github_mirrors/openappsec
3
0
Fork 1
mirror of https://github.com/openappsec/openappsec.git synced 2025-11-17 17:55:28 +03:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: github_mirrors:May_27_2024-Dev
Branches Tags
github_mirrors:main github_mirrors:v1beta2-defualt-policy github_mirrors:fix-entry-file-token-arg github_mirrors:09-11-25-dev github_mirrors:docker-stop-issue github_mirrors:update_docker_compose github_mirrors:fix-alpine-ca github_mirrors:Aug_08_2025-Dev github_mirrors:nginx_message_reader_improvements github_mirrors:conf-collector-upload github_mirrors:waf-tag github_mirrors:watchdog github_mirrors:prometheus_support github_mirrors:exception-fix github_mirrors:orianelou-patch-8 github_mirrors:orianelou-issue-tamplates github_mirrors:Mar_17_2025-Dev github_mirrors:docker-upgrade-issue github_mirrors:namspace-crds github_mirrors:Feb_27_2025-Dev github_mirrors:Feb_10_2025-Dev github_mirrors:oriane-23.12.24-adding-new-composes github_mirrors:Jan_12_2025-Dev github_mirrors:orianelou-patch-7 github_mirrors:Dec_29_2024-Dev github_mirrors:Nov_28_2024-Dev github_mirrors:Oct_14_2024-Dev github_mirrors:Sep_17_2024-Dev github_mirrors:Sep_15_2024-Dev github_mirrors:Sep_13_2024-Dev github_mirrors:Sep_11_2024-Dev github_mirrors:Aug_20_2024-Dev github_mirrors:orianelou-patch-6 github_mirrors:orianelou-patch-5 github_mirrors:orianelou-patch-4 github_mirrors:Jul_31_2024-Dev github_mirrors:danielei-hotifx-candidate github_mirrors:orianelou-crds github_mirrors:or github_mirrors:Jul_23_2024-Dev github_mirrors:Jul_04_2024-Dev github_mirrors:Jun_26_2024-Dev github_mirrors:orianelou-new-policy-files github_mirrors:Jun_09_2024-Dev github_mirrors:May_27_2024-Dev github_mirrors:Apr_21_2024-Dev github_mirrors:Apr_14_2024-Dev github_mirrors:Mar_21_2024-Dev github_mirrors:orianelou-patch-3 github_mirrors:WrightNed-patch-1 github_mirrors:Feb_28_2024 github_mirrors:orianelou-patch-apisix github_mirrors:Feb_13_2024 github_mirrors:Feb_06_2024-Dev github_mirrors:Jan_31_2024-Dev github_mirrors:Dec-24-2023 github_mirrors:Dec-12th-2023 github_mirrors:Nov_12_2023-Dev github_mirrors:open_appsec_add_agent_cache_for_rate_limit github_mirrors:orianelou-patch-2 github_mirrors:Sep_24_2023-Dev github_mirrors:Aug_23_2023-Dev github_mirrors:changing_socket_readiness_testing github_mirrors:support-advance-model github_mirrors:Jul_24_23_chart_update github_mirrors:Jul_06_2023-Dev github_mirrors:orianelou-patch-1 github_mirrors:workflow-08_05 github_mirrors:May_11_2023-Dev github_mirrors:crowdsec github_mirrors:Apr_27_2023-Dev github_mirrors:Mar_26_2023-Dev github_mirrors:Mar_13_2023-Dev github_mirrors:Mar_02_2023-Dev github_mirrors:Feb_22_2023-Dev github_mirrors:Feb_15_2023-Dev github_mirrors:Jan_22_2023-Dev github_mirrors:Jan_18_2023-Dev github_mirrors:Jan_16_2023
github_mirrors:1.1.30 github_mirrors:1.1.29 github_mirrors:1.1.27 github_mirrors:1.1.26 github_mirrors:1.1.25 github_mirrors:1.1.24 github_mirrors:1.1.23 github_mirrors:1.1.22 github_mirrors:1.1.21 github_mirrors:1.1.20 github_mirrors:1.1.19 github_mirrors:1.1.18 github_mirrors:1.1.17 github_mirrors:1.1.16 github_mirrors:1.1.15 github_mirrors:1.1.14 github_mirrors:v1.1.3 github_mirrors:1.1.12 github_mirrors:1.1.11 github_mirrors:1.1.10 github_mirrors:1.1.9 github_mirrors:1.1.8 github_mirrors:1.1.7 github_mirrors:1.1.6 github_mirrors:1.1.5 github_mirrors:1.1.4 github_mirrors:1.1.3 github_mirrors:1.1.2 github_mirrors:1.1.0 github_mirrors:1.0.1 github_mirrors:1.0.0 github_mirrors:0.9.1-rc github_mirrors:0.9.0-rc github_mirrors:0.8.0-rc
...
compare: github_mirrors:orianelou-patch-4
Branches Tags
github_mirrors:main github_mirrors:v1beta2-defualt-policy github_mirrors:fix-entry-file-token-arg github_mirrors:09-11-25-dev github_mirrors:docker-stop-issue github_mirrors:update_docker_compose github_mirrors:fix-alpine-ca github_mirrors:Aug_08_2025-Dev github_mirrors:nginx_message_reader_improvements github_mirrors:conf-collector-upload github_mirrors:waf-tag github_mirrors:watchdog github_mirrors:prometheus_support github_mirrors:exception-fix github_mirrors:orianelou-patch-8 github_mirrors:orianelou-issue-tamplates github_mirrors:Mar_17_2025-Dev github_mirrors:docker-upgrade-issue github_mirrors:namspace-crds github_mirrors:Feb_27_2025-Dev github_mirrors:Feb_10_2025-Dev github_mirrors:oriane-23.12.24-adding-new-composes github_mirrors:Jan_12_2025-Dev github_mirrors:orianelou-patch-7 github_mirrors:Dec_29_2024-Dev github_mirrors:Nov_28_2024-Dev github_mirrors:Oct_14_2024-Dev github_mirrors:Sep_17_2024-Dev github_mirrors:Sep_15_2024-Dev github_mirrors:Sep_13_2024-Dev github_mirrors:Sep_11_2024-Dev github_mirrors:Aug_20_2024-Dev github_mirrors:orianelou-patch-6 github_mirrors:orianelou-patch-5 github_mirrors:orianelou-patch-4 github_mirrors:Jul_31_2024-Dev github_mirrors:danielei-hotifx-candidate github_mirrors:orianelou-crds github_mirrors:or github_mirrors:Jul_23_2024-Dev github_mirrors:Jul_04_2024-Dev github_mirrors:Jun_26_2024-Dev github_mirrors:orianelou-new-policy-files github_mirrors:Jun_09_2024-Dev github_mirrors:May_27_2024-Dev github_mirrors:Apr_21_2024-Dev github_mirrors:Apr_14_2024-Dev github_mirrors:Mar_21_2024-Dev github_mirrors:orianelou-patch-3 github_mirrors:WrightNed-patch-1 github_mirrors:Feb_28_2024 github_mirrors:orianelou-patch-apisix github_mirrors:Feb_13_2024 github_mirrors:Feb_06_2024-Dev github_mirrors:Jan_31_2024-Dev github_mirrors:Dec-24-2023 github_mirrors:Dec-12th-2023 github_mirrors:Nov_12_2023-Dev github_mirrors:open_appsec_add_agent_cache_for_rate_limit github_mirrors:orianelou-patch-2 github_mirrors:Sep_24_2023-Dev github_mirrors:Aug_23_2023-Dev github_mirrors:changing_socket_readiness_testing github_mirrors:support-advance-model github_mirrors:Jul_24_23_chart_update github_mirrors:Jul_06_2023-Dev github_mirrors:orianelou-patch-1 github_mirrors:workflow-08_05 github_mirrors:May_11_2023-Dev github_mirrors:crowdsec github_mirrors:Apr_27_2023-Dev github_mirrors:Mar_26_2023-Dev github_mirrors:Mar_13_2023-Dev github_mirrors:Mar_02_2023-Dev github_mirrors:Feb_22_2023-Dev github_mirrors:Feb_15_2023-Dev github_mirrors:Jan_22_2023-Dev github_mirrors:Jan_18_2023-Dev github_mirrors:Jan_16_2023
github_mirrors:1.1.30 github_mirrors:1.1.29 github_mirrors:1.1.27 github_mirrors:1.1.26 github_mirrors:1.1.25 github_mirrors:1.1.24 github_mirrors:1.1.23 github_mirrors:1.1.22 github_mirrors:1.1.21 github_mirrors:1.1.20 github_mirrors:1.1.19 github_mirrors:1.1.18 github_mirrors:1.1.17 github_mirrors:1.1.16 github_mirrors:1.1.15 github_mirrors:1.1.14 github_mirrors:v1.1.3 github_mirrors:1.1.12 github_mirrors:1.1.11 github_mirrors:1.1.10 github_mirrors:1.1.9 github_mirrors:1.1.8 github_mirrors:1.1.7 github_mirrors:1.1.6 github_mirrors:1.1.5 github_mirrors:1.1.4 github_mirrors:1.1.3 github_mirrors:1.1.2 github_mirrors:1.1.0 github_mirrors:1.0.1 github_mirrors:1.0.0 github_mirrors:0.9.1-rc github_mirrors:0.9.0-rc github_mirrors:0.8.0-rc

40 Commits
May_27_202 ... orianelou-

Author SHA1 Message Date
orianelou
b9723ba6ce Create docker-compose.yaml 
added compose for docker SWAG
 2024-08-05 12:06:37 +03:00
WrightNed
00e183b8c6 Merge pull request #169 from openappsec/Jul_31_2024-Dev 
Jul 31st update
 2024-08-01 18:10:44 +03:00
WrightNed
e859c167ed Merge pull request #167 from openappsec/orianelou-crds 
Orianelou crds
 2024-08-01 18:10:11 +03:00
Ned Wright
384b59cc87 Jul 31st update 2024-07-31 17:15:35 +00:00
orianelou
805e958cb9 Create open-appsec-crd-latest.yaml 2024-07-25 12:06:59 +03:00
orianelou
5bcd7cfcf1 Create open-appsec-crd-v1beta2.yaml 2024-07-25 12:05:57 +03:00
orianelou
ae6f2faeec Create open-appsec-crd-v1beta1.yaml 2024-07-25 12:04:22 +03:00
WrightNed
705a5e6061 Merge pull request #166 from openappsec/Jul_23_2024-Dev 
Jul 23rd update
 2024-07-24 16:01:45 +03:00
WrightNed
c33b74a970 Merge pull request #164 from chkp-omris/main 
update intelligence
 2024-07-24 15:54:58 +03:00
chkp-omris
2da9fbc385 update intelligence 2024-07-23 13:15:33 +00:00
Ned Wright
f58e9a6128 Jul 23rd update 2024-07-23 11:08:24 +00:00
WrightNed
57ea5c72c5 Merge pull request #156 from openappsec/Jul_04_2024-Dev 
Jul 4th update
 2024-07-07 08:47:38 +03:00
Ned Wright
962bd31d46 Jul 4th update 2024-07-04 14:10:34 +00:00
WrightNed
01770475ec Merge pull request #153 from openappsec/Jun_26_2024-Dev 
June 27th update
 2024-07-01 11:42:11 +03:00
Ned Wright
78b114a274 June 27th update 2024-06-27 12:05:38 +00:00
WrightNed
81b1aec487 Merge pull request #148 from openappsec/orianelou-new-policy-files 
Orianelou new policy files
 2024-06-19 16:18:41 +03:00
orianelou
be6591a670 Update local_policy.yaml 2024-06-17 13:49:48 +03:00
orianelou
663782009c Update local_policy.yaml 2024-06-17 13:49:18 +03:00
orianelou
9392bbb26c Update local_policy.yaml 2024-06-17 13:49:01 +03:00
orianelou
46682bcdce Update local_policy.yaml 2024-06-17 13:48:39 +03:00
orianelou
057bc42375 Update local_policy.yaml 2024-06-17 13:47:24 +03:00
orianelou
88e0ccd308 Rename open-appsec-k8s-default-config-v1beta21.yaml to open-appsec-k8s-default-config-v1beta1.yaml 2024-06-17 13:45:02 +03:00
orianelou
4241b9c574 Create open-appsec-k8s-prevent-config-v1beta2.yaml 2024-06-17 13:44:45 +03:00
orianelou
4af9f18ada Create open-appsec-k8s-default-config-v1beta2.yaml 2024-06-17 13:44:25 +03:00
orianelou
3b533608b1 Create open-appsec-k8s-prevent-config-v1beta1.yaml 2024-06-17 13:42:13 +03:00
orianelou
74bb3086ec Create open-appsec-k8s-default-config-v1beta21.yaml 2024-06-17 13:41:29 +03:00
orianelou
504d1415a5 Create local_policy.yaml 2024-06-17 13:39:40 +03:00
orianelou
18b1b63c42 Create local_policy.yaml 2024-06-17 13:38:31 +03:00
orianelou
ded2a5ffc2 Create local_policy.yaml 2024-06-17 13:36:23 +03:00
orianelou
1254bb37b2 Create local_policy.yaml 2024-06-17 13:34:35 +03:00
orianelou
cf16343caa Create open-appsec-k8s-prevent-config-v1beta2.yaml 2024-06-16 10:56:16 +03:00
orianelou
78c4209406 Rename config/k8s/v1beta2/default/open-appsec-k8s-default-config-v1beta2.yaml to config/k8s/v1beta2/open-appsec-k8s-default-config-v1beta2.yaml 2024-06-16 10:55:23 +03:00
orianelou
3c8672c565 Rename config/k8s/v1beta2/open-appsec-k8s-default-config-v1beta2.yaml to config/k8s/v1beta2/default/open-appsec-k8s-default-config-v1beta2.yaml 2024-06-16 10:54:05 +03:00
orianelou
48d6baed3b Rename config/linux/v1beta2/local_policy.yaml to config/linux/v1beta2/default/local_policy.yaml 2024-06-16 10:44:39 +03:00
orianelou
8770257a60 Create local_policy.yaml for linux prevent 2024-06-16 10:44:21 +03:00
Ned Wright
fd5d093b24 Add --no-upgrade option to docker 2024-06-03 14:19:41 +00:00
WrightNed
d6debf8d8d Merge pull request #141 from openappsec/May_27_2024-Dev 
May 27 2024 dev
 2024-06-02 10:15:10 +03:00
orianelou
307fd8897d Rename config/k8s/open-appsec-k8s-default-config-v1beta2.yaml to config/k8s/v1beta2/open-appsec-k8s-default-config-v1beta2.yaml 2024-05-21 15:24:55 +03:00
orianelou
afd2b4930b Create open-appsec-k8s-default-config-v1beta2.yaml 2024-05-21 15:24:33 +03:00
orianelou
1fb9a29223 Create local_policy.yaml 2024-05-21 15:22:54 +03:00
150 changed files with 107934 additions and 101582 deletions
Expand all files Collapse all files

18
attachments/nginx/nginx_attachment_util/nginx_attachment_util.cc
View File

@@ -155,6 +155,24 @@ getWaitingForVerdictThreadTimeout()
return conf_data.getNumericalValue("waiting_for_verdict_thread_timeout_msec"); return conf_data.getNumericalValue("waiting_for_verdict_thread_timeout_msec");
} }
unsigned int
getMinRetriesForVerdict()
{
return conf_data.getNumericalValue("min_retries_for_verdict");
}
unsigned int
getMaxRetriesForVerdict()
{
return conf_data.getNumericalValue("max_retries_for_verdict");
}
unsigned int
getReqBodySizeTrigger()
{
return conf_data.getNumericalValue("body_size_trigger");
}
int int
isIPAddress(c_str ip_str) isIPAddress(c_str ip_str)
{ {

8
attachments/nginx/nginx_attachment_util/nginx_attachment_util_ut/nginx_attachment_util_ut.cc
View File

@@ -63,7 +63,10 @@ TEST_F(HttpAttachmentUtilTest, GetValidAttachmentConfiguration)
"\"waiting_for_verdict_thread_timeout_msec\": 75,\n" "\"waiting_for_verdict_thread_timeout_msec\": 75,\n"
"\"req_header_thread_timeout_msec\": 10,\n" "\"req_header_thread_timeout_msec\": 10,\n"
"\"ip_ranges\": " + createIPRangesString(ip_ranges) + ",\n" "\"ip_ranges\": " + createIPRangesString(ip_ranges) + ",\n"
"\"static_resources_path\": \"" + static_resources_path + "\"" "\"static_resources_path\": \"" + static_resources_path + "\",\n"
"\"min_retries_for_verdict\": 1,\n"
"\"max_retries_for_verdict\": 3,\n"
"\"body_size_trigger\": 777\n"
"}\n"; "}\n";
ofstream valid_configuration_file(attachment_configuration_file_name); ofstream valid_configuration_file(attachment_configuration_file_name);
valid_configuration_file << valid_configuration; valid_configuration_file << valid_configuration;
@@ -87,6 +90,9 @@ TEST_F(HttpAttachmentUtilTest, GetValidAttachmentConfiguration)
EXPECT_EQ(getReqBodyThreadTimeout(), 155); EXPECT_EQ(getReqBodyThreadTimeout(), 155);
EXPECT_EQ(getResHeaderThreadTimeout(), 1); EXPECT_EQ(getResHeaderThreadTimeout(), 1);
EXPECT_EQ(getResBodyThreadTimeout(), 0); EXPECT_EQ(getResBodyThreadTimeout(), 0);
EXPECT_EQ(getMinRetriesForVerdict(), 1);
EXPECT_EQ(getMaxRetriesForVerdict(), 3);
EXPECT_EQ(getReqBodySizeTrigger(), 777);
EXPECT_EQ(getWaitingForVerdictThreadTimeout(), 75); EXPECT_EQ(getWaitingForVerdictThreadTimeout(), 75);
EXPECT_EQ(getInspectionMode(), ngx_http_inspection_mode::BLOCKING_THREAD); EXPECT_EQ(getInspectionMode(), ngx_http_inspection_mode::BLOCKING_THREAD);

6
build_system/docker/entry.sh
View File

@@ -11,6 +11,7 @@ var_fog_address=
var_proxy= var_proxy=
var_mode= var_mode=
var_token= var_token=
var_ignore=
init= init=
if [ ! -f /nano-service-installers/$ORCHESTRATION_INSTALLATION_SCRIPT ]; then if [ ! -f /nano-service-installers/$ORCHESTRATION_INSTALLATION_SCRIPT ]; then
@@ -33,6 +34,8 @@ while true; do
var_proxy="$1" var_proxy="$1"
elif [ "$1" == "--hybrid-mode" ] || [ "$1" == "--standalone" ]; then elif [ "$1" == "--hybrid-mode" ] || [ "$1" == "--standalone" ]; then
var_mode="--hybrid_mode" var_mode="--hybrid_mode"
elif [ "$1" == "--no-upgrade" ]; then
var_ignore="--ignore all"
elif [ "$1" == "--token" ]; then elif [ "$1" == "--token" ]; then
shift shift
var_token="$1" var_token="$1"
@@ -60,6 +63,9 @@ fi
if [ ! -z $var_mode ]; then if [ ! -z $var_mode ]; then
orchestration_service_installation_flags="$orchestration_service_installation_flags $var_mode" orchestration_service_installation_flags="$orchestration_service_installation_flags $var_mode"
fi fi
if [ ! -z "$var_ignore" ]; then
orchestration_service_installation_flags="$orchestration_service_installation_flags $var_ignore"
fi
/nano-service-installers/$ORCHESTRATION_INSTALLATION_SCRIPT --install $orchestration_service_installation_flags /nano-service-installers/$ORCHESTRATION_INSTALLATION_SCRIPT --install $orchestration_service_installation_flags

201327
build_system/docker/install-cp-agent-intelligence-service.sh
View File

File diff suppressed because one or more lines are too long

1
components/CMakeLists.txt
View File

@@ -4,7 +4,6 @@ add_subdirectory(signal_handler)
add_subdirectory(gradual_deployment) add_subdirectory(gradual_deployment)
add_subdirectory(packet) add_subdirectory(packet)
add_subdirectory(pending_key) add_subdirectory(pending_key)
add_subdirectory(health_check_manager)
add_subdirectory(utils) add_subdirectory(utils)
add_subdirectory(attachment-intakers) add_subdirectory(attachment-intakers)

26
components/attachment-intakers/nginx_attachment/nginx_attachment_config.cc
View File

@@ -42,6 +42,7 @@ HttpAttachmentConfig::init()
setNumOfNginxIpcElements(); setNumOfNginxIpcElements();
setDebugByContextValues(); setDebugByContextValues();
setKeepAliveIntervalMsec(); setKeepAliveIntervalMsec();
setRetriesForVerdict();
} }
bool bool
@@ -215,6 +216,31 @@ HttpAttachmentConfig::setFailOpenTimeout()
conf_data.setNumericalValue("nginx_inspection_mode", inspection_mode); conf_data.setNumericalValue("nginx_inspection_mode", inspection_mode);
} }
void
HttpAttachmentConfig::setRetriesForVerdict()
{
conf_data.setNumericalValue("min_retries_for_verdict", getAttachmentConf<uint>(
3,
"agent.minRetriesForVerdict.nginxModule",
"HTTP manager",
"Min retries for verdict"
));
conf_data.setNumericalValue("max_retries_for_verdict", getAttachmentConf<uint>(
15,
"agent.maxRetriesForVerdict.nginxModule",
"HTTP manager",
"Max retries for verdict"
));
conf_data.setNumericalValue("body_size_trigger", getAttachmentConf<uint>(
200000,
"agent.reqBodySizeTrigger.nginxModule",
"HTTP manager",
"Request body size trigger"
));
}
void void
HttpAttachmentConfig::setFailOpenWaitMode() HttpAttachmentConfig::setFailOpenWaitMode()
{ {

2
components/attachment-intakers/nginx_attachment/nginx_attachment_config.h
View File

@@ -70,6 +70,8 @@ private:
void setDebugByContextValues(); void setDebugByContextValues();
void setRetriesForVerdict();
WebTriggerConf web_trigger_conf; WebTriggerConf web_trigger_conf;
HttpAttachmentConfiguration conf_data; HttpAttachmentConfiguration conf_data;
}; };

8
components/health_check_manager/health_check_manager_ut/CMakeLists.txt
View File

@@ -1,8 +0,0 @@
include_directories(${CMAKE_SOURCE_DIR}/components/include)
link_directories(${BOOST_ROOT}/lib)
add_unit_test(
health_check_manager_ut
"health_check_manager_ut.cc"
"singleton;messaging;mainloop;health_check_manager;event_is;metric;-lboost_regex"
)

3
components/include/external_sdk_server.h
View File

@@ -24,7 +24,8 @@ class ExternalSdkServer
: :
public Component, public Component,
Singleton::Provide<I_ExternalSdkServer>, Singleton::Provide<I_ExternalSdkServer>,
Singleton::Consume<I_RestApi> Singleton::Consume<I_RestApi>,
Singleton::Consume<I_Messaging>
{ {
public: public:
ExternalSdkServer(); ExternalSdkServer();

2
components/include/i_details_resolver.h
View File

@@ -31,7 +31,7 @@ public:
virtual bool isReverseProxy() = 0; virtual bool isReverseProxy() = 0;
virtual bool isCloudStorageEnabled() = 0; virtual bool isCloudStorageEnabled() = 0;
virtual Maybe<std::tuple<std::string, std::string, std::string>> parseNginxMetadata() = 0; virtual Maybe<std::tuple<std::string, std::string, std::string>> parseNginxMetadata() = 0;
virtual Maybe<std::tuple<std::string, std::string, std::string>> readCloudMetadata() = 0; virtual Maybe<std::tuple<std::string, std::string, std::string, std::string, std::string>> readCloudMetadata() = 0;
virtual std::map<std::string, std::string> getResolvedDetails() = 0; virtual std::map<std::string, std::string> getResolvedDetails() = 0;
#if defined(gaia) || defined(smb) #if defined(gaia) || defined(smb)
virtual bool compareCheckpointVersion(int cp_version, std::function<bool(int, int)> compare_operator) const = 0; virtual bool compareCheckpointVersion(int cp_version, std::function<bool(int, int)> compare_operator) const = 0;

2
components/include/i_service_controller.h
View File

@@ -64,7 +64,7 @@ public:
const std::string &service_id const std::string &service_id
) = 0; ) = 0;
virtual std::map<std::string, PortNumber> getServiceToPortMap() = 0; virtual std::map<std::string, std::vector<PortNumber>> getServiceToPortMap() = 0;
protected: protected:
virtual ~I_ServiceController() {} virtual ~I_ServiceController() {}

29
components/include/report_messaging.h
View File

@@ -36,7 +36,6 @@ public:
title, title,
audience_team, audience_team,
obj, obj,
false,
MessageCategory::GENERIC, MessageCategory::GENERIC,
std::forward<Args>(args)... std::forward<Args>(args)...
) )
@@ -48,26 +47,6 @@ public:
const std::string &title, const std::string &title,
const ReportIS::AudienceTeam &audience_team, const ReportIS::AudienceTeam &audience_team,
const T &obj, const T &obj,
bool is_async_message,
Args ...args)
:
ReportMessaging(
title,
audience_team,
obj,
is_async_message,
MessageCategory::GENERIC,
std::forward<Args>(args)...
)
{
}
template <typename ...Args, typename T>
ReportMessaging(
const std::string &title,
const ReportIS::AudienceTeam &audience_team,
const T &obj,
bool is_async_message,
const MessageCategory &message_type, const MessageCategory &message_type,
Args ...args) Args ...args)
: :
@@ -77,7 +56,6 @@ public:
ReportIS::Severity::INFO, ReportIS::Severity::INFO,
ReportIS::Priority::LOW, ReportIS::Priority::LOW,
obj, obj,
is_async_message,
message_type, message_type,
std::forward<Args>(args)... std::forward<Args>(args)...
) )
@@ -99,7 +77,6 @@ public:
severity, severity,
priority, priority,
obj, obj,
false,
MessageCategory::GENERIC, MessageCategory::GENERIC,
std::forward<Args>(args)... std::forward<Args>(args)...
) )
@@ -114,7 +91,6 @@ public:
const ReportIS::Severity &severity, const ReportIS::Severity &severity,
const ReportIS::Priority &priority, const ReportIS::Priority &priority,
const T &obj, const T &obj,
bool _is_async_message,
const MessageCategory &message_type, const MessageCategory &message_type,
Args ...args) Args ...args)
: :
@@ -131,7 +107,6 @@ public:
std::chrono::seconds(0), std::chrono::seconds(0),
std::forward<Args>(args)... std::forward<Args>(args)...
), ),
is_async_message(_is_async_message),
message_type_tag(message_type) message_type_tag(message_type)
{ {
report << LogField("eventObject", obj); report << LogField("eventObject", obj);
@@ -141,11 +116,13 @@ public:
ReportMessaging & operator<<(const LogField &field); ReportMessaging & operator<<(const LogField &field);
Maybe<void, HTTPResponse> sendReportSynchronously();
void setForceBuffering(bool _force_buffering); void setForceBuffering(bool _force_buffering);
private: private:
Report report; Report report;
bool is_async_message; bool is_async_message = true;
bool force_buffering = false; bool force_buffering = false;
MessageCategory message_type_tag; MessageCategory message_type_tag;
}; };

20
components/report_messaging/report_messaging.cc
View File

@@ -24,6 +24,7 @@ static const string url = "/api/v1/agents/events";
ReportMessaging::~ReportMessaging() ReportMessaging::~ReportMessaging()
{ {
if (!Singleton::exists<I_Messaging>()) return; if (!Singleton::exists<I_Messaging>()) return;
if (!is_async_message) return;
LogRest log_rest(report); LogRest log_rest(report);
@@ -47,6 +48,25 @@ ReportMessaging::operator<<(const LogField &field)
return *this; return *this;
} }
class LogRestWithReply : public LogRest
{
public:
LogRestWithReply(const Report &report) : LogRest(report) {}
bool loadJson(const string &) const { return true; }
};
Maybe<void, HTTPResponse>
ReportMessaging::sendReportSynchronously()
{
is_async_message = false;
LogRestWithReply log_rest(report);
auto messaging = Singleton::Consume<I_Messaging>::by<ReportMessaging>();
return messaging->sendSyncMessage(HTTPMethod::POST, url, log_rest, message_type_tag);
}
void void
ReportMessaging::setForceBuffering(bool _force_buffering) ReportMessaging::setForceBuffering(bool _force_buffering)
{ {

45
components/report_messaging/report_messaging_ut/report_messaging_ut.cc
View File

@@ -103,7 +103,48 @@ TEST_F(ReportMessagingTest, title_only)
_ _
) )
).Times(1); ).Times(1);
ReportMessaging("test", ReportIS::AudienceTeam::AGENT_CORE, 1, true, ReportIS::Tags::ACCESS_CONTROL); ReportMessaging("test", ReportIS::AudienceTeam::AGENT_CORE, 1, ReportIS::Tags::ACCESS_CONTROL);
}
TEST_F(ReportMessagingTest, sync_sending)
{
EXPECT_CALL(
mock_messaging,
sendSyncMessage(
_,
_,
"{\n"
" \"log\": {\n"
" \"eventTime\": \"Best Time ever\",\n"
" \"eventName\": \"test\",\n"
" \"eventSeverity\": \"Info\",\n"
" \"eventPriority\": \"Low\",\n"
" \"eventType\": \"Event Driven\",\n"
" \"eventLevel\": \"Log\",\n"
" \"eventLogLevel\": \"info\",\n"
" \"eventAudience\": \"Internal\",\n"
" \"eventAudienceTeam\": \"Agent Core\",\n"
" \"eventFrequency\": 0,\n"
" \"eventTags\": [\n"
" \"Access Control\"\n"
" ],\n"
" \"eventSource\": {\n"
" \"eventTraceId\": \"\",\n"
" \"eventSpanId\": \"\",\n"
" \"issuingEngineVersion\": \"\",\n"
" \"serviceName\": \"Unnamed Nano Service\"\n"
" },\n"
" \"eventData\": {\n"
" \"eventObject\": 1\n"
" }\n"
" }\n"
"}",
_,
_
)
).WillOnce(Return(HTTPResponse(HTTPStatusCode::HTTP_OK, "response!!")));
ReportMessaging report("test", ReportIS::AudienceTeam::AGENT_CORE, 1, ReportIS::Tags::ACCESS_CONTROL);
EXPECT_TRUE(report.sendReportSynchronously().ok());
} }
TEST_F(ReportMessagingTest, with_buffering) TEST_F(ReportMessagingTest, with_buffering)
@@ -144,7 +185,7 @@ TEST_F(ReportMessagingTest, with_buffering)
true true
) )
).Times(1); ).Times(1);
ReportMessaging report("test", ReportIS::AudienceTeam::AGENT_CORE, 1, true, ReportIS::Tags::ACCESS_CONTROL); ReportMessaging report("test", ReportIS::AudienceTeam::AGENT_CORE, 1, ReportIS::Tags::ACCESS_CONTROL);
report.setForceBuffering(true); report.setForceBuffering(true);
} }

20
components/security_apps/http_geo_filter/http_geo_filter.cc
View File

@@ -361,19 +361,10 @@ private:
<< ", source ip address: " << ", source ip address: "
<< source; << source;
unordered_map<string, set<string>> exception_value_source_ip = {{"sourceIP", {source}}};
auto matched_behavior_maybe = getBehaviorsVerdict(exception_value_source_ip, geo_location_data);
if (matched_behavior_maybe.ok()) {
curr_matched_behavior = matched_behavior_maybe.unpack();
verdict = curr_matched_behavior.first;
dbgDebug(D_GEO_FILTER) << "found sourceIP exception, return verdict";
break;
}
unordered_map<string, set<string>> exception_value_country_code = { unordered_map<string, set<string>> exception_value_country_code = {
{"countryCode", {country_code}} {"countryCode", {country_code}}
}; };
matched_behavior_maybe = getBehaviorsVerdict(exception_value_country_code, geo_location_data); auto matched_behavior_maybe = getBehaviorsVerdict(exception_value_country_code, geo_location_data);
if (matched_behavior_maybe.ok()) { if (matched_behavior_maybe.ok()) {
curr_matched_behavior = matched_behavior_maybe.unpack(); curr_matched_behavior = matched_behavior_maybe.unpack();
verdict = curr_matched_behavior.first; verdict = curr_matched_behavior.first;
@@ -430,8 +421,11 @@ private:
ReportIS::Tags::HTTP_GEO_FILTER ReportIS::Tags::HTTP_GEO_FILTER
); );
auto env = Singleton::Consume<I_Environment>::by<HttpGeoFilter>(); auto env = Singleton::Consume<I_Environment>::by<HttpGeoFilter>();
auto source_ip = env->get<string>(HttpTransactionData::client_ip_ctx); auto source_ip = env->get<IPAddr>(HttpTransactionData::client_ip_ctx);
if (source_ip.ok()) log << LogField("sourceIP", source_ip.unpack()); if (source_ip.ok()) log << LogField("sourceIP", convertIpAddrToString(source_ip.unpack()));
auto source_identifier = env->get<string>(HttpTransactionData::source_identifier);
if (source_identifier.ok()) log << LogField("httpSourceId", source_identifier.unpack());
auto source_port = env->get<string>(HttpTransactionData::client_port_ctx); auto source_port = env->get<string>(HttpTransactionData::client_port_ctx);
if (source_port.ok()) log << LogField("sourcePort", source_port.unpack()); if (source_port.ok()) log << LogField("sourcePort", source_port.unpack());
@@ -445,7 +439,7 @@ private:
log << LogField("securityAction", is_prevent ? "Prevent" : "Detect"); log << LogField("securityAction", is_prevent ? "Prevent" : "Detect");
if (is_default_action) log << LogField("isDefaultSecurityAction", true); if (is_default_action) log << LogField("isDefaultSecurityAction", true);
auto xff = env->get<std::string>(HttpTransactionData::xff_vals_ctx); auto xff = env->get<string>(HttpTransactionData::xff_vals_ctx);
if (xff.ok()) log << LogField("proxyIP", xff.unpack()); if (xff.ok()) log << LogField("proxyIP", xff.unpack());
log log

2
components/security_apps/local_policy_mgmt_gen/include/ingress_data.h
View File

@@ -79,6 +79,7 @@ class DefaultBackend
{ {
public: public:
void load(cereal::JSONInputArchive &); void load(cereal::JSONInputArchive &);
bool doesExist() const;
private: private:
bool is_exists = false; bool is_exists = false;
@@ -90,6 +91,7 @@ public:
void load(cereal::JSONInputArchive &archive_in); void load(cereal::JSONInputArchive &archive_in);
const std::vector<IngressDefinedRule> & getRules() const; const std::vector<IngressDefinedRule> & getRules() const;
bool doesDefaultBackendExist() const;
private: private:
std::string ingress_class_name; std::string ingress_class_name;

4
components/security_apps/local_policy_mgmt_gen/include/new_log_trigger.h
View File

@@ -129,7 +129,7 @@ public:
bool shouldBeautifyLogs() const; bool shouldBeautifyLogs() const;
bool getCloud() const; bool getCloud() const;
bool isK8SNeeded() const; bool isContainerNeeded() const;
bool isCefNeeded() const; bool isCefNeeded() const;
bool isSyslogNeeded() const; bool isSyslogNeeded() const;
const std::string & getSyslogServerIpv4Address() const; const std::string & getSyslogServerIpv4Address() const;
@@ -140,7 +140,7 @@ private:
const NewLoggingService & getCefServiceData() const; const NewLoggingService & getCefServiceData() const;
bool cloud = false; bool cloud = false;
bool k8s_service = false; bool container_service = false;
bool agent_local = true; bool agent_local = true;
bool beautify_logs = true; bool beautify_logs = true;
NewLoggingService syslog_service; NewLoggingService syslog_service;

2
components/security_apps/local_policy_mgmt_gen/include/policy_maker_utils.h
View File

@@ -111,7 +111,7 @@ private:
SecurityAppsWrapper security_apps; SecurityAppsWrapper security_apps;
}; };
class PolicyMakerUtils class PolicyMakerUtils : Singleton::Consume<I_EnvDetails>
{ {
public: public:
std::string proccesSingleAppsecPolicy( std::string proccesSingleAppsecPolicy(

8
components/security_apps/local_policy_mgmt_gen/include/triggers_section.h
View File

@@ -39,7 +39,7 @@ public:
bool _logToAgent, bool _logToAgent,
bool _logToCef, bool _logToCef,
bool _logToCloud, bool _logToCloud,
bool _logToK8sService, bool _logToContainerService,
bool _logToSyslog, bool _logToSyslog,
bool _responseBody, bool _responseBody,
bool _tpDetect, bool _tpDetect,
@@ -73,7 +73,7 @@ private:
bool logToAgent; bool logToAgent;
bool logToCef; bool logToCef;
bool logToCloud; bool logToCloud;
bool logToK8sService; bool logToContainerService;
bool logToSyslog; bool logToSyslog;
bool responseBody; bool responseBody;
bool tpDetect; bool tpDetect;
@@ -258,7 +258,7 @@ public:
bool shouldBeautifyLogs() const; bool shouldBeautifyLogs() const;
bool getCloud() const; bool getCloud() const;
bool isK8SNeeded() const; bool isContainerNeeded() const;
bool isCefNeeded() const; bool isCefNeeded() const;
bool isSyslogNeeded() const; bool isSyslogNeeded() const;
const std::string & getSyslogServerIpv4Address() const; const std::string & getSyslogServerIpv4Address() const;
@@ -269,7 +269,7 @@ private:
const LoggingService & getCefServiceData() const; const LoggingService & getCefServiceData() const;
bool cloud = false; bool cloud = false;
bool k8s_service = false; bool container_service = false;
bool agent_local = true; bool agent_local = true;
bool beautify_logs = true; bool beautify_logs = true;
LoggingService syslog_service; LoggingService syslog_service;

12
components/security_apps/local_policy_mgmt_gen/ingress_data.cc
View File

@@ -86,6 +86,12 @@ DefaultBackend::load(cereal::JSONInputArchive &)
is_exists = true; is_exists = true;
} }
bool
DefaultBackend::doesExist() const
{
return is_exists;
}
void void
IngressSpec::load(cereal::JSONInputArchive &archive_in) IngressSpec::load(cereal::JSONInputArchive &archive_in)
{ {
@@ -101,6 +107,12 @@ IngressSpec::getRules() const
return rules; return rules;
} }
bool
IngressSpec::doesDefaultBackendExist() const
{
return default_backend.doesExist();
}
void void
SingleIngressData::load(cereal::JSONInputArchive &archive_in) SingleIngressData::load(cereal::JSONInputArchive &archive_in)
{ {

14
components/security_apps/local_policy_mgmt_gen/k8s_policy_utils.cc
View File

@@ -532,6 +532,16 @@ K8sPolicyUtils::createPolicy(
map<AnnotationKeys, string> &annotations_values, map<AnnotationKeys, string> &annotations_values,
const SingleIngressData &item) const const SingleIngressData &item) const
{ {
if (policies.find(annotations_values[AnnotationKeys::PolicyKey]) == policies.end()) {
policies[annotations_values[AnnotationKeys::PolicyKey]] = appsec_policy;
}
if (item.getSpec().doesDefaultBackendExist()) {
dbgTrace(D_LOCAL_POLICY)
<< "Inserting Any host rule to the specific asset set";
K ingress_rule = K("*");
policies[annotations_values[AnnotationKeys::PolicyKey]].addSpecificRule(ingress_rule);
}
for (const IngressDefinedRule &rule : item.getSpec().getRules()) { for (const IngressDefinedRule &rule : item.getSpec().getRules()) {
string url = rule.getHost(); string url = rule.getHost();
for (const IngressRulePath &uri : rule.getPathsWrapper().getRulePaths()) { for (const IngressRulePath &uri : rule.getPathsWrapper().getRulePaths()) {
@@ -544,14 +554,12 @@ K8sPolicyUtils::createPolicy(
<< uri.getPath() << uri.getPath()
<< "'"; << "'";
K ingress_rule = K(url + uri.getPath()); K ingress_rule = K(url + uri.getPath());
appsec_policy.addSpecificRule(ingress_rule); policies[annotations_values[AnnotationKeys::PolicyKey]].addSpecificRule(ingress_rule);
} }
} }
} }
policies[annotations_values[AnnotationKeys::PolicyKey]] = appsec_policy;
} }
std::tuple<map<string, AppsecLinuxPolicy>, map<string, V1beta2AppsecLinuxPolicy>> std::tuple<map<string, AppsecLinuxPolicy>, map<string, V1beta2AppsecLinuxPolicy>>
K8sPolicyUtils::createAppsecPoliciesFromIngresses() K8sPolicyUtils::createAppsecPoliciesFromIngresses()
{ {

1
components/security_apps/local_policy_mgmt_gen/new_appsec_policy_crd_parser.cc
View File

@@ -126,6 +126,7 @@ NewAppsecPolicySpec::load(cereal::JSONInputArchive &archive_in)
dbgTrace(D_LOCAL_POLICY) << "Loading AppSec policy spec"; dbgTrace(D_LOCAL_POLICY) << "Loading AppSec policy spec";
parseAppsecJSONKey<string>("appsecClassName", appsec_class_name, archive_in); parseAppsecJSONKey<string>("appsecClassName", appsec_class_name, archive_in);
parseAppsecJSONKey<NewParsedRule>("default", default_rule, archive_in); parseAppsecJSONKey<NewParsedRule>("default", default_rule, archive_in);
default_rule.setHost("*");
parseAppsecJSONKey<vector<NewParsedRule>>("specificRules", specific_rules, archive_in); parseAppsecJSONKey<vector<NewParsedRule>>("specificRules", specific_rules, archive_in);
} }

8
components/security_apps/local_policy_mgmt_gen/new_log_trigger.cc
View File

@@ -183,7 +183,9 @@ NewAppsecTriggerLogDestination::load(cereal::JSONInputArchive &archive_in)
auto mode = Singleton::Consume<I_AgentDetails>::by<NewAppsecTriggerLogDestination>()->getOrchestrationMode(); auto mode = Singleton::Consume<I_AgentDetails>::by<NewAppsecTriggerLogDestination>()->getOrchestrationMode();
auto env_type = Singleton::Consume<I_EnvDetails>::by<NewAppsecTriggerLogDestination>()->getEnvType(); auto env_type = Singleton::Consume<I_EnvDetails>::by<NewAppsecTriggerLogDestination>()->getEnvType();
bool k8s_service_default = (mode == OrchestrationMode::HYBRID && env_type == EnvType::K8S); bool k8s_service_default = (mode == OrchestrationMode::HYBRID && env_type == EnvType::K8S);
parseAppsecJSONKey<bool>("k8s-service", k8s_service, archive_in, k8s_service_default); // BC try load previous name. TODO: update CRD
parseAppsecJSONKey<bool>("k8s-service", container_service, archive_in, k8s_service_default);
parseAppsecJSONKey<bool>("container-service", container_service, archive_in, container_service);
NewStdoutLogging stdout_log; NewStdoutLogging stdout_log;
parseAppsecJSONKey<NewStdoutLogging>("stdout", stdout_log, archive_in); parseAppsecJSONKey<NewStdoutLogging>("stdout", stdout_log, archive_in);
@@ -224,9 +226,9 @@ NewAppsecTriggerLogDestination::getCloud() const
} }
bool bool
NewAppsecTriggerLogDestination::isK8SNeeded() const NewAppsecTriggerLogDestination::isContainerNeeded() const
{ {
return k8s_service; return container_service;
} }
bool bool

20
components/security_apps/local_policy_mgmt_gen/policy_maker_utils.cc
View File

@@ -538,7 +538,7 @@ extractLogTriggerData(const string &trigger_annotation_name, const T &trigger_sp
bool webHeaders = trigger_spec.getAppsecTriggerExtendedLogging().isHttpHeaders(); bool webHeaders = trigger_spec.getAppsecTriggerExtendedLogging().isHttpHeaders();
bool webBody = trigger_spec.getAppsecTriggerExtendedLogging().isRequestBody(); bool webBody = trigger_spec.getAppsecTriggerExtendedLogging().isRequestBody();
bool logToCloud = trigger_spec.getAppsecTriggerLogDestination().getCloud(); bool logToCloud = trigger_spec.getAppsecTriggerLogDestination().getCloud();
bool logToK8sService = trigger_spec.getAppsecTriggerLogDestination().isK8SNeeded(); bool logToContainerService = trigger_spec.getAppsecTriggerLogDestination().isContainerNeeded();
bool logToAgent = trigger_spec.getAppsecTriggerLogDestination().isAgentLocal(); bool logToAgent = trigger_spec.getAppsecTriggerLogDestination().isAgentLocal();
bool beautify_logs = trigger_spec.getAppsecTriggerLogDestination().shouldBeautifyLogs(); bool beautify_logs = trigger_spec.getAppsecTriggerLogDestination().shouldBeautifyLogs();
bool logToCef = trigger_spec.getAppsecTriggerLogDestination().isCefNeeded(); bool logToCef = trigger_spec.getAppsecTriggerLogDestination().isCefNeeded();
@@ -565,7 +565,7 @@ extractLogTriggerData(const string &trigger_annotation_name, const T &trigger_sp
logToAgent, logToAgent,
logToCef, logToCef,
logToCloud, logToCloud,
logToK8sService, logToContainerService,
logToSyslog, logToSyslog,
responseBody, responseBody,
tpDetect, tpDetect,
@@ -1636,7 +1636,9 @@ PolicyMakerUtils::createAgentPolicyFromAppsecPolicy(const string &policy_name, c
createPolicyElements<T, R>(specific_rules, default_rule, appsec_policy, policy_name); createPolicyElements<T, R>(specific_rules, default_rule, appsec_policy, policy_name);
// add default rule to policy // add default rule to policy
createPolicyElementsByRule<T, R>(default_rule, default_rule, appsec_policy, policy_name); if (Singleton::Consume<I_EnvDetails>::by<PolicyMakerUtils>()->getEnvType() != EnvType::K8S) {
createPolicyElementsByRule<T, R>(default_rule, default_rule, appsec_policy, policy_name);
}
} }
// LCOV_EXCL_START Reason: no test exist // LCOV_EXCL_START Reason: no test exist
@@ -1659,11 +1661,13 @@ PolicyMakerUtils::createAgentPolicyFromAppsecPolicy<V1beta2AppsecLinuxPolicy, Ne
); );
// add default rule to policy // add default rule to policy
createPolicyElementsByRule<V1beta2AppsecLinuxPolicy, NewParsedRule>( if (Singleton::Consume<I_EnvDetails>::by<PolicyMakerUtils>()->getEnvType() != EnvType::K8S) {
default_rule, createPolicyElementsByRule<V1beta2AppsecLinuxPolicy, NewParsedRule>(
default_rule, default_rule,
appsec_policy, default_rule,
policy_name); appsec_policy,
policy_name);
}
} }
// LCOV_EXCL_STOP // LCOV_EXCL_STOP

18
components/security_apps/local_policy_mgmt_gen/triggers_section.cc
View File

@@ -30,7 +30,7 @@ LogTriggerSection::LogTriggerSection(
bool _logToAgent, bool _logToAgent,
bool _logToCef, bool _logToCef,
bool _logToCloud, bool _logToCloud,
bool _logToK8sService, bool _logToContainerService,
bool _logToSyslog, bool _logToSyslog,
bool _responseBody, bool _responseBody,
bool _tpDetect, bool _tpDetect,
@@ -55,7 +55,7 @@ LogTriggerSection::LogTriggerSection(
logToAgent(_logToAgent), logToAgent(_logToAgent),
logToCef(_logToCef), logToCef(_logToCef),
logToCloud(_logToCloud), logToCloud(_logToCloud),
logToK8sService(_logToK8sService), logToContainerService(_logToContainerService),
logToSyslog(_logToSyslog), logToSyslog(_logToSyslog),
responseBody(_responseBody), responseBody(_responseBody),
tpDetect(_tpDetect), tpDetect(_tpDetect),
@@ -96,12 +96,12 @@ LogTriggerSection::save(cereal::JSONOutputArchive &out_ar) const
cereal::make_nvp("acDrop", acDrop), cereal::make_nvp("acDrop", acDrop),
cereal::make_nvp("complianceViolations", false), cereal::make_nvp("complianceViolations", false),
cereal::make_nvp("complianceWarnings", false), cereal::make_nvp("complianceWarnings", false),
cereal::make_nvp("extendloggingMinSeverity", extendloggingMinSeverity), cereal::make_nvp("extendLoggingMinSeverity", extendloggingMinSeverity),
cereal::make_nvp("extendlogging", extendlogging), cereal::make_nvp("extendLogging", extendlogging),
cereal::make_nvp("logToAgent", logToAgent), cereal::make_nvp("logToAgent", logToAgent),
cereal::make_nvp("logToCef", logToCef), cereal::make_nvp("logToCef", logToCef),
cereal::make_nvp("logToCloud", logToCloud), cereal::make_nvp("logToCloud", logToCloud),
cereal::make_nvp("logToK8sService", logToK8sService), cereal::make_nvp("logToContainerService", logToContainerService),
cereal::make_nvp("logToSyslog", logToSyslog), cereal::make_nvp("logToSyslog", logToSyslog),
cereal::make_nvp("responseBody", responseBody), cereal::make_nvp("responseBody", responseBody),
cereal::make_nvp("responseCode", false), cereal::make_nvp("responseCode", false),
@@ -396,7 +396,9 @@ AppsecTriggerLogDestination::load(cereal::JSONInputArchive &archive_in)
auto mode = Singleton::Consume<I_AgentDetails>::by<AppsecTriggerLogDestination>()->getOrchestrationMode(); auto mode = Singleton::Consume<I_AgentDetails>::by<AppsecTriggerLogDestination>()->getOrchestrationMode();
auto env_type = Singleton::Consume<I_EnvDetails>::by<AppsecTriggerLogDestination>()->getEnvType(); auto env_type = Singleton::Consume<I_EnvDetails>::by<AppsecTriggerLogDestination>()->getEnvType();
bool k8s_service_default = (mode == OrchestrationMode::HYBRID && env_type == EnvType::K8S); bool k8s_service_default = (mode == OrchestrationMode::HYBRID && env_type == EnvType::K8S);
parseAppsecJSONKey<bool>("k8s-service", k8s_service, archive_in, k8s_service_default); // BC try load previous name. TODO: update CRD
parseAppsecJSONKey<bool>("k8s-service", container_service, archive_in, k8s_service_default);
parseAppsecJSONKey<bool>("container-service", container_service, archive_in, container_service);
StdoutLogging stdout_log; StdoutLogging stdout_log;
parseAppsecJSONKey<StdoutLogging>("stdout", stdout_log, archive_in); parseAppsecJSONKey<StdoutLogging>("stdout", stdout_log, archive_in);
@@ -437,9 +439,9 @@ AppsecTriggerLogDestination::getCloud() const
} }
bool bool
AppsecTriggerLogDestination::isK8SNeeded() const AppsecTriggerLogDestination::isContainerNeeded() const
{ {
return k8s_service; return container_service;
} }
bool bool

3
components/security_apps/orchestration/CMakeLists.txt
View File

@@ -12,6 +12,9 @@ add_subdirectory(manifest_controller)
add_subdirectory(update_communication) add_subdirectory(update_communication)
add_subdirectory(details_resolver) add_subdirectory(details_resolver)
add_subdirectory(health_check) add_subdirectory(health_check)
add_subdirectory(health_check_manager)
add_subdirectory(updates_process_reporter)
add_subdirectory(env_details) add_subdirectory(env_details)
add_subdirectory(external_sdk_server)
#add_subdirectory(orchestration_ut) #add_subdirectory(orchestration_ut)

29
components/security_apps/orchestration/details_resolver/details_resolver.cc
View File

@@ -45,7 +45,7 @@ public:
bool isVersionAboveR8110() override; bool isVersionAboveR8110() override;
bool isReverseProxy() override; bool isReverseProxy() override;
bool isCloudStorageEnabled() override; bool isCloudStorageEnabled() override;
Maybe<tuple<string, string, string>> readCloudMetadata() override; Maybe<tuple<string, string, string, string, string>> readCloudMetadata() override;
Maybe<tuple<string, string, string>> parseNginxMetadata() override; Maybe<tuple<string, string, string>> parseNginxMetadata() override;
#if defined(gaia) || defined(smb) #if defined(gaia) || defined(smb)
bool compareCheckpointVersion(int cp_version, std::function<bool(int, int)> compare_operator) const override; bool compareCheckpointVersion(int cp_version, std::function<bool(int, int)> compare_operator) const override;
@@ -142,7 +142,7 @@ DetailsResolver::Impl::isCloudStorageEnabled()
{ {
auto cloud_storage_mode_override = getProfileAgentSetting<bool>("agent.cloudStorage.enabled"); auto cloud_storage_mode_override = getProfileAgentSetting<bool>("agent.cloudStorage.enabled");
if (cloud_storage_mode_override.ok()) { if (cloud_storage_mode_override.ok()) {
dbgInfo(D_ORCHESTRATOR) << "Received cloud-storage mode override: " << *cloud_storage_mode_override; dbgDebug(D_ORCHESTRATOR) << "Received cloud-storage mode override: " << *cloud_storage_mode_override;
return *cloud_storage_mode_override; return *cloud_storage_mode_override;
} }
@@ -152,6 +152,7 @@ DetailsResolver::Impl::isCloudStorageEnabled()
bool bool
DetailsResolver::Impl::isKernelVersion3OrHigher() DetailsResolver::Impl::isKernelVersion3OrHigher()
{ {
#if defined(gaia) || defined(smb)
static const string cmd = static const string cmd =
"clish -c 'show version os kernel' | awk '{print $4}' " "clish -c 'show version os kernel' | awk '{print $4}' "
"| cut -d '.' -f 1 | awk -F: '{ if ( $1 >= 3 ) {print 1} else {print 0}}'"; "| cut -d '.' -f 1 | awk -F: '{ if ( $1 >= 3 ) {print 1} else {print 0}}'";
@@ -160,12 +161,14 @@ DetailsResolver::Impl::isKernelVersion3OrHigher()
if (is_gogo.ok() && !is_gogo.unpack().empty()) { if (is_gogo.ok() && !is_gogo.unpack().empty()) {
return is_gogo.unpack().front() == '1'; return is_gogo.unpack().front() == '1';
} }
#endif
return false; return false;
} }
bool bool
DetailsResolver::Impl::isGwNotVsx() DetailsResolver::Impl::isGwNotVsx()
{ {
#if defined(gaia) || defined(smb)
static const string is_gw_cmd = "cpprod_util FwIsFirewallModule"; static const string is_gw_cmd = "cpprod_util FwIsFirewallModule";
static const string is_vsx_cmd = "cpprod_util FWisVSX"; static const string is_vsx_cmd = "cpprod_util FWisVSX";
auto is_gw = DetailsResolvingHanlder::getCommandOutput(is_gw_cmd); auto is_gw = DetailsResolvingHanlder::getCommandOutput(is_gw_cmd);
@@ -173,6 +176,7 @@ DetailsResolver::Impl::isGwNotVsx()
if (is_gw.ok() && is_vsx.ok() && !is_gw.unpack().empty() && !is_vsx.unpack().empty()) { if (is_gw.ok() && is_vsx.ok() && !is_gw.unpack().empty() && !is_vsx.unpack().empty()) {
return is_gw.unpack().front() == '1' && is_vsx.unpack().front() == '0'; return is_gw.unpack().front() == '1' && is_vsx.unpack().front() == '0';
} }
#endif
return false; return false;
} }
@@ -300,19 +304,26 @@ DetailsResolver::Impl::parseNginxMetadata()
return make_tuple(config_opt, cc_opt, nginx_version); return make_tuple(config_opt, cc_opt, nginx_version);
} }
Maybe<tuple<string, string, string>> Maybe<tuple<string, string, string, string, string>>
DetailsResolver::Impl::readCloudMetadata() DetailsResolver::Impl::readCloudMetadata()
{ {
auto env_read_cloud_metadata = []() -> Maybe<tuple<string, string, string>> { auto env_read_cloud_metadata = []() -> Maybe<tuple<string, string, string, string, string>> {
string account_id = getenv("CLOUD_ACCOUNT_ID") ? getenv("CLOUD_ACCOUNT_ID") : ""; string account_id = getenv("CLOUD_ACCOUNT_ID") ? getenv("CLOUD_ACCOUNT_ID") : "";
string vpc_id = getenv("CLOUD_VPC_ID") ? getenv("CLOUD_VPC_ID") : ""; string vpc_id = getenv("CLOUD_VPC_ID") ? getenv("CLOUD_VPC_ID") : "";
string instance_id = getenv("CLOUD_INSTANCE_ID") ? getenv("CLOUD_INSTANCE_ID") : ""; string instance_id = getenv("CLOUD_INSTANCE_ID") ? getenv("CLOUD_INSTANCE_ID") : "";
string instance_local_ip = getenv("CLOUD_INSTANCE_LOCAL_IP") ? getenv("CLOUD_INSTANCE_LOCAL_IP") : "";
string region = getenv("CLOUD_REGION") ? getenv("CLOUD_REGION") : "";
if (account_id.empty() || vpc_id.empty() || instance_id.empty()) { if (
account_id.empty() ||
vpc_id.empty() ||
instance_id.empty() ||
instance_local_ip.empty() ||
region.empty()) {
return genError("Could not read cloud metadata"); return genError("Could not read cloud metadata");
} }
return make_tuple(account_id, vpc_id, instance_id); return make_tuple(account_id, vpc_id, instance_id, instance_local_ip, region);
}; };
auto cloud_metadata = env_read_cloud_metadata(); auto cloud_metadata = env_read_cloud_metadata();
@@ -347,9 +358,11 @@ DetailsResolver::Impl::readCloudMetadata()
<< "Successfully fetched cloud metadata: " << "Successfully fetched cloud metadata: "
<< ::get<0>(cloud_metadata.unpack()) << ", " << ::get<0>(cloud_metadata.unpack()) << ", "
<< ::get<1>(cloud_metadata.unpack()) << ", " << ::get<1>(cloud_metadata.unpack()) << ", "
<< ::get<2>(cloud_metadata.unpack()); << ::get<2>(cloud_metadata.unpack()) << ", "
<< ::get<3>(cloud_metadata.unpack()) << ", "
<< ::get<4>(cloud_metadata.unpack());
return cloud_metadata.unpack(); return cloud_metadata;
} }
DetailsResolver::DetailsResolver() : Component("DetailsResolver"), pimpl(make_unique<Impl>()) {} DetailsResolver::DetailsResolver() : Component("DetailsResolver"), pimpl(make_unique<Impl>()) {}

33
components/security_apps/orchestration/details_resolver/details_resolver_handlers/checkpoint_product_handlers.h
View File

@@ -24,14 +24,16 @@
Maybe<string> Maybe<string>
checkSAMLSupportedBlade(const string &command_output) checkSAMLSupportedBlade(const string &command_output)
{ {
string supportedBlades[3] = {"identityServer", "vpn", "cvpn"}; // uncomment when vpn will support SAML authentication
// string supportedBlades[3] = {"identityServer", "vpn", "cvpn"};
string supportedBlades[1] = {"identityServer"};
for(const string &blade : supportedBlades) { for(const string &blade : supportedBlades) {
if (command_output.find(blade) != string::npos) { if (command_output.find(blade) != string::npos) {
return string("true"); return string("true");
} }
} }
return genError("Current host does not have SAML capability"); return string("false");
} }
Maybe<string> Maybe<string>
@@ -42,7 +44,7 @@ checkIDABlade(const string &command_output)
return string("true"); return string("true");
} }
return genError("Current host does not have IDA installed"); return string("false");
} }
Maybe<string> Maybe<string>
@@ -52,33 +54,26 @@ checkSAMLPortal(const string &command_output)
return string("true"); return string("true");
} }
return genError("Current host does not have SAML Portal configured"); return string("false");
} }
Maybe<string> Maybe<string>
checkPepIdaIdnStatus(const string &command_output) checkPepIdaIdnStatus(const string &command_output)
{ {
if (command_output.find("ida_idn_nano_service_enabled=1") != string::npos) { if (command_output.find("nac_pep_scaled_sharing_enabled = 1") != string::npos) {
return string("true"); return string("true");
} }
return string("false");
return genError("Current host does not have PEP control IDA IDN enabled");
}
Maybe<string>
checkAgentIntelligence(const string &command_output)
{
if (command_output.find("is registered") != string::npos) {
return string("true");
}
return genError("Current host does not have agent intelligence installed");
} }
Maybe<string> Maybe<string>
getIDAGaiaPackages(const string &command_output) getIDAGaiaPackages(const string &command_output)
{ {
return string("idaSaml_gaia;idaIdn_gaia;idaIdnBg_gaia;"); string result = "idaSaml_gaia;idaIdn_gaia;idaIdnBg_gaia;";
if (command_output.find("nac_pep_scaled_sharing_enabled = 1") != string::npos) {
result += "agentIntelligenceService_gaia;";
}
return result;
} }
Maybe<string> Maybe<string>
@@ -94,7 +89,7 @@ checkIDP(shared_ptr<istream> file_stream)
} }
} }
return genError("Identity Provider was not found"); return string("false");
} }
#endif // gaia #endif // gaia

13
components/security_apps/orchestration/details_resolver/details_resolver_handlers/details_resolver_impl.h
View File

@@ -49,6 +49,9 @@ SHELL_CMD_HANDLER("prerequisitesForHorizonTelemetry",
SHELL_CMD_HANDLER("QUID", "[ -d /opt/CPquid ] " SHELL_CMD_HANDLER("QUID", "[ -d /opt/CPquid ] "
"&& python3 /opt/CPquid/Quid_Api.py -i /opt/CPotelcol/quid_api/get_global_id.json | jq -r .message || echo ''", "&& python3 /opt/CPquid/Quid_Api.py -i /opt/CPotelcol/quid_api/get_global_id.json | jq -r .message || echo ''",
getQUID) getQUID)
SHELL_CMD_HANDLER("SMO_QUID", "[ -d /opt/CPquid ] "
"&& python3 /opt/CPquid/Quid_Api.py -i /opt/CPotelcol/quid_api/get_smo_quid.json | jq -r .message || echo ''",
getQUID)
SHELL_CMD_HANDLER("hasSDWan", "[ -f $FWDIR/bin/sdwan_steering ] && echo '1' || echo '0'", checkHasSDWan) SHELL_CMD_HANDLER("hasSDWan", "[ -f $FWDIR/bin/sdwan_steering ] && echo '1' || echo '0'", checkHasSDWan)
SHELL_CMD_HANDLER( SHELL_CMD_HANDLER(
"canUpdateSDWanData", "canUpdateSDWanData",
@@ -99,14 +102,8 @@ SHELL_CMD_HANDLER(
SHELL_CMD_HANDLER("hasSAMLSupportedBlade", "enabled_blades", checkSAMLSupportedBlade) SHELL_CMD_HANDLER("hasSAMLSupportedBlade", "enabled_blades", checkSAMLSupportedBlade)
SHELL_CMD_HANDLER("hasIDABlade", "enabled_blades", checkIDABlade) SHELL_CMD_HANDLER("hasIDABlade", "enabled_blades", checkIDABlade)
SHELL_CMD_HANDLER("hasSAMLPortal", "mpclient status nac", checkSAMLPortal) SHELL_CMD_HANDLER("hasSAMLPortal", "mpclient status nac", checkSAMLPortal)
SHELL_CMD_HANDLER( SHELL_CMD_HANDLER("hasIdaIdnEnabled", "fw ctl get int nac_pep_scaled_sharing_enabled", checkPepIdaIdnStatus)
"hasAgentIntelligenceInstalled", SHELL_CMD_HANDLER("requiredNanoServices", "fw ctl get int nac_pep_scaled_sharing_enabled", getIDAGaiaPackages)
"<FILESYSTEM-PREFIX>/watchdog/cp-nano-watchdog "
"--status --service <FILESYSTEM-PREFIX>/agentIntelligence/cp-nano-agent-intelligence-service",
checkAgentIntelligence
)
SHELL_CMD_HANDLER("hasIdaIdnEnabled", "pep control IDN_nano_Srv_support status", checkPepIdaIdnStatus)
SHELL_CMD_HANDLER("requiredNanoServices", "ida_packages", getIDAGaiaPackages)
SHELL_CMD_HANDLER( SHELL_CMD_HANDLER(
"cpProductIntegrationMgmtParentObjectName", "cpProductIntegrationMgmtParentObjectName",
"cat $FWDIR/database/myself_objects.C " "cat $FWDIR/database/myself_objects.C "

14
components/security_apps/orchestration/details_resolver/details_resolving_handler.cc
View File

@@ -99,6 +99,7 @@ map<string, string>
DetailsResolvingHanlder::Impl::getResolvedDetails() const DetailsResolvingHanlder::Impl::getResolvedDetails() const
{ {
I_ShellCmd *shell = Singleton::Consume<I_ShellCmd>::by<DetailsResolvingHanlder>(); I_ShellCmd *shell = Singleton::Consume<I_ShellCmd>::by<DetailsResolvingHanlder>();
I_AgentDetailsReporter *reporter = Singleton::Consume<I_AgentDetailsReporter>::by<DetailsResolvingHanlder>();
uint32_t timeout = getConfigurationWithDefault<uint32_t>(5000, "orchestration", "Details resolver time out"); uint32_t timeout = getConfigurationWithDefault<uint32_t>(5000, "orchestration", "Details resolver time out");
for (auto &shell_pre_command : shell_pre_commands) { for (auto &shell_pre_command : shell_pre_commands) {
@@ -122,7 +123,15 @@ DetailsResolvingHanlder::Impl::getResolvedDetails() const
Maybe<string> shell_command_output = getCommandOutput(command); Maybe<string> shell_command_output = getCommandOutput(command);
if (!shell_command_output.ok()) continue; if (!shell_command_output.ok()) continue;
Maybe<string> handler_ret = handler(*shell_command_output); Maybe<string> handler_ret = handler(*shell_command_output);
if (handler_ret.ok()) resolved_details[attr] = *handler_ret;
if (handler_ret.ok()) {
resolved_details[attr] = *handler_ret;
} else {
if (reporter->isPersistantAttr(attr)) {
dbgTrace(D_AGENT_DETAILS)<< "Persistent attribute changed, removing old value";
reporter->deleteAttr(attr);
}
}
} }
for (auto file_handler : file_content_handlers) { for (auto file_handler : file_content_handlers) {
@@ -133,7 +142,7 @@ DetailsResolvingHanlder::Impl::getResolvedDetails() const
shared_ptr<ifstream> in_file = shared_ptr<ifstream> in_file =
Singleton::Consume<I_OrchestrationTools>::by<DetailsResolvingHanlder>()->fileStreamWrapper(path); Singleton::Consume<I_OrchestrationTools>::by<DetailsResolvingHanlder>()->fileStreamWrapper(path);
if (!in_file->is_open()) { if (!in_file->is_open()) {
dbgWarning(D_AGENT_DETAILS) << "Could not open file for processing. Path: " << path; dbgDebug(D_AGENT_DETAILS) << "Could not open file for processing. Path: " << path;
continue; continue;
} }
@@ -157,7 +166,6 @@ DetailsResolvingHanlder::Impl::getResolvedDetails() const
} }
} }
I_AgentDetailsReporter *reporter = Singleton::Consume<I_AgentDetailsReporter>::by<DetailsResolvingHanlder>();
reporter->addAttr(resolved_details, true); reporter->addAttr(resolved_details, true);
return resolved_details; return resolved_details;

4
components/security_apps/orchestration/external_sdk_server/CMakeLists.txt Normal file
View File

@@ -0,0 +1,4 @@
include_directories(${PROJECT_SOURCE_DIR}/core/external_sdk/)
add_library(external_sdk_server external_sdk_server.cc)
add_subdirectory(external_sdk_server_ut)

348
components/security_apps/orchestration/external_sdk_server/external_sdk_server.cc Normal file
View File

@@ -0,0 +1,348 @@
#include "external_sdk_server.h"
#include "external_agent_sdk.h"
#include "log_generator.h"
#include "rest_server.h"
#include "generic_metric.h"
#include "customized_cereal_map.h"
#include "report/log_rest.h"
using namespace std;
USE_DEBUG_FLAG(D_EXTERNAL_SDK_USER);
USE_DEBUG_FLAG(D_EXTERNAL_SDK_SERVER);
class ExternalSdkRest : public ServerRest
{
public:
void
doCall() override
{
dbgFlow(D_EXTERNAL_SDK_SERVER);
Maybe<SdkApiType> sdk_event_type = convertToEnum<SdkApiType>(event_type.get());
if (!sdk_event_type.ok()) {
dbgWarning(D_EXTERNAL_SDK_SERVER) << "Received illegal event type. Type : " << event_type.get();
throw JsonError("Illegal event type provided");
}
dbgDebug(D_EXTERNAL_SDK_SERVER)
<< "Handling a new external sdk api call event. Type : "
<< convertApiTypeToString(sdk_event_type.unpack());
I_ExternalSdkServer *sdk_server = Singleton::Consume<I_ExternalSdkServer>::from<ExternalSdkServer>();
switch(sdk_event_type.unpack()) {
case SdkApiType::SendCodeEvent: {
if (!file.isActive()) {
throw JsonError("File was not provided for code event");
}
if (!func.isActive()) {
throw JsonError("Function was not provided for code event");
}
if (!line.isActive()) {
throw JsonError("Line path was not provided for code event");
}
if (!trace_id.isActive()) {
throw JsonError("Trace ID was not provided for code event");
}
if (!span_id.isActive()) {
throw JsonError("Span ID was not provided for code event");
}
if (!message.isActive()) {
throw JsonError("Message was not provided for code event");
}
sdk_server->sendDebug(
file.get(),
func.get(),
line.get(),
getDebugLevel(),
trace_id.get(),
span_id.get(),
message.get(),
additional_fields.isActive() ? additional_fields.get() : map<string, string>()
);
return;
}
case SdkApiType::SendEventDrivenEvent: {
if (!event_name.isActive()) {
throw JsonError("Event name was not provided for event");
}
sdk_server->sendLog(
event_name.get(),
getAudience(),
getSeverity(),
getPriority(),
tag.get(),
additional_fields.isActive() ? additional_fields.get() : map<string, string>()
);
return;
}
case SdkApiType::SendGetConfigRequest: {
if (!config_path.isActive()) {
throw JsonError("Config path was not provided for get configuration event");
}
Maybe<string> config_val = sdk_server->getConfigValue(config_path.get());
config_value = config_val.ok() ? config_val.unpack() : "";
return;
}
case SdkApiType::SendPeriodicEvent: {
if (!event_name.isActive()) {
throw JsonError("Event name was not provided for periodic event");
}
if (!service_name.isActive()) {
throw JsonError("Service name was not provided for periodic event");
}
sdk_server->sendMetric(
event_name,
service_name,
getAudienceTeam(),
ReportIS::IssuingEngine::AGENT_CORE,
additional_fields.isActive() ? additional_fields.get() : map<string, string>()
);
return;
}
default: {
dbgError(D_EXTERNAL_SDK_SERVER) << "Received illegal event type. Type : " << event_type.get();
}
}
}
private:
static string
convertApiTypeToString(SdkApiType type)
{
static const EnumArray<SdkApiType, string> api_type_string {
"Code Event",
"Periodic Event",
"Event Driven",
"Get Configuration",
};
return api_type_string[type];
}
Debug::DebugLevel
getDebugLevel()
{
static const map<int, Debug::DebugLevel> debug_levels = {
{0, Debug::DebugLevel::TRACE},
{1, Debug::DebugLevel::DEBUG},
{2, Debug::DebugLevel::INFO},
{3, Debug::DebugLevel::WARNING},
{4, Debug::DebugLevel::ERROR}
};
if (!debug_level.isActive()) {
throw JsonError("Debug level was not provided for code event");
}
auto level = debug_levels.find(debug_level.get());
if(level == debug_levels.end()) {
throw JsonError("Illegal debug level provided");
}
return level->second;
}
ReportIS::Severity
getSeverity()
{
if (!severity.isActive()) {
throw JsonError("Event severity was not provided for periodic event");
}
switch (severity.get()) {
case EventSeverity::SeverityCritical: return ReportIS::Severity::CRITICAL;
case EventSeverity::SeverityHigh: return ReportIS::Severity::HIGH;
case EventSeverity::SeverityMedium: return ReportIS::Severity::MEDIUM;
case EventSeverity::SeverityLow: return ReportIS::Severity::LOW;
case EventSeverity::SeverityInfo: return ReportIS::Severity::INFO;
default:
throw JsonError("Illegal event severity provided");
}
}
ReportIS::Priority
getPriority()
{
if (!priority.isActive()) {
throw JsonError("Event priority was not provided");
}
switch (priority.get()) {
case EventPriority::PriorityUrgent: return ReportIS::Priority::URGENT;
case EventPriority::PriorityHigh: return ReportIS::Priority::HIGH;
case EventPriority::PriorityMedium: return ReportIS::Priority::MEDIUM;
case EventPriority::PriorityLow: return ReportIS::Priority::LOW;
default:
throw JsonError("Illegal event priority provided");
}
}
ReportIS::Audience
getAudience()
{
if (!audience.isActive()) {
throw JsonError("Event audience was not provided");
}
switch (audience.get()) {
case EventAudience::AudienceSecurity: return ReportIS::Audience::SECURITY;
case EventAudience::AudienceInternal: return ReportIS::Audience::INTERNAL;
default:
throw JsonError("Illegal event audience provided");
}
}
ReportIS::AudienceTeam
getAudienceTeam()
{
if (!team.isActive()) {
throw JsonError("Event audience team was not provided");
}
switch (team.get()) {
case EventAudienceTeam::AudienceTeamAgentCore: return ReportIS::AudienceTeam::AGENT_CORE;
case EventAudienceTeam::AudienceTeamIot: return ReportIS::AudienceTeam::IOT_NEXT;
case EventAudienceTeam::AudienceTeamWaap: return ReportIS::AudienceTeam::WAAP;
case EventAudienceTeam::AudienceTeamAgentIntelligence: return ReportIS::AudienceTeam::AGENT_INTELLIGENCE;
default:
throw JsonError("Illegal event audience team provided");
}
}
using additional_fields_map = map<string, string>;
C2S_LABEL_PARAM(int, event_type, "eventType");
C2S_LABEL_OPTIONAL_PARAM(additional_fields_map, additional_fields, "additionalFields");
C2S_LABEL_OPTIONAL_PARAM(string, event_name, "eventName");
C2S_LABEL_OPTIONAL_PARAM(string, service_name, "serviceName");
C2S_OPTIONAL_PARAM(int, team);
C2S_OPTIONAL_PARAM(int, audience);
C2S_OPTIONAL_PARAM(int, severity);
C2S_OPTIONAL_PARAM(int, priority);
C2S_OPTIONAL_PARAM(string, tag);
C2S_OPTIONAL_PARAM(string, file);
C2S_OPTIONAL_PARAM(string, func);
C2S_OPTIONAL_PARAM(int, line);
C2S_LABEL_OPTIONAL_PARAM(int, debug_level, "debugLevel");
C2S_LABEL_OPTIONAL_PARAM(string, trace_id, "traceId");
C2S_LABEL_OPTIONAL_PARAM(string, span_id, "spanId");
C2S_OPTIONAL_PARAM(string, message);
C2S_LABEL_OPTIONAL_PARAM(string, config_path, "configPath");
S2C_LABEL_OPTIONAL_PARAM(string, config_value, "configValue");
};
class ExternalSdkServer::Impl
:
public Singleton::Provide<I_ExternalSdkServer>::From<ExternalSdkServer>
{
public:
void
init()
{
auto rest = Singleton::Consume<I_RestApi>::by<ExternalSdkServer>();
rest->addRestCall<ExternalSdkRest>(RestAction::ADD, "sdk-call");
}
void
sendLog(
const string &event_name,
ReportIS::Audience audience,
ReportIS::Severity severity,
ReportIS::Priority priority,
const string &tag_string,
const map<string, string> &additional_fields)
{
Maybe<ReportIS::Tags> tag = TagAndEnumManagement::convertStringToTag(tag_string);
set<ReportIS::Tags> tags;
if (tag.ok()) tags.insert(tag.unpack());
LogGen log(event_name, audience, severity, priority, tags);
for (const auto &field : additional_fields) {
log << LogField(field.first, field.second);
}
}
void
sendDebug(
const string &file_name,
const string &function_name,
unsigned int line_number,
Debug::DebugLevel debug_level,
const string &trace_id,
const string &span_id,
const string &message,
const map<string, string> &additional_fields)
{
(void)trace_id;
(void)span_id;
Debug debug(file_name, function_name, line_number, debug_level, D_EXTERNAL_SDK_USER);
debug.getStreamAggr() << message;
bool is_first_key = true;
for (const auto &field : additional_fields) {
if (is_first_key) {
is_first_key = false;
debug.getStreamAggr() << ". ";
} else {
debug.getStreamAggr() << ", ";
}
debug.getStreamAggr() << "\"" << field.first << "\": \"" << field.second << "\"";
}
}
void
sendMetric(
const string &event_title,
const string &service_name,
ReportIS::AudienceTeam team,
ReportIS::IssuingEngine issuing_engine,
const map<string, string> &additional_fields)
{
ScopedContext ctx;
ctx.registerValue("Service Name", service_name);
set<ReportIS::Tags> tags;
Report metric_to_fog(
event_title,
Singleton::Consume<I_TimeGet>::by<GenericMetric>()->getWalltime(),
ReportIS::Type::PERIODIC,
ReportIS::Level::LOG,
ReportIS::LogLevel::INFO,
ReportIS::Audience::INTERNAL,
team,
ReportIS::Severity::INFO,
ReportIS::Priority::LOW,
chrono::seconds(0),
LogField("agentId", Singleton::Consume<I_AgentDetails>::by<GenericMetric>()->getAgentId()),
tags,
ReportIS::Tags::INFORMATIONAL,
issuing_engine
);
for (const auto &field : additional_fields) {
metric_to_fog << LogField(field.first, field.second);
}
LogRest metric_client_rest(metric_to_fog);
string fog_metric_uri = getConfigurationWithDefault<string>("/api/v1/agents/events", "metric", "fogMetricUri");
Singleton::Consume<I_Messaging>::by<ExternalSdkServer>()->sendAsyncMessage(
HTTPMethod::POST,
fog_metric_uri,
metric_client_rest,
MessageCategory::METRIC,
MessageMetadata(),
false
);
}
Maybe<string>
getConfigValue(const string &config_path)
{
auto config_val = getProfileAgentSetting<string>(config_path);
if (!config_val.ok()) {
stringstream error;
error << "Failed to get configuration. Config path: " << config_path << ", Error: " << config_val.getErr();
return genError(error.str());
}
return config_val.unpack();
}
};
ExternalSdkServer::ExternalSdkServer() : Component("ExternalSdkServer"), pimpl(make_unique<Impl>()) {}
ExternalSdkServer::~ExternalSdkServer() {}
void ExternalSdkServer::init() { pimpl->init(); }
void ExternalSdkServer::fini() {}
void ExternalSdkServer::preload() {}

7
components/security_apps/orchestration/external_sdk_server/external_sdk_server_ut/CMakeLists.txt Normal file
View File

@@ -0,0 +1,7 @@
link_directories(${BOOST_ROOT}/lib)
add_unit_test(
external_sdk_server_ut
"external_sdk_server_ut.cc"
"external_sdk_server;mainloop;singleton;rest;environment;time_proxy;logging;event_is;metric;-lboost_context;agent_details;-lboost_regex;messaging;"
)

349
components/security_apps/orchestration/external_sdk_server/external_sdk_server_ut/external_sdk_server_ut.cc Normal file
View File

@@ -0,0 +1,349 @@
#include <stdio.h>
#include <stdarg.h>
#include "external_sdk_server.h"
#include "cptest.h"
#include "mock/mock_rest_api.h"
#include "mock/mock_messaging.h"
#include "mock/mock_logging.h"
#include "mock/mock_time_get.h"
#include "config.h"
#include "config_component.h"
#include "agent_details.h"
using namespace std;
using namespace testing;
class ExternalSdkServerTest : public Test
{
public:
ExternalSdkServerTest()
{
EXPECT_CALL(rest_mocker, mockRestCall(RestAction::ADD, "sdk-call", _)).WillOnce(
WithArg<2>(
Invoke(
[this](const unique_ptr<RestInit> &rest_ptr)
{
mock_sdk_rest = rest_ptr->getRest();
return true;
}
)
)
);
sdk_server.preload();
sdk_server.init();
i_sdk = Singleton::Consume<I_ExternalSdkServer>::from(sdk_server);
}
~ExternalSdkServerTest()
{
sdk_server.fini();
}
ExternalSdkServer sdk_server;
NiceMock<MockTimeGet> mock_timer;
StrictMock<MockMessaging> messaging_mocker;
StrictMock<MockRestApi> rest_mocker;
StrictMock<MockLogging> log_mocker;
unique_ptr<ServerRest> mock_sdk_rest;
I_ExternalSdkServer *i_sdk;
ConfigComponent conf;
AgentDetails agent_details;
::Environment env;
};
TEST_F(ExternalSdkServerTest, initTest)
{
}
TEST_F(ExternalSdkServerTest, configCall)
{
Maybe<string> no_conf = i_sdk->getConfigValue("key1");
EXPECT_FALSE(no_conf.ok());
string config_json =
"{\n"
"\"agentSettings\": [\n"
"{\n"
"\"id\": \"id1\",\n"
"\"key\": \"key1\",\n"
"\"value\": \"value1\"\n"
"},\n"
"{\n"
"\"id\": \"id1\",\n"
"\"key\": \"key2\",\n"
"\"value\": \"value2\"\n"
"}\n"
"]\n"
"}\n";
conf.preload();
istringstream conf_stream(config_json);
ASSERT_TRUE(Singleton::Consume<Config::I_Config>::from(conf)->loadConfiguration(conf_stream));
Maybe<string> conf_found = i_sdk->getConfigValue("key1");
ASSERT_TRUE(conf_found.ok());
EXPECT_EQ(conf_found.unpack(), "value1");
conf_found = i_sdk->getConfigValue("key2");
ASSERT_TRUE(conf_found.ok());
EXPECT_EQ(conf_found.unpack(), "value2");
stringstream config_call_body;
config_call_body << "{ \"eventType\": 3, \"configPath\": \"key1\" }";
Maybe<string> sdk_conf = mock_sdk_rest->performRestCall(config_call_body);
ASSERT_TRUE(sdk_conf.ok());
EXPECT_EQ(
sdk_conf.unpack(),
"{\n"
" \"configValue\": \"value1\"\n"
"}"
);
}
template <typename T>
string
toJson(const T &obj)
{
stringstream ss;
{
cereal::JSONOutputArchive ar(ss);
obj.serialize(ar);
}
return ss.str();
}
TEST_F(ExternalSdkServerTest, eventDrivenCall)
{
string generated_log;
EXPECT_CALL(log_mocker, getCurrentLogId()).Times(2).WillRepeatedly(Return(0));
EXPECT_CALL(log_mocker, sendLog(_)).Times(2).WillRepeatedly(
WithArg<0>(
Invoke(
[&] (const Report &msg)
{
generated_log = toJson(msg);
}
)
)
);
i_sdk->sendLog(
"my log",
ReportIS::Audience::INTERNAL,
ReportIS::Severity::LOW,
ReportIS::Priority::HIGH,
"IPS",
{{"key1", "value1"}, {"key2", "value2"}}
);
static const string expected_log =
"{\n"
" \"eventTime\": \"\",\n"
" \"eventName\": \"my log\",\n"
" \"eventSeverity\": \"Low\",\n"
" \"eventPriority\": \"High\",\n"
" \"eventType\": \"Event Driven\",\n"
" \"eventLevel\": \"Log\",\n"
" \"eventLogLevel\": \"info\",\n"
" \"eventAudience\": \"Internal\",\n"
" \"eventAudienceTeam\": \"\",\n"
" \"eventFrequency\": 0,\n"
" \"eventTags\": [\n"
" \"IPS\"\n"
" ],\n"
" \"eventSource\": {\n"
" \"agentId\": \"Unknown\",\n"
" \"eventTraceId\": \"\",\n"
" \"eventSpanId\": \"\",\n"
" \"issuingEngineVersion\": \"\",\n"
" \"serviceName\": \"Unnamed Nano Service\"\n"
" },\n"
" \"eventData\": {\n"
" \"logIndex\": 0,\n"
" \"key1\": \"value1\",\n"
" \"key2\": \"value2\"\n"
" }\n"
"}";
EXPECT_EQ(generated_log, expected_log);
string event_call_body =
"{\n"
" \"eventType\": 2,\n"
" \"eventName\": \"my log\",\n"
" \"audience\": 1,\n"
" \"severity\": 3,\n"
" \"priority\": 1,\n"
" \"tag\": \"IPS\",\n"
" \"team\": 3,\n"
" \"additionalFields\": {\n"
" \"key1\": \"value1\",\n"
" \"key2\": \"value2\"\n"
" }\n"
"}";
generated_log = "";
stringstream event_call_stream;
event_call_stream << event_call_body;
EXPECT_TRUE(mock_sdk_rest->performRestCall(event_call_stream).ok());
EXPECT_EQ(generated_log, expected_log);
}
TEST_F(ExternalSdkServerTest, periodicEventCall)
{
string message_body;
EXPECT_CALL(
messaging_mocker,
sendAsyncMessage(
HTTPMethod::POST,
"/api/v1/agents/events",
_,
MessageCategory::METRIC,
_,
false
)
).Times(2).WillRepeatedly(SaveArg<2>(&message_body));
i_sdk->sendMetric(
"my metric",
"matrix",
ReportIS::AudienceTeam::AGENT_INTELLIGENCE,
ReportIS::IssuingEngine::AGENT_CORE,
{{"key", "value"}}
);
static const string expected_message =
"{\n"
" \"log\": {\n"
" \"eventTime\": \"\",\n"
" \"eventName\": \"my metric\",\n"
" \"eventSeverity\": \"Info\",\n"
" \"eventPriority\": \"Low\",\n"
" \"eventType\": \"Periodic\",\n"
" \"eventLevel\": \"Log\",\n"
" \"eventLogLevel\": \"info\",\n"
" \"eventAudience\": \"Internal\",\n"
" \"eventAudienceTeam\": \"Agent Intelligence\",\n"
" \"eventFrequency\": 0,\n"
" \"eventTags\": [\n"
" \"Informational\"\n"
" ],\n"
" \"eventSource\": {\n"
" \"agentId\": \"Unknown\",\n"
" \"issuingEngine\": \"Agent Core\",\n"
" \"eventTraceId\": \"\",\n"
" \"eventSpanId\": \"\",\n"
" \"issuingEngineVersion\": \"\",\n"
" \"serviceName\": \"matrix\"\n"
" },\n"
" \"eventData\": {\n"
" \"key\": \"value\"\n"
" }\n"
" }\n"
"}";
EXPECT_EQ(message_body, expected_message);
string event_call_body =
"{\n"
" \"eventType\": 1,\n"
" \"eventName\": \"my metric\",\n"
" \"serviceName\": \"matrix\",\n"
" \"team\": 3,\n"
" \"additionalFields\": {\n"
" \"key\": \"value\"\n"
" }\n"
"}";
stringstream event_call_stream;
event_call_stream << event_call_body;
message_body = "";
EXPECT_TRUE(mock_sdk_rest->performRestCall(event_call_stream).ok());
EXPECT_EQ(message_body, expected_message);
}
USE_DEBUG_FLAG(D_EXTERNAL_SDK_USER);
USE_DEBUG_FLAG(D_EXTERNAL_SDK_SERVER);
TEST_F(ExternalSdkServerTest, codeEventCall)
{
ostringstream capture_debug;
Debug::setUnitTestFlag(D_EXTERNAL_SDK_SERVER, Debug::DebugLevel::TRACE);
Debug::setUnitTestFlag(D_EXTERNAL_SDK_USER, Debug::DebugLevel::TRACE);
Debug::setNewDefaultStdout(&capture_debug);
i_sdk->sendDebug(
"file.cc",
"myFunc2",
42,
Debug::DebugLevel::TRACE,
"123",
"abc",
"h#l1ow w0r!d",
{{"hi", "universe"}}
);
EXPECT_THAT(
capture_debug.str(),
HasSubstr(
"[myFunc2@file.cc:42 | >>>] "
"h#l1ow w0r!d. \"hi\": \"universe\"\n"
)
);
string debug_event =
"{\n"
" \"eventType\": 0,\n"
" \"file\": \"my file\",\n"
" \"func\": \"function_name\",\n"
" \"line\": 42,\n"
" \"debugLevel\": 0,\n"
" \"traceId\": \"\",\n"
" \"spanId\": \"span2323\",\n"
" \"message\": \"some short debug\",\n"
" \"team\": 1,\n"
" \"additionalFields\": {\n"
" \"name\": \"moshe\",\n"
" \"food\": \"bamba\"\n"
" }\n"
"}";
stringstream event_call_stream;
event_call_stream << debug_event;
EXPECT_TRUE(mock_sdk_rest->performRestCall(event_call_stream).ok());
EXPECT_THAT(
capture_debug.str(),
HasSubstr(
"[function_name@my file:42 | >>>] "
"some short debug. \"food\": \"bamba\", \"name\": \"moshe\"\n"
)
);
Debug::setNewDefaultStdout(&cout);
}
TEST_F(ExternalSdkServerTest, ilegalEventCall)
{
string event_call_body =
"{\n"
" \"eventType\": 7,\n"
" \"eventName\": \"my metric\",\n"
" \"serviceName\": \"matrix\",\n"
" \"team\": 3,\n"
" \"additionalFields\": {\n"
" \"key\": \"value\"\n"
" }\n"
"}";
stringstream event_call_stream;
event_call_stream << event_call_body;
Maybe<string> failed_respond = mock_sdk_rest->performRestCall(event_call_stream);
EXPECT_FALSE(failed_respond.ok());
EXPECT_EQ(failed_respond.getErr(), "Illegal event type provided");
}

2
components/security_apps/orchestration/health_check/health_check_ut/CMakeLists.txt
View File

@@ -3,5 +3,5 @@ link_directories(${BOOST_ROOT}/lib)
add_unit_test( add_unit_test(
health_check_ut health_check_ut
"health_check_ut.cc" "health_check_ut.cc"
"health_check;messaging;mainloop;singleton;agent_details;config;logging;metric;event_is;health_check_manager;-lboost_regex;-lboost_system" "health_check;updates_process_reporter;messaging;mainloop;singleton;agent_details;config;logging;metric;event_is;health_check_manager;-lboost_regex;-lboost_system"
) )

2
components/health_check_manager/CMakeLists.txt → components/security_apps/orchestration/health_check_manager/CMakeLists.txt
View File

@@ -1,3 +1 @@
add_library(health_check_manager health_check_manager.cc) add_library(health_check_manager health_check_manager.cc)
add_subdirectory(health_check_manager_ut)

180
components/health_check_manager/health_check_manager.cc → components/security_apps/orchestration/health_check_manager/health_check_manager.cc Executable file → Normal file
View File

@@ -21,6 +21,7 @@
#include "config.h" #include "config.h"
#include "cereal/archives/json.hpp" #include "cereal/archives/json.hpp"
#include "customized_cereal_map.h" #include "customized_cereal_map.h"
#include "updates_process_event.h"
using namespace std; using namespace std;
@@ -79,19 +80,22 @@ class HealthCheckValue
public: public:
HealthCheckValue() = default; HealthCheckValue() = default;
HealthCheckValue(HealthCheckStatus raw_status, const map<string, HealthCheckStatusReply> &descriptions) HealthCheckValue(HealthCheckStatus raw_status, const HealthCheckStatusReply &description)
: :
status(raw_status) status(raw_status)
{ {
for (const auto &single_stat : descriptions) { if (description.getStatus() == HealthCheckStatus::HEALTHY) {
if (single_stat.second.getStatus() == HealthCheckStatus::HEALTHY) { dbgTrace(D_HEALTH_CHECK_MANAGER)
dbgTrace(D_HEALTH_CHECK_MANAGER) << "Ignoring healthy status reply. Comp name: " << single_stat.first; << "Ignoring healthy status reply. Comp name: "
continue; << description.getCompName();
} return;
}
for (const auto &status : single_stat.second.getExtendedStatus()) { for (const auto &extended_status : description.getExtendedStatus()) {
errors.push_back(HealthCheckError(single_stat.first + " " + status.first, status.second)); errors.push_back(
} HealthCheckError(description.getCompName() + " " + extended_status.first,
extended_status.second
));
} }
} }
@@ -113,9 +117,9 @@ private:
class HealthCheckPatch : public ClientRest class HealthCheckPatch : public ClientRest
{ {
public: public:
HealthCheckPatch(HealthCheckStatus raw_status, const map<string, HealthCheckStatusReply> &descriptions) HealthCheckPatch(HealthCheckStatus raw_status, const HealthCheckStatusReply &description)
{ {
health_check = HealthCheckValue(raw_status, descriptions); health_check = HealthCheckValue(raw_status, description);
} }
C2S_LABEL_PARAM(HealthCheckValue, health_check, "healthCheck"); C2S_LABEL_PARAM(HealthCheckValue, health_check, "healthCheck");
@@ -123,7 +127,8 @@ public:
class HealthCheckManager::Impl class HealthCheckManager::Impl
: :
Singleton::Provide<I_Health_Check_Manager>::From<HealthCheckManager> Singleton::Provide<I_Health_Check_Manager>::From<HealthCheckManager>,
public Listener<UpdatesProcessEvent>
{ {
public: public:
void void
@@ -132,6 +137,7 @@ public:
auto rest = Singleton::Consume<I_RestApi>::by<HealthCheckManager>(); auto rest = Singleton::Consume<I_RestApi>::by<HealthCheckManager>();
rest->addRestCall<HealthCheckOnDemand>(RestAction::SHOW, "health-check-on-demand"); rest->addRestCall<HealthCheckOnDemand>(RestAction::SHOW, "health-check-on-demand");
registerListener();
int interval_in_seconds = int interval_in_seconds =
getProfileAgentSettingWithDefault<int>(30, "agent.healthCheck.intervalInSeconds"); getProfileAgentSettingWithDefault<int>(30, "agent.healthCheck.intervalInSeconds");
@@ -157,9 +163,62 @@ public:
void void
printRepliesHealthStatus(ofstream &oputput_file) printRepliesHealthStatus(ofstream &oputput_file)
{ {
getRegisteredComponentsHealthStatus();
cereal::JSONOutputArchive ar(oputput_file); cereal::JSONOutputArchive ar(oputput_file);
ar(cereal::make_nvp("allComponentsHealthCheckReplies", all_comps_health_status)); ar(cereal::make_nvp(health_check_reply.getCompName(), health_check_reply));
}
void
upon(const UpdatesProcessEvent &event)
{
OrchestrationStatusFieldType status_field_type = event.getStatusFieldType();
HealthCheckStatus _status = convertResultToHealthCheckStatus(event.getResult());
string status_field_type_str = convertOrchestrationStatusFieldTypeToStr(status_field_type);
extended_status[status_field_type_str] =
_status == HealthCheckStatus::HEALTHY ?
"Success" :
event.parseDescription();
field_types_status[status_field_type_str] = _status;
switch(_status) {
case HealthCheckStatus::UNHEALTHY: {
general_health_aggregated_status = HealthCheckStatus::UNHEALTHY;
break;
}
case HealthCheckStatus::DEGRADED: {
for (const auto &type_status : field_types_status) {
if ((type_status.first != status_field_type_str)
&& (type_status.second == HealthCheckStatus::UNHEALTHY))
{
break;
}
}
general_health_aggregated_status = HealthCheckStatus::DEGRADED;
break;
}
case HealthCheckStatus::HEALTHY: {
for (const auto &type_status : field_types_status) {
if ((type_status.first != status_field_type_str)
&& (type_status.second == HealthCheckStatus::UNHEALTHY
|| type_status.second == HealthCheckStatus::DEGRADED)
)
{
break;
}
general_health_aggregated_status = HealthCheckStatus::HEALTHY;
}
break;
}
case HealthCheckStatus::IGNORED: {
break;
}
}
health_check_reply = HealthCheckStatusReply(
"Orchestration",
general_health_aggregated_status,
extended_status
);
} }
private: private:
@@ -168,9 +227,10 @@ private:
{ {
dbgFlow(D_HEALTH_CHECK_MANAGER) << "Sending a health check patch"; dbgFlow(D_HEALTH_CHECK_MANAGER) << "Sending a health check patch";
HealthCheckPatch patch_to_send(general_health_aggregated_status, all_comps_health_status); HealthCheckPatch patch_to_send(general_health_aggregated_status, health_check_reply);
auto messaging = Singleton::Consume<I_Messaging>::by<HealthCheckManager>(); extended_status.clear();
return messaging->sendSyncMessageWithoutResponse( field_types_status.clear();
return Singleton::Consume<I_Messaging>::by<HealthCheckManager>()->sendSyncMessageWithoutResponse(
HTTPMethod::PATCH, HTTPMethod::PATCH,
"/agents", "/agents",
patch_to_send, patch_to_send,
@@ -178,59 +238,11 @@ private:
); );
} }
void
getRegisteredComponentsHealthStatus()
{
vector<HealthCheckStatusReply> health_check_event_reply = HealthCheckStatusEvent().query();
all_comps_health_status.clear();
for (const auto &reply : health_check_event_reply) {
if (reply.getStatus() != HealthCheckStatus::IGNORED) {
all_comps_health_status.emplace(reply.getCompName(), reply);
}
}
}
void
calcGeneralHealthAggregatedStatus()
{
general_health_aggregated_status = HealthCheckStatus::HEALTHY;
for (const auto &reply : all_comps_health_status) {
HealthCheckStatus status = reply.second.getStatus();
dbgTrace(D_HEALTH_CHECK_MANAGER)
<< "Current aggregated status is: "
<< HealthCheckStatusReply::convertHealthCheckStatusToStr(
general_health_aggregated_status
)
<< ". Got health status: "
<< HealthCheckStatusReply::convertHealthCheckStatusToStr(status)
<< "for component: "
<< reply.first;
switch (status) {
case HealthCheckStatus::UNHEALTHY : {
general_health_aggregated_status = HealthCheckStatus::UNHEALTHY;
return;
}
case HealthCheckStatus::DEGRADED : {
general_health_aggregated_status = HealthCheckStatus::DEGRADED;
break;
}
case HealthCheckStatus::IGNORED : break;
case HealthCheckStatus::HEALTHY : break;
}
}
}
void void
executeHealthCheck() executeHealthCheck()
{ {
dbgFlow(D_HEALTH_CHECK_MANAGER) << "Collecting health status from all registered components."; dbgFlow(D_HEALTH_CHECK_MANAGER) << "Collecting health status from all registered components.";
getRegisteredComponentsHealthStatus();
calcGeneralHealthAggregatedStatus();
dbgTrace(D_HEALTH_CHECK_MANAGER) dbgTrace(D_HEALTH_CHECK_MANAGER)
<< "Aggregated status: " << "Aggregated status: "
<< HealthCheckStatusReply::convertHealthCheckStatusToStr(general_health_aggregated_status); << HealthCheckStatusReply::convertHealthCheckStatusToStr(general_health_aggregated_status);
@@ -244,9 +256,43 @@ private:
}; };
} }
HealthCheckStatus general_health_aggregated_status; string
map<string, HealthCheckStatusReply> all_comps_health_status; convertOrchestrationStatusFieldTypeToStr(OrchestrationStatusFieldType type)
{
switch (type) {
case OrchestrationStatusFieldType::REGISTRATION : return "Registration";
case OrchestrationStatusFieldType::MANIFEST : return "Manifest";
case OrchestrationStatusFieldType::LAST_UPDATE : return "Last Update";
case OrchestrationStatusFieldType::COUNT : return "Count";
}
dbgAssert(false) << "Trying to convert unknown orchestration status field to string.";
return "";
}
HealthCheckStatus
convertResultToHealthCheckStatus(UpdatesProcessResult result)
{
switch (result) {
case UpdatesProcessResult::SUCCESS : return HealthCheckStatus::HEALTHY;
case UpdatesProcessResult::UNSET : return HealthCheckStatus::IGNORED;
case UpdatesProcessResult::FAILED : return HealthCheckStatus::UNHEALTHY;
case UpdatesProcessResult::DEGRADED : return HealthCheckStatus::DEGRADED;
}
dbgAssert(false) << "Trying to convert unknown update process result field to health check status.";
return HealthCheckStatus::IGNORED;
}
HealthCheckStatus general_health_aggregated_status = HealthCheckStatus::HEALTHY;
HealthCheckStatusReply health_check_reply = HealthCheckStatusReply(
"Orchestration",
HealthCheckStatus::HEALTHY,
{}
);
bool should_patch_report; bool should_patch_report;
map<string, string> extended_status;
map<string, HealthCheckStatus> field_types_status;
}; };
HealthCheckManager::HealthCheckManager() : Component("HealthCheckManager"), pimpl(make_unique<Impl>()) {} HealthCheckManager::HealthCheckManager() : Component("HealthCheckManager"), pimpl(make_unique<Impl>()) {}

79
components/health_check_manager/health_check_manager_ut/health_check_manager_ut.cc → components/security_apps/orchestration/health_check_manager/health_check_manager_ut/health_check_manager_ut.cc Executable file → Normal file
View File

@@ -13,42 +13,13 @@
#include "mock/mock_mainloop.h" #include "mock/mock_mainloop.h"
#include "mock/mock_messaging.h" #include "mock/mock_messaging.h"
#include "mock/mock_rest_api.h" #include "mock/mock_rest_api.h"
#include "updates_process_event.h"
using namespace std; using namespace std;
using namespace testing; using namespace testing;
USE_DEBUG_FLAG(D_HEALTH_CHECK); USE_DEBUG_FLAG(D_HEALTH_CHECK);
class TestHealthCheckStatusListener : public Listener<HealthCheckStatusEvent>
{
public:
void upon(const HealthCheckStatusEvent &) override {}
HealthCheckStatusReply
respond(const HealthCheckStatusEvent &) override
{
map<string, string> extended_status;
extended_status["team"] = team;
extended_status["city"] = city;
HealthCheckStatusReply reply(comp_name, status, extended_status);
return reply;
}
void setStatus(HealthCheckStatus new_status) { status = new_status; }
string getListenerName() const { return "TestHealthCheckStatusListener"; }
private:
static const string comp_name;
HealthCheckStatus status = HealthCheckStatus::HEALTHY;
static const string team;
static const string city;
};
const string TestHealthCheckStatusListener::comp_name = "Test";
const string TestHealthCheckStatusListener::team = "Hapoel";
const string TestHealthCheckStatusListener::city = "Tel-Aviv";
class TestEnd {}; class TestEnd {};
class HealthCheckManagerTest : public Test class HealthCheckManagerTest : public Test
@@ -56,8 +27,7 @@ class HealthCheckManagerTest : public Test
public: public:
HealthCheckManagerTest() HealthCheckManagerTest()
{ {
Debug::setNewDefaultStdout(&debug_output); Debug::setUnitTestFlag(D_HEALTH_CHECK, Debug::DebugLevel::NOISE);
Debug::setUnitTestFlag(D_HEALTH_CHECK, Debug::DebugLevel::INFO);
EXPECT_CALL(mock_ml, addRecurringRoutine(_, _, _, _, _)).WillRepeatedly( EXPECT_CALL(mock_ml, addRecurringRoutine(_, _, _, _, _)).WillRepeatedly(
DoAll(SaveArg<2>(&health_check_periodic_routine), Return(1)) DoAll(SaveArg<2>(&health_check_periodic_routine), Return(1))
@@ -70,7 +40,6 @@ public:
); );
env.preload(); env.preload();
event_listener.registerListener();
env.init(); env.init();
@@ -98,14 +67,12 @@ public:
StrictMock<MockMainLoop> mock_ml; StrictMock<MockMainLoop> mock_ml;
StrictMock<MockRestApi> mock_rest; StrictMock<MockRestApi> mock_rest;
StrictMock<MockMessaging> mock_message; StrictMock<MockMessaging> mock_message;
stringstream debug_output;
ConfigComponent config; ConfigComponent config;
Config::I_Config *i_config = nullptr; Config::I_Config *i_config = nullptr;
::Environment env; ::Environment env;
HealthCheckManager health_check_manager; HealthCheckManager health_check_manager;
I_Health_Check_Manager *i_health_check_manager; I_Health_Check_Manager *i_health_check_manager;
unique_ptr<ServerRest> health_check_server; unique_ptr<ServerRest> health_check_server;
TestHealthCheckStatusListener event_listener;
}; };
TEST_F(HealthCheckManagerTest, runPeriodicHealthCheckTest) TEST_F(HealthCheckManagerTest, runPeriodicHealthCheckTest)
@@ -142,7 +109,20 @@ TEST_F(HealthCheckManagerTest, runPeriodicHealthCheckTest)
EXPECT_EQ(actual_body, expected_healthy_body); EXPECT_EQ(actual_body, expected_healthy_body);
EXPECT_EQ("Healthy", aggregated_status_str); EXPECT_EQ("Healthy", aggregated_status_str);
event_listener.setStatus(HealthCheckStatus::DEGRADED); UpdatesProcessEvent(
UpdatesProcessResult::DEGRADED,
UpdatesConfigType::SETTINGS,
UpdatesFailureReason::DOWNLOAD_FILE,
"setting.json",
"File not found"
).notify();
UpdatesProcessEvent(
UpdatesProcessResult::DEGRADED,
UpdatesConfigType::MANIFEST,
UpdatesFailureReason::DOWNLOAD_FILE,
"manifest.json",
"File not found"
).notify();
try { try {
health_check_periodic_routine(); health_check_periodic_routine();
} catch (const TestEnd &t) {} } catch (const TestEnd &t) {}
@@ -156,16 +136,16 @@ TEST_F(HealthCheckManagerTest, runPeriodicHealthCheckTest)
" \"status\": \"Degraded\",\n" " \"status\": \"Degraded\",\n"
" \"errors\": [\n" " \"errors\": [\n"
" {\n" " {\n"
" \"code\": \"Test city\",\n" " \"code\": \"Orchestration Last Update\",\n"
" \"message\": [\n" " \"message\": [\n"
" \"Tel-Aviv\"\n" " \"Failed to download the file setting.json. Error: File not found\"\n"
" ],\n" " ],\n"
" \"internal\": true\n" " \"internal\": true\n"
" },\n" " },\n"
" {\n" " {\n"
" \"code\": \"Test team\",\n" " \"code\": \"Orchestration Manifest\",\n"
" \"message\": [\n" " \"message\": [\n"
" \"Hapoel\"\n" " \"Failed to download the file manifest.json. Error: File not found\"\n"
" ],\n" " ],\n"
" \"internal\": true\n" " \"internal\": true\n"
" }\n" " }\n"
@@ -196,19 +176,24 @@ TEST_F(HealthCheckManagerTest, runOnDemandHealthCheckTest)
config.preload(); config.preload();
Singleton::Consume<Config::I_Config>::from(config)->loadConfiguration(ss); Singleton::Consume<Config::I_Config>::from(config)->loadConfiguration(ss);
UpdatesProcessEvent(
UpdatesProcessResult::FAILED,
UpdatesConfigType::MANIFEST,
UpdatesFailureReason::DOWNLOAD_FILE,
"manifest.json",
"File not found"
).notify();
stringstream is; stringstream is;
is << "{}"; is << "{}";
health_check_server->performRestCall(is); health_check_server->performRestCall(is);
string expected_status = string expected_status =
"{\n" "{\n"
" \"allComponentsHealthCheckReplies\": {\n" " \"Orchestration\": {\n"
" \"Test\": {\n" " \"status\": \"Unhealthy\",\n"
" \"status\": \"Healthy\",\n" " \"extendedStatus\": {\n"
" \"extendedStatus\": {\n" " \"Manifest\": \"Failed to download the file manifest.json. Error: File not found\"\n"
" \"city\": \"Tel-Aviv\",\n"
" \"team\": \"Hapoel\"\n"
" }\n"
" }\n" " }\n"
" }\n" " }\n"
"}"; "}";

1
components/security_apps/orchestration/include/fog_communication.h
View File

@@ -51,6 +51,7 @@ public:
private: private:
I_DeclarativePolicy *i_declarative_policy = nullptr; I_DeclarativePolicy *i_declarative_policy = nullptr;
std::string profile_mode;
}; };
#endif // __FOG_COMMUNICATION_H__ #endif // __FOG_COMMUNICATION_H__

10
components/security_apps/orchestration/include/mock/mock_details_resolver.h
View File

@@ -26,6 +26,13 @@ operator<<(std::ostream &os, const Maybe<std::tuple<std::string, std::string, st
return os; return os;
} }
std::ostream &
operator<<(
std::ostream &os, const Maybe<std::tuple<std::string, std::string, std::string, std::string, std::string>> &)
{
return os;
}
class MockDetailsResolver class MockDetailsResolver
: :
public Singleton::Provide<I_DetailsResolver>::From<MockProvider<I_DetailsResolver>> public Singleton::Provide<I_DetailsResolver>::From<MockProvider<I_DetailsResolver>>
@@ -42,7 +49,8 @@ public:
MOCK_METHOD0(getResolvedDetails, std::map<std::string, std::string>()); MOCK_METHOD0(getResolvedDetails, std::map<std::string, std::string>());
MOCK_METHOD0(isVersionAboveR8110, bool()); MOCK_METHOD0(isVersionAboveR8110, bool());
MOCK_METHOD0(parseNginxMetadata, Maybe<std::tuple<std::string, std::string, std::string>>()); MOCK_METHOD0(parseNginxMetadata, Maybe<std::tuple<std::string, std::string, std::string>>());
MOCK_METHOD0(readCloudMetadata, Maybe<std::tuple<std::string, std::string, std::string>>()); MOCK_METHOD0(
readCloudMetadata, Maybe<std::tuple<std::string, std::string, std::string, std::string, std::string>>());
}; };
#endif // __MOCK_DETAILS_RESOLVER_H__ #endif // __MOCK_DETAILS_RESOLVER_H__

2
components/security_apps/orchestration/include/mock/mock_service_controller.h
View File

@@ -64,7 +64,7 @@ public:
) )
); );
typedef std::map<std::string, PortNumber> ServicePortMap; typedef std::map<std::string, std::vector<PortNumber>> ServicePortMap;
MOCK_METHOD0(getServiceToPortMap, ServicePortMap()); MOCK_METHOD0(getServiceToPortMap, ServicePortMap());
MOCK_METHOD3(updateReconfStatus, void(int id, const std::string &service_name, ReconfStatus status)); MOCK_METHOD3(updateReconfStatus, void(int id, const std::string &service_name, ReconfStatus status));
MOCK_METHOD4( MOCK_METHOD4(

130
components/security_apps/orchestration/include/updates_process_event.h Normal file
View File

@@ -0,0 +1,130 @@
// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef __UPDATES_PROCESS_EVENT_H__
#define __UPDATES_PROCESS_EVENT_H__
#include "event.h"
#include "singleton.h"
#include "config.h"
#include "debug.h"
#include "i_orchestration_status.h"
#include "health_check_status/health_check_status.h"
#include "customized_cereal_map.h"
USE_DEBUG_FLAG(D_UPDATES_PROCESS_REPORTER);
enum class UpdatesFailureReason {
CHECK_UPDATE,
REGISTRATION,
ORCHESTRATION_SELF_UPDATE,
GET_UPDATE_REQUEST,
DOWNLOAD_FILE,
HANDLE_FILE,
INSTALLATION_QUEUE,
INSTALL_PACKAGE,
CHECKSUM_UNMATCHED,
POLICY_CONFIGURATION,
POLICY_FOG_CONFIGURATION,
NONE
};
enum class UpdatesConfigType { MANIFEST, POLICY, SETTINGS, DATA, GENERAL };
enum class UpdatesProcessResult { UNSET, SUCCESS, FAILED, DEGRADED };
static inline std::string
convertUpdatesFailureReasonToStr(UpdatesFailureReason reason)
{
switch (reason) {
case UpdatesFailureReason::CHECK_UPDATE : return "CHECK_UPDATE";
case UpdatesFailureReason::REGISTRATION : return "REGISTRATION";
case UpdatesFailureReason::ORCHESTRATION_SELF_UPDATE : return "ORCHESTRATION_SELF_UPDATE";
case UpdatesFailureReason::GET_UPDATE_REQUEST : return "GET_UPDATE_REQUEST";
case UpdatesFailureReason::DOWNLOAD_FILE : return "DOWNLOAD_FILE";
case UpdatesFailureReason::HANDLE_FILE : return "HANDLE_FILE";
case UpdatesFailureReason::INSTALLATION_QUEUE : return "INSTALLATION_QUEUE";
case UpdatesFailureReason::INSTALL_PACKAGE : return "INSTALL_PACKAGE";
case UpdatesFailureReason::CHECKSUM_UNMATCHED : return "CHECKSUM_UNMATCHED";
case UpdatesFailureReason::POLICY_CONFIGURATION : return "POLICY_CONFIGURATION";
case UpdatesFailureReason::POLICY_FOG_CONFIGURATION : return "POLICY_FOG_CONFIGURATION";
case UpdatesFailureReason::NONE : return "NONE";
}
dbgWarning(D_UPDATES_PROCESS_REPORTER) << "Trying to convert unknown updates failure reason to string.";
return "";
}
static inline std::string
convertUpdatesConfigTypeToStr(UpdatesConfigType type)
{
switch (type) {
case UpdatesConfigType::MANIFEST : return "MANIFEST";
case UpdatesConfigType::POLICY : return "POLICY";
case UpdatesConfigType::SETTINGS : return "SETTINGS";
case UpdatesConfigType::DATA : return "DATA";
case UpdatesConfigType::GENERAL : return "GENERAL";
}
dbgWarning(D_UPDATES_PROCESS_REPORTER) << "Trying to convert unknown updates failure reason to string.";
return "";
}
static inline std::string
convertUpdateProcessResultToStr(UpdatesProcessResult result)
{
switch (result) {
case UpdatesProcessResult::SUCCESS : return "SUCCESS";
case UpdatesProcessResult::UNSET : return "UNSET";
case UpdatesProcessResult::FAILED : return "FAILURE";
case UpdatesProcessResult::DEGRADED : return "DEGRADED";
}
dbgWarning(D_UPDATES_PROCESS_REPORTER) << "Trying to convert unknown updates failure reason to string.";
return "";
}
class UpdatesProcessEvent : public Event<UpdatesProcessEvent>
{
public:
UpdatesProcessEvent() {}
UpdatesProcessEvent(
UpdatesProcessResult _result,
UpdatesConfigType _type,
UpdatesFailureReason _reason = UpdatesFailureReason::NONE,
const std::string &_detail = "",
const std::string &_description = "");
~UpdatesProcessEvent() {}
UpdatesProcessResult getResult() const { return result; }
UpdatesConfigType getType() const { return type; }
UpdatesFailureReason getReason() const { return reason; }
std::string getDetail() const { return detail; }
std::string getDescription() const { return description; }
OrchestrationStatusFieldType getStatusFieldType() const;
OrchestrationStatusResult getOrchestrationStatusResult() const;
std::string parseDescription() const;
private:
UpdatesProcessResult result;
UpdatesConfigType type;
UpdatesFailureReason reason;
std::string detail;
std::string description;
};
#endif // __UPDATES_PROCESS_EVENT_H__

63
components/security_apps/orchestration/include/updates_process_report.h Normal file
View File

@@ -0,0 +1,63 @@
// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef __UPDATES_PROCESS_REPORT_H__
#define __UPDATES_PROCESS_REPORT_H__
#include <sstream>
#include <string>
#include "singleton.h"
#include "i_time_get.h"
#include "updates_process_event.h"
class UpdatesProcessReport : Singleton::Consume<I_TimeGet>
{
public:
UpdatesProcessReport(
UpdatesProcessResult result,
UpdatesConfigType type,
UpdatesFailureReason reason,
const std::string &description)
:
result(result), type(type), reason(reason), description(description)
{
time_stamp = Singleton::Consume<I_TimeGet>::by<UpdatesProcessReport>()->getWalltimeStr();
}
std::string
toString() const
{
std::stringstream report;
report
<< "["
<< time_stamp << "] - "
<< convertUpdateProcessResultToStr(result) << " | "
<< convertUpdatesConfigTypeToStr(type) << " | "
<< convertUpdatesFailureReasonToStr(reason) << " | "
<< description;
return report.str();
}
UpdatesFailureReason getReason() const { return reason; }
private:
UpdatesProcessResult result;
UpdatesConfigType type;
UpdatesFailureReason reason;
std::string description;
std::string time_stamp;
};
#endif // __UPDATES_PROCESS_EVENT_H__

40
components/security_apps/orchestration/include/updates_process_reporter.h Normal file
View File

@@ -0,0 +1,40 @@
// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef __UPDATES_PROCESS_REPORTER_H__
#define __UPDATES_PROCESS_REPORTER_H__
#include <string>
#include "event.h"
#include "singleton.h"
#include "config.h"
#include "debug.h"
#include "i_orchestration_status.h"
#include "health_check_status/health_check_status.h"
#include "updates_process_event.h"
#include "updates_process_report.h"
class UpdatesProcessReporter : public Listener<UpdatesProcessEvent>
{
public:
void upon(const UpdatesProcessEvent &event) override;
private:
void sendReoprt();
static std::vector<UpdatesProcessReport> reports;
uint report_failure_count = 0;
};
#endif // __UPDATES_PROCESS_REPORTER_H__

43
components/security_apps/orchestration/manifest_controller/manifest_controller.cc
View File

@@ -21,6 +21,7 @@
#include "version.h" #include "version.h"
#include "log_generator.h" #include "log_generator.h"
#include "orchestration_comp.h" #include "orchestration_comp.h"
#include "updates_process_event.h"
using namespace std; using namespace std;
using namespace ReportIS; using namespace ReportIS;
@@ -219,6 +220,13 @@ ManifestController::Impl::updateManifest(const string &new_manifest_file)
if (isIgnoreFile(new_manifest_file)) { if (isIgnoreFile(new_manifest_file)) {
if (!orchestration_tools->copyFile(new_manifest_file, manifest_file_path)) { if (!orchestration_tools->copyFile(new_manifest_file, manifest_file_path)) {
dbgWarning(D_ORCHESTRATOR) << "Failed to copy a new manifest file"; dbgWarning(D_ORCHESTRATOR) << "Failed to copy a new manifest file";
UpdatesProcessEvent(
UpdatesProcessResult::FAILED,
UpdatesConfigType::MANIFEST,
UpdatesFailureReason::HANDLE_FILE,
new_manifest_file,
"Failed to copy a new manifest file"
).notify();
return false; return false;
} }
return true; return true;
@@ -237,6 +245,13 @@ ManifestController::Impl::updateManifest(const string &new_manifest_file)
if (!orchestration_tools->copyFile(new_manifest_file, manifest_file_path)) { if (!orchestration_tools->copyFile(new_manifest_file, manifest_file_path)) {
dbgWarning(D_ORCHESTRATOR) << "Failed to copy a new manifest file"; dbgWarning(D_ORCHESTRATOR) << "Failed to copy a new manifest file";
UpdatesProcessEvent(
UpdatesProcessResult::FAILED,
UpdatesConfigType::MANIFEST,
UpdatesFailureReason::HANDLE_FILE,
new_manifest_file,
"Failed to copy a new manifest file"
).notify();
return false; return false;
} }
return true; return true;
@@ -245,6 +260,13 @@ ManifestController::Impl::updateManifest(const string &new_manifest_file)
Maybe<map<string, Package>> parsed_manifest = orchestration_tools->loadPackagesFromJson(new_manifest_file); Maybe<map<string, Package>> parsed_manifest = orchestration_tools->loadPackagesFromJson(new_manifest_file);
if (!parsed_manifest.ok()) { if (!parsed_manifest.ok()) {
dbgWarning(D_ORCHESTRATOR) << "Failed to parse the new manifest file. File: " << new_manifest_file; dbgWarning(D_ORCHESTRATOR) << "Failed to parse the new manifest file. File: " << new_manifest_file;
UpdatesProcessEvent(
UpdatesProcessResult::FAILED,
UpdatesConfigType::MANIFEST,
UpdatesFailureReason::HANDLE_FILE,
new_manifest_file,
"Failed to parse the new manifest file"
).notify();
return false; return false;
} }
@@ -332,6 +354,13 @@ ManifestController::Impl::updateManifest(const string &new_manifest_file)
dbgWarning(D_ORCHESTRATOR) dbgWarning(D_ORCHESTRATOR)
<< "Failed building installation queue. Error: " << "Failed building installation queue. Error: "
<< installation_queue_res.getErr(); << installation_queue_res.getErr();
UpdatesProcessEvent(
UpdatesProcessResult::FAILED,
UpdatesConfigType::MANIFEST,
UpdatesFailureReason::INSTALLATION_QUEUE,
"",
installation_queue_res.getErr()
).notify();
return false; return false;
} }
const vector<Package> &installation_queue = installation_queue_res.unpack(); const vector<Package> &installation_queue = installation_queue_res.unpack();
@@ -447,11 +476,25 @@ ManifestController::Impl::changeManifestFile(const string &new_manifest_file)
dbgDebug(D_ORCHESTRATOR) << "Writing new manifest to file"; dbgDebug(D_ORCHESTRATOR) << "Writing new manifest to file";
if (!orchestration_tools->copyFile(new_manifest_file, manifest_file_path)) { if (!orchestration_tools->copyFile(new_manifest_file, manifest_file_path)) {
dbgWarning(D_ORCHESTRATOR) << "Failed write new manifest to file"; dbgWarning(D_ORCHESTRATOR) << "Failed write new manifest to file";
UpdatesProcessEvent(
UpdatesProcessResult::FAILED,
UpdatesConfigType::MANIFEST,
UpdatesFailureReason::HANDLE_FILE,
new_manifest_file,
"Failed write new manifest to file"
).notify();
return false; return false;
} }
if (!orchestration_tools->isNonEmptyFile(manifest_file_path)) { if (!orchestration_tools->isNonEmptyFile(manifest_file_path)) {
dbgWarning(D_ORCHESTRATOR) << "Failed to get manifest file data"; dbgWarning(D_ORCHESTRATOR) << "Failed to get manifest file data";
UpdatesProcessEvent(
UpdatesProcessResult::FAILED,
UpdatesConfigType::MANIFEST,
UpdatesFailureReason::HANDLE_FILE,
manifest_file_path,
"Failed to get manifest file data"
).notify();
return false; return false;
} }

38
components/security_apps/orchestration/manifest_controller/manifest_controller_ut/manifest_controller_ut.cc
View File

@@ -281,13 +281,7 @@ TEST_F(ManifestControllerTest, badChecksum)
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/packages/my/my")).WillOnce(Return(false)); EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/packages/my/my")).WillOnce(Return(false));
string hostname = "hostname"; string hostname = "hostname";
string empty_err;
EXPECT_CALL(mock_status, getManifestError()).WillOnce(ReturnRef(empty_err));
EXPECT_CALL(mock_details_resolver, getHostname()).WillOnce(Return( Maybe<string>(hostname))); EXPECT_CALL(mock_details_resolver, getHostname()).WillOnce(Return( Maybe<string>(hostname)));
EXPECT_CALL(
mock_status,
setFieldStatus(OrchestrationStatusFieldType::MANIFEST, OrchestrationStatusResult::FAILED, _)
);
EXPECT_FALSE(i_manifest_controller->updateManifest(file_name)); EXPECT_FALSE(i_manifest_controller->updateManifest(file_name));
} }
@@ -710,10 +704,6 @@ TEST_F(ManifestControllerTest, selfUpdateWithOldCopyWithError)
string hostname = "hostname"; string hostname = "hostname";
string empty_err; string empty_err;
EXPECT_CALL(mock_status, getManifestError()).WillOnce(ReturnRef(empty_err)); EXPECT_CALL(mock_status, getManifestError()).WillOnce(ReturnRef(empty_err));
EXPECT_CALL(
mock_status,
setFieldStatus(OrchestrationStatusFieldType::MANIFEST, OrchestrationStatusResult::FAILED, _)
);
load(manifest, new_services); load(manifest, new_services);
EXPECT_CALL(mock_orchestration_tools, EXPECT_CALL(mock_orchestration_tools,
@@ -932,10 +922,6 @@ TEST_F(ManifestControllerTest, badInstall)
string empty_err; string empty_err;
EXPECT_CALL(mock_status, getManifestError()).WillOnce(ReturnRef(empty_err)); EXPECT_CALL(mock_status, getManifestError()).WillOnce(ReturnRef(empty_err));
EXPECT_CALL(mock_details_resolver, getHostname()).WillOnce(Return( Maybe<string>(hostname))); EXPECT_CALL(mock_details_resolver, getHostname()).WillOnce(Return( Maybe<string>(hostname)));
EXPECT_CALL(
mock_status,
setFieldStatus(OrchestrationStatusFieldType::MANIFEST, OrchestrationStatusResult::FAILED, _)
);
string corrupted_packages_manifest = string corrupted_packages_manifest =
"{" "{"
@@ -1008,12 +994,6 @@ TEST_F(ManifestControllerTest, failToDownloadWithselfUpdate)
doesFileExist("/etc/cp/packages/orchestration/orchestration") doesFileExist("/etc/cp/packages/orchestration/orchestration")
).WillOnce(Return(false)); ).WillOnce(Return(false));
EXPECT_CALL(mock_details_resolver, getHostname()).WillOnce(Return(string("hostname"))); EXPECT_CALL(mock_details_resolver, getHostname()).WillOnce(Return(string("hostname")));
EXPECT_CALL(
mock_status,
setFieldStatus(OrchestrationStatusFieldType::MANIFEST, OrchestrationStatusResult::FAILED, _)
);
string not_error;
EXPECT_CALL(mock_status, getManifestError()).WillOnce(ReturnRef(not_error));
EXPECT_FALSE(i_manifest_controller->updateManifest(file_name)); EXPECT_FALSE(i_manifest_controller->updateManifest(file_name));
} }
@@ -1404,12 +1384,6 @@ TEST_F(ManifestControllerTest, failureOnDownloadSharedObject)
).WillOnce(Return(false)); ).WillOnce(Return(false));
EXPECT_CALL(mock_details_resolver, getHostname()).WillOnce(Return(string("hostname"))); EXPECT_CALL(mock_details_resolver, getHostname()).WillOnce(Return(string("hostname")));
EXPECT_CALL(mock_orchestration_tools, removeFile("/tmp/temp_file1")).WillOnce(Return(true)); EXPECT_CALL(mock_orchestration_tools, removeFile("/tmp/temp_file1")).WillOnce(Return(true));
EXPECT_CALL(
mock_status,
setFieldStatus(OrchestrationStatusFieldType::MANIFEST, OrchestrationStatusResult::FAILED, _)
);
string not_error;
EXPECT_CALL(mock_status, getManifestError()).WillOnce(ReturnRef(not_error));
EXPECT_FALSE(i_manifest_controller->updateManifest(file_name)); EXPECT_FALSE(i_manifest_controller->updateManifest(file_name));
} }
@@ -2538,12 +2512,6 @@ TEST_F(ManifestDownloadTest, download_relative_path)
doesFileExist("/etc/cp/packages/orchestration/orchestration") doesFileExist("/etc/cp/packages/orchestration/orchestration")
).WillOnce(Return(false)); ).WillOnce(Return(false));
EXPECT_CALL(mock_details_resolver, getHostname()).WillOnce(Return(string("hostname"))); EXPECT_CALL(mock_details_resolver, getHostname()).WillOnce(Return(string("hostname")));
EXPECT_CALL(
mock_status,
setFieldStatus(OrchestrationStatusFieldType::MANIFEST, OrchestrationStatusResult::FAILED, _)
);
string not_error;
EXPECT_CALL(mock_status, getManifestError()).WillOnce(ReturnRef(not_error));
EXPECT_FALSE(i_manifest_controller->updateManifest(manifest_file.fname)); EXPECT_FALSE(i_manifest_controller->updateManifest(manifest_file.fname));
} }
@@ -2589,8 +2557,6 @@ TEST_F(ManifestDownloadTest, download_relative_path_no_fog_domain)
mock_orchestration_tools, mock_orchestration_tools,
doesFileExist("/etc/cp/packages/orchestration/orchestration") doesFileExist("/etc/cp/packages/orchestration/orchestration")
).WillOnce(Return(false)); ).WillOnce(Return(false));
string not_error;
EXPECT_CALL(mock_status, getManifestError()).WillOnce(ReturnRef(not_error));
checkIfFileExistsCall(new_packages.at("orchestration")); checkIfFileExistsCall(new_packages.at("orchestration"));
@@ -2604,10 +2570,6 @@ TEST_F(ManifestDownloadTest, download_relative_path_no_fog_domain)
) )
).WillOnce(Return(downloaded_package)); ).WillOnce(Return(downloaded_package));
EXPECT_CALL(mock_details_resolver, getHostname()).WillOnce(Return(string("hostname"))); EXPECT_CALL(mock_details_resolver, getHostname()).WillOnce(Return(string("hostname")));
EXPECT_CALL(
mock_status,
setFieldStatus(OrchestrationStatusFieldType::MANIFEST, OrchestrationStatusResult::FAILED, _)
);
EXPECT_FALSE(i_manifest_controller->updateManifest(manifest_file.fname)); EXPECT_FALSE(i_manifest_controller->updateManifest(manifest_file.fname));
} }

36
components/security_apps/orchestration/manifest_controller/manifest_handler.cc
View File

@@ -19,6 +19,7 @@
#include "config.h" #include "config.h"
#include "agent_details.h" #include "agent_details.h"
#include "orchestration_comp.h" #include "orchestration_comp.h"
#include "updates_process_event.h"
using namespace std; using namespace std;
@@ -174,14 +175,13 @@ ManifestHandler::downloadPackages(const map<string, Package> &new_packages_to_do
" software update failed. Agent is running previous software. Contact Check Point support."; " software update failed. Agent is running previous software. Contact Check Point support.";
} }
auto orchestration_status = Singleton::Consume<I_OrchestrationStatus>::by<ManifestHandler>(); UpdatesProcessEvent(
if (orchestration_status->getManifestError().find("Gateway was not fully deployed") == string::npos) { UpdatesProcessResult::FAILED,
orchestration_status->setFieldStatus( UpdatesConfigType::MANIFEST,
OrchestrationStatusFieldType::MANIFEST, UpdatesFailureReason::DOWNLOAD_FILE,
OrchestrationStatusResult::FAILED, package.getName(),
install_error install_error
); ).notify();
}
return genError( return genError(
"Failed to download installation package. Package: " + "Failed to download installation package. Package: " +
package.getName() + package.getName() +
@@ -219,11 +219,13 @@ ManifestHandler::installPackage(
err_hostname + err_hostname +
" software update failed. Agent is running previous software. Contact Check Point support."; " software update failed. Agent is running previous software. Contact Check Point support.";
if (orchestration_status->getManifestError().find("Gateway was not fully deployed") == string::npos) { if (orchestration_status->getManifestError().find("Gateway was not fully deployed") == string::npos) {
orchestration_status->setFieldStatus( UpdatesProcessEvent(
OrchestrationStatusFieldType::MANIFEST, UpdatesProcessResult::FAILED,
OrchestrationStatusResult::FAILED, UpdatesConfigType::MANIFEST,
UpdatesFailureReason::INSTALL_PACKAGE,
package_name,
install_error install_error
); ).notify();
} }
} }
return self_update_status; return self_update_status;
@@ -289,11 +291,13 @@ ManifestHandler::installPackage(
auto orchestration_status = Singleton::Consume<I_OrchestrationStatus>::by<ManifestHandler>(); auto orchestration_status = Singleton::Consume<I_OrchestrationStatus>::by<ManifestHandler>();
if (orchestration_status->getManifestError().find("Gateway was not fully deployed") == string::npos) { if (orchestration_status->getManifestError().find("Gateway was not fully deployed") == string::npos) {
orchestration_status->setFieldStatus( UpdatesProcessEvent(
OrchestrationStatusFieldType::MANIFEST, UpdatesProcessResult::FAILED,
OrchestrationStatusResult::FAILED, UpdatesConfigType::MANIFEST,
UpdatesFailureReason::INSTALL_PACKAGE,
package_name,
install_error install_error
); ).notify();
} }
return false; return false;
} }

80
components/security_apps/orchestration/modules/modules_ut/orchestration_status_ut.cc
View File

@@ -13,6 +13,7 @@
#include "mock/mock_agent_details.h" #include "mock/mock_agent_details.h"
#include "mock/mock_mainloop.h" #include "mock/mock_mainloop.h"
#include "mock/mock_rest_api.h" #include "mock/mock_rest_api.h"
#include "updates_process_event.h"
using namespace testing; using namespace testing;
using namespace std; using namespace std;
@@ -200,6 +201,19 @@ TEST_F(OrchestrationStatusTest, checkUpdateStatus)
auto result = orchestrationStatusFileToString(); auto result = orchestrationStatusFileToString();
EXPECT_EQ(buildOrchestrationStatusJSON("attempt time", "Succeeded ", "current time"), result); EXPECT_EQ(buildOrchestrationStatusJSON("attempt time", "Succeeded ", "current time"), result);
} }
TEST_F(OrchestrationStatusTest, checkUpdateStatusByRaiseEvent)
{
init();
EXPECT_CALL(time, getLocalTimeStr())
.WillOnce(Return(string("attempt time")))
.WillOnce(Return(string("current time")));
i_orchestration_status->setLastUpdateAttempt();
UpdatesProcessEvent(UpdatesProcessResult::SUCCESS, UpdatesConfigType::GENERAL).notify();
auto result = orchestrationStatusFileToString();
EXPECT_EQ(buildOrchestrationStatusJSON("attempt time", "Succeeded ", "current time"), result);
}
TEST_F(OrchestrationStatusTest, recoveryFields) TEST_F(OrchestrationStatusTest, recoveryFields)
{ {
@@ -482,3 +496,69 @@ TEST_F(OrchestrationStatusTest, setAllFields)
EXPECT_EQ(i_orchestration_status->getServiceSettings(), service_map_a); EXPECT_EQ(i_orchestration_status->getServiceSettings(), service_map_a);
EXPECT_EQ(i_orchestration_status->getRegistrationDetails(), agent_details); EXPECT_EQ(i_orchestration_status->getRegistrationDetails(), agent_details);
} }
TEST_F(OrchestrationStatusTest, checkErrorByRaiseEvent)
{
init();
string fog_address = "http://fog.address";
string registar_error = "Fail to registar";
string manifest_error = "Fail to achieve manifest";
string last_update_error = "Fail to update";
EXPECT_CALL(time, getLocalTimeStr()).Times(3).WillRepeatedly(Return(string("Time")));
UpdatesProcessEvent(UpdatesProcessResult::SUCCESS, UpdatesConfigType::GENERAL).notify();
i_orchestration_status->setIsConfigurationUpdated(
EnumArray<OrchestrationStatusConfigType, bool>(true, true, true)
);
UpdatesProcessEvent(
UpdatesProcessResult::FAILED,
UpdatesConfigType::GENERAL,
UpdatesFailureReason::NONE,
"",
last_update_error
).notify();
i_orchestration_status->setIsConfigurationUpdated(
EnumArray<OrchestrationStatusConfigType, bool>(false, false, false)
);
i_orchestration_status->setUpgradeMode("Online upgrades");
i_orchestration_status->setFogAddress(fog_address);
i_orchestration_status->setUpgradeMode("Online upgrades");
i_orchestration_status->setFogAddress(fog_address);
UpdatesProcessEvent(
UpdatesProcessResult::FAILED,
UpdatesConfigType::GENERAL,
UpdatesFailureReason::REGISTRATION,
"",
registar_error
).notify();
UpdatesProcessEvent(
UpdatesProcessResult::FAILED,
UpdatesConfigType::MANIFEST,
UpdatesFailureReason::NONE,
"",
manifest_error
).notify();
EXPECT_EQ(i_orchestration_status->getManifestError(), manifest_error);
auto result = orchestrationStatusFileToString();
EXPECT_EQ(
buildOrchestrationStatusJSON(
"None",
"Failed. Reason: " + last_update_error,
"Time",
"Time",
"",
"Time",
"Time",
"Online upgrades",
fog_address,
"Failed. Reason: Registration failed. Error: " + registar_error,
"Failed. Reason: " + manifest_error
),
result
);
}

14
components/security_apps/orchestration/modules/orchestration_status.cc
View File

@@ -19,6 +19,8 @@
#include "debug.h" #include "debug.h"
#include "config.h" #include "config.h"
#include "updates_process_event.h"
#include "health_check_status/health_check_status.h"
using namespace cereal; using namespace cereal;
using namespace std; using namespace std;
@@ -383,7 +385,10 @@ private:
map<string, string> service_settings; map<string, string> service_settings;
}; };
class OrchestrationStatus::Impl : Singleton::Provide<I_OrchestrationStatus>::From<OrchestrationStatus> class OrchestrationStatus::Impl
:
Singleton::Provide<I_OrchestrationStatus>::From<OrchestrationStatus>,
public Listener<UpdatesProcessEvent>
{ {
public: public:
void void
@@ -462,6 +467,13 @@ public:
}, },
"Write Orchestration status file" "Write Orchestration status file"
); );
registerListener();
}
void
upon(const UpdatesProcessEvent &event) override
{
setFieldStatus(event.getStatusFieldType(), event.getOrchestrationStatusResult(), event.parseDescription());
} }
private: private:

325
components/security_apps/orchestration/orchestration_comp.cc
View File

@@ -42,6 +42,8 @@
#include "hybrid_communication.h" #include "hybrid_communication.h"
#include "agent_core_utilities.h" #include "agent_core_utilities.h"
#include "fog_communication.h" #include "fog_communication.h"
#include "updates_process_event.h"
#include "updates_process_reporter.h"
using namespace std; using namespace std;
using namespace chrono; using namespace chrono;
@@ -53,85 +55,6 @@ USE_DEBUG_FLAG(D_ORCHESTRATOR);
static string fw_last_update_time = ""; static string fw_last_update_time = "";
#endif // gaia || smb #endif // gaia || smb
class HealthCheckStatusListener : public Listener<HealthCheckStatusEvent>
{
public:
void upon(const HealthCheckStatusEvent &) override {}
HealthCheckStatusReply
respond(const HealthCheckStatusEvent &) override
{
return HealthCheckStatusReply(comp_name, status, extended_status);
}
string getListenerName() const override { return "HealthCheckStatusListener"; }
void
setStatus(
HealthCheckStatus _status,
OrchestrationStatusFieldType _status_field_type,
const string &_status_description = "Success")
{
string status_field_type_str = convertOrchestrationStatusFieldTypeToStr(_status_field_type);
extended_status[status_field_type_str] = _status_description;
field_types_status[status_field_type_str] = _status;
switch(_status) {
case HealthCheckStatus::UNHEALTHY: {
status = HealthCheckStatus::UNHEALTHY;
return;
}
case HealthCheckStatus::DEGRADED: {
for (const auto &type_status : field_types_status) {
if ((type_status.first != status_field_type_str)
&& (type_status.second == HealthCheckStatus::UNHEALTHY))
{
return;
}
}
status = HealthCheckStatus::DEGRADED;
return;
}
case HealthCheckStatus::HEALTHY: {
for (const auto &type_status : field_types_status) {
if ((type_status.first != status_field_type_str)
&& (type_status.second == HealthCheckStatus::UNHEALTHY
|| type_status.second == HealthCheckStatus::DEGRADED)
)
{
return;
}
status = HealthCheckStatus::HEALTHY;
}
return;
}
case HealthCheckStatus::IGNORED: {
return;
}
}
}
private:
string
convertOrchestrationStatusFieldTypeToStr(OrchestrationStatusFieldType type)
{
switch (type) {
case OrchestrationStatusFieldType::REGISTRATION : return "Registration";
case OrchestrationStatusFieldType::MANIFEST : return "Manifest";
case OrchestrationStatusFieldType::LAST_UPDATE : return "Last Update";
case OrchestrationStatusFieldType::COUNT : return "Count";
}
dbgError(D_ORCHESTRATOR) << "Trying to convert unknown orchestration status field to string.";
return "";
}
string comp_name = "Orchestration";
HealthCheckStatus status = HealthCheckStatus::IGNORED;
map<string, string> extended_status;
map<string, HealthCheckStatus> field_types_status;
};
class SetAgentUninstall class SetAgentUninstall
: :
public ServerRest, public ServerRest,
@@ -257,6 +180,13 @@ private:
<< "Failed to load Orchestration Policy. Error: " << "Failed to load Orchestration Policy. Error: "
<< maybe_policy.getErr() << maybe_policy.getErr()
<< "Trying to load from backup."; << "Trying to load from backup.";
UpdatesProcessEvent(
UpdatesProcessResult::FAILED,
UpdatesConfigType::POLICY,
UpdatesFailureReason::POLICY_CONFIGURATION,
orchestration_policy_file,
maybe_policy.getErr()
).notify();
return loadOrchestrationPolicyFromBackup(); return loadOrchestrationPolicyFromBackup();
} }
@@ -280,6 +210,13 @@ private:
return maybe_policy; return maybe_policy;
} }
UpdatesProcessEvent(
UpdatesProcessResult::FAILED,
UpdatesConfigType::POLICY,
UpdatesFailureReason::POLICY_CONFIGURATION,
orchestration_policy_file + backup_ext,
maybe_policy.getErr()
).notify();
return genError("Failed to load Orchestration policy from backup."); return genError("Failed to load Orchestration policy from backup.");
} }
@@ -337,17 +274,13 @@ private:
<< new_manifest_file.getErr() << new_manifest_file.getErr()
<< " Presenting the next message to the user: " << " Presenting the next message to the user: "
<< install_error; << install_error;
i_orchestration_status->setFieldStatus( UpdatesProcessEvent(
OrchestrationStatusFieldType::MANIFEST, UpdatesProcessResult::FAILED,
OrchestrationStatusResult::FAILED, UpdatesConfigType::MANIFEST,
install_error UpdatesFailureReason::DOWNLOAD_FILE,
); resource_file.getFileName(),
new_manifest_file.getErr()
health_check_status_listener.setStatus( ).notify();
HealthCheckStatus::UNHEALTHY,
OrchestrationStatusFieldType::MANIFEST,
install_error
);
return genError(install_error); return genError(install_error);
} }
@@ -372,23 +305,12 @@ private:
<< "Manifest failed to be updated. Presenting the next message to the user: " << "Manifest failed to be updated. Presenting the next message to the user: "
<< install_error; << install_error;
health_check_status_listener.setStatus(
HealthCheckStatus::UNHEALTHY,
OrchestrationStatusFieldType::MANIFEST,
install_error
);
return genError(install_error); return genError(install_error);
} }
UpdatesProcessEvent(
i_orchestration_status->setFieldStatus( UpdatesProcessResult::SUCCESS,
OrchestrationStatusFieldType::MANIFEST, UpdatesConfigType::MANIFEST
OrchestrationStatusResult::SUCCESS ).notify();
);
health_check_status_listener.setStatus(
HealthCheckStatus::HEALTHY,
OrchestrationStatusFieldType::MANIFEST
);
ifstream restart_watchdog_orch(filesystem_prefix + "/orchestration/restart_watchdog"); ifstream restart_watchdog_orch(filesystem_prefix + "/orchestration/restart_watchdog");
if (restart_watchdog_orch.good()) { if (restart_watchdog_orch.good()) {
@@ -473,6 +395,13 @@ private:
if (!updateFogAddress(policy.getFogAddress())) { if (!updateFogAddress(policy.getFogAddress())) {
dbgWarning(D_ORCHESTRATOR) << "Failed to restore the old Fog address."; dbgWarning(D_ORCHESTRATOR) << "Failed to restore the old Fog address.";
} }
UpdatesProcessEvent(
UpdatesProcessResult::FAILED,
UpdatesConfigType::POLICY,
UpdatesFailureReason::POLICY_FOG_CONFIGURATION,
orchestration_policy.getFogAddress(),
"Failed to update the new Fog address."
).notify();
return ""; return "";
} }
@@ -499,13 +428,19 @@ private:
// Handling policy update. // Handling policy update.
dbgInfo(D_ORCHESTRATOR) << "There is a new policy file."; dbgInfo(D_ORCHESTRATOR) << "There is a new policy file.";
GetResourceFile resource_file(GetResourceFile::ResourceFileType::POLICY); GetResourceFile resource_file(GetResourceFile::ResourceFileType::POLICY);
Maybe<string> new_policy_file = Maybe<string> new_policy_file = Singleton::Consume<I_Downloader>::by<OrchestrationComp>()->downloadFile(
Singleton::Consume<I_Downloader>::by<OrchestrationComp>()->downloadFile(
new_policy.unpack(), new_policy.unpack(),
I_OrchestrationTools::SELECTED_CHECKSUM_TYPE, I_OrchestrationTools::SELECTED_CHECKSUM_TYPE,
resource_file resource_file
); );
if (!new_policy_file.ok()) { if (!new_policy_file.ok()) {
UpdatesProcessEvent(
UpdatesProcessResult::FAILED,
UpdatesConfigType::POLICY,
UpdatesFailureReason::DOWNLOAD_FILE,
resource_file.getFileName(),
new_policy_file.getErr()
).notify();
return genError("Failed to download the new policy file. Error: " + new_policy_file.getErr()); return genError("Failed to download the new policy file. Error: " + new_policy_file.getErr());
} }
@@ -564,6 +499,13 @@ private:
<< LogField("policyVersion", updated_policy_version) << LogField("policyVersion", updated_policy_version)
<< LogField("previousPolicyVersion", old_policy_version); << LogField("previousPolicyVersion", old_policy_version);
UpdatesProcessEvent(
UpdatesProcessResult::FAILED,
UpdatesConfigType::POLICY,
UpdatesFailureReason::POLICY_CONFIGURATION,
updated_policy_version,
res.getErr()
).notify();
return genError(error_str); return genError(error_str);
} }
i_service_controller->moveChangedPolicies(); i_service_controller->moveChangedPolicies();
@@ -648,6 +590,11 @@ private:
"Send policy update report" "Send policy update report"
); );
UpdatesProcessEvent(
UpdatesProcessResult::SUCCESS,
UpdatesConfigType::POLICY
).notify();
dbgInfo(D_ORCHESTRATOR) << "Policy update report was successfully sent to fog"; dbgInfo(D_ORCHESTRATOR) << "Policy update report was successfully sent to fog";
return Maybe<void>(); return Maybe<void>();
@@ -683,10 +630,24 @@ private:
); );
if (!new_data_files.ok()) { if (!new_data_files.ok()) {
UpdatesProcessEvent(
UpdatesProcessResult::FAILED,
UpdatesConfigType::DATA,
UpdatesFailureReason::DOWNLOAD_FILE,
resource_file.getFileName(),
new_data_files.getErr()
).notify();
return genError("Failed to download new data file, Error: " + new_data_files.getErr()); return genError("Failed to download new data file, Error: " + new_data_files.getErr());
} }
auto new_data_file_input = i_orchestration_tools->readFile(new_data_files.unpack()); auto new_data_file_input = i_orchestration_tools->readFile(new_data_files.unpack());
if (!new_data_file_input.ok()) { if (!new_data_file_input.ok()) {
UpdatesProcessEvent(
UpdatesProcessResult::FAILED,
UpdatesConfigType::DATA,
UpdatesFailureReason::HANDLE_FILE,
resource_file.getFileName(),
"Failed to read new data file, Error: " + new_data_file_input.getErr()
).notify();
return genError("Failed to read new data file, Error: " + new_data_file_input.getErr()); return genError("Failed to read new data file, Error: " + new_data_file_input.getErr());
} }
@@ -702,21 +663,35 @@ private:
<< e.what() << e.what()
<< ". Content: " << ". Content: "
<< new_data_files.unpack(); << new_data_files.unpack();
UpdatesProcessEvent(
UpdatesProcessResult::FAILED,
UpdatesConfigType::DATA,
UpdatesFailureReason::HANDLE_FILE,
new_data_files.unpack(),
string("Failed to load data from JSON file, Error: ") + e.what()
).notify();
return genError(e.what()); return genError(e.what());
} }
for (const auto &data_file : parsed_data) { for (const auto &data_file : parsed_data) {
const string data_file_save_path = getPolicyConfigPath(data_file.first, Config::ConfigFileType::Data); const string data_file_save_path = getPolicyConfigPath(data_file.first, Config::ConfigFileType::Data);
Maybe<string> new_data_file = Maybe<string> new_data_file =
Singleton::Consume<I_Downloader>::by<OrchestrationComp>()->downloadFileFromURL( Singleton::Consume<I_Downloader>::by<OrchestrationComp>()->downloadFileFromURL(
data_file.second.getDownloadPath(), data_file.second.getDownloadPath(),
data_file.second.getChecksum(), data_file.second.getChecksum(),
I_OrchestrationTools::SELECTED_CHECKSUM_TYPE, I_OrchestrationTools::SELECTED_CHECKSUM_TYPE,
"data_" + data_file.first "data_" + data_file.first
); );
if (!new_data_file.ok()) { if (!new_data_file.ok()) {
dbgWarning(D_ORCHESTRATOR) << "Failed to download the " << data_file.first << " data file."; dbgWarning(D_ORCHESTRATOR) << "Failed to download the " << data_file.first << " data file.";
UpdatesProcessEvent(
UpdatesProcessResult::FAILED,
UpdatesConfigType::DATA,
UpdatesFailureReason::DOWNLOAD_FILE,
data_file.first,
new_data_file.getErr()
).notify();
return new_data_file.passErr(); return new_data_file.passErr();
} }
auto data_new_checksum = getChecksum(new_data_file.unpack()); auto data_new_checksum = getChecksum(new_data_file.unpack());
@@ -729,6 +704,16 @@ private:
<< data_new_checksum; << data_new_checksum;
dbgWarning(D_ORCHESTRATOR) << current_error.str(); dbgWarning(D_ORCHESTRATOR) << current_error.str();
UpdatesProcessEvent(
UpdatesProcessResult::FAILED,
UpdatesConfigType::DATA,
UpdatesFailureReason::CHECKSUM_UNMATCHED,
data_file.first,
" Expected checksum: " +
data_file.second.getChecksum() +
". Downloaded checksum: " +
data_new_checksum
).notify();
return genError(current_error.str()); return genError(current_error.str());
} }
if (!i_orchestration_tools->copyFile(new_data_file.unpack(), data_file_save_path)) { if (!i_orchestration_tools->copyFile(new_data_file.unpack(), data_file_save_path)) {
@@ -741,6 +726,10 @@ private:
dbgWarning(D_ORCHESTRATOR) << "Failed to copy a new agents' data file to " << data_file_path; dbgWarning(D_ORCHESTRATOR) << "Failed to copy a new agents' data file to " << data_file_path;
} }
UpdatesProcessEvent(
UpdatesProcessResult::SUCCESS,
UpdatesConfigType::DATA
).notify();
return Maybe<void>(); return Maybe<void>();
} }
@@ -751,8 +740,7 @@ private:
dbgInfo(D_ORCHESTRATOR) << "There is a new settings file."; dbgInfo(D_ORCHESTRATOR) << "There is a new settings file.";
GetResourceFile resource_file(GetResourceFile::ResourceFileType::SETTINGS); GetResourceFile resource_file(GetResourceFile::ResourceFileType::SETTINGS);
Maybe<string> new_settings_file = Maybe<string> new_settings_file = Singleton::Consume<I_Downloader>::by<OrchestrationComp>()->downloadFile(
Singleton::Consume<I_Downloader>::by<OrchestrationComp>()->downloadFile(
orch_settings.unpack(), orch_settings.unpack(),
I_OrchestrationTools::SELECTED_CHECKSUM_TYPE, I_OrchestrationTools::SELECTED_CHECKSUM_TYPE,
resource_file resource_file
@@ -762,6 +750,13 @@ private:
dbgWarning(D_ORCHESTRATOR) dbgWarning(D_ORCHESTRATOR)
<< "Failed to download the new settings file. Error: " << "Failed to download the new settings file. Error: "
<< new_settings_file.getErr(); << new_settings_file.getErr();
UpdatesProcessEvent(
UpdatesProcessResult::FAILED,
UpdatesConfigType::SETTINGS,
UpdatesFailureReason::DOWNLOAD_FILE,
resource_file.getFileName(),
new_settings_file.getErr()
).notify();
return genError("Failed to download the new settings file. Error: " + new_settings_file.getErr()); return genError("Failed to download the new settings file. Error: " + new_settings_file.getErr());
} }
@@ -769,6 +764,10 @@ private:
if (res.ok()) { if (res.ok()) {
settings_file_path = *res; settings_file_path = *res;
reloadConfiguration(); reloadConfiguration();
UpdatesProcessEvent(
UpdatesProcessResult::SUCCESS,
UpdatesConfigType::SETTINGS
).notify();
return Maybe<void>(); return Maybe<void>();
} }
@@ -877,11 +876,13 @@ private:
if (!response.ok()) { if (!response.ok()) {
dbgWarning(D_ORCHESTRATOR) << "Failed to get the update. Error: " << response.getErr(); dbgWarning(D_ORCHESTRATOR) << "Failed to get the update. Error: " << response.getErr();
i_orchestration_status->setFieldStatus( UpdatesProcessEvent(
OrchestrationStatusFieldType::LAST_UPDATE, UpdatesProcessResult::FAILED,
OrchestrationStatusResult::FAILED, UpdatesConfigType::GENERAL,
UpdatesFailureReason::GET_UPDATE_REQUEST,
"",
"Warning: Agent/Gateway failed during the update process. Contact Check Point support." "Warning: Agent/Gateway failed during the update process. Contact Check Point support."
); ).notify();
return genError(response.getErr()); return genError(response.getErr());
} }
@@ -924,10 +925,10 @@ private:
OrchSettings orch_settings = response.getSettings(); OrchSettings orch_settings = response.getSettings();
OrchData orch_data = response.getData(); OrchData orch_data = response.getData();
i_orchestration_status->setFieldStatus( UpdatesProcessEvent(
OrchestrationStatusFieldType::LAST_UPDATE, UpdatesProcessResult::SUCCESS,
OrchestrationStatusResult::SUCCESS UpdatesConfigType::GENERAL
); ).notify();
i_orchestration_status->setIsConfigurationUpdated( i_orchestration_status->setIsConfigurationUpdated(
EnumArray<OrchestrationStatusConfigType, bool>( EnumArray<OrchestrationStatusConfigType, bool>(
orch_manifest.ok(), orch_policy.ok(), orch_settings.ok(), orch_data.ok() orch_manifest.ok(), orch_policy.ok(), orch_settings.ok(), orch_data.ok()
@@ -1017,6 +1018,10 @@ private:
} }
if (maybe_errors != "") return genError(maybe_errors); if (maybe_errors != "") return genError(maybe_errors);
UpdatesProcessEvent(
UpdatesProcessResult::SUCCESS,
UpdatesConfigType::GENERAL
).notify();
return Maybe<void>(); return Maybe<void>();
} }
@@ -1196,6 +1201,13 @@ private:
dbgTrace(D_ORCHESTRATOR) << "The settings directory is " << settings_file_path; dbgTrace(D_ORCHESTRATOR) << "The settings directory is " << settings_file_path;
if (!i_orchestration_tools->copyFile(new_settings_file, settings_file_path)) { if (!i_orchestration_tools->copyFile(new_settings_file, settings_file_path)) {
dbgWarning(D_ORCHESTRATOR) << "Failed to update the settings."; dbgWarning(D_ORCHESTRATOR) << "Failed to update the settings.";
UpdatesProcessEvent(
UpdatesProcessResult::FAILED,
UpdatesConfigType::SETTINGS,
UpdatesFailureReason::HANDLE_FILE,
settings_file_path,
"Failed to update the settings"
).notify();
return genError("Failed to update the settings"); return genError("Failed to update the settings");
} }
@@ -1303,6 +1315,8 @@ private:
report << make_pair("cloudAccountId", ::get<0>(cloud_metadata.unpack())); report << make_pair("cloudAccountId", ::get<0>(cloud_metadata.unpack()));
report << make_pair("cloudVpcId", ::get<1>(cloud_metadata.unpack())); report << make_pair("cloudVpcId", ::get<1>(cloud_metadata.unpack()));
report << make_pair("cloudInstanceId", ::get<2>(cloud_metadata.unpack())); report << make_pair("cloudInstanceId", ::get<2>(cloud_metadata.unpack()));
report << make_pair("cloudInstanceLocalIp", ::get<3>(cloud_metadata.unpack()));
report << make_pair("cloudRegion", ::get<4>(cloud_metadata.unpack()));
} }
void void
@@ -1443,20 +1457,24 @@ private:
<< check_update_result.getErr() << check_update_result.getErr()
<< ", new check will be every: " << ", new check will be every: "
<< sleep_interval << " seconds"; << sleep_interval << " seconds";
UpdatesProcessEvent(
health_check_status_listener.setStatus( UpdatesProcessResult::FAILED,
HealthCheckStatus::UNHEALTHY, UpdatesConfigType::GENERAL,
OrchestrationStatusFieldType::LAST_UPDATE, UpdatesFailureReason::CHECK_UPDATE,
"",
"Failed during check update. Error: " + check_update_result.getErr() "Failed during check update. Error: " + check_update_result.getErr()
); ).notify();
return; return;
} }
failure_count = 0; failure_count = 0;
dbgDebug(D_ORCHESTRATOR) << "Check update process completed successfully"; dbgDebug(D_ORCHESTRATOR) << "Check update process completed successfully";
health_check_status_listener.setStatus( UpdatesProcessEvent(
HealthCheckStatus::HEALTHY, UpdatesProcessResult::SUCCESS,
OrchestrationStatusFieldType::LAST_UPDATE UpdatesConfigType::GENERAL,
); UpdatesFailureReason::CHECK_UPDATE,
"",
"Check update procces succeeded!"
).notify();
sleep_interval = policy.getSleepInterval(); sleep_interval = policy.getSleepInterval();
if (!is_new_success) { if (!is_new_success) {
dbgInfo(D_ORCHESTRATOR) dbgInfo(D_ORCHESTRATOR)
@@ -1481,7 +1499,7 @@ private:
<< " minutes from now."; << " minutes from now.";
upgrade_delay_time += chrono::minutes(upgrade_delay_interval); upgrade_delay_time += chrono::minutes(upgrade_delay_interval);
} catch (const exception& err) { } catch (const exception& err) {
dbgInfo(D_ORCHESTRATOR) << "Failed to parse upgrade delay interval."; dbgWarning(D_ORCHESTRATOR) << "Failed to parse upgrade delay interval.";
} }
} }
@@ -1491,11 +1509,13 @@ private:
sleep_interval = policy.getErrorSleepInterval(); sleep_interval = policy.getErrorSleepInterval();
Maybe<void> registration_status(genError("Not running yet.")); Maybe<void> registration_status(genError("Not running yet."));
while (!(registration_status = registerToTheFog()).ok()) { while (!(registration_status = registerToTheFog()).ok()) {
health_check_status_listener.setStatus( UpdatesProcessEvent(
HealthCheckStatus::UNHEALTHY, UpdatesProcessResult::FAILED,
OrchestrationStatusFieldType::REGISTRATION, UpdatesConfigType::GENERAL,
UpdatesFailureReason::REGISTRATION,
"",
registration_status.getErr() registration_status.getErr()
); ).notify();
sleep_interval = getConfigurationWithDefault<int>( sleep_interval = getConfigurationWithDefault<int>(
30, 30,
"orchestration", "orchestration",
@@ -1515,10 +1535,11 @@ private:
Singleton::Consume<I_MainLoop>::by<OrchestrationComp>()->yield(chrono::seconds(1)); Singleton::Consume<I_MainLoop>::by<OrchestrationComp>()->yield(chrono::seconds(1));
health_check_status_listener.setStatus( UpdatesProcessEvent(
HealthCheckStatus::HEALTHY, UpdatesProcessResult::SUCCESS,
OrchestrationStatusFieldType::REGISTRATION UpdatesConfigType::GENERAL,
); UpdatesFailureReason::REGISTRATION
).notify();
LogGen( LogGen(
"Check Point Orchestration nano service successfully started", "Check Point Orchestration nano service successfully started",
@@ -1552,16 +1573,18 @@ private:
if (!Singleton::Consume<I_ManifestController>::by<OrchestrationComp>()->loadAfterSelfUpdate()) { if (!Singleton::Consume<I_ManifestController>::by<OrchestrationComp>()->loadAfterSelfUpdate()) {
// Should restore from backup // Should restore from backup
dbgWarning(D_ORCHESTRATOR) << "Failed to load Orchestration after self-update"; dbgWarning(D_ORCHESTRATOR) << "Failed to load Orchestration after self-update";
health_check_status_listener.setStatus( UpdatesProcessEvent(
HealthCheckStatus::UNHEALTHY, UpdatesProcessResult::FAILED,
OrchestrationStatusFieldType::LAST_UPDATE, UpdatesConfigType::GENERAL,
UpdatesFailureReason::ORCHESTRATION_SELF_UPDATE,
"",
"Failed to load Orchestration after self-update" "Failed to load Orchestration after self-update"
); ).notify();
} else { } else {
health_check_status_listener.setStatus( UpdatesProcessEvent(
HealthCheckStatus::HEALTHY, UpdatesProcessResult::SUCCESS,
OrchestrationStatusFieldType::MANIFEST UpdatesConfigType::MANIFEST
); ).notify();
} }
setUpgradeTime(); setUpgradeTime();
@@ -1911,7 +1934,7 @@ private:
ReportIS::Audience::INTERNAL ReportIS::Audience::INTERNAL
); );
hybrid_mode_metric.registerListener(); hybrid_mode_metric.registerListener();
health_check_status_listener.registerListener(); updates_process_reporter_listener.registerListener();
} }
void void
@@ -2024,7 +2047,7 @@ private:
unsigned int sleep_interval = 0; unsigned int sleep_interval = 0;
bool is_new_success = false; bool is_new_success = false;
OrchestrationPolicy policy; OrchestrationPolicy policy;
HealthCheckStatusListener health_check_status_listener; UpdatesProcessReporter updates_process_reporter_listener;
HybridModeMetric hybrid_mode_metric; HybridModeMetric hybrid_mode_metric;
EnvDetails env_details; EnvDetails env_details;
chrono::minutes upgrade_delay_time; chrono::minutes upgrade_delay_time;

8
components/security_apps/orchestration/orchestration_tools/orchestration_tools.cc
View File

@@ -20,6 +20,7 @@
#include "cereal/types/set.hpp" #include "cereal/types/set.hpp"
#include "agent_core_utilities.h" #include "agent_core_utilities.h"
#include "namespace_data.h" #include "namespace_data.h"
#include "updates_process_event.h"
#include <netdb.h> #include <netdb.h>
#include <arpa/inet.h> #include <arpa/inet.h>
@@ -469,6 +470,13 @@ OrchestrationTools::Impl::packagesToJsonFile(const map<packageName, Package> &pa
archive_out(cereal::make_nvp("packages", packges_vector)); archive_out(cereal::make_nvp("packages", packges_vector));
} catch (cereal::Exception &e) { } catch (cereal::Exception &e) {
dbgDebug(D_ORCHESTRATOR) << "Failed to write vector of packages to JSON file " << path << ", " << e.what(); dbgDebug(D_ORCHESTRATOR) << "Failed to write vector of packages to JSON file " << path << ", " << e.what();
UpdatesProcessEvent(
UpdatesProcessResult::FAILED,
UpdatesConfigType::MANIFEST,
UpdatesFailureReason::HANDLE_FILE,
path,
string("Failed to write vector of packages to JSON file. Error: ") + e.what()
).notify();
return false; return false;
} }
return true; return true;

4
components/security_apps/orchestration/orchestration_ut/orchestration_multitenant_ut.cc
View File

@@ -144,7 +144,7 @@ public:
map<string, string> resolved_mgmt_details({{"kernel_version", "4.4.0-87-generic"}}); map<string, string> resolved_mgmt_details({{"kernel_version", "4.4.0-87-generic"}});
EXPECT_CALL(mock_details_resolver, getResolvedDetails()).WillRepeatedly(Return(resolved_mgmt_details)); EXPECT_CALL(mock_details_resolver, getResolvedDetails()).WillRepeatedly(Return(resolved_mgmt_details));
EXPECT_CALL(mock_details_resolver, readCloudMetadata()).WillRepeatedly( EXPECT_CALL(mock_details_resolver, readCloudMetadata()).WillRepeatedly(
Return(Maybe<tuple<string, string, string>>(genError("No cloud metadata"))) Return(Maybe<tuple<string, string, string, string, string>>(genError("No cloud metadata")))
); );
} }
@@ -284,7 +284,7 @@ TEST_F(OrchestrationMultitenancyTest, handle_virtual_resource)
EXPECT_CALL(mock_service_controller, getPolicyVersion()) EXPECT_CALL(mock_service_controller, getPolicyVersion())
.Times(3).WillRepeatedly(ReturnRef(first_policy_version)); .Times(3).WillRepeatedly(ReturnRef(first_policy_version));
map<string, PortNumber> empty_service_to_port_map; map<string, vector<PortNumber>> empty_service_to_port_map;
EXPECT_CALL(mock_service_controller, getServiceToPortMap()).WillRepeatedly(Return(empty_service_to_port_map)); EXPECT_CALL(mock_service_controller, getServiceToPortMap()).WillRepeatedly(Return(empty_service_to_port_map));

70
components/security_apps/orchestration/orchestration_ut/orchestration_ut.cc
View File

@@ -22,6 +22,7 @@
#include "agent_details.h" #include "agent_details.h"
#include "customized_cereal_map.h" #include "customized_cereal_map.h"
#include "health_check_status/health_check_status.h" #include "health_check_status/health_check_status.h"
#include "updates_process_event.h"
#include "declarative_policy_utils.h" #include "declarative_policy_utils.h"
using namespace testing; using namespace testing;
@@ -99,7 +100,7 @@ public:
) )
); );
map<string, PortNumber> empty_service_to_port_map; map<string, vector<PortNumber>> empty_service_to_port_map;
EXPECT_CALL(mock_service_controller, getServiceToPortMap()).WillRepeatedly(Return(empty_service_to_port_map)); EXPECT_CALL(mock_service_controller, getServiceToPortMap()).WillRepeatedly(Return(empty_service_to_port_map));
EXPECT_CALL(rest, mockRestCall(RestAction::SHOW, "orchestration-status", _)).WillOnce( EXPECT_CALL(rest, mockRestCall(RestAction::SHOW, "orchestration-status", _)).WillOnce(
@@ -171,7 +172,7 @@ public:
map<string, string> resolved_mgmt_details({{"kernel_version", "4.4.0-87-generic"}}); map<string, string> resolved_mgmt_details({{"kernel_version", "4.4.0-87-generic"}});
EXPECT_CALL(mock_details_resolver, getResolvedDetails()).WillRepeatedly(Return(resolved_mgmt_details)); EXPECT_CALL(mock_details_resolver, getResolvedDetails()).WillRepeatedly(Return(resolved_mgmt_details));
EXPECT_CALL(mock_details_resolver, readCloudMetadata()).WillRepeatedly( EXPECT_CALL(mock_details_resolver, readCloudMetadata()).WillRepeatedly(
Return(Maybe<tuple<string, string, string>>(genError("No cloud metadata"))) Return(Maybe<tuple<string, string, string, string, string>>(genError("No cloud metadata")))
); );
} }
@@ -358,6 +359,7 @@ private:
TEST_F(OrchestrationTest, hybridModeRegisterLocalAgentRoutine) TEST_F(OrchestrationTest, hybridModeRegisterLocalAgentRoutine)
{ {
EXPECT_CALL(rest, mockRestCall(_, _, _)).WillRepeatedly(Return(true)); EXPECT_CALL(rest, mockRestCall(_, _, _)).WillRepeatedly(Return(true));
Singleton::Consume<Config::I_Config>::from(config_comp)->loadConfiguration( Singleton::Consume<Config::I_Config>::from(config_comp)->loadConfiguration(
vector<string>{"--orchestration-mode=hybrid_mode"} vector<string>{"--orchestration-mode=hybrid_mode"}
); );
@@ -376,7 +378,6 @@ TEST_F(OrchestrationTest, hybridModeRegisterLocalAgentRoutine)
expectDetailsResolver(); expectDetailsResolver();
EXPECT_CALL(mock_update_communication, getUpdate(_)); EXPECT_CALL(mock_update_communication, getUpdate(_));
EXPECT_CALL(mock_status, setLastUpdateAttempt()); EXPECT_CALL(mock_status, setLastUpdateAttempt());
EXPECT_CALL(mock_status, setFieldStatus(_, _, _));
EXPECT_CALL(mock_status, setIsConfigurationUpdated(_)); EXPECT_CALL(mock_status, setIsConfigurationUpdated(_));
EXPECT_CALL(mock_ml, yield(A<chrono::microseconds>())) EXPECT_CALL(mock_ml, yield(A<chrono::microseconds>()))
@@ -584,7 +585,6 @@ TEST_F(OrchestrationTest, check_sending_registration_data)
expectDetailsResolver(); expectDetailsResolver();
EXPECT_CALL(mock_update_communication, getUpdate(_)); EXPECT_CALL(mock_update_communication, getUpdate(_));
EXPECT_CALL(mock_status, setLastUpdateAttempt()); EXPECT_CALL(mock_status, setLastUpdateAttempt());
EXPECT_CALL(mock_status, setFieldStatus(_, _, _));
EXPECT_CALL(mock_status, setIsConfigurationUpdated(_)); EXPECT_CALL(mock_status, setIsConfigurationUpdated(_));
EXPECT_CALL(mock_ml, yield(A<chrono::microseconds>())) EXPECT_CALL(mock_ml, yield(A<chrono::microseconds>()))
@@ -761,10 +761,6 @@ TEST_F(OrchestrationTest, orchestrationPolicyUpdatRollback)
).WillOnce(Return(true)); ).WillOnce(Return(true));
EXPECT_CALL(mock_update_communication, setAddressExtenesion("/test")); EXPECT_CALL(mock_update_communication, setAddressExtenesion("/test"));
EXPECT_CALL(mock_status, setLastUpdateAttempt()); EXPECT_CALL(mock_status, setLastUpdateAttempt());
EXPECT_CALL(
mock_status,
setFieldStatus(OrchestrationStatusFieldType::LAST_UPDATE, OrchestrationStatusResult::SUCCESS, "")
);
EXPECT_CALL(mock_status, setIsConfigurationUpdated(A<EnumArray<OrchestrationStatusConfigType, bool>>()) EXPECT_CALL(mock_status, setIsConfigurationUpdated(A<EnumArray<OrchestrationStatusConfigType, bool>>())
).WillOnce( ).WillOnce(
Invoke( Invoke(
@@ -940,10 +936,6 @@ TEST_F(OrchestrationTest, orchestrationPolicyUpdate)
).WillOnce(Return(true)); ).WillOnce(Return(true));
EXPECT_CALL(mock_update_communication, setAddressExtenesion("/test")); EXPECT_CALL(mock_update_communication, setAddressExtenesion("/test"));
EXPECT_CALL(mock_status, setLastUpdateAttempt()); EXPECT_CALL(mock_status, setLastUpdateAttempt());
EXPECT_CALL(
mock_status,
setFieldStatus(OrchestrationStatusFieldType::LAST_UPDATE, OrchestrationStatusResult::SUCCESS, "")
);
EXPECT_CALL(mock_status, setIsConfigurationUpdated(A<EnumArray<OrchestrationStatusConfigType, bool>>()) EXPECT_CALL(mock_status, setIsConfigurationUpdated(A<EnumArray<OrchestrationStatusConfigType, bool>>())
).WillOnce( ).WillOnce(
Invoke( Invoke(
@@ -1013,7 +1005,7 @@ TEST_F(OrchestrationTest, loadOrchestrationPolicyFromBackup)
) )
); );
map<string, PortNumber> empty_service_to_port_map; map<string, vector<PortNumber>> empty_service_to_port_map;
EXPECT_CALL(mock_service_controller, getServiceToPortMap()).WillRepeatedly(Return(empty_service_to_port_map)); EXPECT_CALL(mock_service_controller, getServiceToPortMap()).WillRepeatedly(Return(empty_service_to_port_map));
EXPECT_CALL(rest, mockRestCall(RestAction::SHOW, "orchestration-status", _)); EXPECT_CALL(rest, mockRestCall(RestAction::SHOW, "orchestration-status", _));
@@ -1108,14 +1100,6 @@ TEST_F(OrchestrationTest, manifestUpdate)
); );
EXPECT_CALL(mock_status, setLastUpdateAttempt()); EXPECT_CALL(mock_status, setLastUpdateAttempt());
EXPECT_CALL(
mock_status,
setFieldStatus(OrchestrationStatusFieldType::LAST_UPDATE, OrchestrationStatusResult::SUCCESS, "")
);
EXPECT_CALL(
mock_status,
setFieldStatus(OrchestrationStatusFieldType::MANIFEST, OrchestrationStatusResult::SUCCESS, "")
);
EXPECT_CALL(mock_status, setIsConfigurationUpdated(A<EnumArray<OrchestrationStatusConfigType, bool>>()) EXPECT_CALL(mock_status, setIsConfigurationUpdated(A<EnumArray<OrchestrationStatusConfigType, bool>>())
).WillOnce( ).WillOnce(
Invoke( Invoke(
@@ -1237,10 +1221,6 @@ TEST_F(OrchestrationTest, getBadPolicyUpdate)
.WillOnce(ReturnRef(second_val) .WillOnce(ReturnRef(second_val)
); );
EXPECT_CALL(mock_status, setLastUpdateAttempt()); EXPECT_CALL(mock_status, setLastUpdateAttempt());
EXPECT_CALL(
mock_status,
setFieldStatus(OrchestrationStatusFieldType::LAST_UPDATE, OrchestrationStatusResult::SUCCESS, "")
);
EXPECT_CALL(mock_status, setIsConfigurationUpdated(A<EnumArray<OrchestrationStatusConfigType, bool>>()) EXPECT_CALL(mock_status, setIsConfigurationUpdated(A<EnumArray<OrchestrationStatusConfigType, bool>>())
).WillOnce( ).WillOnce(
Invoke( Invoke(
@@ -1271,7 +1251,7 @@ TEST_F(OrchestrationTest, getBadPolicyUpdate)
EXPECT_CALL( EXPECT_CALL(
mock_service_controller, mock_service_controller,
updateServiceConfiguration(string("policy path"), "", expected_data_types, "", "", _) updateServiceConfiguration(string("policy path"), "", expected_data_types, "", "", _)
).WillOnce(Return(Maybe<void>(genError(string(""))))); ).WillOnce(Return(Maybe<void>(genError(string("Fail to load policy")))));
EXPECT_CALL(mock_ml, yield(A<chrono::microseconds>())) EXPECT_CALL(mock_ml, yield(A<chrono::microseconds>()))
.WillOnce( .WillOnce(
@@ -1328,6 +1308,7 @@ TEST_F(OrchestrationTest, failedDownloadSettings)
EXPECT_CALL(mock_update_communication, authenticateAgent()).WillOnce(Return(Maybe<void>())); EXPECT_CALL(mock_update_communication, authenticateAgent()).WillOnce(Return(Maybe<void>()));
expectDetailsResolver(); expectDetailsResolver();
EXPECT_CALL(mock_manifest_controller, loadAfterSelfUpdate()).WillOnce(Return(false)); EXPECT_CALL(mock_manifest_controller, loadAfterSelfUpdate()).WillOnce(Return(false));
EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::SHA256, manifest_file_path)) EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::SHA256, manifest_file_path))
.WillOnce(Return(manifest_checksum)); .WillOnce(Return(manifest_checksum));
@@ -1359,22 +1340,10 @@ TEST_F(OrchestrationTest, failedDownloadSettings)
); );
EXPECT_CALL(mock_status, setLastUpdateAttempt()); EXPECT_CALL(mock_status, setLastUpdateAttempt());
EXPECT_CALL(
mock_status,
setFieldStatus(OrchestrationStatusFieldType::LAST_UPDATE, OrchestrationStatusResult::SUCCESS, "")
).Times(1);
string manifest_err = string manifest_err =
"Critical Error: Agent/Gateway was not fully deployed on host 'hostname' " "Critical Error: Agent/Gateway was not fully deployed on host 'hostname' "
"and is not enforcing a security policy. Retry installation or contact Check Point support."; "and is not enforcing a security policy. Retry installation or contact Check Point support.";
EXPECT_CALL(
mock_status,
setFieldStatus(
OrchestrationStatusFieldType::MANIFEST,
OrchestrationStatusResult::FAILED,
manifest_err
)
).Times(1);
EXPECT_CALL(mock_status, getManifestError()).WillOnce(ReturnRef(manifest_err)); EXPECT_CALL(mock_status, getManifestError()).WillOnce(ReturnRef(manifest_err));
EXPECT_CALL(mock_status, setIsConfigurationUpdated(A<EnumArray<OrchestrationStatusConfigType, bool>>()) EXPECT_CALL(mock_status, setIsConfigurationUpdated(A<EnumArray<OrchestrationStatusConfigType, bool>>())
@@ -1475,10 +1444,6 @@ TEST_P(OrchestrationTest, orchestrationFirstRun)
.WillOnce(Return(data_checksum)); .WillOnce(Return(data_checksum));
EXPECT_CALL(mock_status, setLastUpdateAttempt()); EXPECT_CALL(mock_status, setLastUpdateAttempt());
EXPECT_CALL(
mock_status,
setFieldStatus(OrchestrationStatusFieldType::LAST_UPDATE, OrchestrationStatusResult::SUCCESS, "")
);
EXPECT_CALL(mock_status, setIsConfigurationUpdated(A<EnumArray<OrchestrationStatusConfigType, bool>>()) EXPECT_CALL(mock_status, setIsConfigurationUpdated(A<EnumArray<OrchestrationStatusConfigType, bool>>())
).WillOnce( ).WillOnce(
Invoke( Invoke(
@@ -1537,23 +1502,6 @@ TEST_P(OrchestrationTest, orchestrationFirstRun)
} catch (const invalid_argument& e) {} } catch (const invalid_argument& e) {}
EXPECT_CALL(mock_status, writeStatusToFile()); EXPECT_CALL(mock_status, writeStatusToFile());
vector<HealthCheckStatusReply> reply;
bool is_named_query = GetParam();
if (is_named_query) {
auto all_comps_status_reply = HealthCheckStatusEvent().performNamedQuery();
for (auto &elem : all_comps_status_reply) {
reply.push_back(elem.second);
}
} else {
reply = HealthCheckStatusEvent().query();
}
ASSERT_EQ(reply.size(), 1);
EXPECT_EQ(reply[0].getCompName(), "Orchestration");
EXPECT_EQ(reply[0].getStatus(), HealthCheckStatus::HEALTHY);
HealthCheckStatusEvent().notify();
orchestration_comp.fini(); orchestration_comp.fini();
} }
@@ -1721,10 +1669,6 @@ TEST_F(OrchestrationTest, dataUpdate)
); );
EXPECT_CALL(mock_status, setLastUpdateAttempt()); EXPECT_CALL(mock_status, setLastUpdateAttempt());
EXPECT_CALL(
mock_status,
setFieldStatus(OrchestrationStatusFieldType::LAST_UPDATE, OrchestrationStatusResult::SUCCESS, "")
);
EXPECT_CALL(mock_status, setIsConfigurationUpdated(A<EnumArray<OrchestrationStatusConfigType, bool>>()) EXPECT_CALL(mock_status, setIsConfigurationUpdated(A<EnumArray<OrchestrationStatusConfigType, bool>>())
).WillOnce( ).WillOnce(
Invoke( Invoke(

53
components/security_apps/orchestration/service_controller/service_controller.cc
View File

@@ -333,7 +333,7 @@ private:
ReconfStatus getUpdatedReconfStatus(); ReconfStatus getUpdatedReconfStatus();
Maybe<ServiceDetails> getServiceDetails(const string &service_name); Maybe<ServiceDetails> getServiceDetails(const string &service_name);
map<string, PortNumber> getServiceToPortMap(); map<string, vector<PortNumber>> getServiceToPortMap();
template<class Archive> template<class Archive>
void serializeRegisterServices(Archive &ar) { ar(pending_services); } void serializeRegisterServices(Archive &ar) { ar(pending_services); }
@@ -358,6 +358,7 @@ private:
string filesystem_prefix; string filesystem_prefix;
bool is_multi_tenant_env = false; bool is_multi_tenant_env = false;
set<string> changed_policy_files; set<string> changed_policy_files;
ServiceDetails orchestration_service_details;
I_OrchestrationTools *orchestration_tools = nullptr; I_OrchestrationTools *orchestration_tools = nullptr;
I_MainLoop *mainloop = nullptr; I_MainLoop *mainloop = nullptr;
@@ -374,8 +375,13 @@ public:
for (auto const& entry: ports_map) { for (auto const& entry: ports_map) {
string service = entry.first; string service = entry.first;
replace(service.begin(), service.end(), ' ', '-'); replace(service.begin(), service.end(), ' ', '-');
output << service << ":"; output << service;
output << entry.second << ","; char delim = ':';
for (PortNumber port : entry.second) {
output << delim << port;
delim = ',';
}
output << ";";
} }
ports_list = output.str(); ports_list = output.str();
} }
@@ -407,7 +413,7 @@ ServiceController::Impl::getUpdatedReconfStatus()
} }
if (!maybe_service.unpack().isServiceActive()) { if (!maybe_service.unpack().isServiceActive()) {
dbgInfo(D_SERVICE_CONTROLLER) dbgDebug(D_SERVICE_CONTROLLER)
<< "Service is not active, removing from registered services list. Service: " << "Service is not active, removing from registered services list. Service: "
<< services_reconf_names[service_and_reconf_status.first] << services_reconf_names[service_and_reconf_status.first]
<< "ID: " << "ID: "
@@ -500,8 +506,9 @@ ServiceController::Impl::loadRegisteredServicesFromFile()
stringstream ss(maybe_registered_services_str.unpack()); stringstream ss(maybe_registered_services_str.unpack());
cereal::JSONInputArchive ar(ss); cereal::JSONInputArchive ar(ss);
ar(cereal::make_nvp("Registered Services", pending_services)); ar(cereal::make_nvp("Registered Services", pending_services));
pending_services.erase("cp-nano-orchestration");
dbgInfo(D_SERVICE_CONTROLLER) dbgDebug(D_SERVICE_CONTROLLER)
<< "Orchestration pending services loaded from file." << "Orchestration pending services loaded from file."
<< " File: " << " File: "
<< registered_services_file << registered_services_file
@@ -509,7 +516,7 @@ ServiceController::Impl::loadRegisteredServicesFromFile()
for (const auto &id_service_pair : pending_services) { for (const auto &id_service_pair : pending_services) {
const auto &service = id_service_pair.second; const auto &service = id_service_pair.second;
dbgInfo(D_SERVICE_CONTROLLER) dbgDebug(D_SERVICE_CONTROLLER)
<< "Service name: " << "Service name: "
<< service.getServiceName() << service.getServiceName()
<< ", Service ID: " << ", Service ID: "
@@ -529,18 +536,26 @@ ServiceController::Impl::writeRegisteredServicesToFile()
"Orchestration registered services" "Orchestration registered services"
); );
map<string, ServiceDetails> registered_services_with_orch = registered_services;
if (orchestration_service_details.getServiceID() != "") {
registered_services_with_orch.emplace(
orchestration_service_details.getServiceID(),
orchestration_service_details
);
}
ofstream ss(registered_services_file); ofstream ss(registered_services_file);
cereal::JSONOutputArchive ar(ss); cereal::JSONOutputArchive ar(ss);
ar(cereal::make_nvp("Registered Services", registered_services)); ar(cereal::make_nvp("Registered Services", registered_services_with_orch));
dbgInfo(D_SERVICE_CONTROLLER) dbgDebug(D_SERVICE_CONTROLLER)
<< "Orchestration registered services file has been updated. File: " << "Orchestration registered services file has been updated. File: "
<< registered_services_file << registered_services_file
<< ". Registered Services:"; << ". Registered Services:";
for (const auto &id_service_pair : registered_services) { for (const auto &id_service_pair : registered_services_with_orch) {
const auto &service = id_service_pair.second; const auto &service = id_service_pair.second;
dbgInfo(D_SERVICE_CONTROLLER) dbgDebug(D_SERVICE_CONTROLLER)
<< "Service name: " << "Service name: "
<< service.getServiceName() << service.getServiceName()
<< ", Service ID: " << ", Service ID: "
@@ -591,20 +606,20 @@ ServiceController::Impl::cleanUpVirtualFiles()
} }
} }
map<string, PortNumber> map<string, vector<PortNumber>>
ServiceController::Impl::getServiceToPortMap() ServiceController::Impl::getServiceToPortMap()
{ {
map<string, PortNumber> ports_map; map<string, vector<PortNumber>> ports_map;
for (auto const& entry: registered_services) { for (auto const& entry: registered_services) {
const string &service = entry.first; const string &service = entry.second.getServiceName();
PortNumber port = entry.second.getPort(); PortNumber port = entry.second.getPort();
ports_map[service] = port; ports_map[service].push_back(port);
} }
for (auto const& entry: pending_services) { for (auto const& entry: pending_services) {
const string &service = entry.first; const string &service = entry.second.getServiceName();
PortNumber port = entry.second.getPort(); PortNumber port = entry.second.getPort();
ports_map[service] = port; ports_map[service].push_back(port);
} }
return ports_map; return ports_map;
@@ -624,6 +639,12 @@ ServiceController::Impl::registerServiceConfig(
service_id service_id
); );
if (service_name == "cp-nano-orchestration") {
dbgTrace(D_SERVICE_CONTROLLER) << "Save the orchestration service details";
orchestration_service_details = service_config;
return;
}
pending_services.erase(service_config.getServiceID()); pending_services.erase(service_config.getServiceID());
pending_services.insert({service_config.getServiceID(), service_config}); pending_services.insert({service_config.getServiceID(), service_config});
refreshPendingServices(); refreshPendingServices();

48
components/security_apps/orchestration/service_controller/service_controller_ut/service_controller_ut.cc
View File

@@ -178,16 +178,17 @@ public:
void void
expectNewConfigRequest(const string &response) expectNewConfigRequest(const string &response)
{ {
Maybe<HTTPResponse, HTTPResponse> res = HTTPResponse(HTTPStatusCode::HTTP_OK, response);
EXPECT_CALL( EXPECT_CALL(
mock_message, mock_message,
sendSyncMessage( sendSyncMessage(
HTTPMethod::POST, HTTPMethod::POST,
"/set-new-configuration", "/set-new-configuration",
HasSubstr("1.0.2"), _,
_, _,
_ _
) )
).WillOnce(Return(HTTPResponse(HTTPStatusCode::HTTP_OK, response))); ).WillOnce(DoAll(SaveArg<2>(&version_body), Return(res)));
} }
CPTestTempfile status_file; CPTestTempfile status_file;
@@ -196,6 +197,7 @@ public:
::Environment env; ::Environment env;
ConfigComponent config; ConfigComponent config;
DeclarativePolicyUtils declarative_policy_utils; DeclarativePolicyUtils declarative_policy_utils;
string version_body;
string configuration_dir; string configuration_dir;
string policy_extension; string policy_extension;
string settings_extension; string settings_extension;
@@ -229,19 +231,21 @@ public:
string old_version = "1.0.1"; string old_version = "1.0.1";
string versions = string versions =
"[" "[\n"
" {" " {\n"
" \"id\": \"d8c3cc3c-f9df-83c8-f875-322dd8a0c161\"," " \"id\": \"d8c3cc3c-f9df-83c8-f875-322dd8a0c161\",\n"
" \"name\": \"Linux Embedded Agents\"," " \"name\": \"Linux Embedded Agents\",\n"
" \"version\": \"1.0.2\"" " \"version\": \"1.0.2\",\n"
" }" " \"profileType\": \"Embedded\"\n"
" }\n"
"]"; "]";
string old_versions = string old_versions =
"[" "["
" {" " {"
" \"id\": \"d8c3cc3c-f9df-83c8-f875-322dd8a0c161\"," " \"id\": \"d8c3cc3c-f9df-83c8-f875-322dd8a0c161\","
" \"name\": \"Linux Embedded Agents\"," " \"name\": \"Linux Embedded Agents\","
" \"version\": \"1.0.1\"" " \"version\": \"1.0.1\","
" \"profileType\": \"Embedded\""
" }" " }"
"]"; "]";
@@ -338,6 +342,23 @@ TEST_F(ServiceControllerTest, UpdateConfiguration)
EXPECT_EQ(i_service_controller->getPolicyVersion(), version_value); EXPECT_EQ(i_service_controller->getPolicyVersion(), version_value);
EXPECT_EQ(i_service_controller->getPolicyVersions(), versions); EXPECT_EQ(i_service_controller->getPolicyVersions(), versions);
EXPECT_EQ(i_service_controller->getUpdatePolicyVersion(), version_value); EXPECT_EQ(i_service_controller->getUpdatePolicyVersion(), version_value);
stringstream ver_ss;
ver_ss
<< "{\n"
<< " \"id\": 1,\n"
<< " \"policy_version\": \"1.0.2,[\\n"
<< " {\\n"
<< " \\\"id\\\": \\\"d8c3cc3c-f9df-83c8-f875-322dd8a0c161\\\",\\n"
<< " \\\"name\\\": \\\"Linux Embedded Agents\\\",\\n"
<< " \\\"version\\\": \\\"1.0.2\\\",\\n"
<< " \\\"profileType\\\": \\\"Embedded\\\"\\n"
<< " }\\n"
<< "]\"\n}";
EXPECT_EQ(
version_body,
ver_ss.str()
);
} }
TEST_F(ServiceControllerTest, supportVersions) TEST_F(ServiceControllerTest, supportVersions)
@@ -527,13 +548,13 @@ TEST_F(ServiceControllerTest, TimeOutUpdateConfiguration)
TEST_F(ServiceControllerTest, readRegisteredServicesFromFile) TEST_F(ServiceControllerTest, readRegisteredServicesFromFile)
{ {
init(); init();
int family1_id3_port = 1111; uint16_t family1_id3_port = 1111;
string registered_services_json = "{\n" string registered_services_json = "{\n"
" \"Registered Services\": {\n" " \"Registered Services\": {\n"
" \"family1_id3\": {\n" " \"family1_id3\": {\n"
" \"Service name\": \"mock access control\",\n" " \"Service name\": \"mock access control\",\n"
" \"Service ID\": \"family1_id3\",\n" " \"Service ID\": \"family1_id3\",\n"
" \"Service port\": 1111,\n" " \"Service port\": " + to_string(family1_id3_port) + ",\n"
" \"Relevant configs\": [\n" " \"Relevant configs\": [\n"
" \"non updated capability\",\n" " \"non updated capability\",\n"
" \"l4_firewall\"\n" " \"l4_firewall\"\n"
@@ -573,7 +594,8 @@ TEST_F(ServiceControllerTest, readRegisteredServicesFromFile)
service_controller.init(); service_controller.init();
auto services_to_port_map = i_service_controller->getServiceToPortMap(); auto services_to_port_map = i_service_controller->getServiceToPortMap();
EXPECT_EQ(services_to_port_map.find("family1_id3")->second, family1_id3_port); vector<PortNumber> ports = {l4_firewall_service_port, family1_id3_port};
EXPECT_EQ(services_to_port_map.find("mock access control")->second, ports);
} }
TEST_F(ServiceControllerTest, noPolicyUpdate) TEST_F(ServiceControllerTest, noPolicyUpdate)
@@ -1589,7 +1611,7 @@ TEST_F(ServiceControllerTest, testPortsRest)
empty_json << "{}"; empty_json << "{}";
auto res = get_services_ports->performRestCall(empty_json); auto res = get_services_ports->performRestCall(empty_json);
ASSERT_TRUE(res.ok()); ASSERT_TRUE(res.ok());
EXPECT_THAT(res.unpack(), HasSubstr("family1_id2:8888")); EXPECT_THAT(res.unpack(), HasSubstr("mock-access-control:8888;"));
} }
TEST_F(ServiceControllerTest, testMultitenantConfFiles) TEST_F(ServiceControllerTest, testMultitenantConfFiles)

2
components/security_apps/orchestration/update_communication/declarative_policy_utils.cc
View File

@@ -141,7 +141,7 @@ DeclarativePolicyUtils::sendUpdatesToFog(
auto shell_cmd = Singleton::Consume<I_ShellCmd>::by<DeclarativePolicyUtils>(); auto shell_cmd = Singleton::Consume<I_ShellCmd>::by<DeclarativePolicyUtils>();
string exec_command = string exec_command =
getFilesystemPathConfig() getFilesystemPathConfig()
+ "/scripts/open-appsec-cloud-mgmt --upload_policy_only" + "/scripts/open-appsec-cloud-mgmt --config-upload-only"
+ " --access_token " + access_token + " --access_token " + access_token
+ " --tenant_id " + tenant_id + " --tenant_id " + tenant_id
+ " --profile_id " + profile_id; + " --profile_id " + profile_id;

2
components/security_apps/orchestration/update_communication/fog_authenticator.cc
View File

@@ -184,6 +184,8 @@ FogAuthenticator::registerAgent(
request << make_pair("cloudAccountId", ::get<0>(cloud_metadata.unpack())); request << make_pair("cloudAccountId", ::get<0>(cloud_metadata.unpack()));
request << make_pair("cloudVpcId", ::get<1>(cloud_metadata.unpack())); request << make_pair("cloudVpcId", ::get<1>(cloud_metadata.unpack()));
request << make_pair("cloudInstanceId", ::get<2>(cloud_metadata.unpack())); request << make_pair("cloudInstanceId", ::get<2>(cloud_metadata.unpack()));
request << make_pair("cloudInstanceLocalIp", ::get<3>(cloud_metadata.unpack()));
request << make_pair("cloudRegion", ::get<4>(cloud_metadata.unpack()));
} else { } else {
dbgDebug(D_ORCHESTRATOR) << cloud_metadata.getErr(); dbgDebug(D_ORCHESTRATOR) << cloud_metadata.getErr();
} }

11
components/security_apps/orchestration/update_communication/fog_communication.cc
View File

@@ -32,6 +32,7 @@ FogCommunication::init()
{ {
FogAuthenticator::init(); FogAuthenticator::init();
i_declarative_policy = Singleton::Consume<I_DeclarativePolicy>::from<DeclarativePolicyUtils>(); i_declarative_policy = Singleton::Consume<I_DeclarativePolicy>::from<DeclarativePolicyUtils>();
profile_mode = getSettingWithDefault<string>("management", "profileManagedMode");
} }
Maybe<void> Maybe<void>
@@ -66,6 +67,16 @@ FogCommunication::getUpdate(CheckUpdateRequest &request)
Maybe<string> maybe_new_data = request.getData(); Maybe<string> maybe_new_data = request.getData();
string data_checksum = maybe_new_data.ok() ? maybe_new_data.unpack() : ""; string data_checksum = maybe_new_data.ok() ? maybe_new_data.unpack() : "";
if (profile_mode != policy_mgmt_mode) {
dbgTrace(D_ORCHESTRATOR)
<< "The profile managed mode was changed from: "
<< profile_mode
<< " to: "
<< policy_mgmt_mode;
profile_mode = policy_mgmt_mode;
i_declarative_policy->turnOnApplyPolicyFlag();
}
if (i_declarative_policy->shouldApplyPolicy()) { if (i_declarative_policy->shouldApplyPolicy()) {
string policy_response = i_declarative_policy->getUpdate(request); string policy_response = i_declarative_policy->getUpdate(request);
if (!policy_response.empty()) { if (!policy_response.empty()) {

1
components/security_apps/orchestration/update_communication/update_communication.cc
View File

@@ -32,6 +32,7 @@
using namespace std; using namespace std;
USE_DEBUG_FLAG(D_ORCHESTRATOR); USE_DEBUG_FLAG(D_ORCHESTRATOR);
class UpdateCommunication::Impl class UpdateCommunication::Impl
: :
public ServerRest, public ServerRest,

1
components/security_apps/orchestration/updates_process_reporter/CMakeLists.txt Executable file
View File

@@ -0,0 +1 @@
add_library(updates_process_reporter updates_process_event.cc updates_process_reporter.cc)

124
components/security_apps/orchestration/updates_process_reporter/updates_process_event.cc Normal file
View File

@@ -0,0 +1,124 @@
// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "updates_process_event.h"
#include <sstream>
#include <string>
#include "debug.h"
using namespace std;
USE_DEBUG_FLAG(D_UPDATES_PROCESS_REPORTER);
UpdatesProcessEvent::UpdatesProcessEvent(
UpdatesProcessResult _result,
UpdatesConfigType _type,
UpdatesFailureReason _reason,
const std::string &_detail,
const std::string &_description)
:
result(_result),
type(_type),
reason(_reason),
detail(_detail),
description(_description)
{
string report =
"Result: " + convertUpdateProcessResultToStr(result) +
", Reason: " + convertUpdatesFailureReasonToStr(reason) +
", Type: " + convertUpdatesConfigTypeToStr(type) +
", Detail: " + detail +
", Description: " + description;
dbgTrace(D_UPDATES_PROCESS_REPORTER) << "Updates process event: " << report;
}
OrchestrationStatusFieldType
UpdatesProcessEvent::getStatusFieldType() const
{
if (reason == UpdatesFailureReason::REGISTRATION) {
return OrchestrationStatusFieldType::REGISTRATION;
}
if (type == UpdatesConfigType::MANIFEST) {
return OrchestrationStatusFieldType::MANIFEST;
}
return OrchestrationStatusFieldType::LAST_UPDATE;
}
OrchestrationStatusResult
UpdatesProcessEvent::getOrchestrationStatusResult() const
{
return result == UpdatesProcessResult::SUCCESS ?
OrchestrationStatusResult::SUCCESS :
OrchestrationStatusResult::FAILED;
}
string
UpdatesProcessEvent::parseDescription() const
{
stringstream err;
if (description.empty() || result == UpdatesProcessResult::SUCCESS) return "";
switch (reason) {
case UpdatesFailureReason::CHECK_UPDATE: {
err << description;
break;
}
case UpdatesFailureReason::REGISTRATION: {
err << "Registration failed. Error: " << description;
break;
}
case UpdatesFailureReason::GET_UPDATE_REQUEST: {
err << "Failed to get update request. Error: " << description;
break;
}
case UpdatesFailureReason::DOWNLOAD_FILE : {
err << "Failed to download the file " << detail << ". Error: " << description;
break;
}
case UpdatesFailureReason::HANDLE_FILE : {
err << "Failed to handle the file " << detail << ". " << description;
break;
}
case UpdatesFailureReason::INSTALLATION_QUEUE : {
err << "Installation queue creation failed. Error: " << description;
break;
}
case UpdatesFailureReason::INSTALL_PACKAGE : {
err << "Failed to install the package " << detail << ". Error: " << description;
break;
}
case UpdatesFailureReason::CHECKSUM_UNMATCHED : {
err << "Checksums do not match for the file: " << detail << ". " << description;
break;
}
case UpdatesFailureReason::POLICY_CONFIGURATION : {
err << "Failed to configure policy version: " << detail << ". Error: " << description;
break;
}
case UpdatesFailureReason::POLICY_FOG_CONFIGURATION : {
err << "Failed to configure the fog address: " << detail << ". Error: " << description;
break;
}
case UpdatesFailureReason::ORCHESTRATION_SELF_UPDATE : {
err << description;
break;
}
case UpdatesFailureReason::NONE : {
err << description;
break;
}
}
return err.str();
}

86
components/security_apps/orchestration/updates_process_reporter/updates_process_reporter.cc Normal file
View File

@@ -0,0 +1,86 @@
// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "updates_process_reporter.h"
#include <sstream>
#include <string>
#include "debug.h"
#include "log_generator.h"
using namespace std;
USE_DEBUG_FLAG(D_UPDATES_PROCESS_REPORTER);
vector<UpdatesProcessReport> UpdatesProcessReporter::reports;
void
UpdatesProcessReporter::upon(const UpdatesProcessEvent &event)
{
if (event.getReason() == UpdatesFailureReason::CHECK_UPDATE) {
if (event.getResult() == UpdatesProcessResult::SUCCESS && reports.empty()) {
dbgTrace(D_UPDATES_PROCESS_REPORTER) << "Update proccess finished successfully";
report_failure_count = 0;
return;
}
dbgTrace(D_UPDATES_PROCESS_REPORTER) << "Update proccess finished with errors";
report_failure_count++;
if (report_failure_count <= 1) {
reports.clear();
return;
}
reports.emplace_back(
UpdatesProcessReport(
event.getResult(),
event.getType(),
event.getReason(),
event.parseDescription()
)
);
sendReoprt();
return;
}
if (event.getResult() == UpdatesProcessResult::SUCCESS || event.getResult() == UpdatesProcessResult::UNSET) return;
reports.emplace_back(
UpdatesProcessReport(event.getResult(), event.getType(), event.getReason(), event.parseDescription())
);
}
void
UpdatesProcessReporter::sendReoprt()
{
stringstream full_reports;
UpdatesFailureReason failure_reason = UpdatesFailureReason::NONE;
full_reports << "Updates process reports:" << endl;
full_reports << "report failure count:" << report_failure_count << endl;
for (const auto &report : reports) {
if (report.getReason() != UpdatesFailureReason::CHECK_UPDATE) {
failure_reason = report.getReason();
}
full_reports << report.toString() << endl;
}
reports.clear();
dbgTrace(D_UPDATES_PROCESS_REPORTER) << "Sending updates process report: " << endl << full_reports.str();
LogGen log (
"Updates process report",
ReportIS::Audience::INTERNAL,
ReportIS::Severity::HIGH,
ReportIS::Priority::HIGH,
ReportIS::Tags::ORCHESTRATOR
);
log << LogField("eventMessage", full_reports.str());
if (failure_reason != UpdatesFailureReason::NONE) {
log.addToOrigin(LogField("eventCategory", convertUpdatesFailureReasonToStr(failure_reason)));
}
}

97
components/security_apps/waap/waap_clib/DeepParser.cc
View File

@@ -273,55 +273,58 @@ DeepParser::onKv(const char *k, size_t k_len, const char *v, size_t v_len, int f
// Detect and decode potential base64 chunks in the value before further processing // Detect and decode potential base64 chunks in the value before further processing
bool base64ParamFound = false; bool base64ParamFound = false;
dbgTrace(D_WAAP_DEEP_PARSER) << " ===Processing potential base64===";
std::string decoded_val, decoded_key;
Waap::Util::BinaryFileType base64BinaryFileType = Waap::Util::BinaryFileType::FILE_TYPE_NONE; Waap::Util::BinaryFileType base64BinaryFileType = Waap::Util::BinaryFileType::FILE_TYPE_NONE;
base64_variants base64_status = Waap::Util::b64Test(cur_val, decoded_key, decoded_val, base64BinaryFileType); if (m_depth == 1 && flags == BUFFERED_RECEIVER_F_MIDDLE && m_key.depth() == 1 && m_key.first() != "#base64"){
dbgTrace(D_WAAP_DEEP_PARSER) << " === will not check base64 since prev data block was not b64-encoded ===";
} else {
dbgTrace(D_WAAP_DEEP_PARSER) << " ===Processing potential base64===";
std::string decoded_val, decoded_key;
base64_variants base64_status = Waap::Util::b64Test(cur_val, decoded_key, decoded_val, base64BinaryFileType);
dbgTrace(D_WAAP_DEEP_PARSER) dbgTrace(D_WAAP_DEEP_PARSER)
<< " status = " << " status = "
<< base64_status << base64_status
<< " key = " << " key = "
<< decoded_key << decoded_key
<< " value = " << " value = "
<< decoded_val; << decoded_val;
switch (base64_status) { switch (base64_status) {
case SINGLE_B64_CHUNK_CONVERT: case SINGLE_B64_CHUNK_CONVERT:
cur_val = decoded_val;
base64ParamFound = true;
break;
case KEY_VALUE_B64_PAIR:
// going deep with new pair in case value is not empty
if (decoded_val.size() > 0) {
cur_val = decoded_val; cur_val = decoded_val;
base64ParamFound = true; base64ParamFound = true;
rc = onKv( break;
decoded_key.c_str(), case KEY_VALUE_B64_PAIR:
decoded_key.size(), // going deep with new pair in case value is not empty
cur_val.data(), if (decoded_val.size() > 0) {
cur_val.size(), cur_val = decoded_val;
flags, base64ParamFound = true;
parser_depth rc = onKv(
decoded_key.c_str(),
decoded_key.size(),
cur_val.data(),
cur_val.size(),
flags,
parser_depth
); );
dbgTrace(D_WAAP_DEEP_PARSER) << " rc = " << rc; dbgTrace(D_WAAP_DEEP_PARSER) << " rc = " << rc;
if (rc != CONTINUE_PARSING) { if (rc != CONTINUE_PARSING) {
return rc; return rc;
}
} }
} break;
break; case CONTINUE_AS_IS:
case CONTINUE_AS_IS: break;
break; default:
default: break;
break; }
}
if (base64ParamFound) { if (base64ParamFound) {
dbgTrace(D_WAAP_DEEP_PARSER) << "DeepParser::onKv(): pushing #base64 prefix to the key."; dbgTrace(D_WAAP_DEEP_PARSER) << "DeepParser::onKv(): pushing #base64 prefix to the key.";
m_key.push("#base64", 7, false); m_key.push("#base64", 7, false);
}
} }
// cur_val is later passed through some filters (such as urldecode) before JSON, XML or HTML is detected/decoded // cur_val is later passed through some filters (such as urldecode) before JSON, XML or HTML is detected/decoded
std::string orig_val = cur_val; std::string orig_val = cur_val;
@@ -472,19 +475,19 @@ DeepParser::onKv(const char *k, size_t k_len, const char *v, size_t v_len, int f
if (rc != CONTINUE_PARSING) { if (rc != CONTINUE_PARSING) {
return rc; return rc;
} }
std::string json_decoded_val, json_decoded_key;
if (Waap::Util::detectJSONasParameter(cur_val, decoded_key, decoded_val)) { if (Waap::Util::detectJSONasParameter(cur_val, json_decoded_key, json_decoded_val)) {
dbgTrace(D_WAAP_DEEP_PARSER) dbgTrace(D_WAAP_DEEP_PARSER)
<< " detectJSONasParameter was true: key = " << " detectJSONasParameter was true: key = "
<< decoded_key << json_decoded_key
<< " value = " << " value = "
<< decoded_val; << json_decoded_val;
rc = onKv( rc = onKv(
decoded_key.c_str(), json_decoded_key.c_str(),
decoded_key.size(), json_decoded_key.size(),
decoded_val.data(), json_decoded_val.data(),
decoded_val.size(), json_decoded_val.size(),
flags, flags,
parser_depth parser_depth
); );

1
components/security_apps/waap/waap_clib/ParserBase.h
View File

@@ -22,6 +22,7 @@
#define BUFFERED_RECEIVER_F_LAST 0x02 #define BUFFERED_RECEIVER_F_LAST 0x02
#define BUFFERED_RECEIVER_F_BOTH (BUFFERED_RECEIVER_F_FIRST | BUFFERED_RECEIVER_F_LAST) #define BUFFERED_RECEIVER_F_BOTH (BUFFERED_RECEIVER_F_FIRST | BUFFERED_RECEIVER_F_LAST)
#define BUFFERED_RECEIVER_F_UNNAMED 0x04 #define BUFFERED_RECEIVER_F_UNNAMED 0x04
#define BUFFERED_RECEIVER_F_MIDDLE 0x00
#if (DISTRO_centos6) #if (DISTRO_centos6)
// pre c++11 compiler doesn' support the "final" keyword // pre c++11 compiler doesn' support the "final" keyword

2
components/security_apps/waap/waap_clib/ScanResult.cc
View File

@@ -23,6 +23,7 @@ unescaped_line(),
param_name(), param_name(),
location(), location(),
score(0.0f), score(0.0f),
scoreNoFilter(0.0f),
scoreArray(), scoreArray(),
keywordCombinations(), keywordCombinations(),
attack_types(), attack_types(),
@@ -40,6 +41,7 @@ void Waf2ScanResult::clear()
param_name.clear(); param_name.clear();
location.clear(); location.clear();
score = 0; score = 0;
scoreNoFilter = 0;
scoreArray.clear(); scoreArray.clear();
keywordCombinations.clear(); keywordCombinations.clear();
attack_types.clear(); attack_types.clear();

1
components/security_apps/waap/waap_clib/ScanResult.h
View File

@@ -29,6 +29,7 @@ struct Waf2ScanResult {
std::string param_name; std::string param_name;
std::string location; std::string location;
double score; double score;
double scoreNoFilter;
std::vector<double> scoreArray; std::vector<double> scoreArray;
std::vector<std::string> keywordCombinations; std::vector<std::string> keywordCombinations;
std::set<std::string> attack_types; std::set<std::string> attack_types;

1
components/security_apps/waap/waap_clib/Serializator.cc
View File

@@ -727,7 +727,6 @@ void SerializeToLocalAndRemoteSyncBase::syncWorker()
"sync notification for '" + m_assetId + "'", "sync notification for '" + m_assetId + "'",
ReportIS::AudienceTeam::WAAP, ReportIS::AudienceTeam::WAAP,
syncNotification, syncNotification,
false,
MessageCategory::GENERIC, MessageCategory::GENERIC,
ReportIS::Tags::WAF, ReportIS::Tags::WAF,
ReportIS::Notification::SYNC_LEARNING ReportIS::Notification::SYNC_LEARNING

2
components/security_apps/waap/waap_clib/WaapConversions.cc
View File

@@ -39,7 +39,7 @@ namespace Conversions {
return HIGH_THREAT; return HIGH_THREAT;
} }
bool shouldDoWafBlocking(const IWaapConfig* pWaapConfig, ThreatLevel threatLevel) bool shouldDoWafBlocking(const IWaapConfig* const pWaapConfig, ThreatLevel threatLevel)
{ {
if (pWaapConfig == NULL) if (pWaapConfig == NULL)
{ {

2
components/security_apps/waap/waap_clib/WaapConversions.h
View File

@@ -20,7 +20,7 @@
namespace Waap { namespace Waap {
namespace Conversions { namespace Conversions {
ThreatLevel convertFinalScoreToThreatLevel(double finalScore); ThreatLevel convertFinalScoreToThreatLevel(double finalScore);
bool shouldDoWafBlocking(const IWaapConfig* pSitePolicy, ThreatLevel threatLevel); bool shouldDoWafBlocking(const IWaapConfig* const pSitePolicy, ThreatLevel threatLevel);
} }
} }

32
components/security_apps/waap/waap_clib/WaapOverride.h
View File

@@ -39,12 +39,19 @@ public:
m_op = to_lower_copy(m_op); m_op = to_lower_copy(m_op);
m_isCidr = false; m_isCidr = false;
m_value = ""; m_value = "";
m_isValid = true;
if (m_op == "basic") { if (m_op == "basic") {
// If op == "BASIC" - read numeric value // If op == "BASIC" - read numeric value
ar(cereal::make_nvp("tag", m_tag)); ar(cereal::make_nvp("tag", m_tag));
m_tag = to_lower_copy(m_tag); m_tag = to_lower_copy(m_tag);
if (m_tag != "sourceip" && m_tag != "sourceidentifier" && m_tag != "url" && m_tag != "hostname" &&
m_tag != "keyword" && m_tag != "paramname" && m_tag != "paramvalue" && m_tag != "paramlocation" &&
m_tag != "responsebody" && m_tag != "headername" && m_tag != "headervalue" ) {
m_isValid = false;
dbgDebug(D_WAAP_OVERRIDE) << "Invalid override tag: " << m_tag;
}
// The name "value" here is misleading. The real meaning is "regex pattern string" // The name "value" here is misleading. The real meaning is "regex pattern string"
ar(cereal::make_nvp("value", m_value)); ar(cereal::make_nvp("value", m_value));
@@ -73,12 +80,14 @@ public:
m_operand2 = std::make_shared<Match>(); m_operand2 = std::make_shared<Match>();
ar(cereal::make_nvp("operand2", *m_operand2)); ar(cereal::make_nvp("operand2", *m_operand2));
m_isOverrideResponse = m_operand1->m_isOverrideResponse || m_operand2->m_isOverrideResponse; m_isOverrideResponse = m_operand1->m_isOverrideResponse || m_operand2->m_isOverrideResponse;
m_isValid = m_operand1->m_isValid && m_operand2->m_isValid;
} }
else if (m_op == "not") { else if (m_op == "not") {
// If op is "NOT" get one operand // If op is "NOT" get one operand
m_operand1 = std::make_shared<Match>(); m_operand1 = std::make_shared<Match>();
ar(cereal::make_nvp("operand1", *m_operand1)); ar(cereal::make_nvp("operand1", *m_operand1));
m_isOverrideResponse = m_operand1->m_isOverrideResponse; m_isOverrideResponse = m_operand1->m_isOverrideResponse;
m_isValid = m_operand1->m_isValid;
} }
} }
} }
@@ -120,6 +129,10 @@ public:
return m_isOverrideResponse; return m_isOverrideResponse;
} }
bool isValidMatch() const{
return m_isValid;
}
private: private:
std::string m_op; std::string m_op;
std::shared_ptr<Match> m_operand1; std::shared_ptr<Match> m_operand1;
@@ -130,6 +143,7 @@ private:
Waap::Util::CIDRData m_cidr; Waap::Util::CIDRData m_cidr;
bool m_isCidr; bool m_isCidr;
bool m_isOverrideResponse; bool m_isOverrideResponse;
bool m_isValid;
}; };
class Behavior class Behavior
@@ -189,6 +203,9 @@ private:
class Rule { class Rule {
public: public:
Rule(): m_match(), m_isChangingRequestData(false), isValid(true){}
bool operator==(const Rule &other) const; bool operator==(const Rule &other) const;
template <typename _A> template <typename _A>
@@ -202,6 +219,11 @@ public:
m_id.clear(); m_id.clear();
} }
ar(cereal::make_nvp("parsedMatch", m_match)); ar(cereal::make_nvp("parsedMatch", m_match));
if (!m_match.isValidMatch()) {
dbgDebug(D_WAAP_OVERRIDE) << "An override rule was not load";
isValid = false;
}
ar(cereal::make_nvp("parsedBehavior", m_behaviors)); ar(cereal::make_nvp("parsedBehavior", m_behaviors));
m_isChangingRequestData = false; m_isChangingRequestData = false;
@@ -242,6 +264,7 @@ public:
dbgTrace(D_WAAP_OVERRIDE) << "Rule not matched"; dbgTrace(D_WAAP_OVERRIDE) << "Rule not matched";
} }
bool isChangingRequestData() const { bool isChangingRequestData() const {
return m_isChangingRequestData; return m_isChangingRequestData;
} }
@@ -253,11 +276,16 @@ public:
return m_id; return m_id;
} }
bool isValidRule() const {
return isValid;
}
private: private:
Match m_match; Match m_match;
bool m_isChangingRequestData; bool m_isChangingRequestData;
std::vector<Behavior> m_behaviors; std::vector<Behavior> m_behaviors;
std::string m_id; std::string m_id;
bool isValid;
}; };
class Policy { class Policy {
@@ -270,6 +298,10 @@ public:
for (std::vector<Waap::Override::Rule>::const_iterator it = rules.begin(); it != rules.end(); ++it) { for (std::vector<Waap::Override::Rule>::const_iterator it = rules.begin(); it != rules.end(); ++it) {
const Waap::Override::Rule& rule = *it; const Waap::Override::Rule& rule = *it;
if (!rule.isValidRule()) {
dbgWarning(D_WAAP_OVERRIDE) << "rule is not valid";
continue;
}
if (rule.isChangingRequestData()) if (rule.isChangingRequestData())
{ {
m_RequestOverrides.push_back(rule); m_RequestOverrides.push_back(rule);

2
components/security_apps/waap/waap_clib/WaapOverrideFunctor.cc
View File

@@ -145,6 +145,6 @@ bool WaapOverrideFunctor::operator()(const std::string& tag, const boost::regex&
} }
// Unknown tag: should not occur // Unknown tag: should not occur
dbgWarning(D_WAAP) << "Invalid override tag: " << tag; dbgDebug(D_WAAP) << "Invalid override tag: " << tag;
return false; return false;
} }

39
components/security_apps/waap/waap_clib/WaapScanner.cc
View File

@@ -25,7 +25,7 @@ USE_DEBUG_FLAG(D_OA_SCHEMA_UPDATER);
// id generated by xml parser for an entity attribute // id generated by xml parser for an entity attribute
const std::string Waap::Scanner::xmlEntityAttributeId = "08a80340-06d3-11ea-9f87-0242ac11000f"; const std::string Waap::Scanner::xmlEntityAttributeId = "08a80340-06d3-11ea-9f87-0242ac11000f";
double Waap::Scanner::getScoreData(Waf2ScanResult& res, const std::string &poolName) double Waap::Scanner::getScoreData(Waf2ScanResult& res, const std::string &poolName, bool applyLearning)
{ {
std::string source = m_transaction->getSourceIdentifier(); std::string source = m_transaction->getSourceIdentifier();
@@ -33,21 +33,24 @@ double Waap::Scanner::getScoreData(Waf2ScanResult& res, const std::string &poolN
Waap::Keywords::KeywordsSet keywordsSet; Waap::Keywords::KeywordsSet keywordsSet;
Waap::Keywords::computeKeywordsSet(keywordsSet, res.keyword_matches, res.found_patterns); Waap::Keywords::computeKeywordsSet(keywordsSet, res.keyword_matches, res.found_patterns);
std::string param_name = IndicatorsFiltersManager::generateKey(res.location, res.param_name, m_transaction); if (applyLearning) {
dbgTrace(D_WAAP_SCANNER) << "filter processing for parameter: " << param_name; std::string param_name = IndicatorsFiltersManager::generateKey(res.location, res.param_name, m_transaction);
m_transaction->getAssetState()->logIndicatorsInFilters(param_name, keywordsSet, m_transaction); dbgTrace(D_WAAP_SCANNER) << "filter processing for parameter: " << param_name <<
", indicators count: " << keywordsSet.size();
m_transaction->getAssetState()->logIndicatorsInFilters(param_name, keywordsSet, m_transaction);
m_transaction->getAssetState()->filterKeywords(param_name, keywordsSet, res.filtered_keywords); m_transaction->getAssetState()->filterKeywords(param_name, keywordsSet, res.filtered_keywords);
if (m_transaction->getSiteConfig() != nullptr) if (m_transaction->getSiteConfig() != nullptr)
{ {
auto waapParams = m_transaction->getSiteConfig()->get_WaapParametersPolicy(); auto waapParams = m_transaction->getSiteConfig()->get_WaapParametersPolicy();
if (waapParams != nullptr && waapParams->getParamVal("filtersVerbose", "false") == "true") { if (waapParams != nullptr && waapParams->getParamVal("filtersVerbose", "false") == "true") {
m_transaction->getAssetState()->filterVerbose(param_name, res.filtered_keywords); m_transaction->getAssetState()->filterVerbose(param_name, res.filtered_keywords);
}
} }
m_transaction->getAssetState()->filterKeywordsByParameters(res.param_name, keywordsSet);
dbgTrace(D_WAAP_SCANNER) << "post filtering indicators count: " << keywordsSet.size();
} }
m_transaction->getAssetState()->filterKeywordsByParameters(res.param_name, keywordsSet);
// The keywords are only removed in production, they are still used while building scores // The keywords are only removed in production, they are still used while building scores
if (!m_transaction->get_ignoreScore()) { if (!m_transaction->get_ignoreScore()) {
m_transaction->getAssetState()->removeKeywords(keywordsSet); m_transaction->getAssetState()->removeKeywords(keywordsSet);
@@ -148,9 +151,16 @@ bool Waap::Scanner::suspiciousHit(Waf2ScanResult& res, DeepParser &dp,
// Select scores pool by location // Select scores pool by location
std::string poolName = Waap::Scores::getScorePoolNameByLocation(location); std::string poolName = Waap::Scores::getScorePoolNameByLocation(location);
Waf2ScanResult nonFilterRes = res;
res.scoreNoFilter = getScoreData(nonFilterRes, poolName, false);
double score = getScoreData(res, poolName); double score = getScoreData(res, poolName);
dbgTrace(D_WAAP_SCANNER) << "score: " << score; // call shouldIgnoreOverride post score calculation and filtering to evaluate ignore override effectivness
res.score = score;
m_transaction->shouldIgnoreOverride(res);
dbgTrace(D_WAAP_SCANNER) << "score: " << score << " should ignore: " << ignoreOverride;
// Add record about scores to the notes[] log (also reported in logs) // Add record about scores to the notes[] log (also reported in logs)
if (score > 1.0f) { if (score > 1.0f) {
DetectionEvent(location, res.keyword_matches).notify(); DetectionEvent(location, res.keyword_matches).notify();
@@ -166,6 +176,7 @@ bool Waap::Scanner::suspiciousHit(Waf2ScanResult& res, DeepParser &dp,
if (isKeyCspReport(key, res, dp) || ignoreOverride) { if (isKeyCspReport(key, res, dp) || ignoreOverride) {
dbgTrace(D_WAAP_SCANNER) << "Ignoring parameter key/value " << res.param_name << dbgTrace(D_WAAP_SCANNER) << "Ignoring parameter key/value " << res.param_name <<
" due to ignore action in override"; " due to ignore action in override";
res.score = 0;
m_bIgnoreOverride = true; m_bIgnoreOverride = true;
return false; return false;
} }

2
components/security_apps/waap/waap_clib/WaapScanner.h
View File

@@ -43,7 +43,7 @@ namespace Waap {
static const std::string xmlEntityAttributeId; static const std::string xmlEntityAttributeId;
private: private:
double getScoreData(Waf2ScanResult& res, const std::string &poolName); double getScoreData(Waf2ScanResult& res, const std::string &poolName, bool applyLearning = true);
bool shouldIgnoreOverride(const Waf2ScanResult &res); bool shouldIgnoreOverride(const Waf2ScanResult &res);
bool isKeyCspReport(const std::string &key, Waf2ScanResult &res, DeepParser &dp); bool isKeyCspReport(const std::string &key, Waf2ScanResult &res, DeepParser &dp);

86
components/security_apps/waap/waap_clib/Waf2Engine.cc
View File

@@ -329,6 +329,7 @@ Waf2Transaction::Waf2Transaction() :
is_schema_validation(false), is_schema_validation(false),
m_waf2TransactionFlags() m_waf2TransactionFlags()
{ {
m_overrideOriginalMaxScore[OVERRIDE_ACCEPT] = 0;
I_TimeGet *timeGet = Singleton::Consume<I_TimeGet>::by<Waf2Transaction>(); I_TimeGet *timeGet = Singleton::Consume<I_TimeGet>::by<Waf2Transaction>();
m_entry_time = chrono::duration_cast<chrono::milliseconds>(timeGet->getMonotonicTime()); m_entry_time = chrono::duration_cast<chrono::milliseconds>(timeGet->getMonotonicTime());
} }
@@ -1516,6 +1517,7 @@ Waf2Transaction::decideAfterHeaders()
return finalizeDecision(sitePolicy, shouldBlock); return finalizeDecision(sitePolicy, shouldBlock);
} }
// Note: the only user of the transactionResult structure filled by this method is waap_automation. // Note: the only user of the transactionResult structure filled by this method is waap_automation.
// TODO: Consider removing this parameter (and provide access to this information by other means) // TODO: Consider removing this parameter (and provide access to this information by other means)
int int
@@ -1728,6 +1730,11 @@ void Waf2Transaction::appendCommonLogFields(LogGen& waapLog,
std::copy(m_effectiveOverrideIds.begin(), m_effectiveOverrideIds.end(), vEffectiveOverrideIds.begin()); std::copy(m_effectiveOverrideIds.begin(), m_effectiveOverrideIds.end(), vEffectiveOverrideIds.begin());
waapLog.addToOrigin(LogField("effectiveExceptionIdList", vEffectiveOverrideIds)); waapLog.addToOrigin(LogField("effectiveExceptionIdList", vEffectiveOverrideIds));
} }
if (!m_exceptionLearned.empty()) {
std::vector<std::string> vLearningAffected(m_exceptionLearned.size());
std::copy(m_exceptionLearned.begin(), m_exceptionLearned.end(), vLearningAffected.begin());
waapLog.addToOrigin(LogField("redundantExceptionIdList", vLearningAffected));
}
} }
} }
@@ -1808,12 +1815,6 @@ Waf2Transaction::sendLog()
return; return;
} }
dbgTrace(D_WAAP) << "force exception: " << m_overrideState.bForceException <<
" force block: " << m_overrideState.bForceBlock <<
" matched overrides count: " << m_matchedOverrideIds.size() <<
" effective overrides count: " << m_effectiveOverrideIds.size();
bool shouldBlock = false; bool shouldBlock = false;
if (m_overrideState.bForceBlock) { if (m_overrideState.bForceBlock) {
// If override forces "reject" decision, mention it in the "override" log field. // If override forces "reject" decision, mention it in the "override" log field.
@@ -2090,7 +2091,30 @@ Waf2Transaction::decideAutonomousSecurity(
transactionResult.threatLevel = threat; transactionResult.threatLevel = threat;
} }
dbgTrace(D_WAAP_OVERRIDE) << "override ids count: " << m_matchedOverrideIds.size();
// Apply overrides // Apply overrides
for (auto it = m_overridePostFilterMaxScore.begin(); it != m_overridePostFilterMaxScore.end(); it++) {
const string id = it->first;
if (m_overrideState.forceBlockIds.find(id) != m_overrideState.forceBlockIds.end()) {
// blocked effectivness is calculates later from the force block exception ids list
continue;
}
ThreatLevel threat = Waap::Conversions::convertFinalScoreToThreatLevel(it->second);
bool shouldBlock = Waap::Conversions::shouldDoWafBlocking(m_siteConfig, threat);
dbgTrace(D_WAAP_OVERRIDE) << "checking effectivness of override: " << id << ", should have blocked: " << shouldBlock
<< ", scores: " << m_overridePostFilterMaxScore[id] << ", " << m_overrideOriginalMaxScore[id];
if (shouldBlock) {
m_effectiveOverrideIds.insert(id);
} else {
ThreatLevel threatNoFilter = Waap::Conversions::convertFinalScoreToThreatLevel(
m_overrideOriginalMaxScore[id]
);
if (Waap::Conversions::shouldDoWafBlocking(m_siteConfig, threatNoFilter)) {
m_exceptionLearned.insert(id);
}
}
}
if (m_overrideState.bForceBlock) { if (m_overrideState.bForceBlock) {
dbgTrace(D_WAAP) << "decideAutonomousSecurity(): decision was " << decision->shouldBlock() << dbgTrace(D_WAAP) << "decideAutonomousSecurity(): decision was " << decision->shouldBlock() <<
" and override forces REJECT ..."; " and override forces REJECT ...";
@@ -2104,25 +2128,25 @@ Waf2Transaction::decideAutonomousSecurity(
} }
} }
else if (m_overrideState.bForceException) { else if (m_overrideState.bForceException) {
dbgTrace(D_WAAP) << "decideAutonomousSecurity(): decision was " << decision->shouldBlock() << dbgTrace(D_WAAP) << "de cideAutonomousSecurity(): decision was " << decision->shouldBlock() <<
" and override forces ALLOW ..."; " and override forces ALLOW ...";
if (m_scanResult) {
// on accept exception the decision is not set and needs to be calculated to determine effectivness
ThreatLevel threat = Waap::Conversions::convertFinalScoreToThreatLevel(m_scanResult->score);
bool shouldBlock = Waap::Conversions::shouldDoWafBlocking(&sitePolicy, threat);
if (shouldBlock) {
m_effectiveOverrideIds.insert(
m_overrideState.forceExceptionIds.begin(), m_overrideState.forceExceptionIds.end()
);
}
}
decision->setBlock(false); decision->setBlock(false);
if (!m_overrideState.bIgnoreLog) if (!m_overrideState.bIgnoreLog)
{ {
decision->setOverridesLog(true); decision->setOverridesLog(true);
} }
} else if (!m_matchedOverrideIds.empty()) {
if (!m_overrideState.bIgnoreLog)
{
decision->setOverridesLog(true);
}
} }
dbgTrace(D_WAAP_OVERRIDE) << "force exception: " << m_overrideState.bForceException <<
" force block: " << m_overrideState.bForceBlock <<
" matched overrides count: " << m_matchedOverrideIds.size() <<
" effective overrides count: " << m_effectiveOverrideIds.size() <<
" learned overrides count: " << m_exceptionLearned.size();
bool log_all = false; bool log_all = false;
@@ -2261,7 +2285,7 @@ bool
Waf2Transaction::shouldIgnoreOverride(const Waf2ScanResult &res) { Waf2Transaction::shouldIgnoreOverride(const Waf2ScanResult &res) {
auto exceptions = getConfiguration<ParameterException>("rulebase", "exception"); auto exceptions = getConfiguration<ParameterException>("rulebase", "exception");
if (!exceptions.ok()) { if (!exceptions.ok()) {
dbgTrace(D_WAAP_OVERRIDE) << "matching exceptions error:" << exceptions.getErr(); dbgTrace(D_WAAP_OVERRIDE) << "matching exceptions error: " << exceptions.getErr();
return false; return false;
} }
dbgTrace(D_WAAP_OVERRIDE) << "matching exceptions"; dbgTrace(D_WAAP_OVERRIDE) << "matching exceptions";
@@ -2304,6 +2328,24 @@ Waf2Transaction::shouldIgnoreOverride(const Waf2ScanResult &res) {
auto behaviors = exceptions.unpack().getBehavior(exceptions_dict, auto behaviors = exceptions.unpack().getBehavior(exceptions_dict,
getAssetState()->m_filtersMngr->getMatchedOverrideKeywords()); getAssetState()->m_filtersMngr->getMatchedOverrideKeywords());
for (const auto &behavior : behaviors) { for (const auto &behavior : behaviors) {
if (!res.filtered_keywords.empty() || res.score > 0) {
dbgTrace(D_WAAP_OVERRIDE) << "matched exceptions for " << res.param_name << " with filtered indicators";
std::string overrideId = behavior.getId();
if (m_overrideOriginalMaxScore.find(overrideId) == m_overrideOriginalMaxScore.end()){
m_overrideOriginalMaxScore[overrideId] = res.scoreNoFilter;
m_overridePostFilterMaxScore[overrideId] = res.score;
} else {
if (res.scoreNoFilter > m_overrideOriginalMaxScore[overrideId]) {
m_overrideOriginalMaxScore[overrideId] = res.scoreNoFilter;
}
if (res.score > m_overridePostFilterMaxScore[overrideId]) {
m_overridePostFilterMaxScore[overrideId] = res.score;
}
}
if (res.scoreNoFilter > m_overrideOriginalMaxScore[OVERRIDE_ACCEPT]) {
m_overrideOriginalMaxScore[OVERRIDE_ACCEPT] = res.scoreNoFilter;
}
}
if (behavior == action_ignore) if (behavior == action_ignore)
{ {
dbgTrace(D_WAAP_OVERRIDE) << "matched exceptions for " << res.param_name << " should ignore."; dbgTrace(D_WAAP_OVERRIDE) << "matched exceptions for " << res.param_name << " should ignore.";
@@ -2311,12 +2353,6 @@ Waf2Transaction::shouldIgnoreOverride(const Waf2ScanResult &res) {
if (!overrideId.empty()) { if (!overrideId.empty()) {
m_matchedOverrideIds.insert(overrideId); m_matchedOverrideIds.insert(overrideId);
} }
if (!res.keyword_matches.empty() || res.unescaped_line == Waap::Scanner::xmlEntityAttributeId)
{
if (!overrideId.empty()) {
m_effectiveOverrideIds.insert(overrideId);
}
}
return true; return true;
} }
} }

3
components/security_apps/waap/waap_clib/Waf2Engine.h
View File

@@ -293,6 +293,9 @@ private:
// Matched override IDs // Matched override IDs
std::set<std::string> m_matchedOverrideIds; std::set<std::string> m_matchedOverrideIds;
std::set<std::string> m_effectiveOverrideIds; std::set<std::string> m_effectiveOverrideIds;
std::set<std::string> m_exceptionLearned;
std::map<std::string, double> m_overrideOriginalMaxScore;
std::map<std::string, double> m_overridePostFilterMaxScore;
//csrf state //csrf state
Waap::CSRF::State m_csrfState; Waap::CSRF::State m_csrfState;

17
components/security_apps/waap/waap_clib/Waf2EngineGetters.cc
View File

@@ -459,9 +459,15 @@ Waf2Transaction::getUserLimitVerdict()
} }
else if (mode == AttackMitigationMode::PREVENT) { else if (mode == AttackMitigationMode::PREVENT) {
decision->setLog(true); decision->setLog(true);
decision->setBlock(true); if (!m_overrideState.bForceException) {
dbgInfo(D_WAAP_ULIMITS) << msg << "BLOCK" << reason; decision->setBlock(true);
verdict = ngx_http_cp_verdict_e::TRAFFIC_VERDICT_DROP; dbgInfo(D_WAAP_ULIMITS) << msg << "BLOCK" << reason;
verdict = ngx_http_cp_verdict_e::TRAFFIC_VERDICT_DROP;
} else {
decision->setBlock(true);
dbgInfo(D_WAAP_ULIMITS) << msg << "Override Accept" << reason;
verdict = ngx_http_cp_verdict_e::TRAFFIC_VERDICT_ACCEPT;
}
} }
return verdict; return verdict;
@@ -567,12 +573,11 @@ Waap::Override::State Waf2Transaction::getOverrideState(IWaapConfig* sitePolicy)
extractEnvSourceIdentifier(); extractEnvSourceIdentifier();
Waap::Override::State overrideStateResponse;
if (overridePolicy) { // later we will run response overrides if (overridePolicy) { // later we will run response overrides
overrideStateResponse.applyOverride(*overridePolicy, WaapOverrideFunctor(*this), m_matchedOverrideIds, false); m_overrideState.applyOverride(*overridePolicy, WaapOverrideFunctor(*this), m_matchedOverrideIds, false);
} }
m_isHeaderOverrideScanRequired = false; m_isHeaderOverrideScanRequired = false;
return overrideStateResponse; return m_overrideState;
} }
Waf2TransactionFlags &Waf2Transaction::getTransactionFlags() Waf2TransactionFlags &Waf2Transaction::getTransactionFlags()

13
components/utils/generic_rulebase/evaluators/parameter_eval.cc
View File

@@ -22,6 +22,8 @@
using namespace std; using namespace std;
USE_DEBUG_FLAG(D_RULEBASE_CONFIG);
string ParameterMatcher::ctx_key = "parameters"; string ParameterMatcher::ctx_key = "parameters";
ParameterMatcher::ParameterMatcher(const vector<string> &params) ParameterMatcher::ParameterMatcher(const vector<string> &params)
@@ -33,6 +35,17 @@ ParameterMatcher::ParameterMatcher(const vector<string> &params)
Maybe<bool, Context::Error> Maybe<bool, Context::Error>
ParameterMatcher::evalVariable() const ParameterMatcher::evalVariable() const
{ {
I_Environment *env = Singleton::Consume<I_Environment>::by<ParameterMatcher>();
auto bc_param_id_ctx = env->get<set<GenericConfigId>>(ParameterMatcher::ctx_key);
dbgTrace(D_RULEBASE_CONFIG)
<< "Trying to match parameter. ID: "
<< parameter_id << ", Current set IDs: "
<< makeSeparatedStr(bc_param_id_ctx.ok() ? *bc_param_id_ctx : set<GenericConfigId>(), ", ");
if (bc_param_id_ctx.ok()) return bc_param_id_ctx.unpack().count(parameter_id) > 0;
dbgTrace(D_RULEBASE_CONFIG)
<< "Did not find current parameter in context."
<< " Match parameter from current rule";
auto rule = getConfiguration<BasicRuleConfig>("rulebase", "rulesConfig"); auto rule = getConfiguration<BasicRuleConfig>("rulebase", "rulesConfig");
return rule.ok() && rule.unpack().isParameterActive(parameter_id); return rule.ok() && rule.unpack().isParameterActive(parameter_id);
} }

6
components/utils/generic_rulebase/triggers_config.cc
View File

@@ -173,7 +173,7 @@ LogTriggerConf::load(cereal::JSONInputArchive& archive_in)
setTriggersFlag("webUrlQuery", archive_in, WebLogFields::webUrlQuery, log_web_fields); setTriggersFlag("webUrlQuery", archive_in, WebLogFields::webUrlQuery, log_web_fields);
setTriggersFlag("logToAgent", archive_in, ReportIS::StreamType::JSON_LOG_FILE, active_streams); setTriggersFlag("logToAgent", archive_in, ReportIS::StreamType::JSON_LOG_FILE, active_streams);
setTriggersFlag("logToCloud", archive_in, ReportIS::StreamType::JSON_FOG, active_streams); setTriggersFlag("logToCloud", archive_in, ReportIS::StreamType::JSON_FOG, active_streams);
setTriggersFlag("logToK8sService", archive_in, ReportIS::StreamType::JSON_K8S_SVC, active_streams); setTriggersFlag("logToContainerService", archive_in, ReportIS::StreamType::JSON_CONTAINER_SVC, active_streams);
setTriggersFlag("logToSyslog", archive_in, ReportIS::StreamType::SYSLOG, active_streams); setTriggersFlag("logToSyslog", archive_in, ReportIS::StreamType::SYSLOG, active_streams);
setTriggersFlag("logToCef", archive_in, ReportIS::StreamType::CEF, active_streams); setTriggersFlag("logToCef", archive_in, ReportIS::StreamType::CEF, active_streams);
setTriggersFlag("acAllow", archive_in, SecurityType::AccessControl, should_log_on_detect); setTriggersFlag("acAllow", archive_in, SecurityType::AccessControl, should_log_on_detect);
@@ -221,8 +221,8 @@ LogTriggerConf::load(cereal::JSONInputArchive& archive_in)
case ReportIS::StreamType::JSON_LOG_FILE: case ReportIS::StreamType::JSON_LOG_FILE:
setLogConfiguration(ReportIS::StreamType::JSON_LOG_FILE); setLogConfiguration(ReportIS::StreamType::JSON_LOG_FILE);
break; break;
case ReportIS::StreamType::JSON_K8S_SVC: case ReportIS::StreamType::JSON_CONTAINER_SVC:
setLogConfiguration(ReportIS::StreamType::JSON_K8S_SVC); setLogConfiguration(ReportIS::StreamType::JSON_CONTAINER_SVC);
break; break;
case ReportIS::StreamType::SYSLOG: case ReportIS::StreamType::SYSLOG:
setLogConfiguration(ReportIS::StreamType::SYSLOG, getUrlForSyslog(), syslog_protocol); setLogConfiguration(ReportIS::StreamType::SYSLOG, getUrlForSyslog(), syslog_protocol);

1321
config/crds/open-appsec-crd-latest.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

525
config/crds/open-appsec-crd-v1beta1.yaml Normal file
View File

@@ -0,0 +1,525 @@
Enter file contents hereapiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata :
name : customresponses.openappsec.io
spec:
group: openappsec.io
versions:
- name: v1beta1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
mode:
type: string
enum:
- block-page
#- redirect
- response-code-only
message-title:
type: string
message-body:
type: string
http-response-code:
type: integer
minimum: 100
maximum: 599
scope: Cluster
names:
plural: customresponses
singular: customresponse
kind: CustomResponse
shortNames:
- customresponse
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: exceptions.openappsec.io
spec:
group: openappsec.io
versions:
- name: v1beta1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: array
items:
type: object
required:
- action
properties:
action:
type: string
enum:
- skip
- accept
- drop
- suppressLog
sourceIp:
type: array
items:
type: string
url:
type: array
items:
type: string
sourceIdentifier:
type: array
items:
type: string
protectionName:
type: array
items:
type: string
paramValue:
type: array
items:
type: string
paramName:
type: array
items:
type: string
hostName:
type: array
items:
type: string
countryCode:
type: array
items:
type: string
countryName:
type: array
items:
type: string
comment:
type: string
scope: Cluster
names:
plural: exceptions
singular: exception
kind: Exception
shortNames:
- exception
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata :
name : logtriggers.openappsec.io
spec:
group: openappsec.io
versions:
- name: v1beta1
# Each version can be enabled/disabled by Served flag.
served: true
# One and only one version must be marked as the storage version.
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
access-control-logging:
type: object
properties:
allow-events:
type: boolean
drop-events:
type: boolean
appsec-logging:
type: object
properties:
detect-events:
type: boolean
prevent-events:
type: boolean
all-web-requests:
type: boolean
additional-suspicious-events-logging:
type: object
properties:
enabled:
type: boolean
minimum-severity:
type: string
enum:
- high
- critical
response-body:
type: boolean
response-code:
type: boolean
extended-logging:
type: object
properties:
url-path:
type: boolean
url-query:
type: boolean
http-headers:
type: boolean
request-body:
type: boolean
log-destination:
type: object
properties:
cloud:
type: boolean
syslog-service: #change to object array
type: array
items:
type: object
properties:
address:
type: string
port:
type: integer
file:
type: string
stdout:
type: object
properties:
format:
type: string
enum:
- json
- json-formatted
cef-service:
type: array
items:
type: object
properties:
address:
type: string
port:
type: integer
proto:
type: string
enum:
- tcp
- udp
scope: Cluster
names:
plural: logtriggers
singular: logtrigger
kind: LogTrigger
shortNames:
- logtrigger
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata :
name : policies.openappsec.io
spec:
group: openappsec.io
versions:
- name: v1beta1
# Each version can be enabled/disabled by Served flag.
served: true
# One and only one version must be marked as the storage version.
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
default:
type: object
properties:
mode:
type: string
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
practices:
type: array
items:
type: string
triggers:
type: array
items:
type: string
custom-response:
type: string
source-identifiers:
type: string
trusted-sources:
type: string
exceptions:
type: array
items:
type: string
specific-rules:
type: array
items:
type: object
properties:
host:
type: string
mode:
type: string
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
practices:
type: array
items:
type: string
triggers:
type: array
items:
type: string
custom-response:
type: string
source-identifiers:
type: string
trusted-sources:
type: string
exceptions:
type: array
items:
type: string
scope: Cluster
names:
plural: policies
singular: policy
kind: Policy
shortNames:
- policy
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata :
name : practices.openappsec.io
spec:
group: openappsec.io
versions:
- name: v1beta1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
web-attacks:
type: object
properties:
override-mode:
type: string
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
minimum-confidence:
type: string
enum:
- medium
- high
- critical
max-url-size-bytes:
type: integer
max-object-depth:
type: integer
max-body-size-kb:
type: integer
max-header-size-bytes:
type: integer
protections:
type: object
properties:
csrf-enabled:
type: string
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
error-disclosure-enabled:
type: string
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
open-redirect-enabled:
type: string
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
non-valid-http-methods:
type: boolean
anti-bot:
type: object
properties:
override-mode:
type: string
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
injected-URIs:
type: array
items:
type: object
properties:
uri:
type: string
validated-URIs:
type: array
items:
type: object
properties:
uri:
type: string
snort-signatures:
type: object
properties:
override-mode:
type: string
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
configmap:
type: array
items:
type: string
openapi-schema-validation:
type: object
properties:
override-mode:
type: string
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
configmap:
type: array
items:
type: string
scope: Cluster
names:
plural: practices
singular: practice
kind: Practice
shortNames:
- practice
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata :
name : sourcesidentifiers.openappsec.io
spec:
group: openappsec.io
versions:
- name: v1beta1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: array
items:
type: object
properties:
sourceIdentifier:
type: string
enum:
- headerkey
- JWTKey
- cookie
- sourceip
- x-forwarded-for
value:
type: array
items:
type: string
scope: Cluster
names:
plural: sourcesidentifiers
singular: sourcesidentifier
kind: SourcesIdentifier
shortNames:
- sourcesidentifier
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata :
name : trustedsources.openappsec.io
spec:
group: openappsec.io
versions:
- name: v1beta1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
minNumOfSources:
type: integer
sourcesIdentifiers:
type: array
items:
type: string
scope: Cluster
names:
plural: trustedsources
singular: trustedsource
kind: TrustedSource
shortNames:
- trustedsource

1321
config/crds/open-appsec-crd-v1beta2.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

126
config/k8s/latest/open-appsec-k8s-default-config-v1beta2.yaml Normal file
View File

@@ -0,0 +1,126 @@
# open-appsec default declarative configuration file
# based on schema version: "v1beta2"
# more information on declarative configuration: https://docs.openappsec.io
apiVersion: openappsec.io/v1beta2
kind: Policy
metadata:
name: default-policy
spec:
default:
# start in detect-learn and move to prevent-learn based on learning progress
mode: detect-learn
threatPreventionPractices:
- default-threat-prevention-practice
accessControlPractices:
- default-access-control-practice
customResponses: default-web-user-response
triggers:
- default-log-trigger
specificRules:
- host: www.example.com
# this is an example for specific rule, adjust the values as required for the protected app
mode: detect-learn
threatPreventionPractices:
- default-threat-prevention-practice
accessControlPractices:
- default-access-control-practice
triggers:
- default-log-trigger
---
apiVersion: openappsec.io/v1beta2
kind: ThreatPreventionPractice
metadata:
name: default-threat-prevention-practice
spec:
practiceMode: inherited
webAttacks:
overrideMode: inherited
minimumConfidence: high
intrusionPrevention:
# intrusion prevention (IPS) requires "Premium Edition"
overrideMode: inherited
maxPerformanceImpact: medium
minSeverityLevel: medium
minCveYear: 2016
highConfidenceEventAction: inherited
mediumConfidenceEventAction: inherited
lowConfidenceEventAction: detect
fileSecurity:
# file security requires "Premium Edition"
overrideMode: inherited
minSeverityLevel: medium
highConfidenceEventAction: inherited
mediumConfidenceEventAction: inherited
lowConfidenceEventAction: detect
snortSignatures:
# you must specify snort signatures in configmap or file to activate snort inspection
overrideMode: inherited
configmap: []
# relevant for deployments on kubernetes
# 0 or 1 configmaps supported in array
files: []
# relevant for docker and linux embedded deployments
# 0 or 1 files supported in array
openapiSchemaValidation: # schema validation requires "Premium Edition"
overrideMode: inherited
configmap: []
# relevant for deployments on kubernetes
# 0 or 1 configmaps supported in array
files: []
# relevant for docker and linux embedded deployments
# 0 or 1 files supported in array
antiBot: # antibot requires "Premium Edition"
overrideMode: inherited
injectedUris: []
validatedUris: []
---
apiVersion: openappsec.io/v1beta2
kind: AccessControlPractice
metadata:
name: default-access-control-practice
spec:
practiceMode: inherited
rateLimit:
# specify one or more rules below to use rate limiting
overrideMode: inherited
rules: []
---
apiVersion: openappsec.io/v1beta2
kind: LogTrigger
metadata:
name: default-log-trigger
spec:
accessControlLogging:
allowEvents: false
dropEvents: true
appsecLogging:
detectEvents: true
preventEvents: true
allWebRequests: false
extendedLogging:
urlPath: true
urlQuery: true
httpHeaders: false
requestBody: false
additionalSuspiciousEventsLogging:
enabled: true
minSeverity: high
responseBody: false
responseCode: true
logDestination:
cloud: true
logToAgent: false
stdout:
format: json
---
apiVersion: openappsec.io/v1beta2
kind: CustomResponse
metadata:
name: default-web-user-response
spec:
mode: response-code-only
httpResponseCode: 403

126
config/k8s/latest/open-appsec-k8s-prevent-config-v1beta2.yaml Normal file
View File

@@ -0,0 +1,126 @@
# open-appsec default declarative configuration file
# based on schema version: "v1beta2"
# more information on declarative configuration: https://docs.openappsec.io
apiVersion: openappsec.io/v1beta2
kind: Policy
metadata:
name: default-policy
spec:
default:
# start in prevent-learn
mode: prevent-learn
threatPreventionPractices:
- default-threat-prevention-practice
accessControlPractices:
- default-access-control-practice
customResponses: default-web-user-response
triggers:
- default-log-trigger
specificRules:
- host: www.example.com
# this is an example for specific rule, adjust the values as required for the protected app
mode: prevent-learn
threatPreventionPractices:
- default-threat-prevention-practice
accessControlPractices:
- default-access-control-practice
triggers:
- default-log-trigger
---
apiVersion: openappsec.io/v1beta2
kind: ThreatPreventionPractice
metadata:
name: default-threat-prevention-practice
spec:
practiceMode: inherited
webAttacks:
overrideMode: inherited
minimumConfidence: high
intrusionPrevention:
# intrusion prevention (IPS) requires "Premium Edition"
overrideMode: inherited
maxPerformanceImpact: medium
minSeverityLevel: medium
minCveYear: 2016
highConfidenceEventAction: inherited
mediumConfidenceEventAction: inherited
lowConfidenceEventAction: detect
fileSecurity:
# file security requires "Premium Edition"
overrideMode: inherited
minSeverityLevel: medium
highConfidenceEventAction: inherited
mediumConfidenceEventAction: inherited
lowConfidenceEventAction: detect
snortSignatures:
# you must specify snort signatures in configmap or file to activate snort inspection
overrideMode: inherited
configmap: []
# relevant for deployments on kubernetes
# 0 or 1 configmaps supported in array
files: []
# relevant for docker and linux embedded deployments
# 0 or 1 files supported in array
openapiSchemaValidation: # schema validation requires "Premium Edition"
overrideMode: inherited
configmap: []
# relevant for deployments on kubernetes
# 0 or 1 configmaps supported in array
files: []
# relevant for docker and linux embedded deployments
# 0 or 1 files supported in array
antiBot: # antibot requires "Premium Edition"
overrideMode: inherited
injectedUris: []
validatedUris: []
---
apiVersion: openappsec.io/v1beta2
kind: AccessControlPractice
metadata:
name: default-access-control-practice
spec:
practiceMode: inherited
rateLimit:
# specify one or more rules below to use rate limiting
overrideMode: inherited
rules: []
---
apiVersion: openappsec.io/v1beta2
kind: LogTrigger
metadata:
name: default-log-trigger
spec:
accessControlLogging:
allowEvents: false
dropEvents: true
appsecLogging:
detectEvents: true
preventEvents: true
allWebRequests: false
extendedLogging:
urlPath: true
urlQuery: true
httpHeaders: false
requestBody: false
additionalSuspiciousEventsLogging:
enabled: true
minSeverity: high
responseBody: false
responseCode: true
logDestination:
cloud: true
logToAgent: false
stdout:
format: json
---
apiVersion: openappsec.io/v1beta2
kind: CustomResponse
metadata:
name: default-web-user-response
spec:
mode: response-code-only
httpResponseCode: 403

13
config/k8s/v1beta1/open-appsec-k8s-default-config-v1beta1.yaml Normal file
View File

@@ -0,0 +1,13 @@
apiVersion: openappsec.io/v1beta1
kind: Policy
metadata:
name: open-appsec-best-practice-policy
spec:
default:
mode: detect-learn
practices: [appsec-best-practice]
triggers: [appsec-log-trigger]
custom-response: 403-forbidden
source-identifiers: ""
trusted-sources: ""
exceptions: []

13
config/k8s/v1beta1/open-appsec-k8s-prevent-config-v1beta1.yaml Normal file
View File

@@ -0,0 +1,13 @@
apiVersion: openappsec.io/v1beta1
kind: Policy
metadata:
name: open-appsec-best-practice-policy
spec:
default:
mode: prevent-learn
practices: [appsec-best-practice]
triggers: [appsec-log-trigger]
custom-response: 403-forbidden
source-identifiers: ""
trusted-sources: ""
exceptions: []

126
config/k8s/v1beta2/open-appsec-k8s-default-config-v1beta2.yaml Normal file
View File

@@ -0,0 +1,126 @@
# open-appsec default declarative configuration file
# based on schema version: "v1beta2"
# more information on declarative configuration: https://docs.openappsec.io
apiVersion: openappsec.io/v1beta2
kind: Policy
metadata:
name: default-policy
spec:
default:
# start in detect-learn and move to prevent-learn based on learning progress
mode: detect-learn
threatPreventionPractices:
- default-threat-prevention-practice
accessControlPractices:
- default-access-control-practice
customResponses: default-web-user-response
triggers:
- default-log-trigger
specificRules:
- host: www.example.com
# this is an example for specific rule, adjust the values as required for the protected app
mode: detect-learn
threatPreventionPractices:
- default-threat-prevention-practice
accessControlPractices:
- default-access-control-practice
triggers:
- default-log-trigger
---
apiVersion: openappsec.io/v1beta2
kind: ThreatPreventionPractice
metadata:
name: default-threat-prevention-practice
spec:
practiceMode: inherited
webAttacks:
overrideMode: inherited
minimumConfidence: high
intrusionPrevention:
# intrusion prevention (IPS) requires "Premium Edition"
overrideMode: inherited
maxPerformanceImpact: medium
minSeverityLevel: medium
minCveYear: 2016
highConfidenceEventAction: inherited
mediumConfidenceEventAction: inherited
lowConfidenceEventAction: detect
fileSecurity:
# file security requires "Premium Edition"
overrideMode: inherited
minSeverityLevel: medium
highConfidenceEventAction: inherited
mediumConfidenceEventAction: inherited
lowConfidenceEventAction: detect
snortSignatures:
# you must specify snort signatures in configmap or file to activate snort inspection
overrideMode: inherited
configmap: []
# relevant for deployments on kubernetes
# 0 or 1 configmaps supported in array
files: []
# relevant for docker and linux embedded deployments
# 0 or 1 files supported in array
openapiSchemaValidation: # schema validation requires "Premium Edition"
overrideMode: inherited
configmap: []
# relevant for deployments on kubernetes
# 0 or 1 configmaps supported in array
files: []
# relevant for docker and linux embedded deployments
# 0 or 1 files supported in array
antiBot: # antibot requires "Premium Edition"
overrideMode: inherited
injectedUris: []
validatedUris: []
---
apiVersion: openappsec.io/v1beta2
kind: AccessControlPractice
metadata:
name: default-access-control-practice
spec:
practiceMode: inherited
rateLimit:
# specify one or more rules below to use rate limiting
overrideMode: inherited
rules: []
---
apiVersion: openappsec.io/v1beta2
kind: LogTrigger
metadata:
name: default-log-trigger
spec:
accessControlLogging:
allowEvents: false
dropEvents: true
appsecLogging:
detectEvents: true
preventEvents: true
allWebRequests: false
extendedLogging:
urlPath: true
urlQuery: true
httpHeaders: false
requestBody: false
additionalSuspiciousEventsLogging:
enabled: true
minSeverity: high
responseBody: false
responseCode: true
logDestination:
cloud: true
logToAgent: false
stdout:
format: json
---
apiVersion: openappsec.io/v1beta2
kind: CustomResponse
metadata:
name: default-web-user-response
spec:
mode: response-code-only
httpResponseCode: 403

126
config/k8s/v1beta2/open-appsec-k8s-prevent-config-v1beta2.yaml Normal file
View File

@@ -0,0 +1,126 @@
# open-appsec default declarative configuration file
# based on schema version: "v1beta2"
# more information on declarative configuration: https://docs.openappsec.io
apiVersion: openappsec.io/v1beta2
kind: Policy
metadata:
name: default-policy
spec:
default:
# start in prevent-learn
mode: prevent-learn
threatPreventionPractices:
- default-threat-prevention-practice
accessControlPractices:
- default-access-control-practice
customResponses: default-web-user-response
triggers:
- default-log-trigger
specificRules:
- host: www.example.com
# this is an example for specific rule, adjust the values as required for the protected app
mode: prevent-learn
threatPreventionPractices:
- default-threat-prevention-practice
accessControlPractices:
- default-access-control-practice
triggers:
- default-log-trigger
---
apiVersion: openappsec.io/v1beta2
kind: ThreatPreventionPractice
metadata:
name: default-threat-prevention-practice
spec:
practiceMode: inherited
webAttacks:
overrideMode: inherited
minimumConfidence: high
intrusionPrevention:
# intrusion prevention (IPS) requires "Premium Edition"
overrideMode: inherited
maxPerformanceImpact: medium
minSeverityLevel: medium
minCveYear: 2016
highConfidenceEventAction: inherited
mediumConfidenceEventAction: inherited
lowConfidenceEventAction: detect
fileSecurity:
# file security requires "Premium Edition"
overrideMode: inherited
minSeverityLevel: medium
highConfidenceEventAction: inherited
mediumConfidenceEventAction: inherited
lowConfidenceEventAction: detect
snortSignatures:
# you must specify snort signatures in configmap or file to activate snort inspection
overrideMode: inherited
configmap: []
# relevant for deployments on kubernetes
# 0 or 1 configmaps supported in array
files: []
# relevant for docker and linux embedded deployments
# 0 or 1 files supported in array
openapiSchemaValidation: # schema validation requires "Premium Edition"
overrideMode: inherited
configmap: []
# relevant for deployments on kubernetes
# 0 or 1 configmaps supported in array
files: []
# relevant for docker and linux embedded deployments
# 0 or 1 files supported in array
antiBot: # antibot requires "Premium Edition"
overrideMode: inherited
injectedUris: []
validatedUris: []
---
apiVersion: openappsec.io/v1beta2
kind: AccessControlPractice
metadata:
name: default-access-control-practice
spec:
practiceMode: inherited
rateLimit:
# specify one or more rules below to use rate limiting
overrideMode: inherited
rules: []
---
apiVersion: openappsec.io/v1beta2
kind: LogTrigger
metadata:
name: default-log-trigger
spec:
accessControlLogging:
allowEvents: false
dropEvents: true
appsecLogging:
detectEvents: true
preventEvents: true
allWebRequests: false
extendedLogging:
urlPath: true
urlQuery: true
httpHeaders: false
requestBody: false
additionalSuspiciousEventsLogging:
enabled: true
minSeverity: high
responseBody: false
responseCode: true
logDestination:
cloud: true
logToAgent: false
stdout:
format: json
---
apiVersion: openappsec.io/v1beta2
kind: CustomResponse
metadata:
name: default-web-user-response
spec:
mode: response-code-only
httpResponseCode: 403

62
config/linux/latest/detect/local_policy.yaml Normal file
View File

@@ -0,0 +1,62 @@
policies:
default:
triggers:
- appsec-default-log-trigger
mode: detect-learn
practices:
- webapp-default-practice
custom-response: appsec-default-web-user-response
specific-rules: []
practices:
- name: webapp-default-practice
openapi-schema-validation:
configmap: []
override-mode: detect-learn
snort-signatures:
configmap: []
override-mode: detect-learn
web-attacks:
max-body-size-kb: 1000000
max-header-size-bytes: 102400
max-object-depth: 40
max-url-size-bytes: 32768
minimum-confidence: critical
override-mode: detect-learn
protections:
csrf-protection: inactive
error-disclosure: inactive
non-valid-http-methods: false
open-redirect: inactive
anti-bot:
injected-URIs: []
validated-URIs: []
override-mode: detect-learn
log-triggers:
- name: appsec-default-log-trigger
access-control-logging:
allow-events: false
drop-events: true
additional-suspicious-events-logging:
enabled: true
minimum-severity: high
response-body: false
appsec-logging:
all-web-requests: false
detect-events: true
prevent-events: true
extended-logging:
http-headers: false
request-body: false
url-path: false
url-query: false
log-destination:
cloud: true
stdout:
format: json
custom-responses:
- name: appsec-default-web-user-response
mode: response-code-only
http-response-code: 403

62
config/linux/latest/prevent/local_policy.yaml Normal file
View File

@@ -0,0 +1,62 @@
policies:
default:
triggers:
- appsec-default-log-trigger
mode: prevent-learn
practices:
- webapp-default-practice
custom-response: appsec-default-web-user-response
specific-rules: []
practices:
- name: webapp-default-practice
openapi-schema-validation:
configmap: []
override-mode: prevent-learn
snort-signatures:
configmap: []
override-mode: prevent-learn
web-attacks:
max-body-size-kb: 1000000
max-header-size-bytes: 102400
max-object-depth: 40
max-url-size-bytes: 32768
minimum-confidence: critical
override-mode: prevent-learn
protections:
csrf-protection: inactive
error-disclosure: inactive
non-valid-http-methods: false
open-redirect: inactive
anti-bot:
injected-URIs: []
validated-URIs: []
override-mode: prevent-learn
log-triggers:
- name: appsec-default-log-trigger
access-control-logging:
allow-events: false
drop-events: true
additional-suspicious-events-logging:
enabled: true
minimum-severity: high
response-body: false
appsec-logging:
all-web-requests: false
detect-events: true
prevent-events: true
extended-logging:
http-headers: false
request-body: false
url-path: false
url-query: false
log-destination:
cloud: true
stdout:
format: json
custom-responses:
- name: appsec-default-web-user-response
mode: response-code-only
http-response-code: 403

62
config/linux/v1beta1/detect/local_policy.yaml Normal file
View File

@@ -0,0 +1,62 @@
policies:
default:
triggers:
- appsec-default-log-trigger
mode: detect-learn
practices:
- webapp-default-practice
custom-response: appsec-default-web-user-response
specific-rules: []
practices:
- name: webapp-default-practice
openapi-schema-validation:
configmap: []
override-mode: detect-learn
snort-signatures:
configmap: []
override-mode: detect-learn
web-attacks:
max-body-size-kb: 1000000
max-header-size-bytes: 102400
max-object-depth: 40
max-url-size-bytes: 32768
minimum-confidence: critical
override-mode: detect-learn
protections:
csrf-protection: inactive
error-disclosure: inactive
non-valid-http-methods: false
open-redirect: inactive
anti-bot:
injected-URIs: []
validated-URIs: []
override-mode: detect-learn
log-triggers:
- name: appsec-default-log-trigger
access-control-logging:
allow-events: false
drop-events: true
additional-suspicious-events-logging:
enabled: true
minimum-severity: high
response-body: false
appsec-logging:
all-web-requests: false
detect-events: true
prevent-events: true
extended-logging:
http-headers: false
request-body: false
url-path: false
url-query: false
log-destination:
cloud: true
stdout:
format: json
custom-responses:
- name: appsec-default-web-user-response
mode: response-code-only
http-response-code: 403

62
config/linux/v1beta1/prevent/local_policy.yaml Normal file
View File

@@ -0,0 +1,62 @@
policies:
default:
triggers:
- appsec-default-log-trigger
mode: prevent-learn
practices:
- webapp-default-practice
custom-response: appsec-default-web-user-response
specific-rules: []
practices:
- name: webapp-default-practice
openapi-schema-validation:
configmap: []
override-mode: prevent-learn
snort-signatures:
configmap: []
override-mode: prevent-learn
web-attacks:
max-body-size-kb: 1000000
max-header-size-bytes: 102400
max-object-depth: 40
max-url-size-bytes: 32768
minimum-confidence: critical
override-mode: prevent-learn
protections:
csrf-protection: inactive
error-disclosure: inactive
non-valid-http-methods: false
open-redirect: inactive
anti-bot:
injected-URIs: []
validated-URIs: []
override-mode: prevent-learn
log-triggers:
- name: appsec-default-log-trigger
access-control-logging:
allow-events: false
drop-events: true
additional-suspicious-events-logging:
enabled: true
minimum-severity: high
response-body: false
appsec-logging:
all-web-requests: false
detect-events: true
prevent-events: true
extended-logging:
http-headers: false
request-body: false
url-path: false
url-query: false
log-destination:
cloud: true
stdout:
format: json
custom-responses:
- name: appsec-default-web-user-response
mode: response-code-only
http-response-code: 403

111
config/linux/v1beta2/default/local_policy.yaml Normal file
View File

@@ -0,0 +1,111 @@
# open-appsec default declarative configuration file
# based on schema version: "v1beta2"
# more information on declarative configuration: https://docs.openappsec.io
apiVersion: v1beta2
policies:
default:
# start in detect-learn and move to prevent-learn based on learning progress
mode: detect-learn
threatPreventionPractices:
- default-threat-prevention-practice
accessControlPractices:
- default-access-control-practice
customResponses: default-web-user-response
triggers:
- default-log-trigger
specificRules:
- host: www.example.com
# this is an example for specific rule, adjust the values as required for the protected app
mode: detect-learn
threatPreventionPractices:
- default-threat-prevention-practice
accessControlPractices:
- default-access-control-practice
triggers:
- default-log-trigger
threatPreventionPractices:
- name: default-threat-prevention-practice
practiceMode: inherited
webAttacks:
overrideMode: inherited
minimumConfidence: high
intrusionPrevention:
# intrusion prevention (IPS) requires "Premium Edition"
overrideMode: inherited
maxPerformanceImpact: medium
minSeverityLevel: medium
minCveYear: 2016
highConfidenceEventAction: inherited
mediumConfidenceEventAction: inherited
lowConfidenceEventAction: detect
fileSecurity:
# file security requires "Premium Edition"
overrideMode: inherited
minSeverityLevel: medium
highConfidenceEventAction: inherited
mediumConfidenceEventAction: inherited
lowConfidenceEventAction: detect
snortSignatures:
# you must specify snort signatures in configmap or file to activate snort inspection
overrideMode: inherited
configmap: []
# relevant for deployments on kubernetes
# 0 or 1 configmaps supported in array
files: []
# relevant for docker and linux embedded deployments
# 0 or 1 files supported in array
openapiSchemaValidation: # schema validation requires "Premium Edition"
overrideMode: inherited
configmap: []
# relevant for deployments on kubernetes
# 0 or 1 configmaps supported in array
files: []
# relevant for docker and linux embedded deployments
# 0 or 1 files supported in array
antiBot: # antibot requires "Premium Edition"
overrideMode: inherited
injectedUris: []
validatedUris: []
accessControlPractices:
- name: default-access-control-practice
practiceMode: inherited
rateLimit:
# specify one or more rules below to use rate limiting
overrideMode: inherited
rules: []
logTriggers:
- name: default-log-trigger
accessControlLogging:
allowEvents: false
dropEvents: true
appsecLogging:
detectEvents: true
preventEvents: true
allWebRequests: false
extendedLogging:
urlPath: true
urlQuery: true
httpHeaders: false
requestBody: false
additionalSuspiciousEventsLogging:
enabled: true
minSeverity: high
responseBody: false
responseCode: true
logDestination:
cloud: true
logToAgent: false
stdout:
format: json
customResponses:
- name: default-web-user-response
mode: response-code-only
httpResponseCode: 403

110
config/linux/v1beta2/prevent/local_policy.yaml Normal file
View File

@@ -0,0 +1,110 @@
# open-appsec default declarative configuration file
# based on schema version: "v1beta2"
# more information on declarative configuration: https://docs.openappsec.io
apiVersion: v1beta2
policies:
default:
# start in prevent-learn
mode: prevent-learn
threatPreventionPractices:
- default-threat-prevention-practice
accessControlPractices:
- default-access-control-practice
customResponses: default-web-user-response
triggers:
- default-log-trigger
specificRules:
- host: www.example.com
# this is an example for specific rule, adjust the values as required for the protected app
mode: detect-learn
threatPreventionPractices:
- default-threat-prevention-practice
accessControlPractices:
- default-access-control-practice
triggers:
- default-log-trigger
threatPreventionPractices:
- name: default-threat-prevention-practice
practiceMode: inherited
webAttacks:
overrideMode: inherited
minimumConfidence: high
intrusionPrevention:
# intrusion prevention (IPS) requires "Premium Edition"
overrideMode: inherited
maxPerformanceImpact: medium
minSeverityLevel: medium
minCveYear: 2016
highConfidenceEventAction: inherited
mediumConfidenceEventAction: inherited
lowConfidenceEventAction: detect
fileSecurity:
# file security requires "Premium Edition"
overrideMode: inherited
minSeverityLevel: medium
highConfidenceEventAction: inherited
mediumConfidenceEventAction: inherited
lowConfidenceEventAction: detect
snortSignatures:
# you must specify snort signatures in configmap or file to activate snort inspection
overrideMode: inherited
configmap: []
# relevant for deployments on kubernetes
# 0 or 1 configmaps supported in array
files: []
# relevant for docker and linux embedded deployments
# 0 or 1 files supported in array
openapiSchemaValidation: # schema validation requires "Premium Edition"
overrideMode: inherited
configmap: []
# relevant for deployments on kubernetes
# 0 or 1 configmaps supported in array
files: []
# relevant for docker and linux embedded deployments
# 0 or 1 files supported in array
antiBot: # antibot requires "Premium Edition"
overrideMode: inherited
injectedUris: []
validatedUris: []
accessControlPractices:
- name: default-access-control-practice
practiceMode: inherited
rateLimit:
# specify one or more rules below to use rate limiting
overrideMode: inherited
rules: []
logTriggers:
- name: default-log-trigger
accessControlLogging:
allowEvents: false
dropEvents: true
appsecLogging:
detectEvents: true
preventEvents: true
allWebRequests: false
extendedLogging:
urlPath: true
urlQuery: true
httpHeaders: false
requestBody: false
additionalSuspiciousEventsLogging:
enabled: true
minSeverity: high
responseBody: false
responseCode: true
logDestination:
cloud: true
logToAgent: false
stdout:
format: json
customResponses:
- name: default-web-user-response
mode: response-code-only
httpResponseCode: 403

2
core/agent_core_utilities/agent_core_utilities.cc
View File

@@ -175,7 +175,7 @@ copyFile(const string &src, const string &dest, bool overide_if_exists, mode_t p
struct stat stat_buf; struct stat stat_buf;
int source_fd = open(src.c_str(), O_RDONLY); int source_fd = open(src.c_str(), O_RDONLY);
fstat(source_fd, &stat_buf); fstat(source_fd, &stat_buf);
int dest_fd = open(dest.c_str(), O_WRONLY | O_CREAT, permission); int dest_fd = open(dest.c_str(), O_WRONLY | O_CREAT | O_TRUNC, permission);
int bytes_copied = 1; int bytes_copied = 1;
while (bytes_copied > 0) { while (bytes_copied > 0) {
static const int buf_size = 4096*1000; static const int buf_size = 4096*1000;

13
core/agent_core_utilities/agent_core_utilities_ut/agent_core_utilities_ut.cc
View File

@@ -37,8 +37,11 @@ TEST_F(AgentCoreUtilUT, filesTest)
EXPECT_FALSE(NGEN::Filesystem::exists("/i/am/not/a/real/path")); EXPECT_FALSE(NGEN::Filesystem::exists("/i/am/not/a/real/path"));
const vector<string> lines{"i am a line in the text file", "i am iron man"}; const vector<string> lines{"i am a line in the text file", "i am iron man"};
const vector<string> lines_b{"i am a line 2 in the text file", "i am iron man 2", "hello again"};
CPTestTempfile test_file(lines); CPTestTempfile test_file(lines);
CPTestTempfile test_file_b(lines_b);
ASSERT_TRUE(NGEN::Filesystem::exists(test_file.fname)); ASSERT_TRUE(NGEN::Filesystem::exists(test_file.fname));
ASSERT_TRUE(NGEN::Filesystem::exists(test_file_b.fname));
string output_orig = test_file.readFile(); string output_orig = test_file.readFile();
string new_path = test_file.fname + ".new"; string new_path = test_file.fname + ".new";
@@ -46,6 +49,7 @@ TEST_F(AgentCoreUtilUT, filesTest)
ASSERT_TRUE(NGEN::Filesystem::exists(new_path)); ASSERT_TRUE(NGEN::Filesystem::exists(new_path));
ASSERT_FALSE(NGEN::Filesystem::copyFile(test_file.fname, new_path, false)); ASSERT_FALSE(NGEN::Filesystem::copyFile(test_file.fname, new_path, false));
ASSERT_TRUE(NGEN::Filesystem::copyFile(test_file.fname, new_path, true)); ASSERT_TRUE(NGEN::Filesystem::copyFile(test_file.fname, new_path, true));
ASSERT_TRUE(NGEN::Filesystem::copyFile(test_file.fname, test_file_b.fname, true));
string output_new; string output_new;
{ {
ifstream new_file_stream(new_path); ifstream new_file_stream(new_path);
@@ -55,11 +59,20 @@ TEST_F(AgentCoreUtilUT, filesTest)
output_new = buffer.str(); output_new = buffer.str();
} }
string output_test_b;
ifstream new_file_stream(test_file_b.fname);
ASSERT_TRUE(new_file_stream.good());
stringstream buffer;
buffer << new_file_stream.rdbuf();
output_test_b = buffer.str();
EXPECT_EQ(output_orig, output_new); EXPECT_EQ(output_orig, output_new);
EXPECT_EQ(output_orig, output_test_b);
EXPECT_THAT(output_new, HasSubstr("i am a line in the text file")); EXPECT_THAT(output_new, HasSubstr("i am a line in the text file"));
EXPECT_THAT(output_new, HasSubstr("i am iron man")); EXPECT_THAT(output_new, HasSubstr("i am iron man"));
EXPECT_TRUE(NGEN::Filesystem::deleteFile(test_file.fname)); EXPECT_TRUE(NGEN::Filesystem::deleteFile(test_file.fname));
EXPECT_TRUE(NGEN::Filesystem::deleteFile(new_path)); EXPECT_TRUE(NGEN::Filesystem::deleteFile(new_path));
EXPECT_TRUE(NGEN::Filesystem::deleteFile(test_file_b.fname));
EXPECT_FALSE(NGEN::Filesystem::exists(test_file.fname)); EXPECT_FALSE(NGEN::Filesystem::exists(test_file.fname));
EXPECT_FALSE(NGEN::Filesystem::exists(new_path)); EXPECT_FALSE(NGEN::Filesystem::exists(new_path));
} }

12
core/agent_details_reporter/agent_details_reporter.cc
View File

@@ -71,6 +71,7 @@ public:
bool addAttr(const string &key, const string &val, bool allow_override = false) override; bool addAttr(const string &key, const string &val, bool allow_override = false) override;
bool addAttr(const map<string, string> &attr, bool allow_override = false) override; bool addAttr(const map<string, string> &attr, bool allow_override = false) override;
void deleteAttr(const string &key) override; void deleteAttr(const string &key) override;
bool isPersistantAttr(const string &key) override;
bool sendAttributes() override; bool sendAttributes() override;
@@ -130,6 +131,7 @@ private:
map<string, string> persistant_attributes; map<string, string> persistant_attributes;
map<string, string> new_attributes; map<string, string> new_attributes;
map<string, string> attributes; map<string, string> attributes;
bool is_attr_deleted = false;
I_Messaging *messaging = nullptr; I_Messaging *messaging = nullptr;
bool is_server; bool is_server;
@@ -207,6 +209,13 @@ AgentDetailsReporter::Impl::deleteAttr(const string &key)
attributes.erase(key); attributes.erase(key);
new_attributes.erase(key); new_attributes.erase(key);
persistant_attributes.erase(key); persistant_attributes.erase(key);
is_attr_deleted = true;
}
bool
AgentDetailsReporter::Impl::isPersistantAttr(const std::string &key)
{
return persistant_attributes.count(key) > 0;
} }
bool bool
@@ -214,7 +223,7 @@ AgentDetailsReporter::Impl::sendAttributes()
{ {
dbgDebug(D_AGENT_DETAILS) << "Trying to send attributes"; dbgDebug(D_AGENT_DETAILS) << "Trying to send attributes";
if (new_attributes.empty()) { if (new_attributes.empty() && !is_attr_deleted) {
dbgDebug(D_AGENT_DETAILS) << "Skipping current attempt since no new attributes were added"; dbgDebug(D_AGENT_DETAILS) << "Skipping current attempt since no new attributes were added";
return true; return true;
} }
@@ -261,6 +270,7 @@ AgentDetailsReporter::Impl::sendAttributes()
if (add_agent_details_status.ok()) { if (add_agent_details_status.ok()) {
dbgDebug(D_AGENT_DETAILS) << "Successfully sent attributes to the Orchestrator"; dbgDebug(D_AGENT_DETAILS) << "Successfully sent attributes to the Orchestrator";
new_attributes.clear(); new_attributes.clear();
is_attr_deleted = false;
return true; return true;
} }

1
core/agent_details_reporter/agent_details_reporter_ut/agent_details_reporter_ut.cc
View File

@@ -213,6 +213,7 @@ TEST_F(AgentReporterTest, basicAttrTest)
EXPECT_TRUE(report->addAttr({{"c", "d"}, {"1", "2"}, {"delete", "me"}})); EXPECT_TRUE(report->addAttr({{"c", "d"}, {"1", "2"}, {"delete", "me"}}));
EXPECT_FALSE(report->addAttr("a", "d")); EXPECT_FALSE(report->addAttr("a", "d"));
EXPECT_TRUE(report->addAttr("a", "1", true)); EXPECT_TRUE(report->addAttr("a", "1", true));
EXPECT_TRUE(report->isPersistantAttr("a"));
report->deleteAttr("delete"); report->deleteAttr("delete");
{ {
AgentDataReport agent_data; AgentDataReport agent_data;

8
core/attachments/http_configuration/http_configuration.cc
View File

@@ -108,7 +108,10 @@ HttpAttachmentConfiguration::save(cereal::JSONOutputArchive &archive) const
), ),
cereal::make_nvp("nginx_inspection_mode", getNumericalValue("inspection_mode")), cereal::make_nvp("nginx_inspection_mode", getNumericalValue("inspection_mode")),
cereal::make_nvp("num_of_nginx_ipc_elements", getNumericalValue("num_of_nginx_ipc_elements")), cereal::make_nvp("num_of_nginx_ipc_elements", getNumericalValue("num_of_nginx_ipc_elements")),
cereal::make_nvp("keep_alive_interval_msec", getNumericalValue("keep_alive_interval_msec")) cereal::make_nvp("keep_alive_interval_msec", getNumericalValue("keep_alive_interval_msec")),
cereal::make_nvp("min_retries_for_verdict", getNumericalValue("min_retries_for_verdict")),
cereal::make_nvp("max_retries_for_verdict", getNumericalValue("max_retries_for_verdict")),
cereal::make_nvp("body_size_trigger", getNumericalValue("body_size_trigger"))
); );
} }
@@ -161,6 +164,9 @@ HttpAttachmentConfiguration::load(cereal::JSONInputArchive &archive)
loadNumericalValue(archive, "nginx_inspection_mode", 0); loadNumericalValue(archive, "nginx_inspection_mode", 0);
loadNumericalValue(archive, "num_of_nginx_ipc_elements", 200); loadNumericalValue(archive, "num_of_nginx_ipc_elements", 200);
loadNumericalValue(archive, "keep_alive_interval_msec", DEFAULT_KEEP_ALIVE_INTERVAL_MSEC); loadNumericalValue(archive, "keep_alive_interval_msec", DEFAULT_KEEP_ALIVE_INTERVAL_MSEC);
loadNumericalValue(archive, "min_retries_for_verdict", 3);
loadNumericalValue(archive, "max_retries_for_verdict", 15);
loadNumericalValue(archive, "body_size_trigger", 200000);
} }
bool bool

14
core/config/config.cc
View File

@@ -348,14 +348,12 @@ ConfigComponent::Impl::init()
if (!Singleton::exists<I_MainLoop>()) return; if (!Singleton::exists<I_MainLoop>()) return;
auto mainloop = Singleton::Consume<I_MainLoop>::by<ConfigComponent>(); auto mainloop = Singleton::Consume<I_MainLoop>::by<ConfigComponent>();
if (executable_name != "cp-nano-orchestration") { mainloop->addOneTimeRoutine(
mainloop->addOneTimeRoutine( I_MainLoop::RoutineType::System,
I_MainLoop::RoutineType::System, [this] () { periodicRegistrationRefresh(); },
[this] () { periodicRegistrationRefresh(); }, "Configuration update registration",
"Configuration update registration", false
false );
);
}
} }
static bool static bool

93
core/debug_is/debug.cc
View File

@@ -234,6 +234,55 @@ public:
static DebugConfiguration default_config; static DebugConfiguration default_config;
class ChangeDebugConfiguration : public ServerRest
{
public:
void
doCall() override
{
string debug_config_file_name = Debug::getExecutableName();
if (debug_config_file_name == "") {
output = "Error. Cannot get debug config file path";
return;
}
string debug_config_file_path = getConfigurationWithDefault<string>(
getFilesystemPathConfig() + "/conf/" + debug_config_file_name + "-debug-conf.json",
"Debug I/S",
"Debug conf file path"
);
try {
ifstream input_stream(debug_config_file_path);
if (!input_stream) {
output = "Error. Cannot open the debug conf file: " + debug_config_file_path;
return;
}
cereal::JSONInputArchive ar(input_stream);
Debug::prepareConfig();
vector<DebugConfiguration> debug_config;
try {
ar(cereal::make_nvp("Debug", debug_config));
} catch (cereal::Exception &e) {
output = "Error. Failed loading debug conf file, error: " + string(e.what());
Debug::abortConfig();
return;
}
input_stream.close();
setConfiguration(debug_config[0], "Debug");
Debug::commitConfig();
output = "New debug configuration set succesfully";
} catch (ifstream::failure &f) {
output =
"Error. Cannot open the debug conf file " +
debug_config_file_path +
", error: " +
string(f.what());
}
}
private:
S2C_PARAM(string, output);
};
// LCOV_EXCL_START - function is covered in unit-test, but not detected bt gcov // LCOV_EXCL_START - function is covered in unit-test, but not detected bt gcov
Debug::Debug( Debug::Debug(
const string &file_name, const string &file_name,
@@ -446,6 +495,7 @@ Debug::preload()
{ {
registerExpectedConfiguration<DebugConfiguration>("Debug"); registerExpectedConfiguration<DebugConfiguration>("Debug");
registerExpectedConfiguration<string>("Debug I/S", "Fog Debug URI"); registerExpectedConfiguration<string>("Debug I/S", "Fog Debug URI");
registerExpectedConfiguration<string>("Debug I/S", "Debug conf file path");
registerExpectedConfiguration<bool>("Debug I/S", "Enable bulk of debugs"); registerExpectedConfiguration<bool>("Debug I/S", "Enable bulk of debugs");
registerExpectedConfiguration<uint>("Debug I/S", "Debug bulk size"); registerExpectedConfiguration<uint>("Debug I/S", "Debug bulk size");
registerExpectedConfiguration<uint>("Debug I/S", "Debug bulk sending interval in msec"); registerExpectedConfiguration<uint>("Debug I/S", "Debug bulk sending interval in msec");
@@ -467,22 +517,18 @@ Debug::init()
mainloop = Singleton::Consume<I_MainLoop>::by<Debug>(); mainloop = Singleton::Consume<I_MainLoop>::by<Debug>();
env = Singleton::Consume<I_Environment>::by<Debug>(); env = Singleton::Consume<I_Environment>::by<Debug>();
auto executable = env->get<string>("Executable Name"); default_debug_file_stream_path = getExecutableName();
if (default_debug_file_stream_path != "") {
if (executable.ok() && *executable != "") {
string default_debug_output_file_path = *executable;
auto file_path_end = default_debug_output_file_path.find_last_of("/");
if (file_path_end != string::npos) {
default_debug_file_stream_path = default_debug_output_file_path.substr(file_path_end + 1);
}
auto file_sufix_start = default_debug_file_stream_path.find_first_of(".");
if (file_sufix_start != string::npos) {
default_debug_file_stream_path = default_debug_file_stream_path.substr(0, file_sufix_start);
}
string log_files_prefix = getLogFilesPathConfig(); string log_files_prefix = getLogFilesPathConfig();
default_debug_file_stream_path = log_files_prefix + "/nano_agent/" + default_debug_file_stream_path + ".dbg"; default_debug_file_stream_path = log_files_prefix + "/nano_agent/" + default_debug_file_stream_path + ".dbg";
} }
if (Singleton::exists<I_RestApi>()) {
Singleton::Consume<I_RestApi>::by<Debug>()->addRestCall<ChangeDebugConfiguration>(
RestAction::SET,
"change-debug-config"
);
}
} }
void void
@@ -706,6 +752,27 @@ Debug::findDebugFilePrefix(const string &file_name)
return ""; return "";
} }
string
Debug::getExecutableName()
{
auto executable = env->get<string>("Executable Name");
if (!executable.ok() || *executable == "") {
return "";
}
string executable_name = *executable;
auto file_path_end = executable_name.find_last_of("/");
if (file_path_end != string::npos) {
executable_name = executable_name.substr(file_path_end + 1);
}
auto file_sufix_start = executable_name.find_first_of(".");
if (file_sufix_start != string::npos) {
executable_name = executable_name.substr(0, file_sufix_start);
}
return executable_name;
}
void void
Debug::addActiveStream(const string &name) Debug::addActiveStream(const string &name)
{ {

Some files were not shown because too many files have changed in this diff Show More