sync code

Aug 20th update

attachments/nginx/nginx_attachment_util/nginx_attachment_util_ut/nginx_attachment_util_ut.cc

@@ -73,27 +73,27 @@ TEST_F(HttpAttachmentUtilTest, GetValidAttachmentConfiguration)
     valid_configuration_file.close();
 
     EXPECT_EQ(initAttachmentConfig(attachment_configuration_file_name.c_str()), 1);
-    EXPECT_EQ(getDbgLevel(), 2);
+    EXPECT_EQ(getDbgLevel(), 2u);
     EXPECT_EQ(getStaticResourcesPath(), static_resources_path);
     EXPECT_EQ(isFailOpenMode(), 0);
-    EXPECT_EQ(getFailOpenTimeout(), 1234);
+    EXPECT_EQ(getFailOpenTimeout(), 1234u);
     EXPECT_EQ(isFailOpenHoldMode(), 1);
-    EXPECT_EQ(getFailOpenHoldTimeout(), 4321);
+    EXPECT_EQ(getFailOpenHoldTimeout(), 4321u);
     EXPECT_EQ(isFailOpenOnSessionLimit(), 1);
-    EXPECT_EQ(getMaxSessionsPerMinute(), 0);
-    EXPECT_EQ(getNumOfNginxIpcElements(), 200);
-    EXPECT_EQ(getKeepAliveIntervalMsec(), 10000);
-    EXPECT_EQ(getResProccessingTimeout(), 420);
-    EXPECT_EQ(getReqProccessingTimeout(), 42);
-    EXPECT_EQ(getRegistrationThreadTimeout(), 101);
-    EXPECT_EQ(getReqHeaderThreadTimeout(), 10);
-    EXPECT_EQ(getReqBodyThreadTimeout(), 155);
-    EXPECT_EQ(getResHeaderThreadTimeout(), 1);
-    EXPECT_EQ(getResBodyThreadTimeout(), 0);
-    EXPECT_EQ(getMinRetriesForVerdict(), 1);
-    EXPECT_EQ(getMaxRetriesForVerdict(), 3);
-    EXPECT_EQ(getReqBodySizeTrigger(), 777);
-    EXPECT_EQ(getWaitingForVerdictThreadTimeout(), 75);
+    EXPECT_EQ(getMaxSessionsPerMinute(), 0u);
+    EXPECT_EQ(getNumOfNginxIpcElements(), 200u);
+    EXPECT_EQ(getKeepAliveIntervalMsec(), 10000u);
+    EXPECT_EQ(getResProccessingTimeout(), 420u);
+    EXPECT_EQ(getReqProccessingTimeout(), 42u);
+    EXPECT_EQ(getRegistrationThreadTimeout(), 101u);
+    EXPECT_EQ(getReqHeaderThreadTimeout(), 10u);
+    EXPECT_EQ(getReqBodyThreadTimeout(), 155u);
+    EXPECT_EQ(getResHeaderThreadTimeout(), 1u);
+    EXPECT_EQ(getResBodyThreadTimeout(), 0u);
+    EXPECT_EQ(getMinRetriesForVerdict(), 1u);
+    EXPECT_EQ(getMaxRetriesForVerdict(), 3u);
+    EXPECT_EQ(getReqBodySizeTrigger(), 777u);
+    EXPECT_EQ(getWaitingForVerdictThreadTimeout(), 75u);
     EXPECT_EQ(getInspectionMode(), ngx_http_inspection_mode::BLOCKING_THREAD);
 
     EXPECT_EQ(isDebugContext("1.2.3.4", "5.6.7.8", 80, "GET", "test", "/abc"), 1);

build_system/docker/entry.sh

@@ -44,8 +44,11 @@ while true; do
 done
 
 if [ -z $var_token ] && [ $var_mode != "--hybrid_mode" ]; then
-    echo "Error: Token was not provided as input argument."
-    exit 1
+    var_token=$(env | grep 'AGENT_TOKEN=' | cut -d'=' -f2-)
+    if  [ -z $var_token ]; then
+        echo "Error: Token was not provided as input argument."
+        exit 1
+    fi
 fi
 
 orchestration_service_installation_flags="--container_mode --skip_registration"

components/include/external_sdk_server.h

@@ -24,7 +24,8 @@ class ExternalSdkServer
         :
     public Component,
     Singleton::Provide<I_ExternalSdkServer>,
-    Singleton::Consume<I_RestApi>
+    Singleton::Consume<I_RestApi>,
+    Singleton::Consume<I_Messaging>
 {
 public:
     ExternalSdkServer();

components/include/generic_rulebase/match_query.h

@@ -89,7 +89,9 @@ private:
     bool matchAttributesRegEx(const std::set<std::string> &values,
             std::set<std::string> &matched_override_keywords) const;
     bool matchAttributesString(const std::set<std::string> &values) const;
+    bool matchAttributesIp(const std::set<std::string> &values) const;
     bool isRegEx() const;
+    bool isIP() const;
 
     MatchType type;
     Operators operator_type;

components/security_apps/ips/ips_entry.cc

@@ -26,6 +26,8 @@ static const map<string, IPSConfiguration::Context> default_conf_mapping = {
 };
 
 static const IPSConfiguration default_conf(default_conf_mapping);
+static const IPSSignatures default_ips_sigs;
+static const SnortSignatures default_snort_sigs;
 
 IPSEntry::IPSEntry() : TableOpaqueSerialize<IPSEntry>(this) {}
 
@@ -51,9 +53,9 @@ IPSEntry::respond(const ParsedContext &parsed)
     ctx.registerValue(name, buf);
 
     ctx.activate();
-    auto &signatures = getConfigurationWithDefault(IPSSignatures(), "IPS", "IpsProtections");
+    auto &signatures = getConfigurationWithDefault(default_ips_sigs, "IPS", "IpsProtections");
     bool should_drop = signatures.isMatchedPrevent(parsed.getName(), buf);
-    auto &snort_signatures = getConfigurationWithDefault(SnortSignatures(), "IPSSnortSigs", "SnortProtections");
+    auto &snort_signatures = getConfigurationWithDefault(default_snort_sigs, "IPSSnortSigs", "SnortProtections");
     should_drop |= snort_signatures.isMatchedPrevent(parsed.getName(), buf);
     ctx.deactivate();
 

components/security_apps/ips/ips_ut/configuration.cc

@@ -7,7 +7,7 @@ TEST(configuration, basic_context)
 
     IPSConfiguration::Context ctx1(IPSConfiguration::ContextType::HISTORY, 254);
     EXPECT_EQ(ctx1.getType(), IPSConfiguration::ContextType::HISTORY);
-    EXPECT_EQ(ctx1.getHistorySize(), 254);
+    EXPECT_EQ(ctx1.getHistorySize(), 254u);
 
     IPSConfiguration::Context ctx2(IPSConfiguration::ContextType::NORMAL, 0);
     EXPECT_EQ(ctx2.getType(), IPSConfiguration::ContextType::NORMAL);
@@ -42,7 +42,7 @@ TEST(configuration, read_configuration)
 
     auto body = conf.getContext("HTTP_REQUEST_BODY");
     EXPECT_EQ(body.getType(), IPSConfiguration::ContextType::HISTORY);
-    EXPECT_EQ(conf.getHistorySize("HTTP_REQUEST_BODY"), 100);
+    EXPECT_EQ(conf.getHistorySize("HTTP_REQUEST_BODY"), 100u);
 
     auto header = conf.getContext("HTTP_REQUEST_HEADER");
     EXPECT_EQ(header.getType(), IPSConfiguration::ContextType::KEEP);

components/security_apps/ips/ips_ut/entry_ut.cc

@@ -137,8 +137,8 @@ private:
 TEST_F(EntryTest, basic_inherited_functions)
 {
     EXPECT_EQ(IPSEntry::name(), "IPS");
-    EXPECT_EQ(IPSEntry::currVer(), 0);
-    EXPECT_EQ(IPSEntry::minVer(), 0);
+    EXPECT_EQ(IPSEntry::currVer(), 0u);
+    EXPECT_EQ(IPSEntry::minVer(), 0u);
     EXPECT_NE(IPSEntry::prototype(), nullptr);
     EXPECT_EQ(entry.getListenerName(), IPSEntry::name());
 

components/security_apps/ips/ips_ut/resource_ut.cc

@@ -71,7 +71,7 @@ TEST(resources, basic_resource)
     Singleton::Consume<Config::I_Config>::from(conf)->loadConfiguration(resource);
 
     auto loaded_resources = getSettingWithDefault(IPSSignaturesResource(), "IPS", "protections");
-    EXPECT_EQ(loaded_resources.getSignatures().size(), 2);
+    EXPECT_EQ(loaded_resources.getSignatures().size(), 2u);
     auto version = getSettingWithDefault<string>("", "IPS", "VersionId");
     EXPECT_EQ(version, "1234567");
 }

components/security_apps/layer_7_access_control/layer_7_access_control.cc

@@ -385,8 +385,29 @@ Layer7AccessControl::Impl::init()
     i_intelligence = Singleton::Consume<I_Intelligence_IS_V2>::by<Layer7AccessControl>();
     i_mainloop = Singleton::Consume<I_MainLoop>::by<Layer7AccessControl>();
 
-    chrono::minutes expiration(
-        getProfileAgentSettingWithDefault<uint>(60u, "layer7AccessControl.crowdsec.cacheExpiration")
+    int cache_expiration_in_seconds = 30;
+    string cache_expiration_env = getenv("CROWDSEC_CACHE_EXPIRATION") ? getenv("CROWDSEC_CACHE_EXPIRATION") : "";
+    if (!cache_expiration_env.empty()) {
+        if (
+            all_of(cache_expiration_env.begin(), cache_expiration_env.end(), ::isdigit)
+            && stoi(cache_expiration_env) > 0
+        ) {
+            cache_expiration_in_seconds = stoi(cache_expiration_env);
+            dbgInfo(D_L7_ACCESS_CONTROL)
+                << "Successfully read cache expiration value from env: "
+                << cache_expiration_env;
+        } else {
+            dbgWarning(D_L7_ACCESS_CONTROL)
+                << "An invalid cache expiration value was provided in env: "
+                << cache_expiration_env;
+        }
+    }
+
+    chrono::seconds expiration(
+        getProfileAgentSettingWithDefault<uint>(
+            cache_expiration_in_seconds,
+            "layer7AccessControl.crowdsec.cacheExpiration"
+        )
     );
 
     ip_reputation_cache.startExpiration(

components/security_apps/layer_7_access_control/layer_7_access_control_ut/layer_7_access_control_ut.cc

@@ -247,7 +247,9 @@ Layer7AccessControlTest::verifyReport(
     string log = reportToStr(report);
     dbgTrace(D_L7_ACCESS_CONTROL) << "Report: " << log;
 
-    if (!source_identifier.empty()) EXPECT_THAT(log, HasSubstr("\"httpSourceId\": \"" + source_identifier + "\""));
+    if (!source_identifier.empty()) {
+        EXPECT_THAT(log, HasSubstr("\"httpSourceId\": \"" + source_identifier + "\""));
+    }
     EXPECT_THAT(log, HasSubstr("\"securityAction\": \"" + security_action + "\""));
     EXPECT_THAT(log, HasSubstr("\"eventName\": \"Access Control External Vendor Reputation\""));
     EXPECT_THAT(log, HasSubstr("\"httpHostName\": \"juice-shop.checkpoint.com\""));

components/security_apps/local_policy_mgmt_gen/appsec_practice_section.cc

@@ -404,6 +404,7 @@ AppsecPracticeAntiBotSection::save(cereal::JSONOutputArchive &out_ar) const
 }
 
 // LCOV_EXCL_START Reason: no test exist
+// Used for V1Beta1
 WebAppSection::WebAppSection(
     const string &_application_urls,
     const string &_asset_id,
@@ -417,7 +418,7 @@ WebAppSection::WebAppSection(
     const LogTriggerSection &parsed_log_trigger,
     const string &default_mode,
     const AppSecTrustedSources &parsed_trusted_sources,
-    const vector<InnerException> &parsed_exceptions)
+    const std::map<std::string, std::vector<InnerException>> &exceptions)
     :
     application_urls(_application_urls),
     asset_id(_asset_id),
@@ -449,8 +450,11 @@ WebAppSection::WebAppSection(
         overrides.push_back(AppSecOverride(source_ident));
     }
 
-    for (const InnerException &exception : parsed_exceptions) {
-        overrides.push_back(AppSecOverride(exception));
+    for (const auto &exception : exceptions) {
+
+        for (const auto &inner_exception : exception.second) {
+            overrides.push_back(AppSecOverride(inner_exception));
+        }
     }
 }
 

components/security_apps/local_policy_mgmt_gen/exceptions_section.cc

@@ -146,7 +146,9 @@ AppsecException::load(cereal::JSONInputArchive &archive_in)
 {
     dbgTrace(D_LOCAL_POLICY) << "Loading AppSec exception";
     parseAppsecJSONKey<string>("name", name, archive_in);
-    archive_in(CEREAL_NVP(exception_spec));
+    AppsecExceptionSpec single_exception_spec;
+    single_exception_spec.load(archive_in);
+    exception_spec.push_back(single_exception_spec);
 }
 
 void
@@ -174,7 +176,7 @@ ExceptionMatch::ExceptionMatch(const AppsecExceptionSpec &parsed_exception)
 {
     bool single_condition = parsed_exception.isOneCondition();
     for (auto &attrib : attributes) {
-        auto &attrib_name = attrib.first;
+        auto attrib_name = (attrib.first == "sourceIp" ? "sourceIP" : attrib.first);
         auto &attrib_getter = attrib.second;
         auto exceptions_value = attrib_getter(parsed_exception);
         if (exceptions_value.empty()) continue;

components/security_apps/local_policy_mgmt_gen/include/appsec_practice_section.h

@@ -275,7 +275,7 @@ public:
         const LogTriggerSection &parsed_log_trigger,
         const std::string &default_mode,
         const AppSecTrustedSources &parsed_trusted_sources,
-        const std::vector<InnerException> &parsed_exceptions
+        const std::map<std::string, std::vector<InnerException>> &exceptions
     );
 
     // used for V1beta2

components/security_apps/local_policy_mgmt_gen/include/exceptions_section.h

@@ -44,7 +44,7 @@ public:
     bool isOneCondition() const;
 
 private:
-    int conditions_number;
+    int conditions_number = 0;
     std::string action;
     std::vector<std::string> country_code;
     std::vector<std::string> country_name;

components/security_apps/local_policy_mgmt_gen/include/ingress_data.h

@@ -79,6 +79,7 @@ class DefaultBackend
 {
 public:
     void load(cereal::JSONInputArchive &);
+    bool doesExist() const;
 
 private:
     bool is_exists = false;
@@ -90,6 +91,7 @@ public:
     void load(cereal::JSONInputArchive &archive_in);
 
     const std::vector<IngressDefinedRule> & getRules() const;
+    bool doesDefaultBackendExist() const;
 
 private:
     std::string ingress_class_name;

components/security_apps/local_policy_mgmt_gen/include/new_log_trigger.h

@@ -129,7 +129,7 @@ public:
     bool shouldBeautifyLogs() const;
 
     bool getCloud() const;
-    bool isK8SNeeded() const;
+    bool isContainerNeeded() const;
     bool isCefNeeded() const;
     bool isSyslogNeeded() const;
     const std::string & getSyslogServerIpv4Address() const;
@@ -140,7 +140,7 @@ private:
     const NewLoggingService & getCefServiceData() const;
 
     bool cloud = false;
-    bool k8s_service = false;
+    bool container_service = false;
     bool agent_local = true;
     bool beautify_logs = true;
     NewLoggingService syslog_service;

components/security_apps/local_policy_mgmt_gen/include/policy_maker_utils.h

@@ -111,7 +111,7 @@ private:
     SecurityAppsWrapper security_apps;
 };
 
-class PolicyMakerUtils
+class PolicyMakerUtils : Singleton::Consume<I_EnvDetails>
 {
 public:
     std::string proccesSingleAppsecPolicy(

components/security_apps/local_policy_mgmt_gen/include/triggers_section.h

@@ -39,7 +39,7 @@ public:
         bool _logToAgent,
         bool _logToCef,
         bool _logToCloud,
-        bool _logToK8sService,
+        bool _logToContainerService,
         bool _logToSyslog,
         bool _responseBody,
         bool _tpDetect,
@@ -73,7 +73,7 @@ private:
     bool logToAgent;
     bool logToCef;
     bool logToCloud;
-    bool logToK8sService;
+    bool logToContainerService;
     bool logToSyslog;
     bool responseBody;
     bool tpDetect;
@@ -258,7 +258,7 @@ public:
     bool shouldBeautifyLogs() const;
 
     bool getCloud() const;
-    bool isK8SNeeded() const;
+    bool isContainerNeeded() const;
     bool isCefNeeded() const;
     bool isSyslogNeeded() const;
     const std::string & getSyslogServerIpv4Address() const;
@@ -269,7 +269,7 @@ private:
     const LoggingService & getCefServiceData() const;
 
     bool cloud = false;
-    bool k8s_service = false;
+    bool container_service = false;
     bool agent_local = true;
     bool beautify_logs = true;
     LoggingService syslog_service;

components/security_apps/local_policy_mgmt_gen/ingress_data.cc

@@ -86,6 +86,12 @@ DefaultBackend::load(cereal::JSONInputArchive &)
     is_exists = true;
 }
 
+bool
+DefaultBackend::doesExist() const
+{
+    return is_exists;
+}
+
 void
 IngressSpec::load(cereal::JSONInputArchive &archive_in)
 {
@@ -101,6 +107,12 @@ IngressSpec::getRules() const
     return rules;
 }
 
+bool
+IngressSpec::doesDefaultBackendExist() const
+{
+    return default_backend.doesExist();
+}
+
 void
 SingleIngressData::load(cereal::JSONInputArchive &archive_in)
 {

components/security_apps/local_policy_mgmt_gen/k8s_policy_utils.cc

@@ -532,25 +532,37 @@ K8sPolicyUtils::createPolicy(
     map<AnnotationKeys, string> &annotations_values,
     const SingleIngressData &item) const
 {
+    if (policies.find(annotations_values[AnnotationKeys::PolicyKey]) == policies.end()) {
+        policies[annotations_values[AnnotationKeys::PolicyKey]] = appsec_policy;
+    }
+    if (item.getSpec().doesDefaultBackendExist()) {
+        dbgTrace(D_LOCAL_POLICY)
+            << "Inserting Any host rule to the specific asset set";
+        K ingress_rule = K("*");
+        policies[annotations_values[AnnotationKeys::PolicyKey]].addSpecificRule(ingress_rule);
+    }
+
     for (const IngressDefinedRule &rule : item.getSpec().getRules()) {
-        string url = rule.getHost();
+        string host = rule.getHost();
         for (const IngressRulePath &uri : rule.getPathsWrapper().getRulePaths()) {
-            if (!appsec_policy.getAppsecPolicySpec().isAssetHostExist(url + uri.getPath())) {
+            if (uri.getPath() != "/") {
+                host = host + uri.getPath();
+            }
+            if (!appsec_policy.getAppsecPolicySpec().isAssetHostExist(host)) {
                 dbgTrace(D_LOCAL_POLICY)
                     << "Inserting Host data to the specific asset set:"
                     << "URL: '"
-                    << url
+                    << rule.getHost()
                     << "' uri: '"
                     << uri.getPath()
                     << "'";
-                K ingress_rule = K(url + uri.getPath());
-                appsec_policy.addSpecificRule(ingress_rule);
+                K ingress_rule = K(host);
+                policies[annotations_values[AnnotationKeys::PolicyKey]].addSpecificRule(ingress_rule);
             }
         }
     }
-    policies[annotations_values[AnnotationKeys::PolicyKey]] = appsec_policy;
-}
 
+}
 
 std::tuple<map<string, AppsecLinuxPolicy>, map<string, V1beta2AppsecLinuxPolicy>>
 K8sPolicyUtils::createAppsecPoliciesFromIngresses()

components/security_apps/local_policy_mgmt_gen/new_appsec_policy_crd_parser.cc

@@ -126,6 +126,7 @@ NewAppsecPolicySpec::load(cereal::JSONInputArchive &archive_in)
     dbgTrace(D_LOCAL_POLICY) << "Loading AppSec policy spec";
     parseAppsecJSONKey<string>("appsecClassName", appsec_class_name, archive_in);
     parseAppsecJSONKey<NewParsedRule>("default", default_rule, archive_in);
+    default_rule.setHost("*");
     parseAppsecJSONKey<vector<NewParsedRule>>("specificRules", specific_rules, archive_in);
 }
 

components/security_apps/local_policy_mgmt_gen/new_log_trigger.cc

@@ -183,7 +183,9 @@ NewAppsecTriggerLogDestination::load(cereal::JSONInputArchive &archive_in)
     auto mode = Singleton::Consume<I_AgentDetails>::by<NewAppsecTriggerLogDestination>()->getOrchestrationMode();
     auto env_type = Singleton::Consume<I_EnvDetails>::by<NewAppsecTriggerLogDestination>()->getEnvType();
     bool k8s_service_default = (mode == OrchestrationMode::HYBRID && env_type == EnvType::K8S);
-    parseAppsecJSONKey<bool>("k8s-service", k8s_service, archive_in, k8s_service_default);
+    // BC try load previous name. TODO: update CRD
+    parseAppsecJSONKey<bool>("k8s-service", container_service, archive_in, k8s_service_default);
+    parseAppsecJSONKey<bool>("container-service", container_service, archive_in, container_service);
 
     NewStdoutLogging stdout_log;
     parseAppsecJSONKey<NewStdoutLogging>("stdout", stdout_log, archive_in);
@@ -224,9 +226,9 @@ NewAppsecTriggerLogDestination::getCloud() const
 }
 
 bool
-NewAppsecTriggerLogDestination::isK8SNeeded() const
+NewAppsecTriggerLogDestination::isContainerNeeded() const
 {
-    return k8s_service;
+    return container_service;
 }
 
 bool

components/security_apps/local_policy_mgmt_gen/policy_maker_utils.cc

@@ -21,6 +21,7 @@
 using namespace std;
 
 USE_DEBUG_FLAG(D_NGINX_POLICY);
+USE_DEBUG_FLAG(D_LOCAL_POLICY);
 
 void
 SecurityAppsWrapper::save(cereal::JSONOutputArchive &out_ar) const
@@ -185,6 +186,33 @@ PolicyMakerUtils::dumpPolicyToFile(
     return policy_str;
 }
 
+template<class R>
+vector<string>
+extractExceptionAnnotationNames(
+    const R &parsed_rule,
+    const R &default_rule,
+    const string &policy_name)
+{
+    vector<string> annotation_names;
+
+    const R &rule = (!parsed_rule.getExceptions().empty() ? parsed_rule : default_rule);
+    for (const string &exception_name : rule.getExceptions()) {
+        if (exception_name.empty()) {
+            continue;
+        }
+
+        const auto policy_exception = policy_name + "/" + exception_name;
+
+        dbgTrace(D_NGINX_POLICY) << "Adding " << policy_exception << " to exception vector";
+
+        annotation_names.push_back(policy_exception);
+    }
+
+    dbgTrace(D_NGINX_POLICY) << "Number of exceptions related to rule: " << annotation_names.size();
+
+    return annotation_names;
+}
+
 template<class R>
 map<AnnotationTypes, string>
 extractAnnotationsNames(
@@ -217,18 +245,6 @@ extractAnnotationsNames(
         rule_annotation[AnnotationTypes::TRIGGER] = policy_name + "/" + trigger_annotation_name;
     }
 
-    string exception_annotation_name;
-    // TBD: support multiple exceptions
-    if (!parsed_rule.getExceptions().empty() && !parsed_rule.getExceptions()[0].empty()) {
-        exception_annotation_name = parsed_rule.getExceptions()[0];
-    } else if (!default_rule.getExceptions().empty() && !default_rule.getExceptions()[0].empty()) {
-        exception_annotation_name = default_rule.getExceptions()[0];
-    }
-
-    if (!exception_annotation_name.empty()) {
-        rule_annotation[AnnotationTypes::EXCEPTION] = policy_name + "/" + exception_annotation_name;
-    }
-
     string web_user_res_annotation_name =
         parsed_rule.getCustomResponse().empty() ?
         default_rule.getCustomResponse() :
@@ -444,6 +460,7 @@ template<class T, class R>
 R
 getAppsecExceptionSpec(const string &exception_annotation_name, const T &policy)
 {
+    dbgFlow(D_NGINX_POLICY) << "anotation name: " << exception_annotation_name;
     auto exceptions_vec = policy.getAppsecExceptions();
     auto exception_it = extractElement(exceptions_vec.begin(), exceptions_vec.end(), exception_annotation_name);
 
@@ -538,7 +555,7 @@ extractLogTriggerData(const string &trigger_annotation_name, const T &trigger_sp
     bool webHeaders = trigger_spec.getAppsecTriggerExtendedLogging().isHttpHeaders();
     bool webBody = trigger_spec.getAppsecTriggerExtendedLogging().isRequestBody();
     bool logToCloud = trigger_spec.getAppsecTriggerLogDestination().getCloud();
-    bool logToK8sService = trigger_spec.getAppsecTriggerLogDestination().isK8SNeeded();
+    bool logToContainerService = trigger_spec.getAppsecTriggerLogDestination().isContainerNeeded();
     bool logToAgent = trigger_spec.getAppsecTriggerLogDestination().isAgentLocal();
     bool beautify_logs = trigger_spec.getAppsecTriggerLogDestination().shouldBeautifyLogs();
     bool logToCef = trigger_spec.getAppsecTriggerLogDestination().isCefNeeded();
@@ -565,7 +582,7 @@ extractLogTriggerData(const string &trigger_annotation_name, const T &trigger_sp
         logToAgent,
         logToCef,
         logToCloud,
-        logToK8sService,
+        logToContainerService,
         logToSyslog,
         responseBody,
         tpDetect,
@@ -776,6 +793,7 @@ createExceptionSection(
     const string &exception_annotation_name,
     const T &policy)
 {
+    dbgFlow(D_NGINX_POLICY) << "exception annotation name" << exception_annotation_name;
     AppsecException exception_spec =
         getAppsecExceptionSpec<T, AppsecException>(exception_annotation_name, policy);
     vector<InnerException> res;
@@ -784,6 +802,7 @@ createExceptionSection(
         ExceptionBehavior exception_behavior(exception.getAction());
         res.push_back(InnerException(exception_behavior, exception_match));
     }
+
     return res;
 }
 
@@ -896,13 +915,16 @@ createMultiRulesSections(
     const string &web_user_res_vec_id,
     const string &web_user_res_vec_type,
     const string &asset_name,
-    const string &exception_name,
-    const vector<InnerException> &exceptions)
+    const std::map<std::string, std::vector<InnerException>> &exceptions)
 {
     PracticeSection practice = PracticeSection(practice_id, practice_type, practice_name);
     vector<ParametersSection> exceptions_result;
     for (auto exception : exceptions) {
-        exceptions_result.push_back(ParametersSection(exception.getBehaviorId(), exception_name));
+
+        const auto &exception_name = exception.first;
+        for (const auto &inner_exception : exception.second) {
+            exceptions_result.push_back(ParametersSection(inner_exception.getBehaviorId(), exception_name));
+        }
     }
 
     vector<RulesTriggerSection> triggers;
@@ -1344,6 +1366,7 @@ PolicyMakerUtils::combineElementsToPolicy(const string &policy_version)
             convertMapToVector(log_triggers), convertMapToVector(web_user_res_triggers)
         )
     );
+
     ExceptionsWrapper exceptions_section({
         ExceptionsRulebase(convertExceptionsMapToVector(inner_exceptions))
     });
@@ -1381,6 +1404,7 @@ PolicyMakerUtils::createPolicyElementsByRule(
     const string &policy_name)
 {
     map<AnnotationTypes, string> rule_annotations = extractAnnotationsNames(rule, default_rule, policy_name);
+
     if (
         !rule_annotations[AnnotationTypes::TRIGGER].empty() &&
         !log_triggers.count(rule_annotations[AnnotationTypes::TRIGGER])
@@ -1403,15 +1427,27 @@ PolicyMakerUtils::createPolicyElementsByRule(
             );
     }
 
-    if (
-        !rule_annotations[AnnotationTypes::EXCEPTION].empty() &&
-        !inner_exceptions.count(rule_annotations[AnnotationTypes::EXCEPTION])
-    ) {
-        inner_exceptions[rule_annotations[AnnotationTypes::EXCEPTION]] =
-            createExceptionSection<T>(
-                rule_annotations[AnnotationTypes::EXCEPTION],
-                policy
-            );
+    const auto exceptions_annotations = extractExceptionAnnotationNames(rule, default_rule, policy_name);
+    std::map<std::string, std::vector<InnerException>> rule_inner_exceptions;
+    if (!exceptions_annotations.empty()) {
+        for (const auto &exception_name :exceptions_annotations) {
+            dbgWarning(D_LOCAL_POLICY) << "exceptions name: " << exception_name;
+
+            if (rule_inner_exceptions.count(exception_name)) {
+                dbgWarning(D_LOCAL_POLICY) << "exception name already exists for that rule: " << exception_name;
+                continue;
+            }
+
+            if (inner_exceptions.count(exception_name)) {
+                dbgWarning(D_LOCAL_POLICY) << "exception name already exists in inner exceptions: " << exception_name;
+                rule_inner_exceptions[exception_name] = inner_exceptions[exception_name];
+                continue;
+            }
+
+            auto exception_section = createExceptionSection<T>(exception_name, policy);
+            rule_inner_exceptions[exception_name] = exception_section;
+            inner_exceptions[exception_name] = exception_section;
+        }
     }
 
     if (
@@ -1470,8 +1506,7 @@ PolicyMakerUtils::createPolicyElementsByRule(
             web_user_res_triggers[rule_annotations[AnnotationTypes::WEB_USER_RES]].getTriggerId(),
             "WebUserResponse",
             full_url,
-            rule_annotations[AnnotationTypes::EXCEPTION],
-            inner_exceptions[rule_annotations[AnnotationTypes::EXCEPTION]]
+            rule_inner_exceptions
         );
         rules_config[rule_config.getAssetName()] = rule_config;
 
@@ -1498,7 +1533,7 @@ PolicyMakerUtils::createPolicyElementsByRule(
                 log_triggers[rule_annotations[AnnotationTypes::TRIGGER]],
                 rule.getMode(),
                 trusted_sources[rule_annotations[AnnotationTypes::TRUSTED_SOURCES]],
-                inner_exceptions[rule_annotations[AnnotationTypes::EXCEPTION]]
+                rule_inner_exceptions
             );
             web_apps[rule_config.getAssetName()] = web_app;
         }
@@ -1636,7 +1671,9 @@ PolicyMakerUtils::createAgentPolicyFromAppsecPolicy(const string &policy_name, c
     createPolicyElements<T, R>(specific_rules, default_rule, appsec_policy, policy_name);
 
     // add default rule to policy
-    createPolicyElementsByRule<T, R>(default_rule, default_rule, appsec_policy, policy_name);
+    if (Singleton::Consume<I_EnvDetails>::by<PolicyMakerUtils>()->getEnvType() != EnvType::K8S) {
+        createPolicyElementsByRule<T, R>(default_rule, default_rule, appsec_policy, policy_name);
+    }
 }
 
 // LCOV_EXCL_START Reason: no test exist
@@ -1659,11 +1696,13 @@ PolicyMakerUtils::createAgentPolicyFromAppsecPolicy<V1beta2AppsecLinuxPolicy, Ne
     );
 
     // add default rule to policy
-    createPolicyElementsByRule<V1beta2AppsecLinuxPolicy, NewParsedRule>(
-        default_rule,
-        default_rule,
-        appsec_policy,
-        policy_name);
+    if (Singleton::Consume<I_EnvDetails>::by<PolicyMakerUtils>()->getEnvType() != EnvType::K8S) {
+        createPolicyElementsByRule<V1beta2AppsecLinuxPolicy, NewParsedRule>(
+            default_rule,
+            default_rule,
+            appsec_policy,
+            policy_name);
+    }
 }
 // LCOV_EXCL_STOP
 

components/security_apps/local_policy_mgmt_gen/triggers_section.cc

@@ -30,7 +30,7 @@ LogTriggerSection::LogTriggerSection(
     bool _logToAgent,
     bool _logToCef,
     bool _logToCloud,
-    bool _logToK8sService,
+    bool _logToContainerService,
     bool _logToSyslog,
     bool _responseBody,
     bool _tpDetect,
@@ -55,7 +55,7 @@ LogTriggerSection::LogTriggerSection(
     logToAgent(_logToAgent),
     logToCef(_logToCef),
     logToCloud(_logToCloud),
-    logToK8sService(_logToK8sService),
+    logToContainerService(_logToContainerService),
     logToSyslog(_logToSyslog),
     responseBody(_responseBody),
     tpDetect(_tpDetect),
@@ -101,7 +101,7 @@ LogTriggerSection::save(cereal::JSONOutputArchive &out_ar) const
         cereal::make_nvp("logToAgent",               logToAgent),
         cereal::make_nvp("logToCef",                 logToCef),
         cereal::make_nvp("logToCloud",               logToCloud),
-        cereal::make_nvp("logToK8sService",          logToK8sService),
+        cereal::make_nvp("logToContainerService",    logToContainerService),
         cereal::make_nvp("logToSyslog",              logToSyslog),
         cereal::make_nvp("responseBody",             responseBody),
         cereal::make_nvp("responseCode",             false),
@@ -396,7 +396,9 @@ AppsecTriggerLogDestination::load(cereal::JSONInputArchive &archive_in)
     auto mode = Singleton::Consume<I_AgentDetails>::by<AppsecTriggerLogDestination>()->getOrchestrationMode();
     auto env_type = Singleton::Consume<I_EnvDetails>::by<AppsecTriggerLogDestination>()->getEnvType();
     bool k8s_service_default = (mode == OrchestrationMode::HYBRID && env_type == EnvType::K8S);
-    parseAppsecJSONKey<bool>("k8s-service", k8s_service, archive_in, k8s_service_default);
+    // BC try load previous name. TODO: update CRD
+    parseAppsecJSONKey<bool>("k8s-service", container_service, archive_in, k8s_service_default);
+    parseAppsecJSONKey<bool>("container-service", container_service, archive_in, container_service);
 
     StdoutLogging stdout_log;
     parseAppsecJSONKey<StdoutLogging>("stdout", stdout_log, archive_in);
@@ -437,9 +439,9 @@ AppsecTriggerLogDestination::getCloud() const
 }
 
 bool
-AppsecTriggerLogDestination::isK8SNeeded() const
+AppsecTriggerLogDestination::isContainerNeeded() const
 {
-    return k8s_service;
+    return container_service;
 }
 
 bool

components/security_apps/orchestration/CMakeLists.txt

@@ -15,5 +15,6 @@ add_subdirectory(health_check)
 add_subdirectory(health_check_manager)
 add_subdirectory(updates_process_reporter)
 add_subdirectory(env_details)
+add_subdirectory(external_sdk_server)
 
 #add_subdirectory(orchestration_ut)

components/security_apps/orchestration/details_resolver/details_resolver.cc

@@ -142,7 +142,7 @@ DetailsResolver::Impl::isCloudStorageEnabled()
 {
     auto cloud_storage_mode_override = getProfileAgentSetting<bool>("agent.cloudStorage.enabled");
     if (cloud_storage_mode_override.ok()) {
-        dbgInfo(D_ORCHESTRATOR) << "Received cloud-storage mode override: " << *cloud_storage_mode_override;
+        dbgDebug(D_ORCHESTRATOR) << "Received cloud-storage mode override: " << *cloud_storage_mode_override;
         return *cloud_storage_mode_override;
     }
 

components/security_apps/orchestration/details_resolver/details_resolving_handler.cc

@@ -142,7 +142,7 @@ DetailsResolvingHanlder::Impl::getResolvedDetails() const
         shared_ptr<ifstream> in_file =
             Singleton::Consume<I_OrchestrationTools>::by<DetailsResolvingHanlder>()->fileStreamWrapper(path);
         if (!in_file->is_open()) {
-            dbgWarning(D_AGENT_DETAILS) << "Could not open file for processing. Path: " << path;
+            dbgDebug(D_AGENT_DETAILS) << "Could not open file for processing. Path: " << path;
             continue;
         }
 

components/security_apps/orchestration/downloader/downloader_ut/downloader_ut.cc

@@ -1,3 +1,7 @@
+#include <sstream>
+class Package;
+static std::ostream & operator<<(std::ostream &os, const Package &) { return os; }
+
 #include "cptest.h"
 #include "config.h"
 #include "config_component.h"

components/security_apps/orchestration/external_sdk_server/CMakeLists.txt

@@ -0,0 +1,4 @@
+include_directories(${PROJECT_SOURCE_DIR}/core/external_sdk/)
+
+add_library(external_sdk_server external_sdk_server.cc)
+add_subdirectory(external_sdk_server_ut)

components/security_apps/orchestration/external_sdk_server/external_sdk_server.cc

@@ -0,0 +1,348 @@
+#include "external_sdk_server.h"
+
+#include "external_agent_sdk.h"
+#include "log_generator.h"
+#include "rest_server.h"
+#include "generic_metric.h"
+#include "customized_cereal_map.h"
+#include "report/log_rest.h"
+
+using namespace std;
+
+USE_DEBUG_FLAG(D_EXTERNAL_SDK_USER);
+USE_DEBUG_FLAG(D_EXTERNAL_SDK_SERVER);
+
+class ExternalSdkRest : public ServerRest
+{
+public:
+    void
+    doCall() override
+    {
+        dbgFlow(D_EXTERNAL_SDK_SERVER);
+        Maybe<SdkApiType> sdk_event_type = convertToEnum<SdkApiType>(event_type.get());
+        if (!sdk_event_type.ok()) {
+            dbgWarning(D_EXTERNAL_SDK_SERVER) << "Received illegal event type. Type : " << event_type.get();
+            throw JsonError("Illegal event type provided");
+        }
+        dbgDebug(D_EXTERNAL_SDK_SERVER)
+            << "Handling a new external sdk api call event. Type : "
+            << convertApiTypeToString(sdk_event_type.unpack());
+
+        I_ExternalSdkServer *sdk_server = Singleton::Consume<I_ExternalSdkServer>::from<ExternalSdkServer>();
+        switch(sdk_event_type.unpack()) {
+            case SdkApiType::SendCodeEvent: {
+                if (!file.isActive()) {
+                    throw JsonError("File was not provided for code event");
+                }
+                if (!func.isActive()) {
+                    throw JsonError("Function was not provided for code event");
+                }
+                if (!line.isActive()) {
+                    throw JsonError("Line path was not provided for code event");
+                }
+                if (!trace_id.isActive()) {
+                    throw JsonError("Trace ID was not provided for code event");
+                }
+                if (!span_id.isActive()) {
+                    throw JsonError("Span ID was not provided for code event");
+                }
+                if (!message.isActive()) {
+                    throw JsonError("Message was not provided for code event");
+                }
+                sdk_server->sendDebug(
+                    file.get(),
+                    func.get(),
+                    line.get(),
+                    getDebugLevel(),
+                    trace_id.get(),
+                    span_id.get(),
+                    message.get(),
+                    additional_fields.isActive() ? additional_fields.get() : map<string, string>()
+                );
+                return;
+            }
+            case SdkApiType::SendEventDrivenEvent: {
+                if (!event_name.isActive()) {
+                    throw JsonError("Event name was not provided for event");
+                }
+                sdk_server->sendLog(
+                    event_name.get(),
+                    getAudience(),
+                    getSeverity(),
+                    getPriority(),
+                    tag.get(),
+                    additional_fields.isActive() ? additional_fields.get() : map<string, string>()
+                );
+                return;
+            }
+            case SdkApiType::SendGetConfigRequest: {
+                if (!config_path.isActive()) {
+                    throw JsonError("Config path was not provided for get configuration event");
+                }
+                Maybe<string> config_val = sdk_server->getConfigValue(config_path.get());
+                config_value = config_val.ok() ? config_val.unpack() : "";
+                return;
+            }
+            case SdkApiType::SendPeriodicEvent: {
+                if (!event_name.isActive()) {
+                    throw JsonError("Event name was not provided for periodic event");
+                }
+                if (!service_name.isActive()) {
+                    throw JsonError("Service name was not provided for periodic event");
+                }
+                sdk_server->sendMetric(
+                    event_name,
+                    service_name,
+                    getAudienceTeam(),
+                    ReportIS::IssuingEngine::AGENT_CORE,
+                    additional_fields.isActive() ? additional_fields.get() : map<string, string>()
+                );
+                return;
+            }
+            default: {
+                dbgError(D_EXTERNAL_SDK_SERVER) << "Received illegal event type. Type : " << event_type.get();
+            }
+        }
+    }
+
+private:
+    static string
+    convertApiTypeToString(SdkApiType type)
+    {
+        static const EnumArray<SdkApiType, string> api_type_string {
+            "Code Event",
+            "Periodic Event",
+            "Event Driven",
+            "Get Configuration",
+        };
+        return api_type_string[type];
+    }
+
+    Debug::DebugLevel
+    getDebugLevel()
+    {
+        static const map<int, Debug::DebugLevel> debug_levels = {
+            {0, Debug::DebugLevel::TRACE},
+            {1, Debug::DebugLevel::DEBUG},
+            {2, Debug::DebugLevel::INFO},
+            {3, Debug::DebugLevel::WARNING},
+            {4, Debug::DebugLevel::ERROR}
+        };
+        if (!debug_level.isActive()) {
+            throw JsonError("Debug level was not provided for code event");
+        }
+        auto level = debug_levels.find(debug_level.get());
+        if(level == debug_levels.end()) {
+            throw JsonError("Illegal debug level provided");
+        }
+
+        return level->second;
+    }
+
+    ReportIS::Severity
+    getSeverity()
+    {
+        if (!severity.isActive()) {
+            throw JsonError("Event severity was not provided for periodic event");
+        }
+        switch (severity.get()) {
+            case EventSeverity::SeverityCritical: return ReportIS::Severity::CRITICAL;
+            case EventSeverity::SeverityHigh: return ReportIS::Severity::HIGH;
+            case EventSeverity::SeverityMedium: return ReportIS::Severity::MEDIUM;
+            case EventSeverity::SeverityLow: return ReportIS::Severity::LOW;
+            case EventSeverity::SeverityInfo: return ReportIS::Severity::INFO;
+            default:
+                throw JsonError("Illegal event severity provided");
+        }
+    }
+
+    ReportIS::Priority
+    getPriority()
+    {
+        if (!priority.isActive()) {
+            throw JsonError("Event priority was not provided");
+        }
+        switch (priority.get()) {
+            case EventPriority::PriorityUrgent: return ReportIS::Priority::URGENT;
+            case EventPriority::PriorityHigh: return ReportIS::Priority::HIGH;
+            case EventPriority::PriorityMedium: return ReportIS::Priority::MEDIUM;
+            case EventPriority::PriorityLow: return ReportIS::Priority::LOW;
+            default:
+                throw JsonError("Illegal event priority provided");
+        }
+    }
+
+    ReportIS::Audience
+    getAudience()
+    {
+        if (!audience.isActive()) {
+            throw JsonError("Event audience was not provided");
+        }
+        switch (audience.get()) {
+            case EventAudience::AudienceSecurity: return ReportIS::Audience::SECURITY;
+            case EventAudience::AudienceInternal: return ReportIS::Audience::INTERNAL;
+            default:
+                throw JsonError("Illegal event audience provided");
+        }
+    }
+
+    ReportIS::AudienceTeam
+    getAudienceTeam()
+    {
+        if (!team.isActive()) {
+            throw JsonError("Event audience team was not provided");
+        }
+        switch (team.get()) {
+            case EventAudienceTeam::AudienceTeamAgentCore: return ReportIS::AudienceTeam::AGENT_CORE;
+            case EventAudienceTeam::AudienceTeamIot: return ReportIS::AudienceTeam::IOT_NEXT;
+            case EventAudienceTeam::AudienceTeamWaap: return ReportIS::AudienceTeam::WAAP;
+            case EventAudienceTeam::AudienceTeamAgentIntelligence: return ReportIS::AudienceTeam::AGENT_INTELLIGENCE;
+            default:
+                throw JsonError("Illegal event audience team provided");
+        }
+    }
+
+    using additional_fields_map = map<string, string>;
+    C2S_LABEL_PARAM(int, event_type, "eventType");
+    C2S_LABEL_OPTIONAL_PARAM(additional_fields_map, additional_fields, "additionalFields");
+    C2S_LABEL_OPTIONAL_PARAM(string, event_name, "eventName");
+    C2S_LABEL_OPTIONAL_PARAM(string, service_name, "serviceName");
+    C2S_OPTIONAL_PARAM(int, team);
+    C2S_OPTIONAL_PARAM(int, audience);
+    C2S_OPTIONAL_PARAM(int, severity);
+    C2S_OPTIONAL_PARAM(int, priority);
+    C2S_OPTIONAL_PARAM(string, tag);
+    C2S_OPTIONAL_PARAM(string, file);
+    C2S_OPTIONAL_PARAM(string, func);
+    C2S_OPTIONAL_PARAM(int, line);
+    C2S_LABEL_OPTIONAL_PARAM(int, debug_level, "debugLevel");
+    C2S_LABEL_OPTIONAL_PARAM(string, trace_id, "traceId");
+    C2S_LABEL_OPTIONAL_PARAM(string, span_id, "spanId");
+    C2S_OPTIONAL_PARAM(string, message);
+    C2S_LABEL_OPTIONAL_PARAM(string, config_path, "configPath");
+    S2C_LABEL_OPTIONAL_PARAM(string, config_value, "configValue");
+};
+
+class ExternalSdkServer::Impl
+        :
+    public Singleton::Provide<I_ExternalSdkServer>::From<ExternalSdkServer>
+{
+public:
+    void
+    init()
+    {
+        auto rest = Singleton::Consume<I_RestApi>::by<ExternalSdkServer>();
+        rest->addRestCall<ExternalSdkRest>(RestAction::ADD, "sdk-call");
+    }
+
+    void
+    sendLog(
+        const string &event_name,
+        ReportIS::Audience audience,
+        ReportIS::Severity severity,
+        ReportIS::Priority priority,
+        const string &tag_string,
+        const map<string, string> &additional_fields)
+    {
+        Maybe<ReportIS::Tags> tag = TagAndEnumManagement::convertStringToTag(tag_string);
+        set<ReportIS::Tags> tags;
+        if (tag.ok()) tags.insert(tag.unpack());
+        LogGen log(event_name, audience, severity, priority, tags);
+        for (const auto &field : additional_fields) {
+            log << LogField(field.first, field.second);
+        }
+    }
+
+    void
+    sendDebug(
+        const string &file_name,
+        const string &function_name,
+        unsigned int line_number,
+        Debug::DebugLevel debug_level,
+        const string &trace_id,
+        const string &span_id,
+        const string &message,
+        const map<string, string> &additional_fields)
+    {
+        (void)trace_id;
+        (void)span_id;
+        Debug debug(file_name, function_name, line_number, debug_level, D_EXTERNAL_SDK_USER);
+        debug.getStreamAggr() << message;
+        bool is_first_key = true;
+        for (const auto &field : additional_fields) {
+            if (is_first_key) {
+                is_first_key = false;
+                debug.getStreamAggr() << ". ";
+            } else {
+                debug.getStreamAggr() << ", ";
+            }
+            debug.getStreamAggr() << "\"" << field.first << "\": \"" << field.second << "\"";
+        }
+    }
+
+    void
+    sendMetric(
+        const string &event_title,
+        const string &service_name,
+        ReportIS::AudienceTeam team,
+        ReportIS::IssuingEngine issuing_engine,
+        const map<string, string> &additional_fields)
+    {
+        ScopedContext ctx;
+        ctx.registerValue("Service Name", service_name);
+
+        set<ReportIS::Tags> tags;
+        Report metric_to_fog(
+            event_title,
+            Singleton::Consume<I_TimeGet>::by<GenericMetric>()->getWalltime(),
+            ReportIS::Type::PERIODIC,
+            ReportIS::Level::LOG,
+            ReportIS::LogLevel::INFO,
+            ReportIS::Audience::INTERNAL,
+            team,
+            ReportIS::Severity::INFO,
+            ReportIS::Priority::LOW,
+            chrono::seconds(0),
+            LogField("agentId", Singleton::Consume<I_AgentDetails>::by<GenericMetric>()->getAgentId()),
+            tags,
+            ReportIS::Tags::INFORMATIONAL,
+            issuing_engine
+        );
+
+        for (const auto &field : additional_fields) {
+            metric_to_fog << LogField(field.first, field.second);
+        }
+
+        LogRest metric_client_rest(metric_to_fog);
+
+        string fog_metric_uri = getConfigurationWithDefault<string>("/api/v1/agents/events", "metric", "fogMetricUri");
+        Singleton::Consume<I_Messaging>::by<ExternalSdkServer>()->sendAsyncMessage(
+                HTTPMethod::POST,
+                fog_metric_uri,
+                metric_client_rest,
+                MessageCategory::METRIC,
+                MessageMetadata(),
+                false
+        );
+    }
+
+    Maybe<string>
+    getConfigValue(const string &config_path)
+    {
+        auto config_val = getProfileAgentSetting<string>(config_path);
+        if (!config_val.ok()) {
+            stringstream error;
+            error << "Failed to get configuration. Config path: " << config_path << ", Error: " << config_val.getErr();
+            return genError(error.str());
+        }
+        return config_val.unpack();
+    }
+};
+
+ExternalSdkServer::ExternalSdkServer() : Component("ExternalSdkServer"), pimpl(make_unique<Impl>()) {}
+ExternalSdkServer::~ExternalSdkServer() {}
+
+void ExternalSdkServer::init() { pimpl->init(); }
+void ExternalSdkServer::fini() {}
+
+void ExternalSdkServer::preload() {}

components/security_apps/orchestration/external_sdk_server/external_sdk_server_ut/CMakeLists.txt

@@ -0,0 +1,7 @@
+link_directories(${BOOST_ROOT}/lib)
+
+add_unit_test(
+        external_sdk_server_ut
+        "external_sdk_server_ut.cc"
+        "external_sdk_server;mainloop;singleton;rest;environment;time_proxy;logging;event_is;metric;-lboost_context;agent_details;-lboost_regex;messaging;"
+)

components/security_apps/orchestration/external_sdk_server/external_sdk_server_ut/external_sdk_server_ut.cc

@@ -0,0 +1,349 @@
+#include <stdio.h>
+#include <stdarg.h>
+
+#include "external_sdk_server.h"
+
+#include "cptest.h"
+#include "mock/mock_rest_api.h"
+#include "mock/mock_messaging.h"
+#include "mock/mock_logging.h"
+#include "mock/mock_time_get.h"
+#include "config.h"
+#include "config_component.h"
+#include "agent_details.h"
+
+using namespace std;
+using namespace testing;
+
+class ExternalSdkServerTest : public Test
+{
+public:
+    ExternalSdkServerTest()
+    {
+        EXPECT_CALL(rest_mocker, mockRestCall(RestAction::ADD, "sdk-call", _)).WillOnce(
+            WithArg<2>(
+                Invoke(
+                    [this](const unique_ptr<RestInit> &rest_ptr)
+                    {
+                        mock_sdk_rest = rest_ptr->getRest();
+                        return true;
+                    }
+                )
+            )
+        );
+
+        sdk_server.preload();
+        sdk_server.init();
+        i_sdk = Singleton::Consume<I_ExternalSdkServer>::from(sdk_server);
+    }
+
+    ~ExternalSdkServerTest()
+    {
+        sdk_server.fini();
+    }
+
+    ExternalSdkServer sdk_server;
+    NiceMock<MockTimeGet> mock_timer;
+    StrictMock<MockMessaging> messaging_mocker;
+    StrictMock<MockRestApi> rest_mocker;
+    StrictMock<MockLogging> log_mocker;
+    unique_ptr<ServerRest> mock_sdk_rest;
+    I_ExternalSdkServer *i_sdk;
+    ConfigComponent conf;
+    AgentDetails agent_details;
+    ::Environment env;
+};
+
+TEST_F(ExternalSdkServerTest, initTest)
+{
+}
+
+TEST_F(ExternalSdkServerTest, configCall)
+{
+    Maybe<string> no_conf = i_sdk->getConfigValue("key1");
+    EXPECT_FALSE(no_conf.ok());
+    string config_json =
+        "{\n"
+            "\"agentSettings\": [\n"
+                "{\n"
+                    "\"id\": \"id1\",\n"
+                    "\"key\": \"key1\",\n"
+                    "\"value\": \"value1\"\n"
+                "},\n"
+                "{\n"
+                    "\"id\": \"id1\",\n"
+                    "\"key\": \"key2\",\n"
+                    "\"value\": \"value2\"\n"
+                "}\n"
+            "]\n"
+        "}\n";
+    conf.preload();
+    istringstream conf_stream(config_json);
+    ASSERT_TRUE(Singleton::Consume<Config::I_Config>::from(conf)->loadConfiguration(conf_stream));
+
+    Maybe<string> conf_found = i_sdk->getConfigValue("key1");
+    ASSERT_TRUE(conf_found.ok());
+    EXPECT_EQ(conf_found.unpack(), "value1");
+
+    conf_found = i_sdk->getConfigValue("key2");
+    ASSERT_TRUE(conf_found.ok());
+    EXPECT_EQ(conf_found.unpack(), "value2");
+
+    stringstream config_call_body;
+    config_call_body << "{ \"eventType\": 3, \"configPath\": \"key1\" }";
+
+    Maybe<string> sdk_conf = mock_sdk_rest->performRestCall(config_call_body);
+    ASSERT_TRUE(sdk_conf.ok());
+    EXPECT_EQ(
+        sdk_conf.unpack(),
+        "{\n"
+        "    \"configValue\": \"value1\"\n"
+        "}"
+    );
+}
+
+template <typename T>
+string
+toJson(const T &obj)
+{
+    stringstream ss;
+    {
+        cereal::JSONOutputArchive ar(ss);
+        obj.serialize(ar);
+    }
+    return ss.str();
+}
+
+TEST_F(ExternalSdkServerTest, eventDrivenCall)
+{
+    string generated_log;
+    EXPECT_CALL(log_mocker, getCurrentLogId()).Times(2).WillRepeatedly(Return(0));
+    EXPECT_CALL(log_mocker, sendLog(_)).Times(2).WillRepeatedly(
+        WithArg<0>(
+            Invoke(
+                [&] (const Report &msg)
+                {
+                    generated_log = toJson(msg);
+                }
+            )
+        )
+    );
+
+    i_sdk->sendLog(
+        "my log",
+        ReportIS::Audience::INTERNAL,
+        ReportIS::Severity::LOW,
+        ReportIS::Priority::HIGH,
+        "IPS",
+        {{"key1", "value1"}, {"key2", "value2"}}
+    );
+    static const string expected_log =
+        "{\n"
+        "    \"eventTime\": \"\",\n"
+        "    \"eventName\": \"my log\",\n"
+        "    \"eventSeverity\": \"Low\",\n"
+        "    \"eventPriority\": \"High\",\n"
+        "    \"eventType\": \"Event Driven\",\n"
+        "    \"eventLevel\": \"Log\",\n"
+        "    \"eventLogLevel\": \"info\",\n"
+        "    \"eventAudience\": \"Internal\",\n"
+        "    \"eventAudienceTeam\": \"\",\n"
+        "    \"eventFrequency\": 0,\n"
+        "    \"eventTags\": [\n"
+        "        \"IPS\"\n"
+        "    ],\n"
+        "    \"eventSource\": {\n"
+        "        \"agentId\": \"Unknown\",\n"
+        "        \"eventTraceId\": \"\",\n"
+        "        \"eventSpanId\": \"\",\n"
+        "        \"issuingEngineVersion\": \"\",\n"
+        "        \"serviceName\": \"Unnamed Nano Service\"\n"
+        "    },\n"
+        "    \"eventData\": {\n"
+        "        \"logIndex\": 0,\n"
+        "        \"key1\": \"value1\",\n"
+        "        \"key2\": \"value2\"\n"
+        "    }\n"
+        "}";
+
+    EXPECT_EQ(generated_log, expected_log);
+
+    string event_call_body =
+        "{\n"
+        "    \"eventType\": 2,\n"
+        "    \"eventName\": \"my log\",\n"
+        "    \"audience\": 1,\n"
+        "    \"severity\": 3,\n"
+        "    \"priority\": 1,\n"
+        "    \"tag\": \"IPS\",\n"
+        "    \"team\": 3,\n"
+        "    \"additionalFields\": {\n"
+        "        \"key1\": \"value1\",\n"
+        "        \"key2\": \"value2\"\n"
+        "    }\n"
+        "}";
+
+    generated_log = "";
+    stringstream event_call_stream;
+    event_call_stream << event_call_body;
+    EXPECT_TRUE(mock_sdk_rest->performRestCall(event_call_stream).ok());
+    EXPECT_EQ(generated_log, expected_log);
+}
+
+TEST_F(ExternalSdkServerTest, periodicEventCall)
+{
+    string message_body;
+    EXPECT_CALL(
+        messaging_mocker,
+        sendAsyncMessage(
+            HTTPMethod::POST,
+            "/api/v1/agents/events",
+            _,
+            MessageCategory::METRIC,
+            _,
+            false
+        )
+    ).Times(2).WillRepeatedly(SaveArg<2>(&message_body));
+
+    i_sdk->sendMetric(
+        "my metric",
+        "matrix",
+        ReportIS::AudienceTeam::AGENT_INTELLIGENCE,
+        ReportIS::IssuingEngine::AGENT_CORE,
+        {{"key", "value"}}
+    );
+
+    static const string expected_message =
+        "{\n"
+        "    \"log\": {\n"
+        "        \"eventTime\": \"\",\n"
+        "        \"eventName\": \"my metric\",\n"
+        "        \"eventSeverity\": \"Info\",\n"
+        "        \"eventPriority\": \"Low\",\n"
+        "        \"eventType\": \"Periodic\",\n"
+        "        \"eventLevel\": \"Log\",\n"
+        "        \"eventLogLevel\": \"info\",\n"
+        "        \"eventAudience\": \"Internal\",\n"
+        "        \"eventAudienceTeam\": \"Agent Intelligence\",\n"
+        "        \"eventFrequency\": 0,\n"
+        "        \"eventTags\": [\n"
+        "            \"Informational\"\n"
+        "        ],\n"
+        "        \"eventSource\": {\n"
+        "            \"agentId\": \"Unknown\",\n"
+        "            \"issuingEngine\": \"Agent Core\",\n"
+        "            \"eventTraceId\": \"\",\n"
+        "            \"eventSpanId\": \"\",\n"
+        "            \"issuingEngineVersion\": \"\",\n"
+        "            \"serviceName\": \"matrix\"\n"
+        "        },\n"
+        "        \"eventData\": {\n"
+        "            \"key\": \"value\"\n"
+        "        }\n"
+        "    }\n"
+        "}";
+
+    EXPECT_EQ(message_body, expected_message);
+
+    string event_call_body =
+        "{\n"
+        "    \"eventType\": 1,\n"
+        "    \"eventName\": \"my metric\",\n"
+        "    \"serviceName\": \"matrix\",\n"
+        "    \"team\": 3,\n"
+        "    \"additionalFields\": {\n"
+        "        \"key\": \"value\"\n"
+        "    }\n"
+        "}";
+
+    stringstream event_call_stream;
+    event_call_stream << event_call_body;
+
+    message_body = "";
+    EXPECT_TRUE(mock_sdk_rest->performRestCall(event_call_stream).ok());
+    EXPECT_EQ(message_body, expected_message);
+}
+
+USE_DEBUG_FLAG(D_EXTERNAL_SDK_USER);
+USE_DEBUG_FLAG(D_EXTERNAL_SDK_SERVER);
+
+TEST_F(ExternalSdkServerTest, codeEventCall)
+{
+    ostringstream capture_debug;
+    Debug::setUnitTestFlag(D_EXTERNAL_SDK_SERVER, Debug::DebugLevel::TRACE);
+    Debug::setUnitTestFlag(D_EXTERNAL_SDK_USER, Debug::DebugLevel::TRACE);
+    Debug::setNewDefaultStdout(&capture_debug);
+
+    i_sdk->sendDebug(
+        "file.cc",
+        "myFunc2",
+        42,
+        Debug::DebugLevel::TRACE,
+        "123",
+        "abc",
+        "h#l1ow w0r!d",
+        {{"hi", "universe"}}
+    );
+
+    EXPECT_THAT(
+        capture_debug.str(),
+        HasSubstr(
+            "[myFunc2@file.cc:42                                           | >>>] "
+            "h#l1ow w0r!d. \"hi\": \"universe\"\n"
+        )
+    );
+
+
+    string debug_event =
+        "{\n"
+        "    \"eventType\": 0,\n"
+        "    \"file\": \"my file\",\n"
+        "    \"func\": \"function_name\",\n"
+        "    \"line\": 42,\n"
+        "    \"debugLevel\": 0,\n"
+        "    \"traceId\": \"\",\n"
+        "    \"spanId\": \"span2323\",\n"
+        "    \"message\": \"some short debug\",\n"
+        "    \"team\": 1,\n"
+        "    \"additionalFields\": {\n"
+        "        \"name\": \"moshe\",\n"
+        "        \"food\": \"bamba\"\n"
+        "    }\n"
+        "}";
+
+    stringstream event_call_stream;
+    event_call_stream << debug_event;
+
+    EXPECT_TRUE(mock_sdk_rest->performRestCall(event_call_stream).ok());
+
+    EXPECT_THAT(
+        capture_debug.str(),
+        HasSubstr(
+            "[function_name@my file:42                                     | >>>] "
+            "some short debug. \"food\": \"bamba\", \"name\": \"moshe\"\n"
+        )
+    );
+
+    Debug::setNewDefaultStdout(&cout);
+}
+
+TEST_F(ExternalSdkServerTest, ilegalEventCall)
+{
+    string event_call_body =
+        "{\n"
+        "    \"eventType\": 7,\n"
+        "    \"eventName\": \"my metric\",\n"
+        "    \"serviceName\": \"matrix\",\n"
+        "    \"team\": 3,\n"
+        "    \"additionalFields\": {\n"
+        "        \"key\": \"value\"\n"
+        "    }\n"
+        "}";
+
+    stringstream event_call_stream;
+    event_call_stream << event_call_body;
+
+    Maybe<string> failed_respond = mock_sdk_rest->performRestCall(event_call_stream);
+    EXPECT_FALSE(failed_respond.ok());
+    EXPECT_EQ(failed_respond.getErr(), "Illegal event type provided");
+}

components/security_apps/orchestration/include/updates_process_event.h

@@ -35,6 +35,8 @@ enum class UpdatesFailureReason {
     INSTALL_PACKAGE,
     CHECKSUM_UNMATCHED,
     POLICY_CONFIGURATION,
+    SERVISE_CONFIGURATION,
+    SERVISE_CONFIGURATION_TIMEOUT,
     POLICY_FOG_CONFIGURATION,
     NONE
 
@@ -57,6 +59,8 @@ convertUpdatesFailureReasonToStr(UpdatesFailureReason reason)
         case UpdatesFailureReason::INSTALL_PACKAGE : return "INSTALL_PACKAGE";
         case UpdatesFailureReason::CHECKSUM_UNMATCHED : return "CHECKSUM_UNMATCHED";
         case UpdatesFailureReason::POLICY_CONFIGURATION : return "POLICY_CONFIGURATION";
+        case UpdatesFailureReason::SERVISE_CONFIGURATION : return "SERVISE_CONFIGURATION";
+        case UpdatesFailureReason::SERVISE_CONFIGURATION_TIMEOUT : return "SERVISE_CONFIGURATION_TIMEOUT";
         case UpdatesFailureReason::POLICY_FOG_CONFIGURATION : return "POLICY_FOG_CONFIGURATION";
         case UpdatesFailureReason::NONE : return "NONE";
     }
@@ -117,6 +121,7 @@ public:
     OrchestrationStatusResult getOrchestrationStatusResult() const;
 
     std::string parseDescription() const;
+    std::string getDescriptionWithoutErrors() const;
 
 private:
     UpdatesProcessResult result;

components/security_apps/orchestration/include/updates_process_report.h

@@ -50,6 +50,8 @@ public:
         return report.str();
     }
 
+    UpdatesFailureReason getReason() const { return reason; }
+
 private:
     UpdatesProcessResult result;
     UpdatesConfigType type;

components/security_apps/orchestration/include/updates_process_reporter.h

@@ -21,19 +21,24 @@
 #include "config.h"
 #include "debug.h"
 #include "i_orchestration_status.h"
+#include "i_service_controller.h"
 #include "health_check_status/health_check_status.h"
 #include "updates_process_event.h"
 #include "updates_process_report.h"
 
-class UpdatesProcessReporter : public Listener<UpdatesProcessEvent>
+class UpdatesProcessReporter
+        :
+    public Listener<UpdatesProcessEvent>,
+    Singleton::Consume<I_ServiceController>
 {
 public:
     void upon(const UpdatesProcessEvent &event) override;
 
 private:
-    void sendReoprt();
+    void sendReoprt(const std::string &version);
 
     static std::vector<UpdatesProcessReport> reports;
+    std::map<std::string, uint> report_failure_count_map;
 };
 
 #endif // __UPDATES_PROCESS_REPORTER_H__

components/security_apps/orchestration/manifest_controller/manifest_controller_ut/manifest_controller_ut.cc

@@ -1,3 +1,7 @@
+#include <sstream>
+class Package;
+static std::ostream & operator<<(std::ostream &os, const Package &) { return os; }
+
 #include "manifest_controller.h"
 
 #include <vector>

components/security_apps/orchestration/modules/modules_ut/orchestration_policy_ut.cc

@@ -43,8 +43,8 @@ TEST_F(PolicyTest, serialization)
         ASSERT_TRUE(false) << "Cereal threw an exception: " << e.what();
     }
 
-    EXPECT_EQ(15, orchestration_policy.getErrorSleepInterval());
-    EXPECT_EQ(20, orchestration_policy.getSleepInterval());
+    EXPECT_EQ(15u, orchestration_policy.getErrorSleepInterval());
+    EXPECT_EQ(20u, orchestration_policy.getSleepInterval());
     EXPECT_EQ("http://10.0.0.18:81/control/", orchestration_policy.getFogAddress());
 }
 
@@ -63,8 +63,8 @@ TEST_F(PolicyTest, noAgentType)
         ASSERT_TRUE(false) << "Cereal threw an exception: " << e.what();
     }
 
-    EXPECT_EQ(15, orchestration_policy.getErrorSleepInterval());
-    EXPECT_EQ(20, orchestration_policy.getSleepInterval());
+    EXPECT_EQ(15u, orchestration_policy.getErrorSleepInterval());
+    EXPECT_EQ(20u, orchestration_policy.getSleepInterval());
     EXPECT_EQ("http://10.0.0.18:81/control/", orchestration_policy.getFogAddress());
 }
 
@@ -83,8 +83,8 @@ TEST_F(PolicyTest, zeroSleepIntervels)
         ASSERT_TRUE(false) << "Cereal threw an exception: " << e.what();
     }
 
-    EXPECT_EQ(0, orchestration_policy.getErrorSleepInterval());
-    EXPECT_EQ(0, orchestration_policy.getSleepInterval());
+    EXPECT_EQ(0u, orchestration_policy.getErrorSleepInterval());
+    EXPECT_EQ(0u, orchestration_policy.getSleepInterval());
     EXPECT_EQ("http://10.0.0.18:81/control/", orchestration_policy.getFogAddress());
 }
 
@@ -152,7 +152,7 @@ TEST_F(PolicyTest, newOptionalFields)
         ASSERT_TRUE(false) << "Cereal threw an exception: " << e.what();
     }
 
-    EXPECT_EQ(10, orchestration_policy.getErrorSleepInterval());
-    EXPECT_EQ(30, orchestration_policy.getSleepInterval());
+    EXPECT_EQ(10u, orchestration_policy.getErrorSleepInterval());
+    EXPECT_EQ(30u, orchestration_policy.getSleepInterval());
     EXPECT_EQ("https://fog-api-gw-agents.cloud.ngen.checkpoint.com", orchestration_policy.getFogAddress());
 }

components/security_apps/orchestration/modules/modules_ut/orchestration_status_ut.cc

@@ -1,3 +1,7 @@
+#include <sstream>
+class Package;
+static std::ostream & operator<<(std::ostream &os, const Package &) { return os; }
+
 #include "orchestration_status.h"
 
 #include <string>
@@ -556,7 +560,7 @@ TEST_F(OrchestrationStatusTest, checkErrorByRaiseEvent)
             "Time",
             "Online upgrades",
             fog_address,
-            "Failed. Reason: Registration failed. Error: " + registar_error,
+            "Failed. Reason: Registration failed.",
             "Failed. Reason: " + manifest_error
         ),
         result

components/security_apps/orchestration/modules/modules_ut/url_parser_ut.cc

@@ -1,3 +1,7 @@
+#include <sstream>
+class Package;
+static std::ostream & operator<<(std::ostream &os, const Package &) { return os; }
+
 #include "url_parser.h"
 
 #include "cptest.h"

components/security_apps/orchestration/modules/orchestration_status.cc

@@ -473,7 +473,11 @@ public:
     void
     upon(const UpdatesProcessEvent &event) override
     {
-        setFieldStatus(event.getStatusFieldType(), event.getOrchestrationStatusResult(), event.parseDescription());
+        setFieldStatus(
+            event.getStatusFieldType(),
+            event.getOrchestrationStatusResult(),
+            event.getDescriptionWithoutErrors()
+        );
     }
 
 private:

components/security_apps/orchestration/orchestration_comp.cc

@@ -1499,7 +1499,7 @@ private:
                 << " minutes from now.";
             upgrade_delay_time += chrono::minutes(upgrade_delay_interval);
         } catch (const exception& err) {
-            dbgInfo(D_ORCHESTRATOR) << "Failed to parse upgrade delay interval.";
+            dbgWarning(D_ORCHESTRATOR) << "Failed to parse upgrade delay interval.";
         }
     }
 

components/security_apps/orchestration/orchestration_ut/orchestration_multitenant_ut.cc

@@ -1,3 +1,7 @@
+#include <sstream>
+class Package;
+std::ostream & operator<<(std::ostream &os, const Package &) { return os; }
+
 #include "orchestration_comp.h"
 
 #include "cptest.h"
@@ -471,6 +475,9 @@ TEST_F(OrchestrationMultitenancyTest, handle_virtual_resource)
         )
     ).WillOnce(Return(Maybe<void>()));
 
+    string version = "1";
+    EXPECT_CALL(mock_service_controller, getUpdatePolicyVersion()).WillOnce(ReturnRef(version));
+
     EXPECT_CALL(
         mock_service_controller,
         updateServiceConfiguration(

components/security_apps/orchestration/orchestration_ut/orchestration_ut.cc

@@ -1,3 +1,7 @@
+#include <sstream>
+class Package;
+std::ostream & operator<<(std::ostream &os, const Package &) { return os; }
+
 #include "orchestration_comp.h"
 
 #include "cptest.h"
@@ -380,6 +384,10 @@ TEST_F(OrchestrationTest, hybridModeRegisterLocalAgentRoutine)
     EXPECT_CALL(mock_status, setLastUpdateAttempt());
     EXPECT_CALL(mock_status, setIsConfigurationUpdated(_));
 
+    string version = "1";
+    EXPECT_CALL(mock_service_controller, getUpdatePolicyVersion()).WillOnce(ReturnRef(version));
+
+
     EXPECT_CALL(mock_ml, yield(A<chrono::microseconds>()))
         .WillOnce(Return())
         .WillOnce(Invoke([] (chrono::microseconds) { throw invalid_argument("stop while loop"); }));
@@ -587,6 +595,9 @@ TEST_F(OrchestrationTest, check_sending_registration_data)
     EXPECT_CALL(mock_status, setLastUpdateAttempt());
     EXPECT_CALL(mock_status, setIsConfigurationUpdated(_));
 
+    string version = "1";
+    EXPECT_CALL(mock_service_controller, getUpdatePolicyVersion()).WillOnce(ReturnRef(version));
+
     EXPECT_CALL(mock_ml, yield(A<chrono::microseconds>()))
         .WillOnce(Return())
         .WillOnce(Invoke([] (chrono::microseconds) { throw invalid_argument("stop while loop"); }));
@@ -718,6 +729,9 @@ TEST_F(OrchestrationTest, orchestrationPolicyUpdatRollback)
     EXPECT_CALL(mock_status, setPolicyVersion(third_val));
     EXPECT_CALL(mock_status, setPolicyVersion(second_val));
 
+    string version = "1";
+    EXPECT_CALL(mock_service_controller, getUpdatePolicyVersion()).WillOnce(ReturnRef(version));
+
     string policy_versions;
     EXPECT_CALL(mock_service_controller, getPolicyVersions()).WillRepeatedly(ReturnRef(policy_versions));
     EXPECT_CALL(mock_update_communication, sendPolicyVersion("13", _)).Times(1).WillOnce(Return(Maybe<void>()));
@@ -895,6 +909,9 @@ TEST_F(OrchestrationTest, orchestrationPolicyUpdate)
     );
     EXPECT_CALL(mock_status, setPolicyVersion(third_val));
 
+    string version = "1";
+    EXPECT_CALL(mock_service_controller, getUpdatePolicyVersion()).WillOnce(ReturnRef(version));
+
     string policy_versions;
     EXPECT_CALL(mock_service_controller, getPolicyVersions()).WillRepeatedly(ReturnRef(policy_versions));
     EXPECT_CALL(mock_update_communication, sendPolicyVersion("13", _)).Times(1).WillOnce(Return(Maybe<void>()));
@@ -1112,6 +1129,9 @@ TEST_F(OrchestrationTest, manifestUpdate)
         )
     );
 
+    string version = "1";
+    EXPECT_CALL(mock_service_controller, getUpdatePolicyVersion()).WillOnce(ReturnRef(version));
+
     GetResourceFile manifest_file(GetResourceFile::ResourceFileType::MANIFEST);
     EXPECT_CALL(mock_downloader,
         downloadFile(
@@ -1150,6 +1170,8 @@ TEST_F(OrchestrationTest, manifestUpdate)
 
 TEST_F(OrchestrationTest, getBadPolicyUpdate)
 {
+    Debug::setUnitTestFlag(D_UPDATES_PROCESS_REPORTER, Debug::DebugLevel::NOISE);
+
     EXPECT_CALL(
         rest,
         mockRestCall(RestAction::ADD, "proxy", _)
@@ -1196,6 +1218,13 @@ TEST_F(OrchestrationTest, getBadPolicyUpdate)
     EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::SHA256, data_file_path))
         .WillOnce(Return(data_checksum));
 
+    string manifest = "";
+    string policy = "111111";
+    string setting = "";
+
+    string second_val = "12";
+    string third_val = "13";
+    EXPECT_CALL(mock_service_controller, getUpdatePolicyVersion()).WillRepeatedly(ReturnRef(third_val));
     Maybe<string> new_policy_checksum(string("111111"));
 
     GetResourceFile policy_file(GetResourceFile::ResourceFileType::POLICY);
@@ -1207,12 +1236,6 @@ TEST_F(OrchestrationTest, getBadPolicyUpdate)
             policy_file
         )
     ).WillOnce(Return(Maybe<std::string>(string(new_policy_path))));
-    string manifest = "";
-    string policy = "111111";
-    string setting = "";
-
-    string second_val = "12";
-    string third_val = "13";
     EXPECT_CALL(mock_service_controller, getPolicyVersion())
         .Times(4)
         .WillOnce(ReturnRef(first_policy_version))
@@ -1246,8 +1269,6 @@ TEST_F(OrchestrationTest, getBadPolicyUpdate)
         )
     );
 
-    EXPECT_CALL(mock_service_controller, getUpdatePolicyVersion()).WillRepeatedly(ReturnRef(third_val));
-
     EXPECT_CALL(
         mock_service_controller,
         updateServiceConfiguration(string("policy path"), "", expected_data_types, "", "", _)
@@ -1341,6 +1362,9 @@ TEST_F(OrchestrationTest, failedDownloadSettings)
 
     EXPECT_CALL(mock_status, setLastUpdateAttempt());
 
+    string version = "1";
+    EXPECT_CALL(mock_service_controller, getUpdatePolicyVersion()).WillOnce(ReturnRef(version));
+
     string manifest_err =
         "Critical Error: Agent/Gateway was not fully deployed on host 'hostname' "
         "and is not enforcing a security policy. Retry installation or contact Check Point support.";
@@ -1456,6 +1480,10 @@ TEST_P(OrchestrationTest, orchestrationFirstRun)
             }
         )
     );
+
+    string version = "1";
+    EXPECT_CALL(mock_service_controller, getUpdatePolicyVersion()).WillOnce(ReturnRef(version));
+
     EXPECT_CALL(mock_service_controller, getPolicyVersion()).WillRepeatedly(ReturnRef(first_policy_version));
     EXPECT_CALL(mock_update_communication, getUpdate(_)).WillOnce(
         Invoke(
@@ -1654,6 +1682,10 @@ TEST_F(OrchestrationTest, dataUpdate)
         .WillOnce(Return(data_instance_checksum));
 
     EXPECT_CALL(mock_service_controller, getPolicyVersion()).WillRepeatedly(ReturnRef(first_policy_version));
+
+    string version = "1";
+    EXPECT_CALL(mock_service_controller, getUpdatePolicyVersion()).WillOnce(ReturnRef(version));
+
     EXPECT_CALL(mock_update_communication, getUpdate(_)).WillOnce(
         Invoke(
             [&](CheckUpdateRequest &req)

components/security_apps/orchestration/package_handler/package_handler_ut/package_handler_ut.cc

@@ -1,3 +1,7 @@
+#include <sstream>
+class Package;
+static std::ostream & operator<<(std::ostream &os, const Package &) { return os; }
+
 #include "package_handler.h"
 
 #include "cptest.h"

components/security_apps/orchestration/service_controller/service_controller.cc

@@ -29,6 +29,7 @@
 #include "i_orchestration_tools.h"
 #include "customized_cereal_map.h"
 #include "declarative_policy_utils.h"
+#include "updates_process_event.h"
 
 using namespace std;
 using namespace ReportIS;
@@ -65,6 +66,13 @@ public:
         }
         if (error.get()) {
             service_controller->updateReconfStatus(id.get(), service_name.get(), ReconfStatus::FAILED);
+            UpdatesProcessEvent(
+                UpdatesProcessResult::FAILED,
+                UpdatesConfigType::GENERAL,
+                UpdatesFailureReason::SERVISE_CONFIGURATION,
+                string(service_name.get() + ", ID: " + to_string(id.get())),
+                (error_message.isActive() ? " Error: " + error_message.get() : "")
+            ).notify();
             dbgError(D_SERVICE_CONTROLLER)
                 << "Request for service reconfiguration failed to complete. ID: "
                 << id.get()
@@ -413,7 +421,7 @@ ServiceController::Impl::getUpdatedReconfStatus()
         }
 
         if (!maybe_service.unpack().isServiceActive()) {
-            dbgInfo(D_SERVICE_CONTROLLER)
+            dbgDebug(D_SERVICE_CONTROLLER)
                 << "Service is not active, removing from registered services list. Service: "
                 << services_reconf_names[service_and_reconf_status.first]
                 << "ID: "
@@ -508,7 +516,7 @@ ServiceController::Impl::loadRegisteredServicesFromFile()
     ar(cereal::make_nvp("Registered Services", pending_services));
     pending_services.erase("cp-nano-orchestration");
 
-    dbgInfo(D_SERVICE_CONTROLLER)
+    dbgDebug(D_SERVICE_CONTROLLER)
         << "Orchestration pending services loaded from file."
         << " File: "
         << registered_services_file
@@ -516,7 +524,7 @@ ServiceController::Impl::loadRegisteredServicesFromFile()
 
     for (const auto &id_service_pair : pending_services) {
         const auto &service = id_service_pair.second;
-        dbgInfo(D_SERVICE_CONTROLLER)
+        dbgDebug(D_SERVICE_CONTROLLER)
             << "Service name: "
             << service.getServiceName()
             << ", Service ID: "
@@ -548,14 +556,14 @@ ServiceController::Impl::writeRegisteredServicesToFile()
     cereal::JSONOutputArchive ar(ss);
     ar(cereal::make_nvp("Registered Services", registered_services_with_orch));
 
-    dbgInfo(D_SERVICE_CONTROLLER)
+    dbgDebug(D_SERVICE_CONTROLLER)
         << "Orchestration registered services file has been updated. File: "
         << registered_services_file
         << ". Registered Services:";
 
     for (const auto &id_service_pair : registered_services_with_orch) {
         const auto &service = id_service_pair.second;
-        dbgInfo(D_SERVICE_CONTROLLER)
+        dbgDebug(D_SERVICE_CONTROLLER)
             << "Service name: "
             << service.getServiceName()
             << ", Service ID: "
@@ -1028,6 +1036,12 @@ ServiceController::Impl::sendSignalForServices(
     }
 
     dbgDebug(D_SERVICE_CONTROLLER) << "The reconfiguration has reached a timeout";
+    UpdatesProcessEvent(
+        UpdatesProcessResult::FAILED,
+        UpdatesConfigType::GENERAL,
+        UpdatesFailureReason::SERVISE_CONFIGURATION_TIMEOUT,
+        "The reconfiguration has reached a timeout"
+    ).notify();
     services_reconf_status.clear();
     services_reconf_names.clear();
     return genError("The reconfiguration has reached a timeout");

components/security_apps/orchestration/service_controller/service_controller_ut/service_controller_ut.cc

@@ -1,3 +1,7 @@
+#include <sstream>
+class Package;
+static std::ostream & operator<<(std::ostream &os, const Package &) { return os; }
+
 #include "cptest.h"
 #include <string>
 #include "orchestration_tools.h"

components/security_apps/orchestration/update_communication/CMakeLists.txt

@@ -1,2 +1 @@
 add_library(update_communication update_communication.cc hybrid_communication.cc fog_communication.cc fog_authenticator.cc local_communication.cc declarative_policy_utils.cc fog_helper_open_source.cc)
-#add_subdirectory(update_communication_ut)

components/security_apps/orchestration/update_communication/hybrid_communication.cc

@@ -120,10 +120,9 @@ HybridCommunication::downloadAttributeFile(const GetResourceFile &resourse_file,
 }
 
 Maybe<void>
-HybridCommunication::sendPolicyVersion(const string &policy_version, const string &) const
+HybridCommunication::sendPolicyVersion(const string &, const string &) const
 {
     dbgFlow(D_ORCHESTRATOR);
-    policy_version.empty();
     return Maybe<void>();
 }
 

components/security_apps/orchestration/update_communication/update_communication_ut/CMakeLists.txt

@@ -1,7 +0,0 @@
-link_directories(${BOOST_ROOT}/lib)
-
-add_unit_test(
-    update_communication_ut
-    "local_communication_ut.cc;fog_communication_ut.cc"
-    "rest;version;orchestration_modules;update_communication;singleton;config;metric;event_is;logging;agent_details;-lboost_regex;local_policy_mgmt_gen;connkey;"
-)

components/security_apps/orchestration/update_communication/update_communication_ut/local_communication_ut.cc

@@ -1,244 +0,0 @@
-#include <string>
-
-#include "local_communication.h"
-#include "cptest.h"
-#include "mock/mock_orchestration_tools.h"
-#include "config.h"
-#include "config_component.h"
-#include "orchestration_status.h"
-#include "mock/mock_mainloop.h"
-#include "mock/mock_time_get.h"
-
-using namespace std;
-using namespace testing;
-
-ostream &
-operator<<(ostream &os, const tuple<OrchManifest, OrchPolicy, OrchSettings> &)
-{
-    return os;
-}
-
-class LocalCommunicationTest: public Test
-{
-public:
-    LocalCommunicationTest()
-    {
-        local_communication.init();
-    }
-
-    void
-    preload()
-    {
-        local_communication.preload();
-    }
-
-    Maybe<void>
-    authenticateAgent()
-    {
-        return local_communication.authenticateAgent();
-    }
-
-    void
-    registerLocalAgentToFog()
-    {
-        local_communication.registerLocalAgentToFog();
-    }
-
-    Maybe<void>
-    sendPolicyVersion(const string &version, const string &policy_versions)
-    {
-        return local_communication.sendPolicyVersion(version, policy_versions);
-    }
-
-    Maybe<string>
-    downloadAttributeFile(const GetResourceFile &resourse_file, const string &file_path)
-    {
-        return local_communication.downloadAttributeFile(resourse_file, file_path);
-    }
-
-    void
-    setAddressExtenesion(const string &ext)
-    {
-        local_communication.setAddressExtenesion(ext);
-    }
-
-    Maybe<void>
-    checkUpdate(CheckUpdateRequest &request)
-    {
-        return local_communication.getUpdate(request);
-    }
-
-    NiceMock<MockMainLoop> mock_mainloop;
-    NiceMock<MockTimeGet> mock_timer;
-    ::Environment env;
-    ConfigComponent config_comp;
-    StrictMock<MockOrchestrationTools> mock_orc_tools;
-    OrchestrationStatus orc_status;
-
-private:
-    LocalCommunication local_communication;
-};
-
-TEST_F(LocalCommunicationTest, doNothing)
-{
-}
-
-TEST_F(LocalCommunicationTest, registerConfig)
-{
-    env.preload();
-    env.init();
-
-    preload();
-    string config_json =
-        "{\n"
-        "    \"orchestration\": {\n"
-        "        \"Offline manifest file path\": [\n"
-        "            {\n"
-        "                \"context\": \"All()\",\n"
-        "                \"value\": \"ABC\"\n"
-        "            }\n"
-        "        ],\n"
-        "        \"Offline policy file path\": [\n"
-        "            {\n"
-        "                \"context\": \"All()\",\n"
-        "                \"value\": \"qwe\"\n"
-        "            }\n"
-        "        ],\n"
-        "        \"Offline settings file path\": [\n"
-        "            {\n"
-        "                \"context\": \"All()\",\n"
-        "                \"value\": \"CCCC\"\n"
-        "            }\n"
-        "        ]\n"
-        "    }\n"
-        "}";
-    istringstream ss(config_json);
-    Singleton::Consume<Config::I_Config>::from(config_comp)->loadConfiguration(ss);
-
-    EXPECT_THAT(getConfiguration<string>("orchestration", "Offline manifest file path"),        IsValue("ABC"));
-    EXPECT_THAT(getConfiguration<string>("orchestration", "Offline policy file path"), IsValue("qwe"));
-    EXPECT_THAT(getConfiguration<string>("orchestration", "Offline settings file path"),            IsValue("CCCC"));
-
-    env.fini();
-}
-
-TEST_F(LocalCommunicationTest, authenticateAgent)
-{
-    auto authenticat_res = authenticateAgent();
-    EXPECT_TRUE(authenticat_res.ok());
-}
-
-TEST_F(LocalCommunicationTest, registerLocalAgentToFog)
-{
-    registerLocalAgentToFog();
-}
-
-TEST_F(LocalCommunicationTest, downloadManifest)
-{
-    string new_manifest_string = "new manifest";
-    EXPECT_CALL(mock_orc_tools, readFile("/etc/cp/conf/offline_manifest.json")).WillOnce(Return(new_manifest_string));
-    GetResourceFile resourse_file(GetResourceFile::ResourceFileType::MANIFEST);
-    auto downloaded_string =  downloadAttributeFile(resourse_file, "/tmp/orch_files");
-    EXPECT_TRUE(downloaded_string.ok());
-    EXPECT_EQ(downloaded_string.unpack(), new_manifest_string);
-}
-
-TEST_F(LocalCommunicationTest, checkUpdateWithNoUpdate)
-{
-    Maybe<string> manifest_checksum(string("1"));
-    Maybe<string> policy_checksum(string("2"));
-    Maybe<string> settings_checksum(string("3"));
-    Maybe<string> data_checksum(string("4"));
-    EXPECT_CALL(mock_orc_tools, calculateChecksum(
-        Package::ChecksumTypes::SHA256, "/etc/cp/conf/offline_manifest.json")).WillOnce(Return(manifest_checksum));
-    EXPECT_CALL(mock_orc_tools, calculateChecksum(
-        Package::ChecksumTypes::SHA256, "/etc/cp/conf/offline_policy.json")).WillOnce(Return(policy_checksum));
-    EXPECT_CALL(mock_orc_tools, calculateChecksum(
-        Package::ChecksumTypes::SHA256, "/etc/cp/conf/offline_settings.json")).WillOnce(Return(settings_checksum));
-    EXPECT_CALL(mock_orc_tools, calculateChecksum(
-        Package::ChecksumTypes::SHA256, "/etc/cp/conf/data/offline_data.json")).WillOnce(Return(data_checksum));
-
-    CheckUpdateRequest request(
-            *manifest_checksum,
-            *policy_checksum,
-            *settings_checksum,
-            *data_checksum,
-            I_OrchestrationTools::SELECTED_CHECKSUM_TYPE_STR,
-            "123"
-        );
-
-    auto update_response = checkUpdate(request);
-    EXPECT_TRUE(update_response.ok());
-
-    Maybe<string> manifest = request.getManifest();
-    EXPECT_FALSE(manifest.ok());
-
-    Maybe<string> policy = request.getPolicy();
-    EXPECT_FALSE(policy.ok());
-
-    Maybe<string> settings = request.getSettings();
-    EXPECT_FALSE(settings.ok());
-
-    Maybe<string> data = request.getData();
-    EXPECT_FALSE(data.ok());
-}
-
-TEST_F(LocalCommunicationTest, checkUpdateWithPolicyUpdate)
-{
-    Maybe<string> manifest_checksum(string("1"));
-    Maybe<string> policy_checksum(string("2"));
-    Maybe<string> new_policy_checksum(string("22"));
-    Maybe<string> settings_checksum(string("3"));
-    Maybe<string> data_checksum(string("4"));
-
-    EXPECT_CALL(
-        mock_orc_tools,
-        calculateChecksum(Package::ChecksumTypes::SHA256, "/etc/cp/conf/offline_manifest.json")
-    ).WillOnce(Return(manifest_checksum));
-    EXPECT_CALL(
-        mock_orc_tools,
-        calculateChecksum(Package::ChecksumTypes::SHA256, "/etc/cp/conf/offline_policy.json")
-    ).WillOnce(Return(new_policy_checksum));
-    EXPECT_CALL(
-        mock_orc_tools,
-        calculateChecksum(Package::ChecksumTypes::SHA256, "/etc/cp/conf/offline_settings.json")
-    ).WillOnce(Return(settings_checksum));
-    EXPECT_CALL(
-        mock_orc_tools,
-        calculateChecksum(Package::ChecksumTypes::SHA256, "/etc/cp/conf/data/offline_data.json")
-    ).WillOnce(Return(data_checksum));
-
-    CheckUpdateRequest request(
-        *manifest_checksum,
-        *policy_checksum,
-        *settings_checksum,
-        *data_checksum,
-        I_OrchestrationTools::SELECTED_CHECKSUM_TYPE_STR,
-        "123"
-    );
-
-    auto update_response = checkUpdate(request);
-    EXPECT_TRUE(update_response.ok());
-
-    Maybe<string> manifest = request.getManifest();
-    EXPECT_FALSE(manifest.ok());
-
-    EXPECT_THAT(request.getPolicy(), IsValue("22"));
-
-    Maybe<string> settings = request.getSettings();
-    EXPECT_FALSE(settings.ok());
-
-    Maybe<string> data = request.getData();
-    EXPECT_FALSE(data.ok());
-}
-
-TEST_F(LocalCommunicationTest, setAddressExtenesion)
-{
-    setAddressExtenesion("Test");
-}
-
-TEST_F(LocalCommunicationTest, sendPolicyVersion)
-{
-    auto res = sendPolicyVersion("12", "");
-    EXPECT_TRUE(res.ok());
-}

components/security_apps/orchestration/updates_process_reporter/updates_process_event.cc

@@ -111,6 +111,85 @@ UpdatesProcessEvent::parseDescription() const
             err << "Failed to configure the fog address: " << detail << ". Error: " << description;
             break;
         }
+        case UpdatesFailureReason::SERVISE_CONFIGURATION : {
+            err
+                << "Request for service reconfiguration failed to complete. Service name: "
+                << detail
+                << ". Error: "
+                << description;
+            break;
+        }
+        case UpdatesFailureReason::SERVISE_CONFIGURATION_TIMEOUT : {
+            err << detail;
+            break;
+        }
+        case UpdatesFailureReason::ORCHESTRATION_SELF_UPDATE : {
+            err << description;
+            break;
+        }
+        case UpdatesFailureReason::NONE : {
+            err << description;
+            break;
+        }
+    }
+    return err.str();
+}
+
+string
+UpdatesProcessEvent::getDescriptionWithoutErrors() const
+{
+    stringstream err;
+    if (description.empty() || result == UpdatesProcessResult::SUCCESS) return "";
+
+    switch (reason) {
+        case UpdatesFailureReason::CHECK_UPDATE: {
+            err << description;
+            break;
+        }
+        case UpdatesFailureReason::REGISTRATION: {
+            err << "Registration failed.";
+            break;
+        }
+        case UpdatesFailureReason::GET_UPDATE_REQUEST: {
+            err << "Failed to get update request.";
+            break;
+        }
+        case UpdatesFailureReason::DOWNLOAD_FILE : {
+            err << "Failed to download the file " << detail;
+            break;
+        }
+        case UpdatesFailureReason::HANDLE_FILE : {
+            err << "Failed to handle the file " << detail;
+            break;
+        }
+        case UpdatesFailureReason::INSTALLATION_QUEUE : {
+            err << "Installation queue creation failed.";
+            break;
+        }
+        case UpdatesFailureReason::INSTALL_PACKAGE : {
+            err << "Failed to install the package " << detail;
+            break;
+        }
+        case UpdatesFailureReason::CHECKSUM_UNMATCHED : {
+            err << "Checksums do not match for the file: " << detail;
+            break;
+        }
+        case UpdatesFailureReason::POLICY_CONFIGURATION : {
+            err << "Failed to configure policy version: " << detail;
+            break;
+        }
+        case UpdatesFailureReason::POLICY_FOG_CONFIGURATION : {
+            err << "Failed to configure the fog address: " << detail;
+            break;
+        }
+        case UpdatesFailureReason::SERVISE_CONFIGURATION : {
+            err << "Request for service reconfiguration failed to complete. Service name: " << detail;
+            break;
+        }
+        case UpdatesFailureReason::SERVISE_CONFIGURATION_TIMEOUT : {
+            err << detail;
+            break;
+        }
         case UpdatesFailureReason::ORCHESTRATION_SELF_UPDATE : {
             err << description;
             break;

components/security_apps/orchestration/updates_process_reporter/updates_process_reporter.cc

@@ -29,11 +29,24 @@ void
 UpdatesProcessReporter::upon(const UpdatesProcessEvent &event)
 {
     if (event.getReason() == UpdatesFailureReason::CHECK_UPDATE) {
+        auto i_controller = Singleton::Consume<I_ServiceController>::by<UpdatesProcessReporter>();
+        string version = i_controller->getUpdatePolicyVersion();
         if (event.getResult() == UpdatesProcessResult::SUCCESS && reports.empty()) {
             dbgTrace(D_UPDATES_PROCESS_REPORTER) << "Update proccess finished successfully";
+            report_failure_count_map.erase(version);
+            return;
+        }
+        if (report_failure_count_map.find(version) == report_failure_count_map.end()) {
+            report_failure_count_map[version] = 0;
+        }
+        report_failure_count_map[version]++;
+        dbgTrace(D_UPDATES_PROCESS_REPORTER)
+            << "Update proccess finished with errors. Count: "
+            << report_failure_count_map[version];
+        if (report_failure_count_map[version] <= 1) {
+            reports.clear();
             return;
         }
-        dbgTrace(D_UPDATES_PROCESS_REPORTER) << "Update proccess finished with errors";
         reports.emplace_back(
             UpdatesProcessReport(
                 event.getResult(),
@@ -42,7 +55,7 @@ UpdatesProcessReporter::upon(const UpdatesProcessEvent &event)
                 event.parseDescription()
             )
         );
-        sendReoprt();
+        sendReoprt(version);
         return;
     }
     if (event.getResult() == UpdatesProcessResult::SUCCESS || event.getResult() == UpdatesProcessResult::UNSET) return;
@@ -52,20 +65,30 @@ UpdatesProcessReporter::upon(const UpdatesProcessEvent &event)
 }
 
 void
-UpdatesProcessReporter::sendReoprt()
+UpdatesProcessReporter::sendReoprt(const string &version)
 {
-    stringstream all_reports;
-    all_reports << "Updates process reports:" << endl;
+    stringstream full_reports;
+    UpdatesFailureReason failure_reason = UpdatesFailureReason::NONE;
+    full_reports << "Updates process reports:" << endl;
+    full_reports << "Policy version: " << version << endl;
+    full_reports << "report failure count:" << report_failure_count_map[version] << endl;
     for (const auto &report : reports) {
-        all_reports << report.toString() << endl;
+        if (report.getReason() != UpdatesFailureReason::CHECK_UPDATE) {
+            failure_reason = report.getReason();
+        }
+        full_reports << report.toString() << endl;
     }
     reports.clear();
-    dbgTrace(D_UPDATES_PROCESS_REPORTER) << "Sending updates process report: " << endl << all_reports.str();
-    LogGen(
+    dbgTrace(D_UPDATES_PROCESS_REPORTER) << "Sending updates process report: " << endl << full_reports.str();
+    LogGen log (
         "Updates process report",
         ReportIS::Audience::INTERNAL,
         ReportIS::Severity::HIGH,
         ReportIS::Priority::HIGH,
         ReportIS::Tags::ORCHESTRATOR
-    ) << LogField("eventMessage", all_reports.str());
+    );
+    log << LogField("eventMessage", full_reports.str());
+    if (failure_reason != UpdatesFailureReason::NONE) {
+        log.addToOrigin(LogField("eventCategory", convertUpdatesFailureReasonToStr(failure_reason)));
+    }
 }

components/security_apps/waap/include/i_serialize.h

@@ -57,7 +57,6 @@ private:
     std::vector<std::string> filesPathsList;
 };
 
-
 class I_Serializable {
 public:
     virtual void serialize(std::ostream& stream) = 0;

components/security_apps/waap/waap_clib/Serializator.cc

@@ -397,7 +397,7 @@ SerializeToLocalAndRemoteSyncBase::SerializeToLocalAndRemoteSyncBase(
     const string &owner
 ) :
     SerializeToFileBase(filePath),
-    m_remotePath(remotePath),
+    m_remotePath(replaceAllCopy(remotePath, "//", "/")),
     m_interval(0),
     m_owner(owner),
     m_pMainLoop(nullptr),
@@ -407,7 +407,7 @@ SerializeToLocalAndRemoteSyncBase::SerializeToLocalAndRemoteSyncBase(
     m_windowsCount(0),
     m_intervalsCounter(0),
     m_remoteSyncEnabled(true),
-    m_assetId(assetId),
+    m_assetId(replaceAllCopy(assetId, "/", "")),
     m_isAssetIdUuid(Waap::Util::isUuid(assetId)),
     m_shared_storage_host(genError("not set")),
     m_learning_host(genError("not set"))
@@ -439,7 +439,7 @@ SerializeToLocalAndRemoteSyncBase::SerializeToLocalAndRemoteSyncBase(
     }
     if (remotePath != "") {
         // remote path is /<tenantId>/<assetId>/<type>
-        auto parts = split(remotePath, '/');
+        auto parts = split(m_remotePath, '/');
         if (parts.size() > 2) {
             size_t offset = 0;
             if (parts[0].empty()) {
@@ -656,8 +656,7 @@ void SerializeToLocalAndRemoteSyncBase::syncWorker()
     OrchestrationMode mode = Singleton::exists<I_AgentDetails>() ?
         Singleton::Consume<I_AgentDetails>::by<WaapComponent>()->getOrchestrationMode() : OrchestrationMode::ONLINE;
 
-    if (mode == OrchestrationMode::OFFLINE  || !m_remoteSyncEnabled || isBase() ||
-        (mode == OrchestrationMode::ONLINE && !m_isAssetIdUuid) || !postData()) {
+    if (mode == OrchestrationMode::OFFLINE  || !m_remoteSyncEnabled || isBase() || !postData()) {
         dbgDebug(D_WAAP_CONFIDENCE_CALCULATOR)
             << "Did not synchronize the data. for asset: "
             << m_assetId

components/security_apps/waap/waap_clib/Telemetry.cc

@@ -37,7 +37,14 @@ WaapTelemetryBase::sendLog(const LogRest &metric_client_rest) const
     if (mode == OrchestrationMode::ONLINE) {
         return;
     }
-    auto svc_host = getConfigurationWithDefault(default_host, "Logging", "K8sSvc Log host");
+    const char* host_env_var = getenv("TUNING_HOST");
+    string host;
+    if (host_env_var != nullptr && strlen(host_env_var) > 0) {
+        host = string(host_env_var);
+    } else {
+        host = default_host;
+    }
+    auto svc_host = getConfigurationWithDefault(host, "Logging", "Container Log host");
     string fog_metric_uri = getConfigurationWithDefault<string>("/api/v1/agents/events", "metric", "fogMetricUri");
     MessageMetadata req_md(svc_host, 80);
     req_md.insertHeader(

components/security_apps/waap/waap_clib/TuningDecision.cc

@@ -15,6 +15,7 @@
 #include "i_mainloop.h"
 #include "i_serialize.h"
 #include "waap.h"
+#include "Waf2Util.h"
 
 using namespace std;
 
@@ -25,7 +26,7 @@ USE_DEBUG_FLAG(D_WAAP);
 
 TuningDecision::TuningDecision(const string& remotePath)
         :
-    m_remotePath(remotePath + "/tuning"),
+    m_remotePath(replaceAllCopy(remotePath + "/tuning", "//", "/")),
     m_baseUri()
 {
     if (remotePath == "")

components/security_apps/waap/waap_clib/Waf2Util.h

@@ -733,6 +733,12 @@ inline void replaceAll(std::string& str, const std::string& from, const std::str
         start_pos += to.length(); // In case 'to' contains 'from', like replacing 'x' with 'yx'
     }
 }
+
+inline std::string replaceAllCopy(std::string str, const std::string& from, const std::string& to) {
+    replaceAll(str, from, to);
+    return str;
+}
+
 inline void alignBase64Chunk (std::string &chunk)
 {
     size_t len = chunk.length() % 4;

components/utils/generic_rulebase/evaluators/trigger_eval.cc

@@ -50,7 +50,7 @@ TriggerMatcher::evalVariable() const
         << "Trying to match trigger. ID: "
         << trigger_id << ", Current set IDs: "
         << makeSeparatedStr(bc_trigger_id_ctx.ok() ? *bc_trigger_id_ctx : set<GenericConfigId>(), ", ");
-    if (bc_trigger_id_ctx.ok() && bc_trigger_id_ctx.unpack().count(trigger_id) > 0 ) return true;
+    if (bc_trigger_id_ctx.ok()) return bc_trigger_id_ctx.unpack().count(trigger_id) > 0;
 
     auto rule = getConfiguration<BasicRuleConfig>("rulebase", "rulesConfig");
     return rule.ok() && rule.unpack().isTriggerActive(trigger_id);

components/utils/generic_rulebase/match_query.cc

@@ -299,7 +299,16 @@ MatchQuery::matchAttributes(
 {
     auto &type = condition_type;
     bool negate = type == MatchQuery::Conditions::NotEquals || type == MatchQuery::Conditions::NotIn;
-    bool match = isRegEx() ? matchAttributesRegEx(values, matched_override_keywords) : matchAttributesString(values);
+    bool match = false;
+
+    if (isIP()) {
+        match = matchAttributesIp(values);
+    } else if (isRegEx()) {
+        match = matchAttributesRegEx(values, matched_override_keywords);
+    } else {
+        match = matchAttributesString(values);
+    }
+
     return negate ? !match : match;
 }
 
@@ -340,8 +349,26 @@ MatchQuery::matchAttributesString(const set<string> &values) const
     return false;
 }
 
+bool
+MatchQuery::matchAttributesIp(const set<string> &values) const
+{
+    for (const IPRange &rule_ip_range : ip_addr_value) {
+        for (const string &requested_value : values) {
+            IpAddress ip_addr = IPUtilities::createIpFromString(requested_value);
+            if (IPUtilities::isIpAddrInRange(rule_ip_range, ip_addr)) return true;
+        }
+    }
+    return false;
+}
+
 bool
 MatchQuery::isRegEx() const
 {
     return key != "protectionName";
 }
+
+bool
+MatchQuery::isIP() const
+{
+    return key == "sourceIP" || key == "destinationIP";
+}

components/utils/generic_rulebase/triggers_config.cc

@@ -173,7 +173,7 @@ LogTriggerConf::load(cereal::JSONInputArchive& archive_in)
         setTriggersFlag("webUrlQuery", archive_in, WebLogFields::webUrlQuery, log_web_fields);
         setTriggersFlag("logToAgent", archive_in, ReportIS::StreamType::JSON_LOG_FILE, active_streams);
         setTriggersFlag("logToCloud", archive_in, ReportIS::StreamType::JSON_FOG, active_streams);
-        setTriggersFlag("logToK8sService", archive_in, ReportIS::StreamType::JSON_K8S_SVC, active_streams);
+        setTriggersFlag("logToContainerService", archive_in, ReportIS::StreamType::JSON_CONTAINER_SVC, active_streams);
         setTriggersFlag("logToSyslog", archive_in, ReportIS::StreamType::SYSLOG, active_streams);
         setTriggersFlag("logToCef", archive_in, ReportIS::StreamType::CEF, active_streams);
         setTriggersFlag("acAllow", archive_in, SecurityType::AccessControl, should_log_on_detect);
@@ -221,8 +221,8 @@ LogTriggerConf::load(cereal::JSONInputArchive& archive_in)
                 case ReportIS::StreamType::JSON_LOG_FILE:
                     setLogConfiguration(ReportIS::StreamType::JSON_LOG_FILE);
                     break;
-                case ReportIS::StreamType::JSON_K8S_SVC:
-                    setLogConfiguration(ReportIS::StreamType::JSON_K8S_SVC);
+                case ReportIS::StreamType::JSON_CONTAINER_SVC:
+                    setLogConfiguration(ReportIS::StreamType::JSON_CONTAINER_SVC);
                     break;
                 case ReportIS::StreamType::SYSLOG:
                     setLogConfiguration(ReportIS::StreamType::SYSLOG, getUrlForSyslog(), syslog_protocol);

config/crds/open-appsec-crd-v1beta1.yaml

@@ -0,0 +1,525 @@
+Enter file contents hereapiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata :
+  name : customresponses.openappsec.io
+
+spec:
+  group: openappsec.io
+  versions:
+    - name: v1beta1
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          properties:
+            spec:
+              type: object
+              properties:
+                mode:
+                  type: string
+                  enum:
+                    - block-page
+                    #- redirect
+                    - response-code-only
+                message-title:
+                  type: string
+                message-body:
+                  type: string
+                http-response-code:
+                  type: integer
+                  minimum: 100
+                  maximum: 599
+
+  scope: Cluster
+  names:
+    plural: customresponses
+    singular: customresponse
+    kind: CustomResponse
+    shortNames:
+    - customresponse
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: exceptions.openappsec.io
+
+spec:
+  group: openappsec.io
+  versions:
+    - name: v1beta1
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          properties:
+            spec:
+              type: array
+              items:
+                type: object
+                required:
+                  - action
+                properties:
+                  action:
+                    type: string
+                    enum:
+                      - skip
+                      - accept
+                      - drop
+                      - suppressLog
+                  sourceIp:
+                    type: array
+                    items:
+                      type: string
+                  url:
+                    type: array
+                    items:
+                      type: string
+                  sourceIdentifier:
+                    type: array
+                    items:
+                      type: string
+                  protectionName:
+                    type: array
+                    items:
+                      type: string
+                  paramValue:
+                    type: array
+                    items:
+                      type: string
+                  paramName:
+                    type: array
+                    items:
+                      type: string
+                  hostName:
+                    type: array
+                    items:
+                      type: string
+                  countryCode:
+                    type: array
+                    items:
+                      type: string
+                  countryName:
+                    type: array
+                    items:
+                      type: string
+                  comment:
+                    type: string
+
+  scope: Cluster
+  names:
+    plural: exceptions
+    singular: exception
+    kind: Exception
+    shortNames:
+      - exception
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata :
+  name : logtriggers.openappsec.io
+
+spec:
+  group: openappsec.io
+  versions:
+    - name: v1beta1
+      # Each version can be enabled/disabled by Served flag.
+      served: true
+      # One and only one version must be marked as the storage version.
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          properties:
+            spec:
+              type: object
+              properties:
+                access-control-logging:
+                  type: object
+                  properties:
+                    allow-events:
+                      type: boolean
+                    drop-events:
+                      type: boolean
+                appsec-logging:
+                  type: object
+                  properties:
+                    detect-events:
+                      type: boolean
+                    prevent-events:
+                      type: boolean
+                    all-web-requests:
+                      type: boolean
+                additional-suspicious-events-logging:
+                  type: object
+                  properties:
+                    enabled:
+                      type: boolean
+                    minimum-severity:
+                      type: string
+                      enum:
+                        - high
+                        - critical
+                    response-body:
+                      type: boolean
+                    response-code:
+                      type: boolean
+                extended-logging:
+                  type: object
+                  properties:
+                    url-path:
+                      type: boolean
+                    url-query:
+                      type: boolean
+                    http-headers:
+                      type: boolean
+                    request-body:
+                      type: boolean
+                log-destination:
+                  type: object
+                  properties:
+                    cloud:
+                      type: boolean
+                    syslog-service: #change to object array
+                      type: array
+                      items:
+                        type: object
+                        properties:
+                          address:
+                            type: string
+                          port:
+                            type: integer
+                    file:
+                      type: string
+                    stdout:
+                      type: object
+                      properties:
+                        format:
+                          type: string
+                          enum:
+                            - json
+                            - json-formatted
+                    cef-service:
+                      type: array
+                      items:
+                        type: object
+                        properties:
+                          address:
+                            type: string
+                          port:
+                            type: integer
+                          proto:
+                            type: string
+                            enum:
+                              - tcp
+                              - udp
+
+  scope: Cluster
+  names:
+    plural: logtriggers
+    singular: logtrigger
+    kind: LogTrigger
+    shortNames:
+    - logtrigger
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata :
+  name : policies.openappsec.io
+
+spec:
+  group: openappsec.io
+  versions:
+    - name: v1beta1
+      # Each version can be enabled/disabled by Served flag.
+      served: true
+      # One and only one version must be marked as the storage version.
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          properties:
+            spec:
+              type: object
+              properties:
+                default:
+                  type: object
+                  properties:
+                    mode:
+                      type: string
+                      enum:
+                        - prevent-learn
+                        - detect-learn
+                        - prevent
+                        - detect
+                        - inactive
+                    practices:
+                      type: array
+                      items:
+                        type: string
+                    triggers:
+                      type: array
+                      items:
+                        type: string
+                    custom-response:
+                      type: string
+                    source-identifiers:
+                      type: string
+                    trusted-sources:
+                      type: string
+                    exceptions:
+                      type: array
+                      items:
+                        type: string
+                specific-rules:
+                  type: array
+                  items:
+                    type: object
+                    properties:
+                      host:
+                        type: string
+                      mode:
+                        type: string
+                        enum:
+                          - prevent-learn
+                          - detect-learn
+                          - prevent
+                          - detect
+                          - inactive
+                      practices:
+                        type: array
+                        items:
+                          type: string
+                      triggers:
+                        type: array
+                        items:
+                          type: string
+                      custom-response:
+                        type: string
+                      source-identifiers:
+                        type: string
+                      trusted-sources:
+                        type: string
+                      exceptions:
+                        type: array
+                        items:
+                          type: string
+
+  scope: Cluster
+  names:
+    plural: policies
+    singular: policy
+    kind: Policy
+    shortNames:
+    - policy
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata :
+  name : practices.openappsec.io
+
+spec:
+  group: openappsec.io
+  versions:
+    - name: v1beta1
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          properties:
+            spec:
+              type: object
+              properties:
+                web-attacks:
+                  type: object
+                  properties:
+                    override-mode:
+                      type: string
+                      enum:
+                        - prevent-learn
+                        - detect-learn
+                        - prevent
+                        - detect
+                        - inactive
+                    minimum-confidence:
+                      type: string
+                      enum:
+                        - medium
+                        - high
+                        - critical
+                    max-url-size-bytes:
+                      type: integer
+                    max-object-depth:
+                      type: integer
+                    max-body-size-kb:
+                      type: integer
+                    max-header-size-bytes:
+                      type: integer
+                    protections:
+                      type: object
+                      properties:
+                        csrf-enabled:
+                          type: string
+                          enum:
+                            - prevent-learn
+                            - detect-learn
+                            - prevent
+                            - detect
+                            - inactive
+                        error-disclosure-enabled:
+                          type: string
+                          enum:
+                            - prevent-learn
+                            - detect-learn
+                            - prevent
+                            - detect
+                            - inactive
+                        open-redirect-enabled:
+                          type: string
+                          enum:
+                            - prevent-learn
+                            - detect-learn
+                            - prevent
+                            - detect
+                            - inactive
+                        non-valid-http-methods:
+                          type: boolean
+                anti-bot:
+                  type: object
+                  properties:
+                    override-mode:
+                      type: string
+                      enum:
+                        - prevent-learn
+                        - detect-learn
+                        - prevent
+                        - detect
+                        - inactive
+                    injected-URIs:
+                      type: array
+                      items:
+                        type: object
+                        properties:
+                          uri:
+                            type: string
+                    validated-URIs:
+                      type: array
+                      items:
+                        type: object
+                        properties:
+                          uri:
+                            type: string
+                snort-signatures:
+                  type: object
+                  properties:
+                    override-mode:
+                      type: string
+                      enum:
+                        - prevent-learn
+                        - detect-learn
+                        - prevent
+                        - detect
+                        - inactive
+                    configmap:
+                      type: array
+                      items:
+                        type: string
+                openapi-schema-validation:
+                  type: object
+                  properties:
+                    override-mode:
+                      type: string
+                      enum:
+                        - prevent-learn
+                        - detect-learn
+                        - prevent
+                        - detect
+                        - inactive
+                    configmap:
+                      type: array
+                      items:
+                        type: string
+
+  scope: Cluster
+  names:
+    plural: practices
+    singular: practice
+    kind: Practice
+    shortNames:
+    - practice
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata :
+  name : sourcesidentifiers.openappsec.io
+
+spec:
+  group: openappsec.io
+  versions:
+    - name: v1beta1
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          properties:
+            spec:
+              type: array
+              items:
+                type: object
+                properties:
+                  sourceIdentifier:
+                    type: string
+                    enum:
+                      - headerkey
+                      - JWTKey
+                      - cookie
+                      - sourceip
+                      - x-forwarded-for
+                  value:
+                    type: array
+                    items:
+                      type: string
+
+  scope: Cluster
+  names:
+    plural: sourcesidentifiers
+    singular: sourcesidentifier
+    kind: SourcesIdentifier
+    shortNames:
+    - sourcesidentifier
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata :
+  name : trustedsources.openappsec.io
+
+spec:
+  group: openappsec.io
+  versions:
+    - name: v1beta1
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          properties:
+            spec:
+              type: object
+              properties:
+                minNumOfSources:
+                  type: integer
+                sourcesIdentifiers:
+                  type: array
+                  items:
+                    type: string
+
+  scope: Cluster
+  names:
+    plural: trustedsources
+    singular: trustedsource
+    kind: TrustedSource
+    shortNames:
+    - trustedsource

core/attachments/http_configuration/http_configuration_ut/http_configuration_ut.cc

@@ -71,24 +71,24 @@ TEST_F(HttpAttachmentUtilTest, GetValidAttachmentConfiguration)
 
     HttpAttachmentConfiguration conf_data_out;
     EXPECT_EQ(conf_data_out.init(attachment_configuration_file_name), 1);
-    EXPECT_EQ(conf_data_out.getNumericalValue("is_fail_open_mode_enabled"), 0);
-    EXPECT_EQ(conf_data_out.getNumericalValue("fail_open_timeout"), 1234);
-    EXPECT_EQ(conf_data_out.getNumericalValue("is_fail_open_mode_hold_enabled"), 0);
-    EXPECT_EQ(conf_data_out.getNumericalValue("fail_open_hold_timeout"), 4321);
+    EXPECT_EQ(conf_data_out.getNumericalValue("is_fail_open_mode_enabled"), 0u);
+    EXPECT_EQ(conf_data_out.getNumericalValue("fail_open_timeout"), 1234u);
+    EXPECT_EQ(conf_data_out.getNumericalValue("is_fail_open_mode_hold_enabled"), 0u);
+    EXPECT_EQ(conf_data_out.getNumericalValue("fail_open_hold_timeout"), 4321u);
     EXPECT_EQ(conf_data_out.getStringValue("sessions_per_minute_limit_verdict"), "Accept");
-    EXPECT_EQ(conf_data_out.getNumericalValue("max_sessions_per_minute"), 0);
-    EXPECT_EQ(conf_data_out.getNumericalValue("num_of_nginx_ipc_elements"), 200);
-    EXPECT_EQ(conf_data_out.getNumericalValue("keep_alive_interval_msec"), 10000);
+    EXPECT_EQ(conf_data_out.getNumericalValue("max_sessions_per_minute"), 0u);
+    EXPECT_EQ(conf_data_out.getNumericalValue("num_of_nginx_ipc_elements"), 200u);
+    EXPECT_EQ(conf_data_out.getNumericalValue("keep_alive_interval_msec"), 10000u);
     EXPECT_EQ(conf_data_out.getNumericalValue("dbg_level"), 2u);
-    EXPECT_EQ(conf_data_out.getNumericalValue("res_proccessing_timeout_msec"), 420);
-    EXPECT_EQ(conf_data_out.getNumericalValue("req_proccessing_timeout_msec"), 42);
-    EXPECT_EQ(conf_data_out.getNumericalValue("registration_thread_timeout_msec"), 101);
-    EXPECT_EQ(conf_data_out.getNumericalValue("req_header_thread_timeout_msec"), 10);
-    EXPECT_EQ(conf_data_out.getNumericalValue("req_body_thread_timeout_msec"), 155);
-    EXPECT_EQ(conf_data_out.getNumericalValue("res_header_thread_timeout_msec"), 1);
-    EXPECT_EQ(conf_data_out.getNumericalValue("res_body_thread_timeout_msec"), 80);
-    EXPECT_EQ(conf_data_out.getNumericalValue("waiting_for_verdict_thread_timeout_msec"), 60);
-    EXPECT_EQ(conf_data_out.getNumericalValue("nginx_inspection_mode"), 1);
+    EXPECT_EQ(conf_data_out.getNumericalValue("res_proccessing_timeout_msec"), 420u);
+    EXPECT_EQ(conf_data_out.getNumericalValue("req_proccessing_timeout_msec"), 42u);
+    EXPECT_EQ(conf_data_out.getNumericalValue("registration_thread_timeout_msec"), 101u);
+    EXPECT_EQ(conf_data_out.getNumericalValue("req_header_thread_timeout_msec"), 10u);
+    EXPECT_EQ(conf_data_out.getNumericalValue("req_body_thread_timeout_msec"), 155u);
+    EXPECT_EQ(conf_data_out.getNumericalValue("res_header_thread_timeout_msec"), 1u);
+    EXPECT_EQ(conf_data_out.getNumericalValue("res_body_thread_timeout_msec"), 80u);
+    EXPECT_EQ(conf_data_out.getNumericalValue("waiting_for_verdict_thread_timeout_msec"), 60u);
+    EXPECT_EQ(conf_data_out.getNumericalValue("nginx_inspection_mode"), 1u);
 }
 
 TEST_F(HttpAttachmentUtilTest, GetMalformedAttachmentConfiguration)

core/config/config.cc

@@ -306,6 +306,7 @@ private:
     string log_files_prefix = "/var/log";
     string default_config_directory_path = "/conf/";
     string config_directory_path = "";
+    string error_to_report = "";
 
     TypeWrapper empty;
 };
@@ -802,6 +803,7 @@ bool
 ConfigComponent::Impl::commitFailure(const string &error)
 {
     dbgError(D_CONFIG) << error;
+    error_to_report = error;
     new_resource_nodes.clear();
     new_configuration_nodes.clear();
     new_settings_nodes.clear();
@@ -937,7 +939,7 @@ ConfigComponent::Impl::reloadConfigurationContinuesWrapper(const string &version
 
     mainloop->stop(routine_id);
     LoadNewConfigurationStatus finished(id, service_name, !res, true);
-    if (!res) finished.setError("Failed to reload configuration");
+    if (!res) finished.setError(error_to_report);
     I_TimeGet *time = Singleton::Consume<I_TimeGet>::by<ConfigComponent>();
     auto send_status_time_out = time->getMonotonicTime() + chrono::seconds(180);
     while (time->getMonotonicTime() < send_status_time_out) {

core/core_ut/cache_ut.cc

@@ -151,10 +151,10 @@ TEST(TempCaching, capacity)
     cache.createEntry(3);
     cache.createEntry(4);
 
-    EXPECT_EQ(cache.size(), 5);
-    EXPECT_EQ(cache.capacity(), 0);
+    EXPECT_EQ(cache.size(), 5u);
+    EXPECT_EQ(cache.capacity(), 0u);
     cache.capacity(3);
-    EXPECT_EQ(cache.size(), 3);
+    EXPECT_EQ(cache.size(), 3u);
     EXPECT_FALSE(cache.doesKeyExists(0));
     EXPECT_FALSE(cache.doesKeyExists(1));
     EXPECT_TRUE(cache.doesKeyExists(2));
@@ -162,7 +162,7 @@ TEST(TempCaching, capacity)
     EXPECT_TRUE(cache.doesKeyExists(4));
 
     cache.createEntry(5);
-    EXPECT_EQ(cache.size(), 3);
+    EXPECT_EQ(cache.size(), 3u);
     EXPECT_FALSE(cache.doesKeyExists(2));
     EXPECT_TRUE(cache.doesKeyExists(3));
     EXPECT_TRUE(cache.doesKeyExists(4));
@@ -170,7 +170,7 @@ TEST(TempCaching, capacity)
 
     cache.capacity(0);
     cache.createEntry(6);
-    EXPECT_EQ(cache.size(), 4);
+    EXPECT_EQ(cache.size(), 4u);
     EXPECT_TRUE(cache.doesKeyExists(3));
     EXPECT_TRUE(cache.doesKeyExists(4));
     EXPECT_TRUE(cache.doesKeyExists(5));
@@ -178,7 +178,7 @@ TEST(TempCaching, capacity)
 
     cache.deleteEntry(5);
     cache.capacity(2);
-    EXPECT_EQ(cache.size(), 2);
+    EXPECT_EQ(cache.size(), 2u);
     EXPECT_TRUE(cache.doesKeyExists(4));
     EXPECT_TRUE(cache.doesKeyExists(6));
 }

core/core_ut/maybe_res_ut.cc

@@ -161,6 +161,7 @@ public:
     public:
         MyValue(int _x) : x(_x) { addObj(this); }
         MyValue(const MyValue &other) : x(other.x) {  addObj(this); }
+        MyValue & operator=(const MyValue &other) = default;
         ~MyValue() { delObj(this); }
         bool operator==(const MyValue &other) const { return x==other.x; }
         bool operator!=(const MyValue &other) const { return x!=other.x; }
@@ -208,9 +209,9 @@ TEST_F(MaybeAssignments, ValValRval)
     Maybe<MyValue, MyValue> m(MyValue(1));
 
     // Change the value
-    EXPECT_EQ(1, m->x);
+    EXPECT_EQ(m->x, 1);
     m = 2;
-    EXPECT_EQ(2, m->x);
+    EXPECT_EQ(m->x, 2);
 }
 
 TEST_F(MaybeAssignments, ValValLval)

core/external_sdk/external_agent_sdk.h

@@ -0,0 +1,87 @@
+#ifndef __EXTERNAL_AGENT_SDK_H__
+#define __EXTERNAL_AGENT_SDK_H__
+
+#ifdef __cplusplus
+enum class SdkApiType
+#else
+enum SdkApiType
+#endif
+{
+    SendCodeEvent,
+    SendPeriodicEvent,
+    SendEventDrivenEvent,
+    SendGetConfigRequest,
+
+#ifndef __cplusplus
+};
+#else //__cplusplus
+    COUNT
+};
+
+extern "C"
+{
+#endif // __cplusplus
+
+enum DebugLevel { DebugTrace, DebugDebug, DebugInfo, DebugWarning, DebugError };
+enum EventAudience { AudienceSecurity, AudienceInternal };
+enum EventAudienceTeam { AudienceTeamAgentCore, AudienceTeamIot, AudienceTeamWaap, AudienceTeamAgentIntelligence };
+enum EventSeverity { SeverityCritical, SeverityHigh, SeverityMedium, SeverityLow, SeverityInfo };
+enum EventPriority { PriorityUrgent, PriorityHigh, PriorityMedium, PriorityLow };
+
+enum SdkReturn {
+    SdkSuccess = 0,
+    SdkUninitialized = -1,
+    IlegalNumOfAdditionData = -2,
+    EmptyConfigRespond = -3,
+    InitCurlFailed = -4,
+    ExecuteCurlFailed = -5,
+    Non200Respond = -6,
+    AllocationFailure = -7
+};
+
+void initAgentSdk();
+void finiAgentSdk();
+
+// Get configuration using path. Output is allocated internally and requires caller to free
+enum SdkReturn getAgentConfiguration(const char *configuration_path, char **config_value_output);
+
+enum SdkReturn
+sendPeriodicData(
+    const char *event_title,
+    const char *service_name,
+    enum EventAudienceTeam team,
+    const char **periodic_data,
+    int periodic_data_size
+);
+
+enum SdkReturn
+sendEventDrivenLog(
+    const char *event_name,
+    enum EventAudience audience,
+    enum EventSeverity severity,
+    enum EventPriority priority,
+    const char *tag,
+    enum EventAudienceTeam team,
+    const char **event_data,
+    int event_data_size
+);
+
+enum SdkReturn
+sendDebugMessage(
+    const char *file_name,
+    const char *function_name,
+    unsigned int line_number,
+    enum DebugLevel debug_level,
+    const char *trace_id,
+    const char *span_id,
+    const char *message,
+    enum EventAudienceTeam team,
+    const char **event_data,
+    int event_data_size
+);
+
+#ifdef __cplusplus
+}
+#endif // __cplusplus
+
+#endif // __EXTERNAL_AGENT_SDK_H__

core/include/general/common.h

@@ -28,6 +28,7 @@
 #include <memory>
 #include <string>
 #include <vector>
+#include <map>
 #include <sstream>
 #include <iomanip>
 #include <sys/types.h>
@@ -145,6 +146,30 @@ operator<<(ostream &os, const vector<Printable> &obj)
     return os;
 }
 
+// LCOV_EXCL_START Reason: Currently not used in 4.8 coverage but is used in alpine.
+template <typename PrintableKey, typename PrintableValue>
+ostream &
+operator<<(ostream &os, const pair<PrintableKey, PrintableValue> &)
+{
+    // Uncomment when g++ 4.8 is no longer supported
+    // return os << obj.first << ':' << obj.second;
+    return os;
+}
+// LCOL_EXCL_STOP
+
+template <typename PrintableKey, typename PrintableValue>
+ostream &
+operator<<(ostream &os, const map<PrintableKey, PrintableValue> &)
+{
+    // Uncomment when g++ 4.8 is no longer supported
+    // bool first = true;
+    // for (const auto &pair : obj) {
+    //     os << (first ? "" : ", ") << pair;
+    //     first = false;
+    // }
+    return os;
+}
+
 } // namespace std
 
 #endif // __COMMON_H__

core/include/general/cptest.h

@@ -30,6 +30,7 @@
 #include "buffer.h"
 #include "scope_exit.h"
 #include "tostring.h"
+#include "time_print.h"
 
 std::ostream& operator<<(std::ostream &os, const Buffer &buf);
 

core/include/general/debug.h

@@ -20,6 +20,7 @@
 #include <vector>
 
 #include "common.h"
+#include "time_print.h"
 #include "singleton.h"
 #include "scope_exit.h"
 

core/include/services_sdk/interfaces/messaging/messaging_metadata.h

@@ -5,6 +5,7 @@
 #include <string>
 
 #include "flags.h"
+#include "config.h"
 #include "singleton.h"
 #include "i_agent_details.h"
 
@@ -118,6 +119,29 @@ public:
         return headers;
     }
 
+    std::string
+    getCaPath() const
+    {
+        if (!ca_path.empty()) return ca_path;
+        return getConfigurationWithDefault(
+            getFilesystemPathConfig() + "/certs/fog.pem",
+            "message",
+            "Certificate chain file path"
+        );
+    }
+
+    const std::string &
+    getClientCertPath() const
+    {
+        return client_cert_path;
+    }
+
+    const std::string &
+    getClientKeyPath() const
+    {
+        return client_key_path;
+    }
+
     void
     insertHeader(const std::string &header_key, const std::string &header_val)
     {
@@ -137,6 +161,24 @@ public:
         is_proxy_set = true;
     }
 
+    void
+    setCAPath (const std::string &_ca_path)
+    {
+        ca_path = _ca_path;
+    }
+
+    void
+    setDualAuthenticationSettings
+    (
+        const std::string &_client_cert_path,
+        const std::string &_client_key_path
+    )
+    {
+        client_cert_path = _client_cert_path;
+        client_key_path = _client_key_path;
+        is_dual_auth = true;
+    }
+
     void
     setExternalCertificate(const std::string &_external_certificate)
     {
@@ -161,6 +203,12 @@ public:
         return is_proxy_set;
     }
 
+    bool
+    isDualAuth() const
+    {
+        return is_dual_auth;
+    }
+
     bool
     isToFog() const
     {
@@ -175,18 +223,26 @@ public:
             cereal::make_nvp("host_name", host_name),
             cereal::make_nvp("port_num", port_num),
             cereal::make_nvp("is_proxy_set", is_proxy_set),
+            cereal::make_nvp("is_dual_auth", is_dual_auth),
             cereal::make_nvp("headers", headers),
             cereal::make_nvp("conn_flags", conn_flags),
             cereal::make_nvp("external_certificate", external_certificate),
             cereal::make_nvp("should_buffer", should_buffer),
-            cereal::make_nvp("is_to_fog", is_to_fog)
+            cereal::make_nvp("is_to_fog", is_to_fog),
+            cereal::make_nvp("ca_path", ca_path),
+            cereal::make_nvp("client_cert_path", client_cert_path),
+            cereal::make_nvp("client_key_path", client_key_path)
         );
     }
 
 private:
     std::string host_name = "";
+    std::string ca_path = "";
+    std::string client_cert_path = "";
+    std::string client_key_path = "";
     uint16_t port_num = 0;
     bool is_proxy_set = false;
+    bool is_dual_auth = false;
     std::map<std::string, std::string> headers;
     Flags<MessageConnectionConfig> conn_flags;
     MessageProxySettings proxy_settings;

core/include/services_sdk/resources/report/report_enums.h

@@ -23,7 +23,7 @@ enum class StreamType {
     JSON_DEBUG,
     JSON_FOG,
     JSON_LOG_FILE,
-    JSON_K8S_SVC,
+    JSON_CONTAINER_SVC,
     SYSLOG,
     CEF,
 

core/intelligence_is_v2/intelligence_comp_v2.cc

@@ -383,6 +383,11 @@ private:
         }
 
         if (getProfileAgentSettingWithDefault<bool>(false, "agent.config.supportInvalidation")) return true;
+
+        if (getSetting<string>("intelligence", "local intelligence server ip").ok()) {
+            return getProfileAgentSettingWithDefault<bool>(true, "agent.config.useLocalIntelligence");
+        }
+
         dbgTrace(D_INTELLIGENCE) << "Local intelligence not supported";
 
         return false;

core/intelligence_is_v2/intelligence_is_v2_ut/intelligence_comp_v2_ut.cc

@@ -1,3 +1,7 @@
+#include <sstream>
+namespace Intelligence { class Response; }
+std::ostream & operator<<(std::ostream &os, const Intelligence::Response &);
+
 #include "intelligence_comp_v2.h"
 
 #include "config.h"
@@ -642,7 +646,7 @@ TEST_F(IntelligenceComponentTestV2, multiAssetsIntelligenceTest)
     auto maybe_ans = intell->queryIntelligence<Profile>(request);
     EXPECT_TRUE(maybe_ans.ok());
     auto vec = maybe_ans.unpack();
-    EXPECT_EQ(vec.size(), 3);
+    EXPECT_EQ(vec.size(), 3u);
 
     auto iter = vec.begin();
 
@@ -962,11 +966,11 @@ TEST_F(IntelligenceComponentTestV2, pagingQueryTest)
     ).WillOnce(Return(HTTPResponse(HTTPStatusCode::HTTP_OK, paging_in_progress_response_str1)));
 
     request.setAssetsLimit(2);
-    EXPECT_EQ(request.getAssetsLimit(), 2);
+    EXPECT_EQ(request.getAssetsLimit(), 2u);
     auto maybe_ans1 = intell->queryIntelligence<Profile>(request);
     EXPECT_TRUE(maybe_ans1.ok());
     auto vec1 = maybe_ans1.unpack();
-    EXPECT_EQ(vec1.size(), 1);
+    EXPECT_EQ(vec1.size(), 1u);
     EXPECT_EQ(request.isPagingFinished(), false);
 
     EXPECT_CALL(messaging_mock, sendSyncMessage(HTTPMethod::POST, _, _, MessageCategory::INTELLIGENCE, _)
@@ -975,7 +979,7 @@ TEST_F(IntelligenceComponentTestV2, pagingQueryTest)
     auto maybe_ans2 = intell->queryIntelligence<Profile>(request);
     EXPECT_TRUE(maybe_ans2.ok());
     auto vec2 = maybe_ans2.unpack();
-    EXPECT_EQ(vec2.size(), 2);
+    EXPECT_EQ(vec2.size(), 2u);
     EXPECT_EQ(request.isPagingFinished(), false);
 
     EXPECT_CALL(messaging_mock, sendSyncMessage(HTTPMethod::POST, _, _, MessageCategory::INTELLIGENCE, _)
@@ -985,7 +989,7 @@ TEST_F(IntelligenceComponentTestV2, pagingQueryTest)
     if (!maybe_ans3.ok()) cout << maybe_ans3.getErr() + "\n";
     EXPECT_TRUE(maybe_ans3.ok());
     auto vec3 = maybe_ans3.unpack();
-    EXPECT_EQ(vec3.size(), 1);
+    EXPECT_EQ(vec3.size(), 1u);
     EXPECT_EQ(request.isPagingFinished(), true);
 
     vector<AssetReply<Profile>>::iterator assets_iter = vec3.begin();
@@ -1316,7 +1320,6 @@ TEST_F(IntelligenceComponentTestV2, ignoreInProgressQueryTest_2)
     QueryRequest request(Condition::EQUALS, "category", "cloud", true, AttributeKeyType::NONE);
     request.activatePaging();
     request.setAssetsLimit(10);
-    vector<AssetReply<Profile>> objects_reply;
     vector<string> objects_ids;
     do {
         auto object_result = intell->queryIntelligence<Profile>(request, true);
@@ -1325,10 +1328,9 @@ TEST_F(IntelligenceComponentTestV2, ignoreInProgressQueryTest_2)
             break;
         }
 
-        objects_reply = object_result.unpack();
-        if (objects_reply.empty()) break;
+        if ((*object_result).empty()) break;
 
-        for (const AssetReply<Profile> &current_object : objects_reply) {
+        for (const AssetReply<Profile> &current_object : *object_result) {
             if (current_object.getMainAttributes().empty()) {
                 continue;
             }
@@ -1337,5 +1339,5 @@ TEST_F(IntelligenceComponentTestV2, ignoreInProgressQueryTest_2)
         }
     } while (!request.isPagingFinished());
 
-    EXPECT_EQ(objects_ids.size(), 2);
+    EXPECT_EQ(objects_ids.size(), 2u);
 }

core/intelligence_is_v2/intelligence_is_v2_ut/invalidation_ut.cc

@@ -609,7 +609,7 @@ TEST_F(IntelligenceInvalidation, invalidation_callback)
     json << invalidation2.genObject();
     mock_invalidation->performRestCall(json);
 
-    EXPECT_EQ(recieved_invalidations.size(), 1);
+    EXPECT_EQ(recieved_invalidations.size(), 1u);
     EXPECT_EQ(recieved_invalidations[0].getMainAttributes().begin()->getStringSetAttr("attr2").unpack(), vals);
 }
 
@@ -653,7 +653,7 @@ TEST_F(IntelligenceInvalidation, delete_invalidation_callback)
     json << invalidation2.genObject();
     mock_invalidation->performRestCall(json);
 
-    EXPECT_EQ(recieved_invalidations.size(), 0);
+    EXPECT_EQ(recieved_invalidations.size(), 0u);
 }
 
 TEST_F(IntelligenceInvalidation, invalidation_short_handling)
@@ -697,7 +697,7 @@ TEST_F(IntelligenceInvalidation, invalidation_short_handling)
     json << invalidation2.genObject();
     mock_invalidation->performRestCall(json);
 
-    EXPECT_EQ(recieved_invalidations.size(), 0);
+    EXPECT_EQ(recieved_invalidations.size(), 0u);
 }
 
 TEST_F(IntelligenceInvalidation, routine_registration)
@@ -792,7 +792,7 @@ TEST_F(IntelligenceInvalidation, invalidation_flow_with_multiple_assets)
     json1 << not_matching_invalidation.genObject();
     mock_invalidation->performRestCall(json1);
 
-    EXPECT_EQ(recieved_invalidations.size(), 0);
+    EXPECT_EQ(recieved_invalidations.size(), 0u);
 
     auto matching_second_main_attribute = StrAttributes()
         .addStringAttr("attr3", "3");
@@ -808,7 +808,7 @@ TEST_F(IntelligenceInvalidation, invalidation_flow_with_multiple_assets)
     json2 << matching_invalidation.genObject();
     mock_invalidation->performRestCall(json2);
 
-    EXPECT_EQ(recieved_invalidations.size(), 1);
+    EXPECT_EQ(recieved_invalidations.size(), 1u);
 }
 
 TEST_F(IntelligenceInvalidation, invalidation_cb_match_2_registred_assets)
@@ -868,7 +868,7 @@ TEST_F(IntelligenceInvalidation, invalidation_cb_match_2_registred_assets)
     json << matching_invalidation.genObject();
     mock_invalidation->performRestCall(json);
 
-    EXPECT_EQ(recieved_invalidations.size(), 2);
+    EXPECT_EQ(recieved_invalidations.size(), 2u);
 }
 
 TEST_F(IntelligenceInvalidation, invalidation_cb_match_by_registration_id)
@@ -931,5 +931,5 @@ TEST_F(IntelligenceInvalidation, invalidation_cb_match_by_registration_id)
     cout << json.str() << endl;
     mock_invalidation->performRestCall(json);
 
-    EXPECT_EQ(recieved_invalidations.size(), 1);
+    EXPECT_EQ(recieved_invalidations.size(), 1u);
 }

core/intelligence_is_v2/intelligence_is_v2_ut/json_stream_ut.cc

@@ -42,7 +42,7 @@ addSlashesToSpecialChars(const string &input)
         case '\"':
         case '\\':
             output += '\\';
-            //no break
+            // fallthrough
         default:
             output += c;
             break;

core/intelligence_is_v2/intelligence_is_v2_ut/query_request_v2_ut.cc

@@ -136,12 +136,12 @@ TEST(QueryRequestTestV2, AttributesTest)
     request.setRequestedAttr("countryName");
     SerializableAttributesMap request_attributes_map2 = request.getRequestedAttributes();
 
-    EXPECT_EQ(request_attributes_map2.getAttributeByKey("attributes.countryName"), 500);
+    EXPECT_EQ(request_attributes_map2.getAttributeByKey("attributes.countryName"), 500u);
 
     request.setRequestedAttr("reputationSeverity", 30);
     SerializableAttributesMap request_attributes_map3 = request.getRequestedAttributes();
 
-    EXPECT_EQ(request_attributes_map3.getAttributeByKey("attributes.reputationSeverity"), 30);
+    EXPECT_EQ(request_attributes_map3.getAttributeByKey("attributes.reputationSeverity"), 30u);
 
     string output_json =
     "{\n"

core/intelligence_is_v2/intelligence_is_v2_ut/query_response_v2_ut.cc

@@ -155,13 +155,13 @@ TEST(QueryResponseTestV2, QueryResponseTestV2)
         obj2.loadFromJson(ss.str());
     }
 
-    EXPECT_EQ(obj.getAmountOfAssets(), 2);
-    EXPECT_EQ(obj2.getAmountOfAssets(), 2);
+    EXPECT_EQ(obj.getAmountOfAssets(), 2u);
+    EXPECT_EQ(obj2.getAmountOfAssets(), 2u);
     EXPECT_EQ(obj.getResponseStatus(), ResponseStatus::DONE);
     EXPECT_EQ(obj2.getResponseStatus(), ResponseStatus::DONE);
-    EXPECT_EQ(obj.getData().begin()->getAssetSchemaVersion(), 1);
+    EXPECT_EQ(obj.getData().begin()->getAssetSchemaVersion(), 1u);
     EXPECT_EQ(obj.getData().begin()->getAssetType(), "workload-cloud-ip");
-    EXPECT_EQ(obj.getData().begin()->getAssetTypeSchemaVersion(), 1);
+    EXPECT_EQ(obj.getData().begin()->getAssetTypeSchemaVersion(), 1u);
     EXPECT_EQ(obj.getData().begin()->getAssetPermissionGroupId(), "some-group-id");
     EXPECT_EQ(obj.getData().begin()->getAssetName(), "[1.1.1.1]");
     EXPECT_EQ(obj.getData().begin()->getAssetClass(), "workload");
@@ -188,7 +188,7 @@ TEST(QueryResponseTestV2, QueryResponseTestV2)
     EXPECT_EQ(soucres_it->getAssetId(), "50255c3172b4fb7fda93025f0bfaa7abefd1");
     EXPECT_EQ(soucres_it->getTTL(), chrono::seconds(120));
     EXPECT_EQ(soucres_it->getExpirationTime(), "2020-07-29T11:21:12.253Z");
-    EXPECT_EQ(soucres_it->getConfidence(), 500);
+    EXPECT_EQ(soucres_it->getConfidence(), 500u);
     EXPECT_EQ(soucres_it->getAttributes().begin()->getData().toString(), "red");
     EXPECT_EQ(soucres_it->getAttributes().begin()->getData1().toString(), "Omry");
 
@@ -198,15 +198,15 @@ TEST(QueryResponseTestV2, QueryResponseTestV2)
     EXPECT_EQ(soucres_it->getAssetId(), "cb068860528cb6bfb000cc35e79f11aeefed2");
     EXPECT_EQ(soucres_it->getTTL(), chrono::seconds(120));
     EXPECT_EQ(soucres_it->getExpirationTime(), "2020-07-29T11:21:12.253Z");
-    EXPECT_EQ(soucres_it->getConfidence(), 600);
+    EXPECT_EQ(soucres_it->getConfidence(), 600u);
     EXPECT_EQ(soucres_it->getAttributes().begin()->getData().toString(), "white");
     EXPECT_EQ(soucres_it->getAttributes().begin()->getData1().toString(), "Max");
 
     vector<AssetReply<stringData1>> asset_collections = obj.getData();
-    EXPECT_EQ(asset_collections.size(), 1);
+    EXPECT_EQ(asset_collections.size(), 1u);
     vector<AssetReply<stringData1>>::const_iterator asset_collections_it = asset_collections.begin();
     vector<stringData1> asset_sources = asset_collections_it->getData();
-    EXPECT_EQ(asset_sources.size(), 2);
+    EXPECT_EQ(asset_sources.size(), 2u);
     vector<stringData1>::iterator asset_sources_it = asset_sources.begin();
 
     EXPECT_EQ(asset_sources_it->getData().toString(), "red");

core/logging/k8s_svc_stream.cc

@@ -22,21 +22,28 @@ const static string default_log_uri = "/api/v1/agents/events";
 
 USE_DEBUG_FLAG(D_REPORT);
 
-K8sSvcStream::K8sSvcStream()
+ContainerSvcStream::ContainerSvcStream()
         :
     i_msg(Singleton::Consume<I_Messaging>::by<LoggingComp>())
 {
 }
 
-K8sSvcStream::~K8sSvcStream()
+ContainerSvcStream::~ContainerSvcStream()
 {
 }
 
 void
-K8sSvcStream::sendLog(const Report &log)
+ContainerSvcStream::sendLog(const Report &log)
 {
-    auto svc_host = getConfigurationWithDefault(default_host, "Logging", "K8sSvc Log host");
-    auto K8sSvc_log_uri = getConfigurationWithDefault(default_log_uri, "Logging", "K8sSvc Log URI");
+    const char* host_env_var = getenv("TUNING_HOST");
+    string host;
+    if (host_env_var != nullptr && strlen(host_env_var) > 0) {
+        host = string(host_env_var);
+    } else {
+        host = default_host;
+    }
+    auto svc_host = getConfigurationWithDefault(host, "Logging", "Container Log host");
+    auto svc_log_uri = getConfigurationWithDefault(default_log_uri, "Logging", "Container Log URI");
     LogRest rest(log);
 
     MessageMetadata rest_req_md(svc_host, 80);
@@ -45,7 +52,7 @@ K8sSvcStream::sendLog(const Report &log)
 
     bool ok = i_msg->sendSyncMessageWithoutResponse(
         HTTPMethod::POST,
-        K8sSvc_log_uri,
+        svc_log_uri,
         rest,
         MessageCategory::LOG,
         rest_req_md
@@ -57,7 +64,7 @@ K8sSvcStream::sendLog(const Report &log)
 }
 
 void
-K8sSvcStream::sendLog(const LogBulkRest &logs, bool persistence_only)
+ContainerSvcStream::sendLog(const LogBulkRest &logs, bool persistence_only)
 {
     dbgFlow(D_REPORT) << "send bulk logs";
 
@@ -66,15 +73,22 @@ K8sSvcStream::sendLog(const LogBulkRest &logs, bool persistence_only)
         return;
     }
 
-    auto svc_host = getConfigurationWithDefault(default_host, "Logging", "K8sSvc Log host");
-    auto K8sSvc_log_uri = getConfigurationWithDefault(default_bulk_uri, "Logging", "K8sSvc Bulk Log URI");
+    const char* host_env_var = getenv("TUNING_HOST");
+    string host;
+    if (host_env_var != nullptr && strlen(host_env_var) > 0) {
+        host = string(host_env_var);
+    } else {
+        host = default_host;
+    }
+    auto svc_host = getConfigurationWithDefault(host, "Logging", "Container Log host");
+    auto svc_log_uri = getConfigurationWithDefault(default_bulk_uri, "Logging", "Container Bulk Log URI");
 
     MessageMetadata rest_req_md(svc_host, 80);
     rest_req_md.insertHeader("X-Tenant-Id", Singleton::Consume<I_AgentDetails>::by<LoggingComp>()->getTenantId());
     rest_req_md.setConnectioFlag(MessageConnectionConfig::UNSECURE_CONN);
     bool ok = i_msg->sendSyncMessageWithoutResponse(
         HTTPMethod::POST,
-        K8sSvc_log_uri,
+        svc_log_uri,
         logs,
         MessageCategory::LOG,
         rest_req_md

core/logging/log_streams.h

@@ -80,11 +80,11 @@ private:
     I_Messaging *i_msg = nullptr;
 };
 
-class K8sSvcStream : public Stream
+class ContainerSvcStream : public Stream
 {
 public:
-    K8sSvcStream();
-    ~K8sSvcStream();
+    ContainerSvcStream();
+    ~ContainerSvcStream();
 
     void sendLog(const Report &log) override;
     void sendLog(const LogBulkRest &logs, bool persistance_only) override;

core/logging/logging.cc

@@ -270,7 +270,7 @@ private:
             case StreamType::JSON_DEBUG: return make_shared<DebugStream>();
             case StreamType::JSON_FOG: return make_shared<FogStream>();
             case StreamType::JSON_LOG_FILE: return make_shared<LogFileStream>();
-            case StreamType::JSON_K8S_SVC: return make_shared<K8sSvcStream>();
+            case StreamType::JSON_CONTAINER_SVC: return make_shared<ContainerSvcStream>();
             case StreamType::SYSLOG: return nullptr;
             case StreamType::CEF: return nullptr;
             case StreamType::NONE: return nullptr;
@@ -319,7 +319,9 @@ LoggingComp::preload()
     registerExpectedConfiguration<string>("Logging", "Log file name");
     registerExpectedConfiguration<string>("Logging", "Log file line separator");
     registerExpectedConfiguration<string>("Logging", "Fog Log URI");
-    registerExpectedConfiguration<string>("Logging", "K8sSvc Log host");
+    registerExpectedConfiguration<string>("Logging", "Container Log host");
+    registerExpectedConfiguration<string>("Logging", "Container Log URI");
+    registerExpectedConfiguration<string>("Logging", "Container Bulk Log URI");
     registerExpectedConfiguration<string>("Logging", "Syslog IP");
     registerExpectedConfiguration<uint>("Logging", "Syslog port");
     registerExpectedConfiguration<string>("Logging", "CEF IP");

core/logging/logging_ut/logging_ut.cc

@@ -68,7 +68,7 @@ public:
             return;
         }
         if (should_load_k8s_stream) {
-            Singleton::Consume<I_Logging>::by<fakeConfig>()->addStream(ReportIS::StreamType::JSON_K8S_SVC);
+            Singleton::Consume<I_Logging>::by<fakeConfig>()->addStream(ReportIS::StreamType::JSON_CONTAINER_SVC);
             return;
         }
         Singleton::Consume<I_Logging>::by<fakeConfig>()->addStream(ReportIS::StreamType::JSON_DEBUG);
@@ -101,7 +101,7 @@ public:
     }
 };
 
-class LogTest : public testing::TestWithParam<bool>
+class LogTest : public testing::Test
 {
 public:
     LogTest()
@@ -909,7 +909,7 @@ TEST_F(LogTest, OfflineK8sSvcBulkLogs)
     EXPECT_EQ(local_body, str1);
 }
 
-TEST_P(LogTest, metrics_check)
+TEST_F(LogTest, metrics_check)
 {
     loadFakeConfiguration(true, false, "", 3);
     Tags tag1 = Tags::POLICY_INSTALLATION;
@@ -935,16 +935,10 @@ TEST_P(LogTest, metrics_check)
         "    \"sentLogsBulksSum\": 3\n"
         "}";
 
-    bool is_named_query = GetParam();
-    if (is_named_query) {
-        EXPECT_THAT(AllMetricEvent().performNamedQuery(), ElementsAre(Pair("Logging data", logging_metric_str)));
-    } else {
-        EXPECT_THAT(AllMetricEvent().query(), ElementsAre(logging_metric_str));
-    }
+    EXPECT_THAT(AllMetricEvent().performNamedQuery(), ElementsAre(Pair("Logging data", logging_metric_str)));
+    EXPECT_THAT(AllMetricEvent().query(), ElementsAre(logging_metric_str));
 }
 
-INSTANTIATE_TEST_CASE_P(metrics_check, LogTest, ::testing::Values(false, true));
-
 TEST_F(LogTest, DeleteStreamTest)
 {
     loadFakeConfiguration(false);
@@ -1564,7 +1558,7 @@ TEST_F(LogTest, ObfuscationTest)
     EXPECT_EQ(getBodyFogMessage(), expected_obfuscated_log);
     ASSERT_NE(sysog_routine, nullptr);
     sysog_routine();
-    EXPECT_EQ(capture_syslog_cef_data.size(), 2);
+    EXPECT_EQ(capture_syslog_cef_data.size(), 2u);
     for (const string &str : capture_syslog_cef_data) {
         EXPECT_THAT(str, AnyOf(HasSubstr("String='Another string'"), HasSubstr("String=\"Another string\"")));
     }

core/mainloop/mainloop_ut/mainloop_ut.cc

@@ -504,7 +504,7 @@ TEST_F(MainloopTest, get_routine_id)
 {
     cptestPrepareToDie();
     auto cb = [this] () {
-        EXPECT_EQ(mainloop->getCurrentRoutineId().unpack(), 1);
+        EXPECT_EQ(mainloop->getCurrentRoutineId().unpack(), 1u);
         EXPECT_DEATH(mainloop->run(), "MainloopComponent::Impl::run was called while it was already running");
     };
     mainloop->addOneTimeRoutine(

core/messaging/connection/connection.cc

@@ -90,6 +90,12 @@ public:
         if (metadata_flags.isSet(MessageConnectionConfig::IGNORE_SSL_VALIDATION)) {
             flags.setFlag(ConnectionFlags::IGNORE_SSL_VALIDATION);
         }
+        ca_path = metadata.getCaPath();
+        if (metadata.isDualAuth()) {
+            client_cert_path = metadata.getClientCertPath();
+            client_key_path = metadata.getClientKeyPath();
+            is_dual_auth = true;
+        }
     }
 
     void
@@ -263,20 +269,33 @@ private:
 
         SSL_CTX_set_verify(ssl_ctx.get(), SSL_VERIFY_PEER, nullptr);
 
-        auto defualt_cert_path = getFilesystemPathConfig() + "/certs/fog.pem";
-        auto cert_path = getConfigurationWithDefault(defualt_cert_path, "message", "Certificate chain file path");
-        const char *cert = cert_path.c_str();
+        if (is_dual_auth) {
+            dbgTrace(D_CONNECTION)
+                << "Setting dual authentication."
+                << "Client cert path: " << client_cert_path
+                << ", client key path: " << client_key_path;
+            if (SSL_CTX_use_certificate_file(ssl_ctx.get(), client_cert_path.c_str(), SSL_FILETYPE_PEM) <= 0) {
+                string error = ERR_error_string(ERR_get_error(), nullptr);
+                return genError("Error in setting client cert: " + error);
+            }
 
+            if (SSL_CTX_use_PrivateKey_file(ssl_ctx.get(), client_key_path.c_str(), SSL_FILETYPE_PEM) <= 0) {
+                string error = ERR_error_string(ERR_get_error(), nullptr);
+                return genError("Error in setting client key: " + error);
+            }
+        }
+
+        dbgTrace(D_CONNECTION) << "Setting CA authentication";
         auto details_ssl_dir = Singleton::Consume<I_AgentDetails>::by<Messaging>()->getOpenSSLDir();
         auto openssl_dir = details_ssl_dir.ok() ? *details_ssl_dir : "/usr/lib/ssl/certs/";
         auto configured_ssl_dir = getConfigurationWithDefault(openssl_dir, "message", "Trusted CA directory");
         const char *ca_dir = configured_ssl_dir.empty() ? nullptr : configured_ssl_dir.c_str();
 
-        if (SSL_CTX_load_verify_locations(ssl_ctx.get(), cert, ca_dir) != 1) {
+        if (SSL_CTX_load_verify_locations(ssl_ctx.get(), ca_path.c_str(), ca_dir) != 1) {
             return genError("Failed to load certificate locations");
         }
 
-        dbgDebug(D_CONNECTION) << "SSL context set successfully. Certificate: " << cert << ", CA dir: " << ca_dir;
+        dbgDebug(D_CONNECTION) << "SSL context set successfully. Certificate: " << ca_path << ", CA dir: " << ca_dir;
         return Maybe<void>();
     }
 
@@ -457,7 +476,6 @@ private:
         return BioConnectionStatus::SHOULD_NOT_RETRY;
     }
 
-
     Maybe<void>
     connectToHost()
     {
@@ -654,6 +672,10 @@ private:
     Flags<ConnectionFlags> flags;
 
     MessageProxySettings settings;
+    string ca_path = "";
+    string client_cert_path = "";
+    string client_key_path = "";
+
     string connect_message;
     string certificate;
 
@@ -666,6 +688,7 @@ private:
 
     bool lock = false;
     bool should_close_connection = false;
+    bool is_dual_auth = false;
 };
 
 Connection::Connection(const MessageConnectionKey &key, const MessageMetadata &metadata)

core/messaging/connection/connection_ut/connection_comp_ut.cc

@@ -89,6 +89,8 @@ TEST_F(TestConnectionComp, testSetAndGetConnection)
     Flags<MessageConnectionConfig> conn_flags;
     conn_flags.setFlag(MessageConnectionConfig::UNSECURE_CONN);
     MessageMetadata conn_metadata("127.0.0.1", 8080, conn_flags);
+    conn_metadata.setCAPath("ca.pem");
+    conn_metadata.setDualAuthenticationSettings("ca_client.pem", "private_client.key");
     auto maybe_connection = i_conn->establishConnection(conn_metadata, MessageCategory::LOG);
     ASSERT_TRUE(maybe_connection.ok());
 

core/messaging/include/dummy_socket.h

@@ -76,7 +76,7 @@ public:
     writeToSocket(const std::string &msg)
     {
         acceptSocket();
-        EXPECT_EQ(write(connection_fd, msg.data(), msg.size()), msg.size());
+        EXPECT_EQ(write(connection_fd, msg.data(), msg.size()), static_cast<int>(msg.size()));
     }
 
 private:

core/messaging/messaging_comp/messaging_comp_ut/messaging_comp_ut.cc

@@ -253,9 +253,13 @@ operator==(const MessageMetadata &one, const MessageMetadata &two)
         one.getConnectionFlags() == two.getConnectionFlags() &&
         one.getProxySettings() == two.getProxySettings() &&
         one.getExternalCertificate() == two.getExternalCertificate() &&
+        one.getCaPath() == two.getCaPath() &&
+        one.getClientCertPath() == two.getClientCertPath() &&
+        one.getClientKeyPath() == two.getClientKeyPath() &&
         one.getHeaders() == two.getHeaders() &&
         one.shouldBufferMessage() == two.shouldBufferMessage() &&
-        one.isProxySet() == two.isProxySet();
+        one.isProxySet() == two.isProxySet() &&
+        one.isDualAuth() == two.isDualAuth();
 }
 
 TEST_F(TestMessagingComp, testSetFogConnection)

core/report/report.cc

@@ -176,6 +176,8 @@ Report::getSyslog() const
     if (!origin_syslog.empty()) {
         report.push(origin_syslog);
     }
+    auto severity_str = "eventSeverity=\"" + TagAndEnumManagement::convertToString(severity) + '"';
+    report.push(severity_str);
     if (!event_data_syslog.empty()) {
         report.push(event_data_syslog);
     }
@@ -218,6 +220,8 @@ Report::getCef() const
     if (!origin_cef.empty()) {
         report.pushExtension(origin_cef);
     }
+    auto severity_str = "eventSeverity=\"" + TagAndEnumManagement::convertToString(severity) + '"';
+    report.pushExtension(severity_str);
     if (!event_data_cef.empty()) {
         report.pushExtension(event_data_cef);
     }

core/report/report_ut/report_ut.cc

@@ -87,7 +87,7 @@ TEST(TagTest, TagStringTest)
     set<string> tags_string;
     for (Tags tag : makeRange<Tags>()) {
         tags_string = TagAndEnumManagement::convertToString({tag});
-        ASSERT_EQ(tags_string.size(), 1);
+        ASSERT_EQ(tags_string.size(), 1u);
         Maybe<Tags> tag_from_string = TagAndEnumManagement::convertStringToTag(*tags_string.begin());
         ASSERT_TRUE(tag_from_string.ok());
         EXPECT_EQ(tag_from_string.unpack(), tag);
@@ -571,7 +571,8 @@ TEST_F(ReportTest, testSyslogWithoutServiceName)
         report.getSyslog(),
         "<133>1 0:0:0.123Z cpnano-agent-001 UnnamedNanoService - 0 - "
         "title='Log Test' agent=\"Secret\" eventTraceId=\"\" eventSpanId=\"\" "
-        "issuingEngineVersion=\"\" serviceName=\"Unnamed Nano Service\" serviceId=\"\" serviceFamilyId=\"\""
+        "issuingEngineVersion=\"\" serviceName=\"Unnamed Nano Service\" serviceId=\"\" serviceFamilyId=\"\" "
+        "eventSeverity=\"Info\""
     );
 }
 
@@ -612,6 +613,7 @@ TEST_F(ReportTest, testSyslog)
         "title='Log Test' agent=\"Secret\"") +
         " eventTraceId=\"\" eventSpanId=\"\" issuingEngineVersion=\"\"" +
         " serviceName=\"Access Control App\" serviceId=\"\" serviceFamilyId=\"\"" +
+        " eventSeverity=\"Info\"" +
         string(" ArrayOfArraies=\"[ [ a, b \\], [ 1, 2 \\] \\]\"") +
         string(" DataWithNewLine=\"new\\r\\nline\"") +
         string(" DataWithQuote=\"data\\'bla\"");
@@ -654,7 +656,9 @@ TEST_F(ReportTest, testCef)
         "CEF:0|Check Point|AccessControlApp||Event Driven|Log Test|Low|"
         "eventTime=0:0:0.123 agent=\"Secret\" eventTraceId=\"\" eventSpanId=\"\" issuingEngineVersion=\"\""
         " serviceName=\"Access Control App\" serviceId=\"\""
-        " serviceFamilyId=\"\" Bond=\"1\" DataWithQuote=\"data\\'bla\""
+        " serviceFamilyId=\"\" Bond=\"1\""
+        " eventSeverity=\"Info\""
+        " DataWithQuote=\"data\\'bla\""
     );
 }
 

core/report/tag_and_enum_management.cc

@@ -150,7 +150,7 @@ TagAndEnumManagement::convertToString(const StreamType &stream_type)
         case StreamType::JSON_DEBUG:    return "JSON Debug stream";
         case StreamType::JSON_FOG:      return "JSON FOG stream";
         case StreamType::JSON_LOG_FILE: return "JSON File stream";
-        case StreamType::JSON_K8S_SVC:  return "JSON K8S service stream";
+        case StreamType::JSON_CONTAINER_SVC:  return "JSON K8S service stream";
         case StreamType::SYSLOG:        return "Syslog stream";
         case StreamType::CEF:           return "CEF stream";
 

core/rest/rest_ut/rest_config_ut.cc

@@ -162,7 +162,7 @@ TEST_F(RestConfigTest, basic_flow)
     I_MainLoop::Routine stop_routine = [&] () {
         EXPECT_EQ(connect(file_descriptor, (struct sockaddr*)&sa, sizeof(struct sockaddr)), 0);
         string msg = "POST /add-test HTTP/1.1\r\nContent-Length: 10\r\n\r\n{\"num\": 5}";
-        EXPECT_EQ(write(file_descriptor, msg.data(), msg.size()), msg.size());
+        EXPECT_EQ(write(file_descriptor, msg.data(), msg.size()), static_cast<int>(msg.size()));
 
         while(!TestServer::g_num) {
             mainloop->yield(true);

core/shmem_ipc/shmem_ipc_ut/shmem_ipc_ut.cc

@@ -264,8 +264,8 @@ TEST_F(SharedIPCTest, ensure_right_permissions)
         stat(queue_name, &info);
         EXPECT_EQ(info.st_uid, uid);
         EXPECT_EQ(info.st_gid, gid);
-        EXPECT_EQ(info.st_mode & S_IRUSR, S_IRUSR);
-        EXPECT_EQ(info.st_mode & S_IWUSR, S_IWUSR);
-        EXPECT_NE(info.st_mode & S_IXUSR, S_IXUSR);
+        EXPECT_EQ(info.st_mode & S_IRUSR, static_cast<uint>(S_IRUSR));
+        EXPECT_EQ(info.st_mode & S_IWUSR, static_cast<uint>(S_IWUSR));
+        EXPECT_NE(info.st_mode & S_IXUSR, static_cast<uint>(S_IXUSR));
     }
 }

deployment/swag/docker-compose.yaml

@@ -0,0 +1,46 @@
+services:
+  swag-attachment:
+    image: ghcr.io/openappsec/swag-attachment:latest
+    ipc: service:appsec-agent
+    restart: unless-stopped
+    container_name: swag-attachment
+    cap_add:
+      - NET_ADMIN
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Etc/UTC
+      - URL=yourdomain.url # replace yourdomain.url with your own domain
+      # make sure your domain's public IP resolves to
+      # the docker host for Let's Encrypt cert generation to succeed
+      - VALIDATION=http
+      # see https://docs.linuxserver.io/images/docker-swag/ for
+      # more cert generation/validation options
+      - STAGING=true # switch to 'false' after successful testing
+    volumes:
+      - ./swag-config:/config
+    ports:
+      - 443:443
+      - 80:80 #optional
+
+  appsec-agent:
+    container_name: appsec-agent
+    image: ghcr.io/openappsec/agent:latest
+    ipc: shareable
+    restart: unless-stopped
+    environment:
+      - user_email=user@email.com # adjust with your own email
+      - registered_server='SWAG Server'
+      # if autoPolicyLoad is set to true, open-appsec will apply
+      # changes in local_policy.yaml automatically
+      - autoPolicyLoad=true
+      # To connect to open-appsec central management WebUI 
+      ## create your WebUI profile at https://my.openappsec.io,
+      ## enforce policy, copy the profile token from WebUI and add it below 
+      - AGENT_TOKEN=
+    volumes:
+      - ./appsec-config:/etc/cp/conf
+      - ./appsec-data:/etc/cp/data
+      - ./appsec-logs:/var/log/nano_agent
+      - ./appsec-localconfig:/ext/appsec
+    command: /cp-nano-agent

nodes/orchestration/CMakeLists.txt

@@ -30,7 +30,7 @@ target_link_libraries(
     env_details
     local_policy_mgmt_gen
     curl
-
+    external_sdk_server
     -Wl,--end-group
 )
 

nodes/orchestration/main.cc

@@ -51,6 +51,7 @@
 #include "generic_metric.h"
 #include "tenant_manager.h"
 #include "local_policy_mgmt_gen.h"
+#include "external_sdk_server.h"
 
 using namespace std;
 
@@ -72,7 +73,8 @@ main(int argc, char **argv)
         OrchestrationTools,
         HealthChecker,
         HealthCheckManager,
-        LocalPolicyMgmtGenerator
+        LocalPolicyMgmtGenerator,
+        ExternalSdkServer
     > comps;
 
     comps.registerGlobalValue<uint>("Nano service API Port Primary", 7777);

nodes/orchestration/package/local-default-policy.yaml

@@ -1,15 +1,16 @@
 policies:
   default:
-    triggers:
-    - appsec-default-log-trigger
     mode: detect-learn
-    practices:
-    - webapp-default-practice
-    custom-response: appsec-default-web-user-response
+    practices: [appsec-best-practice]
+    triggers: [appsec-log-trigger]
+    custom-response: 403-forbidden
+    source-identifiers: ""
+    trusted-sources: ""
+    exceptions: []
   specific-rules: []
 
 practices:
-  - name: webapp-default-practice
+  - name: appsec-best-practice
     openapi-schema-validation:
       configmap: []
       override-mode: detect-learn
@@ -34,7 +35,7 @@ practices:
       override-mode: detect-learn
 
 log-triggers:
-  - name: appsec-default-log-trigger
+  - name: appsec-log-trigger
     access-control-logging:
       allow-events: false
       drop-events: true
@@ -57,7 +58,7 @@ log-triggers:
         format: json
 
 custom-responses:
-  - name: appsec-default-web-user-response
+  - name: 403-forbidden
     mode: response-code-only
     http-response-code: 403
 

nodes/orchestration/package/open-appsec-cloud-mgmt-k8s

@@ -13,6 +13,10 @@ profile_id=
 cluster_id=
 latest_policy_version=1
 
+if [ -f $POLICY_CRDS_PATH ]; then
+    chmod 644 $POLICY_CRDS_PATH
+fi
+
 load_agent_details()
 {
     tenant_id=$(awk -F\" '/Tenant ID/{print $4}' /etc/cp/conf/agent_details.json)
@@ -29,7 +33,7 @@ get_latest_policy_version()
     bucket_list=$(curl -s -w "%{http_code}\n" --request GET \
         -H "user-agent: Infinity Next (a7030abf93a4c13)" -H "Authorization: Bearer ${ra_token}" \
         "$var_fog/agents-core/storage/?list-type=2&prefix=${tenant_id}/${profile_id}")
-    paths_list=$(echo $bucket_list  | /etc/cp/bin/yq -p xml | grep "/policy")
+    paths_list=$(echo $bucket_list  | awk -F'<Key>|</Key>' '/policy-/ {for (i = 1; i <= NF; i++) if ($i ~ /policy/) print $i}')
 
     prefix="${tenant_id}/${profile_id}"
     paths=$(echo $paths_list | tr " " "\n" | grep / )
@@ -257,6 +261,7 @@ usage()
     echo "Options:"
     echo "    --fog       <fog address>          : Namespace with the relevant Helm Chart"
     echo "    --upload_policy_only               : Upload policy to the fog, withput changing agent mode"
+    echo "    --debug                            : Keep the debuging files"
     exit 255
 }
 
@@ -277,6 +282,8 @@ validate_arg_value_exists()
     fi
 }
 
+debug_mode="false"
+
 while true; do
     if [ "$1" = "--token" ]; then
         validate_arg_value_exists "$1" "$#"
@@ -290,6 +297,8 @@ while true; do
         validate_arg_value_exists "$1" "$#"
         shift
         ra_token="$1"
+    elif [ "$1" = "--debug" ]; then
+        debug_mode="true"
     elif [ -z "$1" ]; then
         break
     fi
@@ -305,5 +314,8 @@ upload_crds_to_the_cloud
 if [ "$?" = "0" ]; then
     echo "SUCCESS"
 fi
+if [ "$debug_mode" = "false" ]; then
+    rm $POLICY_CRDS_PATH
+fi
 
 exit 0