Enhance ModSecurity tests

tests/core/modsecurity/docker-compose.test.yml

@@ -5,8 +5,10 @@ services:
     build: .
     environment:
       PYTHONUNBUFFERED: "1"
+      DOCKER_HOST: "tcp://bw-docker:2375"
       USE_MODSECURITY: "yes"
       USE_MODSECURITY_CRS: "yes"
+      MODSECURITY_CRS_VERSION: "3"
       MODSECURITY_SEC_AUDIT_ENGINE: "RelevantOnly"
       MODSECURITY_SEC_RULE_ENGINE: "On"
       MODSECURITY_SEC_AUDIT_LOG_PARTS: "ABCFHZ"
@@ -15,7 +17,10 @@ services:
     networks:
       bw-services:
         ipv4_address: 192.168.0.3
+      bw-docker:
 
 networks:
   bw-services:
     external: true
+  bw-docker:
+    external: true

tests/core/modsecurity/docker-compose.yml

@@ -19,6 +19,7 @@ services:
       # ? MODECURITY settings
       USE_MODSECURITY: "yes"
       USE_MODSECURITY_CRS: "yes"
+      MODSECURITY_CRS_VERSION: "3"
       MODSECURITY_SEC_AUDIT_ENGINE: "RelevantOnly"
       MODSECURITY_SEC_RULE_ENGINE: "On"
       MODSECURITY_SEC_AUDIT_LOG_PARTS: "ABCFHZ"
@@ -72,3 +73,4 @@ networks:
       config:
         - subnet: 192.168.0.0/24
   bw-docker:
+    name: bw-docker

tests/core/modsecurity/main.py

@@ -1,4 +1,7 @@
 from contextlib import suppress
+from datetime import datetime
+from re import search
+from docker import DockerClient
 from os import getenv
 from requests import get
 from requests.exceptions import RequestException
@@ -30,6 +33,9 @@ try:
 
     use_modsecurity = getenv("USE_MODSECURITY", "yes") == "yes"
     use_modsecurity_crs = getenv("USE_MODSECURITY_CRS", "yes") == "yes"
+    modsecurity_crs_version = getenv("MODSECURITY_CRS_VERSION", "3")
+
+    current_time = datetime.now().timestamp()
 
     print(
         "ℹ️ Sending a requests to http://www.example.com/?id=/etc/passwd ...",
@@ -57,6 +63,35 @@ try:
         print("❌ ModSecurity is not working as expected, exiting ...", flush=True)
         exit(1)
 
+    if use_modsecurity and use_modsecurity_crs:
+        found = False
+        if getenv("TEST_TYPE", "docker") == "docker":
+            docker_host = getenv("DOCKER_HOST", "unix:///var/run/docker.sock")
+            docker_client = DockerClient(base_url=docker_host)
+
+            bw_instances = docker_client.containers.list(filters={"label": "bunkerweb.INSTANCE"})
+
+            if not bw_instances:
+                print("❌ BunkerWeb instance not found ...", flush=True)
+                exit(1)
+
+            bw_instance = bw_instances[0]
+
+            for log in bw_instance.logs(since=current_time).split(b"\n"):
+                if f'[ver "OWASP_CRS/{modsecurity_crs_version}'.encode() in log:
+                    found = True
+                    break
+        else:
+            with open("/var/log/bunkerweb/error.log", "r") as f:
+                for line in f.readlines():
+                    if search(f'[ver "OWASP_CRS/{modsecurity_crs_version}', line):
+                        found = True
+                        break
+
+        if not found:
+            print("❌ ModSecurity CRS doesn't use the expected version, exiting ...", flush=True)
+            exit(1)
+
     print("✅ ModSecurity is working as expected ...", flush=True)
 except SystemExit:
     exit(1)

tests/core/modsecurity/requirements.in

@@ -1 +1,2 @@
+docker==7.0.0
 requests==2.31.0

tests/core/modsecurity/requirements.txt

@@ -100,15 +100,27 @@ charset-normalizer==3.3.2 \
     --hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \
     --hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561
     # via requests
+docker==7.0.0 \
+    --hash=sha256:12ba681f2777a0ad28ffbcc846a69c31b4dfd9752b47eb425a274ee269c5e14b \
+    --hash=sha256:323736fb92cd9418fc5e7133bc953e11a9da04f4483f828b527db553f1e7e5a3
+    # via -r requirements.in
 idna==3.6 \
     --hash=sha256:9ecdbbd083b06798ae1e86adcbfe8ab1479cf864e4ee30fe4e46a003d12491ca \
     --hash=sha256:c05567e9c24a6b9faaa835c4821bad0590fbb9d5779e7caa6e1cc4978e7eb24f
     # via requests
+packaging==23.2 \
+    --hash=sha256:048fb0e9405036518eaaf48a55953c750c11e1a1b68e0dd1a9d62ed0c092cfc5 \
+    --hash=sha256:8c491190033a9af7e1d931d0b5dacc2ef47509b34dd0de67ed209b5203fc88c7
+    # via docker
 requests==2.31.0 \
     --hash=sha256:58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f \
     --hash=sha256:942c5a758f98d790eaed1a29cb6eefc7ffb0d1cf7af05c3d2791656dbd6ad1e1
-    # via -r requirements.in
+    # via
+    #   -r requirements.in
+    #   docker
 urllib3==2.2.0 \
     --hash=sha256:051d961ad0c62a94e50ecf1af379c3aba230c66c710493493560c0c223c49f20 \
     --hash=sha256:ce3711610ddce217e6d113a2732fafad960a03fd0318c91faa79481e35c11224
-    # via requests
+    # via
+    #   docker
+    #   requests

tests/core/modsecurity/test.sh

@@ -30,6 +30,7 @@ else
     sudo systemctl stop bunkerweb
     echo "USE_MODSECURITY=yes" | sudo tee -a /etc/bunkerweb/variables.env
     echo "USE_MODSECURITY_CRS=yes" | sudo tee -a /etc/bunkerweb/variables.env
+    echo "MODSECURITY_CRS_VERSION=3" | sudo tee -a /etc/bunkerweb/variables.env
     echo "MODSECURITY_SEC_AUDIT_ENGINE=RelevantOnly" | sudo tee -a /etc/bunkerweb/variables.env
     echo "MODSECURITY_SEC_RULE_ENGINE=On" | sudo tee -a /etc/bunkerweb/variables.env
     echo "MODSECURITY_SEC_AUDIT_LOG_PARTS=ABCFHZ" | sudo tee -a /etc/bunkerweb/variables.env
@@ -45,6 +46,7 @@ cleanup_stack () {
         if [ "$integration" == "docker" ] ; then
             find . -type f -name 'docker-compose.*' -exec sed -i 's@USE_MODSECURITY: "no"@USE_MODSECURITY: "yes"@' {} \;
             find . -type f -name 'docker-compose.*' -exec sed -i 's@USE_MODSECURITY_CRS: "no"@USE_MODSECURITY_CRS: "yes"@' {} \;
+            find . -type f -name 'docker-compose.*' -exec sed -i 's@MODSECURITY_CRS_VERSION: "4"@MODSECURITY_CRS_VERSION: "3"@' {} \;
         else
             sudo sed -i 's@USE_MODSECURITY=.*$@USE_MODSECURITY=yes@' /etc/bunkerweb/variables.env
             sudo sed -i 's@USE_MODSECURITY_CRS=.*$@USE_MODSECURITY_CRS=yes@' /etc/bunkerweb/variables.env
@@ -77,7 +79,7 @@ cleanup_stack () {
 # Cleanup stack on exit
 trap cleanup_stack EXIT
 
-for test in "activated" "crs_deactivated" "deactivated"
+for test in "activated" "crs_deactivated" "crs_v4" "deactivated"
 do
     if [ "$test" = "activated" ] ; then
         echo "👮 Running tests with modsecurity activated ..."
@@ -89,15 +91,26 @@ do
             sudo sed -i 's@USE_MODSECURITY_CRS=.*$@USE_MODSECURITY_CRS=no@' /etc/bunkerweb/variables.env
             export USE_MODSECURITY_CRS="no"
         fi
+    elif [ "$test" = "crs_v4" ] ; then
+        echo "👮 Running tests with the CRS v4 ..."
+        if [ "$integration" == "docker" ] ; then
+            find . -type f -name 'docker-compose.*' -exec sed -i 's@MODSECURITY_CRS_VERSION: "3"@MODSECURITY_CRS_VERSION: "4"@' {} \;
+        else
+            sudo sed -i 's@MODSECURITY_CRS_VERSION=.*$@MODSECURITY_CRS_VERSION=4@' /etc/bunkerweb/variables.env
+            export MODSECURITY_CRS_VERSION="4"
+        fi
     elif [ "$test" = "deactivated" ] ; then
         echo "👮 Running tests without modsecurity ..."
         if [ "$integration" == "docker" ] ; then
+            find . -type f -name 'docker-compose.*' -exec sed -i 's@MODSECURITY_CRS_VERSION: "4"@MODSECURITY_CRS_VERSION: "3"@' {} \;
             find . -type f -name 'docker-compose.*' -exec sed -i 's@USE_MODSECURITY_CRS: "no"@USE_MODSECURITY_CRS: "yes"@' {} \;
             find . -type f -name 'docker-compose.*' -exec sed -i 's@USE_MODSECURITY: "yes"@USE_MODSECURITY: "no"@' {} \;
         else
             sudo sed -i 's@USE_MODSECURITY_CRS=.*$@USE_MODSECURITY_CRS=yes@' /etc/bunkerweb/variables.env
             sudo sed -i 's@USE_MODSECURITY=.*$@USE_MODSECURITY=no@' /etc/bunkerweb/variables.env
+            sudo sed -i 's@MODSECURITY_CRS_VERSION=.*$@MODSECURITY_CRS_VERSION=3@' /etc/bunkerweb/variables.env
             unset USE_MODSECURITY_CRS
+            unset MODSECURITY_CRS_VERSION
             export USE_MODSECURITY="no"
         fi
     fi