feat: expose expected directives for e2e test (#1012)

* feat: expose expected directives for e2e test * Update http/e2e/cmd/httpe2e/main.go * Update http/e2e/cmd/httpe2e/main.go --------- Co-authored-by: Matteo Pace <[email protected]>
corazawaf · Mar 8, 2024 · 9184eee · 9184eee
1 parent cdc7107
commit 9184eee
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 36 deletions.
diff --git a/http/e2e/cmd/httpe2e/main.go b/http/e2e/cmd/httpe2e/main.go
@@ -19,24 +19,7 @@ import (
 // --proxy-hostport: Proxy endpoint used to perform requests. Defaults to "localhost:8080".
 // --httpbin-hostport: Upstream httpbin endpoint, used for health checking reasons. Defaults to "localhost:8081".
 
-// Expected Coraza configs:
-/*
-SecRuleEngine On
-SecRequestBodyAccess On
-SecResponseBodyAccess On
-SecResponseBodyMimeType application/json
-# Custom rule for Coraza config check (ensuring that these configs are used)
-SecRule &REQUEST_HEADERS:coraza-e2e "@eq 0" "id:100,phase:1,deny,status:424,log,msg:'Coraza E2E - Missing header'"
-# Custom rules for e2e testing
-SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,t:lowercase,log,deny"
-SecRule REQUEST_BODY "@rx maliciouspayload" "id:102,phase:2,t:lowercase,log,deny"
-SecRule RESPONSE_HEADERS:pass "@rx leak" "id:103,phase:3,t:lowercase,log,deny"
-SecRule RESPONSE_BODY "@contains responsebodycode" "id:104,phase:4,t:lowercase,log,deny"
-# Custom rules mimicking the following CRS rules: 941100, 942100, 913100
-SecRule ARGS_NAMES|ARGS "@detectXSS" "id:9411,phase:2,t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,log,deny"
-SecRule ARGS_NAMES|ARGS "@detectSQLi" "id:9421,phase:2,t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,multiMatch,log,deny"
-SecRule REQUEST_HEADERS:User-Agent "@pm grabber masscan" "id:9131,phase:1,t:none,log,deny"
-*/
+// A dedicated set of directives is expected to be loaded for e2e testing. Refer to the `Directives` const in http/e2e/e2e.go.
 
 func main() {
 	// Initialize variables

diff --git a/http/e2e/e2e.go b/http/e2e/e2e.go
@@ -18,6 +18,24 @@ import (
 const (
 	configCheckStatusCode = 424
 	healthCheckTimeout    = 15 // Seconds
+
+	Directives = `
+SecRuleEngine On
+SecRequestBodyAccess On
+SecResponseBodyAccess On
+SecResponseBodyMimeType application/json
+# Custom rule for Coraza config check (ensuring that these configs are used)
+SecRule &REQUEST_HEADERS:coraza-e2e "@eq 0" "id:100,phase:1,deny,status:424,log,msg:'Coraza E2E - Missing header'"
+# Custom rules for e2e testing
+SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,t:lowercase,log,deny"
+SecRule REQUEST_BODY "@rx maliciouspayload" "id:102,phase:2,t:lowercase,log,deny"
+SecRule RESPONSE_HEADERS:pass "@rx leak" "id:103,phase:3,t:lowercase,log,deny"
+SecRule RESPONSE_BODY "@contains responsebodycode" "id:104,phase:4,t:lowercase,log,deny"
+# Custom rules mimicking the following CRS rules: 941100, 942100, 913100
+SecRule ARGS_NAMES|ARGS "@detectXSS" "id:9411,phase:2,t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,log,deny"
+SecRule ARGS_NAMES|ARGS "@detectSQLi" "id:9421,phase:2,t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,multiMatch,log,deny"
+SecRule REQUEST_HEADERS:User-Agent "@pm grabber masscan" "id:9131,phase:1,t:none,log,deny"
+`
 )
 
 type Config struct {

diff --git a/testing/e2e/e2e_test.go b/testing/e2e/e2e_test.go
@@ -23,25 +23,8 @@ import (
 func TestE2e(t *testing.T) {
 	conf := coraza.NewWAFConfig()
 
-	customE2eDirectives := `
-	SecRuleEngine On
-	SecRequestBodyAccess On
-	SecResponseBodyAccess On
-	SecResponseBodyMimeType application/json
-	# Custom rule for Coraza config check (ensuring that these configs are used)
-	SecRule &REQUEST_HEADERS:coraza-e2e "@eq 0" "id:100,phase:1,deny,status:424,log,msg:'Coraza E2E - Missing header'"
-	# Custom rules for e2e testing
-	SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,t:lowercase,log,deny"
-	SecRule REQUEST_BODY "@rx maliciouspayload" "id:102,phase:2,t:lowercase,log,deny"
-	SecRule RESPONSE_HEADERS:pass "@rx leak" "id:103,phase:3,t:lowercase,log,deny"
-	SecRule RESPONSE_BODY "@contains responsebodycode" "id:104,phase:4,t:lowercase,log,deny"
-	# Custom rules mimicking the following CRS rules: 941100, 942100, 913100
-	SecRule ARGS_NAMES|ARGS "@detectXSS" "id:9411,phase:2,t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,log,deny"
-	SecRule ARGS_NAMES|ARGS "@detectSQLi" "id:9421,phase:2,t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,multiMatch,log,deny"
-	SecRule REQUEST_HEADERS:User-Agent "@pm grabber masscan" "id:9131,phase:1,t:none,log,deny"
-`
 	conf = conf.
-		WithDirectives(customE2eDirectives)
+		WithDirectives(e2e.Directives)
 
 	waf, err := coraza.NewWAF(conf)
 	if err != nil {