Merge pull request #59 from louishourcade/feature/add-WAF-rules
Feature/add waf rules
dlpzx authored Jun 27, 2022
2 parents c758df9 + 052b87d commit 43a3700
Showing 9 changed files with 170 additions and 18 deletions.
2 changes: 1 addition & 1 deletion backend/local.graphql.server.py
Original file line number Diff line number Diff line change
Expand Up @@ -55,7 +55,7 @@ def request_context(headers, mock=False):
if not headers.get('Authorization'):
raise Exception('Missing Authorization header')
try:
decoded = jwt.decode(headers.get('Authorization'), verify=False)
decoded = jwt.decode(headers.get('Authorization'), options={"verify_signature": False})
username = decoded.get('email', 'anonymous')
groups = []
saml_groups = decoded.get('custom:saml.groups', [])
Expand Down
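Review bot: The new call still decodes the bearer token with no verification at all (`options={"verify_signature": False}`), and the lines right below build `username` and the SAML group list from those unverified claims, so whoever can reach this server can assert any email and any group. That is presumably acceptable only because this is the local development server, but nothing on the line says so; I would add above the `try`: `# Local dev only: the JWT is decoded WITHOUT signature or claim verification, so identity and groups are caller-controlled. Never reuse this context builder outside local.graphql.server.py.` With PyJWT 2.x, which the `options=` form targets, turning off `verify_signature` also disables the exp/aud/iss checks unless they are re-enabled explicitly, so expired tokens are accepted as well. `request_context` continues beyond the hunk.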
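--- a/cdk.json
+++ b/cdk.json
@@ -24,6 +24,10 @@
 "hosted_zone_name": "string_ROUTE_53_EXISTING_DOMAIN_NAME|DEFAULT=None, REQUIRED if internet_facing=false",
 "hosted_zone_id": "string_ROUTE_53_EXISTING_HOSTED_ZONE_ID|DEFAULT=None, REQUIRED if internet_facing=false"
 },
+"custom_waf_rules": {
+"allowed_geo_list": "list_of_strings_COUNTRIES_CODE_ALLOWED_THROUGH_WAF_RULE",
+"allowed_ip_list": "list_of_strings_IP_ADDRESSES_ALLOWED_THROUGH_WAF_RULE"
+},
 "ip_ranges": "list_of_strings_IP_RANGES_TO_ALLOW_IF_NOT_INTERNET_FACING|DEFAULT=None",
 "apig_vpce": "string_USE_AN_EXISTING_VPCE_FOR_APIG_IF_NOT_INTERNET_FACING|DEFAULT=None",
 "prod_sizing": "boolean_SET_INFRA_SIZING_TO_PROD_VALUES_IF_TRUE|DEFAULT=true",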
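Review bot: The two new placeholders omit the `|DEFAULT=...` annotation every sibling key carries, and they do not tell the operator the format the WAF actually accepts: geo codes must be ISO 3166-1 alpha-2 and the IP entries must be CIDRs (a bare `1.2.3.4` is rejected at deploy time). Since both rules are allow-lists that block everything else, the description should also warn that setting either one turns the distribution into a closed list. I would write `"allowed_geo_list": "list_of_strings_ISO_3166_ALPHA2_COUNTRY_CODES_ALLOWED_THROUGH_WAF_RULE|DEFAULT=None, all other countries blocked"` and `"allowed_ip_list": "list_of_strings_IPV4_CIDRS_ALLOWED_THROUGH_WAF_RULE|DEFAULT=None, all other source IPs blocked"`.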
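--- a/deploy/stacks/backend_stack.py
+++ b/deploy/stacks/backend_stack.py
@@ -34,6 +34,7 @@ def __init__(
 vpc_endpoints_sg=None,
 internet_facing=True,
 custom_domain=None,
+custom_waf_rules=None,
 ip_ranges=None,
 apig_vpce=None,
 prod_sizing=False,
@@ -116,6 +117,7 @@ def __init__(
 image_tag=image_tag,
 ecr_repository=repo,
 internet_facing=internet_facing,
+custom_waf_rules=custom_waf_rules,
 ip_ranges=ip_ranges,
 apig_vpce=apig_vpce,
 prod_sizing=prod_sizing,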
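--- a/deploy/stacks/backend_stage.py
+++ b/deploy/stacks/backend_stage.py
@@ -20,6 +20,7 @@ def __init__(
 vpc_endpoints_sg=None,
 internet_facing=True,
 custom_domain=None,
+custom_waf_rules=None,
 ip_ranges=None,
 apig_vpce=None,
 prod_sizing=False,
@@ -42,6 +43,7 @@ def __init__(
 vpc_endpoints_sg=vpc_endpoints_sg,
 internet_facing=internet_facing,
 custom_domain=custom_domain,
+custom_waf_rules=custom_waf_rules,
 ip_ranges=ip_ranges,
 apig_vpce=apig_vpce,
 prod_sizing=prod_sizing,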
82 changes: 75 additions & 7 deletions deploy/stacks/cloudfront.py
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,6 @@
from .pyNestedStack import pyNestedClass
from .solution_bundling import SolutionBundling


class CloudfrontDistro(pyNestedClass):
def __init__(
self,
Expand All @@ -30,11 +29,74 @@ def __init__(
resource_prefix='dataall',
auth_at_edge=None,
custom_domain=None,
custom_waf_rules=None,
tooling_account_id=None,
**kwargs,
):
super().__init__(scope, id, **kwargs)

# Create IP set if IP filtering enabled
ip_set_cloudfront=None
if custom_waf_rules and custom_waf_rules.get("allowed_ip_list"):
ip_set_cloudfront = wafv2.CfnIPSet(
self,
"DataallCloudfrontIPSet",
name=f"{resource_prefix}-{envname}-ipset-cloudfront",
description=f"IP addresses to allow for Dataall {envname}",
addresses=custom_waf_rules.get("allowed_ip_list"),
ip_address_version="IPV4",
scope="CLOUDFRONT"
)

waf_rules = []
priority = 0
if custom_waf_rules:
if custom_waf_rules.get("allowed_geo_list"):
waf_rules.append(
wafv2.CfnWebACL.RuleProperty(
name='GeoMatch',
statement=wafv2.CfnWebACL.StatementProperty(
not_statement=wafv2.CfnWebACL.NotStatementProperty(
statement=wafv2.CfnWebACL.StatementProperty(
geo_match_statement=wafv2.CfnWebACL.GeoMatchStatementProperty(
country_codes=custom_waf_rules.get("allowed_geo_list")
)
)
)
),
action=wafv2.CfnWebACL.RuleActionProperty(block={}),
visibility_config=wafv2.CfnWebACL.VisibilityConfigProperty(
sampled_requests_enabled=True,
cloud_watch_metrics_enabled=True,
metric_name='GeoMatch',
),
priority=priority,
)
)
priority += 1
if custom_waf_rules.get("allowed_ip_list"):
waf_rules.append(
wafv2.CfnWebACL.RuleProperty(
name='IPMatch',
statement=wafv2.CfnWebACL.StatementProperty(
not_statement=wafv2.CfnWebACL.NotStatementProperty(
statement=wafv2.CfnWebACL.StatementProperty(
ip_set_reference_statement={
"arn" : ip_set_cloudfront.attr_arn
}
)
)
),
action=wafv2.CfnWebACL.RuleActionProperty(block={}),
visibility_config=wafv2.CfnWebACL.VisibilityConfigProperty(
sampled_requests_enabled=True,
cloud_watch_metrics_enabled=True,
metric_name='IPMatch',
),
priority=priority,
)
)
priority += 1
waf_rules.append(
wafv2.CfnWebACL.RuleProperty(
name='AWS-AWSManagedRulesAdminProtectionRuleSet',
Expand All @@ -48,10 +110,11 @@ def __init__(
cloud_watch_metrics_enabled=True,
metric_name='AWS-AWSManagedRulesAdminProtectionRuleSet',
),
priority=0,
priority=priority,
override_action=wafv2.CfnWebACL.OverrideActionProperty(none={}),
)
)
priority += 1
waf_rules.append(
wafv2.CfnWebACL.RuleProperty(
name='AWS-AWSManagedRulesAmazonIpReputationList',
Expand All @@ -65,10 +128,11 @@ def __init__(
cloud_watch_metrics_enabled=True,
metric_name='AWS-AWSManagedRulesAmazonIpReputationList',
),
priority=1,
priority=priority,
override_action=wafv2.CfnWebACL.OverrideActionProperty(none={}),
)
)
priority += 1
waf_rules.append(
wafv2.CfnWebACL.RuleProperty(
name='AWS-AWSManagedRulesCommonRuleSet',
Expand All @@ -82,10 +146,11 @@ def __init__(
cloud_watch_metrics_enabled=True,
metric_name='AWS-AWSManagedRulesCommonRuleSet',
),
priority=2,
priority=priority,
override_action=wafv2.CfnWebACL.OverrideActionProperty(none={}),
)
)
priority += 1
waf_rules.append(
wafv2.CfnWebACL.RuleProperty(
name='AWS-AWSManagedRulesKnownBadInputsRuleSet',
Expand All @@ -99,10 +164,11 @@ def __init__(
cloud_watch_metrics_enabled=True,
metric_name='AWS-AWSManagedRulesKnownBadInputsRuleSet',
),
priority=3,
priority=priority,
override_action=wafv2.CfnWebACL.OverrideActionProperty(none={}),
)
)
priority += 1
waf_rules.append(
wafv2.CfnWebACL.RuleProperty(
name='AWS-AWSManagedRulesLinuxRuleSet',
Expand All @@ -116,10 +182,11 @@ def __init__(
cloud_watch_metrics_enabled=True,
metric_name='AWS-AWSManagedRulesLinuxRuleSet',
),
priority=4,
priority=priority,
override_action=wafv2.CfnWebACL.OverrideActionProperty(none={}),
)
)
priority += 1
waf_rules.append(
wafv2.CfnWebACL.RuleProperty(
name='AWS-AWSManagedRulesSQLiRuleSet',
Expand All @@ -133,10 +200,11 @@ def __init__(
cloud_watch_metrics_enabled=True,
metric_name='AWS-AWSManagedRulesSQLiRuleSet',
),
priority=5,
priority=priority,
override_action=wafv2.CfnWebACL.OverrideActionProperty(none={}),
)
)

acl = wafv2.CfnWebACL(
self,
'ACL-Cloudfront',
Expand Down
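Review bot: The IP allow-list set is created with `ip_address_version="IPV4"` while the IPMatch rule blocks everything not in the set, so the moment `allowed_ip_list` is configured every IPv6 client is rejected outright; if that is the intent it should be documented, otherwise create a second IPV6 set and OR the two reference statements inside the not-statement. WAFv2 IP sets also only accept CIDR notation, which the code neither documents nor validates, so a bare address surfaces as a deploy-time CloudFormation error rather than a clear message. I would add above the `CfnIPSet`: `# Allow-list: any request whose source IP is not in this set is blocked by the IPMatch rule below.` and `# IPv4-only set, so IPv6 clients are blocked whenever allowed_ip_list is configured; entries must be CIDRs (e.g. 1.2.3.4/32).` Minor style: `ip_set_cloudfront=None` and `"arn" : ` do not match the file's spacing, and `custom_waf_rules.get("allowed_ip_list")` is evaluated three times where one local would do. The `__init__` body continues past the hunk; the `CfnWebACL` that consumes `waf_rules` is cut off at `acl = wafv2.CfnWebACL(`.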
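--- a/deploy/stacks/cloudfront_stack.py
+++ b/deploy/stacks/cloudfront_stack.py
@@ -14,6 +14,7 @@ def __init__(
 resource_prefix='dataall',
 tooling_account_id=None,
 custom_domain=None,
+custom_waf_rules=None,
 **kwargs,
 ):
 super().__init__(scope, id, **kwargs)
@@ -34,5 +35,6 @@ def __init__(
 auth_at_edge=auth_at_edge,
 tooling_account_id=tooling_account_id,
 custom_domain=custom_domain,
+custom_waf_rules=custom_waf_rules,
 **kwargs,
 )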
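--- a/deploy/stacks/cloudfront_stage.py
+++ b/deploy/stacks/cloudfront_stage.py
@@ -14,6 +14,7 @@ def __init__(
 resource_prefix='dataall',
 tooling_account_id=None,
 custom_domain=None,
+custom_waf_rules=None,
 **kwargs,
 ):
 super().__init__(scope, id, **kwargs)
@@ -25,6 +26,7 @@ def __init__(
 resource_prefix=resource_prefix,
 tooling_account_id=tooling_account_id,
 custom_domain=custom_domain,
+custom_waf_rules=custom_waf_rules,
 )
 
 Tags.of(cloudfront_stack).add('Application', f'{resource_prefix}-{envname}')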