azure - front-door.filters.web-application-firewall-policies #9038

Merged
65a6140
add front-door.filters.web-application-firewall-policies
dmytro-afanasiev Oct 6, 2023
b5e094f
Remove eval
dmytro-afanasiev Oct 6, 2023
b4cf138
Fix policy filter
dmytro-afanasiev Oct 6, 2023
0f0b492
Merge remote-tracking branch 'origin/main' into front-door.filters.we…
dmytro-afanasiev Oct 13, 2023
8f953f2
Merge remote-tracking branch 'origin/main' into front-door.filters.we…
dmytro-afanasiev Oct 22, 2023
1dcb7d0
Merge remote-tracking branch 'origin/main' into front-door.filters.we…
dmytro-afanasiev Oct 27, 2023
afa0779
Merge remote-tracking branch 'origin/main' into front-door.filters.we…
dmytro-afanasiev Oct 27, 2023
0d2a833
Merge remote-tracking branch 'origin/main' into front-door.filters.we…
dmytro-afanasiev Oct 31, 2023
9340fd8
Merge remote-tracking branch 'origin/main' into front-door.filters.we…
dmytro-afanasiev Nov 3, 2023
bbab3a8
Renamed web-application-firewall-policies to firewall-policy
dmytro-afanasiev Nov 3, 2023
a62ec78
Optimize firewall-policy filter
dmytro-afanasiev Nov 3, 2023
db7c80f
Merge remote-tracking branch 'origin/main' into front-door.filters.we…
dmytro-afanasiev Nov 17, 2023
6e03bf4
Merge remote-tracking branch 'origin/main' into front-door.filters.we…
dmytro-afanasiev Nov 21, 2023
bdc5515
Merge remote-tracking branch 'origin/main' into front-door.filters.we…
dmytro-afanasiev Dec 1, 2023
88961a0
Merge remote-tracking branch 'origin/main' into front-door.filters.we…
dmytro-afanasiev Dec 8, 2023
566fa98
Merge remote-tracking branch 'origin/main' into front-door.filters.we…
dmytro-afanasiev Dec 14, 2023
22e8d6f
Merge remote-tracking branch 'origin/main' into front-door.filters.we…
dmytro-afanasiev Jan 12, 2024
250db9a
Merge remote-tracking branch 'origin/main' into front-door.filters.we…
dmytro-afanasiev Jan 19, 2024
913941e
Merge remote-tracking branch 'origin/main' into front-door.filters.we…
dmytro-afanasiev Jan 29, 2024
3ebc96f
Rewrite frontdoor
dmytro-afanasiev Jan 29, 2024
008ad2a
Fix linter
dmytro-afanasiev Jan 29, 2024
53979c7
Make _cache an instance attribute, fix waf filter
dmytro-afanasiev Jan 30, 2024
624eed2
Merge remote-tracking branch 'origin/main' into front-door.filters.we…
dmytro-afanasiev Jan 31, 2024
f1888af
Merge remote-tracking branch 'origin/main' into front-door.filters.we…
dmytro-afanasiev Feb 2, 2024
ee12e01
Replace ' with " and rename test class
dmytro-afanasiev Feb 3, 2024
64bb09d
Revert quotes
dmytro-afanasiev Feb 3, 2024
47e497a
Merge remote-tracking branch 'origin/main' into front-door.filters.we…
dmytro-afanasiev Feb 6, 2024
68 changes: 62 additions & 6 deletions tools/c7n_azure/c7n_azure/resources/front_door.py
Expand Up @@ -3,7 +3,8 @@

from c7n_azure.resources.arm import ArmResourceManager
from c7n_azure.provider import resources
from c7n.filters import Filter
from c7n_azure.utils import ResourceIdParser
from c7n.filters import Filter, ListItemFilter
from c7n.utils import type_schema


Expand Down Expand Up @@ -63,12 +64,67 @@
return True

def process(self, resources, event=None):
client = self.manager.get_client()
matched = []
for front_door in resources:
for front_endpoints in front_door['properties']['frontendEndpoints']:
front_endpoint = client.frontend_endpoints.get(
front_door['resourceGroup'], front_door['name'],front_endpoints['name'])
if self.check_state(front_endpoint.web_application_firewall_policy_link):
for front_endpoint in front_door['properties']['frontendEndpoints']:
data = front_endpoint['properties'].get('webApplicationFirewallPolicyLink') or {}
link = data.get('id')
if self.check_state(link):
matched.append(front_door)
break
return matched


@FrontDoor.filter_registry.register('firewall-policy')
class WAFPolicies(ListItemFilter):
"""Filters front door resources based on their waf policies

:example:

.. code-block:: yaml

policies:
- name: front-dorr-firewall-policy-example
resource: azure.front-door
filters:
- type: firewall-policy
attrs:
- type: value
key: properties.managedRules.managedRuleSets[].ruleSetType
value: DefaultRuleSet
op: contains

"""
schema = type_schema(
'firewall-policy',
attrs={'$ref': '#/definitions/filters_common/list_item_attrs'}
)
annotate_items = True
item_annotation_key = 'c7n:WAFPolicies'

def __init__(self, *args, **kwargs):
super().__init__(*args, **kwargs)
self._cache = {} # policy id to policy item

def get_item_values(self, resource):
ids = set()
for fe in resource['properties'].get('frontendEndpoints') or []:
data = fe['properties'].get('webApplicationFirewallPolicyLink')
if not isinstance(data, dict):
continue

identifier = data.get('id')
if not identifier:
continue

ids.add(identifier)
if not ids:
return []

client = self.manager.get_client()
items = []
for i in ids:
if i not in self._cache:
group = ResourceIdParser.get_resource_group(i)
name = ResourceIdParser.get_resource_name(i)
self._cache[i] = client.policies.get(group, name)
item = self._cache[i]
items.append(item.serialize(True))
return items
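Review bot: `self._cache` in `get_item_values` is keyed on the link id exactly as Azure returns it, but resource ids are not case-stable — the recorded fixture on this PR links `resourceGroups/VV/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/test1` while the policy itself reports `resourcegroups/VV/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/test1` — so the same policy referenced with different casing across front doors is fetched once per spelling; key the cache on `i.lower()` and keep parsing group and name from `i`. A link that points at a deleted policy, or at a policy in another subscription (only the group and name are parsed out of the id, so the lookup presumably goes to the client's own subscription), makes `client.policies.get` raise and aborts the whole policy run rather than treating that front door as having no policy item; that failure mode needs a deliberate choice — catch the SDK's not-found error and skip the id, or add a comment stating the filter is meant to fail loudly on dangling links. The docstring example's policy name `front-dorr-firewall-policy-example` has a typo (`front-door-firewall-policy-example`). `check_state`, whose `return True` opens the hunk, starts outside it.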
@@ -0,0 +1,258 @@
{
"version": 1,
"interactions": [
{
"request": {
"method": "GET",
"uri": "https://management.azure.com/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/providers/Microsoft.Network/frontDoors?api-version=2020-05-01",
"body": null,
"headers": {}
},
"response": {
"status": {
"code": 200,
"message": "OK"
},
"headers": {
"content-type": [
"application/json; charset=utf-8"
],
"cache-control": [
"no-cache"
],
"date": [
"Wed, 22 Jun 2022 12:19:22 GMT"
],
"content-length": [
"4123"
]
},
"body": {
"data": {
"value": [
{
"id": "/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/resourcegroups/VV/providers/Microsoft.Network/frontdoors/vvtestfd2",
"type": "Microsoft.Network/frontdoors",
"name": "vvtestfd2",
"location": "Global",
"tags": {},
"properties": {
"routingRules": [
{
"id": "/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/resourcegroups/VV/providers/Microsoft.Network/Frontdoors/vvtestfd2/RoutingRules/test1rt",
"name": "test1rt",
"type": "Microsoft.Network/Frontdoors/RoutingRules",
"properties": {
"routeConfiguration": {
"customForwardingPath": null,
"forwardingProtocol": "HttpsOnly",
"cacheConfiguration": null,
"backendPool": {
"id": "/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/resourceGroups/VV/providers/Microsoft.Network/frontdoors/vvtestfd2/backendPools/vvtestfd2-bp"
},
"@odata.type": "#Microsoft.Azure.FrontDoor.Models.FrontdoorForwardingConfiguration"
},
"rulesEngine": null,
"resourceState": "Enabled",
"frontendEndpoints": [
{
"id": "/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/resourceGroups/VV/providers/Microsoft.Network/frontdoors/vvtestfd2/frontendEndpoints/vvtestfd2-azurefd-net"
}
],
"acceptedProtocols": [
"Http",
"Https"
],
"patternsToMatch": [
"/*"
],
"enabledState": "Enabled",
"webApplicationFirewallPolicyLink": null
}
}
],
"rulesEngines": [],
"frontdoorId": "5994602a-3c17-4141-9ea8-60cb26e06262",
"resourceState": "Enabled",
"loadBalancingSettings": [
{
"id": "/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/resourcegroups/VV/providers/Microsoft.Network/Frontdoors/vvtestfd2/LoadBalancingSettings/loadBalancingSettings-1655897665335",
"name": "loadBalancingSettings-1655897665335",
"type": "Microsoft.Network/Frontdoors/LoadBalancingSettings",
"properties": {
"resourceState": "Enabled",
"sampleSize": 4,
"successfulSamplesRequired": 2,
"additionalLatencyMilliseconds": 0
}
}
],
"healthProbeSettings": [
{
"id": "/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/resourcegroups/VV/providers/Microsoft.Network/Frontdoors/vvtestfd2/HealthProbeSettings/healthProbeSettings-1655897665335",
"name": "healthProbeSettings-1655897665335",
"type": "Microsoft.Network/Frontdoors/HealthProbeSettings",
"properties": {
"resourceState": "Enabled",
"path": "/",
"protocol": "Https",
"intervalInSeconds": 30,
"enabledState": "Enabled",
"healthProbeMethod": "Head"
}
}
],
"backendPools": [
{
"id": "/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/resourcegroups/VV/providers/Microsoft.Network/Frontdoors/vvtestfd2/BackendPools/vvtestfd2-bp",
"name": "vvtestfd2-bp",
"type": "Microsoft.Network/Frontdoors/BackendPools",
"properties": {
"backends": [
{
"address": "example.com",
"httpPort": 80,
"httpsPort": 443,
"priority": 1,
"weight": 50,
"backendHostHeader": "example.com",
"enabledState": "Enabled",
"privateLinkAlias": null,
"privateLinkResourceId": null,
"privateLinkLocation": null,
"privateEndpointStatus": null,
"privateLinkApprovalMessage": null
}
],
"resourceState": "Enabled",
"loadBalancingSettings": {
"id": "/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/resourceGroups/VV/providers/Microsoft.Network/frontdoors/vvtestfd2/loadBalancingSettings/loadBalancingSettings-1655897665335"
},
"healthProbeSettings": {
"id": "/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/resourceGroups/VV/providers/Microsoft.Network/frontdoors/vvtestfd2/healthProbeSettings/healthProbeSettings-1655897665335"
}
}
}
],
"frontendEndpoints": [
{
"id": "/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/resourcegroups/VV/providers/Microsoft.Network/Frontdoors/vvtestfd2/FrontendEndpoints/vvtestfd2-azurefd-net",
"name": "vvtestfd2-azurefd-net",
"type": "Microsoft.Network/Frontdoors/FrontendEndpoints",
"properties": {
"resourceState": "Enabled",
"hostName": "vvtestfd2.azurefd.net",
"sessionAffinityEnabledState": "Disabled",
"sessionAffinityTtlSeconds": 0,
"webApplicationFirewallPolicyLink": {
"id": "/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/resourceGroups/VV/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/test1"
},
"customHttpsProvisioningState": null,
"customHttpsProvisioningSubstate": null,
"customHttpsConfiguration": null
}
}
],
"backendPoolsSettings": {
"enforceCertificateNameCheck": "Enabled",
"sendRecvTimeoutSeconds": 30
},
"enabledState": "Enabled",
"cName": "vvtestfd2.azurefd.net",
"friendlyName": "vvtestfd2",
"provisioningState": "Succeeded"
}
}
]
}
}
}
},
{
"request": {
"method": "GET",
"uri": "https://management.azure.com/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/resourceGroups/VV/providers/Microsoft.Network/FrontDoorWebApplicationFirewallPolicies/test1?api-version=2022-05-01",
"body": null,
"headers": {}
},
"response": {
"status": {
"code": 200,
"message": "OK"
},
"headers": {
"content-type": [
"application/json; charset=utf-8"
],
"cache-control": [
"no-cache"
],
"date": [
"Wed, 22 Jun 2022 12:19:23 GMT"
],
"content-length": [
"1130"
]
},
"body": {
"data": {
"id": "/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/resourcegroups/VV/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/test1",
"type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies",
"name": "test1",
"location": "Global",
"tags": {},
"sku": {
"name": "Classic_AzureFrontDoor"
},
"properties": {
"policySettings": {
"enabledState": "Enabled",
"mode": "Prevention",
"redirectUrl": null,
"customBlockResponseStatusCode": 403,
"customBlockResponseBody": null,
"requestBodyCheck": "Disabled"
},
"customRules": {
"rules": []
},
"managedRules": {
"managedRuleSets": [
{
"ruleSetType": "Microsoft_DefaultRuleSet",
"ruleSetVersion": "1.1",
"ruleSetAction": null,
"ruleGroupOverrides": [
{
"ruleGroupName": "JAVA",
"rules": [
{
"ruleId": "944240",
"enabledState": "Disabled",
"action": "Block",
"exclusions": []
}
],
"exclusions": []
}
],
"exclusions": []
}
]
},
"frontendEndpointLinks": [
{
"id": "/subscriptions/ea42f556-5106-4743-99b0-c129bfa71a47/resourcegroups/VV/providers/Microsoft.Network/frontdoors/vvtestfd2/frontendendpoints/vvtestfd2-azurefd-net"
}
],
"securityPolicyLinks": [],
"routingRuleLinks": [],
"resourceState": "Enabled",
"provisioningState": "Succeeded"
}
}
}
}
}
]
}
28 changes: 28 additions & 0 deletions tools/c7n_azure/tests_azure/tests_resources/test_frontdoor.py
Expand Up @@ -38,3 +38,31 @@ def test_waf_not_enabled(self):
})
resources = p.run()
self.assertEqual(len(resources), 1)


class FrontDoorFirewallPolicyFilterTest(BaseTest):

def test_query(self):
p = self.load_policy(
{
"name": "test-front-door-resource",
"resource": "azure.front-door",
"filters": [
{
"type": "firewall-policy",
"attrs": [
{
"type": "value",
"key": "properties.managedRules.managedRuleSets[].ruleSetType",
"value": "Microsoft_DefaultRuleSet",
"op": "contains"
}
]
}
],
}
)
resources = p.run()

self.assertEqual(len(resources), 1)
self.assertEqual(resources[0]['name'], 'vvtestfd2')
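Review bot: `test_query` only exercises the matching path: the single recorded front door links one policy whose `ruleSetType` contains the filter value, so a filter that returned every resource unconditionally, or ignored `attrs`, would pass unchanged. A second policy using a non-matching value (e.g. `"value": "NoSuchRuleSet"`) asserting `self.assertEqual(len(resources), 0)` would pin the negative case, and since the filter sets `annotate_items = True` with `item_annotation_key = 'c7n:WAFPolicies'`, the positive case should also check the matched resource carries that annotation, e.g. `self.assertIn('c7n:WAFPolicies', resources[0])`. The early `continue` branches for endpoints without a link are not reached by this recording either, since the fixture's only frontend endpoint has a link set. The preceding `test_waf_not_enabled` ends inside the hunk's leading context.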