chore: roll updated crs v3.3 containers #665
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Verify Images | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| env: | |
| # sha256sum format: <hash><space><format (space for text)><file name> | |
| MODSECURITY_RECOMMENDED: "ccff8ba1f12428b34ff41960d8bf773dd9f62b9a7c77755247a027cb01896d4f modsecurity.conf-recommended" | |
| GO_FTW_VERSION: '1.3.0' | |
| jobs: | |
| prepare: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| targets: ${{ steps.generate.outputs.targets }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: List targets | |
| id: generate | |
| uses: docker/bake-action/subaction/list-targets@v4 | |
| - name: Check modsecurity recommended | |
| run: | | |
| curl -sSL https://raw.githubusercontent.com/owasp-modsecurity/ModSecurity/v3/master/modsecurity.conf-recommended -o modsecurity.conf-recommended | |
| echo '${{ env.MODSECURITY_RECOMMENDED }}' > sha256sum.txt | |
| sha256sum -c sha256sum.txt | |
| build: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - prepare | |
| strategy: | |
| matrix: | |
| target: ${{ fromJson(needs.prepare.outputs.targets) }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 1 | |
| # https://github.com/docker/setup-qemu-action | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| with: | |
| image: tonistiigi/binfmt:qemu-v9.2.0 | |
| # https://github.com/docker/setup-buildx-action | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| with: | |
| driver-opts: image=moby/buildkit:master | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build ${{ matrix.target }}-verification | |
| uses: docker/[email protected] | |
| with: | |
| files: | | |
| ./docker-bake.hcl | |
| targets: ${{ matrix.target }} | |
| # Build only linux/amd64 and tag the images as verification builds. | |
| # Create a tar archive and load the image into Docker. | |
| set: | | |
| *.platform=linux/amd64 | |
| ${{ matrix.target }}.tags=${{ matrix.target }}-verification | |
| *.output=type=docker,dest=${{ matrix.target }}-verification.tar | |
| *.output=type=docker | |
| push: false | |
| - name: Upload image artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ matrix.target }}-verification.tar | |
| path: ${{ matrix.target }}-verification.tar | |
| retention-days: 7 | |
| overwrite: true | |
| - name: Run ${{ matrix.target }} | |
| run: | | |
| # get the major version from the matrix.target | |
| # The targets end with `<major>-<minor>-<patch>`. | |
| CRS_VERSION="v$(awk -F'-' '{print $(NF-2)}' <<< ${{ matrix.target }})" | |
| . .github/workflows/configure-rules-for-test.sh \ | |
| "src/opt/modsecurity/configure-rules.${CRS_VERSION}.conf" \ | |
| README.md \ | |
| "${{ matrix.target }}.env" | |
| echo "Starting container ${{ matrix.target }}-verification" | |
| # The backend is a dummy | |
| docker run \ | |
| --pull "never" \ | |
| -d \ | |
| --name ${{ matrix.target }}-test \ | |
| --env-file "${{ matrix.target }}.env" \ | |
| -p 8080:8080 \ | |
| -e BACKEND=http://localhost:9999 \ | |
| "${{ matrix.target }}-verification" | |
| - name: Verify ${{ matrix.target }} | |
| run: | | |
| HOST_AND_PORT="localhost:8080" | |
| counter=10 | |
| while true; do | |
| printf "Checking whether container is running..." | |
| if [ $(docker inspect ${{ matrix.target }}-test --format='{{.State.Running}}') = 'true' ]; then | |
| echo "ok" | |
| printf "Trying to connect..." | |
| if curl -s --connect-timeout 5 --max-time 1 "${HOST_AND_PORT}" > /dev/null 2>&1; then | |
| echo "ok" | |
| break | |
| fi | |
| fi | |
| echo "failed" | |
| ((counter--)) | |
| if [ ${counter} -gt 0 ]; then | |
| echo "Will retry in 5 seconds" | |
| sleep 5 | |
| else | |
| printf "No more retries. Here's the log output from the container\n\n\n" | |
| docker logs ${{ matrix.target }}-test | |
| exit 1 | |
| fi | |
| done | |
| if grep -q "nginx"<<< "${{ matrix.target }}"; then | |
| printf "\n\n### nginx tests ###\n\n" | |
| printf "Storing headers for sample attack..." | |
| curl -s -D headers.txt -o /dev/null "${HOST_AND_PORT}/?test=../../etc/passwd" | |
| printf "...done\n\n\n" | |
| printf "Check status 403..." | |
| grep -q "HTTP/1.1 403 Forbidden" headers.txt | |
| printf "yes\n\n\n" | |
| printf "Check 'Access-Control-Allow-Origin' header..." | |
| grep -q "Access-Control-Allow-Origin: *" headers.txt | |
| printf "yes\n\n\n" | |
| printf "Check 'Access-Control-Max-Age' header..." | |
| grep -q "Access-Control-Max-Age: 3600" headers.txt | |
| printf "yes\n\n\n" | |
| printf "Check 'Access-Control-Allow-Methods' header..." | |
| grep -q "Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS" headers.txt | |
| printf "yes\n\n\n" | |
| printf "Check 'Access-Control-Allow-Headers'..." | |
| grep -q "Access-Control-Allow-Headers: *" headers.txt | |
| printf "yes\n\n\n" | |
| echo "### nginx tests - done ###" | |
| fi | |
| printf "\n\n### generic tests ###\n\n" | |
| echo "Test HTTP/2 upgrade..." | |
| curl -v --http2 --no-progress-meter -o /dev/null "${HOST_AND_PORT}" 2>&1 | tee out.txt | |
| grep -iP "< 101 Switching Protocols|< HTTP/2" < out.txt | tee out2.txt | |
| wc -l out2.txt | grep -qoP "\d+" | xargs -I % test % -eq 2 | |
| rm out*.txt | |
| printf "...yes\n\n\n" | |
| echo "Test HTTP/2 prior knowledge..." | |
| curl -v --http2-prior-knowledge --no-progress-meter -o /dev/null "${HOST_AND_PORT}" 2>&1 | tee out.txt | |
| grep -iq "< HTTP/2" out.txt | |
| grep -iqv "< 101 Switching Protocols" out.txt | |
| printf "...yes\n\n\n" | |
| echo "### generic tests - done ###" | |
| - name: Checkout CRS | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 1 | |
| repository: coreruleset/coreruleset | |
| path: crs | |
| - name: "Install go-ftw" | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| cd crs | |
| gh release download -R coreruleset/go-ftw "v${{ env.GO_FTW_VERSION }}" \ | |
| -p "ftw_${{ env.GO_FTW_VERSION }}_linux_amd64.tar.gz" -O - | tar -xzvf - ftw | |
| - name: Patch CRS compose file to use verification image | |
| run: | | |
| sed -i \ | |
| 's#image: owasp/modsecurity-crs:${{ contains(matrix.target, 'apache') && 'apache' || 'nginx' }}.*#image: ${{ matrix.target }}-verification#' \ | |
| crs/tests/docker-compose.yml | |
| - name: Run CRS tests for ${{ matrix.target }} | |
| # Log flushing isn't reliable enough for go-ftw (https://github.com/coreruleset/go-ftw/issues/473) | |
| if: ${{!contains(matrix.target, 'nginx-alpine')}} | |
| run: | | |
| cd crs | |
| modsec_version="${{ contains(matrix.target, 'apache') && 'modsec2-apache' || 'modsec3-nginx' }}" | |
| backend="${{ contains(matrix.target, 'apache') && 'httpd' || 'nginx' }}" | |
| mkdir -p "tests/logs/${modsec_version}/{nginx,apache2}" | |
| docker compose -f ./tests/docker-compose.yml up -d "${modsec_version}" | |
| sleep 10 | |
| docker compose -f ./tests/docker-compose.yml logs | |
| if ! [ "$(docker inspect ${modsec_version} --format='{{.State.Running}}')" = "true" ]; then | |
| echo "Web server failed to start. Aborting." | |
| exit 1 | |
| fi | |
| ./ftw check -d tests/regression/tests | |
| ./ftw run \ | |
| -d tests/regression/tests \ | |
| --log-file "tests/logs/${modsec_version}/error.log" \ | |
| --overrides "tests/regression/${backend}-overrides.yaml" \ | |
| --show-failures-only | |
| - name: Upload logs | |
| uses: actions/upload-artifact@v4 | |
| if: always() | |
| with: | |
| name: ${{ matrix.target }}-error.log | |
| path: "crs/tests/logs/${{ contains(matrix.target, 'apache') && 'modsec2-apache' || 'modsec3-nginx' }}/error.log" | |
| retention-days: 7 | |
| overwrite: true |