Enable security features by default (#11819)

2024-08-23 00:45:51 -03:00 · 2024-08-23 00:45:51 -03:00 · 7b4e4e2fa1
commit 7b4e4e2fa1
parent b79551287e
28 changed files with 103 additions and 262 deletions
--- a/test/e2e/annotations/modsecurity/modsecurity.go
+++ b/test/e2e/annotations/modsecurity/modsecurity.go
@ -100,14 +100,8 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() {
 	})

 	ginkgo.It("should enable modsecurity with snippet", func() {
-		f.SetNginxConfigMapData(map[string]string{
-			"allow-snippet-annotations": "true",
-		})
-		defer func() {
-			f.SetNginxConfigMapData(map[string]string{
-				"allow-snippet-annotations": "false",
-			})
-		}()
+		disableSnippet := f.AllowSnippetConfiguration()
+		defer disableSnippet()

 		host := modSecurityFooHost
 		nameSpace := f.Namespace
@ -173,14 +167,8 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() {
 	})

 	ginkgo.It("should enable modsecurity with snippet and block requests", func() {
-		f.SetNginxConfigMapData(map[string]string{
-			"allow-snippet-annotations": "true",
-		})
-		defer func() {
-			f.SetNginxConfigMapData(map[string]string{
-				"allow-snippet-annotations": "false",
-			})
-		}()
+		disableSnippet := f.AllowSnippetConfiguration()
+		defer disableSnippet()

 		host := modSecurityFooHost
 		nameSpace := f.Namespace
@ -212,14 +200,8 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() {
 	})

 	ginkgo.It("should enable modsecurity globally and with modsecurity-snippet block requests", func() {
-		f.SetNginxConfigMapData(map[string]string{
-			"allow-snippet-annotations": "true",
-		})
-		defer func() {
-			f.SetNginxConfigMapData(map[string]string{
-				"allow-snippet-annotations": "false",
-			})
-		}()
+		disableSnippet := f.AllowSnippetConfiguration()
+		defer disableSnippet()

 		host := modSecurityFooHost
 		nameSpace := f.Namespace
@ -251,16 +233,11 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() {
 	})

 	ginkgo.It("should enable modsecurity when enable-owasp-modsecurity-crs is set to true", func() {
-		f.SetNginxConfigMapData(map[string]string{
-			"allow-snippet-annotations":    "true",
-			"enable-modsecurity":           "true",
-			"enable-owasp-modsecurity-crs": "true",
-		})
-		defer func() {
-			f.SetNginxConfigMapData(map[string]string{
-				"allow-snippet-annotations": "false",
-			})
-		}()
+		disableSnippet := f.AllowSnippetConfiguration()
+		defer disableSnippet()
+
+		f.UpdateNginxConfigMapData("enable-modsecurity", "true")
+		f.UpdateNginxConfigMapData("enable-owasp-modsecurity-crs", "true")

 		host := modSecurityFooHost
 		nameSpace := f.Namespace
@ -290,6 +267,8 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() {
 	})

 	ginkgo.It("should enable modsecurity through the config map", func() {
+		disableSnippet := f.AllowSnippetConfiguration()
+		defer disableSnippet()
 		host := modSecurityFooHost
 		nameSpace := f.Namespace

@ -310,17 +289,9 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() {
 		f.EnsureIngress(ing)

 		expectedComment := "SecRuleEngine On"
-		f.SetNginxConfigMapData(map[string]string{
-			"allow-snippet-annotations":    "true",
-			"enable-modsecurity":           "true",
-			"enable-owasp-modsecurity-crs": "true",
-			"modsecurity-snippet":          expectedComment,
-		})
-		defer func() {
-			f.SetNginxConfigMapData(map[string]string{
-				"allow-snippet-annotations": "false",
-			})
-		}()
+		f.UpdateNginxConfigMapData("enable-modsecurity", "true")
+		f.UpdateNginxConfigMapData("enable-owasp-modsecurity-crs", "true")
+		f.UpdateNginxConfigMapData("modsecurity-snippet", expectedComment)

 		f.WaitForNginxServer(host,
 			func(server string) bool {
@ -339,6 +310,9 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() {
 		host := modSecurityFooHost
 		nameSpace := f.Namespace

+		f.UpdateNginxConfigMapData("annotations-risk-level", "Critical") // To enable snippet configurations
+		defer f.UpdateNginxConfigMapData("annotations-risk-level", "High")
+
 		snippet := `SecRequestBodyAccess On
 		SecAuditEngine RelevantOnly
 		SecAuditLogParts ABIJDEFHZ
@ -378,14 +352,9 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() {
 	})

 	ginkgo.It("should disable default modsecurity conf setting when modsecurity-snippet is specified", func() {
-		f.SetNginxConfigMapData(map[string]string{
-			"allow-snippet-annotations": "true",
-		})
-		defer func() {
-			f.SetNginxConfigMapData(map[string]string{
-				"allow-snippet-annotations": "false",
-			})
-		}()
+		disableSnippet := f.AllowSnippetConfiguration()
+		defer disableSnippet()
+
 		host := modSecurityFooHost
 		nameSpace := f.Namespace