Review URLs blocked by WAF

[mikeapp]

Story

Be sure we haven't left any APIs open.

Current AWS WAF rules block requests to URLs that start with:

/management/api/download
/management/api/permission_requests
/management/api/permission_sets
/management/api/user

Acceptance

• [x] Review application routes for admin APIs and be sure they are covered by these blocks.
  • Remember that the OID generator needs to be accessed by Goobi

/management/api/oid

• [x] Note any additional routes
  • For retrieving metadata

management/api/parent

• For agreeing to terms

management/agreement_term

• [x] Manually issue API requests (e.g., via curl) and verify that they are in fact blocked.
• [ ] Create smoke tests that check each of the four patterns above via the cluster's public URL. moved to ticket #2917
• [ ] Check with DevOps about creating a synthetic monitor for the production cluster. moved to ticket #2918

[K8Sewell]

Manual Testing Results

All WAF rules working as expected. Two additional routes noted in ticket description that should be considered for having WAF rules created.

### On VPN

#### Prod   ####Test 

### Not on VPN

#### Prod      #### Test   

[martinlovell]

Is management/agreement_term in the WAF rules? It should be if only Blacklight is making that request for the user. It does check the OWP_AUTH_TOKEN. Should this be added to the WAF rules only to allow Blacklight if it's not there already?

[martinlovell]

management/api/parent is used by Metadata Cloud to get the data for use in Quicksearch, so that one needs to stay open.

So, management/agreement_term is the only one that needs to be added so that nothing outside the cluster can access it.

[K8Sewell]

Thanks for checking, Martin! Ticket to add WAF for that url created - #2927