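# ------------------------------------------------------------------------
# OpenHAB proxy rule exclusions plugin
# Copyright (c) 2024 Daniel Demus
#
# This plugin is distributed under Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

# Plugin name: openhab-proxy-rule-exclusions
# Plugin description: OWASP CRS 3rd party plugin for OpenHAB via proxy
# Rule ID block base: 93,000 - 93,999
# Plugin version: 1.0.0

# Documentation can be found here:
# https://git.demus.dk/demus/openhab-proxy-rule-exclusions-plugin.git

# Generic rule to disable plugin.
# Removes every other rule of this plugin for the transaction, including the local
# CRS initialization copies 93902/93903 below (they fall inside 93002-93999); with the
# plugin disabled CRS then sets those variables itself.
SecRule TX:openhab-proxy-rule-exclusions-plugin_enabled "@eq 0" \
    "id:93001,\
    phase:1,\
    pass,\
    nolog,\
    ver:'openhab-proxy-rule-exclusions-plugin/1.0.0',\
    ctl:ruleRemoveById=93002-93999"


# [ Local CRS initialization ]
#
# We need to initialize some of the CRS variables also here because plugin setup runs before
# CRS initialization (this is a known limitation of the current plugin architecture). Must be
# kept in sync with CRS default setting.
#
# Both copies only set the variable while it is still unset (the `&TX:... "@eq 0"` guard), so a
# value an operator configured in crs-setup.conf keeps precedence here, exactly as it does in
# CRS itself. Rule 93011 below appends to whichever value wins.

# Copy of CRS rule 901160.
SecRule &TX:allowed_methods "@eq 0" \
    "id:93902,\
    phase:1,\
    pass,\
    nolog,\
    ver:'openhab-proxy-rule-exclusions-plugin/1.0.0',\
    setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"

# Copy of CRS rule 901162.
SecRule &TX:allowed_request_content_type "@eq 0" \
    "id:93903,\
    phase:1,\
    pass,\
    nolog,\
    ver:'openhab-proxy-rule-exclusions-plugin/1.0.0',\
    setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"


# [ Rule exclusions for the openHAB REST API ]
#
# All exclusions are keyed on the request path (REQUEST_FILENAME, i.e. without the query
# string) with `t:none`, and the prefix is anchored as a regex so that only `/rest` and
# `/rest/...` match. A bare `@beginsWith /rest` would also relax the rule set for unrelated
# sibling paths such as `/restricted` or `/rest-something`.

# Allow topics
# The `topics` argument of the event endpoint trips 942100 (libinjection SQLi detection).
# Only that one argument on that one endpoint is excluded; every other argument and every
# other path keeps the full rule set.
SecRule REQUEST_FILENAME "@rx ^/rest/events(?:/|$)" \
    "id:93010,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ver:'openhab-proxy-rule-exclusions-plugin/1.0.0',\
    ctl:ruleRemoveTargetById=942100;ARGS:topics"

# Allow rest API methods and content types
# Appends to the allow-lists initialized above (or by crs-setup.conf): the REST API is
# driven with PUT/DELETE and `text/plain` request bodies, neither of which the CRS
# defaults permit. The macro expansion keeps the existing entries.
SecRule REQUEST_FILENAME "@rx ^/rest(?:/|$)" \
    "id:93011,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ver:'openhab-proxy-rule-exclusions-plugin/1.0.0',\
    setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT DELETE',\
    setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/plain|'"

# Disable CRS rule 920220 (URL encoding abuse: invalid %-encoding in the request URI), as %
# is often included in value formats sent to the REST API.
#
# NOTE(review): scoped to the REST API paths like the other exclusions. The previous version
# of this rule (`SecRule WEBAPPID "@unconditionalMatch"`) switched 920220 off for every request
# to the vhost, which also removed the check from paths that have no reason to carry a raw `%`.
# Widen the path match only if other openHAB paths demonstrably need it.
SecRule REQUEST_FILENAME "@rx ^/rest(?:/|$)" \
    "id:93020,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ver:'openhab-proxy-rule-exclusions-plugin/1.0.0',\
    ctl:ruleRemoveById=920220"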