ingress-nginx-helm/test/e2e/annotations/modsecurity/modsecurity.go

/*
Copyright 2018 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package modsecurity

import (
	"net/http"
	"strings"

	"github.com/onsi/ginkgo/v2"

	"k8s.io/ingress-nginx/test/e2e/framework"
)

const (
	modSecurityFooHost = "modsecurity.foo.com"
	defaultSnippet     = `SecRuleEngine On
		SecRequestBodyAccess On
		SecAuditEngine RelevantOnly
		SecAuditLogParts ABIJDEFHZ
		SecAuditLog /dev/stdout
		SecAuditLogType Serial
		SecRule REQUEST_HEADERS:User-Agent \"block-ua\" \"log,deny,id:107,status:403,msg:\'UA blocked\'\"`
)

var _ = framework.DescribeAnnotation("modsecurity owasp", func() {
	f := framework.NewDefaultFramework("modsecuritylocation")

	ginkgo.BeforeEach(func() {
		f.NewEchoDeployment()
	})

	ginkgo.It("should enable modsecurity", func() {
		host := modSecurityFooHost
		nameSpace := f.Namespace

		annotations := map[string]string{
			"nginx.ingress.kubernetes.io/enable-modsecurity": "true",
		}

		ing := framework.NewSingleIngress(host, "/", host, nameSpace, framework.EchoService, 80, annotations)
		f.EnsureIngress(ing)

		f.WaitForNginxServer(host,
			func(server string) bool {
				return strings.Contains(server, "modsecurity on;") &&
					strings.Contains(server, "modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;")
			})
	})

	ginkgo.It("should enable modsecurity with transaction ID and OWASP rules", func() {
		host := modSecurityFooHost
		nameSpace := f.Namespace

		annotations := map[string]string{
			"nginx.ingress.kubernetes.io/enable-modsecurity":         "true",
			"nginx.ingress.kubernetes.io/enable-owasp-core-rules":    "true",
			"nginx.ingress.kubernetes.io/modsecurity-transaction-id": "modsecurity-$request_id",
		}

		ing := framework.NewSingleIngress(host, "/", host, nameSpace, framework.EchoService, 80, annotations)
		f.EnsureIngress(ing)

		f.WaitForNginxServer(host,
			func(server string) bool {
				return strings.Contains(server, "modsecurity on;") &&
					strings.Contains(server, "modsecurity_rules_file /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf;") &&
					strings.Contains(server, "modsecurity_transaction_id \"modsecurity-$request_id\";")
			})
	})

	ginkgo.It("should disable modsecurity", func() {
		host := modSecurityFooHost
		nameSpace := f.Namespace

		annotations := map[string]string{
			"nginx.ingress.kubernetes.io/enable-modsecurity": "false",
		}

		ing := framework.NewSingleIngress(host, "/", host, nameSpace, framework.EchoService, 80, annotations)
		f.EnsureIngress(ing)

		f.WaitForNginxServer(host,
			func(server string) bool {
				return !strings.Contains(server, "modsecurity on;")
			})
	})

	ginkgo.It("should enable modsecurity with snippet", func() {
		f.SetNginxConfigMapData(map[string]string{
			"allow-snippet-annotations": "true",
		})
		defer func() {
			f.SetNginxConfigMapData(map[string]string{
				"allow-snippet-annotations": "false",
			})
		}()

		host := modSecurityFooHost
		nameSpace := f.Namespace

		annotations := map[string]string{
			"nginx.ingress.kubernetes.io/enable-modsecurity":  "true",
			"nginx.ingress.kubernetes.io/modsecurity-snippet": "SecRuleEngine On",
		}

		ing := framework.NewSingleIngress(host, "/", host, nameSpace, framework.EchoService, 80, annotations)
		f.EnsureIngress(ing)

		f.WaitForNginxServer(host,
			func(server string) bool {
				return strings.Contains(server, "modsecurity on;") &&
					strings.Contains(server, "SecRuleEngine On")
			})
	})

	ginkgo.It("should enable modsecurity without using 'modsecurity on;'", func() {
		f.SetNginxConfigMapData(map[string]string{
			"enable-modsecurity": "true",
		},
		)

		host := modSecurityFooHost
		nameSpace := f.Namespace

		annotations := map[string]string{
			"nginx.ingress.kubernetes.io/enable-modsecurity": "true",
		}

		ing := framework.NewSingleIngress(host, "/", host, nameSpace, framework.EchoService, 80, annotations)
		f.EnsureIngress(ing)

		f.WaitForNginxServer(host,
			func(server string) bool {
				return !strings.Contains(server, "modsecurity on;") &&
					!strings.Contains(server, "modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;")
			})
	})

	ginkgo.It("should disable modsecurity using 'modsecurity off;'", func() {
		f.SetNginxConfigMapData(map[string]string{
			"enable-modsecurity": "true",
		},
		)

		host := modSecurityFooHost
		nameSpace := f.Namespace

		annotations := map[string]string{
			"nginx.ingress.kubernetes.io/enable-modsecurity": "false",
		}

		ing := framework.NewSingleIngress(host, "/", host, nameSpace, framework.EchoService, 80, annotations)
		f.EnsureIngress(ing)

		f.WaitForNginxServer(host,
			func(server string) bool {
				return strings.Contains(server, "modsecurity off;")
			})
	})

	ginkgo.It("should enable modsecurity with snippet and block requests", func() {
		f.SetNginxConfigMapData(map[string]string{
			"allow-snippet-annotations": "true",
		})
		defer func() {
			f.SetNginxConfigMapData(map[string]string{
				"allow-snippet-annotations": "false",
			})
		}()

		host := modSecurityFooHost
		nameSpace := f.Namespace

		snippet := defaultSnippet

		annotations := map[string]string{
			"nginx.ingress.kubernetes.io/enable-modsecurity":  "true",
			"nginx.ingress.kubernetes.io/modsecurity-snippet": snippet,
		}
		f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "load_module, lua_package, _by_lua, location, root, {, }")
		// Sleep a while just to guarantee that the configmap is applied
		framework.Sleep()
		ing := framework.NewSingleIngress(host, "/", host, nameSpace, framework.EchoService, 80, annotations)
		f.EnsureIngress(ing)

		f.WaitForNginxServer(host,
			func(server string) bool {
				return strings.Contains(server, "modsecurity on;") &&
					strings.Contains(server, "SecRuleEngine On")
			})

		f.HTTPTestClient().
			GET("/").
			WithHeader("Host", host).
			WithHeader("User-Agent", "block-ua").
			Expect().
			Status(http.StatusForbidden)
	})

	ginkgo.It("should enable modsecurity globally and with modsecurity-snippet block requests", func() {
		f.SetNginxConfigMapData(map[string]string{
			"allow-snippet-annotations": "true",
		})
		defer func() {
			f.SetNginxConfigMapData(map[string]string{
				"allow-snippet-annotations": "false",
			})
		}()

		host := modSecurityFooHost
		nameSpace := f.Namespace

		snippet := defaultSnippet

		annotations := map[string]string{
			"nginx.ingress.kubernetes.io/modsecurity-snippet": snippet,
		}
		f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "load_module, lua_package, _by_lua, location, root, {, }")
		// Sleep a while just to guarantee that the configmap is applied
		framework.Sleep()
		ing := framework.NewSingleIngress(host, "/", host, nameSpace, framework.EchoService, 80, annotations)
		f.EnsureIngress(ing)

		f.UpdateNginxConfigMapData("enable-modsecurity", "true")

		f.WaitForNginxServer(host,
			func(server string) bool {
				return strings.Contains(server, "SecRuleEngine On")
			})

		f.HTTPTestClient().
			GET("/").
			WithHeader("Host", host).
			WithHeader("User-Agent", "block-ua").
			Expect().
			Status(http.StatusForbidden)
	})

	ginkgo.It("should enable modsecurity when enable-owasp-modsecurity-crs is set to true", func() {
		f.SetNginxConfigMapData(map[string]string{
			"allow-snippet-annotations":    "true",
			"enable-modsecurity":           "true",
			"enable-owasp-modsecurity-crs": "true",
		})
		defer func() {
			f.SetNginxConfigMapData(map[string]string{
				"allow-snippet-annotations": "false",
			})
		}()

		host := modSecurityFooHost
		nameSpace := f.Namespace

		snippet := defaultSnippet

		annotations := map[string]string{
			"nginx.ingress.kubernetes.io/modsecurity-snippet": snippet,
		}
		f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "load_module, lua_package, _by_lua, location, root, {, }")
		// Sleep a while just to guarantee that the configmap is applied
		framework.Sleep()
		ing := framework.NewSingleIngress(host, "/", host, nameSpace, framework.EchoService, 80, annotations)
		f.EnsureIngress(ing)

		f.WaitForNginxServer(host,
			func(server string) bool {
				return strings.Contains(server, "SecRuleEngine On")
			})

		f.HTTPTestClient().
			GET("/").
			WithHeader("Host", host).
			WithHeader("User-Agent", "block-ua").
			Expect().
			Status(http.StatusForbidden)
	})

	ginkgo.It("should enable modsecurity through the config map", func() {
		host := modSecurityFooHost
		nameSpace := f.Namespace

		snippet := `SecRequestBodyAccess On
		SecAuditEngine RelevantOnly
		SecAuditLogParts ABIJDEFHZ
		SecAuditLog /dev/stdout
		SecAuditLogType Serial
		SecRule REQUEST_HEADERS:User-Agent \"block-ua\" \"log,deny,id:107,status:403,msg:\'UA blocked\'\"`

		annotations := map[string]string{
			"nginx.ingress.kubernetes.io/modsecurity-snippet": snippet,
		}
		f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "load_module, lua_package, _by_lua, location, root, {, }")
		// Sleep a while just to guarantee that the configmap is applied
		framework.Sleep()
		ing := framework.NewSingleIngress(host, "/", host, nameSpace, framework.EchoService, 80, annotations)
		f.EnsureIngress(ing)

		expectedComment := "SecRuleEngine On"
		f.SetNginxConfigMapData(map[string]string{
			"allow-snippet-annotations":    "true",
			"enable-modsecurity":           "true",
			"enable-owasp-modsecurity-crs": "true",
			"modsecurity-snippet":          expectedComment,
		})
		defer func() {
			f.SetNginxConfigMapData(map[string]string{
				"allow-snippet-annotations": "false",
			})
		}()

		f.WaitForNginxServer(host,
			func(server string) bool {
				return strings.Contains(server, "SecRequestBodyAccess On")
			})

		f.HTTPTestClient().
			GET("/").
			WithHeader("Host", host).
			WithHeader("User-Agent", "block-ua").
			Expect().
			Status(http.StatusForbidden)
	})

	ginkgo.It("should enable modsecurity through the config map but ignore snippet as disabled by admin", func() {
		host := modSecurityFooHost
		nameSpace := f.Namespace

		snippet := `SecRequestBodyAccess On
		SecAuditEngine RelevantOnly
		SecAuditLogParts ABIJDEFHZ
		SecAuditLog /dev/stdout
		SecAuditLogType Serial
		SecRule REQUEST_HEADERS:User-Agent \"block-ua\" \"log,deny,id:107,status:403,msg:\'UA blocked\'\"`

		annotations := map[string]string{
			"nginx.ingress.kubernetes.io/modsecurity-snippet": snippet,
		}
		f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "load_module, lua_package, _by_lua, location, root, {, }")
		// Sleep a while just to guarantee that the configmap is applied
		framework.Sleep()
		ing := framework.NewSingleIngress(host, "/", host, nameSpace, framework.EchoService, 80, annotations)
		f.EnsureIngress(ing)

		expectedComment := "SecRuleEngine On"

		f.SetNginxConfigMapData(map[string]string{
			"enable-modsecurity":           "true",
			"enable-owasp-modsecurity-crs": "true",
			"allow-snippet-annotations":    "false",
			"modsecurity-snippet":          expectedComment,
		})

		f.WaitForNginxServer(host,
			func(server string) bool {
				return !strings.Contains(server, "block-ua")
			})

		f.HTTPTestClient().
			GET("/").
			WithHeader("Host", host).
			WithHeader("User-Agent", "block-ua").
			Expect().
			Status(http.StatusOK)
	})

	ginkgo.It("should disable default modsecurity conf setting when modsecurity-snippet is specified", func() {
		f.SetNginxConfigMapData(map[string]string{
			"allow-snippet-annotations": "true",
		})
		defer func() {
			f.SetNginxConfigMapData(map[string]string{
				"allow-snippet-annotations": "false",
			})
		}()
		host := modSecurityFooHost
		nameSpace := f.Namespace

		snippet := `SecRuleEngine On
		SecRequestBodyAccess On
		SecAuditEngine RelevantOnly
		SecAuditLogParts ABIJDEFHZ
		SecAuditLogType Concurrent
		SecAuditLog /var/tmp/modsec_audit.log
		SecAuditLogStorageDir /var/tmp/
		SecRule REQUEST_HEADERS:User-Agent \"block-ua\" \"log,deny,id:107,status:403,msg:\'UA blocked\'\"`

		annotations := map[string]string{
			"nginx.ingress.kubernetes.io/enable-modsecurity":  "true",
			"nginx.ingress.kubernetes.io/modsecurity-snippet": snippet,
		}
		f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "load_module, lua_package, _by_lua, location, root, {, }")
		// Sleep a while just to guarantee that the configmap is applied
		framework.Sleep()
		ing := framework.NewSingleIngress(host, "/", host, nameSpace, framework.EchoService, 80, annotations)
		f.EnsureIngress(ing)

		f.WaitForNginxServer(host,
			func(server string) bool {
				return !strings.Contains(server, "modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;") &&
					strings.Contains(server, "SecAuditLog /var/tmp/modsec_audit.log")
			})

		f.HTTPTestClient().
			GET("/").
			WithHeader("Host", host).
			WithHeader("User-Agent", "block-ua").
			Expect().
			Status(http.StatusForbidden)
	})
})