Merge pull request #1919 from CactuseSecurity/develop

Develop - main merge v6.0.1

Author: tpurschke

.vscode/launch.json

@@ -50,16 +50,16 @@
                 "PYTHONPATH": "${PYTHONPATH}:${workspaceRoot}"
             },
             "args": [
-                "-m5",
+                "-m8",
                 "-d9",
                 "-f",
                 "-s",
                 //"-xhttp://10.6.5.10:3128",
                 //"-ihttps://fwodemodata.cactus.de/demo04_cpr8x.json",
                 //"-ihttps://fwodemodata.cactus.de/demo01_fortiMgrLab.json"
                 //"-ihttps://fwodemodata.cactus.de/demo05_fortiMgr2.json"
-                // "-ihttps://fwodemodata.cactus.de/big/fortiMgr_78111944ad43fe045687d8d6dc92256e.json"
-                //"-c"
+                "-ihttps://fwodemodata.cactus.de/big/XXX.json",
+                // "-c"
                 //  41 - lab fortimanager
                 //"-i/home/tim/Downloads/mgm_id_9_config_native.json.anon"
                 //"-i/home/tim/tmp/configs/mgm_id_56_config_native.json.anon", // all rules, all objs local mgm_id 4

README.md

@@ -6,6 +6,7 @@
 [![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](http://makeapullrequest.com)
 
 - Import firewall configurations (rules) of various brands (Check Point, Fortinet, Cisco, Juniper, Barracuda, Netscreen)
+- Request changes on your firewall configuration using the new workflow module in v6.0
 - Display reports on firewall configuration and changes
 - Regularly re-certify firewall rules to clean up your rulebase
 - Use the built-in GraphQL API to integrate with your existing infrastructure (Directory Service, ITSM, IPAM, ...)

documentation/developer-docs/api/docker-default-ip-range-change.md

@@ -0,0 +1,23 @@
+# how to change the default ip range for docker
+
+in case of a conflict (if you use the 172.16.0.0/16 range internally), you can use the following instructions taken from https://support.hyperglance.com/knowledge/changing-the-default-docker-subnet to change the network.
+
+1. create/modify file /etc/docker/daemon.json to contain new ip address:
+
+```json
+{
+"log-driver": "journald",
+"log-opts": {
+"tag": "{{.Name}}"
+},
+"bip": "172.26.0.1/16"
+}
+```
+
+2. restart docker service:
+
+```sudo systemctl restart docker```
+
+3. restart docker container:
+
+```sudo docker restart fworch-api```

documentation/revision-history.md

@@ -219,7 +219,7 @@ adding report template format fk and permissions
 
 ### 5.7.1 - 13.10.2022
 - new workflow module for requesting changes
-- new Cisco FireFlow import module 
+- new Cisco FirePower import module 
 - support for new operating system debian testing
 - bugfix enrichable objects in CP NAT rules
 - bugfix filter line brackets
@@ -246,3 +246,6 @@ adding report template format fk and permissions
 
 ### 6.0 - 02.11.2022
 - clean-up work and new major version
+
+### 6.0.1 - 10.11.2022
+- bugfix release with small issues (userconfig re-login, ldif upgrade bug, debian testing support)

inventory/group_vars/all.yml

@@ -1,5 +1,5 @@
 ### general settings
-product_version: "6.0"
+product_version: "6.0.1"
 
 ansible_python_interpreter: /usr/bin/python3
 ansible_ssh_common_args: '-o StrictHostKeyChecking=no'

inventory/group_vars/apiserver.yml

@@ -8,7 +8,7 @@ api_hasura_admin_test_password: "not4production"
 api_user_email: "{{ api_user }}@{{ api_ip_address }}"
 api_home: "{{ fworch_home }}/api"
 api_hasura_cli_bin: "{{ fworch_home }}/api/bin/hasura"
-api_hasura_version: "v2.13.0"
+api_hasura_version: "v2.14.0"
 api_project_name: api
 api_no_metadata: false
 api_rollback_is_running: false

roles/common/tasks/main.yml

@@ -169,11 +169,11 @@
     - set_fact:
         wsgi_package_name: "{{ wsgi_package_name }}-py3"
       when: | 
-        (ansible_facts['distribution']|lower == 'debian' and ansible_facts['distribution_major_version'] == 'testing')
+        (ansible_facts['distribution_release']|lower == 'bookworm')
         or 
-        (ansible_facts['distribution']|lower == 'debian' and ansible_facts['distribution_major_version'] is version('10', '>'))
+        (ansible_facts['distribution']|lower == 'debian' and ansible_facts['distribution_major_version']|int is version('10', '>'))
         or 
-        (ansible_facts['distribution']|lower == 'ubuntu' and ansible_facts['distribution_major_version'] is version('20', '>'))
+        (ansible_facts['distribution']|lower == 'ubuntu' and ansible_facts['distribution_major_version']|int is version('20', '>'))
 
     - name: copy iso.conf to target
       copy:

roles/database/files/sql/idempotent/fworch-grants.sql

@@ -5,6 +5,11 @@ ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON SEQUENCES TO group "db
 Grant select on ALL TABLES in SCHEMA public to group dbbackupusers;
 ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO group dbbackupusers;
 
+GRANT SELECT ON ALL SEQUENCES IN SCHEMA request TO group "dbbackupusers";
+ALTER DEFAULT PRIVILEGES IN SCHEMA request GRANT SELECT ON SEQUENCES TO group "dbbackupusers";
+Grant select on ALL TABLES in SCHEMA request to group dbbackupusers;
+ALTER DEFAULT PRIVILEGES IN SCHEMA request GRANT SELECT ON TABLES TO group dbbackupusers;
+
 --  grants for all (implicit) sequences
 GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO group "secuadmins";
 ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT USAGE, SELECT ON SEQUENCES TO group "secuadmins";

roles/database/files/sql/idempotent/fworch-rule-import.sql

@@ -179,15 +179,19 @@ DECLARE
 	i_prev_numeric_value BIGINT;
 	i_next_numeric_value BIGINT;
 	i_numeric_value BIGINT;
+	v_rulebase_name VARCHAR;
 
 BEGIN
 	RAISE DEBUG 'import_rules_set_rule_num_numeric - start';
 	SELECT INTO i_mgm_id mgm_id FROM device WHERE dev_id=i_dev_id;
+	SELECT INTO v_rulebase_name local_rulebase_name FROM device WHERE dev_id=i_dev_id;
 	RAISE DEBUG 'import_rules_set_rule_num_numeric - mgm_id=%, dev_id=%, before inserting', i_mgm_id, i_dev_id;
+	i_prev_numeric_value := NULL;
 	FOR r_rule IN -- set rule_num_numeric for changed (i.e. "new") rules
 		SELECT rule.rule_id, rule_num_numeric FROM import_rule LEFT JOIN rule USING (rule_uid) WHERE
 			active AND
 			import_rule.control_id = i_current_control_id AND
+			import_rule.rulebase_name = v_rulebase_name AND
 			rule.dev_id=i_dev_id 
 			ORDER BY import_rule.rule_num
 	LOOP

roles/database/files/sql/idempotent/fworch-texts.sql

@@ -148,7 +148,7 @@ INSERT INTO txt VALUES ('whats_new_facts',	    'German', 	'
     <li>F&uuml;r FortiManager und CheckPoint (Stand-Alone & MDS Manager) Auto Discovery</li>
     <li>Monitoring und Alerting Modul</li>
     <li>Neues Workflow module zum Beantragen von &Auml;nderungen</li>
-    <li>Cisco FireFlow Import-Module</li>
+    <li>Cisco FirePower Import-Module</li>
     <li>Unterst&uuml;tzung f&uuml;r Debian Testing Betriebssystem</li>
     <li>Beginn Routing/Interface Pfad Analyse (zun&auml;chst nur Fortinet)</li>
     <li>Neue Report-Typen: Regeln (aufgel&ouml;st), Regeln technisch (alle Gruppe werden in Bestandteile aufgel&ouml;st; Report-Export als "Single Table")</li>
@@ -163,7 +163,7 @@ INSERT INTO txt VALUES ('whats_new_facts',	    'English', 	'
     <li>Device Auto Discovery functionality</li>
     <li>Introduction of Monitoring and Alerting module</li>
     <li>Introduction of workflow module for requesting changes</li>
-    <li>New Cisco FireFlow import module </li>
+    <li>New Cisco FirePower import module </li>
     <li>Support for new operating system Debian testing</li>
     <li>Start routing/interface (currently implemented for fortinet only) import and path analysis</li>
     <li>New report types: resolved rules, technical rules (report without group objects, exporting into pure rule tables without additional object tables)</li>