in python/waf/waf_cloudfront.py [0:0]
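def make_rules(self, list_of_rules=None):
    """Build the WAFv2 rule list for the CloudFront web ACL.

    Args:
        list_of_rules: iterable of dicts, each carrying ``"name"`` (an AWS
            managed rule group name, vendor ``"AWS"``) and ``"priority"``.
            Defaults to no managed rule groups. Caller-supplied priorities
            must not collide with the two fixed rules added here (0 and 1).

    Returns:
        list of ``wafv2.CfnWebACL.RuleProperty``: the managed rule groups in
        input order, then the GeoMatch allow-list rule (priority 0) and the
        per-IP rate-limit rule (priority 1).

    Raises:
        ValueError: if two rules would share a priority. AWS WAF requires
            priorities to be unique within a web ACL, so fail at synth time
            instead of at deploy time.
    """
    # ``None`` rather than ``{}``: a mutable default is shared across calls.
    if list_of_rules is None:
        list_of_rules = []

    geo_priority = 0
    rate_priority = 1
    rate_limit = 100  # requests per five-minute window from one IP

    ##
    ## Allowed country list: the GeoMatch rule below blocks a connection
    ## whose source is NOT in this list. Guyana ("GY") was listed twice
    ## in the original; one entry is enough.
    ##
    allowed_country_codes = [
        "AR",  ## Argentina
        "BO",  ## Bolivia
        "BR",  ## Brazil
        "CL",  ## Chile
        "CO",  ## Colombia
        "EC",  ## Ecuador
        "FK",  ## Falkland Islands
        "GF",  ## French Guiana
        "GY",  ## Guyana
        "PY",  ## Paraguay
        "PE",  ## Peru
        "SR",  ## Suriname
        "UY",  ## Uruguay
        "VE",  ## Venezuela
    ]

    def visibility(metric_name):
        """CloudWatch metrics and sampled requests, keyed by *metric_name*."""
        return wafv2.CfnWebACL.VisibilityConfigProperty(
            cloud_watch_metrics_enabled=True,
            metric_name=metric_name,
            sampled_requests_enabled=True,
        )

    used_priorities = {}

    def claim_priority(priority, name):
        """Record *priority* for *name*; reject a value already taken."""
        if priority in used_priorities:
            raise ValueError(
                f"rule {name!r} reuses priority {priority}, already used by "
                f"{used_priorities[priority]!r}"
            )
        used_priorities[priority] = name

    rules = []

    for r in list_of_rules:
        claim_priority(r["priority"], r["name"])
        rules.append(
            wafv2.CfnWebACL.RuleProperty(
                name=r["name"],
                priority=r["priority"],
                # none={}: keep the actions defined inside the managed group.
                override_action=wafv2.CfnWebACL.OverrideActionProperty(none={}),
                statement=wafv2.CfnWebACL.StatementProperty(
                    managed_rule_group_statement=wafv2.CfnWebACL.ManagedRuleGroupStatementProperty(
                        name=r["name"],
                        vendor_name="AWS",
                        excluded_rules=[],
                    )
                ),
                visibility_config=visibility(r["name"]),
            )
        )

    claim_priority(geo_priority, "GeoMatch")
    rules.append(
        wafv2.CfnWebACL.RuleProperty(
            name="GeoMatch",
            priority=geo_priority,
            action=wafv2.CfnWebACL.RuleActionProperty(
                block={}  ## To disable, change to *count*
            ),
            statement=wafv2.CfnWebACL.StatementProperty(
                not_statement=wafv2.CfnWebACL.NotStatementProperty(
                    statement=wafv2.CfnWebACL.StatementProperty(
                        geo_match_statement=wafv2.CfnWebACL.GeoMatchStatementProperty(
                            country_codes=allowed_country_codes
                        )
                    )
                )
            ),
            visibility_config=visibility("GeoMatch"),
        )
    )

    ##
    ## The rate limit is the maximum number of requests from a single IP
    ## address that are allowed in a five-minute period. This value is
    ## continually evaluated, and requests are blocked once the limit is
    ## reached. The IP address is automatically unblocked after it falls
    ## below the limit.
    ##
    claim_priority(rate_priority, "LimitRequests100")
    rules.append(
        wafv2.CfnWebACL.RuleProperty(
            name="LimitRequests100",
            priority=rate_priority,
            action=wafv2.CfnWebACL.RuleActionProperty(
                block={}  ## To disable, change to *count*
            ),
            statement=wafv2.CfnWebACL.StatementProperty(
                rate_based_statement=wafv2.CfnWebACL.RateBasedStatementProperty(
                    limit=rate_limit,
                    aggregate_key_type="IP",
                )
            ),
            visibility_config=visibility("LimitRequests100"),
        )
    )

    return rules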