Merge branch 'CactuseSecurity:develop' into develop

NilsPur · Sep 17, 2023 · 12c5f10 · 12c5f10
2 parents 38b6c11 + ec1b2a6
commit 12c5f10
Show file tree

Hide file tree

Showing 73 changed files with 1,142 additions and 1,103 deletions.
diff --git a/documentation/revision-history-develop.md b/documentation/revision-history-develop.md
@@ -111,3 +111,8 @@ mostly version update summarizing latest PRs
 - UI: bug fix jwt expiry
   - jwt expiry timer now works as intended
   - after the jwt expired no exception can be triggered anymore
+
+### 7.2.1 - 11.09.2023 DEVELOP
+- new settings option for rule ownership mode
+### 7.2.2 - 15.09.2023 DEVELOP
+- complete re-work: all ip addresses are now internally represented as ranges, including all networks
diff --git a/inventory/group_vars/all.yml b/inventory/group_vars/all.yml
@@ -1,5 +1,5 @@
 ### general settings
-product_version: "7.2"
+product_version: "7.2.2"
 ansible_user: "{{ lookup('env', 'USER') }}"
 ansible_become_method: sudo
 ansible_python_interpreter: /usr/bin/python3

diff --git a/inventory/group_vars/apiserver.yml b/inventory/group_vars/apiserver.yml
@@ -8,7 +8,7 @@ api_hasura_admin_test_password: "not4production"
 api_user_email: "{{ api_user }}@{{ api_network_listening_ip_address }}"
 api_home: "{{ fworch_home }}/api"
 api_hasura_cli_bin: "{{ fworch_home }}/api/bin/hasura"
-api_hasura_version: "v2.32.0"
+api_hasura_version: "v2.33.3"
 api_project_name: api
 api_no_metadata: false
 api_rollback_is_running: false

diff --git a/inventory/group_vars/databaseserver.yml b/inventory/group_vars/databaseserver.yml
@@ -38,7 +38,9 @@ database_idempotent_files:
   - fworch-report.sql
   - fworch-qa.sql
   - fworch-report-basics.sql
-  - fworch-views.sql
+  - fworch-views-tenant.sql
+  - fworch-views-changes.sql
+  - fworch-views-recert.sql
   - fworch-api-funcs.sql
   - fworch-grants.sql
   - fworch-texts.sql

diff --git a/roles/api/files/replace_metadata.json b/roles/api/files/replace_metadata.json
@@ -6598,87 +6598,6 @@
                 }
               ]
             },
-            {
-              "table": {
-                "name": "nw_object_limits",
-                "schema": "public"
-              },
-              "select_permissions": [
-                {
-                  "role": "auditor",
-                  "permission": {
-                    "columns": [
-                      "obj_id",
-                      "first_ip",
-                      "last_ip",
-                      "mgm_id"
-                    ],
-                    "filter": {},
-                    "allow_aggregations": true
-                  }
-                },
-                {
-                  "role": "fw-admin",
-                  "permission": {
-                    "columns": [
-                      "obj_id",
-                      "first_ip",
-                      "last_ip",
-                      "mgm_id"
-                    ],
-                    "filter": {},
-                    "allow_aggregations": true
-                  }
-                },
-                {
-                  "role": "recertifier",
-                  "permission": {
-                    "columns": [
-                      "obj_id",
-                      "first_ip",
-                      "last_ip",
-                      "mgm_id"
-                    ],
-                    "filter": {
-                      "mgm_id": {
-                        "_in": "x-hasura-visible-managements"
-                      }
-                    },
-                    "allow_aggregations": true
-                  }
-                },
-                {
-                  "role": "reporter",
-                  "permission": {
-                    "columns": [
-                      "obj_id",
-                      "first_ip",
-                      "last_ip",
-                      "mgm_id"
-                    ],
-                    "filter": {
-                      "mgm_id": {
-                        "_in": "x-hasura-visible-managements"
-                      }
-                    },
-                    "allow_aggregations": true
-                  }
-                },
-                {
-                  "role": "reporter-viewall",
-                  "permission": {
-                    "columns": [
-                      "obj_id",
-                      "first_ip",
-                      "last_ip",
-                      "mgm_id"
-                    ],
-                    "filter": {},
-                    "allow_aggregations": true
-                  }
-                }
-              ]
-            },
             {
               "table": {
                 "name": "object",
@@ -6783,21 +6702,6 @@
                     }
                   }
                 },
-                {
-                  "name": "network_object_limits",
-                  "using": {
-                    "manual_configuration": {
-                      "column_mapping": {
-                        "obj_id": "obj_id"
-                      },
-                      "insertion_order": null,
-                      "remote_table": {
-                        "name": "nw_object_limits",
-                        "schema": "public"
-                      }
-                    }
-                  }
-                },
                 {
                   "name": "objgrpFlatsByObjgrpFlatMemberId",
                   "using": {
@@ -11035,6 +10939,18 @@
                     "foreign_key_constraint_on": "rule_metadata_id"
                   }
                 }
+              ],
+              "select_permissions": [
+                {
+                  "role": "auditor",
+                  "permission": {
+                    "columns": [
+                      "rule_metadata_id",
+                      "owner_id"
+                    ],
+                    "filter": {}
+                  }
+                }
               ]
             },
             {
@@ -15657,42 +15573,12 @@
                 "schema": "public"
               }
             },
-            {
-              "table": {
-                "name": "view_device_names",
-                "schema": "public"
-              }
-            },
             {
               "table": {
                 "name": "view_documented_change_counter",
                 "schema": "public"
               }
             },
-            {
-              "table": {
-                "name": "view_import_status_errors",
-                "schema": "public"
-              }
-            },
-            {
-              "table": {
-                "name": "view_import_status_successful",
-                "schema": "public"
-              }
-            },
-            {
-              "table": {
-                "name": "view_import_status_table",
-                "schema": "public"
-              }
-            },
-            {
-              "table": {
-                "name": "view_import_status_table_unsorted",
-                "schema": "public"
-              }
-            },
             {
               "table": {
                 "name": "view_obj_changes",

diff --git a/roles/database/files/sql/creation/fworch-create-constraints.sql b/roles/database/files/sql/creation/fworch-create-constraints.sql
@@ -1,10 +1,24 @@
+CREATE OR REPLACE FUNCTION is_single_ip (ip CIDR)
+	RETURNS BOOLEAN
+	LANGUAGE 'plpgsql' IMMUTABLE COST 1
+	AS
+$BODY$
+	BEGIN
+		RETURN masklen(ip)=32 AND family(ip)=4 OR masklen(ip)=128 AND family(ip)=6;
+	END;
+$BODY$;
+
 Alter Table "changelog_object" add Constraint "alt_key_changelog_object" UNIQUE ("abs_change_id");
 Alter Table "changelog_rule" add Constraint "alt_key_changelog_rule" UNIQUE ("abs_change_id");
 Alter Table "changelog_service" add Constraint "alt_key_changelog_service" UNIQUE ("abs_change_id");
 Alter Table "changelog_user" add Constraint "alt_key_changelog_user" UNIQUE ("abs_change_id");
 Alter Table "import_changelog" add Constraint "Alter_Key14" UNIQUE ("import_changelog_nr","control_id");
 Alter Table "import_control" add Constraint "control_id_stop_time_unique" UNIQUE ("stop_time","control_id");
 Alter Table "object" add Constraint "obj_altkey" UNIQUE ("mgm_id","zone_id","obj_uid","obj_create");
+ALTER TABLE object ADD CONSTRAINT object_obj_ip_is_host CHECK (is_single_ip(obj_ip));
+ALTER TABLE object ADD CONSTRAINT object_obj_ip_end_is_host CHECK (is_single_ip(obj_ip_end));
+ALTER TABLE object ADD CONSTRAINT object_obj_ip_not_null CHECK (obj_ip IS NOT NULL OR obj_typ_id=2);
+ALTER TABLE object ADD CONSTRAINT object_obj_ip_end_not_null CHECK (obj_ip_end IS NOT NULL OR obj_typ_id=2);
 ALTER TABLE owner ADD CONSTRAINT owner_name_unique_in_tenant UNIQUE ("name","tenant_id");
 ALTER TABLE owner_network ADD CONSTRAINT port_in_valid_range CHECK (port > 0 and port <= 65535);
 ALTER TABLE owner_network ADD CONSTRAINT owner_network_ip_unique UNIQUE (owner_id, ip);
@@ -16,10 +30,9 @@ Alter Table "service" add Constraint "svc_altkey" UNIQUE ("mgm_id","svc_uid","sv
 Alter Table "stm_dev_typ" add Constraint "Alter_Key1" UNIQUE ("dev_typ_name","dev_typ_version");
 Alter Table "usr" add Constraint "usr_altkey" UNIQUE ("mgm_id","user_name","user_create");
 Alter Table "zone" add Constraint "Alter_Key10" UNIQUE ("mgm_id","zone_name");
--- TODO: Alter Table "tenant" add Constraint "tenant_name_unique" UNIQUE("tenant_name")
 
-create unique index if not exists only_one_future_recert_per_owner_per_rule on recertification(owner_id,rule_metadata_id,recert_date) 
-where recert_date IS NULL;
+create unique index if not exists only_one_future_recert_per_owner_per_rule on recertification(owner_id,rule_metadata_id,recert_date)
+    where recert_date IS NULL;
 
 --- compliance
 CREATE EXTENSION IF NOT EXISTS btree_gist;
@@ -28,4 +41,3 @@ EXCLUDE USING gist (
     network_zone_id WITH =,
     numrange(ip_range_start - '0.0.0.0'::inet, ip_range_end - '0.0.0.0'::inet, '[]') WITH &&
 );
-
diff --git a/roles/database/files/sql/creation/fworch-create-tables.sql b/roles/database/files/sql/creation/fworch-create-tables.sql
@@ -196,7 +196,7 @@ Create table "rule_metadata"
 	"rule_last_certified" Timestamp,
 	"rule_last_certifier" Integer,
 	"rule_last_certifier_dn" VARCHAR,
-	"rule_owner" Integer,
+	"rule_owner" Integer, -- points to a uiuser (not an owner)
 	"rule_owner_dn" Varchar, -- distinguished name pointing to ldap group, path or user
 	"rule_to_be_removed" Boolean NOT NULL Default FALSE,
 	"last_change_admin" Integer,
@@ -451,7 +451,7 @@ Create table "error"
 Create table "tenant"
 (
 	"tenant_id" SERIAL,
-	"tenant_name" Varchar NOT NULL,
+	"tenant_name" Varchar NOT NULL UNIQUE,
 	"tenant_projekt" Varchar,
 	"tenant_comment" Text,
 	"tenant_report" Boolean Default true,
@@ -474,8 +474,8 @@ Create table "tenant_network"
 	"tenant_id" Integer NOT NULL,
 	"tenant_net_name" Varchar,
 	"tenant_net_comment" Text,
-	"tenant_net_ip" Cidr,
-	"tenant_net_ip_end" Cidr,
+	"tenant_net_ip" Cidr NOT NULL,
+	"tenant_net_ip_end" Cidr NOT NULL,
 	"tenant_net_create" Timestamp NOT NULL Default now(),
  primary key ("tenant_net_id")
 );
@@ -1030,6 +1030,7 @@ create table owner_network
     id SERIAL PRIMARY KEY,
     owner_id int,
     ip cidr NOT NULL,
+    ip_end cidr NOT NULL,
     port int,
     ip_proto_id int
 );

diff --git a/roles/database/files/sql/creation/fworch-create-triggers.sql b/roles/database/files/sql/creation/fworch-create-triggers.sql
@@ -128,20 +128,16 @@ BEGIN
 END;
 $BODY$
 LANGUAGE plpgsql
-VOLATILE
-COST 100;
+VOLATILE;
 ALTER FUNCTION public.import_config_from_json () OWNER TO fworch;
 
-
 DROP TRIGGER IF EXISTS import_config_insert ON import_config CASCADE;
 
 CREATE TRIGGER import_config_insert
     BEFORE INSERT ON import_config
     FOR EACH ROW
     EXECUTE PROCEDURE import_config_from_json ();
 
-
-
 -------------------------
 -- recert refresh trigger
 
@@ -190,8 +186,7 @@ execute procedure refresh_view_rule_with_owner();
 -- END;
 -- $BODY$
 -- LANGUAGE plpgsql
--- VOLATILE
--- COST 100;
+-- VOLATILE;
 -- ALTER FUNCTION public.owner_change_triggered () OWNER TO fworch;
 
 
@@ -214,8 +209,7 @@ execute procedure refresh_view_rule_with_owner();
 -- END;
 -- $BODY$
 -- LANGUAGE plpgsql
--- VOLATILE
--- COST 100;
+-- VOLATILE;
 -- ALTER FUNCTION public.owner_network_change_triggered () OWNER TO fworch;
 
 -- DROP TRIGGER IF EXISTS owner_network_change ON owner_network CASCADE;

diff --git a/roles/database/files/sql/creation/fworch-fill-stm.sql b/roles/database/files/sql/creation/fworch-fill-stm.sql
@@ -70,6 +70,7 @@ insert into config (config_key, config_value, config_user) VALUES ('reqAllowManu
 insert into config (config_key, config_value, config_user) VALUES ('reqActivatePathAnalysis', 'True', 0);
 insert into config (config_key, config_value, config_user) VALUES ('unusedTolerance', '400', 0);
 insert into config (config_key, config_value, config_user) VALUES ('creationTolerance', '90', 0);
+insert into config (config_key, config_value, config_user) VALUES ('ruleOwnershipMode', 'mixed', 0);
 
 INSERT INTO "report_format" ("report_format_name") VALUES ('json');
 INSERT INTO "report_format" ("report_format_name") VALUES ('pdf');