Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove unnecessary validation of WAF bundle filepaths used in apBundle and apLogBundle fields of waf Policy #6641

Open
tstraley opened this issue Oct 11, 2024 · 2 comments
Labels
proposal An issue that proposes a feature request

Comments

@tstraley
Copy link

Is your feature request related to a problem? Please describe.
As a user with many different WAF policies being defined using pre-compiled bundles, I want to be able to keep my various bundle files that I manage well-organized.

For example, I have several different Virtual Servers, and many different routes. Some of these routes are used for gRPC traffic, which require their own grpc-profiles in the WAF policies, while others may have specific signatures and bot policies. There is also the need to be able to provide new versions as we pick up the latest attack signatures & threat campaigns, or need to compile new versions for a NIC upgrade that has a new WAF engine version.

These result in bundles that we'd like to organize in a logical filesystem hierarchy, a la /etc/nginx/waf/bundles/version/server/route/policy.tgz. Or to put in more concrete examples: /etc/nginx/waf/bundles/3.6.2-11.48.0/cafe/coffee/blocking.tgz, /etc/nginx/waf/bundles/3.7.0-11.133.0/cafe/tea/transparent.tgz, etc. (where apBundle: "3.6.2-11.48.0/cafe/coffee/blocking.tgz"

Unfortunately, this would result in a validation error:

Invalid value: "3.6.2-11.48.0/cafe/coffee/blocking.tgz": a qualified name must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')]

Describe the solution you'd like
Given that this apBundle and apLogBundle are supposed to be filepaths, ideally the validation would only consist of confirming the file does exist and is readable. The use of k8s "Qualified Name" validation on these fields is restrictive to managing many bundle files in a logical way, and doesn't make sense to do for filepaths (qualified names are for k8s resource references, as I understand it).

Describe alternatives you've considered
Because the "Qualified Name" validation allows a dir/file pattern (simply by coincidence) I can organize bundle files in a single nested directory, eg. cafe-policies/coffee-blocking-11.48.0.tgz is allowed, and works just fine.

I can also make really complex file names and dump ALL policy bundles and log bundles into a single directory (this seems to be the suggested methodology) but then it makes management of these bundles unnecessarily difficult.

Additional context

@tstraley tstraley added the proposal An issue that proposes a feature request label Oct 11, 2024
Copy link

Hi @tstraley thanks for reporting!

Be sure to check out the docs and the Contributing Guidelines while you wait for a human to take a look at this 🙂

Cheers!

@tstraley
Copy link
Author

TLDR:

I am using v4. I have successfully used the documentation to create waf policies using bundles that are in my mounted volume.

I can set apBundle: parent-dir/bundle1.tgz and everything works great (the full filepath on the file system is /etc/nginx/waf/bundles/parent-dir/bundle1.tgz). No issues. No errors. NIC works. WAF works. I'm happy.

But then I do apBundle: parent-dir/other-dir/bundle2.tgz (the file exists in the proper volume like above), and now suddenly I get a validation error. This is a poor experience. I see no reason I shouldn't be able to organize these files into a nested directory, when I can use a single directory without any technical issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
proposal An issue that proposes a feature request
Projects
Status: Todo ☑
Development

No branches or pull requests

1 participant