CheckPointSW · chkp-omris · Jul 22, 2024 · Jul 22, 2024
diff --git a/cmd/discard.go b/cmd/discard.go
@@ -13,6 +13,7 @@ import (
 	"time"
 
 	"github.com/CheckPointSW/infinity-next-terraform-cli/cmd/utils"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 )
@@ -51,6 +52,7 @@ var discardCmd = &cobra.Command{
 	},
 	RunE: func(cmd *cobra.Command, args []string) error {
 		var URL string
+		API := policyPath
 		switch region {
 		case "eu":
 			URL = EUCIURL
@@ -105,16 +107,43 @@ var discardCmd = &cobra.Command{
 			return err
 		}
 
-		enforceReq, err := http.NewRequest(http.MethodPost, URL+CIAPIV1, bytes.NewBuffer(bReq))
+		discardReq, err := http.NewRequest(http.MethodPost, URL+API, bytes.NewBuffer(bReq))
 		if err != nil {
 			return err
 		}
 
-		enforceReq.Header.Set("Authorization", "Bearer "+auth.Data.Token)
-		enforceReq.Header.Set("Content-Type", "application/json")
+		token, _, err := jwt.NewParser().ParseUnverified(auth.Data.Token, jwt.MapClaims{})
+		if err != nil {
+			return fmt.Errorf("failed to parse token: %w", err)
+		}
+
+		tokenMapClaims := token.Claims.(jwt.MapClaims)
+		if appID, ok := tokenMapClaims[appIDClaim]; ok {
+			switch appID.(string) {
+			case wafAppID:
+				if API != wafPath {
+					API = wafPath
+					discardReq, err = http.NewRequest(http.MethodPost, URL+API, bytes.NewBuffer(bReq))
+					if err != nil {
+						return err
+					}
+				}
+			case policyAppID:
+				if API != policyPath {
+					API = policyPath
+					discardReq, err = http.NewRequest(http.MethodPost, URL+API, bytes.NewBuffer(bReq))
+					if err != nil {
+						return err
+					}
+				}
+			}
+		}
+
+		discardReq.Header.Set("Authorization", "Bearer "+auth.Data.Token)
+		discardReq.Header.Set("Content-Type", "application/json")
 
 		var discardChanges graphqlResponse[discardResponseData]
-		discardResp, err := utils.HTTPRequestUnmarshal(&client, enforceReq, &discardChanges)
+		discardResp, err := utils.HTTPRequestUnmarshal(&client, discardReq, &discardChanges)
 		if err != nil {
 			return err
 		}

diff --git a/cmd/enforce.go b/cmd/enforce.go
@@ -12,6 +12,7 @@ import (
 	"time"
 
 	"github.com/CheckPointSW/infinity-next-terraform-cli/cmd/utils"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 )
@@ -55,6 +56,7 @@ var enforceCmd = &cobra.Command{
 	},
 	RunE: func(cmd *cobra.Command, args []string) error {
 		var URL string
+		API := policyPath
 		switch region {
 		case "eu":
 			URL = EUCIURL
@@ -103,11 +105,38 @@ var enforceCmd = &cobra.Command{
 			return err
 		}
 
-		enforceReq, err := http.NewRequest(http.MethodPost, URL+CIAPIV1, bytes.NewBuffer(bReq))
+		enforceReq, err := http.NewRequest(http.MethodPost, URL+API, bytes.NewBuffer(bReq))
 		if err != nil {
 			return err
 		}
 
+		token, _, err := jwt.NewParser().ParseUnverified(auth.Data.Token, jwt.MapClaims{})
+		if err != nil {
+			return fmt.Errorf("failed to parse token: %w", err)
+		}
+
+		tokenMapClaims := token.Claims.(jwt.MapClaims)
+		if appID, ok := tokenMapClaims[appIDClaim]; ok {
+			switch appID.(string) {
+			case wafAppID:
+				if API != wafPath {
+					API = wafPath
+					enforceReq, err = http.NewRequest(http.MethodPost, URL+API, bytes.NewBuffer(bReq))
+					if err != nil {
+						return err
+					}
+				}
+			case policyAppID:
+				if API != policyPath {
+					API = policyPath
+					enforceReq, err = http.NewRequest(http.MethodPost, URL+API, bytes.NewBuffer(bReq))
+					if err != nil {
+						return err
+					}
+				}
+			}
+		}
+
 		enforceReq.Header.Set("Authorization", "Bearer "+auth.Data.Token)
 		enforceReq.Header.Set("Content-Type", "application/json")
 
@@ -132,7 +161,7 @@ var enforceCmd = &cobra.Command{
 		go func() {
 			// Poll for the enforce policy task's status until it's done
 			for taskStatus == "InProgress" {
-				taskReq, err := http.NewRequest(http.MethodPost, URL+CIAPIV1, bytes.NewBuffer(bReq))
+				taskReq, err := http.NewRequest(http.MethodPost, URL+API, bytes.NewBuffer(bReq))
 				if err != nil {
 					errch <- err
 				}

diff --git a/cmd/publish.go b/cmd/publish.go
@@ -12,6 +12,7 @@ import (
 	"time"
 
 	"github.com/CheckPointSW/infinity-next-terraform-cli/cmd/utils"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 )
@@ -60,6 +61,7 @@ var publishCmd = &cobra.Command{
 	},
 	RunE: func(cmd *cobra.Command, args []string) error {
 		var URL string
+		API := policyPath
 		switch region {
 		case "eu":
 			URL = EUCIURL
@@ -122,16 +124,43 @@ var publishCmd = &cobra.Command{
 			return err
 		}
 
-		enforceReq, err := http.NewRequest(http.MethodPost, URL+CIAPIV1, bytes.NewBuffer(bReq))
+		publishReq, err := http.NewRequest(http.MethodPost, URL+API, bytes.NewBuffer(bReq))
 		if err != nil {
 			return err
 		}
 
-		enforceReq.Header.Set("Authorization", "Bearer "+auth.Data.Token)
-		enforceReq.Header.Set("Content-Type", "application/json")
+		token, _, err := jwt.NewParser().ParseUnverified(auth.Data.Token, jwt.MapClaims{})
+		if err != nil {
+			return fmt.Errorf("failed to parse token: %w", err)
+		}
+
+		tokenMapClaims := token.Claims.(jwt.MapClaims)
+		if appID, ok := tokenMapClaims[appIDClaim]; ok {
+			switch appID.(string) {
+			case wafAppID:
+				if API != wafPath {
+					API = wafPath
+					publishReq, err = http.NewRequest(http.MethodPost, URL+API, bytes.NewBuffer(bReq))
+					if err != nil {
+						return err
+					}
+				}
+			case policyAppID:
+				if API != policyPath {
+					API = policyPath
+					publishReq, err = http.NewRequest(http.MethodPost, URL+API, bytes.NewBuffer(bReq))
+					if err != nil {
+						return err
+					}
+				}
+			}
+		}
+
+		publishReq.Header.Set("Authorization", "Bearer "+auth.Data.Token)
+		publishReq.Header.Set("Content-Type", "application/json")
 
 		var publishChanges graphqlResponse[publishResponseData]
-		publishResp, err := utils.HTTPRequestUnmarshal(&client, enforceReq, &publishChanges)
+		publishResp, err := utils.HTTPRequestUnmarshal(&client, publishReq, &publishChanges)
 		if err != nil {
 			return err
 		}

diff --git a/cmd/root.go b/cmd/root.go
@@ -9,10 +9,14 @@ import (
 )
 
 const (
-	EUCIURL    = "https://cloudinfra-gw.portal.checkpoint.com"
-	USCIURL    = "https://cloudinfra-gw-us.portal.checkpoint.com"
-	CIAuthPath = "/auth/external"
-	CIAPIV1    = "/app/i2/graphql/V1"
+	EUCIURL     = "https://cloudinfra-gw.portal.checkpoint.com"
+	USCIURL     = "https://cloudinfra-gw-us.portal.checkpoint.com"
+	CIAuthPath  = "/auth/external"
+	appIDClaim  = "appId"
+	wafAppID    = "64488de9-f813-42a7-93e7-f3fe25dd9011"
+	policyAppID = "f47b536c-a990-42fb-9ab2-ec38f8c2dcff"
+	wafPath     = "/app/waf/graphql/V1"
+	policyPath  = "/app/i2/graphql/V1"
 )
 
 var (

diff --git a/go.mod b/go.mod
@@ -3,6 +3,7 @@ module github.com/CheckPointSW/infinity-next-terraform-cli
 go 1.18
 
 require (
+	github.com/golang-jwt/jwt/v5 v5.2.1
 	github.com/spf13/cobra v1.4.0
 	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.11.0

diff --git a/go.sum b/go.sum
@@ -61,6 +61,8 @@ github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmV
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
+github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
+github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=