fix: Add resolve action to allowed gateway rules

cloudflare · Mar 26, 2024 · c4f1b2f · c4f1b2f
1 parent 18282f1
commit c4f1b2f
Show file tree

Hide file tree

Showing 3 changed files with 79 additions and 4 deletions.
diff --git a/.changelog/1608.txt b/.changelog/1608.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+teams_rules: add "resolve" to allowable actions
+```
diff --git a/teams_rules.go b/teams_rules.go
@@ -146,10 +146,11 @@ type TeamsFilterType string
 type TeamsGatewayAction string
 
 const (
-	HttpFilter   TeamsFilterType = "http"
-	DnsFilter    TeamsFilterType = "dns"
-	L4Filter     TeamsFilterType = "l4"
-	EgressFilter TeamsFilterType = "egress"
+	HttpFilter        TeamsFilterType = "http"
+	DnsFilter         TeamsFilterType = "dns"
+	L4Filter          TeamsFilterType = "l4"
+	EgressFilter      TeamsFilterType = "egress"
+	DnsResolverFilter TeamsFilterType = "dns_resolver"
 )
 
 const (
@@ -167,6 +168,7 @@ const (
 	L4Override   TeamsGatewayAction = "l4_override"  // l4
 	Egress       TeamsGatewayAction = "egress"       // egress
 	AuditSSH     TeamsGatewayAction = "audit_ssh"    // l4
+	Resolve      TeamsGatewayAction = "resolve"      // resolve
 )
 
 func TeamsRulesActionValues() []string {
@@ -185,6 +187,7 @@ func TeamsRulesActionValues() []string {
 		string(L4Override),
 		string(Egress),
 		string(AuditSSH),
+		string(Resolve),
 	}
 }
 

diff --git a/teams_rules_test.go b/teams_rules_test.go
@@ -532,6 +532,75 @@ func TestTeamsCreateL4Rule(t *testing.T) {
 	}
 }
 
+func TestTeamsCreateResolverPolicy(t *testing.T) {
+	setup()
+	defer teardown()
+
+	handler := func(w http.ResponseWriter, r *http.Request) {
+		assert.Equal(t, http.MethodPost, r.Method, "Expected method 'POST', got %s", r.Method)
+		w.Header().Set("content-type", "application/json")
+		fmt.Fprintf(w, `{
+			"success": true,
+			"errors": [],
+			"messages": [],
+			"result": {
+				"name": "resolve 4.4.4.4",
+				"description": "rule description",
+				"precedence": 1000,
+				"enabled": true,
+				"action": "resolve",
+				"filters": [
+					"dns_resolver"
+				],
+				"traffic": "any(dns.domains[*] == \"scottstots.com\")",
+				"identity": "",
+				"rule_settings": {
+					"audit_ssh": { "command_logging": true },
+					"resolve_dns_through_cloudflare": true
+				}
+			}
+		}
+		`)
+	}
+
+	want := TeamsRule{
+		Name:          "resolve 4.4.4.4",
+		Description:   "rule description",
+		Precedence:    1000,
+		Enabled:       true,
+		Action:        Resolve,
+		Filters:       []TeamsFilterType{DnsResolverFilter},
+		Traffic:       `any(dns.domains[*] == "scottstots.com")`,
+		Identity:      "",
+		DevicePosture: "",
+		RuleSettings: TeamsRuleSettings{
+			BlockPageEnabled:                false,
+			BlockReason:                     "",
+			OverrideIPs:                     nil,
+			OverrideHost:                    "",
+			L4Override:                      nil,
+			AddHeaders:                      nil,
+			BISOAdminControls:               nil,
+			CheckSession:                    nil,
+			InsecureDisableDNSSECValidation: false,
+			EgressSettings:                  nil,
+			AuditSSH: &AuditSSHRuleSettings{
+				CommandLogging: true,
+			},
+			ResolveDnsThroughCloudflare: BoolPtr(true),
+		},
+		DeletedAt: nil,
+	}
+
+	mux.HandleFunc("/accounts/"+testAccountID+"/gateway/rules", handler)
+
+	actual, err := client.TeamsCreateRule(context.Background(), testAccountID, want)
+
+	if assert.NoError(t, err) {
+		assert.Equal(t, want, actual)
+	}
+}
+
 func TestTeamsUpdateRule(t *testing.T) {
 	setup()
 	defer teardown()