Merge pull request #11 from signalsciences/FixComplexRuleConditions

Fix complex rule conditions
signalsciences · Oct 1, 2020 · d6395fc · d6395fc
2 parents 25cc138 + 95cf48e
commit d6395fc
Show file tree

Hide file tree

Showing 3 changed files with 184 additions and 47 deletions.
diff --git a/provider/lib.go b/provider/lib.go
@@ -340,7 +340,7 @@ func expandRuleConditions(conditionsResource *schema.Set) []sigsci.Condition {
 				Value:         castElement["value"].(string),
 			}
 			conditions = append(conditions, c)
-			return conditions
+			continue
 		}
 		c := sigsci.Condition{
 			Type:          castElement["type"].(string),

diff --git a/provider/resource_site_rule.go b/provider/resource_site_rule.go
@@ -33,7 +33,7 @@ func resourceSiteRule() *schema.Resource {
 			"signal": {
 				Type:        schema.TypeString,
 				Description: "The signal id of the signal being excluded",
-				Required:    true,
+				Optional:    true,
 			},
 			"reason": {
 				Type:        schema.TypeString,
@@ -72,7 +72,7 @@ func resourceSiteRule() *schema.Resource {
 						},
 						"field": {
 							Type:        schema.TypeString,
-							Description: "type: single - (scheme, method, path, useragent, domain, ip, responseCode, agentname, paramname, paramvalue, country, name, valueString, valueIp, signalType)",
+							Description: "type: single - (scheme, method, path, useragent, domain, ip, responseCode, agentname, paramname, paramvalue, country, name, valueString, valueIp, signalType, signal)",
 							Optional:    true,
 						},
 						"operator": {
@@ -84,7 +84,6 @@ func resourceSiteRule() *schema.Resource {
 							Type:        schema.TypeString,
 							Description: "type: group - Conditions that must be matched when evaluating the request (all, any)",
 							Optional:    true,
-							// ConflictsWith: []string{"conditions.0.operator", "conditions.0.value", "conditions.0.field", "conditions.1.operator", "conditions.1.value", "conditions.1.field"}, does # work here
 						},
 						"value": {
 							Type:        schema.TypeString,
@@ -105,7 +104,7 @@ func resourceSiteRule() *schema.Resource {
 									},
 									"field": {
 										Type:        schema.TypeString,
-										Description: "type: single - (scheme, method, path, useragent, domain, ip, responseCode, agentname, paramname, paramvalue, country, name, valueString, valueIp, signalType)",
+										Description: "type: single - (scheme, method, path, useragent, domain, ip, responseCode, agentname, paramname, paramvalue, country, name, valueString, valueIp, signalType, signal)",
 										Optional:    true,
 									},
 									"operator": {
@@ -124,6 +123,41 @@ func resourceSiteRule() *schema.Resource {
 										Description: "type: single - See request fields (https://docs.signalsciences.net/using-signal-sciences/features/rules/#request-fields)",
 										Optional:    true,
 									},
+									"conditions": {
+										Type:        schema.TypeSet,
+										Description: "Conditions",
+										Optional:    true,
+										Elem: &schema.Resource{
+											Schema: map[string]*schema.Schema{
+												"type": {
+													Type:        schema.TypeString,
+													Description: "(group, single)",
+													Required:    true,
+												},
+												"field": {
+													Type:        schema.TypeString,
+													Description: "type: single - (scheme, method, path, useragent, domain, ip, responseCode, agentname, paramname, paramvalue, country, name, valueString, valueIp, signalType, signal)",
+													Optional:    true,
+												},
+												"operator": {
+													Type:        schema.TypeString,
+													Description: "type: single - (equals, doesNotEqual, contains, doesNotContain, like, notLike, exists, doesNotExist, inList, notInList)",
+													Optional:    true,
+												},
+												"group_operator": {
+													Type:        schema.TypeString,
+													Description: "type: group - Conditions that must be matched when evaluating the request (all, any)",
+													Optional:    true,
+													// ConflictsWith: []string{"conditions.0.operator", "conditions.0.value", "conditions.0.field", "conditions.1.operator", "conditions.1.value", "conditions.1.field"}, does # work here
+												},
+												"value": {
+													Type:        schema.TypeString,
+													Description: "type: single - See request fields (https://docs.signalsciences.net/using-signal-sciences/features/rules/#request-fields)",
+													Optional:    true,
+												},
+											},
+										},
+									},
 								},
 							},
 						},

diff --git a/provider/resource_site_rule_test.go b/provider/resource_site_rule_test.go
@@ -20,30 +20,30 @@ func TestACCResourceSiteRule_basic(t *testing.T) {
 		Steps: []resource.TestStep{
 			{
 				Config: fmt.Sprintf(`
-					resource "sigsci_site_rule" "test"{
-						site_short_name="%s"
-						type= "signal"
-						group_operator="any"
-						enabled= true
-						reason= "Example site rule update"
-						signal= "SQLI"
-						expiration= ""
-						conditions {
-							type="single"
-							field="ip"
-							operator="equals"
-							value="1.2.3.4"
-						}
-						conditions {
-							type="single"
-							field="ip"
-							operator="equals"
-							value="1.2.3.5"
-						}
-						actions {
-							type="excludeSignal"
-						}
-				}`, testSite),
+                    resource "sigsci_site_rule" "test"{
+                        site_short_name="%s"
+                        type= "signal"
+                        group_operator="any"
+                        enabled= true
+                        reason= "Example site rule update"
+                        signal= "SQLI"
+                        expiration= ""
+                        conditions {
+                            type="single"
+                            field="ip"
+                            operator="equals"
+                            value="1.2.3.4"
+                        }
+                        conditions {
+                            type="single"
+                            field="ip"
+                            operator="equals"
+                            value="1.2.3.5"
+                        }
+                        actions {
+                            type="excludeSignal"
+                        }
+                }`, testSite),
 				Check: resource.ComposeAggregateTestCheckFunc(
 					testCheckSiteRuleExists(resourceName),
 					testCheckSiteRulesAreEqual(resourceName),
@@ -92,29 +92,29 @@ func TestACCResourceSiteRuleRateLimit_basic(t *testing.T) {
                       name            = "My new tag"
                       description     = "test description"
                     }
-					resource "sigsci_site_rule" "test" {
-						site_short_name="%s"
-						type= "rateLimit"
-						group_operator="any"
-						enabled= true
-						reason= "Example site rule update"
-						signal= sigsci_site_signal_tag.test_tag.id
-						expiration= ""
-						conditions {
-							type="single"
-							field="ip"
-							operator="equals"
-							value="1.2.3.4"
-						}
-						actions {
-							type="logRequest"
-						}
+                    resource "sigsci_site_rule" "test" {
+                        site_short_name="%s"
+                        type= "rateLimit"
+                        group_operator="any"
+                        enabled= true
+                        reason= "Example site rule update"
+                        signal= sigsci_site_signal_tag.test_tag.id
+                        expiration= ""
+                        conditions {
+                            type="single"
+                            field="ip"
+                            operator="equals"
+                            value="1.2.3.4"
+                        }
+                        actions {
+                            type="logRequest"
+                        }
                         rate_limit = {
                             threshold=10
                             interval=10
                             duration=600
                         }
-				}`, testSite, testSite),
+                }`, testSite, testSite),
 				Check: resource.ComposeAggregateTestCheckFunc(
 					//testCheckSiteRuleExists(resourceName),
 					//testCheckSiteRulesAreEqual(resourceName),
@@ -140,6 +140,109 @@ func TestACCResourceSiteRuleRateLimit_basic(t *testing.T) {
 	})
 }
 
+func TestACCResourceSiteRuleConditionSignal(t *testing.T) {
+
+	resourceName := "sigsci_site_rule.test"
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testACCCheckSiteRuleDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: fmt.Sprintf(`
+                    resource "sigsci_site_rule" "test" {
+                        site_short_name = "%s" 
+                        type            = "request"
+                        group_operator  = "all"
+                        enabled         = true
+                        reason          = "Example site rule update"
+                        expiration      = ""
+
+                        conditions {
+                            type     = "multival"
+                            field    = "signal"
+                            group_operator = "all"
+                            operator = "exists"
+                            conditions {
+                                field    = "signalType"
+                                operator = "equals"
+                                type     = "single"
+                                value    = "RESPONSESPLIT"
+                            }
+                        }
+
+                        conditions {
+                            type     = "group"
+                            group_operator = "any"
+                            conditions {
+                                field    = "useragent"
+                                operator = "like"
+                                type     = "single"
+                                value    = "python-requests*"
+                            }
+
+                            conditions {
+                                type     = "multival"
+                                field    = "requestHeader"
+                                operator = "doesNotExist"
+                                group_operator = "all"
+                                conditions {
+                                    field    = "name"
+                                    operator = "equals"
+                                    type     = "single"
+                                    value    = "cookie"
+                                }
+                            }
+
+                            conditions {
+                                type     = "multival"
+                                field    = "signal"
+                                operator = "exists"
+                                group_operator = "any"
+                                conditions {
+                                    field    = "signalType"
+                                    operator = "equals"
+                                    type     = "single"
+                                    value    = "TORNODE"
+                                }
+                                conditions {
+                                    field    = "signalType"
+                                    operator = "equals"
+                                    type     = "single"
+                                    value    = "SIGSCI-IP"
+                                }
+                                conditions {
+                                    field    = "signalType"
+                                    operator = "equals"
+                                    type     = "single"
+                                    value    = "SCANNER"
+                                }
+                            }
+                        }
+
+                        actions {
+                            type = "block"
+                        }
+                }`, testSite),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testInspect(),
+					resource.TestCheckResourceAttr(resourceName, "conditions.#", "2"),
+					resource.TestCheckResourceAttr(resourceName, "conditions.2455721190.conditions.3887678098.conditions.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "conditions.1840769124.conditions.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "conditions.2455721190.conditions.2522856064.conditions.#", "3"),
+				),
+			},
+			{
+				ResourceName:        resourceName,
+				ImportStateIdPrefix: fmt.Sprintf("%s:", testSite),
+				ImportState:         true,
+				ImportStateVerify:   true,
+				ImportStateCheck:    testAccImportStateCheckFunction(1),
+			},
+		},
+	})
+}
+
 func testCheckSiteRuleExists(name string) resource.TestCheckFunc {
 	var testFunc resource.TestCheckFunc = func(s *terraform.State) error {
 		rsrc, ok := s.RootModule().Resources[name]