Disable default modsecurity_rules_file if modsecurity-snippet is specified (#8021)
* Disabled default modsecurity_rules_file if modsecurity-snippet is specified The default modsecurity_rules_file overwrites the ModSecurity-snippet if it is specified with custom config settings like "SecRuleEngine On". This will not let Modsecurity be in blocking mode even if "SecRuleEngine On" is specified in the ModSecurity-snippet configuration * Remove unnecessary comments Only have the default Modsecurity conf settings in case Modsecurity configuration snippet is not present and remove unnecessary comments * Fixed modsecurity default file only if Modsecurity snippet present Fixed if condition Modsecurity snippet present have modsecurity default config file * Added e2e test to disabling modsecurity conf Added e2e in case modsecurity-snippet enabled to disable settings in default modsecurity.conf * Validate writing to a different location Validate also modsecurity to write to a different location instead of the default directory * Fixed the formatting * Fixed if empty ModsecuritySnippet * Fixed ModsecuritySnippet condition * Fixed the condition also in ingress controller template * Removed the default config condition in ingress controller template * Fixed the default config condition in ingress controller template * Fixed pull-ingress-nginx-test * Revert "Fixed the default config condition in ingress controller template" This reverts commit 9d38eca40fe615a4c756500ca57b05634240edde. * Revert template_test * Adjusted the formatting %v
parent
2ff5af08d4
commit
fea7fed6da
4 changed files with 43 additions and 6 deletions
|
|
@ -1537,7 +1537,7 @@ func buildModSecurityForLocation(cfg config.Configuration, location *ingress.Loc
|
|||
`, location.ModSecurity.TransactionID))
|
||||
}
|
||||
|
||||
if !isMSEnabled {
|
||||
if !isMSEnabled && location.ModSecurity.Snippet == "" {
|
||||
buffer.WriteString(`modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;
|
||||
`)
|
||||
}
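Review bot: A location that sets a snippet now loses `/etc/nginx/modsecurity/modsecurity.conf` entirely under `!isMSEnabled && location.ModSecurity.Snippet == ""`, so a snippet holding only `SecRuleEngine On` runs without whatever baseline that file supplies (in the stock recommended configuration, presumably request-body access, body limits and audit-log settings) unless the snippet includes the file itself. The comparison is exact, so a whitespace-only snippet also switches the default file off; `strings.TrimSpace(location.ModSecurity.Snippet) == ""` would avoid that, provided `strings` is already imported in this file, which is not visible here. I would add a comment above the condition such as `// A non-empty snippet replaces modsecurity.conf entirely; the snippet must Include it to keep the baseline settings.` and state the same in the annotation documentation. The body of buildModSecurityForLocation starts and ends outside the hunk, so where the snippet itself is written to the buffer cannot be checked from here.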
|
||||
|
|
|
|||
|
|
@ -1781,8 +1781,8 @@ func TestModSecurityForLocation(t *testing.T) {
|
|||
{"configmap enabled, configmap OWASP enabled, annotation enabled, OWASP disabled", true, true, true, true, false, "", "", ""},
|
||||
{"configmap disabled, annotation enabled, OWASP disabled", false, false, true, true, false, "", "", fmt.Sprintf("%v%v", loadModule, modSecCfg)},
|
||||
{"configmap disabled, annotation disabled, OWASP disabled", false, false, false, true, false, "", "", ""},
|
||||
{"configmap disabled, annotation enabled, OWASP disabled", false, false, true, true, false, testRule, "", fmt.Sprintf("%v%v%v", loadModule, modsecRule, modSecCfg)},
|
||||
{"configmap disabled, annotation enabled, OWASP enabled", false, false, true, true, false, testRule, "", fmt.Sprintf("%v%v%v", loadModule, modsecRule, modSecCfg)},
|
||||
{"configmap disabled, annotation enabled, OWASP disabled", false, false, true, true, false, testRule, "", fmt.Sprintf("%v%v", loadModule, modsecRule)},
|
||||
{"configmap disabled, annotation enabled, OWASP enabled", false, false, true, true, false, testRule, "", fmt.Sprintf("%v%v", loadModule, modsecRule)},
|
||||
}
|
||||
|
||||
for _, testCase := range testCases {
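Review bot: The two rows that expect `fmt.Sprintf("%v%v", loadModule, modsecRule)` have identical column values and differ only in name, so the one labelled "OWASP enabled" appears to exercise the same path as the one labelled "OWASP disabled" rather than an OWASP-enabled location. Both also reuse the name of the earlier no-snippet row and never mention the snippet, which makes a failure hard to attribute; a name like `"configmap disabled, annotation enabled, snippet set, OWASP disabled"` would be clearer. A row with a whitespace-only snippet would pin down what the `Snippet == ""` check is meant to do in that case. The test-case struct and the loop body are outside the hunk, so which column carries the OWASP flag is inferred from the names only.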
|
||||
|
|
|
|||