azure - front-door waf filter (#9038)
dmytro-afanasiev committed Feb 6, 2024
1 parent c22f6fc commit 31e22b2
Showing 3 changed files with 348 additions and 6 deletions.
68 changes: 62 additions & 6 deletions tools/c7n_azure/c7n_azure/resources/front_door.py
Expand Up @@ -3,7 +3,8 @@

from c7n_azure.resources.arm import ArmResourceManager
from c7n_azure.provider import resources
from c7n.filters import Filter
from c7n_azure.utils import ResourceIdParser
from c7n.filters import Filter, ListItemFilter
from c7n.utils import type_schema


Expand Down Expand Up @@ -63,12 +64,67 @@ def check_state(self, link):
return True

def process(self, resources, event=None):
client = self.manager.get_client()
matched = []
for front_door in resources:
for front_endpoints in front_door['properties']['frontendEndpoints']:
front_endpoint = client.frontend_endpoints.get(
front_door['resourceGroup'], front_door['name'],front_endpoints['name'])
if self.check_state(front_endpoint.web_application_firewall_policy_link):
for front_endpoint in front_door['properties']['frontendEndpoints']:
data = front_endpoint['properties'].get('webApplicationFirewallPolicyLink') or {}
link = data.get('id')
if self.check_state(link):
matched.append(front_door)
break
return matched


@FrontDoor.filter_registry.register('firewall-policy')
class WAFPolicies(ListItemFilter):
"""Filters front door resources based on their waf policies
:example:
.. code-block:: yaml
policies:
- name: front-dorr-firewall-policy-example
resource: azure.front-door
filters:
- type: firewall-policy
attrs:
- type: value
key: properties.managedRules.managedRuleSets[].ruleSetType
value: DefaultRuleSet
op: contains
"""
schema = type_schema(
'firewall-policy',
attrs={'$ref': '#/definitions/filters_common/list_item_attrs'}
)
annotate_items = True
item_annotation_key = 'c7n:WAFPolicies'

def __init__(self, *args, **kwargs):
super().__init__(*args, **kwargs)
self._cache = {} # policy id to policy item

def get_item_values(self, resource):
ids = set()
for fe in resource['properties'].get('frontendEndpoints') or []:
data = fe['properties'].get('webApplicationFirewallPolicyLink')
if not isinstance(data, dict):
continue
identifier = data.get('id')
if not identifier:
continue
ids.add(identifier)
if not ids:
return []
client = self.manager.get_client()
items = []
for i in ids:
if i not in self._cache:
group = ResourceIdParser.get_resource_group(i)
name = ResourceIdParser.get_resource_name(i)
self._cache[i] = client.policies.get(group, name)
item = self._cache[i]
items.append(item.serialize(True))
return items
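Review bot: `get_item_values` returns `[]` for a front door whose frontend endpoints carry no `webApplicationFirewallPolicyLink`, so a `firewall-policy` filter written to catch weak settings (for example `properties.policySettings.mode` not equal to `Prevention`) silently skips front doors with no WAF policy at all; that gap belongs in the class docstring, and if the base `ListItemFilter` schema offers `count`/`count_op` (not visible here) exposing them on this filter's `schema` would let a policy express "no policy linked". The docstring example also has a typo: `front-dorr-firewall-policy-example` → `front-door-firewall-policy-example`. The `_cache` comment could be more precise, e.g. `# policy resource id -> SDK policy object; per filter instance, so each distinct policy is fetched once per run`. Separately, `check_state` now receives the link id string (or `None`) from the resource dict instead of the SDK link object; its body is outside the hunk, so confirm it handles both.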
@@ -0,0 +1,258 @@
{
"version": 1,
"interactions": [
{
"request": {
"method": "GET",
"uri": "https://management.azure.com/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/providers/Microsoft.Network/frontDoors?api-version=2020-05-01",
"body": null,
"headers": {}
},
"response": {
"status": {
"code": 200,
"message": "OK"
},
"headers": {
"content-type": [
"application/json; charset=utf-8"
],
"cache-control": [
"no-cache"
],
"date": [
"Wed, 22 Jun 2022 12:19:22 GMT"
],
"content-length": [
"4123"
]
},
"body": {
"data": {
"value": [
{
"id": "/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/resourcegroups/VV/providers/Microsoft.Network/frontdoors/vvtestfd2",
"type": "Microsoft.Network/frontdoors",
"name": "vvtestfd2",
"location": "Global",
"tags": {},
"properties": {
"routingRules": [
{
"id": "/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/resourcegroups/VV/providers/Microsoft.Network/Frontdoors/vvtestfd2/RoutingRules/test1rt",
"name": "test1rt",
"type": "Microsoft.Network/Frontdoors/RoutingRules",
"properties": {
"routeConfiguration": {
"customForwardingPath": null,
"forwardingProtocol": "HttpsOnly",
"cacheConfiguration": null,
"backendPool": {
"id": "/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/resourceGroups/VV/providers/Microsoft.Network/frontdoors/vvtestfd2/backendPools/vvtestfd2-bp"
},
"@odata.type": "#Microsoft.Azure.FrontDoor.Models.FrontdoorForwardingConfiguration"
},
"rulesEngine": null,
"resourceState": "Enabled",
"frontendEndpoints": [
{
"id": "/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/resourceGroups/VV/providers/Microsoft.Network/frontdoors/vvtestfd2/frontendEndpoints/vvtestfd2-azurefd-net"
}
],
"acceptedProtocols": [
"Http",
"Https"
],
"patternsToMatch": [
"/*"
],
"enabledState": "Enabled",
"webApplicationFirewallPolicyLink": null
}
}
],
"rulesEngines": [],
"frontdoorId": "5994602a-3c17-4141-9ea8-60cb26e06262",
"resourceState": "Enabled",
"loadBalancingSettings": [
{
"id": "/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/resourcegroups/VV/providers/Microsoft.Network/Frontdoors/vvtestfd2/LoadBalancingSettings/loadBalancingSettings-1655897665335",
"name": "loadBalancingSettings-1655897665335",
"type": "Microsoft.Network/Frontdoors/LoadBalancingSettings",
"properties": {
"resourceState": "Enabled",
"sampleSize": 4,
"successfulSamplesRequired": 2,
"additionalLatencyMilliseconds": 0
}
}
],
"healthProbeSettings": [
{
"id": "/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/resourcegroups/VV/providers/Microsoft.Network/Frontdoors/vvtestfd2/HealthProbeSettings/healthProbeSettings-1655897665335",
"name": "healthProbeSettings-1655897665335",
"type": "Microsoft.Network/Frontdoors/HealthProbeSettings",
"properties": {
"resourceState": "Enabled",
"path": "/",
"protocol": "Https",
"intervalInSeconds": 30,
"enabledState": "Enabled",
"healthProbeMethod": "Head"
}
}
],
"backendPools": [
{
"id": "/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/resourcegroups/VV/providers/Microsoft.Network/Frontdoors/vvtestfd2/BackendPools/vvtestfd2-bp",
"name": "vvtestfd2-bp",
"type": "Microsoft.Network/Frontdoors/BackendPools",
"properties": {
"backends": [
{
"address": "example.com",
"httpPort": 80,
"httpsPort": 443,
"priority": 1,
"weight": 50,
"backendHostHeader": "example.com",
"enabledState": "Enabled",
"privateLinkAlias": null,
"privateLinkResourceId": null,
"privateLinkLocation": null,
"privateEndpointStatus": null,
"privateLinkApprovalMessage": null
}
],
"resourceState": "Enabled",
"loadBalancingSettings": {
"id": "/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/resourceGroups/VV/providers/Microsoft.Network/frontdoors/vvtestfd2/loadBalancingSettings/loadBalancingSettings-1655897665335"
},
"healthProbeSettings": {
"id": "/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/resourceGroups/VV/providers/Microsoft.Network/frontdoors/vvtestfd2/healthProbeSettings/healthProbeSettings-1655897665335"
}
}
}
],
"frontendEndpoints": [
{
"id": "/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/resourcegroups/VV/providers/Microsoft.Network/Frontdoors/vvtestfd2/FrontendEndpoints/vvtestfd2-azurefd-net",
"name": "vvtestfd2-azurefd-net",
"type": "Microsoft.Network/Frontdoors/FrontendEndpoints",
"properties": {
"resourceState": "Enabled",
"hostName": "vvtestfd2.azurefd.net",
"sessionAffinityEnabledState": "Disabled",
"sessionAffinityTtlSeconds": 0,
"webApplicationFirewallPolicyLink": {
"id": "/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/resourceGroups/VV/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/test1"
},
"customHttpsProvisioningState": null,
"customHttpsProvisioningSubstate": null,
"customHttpsConfiguration": null
}
}
],
"backendPoolsSettings": {
"enforceCertificateNameCheck": "Enabled",
"sendRecvTimeoutSeconds": 30
},
"enabledState": "Enabled",
"cName": "vvtestfd2.azurefd.net",
"friendlyName": "vvtestfd2",
"provisioningState": "Succeeded"
}
}
]
}
}
}
},
{
"request": {
"method": "GET",
"uri": "https://management.azure.com/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/resourceGroups/VV/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/test1?api-version=2022-05-01",
"body": null,
"headers": {}
},
"response": {
"status": {
"code": 200,
"message": "OK"
},
"headers": {
"content-type": [
"application/json; charset=utf-8"
],
"cache-control": [
"no-cache"
],
"date": [
"Wed, 22 Jun 2022 12:19:23 GMT"
],
"content-length": [
"1130"
]
},
"body": {
"data": {
"id": "/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/resourcegroups/VV/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/test1",
"type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies",
"name": "test1",
"location": "Global",
"tags": {},
"sku": {
"name": "Classic_AzureFrontDoor"
},
"properties": {
"policySettings": {
"enabledState": "Enabled",
"mode": "Prevention",
"redirectUrl": null,
"customBlockResponseStatusCode": 403,
"customBlockResponseBody": null,
"requestBodyCheck": "Disabled"
},
"customRules": {
"rules": []
},
"managedRules": {
"managedRuleSets": [
{
"ruleSetType": "Microsoft_DefaultRuleSet",
"ruleSetVersion": "1.1",
"ruleSetAction": null,
"ruleGroupOverrides": [
{
"ruleGroupName": "JAVA",
"rules": [
{
"ruleId": "944240",
"enabledState": "Disabled",
"action": "Block",
"exclusions": []
}
],
"exclusions": []
}
],
"exclusions": []
}
]
},
"frontendEndpointLinks": [
{
"id": "/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/resourcegroups/VV/providers/Microsoft.Network/frontdoors/vvtestfd2/frontendendpoints/vvtestfd2-azurefd-net"
}
],
"securityPolicyLinks": [],
"routingRuleLinks": [],
"resourceState": "Enabled",
"provisioningState": "Succeeded"
}
}
}
}
}
]
}
28 changes: 28 additions & 0 deletions tools/c7n_azure/tests_azure/tests_resources/test_frontdoor.py
Expand Up @@ -38,3 +38,31 @@ def test_waf_not_enabled(self):
})
resources = p.run()
self.assertEqual(len(resources), 1)


class FrontDoorFirewallPolicyFilterTest(BaseTest):

def test_query(self):
p = self.load_policy(
{
"name": "test-front-door-resource",
"resource": "azure.front-door",
"filters": [
{
"type": "firewall-policy",
"attrs": [
{
"type": "value",
"key": "properties.managedRules.managedRuleSets[].ruleSetType",
"value": "Microsoft_DefaultRuleSet",
"op": "contains"
}
]
}
],
}
)
resources = p.run()

self.assertEqual(len(resources), 1)
self.assertEqual(resources[0]['name'], 'vvtestfd2')
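Review bot: `test_query` only covers the matching case, so a regression in `get_item_values` that returned the policy regardless of `attrs` would still pass. Add a negative case against the same recording with a `value` the cassette does not contain (a constructed one such as `SomeOtherRuleSet`) and assert `self.assertEqual(len(resources), 0)`. A third case with a front door that has no `webApplicationFirewallPolicyLink` would pin the current behaviour that such resources are not matched, which is the security-relevant edge of this filter.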
