adding a testing tool and basic tests
Cedric HEBERT
committed
Apr 5, 2024
1 parent
20c557a
commit bb8629e
Showing
8 changed files
with
166 additions
and
1 deletion.
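--- /dev/null
+++ b/PATH-NOT-SHOWN/configmanagerDockerfile
@@ -0,0 +1,10 @@
+FROM node:21-alpine
+WORKDIR /app
+RUN npm install express
+RUN npm install hsts
+COPY ./server.js /app/server.js
+RUN mkdir /data
+COPY ./cad-default.json /data/cad-default.json
+COPY ./session-default.json /data/session-default.json
+# USER nobody
+CMD ["node", "server.js"]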
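Review bot: The config manager ends up running as root because `USER nobody` is left commented out, which is the wrong default for the service that hands the proxy its active-defense configuration. Presumably it was disabled because `RUN mkdir /data` leaves the directory root-owned and `nobody` could not write to it; the decoy test's `docker exec -i configmanager sh -c 'cat > /data/cad-default.json'` runs as root regardless of `USER`, so re-enabling it should not break the tests. Suggested change: `RUN mkdir /data && chown nobody:nobody /data`, `COPY --chown=nobody:nobody` for the two JSON files, and `USER nobody` uncommented between the last `COPY` and `CMD`. The two unpinned `npm install` lines have the same reproducibility problem raised on the myapp Dockerfile in this commit.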
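--- /dev/null
+++ b/PATH-NOT-SHOWN/docker-compose.yml
@@ -0,0 +1,19 @@
+version: '3'
+services:
+
+myapp:
+container_name: myapp
+image: myapptest
+
+config:
+container_name: configmanager
+image: configmanagertest
+
+proxy:
+container_name: proxy
+image: proxytest
+ports:
+- "8000:8000"
+depends_on:
+- myapp
+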
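Review bot: `proxy` lists only `myapp` under `depends_on`, yet the runner in this commit waits for the proxy to log `wasm log: read new config`, which suggests the proxy also pulls its configuration from the `config` service; adding `- config` there (and, if the services expose a cheap probe, a `healthcheck` with `condition: service_healthy`) makes that startup dependency explicit instead of leaving it to the retry loop. Compose v2 treats `version: '3'` as obsolete and warns about it on every invocation, so the line can be dropped. The fixed `container_name` values are the reason the runner has to `docker rm -f` stale containers before each run; letting Compose name them would remove that step.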
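--- /dev/null
+++ b/PATH-NOT-SHOWN/myappDockerfile
@@ -0,0 +1,9 @@
+FROM node:21-alpine
+WORKDIR /usr/app
+RUN npm install express
+RUN npm install body-parser
+RUN npm install cookie-parser
+ADD myapp.js /usr/app/myapp.js
+USER nobody
+EXPOSE 3000
+CMD [ "node", "myapp.js" ]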
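Review bot: `ADD myapp.js /usr/app/myapp.js` should be `COPY myapp.js /usr/app/myapp.js`; `ADD` carries URL-fetch and archive-extraction behaviour that a plain local file does not need, and linters flag it (hadolint DL3020). The three separate `npm install <pkg>` steps resolve to whatever versions are current at build time, so the test image is not reproducible and a transitive dependency update can change results between runs; copying a `package.json`/`package-lock.json` and running `npm ci` would pin them, and the same applies to the `express`/`hsts` installs in the configmanager Dockerfile of this commit. `node:21-alpine` is an odd-numbered, short-support release line; an LTS tag such as `node:20-alpine` keeps receiving security fixes for longer.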
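--- /dev/null
+++ b/PATH-NOT-SHOWN/proxyDockerfile
@@ -0,0 +1,6 @@
+FROM envoyproxy/envoy:v1.29.2
+COPY ./envoy.yaml /etc/envoy.yaml
+COPY ./wasm/cloud-active-defense.wasm /var/local/lib/wasm/cloud-active-defense.wasm
+USER envoy
+CMD ["/usr/local/bin/envoy", "-c", "/etc/envoy.yaml", "--service-cluster", "proxy"]
+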
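Review bot: `./wasm/cloud-active-defense.wasm` goes into the image with no integrity check, and that module is the component that actually enforces the decoys; its build step is not visible in this commit, so a stale or tampered artifact in the context would ship silently. Committing its SHA-256 next to it and verifying in the build (`COPY` the `.sha256` alongside and `RUN sha256sum -c` in the same step, or `ADD --checksum=sha256:…` if it is ever fetched remotely) would turn that into a build failure. A one-line comment above the `COPY` naming where the `.wasm` is produced would help the next reader. The rest is in good shape: pinned base tag, `USER envoy`, exec-form `CMD`.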
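--- /dev/null
+++ b/PATH-NOT-SHOWN/test-runner.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+consoleoutput=docker-compose-logs.txt
+
+# Build test images
+docker build -f myappDockerfile -t myapptest ../myapp/
+docker build -f configmanagerDockerfile -t configmanagertest ../configmanager/
+docker build -f proxyDockerfile -t proxytest ../proxy/
+
+# Delete possible container conflicts
+docker rm -f myapp
+docker rm -f configmanager
+docker rm -f proxy
+
+# Start the application in demo mode
+docker-compose up -d
+
+# Wait for docker-compose to be ready (checking the logs)
+while :; do
+status=`docker-compose logs | grep "wasm log: read new config"`
+if [ "$status" == "" ]; then
+sleep 1 # wait one second before checking again
+else
+break
+fi
+done
+
+# Give some time to Envoy to deploy the config
+sleep 4
+
+# Run all tests
+for test_script in $(find ./tests -type f -name "*.sh")
+do
+echo "NOW RUNNING TEST: $test_script"
+bash "$test_script"
+done
+
+# Done!
+echo "ALL TESTS COMPLETED"
+
+# Cleanup
+docker-compose down
+rm $consoleoutput
+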
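Review bot: The `while :; do` readiness loop has no upper bound, so if the proxy never logs `wasm log: read new config` (a failed image build above it, a wasm module that fails on load) the runner hangs forever instead of reporting a failure, and nothing checks the three `docker build` exit codes either since the script never sets `set -e`. Two smaller problems in the same file: `$(find ./tests …)` returns files in an unspecified order although the tests are order-sensitive (the decoy test rewrites the shared config in the configmanager container), and `rm $consoleoutput` at the end removes a file that nothing in the script ever writes. The rewrite below bounds the wait, iterates `./tests/*.sh` in sorted glob order, saves the compose logs to `$consoleoutput` before tearing down, and exits non-zero when a test fails; that last part only takes effect once the test scripts themselves exit 1 on FAIL, which they currently do not.
```shell
# … unchanged: consoleoutput=, docker build, docker rm -f, docker-compose up -d …

# Wait for the proxy to report a loaded config, but give up after a bounded time
wait_s=120
while ! docker-compose logs 2>/dev/null | grep -q "wasm log: read new config"; do
    if [ "$wait_s" -le 0 ]; then
        echo "proxy never logged 'wasm log: read new config'" >&2
        docker-compose logs > "$consoleoutput"
        docker-compose down
        exit 1
    fi
    sleep 1 # wait one second before checking again
    wait_s=$((wait_s - 1))
done

# … unchanged: sleep 4 …

# Run all tests in a stable (sorted) order; remember whether any of them failed
failed=0
for test_script in ./tests/*.sh
do
    echo "NOW RUNNING TEST: $test_script"
    bash "$test_script" || failed=1
done

# … unchanged: echo "ALL TESTS COMPLETED" …

# Keep the logs for post-mortem, then tear down and report the overall status
docker-compose logs > "$consoleoutput"
docker-compose down
exit "$failed"
```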
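--- /dev/null
+++ b/PATH-NOT-SHOWN/tests/NAME-NOT-SHOWN-default-config.sh
@@ -0,0 +1,23 @@
+# check if the default config is working
+# (e.g. checks that the HTTP Response header 'x-cloud-active-defense' is set)
+
+tempfile=`uuidgen -r`
+
+# Do relevant action(s)
+curl -v http://localhost:8000 >$tempfile 2>&1
+
+# check INJECTION (in $tempfile)
+status=`grep "< x-cloud-active-defense: ACTIVE" $tempfile`
+
+# check DETECTION (in docker logs)
+
+# output result
+if [ "$status" == "" ]; then
+echo -e "\033[0;31mFAIL\033[0m"
+else
+echo -e "\033[0;32mPASS\033[0m"
+fi
+
+# cleanup
+rm $tempfile
+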
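Review bot: `tempfile=\`uuidgen -r\`` drops the curl transcript into a randomly named file in the current directory rather than a temp directory, and if `uuidgen` is absent it leaves `tempfile` empty, turning the later redirect and `rm $tempfile` into errors; `tempfile=$(mktemp)` and `rm -f "$tempfile"` are the safe forms. The FAIL branch prints red text but the script still exits 0 (the last command is `rm`), so a runner cannot tell a failed test from a passing one; `rm -f "$tempfile"; exit 1` in the FAIL branch fixes that. The `# check DETECTION (in docker logs)` heading has nothing under it; either add the log check or drop the heading so it is not read as a check that passed. The same `uuidgen`/exit-status points apply to the URL-decoy test in this commit.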
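--- /dev/null
+++ b/PATH-NOT-SHOWN/tests/NAME-NOT-SHOWN-url-decoy.sh
@@ -0,0 +1,52 @@
+# test simple detection in URL (first README.md decoy)
+
+config='
+{
+"filters": [
+{
+"decoy": {
+"key": "forbidden"
+},
+"detect": {
+"seek": {
+"inRequest": ".*",
+"withVerb": "GET",
+"in": "url"
+},
+"alert": {
+"severity": "LOW",
+"whenSeen": true
+}
+}
+}
+]
+}
+'
+
+# Do relevant action(s)
+# connect to configmanager, update /data/cad-default.json
+echo "$config" | docker exec -i configmanager sh -c 'cat > /data/cad-default.json'
+# wait a few seconds for the proxy to read the new config
+sleep 5
+
+# trigger decoy by visiting /forbidden
+tempfile=`uuidgen -r`
+curl -v http://localhost:8000/forbidden >$tempfile 2>&1
+# give some time for the alert to be sent to the console
+sleep 2
+
+# check INJECTION (in $tempfile)
+
+# check DETECTION (in docker logs)
+status=`docker-compose logs | grep '"DecoyKey": "forbidden",'`
+
+# output result
+if [ "$status" == "" ]; then
+echo -e "\033[0;31mFAIL\033[0m"
+else
+echo -e "\033[0;32mPASS\033[0m"
+fi
+
+# cleanup
+rm $tempfile
+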
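Review bot: The test overwrites `/data/cad-default.json` inside the `configmanager` container and never restores it, so every test that runs after it — in whatever order `find` happens to return them — sees this single-decoy filter set instead of the shipped defaults, and the default-config test in this commit, which checks the `x-cloud-active-defense: ACTIVE` header the default config is expected to provide, may pass or fail depending on ordering. Save the original before pushing the new one, `orig=$(mktemp); docker exec configmanager cat /data/cad-default.json > "$orig"`, and after the assertion put it back with `docker exec -i configmanager sh -c 'cat > /data/cad-default.json' < "$orig"`. The detection check greps the entire compose log history for `"DecoyKey": "forbidden",`, so an alert left over from an earlier run of this test within the same `docker-compose up` session would satisfy it; taking `grep -c` counts before and after the `curl` and comparing them isolates this run. As in the default-config test, `uuidgen -r` should be `mktemp` and the FAIL branch should `exit 1` after cleanup so the runner can see the failure.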