Merge pull request #2281 from CactuseSecurity/develop

v7.3 tenant ip-filtering
CactuseSecurity · Oct 22, 2023 · 4ace328 · 4ace328
2 parents 8abd825 + 1175a23
commit 4ace328
Show file tree

Hide file tree

Showing 194 changed files with 5,849 additions and 51,480 deletions.
diff --git a/.vscode/launch.json b/.vscode/launch.json
@@ -56,8 +56,8 @@
  "PYTHONPATH": "${PYTHONPATH}:${workspaceRoot}"
  },
  "args": [
- "-m68",
- "-d6",
+ "-m15",
+ "-d8",
  "-f",
  "-s",
  //"-c"

diff --git a/azure/app.zip b/azure/app.zip
diff --git a/azure/createUiDefinition.json b/azure/createUiDefinition.json
@@ -0,0 +1,91 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "basics": [
+ {}
+ ],
+ "steps": [
+ {
+ "name": "webAppSettings",
+ "label": "Web App settings",
+ "subLabel": {
+ "preValidation": "Configure the web app settings",
+ "postValidation": "Completed"
+ },
+ "elements": [
+ {
+ "name": "appServicePlanName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "App Service plan name",
+ "placeholder": "App Service plan name",
+ "defaultValue": "",
+ "toolTip": "Use alphanumeric characters or hyphens with a maximum of 40 characters.",
+ "constraints": {
+ "required": true,
+ "regex": "^[a-z0-9A-Z-]{1,40}$",
+ "validationMessage": "Only alphanumeric characters or hyphens are allowed, with a maximum of 40 characters."
+ },
+ "visible": true
+ },
+ {
+ "name": "appServiceName",
+ "type": "Microsoft.Common.TextBox",
+ "label": "App Service name prefix",
+ "placeholder": "App Service name prefix",
+ "defaultValue": "",
+ "toolTip": "Use alphanumeric characters or hyphens with minimum of 2 characters and maximum of 47 characters.",
+ "constraints": {
+ "required": true,
+ "regex": "^[a-z0-9A-Z-]{2,47}$",
+ "validationMessage": "Only alphanumeric characters or hyphens are allowed, with a minimum of 2 characters and maximum of 47 characters."
+ },
+ "visible": true
+ }
+ ]
+ },
+ {
+ "name": "storageConfig",
+ "label": "Storage settings",
+ "subLabel": {
+ "preValidation": "Configure the storage settings",
+ "postValidation": "Completed"
+ },
+ "elements": [
+ {
+ "name": "storageAccounts",
+ "type": "Microsoft.Storage.MultiStorageAccountCombo",
+ "label": {
+ "prefix": "Storage account name prefix",
+ "type": "Storage account type"
+ },
+ "toolTip": {
+ "prefix": "Enter maximum of 11 lowercase letters or numbers.",
+ "type": "Available choices are Standard_LRS, Standard_GRS, and Premium_LRS."
+ },
+ "defaultValue": {
+ "type": "Standard_LRS"
+ },
+ "constraints": {
+ "allowedTypes": [
+ "Premium_LRS",
+ "Standard_LRS",
+ "Standard_GRS"
+ ]
+ },
+ "visible": true
+ }
+ ]
+ }
+ ],
+ "outputs": {
+ "location": "[location()]",
+ "appServicePlanName": "[steps('webAppSettings').appServicePlanName]",
+ "appServiceNamePrefix": "[steps('webAppSettings').appServiceName]",
+ "storageAccountNamePrefix": "[steps('storageConfig').storageAccounts.prefix]",
+ "storageAccountType": "[steps('storageConfig').storageAccounts.type]"
+ }
+ }
+ }
+
diff --git a/azure/mainTemplate.json b/azure/mainTemplate.json
@@ -0,0 +1,109 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]"
+ },
+ "appServicePlanName": {
+ "type": "string",
+ "maxLength": 40,
+ "metadata": {
+ "description": "Firewall Orchestrator Managed"
+ }
+ },
+ "appServiceNamePrefix": {
+ "type": "string",
+ "maxLength": 47,
+ "metadata": {
+ "description": "FWORCH"
+ }
+ },
+ "storageAccountNamePrefix": {
+ "type": "string",
+ "maxLength": 11,
+ "metadata": {
+ "description": "FWORCH_STO"
+ }
+ },
+ "storageAccountType": {
+ "type": "string",
+ "allowedValues": [
+ "Premium_LRS",
+ "Standard_LRS",
+ "Standard_GRS"
+ ],
+ "metadata": {
+ "description": "Storage account type allowed values"
+ }
+ }
+ },
+ "variables": {
+ "appServicePlanSku": "F1",
+ "appServicePlanCapacity": 1,
+ "appServiceName": "[format('{0}{1}', parameters('appServiceNamePrefix'), uniqueString(resourceGroup().id))]",
+ "storageAccountName": "[format('{0}{1}', parameters('storageAccountNamePrefix'), uniqueString(resourceGroup().id))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/serverfarms",
+ "apiVersion": "2022-03-01",
+ "name": "[parameters('appServicePlanName')]",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "[variables('appServicePlanSku')]",
+ "capacity": "[variables('appServicePlanCapacity')]"
+ }
+ },
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2022-03-01",
+ "name": "[variables('appServiceName')]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]",
+ "httpsOnly": true,
+ "siteConfig": {
+ "appSettings": [
+ {
+ "name": "AppServiceStorageConnectionString",
+ "value": "[format('DefaultEndpointsProtocol=https;AccountName={0};EndpointSuffix={1};Key={2}', variables('storageAccountName'), environment().suffixes.storage, listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2022-09-01').keys[0].value)]"
+ }
+ ]
+ }
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]",
+ "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2022-09-01",
+ "name": "[variables('storageAccountName')]",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "[parameters('storageAccountType')]"
+ },
+ "kind": "StorageV2",
+ "properties": {
+ "accessTier": "Hot"
+ }
+ }
+ ],
+ "outputs": {
+ "appServicePlan": {
+ "type": "string",
+ "value": "[parameters('appServicePlanName')]"
+ },
+ "appServiceApp": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Web/sites', variables('appServiceName')), '2022-03-01').defaultHostName]"
+ },
+ "storageAccount": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2022-09-01').primaryEndpoints.blob]"
+ }
+ }
+ }
diff --git a/documentation/auth/rbac.md b/documentation/auth/rbac.md
@@ -18,6 +18,7 @@ The following roles are defined in ascending order of permissions:
 - importer - users can import config changes into the database
 - dbbackup - users that are able to read data tables for backup purposes
 - auditor - users that can view all data & settings (in the UI) but cannot make any changes
+- modeller - users who can model applications
 - recertifier - users who can re-certify or de-certify firewall rules
 - fw-admin - users who can document open changes
 - requester - users that have the right to create requests

diff --git a/documentation/installer/basic-installation.md b/documentation/installer/basic-installation.md
@@ -28,14 +28,11 @@ possibly followed by a reboot.
 git clone https://github.com/CactuseSecurity/firewall-orchestrator.git
 ```
 
-3) Ansible Installation
- - Ubuntu 18.04, Debian 10 only: install latest ansible before firewall orchestrator installation
+3) Ansible Installation (only for legacy Ubuntu 18.04, Debian 10)
 
-  cd firewall-orchestrator; ansible-playbook scripts/install-latest-ansible.yml -K
-
- - All platforms: install galaxy collections
+Install latest ansible (>= 2.9) before firewall orchestrator installation
 
- ansible-galaxy collection install community.postgresql
+  cd firewall-orchestrator; ansible-playbook scripts/install-latest-ansible.yml -K
 
 4) install (on localhost)
 

diff --git a/documentation/revision-history-develop.md b/documentation/revision-history-develop.md
@@ -78,3 +78,69 @@ In 2020 we decided to re-launch a new
 ### 6.5.1 24.07.2023 DEVELOP
 - New report type Unused Rules
 
+### 7.0.1 - 28.07.2023 DEVELOP
+- Compliance matrix edit fix
+- Logout audit logging fix
+
+### 7.0.2 - 28.07.2023 DEVELOP
+- Default templates for new report types
+
+### 7.1 - 11.08.2023 DEVELOP
+- adding tenant network UI
+- adding test import via URI in hostname field
+- replacing legacy demo data import with standard imported data, closing #2197 (note: only for new installations, an upgrade will not touch the demo data)
+- test imports can now be made from file (integrated in UI)
+- improve debugging of imports (no errors for missing object parts)
+
+### 7.1.1 - 15.08.2023 DEVELOP
+- fixes upgrade bug on systems without demo data
+
+### 7.1.2 - 16.08.2023 DEVELOP
+- adding Check Point R8x Inform action
+
+### 7.2 - 21.08.2023 DEVELOP
+mostly version update summarizing latest PRs
+- UI/API: adding tenant ip filtering beta version (clean-up and optiomazation necessary)
+- API: updating hasura to 2.32.0
+- UI: now not showing super managers in RSB all tab
+- UI: bug fixes blazor environment settings
+ - Use production / development based on the build type instead of always using development.
+ - Do not show detailed errors in production mode.
+ - Use the custom error page in the production environment.
+ - Spelling mistake fix
+- UI: bug fix jwt expiry
+ - jwt expiry timer now works as intended
+ - after the jwt expired no exception can be triggered anymore
+
+### 7.2.1 - 11.09.2023 DEVELOP
+- new settings option for rule ownership mode
+### 7.2.2 - 15.09.2023 DEVELOP
+- complete re-work: all ip addresses are now internally represented as ranges, including all networks
+### 7.2.3 - 29.09.2023 DEVELOP
+bugfix release:
+- api - upgrade hasura to 2.33.4
+- installer - fix client/server db sort order mismatch (collate)
+- adding simulated changes to fwodemodata (fortiate)
+- importer - fix in fortiOS importer action field
+- UI
+ - fix settings owner networks editing and displaying
+ - recert report (and recert page) IP addresses now also simplified like an other reports
+ - fix broken links in recert page
+### 7.2.4 - 04.10.2023 DEVELOP
+- new role modeller
+- new mechanism for overwriting texts 
+# 7.2.5 - 05.10.2023 DEVELOP
+- importer
+ - adding more error debugging in CPR8x importer 
+ - adding new network object type 'external-gateway' (for interoperable-dervice in check point)
+ - fix fortimanager importer: ignore missing negate fields
+- middleware & ui: add check for successful publishing dotnet
+- middlware: fix upgrade become issue in middleware ldif files
+- database: fix postgresql_query module reference
+
+# 7.2.6 - 06.10.2023 DEVELOP
+- importer Checkpoint: adding network object type support for 'CpmiVsClusterNetobj' (for VSX virtual switches)
+
+# 7.3 - 22.10.2023 DEVOP
+- cleanup unused database views and functions
+- first working tenant ip-based filtering
diff --git a/documentation/revision-history-main.md b/documentation/revision-history-main.md
@@ -311,3 +311,39 @@ adding report template format fk and permissions
  - demo data: fix sample group role path
  - adding demo video in github README.MD
  - splitting revision history into develop and main
+
+### 7.3 22.10.2023 MAIN
+- new features
+ - recertification: new rule ownership
+ - customizable UI texts
+ - starting target state module with introducing new role "modeller"
+ - adding tenant ip filtering
+ - adding tenant simulation (exluding statistical report and recertification) including scheduling
+- maintenance / bug-fixing
+ - complete re-work: all ip addresses are now internally represented as ranges, including all networks
+ - UI:
+ - do not show super managers in RSB all tab
+ - Use production / development based on the build type instead of always using development.
+ - do not show detailed errors in production mode + use the custom error page in the production environment
+ - bug fix jwt expiry, jwt expiry timer now works as intended
+ - unifying IP addresses display method across all parts
+ - fix filtering for rules with negated source / destination or single negated ip ranges
+ - Database:
+ - removing unused materialized view for tenant ip filtering
+ - Installer
+ - fix upgrade become issue in middleware ldif files
+ - fix client/server db sort order mismatch (collate)
+ - fix postgresql_query module reference
+ - adding simulated changes to fwodemodata (fortigate)
+ - add check for successful publishing dotnet (mw, ui)
+ - Importer
+ - fortiOS: fix importer action field
+ - fortimanager: ignore missing negate fields
+ - Check Point: adding Inform action
+ - Check Point: adding new network object type 'external-gateway' (for interoperable-dervice)
+ - Check Point: adding network object type support for 'CpmiVsClusterNetobj' (for VSX virtual switches)
+ - API:
+ - upgrade hasura to 2.34.0
+- restrictions
+ - since tenant filtering is not done in the API but in the UI, the API should not be exposed to the tenants
+
diff --git a/inventory/group_vars/all.yml b/inventory/group_vars/all.yml
@@ -1,5 +1,5 @@
 ### general settings
-product_version: "7.0"
+product_version: "7.3"
 ansible_user: "{{ lookup('env', 'USER') }}"
 ansible_become_method: sudo
 ansible_python_interpreter: /usr/bin/python3

diff --git a/inventory/group_vars/apiserver.yml b/inventory/group_vars/apiserver.yml
@@ -8,7 +8,7 @@ api_hasura_admin_test_password: "not4production"
 api_user_email: "{{ api_user }}@{{ api_network_listening_ip_address }}"
 api_home: "{{ fworch_home }}/api"
 api_hasura_cli_bin: "{{ fworch_home }}/api/bin/hasura"
-api_hasura_version: "v2.30.1"
+api_hasura_version: "v2.34.0"
 api_project_name: api
 api_no_metadata: false
 api_rollback_is_running: false