github_mirrors/openappsec
3
0
Fork 1
mirror of https://github.com/openappsec/openappsec.git synced 2025-06-28 16:41:02 +03:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: github_mirrors:main
Branches Tags
github_mirrors:main
github_mirrors:nginx_message_reader_improvements
github_mirrors:conf-collector-upload
github_mirrors:waf-tag
github_mirrors:watchdog
github_mirrors:prometheus_support
github_mirrors:exception-fix
github_mirrors:orianelou-patch-8
github_mirrors:orianelou-issue-tamplates
github_mirrors:Mar_17_2025-Dev
github_mirrors:docker-upgrade-issue
github_mirrors:namspace-crds
github_mirrors:Feb_27_2025-Dev
github_mirrors:Feb_10_2025-Dev
github_mirrors:oriane-23.12.24-adding-new-composes
github_mirrors:Jan_12_2025-Dev
github_mirrors:orianelou-patch-7
github_mirrors:Dec_29_2024-Dev
github_mirrors:Nov_28_2024-Dev
github_mirrors:Oct_14_2024-Dev
github_mirrors:Sep_17_2024-Dev
github_mirrors:Sep_15_2024-Dev
github_mirrors:Sep_13_2024-Dev
github_mirrors:Sep_11_2024-Dev
github_mirrors:Aug_20_2024-Dev
github_mirrors:orianelou-patch-6
github_mirrors:orianelou-patch-5
github_mirrors:orianelou-patch-4
github_mirrors:Jul_31_2024-Dev
github_mirrors:danielei-hotifx-candidate
github_mirrors:orianelou-crds
github_mirrors:or
github_mirrors:Jul_23_2024-Dev
github_mirrors:Jul_04_2024-Dev
github_mirrors:Jun_26_2024-Dev
github_mirrors:orianelou-new-policy-files
github_mirrors:Jun_09_2024-Dev
github_mirrors:May_27_2024-Dev
github_mirrors:Apr_21_2024-Dev
github_mirrors:Apr_14_2024-Dev
github_mirrors:Mar_21_2024-Dev
github_mirrors:orianelou-patch-3
github_mirrors:WrightNed-patch-1
github_mirrors:Feb_28_2024
github_mirrors:orianelou-patch-apisix
github_mirrors:Feb_13_2024
github_mirrors:Feb_06_2024-Dev
github_mirrors:Jan_31_2024-Dev
github_mirrors:Dec-24-2023
github_mirrors:Dec-12th-2023
github_mirrors:Nov_12_2023-Dev
github_mirrors:open_appsec_add_agent_cache_for_rate_limit
github_mirrors:orianelou-patch-2
github_mirrors:Sep_24_2023-Dev
github_mirrors:Aug_23_2023-Dev
github_mirrors:changing_socket_readiness_testing
github_mirrors:support-advance-model
github_mirrors:Jul_24_23_chart_update
github_mirrors:Jul_06_2023-Dev
github_mirrors:orianelou-patch-1
github_mirrors:workflow-08_05
github_mirrors:May_11_2023-Dev
github_mirrors:crowdsec
github_mirrors:Apr_27_2023-Dev
github_mirrors:Mar_26_2023-Dev
github_mirrors:Mar_13_2023-Dev
github_mirrors:Mar_02_2023-Dev
github_mirrors:Feb_22_2023-Dev
github_mirrors:Feb_15_2023-Dev
github_mirrors:Jan_22_2023-Dev
github_mirrors:Jan_18_2023-Dev
github_mirrors:Jan_16_2023
github_mirrors:1.1.26
github_mirrors:1.1.25
github_mirrors:1.1.24
github_mirrors:1.1.23
github_mirrors:1.1.22
github_mirrors:1.1.21
github_mirrors:1.1.20
github_mirrors:1.1.19
github_mirrors:1.1.18
github_mirrors:1.1.17
github_mirrors:1.1.16
github_mirrors:1.1.15
github_mirrors:1.1.14
github_mirrors:v1.1.3
github_mirrors:1.1.12
github_mirrors:1.1.11
github_mirrors:1.1.10
github_mirrors:1.1.9
github_mirrors:1.1.8
github_mirrors:1.1.7
github_mirrors:1.1.6
github_mirrors:1.1.5
github_mirrors:1.1.4
github_mirrors:1.1.3
github_mirrors:1.1.2
github_mirrors:1.1.0
github_mirrors:1.0.1
github_mirrors:1.0.0
github_mirrors:0.9.1-rc
github_mirrors:0.9.0-rc
github_mirrors:0.8.0-rc
..
compare: github_mirrors:1.1.18
Branches Tags
github_mirrors:nginx_message_reader_improvements
github_mirrors:main
github_mirrors:conf-collector-upload
github_mirrors:waf-tag
github_mirrors:watchdog
github_mirrors:prometheus_support
github_mirrors:exception-fix
github_mirrors:orianelou-patch-8
github_mirrors:orianelou-issue-tamplates
github_mirrors:Mar_17_2025-Dev
github_mirrors:docker-upgrade-issue
github_mirrors:namspace-crds
github_mirrors:Feb_27_2025-Dev
github_mirrors:Feb_10_2025-Dev
github_mirrors:oriane-23.12.24-adding-new-composes
github_mirrors:Jan_12_2025-Dev
github_mirrors:orianelou-patch-7
github_mirrors:Dec_29_2024-Dev
github_mirrors:Nov_28_2024-Dev
github_mirrors:Oct_14_2024-Dev
github_mirrors:Sep_17_2024-Dev
github_mirrors:Sep_15_2024-Dev
github_mirrors:Sep_13_2024-Dev
github_mirrors:Sep_11_2024-Dev
github_mirrors:Aug_20_2024-Dev
github_mirrors:orianelou-patch-6
github_mirrors:orianelou-patch-5
github_mirrors:orianelou-patch-4
github_mirrors:Jul_31_2024-Dev
github_mirrors:danielei-hotifx-candidate
github_mirrors:orianelou-crds
github_mirrors:or
github_mirrors:Jul_23_2024-Dev
github_mirrors:Jul_04_2024-Dev
github_mirrors:Jun_26_2024-Dev
github_mirrors:orianelou-new-policy-files
github_mirrors:Jun_09_2024-Dev
github_mirrors:May_27_2024-Dev
github_mirrors:Apr_21_2024-Dev
github_mirrors:Apr_14_2024-Dev
github_mirrors:Mar_21_2024-Dev
github_mirrors:orianelou-patch-3
github_mirrors:WrightNed-patch-1
github_mirrors:Feb_28_2024
github_mirrors:orianelou-patch-apisix
github_mirrors:Feb_13_2024
github_mirrors:Feb_06_2024-Dev
github_mirrors:Jan_31_2024-Dev
github_mirrors:Dec-24-2023
github_mirrors:Dec-12th-2023
github_mirrors:Nov_12_2023-Dev
github_mirrors:open_appsec_add_agent_cache_for_rate_limit
github_mirrors:orianelou-patch-2
github_mirrors:Sep_24_2023-Dev
github_mirrors:Aug_23_2023-Dev
github_mirrors:changing_socket_readiness_testing
github_mirrors:support-advance-model
github_mirrors:Jul_24_23_chart_update
github_mirrors:Jul_06_2023-Dev
github_mirrors:orianelou-patch-1
github_mirrors:workflow-08_05
github_mirrors:May_11_2023-Dev
github_mirrors:crowdsec
github_mirrors:Apr_27_2023-Dev
github_mirrors:Mar_26_2023-Dev
github_mirrors:Mar_13_2023-Dev
github_mirrors:Mar_02_2023-Dev
github_mirrors:Feb_22_2023-Dev
github_mirrors:Feb_15_2023-Dev
github_mirrors:Jan_22_2023-Dev
github_mirrors:Jan_18_2023-Dev
github_mirrors:Jan_16_2023
github_mirrors:1.1.26
github_mirrors:1.1.25
github_mirrors:1.1.24
github_mirrors:1.1.23
github_mirrors:1.1.22
github_mirrors:1.1.21
github_mirrors:1.1.20
github_mirrors:1.1.19
github_mirrors:1.1.18
github_mirrors:1.1.17
github_mirrors:1.1.16
github_mirrors:1.1.15
github_mirrors:1.1.14
github_mirrors:v1.1.3
github_mirrors:1.1.12
github_mirrors:1.1.11
github_mirrors:1.1.10
github_mirrors:1.1.9
github_mirrors:1.1.8
github_mirrors:1.1.7
github_mirrors:1.1.6
github_mirrors:1.1.5
github_mirrors:1.1.4
github_mirrors:1.1.3
github_mirrors:1.1.2
github_mirrors:1.1.0
github_mirrors:1.0.1
github_mirrors:1.0.0
github_mirrors:0.9.1-rc
github_mirrors:0.9.0-rc
github_mirrors:0.8.0-rc

No commits in common. "main" and "1.1.18" have entirely different histories.
main ... 1.1.18

326 changed files with 1677 additions and 16538 deletions
Show Stats Expand all files Collapse all files

36
.github/ISSUE_TEMPLATE/bug_report.md vendored
View File

@ -1,36 +0,0 @@
---
name: "Bug Report"
about: "Report a bug with open-appsec"
labels: [bug]
---
**Checklist**
- Have you checked the open-appsec troubleshooting guides - https://docs.openappsec.io/troubleshooting/troubleshooting
- Yes / No
- Have you checked the existing issues and discussions in github for the same issue
- Yes / No
- Have you checked the knwon limitations same issue - https://docs.openappsec.io/release-notes#limitations
- Yes / No
**Describe the bug**
A clear and concise description of what the bug is.
**To Reproduce**
Steps to reproduce the behavior:
1. Go to '...'
2. Run '...'
3. See error '...'
**Expected behavior**
A clear and concise description of what you expected to happen.
**Screenshots or Logs**
If applicable, add screenshots or logs to help explain the issue.
**Environment (please complete the following information):**
- open-appsec version:
- Deployment type (Docker, Kubernetes, etc.):
- OS:
**Additional context**
Add any other context about the problem here.

8
.github/ISSUE_TEMPLATE/config.yml vendored
View File

@ -1,8 +0,0 @@
blank_issues_enabled: false
contact_links:
- name: "Documentation & Troubleshooting"
url: "https://docs.openappsec.io/"
about: "Check the documentation before submitting an issue."
- name: "Feature Requests & Discussions"
url: "https://github.com/openappsec/openappsec/discussions"
about: "Please open a discussion for feature requests."

17
.github/ISSUE_TEMPLATE/nginx_version_support.md vendored
View File

@ -1,17 +0,0 @@
---
name: "Nginx Version Support Request"
about: "Request for a specific Nginx version to be supported"
---
**Nginx & OS Version:**
Which Nginx and OS version are you using?
**Output of nginx -V**
Share the output of nginx -v
**Expected Behavior:**
What do you expect to happen with this version?
**Checklist**
- Have you considered a docker based deployment - find more information here https://docs.openappsec.io/getting-started/start-with-docker?
- Yes / No

4
README.md
View File

@ -74,7 +74,7 @@ For Linux, if youve built your own package use the following commands:
```bash ```bash
$ install-cp-nano-agent.sh --install --hybrid_mode $ install-cp-nano-agent.sh --install --hybrid_mode
$ install-cp-nano-service-http-transaction-handler.sh --install $ install-cp-nano-service-http-transaction-handler.sh install
$ install-cp-nano-attachment-registration-manager.sh --install $ install-cp-nano-attachment-registration-manager.sh --install
``` ```
You can add the ```--token <token>``` and ```--email <email address>``` options to the first command, to get a token follow [documentation](https://docs.openappsec.io/getting-started/using-the-web-ui-saas/connect-deployed-agents-to-saas-management-k8s-and-linux). You can add the ```--token <token>``` and ```--email <email address>``` options to the first command, to get a token follow [documentation](https://docs.openappsec.io/getting-started/using-the-web-ui-saas/connect-deployed-agents-to-saas-management-k8s-and-linux).
@ -177,7 +177,7 @@ open-appsec code was audited by an independent third party in September-October
See the [full report](https://github.com/openappsec/openappsec/blob/main/LEXFO-CHP20221014-Report-Code_audit-OPEN-APPSEC-v1.2.pdf). See the [full report](https://github.com/openappsec/openappsec/blob/main/LEXFO-CHP20221014-Report-Code_audit-OPEN-APPSEC-v1.2.pdf).
### Reporting security vulnerabilities ### Reporting security vulnerabilities
If you've found a vulnerability or a potential vulnerability in open-appsec please let us know at security-alert@openappsec.io. We'll send a confirmation email to acknowledge your report within 24 hours, and we'll send an additional email when we've identified the issue positively or negatively. If you've found a vulnerability or a potential vulnerability in open-appsec please let us know at securityalert@openappsec.io. We'll send a confirmation email to acknowledge your report within 24 hours, and we'll send an additional email when we've identified the issue positively or negatively.
# License # License

18
attachments/nginx/nginx_attachment_util/nginx_attachment_util.cc
View File

@ -95,18 +95,6 @@ getFailOpenHoldTimeout()
return conf_data.getNumericalValue("fail_open_hold_timeout"); return conf_data.getNumericalValue("fail_open_hold_timeout");
} }
unsigned int
getHoldVerdictPollingTime()
{
return conf_data.getNumericalValue("hold_verdict_polling_time");
}
unsigned int
getHoldVerdictRetries()
{
return conf_data.getNumericalValue("hold_verdict_retries");
}
unsigned int unsigned int
getMaxSessionsPerMinute() getMaxSessionsPerMinute()
{ {
@ -185,12 +173,6 @@ getReqBodySizeTrigger()
return conf_data.getNumericalValue("body_size_trigger"); return conf_data.getNumericalValue("body_size_trigger");
} }
unsigned int
getRemoveResServerHeader()
{
return conf_data.getNumericalValue("remove_server_header");
}
int int
isIPAddress(c_str ip_str) isIPAddress(c_str ip_str)
{ {

8
attachments/nginx/nginx_attachment_util/nginx_attachment_util_ut/nginx_attachment_util_ut.cc
View File

@ -66,10 +66,7 @@ TEST_F(HttpAttachmentUtilTest, GetValidAttachmentConfiguration)
"\"static_resources_path\": \"" + static_resources_path + "\",\n" "\"static_resources_path\": \"" + static_resources_path + "\",\n"
"\"min_retries_for_verdict\": 1,\n" "\"min_retries_for_verdict\": 1,\n"
"\"max_retries_for_verdict\": 3,\n" "\"max_retries_for_verdict\": 3,\n"
"\"hold_verdict_retries\": 3,\n" "\"body_size_trigger\": 777\n"
"\"hold_verdict_polling_time\": 1,\n"
"\"body_size_trigger\": 777,\n"
"\"remove_server_header\": 1\n"
"}\n"; "}\n";
ofstream valid_configuration_file(attachment_configuration_file_name); ofstream valid_configuration_file(attachment_configuration_file_name);
valid_configuration_file << valid_configuration; valid_configuration_file << valid_configuration;
@ -98,9 +95,6 @@ TEST_F(HttpAttachmentUtilTest, GetValidAttachmentConfiguration)
EXPECT_EQ(getReqBodySizeTrigger(), 777u); EXPECT_EQ(getReqBodySizeTrigger(), 777u);
EXPECT_EQ(getWaitingForVerdictThreadTimeout(), 75u); EXPECT_EQ(getWaitingForVerdictThreadTimeout(), 75u);
EXPECT_EQ(getInspectionMode(), ngx_http_inspection_mode::BLOCKING_THREAD); EXPECT_EQ(getInspectionMode(), ngx_http_inspection_mode::BLOCKING_THREAD);
EXPECT_EQ(getRemoveResServerHeader(), 1u);
EXPECT_EQ(getHoldVerdictRetries(), 3u);
EXPECT_EQ(getHoldVerdictPollingTime(), 1u);
EXPECT_EQ(isDebugContext("1.2.3.4", "5.6.7.8", 80, "GET", "test", "/abc"), 1); EXPECT_EQ(isDebugContext("1.2.3.4", "5.6.7.8", 80, "GET", "test", "/abc"), 1);
EXPECT_EQ(isDebugContext("1.2.3.9", "5.6.7.8", 80, "GET", "test", "/abc"), 0); EXPECT_EQ(isDebugContext("1.2.3.9", "5.6.7.8", 80, "GET", "test", "/abc"), 0);

2
build_system/docker/CMakeLists.txt
View File

@ -1,4 +1,4 @@
install(FILES Dockerfile entry.sh install-cp-agent-intelligence-service.sh install-cp-crowdsec-aux.sh self_managed_openappsec_manifest.json DESTINATION .) install(FILES Dockerfile entry.sh install-cp-agent-intelligence-service.sh install-cp-crowdsec-aux.sh DESTINATION .)
add_custom_command( add_custom_command(
OUTPUT ${CMAKE_INSTALL_PREFIX}/agent-docker.img OUTPUT ${CMAKE_INSTALL_PREFIX}/agent-docker.img

4
build_system/docker/Dockerfile
View File

@ -1,7 +1,5 @@
FROM alpine FROM alpine
ENV OPENAPPSEC_NANO_AGENT=TRUE
RUN apk add --no-cache -u busybox RUN apk add --no-cache -u busybox
RUN apk add --no-cache -u zlib RUN apk add --no-cache -u zlib
RUN apk add --no-cache bash RUN apk add --no-cache bash
@ -15,8 +13,6 @@ RUN apk add --no-cache libxml2
RUN apk add --no-cache pcre2 RUN apk add --no-cache pcre2
RUN apk add --update coreutils RUN apk add --update coreutils
COPY self_managed_openappsec_manifest.json /tmp/self_managed_openappsec_manifest.json
COPY install*.sh /nano-service-installers/ COPY install*.sh /nano-service-installers/
COPY entry.sh /entry.sh COPY entry.sh /entry.sh

35
build_system/docker/entry.sh
View File

@ -6,8 +6,6 @@ HTTP_TRANSACTION_HANDLER_SERVICE="install-cp-nano-service-http-transaction-handl
ATTACHMENT_REGISTRATION_SERVICE="install-cp-nano-attachment-registration-manager.sh" ATTACHMENT_REGISTRATION_SERVICE="install-cp-nano-attachment-registration-manager.sh"
ORCHESTRATION_INSTALLATION_SCRIPT="install-cp-nano-agent.sh" ORCHESTRATION_INSTALLATION_SCRIPT="install-cp-nano-agent.sh"
CACHE_INSTALLATION_SCRIPT="install-cp-nano-agent-cache.sh" CACHE_INSTALLATION_SCRIPT="install-cp-nano-agent-cache.sh"
PROMETHEUS_INSTALLATION_SCRIPT="install-cp-nano-service-prometheus.sh"
NGINX_CENTRAL_MANAGER_INSTALLATION_SCRIPT="install-cp-nano-central-nginx-manager.sh"
var_fog_address= var_fog_address=
var_proxy= var_proxy=
@ -83,14 +81,6 @@ fi
/nano-service-installers/$CACHE_INSTALLATION_SCRIPT --install /nano-service-installers/$CACHE_INSTALLATION_SCRIPT --install
/nano-service-installers/$HTTP_TRANSACTION_HANDLER_SERVICE --install /nano-service-installers/$HTTP_TRANSACTION_HANDLER_SERVICE --install
if [ "$PROMETHEUS" == "true" ]; then
/nano-service-installers/$PROMETHEUS_INSTALLATION_SCRIPT --install
fi
if [ "$CENTRAL_NGINX_MANAGER" == "true" ]; then
/nano-service-installers/$NGINX_CENTRAL_MANAGER_INSTALLATION_SCRIPT --install
fi
if [ "$CROWDSEC_ENABLED" == "true" ]; then if [ "$CROWDSEC_ENABLED" == "true" ]; then
/nano-service-installers/$INTELLIGENCE_INSTALLATION_SCRIPT --install /nano-service-installers/$INTELLIGENCE_INSTALLATION_SCRIPT --install
/nano-service-installers/$CROWDSEC_INSTALLATION_SCRIPT --install /nano-service-installers/$CROWDSEC_INSTALLATION_SCRIPT --install
@ -103,16 +93,25 @@ if [ -f "$FILE" ]; then
fi fi
touch /etc/cp/watchdog/wd.startup touch /etc/cp/watchdog/wd.startup
/etc/cp/watchdog/cp-nano-watchdog >/dev/null 2>&1 &
active_watchdog_pid=$!
while true; do while true; do
if [ -f /tmp/restart_watchdog ]; then if [ -z "$init" ]; then
rm -f /tmp/restart_watchdog init=true
kill -9 ${active_watchdog_pid}
fi
if [ ! "$(ps -f | grep cp-nano-watchdog | grep ${active_watchdog_pid})" ]; then
/etc/cp/watchdog/cp-nano-watchdog >/dev/null 2>&1 & /etc/cp/watchdog/cp-nano-watchdog >/dev/null 2>&1 &
active_watchdog_pid=$! sleep 5
active_watchdog_pid=$(pgrep -f -x -o "/bin/bash /etc/cp/watchdog/cp-nano-watchdog")
fi fi
current_watchdog_pid=$(pgrep -f -x -o "/bin/bash /etc/cp/watchdog/cp-nano-watchdog")
if [ ! -f /tmp/restart_watchdog ] && [ "$current_watchdog_pid" != "$active_watchdog_pid" ]; then
echo "Error: Watchdog exited abnormally"
exit 1
elif [ -f /tmp/restart_watchdog ]; then
rm -f /tmp/restart_watchdog
kill -9 "$(pgrep -f -x -o "/bin/bash /etc/cp/watchdog/cp-nano-watchdog")"
/etc/cp/watchdog/cp-nano-watchdog >/dev/null 2>&1 &
sleep 5
active_watchdog_pid=$(pgrep -f -x -o "/bin/bash /etc/cp/watchdog/cp-nano-watchdog")
fi
sleep 5 sleep 5
done done

0
build_system/docker/self_managed_openappsec_manifest.json
View File

1
components/CMakeLists.txt
View File

@ -7,4 +7,3 @@ add_subdirectory(pending_key)
add_subdirectory(utils) add_subdirectory(utils)
add_subdirectory(attachment-intakers) add_subdirectory(attachment-intakers)
add_subdirectory(security_apps) add_subdirectory(security_apps)
add_subdirectory(nginx_message_reader)

44
components/attachment-intakers/nginx_attachment/nginx_attachment.cc
View File

@ -31,7 +31,6 @@
#include <stdarg.h> #include <stdarg.h>
#include <boost/range/iterator_range.hpp> #include <boost/range/iterator_range.hpp>
#include <boost/algorithm/string.hpp>
#include <boost/regex.hpp> #include <boost/regex.hpp>
#include "nginx_attachment_config.h" #include "nginx_attachment_config.h"
@ -261,22 +260,6 @@ public:
); );
} }
const char* ignored_headers_env = getenv("SAAS_IGNORED_UPSTREAM_HEADERS");
if (ignored_headers_env) {
string ignored_headers_str = ignored_headers_env;
ignored_headers_str = NGEN::Strings::trim(ignored_headers_str);
if (!ignored_headers_str.empty()) {
dbgInfo(D_HTTP_MANAGER)
<< "Ignoring SAAS_IGNORED_UPSTREAM_HEADERS environment variable: "
<< ignored_headers_str;
vector<string> ignored_headers_vec;
boost::split(ignored_headers_vec, ignored_headers_str, boost::is_any_of(";"));
for (const string &header : ignored_headers_vec) ignored_headers.insert(header);
}
}
dbgInfo(D_NGINX_ATTACHMENT) << "Successfully initialized NGINX Attachment"; dbgInfo(D_NGINX_ATTACHMENT) << "Successfully initialized NGINX Attachment";
} }
@ -1051,11 +1034,7 @@ private:
case ChunkType::REQUEST_START: case ChunkType::REQUEST_START:
return handleStartTransaction(data, opaque); return handleStartTransaction(data, opaque);
case ChunkType::REQUEST_HEADER: case ChunkType::REQUEST_HEADER:
return handleMultiModifiableChunks( return handleMultiModifiableChunks(NginxParser::parseRequestHeaders(data), "request header", true);
NginxParser::parseRequestHeaders(data, ignored_headers),
"request header",
true
);
case ChunkType::REQUEST_BODY: case ChunkType::REQUEST_BODY:
return handleModifiableChunk(NginxParser::parseRequestBody(data), "request body", true); return handleModifiableChunk(NginxParser::parseRequestBody(data), "request body", true);
case ChunkType::REQUEST_END: { case ChunkType::REQUEST_END: {
@ -1156,11 +1135,7 @@ private:
"webUserResponse" "webUserResponse"
); );
bool remove_event_id_param =
getProfileAgentSettingWithDefault<string>("false", "nginxAttachment.removeRedirectEventId") == "true";
string uuid; string uuid;
string redirectUrl;
if (i_transaction_table->hasState<NginxAttachmentOpaque>()) { if (i_transaction_table->hasState<NginxAttachmentOpaque>()) {
NginxAttachmentOpaque &opaque = i_transaction_table->getState<NginxAttachmentOpaque>(); NginxAttachmentOpaque &opaque = i_transaction_table->getState<NginxAttachmentOpaque>();
uuid = opaque.getSessionUUID(); uuid = opaque.getSessionUUID();
@ -1170,12 +1145,7 @@ private:
if (web_trigger_conf.getDetailsLevel() == "Redirect") { if (web_trigger_conf.getDetailsLevel() == "Redirect") {
web_response_data.response_data.redirect_data.redirect_location_size = web_response_data.response_data.redirect_data.redirect_location_size =
web_trigger_conf.getRedirectURL().size(); web_trigger_conf.getRedirectURL().size();
bool add_event = web_trigger_conf.getAddEventId(); web_response_data.response_data.redirect_data.add_event_id = web_trigger_conf.getAddEventId() ? 1 : 0;
if (add_event && !remove_event_id_param) {
web_response_data.response_data.redirect_data.redirect_location_size +=
strlen("?event_id=") + uuid.size();
}
web_response_data.response_data.redirect_data.add_event_id = add_event ? 1 : 0;
web_response_data.web_repsonse_type = static_cast<uint8_t>(ngx_web_response_type_e::REDIRECT_WEB_RESPONSE); web_response_data.web_repsonse_type = static_cast<uint8_t>(ngx_web_response_type_e::REDIRECT_WEB_RESPONSE);
} else { } else {
web_response_data.response_data.custom_response_data.title_size = web_response_data.response_data.custom_response_data.title_size =
@ -1189,13 +1159,8 @@ private:
verdict_data_sizes.push_back(sizeof(ngx_http_cp_web_response_data_t)); verdict_data_sizes.push_back(sizeof(ngx_http_cp_web_response_data_t));
if (web_trigger_conf.getDetailsLevel() == "Redirect") { if (web_trigger_conf.getDetailsLevel() == "Redirect") {
redirectUrl = web_trigger_conf.getRedirectURL(); verdict_data.push_back(reinterpret_cast<const char *>(web_trigger_conf.getRedirectURL().data()));
if (!remove_event_id_param && web_trigger_conf.getAddEventId()) { verdict_data_sizes.push_back(web_trigger_conf.getRedirectURL().size());
redirectUrl += "?event-id=" + uuid;
}
verdict_data.push_back(reinterpret_cast<const char *>(redirectUrl.data()));
verdict_data_sizes.push_back(redirectUrl.size());
} else { } else {
verdict_data.push_back(reinterpret_cast<const char *>(web_trigger_conf.getResponseTitle().data())); verdict_data.push_back(reinterpret_cast<const char *>(web_trigger_conf.getResponseTitle().data()));
verdict_data_sizes.push_back(web_trigger_conf.getResponseTitle().size()); verdict_data_sizes.push_back(web_trigger_conf.getResponseTitle().size());
@ -1835,7 +1800,6 @@ private:
HttpAttachmentConfig attachment_config; HttpAttachmentConfig attachment_config;
I_MainLoop::RoutineID attachment_routine_id = 0; I_MainLoop::RoutineID attachment_routine_id = 0;
bool traffic_indicator = false; bool traffic_indicator = false;
unordered_set<string> ignored_headers;
// Interfaces // Interfaces
I_Socket *i_socket = nullptr; I_Socket *i_socket = nullptr;

22
components/attachment-intakers/nginx_attachment/nginx_attachment_config.cc
View File

@ -203,13 +203,6 @@ HttpAttachmentConfig::setFailOpenTimeout()
"NGINX wait thread timeout msec" "NGINX wait thread timeout msec"
)); ));
conf_data.setNumericalValue("remove_server_header", getAttachmentConf<uint>(
0,
"agent.removeServerHeader.nginxModule",
"HTTP manager",
"Response server header removal"
));
uint inspection_mode = getAttachmentConf<uint>( uint inspection_mode = getAttachmentConf<uint>(
static_cast<uint>(ngx_http_inspection_mode_e::NON_BLOCKING_THREAD), static_cast<uint>(ngx_http_inspection_mode_e::NON_BLOCKING_THREAD),
"agent.inspectionMode.nginxModule", "agent.inspectionMode.nginxModule",
@ -240,21 +233,6 @@ HttpAttachmentConfig::setRetriesForVerdict()
"Max retries for verdict" "Max retries for verdict"
)); ));
conf_data.setNumericalValue("hold_verdict_retries", getAttachmentConf<uint>(
3,
"agent.retriesForHoldVerdict.nginxModule",
"HTTP manager",
"Retries for hold verdict"
));
conf_data.setNumericalValue("hold_verdict_polling_time", getAttachmentConf<uint>(
1,
"agent.holdVerdictPollingInterval.nginxModule",
"HTTP manager",
"Hold verdict polling interval seconds"
));
conf_data.setNumericalValue("body_size_trigger", getAttachmentConf<uint>( conf_data.setNumericalValue("body_size_trigger", getAttachmentConf<uint>(
200000, 200000,
"agent.reqBodySizeTrigger.nginxModule", "agent.reqBodySizeTrigger.nginxModule",

47
components/attachment-intakers/nginx_attachment/nginx_attachment_opaque.cc
View File

@ -19,15 +19,12 @@
#include "config.h" #include "config.h"
#include "virtual_modifiers.h" #include "virtual_modifiers.h"
#include "agent_core_utilities.h"
using namespace std; using namespace std;
using namespace boost::uuids; using namespace boost::uuids;
USE_DEBUG_FLAG(D_HTTP_MANAGER); USE_DEBUG_FLAG(D_HTTP_MANAGER);
extern bool is_keep_alive_ctx;
NginxAttachmentOpaque::NginxAttachmentOpaque(HttpTransactionData _transaction_data) NginxAttachmentOpaque::NginxAttachmentOpaque(HttpTransactionData _transaction_data)
: :
TableOpaqueSerialize<NginxAttachmentOpaque>(this), TableOpaqueSerialize<NginxAttachmentOpaque>(this),
@ -122,47 +119,3 @@ NginxAttachmentOpaque::setSavedData(const string &name, const string &data, EnvK
saved_data[name] = data; saved_data[name] = data;
ctx.registerValue(name, data, log_ctx); ctx.registerValue(name, data, log_ctx);
} }
bool
NginxAttachmentOpaque::setKeepAliveCtx(const string &hdr_key, const string &hdr_val)
{
if (!is_keep_alive_ctx) return false;
static pair<string, string> keep_alive_hdr;
static bool keep_alive_hdr_initialized = false;
if (keep_alive_hdr_initialized) {
if (!keep_alive_hdr.first.empty() && hdr_key == keep_alive_hdr.first && hdr_val == keep_alive_hdr.second) {
dbgTrace(D_HTTP_MANAGER) << "Registering keep alive context";
ctx.registerValue("keep_alive_request_ctx", true);
return true;
}
return false;
}
const char* saas_keep_alive_hdr_name_env = getenv("SAAS_KEEP_ALIVE_HDR_NAME");
if (saas_keep_alive_hdr_name_env) {
keep_alive_hdr.first = NGEN::Strings::trim(saas_keep_alive_hdr_name_env);
dbgInfo(D_HTTP_MANAGER) << "Using SAAS_KEEP_ALIVE_HDR_NAME environment variable: " << keep_alive_hdr.first;
}
if (!keep_alive_hdr.first.empty()) {
const char* saas_keep_alive_hdr_value_env = getenv("SAAS_KEEP_ALIVE_HDR_VALUE");
if (saas_keep_alive_hdr_value_env) {
keep_alive_hdr.second = NGEN::Strings::trim(saas_keep_alive_hdr_value_env);
dbgInfo(D_HTTP_MANAGER)
<< "Using SAAS_KEEP_ALIVE_HDR_VALUE environment variable: "
<< keep_alive_hdr.second;
}
if (!keep_alive_hdr.second.empty() && (hdr_key == keep_alive_hdr.first && hdr_val == keep_alive_hdr.second)) {
dbgTrace(D_HTTP_MANAGER) << "Registering keep alive context";
ctx.registerValue("keep_alive_request_ctx", true);
keep_alive_hdr_initialized = true;
return true;
}
}
keep_alive_hdr_initialized = true;
return false;
}

1
components/attachment-intakers/nginx_attachment/nginx_attachment_opaque.h
View File

@ -85,7 +85,6 @@ public:
EnvKeyAttr::LogSection log_ctx = EnvKeyAttr::LogSection::NONE EnvKeyAttr::LogSection log_ctx = EnvKeyAttr::LogSection::NONE
); );
void setApplicationState(const ApplicationState &app_state) { application_state = app_state; } void setApplicationState(const ApplicationState &app_state) { application_state = app_state; }
bool setKeepAliveCtx(const std::string &hdr_key, const std::string &hdr_val);
private: private:
CompressionStream *response_compression_stream; CompressionStream *response_compression_stream;

55
components/attachment-intakers/nginx_attachment/nginx_parser.cc
View File

@ -28,9 +28,7 @@ USE_DEBUG_FLAG(D_NGINX_ATTACHMENT_PARSER);
Buffer NginxParser::tenant_header_key = Buffer(); Buffer NginxParser::tenant_header_key = Buffer();
static const Buffer proxy_ip_header_key("X-Forwarded-For", 15, Buffer::MemoryType::STATIC); static const Buffer proxy_ip_header_key("X-Forwarded-For", 15, Buffer::MemoryType::STATIC);
static const Buffer waf_tag_key("x-waf-tag", 9, Buffer::MemoryType::STATIC);
static const Buffer source_ip("sourceip", 8, Buffer::MemoryType::STATIC); static const Buffer source_ip("sourceip", 8, Buffer::MemoryType::STATIC);
bool is_keep_alive_ctx = getenv("SAAS_KEEP_ALIVE_HDR_NAME") != nullptr;
map<Buffer, CompressionType> NginxParser::content_encodings = { map<Buffer, CompressionType> NginxParser::content_encodings = {
{Buffer("identity"), CompressionType::NO_COMPRESSION}, {Buffer("identity"), CompressionType::NO_COMPRESSION},
@ -179,73 +177,38 @@ getActivetenantAndProfile(const string &str, const string &deli = ",")
} }
Maybe<vector<HttpHeader>> Maybe<vector<HttpHeader>>
NginxParser::parseRequestHeaders(const Buffer &data, const unordered_set<string> &ignored_headers) NginxParser::parseRequestHeaders(const Buffer &data)
{ {
auto maybe_parsed_headers = genHeaders(data); auto parsed_headers = genHeaders(data);
if (!maybe_parsed_headers.ok()) return maybe_parsed_headers.passErr(); if (!parsed_headers.ok()) return parsed_headers.passErr();
auto i_transaction_table = Singleton::Consume<I_TableSpecific<SessionID>>::by<NginxAttachment>(); auto i_transaction_table = Singleton::Consume<I_TableSpecific<SessionID>>::by<NginxAttachment>();
auto parsed_headers = maybe_parsed_headers.unpack();
NginxAttachmentOpaque &opaque = i_transaction_table->getState<NginxAttachmentOpaque>();
if (is_keep_alive_ctx || !ignored_headers.empty()) { for (const HttpHeader &header : *parsed_headers) {
bool is_last_header_removed = false;
parsed_headers.erase(
remove_if(
parsed_headers.begin(),
parsed_headers.end(),
[&opaque, &is_last_header_removed, &ignored_headers](const HttpHeader &header)
{
string hdr_key = static_cast<string>(header.getKey());
string hdr_val = static_cast<string>(header.getValue());
if (
opaque.setKeepAliveCtx(hdr_key, hdr_val)
|| ignored_headers.find(hdr_key) != ignored_headers.end()
) {
dbgTrace(D_NGINX_ATTACHMENT_PARSER) << "Header was removed from headers list: " << hdr_key;
if (header.isLastHeader()) {
dbgTrace(D_NGINX_ATTACHMENT_PARSER) << "Last header was removed from headers list";
is_last_header_removed = true;
}
return true;
}
return false;
}
),
parsed_headers.end()
);
if (is_last_header_removed) {
dbgTrace(D_NGINX_ATTACHMENT_PARSER) << "Adjusting last header flag";
if (!parsed_headers.empty()) parsed_headers.back().setIsLastHeader();
}
}
for (const HttpHeader &header : parsed_headers) {
auto source_identifiers = getConfigurationWithDefault<UsersAllIdentifiersConfig>( auto source_identifiers = getConfigurationWithDefault<UsersAllIdentifiersConfig>(
UsersAllIdentifiersConfig(), UsersAllIdentifiersConfig(),
"rulebase", "rulebase",
"usersIdentifiers" "usersIdentifiers"
); );
source_identifiers.parseRequestHeaders(header); source_identifiers.parseRequestHeaders(header);
NginxAttachmentOpaque &opaque = i_transaction_table->getState<NginxAttachmentOpaque>();
opaque.addToSavedData( opaque.addToSavedData(
HttpTransactionData::req_headers, HttpTransactionData::req_headers,
static_cast<string>(header.getKey()) + ": " + static_cast<string>(header.getValue()) + "\r\n" static_cast<string>(header.getKey()) + ": " + static_cast<string>(header.getValue()) + "\r\n"
); );
const auto &header_key = header.getKey(); if (NginxParser::tenant_header_key == header.getKey()) {
if (NginxParser::tenant_header_key == header_key) {
dbgDebug(D_NGINX_ATTACHMENT_PARSER) dbgDebug(D_NGINX_ATTACHMENT_PARSER)
<< "Identified active tenant header. Key: " << "Identified active tenant header. Key: "
<< dumpHex(header_key) << dumpHex(header.getKey())
<< ", Value: " << ", Value: "
<< dumpHex(header.getValue()); << dumpHex(header.getValue());
auto active_tenant_and_profile = getActivetenantAndProfile(header.getValue()); auto active_tenant_and_profile = getActivetenantAndProfile(header.getValue());
opaque.setSessionTenantAndProfile(active_tenant_and_profile[0], active_tenant_and_profile[1]); opaque.setSessionTenantAndProfile(active_tenant_and_profile[0], active_tenant_and_profile[1]);
} else if (proxy_ip_header_key == header_key) { } else if (proxy_ip_header_key == header.getKey()) {
source_identifiers.setXFFValuesToOpaqueCtx(header, UsersAllIdentifiersConfig::ExtractType::PROXYIP); source_identifiers.setXFFValuesToOpaqueCtx(header, UsersAllIdentifiersConfig::ExtractType::PROXYIP);
} else if (waf_tag_key == header_key) {
source_identifiers.setWafTagValuesToOpaqueCtx(header);
} }
} }

5
components/attachment-intakers/nginx_attachment/nginx_parser.h
View File

@ -28,10 +28,7 @@ public:
static Maybe<HttpTransactionData> parseStartTrasaction(const Buffer &data); static Maybe<HttpTransactionData> parseStartTrasaction(const Buffer &data);
static Maybe<ResponseCode> parseResponseCode(const Buffer &data); static Maybe<ResponseCode> parseResponseCode(const Buffer &data);
static Maybe<uint64_t> parseContentLength(const Buffer &data); static Maybe<uint64_t> parseContentLength(const Buffer &data);
static Maybe<std::vector<HttpHeader>> parseRequestHeaders( static Maybe<std::vector<HttpHeader>> parseRequestHeaders(const Buffer &data);
const Buffer &data,
const std::unordered_set<std::string> &ignored_headers
);
static Maybe<std::vector<HttpHeader>> parseResponseHeaders(const Buffer &data); static Maybe<std::vector<HttpHeader>> parseResponseHeaders(const Buffer &data);
static Maybe<HttpBody> parseRequestBody(const Buffer &data); static Maybe<HttpBody> parseRequestBody(const Buffer &data);
static Maybe<HttpBody> parseResponseBody(const Buffer &raw_response_body, CompressionStream *compression_stream); static Maybe<HttpBody> parseResponseBody(const Buffer &raw_response_body, CompressionStream *compression_stream);

59
components/attachment-intakers/nginx_attachment/user_identifiers_config.cc
View File

@ -282,39 +282,21 @@ isIpTrusted(const string &value, const vector<CIDRSData> &cidr_values)
} }
Maybe<string> Maybe<string>
UsersAllIdentifiersConfig::parseXForwardedFor(const string &str, ExtractType type) const UsersAllIdentifiersConfig::parseXForwardedFor(const string &str) const
{ {
vector<string> header_values = split(str); vector<string> header_values = split(str);
if (header_values.empty()) return genError("No IP found in the xff header list"); if (header_values.empty()) return genError("No IP found in the xff header list");
vector<string> xff_values = getHeaderValuesFromConfig("x-forwarded-for"); vector<string> xff_values = getHeaderValuesFromConfig("x-forwarded-for");
vector<CIDRSData> cidr_values(xff_values.begin(), xff_values.end()); vector<CIDRSData> cidr_values(xff_values.begin(), xff_values.end());
string last_valid_ip;
for (auto it = header_values.rbegin(); it != header_values.rend() - 1; ++it) { for (const string &value : header_values) {
if (!IPAddr::createIPAddr(*it).ok()) { if (!IPAddr::createIPAddr(value).ok()) {
dbgWarning(D_NGINX_ATTACHMENT_PARSER) << "Invalid IP address found in the xff header IPs list: " << *it; dbgWarning(D_NGINX_ATTACHMENT_PARSER) << "Invalid IP address found in the xff header IPs list: " << value;
if (last_valid_ip.empty()) { return genError("Invalid IP address");
return genError("Invalid IP address");
}
return last_valid_ip;
} }
last_valid_ip = *it; if (!isIpTrusted(value, cidr_values)) return genError("Untrusted Ip found");
if (type == ExtractType::PROXYIP) continue;
if (!isIpTrusted(*it, cidr_values)) {
dbgDebug(D_NGINX_ATTACHMENT_PARSER) << "Found untrusted IP in the xff header IPs list: " << *it;
return *it;
}
}
if (!IPAddr::createIPAddr(header_values[0]).ok()) {
dbgWarning(D_NGINX_ATTACHMENT_PARSER)
<< "Invalid IP address found in the xff header IPs list: "
<< header_values[0];
if (last_valid_ip.empty()) {
return genError("No Valid Ip address was found");
}
return last_valid_ip;
} }
return header_values[0]; return header_values[0];
@ -330,7 +312,7 @@ UsersAllIdentifiersConfig::setXFFValuesToOpaqueCtx(const HttpHeader &header, Ext
return; return;
} }
NginxAttachmentOpaque &opaque = i_transaction_table->getState<NginxAttachmentOpaque>(); NginxAttachmentOpaque &opaque = i_transaction_table->getState<NginxAttachmentOpaque>();
auto value = parseXForwardedFor(header.getValue(), type); auto value = parseXForwardedFor(header.getValue());
if (!value.ok()) { if (!value.ok()) {
dbgTrace(D_NGINX_ATTACHMENT_PARSER) << "Could not extract source identifier from X-Forwarded-For header"; dbgTrace(D_NGINX_ATTACHMENT_PARSER) << "Could not extract source identifier from X-Forwarded-For header";
return; return;
@ -339,13 +321,12 @@ UsersAllIdentifiersConfig::setXFFValuesToOpaqueCtx(const HttpHeader &header, Ext
if (type == ExtractType::SOURCEIDENTIFIER) { if (type == ExtractType::SOURCEIDENTIFIER) {
opaque.setSourceIdentifier(header.getKey(), value.unpack()); opaque.setSourceIdentifier(header.getKey(), value.unpack());
dbgDebug(D_NGINX_ATTACHMENT_PARSER) dbgDebug(D_NGINX_ATTACHMENT_PARSER)
<< "Added source identifier from XFF header" << "Added source identifir to XFF "
<< value.unpack(); << value.unpack();
opaque.setSavedData(HttpTransactionData::xff_vals_ctx, header.getValue()); opaque.setSavedData(HttpTransactionData::xff_vals_ctx, header.getValue());
opaque.setSavedData(HttpTransactionData::source_identifier, value.unpack());
dbgTrace(D_NGINX_ATTACHMENT_PARSER) dbgTrace(D_NGINX_ATTACHMENT_PARSER)
<< "XFF found, set ctx with value from header: " << "XFF found, set ctx with value from header: "
<< static_cast<string>(header.getValue()); << static_cast<string>(header.getValue());
} else { } else {
opaque.setSavedData(HttpTransactionData::proxy_ip_ctx, value.unpack()); opaque.setSavedData(HttpTransactionData::proxy_ip_ctx, value.unpack());
} }
@ -366,24 +347,6 @@ UsersAllIdentifiersConfig::setCustomHeaderToOpaqueCtx(const HttpHeader &header)
return; return;
} }
void
UsersAllIdentifiersConfig::setWafTagValuesToOpaqueCtx(const HttpHeader &header) const
{
auto i_transaction_table = Singleton::Consume<I_TableSpecific<SessionID>>::by<NginxAttachment>();
if (!i_transaction_table || !i_transaction_table->hasState<NginxAttachmentOpaque>()) {
dbgDebug(D_NGINX_ATTACHMENT_PARSER) << "Can't get the transaction table";
return;
}
NginxAttachmentOpaque &opaque = i_transaction_table->getState<NginxAttachmentOpaque>();
opaque.setSavedData(HttpTransactionData::waf_tag_ctx, static_cast<string>(header.getValue()));
dbgDebug(D_NGINX_ATTACHMENT_PARSER)
<< "Added waf tag to context: "
<< static_cast<string>(header.getValue());
return;
}
Maybe<string> Maybe<string>
UsersAllIdentifiersConfig::parseCookieElement( UsersAllIdentifiersConfig::parseCookieElement(
const string::const_iterator &start, const string::const_iterator &start,

8
components/http_manager/http_manager.cc
View File

@ -15,18 +15,19 @@
#include <string> #include <string>
#include <map> #include <map>
#include <sys/stat.h>
#include <climits>
#include <unordered_map> #include <unordered_map>
#include <unordered_set> #include <boost/range/iterator_range.hpp>
#include <boost/algorithm/string.hpp>
#include <fstream> #include <fstream>
#include <algorithm> #include <algorithm>
#include "common.h" #include "common.h"
#include "config.h" #include "config.h"
#include "table_opaque.h"
#include "http_manager_opaque.h" #include "http_manager_opaque.h"
#include "log_generator.h" #include "log_generator.h"
#include "http_inspection_events.h" #include "http_inspection_events.h"
#include "agent_core_utilities.h"
USE_DEBUG_FLAG(D_HTTP_MANAGER); USE_DEBUG_FLAG(D_HTTP_MANAGER);
@ -94,7 +95,6 @@ public:
HttpManagerOpaque &state = i_transaction_table->getState<HttpManagerOpaque>(); HttpManagerOpaque &state = i_transaction_table->getState<HttpManagerOpaque>();
string event_key = static_cast<string>(event.getKey()); string event_key = static_cast<string>(event.getKey());
if (event_key == getProfileAgentSettingWithDefault<string>("", "agent.customHeaderValueLogging")) { if (event_key == getProfileAgentSettingWithDefault<string>("", "agent.customHeaderValueLogging")) {
string event_value = static_cast<string>(event.getValue()); string event_value = static_cast<string>(event.getValue());
dbgTrace(D_HTTP_MANAGER) dbgTrace(D_HTTP_MANAGER)

45
components/include/central_nginx_manager.h
View File

@ -1,45 +0,0 @@
// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef __CENTRAL_NGINX_MANAGER_H__
#define __CENTRAL_NGINX_MANAGER_H__
#include "component.h"
#include "singleton.h"
#include "i_messaging.h"
#include "i_rest_api.h"
#include "i_mainloop.h"
#include "i_agent_details.h"
class CentralNginxManager
:
public Component,
Singleton::Consume<I_RestApi>,
Singleton::Consume<I_Messaging>,
Singleton::Consume<I_MainLoop>,
Singleton::Consume<I_AgentDetails>
{
public:
CentralNginxManager();
~CentralNginxManager();
void preload() override;
void init() override;
void fini() override;
private:
class Impl;
std::unique_ptr<Impl> pimpl;
};
#endif // __CENTRAL_NGINX_MANAGER_H__

12
core/include/services_sdk/resources/env_details.h → components/include/env_details.h
View File

@ -21,29 +21,21 @@
#include "i_env_details.h" #include "i_env_details.h"
#include "singleton.h" #include "singleton.h"
#include "debug.h" #include "debug.h"
#include "component.h"
class EnvDetails class EnvDetails : Singleton::Provide<I_EnvDetails>::SelfInterface
:
public Component,
Singleton::Provide<I_EnvDetails>::SelfInterface
{ {
public: public:
EnvDetails(); EnvDetails();
virtual EnvType getEnvType() override; virtual EnvType getEnvType() override;
virtual std::string getToken() override; virtual std::string getToken() override;
virtual std::string getNameSpace() override;
private: private:
std::string retrieveToken(); std::string retrieveToken();
std::string retrieveNamespace();
std::string readFileContent(const std::string &file_path); std::string readFileContent(const std::string &file_path);
bool doesFileExist(const std::string &file_path) const;
std::string token; std::string token;
std::string agent_namespace; EnvType env_type;
EnvType env_type = EnvType::LINUX;
}; };
#endif // __ENV_DETAILS_H__ #endif // __ENV_DETAILS_H__

13
components/include/generic_rulebase/evaluators/http_transaction_data_eval.h
View File

@ -45,19 +45,6 @@ private:
std::string host; std::string host;
}; };
class EqualWafTag : public EnvironmentEvaluator<bool>, Singleton::Consume<I_Environment>
{
public:
EqualWafTag(const std::vector<std::string> &params);
static std::string getName() { return "EqualWafTag"; }
Maybe<bool, Context::Error> evalVariable() const override;
private:
std::string waf_tag;
};
class EqualListeningIP : public EnvironmentEvaluator<bool>, Singleton::Consume<I_Environment> class EqualListeningIP : public EnvironmentEvaluator<bool>, Singleton::Consume<I_Environment>
{ {
public: public:

2
components/include/generic_rulebase/match_query.h
View File

@ -91,7 +91,7 @@ private:
bool matchAttributesString(const std::set<std::string> &values) const; bool matchAttributesString(const std::set<std::string> &values) const;
bool matchAttributesIp(const std::set<std::string> &values) const; bool matchAttributesIp(const std::set<std::string> &values) const;
bool isRegEx() const; bool isRegEx() const;
void sortAndMergeIpRangesValues(); bool isIP() const;
MatchType type; MatchType type;
Operators operator_type; Operators operator_type;

1
components/include/http_event_impl/i_http_event_impl.h
View File

@ -239,7 +239,6 @@ public:
const Buffer & getValue() const { return value; } const Buffer & getValue() const { return value; }
bool isLastHeader() const { return is_last_header; } bool isLastHeader() const { return is_last_header; }
void setIsLastHeader() { is_last_header = true; }
uint8_t getHeaderIndex() const { return header_index; } uint8_t getHeaderIndex() const { return header_index; }
private: private:

1
components/include/http_transaction_data.h
View File

@ -137,7 +137,6 @@ public:
static const std::string source_identifier; static const std::string source_identifier;
static const std::string proxy_ip_ctx; static const std::string proxy_ip_ctx;
static const std::string xff_vals_ctx; static const std::string xff_vals_ctx;
static const std::string waf_tag_ctx;
static const CompressionType default_response_content_encoding; static const CompressionType default_response_content_encoding;

2
components/include/i_details_resolver.h
View File

@ -30,7 +30,7 @@ public:
virtual bool isVersionAboveR8110() = 0; virtual bool isVersionAboveR8110() = 0;
virtual bool isReverseProxy() = 0; virtual bool isReverseProxy() = 0;
virtual bool isCloudStorageEnabled() = 0; virtual bool isCloudStorageEnabled() = 0;
virtual Maybe<std::tuple<std::string, std::string, std::string, std::string>> parseNginxMetadata() = 0; virtual Maybe<std::tuple<std::string, std::string, std::string>> parseNginxMetadata() = 0;
virtual Maybe<std::tuple<std::string, std::string, std::string, std::string, std::string>> readCloudMetadata() = 0; virtual Maybe<std::tuple<std::string, std::string, std::string, std::string, std::string>> readCloudMetadata() = 0;
virtual std::map<std::string, std::string> getResolvedDetails() = 0; virtual std::map<std::string, std::string> getResolvedDetails() = 0;
#if defined(gaia) || defined(smb) #if defined(gaia) || defined(smb)

3
components/include/ip_utilities.h
View File

@ -28,9 +28,8 @@
// LCOV_EXCL_START Reason: temporary until we add relevant UT until 07/10 // LCOV_EXCL_START Reason: temporary until we add relevant UT until 07/10
bool operator<(const IpAddress &this_ip_addr, const IpAddress &other_ip_addr); bool operator<(const IpAddress &this_ip_addr, const IpAddress &other_ip_addr);
bool operator==(const IpAddress &this_ip_addr, const IpAddress &other_ip_addr); bool operator==(const IpAddress &this_ip_addr, const IpAddress &other_ip_addr);
bool operator<=(const IpAddress &this_ip_addr, const IpAddress &other_ip_addr);
bool operator<(const IPRange &range1, const IPRange &range2);
// LCOV_EXCL_STOP // LCOV_EXCL_STOP
Maybe<std::pair<std::string, int>> extractAddressAndMaskSize(const std::string &cidr); Maybe<std::pair<std::string, int>> extractAddressAndMaskSize(const std::string &cidr);

1
components/include/manifest_handler.h
View File

@ -62,7 +62,6 @@ public:
private: private:
Maybe<std::string> downloadPackage(const Package &package, bool is_clean_installation); Maybe<std::string> downloadPackage(const Package &package, bool is_clean_installation);
std::string getCurrentTimestamp();
std::string manifest_file_path; std::string manifest_file_path;
std::string temp_ext; std::string temp_ext;

28
components/include/nginx_message_reader.h
View File

@ -1,28 +0,0 @@
#ifndef __NGINX_MESSAGE_READER_H__
#define __NGINX_MESSAGE_READER_H__
#include "singleton.h"
#include "i_mainloop.h"
#include "i_socket_is.h"
#include "component.h"
class NginxMessageReader
:
public Component,
Singleton::Consume<I_MainLoop>,
Singleton::Consume<I_Socket>
{
public:
NginxMessageReader();
~NginxMessageReader();
void init() override;
void fini() override;
void preload() override;
private:
class Impl;
std::unique_ptr<Impl> pimpl;
};
#endif //__NGINX_MESSAGE_READER_H__

51
components/include/nginx_utils.h
View File

@ -1,51 +0,0 @@
// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef __NGINX_UTILS_H__
#define __NGINX_UTILS_H__
#include <string>
#include "maybe_res.h"
#include "singleton.h"
#include "i_shell_cmd.h"
class NginxConfCollector
{
public:
NginxConfCollector(const std::string &nginx_conf_input_path, const std::string &nginx_conf_output_path);
Maybe<std::string> generateFullNginxConf() const;
private:
std::vector<std::string> expandIncludes(const std::string &includePattern) const;
void processConfigFile(
const std::string &path,
std::ostringstream &conf_output,
std::vector<std::string> &errors
) const;
std::string main_conf_input_path;
std::string main_conf_output_path;
std::string main_conf_directory_path;
};
class NginxUtils : Singleton::Consume<I_ShellCmd>
{
public:
static std::string getModulesPath();
static std::string getMainNginxConfPath();
static Maybe<void> validateNginxConf(const std::string &nginx_conf_path);
static Maybe<void> reloadNginx(const std::string &nginx_conf_path);
};
#endif // __NGINX_UTILS_H__

30
components/include/prometheus_comp.h
View File

@ -1,30 +0,0 @@
#ifndef __PROMETHEUS_COMP_H__
#define __PROMETHEUS_COMP_H__
#include <memory>
#include "component.h"
#include "singleton.h"
#include "i_rest_api.h"
#include "i_messaging.h"
#include "generic_metric.h"
class PrometheusComp
:
public Component,
Singleton::Consume<I_RestApi>,
Singleton::Consume<I_Messaging>
{
public:
PrometheusComp();
~PrometheusComp();
void init() override;
private:
class Impl;
std::unique_ptr<Impl> pimpl;
};
#endif // __PROMETHEUS_COMP_H__

8
components/include/rate_limit.h
View File

@ -7,21 +7,15 @@
#include "singleton.h" #include "singleton.h"
#include "i_mainloop.h" #include "i_mainloop.h"
#include "i_environment.h" #include "i_environment.h"
#include "i_geo_location.h"
#include "i_generic_rulebase.h" #include "i_generic_rulebase.h"
#include "i_shell_cmd.h"
#include "i_env_details.h"
class RateLimit class RateLimit
: :
public Component, public Component,
Singleton::Consume<I_MainLoop>, Singleton::Consume<I_MainLoop>,
Singleton::Consume<I_TimeGet>, Singleton::Consume<I_TimeGet>,
Singleton::Consume<I_GeoLocation>,
Singleton::Consume<I_Environment>, Singleton::Consume<I_Environment>,
Singleton::Consume<I_GenericRulebase>, Singleton::Consume<I_GenericRulebase>
Singleton::Consume<I_ShellCmd>,
Singleton::Consume<I_EnvDetails>
{ {
public: public:
RateLimit(); RateLimit();

2
components/include/reverse_proxy_defaults.h
View File

@ -28,7 +28,7 @@ static const std::string default_nginx_config_file = "/etc/cp/conf/rpmanager/ngi
static const std::string default_prepare_nginx_config_file = "/etc/cp/conf/rpmanager/nginx_prepare.conf"; static const std::string default_prepare_nginx_config_file = "/etc/cp/conf/rpmanager/nginx_prepare.conf";
static const std::string default_global_conf_template = "/etc/cp/conf/rpmanager/nginx-conf-template"; static const std::string default_global_conf_template = "/etc/cp/conf/rpmanager/nginx-conf-template";
static const std::string default_nginx_config_include_file = static const std::string default_nginx_config_include_file =
"/etc/cp/conf/rpmanager/servers/00_nginx_conf_include.conf"; "/etc/cp/conf/rpmanager/servers/nginx_conf_include.conf";
static const std::string default_global_conf_include_template = static const std::string default_global_conf_include_template =
"/etc/cp/conf/rpmanager/nginx-conf-include-template"; "/etc/cp/conf/rpmanager/nginx-conf-include-template";
static const std::string default_global_conf_include_template_no_responses = static const std::string default_global_conf_include_template_no_responses =

49
components/include/telemetry.h
View File

@ -30,7 +30,6 @@
#include "generic_metric.h" #include "generic_metric.h"
#define LOGGING_INTERVAL_IN_MINUTES 10 #define LOGGING_INTERVAL_IN_MINUTES 10
USE_DEBUG_FLAG(D_WAAP);
enum class AssetType { API, WEB, ALL, COUNT }; enum class AssetType { API, WEB, ALL, COUNT };
class WaapTelemetryEvent : public Event<WaapTelemetryEvent> class WaapTelemetryEvent : public Event<WaapTelemetryEvent>
@ -133,7 +132,6 @@ private:
std::map<std::string, std::shared_ptr<T>>& telemetryMap std::map<std::string, std::shared_ptr<T>>& telemetryMap
) { ) {
if (!telemetryMap.count(asset_id)) { if (!telemetryMap.count(asset_id)) {
dbgTrace(D_WAAP) << "creating telemetry data for asset: " << data.assetName;
telemetryMap.emplace(asset_id, std::make_shared<T>()); telemetryMap.emplace(asset_id, std::make_shared<T>());
telemetryMap[asset_id]->init( telemetryMap[asset_id]->init(
telemetryName, telemetryName,
@ -141,9 +139,7 @@ private:
ReportIS::IssuingEngine::AGENT_CORE, ReportIS::IssuingEngine::AGENT_CORE,
std::chrono::minutes(LOGGING_INTERVAL_IN_MINUTES), std::chrono::minutes(LOGGING_INTERVAL_IN_MINUTES),
true, true,
ReportIS::Audience::SECURITY, ReportIS::Audience::SECURITY
false,
asset_id
); );
telemetryMap[asset_id]->template registerContext<std::string>( telemetryMap[asset_id]->template registerContext<std::string>(
@ -156,30 +152,29 @@ private:
std::string("Web Application"), std::string("Web Application"),
EnvKeyAttr::LogSection::SOURCE EnvKeyAttr::LogSection::SOURCE
); );
telemetryMap[asset_id]->template registerContext<std::string>(
"assetId",
asset_id,
EnvKeyAttr::LogSection::SOURCE
);
telemetryMap[asset_id]->template registerContext<std::string>(
"assetName",
data.assetName,
EnvKeyAttr::LogSection::SOURCE
);
telemetryMap[asset_id]->template registerContext<std::string>(
"practiceId",
data.practiceId,
EnvKeyAttr::LogSection::SOURCE
);
telemetryMap[asset_id]->template registerContext<std::string>(
"practiceName",
data.practiceName,
EnvKeyAttr::LogSection::SOURCE
);
telemetryMap[asset_id]->registerListener(); telemetryMap[asset_id]->registerListener();
} }
dbgTrace(D_WAAP) << "updating telemetry data for asset: " << data.assetName;
telemetryMap[asset_id]->template registerContext<std::string>(
"assetId",
asset_id,
EnvKeyAttr::LogSection::SOURCE
);
telemetryMap[asset_id]->template registerContext<std::string>(
"assetName",
data.assetName,
EnvKeyAttr::LogSection::SOURCE
);
telemetryMap[asset_id]->template registerContext<std::string>(
"practiceId",
data.practiceId,
EnvKeyAttr::LogSection::SOURCE
);
telemetryMap[asset_id]->template registerContext<std::string>(
"practiceName",
data.practiceName,
EnvKeyAttr::LogSection::SOURCE
);
} }
}; };

3
components/include/user_identifiers_config.h
View File

@ -30,7 +30,6 @@ public:
void parseRequestHeaders(const HttpHeader &header) const; void parseRequestHeaders(const HttpHeader &header) const;
std::vector<std::string> getHeaderValuesFromConfig(const std::string &header_key) const; std::vector<std::string> getHeaderValuesFromConfig(const std::string &header_key) const;
void setXFFValuesToOpaqueCtx(const HttpHeader &header, ExtractType type) const; void setXFFValuesToOpaqueCtx(const HttpHeader &header, ExtractType type) const;
void setWafTagValuesToOpaqueCtx(const HttpHeader &header) const;
private: private:
class UsersIdentifiersConfig class UsersIdentifiersConfig
@ -59,7 +58,7 @@ private:
const std::string::const_iterator &end, const std::string::const_iterator &end,
const std::string &key) const; const std::string &key) const;
Buffer extractKeyValueFromCookie(const std::string &cookie_value, const std::string &key) const; Buffer extractKeyValueFromCookie(const std::string &cookie_value, const std::string &key) const;
Maybe<std::string> parseXForwardedFor(const std::string &str, ExtractType type) const; Maybe<std::string> parseXForwardedFor(const std::string &str) const;
std::vector<UsersIdentifiersConfig> user_identifiers; std::vector<UsersIdentifiersConfig> user_identifiers;
}; };

4
components/include/waap.h
View File

@ -33,7 +33,6 @@ class I_WaapAssetStatesManager;
class I_Messaging; class I_Messaging;
class I_AgentDetails; class I_AgentDetails;
class I_Encryptor; class I_Encryptor;
class I_WaapModelResultLogger;
const std::string WAAP_APPLICATION_NAME = "waap application"; const std::string WAAP_APPLICATION_NAME = "waap application";
@ -51,8 +50,7 @@ class WaapComponent
Singleton::Consume<I_AgentDetails>, Singleton::Consume<I_AgentDetails>,
Singleton::Consume<I_Messaging>, Singleton::Consume<I_Messaging>,
Singleton::Consume<I_Encryptor>, Singleton::Consume<I_Encryptor>,
Singleton::Consume<I_Environment>, Singleton::Consume<I_Environment>
Singleton::Consume<I_WaapModelResultLogger>
{ {
public: public:
WaapComponent(); WaapComponent();

3
components/nginx_message_reader/CMakeLists.txt
View File

@ -1,3 +0,0 @@
link_directories(${BOOST_ROOT}/lib)
add_library(nginx_message_reader nginx_message_reader.cc)

735
components/nginx_message_reader/nginx_message_reader.cc
View File

@ -1,735 +0,0 @@
#include "nginx_message_reader.h"
#include <string>
#include <boost/regex.hpp>
#include <boost/algorithm/string.hpp>
#include <boost/algorithm/string/regex.hpp>
#include "config.h"
#include "singleton.h"
#include "i_mainloop.h"
#include "enum_array.h"
#include "log_generator.h"
#include "maybe_res.h"
#include "http_transaction_data.h"
#include "generic_rulebase/rulebase_config.h"
#include "generic_rulebase/evaluators/asset_eval.h"
#include "generic_rulebase/triggers_config.h"
#include "agent_core_utilities.h"
#include "rate_limit_config.h"
USE_DEBUG_FLAG(D_NGINX_MESSAGE_READER);
using namespace std;
static const string syslog_regex_string = (
"<[0-9]+>([A-Z][a-z][a-z]\\s{1,2}\\d{1,2}\\s\\d{2}"
"[:]\\d{2}[:]\\d{2})\\s([\\w][\\w\\d\\.@-]*)\\s(nginx:)"
);
static const boost::regex socket_address_regex("(\\d+\\.\\d+\\.\\d+\\.\\d+):(\\d+)");
static const boost::regex syslog_regex(syslog_regex_string);
static const boost::regex alert_log_regex(
"("
+ syslog_regex_string + ") "
+ "(.+?\\[alert\\] )(.+?)"
", (client: .+?)"
", (server: .+?)"
", (request: \".+?\")"
", (upstream: \".+?\")"
", (host: \".+?\")$"
);
static const boost::regex error_log_regex(
"("
+ syslog_regex_string + ") "
+ "(.+?\\[error\\] )(.+?)"
", (client: .+?)"
", (server: .+?)"
", (request: \".+?\")"
", (upstream: \".+?\")"
", (host: \".+?\")$"
);
static const boost::regex server_regex("(\\d+\\.\\d+\\.\\d+\\.\\d+)|(\\w+\\.\\w+)");
static const boost::regex uri_regex("^/");
static const boost::regex port_regex("\\d+");
static const boost::regex response_code_regex("[0-9]{3}");
static const boost::regex http_method_regex("[A-Za-z]+");
class NginxMessageReader::Impl
{
public:
void
init()
{
dbgFlow(D_NGINX_MESSAGE_READER);
I_MainLoop *mainloop = Singleton::Consume<I_MainLoop>::by<NginxMessageReader>();
mainloop->addOneTimeRoutine(
I_MainLoop::RoutineType::System,
[this] ()
{
initSyslogServerSocket();
handleNginxLogs();
},
"Initialize nginx syslog",
true
);
}
void
preload()
{
registerConfigLoadCb([this]() { loadNginxMessageReaderConfig(); });
}
void
fini()
{
I_Socket *i_socket = Singleton::Consume<I_Socket>::by<NginxMessageReader>();
i_socket->closeSocket(syslog_server_socket);
}
void
loadNginxMessageReaderConfig()
{
rate_limit_status_code = getProfileAgentSettingWithDefault<string>(
"429",
"accessControl.rateLimit.returnCode"
);
dbgTrace(D_NGINX_MESSAGE_READER) << "Selected rate-limit status code: " << rate_limit_status_code;
}
private:
enum class LogInfo {
HTTP_METHOD,
URI,
RESPONSE_CODE,
HOST,
SOURCE,
DESTINATION_IP,
DESTINATION_PORT,
EVENT_MESSAGE,
ASSET_ID,
ASSET_NAME,
RULE_NAME,
RULE_ID,
COUNT
};
void
initSyslogServerSocket()
{
dbgFlow(D_NGINX_MESSAGE_READER);
I_MainLoop *mainloop = Singleton::Consume<I_MainLoop>::by<NginxMessageReader>();
I_Socket *i_socket = Singleton::Consume<I_Socket>::by<NginxMessageReader>();
string nginx_syslog_server_address = getProfileAgentSettingWithDefault<string>(
"127.0.0.1:1514",
"reverseProxy.nginx.syslogAddress"
);
dbgInfo(D_NGINX_MESSAGE_READER) << "Attempting to open a socket: " << nginx_syslog_server_address;
do {
Maybe<I_Socket::socketFd> new_socket = i_socket->genSocket(
I_Socket::SocketType::UDP,
false,
true,
nginx_syslog_server_address
);
if (!new_socket.ok()) {
dbgError(D_NGINX_MESSAGE_READER) << "Failed to open a socket. Error: " << new_socket.getErr();
mainloop->yield(chrono::milliseconds(500));
continue;
}
if (new_socket.unpack() < 0) {
dbgError(D_NGINX_MESSAGE_READER)<< "Generated socket is OK yet negative";
mainloop->yield(chrono::milliseconds(500));
continue;
}
syslog_server_socket = new_socket.unpack();
dbgInfo(D_NGINX_MESSAGE_READER)
<< "Opened socket for nginx logs over syslog. Socket: "
<< syslog_server_socket;
} while (syslog_server_socket < 0);
}
void
handleNginxLogs()
{
dbgFlow(D_NGINX_MESSAGE_READER);
I_MainLoop::Routine read_logs =
[this] ()
{
Maybe<string> logs = getLogsFromSocket(syslog_server_socket);
if (!logs.ok()) {
dbgWarning(D_NGINX_MESSAGE_READER)
<< "Failed to get NGINX logs from the socket. Error: "
<< logs.getErr();
return;
}
string raw_logs_to_parse = logs.unpackMove();
vector<string> logs_to_parse = separateLogs(raw_logs_to_parse);
for (auto const &log: logs_to_parse) {
bool log_sent;
if (isAccessLog(log)) {
log_sent = sendAccessLog(log);
} else if (isAlertErrorLog(log) || isErrorLog(log)) {
log_sent = sendErrorLog(log);
} else {
dbgWarning(D_NGINX_MESSAGE_READER) << "Unexpected nginx log format";
continue;
}
if (!log_sent) {
dbgWarning(D_NGINX_MESSAGE_READER) << "Failed to send Log to Infinity Portal";
} else {
dbgTrace(D_NGINX_MESSAGE_READER) << "Succesfully sent nginx log to Infinity Portal";
}
}
};
I_MainLoop *mainloop = Singleton::Consume<I_MainLoop>::by<NginxMessageReader>();
mainloop->addFileRoutine(
I_MainLoop::RoutineType::RealTime,
syslog_server_socket,
read_logs,
"Process nginx logs",
true
);
}
bool
sendAccessLog(const string &log)
{
dbgFlow(D_NGINX_MESSAGE_READER) << "Access log" << log;
Maybe<EnumArray<LogInfo, string>> log_info = parseAccessLog(log);
if (!log_info.ok()) {
dbgWarning(D_NGINX_MESSAGE_READER)
<< "Failed parsing the NGINX logs. Error: "
<< log_info.getErr();
return false;
}
auto unpacked_log_info = log_info.unpack();
if (unpacked_log_info[LogInfo::RESPONSE_CODE] == rate_limit_status_code) {
return sendRateLimitLog(unpacked_log_info);
}
return sendLog(unpacked_log_info);
}
bool
sendErrorLog(const string &log)
{
dbgFlow(D_NGINX_MESSAGE_READER) << "Error log" << log;
Maybe<EnumArray<LogInfo, string>> log_info = parseErrorLog(log);
if (!log_info.ok()) {
dbgWarning(D_NGINX_MESSAGE_READER)
<< "Failed parsing the NGINX logs. Error: "
<< log_info.getErr();
return false;
}
return sendLog(log_info.unpack());
}
bool
isAccessLog(const string &log) const
{
dbgFlow(D_NGINX_MESSAGE_READER) << "Chekck if string contains \"accessLog\"" << log;
return log.find("accessLog") != string::npos;
}
bool
isAlertErrorLog(const string &log) const
{
dbgFlow(D_NGINX_MESSAGE_READER) << "Check if log is of type 'error log'. Log: " << log;
return log.find("[alert]") != string::npos;
}
bool
isErrorLog(const string &log) const
{
dbgFlow(D_NGINX_MESSAGE_READER) << "Check if log is of type 'error log'. Log: " << log;
return log.find("[error]") != string::npos;
}
bool
sendLog(const EnumArray<LogInfo, string> &log_info)
{
dbgFlow(D_NGINX_MESSAGE_READER);
string event_name;
switch (log_info[LogInfo::RESPONSE_CODE][0]) {
case '4': {
event_name = "Invalid request or incorrect reverse proxy configuration - Request dropped."
" Please check the reverse proxy configuration of your relevant assets";
break;
}
case '5': {
event_name = "AppSec Gateway reverse proxy error - Request dropped. "
"Please verify the reverse proxy configuration of your relevant assets. "
"If the issue persists please contact Check Point Support";
break;
}
default: {
dbgError(D_NGINX_MESSAGE_READER) << "Irrelevant status code";
return false;
}
}
dbgTrace(D_NGINX_MESSAGE_READER)
<< "Nginx log's event name and response code: "
<< event_name
<< ", "
<< log_info[LogInfo::RESPONSE_CODE];
LogGen log(
event_name,
ReportIS::Audience::SECURITY,
ReportIS::Severity::INFO,
ReportIS::Priority::LOW,
ReportIS::Tags::REVERSE_PROXY
);
log << LogField("eventConfidence", "High");
for (LogInfo field : makeRange<LogInfo>()) {
Maybe<string> string_field = convertLogFieldToString(field);
if (!string_field.ok()) {
dbgDebug(D_NGINX_MESSAGE_READER) << "Enum field was not converted: " << string_field.getErr();
return false;
}
if (field != LogInfo::DESTINATION_PORT) {
log << LogField(string_field.unpack(), log_info[field]);
continue;
}
try {
log << LogField(string_field.unpack(), stoi(log_info[field]));
} catch (const exception &e) {
dbgError(D_NGINX_MESSAGE_READER)
<< "Unable to convert port to numeric value: "
<< e.what();
log << LogField(string_field.unpack(), 0);
}
}
return true;
}
bool
sendRateLimitLog(const EnumArray<LogInfo, string> &log_info)
{
dbgFlow(D_NGINX_MESSAGE_READER) << "Getting rate-limit rules of asset ID: " << log_info[LogInfo::ASSET_ID];
ScopedContext rate_limit_ctx;
rate_limit_ctx.registerValue<GenericConfigId>(AssetMatcher::ctx_key, log_info[LogInfo::ASSET_ID]);
auto rate_limit_config = getConfiguration<RateLimitConfig>("rulebase", "rateLimit");
if (!rate_limit_config.ok()) {
dbgTrace(D_NGINX_MESSAGE_READER)
<< "Rate limit context does not match asset ID: " << log_info[LogInfo::ASSET_ID];
return false;
}
RateLimitConfig unpacked_rate_limit_config = rate_limit_config.unpack();
string nginx_uri = log_info[LogInfo::URI];
const LogTriggerConf &rate_limit_trigger = unpacked_rate_limit_config.getRateLimitTrigger(nginx_uri);
dbgTrace(D_NGINX_MESSAGE_READER)<< "About to generate NGINX rate-limit log";
string event_name = "Rate limit";
string security_action = "Drop";
bool is_log_required = false;
// Prevent events checkbox (in triggers)
if (rate_limit_trigger.isPreventLogActive(LogTriggerConf::SecurityType::AccessControl)) {
is_log_required = true;
}
if (!is_log_required) {
dbgTrace(D_NGINX_MESSAGE_READER) << "Not sending NGINX rate-limit log as it is not required";
return false;
}
ostringstream src_ip;
ostringstream dst_ip;
src_ip << log_info[LogInfo::SOURCE];
dst_ip << log_info[LogInfo::DESTINATION_IP];
ReportIS::Severity log_severity = ReportIS::Severity::MEDIUM;
ReportIS::Priority log_priority = ReportIS::Priority::MEDIUM;
LogGen log = rate_limit_trigger(
event_name,
LogTriggerConf::SecurityType::AccessControl,
log_severity,
log_priority,
true, // is drop
LogField("practiceType", "Rate Limit"),
ReportIS::Tags::RATE_LIMIT
);
for (LogInfo field : makeRange<LogInfo>()) {
Maybe<string> string_field = convertLogFieldToString(field);
if (!string_field.ok()) {
dbgDebug(D_NGINX_MESSAGE_READER) << "Enum field was not converted: " << string_field.getErr();
return false;
}
if (
field == LogInfo::HOST ||
field == LogInfo::URI ||
field == LogInfo::HTTP_METHOD ||
field == LogInfo::SOURCE ||
field == LogInfo::DESTINATION_IP ||
field == LogInfo::ASSET_ID ||
field == LogInfo::ASSET_NAME ||
field == LogInfo::RESPONSE_CODE
) {
if (!log_info[field].empty()) {
log << LogField(string_field.unpack(), log_info[field]);
continue;
}
}
if (field == LogInfo::DESTINATION_PORT) {
try {
int numeric_dst_port = stoi(log_info[field]);
log << LogField(string_field.unpack(), numeric_dst_port);
} catch (const exception &e) {
dbgWarning(D_NGINX_MESSAGE_READER)
<< "Unable to convert dst port: "
<< log_info[field]
<< " to numberic value. Error: "
<< e.what();
}
}
}
return true;
}
Maybe<string>
convertLogFieldToString(LogInfo field)
{
dbgFlow(D_NGINX_MESSAGE_READER);
switch (field) {
case LogInfo::HTTP_METHOD:
return string("httpMethod");
case LogInfo::URI:
return string("httpUriPath");
case LogInfo::RESPONSE_CODE:
return string("httpResponseCode");
case LogInfo::HOST:
return string("httpHostName");
case LogInfo::SOURCE:
return string("httpSourceId");
case LogInfo::DESTINATION_IP:
return string("destinationIp");
case LogInfo::DESTINATION_PORT:
return string("destinationPort");
case LogInfo::ASSET_ID:
return string("assetId");
case LogInfo::ASSET_NAME:
return string("assetName");
case LogInfo::EVENT_MESSAGE:
return string("httpResponseBody");
case LogInfo::RULE_ID:
return string("ruleId");
case LogInfo::RULE_NAME:
return string("ruleName");
case LogInfo::COUNT:
dbgError(D_NGINX_MESSAGE_READER) << "LogInfo::COUNT is not allowed";
return genError("LogInfo::COUNT is not allowed");
}
dbgError(D_NGINX_MESSAGE_READER) << "No Enum found, int value: " << static_cast<int>(field);
return genError("No Enum found");
}
static vector<string>
separateLogs(const string &raw_logs_to_parse)
{
dbgFlow(D_NGINX_MESSAGE_READER) << "separating logs. logs: " << raw_logs_to_parse;
dbgTrace(D_NGINX_MESSAGE_READER) << "separateLogs start of function. Logs to parse: " << raw_logs_to_parse;
boost::smatch matcher;
vector<string> logs;
if (raw_logs_to_parse.empty()) return logs;
size_t pos = 0;
while (NGEN::Regex::regexSearch(__FILE__, __LINE__, raw_logs_to_parse.substr(pos), matcher, syslog_regex)) {
if (pos == 0) {
dbgTrace(D_NGINX_MESSAGE_READER) << "separateLogs pos = 0";
pos++;
continue;
}
auto log_length = matcher.position();
logs.push_back(raw_logs_to_parse.substr(pos - 1, log_length));
pos += log_length + 1;
}
logs.push_back(raw_logs_to_parse.substr(pos - 1));
dbgTrace(D_NGINX_MESSAGE_READER) << "separateLogs end of function";
return logs;
}
static pair<string, string>
parseErrorLogRequestField(const string &request)
{
dbgFlow(D_NGINX_MESSAGE_READER) << "parsing request field. request: " << request;
string formatted_request = request;
vector<string> result;
boost::erase_all(formatted_request, "\"");
boost::erase_all(formatted_request, "\n");
boost::split(result, formatted_request, boost::is_any_of(" "), boost::token_compress_on);
const int http_method_index = 1;
const int uri_index = 2;
return pair<string, string>(result[http_method_index], result[uri_index]);
}
static string
parseErrorLogField(const string &field)
{
dbgFlow(D_NGINX_MESSAGE_READER) << "parsing error log field " << field;
string formatted_field = field;
vector<string> result;
boost::erase_all(formatted_field, "\"");
boost::erase_all(formatted_field, "\n");
boost::split(result, formatted_field, boost::is_any_of(" "), boost::token_compress_on);
const int field_index = 1;
return result[field_index];
}
void
addContextFieldsToLogInfo(EnumArray<LogInfo, string> &log_info)
{
dbgFlow(D_NGINX_MESSAGE_READER);
ScopedContext ctx;
try {
ctx.registerValue<uint16_t>(
HttpTransactionData::listening_port_ctx,
static_cast<uint16_t>(stoi(log_info[LogInfo::DESTINATION_PORT]))
);
} catch (const exception &e) {
dbgError(D_NGINX_MESSAGE_READER) << "Failed register values for context " << e.what();
}
ctx.registerValue<string>(HttpTransactionData::host_name_ctx, log_info[LogInfo::HOST]);
ctx.registerValue<string>(HttpTransactionData::uri_ctx, log_info[LogInfo::URI]);
auto rule_by_ctx = getConfiguration<BasicRuleConfig>("rulebase", "rulesConfig");
if (!rule_by_ctx.ok()) {
dbgWarning(D_NGINX_MESSAGE_READER)
<< "AssetId was not found by the given context. Reason: "
<< rule_by_ctx.getErr();
return;
}
BasicRuleConfig context = rule_by_ctx.unpack();
log_info[LogInfo::ASSET_ID] = context.getAssetId();
log_info[LogInfo::ASSET_NAME] = context.getAssetName();
log_info[LogInfo::RULE_ID] = context.getRuleId();
log_info[LogInfo::RULE_NAME] = context.getRuleName();
}
Maybe<EnumArray<LogInfo, string>>
parseErrorLog(const string &log_line)
{
dbgFlow(D_NGINX_MESSAGE_READER) << "Handling log line:" << log_line;
string port;
EnumArray<LogInfo, string> log_info(EnumArray<LogInfo, string>::Fill(), string(""));
boost::smatch matcher;
vector<string> result;
if (
!NGEN::Regex::regexSearch(
__FILE__,
__LINE__,
log_line,
matcher,
isAlertErrorLog(log_line) ? alert_log_regex : error_log_regex
)
) {
dbgWarning(D_NGINX_MESSAGE_READER) << "Unexpected nginx log format";
return genError("Unexpected nginx log format");
}
const int event_message_index = 6;
const int source_index = 7;
const int request_index = 9;
const int host_index = 11;
string host = string(matcher[host_index].first, matcher[host_index].second);
string source = string(matcher[source_index].first, matcher[source_index].second);
string event_message = string(matcher[event_message_index].first, matcher[event_message_index].second);
string request = string(matcher[request_index].first, matcher[request_index].second);
host = parseErrorLogField(host);
source = parseErrorLogField(source);
pair<string, string> parsed_request = parseErrorLogRequestField(request);
string http_method = parsed_request.first;
string uri = parsed_request.second;
if (NGEN::Regex::regexSearch(__FILE__, __LINE__, host, matcher, socket_address_regex)) {
int host_index = 1;
int port_index = 2;
host = string(matcher[host_index].first, matcher[host_index].second);
port = string(matcher[port_index].first, matcher[port_index].second);
} else if (NGEN::Regex::regexSearch(__FILE__, __LINE__, host, matcher, boost::regex("https://"))) {
port = "443";
} else {
port = "80";
}
log_info[LogInfo::HOST] = host;
log_info[LogInfo::URI] = uri;
log_info[LogInfo::RESPONSE_CODE] = "500";
log_info[LogInfo::HTTP_METHOD] = http_method;
log_info[LogInfo::SOURCE] = source;
log_info[LogInfo::DESTINATION_IP] = host;
log_info[LogInfo::DESTINATION_PORT] = port;
log_info[LogInfo::EVENT_MESSAGE] = event_message;
addContextFieldsToLogInfo(log_info);
if (!validateLog(log_info)) {
dbgWarning(D_NGINX_MESSAGE_READER) << "Unexpected nginx log format";
return genError("Unexpected nginx log format");
}
return log_info;
}
Maybe<EnumArray<LogInfo, string>>
parseAccessLog(const string &log_line)
{
dbgFlow(D_NGINX_MESSAGE_READER) << "Parsing log line: " << log_line;
string formatted_log = log_line;
EnumArray<LogInfo, string> log_info(EnumArray<LogInfo, string>::Fill(), string(""));
vector<string> result;
boost::erase_all(formatted_log, "\"");
boost::erase_all(formatted_log, "\n");
boost::split(result, formatted_log, boost::is_any_of(" "), boost::token_compress_on);
const int valid_log_size = 20;
if (result.size() < valid_log_size) {
dbgWarning(D_NGINX_MESSAGE_READER) << "Unexpected nginx log format";
return genError("Unexpected nginx log format");
}
const int host_index = 6;
const int host_port_index = 7;
const int http_method_index = 13;
const int uri_index = 14;
const int response_cod_index = 16;
const int source_index = 8;
log_info[LogInfo::HOST] = result[host_index];
log_info[LogInfo::URI] = result[uri_index];
log_info[LogInfo::RESPONSE_CODE] = result[response_cod_index];
log_info[LogInfo::HTTP_METHOD] = result[http_method_index];
log_info[LogInfo::SOURCE] = result[source_index];
log_info[LogInfo::DESTINATION_IP] = result[host_index];
log_info[LogInfo::DESTINATION_PORT] = result[host_port_index];
log_info[LogInfo::EVENT_MESSAGE] = "Invalid request or incorrect reverse proxy configuration - "
"Request dropped. Please check the reverse proxy configuration of your relevant assets";
addContextFieldsToLogInfo(log_info);
if (!validateLog(log_info)) {
dbgWarning(D_NGINX_MESSAGE_READER) << "Unexpected nginx log format";
return genError("Unexpected nginx log format");
}
return log_info;
}
static bool
validateLog(const EnumArray<LogInfo, string> &log_info)
{
dbgFlow(D_NGINX_MESSAGE_READER);
boost::smatch matcher;
if (!NGEN::Regex::regexSearch(__FILE__, __LINE__, log_info[LogInfo::HOST], matcher, server_regex)) {
dbgTrace(D_NGINX_MESSAGE_READER) << "Could not validate server (Host): " << log_info[LogInfo::HOST];
return false;
}
if (!NGEN::Regex::regexSearch(__FILE__, __LINE__, log_info[LogInfo::URI], matcher, uri_regex)) {
dbgTrace(D_NGINX_MESSAGE_READER) << "Could not validate Uri: " << log_info[LogInfo::URI];
return false;
}
if (
!NGEN::Regex::regexSearch(
__FILE__,
__LINE__,
log_info[LogInfo::RESPONSE_CODE],
matcher, response_code_regex
)
) {
dbgTrace(D_NGINX_MESSAGE_READER)
<< "Could not validate response code: "
<< log_info[LogInfo::RESPONSE_CODE];
return false;
}
if (
!NGEN::Regex::regexSearch(__FILE__, __LINE__, log_info[LogInfo::HTTP_METHOD], matcher, http_method_regex)
) {
dbgTrace(D_NGINX_MESSAGE_READER) << "Could not validate HTTP method: " << log_info[LogInfo::HTTP_METHOD];
return false;
}
if (!NGEN::Regex::regexSearch(__FILE__, __LINE__, log_info[LogInfo::DESTINATION_PORT], matcher, port_regex)) {
dbgTrace(D_NGINX_MESSAGE_READER)
<< "Could not validate destination port : "
<< log_info[LogInfo::DESTINATION_PORT];
return false;
}
if (!NGEN::Regex::regexSearch(__FILE__, __LINE__, log_info[LogInfo::SOURCE], matcher, server_regex)) {
dbgTrace(D_NGINX_MESSAGE_READER) << "Could not validate source : " << log_info[LogInfo::SOURCE];
return false;
}
return true;
}
Maybe<string>
getLogsFromSocket(const I_Socket::socketFd &client_socket) const
{
dbgFlow(D_NGINX_MESSAGE_READER) << "Reading logs from socket. fd: " << client_socket;
I_Socket *i_socket = Singleton::Consume<I_Socket>::by<NginxMessageReader>();
Maybe<vector<char>> raw_log_data = i_socket->receiveData(client_socket, 0, false);
if (!raw_log_data.ok()) {
dbgWarning(D_NGINX_MESSAGE_READER) << "Error receiving data from socket";
return genError("Error receiving data from socket");
}
string raw_log(raw_log_data.unpack().begin(), raw_log_data.unpack().end());
return move(raw_log);
}
I_Socket::socketFd syslog_server_socket = -1;
string rate_limit_status_code = "429";
};
NginxMessageReader::NginxMessageReader() : Component("NginxMessageReader"), pimpl(make_unique<Impl>()) {}
NginxMessageReader::~NginxMessageReader() {}
void
NginxMessageReader::init()
{
pimpl->init();
}
void
NginxMessageReader::preload()
{
pimpl->preload();
}
void
NginxMessageReader::fini()
{
pimpl->fini();
}

2
components/security_apps/CMakeLists.txt
View File

@ -3,7 +3,5 @@ add_subdirectory(ips)
add_subdirectory(layer_7_access_control) add_subdirectory(layer_7_access_control)
add_subdirectory(local_policy_mgmt_gen) add_subdirectory(local_policy_mgmt_gen)
add_subdirectory(orchestration) add_subdirectory(orchestration)
add_subdirectory(prometheus)
add_subdirectory(rate_limit) add_subdirectory(rate_limit)
add_subdirectory(waap) add_subdirectory(waap)
add_subdirectory(central_nginx_manager)

3
components/security_apps/central_nginx_manager/CMakeLists.txt
View File

@ -1,3 +0,0 @@
include_directories(include)
add_library(central_nginx_manager central_nginx_manager.cc lets_encrypt_listener.cc)

418
components/security_apps/central_nginx_manager/central_nginx_manager.cc
View File

@ -1,418 +0,0 @@
// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "central_nginx_manager.h"
#include "lets_encrypt_listener.h"
#include <string>
#include <vector>
#include <cereal/external/base64.hpp>
#include "debug.h"
#include "config.h"
#include "rest.h"
#include "log_generator.h"
#include "nginx_utils.h"
#include "agent_core_utilities.h"
using namespace std;
USE_DEBUG_FLAG(D_NGINX_MANAGER);
class CentralNginxConfig
{
public:
void load(cereal::JSONInputArchive &ar)
{
try {
string nginx_conf_base64;
ar(cereal::make_nvp("id", file_id));
ar(cereal::make_nvp("name", file_name));
ar(cereal::make_nvp("data", nginx_conf_base64));
nginx_conf_content = cereal::base64::decode(nginx_conf_base64);
central_nginx_conf_path = getCentralNginxConfPath();
shared_config_path = getSharedConfigPath();
if (!nginx_conf_content.empty()) configureCentralNginx();
} catch (const cereal::Exception &e) {
dbgDebug(D_NGINX_MANAGER) << "Could not load Central Management Config JSON. Error: " << e.what();
ar.setNextName(nullptr);
}
}
const string & getFileId() const { return file_id; }
const string & getFileName() const { return file_name; }
const string & getFileContent() const { return nginx_conf_content; }
static string
getCentralNginxConfPath()
{
string central_nginx_conf_path = getProfileAgentSettingWithDefault<string>(
string("/tmp/central_nginx.conf"),
"centralNginxManagement.confDownloadPath"
);
dbgInfo(D_NGINX_MANAGER) << "Central NGINX configuration path: " << central_nginx_conf_path;
return central_nginx_conf_path;
}
static string
getSharedConfigPath()
{
string central_shared_conf_path = getConfigurationWithDefault<string>(
"/etc/cp/conf",
"Config Component",
"configuration path"
);
central_shared_conf_path += "/centralNginxManager/shared/central_nginx_shared.conf";
dbgInfo(D_NGINX_MANAGER) << "Shared NGINX configuration path: " << central_shared_conf_path;
return central_shared_conf_path;
}
private:
void
loadAttachmentModule()
{
string attachment_module_path = NginxUtils::getModulesPath() + "/ngx_cp_attachment_module.so";
if (!NGEN::Filesystem::exists(attachment_module_path)) {
dbgTrace(D_NGINX_MANAGER) << "Attachment module " << attachment_module_path << " does not exist";
return;
}
string attachment_module_conf = "load_module " + attachment_module_path + ";";
if (nginx_conf_content.find(attachment_module_conf) != string::npos) {
dbgTrace(D_NGINX_MANAGER) << "Attachment module " << attachment_module_path << " already loaded";
return;
}
nginx_conf_content = attachment_module_conf + "\n" + nginx_conf_content;
}
Maybe<void>
loadSharedDirective(const string &directive)
{
dbgFlow(D_NGINX_MANAGER) << "Loading shared directive into the servers " << directive;
if (!NGEN::Filesystem::copyFile(shared_config_path, shared_config_path + ".bak", true)) {
return genError("Could not create a backup of the shared NGINX configuration file");
}
ifstream shared_config(shared_config_path);
if (!shared_config.is_open()) {
return genError("Could not open shared NGINX configuration file");
}
string shared_config_content((istreambuf_iterator<char>(shared_config)), istreambuf_iterator<char>());
shared_config.close();
if (shared_config_content.find(directive) != string::npos) {
dbgTrace(D_NGINX_MANAGER) << "Shared directive " << directive << " already loaded";
return {};
}
ofstream new_shared_config(shared_config_path, ios::app);
if (!new_shared_config.is_open()) {
return genError("Could not open shared NGINX configuration file");
}
dbgTrace(D_NGINX_MANAGER) << "Adding shared directive " << directive;
new_shared_config << directive << "\n";
new_shared_config.close();
auto validation = NginxUtils::validateNginxConf(central_nginx_conf_path);
if (!validation.ok()) {
if (!NGEN::Filesystem::copyFile(shared_config_path + ".bak", shared_config_path, true)) {
return genError("Could not restore the shared NGINX configuration file");
}
return genError("Could not validate shared NGINX configuration file. Error: " + validation.getErr());
}
return {};
}
Maybe<void>
loadSharedConfig()
{
dbgFlow(D_NGINX_MANAGER) << "Loading shared configuration into the servers";
ofstream shared_config(shared_config_path);
if (!shared_config.is_open()) {
return genError("Could not create shared NGINX configuration file");
}
shared_config.close();
string shared_config_directive = "include " + shared_config_path + ";\n";
boost::regex server_regex("server\\s*\\{");
nginx_conf_content = NGEN::Regex::regexReplace(
__FILE__,
__LINE__,
nginx_conf_content,
server_regex,
"server {\n" + shared_config_directive
);
ofstream nginx_conf_file(central_nginx_conf_path);
if (!nginx_conf_file.is_open()) {
return genError("Could not open a temporary central NGINX configuration file");
}
nginx_conf_file << nginx_conf_content;
nginx_conf_file.close();
auto validation = NginxUtils::validateNginxConf(central_nginx_conf_path);
if (!validation.ok()) {
return genError("Could not validate central NGINX configuration file. Error: " + validation.getErr());
}
return {};
}
Maybe<void>
configureSyslog()
{
if (!getProfileAgentSettingWithDefault<bool>(false, "centralNginxManagement.syslogEnabled")) {
dbgTrace(D_NGINX_MANAGER) << "Syslog is disabled via settings";
return {};
}
string syslog_directive = "error_log syslog:server=127.0.0.1:1514 warn;";
auto load_shared_directive_result = loadSharedDirective(syslog_directive);
if (!load_shared_directive_result.ok()) {
return genError("Could not configure syslog directive, error: " + load_shared_directive_result.getErr());
}
return {};
}
Maybe<void>
saveBaseCentralNginxConf()
{
ofstream central_nginx_conf_base_file(central_nginx_conf_path + ".base");
if (!central_nginx_conf_base_file.is_open()) {
return genError("Could not open a temporary central NGINX configuration file");
}
central_nginx_conf_base_file << nginx_conf_content;
central_nginx_conf_base_file.close();
return {};
}
void
configureCentralNginx()
{
loadAttachmentModule();
auto save_base_nginx_conf = saveBaseCentralNginxConf();
if (!save_base_nginx_conf.ok()) {
dbgWarning(D_NGINX_MANAGER)
<< "Could not save base NGINX configuration. Error: "
<< save_base_nginx_conf.getErr();
return;
}
string nginx_conf_content_backup = nginx_conf_content;
auto shared_config_result = loadSharedConfig();
if (!shared_config_result.ok()) {
dbgWarning(D_NGINX_MANAGER)
<< "Could not load shared configuration. Error: "
<< shared_config_result.getErr();
nginx_conf_content = nginx_conf_content_backup;
return;
}
auto syslog_result = configureSyslog();
if (!syslog_result.ok()) {
dbgWarning(D_NGINX_MANAGER) << "Could not configure syslog. Error: " << syslog_result.getErr();
}
}
string file_id;
string file_name;
string nginx_conf_content;
string central_nginx_conf_path;
string shared_config_path;
};
class CentralNginxManager::Impl
{
public:
void
init()
{
dbgInfo(D_NGINX_MANAGER) << "Starting Central NGINX Manager";
string main_nginx_conf_path = NginxUtils::getMainNginxConfPath();
if (
NGEN::Filesystem::exists(main_nginx_conf_path)
&& !NGEN::Filesystem::exists(main_nginx_conf_path + ".orig")
) {
dbgInfo(D_NGINX_MANAGER) << "Creating a backup of the original main NGINX configuration file";
NGEN::Filesystem::copyFile(main_nginx_conf_path, main_nginx_conf_path + ".orig", true);
}
i_mainloop = Singleton::Consume<I_MainLoop>::by<CentralNginxManager>();
if (!lets_encrypt_listener.init()) {
dbgWarning(D_NGINX_MANAGER) << "Could not start Lets Encrypt Listener, scheduling retry";
i_mainloop->addOneTimeRoutine(
I_MainLoop::RoutineType::System,
[this] ()
{
while(!lets_encrypt_listener.init()) {
dbgWarning(D_NGINX_MANAGER) << "Could not start Lets Encrypt Listener, will retry";
i_mainloop->yield(chrono::seconds(5));
}
},
"Lets Encrypt Listener initializer",
false
);
}
}
void
loadPolicy()
{
auto central_nginx_config = getSetting<vector<CentralNginxConfig>>("centralNginxManagement");
if (!central_nginx_config.ok() || central_nginx_config.unpack().empty()) {
dbgWarning(D_NGINX_MANAGER)
<< "Could not load Central NGINX Management settings. Error: "
<< central_nginx_config.getErr();
return;
}
auto &config = central_nginx_config.unpack().front();
if (config.getFileContent().empty()) {
dbgWarning(D_NGINX_MANAGER) << "Empty NGINX configuration file";
return;
}
dbgTrace(D_NGINX_MANAGER)
<< "Handling Central NGINX Management settings: "
<< config.getFileId()
<< ", "
<< config.getFileName()
<< ", "
<< config.getFileContent();
string central_nginx_conf_path = config.getCentralNginxConfPath();
ofstream central_nginx_conf_file(central_nginx_conf_path);
if (!central_nginx_conf_file.is_open()) {
dbgWarning(D_NGINX_MANAGER)
<< "Could not open central NGINX configuration file: "
<< central_nginx_conf_path;
return;
}
central_nginx_conf_file << config.getFileContent();
central_nginx_conf_file.close();
auto validation_result = NginxUtils::validateNginxConf(central_nginx_conf_path);
if (!validation_result.ok()) {
dbgWarning(D_NGINX_MANAGER)
<< "Could not validate central NGINX configuration file. Error: "
<< validation_result.getErr();
logError(validation_result.getErr());
return;
}
dbgTrace(D_NGINX_MANAGER) << "Validated central NGINX configuration file";
auto reload_result = NginxUtils::reloadNginx(central_nginx_conf_path);
if (!reload_result.ok()) {
dbgWarning(D_NGINX_MANAGER)
<< "Could not reload central NGINX configuration. Error: "
<< reload_result.getErr();
logError("Could not reload central NGINX configuration. Error: " + reload_result.getErr());
return;
}
logInfo("Central NGINX configuration has been successfully reloaded");
}
void
fini()
{
string central_nginx_base_path = CentralNginxConfig::getCentralNginxConfPath() + ".base";
if (!NGEN::Filesystem::exists(central_nginx_base_path)) {
dbgWarning(D_NGINX_MANAGER) << "Could not find base NGINX configuration file: " << central_nginx_base_path;
return;
}
NginxUtils::reloadNginx(central_nginx_base_path);
}
private:
void
logError(const string &error)
{
LogGen log(
error,
ReportIS::Level::ACTION,
ReportIS::Audience::SECURITY,
ReportIS::Severity::CRITICAL,
ReportIS::Priority::URGENT,
ReportIS::Tags::POLICY_INSTALLATION
);
log.addToOrigin(LogField("eventTopic", "Central NGINX Management"));
log << LogField("notificationId", "4165c3b1-e9bc-44c3-888b-863e204c1bfb");
log << LogField(
"eventRemediation",
"Please verify your NGINX configuration and enforce policy again. "
"Contact Check Point support if the issue persists."
);
}
void
logInfo(const string &info)
{
LogGen log(
info,
ReportIS::Level::ACTION,
ReportIS::Audience::SECURITY,
ReportIS::Severity::INFO,
ReportIS::Priority::LOW,
ReportIS::Tags::POLICY_INSTALLATION
);
log.addToOrigin(LogField("eventTopic", "Central NGINX Management"));
log << LogField("notificationId", "4165c3b1-e9bc-44c3-888b-863e204c1bfb");
log << LogField("eventRemediation", "No action required");
}
I_MainLoop *i_mainloop = nullptr;
LetsEncryptListener lets_encrypt_listener;
};
CentralNginxManager::CentralNginxManager()
:
Component("Central NGINX Manager"),
pimpl(make_unique<CentralNginxManager::Impl>()) {}
CentralNginxManager::~CentralNginxManager() {}
void
CentralNginxManager::init()
{
pimpl->init();
}
void
CentralNginxManager::fini()
{
pimpl->fini();
}
void
CentralNginxManager::preload()
{
registerExpectedSetting<vector<CentralNginxConfig>>("centralNginxManagement");
registerExpectedConfiguration<string>("Config Component", "configuration path");
registerConfigLoadCb([this]() { pimpl->loadPolicy(); });
}

30
components/security_apps/central_nginx_manager/include/lets_encrypt_listener.h
View File

@ -1,30 +0,0 @@
// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef __LETS_ENCRYPT_HANDLER_H__
#define __LETS_ENCRYPT_HANDLER_H__
#include <string>
#include "maybe_res.h"
class LetsEncryptListener
{
public:
bool init();
private:
Maybe<std::string> getChallengeValue(const std::string &uri) const;
};
#endif // __LETS_ENCRYPT_HANDLER_H__

76
components/security_apps/central_nginx_manager/lets_encrypt_listener.cc
View File

@ -1,76 +0,0 @@
// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "lets_encrypt_listener.h"
#include <string>
#include "central_nginx_manager.h"
#include "debug.h"
using namespace std;
USE_DEBUG_FLAG(D_NGINX_MANAGER);
bool
LetsEncryptListener::init()
{
dbgInfo(D_NGINX_MANAGER) << "Starting Lets Encrypt Listener";
return Singleton::Consume<I_RestApi>::by<CentralNginxManager>()->addWildcardGetCall(
".well-known/acme-challenge/",
[&] (const string &uri) -> string
{
Maybe<string> maybe_challenge_value = getChallengeValue(uri);
if (!maybe_challenge_value.ok()) {
dbgWarning(D_NGINX_MANAGER)
<< "Could not get challenge value for uri: "
<< uri
<< ", error: "
<< maybe_challenge_value.getErr();
return string{""};
};
dbgTrace(D_NGINX_MANAGER) << "Got challenge value: " << maybe_challenge_value.unpack();
return maybe_challenge_value.unpack();
}
);
}
Maybe<string>
LetsEncryptListener::getChallengeValue(const string &uri) const
{
string challenge_key = uri.substr(uri.find_last_of('/') + 1);
string api_query = "/api/lets-encrypt-challenge?http_challenge_key=" + challenge_key;
dbgInfo(D_NGINX_MANAGER) << "Getting challenge value via: " << api_query;
MessageMetadata md;
md.insertHeader("X-Tenant-Id", Singleton::Consume<I_AgentDetails>::by<CentralNginxManager>()->getTenantId());
Maybe<HTTPResponse, HTTPResponse> maybe_http_challenge_value =
Singleton::Consume<I_Messaging>::by<CentralNginxManager>()->sendSyncMessage(
HTTPMethod::GET,
api_query,
string("{}"),
MessageCategory::GENERIC,
md
);
if (!maybe_http_challenge_value.ok()) return genError(maybe_http_challenge_value.getErr().getBody());
string challenge_value = maybe_http_challenge_value.unpack().getBody();
if (!challenge_value.empty() && challenge_value.front() == '"' && challenge_value.back() == '"') {
challenge_value = challenge_value.substr(1, challenge_value.size() - 2);
}
return challenge_value;
}

14
components/security_apps/http_geo_filter/http_geo_filter.cc
View File

@ -88,17 +88,9 @@ public:
dbgWarning(D_GEO_FILTER) << "failed to get source ip from env"; dbgWarning(D_GEO_FILTER) << "failed to get source ip from env";
return EventVerdict(default_action); return EventVerdict(default_action);
} }
auto source_ip = convertIpAddrToString(maybe_source_ip.unpack()); auto source_ip = convertIpAddrToString(maybe_source_ip.unpack());
ip_set.insert(source_ip);
// saas profile setting
bool ignore_source_ip =
getProfileAgentSettingWithDefault<bool>(false, "agent.geoProtaction.ignoreSourceIP");
if (ignore_source_ip){
dbgDebug(D_GEO_FILTER) << "Geo protection ignoring source ip: " << source_ip;
} else {
ip_set.insert(convertIpAddrToString(maybe_source_ip.unpack()));
}
ngx_http_cp_verdict_e exception_verdict = getExceptionVerdict(ip_set); ngx_http_cp_verdict_e exception_verdict = getExceptionVerdict(ip_set);
if (exception_verdict != ngx_http_cp_verdict_e::TRAFFIC_VERDICT_IRRELEVANT) { if (exception_verdict != ngx_http_cp_verdict_e::TRAFFIC_VERDICT_IRRELEVANT) {
@ -351,7 +343,7 @@ private:
auto asset_location = i_geo_location->lookupLocation(maybe_source_ip.unpack()); auto asset_location = i_geo_location->lookupLocation(maybe_source_ip.unpack());
if (!asset_location.ok()) { if (!asset_location.ok()) {
dbgDebug(D_GEO_FILTER) << "Lookup location failed for source: " << dbgWarning(D_GEO_FILTER) << "Lookup location failed for source: " <<
source << source <<
", Error: " << ", Error: " <<
asset_location.getErr(); asset_location.getErr();

7
components/security_apps/ips/include/ips_signatures.h
View File

@ -336,16 +336,9 @@ public:
return metadata.getYear(); return metadata.getYear();
} }
bool
isOk() const
{
return is_loaded;
}
private: private:
IPSSignatureMetaData metadata; IPSSignatureMetaData metadata;
std::shared_ptr<BaseSignature> rule; std::shared_ptr<BaseSignature> rule;
bool is_loaded;
}; };
/// \class SignatureAndAction /// \class SignatureAndAction

58
components/security_apps/ips/ips_signatures.cc
View File

@ -219,16 +219,10 @@ IPSSignatureMetaData::getYear() const
void void
CompleteSignature::load(cereal::JSONInputArchive &ar) CompleteSignature::load(cereal::JSONInputArchive &ar)
{ {
try { ar(cereal::make_nvp("protectionMetadata", metadata));
ar(cereal::make_nvp("protectionMetadata", metadata)); RuleDetection rule_detection(metadata.getName());
RuleDetection rule_detection(metadata.getName()); ar(cereal::make_nvp("detectionRules", rule_detection));
ar(cereal::make_nvp("detectionRules", rule_detection)); rule = rule_detection.getRule();
rule = rule_detection.getRule();
is_loaded = true;
} catch (cereal::Exception &e) {
is_loaded = false;
dbgWarning(D_IPS) << "Failed to load signature: " << e.what();
}
} }
MatchType MatchType
@ -373,16 +367,7 @@ SignatureAndAction::matchSilent(const Buffer &sample) const
if (method.ok()) log << LogField("httpMethod", method.unpack()); if (method.ok()) log << LogField("httpMethod", method.unpack());
auto path = env->get<Buffer>("HTTP_PATH_DECODED"); auto path = env->get<Buffer>("HTTP_PATH_DECODED");
if (path.ok()) { if (path.ok()) log << LogField("httpUriPath", getSubString(path, 1536), LogFieldOption::XORANDB64);
log << LogField("httpUriPath", getSubString(path, 1536), LogFieldOption::XORANDB64);
} else {
auto transaction_path = env->get<string>(HttpTransactionData::uri_path_decoded);
if (transaction_path.ok()) {
auto uri_path = transaction_path.unpack();
auto question_mark = uri_path.find('?');
log << LogField("httpUriPath", uri_path.substr(0, question_mark), LogFieldOption::XORANDB64);
}
}
auto req_header = ips_state.getTransactionData(IPSCommonTypes::requests_header_for_log); auto req_header = ips_state.getTransactionData(IPSCommonTypes::requests_header_for_log);
if (req_header.ok()) log << LogField("httpRequestHeaders", getSubString(req_header), LogFieldOption::XORANDB64); if (req_header.ok()) log << LogField("httpRequestHeaders", getSubString(req_header), LogFieldOption::XORANDB64);
@ -500,30 +485,13 @@ SignatureAndAction::isMatchedPrevent(const Buffer &context_buffer, const set<PMP
auto method = env->get<string>(HttpTransactionData::method_ctx); auto method = env->get<string>(HttpTransactionData::method_ctx);
if (method.ok()) log << LogField("httpMethod", method.unpack()); if (method.ok()) log << LogField("httpMethod", method.unpack());
uint max_size = getConfigurationWithDefault<uint>(1536, "IPS", "Max Field Size"); uint max_size = getConfigurationWithDefault<uint>(1536, "IPS", "Max Field Size");
auto path = env->get<Buffer>("HTTP_PATH_DECODED");
if (trigger.isWebLogFieldActive(url_path)) { if (path.ok() && trigger.isWebLogFieldActive(url_path)) {
auto path = env->get<Buffer>("HTTP_PATH_DECODED"); log << LogField("httpUriPath", getSubString(path, max_size), LogFieldOption::XORANDB64);
if (path.ok()) {
log << LogField("httpUriPath", getSubString(path, max_size), LogFieldOption::XORANDB64);
} else {
auto transaction_path = env->get<string>(HttpTransactionData::uri_path_decoded);
if (transaction_path.ok()) {
auto uri_path = transaction_path.unpack();
auto question_mark = uri_path.find('?');
log << LogField("httpUriPath", uri_path.substr(0, question_mark), LogFieldOption::XORANDB64);
}
}
} }
if (trigger.isWebLogFieldActive(url_query)) { auto query = env->get<Buffer>("HTTP_QUERY_DECODED");
auto query = env->get<Buffer>("HTTP_QUERY_DECODED"); if (query.ok() && trigger.isWebLogFieldActive(url_query)) {
if (query.ok()) { log << LogField("httpUriQuery", getSubString(query, max_size), LogFieldOption::XORANDB64);
log << LogField("httpUriQuery", getSubString(query, max_size), LogFieldOption::XORANDB64);
} else {
auto transaction_query = env->get<string>(HttpTransactionData::uri_query_decoded);
if (transaction_query.ok()) {
log << LogField("httpUriQuery", transaction_query.unpack());
}
}
} }
auto res_code = env->get<Buffer>("HTTP_RESPONSE_CODE"); auto res_code = env->get<Buffer>("HTTP_RESPONSE_CODE");
@ -565,9 +533,7 @@ IPSSignaturesResource::load(cereal::JSONInputArchive &ar)
all_signatures.reserve(sigs.size()); all_signatures.reserve(sigs.size());
for (auto &sig : sigs) { for (auto &sig : sigs) {
if (sig.isOk()) { all_signatures.emplace_back(make_shared<CompleteSignature>(move(sig)));
all_signatures.emplace_back(make_shared<CompleteSignature>(move(sig)));
}
} }
} }

38
components/security_apps/ips/ips_ut/signatures_ut.cc
View File

@ -104,12 +104,6 @@ public:
cereal::JSONInputArchive ar(ss); cereal::JSONInputArchive ar(ss);
high_medium_confidance_signatures.load(ar); high_medium_confidance_signatures.load(ar);
} }
{
stringstream ss;
ss << "[" << signature_performance_high << ", " << signature_broken << "]";
cereal::JSONInputArchive ar(ss);
single_broken_signature.load(ar);
}
} }
~SignatureTest() ~SignatureTest()
@ -256,7 +250,6 @@ public:
IPSSignaturesResource performance_signatures1; IPSSignaturesResource performance_signatures1;
IPSSignaturesResource performance_signatures2; IPSSignaturesResource performance_signatures2;
IPSSignaturesResource performance_signatures3; IPSSignaturesResource performance_signatures3;
IPSSignaturesResource single_broken_signature;
NiceMock<MockTable> table; NiceMock<MockTable> table;
MockAgg mock_agg; MockAgg mock_agg;
@ -490,26 +483,6 @@ private:
"\"context\": [\"HTTP_REQUEST_BODY\", \"HTTP_RESPONSE_BODY\"]" "\"context\": [\"HTTP_REQUEST_BODY\", \"HTTP_RESPONSE_BODY\"]"
"}" "}"
"}"; "}";
string signature_broken =
"{"
"\"protectionMetadata\": {"
"\"protectionName\": \"BrokenTest\","
"\"maintrainId\": \"101\","
"\"severity\": \"Medium High\","
"\"confidenceLevel\": \"Low\","
"\"performanceImpact\": \"High\","
"\"lastUpdate\": \"20210420\","
"\"tags\": [],"
"\"cveList\": []"
"},"
"\"detectionRules\": {"
"\"type\": \"simple\","
"\"SSM\": \"\","
"\"keywosrds\": \"data: \\\"www\\\";\","
"\"context\": [\"HTTP_REQUEST_BODY\", \"HTTP_RESPONSE_BODY\"]"
"}"
"}";
}; };
TEST_F(SignatureTest, basic_load_of_signatures) TEST_F(SignatureTest, basic_load_of_signatures)
@ -692,14 +665,3 @@ TEST_F(SignatureTest, high_confidance_signatures_matching)
expectLog("\"protectionId\": \"Test4\"", "\"matchedSignatureConfidence\": \"Medium\""); expectLog("\"protectionId\": \"Test4\"", "\"matchedSignatureConfidence\": \"Medium\"");
EXPECT_FALSE(checkData("mmm")); EXPECT_FALSE(checkData("mmm"));
} }
TEST_F(SignatureTest, broken_signature)
{
load(single_broken_signature, "Low or above", "Low");
EXPECT_FALSE(checkData("ggg"));
expectLog("\"matchedSignaturePerformance\": \"High\"");
EXPECT_TRUE(checkData("fff"));
EXPECT_FALSE(checkData("www"));
}

1
components/security_apps/local_policy_mgmt_gen/CMakeLists.txt
View File

@ -22,5 +22,4 @@ add_library(local_policy_mgmt_gen
access_control_practice.cc access_control_practice.cc
configmaps.cc configmaps.cc
reverse_proxy_section.cc reverse_proxy_section.cc
policy_activation_data.cc
) )

6
components/security_apps/local_policy_mgmt_gen/access_control_practice.cc
View File

@ -228,11 +228,7 @@ AccessControlPracticeSpec::load(cereal::JSONInputArchive &archive_in)
dbgTrace(D_LOCAL_POLICY) << "Loading AppSec practice spec"; dbgTrace(D_LOCAL_POLICY) << "Loading AppSec practice spec";
parseAppsecJSONKey<string>("name", practice_name, archive_in); parseAppsecJSONKey<string>("name", practice_name, archive_in);
parseAppsecJSONKey<string>("practiceMode", mode, archive_in, "inherited"); parseAppsecJSONKey<string>("practiceMode", mode, archive_in);
if (valid_modes.count(mode) == 0) {
dbgWarning(D_LOCAL_POLICY) << "AppSec Access control practice mode invalid: " << mode;
throw PolicyGenException("AppSec Access control practice mode invalid: " + mode);
}
parseAppsecJSONKey<string>("appsecClassName", appsec_class_name, archive_in); parseAppsecJSONKey<string>("appsecClassName", appsec_class_name, archive_in);
parseMandatoryAppsecJSONKey<AccessControlRateLimit>("rateLimit", rate_limit, archive_in); parseMandatoryAppsecJSONKey<AccessControlRateLimit>("rateLimit", rate_limit, archive_in);
} }

102
components/security_apps/local_policy_mgmt_gen/appsec_practice_section.cc
View File

@ -438,30 +438,19 @@ WebAppSection::WebAppSection(
csrf_protection_mode("Disabled"), csrf_protection_mode("Disabled"),
open_redirect_mode("Disabled"), open_redirect_mode("Disabled"),
error_disclosure_mode("Disabled"), error_disclosure_mode("Disabled"),
schema_validation_mode("Disabled"),
schema_validation_enforce_level("fullSchema"),
practice_advanced_config(parsed_appsec_spec), practice_advanced_config(parsed_appsec_spec),
anti_bots(parsed_appsec_spec.getAntiBot()), anti_bots(parsed_appsec_spec.getAntiBot()),
trusted_sources({ parsed_trusted_sources }) trusted_sources({ parsed_trusted_sources })
{ {
auto mitigation_sevirity = parsed_appsec_spec.getWebAttacks().getMinimumConfidence();
if (key_to_mitigation_severity.find(mitigation_sevirity) == key_to_mitigation_severity.end()) {
dbgWarning(D_LOCAL_POLICY)
<< "web attack mitigation severity invalid: "
<< mitigation_sevirity;
throw PolicyGenException("web attack mitigation severity invalid: " + mitigation_sevirity);
} else {
web_attack_mitigation_severity = key_to_mitigation_severity.at(mitigation_sevirity);
}
web_attack_mitigation = web_attack_mitigation_mode != "Disabled"; web_attack_mitigation = web_attack_mitigation_mode != "Disabled";
web_attack_mitigation_severity = web_attack_mitigation_severity =
web_attack_mitigation_mode != "Prevent" ? "Transparent" : web_attack_mitigation_mode != "Prevent" ? "Transparent" :
web_attack_mitigation_severity; parsed_appsec_spec.getWebAttacks().getMinimumConfidence();
web_attack_mitigation_action = web_attack_mitigation_action =
web_attack_mitigation_mode != "Prevent" ? "Transparent" : web_attack_mitigation_mode != "Prevent" ? "Transparent" :
web_attack_mitigation_severity == "Critical" ? "Low" : web_attack_mitigation_severity == "critical" ? "low" :
web_attack_mitigation_severity == "High" ? "Balanced" : web_attack_mitigation_severity == "high" ? "balanced" :
web_attack_mitigation_severity == "Medium" ? "High" : web_attack_mitigation_severity == "medium" ? "high" :
"Error"; "Error";
triggers.push_back(TriggersInWaapSection(parsed_log_trigger)); triggers.push_back(TriggersInWaapSection(parsed_log_trigger));
@ -490,15 +479,11 @@ WebAppSection::WebAppSection(
const string &_web_attack_mitigation_severity, const string &_web_attack_mitigation_severity,
const string &_web_attack_mitigation_mode, const string &_web_attack_mitigation_mode,
const string &_bot_protection, const string &_bot_protection,
const string &_schema_validation_mode,
const string &_schema_validation_enforce_level,
const vector<string> &_schema_validation_oas,
const PracticeAdvancedConfig &_practice_advanced_config, const PracticeAdvancedConfig &_practice_advanced_config,
const AppsecPracticeAntiBotSection &_anti_bots, const AppsecPracticeAntiBotSection &_anti_bots,
const LogTriggerSection &parsed_log_trigger, const LogTriggerSection &parsed_log_trigger,
const AppSecTrustedSources &parsed_trusted_sources, const AppSecTrustedSources &parsed_trusted_sources,
const NewAppSecWebAttackProtections &protections, const NewAppSecWebAttackProtections &protections)
const vector<InnerException> &exceptions)
: :
application_urls(_application_urls), application_urls(_application_urls),
asset_id(_asset_id), asset_id(_asset_id),
@ -508,29 +493,19 @@ WebAppSection::WebAppSection(
practice_id(_practice_id), practice_id(_practice_id),
practice_name(_practice_name), practice_name(_practice_name),
context(_context), context(_context),
web_attack_mitigation_severity(_web_attack_mitigation_severity),
web_attack_mitigation_mode(_web_attack_mitigation_mode), web_attack_mitigation_mode(_web_attack_mitigation_mode),
bot_protection(_bot_protection), bot_protection(_bot_protection),
schema_validation_mode(_schema_validation_mode),
schema_validation_enforce_level(_schema_validation_enforce_level),
schema_validation_oas(_schema_validation_oas),
practice_advanced_config(_practice_advanced_config), practice_advanced_config(_practice_advanced_config),
anti_bots(_anti_bots), anti_bots(_anti_bots),
trusted_sources({ parsed_trusted_sources }) trusted_sources({ parsed_trusted_sources })
{ {
if (key_to_mitigation_severity.find(_web_attack_mitigation_severity) == key_to_mitigation_severity.end()) {
dbgWarning(D_LOCAL_POLICY)
<< "web attack mitigation severity invalid: "
<< _web_attack_mitigation_severity;
throw PolicyGenException("web attack mitigation severity invalid: " + _web_attack_mitigation_severity);
} else {
web_attack_mitigation_severity = key_to_mitigation_severity.at(_web_attack_mitigation_severity);
}
web_attack_mitigation = web_attack_mitigation_mode != "Disabled"; web_attack_mitigation = web_attack_mitigation_mode != "Disabled";
web_attack_mitigation_action = web_attack_mitigation_action =
web_attack_mitigation_mode != "Prevent" ? "Transparent" : web_attack_mitigation_mode != "Prevent" ? "Transparent" :
web_attack_mitigation_severity == "Critical" ? "Low" : web_attack_mitigation_severity == "critical" ? "low" :
web_attack_mitigation_severity == "High" ? "Balanced" : web_attack_mitigation_severity == "high" ? "balanced" :
web_attack_mitigation_severity == "Medium" ? "High" : web_attack_mitigation_severity == "medium" ? "high" :
"Error"; "Error";
csrf_protection_mode = protections.getCsrfProtectionMode(_web_attack_mitigation_mode); csrf_protection_mode = protections.getCsrfProtectionMode(_web_attack_mitigation_mode);
@ -541,11 +516,6 @@ WebAppSection::WebAppSection(
for (const SourcesIdentifiers &source_ident : parsed_trusted_sources.getSourcesIdentifiers()) { for (const SourcesIdentifiers &source_ident : parsed_trusted_sources.getSourcesIdentifiers()) {
overrides.push_back(AppSecOverride(source_ident)); overrides.push_back(AppSecOverride(source_ident));
} }
for (const auto &exception : exceptions) {
overrides.push_back(AppSecOverride(exception));
}
} }
// LCOV_EXCL_STOP // LCOV_EXCL_STOP
@ -553,35 +523,35 @@ WebAppSection::WebAppSection(
void void
WebAppSection::save(cereal::JSONOutputArchive &out_ar) const WebAppSection::save(cereal::JSONOutputArchive &out_ar) const
{ {
string disabled_str = "Disabled";
vector<string> empty_list; vector<string> empty_list;
out_ar( out_ar(
cereal::make_nvp("context", context), cereal::make_nvp("context", context),
cereal::make_nvp("webAttackMitigation", web_attack_mitigation), cereal::make_nvp("webAttackMitigation", web_attack_mitigation),
cereal::make_nvp("webAttackMitigationSeverity", web_attack_mitigation_severity), cereal::make_nvp("webAttackMitigationSeverity", web_attack_mitigation_severity),
cereal::make_nvp("webAttackMitigationAction", web_attack_mitigation_action), cereal::make_nvp("webAttackMitigationAction", web_attack_mitigation_action),
cereal::make_nvp("webAttackMitigationMode", web_attack_mitigation_mode), cereal::make_nvp("webAttackMitigationMode", web_attack_mitigation_mode),
cereal::make_nvp("practiceAdvancedConfig", practice_advanced_config), cereal::make_nvp("practiceAdvancedConfig", practice_advanced_config),
cereal::make_nvp("csrfProtection", csrf_protection_mode), cereal::make_nvp("csrfProtection", csrf_protection_mode),
cereal::make_nvp("openRedirect", open_redirect_mode), cereal::make_nvp("openRedirect", open_redirect_mode),
cereal::make_nvp("errorDisclosure", error_disclosure_mode), cereal::make_nvp("errorDisclosure", error_disclosure_mode),
cereal::make_nvp("practiceId", practice_id), cereal::make_nvp("practiceId", practice_id),
cereal::make_nvp("practiceName", practice_name), cereal::make_nvp("practiceName", practice_name),
cereal::make_nvp("assetId", asset_id), cereal::make_nvp("assetId", asset_id),
cereal::make_nvp("assetName", asset_name), cereal::make_nvp("assetName", asset_name),
cereal::make_nvp("ruleId", rule_id), cereal::make_nvp("ruleId", rule_id),
cereal::make_nvp("ruleName", rule_name), cereal::make_nvp("ruleName", rule_name),
cereal::make_nvp("schemaValidation", schema_validation_mode == "Prevent"), cereal::make_nvp("schemaValidation", false),
cereal::make_nvp("schemaValidation_v2", schema_validation_mode), cereal::make_nvp("schemaValidation_v2", disabled_str),
cereal::make_nvp("oas", schema_validation_oas), cereal::make_nvp("oas", empty_list),
cereal::make_nvp("schemaValidationEnforceLevel", schema_validation_enforce_level), cereal::make_nvp("triggers", triggers),
cereal::make_nvp("triggers", triggers), cereal::make_nvp("applicationUrls", application_urls),
cereal::make_nvp("applicationUrls", application_urls), cereal::make_nvp("overrides", overrides),
cereal::make_nvp("overrides", overrides), cereal::make_nvp("trustedSources", trusted_sources),
cereal::make_nvp("trustedSources", trusted_sources), cereal::make_nvp("waapParameters", empty_list),
cereal::make_nvp("waapParameters", empty_list), cereal::make_nvp("botProtection", false),
cereal::make_nvp("botProtection", false), cereal::make_nvp("antiBot", anti_bots),
cereal::make_nvp("antiBot", anti_bots), cereal::make_nvp("botProtection_v2", bot_protection != "" ? bot_protection : string("Detect"))
cereal::make_nvp("botProtection_v2", bot_protection != "" ? bot_protection : string("Detect"))
); );
} }

53
components/security_apps/local_policy_mgmt_gen/include/appsec_practice_section.h
View File

@ -291,45 +291,38 @@ public:
const std::string &_web_attack_mitigation_severity, const std::string &_web_attack_mitigation_severity,
const std::string &_web_attack_mitigation_mode, const std::string &_web_attack_mitigation_mode,
const std::string &_bot_protection, const std::string &_bot_protection,
const std::string &schema_validation_mode,
const std::string &schema_validation_enforce_level,
const std::vector<std::string> &schema_validation_oas,
const PracticeAdvancedConfig &_practice_advanced_config, const PracticeAdvancedConfig &_practice_advanced_config,
const AppsecPracticeAntiBotSection &_anti_bots, const AppsecPracticeAntiBotSection &_anti_bots,
const LogTriggerSection &parsed_log_trigger, const LogTriggerSection &parsed_log_trigger,
const AppSecTrustedSources &parsed_trusted_sources, const AppSecTrustedSources &parsed_trusted_sources,
const NewAppSecWebAttackProtections &protections, const NewAppSecWebAttackProtections &protections);
const std::vector<InnerException> &exceptions);
void save(cereal::JSONOutputArchive &out_ar) const; void save(cereal::JSONOutputArchive &out_ar) const;
bool operator< (const WebAppSection &other) const; bool operator< (const WebAppSection &other) const;
private: private:
bool web_attack_mitigation; std::string application_urls;
std::string application_urls; std::string asset_id;
std::string asset_id; std::string asset_name;
std::string asset_name; std::string rule_id;
std::string rule_id; std::string rule_name;
std::string rule_name; std::string practice_id;
std::string practice_id; std::string practice_name;
std::string practice_name; std::string context;
std::string context; std::string web_attack_mitigation_action;
std::string web_attack_mitigation_action; std::string web_attack_mitigation_severity;
std::string web_attack_mitigation_severity; std::string web_attack_mitigation_mode;
std::string web_attack_mitigation_mode; std::string csrf_protection_mode;
std::string csrf_protection_mode; std::string open_redirect_mode;
std::string open_redirect_mode; std::string error_disclosure_mode;
std::string error_disclosure_mode; std::string bot_protection;
std::string bot_protection; bool web_attack_mitigation;
std::string schema_validation_mode; std::vector<TriggersInWaapSection> triggers;
std::string schema_validation_enforce_level; PracticeAdvancedConfig practice_advanced_config;
std::vector<std::string> schema_validation_oas; AppsecPracticeAntiBotSection anti_bots;
PracticeAdvancedConfig practice_advanced_config; std::vector<AppSecTrustedSources> trusted_sources;
AppsecPracticeAntiBotSection anti_bots; std::vector<AppSecOverride> overrides;
std::vector<AppSecOverride> overrides;
std::vector<AppSecTrustedSources> trusted_sources;
std::vector<TriggersInWaapSection> triggers;
}; };
class WebAPISection class WebAPISection
@ -417,7 +410,7 @@ class ParsedRule
{ {
public: public:
ParsedRule() {} ParsedRule() {}
ParsedRule(const std::string &_host, const std::string &_mode) : host(_host), mode(_mode) {} ParsedRule(const std::string &_host) : host(_host) {}
void load(cereal::JSONInputArchive &archive_in); void load(cereal::JSONInputArchive &archive_in);
const std::vector<std::string> & getExceptions() const; const std::vector<std::string> & getExceptions() const;

15
components/security_apps/local_policy_mgmt_gen/include/k8s_policy_utils.h
View File

@ -24,7 +24,6 @@
#include "maybe_res.h" #include "maybe_res.h"
#include "i_orchestration_tools.h" #include "i_orchestration_tools.h"
#include "i_shell_cmd.h" #include "i_shell_cmd.h"
#include "i_encryptor.h"
#include "i_messaging.h" #include "i_messaging.h"
#include "i_env_details.h" #include "i_env_details.h"
#include "i_agent_details.h" #include "i_agent_details.h"
@ -41,14 +40,13 @@ class K8sPolicyUtils
Singleton::Consume<I_Messaging>, Singleton::Consume<I_Messaging>,
Singleton::Consume<I_ShellCmd>, Singleton::Consume<I_ShellCmd>,
Singleton::Consume<I_EnvDetails>, Singleton::Consume<I_EnvDetails>,
Singleton::Consume<I_Encryptor>,
Singleton::Consume<I_AgentDetails> Singleton::Consume<I_AgentDetails>
{ {
public: public:
void init(); void init();
std::tuple<std::map<std::string, AppsecLinuxPolicy>, std::map<std::string, V1beta2AppsecLinuxPolicy>> std::tuple<std::map<std::string, AppsecLinuxPolicy>, std::map<std::string, V1beta2AppsecLinuxPolicy>>
createAppsecPolicies(); createAppsecPoliciesFromIngresses();
void getClusterId() const; void getClusterId() const;
private: private:
@ -82,8 +80,6 @@ private:
void createSnortFile(std::vector<NewAppSecPracticeSpec> &practices) const; void createSnortFile(std::vector<NewAppSecPracticeSpec> &practices) const;
void createSchemaValidationOas(std::vector<NewAppSecPracticeSpec> &practices) const;
template<class T> template<class T>
std::vector<T> extractV1Beta2ElementsFromCluster( std::vector<T> extractV1Beta2ElementsFromCluster(
const std::string &crd_plural, const std::string &crd_plural,
@ -101,18 +97,12 @@ private:
) const; ) const;
template<class T, class K> template<class T, class K>
void createPolicyFromIngress( void createPolicy(
T &appsec_policy, T &appsec_policy,
std::map<std::string, T> &policies, std::map<std::string, T> &policies,
std::map<AnnotationKeys, std::string> &annotations_values, std::map<AnnotationKeys, std::string> &annotations_values,
const SingleIngressData &item) const; const SingleIngressData &item) const;
template<class T, class K>
void createPolicyFromActivation(
T &appsec_policy,
std::map<std::string, T> &policies,
const EnabledPolicy &policy) const;
std::tuple<Maybe<AppsecLinuxPolicy>, Maybe<V1beta2AppsecLinuxPolicy>> createAppsecPolicyK8s( std::tuple<Maybe<AppsecLinuxPolicy>, Maybe<V1beta2AppsecLinuxPolicy>> createAppsecPolicyK8s(
const std::string &policy_name, const std::string &policy_name,
const std::string &ingress_mode const std::string &ingress_mode
@ -122,7 +112,6 @@ private:
I_Messaging* messaging = nullptr; I_Messaging* messaging = nullptr;
EnvType env_type; EnvType env_type;
std::string token; std::string token;
std::string agent_ns;
}; };
#endif // __K8S_POLICY_UTILS_H__ #endif // __K8S_POLICY_UTILS_H__

17
components/security_apps/local_policy_mgmt_gen/include/local_policy_common.h
View File

@ -49,13 +49,6 @@ static const std::unordered_map<std::string, TriggerType> string_to_trigger_type
{ "WebUserResponse", TriggerType::WebUserResponse } { "WebUserResponse", TriggerType::WebUserResponse }
}; };
static const std::unordered_map<std::string, std::string> key_to_mitigation_severity = {
{ "high", "High"},
{ "medium", "Medium"},
{ "critical", "Critical"},
{ "Transparent", "Transparent"}
};
static const std::unordered_map<std::string, std::string> key_to_practices_val = { static const std::unordered_map<std::string, std::string> key_to_practices_val = {
{ "prevent-learn", "Prevent"}, { "prevent-learn", "Prevent"},
{ "detect-learn", "Learn"}, { "detect-learn", "Learn"},
@ -64,14 +57,6 @@ static const std::unordered_map<std::string, std::string> key_to_practices_val =
{ "inactive", "Inactive"} { "inactive", "Inactive"}
}; };
static const std::unordered_map<std::string, std::string> key_to_practices_mode_val = {
{ "prevent-learn", "Prevent"},
{ "detect-learn", "Detect"},
{ "prevent", "Prevent"},
{ "detect", "Detect"},
{ "inactive", "Disabled"}
};
static const std::unordered_map<std::string, std::string> key_to_practices_val2 = { static const std::unordered_map<std::string, std::string> key_to_practices_val2 = {
{ "prevent-learn", "Prevent"}, { "prevent-learn", "Prevent"},
{ "detect-learn", "Learn"}, { "detect-learn", "Learn"},
@ -81,8 +66,6 @@ static const std::unordered_map<std::string, std::string> key_to_practices_val2
}; };
static const std::string default_appsec_url = "http://*:*"; static const std::string default_appsec_url = "http://*:*";
static const std::string default_appsec_name = "Any";
class PolicyGenException : public std::exception class PolicyGenException : public std::exception
{ {

2
components/security_apps/local_policy_mgmt_gen/include/new_appsec_policy_crd_parser.h
View File

@ -31,7 +31,7 @@ class NewParsedRule
{ {
public: public:
NewParsedRule() {} NewParsedRule() {}
NewParsedRule(const std::string &_host, const std::string &_mode) : host(_host), mode(_mode) {} NewParsedRule(const std::string &_host) : host(_host) {}
void load(cereal::JSONInputArchive &archive_in); void load(cereal::JSONInputArchive &archive_in);

50
components/security_apps/local_policy_mgmt_gen/include/new_practice.h
View File

@ -23,8 +23,6 @@
#include "config.h" #include "config.h"
#include "debug.h" #include "debug.h"
#include "local_policy_common.h" #include "local_policy_common.h"
#include "i_orchestration_tools.h"
#include "i_encryptor.h"
bool isModeInherited(const std::string &mode); bool isModeInherited(const std::string &mode);
@ -90,8 +88,6 @@ public:
void save(cereal::JSONOutputArchive &out_ar) const; void save(cereal::JSONOutputArchive &out_ar) const;
bool operator<(const IpsProtectionsSection &other) const;
private: private:
std::string context; std::string context;
std::string name; std::string name;
@ -109,7 +105,7 @@ public:
// LCOV_EXCL_START Reason: no test exist // LCOV_EXCL_START Reason: no test exist
IPSSection() {}; IPSSection() {};
IPSSection(const std::vector<IpsProtectionsSection> &_ips); IPSSection(const std::vector<IpsProtectionsSection> &_ips) : ips(_ips) {};
// LCOV_EXCL_STOP // LCOV_EXCL_STOP
void save(cereal::JSONOutputArchive &out_ar) const; void save(cereal::JSONOutputArchive &out_ar) const;
@ -142,12 +138,6 @@ public:
const std::string & getMode(const std::string &default_mode = "inactive") const; const std::string & getMode(const std::string &default_mode = "inactive") const;
private: private:
const std::string & getRulesMode(
const std::string &mode,
const std::string &default_mode = "inactive"
) const;
std::string override_mode; std::string override_mode;
std::string max_performance_impact; std::string max_performance_impact;
std::string min_severity_level; std::string min_severity_level;
@ -497,16 +487,15 @@ private:
SnortSection snort; SnortSection snort;
}; };
class NewSnortSignatures class NewSnortSignaturesAndOpenSchemaAPI
{ {
public: public:
NewSnortSignatures() : is_temporary(false) {}; NewSnortSignaturesAndOpenSchemaAPI() : is_temporary(false) {};
void load(cereal::JSONInputArchive &archive_in); void load(cereal::JSONInputArchive &archive_in);
void addFile(const std::string &file_name); void addFile(const std::string &file_name);
const std::string & getOverrideMode(const std::string &default_mode = "inactive") const; const std::string & getOverrideMode(const std::string &default_mode = "inactive") const;
const std::string & getEnforceLevel() const;
const std::vector<std::string> & getConfigMap() const; const std::vector<std::string> & getConfigMap() const;
const std::vector<std::string> & getFiles() const; const std::vector<std::string> & getFiles() const;
bool isTemporary() const; bool isTemporary() const;
@ -514,40 +503,17 @@ public:
private: private:
std::string override_mode; std::string override_mode;
std::string enforcement_level;
std::vector<std::string> config_map; std::vector<std::string> config_map;
std::vector<std::string> files; std::vector<std::string> files;
bool is_temporary; bool is_temporary;
}; };
class NewOpenApiSchema : Singleton::Consume<I_OrchestrationTools>, Singleton::Consume<I_Encryptor>
{
public:
NewOpenApiSchema() {};
void load(cereal::JSONInputArchive &archive_in);
void addOas(const std::string &file);
const std::string & getOverrideMode(const std::string &default_mode = "inactive") const;
const std::string & getEnforceLevel() const;
const std::vector<std::string> & getConfigMap() const;
const std::vector<std::string> & getFiles() const;
const std::vector<std::string> & getOas() const;
private:
std::string override_mode;
std::string enforcement_level;
std::vector<std::string> config_map;
std::vector<std::string> files;
std::vector<std::string> oas;
};
class NewAppSecPracticeAntiBot class NewAppSecPracticeAntiBot
{ {
public: public:
const std::vector<std::string> & getIjectedUris() const; const std::vector<std::string> & getIjectedUris() const;
const std::vector<std::string> & getValidatedUris() const; const std::vector<std::string> & getValidatedUris() const;
const std::string & getMode(const std::string &default_mode = "inactive") const; const std::string & getMode() const;
void load(cereal::JSONInputArchive &archive_in); void load(cereal::JSONInputArchive &archive_in);
void save(cereal::JSONOutputArchive &out_ar) const; void save(cereal::JSONOutputArchive &out_ar) const;
@ -603,8 +569,8 @@ class NewAppSecPracticeSpec
public: public:
void load(cereal::JSONInputArchive &archive_in); void load(cereal::JSONInputArchive &archive_in);
NewSnortSignatures & getSnortSignatures(); NewSnortSignaturesAndOpenSchemaAPI & getSnortSignatures();
NewOpenApiSchema & getOpenSchemaValidation(); const NewSnortSignaturesAndOpenSchemaAPI & getOpenSchemaValidation() const;
const NewAppSecPracticeWebAttacks & getWebAttacks() const; const NewAppSecPracticeWebAttacks & getWebAttacks() const;
const NewAppSecPracticeAntiBot & getAntiBot() const; const NewAppSecPracticeAntiBot & getAntiBot() const;
const NewIntrusionPrevention & getIntrusionPrevention() const; const NewIntrusionPrevention & getIntrusionPrevention() const;
@ -617,8 +583,8 @@ public:
private: private:
NewFileSecurity file_security; NewFileSecurity file_security;
NewIntrusionPrevention intrusion_prevention; NewIntrusionPrevention intrusion_prevention;
NewOpenApiSchema openapi_schema_validation; NewSnortSignaturesAndOpenSchemaAPI openapi_schema_validation;
NewSnortSignatures snort_signatures; NewSnortSignaturesAndOpenSchemaAPI snort_signatures;
NewAppSecPracticeWebAttacks web_attacks; NewAppSecPracticeWebAttacks web_attacks;
NewAppSecPracticeAntiBot anti_bot; NewAppSecPracticeAntiBot anti_bot;
std::string appsec_class_name; std::string appsec_class_name;

89
components/security_apps/local_policy_mgmt_gen/include/policy_activation_data.h
View File

@ -1,89 +0,0 @@
// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef __POLICY_ACTIVATION_DATA_H__
#define __POLICY_ACTIVATION_DATA_H__
#include <vector>
#include <map>
#include "config.h"
#include "debug.h"
#include "rest.h"
#include "cereal/archives/json.hpp"
#include <cereal/types/map.hpp>
#include "customized_cereal_map.h"
#include "local_policy_common.h"
class PolicyActivationMetadata
{
public:
void load(cereal::JSONInputArchive &archive_in);
private:
std::string name;
};
class EnabledPolicy
{
public:
void load(cereal::JSONInputArchive &archive_in);
const std::string & getName() const;
const std::vector<std::string> & getHosts() const;
private:
std::string name;
std::vector<std::string> hosts;
};
class PolicyActivationSpec
{
public:
void load(cereal::JSONInputArchive &archive_in);
const std::vector<EnabledPolicy> & getPolicies() const;
private:
std::string appsec_class_name;
std::vector<EnabledPolicy> policies;
};
class SinglePolicyActivationData
{
public:
void load(cereal::JSONInputArchive &archive_in);
const PolicyActivationSpec & getSpec() const;
private:
std::string api_version;
std::string kind;
PolicyActivationMetadata metadata;
PolicyActivationSpec spec;
};
class PolicyActivationData : public ClientRest
{
public:
bool loadJson(const std::string &json);
const std::vector<SinglePolicyActivationData> & getItems() const;
private:
std::string api_version;
std::vector<SinglePolicyActivationData> items;
};
#endif // __POLICY_ACTIVATION_DATA_H__

4
components/security_apps/local_policy_mgmt_gen/include/policy_maker_utils.h
View File

@ -32,7 +32,6 @@
#include "i_messaging.h" #include "i_messaging.h"
#include "appsec_practice_section.h" #include "appsec_practice_section.h"
#include "ingress_data.h" #include "ingress_data.h"
#include "policy_activation_data.h"
#include "settings_section.h" #include "settings_section.h"
#include "triggers_section.h" #include "triggers_section.h"
#include "local_policy_common.h" #include "local_policy_common.h"
@ -206,8 +205,7 @@ private:
const RulesConfigRulebase& rule_config, const RulesConfigRulebase& rule_config,
const std::string &practice_id, const std::string &full_url, const std::string &practice_id, const std::string &full_url,
const std::string &default_mode, const std::string &default_mode,
std::map<AnnotationTypes, std::string> &rule_annotations, std::map<AnnotationTypes, std::string> &rule_annotations
std::vector<InnerException>
); );
void void

2
components/security_apps/local_policy_mgmt_gen/include/rules_config_section.h
View File

@ -123,7 +123,6 @@ public:
); );
const std::string & getIdentifier() const; const std::string & getIdentifier() const;
const std::string & getIdentifierValue() const;
void save(cereal::JSONOutputArchive &out_ar) const; void save(cereal::JSONOutputArchive &out_ar) const;
@ -146,7 +145,6 @@ public:
); );
const std::string & getIdentifier() const; const std::string & getIdentifier() const;
const std::string & getIdentifierValue() const;
void save(cereal::JSONOutputArchive &out_ar) const; void save(cereal::JSONOutputArchive &out_ar) const;

157
components/security_apps/local_policy_mgmt_gen/k8s_policy_utils.cc
View File

@ -35,14 +35,6 @@ convertAnnotationKeysTostring(const AnnotationKeys &key)
} }
} }
string
getAppSecScopeType()
{
auto env_res = getenv("CRDS_SCOPE");
if (env_res != nullptr) return env_res;
return "cluster";
}
void void
K8sPolicyUtils::init() K8sPolicyUtils::init()
{ {
@ -50,7 +42,6 @@ K8sPolicyUtils::init()
env_type = env_details->getEnvType(); env_type = env_details->getEnvType();
if (env_type == EnvType::K8S) { if (env_type == EnvType::K8S) {
token = env_details->getToken(); token = env_details->getToken();
agent_ns = getAppSecScopeType() == "namespaced" ? env_details->getNameSpace() + "/" : "";
messaging = Singleton::Consume<I_Messaging>::by<K8sPolicyUtils>(); messaging = Singleton::Consume<I_Messaging>::by<K8sPolicyUtils>();
} }
} }
@ -149,12 +140,10 @@ extractElementsFromNewRule(
const NewParsedRule &rule, const NewParsedRule &rule,
map<AnnotationTypes, unordered_set<string>> &policy_elements_names) map<AnnotationTypes, unordered_set<string>> &policy_elements_names)
{ {
if (rule.getExceptions().size() > 0) { policy_elements_names[AnnotationTypes::EXCEPTION].insert(
policy_elements_names[AnnotationTypes::EXCEPTION].insert( rule.getExceptions().begin(),
rule.getExceptions().begin(), rule.getExceptions().end()
rule.getExceptions().end() );
);
}
policy_elements_names[AnnotationTypes::THREAT_PREVENTION_PRACTICE].insert( policy_elements_names[AnnotationTypes::THREAT_PREVENTION_PRACTICE].insert(
rule.getPractices().begin(), rule.getPractices().begin(),
rule.getPractices().end() rule.getPractices().end()
@ -163,24 +152,14 @@ extractElementsFromNewRule(
rule.getAccessControlPractices().begin(), rule.getAccessControlPractices().begin(),
rule.getAccessControlPractices().end() rule.getAccessControlPractices().end()
); );
if (rule.getLogTriggers().size() > 0) { policy_elements_names[AnnotationTypes::TRIGGER].insert(
policy_elements_names[AnnotationTypes::TRIGGER].insert( rule.getLogTriggers().begin(),
rule.getLogTriggers().begin(), rule.getLogTriggers().end()
rule.getLogTriggers().end() );
); policy_elements_names[AnnotationTypes::WEB_USER_RES].insert(rule.getCustomResponse());
} policy_elements_names[AnnotationTypes::SOURCE_IDENTIFIERS].insert(rule.getSourceIdentifiers());
if (rule.getCustomResponse() != "" ) { policy_elements_names[AnnotationTypes::TRUSTED_SOURCES].insert(rule.getTrustedSources());
policy_elements_names[AnnotationTypes::WEB_USER_RES].insert(rule.getCustomResponse()); policy_elements_names[AnnotationTypes::UPGRADE_SETTINGS].insert(rule.getUpgradeSettings());
}
if (rule.getSourceIdentifiers() != "" ) {
policy_elements_names[AnnotationTypes::SOURCE_IDENTIFIERS].insert(rule.getSourceIdentifiers());
}
if (rule.getTrustedSources() != "" ) {
policy_elements_names[AnnotationTypes::TRUSTED_SOURCES].insert(rule.getTrustedSources());
}
if (rule.getUpgradeSettings() != "" ) {
policy_elements_names[AnnotationTypes::UPGRADE_SETTINGS].insert(rule.getUpgradeSettings());
}
} }
map<AnnotationTypes, unordered_set<string>> map<AnnotationTypes, unordered_set<string>>
@ -280,11 +259,9 @@ K8sPolicyUtils::extractV1Beta2ElementsFromCluster(
dbgTrace(D_LOCAL_POLICY) << "Retrieve AppSec elements. type: " << crd_plural; dbgTrace(D_LOCAL_POLICY) << "Retrieve AppSec elements. type: " << crd_plural;
vector<T> elements; vector<T> elements;
for (const string &element_name : elements_names) { for (const string &element_name : elements_names) {
string ns_suffix = getAppSecScopeType() == "namespaced" ? "ns" : "";
string ns = getAppSecScopeType() == "namespaced" ? "namespaces/" : "";
dbgTrace(D_LOCAL_POLICY) << "AppSec element name: " << element_name; dbgTrace(D_LOCAL_POLICY) << "AppSec element name: " << element_name;
auto maybe_appsec_element = getObjectFromCluster<AppsecSpecParser<T>>( auto maybe_appsec_element = getObjectFromCluster<AppsecSpecParser<T>>(
"/apis/openappsec.io/v1beta2/" + ns + agent_ns + crd_plural + ns_suffix + "/" + element_name "/apis/openappsec.io/v1beta2/" + crd_plural + "/" + element_name
); );
if (!maybe_appsec_element.ok()) { if (!maybe_appsec_element.ok()) {
@ -385,9 +362,8 @@ K8sPolicyUtils::createSnortFile(vector<NewAppSecPracticeSpec> &practices) const
practice.getSnortSignatures().setTemporary(true); practice.getSnortSignatures().setTemporary(true);
for (const string &config_map : practice.getSnortSignatures().getConfigMap()) for (const string &config_map : practice.getSnortSignatures().getConfigMap())
{ {
string ns = agent_ns == "" ? "default/" : agent_ns;
auto maybe_configmap = getObjectFromCluster<ConfigMaps>( auto maybe_configmap = getObjectFromCluster<ConfigMaps>(
"/api/v1/namespaces/" + ns + "configmaps/" + config_map "/api/v1/namespaces/default/configmaps/" + config_map
); );
if (!maybe_configmap.ok()) { if (!maybe_configmap.ok()) {
dbgWarning(D_LOCAL_POLICY) << "Failed to get configMaps from the cluster."; dbgWarning(D_LOCAL_POLICY) << "Failed to get configMaps from the cluster.";
@ -405,28 +381,6 @@ K8sPolicyUtils::createSnortFile(vector<NewAppSecPracticeSpec> &practices) const
} }
} }
void
K8sPolicyUtils::createSchemaValidationOas(vector<NewAppSecPracticeSpec> &practices) const
{
for (NewAppSecPracticeSpec &practice : practices) {
vector<string> res;
for (const string &config_map : practice.getOpenSchemaValidation().getConfigMap())
{
string ns = agent_ns == "" ? "default/" : agent_ns;
auto maybe_configmap = getObjectFromCluster<ConfigMaps>(
"/api/v1/namespaces/" + ns + "configmaps/" + config_map
);
if (!maybe_configmap.ok()) {
dbgWarning(D_LOCAL_POLICY) << "Failed to get configMaps from the cluster.";
continue;
}
string file_content = maybe_configmap.unpack().getFileContent();
string res = Singleton::Consume<I_Encryptor>::by<K8sPolicyUtils>()->base64Encode(file_content);
practice.getOpenSchemaValidation().addOas(res);
}
}
}
Maybe<V1beta2AppsecLinuxPolicy> Maybe<V1beta2AppsecLinuxPolicy>
K8sPolicyUtils::createAppsecPolicyK8sFromV1beta2Crds( K8sPolicyUtils::createAppsecPolicyK8sFromV1beta2Crds(
const AppsecSpecParser<NewAppsecPolicySpec> &appsec_policy_spec, const AppsecSpecParser<NewAppsecPolicySpec> &appsec_policy_spec,
@ -442,7 +396,6 @@ K8sPolicyUtils::createAppsecPolicyK8sFromV1beta2Crds(
} }
if (default_rule.getMode().empty() && !ingress_mode.empty()) { if (default_rule.getMode().empty() && !ingress_mode.empty()) {
dbgTrace(D_LOCAL_POLICY) << "setting the policy default rule mode to the ingress mode: " << ingress_mode;
default_rule.setMode(ingress_mode); default_rule.setMode(ingress_mode);
} }
@ -458,7 +411,6 @@ K8sPolicyUtils::createAppsecPolicyK8sFromV1beta2Crds(
); );
createSnortFile(threat_prevention_practices); createSnortFile(threat_prevention_practices);
createSchemaValidationOas(threat_prevention_practices);
vector<AccessControlPracticeSpec> access_control_practices = vector<AccessControlPracticeSpec> access_control_practices =
extractV1Beta2ElementsFromCluster<AccessControlPracticeSpec>( extractV1Beta2ElementsFromCluster<AccessControlPracticeSpec>(
@ -541,12 +493,9 @@ K8sPolicyUtils::createAppsecPolicyK8s(const string &policy_name, const string &i
maybe_appsec_policy_spec.ok() ? "There is no v1beta1 policy" : maybe_appsec_policy_spec.getErr(); maybe_appsec_policy_spec.ok() ? "There is no v1beta1 policy" : maybe_appsec_policy_spec.getErr();
dbgWarning(D_LOCAL_POLICY dbgWarning(D_LOCAL_POLICY
) << "Failed to retrieve Appsec policy with crds version: v1beta1, Trying version: v1beta2"; ) << "Failed to retrieve Appsec policy with crds version: v1beta1, Trying version: v1beta2";
string ns_suffix = getAppSecScopeType() == "namespaced" ? "ns" : "";
string ns = getAppSecScopeType() == "namespaced" ? "namespaces/" : "";
auto maybe_v1beta2_appsec_policy_spec = getObjectFromCluster<AppsecSpecParser<NewAppsecPolicySpec>>( auto maybe_v1beta2_appsec_policy_spec = getObjectFromCluster<AppsecSpecParser<NewAppsecPolicySpec>>(
"/apis/openappsec.io/v1beta2/" + ns + agent_ns + "policies" + ns_suffix + "/" + policy_name "/apis/openappsec.io/v1beta2/policies/" + policy_name
); );
if (!maybe_v1beta2_appsec_policy_spec.ok()) { if (!maybe_v1beta2_appsec_policy_spec.ok()) {
dbgWarning(D_LOCAL_POLICY) dbgWarning(D_LOCAL_POLICY)
<< "Failed to retrieve AppSec policy. Error: " << maybe_v1beta2_appsec_policy_spec.getErr(); << "Failed to retrieve AppSec policy. Error: " << maybe_v1beta2_appsec_policy_spec.getErr();
@ -577,7 +526,7 @@ K8sPolicyUtils::createAppsecPolicyK8s(const string &policy_name, const string &i
template<class T, class K> template<class T, class K>
void void
K8sPolicyUtils::createPolicyFromIngress( K8sPolicyUtils::createPolicy(
T &appsec_policy, T &appsec_policy,
map<std::string, T> &policies, map<std::string, T> &policies,
map<AnnotationKeys, string> &annotations_values, map<AnnotationKeys, string> &annotations_values,
@ -586,11 +535,10 @@ K8sPolicyUtils::createPolicyFromIngress(
if (policies.find(annotations_values[AnnotationKeys::PolicyKey]) == policies.end()) { if (policies.find(annotations_values[AnnotationKeys::PolicyKey]) == policies.end()) {
policies[annotations_values[AnnotationKeys::PolicyKey]] = appsec_policy; policies[annotations_values[AnnotationKeys::PolicyKey]] = appsec_policy;
} }
auto default_mode = appsec_policy.getAppsecPolicySpec().getDefaultRule().getMode();
if (item.getSpec().doesDefaultBackendExist()) { if (item.getSpec().doesDefaultBackendExist()) {
dbgTrace(D_LOCAL_POLICY) dbgTrace(D_LOCAL_POLICY)
<< "Inserting Any host rule to the specific asset set"; << "Inserting Any host rule to the specific asset set";
K ingress_rule = K("*", default_mode); K ingress_rule = K("*");
policies[annotations_values[AnnotationKeys::PolicyKey]].addSpecificRule(ingress_rule); policies[annotations_values[AnnotationKeys::PolicyKey]].addSpecificRule(ingress_rule);
} }
@ -608,42 +556,18 @@ K8sPolicyUtils::createPolicyFromIngress(
<< "' uri: '" << "' uri: '"
<< uri.getPath() << uri.getPath()
<< "'"; << "'";
K ingress_rule = K(host, default_mode); K ingress_rule = K(host);
policies[annotations_values[AnnotationKeys::PolicyKey]].addSpecificRule(ingress_rule); policies[annotations_values[AnnotationKeys::PolicyKey]].addSpecificRule(ingress_rule);
} }
} }
} }
}
template<class T, class K>
void
K8sPolicyUtils::createPolicyFromActivation(
T &appsec_policy,
map<std::string, T> &policies,
const EnabledPolicy &policy) const
{
if (policies.find(policy.getName()) == policies.end()) {
policies[policy.getName()] = appsec_policy;
}
auto default_mode = appsec_policy.getAppsecPolicySpec().getDefaultRule().getMode();
for (const string &host : policy.getHosts()) {
if (!appsec_policy.getAppsecPolicySpec().isAssetHostExist(host)) {
dbgTrace(D_LOCAL_POLICY)
<< "Inserting Host data to the specific asset set:"
<< "URL: '"
<< host
<< "'";
K ingress_rule = K(host, default_mode);
policies[policy.getName()].addSpecificRule(ingress_rule);
}
}
} }
std::tuple<map<string, AppsecLinuxPolicy>, map<string, V1beta2AppsecLinuxPolicy>> std::tuple<map<string, AppsecLinuxPolicy>, map<string, V1beta2AppsecLinuxPolicy>>
K8sPolicyUtils::createAppsecPolicies() K8sPolicyUtils::createAppsecPoliciesFromIngresses()
{ {
dbgFlow(D_LOCAL_POLICY) << "Getting all policy object from Ingresses and PolicyActivation"; dbgFlow(D_LOCAL_POLICY) << "Getting all policy object from Ingresses";
map<string, AppsecLinuxPolicy> v1bet1_policies; map<string, AppsecLinuxPolicy> v1bet1_policies;
map<string, V1beta2AppsecLinuxPolicy> v1bet2_policies; map<string, V1beta2AppsecLinuxPolicy> v1bet2_policies;
auto maybe_ingress = getObjectFromCluster<IngressData>("/apis/networking.k8s.io/v1/ingresses"); auto maybe_ingress = getObjectFromCluster<IngressData>("/apis/networking.k8s.io/v1/ingresses");
@ -653,7 +577,7 @@ K8sPolicyUtils::createAppsecPolicies()
dbgWarning(D_LOCAL_POLICY) dbgWarning(D_LOCAL_POLICY)
<< "Failed to retrieve K8S Ingress configurations. Error: " << "Failed to retrieve K8S Ingress configurations. Error: "
<< maybe_ingress.getErr(); << maybe_ingress.getErr();
maybe_ingress = IngressData{}; return make_tuple(v1bet1_policies, v1bet2_policies);
} }
@ -683,54 +607,19 @@ K8sPolicyUtils::createAppsecPolicies()
if (!std::get<0>(maybe_appsec_policy).ok()) { if (!std::get<0>(maybe_appsec_policy).ok()) {
auto appsec_policy=std::get<1>(maybe_appsec_policy).unpack(); auto appsec_policy=std::get<1>(maybe_appsec_policy).unpack();
createPolicyFromIngress<V1beta2AppsecLinuxPolicy, NewParsedRule>( createPolicy<V1beta2AppsecLinuxPolicy, NewParsedRule>(
appsec_policy, appsec_policy,
v1bet2_policies, v1bet2_policies,
annotations_values, annotations_values,
item); item);
} else { } else {
auto appsec_policy=std::get<0>(maybe_appsec_policy).unpack(); auto appsec_policy=std::get<0>(maybe_appsec_policy).unpack();
createPolicyFromIngress<AppsecLinuxPolicy, ParsedRule>( createPolicy<AppsecLinuxPolicy, ParsedRule>(
appsec_policy, appsec_policy,
v1bet1_policies, v1bet1_policies,
annotations_values, annotations_values,
item); item);
} }
} }
string ns_suffix = getAppSecScopeType() == "namespaced" ? "ns" : "";
string ns = getAppSecScopeType() == "namespaced" ? "namespaces/" : "";
auto maybe_policy_activation = getObjectFromCluster<PolicyActivationData>(
"/apis/openappsec.io/v1beta2/" + ns + agent_ns + "policyactivations" + ns_suffix
);
if (!maybe_policy_activation.ok()) {
dbgWarning(D_LOCAL_POLICY)
<< "Failed to retrieve K8S PolicyActivation configurations. Error: "
<< maybe_policy_activation.getErr();
return make_tuple(v1bet1_policies, v1bet2_policies);
}
PolicyActivationData policy_activation = maybe_policy_activation.unpack();
for (const SinglePolicyActivationData &item : policy_activation.getItems()) {
for (const auto &policy : item.getSpec().getPolicies()) {
auto maybe_appsec_policy = createAppsecPolicyK8s(policy.getName(), "");
if (!std::get<1>(maybe_appsec_policy).ok()) {
dbgWarning(D_LOCAL_POLICY)
<< "Failed to create appsec policy. v1beta2 Error: "
<< std::get<1>(maybe_appsec_policy).getErr();
continue;
} else {
auto appsec_policy=std::get<1>(maybe_appsec_policy).unpack();
createPolicyFromActivation<V1beta2AppsecLinuxPolicy, NewParsedRule>(
appsec_policy,
v1bet2_policies,
policy);
}
}
}
return make_tuple(v1bet1_policies, v1bet2_policies); return make_tuple(v1bet1_policies, v1bet2_policies);
} }

3
components/security_apps/local_policy_mgmt_gen/local_policy_mgmt_gen.cc
View File

@ -36,7 +36,6 @@
#include "customized_cereal_map.h" #include "customized_cereal_map.h"
#include "include/appsec_practice_section.h" #include "include/appsec_practice_section.h"
#include "include/ingress_data.h" #include "include/ingress_data.h"
#include "include/policy_activation_data.h"
#include "include/settings_section.h" #include "include/settings_section.h"
#include "include/triggers_section.h" #include "include/triggers_section.h"
#include "include/local_policy_common.h" #include "include/local_policy_common.h"
@ -86,7 +85,7 @@ public:
K8sPolicyUtils k8s_policy_utils; K8sPolicyUtils k8s_policy_utils;
k8s_policy_utils.init(); k8s_policy_utils.init();
auto appsec_policies = k8s_policy_utils.createAppsecPolicies(); auto appsec_policies = k8s_policy_utils.createAppsecPoliciesFromIngresses();
if (!std::get<0>(appsec_policies).empty()) { if (!std::get<0>(appsec_policies).empty()) {
return policy_maker_utils.proccesMultipleAppsecPolicies<AppsecLinuxPolicy, ParsedRule>( return policy_maker_utils.proccesMultipleAppsecPolicies<AppsecLinuxPolicy, ParsedRule>(
std::get<0>(appsec_policies), std::get<0>(appsec_policies),

259
components/security_apps/local_policy_mgmt_gen/new_practice.cc
View File

@ -22,7 +22,6 @@ static const set<string> performance_impacts = {"low", "medium", "high"};
static const set<string> severity_levels = {"low", "medium", "high", "critical"}; static const set<string> severity_levels = {"low", "medium", "high", "critical"};
static const set<string> size_unit = {"bytes", "KB", "MB", "GB"}; static const set<string> size_unit = {"bytes", "KB", "MB", "GB"};
static const set<string> confidences_actions = {"prevent", "detect", "inactive", "as-top-level", "inherited"}; static const set<string> confidences_actions = {"prevent", "detect", "inactive", "as-top-level", "inherited"};
static const set<string> valied_enforcement_level = {"fullSchema", "endpointOnly"};
static const set<string> valid_modes = { static const set<string> valid_modes = {
"prevent", "prevent",
"detect", "detect",
@ -33,38 +32,38 @@ static const set<string> valid_modes = {
"inherited" "inherited"
}; };
static const set<string> valid_confidences = {"medium", "high", "critical"}; static const set<string> valid_confidences = {"medium", "high", "critical"};
static const unordered_map<string, string> key_to_performance_impact_val = { static const std::unordered_map<std::string, std::string> key_to_performance_impact_val = {
{ "low", "Low or lower"}, { "low", "Low or lower"},
{ "medium", "Medium or lower"}, { "medium", "Medium or lower"},
{ "high", "High or lower"} { "high", "High or lower"}
}; };
static const unordered_map<string, string> key_to_severity_level_val = { static const std::unordered_map<std::string, std::string> key_to_severity_level_val = {
{ "low", "Low or above"}, { "low", "Low or above"},
{ "medium", "Medium or above"}, { "medium", "Medium or above"},
{ "high", "High or above"}, { "high", "High or above"},
{ "critical", "Critical"} { "critical", "Critical"}
}; };
static const unordered_map<string, string> key_to_mode_val = { static const std::unordered_map<std::string, std::string> key_to_mode_val = {
{ "prevent-learn", "Prevent"}, { "prevent-learn", "Prevent"},
{ "detect-learn", "Detect"}, { "detect-learn", "Detect"},
{ "prevent", "Prevent"}, { "prevent", "Prevent"},
{ "detect", "Detect"}, { "detect", "Detect"},
{ "inactive", "Inactive"} { "inactive", "Inactive"}
}; };
static const unordered_map<string, string> anti_bot_key_to_mode_val = { static const std::unordered_map<std::string, std::string> anti_bot_key_to_mode_val = {
{ "prevent-learn", "Prevent"}, { "prevent-learn", "Prevent"},
{ "detect-learn", "Detect"}, { "detect-learn", "Detect"},
{ "prevent", "Prevent"}, { "prevent", "Prevent"},
{ "detect", "Detect"}, { "detect", "Detect"},
{ "inactive", "Disabled"} { "inactive", "Disabled"}
}; };
static const unordered_map<string, uint64_t> unit_to_int = { static const std::unordered_map<std::string, uint64_t> unit_to_int = {
{ "bytes", 1}, { "bytes", 1},
{ "KB", 1024}, { "KB", 1024},
{ "MB", 1048576}, { "MB", 1048576},
{ "GB", 1073741824} { "GB", 1073741824}
}; };
static const string TRANSPARENT_MODE = "Transparent"; static const std::string TRANSPARENT_MODE = "Transparent";
bool bool
isModeInherited(const string &mode) isModeInherited(const string &mode)
@ -72,11 +71,11 @@ isModeInherited(const string &mode)
return mode == "as-top-level" || mode == "inherited"; return mode == "as-top-level" || mode == "inherited";
} }
const string & const std::string &
getModeWithDefault( getModeWithDefault(
const string &mode, const std::string &mode,
const string &default_mode, const std::string &default_mode,
const unordered_map<string, string> &key_to_val) const std::unordered_map<std::string, std::string> &key_to_val)
{ {
if (isModeInherited(mode) && (key_to_val.find(default_mode) != key_to_val.end())) { if (isModeInherited(mode) && (key_to_val.find(default_mode) != key_to_val.end())) {
dbgError(D_LOCAL_POLICY) << "Setting to top-level mode: " << default_mode; dbgError(D_LOCAL_POLICY) << "Setting to top-level mode: " << default_mode;
@ -89,35 +88,36 @@ getModeWithDefault(
return key_to_val.at(mode); return key_to_val.at(mode);
} }
const vector<string> & const std::vector<std::string> &
NewAppSecPracticeAntiBot::getIjectedUris() const NewAppSecPracticeAntiBot::getIjectedUris() const
{ {
return injected_uris; return injected_uris;
} }
const vector<string> & const std::vector<std::string> &
NewAppSecPracticeAntiBot::getValidatedUris() const NewAppSecPracticeAntiBot::getValidatedUris() const
{ {
return validated_uris; return validated_uris;
} }
const string & const std::string &
NewAppSecPracticeAntiBot::getMode(const string &default_mode) const NewAppSecPracticeAntiBot::getMode() const
{ {
return getModeWithDefault(override_mode, default_mode, anti_bot_key_to_mode_val); return override_mode;
} }
void void
NewAppSecPracticeAntiBot::load(cereal::JSONInputArchive &archive_in) NewAppSecPracticeAntiBot::load(cereal::JSONInputArchive &archive_in)
{ {
dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Web Bots"; dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Web Bots";
string mode;
parseAppsecJSONKey<vector<string>>("injectedUris", injected_uris, archive_in); parseAppsecJSONKey<vector<string>>("injectedUris", injected_uris, archive_in);
parseAppsecJSONKey<vector<string>>("validatedUris", validated_uris, archive_in); parseAppsecJSONKey<vector<string>>("validatedUris", validated_uris, archive_in);
parseMandatoryAppsecJSONKey<string>("overrideMode", override_mode, archive_in, "inactive"); parseMandatoryAppsecJSONKey<string>("overrideMode", mode, archive_in, "inactive");
if (valid_modes.count(override_mode) == 0) { if (valid_modes.count(mode) == 0) {
dbgWarning(D_LOCAL_POLICY) << "AppSec Web Bots override mode invalid: " << override_mode; dbgWarning(D_LOCAL_POLICY) << "AppSec Web Bots override mode invalid: " << mode;
throw PolicyGenException("AppSec Web Bots override mode invalid: " + override_mode);
} }
override_mode = anti_bot_key_to_mode_val.at(mode);
} }
void void
@ -242,14 +242,14 @@ NewAppSecPracticeWebAttacks::getProtections() const
} }
SnortProtectionsSection::SnortProtectionsSection( SnortProtectionsSection::SnortProtectionsSection(
const string &_context, const std::string &_context,
const string &_asset_name, const std::string &_asset_name,
const string &_asset_id, const std::string &_asset_id,
const string &_practice_name, const std::string &_practice_name,
const string &_practice_id, const std::string &_practice_id,
const string &_source_identifier, const std::string &_source_identifier,
const string &_mode, const std::string &_mode,
const vector<string> &_files) const std::vector<std::string> &_files)
: :
context(_context), context(_context),
asset_name(_asset_name), asset_name(_asset_name),
@ -278,10 +278,10 @@ SnortProtectionsSection::save(cereal::JSONOutputArchive &out_ar) const
} }
DetectionRules::DetectionRules( DetectionRules::DetectionRules(
const string &_type, const std::string &_type,
const string &_SSM, const std::string &_SSM,
const string &_keywords, const std::string &_keywords,
const vector<string> &_context) const std::vector<std::string> &_context)
: :
type(_type), type(_type),
SSM(_SSM), SSM(_SSM),
@ -314,14 +314,14 @@ DetectionRules::save(cereal::JSONOutputArchive &out_ar) const
ProtectionMetadata::ProtectionMetadata( ProtectionMetadata::ProtectionMetadata(
bool _silent, bool _silent,
const string &_protection_name, const std::string &_protection_name,
const string &_severity, const std::string &_severity,
const string &_confidence_level, const std::string &_confidence_level,
const string &_performance_impact, const std::string &_performance_impact,
const string &_last_update, const std::string &_last_update,
const string &_maintrain_id, const std::string &_maintrain_id,
const vector<string> &_tags, const std::vector<std::string> &_tags,
const vector<string> &_cve_list) const std::vector<std::string> &_cve_list)
: :
silent(_silent), silent(_silent),
protection_name(_protection_name), protection_name(_protection_name),
@ -394,9 +394,9 @@ ProtectionsProtectionsSection::save(cereal::JSONOutputArchive &out_ar) const
} }
ProtectionsSection::ProtectionsSection( ProtectionsSection::ProtectionsSection(
const vector<ProtectionsProtectionsSection> &_protections, const std::vector<ProtectionsProtectionsSection> &_protections,
const string &_name, const std::string &_name,
const string &_modification_time) const std::string &_modification_time)
: :
protections(_protections), protections(_protections),
name(_name), name(_name),
@ -460,16 +460,12 @@ SnortSectionWrapper::save(cereal::JSONOutputArchive &out_ar) const
} }
void void
NewSnortSignatures::load(cereal::JSONInputArchive &archive_in) NewSnortSignaturesAndOpenSchemaAPI::load(cereal::JSONInputArchive &archive_in)
{ {
dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Snort Signatures practice"; dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Snort Signatures practice";
parseMandatoryAppsecJSONKey<string>("overrideMode", override_mode, archive_in, "inactive"); parseMandatoryAppsecJSONKey<string>("overrideMode", override_mode, archive_in, "inactive");
parseAppsecJSONKey<vector<string>>("configmap", config_map, archive_in); parseAppsecJSONKey<vector<string>>("configmap", config_map, archive_in);
parseAppsecJSONKey<vector<string>>("files", files, archive_in); parseAppsecJSONKey<vector<string>>("files", files, archive_in);
if (valid_modes.count(override_mode) == 0) {
dbgWarning(D_LOCAL_POLICY) << "AppSec Snort Signatures override mode invalid: " << override_mode;
throw PolicyGenException("AppSec Snort Signatures override mode invalid: " + override_mode);
}
is_temporary = false; is_temporary = false;
if (valid_modes.count(override_mode) == 0) { if (valid_modes.count(override_mode) == 0) {
dbgWarning(D_LOCAL_POLICY) << "AppSec Snort Signatures override mode invalid: " << override_mode; dbgWarning(D_LOCAL_POLICY) << "AppSec Snort Signatures override mode invalid: " << override_mode;
@ -478,107 +474,42 @@ NewSnortSignatures::load(cereal::JSONInputArchive &archive_in)
} }
void void
NewSnortSignatures::addFile(const string &file_name) NewSnortSignaturesAndOpenSchemaAPI::addFile(const string &file_name)
{ {
files.push_back(file_name); files.push_back(file_name);
} }
const string & const string &
NewSnortSignatures::getOverrideMode(const string &default_mode) const NewSnortSignaturesAndOpenSchemaAPI::getOverrideMode(const string &default_mode) const
{ {
const string &res = getModeWithDefault(override_mode, default_mode, key_to_practices_mode_val); const string &res = getModeWithDefault(override_mode, default_mode, key_to_practices_val);
return res; return res;
} }
const vector<string> & const vector<string> &
NewSnortSignatures::getFiles() const NewSnortSignaturesAndOpenSchemaAPI::getFiles() const
{ {
return files; return files;
} }
const vector<string> & const vector<string> &
NewSnortSignatures::getConfigMap() const NewSnortSignaturesAndOpenSchemaAPI::getConfigMap() const
{ {
return config_map; return config_map;
} }
bool bool
NewSnortSignatures::isTemporary() const NewSnortSignaturesAndOpenSchemaAPI::isTemporary() const
{ {
return is_temporary; return is_temporary;
} }
void void
NewSnortSignatures::setTemporary(bool val) NewSnortSignaturesAndOpenSchemaAPI::setTemporary(bool val)
{ {
is_temporary = val; is_temporary = val;
} }
void
NewOpenApiSchema::load(cereal::JSONInputArchive &archive_in)
{
dbgTrace(D_LOCAL_POLICY) << "Loading AppSec Schema Validation practice";
parseMandatoryAppsecJSONKey<string>("overrideMode", override_mode, archive_in, "inactive");
parseAppsecJSONKey<vector<string>>("configmap", config_map, archive_in);
parseAppsecJSONKey<vector<string>>("files", files, archive_in);
parseAppsecJSONKey<string>("enforcementLevel", enforcement_level, archive_in, "fullSchema");
if (valied_enforcement_level.count(enforcement_level) == 0) {
dbgWarning(D_LOCAL_POLICY) << "AppSec Schema Validation enforcement level invalid: " << enforcement_level;
throw PolicyGenException("AppSec Schema Validation enforcement level invalid: " + enforcement_level);
}
if (valid_modes.count(override_mode) == 0) {
dbgWarning(D_LOCAL_POLICY) << "AppSec Schema Validation override mode invalid: " << override_mode;
throw PolicyGenException("AppSec Schema Validation override mode invalid: " + override_mode);
}
for (const string &file : files)
{
auto i_orchestration_tools = Singleton::Consume<I_OrchestrationTools>::by<NewOpenApiSchema>();
auto file_content = i_orchestration_tools->readFile(file);
if (!file_content.ok()) {
dbgWarning(D_LOCAL_POLICY) << "Couldn't open the schema validation file";
continue;
}
oas.push_back(Singleton::Consume<I_Encryptor>::by<NewOpenApiSchema>()->base64Encode(file_content.unpack()));
}
}
void
NewOpenApiSchema::addOas(const string &file)
{
oas.push_back(file);
}
const string &
NewOpenApiSchema::getOverrideMode(const string &default_mode) const
{
const string &res = getModeWithDefault(override_mode, default_mode, key_to_practices_val2);
return res;
}
const string &
NewOpenApiSchema::getEnforceLevel() const
{
return enforcement_level;
}
const vector<string> &
NewOpenApiSchema::getFiles() const
{
return files;
}
const vector<string> &
NewOpenApiSchema::getConfigMap() const
{
return config_map;
}
const vector<string> &
NewOpenApiSchema::getOas() const
{
return oas;
}
void void
IpsProtectionsRulesSection::save(cereal::JSONOutputArchive &out_ar) const IpsProtectionsRulesSection::save(cereal::JSONOutputArchive &out_ar) const
{ {
@ -617,7 +548,7 @@ IpsProtectionsSection::IpsProtectionsSection(
{ {
} }
string & std::string &
IpsProtectionsSection::getMode() IpsProtectionsSection::getMode()
{ {
return mode; return mode;
@ -639,20 +570,6 @@ IpsProtectionsSection::save(cereal::JSONOutputArchive &out_ar) const
); );
} }
bool
IpsProtectionsSection::operator<(const IpsProtectionsSection &other) const
{
// for sorting from the most specific to the least specific rule
if (name == default_appsec_name) return false;
if (other.name == default_appsec_name) return true;
return name.size() > other.name.size();
}
IPSSection::IPSSection(const vector<IpsProtectionsSection> &_ips) : ips(_ips)
{
sort(ips.begin(), ips.end());
}
void void
IPSSection::save(cereal::JSONOutputArchive &out_ar) const IPSSection::save(cereal::JSONOutputArchive &out_ar) const
{ {
@ -731,7 +648,7 @@ NewIntrusionPrevention::createIpsRules(const string &default_mode) const
vector<IpsProtectionsRulesSection> ips_rules; vector<IpsProtectionsRulesSection> ips_rules;
IpsProtectionsRulesSection high_rule( IpsProtectionsRulesSection high_rule(
min_cve_Year, min_cve_Year,
getRulesMode(high_confidence_event_action, default_mode), getModeWithDefault(high_confidence_event_action, default_mode, key_to_practices_val),
string("High"), string("High"),
max_performance_impact, max_performance_impact,
string(""), string(""),
@ -741,7 +658,7 @@ NewIntrusionPrevention::createIpsRules(const string &default_mode) const
IpsProtectionsRulesSection med_rule( IpsProtectionsRulesSection med_rule(
min_cve_Year, min_cve_Year,
getRulesMode(medium_confidence_event_action, default_mode), getModeWithDefault(medium_confidence_event_action, default_mode, key_to_practices_val),
string("Medium"), string("Medium"),
max_performance_impact, max_performance_impact,
string(""), string(""),
@ -751,7 +668,7 @@ NewIntrusionPrevention::createIpsRules(const string &default_mode) const
IpsProtectionsRulesSection low_rule( IpsProtectionsRulesSection low_rule(
min_cve_Year, min_cve_Year,
getRulesMode(low_confidence_event_action, default_mode), getModeWithDefault(low_confidence_event_action, default_mode, key_to_practices_val),
string("Low"), string("Low"),
max_performance_impact, max_performance_impact,
string(""), string(""),
@ -762,45 +679,33 @@ NewIntrusionPrevention::createIpsRules(const string &default_mode) const
return ips_rules; return ips_rules;
} }
const string & const std::string &
NewIntrusionPrevention::getMode(const string &default_mode) const NewIntrusionPrevention::getMode(const std::string &default_mode) const
{ {
const string &res = getModeWithDefault(override_mode, default_mode, key_to_practices_mode_val); const string &res = getModeWithDefault(override_mode, default_mode, key_to_practices_val);
return res; return res;
} }
const string &
NewIntrusionPrevention::getRulesMode(const string &mode, const string &default_mode) const
{
if (isModeInherited(mode)) return default_mode;
if (key_to_practices_mode_val.find(mode) == key_to_practices_mode_val.end()) {
dbgError(D_LOCAL_POLICY) << "Given mode: " << mode << " or top-level: " << default_mode << " is invalid.";
return key_to_practices_mode_val.at("inactive");
}
return key_to_practices_mode_val.at(mode);
}
FileSecurityProtectionsSection::FileSecurityProtectionsSection( FileSecurityProtectionsSection::FileSecurityProtectionsSection(
uint64_t _file_size_limit, uint64_t _file_size_limit,
uint64_t _archive_file_size_limit, uint64_t _archive_file_size_limit,
bool _allow_files_without_name, bool _allow_files_without_name,
bool _required_file_size_limit, bool _required_file_size_limit,
bool _required_archive_extraction, bool _required_archive_extraction,
const string &_context, const std::string &_context,
const string &_name, const std::string &_name,
const string &_asset_id, const std::string &_asset_id,
const string &_practice_name, const std::string &_practice_name,
const string &_practice_id, const std::string &_practice_id,
const string &_action, const std::string &_action,
const string &_files_without_name_action, const std::string &_files_without_name_action,
const string &_high_confidence_action, const std::string &_high_confidence_action,
const string &_medium_confidence_action, const std::string &_medium_confidence_action,
const string &_low_confidence_action, const std::string &_low_confidence_action,
const string &_severity_level, const std::string &_severity_level,
const string &_file_size_limit_action, const std::string &_file_size_limit_action,
const string &_multi_level_archive_action, const std::string &_multi_level_archive_action,
const string &_unopened_archive_action) const std::string &_unopened_archive_action)
: :
file_size_limit(_file_size_limit), file_size_limit(_file_size_limit),
archive_file_size_limit(_archive_file_size_limit), archive_file_size_limit(_archive_file_size_limit),
@ -926,13 +831,13 @@ NewFileSecurityArchiveInspection::getrequiredArchiveExtraction() const
return extract_archive_files; return extract_archive_files;
} }
const string & const std::string &
NewFileSecurityArchiveInspection::getMultiLevelArchiveAction() const NewFileSecurityArchiveInspection::getMultiLevelArchiveAction() const
{ {
return archived_files_within_archived_files; return archived_files_within_archived_files;
} }
const string & const std::string &
NewFileSecurityArchiveInspection::getUnopenedArchiveAction() const NewFileSecurityArchiveInspection::getUnopenedArchiveAction() const
{ {
return archived_files_where_content_extraction_failed; return archived_files_where_content_extraction_failed;
@ -981,7 +886,7 @@ NewFileSecurityLargeFileInspection::getFileSizeLimit() const
return (file_size_limit * unit_to_int.at(file_size_limit_unit)); return (file_size_limit * unit_to_int.at(file_size_limit_unit));
} }
const string & const std::string &
NewFileSecurityLargeFileInspection::getFileSizeLimitAction() const NewFileSecurityLargeFileInspection::getFileSizeLimitAction() const
{ {
return files_exceeding_size_limit_action; return files_exceeding_size_limit_action;
@ -1102,7 +1007,7 @@ void
NewAppSecPracticeSpec::load(cereal::JSONInputArchive &archive_in) NewAppSecPracticeSpec::load(cereal::JSONInputArchive &archive_in)
{ {
dbgTrace(D_LOCAL_POLICY) << "Loading AppSec practice spec"; dbgTrace(D_LOCAL_POLICY) << "Loading AppSec practice spec";
parseAppsecJSONKey<NewOpenApiSchema>( parseAppsecJSONKey<NewSnortSignaturesAndOpenSchemaAPI>(
"schemaValidation", "schemaValidation",
openapi_schema_validation, openapi_schema_validation,
archive_in archive_in
@ -1110,15 +1015,11 @@ NewAppSecPracticeSpec::load(cereal::JSONInputArchive &archive_in)
parseAppsecJSONKey<string>("appsecClassName", appsec_class_name, archive_in); parseAppsecJSONKey<string>("appsecClassName", appsec_class_name, archive_in);
parseMandatoryAppsecJSONKey<NewFileSecurity>("fileSecurity", file_security, archive_in); parseMandatoryAppsecJSONKey<NewFileSecurity>("fileSecurity", file_security, archive_in);
parseMandatoryAppsecJSONKey<NewIntrusionPrevention>("intrusionPrevention", intrusion_prevention, archive_in); parseMandatoryAppsecJSONKey<NewIntrusionPrevention>("intrusionPrevention", intrusion_prevention, archive_in);
parseMandatoryAppsecJSONKey<NewSnortSignatures>("snortSignatures", snort_signatures, archive_in); parseMandatoryAppsecJSONKey<NewSnortSignaturesAndOpenSchemaAPI>("snortSignatures", snort_signatures, archive_in);
parseMandatoryAppsecJSONKey<NewAppSecPracticeWebAttacks>("webAttacks", web_attacks, archive_in); parseMandatoryAppsecJSONKey<NewAppSecPracticeWebAttacks>("webAttacks", web_attacks, archive_in);
parseAppsecJSONKey<NewAppSecPracticeAntiBot>("antiBot", anti_bot, archive_in); parseAppsecJSONKey<NewAppSecPracticeAntiBot>("antiBot", anti_bot, archive_in);
parseAppsecJSONKey<string>("name", practice_name, archive_in); parseAppsecJSONKey<string>("name", practice_name, archive_in);
parseAppsecJSONKey<string>("practiceMode", mode, archive_in, "inherited"); parseAppsecJSONKey<string>("practiceMode", mode, archive_in, "inherited");
if (valid_modes.count(mode) == 0) {
dbgWarning(D_LOCAL_POLICY) << "AppSec Threat prevention practice mode invalid: " << mode;
throw PolicyGenException("AppSec Threat prevention practice mode invalid: " + mode);
}
} }
void void
@ -1127,13 +1028,13 @@ NewAppSecPracticeSpec::setName(const string &_name)
practice_name = _name; practice_name = _name;
} }
NewOpenApiSchema & const NewSnortSignaturesAndOpenSchemaAPI &
NewAppSecPracticeSpec::getOpenSchemaValidation() NewAppSecPracticeSpec::getOpenSchemaValidation() const
{ {
return openapi_schema_validation; return openapi_schema_validation;
} }
NewSnortSignatures & NewSnortSignaturesAndOpenSchemaAPI &
NewAppSecPracticeSpec::getSnortSignatures() NewAppSecPracticeSpec::getSnortSignatures()
{ {
return snort_signatures; return snort_signatures;

2
components/security_apps/local_policy_mgmt_gen/new_trusted_sources.cc
View File

@ -69,7 +69,7 @@ Identifier::load(cereal::JSONInputArchive &archive_in)
dbgWarning(D_LOCAL_POLICY) << "AppSec identifier invalid: " << identifier; dbgWarning(D_LOCAL_POLICY) << "AppSec identifier invalid: " << identifier;
identifier = "sourceip"; identifier = "sourceip";
} }
parseAppsecJSONKey<vector<string>>("value", value, archive_in); parseMandatoryAppsecJSONKey<vector<string>>("value", value, archive_in);
} }
const string & const string &

103
components/security_apps/local_policy_mgmt_gen/policy_activation_data.cc
View File

@ -1,103 +0,0 @@
// Copyright (C) 2022 Check Point Software Technologies Ltd. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "policy_activation_data.h"
#include "customized_cereal_map.h"
using namespace std;
USE_DEBUG_FLAG(D_LOCAL_POLICY);
void
PolicyActivationMetadata::load(cereal::JSONInputArchive &archive_in)
{
dbgTrace(D_LOCAL_POLICY) << "PolicyActivationMetadata load";
parseAppsecJSONKey<string>("name", name, archive_in);
}
void
EnabledPolicy::load(cereal::JSONInputArchive &archive_in)
{
dbgTrace(D_LOCAL_POLICY) << "Loading policyActivation enabled policy";
parseMandatoryAppsecJSONKey<vector<string>>("hosts", hosts, archive_in);
parseAppsecJSONKey<string>("name", name, archive_in);
}
const string &
EnabledPolicy::getName() const
{
return name;
}
const vector<string> &
EnabledPolicy::getHosts() const
{
return hosts;
}
void
PolicyActivationSpec::load(cereal::JSONInputArchive &archive_in)
{
dbgTrace(D_LOCAL_POLICY) << "PolicyActivationSpec load";
parseAppsecJSONKey<string>("appsecClassName", appsec_class_name, archive_in);
parseMandatoryAppsecJSONKey<vector<EnabledPolicy>>("enabledPolicies", policies, archive_in);
}
const vector<EnabledPolicy> &
PolicyActivationSpec::getPolicies() const
{
return policies;
}
void
SinglePolicyActivationData::load(cereal::JSONInputArchive &archive_in)
{
dbgTrace(D_LOCAL_POLICY) << "Loading single policy activation data";
parseAppsecJSONKey<string>("apiVersion", api_version, archive_in);
parseAppsecJSONKey<string>("kind", kind, archive_in);
parseAppsecJSONKey<PolicyActivationMetadata>("metadata", metadata, archive_in);
parseAppsecJSONKey<PolicyActivationSpec>("spec", spec, archive_in);
}
const PolicyActivationSpec &
SinglePolicyActivationData::getSpec() const
{
return spec;
}
bool
PolicyActivationData::loadJson(const string &json)
{
string modified_json = json;
modified_json.pop_back();
stringstream in;
in.str(modified_json);
dbgTrace(D_LOCAL_POLICY) << "Loading policy activations data";
try {
cereal::JSONInputArchive in_ar(in);
in_ar(
cereal::make_nvp("apiVersion", api_version),
cereal::make_nvp("items", items)
);
} catch (cereal::Exception &e) {
dbgError(D_LOCAL_POLICY) << "Failed to load policy activations data JSON. Error: " << e.what();
return false;
}
return true;
}
const vector<SinglePolicyActivationData> &
PolicyActivationData::getItems() const
{
return items;
}

57
components/security_apps/local_policy_mgmt_gen/policy_maker_utils.cc
View File

@ -23,14 +23,6 @@ using namespace std;
USE_DEBUG_FLAG(D_NGINX_POLICY); USE_DEBUG_FLAG(D_NGINX_POLICY);
USE_DEBUG_FLAG(D_LOCAL_POLICY); USE_DEBUG_FLAG(D_LOCAL_POLICY);
static const std::unordered_map<std::string, std::string> key_to_source_identefier_val = {
{ "sourceip", "Source IP"},
{ "cookie", "Cookie:"},
{ "headerkey", "Header:"},
{ "JWTKey", ""},
{ "x-forwarded-for", "X-Forwarded-For"}
};
void void
SecurityAppsWrapper::save(cereal::JSONOutputArchive &out_ar) const SecurityAppsWrapper::save(cereal::JSONOutputArchive &out_ar) const
{ {
@ -928,6 +920,7 @@ createMultiRulesSections(
PracticeSection practice = PracticeSection(practice_id, practice_type, practice_name); PracticeSection practice = PracticeSection(practice_id, practice_type, practice_name);
vector<ParametersSection> exceptions_result; vector<ParametersSection> exceptions_result;
for (auto exception : exceptions) { for (auto exception : exceptions) {
const auto &exception_name = exception.first; const auto &exception_name = exception.first;
for (const auto &inner_exception : exception.second) { for (const auto &inner_exception : exception.second) {
exceptions_result.push_back(ParametersSection(inner_exception.getBehaviorId(), exception_name)); exceptions_result.push_back(ParametersSection(inner_exception.getBehaviorId(), exception_name));
@ -1045,7 +1038,7 @@ PolicyMakerUtils::createIpsSections(
practice_name, practice_name,
practice_id, practice_id,
source_identifier, source_identifier,
"Inactive", override_mode,
apssec_practice.getIntrusionPrevention().createIpsRules(override_mode) apssec_practice.getIntrusionPrevention().createIpsRules(override_mode)
); );
@ -1055,7 +1048,8 @@ PolicyMakerUtils::createIpsSections(
void void
PolicyMakerUtils::createSnortProtecionsSection(const string &file_name, bool is_temporary) PolicyMakerUtils::createSnortProtecionsSection(const string &file_name, bool is_temporary)
{ {
auto path = is_temporary ? getFilesystemPathConfig() + "/conf/snort/" + file_name + ".rule" : file_name; auto path = getFilesystemPathConfig() + "/conf/snort/" + file_name;
string in_file = is_temporary ? path + ".rule" : path;
if (snort_protections.find(path) != snort_protections.end()) { if (snort_protections.find(path) != snort_protections.end()) {
dbgTrace(D_LOCAL_POLICY) << "Snort protections section for file " << file_name << " already exists"; dbgTrace(D_LOCAL_POLICY) << "Snort protections section for file " << file_name << " already exists";
@ -1066,9 +1060,7 @@ PolicyMakerUtils::createSnortProtecionsSection(const string &file_name, bool is_
<< (is_temporary ? " temporary" : "") << " file " << path; << (is_temporary ? " temporary" : "") << " file " << path;
auto snort_script_path = getFilesystemPathConfig() + "/scripts/snort_to_ips_local.py"; auto snort_script_path = getFilesystemPathConfig() + "/scripts/snort_to_ips_local.py";
auto tmp_out = "/tmp/" + file_name + ".out"; auto cmd = "python3 " + snort_script_path + " " + in_file + " " + path + ".out " + path + ".err";
auto tmp_err = "/tmp/" + file_name + ".err";
auto cmd = "python3 " + snort_script_path + " " + path + " " + tmp_out + " " + tmp_err;
auto res = Singleton::Consume<I_ShellCmd>::by<LocalPolicyMgmtGenerator>()->getExecOutput(cmd); auto res = Singleton::Consume<I_ShellCmd>::by<LocalPolicyMgmtGenerator>()->getExecOutput(cmd);
@ -1077,16 +1069,16 @@ PolicyMakerUtils::createSnortProtecionsSection(const string &file_name, bool is_
return; return;
} }
Maybe<ProtectionsSectionWrapper> maybe_protections = openFileAsJson<ProtectionsSectionWrapper>(tmp_out); Maybe<ProtectionsSectionWrapper> maybe_protections = openFileAsJson<ProtectionsSectionWrapper>(path + ".out");
if (!maybe_protections.ok()){ if (!maybe_protections.ok()){
dbgWarning(D_LOCAL_POLICY) << maybe_protections.getErr(); dbgWarning(D_LOCAL_POLICY) << maybe_protections.getErr();
return; return;
} }
auto i_orchestration_tools = Singleton::Consume<I_OrchestrationTools>::by<LocalPolicyMgmtGenerator>(); auto i_orchestration_tools = Singleton::Consume<I_OrchestrationTools>::by<LocalPolicyMgmtGenerator>();
if (is_temporary) i_orchestration_tools->removeFile(path); if (is_temporary) i_orchestration_tools->removeFile(in_file);
i_orchestration_tools->removeFile(tmp_out); i_orchestration_tools->removeFile(path + ".out");
i_orchestration_tools->removeFile(tmp_err); i_orchestration_tools->removeFile(path + ".err");
snort_protections[path] = ProtectionsSection( snort_protections[path] = ProtectionsSection(
maybe_protections.unpack().getProtections(), maybe_protections.unpack().getProtections(),
@ -1216,11 +1208,9 @@ void
PolicyMakerUtils::createWebAppSection( PolicyMakerUtils::createWebAppSection(
const V1beta2AppsecLinuxPolicy &policy, const V1beta2AppsecLinuxPolicy &policy,
const RulesConfigRulebase& rule_config, const RulesConfigRulebase& rule_config,
const string &practice_id, const string &practice_id, const string &full_url,
const string &full_url,
const string &default_mode, const string &default_mode,
map<AnnotationTypes, string> &rule_annotations, map<AnnotationTypes, string> &rule_annotations)
vector<InnerException> rule_inner_exceptions)
{ {
auto apssec_practice = auto apssec_practice =
getAppsecPracticeSpec<V1beta2AppsecLinuxPolicy, NewAppSecPracticeSpec>( getAppsecPracticeSpec<V1beta2AppsecLinuxPolicy, NewAppSecPracticeSpec>(
@ -1235,7 +1225,6 @@ PolicyMakerUtils::createWebAppSection(
apssec_practice.getWebAttacks().getMaxObjectDepth(), apssec_practice.getWebAttacks().getMaxObjectDepth(),
apssec_practice.getWebAttacks().getMaxUrlSizeBytes() apssec_practice.getWebAttacks().getMaxUrlSizeBytes()
); );
WebAppSection web_app = WebAppSection( WebAppSection web_app = WebAppSection(
full_url == "Any" ? default_appsec_url : full_url, full_url == "Any" ? default_appsec_url : full_url,
rule_config.getAssetId(), rule_config.getAssetId(),
@ -1247,16 +1236,12 @@ PolicyMakerUtils::createWebAppSection(
rule_config.getContext(), rule_config.getContext(),
apssec_practice.getWebAttacks().getMinimumConfidence(practice_mode), apssec_practice.getWebAttacks().getMinimumConfidence(practice_mode),
apssec_practice.getWebAttacks().getMode(practice_mode), apssec_practice.getWebAttacks().getMode(practice_mode),
apssec_practice.getAntiBot().getMode(practice_mode), apssec_practice.getAntiBot().getMode(),
apssec_practice.getOpenSchemaValidation().getOverrideMode(practice_mode),
apssec_practice.getOpenSchemaValidation().getEnforceLevel(),
apssec_practice.getOpenSchemaValidation().getOas(),
practice_advance_config, practice_advance_config,
apssec_practice.getAntiBot(), apssec_practice.getAntiBot(),
log_triggers[rule_annotations[AnnotationTypes::TRIGGER]], log_triggers[rule_annotations[AnnotationTypes::TRIGGER]],
trusted_sources[rule_annotations[AnnotationTypes::TRUSTED_SOURCES]], trusted_sources[rule_annotations[AnnotationTypes::TRUSTED_SOURCES]],
apssec_practice.getWebAttacks().getProtections(), apssec_practice.getWebAttacks().getProtections()
rule_inner_exceptions
); );
web_apps[rule_config.getAssetName()] = web_app; web_apps[rule_config.getAssetName()] = web_app;
} }
@ -1305,7 +1290,7 @@ PolicyMakerUtils::createThreatPreventionPracticeSections(
); );
rules_config[rule_config.getAssetName()] = rule_config; rules_config[rule_config.getAssetName()] = rule_config;
string current_identifier, current_identifier_value; string current_identifier;
if (!rule_annotations[AnnotationTypes::SOURCE_IDENTIFIERS].empty()) { if (!rule_annotations[AnnotationTypes::SOURCE_IDENTIFIERS].empty()) {
UsersIdentifiersRulebase user_identifiers = createUserIdentifiers<V1beta2AppsecLinuxPolicy>( UsersIdentifiersRulebase user_identifiers = createUserIdentifiers<V1beta2AppsecLinuxPolicy>(
rule_annotations[AnnotationTypes::SOURCE_IDENTIFIERS], rule_annotations[AnnotationTypes::SOURCE_IDENTIFIERS],
@ -1314,15 +1299,6 @@ PolicyMakerUtils::createThreatPreventionPracticeSections(
); );
users_identifiers[rule_annotations[AnnotationTypes::SOURCE_IDENTIFIERS]] = user_identifiers; users_identifiers[rule_annotations[AnnotationTypes::SOURCE_IDENTIFIERS]] = user_identifiers;
current_identifier = user_identifiers.getIdentifier(); current_identifier = user_identifiers.getIdentifier();
current_identifier_value = user_identifiers.getIdentifierValue();
}
string ips_identifier, ips_identifier_value;
if(key_to_source_identefier_val.find(current_identifier) != key_to_source_identefier_val.end()) {
ips_identifier = key_to_source_identefier_val.at(current_identifier);
}
if (current_identifier == "cookie" || current_identifier == "headerkey") {
ips_identifier_value = current_identifier_value;
} }
createIpsSections( createIpsSections(
@ -1330,7 +1306,7 @@ PolicyMakerUtils::createThreatPreventionPracticeSections(
rule_config.getAssetName(), rule_config.getAssetName(),
practice_id, practice_id,
rule_annotations[AnnotationTypes::PRACTICE], rule_annotations[AnnotationTypes::PRACTICE],
ips_identifier + ips_identifier_value, current_identifier,
rule_config.getContext(), rule_config.getContext(),
policy, policy,
rule_annotations, rule_annotations,
@ -1367,8 +1343,7 @@ PolicyMakerUtils::createThreatPreventionPracticeSections(
practice_id, practice_id,
asset_name, asset_name,
default_mode, default_mode,
rule_annotations, rule_annotations);
inner_exceptions[rule_annotations[AnnotationTypes::EXCEPTION]]);
} }
} }

16
components/security_apps/local_policy_mgmt_gen/rules_config_section.cc
View File

@ -17,8 +17,6 @@ using namespace std;
USE_DEBUG_FLAG(D_LOCAL_POLICY); USE_DEBUG_FLAG(D_LOCAL_POLICY);
static const string empty_string="";
AssetUrlParser AssetUrlParser
AssetUrlParser::parse(const string &uri) AssetUrlParser::parse(const string &uri)
{ {
@ -244,13 +242,6 @@ UsersIdentifier::getIdentifier() const
{ {
return source_identifier; return source_identifier;
} }
const string &
UsersIdentifier::getIdentifierValue() const
{
if (identifier_values.empty()) return empty_string;
return identifier_values[0];
}
// LCOV_EXCL_STOP // LCOV_EXCL_STOP
void void
@ -281,13 +272,6 @@ UsersIdentifiersRulebase::getIdentifier() const
if (source_identifiers.empty()) return source_identifier; if (source_identifiers.empty()) return source_identifier;
return source_identifiers[0].getIdentifier(); return source_identifiers[0].getIdentifier();
} }
const string &
UsersIdentifiersRulebase::getIdentifierValue() const
{
if (source_identifiers.empty()) return empty_string;
return source_identifiers[0].getIdentifierValue();
}
// LCOV_EXCL_STOP // LCOV_EXCL_STOP
void void

1
components/security_apps/orchestration/CMakeLists.txt
View File

@ -14,6 +14,7 @@ add_subdirectory(details_resolver)
add_subdirectory(health_check) add_subdirectory(health_check)
add_subdirectory(health_check_manager) add_subdirectory(health_check_manager)
add_subdirectory(updates_process_reporter) add_subdirectory(updates_process_reporter)
add_subdirectory(env_details)
add_subdirectory(external_sdk_server) add_subdirectory(external_sdk_server)
#add_subdirectory(orchestration_ut) #add_subdirectory(orchestration_ut)

54
components/security_apps/orchestration/details_resolver/details_resolver.cc
View File

@ -46,7 +46,7 @@ public:
bool isReverseProxy() override; bool isReverseProxy() override;
bool isCloudStorageEnabled() override; bool isCloudStorageEnabled() override;
Maybe<tuple<string, string, string, string, string>> readCloudMetadata() override; Maybe<tuple<string, string, string, string, string>> readCloudMetadata() override;
Maybe<tuple<string, string, string, string>> parseNginxMetadata() override; Maybe<tuple<string, string, string>> parseNginxMetadata() override;
#if defined(gaia) || defined(smb) #if defined(gaia) || defined(smb)
bool compareCheckpointVersion(int cp_version, std::function<bool(int, int)> compare_operator) const override; bool compareCheckpointVersion(int cp_version, std::function<bool(int, int)> compare_operator) const override;
#endif // gaia || smb #endif // gaia || smb
@ -80,9 +80,7 @@ DetailsResolver::Impl::getHostname()
Maybe<string> Maybe<string>
DetailsResolver::Impl::getPlatform() DetailsResolver::Impl::getPlatform()
{ {
#if defined(gaia_arm) #if defined(gaia)
return string("gaia_arm");
#elif defined(gaia)
return string("gaia"); return string("gaia");
#elif defined(arm32_rpi) #elif defined(arm32_rpi)
return string("glibc"); return string("glibc");
@ -230,7 +228,7 @@ isNoResponse(const string &cmd)
return !res.ok() || res.unpack().empty(); return !res.ok() || res.unpack().empty();
} }
Maybe<tuple<string, string, string, string>> Maybe<tuple<string, string, string>>
DetailsResolver::Impl::parseNginxMetadata() DetailsResolver::Impl::parseNginxMetadata()
{ {
auto output_path = getConfigurationWithDefault<string>( auto output_path = getConfigurationWithDefault<string>(
@ -243,11 +241,6 @@ DetailsResolver::Impl::parseNginxMetadata()
"/scripts/cp-nano-makefile-generator.sh -f -o " + "/scripts/cp-nano-makefile-generator.sh -f -o " +
output_path; output_path;
const string script_fresh_exe_cmd =
getFilesystemPathConfig() +
"/scripts/cp-nano-makefile-generator-fresh.sh save --save-location " +
output_path;
dbgTrace(D_ORCHESTRATOR) << "Details resolver, srcipt exe cmd: " << srcipt_exe_cmd; dbgTrace(D_ORCHESTRATOR) << "Details resolver, srcipt exe cmd: " << srcipt_exe_cmd;
if (isNoResponse("which nginx") && isNoResponse("which kong")) { if (isNoResponse("which nginx") && isNoResponse("which kong")) {
return genError("Nginx or Kong isn't installed"); return genError("Nginx or Kong isn't installed");
@ -270,7 +263,7 @@ DetailsResolver::Impl::parseNginxMetadata()
return genError("Cannot open the file with nginx metadata, File: " + output_path); return genError("Cannot open the file with nginx metadata, File: " + output_path);
} }
string line; string line;
while (getline(input_stream, line)) { while (getline(input_stream, line)) {
lines.push_back(line); lines.push_back(line);
} }
@ -284,37 +277,7 @@ DetailsResolver::Impl::parseNginxMetadata()
<< " Error: " << exception.what(); << " Error: " << exception.what();
} }
if (!isNoResponse("which nginx")) {
auto script_output = DetailsResolvingHanlder::getCommandOutput(script_fresh_exe_cmd);
if (!script_output.ok()) {
return genError("Failed to generate nginx fresh metadata, Error: " + script_output.getErr());
}
try {
ifstream input_stream(output_path);
if (!input_stream) {
return genError("Cannot open the file with nginx fresh metadata, File: " + output_path);
}
string line;
while (getline(input_stream, line)) {
if (line.find("NGX_MODULE_SIGNATURE") == 0) {
lines.push_back(line);
}
}
input_stream.close();
orchestration_tools->removeFile(output_path);
} catch (const ifstream::failure &exception) {
dbgWarning(D_ORCHESTRATOR)
<< "Cannot read the file with required nginx fresh metadata."
<< " File: " << output_path
<< " Error: " << exception.what();
}
}
if (lines.size() == 0) return genError("Failed to read nginx metadata file"); if (lines.size() == 0) return genError("Failed to read nginx metadata file");
string nginx_signature;
string nginx_version; string nginx_version;
string config_opt; string config_opt;
string cc_opt; string cc_opt;
@ -329,11 +292,6 @@ DetailsResolver::Impl::parseNginxMetadata()
nginx_version = "nginx-" + line.substr(eq_index + 1); nginx_version = "nginx-" + line.substr(eq_index + 1);
continue; continue;
} }
if (line.find("NGX_MODULE_SIGNATURE") != string::npos) {
auto eq_index = line.find("=");
nginx_signature = line.substr(eq_index + 1);
continue;
}
if (line.find("EXTRA_CC_OPT") != string::npos) { if (line.find("EXTRA_CC_OPT") != string::npos) {
auto eq_index = line.find("="); auto eq_index = line.find("=");
cc_opt = line.substr(eq_index + 1); cc_opt = line.substr(eq_index + 1);
@ -343,7 +301,7 @@ DetailsResolver::Impl::parseNginxMetadata()
if (line.back() == '\\') line.pop_back(); if (line.back() == '\\') line.pop_back();
config_opt += line; config_opt += line;
} }
return make_tuple(config_opt, cc_opt, nginx_version, nginx_signature); return make_tuple(config_opt, cc_opt, nginx_version);
} }
Maybe<tuple<string, string, string, string, string>> Maybe<tuple<string, string, string, string, string>>
@ -392,7 +350,7 @@ DetailsResolver::Impl::readCloudMetadata()
} }
if (!cloud_metadata.ok()) { if (!cloud_metadata.ok()) {
dbgDebug(D_ORCHESTRATOR) << cloud_metadata.getErr(); dbgWarning(D_ORCHESTRATOR) << cloud_metadata.getErr();
return genError("Failed to fetch cloud metadata"); return genError("Failed to fetch cloud metadata");
} }

80
components/security_apps/orchestration/details_resolver/details_resolver_handlers/checkpoint_product_handlers.h
View File

@ -18,8 +18,6 @@
#include <regex> #include <regex>
#include <boost/regex.hpp> #include <boost/regex.hpp>
#include <boost/algorithm/string.hpp> #include <boost/algorithm/string.hpp>
#include <cereal/external/rapidjson/document.h>
#include <cereal/external/rapidjson/filereadstream.h>
#if defined(gaia) #if defined(gaia)
@ -71,18 +69,7 @@ checkPepIdaIdnStatus(const string &command_output)
Maybe<string> Maybe<string>
getRequiredNanoServices(const string &command_output) getRequiredNanoServices(const string &command_output)
{ {
string idaRequiredServices[2] = {"idaSaml", "idaIdn"}; return command_output;
string platform_str = "gaia";
#if defined(gaia_arm)
platform_str = "gaia_arm";
#endif // gaia_arm
string result = "";
for(const string &serv : idaRequiredServices) {
string add_service = serv + "_" + platform_str;
result = result + add_service + ";";
}
command_output.empty(); // overcome unused variable
return result;
} }
Maybe<string> Maybe<string>
@ -113,14 +100,6 @@ checkIsInstallHorizonTelemetrySucceeded(const string &command_output)
return command_output; return command_output;
} }
Maybe<string>
getOtlpAgentGaiaOsRole(const string &command_output)
{
if (command_output == "" ) return string("-1");
return command_output;
}
Maybe<string> Maybe<string>
getQUID(const string &command_output) getQUID(const string &command_output)
{ {
@ -132,13 +111,6 @@ getQUID(const string &command_output)
return command_output; return command_output;
} }
Maybe<string>
getIsAiopsRunning(const string &command_output)
{
if (command_output == "" ) return string("false");
return command_output;
}
Maybe<string> Maybe<string>
checkHasSDWan(const string &command_output) checkHasSDWan(const string &command_output)
@ -214,24 +186,6 @@ getMgmtObjAttr(shared_ptr<istream> file_stream, const string &attr)
return genError("Object attribute was not found. Attr: " + attr); return genError("Object attribute was not found. Attr: " + attr);
} }
Maybe<string>
getAttrFromCpsdwanGetDataJson(const string &attr)
{
static const std::string get_data_json_path = "/tmp/cpsdwan_getdata_orch.json";
std::ifstream ifs(get_data_json_path);
if (ifs.is_open()) {
rapidjson::IStreamWrapper isw(ifs);
rapidjson::Document document;
document.ParseStream(isw);
if (!document.HasParseError() && document.HasMember(attr.c_str()) && document[attr.c_str()].IsString()) {
return string(document[attr.c_str()].GetString());
}
}
return genError("Attribute " + attr + " was not found in " + get_data_json_path);
}
Maybe<string> Maybe<string>
getMgmtObjUid(const string &command_output) getMgmtObjUid(const string &command_output)
{ {
@ -239,11 +193,6 @@ getMgmtObjUid(const string &command_output)
return command_output; return command_output;
} }
Maybe<string> obj_uuid = getAttrFromCpsdwanGetDataJson("uuid");
if (obj_uuid.ok()) {
return obj_uuid.unpack();
}
static const string obj_path = (getenv("FWDIR") ? string(getenv("FWDIR")) : "") + "/database/myown.C"; static const string obj_path = (getenv("FWDIR") ? string(getenv("FWDIR")) : "") + "/database/myown.C";
auto file_stream = std::make_shared<std::ifstream>(obj_path); auto file_stream = std::make_shared<std::ifstream>(obj_path);
if (!file_stream->is_open()) { if (!file_stream->is_open()) {
@ -353,28 +302,6 @@ getSMCBasedMgmtName(const string &command_output)
return getAttr(command_output, "Mgmt object Name was not found"); return getAttr(command_output, "Mgmt object Name was not found");
} }
Maybe<string>
getSmbObjectUid(const string &command_output)
{
static const char centrally_managed_comd_output = '0';
if (command_output.empty() || command_output[0] != centrally_managed_comd_output) {
return genError("Object UUID was not found");
}
Maybe<string> obj_uuid = getAttrFromCpsdwanGetDataJson("uuid");
if (obj_uuid.ok()) {
return obj_uuid.unpack();
}
static const string obj_path = (getenv("FWDIR") ? string(getenv("FWDIR")) : "") + "/database/myown.C";
auto file_stream = std::make_shared<std::ifstream>(obj_path);
if (!file_stream->is_open()) {
return genError("Failed to open the object file");
}
return getMgmtObjAttr(file_stream, "uuid ");
}
Maybe<string> Maybe<string>
getSmbObjectName(const string &command_output) getSmbObjectName(const string &command_output)
{ {
@ -384,11 +311,6 @@ getSmbObjectName(const string &command_output)
return genError("Object name was not found"); return genError("Object name was not found");
} }
Maybe<string> obj_name = getAttrFromCpsdwanGetDataJson("name");
if (obj_name.ok()) {
return obj_name.unpack();
}
static const string obj_path = (getenv("FWDIR") ? string(getenv("FWDIR")) : "") + "/database/myown.C"; static const string obj_path = (getenv("FWDIR") ? string(getenv("FWDIR")) : "") + "/database/myown.C";
auto ifs = std::make_shared<std::ifstream>(obj_path); auto ifs = std::make_shared<std::ifstream>(obj_path);
if (!ifs->is_open()) { if (!ifs->is_open()) {

65
components/security_apps/orchestration/details_resolver/details_resolver_handlers/details_resolver_impl.h
View File

@ -29,7 +29,7 @@
// shell command execution output as its input // shell command execution output as its input
#ifdef SHELL_PRE_CMD #ifdef SHELL_PRE_CMD
#if defined(gaia) || defined(smb) || defined(smb_thx_v3) || defined(smb_sve_v2) || defined(smb_mrv_v1) #if defined(gaia) || defined(smb)
SHELL_PRE_CMD("read sdwan data", SHELL_PRE_CMD("read sdwan data",
"(cpsdwan get_data > /tmp/cpsdwan_getdata_orch.json~) " "(cpsdwan get_data > /tmp/cpsdwan_getdata_orch.json~) "
"&& (mv /tmp/cpsdwan_getdata_orch.json~ /tmp/cpsdwan_getdata_orch.json)") "&& (mv /tmp/cpsdwan_getdata_orch.json~ /tmp/cpsdwan_getdata_orch.json)")
@ -40,20 +40,17 @@ SHELL_PRE_CMD("gunzip local.cfg", "gunzip -c $FWDIR/state/local/FW1/local.cfg.gz
#endif #endif
#ifdef SHELL_CMD_HANDLER #ifdef SHELL_CMD_HANDLER
#if defined(gaia) || defined(smb) || defined(smb_thx_v3) || defined(smb_sve_v2) || defined(smb_mrv_v1) #if defined(gaia) || defined(smb)
SHELL_CMD_HANDLER("cpProductIntegrationMgmtObjectType", "cpprod_util CPPROD_IsMgmtMachine", getMgmtObjType) SHELL_CMD_HANDLER("cpProductIntegrationMgmtObjectType", "cpprod_util CPPROD_IsMgmtMachine", getMgmtObjType)
SHELL_CMD_HANDLER(
"cpProductIntegrationMgmtObjectUid",
"mgmt_cli --format json -r true show-session | jq -r '.[\"connected-server\"].uid'",
getMgmtObjUid
)
SHELL_CMD_HANDLER("prerequisitesForHorizonTelemetry", SHELL_CMD_HANDLER("prerequisitesForHorizonTelemetry",
"FS_PATH=<FILESYSTEM-PREFIX>; [ -f ${FS_PATH}/cp-nano-horizon-telemetry-prerequisites.log ] " "FS_PATH=<FILESYSTEM-PREFIX>; [ -f ${FS_PATH}/cp-nano-horizon-telemetry-prerequisites.log ] "
"&& head -1 ${FS_PATH}/cp-nano-horizon-telemetry-prerequisites.log || echo ''", "&& head -1 ${FS_PATH}/cp-nano-horizon-telemetry-prerequisites.log || echo ''",
checkIsInstallHorizonTelemetrySucceeded) checkIsInstallHorizonTelemetrySucceeded)
SHELL_CMD_HANDLER(
"IS_AIOPS_RUNNING",
"FS_PATH=<FILESYSTEM-PREFIX>; "
"PID=$(ps auxf | grep -v grep | grep -E ${FS_PATH}.*cp-nano-horizon-telemetry | awk -F' ' '{printf $2}'); "
"[ -z \"${PID}\" ] && echo 'false' || echo 'true'",
getIsAiopsRunning)
#endif
#if defined(gaia)
SHELL_CMD_HANDLER("GLOBAL_QUID", "[ -d /opt/CPquid ] " SHELL_CMD_HANDLER("GLOBAL_QUID", "[ -d /opt/CPquid ] "
"&& python3 /opt/CPquid/Quid_Api.py -i /opt/CPotelcol/quid_api/get_global_id.json | jq -r .message || echo ''", "&& python3 /opt/CPquid/Quid_Api.py -i /opt/CPotelcol/quid_api/get_global_id.json | jq -r .message || echo ''",
getQUID) getQUID)
@ -69,31 +66,8 @@ SHELL_CMD_HANDLER("QUID", "FS_PATH=<FILESYSTEM-PREFIX>;"
"/opt/CPotelcol/quid_api/get_vs_quid.json.${VS_ID} | jq -r .message[0].QUID || echo '');", "/opt/CPotelcol/quid_api/get_vs_quid.json.${VS_ID} | jq -r .message[0].QUID || echo '');",
getQUID) getQUID)
SHELL_CMD_HANDLER("SMO_QUID", "[ -d /opt/CPquid ] " SHELL_CMD_HANDLER("SMO_QUID", "[ -d /opt/CPquid ] "
"&& python3 /opt/CPquid/Quid_Api.py -i " "&& python3 /opt/CPquid/Quid_Api.py -i /opt/CPotelcol/quid_api/get_smo_quid.json | jq -r .message || echo ''",
"/opt/CPotelcol/quid_api/get_smo_quid.json | jq -r .message[0].SMO_QUID || echo ''",
getQUID) getQUID)
SHELL_CMD_HANDLER("MGMT_QUID", "[ -d /opt/CPquid ] "
"&& python3 /opt/CPquid/Quid_Api.py -i "
"/opt/CPotelcol/quid_api/get_mgmt_quid.json | jq -r .message[0].MGMT_QUID || echo ''",
getQUID)
SHELL_CMD_HANDLER("AIOPS_AGENT_ROLE", "[ -d /opt/CPOtlpAgent/custom_scripts ] "
"&& ENV_NO_FORMAT=1 /opt/CPOtlpAgent/custom_scripts/agent_role.sh",
getOtlpAgentGaiaOsRole)
#endif
#if defined(smb) || defined(smb_thx_v3) || defined(smb_sve_v2) || defined(smb_mrv_v1)
SHELL_CMD_HANDLER("GLOBAL_QUID",
"cat $FWDIR/database/myown.C "
"| awk -F'[()]' '/:name/ { found=1; next } found && /:uuid/ { uid=tolower($2); print uid; exit }'",
getQUID)
SHELL_CMD_HANDLER("QUID",
"cat $FWDIR/database/myown.C "
"| awk -F'[()]' '/:name/ { found=1; next } found && /:uuid/ { uid=tolower($2); print uid; exit }'",
getQUID)
SHELL_CMD_HANDLER("SMO_QUID", "echo ''", getQUID)
SHELL_CMD_HANDLER("MGMT_QUID", "echo ''", getQUID)
SHELL_CMD_HANDLER("AIOPS_AGENT_ROLE", "echo 'SMB'", getOtlpAgentGaiaOsRole)
#endif
#if defined(gaia) || defined(smb) || defined(smb_thx_v3) || defined(smb_sve_v2) || defined(smb_mrv_v1)
SHELL_CMD_HANDLER("hasSDWan", "[ -f $FWDIR/bin/sdwan_steering ] && echo '1' || echo '0'", checkHasSDWan) SHELL_CMD_HANDLER("hasSDWan", "[ -f $FWDIR/bin/sdwan_steering ] && echo '1' || echo '0'", checkHasSDWan)
SHELL_CMD_HANDLER( SHELL_CMD_HANDLER(
"canUpdateSDWanData", "canUpdateSDWanData",
@ -145,17 +119,12 @@ SHELL_CMD_HANDLER("hasSAMLSupportedBlade", "enabled_blades", checkSAMLSupportedB
SHELL_CMD_HANDLER("hasIDABlade", "enabled_blades", checkIDABlade) SHELL_CMD_HANDLER("hasIDABlade", "enabled_blades", checkIDABlade)
SHELL_CMD_HANDLER("hasSAMLPortal", "mpclient status nac", checkSAMLPortal) SHELL_CMD_HANDLER("hasSAMLPortal", "mpclient status nac", checkSAMLPortal)
SHELL_CMD_HANDLER("hasIdaIdnEnabled", "fw ctl get int nac_pep_identity_next_enabled", checkPepIdaIdnStatus) SHELL_CMD_HANDLER("hasIdaIdnEnabled", "fw ctl get int nac_pep_identity_next_enabled", checkPepIdaIdnStatus)
SHELL_CMD_HANDLER("requiredNanoServices", "echo ida", getRequiredNanoServices) SHELL_CMD_HANDLER("requiredNanoServices", "echo 'idaSaml_gaia;idaIdn_gaia;'", getRequiredNanoServices)
SHELL_CMD_HANDLER( SHELL_CMD_HANDLER(
"cpProductIntegrationMgmtObjectName", "cpProductIntegrationMgmtObjectName",
"mgmt_cli --format json -r true show-session | jq -r '.[\"connected-server\"].name'", "mgmt_cli --format json -r true show-session | jq -r '.[\"connected-server\"].name'",
getMgmtObjName getMgmtObjName
) )
SHELL_CMD_HANDLER(
"cpProductIntegrationMgmtObjectUid",
"mgmt_cli --format json -r true show-session | jq -r '.[\"connected-server\"].uid'",
getMgmtObjUid
)
SHELL_CMD_HANDLER( SHELL_CMD_HANDLER(
"cpProductIntegrationMgmtParentObjectName", "cpProductIntegrationMgmtParentObjectName",
"cat $FWDIR/database/myself_objects.C " "cat $FWDIR/database/myself_objects.C "
@ -206,12 +175,13 @@ SHELL_CMD_HANDLER(
) )
SHELL_CMD_HANDLER( SHELL_CMD_HANDLER(
"managements", "managements",
"echo 1", "sed -n '/:masters (/,$p' $FWDIR/database/myself_objects.C |"
" sed -e ':a' -e 'N' -e '$!ba' -e 's/\\n//g' -e 's/\t//g' -e 's/ //g' | sed 's/))):.*/)))):/'",
extractManagements extractManagements
) )
#endif //gaia #endif //gaia
#if defined(smb) || defined(smb_thx_v3) || defined(smb_sve_v2) || defined(smb_mrv_v1) #if defined(smb)
SHELL_CMD_HANDLER( SHELL_CMD_HANDLER(
"cpProductIntegrationMgmtParentObjectName", "cpProductIntegrationMgmtParentObjectName",
"jq -r .cluster_name /tmp/cpsdwan_getdata_orch.json", "jq -r .cluster_name /tmp/cpsdwan_getdata_orch.json",
@ -227,11 +197,6 @@ SHELL_CMD_HANDLER(
"cpprod_util FwIsLocalMgmt", "cpprod_util FwIsLocalMgmt",
getSmbObjectName getSmbObjectName
) )
SHELL_CMD_HANDLER(
"cpProductIntegrationMgmtObjectUid",
"cpprod_util FwIsLocalMgmt",
getSmbObjectUid
)
SHELL_CMD_HANDLER( SHELL_CMD_HANDLER(
"Application Control", "Application Control",
"cat $FWDIR/conf/active_blades.txt | grep -o 'APCL [01]' | cut -d ' ' -f2", "cat $FWDIR/conf/active_blades.txt | grep -o 'APCL [01]' | cut -d ' ' -f2",
@ -267,13 +232,15 @@ SHELL_CMD_HANDLER(
SHELL_CMD_HANDLER( SHELL_CMD_HANDLER(
"managements", "managements",
"echo 1", "sed -n '/:masters (/,$p' /tmp/local.cfg |"
" sed -e ':a' -e 'N' -e '$!ba' -e 's/\\n//g' -e 's/\t//g' -e 's/ //g' | sed 's/))):.*/)))):/'",
extractManagements extractManagements
) )
#endif//smb #endif//smb
SHELL_CMD_OUTPUT("kernel_version", "uname -r") SHELL_CMD_OUTPUT("kernel_version", "uname -r")
SHELL_CMD_OUTPUT("helloWorld", "cat /tmp/agentHelloWorld 2>/dev/null") SHELL_CMD_OUTPUT("helloWorld", "cat /tmp/agentHelloWorld 2>/dev/null")
SHELL_CMD_OUTPUT("report_timestamp", "date -u +\%s")
#endif // SHELL_CMD_OUTPUT #endif // SHELL_CMD_OUTPUT
@ -303,7 +270,7 @@ FILE_CONTENT_HANDLER("AppSecModelVersion", "<FILESYSTEM-PREFIX>/conf/waap/waap.d
#endif // FILE_CONTENT_HANDLER #endif // FILE_CONTENT_HANDLER
#ifdef SHELL_POST_CMD #ifdef SHELL_POST_CMD
#if defined(smb) || defined(smb_thx_v3) || defined(smb_sve_v2) || defined(smb_mrv_v1) #if defined(smb)
SHELL_POST_CMD("remove local.cfg", "rm -rf /tmp/local.cfg") SHELL_POST_CMD("remove local.cfg", "rm -rf /tmp/local.cfg")
#endif //smb #endif //smb
#endif #endif

0
core/env_details/CMakeLists.txt → components/security_apps/orchestration/env_details/CMakeLists.txt
View File

41
core/env_details/env_details.cc → components/security_apps/orchestration/env_details/env_details.cc
View File

@ -15,34 +15,19 @@
#include "config.h" #include "config.h"
#include "debug.h" #include "debug.h"
#include "orchestration_tools.h"
#include <sys/stat.h>
using namespace std; using namespace std;
USE_DEBUG_FLAG(D_LOCAL_POLICY); USE_DEBUG_FLAG(D_LOCAL_POLICY);
static const string k8s_service_account = "/var/run/secrets/kubernetes.io/serviceaccount"; static const string k8s_service_account = "/var/run/secrets/kubernetes.io/serviceaccount";
static bool
checkExistence(const string &path, bool is_dir)
{
try {
struct stat info;
if (stat(path.c_str(), &info) != 0) return false;
int flag = is_dir ? S_IFDIR : S_IFREG;
return info.st_mode & flag;
} catch (exception &e) {
return false;
}
}
// LCOV_EXCL_START Reason: can't use on the pipline environment // LCOV_EXCL_START Reason: can't use on the pipline environment
EnvDetails::EnvDetails() : Component("EnvDetails") EnvDetails::EnvDetails() : env_type(EnvType::LINUX)
{ {
if (doesFileExist("/.dockerenv")) env_type = EnvType::DOCKER; auto tools = Singleton::Consume<I_OrchestrationTools>::from<OrchestrationTools>();
if (tools->doesFileExist("/.dockerenv")) env_type = EnvType::DOCKER;
token = retrieveToken(); token = retrieveToken();
agent_namespace = retrieveNamespace();
if (!token.empty()) { if (!token.empty()) {
auto env_res = getenv("deployment_type"); auto env_res = getenv("deployment_type");
env_type = env_res != nullptr && env_res == string("non_crd_k8s") ? EnvType::NON_CRD_K8S : EnvType::K8S; env_type = env_res != nullptr && env_res == string("non_crd_k8s") ? EnvType::NON_CRD_K8S : EnvType::K8S;
@ -61,24 +46,12 @@ EnvDetails::getToken()
return token; return token;
} }
string
EnvDetails::getNameSpace()
{
return agent_namespace;
}
string string
EnvDetails::retrieveToken() EnvDetails::retrieveToken()
{ {
return readFileContent(k8s_service_account + "/token"); return readFileContent(k8s_service_account + "/token");
} }
string
EnvDetails::retrieveNamespace()
{
return readFileContent(k8s_service_account + "/namespace");
}
string string
EnvDetails::readFileContent(const string &file_path) EnvDetails::readFileContent(const string &file_path)
{ {
@ -96,10 +69,4 @@ EnvDetails::readFileContent(const string &file_path)
} }
} }
bool
EnvDetails::doesFileExist(const string &file_path) const
{
return checkExistence(file_path, false);
}
// LCOV_EXCL_STOP // LCOV_EXCL_STOP

6
components/security_apps/orchestration/health_check_manager/health_check_manager.cc
View File

@ -266,10 +266,10 @@ private:
case OrchestrationStatusFieldType::COUNT : return "Count"; case OrchestrationStatusFieldType::COUNT : return "Count";
} }
dbgAssertOpt(false) dbgAssert(false)
<< AlertInfo(AlertTeam::CORE, "orchestration health") << AlertInfo(AlertTeam::CORE, "orchestration health")
<< "Trying to convert unknown orchestration status field to string."; << "Trying to convert unknown orchestration status field to string.";
return "Unknown Field"; return "";
} }
HealthCheckStatus HealthCheckStatus
@ -282,7 +282,7 @@ private:
case UpdatesProcessResult::DEGRADED : return HealthCheckStatus::DEGRADED; case UpdatesProcessResult::DEGRADED : return HealthCheckStatus::DEGRADED;
} }
dbgAssertOpt(false) dbgAssert(false)
<< AlertInfo(AlertTeam::CORE, "orchestration health") << AlertInfo(AlertTeam::CORE, "orchestration health")
<< "Trying to convert unknown update process result field to health check status."; << "Trying to convert unknown update process result field to health check status.";
return HealthCheckStatus::IGNORED; return HealthCheckStatus::IGNORED;

4
components/security_apps/orchestration/hybrid_mode_telemetry.cc
View File

@ -34,9 +34,7 @@ HybridModeMetric::upon(const HybridModeMetricEvent &)
{ {
auto shell_cmd = Singleton::Consume<I_ShellCmd>::by<OrchestrationComp>(); auto shell_cmd = Singleton::Consume<I_ShellCmd>::by<OrchestrationComp>();
auto maybe_cmd_output = shell_cmd->getExecOutput( auto maybe_cmd_output = shell_cmd->getExecOutput(
getFilesystemPathConfig() + "/watchdog/cp-nano-watchdog --restart_count", getFilesystemPathConfig() + "/watchdog/cp-nano-watchdog --restart_count"
1000,
false
); );
// get wd process restart count // get wd process restart count

6
components/security_apps/orchestration/include/declarative_policy_utils.h
View File

@ -79,8 +79,8 @@ public:
) override; ) override;
std::string getUpdate(CheckUpdateRequest &request) override; std::string getUpdate(CheckUpdateRequest &request) override;
bool shouldApplyPolicy() override; bool shouldApplyPolicy() override;
void turnOffApplyLocalPolicyFlag() override; void turnOffApplyPolicyFlag() override;
void turnOnApplyLocalPolicyFlag() override; void turnOnApplyPolicyFlag() override;
std::string getCurrPolicy() override { return curr_policy; } std::string getCurrPolicy() override { return curr_policy; }
@ -94,7 +94,7 @@ private:
std::string curr_version; std::string curr_version;
std::string curr_policy; std::string curr_policy;
std::string curr_checksum; std::string curr_checksum;
bool should_apply_local_policy; bool should_apply_policy;
}; };
#endif // __DECLARATIVE_POLICY_UTILS_H__ #endif // __DECLARATIVE_POLICY_UTILS_H__

4
components/security_apps/orchestration/include/i_declarative_policy.h
View File

@ -22,8 +22,8 @@ public:
virtual std::string getCurrPolicy() = 0; virtual std::string getCurrPolicy() = 0;
virtual void turnOffApplyLocalPolicyFlag() = 0; virtual void turnOffApplyPolicyFlag() = 0;
virtual void turnOnApplyLocalPolicyFlag() = 0; virtual void turnOnApplyPolicyFlag() = 0;
protected: protected:
virtual ~I_DeclarativePolicy() {} virtual ~I_DeclarativePolicy() {}

4
components/security_apps/orchestration/include/mock/mock_details_resolver.h
View File

@ -21,7 +21,7 @@
#include "maybe_res.h" #include "maybe_res.h"
std::ostream & std::ostream &
operator<<(std::ostream &os, const Maybe<std::tuple<std::string, std::string, std::string, std::string>> &) operator<<(std::ostream &os, const Maybe<std::tuple<std::string, std::string, std::string>> &)
{ {
return os; return os;
} }
@ -48,7 +48,7 @@ public:
MOCK_METHOD0(isGwNotVsx, bool()); MOCK_METHOD0(isGwNotVsx, bool());
MOCK_METHOD0(getResolvedDetails, std::map<std::string, std::string>()); MOCK_METHOD0(getResolvedDetails, std::map<std::string, std::string>());
MOCK_METHOD0(isVersionAboveR8110, bool()); MOCK_METHOD0(isVersionAboveR8110, bool());
MOCK_METHOD0(parseNginxMetadata, Maybe<std::tuple<std::string, std::string, std::string, std::string>>()); MOCK_METHOD0(parseNginxMetadata, Maybe<std::tuple<std::string, std::string, std::string>>());
MOCK_METHOD0( MOCK_METHOD0(
readCloudMetadata, Maybe<std::tuple<std::string, std::string, std::string, std::string, std::string>>()); readCloudMetadata, Maybe<std::tuple<std::string, std::string, std::string, std::string, std::string>>());
}; };

18
components/security_apps/orchestration/manifest_controller/manifest_controller.cc
View File

@ -100,7 +100,6 @@ private:
string packages_dir; string packages_dir;
string orch_service_name; string orch_service_name;
set<string> ignore_packages; set<string> ignore_packages;
Maybe<string> forbidden_versions = genError("Forbidden versions file does not exist");
}; };
void void
@ -136,8 +135,7 @@ ManifestController::Impl::init()
"Ignore packages list file path" "Ignore packages list file path"
); );
auto orchestration_tools = Singleton::Consume<I_OrchestrationTools>::by<ManifestController>(); if (Singleton::Consume<I_OrchestrationTools>::by<ManifestController>()->doesFileExist(ignore_packages_path)) {
if (orchestration_tools->doesFileExist(ignore_packages_path)) {
try { try {
ifstream input_stream(ignore_packages_path); ifstream input_stream(ignore_packages_path);
if (!input_stream) { if (!input_stream) {
@ -158,9 +156,6 @@ ManifestController::Impl::init()
<< " Error: " << f.what(); << " Error: " << f.what();
} }
} }
const string forbidden_versions_path = getFilesystemPathConfig() + "/revert/forbidden_versions";
forbidden_versions = orchestration_tools->readFile(forbidden_versions_path);
} }
bool bool
@ -276,17 +271,6 @@ ManifestController::Impl::updateManifest(const string &new_manifest_file)
} }
map<string, Package> new_packages = parsed_manifest.unpack(); map<string, Package> new_packages = parsed_manifest.unpack();
if (!new_packages.empty()) {
const Package &package = new_packages.begin()->second;
if (forbidden_versions.ok() &&
forbidden_versions.unpack().find(package.getVersion()) != string::npos
) {
dbgWarning(D_ORCHESTRATOR)
<< "Packages version is in the forbidden versions list. No upgrade will be performed.";
return true;
}
}
map<string, Package> all_packages = parsed_manifest.unpack(); map<string, Package> all_packages = parsed_manifest.unpack();
map<string, Package> current_packages; map<string, Package> current_packages;
parsed_manifest = orchestration_tools->loadPackagesFromJson(manifest_file_path); parsed_manifest = orchestration_tools->loadPackagesFromJson(manifest_file_path);

152
components/security_apps/orchestration/manifest_controller/manifest_controller_ut/manifest_controller_ut.cc
View File

@ -58,9 +58,6 @@ public:
Debug::setUnitTestFlag(D_ORCHESTRATOR, Debug::DebugLevel::TRACE); Debug::setUnitTestFlag(D_ORCHESTRATOR, Debug::DebugLevel::TRACE);
const string ignore_packages_file = "/etc/cp/conf/ignore-packages.txt"; const string ignore_packages_file = "/etc/cp/conf/ignore-packages.txt";
EXPECT_CALL(mock_orchestration_tools, doesFileExist(ignore_packages_file)).WillOnce(Return(false)); EXPECT_CALL(mock_orchestration_tools, doesFileExist(ignore_packages_file)).WillOnce(Return(false));
Maybe<string> forbidden_versions(string("a1\na2"));
EXPECT_CALL(mock_orchestration_tools, readFile("/etc/cp/revert/forbidden_versions"))
.WillOnce(Return(forbidden_versions));
manifest_controller.init(); manifest_controller.init();
manifest_file_path = getConfigurationWithDefault<string>( manifest_file_path = getConfigurationWithDefault<string>(
"/etc/cp/conf/manifest.json", "/etc/cp/conf/manifest.json",
@ -227,10 +224,6 @@ TEST_F(ManifestControllerTest, createNewManifest)
EXPECT_CALL(mock_orchestration_tools, copyFile(file_name, manifest_file_path)).WillOnce(Return(true)); EXPECT_CALL(mock_orchestration_tools, copyFile(file_name, manifest_file_path)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, isNonEmptyFile(manifest_file_path)).WillOnce(Return(true)); EXPECT_CALL(mock_orchestration_tools, isNonEmptyFile(manifest_file_path)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, removeFile(file_name)).WillOnce(Return(true)); EXPECT_CALL(mock_orchestration_tools, removeFile(file_name)).WillOnce(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(false));
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name)); EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
} }
@ -370,11 +363,6 @@ TEST_F(ManifestControllerTest, updateManifest)
EXPECT_CALL(mock_orchestration_tools, isNonEmptyFile(manifest_file_path)).Times(2).WillRepeatedly(Return(true)); EXPECT_CALL(mock_orchestration_tools, isNonEmptyFile(manifest_file_path)).Times(2).WillRepeatedly(Return(true));
EXPECT_CALL(mock_orchestration_tools, removeFile(file_name)).Times(2).WillRepeatedly(Return(true)); EXPECT_CALL(mock_orchestration_tools, removeFile(file_name)).Times(2).WillRepeatedly(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(false));
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name)); EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
manifest = manifest =
@ -429,9 +417,6 @@ TEST_F(ManifestControllerTest, updateManifest)
EXPECT_CALL(mock_orchestration_tools, loadPackagesFromJson(file_name)).WillOnce(Return(new_services)); EXPECT_CALL(mock_orchestration_tools, loadPackagesFromJson(file_name)).WillOnce(Return(new_services));
EXPECT_CALL(mock_orchestration_tools, EXPECT_CALL(mock_orchestration_tools,
loadPackagesFromJson(manifest_file_path)).WillOnce(Return(old_services)); loadPackagesFromJson(manifest_file_path)).WillOnce(Return(old_services));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillRepeatedly(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name)); EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
} }
@ -493,11 +478,6 @@ TEST_F(ManifestControllerTest, selfUpdate)
EXPECT_CALL(mock_orchestration_tools, copyFile("/tmp/temp_file", path + EXPECT_CALL(mock_orchestration_tools, copyFile("/tmp/temp_file", path +
temp_ext)).WillOnce(Return(true)); temp_ext)).WillOnce(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(false));
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name)); EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
} }
@ -627,10 +607,6 @@ TEST_F(ManifestControllerTest, removeCurrentErrorPackage)
EXPECT_CALL(mock_orchestration_tools, isNonEmptyFile(manifest_file_path)).WillOnce(Return(true)); EXPECT_CALL(mock_orchestration_tools, isNonEmptyFile(manifest_file_path)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, removeFile(file_name)).WillOnce(Return(true)); EXPECT_CALL(mock_orchestration_tools, removeFile(file_name)).WillOnce(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(false));
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
corrupted_packages.clear(); corrupted_packages.clear();
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name)); EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
} }
@ -690,10 +666,6 @@ TEST_F(ManifestControllerTest, selfUpdateWithOldCopy)
EXPECT_CALL(mock_orchestration_tools, copyFile("/tmp/temp_file", path + EXPECT_CALL(mock_orchestration_tools, copyFile("/tmp/temp_file", path +
temp_ext)).WillOnce(Return(true)); temp_ext)).WillOnce(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(false));
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name)); EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
} }
@ -750,10 +722,6 @@ TEST_F(ManifestControllerTest, selfUpdateWithOldCopyWithError)
EXPECT_CALL(mock_orchestration_tools, doesFileExist(path)).WillOnce(Return(false)).WillOnce(Return(true)); EXPECT_CALL(mock_orchestration_tools, doesFileExist(path)).WillOnce(Return(false)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, copyFile(path, path + backup_ext + temp_ext)).WillOnce(Return(false)); EXPECT_CALL(mock_orchestration_tools, copyFile(path, path + backup_ext + temp_ext)).WillOnce(Return(false));
EXPECT_CALL(mock_details_resolver, getHostname()).WillOnce(Return(hostname)); EXPECT_CALL(mock_details_resolver, getHostname()).WillOnce(Return(hostname));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(false));
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_FALSE(i_manifest_controller->updateManifest(file_name)); EXPECT_FALSE(i_manifest_controller->updateManifest(file_name));
} }
@ -830,10 +798,6 @@ TEST_F(ManifestControllerTest, installAndRemove)
EXPECT_CALL(mock_orchestration_tools, isNonEmptyFile(manifest_file_path)).Times(2).WillRepeatedly(Return(true)); EXPECT_CALL(mock_orchestration_tools, isNonEmptyFile(manifest_file_path)).Times(2).WillRepeatedly(Return(true));
EXPECT_CALL(mock_orchestration_tools, removeFile(file_name)).Times(2).WillRepeatedly(Return(true)); EXPECT_CALL(mock_orchestration_tools, removeFile(file_name)).Times(2).WillRepeatedly(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(false));
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name)); EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
string new_manifest = string new_manifest =
@ -894,63 +858,6 @@ TEST_F(ManifestControllerTest, installAndRemove)
.WillOnce(Return(true)); .WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/packages/my1/my1")).Times(2) EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/packages/my1/my1")).Times(2)
.WillOnce(Return(false)); .WillOnce(Return(false));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillRepeatedly(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
}
TEST_F(ManifestControllerTest, manifestWithForbiddenVersion)
{
new_services.clear();
old_services.clear();
string manifest =
"{"
" \"packages\": ["
" {"
" \"download-path\": \"http://172.23.92.135/my.sh\","
" \"relative-path\": \"\","
" \"name\": \"my\","
" \"version\": \"a1\","
" \"checksum-type\": \"sha1sum\","
" \"checksum\": \"a58bbab8020b0e6d08568714b5e582a3adf9c805\","
" \"package-type\": \"service\","
" \"require\": []"
" },"
" {"
" \"download-path\": \"http://172.23.92.135/my.sh\","
" \"relative-path\": \"\","
" \"name\": \"orchestration\","
" \"version\": \"a1\","
" \"checksum-type\": \"sha1sum\","
" \"checksum\": \"a58bbab8020b0e6d08568714b5e582a3adf9c805\","
" \"package-type\": \"service\","
" \"require\": []"
" },"
" {"
" \"download-path\": \"\","
" \"relative-path\": \"\","
" \"name\": \"waap\","
" \"version\": \"a1\","
" \"checksum-type\": \"sha1sum\","
" \"checksum\": \"\","
" \"package-type\": \"service\","
" \"status\": false,\n"
" \"message\": \"This security app isn't valid for this agent\"\n"
" }"
" ]"
"}";
map<string, Package> manifest_services;
load(manifest, manifest_services);
checkIfFileExistsCall(manifest_services.at("my"));
load(manifest, new_services);
load(old_manifest, old_services);
EXPECT_CALL(mock_orchestration_tools, loadPackagesFromJson(file_name)).WillOnce(Return(new_services));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name)); EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
} }
@ -1040,10 +947,6 @@ TEST_F(ManifestControllerTest, badInstall)
EXPECT_CALL(mock_orchestration_tools, EXPECT_CALL(mock_orchestration_tools,
packagesToJsonFile(corrupted_packages, corrupted_file_list)).WillOnce(Return(true)); packagesToJsonFile(corrupted_packages, corrupted_file_list)).WillOnce(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(false));
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_FALSE(i_manifest_controller->updateManifest(file_name)); EXPECT_FALSE(i_manifest_controller->updateManifest(file_name));
} }
@ -1209,12 +1112,6 @@ TEST_F(ManifestControllerTest, requireUpdate)
.WillOnce(Return(true)); .WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, isNonEmptyFile(manifest_file_path)).WillOnce(Return(true)); EXPECT_CALL(mock_orchestration_tools, isNonEmptyFile(manifest_file_path)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, removeFile("new_manifest.json")).WillOnce(Return(true)); EXPECT_CALL(mock_orchestration_tools, removeFile("new_manifest.json")).WillOnce(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillRepeatedly(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status"))
.WillOnce(Return(false))
.WillRepeatedly(Return(true));;
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name)); EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
} }
@ -1315,10 +1212,6 @@ TEST_F(ManifestControllerTest, sharedObjectNotInstalled)
).WillOnce(Return(true)); ).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, copyFile("/tmp/temp_file1", path + EXPECT_CALL(mock_orchestration_tools, copyFile("/tmp/temp_file1", path +
temp_ext)).WillOnce(Return(true)); temp_ext)).WillOnce(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(false));
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name)); EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
} }
@ -1420,12 +1313,6 @@ TEST_F(ManifestControllerTest, requireSharedObjectUpdate)
.WillOnce(Return(true)); .WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, removeFile("new_manifest.json")) EXPECT_CALL(mock_orchestration_tools, removeFile("new_manifest.json"))
.WillOnce(Return(true)); .WillOnce(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillRepeatedly(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status"))
.WillOnce(Return(false))
.WillRepeatedly(Return(true));;
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name)); EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
} }
@ -1502,7 +1389,6 @@ TEST_F(ManifestControllerTest, failureOnDownloadSharedObject)
EXPECT_CALL(mock_details_resolver, getHostname()).WillOnce(Return(string("hostname"))); EXPECT_CALL(mock_details_resolver, getHostname()).WillOnce(Return(string("hostname")));
EXPECT_CALL(mock_orchestration_tools, removeFile("/tmp/temp_file1")).WillOnce(Return(true)); EXPECT_CALL(mock_orchestration_tools, removeFile("/tmp/temp_file1")).WillOnce(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillRepeatedly(Return("b"));
EXPECT_FALSE(i_manifest_controller->updateManifest(file_name)); EXPECT_FALSE(i_manifest_controller->updateManifest(file_name));
} }
@ -1638,12 +1524,6 @@ TEST_F(ManifestControllerTest, multiRequireUpdate)
.WillOnce(Return(true)); .WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, removeFile("new_manifest.json")) EXPECT_CALL(mock_orchestration_tools, removeFile("new_manifest.json"))
.WillOnce(Return(true)); .WillOnce(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillRepeatedly(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status"))
.WillOnce(Return(false))
.WillRepeatedly(Return(true));;
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name)); EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
} }
@ -1730,12 +1610,6 @@ TEST_F(ManifestControllerTest, createNewManifestWithUninstallablePackage)
EXPECT_CALL(mock_orchestration_tools, isNonEmptyFile(manifest_file_path)).WillOnce(Return(true)); EXPECT_CALL(mock_orchestration_tools, isNonEmptyFile(manifest_file_path)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, removeFile(file_name)).WillOnce(Return(true)); EXPECT_CALL(mock_orchestration_tools, removeFile(file_name)).WillOnce(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillRepeatedly(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status"))
.WillOnce(Return(false))
.WillRepeatedly(Return(true));;
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name)); EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
} }
@ -1750,7 +1624,7 @@ TEST_F(ManifestControllerTest, updateUninstallPackage)
" \"download-path\": \"\"," " \"download-path\": \"\","
" \"relative-path\": \"\"," " \"relative-path\": \"\","
" \"name\": \"my\"," " \"name\": \"my\","
" \"version\": \"c\"," " \"version\": \"\","
" \"checksum-type\": \"sha1sum\"," " \"checksum-type\": \"sha1sum\","
" \"checksum\": \"\"," " \"checksum\": \"\","
" \"package-type\": \"service\"," " \"package-type\": \"service\","
@ -1847,11 +1721,6 @@ TEST_F(ManifestControllerTest, updateUninstallPackage)
EXPECT_CALL(mock_orchestration_tools, loadPackagesFromJson(file_name)).WillOnce(Return(new_services)); EXPECT_CALL(mock_orchestration_tools, loadPackagesFromJson(file_name)).WillOnce(Return(new_services));
EXPECT_CALL(mock_orchestration_tools, EXPECT_CALL(mock_orchestration_tools,
loadPackagesFromJson(manifest_file_path)).WillOnce(Return(old_services)); loadPackagesFromJson(manifest_file_path)).WillOnce(Return(old_services));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillOnce(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(false));
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name)); EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
} }
@ -1875,9 +1744,6 @@ public:
setConfiguration<string>(ignore_packages_file, "orchestration", "Ignore packages list file path"); setConfiguration<string>(ignore_packages_file, "orchestration", "Ignore packages list file path");
writeIgnoreList(ignore_packages_file, ignore_services); writeIgnoreList(ignore_packages_file, ignore_services);
EXPECT_CALL(mock_orchestration_tools, doesFileExist(ignore_packages_file)).WillOnce(Return(true)); EXPECT_CALL(mock_orchestration_tools, doesFileExist(ignore_packages_file)).WillOnce(Return(true));
Maybe<string> forbidden_versions(string("a1\na2"));
EXPECT_CALL(mock_orchestration_tools, readFile("/etc/cp/revert/forbidden_versions"))
.WillOnce(Return(forbidden_versions));
manifest_controller.init(); manifest_controller.init();
manifest_file_path = getConfigurationWithDefault<string>( manifest_file_path = getConfigurationWithDefault<string>(
"/etc/cp/conf/manifest.json", "/etc/cp/conf/manifest.json",
@ -1973,7 +1839,6 @@ public:
StrictMock<MockOrchestrationStatus> mock_status; StrictMock<MockOrchestrationStatus> mock_status;
StrictMock<MockDownloader> mock_downloader; StrictMock<MockDownloader> mock_downloader;
StrictMock<MockOrchestrationTools> mock_orchestration_tools; StrictMock<MockOrchestrationTools> mock_orchestration_tools;
StrictMock<MockDetailsResolver> mock_details_resolver;
NiceMock<MockShellCmd> mock_shell_cmd; NiceMock<MockShellCmd> mock_shell_cmd;
ManifestController manifest_controller; ManifestController manifest_controller;
@ -2257,12 +2122,6 @@ TEST_F(ManifestControllerIgnorePakckgeTest, addIgnorePackageAndUpdateNormal)
EXPECT_CALL(mock_orchestration_tools, isNonEmptyFile(manifest_file_path)).WillOnce(Return(true)); EXPECT_CALL(mock_orchestration_tools, isNonEmptyFile(manifest_file_path)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, removeFile(file_name)).WillOnce(Return(true)); EXPECT_CALL(mock_orchestration_tools, removeFile(file_name)).WillOnce(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillRepeatedly(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status"))
.WillOnce(Return(false))
.WillRepeatedly(Return(true));;
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name)); EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
} }
@ -2528,12 +2387,6 @@ TEST_F(ManifestControllerIgnorePakckgeTest, overrideIgnoredPackageFromProfileSet
EXPECT_CALL(mock_orchestration_tools, isNonEmptyFile(manifest_file_path)).WillOnce(Return(true)); EXPECT_CALL(mock_orchestration_tools, isNonEmptyFile(manifest_file_path)).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, removeFile(file_name)).WillOnce(Return(true)); EXPECT_CALL(mock_orchestration_tools, removeFile(file_name)).WillOnce(Return(true));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillRepeatedly(Return("b"));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status"))
.WillOnce(Return(false))
.WillRepeatedly(Return(true));;
EXPECT_CALL(mock_orchestration_tools, writeFile(_, "/etc/cp/revert/upgrade_status", false))
.WillOnce(Return(true));
EXPECT_TRUE(i_manifest_controller->updateManifest(file_name)); EXPECT_TRUE(i_manifest_controller->updateManifest(file_name));
EXPECT_THAT(capture_debug.str(), Not(HasSubstr("Ignoring a package from the manifest. Package name: my"))); EXPECT_THAT(capture_debug.str(), Not(HasSubstr("Ignoring a package from the manifest. Package name: my")));
@ -2558,9 +2411,6 @@ public:
doesFileExist("/etc/cp/conf/ignore-packages.txt") doesFileExist("/etc/cp/conf/ignore-packages.txt")
).WillOnce(Return(false)); ).WillOnce(Return(false));
Maybe<string> forbidden_versions(string("a1\na2"));
EXPECT_CALL(mock_orchestration_tools, readFile("/etc/cp/revert/forbidden_versions"))
.WillOnce(Return(forbidden_versions));
manifest_controller.init(); manifest_controller.init();
} }

25
components/security_apps/orchestration/manifest_controller/manifest_handler.cc
View File

@ -14,7 +14,6 @@
#include "manifest_handler.h" #include "manifest_handler.h"
#include <algorithm> #include <algorithm>
#include <ctime>
#include "debug.h" #include "debug.h"
#include "config.h" #include "config.h"
@ -202,29 +201,18 @@ ManifestHandler::installPackage(
auto span_scope = i_env->startNewSpanScope(Span::ContextType::CHILD_OF); auto span_scope = i_env->startNewSpanScope(Span::ContextType::CHILD_OF);
auto orchestration_status = Singleton::Consume<I_OrchestrationStatus>::by<ManifestHandler>(); auto orchestration_status = Singleton::Consume<I_OrchestrationStatus>::by<ManifestHandler>();
auto details_resolver = Singleton::Consume<I_DetailsResolver>::by<ManifestHandler>();
auto orchestration_tools = Singleton::Consume<I_OrchestrationTools>::by<ManifestHandler>();
auto &package = package_downloaded_file.first; auto &package = package_downloaded_file.first;
auto &package_name = package.getName(); auto &package_name = package.getName();
auto &package_handler_path = package_downloaded_file.second; auto &package_handler_path = package_downloaded_file.second;
dbgInfo(D_ORCHESTRATOR) << "Handling package installation. Package: " << package_name; dbgInfo(D_ORCHESTRATOR) << "Handling package installation. Package: " << package_name;
string upgrade_info =
details_resolver->getAgentVersion() + " " + package.getVersion() + " " + getCurrentTimestamp();
if (!orchestration_tools->doesFileExist(getFilesystemPathConfig() + "/revert/upgrade_status") &&
!orchestration_tools->writeFile(upgrade_info, getFilesystemPathConfig() + "/revert/upgrade_status")
) {
dbgWarning(D_ORCHESTRATOR) << "Failed to write to " + getFilesystemPathConfig() + "/revert/upgrade_status";
}
if (package_name.compare(orch_service_name) == 0) { if (package_name.compare(orch_service_name) == 0) {
orchestration_status->writeStatusToFile(); orchestration_status->writeStatusToFile();
bool self_update_status = selfUpdate(package, current_packages, package_handler_path); bool self_update_status = selfUpdate(package, current_packages, package_handler_path);
if (!self_update_status) { if (!self_update_status) {
auto details = Singleton::Consume<I_AgentDetails>::by<ManifestHandler>(); auto details = Singleton::Consume<I_AgentDetails>::by<ManifestHandler>();
auto hostname = details_resolver->getHostname(); auto hostname = Singleton::Consume<I_DetailsResolver>::by<ManifestHandler>()->getHostname();
string err_hostname = (hostname.ok() ? "on host '" + *hostname : "'" + details->getAgentId()) + "'"; string err_hostname = (hostname.ok() ? "on host '" + *hostname : "'" + details->getAgentId()) + "'";
string install_error = string install_error =
"Warning: Agent/Gateway " + "Warning: Agent/Gateway " +
@ -258,6 +246,7 @@ ManifestHandler::installPackage(
return true; return true;
} }
string current_installation_file = packages_dir + "/" + package_name + "/" + package_name; string current_installation_file = packages_dir + "/" + package_name + "/" + package_name;
auto orchestration_tools = Singleton::Consume<I_OrchestrationTools>::by<ManifestHandler>();
bool is_clean_installation = !orchestration_tools->doesFileExist(current_installation_file); bool is_clean_installation = !orchestration_tools->doesFileExist(current_installation_file);
@ -379,13 +368,3 @@ ManifestHandler::selfUpdate(
package_handler->preInstallPackage(orch_service_name, current_installation_file) && package_handler->preInstallPackage(orch_service_name, current_installation_file) &&
package_handler->installPackage(orch_service_name, current_installation_file, false); package_handler->installPackage(orch_service_name, current_installation_file, false);
} }
string
ManifestHandler::getCurrentTimestamp()
{
time_t now = time(nullptr);
tm* now_tm = localtime(&now);
char timestamp[20];
strftime(timestamp, sizeof(timestamp), "%Y-%m-%d %H:%M:%S", now_tm);
return string(timestamp);
}

6
components/security_apps/orchestration/modules/orchestration_status.cc
View File

@ -429,7 +429,7 @@ public:
status.insertServiceSetting(service_name, path); status.insertServiceSetting(service_name, path);
return; return;
case OrchestrationStatusConfigType::MANIFEST: case OrchestrationStatusConfigType::MANIFEST:
dbgAssertOpt(false) dbgAssert(false)
<< AlertInfo(AlertTeam::CORE, "sesrvice configuration") << AlertInfo(AlertTeam::CORE, "sesrvice configuration")
<< "Manifest is not a service configuration file type"; << "Manifest is not a service configuration file type";
break; break;
@ -438,9 +438,7 @@ public:
case OrchestrationStatusConfigType::COUNT: case OrchestrationStatusConfigType::COUNT:
break; break;
} }
dbgAssertOpt(false) dbgAssert(false) << AlertInfo(AlertTeam::CORE, "sesrvice configuration") << "Unknown configuration file type";
<< AlertInfo(AlertTeam::CORE, "service configuration")
<< "Unknown configuration file type";
} }
void void

198
components/security_apps/orchestration/orchestration_comp.cc
View File

@ -55,8 +55,6 @@ USE_DEBUG_FLAG(D_ORCHESTRATOR);
static string fw_last_update_time = ""; static string fw_last_update_time = "";
#endif // gaia || smb #endif // gaia || smb
static const size_t MAX_SERVER_NAME_LENGTH = 253;
class SetAgentUninstall class SetAgentUninstall
: :
public ServerRest, public ServerRest,
@ -105,19 +103,6 @@ public:
<< "Initializing Orchestration component, file system path prefix: " << "Initializing Orchestration component, file system path prefix: "
<< filesystem_prefix; << filesystem_prefix;
int check_upgrade_success_interval = getSettingWithDefault<uint>(10, "successUpgradeInterval");
Singleton::Consume<I_MainLoop>::by<OrchestrationComp>()->addOneTimeRoutine(
I_MainLoop::RoutineType::Timer,
[this, check_upgrade_success_interval]()
{
Singleton::Consume<I_MainLoop>::by<OrchestrationComp>()->yield(
std::chrono::minutes(check_upgrade_success_interval)
);
processUpgradeCompletion();
},
"Orchestration successfully updated (One-Time After Interval)",
true
);
auto orch_policy = loadDefaultOrchestrationPolicy(); auto orch_policy = loadDefaultOrchestrationPolicy();
if (!orch_policy.ok()) { if (!orch_policy.ok()) {
dbgWarning(D_ORCHESTRATOR) << "Failed to load Orchestration Policy. Error: " << orch_policy.getErr(); dbgWarning(D_ORCHESTRATOR) << "Failed to load Orchestration Policy. Error: " << orch_policy.getErr();
@ -156,113 +141,6 @@ public:
} }
private: private:
void
saveLastKnownOrchInfo(string curr_agent_version)
{
static const string upgrades_dir = filesystem_prefix + "/revert";
static const string last_known_orchestrator = upgrades_dir + "/last_known_working_orchestrator";
static const string current_orchestration_package =
filesystem_prefix + "/packages/orchestration/orchestration";
static const string last_known_manifest = upgrades_dir + "/last_known_manifest";
static const string current_manifest_file = getConfigurationWithDefault<string>(
filesystem_prefix + "/conf/manifest.json",
"orchestration",
"Manifest file path"
);
if (!i_orchestration_tools->copyFile(current_orchestration_package, last_known_orchestrator)) {
dbgWarning(D_ORCHESTRATOR) << "Failed to copy the orchestration package to " << upgrades_dir;
} else {
dbgInfo(D_ORCHESTRATOR) << "last known orchestrator version updated to: " << curr_agent_version;
}
if (!i_orchestration_tools->copyFile(current_manifest_file, last_known_manifest)) {
dbgWarning(D_ORCHESTRATOR) << "Failed to copy " << current_manifest_file << " to " << upgrades_dir;
} else {
dbgInfo(D_ORCHESTRATOR) << "last known manifest updated";
}
return;
}
void
processUpgradeCompletion()
{
if (!is_first_check_update_success) {
int check_upgrade_success_interval = getSettingWithDefault<uint>(10, "successUpgradeInterval");
// LCOV_EXCL_START
Singleton::Consume<I_MainLoop>::by<OrchestrationComp>()->addOneTimeRoutine(
I_MainLoop::RoutineType::Timer,
[this, check_upgrade_success_interval]()
{
Singleton::Consume<I_MainLoop>::by<OrchestrationComp>()->yield(
std::chrono::minutes(check_upgrade_success_interval)
);
processUpgradeCompletion();
},
"Orchestration successfully updated",
true
);
// LCOV_EXCL_STOP
return;
}
static const string upgrades_dir = filesystem_prefix + "/revert";
static const string upgrade_status = upgrades_dir + "/upgrade_status";
static const string last_known_orchestrator = upgrades_dir + "/last_known_working_orchestrator";
static const string upgrade_failure_info_path = upgrades_dir + "/failed_upgrade_info";
I_DetailsResolver *i_details_resolver = Singleton::Consume<I_DetailsResolver>::by<OrchestrationComp>();
bool is_upgrade_status_exist = i_orchestration_tools->doesFileExist(upgrade_status);
bool is_last_known_orchestrator_exist = i_orchestration_tools->doesFileExist(last_known_orchestrator);
if (!is_upgrade_status_exist) {
if (!is_last_known_orchestrator_exist) {
saveLastKnownOrchInfo(i_details_resolver->getAgentVersion());
}
return;
}
auto maybe_upgrade_data = i_orchestration_tools->readFile(upgrade_status);
string upgrade_data, from_version, to_version;
if (maybe_upgrade_data.ok()) {
upgrade_data = maybe_upgrade_data.unpack();
istringstream stream(upgrade_data);
stream >> from_version >> to_version;
}
i_orchestration_tools->removeFile(upgrade_status);
if (i_orchestration_tools->doesFileExist(upgrade_failure_info_path)) {
string info = "Orchestration revert. ";
auto failure_info = i_orchestration_tools->readFile(upgrade_failure_info_path);
if (failure_info.ok()) info.append(failure_info.unpack());
LogGen(
info,
ReportIS::Level::ACTION,
ReportIS::Audience::INTERNAL,
ReportIS::Severity::CRITICAL,
ReportIS::Priority::URGENT,
ReportIS::Tags::ORCHESTRATOR
);
dbgError(D_ORCHESTRATOR) <<
"Error in orchestration version: " << to_version <<
". Orchestration reverted to version: " << i_details_resolver->getAgentVersion();
i_orchestration_tools->removeFile(upgrade_failure_info_path);
return;
}
saveLastKnownOrchInfo(i_details_resolver->getAgentVersion());
i_orchestration_tools->writeFile(
upgrade_data + "\n",
getLogFilesPathConfig() + "/nano_agent/prev_upgrades",
true
);
dbgWarning(D_ORCHESTRATOR) <<
"Upgrade process from version: " << from_version <<
" to version: " << to_version <<
" completed successfully";
}
Maybe<void> Maybe<void>
registerToTheFog() registerToTheFog()
{ {
@ -1144,7 +1022,6 @@ private:
UpdatesProcessResult::SUCCESS, UpdatesProcessResult::SUCCESS,
UpdatesConfigType::GENERAL UpdatesConfigType::GENERAL
).notify(); ).notify();
if (!is_first_check_update_success) is_first_check_update_success = true;
return Maybe<void>(); return Maybe<void>();
} }
@ -1465,17 +1342,14 @@ private:
auto nginx_data = i_details_resolver->parseNginxMetadata(); auto nginx_data = i_details_resolver->parseNginxMetadata();
if (nginx_data.ok()) { if (nginx_data.ok()) {
string nginx_signature;
string nginx_version; string nginx_version;
string config_opt; string config_opt;
string cc_opt; string cc_opt;
tie(config_opt, cc_opt, nginx_version, nginx_signature) = nginx_data.unpack(); tie(config_opt, cc_opt, nginx_version) = nginx_data.unpack();
agent_data_report agent_data_report
<< make_pair("attachmentVersion", "Legacy") << make_pair("nginxVersion", nginx_version)
<< make_pair("nginxSignature", nginx_signature) << make_pair("configureOpt", config_opt)
<< make_pair("nginxVersion", nginx_version) << make_pair("extraCompilerOpt", cc_opt);
<< make_pair("configureOpt", config_opt)
<< make_pair("extraCompilerOpt", cc_opt);
} else { } else {
dbgDebug(D_ORCHESTRATOR) << nginx_data.getErr(); dbgDebug(D_ORCHESTRATOR) << nginx_data.getErr();
} }
@ -1515,8 +1389,6 @@ private:
agent_data_report << AgentReportFieldWithLabel("userEdition", FogCommunication::getUserEdition()); agent_data_report << AgentReportFieldWithLabel("userEdition", FogCommunication::getUserEdition());
agent_data_report << make_pair("registeredServer", i_agent_details->getRegisteredServer());
#if defined(gaia) || defined(smb) #if defined(gaia) || defined(smb)
if (i_details_resolver->compareCheckpointVersion(8100, greater_equal<int>())) { if (i_details_resolver->compareCheckpointVersion(8100, greater_equal<int>())) {
agent_data_report << AgentReportFieldWithLabel("isCheckpointVersionGER81", "true"); agent_data_report << AgentReportFieldWithLabel("isCheckpointVersionGER81", "true");
@ -1613,10 +1485,11 @@ private:
} }
void void
setDelayedUpgradeTime() setUpgradeTime()
{ {
if (getConfigurationFlag("service_startup") != "true") return; if (getConfigurationFlag("service_startup") != "true") return;
if (!i_agent_details->isOpenAppsecAgent() && i_service_controller->getServiceToPortMap().empty()) return; if (i_service_controller->getServiceToPortMap().empty()) return;
try { try {
string upgrade_delay_interval_str = getAttribute("no-setting", "UPGRADE_DELAY_INTERVAL_MIN"); string upgrade_delay_interval_str = getAttribute("no-setting", "UPGRADE_DELAY_INTERVAL_MIN");
int upgrade_delay_interval = upgrade_delay_interval_str != "" ? stoi(upgrade_delay_interval_str) : 30; int upgrade_delay_interval = upgrade_delay_interval_str != "" ? stoi(upgrade_delay_interval_str) : 30;
@ -1633,7 +1506,6 @@ private:
void void
run() run()
{ {
loadExistingPolicy();
sleep_interval = policy.getErrorSleepInterval(); sleep_interval = policy.getErrorSleepInterval();
Maybe<void> registration_status(genError("Not running yet.")); Maybe<void> registration_status(genError("Not running yet."));
while (!(registration_status = registerToTheFog()).ok()) { while (!(registration_status = registerToTheFog()).ok()) {
@ -1658,6 +1530,7 @@ private:
<< " seconds"; << " seconds";
Singleton::Consume<I_MainLoop>::by<OrchestrationComp>()->yield(seconds(sleep_interval)); Singleton::Consume<I_MainLoop>::by<OrchestrationComp>()->yield(seconds(sleep_interval));
} }
loadExistingPolicy();
failure_count = 0; failure_count = 0;
Singleton::Consume<I_MainLoop>::by<OrchestrationComp>()->yield(chrono::seconds(1)); Singleton::Consume<I_MainLoop>::by<OrchestrationComp>()->yield(chrono::seconds(1));
@ -1677,11 +1550,6 @@ private:
<< LogField("agentType", "Orchestration") << LogField("agentType", "Orchestration")
<< LogField("agentVersion", Version::get()); << LogField("agentVersion", Version::get());
string registered_server = getAttribute("registered-server", "registered_server");
dbgTrace(D_ORCHESTRATOR) << "Registered server: " << registered_server;
if (!registered_server.empty()) {
i_agent_details->setRegisteredServer(registered_server.substr(0, MAX_SERVER_NAME_LENGTH));
}
auto mainloop = Singleton::Consume<I_MainLoop>::by<OrchestrationComp>(); auto mainloop = Singleton::Consume<I_MainLoop>::by<OrchestrationComp>();
mainloop->addOneTimeRoutine( mainloop->addOneTimeRoutine(
I_MainLoop::RoutineType::Offline, I_MainLoop::RoutineType::Offline,
@ -1719,8 +1587,7 @@ private:
).notify(); ).notify();
} }
setDelayedUpgradeTime(); setUpgradeTime();
while (true) { while (true) {
Singleton::Consume<I_Environment>::by<OrchestrationComp>()->startNewTrace(false); Singleton::Consume<I_Environment>::by<OrchestrationComp>()->startNewTrace(false);
if (shouldReportAgentDetailsMetadata()) { if (shouldReportAgentDetailsMetadata()) {
@ -1762,9 +1629,9 @@ private:
} }
} }
string server_name = Singleton::Consume<I_AgentDetails>::by<OrchestrationComp>()->getRegisteredServer(); string server_name = getAttribute("registered-server", "registered_server");
auto server = TagAndEnumManagement::convertStringToTag(server_name); auto server = TagAndEnumManagement::convertStringToTag(server_name);
if (server_name == "'SWAG'" || server_name == "'SWAG Server'") server = Tags::WEB_SERVER_SWAG; if (server_name == "'SWAG'") server = Tags::WEB_SERVER_SWAG;
if (server.ok()) tags.insert(*server); if (server.ok()) tags.insert(*server);
if (getAttribute("no-setting", "CROWDSEC_ENABLED") == "true") tags.insert(Tags::CROWDSEC); if (getAttribute("no-setting", "CROWDSEC_ENABLED") == "true") tags.insert(Tags::CROWDSEC);
@ -1786,7 +1653,7 @@ private:
tags tags
); );
registration_report.addToOrigin(LogField("eventCategory", server_name)); if (server_name != "") registration_report.addToOrigin(LogField("eventCategory", server_name));
auto email = getAttribute("email-address", "user_email"); auto email = getAttribute("email-address", "user_email");
if (email != "") registration_report << LogField("userDefinedId", email); if (email != "") registration_report << LogField("userDefinedId", email);
@ -1829,19 +1696,13 @@ private:
auto backup_installation_file = current_installation_file + backup_ext; auto backup_installation_file = current_installation_file + backup_ext;
auto temp_ext = getConfigurationWithDefault<string>("_temp", "orchestration", "Temp file extension"); auto temp_ext = getConfigurationWithDefault<string>("_temp", "orchestration", "Temp file extension");
if (!i_orchestration_tools->doesFileExist(backup_installation_file)) { dbgAssert(i_orchestration_tools->doesFileExist(backup_installation_file))
dbgAssertOpt(false) << AlertInfo(AlertTeam::CORE, "orchestration backup")
<< AlertInfo(AlertTeam::CORE, "orchestration backup") << "There is no backup installation package";
<< "There is no backup installation package";
return;
}
if (!i_orchestration_tools->copyFile(backup_installation_file, current_installation_file)) { dbgAssert(i_orchestration_tools->copyFile(backup_installation_file, current_installation_file))
dbgAssertOpt(false) << AlertInfo(AlertTeam::CORE, "orchestration backup")
<< AlertInfo(AlertTeam::CORE, "orchestration backup") << "Failed to copy backup installation package";
<< "Failed to copy backup installation package";
return;
}
// Copy the backup manifest file to the default manifest file path. // Copy the backup manifest file to the default manifest file path.
auto manifest_file_path = getConfigurationWithDefault<string>( auto manifest_file_path = getConfigurationWithDefault<string>(
@ -1856,18 +1717,12 @@ private:
auto package_handler = Singleton::Consume<I_PackageHandler>::by<OrchestrationComp>(); auto package_handler = Singleton::Consume<I_PackageHandler>::by<OrchestrationComp>();
// Install the backup orchestration service installation package. // Install the backup orchestration service installation package.
if (!package_handler->preInstallPackage(service_name, current_installation_file)) { dbgAssert(package_handler->preInstallPackage(service_name, current_installation_file))
dbgAssertOpt(false) << AlertInfo(AlertTeam::CORE, "orchestration backup")
<< AlertInfo(AlertTeam::CORE, "orchestration backup") << "Failed to restore from backup, pre install test failed";
<< "Failed to restore from backup, pre install test failed"; dbgAssert(package_handler->installPackage(service_name, current_installation_file, true))
return; << AlertInfo(AlertTeam::CORE, "orchestration backup")
} << "Failed to restore from backup, installation failed";
if (!package_handler->installPackage(service_name, current_installation_file, true)) {
dbgAssertOpt(false)
<< AlertInfo(AlertTeam::CORE, "orchestration backup")
<< "Failed to restore from backup, installation failed";
return;
}
} }
// LCOV_EXCL_STOP // LCOV_EXCL_STOP
@ -2179,7 +2034,7 @@ private:
} }
auto policy_mgmt_mode = getSettingWithDefault<string>("management", "profileManagedMode"); auto policy_mgmt_mode = getSettingWithDefault<string>("management", "profileManagedMode");
if (getOrchestrationMode() == OrchestrationMode::HYBRID || policy_mgmt_mode == "declarative") { if (getOrchestrationMode() == OrchestrationMode::HYBRID || policy_mgmt_mode == "declarative") {
Singleton::Consume<I_DeclarativePolicy>::from<DeclarativePolicyUtils>()->turnOnApplyLocalPolicyFlag(); Singleton::Consume<I_DeclarativePolicy>::from<DeclarativePolicyUtils>()->turnOnApplyPolicyFlag();
} }
auto policy_version = i_service_controller->getPolicyVersion(); auto policy_version = i_service_controller->getPolicyVersion();
@ -2198,10 +2053,10 @@ private:
int failure_count = 0; int failure_count = 0;
unsigned int sleep_interval = 0; unsigned int sleep_interval = 0;
bool is_new_success = false; bool is_new_success = false;
bool is_first_check_update_success = false;
OrchestrationPolicy policy; OrchestrationPolicy policy;
UpdatesProcessReporter updates_process_reporter_listener; UpdatesProcessReporter updates_process_reporter_listener;
HybridModeMetric hybrid_mode_metric; HybridModeMetric hybrid_mode_metric;
EnvDetails env_details;
chrono::minutes upgrade_delay_time; chrono::minutes upgrade_delay_time;
string filesystem_prefix = ""; string filesystem_prefix = "";
@ -2264,7 +2119,6 @@ OrchestrationComp::preload()
registerExpectedSetting<vector<string>>("upgradeDay"); registerExpectedSetting<vector<string>>("upgradeDay");
registerExpectedSetting<string>("email-address"); registerExpectedSetting<string>("email-address");
registerExpectedSetting<string>("registered-server"); registerExpectedSetting<string>("registered-server");
registerExpectedSetting<uint>("successUpgradeInterval");
registerExpectedConfigFile("orchestration", Config::ConfigFileType::Policy); registerExpectedConfigFile("orchestration", Config::ConfigFileType::Policy);
registerExpectedConfigFile("registration-data", Config::ConfigFileType::Policy); registerExpectedConfigFile("registration-data", Config::ConfigFileType::Policy);
} }

2
components/security_apps/orchestration/orchestration_tools/orchestration_tools.cc
View File

@ -386,7 +386,7 @@ OrchestrationTools::Impl::calculateChecksum(Package::ChecksumTypes checksum_type
return genError("Error while reading file " + path + ", " + e.what()); return genError("Error while reading file " + path + ", " + e.what());
} }
dbgAssertOpt(false) dbgAssert(false)
<< AlertInfo(AlertTeam::CORE, "service configuration") << AlertInfo(AlertTeam::CORE, "service configuration")
<< "Checksum type is not supported. Checksum type: " << "Checksum type is not supported. Checksum type: "
<< static_cast<unsigned int>(checksum_type); << static_cast<unsigned int>(checksum_type);

9
components/security_apps/orchestration/orchestration_ut/orchestration_multitenant_ut.cc
View File

@ -89,11 +89,6 @@ public:
EXPECT_CALL(mock_service_controller, isServiceInstalled("Access Control")).WillRepeatedly(Return(false)); EXPECT_CALL(mock_service_controller, isServiceInstalled("Access Control")).WillRepeatedly(Return(false));
EXPECT_CALL(
mock_ml,
addOneTimeRoutine(_, _, "Orchestration successfully updated (One-Time After Interval)", true)
).WillOnce(DoAll(SaveArg<1>(&upgrade_routine), Return(0)));
// This Holding the Main Routine of the Orchestration. // This Holding the Main Routine of the Orchestration.
EXPECT_CALL( EXPECT_CALL(
mock_ml, mock_ml,
@ -140,7 +135,7 @@ public:
void void
expectDetailsResolver() expectDetailsResolver()
{ {
Maybe<tuple<string, string, string, string>> no_nginx(genError("No nginx")); Maybe<tuple<string, string, string>> no_nginx(genError("No nginx"));
EXPECT_CALL(mock_details_resolver, getPlatform()).WillRepeatedly(Return(string("linux"))); EXPECT_CALL(mock_details_resolver, getPlatform()).WillRepeatedly(Return(string("linux")));
EXPECT_CALL(mock_details_resolver, getArch()).WillRepeatedly(Return(string("x86_64"))); EXPECT_CALL(mock_details_resolver, getArch()).WillRepeatedly(Return(string("x86_64")));
EXPECT_CALL(mock_details_resolver, isReverseProxy()).WillRepeatedly(Return(false)); EXPECT_CALL(mock_details_resolver, isReverseProxy()).WillRepeatedly(Return(false));
@ -161,7 +156,6 @@ public:
runRoutine() runRoutine()
{ {
routine(); routine();
upgrade_routine();
} }
void void
@ -241,7 +235,6 @@ private:
} }
I_MainLoop::Routine routine; I_MainLoop::Routine routine;
I_MainLoop::Routine upgrade_routine;
I_MainLoop::Routine status_routine; I_MainLoop::Routine status_routine;
}; };

65
components/security_apps/orchestration/orchestration_ut/orchestration_ut.cc
View File

@ -28,7 +28,6 @@ std::ostream & operator<<(std::ostream &os, const Package &) { return os; }
#include "health_check_status/health_check_status.h" #include "health_check_status/health_check_status.h"
#include "updates_process_event.h" #include "updates_process_event.h"
#include "declarative_policy_utils.h" #include "declarative_policy_utils.h"
#include "mock/mock_env_details.h"
using namespace testing; using namespace testing;
using namespace std; using namespace std;
@ -83,12 +82,6 @@ public:
EXPECT_CALL(mock_orchestration_tools, readFile(orchestration_policy_file_path)).WillOnce(Return(response)); EXPECT_CALL(mock_orchestration_tools, readFile(orchestration_policy_file_path)).WillOnce(Return(response));
EXPECT_CALL(mock_status, setFogAddress(host_url)).WillRepeatedly(Return()); EXPECT_CALL(mock_status, setFogAddress(host_url)).WillRepeatedly(Return());
EXPECT_CALL(mock_orchestration_tools, setClusterId()); EXPECT_CALL(mock_orchestration_tools, setClusterId());
EXPECT_CALL(
mock_ml,
addOneTimeRoutine(_, _, "Orchestration successfully updated (One-Time After Interval)", true)
).WillOnce(DoAll(SaveArg<1>(&upgrade_routine), Return(0)));
EXPECT_CALL( EXPECT_CALL(
mock_ml, mock_ml,
addOneTimeRoutine(I_MainLoop::RoutineType::System, _, "Orchestration runner", true) addOneTimeRoutine(I_MainLoop::RoutineType::System, _, "Orchestration runner", true)
@ -168,7 +161,7 @@ public:
void void
expectDetailsResolver() expectDetailsResolver()
{ {
Maybe<tuple<string, string, string, string>> no_nginx(genError("No nginx")); Maybe<tuple<string, string, string>> no_nginx(genError("No nginx"));
EXPECT_CALL(mock_details_resolver, getPlatform()).WillRepeatedly(Return(string("linux"))); EXPECT_CALL(mock_details_resolver, getPlatform()).WillRepeatedly(Return(string("linux")));
EXPECT_CALL(mock_details_resolver, getArch()).WillRepeatedly(Return(string("x86_64"))); EXPECT_CALL(mock_details_resolver, getArch()).WillRepeatedly(Return(string("x86_64")));
EXPECT_CALL(mock_details_resolver, isReverseProxy()).WillRepeatedly(Return(false)); EXPECT_CALL(mock_details_resolver, isReverseProxy()).WillRepeatedly(Return(false));
@ -287,12 +280,6 @@ public:
status_routine(); status_routine();
} }
void
runUpgradeRoutine()
{
upgrade_routine();
}
void void
preload() preload()
{ {
@ -337,7 +324,6 @@ public:
StrictMock<MockOrchestrationTools> mock_orchestration_tools; StrictMock<MockOrchestrationTools> mock_orchestration_tools;
StrictMock<MockDownloader> mock_downloader; StrictMock<MockDownloader> mock_downloader;
StrictMock<MockShellCmd> mock_shell_cmd; StrictMock<MockShellCmd> mock_shell_cmd;
StrictMock<EnvDetailsMocker> mock_env_details;
StrictMock<MockMessaging> mock_message; StrictMock<MockMessaging> mock_message;
StrictMock<MockRestApi> rest; StrictMock<MockRestApi> rest;
StrictMock<MockServiceController> mock_service_controller; StrictMock<MockServiceController> mock_service_controller;
@ -371,7 +357,6 @@ private:
I_MainLoop::Routine routine; I_MainLoop::Routine routine;
I_MainLoop::Routine status_routine; I_MainLoop::Routine status_routine;
I_MainLoop::Routine upgrade_routine;
}; };
@ -598,8 +583,6 @@ TEST_F(OrchestrationTest, check_sending_registration_data)
env.init(); env.init();
init(); init();
EXPECT_CALL(mock_env_details, getEnvType()).WillRepeatedly(Return(EnvType::LINUX));
EXPECT_CALL(mock_service_controller, updateServiceConfiguration(_, _, _, _, _, _)) EXPECT_CALL(mock_service_controller, updateServiceConfiguration(_, _, _, _, _, _))
.WillOnce(Return(Maybe<void>())); .WillOnce(Return(Maybe<void>()));
EXPECT_CALL(mock_orchestration_tools, calculateChecksum(_, _)).WillRepeatedly(Return(string())); EXPECT_CALL(mock_orchestration_tools, calculateChecksum(_, _)).WillRepeatedly(Return(string()));
@ -614,6 +597,14 @@ TEST_F(OrchestrationTest, check_sending_registration_data)
string version = "1"; string version = "1";
EXPECT_CALL(mock_service_controller, getUpdatePolicyVersion()).WillOnce(ReturnRef(version)); EXPECT_CALL(mock_service_controller, getUpdatePolicyVersion()).WillOnce(ReturnRef(version));
EXPECT_CALL(mock_ml, yield(A<chrono::microseconds>()))
.WillOnce(Return())
.WillOnce(Invoke([] (chrono::microseconds) { throw invalid_argument("stop while loop"); }));
try {
runRoutine();
} catch (const invalid_argument& e) {}
string config_json = string config_json =
"{\n" "{\n"
" \"email-address\": \"fake@example.com\",\n" " \"email-address\": \"fake@example.com\",\n"
@ -622,19 +613,9 @@ TEST_F(OrchestrationTest, check_sending_registration_data)
istringstream ss(config_json); istringstream ss(config_json);
Singleton::Consume<Config::I_Config>::from(config_comp)->loadConfiguration(ss); Singleton::Consume<Config::I_Config>::from(config_comp)->loadConfiguration(ss);
EXPECT_CALL(mock_ml, yield(A<chrono::microseconds>()))
.WillOnce(Return())
.WillOnce(Invoke([] (chrono::microseconds) { throw invalid_argument("stop while loop"); }));
try {
runRoutine();
} catch (const invalid_argument& e) {}
sending_routine(); sending_routine();
EXPECT_THAT(message_body, HasSubstr("\"userDefinedId\": \"fake@example.com\"")); EXPECT_THAT(message_body, HasSubstr("\"userDefinedId\": \"fake@example.com\""));
EXPECT_THAT(message_body, HasSubstr("\"eventCategory\""));
EXPECT_THAT(message_body, AnyOf(HasSubstr("\"Embedded Deployment\""), HasSubstr("\"Kubernetes Deployment\""))); EXPECT_THAT(message_body, AnyOf(HasSubstr("\"Embedded Deployment\""), HasSubstr("\"Kubernetes Deployment\"")));
EXPECT_THAT(message_body, HasSubstr("\"NGINX Server\"")); EXPECT_THAT(message_body, HasSubstr("\"NGINX Server\""));
} }
@ -1019,11 +1000,6 @@ TEST_F(OrchestrationTest, loadOrchestrationPolicyFromBackup)
); );
waitForRestCall(); waitForRestCall();
EXPECT_CALL(
mock_ml,
addOneTimeRoutine(_, _, "Orchestration successfully updated (One-Time After Interval)", true)
);
EXPECT_CALL( EXPECT_CALL(
mock_ml, mock_ml,
addOneTimeRoutine(I_MainLoop::RoutineType::System, _, "Orchestration runner", true) addOneTimeRoutine(I_MainLoop::RoutineType::System, _, "Orchestration runner", true)
@ -1190,29 +1166,6 @@ TEST_F(OrchestrationTest, manifestUpdate)
try { try {
runRoutine(); runRoutine();
} catch (const invalid_argument& e) {} } catch (const invalid_argument& e) {}
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/upgrade_status")).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/last_known_working_orchestrator"))
.WillOnce(Return(true));
Maybe<string> upgrade_status(string("1.1.1 1.1.2 2025-01-28 07:53:23"));
EXPECT_CALL(mock_orchestration_tools, readFile("/etc/cp/revert/upgrade_status"))
.WillOnce(Return(upgrade_status));
EXPECT_CALL(mock_orchestration_tools, removeFile("/etc/cp/revert/upgrade_status")).WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, doesFileExist("/etc/cp/revert/failed_upgrade_info"))
.WillOnce(Return(false));
EXPECT_CALL(mock_details_resolver, getAgentVersion()).WillRepeatedly(Return("1.1.2"));
EXPECT_CALL(mock_orchestration_tools, copyFile(_, "/etc/cp/revert/last_known_working_orchestrator"))
.WillOnce(Return(true));
EXPECT_CALL(mock_orchestration_tools, copyFile(_, "/etc/cp/revert/last_known_manifest")).WillOnce(Return(true));
EXPECT_CALL(
mock_orchestration_tools,
writeFile("1.1.1 1.1.2 2025-01-28 07:53:23\n", "/var/log/nano_agent/prev_upgrades", true)
).WillOnce(Return(true));
EXPECT_CALL(mock_ml, yield(A<chrono::microseconds>())).WillOnce(Return());
runUpgradeRoutine();
} }
TEST_F(OrchestrationTest, getBadPolicyUpdate) TEST_F(OrchestrationTest, getBadPolicyUpdate)

4
components/security_apps/orchestration/package_handler/package_handler.cc
View File

@ -141,11 +141,11 @@ packageHandlerActionsToString(PackageHandlerActions action)
} }
} }
dbgAssertOpt(false) dbgAssert(false)
<< AlertInfo(AlertTeam::CORE, "service configuration") << AlertInfo(AlertTeam::CORE, "service configuration")
<< "Package handler action is not supported. Action: " << "Package handler action is not supported. Action: "
<< static_cast<unsigned int>(action); << static_cast<unsigned int>(action);
return string("--UNSUPPORTED"); return string();
} }
void void

7
components/security_apps/orchestration/service_controller/service_controller.cc
View File

@ -208,7 +208,6 @@ ServiceDetails::sendNewConfigurations(int configuration_id, const string &policy
MessageMetadata new_config_req_md("127.0.0.1", service_port); MessageMetadata new_config_req_md("127.0.0.1", service_port);
new_config_req_md.setConnectioFlag(MessageConnectionConfig::ONE_TIME_CONN); new_config_req_md.setConnectioFlag(MessageConnectionConfig::ONE_TIME_CONN);
new_config_req_md.setConnectioFlag(MessageConnectionConfig::UNSECURE_CONN); new_config_req_md.setConnectioFlag(MessageConnectionConfig::UNSECURE_CONN);
new_config_req_md.setSuspension(false);
auto res = messaging->sendSyncMessage( auto res = messaging->sendSyncMessage(
HTTPMethod::POST, HTTPMethod::POST,
"/set-new-configuration", "/set-new-configuration",
@ -794,7 +793,7 @@ ServiceController::Impl::updateServiceConfiguration(
<< "Policy file was not updated. Sending reload command regarding settings and data"; << "Policy file was not updated. Sending reload command regarding settings and data";
auto signal_services = sendSignalForServices(nano_services_to_update, ""); auto signal_services = sendSignalForServices(nano_services_to_update, "");
if (!signal_services.ok()) return signal_services.passErr(); if (!signal_services.ok()) return signal_services.passErr();
Singleton::Consume<I_DeclarativePolicy>::from<DeclarativePolicyUtils>()->turnOffApplyLocalPolicyFlag(); Singleton::Consume<I_DeclarativePolicy>::from<DeclarativePolicyUtils>()->turnOffApplyPolicyFlag();
return Maybe<void>(); return Maybe<void>();
} }
@ -941,7 +940,7 @@ ServiceController::Impl::updateServiceConfiguration(
if (new_policy_path.compare(config_file_path) == 0) { if (new_policy_path.compare(config_file_path) == 0) {
dbgDebug(D_SERVICE_CONTROLLER) << "Enforcing the default policy file"; dbgDebug(D_SERVICE_CONTROLLER) << "Enforcing the default policy file";
policy_version = version_value; policy_version = version_value;
Singleton::Consume<I_DeclarativePolicy>::from<DeclarativePolicyUtils>()->turnOffApplyLocalPolicyFlag(); Singleton::Consume<I_DeclarativePolicy>::from<DeclarativePolicyUtils>()->turnOffApplyPolicyFlag();
return Maybe<void>(); return Maybe<void>();
} }
@ -960,7 +959,7 @@ ServiceController::Impl::updateServiceConfiguration(
} }
if (!was_policy_updated && !send_signal_for_services_err.empty()) return genError(send_signal_for_services_err); if (!was_policy_updated && !send_signal_for_services_err.empty()) return genError(send_signal_for_services_err);
Singleton::Consume<I_DeclarativePolicy>::from<DeclarativePolicyUtils>()->turnOffApplyLocalPolicyFlag(); Singleton::Consume<I_DeclarativePolicy>::from<DeclarativePolicyUtils>()->turnOffApplyPolicyFlag();
return Maybe<void>(); return Maybe<void>();
} }

21
components/security_apps/orchestration/update_communication/declarative_policy_utils.cc
View File

@ -17,7 +17,7 @@ void
DeclarativePolicyUtils::init() DeclarativePolicyUtils::init()
{ {
local_policy_path = getFilesystemPathConfig() + "/conf/local_policy.yaml"; local_policy_path = getFilesystemPathConfig() + "/conf/local_policy.yaml";
should_apply_local_policy = true; should_apply_policy = true;
Singleton::Consume<I_RestApi>::by<DeclarativePolicyUtils>()->addRestCall<ApplyPolicyRest>( Singleton::Consume<I_RestApi>::by<DeclarativePolicyUtils>()->addRestCall<ApplyPolicyRest>(
RestAction::SET, "apply-policy" RestAction::SET, "apply-policy"
); );
@ -40,7 +40,7 @@ DeclarativePolicyUtils::upon(const ApplyPolicyEvent &event)
{ {
dbgTrace(D_ORCHESTRATOR) << "Apply policy event"; dbgTrace(D_ORCHESTRATOR) << "Apply policy event";
local_policy_path = event.getPolicyPath(); local_policy_path = event.getPolicyPath();
should_apply_local_policy = true; should_apply_policy = true;
} }
// LCOV_EXCL_STOP // LCOV_EXCL_STOP
@ -48,24 +48,19 @@ bool
DeclarativePolicyUtils::shouldApplyPolicy() DeclarativePolicyUtils::shouldApplyPolicy()
{ {
auto env_type = Singleton::Consume<I_EnvDetails>::by<DeclarativePolicyUtils>()->getEnvType(); auto env_type = Singleton::Consume<I_EnvDetails>::by<DeclarativePolicyUtils>()->getEnvType();
if (env_type == EnvType::K8S) { return env_type == EnvType::K8S ? true : should_apply_policy;
I_OrchestrationTools *orch_tools = Singleton::Consume<I_OrchestrationTools>::by<DeclarativePolicyUtils>();
auto maybe_new_version = orch_tools->readFile("/etc/cp/conf/k8s-policy-check.trigger");
return maybe_new_version != curr_version;
}
return should_apply_local_policy;
} }
void void
DeclarativePolicyUtils::turnOffApplyLocalPolicyFlag() DeclarativePolicyUtils::turnOffApplyPolicyFlag()
{ {
should_apply_local_policy = false; should_apply_policy = false;
} }
void void
DeclarativePolicyUtils::turnOnApplyLocalPolicyFlag() DeclarativePolicyUtils::turnOnApplyPolicyFlag()
{ {
should_apply_local_policy = true; should_apply_policy = true;
} }
Maybe<string> Maybe<string>
@ -216,6 +211,6 @@ DeclarativePolicyUtils::periodicPolicyLoad()
if (*new_checksum == curr_checksum) return; if (*new_checksum == curr_checksum) return;
should_apply_local_policy = true; should_apply_policy = true;
curr_checksum = *new_checksum; curr_checksum = *new_checksum;
} }

14
components/security_apps/orchestration/update_communication/fog_authenticator.cc
View File

@ -168,12 +168,10 @@ FogAuthenticator::registerAgent(
auto nginx_data = details_resolver->parseNginxMetadata(); auto nginx_data = details_resolver->parseNginxMetadata();
if (nginx_data.ok()) { if (nginx_data.ok()) {
string nginx_signature;
string nginx_version; string nginx_version;
string config_opt; string config_opt;
string cc_opt; string cc_opt;
tie(config_opt, cc_opt, nginx_version, nginx_signature) = nginx_data.unpack(); tie(config_opt, cc_opt, nginx_version) = nginx_data.unpack();
request << make_pair("nginxSignature", nginx_signature);
request << make_pair("nginxVersion", nginx_version); request << make_pair("nginxVersion", nginx_version);
request << make_pair("configureOpt", config_opt); request << make_pair("configureOpt", config_opt);
request << make_pair("extraCompilerOpt", cc_opt); request << make_pair("extraCompilerOpt", cc_opt);
@ -379,13 +377,9 @@ FogAuthenticator::registerLocalAgentToFog()
{ {
auto local_reg_token = getRegistrationToken(); auto local_reg_token = getRegistrationToken();
if (!local_reg_token.ok()) return; if (!local_reg_token.ok()) return;
string reg_token = local_reg_token.unpack().getData();
if (reg_token.empty()) return;
dbgInfo(D_ORCHESTRATOR) << "Start local agent registration to the fog"; dbgInfo(D_ORCHESTRATOR) << "Start local agent registration to the fog";
string exec_command = "open-appsec-ctl --set-mode --online_mode --token " + reg_token; string exec_command = "open-appsec-ctl --set-mode --online_mode --token " + local_reg_token.unpack().getData();
auto i_agent_details = Singleton::Consume<I_AgentDetails>::by<FogAuthenticator>(); auto i_agent_details = Singleton::Consume<I_AgentDetails>::by<FogAuthenticator>();
auto fog_address = i_agent_details->getFogDomain(); auto fog_address = i_agent_details->getFogDomain();
@ -473,9 +467,9 @@ getDeplymentType()
case EnvType::COUNT: break; case EnvType::COUNT: break;
} }
dbgAssertOpt(false) dbgAssert(false)
<< AlertInfo(AlertTeam::CORE, "fog communication") << AlertInfo(AlertTeam::CORE, "fog communication")
<< "Failed to get a legitimate deployment type: " << "Failed to get a legitimate deplyment type: "
<< static_cast<uint>(deplyment_type); << static_cast<uint>(deplyment_type);
return "Embedded"; return "Embedded";
} }

2
components/security_apps/orchestration/update_communication/fog_communication.cc
View File

@ -74,7 +74,7 @@ FogCommunication::getUpdate(CheckUpdateRequest &request)
<< " to: " << " to: "
<< policy_mgmt_mode; << policy_mgmt_mode;
profile_mode = policy_mgmt_mode; profile_mode = policy_mgmt_mode;
i_declarative_policy->turnOnApplyLocalPolicyFlag(); i_declarative_policy->turnOnApplyPolicyFlag();
} }
if (i_declarative_policy->shouldApplyPolicy()) { if (i_declarative_policy->shouldApplyPolicy()) {

2
components/security_apps/prometheus/CMakeLists.txt
View File

@ -1,2 +0,0 @@
add_library(prometheus_comp prometheus_comp.cc)
add_subdirectory(prometheus_ut)

200
components/security_apps/prometheus/prometheus_comp.cc
View File

@ -1,200 +0,0 @@
#include "prometheus_comp.h"
#include <string>
#include <map>
#include <vector>
#include <cereal/archives/json.hpp>
#include <cereal/types/map.hpp>
#include <cereal/types/vector.hpp>
#include <cereal/types/string.hpp>
#include <iostream>
#include <fstream>
#include "common.h"
#include "report/base_field.h"
#include "report/report_enums.h"
#include "log_generator.h"
#include "debug.h"
#include "rest.h"
#include "customized_cereal_map.h"
#include "i_messaging.h"
#include "prometheus_metric_names.h"
USE_DEBUG_FLAG(D_PROMETHEUS);
using namespace std;
using namespace ReportIS;
struct ServiceData
{
template <typename Archive>
void
serialize(Archive &ar)
{
ar(cereal::make_nvp("Service port", service_port));
}
int service_port;
};
class PrometheusMetricData
{
public:
PrometheusMetricData(const string &n, const string &t, const string &d) : name(n), type(t), description(d) {}
void
addElement(const string &labels, const string &value)
{
metric_labels_to_values[labels] = value;
}
ostream &
print(ostream &os)
{
if (metric_labels_to_values.empty()) return os;
string representative_name = "";
if (!name.empty()) {
auto metric_name = convertMetricName(name);
!metric_name.empty() ? representative_name = metric_name : representative_name = name;
}
if (!description.empty()) os << "# HELP " << representative_name << ' ' << description << '\n';
if (!name.empty()) os << "# TYPE " << representative_name << ' ' << type << '\n';
for (auto &entry : metric_labels_to_values) {
os << representative_name << entry.first << ' ' << entry.second << '\n';
}
os << '\n';
metric_labels_to_values.clear();
return os;
}
private:
string name;
string type;
string description;
map<string, string> metric_labels_to_values;
};
static ostream & operator<<(ostream &os, PrometheusMetricData &metric) { return metric.print(os); }
class PrometheusComp::Impl
{
public:
void
init()
{
Singleton::Consume<I_RestApi>::by<PrometheusComp>()->addGetCall(
"metrics",
[&] () { return getFormatedPrometheusMetrics(); }
);
}
void
addMetrics(const vector<PrometheusData> &metrics)
{
for(auto &metric : metrics) {
auto &metric_object = getDataObject(
metric.name,
metric.type,
metric.description
);
metric_object.addElement(metric.label, metric.value);
}
}
private:
PrometheusMetricData &
getDataObject(const string &name, const string &type, const string &description)
{
auto elem = prometheus_metrics.find(name);
if (elem == prometheus_metrics.end()) {
elem = prometheus_metrics.emplace(name, PrometheusMetricData(name, type, description)).first;
}
return elem->second;
}
map<string, ServiceData>
getServiceDetails()
{
map<string, ServiceData> registeredServices;
auto registered_services_file = getConfigurationWithDefault<string>(
getFilesystemPathConfig() + "/conf/orchestrations_registered_services.json",
"orchestration",
"Orchestration registered services"
);
ifstream file(registered_services_file);
if (!file.is_open()) {
dbgWarning(D_PROMETHEUS) << "Failed to open file: " << registered_services_file;
return registeredServices;
}
stringstream buffer;
buffer << file.rdbuf();
try {
cereal::JSONInputArchive archive(buffer);
archive(cereal::make_nvp("Registered Services", registeredServices));
} catch (const exception& e) {
dbgWarning(D_PROMETHEUS) << "Error parsing Registered Services JSON file: " << e.what();
}
return registeredServices;
}
void
getServicesMetrics()
{
dbgTrace(D_PROMETHEUS) << "Get all registered services metrics";
map<string, ServiceData> service_names_to_ports = getServiceDetails();
for (const auto &service : service_names_to_ports) {
I_Messaging *messaging = Singleton::Consume<I_Messaging>::by<PrometheusComp>();
MessageMetadata servie_metric_req_md("127.0.0.1", service.second.service_port);
servie_metric_req_md.setConnectioFlag(MessageConnectionConfig::ONE_TIME_CONN);
servie_metric_req_md.setConnectioFlag(MessageConnectionConfig::UNSECURE_CONN);
auto res = messaging->sendSyncMessage(
HTTPMethod::GET,
"/service-metrics",
string(""),
MessageCategory::GENERIC,
servie_metric_req_md
);
if (!res.ok()) {
dbgWarning(D_PROMETHEUS) << "Failed to get service metrics. Service: " << service.first;
continue;
}
stringstream buffer;
buffer << res.unpack().getBody();
cereal::JSONInputArchive archive(buffer);
vector<PrometheusData> metrics;
archive(cereal::make_nvp("metrics", metrics));
addMetrics(metrics);
}
}
string
getFormatedPrometheusMetrics()
{
MetricScrapeEvent().notify();
getServicesMetrics();
stringstream result;
for (auto &metric : prometheus_metrics) {
result << metric.second;
}
dbgTrace(D_PROMETHEUS) << "Prometheus metrics: " << result.str();
return result.str();
}
map<string, PrometheusMetricData> prometheus_metrics;
};
PrometheusComp::PrometheusComp() : Component("Prometheus"), pimpl(make_unique<Impl>()) {}
PrometheusComp::~PrometheusComp() {}
void
PrometheusComp::init()
{
pimpl->init();
}

143
components/security_apps/prometheus/prometheus_metric_names.h
View File

@ -1,143 +0,0 @@
#ifndef __PROMETHEUS_METRIC_NAMES_H__
#define __PROMETHEUS_METRIC_NAMES_H__
#include <string>
#include <unordered_map>
#include "debug.h"
USE_DEBUG_FLAG(D_PROMETHEUS);
std::string
convertMetricName(const std::string &original_metric_name)
{
static const std::unordered_map<std::string, std::string> original_to_representative_names = {
// HybridModeMetric
{"watchdogProcessStartupEventsSum", "nano_service_restarts_counter"},
// nginxAttachmentMetric
{"inspectVerdictSum", "traffic_inspection_verdict_inspect_counter"},
{"acceptVeridctSum", "traffic_inspection_verdict_accept_counter"},
{"dropVerdictSum", "traffic_inspection_verdict_drop_counter"},
{"injectVerdictSum", "traffic_inspection_verdict_inject_counter"},
{"irrelevantVerdictSum", "traffic_inspection_verdict_irrelevant_counter"},
{"irrelevantVerdictSum", "traffic_inspection_verdict_irrelevant_counter"},
{"reconfVerdictSum", "traffic_inspection_verdict_reconf_counter"},
{"responseInspection", "response_body_inspection_counter"},
// nginxIntakerMetric
{"successfullInspectionTransactionsSum", "successful_Inspection_counter"},
{"failopenTransactionsSum", "fail_open_Inspection_counter"},
{"failcloseTransactionsSum", "fail_close_Inspection_counter"},
{"transparentModeTransactionsSum", "transparent_mode_counter"},
{"totalTimeInTransparentModeSum", "total_time_in_transparent_mode_counter"},
{"reachInspectVerdictSum", "inspect_verdict_counter"},
{"reachAcceptVerdictSum", "accept_verdict_counter"},
{"reachDropVerdictSum", "drop_verdict_counter"},
{"reachInjectVerdictSum", "inject_verdict_counter"},
{"reachIrrelevantVerdictSum", "irrelevant_verdict_counter"},
{"reachReconfVerdictSum", "reconf_verdict_counter"},
{"requestCompressionFailureSum", "failed_requests_compression_counter"},
{"responseCompressionFailureSum", "failed_response_compression_counter"},
{"requestDecompressionFailureSum", "failed_requests_decompression_counter"},
{"responseDecompressionFailureSum", "failed_response_decompression_counter"},
{"requestCompressionSuccessSum", "successful_request_compression_counter"},
{"responseCompressionSuccessSum", "successful_response_compression_counter"},
{"requestDecompressionSuccessSum", "successful_request_decompression_counter"},
{"responseDecompressionSuccessSum", "successful_response_decompression_counter"},
{"skippedSessionsUponCorruptedZipSum", "corrupted_zip_skipped_session_counter"},
{"attachmentThreadReachedTimeoutSum", "thread_exceeded_processing_time_counter"},
{"registrationThreadReachedTimeoutSum", "failed_registration_thread_counter"},
{"requestHeaderThreadReachedTimeoutSum", "request_headers_processing_thread_timeouts_counter"},
{"requestBodyThreadReachedTimeoutSum", "request_body_processing_thread_timeouts_counter"},
{"respondHeaderThreadReachedTimeoutSum", "response_headers_processing_thread_timeouts_counter"},
{"respondBodyThreadReachedTimeoutSum", "response_body_processing_thread_timeouts_counter"},
{"attachmentThreadFailureSum", "thread_failures_counter"},
{"httpRequestProcessingReachedTimeoutSum", "request_processing_timeouts_counter"},
{"httpRequestsSizeSum", "requests_total_size_counter"},
{"httpResponsesSizeSum", "response_total_size_counter"},
{"httpRequestFailedToReachWebServerUpstreamSum", "requests_failed_reach_upstram_counter"},
{"overallSessionProcessTimeToVerdictAvgSample", "overall_processing_time_until_verdict_average"},
{"overallSessionProcessTimeToVerdictMaxSample", "overall_processing_time_until_verdict_max"},
{"overallSessionProcessTimeToVerdictMinSample", "overall_processing_time_until_verdict_min"},
{"requestProcessTimeToVerdictAvgSample", "requests_processing_time_until_verdict_average"},
{"requestProcessTimeToVerdictMaxSample", "requests_processing_time_until_verdict_max"},
{"requestProcessTimeToVerdictMinSample", "requests_processing_time_until_verdict_min"},
{"responseProcessTimeToVerdictAvgSample", "response_processing_time_until_verdict_average"},
{"responseProcessTimeToVerdictMaxSample", "response_processing_time_until_verdict_max"},
{"responseProcessTimeToVerdictMinSample", "response_processing_time_until_verdict_min"},
{"requestBodySizeUponTimeoutAvgSample", "request_body_size_average"},
{"requestBodySizeUponTimeoutMaxSample", "request_body_size_max"},
{"requestBodySizeUponTimeoutMinSample", "request_body_size_min"},
{"responseBodySizeUponTimeoutAvgSample", "response_body_size_average"},
{"responseBodySizeUponTimeoutMaxSample", "response_body_size_max"},
{"responseBodySizeUponTimeoutMinSample", "response_body_size_min"},
// WaapTelemetrics
{"reservedNgenA", "total_requests_counter"},
{"reservedNgenB", "unique_sources_counter"},
{"reservedNgenC", "requests_blocked_by_force_and_exception_counter"},
{"reservedNgenD", "requests_blocked_by_waf_counter"},
{"reservedNgenE", "requests_blocked_by_open_api_counter"},
{"reservedNgenF", "requests_blocked_by_bot_protection_counter"},
{"reservedNgenG", "requests_threat_level_info_and_no_threat_counter"},
{"reservedNgenH", "requests_threat_level_low_counter"},
{"reservedNgenI", "requests_threat_level_medium_counter"},
{"reservedNgenJ", "requests_threat_level_high_counter"},
// WaapTrafficTelemetrics
{"reservedNgenA", "post_requests_counter"},
{"reservedNgenB", "get_requests_counter"},
{"reservedNgenC", "put_requests_counter"},
{"reservedNgenD", "patch_requests_counter"},
{"reservedNgenE", "delete_requests_counter"},
{"reservedNgenF", "other_requests_counter"},
{"reservedNgenG", "2xx_status_code_responses_counter"},
{"reservedNgenH", "4xx_status_code_responses_counter"},
{"reservedNgenI", "5xx_status_code_responses_counter"},
{"reservedNgenJ", "requests_time_latency_average"},
// WaapAttackTypesMetrics
{"reservedNgenA", "sql_injection_attacks_type_counter"},
{"reservedNgenB", "vulnerability_scanning_attacks_type_counter"},
{"reservedNgenC", "path_traversal_attacks_type_counter"},
{"reservedNgenD", "ldap_injection_attacks_type_counter"},
{"reservedNgenE", "evasion_techniques_attacks_type_counter"},
{"reservedNgenF", "remote_code_execution_attacks_type_counter"},
{"reservedNgenG", "xml_extern_entity_attacks_type_counter"},
{"reservedNgenH", "cross_site_scripting_attacks_type_counter"},
{"reservedNgenI", "general_attacks_type_counter"},
// AssetsMetric
{"numberOfProtectedApiAssetsSample", "api_assets_counter"},
{"numberOfProtectedWebAppAssetsSample", "web_api_assets_counter"},
{"numberOfProtectedAssetsSample", "all_assets_counter"},
// IPSMetric
{"preventEngineMatchesSample", "prevent_action_matches_counter"},
{"detectEngineMatchesSample", "detect_action_matches_counter"},
{"ignoreEngineMatchesSample", "ignore_action_matches_counter"},
// CPUMetric
{"cpuMaxSample", "cpu_usage_percentage_max"},
{"cpuAvgSample", "cpu_usage_percentage_average"},
{"cpuSample", "cpu_usage_percentage_last_value"},
// LogMetric
{"logQueueMaxSizeSample", "logs_queue_size_max"},
{"logQueueAvgSizeSample", "logs_queue_size_average"},
{"logQueueCurrentSizeSample", "logs_queue_size_last_value"},
{"sentLogsSum", "logs_sent_counter"},
{"sentLogsBulksSum", "bulk_logs_sent_counter"},
// MemoryMetric
{"serviceVirtualMemorySizeMaxSample", "service_virtual_memory_size_kb_max"},
{"serviceVirtualMemorySizeMinSample", "service_virtual_memory_size_kb_min"},
{"serviceVirtualMemorySizeAvgSample", "service_virtual_memory_size_kb_average"},
{"serviceRssMemorySizeMaxSample", "service_physical_memory_size_kb_max"},
{"serviceRssMemorySizeMinSample", "service_physical_memory_size_kb_min"},
{"serviceRssMemorySizeAvgSample", "service_physical_memory_size_kb_average"},
{"generalTotalMemorySizeMaxSample", "general_total_used_memory_max"},
{"generalTotalMemorySizeMinSample", "general_total_used_memory_min"},
{"generalTotalMemorySizeAvgSample", "general_total_used_memory_average"},
};
auto metric_names = original_to_representative_names.find(original_metric_name);
if (metric_names != original_to_representative_names.end()) return metric_names->second;
dbgDebug(D_PROMETHEUS)
<< "Metric don't have a representative name, originl name: "
<< original_metric_name;
return "";
}
#endif // __PROMETHEUS_METRIC_NAMES_H__

8
components/security_apps/prometheus/prometheus_ut/CMakeLists.txt
View File

@ -1,8 +0,0 @@
link_directories(${BOOST_ROOT}/lib)
link_directories(${BOOST_ROOT}/lib ${CMAKE_BINARY_DIR}/core/shmem_ipc)
add_unit_test(
prometheus_ut
"prometheus_ut.cc"
"prometheus_comp;logging;agent_details;waap_clib;table;singleton;time_proxy;metric;event_is;connkey;http_transaction_data;generic_rulebase;generic_rulebase_evaluators;ip_utilities;intelligence_is_v2;-lboost_regex;messaging;"
)

79
components/security_apps/prometheus/prometheus_ut/prometheus_ut.cc
View File

@ -1,79 +0,0 @@
#include "prometheus_comp.h"
#include <sstream>
#include <fstream>
#include <vector>
#include "cmock.h"
#include "cptest.h"
#include "maybe_res.h"
#include "debug.h"
#include "config.h"
#include "environment.h"
#include "config_component.h"
#include "agent_details.h"
#include "time_proxy.h"
#include "mock/mock_mainloop.h"
#include "mock/mock_rest_api.h"
#include "mock/mock_messaging.h"
using namespace std;
using namespace testing;
USE_DEBUG_FLAG(D_PROMETHEUS);
class PrometheusCompTest : public Test
{
public:
PrometheusCompTest()
{
EXPECT_CALL(mock_rest, mockRestCall(_, "declare-boolean-variable", _)).WillOnce(Return(false));
env.preload();
config.preload();
env.init();
EXPECT_CALL(
mock_rest,
addGetCall("metrics", _)
).WillOnce(DoAll(SaveArg<1>(&get_metrics_func), Return(true)));
prometheus_comp.init();
}
::Environment env;
ConfigComponent config;
PrometheusComp prometheus_comp;
StrictMock<MockRestApi> mock_rest;
StrictMock<MockMainLoop> mock_ml;
NiceMock<MockMessaging> mock_messaging;
unique_ptr<ServerRest> agent_uninstall;
function<string()> get_metrics_func;
CPTestTempfile status_file;
string registered_services_file_path;
};
TEST_F(PrometheusCompTest, checkAddingMetric)
{
registered_services_file_path = cptestFnameInSrcDir(string("registered_services.json"));
setConfiguration(registered_services_file_path, "orchestration", "Orchestration registered services");
string metric_body = "{\n"
" \"metrics\": [\n"
" {\n"
" \"metric_name\": \"watchdogProcessStartupEventsSum\",\n"
" \"metric_type\": \"counter\",\n"
" \"metric_description\": \"\",\n"
" \"labels\": \"{method=\\\"post\\\",code=\\\"200\\\"}\",\n"
" \"value\": \"1534\"\n"
" }\n"
" ]\n"
"}";
string message_body;
EXPECT_CALL(mock_messaging, sendSyncMessage(_, "/service-metrics", _, _, _))
.Times(2).WillRepeatedly(Return(HTTPResponse(HTTPStatusCode::HTTP_OK, metric_body)));
string metric_str = "# TYPE nano_service_restarts_counter counter\n"
"nano_service_restarts_counter{method=\"post\",code=\"200\"} 1534\n\n";
EXPECT_EQ(metric_str, get_metrics_func());
}

32
components/security_apps/prometheus/prometheus_ut/registered_services.json
View File

@ -1,32 +0,0 @@
{
"Registered Services": {
"cp-nano-orchestration": {
"Service name": "cp-nano-orchestration",
"Service ID": "cp-nano-orchestration",
"Service port": 7777,
"Relevant configs": [
"zones",
"triggers",
"rules",
"registration-data",
"parameters",
"orchestration",
"exceptions",
"agent-intelligence"
]
},
"cp-nano-prometheus": {
"Service name": "cp-nano-prometheus",
"Service ID": "cp-nano-prometheus",
"Service port": 7465,
"Relevant configs": [
"zones",
"triggers",
"rules",
"parameters",
"exceptions",
"agent-intelligence"
]
}
}
}

123
components/security_apps/rate_limit/rate_limit.cc
View File

@ -246,27 +246,6 @@ public:
return matched_rule; return matched_rule;
} }
void
fetchReplicaCount()
{
string curl_cmd =
"curl -H \"Authorization: Bearer " + kubernetes_token + "\" "
"https://kubernetes.default.svc.cluster.local/apis/apps/v1/namespaces/" + kubernetes_namespace +
"/deployments/${AGENT_DEPLOYMENT_NAME} -k -s | jq .status.replicas";
auto maybe_replicas = i_shell_cmd->getExecOutput(curl_cmd);
if (maybe_replicas.ok()) {
try {
replicas = std::stoi(maybe_replicas.unpack());
} catch (const std::exception &e) {
dbgWarning(D_RATE_LIMIT) << "error while converting replicas: " << e.what();
}
}
if (replicas == 0) {
dbgWarning(D_RATE_LIMIT) << "replicas is set to 0, setting replicas to 1";
replicas = 1;
}
}
EventVerdict EventVerdict
respond(const HttpRequestHeaderEvent &event) override respond(const HttpRequestHeaderEvent &event) override
{ {
@ -292,72 +271,10 @@ public:
dbgDebug(D_RATE_LIMIT) << "source identifier value: " << source_identifier; dbgDebug(D_RATE_LIMIT) << "source identifier value: " << source_identifier;
auto maybe_source_ip = env->get<IPAddr>(HttpTransactionData::client_ip_ctx); auto maybe_source_ip = env->get<IPAddr>(HttpTransactionData::client_ip_ctx);
set<string> ip_set;
string source_ip = ""; string source_ip = "";
if (maybe_source_ip.ok()) { if (maybe_source_ip.ok()) source_ip = ipAddrToStr(maybe_source_ip.unpack());
source_ip = ipAddrToStr(maybe_source_ip.unpack());
if (getProfileAgentSettingWithDefault<bool>(false, "agent.rateLimit.ignoreSourceIP")) { unordered_map<string, set<string>> condition_map = createConditionMap(uri, source_ip, source_identifier);
dbgDebug(D_RATE_LIMIT) << "Rate limit ignoring source ip: " << source_ip;
} else {
ip_set.insert(source_ip);
}
}
auto maybe_xff = env->get<string>(HttpTransactionData::xff_vals_ctx);
if (!maybe_xff.ok()) {
dbgTrace(D_RATE_LIMIT) << "Rate limit failed to get xff vals from env";
} else {
auto ips = split(maybe_xff.unpack(), ',');
ip_set.insert(ips.begin(), ips.end());
}
EnumArray<I_GeoLocation::GeoLocationField, string> geo_location_data;
set<string> country_codes;
set<string> country_names;
for (const string& source : ip_set) {
Maybe<IPAddr> maybe_source_ip = IPAddr::createIPAddr(source);
if (!maybe_source_ip.ok()){
dbgWarning(D_RATE_LIMIT)
<< "Rate limit failed to create ip address from source: "
<< source
<< ", Error: "
<< maybe_source_ip.getErr();
continue;
}
auto asset_location =
Singleton::Consume<I_GeoLocation>::by<RateLimit>()->lookupLocation(maybe_source_ip.unpack());
if (!asset_location.ok()) {
dbgWarning(D_RATE_LIMIT)
<< "Rate limit lookup location failed for source: "
<< source_ip
<< ", Error: "
<< asset_location.getErr();
continue;
}
geo_location_data = asset_location.unpack();
auto code = geo_location_data[I_GeoLocation::GeoLocationField::COUNTRY_CODE];
auto name = geo_location_data[I_GeoLocation::GeoLocationField::COUNTRY_NAME];
country_codes.insert(code);
country_names.insert(name);
dbgTrace(D_RATE_LIMIT)
<< "Rate limit found "
<< "country code: "
<< code
<< ", country name: "
<< name
<< ", source ip address: "
<< source;
}
unordered_map<string, set<string>> condition_map = createConditionMap(
uri,
source_ip,
source_identifier,
country_codes,
country_names
);
if (shouldApplyException(condition_map)) { if (shouldApplyException(condition_map)) {
dbgDebug(D_RATE_LIMIT) << "found accept exception, not enforcing rate limit on this URI: " << uri; dbgDebug(D_RATE_LIMIT) << "found accept exception, not enforcing rate limit on this URI: " << uri;
return ACCEPT; return ACCEPT;
@ -376,8 +293,8 @@ public:
return ACCEPT; return ACCEPT;
} }
burst = static_cast<float>(rule.getRateLimit()) / replicas; burst = rule.getRateLimit();
limit = static_cast<float>(calcRuleLimit(rule)) / replicas; limit = calcRuleLimit(rule);
dbgTrace(D_RATE_LIMIT) dbgTrace(D_RATE_LIMIT)
<< "found rate limit rule with: " << "found rate limit rule with: "
@ -554,18 +471,10 @@ public:
} }
unordered_map<string, set<string>> unordered_map<string, set<string>>
createConditionMap( createConditionMap(const string &uri, const string &source_ip, const string &source_identifier)
const string &uri,
const string &source_ip,
const string &source_identifier,
const set<string> &country_codes,
const set<string> &country_names
)
{ {
unordered_map<string, set<string>> condition_map; unordered_map<string, set<string>> condition_map;
if (!source_ip.empty()) condition_map["sourceIP"].insert(source_ip); if (!source_ip.empty()) condition_map["sourceIP"].insert(source_ip);
if (!country_codes.empty()) condition_map["countryCode"].insert(country_codes.begin(), country_codes.end());
if (!country_names.empty()) condition_map["countryName"].insert(country_names.begin(), country_names.end());
condition_map["sourceIdentifier"].insert(source_identifier); condition_map["sourceIdentifier"].insert(source_identifier);
condition_map["url"].insert(uri); condition_map["url"].insert(uri);
@ -702,21 +611,6 @@ public:
"Initialize rate limit component", "Initialize rate limit component",
false false
); );
i_shell_cmd = Singleton::Consume<I_ShellCmd>::by<RateLimit>();
i_env_details = Singleton::Consume<I_EnvDetails>::by<RateLimit>();
env_type = i_env_details->getEnvType();
if (env_type == EnvType::K8S) {
kubernetes_token = i_env_details->getToken();
kubernetes_namespace = i_env_details->getNameSpace();
fetchReplicaCount();
Singleton::Consume<I_MainLoop>::by<RateLimit>()->addRecurringRoutine(
I_MainLoop::RoutineType::Offline,
chrono::seconds(120),
[this]() { fetchReplicaCount(); },
"Fetch current replica count from the Kubernetes cluster"
);
}
} }
void void
@ -725,9 +619,6 @@ public:
disconnectRedis(); disconnectRedis();
} }
I_ShellCmd *i_shell_cmd = nullptr;
I_EnvDetails* i_env_details = nullptr;
private: private:
static constexpr auto DROP = ngx_http_cp_verdict_e::TRAFFIC_VERDICT_DROP; static constexpr auto DROP = ngx_http_cp_verdict_e::TRAFFIC_VERDICT_DROP;
static constexpr auto ACCEPT = ngx_http_cp_verdict_e::TRAFFIC_VERDICT_ACCEPT; static constexpr auto ACCEPT = ngx_http_cp_verdict_e::TRAFFIC_VERDICT_ACCEPT;
@ -738,10 +629,6 @@ private:
int burst; int burst;
float limit; float limit;
redisContext* redis = nullptr; redisContext* redis = nullptr;
int replicas = 1;
EnvType env_type;
string kubernetes_namespace = "";
string kubernetes_token = "";
}; };
RateLimit::RateLimit() : Component("RateLimit"), pimpl(make_unique<Impl>()) {} RateLimit::RateLimit() : Component("RateLimit"), pimpl(make_unique<Impl>()) {}

8
components/security_apps/waap/include/i_serialize.h
View File

@ -137,13 +137,9 @@ public:
void setRemoteSyncEnabled(bool enabled); void setRemoteSyncEnabled(bool enabled);
protected: protected:
void mergeProcessedFromRemote(); void mergeProcessedFromRemote();
std::string getWindowId();
void waitSync();
std::string getPostDataUrl(); std::string getPostDataUrl();
std::string getUri(); std::string getUri();
size_t getIntervalsCount(); size_t getIntervalsCount();
void incrementIntervalsCount();
bool isBase();
template<typename T> template<typename T>
bool sendObject(T &obj, HTTPMethod method, std::string uri) bool sendObject(T &obj, HTTPMethod method, std::string uri)
@ -256,13 +252,14 @@ protected:
const std::string m_remotePath; // Created from tenentId + / + assetId + / + class const std::string m_remotePath; // Created from tenentId + / + assetId + / + class
std::chrono::seconds m_interval; std::chrono::seconds m_interval;
std::string m_owner; std::string m_owner;
const std::string m_assetId;
private: private:
bool localSyncAndProcess(); bool localSyncAndProcess();
void updateStateFromRemoteService(); void updateStateFromRemoteService();
RemoteFilesList getProcessedFilesList(); RemoteFilesList getProcessedFilesList();
RemoteFilesList getRemoteProcessedFilesList(); RemoteFilesList getRemoteProcessedFilesList();
std::string getWindowId();
bool isBase();
std::string getLearningHost(); std::string getLearningHost();
std::string getSharedStorageHost(); std::string getSharedStorageHost();
@ -273,6 +270,7 @@ private:
size_t m_windowsCount; size_t m_windowsCount;
size_t m_intervalsCounter; size_t m_intervalsCounter;
bool m_remoteSyncEnabled; bool m_remoteSyncEnabled;
const std::string m_assetId;
const bool m_isAssetIdUuid; const bool m_isAssetIdUuid;
std::string m_type; std::string m_type;
std::string m_lastProcessedModified; std::string m_lastProcessedModified;

2
components/security_apps/waap/include/i_transaction.h
View File

@ -70,7 +70,6 @@ public:
virtual const std::string getParam() const = 0; virtual const std::string getParam() const = 0;
virtual const std::vector<std::string> getKeywordMatches() const = 0; virtual const std::vector<std::string> getKeywordMatches() const = 0;
virtual const std::vector<std::string> getKeywordsCombinations() const = 0; virtual const std::vector<std::string> getKeywordsCombinations() const = 0;
virtual const std::vector<std::string> getKeywordsAfterFilter() const = 0;
virtual const std::string getContentTypeStr() const = 0; virtual const std::string getContentTypeStr() const = 0;
virtual Waap::Util::ContentType getContentType() const = 0; virtual Waap::Util::ContentType getContentType() const = 0;
virtual const std::string getKeywordMatchesStr() const = 0; virtual const std::string getKeywordMatchesStr() const = 0;
@ -85,7 +84,6 @@ public:
virtual const std::string getUriStr() const = 0; virtual const std::string getUriStr() const = 0;
virtual const std::string& getSourceIdentifier() const = 0; virtual const std::string& getSourceIdentifier() const = 0;
virtual double getScore() const = 0; virtual double getScore() const = 0;
virtual double getOtherModelScore() const = 0;
virtual const std::vector<double> getScoreArray() const = 0; virtual const std::vector<double> getScoreArray() const = 0;
virtual Waap::CSRF::State& getCsrfState() = 0; virtual Waap::CSRF::State& getCsrfState() = 0;
virtual ngx_http_cp_verdict_e getUserLimitVerdict() = 0; virtual ngx_http_cp_verdict_e getUserLimitVerdict() = 0;

6
components/security_apps/waap/include/i_waapConfig.h
View File

@ -19,14 +19,12 @@
#include "../waap_clib/WaapParameters.h" #include "../waap_clib/WaapParameters.h"
#include "../waap_clib/WaapOpenRedirectPolicy.h" #include "../waap_clib/WaapOpenRedirectPolicy.h"
#include "../waap_clib/WaapErrorDisclosurePolicy.h" #include "../waap_clib/WaapErrorDisclosurePolicy.h"
#include "../waap_clib/DecisionType.h"
#include "../waap_clib/CsrfPolicy.h" #include "../waap_clib/CsrfPolicy.h"
#include "../waap_clib/UserLimitsPolicy.h" #include "../waap_clib/UserLimitsPolicy.h"
#include "../waap_clib/RateLimiting.h" #include "../waap_clib/RateLimiting.h"
#include "../waap_clib/SecurityHeadersPolicy.h" #include "../waap_clib/SecurityHeadersPolicy.h"
#include <memory> #include <memory>
enum class BlockingLevel { enum class BlockingLevel {
NO_BLOCKING = 0, NO_BLOCKING = 0,
LOW_BLOCKING_LEVEL, LOW_BLOCKING_LEVEL,
@ -46,8 +44,8 @@ public:
virtual const std::string& get_AssetId() const = 0; virtual const std::string& get_AssetId() const = 0;
virtual const std::string& get_AssetName() const = 0; virtual const std::string& get_AssetName() const = 0;
virtual const BlockingLevel& get_BlockingLevel() const = 0; virtual const BlockingLevel& get_BlockingLevel() const = 0;
virtual const std::string& get_PracticeIdByPactice(DecisionType practiceType) const = 0; virtual const std::string& get_PracticeId() const = 0;
virtual const std::string& get_PracticeNameByPactice(DecisionType practiceType) const = 0; virtual const std::string& get_PracticeName() const = 0;
virtual const std::string& get_PracticeSubType() const = 0; virtual const std::string& get_PracticeSubType() const = 0;
virtual const std::string& get_RuleId() const = 0; virtual const std::string& get_RuleId() const = 0;
virtual const std::string& get_RuleName() const = 0; virtual const std::string& get_RuleName() const = 0;

4
components/security_apps/waap/waap_clib/CMakeLists.txt
View File

@ -87,11 +87,7 @@ add_library(waap_clib
ParserPairs.cc ParserPairs.cc
Waf2Util2.cc Waf2Util2.cc
ParserPDF.cc ParserPDF.cc
ParserKnownBenignSkipper.cc
ParserScreenedJson.cc
ParserBinaryFile.cc ParserBinaryFile.cc
RegexComparator.cc
RequestsMonitor.cc
) )
add_definitions("-Wno-unused-function") add_definitions("-Wno-unused-function")

Some files were not shown because too many files have changed in this diff Show More