>dZddlmZddlmZddlmZddlmZddlmZddl m Z ddl m Z dd l m Z dd lmZdd lmZdd lmZdd lmZdd lmZGddeZe j4e j6j8Gdde j:Ze j4e j6j>GddeZ e j4e j6jBGdde Z"y)z]Command for adding exclusions for preconfigured WAF rule evaluation to security policy rules.)absolute_import)division)unicode_literals)encoding) base_classes)client)base) exceptions)scope)flags) properties) resourcesceZdZdZedZe d dZedZedZe d dZ e d dZ ed Z ed Z y)AddPreconfigWafExclusionHelperAdd an exclusion configuration for preconfigured WAF evaluation into a security policy rule. *{command}* is used to add an exclusion configuration for preconfigured WAF evaluation into a security policy rule. Note that request field exclusions are associated with a target, which can be a single rule set, or a rule set plus a list of rule IDs under the rule set. ## EXAMPLES To add specific request field exclusions that are associated with the target of 'sqli-stable': ['owasp-crs-v030001-id942110-sqli', 'owasp-crs-v030001-id942120-sqli'], run: $ {command} 1000 \ --security-policy=my-policy \ --target-rule-set=sqli-stable \ --target-rule-ids=owasp-crs-v030001-id942110-sqli,owasp-crs-v030001-id942120-sqli \ --request-header-to-exclude=op=EQUALS,val=abc \ --request-header-to-exclude=op=STARTS_WITH,val=xyz \ --request-uri-to-exclude=op=EQUALS_ANY To add specific request field exclusions that are associated with the target of 'sqli-stable': [], run: $ {command} 1000 \ --security-policy=my-policy \ --target-rule-set=sqli-stable \ --request-cookie-to-exclude=op=EQUALS_ANY ctjd|_|jj|ddtj|dt j |_|jj|tj|dtj|dtj|dtj|dtj|dtj|dy)z>Generates the flagset for an AddPreconfigWafExclusion command.z@add the exclusion configuration for preconfigured WAF evaluationPRIORITY)operation_type cust_metavarT)parseris_addN)r PriorityArgumentNAME_ARG AddArgument AddRegionFlagsecurity_policy_flags(SecurityPolicyMultiScopeArgumentForRulesSECURITY_POLICY_ARGAddTargetRuleSetAddTargetRuleIdsAddRequestHeaderAddRequestCookieAddRequestQueryParam AddRequestUriclsrs Jlib/surface/compute/security_policies/rules/add_preconfig_waf_exclusion.pyArgsz#AddPreconfigWafExclusionHelper.ArgsCs))JCLLL N  JL FFH''/ &6 &6 &6 &6 fT: vd3Ncf||jk(xr!t|t|jk(SN) targetRuleSetset targetRuleIds)r&existing_exclusiontarget_rule_settarget_rule_idss r'_IsIdenticalTargetz1AddPreconfigWafExclusionHelper._IsIdenticalTarget]s@ 0>> > B3D 2 @ @ADBBr)c|jj}|jdxsd}|r*|jjj||_|jdxsd}|r||_|S)zConverts RequestFieldToAdd.opval)messagesappend)r&r;existing_request_fieldsr<new_request_fieldexisting_request_fields r'_AddRequestFieldz/AddPreconfigWafExclusionHelper._AddRequestFieldysC55n6JL"9 #4 4#:""#45r)cD|xsgD]}|j||j|!|xsgD]}|j||j|!|xsgD]} |j||j| !|xsgD]} |j||j| !y)zUpdates Exclusion.N)rDrequestHeadersToExcluderequestCookiesToExcluderequestQueryParamsToExcluderequestUrisToExclude) r&r;r/request_headersrequest_cookiesrequest_query_params request_urisrequest_headerrequest_cookierequest_query_param request_uris r'_UpdateExclusionz/AddPreconfigWafExclusionHelper._UpdateExclusions*/R/ >-EE)+0*/R/ >-EE)+0 49r9 >-II.0 :$)r)  >-BBKQ*r)c|jj}||_|xsgD]} |jj | |j |||||||S)zCreates Exclusion.)r71SecurityPolicyRulePreconfiguredWafConfigExclusionr,r.r@rR) r&r;r0r1rJrKrLrM new_exclusiontarget_rule_ids r'_CreateExclusionz/AddPreconfigWafExclusionHelper._CreateExclusionsn  : : <#2M)/R/!!((80(*> N r)c j|jr tj|j}n|jj }|j D]o}|j ||j|jxsgs/|j|||j|j|j|j|cS|j||j|j|j|j|j|j}|j j||S)zUpdates Preconfig WafConfig.)preconfiguredWafConfigrCopyProtoMessager7(SecurityPolicyRulePreconfiguredWafConfig exclusionsr2r0r1rRrequest_header_to_excluderequest_cookie_to_excluderequest_query_param_to_excluderequest_uri_to_excluderWr@)r&r; existing_ruleargsnew_preconfig_waf_config exclusionrUs r'_UpdatePreconfigWafConfigz8AddPreconfigWafExclusionHelper._UpdatePreconfigWafConfigs++!)!:!:  . ."0  ! ! J J L.88   4+?+? $ 4 4 : < ^Y!;;!;;!@@!88  : ('9((9M9M)-)=)=)-)G)G)-)G)G)-)L)L)-)D)D FM ''..}= ##r)c |jdsM|jds<|jds+|jdsgd}tj|d|jxsg|jxsg|j xsg|j xsgfD]:}|D]3}|jdxsd}|r|d vstjdd <tj|}|j}d } |jr|jj||jt j"j$ } t'| d d m|jj)|j*dt,j.j0j2j4| j6|jd} n|jj)|j*dt,j.j0j2j4|jd} nc |jj)|j*dt,j.j0j2j4t'|d d d} tj<| |} | j?d} |jA|| |} | jC| S#tj8tj:f$rY|jj)|j*ddt,j.j0j2j4i} YwxYw)z7Validates arguments and patches a security policy rule.r]r^r_r`)z--request-header-to-excludez--request-cookie-to-excludez --request-query-param-to-excludez--request-uri-to-excludez-At least one request field must be specified.r4r5)EQUALS STARTS_WITH ENDS_WITHCONTAINS EQUALS_ANYz_A request field operator must be one of [EQUALS, STARTS_WITH, ENDS_WITH, CONTAINS, EQUALS_ANY].N) default_scoperegionz!compute.regionSecurityPolicyRules)projectrmsecurityPolicy) collectionparamszcompute.securityPolicyRules)rnro)rnrmrn)r;r)preconfig_waf_config)" IsSpecifiedr MinimumArgumentExceptionr]r^r_r`r9InvalidArgumentExceptionrComputeApiHolderrsecurity_policyrResolveAsResourcer compute_scope ScopeEnumGLOBALgetattrParsenamer VALUEScorern GetOrFailrmRequiredFieldOmittedException WrongResourceCollectionExceptionSecurityPolicyRuleDescriberePatch)r& release_trackrbrequest_field_namesrequest_fieldsr=r4holderr;refsecurity_policy_refsecurity_policy_rulerarcs r'Runz"AddPreconfigWafExclusionHelper.Runs5   8 9   8 9   = >   5 6  / / N PP &&,"d.L.L/  D / / 52 ##)r *-   t $ *R  3323 3 *  * *= 9F]]N C 33EE    %//66F8 $h 5 A$$ II:%,,1199CC-44"&"6"6%$$ II4%,,1199CC"&"6"6%  $$ II:%,,1199CC!$$7% &"44 N,(113A6M"<< t -  % %5 & 77!  1 1  4 4  $$ II4:,,1199CC%   s'A"KA9MMr+)NNNN)NNNNN) __name__ __module__ __qualname____doc__ classmethodr(r2r>rDrRrWrerr)r'rr"s@442*.BB&66(,'+,0$( QQ0(,'+'+,0$(&$$8R7R7r)rc*eZdZdZdZedZdZy)AddPreconfigWafExclusionGArNc.tj|yr+)rr(r%s r'r(zAddPreconfigWafExclusionGA.ArgsHs"''r)cJtj|j|Sr+)rr ReleaseTrack)selfrbs r'rzAddPreconfigWafExclusionGA.RunNs$ ) - -   r))rrrrrrr(rrr)r'rr$s&@( r)rceZdZdZy)AddPreconfigWafExclusionBetarNrrrrrr)r'rrUr)rceZdZdZy)AddPreconfigWafExclusionAlpharNrrr)r'rrxrr)rN)#r __future__rrrapitools.base.pyrgooglecloudsdk.api_lib.computer0googlecloudsdk.api_lib.compute.security_policiesrgooglecloudsdk.callioper r "googlecloudsdk.command_lib.computer ry4googlecloudsdk.command_lib.compute.security_policiesr r:googlecloudsdk.command_lib.compute.security_policies.rulesgooglecloudsdk.corer robjectr ReleaseTracksrGA UpdateCommandrBETArALPHArrr)r'rsd&'%7C(.E_L*)7V7DD%%(()-!3!3-*-`D%%**+#=,DD%%++,$@-r)