Merge pull request #233 from globaldatanet/bugfix

Bugfix - Missing WCU Calculation orstatement within andstatement bug
globaldatanet · Nov 17, 2023 · 6d948bf · 6d948bf
2 parents 247119c + f69e935
commit 6d948bf
Show file tree

Hide file tree

Showing 5 changed files with 286 additions and 51 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,13 @@
 
 ## Released
 
+## 4.1.5
+### Fixed
+- Addressed issue with missing WCU Calculation OR statement within AND statement. - [Issues232](https://github.com/globaldatanet/aws-firewall-factory/issues/232)
+- Addressed issue with missing WCU Calculation AND statement within OR statement.
+- Bump @typescript-eslint/eslint-plugin from 6.7.5 to 6.10.0
+- Bump eslint from 8.51.0 to 8.53.0
+
 ## 4.1.4
 ### Added
 - Automation for  [Documentation](https://docs.aws-firewall-factory.com/) for the AWS Firewall Factory to assist you in utilizing our solution.

diff --git a/lib/tools/helpers.ts b/lib/tools/helpers.ts
@@ -334,6 +334,7 @@ function filterStatements(statement: wafv2.CfnWebACL.StatementProperty){
     const ipSetReferenceStatement = statement.ipSetReferenceStatement as wafv2.CfnWebACL.IPSetReferenceStatementProperty | undefined;
     const regexPatternSetReferenceStatement = statement.regexPatternSetReferenceStatement as wafv2.CfnWebACL.RegexPatternSetReferenceStatementProperty | undefined;
     const notStatement = statement.notStatement as wafv2.CfnWebACL.NotStatementProperty | undefined;
+    const orStatement = statement.orStatement as wafv2.CfnWebACL.OrStatementProperty | undefined;
     if(ipSetReferenceStatement && !ipSetReferenceStatement.arn.startsWith("arn:aws:")) found = false;
     if(regexPatternSetReferenceStatement && !regexPatternSetReferenceStatement.arn.startsWith("arn:aws:")) found = false;
     if(notStatement) {
@@ -343,6 +344,15 @@ function filterStatements(statement: wafv2.CfnWebACL.StatementProperty){
       if(notipSetReferenceStatement && !notipSetReferenceStatement.arn.startsWith("arn:aws:")) found = false;
       if(notregexPatternSetReferenceStatement && !notregexPatternSetReferenceStatement.arn.startsWith("arn:aws:")) found = false;
     }
+    if(orStatement){
+      const orStatementProp = orStatement.statements as wafv2.CfnWebACL.StatementProperty[];
+      for(const statement of orStatementProp){
+        const orStatementPropIpSetReferenceStatement = statement.ipSetReferenceStatement as wafv2.CfnWebACL.IPSetReferenceStatementProperty | undefined;
+        const orStatementPropRegexPatternSetReferenceStatement = statement.regexPatternSetReferenceStatement as wafv2.CfnWebACL.RegexPatternSetReferenceStatementProperty | undefined;
+        if(orStatementPropIpSetReferenceStatement && !orStatementPropIpSetReferenceStatement.arn.startsWith("arn:aws:")) found = false;
+        if(orStatementPropRegexPatternSetReferenceStatement && !orStatementPropRegexPatternSetReferenceStatement.arn.startsWith("arn:aws:")) found = false;
+      }
+    }
     return found;
   }
 }
@@ -413,6 +423,29 @@ async function calculateCustomRulesCapacities(customRules: FmsRule[], deployment
             capacities.push(regexPatternSetsStatementsCapacity(notstatementRegexPatternSetsStatement));
           }
         }
+        const orStatementStatement = statement.orStatement as wafv2.CfnWebACL.OrStatementProperty | undefined;
+        if(orStatementStatement && orStatementStatement.statements) {
+          const statementIpSetReferenceStatement = statement.ipSetReferenceStatement as wafv2.CfnWebACL.IPSetReferenceStatementProperty | undefined;
+          if(statementIpSetReferenceStatement && !statementIpSetReferenceStatement.arn.startsWith("arn:aws:")) {
+            capacities.push(calculateIpsSetStatementCapacity(statementIpSetReferenceStatement));
+          }
+          const statementRegexPatternSetsStatement = statement.regexPatternSetReferenceStatement as wafv2.CfnWebACL.RegexPatternSetReferenceStatementProperty | undefined;
+          if(statementRegexPatternSetsStatement && !statementRegexPatternSetsStatement.arn.startsWith("arn:aws:")) {
+            capacities.push(regexPatternSetsStatementsCapacity(statementRegexPatternSetsStatement));
+          }
+          const notStatementStatement = statement.notStatement as wafv2.CfnWebACL.NotStatementProperty | undefined;
+          if(notStatementStatement && notStatementStatement.statement) {
+            const statement = notStatementStatement.statement as wafv2.CfnWebACL.StatementProperty;
+            const notstatementIpSetReferenceStatement = statement.ipSetReferenceStatement as wafv2.CfnWebACL.IPSetReferenceStatementProperty | undefined;
+            if(notstatementIpSetReferenceStatement && !notstatementIpSetReferenceStatement.arn.startsWith("arn:aws:")) {
+              capacities.push(calculateIpsSetStatementCapacity(notstatementIpSetReferenceStatement));
+            }
+            const notstatementRegexPatternSetsStatement = statement.regexPatternSetReferenceStatement as wafv2.CfnWebACL.RegexPatternSetReferenceStatementProperty | undefined;
+            if(notstatementRegexPatternSetsStatement && notstatementRegexPatternSetsStatement.arn.startsWith("arn:aws:")) {
+              capacities.push(regexPatternSetsStatementsCapacity(notstatementRegexPatternSetsStatement));
+            }
+          }
+        }
 
       }
       const filteredAndStatements = {
@@ -452,7 +485,7 @@ async function calculateCustomRulesCapacities(customRules: FmsRule[], deployment
           filterStatements(statement))
       };
       if (filteredOrStatements && filteredOrStatements.statements && filteredOrStatements.statements.length > 0) {
-        const calcRule = buildCustomRuleWithoutReferenceStatements(customRule, filteredOrStatements, false);
+        const calcRule = buildCustomRuleWithoutReferenceStatements(customRule, filteredOrStatements, true);
         const capacity = await calculateCustomRuleStatementsCapacity(calcRule, deploymentRegion, scope);
         capacities.push(capacity);
       }

diff --git a/lib/tools/transformer.ts b/lib/tools/transformer.ts
@@ -822,6 +822,8 @@ export function transformConcatenatedStatement(statement: wafv2.CfnWebACL.AndSta
       let NotStatement = undefined;
       let RegexMatchStatement = undefined;
       let RateBasedStatement = undefined;
+      let OrStatement = undefined;
+      let AndStatement = undefined;
       switch(Object.keys(currentstatement)[0]){
         case "byteMatchStatement":
           ByteMatchStatement = transformByteMatchStatement(currentstatement.byteMatchStatement as wafv2.CfnWebACL.ByteMatchStatementProperty);
@@ -867,6 +869,14 @@ export function transformConcatenatedStatement(statement: wafv2.CfnWebACL.AndSta
           RateBasedStatement = tranformRateBasedStatement(currentstatement.rateBasedStatement as wafv2.CfnWebACL.RateBasedStatementProperty);
           Statement.RateBasedStatement = RateBasedStatement as RateBasedStatement;
           break;
+        case "orStatement":
+          OrStatement = transformConcatenatedStatement(currentstatement.orStatement as wafv2.CfnWebACL.OrStatementProperty, false);
+          Statement.OrStatement = OrStatement as OrStatement;
+          break;
+        case "andStatement":
+          AndStatement = transformConcatenatedStatement(currentstatement.andStatement as wafv2.CfnWebACL.AndStatementProperty, true);
+          Statement.AndStatement = AndStatement as AndStatement;
+          break;
         default:
           break;
       }