More use of tags - drop add_header action -> allow + headers+tags

2025-11-20 11:55:04 +11:00
parent 3f274c842c
commit de2eb43e2b
17 changed files with 526 additions and 49 deletions
--- a/db/migrate/20251118071813_add_is_bot_to_events.rb
+++ b/db/migrate/20251118071813_add_is_bot_to_events.rb
@@ -0,0 +1,6 @@
+class AddIsBotToEvents < ActiveRecord::Migration[8.1]
+  def change
+    add_column :events, :is_bot, :boolean, default: false, null: false
+    add_index :events, :is_bot
+  end
+end
--- a/db/migrate/20251120003554_migrate_add_header_rules_to_allow_with_tags.rb
+++ b/db/migrate/20251120003554_migrate_add_header_rules_to_allow_with_tags.rb
@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+# Migrate add_header rules to use allow action with tags/headers in metadata
+#
+# Old pattern:
+#   waf_action: add_header (5)
+#   metadata: { header_name: "X-Bot-Agent", header_value: "googlebot" }
+#
+# New pattern:
+#   waf_action: allow (1)
+#   metadata: {
+#     headers: { "X-Bot-Agent" => "googlebot" },
+#     tags: ["bot:googlebot"]
+#   }
+#
+class MigrateAddHeaderRulesToAllowWithTags < ActiveRecord::Migration[8.1]
+  def up
+    # Change all add_header (5) rules to allow (1)
+    # Keep metadata as-is for now - will be handled by Rule helper methods
+    execute <<-SQL
+      UPDATE rules
+      SET waf_action = 1  -- allow
+      WHERE waf_action = 5  -- add_header
+    SQL
+  end
+
+  def down
+    # This rollback is conservative - only revert rules that clearly came from add_header
+    # (have header_name/header_value in metadata but not headers)
+    execute <<-SQL
+      UPDATE rules
+      SET waf_action = 5  -- add_header
+      WHERE waf_action = 1  -- allow
+        AND metadata ? 'header_name'
+        AND metadata ? 'header_value'
+        AND NOT metadata ? 'headers'
+    SQL
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.

-ActiveRecord::Schema[8.1].define(version: 2025_11_16_025003) do
+ActiveRecord::Schema[8.1].define(version: 2025_11_20_003554) do
  # These are extensions that must be enabled in order to support this database
  enable_extension "pg_catalog.plpgsql"

@@ -80,6 +80,7 @@ ActiveRecord::Schema[8.1].define(version: 2025_11_16_025003) do
    t.datetime "created_at", null: false
    t.string "environment"
    t.inet "ip_address"
+    t.boolean "is_bot", default: false, null: false
    t.boolean "is_datacenter", default: false, null: false
    t.boolean "is_proxy", default: false, null: false
    t.boolean "is_vpn", default: false, null: false
@@ -105,6 +106,7 @@ ActiveRecord::Schema[8.1].define(version: 2025_11_16_025003) do
    t.index ["company"], name: "index_events_on_company"
    t.index ["country"], name: "index_events_on_country"
    t.index ["ip_address"], name: "index_events_on_ip_address"
+    t.index ["is_bot"], name: "index_events_on_is_bot"
    t.index ["is_datacenter", "is_vpn", "is_proxy"], name: "index_events_on_network_flags"
    t.index ["network_range_id"], name: "index_events_on_network_range_id"
    t.index ["request_host_id", "request_method", "request_segment_ids"], name: "idx_events_host_method_path"