@digitraffic/common 2025.5.5-1 → 2025.6.16-1

package/README.md

@@ -17,6 +17,10 @@ Format code
     pnpm run:format-changed # Formats stagged files
     pnpm run:format # Format all files
 
+## Reinstall lefthook git hooks
+
+    pnpm prepare
+
 ## How to use
 
 In package.json dependencies:

package/dist/__test__/infra/acl-builder.test.js

@@ -21,8 +21,13 @@ describe("acl-builder tests", () => {
         ]).build();
         expect(acl.rules).toHaveLength(2);
     });
-    test("ip restriction", () => {
-        const acl = createBuilder().withIpRestrictionRule(["1.2.3.4", "1.2.6.6"])
+    test("ip blacklist", () => {
+        const acl = createBuilder().withIpBlacklistRule(["1.2.3.4", "1.2.6.6"])
+            .build();
+        expect(acl.rules).toHaveLength(1);
+    });
+    test("ip whitelist", () => {
+        const acl = createBuilder().withIpWhitelistRule(["1.2.3.4", "1.2.6.6"])
             .build();
         expect(acl.rules).toHaveLength(1);
     });

package/dist/aws/infra/acl-builder.d.ts

@@ -12,7 +12,7 @@ export type CfnWebAclRuleProperty = {
  *
  * Currently supports:
  * * Some AWS managed WAF rules
- * * IP blacklisting
+ * * IP blacklisting/whitelisting
  */
 export declare class AclBuilder {
     readonly _construct: Construct;
@@ -23,18 +23,25 @@ export declare class AclBuilder {
     _customResponseBodies: Record<string, CfnWebACL.CustomResponseBodyProperty>;
     constructor(construct: Construct, name?: string);
     isRuleDefined(rules: AWSManagedWafRule[] | "all", rule: AWSManagedWafRule): boolean;
-    withAWSManagedRules(rules?: AWSManagedWafRule[] | "all", excludedRules?: ExcludedAWSRules): AclBuilder;
-    withIpRestrictionRule(addresses: string[]): AclBuilder;
-    withThrottleRule(name: string, limit: number, isHeaderRequired: boolean, isBasedOnIpAndUriPath: boolean, customResponseBodyKey?: string): AclBuilder;
-    withCustomResponseBody(key: string, customResponseBody: CfnWebACL.CustomResponseBodyProperty): AclBuilder;
-    withThrottleDigitrafficUserIp(limit: number | undefined): AclBuilder;
-    withThrottleDigitrafficUserIpAndUriPath(limit: number | undefined): AclBuilder;
+    withAWSManagedRules(rules?: AWSManagedWafRule[] | "all", excludedRules?: ExcludedAWSRules): this;
+    /**
+     * Block access from given addresses
+     */
+    withIpBlacklistRule(addresses: string[]): this;
+    /**
+     * Allow access only from the given addresses
+     */
+    withIpWhitelistRule(addresses: string[]): this;
+    withThrottleRule(name: string, limit: number, isHeaderRequired: boolean, isBasedOnIpAndUriPath: boolean, customResponseBodyKey?: string): this;
+    withCustomResponseBody(key: string, customResponseBody: CfnWebACL.CustomResponseBodyProperty): this;
+    withThrottleDigitrafficUserIp(limit: number | undefined): this;
+    withThrottleDigitrafficUserIpAndUriPath(limit: number | undefined): this;
     withThrottleAnonymousUserIp(limit: number | undefined): AclBuilder;
-    withThrottleAnonymousUserIpAndUriPath(limit: number | undefined): AclBuilder;
-    withCountDigitrafficUserIp(limit: number | undefined): AclBuilder;
-    withCountDigitrafficUserIpAndUriPath(limit: number | undefined): AclBuilder;
-    withCountAnonymousUserIp(limit: number | undefined): AclBuilder;
-    withCountAnonymousUserIpAndUriPath(limit: number | undefined): AclBuilder;
+    withThrottleAnonymousUserIpAndUriPath(limit: number | undefined): this;
+    withCountDigitrafficUserIp(limit: number | undefined): this;
+    withCountDigitrafficUserIpAndUriPath(limit: number | undefined): this;
+    withCountAnonymousUserIp(limit: number | undefined): this;
+    withCountAnonymousUserIpAndUriPath(limit: number | undefined): this;
     _isCustomResponseBodyKeySet(key: string): boolean;
     _addThrottleResponseBody(customResponseBodyKey: string, limit: number): void;
     build(): CfnWebACL;

package/dist/aws/infra/acl-builder.js

@@ -6,7 +6,7 @@ import { concat, range, zipWith } from "lodash-es";
  *
  * Currently supports:
  * * Some AWS managed WAF rules
- * * IP blacklisting
+ * * IP blacklisting/whitelisting
  */
 export class AclBuilder {
     _construct;
@@ -37,7 +37,10 @@ export class AclBuilder {
         }
         return this;
     }
-    withIpRestrictionRule(addresses) {
+    /**
+     * Block access from given addresses
+     */
+    withIpBlacklistRule(addresses) {
         const blocklistIpSet = new CfnIPSet(this._construct, "BlocklistIpSet", {
             ipAddressVersion: "IPV4",
             scope: this._scope,
@@ -59,6 +62,35 @@ export class AclBuilder {
         });
         return this;
     }
+    /**
+     * Allow access only from the given addresses
+     */
+    withIpWhitelistRule(addresses) {
+        const blocklistIpSet = new CfnIPSet(this._construct, "AllowlistIpSet", {
+            ipAddressVersion: "IPV4",
+            scope: this._scope,
+            addresses,
+        });
+        this._blockRules.push({
+            name: "IpAllowlist",
+            action: { block: {} },
+            statement: {
+                notStatement: {
+                    statement: {
+                        ipSetReferenceStatement: {
+                            arn: blocklistIpSet.attrArn,
+                        },
+                    },
+                },
+            },
+            visibilityConfig: {
+                sampledRequestsEnabled: false,
+                cloudWatchMetricsEnabled: true,
+                metricName: "IpAllowlist",
+            },
+        });
+        return this;
+    }
     withThrottleRule(name, limit, isHeaderRequired, isBasedOnIpAndUriPath, customResponseBodyKey) {
         const isBlockRule = !!customResponseBodyKey;
         const rules = isBlockRule ? this._blockRules : this._countRules;