sync code

* add waf-tag to openappsec

* fix waf tag to openappsec

---------

Co-authored-by: wiaamm <wiaamm@checkpoint.com>

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,36 @@
+---
+name: "Bug Report"
+about: "Report a bug with open-appsec"
+labels: [bug]
+---
+
+**Checklist**
+- Have you checked the open-appsec troubleshooting guides - https://docs.openappsec.io/troubleshooting/troubleshooting
+  - Yes / No
+- Have you checked the existing issues and discussions in github for the same issue 
+  - Yes / No
+- Have you checked the knwon limitations same issue - https://docs.openappsec.io/release-notes#limitations
+  - Yes / No
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Run '...'
+3. See error '...'
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots or Logs**
+If applicable, add screenshots or logs to help explain the issue.
+
+**Environment (please complete the following information):**
+- open-appsec version: 
+- Deployment type (Docker, Kubernetes, etc.): 
+- OS:
+
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: "Documentation & Troubleshooting"
+    url: "https://docs.openappsec.io/"
+    about: "Check the documentation before submitting an issue."
+  - name: "Feature Requests & Discussions"
+    url: "https://github.com/openappsec/openappsec/discussions"
+    about: "Please open a discussion for feature requests."

.github/ISSUE_TEMPLATE/nginx_version_support.md

@@ -0,0 +1,17 @@
+---
+name: "Nginx Version Support Request"
+about: "Request for a specific Nginx version to be supported"
+---
+
+**Nginx & OS Version:**
+Which Nginx and OS version are you using? 
+
+**Output of nginx -V**
+Share the output of nginx -v
+
+**Expected Behavior:**
+What do you expect to happen with this version?
+
+**Checklist**
+- Have you considered a docker based deployment - find more information here https://docs.openappsec.io/getting-started/start-with-docker?
+  - Yes / No

README.md

@@ -74,7 +74,7 @@ For Linux, if you’ve built your own package use the following commands:
 
 ```bash
 $ install-cp-nano-agent.sh --install --hybrid_mode
-$ install-cp-nano-service-http-transaction-handler.sh –install
+$ install-cp-nano-service-http-transaction-handler.sh --install
 $ install-cp-nano-attachment-registration-manager.sh --install
 ```
 You can add the ```--token <token>``` and ```--email <email address>``` options to the first command, to get a token follow [documentation](https://docs.openappsec.io/getting-started/using-the-web-ui-saas/connect-deployed-agents-to-saas-management-k8s-and-linux). 
@@ -177,7 +177,7 @@ open-appsec code was audited by an independent third party in September-October
 See the [full report](https://github.com/openappsec/openappsec/blob/main/LEXFO-CHP20221014-Report-Code_audit-OPEN-APPSEC-v1.2.pdf).
 
 ### Reporting security vulnerabilities
-If you've found a vulnerability or a potential vulnerability in open-appsec please let us know at securityalert@openappsec.io. We'll send a confirmation email to acknowledge your report within 24 hours, and we'll send an additional email when we've identified the issue positively or negatively.
+If you've found a vulnerability or a potential vulnerability in open-appsec please let us know at security-alert@openappsec.io. We'll send a confirmation email to acknowledge your report within 24 hours, and we'll send an additional email when we've identified the issue positively or negatively.
 
 
 # License

attachments/nginx/nginx_attachment_util/nginx_attachment_util.cc

@@ -95,6 +95,18 @@ getFailOpenHoldTimeout()
     return conf_data.getNumericalValue("fail_open_hold_timeout");
 }
 
+unsigned int
+getHoldVerdictPollingTime()
+{
+    return conf_data.getNumericalValue("hold_verdict_polling_time");
+}
+
+unsigned int
+getHoldVerdictRetries()
+{
+    return conf_data.getNumericalValue("hold_verdict_retries");
+}
+
 unsigned int
 getMaxSessionsPerMinute()
 {
@@ -173,6 +185,12 @@ getReqBodySizeTrigger()
     return conf_data.getNumericalValue("body_size_trigger");
 }
 
+unsigned int
+getRemoveResServerHeader()
+{
+    return conf_data.getNumericalValue("remove_server_header");
+}
+
 int
 isIPAddress(c_str ip_str)
 {

attachments/nginx/nginx_attachment_util/nginx_attachment_util_ut/nginx_attachment_util_ut.cc

@@ -66,7 +66,10 @@ TEST_F(HttpAttachmentUtilTest, GetValidAttachmentConfiguration)
             "\"static_resources_path\": \"" + static_resources_path + "\",\n"
             "\"min_retries_for_verdict\": 1,\n"
             "\"max_retries_for_verdict\": 3,\n"
-            "\"body_size_trigger\": 777\n"
+            "\"hold_verdict_retries\": 3,\n"
+            "\"hold_verdict_polling_time\": 1,\n"
+            "\"body_size_trigger\": 777,\n"
+            "\"remove_server_header\": 1\n"
         "}\n";
     ofstream valid_configuration_file(attachment_configuration_file_name);
     valid_configuration_file << valid_configuration;
@@ -95,6 +98,9 @@ TEST_F(HttpAttachmentUtilTest, GetValidAttachmentConfiguration)
     EXPECT_EQ(getReqBodySizeTrigger(), 777u);
     EXPECT_EQ(getWaitingForVerdictThreadTimeout(), 75u);
     EXPECT_EQ(getInspectionMode(), ngx_http_inspection_mode::BLOCKING_THREAD);
+    EXPECT_EQ(getRemoveResServerHeader(), 1u);
+    EXPECT_EQ(getHoldVerdictRetries(), 3u);
+    EXPECT_EQ(getHoldVerdictPollingTime(), 1u);
 
     EXPECT_EQ(isDebugContext("1.2.3.4", "5.6.7.8", 80, "GET", "test", "/abc"), 1);
     EXPECT_EQ(isDebugContext("1.2.3.9", "5.6.7.8", 80, "GET", "test", "/abc"), 0);

build_system/docker/CMakeLists.txt

@@ -1,4 +1,4 @@
-install(FILES Dockerfile entry.sh install-cp-agent-intelligence-service.sh install-cp-crowdsec-aux.sh DESTINATION .)
+install(FILES Dockerfile entry.sh install-cp-agent-intelligence-service.sh install-cp-crowdsec-aux.sh self_managed_openappsec_manifest.json DESTINATION .)
 
 add_custom_command(
     OUTPUT ${CMAKE_INSTALL_PREFIX}/agent-docker.img

build_system/docker/Dockerfile

@@ -1,5 +1,7 @@
 FROM alpine
 
+ENV OPENAPPSEC_NANO_AGENT=TRUE
+
 RUN apk add --no-cache -u busybox
 RUN apk add --no-cache -u zlib
 RUN apk add --no-cache bash
@@ -13,6 +15,8 @@ RUN apk add --no-cache libxml2
 RUN apk add --no-cache pcre2
 RUN apk add --update coreutils
 
+COPY self_managed_openappsec_manifest.json /tmp/self_managed_openappsec_manifest.json
+
 COPY install*.sh /nano-service-installers/
 COPY entry.sh /entry.sh
 

build_system/docker/entry.sh

@@ -6,6 +6,8 @@ HTTP_TRANSACTION_HANDLER_SERVICE="install-cp-nano-service-http-transaction-handl
 ATTACHMENT_REGISTRATION_SERVICE="install-cp-nano-attachment-registration-manager.sh"
 ORCHESTRATION_INSTALLATION_SCRIPT="install-cp-nano-agent.sh"
 CACHE_INSTALLATION_SCRIPT="install-cp-nano-agent-cache.sh"
+PROMETHEUS_INSTALLATION_SCRIPT="install-cp-nano-service-prometheus.sh"
+NGINX_CENTRAL_MANAGER_INSTALLATION_SCRIPT="install-cp-nano-central-nginx-manager.sh"
 
 var_fog_address=
 var_proxy=
@@ -81,6 +83,14 @@ fi
 /nano-service-installers/$CACHE_INSTALLATION_SCRIPT --install
 /nano-service-installers/$HTTP_TRANSACTION_HANDLER_SERVICE --install
 
+if [ "$PROMETHEUS" == "true" ]; then
+    /nano-service-installers/$PROMETHEUS_INSTALLATION_SCRIPT --install
+fi
+
+if [ "$CENTRAL_NGINX_MANAGER" == "true" ]; then
+    /nano-service-installers/$NGINX_CENTRAL_MANAGER_INSTALLATION_SCRIPT --install
+fi
+
 if [ "$CROWDSEC_ENABLED" == "true" ]; then
     /nano-service-installers/$INTELLIGENCE_INSTALLATION_SCRIPT --install
     /nano-service-installers/$CROWDSEC_INSTALLATION_SCRIPT --install
@@ -93,25 +103,16 @@ if [ -f "$FILE" ]; then
 fi
 
 touch /etc/cp/watchdog/wd.startup
+/etc/cp/watchdog/cp-nano-watchdog >/dev/null 2>&1 &
+active_watchdog_pid=$!
 while true; do
-    if [ -z "$init" ]; then
-        init=true
-        /etc/cp/watchdog/cp-nano-watchdog >/dev/null 2>&1 &
-        sleep 5
-        active_watchdog_pid=$(pgrep -f -x -o "/bin/bash /etc/cp/watchdog/cp-nano-watchdog")
-    fi
-
-    current_watchdog_pid=$(pgrep -f -x -o "/bin/bash /etc/cp/watchdog/cp-nano-watchdog")
-    if [ ! -f /tmp/restart_watchdog ] && [ "$current_watchdog_pid" != "$active_watchdog_pid" ]; then
-        echo "Error: Watchdog exited abnormally"
-        exit 1
-    elif [ -f /tmp/restart_watchdog ]; then
+    if [ -f /tmp/restart_watchdog ]; then
         rm -f /tmp/restart_watchdog
-        kill -9 "$(pgrep -f -x -o "/bin/bash /etc/cp/watchdog/cp-nano-watchdog")"
-        /etc/cp/watchdog/cp-nano-watchdog >/dev/null 2>&1 &
-        sleep 5
-        active_watchdog_pid=$(pgrep -f -x -o "/bin/bash /etc/cp/watchdog/cp-nano-watchdog")
+        kill -9 ${active_watchdog_pid}
+    fi
+    if [ ! "$(ps -f | grep cp-nano-watchdog | grep ${active_watchdog_pid})" ]; then
+        /etc/cp/watchdog/cp-nano-watchdog >/dev/null 2>&1 &
+        active_watchdog_pid=$!
     fi
-
     sleep 5
 done

components/CMakeLists.txt

@@ -7,3 +7,4 @@ add_subdirectory(pending_key)
 add_subdirectory(utils)
 add_subdirectory(attachment-intakers)
 add_subdirectory(security_apps)
+add_subdirectory(nginx_message_reader)

components/attachment-intakers/nginx_attachment/nginx_attachment.cc

@@ -31,10 +31,12 @@
 #include <stdarg.h>
 
 #include <boost/range/iterator_range.hpp>
+#include <boost/algorithm/string.hpp>
 #include <boost/regex.hpp>
 
 #include "nginx_attachment_config.h"
 #include "nginx_attachment_opaque.h"
+#include "generic_rulebase/evaluators/trigger_eval.h"
 #include "nginx_parser.h"
 #include "i_instance_awareness.h"
 #include "common.h"
@@ -129,6 +131,7 @@ class NginxAttachment::Impl
     Singleton::Provide<I_StaticResourcesHandler>::From<NginxAttachment>
 {
     static constexpr auto INSPECT = ngx_http_cp_verdict_e::TRAFFIC_VERDICT_INSPECT;
+    static constexpr auto LIMIT_RESPONSE_HEADERS = ngx_http_cp_verdict_e::LIMIT_RESPONSE_HEADERS;
     static constexpr auto ACCEPT = ngx_http_cp_verdict_e::TRAFFIC_VERDICT_ACCEPT;
     static constexpr auto DROP = ngx_http_cp_verdict_e::TRAFFIC_VERDICT_DROP;
     static constexpr auto INJECT = ngx_http_cp_verdict_e::TRAFFIC_VERDICT_INJECT;
@@ -260,6 +263,22 @@ public:
             );
         }
 
+        const char* ignored_headers_env = getenv("SAAS_IGNORED_UPSTREAM_HEADERS");
+        if (ignored_headers_env) {
+            string ignored_headers_str = ignored_headers_env;
+            ignored_headers_str = NGEN::Strings::trim(ignored_headers_str);
+
+            if (!ignored_headers_str.empty()) {
+                dbgInfo(D_HTTP_MANAGER)
+                    << "Ignoring SAAS_IGNORED_UPSTREAM_HEADERS environment variable: "
+                    << ignored_headers_str;
+
+                vector<string> ignored_headers_vec;
+                boost::split(ignored_headers_vec, ignored_headers_str, boost::is_any_of(";"));
+                for (const string &header : ignored_headers_vec) ignored_headers.insert(header);
+            }
+        }
+
         dbgInfo(D_NGINX_ATTACHMENT) << "Successfully initialized NGINX Attachment";
     }
 
@@ -1034,7 +1053,11 @@ private:
             case ChunkType::REQUEST_START:
                 return handleStartTransaction(data, opaque);
             case ChunkType::REQUEST_HEADER:
-                return handleMultiModifiableChunks(NginxParser::parseRequestHeaders(data), "request header", true);
+                return handleMultiModifiableChunks(
+                    NginxParser::parseRequestHeaders(data, ignored_headers),
+                    "request header",
+                    true
+                );
             case ChunkType::REQUEST_BODY:
                 return handleModifiableChunk(NginxParser::parseRequestBody(data), "request body", true);
             case ChunkType::REQUEST_END: {
@@ -1125,17 +1148,29 @@ private:
     handleCustomWebResponse(
         SharedMemoryIPC *ipc,
         vector<const char *> &verdict_data,
-        vector<uint16_t> &verdict_data_sizes)
+        vector<uint16_t> &verdict_data_sizes,
+        string web_user_response_id)
     {
         ngx_http_cp_web_response_data_t web_response_data;
-
+        ScopedContext ctx;
+        if (web_user_response_id != "") {
+            dbgTrace(D_NGINX_ATTACHMENT)
+            << "web user response ID registered in contex: "
+            << web_user_response_id;
+            set<string> triggers_set{web_user_response_id};
+            ctx.registerValue<set<GenericConfigId>>(TriggerMatcher::ctx_key, triggers_set);
+        }
         WebTriggerConf web_trigger_conf = getConfigurationWithDefault<WebTriggerConf>(
             WebTriggerConf::default_trigger_conf,
             "rulebase",
             "webUserResponse"
         );
 
+        bool remove_event_id_param =
+            getProfileAgentSettingWithDefault<string>("false", "nginxAttachment.removeRedirectEventId") == "true";
+
         string uuid;
+        string redirectUrl;
         if (i_transaction_table->hasState<NginxAttachmentOpaque>()) {
             NginxAttachmentOpaque &opaque = i_transaction_table->getState<NginxAttachmentOpaque>();
             uuid = opaque.getSessionUUID();
@@ -1145,7 +1180,12 @@ private:
         if (web_trigger_conf.getDetailsLevel() == "Redirect") {
             web_response_data.response_data.redirect_data.redirect_location_size =
                 web_trigger_conf.getRedirectURL().size();
-            web_response_data.response_data.redirect_data.add_event_id = web_trigger_conf.getAddEventId() ? 1 : 0;
+            bool add_event = web_trigger_conf.getAddEventId();
+            if (add_event && !remove_event_id_param) {
+                web_response_data.response_data.redirect_data.redirect_location_size +=
+                    strlen("?event_id=") + uuid.size();
+            }
+            web_response_data.response_data.redirect_data.add_event_id = add_event ? 1 : 0;
             web_response_data.web_repsonse_type = static_cast<uint8_t>(ngx_web_response_type_e::REDIRECT_WEB_RESPONSE);
         } else {
             web_response_data.response_data.custom_response_data.title_size =
@@ -1159,8 +1199,13 @@ private:
         verdict_data_sizes.push_back(sizeof(ngx_http_cp_web_response_data_t));
 
         if (web_trigger_conf.getDetailsLevel() == "Redirect") {
-            verdict_data.push_back(reinterpret_cast<const char *>(web_trigger_conf.getRedirectURL().data()));
-            verdict_data_sizes.push_back(web_trigger_conf.getRedirectURL().size());
+            redirectUrl = web_trigger_conf.getRedirectURL();
+            if (!remove_event_id_param && web_trigger_conf.getAddEventId()) {
+                redirectUrl += "?event-id=" + uuid;
+            }
+
+            verdict_data.push_back(reinterpret_cast<const char *>(redirectUrl.data()));
+            verdict_data_sizes.push_back(redirectUrl.size());
         } else {
             verdict_data.push_back(reinterpret_cast<const char *>(web_trigger_conf.getResponseTitle().data()));
             verdict_data_sizes.push_back(web_trigger_conf.getResponseTitle().size());
@@ -1236,7 +1281,7 @@ private:
         if (verdict.getVerdict() == DROP) {
             nginx_attachment_event.addTrafficVerdictCounter(nginxAttachmentEvent::trafficVerdict::DROP);
             verdict_to_send.modification_count = 1;
-            return handleCustomWebResponse(ipc, verdict_fragments, fragments_sizes);
+            return handleCustomWebResponse(ipc, verdict_fragments, fragments_sizes, verdict.getWebUserResponseID());
         }
 
         if (verdict.getVerdict() == ACCEPT) {
@@ -1462,11 +1507,17 @@ private:
         opaque.activateContext();
 
         FilterVerdict verdict = handleChunkedData(*chunked_data_type, inspection_data, opaque);
-
         bool is_header =
             *chunked_data_type == ChunkType::REQUEST_HEADER  ||
             *chunked_data_type == ChunkType::RESPONSE_HEADER ||
             *chunked_data_type == ChunkType::CONTENT_LENGTH;
+
+        if (verdict.getVerdict() == LIMIT_RESPONSE_HEADERS) {
+            handleVerdictResponse(verdict, attachment_ipc, transaction_data->session_id, is_header);
+            popData(attachment_ipc);
+            verdict = FilterVerdict(INSPECT);
+        }
+
         handleVerdictResponse(verdict, attachment_ipc, transaction_data->session_id, is_header);
 
         bool is_final_verdict = verdict.getVerdict() == ACCEPT ||
@@ -1579,6 +1630,8 @@ private:
                 return "INJECT";
             case INSPECT:
                 return "INSPECT";
+            case LIMIT_RESPONSE_HEADERS:
+                return "LIMIT_RESPONSE_HEADERS";
             case IRRELEVANT:
                 return "IRRELEVANT";
             case RECONF:
@@ -1800,6 +1853,7 @@ private:
     HttpAttachmentConfig attachment_config;
     I_MainLoop::RoutineID attachment_routine_id = 0;
     bool traffic_indicator = false;
+    unordered_set<string> ignored_headers;
 
     // Interfaces
     I_Socket *i_socket                              = nullptr;

components/attachment-intakers/nginx_attachment/nginx_attachment_config.cc

@@ -203,6 +203,13 @@ HttpAttachmentConfig::setFailOpenTimeout()
         "NGINX wait thread timeout msec"
     ));
 
+    conf_data.setNumericalValue("remove_server_header", getAttachmentConf<uint>(
+        0,
+        "agent.removeServerHeader.nginxModule",
+        "HTTP manager",
+        "Response server header removal"
+    ));
+
     uint inspection_mode = getAttachmentConf<uint>(
         static_cast<uint>(ngx_http_inspection_mode_e::NON_BLOCKING_THREAD),
         "agent.inspectionMode.nginxModule",
@@ -233,6 +240,21 @@ HttpAttachmentConfig::setRetriesForVerdict()
         "Max retries for verdict"
     ));
 
+    conf_data.setNumericalValue("hold_verdict_retries", getAttachmentConf<uint>(
+        3,
+        "agent.retriesForHoldVerdict.nginxModule",
+        "HTTP manager",
+        "Retries for hold verdict"
+    ));
+
+    conf_data.setNumericalValue("hold_verdict_polling_time", getAttachmentConf<uint>(
+        1,
+        "agent.holdVerdictPollingInterval.nginxModule",
+        "HTTP manager",
+        "Hold verdict polling interval seconds"
+    ));
+
+
     conf_data.setNumericalValue("body_size_trigger", getAttachmentConf<uint>(
         200000,
         "agent.reqBodySizeTrigger.nginxModule",

components/attachment-intakers/nginx_attachment/nginx_attachment_opaque.cc

@@ -19,12 +19,15 @@
 
 #include "config.h"
 #include "virtual_modifiers.h"
+#include "agent_core_utilities.h"
 
 using namespace std;
 using namespace boost::uuids;
 
 USE_DEBUG_FLAG(D_HTTP_MANAGER);
 
+extern bool is_keep_alive_ctx;
+
 NginxAttachmentOpaque::NginxAttachmentOpaque(HttpTransactionData _transaction_data)
         :
     TableOpaqueSerialize<NginxAttachmentOpaque>(this),
@@ -67,6 +70,12 @@ NginxAttachmentOpaque::NginxAttachmentOpaque(HttpTransactionData _transaction_da
         ctx.registerValue(HttpTransactionData::uri_query_decoded, decoded_url.substr(question_mark_location + 1));
     }
     ctx.registerValue(HttpTransactionData::uri_path_decoded, decoded_url);
+
+    // Register waf_tag from transaction data if available
+    const std::string& waf_tag = transaction_data.getWafTag();
+    if (!waf_tag.empty()) {
+        ctx.registerValue(HttpTransactionData::waf_tag_ctx, waf_tag);
+    }
 }
 
 NginxAttachmentOpaque::~NginxAttachmentOpaque()
@@ -119,3 +128,47 @@ NginxAttachmentOpaque::setSavedData(const string &name, const string &data, EnvK
     saved_data[name] = data;
     ctx.registerValue(name, data, log_ctx);
 }
+
+bool
+NginxAttachmentOpaque::setKeepAliveCtx(const string &hdr_key, const string &hdr_val)
+{
+    if (!is_keep_alive_ctx) return false;
+
+    static pair<string, string> keep_alive_hdr;
+    static bool keep_alive_hdr_initialized = false;
+
+    if (keep_alive_hdr_initialized) {
+        if (!keep_alive_hdr.first.empty() && hdr_key == keep_alive_hdr.first && hdr_val == keep_alive_hdr.second) {
+            dbgTrace(D_HTTP_MANAGER) << "Registering keep alive context";
+            ctx.registerValue("keep_alive_request_ctx", true);
+            return true;
+        }
+        return false;
+    }
+
+    const char* saas_keep_alive_hdr_name_env = getenv("SAAS_KEEP_ALIVE_HDR_NAME");
+    if (saas_keep_alive_hdr_name_env) {
+        keep_alive_hdr.first = NGEN::Strings::trim(saas_keep_alive_hdr_name_env);
+        dbgInfo(D_HTTP_MANAGER) << "Using SAAS_KEEP_ALIVE_HDR_NAME environment variable: " << keep_alive_hdr.first;
+    }
+
+    if (!keep_alive_hdr.first.empty()) {
+        const char* saas_keep_alive_hdr_value_env = getenv("SAAS_KEEP_ALIVE_HDR_VALUE");
+        if (saas_keep_alive_hdr_value_env) {
+            keep_alive_hdr.second = NGEN::Strings::trim(saas_keep_alive_hdr_value_env);
+            dbgInfo(D_HTTP_MANAGER)
+                << "Using SAAS_KEEP_ALIVE_HDR_VALUE environment variable: "
+                << keep_alive_hdr.second;
+        }
+
+        if (!keep_alive_hdr.second.empty() && (hdr_key == keep_alive_hdr.first && hdr_val == keep_alive_hdr.second)) {
+            dbgTrace(D_HTTP_MANAGER) << "Registering keep alive context";
+            ctx.registerValue("keep_alive_request_ctx", true);
+            keep_alive_hdr_initialized = true;
+            return true;
+        }
+    }
+
+    keep_alive_hdr_initialized = true;
+    return false;
+}

components/attachment-intakers/nginx_attachment/nginx_attachment_opaque.h

@@ -85,6 +85,7 @@ public:
         EnvKeyAttr::LogSection log_ctx = EnvKeyAttr::LogSection::NONE
     );
     void setApplicationState(const ApplicationState &app_state) { application_state = app_state; }
+    bool setKeepAliveCtx(const std::string &hdr_key, const std::string &hdr_val);
 
 private:
     CompressionStream       *response_compression_stream;

components/attachment-intakers/nginx_attachment/nginx_parser.cc

@@ -29,6 +29,7 @@ USE_DEBUG_FLAG(D_NGINX_ATTACHMENT_PARSER);
 Buffer NginxParser::tenant_header_key = Buffer();
 static const Buffer proxy_ip_header_key("X-Forwarded-For", 15, Buffer::MemoryType::STATIC);
 static const Buffer source_ip("sourceip", 8, Buffer::MemoryType::STATIC);
+bool is_keep_alive_ctx = getenv("SAAS_KEEP_ALIVE_HDR_NAME") != nullptr;
 
 map<Buffer, CompressionType> NginxParser::content_encodings = {
     {Buffer("identity"), CompressionType::NO_COMPRESSION},
@@ -177,37 +178,70 @@ getActivetenantAndProfile(const string &str, const string &deli = ",")
 }
 
 Maybe<vector<HttpHeader>>
-NginxParser::parseRequestHeaders(const Buffer &data)
+NginxParser::parseRequestHeaders(const Buffer &data, const unordered_set<string> &ignored_headers)
 {
-    auto parsed_headers = genHeaders(data);
-    if (!parsed_headers.ok()) return parsed_headers.passErr();
+    auto maybe_parsed_headers = genHeaders(data);
+    if (!maybe_parsed_headers.ok()) return maybe_parsed_headers.passErr();
 
     auto i_transaction_table = Singleton::Consume<I_TableSpecific<SessionID>>::by<NginxAttachment>();
+    auto parsed_headers = maybe_parsed_headers.unpack();
+    NginxAttachmentOpaque &opaque = i_transaction_table->getState<NginxAttachmentOpaque>();
 
-    for (const HttpHeader &header : *parsed_headers) {
+    if (is_keep_alive_ctx || !ignored_headers.empty()) {
+        bool is_last_header_removed = false;
+        parsed_headers.erase(
+            remove_if(
+                parsed_headers.begin(),
+                parsed_headers.end(),
+                [&opaque, &is_last_header_removed, &ignored_headers](const HttpHeader &header)
+                {
+                    string hdr_key = static_cast<string>(header.getKey());
+                    string hdr_val = static_cast<string>(header.getValue());
+                    if (
+                        opaque.setKeepAliveCtx(hdr_key, hdr_val)
+                        || ignored_headers.find(hdr_key) != ignored_headers.end()
+                    ) {
+                        dbgTrace(D_NGINX_ATTACHMENT_PARSER) << "Header was removed from headers list: " << hdr_key;
+                        if (header.isLastHeader()) {
+                            dbgTrace(D_NGINX_ATTACHMENT_PARSER) << "Last header was removed from headers list";
+                            is_last_header_removed = true;
+                        }
+                        return true;
+                    }
+                    return false;
+                }
+            ),
+            parsed_headers.end()
+        );
+        if (is_last_header_removed) {
+            dbgTrace(D_NGINX_ATTACHMENT_PARSER) << "Adjusting last header flag";
+            if (!parsed_headers.empty()) parsed_headers.back().setIsLastHeader();
+        }
+    }
+
+    for (const HttpHeader &header : parsed_headers) {
         auto source_identifiers = getConfigurationWithDefault<UsersAllIdentifiersConfig>(
             UsersAllIdentifiersConfig(),
             "rulebase",
             "usersIdentifiers"
         );
         source_identifiers.parseRequestHeaders(header);
-
-        NginxAttachmentOpaque &opaque = i_transaction_table->getState<NginxAttachmentOpaque>();
         opaque.addToSavedData(
             HttpTransactionData::req_headers,
             static_cast<string>(header.getKey()) + ": " + static_cast<string>(header.getValue()) + "\r\n"
         );
 
-        if (NginxParser::tenant_header_key == header.getKey()) {
+        const auto &header_key = header.getKey();
+        if (NginxParser::tenant_header_key == header_key) {
             dbgDebug(D_NGINX_ATTACHMENT_PARSER)
                 << "Identified active tenant header. Key: "
-                << dumpHex(header.getKey())
+                << dumpHex(header_key)
                 << ", Value: "
                 << dumpHex(header.getValue());
 
             auto active_tenant_and_profile = getActivetenantAndProfile(header.getValue());
             opaque.setSessionTenantAndProfile(active_tenant_and_profile[0], active_tenant_and_profile[1]);
-        } else if (proxy_ip_header_key == header.getKey()) {
+        } else if (proxy_ip_header_key == header_key) {
             source_identifiers.setXFFValuesToOpaqueCtx(header, UsersAllIdentifiersConfig::ExtractType::PROXYIP);
         }
     }
@@ -345,12 +379,15 @@ NginxParser::parseResponseBody(const Buffer &raw_response_body, CompressionStrea
 Maybe<CompressionType>
 NginxParser::parseContentEncoding(const vector<HttpHeader> &headers)
 {
-    static const Buffer content_encoding_header_key("Content-Encoding");
+    dbgFlow(D_NGINX_ATTACHMENT_PARSER) << "Parsing \"Content-Encoding\" header";
+    static const Buffer content_encoding_header_key("content-encoding");
 
     auto it = find_if(
         headers.begin(),
         headers.end(),
-        [&] (const HttpHeader &http_header) { return http_header.getKey() == content_encoding_header_key; }
+        [&] (const HttpHeader &http_header) {
+            return http_header.getKey().isEqualLowerCase(content_encoding_header_key);
+        }
     );
     if (it == headers.end()) {
         dbgTrace(D_NGINX_ATTACHMENT_PARSER)

components/attachment-intakers/nginx_attachment/nginx_parser.h

@@ -28,7 +28,10 @@ public:
     static Maybe<HttpTransactionData> parseStartTrasaction(const Buffer &data);
     static Maybe<ResponseCode> parseResponseCode(const Buffer &data);
     static Maybe<uint64_t> parseContentLength(const Buffer &data);
-    static Maybe<std::vector<HttpHeader>> parseRequestHeaders(const Buffer &data);
+    static Maybe<std::vector<HttpHeader>> parseRequestHeaders(
+        const Buffer &data,
+        const std::unordered_set<std::string> &ignored_headers
+    );
     static Maybe<std::vector<HttpHeader>> parseResponseHeaders(const Buffer &data);
     static Maybe<HttpBody> parseRequestBody(const Buffer &data);
     static Maybe<HttpBody> parseResponseBody(const Buffer &raw_response_body, CompressionStream *compression_stream);

components/attachment-intakers/nginx_attachment/user_identifiers_config.cc

@@ -282,21 +282,39 @@ isIpTrusted(const string &value, const vector<CIDRSData> &cidr_values)
 }
 
 Maybe<string>
-UsersAllIdentifiersConfig::parseXForwardedFor(const string &str) const
+UsersAllIdentifiersConfig::parseXForwardedFor(const string &str, ExtractType type) const
 {
     vector<string> header_values = split(str);
-
     if (header_values.empty()) return genError("No IP found in the xff header list");
 
     vector<string> xff_values = getHeaderValuesFromConfig("x-forwarded-for");
     vector<CIDRSData> cidr_values(xff_values.begin(), xff_values.end());
+    string last_valid_ip;
 
-    for (const string &value : header_values) {
-        if (!IPAddr::createIPAddr(value).ok()) {
-            dbgWarning(D_NGINX_ATTACHMENT_PARSER) << "Invalid IP address found in the xff header IPs list: " << value;
-            return genError("Invalid IP address");
+    for (auto it = header_values.rbegin(); it != header_values.rend() - 1; ++it) {
+        if (!IPAddr::createIPAddr(*it).ok()) {
+            dbgWarning(D_NGINX_ATTACHMENT_PARSER) << "Invalid IP address found in the xff header IPs list: " << *it;
+            if (last_valid_ip.empty()) {
+                return genError("Invalid IP address");
+            }
+            return last_valid_ip;
         }
-        if (!isIpTrusted(value, cidr_values)) return genError("Untrusted Ip found");
+        last_valid_ip = *it;
+        if (type == ExtractType::PROXYIP) continue;
+        if (!isIpTrusted(*it, cidr_values)) {
+            dbgDebug(D_NGINX_ATTACHMENT_PARSER) << "Found untrusted IP in the xff header IPs list: " << *it;
+            return *it;
+        }
+    }
+
+    if (!IPAddr::createIPAddr(header_values[0]).ok()) {
+        dbgWarning(D_NGINX_ATTACHMENT_PARSER)
+            << "Invalid IP address found in the xff header IPs list: "
+            << header_values[0];
+        if (last_valid_ip.empty()) {
+            return genError("No Valid Ip address was found");
+        }
+        return last_valid_ip;
     }
 
     return header_values[0];
@@ -312,7 +330,7 @@ UsersAllIdentifiersConfig::setXFFValuesToOpaqueCtx(const HttpHeader &header, Ext
         return;
     }
     NginxAttachmentOpaque &opaque = i_transaction_table->getState<NginxAttachmentOpaque>();
-    auto value = parseXForwardedFor(header.getValue());
+    auto value = parseXForwardedFor(header.getValue(), type);
     if (!value.ok()) {
         dbgTrace(D_NGINX_ATTACHMENT_PARSER) << "Could not extract source identifier from X-Forwarded-For header";
         return;
@@ -321,12 +339,13 @@ UsersAllIdentifiersConfig::setXFFValuesToOpaqueCtx(const HttpHeader &header, Ext
     if (type == ExtractType::SOURCEIDENTIFIER) {
         opaque.setSourceIdentifier(header.getKey(), value.unpack());
         dbgDebug(D_NGINX_ATTACHMENT_PARSER)
-            << "Added source identifir to XFF "
+            << "Added source identifier from XFF header"
             <<  value.unpack();
         opaque.setSavedData(HttpTransactionData::xff_vals_ctx, header.getValue());
+        opaque.setSavedData(HttpTransactionData::source_identifier, value.unpack());
         dbgTrace(D_NGINX_ATTACHMENT_PARSER)
-        << "XFF found, set ctx with value from header: "
-        << static_cast<string>(header.getValue());
+            << "XFF found, set ctx with value from header: "
+            << static_cast<string>(header.getValue());
     } else {
         opaque.setSavedData(HttpTransactionData::proxy_ip_ctx, value.unpack());
     }
@@ -347,6 +366,24 @@ UsersAllIdentifiersConfig::setCustomHeaderToOpaqueCtx(const HttpHeader &header)
     return;
 }
 
+void
+UsersAllIdentifiersConfig::setWafTagValuesToOpaqueCtx(const HttpHeader &header) const
+{
+    auto i_transaction_table = Singleton::Consume<I_TableSpecific<SessionID>>::by<NginxAttachment>();
+    if (!i_transaction_table || !i_transaction_table->hasState<NginxAttachmentOpaque>()) {
+        dbgDebug(D_NGINX_ATTACHMENT_PARSER) << "Can't get the transaction table";
+        return;
+    }
+
+    NginxAttachmentOpaque &opaque = i_transaction_table->getState<NginxAttachmentOpaque>();
+    opaque.setSavedData(HttpTransactionData::waf_tag_ctx, static_cast<string>(header.getValue()));
+
+    dbgDebug(D_NGINX_ATTACHMENT_PARSER)
+        << "Added waf tag to context: "
+        <<  static_cast<string>(header.getValue());
+    return;
+}
+
 Maybe<string>
 UsersAllIdentifiersConfig::parseCookieElement(
     const string::const_iterator &start,

components/gradual_deployment/gradual_deployment.cc

@@ -142,7 +142,7 @@ private:
         if (temp_params_list.size() == 1) {
             Maybe<IPAddr> maybe_ip = IPAddr::createIPAddr(temp_params_list[0]);
             if (!maybe_ip.ok()) return genError("Could not create IP address, " + maybe_ip.getErr());
-            IpAddress addr = move(ConvertToIpAddress(maybe_ip.unpackMove()));
+            IpAddress addr = ConvertToIpAddress(maybe_ip.unpackMove());
 
             return move(IPRange{.start = addr, .end = addr});
         }
@@ -157,11 +157,11 @@ private:
             IPAddr max_addr = maybe_ip_max.unpackMove();
             if (min_addr > max_addr) return genError("Could not create ip range - start greater then end");
 
-            IpAddress addr_min = move(ConvertToIpAddress(move(min_addr)));
-            IpAddress addr_max = move(ConvertToIpAddress(move(max_addr)));
+            IpAddress addr_min = ConvertToIpAddress(move(min_addr));
+            IpAddress addr_max = ConvertToIpAddress(move(max_addr));
             if (addr_max.ip_type != addr_min.ip_type) return genError("Range IP's type does not match");
 
-            return move(IPRange{.start = move(addr_min), .end = move(addr_max)});
+            return IPRange{.start = move(addr_min), .end = move(addr_max)};
         }
 
         return genError("Illegal range received: " + range);

components/http_manager/http_manager.cc

@@ -15,19 +15,18 @@
 
 #include <string>
 #include <map>
-#include <sys/stat.h>
-#include <climits>
 #include <unordered_map>
-#include <boost/range/iterator_range.hpp>
+#include <unordered_set>
+#include <boost/algorithm/string.hpp>
 #include <fstream>
 #include <algorithm>
 
 #include "common.h"
 #include "config.h"
-#include "table_opaque.h"
 #include "http_manager_opaque.h"
 #include "log_generator.h"
 #include "http_inspection_events.h"
+#include "agent_core_utilities.h"
 
 USE_DEBUG_FLAG(D_HTTP_MANAGER);
 
@@ -38,6 +37,7 @@ operator<<(ostream &os, const EventVerdict &event)
 {
     switch (event.getVerdict()) {
         case ngx_http_cp_verdict_e::TRAFFIC_VERDICT_INSPECT: return os << "Inspect";
+        case ngx_http_cp_verdict_e::LIMIT_RESPONSE_HEADERS: return os << "Limit Response Headers";
         case ngx_http_cp_verdict_e::TRAFFIC_VERDICT_ACCEPT: return os << "Accept";
         case ngx_http_cp_verdict_e::TRAFFIC_VERDICT_DROP: return os << "Drop";
         case ngx_http_cp_verdict_e::TRAFFIC_VERDICT_INJECT: return os << "Inject";
@@ -94,12 +94,14 @@ public:
         ctx.registerValue(app_sec_marker_key, i_transaction_table->keyToString(), EnvKeyAttr::LogSection::MARKER);
 
         HttpManagerOpaque &state = i_transaction_table->getState<HttpManagerOpaque>();
-        string event_key = static_cast<string>(event.getKey());
-        if (event_key == getProfileAgentSettingWithDefault<string>("", "agent.customHeaderValueLogging")) {
+        
+        const auto &custom_header = getProfileAgentSettingWithDefault<string>("", "agent.customHeaderValueLogging");
+        
+        if (event.getKey().isEqualLowerCase(custom_header)) {
             string event_value = static_cast<string>(event.getValue());
             dbgTrace(D_HTTP_MANAGER)
                 << "Found header key and value - ("
-                << event_key
+                << custom_header
                 << ": "
                 << event_value
                 << ") that matched agent settings";
@@ -195,7 +197,6 @@ public:
         if (state.getUserDefinedValue().ok()) {
             ctx.registerValue("UserDefined", state.getUserDefinedValue().unpack(), EnvKeyAttr::LogSection::DATA);
         }
-
         return handleEvent(EndRequestEvent().performNamedQuery());
     }
 
@@ -323,8 +324,9 @@ private:
                 << respond.second.getVerdict();
 
             state.setApplicationVerdict(respond.first, respond.second.getVerdict());
+            state.setApplicationWebResponse(respond.first, respond.second.getWebUserResponseByPractice());
         }
-        FilterVerdict aggregated_verdict = state.getCurrVerdict();
+        FilterVerdict aggregated_verdict(state.getCurrVerdict(), state.getCurrWebUserResponse());
         if (aggregated_verdict.getVerdict() == ngx_http_cp_verdict_e::TRAFFIC_VERDICT_DROP) {
             SecurityAppsDropEvent(state.getCurrentDropVerdictCausers()).notify();
         }

components/http_manager/http_manager_opaque.cc

@@ -32,6 +32,13 @@ HttpManagerOpaque::setApplicationVerdict(const string &app_name, ngx_http_cp_ver
     applications_verdicts[app_name] = verdict;
 }
 
+void
+HttpManagerOpaque::setApplicationWebResponse(const string &app_name, string web_user_response_id)
+{
+    dbgTrace(D_HTTP_MANAGER) << "Security app: " << app_name << ", has web user response: " << web_user_response_id;
+    applications_web_user_response[app_name] = web_user_response_id;
+}
+
 ngx_http_cp_verdict_e
 HttpManagerOpaque::getApplicationsVerdict(const string &app_name) const
 {
@@ -51,8 +58,12 @@ HttpManagerOpaque::getCurrVerdict() const
     for (const auto &app_verdic_pair : applications_verdicts) {
         switch (app_verdic_pair.second) {
             case ngx_http_cp_verdict_e::TRAFFIC_VERDICT_DROP:
+                dbgTrace(D_HTTP_MANAGER) << "Verdict DROP for app: " << app_verdic_pair.first;
+                current_web_user_response = applications_web_user_response.at(app_verdic_pair.first);
+                dbgTrace(D_HTTP_MANAGER) << "current_web_user_response=" << current_web_user_response;
                 return app_verdic_pair.second;
             case ngx_http_cp_verdict_e::TRAFFIC_VERDICT_INJECT:
+                // Sent in ResponseHeaders and ResponseBody.
                 verdict = ngx_http_cp_verdict_e::TRAFFIC_VERDICT_INJECT;
                 break;
             case ngx_http_cp_verdict_e::TRAFFIC_VERDICT_ACCEPT:
@@ -60,11 +71,16 @@ HttpManagerOpaque::getCurrVerdict() const
                 break;
             case ngx_http_cp_verdict_e::TRAFFIC_VERDICT_INSPECT:
                 break;
+            case ngx_http_cp_verdict_e::LIMIT_RESPONSE_HEADERS:
+                // Sent in End Request.
+                verdict = ngx_http_cp_verdict_e::LIMIT_RESPONSE_HEADERS;
+                break;
             case ngx_http_cp_verdict_e::TRAFFIC_VERDICT_IRRELEVANT:
                 dbgTrace(D_HTTP_MANAGER) << "Verdict 'Irrelevant' is not yet supported. Returning Accept";
                 accepted_apps++;
                 break;
             case ngx_http_cp_verdict_e::TRAFFIC_VERDICT_WAIT:
+                // Sent in Request Headers and Request Body.
                 verdict = ngx_http_cp_verdict_e::TRAFFIC_VERDICT_WAIT;
                 break;
             default:

components/http_manager/http_manager_opaque.h

@@ -28,10 +28,12 @@ public:
     HttpManagerOpaque();
 
     void setApplicationVerdict(const std::string &app_name, ngx_http_cp_verdict_e verdict);
+    void setApplicationWebResponse(const std::string &app_name, std::string web_user_response_id);
     ngx_http_cp_verdict_e getApplicationsVerdict(const std::string &app_name) const;
     void setManagerVerdict(ngx_http_cp_verdict_e verdict) { manager_verdict = verdict; }
     ngx_http_cp_verdict_e getManagerVerdict() const { return manager_verdict; }
     ngx_http_cp_verdict_e getCurrVerdict() const;
+    const std::string & getCurrWebUserResponse() const { return current_web_user_response; };
     std::set<std::string> getCurrentDropVerdictCausers() const;
     void saveCurrentDataToCache(const Buffer &full_data);
     void setUserDefinedValue(const std::string &value) { user_defined_value = value; }
@@ -52,6 +54,8 @@ public:
 
 private:
     std::unordered_map<std::string, ngx_http_cp_verdict_e> applications_verdicts;
+    std::unordered_map<std::string, std::string> applications_web_user_response;
+    mutable std::string current_web_user_response;
     ngx_http_cp_verdict_e manager_verdict = ngx_http_cp_verdict_e::TRAFFIC_VERDICT_INSPECT;
     Buffer prev_data_cache;
     uint aggregated_payload_size = 0;

components/include/central_nginx_manager.h

@@ -0,0 +1,45 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __CENTRAL_NGINX_MANAGER_H__
+#define __CENTRAL_NGINX_MANAGER_H__
+
+#include "component.h"
+#include "singleton.h"
+#include "i_messaging.h"
+#include "i_rest_api.h"
+#include "i_mainloop.h"
+#include "i_agent_details.h"
+
+class CentralNginxManager
+        :
+    public Component,
+    Singleton::Consume<I_RestApi>,
+    Singleton::Consume<I_Messaging>,
+    Singleton::Consume<I_MainLoop>,
+    Singleton::Consume<I_AgentDetails>
+{
+public:
+    CentralNginxManager();
+    ~CentralNginxManager();
+
+    void preload() override;
+    void init() override;
+    void fini() override;
+
+private:
+    class Impl;
+    std::unique_ptr<Impl> pimpl;
+};
+
+#endif // __CENTRAL_NGINX_MANAGER_H__

components/include/generic_rulebase/evaluators/http_transaction_data_eval.h

@@ -45,6 +45,19 @@ private:
     std::string host;
 };
 
+class EqualWafTag : public EnvironmentEvaluator<bool>, Singleton::Consume<I_Environment>
+{
+public:
+EqualWafTag(const std::vector<std::string> &params);
+
+    static std::string getName() { return "EqualWafTag"; }
+
+    Maybe<bool, Context::Error> evalVariable() const override;
+
+private:
+    std::string waf_tag;
+};
+
 class EqualListeningIP : public EnvironmentEvaluator<bool>, Singleton::Consume<I_Environment>
 {
 public:

components/include/generic_rulebase/match_query.h

@@ -91,7 +91,7 @@ private:
     bool matchAttributesString(const std::set<std::string> &values) const;
     bool matchAttributesIp(const std::set<std::string> &values) const;
     bool isRegEx() const;
-    bool isIP() const;
+    void sortAndMergeIpRangesValues();
 
     MatchType type;
     Operators operator_type;

components/include/generic_rulebase/triggers_config.h

@@ -317,12 +317,12 @@ public:
     {
         return url_for_cef;
     }
+    Flags<ReportIS::StreamType> getStreams(SecurityType security_type, bool is_action_drop_or_prevent) const;
+    Flags<ReportIS::Enreachments> getEnrechments(SecurityType security_type) const;
 
 private:
     ReportIS::Severity getSeverity(bool is_action_drop_or_prevent) const;
     ReportIS::Priority getPriority(bool is_action_drop_or_prevent) const;
-    Flags<ReportIS::StreamType> getStreams(SecurityType security_type, bool is_action_drop_or_prevent) const;
-    Flags<ReportIS::Enreachments> getEnrechments(SecurityType security_type) const;
 
     std::string name;
     std::string verbosity;
@@ -339,4 +339,32 @@ private:
     bool should_format_output = false;
 };
 
+class ReportTriggerConf
+{
+public:
+    /// \brief Default constructor for ReportTriggerConf.
+    ReportTriggerConf() {}
+
+    /// \brief Preload function to register expected configuration.
+    static void
+    preload()
+    {
+        registerExpectedConfiguration<ReportTriggerConf>("rulebase", "report");
+    }
+
+    /// \brief Load function to deserialize configuration from JSONInputArchive.
+    /// \param archive_in The JSON input archive.
+    void load(cereal::JSONInputArchive &archive_in);
+
+    /// \brief Get the name.
+    /// \return The name.
+    const std::string &
+    getName() const
+    {
+        return name;
+    }
+private:
+    std::string name;
+};
+
 #endif //__TRIGGERS_CONFIG_H__

components/include/http_event_impl/filter_verdict.h

@@ -27,9 +27,18 @@ public:
         verdict(_verdict)
     {}
 
+    FilterVerdict(
+        ngx_http_cp_verdict_e _verdict,
+        const std::string &_web_reponse_id)
+            :
+        verdict(_verdict),
+        web_user_response_id(_web_reponse_id)
+    {}
+
     FilterVerdict(const EventVerdict &_verdict, ModifiedChunkIndex _event_idx = -1)
             :
-        verdict(_verdict.getVerdict())
+        verdict(_verdict.getVerdict()),
+        web_user_response_id(_verdict.getWebUserResponseByPractice())
     {
         if (verdict == ngx_http_cp_verdict_e::TRAFFIC_VERDICT_INJECT) {
             addModifications(_verdict.getModifications(), _event_idx);
@@ -59,10 +68,12 @@ public:
     uint getModificationsAmount() const { return total_modifications; }
     ngx_http_cp_verdict_e getVerdict() const { return verdict; }
     const std::vector<EventModifications> & getModifications() const { return modifications; }
+    const std::string getWebUserResponseID() const { return web_user_response_id; }
 
 private:
     ngx_http_cp_verdict_e verdict = ngx_http_cp_verdict_e::TRAFFIC_VERDICT_INSPECT;
     std::vector<EventModifications> modifications;
+    std::string web_user_response_id;
     uint total_modifications = 0;
 };
 

components/include/http_event_impl/i_http_event_impl.h

@@ -239,6 +239,7 @@ public:
     const Buffer & getValue() const { return value; }
 
     bool isLastHeader() const { return is_last_header; }
+    void setIsLastHeader() { is_last_header = true; }
     uint8_t getHeaderIndex() const { return header_index; }
 
 private:
@@ -375,16 +376,31 @@ public:
         verdict(event_verdict)
     {}
 
+    EventVerdict(
+        const ModificationList &mods,
+        ngx_http_cp_verdict_e event_verdict,
+        std::string response_id) :
+        modifications(mods),
+        verdict(event_verdict),
+        webUserResponseByPractice(response_id)
+    {}
+
 // LCOV_EXCL_START - sync functions, can only be tested once the sync module exists
     template <typename T> void serialize(T &ar, uint) { ar(verdict); }
 // LCOV_EXCL_STOP
 
     const ModificationList & getModifications() const { return modifications; }
     ngx_http_cp_verdict_e getVerdict() const { return verdict; }
+    const std::string getWebUserResponseByPractice() const { return webUserResponseByPractice; }
+    void setWebUserResponseByPractice(const std::string id) {
+        dbgTrace(D_HTTP_MANAGER) << "current verdict web user response set to: " << id;
+        webUserResponseByPractice = id;
+    }
 
 private:
     ModificationList modifications;
     ngx_http_cp_verdict_e verdict = ngx_http_cp_verdict_e::TRAFFIC_VERDICT_INSPECT;
+    std::string webUserResponseByPractice;
 };
 
 #endif // __I_HTTP_EVENT_IMPL_H__

components/include/http_transaction_data.h

@@ -72,7 +72,8 @@ public:
             parsed_uri,
             client_ip,
             client_port,
-            response_content_encoding
+            response_content_encoding,
+            waf_tag
         );
     }
 
@@ -91,7 +92,8 @@ public:
             parsed_uri,
             client_ip,
             client_port,
-            response_content_encoding
+            response_content_encoding,
+            waf_tag
         );
     }
 // LCOV_EXCL_STOP
@@ -122,6 +124,9 @@ public:
         response_content_encoding = _response_content_encoding;
     }
 
+    const std::string & getWafTag() const { return waf_tag; }
+    void setWafTag(const std::string &_waf_tag) { waf_tag = _waf_tag; }
+
     static const std::string http_proto_ctx;
     static const std::string method_ctx;
     static const std::string host_name_ctx;
@@ -137,6 +142,7 @@ public:
     static const std::string source_identifier;
     static const std::string proxy_ip_ctx;
     static const std::string xff_vals_ctx;
+    static const std::string waf_tag_ctx;
 
     static const CompressionType default_response_content_encoding;
 
@@ -153,6 +159,7 @@ private:
     uint16_t client_port;
     bool is_request;
     CompressionType response_content_encoding;
+    std::string waf_tag;
 };
 
 #endif // __HTTP_TRANSACTION_DATA_H__

components/include/i_details_resolver.h

@@ -26,11 +26,12 @@ public:
     virtual Maybe<std::string> getArch() = 0;
     virtual std::string getAgentVersion() = 0;
     virtual bool isKernelVersion3OrHigher() = 0;
+    virtual bool isGw() = 0;
     virtual bool isGwNotVsx() = 0;
     virtual bool isVersionAboveR8110() = 0;
     virtual bool isReverseProxy() = 0;
     virtual bool isCloudStorageEnabled() = 0;
-    virtual Maybe<std::tuple<std::string, std::string, std::string>> parseNginxMetadata() = 0;
+    virtual Maybe<std::tuple<std::string, std::string, std::string, std::string>> parseNginxMetadata() = 0;
     virtual Maybe<std::tuple<std::string, std::string, std::string, std::string, std::string>> readCloudMetadata() = 0;
     virtual std::map<std::string, std::string> getResolvedDetails() = 0;
 #if defined(gaia) || defined(smb)

components/include/i_waap_telemetry.h

@@ -27,6 +27,7 @@ struct DecisionTelemetryData
     int responseCode;
     uint64_t elapsedTime;
     std::set<std::string> attackTypes;
+    bool temperatureDetected;
 
     DecisionTelemetryData() :
         blockType(NOT_BLOCKING),
@@ -38,7 +39,8 @@ struct DecisionTelemetryData
         method(POST),
         responseCode(0),
         elapsedTime(0),
-        attackTypes()
+        attackTypes(),
+        temperatureDetected(false)
     {
     }
 };

components/include/ip_utilities.h

@@ -28,8 +28,9 @@
 
 // LCOV_EXCL_START Reason: temporary until we add relevant UT until 07/10
 bool operator<(const IpAddress &this_ip_addr, const IpAddress &other_ip_addr);
-
 bool operator==(const IpAddress &this_ip_addr, const IpAddress &other_ip_addr);
+bool operator<=(const IpAddress &this_ip_addr, const IpAddress &other_ip_addr);
+bool operator<(const IPRange &range1, const IPRange &range2);
 // LCOV_EXCL_STOP
 
 Maybe<std::pair<std::string, int>> extractAddressAndMaskSize(const std::string &cidr);

components/include/ips_comp.h

@@ -4,6 +4,7 @@
 #include "singleton.h"
 #include "i_keywords_rule.h"
 #include "i_table.h"
+#include "i_mainloop.h"
 #include "i_http_manager.h"
 #include "i_environment.h"
 #include "http_inspection_events.h"
@@ -16,7 +17,8 @@ class IPSComp
     Singleton::Consume<I_KeywordsRule>,
     Singleton::Consume<I_Table>,
     Singleton::Consume<I_Environment>,
-    Singleton::Consume<I_GenericRulebase>
+    Singleton::Consume<I_GenericRulebase>,
+    Singleton::Consume<I_MainLoop>
 {
 public:
     IPSComp();

components/include/manifest_handler.h

@@ -62,6 +62,7 @@ public:
 
 private:
     Maybe<std::string> downloadPackage(const Package &package, bool is_clean_installation);
+    std::string getCurrentTimestamp();
 
     std::string manifest_file_path;
     std::string temp_ext;

components/include/nginx_message_reader.h

@@ -0,0 +1,28 @@
+#ifndef __NGINX_MESSAGE_READER_H__
+#define __NGINX_MESSAGE_READER_H__
+
+#include "singleton.h"
+#include "i_mainloop.h"
+#include "i_socket_is.h"
+#include "component.h"
+
+class NginxMessageReader
+        :
+    public Component,
+    Singleton::Consume<I_MainLoop>,
+    Singleton::Consume<I_Socket>
+{
+public:
+    NginxMessageReader();
+    ~NginxMessageReader();
+
+    void init() override;
+    void fini() override;
+    void preload() override;
+
+private:
+    class Impl;
+    std::unique_ptr<Impl> pimpl;
+};
+
+#endif //__NGINX_MESSAGE_READER_H__

components/include/nginx_utils.h

@@ -0,0 +1,51 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __NGINX_UTILS_H__
+#define __NGINX_UTILS_H__
+
+#include <string>
+
+#include "maybe_res.h"
+#include "singleton.h"
+#include "i_shell_cmd.h"
+
+class NginxConfCollector
+{
+public:
+    NginxConfCollector(const std::string &nginx_conf_input_path, const std::string &nginx_conf_output_path);
+    Maybe<std::string> generateFullNginxConf() const;
+
+private:
+    std::vector<std::string> expandIncludes(const std::string &includePattern) const;
+    void processConfigFile(
+        const std::string &path,
+        std::ostringstream &conf_output,
+        std::vector<std::string> &errors
+    ) const;
+
+    std::string main_conf_input_path;
+    std::string main_conf_output_path;
+    std::string main_conf_directory_path;
+};
+
+class NginxUtils : Singleton::Consume<I_ShellCmd>
+{
+public:
+    static std::string getModulesPath();
+    static std::string getMainNginxConfPath();
+    static Maybe<void> validateNginxConf(const std::string &nginx_conf_path);
+    static Maybe<void> reloadNginx(const std::string &nginx_conf_path);
+};
+
+#endif // __NGINX_UTILS_H__

components/include/prometheus_comp.h

@@ -0,0 +1,30 @@
+#ifndef __PROMETHEUS_COMP_H__
+#define __PROMETHEUS_COMP_H__
+
+#include <memory>
+
+#include "component.h"
+#include "singleton.h"
+
+#include "i_rest_api.h"
+#include "i_messaging.h"
+#include "generic_metric.h"
+
+class PrometheusComp
+        :
+    public Component,
+    Singleton::Consume<I_RestApi>,
+    Singleton::Consume<I_Messaging>
+{
+public:
+    PrometheusComp();
+    ~PrometheusComp();
+
+    void init() override;
+
+private:
+    class Impl;
+    std::unique_ptr<Impl> pimpl;
+};
+
+#endif // __PROMETHEUS_COMP_H__

components/include/rate_limit.h

@@ -7,15 +7,21 @@
 #include "singleton.h"
 #include "i_mainloop.h"
 #include "i_environment.h"
+#include "i_geo_location.h"
 #include "i_generic_rulebase.h"
+#include "i_shell_cmd.h"
+#include "i_env_details.h"
 
 class RateLimit
     :
     public Component,
     Singleton::Consume<I_MainLoop>,
     Singleton::Consume<I_TimeGet>,
+    Singleton::Consume<I_GeoLocation>,
     Singleton::Consume<I_Environment>,
-    Singleton::Consume<I_GenericRulebase>
+    Singleton::Consume<I_GenericRulebase>,
+    Singleton::Consume<I_ShellCmd>,
+    Singleton::Consume<I_EnvDetails>
 {
 public:
     RateLimit();

components/include/reverse_proxy_defaults.h

@@ -28,7 +28,7 @@ static const std::string default_nginx_config_file = "/etc/cp/conf/rpmanager/ngi
 static const std::string default_prepare_nginx_config_file = "/etc/cp/conf/rpmanager/nginx_prepare.conf";
 static const std::string default_global_conf_template = "/etc/cp/conf/rpmanager/nginx-conf-template";
 static const std::string default_nginx_config_include_file =
-    "/etc/cp/conf/rpmanager/servers/nginx_conf_include.conf";
+    "/etc/cp/conf/rpmanager/servers/00_nginx_conf_include.conf";
 static const std::string default_global_conf_include_template =
     "/etc/cp/conf/rpmanager/nginx-conf-include-template";
 static const std::string default_global_conf_include_template_no_responses =

components/include/telemetry.h

@@ -30,6 +30,7 @@
 #include "generic_metric.h"
 
 #define LOGGING_INTERVAL_IN_MINUTES 10
+USE_DEBUG_FLAG(D_WAAP);
 enum class AssetType { API, WEB, ALL, COUNT };
 
 class WaapTelemetryEvent : public Event<WaapTelemetryEvent>
@@ -75,6 +76,20 @@ private:
     std::unordered_set<std::string> sources_seen;
 };
 
+class WaapAdditionalTrafficTelemetrics : public WaapTelemetryBase
+{
+public:
+    void updateMetrics(const std::string &asset_id, const DecisionTelemetryData &data);
+    void initMetrics();
+
+private:
+    MetricCalculations::Counter requests{this, "reservedNgenA"};
+    MetricCalculations::Counter sources{this, "reservedNgenB"};
+    MetricCalculations::Counter blocked{this, "reservedNgenC"};
+    MetricCalculations::Counter temperature_count{this, "reservedNgenD"};
+    std::unordered_set<std::string> sources_seen;
+};
+
 class WaapTrafficTelemetrics : public WaapTelemetryBase
 {
 public:
@@ -123,6 +138,7 @@ private:
     std::map<std::string, std::shared_ptr<WaapTrafficTelemetrics>> traffic_telemetries;
     std::map<std::string, std::shared_ptr<WaapAttackTypesMetrics>> attack_types;
     std::map<std::string, std::shared_ptr<WaapAttackTypesMetrics>> attack_types_telemetries;
+    std::map<std::string, std::shared_ptr<WaapAdditionalTrafficTelemetrics>> additional_traffic_telemetries;
 
     template <typename T>
     void initializeTelemetryData(
@@ -132,6 +148,7 @@ private:
         std::map<std::string, std::shared_ptr<T>>& telemetryMap
     ) {
         if (!telemetryMap.count(asset_id)) {
+            dbgTrace(D_WAAP) << "creating telemetry data for asset: " << data.assetName;
             telemetryMap.emplace(asset_id, std::make_shared<T>());
             telemetryMap[asset_id]->init(
                 telemetryName,
@@ -139,7 +156,9 @@ private:
                 ReportIS::IssuingEngine::AGENT_CORE,
                 std::chrono::minutes(LOGGING_INTERVAL_IN_MINUTES),
                 true,
-                ReportIS::Audience::SECURITY
+                ReportIS::Audience::SECURITY,
+                false,
+                asset_id
             );
 
             telemetryMap[asset_id]->template registerContext<std::string>(
@@ -152,29 +171,30 @@ private:
                 std::string("Web Application"),
                 EnvKeyAttr::LogSection::SOURCE
             );
-            telemetryMap[asset_id]->template registerContext<std::string>(
-                "assetId",
-                asset_id,
-                EnvKeyAttr::LogSection::SOURCE
-            );
-            telemetryMap[asset_id]->template registerContext<std::string>(
-                "assetName",
-                data.assetName,
-                EnvKeyAttr::LogSection::SOURCE
-            );
-            telemetryMap[asset_id]->template registerContext<std::string>(
-                "practiceId",
-                data.practiceId,
-                EnvKeyAttr::LogSection::SOURCE
-            );
-            telemetryMap[asset_id]->template registerContext<std::string>(
-                "practiceName",
-                data.practiceName,
-                EnvKeyAttr::LogSection::SOURCE
-            );
-
             telemetryMap[asset_id]->registerListener();
         }
+        dbgTrace(D_WAAP) << "updating telemetry data for asset: " << data.assetName;
+
+        telemetryMap[asset_id]->template registerContext<std::string>(
+            "assetId",
+            asset_id,
+            EnvKeyAttr::LogSection::SOURCE
+        );
+        telemetryMap[asset_id]->template registerContext<std::string>(
+            "assetName",
+            data.assetName,
+            EnvKeyAttr::LogSection::SOURCE
+        );
+        telemetryMap[asset_id]->template registerContext<std::string>(
+            "practiceId",
+            data.practiceId,
+            EnvKeyAttr::LogSection::SOURCE
+        );
+        telemetryMap[asset_id]->template registerContext<std::string>(
+            "practiceName",
+            data.practiceName,
+            EnvKeyAttr::LogSection::SOURCE
+        );
     }
 };
 

components/include/user_identifiers_config.h

@@ -30,6 +30,7 @@ public:
     void parseRequestHeaders(const HttpHeader &header) const;
     std::vector<std::string> getHeaderValuesFromConfig(const std::string &header_key) const;
     void setXFFValuesToOpaqueCtx(const HttpHeader &header, ExtractType type) const;
+    void setWafTagValuesToOpaqueCtx(const HttpHeader &header) const;
 
 private:
     class UsersIdentifiersConfig
@@ -58,7 +59,7 @@ private:
         const std::string::const_iterator &end,
         const std::string &key) const;
     Buffer extractKeyValueFromCookie(const std::string &cookie_value, const std::string &key) const;
-    Maybe<std::string> parseXForwardedFor(const std::string &str) const;
+    Maybe<std::string> parseXForwardedFor(const std::string &str, ExtractType type) const;
 
     std::vector<UsersIdentifiersConfig> user_identifiers;
 };

components/include/waap.h

@@ -33,6 +33,7 @@ class I_WaapAssetStatesManager;
 class I_Messaging;
 class I_AgentDetails;
 class I_Encryptor;
+class I_WaapModelResultLogger;
 
 const std::string WAAP_APPLICATION_NAME = "waap application";
 
@@ -50,7 +51,8 @@ class WaapComponent
     Singleton::Consume<I_AgentDetails>,
     Singleton::Consume<I_Messaging>,
     Singleton::Consume<I_Encryptor>,
-    Singleton::Consume<I_Environment>
+    Singleton::Consume<I_Environment>,
+    Singleton::Consume<I_WaapModelResultLogger>
 {
 public:
     WaapComponent();

components/nginx_message_reader/CMakeLists.txt

@@ -0,0 +1,3 @@
+link_directories(${BOOST_ROOT}/lib)
+
+add_library(nginx_message_reader nginx_message_reader.cc)

components/nginx_message_reader/nginx_message_reader.cc

@@ -0,0 +1,735 @@
+#include "nginx_message_reader.h"
+
+#include <string>
+#include <boost/regex.hpp>
+#include <boost/algorithm/string.hpp>
+#include <boost/algorithm/string/regex.hpp>
+
+#include "config.h"
+#include "singleton.h"
+#include "i_mainloop.h"
+#include "enum_array.h"
+#include "log_generator.h"
+#include "maybe_res.h"
+#include "http_transaction_data.h"
+#include "generic_rulebase/rulebase_config.h"
+#include "generic_rulebase/evaluators/asset_eval.h"
+#include "generic_rulebase/triggers_config.h"
+#include "agent_core_utilities.h"
+#include "rate_limit_config.h"
+
+USE_DEBUG_FLAG(D_NGINX_MESSAGE_READER);
+
+using namespace std;
+
+static const string syslog_regex_string = (
+    "<[0-9]+>([A-Z][a-z][a-z]\\s{1,2}\\d{1,2}\\s\\d{2}"
+    "[:]\\d{2}[:]\\d{2})\\s([\\w][\\w\\d\\.@-]*)\\s(nginx:)"
+);
+
+static const boost::regex socket_address_regex("(\\d+\\.\\d+\\.\\d+\\.\\d+):(\\d+)");
+static const boost::regex syslog_regex(syslog_regex_string);
+static const boost::regex alert_log_regex(
+    "("
+    + syslog_regex_string + ") "
+    + "(.+?\\[alert\\] )(.+?)"
+    ", (client: .+?)"
+    ", (server: .+?)"
+    ", (request: \".+?\")"
+    ", (upstream: \".+?\")"
+    ", (host: \".+?\")$"
+);
+
+static const boost::regex error_log_regex(
+    "("
+    + syslog_regex_string + ") "
+    + "(.+?\\[error\\] )(.+?)"
+    ", (client: .+?)"
+    ", (server: .+?)"
+    ", (request: \".+?\")"
+    ", (upstream: \".+?\")"
+    ", (host: \".+?\")$"
+);
+
+static const boost::regex server_regex("(\\d+\\.\\d+\\.\\d+\\.\\d+)|(\\w+\\.\\w+)");
+static const boost::regex uri_regex("^/");
+static const boost::regex port_regex("\\d+");
+static const boost::regex response_code_regex("[0-9]{3}");
+static const boost::regex http_method_regex("[A-Za-z]+");
+
+class NginxMessageReader::Impl
+{
+public:
+    void
+    init()
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER);
+        I_MainLoop *mainloop = Singleton::Consume<I_MainLoop>::by<NginxMessageReader>();
+        mainloop->addOneTimeRoutine(
+            I_MainLoop::RoutineType::System,
+            [this] ()
+            {
+                initSyslogServerSocket();
+                handleNginxLogs();
+            },
+            "Initialize nginx syslog",
+            true
+        );
+    }
+
+    void
+    preload()
+    {
+        registerConfigLoadCb([this]() { loadNginxMessageReaderConfig(); });
+    }
+
+    void
+    fini()
+    {
+        I_Socket *i_socket = Singleton::Consume<I_Socket>::by<NginxMessageReader>();
+        i_socket->closeSocket(syslog_server_socket);
+    }
+
+    void
+    loadNginxMessageReaderConfig()
+    {
+        rate_limit_status_code = getProfileAgentSettingWithDefault<string>(
+            "429",
+            "accessControl.rateLimit.returnCode"
+        );
+        dbgTrace(D_NGINX_MESSAGE_READER) << "Selected rate-limit status code: " << rate_limit_status_code;
+    }
+
+private:
+    enum class LogInfo {
+        HTTP_METHOD,
+        URI,
+        RESPONSE_CODE,
+        HOST,
+        SOURCE,
+        DESTINATION_IP,
+        DESTINATION_PORT,
+        EVENT_MESSAGE,
+        ASSET_ID,
+        ASSET_NAME,
+        RULE_NAME,
+        RULE_ID,
+        COUNT
+    };
+
+    void
+    initSyslogServerSocket()
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER);
+        I_MainLoop *mainloop = Singleton::Consume<I_MainLoop>::by<NginxMessageReader>();
+        I_Socket *i_socket = Singleton::Consume<I_Socket>::by<NginxMessageReader>();
+        string nginx_syslog_server_address = getProfileAgentSettingWithDefault<string>(
+            "127.0.0.1:1514",
+            "reverseProxy.nginx.syslogAddress"
+        );
+        dbgInfo(D_NGINX_MESSAGE_READER) << "Attempting to open a socket: " << nginx_syslog_server_address;
+        do {
+            Maybe<I_Socket::socketFd> new_socket = i_socket->genSocket(
+                I_Socket::SocketType::UDP,
+                false,
+                true,
+                nginx_syslog_server_address
+            );
+            if (!new_socket.ok()) {
+                dbgError(D_NGINX_MESSAGE_READER) << "Failed to open a socket. Error: " << new_socket.getErr();
+                mainloop->yield(chrono::milliseconds(500));
+                continue;
+            }
+
+            if (new_socket.unpack() < 0) {
+                dbgError(D_NGINX_MESSAGE_READER)<< "Generated socket is OK yet negative";
+                mainloop->yield(chrono::milliseconds(500));
+                continue;
+            }
+            syslog_server_socket = new_socket.unpack();
+            dbgInfo(D_NGINX_MESSAGE_READER)
+                << "Opened socket for nginx logs over syslog. Socket: "
+                << syslog_server_socket;
+        } while (syslog_server_socket < 0);
+    }
+
+    void
+    handleNginxLogs()
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER);
+        I_MainLoop::Routine read_logs =
+        [this] ()
+        {
+            Maybe<string> logs = getLogsFromSocket(syslog_server_socket);
+
+            if (!logs.ok()) {
+                dbgWarning(D_NGINX_MESSAGE_READER)
+                    << "Failed to get NGINX logs from the socket. Error: "
+                    << logs.getErr();
+                return;
+            }
+            string raw_logs_to_parse = logs.unpackMove();
+            vector<string> logs_to_parse = separateLogs(raw_logs_to_parse);
+
+            for (auto const &log: logs_to_parse) {
+                bool log_sent;
+                if (isAccessLog(log)) {
+                    log_sent = sendAccessLog(log);
+                } else if (isAlertErrorLog(log) || isErrorLog(log)) {
+                    log_sent = sendErrorLog(log);
+                } else {
+                    dbgWarning(D_NGINX_MESSAGE_READER) << "Unexpected nginx log format";
+                    continue;
+                }
+                if (!log_sent) {
+                    dbgWarning(D_NGINX_MESSAGE_READER) << "Failed to send Log to Infinity Portal";
+                } else {
+                    dbgTrace(D_NGINX_MESSAGE_READER) << "Succesfully sent nginx log to Infinity Portal";
+                }
+            }
+        };
+        I_MainLoop *mainloop = Singleton::Consume<I_MainLoop>::by<NginxMessageReader>();
+        mainloop->addFileRoutine(
+            I_MainLoop::RoutineType::RealTime,
+            syslog_server_socket,
+            read_logs,
+            "Process nginx logs",
+            true
+        );
+    }
+
+    bool
+    sendAccessLog(const string &log)
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER) << "Access log" << log;
+        Maybe<EnumArray<LogInfo, string>> log_info = parseAccessLog(log);
+        if (!log_info.ok()) {
+            dbgWarning(D_NGINX_MESSAGE_READER)
+                << "Failed parsing the NGINX logs. Error: "
+                << log_info.getErr();
+            return false;
+        }
+        auto unpacked_log_info = log_info.unpack();
+
+        if (unpacked_log_info[LogInfo::RESPONSE_CODE] == rate_limit_status_code) {
+            return sendRateLimitLog(unpacked_log_info);
+        }
+        return sendLog(unpacked_log_info);
+    }
+
+    bool
+    sendErrorLog(const string &log)
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER) << "Error log" << log;
+        Maybe<EnumArray<LogInfo, string>> log_info = parseErrorLog(log);
+        if (!log_info.ok()) {
+            dbgWarning(D_NGINX_MESSAGE_READER)
+                << "Failed parsing the NGINX logs. Error: "
+                << log_info.getErr();
+            return false;
+        }
+        return sendLog(log_info.unpack());
+    }
+
+    bool
+    isAccessLog(const string &log) const
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER) << "Chekck if string contains \"accessLog\"" << log;
+        return log.find("accessLog") != string::npos;
+    }
+
+    bool
+    isAlertErrorLog(const string &log) const
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER) << "Check if log is of type 'error log'. Log: " << log;
+        return log.find("[alert]") != string::npos;
+    }
+
+    bool
+    isErrorLog(const string &log) const
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER) << "Check if log is of type 'error log'. Log: " << log;
+        return log.find("[error]") != string::npos;
+    }
+
+    bool
+    sendLog(const EnumArray<LogInfo, string> &log_info)
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER);
+        string event_name;
+        switch (log_info[LogInfo::RESPONSE_CODE][0]) {
+            case '4': {
+                event_name = "Invalid request or incorrect reverse proxy configuration - Request dropped."
+                " Please check the reverse proxy configuration of your relevant assets";
+                break;
+            }
+            case '5': {
+                event_name = "AppSec Gateway reverse proxy error - Request dropped. "
+                "Please verify the reverse proxy configuration of your relevant assets. "
+                "If the issue persists please contact Check Point Support";
+                break;
+            }
+            default: {
+                dbgError(D_NGINX_MESSAGE_READER) << "Irrelevant status code";
+                return false;
+            }
+        }
+
+        dbgTrace(D_NGINX_MESSAGE_READER)
+            << "Nginx log's event name and response code: "
+            << event_name
+            << ", "
+            << log_info[LogInfo::RESPONSE_CODE];
+        LogGen log(
+            event_name,
+            ReportIS::Audience::SECURITY,
+            ReportIS::Severity::INFO,
+            ReportIS::Priority::LOW,
+            ReportIS::Tags::REVERSE_PROXY
+        );
+        log << LogField("eventConfidence", "High");
+
+        for (LogInfo field : makeRange<LogInfo>()) {
+            Maybe<string> string_field = convertLogFieldToString(field);
+            if (!string_field.ok()) {
+                dbgDebug(D_NGINX_MESSAGE_READER) << "Enum field was not converted: " <<  string_field.getErr();
+                return false;
+            }
+
+            if (field != LogInfo::DESTINATION_PORT) {
+                log << LogField(string_field.unpack(), log_info[field]);
+                continue;
+            }
+
+            try {
+                log << LogField(string_field.unpack(), stoi(log_info[field]));
+            } catch (const exception &e) {
+                dbgError(D_NGINX_MESSAGE_READER)
+                    << "Unable to convert port to numeric value: "
+                    << e.what();
+                log << LogField(string_field.unpack(), 0);
+            }
+        }
+        return true;
+    }
+
+    bool
+    sendRateLimitLog(const EnumArray<LogInfo, string> &log_info)
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER) << "Getting rate-limit rules of asset ID: " << log_info[LogInfo::ASSET_ID];
+
+        ScopedContext rate_limit_ctx;
+
+        rate_limit_ctx.registerValue<GenericConfigId>(AssetMatcher::ctx_key, log_info[LogInfo::ASSET_ID]);
+        auto rate_limit_config = getConfiguration<RateLimitConfig>("rulebase", "rateLimit");
+        if (!rate_limit_config.ok()) {
+            dbgTrace(D_NGINX_MESSAGE_READER)
+                << "Rate limit context does not match asset ID: " << log_info[LogInfo::ASSET_ID];
+            return false;
+        }
+        RateLimitConfig unpacked_rate_limit_config = rate_limit_config.unpack();
+
+        string nginx_uri = log_info[LogInfo::URI];
+        const LogTriggerConf &rate_limit_trigger = unpacked_rate_limit_config.getRateLimitTrigger(nginx_uri);
+
+        dbgTrace(D_NGINX_MESSAGE_READER)<< "About to generate NGINX rate-limit log";
+
+        string event_name = "Rate limit";
+        string security_action = "Drop";
+        bool is_log_required = false;
+
+        // Prevent events checkbox (in triggers)
+        if (rate_limit_trigger.isPreventLogActive(LogTriggerConf::SecurityType::AccessControl)) {
+            is_log_required = true;
+        }
+
+        if (!is_log_required) {
+            dbgTrace(D_NGINX_MESSAGE_READER) << "Not sending NGINX rate-limit log as it is not required";
+            return false;
+        }
+
+        ostringstream src_ip;
+        ostringstream dst_ip;
+        src_ip << log_info[LogInfo::SOURCE];
+        dst_ip << log_info[LogInfo::DESTINATION_IP];
+
+        ReportIS::Severity log_severity = ReportIS::Severity::MEDIUM;
+        ReportIS::Priority log_priority = ReportIS::Priority::MEDIUM;
+
+        LogGen log = rate_limit_trigger(
+            event_name,
+            LogTriggerConf::SecurityType::AccessControl,
+            log_severity,
+            log_priority,
+            true, // is drop
+            LogField("practiceType", "Rate Limit"),
+            ReportIS::Tags::RATE_LIMIT
+        );
+
+        for (LogInfo field : makeRange<LogInfo>()) {
+            Maybe<string> string_field = convertLogFieldToString(field);
+            if (!string_field.ok()) {
+                dbgDebug(D_NGINX_MESSAGE_READER) << "Enum field was not converted: " <<  string_field.getErr();
+                return false;
+            }
+            
+            if (
+                field == LogInfo::HOST ||
+                field == LogInfo::URI ||
+                field == LogInfo::HTTP_METHOD ||
+                field == LogInfo::SOURCE ||
+                field == LogInfo::DESTINATION_IP ||
+                field == LogInfo::ASSET_ID ||
+                field == LogInfo::ASSET_NAME ||
+                field == LogInfo::RESPONSE_CODE
+            ) {
+                if (!log_info[field].empty()) {
+                    log << LogField(string_field.unpack(), log_info[field]);
+                    continue;
+                }
+            }
+
+            if (field == LogInfo::DESTINATION_PORT) {
+                try {
+                    int numeric_dst_port = stoi(log_info[field]);
+                    log << LogField(string_field.unpack(), numeric_dst_port);
+                } catch (const exception &e) {
+                    dbgWarning(D_NGINX_MESSAGE_READER)
+                        << "Unable to convert dst port: "
+                        << log_info[field]
+                        << " to numberic value. Error: "
+                        << e.what();
+                }
+            }
+        }
+
+        return true;
+    }
+
+    Maybe<string>
+    convertLogFieldToString(LogInfo field)
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER);
+        switch (field) {
+            case LogInfo::HTTP_METHOD:
+                return string("httpMethod");
+            case LogInfo::URI:
+                return string("httpUriPath");
+            case LogInfo::RESPONSE_CODE:
+                return string("httpResponseCode");
+            case LogInfo::HOST:
+                return string("httpHostName");
+            case LogInfo::SOURCE:
+                return string("httpSourceId");
+            case LogInfo::DESTINATION_IP:
+                return string("destinationIp");
+            case LogInfo::DESTINATION_PORT:
+                return string("destinationPort");
+            case LogInfo::ASSET_ID:
+                return string("assetId");
+            case LogInfo::ASSET_NAME:
+                return string("assetName");
+            case LogInfo::EVENT_MESSAGE:
+                return string("httpResponseBody");
+            case LogInfo::RULE_ID:
+                return string("ruleId");
+            case LogInfo::RULE_NAME:
+                return string("ruleName");
+            case LogInfo::COUNT:
+                dbgError(D_NGINX_MESSAGE_READER) << "LogInfo::COUNT is not allowed";
+                return genError("LogInfo::COUNT is not allowed");
+        }
+        dbgError(D_NGINX_MESSAGE_READER) << "No Enum found, int value: " << static_cast<int>(field);
+        return genError("No Enum found");
+    }
+
+    static vector<string>
+    separateLogs(const string &raw_logs_to_parse)
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER) << "separating logs. logs: " << raw_logs_to_parse;
+        dbgTrace(D_NGINX_MESSAGE_READER) << "separateLogs start of function. Logs to parse: " << raw_logs_to_parse;
+        boost::smatch matcher;
+        vector<string> logs;
+
+        if (raw_logs_to_parse.empty()) return logs;
+
+        size_t pos = 0;
+        while (NGEN::Regex::regexSearch(__FILE__, __LINE__, raw_logs_to_parse.substr(pos), matcher, syslog_regex)) {
+            if (pos == 0) {
+                dbgTrace(D_NGINX_MESSAGE_READER) << "separateLogs pos = 0";
+                pos++;
+                continue;
+            }
+            auto log_length = matcher.position();
+            logs.push_back(raw_logs_to_parse.substr(pos - 1, log_length));
+
+            pos += log_length + 1;
+        }
+        logs.push_back(raw_logs_to_parse.substr(pos - 1));
+        dbgTrace(D_NGINX_MESSAGE_READER) << "separateLogs end of function";
+
+        return logs;
+    }
+
+    static pair<string, string>
+    parseErrorLogRequestField(const string &request)
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER) << "parsing request field. request: " << request;
+        string formatted_request = request;
+        vector<string> result;
+        boost::erase_all(formatted_request, "\"");
+        boost::erase_all(formatted_request, "\n");
+        boost::split(result, formatted_request, boost::is_any_of(" "), boost::token_compress_on);
+
+        const int http_method_index = 1;
+        const int uri_index = 2;
+        return pair<string, string>(result[http_method_index], result[uri_index]);
+    }
+
+    static string
+    parseErrorLogField(const string &field)
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER) << "parsing error log field " << field;
+        string formatted_field = field;
+        vector<string> result;
+        boost::erase_all(formatted_field, "\"");
+        boost::erase_all(formatted_field, "\n");
+        boost::split(result, formatted_field, boost::is_any_of(" "), boost::token_compress_on);
+
+        const int field_index = 1;
+        return result[field_index];
+    }
+
+    void
+    addContextFieldsToLogInfo(EnumArray<LogInfo, string> &log_info)
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER);
+        ScopedContext ctx;
+
+        try {
+            ctx.registerValue<uint16_t>(
+                HttpTransactionData::listening_port_ctx,
+                static_cast<uint16_t>(stoi(log_info[LogInfo::DESTINATION_PORT]))
+            );
+        } catch (const exception &e) {
+            dbgError(D_NGINX_MESSAGE_READER) << "Failed register values for context " << e.what();
+        }
+        ctx.registerValue<string>(HttpTransactionData::host_name_ctx, log_info[LogInfo::HOST]);
+        ctx.registerValue<string>(HttpTransactionData::uri_ctx, log_info[LogInfo::URI]);
+        auto rule_by_ctx = getConfiguration<BasicRuleConfig>("rulebase", "rulesConfig");
+        if (!rule_by_ctx.ok()) {
+            dbgWarning(D_NGINX_MESSAGE_READER)
+                << "AssetId was not found by the given context. Reason: "
+                << rule_by_ctx.getErr();
+            return;
+        }
+
+        BasicRuleConfig context = rule_by_ctx.unpack();
+        log_info[LogInfo::ASSET_ID] = context.getAssetId();
+        log_info[LogInfo::ASSET_NAME] = context.getAssetName();
+        log_info[LogInfo::RULE_ID] = context.getRuleId();
+        log_info[LogInfo::RULE_NAME] = context.getRuleName();
+    }
+
+    Maybe<EnumArray<LogInfo, string>>
+    parseErrorLog(const string &log_line)
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER) << "Handling log line:" << log_line;
+        string port;
+        EnumArray<LogInfo, string> log_info(EnumArray<LogInfo, string>::Fill(), string(""));
+
+        boost::smatch matcher;
+        vector<string> result;
+        if (
+            !NGEN::Regex::regexSearch(
+                __FILE__,
+                __LINE__,
+                log_line,
+                matcher,
+                isAlertErrorLog(log_line) ? alert_log_regex : error_log_regex
+            )
+        ) {
+            dbgWarning(D_NGINX_MESSAGE_READER) << "Unexpected nginx log format";
+            return genError("Unexpected nginx log format");
+        }
+
+        const int event_message_index = 6;
+        const int source_index = 7;
+        const int request_index = 9;
+        const int host_index = 11;
+        string host = string(matcher[host_index].first, matcher[host_index].second);
+        string source = string(matcher[source_index].first, matcher[source_index].second);
+        string event_message = string(matcher[event_message_index].first, matcher[event_message_index].second);
+        string request = string(matcher[request_index].first, matcher[request_index].second);
+
+        host = parseErrorLogField(host);
+        source = parseErrorLogField(source);
+        pair<string, string> parsed_request = parseErrorLogRequestField(request);
+        string http_method = parsed_request.first;
+        string uri = parsed_request.second;
+
+        if (NGEN::Regex::regexSearch(__FILE__, __LINE__, host, matcher, socket_address_regex)) {
+            int host_index = 1;
+            int port_index = 2;
+            host = string(matcher[host_index].first, matcher[host_index].second);
+            port = string(matcher[port_index].first, matcher[port_index].second);
+        } else if (NGEN::Regex::regexSearch(__FILE__, __LINE__, host, matcher, boost::regex("https://"))) {
+            port = "443";
+        } else {
+            port = "80";
+        }
+
+        log_info[LogInfo::HOST] = host;
+        log_info[LogInfo::URI] = uri;
+        log_info[LogInfo::RESPONSE_CODE] = "500";
+        log_info[LogInfo::HTTP_METHOD] = http_method;
+        log_info[LogInfo::SOURCE] = source;
+        log_info[LogInfo::DESTINATION_IP] = host;
+        log_info[LogInfo::DESTINATION_PORT] = port;
+        log_info[LogInfo::EVENT_MESSAGE] = event_message;
+
+        addContextFieldsToLogInfo(log_info);
+
+        if (!validateLog(log_info)) {
+            dbgWarning(D_NGINX_MESSAGE_READER) << "Unexpected nginx log format";
+            return genError("Unexpected nginx log format");
+        }
+
+        return log_info;
+    }
+
+    Maybe<EnumArray<LogInfo, string>>
+    parseAccessLog(const string &log_line)
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER) << "Parsing log line: " << log_line;
+        string formatted_log = log_line;
+        EnumArray<LogInfo, string> log_info(EnumArray<LogInfo, string>::Fill(), string(""));
+        vector<string> result;
+        boost::erase_all(formatted_log, "\"");
+        boost::erase_all(formatted_log, "\n");
+        boost::split(result, formatted_log, boost::is_any_of(" "), boost::token_compress_on);
+
+        const int valid_log_size = 20;
+
+        if (result.size() < valid_log_size) {
+            dbgWarning(D_NGINX_MESSAGE_READER) << "Unexpected nginx log format";
+            return genError("Unexpected nginx log format");
+        }
+
+        const int host_index = 6;
+        const int host_port_index = 7;
+        const int http_method_index = 13;
+        const int uri_index = 14;
+        const int response_cod_index = 16;
+        const int source_index = 8;
+
+        log_info[LogInfo::HOST] = result[host_index];
+        log_info[LogInfo::URI] = result[uri_index];
+        log_info[LogInfo::RESPONSE_CODE] = result[response_cod_index];
+        log_info[LogInfo::HTTP_METHOD] = result[http_method_index];
+        log_info[LogInfo::SOURCE] = result[source_index];
+        log_info[LogInfo::DESTINATION_IP] = result[host_index];
+        log_info[LogInfo::DESTINATION_PORT] = result[host_port_index];
+        log_info[LogInfo::EVENT_MESSAGE] = "Invalid request or incorrect reverse proxy configuration - "
+        "Request dropped. Please check the reverse proxy configuration of your relevant assets";
+
+        addContextFieldsToLogInfo(log_info);
+
+        if (!validateLog(log_info)) {
+            dbgWarning(D_NGINX_MESSAGE_READER) << "Unexpected nginx log format";
+            return genError("Unexpected nginx log format");
+        }
+        return log_info;
+    }
+
+    static bool
+    validateLog(const EnumArray<LogInfo, string> &log_info)
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER);
+
+        boost::smatch matcher;
+        if (!NGEN::Regex::regexSearch(__FILE__, __LINE__, log_info[LogInfo::HOST], matcher, server_regex)) {
+            dbgTrace(D_NGINX_MESSAGE_READER) << "Could not validate server (Host): " << log_info[LogInfo::HOST];
+            return false;
+        }
+        if (!NGEN::Regex::regexSearch(__FILE__, __LINE__, log_info[LogInfo::URI], matcher, uri_regex)) {
+            dbgTrace(D_NGINX_MESSAGE_READER) << "Could not validate Uri: " << log_info[LogInfo::URI];
+            return false;
+        }
+
+        if (
+            !NGEN::Regex::regexSearch(
+                __FILE__,
+                __LINE__,
+                log_info[LogInfo::RESPONSE_CODE],
+                matcher, response_code_regex
+            )
+        ) {
+            dbgTrace(D_NGINX_MESSAGE_READER)
+                << "Could not validate response code: "
+                << log_info[LogInfo::RESPONSE_CODE];
+            return false;
+        }
+
+        if (
+            !NGEN::Regex::regexSearch(__FILE__, __LINE__, log_info[LogInfo::HTTP_METHOD], matcher, http_method_regex)
+        ) {
+            dbgTrace(D_NGINX_MESSAGE_READER) << "Could not validate HTTP method: " << log_info[LogInfo::HTTP_METHOD];
+            return false;
+        }
+
+        if (!NGEN::Regex::regexSearch(__FILE__, __LINE__, log_info[LogInfo::DESTINATION_PORT], matcher, port_regex)) {
+            dbgTrace(D_NGINX_MESSAGE_READER)
+                << "Could not validate destination port : "
+                << log_info[LogInfo::DESTINATION_PORT];
+            return false;
+        }
+
+        if (!NGEN::Regex::regexSearch(__FILE__, __LINE__, log_info[LogInfo::SOURCE], matcher, server_regex)) {
+            dbgTrace(D_NGINX_MESSAGE_READER) << "Could not validate source : " << log_info[LogInfo::SOURCE];
+            return false;
+        }
+
+        return true;
+    }
+
+    Maybe<string>
+    getLogsFromSocket(const I_Socket::socketFd &client_socket) const
+    {
+        dbgFlow(D_NGINX_MESSAGE_READER) << "Reading logs from socket. fd: " << client_socket;
+        I_Socket *i_socket = Singleton::Consume<I_Socket>::by<NginxMessageReader>();
+        Maybe<vector<char>> raw_log_data = i_socket->receiveData(client_socket, 0, false);
+        if (!raw_log_data.ok()) {
+            dbgWarning(D_NGINX_MESSAGE_READER) << "Error receiving data from socket";
+            return genError("Error receiving data from socket");
+        }
+
+        string raw_log(raw_log_data.unpack().begin(), raw_log_data.unpack().end());
+        return move(raw_log);
+    }
+
+    I_Socket::socketFd syslog_server_socket = -1;
+    string rate_limit_status_code = "429";
+};
+
+NginxMessageReader::NginxMessageReader() : Component("NginxMessageReader"), pimpl(make_unique<Impl>()) {}
+
+NginxMessageReader::~NginxMessageReader() {}
+
+void
+NginxMessageReader::init()
+{
+    pimpl->init();
+}
+
+void
+NginxMessageReader::preload()
+{
+    pimpl->preload();
+}
+
+void
+NginxMessageReader::fini()
+{
+    pimpl->fini();
+}

components/security_apps/CMakeLists.txt

@@ -3,5 +3,7 @@ add_subdirectory(ips)
 add_subdirectory(layer_7_access_control)
 add_subdirectory(local_policy_mgmt_gen)
 add_subdirectory(orchestration)
+add_subdirectory(prometheus)
 add_subdirectory(rate_limit)
 add_subdirectory(waap)
+add_subdirectory(central_nginx_manager)

components/security_apps/central_nginx_manager/CMakeLists.txt

@@ -0,0 +1,3 @@
+include_directories(include)
+
+add_library(central_nginx_manager central_nginx_manager.cc lets_encrypt_listener.cc)

components/security_apps/central_nginx_manager/central_nginx_manager.cc

@@ -0,0 +1,418 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "central_nginx_manager.h"
+#include "lets_encrypt_listener.h"
+
+#include <string>
+#include <vector>
+#include <cereal/external/base64.hpp>
+
+#include "debug.h"
+#include "config.h"
+#include "rest.h"
+#include "log_generator.h"
+#include "nginx_utils.h"
+#include "agent_core_utilities.h"
+
+using namespace std;
+
+USE_DEBUG_FLAG(D_NGINX_MANAGER);
+
+class CentralNginxConfig
+{
+public:
+    void load(cereal::JSONInputArchive &ar)
+    {
+        try {
+            string nginx_conf_base64;
+            ar(cereal::make_nvp("id", file_id));
+            ar(cereal::make_nvp("name", file_name));
+            ar(cereal::make_nvp("data", nginx_conf_base64));
+            nginx_conf_content = cereal::base64::decode(nginx_conf_base64);
+            central_nginx_conf_path = getCentralNginxConfPath();
+            shared_config_path = getSharedConfigPath();
+            if (!nginx_conf_content.empty()) configureCentralNginx();
+        } catch (const cereal::Exception &e) {
+            dbgDebug(D_NGINX_MANAGER) << "Could not load Central Management Config JSON. Error: " << e.what();
+            ar.setNextName(nullptr);
+        }
+    }
+
+    const string & getFileId() const { return file_id; }
+    const string & getFileName() const { return file_name; }
+    const string & getFileContent() const { return nginx_conf_content; }
+
+    static string
+    getCentralNginxConfPath()
+    {
+        string central_nginx_conf_path = getProfileAgentSettingWithDefault<string>(
+            string("/tmp/central_nginx.conf"),
+            "centralNginxManagement.confDownloadPath"
+        );
+        dbgInfo(D_NGINX_MANAGER) << "Central NGINX configuration path: " << central_nginx_conf_path;
+
+        return central_nginx_conf_path;
+    }
+
+    static string
+    getSharedConfigPath()
+    {
+        string central_shared_conf_path = getConfigurationWithDefault<string>(
+            "/etc/cp/conf",
+            "Config Component",
+            "configuration path"
+        );
+        central_shared_conf_path += "/centralNginxManager/shared/central_nginx_shared.conf";
+        dbgInfo(D_NGINX_MANAGER) << "Shared NGINX configuration path: " << central_shared_conf_path;
+
+        return central_shared_conf_path;
+    }
+
+private:
+    void
+    loadAttachmentModule()
+    {
+        string attachment_module_path = NginxUtils::getModulesPath() + "/ngx_cp_attachment_module.so";
+        if (!NGEN::Filesystem::exists(attachment_module_path)) {
+            dbgTrace(D_NGINX_MANAGER) << "Attachment module " << attachment_module_path << " does not exist";
+            return;
+        }
+
+        string attachment_module_conf = "load_module " + attachment_module_path + ";";
+        if (nginx_conf_content.find(attachment_module_conf) != string::npos) {
+            dbgTrace(D_NGINX_MANAGER) << "Attachment module " << attachment_module_path << " already loaded";
+            return;
+        }
+
+        nginx_conf_content = attachment_module_conf + "\n" + nginx_conf_content;
+    }
+
+    Maybe<void>
+    loadSharedDirective(const string &directive)
+    {
+        dbgFlow(D_NGINX_MANAGER) << "Loading shared directive into the servers " << directive;
+
+        if (!NGEN::Filesystem::copyFile(shared_config_path, shared_config_path + ".bak", true)) {
+            return genError("Could not create a backup of the shared NGINX configuration file");
+        }
+
+        ifstream shared_config(shared_config_path);
+        if (!shared_config.is_open()) {
+            return genError("Could not open shared NGINX configuration file");
+        }
+
+        string shared_config_content((istreambuf_iterator<char>(shared_config)), istreambuf_iterator<char>());
+        shared_config.close();
+
+        if (shared_config_content.find(directive) != string::npos) {
+            dbgTrace(D_NGINX_MANAGER) << "Shared directive " << directive << " already loaded";
+            return {};
+        }
+
+        ofstream new_shared_config(shared_config_path, ios::app);
+        if (!new_shared_config.is_open()) {
+            return genError("Could not open shared NGINX configuration file");
+        }
+
+        dbgTrace(D_NGINX_MANAGER) << "Adding shared directive " << directive;
+        new_shared_config << directive << "\n";
+        new_shared_config.close();
+
+        auto validation = NginxUtils::validateNginxConf(central_nginx_conf_path);
+        if (!validation.ok()) {
+            if (!NGEN::Filesystem::copyFile(shared_config_path + ".bak", shared_config_path, true)) {
+                return genError("Could not restore the shared NGINX configuration file");
+            }
+            return genError("Could not validate shared NGINX configuration file. Error: " + validation.getErr());
+        }
+
+        return {};
+    }
+
+    Maybe<void>
+    loadSharedConfig()
+    {
+        dbgFlow(D_NGINX_MANAGER) << "Loading shared configuration into the servers";
+
+        ofstream shared_config(shared_config_path);
+        if (!shared_config.is_open()) {
+            return genError("Could not create shared NGINX configuration file");
+        }
+        shared_config.close();
+
+        string shared_config_directive = "include " + shared_config_path + ";\n";
+        boost::regex server_regex("server\\s*\\{");
+        nginx_conf_content = NGEN::Regex::regexReplace(
+            __FILE__,
+            __LINE__,
+            nginx_conf_content,
+            server_regex,
+            "server {\n" + shared_config_directive
+        );
+
+        ofstream nginx_conf_file(central_nginx_conf_path);
+        if (!nginx_conf_file.is_open()) {
+            return genError("Could not open a temporary central NGINX configuration file");
+        }
+        nginx_conf_file << nginx_conf_content;
+        nginx_conf_file.close();
+
+        auto validation = NginxUtils::validateNginxConf(central_nginx_conf_path);
+        if (!validation.ok()) {
+            return genError("Could not validate central NGINX configuration file. Error: " + validation.getErr());
+        }
+
+        return {};
+    }
+
+    Maybe<void>
+    configureSyslog()
+    {
+        if (!getProfileAgentSettingWithDefault<bool>(false, "centralNginxManagement.syslogEnabled")) {
+            dbgTrace(D_NGINX_MANAGER) << "Syslog is disabled via settings";
+            return {};
+        }
+
+        string syslog_directive = "error_log syslog:server=127.0.0.1:1514 warn;";
+        auto load_shared_directive_result = loadSharedDirective(syslog_directive);
+        if (!load_shared_directive_result.ok()) {
+            return genError("Could not configure syslog directive, error: " + load_shared_directive_result.getErr());
+        }
+
+        return {};
+    }
+
+    Maybe<void>
+    saveBaseCentralNginxConf()
+    {
+        ofstream central_nginx_conf_base_file(central_nginx_conf_path + ".base");
+        if (!central_nginx_conf_base_file.is_open()) {
+            return genError("Could not open a temporary central NGINX configuration file");
+        }
+        central_nginx_conf_base_file << nginx_conf_content;
+        central_nginx_conf_base_file.close();
+
+        return {};
+    }
+
+    void
+    configureCentralNginx()
+    {
+        loadAttachmentModule();
+        auto save_base_nginx_conf = saveBaseCentralNginxConf();
+        if (!save_base_nginx_conf.ok()) {
+            dbgWarning(D_NGINX_MANAGER)
+                << "Could not save base NGINX configuration. Error: "
+                << save_base_nginx_conf.getErr();
+            return;
+        }
+
+        string nginx_conf_content_backup = nginx_conf_content;
+        auto shared_config_result = loadSharedConfig();
+        if (!shared_config_result.ok()) {
+            dbgWarning(D_NGINX_MANAGER)
+                << "Could not load shared configuration. Error: "
+                << shared_config_result.getErr();
+            nginx_conf_content = nginx_conf_content_backup;
+            return;
+        }
+
+        auto syslog_result = configureSyslog();
+        if (!syslog_result.ok()) {
+            dbgWarning(D_NGINX_MANAGER) << "Could not configure syslog. Error: " << syslog_result.getErr();
+        }
+    }
+
+    string file_id;
+    string file_name;
+    string nginx_conf_content;
+    string central_nginx_conf_path;
+    string shared_config_path;
+};
+
+class CentralNginxManager::Impl
+{
+public:
+    void
+    init()
+    {
+        dbgInfo(D_NGINX_MANAGER) << "Starting Central NGINX Manager";
+
+        string main_nginx_conf_path = NginxUtils::getMainNginxConfPath();
+        if (
+            NGEN::Filesystem::exists(main_nginx_conf_path)
+            && !NGEN::Filesystem::exists(main_nginx_conf_path + ".orig")
+        ) {
+            dbgInfo(D_NGINX_MANAGER) << "Creating a backup of the original main NGINX configuration file";
+            NGEN::Filesystem::copyFile(main_nginx_conf_path, main_nginx_conf_path + ".orig", true);
+        }
+
+        i_mainloop = Singleton::Consume<I_MainLoop>::by<CentralNginxManager>();
+        if (!lets_encrypt_listener.init()) {
+            dbgWarning(D_NGINX_MANAGER) << "Could not start Lets Encrypt Listener, scheduling retry";
+            i_mainloop->addOneTimeRoutine(
+                I_MainLoop::RoutineType::System,
+                [this] ()
+                {
+                    while(!lets_encrypt_listener.init()) {
+                        dbgWarning(D_NGINX_MANAGER) << "Could not start Lets Encrypt Listener, will retry";
+                        i_mainloop->yield(chrono::seconds(5));
+                    }
+                },
+                "Lets Encrypt Listener initializer",
+                false
+            );
+        }
+    }
+
+    void
+    loadPolicy()
+    {
+        auto central_nginx_config = getSetting<vector<CentralNginxConfig>>("centralNginxManagement");
+        if (!central_nginx_config.ok() || central_nginx_config.unpack().empty()) {
+            dbgWarning(D_NGINX_MANAGER)
+                << "Could not load Central NGINX Management settings. Error: "
+                << central_nginx_config.getErr();
+            return;
+        }
+
+        auto &config = central_nginx_config.unpack().front();
+        if (config.getFileContent().empty()) {
+            dbgWarning(D_NGINX_MANAGER) << "Empty NGINX configuration file";
+            return;
+        }
+
+        dbgTrace(D_NGINX_MANAGER)
+            << "Handling Central NGINX Management settings: "
+            << config.getFileId()
+            << ", "
+            << config.getFileName()
+            << ", "
+            << config.getFileContent();
+
+        string central_nginx_conf_path = config.getCentralNginxConfPath();
+        ofstream central_nginx_conf_file(central_nginx_conf_path);
+        if (!central_nginx_conf_file.is_open()) {
+            dbgWarning(D_NGINX_MANAGER)
+                << "Could not open central NGINX configuration file: "
+                << central_nginx_conf_path;
+            return;
+        }
+        central_nginx_conf_file << config.getFileContent();
+        central_nginx_conf_file.close();
+
+        auto validation_result = NginxUtils::validateNginxConf(central_nginx_conf_path);
+        if (!validation_result.ok()) {
+            dbgWarning(D_NGINX_MANAGER)
+                << "Could not validate central NGINX configuration file. Error: "
+                << validation_result.getErr();
+            logError(validation_result.getErr());
+            return;
+        }
+
+        dbgTrace(D_NGINX_MANAGER) << "Validated central NGINX configuration file";
+
+        auto reload_result = NginxUtils::reloadNginx(central_nginx_conf_path);
+        if (!reload_result.ok()) {
+            dbgWarning(D_NGINX_MANAGER)
+                << "Could not reload central NGINX configuration. Error: "
+                << reload_result.getErr();
+            logError("Could not reload central NGINX configuration. Error: " + reload_result.getErr());
+            return;
+        }
+
+        logInfo("Central NGINX configuration has been successfully reloaded");
+    }
+
+    void
+    fini()
+    {
+        string central_nginx_base_path = CentralNginxConfig::getCentralNginxConfPath() + ".base";
+        if (!NGEN::Filesystem::exists(central_nginx_base_path)) {
+            dbgWarning(D_NGINX_MANAGER) << "Could not find base NGINX configuration file: " << central_nginx_base_path;
+            return;
+        }
+
+        NginxUtils::reloadNginx(central_nginx_base_path);
+    }
+
+private:
+    void
+    logError(const string &error)
+    {
+        LogGen log(
+            error,
+            ReportIS::Level::ACTION,
+            ReportIS::Audience::SECURITY,
+            ReportIS::Severity::CRITICAL,
+            ReportIS::Priority::URGENT,
+            ReportIS::Tags::POLICY_INSTALLATION
+        );
+
+        log.addToOrigin(LogField("eventTopic", "Central NGINX Management"));
+        log << LogField("notificationId", "4165c3b1-e9bc-44c3-888b-863e204c1bfb");
+        log << LogField(
+            "eventRemediation",
+            "Please verify your NGINX configuration and enforce policy again. "
+            "Contact Check Point support if the issue persists."
+        );
+    }
+
+    void
+    logInfo(const string &info)
+    {
+        LogGen log(
+            info,
+            ReportIS::Level::ACTION,
+            ReportIS::Audience::SECURITY,
+            ReportIS::Severity::INFO,
+            ReportIS::Priority::LOW,
+            ReportIS::Tags::POLICY_INSTALLATION
+        );
+
+        log.addToOrigin(LogField("eventTopic", "Central NGINX Management"));
+        log << LogField("notificationId", "4165c3b1-e9bc-44c3-888b-863e204c1bfb");
+        log << LogField("eventRemediation", "No action required");
+    }
+
+    I_MainLoop *i_mainloop = nullptr;
+    LetsEncryptListener lets_encrypt_listener;
+};
+
+CentralNginxManager::CentralNginxManager()
+    :
+    Component("Central NGINX Manager"),
+    pimpl(make_unique<CentralNginxManager::Impl>()) {}
+
+CentralNginxManager::~CentralNginxManager() {}
+
+void
+CentralNginxManager::init()
+{
+    pimpl->init();
+}
+
+void
+CentralNginxManager::fini()
+{
+    pimpl->fini();
+}
+
+void
+CentralNginxManager::preload()
+{
+    registerExpectedSetting<vector<CentralNginxConfig>>("centralNginxManagement");
+    registerExpectedConfiguration<string>("Config Component", "configuration path");
+    registerConfigLoadCb([this]() { pimpl->loadPolicy(); });
+}

components/security_apps/central_nginx_manager/include/lets_encrypt_listener.h

@@ -0,0 +1,30 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __LETS_ENCRYPT_HANDLER_H__
+#define __LETS_ENCRYPT_HANDLER_H__
+
+#include <string>
+
+#include "maybe_res.h"
+
+class LetsEncryptListener
+{
+public:
+    bool init();
+
+private:
+    Maybe<std::string> getChallengeValue(const std::string &uri) const;
+};
+
+#endif // __LETS_ENCRYPT_HANDLER_H__

components/security_apps/central_nginx_manager/lets_encrypt_listener.cc

@@ -0,0 +1,76 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "lets_encrypt_listener.h"
+
+#include <string>
+
+#include "central_nginx_manager.h"
+#include "debug.h"
+
+using namespace std;
+
+USE_DEBUG_FLAG(D_NGINX_MANAGER);
+
+bool
+LetsEncryptListener::init()
+{
+    dbgInfo(D_NGINX_MANAGER) << "Starting Lets Encrypt Listener";
+    return Singleton::Consume<I_RestApi>::by<CentralNginxManager>()->addWildcardGetCall(
+        ".well-known/acme-challenge/",
+        [&] (const string &uri) -> string
+        {
+            Maybe<string> maybe_challenge_value = getChallengeValue(uri);
+            if (!maybe_challenge_value.ok()) {
+                dbgWarning(D_NGINX_MANAGER)
+                    << "Could not get challenge value for uri: "
+                    << uri
+                    << ", error: "
+                    << maybe_challenge_value.getErr();
+                return string{""};
+            };
+
+            dbgTrace(D_NGINX_MANAGER) << "Got challenge value: " << maybe_challenge_value.unpack();
+            return maybe_challenge_value.unpack();
+        }
+    );
+}
+
+Maybe<string>
+LetsEncryptListener::getChallengeValue(const string &uri) const
+{
+    string challenge_key = uri.substr(uri.find_last_of('/') + 1);
+    string api_query = "/api/lets-encrypt-challenge?http_challenge_key=" + challenge_key;
+
+    dbgInfo(D_NGINX_MANAGER) << "Getting challenge value via: " << api_query;
+
+    MessageMetadata md;
+    md.insertHeader("X-Tenant-Id", Singleton::Consume<I_AgentDetails>::by<CentralNginxManager>()->getTenantId());
+    Maybe<HTTPResponse, HTTPResponse> maybe_http_challenge_value =
+        Singleton::Consume<I_Messaging>::by<CentralNginxManager>()->sendSyncMessage(
+            HTTPMethod::GET,
+            api_query,
+            string("{}"),
+            MessageCategory::GENERIC,
+            md
+        );
+
+    if (!maybe_http_challenge_value.ok()) return genError(maybe_http_challenge_value.getErr().getBody());
+
+    string challenge_value = maybe_http_challenge_value.unpack().getBody();
+    if (!challenge_value.empty() && challenge_value.front() == '"' && challenge_value.back() == '"') {
+        challenge_value = challenge_value.substr(1, challenge_value.size() - 2);
+    }
+
+    return challenge_value;
+}

components/security_apps/http_geo_filter/http_geo_filter.cc

@@ -88,9 +88,18 @@ public:
             dbgWarning(D_GEO_FILTER) << "failed to get source ip from env";
             return EventVerdict(default_action);
         }
-
         auto source_ip = convertIpAddrToString(maybe_source_ip.unpack());
-        ip_set.insert(source_ip);
+
+        // saas profile setting
+        bool ignore_source_ip =
+            getProfileAgentSettingWithDefault<bool>(false, "agent.geoProtaction.ignoreSourceIP");
+        if (ignore_source_ip){
+            dbgDebug(D_GEO_FILTER) << "Geo protection ignoring source ip: " << source_ip;
+        } else {
+            dbgTrace(D_GEO_FILTER) << "Geo protection source ip: " << source_ip;
+            ip_set.insert(convertIpAddrToString(maybe_source_ip.unpack()));
+        }
+
 
         ngx_http_cp_verdict_e exception_verdict = getExceptionVerdict(ip_set);
         if (exception_verdict != ngx_http_cp_verdict_e::TRAFFIC_VERDICT_IRRELEVANT) {
@@ -327,6 +336,14 @@ private:
         ngx_http_cp_verdict_e verdict = ngx_http_cp_verdict_e::TRAFFIC_VERDICT_IRRELEVANT;
         I_GeoLocation *i_geo_location = Singleton::Consume<I_GeoLocation>::by<HttpGeoFilter>();
         EnumArray<I_GeoLocation::GeoLocationField, std::string> geo_location_data;
+        auto env = Singleton::Consume<I_Environment>::by<HttpGeoFilter>();
+        string source_id;
+        auto maybe_source_id = env->get<std::string>(HttpTransactionData::source_identifier);
+        if (!maybe_source_id.ok()) {
+            dbgTrace(D_GEO_FILTER) << "failed to get source identifier from env";
+        } else {
+            source_id = maybe_source_id.unpack();
+        }
 
         for (const std::string& source : sources) {
 
@@ -343,7 +360,7 @@ private:
 
             auto asset_location = i_geo_location->lookupLocation(maybe_source_ip.unpack());
             if (!asset_location.ok()) {
-                dbgWarning(D_GEO_FILTER) << "Lookup location failed for source: " <<
+                dbgDebug(D_GEO_FILTER) << "Lookup location failed for source: " <<
                 source <<
                 ", Error: " <<
                 asset_location.getErr();
@@ -358,11 +375,15 @@ private:
             << country_code
             << ", country name: "
             << country_name
-            << ", source ip address: "
-            << source;
+            << ", ip address: "
+            << source
+            << ", source identifier: "
+            << source_id;
+
 
             unordered_map<string, set<string>> exception_value_country_code = {
-                {"countryCode", {country_code}}
+                {"countryCode", {country_code}},
+                {"sourceIdentifier", {source_id}}
             };
             auto matched_behavior_maybe = getBehaviorsVerdict(exception_value_country_code, geo_location_data);
             if (matched_behavior_maybe.ok()) {
@@ -374,7 +395,8 @@ private:
             }
 
             unordered_map<string, set<string>> exception_value_country_name = {
-                {"countryName", {country_name}}
+                {"countryName", {country_name}},
+                {"sourceIdentifier", {source_id}}
             };
             matched_behavior_maybe = getBehaviorsVerdict(exception_value_country_name, geo_location_data);
             if (matched_behavior_maybe.ok()) {

components/security_apps/ips/include/ips_signatures.h

@@ -29,6 +29,8 @@
 #include "pm_hook.h"
 #include "i_generic_rulebase.h"
 
+#define DEFAULT_IPS_YIELD_COUNT 500
+
 /// \namespace IPSSignatureSubTypes
 /// \brief Namespace containing subtypes for IPS signatures.
 namespace IPSSignatureSubTypes
@@ -336,9 +338,23 @@ public:
         return metadata.getYear();
     }
 
+    bool
+    isOk() const
+    {
+        return is_loaded;
+    }
+
+    static void
+    setYieldCounter(int new_yield_cnt)
+    {
+        yield_on_load_cnt = new_yield_cnt;
+    }
+
 private:
     IPSSignatureMetaData metadata;
     std::shared_ptr<BaseSignature> rule;
+    bool is_loaded;
+    static int yield_on_load_cnt;
 };
 
 /// \class SignatureAndAction

components/security_apps/ips/ips_comp.cc

@@ -98,6 +98,7 @@ public:
         registerListener();
         table = Singleton::Consume<I_Table>::by<IPSComp>();
         env = Singleton::Consume<I_Environment>::by<IPSComp>();
+        updateSigsYieldCount();
     }
 
     void
@@ -307,6 +308,20 @@ public:
 
     EventVerdict respond (const EndTransactionEvent &) override { return ACCEPT; }
 
+    void
+    updateSigsYieldCount()
+    {
+        const char *ips_yield_env_str = getenv("CPNANO_IPS_LOAD_YIELD_CNT");
+        int ips_yield_default = DEFAULT_IPS_YIELD_COUNT;
+        if (ips_yield_env_str != nullptr) {
+            dbgDebug(D_IPS) << "CPNANO_IPS_LOAD_YIELD_CNT env variable is set to " << ips_yield_env_str;
+            ips_yield_default = atoi(ips_yield_env_str);
+        }
+        int yield_limit = getProfileAgentSettingWithDefault<int>(ips_yield_default, "ips.sigsYieldCnt");
+        dbgDebug(D_IPS) << "Setting IPS yield count to  " << yield_limit;
+        IPSSignatureSubTypes::CompleteSignature::setYieldCounter(yield_limit);
+    }
+
 private:
     static void setDrop(IPSEntry &state) { state.setDrop(); }
     static bool isDrop(const IPSEntry &state) { return state.isDrop(); }
@@ -373,6 +388,7 @@ IPSComp::preload()
     registerExpectedConfigFile("ips", Config::ConfigFileType::Policy);
     registerExpectedConfigFile("ips", Config::ConfigFileType::Data);
     registerExpectedConfigFile("snort", Config::ConfigFileType::Policy);
+    registerConfigLoadCb([this]() { pimpl->updateSigsYieldCount(); });
 
     ParameterException::preload();
 

components/security_apps/ips/ips_signatures.cc

@@ -45,6 +45,8 @@ static const map<string, IPSLevel> levels = {
     { "Very Low",    IPSLevel::VERY_LOW }
 };
 
+int CompleteSignature::yield_on_load_cnt = DEFAULT_IPS_YIELD_COUNT;
+
 static IPSLevel
 getLevel(const string &level_string, const string &attr_name)
 {
@@ -219,10 +221,37 @@ IPSSignatureMetaData::getYear() const
 void
 CompleteSignature::load(cereal::JSONInputArchive &ar)
 {
-    ar(cereal::make_nvp("protectionMetadata", metadata));
-    RuleDetection rule_detection(metadata.getName());
-    ar(cereal::make_nvp("detectionRules", rule_detection));
-    rule = rule_detection.getRule();
+    static int sigs_load_counter = 0;
+    static I_Environment *env = Singleton::Consume<I_Environment>::by<IPSComp>();
+    static bool post_init = false;
+
+    if (!post_init) {
+        auto routine_id = Singleton::Consume<I_MainLoop>::by<IPSComp>()->getCurrentRoutineId();
+        if (routine_id.ok()) {
+            post_init = true;
+            dbgInfo(D_IPS) << "Loading signatures post init, enabling yield with limit " << yield_on_load_cnt;
+        }
+    }
+
+    try {
+        ar(cereal::make_nvp("protectionMetadata", metadata));
+        RuleDetection rule_detection(metadata.getName());
+        ar(cereal::make_nvp("detectionRules", rule_detection));
+        rule = rule_detection.getRule();
+        is_loaded = true;
+    } catch (cereal::Exception &e) {
+        is_loaded = false;
+        dbgWarning(D_IPS) << "Failed to load signature: " << e.what();
+    }
+
+    if (post_init && (yield_on_load_cnt > 0) && (++sigs_load_counter == yield_on_load_cnt)) {
+        sigs_load_counter = 0;
+        auto maybe_is_async = env->get<bool>("Is Async Config Load");
+        if (maybe_is_async.ok() && *maybe_is_async == true) {
+            dbgTrace(D_IPS) << "Yielding after " << yield_on_load_cnt << " signatures";
+            Singleton::Consume<I_MainLoop>::by<IPSComp>()->yield(false);
+        }
+    }
 }
 
 MatchType
@@ -367,7 +396,16 @@ SignatureAndAction::matchSilent(const Buffer &sample) const
     if (method.ok()) log << LogField("httpMethod", method.unpack());
 
     auto path  = env->get<Buffer>("HTTP_PATH_DECODED");
-    if (path.ok()) log << LogField("httpUriPath", getSubString(path, 1536), LogFieldOption::XORANDB64);
+    if (path.ok()) {
+        log << LogField("httpUriPath", getSubString(path, 1536), LogFieldOption::XORANDB64);
+    } else {
+        auto transaction_path = env->get<string>(HttpTransactionData::uri_path_decoded);
+        if (transaction_path.ok()) {
+            auto uri_path = transaction_path.unpack();
+            auto question_mark = uri_path.find('?');
+            log << LogField("httpUriPath", uri_path.substr(0, question_mark), LogFieldOption::XORANDB64);
+        }
+    }
 
     auto req_header = ips_state.getTransactionData(IPSCommonTypes::requests_header_for_log);
     if (req_header.ok()) log << LogField("httpRequestHeaders", getSubString(req_header), LogFieldOption::XORANDB64);
@@ -485,13 +523,30 @@ SignatureAndAction::isMatchedPrevent(const Buffer &context_buffer, const set<PMP
     auto method = env->get<string>(HttpTransactionData::method_ctx);
     if (method.ok()) log << LogField("httpMethod", method.unpack());
     uint max_size = getConfigurationWithDefault<uint>(1536, "IPS", "Max Field Size");
-    auto path  = env->get<Buffer>("HTTP_PATH_DECODED");
-    if (path.ok() && trigger.isWebLogFieldActive(url_path)) {
-        log << LogField("httpUriPath", getSubString(path, max_size), LogFieldOption::XORANDB64);
+
+    if (trigger.isWebLogFieldActive(url_path)) {
+        auto path  = env->get<Buffer>("HTTP_PATH_DECODED");
+        if (path.ok()) {
+            log << LogField("httpUriPath", getSubString(path, max_size), LogFieldOption::XORANDB64);
+        } else {
+            auto transaction_path = env->get<string>(HttpTransactionData::uri_path_decoded);
+            if (transaction_path.ok()) {
+                auto uri_path = transaction_path.unpack();
+                auto question_mark = uri_path.find('?');
+                log << LogField("httpUriPath", uri_path.substr(0, question_mark), LogFieldOption::XORANDB64);
+            }
+        }
     }
-    auto query = env->get<Buffer>("HTTP_QUERY_DECODED");
-    if (query.ok() && trigger.isWebLogFieldActive(url_query)) {
-        log << LogField("httpUriQuery", getSubString(query, max_size), LogFieldOption::XORANDB64);
+    if (trigger.isWebLogFieldActive(url_query)) {
+        auto query = env->get<Buffer>("HTTP_QUERY_DECODED");
+        if (query.ok()) {
+            log << LogField("httpUriQuery", getSubString(query, max_size), LogFieldOption::XORANDB64);
+        } else {
+            auto transaction_query = env->get<string>(HttpTransactionData::uri_query_decoded);
+            if (transaction_query.ok()) {
+                log << LogField("httpUriQuery", transaction_query.unpack());
+            }
+        }
     }
 
     auto res_code = env->get<Buffer>("HTTP_RESPONSE_CODE");
@@ -533,7 +588,9 @@ IPSSignaturesResource::load(cereal::JSONInputArchive &ar)
 
     all_signatures.reserve(sigs.size());
     for (auto &sig : sigs) {
-        all_signatures.emplace_back(make_shared<CompleteSignature>(move(sig)));
+        if (sig.isOk()) {
+            all_signatures.emplace_back(make_shared<CompleteSignature>(move(sig)));
+        }
     }
 }
 

components/security_apps/ips/ips_ut/component_ut.cc

@@ -29,6 +29,8 @@ public:
     {
         comp.preload();
         comp.init();
+        auto err = genError("not coroutine");
+        EXPECT_CALL(mainloop, getCurrentRoutineId()).WillRepeatedly(Return(Maybe<I_MainLoop::RoutineID>(err)));
     }
 
     ~ComponentTest()

components/security_apps/ips/ips_ut/entry_ut.cc

@@ -41,6 +41,8 @@ public:
     EntryTest()
     {
         ON_CALL(table, getState(_)).WillByDefault(Return(ptr));
+        auto err = genError("not coroutine");
+        EXPECT_CALL(mock_mainloop, getCurrentRoutineId()).WillRepeatedly(Return(Maybe<I_MainLoop::RoutineID>(err)));
     }
 
     void

components/security_apps/ips/ips_ut/resource_ut.cc

@@ -2,6 +2,7 @@
 #include "cptest.h"
 #include "environment.h"
 #include "config_component.h"
+#include "mock/mock_mainloop.h"
 
 using namespace std;
 using namespace testing;
@@ -61,6 +62,9 @@ TEST(resources, basic_resource)
 {
     ConfigComponent conf;
     ::Environment env;
+    NiceMock<MockMainLoop> mock_mainloop;
+    auto err = genError("not coroutine");
+    EXPECT_CALL(mock_mainloop, getCurrentRoutineId()).WillRepeatedly(Return(Maybe<I_MainLoop::RoutineID>(err)));
 
     conf.preload();
 

components/security_apps/ips/ips_ut/signatures_ut.cc

@@ -60,7 +60,12 @@ public:
     {
         IPSHelper::has_deobfuscation = true;
         generic_rulebase.preload();
+        env.preload();
+        env.init();
+
         EXPECT_CALL(logs, getCurrentLogId()).Times(AnyNumber());
+        auto err = genError("not coroutine");
+        EXPECT_CALL(mock_mainloop, getCurrentRoutineId()).WillRepeatedly(Return(Maybe<I_MainLoop::RoutineID>(err)));
         ON_CALL(table, getState(_)).WillByDefault(Return(&ips_state));
         {
             stringstream ss;
@@ -104,6 +109,12 @@ public:
             cereal::JSONInputArchive ar(ss);
             high_medium_confidance_signatures.load(ar);
         }
+        {
+            stringstream ss;
+            ss << "[" << signature_performance_high << ", " << signature_broken << "]";
+            cereal::JSONInputArchive ar(ss);
+            single_broken_signature.load(ar);
+        }
     }
 
     ~SignatureTest()
@@ -117,9 +128,6 @@ public:
     void
     loadExceptions()
     {
-        env.preload();
-        env.init();
-
         BasicRuleConfig::preload();
         registerExpectedConfiguration<ParameterException>("rulebase", "exception");
 
@@ -189,6 +197,7 @@ public:
     void
     load(const IPSSignaturesResource &policy, const string &severity, const string &confidence)
     {
+        Singleton::Consume<I_Environment>::from(env)->registerValue<bool>("Is Async Config Load", false);
         setResource(policy, "IPS", "protections");
         stringstream ss;
         ss << "{";
@@ -250,6 +259,7 @@ public:
     IPSSignaturesResource performance_signatures1;
     IPSSignaturesResource performance_signatures2;
     IPSSignaturesResource performance_signatures3;
+    IPSSignaturesResource single_broken_signature;
     NiceMock<MockTable> table;
     MockAgg mock_agg;
 
@@ -483,6 +493,26 @@ private:
                 "\"context\": [\"HTTP_REQUEST_BODY\", \"HTTP_RESPONSE_BODY\"]"
             "}"
         "}";
+
+    string signature_broken =
+    "{"
+        "\"protectionMetadata\": {"
+            "\"protectionName\": \"BrokenTest\","
+            "\"maintrainId\": \"101\","
+            "\"severity\": \"Medium High\","
+            "\"confidenceLevel\": \"Low\","
+            "\"performanceImpact\": \"High\","
+            "\"lastUpdate\": \"20210420\","
+            "\"tags\": [],"
+            "\"cveList\": []"
+        "},"
+        "\"detectionRules\": {"
+            "\"type\": \"simple\","
+            "\"SSM\": \"\","
+            "\"keywosrds\": \"data: \\\"www\\\";\","
+            "\"context\": [\"HTTP_REQUEST_BODY\", \"HTTP_RESPONSE_BODY\"]"
+        "}"
+    "}";
 };
 
 TEST_F(SignatureTest, basic_load_of_signatures)
@@ -665,3 +695,14 @@ TEST_F(SignatureTest, high_confidance_signatures_matching)
     expectLog("\"protectionId\": \"Test4\"", "\"matchedSignatureConfidence\": \"Medium\"");
     EXPECT_FALSE(checkData("mmm"));
 }
+
+TEST_F(SignatureTest, broken_signature)
+{
+    load(single_broken_signature, "Low or above", "Low");
+    EXPECT_FALSE(checkData("ggg"));
+
+    expectLog("\"matchedSignaturePerformance\": \"High\"");
+    EXPECT_TRUE(checkData("fff"));
+
+    EXPECT_FALSE(checkData("www"));
+}

components/security_apps/layer_7_access_control/layer_7_access_control.cc

@@ -131,8 +131,12 @@ public:
     EventVerdict
     respond(const WaitTransactionEvent &) override
     {
-        dbgFlow(D_L7_ACCESS_CONTROL) << "Handling wait verdict";
+        if (!isAppEnabled()) {
+            dbgTrace(D_L7_ACCESS_CONTROL) << "Returning Accept verdict as the Layer-7 Access Control app is disabled";
+            return ngx_http_cp_verdict_e::TRAFFIC_VERDICT_ACCEPT;
+        }
 
+        dbgTrace(D_L7_ACCESS_CONTROL) << "Handling wait verdict";
         return handleEvent();
     }
 

components/security_apps/local_policy_mgmt_gen/CMakeLists.txt

@@ -22,4 +22,5 @@ add_library(local_policy_mgmt_gen
     access_control_practice.cc
     configmaps.cc
     reverse_proxy_section.cc
+    policy_activation_data.cc
 )

components/security_apps/local_policy_mgmt_gen/access_control_practice.cc

@@ -228,7 +228,11 @@ AccessControlPracticeSpec::load(cereal::JSONInputArchive &archive_in)
     dbgTrace(D_LOCAL_POLICY) << "Loading AppSec practice spec";
 
     parseAppsecJSONKey<string>("name", practice_name, archive_in);
-    parseAppsecJSONKey<string>("practiceMode", mode, archive_in);
+    parseAppsecJSONKey<string>("practiceMode", mode, archive_in, "inherited");
+    if (valid_modes.count(mode) == 0) {
+        dbgWarning(D_LOCAL_POLICY) << "AppSec Access control practice mode invalid: " << mode;
+        throw PolicyGenException("AppSec Access control practice mode invalid: " + mode);
+    }
     parseAppsecJSONKey<string>("appsecClassName", appsec_class_name, archive_in);
     parseMandatoryAppsecJSONKey<AccessControlRateLimit>("rateLimit", rate_limit, archive_in);
 }

components/security_apps/local_policy_mgmt_gen/appsec_practice_section.cc

@@ -438,19 +438,30 @@ WebAppSection::WebAppSection(
     csrf_protection_mode("Disabled"),
     open_redirect_mode("Disabled"),
     error_disclosure_mode("Disabled"),
+    schema_validation_mode("Disabled"),
+    schema_validation_enforce_level("fullSchema"),
     practice_advanced_config(parsed_appsec_spec),
     anti_bots(parsed_appsec_spec.getAntiBot()),
     trusted_sources({ parsed_trusted_sources })
 {
+    auto mitigation_sevirity = parsed_appsec_spec.getWebAttacks().getMinimumConfidence();
+    if (key_to_mitigation_severity.find(mitigation_sevirity) == key_to_mitigation_severity.end()) {
+        dbgWarning(D_LOCAL_POLICY)
+        << "web attack mitigation severity invalid: "
+        << mitigation_sevirity;
+        throw PolicyGenException("web attack mitigation severity invalid: " + mitigation_sevirity);
+    } else {
+        web_attack_mitigation_severity = key_to_mitigation_severity.at(mitigation_sevirity);
+    }
     web_attack_mitigation = web_attack_mitigation_mode != "Disabled";
     web_attack_mitigation_severity =
         web_attack_mitigation_mode != "Prevent" ? "Transparent" :
-        parsed_appsec_spec.getWebAttacks().getMinimumConfidence();
+        web_attack_mitigation_severity;
     web_attack_mitigation_action =
         web_attack_mitigation_mode != "Prevent" ? "Transparent" :
-        web_attack_mitigation_severity == "critical" ? "low" :
-        web_attack_mitigation_severity == "high" ? "balanced" :
-        web_attack_mitigation_severity == "medium" ? "high" :
+        web_attack_mitigation_severity == "Critical" ? "Low" :
+        web_attack_mitigation_severity == "High" ? "Balanced" :
+        web_attack_mitigation_severity == "Medium" ? "High" :
         "Error";
 
     triggers.push_back(TriggersInWaapSection(parsed_log_trigger));
@@ -479,11 +490,15 @@ WebAppSection::WebAppSection(
     const string &_web_attack_mitigation_severity,
     const string &_web_attack_mitigation_mode,
     const string &_bot_protection,
+    const string &_schema_validation_mode,
+    const string &_schema_validation_enforce_level,
+    const vector<string> &_schema_validation_oas,
     const PracticeAdvancedConfig &_practice_advanced_config,
     const AppsecPracticeAntiBotSection &_anti_bots,
     const LogTriggerSection &parsed_log_trigger,
     const AppSecTrustedSources &parsed_trusted_sources,
-    const NewAppSecWebAttackProtections &protections)
+    const NewAppSecWebAttackProtections &protections,
+    const vector<InnerException> &exceptions)
     :
     application_urls(_application_urls),
     asset_id(_asset_id),
@@ -493,19 +508,29 @@ WebAppSection::WebAppSection(
     practice_id(_practice_id),
     practice_name(_practice_name),
     context(_context),
-    web_attack_mitigation_severity(_web_attack_mitigation_severity),
     web_attack_mitigation_mode(_web_attack_mitigation_mode),
     bot_protection(_bot_protection),
+    schema_validation_mode(_schema_validation_mode),
+    schema_validation_enforce_level(_schema_validation_enforce_level),
+    schema_validation_oas(_schema_validation_oas),
     practice_advanced_config(_practice_advanced_config),
     anti_bots(_anti_bots),
     trusted_sources({ parsed_trusted_sources })
 {
+    if (key_to_mitigation_severity.find(_web_attack_mitigation_severity) == key_to_mitigation_severity.end()) {
+        dbgWarning(D_LOCAL_POLICY)
+        << "web attack mitigation severity invalid: "
+        << _web_attack_mitigation_severity;
+        throw PolicyGenException("web attack mitigation severity invalid: " + _web_attack_mitigation_severity);
+    } else {
+        web_attack_mitigation_severity = key_to_mitigation_severity.at(_web_attack_mitigation_severity);
+    }
     web_attack_mitigation = web_attack_mitigation_mode != "Disabled";
     web_attack_mitigation_action =
         web_attack_mitigation_mode != "Prevent" ? "Transparent" :
-        web_attack_mitigation_severity == "critical" ? "low" :
-        web_attack_mitigation_severity == "high" ? "balanced" :
-        web_attack_mitigation_severity == "medium" ? "high" :
+        web_attack_mitigation_severity == "Critical" ? "Low" :
+        web_attack_mitigation_severity == "High" ? "Balanced" :
+        web_attack_mitigation_severity == "Medium" ? "High" :
         "Error";
 
     csrf_protection_mode = protections.getCsrfProtectionMode(_web_attack_mitigation_mode);
@@ -516,6 +541,11 @@ WebAppSection::WebAppSection(
     for (const SourcesIdentifiers &source_ident : parsed_trusted_sources.getSourcesIdentifiers()) {
         overrides.push_back(AppSecOverride(source_ident));
     }
+
+    for (const auto &exception : exceptions) {
+        overrides.push_back(AppSecOverride(exception));
+    }
+
 }
 
 // LCOV_EXCL_STOP
@@ -523,35 +553,35 @@ WebAppSection::WebAppSection(
 void
 WebAppSection::save(cereal::JSONOutputArchive &out_ar) const
 {
-    string disabled_str = "Disabled";
     vector<string> empty_list;
     out_ar(
-        cereal::make_nvp("context",                     context),
-        cereal::make_nvp("webAttackMitigation",         web_attack_mitigation),
-        cereal::make_nvp("webAttackMitigationSeverity", web_attack_mitigation_severity),
-        cereal::make_nvp("webAttackMitigationAction",   web_attack_mitigation_action),
-        cereal::make_nvp("webAttackMitigationMode",     web_attack_mitigation_mode),
-        cereal::make_nvp("practiceAdvancedConfig",      practice_advanced_config),
-        cereal::make_nvp("csrfProtection",              csrf_protection_mode),
-        cereal::make_nvp("openRedirect",                open_redirect_mode),
-        cereal::make_nvp("errorDisclosure",             error_disclosure_mode),
-        cereal::make_nvp("practiceId",                  practice_id),
-        cereal::make_nvp("practiceName",                practice_name),
-        cereal::make_nvp("assetId",                     asset_id),
-        cereal::make_nvp("assetName",                   asset_name),
-        cereal::make_nvp("ruleId",                      rule_id),
-        cereal::make_nvp("ruleName",                    rule_name),
-        cereal::make_nvp("schemaValidation",               false),
-        cereal::make_nvp("schemaValidation_v2",            disabled_str),
-        cereal::make_nvp("oas",                            empty_list),
-        cereal::make_nvp("triggers",                    triggers),
-        cereal::make_nvp("applicationUrls",             application_urls),
-        cereal::make_nvp("overrides",                   overrides),
-        cereal::make_nvp("trustedSources",              trusted_sources),
-        cereal::make_nvp("waapParameters",              empty_list),
-        cereal::make_nvp("botProtection",               false),
-        cereal::make_nvp("antiBot",                     anti_bots),
-        cereal::make_nvp("botProtection_v2",            bot_protection != "" ? bot_protection : string("Detect"))
+        cereal::make_nvp("context",                         context),
+        cereal::make_nvp("webAttackMitigation",             web_attack_mitigation),
+        cereal::make_nvp("webAttackMitigationSeverity",     web_attack_mitigation_severity),
+        cereal::make_nvp("webAttackMitigationAction",       web_attack_mitigation_action),
+        cereal::make_nvp("webAttackMitigationMode",         web_attack_mitigation_mode),
+        cereal::make_nvp("practiceAdvancedConfig",          practice_advanced_config),
+        cereal::make_nvp("csrfProtection",                  csrf_protection_mode),
+        cereal::make_nvp("openRedirect",                    open_redirect_mode),
+        cereal::make_nvp("errorDisclosure",                 error_disclosure_mode),
+        cereal::make_nvp("practiceId",                      practice_id),
+        cereal::make_nvp("practiceName",                    practice_name),
+        cereal::make_nvp("assetId",                         asset_id),
+        cereal::make_nvp("assetName",                       asset_name),
+        cereal::make_nvp("ruleId",                          rule_id),
+        cereal::make_nvp("ruleName",                        rule_name),
+        cereal::make_nvp("schemaValidation",                schema_validation_mode == "Prevent"),
+        cereal::make_nvp("schemaValidation_v2",             schema_validation_mode),
+        cereal::make_nvp("oas",                             schema_validation_oas),
+        cereal::make_nvp("schemaValidationEnforceLevel",    schema_validation_enforce_level),
+        cereal::make_nvp("triggers",                        triggers),
+        cereal::make_nvp("applicationUrls",                 application_urls),
+        cereal::make_nvp("overrides",                       overrides),
+        cereal::make_nvp("trustedSources",                  trusted_sources),
+        cereal::make_nvp("waapParameters",                  empty_list),
+        cereal::make_nvp("botProtection",                   false),
+        cereal::make_nvp("antiBot",                         anti_bots),
+        cereal::make_nvp("botProtection_v2",                bot_protection != "" ? bot_protection : string("Detect"))
     );
 }
 

components/security_apps/local_policy_mgmt_gen/include/appsec_practice_section.h

@@ -291,38 +291,45 @@ public:
         const std::string &_web_attack_mitigation_severity,
         const std::string &_web_attack_mitigation_mode,
         const std::string &_bot_protection,
+        const std::string &schema_validation_mode,
+        const std::string &schema_validation_enforce_level,
+        const std::vector<std::string> &schema_validation_oas,
         const PracticeAdvancedConfig &_practice_advanced_config,
         const AppsecPracticeAntiBotSection &_anti_bots,
         const LogTriggerSection &parsed_log_trigger,
         const AppSecTrustedSources &parsed_trusted_sources,
-        const NewAppSecWebAttackProtections &protections);
+        const NewAppSecWebAttackProtections &protections,
+        const std::vector<InnerException> &exceptions);
 
     void save(cereal::JSONOutputArchive &out_ar) const;
 
     bool operator< (const WebAppSection &other) const;
 
 private:
-    std::string application_urls;
-    std::string asset_id;
-    std::string asset_name;
-    std::string rule_id;
-    std::string rule_name;
-    std::string practice_id;
-    std::string practice_name;
-    std::string context;
-    std::string web_attack_mitigation_action;
-    std::string web_attack_mitigation_severity;
-    std::string web_attack_mitigation_mode;
-    std::string csrf_protection_mode;
-    std::string open_redirect_mode;
-    std::string error_disclosure_mode;
-    std::string bot_protection;
-    bool web_attack_mitigation;
-    std::vector<TriggersInWaapSection> triggers;
-    PracticeAdvancedConfig practice_advanced_config;
-    AppsecPracticeAntiBotSection anti_bots;
-    std::vector<AppSecTrustedSources> trusted_sources;
-    std::vector<AppSecOverride> overrides;
+    bool                                    web_attack_mitigation;
+    std::string                             application_urls;
+    std::string                             asset_id;
+    std::string                             asset_name;
+    std::string                             rule_id;
+    std::string                             rule_name;
+    std::string                             practice_id;
+    std::string                             practice_name;
+    std::string                             context;
+    std::string                             web_attack_mitigation_action;
+    std::string                             web_attack_mitigation_severity;
+    std::string                             web_attack_mitigation_mode;
+    std::string                             csrf_protection_mode;
+    std::string                             open_redirect_mode;
+    std::string                             error_disclosure_mode;
+    std::string                             bot_protection;
+    std::string                             schema_validation_mode;
+    std::string                             schema_validation_enforce_level;
+    std::vector<std::string>                schema_validation_oas;
+    PracticeAdvancedConfig                  practice_advanced_config;
+    AppsecPracticeAntiBotSection            anti_bots;
+    std::vector<AppSecOverride>             overrides;
+    std::vector<AppSecTrustedSources>       trusted_sources;
+    std::vector<TriggersInWaapSection>      triggers;
 };
 
 class WebAPISection
@@ -410,7 +417,7 @@ class ParsedRule
 {
 public:
     ParsedRule() {}
-    ParsedRule(const std::string &_host) : host(_host) {}
+    ParsedRule(const std::string &_host, const std::string &_mode) : host(_host), mode(_mode) {}
 
     void load(cereal::JSONInputArchive &archive_in);
     const std::vector<std::string> & getExceptions() const;

components/security_apps/local_policy_mgmt_gen/include/k8s_policy_utils.h

@@ -24,6 +24,7 @@
 #include "maybe_res.h"
 #include "i_orchestration_tools.h"
 #include "i_shell_cmd.h"
+#include "i_encryptor.h"
 #include "i_messaging.h"
 #include "i_env_details.h"
 #include "i_agent_details.h"
@@ -40,13 +41,14 @@ class K8sPolicyUtils
     Singleton::Consume<I_Messaging>,
     Singleton::Consume<I_ShellCmd>,
     Singleton::Consume<I_EnvDetails>,
+    Singleton::Consume<I_Encryptor>,
     Singleton::Consume<I_AgentDetails>
 {
 public:
     void init();
 
     std::tuple<std::map<std::string, AppsecLinuxPolicy>, std::map<std::string, V1beta2AppsecLinuxPolicy>>
-    createAppsecPoliciesFromIngresses();
+    createAppsecPolicies();
     void getClusterId() const;
 
 private:
@@ -80,6 +82,8 @@ private:
 
     void createSnortFile(std::vector<NewAppSecPracticeSpec> &practices) const;
 
+    void createSchemaValidationOas(std::vector<NewAppSecPracticeSpec> &practices) const;
+
     template<class T>
     std::vector<T> extractV1Beta2ElementsFromCluster(
         const std::string &crd_plural,
@@ -97,12 +101,18 @@ private:
     ) const;
 
     template<class T, class K>
-    void createPolicy(
+    void createPolicyFromIngress(
         T &appsec_policy,
         std::map<std::string, T> &policies,
         std::map<AnnotationKeys, std::string> &annotations_values,
         const SingleIngressData &item) const;
 
+    template<class T, class K>
+    void createPolicyFromActivation(
+        T &appsec_policy,
+        std::map<std::string, T> &policies,
+        const EnabledPolicy &policy) const;
+
     std::tuple<Maybe<AppsecLinuxPolicy>, Maybe<V1beta2AppsecLinuxPolicy>> createAppsecPolicyK8s(
         const std::string &policy_name,
         const std::string &ingress_mode
@@ -112,6 +122,7 @@ private:
     I_Messaging* messaging = nullptr;
     EnvType env_type;
     std::string token;
+    std::string agent_ns;
 };
 
 #endif // __K8S_POLICY_UTILS_H__

components/security_apps/local_policy_mgmt_gen/include/local_policy_common.h

@@ -49,6 +49,13 @@ static const std::unordered_map<std::string, TriggerType> string_to_trigger_type
     { "WebUserResponse", TriggerType::WebUserResponse }
 };
 
+static const std::unordered_map<std::string, std::string> key_to_mitigation_severity = {
+    { "high", "High"},
+    { "medium", "Medium"},
+    { "critical", "Critical"},
+    { "Transparent", "Transparent"}
+};
+
 static const std::unordered_map<std::string, std::string> key_to_practices_val = {
     { "prevent-learn", "Prevent"},
     { "detect-learn", "Learn"},
@@ -57,6 +64,14 @@ static const std::unordered_map<std::string, std::string> key_to_practices_val =
     { "inactive", "Inactive"}
 };
 
+static const std::unordered_map<std::string, std::string> key_to_practices_mode_val = {
+    { "prevent-learn", "Prevent"},
+    { "detect-learn", "Detect"},
+    { "prevent", "Prevent"},
+    { "detect", "Detect"},
+    { "inactive", "Disabled"}
+};
+
 static const std::unordered_map<std::string, std::string> key_to_practices_val2 = {
     { "prevent-learn", "Prevent"},
     { "detect-learn", "Learn"},
@@ -66,6 +81,8 @@ static const std::unordered_map<std::string, std::string> key_to_practices_val2
 };
 
 static const std::string default_appsec_url = "http://*:*";
+static const std::string default_appsec_name = "Any";
+
 
 class PolicyGenException : public std::exception
 {
@@ -153,6 +170,7 @@ public:
         ss.str(modified_json);
         try {
             cereal::JSONInputArchive in_ar(ss);
+            in_ar(cereal::make_nvp("apiVersion", api_version));
             in_ar(cereal::make_nvp("spec", spec));
             in_ar(cereal::make_nvp("metadata", meta_data));
         } catch (cereal::Exception &e) {
@@ -174,11 +192,18 @@ public:
         return meta_data;
     }
 
+    const std::string &
+    getApiVersion() const
+    {
+        return api_version;
+    }
+
     const T & getSpec() const { return spec; }
 
 private:
     T spec;
     AppsecSpecParserMetaData meta_data;
+    std::string api_version;
 };
 
 #endif // __LOCAL_POLICY_COMMON_H__

components/security_apps/local_policy_mgmt_gen/include/new_appsec_policy_crd_parser.h

@@ -31,7 +31,7 @@ class NewParsedRule
 {
 public:
     NewParsedRule() {}
-    NewParsedRule(const std::string &_host) : host(_host) {}
+    NewParsedRule(const std::string &_host, const std::string &_mode) : host(_host), mode(_mode) {}
 
     void load(cereal::JSONInputArchive &archive_in);
 

components/security_apps/local_policy_mgmt_gen/include/new_practice.h

@@ -23,6 +23,8 @@
 #include "config.h"
 #include "debug.h"
 #include "local_policy_common.h"
+#include "i_orchestration_tools.h"
+#include "i_encryptor.h"
 
 bool isModeInherited(const std::string &mode);
 
@@ -88,6 +90,8 @@ public:
 
     void save(cereal::JSONOutputArchive &out_ar) const;
 
+    bool operator<(const IpsProtectionsSection &other) const;
+
 private:
     std::string                                 context;
     std::string                                 name;
@@ -105,7 +109,7 @@ public:
     // LCOV_EXCL_START Reason: no test exist
     IPSSection() {};
 
-    IPSSection(const std::vector<IpsProtectionsSection> &_ips) : ips(_ips) {};
+    IPSSection(const std::vector<IpsProtectionsSection> &_ips);
     // LCOV_EXCL_STOP
 
     void save(cereal::JSONOutputArchive &out_ar) const;
@@ -138,6 +142,12 @@ public:
     const std::string & getMode(const std::string &default_mode = "inactive") const;
 
 private:
+
+    const std::string & getRulesMode(
+        const std::string &mode,
+        const std::string &default_mode = "inactive"
+    ) const;
+
     std::string override_mode;
     std::string max_performance_impact;
     std::string min_severity_level;
@@ -487,15 +497,16 @@ private:
     SnortSection snort;
 };
 
-class NewSnortSignaturesAndOpenSchemaAPI
+class NewSnortSignatures
 {
 public:
-    NewSnortSignaturesAndOpenSchemaAPI() : is_temporary(false) {};
+    NewSnortSignatures() : is_temporary(false) {};
 
     void load(cereal::JSONInputArchive &archive_in);
 
     void addFile(const std::string &file_name);
     const std::string & getOverrideMode(const std::string &default_mode = "inactive") const;
+    const std::string & getEnforceLevel() const;
     const std::vector<std::string> & getConfigMap() const;
     const std::vector<std::string> & getFiles() const;
     bool isTemporary() const;
@@ -503,17 +514,40 @@ public:
 
 private:
     std::string override_mode;
+    std::string enforcement_level;
     std::vector<std::string> config_map;
     std::vector<std::string> files;
     bool is_temporary;
 };
 
+class NewOpenApiSchema : Singleton::Consume<I_OrchestrationTools>, Singleton::Consume<I_Encryptor>
+{
+public:
+    NewOpenApiSchema() {};
+
+    void load(cereal::JSONInputArchive &archive_in);
+
+    void addOas(const std::string &file);
+    const std::string & getOverrideMode(const std::string &default_mode = "inactive") const;
+    const std::string & getEnforceLevel() const;
+    const std::vector<std::string> & getConfigMap() const;
+    const std::vector<std::string> & getFiles() const;
+    const std::vector<std::string> & getOas() const;
+
+private:
+    std::string override_mode;
+    std::string enforcement_level;
+    std::vector<std::string> config_map;
+    std::vector<std::string> files;
+    std::vector<std::string> oas;
+};
+
 class NewAppSecPracticeAntiBot
 {
 public:
     const std::vector<std::string> & getIjectedUris() const;
     const std::vector<std::string> & getValidatedUris() const;
-    const std::string & getMode() const;
+    const std::string & getMode(const std::string &default_mode = "inactive") const;
 
     void load(cereal::JSONInputArchive &archive_in);
     void save(cereal::JSONOutputArchive &out_ar) const;
@@ -569,8 +603,8 @@ class NewAppSecPracticeSpec
 public:
     void load(cereal::JSONInputArchive &archive_in);
 
-    NewSnortSignaturesAndOpenSchemaAPI & getSnortSignatures();
-    const NewSnortSignaturesAndOpenSchemaAPI & getOpenSchemaValidation() const;
+    NewSnortSignatures & getSnortSignatures();
+    NewOpenApiSchema & getOpenSchemaValidation();
     const NewAppSecPracticeWebAttacks & getWebAttacks() const;
     const NewAppSecPracticeAntiBot & getAntiBot() const;
     const NewIntrusionPrevention & getIntrusionPrevention() const;
@@ -583,8 +617,8 @@ public:
 private:
     NewFileSecurity                             file_security;
     NewIntrusionPrevention                      intrusion_prevention;
-    NewSnortSignaturesAndOpenSchemaAPI          openapi_schema_validation;
-    NewSnortSignaturesAndOpenSchemaAPI          snort_signatures;
+    NewOpenApiSchema                            openapi_schema_validation;
+    NewSnortSignatures                          snort_signatures;
     NewAppSecPracticeWebAttacks                 web_attacks;
     NewAppSecPracticeAntiBot                    anti_bot;
     std::string                                 appsec_class_name;

components/security_apps/local_policy_mgmt_gen/include/policy_activation_data.h

@@ -0,0 +1,89 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef __POLICY_ACTIVATION_DATA_H__
+#define __POLICY_ACTIVATION_DATA_H__
+
+#include <vector>
+#include <map>
+
+#include "config.h"
+#include "debug.h"
+#include "rest.h"
+#include "cereal/archives/json.hpp"
+#include <cereal/types/map.hpp>
+#include "customized_cereal_map.h"
+
+#include "local_policy_common.h"
+
+class PolicyActivationMetadata
+{
+public:
+    void load(cereal::JSONInputArchive &archive_in);
+
+private:
+    std::string name;
+};
+
+class EnabledPolicy
+{
+public:
+    void load(cereal::JSONInputArchive &archive_in);
+
+    const std::string & getName() const;
+    const std::vector<std::string> & getHosts() const;
+
+private:
+    std::string name;
+    std::vector<std::string> hosts;
+};
+
+class PolicyActivationSpec
+{
+public:
+    void load(cereal::JSONInputArchive &archive_in);
+
+    const std::vector<EnabledPolicy> & getPolicies() const;
+
+private:
+    std::string appsec_class_name;
+    std::vector<EnabledPolicy> policies;
+};
+
+class SinglePolicyActivationData
+{
+public:
+    void load(cereal::JSONInputArchive &archive_in);
+
+    const PolicyActivationSpec & getSpec() const;
+
+private:
+    std::string api_version;
+    std::string kind;
+    PolicyActivationMetadata metadata;
+    PolicyActivationSpec spec;
+};
+
+class PolicyActivationData : public ClientRest
+{
+public:
+    bool loadJson(const std::string &json);
+
+    const std::vector<SinglePolicyActivationData> & getItems() const;
+
+private:
+    std::string api_version;
+    std::vector<SinglePolicyActivationData> items;
+};
+
+#endif // __POLICY_ACTIVATION_DATA_H__

components/security_apps/local_policy_mgmt_gen/include/policy_maker_utils.h

@@ -32,6 +32,7 @@
 #include "i_messaging.h"
 #include "appsec_practice_section.h"
 #include "ingress_data.h"
+#include "policy_activation_data.h"
 #include "settings_section.h"
 #include "triggers_section.h"
 #include "local_policy_common.h"
@@ -205,7 +206,8 @@ private:
         const RulesConfigRulebase& rule_config,
         const std::string &practice_id, const std::string &full_url,
         const std::string &default_mode,
-        std::map<AnnotationTypes, std::string> &rule_annotations
+        std::map<AnnotationTypes, std::string> &rule_annotations,
+        std::vector<InnerException>
     );
 
     void

components/security_apps/local_policy_mgmt_gen/include/rules_config_section.h

@@ -123,6 +123,7 @@ public:
     );
 
     const std::string & getIdentifier() const;
+    const std::string & getIdentifierValue() const;
 
     void save(cereal::JSONOutputArchive &out_ar) const;
 
@@ -145,6 +146,7 @@ public:
     );
 
     const std::string & getIdentifier() const;
+    const std::string & getIdentifierValue() const;
 
     void save(cereal::JSONOutputArchive &out_ar) const;
 

components/security_apps/local_policy_mgmt_gen/k8s_policy_utils.cc

@@ -35,6 +35,14 @@ convertAnnotationKeysTostring(const AnnotationKeys &key)
     }
 }
 
+string
+getAppSecScopeType()
+{
+    auto env_res = getenv("CRDS_SCOPE");
+    if (env_res != nullptr) return env_res;
+    return "cluster";
+}
+
 void
 K8sPolicyUtils::init()
 {
@@ -42,6 +50,7 @@ K8sPolicyUtils::init()
     env_type = env_details->getEnvType();
     if (env_type == EnvType::K8S) {
         token = env_details->getToken();
+        agent_ns = getAppSecScopeType() == "namespaced" ? env_details->getNameSpace() + "/" : "";
         messaging = Singleton::Consume<I_Messaging>::by<K8sPolicyUtils>();
     }
 }
@@ -140,10 +149,12 @@ extractElementsFromNewRule(
     const NewParsedRule &rule,
     map<AnnotationTypes, unordered_set<string>> &policy_elements_names)
 {
-    policy_elements_names[AnnotationTypes::EXCEPTION].insert(
-        rule.getExceptions().begin(),
-        rule.getExceptions().end()
-    );
+    if (rule.getExceptions().size() > 0) {
+        policy_elements_names[AnnotationTypes::EXCEPTION].insert(
+            rule.getExceptions().begin(),
+            rule.getExceptions().end()
+        );
+    }
     policy_elements_names[AnnotationTypes::THREAT_PREVENTION_PRACTICE].insert(
         rule.getPractices().begin(),
         rule.getPractices().end()
@@ -152,14 +163,24 @@ extractElementsFromNewRule(
         rule.getAccessControlPractices().begin(),
         rule.getAccessControlPractices().end()
     );
-    policy_elements_names[AnnotationTypes::TRIGGER].insert(
-        rule.getLogTriggers().begin(),
-        rule.getLogTriggers().end()
-    );
-    policy_elements_names[AnnotationTypes::WEB_USER_RES].insert(rule.getCustomResponse());
-    policy_elements_names[AnnotationTypes::SOURCE_IDENTIFIERS].insert(rule.getSourceIdentifiers());
-    policy_elements_names[AnnotationTypes::TRUSTED_SOURCES].insert(rule.getTrustedSources());
-    policy_elements_names[AnnotationTypes::UPGRADE_SETTINGS].insert(rule.getUpgradeSettings());
+    if (rule.getLogTriggers().size() > 0) {
+        policy_elements_names[AnnotationTypes::TRIGGER].insert(
+            rule.getLogTriggers().begin(),
+            rule.getLogTriggers().end()
+        );
+    }
+    if (rule.getCustomResponse() != "" ) {
+        policy_elements_names[AnnotationTypes::WEB_USER_RES].insert(rule.getCustomResponse());
+    }
+    if (rule.getSourceIdentifiers() != "" ) {
+        policy_elements_names[AnnotationTypes::SOURCE_IDENTIFIERS].insert(rule.getSourceIdentifiers());
+    }
+    if (rule.getTrustedSources() != "" ) {
+        policy_elements_names[AnnotationTypes::TRUSTED_SOURCES].insert(rule.getTrustedSources());
+    }
+    if (rule.getUpgradeSettings() != "" ) {
+        policy_elements_names[AnnotationTypes::UPGRADE_SETTINGS].insert(rule.getUpgradeSettings());
+    }
 }
 
 map<AnnotationTypes, unordered_set<string>>
@@ -259,9 +280,11 @@ K8sPolicyUtils::extractV1Beta2ElementsFromCluster(
     dbgTrace(D_LOCAL_POLICY) << "Retrieve AppSec elements. type: " << crd_plural;
     vector<T> elements;
     for (const string &element_name : elements_names) {
+        string ns_suffix = getAppSecScopeType() == "namespaced" ? "ns" : "";
+        string ns = getAppSecScopeType() == "namespaced" ? "namespaces/" : "";
         dbgTrace(D_LOCAL_POLICY) << "AppSec element name: " << element_name;
         auto maybe_appsec_element = getObjectFromCluster<AppsecSpecParser<T>>(
-            "/apis/openappsec.io/v1beta2/" + crd_plural + "/" + element_name
+            "/apis/openappsec.io/v1beta2/" + ns + agent_ns + crd_plural + ns_suffix + "/" + element_name
         );
 
         if (!maybe_appsec_element.ok()) {
@@ -362,8 +385,9 @@ K8sPolicyUtils::createSnortFile(vector<NewAppSecPracticeSpec> &practices) const
         practice.getSnortSignatures().setTemporary(true);
         for (const string &config_map : practice.getSnortSignatures().getConfigMap())
         {
+            string ns = agent_ns == "" ? "default/" : agent_ns;
             auto maybe_configmap = getObjectFromCluster<ConfigMaps>(
-                "/api/v1/namespaces/default/configmaps/" + config_map
+                "/api/v1/namespaces/" + ns + "configmaps/" + config_map
             );
             if (!maybe_configmap.ok())  {
                 dbgWarning(D_LOCAL_POLICY) << "Failed to get configMaps from the cluster.";
@@ -381,6 +405,28 @@ K8sPolicyUtils::createSnortFile(vector<NewAppSecPracticeSpec> &practices) const
     }
 }
 
+void
+K8sPolicyUtils::createSchemaValidationOas(vector<NewAppSecPracticeSpec> &practices) const
+{
+    for (NewAppSecPracticeSpec &practice : practices) {
+        vector<string> res;
+        for (const string &config_map : practice.getOpenSchemaValidation().getConfigMap())
+        {
+            string ns = agent_ns == "" ? "default/" : agent_ns;
+            auto maybe_configmap = getObjectFromCluster<ConfigMaps>(
+                "/api/v1/namespaces/" + ns + "configmaps/" + config_map
+            );
+            if (!maybe_configmap.ok())  {
+                dbgWarning(D_LOCAL_POLICY) << "Failed to get configMaps from the cluster.";
+                continue;
+            }
+            string file_content = maybe_configmap.unpack().getFileContent();
+            string res = Singleton::Consume<I_Encryptor>::by<K8sPolicyUtils>()->base64Encode(file_content);
+            practice.getOpenSchemaValidation().addOas(res);
+        }
+    }
+}
+
 Maybe<V1beta2AppsecLinuxPolicy>
 K8sPolicyUtils::createAppsecPolicyK8sFromV1beta2Crds(
     const AppsecSpecParser<NewAppsecPolicySpec> &appsec_policy_spec,
@@ -396,6 +442,7 @@ K8sPolicyUtils::createAppsecPolicyK8sFromV1beta2Crds(
     }
 
     if (default_rule.getMode().empty() && !ingress_mode.empty()) {
+        dbgTrace(D_LOCAL_POLICY) << "setting the policy default rule mode to the ingress mode: " << ingress_mode;
         default_rule.setMode(ingress_mode);
     }
 
@@ -411,6 +458,7 @@ K8sPolicyUtils::createAppsecPolicyK8sFromV1beta2Crds(
         );
 
     createSnortFile(threat_prevention_practices);
+    createSchemaValidationOas(threat_prevention_practices);
 
     vector<AccessControlPracticeSpec> access_control_practices =
         extractV1Beta2ElementsFromCluster<AccessControlPracticeSpec>(
@@ -467,17 +515,6 @@ K8sPolicyUtils::createAppsecPolicyK8sFromV1beta2Crds(
 }
 // LCOV_EXCL_STOP
 
-bool
-doesVersionExist(const map<string, string> &annotations, const string &version)
-{
-    for (auto annotation : annotations) {
-        if(annotation.second.find(version) != std::string::npos) {
-            return true;
-        }
-    }
-    return false;
-}
-
 std::tuple<Maybe<AppsecLinuxPolicy>, Maybe<V1beta2AppsecLinuxPolicy>>
 K8sPolicyUtils::createAppsecPolicyK8s(const string &policy_name, const string &ingress_mode) const
 {
@@ -486,16 +523,19 @@ K8sPolicyUtils::createAppsecPolicyK8s(const string &policy_name, const string &i
     );
 
     if (!maybe_appsec_policy_spec.ok() ||
-        !doesVersionExist(maybe_appsec_policy_spec.unpack().getMetaData().getAnnotations(), "v1beta1")
+        maybe_appsec_policy_spec.unpack().getApiVersion().find("v1beta1") == std::string::npos
     ) {
         try {
             std::string v1beta1_error =
                 maybe_appsec_policy_spec.ok() ? "There is no v1beta1 policy" : maybe_appsec_policy_spec.getErr();
             dbgWarning(D_LOCAL_POLICY
             ) << "Failed to retrieve Appsec policy with crds version: v1beta1, Trying version: v1beta2";
+            string ns_suffix = getAppSecScopeType() == "namespaced" ? "ns" : "";
+            string ns = getAppSecScopeType() == "namespaced" ? "namespaces/" : "";
             auto maybe_v1beta2_appsec_policy_spec = getObjectFromCluster<AppsecSpecParser<NewAppsecPolicySpec>>(
-                "/apis/openappsec.io/v1beta2/policies/" + policy_name
+                "/apis/openappsec.io/v1beta2/" + ns + agent_ns + "policies" + ns_suffix + "/" + policy_name
             );
+
             if (!maybe_v1beta2_appsec_policy_spec.ok()) {
                 dbgWarning(D_LOCAL_POLICY)
                     << "Failed to retrieve AppSec policy. Error: " << maybe_v1beta2_appsec_policy_spec.getErr();
@@ -526,7 +566,7 @@ K8sPolicyUtils::createAppsecPolicyK8s(const string &policy_name, const string &i
 
 template<class T, class K>
 void
-K8sPolicyUtils::createPolicy(
+K8sPolicyUtils::createPolicyFromIngress(
     T &appsec_policy,
     map<std::string, T> &policies,
     map<AnnotationKeys, string> &annotations_values,
@@ -535,10 +575,11 @@ K8sPolicyUtils::createPolicy(
     if (policies.find(annotations_values[AnnotationKeys::PolicyKey]) == policies.end()) {
         policies[annotations_values[AnnotationKeys::PolicyKey]] = appsec_policy;
     }
+    auto default_mode = appsec_policy.getAppsecPolicySpec().getDefaultRule().getMode();
     if (item.getSpec().doesDefaultBackendExist()) {
         dbgTrace(D_LOCAL_POLICY)
             << "Inserting Any host rule to the specific asset set";
-        K ingress_rule = K("*");
+        K ingress_rule = K("*", default_mode);
         policies[annotations_values[AnnotationKeys::PolicyKey]].addSpecificRule(ingress_rule);
     }
 
@@ -556,18 +597,42 @@ K8sPolicyUtils::createPolicy(
                     << "' uri: '"
                     << uri.getPath()
                     << "'";
-                K ingress_rule = K(host);
+                K ingress_rule = K(host, default_mode);
                 policies[annotations_values[AnnotationKeys::PolicyKey]].addSpecificRule(ingress_rule);
             }
         }
     }
+}
 
+template<class T, class K>
+void
+K8sPolicyUtils::createPolicyFromActivation(
+    T &appsec_policy,
+    map<std::string, T> &policies,
+    const EnabledPolicy &policy) const
+{
+    if (policies.find(policy.getName()) == policies.end()) {
+        policies[policy.getName()] = appsec_policy;
+    }
+    auto default_mode = appsec_policy.getAppsecPolicySpec().getDefaultRule().getMode();
+
+    for (const string &host : policy.getHosts()) {
+        if (!appsec_policy.getAppsecPolicySpec().isAssetHostExist(host)) {
+            dbgTrace(D_LOCAL_POLICY)
+                << "Inserting Host data to the specific asset set:"
+                << "URL: '"
+                << host
+                << "'";
+            K ingress_rule = K(host, default_mode);
+            policies[policy.getName()].addSpecificRule(ingress_rule);
+        }
+    }
 }
 
 std::tuple<map<string, AppsecLinuxPolicy>, map<string, V1beta2AppsecLinuxPolicy>>
-K8sPolicyUtils::createAppsecPoliciesFromIngresses()
+K8sPolicyUtils::createAppsecPolicies()
 {
-    dbgFlow(D_LOCAL_POLICY) << "Getting all policy object from Ingresses";
+    dbgFlow(D_LOCAL_POLICY) << "Getting all policy object from Ingresses and PolicyActivation";
     map<string, AppsecLinuxPolicy> v1bet1_policies;
     map<string, V1beta2AppsecLinuxPolicy> v1bet2_policies;
     auto maybe_ingress = getObjectFromCluster<IngressData>("/apis/networking.k8s.io/v1/ingresses");
@@ -577,7 +642,7 @@ K8sPolicyUtils::createAppsecPoliciesFromIngresses()
         dbgWarning(D_LOCAL_POLICY)
             << "Failed to retrieve K8S Ingress configurations. Error: "
             << maybe_ingress.getErr();
-        return make_tuple(v1bet1_policies, v1bet2_policies);
+        maybe_ingress = IngressData{};
     }
 
 
@@ -607,19 +672,54 @@ K8sPolicyUtils::createAppsecPoliciesFromIngresses()
 
         if (!std::get<0>(maybe_appsec_policy).ok()) {
             auto appsec_policy=std::get<1>(maybe_appsec_policy).unpack();
-            createPolicy<V1beta2AppsecLinuxPolicy, NewParsedRule>(
+            createPolicyFromIngress<V1beta2AppsecLinuxPolicy, NewParsedRule>(
                 appsec_policy,
                 v1bet2_policies,
                 annotations_values,
                 item);
         } else {
             auto appsec_policy=std::get<0>(maybe_appsec_policy).unpack();
-            createPolicy<AppsecLinuxPolicy, ParsedRule>(
+            createPolicyFromIngress<AppsecLinuxPolicy, ParsedRule>(
                 appsec_policy,
                 v1bet1_policies,
                 annotations_values,
                 item);
         }
     }
+
+
+    string ns_suffix = getAppSecScopeType() == "namespaced" ? "ns" : "";
+    string ns = getAppSecScopeType() == "namespaced" ? "namespaces/" : "";
+    auto maybe_policy_activation = getObjectFromCluster<PolicyActivationData>(
+        "/apis/openappsec.io/v1beta2/" + ns + agent_ns + "policyactivations" + ns_suffix
+    );
+
+    if (!maybe_policy_activation.ok()) {
+        dbgWarning(D_LOCAL_POLICY)
+            << "Failed to retrieve K8S PolicyActivation configurations. Error: "
+            << maybe_policy_activation.getErr();
+        return make_tuple(v1bet1_policies, v1bet2_policies);
+    }
+
+    PolicyActivationData policy_activation = maybe_policy_activation.unpack();
+    for (const SinglePolicyActivationData &item : policy_activation.getItems()) {
+        for (const auto &policy : item.getSpec().getPolicies()) {
+            auto maybe_appsec_policy = createAppsecPolicyK8s(policy.getName(), "");
+
+            if (!std::get<1>(maybe_appsec_policy).ok()) {
+                dbgWarning(D_LOCAL_POLICY)
+                    << "Failed to create appsec policy. v1beta2 Error: "
+                    << std::get<1>(maybe_appsec_policy).getErr();
+                continue;
+            } else {
+                auto appsec_policy=std::get<1>(maybe_appsec_policy).unpack();
+                createPolicyFromActivation<V1beta2AppsecLinuxPolicy, NewParsedRule>(
+                    appsec_policy,
+                    v1bet2_policies,
+                    policy);
+            }
+        }
+    }
+
     return make_tuple(v1bet1_policies, v1bet2_policies);
 }

components/security_apps/local_policy_mgmt_gen/local_policy_mgmt_gen.cc

@@ -36,6 +36,7 @@
 #include "customized_cereal_map.h"
 #include "include/appsec_practice_section.h"
 #include "include/ingress_data.h"
+#include "include/policy_activation_data.h"
 #include "include/settings_section.h"
 #include "include/triggers_section.h"
 #include "include/local_policy_common.h"
@@ -85,7 +86,7 @@ public:
         K8sPolicyUtils k8s_policy_utils;
         k8s_policy_utils.init();
 
-        auto appsec_policies = k8s_policy_utils.createAppsecPoliciesFromIngresses();
+        auto appsec_policies = k8s_policy_utils.createAppsecPolicies();
         if (!std::get<0>(appsec_policies).empty()) {
             return policy_maker_utils.proccesMultipleAppsecPolicies<AppsecLinuxPolicy, ParsedRule>(
                 std::get<0>(appsec_policies),

components/security_apps/local_policy_mgmt_gen/new_practice.cc

@@ -22,6 +22,7 @@ static const set<string> performance_impacts    = {"low", "medium", "high"};
 static const set<string> severity_levels        = {"low", "medium", "high", "critical"};
 static const set<string> size_unit              = {"bytes", "KB", "MB", "GB"};
 static const set<string> confidences_actions    = {"prevent", "detect", "inactive", "as-top-level", "inherited"};
+static const set<string> valied_enforcement_level = {"fullSchema", "endpointOnly"};
 static const set<string> valid_modes = {
     "prevent",
     "detect",
@@ -32,38 +33,38 @@ static const set<string> valid_modes = {
     "inherited"
 };
 static const set<string> valid_confidences      = {"medium", "high", "critical"};
-static const std::unordered_map<std::string, std::string> key_to_performance_impact_val = {
+static const unordered_map<string, string> key_to_performance_impact_val = {
     { "low", "Low or lower"},
     { "medium", "Medium or lower"},
     { "high", "High or lower"}
 };
-static const std::unordered_map<std::string, std::string> key_to_severity_level_val = {
+static const unordered_map<string, string> key_to_severity_level_val = {
     { "low", "Low or above"},
     { "medium", "Medium or above"},
     { "high", "High or above"},
     { "critical", "Critical"}
 };
-static const std::unordered_map<std::string, std::string> key_to_mode_val = {
+static const unordered_map<string, string> key_to_mode_val = {
     { "prevent-learn", "Prevent"},
     { "detect-learn", "Detect"},
     { "prevent", "Prevent"},
     { "detect", "Detect"},
     { "inactive", "Inactive"}
 };
-static const std::unordered_map<std::string, std::string> anti_bot_key_to_mode_val = {
+static const unordered_map<string, string> anti_bot_key_to_mode_val = {
     { "prevent-learn", "Prevent"},
     { "detect-learn", "Detect"},
     { "prevent", "Prevent"},
     { "detect", "Detect"},
     { "inactive", "Disabled"}
 };
-static const std::unordered_map<std::string, uint64_t> unit_to_int = {
+static const unordered_map<string, uint64_t> unit_to_int = {
     { "bytes", 1},
     { "KB", 1024},
     { "MB", 1048576},
     { "GB", 1073741824}
 };
-static const std::string TRANSPARENT_MODE = "Transparent";
+static const string TRANSPARENT_MODE = "Transparent";
 
 bool
 isModeInherited(const string &mode)
@@ -71,11 +72,11 @@ isModeInherited(const string &mode)
     return mode == "as-top-level" || mode == "inherited";
 }
 
-const std::string &
+const string &
 getModeWithDefault(
-    const std::string &mode,
-    const std::string &default_mode,
-    const std::unordered_map<std::string, std::string> &key_to_val)
+    const string &mode,
+    const string &default_mode,
+    const unordered_map<string, string> &key_to_val)
 {
     if (isModeInherited(mode) && (key_to_val.find(default_mode) != key_to_val.end())) {
         dbgError(D_LOCAL_POLICY) << "Setting to top-level mode: " << default_mode;
@@ -88,36 +89,35 @@ getModeWithDefault(
     return key_to_val.at(mode);
 }
 
-const std::vector<std::string> &
+const vector<string> &
 NewAppSecPracticeAntiBot::getIjectedUris() const
 {
     return injected_uris;
 }
 
-const std::vector<std::string> &
+const vector<string> &
 NewAppSecPracticeAntiBot::getValidatedUris() const
 {
     return validated_uris;
 }
 
-const std::string &
-NewAppSecPracticeAntiBot::getMode() const
+const string &
+NewAppSecPracticeAntiBot::getMode(const string &default_mode) const
 {
-    return override_mode;
+    return getModeWithDefault(override_mode, default_mode, anti_bot_key_to_mode_val);
 }
 
 void
 NewAppSecPracticeAntiBot::load(cereal::JSONInputArchive &archive_in)
 {
     dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Web Bots";
-    string mode;
     parseAppsecJSONKey<vector<string>>("injectedUris", injected_uris, archive_in);
     parseAppsecJSONKey<vector<string>>("validatedUris", validated_uris, archive_in);
-    parseMandatoryAppsecJSONKey<string>("overrideMode", mode, archive_in, "inactive");
-    if (valid_modes.count(mode) == 0) {
-        dbgWarning(D_LOCAL_POLICY) << "AppSec Web Bots override mode invalid: " << mode;
+    parseMandatoryAppsecJSONKey<string>("overrideMode", override_mode, archive_in, "inactive");
+    if (valid_modes.count(override_mode) == 0) {
+        dbgWarning(D_LOCAL_POLICY) << "AppSec Web Bots override mode invalid: " << override_mode;
+        throw PolicyGenException("AppSec Web Bots override mode invalid: " + override_mode);
     }
-    override_mode = anti_bot_key_to_mode_val.at(mode);
 }
 
 void
@@ -242,14 +242,14 @@ NewAppSecPracticeWebAttacks::getProtections() const
 }
 
 SnortProtectionsSection::SnortProtectionsSection(
-    const std::string               &_context,
-    const std::string               &_asset_name,
-    const std::string               &_asset_id,
-    const std::string               &_practice_name,
-    const std::string               &_practice_id,
-    const std::string               &_source_identifier,
-    const std::string               &_mode,
-    const std::vector<std::string>  &_files)
+    const string               &_context,
+    const string               &_asset_name,
+    const string               &_asset_id,
+    const string               &_practice_name,
+    const string               &_practice_id,
+    const string               &_source_identifier,
+    const string               &_mode,
+    const vector<string>  &_files)
         :
     context(_context),
     asset_name(_asset_name),
@@ -278,10 +278,10 @@ SnortProtectionsSection::save(cereal::JSONOutputArchive &out_ar) const
 }
 
 DetectionRules::DetectionRules(
-    const std::string                   &_type,
-    const std::string                   &_SSM,
-    const std::string                   &_keywords,
-    const std::vector<std::string>      &_context)
+    const string                   &_type,
+    const string                   &_SSM,
+    const string                   &_keywords,
+    const vector<string>      &_context)
         :
     type(_type),
     SSM(_SSM),
@@ -314,14 +314,14 @@ DetectionRules::save(cereal::JSONOutputArchive &out_ar) const
 
 ProtectionMetadata::ProtectionMetadata(
     bool                                _silent,
-    const std::string                   &_protection_name,
-    const std::string                   &_severity,
-    const std::string                   &_confidence_level,
-    const std::string                   &_performance_impact,
-    const std::string                   &_last_update,
-    const std::string                   &_maintrain_id,
-    const std::vector<std::string>      &_tags,
-    const std::vector<std::string>      &_cve_list)
+    const string                   &_protection_name,
+    const string                   &_severity,
+    const string                   &_confidence_level,
+    const string                   &_performance_impact,
+    const string                   &_last_update,
+    const string                   &_maintrain_id,
+    const vector<string>      &_tags,
+    const vector<string>      &_cve_list)
         :
     silent(_silent),
     protection_name(_protection_name),
@@ -394,9 +394,9 @@ ProtectionsProtectionsSection::save(cereal::JSONOutputArchive &out_ar) const
 }
 
 ProtectionsSection::ProtectionsSection(
-    const std::vector<ProtectionsProtectionsSection>    &_protections,
-    const std::string                                   &_name,
-    const std::string                                   &_modification_time)
+    const vector<ProtectionsProtectionsSection>    &_protections,
+    const string                                   &_name,
+    const string                                   &_modification_time)
         :
     protections(_protections),
     name(_name),
@@ -460,12 +460,16 @@ SnortSectionWrapper::save(cereal::JSONOutputArchive &out_ar) const
 }
 
 void
-NewSnortSignaturesAndOpenSchemaAPI::load(cereal::JSONInputArchive &archive_in)
+NewSnortSignatures::load(cereal::JSONInputArchive &archive_in)
 {
     dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Snort Signatures practice";
     parseMandatoryAppsecJSONKey<string>("overrideMode", override_mode, archive_in, "inactive");
     parseAppsecJSONKey<vector<string>>("configmap", config_map, archive_in);
     parseAppsecJSONKey<vector<string>>("files", files, archive_in);
+    if (valid_modes.count(override_mode) == 0) {
+        dbgWarning(D_LOCAL_POLICY) << "AppSec Snort Signatures override mode invalid: " << override_mode;
+        throw PolicyGenException("AppSec Snort Signatures override mode invalid: " + override_mode);
+    }
     is_temporary = false;
     if (valid_modes.count(override_mode) == 0) {
         dbgWarning(D_LOCAL_POLICY) << "AppSec Snort Signatures override mode invalid: " << override_mode;
@@ -474,42 +478,107 @@ NewSnortSignaturesAndOpenSchemaAPI::load(cereal::JSONInputArchive &archive_in)
 }
 
 void
-NewSnortSignaturesAndOpenSchemaAPI::addFile(const string &file_name)
+NewSnortSignatures::addFile(const string &file_name)
 {
     files.push_back(file_name);
 }
 
 const string &
-NewSnortSignaturesAndOpenSchemaAPI::getOverrideMode(const string &default_mode) const
+NewSnortSignatures::getOverrideMode(const string &default_mode) const
 {
-    const string &res = getModeWithDefault(override_mode, default_mode, key_to_practices_val);
+    const string &res = getModeWithDefault(override_mode, default_mode, key_to_practices_mode_val);
     return res;
 }
 
 const vector<string> &
-NewSnortSignaturesAndOpenSchemaAPI::getFiles() const
+NewSnortSignatures::getFiles() const
 {
     return files;
 }
 
 const vector<string> &
-NewSnortSignaturesAndOpenSchemaAPI::getConfigMap() const
+NewSnortSignatures::getConfigMap() const
 {
     return config_map;
 }
 
 bool
-NewSnortSignaturesAndOpenSchemaAPI::isTemporary() const
+NewSnortSignatures::isTemporary() const
 {
     return is_temporary;
 }
 
 void
-NewSnortSignaturesAndOpenSchemaAPI::setTemporary(bool val)
+NewSnortSignatures::setTemporary(bool val)
 {
     is_temporary = val;
 }
 
+void
+NewOpenApiSchema::load(cereal::JSONInputArchive &archive_in)
+{
+    dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Schema Validation practice";
+    parseMandatoryAppsecJSONKey<string>("overrideMode", override_mode, archive_in, "inactive");
+    parseAppsecJSONKey<vector<string>>("configmap", config_map, archive_in);
+    parseAppsecJSONKey<vector<string>>("files", files, archive_in);
+    parseAppsecJSONKey<string>("enforcementLevel", enforcement_level, archive_in, "fullSchema");
+    if (valied_enforcement_level.count(enforcement_level) == 0) {
+        dbgWarning(D_LOCAL_POLICY) << "AppSec Schema Validation enforcement level invalid: " << enforcement_level;
+        throw PolicyGenException("AppSec Schema Validation enforcement level invalid: " + enforcement_level);
+    }
+    if (valid_modes.count(override_mode) == 0) {
+        dbgWarning(D_LOCAL_POLICY) << "AppSec Schema Validation override mode invalid: " << override_mode;
+        throw PolicyGenException("AppSec Schema Validation override mode invalid: " + override_mode);
+    }
+    for (const string &file : files)
+    {
+        auto i_orchestration_tools = Singleton::Consume<I_OrchestrationTools>::by<NewOpenApiSchema>();
+        auto file_content = i_orchestration_tools->readFile(file);
+        if (!file_content.ok()) {
+            dbgWarning(D_LOCAL_POLICY) << "Couldn't open the schema validation file";
+            continue;
+        }
+        oas.push_back(Singleton::Consume<I_Encryptor>::by<NewOpenApiSchema>()->base64Encode(file_content.unpack()));
+    }
+}
+
+void
+NewOpenApiSchema::addOas(const string &file)
+{
+    oas.push_back(file);
+}
+
+const string &
+NewOpenApiSchema::getOverrideMode(const string &default_mode) const
+{
+    const string &res = getModeWithDefault(override_mode, default_mode, key_to_practices_val2);
+    return res;
+}
+
+const string &
+NewOpenApiSchema::getEnforceLevel() const
+{
+    return enforcement_level;
+}
+
+const vector<string> &
+NewOpenApiSchema::getFiles() const
+{
+    return files;
+}
+
+const vector<string> &
+NewOpenApiSchema::getConfigMap() const
+{
+    return config_map;
+}
+
+const vector<string> &
+NewOpenApiSchema::getOas() const
+{
+    return oas;
+}
+
 void
 IpsProtectionsRulesSection::save(cereal::JSONOutputArchive &out_ar) const
 {
@@ -548,7 +617,7 @@ IpsProtectionsSection::IpsProtectionsSection(
 {
 }
 
-std::string &
+string &
 IpsProtectionsSection::getMode()
 {
     return mode;
@@ -570,6 +639,20 @@ IpsProtectionsSection::save(cereal::JSONOutputArchive &out_ar) const
     );
 }
 
+bool
+IpsProtectionsSection::operator<(const IpsProtectionsSection &other) const
+{
+    // for sorting from the most specific to the least specific rule
+    if (name == default_appsec_name) return false;
+    if (other.name == default_appsec_name) return true;
+    return name.size() > other.name.size();
+}
+
+IPSSection::IPSSection(const vector<IpsProtectionsSection> &_ips) : ips(_ips)
+{
+    sort(ips.begin(), ips.end());
+}
+
 void
 IPSSection::save(cereal::JSONOutputArchive &out_ar) const
 {
@@ -648,7 +731,7 @@ NewIntrusionPrevention::createIpsRules(const string &default_mode) const
     vector<IpsProtectionsRulesSection> ips_rules;
     IpsProtectionsRulesSection high_rule(
         min_cve_Year,
-        getModeWithDefault(high_confidence_event_action, default_mode, key_to_practices_val),
+        getRulesMode(high_confidence_event_action, default_mode),
         string("High"),
         max_performance_impact,
         string(""),
@@ -658,7 +741,7 @@ NewIntrusionPrevention::createIpsRules(const string &default_mode) const
 
     IpsProtectionsRulesSection med_rule(
         min_cve_Year,
-        getModeWithDefault(medium_confidence_event_action, default_mode, key_to_practices_val),
+        getRulesMode(medium_confidence_event_action, default_mode),
         string("Medium"),
         max_performance_impact,
         string(""),
@@ -668,7 +751,7 @@ NewIntrusionPrevention::createIpsRules(const string &default_mode) const
 
     IpsProtectionsRulesSection low_rule(
         min_cve_Year,
-        getModeWithDefault(low_confidence_event_action, default_mode, key_to_practices_val),
+        getRulesMode(low_confidence_event_action, default_mode),
         string("Low"),
         max_performance_impact,
         string(""),
@@ -679,33 +762,45 @@ NewIntrusionPrevention::createIpsRules(const string &default_mode) const
     return ips_rules;
 }
 
-const std::string &
-NewIntrusionPrevention::getMode(const std::string &default_mode) const
+const string &
+NewIntrusionPrevention::getMode(const string &default_mode) const
 {
-    const string &res = getModeWithDefault(override_mode, default_mode, key_to_practices_val);
+    const string &res = getModeWithDefault(override_mode, default_mode, key_to_practices_mode_val);
     return res;
 }
 
+const string &
+NewIntrusionPrevention::getRulesMode(const string &mode, const string &default_mode) const
+{
+    if (isModeInherited(mode)) return default_mode;
+
+    if (key_to_practices_mode_val.find(mode) == key_to_practices_mode_val.end()) {
+        dbgError(D_LOCAL_POLICY) << "Given mode: " << mode << " or top-level: " << default_mode << " is invalid.";
+        return key_to_practices_mode_val.at("inactive");
+    }
+    return key_to_practices_mode_val.at(mode);
+}
+
 FileSecurityProtectionsSection::FileSecurityProtectionsSection(
     uint64_t                _file_size_limit,
     uint64_t                _archive_file_size_limit,
     bool                    _allow_files_without_name,
     bool                    _required_file_size_limit,
     bool                    _required_archive_extraction,
-    const std::string       &_context,
-    const std::string       &_name,
-    const std::string       &_asset_id,
-    const std::string       &_practice_name,
-    const std::string       &_practice_id,
-    const std::string       &_action,
-    const std::string       &_files_without_name_action,
-    const std::string       &_high_confidence_action,
-    const std::string       &_medium_confidence_action,
-    const std::string       &_low_confidence_action,
-    const std::string       &_severity_level,
-    const std::string       &_file_size_limit_action,
-    const std::string       &_multi_level_archive_action,
-    const std::string       &_unopened_archive_action)
+    const string       &_context,
+    const string       &_name,
+    const string       &_asset_id,
+    const string       &_practice_name,
+    const string       &_practice_id,
+    const string       &_action,
+    const string       &_files_without_name_action,
+    const string       &_high_confidence_action,
+    const string       &_medium_confidence_action,
+    const string       &_low_confidence_action,
+    const string       &_severity_level,
+    const string       &_file_size_limit_action,
+    const string       &_multi_level_archive_action,
+    const string       &_unopened_archive_action)
         :
     file_size_limit(_file_size_limit),
     archive_file_size_limit(_archive_file_size_limit),
@@ -831,13 +926,13 @@ NewFileSecurityArchiveInspection::getrequiredArchiveExtraction() const
     return extract_archive_files;
 }
 
-const std::string &
+const string &
 NewFileSecurityArchiveInspection::getMultiLevelArchiveAction() const
 {
     return archived_files_within_archived_files;
 }
 
-const std::string &
+const string &
 NewFileSecurityArchiveInspection::getUnopenedArchiveAction() const
 {
     return archived_files_where_content_extraction_failed;
@@ -886,7 +981,7 @@ NewFileSecurityLargeFileInspection::getFileSizeLimit() const
     return (file_size_limit * unit_to_int.at(file_size_limit_unit));
 }
 
-const std::string &
+const string &
 NewFileSecurityLargeFileInspection::getFileSizeLimitAction() const
 {
     return files_exceeding_size_limit_action;
@@ -1007,7 +1102,7 @@ void
 NewAppSecPracticeSpec::load(cereal::JSONInputArchive &archive_in)
 {
     dbgTrace(D_LOCAL_POLICY) << "Loading AppSec practice spec";
-    parseAppsecJSONKey<NewSnortSignaturesAndOpenSchemaAPI>(
+    parseAppsecJSONKey<NewOpenApiSchema>(
         "schemaValidation",
         openapi_schema_validation,
         archive_in
@@ -1015,11 +1110,15 @@ NewAppSecPracticeSpec::load(cereal::JSONInputArchive &archive_in)
     parseAppsecJSONKey<string>("appsecClassName", appsec_class_name, archive_in);
     parseMandatoryAppsecJSONKey<NewFileSecurity>("fileSecurity", file_security, archive_in);
     parseMandatoryAppsecJSONKey<NewIntrusionPrevention>("intrusionPrevention", intrusion_prevention, archive_in);
-    parseMandatoryAppsecJSONKey<NewSnortSignaturesAndOpenSchemaAPI>("snortSignatures", snort_signatures, archive_in);
+    parseMandatoryAppsecJSONKey<NewSnortSignatures>("snortSignatures", snort_signatures, archive_in);
     parseMandatoryAppsecJSONKey<NewAppSecPracticeWebAttacks>("webAttacks", web_attacks, archive_in);
     parseAppsecJSONKey<NewAppSecPracticeAntiBot>("antiBot", anti_bot, archive_in);
     parseAppsecJSONKey<string>("name", practice_name, archive_in);
     parseAppsecJSONKey<string>("practiceMode", mode, archive_in, "inherited");
+    if (valid_modes.count(mode) == 0) {
+        dbgWarning(D_LOCAL_POLICY) << "AppSec Threat prevention practice mode invalid: " << mode;
+        throw PolicyGenException("AppSec Threat prevention practice mode invalid: " + mode);
+    }
 }
 
 void
@@ -1028,13 +1127,13 @@ NewAppSecPracticeSpec::setName(const string &_name)
     practice_name = _name;
 }
 
-const NewSnortSignaturesAndOpenSchemaAPI &
-NewAppSecPracticeSpec::getOpenSchemaValidation() const
+NewOpenApiSchema &
+NewAppSecPracticeSpec::getOpenSchemaValidation()
 {
     return openapi_schema_validation;
 }
 
-NewSnortSignaturesAndOpenSchemaAPI &
+NewSnortSignatures &
 NewAppSecPracticeSpec::getSnortSignatures()
 {
     return snort_signatures;

components/security_apps/local_policy_mgmt_gen/new_trusted_sources.cc

@@ -69,7 +69,7 @@ Identifier::load(cereal::JSONInputArchive &archive_in)
         dbgWarning(D_LOCAL_POLICY) << "AppSec identifier invalid: " << identifier;
         identifier = "sourceip";
     }
-    parseMandatoryAppsecJSONKey<vector<string>>("value", value, archive_in);
+    parseAppsecJSONKey<vector<string>>("value", value, archive_in);
 }
 
 const string &

components/security_apps/local_policy_mgmt_gen/policy_activation_data.cc

@@ -0,0 +1,103 @@
+// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "policy_activation_data.h"
+#include "customized_cereal_map.h"
+
+using namespace std;
+
+USE_DEBUG_FLAG(D_LOCAL_POLICY);
+
+void
+PolicyActivationMetadata::load(cereal::JSONInputArchive &archive_in)
+{
+    dbgTrace(D_LOCAL_POLICY) << "PolicyActivationMetadata load";
+    parseAppsecJSONKey<string>("name", name, archive_in);
+}
+
+void
+EnabledPolicy::load(cereal::JSONInputArchive &archive_in)
+{
+    dbgTrace(D_LOCAL_POLICY) << "Loading policyActivation enabled policy";
+    parseMandatoryAppsecJSONKey<vector<string>>("hosts", hosts, archive_in);
+    parseAppsecJSONKey<string>("name", name, archive_in);
+}
+
+const string &
+EnabledPolicy::getName() const
+{
+    return name;
+}
+
+const vector<string> &
+EnabledPolicy::getHosts() const
+{
+    return hosts;
+}
+
+void
+PolicyActivationSpec::load(cereal::JSONInputArchive &archive_in)
+{
+    dbgTrace(D_LOCAL_POLICY) << "PolicyActivationSpec load";
+    parseAppsecJSONKey<string>("appsecClassName", appsec_class_name, archive_in);
+    parseMandatoryAppsecJSONKey<vector<EnabledPolicy>>("enabledPolicies", policies, archive_in);
+}
+
+const vector<EnabledPolicy> &
+PolicyActivationSpec::getPolicies() const
+{
+    return policies;
+}
+
+void
+SinglePolicyActivationData::load(cereal::JSONInputArchive &archive_in)
+{
+    dbgTrace(D_LOCAL_POLICY) << "Loading single policy activation data";
+    parseAppsecJSONKey<string>("apiVersion", api_version, archive_in);
+    parseAppsecJSONKey<string>("kind", kind, archive_in);
+    parseAppsecJSONKey<PolicyActivationMetadata>("metadata", metadata, archive_in);
+    parseAppsecJSONKey<PolicyActivationSpec>("spec", spec, archive_in);
+}
+
+const PolicyActivationSpec &
+SinglePolicyActivationData::getSpec() const
+{
+    return spec;
+}
+
+bool
+PolicyActivationData::loadJson(const string &json)
+{
+    string modified_json = json;
+    modified_json.pop_back();
+    stringstream in;
+    in.str(modified_json);
+    dbgTrace(D_LOCAL_POLICY) << "Loading policy activations data";
+    try {
+        cereal::JSONInputArchive in_ar(in);
+        in_ar(
+            cereal::make_nvp("apiVersion", api_version),
+            cereal::make_nvp("items", items)
+        );
+    } catch (cereal::Exception &e) {
+        dbgError(D_LOCAL_POLICY) << "Failed to load policy activations data JSON. Error: " << e.what();
+        return false;
+    }
+    return true;
+}
+
+const vector<SinglePolicyActivationData> &
+PolicyActivationData::getItems() const
+{
+    return items;
+}

components/security_apps/local_policy_mgmt_gen/policy_maker_utils.cc

@@ -23,6 +23,14 @@ using namespace std;
 USE_DEBUG_FLAG(D_NGINX_POLICY);
 USE_DEBUG_FLAG(D_LOCAL_POLICY);
 
+static const std::unordered_map<std::string, std::string> key_to_source_identefier_val = {
+    { "sourceip", "Source IP"},
+    { "cookie", "Cookie:"},
+    { "headerkey", "Header:"},
+    { "JWTKey", ""},
+    { "x-forwarded-for", "X-Forwarded-For"}
+};
+
 void
 SecurityAppsWrapper::save(cereal::JSONOutputArchive &out_ar) const
 {
@@ -920,7 +928,6 @@ createMultiRulesSections(
     PracticeSection practice = PracticeSection(practice_id, practice_type, practice_name);
     vector<ParametersSection> exceptions_result;
     for (auto exception : exceptions) {
-
         const auto &exception_name = exception.first;
         for (const auto &inner_exception : exception.second) {
             exceptions_result.push_back(ParametersSection(inner_exception.getBehaviorId(), exception_name));
@@ -1038,7 +1045,7 @@ PolicyMakerUtils::createIpsSections(
         practice_name,
         practice_id,
         source_identifier,
-        override_mode,
+        "Inactive",
         apssec_practice.getIntrusionPrevention().createIpsRules(override_mode)
     );
 
@@ -1048,8 +1055,7 @@ PolicyMakerUtils::createIpsSections(
 void
 PolicyMakerUtils::createSnortProtecionsSection(const string &file_name, bool is_temporary)
 {
-    auto path = getFilesystemPathConfig() + "/conf/snort/" + file_name;
-    string in_file = is_temporary ? path + ".rule" : path;
+    auto path = is_temporary ? getFilesystemPathConfig() + "/conf/snort/" + file_name + ".rule" : file_name;
 
     if (snort_protections.find(path) != snort_protections.end()) {
         dbgTrace(D_LOCAL_POLICY) << "Snort protections section for file " << file_name << " already exists";
@@ -1060,7 +1066,9 @@ PolicyMakerUtils::createSnortProtecionsSection(const string &file_name, bool is_
         << (is_temporary ? " temporary" : "") << " file " << path;
 
     auto snort_script_path = getFilesystemPathConfig() + "/scripts/snort_to_ips_local.py";
-    auto cmd = "python3 " + snort_script_path + " " + in_file + " " + path + ".out " + path + ".err";
+    auto tmp_out = "/tmp/" + file_name + ".out";
+    auto tmp_err = "/tmp/" + file_name + ".err";
+    auto cmd = "python3 " + snort_script_path + " " + path + " " + tmp_out + " " + tmp_err;
 
     auto res = Singleton::Consume<I_ShellCmd>::by<LocalPolicyMgmtGenerator>()->getExecOutput(cmd);
 
@@ -1069,16 +1077,16 @@ PolicyMakerUtils::createSnortProtecionsSection(const string &file_name, bool is_
         return;
     }
 
-    Maybe<ProtectionsSectionWrapper> maybe_protections = openFileAsJson<ProtectionsSectionWrapper>(path + ".out");
+    Maybe<ProtectionsSectionWrapper> maybe_protections = openFileAsJson<ProtectionsSectionWrapper>(tmp_out);
     if (!maybe_protections.ok()){
         dbgWarning(D_LOCAL_POLICY) << maybe_protections.getErr();
         return;
     }
 
     auto i_orchestration_tools = Singleton::Consume<I_OrchestrationTools>::by<LocalPolicyMgmtGenerator>();
-    if (is_temporary) i_orchestration_tools->removeFile(in_file);
-    i_orchestration_tools->removeFile(path + ".out");
-    i_orchestration_tools->removeFile(path + ".err");
+    if (is_temporary) i_orchestration_tools->removeFile(path);
+    i_orchestration_tools->removeFile(tmp_out);
+    i_orchestration_tools->removeFile(tmp_err);
 
     snort_protections[path] = ProtectionsSection(
         maybe_protections.unpack().getProtections(),
@@ -1208,9 +1216,11 @@ void
 PolicyMakerUtils::createWebAppSection(
     const V1beta2AppsecLinuxPolicy &policy,
     const RulesConfigRulebase& rule_config,
-    const string &practice_id, const string &full_url,
+    const string &practice_id,
+    const string &full_url,
     const string &default_mode,
-    map<AnnotationTypes, string> &rule_annotations)
+    map<AnnotationTypes, string> &rule_annotations,
+    vector<InnerException> rule_inner_exceptions)
 {
     auto apssec_practice =
         getAppsecPracticeSpec<V1beta2AppsecLinuxPolicy, NewAppSecPracticeSpec>(
@@ -1225,6 +1235,7 @@ PolicyMakerUtils::createWebAppSection(
         apssec_practice.getWebAttacks().getMaxObjectDepth(),
         apssec_practice.getWebAttacks().getMaxUrlSizeBytes()
     );
+
     WebAppSection web_app = WebAppSection(
         full_url == "Any" ? default_appsec_url : full_url,
         rule_config.getAssetId(),
@@ -1236,12 +1247,16 @@ PolicyMakerUtils::createWebAppSection(
         rule_config.getContext(),
         apssec_practice.getWebAttacks().getMinimumConfidence(practice_mode),
         apssec_practice.getWebAttacks().getMode(practice_mode),
-        apssec_practice.getAntiBot().getMode(),
+        apssec_practice.getAntiBot().getMode(practice_mode),
+        apssec_practice.getOpenSchemaValidation().getOverrideMode(practice_mode),
+        apssec_practice.getOpenSchemaValidation().getEnforceLevel(),
+        apssec_practice.getOpenSchemaValidation().getOas(),
         practice_advance_config,
         apssec_practice.getAntiBot(),
         log_triggers[rule_annotations[AnnotationTypes::TRIGGER]],
         trusted_sources[rule_annotations[AnnotationTypes::TRUSTED_SOURCES]],
-        apssec_practice.getWebAttacks().getProtections()
+        apssec_practice.getWebAttacks().getProtections(),
+        rule_inner_exceptions
     );
     web_apps[rule_config.getAssetName()] = web_app;
 }
@@ -1290,7 +1305,7 @@ PolicyMakerUtils::createThreatPreventionPracticeSections(
     );
     rules_config[rule_config.getAssetName()] = rule_config;
 
-    string current_identifier;
+    string current_identifier, current_identifier_value;
     if (!rule_annotations[AnnotationTypes::SOURCE_IDENTIFIERS].empty()) {
         UsersIdentifiersRulebase user_identifiers = createUserIdentifiers<V1beta2AppsecLinuxPolicy>(
             rule_annotations[AnnotationTypes::SOURCE_IDENTIFIERS],
@@ -1299,6 +1314,15 @@ PolicyMakerUtils::createThreatPreventionPracticeSections(
         );
         users_identifiers[rule_annotations[AnnotationTypes::SOURCE_IDENTIFIERS]] = user_identifiers;
         current_identifier = user_identifiers.getIdentifier();
+        current_identifier_value = user_identifiers.getIdentifierValue();
+    }
+
+    string ips_identifier, ips_identifier_value;
+    if(key_to_source_identefier_val.find(current_identifier) != key_to_source_identefier_val.end()) {
+        ips_identifier = key_to_source_identefier_val.at(current_identifier);
+    }
+    if (current_identifier == "cookie" || current_identifier == "headerkey") {
+        ips_identifier_value = current_identifier_value;
     }
 
     createIpsSections(
@@ -1306,7 +1330,7 @@ PolicyMakerUtils::createThreatPreventionPracticeSections(
         rule_config.getAssetName(),
         practice_id,
         rule_annotations[AnnotationTypes::PRACTICE],
-        current_identifier,
+        ips_identifier + ips_identifier_value,
         rule_config.getContext(),
         policy,
         rule_annotations,
@@ -1343,7 +1367,8 @@ PolicyMakerUtils::createThreatPreventionPracticeSections(
             practice_id,
             asset_name,
             default_mode,
-            rule_annotations);
+            rule_annotations,
+            inner_exceptions[rule_annotations[AnnotationTypes::EXCEPTION]]);
     }
 
 }

components/security_apps/local_policy_mgmt_gen/rules_config_section.cc

@@ -17,6 +17,8 @@ using namespace std;
 
 USE_DEBUG_FLAG(D_LOCAL_POLICY);
 
+static const string empty_string="";
+
 AssetUrlParser
 AssetUrlParser::parse(const string &uri)
 {
@@ -242,6 +244,13 @@ UsersIdentifier::getIdentifier() const
 {
     return source_identifier;
 }
+
+const string &
+UsersIdentifier::getIdentifierValue() const
+{
+    if (identifier_values.empty()) return empty_string;
+    return identifier_values[0];
+}
 // LCOV_EXCL_STOP
 
 void
@@ -272,6 +281,13 @@ UsersIdentifiersRulebase::getIdentifier() const
     if (source_identifiers.empty()) return source_identifier;
     return source_identifiers[0].getIdentifier();
 }
+
+const string &
+UsersIdentifiersRulebase::getIdentifierValue() const
+{
+    if (source_identifiers.empty()) return empty_string;
+    return source_identifiers[0].getIdentifierValue();
+}
 // LCOV_EXCL_STOP
 
 void

components/security_apps/orchestration/CMakeLists.txt

@@ -14,7 +14,6 @@ add_subdirectory(details_resolver)
 add_subdirectory(health_check)
 add_subdirectory(health_check_manager)
 add_subdirectory(updates_process_reporter)
-add_subdirectory(env_details)
 add_subdirectory(external_sdk_server)
 
 #add_subdirectory(orchestration_ut)

components/security_apps/orchestration/details_resolver/details_resolver.cc

@@ -41,12 +41,13 @@ public:
 
     string getAgentVersion() override;
     bool isKernelVersion3OrHigher() override;
+    bool isGw() override;
     bool isGwNotVsx() override;
     bool isVersionAboveR8110() override;
     bool isReverseProxy() override;
     bool isCloudStorageEnabled() override;
     Maybe<tuple<string, string, string, string, string>> readCloudMetadata() override;
-    Maybe<tuple<string, string, string>> parseNginxMetadata() override;
+    Maybe<tuple<string, string, string, string>> parseNginxMetadata() override;
 #if defined(gaia) || defined(smb)
     bool compareCheckpointVersion(int cp_version, std::function<bool(int, int)> compare_operator) const override;
 #endif // gaia || smb
@@ -80,7 +81,9 @@ DetailsResolver::Impl::getHostname()
 Maybe<string>
 DetailsResolver::Impl::getPlatform()
 {
-#if defined(gaia)
+#if defined(gaia_arm)
+    return string("gaia_arm");
+#elif defined(gaia)
     return string("gaia");
 #elif defined(arm32_rpi)
     return string("glibc");
@@ -165,6 +168,19 @@ DetailsResolver::Impl::isKernelVersion3OrHigher()
     return false;
 }
 
+bool
+DetailsResolver::Impl::isGw()
+{
+#if defined(gaia) || defined(smb)
+    static const string is_gw_cmd = "cpprod_util FwIsFirewallModule";
+    auto is_gw = DetailsResolvingHanlder::getCommandOutput(is_gw_cmd);
+    if (is_gw.ok() && !is_gw.unpack().empty()) {
+        return is_gw.unpack().front() == '1';
+    }
+#endif
+    return false;
+}
+
 bool
 DetailsResolver::Impl::isGwNotVsx()
 {
@@ -228,7 +244,7 @@ isNoResponse(const string &cmd)
     return !res.ok() || res.unpack().empty();
 }
 
-Maybe<tuple<string, string, string>>
+Maybe<tuple<string, string, string, string>>
 DetailsResolver::Impl::parseNginxMetadata()
 {
     auto output_path = getConfigurationWithDefault<string>(
@@ -236,11 +252,22 @@ DetailsResolver::Impl::parseNginxMetadata()
         "orchestration",
         "Nginx metadata temp file"
     );
+
+    const string &filesystem_path_config = getFilesystemPathConfig();
+
     const string srcipt_exe_cmd =
-        getFilesystemPathConfig() +
+        filesystem_path_config +
         "/scripts/cp-nano-makefile-generator.sh -f -o " +
         output_path;
 
+    const string script_fresh_exe_cmd =
+        filesystem_path_config +
+        "/scripts/cp-nano-makefile-generator-fresh.sh save --save-location " +
+        output_path +
+        " --strings_bin_path " +
+        filesystem_path_config +
+        "/bin/strings";
+
     dbgTrace(D_ORCHESTRATOR) << "Details resolver, srcipt exe cmd: " << srcipt_exe_cmd;
     if (isNoResponse("which nginx") && isNoResponse("which kong")) {
         return genError("Nginx or Kong isn't installed");
@@ -263,7 +290,7 @@ DetailsResolver::Impl::parseNginxMetadata()
             return genError("Cannot open the file with nginx metadata, File: " + output_path);
         }
 
-    string line;
+        string line;
         while (getline(input_stream, line)) {
             lines.push_back(line);
         }
@@ -277,7 +304,37 @@ DetailsResolver::Impl::parseNginxMetadata()
             << " Error: " << exception.what();
     }
 
+    if (!isNoResponse("which nginx")) {
+        auto script_output = DetailsResolvingHanlder::getCommandOutput(script_fresh_exe_cmd);
+        if (!script_output.ok()) {
+            return genError("Failed to generate nginx fresh metadata, Error: " + script_output.getErr());
+        }
+
+        try {
+            ifstream input_stream(output_path);
+            if (!input_stream) {
+                return genError("Cannot open the file with nginx fresh metadata, File: " + output_path);
+            }
+
+            string line;
+            while (getline(input_stream, line)) {
+                if (line.find("NGX_MODULE_SIGNATURE") == 0) {
+                    lines.push_back(line);
+                }
+            }
+            input_stream.close();
+
+            orchestration_tools->removeFile(output_path);
+        } catch (const ifstream::failure &exception) {
+            dbgWarning(D_ORCHESTRATOR)
+                << "Cannot read the file with required nginx fresh metadata."
+                << " File: " << output_path
+                << " Error: " << exception.what();
+        }
+    }
+
     if (lines.size() == 0) return genError("Failed to read nginx metadata file");
+    string nginx_signature;
     string nginx_version;
     string config_opt;
     string cc_opt;
@@ -292,6 +349,11 @@ DetailsResolver::Impl::parseNginxMetadata()
             nginx_version = "nginx-" + line.substr(eq_index + 1);
             continue;
         }
+        if (line.find("NGX_MODULE_SIGNATURE") != string::npos) {
+            auto eq_index = line.find("=");
+            nginx_signature = line.substr(eq_index + 1);
+            continue;
+        }
         if (line.find("EXTRA_CC_OPT") != string::npos) {
             auto eq_index = line.find("=");
             cc_opt = line.substr(eq_index + 1);
@@ -301,7 +363,7 @@ DetailsResolver::Impl::parseNginxMetadata()
         if (line.back() == '\\') line.pop_back();
         config_opt += line;
     }
-    return make_tuple(config_opt, cc_opt, nginx_version);
+    return make_tuple(config_opt, cc_opt, nginx_version, nginx_signature);
 }
 
 Maybe<tuple<string, string, string, string, string>>
@@ -350,7 +412,7 @@ DetailsResolver::Impl::readCloudMetadata()
     }
 
     if (!cloud_metadata.ok()) {
-        dbgWarning(D_ORCHESTRATOR) << cloud_metadata.getErr();
+        dbgDebug(D_ORCHESTRATOR) << cloud_metadata.getErr();
         return genError("Failed to fetch cloud metadata");
     }
 

components/security_apps/orchestration/details_resolver/details_resolver_handlers/checkpoint_product_handlers.h

@@ -18,15 +18,15 @@
 #include <regex>
 #include <boost/regex.hpp>
 #include <boost/algorithm/string.hpp>
+#include <cereal/external/rapidjson/document.h>
+#include <cereal/external/rapidjson/filereadstream.h>
 
 #if defined(gaia)
 
 Maybe<string>
 checkSAMLSupportedBlade(const string &command_output)
 {
-    // uncomment when vpn will support SAML authentication
-    // string supportedBlades[3] = {"identityServer", "vpn", "cvpn"};
-    string supportedBlades[1] = {"identityServer"};
+    string supportedBlades[3] = {"identityServer", "vpn", "cvpn"};
     for(const string &blade : supportedBlades) {
         if (command_output.find(blade) != string::npos) {
             return string("true");
@@ -47,6 +47,17 @@ checkIDABlade(const string &command_output)
     return string("false");
 }
 
+Maybe<string>
+checkVPNBlade(const string &command_output)
+{
+    string vpnBlade = "vpn";
+    if (command_output.find(vpnBlade) != string::npos) {
+        return string("true");
+    }
+
+    return string("false");
+}
+
 Maybe<string>
 checkSAMLPortal(const string &command_output)
 {
@@ -58,9 +69,9 @@ checkSAMLPortal(const string &command_output)
 }
 
 Maybe<string>
-checkPepIdaIdnStatus(const string &command_output)
+checkInfinityIdentityEnabled(const string &command_output)
 {
-    if (command_output.find("nac_pep_identity_next_enabled = 1") != string::npos) {
+    if (command_output.find("get_identities_from_infinity_identity (true)") != string::npos) {
         return string("true");
     }
     return string("false");
@@ -69,7 +80,18 @@ checkPepIdaIdnStatus(const string &command_output)
 Maybe<string>
 getRequiredNanoServices(const string &command_output)
 {
-    return command_output;
+    string idaRequiredServices[2] = {"idaSaml", "idaIdn"};
+    string platform_str = "gaia";
+#if defined(gaia_arm)
+    platform_str = "gaia_arm";
+#endif // gaia_arm
+    string result = "";
+    for(const string &serv : idaRequiredServices) {
+        string add_service = serv + "_" + platform_str;
+        result = result + add_service + ";";
+    }
+    command_output.empty(); // overcome unused variable
+    return result;
 }
 
 Maybe<string>
@@ -77,9 +99,6 @@ checkIDP(shared_ptr<istream> file_stream)
 {
     string line;
     while (getline(*file_stream, line)) {
-        if (line.find("<identity_portal/>") != string::npos) {
-            return string("false");
-        }
         if (line.find("<central_idp ") != string::npos) {
             return string("true");
         }
@@ -88,6 +107,26 @@ checkIDP(shared_ptr<istream> file_stream)
     return string("false");
 }
 
+Maybe<string>
+checkVPNCIDP(shared_ptr<istream> file_stream)
+{
+    string line;
+    while (getline(*file_stream, line)) {
+        if (line.find("<vpn") != string::npos) {
+            while (getline(*file_stream, line)) {
+                if (line.find("<central_idp ") != string::npos) {
+                    return string("true");
+                }
+                if (line.find("</vpn>") != string::npos) {
+                    break;
+                }
+            }
+        }
+    }
+
+    return string("false");
+}
+
 #endif // gaia
 
 #if defined(gaia) || defined(smb)
@@ -100,6 +139,14 @@ checkIsInstallHorizonTelemetrySucceeded(const string &command_output)
     return command_output;
 }
 
+Maybe<string>
+getOtlpAgentGaiaOsRole(const string &command_output)
+{
+    if (command_output == "" ) return string("-1");
+
+    return command_output;
+}
+
 Maybe<string>
 getQUID(const string &command_output)
 {
@@ -111,6 +158,24 @@ getQUID(const string &command_output)
     return command_output;
 }
 
+Maybe<string>
+getIsAiopsRunning(const string &command_output)
+{
+    if (command_output == "" ) return string("false");
+    
+    return command_output;
+}
+
+Maybe<string>
+getInterfaceMgmtIp(const string &command_output)
+{
+    if (!command_output.empty()) {
+        return command_output;
+    }
+
+    return genError("Eth Management IP was not found");
+}
+
 
 Maybe<string>
 checkHasSDWan(const string &command_output)
@@ -186,6 +251,24 @@ getMgmtObjAttr(shared_ptr<istream> file_stream, const string &attr)
     return genError("Object attribute was not found. Attr: " + attr);
 }
 
+Maybe<string>
+getAttrFromCpsdwanGetDataJson(const string &attr)
+{
+    static const std::string get_data_json_path = "/tmp/cpsdwan_getdata_orch.json";
+    std::ifstream ifs(get_data_json_path);
+    if (ifs.is_open()) {
+        rapidjson::IStreamWrapper isw(ifs);
+        rapidjson::Document document;
+        document.ParseStream(isw);
+
+        if (!document.HasParseError() && document.HasMember(attr.c_str()) && document[attr.c_str()].IsString()) {
+            return string(document[attr.c_str()].GetString());
+        }
+    }
+
+    return genError("Attribute " + attr + " was not found in " + get_data_json_path);
+}
+
 Maybe<string>
 getMgmtObjUid(const string &command_output)
 {
@@ -193,6 +276,11 @@ getMgmtObjUid(const string &command_output)
         return command_output;
     }
 
+    Maybe<string> obj_uuid = getAttrFromCpsdwanGetDataJson("uuid");
+    if (obj_uuid.ok()) {
+        return obj_uuid.unpack();
+    }
+
     static const string obj_path = (getenv("FWDIR") ? string(getenv("FWDIR")) : "") + "/database/myown.C";
     auto file_stream = std::make_shared<std::ifstream>(obj_path);
     if (!file_stream->is_open()) {
@@ -302,6 +390,28 @@ getSMCBasedMgmtName(const string &command_output)
     return getAttr(command_output, "Mgmt object Name was not found");
 }
 
+Maybe<string>
+getSmbObjectUid(const string &command_output)
+{
+    static const char centrally_managed_comd_output = '0';
+
+    if (command_output.empty() || command_output[0] != centrally_managed_comd_output) {
+        return genError("Object UUID was not found");
+    }
+
+    Maybe<string> obj_uuid = getAttrFromCpsdwanGetDataJson("uuid");
+    if (obj_uuid.ok()) {
+        return obj_uuid.unpack();
+    }
+
+    static const string obj_path = (getenv("FWDIR") ? string(getenv("FWDIR")) : "") + "/database/myown.C";
+    auto file_stream = std::make_shared<std::ifstream>(obj_path);
+    if (!file_stream->is_open()) {
+        return genError("Failed to open the object file");
+    }
+    return getMgmtObjAttr(file_stream, "uuid ");
+}
+
 Maybe<string>
 getSmbObjectName(const string &command_output)
 {
@@ -310,7 +420,12 @@ getSmbObjectName(const string &command_output)
     if (command_output.empty() || command_output[0] != centrally_managed_comd_output) {
         return genError("Object name was not found");
     }
-    
+
+    Maybe<string> obj_name = getAttrFromCpsdwanGetDataJson("name");
+    if (obj_name.ok()) {
+        return obj_name.unpack();
+    }
+
     static const string obj_path = (getenv("FWDIR") ? string(getenv("FWDIR")) : "") + "/database/myown.C";
     auto ifs = std::make_shared<std::ifstream>(obj_path);
     if (!ifs->is_open()) {
@@ -373,6 +488,14 @@ extractManagements(const string &command_output)
     json_output += "]";
     return json_output;
 }
+
+Maybe<string>
+checkQosLegacyBlade(const string &command_output)
+{
+    if (command_output == "true" || command_output == "false") return command_output;
+
+    return string("false");
+}
 #endif // gaia || smb
 
 #if defined(gaia)

components/security_apps/orchestration/details_resolver/details_resolver_handlers/details_resolver_impl.h

@@ -29,7 +29,7 @@
 // shell command execution output as its input
 
 #ifdef SHELL_PRE_CMD
-#if defined(gaia) || defined(smb)
+#if defined(gaia) || defined(smb) || defined(smb_thx_v3) || defined(smb_sve_v2) || defined(smb_mrv_v1)
 SHELL_PRE_CMD("read sdwan data",
     "(cpsdwan get_data > /tmp/cpsdwan_getdata_orch.json~) "
     "&& (mv /tmp/cpsdwan_getdata_orch.json~ /tmp/cpsdwan_getdata_orch.json)")
@@ -40,17 +40,20 @@ SHELL_PRE_CMD("gunzip local.cfg", "gunzip -c $FWDIR/state/local/FW1/local.cfg.gz
 #endif
 
 #ifdef SHELL_CMD_HANDLER
-#if defined(gaia) || defined(smb)
+#if defined(gaia) || defined(smb) || defined(smb_thx_v3) || defined(smb_sve_v2) || defined(smb_mrv_v1)
 SHELL_CMD_HANDLER("cpProductIntegrationMgmtObjectType", "cpprod_util CPPROD_IsMgmtMachine", getMgmtObjType)
-SHELL_CMD_HANDLER(
-    "cpProductIntegrationMgmtObjectUid",
-    "mgmt_cli --format json -r true show-session | jq -r '.[\"connected-server\"].uid'",
-    getMgmtObjUid
-)
 SHELL_CMD_HANDLER("prerequisitesForHorizonTelemetry",
     "FS_PATH=<FILESYSTEM-PREFIX>; [ -f ${FS_PATH}/cp-nano-horizon-telemetry-prerequisites.log ] "
     "&& head -1 ${FS_PATH}/cp-nano-horizon-telemetry-prerequisites.log || echo ''",
     checkIsInstallHorizonTelemetrySucceeded)
+SHELL_CMD_HANDLER(
+    "IS_AIOPS_RUNNING",
+    "FS_PATH=<FILESYSTEM-PREFIX>; "
+    "PID=$(ps auxf | grep -v grep | grep -E ${FS_PATH}.*cp-nano-horizon-telemetry | awk -F' ' '{printf $2}'); "
+    "[ -z \"${PID}\" ] && echo 'false' || echo 'true'",
+    getIsAiopsRunning)
+#endif
+#if defined(gaia)
 SHELL_CMD_HANDLER("GLOBAL_QUID", "[ -d /opt/CPquid ] "
     "&& python3 /opt/CPquid/Quid_Api.py -i /opt/CPotelcol/quid_api/get_global_id.json | jq -r .message || echo ''",
     getQUID)
@@ -66,8 +69,41 @@ SHELL_CMD_HANDLER("QUID", "FS_PATH=<FILESYSTEM-PREFIX>;"
     "/opt/CPotelcol/quid_api/get_vs_quid.json.${VS_ID} | jq -r .message[0].QUID || echo '');",
     getQUID)
 SHELL_CMD_HANDLER("SMO_QUID", "[ -d /opt/CPquid ] "
-    "&& python3 /opt/CPquid/Quid_Api.py -i /opt/CPotelcol/quid_api/get_smo_quid.json | jq -r .message || echo ''",
+    "&& python3 /opt/CPquid/Quid_Api.py -i "
+    "/opt/CPotelcol/quid_api/get_smo_quid.json | jq -r .message[0].SMO_QUID || echo ''",
     getQUID)
+SHELL_CMD_HANDLER("MGMT_QUID", "[ -d /opt/CPquid ] "
+    "&& python3 /opt/CPquid/Quid_Api.py -i "
+    "/opt/CPotelcol/quid_api/get_mgmt_quid.json | jq -r .message[0].MGMT_QUID || echo ''",
+    getQUID)
+SHELL_CMD_HANDLER("AIOPS_AGENT_ROLE", "[ -d /opt/CPOtlpAgent/custom_scripts ] "
+    "&& ENV_NO_FORMAT=1 /opt/CPOtlpAgent/custom_scripts/agent_role.sh",
+    getOtlpAgentGaiaOsRole)
+SHELL_CMD_HANDLER("ETH_MGMT_IP",
+    "FS_PATH=<FILESYSTEM-PREFIX>;"
+    "VS_ID=$(echo \"${FS_PATH}\" | grep -o -E \"vs[0-9]+\" | grep -o -E \"[0-9]+\");"
+    "[ -z \"${VS_ID}\" ] && "
+    "(eth=\"$(grep 'management:interface' /config/active | awk '{print $2}')\" &&"
+    " ip addr show \"${eth}\" | grep inet | awk '{print $2}' | cut -d '/' -f1) || "
+    "(ip a | grep UP | grep -v lo | head -n 1 | cut -d ':' -f2 | tr -d ' ')",
+    getInterfaceMgmtIp)
+#endif
+#if defined(smb) || defined(smb_thx_v3) || defined(smb_sve_v2) || defined(smb_mrv_v1)
+SHELL_CMD_HANDLER("GLOBAL_QUID",
+    "cat $FWDIR/database/myown.C "
+    "| awk -F'[()]' '/:name/ { found=1; next } found && /:uuid/ { uid=tolower($2); print uid; exit }'",
+    getQUID)
+SHELL_CMD_HANDLER("QUID",
+    "cat $FWDIR/database/myown.C "
+    "| awk -F'[()]' '/:name/ { found=1; next } found && /:uuid/ { uid=tolower($2); print uid; exit }'",
+    getQUID)
+
+
+SHELL_CMD_HANDLER("SMO_QUID", "echo ''", getQUID)
+SHELL_CMD_HANDLER("MGMT_QUID", "echo ''", getQUID)
+SHELL_CMD_HANDLER("AIOPS_AGENT_ROLE", "echo 'SMB'", getOtlpAgentGaiaOsRole)
+#endif
+#if defined(gaia) || defined(smb) || defined(smb_thx_v3) || defined(smb_sve_v2) || defined(smb_mrv_v1)
 SHELL_CMD_HANDLER("hasSDWan", "[ -f $FWDIR/bin/sdwan_steering ] && echo '1' || echo '0'", checkHasSDWan)
 SHELL_CMD_HANDLER(
     "canUpdateSDWanData",
@@ -88,12 +124,6 @@ SHELL_CMD_HANDLER(
     "jq -r .lsm_profile_uuid /tmp/cpsdwan_getdata_orch.json",
     checkLsmProfileUuid
 )
-SHELL_CMD_HANDLER(
-    "IP Address",
-    "[ $(cpprod_util FWisDAG) -eq 1 ] && echo \"Dynamic Address\" "
-    "|| (jq -r .main_ip /tmp/cpsdwan_getdata_orch.json)",
-    getGWIPAddress
-)
 SHELL_CMD_HANDLER(
     "Version",
     "cat /etc/cp-release | grep -oE 'R[0-9]+(\\.[0-9]+)?'",
@@ -112,19 +142,33 @@ SHELL_CMD_HANDLER(
     "fw ctl get int support_fec |& grep -sq \"support_fec =\";echo $?",
     getFecApplicable
 )
+SHELL_CMD_HANDLER("is_legacy_qos_blade_enabled",
+    "cpprod_util CPPROD_GetValue FG1 ProdActive 1 | grep -q '^1$' "
+    "&& (cpprod_util CPPROD_GetValue FG1 FgSDWAN 1 | grep -q '^1$' && echo false || echo true) || "
+    "echo false",
+    checkQosLegacyBlade)
 #endif //gaia || smb
 
 #if defined(gaia)
 SHELL_CMD_HANDLER("hasSAMLSupportedBlade", "enabled_blades", checkSAMLSupportedBlade)
 SHELL_CMD_HANDLER("hasIDABlade", "enabled_blades", checkIDABlade)
+SHELL_CMD_HANDLER("hasVPNBlade", "enabled_blades", checkVPNBlade)
 SHELL_CMD_HANDLER("hasSAMLPortal", "mpclient status nac", checkSAMLPortal)
-SHELL_CMD_HANDLER("hasIdaIdnEnabled", "fw ctl get int nac_pep_identity_next_enabled", checkPepIdaIdnStatus)
-SHELL_CMD_HANDLER("requiredNanoServices", "echo 'idaSaml_gaia;idaIdn_gaia;'", getRequiredNanoServices)
+SHELL_CMD_HANDLER("hasInfinityIdentityEnabled",
+    "cat $FWDIR/database/myself_objects.C | grep get_identities_from_infinity_identity",
+    checkInfinityIdentityEnabled
+)
+SHELL_CMD_HANDLER("requiredNanoServices", "echo ida", getRequiredNanoServices)
 SHELL_CMD_HANDLER(
     "cpProductIntegrationMgmtObjectName",
     "mgmt_cli --format json -r true show-session | jq -r '.[\"connected-server\"].name'",
     getMgmtObjName
 )
+SHELL_CMD_HANDLER(
+    "cpProductIntegrationMgmtObjectUid",
+    "mgmt_cli --format json -r true show-session | jq -r '.[\"connected-server\"].uid'",
+    getMgmtObjUid
+)
 SHELL_CMD_HANDLER(
     "cpProductIntegrationMgmtParentObjectName",
     "cat $FWDIR/database/myself_objects.C "
@@ -175,13 +219,20 @@ SHELL_CMD_HANDLER(
 )
 SHELL_CMD_HANDLER(
     "managements",
-    "sed -n '/:masters (/,$p' $FWDIR/database/myself_objects.C |"
-    " sed -e ':a' -e 'N' -e '$!ba' -e 's/\\n//g' -e 's/\t//g' -e 's/ //g' | sed 's/))):.*/)))):/'",
+    "echo 1",
     extractManagements
 )
+SHELL_CMD_HANDLER(
+    "IP Address",
+    "( [ $(cpprod_util FwIsHighAvail) -eq 1 ] && [ $(cpprod_util FwIsVSX) -eq 1 ]"
+    "&& (jq -r .cluster_main_ip /tmp/cpsdwan_getdata_orch.json) )"
+    "|| ( [ $(cpprod_util FWisDAG) -eq 1 ] && echo \"Dynamic Address\" )"
+    "|| (jq -r .main_ip /tmp/cpsdwan_getdata_orch.json)",
+    getGWIPAddress
+)
 #endif //gaia
 
-#if defined(smb)
+#if defined(smb) || defined(smb_thx_v3) || defined(smb_sve_v2) || defined(smb_mrv_v1)
 SHELL_CMD_HANDLER(
     "cpProductIntegrationMgmtParentObjectName",
     "jq -r .cluster_name /tmp/cpsdwan_getdata_orch.json",
@@ -197,6 +248,11 @@ SHELL_CMD_HANDLER(
     "cpprod_util FwIsLocalMgmt",
     getSmbObjectName
 )
+SHELL_CMD_HANDLER(
+    "cpProductIntegrationMgmtObjectUid",
+    "cpprod_util FwIsLocalMgmt",
+    getSmbObjectUid
+)
 SHELL_CMD_HANDLER(
     "Application Control",
     "cat $FWDIR/conf/active_blades.txt | grep -o 'APCL [01]' | cut -d ' ' -f2",
@@ -232,15 +288,24 @@ SHELL_CMD_HANDLER(
 
 SHELL_CMD_HANDLER(
     "managements",
-    "sed -n '/:masters (/,$p' /tmp/local.cfg |"
-    " sed -e ':a' -e 'N' -e '$!ba' -e 's/\\n//g' -e 's/\t//g' -e 's/ //g' | sed 's/))):.*/)))):/'",
+    "echo 1",
     extractManagements
 )
+SHELL_CMD_HANDLER(
+    "IP Address",
+    "[ $(cpprod_util FWisDAG) -eq 1 ] && echo \"Dynamic Address\" "
+    "|| (jq -r .main_ip /tmp/cpsdwan_getdata_orch.json)",
+    getGWIPAddress
+)
+SHELL_CMD_HANDLER(
+    "Hardware",
+    R"(ver | sed -E 's/^This is Check Point'\''s +([^ ]+).*$/\1/')",
+    getHardware
+)
 #endif//smb
 
 SHELL_CMD_OUTPUT("kernel_version", "uname -r")
 SHELL_CMD_OUTPUT("helloWorld", "cat /tmp/agentHelloWorld 2>/dev/null")
-SHELL_CMD_OUTPUT("report_timestamp", "date -u +\%s")
 #endif // SHELL_CMD_OUTPUT
 
 
@@ -254,6 +319,11 @@ FILE_CONTENT_HANDLER(
     (getenv("SAMLPORTAL_HOME") ? string(getenv("SAMLPORTAL_HOME")) : "") + "/phpincs/spPortal/idpPolicy.xml",
     checkIDP
 )
+FILE_CONTENT_HANDLER(
+    "hasVPNCidpConfigured",
+    (getenv("SAMLPORTAL_HOME") ? string(getenv("SAMLPORTAL_HOME")) : "") + "/phpincs/spPortal/idpPolicy.xml",
+    checkVPNCIDP
+)
 #endif //gaia
 
 #if defined(alpine)
@@ -270,7 +340,7 @@ FILE_CONTENT_HANDLER("AppSecModelVersion", "<FILESYSTEM-PREFIX>/conf/waap/waap.d
 #endif // FILE_CONTENT_HANDLER
 
 #ifdef SHELL_POST_CMD
-#if defined(smb)
+#if defined(smb) || defined(smb_thx_v3) || defined(smb_sve_v2) || defined(smb_mrv_v1)
 SHELL_POST_CMD("remove local.cfg", "rm -rf /tmp/local.cfg")
 #endif  //smb
 #endif

components/security_apps/orchestration/downloader/https_client.cc

@@ -41,8 +41,13 @@ HTTPSClient::getFile(const URLParser &url, const string &out_file, bool auth_req
 
     if (!url.isOverSSL()) return genError("URL is not over SSL.");
 
-    if (getFileSSLDirect(url, out_file, token).ok()) return Maybe<void>();
-    dbgWarning(D_ORCHESTRATOR) << "Failed to get file over SSL directly. Trying indirectly.";
+    bool skip_direct_download = (url.getQuery().find("/resources/") != string::npos);
+    if (skip_direct_download) {
+        dbgWarning(D_ORCHESTRATOR) << "Resources path: " << url.getQuery() << ". Skipping direct download.";
+    } else {
+        if (getFileSSLDirect(url, out_file, token).ok()) return Maybe<void>();
+        dbgWarning(D_ORCHESTRATOR) << "Failed to get file over SSL directly. Trying indirectly.";
+    }
 
     if (getFileSSL(url, out_file, token).ok()) return Maybe<void>();
     dbgWarning(D_ORCHESTRATOR) << "Failed to get file over SSL. Trying via CURL (SSL).";

components/security_apps/orchestration/health_check_manager/health_check_manager.cc

@@ -266,10 +266,10 @@ private:
             case OrchestrationStatusFieldType::COUNT : return "Count";
         }
 
-        dbgAssert(false)
+        dbgAssertOpt(false)
             << AlertInfo(AlertTeam::CORE, "orchestration health")
             << "Trying to convert unknown orchestration status field to string.";
-        return "";
+        return "Unknown Field";
     }
 
     HealthCheckStatus
@@ -282,7 +282,7 @@ private:
             case UpdatesProcessResult::DEGRADED : return HealthCheckStatus::DEGRADED;
         }
 
-        dbgAssert(false)
+        dbgAssertOpt(false)
             << AlertInfo(AlertTeam::CORE, "orchestration health")
             << "Trying to convert unknown update process result field to health check status.";
         return HealthCheckStatus::IGNORED;

components/security_apps/orchestration/hybrid_mode_telemetry.cc

@@ -34,7 +34,9 @@ HybridModeMetric::upon(const HybridModeMetricEvent &)
 {
     auto shell_cmd = Singleton::Consume<I_ShellCmd>::by<OrchestrationComp>();
     auto maybe_cmd_output = shell_cmd->getExecOutput(
-        getFilesystemPathConfig() + "/watchdog/cp-nano-watchdog --restart_count"
+        getFilesystemPathConfig() + "/watchdog/cp-nano-watchdog --restart_count",
+        1000,
+        false
     );
 
     // get wd process restart count

components/security_apps/orchestration/include/declarative_policy_utils.h

@@ -79,8 +79,8 @@ public:
     ) override;
     std::string getUpdate(CheckUpdateRequest &request) override;
     bool shouldApplyPolicy() override;
-    void turnOffApplyPolicyFlag() override;
-    void turnOnApplyPolicyFlag() override;
+    void turnOffApplyLocalPolicyFlag() override;
+    void turnOnApplyLocalPolicyFlag() override;
 
     std::string getCurrPolicy() override { return curr_policy; }
 
@@ -94,7 +94,7 @@ private:
     std::string curr_version;
     std::string curr_policy;
     std::string curr_checksum;
-    bool should_apply_policy;
+    bool should_apply_local_policy;
 };
 
 #endif // __DECLARATIVE_POLICY_UTILS_H__

components/security_apps/orchestration/include/i_declarative_policy.h

@@ -22,8 +22,8 @@ public:
 
     virtual std::string getCurrPolicy() = 0;
 
-    virtual void turnOffApplyPolicyFlag() = 0;
-    virtual void turnOnApplyPolicyFlag() = 0;
+    virtual void turnOffApplyLocalPolicyFlag() = 0;
+    virtual void turnOnApplyLocalPolicyFlag() = 0;
 
 protected:
     virtual ~I_DeclarativePolicy() {}

components/security_apps/orchestration/include/mock/mock_details_resolver.h

@@ -21,7 +21,7 @@
 #include "maybe_res.h"
 
 std::ostream &
-operator<<(std::ostream &os, const Maybe<std::tuple<std::string, std::string, std::string>> &)
+operator<<(std::ostream &os, const Maybe<std::tuple<std::string, std::string, std::string, std::string>> &)
 {
     return os;
 }
@@ -42,13 +42,14 @@ public:
     MOCK_METHOD0(getPlatform,                Maybe<std::string>());
     MOCK_METHOD0(getArch,                    Maybe<std::string>());
     MOCK_METHOD0(getAgentVersion,            std::string());
-    MOCK_METHOD0(isCloudStorageEnabled,        bool());
+    MOCK_METHOD0(isCloudStorageEnabled,      bool());
     MOCK_METHOD0(isReverseProxy,             bool());
     MOCK_METHOD0(isKernelVersion3OrHigher,   bool());
+    MOCK_METHOD0(isGw,                       bool());
     MOCK_METHOD0(isGwNotVsx,                 bool());
     MOCK_METHOD0(getResolvedDetails,         std::map<std::string, std::string>());
-    MOCK_METHOD0(isVersionAboveR8110, bool());
-    MOCK_METHOD0(parseNginxMetadata, Maybe<std::tuple<std::string, std::string, std::string>>());
+    MOCK_METHOD0(isVersionAboveR8110,        bool());
+    MOCK_METHOD0(parseNginxMetadata,         Maybe<std::tuple<std::string, std::string, std::string, std::string>>());
     MOCK_METHOD0(
         readCloudMetadata, Maybe<std::tuple<std::string, std::string, std::string, std::string, std::string>>());
 };

components/security_apps/orchestration/manifest_controller/manifest_controller.cc

@@ -100,6 +100,7 @@ private:
     string packages_dir;
     string orch_service_name;
     set<string> ignore_packages;
+    Maybe<string> forbidden_versions = genError("Forbidden versions file does not exist");
 };
 
 void
@@ -135,7 +136,8 @@ ManifestController::Impl::init()
         "Ignore packages list file path"
     );
 
-    if (Singleton::Consume<I_OrchestrationTools>::by<ManifestController>()->doesFileExist(ignore_packages_path)) {
+    auto orchestration_tools = Singleton::Consume<I_OrchestrationTools>::by<ManifestController>();
+    if (orchestration_tools->doesFileExist(ignore_packages_path)) {
         try {
             ifstream input_stream(ignore_packages_path);
             if (!input_stream) {
@@ -156,6 +158,9 @@ ManifestController::Impl::init()
                 << " Error: " << f.what();
         }
     }
+
+    const string forbidden_versions_path = getFilesystemPathConfig() + "/revert/forbidden_versions";
+    forbidden_versions = orchestration_tools->readFile(forbidden_versions_path);
 }
 
 bool
@@ -271,6 +276,17 @@ ManifestController::Impl::updateManifest(const string &new_manifest_file)
     }
 
     map<string, Package> new_packages = parsed_manifest.unpack();
+    if (!new_packages.empty()) {
+        const Package &package = new_packages.begin()->second;
+        if (forbidden_versions.ok() &&
+            forbidden_versions.unpack().find(package.getVersion()) != string::npos
+        ) {
+            dbgWarning(D_ORCHESTRATOR)
+                << "Packages version is in the forbidden versions list. No upgrade will be performed.";
+            return true;
+        }
+    }
+
     map<string, Package> all_packages = parsed_manifest.unpack();
     map<string, Package> current_packages;
     parsed_manifest = orchestration_tools->loadPackagesFromJson(manifest_file_path);

components/security_apps/orchestration/manifest_controller/manifest_controller_ut/manifest_controller_ut.cc

@@ -58,6 +58,9 @@ public:
         Debug::setUnitTestFlag(D_ORCHESTRATOR, Debug::DebugLevel::TRACE);
         const string ignore_packages_file = "/etc/cp/conf/ignore-packages.txt";
         EXPECT_CALL(mock_orchestration_tools, doesFileExist(ignore_packages_file)).WillOnce(Return(false));
+        Maybe<string> forbidden_versions(string("a1\na2"));
+        EXPECT_CALL(mock_orchestration_tools, readFile("/etc/cp/revert/forbidden_versions"))
+            .WillOnce(Return(forbidden_versions));
         manifest_controller.init();
         manifest_file_path = getConfigurationWithDefault<string>(
             "/etc/cp/conf/manifest.json",
@@ -224,6 +227,10 @@ TEST_F(ManifestControllerTest, createNewManifest)
     EXPECT_CALL(mock_orchestration_tools, copyFile(file_name, manifest_file_path)).WillOnce(Return(true));
     EXPECT_CALL(mock_orchestration_tools, isNonEmptyFile(manifest_file_path)).WillOnce(Return(true));
     EXPECT_CALL(mock_orchestration_tools, removeFile(file_name)).WillOnce(Return(true));
+    EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
+    EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(false));
+    EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
+        .WillOnce(Return(true));
     EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
 }
 
@@ -363,6 +370,11 @@ TEST_F(ManifestControllerTest, updateManifest)
     EXPECT_CALL(mock_orchestration_tools, isNonEmptyFile(manifest_file_path)).Times(2).WillRepeatedly(Return(true));
     EXPECT_CALL(mock_orchestration_tools, removeFile(file_name)).Times(2).WillRepeatedly(Return(true));
 
+    EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
+    EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(false));
+    EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
+        .WillOnce(Return(true));
+
     EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
 
     manifest =
@@ -417,6 +429,9 @@ TEST_F(ManifestControllerTest, updateManifest)
     EXPECT_CALL(mock_orchestration_tools, loadPackagesFromJson(file_name)).WillOnce(Return(new_services));
     EXPECT_CALL(mock_orchestration_tools,
                 loadPackagesFromJson(manifest_file_path)).WillOnce(Return(old_services));
+
+    EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
+    EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillRepeatedly(Return(true));
     EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
 }
 
@@ -478,6 +493,11 @@ TEST_F(ManifestControllerTest, selfUpdate)
 
     EXPECT_CALL(mock_orchestration_tools, copyFile("/tmp/temp_file", path +
                                                     temp_ext)).WillOnce(Return(true));
+
+    EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
+    EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(false));
+    EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
+        .WillOnce(Return(true));
     EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
 }
 
@@ -607,6 +627,10 @@ TEST_F(ManifestControllerTest, removeCurrentErrorPackage)
     EXPECT_CALL(mock_orchestration_tools, isNonEmptyFile(manifest_file_path)).WillOnce(Return(true));
     EXPECT_CALL(mock_orchestration_tools, removeFile(file_name)).WillOnce(Return(true));
 
+    EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
+    EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(false));
+    EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
+        .WillOnce(Return(true));
     corrupted_packages.clear();
     EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
 }
@@ -666,6 +690,10 @@ TEST_F(ManifestControllerTest, selfUpdateWithOldCopy)
 
     EXPECT_CALL(mock_orchestration_tools, copyFile("/tmp/temp_file", path +
                                                     temp_ext)).WillOnce(Return(true));
+    EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
+    EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(false));
+    EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
+        .WillOnce(Return(true));
     EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
 }
 
@@ -722,6 +750,10 @@ TEST_F(ManifestControllerTest, selfUpdateWithOldCopyWithError)
     EXPECT_CALL(mock_orchestration_tools, doesFileExist(path)).WillOnce(Return(false)).WillOnce(Return(true));
     EXPECT_CALL(mock_orchestration_tools, copyFile(path, path + backup_ext + temp_ext)).WillOnce(Return(false));
     EXPECT_CALL(mock_details_resolver, getHostname()).WillOnce(Return(hostname));
+    EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
+    EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(false));
+    EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
+        .WillOnce(Return(true));
     EXPECT_FALSE(i_manifest_controller->updateManifest(file_name));
 }
 
@@ -798,6 +830,10 @@ TEST_F(ManifestControllerTest, installAndRemove)
     EXPECT_CALL(mock_orchestration_tools, isNonEmptyFile(manifest_file_path)).Times(2).WillRepeatedly(Return(true));
     EXPECT_CALL(mock_orchestration_tools, removeFile(file_name)).Times(2).WillRepeatedly(Return(true));
 
+    EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
+    EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(false));
+    EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
+        .WillOnce(Return(true));
     EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
 
     string new_manifest =
@@ -858,6 +894,63 @@ TEST_F(ManifestControllerTest, installAndRemove)
         .WillOnce(Return(true));
     EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/packages/my1/my1")).Times(2)
         .WillOnce(Return(false));
+    EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
+    EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillRepeatedly(Return(true));
+    EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
+}
+
+TEST_F(ManifestControllerTest, manifestWithForbiddenVersion)
+{
+    new_services.clear();
+    old_services.clear();
+
+    string manifest =
+        "{"
+        "   \"packages\": ["
+        "       {"
+        "           \"download-path\": \"http://172.23.92.135/my.sh\","
+        "           \"relative-path\": \"\","
+        "           \"name\": \"my\","
+        "           \"version\": \"a1\","
+        "           \"checksum-type\": \"sha1sum\","
+        "           \"checksum\": \"a58bbab8020b0e6d08568714b5e582a3adf9c805\","
+        "           \"package-type\": \"service\","
+        "           \"require\": []"
+        "       },"
+        "       {"
+        "           \"download-path\": \"http://172.23.92.135/my.sh\","
+        "           \"relative-path\": \"\","
+        "           \"name\": \"orchestration\","
+        "           \"version\": \"a1\","
+        "           \"checksum-type\": \"sha1sum\","
+        "           \"checksum\": \"a58bbab8020b0e6d08568714b5e582a3adf9c805\","
+        "           \"package-type\": \"service\","
+        "           \"require\": []"
+        "       },"
+        "       {"
+        "           \"download-path\": \"\","
+        "           \"relative-path\": \"\","
+        "           \"name\": \"waap\","
+        "           \"version\": \"a1\","
+        "           \"checksum-type\": \"sha1sum\","
+        "           \"checksum\": \"\","
+        "           \"package-type\": \"service\","
+        "           \"status\": false,\n"
+        "           \"message\": \"This security app isn't valid for this agent\"\n"
+        "       }"
+        "   ]"
+        "}";
+
+    map<string, Package> manifest_services;
+    load(manifest, manifest_services);
+    checkIfFileExistsCall(manifest_services.at("my"));
+
+
+    load(manifest, new_services);
+    load(old_manifest, old_services);
+
+    EXPECT_CALL(mock_orchestration_tools, loadPackagesFromJson(file_name)).WillOnce(Return(new_services));
+
     EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
 }
 
@@ -947,6 +1040,10 @@ TEST_F(ManifestControllerTest, badInstall)
     EXPECT_CALL(mock_orchestration_tools,
         packagesToJsonFile(corrupted_packages, corrupted_file_list)).WillOnce(Return(true));
 
+    EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
+    EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(false));
+    EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
+        .WillOnce(Return(true));
     EXPECT_FALSE(i_manifest_controller->updateManifest(file_name));
 }
 
@@ -1112,6 +1209,12 @@ TEST_F(ManifestControllerTest, requireUpdate)
         .WillOnce(Return(true));
     EXPECT_CALL(mock_orchestration_tools, isNonEmptyFile(manifest_file_path)).WillOnce(Return(true));
     EXPECT_CALL(mock_orchestration_tools, removeFile("new_manifest.json")).WillOnce(Return(true));
+    EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillRepeatedly(Return("b"));
+    EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status"))
+        .WillOnce(Return(false))
+        .WillRepeatedly(Return(true));;
+    EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
+        .WillOnce(Return(true));
     EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
 }
 
@@ -1212,6 +1315,10 @@ TEST_F(ManifestControllerTest, sharedObjectNotInstalled)
     ).WillOnce(Return(true));
     EXPECT_CALL(mock_orchestration_tools, copyFile("/tmp/temp_file1", path +
         temp_ext)).WillOnce(Return(true));
+    EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
+    EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(false));
+    EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
+        .WillOnce(Return(true));
     EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
 }
 
@@ -1313,6 +1420,12 @@ TEST_F(ManifestControllerTest, requireSharedObjectUpdate)
         .WillOnce(Return(true));
     EXPECT_CALL(mock_orchestration_tools, removeFile("new_manifest.json"))
         .WillOnce(Return(true));
+    EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillRepeatedly(Return("b"));
+    EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status"))
+        .WillOnce(Return(false))
+        .WillRepeatedly(Return(true));;
+    EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
+        .WillOnce(Return(true));
     EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
 }
 
@@ -1389,6 +1502,7 @@ TEST_F(ManifestControllerTest, failureOnDownloadSharedObject)
     EXPECT_CALL(mock_details_resolver, getHostname()).WillOnce(Return(string("hostname")));
     EXPECT_CALL(mock_orchestration_tools, removeFile("/tmp/temp_file1")).WillOnce(Return(true));
 
+    EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillRepeatedly(Return("b"));
     EXPECT_FALSE(i_manifest_controller->updateManifest(file_name));
 }
 
@@ -1524,6 +1638,12 @@ TEST_F(ManifestControllerTest, multiRequireUpdate)
         .WillOnce(Return(true));
     EXPECT_CALL(mock_orchestration_tools, removeFile("new_manifest.json"))
         .WillOnce(Return(true));
+    EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillRepeatedly(Return("b"));
+    EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status"))
+        .WillOnce(Return(false))
+        .WillRepeatedly(Return(true));;
+    EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
+        .WillOnce(Return(true));
     EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
 }
 
@@ -1610,6 +1730,12 @@ TEST_F(ManifestControllerTest, createNewManifestWithUninstallablePackage)
     EXPECT_CALL(mock_orchestration_tools, isNonEmptyFile(manifest_file_path)).WillOnce(Return(true));
     EXPECT_CALL(mock_orchestration_tools, removeFile(file_name)).WillOnce(Return(true));
 
+    EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillRepeatedly(Return("b"));
+    EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status"))
+        .WillOnce(Return(false))
+        .WillRepeatedly(Return(true));;
+    EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
+        .WillOnce(Return(true));
     EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
 }
 
@@ -1624,7 +1750,7 @@ TEST_F(ManifestControllerTest, updateUninstallPackage)
         "           \"download-path\": \"\","
         "           \"relative-path\": \"\","
         "           \"name\": \"my\","
-        "           \"version\": \"\","
+        "           \"version\": \"c\","
         "           \"checksum-type\": \"sha1sum\","
         "           \"checksum\": \"\","
         "           \"package-type\": \"service\","
@@ -1721,6 +1847,11 @@ TEST_F(ManifestControllerTest, updateUninstallPackage)
     EXPECT_CALL(mock_orchestration_tools, loadPackagesFromJson(file_name)).WillOnce(Return(new_services));
     EXPECT_CALL(mock_orchestration_tools,
                 loadPackagesFromJson(manifest_file_path)).WillOnce(Return(old_services));
+
+    EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
+    EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(false));
+    EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
+        .WillOnce(Return(true));
     EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
 }
 
@@ -1744,6 +1875,9 @@ public:
         setConfiguration<string>(ignore_packages_file, "orchestration", "Ignore packages list file path");
         writeIgnoreList(ignore_packages_file, ignore_services);
         EXPECT_CALL(mock_orchestration_tools, doesFileExist(ignore_packages_file)).WillOnce(Return(true));
+        Maybe<string> forbidden_versions(string("a1\na2"));
+        EXPECT_CALL(mock_orchestration_tools, readFile("/etc/cp/revert/forbidden_versions"))
+            .WillOnce(Return(forbidden_versions));
         manifest_controller.init();
         manifest_file_path = getConfigurationWithDefault<string>(
             "/etc/cp/conf/manifest.json",
@@ -1839,6 +1973,7 @@ public:
     StrictMock<MockOrchestrationStatus> mock_status;
     StrictMock<MockDownloader> mock_downloader;
     StrictMock<MockOrchestrationTools> mock_orchestration_tools;
+    StrictMock<MockDetailsResolver> mock_details_resolver;
     NiceMock<MockShellCmd> mock_shell_cmd;
 
     ManifestController manifest_controller;
@@ -2122,6 +2257,12 @@ TEST_F(ManifestControllerIgnorePakckgeTest, addIgnorePackageAndUpdateNormal)
     EXPECT_CALL(mock_orchestration_tools, isNonEmptyFile(manifest_file_path)).WillOnce(Return(true));
     EXPECT_CALL(mock_orchestration_tools, removeFile(file_name)).WillOnce(Return(true));
 
+    EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillRepeatedly(Return("b"));
+    EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status"))
+        .WillOnce(Return(false))
+        .WillRepeatedly(Return(true));;
+    EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
+        .WillOnce(Return(true));
     EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
 }
 
@@ -2387,6 +2528,12 @@ TEST_F(ManifestControllerIgnorePakckgeTest, overrideIgnoredPackageFromProfileSet
     EXPECT_CALL(mock_orchestration_tools, isNonEmptyFile(manifest_file_path)).WillOnce(Return(true));
     EXPECT_CALL(mock_orchestration_tools, removeFile(file_name)).WillOnce(Return(true));
 
+    EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillRepeatedly(Return("b"));
+    EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status"))
+        .WillOnce(Return(false))
+        .WillRepeatedly(Return(true));;
+    EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
+        .WillOnce(Return(true));
     EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
 
     EXPECT_THAT(capture_debug.str(), Not(HasSubstr("Ignoring a package from the manifest. Package name: my")));
@@ -2411,6 +2558,9 @@ public:
             doesFileExist("/etc/cp/conf/ignore-packages.txt")
         ).WillOnce(Return(false));
 
+        Maybe<string> forbidden_versions(string("a1\na2"));
+        EXPECT_CALL(mock_orchestration_tools, readFile("/etc/cp/revert/forbidden_versions"))
+            .WillOnce(Return(forbidden_versions));
         manifest_controller.init();
     }
 

components/security_apps/orchestration/manifest_controller/manifest_diff_calculator.cc

@@ -115,9 +115,9 @@ ManifestDiffCalculator::buildRecInstallationQueue(
     const map<string, Package> &current_packages,
     const map<string, Package> &new_packages)
 {
-    const vector<string> &requires = package.getRequire();
+    const vector<string> &requires_packages = package.getRequire();
 
-    for (const auto &require : requires) {
+    for (const auto &require : requires_packages) {
         auto installed_package = current_packages.find(require);
         auto new_package = new_packages.find(require);
 

components/security_apps/orchestration/manifest_controller/manifest_handler.cc

@@ -14,6 +14,7 @@
 #include "manifest_handler.h"
 
 #include <algorithm>
+#include <ctime>
 
 #include "debug.h"
 #include "config.h"
@@ -201,18 +202,29 @@ ManifestHandler::installPackage(
     auto span_scope = i_env->startNewSpanScope(Span::ContextType::CHILD_OF);
     auto orchestration_status = Singleton::Consume<I_OrchestrationStatus>::by<ManifestHandler>();
 
+    auto details_resolver = Singleton::Consume<I_DetailsResolver>::by<ManifestHandler>();
+    auto orchestration_tools = Singleton::Consume<I_OrchestrationTools>::by<ManifestHandler>();
+
     auto &package = package_downloaded_file.first;
     auto &package_name = package.getName();
     auto &package_handler_path = package_downloaded_file.second;
 
     dbgInfo(D_ORCHESTRATOR) << "Handling package installation. Package: " << package_name;
 
+    string upgrade_info =
+        details_resolver->getAgentVersion() + " " + package.getVersion() + " " + getCurrentTimestamp();
+    if (!orchestration_tools->doesFileExist(getFilesystemPathConfig() + "/revert/upgrade_status") &&
+        !orchestration_tools->writeFile(upgrade_info, getFilesystemPathConfig() + "/revert/upgrade_status")
+    ) {
+        dbgWarning(D_ORCHESTRATOR) << "Failed to write to " + getFilesystemPathConfig() + "/revert/upgrade_status";
+    }
+
     if (package_name.compare(orch_service_name) == 0) {
         orchestration_status->writeStatusToFile();
         bool self_update_status = selfUpdate(package, current_packages, package_handler_path);
         if (!self_update_status) {
             auto details = Singleton::Consume<I_AgentDetails>::by<ManifestHandler>();
-            auto hostname = Singleton::Consume<I_DetailsResolver>::by<ManifestHandler>()->getHostname();
+            auto hostname = details_resolver->getHostname();
             string err_hostname = (hostname.ok() ? "on host '" + *hostname : "'" + details->getAgentId()) + "'";
             string install_error =
                 "Warning: Agent/Gateway " +
@@ -246,7 +258,6 @@ ManifestHandler::installPackage(
         return true;
     }
     string current_installation_file = packages_dir + "/" + package_name + "/" + package_name;
-    auto orchestration_tools = Singleton::Consume<I_OrchestrationTools>::by<ManifestHandler>();
     bool is_clean_installation = !orchestration_tools->doesFileExist(current_installation_file);
 
 
@@ -368,3 +379,13 @@ ManifestHandler::selfUpdate(
         package_handler->preInstallPackage(orch_service_name, current_installation_file) &&
         package_handler->installPackage(orch_service_name, current_installation_file, false);
 }
+
+string
+ManifestHandler::getCurrentTimestamp()
+{
+    time_t now = time(nullptr);
+    tm* now_tm = localtime(&now);
+    char timestamp[20];
+    strftime(timestamp, sizeof(timestamp), "%Y-%m-%d %H:%M:%S", now_tm);
+    return string(timestamp);
+}

components/security_apps/orchestration/modules/orchestration_status.cc

@@ -429,7 +429,7 @@ public:
                 status.insertServiceSetting(service_name, path);
                 return;
             case OrchestrationStatusConfigType::MANIFEST:
-                dbgAssert(false)
+                dbgAssertOpt(false)
                     << AlertInfo(AlertTeam::CORE, "sesrvice configuration")
                     << "Manifest is not a service configuration file type";
                 break;
@@ -438,7 +438,9 @@ public:
             case OrchestrationStatusConfigType::COUNT:
                 break;
         }
-        dbgAssert(false) << AlertInfo(AlertTeam::CORE, "sesrvice configuration") << "Unknown configuration file type";
+        dbgAssertOpt(false)
+            << AlertInfo(AlertTeam::CORE, "service configuration")
+            << "Unknown configuration file type";
     }
 
     void

components/security_apps/orchestration/orchestration_comp.cc

@@ -55,6 +55,8 @@ USE_DEBUG_FLAG(D_ORCHESTRATOR);
 static string fw_last_update_time = "";
 #endif // gaia || smb
 
+static const size_t MAX_SERVER_NAME_LENGTH = 253;
+
 class SetAgentUninstall
         :
     public ServerRest,
@@ -103,6 +105,19 @@ public:
             << "Initializing Orchestration component, file system path prefix: "
             << filesystem_prefix;
 
+        int check_upgrade_success_interval = getSettingWithDefault<uint>(10, "successUpgradeInterval");
+        Singleton::Consume<I_MainLoop>::by<OrchestrationComp>()->addOneTimeRoutine(
+            I_MainLoop::RoutineType::Timer,
+            [this, check_upgrade_success_interval]()
+            {
+                Singleton::Consume<I_MainLoop>::by<OrchestrationComp>()->yield(
+                    std::chrono::minutes(check_upgrade_success_interval)
+                );
+                processUpgradeCompletion();
+            },
+            "Orchestration successfully updated (One-Time After Interval)",
+            true
+        );
         auto orch_policy = loadDefaultOrchestrationPolicy();
         if (!orch_policy.ok()) {
             dbgWarning(D_ORCHESTRATOR) << "Failed to load Orchestration Policy. Error: " << orch_policy.getErr();
@@ -141,6 +156,113 @@ public:
     }
 
 private:
+    void
+    saveLastKnownOrchInfo(string curr_agent_version)
+    {
+        static const string upgrades_dir = filesystem_prefix + "/revert";
+        static const string last_known_orchestrator = upgrades_dir + "/last_known_working_orchestrator";
+        static const string current_orchestration_package =
+            filesystem_prefix + "/packages/orchestration/orchestration";
+        static const string last_known_manifest = upgrades_dir + "/last_known_manifest";
+        static const string current_manifest_file = getConfigurationWithDefault<string>(
+            filesystem_prefix + "/conf/manifest.json",
+            "orchestration",
+            "Manifest file path"
+        );
+
+        if (!i_orchestration_tools->copyFile(current_orchestration_package, last_known_orchestrator)) {
+            dbgWarning(D_ORCHESTRATOR) << "Failed to copy the orchestration package to " << upgrades_dir;
+        } else {
+            dbgInfo(D_ORCHESTRATOR) << "last known orchestrator version updated to: " << curr_agent_version;
+        }
+
+        if (!i_orchestration_tools->copyFile(current_manifest_file, last_known_manifest)) {
+            dbgWarning(D_ORCHESTRATOR) << "Failed to copy " << current_manifest_file << " to " << upgrades_dir;
+        } else {
+            dbgInfo(D_ORCHESTRATOR) << "last known manifest updated";
+        }
+        return;
+    }
+
+    void
+    processUpgradeCompletion()
+    {
+        if (!is_first_check_update_success) {
+            int check_upgrade_success_interval = getSettingWithDefault<uint>(10, "successUpgradeInterval");
+            // LCOV_EXCL_START
+            Singleton::Consume<I_MainLoop>::by<OrchestrationComp>()->addOneTimeRoutine(
+                I_MainLoop::RoutineType::Timer,
+                [this, check_upgrade_success_interval]()
+                {
+                    Singleton::Consume<I_MainLoop>::by<OrchestrationComp>()->yield(
+                        std::chrono::minutes(check_upgrade_success_interval)
+                    );
+                    processUpgradeCompletion();
+                },
+                "Orchestration successfully updated",
+                true
+            );
+            // LCOV_EXCL_STOP
+            return;
+        }
+
+        static const string upgrades_dir = filesystem_prefix + "/revert";
+        static const string upgrade_status = upgrades_dir + "/upgrade_status";
+        static const string last_known_orchestrator = upgrades_dir + "/last_known_working_orchestrator";
+        static const string upgrade_failure_info_path = upgrades_dir + "/failed_upgrade_info";
+
+        I_DetailsResolver *i_details_resolver = Singleton::Consume<I_DetailsResolver>::by<OrchestrationComp>();
+
+        bool is_upgrade_status_exist = i_orchestration_tools->doesFileExist(upgrade_status);
+        bool is_last_known_orchestrator_exist = i_orchestration_tools->doesFileExist(last_known_orchestrator);
+
+        if (!is_upgrade_status_exist) {
+            if (!is_last_known_orchestrator_exist) {
+                saveLastKnownOrchInfo(i_details_resolver->getAgentVersion());
+            }
+            return;
+        }
+
+        auto maybe_upgrade_data = i_orchestration_tools->readFile(upgrade_status);
+        string upgrade_data, from_version, to_version;
+        if (maybe_upgrade_data.ok()) {
+            upgrade_data = maybe_upgrade_data.unpack();
+            istringstream stream(upgrade_data);
+            stream >> from_version >> to_version;
+        }
+        i_orchestration_tools->removeFile(upgrade_status);
+
+        if (i_orchestration_tools->doesFileExist(upgrade_failure_info_path)) {
+            string info = "Orchestration revert. ";
+            auto failure_info = i_orchestration_tools->readFile(upgrade_failure_info_path);
+            if (failure_info.ok()) info.append(failure_info.unpack());
+            LogGen(
+                info,
+                ReportIS::Level::ACTION,
+                ReportIS::Audience::INTERNAL,
+                ReportIS::Severity::CRITICAL,
+                ReportIS::Priority::URGENT,
+                ReportIS::Tags::ORCHESTRATOR
+            );
+            dbgError(D_ORCHESTRATOR) <<
+                "Error in orchestration version: " << to_version <<
+                ". Orchestration reverted to version: " << i_details_resolver->getAgentVersion();
+            i_orchestration_tools->removeFile(upgrade_failure_info_path);
+            return;
+        }
+
+        saveLastKnownOrchInfo(i_details_resolver->getAgentVersion());
+        i_orchestration_tools->writeFile(
+            upgrade_data + "\n",
+            getLogFilesPathConfig() + "/nano_agent/prev_upgrades",
+            true
+        );
+        dbgWarning(D_ORCHESTRATOR) <<
+            "Upgrade process from version: " << from_version <<
+            " to version: " << to_version <<
+            " completed successfully";
+    }
+
     Maybe<void>
     registerToTheFog()
     {
@@ -1022,6 +1144,7 @@ private:
             UpdatesProcessResult::SUCCESS,
             UpdatesConfigType::GENERAL
         ).notify();
+        if (!is_first_check_update_success) is_first_check_update_success = true;
         return Maybe<void>();
     }
 
@@ -1342,14 +1465,18 @@ private:
 
         auto nginx_data = i_details_resolver->parseNginxMetadata();
         if (nginx_data.ok()) {
+            string nginx_signature;
             string nginx_version;
             string config_opt;
             string cc_opt;
-            tie(config_opt, cc_opt, nginx_version) = nginx_data.unpack();
+            tie(config_opt, cc_opt, nginx_version, nginx_signature) = nginx_data.unpack();
             agent_data_report
-                << make_pair("nginxVersion",     nginx_version)
-                << make_pair("configureOpt",     config_opt)
-                << make_pair("extraCompilerOpt", cc_opt);
+                << make_pair("configureOptStatus", "Enabled")
+                << make_pair("moduleSignatureStatus", "Enabled")
+                << make_pair("nginxSignature",    nginx_signature)
+                << make_pair("nginxVersion",      nginx_version)
+                << make_pair("configureOpt",      config_opt)
+                << make_pair("extraCompilerOpt",  cc_opt);
         } else {
             dbgDebug(D_ORCHESTRATOR) << nginx_data.getErr();
         }
@@ -1370,6 +1497,10 @@ private:
             agent_data_report << AgentReportFieldWithLabel("isKernelVersion3OrHigher", "true");
         }
 
+        if (i_details_resolver->isGw()) {
+            agent_data_report << AgentReportFieldWithLabel("isGw", "true");
+        }
+
         if (i_details_resolver->isGwNotVsx()) {
             agent_data_report << AgentReportFieldWithLabel("isGwNotVsx", "true");
         }
@@ -1389,6 +1520,8 @@ private:
 
         agent_data_report << AgentReportFieldWithLabel("userEdition", FogCommunication::getUserEdition());
 
+        agent_data_report << make_pair("registeredServer", i_agent_details->getRegisteredServer());
+
 #if defined(gaia) || defined(smb)
         if (i_details_resolver->compareCheckpointVersion(8100, greater_equal<int>())) {
             agent_data_report << AgentReportFieldWithLabel("isCheckpointVersionGER81", "true");
@@ -1485,11 +1618,10 @@ private:
     }
 
     void
-    setUpgradeTime()
+    setDelayedUpgradeTime()
     {
         if (getConfigurationFlag("service_startup") != "true") return;
-        if (i_service_controller->getServiceToPortMap().empty()) return;
-
+        if (!i_agent_details->isOpenAppsecAgent() && i_service_controller->getServiceToPortMap().empty()) return;
         try {
             string upgrade_delay_interval_str = getAttribute("no-setting", "UPGRADE_DELAY_INTERVAL_MIN");
             int upgrade_delay_interval = upgrade_delay_interval_str != "" ? stoi(upgrade_delay_interval_str) : 30;
@@ -1506,6 +1638,7 @@ private:
     void
     run()
     {
+        loadExistingPolicy();
         sleep_interval = policy.getErrorSleepInterval();
         Maybe<void> registration_status(genError("Not running yet."));
         while (!(registration_status = registerToTheFog()).ok()) {
@@ -1530,7 +1663,6 @@ private:
                 << " seconds";
             Singleton::Consume<I_MainLoop>::by<OrchestrationComp>()->yield(seconds(sleep_interval));
         }
-        loadExistingPolicy();
         failure_count = 0;
 
         Singleton::Consume<I_MainLoop>::by<OrchestrationComp>()->yield(chrono::seconds(1));
@@ -1550,6 +1682,11 @@ private:
             << LogField("agentType", "Orchestration")
             << LogField("agentVersion", Version::get());
 
+        string registered_server = getAttribute("registered-server", "registered_server");
+        dbgTrace(D_ORCHESTRATOR) << "Registered server: " << registered_server;
+        if (!registered_server.empty()) {
+            i_agent_details->setRegisteredServer(registered_server.substr(0, MAX_SERVER_NAME_LENGTH));
+        }
         auto mainloop = Singleton::Consume<I_MainLoop>::by<OrchestrationComp>();
         mainloop->addOneTimeRoutine(
             I_MainLoop::RoutineType::Offline,
@@ -1587,7 +1724,8 @@ private:
             ).notify();
         }
 
-        setUpgradeTime();
+        setDelayedUpgradeTime();
+
         while (true) {
             Singleton::Consume<I_Environment>::by<OrchestrationComp>()->startNewTrace(false);
             if (shouldReportAgentDetailsMetadata()) {
@@ -1629,9 +1767,9 @@ private:
             }
         }
 
-        string server_name = getAttribute("registered-server", "registered_server");
+        string server_name = Singleton::Consume<I_AgentDetails>::by<OrchestrationComp>()->getRegisteredServer();
         auto server = TagAndEnumManagement::convertStringToTag(server_name);
-        if (server_name == "'SWAG'") server = Tags::WEB_SERVER_SWAG;
+        if (server_name == "'SWAG'" || server_name == "'SWAG Server'") server = Tags::WEB_SERVER_SWAG;
         if (server.ok()) tags.insert(*server);
 
         if (getAttribute("no-setting", "CROWDSEC_ENABLED") == "true") tags.insert(Tags::CROWDSEC);
@@ -1653,7 +1791,7 @@ private:
             tags
         );
 
-        if (server_name != "") registration_report.addToOrigin(LogField("eventCategory", server_name));
+        registration_report.addToOrigin(LogField("eventCategory", server_name));
 
         auto email = getAttribute("email-address", "user_email");
         if (email != "") registration_report << LogField("userDefinedId", email);
@@ -1696,13 +1834,19 @@ private:
         auto backup_installation_file = current_installation_file + backup_ext;
         auto temp_ext = getConfigurationWithDefault<string>("_temp", "orchestration", "Temp file extension");
 
-        dbgAssert(i_orchestration_tools->doesFileExist(backup_installation_file))
-            << AlertInfo(AlertTeam::CORE, "orchestration backup")
-            << "There is no backup installation package";
+        if (!i_orchestration_tools->doesFileExist(backup_installation_file)) {
+            dbgAssertOpt(false)
+                << AlertInfo(AlertTeam::CORE, "orchestration backup")
+                << "There is no backup installation package";
+            return;
+        }
 
-        dbgAssert(i_orchestration_tools->copyFile(backup_installation_file, current_installation_file))
-            << AlertInfo(AlertTeam::CORE, "orchestration backup")
-            << "Failed to copy backup installation package";
+        if (!i_orchestration_tools->copyFile(backup_installation_file, current_installation_file)) {
+            dbgAssertOpt(false)
+                << AlertInfo(AlertTeam::CORE, "orchestration backup")
+                << "Failed to copy backup installation package";
+            return;
+        }
 
         // Copy the backup manifest file to the default manifest file path.
         auto manifest_file_path = getConfigurationWithDefault<string>(
@@ -1717,12 +1861,18 @@ private:
 
         auto package_handler = Singleton::Consume<I_PackageHandler>::by<OrchestrationComp>();
         // Install the backup orchestration service installation package.
-        dbgAssert(package_handler->preInstallPackage(service_name, current_installation_file))
-            << AlertInfo(AlertTeam::CORE, "orchestration backup")
-            << "Failed to restore from backup, pre install test failed";
-        dbgAssert(package_handler->installPackage(service_name, current_installation_file, true))
-            << AlertInfo(AlertTeam::CORE, "orchestration backup")
-            << "Failed to restore from backup, installation failed";
+        if (!package_handler->preInstallPackage(service_name, current_installation_file)) {
+            dbgAssertOpt(false)
+                << AlertInfo(AlertTeam::CORE, "orchestration backup")
+                << "Failed to restore from backup, pre install test failed";
+            return;
+        }
+        if (!package_handler->installPackage(service_name, current_installation_file, true)) {
+            dbgAssertOpt(false)
+                << AlertInfo(AlertTeam::CORE, "orchestration backup")
+                << "Failed to restore from backup, installation failed";
+            return;
+        }
     }
     // LCOV_EXCL_STOP
 
@@ -2034,7 +2184,7 @@ private:
         }
         auto policy_mgmt_mode = getSettingWithDefault<string>("management", "profileManagedMode");
         if (getOrchestrationMode() == OrchestrationMode::HYBRID || policy_mgmt_mode == "declarative") {
-            Singleton::Consume<I_DeclarativePolicy>::from<DeclarativePolicyUtils>()->turnOnApplyPolicyFlag();
+            Singleton::Consume<I_DeclarativePolicy>::from<DeclarativePolicyUtils>()->turnOnApplyLocalPolicyFlag();
         }
 
         auto policy_version = i_service_controller->getPolicyVersion();
@@ -2053,10 +2203,10 @@ private:
     int failure_count = 0;
     unsigned int sleep_interval = 0;
     bool is_new_success = false;
+    bool is_first_check_update_success = false;
     OrchestrationPolicy policy;
     UpdatesProcessReporter updates_process_reporter_listener;
     HybridModeMetric hybrid_mode_metric;
-    EnvDetails env_details;
     chrono::minutes upgrade_delay_time;
 
     string filesystem_prefix = "";
@@ -2119,6 +2269,7 @@ OrchestrationComp::preload()
     registerExpectedSetting<vector<string>>("upgradeDay");
     registerExpectedSetting<string>("email-address");
     registerExpectedSetting<string>("registered-server");
+    registerExpectedSetting<uint>("successUpgradeInterval");
     registerExpectedConfigFile("orchestration", Config::ConfigFileType::Policy);
     registerExpectedConfigFile("registration-data", Config::ConfigFileType::Policy);
 }

components/security_apps/orchestration/orchestration_tools/orchestration_tools.cc

@@ -150,7 +150,8 @@ getNamespaceDataFromCluster()
     string auth_header = "Authorization: Bearer " + token;
     string connection_header = "Connection: close";
     string host = "https://kubernetes.default.svc:443/api/v1/namespaces/";
-    string culr_cmd = "curl -s -k -H \"" + auth_header + "\" -H \"" + connection_header + "\" " + host +
+    string culr_cmd =
+        "LD_LIBRARY_PATH=\"\" curl -s -k -H \"" + auth_header + "\" -H \"" + connection_header + "\" " + host +
         " | /etc/cp/bin/cpnano_json";
 
     auto output_res = Singleton::Consume<I_ShellCmd>::by<OrchestrationTools>()->getExecOutput(culr_cmd);
@@ -386,7 +387,7 @@ OrchestrationTools::Impl::calculateChecksum(Package::ChecksumTypes checksum_type
         return genError("Error while reading file " + path + ", " + e.what());
     }
 
-    dbgAssert(false)
+    dbgAssertOpt(false)
         << AlertInfo(AlertTeam::CORE, "service configuration")
         << "Checksum type is not supported. Checksum type: "
         << static_cast<unsigned int>(checksum_type);

components/security_apps/orchestration/orchestration_tools/orchestration_tools_ut/orchestration_tools_ut.cc

@@ -86,7 +86,7 @@ TEST_F(OrchestrationToolsTest, setClusterId)
     EXPECT_CALL(
         mock_shell_cmd,
         getExecOutput(
-            "curl -s -k -H \"Authorization: Bearer 123\" -H \"Connection: close\" "
+            "LD_LIBRARY_PATH=\"\" curl -s -k -H \"Authorization: Bearer 123\" -H \"Connection: close\" "
             "https://kubernetes.default.svc:443/api/v1/namespaces/ | /etc/cp/bin/cpnano_json",
             200,
             false

components/security_apps/orchestration/orchestration_ut/orchestration_multitenant_ut.cc

@@ -89,6 +89,11 @@ public:
 
         EXPECT_CALL(mock_service_controller, isServiceInstalled("Access Control")).WillRepeatedly(Return(false));
 
+        EXPECT_CALL(
+            mock_ml,
+            addOneTimeRoutine(_, _, "Orchestration successfully updated (One-Time After Interval)", true)
+        ).WillOnce(DoAll(SaveArg<1>(&upgrade_routine), Return(0)));
+
         // This Holding the Main Routine of the Orchestration.
         EXPECT_CALL(
             mock_ml,
@@ -135,11 +140,12 @@ public:
     void
     expectDetailsResolver()
     {
-        Maybe<tuple<string, string, string>> no_nginx(genError("No nginx"));
+        Maybe<tuple<string, string, string, string>> no_nginx(genError("No nginx"));
         EXPECT_CALL(mock_details_resolver, getPlatform()).WillRepeatedly(Return(string("linux")));
         EXPECT_CALL(mock_details_resolver, getArch()).WillRepeatedly(Return(string("x86_64")));
         EXPECT_CALL(mock_details_resolver, isReverseProxy()).WillRepeatedly(Return(false));
         EXPECT_CALL(mock_details_resolver, isKernelVersion3OrHigher()).WillRepeatedly(Return(false));
+        EXPECT_CALL(mock_details_resolver, isGw()).WillRepeatedly(Return(false));
         EXPECT_CALL(mock_details_resolver, isGwNotVsx()).WillRepeatedly(Return(false));
         EXPECT_CALL(mock_details_resolver, isVersionAboveR8110()).WillRepeatedly(Return(false));
         EXPECT_CALL(mock_details_resolver, parseNginxMetadata()).WillRepeatedly(Return(no_nginx));
@@ -156,6 +162,7 @@ public:
     runRoutine()
     {
         routine();
+        upgrade_routine();
     }
 
     void
@@ -235,6 +242,7 @@ private:
     }
 
     I_MainLoop::Routine routine;
+    I_MainLoop::Routine upgrade_routine;
     I_MainLoop::Routine status_routine;
 };
 

components/security_apps/orchestration/orchestration_ut/orchestration_ut.cc

@@ -28,6 +28,7 @@ std::ostream & operator<<(std::ostream &os, const Package &) { return os; }
 #include "health_check_status/health_check_status.h"
 #include "updates_process_event.h"
 #include "declarative_policy_utils.h"
+#include "mock/mock_env_details.h"
 
 using namespace testing;
 using namespace std;
@@ -82,6 +83,12 @@ public:
         EXPECT_CALL(mock_orchestration_tools, readFile(orchestration_policy_file_path)).WillOnce(Return(response));
         EXPECT_CALL(mock_status, setFogAddress(host_url)).WillRepeatedly(Return());
         EXPECT_CALL(mock_orchestration_tools, setClusterId());
+
+        EXPECT_CALL(
+            mock_ml,
+            addOneTimeRoutine(_, _, "Orchestration successfully updated (One-Time After Interval)", true)
+        ).WillOnce(DoAll(SaveArg<1>(&upgrade_routine), Return(0)));
+
         EXPECT_CALL(
             mock_ml,
             addOneTimeRoutine(I_MainLoop::RoutineType::System, _, "Orchestration runner", true)
@@ -161,12 +168,13 @@ public:
     void
     expectDetailsResolver()
     {
-        Maybe<tuple<string, string, string>> no_nginx(genError("No nginx"));
+        Maybe<tuple<string, string, string, string>> no_nginx(genError("No nginx"));
         EXPECT_CALL(mock_details_resolver, getPlatform()).WillRepeatedly(Return(string("linux")));
         EXPECT_CALL(mock_details_resolver, getArch()).WillRepeatedly(Return(string("x86_64")));
         EXPECT_CALL(mock_details_resolver, isReverseProxy()).WillRepeatedly(Return(false));
         EXPECT_CALL(mock_details_resolver, isCloudStorageEnabled()).WillRepeatedly(Return(false));
         EXPECT_CALL(mock_details_resolver, isKernelVersion3OrHigher()).WillRepeatedly(Return(false));
+        EXPECT_CALL(mock_details_resolver, isGw()).WillRepeatedly(Return(false));
         EXPECT_CALL(mock_details_resolver, isGwNotVsx()).WillRepeatedly(Return(false));
         EXPECT_CALL(mock_details_resolver, isVersionAboveR8110()).WillRepeatedly(Return(false));
         EXPECT_CALL(mock_details_resolver, parseNginxMetadata()).WillRepeatedly(Return(no_nginx));
@@ -280,6 +288,12 @@ public:
         status_routine();
     }
 
+    void
+    runUpgradeRoutine()
+    {
+        upgrade_routine();
+    }
+
     void
     preload()
     {
@@ -324,6 +338,7 @@ public:
     StrictMock<MockOrchestrationTools> mock_orchestration_tools;
     StrictMock<MockDownloader> mock_downloader;
     StrictMock<MockShellCmd> mock_shell_cmd;
+    StrictMock<EnvDetailsMocker> mock_env_details;
     StrictMock<MockMessaging> mock_message;
     StrictMock<MockRestApi> rest;
     StrictMock<MockServiceController> mock_service_controller;
@@ -357,6 +372,7 @@ private:
 
     I_MainLoop::Routine routine;
     I_MainLoop::Routine status_routine;
+    I_MainLoop::Routine upgrade_routine;
 };
 
 
@@ -583,6 +599,8 @@ TEST_F(OrchestrationTest, check_sending_registration_data)
     env.init();
     init();
 
+    EXPECT_CALL(mock_env_details, getEnvType()).WillRepeatedly(Return(EnvType::LINUX));
+
     EXPECT_CALL(mock_service_controller, updateServiceConfiguration(_, _, _, _, _, _))
         .WillOnce(Return(Maybe<void>()));
     EXPECT_CALL(mock_orchestration_tools, calculateChecksum(_, _)).WillRepeatedly(Return(string()));
@@ -597,14 +615,6 @@ TEST_F(OrchestrationTest, check_sending_registration_data)
 
     string version = "1";
     EXPECT_CALL(mock_service_controller, getUpdatePolicyVersion()).WillOnce(ReturnRef(version));
-
-    EXPECT_CALL(mock_ml, yield(A<chrono::microseconds>()))
-        .WillOnce(Return())
-        .WillOnce(Invoke([] (chrono::microseconds) { throw invalid_argument("stop while loop"); }));
-    try {
-        runRoutine();
-    } catch (const invalid_argument& e) {}
-
     string config_json =
         "{\n"
         "    \"email-address\": \"fake@example.com\",\n"
@@ -613,9 +623,19 @@ TEST_F(OrchestrationTest, check_sending_registration_data)
 
     istringstream ss(config_json);
     Singleton::Consume<Config::I_Config>::from(config_comp)->loadConfiguration(ss);
+    EXPECT_CALL(mock_ml, yield(A<chrono::microseconds>()))
+        .WillOnce(Return())
+        .WillOnce(Invoke([] (chrono::microseconds) { throw invalid_argument("stop while loop"); }));
+    try {
+        runRoutine();
+    } catch (const invalid_argument& e) {}
+
+
     sending_routine();
 
     EXPECT_THAT(message_body, HasSubstr("\"userDefinedId\": \"fake@example.com\""));
+    EXPECT_THAT(message_body, HasSubstr("\"eventCategory\""));
+
     EXPECT_THAT(message_body, AnyOf(HasSubstr("\"Embedded Deployment\""), HasSubstr("\"Kubernetes Deployment\"")));
     EXPECT_THAT(message_body, HasSubstr("\"NGINX Server\""));
 }
@@ -1000,6 +1020,11 @@ TEST_F(OrchestrationTest, loadOrchestrationPolicyFromBackup)
     );
     waitForRestCall();
 
+    EXPECT_CALL(
+        mock_ml,
+        addOneTimeRoutine(_, _, "Orchestration successfully updated (One-Time After Interval)", true)
+    );
+
     EXPECT_CALL(
         mock_ml,
         addOneTimeRoutine(I_MainLoop::RoutineType::System, _, "Orchestration runner", true)
@@ -1166,6 +1191,29 @@ TEST_F(OrchestrationTest, manifestUpdate)
     try {
         runRoutine();
     } catch (const invalid_argument& e) {}
+
+    EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(true));
+    EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/last_known_working_orchestrator"))
+        .WillOnce(Return(true));
+
+    Maybe<string> upgrade_status(string("1.1.1 1.1.2 2025-01-28 07:53:23"));
+    EXPECT_CALL(mock_orchestration_tools, readFile("/etc/cp/revert/upgrade_status"))
+        .WillOnce(Return(upgrade_status));
+    EXPECT_CALL(mock_orchestration_tools, removeFile("/etc/cp/revert/upgrade_status")).WillOnce(Return(true));
+
+    EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/failed_upgrade_info"))
+        .WillOnce(Return(false));
+
+    EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillRepeatedly(Return("1.1.2"));
+    EXPECT_CALL(mock_orchestration_tools, copyFile(_, "/etc/cp/revert/last_known_working_orchestrator"))
+        .WillOnce(Return(true));
+    EXPECT_CALL(mock_orchestration_tools, copyFile(_, "/etc/cp/revert/last_known_manifest")).WillOnce(Return(true));
+    EXPECT_CALL(
+        mock_orchestration_tools,
+        writeFile("1.1.1 1.1.2 2025-01-28 07:53:23\n", "/var/log/nano_agent/prev_upgrades", true)
+    ).WillOnce(Return(true));
+    EXPECT_CALL(mock_ml, yield(A<chrono::microseconds>())).WillOnce(Return());
+    runUpgradeRoutine();
 }
 
 TEST_F(OrchestrationTest, getBadPolicyUpdate)

components/security_apps/orchestration/package_handler/package_handler.cc

@@ -141,11 +141,11 @@ packageHandlerActionsToString(PackageHandlerActions action)
         }
     }
 
-    dbgAssert(false)
+    dbgAssertOpt(false)
         << AlertInfo(AlertTeam::CORE, "service configuration")
         << "Package handler action is not supported. Action: "
         << static_cast<unsigned int>(action);
-    return string();
+    return string("--UNSUPPORTED");
 }
 
 void

components/security_apps/orchestration/service_controller/service_controller.cc

@@ -208,6 +208,8 @@ ServiceDetails::sendNewConfigurations(int configuration_id, const string &policy
     MessageMetadata new_config_req_md("127.0.0.1", service_port);
     new_config_req_md.setConnectioFlag(MessageConnectionConfig::ONE_TIME_CONN);
     new_config_req_md.setConnectioFlag(MessageConnectionConfig::UNSECURE_CONN);
+    new_config_req_md.setSuspension(false);
+    new_config_req_md.setShouldSendAccessToken(false);
     auto res = messaging->sendSyncMessage(
         HTTPMethod::POST,
         "/set-new-configuration",
@@ -793,7 +795,7 @@ ServiceController::Impl::updateServiceConfiguration(
             << "Policy file was not updated. Sending reload command regarding settings and data";
         auto signal_services = sendSignalForServices(nano_services_to_update, "");
         if (!signal_services.ok()) return signal_services.passErr();
-        Singleton::Consume<I_DeclarativePolicy>::from<DeclarativePolicyUtils>()->turnOffApplyPolicyFlag();
+        Singleton::Consume<I_DeclarativePolicy>::from<DeclarativePolicyUtils>()->turnOffApplyLocalPolicyFlag();
         return Maybe<void>();
     }
 
@@ -940,7 +942,7 @@ ServiceController::Impl::updateServiceConfiguration(
         if (new_policy_path.compare(config_file_path) == 0) {
             dbgDebug(D_SERVICE_CONTROLLER) << "Enforcing the default policy file";
             policy_version = version_value;
-            Singleton::Consume<I_DeclarativePolicy>::from<DeclarativePolicyUtils>()->turnOffApplyPolicyFlag();
+            Singleton::Consume<I_DeclarativePolicy>::from<DeclarativePolicyUtils>()->turnOffApplyLocalPolicyFlag();
             return Maybe<void>();
         }
 
@@ -959,7 +961,7 @@ ServiceController::Impl::updateServiceConfiguration(
     }
 
     if (!was_policy_updated && !send_signal_for_services_err.empty()) return genError(send_signal_for_services_err);
-    Singleton::Consume<I_DeclarativePolicy>::from<DeclarativePolicyUtils>()->turnOffApplyPolicyFlag();
+    Singleton::Consume<I_DeclarativePolicy>::from<DeclarativePolicyUtils>()->turnOffApplyLocalPolicyFlag();
     return Maybe<void>();
 }
 

components/security_apps/orchestration/update_communication/declarative_policy_utils.cc

@@ -17,7 +17,7 @@ void
 DeclarativePolicyUtils::init()
 {
     local_policy_path = getFilesystemPathConfig() + "/conf/local_policy.yaml";
-    should_apply_policy = true;
+    should_apply_local_policy = true;
     Singleton::Consume<I_RestApi>::by<DeclarativePolicyUtils>()->addRestCall<ApplyPolicyRest>(
         RestAction::SET, "apply-policy"
     );
@@ -40,7 +40,7 @@ DeclarativePolicyUtils::upon(const ApplyPolicyEvent &event)
 {
     dbgTrace(D_ORCHESTRATOR) << "Apply policy event";
     local_policy_path = event.getPolicyPath();
-    should_apply_policy = true;
+    should_apply_local_policy = true;
 }
 // LCOV_EXCL_STOP
 
@@ -48,19 +48,24 @@ bool
 DeclarativePolicyUtils::shouldApplyPolicy()
 {
     auto env_type = Singleton::Consume<I_EnvDetails>::by<DeclarativePolicyUtils>()->getEnvType();
-    return env_type == EnvType::K8S ? true : should_apply_policy;
+    if (env_type == EnvType::K8S) {
+        I_OrchestrationTools *orch_tools = Singleton::Consume<I_OrchestrationTools>::by<DeclarativePolicyUtils>();
+        auto maybe_new_version = orch_tools->readFile("/etc/cp/conf/k8s-policy-check.trigger");
+        return maybe_new_version != curr_version;
+    }
+    return should_apply_local_policy;
 }
 
 void
-DeclarativePolicyUtils::turnOffApplyPolicyFlag()
+DeclarativePolicyUtils::turnOffApplyLocalPolicyFlag()
 {
-    should_apply_policy = false;
+    should_apply_local_policy = false;
 }
 
 void
-DeclarativePolicyUtils::turnOnApplyPolicyFlag()
+DeclarativePolicyUtils::turnOnApplyLocalPolicyFlag()
 {
-    should_apply_policy = true;
+    should_apply_local_policy = true;
 }
 
 Maybe<string>
@@ -211,6 +216,6 @@ DeclarativePolicyUtils::periodicPolicyLoad()
 
     if (*new_checksum == curr_checksum) return;
 
-    should_apply_policy = true;
+    should_apply_local_policy = true;
     curr_checksum = *new_checksum;
 }

components/security_apps/orchestration/update_communication/fog_authenticator.cc

@@ -139,6 +139,25 @@ FogAuthenticator::RegistrationData::serialize(JSONOutputArchive &out_ar) const
     );
 }
 
+static string
+getDeplymentType()
+{
+    auto deplyment_type = Singleton::Consume<I_EnvDetails>::by<FogAuthenticator>()->getEnvType();
+    switch (deplyment_type) {
+        case EnvType::LINUX: return "Embedded";
+        case EnvType::DOCKER: return "Docker";
+        case EnvType::NON_CRD_K8S:
+        case EnvType::K8S: return "K8S";
+        case EnvType::COUNT: break;
+    }
+
+    dbgAssertOpt(false)
+        << AlertInfo(AlertTeam::CORE, "fog communication")
+        << "Failed to get a legitimate deployment type: "
+        << static_cast<uint>(deplyment_type);
+    return "Embedded";
+}
+
 Maybe<FogAuthenticator::UserCredentials>
 FogAuthenticator::registerAgent(
     const FogAuthenticator::RegistrationData &reg_data,
@@ -168,10 +187,12 @@ FogAuthenticator::registerAgent(
     auto nginx_data = details_resolver->parseNginxMetadata();
 
     if (nginx_data.ok()) {
+        string nginx_signature;
         string nginx_version;
         string config_opt;
         string cc_opt;
-        tie(config_opt, cc_opt, nginx_version) = nginx_data.unpack();
+        tie(config_opt, cc_opt, nginx_version, nginx_signature) = nginx_data.unpack();
+        request << make_pair("nginxSignature",   nginx_signature);
         request << make_pair("nginxVersion",     nginx_version);
         request << make_pair("configureOpt",     config_opt);
         request << make_pair("extraCompilerOpt", cc_opt);
@@ -206,6 +227,13 @@ FogAuthenticator::registerAgent(
 
     request << make_pair("userEdition", getUserEdition());
 
+    if (getDeplymentType() == "Docker" || getDeplymentType() == "K8S") {
+        const char *image_version_otp = getenv("IMAGE_VERSION");
+        if (image_version_otp) {
+            request << make_pair("imageVersion", image_version_otp);
+        }
+    }
+
     if (details_resolver->isReverseProxy()) {
         request << make_pair("reverse_proxy", "true");
     }
@@ -218,6 +246,10 @@ FogAuthenticator::registerAgent(
         request << make_pair("isKernelVersion3OrHigher", "true");
     }
 
+    if (details_resolver->isGw()) {
+        request << make_pair("isGw", "true");
+    }
+
     if (details_resolver->isGwNotVsx()) {
         request << make_pair("isGwNotVsx", "true");
     }
@@ -281,11 +313,14 @@ FogAuthenticator::getAccessToken(const UserCredentials &user_credentials) const
     static const string grant_type_string = "/oauth/token?grant_type=client_credentials";
     TokenRequest request = TokenRequest();
 
-    MessageMetadata request_token_md;
+    MessageMetadata request_token_md(true);
     request_token_md.insertHeader(
         "Authorization",
         buildBasicAuthHeader(user_credentials.getClientId(), user_credentials.getSharedSecret())
     );
+    dbgInfo(D_ORCHESTRATOR)
+        << "Sending request for access token. Trace: "
+        << (request_token_md.getTraceId().ok() ? request_token_md.getTraceId().unpack() : "No trace id");
     auto request_token_status = Singleton::Consume<I_Messaging>::by<FogAuthenticator>()->sendSyncMessage(
         HTTPMethod::POST,
         grant_type_string,
@@ -377,9 +412,13 @@ FogAuthenticator::registerLocalAgentToFog()
 {
     auto local_reg_token = getRegistrationToken();
     if (!local_reg_token.ok()) return;
+
+    string reg_token = local_reg_token.unpack().getData();
+    if (reg_token.empty()) return;
+
     dbgInfo(D_ORCHESTRATOR) << "Start local agent registration to the fog";
 
-    string exec_command = "open-appsec-ctl --set-mode --online_mode --token " + local_reg_token.unpack().getData();
+    string exec_command = "open-appsec-ctl --set-mode --online_mode --token " + reg_token;
 
     auto i_agent_details = Singleton::Consume<I_AgentDetails>::by<FogAuthenticator>();
     auto fog_address = i_agent_details->getFogDomain();
@@ -455,25 +494,6 @@ FogAuthenticator::getCredentialsFromFile() const
     return orchestration_tools->jsonStringToObject<UserCredentials>(encrypted_cred.unpack());
 }
 
-static string
-getDeplymentType()
-{
-    auto deplyment_type = Singleton::Consume<I_EnvDetails>::by<FogAuthenticator>()->getEnvType();
-    switch (deplyment_type) {
-        case EnvType::LINUX: return "Embedded";
-        case EnvType::DOCKER: return "Docker";
-        case EnvType::NON_CRD_K8S:
-        case EnvType::K8S: return "K8S";
-        case EnvType::COUNT: break;
-    }
-
-    dbgAssert(false)
-        << AlertInfo(AlertTeam::CORE, "fog communication")
-        << "Failed to get a legitimate deplyment type: "
-        << static_cast<uint>(deplyment_type);
-    return "Embedded";
-}
-
 Maybe<FogAuthenticator::UserCredentials>
 FogAuthenticator::getCredentials()
 {