Add IT for WAF intergation

Signed-off-by: Chen Dai <[email protected]>
opensearch-project · Dec 19, 2024 · e65870c · e65870c
1 parent eeb32d6
commit e65870c
Show file tree

Hide file tree

Showing 3 changed files with 269 additions and 115 deletions.
diff --git a/integ-test/src/integration/resources/aws-logs/cloud_trail.sql b/integ-test/src/integration/resources/aws-logs/cloud_trail.sql
@@ -63,119 +63,119 @@ OPTIONS (
 );
 
 INSERT INTO {table_name} VALUES
-    (
-        '1.08',
-        NAMED_STRUCT(
-            'type', 'IAMUser',
-            'principalId', 'AWS123456789012',
-            'arn', 'arn:aws:iam::123456789012:user/ExampleUser',
-            'accountId', '123456789012',
-            'invokedBy', null,
-            'accessKeyId', 'AKIA1234567890',
-            'userName', 'ExampleUser',
-            'sessionContext', NAMED_STRUCT(
-                'attributes', NAMED_STRUCT(
-                    'mfaAuthenticated', 'true',
-                    'creationDate', '2023-11-01T05:00:00Z'
-                ),
-                'sessionIssuer', NAMED_STRUCT(
-                    'type', 'Role',
-                    'principalId', 'ARO123456789012',
-                    'arn', 'arn:aws:iam::123456789012:role/MyRole',
-                    'accountId', '123456789012',
-                    'userName', 'MyRole'
-                ),
-                'ec2RoleDelivery', 'true',
-                'webIdFederationData', MAP()
-            )
-        ),
-        '2023-11-01T05:00:00Z',
-        'sts.amazonaws.com',
-        'AssumeRole',
-        'us-east-1',
-        '198.51.100.45',
-        'AWS CLI',
-        null,
-        null,
-        null,
-        null,
-        null,
-        'request-id-1',
-        'event-id-1',
-        ARRAY(NAMED_STRUCT(
-            'arn', 'arn:aws:iam::123456789012:role/MyRole',
-            'accountId', '123456789012',
-            'type', 'AWS::IAM::Role'
-        )),
-        'AwsApiCall',
-        '2015-03-31',
-        'true',
-        '123456789012',
-        null,
-        null,
-        null,
-        'Management',
-        NAMED_STRUCT(
-            'tlsVersion', 'TLSv1.2',
-            'cipherSuite', 'ECDHE-RSA-AES128-GCM-SHA256',
-            'clientProvidedHostHeader', null
+(
+    '1.08',
+    NAMED_STRUCT(
+        'type', 'IAMUser',
+        'principalId', 'AWS123456789012',
+        'arn', 'arn:aws:iam::123456789012:user/ExampleUser',
+        'accountId', '123456789012',
+        'invokedBy', null,
+        'accessKeyId', 'AKIA1234567890',
+        'userName', 'ExampleUser',
+        'sessionContext', NAMED_STRUCT(
+            'attributes', NAMED_STRUCT(
+                'mfaAuthenticated', 'true',
+                'creationDate', '2023-11-01T05:00:00Z'
+            ),
+            'sessionIssuer', NAMED_STRUCT(
+                'type', 'Role',
+                'principalId', 'ARO123456789012',
+                'arn', 'arn:aws:iam::123456789012:role/MyRole',
+                'accountId', '123456789012',
+                'userName', 'MyRole'
+            ),
+            'ec2RoleDelivery', 'true',
+            'webIdFederationData', MAP()
         )
     ),
-    (
-        '1.08',
-        NAMED_STRUCT(
-            'type', 'IAMUser',
-            'principalId', 'AWS123456789012',
-            'arn', 'arn:aws:iam::123456789012:user/ExampleUser',
-            'accountId', '123456789012',
-            'invokedBy', null,
-            'accessKeyId', 'AKIA1234567890',
-            'userName', 'ExampleUser',
-            'sessionContext', NAMED_STRUCT(
-                'attributes', NAMED_STRUCT(
-                    'mfaAuthenticated', 'true',
-                    'creationDate', '2023-11-01T05:06:00Z'
-                ),
-                'sessionIssuer', NAMED_STRUCT(
-                    'type', 'Role',
-                    'principalId', 'ARO123456789012',
-                    'arn', 'arn:aws:iam::123456789012:role/MyRole',
-                    'accountId', '123456789012',
-                    'userName', 'MyRole'
-                ),
-                'ec2RoleDelivery', 'true',
-                'webIdFederationData', MAP()
-            )
-        ),
-        '2023-11-01T05:06:00Z',
-        'sts.amazonaws.com',
-        'AssumeRole',
-        'us-east-1',
-        '198.51.100.45',
-        'AWS CLI',
-        null,
-        null,
-        null,
-        null,
-        null,
-        'request-id-2',
-        'event-id-2',
-        ARRAY(NAMED_STRUCT(
-            'arn', 'arn:aws:iam::123456789012:role/MyRole',
-            'accountId', '123456789012',
-            'type', 'AWS::IAM::Role'
-        )),
-        'AwsApiCall',
-        '2015-03-31',
-        'true',
-        '123456789012',
-        null,
-        null,
-        null,
-        'Management',
-        NAMED_STRUCT(
-            'tlsVersion', 'TLSv1.2',
-            'cipherSuite', 'ECDHE-RSA-AES128-GCM-SHA256',
-            'clientProvidedHostHeader', null
+    '2023-11-01T05:00:00Z',
+    'sts.amazonaws.com',
+    'AssumeRole',
+    'us-east-1',
+    '198.51.100.45',
+    'AWS CLI',
+    null,
+    null,
+    null,
+    null,
+    null,
+    'request-id-1',
+    'event-id-1',
+    ARRAY(NAMED_STRUCT(
+        'arn', 'arn:aws:iam::123456789012:role/MyRole',
+        'accountId', '123456789012',
+        'type', 'AWS::IAM::Role'
+    )),
+    'AwsApiCall',
+    '2015-03-31',
+    'true',
+    '123456789012',
+    null,
+    null,
+    null,
+    'Management',
+    NAMED_STRUCT(
+        'tlsVersion', 'TLSv1.2',
+        'cipherSuite', 'ECDHE-RSA-AES128-GCM-SHA256',
+        'clientProvidedHostHeader', null
+    )
+),
+(
+    '1.08',
+    NAMED_STRUCT(
+        'type', 'IAMUser',
+        'principalId', 'AWS123456789012',
+        'arn', 'arn:aws:iam::123456789012:user/ExampleUser',
+        'accountId', '123456789012',
+        'invokedBy', null,
+        'accessKeyId', 'AKIA1234567890',
+        'userName', 'ExampleUser',
+        'sessionContext', NAMED_STRUCT(
+            'attributes', NAMED_STRUCT(
+                'mfaAuthenticated', 'true',
+                'creationDate', '2023-11-01T05:06:00Z'
+            ),
+            'sessionIssuer', NAMED_STRUCT(
+                'type', 'Role',
+                'principalId', 'ARO123456789012',
+                'arn', 'arn:aws:iam::123456789012:role/MyRole',
+                'accountId', '123456789012',
+                'userName', 'MyRole'
+            ),
+            'ec2RoleDelivery', 'true',
+            'webIdFederationData', MAP()
         )
-    );
+    ),
+    '2023-11-01T05:06:00Z',
+    'sts.amazonaws.com',
+    'AssumeRole',
+    'us-east-1',
+    '198.51.100.45',
+    'AWS CLI',
+    null,
+    null,
+    null,
+    null,
+    null,
+    'request-id-2',
+    'event-id-2',
+    ARRAY(NAMED_STRUCT(
+        'arn', 'arn:aws:iam::123456789012:role/MyRole',
+        'accountId', '123456789012',
+        'type', 'AWS::IAM::Role'
+    )),
+    'AwsApiCall',
+    '2015-03-31',
+    'true',
+    '123456789012',
+    null,
+    null,
+    null,
+    'Management',
+    NAMED_STRUCT(
+        'tlsVersion', 'TLSv1.2',
+        'cipherSuite', 'ECDHE-RSA-AES128-GCM-SHA256',
+        'clientProvidedHostHeader', null
+    )
+);
diff --git a/integ-test/src/integration/resources/aws-logs/waf.sql b/integ-test/src/integration/resources/aws-logs/waf.sql
@@ -0,0 +1,91 @@
+CREATE TABLE {table_name} (
+    timestamp STRING,
+    webaclId STRING,
+    action STRING,
+    formatVersion INT,
+    httpRequest STRUCT<
+        clientIp: STRING,
+        country: STRING,
+        headers: ARRAY<STRUCT<
+            name: STRING,
+            value: STRING
+        >>,
+        uri: STRING,
+        args: STRING,
+        httpVersion: STRING,
+        httpMethod: STRING,
+        requestId: STRING
+    >,
+    httpSourceId STRING,
+    httpSourceName STRING,
+    requestBodySize INT,
+    requestBodySizeInspectedByWAF INT,
+    terminatingRuleId STRING,
+    terminatingRuleType STRING,
+    ruleGroupList ARRAY<STRUCT<
+        ruleId: STRING,
+        ruleAction: STRING
+    >>,
+    rateBasedRuleList ARRAY<STRUCT<
+        ruleId: STRING
+    >>,
+    nonTerminatingMatchingRules ARRAY<STRUCT<
+        ruleId: STRING
+    >>
+)
+USING json
+OPTIONS (
+    recursivefilelookup = 'true'
+);
+
+INSERT INTO {table_name} VALUES
+(
+    1698814800000,  -- 2023-11-01T05:00:00Z
+    'webacl-12345',
+    'ALLOW',
+    1,
+    NAMED_STRUCT(
+        'clientIp', '192.0.2.1',
+        'country', 'US',
+        'headers', ARRAY(NAMED_STRUCT('name', 'User-Agent', 'value', 'Mozilla/5.0')),
+        'uri', '/index.html',
+        'args', 'query=example',
+        'httpVersion', 'HTTP/1.1',
+        'httpMethod', 'GET',
+        'requestId', 'req-1'
+    ),
+    'source-1',
+    'http-source',
+    500,
+    450,
+    'rule-1',
+    'REGULAR',
+    ARRAY(NAMED_STRUCT('ruleId', 'group-rule-1', 'ruleAction', 'ALLOW')),
+    ARRAY(),
+    ARRAY()
+),
+(
+    1698815400000,  -- 2023-11-01T05:10:00Z
+    'webacl-67890',
+    'BLOCK',
+    1,
+    NAMED_STRUCT(
+        'clientIp', '192.0.2.2',
+        'country', 'CA',
+        'headers', ARRAY(NAMED_STRUCT('name', 'Referer', 'value', 'example.com')),
+        'uri', '/login.html',
+        'args', '',
+        'httpVersion', 'HTTP/2',
+        'httpMethod', 'POST',
+        'requestId', 'req-2'
+    ),
+    'source-2',
+    'http-source',
+    750,
+    600,
+    'rule-2',
+    'RATE_BASED',
+    ARRAY(NAMED_STRUCT('ruleId', 'group-rule-2', 'ruleAction', 'BLOCK')),
+    ARRAY(),
+    ARRAY()
+);