github_mirrors/openappsec
3
0
Fork 1
mirror of https://github.com/openappsec/openappsec.git synced 2025-11-16 17:31:52 +03:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: github_mirrors:namspace-crds
Branches Tags
github_mirrors:main github_mirrors:v1beta2-defualt-policy github_mirrors:fix-entry-file-token-arg github_mirrors:09-11-25-dev github_mirrors:docker-stop-issue github_mirrors:update_docker_compose github_mirrors:fix-alpine-ca github_mirrors:Aug_08_2025-Dev github_mirrors:nginx_message_reader_improvements github_mirrors:conf-collector-upload github_mirrors:waf-tag github_mirrors:watchdog github_mirrors:prometheus_support github_mirrors:exception-fix github_mirrors:orianelou-patch-8 github_mirrors:orianelou-issue-tamplates github_mirrors:Mar_17_2025-Dev github_mirrors:docker-upgrade-issue github_mirrors:namspace-crds github_mirrors:Feb_27_2025-Dev github_mirrors:Feb_10_2025-Dev github_mirrors:oriane-23.12.24-adding-new-composes github_mirrors:Jan_12_2025-Dev github_mirrors:orianelou-patch-7 github_mirrors:Dec_29_2024-Dev github_mirrors:Nov_28_2024-Dev github_mirrors:Oct_14_2024-Dev github_mirrors:Sep_17_2024-Dev github_mirrors:Sep_15_2024-Dev github_mirrors:Sep_13_2024-Dev github_mirrors:Sep_11_2024-Dev github_mirrors:Aug_20_2024-Dev github_mirrors:orianelou-patch-6 github_mirrors:orianelou-patch-5 github_mirrors:orianelou-patch-4 github_mirrors:Jul_31_2024-Dev github_mirrors:danielei-hotifx-candidate github_mirrors:orianelou-crds github_mirrors:or github_mirrors:Jul_23_2024-Dev github_mirrors:Jul_04_2024-Dev github_mirrors:Jun_26_2024-Dev github_mirrors:orianelou-new-policy-files github_mirrors:Jun_09_2024-Dev github_mirrors:May_27_2024-Dev github_mirrors:Apr_21_2024-Dev github_mirrors:Apr_14_2024-Dev github_mirrors:Mar_21_2024-Dev github_mirrors:orianelou-patch-3 github_mirrors:WrightNed-patch-1 github_mirrors:Feb_28_2024 github_mirrors:orianelou-patch-apisix github_mirrors:Feb_13_2024 github_mirrors:Feb_06_2024-Dev github_mirrors:Jan_31_2024-Dev github_mirrors:Dec-24-2023 github_mirrors:Dec-12th-2023 github_mirrors:Nov_12_2023-Dev github_mirrors:open_appsec_add_agent_cache_for_rate_limit github_mirrors:orianelou-patch-2 github_mirrors:Sep_24_2023-Dev github_mirrors:Aug_23_2023-Dev github_mirrors:changing_socket_readiness_testing github_mirrors:support-advance-model github_mirrors:Jul_24_23_chart_update github_mirrors:Jul_06_2023-Dev github_mirrors:orianelou-patch-1 github_mirrors:workflow-08_05 github_mirrors:May_11_2023-Dev github_mirrors:crowdsec github_mirrors:Apr_27_2023-Dev github_mirrors:Mar_26_2023-Dev github_mirrors:Mar_13_2023-Dev github_mirrors:Mar_02_2023-Dev github_mirrors:Feb_22_2023-Dev github_mirrors:Feb_15_2023-Dev github_mirrors:Jan_22_2023-Dev github_mirrors:Jan_18_2023-Dev github_mirrors:Jan_16_2023
github_mirrors:1.1.30 github_mirrors:1.1.29 github_mirrors:1.1.27 github_mirrors:1.1.26 github_mirrors:1.1.25 github_mirrors:1.1.24 github_mirrors:1.1.23 github_mirrors:1.1.22 github_mirrors:1.1.21 github_mirrors:1.1.20 github_mirrors:1.1.19 github_mirrors:1.1.18 github_mirrors:1.1.17 github_mirrors:1.1.16 github_mirrors:1.1.15 github_mirrors:1.1.14 github_mirrors:v1.1.3 github_mirrors:1.1.12 github_mirrors:1.1.11 github_mirrors:1.1.10 github_mirrors:1.1.9 github_mirrors:1.1.8 github_mirrors:1.1.7 github_mirrors:1.1.6 github_mirrors:1.1.5 github_mirrors:1.1.4 github_mirrors:1.1.3 github_mirrors:1.1.2 github_mirrors:1.1.0 github_mirrors:1.0.1 github_mirrors:1.0.0 github_mirrors:0.9.1-rc github_mirrors:0.9.0-rc github_mirrors:0.8.0-rc
..
compare: github_mirrors:prometheus_support
Branches Tags
github_mirrors:main github_mirrors:v1beta2-defualt-policy github_mirrors:fix-entry-file-token-arg github_mirrors:09-11-25-dev github_mirrors:docker-stop-issue github_mirrors:update_docker_compose github_mirrors:fix-alpine-ca github_mirrors:Aug_08_2025-Dev github_mirrors:nginx_message_reader_improvements github_mirrors:conf-collector-upload github_mirrors:waf-tag github_mirrors:watchdog github_mirrors:prometheus_support github_mirrors:exception-fix github_mirrors:orianelou-patch-8 github_mirrors:orianelou-issue-tamplates github_mirrors:Mar_17_2025-Dev github_mirrors:docker-upgrade-issue github_mirrors:namspace-crds github_mirrors:Feb_27_2025-Dev github_mirrors:Feb_10_2025-Dev github_mirrors:oriane-23.12.24-adding-new-composes github_mirrors:Jan_12_2025-Dev github_mirrors:orianelou-patch-7 github_mirrors:Dec_29_2024-Dev github_mirrors:Nov_28_2024-Dev github_mirrors:Oct_14_2024-Dev github_mirrors:Sep_17_2024-Dev github_mirrors:Sep_15_2024-Dev github_mirrors:Sep_13_2024-Dev github_mirrors:Sep_11_2024-Dev github_mirrors:Aug_20_2024-Dev github_mirrors:orianelou-patch-6 github_mirrors:orianelou-patch-5 github_mirrors:orianelou-patch-4 github_mirrors:Jul_31_2024-Dev github_mirrors:danielei-hotifx-candidate github_mirrors:orianelou-crds github_mirrors:or github_mirrors:Jul_23_2024-Dev github_mirrors:Jul_04_2024-Dev github_mirrors:Jun_26_2024-Dev github_mirrors:orianelou-new-policy-files github_mirrors:Jun_09_2024-Dev github_mirrors:May_27_2024-Dev github_mirrors:Apr_21_2024-Dev github_mirrors:Apr_14_2024-Dev github_mirrors:Mar_21_2024-Dev github_mirrors:orianelou-patch-3 github_mirrors:WrightNed-patch-1 github_mirrors:Feb_28_2024 github_mirrors:orianelou-patch-apisix github_mirrors:Feb_13_2024 github_mirrors:Feb_06_2024-Dev github_mirrors:Jan_31_2024-Dev github_mirrors:Dec-24-2023 github_mirrors:Dec-12th-2023 github_mirrors:Nov_12_2023-Dev github_mirrors:open_appsec_add_agent_cache_for_rate_limit github_mirrors:orianelou-patch-2 github_mirrors:Sep_24_2023-Dev github_mirrors:Aug_23_2023-Dev github_mirrors:changing_socket_readiness_testing github_mirrors:support-advance-model github_mirrors:Jul_24_23_chart_update github_mirrors:Jul_06_2023-Dev github_mirrors:orianelou-patch-1 github_mirrors:workflow-08_05 github_mirrors:May_11_2023-Dev github_mirrors:crowdsec github_mirrors:Apr_27_2023-Dev github_mirrors:Mar_26_2023-Dev github_mirrors:Mar_13_2023-Dev github_mirrors:Mar_02_2023-Dev github_mirrors:Feb_22_2023-Dev github_mirrors:Feb_15_2023-Dev github_mirrors:Jan_22_2023-Dev github_mirrors:Jan_18_2023-Dev github_mirrors:Jan_16_2023
github_mirrors:1.1.30 github_mirrors:1.1.29 github_mirrors:1.1.27 github_mirrors:1.1.26 github_mirrors:1.1.25 github_mirrors:1.1.24 github_mirrors:1.1.23 github_mirrors:1.1.22 github_mirrors:1.1.21 github_mirrors:1.1.20 github_mirrors:1.1.19 github_mirrors:1.1.18 github_mirrors:1.1.17 github_mirrors:1.1.16 github_mirrors:1.1.15 github_mirrors:1.1.14 github_mirrors:v1.1.3 github_mirrors:1.1.12 github_mirrors:1.1.11 github_mirrors:1.1.10 github_mirrors:1.1.9 github_mirrors:1.1.8 github_mirrors:1.1.7 github_mirrors:1.1.6 github_mirrors:1.1.5 github_mirrors:1.1.4 github_mirrors:1.1.3 github_mirrors:1.1.2 github_mirrors:1.1.0 github_mirrors:1.0.1 github_mirrors:1.0.0 github_mirrors:0.9.1-rc github_mirrors:0.9.0-rc github_mirrors:0.8.0-rc

45 Commits
namspace-c ... prometheus

Author SHA1 Message Date
avigailo
a9e186b824 Add prometheus support 2025-05-27 17:45:05 +03:00
avigailo
b2fbb5ae8a Add prometheus support 2025-04-20 13:54:01 +03:00
avigailo
c71b361755 Add prometheus support 2025-04-10 15:01:56 +03:00
avigailo
7c2fcbddcf Add prometheus support 2025-04-09 22:15:00 +03:00
avigailo
9e85e5703c Add prometheus support 2025-04-09 22:06:45 +03:00
orianelou
2c6b6baa3b Update docker-compose.yaml 2025-04-01 14:24:16 +03:00
orianelou
37d0f1c45f Update bug_report.md 2025-04-01 10:14:26 +03:00
orianelou
52c93ad574 Merge pull request #291 from MaxShapiro/MaxShapiro-patch-1 
Update .env
 2025-03-30 10:22:09 +03:00
Max Shapiro
bd3a53041e Update .env 2025-03-30 09:55:33 +03:00
Daniel-Eisenberg
44f40fbd1b Merge pull request #287 from openappsec/docker-upgrade-issue 
Docker upgrade issue
 2025-03-25 22:47:21 +02:00
orianelou
0691f9b9cd Update open-appsec-k8s-prevent-config-v1beta2.yaml 2025-03-23 14:33:18 +02:00
orianelou
0891dcd251 Update .env 2025-03-23 14:02:41 +02:00
Daniel-Eisenberg
7669f0c89c Merge pull request #285 from openappsec/Mar_17_2025-Dev 
Mar 17 2025 dev
 2025-03-19 17:57:49 +02:00
orianelou
39d7884bed Update bug_report.md 2025-03-19 16:42:28 +02:00
orianelou
b8783c3065 Update nginx_version_support.md 2025-03-19 11:32:09 +02:00
orianelou
37dc9f14b4 Update config.yml 2025-03-19 11:31:32 +02:00
orianelou
9a1f1b5966 Update config.yml 2025-03-19 11:30:41 +02:00
orianelou
b0bfd3077c Update config.yml 2025-03-19 11:30:09 +02:00
orianelou
0469f5aa1f Update bug_report.md 2025-03-19 11:29:51 +02:00
orianelou
3578797214 Delete .github/ISSUE_TEMPLATE/feature_request.md 2025-03-19 11:29:28 +02:00
orianelou
16a72fdf3e Update nginx_version_support.md 2025-03-19 11:29:03 +02:00
orianelou
87d257f268 Update config.yml 2025-03-19 11:26:36 +02:00
orianelou
36d8006c26 Create config.yml 2025-03-19 11:24:55 +02:00
orianelou
8d47795d4d Delete .github/ISSUE_TEMPLATE/config.yml 2025-03-19 11:21:45 +02:00
orianelou
f3656712b0 Merge pull request #284 from openappsec/orianelou-issue-tamplates 
Orianelou issue tamplates
 2025-03-19 11:20:41 +02:00
orianelou
b1781234fd Create config.yml 2025-03-19 11:18:49 +02:00
orianelou
f71dca2bfa Create nginx_version_support.md 2025-03-19 11:16:52 +02:00
orianelou
bd333818ad Create feature_request.md 2025-03-19 11:12:10 +02:00
orianelou
95e776d7a4 Create bug_report.md 2025-03-19 11:10:21 +02:00
Ned Wright
51c2912434 sync code 2025-03-18 20:34:34 +00:00
Ned Wright
0246b73bbd sync code 2025-03-17 14:49:44 +00:00
avigailo
919921f6d3 Add manifest to the image creation 2025-03-17 15:26:11 +02:00
avigailo
e9098e2845 Add manifest to the image creation 2025-03-16 16:57:48 +02:00
avigailo
97d042589b Add manifest to the image creation 2025-03-16 13:41:28 +02:00
orianelou
df7be864e2 Update open-appsec-crd-v1beta2.yaml 2025-03-11 16:30:27 +02:00
orianelou
ba8ec26344 Create apisix.yaml 2025-03-09 11:43:40 +02:00
orianelou
97add465e8 Create kong.yml 2025-03-09 11:42:46 +02:00
orianelou
38cb1f2c3b Create envoy.yaml 2025-03-09 11:41:48 +02:00
orianelou
1dd9371840 Rename examples/juiceshop/nginx/swag/default.conf to examples/juiceshop/swag/default.conf 2025-03-09 11:41:13 +02:00
orianelou
f23d22a723 Rename examples/juiceshop/nginx/swag/juiceshop.subfolder.conf to examples/juiceshop/swag/juiceshop.subfolder.conf 2025-03-09 11:40:47 +02:00
orianelou
b51cf09190 Create juiceshop.subfolder.conf 2025-03-09 11:39:51 +02:00
orianelou
ceb6469a7e Create default.conf 2025-03-09 11:39:22 +02:00
orianelou
b0ae283eed Update open-appsec-crd-v1beta2.yaml 2025-03-06 14:19:07 +02:00
orianelou
5fcb9bdc4a Update open-appsec-crd-v1beta2.yaml 2025-03-06 13:54:49 +02:00
orianelou
fb5698360b Merge pull request #267 from openappsec/namspace-crds 
Update open-appsec-crd-v1beta2.yaml
 2025-03-06 13:38:34 +02:00
56 changed files with 2344 additions and 300 deletions
Expand all files Collapse all files

36
.github/ISSUE_TEMPLATE/bug_report.md vendored Normal file
View File

@@ -0,0 +1,36 @@
---
name: "Bug Report"
about: "Report a bug with open-appsec"
labels: [bug]
---
**Checklist**
- Have you checked the open-appsec troubleshooting guides - https://docs.openappsec.io/troubleshooting/troubleshooting
- Yes / No
- Have you checked the existing issues and discussions in github for the same issue
- Yes / No
- Have you checked the knwon limitations same issue - https://docs.openappsec.io/release-notes#limitations
- Yes / No
**Describe the bug**
A clear and concise description of what the bug is.
**To Reproduce**
Steps to reproduce the behavior:
1. Go to '...'
2. Run '...'
3. See error '...'
**Expected behavior**
A clear and concise description of what you expected to happen.
**Screenshots or Logs**
If applicable, add screenshots or logs to help explain the issue.
**Environment (please complete the following information):**
- open-appsec version:
- Deployment type (Docker, Kubernetes, etc.):
- OS:
**Additional context**
Add any other context about the problem here.

8
.github/ISSUE_TEMPLATE/config.yml vendored Normal file
View File

@@ -0,0 +1,8 @@
blank_issues_enabled: false
contact_links:
- name: "Documentation & Troubleshooting"
url: "https://docs.openappsec.io/"
about: "Check the documentation before submitting an issue."
- name: "Feature Requests & Discussions"
url: "https://github.com/openappsec/openappsec/discussions"
about: "Please open a discussion for feature requests."

17
.github/ISSUE_TEMPLATE/nginx_version_support.md vendored Normal file
View File

@@ -0,0 +1,17 @@
---
name: "Nginx Version Support Request"
about: "Request for a specific Nginx version to be supported"
---
**Nginx & OS Version:**
Which Nginx and OS version are you using?
**Output of nginx -V**
Share the output of nginx -v
**Expected Behavior:**
What do you expect to happen with this version?
**Checklist**
- Have you considered a docker based deployment - find more information here https://docs.openappsec.io/getting-started/start-with-docker?
- Yes / No

2
build_system/docker/CMakeLists.txt
View File

@@ -1,4 +1,4 @@
install(FILES Dockerfile entry.sh install-cp-agent-intelligence-service.sh install-cp-crowdsec-aux.sh DESTINATION .) install(FILES Dockerfile entry.sh install-cp-agent-intelligence-service.sh install-cp-crowdsec-aux.sh self_managed_openappsec_manifest.json DESTINATION .)
add_custom_command( add_custom_command(
OUTPUT ${CMAKE_INSTALL_PREFIX}/agent-docker.img OUTPUT ${CMAKE_INSTALL_PREFIX}/agent-docker.img

4
build_system/docker/Dockerfile
View File

@@ -1,5 +1,7 @@
FROM alpine FROM alpine
ENV OPENAPPSEC_NANO_AGENT=TRUE
RUN apk add --no-cache -u busybox RUN apk add --no-cache -u busybox
RUN apk add --no-cache -u zlib RUN apk add --no-cache -u zlib
RUN apk add --no-cache bash RUN apk add --no-cache bash
@@ -13,6 +15,8 @@ RUN apk add --no-cache libxml2
RUN apk add --no-cache pcre2 RUN apk add --no-cache pcre2
RUN apk add --update coreutils RUN apk add --update coreutils
COPY self_managed_openappsec_manifest.json /tmp/self_managed_openappsec_manifest.json
COPY install*.sh /nano-service-installers/ COPY install*.sh /nano-service-installers/
COPY entry.sh /entry.sh COPY entry.sh /entry.sh

5
build_system/docker/entry.sh
View File

@@ -6,6 +6,7 @@ HTTP_TRANSACTION_HANDLER_SERVICE="install-cp-nano-service-http-transaction-handl
ATTACHMENT_REGISTRATION_SERVICE="install-cp-nano-attachment-registration-manager.sh" ATTACHMENT_REGISTRATION_SERVICE="install-cp-nano-attachment-registration-manager.sh"
ORCHESTRATION_INSTALLATION_SCRIPT="install-cp-nano-agent.sh" ORCHESTRATION_INSTALLATION_SCRIPT="install-cp-nano-agent.sh"
CACHE_INSTALLATION_SCRIPT="install-cp-nano-agent-cache.sh" CACHE_INSTALLATION_SCRIPT="install-cp-nano-agent-cache.sh"
PROMETHEUS_INSTALLATION_SCRIPT="install-cp-nano-service-prometheus.sh"
var_fog_address= var_fog_address=
var_proxy= var_proxy=
@@ -81,6 +82,10 @@ fi
/nano-service-installers/$CACHE_INSTALLATION_SCRIPT --install /nano-service-installers/$CACHE_INSTALLATION_SCRIPT --install
/nano-service-installers/$HTTP_TRANSACTION_HANDLER_SERVICE --install /nano-service-installers/$HTTP_TRANSACTION_HANDLER_SERVICE --install
if [ "$PROMETHEUS" == "true" ]; then
/nano-service-installers/$PROMETHEUS_INSTALLATION_SCRIPT --install
fi
if [ "$CROWDSEC_ENABLED" == "true" ]; then if [ "$CROWDSEC_ENABLED" == "true" ]; then
/nano-service-installers/$INTELLIGENCE_INSTALLATION_SCRIPT --install /nano-service-installers/$INTELLIGENCE_INSTALLATION_SCRIPT --install
/nano-service-installers/$CROWDSEC_INSTALLATION_SCRIPT --install /nano-service-installers/$CROWDSEC_INSTALLATION_SCRIPT --install

0
build_system/docker/self_managed_openappsec_manifest.json Normal file
View File

2
components/include/i_details_resolver.h
View File

@@ -30,7 +30,7 @@ public:
virtual bool isVersionAboveR8110() = 0; virtual bool isVersionAboveR8110() = 0;
virtual bool isReverseProxy() = 0; virtual bool isReverseProxy() = 0;
virtual bool isCloudStorageEnabled() = 0; virtual bool isCloudStorageEnabled() = 0;
virtual Maybe<std::tuple<std::string, std::string, std::string>> parseNginxMetadata() = 0; virtual Maybe<std::tuple<std::string, std::string, std::string, std::string>> parseNginxMetadata() = 0;
virtual Maybe<std::tuple<std::string, std::string, std::string, std::string, std::string>> readCloudMetadata() = 0; virtual Maybe<std::tuple<std::string, std::string, std::string, std::string, std::string>> readCloudMetadata() = 0;
virtual std::map<std::string, std::string> getResolvedDetails() = 0; virtual std::map<std::string, std::string> getResolvedDetails() = 0;
#if defined(gaia) || defined(smb) #if defined(gaia) || defined(smb)

30
components/include/prometheus_comp.h Executable file
View File

@@ -0,0 +1,30 @@
#ifndef __PROMETHEUS_COMP_H__
#define __PROMETHEUS_COMP_H__
#include <memory>
#include "component.h"
#include "singleton.h"
#include "i_rest_api.h"
#include "i_messaging.h"
#include "generic_metric.h"
class PrometheusComp
:
public Component,
Singleton::Consume<I_RestApi>,
Singleton::Consume<I_Messaging>
{
public:
PrometheusComp();
~PrometheusComp();
void init() override;
private:
class Impl;
std::unique_ptr<Impl> pimpl;
};
#endif // __PROMETHEUS_COMP_H__

1
components/security_apps/CMakeLists.txt
View File

@@ -3,6 +3,7 @@ add_subdirectory(ips)
add_subdirectory(layer_7_access_control) add_subdirectory(layer_7_access_control)
add_subdirectory(local_policy_mgmt_gen) add_subdirectory(local_policy_mgmt_gen)
add_subdirectory(orchestration) add_subdirectory(orchestration)
add_subdirectory(prometheus)
add_subdirectory(rate_limit) add_subdirectory(rate_limit)
add_subdirectory(waap) add_subdirectory(waap)
add_subdirectory(central_nginx_manager) add_subdirectory(central_nginx_manager)

46
components/security_apps/orchestration/details_resolver/details_resolver.cc
View File

@@ -46,7 +46,7 @@ public:
bool isReverseProxy() override; bool isReverseProxy() override;
bool isCloudStorageEnabled() override; bool isCloudStorageEnabled() override;
Maybe<tuple<string, string, string, string, string>> readCloudMetadata() override; Maybe<tuple<string, string, string, string, string>> readCloudMetadata() override;
Maybe<tuple<string, string, string>> parseNginxMetadata() override; Maybe<tuple<string, string, string, string>> parseNginxMetadata() override;
#if defined(gaia) || defined(smb) #if defined(gaia) || defined(smb)
bool compareCheckpointVersion(int cp_version, std::function<bool(int, int)> compare_operator) const override; bool compareCheckpointVersion(int cp_version, std::function<bool(int, int)> compare_operator) const override;
#endif // gaia || smb #endif // gaia || smb
@@ -230,7 +230,7 @@ isNoResponse(const string &cmd)
return !res.ok() || res.unpack().empty(); return !res.ok() || res.unpack().empty();
} }
Maybe<tuple<string, string, string>> Maybe<tuple<string, string, string, string>>
DetailsResolver::Impl::parseNginxMetadata() DetailsResolver::Impl::parseNginxMetadata()
{ {
auto output_path = getConfigurationWithDefault<string>( auto output_path = getConfigurationWithDefault<string>(
@@ -243,6 +243,11 @@ DetailsResolver::Impl::parseNginxMetadata()
"/scripts/cp-nano-makefile-generator.sh -f -o " + "/scripts/cp-nano-makefile-generator.sh -f -o " +
output_path; output_path;
const string script_fresh_exe_cmd =
getFilesystemPathConfig() +
"/scripts/cp-nano-makefile-generator-fresh.sh save --save-location " +
output_path;
dbgTrace(D_ORCHESTRATOR) << "Details resolver, srcipt exe cmd: " << srcipt_exe_cmd; dbgTrace(D_ORCHESTRATOR) << "Details resolver, srcipt exe cmd: " << srcipt_exe_cmd;
if (isNoResponse("which nginx") && isNoResponse("which kong")) { if (isNoResponse("which nginx") && isNoResponse("which kong")) {
return genError("Nginx or Kong isn't installed"); return genError("Nginx or Kong isn't installed");
@@ -279,7 +284,37 @@ DetailsResolver::Impl::parseNginxMetadata()
<< " Error: " << exception.what(); << " Error: " << exception.what();
} }
if (!isNoResponse("which nginx")) {
auto script_output = DetailsResolvingHanlder::getCommandOutput(script_fresh_exe_cmd);
if (!script_output.ok()) {
return genError("Failed to generate nginx fresh metadata, Error: " + script_output.getErr());
}
try {
ifstream input_stream(output_path);
if (!input_stream) {
return genError("Cannot open the file with nginx fresh metadata, File: " + output_path);
}
string line;
while (getline(input_stream, line)) {
if (line.find("NGX_MODULE_SIGNATURE") == 0) {
lines.push_back(line);
}
}
input_stream.close();
orchestration_tools->removeFile(output_path);
} catch (const ifstream::failure &exception) {
dbgWarning(D_ORCHESTRATOR)
<< "Cannot read the file with required nginx fresh metadata."
<< " File: " << output_path
<< " Error: " << exception.what();
}
}
if (lines.size() == 0) return genError("Failed to read nginx metadata file"); if (lines.size() == 0) return genError("Failed to read nginx metadata file");
string nginx_signature;
string nginx_version; string nginx_version;
string config_opt; string config_opt;
string cc_opt; string cc_opt;
@@ -294,6 +329,11 @@ DetailsResolver::Impl::parseNginxMetadata()
nginx_version = "nginx-" + line.substr(eq_index + 1); nginx_version = "nginx-" + line.substr(eq_index + 1);
continue; continue;
} }
if (line.find("NGX_MODULE_SIGNATURE") != string::npos) {
auto eq_index = line.find("=");
nginx_signature = line.substr(eq_index + 1);
continue;
}
if (line.find("EXTRA_CC_OPT") != string::npos) { if (line.find("EXTRA_CC_OPT") != string::npos) {
auto eq_index = line.find("="); auto eq_index = line.find("=");
cc_opt = line.substr(eq_index + 1); cc_opt = line.substr(eq_index + 1);
@@ -303,7 +343,7 @@ DetailsResolver::Impl::parseNginxMetadata()
if (line.back() == '\\') line.pop_back(); if (line.back() == '\\') line.pop_back();
config_opt += line; config_opt += line;
} }
return make_tuple(config_opt, cc_opt, nginx_version); return make_tuple(config_opt, cc_opt, nginx_version, nginx_signature);
} }
Maybe<tuple<string, string, string, string, string>> Maybe<tuple<string, string, string, string, string>>

4
components/security_apps/orchestration/include/mock/mock_details_resolver.h
View File

@@ -21,7 +21,7 @@
#include "maybe_res.h" #include "maybe_res.h"
std::ostream & std::ostream &
operator<<(std::ostream &os, const Maybe<std::tuple<std::string, std::string, std::string>> &) operator<<(std::ostream &os, const Maybe<std::tuple<std::string, std::string, std::string, std::string>> &)
{ {
return os; return os;
} }
@@ -48,7 +48,7 @@ public:
MOCK_METHOD0(isGwNotVsx, bool()); MOCK_METHOD0(isGwNotVsx, bool());
MOCK_METHOD0(getResolvedDetails, std::map<std::string, std::string>()); MOCK_METHOD0(getResolvedDetails, std::map<std::string, std::string>());
MOCK_METHOD0(isVersionAboveR8110, bool()); MOCK_METHOD0(isVersionAboveR8110, bool());
MOCK_METHOD0(parseNginxMetadata, Maybe<std::tuple<std::string, std::string, std::string>>()); MOCK_METHOD0(parseNginxMetadata, Maybe<std::tuple<std::string, std::string, std::string, std::string>>());
MOCK_METHOD0( MOCK_METHOD0(
readCloudMetadata, Maybe<std::tuple<std::string, std::string, std::string, std::string, std::string>>()); readCloudMetadata, Maybe<std::tuple<std::string, std::string, std::string, std::string, std::string>>());
}; };

5
components/security_apps/orchestration/orchestration_comp.cc
View File

@@ -1465,12 +1465,14 @@ private:
auto nginx_data = i_details_resolver->parseNginxMetadata(); auto nginx_data = i_details_resolver->parseNginxMetadata();
if (nginx_data.ok()) { if (nginx_data.ok()) {
string nginx_signature;
string nginx_version; string nginx_version;
string config_opt; string config_opt;
string cc_opt; string cc_opt;
tie(config_opt, cc_opt, nginx_version) = nginx_data.unpack(); tie(config_opt, cc_opt, nginx_version, nginx_signature) = nginx_data.unpack();
agent_data_report agent_data_report
<< make_pair("attachmentVersion", "Legacy") << make_pair("attachmentVersion", "Legacy")
<< make_pair("nginxSignature", nginx_signature)
<< make_pair("nginxVersion", nginx_version) << make_pair("nginxVersion", nginx_version)
<< make_pair("configureOpt", config_opt) << make_pair("configureOpt", config_opt)
<< make_pair("extraCompilerOpt", cc_opt); << make_pair("extraCompilerOpt", cc_opt);
@@ -1529,7 +1531,6 @@ private:
} else { } else {
curr_agent_data_report = agent_data_report; curr_agent_data_report = agent_data_report;
curr_agent_data_report.disableReportSending(); curr_agent_data_report.disableReportSending();
agent_data_report << AgentReportFieldWithLabel("timestamp", i_time->getWalltimeStr());
} }
} }

2
components/security_apps/orchestration/orchestration_ut/orchestration_multitenant_ut.cc
View File

@@ -140,7 +140,7 @@ public:
void void
expectDetailsResolver() expectDetailsResolver()
{ {
Maybe<tuple<string, string, string>> no_nginx(genError("No nginx")); Maybe<tuple<string, string, string, string>> no_nginx(genError("No nginx"));
EXPECT_CALL(mock_details_resolver, getPlatform()).WillRepeatedly(Return(string("linux"))); EXPECT_CALL(mock_details_resolver, getPlatform()).WillRepeatedly(Return(string("linux")));
EXPECT_CALL(mock_details_resolver, getArch()).WillRepeatedly(Return(string("x86_64"))); EXPECT_CALL(mock_details_resolver, getArch()).WillRepeatedly(Return(string("x86_64")));
EXPECT_CALL(mock_details_resolver, isReverseProxy()).WillRepeatedly(Return(false)); EXPECT_CALL(mock_details_resolver, isReverseProxy()).WillRepeatedly(Return(false));

2
components/security_apps/orchestration/orchestration_ut/orchestration_ut.cc
View File

@@ -168,7 +168,7 @@ public:
void void
expectDetailsResolver() expectDetailsResolver()
{ {
Maybe<tuple<string, string, string>> no_nginx(genError("No nginx")); Maybe<tuple<string, string, string, string>> no_nginx(genError("No nginx"));
EXPECT_CALL(mock_details_resolver, getPlatform()).WillRepeatedly(Return(string("linux"))); EXPECT_CALL(mock_details_resolver, getPlatform()).WillRepeatedly(Return(string("linux")));
EXPECT_CALL(mock_details_resolver, getArch()).WillRepeatedly(Return(string("x86_64"))); EXPECT_CALL(mock_details_resolver, getArch()).WillRepeatedly(Return(string("x86_64")));
EXPECT_CALL(mock_details_resolver, isReverseProxy()).WillRepeatedly(Return(false)); EXPECT_CALL(mock_details_resolver, isReverseProxy()).WillRepeatedly(Return(false));

4
components/security_apps/orchestration/update_communication/fog_authenticator.cc
View File

@@ -168,10 +168,12 @@ FogAuthenticator::registerAgent(
auto nginx_data = details_resolver->parseNginxMetadata(); auto nginx_data = details_resolver->parseNginxMetadata();
if (nginx_data.ok()) { if (nginx_data.ok()) {
string nginx_signature;
string nginx_version; string nginx_version;
string config_opt; string config_opt;
string cc_opt; string cc_opt;
tie(config_opt, cc_opt, nginx_version) = nginx_data.unpack(); tie(config_opt, cc_opt, nginx_version, nginx_signature) = nginx_data.unpack();
request << make_pair("nginxSignature", nginx_signature);
request << make_pair("nginxVersion", nginx_version); request << make_pair("nginxVersion", nginx_version);
request << make_pair("configureOpt", config_opt); request << make_pair("configureOpt", config_opt);
request << make_pair("extraCompilerOpt", cc_opt); request << make_pair("extraCompilerOpt", cc_opt);

2
components/security_apps/prometheus/CMakeLists.txt Executable file
View File

@@ -0,0 +1,2 @@
add_library(prometheus_comp prometheus_comp.cc)
add_subdirectory(prometheus_ut)

200
components/security_apps/prometheus/prometheus_comp.cc Executable file
View File

@@ -0,0 +1,200 @@
#include "prometheus_comp.h"
#include <string>
#include <map>
#include <vector>
#include <cereal/archives/json.hpp>
#include <cereal/types/map.hpp>
#include <cereal/types/vector.hpp>
#include <cereal/types/string.hpp>
#include <iostream>
#include <fstream>
#include "common.h"
#include "report/base_field.h"
#include "report/report_enums.h"
#include "log_generator.h"
#include "debug.h"
#include "rest.h"
#include "customized_cereal_map.h"
#include "i_messaging.h"
#include "prometheus_metric_names.h"
USE_DEBUG_FLAG(D_PROMETHEUS);
using namespace std;
using namespace ReportIS;
struct ServiceData
{
template <typename Archive>
void
serialize(Archive &ar)
{
ar(cereal::make_nvp("Service port", service_port));
}
int service_port;
};
class PrometheusMetricData
{
public:
PrometheusMetricData(const string &n, const string &t, const string &d) : name(n), type(t), description(d) {}
void
addElement(const string &labels, const string &value)
{
metric_labels_to_values[labels] = value;
}
ostream &
print(ostream &os)
{
if (metric_labels_to_values.empty()) return os;
string representative_name = "";
if (!name.empty()) {
auto metric_name = convertMetricName(name);
!metric_name.empty() ? representative_name = metric_name : representative_name = name;
}
if (!description.empty()) os << "# HELP " << representative_name << ' ' << description << '\n';
if (!name.empty()) os << "# TYPE " << representative_name << ' ' << type << '\n';
for (auto &entry : metric_labels_to_values) {
os << representative_name << entry.first << ' ' << entry.second << '\n';
}
os << '\n';
metric_labels_to_values.clear();
return os;
}
private:
string name;
string type;
string description;
map<string, string> metric_labels_to_values;
};
static ostream & operator<<(ostream &os, PrometheusMetricData &metric) { return metric.print(os); }
class PrometheusComp::Impl
{
public:
void
init()
{
Singleton::Consume<I_RestApi>::by<PrometheusComp>()->addGetCall(
"metrics",
[&] () { return getFormatedPrometheusMetrics(); }
);
}
void
addMetrics(const vector<PrometheusData> &metrics)
{
for(auto &metric : metrics) {
auto &metric_object = getDataObject(
metric.name,
metric.type,
metric.description
);
metric_object.addElement(metric.label, metric.value);
}
}
private:
PrometheusMetricData &
getDataObject(const string &name, const string &type, const string &description)
{
auto elem = prometheus_metrics.find(name);
if (elem == prometheus_metrics.end()) {
elem = prometheus_metrics.emplace(name, PrometheusMetricData(name, type, description)).first;
}
return elem->second;
}
map<string, ServiceData>
getServiceDetails()
{
map<string, ServiceData> registeredServices;
auto registered_services_file = getConfigurationWithDefault<string>(
getFilesystemPathConfig() + "/conf/orchestrations_registered_services.json",
"orchestration",
"Orchestration registered services"
);
ifstream file(registered_services_file);
if (!file.is_open()) {
dbgWarning(D_PROMETHEUS) << "Failed to open file: " << registered_services_file;
return registeredServices;
}
stringstream buffer;
buffer << file.rdbuf();
try {
cereal::JSONInputArchive archive(buffer);
archive(cereal::make_nvp("Registered Services", registeredServices));
} catch (const exception& e) {
dbgWarning(D_PROMETHEUS) << "Error parsing Registered Services JSON file: " << e.what();
}
return registeredServices;
}
void
getServicesMetrics()
{
dbgTrace(D_PROMETHEUS) << "Get all registered services metrics";
map<string, ServiceData> service_names_to_ports = getServiceDetails();
for (const auto &service : service_names_to_ports) {
I_Messaging *messaging = Singleton::Consume<I_Messaging>::by<PrometheusComp>();
MessageMetadata servie_metric_req_md("127.0.0.1", service.second.service_port);
servie_metric_req_md.setConnectioFlag(MessageConnectionConfig::ONE_TIME_CONN);
servie_metric_req_md.setConnectioFlag(MessageConnectionConfig::UNSECURE_CONN);
auto res = messaging->sendSyncMessage(
HTTPMethod::GET,
"/service-metrics",
string(""),
MessageCategory::GENERIC,
servie_metric_req_md
);
if (!res.ok()) {
dbgWarning(D_PROMETHEUS) << "Failed to get service metrics. Service: " << service.first;
continue;
}
stringstream buffer;
buffer << res.unpack().getBody();
cereal::JSONInputArchive archive(buffer);
vector<PrometheusData> metrics;
archive(cereal::make_nvp("metrics", metrics));
addMetrics(metrics);
}
}
string
getFormatedPrometheusMetrics()
{
MetricScrapeEvent().notify();
getServicesMetrics();
stringstream result;
for (auto &metric : prometheus_metrics) {
result << metric.second;
}
dbgTrace(D_PROMETHEUS) << "Prometheus metrics: " << result.str();
return result.str();
}
map<string, PrometheusMetricData> prometheus_metrics;
};
PrometheusComp::PrometheusComp() : Component("Prometheus"), pimpl(make_unique<Impl>()) {}
PrometheusComp::~PrometheusComp() {}
void
PrometheusComp::init()
{
pimpl->init();
}

143
components/security_apps/prometheus/prometheus_metric_names.h Executable file
View File

@@ -0,0 +1,143 @@
#ifndef __PROMETHEUS_METRIC_NAMES_H__
#define __PROMETHEUS_METRIC_NAMES_H__
#include <string>
#include <unordered_map>
#include "debug.h"
USE_DEBUG_FLAG(D_PROMETHEUS);
std::string
convertMetricName(const std::string &original_metric_name)
{
static const std::unordered_map<std::string, std::string> original_to_representative_names = {
// HybridModeMetric
{"watchdogProcessStartupEventsSum", "nano_service_restarts_counter"},
// nginxAttachmentMetric
{"inspectVerdictSum", "traffic_inspection_verdict_inspect_counter"},
{"acceptVeridctSum", "traffic_inspection_verdict_accept_counter"},
{"dropVerdictSum", "traffic_inspection_verdict_drop_counter"},
{"injectVerdictSum", "traffic_inspection_verdict_inject_counter"},
{"irrelevantVerdictSum", "traffic_inspection_verdict_irrelevant_counter"},
{"irrelevantVerdictSum", "traffic_inspection_verdict_irrelevant_counter"},
{"reconfVerdictSum", "traffic_inspection_verdict_reconf_counter"},
{"responseInspection", "response_body_inspection_counter"},
// nginxIntakerMetric
{"successfullInspectionTransactionsSum", "successful_Inspection_counter"},
{"failopenTransactionsSum", "fail_open_Inspection_counter"},
{"failcloseTransactionsSum", "fail_close_Inspection_counter"},
{"transparentModeTransactionsSum", "transparent_mode_counter"},
{"totalTimeInTransparentModeSum", "total_time_in_transparent_mode_counter"},
{"reachInspectVerdictSum", "inspect_verdict_counter"},
{"reachAcceptVerdictSum", "accept_verdict_counter"},
{"reachDropVerdictSum", "drop_verdict_counter"},
{"reachInjectVerdictSum", "inject_verdict_counter"},
{"reachIrrelevantVerdictSum", "irrelevant_verdict_counter"},
{"reachReconfVerdictSum", "reconf_verdict_counter"},
{"requestCompressionFailureSum", "failed_requests_compression_counter"},
{"responseCompressionFailureSum", "failed_response_compression_counter"},
{"requestDecompressionFailureSum", "failed_requests_decompression_counter"},
{"responseDecompressionFailureSum", "failed_response_decompression_counter"},
{"requestCompressionSuccessSum", "successful_request_compression_counter"},
{"responseCompressionSuccessSum", "successful_response_compression_counter"},
{"requestDecompressionSuccessSum", "successful_request_decompression_counter"},
{"responseDecompressionSuccessSum", "successful_response_decompression_counter"},
{"skippedSessionsUponCorruptedZipSum", "corrupted_zip_skipped_session_counter"},
{"attachmentThreadReachedTimeoutSum", "thread_exceeded_processing_time_counter"},
{"registrationThreadReachedTimeoutSum", "failed_registration_thread_counter"},
{"requestHeaderThreadReachedTimeoutSum", "request_headers_processing_thread_timeouts_counter"},
{"requestBodyThreadReachedTimeoutSum", "request_body_processing_thread_timeouts_counter"},
{"respondHeaderThreadReachedTimeoutSum", "response_headers_processing_thread_timeouts_counter"},
{"respondBodyThreadReachedTimeoutSum", "response_body_processing_thread_timeouts_counter"},
{"attachmentThreadFailureSum", "thread_failures_counter"},
{"httpRequestProcessingReachedTimeoutSum", "request_processing_timeouts_counter"},
{"httpRequestsSizeSum", "requests_total_size_counter"},
{"httpResponsesSizeSum", "response_total_size_counter"},
{"httpRequestFailedToReachWebServerUpstreamSum", "requests_failed_reach_upstram_counter"},
{"overallSessionProcessTimeToVerdictAvgSample", "overall_processing_time_until_verdict_average"},
{"overallSessionProcessTimeToVerdictMaxSample", "overall_processing_time_until_verdict_max"},
{"overallSessionProcessTimeToVerdictMinSample", "overall_processing_time_until_verdict_min"},
{"requestProcessTimeToVerdictAvgSample", "requests_processing_time_until_verdict_average"},
{"requestProcessTimeToVerdictMaxSample", "requests_processing_time_until_verdict_max"},
{"requestProcessTimeToVerdictMinSample", "requests_processing_time_until_verdict_min"},
{"responseProcessTimeToVerdictAvgSample", "response_processing_time_until_verdict_average"},
{"responseProcessTimeToVerdictMaxSample", "response_processing_time_until_verdict_max"},
{"responseProcessTimeToVerdictMinSample", "response_processing_time_until_verdict_min"},
{"requestBodySizeUponTimeoutAvgSample", "request_body_size_average"},
{"requestBodySizeUponTimeoutMaxSample", "request_body_size_max"},
{"requestBodySizeUponTimeoutMinSample", "request_body_size_min"},
{"responseBodySizeUponTimeoutAvgSample", "response_body_size_average"},
{"responseBodySizeUponTimeoutMaxSample", "response_body_size_max"},
{"responseBodySizeUponTimeoutMinSample", "response_body_size_min"},
// WaapTelemetrics
{"reservedNgenA", "total_requests_counter"},
{"reservedNgenB", "unique_sources_counter"},
{"reservedNgenC", "requests_blocked_by_force_and_exception_counter"},
{"reservedNgenD", "requests_blocked_by_waf_counter"},
{"reservedNgenE", "requests_blocked_by_open_api_counter"},
{"reservedNgenF", "requests_blocked_by_bot_protection_counter"},
{"reservedNgenG", "requests_threat_level_info_and_no_threat_counter"},
{"reservedNgenH", "requests_threat_level_low_counter"},
{"reservedNgenI", "requests_threat_level_medium_counter"},
{"reservedNgenJ", "requests_threat_level_high_counter"},
// WaapTrafficTelemetrics
{"reservedNgenA", "post_requests_counter"},
{"reservedNgenB", "get_requests_counter"},
{"reservedNgenC", "put_requests_counter"},
{"reservedNgenD", "patch_requests_counter"},
{"reservedNgenE", "delete_requests_counter"},
{"reservedNgenF", "other_requests_counter"},
{"reservedNgenG", "2xx_status_code_responses_counter"},
{"reservedNgenH", "4xx_status_code_responses_counter"},
{"reservedNgenI", "5xx_status_code_responses_counter"},
{"reservedNgenJ", "requests_time_latency_average"},
// WaapAttackTypesMetrics
{"reservedNgenA", "sql_injection_attacks_type_counter"},
{"reservedNgenB", "vulnerability_scanning_attacks_type_counter"},
{"reservedNgenC", "path_traversal_attacks_type_counter"},
{"reservedNgenD", "ldap_injection_attacks_type_counter"},
{"reservedNgenE", "evasion_techniques_attacks_type_counter"},
{"reservedNgenF", "remote_code_execution_attacks_type_counter"},
{"reservedNgenG", "xml_extern_entity_attacks_type_counter"},
{"reservedNgenH", "cross_site_scripting_attacks_type_counter"},
{"reservedNgenI", "general_attacks_type_counter"},
// AssetsMetric
{"numberOfProtectedApiAssetsSample", "api_assets_counter"},
{"numberOfProtectedWebAppAssetsSample", "web_api_assets_counter"},
{"numberOfProtectedAssetsSample", "all_assets_counter"},
// IPSMetric
{"preventEngineMatchesSample", "prevent_action_matches_counter"},
{"detectEngineMatchesSample", "detect_action_matches_counter"},
{"ignoreEngineMatchesSample", "ignore_action_matches_counter"},
// CPUMetric
{"cpuMaxSample", "cpu_usage_percentage_max"},
{"cpuAvgSample", "cpu_usage_percentage_average"},
{"cpuSample", "cpu_usage_percentage_last_value"},
// LogMetric
{"logQueueMaxSizeSample", "logs_queue_size_max"},
{"logQueueAvgSizeSample", "logs_queue_size_average"},
{"logQueueCurrentSizeSample", "logs_queue_size_last_value"},
{"sentLogsSum", "logs_sent_counter"},
{"sentLogsBulksSum", "bulk_logs_sent_counter"},
// MemoryMetric
{"serviceVirtualMemorySizeMaxSample", "service_virtual_memory_size_kb_max"},
{"serviceVirtualMemorySizeMinSample", "service_virtual_memory_size_kb_min"},
{"serviceVirtualMemorySizeAvgSample", "service_virtual_memory_size_kb_average"},
{"serviceRssMemorySizeMaxSample", "service_physical_memory_size_kb_max"},
{"serviceRssMemorySizeMinSample", "service_physical_memory_size_kb_min"},
{"serviceRssMemorySizeAvgSample", "service_physical_memory_size_kb_average"},
{"generalTotalMemorySizeMaxSample", "general_total_used_memory_max"},
{"generalTotalMemorySizeMinSample", "general_total_used_memory_min"},
{"generalTotalMemorySizeAvgSample", "general_total_used_memory_average"},
};
auto metric_names = original_to_representative_names.find(original_metric_name);
if (metric_names != original_to_representative_names.end()) return metric_names->second;
dbgDebug(D_PROMETHEUS)
<< "Metric don't have a representative name, originl name: "
<< original_metric_name;
return "";
}
#endif // __PROMETHEUS_METRIC_NAMES_H__

8
components/security_apps/prometheus/prometheus_ut/CMakeLists.txt Executable file
View File

@@ -0,0 +1,8 @@
link_directories(${BOOST_ROOT}/lib)
link_directories(${BOOST_ROOT}/lib ${CMAKE_BINARY_DIR}/core/shmem_ipc)
add_unit_test(
prometheus_ut
"prometheus_ut.cc"
"prometheus_comp;logging;agent_details;waap_clib;table;singleton;time_proxy;metric;event_is;connkey;http_transaction_data;generic_rulebase;generic_rulebase_evaluators;ip_utilities;intelligence_is_v2;-lboost_regex;messaging;"
)

79
components/security_apps/prometheus/prometheus_ut/prometheus_ut.cc Executable file
View File

@@ -0,0 +1,79 @@
#include "prometheus_comp.h"
#include <sstream>
#include <fstream>
#include <vector>
#include "cmock.h"
#include "cptest.h"
#include "maybe_res.h"
#include "debug.h"
#include "config.h"
#include "environment.h"
#include "config_component.h"
#include "agent_details.h"
#include "time_proxy.h"
#include "mock/mock_mainloop.h"
#include "mock/mock_rest_api.h"
#include "mock/mock_messaging.h"
using namespace std;
using namespace testing;
USE_DEBUG_FLAG(D_PROMETHEUS);
class PrometheusCompTest : public Test
{
public:
PrometheusCompTest()
{
EXPECT_CALL(mock_rest, mockRestCall(_, "declare-boolean-variable", _)).WillOnce(Return(false));
env.preload();
config.preload();
env.init();
EXPECT_CALL(
mock_rest,
addGetCall("metrics", _)
).WillOnce(DoAll(SaveArg<1>(&get_metrics_func), Return(true)));
prometheus_comp.init();
}
::Environment env;
ConfigComponent config;
PrometheusComp prometheus_comp;
StrictMock<MockRestApi> mock_rest;
StrictMock<MockMainLoop> mock_ml;
NiceMock<MockMessaging> mock_messaging;
unique_ptr<ServerRest> agent_uninstall;
function<string()> get_metrics_func;
CPTestTempfile status_file;
string registered_services_file_path;
};
TEST_F(PrometheusCompTest, checkAddingMetric)
{
registered_services_file_path = cptestFnameInSrcDir(string("registered_services.json"));
setConfiguration(registered_services_file_path, "orchestration", "Orchestration registered services");
string metric_body = "{\n"
" \"metrics\": [\n"
" {\n"
" \"metric_name\": \"watchdogProcessStartupEventsSum\",\n"
" \"metric_type\": \"counter\",\n"
" \"metric_description\": \"\",\n"
" \"labels\": \"{method=\\\"post\\\",code=\\\"200\\\"}\",\n"
" \"value\": \"1534\"\n"
" }\n"
" ]\n"
"}";
string message_body;
EXPECT_CALL(mock_messaging, sendSyncMessage(_, "/service-metrics", _, _, _))
.Times(2).WillRepeatedly(Return(HTTPResponse(HTTPStatusCode::HTTP_OK, metric_body)));
string metric_str = "# TYPE nano_service_restarts_counter counter\n"
"nano_service_restarts_counter{method=\"post\",code=\"200\"} 1534\n\n";
EXPECT_EQ(metric_str, get_metrics_func());
}

32
components/security_apps/prometheus/prometheus_ut/registered_services.json Executable file
View File

@@ -0,0 +1,32 @@
{
"Registered Services": {
"cp-nano-orchestration": {
"Service name": "cp-nano-orchestration",
"Service ID": "cp-nano-orchestration",
"Service port": 7777,
"Relevant configs": [
"zones",
"triggers",
"rules",
"registration-data",
"parameters",
"orchestration",
"exceptions",
"agent-intelligence"
]
},
"cp-nano-prometheus": {
"Service name": "cp-nano-prometheus",
"Service ID": "cp-nano-prometheus",
"Service port": 7465,
"Relevant configs": [
"zones",
"triggers",
"rules",
"parameters",
"exceptions",
"agent-intelligence"
]
}
}
}

20
components/security_apps/waap/waap_clib/WaapAssetState.cc
View File

@@ -424,6 +424,8 @@ WaapAssetState::WaapAssetState(std::shared_ptr<Signatures> signatures,
std::string unescape(const std::string & s) { std::string unescape(const std::string & s) {
std::string text = s; std::string text = s;
size_t orig_size = text.size();
size_t orig_capacity = text.capacity();
dbgTrace(D_WAAP_SAMPLE_PREPROCESS) << "unescape: (0) '" << text << "'"; dbgTrace(D_WAAP_SAMPLE_PREPROCESS) << "unescape: (0) '" << text << "'";
fixBreakingSpace(text); fixBreakingSpace(text);
@@ -433,7 +435,17 @@ WaapAssetState::WaapAssetState(std::shared_ptr<Signatures> signatures,
filterUnicode(text); filterUnicode(text);
dbgTrace(D_WAAP_SAMPLE_PREPROCESS) << "unescape: (1) '" << text << "'"; dbgTrace(D_WAAP_SAMPLE_PREPROCESS) << "unescape: (1) '" << text << "'";
// inplace unescaping must result in a string of the same size or smaller
dbgAssertOpt(text.size() <= orig_size && text.size() <= text.capacity() && text.capacity() <= orig_capacity)
<< AlertInfo(AlertTeam::CORE, "WAAP sample processing")
<< "unescape: original size=" << orig_size << " capacity=" << orig_capacity
<< " new size=" << text.size() << " capacity=" << text.capacity()
<< " text='" << text << "'";
text = filterUTF7(text); text = filterUTF7(text);
// update orig_size and orig_capacity after string copy
orig_size = text.size();
orig_capacity = text.capacity();
dbgTrace(D_WAAP_SAMPLE_PREPROCESS) << "unescape: (1) (after filterUTF7) '" << text << "'"; dbgTrace(D_WAAP_SAMPLE_PREPROCESS) << "unescape: (1) (after filterUTF7) '" << text << "'";
// 2. Replace %xx sequences by their single-character equivalents. // 2. Replace %xx sequences by their single-character equivalents.
@@ -512,6 +524,14 @@ WaapAssetState::WaapAssetState(std::shared_ptr<Signatures> signatures,
} }
dbgTrace(D_WAAP_SAMPLE_PREPROCESS) << "unescape: (12) '" << text << "'"; dbgTrace(D_WAAP_SAMPLE_PREPROCESS) << "unescape: (12) '" << text << "'";
// inplace unescaping must result in a string of the same size or smaller
dbgAssertOpt(text.size() <= orig_size && text.size() <= text.capacity() && text.capacity() <= orig_capacity)
<< AlertInfo(AlertTeam::CORE, "WAAP sample processing")
<< "unescape: original size=" << orig_size << " capacity=" << orig_capacity
<< " new size=" << text.size() << " capacity=" << text.capacity()
<< " text='" << text << "'";
return text; return text;
} }

298
components/security_apps/waap/waap_clib/Waf2Util.h
View File

@@ -227,59 +227,66 @@ inline bool isHexDigit(const char ch) {
template<class _IT> template<class _IT>
_IT escape_backslashes(_IT first, _IT last) { _IT escape_backslashes(_IT first, _IT last) {
_IT result = first; _IT src = first;
_IT dst = first;
_IT mark = first;
enum { STATE_COPY, STATE_ESCAPE, STATE_OCTAL, STATE_HEX } state = STATE_COPY; enum { STATE_COPY, STATE_ESCAPE, STATE_OCTAL, STATE_HEX } state = STATE_COPY;
unsigned char accVal = 0; unsigned char accVal = 0;
unsigned char digitsCount = 0; unsigned char digitsCount = 0;
_IT mark = first;
for (; first != last; ++first) { for (; src != last && dst < last; ++src) {
switch (state) { switch (state) {
case STATE_COPY: case STATE_COPY:
if (*first == '\\') { if (*src == '\\') {
mark = first; mark = src;
state = STATE_ESCAPE; state = STATE_ESCAPE;
} } else {
else { *dst++ = *src;
*result++ = *first;
} }
break; break;
case STATE_ESCAPE: { case STATE_ESCAPE: {
if (*first >= '0' && *first <= '7') { if (*src >= '0' && *src <= '7') {
accVal = *first - '0'; accVal = *src - '0';
digitsCount = 1; digitsCount = 1;
state = STATE_OCTAL; state = STATE_OCTAL;
break; break;
} else if (*first == 'x') { } else if (*src == 'x') {
accVal = 0; accVal = 0;
digitsCount = 0; digitsCount = 0;
state = STATE_HEX; state = STATE_HEX;
break; break;
} } else {
else { switch (*src) {
switch (*first) { // Copy a matching character without the backslash before it
case 'a': *result++ = 7; break; // BELL case 'a': *dst++ = 7; break; // BELL
case 'b': *result++ = 8; break; // BACKSPACE case 'b': *dst++ = 8; break; // BACKSPACE
case 't': *result++ = 9; break; // HORIZONTAL TAB case 'e': *dst++ = 27; break; // ESCAPE
case 'n': *result++ = 10; break; // LINEFEED case 't': *dst++ = 9; break; // HORIZONTAL TAB
case 'v': *result++ = 11; break; // VERTICAL TAB case 'n': *dst++ = 10; break; // LINEFEED
case 'f': *result++ = 12; break; // FORMFEED case 'v': *dst++ = 11; break; // VERTICAL TAB
case 'r': *result++ = 13; break; // CARRIAGE RETURN case 'f': *dst++ = 12; break; // FORMFEED
case '\\': *result++ = '\\'; break; // upon seeing double backslash - output only one case 'r': *dst++ = 13; break; // CARRIAGE RETURN
case '\"': *result++ = '"'; break; // backslash followed by '"' - output only '"' case '\?': *dst++ = '\?'; break; // QUESTION MARK
case '\\': *dst++ = '\\'; break; // upon seeing double backslash - output only one
case '\"': *dst++ = '\"'; break; // DOUBLE QUOTE
case '\'': *dst++ = '\''; break; // SINGLE QUOTE
default: default:
// invalid escape sequence - do not replace it (return original characters) // invalid escape sequence - do not replace it (return original characters)
// Copy from back-track, not including current character, and continue // Copy from back-track, not including current character, and continue
while (mark < first) { while (dst <= mark && mark < src) {
*result++ = *mark++; *dst++ = *mark++;
} }
// Copy current (terminator) character which is not "escape" and return to copy state // Copy current (terminator) character which is not "escape" and return to copy state
// If current character is escape - stay is "escape" state // If current character is escape - stay is "escape" state
if (*first != '\\') { if (*src != '\\') {
*result++ = *mark++; *dst++ = *src;
state = STATE_COPY; state = STATE_COPY;
} else {
mark = src;
} }
break;
} }
state = STATE_COPY; state = STATE_COPY;
@@ -288,28 +295,26 @@ _IT escape_backslashes(_IT first, _IT last) {
break; break;
} }
case STATE_OCTAL: { case STATE_OCTAL: {
if (*first >='0' && *first<='7') { if (*src >= '0' && *src <= '7') {
accVal = (accVal << 3) | (*first - '0'); accVal = (accVal << 3) | (*src - '0');
digitsCount++; digitsCount++;
// Up to 3 octal digits imposed by C standard, so after 3 digits accumulation stops. // Up to 3 octal digits imposed by C standard, so after 3 digits accumulation stops.
if (digitsCount == 3) { if (digitsCount == 3) {
*result++ = accVal; // output character corresponding to collected accumulated value *dst++ = accVal; // output character corresponding to collected accumulated value
digitsCount = 0; digitsCount = 0;
state = STATE_COPY; state = STATE_COPY;
} }
} } else {
else {
// invalid octal digit stops the accumulation // invalid octal digit stops the accumulation
*result++ = accVal; // output character corresponding to collected accumulated value *dst++ = accVal; // output character corresponding to collected accumulated value
digitsCount = 0; digitsCount = 0;
if (*first != '\\') { if (*src != '\\') {
// If terminating character is not backslash output the terminating character // If terminating character is not backslash output the terminating character
*result++ = *first; *dst++ = *src;
state = STATE_COPY; state = STATE_COPY;
} } else {
else {
// If terminating character is backslash start next escape sequence // If terminating character is backslash start next escape sequence
mark = src;
state = STATE_ESCAPE; state = STATE_ESCAPE;
} }
} }
@@ -317,36 +322,33 @@ _IT escape_backslashes(_IT first, _IT last) {
break; break;
} }
case STATE_HEX: { case STATE_HEX: {
if (!isHexDigit(*first)) { if (!isHexDigit(*src)) {
// Copy from back-track, not including current character (which is absent), and continue // Copy from back-track, not including *src character (which is absent), and continue
while (mark < first) { while (dst <= mark && mark < src) {
*result++ = *mark++; *dst++ = *mark++;
} }
if (*first != '\\') { if (*src != '\\') {
// If terminating character is not backslash output the terminating character // If terminating character is not backslash output the terminating character
*result++ = *first; *dst++ = *src;
state = STATE_COPY; state = STATE_COPY;
} } else {
else {
// If terminating character is backslash start next escape sequence // If terminating character is backslash start next escape sequence
mark = src;
state = STATE_ESCAPE; state = STATE_ESCAPE;
} }
} } else {
else {
accVal = accVal << 4; accVal = accVal << 4;
if (isdigit(*first)) { if (isdigit(*src)) {
accVal += *first - '0'; accVal += *src - '0';
} } else if (*src >= 'a' && *src <= 'f') {
else if (*first >= 'a' && *first <= 'f') { accVal += *src - 'a' + 10;
accVal += *first - 'a' + 10; } else if (*src >= 'A' && *src <= 'F') {
} accVal += *src - 'A' + 10;
else if (*first >= 'A' && *first <= 'F') {
accVal += *first - 'A' + 10;
} }
digitsCount++; digitsCount++;
// exactly 2 hex digits are anticipated, so after 2 digits accumulation stops. // exactly 2 hex digits are anticipated, so after 2 digits accumulation stops.
if (digitsCount == 2) { if (digitsCount == 2) {
*result++ = accVal; // output character corresponding to collected accumulated value *dst++ = accVal; // output character corresponding to collected accumulated value
digitsCount = 0; digitsCount = 0;
state = STATE_COPY; state = STATE_COPY;
} }
@@ -356,6 +358,7 @@ _IT escape_backslashes(_IT first, _IT last) {
} }
} }
if (dst < last) {
// Handle state at end of input // Handle state at end of input
bool copyBackTrack = true; bool copyBackTrack = true;
switch (state) { switch (state) {
@@ -365,7 +368,7 @@ _IT escape_backslashes(_IT first, _IT last) {
break; break;
case STATE_OCTAL: case STATE_OCTAL:
// this can only happen when less than 3 octal digits are found at the value end, like '\1' or '\12' // this can only happen when less than 3 octal digits are found at the value end, like '\1' or '\12'
*result++ = accVal; // output character corresponding to collected accumulated value *dst++ = accVal; // output character corresponding to collected accumulated value
copyBackTrack = false; copyBackTrack = false;
break; break;
case STATE_COPY: case STATE_COPY:
@@ -378,12 +381,13 @@ _IT escape_backslashes(_IT first, _IT last) {
if (copyBackTrack) { if (copyBackTrack) {
// invalid escape sequence - do not replace it (return original characters) // invalid escape sequence - do not replace it (return original characters)
// Copy from back-track // Copy from back-track
while (mark < first) { while (dst <= mark && mark < src) {
*result++ = *mark++; *dst++ = *mark++;
}
} }
} }
return result; return dst;
} }
inline bool str_contains(const std::string &haystack, const std::string &needle) inline bool str_contains(const std::string &haystack, const std::string &needle)
@@ -401,7 +405,8 @@ extern const size_t g_htmlEntitiesCount;
template<class _IT> template<class _IT>
_IT escape_html(_IT first, _IT last) { _IT escape_html(_IT first, _IT last) {
_IT result = first; _IT dst = first;
_IT src = first;
enum { enum {
STATE_COPY, STATE_COPY,
STATE_ESCAPE, STATE_ESCAPE,
@@ -414,26 +419,26 @@ _IT escape_html(_IT first, _IT last) {
std::list<size_t> potentialMatchIndices; std::list<size_t> potentialMatchIndices;
size_t matchLength = 0; size_t matchLength = 0;
size_t lastKnownMatchIndex = -1; size_t lastKnownMatchIndex = -1;
_IT mark = first; _IT mark = src;
for (; first != last; ++first) { for (; src != last && dst < last; ++src) {
switch (state) { switch (state) {
case STATE_COPY: case STATE_COPY:
if (*first == '&') { if (*src == '&') {
mark = first; mark = src;
state = STATE_ESCAPE; state = STATE_ESCAPE;
} }
else { else {
*result++ = *first; *dst++ = *src;
} }
break; break;
case STATE_ESCAPE: case STATE_ESCAPE:
if (isalpha(*first)) { if (isalpha(*src)) {
// initialize potential matches list // initialize potential matches list
potentialMatchIndices.clear(); potentialMatchIndices.clear();
for (size_t index = 0; index < g_htmlEntitiesCount; ++index) { for (size_t index = 0; index < g_htmlEntitiesCount; ++index) {
if (*first == g_htmlEntities[index].name[0]) { if (*src == g_htmlEntities[index].name[0]) {
potentialMatchIndices.push_back(index); potentialMatchIndices.push_back(index);
lastKnownMatchIndex = index; lastKnownMatchIndex = index;
} }
@@ -441,8 +446,8 @@ _IT escape_html(_IT first, _IT last) {
// No potential matches - send ampersand and current character to output // No potential matches - send ampersand and current character to output
if (potentialMatchIndices.size() == 0) { if (potentialMatchIndices.size() == 0) {
*result++ = '&'; *dst++ = '&';
*result++ = *first; *dst++ = *src;
state = STATE_COPY; state = STATE_COPY;
break; break;
} }
@@ -451,7 +456,7 @@ _IT escape_html(_IT first, _IT last) {
matchLength = 1; matchLength = 1;
state = STATE_NAMED_CHARACTER_REFERENCE; state = STATE_NAMED_CHARACTER_REFERENCE;
} }
else if (*first == '#') { else if (*src == '#') {
digitsSeen = 0; digitsSeen = 0;
accVal = 0; accVal = 0;
state = STATE_NUMERIC_START; state = STATE_NUMERIC_START;
@@ -459,8 +464,8 @@ _IT escape_html(_IT first, _IT last) {
else { else {
// not isalpha and not '#' - this is invalid character reference - do not replace it // not isalpha and not '#' - this is invalid character reference - do not replace it
// (return original characters) // (return original characters)
*result++ = '&'; *dst++ = '&';
*result++ = *first; *dst++ = *src;
state = STATE_COPY; state = STATE_COPY;
} }
break; break;
@@ -479,7 +484,7 @@ _IT escape_html(_IT first, _IT last) {
// If there are no more characters in the potntial match name, // If there are no more characters in the potntial match name,
// or the next tested character doesn't match - kill the match // or the next tested character doesn't match - kill the match
if ((matchName[matchLength] == '\0') || (matchName[matchLength] != *first)) { if ((matchName[matchLength] == '\0') || (matchName[matchLength] != *src)) {
// remove current element from the list of potential matches // remove current element from the list of potential matches
pPotentialMatchIndex = potentialMatchIndices.erase(pPotentialMatchIndex); pPotentialMatchIndex = potentialMatchIndices.erase(pPotentialMatchIndex);
} }
@@ -495,15 +500,15 @@ _IT escape_html(_IT first, _IT last) {
// No more potential matches: unsuccesful match -> flush all consumed characters back to output stream // No more potential matches: unsuccesful match -> flush all consumed characters back to output stream
if (potentialMatchIndices.size() == 0) { if (potentialMatchIndices.size() == 0) {
// Send consumed ampersand to the output // Send consumed ampersand to the output
*result++ = '&'; *dst++ = '&';
// Send those matched characters (these are the same that we consumed) - to the output // Send those matched characters (these are the same that we consumed) - to the output
for (size_t i = 0; i < matchLength; i++) { for (size_t i = 0; i < matchLength; i++) {
*result++ = g_htmlEntities[lastKnownMatchIndex].name[i]; *dst++ = g_htmlEntities[lastKnownMatchIndex].name[i];
} }
// Send the character that terminated our search for possible matches // Send the character that terminated our search for possible matches
*result++ = *first; *dst++ = *src;
// Continue copying text verbatim // Continue copying text verbatim
state = STATE_COPY; state = STATE_COPY;
@@ -511,23 +516,23 @@ _IT escape_html(_IT first, _IT last) {
} }
// There are still potential matches and ';' is hit // There are still potential matches and ';' is hit
if (*first == ';') { if (*src == ';') {
// longest match found for the named character reference. // longest match found for the named character reference.
// translate it into output character(s) and we're done. // translate it into output character(s) and we're done.
unsigned short value = g_htmlEntities[lastKnownMatchIndex].value; unsigned short value = g_htmlEntities[lastKnownMatchIndex].value;
// Encode UTF code point as UTF-8 bytes // Encode UTF code point as UTF-8 bytes
if (value < 0x80) { if (value < 0x80) {
*result++ = value; *dst++ = value;
} }
else if (value < 0x800 ) { else if (value < 0x800 ) {
*result++ = (value >> 6) | 0xC0; *dst++ = (value >> 6) | 0xC0;
*result++ = (value & 0x3F) | 0x80; *dst++ = (value & 0x3F) | 0x80;
} }
else { // (value <= 0xFFFF : always true because value type is unsigned short which is 16-bit else { // (value <= 0xFFFF : always true because value type is unsigned short which is 16-bit
*result++ = (value >> 12) | 0xE0; *dst++ = (value >> 12) | 0xE0;
*result++ = ((value >> 6) & 0x3F) | 0x80; *dst++ = ((value >> 6) & 0x3F) | 0x80;
*result++ = (value & 0x3F) | 0x80; *dst++ = (value & 0x3F) | 0x80;
} }
// Continue copying text verbatim // Continue copying text verbatim
@@ -538,178 +543,179 @@ _IT escape_html(_IT first, _IT last) {
case STATE_NUMERIC_START: case STATE_NUMERIC_START:
digitsSeen = false; digitsSeen = false;
accVal = 0; accVal = 0;
if (*first == 'x' || *first == 'X') { if (*src == 'x' || *src == 'X') {
state = STATE_HEX; state = STATE_HEX;
} }
else if (isdigit(*first)) { else if (isdigit(*src)) {
digitsSeen = true; digitsSeen = true;
accVal = *first - '0'; accVal = *src - '0';
state = STATE_NUMERIC; state = STATE_NUMERIC;
} }
else { else {
// Sequence started with these two characters: '&#', and here is the third, non-digit character // Sequence started with these two characters: '&#', and here is the third, non-digit character
// Copy from back-track, not including current character, and continue // Copy from back-track, not including current character, and continue
while (mark < first) { while (dst <= mark && mark < src) {
*result++ = *mark++; *dst++ = *mark++;
} }
if (*first == '&') { if (*src == '&') {
// Terminator is also start of next escape sequence // Terminator is also start of next escape sequence
mark = first; mark = src;
state = STATE_ESCAPE; state = STATE_ESCAPE;
break; break;
} }
else { else {
// Copy the terminating character too // Copy the terminating character too
*result++ = *first; *dst++ = *src;
} }
state = STATE_COPY; state = STATE_COPY;
} }
break; break;
case STATE_NUMERIC: case STATE_NUMERIC:
if (!isdigit(*first)) { if (!isdigit(*src)) {
if (digitsSeen) { if (digitsSeen) {
// Encode UTF code point as UTF-8 bytes // Encode UTF code point as UTF-8 bytes
if (accVal < 0x80) { if (accVal < 0x80) {
*result++ = accVal; *dst++ = accVal;
} }
else if (accVal < 0x800 ) { else if (accVal < 0x800 ) {
*result++ = (accVal >> 6) | 0xC0; *dst++ = (accVal >> 6) | 0xC0;
*result++ = (accVal & 0x3F) | 0x80; *dst++ = (accVal & 0x3F) | 0x80;
} }
else { // (accVal <= 0xFFFF : always true because accVal type is unsigned short which is 16-bit else { // (accVal <= 0xFFFF : always true because accVal type is unsigned short which is 16-bit
*result++ = (accVal >> 12) | 0xE0; *dst++ = (accVal >> 12) | 0xE0;
*result++ = ((accVal >> 6) & 0x3F) | 0x80; *dst++ = ((accVal >> 6) & 0x3F) | 0x80;
*result++ = (accVal & 0x3F) | 0x80; *dst++ = (accVal & 0x3F) | 0x80;
} }
} }
else { else {
// Copy from back-track, not including current character (which is absent), and continue // Copy from back-track, not including current character (which is absent), and continue
while (mark < first) { while (dst <= mark && mark < src) {
*result++ = *mark++; *dst++ = *mark++;
} }
} }
if (*first == '&') { if (*src == '&') {
// Terminator is also start of next escape sequence // Terminator is also start of next escape sequence
mark = first; mark = src;
state = STATE_ESCAPE; state = STATE_ESCAPE;
break; break;
} }
else if (!digitsSeen || *first != ';') { else if (!digitsSeen || *src != ';') {
// Do not copy the ';' but do copy any other terminator // Do not copy the ';' but do copy any other terminator
// Note: the ';' should remain in the output if there were no digits seen. // Note: the ';' should remain in the output if there were no digits seen.
*result++ = *first; *dst++ = *src;
} }
state = STATE_COPY; state = STATE_COPY;
} }
else { else {
digitsSeen = true; digitsSeen = true;
accVal = accVal * 10 + *first - '0'; // TODO:: beware of integer overflow? accVal = accVal * 10 + *src - '0'; // TODO:: beware of integer overflow?
} }
break; break;
case STATE_HEX: case STATE_HEX:
if (!isHexDigit(*first)) { if (!isHexDigit(*src)) {
if (digitsSeen) { if (digitsSeen) {
// Encode UTF code point as UTF-8 bytes // Encode UTF code point as UTF-8 bytes
if (accVal < 0x80) { if (accVal < 0x80) {
*result++ = accVal; *dst++ = accVal;
} }
else if (accVal < 0x800 ) { else if (accVal < 0x800 ) {
*result++ = (accVal >> 6) | 0xC0; *dst++ = (accVal >> 6) | 0xC0;
*result++ = (accVal & 0x3F) | 0x80; *dst++ = (accVal & 0x3F) | 0x80;
} }
else { // (accVal <= 0xFFFF : always true because accVal type is unsigned short which is 16-bit else { // (accVal <= 0xFFFF : always true because accVal type is unsigned short which is 16-bit
*result++ = (accVal >> 12) | 0xE0; *dst++ = (accVal >> 12) | 0xE0;
*result++ = ((accVal >> 6) & 0x3F) | 0x80; *dst++ = ((accVal >> 6) & 0x3F) | 0x80;
*result++ = (accVal & 0x3F) | 0x80; *dst++ = (accVal & 0x3F) | 0x80;
} }
} }
else { else {
// Copy from back-track, not including current character (which is absent), and continue // Copy from back-track, not including current character (which is absent), and continue
while (mark < first) { while (dst <= mark && mark < src) {
*result++ = *mark++; *dst++ = *mark++;
} }
} }
if (*first == '&') { if (*src == '&') {
// Terminator is also start of next escape sequence // Terminator is also start of next escape sequence
mark = first; mark = src;
state = STATE_ESCAPE; state = STATE_ESCAPE;
break; break;
} }
else if (!digitsSeen || *first != ';') { else if (!digitsSeen || *src != ';') {
// Do not copy the ';' but do copy any other terminator // Do not copy the ';' but do copy any other terminator
// Note: the ';' should remain in the output if there were no digits seen. // Note: the ';' should remain in the output if there were no digits seen.
*result++ = *first; *dst++ = *src;
} }
state = STATE_COPY; state = STATE_COPY;
} }
else { else {
digitsSeen = true; digitsSeen = true;
accVal = accVal << 4; accVal = accVal << 4;
if (isdigit(*first)) { if (isdigit(*src)) {
accVal += *first - '0'; accVal += *src - '0';
} }
else if (*first >= 'a' && *first <= 'f') { else if (*src >= 'a' && *src <= 'f') {
accVal += *first - 'a' + 10; accVal += *src - 'a' + 10;
} }
else if (*first >= 'A' && *first <= 'F') { else if (*src >= 'A' && *src <= 'F') {
accVal += *first - 'A' + 10; accVal += *src - 'A' + 10;
} }
} }
break; break;
} }
} }
if (state == STATE_ESCAPE) { if (state == STATE_ESCAPE && dst < last) {
*result++ = '&'; *dst++ = '&';
} }
else if (state == STATE_NAMED_CHARACTER_REFERENCE && potentialMatchIndices.size() > 0) { else if (state == STATE_NAMED_CHARACTER_REFERENCE && potentialMatchIndices.size() > 0 && dst < last) {
// Send consumed ampersand to the output // Send consumed ampersand to the output
*result++ = '&'; *dst++ = '&';
// Send those matched characters (these are the same that we consumed) - to the output // Send those matched characters (these are the same that we consumed) - to the output
for (size_t i = 0; i < matchLength; i++) { for (size_t i = 0; i < matchLength && dst < last; i++) {
// Even if there are multiple potential matches, all of them start with the same // Even if there are multiple potential matches, all of them start with the same
// matchLength characters that we consumed! // matchLength characters that we consumed!
*result++ = g_htmlEntities[lastKnownMatchIndex].name[i]; *dst++ = g_htmlEntities[lastKnownMatchIndex].name[i];
} }
} }
if (state == STATE_HEX && !digitsSeen) { // Special case of "&#x" if (state == STATE_HEX && !digitsSeen) { // Special case of "&#x"
// Copy from back-track, not including current character (which is absent), and continue // Copy from back-track, not including current character (which is absent), and continue
while (mark < first) { while (dst <= mark && mark < src) {
*result++ = *mark++; *dst++ = *mark++;
} }
state = STATE_COPY; state = STATE_COPY;
} }
else if (state == STATE_HEX || state == STATE_NUMERIC || state == STATE_NUMERIC_START) { else if (state == STATE_HEX || state == STATE_NUMERIC || state == STATE_NUMERIC_START) {
if (digitsSeen) { if (digitsSeen && dst < last) {
// Encode UTF code point as UTF-8 bytes // Encode UTF code point as UTF-8 bytes
if (accVal < 0x80) { if (accVal < 0x80) {
*result++ = accVal; *dst++ = accVal;
} }
else if (accVal < 0x800 ) { else if (accVal < 0x800 && std::distance(dst, last) >= 2) {
*result++ = (accVal >> 6) | 0xC0; *dst++ = (accVal >> 6) | 0xC0;
*result++ = (accVal & 0x3F) | 0x80; *dst++ = (accVal & 0x3F) | 0x80;
} }
else { // (accVal <= 0xFFFF : always true because accVal type is unsigned short which is 16-bit // (accVal <= 0xFFFF : always true because accVal type is unsigned short which is 16-bit
*result++ = (accVal >> 12) | 0xE0; else if (std::distance(dst, last) >= 3) {
*result++ = ((accVal >> 6) & 0x3F) | 0x80; *dst++ = (accVal >> 12) | 0xE0;
*result++ = (accVal & 0x3F) | 0x80; *dst++ = ((accVal >> 6) & 0x3F) | 0x80;
*dst++ = (accVal & 0x3F) | 0x80;
} }
} }
else { else {
// Copy from back-track, not including current character (which is absent), and continue // Copy from back-track, not including current character (which is absent), and continue
while (mark < first) { while (dst <= mark && mark < src) {
*result++ = *mark++; *dst++ = *mark++;
} }
state = STATE_COPY; state = STATE_COPY;
} }
} }
return result; return dst;
} }
// Compare two buffers, case insensitive. Return true if they are equal (case-insensitive) // Compare two buffers, case insensitive. Return true if they are equal (case-insensitive)

129
components/signal_handler/signal_handler.cc
View File

@@ -43,6 +43,7 @@
#include "agent_core_utilities.h" #include "agent_core_utilities.h"
#define stack_trace_max_len 64 #define stack_trace_max_len 64
#define STACK_SIZE (1024 * 1024) // 1 MB stack size
using namespace std; using namespace std;
using namespace ReportIS; using namespace ReportIS;
@@ -57,6 +58,12 @@ public:
{ {
if (out_trace_file_fd != -1) close(out_trace_file_fd); if (out_trace_file_fd != -1) close(out_trace_file_fd);
out_trace_file_fd = -1; out_trace_file_fd = -1;
if (alt_stack.ss_sp != nullptr) {
free(alt_stack.ss_sp);
alt_stack.ss_sp = nullptr;
alt_stack_initialized = false;
}
} }
void void
@@ -69,6 +76,7 @@ public:
void void
init() init()
{ {
alt_stack.ss_sp = nullptr;
addSignalHandlerRoutine(); addSignalHandlerRoutine();
addReloadConfigurationRoutine(); addReloadConfigurationRoutine();
} }
@@ -244,6 +252,28 @@ private:
setHandlerPerSignalNum(); setHandlerPerSignalNum();
} }
bool
setupAlternateSignalStack()
{
if (alt_stack_initialized) return true;
alt_stack.ss_sp = malloc(STACK_SIZE);
if (alt_stack.ss_sp == nullptr) {
dbgWarning(D_SIGNAL_HANDLER) << "Failed to allocate alternate stack";
return false;
}
alt_stack.ss_size = STACK_SIZE;
alt_stack.ss_flags = 0;
if (sigaltstack(&alt_stack, nullptr) == -1) {
dbgWarning(D_SIGNAL_HANDLER) << "Failed to set up alternate stack";
free(alt_stack.ss_sp);
return false;
}
dbgInfo(D_SIGNAL_HANDLER) << "Alternate stack allocated successfully. Allocated size: " << STACK_SIZE;
alt_stack_initialized = true;
return true;
}
void void
setHandlerPerSignalNum() setHandlerPerSignalNum()
{ {
@@ -261,9 +291,30 @@ private:
SIGUSR2 SIGUSR2
}; };
if (!setupAlternateSignalStack()) {
dbgWarning(D_SIGNAL_HANDLER) << "Failed to set up alternate signal stack";
for (int sig : signals) { for (int sig : signals) {
signal(sig, signalHandlerCB); signal(sig, signalHandlerCB);
} }
return;
}
struct sigaction sa;
memset(&sa, 0, sizeof(sa));
sa.sa_flags = SA_SIGINFO | SA_ONSTACK;
sa.sa_sigaction = signalActionHandlerCB;
sigemptyset(&sa.sa_mask);
for (int sig : signals) {
if (sig == SIGKILL || sig == SIGSTOP) {
signal(sig, signalHandlerCB);
continue;
}
if (sigaction(sig, &sa, nullptr) == -1) {
dbgError(D_SIGNAL_HANDLER) << "Failed to set signal handler for signal " << sig;
}
}
} }
// LCOV_EXCL_START Reason: Cannot crash unitest or send signal during execution // LCOV_EXCL_START Reason: Cannot crash unitest or send signal during execution
@@ -284,55 +335,30 @@ private:
static void static void
signalHandlerCB(int _signal) signalHandlerCB(int _signal)
{ {
const char *signal_name = ""; const char *signal_name = strsignal(_signal);
char signal_num[3]; char signal_num[3];
snprintf(signal_num, sizeof(signal_num), "%d", _signal);
if (out_trace_file_fd == -1) exit(_signal);
reset_signal_handler = true; reset_signal_handler = true;
switch(_signal) { switch(_signal) {
case SIGABRT: { case SIGABRT:
signal_name = "SIGABRT"; case SIGKILL:
fini_signal_flag = true; case SIGQUIT:
return; case SIGINT:
}
case SIGKILL: {
signal_name = "SIGKILL";
fini_signal_flag = true;
return;
}
case SIGQUIT: {
signal_name = "SIGQUIT";
fini_signal_flag = true;
return;
}
case SIGINT: {
signal_name = "SIGINT";
fini_signal_flag = true;
return;
}
case SIGTERM: { case SIGTERM: {
signal_name = "SIGTERM";
fini_signal_flag = true; fini_signal_flag = true;
return; return;
} }
case SIGSEGV: { case SIGSEGV:
signal_name = "SIGSEGV"; case SIGBUS:
break; case SIGILL:
}
case SIGBUS: {
signal_name = "SIGBUS";
break;
}
case SIGILL: {
signal_name = "SIGILL";
break;
}
case SIGFPE: { case SIGFPE: {
signal_name = "SIGFPE";
break; break;
} }
case SIGPIPE: { case SIGPIPE: {
signal_name = "SIGPIPE";
return; return;
} }
case SIGUSR2: { case SIGUSR2: {
@@ -341,13 +367,6 @@ private:
} }
} }
if (out_trace_file_fd == -1) exit(_signal);
for (uint i = 0; i < sizeof(signal_num); ++i) {
uint placement = sizeof(signal_num) - 1 - i;
signal_num[placement] = _signal%10 + '0';
_signal /= 10;
}
const char *signal_error_prefix = "Caught signal "; const char *signal_error_prefix = "Caught signal ";
writeData(signal_error_prefix, strlen(signal_error_prefix)); writeData(signal_error_prefix, strlen(signal_error_prefix));
writeData(signal_num, sizeof(signal_num)); writeData(signal_num, sizeof(signal_num));
@@ -367,6 +386,12 @@ private:
exit(_signal); exit(_signal);
} }
static void
signalActionHandlerCB(int signum, siginfo_t *, void *)
{
signalHandlerCB(signum);
}
static void static void
printStackTrace() printStackTrace()
{ {
@@ -391,16 +416,22 @@ private:
for (uint i = 0 ; i < stack_trace_max_len ; i++) { for (uint i = 0 ; i < stack_trace_max_len ; i++) {
unw_get_reg(&cursor, UNW_REG_IP, &ip); unw_get_reg(&cursor, UNW_REG_IP, &ip);
unw_get_reg(&cursor, UNW_REG_SP, &sp); unw_get_reg(&cursor, UNW_REG_SP, &sp);
int procNameRc = unw_get_proc_name(&cursor, name, sizeof(name), &off);
if (unw_get_proc_name(&cursor, name, sizeof(name), &off) == 0) { if (procNameRc == 0 || procNameRc == -UNW_ENOMEM) {
const char *open_braces = "<"; const char *open_braces = "<";
writeData(open_braces, strlen(open_braces)); writeData(open_braces, strlen(open_braces));
writeData(name, strlen(name)); writeData(name, strnlen(name, sizeof(name)));
if (procNameRc != 0) {
const char *dots = "...";
writeData(dots, strlen(dots));
}
const char *close_braces = ">\n"; const char *close_braces = ">\n";
writeData(close_braces, strlen(close_braces)); writeData(close_braces, strlen(close_braces));
} else {
const char *error = " -- error: unable to obtain symbol name for this frame\n";
writeData(error, strlen(error));
} }
if (unw_step(&cursor) <= 0) return; if (unw_step(&cursor) <= 0) return;
} }
@@ -444,12 +475,16 @@ private:
static bool reload_settings_flag; static bool reload_settings_flag;
static bool reset_signal_handler; static bool reset_signal_handler;
static int out_trace_file_fd; static int out_trace_file_fd;
static stack_t alt_stack;
static bool alt_stack_initialized;
}; };
string SignalHandler::Impl::trace_file_path; string SignalHandler::Impl::trace_file_path;
bool SignalHandler::Impl::reload_settings_flag = false; bool SignalHandler::Impl::reload_settings_flag = false;
bool SignalHandler::Impl::reset_signal_handler = false; bool SignalHandler::Impl::reset_signal_handler = false;
int SignalHandler::Impl::out_trace_file_fd = -1; int SignalHandler::Impl::out_trace_file_fd = -1;
stack_t SignalHandler::Impl::alt_stack;
bool SignalHandler::Impl::alt_stack_initialized = false;
SignalHandler::SignalHandler() : Component("SignalHandler"), pimpl(make_unique<Impl>()) {} SignalHandler::SignalHandler() : Component("SignalHandler"), pimpl(make_unique<Impl>()) {}
SignalHandler::~SignalHandler() {} SignalHandler::~SignalHandler() {}

6
config/crds/open-appsec-crd-v1beta2.yaml
View File

@@ -137,6 +137,10 @@ spec:
type: array type: array
items: items:
type: object type: object
required:
- mode
- threatPreventionPractices
- accessControlPractices
properties: properties:
name: name:
type: string type: string
@@ -1216,7 +1220,7 @@ spec:
kind: PolicyActivation kind: PolicyActivation
shortNames: shortNames:
- policyactivation - policyactivation
---
apiVersion: apiextensions.k8s.io/v1 apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata : metadata :

2
config/k8s/v1beta2/open-appsec-k8s-prevent-config-v1beta2.yaml
View File

@@ -102,7 +102,7 @@ spec:
responseCode: true responseCode: true
logDestination: logDestination:
cloud: true cloud: true
logToAgent: false logToAgent: true
stdout: stdout:
format: json format: json

1
core/agent_details/agent_details.cc
View File

@@ -276,6 +276,7 @@ void
AgentDetails::preload() AgentDetails::preload()
{ {
registerExpectedConfiguration<string>("orchestration", "Agent details path"); registerExpectedConfiguration<string>("orchestration", "Agent details path");
registerExpectedConfiguration<string>("Agent details", "File path");
registerConfigLoadCb([this] () { readAgentDetails(); }); registerConfigLoadCb([this] () { readAgentDetails(); });
} }

42
core/agent_details_reporter/agent_details_reporter.cc
View File

@@ -68,6 +68,7 @@ public:
const Maybe<string> &agent_version const Maybe<string> &agent_version
) override; ) override;
pair<string, string> generateTimeStamp();
bool addAttr(const string &key, const string &val, bool allow_override = false) override; bool addAttr(const string &key, const string &val, bool allow_override = false) override;
bool addAttr(const map<string, string> &attr, bool allow_override = false) override; bool addAttr(const map<string, string> &attr, bool allow_override = false) override;
void deleteAttr(const string &key) override; void deleteAttr(const string &key) override;
@@ -218,6 +219,13 @@ AgentDetailsReporter::Impl::isPersistantAttr(const std::string &key)
return persistant_attributes.count(key) > 0; return persistant_attributes.count(key) > 0;
} }
pair<string, string>
AgentDetailsReporter::Impl::generateTimeStamp()
{
auto time_stamp = Singleton::Consume<I_TimeGet>::by<AgentDetailsReporter>()->getWalltimeStr();
return make_pair("timestamp", time_stamp);
}
bool bool
AgentDetailsReporter::Impl::sendAttributes() AgentDetailsReporter::Impl::sendAttributes()
{ {
@@ -232,11 +240,10 @@ AgentDetailsReporter::Impl::sendAttributes()
attributes[new_attr.first] = new_attr.second; attributes[new_attr.first] = new_attr.second;
} }
AttributesSender attr_to_send(attributes); AttributesSender attr_to_send(attributes);
if (is_server) { if (is_server) {
AttrSerializer<ofstream, cereal::JSONOutputArchive>(attributes, "save"); AttrSerializer<ofstream, cereal::JSONOutputArchive>(attributes, "save");
attr_to_send.attributes.get().insert(generateTimeStamp());
messaging->sendAsyncMessage(HTTPMethod::PATCH, "/agents", attr_to_send); messaging->sendAsyncMessage(HTTPMethod::PATCH, "/agents", attr_to_send);
dbgDebug(D_AGENT_DETAILS) << "Triggered persistent message request with attributes to the Fog"; dbgDebug(D_AGENT_DETAILS) << "Triggered persistent message request with attributes to the Fog";
new_attributes.clear(); new_attributes.clear();
@@ -322,6 +329,36 @@ public:
attributes = attr; attributes = attr;
} }
void
addAttr(const string &key, const string &val, bool allow_override = false)
{
dbgDebug(D_AGENT_DETAILS)
<< "Trying to add new attribute. Key: "
<< key
<< ", Value: "
<< val
<< " Should allow override: "
<< (allow_override ? "true" : "false");
auto &attr = attributes.get();
if (!allow_override) {
if (attr.count(key) > 0) {
dbgWarning(D_AGENT_DETAILS)
<< "Cannot override an existing value with a new one. Existing Value: "
<< (attr.count(key) > 0 ? attr[key] : "");
return;
}
}
attr[key] = val;
if (!attributes.isActive()) attributes.setActive(true);
}
void
addAttr(const pair<string, string> &attr, bool allow_override = false)
{
addAttr(attr.first, attr.second, allow_override);
}
private: private:
C2S_PARAM(metaDataReport, additionalMetaData); C2S_PARAM(metaDataReport, additionalMetaData);
C2S_OPTIONAL_PARAM(string, agentVersion); C2S_OPTIONAL_PARAM(string, agentVersion);
@@ -402,6 +439,7 @@ AgentDetailsReporter::Impl::sendReport(
additional_metadata.setAdditionalAttributes(attributes); additional_metadata.setAdditionalAttributes(attributes);
} }
additional_metadata.addAttr(generateTimeStamp());
messaging->sendAsyncMessage(HTTPMethod::PATCH, "/agents", additional_metadata); messaging->sendAsyncMessage(HTTPMethod::PATCH, "/agents", additional_metadata);
} }

91
core/agent_details_reporter/agent_details_reporter_ut/agent_details_reporter_ut.cc
View File

@@ -8,6 +8,7 @@
#include "mock/mock_messaging.h" #include "mock/mock_messaging.h"
#include "mock/mock_mainloop.h" #include "mock/mock_mainloop.h"
#include "mock/mock_rest_api.h" #include "mock/mock_rest_api.h"
#include "mock/mock_time_get.h"
#include "environment.h" #include "environment.h"
#include "agent_details_report.h" #include "agent_details_report.h"
@@ -73,6 +74,7 @@ public:
StrictMock<MockMainLoop> mock_mainloop; StrictMock<MockMainLoop> mock_mainloop;
StrictMock<MockMessaging> mock_messaging; StrictMock<MockMessaging> mock_messaging;
StrictMock<MockRestApi> mock_rest; StrictMock<MockRestApi> mock_rest;
StrictMock<MockTimeGet> mock_time_get;
I_MainLoop::Routine periodic_report; I_MainLoop::Routine periodic_report;
I_AgentDetailsReporter *report; I_AgentDetailsReporter *report;
CPTestTempfile persistence_attr_file; CPTestTempfile persistence_attr_file;
@@ -85,6 +87,7 @@ public:
TEST_F(AgentReporterTest, dataReport) TEST_F(AgentReporterTest, dataReport)
{ {
EXPECT_CALL(mock_time_get, getWalltimeStr()).WillOnce(Return("Best Time ever"));
string custom_data = "Linux version 24.00.15F"; string custom_data = "Linux version 24.00.15F";
EXPECT_CALL(mock_messaging, sendAsyncMessage( EXPECT_CALL(mock_messaging, sendAsyncMessage(
HTTPMethod::PATCH, HTTPMethod::PATCH,
@@ -92,26 +95,33 @@ TEST_F(AgentReporterTest, dataReport)
"{\n" "{\n"
" \"additionalMetaData\": {\n" " \"additionalMetaData\": {\n"
" \"custom_data\": \"Linux version 24.00.15F\"\n" " \"custom_data\": \"Linux version 24.00.15F\"\n"
" }" " },\n"
"\n}", " \"attributes\": {\n"
" \"timestamp\": \"Best Time ever\"\n"
" }\n"
"}",
MessageCategory::GENERIC, MessageCategory::GENERIC,
_, _,
_ _
)).Times(1); )).Times(1);
AgentDataReport() << AgentReportField(custom_data);; AgentDataReport() << AgentReportField(custom_data);
} }
TEST_F(AgentReporterTest, labeledDataReport) TEST_F(AgentReporterTest, labeledDataReport)
{ {
string data = "Linux version 24.00.15F"; string data = "Linux version 24.00.15F";
EXPECT_CALL(mock_time_get, getWalltimeStr()).WillOnce(Return("Best Time ever"));
EXPECT_CALL(mock_messaging, sendAsyncMessage( EXPECT_CALL(mock_messaging, sendAsyncMessage(
HTTPMethod::PATCH, HTTPMethod::PATCH,
"/agents", "/agents",
"{\n" "{\n"
" \"additionalMetaData\": {\n" " \"additionalMetaData\": {\n"
" \"this_is_custom_label\": \"Linux version 24.00.15F\"\n" " \"this_is_custom_label\": \"Linux version 24.00.15F\"\n"
" }" " },\n"
"\n}", " \"attributes\": {\n"
" \"timestamp\": \"Best Time ever\"\n"
" }\n"
"}",
MessageCategory::GENERIC, MessageCategory::GENERIC,
_, _,
_ _
@@ -123,6 +133,7 @@ TEST_F(AgentReporterTest, multiDataReport)
{ {
string custom_data = "Linux version 24.00.15F"; string custom_data = "Linux version 24.00.15F";
string data_to_report = "Agent Version 95.95.95.00A"; string data_to_report = "Agent Version 95.95.95.00A";
EXPECT_CALL(mock_time_get, getWalltimeStr()).WillOnce(Return("Best Time ever"));
EXPECT_CALL(mock_messaging, sendAsyncMessage( EXPECT_CALL(mock_messaging, sendAsyncMessage(
HTTPMethod::PATCH, HTTPMethod::PATCH,
"/agents", "/agents",
@@ -130,8 +141,11 @@ TEST_F(AgentReporterTest, multiDataReport)
" \"additionalMetaData\": {\n" " \"additionalMetaData\": {\n"
" \"custom_data\": \"Linux version 24.00.15F\",\n" " \"custom_data\": \"Linux version 24.00.15F\",\n"
" \"this_is_custom_label\": \"Agent Version 95.95.95.00A\"\n" " \"this_is_custom_label\": \"Agent Version 95.95.95.00A\"\n"
" }" " },\n"
"\n}", " \"attributes\": {\n"
" \"timestamp\": \"Best Time ever\"\n"
" }\n"
"}",
MessageCategory::GENERIC, MessageCategory::GENERIC,
_, _,
_ _
@@ -146,7 +160,7 @@ TEST_F(AgentReporterTest, multiDataReportWithRegistrationData)
{ {
string custom_data = "Linux version 24.00.15F"; string custom_data = "Linux version 24.00.15F";
string data_to_report = "Agent Version 95.95.95.00A"; string data_to_report = "Agent Version 95.95.95.00A";
EXPECT_CALL(mock_time_get, getWalltimeStr()).WillOnce(Return("Best Time ever"));
EXPECT_CALL(mock_messaging, sendAsyncMessage( EXPECT_CALL(mock_messaging, sendAsyncMessage(
HTTPMethod::PATCH, HTTPMethod::PATCH,
"/agents", "/agents",
@@ -158,7 +172,10 @@ TEST_F(AgentReporterTest, multiDataReportWithRegistrationData)
" \"agentVersion\": \"1.15.9\",\n" " \"agentVersion\": \"1.15.9\",\n"
" \"policyVersion\": \"ccc\",\n" " \"policyVersion\": \"ccc\",\n"
" \"platform\": \"bbb\",\n" " \"platform\": \"bbb\",\n"
" \"architecture\": \"aaa\"\n" " \"architecture\": \"aaa\",\n"
" \"attributes\": {\n"
" \"timestamp\": \"Best Time ever\"\n"
" }\n"
"}", "}",
MessageCategory::GENERIC, MessageCategory::GENERIC,
_, _,
@@ -178,11 +195,15 @@ TEST_F(AgentReporterTest, multiDataReportWithRegistrationData)
TEST_F(AgentReporterTest, basicAttrTest) TEST_F(AgentReporterTest, basicAttrTest)
{ {
EXPECT_CALL(mock_time_get, getWalltimeStr()).WillOnce(Return("Best Time ever"));
EXPECT_CALL(mock_messaging, sendAsyncMessage( EXPECT_CALL(mock_messaging, sendAsyncMessage(
HTTPMethod::PATCH, HTTPMethod::PATCH,
"/agents", "/agents",
"{\n" "{\n"
" \"additionalMetaData\": {}\n" " \"additionalMetaData\": {},\n"
" \"attributes\": {\n"
" \"timestamp\": \"Best Time ever\"\n"
" }\n"
"}", "}",
MessageCategory::GENERIC, MessageCategory::GENERIC,
_, _,
@@ -193,6 +214,7 @@ TEST_F(AgentReporterTest, basicAttrTest)
AgentDataReport agent_data; AgentDataReport agent_data;
} }
EXPECT_CALL(mock_time_get, getWalltimeStr()).WillOnce(Return("Best Time ever"));
EXPECT_CALL(mock_messaging, sendAsyncMessage( EXPECT_CALL(mock_messaging, sendAsyncMessage(
HTTPMethod::PATCH, HTTPMethod::PATCH,
"/agents", "/agents",
@@ -201,7 +223,8 @@ TEST_F(AgentReporterTest, basicAttrTest)
" \"attributes\": {\n" " \"attributes\": {\n"
" \"1\": \"2\",\n" " \"1\": \"2\",\n"
" \"a\": \"1\",\n" " \"a\": \"1\",\n"
" \"c\": \"d\"\n" " \"c\": \"d\",\n"
" \"timestamp\": \"Best Time ever\"\n"
" }\n" " }\n"
"}", "}",
MessageCategory::GENERIC, MessageCategory::GENERIC,
@@ -219,11 +242,15 @@ TEST_F(AgentReporterTest, basicAttrTest)
AgentDataReport agent_data; AgentDataReport agent_data;
} }
EXPECT_CALL(mock_time_get, getWalltimeStr()).WillOnce(Return("Best Time ever"));
EXPECT_CALL(mock_messaging, sendAsyncMessage( EXPECT_CALL(mock_messaging, sendAsyncMessage(
HTTPMethod::PATCH, HTTPMethod::PATCH,
"/agents", "/agents",
"{\n" "{\n"
" \"additionalMetaData\": {}\n" " \"additionalMetaData\": {},\n"
" \"attributes\": {\n"
" \"timestamp\": \"Best Time ever\"\n"
" }\n"
"}", "}",
MessageCategory::GENERIC, MessageCategory::GENERIC,
_, _,
@@ -242,7 +269,7 @@ TEST_F(AgentReporterTest, advancedAttrTest)
EXPECT_TRUE(report->addAttr({{"c", "d"}, {"1", "2"}, {"send", "me"}})); EXPECT_TRUE(report->addAttr({{"c", "d"}, {"1", "2"}, {"send", "me"}}));
EXPECT_TRUE(report->addAttr("a", "b")); EXPECT_TRUE(report->addAttr("a", "b"));
EXPECT_CALL(mock_time_get, getWalltimeStr()).WillOnce(Return("Best Time ever"));
EXPECT_CALL(mock_messaging, sendAsyncMessage( EXPECT_CALL(mock_messaging, sendAsyncMessage(
HTTPMethod::PATCH, HTTPMethod::PATCH,
"/agents", "/agents",
@@ -251,7 +278,8 @@ TEST_F(AgentReporterTest, advancedAttrTest)
" \"1\": \"2\",\n" " \"1\": \"2\",\n"
" \"a\": \"b\",\n" " \"a\": \"b\",\n"
" \"c\": \"d\",\n" " \"c\": \"d\",\n"
" \"send\": \"me\"\n" " \"send\": \"me\",\n"
" \"timestamp\": \"Best Time ever\"\n"
" }\n" " }\n"
"}", "}",
MessageCategory::GENERIC, MessageCategory::GENERIC,
@@ -268,6 +296,7 @@ TEST_F(AgentReporterTest, advancedAttrTest)
EXPECT_TRUE(report->addAttr("new", "key val")); EXPECT_TRUE(report->addAttr("new", "key val"));
EXPECT_TRUE(report->addAttr("a", "key val override", true)); EXPECT_TRUE(report->addAttr("a", "key val override", true));
EXPECT_CALL(mock_time_get, getWalltimeStr()).WillOnce(Return("Best Time ever"));
EXPECT_CALL(mock_messaging, sendAsyncMessage( EXPECT_CALL(mock_messaging, sendAsyncMessage(
HTTPMethod::PATCH, HTTPMethod::PATCH,
"/agents", "/agents",
@@ -277,7 +306,8 @@ TEST_F(AgentReporterTest, advancedAttrTest)
" \"a\": \"key val override\",\n" " \"a\": \"key val override\",\n"
" \"c\": \"d\",\n" " \"c\": \"d\",\n"
" \"new\": \"key val\",\n" " \"new\": \"key val\",\n"
" \"send\": \"me\"\n" " \"send\": \"me\",\n"
" \"timestamp\": \"Best Time ever\"\n"
" }\n" " }\n"
"}", "}",
MessageCategory::GENERIC, MessageCategory::GENERIC,
@@ -291,6 +321,7 @@ TEST_F(AgentReporterTest, advancedAttrTest)
TEST_F(AgentReporterTest, RestDetailsTest) TEST_F(AgentReporterTest, RestDetailsTest)
{ {
stringstream rest_call_parameters; stringstream rest_call_parameters;
stringstream rest_call_parameters_with_timestamp;
rest_call_parameters rest_call_parameters
<< "{\n" << "{\n"
<< " \"attributes\": {\n" << " \"attributes\": {\n"
@@ -300,17 +331,28 @@ TEST_F(AgentReporterTest, RestDetailsTest)
<< " \"send\": \"me\"\n" << " \"send\": \"me\"\n"
<< " }\n" << " }\n"
<< "}"; << "}";
rest_call_parameters_with_timestamp
<< "{\n"
<< " \"attributes\": {\n"
<< " \"1\": \"2\",\n"
<< " \"a\": \"key val override\",\n"
<< " \"c\": \"d\",\n"
<< " \"send\": \"me\",\n"
<< " \"timestamp\": \"Best Time ever\"\n"
<< " }\n"
<< "}";
add_details_rest_cb->performRestCall(rest_call_parameters); add_details_rest_cb->performRestCall(rest_call_parameters);
EXPECT_CALL(mock_time_get, getWalltimeStr()).WillOnce(Return("Best Time ever"));
EXPECT_CALL(mock_messaging, sendAsyncMessage( EXPECT_CALL(mock_messaging, sendAsyncMessage(
HTTPMethod::PATCH, HTTPMethod::PATCH,
"/agents", "/agents",
rest_call_parameters.str(), rest_call_parameters_with_timestamp.str(),
MessageCategory::GENERIC, MessageCategory::GENERIC,
_, _,
_ _
)).Times(1); )).Times(1);
EXPECT_TRUE(report->sendAttributes()); EXPECT_TRUE(report->sendAttributes());
is_server_mode = false; is_server_mode = false;
@@ -365,6 +407,18 @@ TEST_F(AgentReporterTest, PersistenceAttrTest)
"}" "}"
); );
string expected_attributes_with_timestamp(
"{\n"
" \"attributes\": {\n"
" \"1\": \"2\",\n"
" \"a\": \"key val override\",\n"
" \"c\": \"d\",\n"
" \"send\": \"me\",\n"
" \"timestamp\": \"Best Time ever\"\n"
" }\n"
"}"
);
write_attributes << expected_attributes; write_attributes << expected_attributes;
write_attributes.close(); write_attributes.close();
@@ -372,10 +426,11 @@ TEST_F(AgentReporterTest, PersistenceAttrTest)
EXPECT_CALL(mock_rest, mockRestCall(RestAction::ADD, "agent-details-attr", _)).WillOnce(Return(true)); EXPECT_CALL(mock_rest, mockRestCall(RestAction::ADD, "agent-details-attr", _)).WillOnce(Return(true));
agent_details_reporter_comp.init(); agent_details_reporter_comp.init();
EXPECT_CALL(mock_time_get, getWalltimeStr()).WillOnce(Return("Best Time ever"));
EXPECT_CALL(mock_messaging, sendAsyncMessage( EXPECT_CALL(mock_messaging, sendAsyncMessage(
HTTPMethod::PATCH, HTTPMethod::PATCH,
"/agents", "/agents",
expected_attributes, expected_attributes_with_timestamp,
MessageCategory::GENERIC, MessageCategory::GENERIC,
_, _,
_ _

1
core/include/internal/agent_details_reporter.h
View File

@@ -30,6 +30,7 @@ class AgentDetailsReporter
Singleton::Consume<I_Messaging>, Singleton::Consume<I_Messaging>,
Singleton::Consume<I_MainLoop>, Singleton::Consume<I_MainLoop>,
Singleton::Consume<I_Environment>, Singleton::Consume<I_Environment>,
Singleton::Consume<I_TimeGet>,
Singleton::Consume<I_RestApi> Singleton::Consume<I_RestApi>
{ {
public: public:

52
core/include/services_sdk/resources/intelligence_invalidation.h
View File

@@ -53,6 +53,51 @@ private:
std::map<std::string, std::set<std::string>> set_string_attr; std::map<std::string, std::set<std::string>> set_string_attr;
}; };
class IpAddressRange
{
public:
IpAddressRange() = default;
IpAddressRange(const std::string &min, const std::string &max) : min(min), max(max) {}
bool operator==(const IpAddressRange &other) const { return min == other.min && max == other.max; }
const std::string getMin() const { return min; }
const std::string getMax() const { return max; }
template <class Archive>
void serialize(Archive &ar) {
ar(CEREAL_NVP(max), CEREAL_NVP(min));
}
private:
std::string min;
std::string max;
};
class IpAttributes
{
public:
IpAttributes() = default;
IpAttributes & addIpv4Addresses(const std::string &val);
IpAttributes & addIpv6Addresses(const std::string &val);
IpAttributes & addIpv4AddressRanges(const IpAddressRange &val);
IpAttributes & addIpv6AddressRanges(const IpAddressRange &val);
Maybe<std::vector<std::string>, void> getIpv4Addresses() const;
Maybe<std::vector<std::string>, void> getIpv6Addresses() const;
Maybe<std::vector<IpAddressRange>, void> getIpv4AddressRanges() const;
Maybe<std::vector<IpAddressRange>, void> getIpv6AddressRanges() const;
Maybe<std::string, void> genObject() const;
bool isEmpty() const;
bool matches(const IpAttributes &other) const;
void serialize(cereal::JSONInputArchive &ar);
void performOutputingSchema(std::ostream &, int);
private:
std::vector<std::string> ipv4_addresses;
std::vector<std::string> ipv6_addresses;
std::vector<IpAddressRange> ipv4_address_ranges;
std::vector<IpAddressRange> ipv6_address_ranges;
};
class Invalidation class Invalidation
{ {
public: public:
@@ -60,14 +105,14 @@ public:
Invalidation & setClassifier(ClassifierType type, const std::string &val); Invalidation & setClassifier(ClassifierType type, const std::string &val);
Invalidation & addMainAttr(const StrAttributes &attr); Invalidation & addMainAttr(const StrAttributes &attr);
Invalidation & addAttr(const StrAttributes &attr); Invalidation & addAttr(const IpAttributes &attr);
Invalidation & setSourceId(const std::string &id); Invalidation & setSourceId(const std::string &id);
Invalidation & setObjectType(ObjectType type); Invalidation & setObjectType(ObjectType type);
Invalidation & setInvalidationType(InvalidationType type); Invalidation & setInvalidationType(InvalidationType type);
std::string getClassifier(ClassifierType type) const { return classifiers[type]; } std::string getClassifier(ClassifierType type) const { return classifiers[type]; }
std::vector<StrAttributes> getMainAttributes() const { return main_attributes; } std::vector<StrAttributes> getMainAttributes() const { return main_attributes; }
std::vector<StrAttributes> getAttributes() const { return attributes; } std::vector<IpAttributes> getAttributes() const { return attributes; }
const Maybe<std::string, void> & getSourceId() const { return source_id; } const Maybe<std::string, void> & getSourceId() const { return source_id; }
const Maybe<ObjectType, void> & getObjectType() const { return object_type; } const Maybe<ObjectType, void> & getObjectType() const { return object_type; }
const Maybe<InvalidationType, void> & getInvalidationType() const { return invalidation_type; } const Maybe<InvalidationType, void> & getInvalidationType() const { return invalidation_type; }
@@ -86,10 +131,11 @@ public:
private: private:
bool attr_matches(const std::vector<StrAttributes> &current, const std::vector<StrAttributes> &other) const; bool attr_matches(const std::vector<StrAttributes> &current, const std::vector<StrAttributes> &other) const;
bool attr_matches(const std::vector<IpAttributes> &current, const std::vector<IpAttributes> &other) const;
EnumArray<ClassifierType, std::string, 6> classifiers; EnumArray<ClassifierType, std::string, 6> classifiers;
std::vector<StrAttributes> main_attributes; std::vector<StrAttributes> main_attributes;
std::vector<StrAttributes> attributes; std::vector<IpAttributes> attributes;
Maybe<std::string, void> source_id; Maybe<std::string, void> source_id;
Maybe<ObjectType, void> object_type; Maybe<ObjectType, void> object_type;
Maybe<InvalidationType, void> invalidation_type; Maybe<InvalidationType, void> invalidation_type;

4
core/intelligence_is_v2/intelligence_comp_v2.cc
View File

@@ -254,7 +254,7 @@ private:
C2S_OPTIONAL_PARAM(string, sourceId); C2S_OPTIONAL_PARAM(string, sourceId);
C2S_OPTIONAL_PARAM(string, invalidationRegistrationId); C2S_OPTIONAL_PARAM(string, invalidationRegistrationId);
C2S_OPTIONAL_PARAM(vector<StrAttributes>, mainAttributes); C2S_OPTIONAL_PARAM(vector<StrAttributes>, mainAttributes);
C2S_OPTIONAL_PARAM(vector<StrAttributes>, attributes); C2S_OPTIONAL_PARAM(vector<IpAttributes>, attributes);
C2S_OPTIONAL_PARAM(string, invalidationType); C2S_OPTIONAL_PARAM(string, invalidationType);
}; };
@@ -624,7 +624,7 @@ private:
query_request.isBulk() ? queries_uri : query_uri, query_request.isBulk() ? queries_uri : query_uri,
*json_body, *json_body,
MessageCategory::INTELLIGENCE, MessageCategory::INTELLIGENCE,
global_req_md query_request.getReqMD().getHostName().empty() ? global_req_md : query_request.getReqMD()
); );
if (!req_data.ok()) { if (!req_data.ok()) {
auto response_error = req_data.getErr().toString(); auto response_error = req_data.getErr().toString();

124
core/intelligence_is_v2/intelligence_is_v2_ut/invalidation_ut.cc
View File

@@ -32,6 +32,30 @@ TEST(StringAttributesBasic, SettersAndGetters)
EXPECT_FALSE(string_attributes.isEmpty()); EXPECT_FALSE(string_attributes.isEmpty());
EXPECT_EQ(string_attributes.getStringAttr("attr1").unpack(), "1"); EXPECT_EQ(string_attributes.getStringAttr("attr1").unpack(), "1");
EXPECT_EQ(string_attributes.getStringSetAttr("attr2").unpack(), vals); EXPECT_EQ(string_attributes.getStringSetAttr("attr2").unpack(), vals);
IpAttributes attributes;
EXPECT_TRUE(attributes.isEmpty());
EXPECT_FALSE(attributes.getIpv4Addresses().ok());
EXPECT_FALSE(attributes.getIpv6Addresses().ok());
EXPECT_FALSE(attributes.getIpv4AddressRanges().ok());
EXPECT_FALSE(attributes.getIpv6AddressRanges().ok());
IpAddressRange range("1.1.1.1", "1.1.1.5");
attributes
.addIpv4Addresses("1.1.1.2")
.addIpv4AddressRanges(range)
.addIpv6Addresses("1.1.1.2")
.addIpv6AddressRanges(range);
EXPECT_FALSE(attributes.isEmpty());
vector<string> ip_vector = {"1.1.1.2"};
vector<IpAddressRange> ip_range_vector = {range};
EXPECT_EQ(attributes.getIpv4Addresses().unpack(), ip_vector);
EXPECT_EQ(attributes.getIpv4AddressRanges().unpack(), ip_range_vector);
EXPECT_EQ(attributes.getIpv6Addresses().unpack(), ip_vector);
EXPECT_EQ(attributes.getIpv6AddressRanges().unpack(), ip_range_vector);
} }
TEST(StringAttributesBasic, attr_schema) TEST(StringAttributesBasic, attr_schema)
@@ -51,6 +75,39 @@ TEST(StringAttributesBasic, attr_schema)
" ]\n" " ]\n"
"}"; "}";
EXPECT_EQ(ss.str(), expected_schema); EXPECT_EQ(ss.str(), expected_schema);
IpAddressRange range("1.1.1.1", "1.1.1.5");
IpAttributes attributes = IpAttributes()
.addIpv4Addresses("1.1.1.2")
.addIpv4Addresses("1.1.1.3")
.addIpv4AddressRanges(range)
.addIpv6Addresses("1.1.1.4")
.addIpv6AddressRanges(range);
stringstream attr_ss;
attributes.performOutputingSchema(attr_ss, 0);
expected_schema =
"{\n"
" \"ipv4Addresses\": [\n"
" \"1.1.1.2\",\n"
" \"1.1.1.3\"\n"
" ],\n"
" \"ipv6Addresses\": [\n"
" \"1.1.1.4\"\n"
" ],\n"
" \"ipv4AddressesRange\": [\n"
" {\n"
" \"max\": \"1.1.1.5\",\n"
" \"min\": \"1.1.1.1\"\n"
" }\n"
" ],\n"
" \"ipv6AddressesRange\": [\n"
" {\n"
" \"max\": \"1.1.1.5\",\n"
" \"min\": \"1.1.1.1\"\n"
" }\n"
" ]\n"
"}";
EXPECT_EQ(attr_ss.str(), expected_schema);
} }
TEST(StringAttributesBasic, Matching) TEST(StringAttributesBasic, Matching)
@@ -105,6 +162,20 @@ TEST(StringAttributesBasic, genObject)
string expected_json = "{ \"attr1\": \"1\", \"attr2\": [ \"2\", \"3\" ] }"; string expected_json = "{ \"attr1\": \"1\", \"attr2\": [ \"2\", \"3\" ] }";
EXPECT_EQ(string_attributes.genObject().unpack(), expected_json); EXPECT_EQ(string_attributes.genObject().unpack(), expected_json);
IpAddressRange range("1.1.1.1", "1.1.1.5");
IpAttributes attributes = IpAttributes()
.addIpv4Addresses("1.1.1.2")
.addIpv4Addresses("1.1.1.3")
.addIpv4AddressRanges(range)
.addIpv6Addresses("1.1.1.4")
.addIpv6AddressRanges(range);
expected_json =
"{ \"ipv4Addresses\": [ \"1.1.1.2\", \"1.1.1.3\" ], \"ipv6Addresses\": [ \"1.1.1.4\" ], "
"\"ipv4AddressesRange\": [ { \"max\": \"1.1.1.5\", \"min\": \"1.1.1.1\" } ], "
"\"ipv6AddressesRange\": [ { \"max\": \"1.1.1.5\", \"min\": \"1.1.1.1\" } ] }";
EXPECT_EQ(attributes.genObject().unpack(), expected_json);
} }
TEST(InvalidationBasic, SettersAndGetters) TEST(InvalidationBasic, SettersAndGetters)
@@ -125,15 +196,15 @@ TEST(InvalidationBasic, SettersAndGetters)
EXPECT_FALSE(invalidation.getInvalidationType().ok()); EXPECT_FALSE(invalidation.getInvalidationType().ok());
set<string> main_vals = { "2", "3" }; set<string> main_vals = { "2", "3" };
set<string> vals = { "5", "6" }; vector<string> vals = {"1.1.1.1", "2.2.2.2"};
auto main_attr = StrAttributes() auto main_attr = StrAttributes()
.addStringAttr("main_attr1", "1") .addStringAttr("main_attr1", "1")
.addStringSetAttr("main_attr2", main_vals); .addStringSetAttr("main_attr2", main_vals);
auto attr = StrAttributes() auto attr = IpAttributes()
.addStringAttr("attr1", "4") .addIpv4Addresses("1.1.1.1")
.addStringSetAttr("attr2", vals); .addIpv4Addresses("2.2.2.2");
invalidation invalidation
.setClassifier(ClassifierType::CATEGORY, "bbb") .setClassifier(ClassifierType::CATEGORY, "bbb")
@@ -148,8 +219,7 @@ TEST(InvalidationBasic, SettersAndGetters)
EXPECT_EQ(invalidation.getClassifier(ClassifierType::FAMILY), "ccc"); EXPECT_EQ(invalidation.getClassifier(ClassifierType::FAMILY), "ccc");
EXPECT_EQ(invalidation.getMainAttributes().begin()->getStringAttr("main_attr1").unpack(), "1"); EXPECT_EQ(invalidation.getMainAttributes().begin()->getStringAttr("main_attr1").unpack(), "1");
EXPECT_EQ(invalidation.getMainAttributes().begin()->getStringSetAttr("main_attr2").unpack(), main_vals); EXPECT_EQ(invalidation.getMainAttributes().begin()->getStringSetAttr("main_attr2").unpack(), main_vals);
EXPECT_EQ(invalidation.getAttributes().begin()->getStringAttr("attr1").unpack(), "4"); EXPECT_EQ(invalidation.getAttributes().begin()->getIpv4Addresses().unpack(), vals);
EXPECT_EQ(invalidation.getAttributes().begin()->getStringSetAttr("attr2").unpack(), vals);
EXPECT_EQ(invalidation.getSourceId().unpack(), "id"); EXPECT_EQ(invalidation.getSourceId().unpack(), "id");
EXPECT_EQ(invalidation.getObjectType().unpack(), Intelligence::ObjectType::ASSET); EXPECT_EQ(invalidation.getObjectType().unpack(), Intelligence::ObjectType::ASSET);
EXPECT_EQ(invalidation.getInvalidationType().unpack(), InvalidationType::DELETE); EXPECT_EQ(invalidation.getInvalidationType().unpack(), InvalidationType::DELETE);
@@ -164,9 +234,9 @@ TEST(InvalidationBasic, Matching)
.addStringAttr("main_attr1", "1") .addStringAttr("main_attr1", "1")
.addStringSetAttr("main_attr2", main_vals); .addStringSetAttr("main_attr2", main_vals);
auto attr = StrAttributes() auto attr = IpAttributes()
.addStringAttr("attr1", "4") .addIpv4Addresses("1.1.1.1")
.addStringSetAttr("attr2", vals); .addIpv4Addresses("2.2.2.2");
auto base_invalidation = Invalidation("aaa") auto base_invalidation = Invalidation("aaa")
.setClassifier(ClassifierType::CATEGORY, "bbb") .setClassifier(ClassifierType::CATEGORY, "bbb")
@@ -179,10 +249,9 @@ TEST(InvalidationBasic, Matching)
.addStringSetAttr("main_attr2", main_vals) .addStringSetAttr("main_attr2", main_vals)
.addStringAttr("main_attr3", "6"); .addStringAttr("main_attr3", "6");
auto matching_attr = StrAttributes() auto matching_attr = IpAttributes()
.addStringAttr("attr1", "4") .addIpv4Addresses("1.1.1.1")
.addStringSetAttr("attr2", vals) .addIpv4Addresses("2.2.2.2");
.addStringAttr("attr3", "7");
auto matching_invalidation = Invalidation("aaa") auto matching_invalidation = Invalidation("aaa")
.setClassifier(ClassifierType::CATEGORY, "bbb") .setClassifier(ClassifierType::CATEGORY, "bbb")
@@ -212,10 +281,9 @@ TEST(InvalidationBasic, Matching)
EXPECT_FALSE(base_invalidation.matches(missing_attr_invalidation_main)); EXPECT_FALSE(base_invalidation.matches(missing_attr_invalidation_main));
auto missing_attr = StrAttributes() auto missing_attr = IpAttributes()
.addStringAttr("attr1", "4") .addIpv4Addresses("2.2.2.2")
.addStringAttr("attr2", "2") .addIpv4Addresses("3.3.3.3");
.addStringAttr("attr3", "7");
auto missing_attr_invalidation = Invalidation("aaa") auto missing_attr_invalidation = Invalidation("aaa")
.setClassifier(ClassifierType::CATEGORY, "bbb") .setClassifier(ClassifierType::CATEGORY, "bbb")
@@ -280,7 +348,7 @@ public:
intelligence.preload(); intelligence.preload();
intelligence.init(); intelligence.init();
main_attr.addStringAttr("attr2", "2"); main_attr.addStringAttr("attr2", "2");
attr.addStringAttr("attr3", "3"); attr.addIpv4Addresses("1.1.1.1");
} }
bool bool
@@ -291,7 +359,7 @@ public:
} }
StrAttributes main_attr; StrAttributes main_attr;
StrAttributes attr; IpAttributes attr;
StrictMock<MockMessaging> messaging_mock; StrictMock<MockMessaging> messaging_mock;
StrictMock<MockMainLoop> mock_ml; StrictMock<MockMainLoop> mock_ml;
NiceMock<MockTimeGet> mock_time; NiceMock<MockTimeGet> mock_time;
@@ -350,7 +418,7 @@ TEST_F(IntelligenceInvalidation, sending_public_invalidation)
"\"objectType\": \"asset\", " "\"objectType\": \"asset\", "
"\"sourceId\": \"id\", " "\"sourceId\": \"id\", "
"\"mainAttributes\": [ { \"attr2\": \"2\" } ], " "\"mainAttributes\": [ { \"attr2\": \"2\" } ], "
"\"attributes\": [ { \"attr3\": \"3\" } ]" "\"attributes\": [ { \"ipv4Addresses\": [ \"1.1.1.1\" ] } ]"
" } ] }"; " } ] }";
EXPECT_EQ(invalidation_json, expected_json); EXPECT_EQ(invalidation_json, expected_json);
EXPECT_FALSE(md.getConnectionFlags().isSet(MessageConnectionConfig::UNSECURE_CONN)); EXPECT_FALSE(md.getConnectionFlags().isSet(MessageConnectionConfig::UNSECURE_CONN));
@@ -390,7 +458,7 @@ TEST_F(IntelligenceInvalidation, multiple_assets_invalidation)
"\"objectType\": \"asset\", " "\"objectType\": \"asset\", "
"\"sourceId\": \"id\", " "\"sourceId\": \"id\", "
"\"mainAttributes\": [ { \"attr2\": \"2\" }, { \"attr2\": \"22\", \"attr3\": [ \"33\", \"44\" ] } ], " "\"mainAttributes\": [ { \"attr2\": \"2\" }, { \"attr2\": \"22\", \"attr3\": [ \"33\", \"44\" ] } ], "
"\"attributes\": [ { \"attr3\": \"3\" } ]" "\"attributes\": [ { \"ipv4Addresses\": [ \"1.1.1.1\" ] } ]"
" } ] }"; " } ] }";
EXPECT_EQ(invalidation_json, expected_json); EXPECT_EQ(invalidation_json, expected_json);
} }
@@ -439,7 +507,7 @@ TEST_F(IntelligenceInvalidation, sending_private_invalidation)
"\"objectType\": \"asset\", " "\"objectType\": \"asset\", "
"\"sourceId\": \"id\", " "\"sourceId\": \"id\", "
"\"mainAttributes\": [ { \"attr2\": \"2\" } ], " "\"mainAttributes\": [ { \"attr2\": \"2\" } ], "
"\"attributes\": [ { \"attr3\": \"3\" } ]" "\"attributes\": [ { \"ipv4Addresses\": [ \"1.1.1.1\" ] } ]"
" } ] }"; " } ] }";
EXPECT_EQ(invalidation_json, expected_json); EXPECT_EQ(invalidation_json, expected_json);
EXPECT_TRUE(md.getConnectionFlags().isSet(MessageConnectionConfig::UNSECURE_CONN)); EXPECT_TRUE(md.getConnectionFlags().isSet(MessageConnectionConfig::UNSECURE_CONN));
@@ -484,7 +552,7 @@ TEST_F(IntelligenceInvalidation, register_for_invalidation)
EXPECT_THAT(body, HasSubstr("\"url\": \"http://127.0.0.1:7000/set-new-invalidation\"")); EXPECT_THAT(body, HasSubstr("\"url\": \"http://127.0.0.1:7000/set-new-invalidation\""));
EXPECT_THAT(body, HasSubstr("\"apiVersion\": \"v2\", \"communicationType\": \"sync\"")); EXPECT_THAT(body, HasSubstr("\"apiVersion\": \"v2\", \"communicationType\": \"sync\""));
EXPECT_THAT(body, HasSubstr("\"mainAttributes\": [ { \"attr2\": \"2\" } ]")); EXPECT_THAT(body, HasSubstr("\"mainAttributes\": [ { \"attr2\": \"2\" } ]"));
EXPECT_THAT(body, HasSubstr("\"attributes\": [ { \"attr3\": \"3\" } ]")); EXPECT_THAT(body, HasSubstr("\"attributes\": [ { \"ipv4Addresses\": [ \"1.1.1.1\" ] } ]"));
EXPECT_TRUE(md.getConnectionFlags().isSet(MessageConnectionConfig::UNSECURE_CONN)); EXPECT_TRUE(md.getConnectionFlags().isSet(MessageConnectionConfig::UNSECURE_CONN));
EXPECT_THAT(body, HasSubstr("\"capabilities\": { \"getBulkCallback\": true }")); EXPECT_THAT(body, HasSubstr("\"capabilities\": { \"getBulkCallback\": true }"));
@@ -888,11 +956,19 @@ TEST_F(IntelligenceInvalidation, invalidation_cb_match_by_registration_id)
configuration << "}"; configuration << "}";
Singleton::Consume<Config::I_Config>::from(conf)->loadConfiguration(configuration); Singleton::Consume<Config::I_Config>::from(conf)->loadConfiguration(configuration);
IpAddressRange range("1.1.1.1", "1.1.1.5");
IpAttributes attributes = IpAttributes()
.addIpv4Addresses("1.1.1.2")
.addIpv4AddressRanges(range)
.addIpv6Addresses("1.1.1.2")
.addIpv6AddressRanges(range);
auto base_main_attr2 = StrAttributes() auto base_main_attr2 = StrAttributes()
.addStringAttr("attr3", "3"); .addStringAttr("attr3", "3");
auto invalidation_to_register = Invalidation("aaa") auto invalidation_to_register = Invalidation("aaa")
.addMainAttr(main_attr) .addMainAttr(main_attr)
.addMainAttr(base_main_attr2) .addMainAttr(base_main_attr2)
.addAttr(attributes)
.setSourceId("id") .setSourceId("id")
.setClassifier(ClassifierType::FAMILY, "ccc") .setClassifier(ClassifierType::FAMILY, "ccc")
.setClassifier(ClassifierType::CATEGORY, "bbb") .setClassifier(ClassifierType::CATEGORY, "bbb")
@@ -911,6 +987,7 @@ TEST_F(IntelligenceInvalidation, invalidation_cb_match_by_registration_id)
auto matching_invalidation = Invalidation("aaa") auto matching_invalidation = Invalidation("aaa")
.addMainAttr(matching_second_main_attribute) .addMainAttr(matching_second_main_attribute)
.addAttr(attributes)
.setSourceId("id") .setSourceId("id")
.setClassifier(ClassifierType::FAMILY, "ccc") .setClassifier(ClassifierType::FAMILY, "ccc")
.setClassifier(ClassifierType::CATEGORY, "bbb") .setClassifier(ClassifierType::CATEGORY, "bbb")
@@ -919,6 +996,7 @@ TEST_F(IntelligenceInvalidation, invalidation_cb_match_by_registration_id)
auto invalidation_2_to_register = Invalidation("aaa") auto invalidation_2_to_register = Invalidation("aaa")
.addMainAttr(base_main_attr2) .addMainAttr(base_main_attr2)
.addAttr(attributes)
.setSourceId("id") .setSourceId("id")
.setClassifier(ClassifierType::FAMILY, "ccc") .setClassifier(ClassifierType::FAMILY, "ccc")
.setClassifier(ClassifierType::CATEGORY, "bbb") .setClassifier(ClassifierType::CATEGORY, "bbb")

237
core/intelligence_is_v2/invalidation.cc
View File

@@ -20,6 +20,8 @@
#include "i_intelligence_is_v2.h" #include "i_intelligence_is_v2.h"
USE_DEBUG_FLAG(D_INTELLIGENCE);
using namespace Intelligence; using namespace Intelligence;
using namespace std; using namespace std;
@@ -203,6 +205,18 @@ Invalidation::attr_matches(const vector<StrAttributes> &current, const vector<St
return false; return false;
} }
bool
Invalidation::attr_matches(const vector<IpAttributes> &current, const vector<IpAttributes> &other) const
{
if (current.empty()) return true;
for (const auto &attr : current) {
for(const auto &other_attr : other) {
if (attr.matches(other_attr)) return true;
}
}
return false;
}
bool bool
Invalidation::matches(const Invalidation &other) const Invalidation::matches(const Invalidation &other) const
{ {
@@ -230,7 +244,7 @@ Invalidation::matches(const Invalidation &other) const
} }
Invalidation & Invalidation &
Invalidation::addAttr(const StrAttributes &attr) Invalidation::addAttr(const IpAttributes &attr)
{ {
attributes.emplace_back(attr); attributes.emplace_back(attr);
return *this; return *this;
@@ -378,3 +392,224 @@ StrAttributes::performOutputingSchema(ostream &out, int level) {
} }
RestHelper::printIndent(out, level) << "}"; RestHelper::printIndent(out, level) << "}";
} }
IpAttributes &
IpAttributes::addIpv4Addresses(const string &val)
{
ipv4_addresses.push_back(val);
return *this;
}
IpAttributes &
IpAttributes::addIpv6Addresses(const string &val)
{
ipv6_addresses.push_back(val);
return *this;
}
IpAttributes &
IpAttributes::addIpv4AddressRanges(const IpAddressRange &val)
{
ipv4_address_ranges.push_back(val);
return *this;
}
IpAttributes &
IpAttributes::addIpv6AddressRanges(const IpAddressRange &val)
{
ipv6_address_ranges.push_back(val);
return *this;
}
Maybe<vector<string>, void>
IpAttributes::getIpv4Addresses() const
{
if (ipv4_addresses.empty()) return genError<void>();
return ipv4_addresses;
}
Maybe<vector<string>, void>
IpAttributes::getIpv6Addresses() const
{
if (ipv6_addresses.empty()) return genError<void>();
return ipv6_addresses;
}
Maybe<vector<IpAddressRange>, void>
IpAttributes::getIpv4AddressRanges() const
{
if (ipv4_address_ranges.empty()) return genError<void>();
return ipv4_address_ranges;
}
Maybe<vector<IpAddressRange>, void>
IpAttributes::getIpv6AddressRanges() const
{
if (ipv6_address_ranges.empty()) return genError<void>();
return ipv6_address_ranges;
}
Maybe<string, void>
IpAttributes::genObject() const
{
stringstream attributes_ss;
if (this->isEmpty()) return genError<void>();
bool internal_first = true;
bool first = true;
attributes_ss << "{ ";
if (!ipv4_addresses.empty()) {
attributes_ss << "\"ipv4Addresses\": [ ";
for (auto &attr : ipv4_addresses) {
if (!internal_first) attributes_ss << ", ";
attributes_ss << "\"" << attr << "\"";
internal_first = false;
}
attributes_ss << " ]";
first = false;
}
if (!ipv6_addresses.empty()) {
if (!first) attributes_ss << ", ";
attributes_ss << "\"ipv6Addresses\": [ ";
internal_first = true;
for (auto &attr : ipv6_addresses) {
if (!internal_first) attributes_ss << ", ";
attributes_ss << "\"" << attr << "\"";
internal_first = false;
}
attributes_ss << " ]";
first = false;
}
if (!ipv4_address_ranges.empty()) {
if (!first) attributes_ss << ", ";
attributes_ss << "\"ipv4AddressesRange\": [ ";
internal_first = true;
for (auto &attr : ipv4_address_ranges) {
if (!internal_first) attributes_ss << ", ";
attributes_ss << "{ \"max\": \"" << attr.getMax() << "\", \"min\": \"" << attr.getMin() << "\" }";
internal_first = false;
}
attributes_ss << " ]";
first = false;
}
if (!ipv6_address_ranges.empty()) {
if (!first) attributes_ss << ", ";
attributes_ss << "\"ipv6AddressesRange\": [ ";
internal_first = true;
for (auto &attr : ipv6_address_ranges) {
if (!internal_first) attributes_ss << ", ";
attributes_ss << "{ \"max\": \"" << attr.getMax() << "\", \"min\": \"" << attr.getMin() << "\" }";
internal_first = false;
}
attributes_ss << " ]";
first = false;
}
attributes_ss << " }";
return attributes_ss.str();
}
bool
IpAttributes::isEmpty() const
{
return
ipv4_addresses.empty() &&
ipv6_addresses.empty() &&
ipv4_address_ranges.empty() &&
ipv6_address_ranges.empty();
}
bool
IpAttributes::matches(const IpAttributes &other) const
{
return
ipv4_addresses == other.ipv4_addresses &&
ipv6_addresses == other.ipv6_addresses &&
ipv4_address_ranges == other.ipv4_address_ranges &&
ipv6_address_ranges == other.ipv6_address_ranges;
}
void
IpAttributes::serialize(cereal::JSONInputArchive &ar)
{
try {
ar(cereal::make_nvp("ipv4Addresses", ipv4_addresses));
ar(cereal::make_nvp("ipv4AddressesRange", ipv4_address_ranges));
ar(cereal::make_nvp("ipv6Addresses", ipv6_addresses));
ar(cereal::make_nvp("ipv6AddressesRange", ipv6_address_ranges));
} catch (cereal::Exception &e) {
dbgError(D_INTELLIGENCE) << e.what();
}
}
void
IpAttributes::performOutputingSchema(ostream &out, int level)
{
bool first = true;
bool internal_first = true;
RestHelper::printIndent(out, level) << "{\n";
if (!ipv4_addresses.empty()) {
RestHelper::printIndent(out, level + 1) << "\"ipv4Addresses\": [\n";
for (auto &attr : ipv4_addresses) {
if (!internal_first) out << ",\n";
RestHelper::printIndent(out, level + 2) << "\"" << attr << "\"";
internal_first = false;
}
out << "\n";
RestHelper::printIndent(out, level + 1) << "]";
first = false;
}
if (!ipv6_addresses.empty()) {
if (!first) out << ",\n";
RestHelper::printIndent(out, level + 1) << "\"ipv6Addresses\": [\n";
internal_first = true;
for (auto &attr : ipv6_addresses) {
if (!internal_first) out << ",\n";
RestHelper::printIndent(out, level + 2) << "\"" << attr << "\"";
internal_first = false;
}
out << "\n";
RestHelper::printIndent(out, level + 1) << "]";
first = false;
}
if (!ipv4_address_ranges.empty()) {
if (!first) out << ",\n";
RestHelper::printIndent(out, level + 1) << "\"ipv4AddressesRange\": [\n";
internal_first = true;
for (auto &attr : ipv4_address_ranges) {
if (!internal_first) out << ",\n";
RestHelper::printIndent(out, level + 2) << "{\n";
RestHelper::printIndent(out, level + 3) << "\"max\": \"" << attr.getMax() << "\",\n";
RestHelper::printIndent(out, level + 3) << "\"min\": \"" << attr.getMin() << "\"\n";
RestHelper::printIndent(out, level + 2) << "}";
internal_first = false;
}
out << "\n";
RestHelper::printIndent(out, level + 1) << "]";
first = false;
}
if (!ipv6_address_ranges.empty()) {
if (!first) out << ",\n";
RestHelper::printIndent(out, level + 1) << "\"ipv6AddressesRange\": [\n";
internal_first = true;
for (auto &attr : ipv6_address_ranges) {
if (!internal_first) out << ",\n";
RestHelper::printIndent(out, level + 2) << "{\n";
RestHelper::printIndent(out, level + 3) << "\"max\": \"" << attr.getMax() << "\",\n";
RestHelper::printIndent(out, level + 3) << "\"min\": \"" << attr.getMin() << "\"\n";
RestHelper::printIndent(out, level + 2) << "}";
internal_first = false;
}
out << "\n";
RestHelper::printIndent(out, level + 1) << "]";
first = false;
}
RestHelper::printIndent(out, level) << "\n}";
}

12
core/metric/generic_metric.cc
View File

@@ -332,7 +332,17 @@ vector<PrometheusData>
GenericMetric::getPromMetricsData() GenericMetric::getPromMetricsData()
{ {
vector<PrometheusData> all_metrics; vector<PrometheusData> all_metrics;
if (!getProfileAgentSettingWithDefault(false, "prometheus")) return all_metrics; bool enable_prometheus = false;
auto prometheus_settings = getProfileAgentSetting<bool>("prometheus");
if (prometheus_settings.ok()) {
enable_prometheus = prometheus_settings.unpack();
} else {
const char *prometheus_env = getenv("PROMETHEUS");
if (prometheus_env != nullptr) {
enable_prometheus = string(prometheus_env) == "true";
}
}
if (!enable_prometheus) return all_metrics;
dbgTrace(D_METRICS) << "Get prometheus metrics"; dbgTrace(D_METRICS) << "Get prometheus metrics";
for (auto &calc : prometheus_calcs) { for (auto &calc : prometheus_calcs) {

17
core/rest/rest_server.cc
View File

@@ -163,10 +163,14 @@ RestServer::Impl::init()
} }
} }
bool is_ipv6 = false;
if (accept_get_from_external_ip) { if (accept_get_from_external_ip) {
is_ipv6 = true;
fd = socket(AF_INET6, SOCK_STREAM, 0); fd = socket(AF_INET6, SOCK_STREAM, 0);
} else { }
if (fd == -1) {
fd = socket(AF_INET, SOCK_STREAM, 0); fd = socket(AF_INET, SOCK_STREAM, 0);
is_ipv6 = false;
} }
dbgAssert(fd >= 0) << alert << "Failed to open a socket"; dbgAssert(fd >= 0) << alert << "Failed to open a socket";
@@ -175,7 +179,8 @@ RestServer::Impl::init()
dbgWarning(D_API) << "Could not set the socket options"; dbgWarning(D_API) << "Could not set the socket options";
} }
if (accept_get_from_external_ip) { if (is_ipv6) {
dbgDebug(D_API) << "IPv6 socket opened successfully";
int option = 0; int option = 0;
if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &option, sizeof(option)) < 0) { if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &option, sizeof(option)) < 0) {
dbgWarning(D_API) << "Could not set the IPV6_V6ONLY option"; dbgWarning(D_API) << "Could not set the IPV6_V6ONLY option";
@@ -185,16 +190,24 @@ RestServer::Impl::init()
bzero(&addr6, sizeof(addr6)); bzero(&addr6, sizeof(addr6));
addr6.sin6_family = AF_INET6; addr6.sin6_family = AF_INET6;
addr6.sin6_addr = in6addr_any; addr6.sin6_addr = in6addr_any;
dbgDebug(D_API) << "Socket listening on any address";
while (!bindRestServerSocket(addr6, port_range)) { while (!bindRestServerSocket(addr6, port_range)) {
mainloop->yield(bind_retry_interval_msec); mainloop->yield(bind_retry_interval_msec);
} }
listening_port = ntohs(addr6.sin6_port); listening_port = ntohs(addr6.sin6_port);
} else { } else {
dbgDebug(D_API) << "IPv4 socket opened successfully";
struct sockaddr_in addr; struct sockaddr_in addr;
bzero(&addr, sizeof(addr)); bzero(&addr, sizeof(addr));
addr.sin_family = AF_INET; addr.sin_family = AF_INET;
if (accept_get_from_external_ip) {
addr.sin_addr.s_addr = htonl(INADDR_ANY);
dbgDebug(D_API) << "Socket listening on any address";
} else {
addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
dbgDebug(D_API) << "Socket listening on local address";
}
while (!bindRestServerSocket(addr, port_range)) { while (!bindRestServerSocket(addr, port_range)) {
mainloop->yield(bind_retry_interval_msec); mainloop->yield(bind_retry_interval_msec);

2
deployment/docker-compose/envoy/.env
View File

@@ -56,7 +56,7 @@ COMPOSE_PROFILES=
## Make sure to also adjust the envoy.yaml file in ENVOY_CONFIG path ## Make sure to also adjust the envoy.yaml file in ENVOY_CONFIG path
## to add a routing configuration for forwarding external traffic on e.g. port 80 to the juiceshop-backend container ## to add a routing configuration for forwarding external traffic on e.g. port 80 to the juiceshop-backend container
## you can use the example file available here: ## you can use the example file available here:
## https://raw.githubusercontent.com/openappsec/openappsec/examples/juiceshop/envoy/envoy.yaml ## https://raw.githubusercontent.com/openappsec/openappsec/main/examples/juiceshop/envoy/envoy.yaml
## place the file above in ENVOY_CONFIG path ## place the file above in ENVOY_CONFIG path
## note that juiceshop container listens on HTTP port 3000 by default ## note that juiceshop container listens on HTTP port 3000 by default

10
deployment/docker-compose/nginx/docker-compose.yaml
View File

@@ -36,6 +36,7 @@ services:
- ${APPSEC_DATA}:/etc/cp/data - ${APPSEC_DATA}:/etc/cp/data
- ${APPSEC_LOGS}:/var/log/nano_agent - ${APPSEC_LOGS}:/var/log/nano_agent
- ${APPSEC_LOCALCONFIG}:/ext/appsec - ${APPSEC_LOCALCONFIG}:/ext/appsec
- shm-volume:/dev/shm/check-point
command: /cp-nano-agent command: /cp-nano-agent
appsec-nginx: appsec-nginx:
@@ -45,7 +46,7 @@ services:
restart: unless-stopped restart: unless-stopped
volumes: volumes:
- ${NGINX_CONFIG}:/etc/nginx/conf.d - ${NGINX_CONFIG}:/etc/nginx/conf.d
- shm-volume:/dev/shm/check-point
## advanced configuration - volume mount for nginx.conf file: ## advanced configuration - volume mount for nginx.conf file:
## To change global instructions it's possible to also mount your own nginx.conf file by uncommenting the line below ## To change global instructions it's possible to also mount your own nginx.conf file by uncommenting the line below
## then specify a desired local folder for NGINX_CONF_FILE in the .env file. ## then specify a desired local folder for NGINX_CONF_FILE in the .env file.
@@ -123,6 +124,13 @@ services:
profiles: profiles:
- juiceshop - juiceshop
volumes:
shm-volume:
driver: local
driver_opts:
type: tmpfs
device: tmpfs
## advanced configuration: learning_nfs volume for nfs storage in shared_storage container ## advanced configuration: learning_nfs volume for nfs storage in shared_storage container
## ##
## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage) ## when configuring nfs storage in shared_storage container configuration above, make sure to also specify learning_nfs volume (see example below for using AWS EFS storage)

9
examples/juiceshop/apisix/apisix.yaml Normal file
View File

@@ -0,0 +1,9 @@
routes:
-
uri: /
upstream:
nodes:
"juiceshop-backend:3000": 1
type: roundrobin
#END

56
examples/juiceshop/envoy/envoy.yaml Normal file
View File

@@ -0,0 +1,56 @@
static_resources:
listeners:
- name: listener_0
address:
socket_address:
address: 0.0.0.0
port_value: 80
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: ingress_http
http_filters:
## The following 10 lines are required to load the envoy attachment filter for open-appsec
- name: envoy.filters.http.golang
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.golang.v3alpha.Config
library_id: cp_nano_filter
library_path: "/usr/lib/libenvoy_attachment.so"
plugin_name: cp_nano_filter
plugin_config:
"@type": type.googleapis.com/xds.type.v3.TypedStruct
value:
prefix_localreply_body: "Configured local reply from go"
- name: envoy.filters.http.router
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
##
## The following lines allow you to deploy routing of ingress traffic to the optional juice-shop example container available in the open-appsec docker-compose.yaml file.
##
route_config:
name: local_route
virtual_hosts:
- name: local_service
domains: ["*"]
routes:
- match:
prefix: "/"
route:
cluster: juiceshop
clusters:
- name: juiceshop
type: STRICT_DNS
lb_policy: ROUND_ROBIN
load_assignment:
cluster_name: juiceshop
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: juiceshop-backend
port_value: 3000

9
examples/juiceshop/kong/kong.yml Normal file
View File

@@ -0,0 +1,9 @@
_format_version: "3.0"
services:
- name: juiceshop-service
url: http://juiceshop-backend:3000
routes:
- name: juiceshop-route
paths:
- /

84
examples/juiceshop/swag/default.conf Normal file
View File

@@ -0,0 +1,84 @@
## Version 2024/07/16 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample
# redirect all traffic to https
server {
listen 80 default_server;
listen [::]:80 default_server;
location / {
return 301 https://$host$request_uri;
}
}
# main server block
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
server_name _;
include /config/nginx/ssl.conf;
# root /config/www;
# index index.html index.htm index.php;
# enable subfolder method reverse proxy confs
include /config/nginx/proxy-confs/*.subfolder.conf;
# enable for ldap auth (requires ldap-location.conf in the location block)
#include /config/nginx/ldap-server.conf;
# enable for Authelia (requires authelia-location.conf in the location block)
#include /config/nginx/authelia-server.conf;
# enable for Authentik (requires authentik-location.conf in the location block)
#include /config/nginx/authentik-server.conf;
#location / {
# enable for basic auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable for ldap auth (requires ldap-server.conf in the server block)
#include /config/nginx/ldap-location.conf;
# enable for Authelia (requires authelia-server.conf in the server block)
#include /config/nginx/authelia-location.conf;
# enable for Authentik (requires authentik-server.conf in the server block)
#include /config/nginx/authentik-location.conf;
# try_files $uri $uri/ /index.html /index.htm /index.php$is_args$args;
#}
location ~ ^(.+\.php)(.*)$ {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable for ldap auth (requires ldap-server.conf in the server block)
#include /config/nginx/ldap-location.conf;
# enable for Authelia (requires authelia-server.conf in the server block)
#include /config/nginx/authelia-location.conf;
# enable for Authentik (requires authentik-server.conf in the server block)
#include /config/nginx/authentik-location.conf;
fastcgi_split_path_info ^(.+\.php)(.*)$;
if (!-f $document_root$fastcgi_script_name) { return 404; }
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
}
# deny access to .htaccess/.htpasswd files
location ~ /\.ht {
deny all;
}
}
# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;
# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;

22
examples/juiceshop/swag/juiceshop.subfolder.conf Normal file
View File

@@ -0,0 +1,22 @@
location / {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable for ldap auth (requires ldap-server.conf in the server block)
#include /config/nginx/ldap-location.conf;
# enable for Authelia (requires authelia-server.conf in the server block)
#include /config/nginx/authelia-location.conf;
# enable for Authentik (requires authentik-server.conf in the server block)
#include /config/nginx/authentik-location.conf;
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
set $upstream_app juiceshop-backend;
set $upstream_port 3000;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}

1
nodes/CMakeLists.txt
View File

@@ -11,6 +11,7 @@ set(COMMON_LIBRARIES "-lngen_core;-lcompression_utils;-lssl;-lcrypto;-lz;-lboost
include(packaging.cmake) include(packaging.cmake)
add_subdirectory(orchestration) add_subdirectory(orchestration)
add_subdirectory(prometheus)
add_subdirectory(agent_cache) add_subdirectory(agent_cache)
add_subdirectory(http_transaction_handler) add_subdirectory(http_transaction_handler)
add_subdirectory(attachment_registration_manager) add_subdirectory(attachment_registration_manager)

1
nodes/orchestration/package/cp-nano-package-list
View File

@@ -29,4 +29,5 @@ cpview_metric_provider="cpviewMetricProvider 8282"
hello_world="hello_world" hello_world="hello_world"
crowdsec_aux="crowdsecAux 8081" crowdsec_aux="crowdsecAux 8081"
central_nginx_manager="centralNginxManager 7555" central_nginx_manager="centralNginxManager 7555"
prometheus="prometheus 7465"
# ## Please do not remove this comment - newline at end of file required. # ## Please do not remove this comment - newline at end of file required.

57
nodes/orchestration/package/orchestration_package.sh
View File

@@ -29,8 +29,10 @@ is_wlp_orchestration="false"
ORCHESTRATION_EXE_SOURCE_PATH="./bin/orchestration_comp" ORCHESTRATION_EXE_SOURCE_PATH="./bin/orchestration_comp"
NGINX_METADAT_EXTRACTOR_PATH="./scripts/cp-nano-makefile-generator.sh" NGINX_METADAT_EXTRACTOR_PATH="./scripts/cp-nano-makefile-generator.sh"
NGINX_FRESH_METADATA_EXTRACTOR_PATH="./scripts/cp-nano-makefile-generator-fresh.sh"
ORCHESTRATION_FILE_NAME="cp-nano-orchestration" ORCHESTRATION_FILE_NAME="cp-nano-orchestration"
NGINX_METADDATA_EXTRACTOR_NAME="cp-nano-makefile-generator.sh" NGINX_METADDATA_EXTRACTOR_NAME="cp-nano-makefile-generator.sh"
NGINX_FRESH_METADATA_EXTRACTOR_NAME="cp-nano-makefile-generator-fresh.sh"
GET_CLOUD_METADATA_PATH="get-cloud-metadata.sh" GET_CLOUD_METADATA_PATH="get-cloud-metadata.sh"
AGENT_UNINSTALL="cp-agent-uninstall.sh" AGENT_UNINSTALL="cp-agent-uninstall.sh"
ORCHESTRATION_NAME="orchestration" ORCHESTRATION_NAME="orchestration"
@@ -336,6 +338,10 @@ while true; do
elif [ "$1" = "--cloud-storage" ]; then elif [ "$1" = "--cloud-storage" ]; then
shift shift
var_cloud_storage=$1 var_cloud_storage=$1
elif [ "$1" = "--only_unpack_lib64_path" ]; then
shift
USR_LIB_PATH=$1
var_only_unpack_lib64="set"
elif echo "$1" | grep -q ${FORCE_CLEAN_FLAG}; then elif echo "$1" | grep -q ${FORCE_CLEAN_FLAG}; then
var_upgrade_mode= var_upgrade_mode=
elif echo "$1" | grep -q ${DEBUG_FLAG}; then elif echo "$1" | grep -q ${DEBUG_FLAG}; then
@@ -353,7 +359,7 @@ done
# VS ID argument is available only on install, for other actions, extract it from the package location # VS ID argument is available only on install, for other actions, extract it from the package location
if [ -z "$VS_ID" ]; then if [ -z "$VS_ID" ]; then
parent_pid=$PPID parent_pid=$PPID
parent_cmdline=$(ps -o cmd= -p "$parent_pid") parent_cmdline=$(cat /proc/"$parent_pid"/cmdline | tr '\0' ' ')
parent_dir=$(dirname "$parent_cmdline") parent_dir=$(dirname "$parent_cmdline")
packages_folder=$(dirname "$parent_dir") packages_folder=$(dirname "$parent_dir")
vs_folder=$(dirname "$packages_folder") vs_folder=$(dirname "$packages_folder")
@@ -494,26 +500,26 @@ cp_copy() # Initials - cc
cp_print "Destination md5, after the copy:\n$DEST_AFTER_COPY" cp_print "Destination md5, after the copy:\n$DEST_AFTER_COPY"
} }
update_cloudguard_appsec_manifest() update_openappsec_manifest()
{ {
if [ -z ${INFINITY_NEXT_NANO_AGENT} ] && { [ -z ${CLOUDGUARD_APPSEC_STANDALONE} ] || [ -z ${DOCKER_RPM_ENABLED} ]; }; then if [ -z ${OPENAPPSEC_NANO_AGENT} ] && { [ -z ${CLOUDGUARD_APPSEC_STANDALONE} ] || [ -z ${DOCKER_RPM_ENABLED} ]; }; then
return return
fi fi
selected_cloudguard_appsec_manifest_path="${TMP_FOLDER}/cloudguard_appsec_manifest.json" selected_openappsec_manifest_path="${TMP_FOLDER}/openappsec_manifest.json"
if [ "${DOCKER_RPM_ENABLED}" = "false" ] || [ "${INFINITY_NEXT_NANO_AGENT}" = "TRUE" ]; then if [ "${DOCKER_RPM_ENABLED}" = "false" ] || [ "${OPENAPPSEC_NANO_AGENT}" = "TRUE" ]; then
selected_cloudguard_appsec_manifest_path="${TMP_FOLDER}/self_managed_cloudguard_appsec_manifest.json" selected_openappsec_manifest_path="${TMP_FOLDER}/self_managed_openappsec_manifest.json"
fi fi
if [ ! -f "$selected_cloudguard_appsec_manifest_path" ]; then if [ ! -f "$selected_openappsec_manifest_path" ]; then
return return
fi fi
cloudguard_appsec_manifest_path="${selected_cloudguard_appsec_manifest_path}.used" openappsec_manifest_path="${selected_openappsec_manifest_path}.used"
mv "$selected_cloudguard_appsec_manifest_path" "$cloudguard_appsec_manifest_path" mv "$selected_openappsec_manifest_path" "$openappsec_manifest_path"
fog_host=$(echo "$var_fog_address" | sed 's/https\?:\/\///') fog_host=$(echo "$var_fog_address" | sed 's/https\?:\/\///')
fog_host=${fog_host%/} fog_host=${fog_host%/}
sed "s/namespace/${fog_host}/g" ${cloudguard_appsec_manifest_path} > "${FILESYSTEM_PATH}/${CONF_PATH}/manifest.json" sed "s/namespace/${fog_host}/g" ${openappsec_manifest_path} > "${FILESYSTEM_PATH}/${CONF_PATH}/manifest.json"
} }
set_cloud_storage() set_cloud_storage()
@@ -641,6 +647,9 @@ install_watchdog()
echo "ExecStart=ip netns exec CTX0000${VS_ID} ${FILESYSTEM_PATH}/${WATCHDOG_PATH}/cp-nano-watchdog" >> /etc/systemd/system/${NANO_AGENT_SERVICE_FILE} echo "ExecStart=ip netns exec CTX0000${VS_ID} ${FILESYSTEM_PATH}/${WATCHDOG_PATH}/cp-nano-watchdog" >> /etc/systemd/system/${NANO_AGENT_SERVICE_FILE}
fi fi
echo "Environment=\"FILESYSTEM_PATH=${FILESYSTEM_PATH}\"" >> /etc/systemd/system/${NANO_AGENT_SERVICE_FILE} echo "Environment=\"FILESYSTEM_PATH=${FILESYSTEM_PATH}\"" >> /etc/systemd/system/${NANO_AGENT_SERVICE_FILE}
if [ -n "${PROMETHEUS}" ] ; then
echo "Environment=\"PROMETHEUS=${PROMETHEUS}\"" >> /etc/systemd/system/${NANO_AGENT_SERVICE_FILE}
fi
cp_exec "systemctl daemon-reload" cp_exec "systemctl daemon-reload"
cp_exec "systemctl enable nano_agent" cp_exec "systemctl enable nano_agent"
@@ -779,6 +788,7 @@ upgrade_conf_if_needed()
[ -f "${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg" ] && . "${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg" [ -f "${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg" ] && . "${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg"
[ -f "${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg" ] && \
previous_mode=$(cat ${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg | grep "orchestration-mode" | cut -d = -f 3 | sed 's/"//') previous_mode=$(cat ${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg | grep "orchestration-mode" | cut -d = -f 3 | sed 's/"//')
if ! [ -z "$previous_mode" ]; then if ! [ -z "$previous_mode" ]; then
var_orchestration_mode=${previous_mode} var_orchestration_mode=${previous_mode}
@@ -849,6 +859,13 @@ copy_nginx_metadata_script()
cp_exec "chmod +x ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/${NGINX_METADDATA_EXTRACTOR_NAME}" cp_exec "chmod +x ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/${NGINX_METADDATA_EXTRACTOR_NAME}"
} }
copy_nginx_fresh_metadata_script()
{
cp_copy "$NGINX_FRESH_METADATA_EXTRACTOR_PATH" ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/${NGINX_FRESH_METADATA_EXTRACTOR_NAME}
cp_exec "chmod 700 ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/${NGINX_FRESH_METADATA_EXTRACTOR_NAME}"
cp_exec "chmod +x ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/${NGINX_FRESH_METADATA_EXTRACTOR_NAME}"
}
copy_and_run_cloud_metadata_script() copy_and_run_cloud_metadata_script()
{ {
cp_copy "${SCRIPTS_PATH}/$GET_CLOUD_METADATA_PATH" ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/${GET_CLOUD_METADATA_PATH} cp_copy "${SCRIPTS_PATH}/$GET_CLOUD_METADATA_PATH" ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/${GET_CLOUD_METADATA_PATH}
@@ -925,6 +942,19 @@ get_status_content()
install_orchestration() install_orchestration()
{ {
INSTALLATION_TIME=$(date) INSTALLATION_TIME=$(date)
if [ "$var_only_unpack_lib64" = "set" ]; then
cp_exec "mkdir ${USR_LIB_PATH}"
if [ ! -d "$USR_LIB_PATH" ]; then
cp_print "No valid path: ${USR_LIB_PATH}. please do --only_unpack_lib64_path <Path>" ${FORCE_STDOUT}
exit 1
fi
${INSTALL_COMMAND} lib/*.so* ${USR_LIB_PATH}/
${INSTALL_COMMAND} lib/boost/*.so* ${USR_LIB_PATH}/
cp_print "Done successfully doing only unpacking lib64 to Path: ${USR_LIB_PATH}" ${FORCE_STDOUT}
exit 0
fi
if [ "$is_smb" != "1" ]; then if [ "$is_smb" != "1" ]; then
cp_exec "mkdir -p ${USR_LIB_PATH}/cpnano${VS_LIB_SUB_FOLDER}" cp_exec "mkdir -p ${USR_LIB_PATH}/cpnano${VS_LIB_SUB_FOLDER}"
else else
@@ -994,6 +1024,8 @@ install_orchestration()
fi fi
[ -f "${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg" ] && . "${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg" [ -f "${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg" ] && . "${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg"
[ -f "${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg" ] && \
previous_mode=$(cat ${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg | grep "orchestration-mode" | cut -d = -f 3 | sed 's/"//') previous_mode=$(cat ${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg | grep "orchestration-mode" | cut -d = -f 3 | sed 's/"//')
if ! [ -z "$previous_mode" ]; then if ! [ -z "$previous_mode" ]; then
@@ -1018,6 +1050,7 @@ install_orchestration()
rm -f "${FILESYSTEM_PATH}/${CONF_PATH}/default_orchestration_flags" rm -f "${FILESYSTEM_PATH}/${CONF_PATH}/default_orchestration_flags"
fi fi
update_openappsec_manifest
upgrade_conf_if_needed upgrade_conf_if_needed
cp_exec "${FILESYSTEM_PATH}/${WATCHDOG_PATH}/cp-nano-watchdog --un-register ${FILESYSTEM_PATH}/${SERVICE_PATH}/cp-nano-orchestration $var_arch_flag" cp_exec "${FILESYSTEM_PATH}/${WATCHDOG_PATH}/cp-nano-watchdog --un-register ${FILESYSTEM_PATH}/${SERVICE_PATH}/cp-nano-orchestration $var_arch_flag"
@@ -1038,6 +1071,7 @@ install_orchestration()
copy_orchestration_executable copy_orchestration_executable
copy_k8s_executable copy_k8s_executable
copy_nginx_metadata_script copy_nginx_metadata_script
copy_nginx_fresh_metadata_script
copy_and_run_cloud_metadata_script copy_and_run_cloud_metadata_script
install_watchdog "--upgrade" install_watchdog "--upgrade"
@@ -1073,7 +1107,7 @@ install_orchestration()
cp_exec "mkdir -p ${LOG_FILE_PATH}/${LOG_PATH}" cp_exec "mkdir -p ${LOG_FILE_PATH}/${LOG_PATH}"
cp_exec "mkdir -p ${FILESYSTEM_PATH}/${DATA_PATH}" cp_exec "mkdir -p ${FILESYSTEM_PATH}/${DATA_PATH}"
update_cloudguard_appsec_manifest update_openappsec_manifest
if [ ! -f ${FILESYSTEM_PATH}/${DEFAULT_SETTINGS_PATH} ]; then if [ ! -f ${FILESYSTEM_PATH}/${DEFAULT_SETTINGS_PATH} ]; then
echo "{\"agentSettings\": []}" > ${FILESYSTEM_PATH}/${DEFAULT_SETTINGS_PATH} echo "{\"agentSettings\": []}" > ${FILESYSTEM_PATH}/${DEFAULT_SETTINGS_PATH}
@@ -1133,6 +1167,7 @@ install_orchestration()
copy_orchestration_executable copy_orchestration_executable
copy_k8s_executable copy_k8s_executable
copy_nginx_metadata_script copy_nginx_metadata_script
copy_nginx_fresh_metadata_script
copy_and_run_cloud_metadata_script copy_and_run_cloud_metadata_script
install_cp_nano_ctl install_cp_nano_ctl

7
nodes/orchestration/package/watchdog/watchdog
View File

@@ -53,7 +53,12 @@ var_upgarde=false
get_profile_agent_setting_with_default() { get_profile_agent_setting_with_default() {
key="$1" key="$1"
default_value="$2" default_value="$2"
value=$(grep -oP "\"key\":\s*\"$key\".*?\"value\":\s*\"[^\"]+\"" $SETTINGS_FILE | sed -E 's/.*"value":\s*"([^"]+)".*/\1/')
value=$(grep -o "\"key\":\s*\"$key\".*?\"value\":\s*\"[^\"]*\"" $SETTINGS_FILE | sed -E 's/.*"value":\s*"([^"]*)".*/\1/')
if [ -z "$value" ]; then
value=$(grep -o "\"$key\":\s*\"[^\"]*\"" $SETTINGS_FILE | sed -E 's/.*"'"$key"'":\s*"([^"]*)".*/\1/')
fi
if [ "$value" = "null" ] || [ -z "$value" ]; then if [ "$value" = "null" ] || [ -z "$value" ]; then
echo "$default_value" echo "$default_value"
else else

419
nodes/orchestration/scripts/cp-nano-makefile-generator-fresh.sh Normal file
View File

@@ -0,0 +1,419 @@
#!/bin/bash
LC_ALL=C
initializeEnvironment()
{
if [ "$IS_FILE_PATH_PROVIDED" != YES ]; then
FILE_NAME_PATH=
IS_FILE_PATH_PROVIDED=NO
fi
TMP_NGINX_VERSION_FILE="/tmp/nginx_version_file.txt"
if [ "$IS_CONFIG_FILE_PROVIDED" != YES ]; then
TMP_NGINX_CONFIG_FILE="/tmp/nginx_config_file.txt"
IS_CONFIG_FILE_PROVIDED=NO
fi
SERVER_TYPE="nginx"
nginx_cmd=nginx
NGX_CC_OPT=
NGX_LD_OPT=
USE_PCRE=NO
TEST_BUILD_EPOLL=NO
USE_THREADS=NO
HTTP_V3=NO
HTTP_SSL=NO
HTTP_GZIP=YES
HTTP_GUNZIP=NO
HTTP_GZIP_STATIC=NO
HTTP_PROXY=YES
HTTP_GEOIP=NO
HTTP_GEO=YES
HTTP_REALIP=NO
HTTP_DAV=NO
HTTP_CACHE=YES
HTTP_UPSTREAM_ZONE=YES
NGX_COMPAT=NO
GCC_VERSION=
NGINX_VERSION=
RELEASE_VERSION=
for i in {0..34}; do
var_name="NGX_MODULE_SIGNATURE_${i}"
eval $var_name=0
done
}
extract_nginx_version_and_release()
{
${nginx_cmd} -v &> "$TMP_NGINX_VERSION_FILE"
NGINX_VERSION=`cat "$TMP_NGINX_VERSION_FILE" | grep -oP [0-9]+.[0-9]+.[0-9]+`
RELEASE_VERSION=`cat /etc/*-release | grep -i "PRETTY_NAME\|Gaia" | cut -d"\"" -f2`
}
tearDown()
{
rm -f ${TMP_NGINX_VERSION_FILE}
rm -f ${TMP_NGINX_CONFIG_FILE}
}
filter_cc_opt() {
CC_OPT=
for cc_extra_opt in ${@}; do
if [[ ${cc_extra_opt} =~ ^-ffile-prefix-map ]]; then
echo "removing ${cc_extra_opt}"
continue
fi
if [[ ${cc_extra_opt} =~ ^-fdebug-prefix-map ]]; then
echo "removing ${cc_extra_opt}"
continue
fi
if [ -z "$CC_OPT" ]; then
CC_OPT="${cc_extra_opt}"
else
CC_OPT="${CC_OPT} ${cc_extra_opt}"
fi
done
if [[ "$@" != "${CC_OPT}" ]]; then
echo "Notice: reduced CC_OPT is '${CC_OPT}'"
fi
NGX_CC_OPT="${CC_OPT}"
}
extract_gcc()
{
GCC_VERSION=`echo "$1" | grep -oP "gcc "[0-9]+ | tr ' ' '-'`
if [[ "$GCC_VERSION" == "gcc-4" ]]; then
GCC_VERSION=gcc-5
elif [[ "$GCC_VERSION" == "gcc-10" ]] || [[ "$GCC_VERSION" == "gcc-11" ]] || [[ "$GCC_VERSION" == "gcc-12" ]] || [[ "$GCC_VERSION" == "gcc-13" ]]; then
GCC_VERSION=gcc-8
fi
}
extract_cc_opt_ld_opt() {
local loc_options="$1"
NGX_CC_OPT=$(echo "$loc_options" | sed -n "s/.*--with-cc-opt='\([^']*\)'.*/\1/p")
filter_cc_opt "$NGX_CC_OPT"
NGX_CC_OPT="$NGX_CC_OPT"
NGX_LD_OPT=$(echo "$loc_options" | sed -n "s/.*--with-ld-opt='\([^']*\)'.*/\1/p")
if [ -n "$NGX_LD_OPT" ]; then
NGX_LD_OPT="$NGX_LD_OPT"
fi
}
read_config_flags() {
for option; do
opt="$opt `echo $option | sed -e \"s/\(--[^=]*=\)\(.* .*\)/\1'\2'/\"`"
case "$option" in
-*=*) value=`echo "$option" | sed -e 's/[-_a-zA-Z0-9]*=//'` ;;
*) value="" ;;
esac
case "$option" in
--with-http_realip_module) HTTP_REALIP=YES ;;
--with-http_dav_module) HTTP_DAV=YES ;;
--with-compat) NGX_COMPAT=YES ;;
--without-http-cache) HTTP_CACHE=NO ;;
--without-http_upstream_zone_module) HTTP_UPSTREAM_ZONE=NO ;;
--without-http_geo_module) HTTP_GEO=NO ;;
--with-http_geoip_module) HTTP_GEOIP=YES ;;
--with-http_geoip_module=dynamic) HTTP_GEOIP=YES ;;
--without-http_proxy_module) HTTP_PROXY=NO ;;
--with-http_gunzip_module) HTTP_GUNZIP=YES ;;
--with-http_gzip_static_module) HTTP_GZIP_STATIC=YES ;;
--without-http_gzip_module) HTTP_GZIP=NO ;;
--with-http_v3_module) HTTP_V3=YES ;;
--with-threads) USE_THREADS=YES ;;
--test-build-epoll) TEST_BUILD_EPOLL=YES ;;
--with-pcre) USE_PCRE=YES ;;
--with-http_ssl_module) HTTP_SSL=YES ;;
*)
# echo "$0: uninteresting option: \"$option\""
;;
esac
done
if [ "$NGX_COMPAT" = YES ]; then
HTTP_GZIP=YES
HTTP_DAV=NO
HTTP_REALIP=NO
HTTP_PROXY=YES
HTTP_GEOIP=NO
HTTP_GEO=YES
HTTP_UPSTREAM_ZONE=YES
HTTP_GUNZIP=NO
HTTP_GZIP_STATIC=NO
HTTP_SSL=NO
USE_THREADS=NO
fi
}
decode_configuration_flags() {
DECODED_CONFIGURATION_FLAGS=""
if [ -n "$GCC_VERSION" ]; then
DECODED_CONFIGURATION_FLAGS="$DECODED_CONFIGURATION_FLAGS --with-cc=/usr/bin/${GCC_VERSION}"
fi
if [ "$HTTP_REALIP" = YES ]; then
DECODED_CONFIGURATION_FLAGS="$DECODED_CONFIGURATION_FLAGS --with-http_realip_module"
fi
if [ "$HTTP_DAV" = YES ]; then
DECODED_CONFIGURATION_FLAGS="$DECODED_CONFIGURATION_FLAGS --with-http_dav_module"
fi
if [ "$NGX_COMPAT" = YES ]; then
DECODED_CONFIGURATION_FLAGS="$DECODED_CONFIGURATION_FLAGS --with-compat"
fi
if [ "$HTTP_CACHE" = NO ]; then
DECODED_CONFIGURATION_FLAGS="$DECODED_CONFIGURATION_FLAGS --without-http-cache"
fi
if [ "$HTTP_UPSTREAM_ZONE" = NO ]; then
DECODED_CONFIGURATION_FLAGS="$DECODED_CONFIGURATION_FLAGS --without-http_upstream_zone_module"
fi
if [ "$HTTP_GEO" = NO ]; then
DECODED_CONFIGURATION_FLAGS="$DECODED_CONFIGURATION_FLAGS --without-http_geo_module"
fi
if [ "$HTTP_GEOIP" = YES ]; then
DECODED_CONFIGURATION_FLAGS="$DECODED_CONFIGURATION_FLAGS --with-http_geoip_module --with-http_geoip_module=dynamic"
fi
if [ "$HTTP_PROXY" = NO ]; then
DECODED_CONFIGURATION_FLAGS="$DECODED_CONFIGURATION_FLAGS --without-http_proxy_module"
fi
if [ "$HTTP_GUNZIP" = YES ]; then
DECODED_CONFIGURATION_FLAGS="$DECODED_CONFIGURATION_FLAGS --with-http_gunzip_module"
fi
if [ "$HTTP_GZIP_STATIC" = YES ]; then
DECODED_CONFIGURATION_FLAGS="$DECODED_CONFIGURATION_FLAGS --with-http_gzip_static_module"
fi
if [ "$HTTP_GZIP" = NO ]; then
DECODED_CONFIGURATION_FLAGS="$DECODED_CONFIGURATION_FLAGS --without-http_gzip_module"
fi
if [ "$HTTP_V3" = YES ]; then
DECODED_CONFIGURATION_FLAGS="$DECODED_CONFIGURATION_FLAGS --with-http_v3_module"
fi
if [ "$USE_THREADS" = YES ]; then
DECODED_CONFIGURATION_FLAGS="$DECODED_CONFIGURATION_FLAGS --with-threads"
fi
if [ "$TEST_BUILD_EPOLL" = YES ]; then
DECODED_CONFIGURATION_FLAGS="$DECODED_CONFIGURATION_FLAGS --test-build-epoll"
fi
if [ "$USE_PCRE" = YES ]; then
DECODED_CONFIGURATION_FLAGS="$DECODED_CONFIGURATION_FLAGS --with-pcre"
fi
if [ "$HTTP_SSL" = YES ]; then
DECODED_CONFIGURATION_FLAGS="$DECODED_CONFIGURATION_FLAGS --with-http_ssl_module"
fi
echo "$DECODED_CONFIGURATION_FLAGS"
}
set_signatures() {
NGX_MODULE_SIGNATURE_9=1
NGX_MODULE_SIGNATURE_10=1
NGX_MODULE_SIGNATURE_12=1
NGX_MODULE_SIGNATURE_17=0
NGX_MODULE_SIGNATURE_25=1
NGX_MODULE_SIGNATURE_27=1
if [ "$USE_PCRE" = YES ]; then
NGX_MODULE_SIGNATURE_23=1
fi
if [ "$TEST_BUILD_EPOLL" = YES ]; then
NGX_MODULE_SIGNATURE_5=1
NGX_MODULE_SIGNATURE_6=1
fi
if [ "$USE_THREADS" = YES ]; then
NGX_MODULE_SIGNATURE_22=1
fi
if [ "$HTTP_V3" = YES ]; then
NGX_MODULE_SIGNATURE_18=1
NGX_MODULE_SIGNATURE_24=1
fi
if [ "$HTTP_GUNZIP" = YES ] || [ "$HTTP_GZIP" = YES ] || [ "$HTTP_GZIP_STATIC" = YES ]; then
NGX_MODULE_SIGNATURE_26=1
fi
if [ "$HTTP_REALIP" = YES ]; then
NGX_MODULE_SIGNATURE_28=1
NGX_MODULE_SIGNATURE_29=1
fi
if [ "$HTTP_DAV" = YES ]; then
NGX_MODULE_SIGNATURE_31=1
fi
if [ "$HTTP_CACHE" = YES ]; then
NGX_MODULE_SIGNATURE_32=1
fi
if [ "$HTTP_UPSTREAM_ZONE" = YES ]; then
NGX_MODULE_SIGNATURE_33=1
fi
if [ "$NGX_COMPAT" = YES ]; then
NGX_MODULE_SIGNATURE_3=1
NGX_MODULE_SIGNATURE_4=1
NGX_MODULE_SIGNATURE_18=1
NGX_MODULE_SIGNATURE_22=1
NGX_MODULE_SIGNATURE_24=1
NGX_MODULE_SIGNATURE_26=1
NGX_MODULE_SIGNATURE_28=1
NGX_MODULE_SIGNATURE_29=1
NGX_MODULE_SIGNATURE_30=1
NGX_MODULE_SIGNATURE_31=1
NGX_MODULE_SIGNATURE_33=1
NGX_MODULE_SIGNATURE_34=1
fi
}
combine_signatures_into_bash() {
for i in {0..34}; do
var_name="NGX_MODULE_SIGNATURE_${i}"
NGX_SCRIPT_VERIFICATION_DATA="${NGX_SCRIPT_VERIFICATION_DATA}${!var_name}"
done
}
print_flags() {
echo "Saving configuration to ${FILE_NAME_PATH}"
echo -e "NGX_SCRIPT_VERIFICATION_DATA=$NGX_SCRIPT_VERIFICATION_DATA" >> ${FILE_NAME_PATH}
echo -e "NGX_MODULE_SIGNATURE=$(strings $(which ${nginx_cmd}) | grep -F '8,4,8')" >> ${FILE_NAME_PATH}
echo -e "USE_PCRE=$USE_PCRE" >> ${FILE_NAME_PATH}
echo -e "TEST_BUILD_EPOLL=$TEST_BUILD_EPOLL" >> ${FILE_NAME_PATH}
echo -e "USE_THREADS=$USE_THREADS" >> ${FILE_NAME_PATH}
echo -e "HTTP_V3=$HTTP_V3" >> ${FILE_NAME_PATH}
echo -e "HTTP_SSL=$HTTP_SSL" >> ${FILE_NAME_PATH}
echo -e "HTTP_GZIP=$HTTP_GZIP" >> ${FILE_NAME_PATH}
echo -e "HTTP_GUNZIP=$HTTP_GUNZIP" >> ${FILE_NAME_PATH}
echo -e "HTTP_GZIP_STATIC=$HTTP_GZIP_STATIC" >> ${FILE_NAME_PATH}
echo -e "HTTP_PROXY=$HTTP_PROXY" >> ${FILE_NAME_PATH}
echo -e "HTTP_GEOIP=$HTTP_GEOIP" >> ${FILE_NAME_PATH}
echo -e "HTTP_GEO=$HTTP_GEO" >> ${FILE_NAME_PATH}
echo -e "HTTP_REALIP=$HTTP_REALIP" >> ${FILE_NAME_PATH}
echo -e "HTTP_DAV=$HTTP_DAV" >> ${FILE_NAME_PATH}
echo -e "HTTP_CACHE=$HTTP_CACHE" >> ${FILE_NAME_PATH}
echo -e "HTTP_UPSTREAM_ZONE=$HTTP_UPSTREAM_ZONE" >> ${FILE_NAME_PATH}
echo -e "NGX_COMPAT=$NGX_COMPAT" >> ${FILE_NAME_PATH}
echo -e "NGX_CC_OPT=$NGX_CC_OPT" >> ${FILE_NAME_PATH}
echo -e "NGX_LD_OPT=$NGX_LD_OPT" >> ${FILE_NAME_PATH}
echo -e "GCC_VERSION=$GCC_VERSION" >> ${FILE_NAME_PATH}
echo -e "NGINX_VERSION=$NGINX_VERSION" >> ${FILE_NAME_PATH}
echo -e "RELEASE_VERSION=$RELEASE_VERSION" >> ${FILE_NAME_PATH}
}
save_config() {
initializeEnvironment
extract_nginx_version_and_release
if [ "$IS_FILE_PATH_PROVIDED" = NO ]; then
FILE_NAME_PATH="$(pwd)/$NGINX_VERSION.mk"
fi
rm -f ${FILE_NAME_PATH}
if [ "$IS_CONFIG_FILE_PROVIDED" = NO ]; then
${nginx_cmd} -V &> "$TMP_NGINX_CONFIG_FILE"
fi
gcc_argument=$(cat $TMP_NGINX_CONFIG_FILE | grep "built by gcc")
extract_gcc "${gcc_argument}"
configure_arguments=$(cat $TMP_NGINX_CONFIG_FILE | grep "^configure arguments:" | sed 's/^configure arguments: //')
extract_cc_opt_ld_opt "$configure_arguments"
configure_arguments=$(echo "$configure_arguments" | sed "s/--with-cc-opt='[^']*'//" | sed "s/--with-ld-opt='[^']*'//" | tr -s ' ')
read_config_flags $configure_arguments
set_signatures
combine_signatures_into_bash
print_flags
}
read_chkp_mk_file() {
input_file="$1"
if [[ ! -f "$input_file" ]]; then
echo "Error: File '$input_file' not found."
exit 1
fi
while IFS= read -r line; do
[[ -z "$line" || "$line" =~ ^# ]] && continue
if [[ "$line" =~ ^([A-Z_]+)=(.*)$ ]]; then
var_name="${BASH_REMATCH[1]}"
var_value="${BASH_REMATCH[2]}"
export "$var_name"="$var_value"
fi
done < "$input_file"
}
print_ngx_config() {
read_chkp_mk_file "$1"
decode_configuration_flags
}
parse_save_arguments() {
while [[ $# -gt 0 ]]; do
case "$1" in
--config_file)
if [[ -n "$2" ]]; then
TMP_NGINX_CONFIG_FILE="$2"
IS_CONFIG_FILE_PROVIDED=YES
shift 2
else
echo "Error: --config_file requires a value."
exit 1
fi
;;
--save-location)
if [[ -n "$2" ]]; then
FILE_NAME_PATH="$2"
IS_FILE_PATH_PROVIDED=YES
shift 2
else
echo "Error: --save-location requires a value."
exit 1
fi
;;
*)
echo "Error: Invalid argument '$1'."
echo "Usage: $0 save [--config_file <file_path>] [--save-location <file_path>]"
exit 1
;;
esac
done
}
if [[ "$1" == "save" ]]; then
shift
parse_save_arguments "$@"
save_config
elif [[ "$1" == "load" ]]; then
if [[ -n "$2" ]]; then
print_ngx_config "$2"
else
echo "Error: Missing file path for 'load' command."
echo "Usage: $0 load <file_path>"
exit 1
fi
else
echo "Error: Invalid command."
echo "Usage: $0 <save|load> [file_path]"
exit 1
fi

30
nodes/prometheus/CMakeLists.txt Executable file
View File

@@ -0,0 +1,30 @@
add_subdirectory(package)
add_executable(prometheus main.cc)
target_link_libraries(prometheus
-Wl,--start-group
${COMMON_LIBRARIES}
generic_rulebase
generic_rulebase_evaluators
ip_utilities
version
signal_handler
prometheus_comp
http_transaction_data
-Wl,--end-group
)
add_dependencies(prometheus ngen_core)
install(TARGETS prometheus DESTINATION bin)
install(TARGETS prometheus DESTINATION prometheus_service/bin)
gen_package(
install-cp-nano-service-prometheus.sh
prometheus_service
./install-cp-nano-prometheus.sh
Check Point Prometheus Agent Version ${PACKAGE_VERSION} Install Package
)

15
nodes/prometheus/main.cc Executable file
View File

@@ -0,0 +1,15 @@
#include "components_list.h"
#include "prometheus_comp.h"
int
main(int argc, char **argv)
{
NodeComponents<PrometheusComp> comps;
comps.registerGlobalValue<bool>("Is Rest primary routine", true);
comps.registerGlobalValue<uint>("Nano service API Port Primary", 7465);
comps.registerGlobalValue<uint>("Nano service API Port Alternative", 7466);
comps.registerGlobalValue<bool>("Nano service API Allow Get From External IP", true);
return comps.run("Prometheus Service", argc, argv);
}

4
nodes/prometheus/package/CMakeLists.txt Executable file
View File

@@ -0,0 +1,4 @@
install(FILES install-cp-nano-prometheus.sh DESTINATION prometheus_service/ PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES cp-nano-prometheus.cfg DESTINATION prometheus_service/conf PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES cp-nano-prometheus-conf.json DESTINATION prometheus_service/conf PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)
install(FILES cp-nano-prometheus-debug-conf.json DESTINATION prometheus_service/conf PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ)

21
nodes/prometheus/package/cp-nano-prometheus-conf.json Executable file
View File

@@ -0,0 +1,21 @@
{
"connection": {
"Nano service API Port Primary": [
{
"value": 7465
}
],
"Nano service API Port Alternative": [
{
"value": 7466
}
]
},
"message": {
"Connection timeout": [
{
"value": 10000000
}
]
}
}

11
nodes/prometheus/package/cp-nano-prometheus-debug-conf.json Executable file
View File

@@ -0,0 +1,11 @@
{
"Debug": [
{
"Streams": [
{
"Output": "nano_agent/cp-nano-prometheus.dbg"
}
]
}
]
}

0
nodes/prometheus/package/cp-nano-prometheus.cfg Executable file
View File

164
nodes/prometheus/package/install-cp-nano-prometheus.sh Executable file
View File

@@ -0,0 +1,164 @@
#!/bin/sh
#Nano Service Details
NANO_SERVICE_NAME="prometheus"
NANO_SERVICE_BIN_NAME="cp-nano-prometheus"
NANO_SERVICE_INSTALLATION_FOLDER="prometheus"
ATTACHMENT_BIN_NAME="cp-nano-prometheus"
#Installable Names
CFG_FILE_NAME="cp-nano-prometheus.cfg"
DBG_CONF_FILE_NAME="cp-nano-prometheus-debug-conf.json"
SERVICE_CONF_FILE_NAME="cp-nano-prometheus-conf.json"
NANO_SERVICE_BIN="prometheus"
ATTACHMENT_BIN="prometheus_attachment"
#Const variables
FORCE_STDOUT=true
INSTALLATION_TIME=$(date)
CP_NANO_LOG_PATH="/var/log/nano_agent"
CP_NANO_CONF_PATH="/etc/cp/conf"
NANO_SERVICE_INSTALLATION_PATH="/etc/cp/${NANO_SERVICE_INSTALLATION_FOLDER}"
NANO_SERVICE_BIN_PATH=${NANO_SERVICE_INSTALLATION_PATH}/${NANO_SERVICE_BIN_NAME}
NANO_SERVICE_CFG_PATH=${NANO_SERVICE_BIN_PATH}.cfg
ATTACHMENT_BIN_PATH=${NANO_SERVICE_INSTALLATION_PATH}/${ATTACHMENT_BIN_NAME}
DBG_CONF_PATH=${CP_NANO_CONF_PATH}/${NANO_SERVICE_BIN_NAME}-debug-conf.json
SERVICE_CONF_PATH=${CP_NANO_CONF_PATH}/${NANO_SERVICE_BIN_NAME}-conf.json
DBG_FILE_PATH=${CP_NANO_LOG_PATH}/${NANO_SERVICE_BIN_NAME}.dbg
INSTALLATION_LOG_FILE=${CP_NANO_LOG_PATH}/${NANO_SERVICE_BIN_NAME}-install.log
mkdir -p ${CP_NANO_LOG_PATH}
touch ${DBG_FILE_PATH}
cp_print()
{
var_text=$1
var_std_out=$2
touch $INSTALLATION_LOG_FILE
if [ -n "$var_std_out" ]; then
if [ "$var_std_out" = "true" ]; then
printf "%b\n" "$var_text"
fi
fi
printf "%b\n" "$var_text" >> $INSTALLATION_LOG_FILE
}
cp_exec()
{
var_cmd=$1
var_std_out=$2
# Send exec output to RES
RES=$($var_cmd 2>&1)
if [ -n "$RES" ]; then
cp_print "$RES" "$var_std_out"
fi
}
set_configuration()
{
cp_exec "cp -n conf/${DBG_CONF_FILE_NAME} $DBG_CONF_PATH"
cp_exec "/etc/cp/scripts/cpnano_debug --default --service prometheus"
cp_exec "cp -n conf/${SERVICE_CONF_FILE_NAME} $SERVICE_CONF_PATH"
}
run_installation()
{
cp_print "Starting installation of Check Point ${NANO_SERVICE_NAME} Nano service [$INSTALLATION_TIME]\n" $FORCE_STDOUT
cp_exec "/etc/cp/watchdog/cp-nano-watchdog --un-register ${ATTACHMENT_BIN_PATH}"
cp_exec "/etc/cp/watchdog/cp-nano-watchdog --un-register ${NANO_SERVICE_BIN_PATH}"
att_path=$ATTACHMENT_BIN_PATH
cmd_pid_att=$(ps -eo pid,cmd,args | awk -v srv=${att_path} '{if($2 ~ srv || $3 ~ srv) print $1}')
srv_path=$NANO_SERVICE_BIN_NAME
cmd_pid_srv=$(ps -eo pid,cmd,args | awk -v srv=${srv_path} '{if($2 ~ srv || $3 ~ srv) print $1}')
if [ -n "$cmd_pid_att" ]; then
cp_print "Killing running instance(pid=$cmd_pid_att) of the prometheus attachment on installation"
kill -9 "$cmd_pid_att"
fi
if [ -n "$cmd_pid_srv" ]; then
cp_print "Killing running instance(pid=$cmd_pid_srv) of the prometheus service on installation"
kill -9 "$cmd_pid_srv"
fi
cp_exec "mkdir -p ${NANO_SERVICE_INSTALLATION_PATH}"
cp_exec "cp -f bin/${NANO_SERVICE_BIN} ${NANO_SERVICE_BIN_PATH}"
cp_exec "chmod +x ${NANO_SERVICE_BIN_PATH}"
cp_exec "cp -f conf/${CFG_FILE_NAME} ${NANO_SERVICE_CFG_PATH}"
cp_exec "chmod 600 ${NANO_SERVICE_CFG_PATH}"
set_configuration
cp_exec "/etc/cp/watchdog/cp-nano-watchdog --register ${NANO_SERVICE_BIN_PATH}"
cp_exec "/etc/cp/watchdog/cp-nano-watchdog --register ${ATTACHMENT_BIN_PATH}"
cp_print "Installation completed successfully." $FORCE_STDOUT
}
usage()
{
echo "Check Point: available flags are"
echo "--install : install ${NANO_SERVICE_NAME} Nano Service"
echo "--uninstall : remove ${NANO_SERVICE_NAME} Nano Service"
echo "--pre_install_test : run Pre-installation test for ${NANO_SERVICE_NAME} Nano Service install package"
echo "--post_install_test : run Post-installation test for ${NANO_SERVICE_NAME} Nano Service install package"
exit 255
}
run_uninstall()
{
cp_exec "/etc/cp/watchdog/cp-nano-watchdog --un-register ${ATTACHMENT_BIN_PATH}"
cp_exec "/etc/cp/watchdog/cp-nano-watchdog --un-register ${NANO_SERVICE_BIN_PATH}"
cp_exec "rm -rf ${NANO_SERVICE_INSTALLATION_PATH}"
cp_exec "rm -rf ${NANO_SERVICE_CONF_DIR}"
}
run_pre_install_test()
{
cp_print "Starting Pre-installation test of Check Point ${NANO_SERVICE_NAME} Nano service installation package [$INSTALLATION_TIME]\n" $FORCE_STDOUT
cp_print "Successfully finished pre-installation test for Check Point ${NANO_SERVICE_NAME} Nano service installation package [$INSTALLATION_TIME]\n" $FORCE_STDOUT
exit 0
}
run_post_install_test()
{
cp_print "Starting Post-installation test of Check Point ${NANO_SERVICE_NAME} Nano service installation package [$INSTALLATION_TIME]\n" $FORCE_STDOUT
if ! cat /etc/cp/watchdog/wd.services | grep -q ${NANO_SERVICE_BIN_PATH}; then
cp_print "Failed to register ${NANO_SERVICE_NAME} Nano service to the watchdog\n" $FORCE_STDOUT
exit 255
fi
cp_print "Successfully finished post-installation test for Check Point ${NANO_SERVICE_NAME} Nano service installation package [$INSTALLATION_TIME]\n" $FORCE_STDOUT
exit 0
}
run()
{
if [ '--install' = "$1" ]; then
run_installation "${@}"
elif [ '--uninstall' = "$1" ]; then
run_uninstall
elif [ '--pre_install_test' = "$1" ]; then
run_pre_install_test
elif [ '--post_install_test' = "$1" ]; then
run_post_install_test
else
usage
exit 1
fi
}
if [ "$(id -u)" != "0" ]; then
echo "Administrative privileges required for this Package (use su or sudo)"
exit 1
fi
shift
run "${@}"
exit 0