diff --git a/cmd/discard.go b/cmd/discard.go
index 17cd5f6..be74243 100644
--- a/cmd/discard.go
+++ b/cmd/discard.go
@@ -13,6 +13,7 @@ import (
 "time"
 "github.com/CheckPointSW/infinity-next-terraform-cli/cmd/utils"
+ "github.com/golang-jwt/jwt/v5"
 "github.com/spf13/cobra"
 "github.com/spf13/pflag"
 )
@@ -51,6 +52,7 @@ var discardCmd = &cobra.Command{
 },
 RunE: func(cmd *cobra.Command, args []string) error {
 var URL string
+ API := policyPath
 switch region {
 case "eu":
 URL = EUCIURL
@@ -105,16 +107,43 @@ var discardCmd = &cobra.Command{
 return err
 }
- enforceReq, err := http.NewRequest(http.MethodPost, URL+CIAPIV1, bytes.NewBuffer(bReq))
+ discardReq, err := http.NewRequest(http.MethodPost, URL+API, bytes.NewBuffer(bReq))
 if err != nil {
 return err
 }
- enforceReq.Header.Set("Authorization", "Bearer "+auth.Data.Token)
- enforceReq.Header.Set("Content-Type", "application/json")
+ token, _, err := jwt.NewParser().ParseUnverified(auth.Data.Token, jwt.MapClaims{})
+ if err != nil {
+ return fmt.Errorf("failed to parse token: %w", err)
+ }
+
+ tokenMapClaims := token.Claims.(jwt.MapClaims)
+ if appID, ok := tokenMapClaims[appIDClaim]; ok {
+ switch appID.(string) {
+ case wafAppID:
+ if API != wafPath {
+ API = wafPath
+ discardReq, err = http.NewRequest(http.MethodPost, URL+API, bytes.NewBuffer(bReq))
+ if err != nil {
+ return err
+ }
+ }
+ case policyAppID:
+ if API != policyPath {
+ API = policyPath
+ discardReq, err = http.NewRequest(http.MethodPost, URL+API, bytes.NewBuffer(bReq))
+ if err != nil {
+ return err
+ }
+ }
+ }
+ }
+
+ discardReq.Header.Set("Authorization", "Bearer "+auth.Data.Token)
+ discardReq.Header.Set("Content-Type", "application/json")
 var discardChanges graphqlResponse[discardResponseData]
- discardResp, err := utils.HTTPRequestUnmarshal(&client, enforceReq, &discardChanges)
+ discardResp, err := utils.HTTPRequestUnmarshal(&client, discardReq, &discardChanges)
 if err != nil {
 return err
 }
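Review bot: `switch appID.(string)` in the new claim check is an unchecked type assertion, so a token whose `appId` claim is not a JSON string (a number, null, an object) makes the CLI panic instead of returning an error; the same lines are repeated in cmd/enforce.go and cmd/publish.go. The `case policyAppID` branch is unreachable as well, because `API` is set to `policyPath` on the `API := policyPath` line and never changes before the switch, and building `discardReq` before the path is known only so it can be rebuilt afterwards obscures that. Resolving the path first in one helper in package cmd, next to the constants, fixes both and removes the triplicated block; the helper is also the place for the comment this hunk lacks — why `ParseUnverified` is acceptable here (it is the CLI's own bearer token, the claim only selects an endpoint, and the server verifies the signature on every request), so the unverified parse is never later reused for an authorization decision. The `RunE` closure starts and ends outside the hunk, and the earlier `API := policyPath` would be dropped in favour of the call below.
```go
// apiPathForToken returns the GraphQL path for the application the bearer
// token was issued for. The token is deliberately parsed WITHOUT signature
// verification: it is the CLI's own token, the claim only selects an
// endpoint, and the server verifies the token on every request. A missing or
// non-string claim falls back to policyPath instead of panicking.
func apiPathForToken(rawToken string) (string, error) {
	token, _, err := jwt.NewParser().ParseUnverified(rawToken, jwt.MapClaims{})
	if err != nil {
		return "", fmt.Errorf("parsing token: %w", err)
	}
	claims, _ := token.Claims.(jwt.MapClaims) // nil map on mismatch; lookup below then yields ""
	appID, _ := claims[appIDClaim].(string)
	if appID == wafAppID {
		return wafPath, nil
	}
	return policyPath, nil
}

// in RunE, once auth is available, in place of the switch block:
API, err := apiPathForToken(auth.Data.Token)
if err != nil {
	return err
}
discardReq, err := http.NewRequest(http.MethodPost, URL+API, bytes.NewBuffer(bReq))
// … unchanged: error check, headers, HTTPRequestUnmarshal …
```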
diff --git a/cmd/enforce.go b/cmd/enforce.go
index fd03b4c..152de08 100644
--- a/cmd/enforce.go
+++ b/cmd/enforce.go
@@ -12,6 +12,7 @@ import (
 "time"
 "github.com/CheckPointSW/infinity-next-terraform-cli/cmd/utils"
+ "github.com/golang-jwt/jwt/v5"
 "github.com/spf13/cobra"
 "github.com/spf13/pflag"
 )
@@ -55,6 +56,7 @@ var enforceCmd = &cobra.Command{
 },
 RunE: func(cmd *cobra.Command, args []string) error {
 var URL string
+ API := policyPath
 switch region {
 case "eu":
 URL = EUCIURL
@@ -103,11 +105,38 @@ var enforceCmd = &cobra.Command{
 return err
 }
- enforceReq, err := http.NewRequest(http.MethodPost, URL+CIAPIV1, bytes.NewBuffer(bReq))
+ enforceReq, err := http.NewRequest(http.MethodPost, URL+API, bytes.NewBuffer(bReq))
 if err != nil {
 return err
 }
+ token, _, err := jwt.NewParser().ParseUnverified(auth.Data.Token, jwt.MapClaims{})
+ if err != nil {
+ return fmt.Errorf("failed to parse token: %w", err)
+ }
+
+ tokenMapClaims := token.Claims.(jwt.MapClaims)
+ if appID, ok := tokenMapClaims[appIDClaim]; ok {
+ switch appID.(string) {
+ case wafAppID:
+ if API != wafPath {
+ API = wafPath
+ enforceReq, err = http.NewRequest(http.MethodPost, URL+API, bytes.NewBuffer(bReq))
+ if err != nil {
+ return err
+ }
+ }
+ case policyAppID:
+ if API != policyPath {
+ API = policyPath
+ enforceReq, err = http.NewRequest(http.MethodPost, URL+API, bytes.NewBuffer(bReq))
+ if err != nil {
+ return err
+ }
+ }
+ }
+ }
+
 enforceReq.Header.Set("Authorization", "Bearer "+auth.Data.Token)
 enforceReq.Header.Set("Content-Type", "application/json")
@@ -132,7 +161,7 @@ var enforceCmd = &cobra.Command{
 go func() {
 // Poll for the enforce policy task's status until it's done
 for taskStatus == "InProgress" {
- taskReq, err := http.NewRequest(http.MethodPost, URL+CIAPIV1, bytes.NewBuffer(bReq))
+ taskReq, err := http.NewRequest(http.MethodPost, URL+API, bytes.NewBuffer(bReq))
 if err != nil {
 errch <- err
 }
diff --git a/cmd/publish.go b/cmd/publish.go
index d72a7f6..3a5845f 100644
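Review bot: In the polling goroutine of the last hunk, the `errch <- err` that follows the changed `taskReq, err := http.NewRequest(http.MethodPost, URL+API, bytes.NewBuffer(bReq))` line is not followed by `return`, so when request construction fails the loop carries on with a nil `taskReq`; the loop body continues past the hunk, so I cannot see from here whether it is dereferenced there, but `errch <- err` followed by `return` would make the failure path explicit and stop the goroutine. The fault is pre-existing, but the commit already rewrites that line. `API` is read inside the goroutine after being assigned in the third hunk and nothing in view writes it later, so the capture itself looks safe.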
--- a/cmd/publish.go
+++ b/cmd/publish.go
@@ -12,6 +12,7 @@ import (
 "time"
 "github.com/CheckPointSW/infinity-next-terraform-cli/cmd/utils"
+ "github.com/golang-jwt/jwt/v5"
 "github.com/spf13/cobra"
 "github.com/spf13/pflag"
 )
@@ -60,6 +61,7 @@ var publishCmd = &cobra.Command{
 },
 RunE: func(cmd *cobra.Command, args []string) error {
 var URL string
+ API := policyPath
 switch region {
 case "eu":
 URL = EUCIURL
@@ -122,16 +124,43 @@ var publishCmd = &cobra.Command{
 return err
 }
- enforceReq, err := http.NewRequest(http.MethodPost, URL+CIAPIV1, bytes.NewBuffer(bReq))
+ publishReq, err := http.NewRequest(http.MethodPost, URL+API, bytes.NewBuffer(bReq))
 if err != nil {
 return err
 }
- enforceReq.Header.Set("Authorization", "Bearer "+auth.Data.Token)
- enforceReq.Header.Set("Content-Type", "application/json")
+ token, _, err := jwt.NewParser().ParseUnverified(auth.Data.Token, jwt.MapClaims{})
+ if err != nil {
+ return fmt.Errorf("failed to parse token: %w", err)
+ }
+
+ tokenMapClaims := token.Claims.(jwt.MapClaims)
+ if appID, ok := tokenMapClaims[appIDClaim]; ok {
+ switch appID.(string) {
+ case wafAppID:
+ if API != wafPath {
+ API = wafPath
+ publishReq, err = http.NewRequest(http.MethodPost, URL+API, bytes.NewBuffer(bReq))
+ if err != nil {
+ return err
+ }
+ }
+ case policyAppID:
+ if API != policyPath {
+ API = policyPath
+ publishReq, err = http.NewRequest(http.MethodPost, URL+API, bytes.NewBuffer(bReq))
+ if err != nil {
+ return err
+ }
+ }
+ }
+ }
+
+ publishReq.Header.Set("Authorization", "Bearer "+auth.Data.Token)
+ publishReq.Header.Set("Content-Type", "application/json")
 var publishChanges graphqlResponse[publishResponseData]
- publishResp, err := utils.HTTPRequestUnmarshal(&client, enforceReq, &publishChanges)
+ publishResp, err := utils.HTTPRequestUnmarshal(&client, publishReq, &publishChanges)
 if err != nil {
 return err
 }
diff --git a/cmd/root.go b/cmd/root.go
index 9149f00..32e71a9 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -9,10 +9,14 @@ import (
 )
 const (
- EUCIURL = "https://cloudinfra-gw.portal.checkpoint.com"
- USCIURL = "https://cloudinfra-gw-us.portal.checkpoint.com"
- CIAuthPath = "/auth/external"
- CIAPIV1 = "/app/i2/graphql/V1"
+ EUCIURL = "https://cloudinfra-gw.portal.checkpoint.com"
+ USCIURL = "https://cloudinfra-gw-us.portal.checkpoint.com"
+ CIAuthPath = "/auth/external"
+ appIDClaim = "appId"
+ wafAppID = "64488de9-f813-42a7-93e7-f3fe25dd9011"
+ policyAppID = "f47b536c-a990-42fb-9ab2-ec38f8c2dcff"
+ wafPath = "/app/waf/graphql/V1"
+ policyPath = "/app/i2/graphql/V1"
 )
 var (
diff --git a/go.mod b/go.mod
index 9fefda5..f8e52e4 100644
--- a/go.mod
+++ b/go.mod
@@ -3,6 +3,7 @@ module github.com/CheckPointSW/infinity-next-terraform-cli
 go 1.18
 require (
+ github.com/golang-jwt/jwt/v5 v5.2.1
 github.com/spf13/cobra v1.4.0
 github.com/spf13/pflag v1.0.5
 github.com/spf13/viper v1.11.0
diff --git a/go.sum b/go.sum
index ef693a8..6073365 100644
--- a/go.sum
+++ b/go.sum
@@ -61,6 +61,8 @@ github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmV
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
+github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
+github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
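Review bot: The five constants added to the `const` block in cmd/root.go carry no doc comment, and `wafAppID` / `policyAppID` are bare UUIDs a reader cannot interpret without the command files; add `// appIDClaim is the JWT claim naming the Infinity application the token was issued for; the CLI uses it to choose between wafPath and policyPath.` above the group, and a one-line comment on each app ID saying which application it identifies (the path constants suggest the WAF app and the i2 policy app, but that should be confirmed by whoever owns these IDs). Removing `CIAPIV1` is only safe if nothing outside the three command files in this diff references it; presumably the build was checked, but it is worth stating in the commit message. Mixing exported (`EUCIURL`, `CIAuthPath`) and unexported names in one block is a pre-existing style wrinkle the new lines continue.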