Write an import module that can ingest arbitrary configs in JSON (or CSV) format and parse them (using regex definitions?) into rules.
These rules should be displayed and, if possible, pinned to an owner.
The owner group then gets a menu to recertify the rules.
This should cover all kinds of security-relevant configs that can be separated into "rules": load balancer, proxy, etc.
See also #2141.
The following table holds the JSON field names (keys) that are looked up in generic.configItem.configLine:
CREATE SCHEMA IF NOT EXISTS generic;
CREATE TABLE generic.deviceTypeKeyConfig
(
id SERIAL PRIMARY KEY,
deviceType INTEGER NOT NULL, -- type of the device this applies to
orderKey VARCHAR, -- key name that allows for ordering config items
lastUsedKey VARCHAR, -- field containing info on when the config item was last used
-- values must be convertible to a date
lastUsedKeyFormat VARCHAR, -- format of the last used value (linux, time stamp, ...)
ownerKey VARCHAR, -- field containing info on who owns the config item
-- must be mappable to an owner via ext_id or name
reportableFields VARCHAR[] -- fields relevant for reporting (in the given order)
);
CREATE TABLE generic.device
(
id SERIAL PRIMARY KEY,
deviceName VARCHAR NOT NULL, -- name of the device a config line applies to
deviceType INTEGER -- points to public.stm_dev_typ; we need device types for each generic device
);
CREATE TABLE generic.import
(
id BIGSERIAL PRIMARY KEY,
importTime TIMESTAMP, -- time of an import
deviceId INTEGER NOT NULL REFERENCES generic.device(id), -- id of the device a config applies to
config JSONB NOT NULL -- this contains the full config of a device
-- must contain an entry of the form:
-- { 'configItems': [<configItem>, ... ] }
);
-- from here we dissect the config into config items (i.e. rules)
CREATE TABLE generic.configItem
(
id BIGSERIAL PRIMARY KEY,
importId BIGINT NOT NULL REFERENCES generic.import(id), -- refers to generic.import, which carries the import time and the device id
configLine JSONB NOT NULL -- this contains a single "firewall rule", "proxy rule", ...
);
-- TODO: decide on TIMESTAMP WITH TIME ZONE?
-- write importer for generic config - do we need diffs, or can we calculate them on demand?
-- add indices
-- decide if we really want to keep the redundant full config in generic.import.config
-- need to visualize the data as tables in Blazor, as a report and on a recert page
-- fix breaking changes for all other firewall platforms except Check Point
-- where to add gateways to FwConfig for routing and interface info?
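To make the dissection step concrete, here is an added sketch of the importer logic (example code, not part of this issue or the project): it applies a deviceTypeKeyConfig-style key mapping to one import.config document, converts lastUsed values to dates, maps owner references to owner ids, and extracts the reportable fields. The proxy field names (seq, lastHit, team, src, dst, action) and the owner lookup table are constructed assumptions.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timezone
# Mirrors generic.deviceTypeKeyConfig: which JSON keys of a config item mean what.
@dataclass(frozen=True)
class DeviceTypeKeyConfig:
    order_key: str
    last_used_key: str
    last_used_key_format: str  # "linux" (epoch seconds) or "iso8601"
    owner_key: str
    reportable_fields: tuple
def parse_last_used(value, fmt):
    """Convert the raw lastUsed value to an aware UTC datetime (None if absent)."""
    if value is None:
        return None
    if fmt == "linux":
        return datetime.fromtimestamp(int(value), tz=timezone.utc)
    if fmt == "iso8601":
        dt = datetime.fromisoformat(str(value))
        return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)
    raise ValueError(f"unsupported lastUsedKeyFormat: {fmt}")
def dissect_config(config_json, key_cfg, owners):
    """Split one generic.import.config document into configItem rows; owners maps
    ext_id/name -> owner id, unknown owners become None (unassigned, not misattributed)."""
    cfg = json.loads(config_json)
    items = cfg.get("configItems")
    if not isinstance(items, list):
        raise ValueError("config must contain {'configItems': [...]}")
    rows = []
    for item in items:
        owner_ref = item.get(key_cfg.owner_key)
        rows.append({
            "order": item.get(key_cfg.order_key),
            "lastUsed": parse_last_used(item.get(key_cfg.last_used_key), key_cfg.last_used_key_format),
            "ownerId": owners.get(str(owner_ref)) if owner_ref is not None else None,
            "report": {f: item.get(f) for f in key_cfg.reportable_fields},
            "configLine": item,
        })
    # items without an order key sort last so the device's own ordering is preserved
    rows.sort(key=lambda r: (r["order"] is None, r["order"] or 0))
    return rows
# Constructed sample: a small proxy ruleset; the field names are an assumption.
PROXY_KEYS = DeviceTypeKeyConfig("seq", "lastHit", "linux", "team", ("seq", "src", "dst", "action"))
SAMPLE_CONFIG = json.dumps({"configItems": [
    {"seq": 20, "src": "10.0.0.0/8", "dst": "intranet.example", "action": "allow", "lastHit": 1700000000, "team": "netops"},
    {"seq": 10, "src": "any", "dst": "updates.example", "action": "allow", "lastHit": 1690000000, "team": "desktop"},
    {"src": "any", "dst": "any", "action": "deny", "team": "unknown-team"},
]})
SAMPLE_OWNERS = {"netops": 1, "desktop": 2}
```

A rule whose owner cannot be resolved ends up with ownerId None, which is what the recert page should surface as "needs an owner" rather than dropping it.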