mirror of
https://github.com/openappsec/openappsec.git
synced 2025-06-28 16:41:02 +03:00
305 lines
12 KiB
Bash
Executable File
305 lines
12 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
POLICY_TEMP_PATH="/tmp/policy_temp.json"
|
|
DECLARATIVE_CONFIG_PATH="/etc/cp/conf/declarative_config.cfg"
|
|
CHANGE_AGENT_MODE=true
|
|
UPLOAD_AGENT_POLICY=false
|
|
ra_token=
|
|
tenant_id=
|
|
agent_id=
|
|
profile_id=
|
|
|
|
load_agent_details()
|
|
{
|
|
tenant_id=$(awk -F\" '/Tenant ID/{print $4}' /etc/cp/conf/agent_details.json)
|
|
profile_id=$(awk -F\" '/Profile ID/{print $4}' /etc/cp/conf/agent_details.json)
|
|
agent_id=$(awk -F\" '/Agent ID/{print $4}' /etc/cp/conf/agent_details.json)
|
|
}
|
|
|
|
generate_policy()
|
|
{
|
|
cp -f /etc/cp/conf/local_policy.yaml /tmp/tmp_local_policy.yaml
|
|
sed -i "s|\"\*\"|\"Any\"|g" /tmp/tmp_local_policy.yaml
|
|
POLICY=$(/etc/cp/bin/yq eval /tmp/tmp_local_policy.yaml -o json)
|
|
echo $POLICY > $POLICY_TEMP_PATH
|
|
rm -f /tmp/tmp_local_policy.yaml
|
|
}
|
|
|
|
upload_the_policy_to_s3()
|
|
{
|
|
echo "Uploading local policy configuration to cloud..."
|
|
|
|
upload_res="$(curl -s -w "%{http_code}\n" --progress-bar --request PUT -T "${POLICY_TEMP_PATH}" \
|
|
-H "user-agent: Infinity Next (a7030abf93a4c13)" -H "Content-Type: application/json" \
|
|
-H "Authorization: Bearer ${ra_token}" \
|
|
"$var_fog/agents-core/storage/$tenant_id/$profile_id/$((AGENT_POLICY+1))/policy-$agent_id.json")"
|
|
|
|
if test "$upload_res" != "200"; then
|
|
echo "Failed uploading policy to cloud: Failed Error code ${upload_res}"
|
|
return 1
|
|
fi
|
|
|
|
file_exists="$(curl -s -w "%{http_code}\n" --request GET \
|
|
-H "user-agent: Infinity Next (a7030abf93a4c13)" -H "Authorization: Bearer ${ra_token}" \
|
|
"$var_fog/agents-core/storage/$tenant_id/$profile_id/$((AGENT_POLICY+1))/policy-$agent_id.json")"
|
|
|
|
check_file_exists="$(echo "$file_exists" | grep 200)"
|
|
if [ -z "$check_file_exists" ]; then
|
|
echo "Failed uploading policy to cloud: Failed on checking the file. Error code ${check_file_exists}"
|
|
return 1
|
|
fi
|
|
}
|
|
|
|
send_notification_to_the_fog()
|
|
{
|
|
correlation_id=$(cat /proc/sys/kernel/random/uuid)
|
|
DATE=$(date "+%FT%T.000")
|
|
upload_res=$(curl -s -w "%{http_code}\n" --request POST \
|
|
"$var_fog/api/v1/agents/events/bulk" -H "X-Trace-Id:${correlation_id}" \
|
|
--header "Authorization: Bearer ${ra_token}" --header "user-agent: Infinity Next (a7030abf93a4c13)" \
|
|
--header "Content-Type: application/json" \
|
|
--header "x-rate-limit-product-type: openappsec" \
|
|
--data "{\"logs\": [{\"log\": {\"eventTime\": \
|
|
\"$DATE\",\"eventName\": \"Agent started onboarding process to cloud management\",\"eventSeverity\": \
|
|
\"Info\",\"eventPriority\": \"Urgent\",\"eventLogLevel\": \"info\",\"eventType\": \"Event Driven\",
|
|
\"eventLevel\": \"Log\",\"eventAudience\": \"Internal\",\"eventAudienceTeam\": \"Agent Core\",
|
|
\"eventFrequency\": 0,\"eventSource\": {\"serviceName\": \"Orchestration\",\"agentId\": \"$agent_id\",
|
|
\"tenantId\": \"$tenant_id\",\"serviceId\": \"1\",\"issuingEngineVersion\": \"1.2229.123456\",
|
|
\"issuingEngine\": \"onboardingInfoProvider\"},\"eventData\": {\"eventObject\": {\"onboardingInfo\":
|
|
{\"policyVersion\": $((AGENT_POLICY+1)),\"profileId\": \"$profile_id\",\"agentId\": \"$agent_id\"}}},
|
|
\"eventTags\": [\"Orchestration\"]}, \"tenantId\": \"$tenant_id\", \"id\": 1}]}")
|
|
|
|
if test "$upload_res" != "200"; then
|
|
sleep 5
|
|
upload_res=$(curl -s -o /dev/null -s -w "%{http_code}\n" \
|
|
--request POST "$var_fog/api/v1/agents/events/bulk" -H "X-Trace-Id:${correlation_id}" \
|
|
--header "Authorization: Bearer ${ra_token}" --header "user-agent: Infinity Next (a7030abf93a4c13)" \
|
|
--header "Content-Type: application/json" \
|
|
--header "x-rate-limit-product-type: openappsec" \
|
|
--data "{\"logs\": \
|
|
[{\"log\": {\"eventTime\": \"$DATE\",\"eventName\": \"Agent started onboarding process to cloud management\",
|
|
\"eventSeverity\": \"Info\",\"eventPriority\": \"Urgent\",\"eventLogLevel\": \"info\",\"eventType\": \"Event Driven\",
|
|
\"eventLevel\": \"Log\",\"eventAudience\": \"Internal\",\"eventAudienceTeam\": \"Agent Core\",\"eventFrequency\": 0,
|
|
\"eventSource\": {\"serviceName\": \"Orchestration\",\"agentId\": \"$agent_id\",\"tenantId\":
|
|
\"$tenant_id\",\"serviceId\": \"1\",\"issuingEngineVersion\": \"1.2229.123456\",\"issuingEngine\":
|
|
\"onboardingInfoProvider\"},\"eventData\": {\"eventObject\": {\"onboardingInfo\": {\"policyVersion\":
|
|
$((AGENT_POLICY+1)),\"profileId\": \"$profile_id\",\"agentId\": \"$agent_id\"}}},
|
|
\"eventTags\": [\"Orchestration\"]}, \"tenantId\": \"$tenant_id\", \"id\": 1}]}")
|
|
if test "$upload_res" != "200"; then
|
|
echo "Failed to notify the FOG on the new policy: Failed Error code ${upload_res}"
|
|
return 1
|
|
fi
|
|
fi
|
|
|
|
}
|
|
|
|
get_jwt()
|
|
{
|
|
response="$(curl -s -w --noproxy "*" --header "User-Agent: Infinity Next (a7030abf93a4c13)" \
|
|
--header "Content-Type: application/json" --request POST --data \
|
|
"{\"authenticationData\": [{\"authenticationMethod\": \"token\", \"data\": \"$var_token\"}], \
|
|
\"metaData\": {\"agentName\": \"K8S\", \"agentType\": \"Embedded\", \"platform\": \"linux\", \
|
|
\"architecture\": \"x86\", \"additionalMetaData\": {\"agentVendor\": \"python\"}}}" $var_fog/agents)"
|
|
|
|
if [ ! -z "$( echo $response | grep referenceId)" ]; then
|
|
echo "Couldn't register to the FOG"
|
|
return 1
|
|
fi
|
|
agent_id=$(echo $response | grep -o '"agentId":"[^"]*' | grep -o '[^"]*$')
|
|
echo "agent_id=${agent_id}" > $DECLARATIVE_CONFIG_PATH
|
|
clientId=$(echo $response | grep -o '"clientId":"[^"]*' | grep -o '[^"]*$')
|
|
clientSecret=$(echo $response | grep -o '"clientSecret":"[^"]*' | grep -o '[^"]*$')
|
|
tenant_id=$(echo $response | grep -o '"tenantId":"[^"]*' | grep -o '[^"]*$')
|
|
profile_id=$(echo $response | grep -o '"profileId":"[^"]*' | grep -o '[^"]*$')
|
|
|
|
response="$(curl -s -w --noproxy "*" --header "User-Agent: Infinity Next (a7030abf93a4c13)" \
|
|
--header "Content-Type: application/json" -d "{\"login\":\"$clientId\", \"password\":\"$clientSecret\"}" \
|
|
--user "$clientId:$clientSecret" --request POST --data "{}" $var_fog/oauth/token?grant_type=client_credentials)"
|
|
if [ ! -z "$( echo $response | grep referenceId)" ]; then
|
|
echo "Couldn't receive JWT"
|
|
return 1
|
|
fi
|
|
|
|
ra_token=$(echo $response | grep -o '"access_token":"[^"]*' | grep -o '[^"]*$')
|
|
|
|
profile_data="$(curl -s -w "%{http_code}" --request POST $var_fog/api/v2/agents/resources/ \
|
|
-H "X-Trace-Id:2ade3b96-2451-4720-8a58-2bc83fd73292" --header "Authorization: Bearer $ra_token" \
|
|
--header "user-agent: Infinity Next (a7030abf93a4c13)" --header "Content-Type: application/json" \
|
|
--data "{\"manifest\": \"\",\"policy\": \"\",\"settings\": \"\",\"data\": \"\"}")"
|
|
if [ ! -z "$( echo $profile_data | grep referenceId)" ]; then
|
|
echo "Couldn't receive profile data"
|
|
return 1
|
|
fi
|
|
policy_md5=$(echo $profile_data | grep -o '"policy":"[^"]*' | grep -o '[^"]*$')
|
|
if [ ! -z "$( echo $policy_md5 | grep referenceId)" ]; then
|
|
echo "Couldn't receive profile md5"
|
|
return 1
|
|
fi
|
|
policy_data="$(curl -s -w '%{http_code}\n' --request GET $var_fog/api/v2/agents/resources/policy \
|
|
-H 'X-Trace-Id:2ade3b96-2451-4720-8a58-2bc83fd73292' --header "Authorization: Bearer $ra_token" \
|
|
--header 'user-agent: Infinity Next (a7030abf93a4c13)' --header 'Content-Type: application/json' \
|
|
--data '{"policy": "$policy_md5"}')"
|
|
if [ ! -z "$( echo $policy_md5 | grep referenceId)" ]; then
|
|
echo "Couldn't receive policy data"
|
|
return 1
|
|
fi
|
|
|
|
AGENT_POLICY="$(echo $policy_data | grep -o '"version":"[^"]*' | grep -o '[^"]*$')"
|
|
echo "AGENT_POLICY=${AGENT_POLICY}" >> $DECLARATIVE_CONFIG_PATH
|
|
return 0
|
|
}
|
|
|
|
poll_for_status_file()
|
|
{
|
|
correlation_id=$(cat /proc/sys/kernel/random/uuid)
|
|
attempt_counter=0
|
|
max_attempts=18
|
|
|
|
until [ ${attempt_counter} -eq ${max_attempts} ]; do
|
|
if [ ${attempt_counter} -eq ${max_attempts} ];then
|
|
echo "Max attempts reached"
|
|
return 1
|
|
fi
|
|
file_exists="$(curl -s -w "%{http_code}\n" --request GET -H \
|
|
"user-agent: Infinity Next (a7030abf93a4c13)" -H \
|
|
"Authorization: Bearer ${ra_token}" \
|
|
"$var_fog/agents-core/storage/$tenant_id/$profile_id/$((AGENT_POLICY+1))/status-$agent_id.json")"
|
|
|
|
check_file_exists=$(echo $file_exists | grep 200)
|
|
if [ ! -z "$check_file_exists" ]; then
|
|
FAILURE=$(echo $file_exists | grep "false")
|
|
if [ ! -z "$FAILURE" ]; then
|
|
echo "Failed creating the Assets: $(echo $file_exists | cut -c27- | cut -d '"' -f 1)"
|
|
return 1
|
|
else
|
|
echo "."
|
|
return 0
|
|
fi
|
|
else
|
|
echo -n '.'
|
|
attempt_counter=$(($attempt_counter+1))
|
|
sleep 10
|
|
fi
|
|
done
|
|
echo "Error: Status file was not generated"
|
|
return 1
|
|
}
|
|
|
|
upload_policy_to_the_cloud()
|
|
{
|
|
load_agent_details
|
|
generate_policy
|
|
STATUS="FAILURE"
|
|
if [ $CHANGE_AGENT_MODE = true ]; then
|
|
get_jwt
|
|
if [ "$?" = "1" ]; then
|
|
echo "Failed registering to the FOG"
|
|
exit 1
|
|
fi
|
|
fi
|
|
|
|
|
|
upload_the_policy_to_s3
|
|
if [ "$?" = "1" ]; then
|
|
echo "Failed uploading the policy to S3"
|
|
exit 1
|
|
fi
|
|
|
|
send_notification_to_the_fog
|
|
if [ "$?" = "1" ]; then
|
|
echo "Failed Notifying to FOG"
|
|
exit 1
|
|
fi
|
|
|
|
poll_for_status_file
|
|
if [ "$?" = "0" ]; then
|
|
if [ $CHANGE_AGENT_MODE = true ]; then
|
|
open-appsec-ctl --set-mode --online_mode --token $var_token --fog $var_fog
|
|
else
|
|
sed -i "s|AGENT_POLICY=.*|AGENT_POLICY=$((AGENT_POLICY+1))|g" $DECLARATIVE_CONFIG_PATH
|
|
fi
|
|
STATUS="SUCCESS"
|
|
exit 0
|
|
fi
|
|
if [ "$STATUS" = "FAILURE" ]; then
|
|
echo "Failed to upload policy to the cloud"
|
|
exit 1
|
|
fi
|
|
}
|
|
|
|
usage()
|
|
{
|
|
echo "Usage: $0 --token <token> [options...] ]"
|
|
echo " --token <token> : Registration token"
|
|
echo "Options:"
|
|
echo " --namespace <namespace> : Namespace with the relevant Helm Chart"
|
|
echo " --fog <fog address> : Namespace with the relevant Helm Chart"
|
|
echo " --config-upload : Upload policy to the fog"
|
|
echo " --config-upload-only : Upload policy to the fog, withput changing agent mode"
|
|
exit 255
|
|
}
|
|
|
|
validate_arg_value_exists()
|
|
{
|
|
if test "$2" = "1"; then
|
|
echo "Error: The script is missing value for '$1'"
|
|
usage
|
|
exit 1
|
|
fi
|
|
}
|
|
|
|
while true; do
|
|
if [ "$1" = "--token" ]; then
|
|
validate_arg_value_exists "$1" "$#"
|
|
shift
|
|
var_token="$1"
|
|
elif [ "$1" = "--namespace" ]; then
|
|
validate_arg_value_exists "$1" "$#"
|
|
shift
|
|
var_namespace="$1"
|
|
elif [ "$1" = "--fog" ]; then
|
|
validate_arg_value_exists "$1" "$#"
|
|
shift
|
|
var_fog="$1"
|
|
elif [ "$1" = "--config-upload" ]; then
|
|
UPLOAD_AGENT_POLICY=true
|
|
elif [ "$1" = "--config-upload-only" ]; then
|
|
UPLOAD_AGENT_POLICY=true
|
|
CHANGE_AGENT_MODE=false
|
|
source $DECLARATIVE_CONFIG_PATH
|
|
elif [ "$1" = "--access_token" ] || [ "$1" = "-at" ]; then
|
|
validate_arg_value_exists "$1" "$#"
|
|
shift
|
|
ra_token="$1"
|
|
elif [ "$1" = "--tenant_id" ] || [ "$1" = "-tid" ]; then
|
|
validate_arg_value_exists "$1" "$#"
|
|
shift
|
|
tenant_id="$1"
|
|
elif [ "$1" = "--profile_id" ] || [ "$1" = "-pid" ]; then
|
|
validate_arg_value_exists "$1" "$#"
|
|
shift
|
|
profile_id="$1"
|
|
elif [ -z "$1" ]; then
|
|
break
|
|
else
|
|
usage
|
|
exit 1
|
|
fi
|
|
shift
|
|
done
|
|
|
|
if [ -z "$var_fog" ]; then
|
|
var_fog="https://inext-agents.cloud.ngen.checkpoint.com"
|
|
fi
|
|
|
|
if [ $UPLOAD_AGENT_POLICY = true ]; then
|
|
upload_policy_to_the_cloud
|
|
else
|
|
open-appsec-ctl --set-mode --online_mode --token $var_token --fog $var_fog
|
|
fi
|
|
if [ "$?" = "0" ]; then
|
|
echo "SUCCESS"
|
|
fi
|
|
|
|
exit 0
|