corazawaf · jcchavezs · Sep 6, 2023 · Aug 24, 2023 · Aug 24, 2023 · Sep 6, 2023
@@ -12,12 +12,12 @@ on:
   workflow_dispatch:
 
 env:
-  GO_VERSION: 1.19
+  GO_VERSION: '1.20'
   TINYGO_VERSION: 0.28.1
   # Run e2e tests against latest two releases and latest dev
   ENVOY_IMAGES: >
+    envoyproxy/envoy:v1.27-latest
     envoyproxy/envoy:v1.26-latest
-    envoyproxy/envoy:v1.25-latest
     envoyproxy/envoy-dev:latest
 
 jobs:
@@ -70,13 +70,8 @@ jobs:
       - name: Run unit tests
         run: go run mage.go coverage
 
-      - name: Run e2e tests against the example
-        shell: bash
-        run: >
-          for image in $ENVOY_IMAGES; do
-              echo "Running e2e with Envoy image $image"
-              ENVOY_IMAGE=$image go run mage.go e2e
-          done
+      - name: Run e2e tests
+        run: go run mage.go e2e
 
       - name: Run regression tests (ftw)
         run: go run mage.go ftw

@@ -8,7 +8,7 @@ on:
     - cron: "0 4 * * *"
 
 env:
-  GO_VERSION: 1.19
+  GO_VERSION: '1.20'
   TINYGO_VERSION: 0.28.1
 
 jobs:

@@ -163,7 +163,7 @@ In order to monitor envoy logs while performing requests you can run:
 
 ### Manual requests
 
-Run `./e2e/e2e-example.sh` in order to run the following requests against the just set up test environment, otherwise manually execute and tweak them to grasp the behaviour of the filter:
+List of requests that can be manually executed and tweaked to grasp the behaviour of the filter:
 
 ```bash
 # True positive requests:

@@ -1,19 +1,18 @@
 services:
   httpbin:
-    image: mccutchen/go-httpbin:v2.5.0
+    image: mccutchen/go-httpbin:v2.9.0
+    command: [ "/bin/go-httpbin", "-port", "8081" ]
+    ports:
+      - 8081:8081
   envoy:
     depends_on:
       - httpbin
-    image: ${ENVOY_IMAGE:-envoyproxy/envoy:v1.23-latest}
+    image: ${ENVOY_IMAGE:-envoyproxy/envoy:v1.27-latest}
     command:
       - -c
       - /conf/envoy-config.yaml
     volumes:
       - ../build:/build
-      - ../example:/conf # relying on envoy-config file from /example/
-  tests:
-    depends_on:
-      - envoy
-    build:
-      context: .
-      dockerfile: ./Dockerfile.curl
+      - .:/conf
+    ports:
+    - 8080:8080
@@ -0,0 +1,109 @@
+stats_config:
+  stats_tags:
+    # Envoy extracts the first matching group as a value.
+    # See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/metrics/v3/stats.proto#config-metrics-v3-statsconfig.
+    - tag_name: phase
+      regex: "(_phase=([a-z_]+))"
+    - tag_name: rule_id
+      regex: "(_ruleid=([0-9]+))"
+    - tag_name: identifier
+      regex: "(_identifier=([0-9a-z.:]+))"
+    - tag_name: owner
+      regex: "(_owner=([0-9a-z.:]+))"
+    - tag_name: authority
+      regex: "(_authority=([0-9a-z.:]+))"
+
+static_resources:
+  listeners:
+    - address:
+        socket_address:
+          address: 0.0.0.0
+          port_value: 8080
+      filter_chains:
+        - filters:
+            - name: envoy.filters.network.http_connection_manager
+              typed_config:
+                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+                stat_prefix: ingress_http
+                codec_type: auto
+                route_config:
+                  # A custom response header is added for e2e testing purposes. A local response, triggered by an interruption,
+                  # has to allow custom added headers like this. See https://github.com/corazawaf/coraza-proxy-wasm/pull/172
+                  response_headers_to_add:
+                    - header: 
+                        key: "custom_header"
+                        value: "custom_value"
+                  virtual_hosts:
+                    - name: local_route
+                      domains:
+                        - "*"
+                      routes:
+                        - match:
+                            prefix: "/"
+                          route:
+                            cluster: local_server
+                http_filters:
+                  - name: envoy.filters.http.wasm
+                    typed_config:
+                      "@type": type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+                      config:
+                        name: "coraza-filter"
+                        root_id: ""
+                        configuration:
+                          "@type": "type.googleapis.com/google.protobuf.StringValue"
+                          # See https://github.com/corazawaf/coraza/blob/main/http/e2e/cmd/httpe2e/main.go#L22 for e2e Coraza directives
+                          value: |
+                            {
+                              "directives_map": {
+                                  "rs1": [
+                                    "SecRuleEngine On",
+                                    "SecRequestBodyAccess On",
+                                    "SecResponseBodyAccess On",
+                                    "SecResponseBodyMimeType application/json",
+                                    "SecRule &REQUEST_HEADERS:coraza-e2e \"@eq 0\" \"id:100,phase:1,deny,status:424,log,msg:'Coraza E2E - Missing header'\"",
+                                    "SecRule REQUEST_URI \"@streq /admin\" \"id:101,phase:1,t:lowercase,log,deny,status:403\"",
+                                    "SecRule REQUEST_BODY \"@rx maliciouspayload\" \"id:102,phase:2,t:lowercase,log,deny,status:403\"",
+                                    "SecRule RESPONSE_HEADERS:pass \"@rx leak\" \"id:103,phase:3,t:lowercase,log,deny,status:403\"",
+                                    "SecRule RESPONSE_BODY \"@contains responsebodycode\" \"id:104,phase:4,t:lowercase,log,deny,status:403\"",
+                                    "SecRule ARGS_NAMES|ARGS \"@detectXSS\" \"id:9411,phase:2,t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,log,deny,status:403\"",
+                                    "SecRule ARGS_NAMES|ARGS \"@detectSQLi\" \"id:9421,phase:2,t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,multiMatch,log,deny,status:403\"",
+                                    "SecRule REQUEST_HEADERS:User-Agent \"@pm grabber masscan\" \"id:9131,phase:1,t:none,log,deny,status:403\""
+                                  ]
+                              },
+                              "default_directives": "rs1",
+                              "metric_labels": {
+                                "owner": "coraza",
+                                "identifier": "global"
+                              }
+                            }
+                        vm_config:
+                          runtime: "envoy.wasm.runtime.v8"
+                          vm_id: "my_vm_id"
+                          code:
+                            local:
+                              filename: "build/main.wasm"
+                  - name: envoy.filters.http.router
+                    typed_config:
+                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+
+  clusters:
+    - name: local_server
+      connect_timeout: 6000s
+      type: STRICT_DNS
+      lb_policy: ROUND_ROBIN
+      load_assignment:
+        cluster_name: local_server
+        endpoints:
+          - lb_endpoints:
+              - endpoint:
+                  address:
+                    socket_address:
+                      address: httpbin
+                      port_value: 8081
+
+admin:
+  access_log_path: "/dev/null"
+  address:
+    socket_address:
+      address: 0.0.0.0
+      port_value: 8082
@@ -1,6 +1,6 @@
 services:
   httpbin:
-    image: mccutchen/go-httpbin:v2.5.0
+    image: mccutchen/go-httpbin:v2.9.0
     environment:
       - MAX_BODY_SIZE=15728640 # 15 MiB
     ports:
@@ -19,7 +19,7 @@ services:
     depends_on:
       - chown
       - httpbin
-    image: ${ENVOY_IMAGE:-envoyproxy/envoy:v1.23-latest}
+    image: ${ENVOY_IMAGE:-envoyproxy/envoy:v1.27-latest}
     command:
       - -c
       - /conf/envoy-config.yaml

@@ -1,6 +1,6 @@
 services:
   httpbin:
-    image: mccutchen/go-httpbin:v2.5.0
+    image: mccutchen/go-httpbin:v2.9.0
   chown:
     image: alpine:3.16
     command:
@@ -14,7 +14,7 @@ services:
     depends_on:
       - chown
       - httpbin
-    image: ${ENVOY_IMAGE:-envoyproxy/envoy:v1.23-latest}
+    image: ${ENVOY_IMAGE:-envoyproxy/envoy:v1.27-latest}
     command:
       - -c
       - ${ENVOY_CONFIG:-/conf/envoy-config.yaml}

@@ -1,6 +1,6 @@
 module github.com/corazawaf/coraza-proxy-wasm
 
-go 1.19
+go 1.20
 
 require (
 	github.com/corazawaf/coraza-wasilibs v0.0.0-20230620081031-05a5097dbea3