Refactor example-e2e test (envoyproxy#19)

.github/workflows/ci.yaml

@@ -65,20 +65,13 @@ jobs:
       - name: Run unit tests
         run: go run mage.go coverage
 
-      - name: Run e2e tests
+      - name: Run e2e tests against the example
         shell: bash
         run: >
           for image in $ENVOY_IMAGES; do
               ENVOY_IMAGE=$image go run mage.go e2e
           done
 
-      - name: Spins up the example
-        run: go run mage.go runExample
-
-      - name: Run example tests
-        shell: bash
-        run: ./example/readme-tests.sh
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
 

README.md

@@ -8,16 +8,18 @@ Web Application Firewall WASM filter built on top of [Coraza](https://github.com
 ```
 ▶ go run mage.go -l
 Targets:
-  build*        builds the Coraza wasm plugin.
-  check         runs lint and tests.
-  coverage      runs tests with coverage and race detector enabled.
-  doc           runs godoc, access at http://localhost:6060
-  e2e           runs e2e tests with a built plugin.
-  format        formats code in this repository.
-  ftw           runs ftw tests with a built plugin and Envoy.
-  lint          verifies code quality.
-  test          runs all tests.
-  updateLibs    updates the C++ filter dependencies.
+  build*             builds the Coraza wasm plugin.
+  check              runs lint and tests.
+  coverage           runs tests with coverage and race detector enabled.
+  doc                runs godoc, access at http://localhost:6060
+  e2e                runs e2e tests with a built plugin against the example deployment.
+  format             formats code in this repository.
+  ftw                runs ftw tests with a built plugin and Envoy.
+  lint               verifies code quality.
+  runExample         spins up the test environment, access at http://localhost:8080.
+  teardownExample    tears down the test environment.
+  test               runs all unit tests.
+  updateLibs         updates the C++ filter dependencies.
 
 * default target
 ```
@@ -104,15 +106,23 @@ go run mage.go ftw
 Take a look at its config file [ftw.yml](./ftw/ftw.yml) for details about tests currently excluded.
 
 ## Example: Spinning up the coraza-wasm-filter for manual tests
-Once the filter is built, via the commands `RunExample` and `teardownExample` you can spin up and tear down the test environment. Envoy with the coraza-wasm filter will be reachable at `localhost:8080`. The filter is configured with the CRS loaded working in Anomaly Scoring mode. For details and locally tweaking the configuration refer to [coraza-demo.conf](./rules/coraza-demo.conf) and [crs-setup-demo.conf](./rules/crs-setup-demo.conf).
+Once the filter is built, via the commands `mage runExample` and `mage teardownExample` you can spin up and tear down the test environment. Envoy with the coraza-wasm filter will be reachable at `localhost:8080`. The filter is configured with the CRS loaded working in Anomaly Scoring mode. For details and locally tweaking the configuration refer to [coraza-demo.conf](./rules/coraza-demo.conf) and [crs-setup-demo.conf](./rules/crs-setup-demo.conf).
 In order to monitor envoy logs while performing requests you can run:
 - Envoy logs: `docker-compose -f ./example/docker-compose.yml logs -f envoy-logs`.
 - Critical wasm (audit) logs: `docker-compose -f ./example/docker-compose.yml logs -f wasm-logs`
 
 ### Manual requests
-Run `./example/readme-tests.sh` in order to run the following requests against the just set up test environment, otherwise manually execute them on your own:
+Run `./e2e/e2e-example.sh` in order to run the following requests against the just set up test environment, otherwise manually execute and tweak them to grasp the behaviour of the filter:
 ```bash
 # True positive requests:
+# Custom rule phase 1
+curl -I 'http://localhost:8080/admin'
+# Custom rule phase 2
+curl -i -X POST 'http://localhost:8080/anything' --data "maliciouspayload"
+# Custom rule phase 3
+curl -I 'http://localhost:8080/status/406'
+# Custom rule phase 4
+curl -i -X POST 'http://localhost:8080/anything' --data "responsebodycode"
 # XSS phase 1
 curl -I 'http://localhost:8080/anything?arg=<script>alert(0)</script>'
 # SQLI phase 2 (reading the body request)
@@ -123,8 +133,10 @@ curl -I --user-agent "Grabber/0.1 (X11; U; Linux i686; en-US; rv:1.7)" -H "Host:
 # True negative requests:
 # A GET request with a harmless argument
 curl -I 'http://localhost:8080/anything?arg=arg_1'
+# A payload (reading the body request)
+curl -i -X POST 'http://localhost:8080/anything' --data "This is a payload"
+# An harmless response body
+curl -i -X POST 'http://localhost:8080/anything' --data "Hello world"
 # An usual user-agent
 curl -I --user-agent "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" localhost:8080
-# A payload (reading the body request)
-curl -i -X POST 'http://localhost:8080/anything' --data "this is a payload"
 ```

e2e/Dockerfile.curl

@@ -0,0 +1,16 @@
+# Copyright 2022 The OWASP Coraza contributors
+# SPDX-License-Identifier: Apache-2.0
+
+FROM curlimages/curl
+USER root
+
+WORKDIR /workspace
+
+RUN apk add --no-cache bash
+
+COPY ./e2e-example.sh /workspace/e2e-example.sh
+
+ENV ENVOY_HOST=envoy:8080
+ENV HTTPBIN_HOST=httpbin
+
+CMD ["bash","-c", "/workspace/e2e-example.sh"]

e2e/docker-compose.yml

@@ -1,25 +1,19 @@
 services:
+  httpbin:
+    image: kennethreitz/httpbin:latest
   envoy:
-    image: ${ENVOY_IMAGE:-envoyproxy/envoy:v1.23-latest}
+    depends_on:
+      - httpbin
+    image: envoyproxy/envoy:v1.23-latest
     command:
       - -c
       - /conf/envoy-config.yaml
-      - --log-level
-      - info
-      - --component-log-level
-      - wasm:debug
     volumes:
       - ../build:/build
-      - .:/conf
-    ports:
-      - 8001:8001
+      - ../example:/conf  # relying on envoy-config file from /example/
   tests:
     depends_on:
       - envoy
-    image: curlimages/curl
-    entrypoint: sh
-    command:
-      - /conf/tests.sh
-      - envoy
-    volumes:
-      - .:/conf
+    build:
+      context: .
+      dockerfile: ./Dockerfile.curl

example/readme-tests.sh → e2e/e2e-example.sh

@@ -2,15 +2,21 @@
 # Copyright 2022 The OWASP Coraza contributors
 # SPDX-License-Identifier: Apache-2.0
 ENVOY_HOST=${ENVOY_HOST:-"localhost:8080"}
+HTTPBIN_HOST=${HTTPBIN_HOST:-"localhost:8081"}
 
 [[ "${DEBUG}" == "true" ]] && set -x
 
-envoy_url_echo="http://${ENVOY_HOST}/anything"
+# if env variables are in place, default values are overridden
+health_url="http://${HTTPBIN_HOST}"
+envoy_url_unfiltered="http://${ENVOY_HOST}"
+envoy_url_filtered="${envoy_url_unfiltered}/admin"
+envoy_url_filtered_resp_header="${envoy_url_unfiltered}/status/406"
+envoy_url_echo="${envoy_url_unfiltered}/anything"
 
-okayBodyPayload="hello"
-maliciousBodyPayload="maliciouspayload"
-bodyPayloadForResponseBodyTrueNegative="Hello world"
-bodyPayloadForResponseBody="responsebodycode"
+tueNegativeBodyPayload="This is a payload"
+truePositiveBodyPayload="maliciouspayload"
+trueNegativeBodyPayloadForResponseBody="Hello world"
+truePositiveBodyPayloadForResponseBody="responsebodycode"
 
 # wait_for_service waits until the given URL returns a 200 status code.
 # $1: The URL to send requests to.
@@ -71,40 +77,70 @@ function check_body() {
 }
 
 step=1
-total_steps=7
+total_steps=12
+
+## Testing that basic coraza phases are working
 
 # Testing if the server is up
 echo "[${step}/${total_steps}] Testing application reachability"
-wait_for_service "${envoy_url_echo}" 20
+wait_for_service "${health_url}" 15
+
+# Testing envoy container reachability with an unfiltered GET request
+((step+=1))
+echo "[${step}/${total_steps}] (onRequestheaders) Testing true negative request"
+wait_for_service "${envoy_url_echo}?arg=arg_1" 20
+
+# Testing filtered request
+((step+=1))
+echo "[${step}/${total_steps}] (onRequestheaders) Testing true positive custom rule"
+check_status "${envoy_url_filtered}" 403
+
+# Testing body true negative
+((step+=1))
+echo "[${step}/${total_steps}] (onRequestBody) Testing true negative request (body)"
+check_status "${envoy_url_echo}" 200 -X POST -H 'Content-Type: application/x-www-form-urlencoded' --data "${tueNegativeBodyPayload}"
+
+# Testing body detection
+((step+=1))
+echo "[${step}/${total_steps}] (onRequestBody) Testing true positive request (body)"
+check_status "${envoy_url_unfiltered}" 403 -X POST -H 'Content-Type: application/x-www-form-urlencoded' --data "${truePositiveBodyPayload}"
 
-# Testing XSS phase 1
+# Testing response headers detection
 ((step+=1))
-echo "[${step}/${total_steps}] Testing XSS at request headers"
+echo "[${step}/${total_steps}] (onResponseHeaders) Testing true positive"
+check_status "${envoy_url_filtered_resp_header}" 403
+
+# TODO(M4tteoP): Address response body e2e after https://github.com/corazawaf/coraza-proxy-wasm/issues/26
+# # Testing response body true negative
+# ((step+=1))
+# echo "[${step}/${total_steps}] (onResponseBody) Testing true negative"
+# check_body "${envoy_url_unfiltered}" false -X POST -H 'Content-Type: application/x-www-form-urlencoded' --data "${trueNegativeBodyPayloadForResponseBody}"
+
+# # Testing response body detection
+# ((step+=1))
+# echo "[${step}/${total_steps}] (onResponseBody) Testing true positive"
+# check_body "${envoy_url_echo}" true -X POST -H 'Content-Type: application/x-www-form-urlencoded' --data "${truePositiveBodyPayloadForResponseBody}"
+
+## Testing extra requests examples from the readme and some CRS rules in anomaly score mode.
+
+# Testing XSS detection during phase 1
+((step+=1))
+echo "[${step}/${total_steps}] Testing XSS detefction at request headers"
 check_status "${envoy_url_echo}?arg=<script>alert(0)</script>" 403
 
-# Testing SQLI phase 2
+# Testing SQLI detection during phase 2
 ((step+=1))
-echo "[${step}/${total_steps}] Testing SQLi at request body"
+echo "[${step}/${total_steps}] Testing SQLi detection at request body"
 check_status "${envoy_url_echo}" 403 -X POST --data "1%27%20ORDER%20BY%203--%2B"
 
 # Triggers a CRS scanner detection rule (913100)
 ((step+=1))
 echo "[${step}/${total_steps}] (onRequestBody) Testing CRS rule 913100"
 check_status "${envoy_url_echo}" 403 --user-agent "Grabber/0.1 (X11; U; Linux i686; en-US; rv:1.7)" -H "Host: localhost" -H "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
 
-# True negative GET request
-((step+=1))
-echo "[${step}/${total_steps}] True negative GET request"
-check_status "${envoy_url_echo}?arg=arg_1" 200
-
 # True negative GET request with an usual user-agent
 ((step+=1))
 echo "[${step}/${total_steps}] True negative GET request with user-agent"
 check_status "${envoy_url_echo}" 200 --user-agent "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
 
-# True negative POST request with a payload
-((step+=1))
-echo "[${step}/${total_steps}] True negative POST request"
-check_status "${envoy_url_echo}" 200 --data "this is a payload"
-
-echo "[Done] All examples request worked as expected"
+echo "[Done] All tests passed"

example/docker-compose.yml

@@ -1,6 +1,8 @@
 services:
   httpbin:
     image: kennethreitz/httpbin:latest
+    ports:
+      - 8081:80
   chown:
     image: alpine:3.16
     command:
@@ -29,26 +31,26 @@ services:
       - .:/conf
       - logs:/home/envoy/logs:rw
     ports:
-      - 8080:80
-  wasm-logs:
+      - 8080:8080
+  envoy-logs:
     depends_on:
       - envoy
+      - wasm-logs
     image: debian:11-slim
     entrypoint: bash
     command:
       - -c
-      - tail -c +0 -f /home/envoy/logs/envoy.log | grep --line-buffered "[critical][wasm]" | tee /home/envoy/logs/ftw.log
+      - tail -c +0 -f /home/envoy/logs/envoy.log
     volumes:
-      - logs:/home/envoy/logs:rw
-  envoy-logs:
+      - logs:/home/envoy/logs:ro
+  wasm-logs:
     depends_on:
       - envoy
-      - wasm-logs
     image: debian:11-slim
     entrypoint: bash
     command:
       - -c
-      - tail -c +0 -f /home/envoy/logs/envoy.log
+      - tail -c +0 -f /home/envoy/logs/envoy.log | grep --line-buffered "[critical][wasm]"
     volumes:
       - logs:/home/envoy/logs:ro
 volumes: