Updates CRS dependency (#96)

* updates crs dependency

* fix test, update lint

* update e2e attempt

* attempt to run CI with go 1.29

* tests: improves docs and assertion.

* chore: makes lint happy.

* Simplifies docker-compose, runs e2e directly from magefile

* updates caddy to 2.7.3, coraza to 3.0.3

---------

Co-authored-by: José Carlos Chávez <[email protected]>

.github/workflows/lint.yml

@@ -14,7 +14,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v3
         with:
-          go-version: v1.19.x
+          go-version: v1.20.x
           cache: true
 
       - run: go run mage.go lint

.github/workflows/nightly-caddy.yml

@@ -10,7 +10,7 @@ jobs:
   nightly-caddy:
     strategy:
       matrix:
-        go-version: [1.19.x]
+        go-version: [1.20.x]
         os: [ubuntu-latest]
         xcaddy-version: [v0.3.2]
     runs-on: ${{ matrix.os }}

.github/workflows/nightly-coraza.yml

@@ -10,7 +10,7 @@ jobs:
   nightly-coraza:
     strategy:
       matrix:
-        go-version: [1.19.x]
+        go-version: [1.20.x]
         os: [ubuntu-latest]
         xcaddy-version: [v0.3.2]
     runs-on: ${{ matrix.os }}

.github/workflows/tests.yml

@@ -16,7 +16,7 @@ jobs:
   test:
     strategy:
       matrix:
-        go-version: [1.19.x]
+        go-version: [1.20.x]
         os: [ubuntu-latest]
         xcaddy-version: [v0.3.2]
     runs-on: ${{ matrix.os }}

coraza_test.go

@@ -26,8 +26,9 @@ func TestPlugin(t *testing.T) {
 		t.Fatal(err)
 	}
 	res, _ := tester.AssertGetResponse(baseURL+"/test", 200, "test123")
-	if len(res.Header.Get("x-unique-id")) == 0 {
-		t.Error("X-Unique-Id header is not set")
+	// Comes from https://github.com/corazawaf/coraza-caddy/blob/5e8337/test.init.config#L17
+	if len(res.Header.Get("x-request-id")) == 0 {
+		t.Fatal("X-Request-Id header is not set")
 	}
 
 	time.Sleep(1 * time.Second)
@@ -105,7 +106,6 @@ func TestPostMultipart(t *testing.T) {
 		t.Fatal(err)
 	}
 	tester.AssertResponseCode(req, 200)
-
 	time.Sleep(1 * time.Second)
 }
 

e2e/Caddyfile

@@ -0,0 +1,29 @@
+{
+    debug
+    auto_https off
+    order coraza_waf first
+}
+
+:8080 {
+	coraza_waf {
+		load_owasp_crs
+		directives `
+			SecRuleEngine On
+			SecRequestBodyAccess On			
+			SecResponseBodyMimeType application/json
+			# Custom rule for Coraza config check (ensuring that these configs are used)
+			SecRule &REQUEST_HEADERS:coraza-e2e "@eq 0" "id:100,phase:1,deny,status:424,log,msg:'Coraza E2E - Missing header'"
+			# Custom rules for e2e testing
+			SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,t:lowercase,log,deny,status:403"
+			SecRule REQUEST_BODY "@rx maliciouspayload" "id:102,phase:2,t:lowercase,log,deny,status:403"
+			SecRule RESPONSE_HEADERS:pass "@rx leak" "id:103,phase:3,t:lowercase,log,deny,status:403"
+			SecRule RESPONSE_BODY "@contains responsebodycode" "id:104,phase:4,t:lowercase,log,deny,status:403"
+			# Custom rules mimicking the following CRS rules: 941100, 942100, 913100
+			SecRule ARGS_NAMES|ARGS "@detectXSS" "id:9411,phase:2,t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,log,deny,status:403"
+			SecRule ARGS_NAMES|ARGS "@detectSQLi" "id:9421,phase:2,t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,multiMatch,log,deny,status:403"
+			SecRule REQUEST_HEADERS:User-Agent "@pm grabber masscan" "id:9131,phase:1,t:none,log,deny,status:403"
+			SecResponseBodyAccess On
+		`
+	}
+	reverse_proxy {$HTTPBIN_HOST:localhost}:8081
+}

e2e/Dockerfile

@@ -1,6 +1,6 @@
 FROM debian
 
-COPY example/Caddyfile /etc/caddy/Caddyfile
+COPY e2e/Caddyfile /etc/caddy/Caddyfile
 
 COPY build/caddy-linux /usr/bin/caddy
 

e2e/docker-compose.yml

@@ -13,10 +13,5 @@ services:
       dockerfile: ./e2e/Dockerfile
     environment:
       - HTTPBIN_HOST=httpbin
-
-  tests:
-    depends_on:
-      - caddy
-    build:
-      context: ..
-      dockerfile: ./e2e/Dockerfile.curl
+    ports:
+      - 8080:8080