-
Notifications
You must be signed in to change notification settings - Fork 1
/
set_json_exception_for_TI_001d.py
executable file
·143 lines (112 loc) · 4.39 KB
/
set_json_exception_for_TI_001d.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
#!/usr/bin/env python2
# coding=utf-8
"""
version 1.1
Adds JSON parameter name exception for Deny Rule TI_001d
Save a valid REST API key into the file "api_key" in the
current directory.
"""
import urllib2
import ssl
import json
import os
import sys
import re
from argparse import ArgumentParser
from cookielib import CookieJar
from signal import *
API_KEY_FILE = "./api_key"
# this exception pattern will be altered by the REST backend
# with ^...$ prefix/suffix before it is written to the config
PATTERN = '(?!.*\${)\#json\#.*'
parser = ArgumentParser(add_help=True)
parser.add_argument("-n", dest="host", metavar="<airlock host>",
required=True,
help="Airlock Gateway hostname")
group_action = parser.add_mutually_exclusive_group(required=True)
group_action.add_argument("-m", dest="mapping", metavar="<mapping name>",
help="activate exception on a single mapping")
group_action.add_argument("-a", dest="allmappings", action='store_true',
help="activate exception on all mappings")
group_action.add_argument("-p", dest="mapping_pattern", metavar="<mapping pattern>",
help="activate exception on mappings matching pattern")
# TI_001d rule
deny_rule_group_id = -30028
deny_rule_id = -2202
args = parser.parse_args()
TARGET_WAF = "https://{}".format(args.host)
CONFIG_COMMENT = "Script: add JSON parameter name exception for Deny Rule TI_001d"
api_key = open(API_KEY_FILE, 'r').read().strip()
DEFAULT_HEADERS = {"Accept": "application/json",
"Content-Type": "application/json",
"Authorization": "Bearer {}".format(api_key)}
# we need a cookie store
cj = CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
# if you have configured an invalid SSL cert on the WAF management interface
if (not os.environ.get('PYTHONHTTPSVERIFY', '') and
getattr(ssl, '_create_unverified_context', None)):
ssl._create_default_https_context = ssl._create_unverified_context
# method to send REST calls
def send_request(method, path, body={}):
req = urllib2.Request(TARGET_WAF + "/airlock/rest/" + path,
body, DEFAULT_HEADERS)
req.get_method = lambda: method
r = opener.open(req)
return r.read()
def terminate_and_exit(text):
send_request("POST", "session/terminate")
sys.exit(text)
# create session
send_request("POST", "session/create")
# signal handler
def cleanup(signum, frame):
terminate_and_exit("Terminate session")
for sig in (SIGABRT, SIGILL, SIGINT, SIGSEGV, SIGTERM):
signal(sig, cleanup)
# get active config id
resp = json.loads(send_request("GET", "configuration/configurations"))
id = [x["id"] for x in resp["data"]
if(x['attributes']["configType"] == "CURRENTLY_ACTIVE")][0]
# load active config
send_request("POST", "configuration/configurations/{}/load".format(id))
response = json.loads(send_request("GET", "configuration/mappings"))
mapping_ids = []
mapping_names = []
if args.allmappings:
# get all mappings
mapping_ids = [x['id'] for x in response['data']]
elif args.mapping:
# get mapping with correct name
mapping_ids = [x['id'] for x in response['data']
if(x['attributes']['name'] == args.mapping)]
elif args.mapping_pattern:
# get mappings matching pattern
for x in response['data']:
if(re.match(args.mapping_pattern, x['attributes']['name'])):
mapping_names.append(x['attributes']['name'])
mapping_ids.append(x['id'])
print("Modifying mappings: {}".format(",".join(mapping_names)))
if (raw_input("Are you sure? (y/n): ") != "y"):
terminate_and_exit(0)
if not mapping_ids:
terminate_and_exit("Mapping '{}' not found".format(args.mapping))
for mapping_id in mapping_ids:
data = {
"meta": {
"type": "jsonapi.metadata.document"
},
"data": {
"type": "deny-rule-exception",
"attributes": {
"parameternamepattern": PATTERN
}
}
}
# patch the config
send_request("POST", "configuration/mappings/{}/deny-rule-groups/{}/deny-rules/{}/exception"
.format(mapping_id, deny_rule_group_id, deny_rule_id), json.dumps(data))
# activate config
data = {"comment": CONFIG_COMMENT}
send_request("POST", "configuration/configurations/activate", json.dumps(data))
terminate_and_exit(0)