cloudflare · jacobbednarz · Mar 4, 2023 · Mar 3, 2023 · Mar 4, 2023 · Mar 4, 2023
@@ -0,0 +1,3 @@
+```release-note:enhancement
+added audit_ssh to gateway actions, updated gateway rule settings
+```
@@ -36,11 +36,25 @@ type TeamsRuleSettings struct {
 	// whether to disable dnssec validation for allow action
 	InsecureDisableDNSSECValidation bool `json:"insecure_disable_dnssec_validation"`
 
+	// settings for rules with egress action
 	EgressSettings *EgressSettings `json:"egress"`
 
 	// DLP payload logging configuration
 	PayloadLog *TeamsDlpPayloadLogSettings `json:"payload_log"`
 
+	//AuditSsh Settings
+	AuditSSH *AuditSSHRuleSettings `json:"audit_ssh"`
+
+	// Turns on ip category based filter on dns if the rule contains dns category checks
+	IpCategories bool `json:"ip_categories"`
+
+	// Allow parent MSP accounts to enable bypass their children's rules.
+	AllowChildBypass bool `json:"allow_child_bypass"`
+
+	// Allow child MSP accounts to bypass their parent's rules
+	BypassParentRule bool `json:"bypass_parent_rule"`
+
+	// Action taken when an untrusted origin certificate error occurs in a http allow rule
 	UntrustedCertSettings *UntrustedCertSettings `json:"untrusted_cert"`
 }
 
@@ -56,6 +70,10 @@ type UntrustedCertSettings struct {
 	Action TeamsGatewayUntrustedCertAction `json:"action"`
 }
 
+type AuditSSHRuleSettings struct {
+	CommandLogging bool `json:"command_logging"`
+}
+
 type EgressSettings struct {
 	Ipv6Range    string `json:"ipv6"`
 	Ipv4         string `json:"ipv4"`
@@ -69,11 +87,12 @@ type TeamsL4OverrideSettings struct {
 }
 
 type TeamsBISOAdminControlSettings struct {
-	DisablePrinting  bool `json:"dp"`
-	DisableCopyPaste bool `json:"dcp"`
-	DisableDownload  bool `json:"dd"`
-	DisableUpload    bool `json:"du"`
-	DisableKeyboard  bool `json:"dk"`
+	DisablePrinting             bool `json:"dp"`
+	DisableCopyPaste            bool `json:"dcp"`
+	DisableDownload             bool `json:"dd"`
+	DisableUpload               bool `json:"du"`
+	DisableKeyboard             bool `json:"dk"`
+	DisableClipboardRedirection bool `json:"dcr"`
 }
 
 type TeamsCheckSessionSettings struct {
@@ -97,19 +116,20 @@ const (
 )
 
 const (
-	Allow        TeamsGatewayAction = "allow"
-	Block        TeamsGatewayAction = "block"
-	SafeSearch   TeamsGatewayAction = "safesearch"
-	YTRestricted TeamsGatewayAction = "ytrestricted"
-	On           TeamsGatewayAction = "on"
-	Off          TeamsGatewayAction = "off"
-	Scan         TeamsGatewayAction = "scan"
-	NoScan       TeamsGatewayAction = "noscan"
-	Isolate      TeamsGatewayAction = "isolate"
-	NoIsolate    TeamsGatewayAction = "noisolate"
-	Override     TeamsGatewayAction = "override"
-	L4Override   TeamsGatewayAction = "l4_override"
-	Egress       TeamsGatewayAction = "egress"
+	Allow        TeamsGatewayAction = "allow"        // dns|http|l4
+	Block        TeamsGatewayAction = "block"        // dns|http|l4
+	SafeSearch   TeamsGatewayAction = "safesearch"   // dns
+	YTRestricted TeamsGatewayAction = "ytrestricted" // dns
+	On           TeamsGatewayAction = "on"           // http
+	Off          TeamsGatewayAction = "off"          // http
+	Scan         TeamsGatewayAction = "scan"         // http
+	NoScan       TeamsGatewayAction = "noscan"       // http
+	Isolate      TeamsGatewayAction = "isolate"      // http
+	NoIsolate    TeamsGatewayAction = "noisolate"    // http
+	Override     TeamsGatewayAction = "override"     // http
+	L4Override   TeamsGatewayAction = "l4_override"  // l4
+	Egress       TeamsGatewayAction = "egress"       // egress
+	AuditSSH     TeamsGatewayAction = "audit_ssh"    // l4
 )
 
 func TeamsRulesActionValues() []string {
@@ -127,6 +147,7 @@ func TeamsRulesActionValues() []string {
 		string(Override),
 		string(L4Override),
 		string(Egress),
+		string(AuditSSH),
 	}
 }
 

@@ -264,7 +264,7 @@ func TestTeamsRule(t *testing.T) {
 	}
 }
 
-func TestTeamsCreateRule(t *testing.T) {
+func TestTeamsCreateHTTPRule(t *testing.T) {
 	setup()
 	defer teardown()
 
@@ -288,11 +288,7 @@ func TestTeamsCreateRule(t *testing.T) {
 				"identity": "",
 				"rule_settings": {
 					"block_page_enabled": false,
-					"block_reason": "",
-					"override_ips": null,
-					"override_host": "",
-					"l4override": null,
-					"biso_admin_controls": null,
+					"biso_admin_controls": {"dp": true, "du": true, "dk": true},
 					"add_headers": {
 						"X-Test": ["abcd"]
 					},
@@ -318,18 +314,162 @@ func TestTeamsCreateRule(t *testing.T) {
 		Identity:      "",
 		DevicePosture: "",
 		RuleSettings: TeamsRuleSettings{
-			BlockPageEnabled:  false,
-			BlockReason:       "",
-			OverrideIPs:       nil,
-			OverrideHost:      "",
-			L4Override:        nil,
-			AddHeaders:        http.Header{"X-Test": []string{"abcd"}},
-			BISOAdminControls: nil,
+			BlockPageEnabled: false,
+			BlockReason:      "",
+			OverrideIPs:      nil,
+			OverrideHost:     "",
+			L4Override:       nil,
+			AddHeaders:       http.Header{"X-Test": []string{"abcd"}},
+			BISOAdminControls: &TeamsBISOAdminControlSettings{
+				DisablePrinting: true,
+				DisableKeyboard: true,
+				DisableUpload:   true,
+			},
 			CheckSession: &TeamsCheckSessionSettings{
 				Enforce:  true,
 				Duration: Duration{300 * time.Second},
 			},
 			InsecureDisableDNSSECValidation: false,
+			EgressSettings:                  nil,
+		},
+		DeletedAt: nil,
+	}
+
+	mux.HandleFunc("/accounts/"+testAccountID+"/gateway/rules", handler)
+
+	actual, err := client.TeamsCreateRule(context.Background(), testAccountID, want)
+
+	if assert.NoError(t, err) {
+		assert.Equal(t, want, actual)
+	}
+}
+
+func TestTeamsCreateEgressRule(t *testing.T) {
+	setup()
+	defer teardown()
+
+	handler := func(w http.ResponseWriter, r *http.Request) {
+		assert.Equal(t, http.MethodPost, r.Method, "Expected method 'POST', got %s", r.Method)
+		w.Header().Set("content-type", "application/json")
+		fmt.Fprintf(w, `{
+			"success": true,
+			"errors": [],
+			"messages": [],
+			"result": {
+				"name": "egress via chicago",
+				"description": "rule description",
+				"precedence": 1000,
+				"enabled": false,
+				"action": "egress",
+				"filters": [
+					"egress"
+				],
+				"traffic": "net.src.geo.country == \"US\"",
+				"identity": "",
+				"rule_settings": {
+					"egress": {
+						"ipv6": "2a06:98c1:54::c61/64",
+						"ipv4": "2.2.2.2",
+						"ipv4_fallback": "1.1.1.1"
+					}
+				}
+			}
+		}
+		`)
+	}
+
+	want := TeamsRule{
+		Name:          "egress via chicago",
+		Description:   "rule description",
+		Precedence:    1000,
+		Enabled:       false,
+		Action:        Egress,
+		Filters:       []TeamsFilterType{EgressFilter},
+		Traffic:       `net.src.geo.country == "US"`,
+		Identity:      "",
+		DevicePosture: "",
+		RuleSettings: TeamsRuleSettings{
+			BlockPageEnabled:                false,
+			BlockReason:                     "",
+			OverrideIPs:                     nil,
+			OverrideHost:                    "",
+			L4Override:                      nil,
+			AddHeaders:                      nil,
+			BISOAdminControls:               nil,
+			CheckSession:                    nil,
+			InsecureDisableDNSSECValidation: false,
+			EgressSettings: &EgressSettings{
+				Ipv6Range:    "2a06:98c1:54::c61/64",
+				Ipv4:         "2.2.2.2",
+				Ipv4Fallback: "1.1.1.1",
+			},
+		},
+		DeletedAt: nil,
+	}
+
+	mux.HandleFunc("/accounts/"+testAccountID+"/gateway/rules", handler)
+
+	actual, err := client.TeamsCreateRule(context.Background(), testAccountID, want)
+
+	if assert.NoError(t, err) {
+		assert.Equal(t, want, actual)
+	}
+}
+
+func TestTeamsCreateL4Rule(t *testing.T) {
+	setup()
+	defer teardown()
+
+	handler := func(w http.ResponseWriter, r *http.Request) {
+		assert.Equal(t, http.MethodPost, r.Method, "Expected method 'POST', got %s", r.Method)
+		w.Header().Set("content-type", "application/json")
+		fmt.Fprintf(w, `{
+			"success": true,
+			"errors": [],
+			"messages": [],
+			"result": {
+				"name": "block 4.4.4.4",
+				"description": "rule description",
+				"precedence": 1000,
+				"enabled": true,
+				"action": "audit_ssh",
+				"filters": [
+					"l4"
+				],
+				"traffic": "net.src.geo.country == \"US\"",
+				"identity": "",
+				"rule_settings": {
+					"audit_ssh": { "command_logging": true }
+				}
+			}
+		}
+		`)
+	}
+
+	want := TeamsRule{
+		Name:          "block 4.4.4.4",
+		Description:   "rule description",
+		Precedence:    1000,
+		Enabled:       true,
+		Action:        AuditSSh,
+		Filters:       []TeamsFilterType{L4Filter},
+		Traffic:       `net.src.geo.country == "US"`,
+		Identity:      "",
+		DevicePosture: "",
+		RuleSettings: TeamsRuleSettings{
+			BlockPageEnabled:                false,
+			BlockReason:                     "",
+			OverrideIPs:                     nil,
+			OverrideHost:                    "",
+			L4Override:                      nil,
+			AddHeaders:                      nil,
+			BISOAdminControls:               nil,
+			CheckSession:                    nil,
+			InsecureDisableDNSSECValidation: false,
+			EgressSettings:                  nil,
+			AuditSSH: &AuditSSHRuleSettings{
+				CommandLogging: true,
+			},
 		},
 		DeletedAt: nil,
 	}