in source/networkFirewallAutomation/lib/common/firewall-config-validation.ts [47:148]
async execute(rootDir?: string) {
const metrics: NetworkFirewallMetrics = {
numberOfFirewalls: 0,
numberOfPolicies: 0,
numberOfStatefulRuleGroups: 0,
numberOfStatelessRuleGroups: 0,
numberOfSuricataRules: 0
}
Logger.log(LOG_LEVEL.INFO, `Starting firewall config validation`)
try {
const currentPath = process.cwd()
let directoryPath;
if (rootDir) {
directoryPath = currentPath.concat(rootDir)
} else {
directoryPath = currentPath.concat(ConfigPath.firewallDirectory)
}
Logger.log(LOG_LEVEL.INFO, `Config file path ${directoryPath}`)
const firewallFiles = this.fileHandler.getJSONFileNames(directoryPath)
metrics.numberOfFirewalls = firewallFiles.length
for (let firewallFile of firewallFiles) {
Logger.log(LOG_LEVEL.INFO, `Validating the file paths for the firewall file named: ${firewallFile}`)
let firewall: NetworkFirewall.Types.CreateFirewallRequest = this.fileHandler.convertFileToObject(firewallFile)
this.validateFirewallFile(firewall)
let firewallPolicy: NetworkFirewall.Types.CreateFirewallPolicyRequest;
//verify firewall policy.
try {
firewallPolicy = this.fileHandler.convertFileToObject(firewall.FirewallPolicyArn)
metrics.numberOfPolicies += 1
await this.validateFirewallPolicyFile(firewallPolicy, firewall.FirewallPolicyArn)
} catch (error) {
Logger.log(LOG_LEVEL.INFO, `Failed to validate the firewall policy`)
this.invalidFiles.push({
path: firewall.FirewallPolicyArn,
referencedInFile: firewall.FirewallPolicyArn,
error: "The file in the attribute path is not available in the configuration."
})
break;
}
//loop through all the stateful rule groups and verify if the files compile to a valid json object.
if (firewallPolicy.FirewallPolicy.StatefulRuleGroupReferences) {
metrics.numberOfStatefulRuleGroups += firewallPolicy.FirewallPolicy.StatefulRuleGroupReferences.length
Logger.log(LOG_LEVEL.DEBUG, `Firewall Policy StatefulRuleGroupReferences`, firewallPolicy.FirewallPolicy.StatefulRuleGroupReferences)
for (let statefulRuleGroup of firewallPolicy.FirewallPolicy.StatefulRuleGroupReferences) {
try {
const ruleGroup: NetworkFirewall.Types.CreateRuleGroupRequest = this.fileHandler.convertFileToObject(statefulRuleGroup.ResourceArn);
if (ruleGroup.Rules) {
metrics.numberOfSuricataRules += 1;
}
await this.validateRuleGroupFile(ruleGroup, statefulRuleGroup.ResourceArn)
} catch (error) {
this.invalidFiles.push({
path: statefulRuleGroup.ResourceArn,
referencedInFile: firewall.FirewallPolicyArn,
error: "The file in the attribute path is not available in the configuration."
})
}
}
}
//loop through all the stateless rule groups and verify if the files compile to a valid json object.
if (firewallPolicy.FirewallPolicy.StatelessRuleGroupReferences) {
metrics.numberOfStatelessRuleGroups += firewallPolicy.FirewallPolicy.StatelessRuleGroupReferences.length
Logger.log(LOG_LEVEL.DEBUG, `Firewall Policy StatelessRuleGroupReferences`, firewallPolicy.FirewallPolicy.StatelessRuleGroupReferences)
for (let statelessRuleGroup of firewallPolicy.FirewallPolicy.StatelessRuleGroupReferences) {
try {
const ruleGroup = this.fileHandler.convertFileToObject(statelessRuleGroup.ResourceArn)
await this.validateRuleGroupFile(ruleGroup, statelessRuleGroup.ResourceArn)
} catch (error) {
this.invalidFiles.push({
path: statelessRuleGroup.ResourceArn,
referencedInFile: firewall.FirewallPolicyArn,
error: "The file in the attribute path is not available in the configuration."
})
}
}
}
}
} catch (error) {
Logger.log(LOG_LEVEL.ERROR, error)
throw new Error("Validation failed.");
} finally {
Logger.log(LOG_LEVEL.INFO, `Number of invalid files: ${this.invalidFiles.length}`)
Logger.log(LOG_LEVEL.INFO, `-----------INVALID FILES START-----------`)
this.getInvalidFiles().forEach((invalidFile) => {
Logger.log(LOG_LEVEL.ERROR, invalidFile)
})
Logger.log(LOG_LEVEL.INFO, `-----------INVALID FILES END--------------`)
if (this.invalidFiles.length > 0) {
const error = "Validation failed."
Logger.log(LOG_LEVEL.ERROR, error)
throw error
}
Logger.log(LOG_LEVEL.DEBUG, `Send metrics`, metrics)
MetricsManager.sendMetrics(metrics)
}
}