Merge pull request #1242 from CactuseSecurity/develop

Develop merging v5.5.1
CactuseSecurity · Oct 27, 2021 · 18be802 · 18be802
2 parents 5c03f13 + 6c7a771
commit 18be802
Show file tree

Hide file tree

Showing 413 changed files with 4,824 additions and 4,547 deletions.
diff --git a/.vscode/launch.json b/.vscode/launch.json
@@ -1,6 +1,28 @@
 {
     "version": "0.2.0",
     "configurations": [
+        {
+            "name": "py-change-comment",
+            "type": "python",
+            "request": "launch",
+            "program": "${workspaceFolder}/roles/sample-data/files/config_changes/write_date_to_comment.py",
+            "console": "integratedTerminal",
+            "env": {
+                "PYTHONPATH": "${PYTHONPATH}:${workspaceRoot}"
+            },
+            "args": []
+        },        
+        {
+            "name": "py-change-rule",
+            "type": "python",
+            "request": "launch",
+            "program": "${workspaceFolder}/roles/sample-data/files/config_changes/enlarge_rule.py",
+            "console": "integratedTerminal",
+            "env": {
+                "PYTHONPATH": "${PYTHONPATH}:${workspaceRoot}"
+            },
+            "args": []
+        },        
         {
             "name": "py-cpr8x-get-config",
             "type": "python",
@@ -15,6 +37,7 @@
                 "-uitsecorg",
                 "-w/home/tim/tmp/passwd",
                 "-lFirstLayer shared with inline layer",
+                "-kTestPolicyWithLayers",
                 "-o/home/tim/tmp/sting.cfg"
             ]
         },
@@ -77,9 +100,26 @@
                 "PYTHONPATH": "${PYTHONPATH}:${workspaceRoot}"
             },
             "args": [
-                "-m6",
-                "-d2",
-                "-l20"
+                "-m5",
+                "-d3",
+                "-l50"
+            ]
+        },        
+        {
+            "name": "py-cpr8x-autodiscovery",
+            "type": "python",
+            "request": "launch",
+            "program": "${workspaceFolder}/roles/importer/files/importer/checkpointR8x/auto-discover.py",
+            "console": "integratedTerminal",
+            "cwd": "${workspaceFolder}/roles/importer/files/importer/checkpointR8x",
+            "env": {
+                "PYTHONPATH": "${PYTHONPATH}:${workspaceRoot}"
+            },
+            "args": [
+              "-a192.168.100.110",
+              "-w/home/tim/secrets/cp_apiuser_pwd",
+              "-uitsecorg",
+              "-fjson"
             ]
         },
         {
@@ -102,7 +142,7 @@
             "args": [
                 "test"
             ],
-            "cwd": "${workspaceFolder}/roles/test/files/FWO_Test",
+          "cwd": "${workspaceFolder}/roles/test/files/FWO.Test",
             "stopAtEntry": false,
             "console": "internalConsole"
         },
@@ -111,9 +151,9 @@
             "type": "coreclr",
             "request": "launch",
             "preLaunchTask": "build_UI",
-            "program": "${workspaceFolder}/roles/ui/files/FWO_UI/bin/Debug/net5.0/FWO.Ui.dll",
+            "program": "${workspaceFolder}/roles/ui/files/FWO.UI/bin/Debug/net5.0/FWO.Ui.dll",
             "args": [],
-            "cwd": "${workspaceFolder}/roles/ui/files/FWO_UI",
+            "cwd": "${workspaceFolder}/roles/ui/files/FWO.UI",
             "stopAtEntry": false,
             "serverReadyAction": {
                 "action": "openExternally",

diff --git a/.vscode/tasks.json b/.vscode/tasks.json
@@ -31,7 +31,7 @@
             "type": "process",
             "args": [
                 "build",
-                "${workspaceFolder}/roles/test/files/FWO_Test/FWO.Test.csproj",
+                "${workspaceFolder}/roles/test/files/FWO.Test/FWO.Test.csproj",
                 "/property:GenerateFullPaths=true",
                 "/consoleloggerparameters:NoSummary"
             ],
@@ -43,7 +43,7 @@
             "type": "process",
             "args": [
                 "build",
-                "${workspaceFolder}/roles/ui/files/FWO_UI/FWO.Ui.csproj",
+                "${workspaceFolder}/roles/ui/files/FWO.UI/FWO.Ui.csproj",
                 "/property:GenerateFullPaths=true",
                 "/consoleloggerparameters:NoSummary"
             ],

diff --git a/README.md b/README.md
@@ -8,7 +8,7 @@
 - Import firewall configurations (rules) of various brands (Check Point, Fortinet, Juniper, Barracuda, Netscreen)
 - Display reports on firewall configuration and changes
 - Regularly re-certify firewall rules to clean up your rulebase
-- Use the built-in GraphQL API to integrate with your existing infrastructure (ITSM, IPAM, ...)
+- Use the built-in GraphQL API to integrate with your existing infrastructure (Directory Service, ITSM, IPAM, ...)
 
 <b>Demo:</b> if you want to see what it looks like in advance, visit <https://fwodemo.cactus.de> (user: test, password: drive2).
 

diff --git a/documentation/auth/README.md b/documentation/auth/README.md
@@ -152,7 +152,7 @@ insert into hdb_catalog.hdb_permission (table_schema, table_name, role_name, per
         "dev_create",
         "dev_id",
         "dev_name",
-        "dev_rulebase",
+        "local_rulebase_name",
         "dev_typ_id",
         "dev_update",
         "hide_in_gui",

diff --git a/documentation/developer-docs/database/pgpsql-exception-handling.md b/documentation/developer-docs/database/pgpsql-exception-handling.md
@@ -0,0 +1,139 @@
+# Exception Handling in PGPSQL stored procedures
+
+## documentation
+- official docs: https://www.postgresql.org/docs/14/plpgsql-control-structures.html#PLPGSQL-ERROR-TRAPPING
+- error codes: https://www.postgresql.org/docs/current/errcodes-appendix.html
+- short tutorial: https://www.postgresqltutorial.com/plpgsql-exception/
+
+## log error
+
+    GET DIAGNOSTICS stack = PG_CONTEXT;
+    RAISE NOTICE E'--- Call Stack ---\n%', stack;
+
+## exception handling strategy
+
+1) need to rollback all database changes when error occurs
+2) need to report errors 
+   - print on command line when calling import manually
+   - write to import_control.import_errors
+   - content: 
+     - position of error (stack: GET DIAGNOSTICS stack = PG_CONTEXT;)
+     - error string containing the object causing the error (obj_name and obj uid)
+     - in case of rule, also include rule UID
+3) decide where to catch the error and how to go on with the function
+4) db changes within exception block remain intact, changes in statement block get rolled back
+5) do not pass error strings up in call stack but simply add to end of string import_control.import_errors
+
+### Example call hierarchy
+
+    import_all_main
+	    import_global_refhandler_main
+		    import_rule_refhandler_main
+			    resolve_rule_list
+				    f_add_single_rule_from_element
+				    f_add_single_rule_to_element
+				    f_add_single_rule_svc_element
+
+### Exception handling architecture
+
+    import_all_main
+        --> exception_handling top level
+            - catch exceptions from detail level and append them to import_control.import_errors
+            - make sure everything is rolled back!
+	    import_global_refhandler_main
+		    import_rule_refhandler_main
+			    resolve_rule_list
+				    f_add_single_rule_from_element
+                        --> exception_handling detail level
+                            - throw exception with details on stack + object name
+                            - can we use a function for this?
+				    f_add_single_rule_to_element
+                        ...
+				    f_add_single_rule_svc_element
+                        ...
+
+
+### error handling function
+```plpgsql
+CREATE OR REPLACE FUNCTION error_handling (varchar, varchar)
+    RETURNS varchar
+    AS $$
+DECLARE
+    errid ALIAS FOR $1;
+    var_output_string ALIAS FOR $2;
+    err RECORD;
+    lang RECORD;
+    err_txt text;
+    err_prefix varchar;
+BEGIN
+    err_txt := '';
+    SELECT
+        INTO err *
+    FROM
+        error
+    WHERE
+        error_id = errid;
+    IF NOT FOUND THEN
+        RAISE EXCEPTION 'errorid not found %', errid;
+    END IF;
+    SELECT
+        INTO lang config_value
+    FROM
+        config
+    WHERE
+        config_key = 'DefaultLanguage';
+    IF NOT FOUND THEN
+        RAISE EXCEPTION 'config not found, %', errid;
+    END IF;
+    IF lang.config_value = 'German' THEN
+        err_txt := err.error_txt_ger;
+        IF err.error_lvl = 1 THEN
+            err_prefix := 'FEHLER: ';
+        ELSIF err.error_lvl = 2 THEN
+            err_prefix := 'WARNUNG: ';
+        ELSIF err.error_lvl = 3 THEN
+            err_prefix := 'WARNUNG: ';
+        ELSIF err.error_lvl = 4 THEN
+            err_prefix := 'INFO: ';
+        ELSE
+            RAISE EXCEPTION 'Unbekannte Fehlerstufe %', err.error_lvl;
+        END IF;
+    ELSE
+        err_txt := err.error_txt_eng;
+        IF err.error_lvl = 1 THEN
+            err_prefix := 'ERROR: ';
+        ELSIF err.error_lvl = 2 THEN
+            err_prefix := 'WARNING: ';
+        ELSIF err.error_lvl = 3 THEN
+            err_prefix := 'WARNING: ';
+        ELSIF err.error_lvl = 4 THEN
+            err_prefix := 'INFO: ';
+        ELSE
+            RAISE EXCEPTION 'Unbekannte Fehlerstufe %', err.error_lvl;
+        END IF;
+    END IF;
+    err_prefix := err_prefix || errid || ': ';
+    IF var_output_string <> '' THEN
+        err_txt := err_txt || ': ' || var_output_string;
+    END IF;
+    err_txt := err_prefix || err_txt;
+    INSERT INTO error_log (error_id, error_txt)
+        VALUES (errid, err_txt);
+    IF err.error_lvl = 1 THEN
+        RAISE DEBUG 'sorry, encountered fatal error: %', err_txt;
+        RAISE EXCEPTION '%', err_txt;
+    ELSIF err.error_lvl = 2 THEN
+        RAISE NOTICE '%', err_txt;
+    ELSIF err.error_lvl = 3 THEN
+        RAISE NOTICE '%', err_txt;
+    ELSIF err.error_lvl = 4 THEN
+        RAISE DEBUG '%', err_txt;
+        --		NULL;
+    ELSE
+        RAISE EXCEPTION 'unknown errorlevel %', err.error_lvl;
+    END IF;
+    RETURN err_txt;
+END;
+$$
+LANGUAGE plpgsql;
+```
diff --git a/documentation/developer-docs/database/postgresql-debugging-using-pgadmin.md b/documentation/developer-docs/database/postgresql-debugging-using-pgadmin.md
@@ -0,0 +1,39 @@
+
+# to debug postgresql stored procedures in plgsql
+
+
+## using pgadmin
+
+the following was tested with Ubuntu 20.04
+
+
+- on the backend (db-server) side: 
+  - install debug package (here for postgresql v12)
+
+          sudo apt-get install postgresql-12-pldebugger
+
+  - edit postgresql.conf (e.g. /etc/postgresql/12/main/postgresql.conf) to allow debugging and add the following line:
+
+          shared_preload_libraries = 'plugin_debugger'
+
+
+  - restart postresql service
+
+          sudo systemctl restart postgresql
+
+- on the clinet side:
+  - install pgadmin
+
+          sudo apt install pgadmin4
+
+  - to add the debug extension start pgadmin and run in query editor 
+
+          CREATE EXTENSION pldbgapi;
+
+  - select a stored procedure you wish to debug and select Object - Debugging - Debug
+
+## using vscode
+
+see <https://data-nerd.blog/2020/02/06/postgresql-extension-for-vscode/>
+
+but there are currently no debugging options available
diff --git a/documentation/developer-docs/db-debugging/postgresql-debugging-using-pgadmin.md b/documentation/developer-docs/db-debugging/postgresql-debugging-using-pgadmin.md
diff --git a/documentation/developer-docs/importer/fw-api/fortinet/fortiManager-api-howto.md b/documentation/developer-docs/importer/fw-api/fortinet/fortiManager-api-howto.md
@@ -1,7 +1,11 @@
 # Integrating Fortinet FortiManager 7.x
 
 ## user setup
+
+connect to FM via ssh (admin/empty password) and add the following config
+
 ### make existing admin api ready
+
 ```console
 config system admin user
   edit admin
@@ -40,6 +44,7 @@ config system admin user
        set adom "all_adoms"             
        set profileid "apiuserprofile"
        set rpc-permit read-write
+end       
 ```
 
 ## login