diff --git a/tests/core/modsecurity/docker-compose.test.yml b/tests/core/modsecurity/docker-compose.test.yml
index 0e178da09..a8b3657e1 100644
--- a/tests/core/modsecurity/docker-compose.test.yml
+++ b/tests/core/modsecurity/docker-compose.test.yml
@@ -5,8 +5,10 @@ services:
 build: .
 environment:
 PYTHONUNBUFFERED: "1"
+ DOCKER_HOST: "tcp://bw-docker:2375"
 USE_MODSECURITY: "yes"
 USE_MODSECURITY_CRS: "yes"
+ MODSECURITY_CRS_VERSION: "3"
 MODSECURITY_SEC_AUDIT_ENGINE: "RelevantOnly"
 MODSECURITY_SEC_RULE_ENGINE: "On"
 MODSECURITY_SEC_AUDIT_LOG_PARTS: "ABCFHZ"
@@ -15,7 +17,10 @@ services:
 networks:
 bw-services:
 ipv4_address: 192.168.0.3
+ bw-docker:
 networks:
 bw-services:
 external: true
+ bw-docker:
+ external: true
diff --git a/tests/core/modsecurity/docker-compose.yml b/tests/core/modsecurity/docker-compose.yml
index be0a015a6..f82543e64 100644
--- a/tests/core/modsecurity/docker-compose.yml
+++ b/tests/core/modsecurity/docker-compose.yml
@@ -19,6 +19,7 @@ services:
 # ? MODECURITY settings
 USE_MODSECURITY: "yes"
 USE_MODSECURITY_CRS: "yes"
+ MODSECURITY_CRS_VERSION: "3"
 MODSECURITY_SEC_AUDIT_ENGINE: "RelevantOnly"
 MODSECURITY_SEC_RULE_ENGINE: "On"
 MODSECURITY_SEC_AUDIT_LOG_PARTS: "ABCFHZ"
@@ -72,3 +73,4 @@ networks:
 config:
 - subnet: 192.168.0.0/24
 bw-docker:
+ name: bw-docker
diff --git a/tests/core/modsecurity/main.py b/tests/core/modsecurity/main.py
index 6c183e4f3..7eb25e00f 100644
--- a/tests/core/modsecurity/main.py
+++ b/tests/core/modsecurity/main.py
@@ -1,4 +1,7 @@
 from contextlib import suppress
+from datetime import datetime
+from re import search
+from docker import DockerClient
 from os import getenv
 from requests import get
 from requests.exceptions import RequestException
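Review bot: `DOCKER_HOST: "tcp://bw-docker:2375"` in the first docker-compose.test.yml hunk points the test container at an unauthenticated, unencrypted Docker API endpoint, and whoever can reach port 2375 on the bw-docker network gets root-equivalent control of the daemon host. That is tolerable for an isolated CI fixture, but the network is only declared `external: true` here and named (`name: bw-docker`) in docker-compose.yml, so nothing in this diff keeps it off a routable interface; consider declaring it `internal: true` where it is created, and a comment on the DOCKER_HOST line such as `# test-only: unauthenticated daemon endpoint, must stay on the internal bw-docker network`. The service that actually listens on 2375 (presumably a socket proxy) is not part of this diff, so whether it restricts the API to the read-only calls the test needs cannot be verified here.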
@@ -30,6 +33,9 @@ try:
 use_modsecurity = getenv("USE_MODSECURITY", "yes") == "yes"
 use_modsecurity_crs = getenv("USE_MODSECURITY_CRS", "yes") == "yes"
+ modsecurity_crs_version = getenv("MODSECURITY_CRS_VERSION", "3")
+
+ current_time = datetime.now().timestamp()
 print(
 "ℹ️ Sending a requests to http://www.example.com/?id=/etc/passwd ...",
@@ -57,6 +63,35 @@ try:
 print("❌ ModSecurity is not working as expected, exiting ...", flush=True)
 exit(1)
+ if use_modsecurity and use_modsecurity_crs:
+ found = False
+ if getenv("TEST_TYPE", "docker") == "docker":
+ docker_host = getenv("DOCKER_HOST", "unix:///var/run/docker.sock")
+ docker_client = DockerClient(base_url=docker_host)
+
+ bw_instances = docker_client.containers.list(filters={"label": "bunkerweb.INSTANCE"})
+
+ if not bw_instances:
+ print("❌ BunkerWeb instance not found ...", flush=True)
+ exit(1)
+
+ bw_instance = bw_instances[0]
+
+ for log in bw_instance.logs(since=current_time).split(b"\n"):
+ if f'[ver "OWASP_CRS/{modsecurity_crs_version}'.encode() in log:
+ found = True
+ break
+ else:
+ with open("/var/log/bunkerweb/error.log", "r") as f:
+ for line in f.readlines():
+ if search(f'[ver "OWASP_CRS/{modsecurity_crs_version}', line):
+ found = True
+ break
+
+ if not found:
+ print("❌ ModSecurity CRS doesn't use the expected version, exiting ...", flush=True)
+ exit(1)
+
 print("✅ ModSecurity is working as expected ...", flush=True)
 except SystemExit:
 exit(1)
diff --git a/tests/core/modsecurity/requirements.in b/tests/core/modsecurity/requirements.in
index 2c24336eb..87bc072d9 100644
--- a/tests/core/modsecurity/requirements.in
+++ b/tests/core/modsecurity/requirements.in
@@ -1 +1,2 @@
+docker==7.0.0
 requests==2.31.0
diff --git a/tests/core/modsecurity/requirements.txt b/tests/core/modsecurity/requirements.txt
index eb0d70b88..2f6c739c9 100644
--- a/tests/core/modsecurity/requirements.txt
+++ b/tests/core/modsecurity/requirements.txt
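Review bot: In the `else:` branch of the new block in the `@@ -57,6 +63,35 @@` hunk, `search(f'[ver "OWASP_CRS/{modsecurity_crs_version}', line)` hands an unescaped pattern to `re.search`; the leading `[` opens a character class that is never closed, so `re` raises `re.error` (unterminated character set) on the first line of the log and the non-docker path of the version check never evaluates. The docker branch a few lines above uses a plain substring test, so the simplest fix is to match it, `if f'[ver "OWASP_CRS/{modsecurity_crs_version}' in line:` (or wrap the pattern in `re.escape`), and `for line in f:` avoids materialising the whole file with `readlines()`. Two smaller points: the file branch scans the entire error log while the docker branch is limited to `since=current_time`, so entries left by an earlier run can satisfy the check, and whether docker 7.0.0 accepts a float `since` is worth confirming against the library (an `int(...)` or a `datetime` is the documented form). The enclosing `try:` starts before the hunk, so which exceptions besides `SystemExit` are handled is not visible here.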
@@ -100,15 +100,27 @@ charset-normalizer==3.3.2 \
 --hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \
 --hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561
 # via requests
+docker==7.0.0 \
+ --hash=sha256:12ba681f2777a0ad28ffbcc846a69c31b4dfd9752b47eb425a274ee269c5e14b \
+ --hash=sha256:323736fb92cd9418fc5e7133bc953e11a9da04f4483f828b527db553f1e7e5a3
+ # via -r requirements.in
 idna==3.6 \
 --hash=sha256:9ecdbbd083b06798ae1e86adcbfe8ab1479cf864e4ee30fe4e46a003d12491ca \
 --hash=sha256:c05567e9c24a6b9faaa835c4821bad0590fbb9d5779e7caa6e1cc4978e7eb24f
 # via requests
+packaging==23.2 \
+ --hash=sha256:048fb0e9405036518eaaf48a55953c750c11e1a1b68e0dd1a9d62ed0c092cfc5 \
+ --hash=sha256:8c491190033a9af7e1d931d0b5dacc2ef47509b34dd0de67ed209b5203fc88c7
+ # via docker
 requests==2.31.0 \
 --hash=sha256:58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f \
 --hash=sha256:942c5a758f98d790eaed1a29cb6eefc7ffb0d1cf7af05c3d2791656dbd6ad1e1
- # via -r requirements.in
+ # via
+ # -r requirements.in
+ # docker
 urllib3==2.2.0 \
 --hash=sha256:051d961ad0c62a94e50ecf1af379c3aba230c66c710493493560c0c223c49f20 \
 --hash=sha256:ce3711610ddce217e6d113a2732fafad960a03fd0318c91faa79481e35c11224
- # via requests
+ # via
+ # docker
+ # requests
diff --git a/tests/core/modsecurity/test.sh b/tests/core/modsecurity/test.sh
index 23d9f8a84..b93d49df8 100755
--- a/tests/core/modsecurity/test.sh
+++ b/tests/core/modsecurity/test.sh
@@ -30,6 +30,7 @@ else
 sudo systemctl stop bunkerweb
 echo "USE_MODSECURITY=yes" | sudo tee -a /etc/bunkerweb/variables.env
 echo "USE_MODSECURITY_CRS=yes" | sudo tee -a /etc/bunkerweb/variables.env
+ echo "MODSECURITY_CRS_VERSION=3" | sudo tee -a /etc/bunkerweb/variables.env
 echo "MODSECURITY_SEC_AUDIT_ENGINE=RelevantOnly" | sudo tee -a /etc/bunkerweb/variables.env
 echo "MODSECURITY_SEC_RULE_ENGINE=On" | sudo tee -a /etc/bunkerweb/variables.env
 echo "MODSECURITY_SEC_AUDIT_LOG_PARTS=ABCFHZ" | sudo tee -a /etc/bunkerweb/variables.env
@@ -45,6 +46,7 @@ cleanup_stack () {
 if [ "$integration" == "docker" ] ; then
 find . -type f -name 'docker-compose.*' -exec sed -i 's@USE_MODSECURITY: "no"@USE_MODSECURITY: "yes"@' {} \;
 find . -type f -name 'docker-compose.*' -exec sed -i 's@USE_MODSECURITY_CRS: "no"@USE_MODSECURITY_CRS: "yes"@' {} \;
+ find . -type f -name 'docker-compose.*' -exec sed -i 's@MODSECURITY_CRS_VERSION: "4"@MODSECURITY_CRS_VERSION: "3"@' {} \;
 else
 sudo sed -i 's@USE_MODSECURITY=.*$@USE_MODSECURITY=yes@' /etc/bunkerweb/variables.env
 sudo sed -i 's@USE_MODSECURITY_CRS=.*$@USE_MODSECURITY_CRS=yes@' /etc/bunkerweb/variables.env
@@ -77,7 +79,7 @@ cleanup_stack () {
 # Cleanup stack on exit
 trap cleanup_stack EXIT
-for test in "activated" "crs_deactivated" "deactivated"
+for test in "activated" "crs_deactivated" "crs_v4" "deactivated"
 do
 if [ "$test" = "activated" ] ; then
 echo "👮 Running tests with modsecurity activated ..."
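Review bot: In the `cleanup_stack` hunk (`@@ -45,6 +46,7 @@`) only the docker branch gains a reset of `MODSECURITY_CRS_VERSION: "4"` back to `"3"`; the `else` branch gets no matching `sed` on /etc/bunkerweb/variables.env and the `export MODSECURITY_CRS_VERSION="4"` set by the crs_v4 case is not unset there. The v4 setting is instead undone inside the `deactivated` case in the following hunk, which works only because `deactivated` immediately follows `crs_v4` in the loop; reordering or dropping a test would carry the v4 version into later runs or leave it in the host's variables.env at exit. Moving the reset into `cleanup_stack` keeps both integrations symmetric: `sudo sed -i 's@MODSECURITY_CRS_VERSION=.*$@MODSECURITY_CRS_VERSION=3@' /etc/bunkerweb/variables.env` and `unset MODSECURITY_CRS_VERSION` in the `else` branch. Whether `cleanup_stack` runs between iterations rather than only through the `EXIT` trap is not visible in this diff.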
@@ -89,15 +91,26 @@ do
 sudo sed -i 's@USE_MODSECURITY_CRS=.*$@USE_MODSECURITY_CRS=no@' /etc/bunkerweb/variables.env
 export USE_MODSECURITY_CRS="no"
 fi
+ elif [ "$test" = "crs_v4" ] ; then
+ echo "👮 Running tests with the CRS v4 ..."
+ if [ "$integration" == "docker" ] ; then
+ find . -type f -name 'docker-compose.*' -exec sed -i 's@MODSECURITY_CRS_VERSION: "3"@MODSECURITY_CRS_VERSION: "4"@' {} \;
+ else
+ sudo sed -i 's@MODSECURITY_CRS_VERSION=.*$@MODSECURITY_CRS_VERSION=4@' /etc/bunkerweb/variables.env
+ export MODSECURITY_CRS_VERSION="4"
+ fi
 elif [ "$test" = "deactivated" ] ; then
 echo "👮 Running tests without modsecurity ..."
 if [ "$integration" == "docker" ] ; then
+ find . -type f -name 'docker-compose.*' -exec sed -i 's@MODSECURITY_CRS_VERSION: "4"@MODSECURITY_CRS_VERSION: "3"@' {} \;
 find . -type f -name 'docker-compose.*' -exec sed -i 's@USE_MODSECURITY_CRS: "no"@USE_MODSECURITY_CRS: "yes"@' {} \;
 find . -type f -name 'docker-compose.*' -exec sed -i 's@USE_MODSECURITY: "yes"@USE_MODSECURITY: "no"@' {} \;
 else
 sudo sed -i 's@USE_MODSECURITY_CRS=.*$@USE_MODSECURITY_CRS=yes@' /etc/bunkerweb/variables.env
 sudo sed -i 's@USE_MODSECURITY=.*$@USE_MODSECURITY=no@' /etc/bunkerweb/variables.env
+ sudo sed -i 's@MODSECURITY_CRS_VERSION=.*$@MODSECURITY_CRS_VERSION=3@' /etc/bunkerweb/variables.env
 unset USE_MODSECURITY_CRS
+ unset MODSECURITY_CRS_VERSION
 export USE_MODSECURITY="no"
 fi
 fi