wafoo 0.0.7 → 0.0.8
- checksums.yaml +4 -4
- data/.circleci/config.yml +43 -0
- data/lib/wafoo.rb +2 -1
- data/lib/wafoo/cli.rb +1 -1
- data/lib/wafoo/helper.rb +4 -3
- data/lib/wafoo/run.rb +80 -31
- data/lib/wafoo/stub/waf.rb +42 -0
- data/lib/wafoo/stub/wafregional.rb +42 -0
- data/lib/wafoo/version.rb +1 -1
- data/wafoo.gemspec +5 -3
- metadata +41 -13
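--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz:
-  data.tar.gz:
+  metadata.gz: ae47f637ee5e203e5be1ecfc645b5235c14d9d525f0e05e05758f8b0c0581a0c
+  data.tar.gz: 0c55bc47b3cce6094df752cf0c389dc3d90b477a958db9ed2f056c3716d4dc67
 SHA512:
-  metadata.gz:
-  data.tar.gz:
+  metadata.gz: 0516c125ac532a342af5c3269d5e4ce35104e88f4ef2c0c17542124379f79e994a854b7cce478e56350a8ff133373dfcbf44e661e31c8a39d1b30fd40818e360
+  data.tar.gz: 4576e4ae88523dc12dcc7cf592d2e6f0b6d4bfcc5242b6ba1e96de4756fafad98af0bd7722153fbe5adf8d27592ecd87f886fd1dec6ea2a6ec281cd6429201c5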
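--- a/data/.circleci/config.yml
+++ b/data/.circleci/config.yml
@@ -0,0 +1,43 @@
+version: 2
+jobs:
+  build:
+    docker:
+      # specify the version you desire here
+      - image: circleci/ruby:2.4.1-node-browsers
+    working_directory: ~/repo
+    steps:
+      - checkout
+      - restore_cache:
+          keys:
+          - v1-dependencies-{{ checksum "Gemfile.lock" }}
+          # fallback to using the latest cache if no exact match is found
+          - v1-dependencies-
+      - run:
+          name: install dependencies
+          command: |
+            bundle install --jobs=4 --retry=3 --path vendor/bundle
+      - save_cache:
+          paths:
+            - ./vendor/bundle
+          key: v1-dependencies-{{ checksum "Gemfile.lock" }}
+      # run tests!
+      - run:
+          name: run tests
+          command: |
+            # mkdir /tmp/test-results
+            # TEST_FILES="$(circleci tests glob "spec/**/*_spec.rb" | \
+            # circleci tests split --split-by=timings)"
+
+            # bundle exec rspec \
+            # --format progress \
+            # --format RspecJunitFormatter \
+            # --out /tmp/test-results/rspec.xml \
+            # --format progress \
+            # $TEST_FILES
+            bundle exec rake spec
+      # collect reports
+      - store_test_results:
+          path: /tmp/test-results
+      - store_artifacts:
+          path: /tmp/test-results
+          destination: test-results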
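Review bot: The build image is pulled by the mutable tag `circleci/ruby:2.4.1-node-browsers` with no digest, so the environment that runs `bundle install` and the tests can change underneath a commit without any change to this file; pin it, e.g. `- image: circleci/ruby:2.4.1-node-browsers@sha256:<digest>`, or record why the floating tag is acceptable. Ruby 2.4 was already past end-of-life by the 2020-05-19 date in this release's metadata, so a green build here says little about supported Rubies. The `rspec` invocation that would populate `/tmp/test-results` is commented out and only `bundle exec rake spec` runs, so as far as this file shows the `store_test_results` and `store_artifacts` steps point at a directory nothing writes to.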
data/lib/wafoo.rb
CHANGED
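--- a/data/lib/wafoo/cli.rb
+++ b/data/lib/wafoo/cli.rb
@@ -14,7 +14,7 @@ module Wafoo
     end
 
     desc 'list', 'Print IPSet list'
-    option :
+    option :full, type: :boolean, desc: 'Specify this when you want to display webacl information as well.'
     def list
       wafoo = Wafoo::Run.new(options)
       wafoo.list_ipsets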
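--- a/data/lib/wafoo/helper.rb
+++ b/data/lib/wafoo/helper.rb
@@ -1,8 +1,9 @@
 module Wafoo
   module Helper
-    def output_table(ipsets_list)
-
-
+    def output_table(ipsets_list, full)
+      header = ['Type', 'IPSet ID', 'IPSet Name']
+      header.concat(['WebACL ID', 'WebACL Name']) if full
+      table = Terminal::Table.new(:headings => header, :rows => ipsets_list)
       puts table
     end
 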
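Review bot: `output_table(ipsets_list, full)` takes a bare boolean positional, so the call site (`output_table(ip_sets, @full)` in run.rb) does not say what the second argument means; a keyword with a default, `def output_table(ipsets_list, full: false)` with the caller changed to `output_table(ip_sets, full: @full)`, reads better and keeps any existing one-argument call working. As written the new parameter has no default, so a caller still passing only the list would raise ArgumentError — I cannot see every caller from here. A one-line comment above the method stating that each row must carry 3 columns, or 5 when `full` is set, would make the contract with the `get_*_ipsets` rows explicit.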
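--- a/data/lib/wafoo/run.rb
+++ b/data/lib/wafoo/run.rb
@@ -9,17 +9,65 @@ module Wafoo
       # Stub は個別にロードしてあげないといけないので苦肉の策
       Wafoo::Stub.load('waf') if ENV['LOAD_STUB'] == 'true'
       @waf = Aws::WAF::Client.new
+      @waf_webacls = get_waf_webacls
+
       # Stub は個別にロードしてあげないといけないので苦肉の策
       Wafoo::Stub.load('wafregional') if ENV['LOAD_STUB'] == 'true'
       @waf_regional = Aws::WAFRegional::Client.new
+      @wafregioal_webacls = get_wafregional_webacls
+
+      @all_waf_webacls = @waf_webacls + @wafregioal_webacls
 
       @regional = options[:regional] unless options.nil?
+      @full = options[:full] unless options.nil?
       FileUtils.mkdir_p(IP_SETS_DIR) unless FileTest.exist?(IP_SETS_DIR)
     end
 
+    %w(waf wafregional).each do |kind|
+      define_method "get_#{kind}_webacls" do
+        webacls = []
+        params = {}
+        waf_client = (kind == 'waf' ? @waf : @waf_regional)
+        loop do
+          res = waf_client.list_web_acls(params)
+          res.web_acls.map(&:to_h).each do |acl|
+            acl[:web_acl_name] = acl[:name]
+            acl.delete(:name)
+            webacls << acl
+          end
+          break if res.next_marker.nil?
+          params[:next_marker] = res.next_marker
+        end
+
+        webacl_ids = webacls.map {|acl| acl[:web_acl_id] }
+        webacl_ids.each do |id|
+          acl = waf_client.get_web_acl({
+            web_acl_id: id,
+          })
+
+          rules = []
+          acl.web_acl.rules.map(&:to_h).each do |r|
+            rule_desc = waf_client.get_rule({
+              rule_id: r[:rule_id]
+            })
+            ip_sets = rule_desc.rule.predicates.map { |p| p.data_id if p.type == 'IPMatch' }
+            rule = {}
+            rule[:rule_id] = r[:rule_id]
+            rule[:ip_set_ids] = ip_sets
+            rules << rule
+          end
+
+          webacls.map do |_acl|
+            _acl[:web_acl_rules] = rules if id == _acl[:web_acl_id]
+          end
+        end
+        webacls
+      end
+    end
+
     def read_ipset_from_api(ip_set_id)
-
-      resp =
+      waf_client = @regional ? @waf_regional : @waf
+      resp = waf_client.get_ip_set({
         ip_set_id: ip_set_id
       })
       ipsets = []
@@ -42,46 +90,47 @@ module Wafoo
       ipsets.sort
     end
 
-
-
-
-
-
-
-
-
-            ipset << set.ip_set_id
-            ipset << set.name
-            ip_sets << ipset
+    %w(id name).each do |kind|
+      define_method "select_webacl_#{kind}" do |ip_set_id|
+        _kind = (kind == 'name' ? 'web_acl_name' : 'web_acl_id')
+        webacl_res = []
+        @all_waf_webacls.each do |w|
+          w[:web_acl_rules].each do |r|
+            webacl_res << w[_kind.to_sym] if r[:ip_set_ids].include?(ip_set_id)
+          end
         end
-
-
+        webacl_res.join('\n') if webacl_res.length > 1
+        webacl_res[0]
       end
-        ip_sets
     end
 
-
-
-
-
-
-
-
-
-
-
-
+    %w(waf wafregional).each do |kind|
+      define_method "get_#{kind}_ipsets" do
+        ip_sets = []
+        params = {}
+        waf_client = (kind == 'waf' ? @waf : @waf_regional)
+        loop do
+          res = waf_client.list_ip_sets(params)
+          res.ip_sets.each do |set|
+            ipset = []
+            ipset << waf_client.class.to_s.split('::')[1]
+            ipset << set.ip_set_id
+            ipset << set.name
+            ipset << select_webacl_id(set.ip_set_id) if @full
+            ipset << select_webacl_name(set.ip_set_id) if @full
+            ip_sets << ipset
+          end
+          break if res.next_marker.nil?
+          params[:next_marker] = res.next_marker
         end
-
-          params[:next_marker] = res.next_marker
+        ip_sets
       end
-        ip_sets
     end
 
     def list_ipsets
       ip_sets = []
       ip_sets = get_waf_ipsets + get_wafregional_ipsets
-      output_table(ip_sets)
+      output_table(ip_sets, @full)
     end
 
     def export_ipset(ip_set_id)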
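Review bot: In the `select_webacl_id`/`select_webacl_name` methods of the second hunk, `webacl_res.join('\n') if webacl_res.length > 1` throws its result away (there is no `return`, and single-quoted `'\n'` is a literal backslash-n rather than a newline), so the method always falls through to `webacl_res[0]` and an IPSet referenced by several WebACLs is reported against only the first one; `return webacl_res.join("\n") if webacl_res.length > 1` is what the line appears to intend. In the first hunk the constructor, whose `def` line is above the hunk, now calls `get_waf_webacls` and `get_wafregional_webacls` on every `Run.new`, so every subcommand — not only `list --full` — issues ListWebACLs plus one GetWebACL per ACL and one GetRule per rule against both services, which presumably requires waf:ListWebACLs/GetWebACL/GetRule (and the wafregional equivalents) that an IPSet-only role did not need before and multiplies API calls on large accounts; building `@all_waf_webacls` lazily only when `@full` is set would keep the previous permission footprint. The instance variable `@wafregioal_webacls` is also misspelled.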
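--- a/data/lib/wafoo/stub/waf.rb
+++ b/data/lib/wafoo/stub/waf.rb
@@ -1,5 +1,47 @@
 Aws.config[:waf] = {
   stub_responses: {
+    list_web_acls: {
+      next_marker: nil,
+      web_acls: [
+        {
+          name: "WebACLexample",
+          web_acl_id: "webacl-1472061481310",
+        },
+      ],
+    },
+    get_web_acl: {
+      web_acl: {
+        default_action: {
+          type: "ALLOW",
+        },
+        metric_name: "CreateExample",
+        name: "CreateExample",
+        rules: [
+          {
+            action: {
+              type: "ALLOW",
+            },
+            priority: 1,
+            rule_id: "example1ds3t-46da-4fdb-b8d5-abc321j569j5",
+          },
+        ],
+        web_acl_id: "createwebacl-1472061481310",
+      },
+    },
+    get_rule: {
+      rule: {
+        metric_name: "WAFByteHeaderRule",
+        name: "WAFByteHeaderRule",
+        predicates: [
+          {
+            data_id: "1234567-abcd-1234-efgh-5678-1234567890",
+            negated: false,
+            type: "IPMatch",
+          },
+        ],
+        rule_id: "example1ds3t-46da-4fdb-b8d5-abc321j569j5",
+      },
+    },
     list_ip_sets: {
       next_marker: nil,
       ip_sets: [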
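Review bot: The stubbed `list_web_acls` returns `web_acl_id: "webacl-1472061481310"` while the stubbed `get_web_acl` returns `web_acl_id: "createwebacl-1472061481310"`; run.rb attaches the rules under the id it passed to `get_web_acl`, so this still works, but the mismatch makes the fixture misleading and the two values should be aligned. The IPMatch predicate's `data_id` (`1234567-abcd-1234-efgh-5678-1234567890`) only exercises the `--full` lookup if it matches an id in the stubbed `list_ip_sets` below this hunk, which I cannot see from here; a comment on that predicate naming the IPSet it is meant to reference would make the dependency explicit.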
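--- a/data/lib/wafoo/stub/wafregional.rb
+++ b/data/lib/wafoo/stub/wafregional.rb
@@ -1,5 +1,47 @@
 Aws.config[:wafregional] = {
   stub_responses: {
+    list_web_acls: {
+      next_marker: nil,
+      web_acls: [
+        {
+          name: "WebACLexample",
+          web_acl_id: "webacl-1472061481310",
+        },
+      ],
+    },
+    get_web_acl: {
+      web_acl: {
+        default_action: {
+          type: "ALLOW",
+        },
+        metric_name: "CreateExample",
+        name: "CreateExample",
+        rules: [
+          {
+            action: {
+              type: "ALLOW",
+            },
+            priority: 1,
+            rule_id: "example1ds3t-46da-4fdb-b8d5-abc321j569j5",
+          },
+        ],
+        web_acl_id: "createwebacl-1472061481310",
+      },
+    },
+    get_rule: {
+      rule: {
+        metric_name: "WAFByteHeaderRule",
+        name: "WAFByteHeaderRule",
+        predicates: [
+          {
+            data_id: "1234567-abcd-1234-efgh-5678-1234567890",
+            negated: false,
+            type: "IPMatch",
+          },
+        ],
+        rule_id: "example1ds3t-46da-4fdb-b8d5-abc321j569j5",
+      },
+    },
     list_ip_sets: {
       next_marker: nil,
       ip_sets: [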
data/lib/wafoo/version.rb
CHANGED
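--- a/data/wafoo.gemspec
+++ b/data/wafoo.gemspec
@@ -26,12 +26,14 @@ Gem::Specification.new do |spec|
   spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
 
-  spec.add_development_dependency 'bundler'
+  spec.add_development_dependency 'bundler'
   spec.add_development_dependency 'octorelease'
-  spec.add_development_dependency 'rake', '
+  spec.add_development_dependency 'rake', '>= 12.3.3'
   spec.add_development_dependency 'rspec', '~> 3.0'
+  spec.add_development_dependency 'rspec_junit_formatter'
 
-  spec.add_dependency 'aws-sdk'
+  spec.add_dependency 'aws-sdk-waf'
+  spec.add_dependency 'aws-sdk-wafregional'
   spec.add_dependency 'awsecrets'
   spec.add_dependency 'diffy'
   spec.add_dependency 'netaddr', '>= 2.0.4'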
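Review bot: `aws-sdk-waf` and `aws-sdk-wafregional` are added as runtime dependencies with no version constraint, which the generated metadata records as `>= 0`, so a plain `gem install wafoo` will happily resolve a future incompatible major of either SDK gem; constrain them to the API line the code was written against, e.g. `spec.add_dependency 'aws-sdk-waf', '~> 1'` and `spec.add_dependency 'aws-sdk-wafregional', '~> 1'`, as `rspec` and `netaddr` already are. The `rake '>= 12.3.3'` floor is the release that fixed the command-injection issue in older rake (CVE-2020-8130), so that change is the right one.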
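--- a/metadata
+++ b/metadata
@@ -1,29 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: wafoo
 version: !ruby/object:Gem::Version
-  version: 0.0.
+  version: 0.0.8
 platform: ruby
 authors:
 - inokappa
 autorequire:
 bindir: exe
 cert_chain: []
-date:
+date: 2020-05-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: octorelease
   requirement: !ruby/object:Gem::Requirement
@@ -42,16 +42,16 @@ dependencies:
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "
+    - - ">="
       - !ruby/object:Gem::Version
-        version:
+        version: 12.3.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "
+    - - ">="
       - !ruby/object:Gem::Version
-        version:
+        version: 12.3.3
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -67,7 +67,35 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '3.0'
 - !ruby/object:Gem::Dependency
-  name:
+  name: rspec_junit_formatter
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-waf
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-wafregional
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -158,6 +186,7 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
+- ".circleci/config.yml"
 - ".gitignore"
 - ".rspec"
 - ".travis.yml"
@@ -197,8 +226,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-
-rubygems_version: 2.7.6
+rubygems_version: 3.0.1
 signing_key:
 specification_version: 4
 summary: Small tool to manipulate AWS WAF IPSets.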