Updates
This commit is contained in:
Dan Milne
@@ -1,28 +1,33 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
# WafPolicyMatcher - Service to match NetworkRanges against active WafPolicies
|
||||
# WafPolicyMatcher - Service to match Events against active WafPolicies
|
||||
#
|
||||
# This service provides efficient matching of network ranges against firewall policies
|
||||
# and can generate rules when matches are found.
|
||||
# This service provides efficient matching of events against firewall policies
|
||||
# (both network-based and path-based) and can generate rules when matches are found.
|
||||
class WafPolicyMatcher
|
||||
include ActiveModel::Model
|
||||
include ActiveModel::Attributes
|
||||
|
||||
attr_accessor :network_range
|
||||
attr_accessor :event
|
||||
attr_reader :matching_policies, :generated_rules
|
||||
|
||||
def initialize(network_range:)
|
||||
@network_range = network_range
|
||||
def initialize(event:)
|
||||
@event = event
|
||||
@matching_policies = []
|
||||
@generated_rules = []
|
||||
end
|
||||
|
||||
# Find all active policies that match the given network range
|
||||
# Helper method to get network range from event
|
||||
def network_range
|
||||
event&.network_range
|
||||
end
|
||||
|
||||
# Find all active policies that match the given event (network or path-based)
|
||||
def find_matching_policies
|
||||
return [] unless network_range.present?
|
||||
return [] unless event.present?
|
||||
|
||||
@matching_policies = active_policies.select do |policy|
|
||||
policy.matches_network_range?(network_range)
|
||||
policy.matches_event?(event)
|
||||
end
|
||||
|
||||
# Sort by priority: country > asn > company > network_type, then by creation date
|
||||
@@ -82,25 +87,56 @@ class WafPolicyMatcher
|
||||
end
|
||||
|
||||
# Class methods for batch processing
|
||||
def self.process_network_range(network_range)
|
||||
matcher = new(network_range: network_range)
|
||||
def self.process_event(event)
|
||||
matcher = new(event: event)
|
||||
matcher.match_and_generate_rules
|
||||
end
|
||||
|
||||
# Evaluate a network range against policies and mark it as evaluated
|
||||
# This is the main entry point for inline policy evaluation
|
||||
def self.evaluate_and_mark!(network_range)
|
||||
return { matching_policies: [], generated_rules: [] } unless network_range
|
||||
# Legacy method for backward compatibility - converts network range to event
|
||||
def self.process_network_range(network_range)
|
||||
# Find the most recent event for this network range
|
||||
sample_event = network_range.events.order(created_at: :desc).first
|
||||
if sample_event
|
||||
process_event(sample_event)
|
||||
else
|
||||
# No events exist for this network range, return empty results
|
||||
# Network-based policies need real events to trigger rule creation
|
||||
{ matching_policies: [], generated_rules: [] }
|
||||
end
|
||||
end
|
||||
|
||||
matcher = new(network_range: network_range)
|
||||
# Evaluate an event against policies and mark its network range as evaluated
|
||||
# This is the main entry point for inline policy evaluation
|
||||
def self.evaluate_and_mark!(event)
|
||||
return { matching_policies: [], generated_rules: [] } unless event
|
||||
|
||||
matcher = new(event: event)
|
||||
result = matcher.match_and_generate_rules
|
||||
|
||||
# Mark this network range as evaluated
|
||||
network_range.update_column(:policies_evaluated_at, Time.current)
|
||||
# Mark the event's network range as evaluated
|
||||
if event.network_range
|
||||
event.network_range.update_column(:policies_evaluated_at, Time.current)
|
||||
end
|
||||
|
||||
result
|
||||
end
|
||||
|
||||
# Legacy method for backward compatibility
|
||||
def self.evaluate_and_mark_network_range!(network_range)
|
||||
return { matching_policies: [], generated_rules: [] } unless network_range
|
||||
|
||||
# Find the most recent event for this network range
|
||||
sample_event = network_range.events.order(created_at: :desc).first
|
||||
if sample_event
|
||||
evaluate_and_mark!(sample_event)
|
||||
else
|
||||
# No events exist, use the old network-range based evaluation
|
||||
process_network_range(network_range)
|
||||
network_range.update_column(:policies_evaluated_at, Time.current)
|
||||
{ matching_policies: [], generated_rules: [] }
|
||||
end
|
||||
end
|
||||
|
||||
def self.batch_process_network_ranges(network_ranges)
|
||||
results = []
|
||||
|
||||
@@ -158,8 +194,19 @@ class WafPolicyMatcher
|
||||
potential_ranges.find_each do |network_range|
|
||||
matcher = new(network_range: network_range)
|
||||
if waf_policy.matches_network_range?(network_range)
|
||||
# Check for supernet rules before creating
|
||||
if network_range.supernet_rules.any?
|
||||
supernet = network_range.supernet_rules.first
|
||||
Rails.logger.info "Skipping rule for #{network_range.cidr} - covered by supernet rule ##{supernet.id}"
|
||||
next
|
||||
end
|
||||
|
||||
rule = waf_policy.create_rule_for_network_range(network_range)
|
||||
results << { network_range: network_range, generated_rule: rule } if rule
|
||||
if rule&.persisted?
|
||||
results << { network_range: network_range, generated_rule: rule }
|
||||
elsif rule
|
||||
Rails.logger.warn "Failed to create rule for #{network_range.cidr}: #{rule.errors.full_messages.join(', ')}"
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
@@ -180,7 +227,7 @@ class WafPolicyMatcher
|
||||
{
|
||||
policy_name: waf_policy.name,
|
||||
policy_type: waf_policy.policy_type,
|
||||
action: waf_policy.action,
|
||||
action: waf_policy.policy_action,
|
||||
rules_generated: rules.count,
|
||||
active_rules: rules.active.count,
|
||||
networks_protected: rules.joins(:network_range).count('distinct network_ranges.id'),
|
||||
|
||||
Reference in New Issue
Block a user