adding a testing tool and basic tests

docker-compose.yaml

@@ -2,6 +2,7 @@ version: '3'
 services:
 
   myapp:
+    container_name: myapp
     build: myapp
     image: myapp
 
@@ -11,8 +12,9 @@ services:
     image: configmanager
 
   proxy:
-    build: proxy
     container_name: proxy
+    build: proxy
+    image: proxy
     ports:
     - "8000:8000"
     depends_on:

tests/configmanagerDockerfile

@@ -0,0 +1,10 @@
+FROM node:21-alpine
+WORKDIR /app
+RUN npm install express
+RUN npm install hsts
+COPY ./server.js /app/server.js
+RUN mkdir /data
+COPY ./cad-default.json /data/cad-default.json
+COPY ./session-default.json /data/session-default.json
+# USER nobody
+CMD ["node", "server.js"]

tests/docker-compose.yaml

@@ -0,0 +1,19 @@
+version: '3'
+services:
+
+  myapp:
+    container_name: myapp
+    image: myapptest
+
+  config:
+    container_name: configmanager
+    image: configmanagertest
+
+  proxy:
+    container_name: proxy
+    image: proxytest
+    ports:
+    - "8000:8000"
+    depends_on:
+    - myapp
+

tests/myappDockerfile

@@ -0,0 +1,9 @@
+FROM node:21-alpine
+WORKDIR /usr/app
+RUN npm install express
+RUN npm install body-parser
+RUN npm install cookie-parser
+ADD myapp.js /usr/app/myapp.js
+USER nobody
+EXPOSE 3000
+CMD [ "node", "myapp.js" ]

tests/proxyDockerfile

@@ -0,0 +1,6 @@
+FROM envoyproxy/envoy:v1.29.2
+COPY ./envoy.yaml /etc/envoy.yaml
+COPY ./wasm/cloud-active-defense.wasm /var/local/lib/wasm/cloud-active-defense.wasm
+USER envoy
+CMD ["/usr/local/bin/envoy", "-c", "/etc/envoy.yaml", "--service-cluster", "proxy"]
+

tests/runtests.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+
+consoleoutput=docker-compose-logs.txt
+
+# Build test images
+docker build -f myappDockerfile -t myapptest ../myapp/
+docker build -f configmanagerDockerfile -t configmanagertest ../configmanager/
+docker build -f proxyDockerfile -t proxytest ../proxy/
+
+# Delete possible container conflicts
+docker rm -f myapp
+docker rm -f configmanager
+docker rm -f proxy
+
+# Start the application in demo mode
+docker-compose up -d
+
+# Wait for docker-compose to be ready (checking the logs)
+while :; do
+  status=`docker-compose logs | grep "wasm log: read new config"`
+  if [ "$status" == "" ]; then
+    sleep 1 # wait one second before checking again
+  else
+    break
+  fi
+done
+
+# Give some time to Envoy to deploy the config
+sleep 4
+
+# Run all tests
+for test_script in $(find ./tests -type f -name "*.sh")
+do
+  echo "NOW RUNNING TEST: $test_script"
+  bash "$test_script"
+done
+
+# Done!
+echo "ALL TESTS COMPLETED" 
+
+# Cleanup
+docker-compose down
+rm $consoleoutput
+

tests/tests/check-default-config.sh

@@ -0,0 +1,23 @@
+# check if the default config is working
+# (e.g. checks that the HTTP Response header 'x-cloud-active-defense' is set)
+
+tempfile=`uuidgen -r`
+
+# Do relevant action(s)
+curl -v http://localhost:8000 >$tempfile 2>&1
+
+# check INJECTION (in $tempfile)
+status=`grep "< x-cloud-active-defense: ACTIVE" $tempfile`
+
+# check DETECTION (in docker logs)
+
+# output result
+if [ "$status" == "" ]; then
+  echo -e "\033[0;31mFAIL\033[0m"
+else
+  echo -e "\033[0;32mPASS\033[0m"
+fi
+
+# cleanup
+rm $tempfile
+

tests/tests/detectURL.sh

@@ -0,0 +1,52 @@
+# test simple detection in URL (first README.md decoy)
+
+config='
+{
+  "filters": [
+    {
+      "decoy": {
+        "key": "forbidden"
+      },
+      "detect": {
+        "seek": {
+          "inRequest": ".*",
+          "withVerb": "GET",
+          "in": "url"
+        },
+        "alert": {
+          "severity": "LOW",
+          "whenSeen": true
+        }
+      }
+    }
+  ]
+}
+'
+
+# Do relevant action(s)
+# connect to configmanager, update /data/cad-default.json
+echo "$config" | docker exec -i configmanager sh -c 'cat > /data/cad-default.json'
+# wait a few seconds for the proxy to read the new config
+sleep 5
+
+# trigger decoy by visiting /forbidden
+tempfile=`uuidgen -r`
+curl -v http://localhost:8000/forbidden >$tempfile 2>&1
+# give some time for the alert to be sent to the console
+sleep 2
+
+# check INJECTION (in $tempfile)
+
+# check DETECTION (in docker logs)
+status=`docker-compose logs | grep '"DecoyKey": "forbidden",'`
+
+# output result
+if [ "$status" == "" ]; then
+  echo -e "\033[0;31mFAIL\033[0m"
+else
+  echo -e "\033[0;32mPASS\033[0m"
+fi
+
+# cleanup
+rm $tempfile
+