wafoo 0.0.7 → 0.0.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e794d3673a6d79a60cef7daad811e98d77feb65d37d3d5a7b7df4743019380a5
-  data.tar.gz: 7282d1cf4f09a1ae9df4070f4d3b26b4022d036144b5847c20a8e6ab7ca4dd0f
+  metadata.gz: ae47f637ee5e203e5be1ecfc645b5235c14d9d525f0e05e05758f8b0c0581a0c
+  data.tar.gz: 0c55bc47b3cce6094df752cf0c389dc3d90b477a958db9ed2f056c3716d4dc67
 SHA512:
-  metadata.gz: 2396bfb7c5df3a4f38b31fa41d4ca8d244c998b8b29eeb49a6a8ea41a43ab00ad473d1deee69f1d1466a3f54905e2477a91c710be7df71114e4ab47a2834e84b
-  data.tar.gz: 32dedfa1697508fc2c19ce36d6aac3ffd68324d25bf8dcbbf1055cd47011b664fcea47e82651980fd714325d3c919bda5f78913acf373a5743d78934637d8e69
+  metadata.gz: 0516c125ac532a342af5c3269d5e4ce35104e88f4ef2c0c17542124379f79e994a854b7cce478e56350a8ff133373dfcbf44e661e31c8a39d1b30fd40818e360
+  data.tar.gz: 4576e4ae88523dc12dcc7cf592d2e6f0b6d4bfcc5242b6ba1e96de4756fafad98af0bd7722153fbe5adf8d27592ecd87f886fd1dec6ea2a6ec281cd6429201c5

data/.circleci/config.yml

@@ -0,0 +1,43 @@
+version: 2
+jobs:
+  build:
+    docker:
+      # specify the version you desire here
+      - image: circleci/ruby:2.4.1-node-browsers
+    working_directory: ~/repo
+    steps:
+      - checkout
+      - restore_cache:
+          keys:
+            - v1-dependencies-{{ checksum "Gemfile.lock" }}
+            # fallback to using the latest cache if no exact match is found
+            - v1-dependencies-
+      - run:
+          name: install dependencies
+          command: |
+            bundle install --jobs=4 --retry=3 --path vendor/bundle
+      - save_cache:
+          paths:
+            - ./vendor/bundle
+          key: v1-dependencies-{{ checksum "Gemfile.lock" }}
+      # run tests!
+      - run:
+          name: run tests
+          command: |
+            # mkdir /tmp/test-results
+            # TEST_FILES="$(circleci tests glob "spec/**/*_spec.rb" | \
+            #   circleci tests split --split-by=timings)"
+
+            # bundle exec rspec \
+            #   --format progress \
+            #   --format RspecJunitFormatter \
+            #   --out /tmp/test-results/rspec.xml \
+            #   --format progress \
+            #   $TEST_FILES
+            bundle exec rake spec
+      # collect reports
+      - store_test_results:
+          path: /tmp/test-results
+      - store_artifacts:
+          path: /tmp/test-results
+          destination: test-results

data/lib/wafoo.rb

@@ -1,5 +1,6 @@
 require 'thor'
-require 'aws-sdk'
+require 'aws-sdk-waf'
+require 'aws-sdk-wafregional'
 require 'awsecrets'
 require 'diffy'
 require 'netaddr'

data/lib/wafoo/cli.rb

@@ -14,7 +14,7 @@ module Wafoo
     end
 
     desc 'list', 'Print IPSet list'
-    option :cloudfront, type: :boolean, desc: 'Specify the option when the target is CloudFront.'
+    option :full, type: :boolean, desc: 'Specify this when you want to display webacl information as well.'
     def list
       wafoo = Wafoo::Run.new(options)
       wafoo.list_ipsets

data/lib/wafoo/helper.rb

@@ -1,8 +1,9 @@
 module Wafoo
   module Helper
-    def output_table(ipsets_list)
-      table = Terminal::Table.new(:headings => ['Type', 'IPSet IDs', 'Name'],
-                                  :rows => ipsets_list)
+    def output_table(ipsets_list, full)
+      header = ['Type', 'IPSet ID', 'IPSet Name']
+      header.concat(['WebACL ID', 'WebACL Name']) if full
+      table = Terminal::Table.new(:headings => header, :rows => ipsets_list)
       puts table
     end
 

data/lib/wafoo/run.rb

@@ -9,17 +9,65 @@ module Wafoo
       # Stub は個別にロードしてあげないといけないので苦肉の策
       Wafoo::Stub.load('waf') if ENV['LOAD_STUB'] == 'true'
       @waf = Aws::WAF::Client.new
+      @waf_webacls = get_waf_webacls
+
       # Stub は個別にロードしてあげないといけないので苦肉の策
       Wafoo::Stub.load('wafregional') if ENV['LOAD_STUB'] == 'true'
       @waf_regional = Aws::WAFRegional::Client.new
+      @wafregioal_webacls = get_wafregional_webacls
+
+      @all_waf_webacls = @waf_webacls + @wafregioal_webacls
 
       @regional = options[:regional] unless options.nil?
+      @full = options[:full] unless options.nil?
       FileUtils.mkdir_p(IP_SETS_DIR) unless FileTest.exist?(IP_SETS_DIR)
     end
 
+    %w(waf wafregional).each do |kind|
+      define_method "get_#{kind}_webacls" do
+        webacls = []
+        params = {}
+        waf_client = (kind == 'waf' ? @waf : @waf_regional)
+        loop do
+          res = waf_client.list_web_acls(params)
+          res.web_acls.map(&:to_h).each do |acl|
+            acl[:web_acl_name] = acl[:name]
+            acl.delete(:name)
+            webacls << acl
+          end
+          break if res.next_marker.nil?
+          params[:next_marker] = res.next_marker
+        end
+
+        webacl_ids = webacls.map {|acl| acl[:web_acl_id] }
+        webacl_ids.each do |id|
+          acl = waf_client.get_web_acl({
+            web_acl_id: id,
+          })
+
+          rules = []
+          acl.web_acl.rules.map(&:to_h).each do |r|
+            rule_desc = waf_client.get_rule({
+              rule_id: r[:rule_id]
+            })
+            ip_sets = rule_desc.rule.predicates.map { |p| p.data_id if p.type == 'IPMatch' }
+            rule = {}
+            rule[:rule_id] = r[:rule_id]
+            rule[:ip_set_ids] = ip_sets
+            rules << rule
+          end
+
+          webacls.map do |_acl|
+            _acl[:web_acl_rules] = rules if id == _acl[:web_acl_id]
+          end
+        end
+        webacls
+      end
+    end
+
     def read_ipset_from_api(ip_set_id)
-      waf = @regional ? @waf_regional : @waf
-      resp = waf.get_ip_set({
+      waf_client = @regional ? @waf_regional : @waf
+      resp = waf_client.get_ip_set({
         ip_set_id: ip_set_id
       })
       ipsets = []
@@ -42,46 +90,47 @@ module Wafoo
       ipsets.sort
     end
 
-    def get_waf_ipsets
-      ip_sets = []
-      params = {}
-      loop do
-        res = @waf.list_ip_sets(params)
-        res.ip_sets.each do |set|
-          ipset = []
-          ipset << @waf.class.to_s.split('::')[1]
-          ipset << set.ip_set_id
-          ipset << set.name
-          ip_sets << ipset
+    %w(id name).each do |kind|
+      define_method "select_webacl_#{kind}" do |ip_set_id|
+        _kind = (kind == 'name' ? 'web_acl_name' : 'web_acl_id')
+        webacl_res = []
+        @all_waf_webacls.each do |w|
+          w[:web_acl_rules].each do |r|
+            webacl_res << w[_kind.to_sym] if r[:ip_set_ids].include?(ip_set_id)
+          end
         end
-        break if res.next_marker.nil?
-        params[:next_marker] = res.next_marker
+        webacl_res.join('\n') if webacl_res.length > 1
+        webacl_res[0]
       end
-      ip_sets
     end
 
-    def get_wafregional_ipsets
-      ip_sets = []
-      params = {}
-      loop do
-        res = @waf_regional.list_ip_sets(params)
-        res.ip_sets.each do |set|
-          ipset = []
-          ipset << @waf_regional.class.to_s.split('::')[1]
-          ipset << set.ip_set_id
-          ipset << set.name
-          ip_sets << ipset
+    %w(waf wafregional).each do |kind|
+      define_method "get_#{kind}_ipsets" do
+        ip_sets = []
+        params = {}
+        waf_client = (kind == 'waf' ? @waf : @waf_regional)
+        loop do
+          res = waf_client.list_ip_sets(params)
+          res.ip_sets.each do |set|
+            ipset = []
+            ipset << waf_client.class.to_s.split('::')[1]
+            ipset << set.ip_set_id
+            ipset << set.name
+            ipset << select_webacl_id(set.ip_set_id) if @full
+            ipset << select_webacl_name(set.ip_set_id) if @full
+            ip_sets << ipset
+          end
+          break if res.next_marker.nil?
+          params[:next_marker] = res.next_marker
         end
-        break if res.next_marker.nil?
-        params[:next_marker] = res.next_marker
+        ip_sets
       end
-      ip_sets
     end
 
     def list_ipsets
       ip_sets = []
       ip_sets = get_waf_ipsets + get_wafregional_ipsets
-      output_table(ip_sets)
+      output_table(ip_sets, @full)
     end
 
     def export_ipset(ip_set_id)

data/lib/wafoo/stub/waf.rb

@@ -1,5 +1,47 @@
 Aws.config[:waf] = {
   stub_responses: {
+    list_web_acls: {
+      next_marker: nil,
+      web_acls: [
+        {
+          name: "WebACLexample", 
+          web_acl_id: "webacl-1472061481310", 
+        },
+      ],
+    },
+    get_web_acl: {
+      web_acl: {
+        default_action: {
+          type: "ALLOW", 
+        }, 
+        metric_name: "CreateExample", 
+        name: "CreateExample", 
+        rules: [
+          {
+            action: {
+              type: "ALLOW", 
+            }, 
+            priority: 1, 
+            rule_id: "example1ds3t-46da-4fdb-b8d5-abc321j569j5", 
+          }, 
+        ], 
+        web_acl_id: "createwebacl-1472061481310", 
+      }, 
+    },
+    get_rule: {
+      rule: {
+        metric_name: "WAFByteHeaderRule", 
+        name: "WAFByteHeaderRule", 
+        predicates: [
+          {
+            data_id: "1234567-abcd-1234-efgh-5678-1234567890", 
+            negated: false,
+            type: "IPMatch", 
+          }, 
+        ], 
+        rule_id: "example1ds3t-46da-4fdb-b8d5-abc321j569j5", 
+      }, 
+    },
     list_ip_sets: {
       next_marker: nil,
       ip_sets: [

data/lib/wafoo/stub/wafregional.rb

@@ -1,5 +1,47 @@
 Aws.config[:wafregional] = {
   stub_responses: {
+    list_web_acls: {
+      next_marker: nil,
+      web_acls: [
+        {
+          name: "WebACLexample", 
+          web_acl_id: "webacl-1472061481310", 
+        },
+      ],
+    },
+    get_web_acl: {
+      web_acl: {
+        default_action: {
+          type: "ALLOW", 
+        }, 
+        metric_name: "CreateExample", 
+        name: "CreateExample", 
+        rules: [
+          {
+            action: {
+              type: "ALLOW", 
+            }, 
+            priority: 1, 
+            rule_id: "example1ds3t-46da-4fdb-b8d5-abc321j569j5", 
+          }, 
+        ], 
+        web_acl_id: "createwebacl-1472061481310", 
+      }, 
+    },
+    get_rule: {
+      rule: {
+        metric_name: "WAFByteHeaderRule", 
+        name: "WAFByteHeaderRule", 
+        predicates: [
+          {
+            data_id: "1234567-abcd-1234-efgh-5678-1234567890", 
+            negated: false,
+            type: "IPMatch", 
+          }, 
+        ], 
+        rule_id: "example1ds3t-46da-4fdb-b8d5-abc321j569j5", 
+      }, 
+    },
     list_ip_sets: {
       next_marker: nil,
       ip_sets: [

data/lib/wafoo/version.rb

@@ -1,3 +1,3 @@
 module Wafoo
-  VERSION = '0.0.7'
+  VERSION = '0.0.8'
 end

data/wafoo.gemspec

@@ -26,12 +26,14 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
 
-  spec.add_development_dependency 'bundler', '~> 1.16'
+  spec.add_development_dependency 'bundler'
   spec.add_development_dependency 'octorelease'
-  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rake', '>= 12.3.3'
   spec.add_development_dependency 'rspec', '~> 3.0'
+  spec.add_development_dependency 'rspec_junit_formatter'
 
-  spec.add_dependency 'aws-sdk'
+  spec.add_dependency 'aws-sdk-waf'
+  spec.add_dependency 'aws-sdk-wafregional'
   spec.add_dependency 'awsecrets'
   spec.add_dependency 'diffy'
   spec.add_dependency 'netaddr', '>= 2.0.4'

metadata

@@ -1,29 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: wafoo
 version: !ruby/object:Gem::Version
-  version: 0.0.7
+  version: 0.0.8
 platform: ruby
 authors:
 - inokappa
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-10-31 00:00:00.000000000 Z
+date: 2020-05-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.16'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.16'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: octorelease
   requirement: !ruby/object:Gem::Requirement
@@ -42,16 +42,16 @@ dependencies:
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: 12.3.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: 12.3.3
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -67,7 +67,35 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '3.0'
 - !ruby/object:Gem::Dependency
-  name: aws-sdk
+  name: rspec_junit_formatter
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-waf
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-wafregional
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -158,6 +186,7 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
+- ".circleci/config.yml"
 - ".gitignore"
 - ".rspec"
 - ".travis.yml"
@@ -197,8 +226,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6
+rubygems_version: 3.0.1
 signing_key: 
 specification_version: 4
 summary: Small tool to manipulate AWS WAF IPSets.