Skip to content

Commit

Permalink
OPS-17899 add cloudflare IP lookup (#235)
Browse files Browse the repository at this point in the history
* add cloudflare IP lookup

* readd re import

* remove weird unrelated changes

* missing comma

* add requests.get timeout

* small formatting

* change var name
  • Loading branch information
dlutsch authored Feb 28, 2022
1 parent 4958551 commit 7bbbe8d
Show file tree
Hide file tree
Showing 2 changed files with 49 additions and 0 deletions.
48 changes: 48 additions & 0 deletions efopen/ef_aws_resolver.py
Original file line number Diff line number Diff line change
Expand Up @@ -17,9 +17,12 @@
from __future__ import print_function

import datetime
import json
import re

from botocore.exceptions import ClientError
from netaddr import IPNetwork
import requests

import ef_utils

Expand Down Expand Up @@ -573,6 +576,47 @@ def waf_web_acl_id(self, lookup, default=None):
else:
return default

def get_cloudflare_cidrs(self):
"""
Args: None
Returns:
List of Cloudflare CIDR blocks for whitelisting in AWS WAF
"""
r = requests.get('https://cloudflare.com/ips-v4', timeout=10)
r.raise_for_status()
return r.text.split('\n')

def waf_cloudflare_ip_list(self):
"""
Args: None
Returns:
JSON array of WAFv1 IPSetDescriptors containing all Cloudflare CIDR IPs
Notes:
CIDRs in this array will be broken down to multiple /16's if original prefix is /1-/15
due to limitations with WAFv1
"""
cidr_list = []
for cidr in self.get_cloudflare_cidrs():
net = IPNetwork(cidr)
if net.size > 65536: # greater than /16
subnets = net.subnet(16)
for subnet_cidr in subnets:
cidr_list.append(str(subnet_cidr))
else:
cidr_list.append(str(cidr))

cidr_list.sort()
ip_set = map(lambda ip: {"Type": "IPV4", "Value": ip}, cidr_list)
return json.dumps(list(ip_set))

def wafv2_cloudflare_ip_list(self):
"""
Args: None
Returns:
JSON array of Cloudflare IPs in CIDR notation for whitelisting in WAFv2
"""
return json.dumps(list(self.get_cloudflare_cidrs()))

def wafv2_global_ip_set_arn(self, lookup, default=None):
"""
Args:
Expand Down Expand Up @@ -1089,12 +1133,16 @@ def lookup(self, token):
return self.waf_rule_id(*kv[1:])
elif kv[0] == "waf:web-acl-id":
return self.waf_web_acl_id(*kv[1:])
elif kv[0] == "waf:cloudflare/ip-list":
return self.waf_cloudflare_ip_list()
elif kv[0] == "wafv2:global/ip-set-arn":
return self.wafv2_global_ip_set_arn(*kv[1:])
elif kv[0] == "wafv2:global/rule-group-arn":
return self.wafv2_global_rule_group_arn(*kv[1:])
elif kv[0] == "wafv2:global/web-acl-arn":
return self.wafv2_global_web_acl_arn(*kv[1:])
elif kv[0] == "wafv2:cloudflare/ip-list":
return self.wafv2_cloudflare_ip_list()
else:
return None
# raise("No lookup function for: "+kv[0])
Expand Down
1 change: 1 addition & 0 deletions setup.py
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ def readme():
'click<=7.1.2',
'PyYAML<=5.4.1',
'cfn-lint',
'netaddr==0.8.0',
'requests<=2.25.1',
'tenacity==7.0.0',
'yamllint<=1.25.0'
Expand Down

0 comments on commit 7bbbe8d

Please sign in to comment.