extra waf rules per ingress (#2315)

* extra waf rules per ingress * document annotation nginx.ingress.kubernetes.io/lua-resty-waf-extra-rules * regenerate internal/file/bindata.go
2018-04-09 06:14:30 -04:00 · 2018-04-09 06:14:30 -04:00 · bad8295a42
commit bad8295a42
parent 16faf309ca
5 changed files with 67 additions and 8 deletions
--- a/docs/user-guide/annotations.md
+++ b/docs/user-guide/annotations.md
@ -69,6 +69,7 @@ The following annotations are supported:
 |[nginx.ingress.kubernetes.io/lua-resty-waf](#lua-resty-waf)|"true" or "false"|
 |[nginx.ingress.kubernetes.io/lua-resty-waf-debug](#lua-resty-waf)|"true" or "false"|
 |[nginx.ingress.kubernetes.io/lua-resty-waf-ignore-rulesets](#lua-resty-waf)|string|
+|[nginx.ingress.kubernetes.io/lua-resty-waf-extra-rules](#lua-resty-waf)|string|

 **Note:** all the values must be a string. In case of booleans or number it must be quoted.

@ -486,3 +487,13 @@ nginx.ingress.kubernetes.io/lua-resty-waf-ignore-rulesets: "41000_sqli, 42000_xs
 ```

 will ignore the two mentioned rulesets.
+
+It is also possible to configure custom WAF rules per ingress using `nginx.ingress.kubernetes.io/lua-resty-waf-extra-rules` annotation. For an example the following snippet will
+configure a WAF rule to deny requests with query string value that contains word `foo`:
+
+
+```yaml
+nginx.ingress.kubernetes.io/lua-resty-waf-extra-rules: '[=[ { "access": [ { "actions": { "disrupt" : "DENY" }, "id": 10001, "msg": "my custom rule", "operator": "STR_CONTAINS", "pattern": "foo", "vars": [ { "parse": [ "values", 1 ], "type": "REQUEST_ARGS" } ] } ], "body_filter": [], "header_filter":[] } ]=]'
+```
+
+For details on how to write WAF rules, please refer to https://github.com/p0pr0ck5/lua-resty-waf.
--- a/internal/file/bindata.go
+++ b/internal/file/bindata.go
--- a/internal/ingress/annotations/luarestywaf/main.go
+++ b/internal/ingress/annotations/luarestywaf/main.go
@ -31,6 +31,7 @@ type Config struct {
 	Enabled            bool     `json:"enabled"`
 	Debug              bool     `json:"debug"`
 	IgnoredRuleSets    []string `json: "ignored-rulesets"`
+	ExtraRulesetString string   `json: "extra-ruleset-string"`
 }

 // Equal tests for equality between two Config types
@ -50,6 +51,9 @@ func (e1 *Config) Equal(e2 *Config) bool {
 	if !reflect.DeepEqual(e1.IgnoredRuleSets, e2.IgnoredRuleSets) {
 		return false
 	}
+	if e1.ExtraRulesetString != e2.ExtraRulesetString {
+		return false
+	}

 	return true
 }
@ -80,9 +84,13 @@ func (a luarestywaf) Parse(ing *extensions.Ingress) (interface{}, error) {
 		return strC == "," || strC == " "
 	})

+	// TODO(elvinefendi) maybe validate the ruleset string here
+	extraRulesetString, _ := parser.GetStringAnnotation("lua-resty-waf-extra-rules", ing)
+
 	return &Config{
 		Enabled:            enabled,
 		Debug:              debug,
 		IgnoredRuleSets:    ignoredRuleSets,
+		ExtraRulesetString: extraRulesetString,
 	}, nil
 }
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@ -839,6 +839,10 @@ stream {
                waf:set_option("ignore_ruleset", "{{ $ruleset }}")
                {{ end }}

+                {{ if gt (len $location.LuaRestyWAF.ExtraRulesetString) 0 }}
+                waf:set_option("add_ruleset_string", "10000_extra_rules", {{ $location.LuaRestyWAF.ExtraRulesetString }})
+                {{ end }}
+
                waf:exec()
            }
            header_filter_by_lua_block {
--- a/test/e2e/annotations/luarestywaf.go
+++ b/test/e2e/annotations/luarestywaf.go
@ -68,8 +68,44 @@ var _ = framework.IngressNginxDescribe("Annotations - lua-resty-waf", func() {
 			Expect(len(errs)).Should(Equal(0))
 			Expect(resp.StatusCode).Should(Equal(http.StatusOK))
 		})
+		It("should apply configured extra rules", func() {
+			host := "foo"
+			createIngress(f, host, map[string]string{
+				"nginx.ingress.kubernetes.io/lua-resty-waf": "true",
+				"nginx.ingress.kubernetes.io/lua-resty-waf-extra-rules": `[=[
+					{ "access": [
+							{ "actions": { "disrupt" : "DENY" },
+							"id": 10001,
+							"msg": "my custom rule",
+							"operator": "STR_CONTAINS",
+							"pattern": "foo",
+							"vars": [ { "parse": [ "values", 1 ], "type": "REQUEST_ARGS" } ] }
+						],
+						"body_filter": [],
+						"header_filter":[]
+					}
+				]=]`,
 			})

+			url := fmt.Sprintf("%s?msg=my-message", f.NginxHTTPURL)
+			resp, _, errs := gorequest.New().
+				Get(url).
+				Set("Host", host).
+				End()
+
+			Expect(len(errs)).Should(Equal(0))
+			Expect(resp.StatusCode).Should(Equal(http.StatusOK))
+
+			url = fmt.Sprintf("%s?msg=my-foo-message", f.NginxHTTPURL)
+			resp, _, errs = gorequest.New().
+				Get(url).
+				Set("Host", host).
+				End()
+
+			Expect(len(errs)).Should(Equal(0))
+			Expect(resp.StatusCode).Should(Equal(http.StatusForbidden))
+		})
+	})
 	Context("when lua-resty-waf is not enabled", func() {
 		It("should return 200 even for a malicious request", func() {
 			host := "foo"