
Commit 81f08af

nullpo-headarifsetiawanzhihanzcpakulski
authored
Alpha WAF(Web Application Firewall) API for TSB 1.4 (istio#341)
* start waf * add validation * refactor firewall settings to waf settings in tsb 1.4 (istio#334) * refactor firewall settings to waf settings in tsb 1.4 * lint * lint * rename rule_set to rule_sets(comply with 1.5 api) and add rule engine example * refactor according to comments * add more detailed example * remove unneeded example * fix missing body Co-authored-by: arifsetiawan <[email protected]> Co-authored-by: zhihanz <[email protected]> Co-authored-by: Christoph Pakulski <[email protected]>
1 parent 7c22f60 commit 81f08af

12 files changed

+1090
-43
lines changed

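--- a/generated/jsonschema/tetrateio.api.tsb.security.v2/CreateSecuritySettingsRequest.jsonschema
+++ b/generated/jsonschema/tetrateio.api.tsb.security.v2/CreateSecuritySettingsRequest.jsonschema
@@ -295,6 +295,39 @@
 "additionalProperties": true,
 "type": "object",
 "description": "Authentication settings is used to set workload-to-workload traffic\n and end-user/origin authentication configuration."
+},
+"waf_settings": {
+"properties": {
+"rule_sets": {
+"items": {
+"type": "string"
+},
+"type": "array",
+"description": "Rulesets to enable. Currently, supported rule set is only `embedded_crs` (embedded core rule set).\n Other name will return error"
+},
+"rule_engine_mode": {
+"enum": [
+"OFF",
+0,
+"ON",
+1,
+"DETECTION_ONLY",
+2
+],
+"oneOf": [
+{
+"type": "string"
+},
+{
+"type": "integer"
+}
+],
+"description": "Ad-hoc settings to switch ModSecurity engine mode. This ruleEngineMode\n setting inserts SecRuleEngine directive at the beginning of the applied\n ruleSets. Note that this settings may be overridden by the ruleSets if the\n ruleSets contain SecRuleEngine directive."
+}
+},
+"additionalProperties": true,
+"type": "object",
+"description": "NOTICE: this feature is in alpha stage and under active development.\n it would encounter breaking changes in further release and should not be adopted in production\n WAF settings is used to set firewall rules."
 }
 },
 "additionalProperties": true,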

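--- a/generated/jsonschema/tetrateio.api.tsb.security.v2/ListSecuritySettingsResponse.jsonschema
+++ b/generated/jsonschema/tetrateio.api.tsb.security.v2/ListSecuritySettingsResponse.jsonschema
@@ -289,6 +289,39 @@
 "additionalProperties": true,
 "type": "object",
 "description": "Authentication settings is used to set workload-to-workload traffic\n and end-user/origin authentication configuration."
+},
+"waf_settings": {
+"properties": {
+"rule_sets": {
+"items": {
+"type": "string"
+},
+"type": "array",
+"description": "Rulesets to enable. Currently, supported rule set is only `embedded_crs` (embedded core rule set).\n Other name will return error"
+},
+"rule_engine_mode": {
+"enum": [
+"OFF",
+0,
+"ON",
+1,
+"DETECTION_ONLY",
+2
+],
+"oneOf": [
+{
+"type": "string"
+},
+{
+"type": "integer"
+}
+],
+"description": "Ad-hoc settings to switch ModSecurity engine mode. This ruleEngineMode\n setting inserts SecRuleEngine directive at the beginning of the applied\n ruleSets. Note that this settings may be overridden by the ruleSets if the\n ruleSets contain SecRuleEngine directive."
+}
+},
+"additionalProperties": true,
+"type": "object",
+"description": "NOTICE: this feature is in alpha stage and under active development.\n it would encounter breaking changes in further release and should not be adopted in production\n WAF settings is used to set firewall rules."
 }
 },
 "additionalProperties": true,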

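--- a/generated/jsonschema/tetrateio.api.tsb.security.v2/SecuritySetting.jsonschema
+++ b/generated/jsonschema/tetrateio.api.tsb.security.v2/SecuritySetting.jsonschema
@@ -285,6 +285,39 @@
 "additionalProperties": true,
 "type": "object",
 "description": "Authentication settings is used to set workload-to-workload traffic\n and end-user/origin authentication configuration."
+},
+"waf_settings": {
+"properties": {
+"rule_sets": {
+"items": {
+"type": "string"
+},
+"type": "array",
+"description": "Rulesets to enable. Currently, supported rule set is only `embedded_crs` (embedded core rule set).\n Other name will return error"
+},
+"rule_engine_mode": {
+"enum": [
+"OFF",
+0,
+"ON",
+1,
+"DETECTION_ONLY",
+2
+],
+"oneOf": [
+{
+"type": "string"
+},
+{
+"type": "integer"
+}
+],
+"description": "Ad-hoc settings to switch ModSecurity engine mode. This ruleEngineMode\n setting inserts SecRuleEngine directive at the beginning of the applied\n ruleSets. Note that this settings may be overridden by the ruleSets if the\n ruleSets contain SecRuleEngine directive."
+}
+},
+"additionalProperties": true,
+"type": "object",
+"description": "NOTICE: this feature is in alpha stage and under active development.\n it would encounter breaking changes in further release and should not be adopted in production\n WAF settings is used to set firewall rules."
 }
 },
 "additionalProperties": true,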
Lines changed: 34 additions & 0 deletions
@@ -0,0 +1,34 @@
1+
{
2+
"$schema": "http://json-schema.org/draft-04/schema#",
3+
"properties": {
4+
"rule_sets": {
5+
"items": {
6+
"type": "string"
7+
},
8+
"type": "array",
9+
"description": "Rulesets to enable. Currently, supported rule set is only `embedded_crs` (embedded core rule set).\n Other name will return error"
10+
},
11+
"rule_engine_mode": {
12+
"enum": [
13+
"OFF",
14+
0,
15+
"ON",
16+
1,
17+
"DETECTION_ONLY",
18+
2
19+
],
20+
"oneOf": [
21+
{
22+
"type": "string"
23+
},
24+
{
25+
"type": "integer"
26+
}
27+
],
28+
"description": "Ad-hoc settings to switch ModSecurity engine mode. This ruleEngineMode\n setting inserts SecRuleEngine directive at the beginning of the applied\n ruleSets. Note that this settings may be overridden by the ruleSets if the\n ruleSets contain SecRuleEngine directive."
29+
}
30+
},
31+
"additionalProperties": true,
32+
"type": "object",
33+
"description": "WafSettings configure WAF with ModSecurity engine (alpha stage)"
34+
}

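--- a/generated/jsonschema/tetrateio.api.tsb.v2/CreateWorkspaceSettingsRequest.jsonschema
+++ b/generated/jsonschema/tetrateio.api.tsb.v2/CreateWorkspaceSettingsRequest.jsonschema
@@ -266,6 +266,39 @@
 "additionalProperties": true,
 "type": "object",
 "description": "Authentication settings is used to set workload-to-workload traffic\n and end-user/origin authentication configuration."
+},
+"waf_settings": {
+"properties": {
+"rule_sets": {
+"items": {
+"type": "string"
+},
+"type": "array",
+"description": "Rulesets to enable. Currently, supported rule set is only `embedded_crs` (embedded core rule set).\n Other name will return error"
+},
+"rule_engine_mode": {
+"enum": [
+"OFF",
+0,
+"ON",
+1,
+"DETECTION_ONLY",
+2
+],
+"oneOf": [
+{
+"type": "string"
+},
+{
+"type": "integer"
+}
+],
+"description": "Ad-hoc settings to switch ModSecurity engine mode. This ruleEngineMode\n setting inserts SecRuleEngine directive at the beginning of the applied\n ruleSets. Note that this settings may be overridden by the ruleSets if the\n ruleSets contain SecRuleEngine directive."
+}
+},
+"additionalProperties": true,
+"type": "object",
+"description": "NOTICE: this feature is in alpha stage and under active development.\n it would encounter breaking changes in further release and should not be adopted in production\n WAF settings is used to set firewall rules."
 }
 },
 "additionalProperties": true,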

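--- a/generated/jsonschema/tetrateio.api.tsb.v2/ListWorkspaceSettingsResponse.jsonschema
+++ b/generated/jsonschema/tetrateio.api.tsb.v2/ListWorkspaceSettingsResponse.jsonschema
@@ -260,6 +260,39 @@
 "additionalProperties": true,
 "type": "object",
 "description": "Authentication settings is used to set workload-to-workload traffic\n and end-user/origin authentication configuration."
+},
+"waf_settings": {
+"properties": {
+"rule_sets": {
+"items": {
+"type": "string"
+},
+"type": "array",
+"description": "Rulesets to enable. Currently, supported rule set is only `embedded_crs` (embedded core rule set).\n Other name will return error"
+},
+"rule_engine_mode": {
+"enum": [
+"OFF",
+0,
+"ON",
+1,
+"DETECTION_ONLY",
+2
+],
+"oneOf": [
+{
+"type": "string"
+},
+{
+"type": "integer"
+}
+],
+"description": "Ad-hoc settings to switch ModSecurity engine mode. This ruleEngineMode\n setting inserts SecRuleEngine directive at the beginning of the applied\n ruleSets. Note that this settings may be overridden by the ruleSets if the\n ruleSets contain SecRuleEngine directive."
+}
+},
+"additionalProperties": true,
+"type": "object",
+"description": "NOTICE: this feature is in alpha stage and under active development.\n it would encounter breaking changes in further release and should not be adopted in production\n WAF settings is used to set firewall rules."
 }
 },
 "additionalProperties": true,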

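--- a/generated/jsonschema/tetrateio.api.tsb.v2/WorkspaceSetting.jsonschema
+++ b/generated/jsonschema/tetrateio.api.tsb.v2/WorkspaceSetting.jsonschema
@@ -256,6 +256,39 @@
 "additionalProperties": true,
 "type": "object",
 "description": "Authentication settings is used to set workload-to-workload traffic\n and end-user/origin authentication configuration."
+},
+"waf_settings": {
+"properties": {
+"rule_sets": {
+"items": {
+"type": "string"
+},
+"type": "array",
+"description": "Rulesets to enable. Currently, supported rule set is only `embedded_crs` (embedded core rule set).\n Other name will return error"
+},
+"rule_engine_mode": {
+"enum": [
+"OFF",
+0,
+"ON",
+1,
+"DETECTION_ONLY",
+2
+],
+"oneOf": [
+{
+"type": "string"
+},
+{
+"type": "integer"
+}
+],
+"description": "Ad-hoc settings to switch ModSecurity engine mode. This ruleEngineMode\n setting inserts SecRuleEngine directive at the beginning of the applied\n ruleSets. Note that this settings may be overridden by the ruleSets if the\n ruleSets contain SecRuleEngine directive."
+}
+},
+"additionalProperties": true,
+"type": "object",
+"description": "NOTICE: this feature is in alpha stage and under active development.\n it would encounter breaking changes in further release and should not be adopted in production\n WAF settings is used to set firewall rules."
 }
 },
 "additionalProperties": true,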

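--- a/generated/ts/tsb/security/v2/security_setting_pb.d.ts
+++ b/generated/ts/tsb/security/v2/security_setting_pb.d.ts
@@ -32,6 +32,11 @@ export class SecuritySetting extends jspb.Message {
 getAuthenticationSettings(): AuthenticationSettings | undefined;
 setAuthenticationSettings(value?: AuthenticationSettings): void;
 
+hasWafSettings(): boolean;
+clearWafSettings(): void;
+getWafSettings(): WafSettings | undefined;
+setWafSettings(value?: WafSettings): void;
+
 serializeBinary(): Uint8Array;
 toObject(includeInstance?: boolean): SecuritySetting.AsObject;
 static toObject(includeInstance: boolean, msg: SecuritySetting): SecuritySetting.AsObject;
@@ -51,6 +56,7 @@ export namespace SecuritySetting {
 authentication: SecuritySetting.AuthenticationModeMap[keyof SecuritySetting.AuthenticationModeMap],
 authorization?: AuthorizationSettings.AsObject,
 authenticationSettings?: AuthenticationSettings.AsObject,
+wafSettings?: WafSettings.AsObject,
 }
 
 export interface AuthenticationModeMap {
@@ -132,3 +138,37 @@ export namespace AuthorizationSettings {
 export const Mode: ModeMap;
 }
 
+export class WafSettings extends jspb.Message {
+clearRuleSetsList(): void;
+getRuleSetsList(): Array<string>;
+setRuleSetsList(value: Array<string>): void;
+addRuleSets(value: string, index?: number): string;
+
+getRuleEngineMode(): WafSettings.SecRuleEngineMap[keyof WafSettings.SecRuleEngineMap];
+setRuleEngineMode(value: WafSettings.SecRuleEngineMap[keyof WafSettings.SecRuleEngineMap]): void;
+
+serializeBinary(): Uint8Array;
+toObject(includeInstance?: boolean): WafSettings.AsObject;
+static toObject(includeInstance: boolean, msg: WafSettings): WafSettings.AsObject;
+static extensions: {[key: number]: jspb.ExtensionFieldInfo<jspb.Message>};
+static extensionsBinary: {[key: number]: jspb.ExtensionFieldBinaryInfo<jspb.Message>};
+static serializeBinaryToWriter(message: WafSettings, writer: jspb.BinaryWriter): void;
+static deserializeBinary(bytes: Uint8Array): WafSettings;
+static deserializeBinaryFromReader(message: WafSettings, reader: jspb.BinaryReader): WafSettings;
+}
+
+export namespace WafSettings {
+export type AsObject = {
+ruleSetsList: Array<string>,
+ruleEngineMode: WafSettings.SecRuleEngineMap[keyof WafSettings.SecRuleEngineMap],
+}
+
+export interface SecRuleEngineMap {
+OFF: 0;
+ON: 1;
+DETECTION_ONLY: 2;
+}
+
+export const SecRuleEngine: SecRuleEngineMap;
+}
+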