-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathe2e_test.go
102 lines (84 loc) · 3.33 KB
/
e2e_test.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
//go:build e2e
// +build e2e
package main_test
import (
"bytes"
"context"
_ "embed"
"fmt"
"net/http"
"net/http/httptest"
"testing"
"github.com/corazawaf/coraza/v3/http/e2e"
"github.com/http-wasm/http-wasm-host-go/api"
"github.com/http-wasm/http-wasm-host-go/handler"
nethttp "github.com/http-wasm/http-wasm-host-go/handler/nethttp"
"github.com/mccutchen/go-httpbin/v2/httpbin"
"github.com/stretchr/testify/require"
"github.com/tetratelabs/wazero"
)
// testCtx is an arbitrary, non-default context. Non-nil also prevents linter errors.
var testCtx = context.WithValue(context.Background(), struct{}{}, "arbitrary")
//go:embed build/coraza-http-wasm.wasm
var guest []byte
const directives = `
SecRuleEngine On
SecResponseBodyAccess On
SecResponseBodyMimeType application/json
# Custom rule for Coraza config check (ensuring that these configs are used)
SecRule &REQUEST_HEADERS:coraza-e2e "@eq 0" "id:100,phase:1,deny,status:424,log,msg:'Coraza E2E - Missing header'"
# Custom rules for e2e testing
SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,t:lowercase,log,deny"
SecRule REQUEST_BODY "@rx maliciouspayload" "id:102,phase:2,t:lowercase,log,deny"
SecRule RESPONSE_HEADERS:pass "@rx leak" "id:103,phase:3,t:lowercase,log,deny"
SecRule RESPONSE_BODY "@contains responsebodycode" "id:104,phase:4,t:lowercase,log,deny"
# Custom rules mimicking the following CRS rules: 941100, 942100, 913100
SecRule ARGS_NAMES|ARGS "@detectXSS" "id:9411,phase:2,t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,log,deny"
SecRule ARGS_NAMES|ARGS "@detectSQLi" "id:9421,phase:2,t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,multiMatch,log,deny"
SecRule REQUEST_HEADERS:User-Agent "@pm grabber masscan" "id:9131,phase:1,t:none,log,deny"
SecRequestBodyAccess On
`
func TestE2E(t *testing.T) {
// TODO: replace this tests with coraza http tests
var stdoutBuf, stderrBuf bytes.Buffer
moduleConfig := wazero.NewModuleConfig().WithStdout(&stdoutBuf).WithStderr(&stderrBuf)
// Configure and compile the WebAssembly guest binary.
mw, err := nethttp.NewMiddleware(testCtx, guest,
handler.Logger(testLogger{t}),
handler.ModuleConfig(moduleConfig),
handler.GuestConfig([]byte(fmt.Sprintf("{\"directives\": [ %q ]}", directives))),
)
if err != nil {
t.Fatalf("failed to create middlware: %v", err)
}
defer mw.Close(testCtx)
httpbin := httpbin.New()
// Wrap the test handler with one implemented in WebAssembly.
wrapped := mw.NewHandler(testCtx, httpbin)
require.NoError(t, err)
mux := http.NewServeMux()
mux.Handle("/status/200", httpbin) // Health check
mux.Handle("/", wrapped)
// Create the server with the WAF and the reverse proxy.
ts := httptest.NewServer(mux)
defer ts.Close()
err = e2e.Run(e2e.Config{
ProxiedEntrypoint: ts.URL,
HttpbinEntrypoint: ts.URL,
})
require.NoError(t, err)
}
// testLogger is a api.Logger implementation for testing purposes.
type testLogger struct{ t *testing.T }
var _ api.Logger = testLogger{}
func (l testLogger) IsEnabled(_ api.LogLevel) bool { return l.t != nil }
var levels = map[api.LogLevel]string{
api.LogLevelDebug: "Debug",
api.LogLevelInfo: "Info",
api.LogLevelWarn: "Warn",
api.LogLevelError: "Error",
api.LogLevelNone: "None",
}
func (l testLogger) Log(_ context.Context, lvl api.LogLevel, msg string) {
l.t.Log("[" + levels[lvl] + "] " + msg)
}