VhudZdZdZ ddlZddlmZddlmZddl m Z ddl m Z dd l mZdd l mZdd l mZdd l mZdd l mZddlmZGddeZdZedk(reyy#e$rY_wxYw)a module: waf_condition short_description: Create and delete WAF Conditions version_added: 1.0.0 description: - Read the AWS documentation for WAF U(https://aws.amazon.com/documentation/waf/) - Prior to release 5.0.0 this module was called C(community.aws.aws_waf_condition). The usage did not change. author: - Will Thames (@willthames) - Mike Mochan (@mmochan) options: name: description: Name of the Web Application Firewall condition to manage. required: true type: str type: description: The type of matching to perform. choices: - byte - geo - ip - regex - size - sql - xss type: str required: true filters: description: - A list of the filters against which to match. - For I(type=byte), valid keys are I(field_to_match), I(position), I(header), I(transformation) and I(target_string). - For I(type=geo), the only valid key is I(country). - For I(type=ip), the only valid key is I(ip_address). - For I(type=regex), valid keys are I(field_to_match), I(transformation) and I(regex_pattern). - For I(type=size), valid keys are I(field_to_match), I(transformation), I(comparison) and I(size). - For I(type=sql), valid keys are I(field_to_match) and I(transformation). - For I(type=xss), valid keys are I(field_to_match) and I(transformation). - Required when I(state=present). type: list elements: dict suboptions: field_to_match: description: - The field upon which to perform the match. - Valid when I(type=byte), I(type=regex), I(type=sql) or I(type=xss). type: str choices: ['uri', 'query_string', 'header', 'method', 'body'] position: description: - Where in the field the match needs to occur. - Only valid when I(type=byte). type: str choices: ['exactly', 'starts_with', 'ends_with', 'contains', 'contains_word'] header: description: - Which specific header should be matched. - Required when I(field_to_match=header). - Valid when I(type=byte). type: str transformation: description: - A transform to apply on the field prior to performing the match. - Valid when I(type=byte), I(type=regex), I(type=sql) or I(type=xss). type: str choices: ['none', 'compress_white_space', 'html_entity_decode', 'lowercase', 'cmd_line', 'url_decode'] country: description: - Value of geo constraint (typically a two letter country code). - The only valid key when I(type=geo). type: str ip_address: description: - An IP Address or CIDR to match. - The only valid key when I(type=ip). type: str regex_pattern: description: - A dict describing the regular expressions used to perform the match. - Only valid when I(type=regex). type: dict suboptions: name: description: A name to describe the set of patterns. type: str regex_strings: description: A list of regular expressions to match. type: list elements: str comparison: description: - What type of comparison to perform. - Only valid key when I(type=size). type: str choices: ['EQ', 'NE', 'LE', 'LT', 'GE', 'GT'] size: description: - The size of the field (in bytes). - Only valid key when I(type=size). type: int target_string: description: - The string to search for. - May be up to 50 bytes. - Valid when I(type=byte). type: str purge_filters: description: - Whether to remove existing filters from a condition if not passed in I(filters). default: false type: bool waf_regional: description: Whether to use C(waf-regional) module. default: false required: false type: bool state: description: Whether the condition should be C(present) or C(absent). choices: - present - absent default: present type: str extends_documentation_fragment: - amazon.aws.common.modules - amazon.aws.region.modules - amazon.aws.boto3 a - name: create WAF byte condition community.aws.waf_condition: name: my_byte_condition filters: - field_to_match: header position: STARTS_WITH target_string: Hello header: Content-type type: byte - name: create WAF geo condition community.aws.waf_condition: name: my_geo_condition filters: - country: US - country: AU - country: AT type: geo - name: create IP address condition community.aws.waf_condition: name: "{{ resource_prefix }}_ip_condition" filters: - ip_address: "10.0.0.0/8" - ip_address: "192.168.0.0/24" type: ip - name: create WAF regex condition community.aws.waf_condition: name: my_regex_condition filters: - field_to_match: query_string regex_pattern: name: greetings regex_strings: - '[hH]ello' - '^Hi there' - '.*Good Day to You' type: regex - name: create WAF size condition community.aws.waf_condition: name: my_size_condition filters: - field_to_match: query_string size: 300 comparison: GT type: size - name: create WAF sql injection condition community.aws.waf_condition: name: my_sql_condition filters: - field_to_match: query_string transformation: url_decode type: sql - name: create WAF xss condition community.aws.waf_condition: name: my_xss_condition filters: - field_to_match: query_string transformation: url_decode type: xss a. condition: description: Condition returned by operation. returned: always type: complex contains: condition_id: description: Type-agnostic ID for the condition. returned: when state is present type: str sample: dd74b1ff-8c06-4a4f-897a-6b23605de413 byte_match_set_id: description: ID for byte match set. returned: always type: str sample: c4882c96-837b-44a2-a762-4ea87dbf812b byte_match_tuples: description: List of byte match tuples. returned: always type: complex contains: field_to_match: description: Field to match. returned: always type: complex contains: data: description: Which specific header (if type is header). type: str sample: content-type type: description: Type of field type: str sample: HEADER positional_constraint: description: Position in the field to match. type: str sample: STARTS_WITH target_string: description: String to look for. type: str sample: Hello text_transformation: description: Transformation to apply to the field before matching. type: str sample: NONE geo_match_constraints: description: List of geographical constraints. returned: when type is geo and state is present type: complex contains: type: description: Type of geo constraint. type: str sample: Country value: description: Value of geo constraint (typically a country code). type: str sample: AT geo_match_set_id: description: ID of the geo match set. returned: when type is geo and state is present type: str sample: dd74b1ff-8c06-4a4f-897a-6b23605de413 ip_set_descriptors: description: list of IP address filters returned: when type is ip and state is present type: complex contains: type: description: Type of IP address (IPV4 or IPV6). returned: always type: str sample: IPV4 value: description: IP address. returned: always type: str sample: 10.0.0.0/8 ip_set_id: description: ID of condition. returned: when type is ip and state is present type: str sample: 78ad334a-3535-4036-85e6-8e11e745217b name: description: Name of condition. returned: when state is present type: str sample: my_waf_condition regex_match_set_id: description: ID of the regex match set. returned: when type is regex and state is present type: str sample: 5ea3f6a8-3cd3-488b-b637-17b79ce7089c regex_match_tuples: description: List of regex matches. returned: when type is regex and state is present type: complex contains: field_to_match: description: Field on which the regex match is applied. type: complex contains: type: description: The field name. returned: when type is regex and state is present type: str sample: QUERY_STRING regex_pattern_set_id: description: ID of the regex pattern. type: str sample: 6fdf7f2d-9091-445c-aef2-98f3c051ac9e text_transformation: description: transformation applied to the text before matching type: str sample: NONE size_constraint_set_id: description: ID of the size constraint set. returned: when type is size and state is present type: str sample: de84b4b3-578b-447e-a9a0-0db35c995656 size_constraints: description: List of size constraints to apply. returned: when type is size and state is present type: complex contains: comparison_operator: description: Comparison operator to apply. type: str sample: GT field_to_match: description: Field on which the size constraint is applied. type: complex contains: type: description: Field name. type: str sample: QUERY_STRING size: description: Size to compare against the field. type: int sample: 300 text_transformation: description: Transformation applied to the text before matching. type: str sample: NONE sql_injection_match_set_id: description: ID of the SQL injection match set. returned: when type is sql and state is present type: str sample: de84b4b3-578b-447e-a9a0-0db35c995656 sql_injection_match_tuples: description: List of SQL injection match sets. returned: when type is sql and state is present type: complex contains: field_to_match: description: Field on which the SQL injection match is applied. type: complex contains: type: description: Field name. type: str sample: QUERY_STRING text_transformation: description: Transformation applied to the text before matching. type: str sample: URL_DECODE xss_match_set_id: description: ID of the XSS match set. returned: when type is xss and state is present type: str sample: de84b4b3-578b-447e-a9a0-0db35c995656 xss_match_tuples: description: List of XSS match sets. returned: when type is xss and state is present type: complex contains: field_to_match: description: Field on which the XSS match is applied. type: complex contains: type: description: Field name type: str sample: QUERY_STRING text_transformation: description: transformation applied to the text before matching. type: str sample: URL_DECODE N)camel_dict_to_snake_dict)is_boto3_error_code)compare_policies)AWSRetry) MATCH_LOOKUP)get_rule_with_backoff) list_regional_rules_with_backoff)list_rules_with_backoff)"run_func_with_change_token_backoff)AnsibleCommunityAWSModuleceZdZdZdZdZejdZejdZ dZ dZ dZ d Z d Zejd Zd Zd ZdZdZdZdZdZdZdZy) Conditionc||_||_|jd|_t|jd|_t|jd|_t|jddz|_t|jddz|_t|jd|_ t|jddz|_ t|jd|_ y)Ntypemethod conditionsetsIdconditiontuple) clientmoduleparamsrr method_suffixr conditionsetsconditionsetidrconditiontuples conditiontype)selfrrs o/home/dcms/DCMS/lib/python3.12/site-packages/ansible_collections/community/aws/plugins/modules/waf_condition.py__init__zCondition.__init__s  MM&) )$))4X>(3NC)$))4^DsJ*4995nEL*49956FG+DII67GH3N)$))4V<ct}t|d<|jjj dD] }|j dk(r,d|j dvrd}nd}||j dd}|j d k(rtd |j d }|j d vrtt|j d j |j ddj }|j d j dk(r\|j dr&|j dj|dd<n%|jjtd|j dk(r(|j dd<|j d|d<|j dk(r(|j dd<|j d|d <|j d!k(r&|j|j d"d#d#<|djd$d%|ji|||j<|S)&NUpdatesfiltersip: ip_addressIPV6IPV4)TypeValuegeoCountrycountry)r%r,field_to_match)r*transformationnone) FieldToMatchTextTransformationHEADERheaderr2Dataz#DATA required when HEADER requestedmsgbyte target_string TargetStringpositionPositionalConstraintsize comparisonComparisonOperatorSizeregex regex_patternRegexPatternSetIdActionINSERT)dictlistrrgetrupperlower fail_jsonstrensure_regex_pattern_presentappendrr)rcondition_set_idkwargsfiltrip_typecondition_inserts rformat_for_updatezCondition.format_for_updates2 Fy[[''++I6+ bEyyD %))L11$G$G,3eii >U#V yyE!#'Yeii >R#S yy -#'!%5995E+F+L+L+N!O',yy1A6'J'P'P'R$ 99-.446(Byy*CH99XCVC\C\C^(8@ --#6[2\-]yyF"3899_3M 0;@99Z;P !78yyF"9><9P !56+099V+< (yyG#8<8Y8YZ_ZcZcdsZt8u'9 !45 9  $ $h$:M:MO_%` aW+ bZ'7t""# r!cd||jDcgc]}dd|j|ic}|j||jiScc}w)Nr#rEDELETE)rrr)r conditioncurrent_condition_tuples rformat_for_deletionzCondition.format_for_deletions] /89M9M/N+8T%8%8:QR   4+>+>!?   sAc :|jjdi|S)N)rlist_regex_pattern_sets)rrs r list_regex_patterns_with_backoffz*Condition.list_regex_patterns_with_backoffs2t{{22g}i} |jdi|}|jdd|vr |d|d<n |S8#tjjtjjf$r'}|j j |dYd}~~d}~wwxYw)NzCould not list regex patternsr7RegexPatternSets NextMarkerr\)r^botocore exceptions ClientError BotoCoreErrorr fail_json_awsextend)rregex_patternsrresponsees rlist_regex_patternszCondition.list_regex_patternss R@4@@J6J  ! !(+="> ?x''/ '=|$''33X5H5H5V5VW R ))!1P)QQ Rs>7B5BBc~|j}td|D}||vr|j||dSy)Nc30K|]}|d|dfyw)NamerDNr\).0items r z6Condition.get_regex_pattern_by_name..sj$T&\40C+DEjsRegexPatternSet)rprGrc)rnameexisting_regex_patterns regex_lookups rget_regex_pattern_by_namez#Condition.get_regex_pattern_by_namesI"&":":"<jRijj < ::<;MNO`a ar!cN|d}|j|}|s;t|j|jd|i|jjd}t |dt |dz }t |dt |dz }|s|s|S|Dcgc]}d|d }}|j |Dcgc]}d|d c}t|j|j|d |d |jjd |j|d dScc}wcc}w) Nrxrsrw regex_stringsRegexPatternStringsrFrERegexPatternStringrWrDrDr#Twait) r{r rrcreate_regex_pattern_setsetrlupdate_regex_pattern_setrc)rrCrx pattern_setmissingextrapatternupdatess rrNz&Condition.ensure_regex_pattern_presents-V$44T: < T[[64.$++:^:^!KmO45KH]<^8__K 567#mO>\:]]u V]^7hgF^^[`aPW87Kab* KK KK"-.A"Bw W KK 0 0  66{CV7WXYjkk_as  D5 D"cZ |jj|d}t}|dD]}|jd|dt |j|j ||d|jj t |j|j d|i|jjd y#td $rYytjjtjjf$r'}|j j|d Yd}~yd}~wwxYw) Nr`rwr~rWrrrDTrWAFNonexistentItemExceptionzCould not delete regex patternr7)rrarHrOr rrdelete_regex_pattern_setrrgrhrirjrk)rrbregex_pattern_setrregex_pattern_stringros rdelete_unused_regex_patternz%Condition.delete_unused_regex_pattern%s O $ A ATh A i!! fG(9:O(P a$(J^_` a .  &:wO 44   /  $&:; 44  ##@A      + +    - -  O KK % %a-M % N N  OsB:B==D* 6D*D%%D*c|jDcgc] }|d|k(s |}}|r|d|jSycc}w)Nrsr)list_conditionsr)rrxdall_conditionss rget_condition_by_namezCondition.get_condition_by_nameCsM%)%9%9%;QqyD?P!QQ !!$T%8%89 9 Rs <<ct}|||j<t|jd|jz}|di||j S)Nget_r\)rGrgetattrrrr)rrPrfuncs r get_condition_by_id_with_backoffz*Condition.get_condition_by_id_with_backoffHsK&6t""#t{{FT-?-?$?@~f~d//00r!c |j|S#tjjtjjf$r'}|j j |dYd}~yd}~wwxYw)NzCould not get conditionr7)rrgrhrirjrrk)rrPros rget_condition_by_idzCondition.get_condition_by_idOsd H889IJ J##//1D1D1R1RS H KK % %a-F % G G Hs7A1 A,,A1c d|jzdz} |jj|}|jj} ||jS#t j j$rt|j|}YJwxYw#t j jt j jf$r5}|jj|d|jdYd}~yd}~wwxYw)Nlist_rzCould not list z conditionsr7)rr get_paginatorpaginatebuild_full_resultrgrhOperationNotPageableErrorrrrirjrrkr)rr paginatorrros rrzCondition.list_conditionsUs4---3 0 11&9I%%'99D W6$,,- - ""<< 04;;/D 0 ##//1D1D1R1RS W KK % %atyyk-U % V V Ws)5A B3BB7D+C>>Dc(|j}t}|D]C}|jd|j||j|j DE||j D]}|d|vs |j |d y)Nc3&K|] }|d yw)rDNr\)rtrs rrvz3Condition.tidy_up_regex_patterns..fs*"23*srD)rrHrlrrrr)rregex_match_setall_regex_match_setsall_match_set_patternsrmsrRs rtidy_up_regex_patternsz Condition.tidy_up_regex_patternsbs#335!%' C " ) )*&*&>&>s4CVCV?W&XY]YmYm&n*   %T%9%9: ME()1GG007J1KL Mr!cg} |jjjdk(rt|j}n8|jjjdk(rt |j}D]I} t|j|d}|dDcgc]}|d c}vs6|j|d K|S#t j jt j jf$r'}|jj|dYd}~d}~wwxYw#t j jt j jf$r'}|jj|dYd}~d}~wwxYwcc}w) NWAF WAFRegionalzCould not list rulesr7RuleIdzCould not get rule details PredicatesDataIdrs) r __class____name__r r rgrhrirjrrkrrO)rrP rules_in_use all_rulesrorule rule_details predicates rfind_condition_in_rulesz!Condition.find_condition_in_rulesnsX  E{{$$--63DKK@ &&//=@$F'7F$=FF$'7HHHcg}|dD]L}d}||j}||j}|D]}t||rd}|r<|j|N|S)Nr#FT)rrrrO) rupdaterrdesiredfounddesired_conditioncurrent_conditionsrXs r find_missingzCondition.find_missingsyi( (GE '(;(; < !243G3G!H / ! ' 3DE E !w' (r!c |j|}|j|}|j||}|jjj drO||j Dcgc]4}||dDcgc]}||jc}vrdd|j|i6}}}ng}t|xs|}|rP||z|d<t|jd|jz} t|j|j|| d||j|fScc}wcc}}w#tjjtjj f$r'} |jj#| d Yd} ~ wd} ~ wwxYw) N purge_filtersr#rErWrTrzCould not update conditionr7)rrUrrrrIrrboolrrrr rgrhrirjrk) rrPrrr current_tuplerrchangedrros rfind_and_update_conditionz#Condition.find_and_update_conditions 445EF''(89##F,=> ;;   ! !/ 2&7t7K7K%L! U[\eUf(g'1D1D)E(gg8T%8%8-HE Ew'%(  '%F9 4;; D4F4F(FGD O24;; VUY`de001ABBB)h''33X5H5H5V5VW O ))!1M)NN Os0, D$9DD$($D*D$*7F!FFc>|jjd}|j|}|r|j|St }||d<t |j d|jz} t|j |j||}|j|j|jS#tjjtjjf$r'}|jj|dYd}~d}~wwxYw)Nrxrscreate_zCould not create conditionr7)rrrrrGrrrr rgrhrirjrkrr)rrxrPrrrXros rensure_condition_presentz"Condition.ensure_condition_presents{{!!&)55d; 112BC CVF!F6N4;; D4F4F(FGD O>t{{DKKY_aef 11)D>7D5DDc|j|jjd}|r|j|SdifS)NrxF)rrrr)rrPs rensure_condition_absentz!Condition.ensure_condition_absentsA55dkk6H6H6PQ 112BC Cbyr!N)r __module__ __qualname__r rUrZrexponential_backoffr^rcrpr{rNrrrrrrrrrrrrr\r!rrrs =3j "X!!#=$="X!!#Y$Y l.O<: "X!!#1$1 H W M$6 C, er!rcPtttgdttgdtgdtgdttdttdtttd d    }ttdtdgdtd d|tddtddtdddg}t|dddggg}|jjd}|jdsdnd }|j |}t ||}|dk(r&|j \}}||j|d!<n|j\}}|j|t|"y)#N)uri query_stringr5rbody)choices)r1compress_white_spacehtml_entity_decode lowercasecmd_line url_decode)exactly starts_with ends_withcontains contains_word)EQNELELTGEGTint)rrGrHrM)relements)rxr})roptions) r.r/r5r0r<r?r:r>r'rCT)required)r9r,r%rBr>sqlxss)rr)rrrrF)rdefaultpresentabsent)rr)rxrr$r waf_regionalstaterr$) argument_spec required_ifrwafz waf-regional ConditionId)rrX) rGAnsibleAWSModulerrIrrrrr exit_jsonr) filters_subspecrrrresourcerrXrresultss rmainrs|$WXvq bc DEf u 6V"? O( 4 4)] ^&6?K6vu59y(.CD M#y9+67F MM  g &E"MM.9u~H ]]8 $F&&)I &??A'!()A)A!B &>>@' W0H0QRr!__main__) DOCUMENTATIONEXAMPLESRETURNrg ImportError0ansible.module_utils.common.dict_transformationsransible_collections.community.aws.plugins.module_utils.modulesr robjectrrrr\r!rr sC JA F~ @ V\WPPYd[fxnnb /Sd zFi   sA$$A,+A,