Nginx with AppSec support #2455
Conversation
cataphract
force-pushed
the
glopes/nginx-appsec
branch
12 times, most recently
from
f89da8a to
9bc83b3
Compare
.github/workflows/run-end-to-end.yml
Outdated
| if: ${{ matrix.version == 'dev' && inputs.library == 'cpp'}} | ||
| run: ./utils/scripts/load-binary.sh nginx | ||
| env: | ||
| CIRCLECI_TOKEN: ${{ secrets.CIRCLECI_TOKEN }} |
There was a problem hiding this comment.
We can use the previous step "Load Library binary" we only need to add the "env"
There was a problem hiding this comment.
The previous step does:
./utils/scripts/load-binary.sh ${{ inputs.library }}
inputs.library will be cpp. However, I need to call it with nginx.
.github/workflows/run-end-to-end.yml
Outdated
| @@ -230,7 +235,9 @@ jobs: | |||
| DD_API_KEY: ${{ secrets.DD_API_KEY }} | |||
| - name: Run APPSEC_MISSING_RULES scenario | |||
| if: always() && steps.build.outcome == 'success' && contains(inputs.scenarios, '"APPSEC_MISSING_RULES"') | |||
| run: ./run.sh APPSEC_MISSING_RULES | |||
| run: | | |||
| # nginx does not start with missing rules file, thereby stalling the job | |||
There was a problem hiding this comment.
could we add this condition to "if:"?
if: always() && steps.build.outcome == 'success' && contains(inputs.scenarios, '"APPSEC_MISSING_RULES"') && matrix.weblog != 'nginx'
.github/workflows/run-end-to-end.yml
Outdated
| run: ./run.sh APPSEC_CORRUPTED_RULES | ||
| run: | | ||
| # nginx does not start with corrupted rules file, thereby stalling the job | ||
| if [[ $WEBLOG_VARIANT != nginx ]]; then ./run.sh APPSEC_CORRUPTED_RULES; fi |
cataphract
force-pushed
the
glopes/nginx-appsec
branch
2 times, most recently
from
ced3965 to
0df2555
Compare
| test_schemas.py: irrelevant (ASM is not implemented in C++) | ||
| test_schemas.py: | ||
| Test_Scanners: | ||
| "*": irrelevant (ASM is not implemented in C++) |
There was a problem hiding this comment.
As ASM is actually implemented, could you replace irrelevant by missing_feature ?
So far, as nginx is the only weblog, you can probably do a simple search and replace
Test_Scanners: missing_feature
There was a problem hiding this comment.
ASM is implemented on the nginx module, not on dd-trace-cpp. If we're collapsing the distinction because the only supported weblog is nginx, then we should stop treating nginx separately in all the places in this file, no?
There was a problem hiding this comment.
then we should stop treating nginx separately in all the places in this file, no?
as long as it's the only supported weblog, yes, it'll be easier for you to maintain
There was a problem hiding this comment.
Upon reflection, I think the simplification might not be a good idea, as there are other dd-trace-cpp based projects, like for Apache httpd.
In light of that, the annotation may be correct insofar as dd-trace-cpp itself is not meant to implement ASM. It's only the nginx module that in addition to including dd-trace-cpp also has an ASM implementation. But you tell me
| @@ -89,6 +89,11 @@ jobs: | |||
| uses: actions/checkout@v4 | |||
| - name: Get library artifact | |||
| run: ./utils/scripts/load-binary.sh ${{ matrix.library }} | |||
| - name: Get nginx module | |||
There was a problem hiding this comment.
I feel like ./utils/scripts/load-binary.sh cpp should load both nginx and cpp, WDYT ?
There was a problem hiding this comment.
depends if you want to collapse cpp and nginx or if you antecipate testing dd-trace-cpp directly
| @@ -143,6 +143,10 @@ def start(self) -> Container: | |||
|
|
|||
| logger.info(f"Start container {self.container_name}") | |||
|
|
|||
| # the whole thing is reimplemented in python... | |||
| if self.healthcheck is not None: | |||
There was a problem hiding this comment.
I don't get this change ? 🤔
There was a problem hiding this comment.
there's a healthcheck implemented in python if the healthcheck argument is passed. In this case, there's no point also running the healthcheck defined in the docker file
There was a problem hiding this comment.
interesting, do you have a dockerfile with such an healthcheck ?
There was a problem hiding this comment.
some of the images used in system-tests had them; it was the point of the change IIRC. But anyway, if you just examples you can search GitHub
|
Hi @cataphract , Do you need any help to fix issues/comments on this PR ? |
cataphract
force-pushed
the
glopes/nginx-appsec
branch
from
0df2555 to
98b4f66
Compare
cataphract
force-pushed
the
glopes/nginx-appsec
branch
from
98b4f66 to
f7dc232
Compare
cataphract
force-pushed
the
glopes/nginx-appsec
branch
3 times, most recently
from
2385524 to
f3af09f
Compare
cataphract
force-pushed
the
glopes/nginx-appsec
branch
7 times, most recently
from
9c6ce99 to
7414f49
Compare
|
@cbeauchesne I've given another try to this PR. Please take a look |
| @@ -59,4 +59,4 @@ runs: | |||
|
|
|||
| - name: Pull | |||
| shell: bash | |||
| run: docker compose pull | |||
| run: cat compose.yaml && docker compose pull | |||
There was a problem hiding this comment.
I left it on purpose because it shows what's actually going on, but i can remove it
| @@ -89,6 +89,11 @@ jobs: | |||
| uses: actions/checkout@v4 | |||
| - name: Get library artifact | |||
| run: ./utils/scripts/load-binary.sh ${{ matrix.library }} | |||
| - name: Get nginx module | |||
| test_schemas.py: irrelevant (ASM is not implemented in C++) | ||
| test_schemas.py: | ||
| Test_Scanners: | ||
| "*": irrelevant (ASM is not implemented in C++) |
There was a problem hiding this comment.
then we should stop treating nginx separately in all the places in this file, no?
as long as it's the only supported weblog, yes, it'll be easier for you to maintain
| @@ -54,6 +57,7 @@ def test_blocking(self): | |||
| def setup_blocking_before(self): | |||
| self.block_req2 = weblog.get("/tag_value/tainted_value_6512/200", headers={"X-Forwarded-For": "1.1.1.1"}) | |||
|
|
|||
| @irrelevant(context.weblog_variant == "nginx", reason="Tag adding happens before WAF run") | |||
There was a problem hiding this comment.
out of curiosity, it means that it'll never be supported ?
There was a problem hiding this comment.
I'm not sure about never, but I can't see other use cases to set tags only after and conditionally on the blocking of response, except doing that just for having these tests passing. If there is a compelling, non purely test related use case, we can look at the viability.
| @@ -3,6 +3,9 @@ | |||
| # Copyright 2021 Datadog, Inc. | |||
|
|
|||
| import json | |||
|
|
|||
| import pytest | |||
| @@ -143,6 +143,10 @@ def start(self) -> Container: | |||
|
|
|||
| logger.info(f"Start container {self.container_name}") | |||
|
|
|||
| # the whole thing is reimplemented in python... | |||
| if self.healthcheck is not None: | |||
There was a problem hiding this comment.
interesting, do you have a dockerfile with such an healthcheck ?
| name="mysqldb", | ||
| command="--default-authentication-plugin=mysql_native_password", | ||
| command="--lc-messages-dir=/usr/share/mysql-8.0/english " |
There was a problem hiding this comment.
out of curiosity, why this change ?
There was a problem hiding this comment.
I got an error at some point about missing messages, probably related to a different locale in my machine? I don't remember exactly.
cataphract
force-pushed
the
glopes/nginx-appsec
branch
from
7414f49 to
1c62ce9
Compare
cataphract
force-pushed
the
glopes/nginx-appsec
branch
from
1c62ce9 to
f0763ac
Compare
Motivation
Nginx now supports AppSec. Enable those tesets
Changes
Workflow
codeownersfile quickly.🚀 Once your PR is reviewed, you can merge it!
🛟 #apm-shared-testing 🛟
Reviewer checklist
run-parametric-scenario,run-profiling-scenario...) are presents[<language>], double-check that only<language>is impacted by the changebuild-XXX-imagelabel is present