Allows ModSecurity to be configured per location

The following annotations will be added: - enable-modsecurity - enable-owasp-core-rules - modsecurity-transaction-id Fixes #3167
2018-11-03 23:14:27 -05:00 · 2018-11-03 23:14:27 -05:00 · 5195600841
commit 5195600841
parent 17cad51e47
9 changed files with 307 additions and 7 deletions
--- a/test/e2e/annotations/modsecurity.go
+++ b/test/e2e/annotations/modsecurity.go
@ -0,0 +1,98 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package annotations
+
+import (
+	"strings"
+
+	. "github.com/onsi/ginkgo"
+	"k8s.io/ingress-nginx/test/e2e/framework"
+)
+
+var _ = framework.IngressNginxDescribe("Annotations - ModSecurityLocation", func() {
+	f := framework.NewDefaultFramework("modsecuritylocation")
+
+	BeforeEach(func() {
+		f.NewEchoDeployment()
+	})
+
+	AfterEach(func() {
+		f.UpdateNginxConfigMapData("enable-modsecurity", "false")
+	})
+
+	It("should enable modsecurity", func() {
+		host := "modsecurity.foo.com"
+		nameSpace := f.IngressController.Namespace
+
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/enable-modsecurity": "true",
+		}
+
+		f.UpdateNginxConfigMapData("enable-modsecurity", "true")
+
+		ing := framework.NewSingleIngress(host, "/", host, nameSpace, "http-svc", 80, &annotations)
+		f.EnsureIngress(ing)
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return strings.Contains(server, "modsecurity on;") &&
+					strings.Contains(server, "modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;")
+			})
+	})
+
+	It("should enable modsecurity with transaction ID and OWASP rules", func() {
+		host := "modsecurity.foo.com"
+		nameSpace := f.IngressController.Namespace
+
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/enable-modsecurity":         "true",
+			"nginx.ingress.kubernetes.io/enable-owasp-core-rules":    "true",
+			"nginx.ingress.kubernetes.io/modsecurity-transaction-id": "modsecurity-$request_id",
+		}
+
+		f.UpdateNginxConfigMapData("enable-modsecurity", "true")
+
+		ing := framework.NewSingleIngress(host, "/", host, nameSpace, "http-svc", 80, &annotations)
+		f.EnsureIngress(ing)
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return strings.Contains(server, "modsecurity on;") &&
+					strings.Contains(server, "modsecurity_rules_file /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf;") &&
+					strings.Contains(server, "modsecurity_transaction_id \"modsecurity-$request_id\";")
+			})
+	})
+
+	It("should disable modsecurity", func() {
+		host := "modsecurity.foo.com"
+		nameSpace := f.IngressController.Namespace
+
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/enable-modsecurity": "false",
+		}
+
+		f.UpdateNginxConfigMapData("enable-modsecurity", "false")
+
+		ing := framework.NewSingleIngress(host, "/", host, nameSpace, "http-svc", 80, &annotations)
+		f.EnsureIngress(ing)
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return !strings.Contains(server, "modsecurity on;")
+			})
+	})
+})