mirror of
https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin.git
synced 2026-07-19 18:52:20 +02:00
✨ tests: CI end-to-end suite — Traefik binary + mock LAPI (#329)
* ✨ tests: end-to-end suite scaffold + stream-mode scenario Add tests/e2e/ structure with shared bash helpers and the first scenario (stream-mode): spin up real Traefik + Crowdsec via docker compose, mount the repo as a local plugin, add a ban via cscli, verify the bouncer blocks the matching X-Forwarded-For, then delete the decision and verify pass-through. Adds .github/workflows/e2e.yml with one matrix job per scenario (stream-mode for now), and Makefile targets `e2e` and `e2e_<scenario>` for local runs. Refs #328 * ✨ tests: revert to docker provider + bump versions + add 6 scenarios Reverts the stream-mode scenario to the Traefik docker provider (the file provider was a workaround for a local docker daemon API version mismatch, irrelevant in CI). Bumps Traefik to v3.7.1 and Crowdsec to v1.7.8 across all scenarios. Adds six new E2E scenarios: - live-mode: short defaultDecisionSeconds, verifies cache-then-recheck - none-mode: verifies LAPI is queried per request, no caching - trusted-ips: clientTrustedIPs bypass even when the trusted IP is banned - custom-ban-page: BanHTMLFilePath body + Content-Type validation - captcha: captcha decision serves the captcha page (HTTP 200) - appsec: SQLi probe blocked by appsec-virtual-patching Each scenario uses an isolated compose project, mounts the repo as a local plugin, and asserts behavior via curl. Workflow matrix and Makefile E2E_SCENARIOS updated accordingly. Refs #328 * 🐛 tests: set CROWDSEC_BYPASS_DB_VOLUME_CHECK for v1.7+ Crowdsec v1.7 refuses to start without an explicit volume mount on /var/lib/crowdsec/data (or the bypass env var). For E2E we don't need db persistence — set the bypass everywhere so the stack boots. * 🐛 tests: appsec scenario uses OWASP CRS inband collection appsec-virtual-patching only ships CVE-specific rules, not generic SQLi. Switch to crowdsecurity/appsec-crs-inband (the blocking OWASP Core Rule Set) and use a SQLi probe that CRS paranoia level 1 matches (rule 942100/942130). * ♻️ tests: run e2e suite in a single sequential job The matrix spawned one runner per scenario, so the Traefik, Crowdsec and whoami images were pulled — and Crowdsec booted — once per scenario. Run the whole suite in a single job with `make -k e2e` instead: Docker caches the images locally so they are pulled only once, and `-k` keeps the remaining scenarios running after a failure (make still exits non-zero). Scenarios already share the canonical `crowdsec` container name and the 8000 port, so they were meant to run sequentially anyway. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * ✨ tests: add binary e2e suite (Traefik binary + Go mock LAPI), run it in CI Add a second e2e suite that runs Traefik as a downloaded binary with the plugin loaded from source, and replaces Crowdsec with a small stdlib-only Go LAPI mock driven via /admin endpoints. No Docker, no real Crowdsec. The mock lives in its own nested Go module (tests/e2e/mock/mocklapi) so it stays out of the plugin module's build, lint, test and vendor. This suite validates the plugin's own behaviour (live/none/stream modes, caching, trusted-IP bypass, ban/captcha rendering). Crowdsec and AppSec correctness are out of scope on purpose — they are validated upstream by the maintainer — so the AppSec scenario is intentionally absent and the README says so to avoid misfiled issues. CI now runs this suite only (`make e2e_mock`), since it needs neither Docker nor a real Crowdsec. The Docker suite (tests/e2e/scenarios) is kept for local debugging (`make e2e`). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * 🔧 e2e mock: address review — clarify backend flag, move ignore to root - Document the --backend-addr flag: it is the stub upstream service Traefik proxies allowed requests to (the traefik/whoami equivalent), not AppSec. - Move the .cache/ ignore rule from the per-suite .gitignore to the repo root .gitignore, and make the wording accurate: the cache persists across local runs but is recreated on every (fresh-runner) CI run. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * ♻️ tests: move local Docker e2e suite to its own PR (#333) Per review, split the e2e work so each PR is focused. CI runs the binary + mock-LAPI suite (this PR); the heavier, local-only Docker suite (real Traefik + Crowdsec, incl. appsec) now lives in #333. Removes tests/e2e/scenarios, tests/e2e/lib and the Docker-suite README, and drops the `e2e` Make target here (kept in #333). The binary/mock suite and its `e2e_mock` target are unchanged. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * 🔥 e2e mock: simplify the Crowdsec LAPI mock Per review, trim the mock to the minimum the plugin actually exercises: - Drop the stream delta bookkeeping (startup flag + "already streamed" set). The plugin re-Sets/Deletes its cache on every poll, so reporting the whole active set as "new" and removed ones as "deleted" is enough. - Shrink the Decision struct to the three fields the plugin reads (value/type/duration); drop id/origin/scope/scenario and the id counter. - Drop API-key auth and the /admin/reset endpoint — no scenario exercises either. Also drop the now-unused lapi_reset helper. - Replace the store struct + methods with two package-level maps + a mutex. mocklapi/main.go: 234 -> 118 lines. All six scenarios still pass. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * ⚡ e2e mock: replace fixed sleeps with condition polling The `sleep 4` / `sleep 3` after a decision change were magic numbers tied to updateIntervalSeconds / defaultDecisionSeconds. Replace them with waits on the actual condition: - After a ban/unban, poll with wait_for_status until the expected code shows up (stream propagation / live-mode cache TTL). - Captcha keeps status 200 before and after, so gate on the body marker via a new wait_for_body_contains helper. - Control assertions that must NOT change stay immediate (assert_status). Self-documenting, faster on the happy path (returns on the first poll that sees the change), and more robust under slow CI. No fixed sleeps remain. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * ⬆️ e2e mock: bump module go directive to 1.23 Align the mock module with the project's Go version (CI uses 1.23). Part of standardising the whole project on Go 1.23; the plugin module is bumped separately. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * ⬇️ e2e mock: keep Go floor at 1.22 (yaegi ceiling) Revert the mock module back to go 1.22 and make the e2e workflow read the Go version from go.mod (go-version-file) instead of hardcoding 1.23. Rationale: the plugin is interpreted by yaegi, and even Traefik v3.7.1 ships yaegi v0.16.1 (Go 1.22), so the project stays on 1.22. The earlier bump to 1.23 is dropped (plugin go.mod stays 1.22, see #330 for the Renovate cap + CI pin). Mock + all six scenarios verified on Go 1.22. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * ✅ e2e mock: add AppSec scenario + custom remediation header assertion Address review feedback on the binary e2e suite: - mocklapi: add an AppSec WAF stand-in (--appsec-addr) that blocks any URI containing "rpc2" — the exact probe from examples/appsec-enabled — and allows the rest. Lets the suite exercise the plugin's AppSec wiring (header forwarding + allow/block enforcement) without the real CRS engine. - new scenarios/appsec: benign request passes, /foo/rpc2 is 403. - custom-ban-page: assert the banned response carries the custom remediation header (remediationHeadersCustomName), per review. - README: drop the "don't open issues / AppSec intentionally absent" framing; describe what the suite actually covers, including AppSec wiring. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
co-authored by
Claude Opus 4.8
parent
f5d580578c
commit
14b9c47ab2
@@ -0,0 +1,42 @@
|
|||||||
|
name: E2E
|
||||||
|
|
||||||
|
on:
|
||||||
|
push:
|
||||||
|
branches: [main]
|
||||||
|
pull_request:
|
||||||
|
|
||||||
|
concurrency:
|
||||||
|
group: e2e-${{ github.workflow }}-${{ github.ref }}
|
||||||
|
cancel-in-progress: true
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
e2e:
|
||||||
|
name: e2e (binary + mock LAPI)
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v6
|
||||||
|
- name: Set up Go
|
||||||
|
uses: actions/setup-go@v6
|
||||||
|
with:
|
||||||
|
# Track go.mod (Go 1.22) — the plugin's yaegi-bound floor. Keeps the
|
||||||
|
# single source of truth and builds the mock on the supported version.
|
||||||
|
go-version-file: go.mod
|
||||||
|
# CI runs the binary/mock suite only: Traefik as a downloaded binary +
|
||||||
|
# a small LAPI mock (no Docker, no real Crowdsec). It validates the
|
||||||
|
# plugin's own behaviour. Crowdsec / AppSec correctness is upstream's
|
||||||
|
# responsibility, so those are intentionally out of scope here. The
|
||||||
|
# Docker suite (tests/e2e/scenarios) stays available for local debugging.
|
||||||
|
# `-k` keeps going after a failing scenario so the logs cover all of
|
||||||
|
# them, while make still exits non-zero if any scenario failed.
|
||||||
|
- name: Run mock scenarios
|
||||||
|
run: make -k e2e_mock
|
||||||
|
- name: Upload logs on failure
|
||||||
|
if: failure()
|
||||||
|
uses: actions/upload-artifact@v4
|
||||||
|
with:
|
||||||
|
name: e2e-logs
|
||||||
|
path: /tmp/e2e-mock-*.log
|
||||||
|
if-no-files-found: ignore
|
||||||
@@ -5,3 +5,7 @@ conf
|
|||||||
db
|
db
|
||||||
logs
|
logs
|
||||||
docker-compose.dev.yml
|
docker-compose.dev.yml
|
||||||
|
|
||||||
|
# Binary e2e suite working cache: Traefik binary + compiled mock. Persisted
|
||||||
|
# across local runs; CI runs on fresh runners so it is recreated every time.
|
||||||
|
tests/e2e/mock/.cache/
|
||||||
|
|||||||
@@ -1,7 +1,11 @@
|
|||||||
.PHONY: lint test vendor clean
|
.PHONY: lint test vendor clean e2e_mock
|
||||||
|
|
||||||
export GO111MODULE=on
|
export GO111MODULE=on
|
||||||
|
|
||||||
|
# Binary/mock suite (Traefik binary + mock LAPI). This is what CI runs.
|
||||||
|
# The local Docker suite (make e2e) lives in a separate PR/branch.
|
||||||
|
E2E_MOCK_SCENARIOS := stream-mode live-mode none-mode trusted-ips custom-ban-page captcha appsec
|
||||||
|
|
||||||
default: lint test
|
default: lint test
|
||||||
|
|
||||||
lint:
|
lint:
|
||||||
@@ -13,6 +17,11 @@ test:
|
|||||||
yaegi_test:
|
yaegi_test:
|
||||||
yaegi test -v .
|
yaegi test -v .
|
||||||
|
|
||||||
|
e2e_mock: $(addprefix e2e_mock_,$(E2E_MOCK_SCENARIOS))
|
||||||
|
|
||||||
|
e2e_mock_%:
|
||||||
|
./tests/e2e/mock/scenarios/$*/run.sh
|
||||||
|
|
||||||
vendor:
|
vendor:
|
||||||
go mod vendor
|
go mod vendor
|
||||||
|
|
||||||
|
|||||||
@@ -0,0 +1,84 @@
|
|||||||
|
# Binary e2e suite (Traefik binary + mock LAPI)
|
||||||
|
|
||||||
|
This suite runs **Traefik as a downloaded binary** with the plugin loaded from
|
||||||
|
the local source tree, and replaces Crowdsec with a small **HTTP mock**
|
||||||
|
([`mocklapi/`](mocklapi/main.go), a stdlib-only Go command). No Docker, no real
|
||||||
|
Crowdsec.
|
||||||
|
|
||||||
|
It is what **CI runs** (`make e2e_mock`). A separate, local-only **Docker
|
||||||
|
suite** (real Traefik + Crowdsec, under `tests/e2e/scenarios`) is kept for
|
||||||
|
high-fidelity debugging against a real Crowdsec but is not exercised in CI; it
|
||||||
|
ships in its own PR (#333).
|
||||||
|
|
||||||
|
## Scope — what this suite tests
|
||||||
|
|
||||||
|
These tests validate the **plugin's own behaviour**: the request flow through
|
||||||
|
the Traefik middleware, the live / none / stream modes, caching, trusted-IP
|
||||||
|
bypass, ban / captcha page rendering, and the AppSec request path (header
|
||||||
|
forwarding + enforcing the engine's allow/block verdict).
|
||||||
|
|
||||||
|
The mock stands in for Crowdsec, emulating the slice of the LAPI HTTP contract
|
||||||
|
the plugin consumes — including a single, deterministic AppSec rule (block any
|
||||||
|
URI containing `rpc2`, the probe from [`examples/appsec-enabled`](../../../examples/appsec-enabled)).
|
||||||
|
It is not the real WAF engine, so this suite exercises the plugin's AppSec
|
||||||
|
*wiring* rather than the detection accuracy of OWASP CRS / virtual patching —
|
||||||
|
that lives upstream in Crowdsec.
|
||||||
|
|
||||||
|
## What runs
|
||||||
|
|
||||||
|
| Component | How |
|
||||||
|
|-----------|-----|
|
||||||
|
| Traefik | Binary `v3.7.1`, downloaded into `.cache/` (reused across local runs; re-downloaded on fresh CI runners) |
|
||||||
|
| Plugin | Loaded via `experimental.localPlugins` from the repo root (symlinked into `plugins-local/`) |
|
||||||
|
| LAPI | `mocklapi` — a stdlib-only Go command (its own nested module), compiled and cached under `.cache/`, driven through `/admin` endpoints instead of `cscli` |
|
||||||
|
| AppSec | WAF stand-in built into the mock — blocks URIs containing `rpc2`, allows the rest |
|
||||||
|
| Backend | A plain HTTP responder built into the mock |
|
||||||
|
|
||||||
|
Fixed ports (override with env vars if needed): Traefik `8000`, LAPI `8090`,
|
||||||
|
backend `8091`, AppSec `8092`.
|
||||||
|
|
||||||
|
## Running locally
|
||||||
|
|
||||||
|
Prerequisites: `bash`, `curl`, `go`, `tar`. On first use the Traefik binary is
|
||||||
|
fetched and the mock is compiled into `.cache/`. That cache is reused across
|
||||||
|
local runs; CI runs on fresh runners, so both are recreated on every CI run.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# one scenario
|
||||||
|
make e2e_mock_stream-mode
|
||||||
|
# or directly
|
||||||
|
./tests/e2e/mock/scenarios/stream-mode/run.sh
|
||||||
|
|
||||||
|
# the whole suite
|
||||||
|
make e2e_mock
|
||||||
|
```
|
||||||
|
|
||||||
|
## Layout
|
||||||
|
|
||||||
|
```
|
||||||
|
mock/
|
||||||
|
lib/
|
||||||
|
common.sh # stack lifecycle, Traefik download, mock build, assertions, admin client
|
||||||
|
traefik.yml # static Traefik config (shared by all scenarios)
|
||||||
|
mocklapi/
|
||||||
|
go.mod # nested module — kept out of the plugin's build/lint/vendor
|
||||||
|
main.go # mock LAPI + AppSec stand-in + backend
|
||||||
|
scenarios/
|
||||||
|
<name>/
|
||||||
|
dynamic.yml # Traefik dynamic config (router + bouncer middleware + backend)
|
||||||
|
run.sh # assertions for the scenario
|
||||||
|
*.html # optional fixtures (ban / captcha templates)
|
||||||
|
```
|
||||||
|
|
||||||
|
`dynamic.yml` uses placeholders (`@@APIKEY@@`, `@@LAPI_HOST@@`,
|
||||||
|
`@@BACKEND_URL@@`, `@@SCENARIO_DIR@@`) that `common.sh` substitutes at runtime.
|
||||||
|
|
||||||
|
## Adding a scenario
|
||||||
|
|
||||||
|
1. Create `scenarios/<name>/dynamic.yml` and `run.sh` (copy `stream-mode/` as a
|
||||||
|
template).
|
||||||
|
2. In `run.sh`, define a `body` function with the assertions and call
|
||||||
|
`run_scenario "<name>" "$HERE" body`.
|
||||||
|
3. Drive decisions with `lapi_add_decision <ip> [type] [duration]` and
|
||||||
|
`lapi_delete_decision <ip>`.
|
||||||
|
4. Add `<name>` to `E2E_MOCK_SCENARIOS` in the `Makefile`.
|
||||||
@@ -0,0 +1,248 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
# Shared helpers for the binary (mock) e2e suite.
|
||||||
|
#
|
||||||
|
# Unlike the Docker suite under tests/e2e/scenarios, this one runs Traefik as a
|
||||||
|
# downloaded binary and replaces Crowdsec with a small HTTP mock (the mocklapi
|
||||||
|
# Go command). It validates the plugin's own behaviour (modes, cache, trusted
|
||||||
|
# IPs, ban / captcha rendering, AppSec wiring) — not the accuracy of Crowdsec's
|
||||||
|
# detection or its WAF engine, which the mock only stands in for.
|
||||||
|
#
|
||||||
|
# Dependencies: bash, curl, go, tar. The Traefik binary is downloaded and the
|
||||||
|
# mock is compiled into .cache/ on first use. That cache persists across local
|
||||||
|
# runs; CI runs on fresh runners, so both are recreated on every CI run.
|
||||||
|
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
# Pinned to match the Docker suite (tests/e2e/scenarios/*/docker-compose.yml).
|
||||||
|
TRAEFIK_VERSION="${TRAEFIK_VERSION:-v3.7.1}"
|
||||||
|
|
||||||
|
WEB_PORT="${WEB_PORT:-8000}"
|
||||||
|
LAPI_PORT="${LAPI_PORT:-8090}"
|
||||||
|
BACKEND_PORT="${BACKEND_PORT:-8091}"
|
||||||
|
APPSEC_PORT="${APPSEC_PORT:-8092}"
|
||||||
|
LAPI_KEY="${LAPI_KEY:-e2e-mock-key}"
|
||||||
|
|
||||||
|
MOCK_LIB_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
||||||
|
REPO_ROOT="$(cd "$MOCK_LIB_DIR/../../../.." && pwd)"
|
||||||
|
CACHE_DIR="$MOCK_LIB_DIR/../.cache"
|
||||||
|
|
||||||
|
# Populated by start_stack / run_scenario, consumed by the EXIT trap.
|
||||||
|
WORKDIR=""
|
||||||
|
TRAEFIK_PID=""
|
||||||
|
MOCK_PID=""
|
||||||
|
SCENARIO_NAME=""
|
||||||
|
SCENARIO_LOG=""
|
||||||
|
|
||||||
|
# Resolve (and cache) the Traefik binary for this host, echoing its path.
|
||||||
|
ensure_traefik() {
|
||||||
|
local bin="$CACHE_DIR/traefik-$TRAEFIK_VERSION"
|
||||||
|
if [[ -x "$bin" ]]; then
|
||||||
|
echo "$bin"
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
mkdir -p "$CACHE_DIR"
|
||||||
|
local os arch
|
||||||
|
case "$(uname -s)" in
|
||||||
|
Linux) os=linux ;;
|
||||||
|
Darwin) os=darwin ;;
|
||||||
|
*) echo "ensure_traefik: unsupported OS $(uname -s)" >&2; return 1 ;;
|
||||||
|
esac
|
||||||
|
case "$(uname -m)" in
|
||||||
|
x86_64 | amd64) arch=amd64 ;;
|
||||||
|
aarch64 | arm64) arch=arm64 ;;
|
||||||
|
*) echo "ensure_traefik: unsupported arch $(uname -m)" >&2; return 1 ;;
|
||||||
|
esac
|
||||||
|
local url="https://github.com/traefik/traefik/releases/download/${TRAEFIK_VERSION}/traefik_${TRAEFIK_VERSION}_${os}_${arch}.tar.gz"
|
||||||
|
echo "ensure_traefik: downloading $url" >&2
|
||||||
|
local tmp
|
||||||
|
tmp="$(mktemp -d)"
|
||||||
|
curl -sSfL "$url" -o "$tmp/traefik.tar.gz"
|
||||||
|
tar -xzf "$tmp/traefik.tar.gz" -C "$tmp" traefik
|
||||||
|
mv "$tmp/traefik" "$bin"
|
||||||
|
chmod +x "$bin"
|
||||||
|
rm -rf "$tmp"
|
||||||
|
echo "$bin"
|
||||||
|
}
|
||||||
|
|
||||||
|
# Build (and cache) the mock LAPI binary, echoing its path. Go's build cache
|
||||||
|
# makes the rebuild near-instant after the first run.
|
||||||
|
ensure_mock() {
|
||||||
|
local bin="$CACHE_DIR/mocklapi"
|
||||||
|
mkdir -p "$CACHE_DIR"
|
||||||
|
( cd "$MOCK_LIB_DIR/../mocklapi" && go build -o "$bin" . ) >&2
|
||||||
|
echo "$bin"
|
||||||
|
}
|
||||||
|
|
||||||
|
# Poll a URL until it returns the expected status code, or fail.
|
||||||
|
# Usage: wait_for_status URL CODE [TIMEOUT_SECONDS] [curl args...]
|
||||||
|
wait_for_status() {
|
||||||
|
local url="$1" expected="$2" timeout="${3:-30}"
|
||||||
|
shift 3 || true
|
||||||
|
local elapsed=0 got=""
|
||||||
|
while (( elapsed < timeout )); do
|
||||||
|
got=$(curl -s -o /dev/null -w '%{http_code}' "$@" "$url" || true)
|
||||||
|
if [[ "$got" == "$expected" ]]; then
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
sleep 1
|
||||||
|
# Note: `((elapsed++))` returns exit 1 when elapsed is 0, which trips set -e.
|
||||||
|
elapsed=$((elapsed + 1))
|
||||||
|
done
|
||||||
|
echo "wait_for_status: $url expected $expected, last seen ${got:-<none>}" >&2
|
||||||
|
return 1
|
||||||
|
}
|
||||||
|
|
||||||
|
# Poll a URL until its body contains a substring, or fail. Used when the status
|
||||||
|
# code alone can't tell the states apart (e.g. captcha page vs backend, both 200).
|
||||||
|
# Usage: wait_for_body_contains URL NEEDLE [TIMEOUT_SECONDS] [curl args...]
|
||||||
|
wait_for_body_contains() {
|
||||||
|
local url="$1" needle="$2" timeout="${3:-30}"
|
||||||
|
shift 3 || true
|
||||||
|
local elapsed=0 body=""
|
||||||
|
while (( elapsed < timeout )); do
|
||||||
|
body=$(curl -s "$@" "$url" || true)
|
||||||
|
if grep -q "$needle" <<<"$body"; then
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
sleep 1
|
||||||
|
elapsed=$((elapsed + 1))
|
||||||
|
done
|
||||||
|
echo "wait_for_body_contains: $url did not contain \"$needle\" within ${timeout}s" >&2
|
||||||
|
return 1
|
||||||
|
}
|
||||||
|
|
||||||
|
# Assert a single curl returns the expected status code.
|
||||||
|
# Usage: assert_status URL CODE [curl args...]
|
||||||
|
assert_status() {
|
||||||
|
local url="$1" expected="$2"
|
||||||
|
shift 2 || true
|
||||||
|
local got
|
||||||
|
got=$(curl -s -o /dev/null -w '%{http_code}' "$@" "$url")
|
||||||
|
if [[ "$got" != "$expected" ]]; then
|
||||||
|
echo "assert_status: $url expected $expected, got $got" >&2
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# Assert a response header matches a value (case-insensitive name).
|
||||||
|
# Usage: assert_header URL HEADER VALUE [curl args...]
|
||||||
|
assert_header() {
|
||||||
|
local url="$1" header="$2" expected="$3"
|
||||||
|
shift 3 || true
|
||||||
|
local got
|
||||||
|
got=$(curl -s -D - -o /dev/null "$@" "$url" | tr -d '\r' \
|
||||||
|
| awk -v h="${header,,}" -F': ' 'tolower($1) == h { print $2; exit }')
|
||||||
|
if [[ "$got" != "$expected" ]]; then
|
||||||
|
echo "assert_header: $url header $header expected \"$expected\", got \"$got\"" >&2
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# Assert a response body contains a substring.
|
||||||
|
# Usage: assert_body_contains URL NEEDLE [curl args...]
|
||||||
|
assert_body_contains() {
|
||||||
|
local url="$1" needle="$2"
|
||||||
|
shift 2 || true
|
||||||
|
local body
|
||||||
|
body=$(curl -s "$@" "$url")
|
||||||
|
if ! grep -q "$needle" <<<"$body"; then
|
||||||
|
echo "assert_body_contains: $url expected to contain \"$needle\", got:" >&2
|
||||||
|
echo "$body" >&2
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# --- mock admin client -------------------------------------------------------
|
||||||
|
|
||||||
|
lapi_add_decision() {
|
||||||
|
local ip="$1" type="${2:-ban}" duration="${3:-4h}"
|
||||||
|
curl -sS -X POST "http://127.0.0.1:${LAPI_PORT}/admin/decisions?ip=${ip}&type=${type}&duration=${duration}" >/dev/null
|
||||||
|
}
|
||||||
|
|
||||||
|
lapi_delete_decision() {
|
||||||
|
local ip="$1"
|
||||||
|
curl -sS -X DELETE "http://127.0.0.1:${LAPI_PORT}/admin/decisions?ip=${ip}" >/dev/null
|
||||||
|
}
|
||||||
|
|
||||||
|
# --- stack lifecycle ---------------------------------------------------------
|
||||||
|
|
||||||
|
# start_stack SCENARIO_DIR
|
||||||
|
# Spins up the mock + Traefik (with the scenario's dynamic.yml) and waits ready.
|
||||||
|
start_stack() {
|
||||||
|
local scenario_dir="$1"
|
||||||
|
local traefik_bin mock_bin
|
||||||
|
traefik_bin="$(ensure_traefik)"
|
||||||
|
mock_bin="$(ensure_mock)"
|
||||||
|
|
||||||
|
WORKDIR="$(mktemp -d)"
|
||||||
|
# Expose the plugin source where Traefik's localPlugins loader expects it.
|
||||||
|
mkdir -p "$WORKDIR/plugins-local/src/github.com/maxlerebourg"
|
||||||
|
ln -s "$REPO_ROOT" "$WORKDIR/plugins-local/src/github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
|
||||||
|
|
||||||
|
cp "$MOCK_LIB_DIR/traefik.yml" "$WORKDIR/traefik.yml"
|
||||||
|
|
||||||
|
# Render the scenario's dynamic config with the live ports / key / paths.
|
||||||
|
sed \
|
||||||
|
-e "s|@@APIKEY@@|${LAPI_KEY}|g" \
|
||||||
|
-e "s|@@LAPI_HOST@@|127.0.0.1:${LAPI_PORT}|g" \
|
||||||
|
-e "s|@@APPSEC_HOST@@|127.0.0.1:${APPSEC_PORT}|g" \
|
||||||
|
-e "s|@@BACKEND_URL@@|http://127.0.0.1:${BACKEND_PORT}|g" \
|
||||||
|
-e "s|@@SCENARIO_DIR@@|${scenario_dir}|g" \
|
||||||
|
"$scenario_dir/dynamic.yml" > "$WORKDIR/dynamic.yml"
|
||||||
|
|
||||||
|
"$mock_bin" \
|
||||||
|
--lapi-addr "127.0.0.1:${LAPI_PORT}" \
|
||||||
|
--backend-addr "127.0.0.1:${BACKEND_PORT}" \
|
||||||
|
--appsec-addr "127.0.0.1:${APPSEC_PORT}" >"$WORKDIR/mock.log" 2>&1 &
|
||||||
|
MOCK_PID=$!
|
||||||
|
|
||||||
|
( cd "$WORKDIR" && exec "$traefik_bin" --configfile=traefik.yml ) >"$WORKDIR/traefik.log" 2>&1 &
|
||||||
|
TRAEFIK_PID=$!
|
||||||
|
|
||||||
|
wait_for_status "http://127.0.0.1:${LAPI_PORT}/health" 200 30
|
||||||
|
# AppSec stand-in: a bare GET carries no "rpc2" URI, so it answers 200 (allow).
|
||||||
|
wait_for_status "http://127.0.0.1:${APPSEC_PORT}/" 200 30
|
||||||
|
# /ping is served by Traefik itself once it is up (plugin compilation included).
|
||||||
|
wait_for_status "http://127.0.0.1:${WEB_PORT}/ping" 200 60
|
||||||
|
}
|
||||||
|
|
||||||
|
stop_stack() {
|
||||||
|
[[ -n "$TRAEFIK_PID" ]] && kill "$TRAEFIK_PID" 2>/dev/null || true
|
||||||
|
[[ -n "$MOCK_PID" ]] && kill "$MOCK_PID" 2>/dev/null || true
|
||||||
|
[[ -n "$TRAEFIK_PID" ]] && wait "$TRAEFIK_PID" 2>/dev/null || true
|
||||||
|
[[ -n "$MOCK_PID" ]] && wait "$MOCK_PID" 2>/dev/null || true
|
||||||
|
[[ -n "$WORKDIR" && -d "$WORKDIR" ]] && rm -rf "$WORKDIR" || true
|
||||||
|
}
|
||||||
|
|
||||||
|
dump_diagnostics() {
|
||||||
|
echo "=== traefik.log ==="
|
||||||
|
cat "$WORKDIR/traefik.log" 2>/dev/null || true
|
||||||
|
echo "=== mock.log ==="
|
||||||
|
cat "$WORKDIR/mock.log" 2>/dev/null || true
|
||||||
|
}
|
||||||
|
|
||||||
|
# EXIT trap: runs after the scenario body (or after a failed assertion under
|
||||||
|
# `set -e`), so it relies only on globals, never on run_scenario's locals.
|
||||||
|
_scenario_cleanup() {
|
||||||
|
local rc=$?
|
||||||
|
if (( rc != 0 )); then
|
||||||
|
dump_diagnostics > "$SCENARIO_LOG" 2>&1 || true
|
||||||
|
echo "[$SCENARIO_NAME] failed. Logs written to $SCENARIO_LOG" >&2
|
||||||
|
fi
|
||||||
|
stop_stack
|
||||||
|
exit $rc
|
||||||
|
}
|
||||||
|
|
||||||
|
# run_scenario SCENARIO_NAME SCENARIO_DIR BODY_FN
|
||||||
|
# Wraps lifecycle + diagnostics so each run.sh stays declarative.
|
||||||
|
run_scenario() {
|
||||||
|
SCENARIO_NAME="$1"
|
||||||
|
local dir="$2" body="$3"
|
||||||
|
SCENARIO_LOG="/tmp/e2e-mock-${SCENARIO_NAME}.log"
|
||||||
|
trap _scenario_cleanup EXIT
|
||||||
|
|
||||||
|
echo "[$SCENARIO_NAME] starting binary stack (Traefik + mock LAPI)..."
|
||||||
|
start_stack "$dir"
|
||||||
|
"$body"
|
||||||
|
echo "[$SCENARIO_NAME] OK"
|
||||||
|
}
|
||||||
@@ -0,0 +1,28 @@
|
|||||||
|
# Static Traefik configuration for the binary e2e suite.
|
||||||
|
# The dynamic part (router + bouncer middleware + backend service) lives in
|
||||||
|
# dynamic.yml, generated per scenario by common.sh.
|
||||||
|
entryPoints:
|
||||||
|
web:
|
||||||
|
address: ":8000"
|
||||||
|
forwardedHeaders:
|
||||||
|
# The test's curl sets X-Forwarded-For; preserve it through the proxy.
|
||||||
|
insecure: true
|
||||||
|
|
||||||
|
log:
|
||||||
|
level: INFO
|
||||||
|
|
||||||
|
accessLog: {}
|
||||||
|
|
||||||
|
# /ping on the web entrypoint is the readiness probe — no dashboard/API needed.
|
||||||
|
ping:
|
||||||
|
entryPoint: web
|
||||||
|
|
||||||
|
providers:
|
||||||
|
file:
|
||||||
|
filename: dynamic.yml
|
||||||
|
watch: false
|
||||||
|
|
||||||
|
experimental:
|
||||||
|
localPlugins:
|
||||||
|
bouncer:
|
||||||
|
moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
// Standalone module so this test helper stays out of the plugin module:
|
||||||
|
// it is excluded from the plugin's `go build ./...`, `go test ./...`,
|
||||||
|
// golangci-lint and `go mod vendor`. Stdlib only — no dependencies.
|
||||||
|
module mocklapi
|
||||||
|
|
||||||
|
go 1.22
|
||||||
@@ -0,0 +1,135 @@
|
|||||||
|
// Command mocklapi is a minimal Crowdsec LAPI stand-in for the binary e2e
|
||||||
|
// suite. It answers only the few LAPI routes the plugin calls — live/none
|
||||||
|
// decision lookups, the stream poll and the usage-metrics push — and lets the
|
||||||
|
// test drive decisions through /admin instead of `cscli`. It also serves the
|
||||||
|
// stub upstream that Traefik proxies allowed requests to.
|
||||||
|
//
|
||||||
|
// It is NOT a Crowdsec/AppSec conformance harness — the real WAF engine (OWASP
|
||||||
|
// CRS, virtual patching) is out of scope. The AppSec endpoint here emulates a
|
||||||
|
// single deterministic rule so the suite can exercise the plugin's AppSec
|
||||||
|
// wiring (header forwarding, allow/block handling) end to end. See the README.
|
||||||
|
package main
|
||||||
|
|
||||||
|
import (
|
||||||
|
"encoding/json"
|
||||||
|
"flag"
|
||||||
|
"log"
|
||||||
|
"net/http"
|
||||||
|
"strings"
|
||||||
|
"sync"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Decision is the subset of a LAPI decision the plugin actually reads.
|
||||||
|
type Decision struct {
|
||||||
|
Value string `json:"value"`
|
||||||
|
Type string `json:"type"`
|
||||||
|
Duration string `json:"duration"`
|
||||||
|
}
|
||||||
|
|
||||||
|
var (
|
||||||
|
mu sync.Mutex
|
||||||
|
active = map[string]Decision{} // ip -> decision currently in force
|
||||||
|
deleted = map[string]Decision{} // ip -> decision to report in the stream "deleted" list
|
||||||
|
)
|
||||||
|
|
||||||
|
func writeJSON(w http.ResponseWriter, v any) {
|
||||||
|
w.Header().Set("Content-Type", "application/json")
|
||||||
|
_ = json.NewEncoder(w).Encode(v)
|
||||||
|
}
|
||||||
|
|
||||||
|
func list(m map[string]Decision) []Decision {
|
||||||
|
out := make([]Decision, 0, len(m))
|
||||||
|
for _, d := range m {
|
||||||
|
out = append(out, d)
|
||||||
|
}
|
||||||
|
return out
|
||||||
|
}
|
||||||
|
|
||||||
|
func main() {
|
||||||
|
lapiAddr := flag.String("lapi-addr", "127.0.0.1:8090", "address for the LAPI mock")
|
||||||
|
// The stub upstream Traefik proxies allowed requests to — the binary-suite
|
||||||
|
// equivalent of the traefik/whoami container. Not AppSec.
|
||||||
|
backendAddr := flag.String("backend-addr", "127.0.0.1:8091", "address for the stub upstream service")
|
||||||
|
// AppSec WAF stand-in (the real engine listens on :7422). Not a CRS engine.
|
||||||
|
appsecAddr := flag.String("appsec-addr", "127.0.0.1:8092", "address for the AppSec mock")
|
||||||
|
flag.Parse()
|
||||||
|
|
||||||
|
go func() {
|
||||||
|
log.Fatal(http.ListenAndServe(*backendAddr, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
|
||||||
|
_, _ = w.Write([]byte("E2E_BACKEND_OK\n"))
|
||||||
|
})))
|
||||||
|
}()
|
||||||
|
|
||||||
|
// AppSec mock: the plugin forwards the request metadata in X-Crowdsec-Appsec-*
|
||||||
|
// headers and reads our status — 200 allows, 403 blocks. We emulate one
|
||||||
|
// deterministic virtual-patching rule (block any URI containing "rpc2", the
|
||||||
|
// exact probe from examples/appsec-enabled) so the plugin's AppSec path is
|
||||||
|
// exercised without standing up the real WAF.
|
||||||
|
go func() {
|
||||||
|
log.Fatal(http.ListenAndServe(*appsecAddr, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
|
if strings.Contains(r.Header.Get("X-Crowdsec-Appsec-Uri"), "rpc2") {
|
||||||
|
w.WriteHeader(http.StatusForbidden)
|
||||||
|
}
|
||||||
|
})))
|
||||||
|
}()
|
||||||
|
|
||||||
|
mux := http.NewServeMux()
|
||||||
|
|
||||||
|
// Readiness probe for the test harness (empty body, 200).
|
||||||
|
mux.HandleFunc("/health", func(http.ResponseWriter, *http.Request) {})
|
||||||
|
|
||||||
|
// live / none mode: the plugin asks about one IP and expects a decision
|
||||||
|
// array, or the literal `null` when there is none.
|
||||||
|
mux.HandleFunc("/v1/decisions", func(w http.ResponseWriter, r *http.Request) {
|
||||||
|
mu.Lock()
|
||||||
|
defer mu.Unlock()
|
||||||
|
if d, ok := active[r.URL.Query().Get("ip")]; ok {
|
||||||
|
writeJSON(w, []Decision{d})
|
||||||
|
return
|
||||||
|
}
|
||||||
|
_, _ = w.Write([]byte("null"))
|
||||||
|
})
|
||||||
|
|
||||||
|
// stream mode: report the whole active set as "new" and anything removed as
|
||||||
|
// "deleted". Re-sending the same on every poll is harmless — the plugin just
|
||||||
|
// re-adds to / re-deletes from its cache.
|
||||||
|
mux.HandleFunc("/v1/decisions/stream", func(w http.ResponseWriter, _ *http.Request) {
|
||||||
|
mu.Lock()
|
||||||
|
defer mu.Unlock()
|
||||||
|
writeJSON(w, map[string][]Decision{"new": list(active), "deleted": list(deleted)})
|
||||||
|
})
|
||||||
|
|
||||||
|
// usage-metrics push: accept and ignore.
|
||||||
|
mux.HandleFunc("/v1/usage-metrics", func(w http.ResponseWriter, _ *http.Request) {
|
||||||
|
w.WriteHeader(http.StatusCreated)
|
||||||
|
})
|
||||||
|
|
||||||
|
// Test control plane: add / remove decisions instead of cscli.
|
||||||
|
mux.HandleFunc("/admin/decisions", func(_ http.ResponseWriter, r *http.Request) {
|
||||||
|
q := r.URL.Query()
|
||||||
|
ip := q.Get("ip")
|
||||||
|
mu.Lock()
|
||||||
|
defer mu.Unlock()
|
||||||
|
switch r.Method {
|
||||||
|
case http.MethodPost:
|
||||||
|
dtype := q.Get("type")
|
||||||
|
if dtype == "" {
|
||||||
|
dtype = "ban"
|
||||||
|
}
|
||||||
|
duration := q.Get("duration")
|
||||||
|
if duration == "" {
|
||||||
|
duration = "4h"
|
||||||
|
}
|
||||||
|
active[ip] = Decision{Value: ip, Type: dtype, Duration: duration}
|
||||||
|
delete(deleted, ip)
|
||||||
|
case http.MethodDelete:
|
||||||
|
if d, ok := active[ip]; ok {
|
||||||
|
deleted[ip] = d
|
||||||
|
delete(active, ip)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
})
|
||||||
|
|
||||||
|
log.Printf("mocklapi: LAPI on %s, backend on %s, appsec on %s", *lapiAddr, *backendAddr, *appsecAddr)
|
||||||
|
log.Fatal(http.ListenAndServe(*lapiAddr, mux))
|
||||||
|
}
|
||||||
@@ -0,0 +1,29 @@
|
|||||||
|
http:
|
||||||
|
routers:
|
||||||
|
r:
|
||||||
|
rule: "PathPrefix(`/foo`)"
|
||||||
|
entryPoints:
|
||||||
|
- web
|
||||||
|
service: backend
|
||||||
|
middlewares:
|
||||||
|
- bouncer
|
||||||
|
services:
|
||||||
|
backend:
|
||||||
|
loadBalancer:
|
||||||
|
servers:
|
||||||
|
- url: "@@BACKEND_URL@@"
|
||||||
|
middlewares:
|
||||||
|
bouncer:
|
||||||
|
plugin:
|
||||||
|
bouncer:
|
||||||
|
enabled: "true"
|
||||||
|
# IP bouncing disabled — this scenario exercises AppSec only.
|
||||||
|
crowdsecMode: none
|
||||||
|
crowdsecLapiScheme: http
|
||||||
|
crowdsecLapiHost: "@@LAPI_HOST@@"
|
||||||
|
crowdsecLapiKey: "@@APIKEY@@"
|
||||||
|
crowdsecAppsecEnabled: "true"
|
||||||
|
crowdsecAppsecScheme: http
|
||||||
|
crowdsecAppsecHost: "@@APPSEC_HOST@@"
|
||||||
|
forwardedHeadersTrustedIps:
|
||||||
|
- "127.0.0.1/32"
|
||||||
Executable
+23
@@ -0,0 +1,23 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
HERE="$(cd "$(dirname "$0")" && pwd)"
|
||||||
|
# shellcheck source=../../lib/common.sh
|
||||||
|
source "$HERE/../../lib/common.sh"
|
||||||
|
|
||||||
|
SCENARIO=appsec
|
||||||
|
|
||||||
|
# AppSec wiring check: the plugin forwards each request to the AppSec engine and
|
||||||
|
# enforces its verdict. The mock emulates one virtual-patching rule (block any
|
||||||
|
# URI containing "rpc2"), mirroring examples/appsec-enabled. This proves the
|
||||||
|
# plugin's AppSec path end to end (header forwarding + allow/block handling); it
|
||||||
|
# does not test the real WAF's detection accuracy.
|
||||||
|
body() {
|
||||||
|
echo "[$SCENARIO] benign request must pass (AppSec allows)"
|
||||||
|
assert_status "http://127.0.0.1:${WEB_PORT}/foo" 200 -H "X-Forwarded-For: 1.2.3.4"
|
||||||
|
|
||||||
|
echo "[$SCENARIO] request whose URI contains 'rpc2' must be blocked (AppSec 403)"
|
||||||
|
assert_status "http://127.0.0.1:${WEB_PORT}/foo/rpc2" 403 -H "X-Forwarded-For: 1.2.3.4"
|
||||||
|
}
|
||||||
|
|
||||||
|
run_scenario "$SCENARIO" "$HERE" body
|
||||||
@@ -0,0 +1,9 @@
|
|||||||
|
<!DOCTYPE html>
|
||||||
|
<html lang="en">
|
||||||
|
<head><meta charset="utf-8"><title>E2E captcha marker</title></head>
|
||||||
|
<body>
|
||||||
|
<h1 id="e2e-captcha-marker">E2E_CAPTCHA_PAGE_MARKER</h1>
|
||||||
|
<script src="{{ .FrontendJS }}"></script>
|
||||||
|
<div class="{{ .FrontendKey }}" data-sitekey="{{ .SiteKey }}"></div>
|
||||||
|
</body>
|
||||||
|
</html>
|
||||||
@@ -0,0 +1,33 @@
|
|||||||
|
http:
|
||||||
|
routers:
|
||||||
|
r:
|
||||||
|
rule: "PathPrefix(`/foo`)"
|
||||||
|
entryPoints:
|
||||||
|
- web
|
||||||
|
service: backend
|
||||||
|
middlewares:
|
||||||
|
- bouncer
|
||||||
|
services:
|
||||||
|
backend:
|
||||||
|
loadBalancer:
|
||||||
|
servers:
|
||||||
|
- url: "@@BACKEND_URL@@"
|
||||||
|
middlewares:
|
||||||
|
bouncer:
|
||||||
|
plugin:
|
||||||
|
bouncer:
|
||||||
|
enabled: "true"
|
||||||
|
crowdsecMode: stream
|
||||||
|
updateIntervalSeconds: "2"
|
||||||
|
crowdsecLapiScheme: http
|
||||||
|
crowdsecLapiHost: "@@LAPI_HOST@@"
|
||||||
|
crowdsecLapiKey: "@@APIKEY@@"
|
||||||
|
forwardedHeadersTrustedIps:
|
||||||
|
- "127.0.0.1/32"
|
||||||
|
captchaProvider: turnstile
|
||||||
|
# Cloudflare Turnstile public test keys: render a valid widget without
|
||||||
|
# contacting a real API key.
|
||||||
|
captchaSiteKey: "1x00000000000000000000AA"
|
||||||
|
captchaSecretKey: "1x0000000000000000000000000000000AA"
|
||||||
|
captchaHtmlFilePath: "@@SCENARIO_DIR@@/captcha.html"
|
||||||
|
captchaGracePeriodSeconds: "10"
|
||||||
Executable
+26
@@ -0,0 +1,26 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
HERE="$(cd "$(dirname "$0")" && pwd)"
|
||||||
|
# shellcheck source=../../lib/common.sh
|
||||||
|
source "$HERE/../../lib/common.sh"
|
||||||
|
|
||||||
|
SCENARIO=captcha
|
||||||
|
|
||||||
|
body() {
|
||||||
|
echo "[$SCENARIO] adding captcha decision for 1.2.3.4"
|
||||||
|
lapi_add_decision 1.2.3.4 captcha 5m
|
||||||
|
|
||||||
|
# Status stays 200 before/after (captcha page vs backend), so gate on the body
|
||||||
|
# marker appearing once the captcha decision has been polled.
|
||||||
|
echo "[$SCENARIO] captcha page must be served once the decision is polled (200 + marker)"
|
||||||
|
wait_for_body_contains "http://127.0.0.1:${WEB_PORT}/foo" "E2E_CAPTCHA_PAGE_MARKER" 15 -H "X-Forwarded-For: 1.2.3.4"
|
||||||
|
|
||||||
|
echo "[$SCENARIO] captcha response is HTTP 200 (the captcha page itself, not a 403)"
|
||||||
|
assert_status "http://127.0.0.1:${WEB_PORT}/foo" 200 -H "X-Forwarded-For: 1.2.3.4"
|
||||||
|
|
||||||
|
echo "[$SCENARIO] non-flagged IP must still pass through to the backend"
|
||||||
|
assert_status "http://127.0.0.1:${WEB_PORT}/foo" 200 -H "X-Forwarded-For: 5.6.7.8"
|
||||||
|
}
|
||||||
|
|
||||||
|
run_scenario "$SCENARIO" "$HERE" body
|
||||||
@@ -0,0 +1,8 @@
|
|||||||
|
<!DOCTYPE html>
|
||||||
|
<html lang="en">
|
||||||
|
<head><meta charset="utf-8"><title>E2E ban marker</title></head>
|
||||||
|
<body>
|
||||||
|
<h1 id="e2e-ban-marker">E2E_CUSTOM_BAN_PAGE_MARKER</h1>
|
||||||
|
<p>IP: {{ .ClientIP }} reason: {{ .RemediationReason }}</p>
|
||||||
|
</body>
|
||||||
|
</html>
|
||||||
@@ -0,0 +1,28 @@
|
|||||||
|
http:
|
||||||
|
routers:
|
||||||
|
r:
|
||||||
|
rule: "PathPrefix(`/foo`)"
|
||||||
|
entryPoints:
|
||||||
|
- web
|
||||||
|
service: backend
|
||||||
|
middlewares:
|
||||||
|
- bouncer
|
||||||
|
services:
|
||||||
|
backend:
|
||||||
|
loadBalancer:
|
||||||
|
servers:
|
||||||
|
- url: "@@BACKEND_URL@@"
|
||||||
|
middlewares:
|
||||||
|
bouncer:
|
||||||
|
plugin:
|
||||||
|
bouncer:
|
||||||
|
enabled: "true"
|
||||||
|
crowdsecMode: stream
|
||||||
|
updateIntervalSeconds: "2"
|
||||||
|
crowdsecLapiScheme: http
|
||||||
|
crowdsecLapiHost: "@@LAPI_HOST@@"
|
||||||
|
crowdsecLapiKey: "@@APIKEY@@"
|
||||||
|
forwardedHeadersTrustedIps:
|
||||||
|
- "127.0.0.1/32"
|
||||||
|
banHtmlFilePath: "@@SCENARIO_DIR@@/ban.html"
|
||||||
|
remediationHeadersCustomName: "X-E2E-Remediation"
|
||||||
+27
@@ -0,0 +1,27 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
HERE="$(cd "$(dirname "$0")" && pwd)"
|
||||||
|
# shellcheck source=../../lib/common.sh
|
||||||
|
source "$HERE/../../lib/common.sh"
|
||||||
|
|
||||||
|
SCENARIO=custom-ban-page
|
||||||
|
|
||||||
|
body() {
|
||||||
|
echo "[$SCENARIO] adding ban decision"
|
||||||
|
lapi_add_decision 1.2.3.4 ban 5m
|
||||||
|
|
||||||
|
echo "[$SCENARIO] banned response becomes 403 once the next stream poll lands"
|
||||||
|
wait_for_status "http://127.0.0.1:${WEB_PORT}/foo" 403 15 -H "X-Forwarded-For: 1.2.3.4"
|
||||||
|
|
||||||
|
echo "[$SCENARIO] banned response Content-Type is HTML"
|
||||||
|
assert_header "http://127.0.0.1:${WEB_PORT}/foo" Content-Type "text/html; charset=utf-8" -H "X-Forwarded-For: 1.2.3.4"
|
||||||
|
|
||||||
|
echo "[$SCENARIO] banned response body contains the custom marker"
|
||||||
|
assert_body_contains "http://127.0.0.1:${WEB_PORT}/foo" "E2E_CUSTOM_BAN_PAGE_MARKER" -H "X-Forwarded-For: 1.2.3.4"
|
||||||
|
|
||||||
|
echo "[$SCENARIO] banned response carries the custom remediation header (remediationHeadersCustomName)"
|
||||||
|
assert_header "http://127.0.0.1:${WEB_PORT}/foo" X-E2E-Remediation "ban" -H "X-Forwarded-For: 1.2.3.4"
|
||||||
|
}
|
||||||
|
|
||||||
|
run_scenario "$SCENARIO" "$HERE" body
|
||||||
@@ -0,0 +1,26 @@
|
|||||||
|
http:
|
||||||
|
routers:
|
||||||
|
r:
|
||||||
|
rule: "PathPrefix(`/foo`)"
|
||||||
|
entryPoints:
|
||||||
|
- web
|
||||||
|
service: backend
|
||||||
|
middlewares:
|
||||||
|
- bouncer
|
||||||
|
services:
|
||||||
|
backend:
|
||||||
|
loadBalancer:
|
||||||
|
servers:
|
||||||
|
- url: "@@BACKEND_URL@@"
|
||||||
|
middlewares:
|
||||||
|
bouncer:
|
||||||
|
plugin:
|
||||||
|
bouncer:
|
||||||
|
enabled: "true"
|
||||||
|
crowdsecMode: live
|
||||||
|
defaultDecisionSeconds: "2"
|
||||||
|
crowdsecLapiScheme: http
|
||||||
|
crowdsecLapiHost: "@@LAPI_HOST@@"
|
||||||
|
crowdsecLapiKey: "@@APIKEY@@"
|
||||||
|
forwardedHeadersTrustedIps:
|
||||||
|
- "127.0.0.1/32"
|
||||||
Executable
+26
@@ -0,0 +1,26 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
HERE="$(cd "$(dirname "$0")" && pwd)"
|
||||||
|
# shellcheck source=../../lib/common.sh
|
||||||
|
source "$HERE/../../lib/common.sh"
|
||||||
|
|
||||||
|
SCENARIO=live-mode
|
||||||
|
|
||||||
|
body() {
|
||||||
|
echo "[$SCENARIO] no decision -> first hit queries LAPI, returns 200, caches 'allowed' for 2s"
|
||||||
|
assert_status "http://127.0.0.1:${WEB_PORT}/foo" 200 -H "X-Forwarded-For: 1.2.3.4"
|
||||||
|
|
||||||
|
echo "[$SCENARIO] adding ban decision for 1.2.3.4"
|
||||||
|
lapi_add_decision 1.2.3.4 ban 5m
|
||||||
|
|
||||||
|
# Stays 200 until the cached 'allowed' (defaultDecisionSeconds) expires, then
|
||||||
|
# the re-query sees the ban — poll instead of guessing the cache TTL.
|
||||||
|
echo "[$SCENARIO] hit must turn 403 once the cached 'allowed' expires and LAPI is re-queried"
|
||||||
|
wait_for_status "http://127.0.0.1:${WEB_PORT}/foo" 403 15 -H "X-Forwarded-For: 1.2.3.4"
|
||||||
|
|
||||||
|
echo "[$SCENARIO] another non-banned IP must still pass"
|
||||||
|
assert_status "http://127.0.0.1:${WEB_PORT}/foo" 200 -H "X-Forwarded-For: 5.6.7.8"
|
||||||
|
}
|
||||||
|
|
||||||
|
run_scenario "$SCENARIO" "$HERE" body
|
||||||
@@ -0,0 +1,25 @@
|
|||||||
|
http:
|
||||||
|
routers:
|
||||||
|
r:
|
||||||
|
rule: "PathPrefix(`/foo`)"
|
||||||
|
entryPoints:
|
||||||
|
- web
|
||||||
|
service: backend
|
||||||
|
middlewares:
|
||||||
|
- bouncer
|
||||||
|
services:
|
||||||
|
backend:
|
||||||
|
loadBalancer:
|
||||||
|
servers:
|
||||||
|
- url: "@@BACKEND_URL@@"
|
||||||
|
middlewares:
|
||||||
|
bouncer:
|
||||||
|
plugin:
|
||||||
|
bouncer:
|
||||||
|
enabled: "true"
|
||||||
|
crowdsecMode: none
|
||||||
|
crowdsecLapiScheme: http
|
||||||
|
crowdsecLapiHost: "@@LAPI_HOST@@"
|
||||||
|
crowdsecLapiKey: "@@APIKEY@@"
|
||||||
|
forwardedHeadersTrustedIps:
|
||||||
|
- "127.0.0.1/32"
|
||||||
Executable
+27
@@ -0,0 +1,27 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
HERE="$(cd "$(dirname "$0")" && pwd)"
|
||||||
|
# shellcheck source=../../lib/common.sh
|
||||||
|
source "$HERE/../../lib/common.sh"
|
||||||
|
|
||||||
|
SCENARIO=none-mode
|
||||||
|
|
||||||
|
body() {
|
||||||
|
echo "[$SCENARIO] no decision -> request passes (LAPI queried per request)"
|
||||||
|
assert_status "http://127.0.0.1:${WEB_PORT}/foo" 200 -H "X-Forwarded-For: 1.2.3.4"
|
||||||
|
|
||||||
|
echo "[$SCENARIO] adding ban decision for 1.2.3.4"
|
||||||
|
lapi_add_decision 1.2.3.4 ban 5m
|
||||||
|
|
||||||
|
echo "[$SCENARIO] none mode has no cache -> next request must be blocked immediately"
|
||||||
|
assert_status "http://127.0.0.1:${WEB_PORT}/foo" 403 -H "X-Forwarded-For: 1.2.3.4"
|
||||||
|
|
||||||
|
echo "[$SCENARIO] deleting decision"
|
||||||
|
lapi_delete_decision 1.2.3.4
|
||||||
|
|
||||||
|
echo "[$SCENARIO] previously banned IP must pass again immediately"
|
||||||
|
assert_status "http://127.0.0.1:${WEB_PORT}/foo" 200 -H "X-Forwarded-For: 1.2.3.4"
|
||||||
|
}
|
||||||
|
|
||||||
|
run_scenario "$SCENARIO" "$HERE" body
|
||||||
@@ -0,0 +1,26 @@
|
|||||||
|
http:
|
||||||
|
routers:
|
||||||
|
r:
|
||||||
|
rule: "PathPrefix(`/foo`)"
|
||||||
|
entryPoints:
|
||||||
|
- web
|
||||||
|
service: backend
|
||||||
|
middlewares:
|
||||||
|
- bouncer
|
||||||
|
services:
|
||||||
|
backend:
|
||||||
|
loadBalancer:
|
||||||
|
servers:
|
||||||
|
- url: "@@BACKEND_URL@@"
|
||||||
|
middlewares:
|
||||||
|
bouncer:
|
||||||
|
plugin:
|
||||||
|
bouncer:
|
||||||
|
enabled: "true"
|
||||||
|
crowdsecMode: stream
|
||||||
|
updateIntervalSeconds: "2"
|
||||||
|
crowdsecLapiScheme: http
|
||||||
|
crowdsecLapiHost: "@@LAPI_HOST@@"
|
||||||
|
crowdsecLapiKey: "@@APIKEY@@"
|
||||||
|
forwardedHeadersTrustedIps:
|
||||||
|
- "127.0.0.1/32"
|
||||||
Executable
+30
@@ -0,0 +1,30 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
HERE="$(cd "$(dirname "$0")" && pwd)"
|
||||||
|
# shellcheck source=../../lib/common.sh
|
||||||
|
source "$HERE/../../lib/common.sh"
|
||||||
|
|
||||||
|
SCENARIO=stream-mode
|
||||||
|
|
||||||
|
body() {
|
||||||
|
echo "[$SCENARIO] no decision yet -> request allowed"
|
||||||
|
assert_status "http://127.0.0.1:${WEB_PORT}/foo" 200 -H "X-Forwarded-For: 1.2.3.4"
|
||||||
|
|
||||||
|
echo "[$SCENARIO] adding ban decision for 1.2.3.4"
|
||||||
|
lapi_add_decision 1.2.3.4 ban 5m
|
||||||
|
|
||||||
|
echo "[$SCENARIO] banned IP must be blocked once the next stream poll lands (HTTP 403)"
|
||||||
|
wait_for_status "http://127.0.0.1:${WEB_PORT}/foo" 403 15 -H "X-Forwarded-For: 1.2.3.4"
|
||||||
|
|
||||||
|
echo "[$SCENARIO] non-banned IP must still pass (HTTP 200)"
|
||||||
|
assert_status "http://127.0.0.1:${WEB_PORT}/foo" 200 -H "X-Forwarded-For: 5.6.7.8"
|
||||||
|
|
||||||
|
echo "[$SCENARIO] deleting ban decision"
|
||||||
|
lapi_delete_decision 1.2.3.4
|
||||||
|
|
||||||
|
echo "[$SCENARIO] previously banned IP must pass again once the deletion is polled"
|
||||||
|
wait_for_status "http://127.0.0.1:${WEB_PORT}/foo" 200 15 -H "X-Forwarded-For: 1.2.3.4"
|
||||||
|
}
|
||||||
|
|
||||||
|
run_scenario "$SCENARIO" "$HERE" body
|
||||||
@@ -0,0 +1,28 @@
|
|||||||
|
http:
|
||||||
|
routers:
|
||||||
|
r:
|
||||||
|
rule: "PathPrefix(`/foo`)"
|
||||||
|
entryPoints:
|
||||||
|
- web
|
||||||
|
service: backend
|
||||||
|
middlewares:
|
||||||
|
- bouncer
|
||||||
|
services:
|
||||||
|
backend:
|
||||||
|
loadBalancer:
|
||||||
|
servers:
|
||||||
|
- url: "@@BACKEND_URL@@"
|
||||||
|
middlewares:
|
||||||
|
bouncer:
|
||||||
|
plugin:
|
||||||
|
bouncer:
|
||||||
|
enabled: "true"
|
||||||
|
crowdsecMode: stream
|
||||||
|
updateIntervalSeconds: "2"
|
||||||
|
crowdsecLapiScheme: http
|
||||||
|
crowdsecLapiHost: "@@LAPI_HOST@@"
|
||||||
|
crowdsecLapiKey: "@@APIKEY@@"
|
||||||
|
forwardedHeadersTrustedIps:
|
||||||
|
- "127.0.0.1/32"
|
||||||
|
clientTrustedIps:
|
||||||
|
- "1.2.3.4/32"
|
||||||
Executable
+24
@@ -0,0 +1,24 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
HERE="$(cd "$(dirname "$0")" && pwd)"
|
||||||
|
# shellcheck source=../../lib/common.sh
|
||||||
|
source "$HERE/../../lib/common.sh"
|
||||||
|
|
||||||
|
SCENARIO=trusted-ips
|
||||||
|
|
||||||
|
body() {
|
||||||
|
echo "[$SCENARIO] banning the trusted IP 1.2.3.4 and an untrusted IP 5.6.7.8"
|
||||||
|
lapi_add_decision 1.2.3.4 ban 5m
|
||||||
|
lapi_add_decision 5.6.7.8 ban 5m
|
||||||
|
|
||||||
|
# The untrusted IP turning 403 is our signal that the bans have been polled;
|
||||||
|
# it also doubles as the control proving the bouncer is active.
|
||||||
|
echo "[$SCENARIO] untrusted banned IP must be blocked once the bans are polled (HTTP 403)"
|
||||||
|
wait_for_status "http://127.0.0.1:${WEB_PORT}/foo" 403 15 -H "X-Forwarded-For: 5.6.7.8"
|
||||||
|
|
||||||
|
echo "[$SCENARIO] trusted IP must bypass the bouncer even though it is banned"
|
||||||
|
assert_status "http://127.0.0.1:${WEB_PORT}/foo" 200 -H "X-Forwarded-For: 1.2.3.4"
|
||||||
|
}
|
||||||
|
|
||||||
|
run_scenario "$SCENARIO" "$HERE" body
|
||||||
Reference in New Issue
Block a user