chore(deps): updates tests to CRS v4.5 and Albedo as backend

README.md

@@ -85,7 +85,7 @@ go run mage.go test
 
 ## Using OWASP Core Ruleset
 
-You can load OWASP CRS by passing the field `load_owasp_crs` and then load the CRS files in the directives as described in the [coraza-coreruleset](https://github.com/corazawaf/coraza-coreruleset) documentation.
+You can load OWASP CRS by passing the field `load_owasp_crs` and then load the CRS files in the directives as described in the [coraza-coreruleset](https://github.com/corazawaf/coraza-coreruleset/v4) documentation.
 
 ```caddy
 :8080 {

coraza.go

@@ -13,7 +13,7 @@ import (
 	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
 	"github.com/caddyserver/caddy/v2/caddyconfig/httpcaddyfile"
 	"github.com/caddyserver/caddy/v2/modules/caddyhttp"
-	coreruleset "github.com/corazawaf/coraza-coreruleset"
+	coreruleset "github.com/corazawaf/coraza-coreruleset/v4"
 	"github.com/corazawaf/coraza/v3"
 	"github.com/corazawaf/coraza/v3/types"
 	"github.com/jcchavezs/mergefs"

ftw/Caddyfile

@@ -50,5 +50,5 @@
 		Include @owasp_crs/*.conf
 		`
 	}
-	reverse_proxy httpbin:8081
+	reverse_proxy backend:8081
 }

ftw/Dockerfile.ftw

@@ -8,14 +8,13 @@ RUN apk update && apk add curl
 WORKDIR /workspace
 
 # TODOs: 
-# - update when new CRS version is tagged: https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.0.0-rc1.tar.gz
-# - keep it aligned with the https://github.com/corazawaf/coraza-coreruleset commit used
-ADD https://github.com/coreruleset/coreruleset/tarball/477d8c3431d042294af2651f08d63d10b6f3fd60 /workspace/coreruleset/
-RUN cd coreruleset && tar -xf 477d8c3431d042294af2651f08d63d10b6f3fd60 --strip-components 1
+# - update when new CRS version is tagged: https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.5.0.tar.gz
+# - keep it aligned with the github.com/corazawaf/coraza-coreruleset/v4 dependency version used
+ADD https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.5.0.tar.gz /workspace/coreruleset/
+RUN cd coreruleset && tar -xf v4.5.0.tar.gz --strip-components 1
 
 COPY ftw.yml /workspace/ftw.yml
 COPY tests.sh /workspace/tests.sh
 
 ENTRYPOINT ["sh"]
 CMD ["-c", "/workspace/tests.sh"]
-

ftw/docker-compose.yml

@@ -1,7 +1,7 @@
 services:
-  httpbin:
-    image: mccutchen/go-httpbin:v2.14.0
-    command: [ "/bin/go-httpbin", "-port", "8081" ]
+  backend:
+    image: ghcr.io/coreruleset/albedo:0.0.15
+    command: ["--port", "8081"]
     ports:
       - 8081:8081
 
@@ -10,13 +10,14 @@ services:
     command:
       - /bin/sh
       - -c
-      - chown -R 101:101 /home/caddy/logs
+      - touch /home/caddy/logs/caddy.log && chown -R 101:101 /home/caddy/logs
     volumes:
       - logs:/home/caddy/logs:rw
+
   caddy:
     depends_on:
       - chown
-      - httpbin
+      - backend
     build:
       context: ..
       dockerfile: ./ftw/Dockerfile.caddy
@@ -26,6 +27,7 @@ services:
       - logs:/home/caddy/logs:rw
     ports:
       - 8080:8080
+
   coraza-logs:
     depends_on:
       - caddy
@@ -36,6 +38,7 @@ services:
       - tail -c +0 -f /home/caddy/logs/caddy.log | grep --line-buffered "http.handlers.waf" > /home/caddy/logs/ftw.log
     volumes:
       - logs:/home/caddy/logs:rw
+
   caddy-logs:
     depends_on:
       - caddy
@@ -47,6 +50,7 @@ services:
     volumes:
       - logs:/home/caddy/logs:ro
       - ../build:/build
+
   ftw:
     depends_on:
       - caddy-logs

ftw/ftw.yml

@@ -10,24 +10,12 @@ testoverride:
     920100-4: 'Invalid uri, Coraza not reached - 404 page not found'
     920100-5: 'Invalid uri, Coraza not reached - 404 page not found'
     920100-8: 'Go/http allows a colon in the path. Test expects status 400 or 403 (Apache behaviour)'
-    920170-3: 'HEAD request with data. Go/http does not allow it - 400 Bad Request'
     920270-4: 'Rule works, log contains 920270. Test expects status 400 (Apache behaviour)'
-    920272-5: 'Rule works, log contains 920272. Test expects status 400 (Apache behaviour)'
     920290-1: 'Rule works, log contains 920290. Test expects status 400 (Apache behaviour)'
-    920420-8: 'HEAD request with data. Go/http does not allow it - 400 Bad Request'
     920430-5: 'Test has expect_error, Go/http and Envoy return 400'
     920430-8: 'Go/http does no allow HTTP/3.0 - 505 HTTP Version Not Supported'
 
     # TODO investigate failing tests:
-    913100-3: ''
-    913100-6: ''
-    913101-1: ''
-    913102-1: ''
-    913110-1: ''
-    913110-2: ''
-    913120-1: ''
-    913120-2: ''
-    913120-3: ''
     920100-10: ''
     920100-14: ''
     920100-16: ''
@@ -42,15 +30,14 @@ testoverride:
     920200-6: ''
     920200-8: ''
     920201-1: ''
+    920201-2: ''
     920202-1: ''
+    920202-2: ''
     920210-2: ''
     920210-3: ''
     920210-4: ''
     920210-6: ''
     920210-7: ''
-    920220-1: ''
-    920220-4: ''
-    920220-5: ''
     920230-1: ''
     920240-1: ''
     920240-5: ''
@@ -61,7 +48,10 @@ testoverride:
     920250-4: ''
     920260-1: ''
     920260-3: ''
+    920274-1: ''
     920280-1: ''
+    920280-3: ''
+    920290-4: 'investigate, test related to empty host header'
     920300-1: ''
     920310-1: ''
     920310-4: ''
@@ -75,47 +65,14 @@ testoverride:
     920350-4: ''
     920350-5: ''
     920350-6: ''
-    920450-7: ''
-    932115-1: ''
-    932115-2: ''
-    932115-3: ''
-    932115-4: ''
-    932115-7: ''
-    932115-8: ''
-    932115-10: ''
-    932200-13: ''
-    942110-1: ''
-    942110-2: ''
+    920430-3: 'investigate, expect_error: true'
+    920430-9: ''
+    920610-2: ''
+    920620-1: ''
+    930110-7: ''
     942420-1: ''
     942421-1: ''
     942430-1: ''
     942431-1: ''
     942432-1: ''
     942460-1: ''
-    951110-1: ''
-    951120-1: ''
-    951130-1: ''
-    951140-1: ''
-    951150-1: ''
-    951160-1: ''
-    951170-1: ''
-    951180-1: ''
-    951190-1: ''
-    951200-1: ''
-    951210-1: ''
-    951220-1: ''
-    951230-1: ''
-    951240-1: ''
-    951250-1: ''
-    951260-1: ''
-    953120-1: ''
-    953120-3: ''
-    953120-5: ''
-    953120-7: ''
-    954120-1: ''
-    954120-2: ''
-    959100-1: ''
-    959100-3: ''
-    980170-1: ''
-    980170-2: ''
-    980170-3: ''

ftw/tests.sh

@@ -22,12 +22,13 @@ while [[ "$status_code" -eq "000" ]]; do
   let "max_retries--"
   if [[ "$max_retries" -eq 0 ]]; then
     echo "[Fail] Timeout waiting for response from $health_url, make sure the server is running."
-    echo "Caddy Logs:" && cat /home/envoy/logs/envoy.log
+    echo "Caddy Logs:" && cat /home/caddy/logs/caddy.log
     exit 1
   fi
 done
 if [[ "${status_code}" -ne "200" ]]; then
   echo "[Fail] Unexpected response with code ${status_code} from ${health_url}, expected 200."
+  echo "Caddy Logs:" && cat /home/caddy/logs/caddy.log
   exit 1
 fi
 echo -e "\n[Ok] Got status code $status_code, expected 200. Ready to start."

go.mod

@@ -6,7 +6,7 @@ toolchain go1.21.12
 
 require (
 	github.com/caddyserver/caddy/v2 v2.8.4
-	github.com/corazawaf/coraza-coreruleset v0.0.0-20230723190514-7bdcbcff3d5a
+	github.com/corazawaf/coraza-coreruleset/v4 v4.5.0
 	github.com/corazawaf/coraza/v3 v3.2.1
 	github.com/jcchavezs/mergefs v0.0.0-20230503083351-07f27d256761
 	github.com/magefile/mage v1.15.0

go.sum

@@ -97,8 +97,8 @@ github.com/chzyer/test v1.0.0 h1:p3BQDXSxOhOG0P9z6/hGnII4LGiEPOYBhs8asl/fC04=
 github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38GC8=
 github.com/cockroachdb/apd v1.1.0 h1:3LFP3629v+1aKXU5Q37mxmRxX/pIu1nijXydLShEq5I=
 github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ=
-github.com/corazawaf/coraza-coreruleset v0.0.0-20230723190514-7bdcbcff3d5a h1:Lkmz2UckkFg86P65Xzet+bkt8jPMwNbIUtq73Z5Te9w=
-github.com/corazawaf/coraza-coreruleset v0.0.0-20230723190514-7bdcbcff3d5a/go.mod h1:h7fBXlh00atH/uVC9Lpjawg/RlJCsHjvyVk+bP3ylq8=
+github.com/corazawaf/coraza-coreruleset/v4 v4.5.0 h1:4BDr9/yWKSJ7Ch3h7SvSqJBASju73+EqIIF0WxjsFgQ=
+github.com/corazawaf/coraza-coreruleset/v4 v4.5.0/go.mod h1:1FQt1p+JSQ6tYrafMqZrEEdDmhq6aVuIJdnk+bM9hMY=
 github.com/corazawaf/coraza/v3 v3.2.1 h1:zBIji4ut9FtFe8lXdqFwXMAkUoDJZ7HsOlEUYWERLI8=
 github.com/corazawaf/coraza/v3 v3.2.1/go.mod h1:fVndCGdUHJWl9c26VZPcORQRzUYwMPnRkC6TyTkhbUg=
 github.com/corazawaf/libinjection-go v0.2.1 h1:vNJ7L6c4xkhRgYU6sIO0Tl54TmeCQv/yfxBma30Dy/Y=

magefile.go

@@ -107,6 +107,7 @@ func Ftw() error {
 		"FTW_CLOUDMODE": os.Getenv("FTW_CLOUDMODE"),
 		"FTW_INCLUDE":   os.Getenv("FTW_INCLUDE"),
 	}
+
 	task := "ftw"
 	return sh.RunWithV(env, "docker", "compose", "--file", "ftw/docker-compose.yml", "run", "--rm", task)
 }
@@ -158,6 +159,10 @@ func BuildCaddyLinux() error {
 }
 
 func buildCaddy(goos string) error {
+	if err := sh.Run("which", "xcaddy"); err != nil {
+		return errors.New("xcaddy not found, install it with 'go install github.com/caddyserver/xcaddy/cmd/xcaddy'")
+	}
+
 	env := map[string]string{}
 	buildDir := "build/caddy"
 	if goos != "" {