#!/bin/bash POLICY_TEMP_PATH="/tmp/policy_temp.json" DECLARATIVE_CONFIG_PATH="/etc/cp/conf/declarative_config.cfg" CHANGE_AGENT_MODE=true UPLOAD_AGENT_POLICY=false ra_token= tenant_id= agent_id= profile_id= load_agent_details() { tenant_id=$(awk -F\" '/Tenant ID/{print $4}' /etc/cp/conf/agent_details.json) profile_id=$(awk -F\" '/Profile ID/{print $4}' /etc/cp/conf/agent_details.json) agent_id=$(awk -F\" '/Agent ID/{print $4}' /etc/cp/conf/agent_details.json) } generate_policy() { cp -f /etc/cp/conf/local_policy.yaml /tmp/tmp_local_policy.yaml sed -i "s|\"\*\"|\"Any\"|g" /tmp/tmp_local_policy.yaml POLICY=$(/etc/cp/bin/yq eval /tmp/tmp_local_policy.yaml -o json) echo $POLICY > $POLICY_TEMP_PATH rm -f /tmp/tmp_local_policy.yaml } upload_the_policy_to_s3() { echo "Uploading local policy configuration to cloud..." upload_res="$(curl -s -w "%{http_code}\n" --progress-bar --request PUT -T "${POLICY_TEMP_PATH}" \ -H "user-agent: Infinity Next (a7030abf93a4c13)" -H "Content-Type: application/json" \ -H "Authorization: Bearer ${ra_token}" \ "$var_fog/agents-core/storage/$tenant_id/$profile_id/$((AGENT_POLICY+1))/policy-$agent_id.json")" if test "$upload_res" != "200"; then echo "Failed uploading policy to cloud: Failed Error code ${upload_res}" return 1 fi file_exists="$(curl -s -w "%{http_code}\n" --request GET \ -H "user-agent: Infinity Next (a7030abf93a4c13)" -H "Authorization: Bearer ${ra_token}" \ "$var_fog/agents-core/storage/$tenant_id/$profile_id/$((AGENT_POLICY+1))/policy-$agent_id.json")" check_file_exists="$(echo "$file_exists" | grep 200)" if [ -z "$check_file_exists" ]; then echo "Failed uploading policy to cloud: Failed on checking the file. Error code ${check_file_exists}" return 1 fi } send_notification_to_the_fog() { correlation_id=$(cat /proc/sys/kernel/random/uuid) DATE=$(date "+%FT%T.000") upload_res=$(curl -s -w "%{http_code}\n" --request POST \ "$var_fog/api/v1/agents/events/bulk" -H "X-Trace-Id:${correlation_id}" \ --header "Authorization: Bearer ${ra_token}" --header "user-agent: Infinity Next (a7030abf93a4c13)" \ --header "Content-Type: application/json" \ --header "x-rate-limit-product-type: openappsec" \ --data "{\"logs\": [{\"log\": {\"eventTime\": \ \"$DATE\",\"eventName\": \"Agent started onboarding process to cloud management\",\"eventSeverity\": \ \"Info\",\"eventPriority\": \"Urgent\",\"eventLogLevel\": \"info\",\"eventType\": \"Event Driven\", \"eventLevel\": \"Log\",\"eventAudience\": \"Internal\",\"eventAudienceTeam\": \"Agent Core\", \"eventFrequency\": 0,\"eventSource\": {\"serviceName\": \"Orchestration\",\"agentId\": \"$agent_id\", \"tenantId\": \"$tenant_id\",\"serviceId\": \"1\",\"issuingEngineVersion\": \"1.2229.123456\", \"issuingEngine\": \"onboardingInfoProvider\"},\"eventData\": {\"eventObject\": {\"onboardingInfo\": {\"policyVersion\": $((AGENT_POLICY+1)),\"profileId\": \"$profile_id\",\"agentId\": \"$agent_id\"}}}, \"eventTags\": [\"Orchestration\"]}, \"tenantId\": \"$tenant_id\", \"id\": 1}]}") if test "$upload_res" != "200"; then sleep 5 upload_res=$(curl -s -o /dev/null -s -w "%{http_code}\n" \ --request POST "$var_fog/api/v1/agents/events/bulk" -H "X-Trace-Id:${correlation_id}" \ --header "Authorization: Bearer ${ra_token}" --header "user-agent: Infinity Next (a7030abf93a4c13)" \ --header "Content-Type: application/json" \ --header "x-rate-limit-product-type: openappsec" \ --data "{\"logs\": \ [{\"log\": {\"eventTime\": \"$DATE\",\"eventName\": \"Agent started onboarding process to cloud management\", \"eventSeverity\": \"Info\",\"eventPriority\": \"Urgent\",\"eventLogLevel\": \"info\",\"eventType\": \"Event Driven\", \"eventLevel\": \"Log\",\"eventAudience\": \"Internal\",\"eventAudienceTeam\": \"Agent Core\",\"eventFrequency\": 0, \"eventSource\": {\"serviceName\": \"Orchestration\",\"agentId\": \"$agent_id\",\"tenantId\": \"$tenant_id\",\"serviceId\": \"1\",\"issuingEngineVersion\": \"1.2229.123456\",\"issuingEngine\": \"onboardingInfoProvider\"},\"eventData\": {\"eventObject\": {\"onboardingInfo\": {\"policyVersion\": $((AGENT_POLICY+1)),\"profileId\": \"$profile_id\",\"agentId\": \"$agent_id\"}}}, \"eventTags\": [\"Orchestration\"]}, \"tenantId\": \"$tenant_id\", \"id\": 1}]}") if test "$upload_res" != "200"; then echo "Failed to notify the FOG on the new policy: Failed Error code ${upload_res}" return 1 fi fi } get_jwt() { response="$(curl -s -w --noproxy "*" --header "User-Agent: Infinity Next (a7030abf93a4c13)" \ --header "Content-Type: application/json" --request POST --data \ "{\"authenticationData\": [{\"authenticationMethod\": \"token\", \"data\": \"$var_token\"}], \ \"metaData\": {\"agentName\": \"K8S\", \"agentType\": \"Embedded\", \"platform\": \"linux\", \ \"architecture\": \"x86\", \"additionalMetaData\": {\"agentVendor\": \"python\"}}}" $var_fog/agents)" if [ ! -z "$( echo $response | grep referenceId)" ]; then echo "Couldn't register to the FOG" return 1 fi agent_id=$(echo $response | grep -o '"agentId":"[^"]*' | grep -o '[^"]*$') echo "agent_id=${agent_id}" > $DECLARATIVE_CONFIG_PATH clientId=$(echo $response | grep -o '"clientId":"[^"]*' | grep -o '[^"]*$') clientSecret=$(echo $response | grep -o '"clientSecret":"[^"]*' | grep -o '[^"]*$') tenant_id=$(echo $response | grep -o '"tenantId":"[^"]*' | grep -o '[^"]*$') profile_id=$(echo $response | grep -o '"profileId":"[^"]*' | grep -o '[^"]*$') response="$(curl -s -w --noproxy "*" --header "User-Agent: Infinity Next (a7030abf93a4c13)" \ --header "Content-Type: application/json" -d "{\"login\":\"$clientId\", \"password\":\"$clientSecret\"}" \ --user "$clientId:$clientSecret" --request POST --data "{}" $var_fog/oauth/token?grant_type=client_credentials)" if [ ! -z "$( echo $response | grep referenceId)" ]; then echo "Couldn't receive JWT" return 1 fi ra_token=$(echo $response | grep -o '"access_token":"[^"]*' | grep -o '[^"]*$') profile_data="$(curl -s -w "%{http_code}" --request POST $var_fog/api/v2/agents/resources/ \ -H "X-Trace-Id:2ade3b96-2451-4720-8a58-2bc83fd73292" --header "Authorization: Bearer $ra_token" \ --header "user-agent: Infinity Next (a7030abf93a4c13)" --header "Content-Type: application/json" \ --data "{\"manifest\": \"\",\"policy\": \"\",\"settings\": \"\",\"data\": \"\"}")" if [ ! -z "$( echo $profile_data | grep referenceId)" ]; then echo "Couldn't receive profile data" return 1 fi policy_md5=$(echo $profile_data | grep -o '"policy":"[^"]*' | grep -o '[^"]*$') if [ ! -z "$( echo $policy_md5 | grep referenceId)" ]; then echo "Couldn't receive profile md5" return 1 fi policy_data="$(curl -s -w '%{http_code}\n' --request GET $var_fog/api/v2/agents/resources/policy \ -H 'X-Trace-Id:2ade3b96-2451-4720-8a58-2bc83fd73292' --header "Authorization: Bearer $ra_token" \ --header 'user-agent: Infinity Next (a7030abf93a4c13)' --header 'Content-Type: application/json' \ --data '{"policy": "$policy_md5"}')" if [ ! -z "$( echo $policy_md5 | grep referenceId)" ]; then echo "Couldn't receive policy data" return 1 fi AGENT_POLICY="$(echo $policy_data | grep -o '"version":"[^"]*' | grep -o '[^"]*$')" echo "AGENT_POLICY=${AGENT_POLICY}" >> $DECLARATIVE_CONFIG_PATH return 0 } poll_for_status_file() { correlation_id=$(cat /proc/sys/kernel/random/uuid) attempt_counter=0 max_attempts=18 until [ ${attempt_counter} -eq ${max_attempts} ]; do if [ ${attempt_counter} -eq ${max_attempts} ];then echo "Max attempts reached" return 1 fi file_exists="$(curl -s -w "%{http_code}\n" --request GET -H \ "user-agent: Infinity Next (a7030abf93a4c13)" -H \ "Authorization: Bearer ${ra_token}" \ "$var_fog/agents-core/storage/$tenant_id/$profile_id/$((AGENT_POLICY+1))/status-$agent_id.json")" check_file_exists=$(echo $file_exists | grep 200) if [ ! -z "$check_file_exists" ]; then FAILURE=$(echo $file_exists | grep "false") if [ ! -z "$FAILURE" ]; then echo "Failed creating the Assets: $(echo $file_exists | cut -c27- | cut -d '"' -f 1)" return 1 else echo "." return 0 fi else echo -n '.' attempt_counter=$(($attempt_counter+1)) sleep 10 fi done echo "Error: Status file was not generated" return 1 } upload_policy_to_the_cloud() { load_agent_details generate_policy STATUS="FAILURE" if [ $CHANGE_AGENT_MODE = true ]; then get_jwt if [ "$?" = "1" ]; then echo "Failed registering to the FOG" exit 1 fi fi upload_the_policy_to_s3 if [ "$?" = "1" ]; then echo "Failed uploading the policy to S3" exit 1 fi send_notification_to_the_fog if [ "$?" = "1" ]; then echo "Failed Notifying to FOG" exit 1 fi poll_for_status_file if [ "$?" = "0" ]; then if [ $CHANGE_AGENT_MODE = true ]; then open-appsec-ctl --set-mode --online_mode --token $var_token --fog $var_fog else sed -i "s|AGENT_POLICY=.*|AGENT_POLICY=$((AGENT_POLICY+1))|g" $DECLARATIVE_CONFIG_PATH fi STATUS="SUCCESS" exit 0 fi if [ "$STATUS" = "FAILURE" ]; then echo "Failed to upload policy to the cloud" exit 1 fi } usage() { echo "Usage: $0 --token [options...] ]" echo " --token : Registration token" echo "Options:" echo " --namespace : Namespace with the relevant Helm Chart" echo " --fog : Namespace with the relevant Helm Chart" echo " --config-upload : Upload policy to the fog" echo " --config-upload-only : Upload policy to the fog, withput changing agent mode" exit 255 } validate_arg_value_exists() { if test "$2" = "1"; then echo "Error: The script is missing value for '$1'" usage exit 1 fi } while true; do if [ "$1" = "--token" ]; then validate_arg_value_exists "$1" "$#" shift var_token="$1" elif [ "$1" = "--namespace" ]; then validate_arg_value_exists "$1" "$#" shift var_namespace="$1" elif [ "$1" = "--fog" ]; then validate_arg_value_exists "$1" "$#" shift var_fog="$1" elif [ "$1" = "--config-upload" ]; then UPLOAD_AGENT_POLICY=true elif [ "$1" = "--config-upload-only" ]; then UPLOAD_AGENT_POLICY=true CHANGE_AGENT_MODE=false source $DECLARATIVE_CONFIG_PATH elif [ "$1" = "--access_token" ] || [ "$1" = "-at" ]; then validate_arg_value_exists "$1" "$#" shift ra_token="$1" elif [ "$1" = "--tenant_id" ] || [ "$1" = "-tid" ]; then validate_arg_value_exists "$1" "$#" shift tenant_id="$1" elif [ "$1" = "--profile_id" ] || [ "$1" = "-pid" ]; then validate_arg_value_exists "$1" "$#" shift profile_id="$1" elif [ -z "$1" ]; then break else usage exit 1 fi shift done if [ -z "$var_fog" ]; then var_fog="https://inext-agents.cloud.ngen.checkpoint.com" fi if [ $UPLOAD_AGENT_POLICY = true ]; then upload_policy_to_the_cloud else open-appsec-ctl --set-mode --online_mode --token $var_token --fog $var_fog fi if [ "$?" = "0" ]; then echo "SUCCESS" fi exit 0