Fix the ability to disable ModSecurity at location level

- Adds 'modsecurity off;' to the nginx config if the 'enable-modsecurity' annotation is set to false. - Update tests and e2e tests accordingly Signed-off-by: Bhavin Gandhi <bhavin7392@gmail.com>
2020-03-22 01:05:07 +05:30 · 2020-03-22 01:05:07 +05:30 · 380ef3a92c
commit 380ef3a92c
parent 8f4d5f8b34
5 changed files with 84 additions and 27 deletions
--- a/test/e2e/annotations/modsecurity.go
+++ b/test/e2e/annotations/modsecurity.go
@ -104,4 +104,48 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() {
 					strings.Contains(server, "SecRuleEngine On")
 			})
 	})
+
+	ginkgo.It("should enable modsecurity without using 'modsecurity on;'", func() {
+		f.SetNginxConfigMapData(map[string]string{
+			"enable-modsecurity": "true"},
+		)
+
+		host := "modsecurity.foo.com"
+		nameSpace := f.Namespace
+
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/enable-modsecurity": "true",
+		}
+
+		ing := framework.NewSingleIngress(host, "/", host, nameSpace, framework.EchoService, 80, annotations)
+		f.EnsureIngress(ing)
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return !strings.Contains(server, "modsecurity on;") &&
+					!strings.Contains(server, "modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;")
+			})
+	})
+
+	ginkgo.It("should disable modsecurity using 'modsecurity off;'", func() {
+		f.SetNginxConfigMapData(map[string]string{
+			"enable-modsecurity": "true"},
+		)
+
+		host := "modsecurity.foo.com"
+		nameSpace := f.Namespace
+
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/enable-modsecurity": "false",
+		}
+
+		ing := framework.NewSingleIngress(host, "/", host, nameSpace, framework.EchoService, 80, annotations)
+		f.EnsureIngress(ing)
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return strings.Contains(server, "modsecurity off;")
+			})
+	})
+
 })