in WAF/WAF-Enhanced-Replicator/wafget.py [0:0]
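def _escapeRegexForHcl(pattern):
    """Return *pattern* escaped for use inside a double-quoted HCL string.

    Backslashes are doubled first and double quotes escaped afterwards, so the
    value Terraform decodes is the pattern exactly as stored in the source WAF.
    """
    return pattern.replace("\\", "\\\\").replace("\"", "\\\"")


def _fetchOrAbort(call, label, log, template):
    """Run the zero-argument *call* and return its result.

    On failure the file's abort hook is invoked with *label*, as before.
    function.abortMission is defined outside this block and presumably
    terminates the run; the exception is re-raised in case it returns, so a
    failed API call can never fall through and reuse the previous response.
    """
    try:
        return call()
    except Exception:
        function.abortMission(log, template, label)
        raise


def _fieldToMatchLines(fieldToMatch, closing):
    """Render a field_to_match block; *closing* is the text of its closing line."""
    lines = [" field_to_match {\n", " type = \"" + fieldToMatch['Type'] + "\"\n"]
    # 'Data' is only read when the mapping holds more than the 'Type' key.
    if len(fieldToMatch) > 1:
        lines.append(" data = \"" + fieldToMatch['Data'] + "\"\n")
    lines.append(closing)
    return "".join(lines)


def _joinBlocks(blocks):
    """Join nested blocks with a blank line between them and a newline after the last."""
    if not blocks:
        return ""
    return "\n\n".join(blocks) + "\n"


def crawlConditions(botoClient, log, template, suffix):
    '''
    Crawl every WAF condition reachable through the provided Boto3 client and
    render each one as a Terraform resource.

    Args:
        botoClient: client exposing the list_*/get_* WAF condition calls used below.
        log, template: passed through unchanged to function.abortMission on failure.
        suffix: text inserted after "aws_waf" in resource type names. A
            one-character suffix ('_') is treated as global WAF and selects the
            plural nested block names; any longer suffix selects the singular ones.

    Returns:
        [conditionsDict, returnString]: a dict mapping each condition ID to the
        Terraform resource name generated for it, and the rendered template text.

    NOTE(review): each list_* call is made once, without a pagination marker.
    If the API pages its listings, conditions beyond the first page are
    silently left out of the replica - confirm, and paginate if needed.

    NOTE(review): Name, Data, Value and TargetString are written into quoted
    HCL strings unescaped; a double quote or "${" in any of them would break or
    alter the generated template. Only regex patterns are escaped here.
    '''
    conditionsDict = {}
    chunks = []
    resourcePrefix = "resource \"aws_waf" + suffix
    # Global WAF (suffix == '_') expects plural nested block names in Terraform.
    isGlobal = len(suffix) == 1

    # Getting the String Match Conditions
    listing = _fetchOrAbort(lambda: botoClient.list_byte_match_sets(), "list_byte_match_sets()", log, template)
    for k, summary in enumerate(listing['ByteMatchSets']):
        condition = _fetchOrAbort(lambda: botoClient.get_byte_match_set(ByteMatchSetId = summary['ByteMatchSetId']), "get_byte_match_set()", log, template)
        matchSet = condition['ByteMatchSet']
        namePrefix = "byte_match_set_" + str(k)
        chunks.append(resourcePrefix + "byte_match_set\" \"" + namePrefix + "\" {\n")
        chunks.append(" name = \"" + matchSet['Name'] + "\"\n\n")
        tupleBlocks = []
        for entry in matchSet['ByteMatchTuples']:
            tupleBlocks.append(
                " byte_match_tuples {\n"
                + " text_transformation = \"" + entry['TextTransformation'] + "\"\n"
                # str(...)[2:-1] strips the b'...' wrapper of the bytes repr, so
                # the value keeps Python's escaping (e.g. \x41), not HCL's.
                + " target_string = \"" + str(entry['TargetString'])[2:-1] + "\"\n"
                + " positional_constraint = \"" + entry['PositionalConstraint'] + "\"\n\n"
                + _fieldToMatchLines(entry['FieldToMatch'], " }\n")
                + " }"
            )
        chunks.append(_joinBlocks(tupleBlocks))
        conditionsDict[summary['ByteMatchSetId']] = namePrefix
        chunks.append("}\n\n")
    chunks.append("\n\n")

    # Getting the Regex Pattern Sets
    listing = _fetchOrAbort(lambda: botoClient.list_regex_pattern_sets(), "list_regex_pattern_sets()", log, template)
    for k, summary in enumerate(listing['RegexPatternSets']):
        condition = _fetchOrAbort(lambda: botoClient.get_regex_pattern_set(RegexPatternSetId = summary['RegexPatternSetId']), "get_regex_pattern_set()", log, template)
        patternSet = condition['RegexPatternSet']
        namePrefix = "regex_pattern_set_" + str(k)
        chunks.append(resourcePrefix + "regex_pattern_set\" \"" + namePrefix + "\" {\n")
        chunks.append(" name = \"" + patternSet['Name'] + "\"\n")
        # Every backslash is doubled across the whole pattern. The previous
        # character loop dropped the text before the first backslash and
        # repeated the tail once per backslash, so the replicated pattern no
        # longer matched the source rule.
        quoted = ["\"" + _escapeRegexForHcl(pattern) + "\"" for pattern in patternSet['RegexPatternStrings']]
        chunks.append(" regex_pattern_strings = [ " + ", ".join(quoted) + " ]\n")
        conditionsDict[summary['RegexPatternSetId']] = namePrefix
        chunks.append("}\n\n")

    # Getting the Regex Match Conditions
    listing = _fetchOrAbort(lambda: botoClient.list_regex_match_sets(), "list_regex_match_sets()", log, template)
    for k, summary in enumerate(listing['RegexMatchSets']):
        condition = _fetchOrAbort(lambda: botoClient.get_regex_match_set(RegexMatchSetId = summary['RegexMatchSetId']), "get_regex_match_set()", log, template)
        matchSet = condition['RegexMatchSet']
        namePrefix = "regex_match_set_" + str(k)
        chunks.append(resourcePrefix + "regex_match_set\" \"" + namePrefix + "\" {\n")
        chunks.append(" name = \"" + matchSet['Name'] + "\"\n\n")
        tupleBlocks = []
        for entry in matchSet['RegexMatchTuples']:
            tupleBlocks.append(
                " regex_match_tuple {\n"
                + _fieldToMatchLines(entry['FieldToMatch'], " }\n\n")
                + " text_transformation = \"" + entry['TextTransformation'] + "\"\n"
                # Refers to the pattern-set resource generated above; raises
                # KeyError if that pattern set was not among the crawled ones.
                + " regex_pattern_set_id = \"${aws_waf" + suffix + "regex_pattern_set." + conditionsDict[entry['RegexPatternSetId']] + ".id}\"\n"
                + " }"
            )
        chunks.append(_joinBlocks(tupleBlocks))
        conditionsDict[summary['RegexMatchSetId']] = namePrefix
        chunks.append("}\n\n")

    # Getting the SQL Injection Conditions
    listing = _fetchOrAbort(lambda: botoClient.list_sql_injection_match_sets(), "list_sql_injection_match_sets()", log, template)
    for k, summary in enumerate(listing['SqlInjectionMatchSets']):
        condition = _fetchOrAbort(lambda: botoClient.get_sql_injection_match_set(SqlInjectionMatchSetId = summary['SqlInjectionMatchSetId']), "get_sql_injection_match_set()", log, template)
        matchSet = condition['SqlInjectionMatchSet']
        namePrefix = "sql_injection_match_set_" + str(k)
        # Separate consecutive resources explicitly so a closing brace is never
        # directly followed by the next "resource" keyword.
        if k > 0:
            chunks.append("\n\n")
        chunks.append(resourcePrefix + "sql_injection_match_set\" \"" + namePrefix + "\" {\n")
        chunks.append(" name = \"" + matchSet['Name'] + "\"\n\n")
        opening = " sql_injection_match_tuples {\n" if isGlobal else " sql_injection_match_tuple {\n"
        tupleBlocks = []
        for entry in matchSet['SqlInjectionMatchTuples']:
            tupleBlocks.append(
                opening
                + " text_transformation = \"" + entry['TextTransformation'] + "\"\n"
                + _fieldToMatchLines(entry['FieldToMatch'], " }\n")
                + " }"
            )
        chunks.append(_joinBlocks(tupleBlocks))
        conditionsDict[summary['SqlInjectionMatchSetId']] = namePrefix
        chunks.append("}")
    chunks.append("\n\n")

    # Getting the Size Constraint Set Conditions
    listing = _fetchOrAbort(lambda: botoClient.list_size_constraint_sets(), "list_size_constraint_sets()", log, template)
    for k, summary in enumerate(listing['SizeConstraintSets']):
        condition = _fetchOrAbort(lambda: botoClient.get_size_constraint_set(SizeConstraintSetId = summary['SizeConstraintSetId']), "get_size_constraint_set())", log, template)
        constraintSet = condition['SizeConstraintSet']
        namePrefix = "size_constraint_set_" + str(k)
        # Same explicit separation between consecutive resources as above.
        if k > 0:
            chunks.append("\n\n")
        chunks.append(resourcePrefix + "size_constraint_set\" \"" + namePrefix + "\" {\n")
        chunks.append(" name = \"" + constraintSet['Name'] + "\"\n\n")
        tupleBlocks = []
        for entry in constraintSet['SizeConstraints']:
            tupleBlocks.append(
                " size_constraints {\n"
                + " text_transformation = \"" + entry['TextTransformation'] + "\"\n"
                + " comparison_operator = \"" + entry['ComparisonOperator'] + "\"\n"
                + " size = \"" + str(entry['Size']) + "\"\n\n"
                + _fieldToMatchLines(entry['FieldToMatch'], " }\n")
                + " }"
            )
        chunks.append(_joinBlocks(tupleBlocks))
        conditionsDict[summary['SizeConstraintSetId']] = namePrefix
        chunks.append("}")
    chunks.append("\n\n")

    # Getting the IP Set Conditions
    listing = _fetchOrAbort(lambda: botoClient.list_ip_sets(), "list_ip_sets()", log, template)
    for k, summary in enumerate(listing['IPSets']):
        condition = _fetchOrAbort(lambda: botoClient.get_ip_set(IPSetId = summary['IPSetId']), "get_ip_set()", log, template)
        ipSet = condition['IPSet']
        namePrefix = "ipset_" + str(k)
        chunks.append(resourcePrefix + "ipset\" \"" + namePrefix + "\" {\n")
        chunks.append(" name = \"" + ipSet['Name'] + "\"\n\n")
        opening = " ip_set_descriptors {\n" if isGlobal else " ip_set_descriptor {\n"
        tupleBlocks = []
        for entry in ipSet['IPSetDescriptors']:
            tupleBlocks.append(
                opening
                + " type = \"" + entry['Type'] + "\"\n"
                + " value = \"" + entry['Value'] + "\"\n"
                + " }"
            )
        chunks.append(_joinBlocks(tupleBlocks))
        conditionsDict[summary['IPSetId']] = namePrefix
        chunks.append("}\n\n")

    # Getting the Geo Conditions
    listing = _fetchOrAbort(lambda: botoClient.list_geo_match_sets(), "list_geo_match_sets()", log, template)
    for k, summary in enumerate(listing['GeoMatchSets']):
        condition = _fetchOrAbort(lambda: botoClient.get_geo_match_set(GeoMatchSetId = summary['GeoMatchSetId']), "get_geo_match_set()", log, template)
        geoSet = condition['GeoMatchSet']
        namePrefix = "geo_match_set_" + str(k)
        chunks.append(resourcePrefix + "geo_match_set\" \"" + namePrefix + "\" {\n")
        chunks.append(" name = \"" + geoSet['Name'] + "\"\n\n")
        tupleBlocks = []
        for entry in geoSet['GeoMatchConstraints']:
            tupleBlocks.append(
                " geo_match_constraint {\n"
                + " type = \"" + entry['Type'] + "\"\n"
                + " value = \"" + entry['Value'] + "\"\n"
                + " }"
            )
        chunks.append(_joinBlocks(tupleBlocks))
        conditionsDict[summary['GeoMatchSetId']] = namePrefix
        chunks.append("}\n\n")

    # Getting the XSS Conditions
    listing = _fetchOrAbort(lambda: botoClient.list_xss_match_sets(), "list_xss_match_sets()", log, template)
    for k, summary in enumerate(listing['XssMatchSets']):
        condition = _fetchOrAbort(lambda: botoClient.get_xss_match_set(XssMatchSetId = summary['XssMatchSetId']), "get_xss_match_set()", log, template)
        matchSet = condition['XssMatchSet']
        namePrefix = "xss_match_set_" + str(k)
        # The last resource still ends on a bare "}", but two XSS sets are now
        # separated instead of being written back to back on one line.
        if k > 0:
            chunks.append("\n\n")
        chunks.append(resourcePrefix + "xss_match_set\" \"" + namePrefix + "\" {\n")
        chunks.append(" name = \"" + matchSet['Name'] + "\"\n\n")
        opening = " xss_match_tuples {\n" if isGlobal else " xss_match_tuple {\n"
        tupleBlocks = []
        for entry in matchSet['XssMatchTuples']:
            tupleBlocks.append(
                opening
                + " text_transformation = \"" + entry['TextTransformation'] + "\"\n"
                + _fieldToMatchLines(entry['FieldToMatch'], " }\n")
                + " }"
            )
        chunks.append(_joinBlocks(tupleBlocks))
        conditionsDict[summary['XssMatchSetId']] = namePrefix
        chunks.append("}")

    returnString = "".join(chunks)
    return([conditionsDict, returnString])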