Merge pull request #2200 from CactuseSecurity/develop

v7.0 main

.github/workflows/codeql-analysis.yml

@@ -42,7 +42,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@v2
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -53,7 +53,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@v2
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -67,4 +67,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@v2

.github/workflows/test-install.yml

@@ -36,12 +36,14 @@ jobs:
     steps:
     - uses: actions/checkout@v3
     - name: do test install in case of merged pull request
-      run: cd /home/runner/work/firewall-orchestrator/firewall-orchestrator && ansible-playbook -e run_on_github=yes --skip-tags test site.yml -K
+      run: cd /home/runner/work/firewall-orchestrator/firewall-orchestrator && ansible-playbook -e run_on_github=yes site.yml -K
+#      run: cd /home/runner/work/firewall-orchestrator/firewall-orchestrator && ansible-playbook -e run_on_github=yes --skip-tags test site.yml -K
 
   # test_ubuntu_22:
   #   name: test build on  ubuntu_22
   #   runs-on: ubuntu-22.04
   #   steps:
   #   - uses: actions/checkout@v3
   #   - name: do test install in case of merged pull request
-  #     run: cd /home/runner/work/firewall-orchestrator/firewall-orchestrator && ansible-playbook -e run_on_github=yes --skip-tags test site.yml -K
+  #     run: cd /home/runner/work/firewall-orchestrator/firewall-orchestrator && ansible-playbook -e run_on_github=yes site.yml -K
+      # run: cd /home/runner/work/firewall-orchestrator/firewall-orchestrator && ansible-playbook -e run_on_github=yes --skip-tags test site.yml -K

README.md

@@ -11,7 +11,11 @@
 - Regularly re-certify firewall rules to clean up your rulebase
 - Use the built-in GraphQL API to integrate with your existing infrastructure (Directory Service, ITSM, IPAM, ...)
 
-<b>Demo:</b> if you want to see what it looks like in advance, visit <https://fwodemo.cactus.de> (user: test, password: drive2).
+<b>Reporting Demo:</b>
+![fwo-demo-reporting-vsmall](https://github.com/CactuseSecurity/firewall-orchestrator/assets/19877770/f9ffe37f-b059-44cf-b056-30a8f3e008a6)
+
+
+<b>Further Demo:</b> if you want to see what it looks like in advance, visit <https://fwodemo.cactus.de> (user: test, password: drive2).
 
 ## Installation instructions
 

ansible.cfg

@@ -5,8 +5,8 @@ inventory = inventory
 force_handlers = True
 stdout_callback = yaml
 
-gathering = smart
-gather_subset = !hardware,!facter,!ohai
+# gathering = smart
+# gather_subset = !hardware,!facter,!ohai
 
 ansible_conditional_bare_vars=false
 

documentation/installer/basic-installation.md

@@ -28,11 +28,15 @@ possibly followed by a reboot.
 git clone https://github.com/CactuseSecurity/firewall-orchestrator.git
 ```
 
-3) Operating specific ansible adjustments
-  - Ubuntu 18.04, Debian 10: install latest ansible before firewall orchestrator installation:
+3) Ansible Installation
+  - Ubuntu 18.04, Debian 10 only: install latest ansible before firewall orchestrator installation
 
         cd firewall-orchestrator; ansible-playbook scripts/install-latest-ansible.yml -K
 
+  - All platforms: install galaxy collections
+
+        ansible-galaxy collection install community.postgresql
+
 4) install (on localhost)
 
 ```console

documentation/revision-history-develop.md

@@ -0,0 +1,80 @@
+# Firewall Orchestrator Revision History for DEVELOP branch only
+
+pre-5, a product called IT Security Organizer and was closed source. It was developed starting in 2005.
+In 2020 we decided to re-launch a new 
+
+### 6.1.0 - 16.11.2022 DEVELOP
+- interactive network analysis prototype in UI
+- integrate path analysis to workflow
+
+### 6.1.1 - 15.12.2022 DEVELOP
+- recertification on owner base
+- preparation of new task types
+
+### 6.1.2 - 20.12.2022 DEVELOP
+- start of Palo Alto import module
+
+### 6.1.3 - xx.01.2023 DEVELOP
+- enhance recertification
+
+### 6.1.4 - 27.01.2023 DEVELOP
+- prepare delete rule requests
+
+### 6.2.2 22.03.2023 DEVELOP
+- adding last hit of each rule for check point and FortiManager to recertification (report)
+
+### 6.3.3 09.05.2023 DEVELOP
+- new importer module for importing FortiGate directly via FortiOS REST API
+
+### 6.4.4 19.06.2023 DEVELOP
+- CPR8x importer: basic support for inline layers
+
+### 6.4.5 22.06.2023 DEVELOP
+- Fortigate API importer: hotfix NAT rules
+- upgrade to hasura API 2.28.0
+
+### 6.4.6 23.06.2023 DEVELOP
+- new email notification on import changes
+
+### 6.4.7 26.06.2023 DEVELOP
+- hotfix fortiOS importer NAT IP addresses
+- fixing issue during ubuntu OS upgrade with ldap 
+- unifying all buttons in UI
+
+### 6.4.8 29.06.2023 DEVELOP
+- hotfix fortiOS importer: replacing ambiguous import statement
+
+### 6.4.9 03.07.2023 DEVELOP
+- fix sample group role path
+
+### 6.4.10 07.07.2023 DEVELOP
+- fixes in importer change mail notification for encrypted mails
+- fixes for report links to objects
+- fix template name display issue
+- fix UI visibility for fw-admin role (multiple pages)
+- UI login page: allow enter as submit
+- UI reporting: filter objects in rule report
+- adding demo video in github README.MD
+
+### 6.4.11 10.07.2023 DEVELOP
+- bugfix in importer change mail notification for missing mail server config
+
+### 6.4.12 14.07.2023 DEVELOP
+- UI settings: hotfix email port (default 25) was not written to config before
+- splitting revision history into develop and main
+- installer: supress csharp test results on success
+
+### 6.4.13 20.07.2023 DEVELOP
+- re-login now also with enter key
+- fixing help pages (email & importer settings, archive, scheduling) [#2162](https://github.com/CactuseSecurity/firewall-orchestrator/issues/2162)
+
+### 6.5.0 24.07.2023 DEVELOP
+- UI: adding compliance matrix module
+- UI: fix browser session persistence causing subscriptions to remain open after user logout; now api connection and web socket are disposed on logout
+- API: removing obsolete graphql query repos
+- API: upgrading hasura api to 2.30.0
+- installer: replacing deprecated path_to_script option in postgresql_query
+
+### 6.5.1 24.07.2023 DEVELOP
+- New report type Unused Rules
+

documentation/revision-history.md → documentation/revision-history-main.md

@@ -1,4 +1,4 @@
-# Firewall Orchestrator Revision History
+# Firewall Orchestrator Revision History MAIN branch
 
 pre-5, a product called IT Security Organizer and was closed source. It was developed starting in 2005.
 In 2020 we decided to re-launch a new 
@@ -253,23 +253,6 @@ adding report template format fk and permissions
 ### 6.0.2 - 24.12.2022
 - bugfix release with hasura API upgrade due to security bug in hasura
 
-### 6.1.0 - 16.11.2022 DEVELOP
-- interactive network analysis prototype in UI
-- integrate path analysis to workflow
-
-### 6.1.1 - 15.12.2022 DEVELOP
-- recertification on owner base
-- preparation of new task types
-
-### 6.1.2 - 20.12.2022 DEVELOP
-- start of Palo Alto import module
-
-### 6.1.3 - xx.01.2023 DEVELOP
-- enhance recertification
-
-### 6.1.4 - 27.01.2023 DEVELOP
-- prepare delete rule requests
-
 ### 6.2 - 16.03.2023 MAIN
 - enhanced recertification module: adding ip-base recertification
 - adding import modules for Palo Alto and Azure Firewall
@@ -280,9 +263,6 @@ adding report template format fk and permissions
 - reduced logging in release mode
 - hasura v2.21.0 upgrade
 
-### 6.2.2 22.03.2023 DEVELOP
-- adding last hit of each rule for check point and FortiManager to recertification (report)
-
 ### 6.3 24.04.2023 MAIN
 - adding CP R8X object types
   - application categories
@@ -297,9 +277,6 @@ adding report template format fk and permissions
 - checkpoint R8X importer adding support for Internet object type
 - reporting - CSV export for change report
 
-### 6.3.3 09.05.2023 DEVELOP
-- new importer module for importing FortiGate directly via FortiOS REST API
-
 ### 6.4 25.05.2023 MAIN
 - New importer module for importing FortiGate directly via FortiOS REST API
 - Reporting: new lean export format JSON for resolved and tech reports
@@ -315,5 +292,22 @@ adding report template format fk and permissions
 ### 6.4.3 05.06.2023 MAIN
 - Hotfix - global config subsription timout after 12h
 
-### 6.4.4 xx.06.2023 DEVELOP
-- CPR8x importer: basic support for inline layers
+### 7.0 26.07.2023 MAIN
+- new features
+   - UI adding compliance matrix module
+   - UI Reporting - unused rules report including delete ticket integration
+   - importer new email notification on security relevant import changes
+   - importer CPR8x: basic support for importing inline layers
+
+- maintenance / bug-fixing
+   - API: upgrading hasura api to 2.30.1
+   - importer Fortigate API: hotfix NAT rules
+   - UI: cleanup around buttons and logout session handling
+   - UI Reporting: fixes links to objects, template name display, UI visibility for fw-admin role (multiple pages)
+   - UI (re-)login: allow enter as submit
+   - UI reporting: filter objects properly in rule report
+   - UI updating help pages: email & importer settings, archive, scheduling)
+   - installer: supress csharp test results on success
+   - demo data: fix sample group role path
+   - adding demo video in github README.MD
+   - splitting revision history into develop and main

inventory/group_vars/all.yml

@@ -1,5 +1,5 @@
 ### general settings
-product_version: "6.4.3"
+product_version: "7.0"
 ansible_user: "{{ lookup('env', 'USER') }}"
 ansible_become_method: sudo
 ansible_python_interpreter: /usr/bin/python3
@@ -40,6 +40,7 @@ fworch_secrets_dir: "{{ fworch_conf_dir }}/secrets"
 # setting default proxy (may be overwritten via --extra-vars)
 http_proxy: "{{ lookup('env','http_proxy') }}"
 https_proxy: "{{ lookup('env','https_proxy') }}"
+no_proxy: "{{ lookup('env','no_proxy') }}"
 proxy_exceptions: "{{ lookup('env','no_proxy') }}"
 proxy_env:
         http_proxy: "{{ http_proxy }}"
@@ -53,8 +54,9 @@ http_proxy_import_parameter: ""
 # use the following syntax for authenticated proxy access:
 # http_proxy=http://USERNAME:[email protected]:8080/
 
-
-debian_testing_version: "11"
+# OS 
+debian_testing_version: "12"
+debian_testing_release_name: trixie
 arch: x86_64
 redhat_major_version: "8"
 redhat_arch: "{{ redhat_major_version }}-{{ arch }}"

inventory/group_vars/apiserver.yml

@@ -8,7 +8,7 @@ api_hasura_admin_test_password: "not4production"
 api_user_email: "{{ api_user }}@{{ api_network_listening_ip_address }}"
 api_home: "{{ fworch_home }}/api"
 api_hasura_cli_bin: "{{ fworch_home }}/api/bin/hasura"
-api_hasura_version: "v2.26.0"
+api_hasura_version: "v2.30.1"
 api_project_name: api
 api_no_metadata: false
 api_rollback_is_running: false

inventory/group_vars/cloud.yml

@@ -0,0 +1,12 @@
+################## cloud ###########################
+
+cloud_vm_name: fworch-vm1
+cloud_admin_name: cadmin
+# cloud_admin_ssh_public_key: ""
+cloud_network: "10.5.0.0/16"
+cloud_subnet: "10.5.1.0/24"
+cloud_location: northcentral
+cloud_image_publisher: canonical
+cloud_image_sku: "20_04-lts"
+cloud_vm_size: "Standard_B2s"
+cloud_resource_group: "fworch_rg"

inventory/group_vars/databaseserver.yml

@@ -3,7 +3,7 @@ postgresql_package: postgresql
 postgresql_test_package: pgtap
 postgresql_c_client_library_header_files: libpq-dev
 postgresql_dev_package_prefix: postgresql-server-dev
-postgresql_query_as_single_query: no
+postgresql_query_as_single_query: false
 database_install_dir: "{{ fworch_home }}/database"
 
 # table_space variable can be used to create database in another place where there is enough space