#!/usr/bin/env python2
# coding=utf-8
"""
version 1.0
Script to enable deny rule group on all WAF mappings
"""
import urllib2
import ssl
import json
import os
import sys
from argparse import ArgumentParser
from cookielib import CookieJar
from signal import *
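API_KEY_FILE = "./api_key"
# argparse's own -h/--help is disabled because -h is used for the WAF hostname
parser = ArgumentParser(add_help=False)
parser.add_argument("-h", dest="host", metavar="<WAF hostname>",
                    required=True, help="Airlock WAF hostname")
parser.add_argument("-g", dest="deny_rule_group_id",
                    required=True, help="Deny Rule Group ID")
parser.add_argument("-a", choices=['enable', 'disable'], dest="action",
                    default='enable', help="Enable or disable Deny Rule Group")
args = parser.parse_args()
TARGET_WAF = "https://{}".format(args.host)
CONFIG_COMMENT = "Script: {} deny rule group {} for all mappings.".format(args.action, args.deny_rule_group_id)
# The bearer token is read from a file next to the script; keep that file
# readable only by the user running this script. The handle is closed
# via `with` instead of being left to the garbage collector, and a missing
# or empty key file is reported before any request is sent.
try:
    with open(API_KEY_FILE, 'r') as key_file:
        api_key = key_file.read().strip()
except IOError as err:
    sys.exit("Cannot read API key file {}: {}".format(API_KEY_FILE, err))
if not api_key:
    sys.exit("API key file {} is empty".format(API_KEY_FILE))
DEFAULT_HEADERS = {"Accept": "application/json",
                   "Content-Type": "application/json",
                   "Authorization": "Bearer {}".format(api_key)}
# we need a cookie store: the opener used by send_request() keeps cookies
# across calls
cj = CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
# TLS note: unless PYTHONHTTPSVERIFY is set to a non-empty value, certificate
# verification is switched off for every HTTPS connection in this process
# (private ssl API, guarded by getattr because older 2.7 releases lack it).
# The bearer token in DEFAULT_HEADERS is then sent to whatever answers at
# TARGET_WAF, so prefer exporting PYTHONHTTPSVERIFY=1 and trusting the
# management interface's CA over relying on this fallback.
if (not os.environ.get('PYTHONHTTPSVERIFY', '') and
        getattr(ssl, '_create_unverified_context', None)):
    ssl._create_default_https_context = ssl._create_unverified_context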
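# method to send REST calls
def send_request(method, path, body=''):
    """Send one REST call to the WAF and return the raw response body.

    method: HTTP verb to use; it is forced via get_method because urllib2
        would otherwise choose GET/POST from the presence of a body.
    path: path relative to TARGET_WAF + "/airlock/rest/".
    body: request body; the default empty string is passed through as-is.
    Returns the response body exactly as read from the server.
    Raises urllib2.URLError (including urllib2.HTTPError for non-2xx
    responses) when the call fails.
    """
    req = urllib2.Request(TARGET_WAF + "/airlock/rest/" + path,
                          body, DEFAULT_HEADERS)
    req.get_method = lambda: method
    response = opener.open(req)
    try:
        return response.read()
    finally:
        # release the connection even when read() raises
        response.close()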
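def terminate_and_exit(text):
    """Terminate the WAF REST session, then exit the process.

    text: handed to sys.exit(); 0 means success, a string is printed to
        stderr by sys.exit and gives exit status 1.
    A failed session/terminate call is reported on stderr but does not
    prevent the exit, so the caller's status and message are preserved
    (urllib2 errors are IOError subclasses in Python 2).
    """
    try:
        send_request("POST", "session/terminate")
    except IOError as err:
        sys.stderr.write("Could not terminate WAF session: {}\n".format(err))
    sys.exit(text)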
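# signal handler
def cleanup(signum, frame):
    """Close the WAF session and exit when the process receives a signal.

    signum, frame: standard signal-handler arguments; neither is used.
    """
    terminate_and_exit("Terminate session")
# register the handlers before the session exists, so a signal arriving
# right after session/create cannot leave the session open on the WAF
for sig in (SIGABRT, SIGILL, SIGINT, SIGSEGV, SIGTERM):
    signal(sig, cleanup)
# create session; every later REST call runs inside it until
# terminate_and_exit() closes it
send_request("POST", "session/create")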
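# get active config id
resp = json.loads(send_request("GET", "configuration/configurations"))
active_ids = [x["id"] for x in resp["data"]
              if x['attributes']["configType"] == "CURRENTLY_ACTIVE"]
if not active_ids:
    # nothing to load; close the session instead of failing with IndexError
    terminate_and_exit("No CURRENTLY_ACTIVE configuration found")
config_id = active_ids[0]
# load active config
send_request("POST", "configuration/configurations/{}/load".format(config_id))
# get all mappings
response = json.loads(send_request("GET", "configuration/mappings"))
mapping_ids = [x['id'] for x in response['data']]
if not mapping_ids:
    # nothing to patch; the parser defines no mapping argument, so report
    # the empty result rather than a specific mapping name
    terminate_and_exit("No mappings found in the active configuration")
disable_deny_rule_group = args.action != "enable"
# the usage document is identical for every mapping, so serialise it once
data = {
    "meta": {
        "type": "jsonapi.metadata.document"
    },
    "data": {
        "type": "deny-rule-group-usage",
        "attributes": {
            "disable": disable_deny_rule_group
        }
    }
}
body = json.dumps(data)
for mapping_id in mapping_ids:
    # patch the config: one usage update per mapping
    send_request("POST", "configuration/mappings/{}/deny-rule-groups/{}"
                 .format(mapping_id, args.deny_rule_group_id), body)
# activate config; CONFIG_COMMENT records the action and group id with the
# activation so the change can be traced later
data = {"comment": CONFIG_COMMENT}
send_request("POST", "configuration/configurations/activate", json.dumps(data))
terminate_and_exit(0)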