Skip to content

Add exists, !exists, equals, and !equals operators to WAF custom rules #3870

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
api-clients-generation-pipeline wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add exists, !exists, equals, and !equals operators to WAF custom rules #3870

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 26 additions & 0 deletions .generator/schemas/v2/openapi.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4345,6 +4345,10 @@ components:
- ip_match
- "!ip_match"
- capture_data
- exists
- "!exists"
- equals
- "!equals"
example: "match_regex"
type: string
x-enum-varnames:
Expand All @@ -4359,6 +4363,10 @@ components:
- IP_MATCH
- NOT_IP_MATCH
- CAPTURE_DATA
- EXISTS
- NOT_EXISTS
- EQUALS
- NOT_EQUALS
ApplicationSecurityWafCustomRuleConditionOptions:
description: Options for the operator of this condition.
properties:
Expand Down Expand Up @@ -4399,6 +4407,8 @@ components:
description: "Regex to use with the condition. Only used with match_regex and !match_regex operator."
example: "path.*"
type: string
type:
$ref: "#/components/schemas/ApplicationSecurityWafCustomRuleConditionParametersType"
value:
description: |-
Store the captured value in the specified tag name. Only used with the capture_data operator.
Expand All @@ -4407,6 +4417,22 @@ components:
required:
- inputs
type: object
ApplicationSecurityWafCustomRuleConditionParametersType:
description: The type of the value to compare against. Only used with the equals and !equals operator.
enum:
- boolean
- signed
- unsigned
- float
- string
example: "string"
type: string
x-enum-varnames:
- BOOLEAN
- SIGNED
- UNSIGNED
- FLOAT
- STRING
ApplicationSecurityWafCustomRuleCreateAttributes:
description: "Create a new WAF custom rule."
properties:
Expand Down
1 change: 1 addition & 0 deletions examples/v2/application-security/CreateApplicationSecurityWafCustomRule.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,7 @@ const params: v2.ApplicationSecurityApiCreateApplicationSecurityWafCustomRuleReq
minLength: 0,
},
regex: "path.*",
type: "string",
value: "custom_tag",
},
},
Expand Down
10 changes: 5 additions & 5 deletions features/v2/application_security.feature
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,21 +16,21 @@ Feature: Application Security
@generated @skip @team:DataDog/asm-backend
Scenario: Create a WAF custom rule returns "Bad Request" response
Given new "CreateApplicationSecurityWafCustomRule" request
And body with value {"data": {"attributes": {"action": {"action": "block_request", "parameters": {"location": "/blocking", "status_code": 403}}, "blocking": false, "conditions": [{"operator": "match_regex", "parameters": {"data": "blocked_users", "inputs": [{"address": "server.db.statement", "key_path": []}], "list": [], "options": {"case_sensitive": false, "min_length": 0}, "regex": "path.*", "value": "custom_tag"}}], "enabled": false, "name": "Block request from a bad useragent", "path_glob": "/api/search/*", "scope": [{"env": "prod", "service": "billing-service"}], "tags": {"category": "business_logic", "type": "users.login.success"}}, "type": "custom_rule"}}
And body with value {"data": {"attributes": {"action": {"action": "block_request", "parameters": {"location": "/blocking", "status_code": 403}}, "blocking": false, "conditions": [{"operator": "match_regex", "parameters": {"data": "blocked_users", "inputs": [{"address": "server.db.statement", "key_path": []}], "list": [], "options": {"case_sensitive": false, "min_length": 0}, "regex": "path.*", "type": "string", "value": "custom_tag"}}], "enabled": false, "name": "Block request from a bad useragent", "path_glob": "/api/search/*", "scope": [{"env": "prod", "service": "billing-service"}], "tags": {"category": "business_logic", "type": "users.login.success"}}, "type": "custom_rule"}}
When the request is sent
Then the response status is 400 Bad Request

@generated @skip @team:DataDog/asm-backend
Scenario: Create a WAF custom rule returns "Concurrent Modification" response
Given new "CreateApplicationSecurityWafCustomRule" request
And body with value {"data": {"attributes": {"action": {"action": "block_request", "parameters": {"location": "/blocking", "status_code": 403}}, "blocking": false, "conditions": [{"operator": "match_regex", "parameters": {"data": "blocked_users", "inputs": [{"address": "server.db.statement", "key_path": []}], "list": [], "options": {"case_sensitive": false, "min_length": 0}, "regex": "path.*", "value": "custom_tag"}}], "enabled": false, "name": "Block request from a bad useragent", "path_glob": "/api/search/*", "scope": [{"env": "prod", "service": "billing-service"}], "tags": {"category": "business_logic", "type": "users.login.success"}}, "type": "custom_rule"}}
And body with value {"data": {"attributes": {"action": {"action": "block_request", "parameters": {"location": "/blocking", "status_code": 403}}, "blocking": false, "conditions": [{"operator": "match_regex", "parameters": {"data": "blocked_users", "inputs": [{"address": "server.db.statement", "key_path": []}], "list": [], "options": {"case_sensitive": false, "min_length": 0}, "regex": "path.*", "type": "string", "value": "custom_tag"}}], "enabled": false, "name": "Block request from a bad useragent", "path_glob": "/api/search/*", "scope": [{"env": "prod", "service": "billing-service"}], "tags": {"category": "business_logic", "type": "users.login.success"}}, "type": "custom_rule"}}
When the request is sent
Then the response status is 409 Concurrent Modification

@generated @skip @team:DataDog/asm-backend
Scenario: Create a WAF custom rule returns "Created" response
Given new "CreateApplicationSecurityWafCustomRule" request
And body with value {"data": {"attributes": {"action": {"action": "block_request", "parameters": {"location": "/blocking", "status_code": 403}}, "blocking": false, "conditions": [{"operator": "match_regex", "parameters": {"data": "blocked_users", "inputs": [{"address": "server.db.statement", "key_path": []}], "list": [], "options": {"case_sensitive": false, "min_length": 0}, "regex": "path.*", "value": "custom_tag"}}], "enabled": false, "name": "Block request from a bad useragent", "path_glob": "/api/search/*", "scope": [{"env": "prod", "service": "billing-service"}], "tags": {"category": "business_logic", "type": "users.login.success"}}, "type": "custom_rule"}}
And body with value {"data": {"attributes": {"action": {"action": "block_request", "parameters": {"location": "/blocking", "status_code": 403}}, "blocking": false, "conditions": [{"operator": "match_regex", "parameters": {"data": "blocked_users", "inputs": [{"address": "server.db.statement", "key_path": []}], "list": [], "options": {"case_sensitive": false, "min_length": 0}, "regex": "path.*", "type": "string", "value": "custom_tag"}}], "enabled": false, "name": "Block request from a bad useragent", "path_glob": "/api/search/*", "scope": [{"env": "prod", "service": "billing-service"}], "tags": {"category": "business_logic", "type": "users.login.success"}}, "type": "custom_rule"}}
When the request is sent
Then the response status is 201 Created

Expand Down Expand Up @@ -153,15 +153,15 @@ Feature: Application Security
Scenario: Update a WAF Custom Rule returns "Concurrent Modification" response
Given new "UpdateApplicationSecurityWafCustomRule" request
And request contains "custom_rule_id" parameter from "REPLACE.ME"
And body with value {"data": {"attributes": {"action": {"action": "block_request", "parameters": {"location": "/blocking", "status_code": 403}}, "blocking": false, "conditions": [{"operator": "match_regex", "parameters": {"data": "blocked_users", "inputs": [{"address": "server.db.statement", "key_path": []}], "list": [], "options": {"case_sensitive": false, "min_length": 0}, "regex": "path.*", "value": "custom_tag"}}], "enabled": false, "name": "Block request from bad useragent", "path_glob": "/api/search/*", "scope": [{"env": "prod", "service": "billing-service"}], "tags": {"category": "business_logic", "type": "users.login.success"}}, "type": "custom_rule"}}
And body with value {"data": {"attributes": {"action": {"action": "block_request", "parameters": {"location": "/blocking", "status_code": 403}}, "blocking": false, "conditions": [{"operator": "match_regex", "parameters": {"data": "blocked_users", "inputs": [{"address": "server.db.statement", "key_path": []}], "list": [], "options": {"case_sensitive": false, "min_length": 0}, "regex": "path.*", "type": "string", "value": "custom_tag"}}], "enabled": false, "name": "Block request from bad useragent", "path_glob": "/api/search/*", "scope": [{"env": "prod", "service": "billing-service"}], "tags": {"category": "business_logic", "type": "users.login.success"}}, "type": "custom_rule"}}
When the request is sent
Then the response status is 409 Concurrent Modification

@generated @skip @team:DataDog/asm-backend
Scenario: Update a WAF Custom Rule returns "Not Found" response
Given new "UpdateApplicationSecurityWafCustomRule" request
And request contains "custom_rule_id" parameter from "REPLACE.ME"
And body with value {"data": {"attributes": {"action": {"action": "block_request", "parameters": {"location": "/blocking", "status_code": 403}}, "blocking": false, "conditions": [{"operator": "match_regex", "parameters": {"data": "blocked_users", "inputs": [{"address": "server.db.statement", "key_path": []}], "list": [], "options": {"case_sensitive": false, "min_length": 0}, "regex": "path.*", "value": "custom_tag"}}], "enabled": false, "name": "Block request from bad useragent", "path_glob": "/api/search/*", "scope": [{"env": "prod", "service": "billing-service"}], "tags": {"category": "business_logic", "type": "users.login.success"}}, "type": "custom_rule"}}
And body with value {"data": {"attributes": {"action": {"action": "block_request", "parameters": {"location": "/blocking", "status_code": 403}}, "blocking": false, "conditions": [{"operator": "match_regex", "parameters": {"data": "blocked_users", "inputs": [{"address": "server.db.statement", "key_path": []}], "list": [], "options": {"case_sensitive": false, "min_length": 0}, "regex": "path.*", "type": "string", "value": "custom_tag"}}], "enabled": false, "name": "Block request from bad useragent", "path_glob": "/api/search/*", "scope": [{"env": "prod", "service": "billing-service"}], "tags": {"category": "business_logic", "type": "users.login.success"}}, "type": "custom_rule"}}
When the request is sent
Then the response status is 404 Not Found

Expand Down
1 change: 1 addition & 0 deletions packages/datadog-api-client-v2/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1393,6 +1393,7 @@ export { ApplicationSecurityWafCustomRuleConditionInputAddress } from "./models/
export { ApplicationSecurityWafCustomRuleConditionOperator } from "./models/ApplicationSecurityWafCustomRuleConditionOperator";
export { ApplicationSecurityWafCustomRuleConditionOptions } from "./models/ApplicationSecurityWafCustomRuleConditionOptions";
export { ApplicationSecurityWafCustomRuleConditionParameters } from "./models/ApplicationSecurityWafCustomRuleConditionParameters";
export { ApplicationSecurityWafCustomRuleConditionParametersType } from "./models/ApplicationSecurityWafCustomRuleConditionParametersType";
export { ApplicationSecurityWafCustomRuleCreateAttributes } from "./models/ApplicationSecurityWafCustomRuleCreateAttributes";
export { ApplicationSecurityWafCustomRuleCreateData } from "./models/ApplicationSecurityWafCustomRuleCreateData";
export { ApplicationSecurityWafCustomRuleCreateRequest } from "./models/ApplicationSecurityWafCustomRuleCreateRequest";
Expand Down
8 changes: 8 additions & 0 deletions packages/datadog-api-client-v2/models/ApplicationSecurityWafCustomRuleConditionOperator.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,10 @@ export type ApplicationSecurityWafCustomRuleConditionOperator =
| typeof IP_MATCH
| typeof NOT_IP_MATCH
| typeof CAPTURE_DATA
| typeof EXISTS
| typeof NOT_EXISTS
| typeof EQUALS
| typeof NOT_EQUALS
| UnparsedObject;
export const MATCH_REGEX = "match_regex";
export const NOT_MATCH_REGEX = "!match_regex";
Expand All @@ -34,3 +38,7 @@ export const NOT_EXACT_MATCH = "!exact_match";
export const IP_MATCH = "ip_match";
export const NOT_IP_MATCH = "!ip_match";
export const CAPTURE_DATA = "capture_data";
export const EXISTS = "exists";
export const NOT_EXISTS = "!exists";
export const EQUALS = "equals";
export const NOT_EQUALS = "!equals";
9 changes: 9 additions & 0 deletions packages/datadog-api-client-v2/models/ApplicationSecurityWafCustomRuleConditionParameters.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@
*/
import { ApplicationSecurityWafCustomRuleConditionInput } from "./ApplicationSecurityWafCustomRuleConditionInput";
import { ApplicationSecurityWafCustomRuleConditionOptions } from "./ApplicationSecurityWafCustomRuleConditionOptions";
import { ApplicationSecurityWafCustomRuleConditionParametersType } from "./ApplicationSecurityWafCustomRuleConditionParametersType";

import { AttributeTypeMap } from "../../datadog-api-client-common/util";

Expand Down Expand Up @@ -33,6 +34,10 @@ export class ApplicationSecurityWafCustomRuleConditionParameters {
* Regex to use with the condition. Only used with match_regex and !match_regex operator.
*/
"regex"?: string;
/**
* The type of the value to compare against. Only used with the equals and !equals operator.
*/
"type"?: ApplicationSecurityWafCustomRuleConditionParametersType;
/**
* Store the captured value in the specified tag name. Only used with the capture_data operator.
*/
Expand Down Expand Up @@ -75,6 +80,10 @@ export class ApplicationSecurityWafCustomRuleConditionParameters {
baseName: "regex",
type: "string",
},
type: {
baseName: "type",
type: "ApplicationSecurityWafCustomRuleConditionParametersType",
},
value: {
baseName: "value",
type: "string",
Expand Down
24 changes: 24 additions & 0 deletions ...s/datadog-api-client-v2/models/ApplicationSecurityWafCustomRuleConditionParametersType.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
/**
* Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License.
* This product includes software developed at Datadog (https://www.datadoghq.com/).
* Copyright 2020-Present Datadog, Inc.
*/

import { UnparsedObject } from "../../datadog-api-client-common/util";

/**
* The type of the value to compare against. Only used with the equals and !equals operator.
*/

export type ApplicationSecurityWafCustomRuleConditionParametersType =
| typeof BOOLEAN
| typeof SIGNED
| typeof UNSIGNED
| typeof FLOAT
| typeof STRING
| UnparsedObject;
export const BOOLEAN = "boolean";
export const SIGNED = "signed";
export const UNSIGNED = "unsigned";
export const FLOAT = "float";
export const STRING = "string";
11 changes: 11 additions & 0 deletions packages/datadog-api-client-v2/models/ObjectSerializer.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3807,6 +3807,17 @@ const enumsMap: { [key: string]: any[] } = {
"ip_match",
"!ip_match",
"capture_data",
"exists",
"!exists",
"equals",
"!equals",
],
ApplicationSecurityWafCustomRuleConditionParametersType: [
"boolean",
"signed",
"unsigned",
"float",
"string",
],
ApplicationSecurityWafCustomRuleTagsCategory: [
"attack_attempt",
Expand Down
Loading