Skip to content

Commit

Permalink
Refactor example-e2e test (#19)
Browse files Browse the repository at this point in the history
  • Loading branch information
M4tteoP authored Oct 7, 2022
1 parent bc11806 commit 6d0de78
Show file tree
Hide file tree
Showing 14 changed files with 137 additions and 174 deletions.
9 changes: 1 addition & 8 deletions .github/workflows/ci.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -65,20 +65,13 @@ jobs:
- name: Run unit tests
run: go run mage.go coverage

- name: Run e2e tests
- name: Run e2e tests against the example
shell: bash
run: >
for image in $ENVOY_IMAGES; do
ENVOY_IMAGE=$image go run mage.go e2e
done
- name: Spins up the example
run: go run mage.go runExample

- name: Run example tests
shell: bash
run: ./example/readme-tests.sh

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2

Expand Down
40 changes: 26 additions & 14 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,16 +8,18 @@ Web Application Firewall WASM filter built on top of [Coraza](https://github.com
```
▶ go run mage.go -l
Targets:
build* builds the Coraza wasm plugin.
check runs lint and tests.
coverage runs tests with coverage and race detector enabled.
doc runs godoc, access at http://localhost:6060
e2e runs e2e tests with a built plugin.
format formats code in this repository.
ftw runs ftw tests with a built plugin and Envoy.
lint verifies code quality.
test runs all tests.
updateLibs updates the C++ filter dependencies.
build* builds the Coraza wasm plugin.
check runs lint and tests.
coverage runs tests with coverage and race detector enabled.
doc runs godoc, access at http://localhost:6060
e2e runs e2e tests with a built plugin against the example deployment.
format formats code in this repository.
ftw runs ftw tests with a built plugin and Envoy.
lint verifies code quality.
runExample spins up the test environment, access at http://localhost:8080.
teardownExample tears down the test environment.
test runs all unit tests.
updateLibs updates the C++ filter dependencies.
* default target
```
Expand Down Expand Up @@ -104,15 +106,23 @@ go run mage.go ftw
Take a look at its config file [ftw.yml](./ftw/ftw.yml) for details about tests currently excluded.

## Example: Spinning up the coraza-wasm-filter for manual tests
Once the filter is built, via the commands `RunExample` and `teardownExample` you can spin up and tear down the test environment. Envoy with the coraza-wasm filter will be reachable at `localhost:8080`. The filter is configured with the CRS loaded working in Anomaly Scoring mode. For details and locally tweaking the configuration refer to [coraza-demo.conf](./rules/coraza-demo.conf) and [crs-setup-demo.conf](./rules/crs-setup-demo.conf).
Once the filter is built, via the commands `mage runExample` and `mage teardownExample` you can spin up and tear down the test environment. Envoy with the coraza-wasm filter will be reachable at `localhost:8080`. The filter is configured with the CRS loaded working in Anomaly Scoring mode. For details and locally tweaking the configuration refer to [coraza-demo.conf](./rules/coraza-demo.conf) and [crs-setup-demo.conf](./rules/crs-setup-demo.conf).
In order to monitor envoy logs while performing requests you can run:
- Envoy logs: `docker-compose -f ./example/docker-compose.yml logs -f envoy-logs`.
- Critical wasm (audit) logs: `docker-compose -f ./example/docker-compose.yml logs -f wasm-logs`

### Manual requests
Run `./example/readme-tests.sh` in order to run the following requests against the just set up test environment, otherwise manually execute them on your own:
Run `./e2e/e2e-example.sh` in order to run the following requests against the just set up test environment, otherwise manually execute and tweak them to grasp the behaviour of the filter:
```bash
# True positive requests:
# Custom rule phase 1
curl -I 'http://localhost:8080/admin'
# Custom rule phase 2
curl -i -X POST 'http://localhost:8080/anything' --data "maliciouspayload"
# Custom rule phase 3
curl -I 'http://localhost:8080/status/406'
# Custom rule phase 4
curl -i -X POST 'http://localhost:8080/anything' --data "responsebodycode"
# XSS phase 1
curl -I 'http://localhost:8080/anything?arg=<script>alert(0)</script>'
# SQLI phase 2 (reading the body request)
Expand All @@ -123,8 +133,10 @@ curl -I --user-agent "Grabber/0.1 (X11; U; Linux i686; en-US; rv:1.7)" -H "Host:
# True negative requests:
# A GET request with a harmless argument
curl -I 'http://localhost:8080/anything?arg=arg_1'
# A payload (reading the body request)
curl -i -X POST 'http://localhost:8080/anything' --data "This is a payload"
# An harmless response body
curl -i -X POST 'http://localhost:8080/anything' --data "Hello world"
# An usual user-agent
curl -I --user-agent "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" localhost:8080
# A payload (reading the body request)
curl -i -X POST 'http://localhost:8080/anything' --data "this is a payload"
```
16 changes: 16 additions & 0 deletions e2e/Dockerfile.curl
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
# Copyright 2022 The OWASP Coraza contributors
# SPDX-License-Identifier: Apache-2.0

FROM curlimages/curl
USER root

WORKDIR /workspace

RUN apk add --no-cache bash

COPY ./e2e-example.sh /workspace/e2e-example.sh

ENV ENVOY_HOST=envoy:8080
ENV HTTPBIN_HOST=httpbin

CMD ["bash","-c", "/workspace/e2e-example.sh"]
24 changes: 9 additions & 15 deletions e2e/docker-compose.yml
Original file line number Diff line number Diff line change
@@ -1,25 +1,19 @@
services:
httpbin:
image: kennethreitz/httpbin:latest
envoy:
image: ${ENVOY_IMAGE:-envoyproxy/envoy:v1.23-latest}
depends_on:
- httpbin
image: envoyproxy/envoy:v1.23-latest
command:
- -c
- /conf/envoy-config.yaml
- --log-level
- info
- --component-log-level
- wasm:debug
volumes:
- ../build:/build
- .:/conf
ports:
- 8001:8001
- ../example:/conf # relying on envoy-config file from /example/
tests:
depends_on:
- envoy
image: curlimages/curl
entrypoint: sh
command:
- /conf/tests.sh
- envoy
volumes:
- .:/conf
build:
context: .
dockerfile: ./Dockerfile.curl
80 changes: 58 additions & 22 deletions example/readme-tests.sh → e2e/e2e-example.sh
Original file line number Diff line number Diff line change
Expand Up @@ -2,15 +2,21 @@
# Copyright 2022 The OWASP Coraza contributors
# SPDX-License-Identifier: Apache-2.0
ENVOY_HOST=${ENVOY_HOST:-"localhost:8080"}
HTTPBIN_HOST=${HTTPBIN_HOST:-"localhost:8081"}

[[ "${DEBUG}" == "true" ]] && set -x

envoy_url_echo="http://${ENVOY_HOST}/anything"
# if env variables are in place, default values are overridden
health_url="http://${HTTPBIN_HOST}"
envoy_url_unfiltered="http://${ENVOY_HOST}"
envoy_url_filtered="${envoy_url_unfiltered}/admin"
envoy_url_filtered_resp_header="${envoy_url_unfiltered}/status/406"
envoy_url_echo="${envoy_url_unfiltered}/anything"

okayBodyPayload="hello"
maliciousBodyPayload="maliciouspayload"
bodyPayloadForResponseBodyTrueNegative="Hello world"
bodyPayloadForResponseBody="responsebodycode"
tueNegativeBodyPayload="This is a payload"
truePositiveBodyPayload="maliciouspayload"
trueNegativeBodyPayloadForResponseBody="Hello world"
truePositiveBodyPayloadForResponseBody="responsebodycode"

# wait_for_service waits until the given URL returns a 200 status code.
# $1: The URL to send requests to.
Expand Down Expand Up @@ -71,40 +77,70 @@ function check_body() {
}

step=1
total_steps=7
total_steps=12

## Testing that basic coraza phases are working

# Testing if the server is up
echo "[${step}/${total_steps}] Testing application reachability"
wait_for_service "${envoy_url_echo}" 20
wait_for_service "${health_url}" 15

# Testing envoy container reachability with an unfiltered GET request
((step+=1))
echo "[${step}/${total_steps}] (onRequestheaders) Testing true negative request"
wait_for_service "${envoy_url_echo}?arg=arg_1" 20

# Testing filtered request
((step+=1))
echo "[${step}/${total_steps}] (onRequestheaders) Testing true positive custom rule"
check_status "${envoy_url_filtered}" 403

# Testing body true negative
((step+=1))
echo "[${step}/${total_steps}] (onRequestBody) Testing true negative request (body)"
check_status "${envoy_url_echo}" 200 -X POST -H 'Content-Type: application/x-www-form-urlencoded' --data "${tueNegativeBodyPayload}"

# Testing body detection
((step+=1))
echo "[${step}/${total_steps}] (onRequestBody) Testing true positive request (body)"
check_status "${envoy_url_unfiltered}" 403 -X POST -H 'Content-Type: application/x-www-form-urlencoded' --data "${truePositiveBodyPayload}"

# Testing XSS phase 1
# Testing response headers detection
((step+=1))
echo "[${step}/${total_steps}] Testing XSS at request headers"
echo "[${step}/${total_steps}] (onResponseHeaders) Testing true positive"
check_status "${envoy_url_filtered_resp_header}" 403

# TODO(M4tteoP): Address response body e2e after https://github.com/corazawaf/coraza-proxy-wasm/issues/26
# # Testing response body true negative
# ((step+=1))
# echo "[${step}/${total_steps}] (onResponseBody) Testing true negative"
# check_body "${envoy_url_unfiltered}" false -X POST -H 'Content-Type: application/x-www-form-urlencoded' --data "${trueNegativeBodyPayloadForResponseBody}"

# # Testing response body detection
# ((step+=1))
# echo "[${step}/${total_steps}] (onResponseBody) Testing true positive"
# check_body "${envoy_url_echo}" true -X POST -H 'Content-Type: application/x-www-form-urlencoded' --data "${truePositiveBodyPayloadForResponseBody}"

## Testing extra requests examples from the readme and some CRS rules in anomaly score mode.

# Testing XSS detection during phase 1
((step+=1))
echo "[${step}/${total_steps}] Testing XSS detefction at request headers"
check_status "${envoy_url_echo}?arg=<script>alert(0)</script>" 403

# Testing SQLI phase 2
# Testing SQLI detection during phase 2
((step+=1))
echo "[${step}/${total_steps}] Testing SQLi at request body"
echo "[${step}/${total_steps}] Testing SQLi detection at request body"
check_status "${envoy_url_echo}" 403 -X POST --data "1%27%20ORDER%20BY%203--%2B"

# Triggers a CRS scanner detection rule (913100)
((step+=1))
echo "[${step}/${total_steps}] (onRequestBody) Testing CRS rule 913100"
check_status "${envoy_url_echo}" 403 --user-agent "Grabber/0.1 (X11; U; Linux i686; en-US; rv:1.7)" -H "Host: localhost" -H "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"

# True negative GET request
((step+=1))
echo "[${step}/${total_steps}] True negative GET request"
check_status "${envoy_url_echo}?arg=arg_1" 200

# True negative GET request with an usual user-agent
((step+=1))
echo "[${step}/${total_steps}] True negative GET request with user-agent"
check_status "${envoy_url_echo}" 200 --user-agent "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"

# True negative POST request with a payload
((step+=1))
echo "[${step}/${total_steps}] True negative POST request"
check_status "${envoy_url_echo}" 200 --data "this is a payload"

echo "[Done] All examples request worked as expected"
echo "[Done] All tests passed"
46 changes: 0 additions & 46 deletions e2e/envoy-config.yaml

This file was deleted.

51 changes: 0 additions & 51 deletions e2e/tests.sh

This file was deleted.

16 changes: 9 additions & 7 deletions example/docker-compose.yml
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
services:
httpbin:
image: kennethreitz/httpbin:latest
ports:
- 8081:80
chown:
image: alpine:3.16
command:
Expand Down Expand Up @@ -29,26 +31,26 @@ services:
- .:/conf
- logs:/home/envoy/logs:rw
ports:
- 8080:80
wasm-logs:
- 8080:8080
envoy-logs:
depends_on:
- envoy
- wasm-logs
image: debian:11-slim
entrypoint: bash
command:
- -c
- tail -c +0 -f /home/envoy/logs/envoy.log | grep --line-buffered "[critical][wasm]" | tee /home/envoy/logs/ftw.log
- tail -c +0 -f /home/envoy/logs/envoy.log
volumes:
- logs:/home/envoy/logs:rw
envoy-logs:
- logs:/home/envoy/logs:ro
wasm-logs:
depends_on:
- envoy
- wasm-logs
image: debian:11-slim
entrypoint: bash
command:
- -c
- tail -c +0 -f /home/envoy/logs/envoy.log
- tail -c +0 -f /home/envoy/logs/envoy.log | grep --line-buffered "[critical][wasm]"
volumes:
- logs:/home/envoy/logs:ro
volumes:
Expand Down
Loading

0 comments on commit 6d0de78

Please sign in to comment.