incapsula_security_rule_exception resource - Remove usages of ignored…

… parameter 'url_patterns' and add deprecation message (#496) * incapsula_security_rule_exception resource - Remove usages of ignored parameter 'url_patterns' and add deprecation message * Fix usages of AddSecurityRuleException --------- Co-authored-by: aviv.yaari <[email protected]>
imperva · Dec 26, 2024 · 9a2492d · 9a2492d
1 parent 720c379
commit 9a2492d
Show file tree

Hide file tree

Showing 7 changed files with 23 additions and 122 deletions.
diff --git a/examples/example.tf b/examples/example.tf
@@ -398,7 +398,6 @@ resource "incapsula_security_rule_exception" "example-waf-backdoor-rule-exceptio
   countries    = "JM,US"
   continents   = "NA,AF"
   ips          = "1.2.3.6,1.2.3.7"
-  url_patterns = "EQUALS,CONTAINS"
   urls         = "/myurl,/myurl2"
   user_agents  = "myUserAgent"
   parameters   = "myparam"
@@ -418,7 +417,6 @@ resource "incapsula_security_rule_exception" "example-waf-bot_access-control-rul
   rule_id          = "api.threats.bot_access_control"
   client_app_types = "DataScraper,"
   ips              = "1.2.3.6,1.2.3.7"
-  url_patterns     = "EQUALS,CONTAINS"
   urls             = "/myurl,/myurl2"
   user_agents      = "myUserAgent"
 }
@@ -437,7 +435,6 @@ resource "incapsula_security_rule_exception" "example-waf-cross-site-scripting-r
   client_apps  = "488,123"
   countries    = "JM,US"
   continents   = "NA,AF"
-  url_patterns = "EQUALS,CONTAINS"
   urls         = "/myurl,/myurl2"
   parameters   = "myparam"
 }
@@ -460,7 +457,6 @@ resource "incapsula_security_rule_exception" "example-waf-ddos-rule-exception" {
   countries    = "JM,US"
   continents   = "NA,AF"
   ips          = "1.2.3.6,1.2.3.7"
-  url_patterns = "EQUALS,CONTAINS"
   urls         = "/myurl,/myurl2"
 }
 
@@ -479,7 +475,6 @@ resource "incapsula_security_rule_exception" "example-waf-illegal-resource-acces
   countries    = "JM,US"
   continents   = "NA,AF"
   ips          = "1.2.3.6,1.2.3.7"
-  url_patterns = "EQUALS,CONTAINS"
   urls         = "/myurl,/myurl2"
   parameters   = "myparam"
 }
@@ -499,7 +494,6 @@ resource "incapsula_security_rule_exception" "example-waf-remote-file-inclusion-
   countries    = "JM,US"
   continents   = "NA,AF"
   ips          = "1.2.3.6,1.2.3.7"
-  url_patterns = "EQUALS,CONTAINS"
   urls         = "/myurl,/myurl2"
   user_agents  = "myUserAgent"
   parameters   = "myparam"
@@ -520,7 +514,6 @@ resource "incapsula_security_rule_exception" "example-waf-sql-injection-rule-exc
   countries    = "JM,US"
   continents   = "NA,AF"
   ips          = "1.2.3.6,1.2.3.7"
-  url_patterns = "EQUALS,CONTAINS"
   urls         = "/myurl,/myurl2"
 }
 

diff --git a/examples/security_rules.tf b/examples/security_rules.tf
@@ -82,50 +82,6 @@ resource "incapsula_waf_security_rule" "example-waf-ddos-rule" {
   block_non_essential_bots  = "false"
 }
 
-####################################################################
-# Security Rules (ACLs)
-####################################################################
-
-# Security Rule: Country
-resource "incapsula_acl_security_rule" "example-global-blacklist-country-rule" {
-  site_id   = incapsula_site.example-site.id
-  rule_id   = "api.acl.blacklisted_countries"
-  countries = "AI,AN"
-}
-
-# Security Rule: Blacklist IP
-resource "incapsula_acl_security_rule" "example-global-blacklist-ip-rule" {
-  site_id = incapsula_site.example-site.id
-  rule_id = "api.acl.blacklisted_ips"
-  ips     = "192.168.1.1,192.168.1.2"
-}
-
-# Security Rule: Blacklist IP Exception
-resource "incapsula_acl_security_rule" "example-global-blacklist-ip-rule_exception" {
-  rule_id      = "api.acl.blacklisted_ips"
-  site_id      = incapsula_site.example-site.id
-  ips          = "192.168.1.1,192.168.1.2"
-  urls         = "/myurl,/myurl2"
-  url_patterns = "EQUALS,CONTAINS"
-  countries    = "JM,US"
-  client_apps  = "488,123"
-}
-
-# Security Rule: URL
-resource "incapsula_acl_security_rule" "example-global-blacklist-url-rule" {
-  rule_id      = "api.acl.blacklisted_urls"
-  site_id      = incapsula_site.example-site.id
-  url_patterns = "CONTAINS,EQUALS"
-  urls         = "/alpha,/bravo"
-}
-
-# Security Rule: Whitelist IP
-resource "incapsula_acl_security_rule" "example-global-whitelist-ip-rule" {
-  rule_id = "api.acl.whitelisted_ips"
-  site_id = incapsula_site.example-site.id
-  ips     = "192.168.1.3,192.168.1.4"
-}
-
 ####################################################################
 # Incap Rules
 ####################################################################

diff --git a/incapsula/client_security_rule_exception.go b/incapsula/client_security_rule_exception.go
@@ -7,7 +7,6 @@ import (
 	"log"
 	"net/url"
 	"strconv"
-	"strings"
 )
 
 // Endpoints (unexported consts)
@@ -18,17 +17,17 @@ const endpointExceptionList = "sites/status"
 // NOTE: no exceptions for whitelistedIPsExceptionRuleId
 var securityRuleExceptionParamMapping = map[string][]string{
 	// ACL RuleIDs
-	blacklistedCountriesExceptionRuleID: {"client_app_types", "ips", "url_patterns", "urls"},
-	blacklistedIPsExceptionRuleID:       {"client_apps", "countries", "continents", "ips", "url_patterns", "urls"},
-	blacklistedURLsExceptionRuleID:      {"client_apps", "countries", "continents", "ips", "url_patterns", "urls"},
+	blacklistedCountriesExceptionRuleID: {"client_app_types", "ips", "urls"},
+	blacklistedIPsExceptionRuleID:       {"client_apps", "countries", "continents", "ips", "urls"},
+	blacklistedURLsExceptionRuleID:      {"client_apps", "countries", "continents", "ips", "urls"},
 	// WAF RuleIDs
-	backdoorExceptionRuleID:              {"client_apps", "countries", "continents", "ips", "url_patterns", "urls", "user_agents", "parameters"},
-	botAccessControlExceptionRuleID:      {"client_app_types", "ips", "url_patterns", "urls", "user_agents"},
-	crossSiteScriptingExceptionRuleID:    {"client_apps", "countries", "continents", "url_patterns", "urls", "parameters"},
-	ddosExceptionRuleID:                  {"client_apps", "countries", "continents", "ips", "url_patterns", "urls"},
-	illegalResourceAccessExceptionRuleID: {"client_apps", "countries", "continents", "ips", "url_patterns", "urls", "parameters"},
-	remoteFileInclusionExceptionRuleID:   {"client_apps", "countries", "continents", "ips", "url_patterns", "urls", "user_agents", "parameters"},
-	sqlInjectionExceptionRuleID:          {"client_apps", "countries", "continents", "ips", "url_patterns", "urls", "parameters"},
+	backdoorExceptionRuleID:              {"client_apps", "countries", "continents", "ips", "urls", "user_agents", "parameters"},
+	botAccessControlExceptionRuleID:      {"client_app_types", "ips", "urls", "user_agents"},
+	crossSiteScriptingExceptionRuleID:    {"client_apps", "countries", "continents", "urls", "parameters"},
+	ddosExceptionRuleID:                  {"client_apps", "countries", "continents", "ips", "urls"},
+	illegalResourceAccessExceptionRuleID: {"client_apps", "countries", "continents", "ips", "urls", "parameters"},
+	remoteFileInclusionExceptionRuleID:   {"client_apps", "countries", "continents", "ips", "urls", "user_agents", "parameters"},
+	sqlInjectionExceptionRuleID:          {"client_apps", "countries", "continents", "ips", "urls", "parameters"},
 }
 
 // SecurityRuleExceptionCreateResponse provides exception_id of rule exception
@@ -39,7 +38,7 @@ type SecurityRuleExceptionCreateResponse struct {
 }
 
 // AddSecurityRuleException adds a security rule exception
-func (c *Client) AddSecurityRuleException(siteID int, ruleID, clientAppTypes, clientApps, countries, continents, ips, urlPatterns, urls, userAgents, parameters string) (*SecurityRuleExceptionCreateResponse, error) {
+func (c *Client) AddSecurityRuleException(siteID int, ruleID, clientAppTypes, clientApps, countries, continents, ips, urls, userAgents, parameters string) (*SecurityRuleExceptionCreateResponse, error) {
 	// Base URL values
 	values := url.Values{
 		"site_id":           {strconv.Itoa(siteID)},
@@ -49,11 +48,6 @@ func (c *Client) AddSecurityRuleException(siteID int, ruleID, clientAppTypes, cl
 
 	log.Printf("[INFO] Adding new security rule exception for rule_id (%s) for site id (%d)\n", ruleID, siteID)
 
-	err := validateListSizes(urlPatterns, urls)
-	if err != nil {
-		return nil, err
-	}
-
 	// Check to see if ruleID is correct, then iterate rule specific parameters
 	if ruleParams, ok := securityRuleExceptionParamMapping[ruleID]; ok {
 		for i := 0; i < len(ruleParams); i++ {
@@ -71,8 +65,6 @@ func (c *Client) AddSecurityRuleException(siteID int, ruleID, clientAppTypes, cl
 				values.Add("ips", ips)
 			} else if param == "parameters" && parameters != "" {
 				values.Add("parameters", parameters)
-			} else if param == "url_patterns" && urlPatterns != "" {
-				values.Add("url_patterns", urlPatterns)
 			} else if param == "urls" && urls != "" {
 				values.Add("urls", urls)
 			} else if param == "user_agents" && userAgents != "" {
@@ -113,7 +105,7 @@ func (c *Client) AddSecurityRuleException(siteID int, ruleID, clientAppTypes, cl
 }
 
 // EditSecurityRuleException edits a security rule exception
-func (c *Client) EditSecurityRuleException(siteID int, ruleID, clientAppTypes, clientApps, countries, continents, ips, urlPatterns, urls, userAgents, parameters, whitelistID string) (*SiteStatusResponse, error) {
+func (c *Client) EditSecurityRuleException(siteID int, ruleID, clientAppTypes, clientApps, countries, continents, ips, urls, userAgents, parameters, whitelistID string) (*SiteStatusResponse, error) {
 	// Base URL values
 	values := url.Values{
 		"site_id":      {strconv.Itoa(siteID)},
@@ -123,11 +115,6 @@ func (c *Client) EditSecurityRuleException(siteID int, ruleID, clientAppTypes, c
 
 	log.Printf("[INFO] Updating existing security rule exception for rule_id (%s) whitelist_id (%s) for site_id (%d)\n", ruleID, whitelistID, siteID)
 
-	err := validateListSizes(urlPatterns, urls)
-	if err != nil {
-		return nil, err
-	}
-
 	// Check to see if ruleID is correct, then iterate rule specific parameters
 	if ruleParams, ok := securityRuleExceptionParamMapping[ruleID]; ok {
 		for i := 0; i < len(ruleParams); i++ {
@@ -145,8 +132,6 @@ func (c *Client) EditSecurityRuleException(siteID int, ruleID, clientAppTypes, c
 				values.Add("ips", ips)
 			} else if param == "parameters" && parameters != "" {
 				values.Add("parameters", parameters)
-			} else if param == "url_patterns" && urlPatterns != "" {
-				values.Add("url_patterns", urlPatterns)
 			} else if param == "urls" && urls != "" {
 				values.Add("urls", urls)
 			} else if param == "user_agents" && userAgents != "" {
@@ -284,14 +269,3 @@ func (c *Client) DeleteSecurityRuleException(siteID int, ruleID, whitelistID str
 
 	return nil
 }
-
-func validateListSizes(urlPatterns, urls string) error {
-	urlPatternsList := strings.Split(urlPatterns, ",")
-	urlsList := strings.Split(urls, ",")
-
-	if len(urlPatternsList) != len(urlsList) {
-		return fmt.Errorf("error: url_patterns and urls lists do not have the same number of elements")
-	}
-
-	return nil
-}
diff --git a/incapsula/client_security_rule_exception_test.go b/incapsula/client_security_rule_exception_test.go
@@ -21,7 +21,7 @@ func TestClientAddSecurityRuleExceptionBadConnection(t *testing.T) {
 	client := &Client{config: config, httpClient: &http.Client{Timeout: time.Millisecond * 1}}
 	siteID := 1234
 	ruleID := "api.threats.backdoor"
-	addSecurityRuleExceptionResponse, err := client.AddSecurityRuleException(siteID, ruleID, "", "", "", "", "", "", "", "", "")
+	addSecurityRuleExceptionResponse, err := client.AddSecurityRuleException(siteID, ruleID, "", "", "", "", "", "", "", "")
 	if err == nil {
 		t.Errorf("Should have received an error")
 	}
@@ -48,7 +48,7 @@ func TestClientAddSecurityRuleExceptionBadJSON(t *testing.T) {
 	client := &Client{config: config, httpClient: &http.Client{}}
 	siteID := 1234
 	ruleID := "api.threats.backdoor"
-	addSecurityRuleExceptionResponse, err := client.AddSecurityRuleException(siteID, ruleID, "", "", "", "", "", "", "", "", "")
+	addSecurityRuleExceptionResponse, err := client.AddSecurityRuleException(siteID, ruleID, "", "", "", "", "", "", "", "")
 	if err == nil {
 		t.Errorf("Should have received an error")
 	}
@@ -75,7 +75,7 @@ func TestClientAddSecurityRuleExceptionInvalidRuleID(t *testing.T) {
 	client := &Client{config: config, httpClient: &http.Client{}}
 	siteID := 1234
 	ruleID := "bad_rule_id"
-	addSecurityRuleExceptionResponse, err := client.AddSecurityRuleException(siteID, ruleID, "", "", "", "AN,AS", "", "", "", "", "")
+	addSecurityRuleExceptionResponse, err := client.AddSecurityRuleException(siteID, ruleID, "", "", "", "AN,AS", "", "", "", "")
 	if err == nil {
 		t.Errorf("Should have received an error")
 	}
@@ -103,7 +103,7 @@ func TestClientAddSecurityRuleExceptionInvalidParam(t *testing.T) {
 	siteID := 1234
 	ruleID := "api.threats.backdoor"
 	badIps := "1234"
-	addSecurityRuleExceptionResponse, err := client.AddSecurityRuleException(siteID, ruleID, "", "", "", "", badIps, "", "", "", "")
+	addSecurityRuleExceptionResponse, err := client.AddSecurityRuleException(siteID, ruleID, "", "", "", "", badIps, "", "", "")
 	if err == nil {
 		t.Errorf("Should have received an error")
 	}
@@ -126,7 +126,7 @@ func TestClientEditSecurityRuleExceptionBadConnection(t *testing.T) {
 	client := &Client{config: config, httpClient: &http.Client{Timeout: time.Millisecond * 1}}
 	siteID := 1234
 	ruleID := "api.threats.backdoor"
-	editSecurityRuleExceptionResponse, err := client.EditSecurityRuleException(siteID, ruleID, "", "", "", "", "", "", "", "", "", "")
+	editSecurityRuleExceptionResponse, err := client.EditSecurityRuleException(siteID, ruleID, "", "", "", "", "", "", "", "", "")
 	if err == nil {
 		t.Errorf("Should have received an error")
 	}
@@ -153,7 +153,7 @@ func TestClientEditecurityRuleExceptionBadJSON(t *testing.T) {
 	client := &Client{config: config, httpClient: &http.Client{}}
 	siteID := 1234
 	ruleID := "api.threats.backdoor"
-	editSecurityRuleExceptionResponse, err := client.EditSecurityRuleException(siteID, ruleID, "", "", "", "", "", "", "", "", "", "")
+	editSecurityRuleExceptionResponse, err := client.EditSecurityRuleException(siteID, ruleID, "", "", "", "", "", "", "", "", "")
 	if err == nil {
 		t.Errorf("Should have received an error")
 	}
@@ -180,7 +180,7 @@ func TestClientEditSecurityRuleExceptionInvalidRuleID(t *testing.T) {
 	client := &Client{config: config, httpClient: &http.Client{}}
 	siteID := 1234
 	ruleID := "bad_rule_id"
-	editSecurityRuleExceptionResponse, err := client.EditSecurityRuleException(siteID, ruleID, "", "", "", "", "", "", "", "", "", "")
+	editSecurityRuleExceptionResponse, err := client.EditSecurityRuleException(siteID, ruleID, "", "", "", "", "", "", "", "", "")
 	if err == nil {
 		t.Errorf("Should have received an error")
 	}
@@ -209,7 +209,7 @@ func TestClientEditSecurityRuleExceptionInvalidWhitelistID(t *testing.T) {
 	ruleID := "api.threats.backdoor"
 	badIps := "1.2.3.4,1.2.4"
 	badWhitelistID := "1234"
-	editSecurityRuleExceptionResponse, err := client.EditSecurityRuleException(siteID, ruleID, "", "", "", "", badIps, "", "", "", "", badWhitelistID)
+	editSecurityRuleExceptionResponse, err := client.EditSecurityRuleException(siteID, ruleID, "", "", "", "", badIps, "", "", "", badWhitelistID)
 	if err == nil {
 		t.Errorf("Should have received an error")
 	}
@@ -237,7 +237,7 @@ func TestClientEditSecurityRuleExceptionInvalidParam(t *testing.T) {
 	siteID := 1234
 	ruleID := "api.threats.backdoor"
 	badIps := "1234"
-	editSecurityRuleExceptionResponse, err := client.EditSecurityRuleException(siteID, ruleID, "", "", "", "", badIps, "", "", "", "", "")
+	editSecurityRuleExceptionResponse, err := client.EditSecurityRuleException(siteID, ruleID, "", "", "", "", badIps, "", "", "", "")
 	if err == nil {
 		t.Errorf("Should have received an error")
 	}