Merge branch 'intel:main' into main

M4tteoP · web-flow · commit 6f78c253817d · 2022-06-20T15:22:35.000+02:00
diff --git a/.github/workflows/build-wasm-plugin.yaml b/.github/workflows/build-wasm-plugin.yaml
@@ -6,20 +6,86 @@ on:
       - main
   pull_request:
     paths:
+      - "e2e"
       - "wasmplugin/**"
       - ".github/workflows/build-wasm-plugin.yaml"
 
 jobs:
-  build-wasm-plugin:
+  build-wasm-plugin-dynamic:
     runs-on: ubuntu-20.04
     steps:
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v1
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v1
+      # In this step, this action saves a list of existing images,
+      # the cache is created without them in the post run.
+      # It also restores the cache if it exists.
+
       - name: Build and push
         uses: docker/build-push-action@v2
         with:
           context: "{{defaultContext}}:wasmplugin"
           push: false
           tags: intel/modsecurity-wasm-filter:latest
+
+  build-wasm-plugin-static:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Checkout"
+        uses: actions/checkout@v3
+        with:
+          submodules: recursive
+
+      # In this step, this action saves a list of existing images,
+      # the cache is created without them in the post run.
+      # It also restores the cache if it exists.
+      - uses: satackey/action-docker-layer-caching@v0.0.11
+        # Ignore the failure of a step and avoid terminating the job.
+        continue-on-error: true
+
+      - name: "Cache generated .wasm file"
+        uses: actions/cache@v3
+        with:
+          path: |
+            e2e/build/
+          key: wasm-module-build-${{ github.sha }}
+
+      - name: "Build wasm module"
+        shell: bash
+        run: make -C e2e build-wasm-plugin-static extract-wasm-plugin-static
+
+  e2e-test-wasm-plugin-static:
+    runs-on: ubuntu-latest
+    needs: build-wasm-plugin-static
+    steps:
+      - name: "Checkout"
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: "Install func-e"
+        shell: bash
+        run: curl https://func-e.io/install.sh | bash -s -- -b /usr/local/bin
+
+      - name: "Restore the wasm files cache"
+        uses: actions/cache@v3
+        with:
+          path: |
+            e2e/build/
+          key: wasm-module-build-${{ github.sha }}
+
+      - name: "Spin up envoy"
+        shell: bash
+        run: |
+          func-e run -c e2e/envoy-config.yaml --log-level info --component-log-level wasm:debug &
+
+      - name: "Run local tests"
+        env:
+          HEALTH_URL: "http://localhost:8001"
+          REQ_UNFILTERED: "http://localhost:8001/home"
+          REQ_FILTERED: "http://localhost:8001/admin"
+        shell: bash
+        run: |
+          ./e2e/tests.sh
diff --git a/e2e/.gitignore b/e2e/.gitignore
@@ -0,0 +1 @@
+build/**
diff --git a/e2e/Makefile b/e2e/Makefile
@@ -0,0 +1,18 @@
+IMAGE_NAME=intel/modsecurity-wasm-filter-static
+IMAGE_VERSION?=latest
+EXTRACT_CONTAINER_NAME=modsecurity-wasm-filter-static-extract
+
+build-wasm-plugin-static:
+	sed -i 's/envoy-wasm-modsecurity-dynamic/envoy-wasm-modsecurity/' ../wasmplugin/Dockerfile
+	sed -i 's/envoy-wasm-modsecurity-dynamic/envoy-wasm-modsecurity/' ../wasmplugin/Makefile
+	docker build --platform linux/amd64 -t $(IMAGE_NAME):$(IMAGE_VERSION) -f ../wasmplugin/Dockerfile ../wasmplugin
+	# Go back to old state
+	cd ../wasmplugin; git checkout .
+
+extract-wasm-plugin-static:
+	@docker rm -f $(EXTRACT_CONTAINER_NAME) || true
+	@docker create --rm --name $(EXTRACT_CONTAINER_NAME) $(IMAGE_NAME):$(IMAGE_VERSION) /plugin.wasm
+	@mkdir ./build
+	@docker cp $(EXTRACT_CONTAINER_NAME):/plugin.wasm ./build/modsecurity-filter.wasm
+	@docker rm -f $(EXTRACT_CONTAINER_NAME)
+
diff --git a/e2e/envoy-config.yaml b/e2e/envoy-config.yaml
@@ -0,0 +1,44 @@
+static_resources:
+  listeners:
+    - address:
+        socket_address:
+          address: 0.0.0.0
+          port_value: 8001
+      filter_chains:
+        - filters:
+            - name: envoy.filters.network.http_connection_manager
+              typed_config:
+                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+                stat_prefix: ingress_http
+                codec_type: auto
+                route_config:
+                  virtual_hosts:
+                    - name: local_route
+                      domains:
+                        - "*"
+                      routes:
+                        - match: { prefix: "/" }
+                          direct_response:
+                            status: 200
+                http_filters:
+                  - name: envoy.filters.http.wasm
+                    typed_config:
+                      "@type": type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+                      config:
+                        name: "modsecurity-filter"
+                        root_id: ""
+                        configuration:
+                          "@type": "type.googleapis.com/google.protobuf.StringValue"
+                          value: |
+                            {
+                              "rules":"SecDebugLogLevel 5 \nSecDebugLog modsec.log \nSecRuleEngine On \nSecRule REQUEST_URI \"@streqr /admin\" \"id:101,phase:1,t:lowercase,deny\""
+                            }
+                        vm_config:
+                          runtime: "envoy.wasm.runtime.v8"
+                          vm_id: "modsecurity-filter-vm"
+                          code:
+                            local:
+                              filename: "./e2e/build/modsecurity-filter.wasm"
+                  - name: envoy.filters.http.router
+                    typed_config:
+                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
diff --git a/e2e/tests.sh b/e2e/tests.sh
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+
+step=1
+total_steps=3
+max_retries=10 #seconds for the server reachability timeout
+
+# if env variables are in place, default values are overridden
+health_url="http://localhost:8001"
+[[ ! -z "$HEALTH_URL" ]] && health_url=$HEALTH_URL
+envoy_url_unfiltered="http://localhost:8001/home"
+[[ ! -z "$REQ_UNFILTERED" ]] && envoy_url_unfiltered=$REQ_UNFILTERED
+envoy_url_filtered="http://localhost:8001/admin"
+[[ ! -z "$REQ_FILTERED" ]] && envoy_url_filtered=$REQ_FILTERED
+
+# Testing if the server is up
+echo "[$step/$total_steps] Testing application reachability"
+status_code="000"
+while [[ "$status_code" -eq "000" ]]; do
+  status_code=$(curl --write-out "%{http_code}" --silent --output /dev/null $health_url)
+  sleep 1
+  echo -ne "[Wait] Waiting for response from $health_url. Timeout: ${max_retries}s   \r"
+  ((max_retries-=1))
+  if [[ "$max_retries" -eq 0 ]] ; then
+    echo "[Fail] Timeout waiting for response from $health_url, make sure the server is running."
+    exit 1
+  fi
+done
+echo -e "\n[Ok] Got status code $status_code, expected 200. Ready to start."
+
+# Testing envoy container reachability with an unfiltered request
+((step+=1))
+echo "[$step/$total_steps] Testing true negative request"
+status_code=$(curl --write-out "%{http_code}" --silent --output /dev/null $envoy_url_unfiltered)
+if [[ "$status_code" -ne 200 ]] ; then
+  echo "[Fail] Unexpected response with code $status_code from $envoy_url_unfiltered"
+  exit 1
+fi
+echo "[Ok] Got status code $status_code, expected 200"
+
+# Testing filtered request
+((step+=1))
+echo "[$step/$total_steps] Testing true positive request"
+status_code=$(curl --write-out "%{http_code}" --silent --output /dev/null $envoy_url_filtered)
+if [[ "$status_code" -ne 403 ]] ; then
+  echo "[Fail] Unexpected response with code $status_code from $envoy_url_filtered"
+  exit 1
+fi
+echo "[Ok] Got status code $status_code, expected 403"
+
+echo "[Done] All tests passed"
