[WAFD] extended options in `resource/opentelekomcloud_waf_dedicated_p…

…olicy_v1` (#2598) [WAFD] extended options in `resource/opentelekomcloud_waf_dedicated_policy_v1` Summary of the Pull Request PR Checklist Refers to: #2597 Tests added/passed. Documentation updated. Schema updated. Release notes added. Acceptance Steps Performed === RUN TestAccWafDedicatedPolicyV1_basic 2024/07/30 10:33:30 [DEBUG] The opentelekomcloud Waf dedicated instance test running in 'eu-de' region. --- PASS: TestAccWafDedicatedPolicyV1_basic (60.59s) PASS Process finished with the exit code 0 Reviewed-by: Sergei Martynov Reviewed-by: Artem Lifshits
opentelekomcloud · Jul 30, 2024 · 650c842 · 650c842
1 parent 0671ad5
commit 650c842
Show file tree

Hide file tree

Showing 8 changed files with 141 additions and 42 deletions.
diff --git a/docs/resources/waf_dedicated_policy_v1.md b/docs/resources/waf_dedicated_policy_v1.md
@@ -39,45 +39,51 @@ resource "opentelekomcloud_waf_dedicated_policy_v1" "policy_1" {
 
 The following arguments are supported:
 
-* `name` - (Required) The policy name.
+* `name` - (Required, String) The policy name.
 
-* `protection_mode` - (Optional) Specifies the protective action after a rule is matched.
+* `protection_mode` - (Optional, String) Specifies the protective action after a rule is matched.
   Values are:
   + `block`: WAF blocks and logs detected attacks.
   + `log`: WAF logs detected attacks only.
 
-* `level` - (Optional) Specifies the protection level.
+* `level` - (Optional, Int) Specifies the protection level.
   Values are:
   + `1`: low
   + `2`: medium
   + `3`: high
 
-* `options` - (Optional) Specifies the protection switches.
+* `options` - (Optional, List)  Specifies the protection switches.
   The `options` block supports:
-  + `web_attack` - (Optional) Specifies whether Basic Web Protection is enabled.
-  + `common` - (Optional) Specifies whether General Check in Basic Web Protection is enabled.
-  + `crawler` - (Optional) Specifies whether the master crawler detection switch in Basic Web Protection is enabled.
-  + `anti_crawler` - (Optional) JavaScript anti-crawler function.
-  + `crawler_engine` - (Optional) Specifies whether the Search Engine switch in Basic Web Protection is enabled.
-  + `crawler_scanner` - (Optional) Specifies whether the Scanner switch in Basic Web Protection is enabled.
-  + `crawler_script` - (Optional) Specifies whether the Script Tool switch in Basic Web Protection is enabled.
-  + `crawler_other` - (Optional) Specifies whether detection of other crawlers in Basic Web Protection is enabled.
-  + `web_shell` - (Optional) Specifies whether webshell detection in Basic Web Protection is enabled.
-  + `cc` - (Optional) Specifies whether CC Attack Protection is enabled.
-  + `custom` - (Optional) Specifies whether Precise Protection is enabled.
-  + `blacklist` - (Optional) Specifies whether Blacklist and Whitelist is enabled.
-  + `geolocation_access_control` - (Optional) Whether geolocation access control is enabled.
-  + `ignore` - (Optional) Whether false alarm masking is enabled.
-  + `privacy` - (Optional) Specifies whether Data Masking is enabled.
-  + `ignore` - (Optional) Specifies whether False Alarm Masking is enabled.
-  + `anti_tamper` - (Optional) Specifies whether Web Tamper Protection is enabled.
-  + `anti_leakage` - (Optional) Whether the information leakage prevention is enabled.
-  + `followed_action` - (Optional) Whether the Known Attack Source protection is enabled.
-
-* `full_detection` - (Optional) Specifies the detection mode in Precise Protection.
+  + `web_attack` - (Optional, Bool) Specifies whether Basic Web Protection is enabled.
+  + `common` - (Optional, Bool) Specifies whether General Check in Basic Web Protection is enabled.
+  + `crawler` - (Optional, Bool) Specifies whether the master crawler detection switch in Basic Web Protection is enabled.
+  + `anti_crawler` - (Optional, Bool) JavaScript anti-crawler function.
+  + `crawler_engine` - (Optional, Bool) Specifies whether the Search Engine switch in Basic Web Protection is enabled.
+  + `crawler_scanner` - (Optional, Bool) Specifies whether the Scanner switch in Basic Web Protection is enabled.
+  + `crawler_script` - (Optional, Bool) Specifies whether the Script Tool switch in Basic Web Protection is enabled.
+  + `crawler_other` - (Optional, Bool) Specifies whether detection of other crawlers in Basic Web Protection is enabled.
+  + `web_shell` - (Optional, Bool) Specifies whether webshell detection in Basic Web Protection is enabled.
+  + `cc` - (Optional, Bool) Specifies whether CC Attack Protection is enabled.
+  + `custom` - (Optional, Bool) Specifies whether Precise Protection is enabled.
+  + `blacklist` - (Optional, Bool) Specifies whether Blacklist and Whitelist is enabled.
+  + `geolocation_access_control` - (Optional, Bool) Whether geolocation access control is enabled.
+  + `ignore` - (Optional, Bool) Whether false alarm masking is enabled.
+  + `privacy` - (Optional, Bool) Specifies whether Data Masking is enabled.
+  + `ignore` - (Optional, Bool) Specifies whether False Alarm Masking is enabled.
+  + `anti_tamper` - (Optional, Bool) Specifies whether Web Tamper Protection is enabled.
+  + `anti_leakage` - (Optional, Bool) Whether the information leakage prevention is enabled.
+  + `followed_action` - (Optional, Bool) Whether the Known Attack Source protection is enabled.
+
+* `full_detection` - (Optional, Bool) Specifies the detection mode in Precise Protection.
   * `true`: full detection, Full detection finishes all threat detections before blocking requests that meet Precise Protection specified conditions.
   * `false`: instant detection. Instant detection immediately ends threat detection after blocking a request that meets Precise Protection specified conditions.
 
+* `deep_inspection` - (Optional, Bool) The deep inspection in basic web protection.
+
+* `header_inspection` - (Optional, Bool) The header inspection in basic web protection.
+
+* `shiro_decryption_check` - (Optional, Bool) The shiro decryption check in basic web protection.
+
 ## Attributes Reference
 
 The following attributes are exported:

diff --git a/go.mod b/go.mod
@@ -16,7 +16,7 @@ require (
 	github.com/jmespath/go-jmespath v0.4.0
 	github.com/keybase/go-crypto v0.0.0-20200123153347-de78d2cb44f4
 	github.com/mitchellh/go-homedir v1.1.0
-	github.com/opentelekomcloud/gophertelekomcloud v0.9.4-0.20240722113807-9bdc3ef3fc0d
+	github.com/opentelekomcloud/gophertelekomcloud v0.9.4-0.20240729091918-133ccf3c0934
 	github.com/unknwon/com v1.0.1
 	golang.org/x/crypto v0.21.0
 	golang.org/x/sync v0.1.0

diff --git a/go.sum b/go.sum
@@ -160,6 +160,8 @@ github.com/opentelekomcloud/gophertelekomcloud v0.9.4-0.20240708122908-1b7bf6688
 github.com/opentelekomcloud/gophertelekomcloud v0.9.4-0.20240708122908-1b7bf66887e2/go.mod h1:M1F6OfSRZRzAmAFKQqSLClX952at5hx5rHe4UTEykgg=
 github.com/opentelekomcloud/gophertelekomcloud v0.9.4-0.20240722113807-9bdc3ef3fc0d h1:SrtLgFAecFe65eef+5xRzlUAyuBab61oSN+KqrGqKs4=
 github.com/opentelekomcloud/gophertelekomcloud v0.9.4-0.20240722113807-9bdc3ef3fc0d/go.mod h1:M1F6OfSRZRzAmAFKQqSLClX952at5hx5rHe4UTEykgg=
+github.com/opentelekomcloud/gophertelekomcloud v0.9.4-0.20240729091918-133ccf3c0934 h1:h1zOzW11QL4vyyc9+mnl6QWQbwq2BFBrNEzR7YM31Uc=
+github.com/opentelekomcloud/gophertelekomcloud v0.9.4-0.20240729091918-133ccf3c0934/go.mod h1:M1F6OfSRZRzAmAFKQqSLClX952at5hx5rHe4UTEykgg=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=

diff --git a/opentelekomcloud/acceptance/waf/resource_opentelekomcloud_waf_dedicated_policy_v1_test.go b/opentelekomcloud/acceptance/waf/resource_opentelekomcloud_waf_dedicated_policy_v1_test.go
@@ -49,6 +49,24 @@ func TestAccWafDedicatedPolicyV1_basic(t *testing.T) {
 					resource.TestCheckResourceAttr(wafdPolicyResourceName, "options.0.web_attack", "false"),
 					resource.TestCheckResourceAttr(wafdPolicyResourceName, "options.0.cc", "true"),
 					resource.TestCheckResourceAttr(wafdPolicyResourceName, "options.0.web_shell", "true"),
+					resource.TestCheckResourceAttr(wafdPolicyResourceName, "deep_inspection", "true"),
+					resource.TestCheckResourceAttr(wafdPolicyResourceName, "shiro_decryption_check", "true"),
+				),
+			},
+			{
+				Config: testAccWafDedicatedPolicyV1_updateNext(policyName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckWafDedicatedPolicyV1Exists(wafdPolicyResourceName, &policy),
+					resource.TestCheckResourceAttr(wafdPolicyResourceName, "name", policyName+"-updatedNext"),
+					resource.TestCheckResourceAttr(wafdPolicyResourceName, "level", "3"),
+					resource.TestCheckResourceAttr(wafdPolicyResourceName, "full_detection", "true"),
+					resource.TestCheckResourceAttr(wafdPolicyResourceName, "protection_mode", "block"),
+					resource.TestCheckResourceAttr(wafdPolicyResourceName, "options.0.web_attack", "false"),
+					resource.TestCheckResourceAttr(wafdPolicyResourceName, "options.0.cc", "true"),
+					resource.TestCheckResourceAttr(wafdPolicyResourceName, "options.0.web_shell", "true"),
+					resource.TestCheckResourceAttr(wafdPolicyResourceName, "deep_inspection", "false"),
+					resource.TestCheckResourceAttr(wafdPolicyResourceName, "shiro_decryption_check", "true"),
+					resource.TestCheckResourceAttr(wafdPolicyResourceName, "header_inspection", "true"),
 				),
 			},
 			{
@@ -141,6 +159,31 @@ resource "opentelekomcloud_waf_dedicated_policy_v1" "policy_1" {
     cc         = true
     web_shell  = true
   }
+
+  deep_inspection        = true
+  shiro_decryption_check = true
+}
+`, policyName)
+}
+
+func testAccWafDedicatedPolicyV1_updateNext(policyName string) string {
+	return fmt.Sprintf(`
+resource "opentelekomcloud_waf_dedicated_policy_v1" "policy_1" {
+  name            = "%s-updatedNext"
+  level           = 3
+  protection_mode = "block"
+  full_detection  = true
+
+  options {
+    crawler    = false
+    web_attack = false
+    cc         = true
+    web_shell  = true
+  }
+
+  deep_inspection        = false
+  shiro_decryption_check = true
+  header_inspection      = true
 }
 `, policyName)
 }
diff --git a/opentelekomcloud/common/utils.go b/opentelekomcloud/common/utils.go
@@ -17,6 +17,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/jmespath/go-jmespath"
 	golangsdk "github.com/opentelekomcloud/gophertelekomcloud"
 	"github.com/opentelekomcloud/terraform-provider-opentelekomcloud/opentelekomcloud/common/cfg"
 	"github.com/opentelekomcloud/terraform-provider-opentelekomcloud/opentelekomcloud/common/fmterr"
@@ -511,3 +512,12 @@ func ValueIgnoreEmpty(v interface{}) interface{} {
 
 	return v
 }
+
+// PathSearch evaluates a JMESPath expression against input data and returns the result.
+func PathSearch(expression string, obj interface{}, defaultValue interface{}) interface{} {
+	v, err := jmespath.Search(expression, obj)
+	if err != nil || v == nil {
+		return defaultValue
+	}
+	return v
+}
diff --git a/opentelekomcloud/services/waf/common.go b/opentelekomcloud/services/waf/common.go
@@ -34,3 +34,9 @@ func wafRuleImporter() *schema.ResourceImporter {
 		StateContext: common.ImportByPath("policy_id", "id"),
 	}
 }
+
+type ExtendOptions struct {
+	DeepDecode            *bool `json:"deep_decode,omitempty"`
+	CheckAllHeaders       *bool `json:"check_all_headers,omitempty"`
+	ShiroRememberMeEnable *bool `json:"shiro_rememberMe_enable,omitempty"`
+}
diff --git a/opentelekomcloud/services/waf/resource_opentelekomcloud_waf_dedicated_policy_v1.go b/opentelekomcloud/services/waf/resource_opentelekomcloud_waf_dedicated_policy_v1.go
@@ -2,6 +2,7 @@ package waf
 
 import (
 	"context"
+	"encoding/json"
 	"log"
 	"time"
 
@@ -171,6 +172,18 @@ func ResourceWafDedicatedPolicy() *schema.Resource {
 				Computed: true,
 				Optional: true,
 			},
+			"deep_inspection": {
+				Type:     schema.TypeBool,
+				Optional: true,
+			},
+			"header_inspection": {
+				Type:     schema.TypeBool,
+				Optional: true,
+			},
+			"shiro_decryption_check": {
+				Type:     schema.TypeBool,
+				Optional: true,
+			},
 			"domains": {
 				Type:     schema.TypeList,
 				Computed: true,
@@ -225,6 +238,12 @@ func resourceWafDedicatedPolicyV1Read(ctx context.Context, d *schema.ResourceDat
 		return common.CheckDeletedDiag(d, err, "error retrieving OpenTelekomCloud WAF dedicated policy.")
 	}
 
+	// the extend struct value example is: "extend": "{\"deep_decode\":true}"
+	var extendRespBody interface{}
+	if err := json.Unmarshal([]byte(policy.Extend.Extend), &extendRespBody); err != nil {
+		log.Printf("[WARN] error flatten extend map: %s", err)
+	}
+
 	options := []map[string]interface{}{
 		{
 			"web_attack":                 policy.Options.WebAttack,
@@ -259,6 +278,9 @@ func resourceWafDedicatedPolicyV1Read(ctx context.Context, d *schema.ResourceDat
 		d.Set("options", options),
 		d.Set("domains", policy.Hosts),
 		d.Set("created_at", policy.CreatedAt),
+		d.Set("deep_inspection", common.PathSearch("deep_decode", extendRespBody, false)),
+		d.Set("header_inspection", common.PathSearch("check_all_headers", extendRespBody, false)),
+		d.Set("shiro_decryption_check", common.PathSearch("shiro_rememberMe_enable", extendRespBody, false)),
 	)
 
 	if mErr.ErrorOrNil() != nil {
@@ -313,22 +335,11 @@ func updateWafPolicy(ctx context.Context, d *schema.ResourceData, meta interface
 		return fmterr.Errorf(errCreationV1DedicatedClient, err)
 	}
 
-	var updateOpts policies.UpdateOpts
-
-	if d.HasChange("name") {
-		updateOpts.Name = d.Get("name").(string)
-	}
-
-	if d.HasChange("level") {
-		updateOpts.Level = d.Get("level").(int)
-	}
-
-	if d.HasChange("full_detection") {
-		updateOpts.FullDetection = pointerto.Bool(d.Get("full_detection").(bool))
-	}
-
-	if d.HasChange("options") {
-		updateOpts.Options = buildOptions(d)
+	updateOpts := policies.UpdateOpts{
+		Name:          d.Get("name").(string),
+		Level:         d.Get("level").(int),
+		FullDetection: pointerto.Bool(d.Get("full_detection").(bool)),
+		Options:       buildOptions(d),
 	}
 
 	if d.HasChange("protection_mode") {
@@ -337,6 +348,23 @@ func updateWafPolicy(ctx context.Context, d *schema.ResourceData, meta interface
 		}
 	}
 
+	if d.HasChanges("deep_inspection", "header_inspection", "shiro_decryption_check") {
+		ext := ExtendOptions{}
+		_, deep := d.GetChange("deep_inspection")
+		ext.DeepDecode = pointerto.Bool(deep.(bool))
+		_, header := d.GetChange("header_inspection")
+		ext.CheckAllHeaders = pointerto.Bool(header.(bool))
+		_, shiro := d.GetChange("shiro_decryption_check")
+		ext.ShiroRememberMeEnable = pointerto.Bool(shiro.(bool))
+		extendJson, err := json.Marshal(ext)
+		if err != nil {
+			return fmterr.Errorf("error marshaling extended options JSON: %s", err)
+		}
+		updateOpts.Extend = &policies.ExtendParams{
+			Extend: string(extendJson),
+		}
+	}
+
 	_, err = policies.Update(client, d.Id(), updateOpts)
 	if err != nil {
 		return fmterr.Errorf("error updating OpenTelekomCloud WAF Policy: %s", err)

diff --git a/releasenotes/notes/wafd-policy-extended-options-be1e79844d831f9a.yaml b/releasenotes/notes/wafd-policy-extended-options-be1e79844d831f9a.yaml
@@ -0,0 +1,4 @@
+---
+features:
+  |
+  **[WAF]** Add ``deep_inspection``, ``header_inspection``, ``shiro_decryption_check`` options for ``resource/opentelekomcloud_waf_dedicated_policy_v1`` (`#2598 <https://github.com/opentelekomcloud/terraform-provider-opentelekomcloud/pull/2598>`_)