KdZddlmZddlmZddlmZddlmZddlmZddl m Z ddl m Z dd l m Zdd lmZdd lmZdd lmZGd d eZe j.e j0j2Gdde j4Ze j.e j0j8GddeZe j.e j0j<GddeZy)zaCommand for removing exclusions for preconfigured WAF rule evaluation from security policy rules.)absolute_import)division)unicode_literals) base_classes)client)base) exceptions)scope)flags) propertiesceZdZdZedZe d dZedZedZe d dZ edZ ed Z y) !RemovePreconfigWafExclusionHelperARemove an exclusion configuration for preconfigured WAF evaluation from a security policy rule. *{command}* is used to remove an exclusion configuration for preconfigured WAF evaluation from a security policy rule. Note that request field exclusions are associated with a target, which can be a single rule set, or a rule set plus a list of rule IDs under the rule set. It is possible to remove request field exclusions at 3 levels: - Remove specific request field exclusions that are associated with a matching target. - Remove all the request field exclusions that are associated with a matching target. - Remove all the request field exclusions that are configured under the security policy rule, regardless of the target. ## EXAMPLES To remove specific request field exclusions that are associated with the target of 'sqli-stable': ['owasp-crs-v030001-id942110-sqli', 'owasp-crs-v030001-id942120-sqli'], run: $ {command} 1000 \ --security-policy=my-policy \ --target-rule-set=sqli-stable \ --target-rule-ids=owasp-crs-v030001-id942110-sqli,owasp-crs-v030001-id942120-sqli \ --request-header-to-exclude=op=EQUALS,val=abc \ --request-header-to-exclude=op=STARTS_WITH,val=xyz \ --request-uri-to-exclude=op=EQUALS_ANY To remove all the request field exclusions that are associated with the target of 'sqli-stable': ['owasp-crs-v030001-id942110-sqli', 'owasp-crs-v030001-id942120-sqli'], run: $ {command} 1000 \ --security-policy=my-policy \ --target-rule-set=sqli-stable \ --target-rule-ids=owasp-crs-v030001-id942110-sqli,owasp-crs-v030001-id942120-sqli To remove all the request field exclusions that are associated with the target of 'sqli-stable': [], run: $ {command} 1000 \ --security-policy=my-policy \ --target-rule-set=sqli-stable To remove all the request field exclusions that are configured under the security policy rule, regardless of the target, run: $ {command} 1000 \ --security-policy=my-policy \ --target-rule-set=* ctjd|_|jj|ddtj|dt j |_|jj|tj|dtj|dtj|dtj|dtj|dtj|dy)z@Generates the flagset for a RemovePreconfigWafExclusion command.zCremove the exclusion configuration for preconfigured WAF evaluationPRIORITY)operation_type cust_metavarF)parseris_addN)r PriorityArgumentNAME_ARG AddArgument AddRegionFlagsecurity_policy_flags(SecurityPolicyMultiScopeArgumentForRulesSECURITY_POLICY_ARGAddTargetRuleSetAddTargetRuleIdsAddRequestHeaderAddRequestCookieAddRequestQueryParam AddRequestUriclsrs Mlib/surface/compute/security_policies/rules/remove_preconfig_waf_exclusion.pyArgsz&RemovePreconfigWafExclusionHelper.ArgsWs))MCLLL   MO FFH''/ &7 &7 &7 &7 fU; ve4Ncf||jk(xr!t|t|jk(SN) targetRuleSetset targetRuleIds)r$existing_exclusiontarget_rule_settarget_rule_idss r%_IsIdenticalTargetz4RemovePreconfigWafExclusionHelper._IsIdenticalTargetrs@ 0>> > B3D 2 @ @ADBBr'c|jj}|jdxsd}|r*|jjj||_|jdxsd}|r||_|S)zConverts RequestFieldToAdd.opval)messagesr<requestHeadersToExcludeextendrCrequestCookiesToExcluderequestQueryParamsToExcluderequestUrisToExclude)r$r9r-request_headersrequest_cookiesrequest_query_params request_uris new_exclusiontarget_rule_idrequest_headers_to_removerequest_headerrequest_cookies_to_removerequest_cookierequest_query_params_to_removerequest_query_paramrequest_uris_to_remove request_uris r%_UpdateExclusionz2RemovePreconfigWafExclusionHelper._UpdateExclusions-  : : <#5"B"BM,::@b@!!((8A!#)/R/&& ' ' GI0))00   !3!K!K!: <=!#)/R/&& ' ' GI0))00   !3!K!K!: <=&("39r9$++ ' '8K LN :--44    : : * ,-  #)r) ## ' ' DF*&&--   !3!H!H!7 9:  1 1  1 1  5 5  . .  r'c |jj}|jdk(r|Sd}|jds3|jds"|jds|jdrd}|jr|jj }ng}|D]}|j ||j|jxsgr`|s1|j|||j|j|j|j}|sr|j j||j j||S)zUpdates Preconfig WafConfig.*Frequest_header_to_excluderequest_cookie_to_excluderequest_query_param_to_excluderequest_uri_to_excludeT)r5(SecurityPolicyRulePreconfiguredWafConfigr. IsSpecifiedpreconfiguredWafConfig exclusionsr0r/rYr\r]r^r_r>) r$r9 existing_ruleargsnew_preconfig_waf_confighas_request_field_argsrc exclusionrOs r%_UpdatePreconfigWafConfigz;RemovePreconfigWafExclusionHelper._UpdatePreconfigWafConfigs6 HHJ s" %%" 45 45 9: 12#++ 77BBjj   4+?+? $ 4 4 : < !..i)G)G,,1143N3NP- $ / / 6 6} E ++229=  $#r'c|jdk(rk|jdsD|jds3|jds"|jds|jdrtjdd|jxsg|j xsg|j xsg|jxsgfD]:}|D]3}|jd xsd }|r|d vstjd d <tj|}|j}d }|jj||jtj j"} t%| dd m|jj'|j(dt*j,j.j0j2| j4|j6d}na|jj'|j(dt*j,j.j0j2|j6d}tj8||} | j;d} |j=|| |} | j?| S)z7Validates arguments and patches a security policy rule.r[r/r\r]r^r_ztarget-rule-setzArguments in [--target-rule-ids, --request-header-to-exclude, --request-cookie-to-exclude, --request-query-param-to-exclude, --request-uri-to-exclude] cannot be specified when --target-rule-set is set to *.r2r3)EQUALS STARTS_WITH ENDS_WITHCONTAINS EQUALS_ANYz_A request field operator must be one of [EQUALS, STARTS_WITH, ENDS_WITH, CONTAINS, EQUALS_ANY].N) default_scoperegionz!compute.regionSecurityPolicyRules)projectrqsecurityPolicy) collectionparamszcompute.securityPolicyRules)rrrs)r9r)preconfig_waf_config) r.rar InvalidArgumentExceptionr\r]r^r_r7rComputeApiHolderrrResolveAsResource resources compute_scope ScopeEnumGLOBALgetattrParsenamer VALUEScorerr GetOrFailrqsecurity_policySecurityPolicyRuleDescriberiPatch) r$ release_trackrerequest_fieldsr;r2holderr9refsecurity_policy_refsecurity_policy_rulerdrfs r%Runz%RemovePreconfigWafExclusionHelper.Runsx s"   , -   6 7   6 7   ; <   3 411  -. . &&,"d.L.L/  D / / 52 ##)r *-   t $ *R  3323 3 *  * *= 9F]]N C11CC fm.E.E.L.LDN"Hd3?    " " ))8#**//77AA+22 $ 4 4  # c    " " ))2#**//77AA $ 4 4  # c"44 N,(113A6M"<< t -  % %5 & 77r'r))NNNN) __name__ __module__ __qualname____doc__ classmethodr&r0r<rCrYrirr'r%rrs5n554*.BB&(,'+,0$( 55n $ $D;7;7r'rc.eZdZdZdZdZedZdZy)RemovePreconfigWafExclusionGArNc.tj|yr))rr&r#s r%r&z"RemovePreconfigWafExclusionGA.Argsms%**r'cJtj|j|Sr))rr ReleaseTrack)selfres r%rz!RemovePreconfigWafExclusionGA.Runss$ , 0 0   r') rrrrrrrr&rrr'r%rr1s,5n ( r'rceZdZdZy)RemovePreconfigWafExclusionBetarNrrrrrr'r%rrz5r'rceZdZdZy) RemovePreconfigWafExclusionAlpharNrrr'r%rrrr'rN) r __future__rrrgooglecloudsdk.api_lib.computer0googlecloudsdk.api_lib.compute.security_policiesrgooglecloudsdk.callioperr "googlecloudsdk.command_lib.computer r{4googlecloudsdk.command_lib.compute.security_policiesr r:googlecloudsdk.command_lib.compute.security_policies.rulesgooglecloudsdk.corer objectr ReleaseTracksrGA UpdateCommandrBETArALPHArrr'r%rsh&'7C(.E_L*O7O7dD%%(()ED$6$6E*EPD%%**+6&C6,6rD%%++,6'F6-6r'