299,16 @@ MatchQuery::matchAttributes(
 {
     auto &type = condition_type;
     bool negate = type == MatchQuery::Conditions::NotEquals || type == MatchQuery::Conditions::NotIn;
-    bool match = isRegEx() ? matchAttributesRegEx(values, matched_override_keywords) : matchAttributesString(values);
+    bool match = false;
+
+    if (isIP()) {
+        match = matchAttributesIp(values);
+    } else if (isRegEx()) {
+        match = matchAttributesRegEx(values, matched_override_keywords);
+    } else {
+        match = matchAttributesString(values);
+    }
+
     return negate ? !match : match;
 }
 
@@ -340,8 +349,26 @@ MatchQuery::matchAttributesString(const set<string> &values) const
     return false;
 }
 
+bool
+MatchQuery::matchAttributesIp(const set<string> &values) const
+{
+    for (const IPRange &rule_ip_range : ip_addr_value) {
+        for (const string &requested_value : values) {
+            IpAddress ip_addr = IPUtilities::createIpFromString(requested_value);
+            if (IPUtilities::isIpAddrInRange(rule_ip_range, ip_addr)) return true;
+        }
+    }
+    return false;
+}
+
 bool
 MatchQuery::isRegEx() const
 {
     return key != "protectionName";
 }
+
+bool
+MatchQuery::isIP() const
+{
+    return key == "sourceIP" || key == "destinationIP";
+}

config/crds/open-appsec-crd-v1beta1.yaml

@@ -0,0 +1,525 @@
+Enter file contents hereapiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata :
+  name : customresponses.openappsec.io
+
+spec:
+  group: openappsec.io
+  versions:
+    - name: v1beta1
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          properties:
+            spec:
+              type: object
+              properties:
+                mode:
+                  type: string
+                  enum:
+                    - block-page
+                    #- redirect
+                    - response-code-only
+                message-title:
+                  type: string
+                message-body:
+                  type: string
+                http-response-code:
+                  type: integer
+                  minimum: 100
+                  maximum: 599
+
+  scope: Cluster
+  names:
+    plural: customresponses
+    singular: customresponse
+    kind: CustomResponse
+    shortNames:
+    - customresponse
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: exceptions.openappsec.io
+
+spec:
+  group: openappsec.io
+  versions:
+    - name: v1beta1
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          properties:
+            spec:
+              type: array
+              items:
+                type: object
+                required:
+                  - action
+                properties:
+                  action:
+                    type: string
+                    enum:
+                      - skip
+                      - accept
+                      - drop
+                      - suppressLog
+                  sourceIp:
+                    type: array
+                    items:
+                      type: string
+                  url:
+                    type: array
+                    items:
+                      type: string
+                  sourceIdentifier:
+                    type: array
+                    items:
+                      type: string
+                  protectionName:
+                    type: array
+                    items:
+                      type: string
+                  paramValue:
+                    type: array
+                    items:
+                      type: string
+                  paramName:
+                    type: array
+                    items:
+                      type: string
+                  hostName:
+                    type: array
+                    items:
+                      type: string
+                  countryCode:
+                    type: array
+                    items:
+                      type: string
+                  countryName:
+                    type: array
+                    items:
+                      type: string
+                  comment:
+                    type: string
+
+  scope: Cluster
+  names:
+    plural: exceptions
+    singular: exception
+    kind: Exception
+    shortNames:
+      - exception
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata :
+  name : logtriggers.openappsec.io
+
+spec:
+  group: openappsec.io
+  versions:
+    - name: v1beta1
+      # Each version can be enabled/disabled by Served flag.
+      served: true
+      # One and only one version must be marked as the storage version.
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          properties:
+            spec:
+              type: object
+              properties:
+                access-control-logging:
+                  type: object
+                  properties:
+                    allow-events:
+                      type: boolean
+                    drop-events:
+                      type: boolean
+                appsec-logging:
+                  type: object
+                  properties:
+                    detect-events:
+                      type: boolean
+                    prevent-events:
+                      type: boolean
+                    all-web-requests:
+                      type: boolean
+                additional-suspicious-events-logging:
+                  type: object
+                  properties:
+                    enabled:
+                      type: boolean
+                    minimum-severity:
+                      type: string
+                      enum:
+                        - high
+                        - critical
+                    response-body:
+                      type: boolean
+                    response-code:
+                      type: boolean
+                extended-logging:
+                  type: object
+                  properties:
+                    url-path:
+                      type: boolean
+                    url-query:
+                      type: boolean
+                    http-headers:
+                      type: boolean
+                    request-body:
+                      type: boolean
+                log-destination:
+                  type: object
+                  properties:
+                    cloud:
+                      type: boolean
+                    syslog-service: #change to object array
+                      type: array
+                      items:
+                        type: object
+                        properties:
+                          address:
+                            type: string
+                          port:
+                            type: integer
+                    file:
+                      type: string
+                    stdout:
+                      type: object
+                      properties:
+                        format:
+                          type: string
+                          enum:
+                            - json
+                            - json-formatted
+                    cef-service:
+                      type: array
+                      items:
+                        type: object
+                        properties:
+                          address:
+                            type: string
+                          port:
+                            type: integer
+                          proto:
+                            type: string
+                            enum:
+                              - tcp
+                              - udp
+
+  scope: Cluster
+  names:
+    plural: logtriggers
+    singular: logtrigger
+    kind: LogTrigger
+    shortNames:
+    - logtrigger
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata :
+  name : policies.openappsec.io
+
+spec:
+  group: openappsec.io
+  versions:
+    - name: v1beta1
+      # Each version can be enabled/disabled by Served flag.
+      served: true
+      # One and only one version must be marked as the storage version.
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          properties:
+            spec:
+              type: object
+              properties:
+                default:
+                  type: object
+                  properties:
+                    mode:
+                      type: string
+                      enum:
+                        - prevent-learn
+                        - detect-learn
+                        - prevent
+                        - detect
+                        - inactive
+                    practices:
+                      type: array
+                      items:
+                        type: string
+                    triggers:
+                      type: array
+                      items:
+                        type: string
+                    custom-response:
+                      type: string
+                    source-identifiers:
+                      type: string
+                    trusted-sources:
+                      type: string
+                    exceptions:
+                      type: array
+                      items:
+                        type: string
+                specific-rules:
+                  type: array
+                  items:
+                    type: object
+                    properties:
+                      host:
+                        type: string
+                      mode:
+                        type: string
+                        enum:
+                          - prevent-learn
+                          - detect-learn
+                          - prevent
+                          - detect
+                          - inactive
+                      practices:
+                        type: array
+                        items:
+                          type: string
+                      triggers:
+                        type: array
+                        items:
+                          type: string
+                      custom-response:
+                        type: string
+                      source-identifiers:
+                        type: string
+                      trusted-sources:
+                        type: string
+                      exceptions:
+                        type: array
+                        items:
+                          type: string
+
+  scope: Cluster
+  names:
+    plural: policies
+    singular: policy
+    kind: Policy
+    shortNames:
+    - policy
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata :
+  name : practices.openappsec.io
+
+spec:
+  group: openappsec.io
+  versions:
+    - name: v1beta1
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          properties:
+            spec:
+              type: object
+              properties:
+                web-attacks:
+                  type: object
+                  properties:
+                    override-mode:
+                      type: string
+                      enum:
+                        - prevent-learn
+                        - detect-learn
+                        - prevent
+                        - detect
+                        - inactive
+                    minimum-confidence:
+                      type: string
+                      enum:
+                        - medium
+                        - high
+                        - critical
+                    max-url-size-bytes:
+                      type: integer
+                    max-object-depth:
+                      type: integer
+                    max-body-size-kb:
+                      type: integer
+                    max-header-size-bytes:
+                      type: integer
+                    protections:
+                      type: object
+                      properties:
+                        csrf-enabled:
+                          type: string
+                          enum:
+                            - prevent-learn
+                            - detect-learn
+                            - prevent
+                            - detect
+                            - inactive
+                        error-disclosure-enabled:
+                          type: string
+                          enum:
+                            - prevent-learn
+                            - detect-learn
+                            - prevent
+                            - detect
+                            - inactive
+                        open-redirect-enabled:
+                          type: string
+                          enum:
+                            - prevent-learn
+                            - detect-learn
+                            - prevent
+                            - detect
+                            - inactive
+                        non-valid-http-methods:
+                          type: boolean
+                anti-bot:
+                  type: object
+                  properties:
+                    override-mode:
+                      type: string
+                      enum:
+                        - prevent-learn
+                        - detect-learn
+                        - prevent
+                        - detect
+                        - inactive
+                    injected-URIs:
+                      type: array
+                      items:
+                        type: object
+                        properties:
+                          uri:
+                            type: string
+                    validated-URIs:
+                      type: array
+                      items:
+                        type: object
+                        properties:
+                          uri:
+                            type: string
+                snort-signatures:
+                  type: object
+                  properties:
+                    override-mode:
+                      type: string
+                      enum:
+                        - prevent-learn
+                        - detect-learn
+                        - prevent
+                        - detect
+                        - inactive
+                    configmap:
+                      type: array
+                      items:
+                        type: string
+                openapi-schema-validation:
+                  type: object
+                  properties:
+                    override-mode:
+                      type: string
+                      enum:
+                        - prevent-learn
+                        - detect-learn
+                        - prevent
+                        - detect
+                        - inactive
+                    configmap:
+                      type: array
+                      items:
+                        type: string
+
+  scope: Cluster
+  names:
+    plural: practices
+    singular: practice
+    kind: Practice
+    shortNames:
+    - practice
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata :
+  name : sourcesidentifiers.openappsec.io
+
+spec:
+  group: openappsec.io
+  versions:
+    - name: v1beta1
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          properties:
+            spec:
+              type: array
+              items:
+                type: object
+                properties:
+                  sourceIdentifier:
+                    type: string
+                    enum:
+                      - headerkey
+                      - JWTKey
+                      - cookie
+                      - sourceip
+                      - x-forwarded-for
+                  value:
+                    type: array
+                    items:
+                      type: string
+
+  scope: Cluster
+  names:
+    plural: sourcesidentifiers
+    singular: sourcesidentifier
+    kind: SourcesIdentifier
+    shortNames:
+    - sourcesidentifier
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata :
+  name : trustedsources.openappsec.io
+
+spec:
+  group: openappsec.io
+  versions:
+    - name: v1beta1
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          properties:
+            spec:
+              type: object
+              properties:
+                minNumOfSources:
+                  type: integer
+                sourcesIdentifiers:
+                  type: array
+                  items:
+                    type: string
+
+  scope: Cluster
+  names:
+    plural: trustedsources
+    singular: trustedsource
+    kind: TrustedSource
+    shortNames:
+    - trustedsource

core/attachments/http_configuration/http_configuration_ut/http_configuration_ut.cc

@@ -71,24 +71,24 @@ TEST_F(HttpAttachmentUtilTest, GetValidAttachmentConfiguration)
 
     HttpAttachmentConfiguration conf_data_out;
     EXPECT_EQ(conf_data_out.init(attachment_configuration_file_name), 1);
-    EXPECT_EQ(conf_data_out.getNumericalValue("is_fail_open_mode_enabled"), 0);
-    EXPECT_EQ(conf_data_out.getNumericalValue("fail_open_timeout"), 1234);
-    EXPECT_EQ(conf_data_out.getNumericalValue("is_fail_open_mode_hold_enabled"), 0);
-    EXPECT_EQ(conf_data_out.getNumericalValue("fail_open_hold_timeout"), 4321);
+    EXPECT_EQ(conf_data_out.getNumericalValue("is_fail_open_mode_enabled"), 0u);
+    EXPECT_EQ(conf_data_out.getNumericalValue("fail_open_timeout"), 1234u);
+    EXPECT_EQ(conf_data_out.getNumericalValue("is_fail_open_mode_hold_enabled"), 0u);
+    EXPECT_EQ(conf_data_out.getNumericalValue("fail_open_hold_timeout"), 4321u);
     EXPECT_EQ(conf_data_out.getStringValue("sessions_per_minute_limit_verdict"), "Accept");
-    EXPECT_EQ(conf_data_out.getNumericalValue("max_sessions_per_minute"), 0);
-    EXPECT_EQ(conf_data_out.getNumericalValue("num_of_nginx_ipc_elements"), 200);
-    EXPECT_EQ(conf_data_out.getNumericalValue("keep_alive_interval_msec"), 10000);
+    EXPECT_EQ(conf_data_out.getNumericalValue("max_sessions_per_minute"), 0u);
+    EXPECT_EQ(conf_data_out.getNumericalValue("num_of_nginx_ipc_elements"), 200u);
+    EXPECT_EQ(conf_data_out.getNumericalValue("keep_alive_interval_msec"), 10000u);
     EXPECT_EQ(conf_data_out.getNumericalValue("dbg_level"), 2u);
-    EXPECT_EQ(conf_data_out.getNumericalValue("res_proccessing_timeout_msec"), 420);
-    EXPECT_EQ(conf_data_out.getNumericalValue("req_proccessing_timeout_msec"), 42);
-    EXPECT_EQ(conf_data_out.getNumericalValue("registration_thread_timeout_msec"), 101);
-    EXPECT_EQ(conf_data_out.getNumericalValue("req_header_thread_timeout_msec"), 10);
-    EXPECT_EQ(conf_data_out.getNumericalValue("req_body_thread_timeout_msec"), 155);
-    EXPECT_EQ(conf_data_out.getNumericalValue("res_header_thread_timeout_msec"), 1);
-    EXPECT_EQ(conf_data_out.getNumericalValue("res_body_thread_timeout_msec"), 80);
-    EXPECT_EQ(conf_data_out.getNumericalValue("waiting_for_verdict_thread_timeout_msec"), 60);
-    EXPECT_EQ(conf_data_out.getNumericalValue("nginx_inspection_mode"), 1);
+    EXPECT_EQ(conf_data_out.getNumericalValue("res_proccessing_timeout_msec"), 420u);
+    EXPECT_EQ(conf_data_out.getNumericalValue("req_proccessing_timeout_msec"), 42u);
+    EXPECT_EQ(conf_data_out.getNumericalValue("registration_thread_timeout_msec"), 101u);
+    EXPECT_EQ(conf_data_out.getNumericalValue("req_header_thread_timeout_msec"), 10u);
+    EXPECT_EQ(conf_data_out.getNumericalValue("req_body_thread_timeout_msec"), 155u);
+    EXPECT_EQ(conf_data_out.getNumericalValue("res_header_thread_timeout_msec"), 1u);
+    EXPECT_EQ(conf_data_out.getNumericalValue("res_body_thread_timeout_msec"), 80u);
+    EXPECT_EQ(conf_data_out.getNumericalValue("waiting_for_verdict_thread_timeout_msec"), 60u);
+    EXPECT_EQ(conf_data_out.getNumericalValue("nginx_inspection_mode"), 1u);
 }
 
 TEST_F(HttpAttachmentUtilTest, GetMalformedAttachmentConfiguration)

core/config/config.cc

@@ -306,6 +306,7 @@ private:
     string log_files_prefix = "/var/log";
     string default_config_directory_path = "/conf/";
     string config_directory_path = "";
+    string error_to_report = "";
 
     TypeWrapper empty;
 };
@@ -802,6 +803,7 @@ bool
 ConfigComponent::Impl::commitFailure(const string &error)
 {
     dbgError(D_CONFIG) << error;
+    error_to_report = error;
     new_resource_nodes.clear();
     new_configuration_nodes.clear();
     new_settings_nodes.clear();
@@ -937,7 +939,7 @@ ConfigComponent::Impl::reloadConfigurationContinuesWrapper(const string &version
 
     mainloop->stop(routine_id);
     LoadNewConfigurationStatus finished(id, service_name, !res, true);
-    if (!res) finished.setError("Failed to reload configuration");
+    if (!res) finished.setError(error_to_report);
     I_TimeGet *time = Singleton::Consume<I_TimeGet>::by<ConfigComponent>();
     auto send_status_time_out = time->getMonotonicTime() + chrono::seconds(180);
     while (time->getMonotonicTime() < send_status_time_out) {

core/core_ut/cache_ut.cc

@@ -151,10 +151,10 @@ TEST(TempCaching, capacity)
     cache.createEntry(3);
     cache.createEntry(4);
 
-    EXPECT_EQ(cache.size(), 5);
-    EXPECT_EQ(cache.capacity(), 0);
+    EXPECT_EQ(cache.size(), 5u);
+    EXPECT_EQ(cache.capacity(), 0u);
     cache.capacity(3);
-    EXPECT_EQ(cache.size(), 3);
+    EXPECT_EQ(cache.size(), 3u);
     EXPECT_FALSE(cache.doesKeyExists(0));
     EXPECT_FALSE(cache.doesKeyExists(1));
     EXPECT_TRUE(cache.doesKeyExists(2));
@@ -162,7 +162,7 @@ TEST(TempCaching, capacity)
     EXPECT_TRUE(cache.doesKeyExists(4));
 
     cache.createEntry(5);
-    EXPECT_EQ(cache.size(), 3);
+    EXPECT_EQ(cache.size(), 3u);
     EXPECT_FALSE(cache.doesKeyExists(2));
     EXPECT_TRUE(cache.doesKeyExists(3));
     EXPECT_TRUE(cache.doesKeyExists(4));
@@ -170,7 +170,7 @@ TEST(TempCaching, capacity)
 
     cache.capacity(0);
     cache.createEntry(6);
-    EXPECT_EQ(cache.size(), 4);
+    EXPECT_EQ(cache.size(), 4u);
     EXPECT_TRUE(cache.doesKeyExists(3));
     EXPECT_TRUE(cache.doesKeyExists(4));
     EXPECT_TRUE(cache.doesKeyExists(5));
@@ -178,7 +178,7 @@ TEST(TempCaching, capacity)
 
     cache.deleteEntry(5);
     cache.capacity(2);
-    EXPECT_EQ(cache.size(), 2);
+    EXPECT_EQ(cache.size(), 2u);
     EXPECT_TRUE(cache.doesKeyExists(4));
     EXPECT_TRUE(cache.doesKeyExists(6));
 }

core/core_ut/maybe_res_ut.cc

@@ -161,6 +161,7 @@ public:
     public:
         MyValue(int _x) : x(_x) { addObj(this); }
         MyValue(const MyValue &other) : x(other.x) {  addObj(this); }
+        MyValue & operator=(const MyValue &other) = default;
         ~MyValue() { delObj(this); }
         bool operator==(const MyValue &other) const { return x==other.x; }
         bool operator!=(const MyValue &other) const { return x!=other.x; }
@@ -208,9 +209,9 @@ TEST_F(MaybeAssignments, ValValRval)
     Maybe<MyValue, MyValue> m(MyValue(1));
 
     // Change the value
-    EXPECT_EQ(1, m->x);
+    EXPECT_EQ(m->x, 1);
     m = 2;
-    EXPECT_EQ(2, m->x);
+    EXPECT_EQ(m->x, 2);
 }
 
 TEST_F(MaybeAssignments, ValValLval)

core/include/general/common.h

@@ -28,6 +28,7 @@
 #include <memory>
 #include <string>
 #include <vector>
+#include <map>
 #include <sstream>
 #include <iomanip>
 #include <sys/types.h>
@@ -145,6 +146,30 @@ operator<<(ostream &os, const vector<Printable> &obj)
     return os;
 }
 
+// LCOV_EXCL_START Reason: Currently not used in 4.8 coverage but is used in alpine.
+template <typename PrintableKey, typename PrintableValue>
+ostream &
+operator<<(ostream &os, const pair<PrintableKey, PrintableValue> &)
+{
+    // Uncomment when g++ 4.8 is no longer supported
+    // return os << obj.first << ':' << obj.second;
+    return os;
+}
+// LCOL_EXCL_STOP
+
+template <typename PrintableKey, typename PrintableValue>
+ostream &
+operator<<(ostream &os, const map<PrintableKey, PrintableValue> &)
+{
+    // Uncomment when g++ 4.8 is no longer supported
+    // bool first = true;
+    // for (const auto &pair : obj) {
+    //     os << (first ? "" : ", ") << pair;
+    //     first = false;
+    // }
+    return os;
+}
+
 } // namespace std
 
 #endif // __COMMON_H__

core/include/general/cptest.h

@@ -30,6 +30,7 @@
 #include "buffer.h"
 #include "scope_exit.h"
 #include "tostring.h"
+#include "time_print.h"
 
 std::ostream& operator<<(std::ostream &os, const Buffer &buf);
 

core/include/general/debug.h

@@ -20,6 +20,7 @@
 #include <vector>
 
 #include "common.h"
+#include "time_print.h"
 #include "singleton.h"
 #include "scope_exit.h"
 

core/intelligence_is_v2/intelligence_is_v2_ut/intelligence_comp_v2_ut.cc

@@ -1,3 +1,7 @@
+#include <sstream>
+namespace Intelligence { class Response; }
+std::ostream & operator<<(std::ostream &os, const Intelligence::Response &);
+
 #include "intelligence_comp_v2.h"
 
 #include "config.h"
@@ -642,7 +646,7 @@ TEST_F(IntelligenceComponentTestV2, multiAssetsIntelligenceTest)
     auto maybe_ans = intell->queryIntelligence<Profile>(request);
     EXPECT_TRUE(maybe_ans.ok());
     auto vec = maybe_ans.unpack();
-    EXPECT_EQ(vec.size(), 3);
+    EXPECT_EQ(vec.size(), 3u);
 
     auto iter = vec.begin();
 
@@ -962,11 +966,11 @@ TEST_F(IntelligenceComponentTestV2, pagingQueryTest)
     ).WillOnce(Return(HTTPResponse(HTTPStatusCode::HTTP_OK, paging_in_progress_response_str1)));
 
     request.setAssetsLimit(2);
-    EXPECT_EQ(request.getAssetsLimit(), 2);
+    EXPECT_EQ(request.getAssetsLimit(), 2u);
     auto maybe_ans1 = intell->queryIntelligence<Profile>(request);
     EXPECT_TRUE(maybe_ans1.ok());
     auto vec1 = maybe_ans1.unpack();
-    EXPECT_EQ(vec1.size(), 1);
+    EXPECT_EQ(vec1.size(), 1u);
     EXPECT_EQ(request.isPagingFinished(), false);
 
     EXPECT_CALL(messaging_mock, sendSyncMessage(HTTPMethod::POST, _, _, MessageCategory::INTELLIGENCE, _)
@@ -975,7 +979,7 @@ TEST_F(IntelligenceComponentTestV2, pagingQueryTest)
     auto maybe_ans2 = intell->queryIntelligence<Profile>(request);
     EXPECT_TRUE(maybe_ans2.ok());
     auto vec2 = maybe_ans2.unpack();
-    EXPECT_EQ(vec2.size(), 2);
+    EXPECT_EQ(vec2.size(), 2u);
     EXPECT_EQ(request.isPagingFinished(), false);
 
     EXPECT_CALL(messaging_mock, sendSyncMessage(HTTPMethod::POST, _, _, MessageCategory::INTELLIGENCE, _)
@@ -985,7 +989,7 @@ TEST_F(IntelligenceComponentTestV2, pagingQueryTest)
     if (!maybe_ans3.ok()) cout << maybe_ans3.getErr() + "\n";
     EXPECT_TRUE(maybe_ans3.ok());
     auto vec3 = maybe_ans3.unpack();
-    EXPECT_EQ(vec3.size(), 1);
+    EXPECT_EQ(vec3.size(), 1u);
     EXPECT_EQ(request.isPagingFinished(), true);
 
     vector<AssetReply<Profile>>::iterator assets_iter = vec3.begin();
@@ -1316,7 +1320,6 @@ TEST_F(IntelligenceComponentTestV2, ignoreInProgressQueryTest_2)
     QueryRequest request(Condition::EQUALS, "category", "cloud", true, AttributeKeyType::NONE);
     request.activatePaging();
     request.setAssetsLimit(10);
-    vector<AssetReply<Profile>> objects_reply;
     vector<string> objects_ids;
     do {
         auto object_result = intell->queryIntelligence<Profile>(request, true);
@@ -1325,10 +1328,9 @@ TEST_F(IntelligenceComponentTestV2, ignoreInProgressQueryTest_2)
             break;
         }
 
-        objects_reply = object_result.unpack();
-        if (objects_reply.empty()) break;
+        if ((*object_result).empty()) break;
 
-        for (const AssetReply<Profile> &current_object : objects_reply) {
+        for (const AssetReply<Profile> &current_object : *object_result) {
             if (current_object.getMainAttributes().empty()) {
                 continue;
             }
@@ -1337,5 +1339,5 @@ TEST_F(IntelligenceComponentTestV2, ignoreInProgressQueryTest_2)
         }
     } while (!request.isPagingFinished());
 
-    EXPECT_EQ(objects_ids.size(), 2);
+    EXPECT_EQ(objects_ids.size(), 2u);
 }

core/intelligence_is_v2/intelligence_is_v2_ut/invalidation_ut.cc

@@ -609,7 +609,7 @@ TEST_F(IntelligenceInvalidation, invalidation_callback)
     json << invalidation2.genObject();
     mock_invalidation->performRestCall(json);
 
-    EXPECT_EQ(recieved_invalidations.size(), 1);
+    EXPECT_EQ(recieved_invalidations.size(), 1u);
     EXPECT_EQ(recieved_invalidations[0].getMainAttributes().begin()->getStringSetAttr("attr2").unpack(), vals);
 }
 
@@ -653,7 +653,7 @@ TEST_F(IntelligenceInvalidation, delete_invalidation_callback)
     json << invalidation2.genObject();
     mock_invalidation->performRestCall(json);
 
-    EXPECT_EQ(recieved_invalidations.size(), 0);
+    EXPECT_EQ(recieved_invalidations.size(), 0u);
 }
 
 TEST_F(IntelligenceInvalidation, invalidation_short_handling)
@@ -697,7 +697,7 @@ TEST_F(IntelligenceInvalidation, invalidation_short_handling)
     json << invalidation2.genObject();
     mock_invalidation->performRestCall(json);
 
-    EXPECT_EQ(recieved_invalidations.size(), 0);
+    EXPECT_EQ(recieved_invalidations.size(), 0u);
 }
 
 TEST_F(IntelligenceInvalidation, routine_registration)
@@ -792,7 +792,7 @@ TEST_F(IntelligenceInvalidation, invalidation_flow_with_multiple_assets)
     json1 << not_matching_invalidation.genObject();
     mock_invalidation->performRestCall(json1);
 
-    EXPECT_EQ(recieved_invalidations.size(), 0);
+    EXPECT_EQ(recieved_invalidations.size(), 0u);
 
     auto matching_second_main_attribute = StrAttributes()
         .addStringAttr("attr3", "3");
@@ -808,7 +808,7 @@ TEST_F(IntelligenceInvalidation, invalidation_flow_with_multiple_assets)
     json2 << matching_invalidation.genObject();
     mock_invalidation->performRestCall(json2);
 
-    EXPECT_EQ(recieved_invalidations.size(), 1);
+    EXPECT_EQ(recieved_invalidations.size(), 1u);
 }
 
 TEST_F(IntelligenceInvalidation, invalidation_cb_match_2_registred_assets)
@@ -868,7 +868,7 @@ TEST_F(IntelligenceInvalidation, invalidation_cb_match_2_registred_assets)
     json << matching_invalidation.genObject();
     mock_invalidation->performRestCall(json);
 
-    EXPECT_EQ(recieved_invalidations.size(), 2);
+    EXPECT_EQ(recieved_invalidations.size(), 2u);
 }
 
 TEST_F(IntelligenceInvalidation, invalidation_cb_match_by_registration_id)
@@ -931,5 +931,5 @@ TEST_F(IntelligenceInvalidation, invalidation_cb_match_by_registration_id)
     cout << json.str() << endl;
     mock_invalidation->performRestCall(json);
 
-    EXPECT_EQ(recieved_invalidations.size(), 1);
+    EXPECT_EQ(recieved_invalidations.size(), 1u);
 }

core/intelligence_is_v2/intelligence_is_v2_ut/json_stream_ut.cc

@@ -42,7 +42,7 @@ addSlashesToSpecialChars(const string &input)
         case '\"':
         case '\\':
             output += '\\';
-            //no break
+            // fallthrough
         default:
             output += c;
             break;

core/intelligence_is_v2/intelligence_is_v2_ut/query_request_v2_ut.cc

@@ -136,12 +136,12 @@ TEST(QueryRequestTestV2, AttributesTest)
     request.setRequestedAttr("countryName");
     SerializableAttributesMap request_attributes_map2 = request.getRequestedAttributes();
 
-    EXPECT_EQ(request_attributes_map2.getAttributeByKey("attributes.countryName"), 500);
+    EXPECT_EQ(request_attributes_map2.getAttributeByKey("attributes.countryName"), 500u);
 
     request.setRequestedAttr("reputationSeverity", 30);
     SerializableAttributesMap request_attributes_map3 = request.getRequestedAttributes();
 
-    EXPECT_EQ(request_attributes_map3.getAttributeByKey("attributes.reputationSeverity"), 30);
+    EXPECT_EQ(request_attributes_map3.getAttributeByKey("attributes.reputationSeverity"), 30u);
 
     string output_json =
     "{\n"

core/intelligence_is_v2/intelligence_is_v2_ut/query_response_v2_ut.cc

@@ -155,13 +155,13 @@ TEST(QueryResponseTestV2, QueryResponseTestV2)
         obj2.loadFromJson(ss.str());
     }
 
-    EXPECT_EQ(obj.getAmountOfAssets(), 2);
-    EXPECT_EQ(obj2.getAmountOfAssets(), 2);
+    EXPECT_EQ(obj.getAmountOfAssets(), 2u);
+    EXPECT_EQ(obj2.getAmountOfAssets(), 2u);
     EXPECT_EQ(obj.getResponseStatus(), ResponseStatus::DONE);
     EXPECT_EQ(obj2.getResponseStatus(), ResponseStatus::DONE);
-    EXPECT_EQ(obj.getData().begin()->getAssetSchemaVersion(), 1);
+    EXPECT_EQ(obj.getData().begin()->getAssetSchemaVersion(), 1u);
     EXPECT_EQ(obj.getData().begin()->getAssetType(), "workload-cloud-ip");
-    EXPECT_EQ(obj.getData().begin()->getAssetTypeSchemaVersion(), 1);
+    EXPECT_EQ(obj.getData().begin()->getAssetTypeSchemaVersion(), 1u);
     EXPECT_EQ(obj.getData().begin()->getAssetPermissionGroupId(), "some-group-id");
     EXPECT_EQ(obj.getData().begin()->getAssetName(), "[1.1.1.1]");
     EXPECT_EQ(obj.getData().begin()->getAssetClass(), "workload");
@@ -188,7 +188,7 @@ TEST(QueryResponseTestV2, QueryResponseTestV2)
     EXPECT_EQ(soucres_it->getAssetId(), "50255c3172b4fb7fda93025f0bfaa7abefd1");
     EXPECT_EQ(soucres_it->getTTL(), chrono::seconds(120));
     EXPECT_EQ(soucres_it->getExpirationTime(), "2020-07-29T11:21:12.253Z");
-    EXPECT_EQ(soucres_it->getConfidence(), 500);
+    EXPECT_EQ(soucres_it->getConfidence(), 500u);
     EXPECT_EQ(soucres_it->getAttributes().begin()->getData().toString(), "red");
     EXPECT_EQ(soucres_it->getAttributes().begin()->getData1().toString(), "Omry");
 
@@ -198,15 +198,15 @@ TEST(QueryResponseTestV2, QueryResponseTestV2)
     EXPECT_EQ(soucres_it->getAssetId(), "cb068860528cb6bfb000cc35e79f11aeefed2");
     EXPECT_EQ(soucres_it->getTTL(), chrono::seconds(120));
     EXPECT_EQ(soucres_it->getExpirationTime(), "2020-07-29T11:21:12.253Z");
-    EXPECT_EQ(soucres_it->getConfidence(), 600);
+    EXPECT_EQ(soucres_it->getConfidence(), 600u);
     EXPECT_EQ(soucres_it->getAttributes().begin()->getData().toString(), "white");
     EXPECT_EQ(soucres_it->getAttributes().begin()->getData1().toString(), "Max");
 
     vector<AssetReply<stringData1>> asset_collections = obj.getData();
-    EXPECT_EQ(asset_collections.size(), 1);
+    EXPECT_EQ(asset_collections.size(), 1u);
     vector<AssetReply<stringData1>>::const_iterator asset_collections_it = asset_collections.begin();
     vector<stringData1> asset_sources = asset_collections_it->getData();
-    EXPECT_EQ(asset_sources.size(), 2);
+    EXPECT_EQ(asset_sources.size(), 2u);
     vector<stringData1>::iterator asset_sources_it = asset_sources.begin();
 
     EXPECT_EQ(asset_sources_it->getData().toString(), "red");

core/logging/k8s_svc_stream.cc

@@ -35,7 +35,14 @@ ContainerSvcStream::~ContainerSvcStream()
 void
 ContainerSvcStream::sendLog(const Report &log)
 {
-    auto svc_host = getConfigurationWithDefault(default_host, "Logging", "Container Log host");
+    const char* host_env_var = getenv("TUNING_HOST");
+    string host;
+    if (host_env_var != nullptr && strlen(host_env_var) > 0) {
+        host = string(host_env_var);
+    } else {
+        host = default_host;
+    }
+    auto svc_host = getConfigurationWithDefault(host, "Logging", "Container Log host");
     auto svc_log_uri = getConfigurationWithDefault(default_log_uri, "Logging", "Container Log URI");
     LogRest rest(log);
 
@@ -66,7 +73,14 @@ ContainerSvcStream::sendLog(const LogBulkRest &logs, bool persistence_only)
         return;
     }
 
-    auto svc_host = getConfigurationWithDefault(default_host, "Logging", "Container Log host");
+    const char* host_env_var = getenv("TUNING_HOST");
+    string host;
+    if (host_env_var != nullptr && strlen(host_env_var) > 0) {
+        host = string(host_env_var);
+    } else {
+        host = default_host;
+    }
+    auto svc_host = getConfigurationWithDefault(host, "Logging", "Container Log host");
     auto svc_log_uri = getConfigurationWithDefault(default_bulk_uri, "Logging", "Container Bulk Log URI");
 
     MessageMetadata rest_req_md(svc_host, 80);

core/logging/logging_ut/logging_ut.cc

@@ -101,7 +101,7 @@ public:
     }
 };
 
-class LogTest : public testing::TestWithParam<bool>
+class LogTest : public testing::Test
 {
 public:
     LogTest()
@@ -909,7 +909,7 @@ TEST_F(LogTest, OfflineK8sSvcBulkLogs)
     EXPECT_EQ(local_body, str1);
 }
 
-TEST_P(LogTest, metrics_check)
+TEST_F(LogTest, metrics_check)
 {
     loadFakeConfiguration(true, false, "", 3);
     Tags tag1 = Tags::POLICY_INSTALLATION;
@@ -935,16 +935,10 @@ TEST_P(LogTest, metrics_check)
         "    \"sentLogsBulksSum\": 3\n"
         "}";
 
-    bool is_named_query = GetParam();
-    if (is_named_query) {
-        EXPECT_THAT(AllMetricEvent().performNamedQuery(), ElementsAre(Pair("Logging data", logging_metric_str)));
-    } else {
-        EXPECT_THAT(AllMetricEvent().query(), ElementsAre(logging_metric_str));
-    }
+    EXPECT_THAT(AllMetricEvent().performNamedQuery(), ElementsAre(Pair("Logging data", logging_metric_str)));
+    EXPECT_THAT(AllMetricEvent().query(), ElementsAre(logging_metric_str));
 }
 
-INSTANTIATE_TEST_CASE_P(metrics_check, LogTest, ::testing::Values(false, true));
-
 TEST_F(LogTest, DeleteStreamTest)
 {
     loadFakeConfiguration(false);
@@ -1564,7 +1558,7 @@ TEST_F(LogTest, ObfuscationTest)
     EXPECT_EQ(getBodyFogMessage(), expected_obfuscated_log);
     ASSERT_NE(sysog_routine, nullptr);
     sysog_routine();
-    EXPECT_EQ(capture_syslog_cef_data.size(), 2);
+    EXPECT_EQ(capture_syslog_cef_data.size(), 2u);
     for (const string &str : capture_syslog_cef_data) {
         EXPECT_THAT(str, AnyOf(HasSubstr("String='Another string'"), HasSubstr("String=\"Another string\"")));
     }

core/mainloop/mainloop_ut/mainloop_ut.cc

@@ -504,7 +504,7 @@ TEST_F(MainloopTest, get_routine_id)
 {
     cptestPrepareToDie();
     auto cb = [this] () {
-        EXPECT_EQ(mainloop->getCurrentRoutineId().unpack(), 1);
+        EXPECT_EQ(mainloop->getCurrentRoutineId().unpack(), 1u);
         EXPECT_DEATH(mainloop->run(), "MainloopComponent::Impl::run was called while it was already running");
     };
     mainloop->addOneTimeRoutine(

core/messaging/include/dummy_socket.h

@@ -76,7 +76,7 @@ public:
     writeToSocket(const std::string &msg)
     {
         acceptSocket();
-        EXPECT_EQ(write(connection_fd, msg.data(), msg.size()), msg.size());
+        EXPECT_EQ(write(connection_fd, msg.data(), msg.size()), static_cast<int>(msg.size()));
     }
 
 private:

core/report/report.cc

@@ -176,6 +176,8 @@ Report::getSyslog() const
     if (!origin_syslog.empty()) {
         report.push(origin_syslog);
     }
+    auto severity_str = "eventSeverity=\"" + TagAndEnumManagement::convertToString(severity) + '"';
+    report.push(severity_str);
     if (!event_data_syslog.empty()) {
         report.push(event_data_syslog);
     }
@@ -218,6 +220,8 @@ Report::getCef() const
     if (!origin_cef.empty()) {
         report.pushExtension(origin_cef);
     }
+    auto severity_str = "eventSeverity=\"" + TagAndEnumManagement::convertToString(severity) + '"';
+    report.pushExtension(severity_str);
     if (!event_data_cef.empty()) {
         report.pushExtension(event_data_cef);
     }

core/report/report_ut/report_ut.cc

@@ -87,7 +87,7 @@ TEST(TagTest, TagStringTest)
     set<string> tags_string;
     for (Tags tag : makeRange<Tags>()) {
         tags_string = TagAndEnumManagement::convertToString({tag});
-        ASSERT_EQ(tags_string.size(), 1);
+        ASSERT_EQ(tags_string.size(), 1u);
         Maybe<Tags> tag_from_string = TagAndEnumManagement::convertStringToTag(*tags_string.begin());
         ASSERT_TRUE(tag_from_string.ok());
         EXPECT_EQ(tag_from_string.unpack(), tag);
@@ -571,7 +571,8 @@ TEST_F(ReportTest, testSyslogWithoutServiceName)
         report.getSyslog(),
         "<133>1 0:0:0.123Z cpnano-agent-001 UnnamedNanoService - 0 - "
         "title='Log Test' agent=\"Secret\" eventTraceId=\"\" eventSpanId=\"\" "
-        "issuingEngineVersion=\"\" serviceName=\"Unnamed Nano Service\" serviceId=\"\" serviceFamilyId=\"\""
+        "issuingEngineVersion=\"\" serviceName=\"Unnamed Nano Service\" serviceId=\"\" serviceFamilyId=\"\" "
+        "eventSeverity=\"Info\""
     );
 }
 
@@ -612,6 +613,7 @@ TEST_F(ReportTest, testSyslog)
         "title='Log Test' agent=\"Secret\"") +
         " eventTraceId=\"\" eventSpanId=\"\" issuingEngineVersion=\"\"" +
         " serviceName=\"Access Control App\" serviceId=\"\" serviceFamilyId=\"\"" +
+        " eventSeverity=\"Info\"" +
         string(" ArrayOfArraies=\"[ [ a, b \\], [ 1, 2 \\] \\]\"") +
         string(" DataWithNewLine=\"new\\r\\nline\"") +
         string(" DataWithQuote=\"data\\'bla\"");
@@ -654,7 +656,9 @@ TEST_F(ReportTest, testCef)
         "CEF:0|Check Point|AccessControlApp||Event Driven|Log Test|Low|"
         "eventTime=0:0:0.123 agent=\"Secret\" eventTraceId=\"\" eventSpanId=\"\" issuingEngineVersion=\"\""
         " serviceName=\"Access Control App\" serviceId=\"\""
-        " serviceFamilyId=\"\" Bond=\"1\" DataWithQuote=\"data\\'bla\""
+        " serviceFamilyId=\"\" Bond=\"1\""
+        " eventSeverity=\"Info\""
+        " DataWithQuote=\"data\\'bla\""
     );
 }
 

core/rest/rest_ut/rest_config_ut.cc

@@ -162,7 +162,7 @@ TEST_F(RestConfigTest, basic_flow)
     I_MainLoop::Routine stop_routine = [&] () {
         EXPECT_EQ(connect(file_descriptor, (struct sockaddr*)&sa, sizeof(struct sockaddr)), 0);
         string msg = "POST /add-test HTTP/1.1\r\nContent-Length: 10\r\n\r\n{\"num\": 5}";
-        EXPECT_EQ(write(file_descriptor, msg.data(), msg.size()), msg.size());
+        EXPECT_EQ(write(file_descriptor, msg.data(), msg.size()), static_cast<int>(msg.size()));
 
         while(!TestServer::g_num) {
             mainloop->yield(true);

core/shmem_ipc/shmem_ipc_ut/shmem_ipc_ut.cc

@@ -264,8 +264,8 @@ TEST_F(SharedIPCTest, ensure_right_permissions)
         stat(queue_name, &info);
         EXPECT_EQ(info.st_uid, uid);
         EXPECT_EQ(info.st_gid, gid);
-        EXPECT_EQ(info.st_mode & S_IRUSR, S_IRUSR);
-        EXPECT_EQ(info.st_mode & S_IWUSR, S_IWUSR);
-        EXPECT_NE(info.st_mode & S_IXUSR, S_IXUSR);
+        EXPECT_EQ(info.st_mode & S_IRUSR, static_cast<uint>(S_IRUSR));
+        EXPECT_EQ(info.st_mode & S_IWUSR, static_cast<uint>(S_IWUSR));
+        EXPECT_NE(info.st_mode & S_IXUSR, static_cast<uint>(S_IXUSR));
     }
 }

deployment/swag/docker-compose.yaml

@@ -0,0 +1,46 @@
+services:
+  swag-attachment:
+    image: ghcr.io/openappsec/swag-attachment:latest
+    ipc: service:appsec-agent
+    restart: unless-stopped
+    container_name: swag-attachment
+    cap_add:
+      - NET_ADMIN
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Etc/UTC
+      - URL=yourdomain.url # replace yourdomain.url with your own domain
+      # make sure your domain's public IP resolves to
+      # the docker host for Let's Encrypt cert generation to succeed
+      - VALIDATION=http
+      # see https://docs.linuxserver.io/images/docker-swag/ for
+      # more cert generation/validation options
+      - STAGING=true # switch to 'false' after successful testing
+    volumes:
+      - ./swag-config:/config
+    ports:
+      - 443:443
+      - 80:80 #optional
+
+  appsec-agent:
+    container_name: appsec-agent
+    image: ghcr.io/openappsec/agent:latest
+    ipc: shareable
+    restart: unless-stopped
+    environment:
+      - user_email=user@email.com # adjust with your own email
+      - registered_server='SWAG Server'
+      # if autoPolicyLoad is set to true, open-appsec will apply
+      # changes in local_policy.yaml automatically
+      - autoPolicyLoad=true
+      # To connect to open-appsec central management WebUI 
+      ## create your WebUI profile at https://my.openappsec.io,
+      ## enforce policy, copy the profile token from WebUI and add it below 
+      - AGENT_TOKEN=
+    volumes:
+      - ./appsec-config:/etc/cp/conf
+      - ./appsec-data:/etc/cp/data
+      - ./appsec-logs:/var/log/nano_agent
+      - ./appsec-localconfig:/ext/appsec
+    command: /cp-nano-agent

nodes/orchestration/package/local-default-policy.yaml

@@ -1,15 +1,16 @@
 policies:
   default:
-    triggers:
-    - appsec-default-log-trigger
     mode: detect-learn
-    practices:
-    - webapp-default-practice
-    custom-response: appsec-default-web-user-response
+    practices: [appsec-best-practice]
+    triggers: [appsec-log-trigger]
+    custom-response: 403-forbidden
+    source-identifiers: ""
+    trusted-sources: ""
+    exceptions: []
   specific-rules: []
 
 practices:
-  - name: webapp-default-practice
+  - name: appsec-best-practice
     openapi-schema-validation:
       configmap: []
       override-mode: detect-learn
@@ -34,7 +35,7 @@ practices:
       override-mode: detect-learn
 
 log-triggers:
-  - name: appsec-default-log-trigger
+  - name: appsec-log-trigger
     access-control-logging:
       allow-events: false
       drop-events: true
@@ -57,7 +58,7 @@ log-triggers:
         format: json
 
 custom-responses:
-  - name: appsec-default-web-user-response
+  - name: 403-forbidden
     mode: response-code-only
     http-response-code: 403
 

nodes/orchestration/package/open-appsec-ctl.sh

@@ -1710,7 +1710,7 @@ is_apply_policy_needed()
         return 0
     fi
     local_policy_modification_time=$(stat -c %Y ${var_policy_file})
-    if [ "${local_policy_modification_time}" -eq "${last_local_policy_modification_time}" ] || [ -z ${last_local_policy_modification_time} ]; then
+    if [ "${local_policy_modification_time}" == "${last_local_policy_modification_time}" ]; then
         return 1
     fi
     return 0