

Merge pull request #33 from chkp-edenbr/master
support https policy
chkp-edenbr authored Oct 27, 2024
2 parents 84d681d + f51ac4a commit c7b280e
Showing 6 changed files with 175 additions and 6 deletions.
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -69,6 +69,8 @@ Minimum value is 1, maximum value is 500. Default value is 10.

[--show-nat-policy (true|false)] (Optional): Indicates whether to show nat policy as part of policy package. Default value is True.

[--show-https-policy (true|false)] (Optional): Indicates whether to show https policy as part of policy package. Default value is False.

Use "--version" option to print the version of the tool

Use "-h" option in order to see the full list of options to configure the tool
Expand Up @@ -27,7 +27,7 @@ public enum ShowPackageConfiguration {

INSTANCE;

private static final String TOOL_VERSION = "v2.2.0";
private static final String TOOL_VERSION = "v2.3.0";
private static final String TAR_SUFFIX = ".tar.gz";
private static final String LOG_SUFFIX = ".elg";
private static final String PREFIX = "show_package-";
Expand Down Expand Up @@ -83,6 +83,7 @@ public enum ShowPackageConfiguration {
private static boolean doShowAccessPolicy = true;
private static boolean doShowThreatPolicy = true;
private static boolean doShowNatPolicy = true;
private static boolean doShowHttpsPolicy = false;

/*Logger settings*/

Expand Down Expand Up @@ -550,6 +551,8 @@ public Boolean getDereferenceGroupMembers()

public boolean showNatPolicyFlag() { return doShowNatPolicy; }

public boolean showHttpsPolicyFlag() { return doShowHttpsPolicy; }

public boolean showRuleUidFlag() { return showEachRulesUid; }

public String getApiKey() { return apiKey; }
Expand Down Expand Up @@ -1151,6 +1154,37 @@ String value()
return " (true|false)";
}
},
showHttpsPolicy("--show-https-policy"){
@Override
void flagToString()
{
System.out.println("\tIndicates whether to show HTTPS policy as part of policy package. Default value is True.");
}

@Override
void runCommand(String value)
{
if (!value.equalsIgnoreCase("true") && !value.equalsIgnoreCase("false")) {
final String errorMessage = "The value of --show-https-policy is invalid (must be true or false)";
System.out.println(errorMessage);
throw new IllegalArgumentException(errorMessage);
}

ShowPackageConfiguration.doShowHttpsPolicy = Boolean.parseBoolean(value);
}

@Override
String debugString()
{
return "Show nat policy (--show-https-policy)=" + doShowHttpsPolicy;
}

@Override
String value()
{
return " (true|false)";
}
},
;


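Review bot: The help text printed by `flagToString` for `showHttpsPolicy` says "Default value is True." while the field it controls is initialised `doShowHttpsPolicy = false` in the earlier hunk and README documents False; the string should read `"\tIndicates whether to show HTTPS policy as part of policy package. Default value is False."`. In the same constant `debugString` was copied from the NAT option and still labels the value as nat policy; use `return "Show https policy (--show-https-policy)=" + doShowHttpsPolicy;`. The enum constant body is complete within the hunk, but the enclosing `ShowPackageConfiguration` enum starts and ends outside it.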
Expand Up @@ -63,6 +63,7 @@ public class ShowPackageTool {
private static String[] accessTypes = {"access-section", "access-rule", "place-holder"};
private static String[] natTypes = {"nat-section", "nat-rule", "place-holder"};
private static String[] threatTypes = {"threat-section", "threat-exception", "place-holder"};
private static String[] httpsTypes = {"https-section", "https-rule", "place-holder"};

// Object fields that contains nested objects
private static final String[] OBJECT_FIELDS_CONTAINING_NESTED_OBJECTS = {"except", "include", "location"};
Expand All @@ -72,7 +73,8 @@ private enum RulebaseType {

ACCESS ("access"),
NAT ("nat"),
THREAT ("threat-prevention");
THREAT ("threat-prevention"),
HTTPS ("https");

private final String name;

Expand Down Expand Up @@ -559,6 +561,7 @@ private static PolicyPackage buildPackagePolicy(String packageName, JSONArray ob
List<Layer> accessLayers = new ArrayList<>();
List<Layer> threatLayers = new ArrayList<>();
Layer natLayer;
List<Layer> httpsLayers = new ArrayList<>();
PolicyPackage policyPackage = null;
try {
//The vpn communities which were collected are common to all of the policy packages.
Expand All @@ -568,7 +571,7 @@ private static PolicyPackage buildPackagePolicy(String packageName, JSONArray ob
//Fill the layer and the layer's list with information about the package's layers.
configuration.getLogger().debug("Starting to process layers of package '" + packageName + "'");

natLayer = aggregatePackageLayers(packageName, accessLayers, threatLayers);
natLayer = aggregatePackageLayers(packageName, accessLayers, threatLayers, httpsLayers);

if(configuration.showAccessPolicyFlag()){
//Handle access layer
Expand All @@ -594,6 +597,14 @@ private static PolicyPackage buildPackagePolicy(String packageName, JSONArray ob
}
}

if(configuration.showHttpsPolicyFlag()){
//Handle https layers
configuration.getLogger().debug("Handle https layers");
for (Layer httpsLayer : httpsLayers) {
showHttpsRulebase(httpsLayer, packageName);
}
}

final Queue<String> objectsQueue = configuration.getNestedObjectsToRetrieve();
configuration.getLogger().info("There are " + objectsQueue.size() + " nested object(s) to retrieve (with limit " + configuration.getQueryLimit() + ")");
while (!objectsQueue.isEmpty()) {
Expand Down Expand Up @@ -643,7 +654,7 @@ private static PolicyPackage buildPackagePolicy(String packageName, JSONArray ob
writeDictionary(packageName);

//Create a policy package
policyPackage = new PolicyPackage(packageName, accessLayers, threatLayers, natLayer, allTypes);
policyPackage = new PolicyPackage(packageName, accessLayers, threatLayers, natLayer, httpsLayers, allTypes);

//Handle gateways that the policy is install on
JSONArray gatewayObjects = new JSONArray();
Expand Down Expand Up @@ -686,7 +697,7 @@ private static PolicyPackage buildPackagePolicy(String packageName, JSONArray ob
* @return natLayer nat layer that the function sets
*/
private static Layer aggregatePackageLayers(String packageName, List<Layer> accessLayers,
List<Layer> threatLayers){
List<Layer> threatLayers, List<Layer> httpsLayers){
ApiResponse res = null;
Layer natLayer = null;
try {
Expand Down Expand Up @@ -722,6 +733,26 @@ private static Layer aggregatePackageLayers(String packageName, List<Layer> acce
buildLayers(jsonArray, loggerInfo, threatLayers);
}

if ("true".equalsIgnoreCase(response.get("https-inspection-policy").toString())) {
//Https layers
StringBuilder loggerInfo = new StringBuilder();
loggerInfo.append("Https layer(s) that were found in package '").append(packageName).append("' are: ");
JSONArray jsonArray = new JSONArray();
JSONObject layers = (JSONObject) response.get("https-inspection-layers");
if (layers != null){
JSONObject inboundLayer = (JSONObject) layers.get("inbound-https-layer");
JSONObject outboundLayer = (JSONObject) layers.get("outbound-https-layer");
jsonArray.add(inboundLayer);
jsonArray.add(outboundLayer);
}
else {
jsonArray.add(response.get("https-inspection-layer"));
}

configuration.getLogger().debug("Found " + jsonArray.size() + " https layer(s) in package: '" + packageName + "'");
buildLayers(jsonArray, loggerInfo, httpsLayers);
}

if ("true".equalsIgnoreCase(response.get("nat-policy").toString())) {
//Nat layer
natLayer = new Layer();
Expand Down Expand Up @@ -808,6 +839,30 @@ private static boolean showNatRulebase(Layer natLayer, String packageName) {

}

/**
* This function creates a payload in order to create a html page of a given https layer.
*
* @param httpsLayer the https {@link Layer} that the html page will be created for
* @param packageName the package name that the layer belongs to
*
* @return True (False in case of an error).
*/
private static boolean showHttpsRulebase(Layer httpsLayer, String packageName) {

JSONObject payload = new JSONObject();
configuration.getLogger().info("Starting handling https layer: ");

payload.put("uid", httpsLayer.getUid());
payload.put("details-level", "full");
payload.put("use-object-dictionary", true);

addNewFlagsToControlDetailsLevel(payload);

configuration.getLogger().debug("Run command: 'show-https-rulebase' with payload: " + payload.toJSONString());
return showRulebase( httpsLayer, packageName, "show-https-rulebase", RulebaseType.HTTPS, payload, httpsTypes);

}

/**
* Utility function that retrieves the rulebase and writes it to the html page.
*
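Review bot: `response.get("https-inspection-policy").toString()` in `aggregatePackageLayers` throws NullPointerException when the show-package response lacks that field, which seems plausible for a management server whose API predates https-inspection fields (inferred; the supported API version is not visible here); `"true".equalsIgnoreCase(String.valueOf(response.get("https-inspection-policy")))` treats an absent key as false, which matches the intent. Likewise `inbound-https-layer` and `outbound-https-layer` are added to `jsonArray` unconditionally, so a package carrying only one of them hands a null element to `buildLayers`; guard each add with `if (inboundLayer != null) jsonArray.add(inboundLayer);` and the same for the outbound layer. The signature now takes `httpsLayers`, but the Javadoc above the hunk, of which only the `@return` tag is visible, presumably lacks a matching `@param httpsLayers list that the function fills with the package's https layers`. `aggregatePackageLayers` starts and ends outside this hunk.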
14 changes: 13 additions & 1 deletion src/main/java/com/checkpoint/mgmt_api/objects/PolicyPackage.java
Expand Up @@ -14,6 +14,7 @@ public class PolicyPackage
private String packageName;
private List<Layer> accessLayers;
private List<Layer> threatLayers;
private List<Layer> httpsLayers;
private Layer natLayer;
private ObjectsInUse objects;

Expand All @@ -23,13 +24,14 @@ public class PolicyPackage
//The name of the html page of the gateway objects
private String htmlGatewaysFileName;

public PolicyPackage(String name, List<Layer> access, List<Layer> threat, Layer nat ,
public PolicyPackage(String name, List<Layer> access, List<Layer> threat, Layer nat , List<Layer> https,
JSONObject allTypes) {

packageName = name;
accessLayers = access;
threatLayers = threat;
natLayer = nat;
httpsLayers = https;
objects = new ObjectsInUse(name, allTypes);
gatewayAndServer = new HashMap<>();
htmlGatewaysFileName = packageName+"_gateway_objects.html";
Expand Down Expand Up @@ -82,6 +84,16 @@ public JSONObject toJson(){
jsonObject.put("natLayer", Collections.emptyList());
}

if(ShowPackageConfiguration.INSTANCE.showHttpsPolicyFlag()){
JSONArray httpsLayersArray = new JSONArray();
for (Layer https : httpsLayers){
httpsLayersArray.add(https.toJson());
}
jsonObject.put("httpsLayers",httpsLayersArray);
}else{
jsonObject.put("httpsLayers", Collections.emptyList());
}

jsonObject.put("objects",objects.toJson());

JSONArray gatewaysAndServers = new JSONArray();
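Review bot: `toJson` iterates `httpsLayers` directly while the constructor stores the `https` argument as-is, so a caller passing null fails with NullPointerException late, inside `toJson`, rather than at construction; the existing call site passes a fresh list, so this is latent rather than observed. Storing it defensively, `httpsLayers = https == null ? Collections.emptyList() : https;`, keeps the JSON path safe in one line (the other layer lists have the same property, but that is pre-existing). The new parameter is spliced between `nat` and `allTypes` with the stray `nat ,` spacing kept, and with four positional collection arguments a short constructor Javadoc naming their order (access, threat, nat, https) would help callers. Both the constructor and `toJson` start outside their hunks.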
Expand Up @@ -221,6 +221,7 @@
drawTopic("accessLayers", "Access Policy Layers");
drawTopic("natLayer", "NAT");
drawTopic("threatLayers", "Threat Prevention Layers");
drawTopic("httpsLayers", "HTTPS Inspection Layers");
drawGateways();
drawObjects();

Expand Up @@ -143,10 +143,13 @@
}
var threatColumnHeaders = ["No.", "Name", "Protected Scope", "Source", "Destination", "Protection/Site", "Services", "Action", "Track", "install-On", "Comments"];

var httpsColumnHeaders = ["No.", "Name", "Source", "Destination", "Services", "Category/Custom Application", "Action", "Track", "Blade", "install-On", "Certificate", "Comments"]

if (getShowRuleUid() === "true"){
accessColumnHeaders.splice(1, 0, "UID");
natColumnHeaders.splice(1, 0, "UID");
threatColumnHeaders.splice(1, 0, "UID");
httpsColumnHeaders.splice(1, 0, "UID");
}

function getOptionalTextValue(elem, key) {
Expand Down Expand Up @@ -473,6 +476,34 @@
return tr;
}

function drawHttpsRule(ruleObject) {
var tr = document.createElement("tr");
if (!ruleObject.enabled) {
tr.className = "disabled_rule";
}
var td_number = document.createElement("td");
td_number.className = "rule_number";
td_number.appendChild(document.createTextNode(ruleObject["rule-number"]));

tr.appendChild(td_number);
if (httpsColumnHeaders.includes("UID")){
tr.appendChild(drawTextCell(ruleObject, "uid"));
}
tr.appendChild(drawTextCell(ruleObject, "name"));

tr.appendChild(drawMultiValueCell(ruleObject["source"], ruleObject["source-negate"]));
tr.appendChild(drawMultiValueCell(ruleObject["destination"], ruleObject["destination-negate"]));
tr.appendChild(drawMultiValueCell(ruleObject["service"], ruleObject["service-negate"]));
tr.appendChild(drawMultiValueCell(ruleObject["site-category"], ruleObject["site-category-negate"]));
tr.appendChild(drawSingleValueCell(ruleObject["action"]));
tr.appendChild(drawSingleValueCell(ruleObject["track"]));
tr.appendChild(drawSingleValueCell(ruleObject["blade"]));
tr.appendChild(drawMultiValueCell(ruleObject["install-on"], false));
tr.appendChild(drawSingleValueCell(ruleObject["certificate"]));
tr.appendChild(drawTextCell(ruleObject, "comments"));
return tr;
}

function drawRulebaseColumnHeaders(columns) {

var headerRow = document.getElementById("rulebase_header_row");
Expand Down Expand Up @@ -507,6 +538,10 @@
document.getElementById("layer").innerHTML = "Layer: " + rulebase.layer + " (" + rulebase.type + " layer)";
document.title = rulebase.layer;
}
if (rulebase.type == "https") {
document.getElementById("layer").innerHTML = "Layer: " + rulebase.layer + " (" + rulebase.type + " layer)";
document.title = rulebase.layer;
}
var message = document.getElementById("message");
message.className = "failed";
message.innerText = "Failed to create layer. For more information, please refer to the log file in the output tar file.";
Expand Down Expand Up @@ -608,6 +643,36 @@
}
});
}


if (rulebase.type == "https") {
document.getElementById("layer").innerHTML = "Layer: " + rulebase.layer + " (" + rulebase.type + " layer)";
document.title = rulebase.layer;

drawRulebaseColumnHeaders(httpsColumnHeaders);
// create rules and sections
var tableBody = document.getElementById("rulebase_table_body");
if (data.length == 0) {
var message = document.getElementById("message");
message.className = "empty";
message.innerText = "No rules found in this layer.";
}
data.forEach(function (entry) {
if (entry.type == "https-section") {
tableBody.appendChild(drawSection(entry, accessColumnHeaders, ""));
}

if (entry.type == "https-rule") {
tableBody.appendChild(drawHttpsRule(entry));
lastRuleNumber = entry["rule-number"];
lastRuleEnabled = entry["enabled"];
}

if (entry.type == "place-holder") {
tableBody.appendChild(drawPlaceholder(entry));
}
});
}
trackButton();
}
}
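Review bot: The https branch passes `accessColumnHeaders` to `drawSection` for `https-section` entries, which looks copied from the access branch; the section row presumably sizes itself from the header list it is given (drawSection is not visible here), so it should be `tableBody.appendChild(drawSection(entry, httpsColumnHeaders, ""));` to match the twelve columns (thirteen with UID) drawn by `drawRulebaseColumnHeaders(httpsColumnHeaders)`. The `var httpsColumnHeaders = [...]` declaration in the first hunk omits the trailing semicolon that the neighbouring header arrays carry; add it for consistency. The layer heading is written with `innerHTML` from `rulebase.layer`, copying the existing branches; since the layer name is plain text from the management API, `document.getElementById("layer").textContent = "Layer: " + rulebase.layer + " (" + rulebase.type + " layer)";` renders it without interpreting any markup it might contain. The enclosing draw function starts before the hunk.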

