wafoo 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 81207a2ff01529fc7a8a6c6b16fa18942ddd0995dbe0885d809d7d321f83613e
+  data.tar.gz: ffc45230ce3c874623b07798c3da714759e37ac10cccfbc6e62c697e9a3c7ae1
+SHA512:
+  metadata.gz: 4a427e249bae138a7db185baf1acd76304ccd6391e353c1d55641691c0440cf8531eaf003588d38a87c3725613ca7c80ba7b32961d5774999dec4ca0f06d6c7b
+  data.tar.gz: aada43d74ea2aa377cb6f1643deae6e4a4cb0c7a93fe3aea598d22669f77f31e31c5324cbf34a2cbd891d777544159d294600c7c5da1274aea23e832855dc3c5

data/.gitignore

@@ -0,0 +1,11 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+vendor/bundle/
+.envrc

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in wafoo.gemspec
+gemspec

data/README.md

@@ -0,0 +1,71 @@
+# wafoo
+
+## これなに
+
+* AWS WAF の IPSets をいじるコマンドラインツール
+* ツッコミどころが満載です
+
+## Install
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'wafoo'
+```
+
+And then execute:
+
+```sh
+$ bundle
+```
+
+Or install it yourself as:
+
+```sh
+$ gem install wafoo
+```
+
+## 準備
+
+とりあえずは, direnv と組み合わせて利用することを想定しており, AWS のクレデンシャル情報は .envrc に記載して下さい.
+
+```sh
+export AWS_PROFILE=your-profile
+export AWS_REGION=ap-northeast-1
+```
+
+## Getting Started
+
+### Step 1: Listing IPSets
+
+```sh
+$ bundle exec wafoo list
+```
+
+### Step 2: Export IPSets details
+
+```sh
+$ bundle exec wafoo export --ip-set-id=${IPSet ID}
+```
+
+The IP list is exported to the current directory. (The file name is IPSet ID.)
+
+### Step 3: Modify IPSets details
+
+```sh
+$ vim ${IPSet ID}
+```
+
+### Step 4: Check IP list
+
+Check the IP list before applying.
+
+```sh
+$ bundle exec wafoo apply --ip-set-id=${IPSet ID} --dry-run
+```
+
+### Step 5: Apply IP list
+
+```sh
+$ bundle exec wafoo apply --ip-set-id=${IPSet ID}
+```

data/Rakefile

@@ -0,0 +1,7 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+require "octorelease"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require 'bundler/setup'
+require 'wafoo'
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require 'pry'
+# Pry.start
+
+require 'irb'
+IRB.start

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/exe/wafoo

@@ -0,0 +1,5 @@
+#!/usr/bin/env ruby
+
+require 'wafoo'
+
+Wafoo::CLI.start

data/lib/wafoo.rb

@@ -0,0 +1,15 @@
+require 'thor'
+require 'aws-sdk'
+require 'awsecrets'
+require 'diffy'
+require 'netaddr'
+require 'terminal-table'
+
+require 'wafoo/version'
+require 'wafoo/cli'
+require 'wafoo/helper'
+require 'wafoo/run'
+
+module Wafoo
+  # Your code goes here...
+end

data/lib/wafoo/cli.rb

@@ -0,0 +1,39 @@
+require 'wafoo'
+
+module Wafoo
+  class CLI < Thor
+    default_command :version
+    class_option :profile
+    class_option :region
+
+    desc 'version', 'Print version number'
+    def version
+      puts Wafoo::VERSION
+    end
+
+    desc 'list', 'Print IPSet list'
+    option :cloudfront, type: :boolean, desc: 'Specify the option when the target is CloudFront.'
+    def list
+      wafoo = Wafoo::Run.new(options)
+      wafoo.list_ipsets
+    end
+
+    desc 'export', 'Export IP address list of specified IPSet ID'
+    option :ip_set_id, type: :string, aliases: '-i', desc: 'Specify IPset ID.'
+    option :regional, type: :boolean, default: true, desc: 'Specify the option when the target is CloudFront.'
+    def export
+      wafoo = Wafoo::Run.new(options)
+      wafoo.export_ipsets(options[:ip_set_id])
+    end
+
+    desc 'apply', 'Apply the specified IPSet ID'
+    option :ip_set_id, type: :string, aliases: '-i', desc: 'Specify IPset ID.'
+    option :dry_run, type: :boolean, aliases: '-d', desc: 'Dryrun.'
+    option :regional, type: :boolean, default: true, desc: 'Specify the option when the target is CloudFront.'
+    def apply
+      wafoo = Wafoo::Run.new(options)
+      wafoo.update_ipsets(options[:ip_set_id], options[:dry_run])
+    end
+  end
+end
+

data/lib/wafoo/helper.rb

@@ -0,0 +1,17 @@
+module Wafoo
+  module Helper
+    def output_table(ipsets_list)
+      table = Terminal::Table.new(:headings => ['Type', 'IPSets ID', 'Name'],
+                                  :rows => ipsets_list)
+      puts table
+    end
+
+    def added_print(message)
+      "\e[32m" + message + "\e[0m"
+    end
+
+    def removed_print(message)
+      "\e[31m" + message + "\e[0m"
+    end
+  end
+end

data/lib/wafoo/run.rb

@@ -0,0 +1,164 @@
+require 'wafoo'
+
+module Wafoo
+  class Run
+    include Wafoo::Helper
+  
+    def initialize(options = nil)
+      @waf_regional = Aws::WAFRegional::Client.new
+      @waf = Aws::WAF::Client.new
+      @regional = options[:regional] unless options.nil?
+    end
+
+    def read_ipsets_from_api(ip_set_id)
+      waf = @regional ? @waf_regional : @waf
+      resp = waf.get_ip_set({
+        ip_set_id: ip_set_id
+      })
+      ipsets = []
+      sorted_ipsets = resp.ip_set.ip_set_descriptors.sort {|a,b| a[:value] <=> b[:value]}
+      sorted_ipsets.each do |ipset|
+        ipsets << ipset.value
+      end
+
+      ipsets
+    end
+
+    def read_ipsets_from_file(ip_set_id)
+      ipsets = []
+      File.open(ip_set_id, 'r') do |file|
+        file.read.split("\n").each do |ipset|
+          ipsets << ipset
+        end
+      end
+
+      ipsets.sort
+    end
+
+    def list_ipsets
+      ip_sets = []
+      params = {}
+      [ @waf_regional, @waf ].each do |w|
+        loop do
+          res = w.list_ip_sets(params)
+          res.ip_sets.each do |set|
+            ipset = []
+            ipset << w.class.to_s.split('::')[1]
+            ipset << set.ip_set_id
+            ipset << set.name
+            ip_sets << ipset
+          end
+          break if res.next_marker.nil?
+          params[:next_marker] = res.next_marker
+        end
+      end
+      output_table(ip_sets)
+    end
+
+    def export_ipsets(ip_set_id)
+      ipsets = read_ipsets_from_api(ip_set_id)
+      ipsets.sort.each { |ipset| puts ipset }
+      File.open(ip_set_id, 'w') do |f|
+        ipsets.sort.each { |ipset| f.puts(ipset) }
+      end
+    end
+
+    def apply_ipsets(ipsets, ip_set_id)
+      waf = @regional ? @waf_regional : @waf
+      change_token = waf.get_change_token.change_token
+      resp = waf.update_ip_set(
+        ip_set_id: ip_set_id,
+        change_token: change_token,
+        updates: ipsets
+      )
+    end
+
+    def split_cidr(ipset)
+      addr = NetAddr::CIDR.create(ipset)
+      addr.enumerate
+    end
+
+    def generate_delete_hash(ipset)
+      ipset.slice!(0)
+      h = {
+        action: 'DELETE',
+        ip_set_descriptor: {
+          type: 'IPV4',
+          value: ipset
+        }
+      }
+
+      unless %w(8 16 24 33).include?(ipset.split('/').last)
+        ips = split_cidr(ipset)
+        ipsets_array = []
+        ips.each do |ip|
+          ipsets_array << {
+                             action: 'DELETE',
+                             ip_set_descriptor: {
+                               type: 'IPV4',
+                               value: ip + '/32'
+                             }
+                          }
+        end
+        return ipsets_array
+      end 
+
+      ipsets_hash = {
+                       action: 'DELETE',
+                       ip_set_descriptor: {
+                         type: 'IPV4',
+                         value: ipset
+                       }
+                    }
+      ipsets_hash
+    end
+
+    def generate_insert_hash(ipset)
+      ipset.slice!(0)
+      unless %w(8 16 24 33).include?(ipset.split('/').last)
+        ips = split_cidr(ipset)
+        ipsets_array = []
+        ips.each do |ip|
+          ipsets_array << {
+                             action: 'INSERT',
+                             ip_set_descriptor: {
+                               type: 'IPV4',
+                               value: ip + '/32'
+                             }
+                          }
+        end
+        return ipsets_array
+      end
+
+      ipsets_hash = {
+                       action: 'INSERT',
+                       ip_set_descriptor: {
+                         type: 'IPV4',
+                         value: ipset
+                       }
+                    }
+      ipsets_hash
+    end
+
+    def update_ipsets(ip_set_id, dry_run)
+      _old = read_ipsets_from_api(ip_set_id).join("\n")
+      _new = read_ipsets_from_file(ip_set_id).join("\n")
+      ipsets = []
+      Diffy::Diff.new(_old, _new).each do |line|
+        case line
+          when /^\+/ then
+            puts added_print(line.chomp)
+            ipsets << generate_insert_hash(line.chomp)
+          when /^-/ then
+            puts removed_print(line.chomp)
+            ipsets << generate_delete_hash(line.chomp)
+        end
+      end
+
+      if dry_run == nil and ipsets.length > 0 then
+        apply_ipsets(ipsets.flatten, ip_set_id)
+        export_ipsets(ip_set_id)
+      end
+    end
+  end
+end

data/lib/wafoo/version.rb

@@ -0,0 +1,3 @@
+module Wafoo
+  VERSION = "0.0.1"
+end

data/wafoo.gemspec

@@ -0,0 +1,41 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'wafoo/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'wafoo'
+  spec.version       = Wafoo::VERSION
+  spec.authors       = ['inokappa']
+  spec.email         = ['inokara at gmail.com']
+
+  spec.summary       = %q{Small tool to manipulate AWS WAF IPSets.}
+  spec.description   = %q{Small tool to manipulate AWS WAF IPSets.}
+  spec.homepage      = 'https://github.com/inokappa/wafoo'
+
+  # Prevent pushing this gem to RubyGems.org by setting 'allowed_push_host', or
+  # delete this section to allow pushing this gem to any host.
+  # if spec.respond_to?(:metadata)
+  #   spec.metadata['allowed_push_host'] = 'TODO: Set to 'http://mygemserver.com''
+  # else
+  #   raise 'RubyGems 2.0 or newer is required to protect against public gem pushes.'
+  # end
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = 'exe'
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.add_development_dependency "bundler", "~> 1.16"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rspec", "~> 3.0"
+  spec.add_development_dependency "octorelease"
+
+  spec.add_dependency 'thor'
+  spec.add_dependency 'aws-sdk'
+  spec.add_dependency 'awsecrets'
+  spec.add_dependency 'diffy'
+  spec.add_dependency 'netaddr', '1.5.1'
+  spec.add_dependency 'terminal-table'
+
+end

metadata

@@ -0,0 +1,197 @@
+--- !ruby/object:Gem::Specification
+name: wafoo
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- inokappa
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2018-11-27 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: octorelease
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: awsecrets
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: diffy
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: netaddr
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.5.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.5.1
+- !ruby/object:Gem::Dependency
+  name: terminal-table
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Small tool to manipulate AWS WAF IPSets.
+email:
+- inokara at gmail.com
+executables:
+- wafoo
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- Gemfile
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- exe/wafoo
+- lib/wafoo.rb
+- lib/wafoo/cli.rb
+- lib/wafoo/helper.rb
+- lib/wafoo/run.rb
+- lib/wafoo/version.rb
+- wafoo.gemspec
+homepage: https://github.com/inokappa/wafoo
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.6
+signing_key: 
+specification_version: 4
+summary: Small tool to manipulate AWS WAF IPSets.
+test_files: []