policy

package
Published: Feb 6, 2024 License: MIT Imports: 38 Imported by: 0


Constants

// Timing constants used while PushPolicy waits for a create/update to finish.
// The unit is not stated in this file: both values are untyped integers and
// PushPolicyInput.Timeout is a plain int64 rather than a time.Duration —
// presumably seconds; confirm against the PushPolicy implementation before
// changing either value.
const (
	// PushPolicyTimeout is the default overall wait for a policy push to complete.
	PushPolicyTimeout       = 120
	// PushPolicyPollFrequency is the interval between checks on the push's progress.
	PushPolicyPollFrequency = 20
)
// Client-side caps, Azure hard limits, and the naming/priority scheme for the
// Custom rules this package generates. The *PriorityStart values place
// generated rules relative to manually created ones: Azure processes Custom
// rules from the lowest priority value upwards (per Azure docs; nothing here
// enforces it), so with these defaults LogNets (1000+) are evaluated first,
// then AllowNets (3000+), then BlockNets (5000+). An address present in both
// the allow and block lists is therefore allowed — that is a deliberate
// ordering, but it means the allow list is the more sensitive input.
const (

	// MaxPoliciesToFetch is the maximum number of policies this tool will attempt to retrieve (a client-side cap, not an Azure limit)
	MaxPoliciesToFetch = 200
	// MaxFrontDoorsToFetch is the maximum number of Front Doors this tool will attempt to retrieve (a client-side cap, not an Azure limit)
	MaxFrontDoorsToFetch = 100
	// MaxCustomRules is Azure's hard limit on the number of Custom rules per Policy
	MaxCustomRules = 90
	// MaxLogNetsRules is the maximum number of LogNets Custom rules this tool will create, out of Azure's hard limit of 90 per Policy
	MaxLogNetsRules = 10
	// MaxBlockNetsRules is the maximum number of BlockNets Custom rules this tool will create, out of Azure's hard limit of 90 per Policy
	MaxBlockNetsRules = 40
	// MaxAllowNetsRules is the maximum number of AllowNets Custom rules this tool will create, out of Azure's hard limit of 90 per Policy
	// The three generated caps sum to 60, leaving 30 of the 90 slots for manually managed rules;
	// any change must keep the total (plus manual rules) within MaxCustomRules.
	MaxAllowNetsRules = 10
	// MaxIPMatchValues is Azure's hard limit on IPMatch values per rule. A network list larger than
	// MaxRules * MaxIPMatchValues cannot be expressed in full — check how GenCustomRulesFromIPNets
	// reports the overflow before relying on a long block list being applied completely.
	MaxIPMatchValues = 600

	// LogNetsPrefix is the prefix for Custom Rules used for logging IP networks
	LogNetsPrefix = "LogNets"
	// LogNetsPriorityStart is the first Custom rule priority number used for generated LogNets rules.
	// Manual log rules should be numbered below 1000
	LogNetsPriorityStart = 1000

	// AllowNetsPrefix is the prefix for Custom Rules used for allowing IP networks
	AllowNetsPrefix = "AllowNets"
	// AllowNetsPriorityStart is the first Custom rule priority number used for generated AllowNets rules.
	// Manual allow rules should be numbered 2000-2999
	AllowNetsPriorityStart = 3000

	// BlockNetsPriorityStart is the first Custom rule priority number used for generated BlockNets rules.
	// There is no BlockNetsPrefix constant to pair with LogNetsPrefix/AllowNetsPrefix; the block
	// prefix is presumably supplied by the caller through RuleNamePrefix — confirm before adding one.
	BlockNetsPriorityStart = 5000

	// MaxMatchValuesPerColumn is the number of match values to output per column when showing policies and rules
	MaxMatchValuesPerColumn = 3
	// MaxMatchValuesOutput is the maximum number of match values to output when showing policies and rules
	// (display truncation only; it does not limit what is pushed to Azure)
	MaxMatchValuesOutput = 9
)
// Azure limits, managed-rule exclusion scope names and the cache name for
// the resource-id hash map.
const (
	// Azure limits - https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-front-door-classic-limits
	// MaxConditionsPerCustomRule is Azure's hard limit on match conditions per Custom rule
	MaxConditionsPerCustomRule = 10

	// Scope values returned by GetAddManagedRuleExclusionProcessScope and
	// GetDeleteManagedRuleExclusionProcessScope. They describe how widely a managed-rule
	// exclusion applies: ScopeRuleSet covers every rule in the set, ScopeRuleGroup one group,
	// ScopeRule a single rule. Wider scope means more of the managed WAF is bypassed for the
	// excluded selector, so prefer ScopeRule unless a broader exclusion is genuinely required.
	ScopeRuleSet   = "ruleSet"
	ScopeRuleGroup = "ruleGroup"
	ScopeRule      = "rule"

	// WAFResourceIDHashMapName is the name under which the hash -> resource id map is cached
	// (see GetWAFResourceIDHashMap / SaveWAFResourceIDHashMap; the storage location is not visible here)
	WAFResourceIDHashMapName = "WAFResourceIDHashMap"
)

Variables

// ErrInvalidRuleType is the sentinel returned when a rule type is not one the
// package recognises. Callers should test for it with errors.Is rather than
// comparing error strings.
var ErrInvalidRuleType = errors.New("invalid rule type")
// ValidRuleExclusionMatchOperators are the selector operators accepted for a
// managed-rule exclusion (see NormaliseMatchOperator). Order is not
// significant. Security note: an exclusion stops the managed rules inspecting
// every request field whose name the operator matches, so the substring forms
// ("Contains", "StartsWith", "EndsWith") and "EqualsAny" (which, per Azure
// docs, matches any value) can switch off inspection for far more parameters
// than intended. Prefer "Equals" with an exact selector and review the
// resulting scope with ShowExclusions.
var ValidRuleExclusionMatchOperators = [5]string{
	"Contains", "EndsWith", "Equals", "EqualsAny", "StartsWith",
}
// ValidRuleExclusionMatchVariables are the request parts a managed-rule
// exclusion selector can refer to (see NormaliseMatchVariable). Order is not
// significant. Each names a *key* space — cookie, header, query-string, POST
// body or JSON body argument names — so an exclusion on, say,
// "RequestBodyPostArgNames" removes managed-rule inspection of the matching
// body fields; keep selectors as narrow as the application allows.
var ValidRuleExclusionMatchVariables = [5]string{
	"RequestCookieNames",
	"RequestHeaderNames",
	"QueryStringArgNames",
	"RequestBodyPostArgNames",
	"RequestBodyJsonArgNames",
}

Functions

func AddManagedRuleExclusion

func AddManagedRuleExclusion(cliInput *AddManagedRuleExclusionCLIInput) (err error)

func BackupPolicies

func BackupPolicies(in *BackupPoliciesInput) error

BackupPolicies retrieves policies within a subscription and writes them, with meta-data, to individual json files

func BackupPolicy

func BackupPolicy(p *WrappedPolicy, containerURL *azblob.ContainerURL, failFast, quiet bool, path string) (err error)

BackupPolicy takes a WrappedPolicy as input and creates a json file that can later be restored

func Confirm

func Confirm(item, request string) bool

func ConvertToResourceIDs

func ConvertToResourceIDs(ids []string, subID string) (rids []config.ResourceID, err error)

ConvertToResourceIDs accepts a slice of strings representing resource ids and/or hashes and returns a slice of matching resource ids

func CopyPolicy

CopyPolicy takes an instance of a policy and returns a duplicate

func CopyRules

func CopyRules(i CopyRulesInput) error

CopyRules copies managed and custom rules between policies with matching rule sets

func CustomRuleHasDefaultDeny

func CustomRuleHasDefaultDeny(c *armfrontdoor.CustomRule) (defaultDeny bool)

func DeleteCustomRulesCLI

func DeleteCustomRulesCLI(cliInput *DeleteCustomRulesCLIInput) (err error)

func DeleteCustomRulesPrefixes

func DeleteCustomRulesPrefixes(in DeleteCustomRulesPrefixesInput) (modified bool, err error)

func DeleteManagedRuleExclusion

func DeleteManagedRuleExclusion(dmreci *DeleteManagedRuleExclusionCLIInput) (err error)

func DisplayPolicyDiff

func DisplayPolicyDiff(original, latest interface{}) error

func DisplayStringDiffWithDiffTool

func DisplayStringDiffWithDiffTool(orig, updated string) error

func GenCustomRulesFromIPNets

func GenCustomRulesFromIPNets(in GenCustomRulesFromIPNetsInput) ([]*armfrontdoor.CustomRule, error)

GenCustomRulesFromIPNets accepts two lists of networks (positive matches and negative matches), the action to apply to them, and the maximum number of rules to create, and returns a slice of CustomRules. Because each rule holds at most MaxIPMatchValues addresses, a list larger than MaxRules × MaxIPMatchValues cannot be expressed in full; callers should check how the overflow is reported.

func GetAddManagedRuleExclusionProcessScope

func GetAddManagedRuleExclusionProcessScope(amrei AddManagedRuleExclusionInput) (scope string, err error)

GetAddManagedRuleExclusionProcessScope returns the scope (ScopeRuleSet, ScopeRuleGroup or ScopeRule) at which a Managed rule exclusion will be added.

func GetDeleteManagedRuleExclusionProcessScope

func GetDeleteManagedRuleExclusionProcessScope(input *DeleteManagedRuleExclusionInput) (scope string, err error)

GetDeleteManagedRuleExclusionProcessScope returns the scope (ScopeRuleSet, ScopeRuleGroup or ScopeRule) at which a Managed rule exclusion will be deleted.

func GetFrontDoorIDs

func GetFrontDoorIDs(s *session.Session, subID string) (ids []string, err error)

func GetFunctionName

func GetFunctionName() string

func GetPoliciesToRestore

func GetPoliciesToRestore(s *session.Session, policyBackups []WrappedPolicy, i *RestorePoliciesInput) (policiesToRestore []policyToRestore, err error)

func GetPolicyRIDByHash

func GetPolicyRIDByHash(s *session.Session, subID, hash string) (string, error)

func GetPolicyResourceIDByHash

func GetPolicyResourceIDByHash(s *session.Session, subID, hash string) (config.ResourceID, error)

func GetRawPolicy

func GetRawPolicy(s *session.Session, subscription, resourceGroup, name string) (*armfrontdoor.WebApplicationFirewallPolicy, error)

func GetRawPolicyCustomRuleByID

func GetRawPolicyCustomRuleByID(s *session.Session, policyID config.ResourceID, customRuleName string) (armfrontdoor.CustomRule, error)

GetRawPolicyCustomRuleByID returns a Custom rule matching the resource id. The id is an extended resource id: <Policy>|<Custom rule name>.

func GetWAFResourceIDFromCacheByHash

func GetWAFResourceIDFromCacheByHash(s *session.Session, hash string) (string, error)

func HasCustomRules

func HasCustomRules(p *armfrontdoor.WebApplicationFirewallPolicy) (ok bool, noRuleSets int)

func HasMatchingExclusions

func HasMatchingExclusions(one, two *armfrontdoor.ManagedRuleExclusion) bool

func HasRuleSets

func HasRuleSets(p *armfrontdoor.WebApplicationFirewallPolicy) (ok bool, noRuleSets int)

func HaveEqualRuleSets

func HaveEqualRuleSets(one, two *armfrontdoor.WebApplicationFirewallPolicy) bool

func Int32ToPointer

func Int32ToPointer(i int32) (p *int32)

func IsIPv4

func IsIPv4(address string) bool

func IsIPv6

func IsIPv6(address string) bool

func IsRIDHash

func IsRIDHash(s string) bool

func ListFrontDoors

func ListFrontDoors(subID string) error

func ListPolicies

func ListPolicies(in ListPoliciesInput) error

func MatchConditionHasDefaultUnknown

func MatchConditionHasDefaultUnknown(mc *armfrontdoor.MatchCondition) (result bool)

func MatchValuesHasMatchAll

func MatchValuesHasMatchAll(mvs []*string, matchVariable armfrontdoor.MatchVariable, operator armfrontdoor.Operator) (res bool)

func Normalise

func Normalise(iPrefixes []netip.Prefix) ([]netip.Prefix, error)

Normalise accepts a slice of netip.Prefix and returns a de-duplicated slice of prefixes (note the signature returns []netip.Prefix, not string representations).

func NormaliseMatchOperator

func NormaliseMatchOperator(mo string) (match bool, result armfrontdoor.ManagedRuleExclusionSelectorMatchOperator)

func NormaliseMatchVariable

func NormaliseMatchVariable(mr string) (match bool, result armfrontdoor.ManagedRuleExclusionMatchVariable)

func OutputManagedRuleExclusions

func OutputManagedRuleExclusions(in *OutputManagedRuleInput)

func OutputManagedRuleExclusionsTable

func OutputManagedRuleExclusionsTable(in *OutputManagedRuleExclusionsTableInput)

func OutputManagedRuleGroupExclusions

func OutputManagedRuleGroupExclusions(in *OutputManagedRuleInput)

func OutputManagedRuleSetExclusions

func OutputManagedRuleSetExclusions(in *OutputManagedRuleInput)

func OutputManagedRuleSetExclusionsTable

func OutputManagedRuleSetExclusionsTable(in *OutputManagedRuleExclusionsTableInput)

func OutputPolicy

func OutputPolicy(input OutputPolicyInput)

func OutputPolicyMetaData

func OutputPolicyMetaData(policy *armfrontdoor.WebApplicationFirewallPolicy)

func PadToWidth

func PadToWidth(input, char string, inputLengthOverride int, trimToWidth bool) (output string)

func PrintPolicy

func PrintPolicy(policyID, subscriptionID, configPath string) error

PrintPolicy outputs the raw json Policy with the provided resource id.

func PrintPolicyCustomRule

func PrintPolicyCustomRule(subscriptionID, extendedID, config string) error

PrintPolicyCustomRule outputs the Custom rule for a given resource. The id is an extended resource id: <Policy>|<Custom rule name>.

func ProcessPolicyChanges

func ProcessPolicyChanges(input *ProcessPolicyChangesInput) error

func PushPolicy

func PushPolicy(s *session.Session, i *PushPolicyInput) error

PushPolicy creates or updates a waf Policy with the provided Policy instance.

func RestorePolicies

func RestorePolicies(i *RestorePoliciesInput) (err error)

RestorePolicies loads existing backup(s) from files and then adds/overwrites based on user's choices

func SaveWAFResourceIDHashMap

func SaveWAFResourceIDHashMap(s *session.Session, res []resources.GenericResourceExpanded) error

func ShowExclusions

func ShowExclusions(in *ShowExclusionsCLIInput) error

func ShowManagedRuleExclusions

func ShowManagedRuleExclusions(ruleID string, policyID config.ResourceID) error

func ShowManagedRuleGroupExclusions

func ShowManagedRuleGroupExclusions(ruleGroup string, policyID config.ResourceID) error

func ShowManagedRuleSetExclusions

func ShowManagedRuleSetExclusions(ruleSetType, ruleSetVersion string, policyID config.ResourceID) error

func ShowPolicy

func ShowPolicy(in ShowPolicyInput) error

func TrimString

func TrimString(in string, maxLen int, suffix string) string

func ValidateResourceID

func ValidateResourceID(rawID string, extended bool) error

ValidateResourceID tokenises the raw id and checks that its format is valid. The 'extended' parameter indicates whether a pipe-separated value (such as a Custom rule name) follows the id.

func ValidateResourceIDs

func ValidateResourceIDs(ids []string) error

Types

type Action

// Action describes one configured operation: the action to apply, the target
// policy, the input paths to read networks from, a cap on generated rules and
// the resolved networks. Only ActionType, Paths and MaxRules declare explicit
// yaml keys; how Policy and Nets are populated is not visible here.
type Action struct {
	ActionType string `yaml:"action"`
	Policy     string
	Paths      []string `yaml:"paths"`
	// MaxRules bounds how many Custom rules this action may create (see Max*NetsRules)
	MaxRules   int      `yaml:"max-rules"`
	Nets       IPNets
}

type AddCustomRulesPrefixesInput

// AddCustomRulesPrefixesInput carries the inputs for adding prefix-named
// Custom rules built from IP networks to a policy.
// NOTE(review): SubscriptionID and DryRun are redeclared here and shadow the
// same-named fields of the embedded BaseCLIInput; a caller that sets
// BaseCLIInput.DryRun but reads the outer DryRun (or vice versa) gets the
// zero value. Use one consistently.
type AddCustomRulesPrefixesInput struct {
	BaseCLIInput
	Session        *session.Session
	Policy         *armfrontdoor.WebApplicationFirewallPolicy
	SubscriptionID string
	// RawResourceID is the id as supplied; ResourceID is its parsed form
	RawResourceID  string
	ResourceID     config.ResourceID
	// Action is the WAF action the generated rules will take (allow/block/log as Azure defines them)
	Action         armfrontdoor.ActionType
	Output         bool
	DryRun         bool
	Filepath       string
	// Addrs are the networks to place into the rules' IPMatch conditions
	Addrs          IPNets
	// RuleNamePrefix names the generated rules and PriorityStart is their first priority value
	// (see LogNetsPriorityStart / AllowNetsPriorityStart / BlockNetsPriorityStart)
	RuleNamePrefix RuleNamePrefix
	PriorityStart  int
	// StartRuleNumber int
	// MaxRules caps how many rules are generated
	MaxRules int
	// can be called from external so allow override
	LogLevel *logrus.Level
}

type AddManagedRuleExclusionCLIInput

// AddManagedRuleExclusionCLIInput is the raw CLI form of an add-exclusion
// request; ParseConfig converts it to an AddManagedRuleExclusionInput with
// the variable/operator strings normalised to their armfrontdoor types.
// NOTE(review): SubscriptionID shadows the embedded BaseCLIInput.SubscriptionID.
type AddManagedRuleExclusionCLIInput struct {
	BaseCLIInput
	ShowDiff              bool
	SubscriptionID        string
	PolicyID              string
	RID                   config.ResourceID
	// RuleSet, RuleGroup and RuleID narrow the exclusion; which of them are set
	// determines the scope (see ScopeRuleSet / ScopeRuleGroup / ScopeRule)
	RuleSet               string
	RuleGroup             string
	RuleID                string
	// Free-form strings; validated against ValidRuleExclusionMatchVariables and
	// ValidRuleExclusionMatchOperators during parsing
	ExclusionRuleVariable string
	ExclusionRuleOperator string
	ExclusionRuleSelector string
}

func (*AddManagedRuleExclusionCLIInput) ParseConfig

func (input *AddManagedRuleExclusionCLIInput) ParseConfig() (amrei *AddManagedRuleExclusionInput, err error)

type AddManagedRuleExclusionInput

// AddManagedRuleExclusionInput is the parsed, typed form of an exclusion to
// add. An exclusion removes the matching request fields from managed-rule
// inspection at the chosen scope, so it lowers WAF coverage; the Scope
// helper records how broad the change is and DryRun/ShowDiff allow it to be
// reviewed before the policy is pushed.
type AddManagedRuleExclusionInput struct {
	Session *session.Session
	// included for test injection only
	RuleSetDefinitions    []*armfrontdoor.ManagedRuleSetDefinition
	DryRun                bool
	// AutoBackup, when set, is presumably meant to back the policy up before the change — confirm in AddManagedRuleExclusion
	AutoBackup            bool
	RuleSets              []*armfrontdoor.ManagedRuleSet
	PolicyResourceID      config.ResourceID
	// Pointers so that "not specified" is distinguishable from an empty string
	RuleSetType           *string
	RuleSetVersion        *string
	RuleGroup             string
	RuleID                string
	ExclusionRuleVariable armfrontdoor.ManagedRuleExclusionMatchVariable
	ExclusionRuleOperator armfrontdoor.ManagedRuleExclusionSelectorMatchOperator
	// ExclusionRuleSelector is the key the operator is applied to (e.g. a header or argument name)
	ExclusionRuleSelector string
	Debug                 bool
	ShowDiff              bool
	AppVersion            string
	// helper attribute: used to assess scope of change
	Scope string
}

AddManagedRuleExclusionInput defines the exclusion to add to a managed rule set

type ApplyRemoveNetsInput

// ApplyRemoveNetsInput selects the networks to remove from Custom rules whose
// names carry MatchPrefix, optionally restricted by Action and RuleType.
// NOTE(review): DryRun shadows the embedded BaseCLIInput.DryRun.
type ApplyRemoveNetsInput struct {
	BaseCLIInput
	RID         config.ResourceID
	MatchPrefix RuleNamePrefix
	// Nil pointers presumably mean "any action" / "any rule type" — confirm in ApplyRemoveAddrs
	Action      *armfrontdoor.ActionType
	RuleType    *armfrontdoor.RuleType
	Output      bool
	DryRun      bool
	Filepath    string
	Addrs       IPNets
	MaxRules    int
	// can be called from external so allow override
	LogLevel *logrus.Level
}

type ApplyRemoveNetsResult

// ApplyRemoveNetsResult reports, for one requested prefix, whether it was
// removed from the named policy. Removed == false for a prefix that was
// requested is worth surfacing to the operator: the address is still matched.
type ApplyRemoveNetsResult struct {
	Addr     netip.Prefix
	PolicyID string
	Removed  bool
}

func ApplyRemoveAddrs

func ApplyRemoveAddrs(s *session.Session, input *ApplyRemoveNetsInput) ([]ApplyRemoveNetsResult, error)

ApplyRemoveAddrs removes selected networks from custom rules

func RemoveNets

func RemoveNets(input *RemoveNetsInput) ([]ApplyRemoveNetsResult, error)

RemoveNets removes selected networks from custom rules

type ApplyRemoveNetsResults

// ApplyRemoveNetsResults is a slice of ApplyRemoveNetsResult, one per requested prefix.
type ApplyRemoveNetsResults []ApplyRemoveNetsResult

type BackupPoliciesInput

// BackupPoliciesInput are the arguments provided to the BackupPolicies function.
// Backups are written either to a local Path or to a blob container.
type BackupPoliciesInput struct {
	BaseCLIInput
	Path                     string
	// RIDs are raw resource ids and/or hashes (see ConvertToResourceIDs); empty presumably means all policies
	RIDs                     []string
	StorageAccountResourceID string
	// ContainerURL is passed on to azblob. If it embeds a SAS token it is a credential:
	// keep it out of logs, error messages and shell history.
	ContainerURL             string
	// FailFast stops on the first policy that fails to back up instead of continuing
	FailFast                 bool
}

BackupPoliciesInput are the arguments provided to the BackupPolicies function.

func (*BackupPoliciesInput) Validate

func (in *BackupPoliciesInput) Validate() error

type BaseCLIInput

// BaseCLIInput holds the flags common to every CLI operation and is embedded
// by the *Input types below. NOTE(review): several embedding types redeclare
// SubscriptionID, DryRun, Debug, Quiet or AppVersion, which shadows the
// fields here; read the outer field consistently in those types.
type BaseCLIInput struct {
	AppVersion     string
	// AutoBackup requests a backup before a modifying operation — confirm each operation honours it
	AutoBackup     bool
	Debug          bool
	ConfigPath     string
	SubscriptionID string
	Quiet          bool
	// DryRun requests that changes be computed and shown but not pushed
	DryRun         bool
}

type BotRuleSetStatsOutput

// BotRuleSetStatsOutput summarises a bot-manager rule set for display: rule
// counts by enabled state and action, group count, and exclusion counts
// broken down by the scope they were applied at.
type BotRuleSetStatsOutput struct {
	// rule set
	RuleSetType    string
	RuleSetVersion string

	// rules
	Rules         int
	RulesEnabled  int
	RulesDisabled int
	BlockTotal    int
	AllowTotal    int
	LogTotal      int
	RedirectTotal int
	GroupCount    int

	// exclusions (a high RuleSetScopeExclusionsTotal is the broadest coverage reduction)
	RuleSetScopeExclusionsTotal   int
	RuleGroupScopeExclusionsTotal int
	RuleScopeExclusionsTotal      int
	TotalExclusions               int
}

type CopyRulesInput

// CopyRulesInput are the arguments provided to the CopyRules function, which
// copies managed and/or custom rules from Source to Target. Copying managed
// rules carries Source's exclusions and overrides onto Target, so Target's
// coverage can silently drop to Source's; use DryRun/ShowDiff first.
// NOTE(review): SubscriptionID, DryRun, Debug, Quiet and AppVersion all
// shadow the embedded BaseCLIInput fields.
type CopyRulesInput struct {
	BaseCLIInput
	SubscriptionID   string
	Source           string
	Target           string
	// CustomRulesOnly and ManagedRulesOnly are mutually exclusive; Validate presumably rejects both being set
	CustomRulesOnly  bool
	ManagedRulesOnly bool
	DryRun           bool
	ShowDiff         bool
	Debug            bool
	Async            bool
	Quiet            bool
	AppVersion       string
}

CopyRulesInput are the arguments provided to the CopyRules function.

func (*CopyRulesInput) Validate

func (c *CopyRulesInput) Validate() error

type DeleteCustomRulesCLIInput

// DeleteCustomRulesCLIInput is the raw CLI form of a delete-custom-rules
// request. Unlike the other *CLIInput types, BaseCLIInput is a named field
// here rather than embedded, so its flags are reached as
// input.BaseCLIInput.X and the local DryRun/ConfigPath/SubscriptionID/Debug
// are the ones in effect.
// Rules are selected by exact Name, a NameMatch regexp, and/or Priority. A
// loose regexp can match generated AllowNets/BlockNets rules as well as the
// intended ones — run with DryRun first.
type DeleteCustomRulesCLIInput struct {
	BaseCLIInput   BaseCLIInput
	SubscriptionID string
	PolicyID       string
	DryRun         bool
	ConfigPath     string
	RID            config.ResourceID
	Name           string
	NameMatch      *regexp.Regexp
	// Priority is a string here; ParseConfig converts it to the int + PrioritySet pair
	// in DeleteCustomRulesPrefixesInput
	Priority       string
	// MaxRules bounds how many rules a single invocation may delete
	MaxRules       int
	Debug          bool
}

func (*DeleteCustomRulesCLIInput) ParseConfig

func (input *DeleteCustomRulesCLIInput) ParseConfig() (output DeleteCustomRulesPrefixesInput, err error)

func (*DeleteCustomRulesCLIInput) ProcessCLIInput

func (input *DeleteCustomRulesCLIInput) ProcessCLIInput() (output DeleteCustomRulesPrefixesInput, err error)

type DeleteCustomRulesPrefixesInput

// DeleteCustomRulesPrefixesInput is the parsed form consumed by
// DeleteCustomRulesPrefixes. PrioritySet distinguishes "priority 0" from
// "no priority filter", since the zero int is a valid priority.
type DeleteCustomRulesPrefixesInput struct {
	Policy      *armfrontdoor.WebApplicationFirewallPolicy
	RID         config.ResourceID
	Name        string
	NameMatch   *regexp.Regexp
	Priority    int
	PrioritySet bool
	MaxRules    int
	Debug       bool
}

type DeleteManagedRuleExclusionCLIInput

// DeleteManagedRuleExclusionCLIInput is the raw CLI form of a
// delete-exclusion request; ParseConfig normalises it to a
// DeleteManagedRuleExclusionInput.
// NOTE(review): SubscriptionID and Debug shadow the embedded BaseCLIInput fields.
type DeleteManagedRuleExclusionCLIInput struct {
	BaseCLIInput
	SubscriptionID        string
	PolicyID              string
	RID                   config.ResourceID
	RuleSet               string
	RuleGroup             string
	RuleID                string
	ShowDiff              bool
	ExclusionRuleVariable string
	ExclusionRuleOperator string
	ExclusionRuleSelector string
	Debug                 bool
}

func (*DeleteManagedRuleExclusionCLIInput) ParseConfig

type DeleteManagedRuleExclusionInput

// DeleteManagedRuleExclusionInput identifies one exclusion to remove by its
// scope (rule set / group / rule) and its variable, operator and selector
// (compare HasMatchingExclusions). Removing an exclusion restores managed-rule
// inspection of the affected fields, which may start blocking traffic the
// exclusion was added for — ShowDiff/DryRun before pushing.
type DeleteManagedRuleExclusionInput struct {
	DryRun                bool
	RID                   config.ResourceID
	RuleSetType           *string
	RuleSetVersion        *string
	RuleGroup             string
	RuleID                string
	ShowDiff              bool
	ExclusionRuleVariable armfrontdoor.ManagedRuleExclusionMatchVariable
	ExclusionRuleOperator armfrontdoor.ManagedRuleExclusionSelectorMatchOperator
	ExclusionRuleSelector string
	Debug                 bool
	// helper attribute: used to assess scope of change
	Scope string
}

type FrontDoor

type FrontDoor struct {
	// contains filtered or unexported fields
}

func GetFrontDoorByID

func GetFrontDoorByID(s *session.Session, frontDoorID string) (FrontDoor, error)

GetFrontDoorByID returns a front door instance for the provided id. It includes endpoints with any associated waf Policies.

type FrontDoorEndpoint

type FrontDoorEndpoint struct {
	// contains filtered or unexported fields
}

type FrontDoors

// FrontDoors is a slice of FrontDoor, as returned by GetFrontDoors.
type FrontDoors []FrontDoor

func GetFrontDoors

func GetFrontDoors(s *session.Session, subID string) (frontDoors FrontDoors, err error)

type GenCustomRulesFromIPNetsInput

// GenCustomRulesFromIPNetsInput describes the Custom rules to generate:
// networks to match (PositiveMatchNets) and to exclude from the match
// (NegativeMatchNets), the rule type and action, an upper bound on rule
// count, and the name prefix / first priority for the generated rules.
// RateLimit* are only meaningful when RuleType is a rate-limit rule.
type GenCustomRulesFromIPNetsInput struct {
	PositiveMatchNets          IPNets
	NegativeMatchNets          IPNets
	RuleType                   *armfrontdoor.RuleType
	RateLimitDurationInMinutes *int32
	RateLimitThreshold         *int32
	Action                     *armfrontdoor.ActionType
	// MaxRules * MaxIPMatchValues bounds how many positive networks can be expressed
	MaxRules                   int
	CustomNamePrefix           RuleNamePrefix
	CustomPriorityStart        int
}

type GeneratePolicyPatchInput

// GeneratePolicyPatchInput pairs the policy before a change (Original, left
// as interface{} — presumably so a WrappedPolicy or a raw policy can both be
// passed) with the proposed policy (New) for diffing.
type GeneratePolicyPatchInput struct {
	Original interface{}
	New      armfrontdoor.WebApplicationFirewallPolicy
}

type GeneratePolicyPatchOutput

// GeneratePolicyPatchOutput counts the differences between two policies,
// split into custom-rule and managed-rule additions, changes, removals and
// replacements. A non-zero ManagedRuleRemovals or CustomRuleRemovals on a
// change that was only meant to add addresses is a sign the wrong policy or
// prefix was targeted.
type GeneratePolicyPatchOutput struct {
	TotalDifferences        int
	TotalRuleDifferences    int
	CustomRuleAdditions     int
	CustomRuleChanges       int
	CustomRuleRemovals      int
	CustomRuleReplacements  int
	ManagedRuleChanges      int
	ManagedRuleAdditions    int
	ManagedRuleRemovals     int
	ManagedRuleReplacements int
}

func UpdatePolicyCustomRulesIPMatchPrefixes

func UpdatePolicyCustomRulesIPMatchPrefixes(in UpdatePolicyCustomRulesIPMatchPrefixesInput) (bool, GeneratePolicyPatchOutput, error)

UpdatePolicyCustomRulesIPMatchPrefixes updates an existing Custom Policy with prefixes matching the requested action

type GetPolicyInput

// GetPolicyInput identifies the policy to fetch by parsed resource id.
type GetPolicyInput struct {
	Session *session.Session
	// CLIPolicyID    string
	PolicyID config.ResourceID
}

func (*GetPolicyInput) GetPolicy

func (input *GetPolicyInput) GetPolicy() (output GetPolicyOutput, err error)

type GetPolicyOutput

// GetPolicyOutput wraps the fetched policy.
type GetPolicyOutput struct {
	Policy *armfrontdoor.WebApplicationFirewallPolicy
}

type GetWAFPolicyResourceIDInput

// GetWAFPolicyResourceIDInput carries a user-supplied policy id (a full
// resource id or a hash, see IsRIDHash) to be resolved to a resource id.
type GetWAFPolicyResourceIDInput struct {
	SubscriptionID string
	RawPolicyID    string
	ConfigPath     string
}

type GetWrappedPoliciesInput

// GetWrappedPoliciesInput selects policies to fetch as WrappedPolicy values.
// Note the config path field is named Config here but ConfigPath elsewhere.
type GetWrappedPoliciesInput struct {
	SubscriptionID    string
	AppVersion        string
	Config            string
	// FilterResourceIDs restricts the result; empty presumably means all (up to Max)
	FilterResourceIDs []string
	// Max caps the number fetched (compare MaxPoliciesToFetch)
	Max               int
}

type GetWrappedPoliciesOutput

// GetWrappedPoliciesOutput holds the fetched policies with their metadata.
type GetWrappedPoliciesOutput struct {
	Policies []WrappedPolicy
}

type IPNets

// IPNets is a list of IP networks (netip.Prefix) used as rule match input;
// see Normalise for de-duplication before they are placed into rules.
type IPNets []netip.Prefix

type ListPoliciesInput

// ListPoliciesInput are the arguments to ListPolicies. Max caps the number
// listed and Full requests the expanded output.
type ListPoliciesInput struct {
	SubscriptionID, AppVersion string
	Max                        int
	Full                       bool
}

func (ListPoliciesInput) Validate

func (in ListPoliciesInput) Validate() error

type LogIPsInput

// LogIPsInput carries the networks to place into LogNets Custom rules for
// the policy identified by RID, bounded by MaxRules.
type LogIPsInput struct {
	RID      config.ResourceID
	Output   bool
	DryRun   bool
	Filepath string
	Nets     IPNets
	MaxRules int
	Debug    bool
}

type OutputManagedRuleExclusionsTableInput

type OutputManagedRuleExclusionsTableInput struct {
	// contains filtered or unexported fields
}

type OutputManagedRuleInput

// OutputManagedRuleInput gathers everything the OutputManagedRule*Exclusions
// display functions need: the policy and its metadata, the rule override
// being shown, the exclusions at group and set scope that also apply to it,
// and the Azure definitions used to label them.
type OutputManagedRuleInput struct {
	Policy                  *armfrontdoor.WebApplicationFirewallPolicy
	PolicyName              string
	PolicyType              string
	PolicyProvisioningState string
	PolicyResourceState     *armfrontdoor.PolicyResourceState
	PolicyEnabledState      string
	PolicySettingsMode      string
	Rule                    *armfrontdoor.ManagedRuleOverride
	RuleGroupExclusions     []*armfrontdoor.ManagedRuleExclusion
	RuleSetExclusions       []*armfrontdoor.ManagedRuleExclusion
	RuleSetDefinition       *armfrontdoor.ManagedRuleSetDefinition
	RuleGroupDefinition     *armfrontdoor.ManagedRuleGroupDefinition
	RuleDefinition          *armfrontdoor.ManagedRuleDefinition
}

type OutputPolicyInput

type OutputPolicyInput struct {
	// contains filtered or unexported fields
}

type ProcessPolicyChangesInput

// ProcessPolicyChangesInput carries a proposed policy (PolicyPostChange)
// together with the options that control how it is applied: show a diff,
// stop before pushing (DryRun) or back up the live policy first (Backup).
type ProcessPolicyChangesInput struct {
	Session          *session.Session
	PolicyName       string
	SubscriptionID   string
	ResourceGroup    string
	PolicyPostChange armfrontdoor.WebApplicationFirewallPolicy
	ShowDiff         bool
	DryRun           bool
	Backup           bool
	Debug            bool
}

type PushPolicyInput

// PushPolicyInput defines the input for the pushPolicy function. Policy is
// the full desired state; PushPolicy creates or updates the named policy
// to match it.
type PushPolicyInput struct {
	Name          string
	Subscription  string
	ResourceGroup string
	Policy        armfrontdoor.WebApplicationFirewallPolicy
	Debug         bool
	// Timeout's unit is not stated here; compare the untyped PushPolicyTimeout constant (120)
	Timeout       int64
	// Async returns without waiting for the operation to complete
	Async         bool
}

PushPolicyInput defines the input for the pushPolicy function

type RemoveNetsInput

// RemoveNetsInput carries the networks to remove from Custom rules named
// with MatchPrefix, optionally limited to rules with a given Action.
// Note Nets is a plain []netip.Prefix here whereas the sibling input types
// use IPNets; the underlying type is the same.
type RemoveNetsInput struct {
	BaseCLIInput
	Session       *session.Session
	RawResourceID string
	MatchPrefix   RuleNamePrefix
	ResourceID    config.ResourceID
	Action        *armfrontdoor.ActionType
	Filepath      string
	Nets          []netip.Prefix
	MaxRules      int
	// can be called from external so allow override
	LogLevel *logrus.Level
}

type RestorePoliciesInput

// RestorePoliciesInput are the arguments to RestorePolicies, which loads
// backups from BackupsPaths and overwrites live policies with them. A
// restore replaces whatever is currently deployed (custom and/or managed
// rules, per the *Only flags), so a stale backup can silently reintroduce
// removed allow-list entries or exclusions; ShowDiff before confirming.
type RestorePoliciesInput struct {
	BaseCLIInput
	BackupsPaths     []string
	CustomRulesOnly  bool
	ManagedRulesOnly bool
	// TargetPolicy/ResourceGroup redirect the restore to a policy other than the backup's origin
	TargetPolicy     string
	ResourceGroup    string
	RIDs             []config.ResourceID
	ShowDiff         bool
	// Force presumably skips the interactive confirmation (see Confirm) — verify before using in automation
	Force            bool
	FailFast         bool
}

func (*RestorePoliciesInput) Validate

func (i *RestorePoliciesInput) Validate() error

type RuleNamePrefix

// RuleNamePrefix is the name prefix shared by a family of generated Custom
// rules (e.g. LogNetsPrefix, AllowNetsPrefix); Check validates it.
type RuleNamePrefix string

func (RuleNamePrefix) Check

func (r RuleNamePrefix) Check() error

type RuleSetStatsOutput

// RuleSetStatsOutput summarises a managed rule set for display: rule counts
// by enabled state and action, how many rules have their default
// enabled-state or action overridden, group count, and exclusion counts by
// the scope they were applied at. (Field names keep the existing
// "Overidden" spelling for compatibility.)
type RuleSetStatsOutput struct {
	// rule set
	RuleSetType    string
	RuleSetVersion string

	// rules
	Rules                             int
	RulesEnabled                      int
	RulesDisabled                     int
	RulesDefaultEnabledStateOveridden int
	RulesDefaultActionOveridden       int
	BlockTotal                        int
	AllowTotal                        int
	LogTotal                          int
	RedirectTotal                     int
	GroupCount                        int

	// exclusions (a high RuleSetScopeExclusionsTotal is the broadest coverage reduction)
	RuleSetScopeExclusionsTotal   int
	RuleGroupScopeExclusionsTotal int
	RuleScopeExclusionsTotal      int
	TotalExclusions               int
}

type ShowExclusionsCLIInput

// ShowExclusionsCLIInput selects which managed-rule exclusions to show,
// narrowed by RuleSet, RuleGroup and/or RuleID. The meaning of Shadows is
// not visible here. NOTE(review): SubscriptionID shadows the embedded
// BaseCLIInput.SubscriptionID.
type ShowExclusionsCLIInput struct {
	BaseCLIInput
	SubscriptionID string
	PolicyID       string
	RuleSet        string
	RuleGroup      string
	RuleID         string
	Shadows        bool
}

func (*ShowExclusionsCLIInput) Validate

func (input *ShowExclusionsCLIInput) Validate() error

type ShowPolicyInput

// ShowPolicyInput are the arguments to ShowPolicy; the bool flags select
// which parts (full, custom rules, managed rules, stats, shadows) to print.
type ShowPolicyInput struct {
	ConfigPath, SubscriptionID, PolicyID  string
	Full, Custom, Managed, Stats, Shadows bool
}

func (*ShowPolicyInput) Validate

func (in *ShowPolicyInput) Validate() error

type UpdatePolicyCustomRulesIPMatchPrefixesInput

// UpdatePolicyCustomRulesIPMatchPrefixesInput carries the networks to apply
// to a policy's prefix-named Custom rules for a given Action. Addrs are
// matched positively and ExcludedAddrs negatively (compare
// GenCustomRulesFromIPNetsInput.NegativeMatchNets). RateLimit* apply only
// to rate-limit RuleTypes.
// NOTE(review): SubscriptionID shadows the embedded BaseCLIInput.SubscriptionID.
type UpdatePolicyCustomRulesIPMatchPrefixesInput struct {
	BaseCLIInput
	Policy                     *armfrontdoor.WebApplicationFirewallPolicy
	SubscriptionID             string
	RawResourceID              string
	ResourceID                 config.ResourceID
	Action                     *armfrontdoor.ActionType
	Output                     bool
	Filepath                   string
	Addrs                      IPNets
	ExcludedAddrs              IPNets
	RuleNamePrefix             RuleNamePrefix
	RuleType                   *armfrontdoor.RuleType
	RateLimitDurationInMinutes *int32
	RateLimitThreshold         *int32
	// PriorityStart is the first priority for generated rules; keep it in the band for the
	// action (LogNets 1000+, AllowNets 3000+, BlockNets 5000+) so evaluation order is preserved
	PriorityStart              int
	// StartRuleNumber int
	MaxRules int
	// can be called from external so allow override
	LogLevel *logrus.Level
}

type WAFResourceIDHashMap

// WAFResourceIDHashMap is the cached mapping from short hashes to full
// policy resource ids (see GetPolicyRIDByHash / IsRIDHash). Because a hash
// is resolved from this cache rather than from Azure, a stale cache can
// direct a change at the wrong policy; where the cache is stored, and
// whether it is refreshed before use, is not visible here.
type WAFResourceIDHashMap struct {
	Entries []WAFResourceIDHashMapEntry
}

func GetWAFResourceIDHashMap

func GetWAFResourceIDHashMap(s *session.Session) (hashMap WAFResourceIDHashMap, err error)

type WAFResourceIDHashMapEntry

// WAFResourceIDHashMapEntry pairs one hash with the resource id it abbreviates.
type WAFResourceIDHashMapEntry struct {
	Hash       string
	ResourceID string
}

type WrappedManagedRuleSet

// WrappedManagedRuleSet is a managed rule set together with where it came
// from (subscription, resource group, policy) and when / by which version
// of this tool it was captured.
type WrappedManagedRuleSet struct {
	Date           time.Time
	SubscriptionID string
	ResourceGroup  string
	Name           string
	ManagedRuleSet armfrontdoor.ManagedRuleSet
	PolicyID       string
	AppVersion     string
}

type WrappedPolicy

// WrappedPolicy is a full WAF policy with its provenance, and is the unit
// written by BackupPolicy and read back by LoadWrappedPolicyFromFile. The
// backup file contains the entire policy, including any allow/block IP
// lists and managed-rule exclusions, so it is security-relevant
// configuration: store it with the same care as the live policy. Date and
// AppVersion allow a restore to detect a stale or cross-version backup,
// though whether RestorePolicies checks them is not visible here.
type WrappedPolicy struct {
	Date           time.Time
	SubscriptionID string
	ResourceGroup  string
	Name           string
	Policy         armfrontdoor.WebApplicationFirewallPolicy
	// PolicyID is the resource id the backup was taken from (see MatchExistingPolicyByID)
	PolicyID       string
	AppVersion     string
}

func CopyWrappedPolicy

func CopyWrappedPolicy(original *WrappedPolicy) (*WrappedPolicy, error)

CopyWrappedPolicy takes an instance of a wrapped policy and returns a duplicate

func GeneratePolicyToRestore

func GeneratePolicyToRestore(existing, backup *WrappedPolicy, i *RestorePoliciesInput) WrappedPolicy

GeneratePolicyToRestore accepts two policies (the existing one and the backup) plus options selecting which parts — Custom rules, Managed rules, or both — to replace. With no option set, both the Custom and Managed rule sections of the existing policy are replaced with those from the backup; with CustomRulesOnly or ManagedRulesOnly, only that section is replaced.

func LoadBackupsFromPath

func LoadBackupsFromPath(path string) ([]WrappedPolicy, error)

func LoadBackupsFromPaths

func LoadBackupsFromPaths(paths []string) ([]WrappedPolicy, error)

func LoadWrappedPolicyFromFile

func LoadWrappedPolicyFromFile(f string) (WrappedPolicy, error)

func MatchExistingPolicyByID

func MatchExistingPolicyByID(targetPolicyID string, existingPolicies []WrappedPolicy) (bool, WrappedPolicy)

MatchExistingPolicyByID returns the raw Policy matched by the Policy id of its origin, e.g. where the backup was from
