Merge pull request #1899 from CactuseSecurity/develop

merge develop into main v6.0

Author: tpurschke

.github/workflows/test-install.yml

@@ -21,18 +21,27 @@ on:
 
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
-  build:
-    name: test build on merge
-    runs-on: ubuntu-latest
+  # ubuntu18 was unstable at github (2022-07-06 - 2022-07-11)
+  # test_ubuntu_18:
+  #   name: test build on ubuntu_18
+  #   runs-on: ubuntu-18.04
+  #   steps:
+  #   - uses: actions/checkout@v2
+  #   - name: do test install in case of merged pull request
+  #     run: cd /home/runner/work/firewall-orchestrator/firewall-orchestrator && ansible-playbook -e run_on_github=yes --skip-tags test site.yml -K
+
+  test_ubuntu_20:
+    name: test build on ubuntu_20
+    runs-on: ubuntu-20.04
     steps:
     - uses: actions/checkout@v2
     - name: do test install in case of merged pull request
-      run: cd /home/runner/work/firewall-orchestrator/firewall-orchestrator && ansible-playbook -e 'run_on_github=yes testkeys=yes' --skip-tags test site.yml -K
+      run: cd /home/runner/work/firewall-orchestrator/firewall-orchestrator && ansible-playbook -e run_on_github=yes --skip-tags test site.yml -K
 
-  review:
-    name: Review code
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v2
-    - name: do test install in case of reviewable PR
-      run: cd /home/runner/work/firewall-orchestrator/firewall-orchestrator && ansible-playbook -e 'run_on_github=yes testkeys=yes' --skip-tags test site.yml -K
+  # test_ubuntu_22:
+  #   name: test build on  ubuntu_22
+  #   runs-on: ubuntu-22.04
+  #   steps:
+  #   - uses: actions/checkout@v2
+  #   - name: do test install in case of merged pull request
+  #     run: cd /home/runner/work/firewall-orchestrator/firewall-orchestrator && ansible-playbook -e run_on_github=yes --skip-tags test site.yml -K

.gitignore

@@ -1,2 +1,4 @@
 .vs/
 .idea/
+.test_data/
+roles/importer/venv/

.vscode/launch.json

@@ -50,13 +50,18 @@
                 "PYTHONPATH": "${PYTHONPATH}:${workspaceRoot}"
             },
             "args": [
-                "-m8",
-                "-d4",
+                "-m5",
+                "-d9",
                 "-f",
+                "-s",
+                //"-xhttp://10.6.5.10:3128",
                 //"-ihttps://fwodemodata.cactus.de/demo04_cpr8x.json",
-                //"-c",
+                //"-ihttps://fwodemodata.cactus.de/demo01_fortiMgrLab.json"
+                //"-ihttps://fwodemodata.cactus.de/demo05_fortiMgr2.json"
+                // "-ihttps://fwodemodata.cactus.de/big/fortiMgr_78111944ad43fe045687d8d6dc92256e.json"
+                //"-c"
                 //  41 - lab fortimanager
-                //"-i/tmp/mgm_id_8_config_native.json",
+                //"-i/home/tim/Downloads/mgm_id_9_config_native.json.anon"
                 //"-i/home/tim/tmp/configs/mgm_id_56_config_native.json.anon", // all rules, all objs local mgm_id 4
                 // "-i/home/tim/tmp/configs/mgm_id_56_config_native.json.anon", // 30k rules, local mgm_id 45
                 //"-i/home/tim/tmp/configs/mgm_id_52_config_native.json.anon", // many gateways, local mgm_id 49
@@ -74,9 +79,33 @@
                 //"-i/home/tim/tmp/configs/mgm_id_54_config_native.json.anon",
                 //"-i/home/tim/tmp/configs/mgm_id_56_config_native.json.anon", // local id 55
                 //"-i/home/tim/tmp/configs/mgm_id_1176_config_native.json.anon_error_in_fprs100-s999-rz99-xxx-PolicyNetwork.anon-with-broken-svc",
-                "-l250"
+                //"-l250"
+            ]
+        },
+        {
+            "name": "py-acquire-lock",
+            "type": "python",
+            "request": "launch",
+            "program": "${workspaceFolder}/roles/common/files/acquire_lock.py",
+            "console": "integratedTerminal",
+            "env": {
+                "PYTHONPATH": "${PYTHONPATH}:${workspaceRoot}"
+            },
+            "args": [
+                "/var/fworch/lock/FWO.Middleware.Server_log.lock"
             ]
         },
+        {
+            "name": "py-generate-tenant-data",
+            "type": "python",
+            "request": "launch",
+            "program": "${workspaceFolder}/roles/test/files/tenant_networks/create_tenant_network_data.py",
+            "console": "integratedTerminal",
+            "env": {
+                "PYTHONPATH": "${PYTHONPATH}:${workspaceRoot}"
+            },
+            "args": []
+        },
         {
             "name": "py-change-comment",
             "type": "python",
@@ -148,6 +177,19 @@
                 "-rFirstLayer shared with inline layer"
             ]
         },
+        {
+            "name": "py-cpr8x-api-test-call",
+            "type": "python",
+            "request": "launch",
+            "program": "${workspaceFolder}/roles/importer/files/importer/checkpointR8x/api-test-call.py",
+            "console": "integratedTerminal",
+            "env": {
+                "PYTHONPATH": "${PYTHONPATH}:${workspaceRoot}"
+            },
+            "args": [
+                "--help"
+            ]
+        },
         {
             "name": "py-get-config-fm7",
             "type": "python",
@@ -261,7 +303,9 @@
             "request": "launch",
             "preLaunchTask": "build_test",
             "program": "/usr/bin/dotnet",
-            "args": [ "test" ],
+            "args": [
+                "test"
+            ],
             "cwd": "${workspaceFolder}/roles/test/files/FWO.Test",
             "stopAtEntry": true,
             "console": "integratedTerminal"

.vscode/settings.json

@@ -1,3 +1,4 @@
 {
-    "python.pythonPath": "/usr/bin/python3"
+    "editor.formatOnPaste": false,
+    "editor.formatOnSave": false
 }

CODING_GUIDELINES.md

@@ -22,6 +22,7 @@
 - lists should be used instead of arrays
 - only use comment per line (//, #), no block comments
 - continue style of existing code in source file
+- all recursion needs to be limited (default max. value: 100) to avoid stack overflows
 
 ## C# specific
 - avoid null references

CONTRIBUTING.md

@@ -31,10 +31,6 @@ Please follow our [Code of conduct](code-of-conduct.md) in the context of any co
 
 ## 2. Repo overview
 
-[Firewall Orchestrator](https://github.com/CactuseSecurity/firewall-orchestrator) has the following contributing guides:
-
-For all contributions, a CLA (Contributor License Agreement) needs to be signed [here](https://cla-assistant.io/CactuseSecurity/firewall-orchestrator) before (or after) the pull request has been submitted. A bot will prompt contributors to sign the CLA via a pull request comment, if necessary.
-
 <a name="first-timers"></a>
 
 ## 3. First time contributors welcome!
@@ -88,7 +84,7 @@ Our goal is to keep our Firewall Orchestrator stable and secure. If you would li
 
 - If you're working on an issue, please comment that you are doing so to prevent duplicate work by others also.
 
-- Squash your commits and refer to the issue using `fix #<issue-no>` or `close #<issue-no>` in the commit message, at the end.
+- Refer to an issue using `fix #<issue-no>` or `close #<issue-no>` in the commit message, at the end.
   For example: `resolve answers to everything (fix #42)` or `resolve answers to everything, fix #42`
 
 - Rebase master with your branch before submitting a pull request.

README.md

@@ -5,7 +5,7 @@
 [![Open Source Love svg1](https://github.com/ellerbrock/open-source-badges/blob/master/badges/open-source-v1/open-source.svg)](https://github.com/ellerbrock/open-source-badges/)
 [![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](http://makeapullrequest.com)
 
-- Import firewall configurations (rules) of various brands (Check Point, Fortinet, Juniper, Barracuda, Netscreen)
+- Import firewall configurations (rules) of various brands (Check Point, Fortinet, Cisco, Juniper, Barracuda, Netscreen)
 - Display reports on firewall configuration and changes
 - Regularly re-certify firewall rules to clean up your rulebase
 - Use the built-in GraphQL API to integrate with your existing infrastructure (Directory Service, ITSM, IPAM, ...)
@@ -14,7 +14,7 @@
 
 ## Installation instructions
 
-See [installation instructions](documentation/installer/server-install.md).
+See [installation instructions](documentation/installer/basic-installation.md).
 
 If your system is positioned behind a proxy or you have other specific installation needs like in a distributed installation, see [advanced server installation instructions](documentation/installer/install-advanced.md). Here you can also find information on upgrading and uninstalling the product.
 

SECURITY.md

@@ -2,7 +2,7 @@
 
 ## Reporting a Vulnerability
 
-We’re extremely grateful for security researchers and users that report vulnerabilities to the Hasura Community. All reports are thoroughly investigated by a set of community volunteers and the Hasura team.
+We’re extremely grateful for security researchers and users that report vulnerabilities to the Firewall Orchestrator Community. All reports are thoroughly investigated by the Firewall Orchestrator team.
 
 In case you discover a security issue/vulnerability, please contact security@cactus.de with all the details, attaching necessary information if possible.
 
@@ -27,7 +27,7 @@ The reporter will be kept updated at every stage of the issue's analysis and res
 
 ## Public Disclosure Timing
 
-A public disclosure date is negotiated by the Hasura product security team and the bug submitter. We prefer to fully disclose the bug as soon as possible once a user mitigation is available. It is reasonable to delay disclosure when the bug or the fix is not yet fully understood, the solution is not well-tested, or for vendor coordination. The timeframe for disclosure is from immediate (especially if it's already publicly known) to a few weeks. We expect the time-frame between a report to a public disclosure to typically be in the order of 7 days. The Firewall Orchestrator maintainers and the security team will take the final call on setting a disclosure date.
+A public disclosure date is negotiated by the security team and the bug submitter. We prefer to fully disclose the bug as soon as possible once a user mitigation is available. It is reasonable to delay disclosure when the bug or the fix is not yet fully understood, the solution is not well-tested, or for vendor coordination. The timeframe for disclosure is from immediate (especially if it's already publicly known) to a few weeks. We expect the time-frame between a report to a public disclosure to typically be in the order of 7 days. The Firewall Orchestrator maintainers and the security team will take the final call on setting a disclosure date.
 
 (Some sections have been inspired and adapted from [https://github.com/kubernetes/website/blob/master/content/en/docs/reference/issues-security/security.md](https://github.com/kubernetes/website/blob/master/content/en/docs/reference/issues-security/security.md)).
 

ansible.cfg

@@ -8,13 +8,11 @@ stdout_callback = yaml
 gathering = smart
 gather_subset = !hardware,!facter,!ohai
 
+ansible_conditional_bare_vars=false
+
 fact_caching_connection = /tmp/ansible_fact_cache
 fact_caching = jsonfile
 
 # expire the fact cache after 2 hours
 fact_caching_timeout = 7200
-
-[ssh_connection]
-# from ansible 2.10 onwards, pipelining does not work anymore
-# instead the ansible playbook must be run via sudo
-pipelining = False
+pipelining = True

design/readme.md

@@ -37,27 +37,26 @@ https://www.networkstraining.com/best-firewall-management-software-tools
 
 - Client
 
-  - Apollo (<https://www.apollographql.com/>)
-  - fat client: .NET core/5 with eto forms
+  - browser-only
 
 ## Functional requirements (high-Level)
 
 - low-cost alternative to core functionality of competition (Tufin, Algosec, Skybox, Firemon)
 - fullfil regulatory requirements (documentation of config changes, recertification of config)
 - "network CMDB"
-- do not include high risk functionality (e.g. write config changes to firewalls) in core product
-- offer API for automation purposes
+- do not include high risk functionality (e.g. write config changes to firewalls) in core product at first
+- offer full API for automation purposes
+- include granular role-basd access model
 
 ## Architecture: "encapsulate everything"
 
 - API
 
   - API modules (<https://medium.com/the-guild/why-is-true-modular-encapsulation-so-important-in-large-scale-graphql-projects-ed1778b03600>)
-  - no direct DB access without API exception: login/auth module
-  - API calls with resolvers: <https://medium.com/paypal-engineering/graphql-resolvers-best-practices-cd36fdbcef55>
+  - no direct DB access without API
 
 - UI
 
   - UI display and data methods
 
-- first impression, see <https://demo.itsecorg.de> manual
+- first impression, see <https://fwodemo.cactus.de>