diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 812dbf76f9a4f..74a9104cd6fc5 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -48,15 +48,17 @@ jobs: restore-keys: | ${{ runner.os }}-tinygo- + - name: Run code checks + run: go run mage.go lint + - name: Build WASM filter - run: make build + run: go run mage.go build - name: Run unit tests - run: make test + run: go run mage.go coverage - name: Run e2e tests - working-directory: e2e - run: docker-compose up --abort-on-container-exit + run: go run mage.go e2e - name: Set up Docker Buildx uses: docker/setup-buildx-action@v2 diff --git a/.golangci.yml b/.golangci.yml new file mode 100644 index 0000000000000..d268d06caa80b --- /dev/null +++ b/.golangci.yml @@ -0,0 +1,25 @@ +run: + deadline: 5m + +linters: + disable-all: true + enable: + # Enabled by default, see https://golangci-lint.run/usage/linters#enabled-by-default + - deadcode + - errcheck + - gosimple + - govet + - ineffassign + - staticcheck + - structcheck + - typecheck + - unused + - varcheck + - goimports + - gofmt + - gocritic +issues: + exclude-rules: + - path: magefile\.go + linters: + - deadcode diff --git a/Dockerfile b/Dockerfile index 5f608c8cdeed6..13418f95082df 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,3 +1,6 @@ +# Copyright 2022 The OWASP Coraza contributors +# SPDX-License-Identifier: Apache-2.0 + FROM scratch COPY build/main.wasm /plugin.wasm \ No newline at end of file diff --git a/Makefile b/Makefile deleted file mode 100644 index a9b37ed1724b2..0000000000000 --- a/Makefile +++ /dev/null @@ -1,19 +0,0 @@ -ARTIFACT_NAME="coraza-wasm-filter" -IMAGE_NAME=$(ARTIFACT_NAME):latest -CONTAINER_NAME=$(ARTIFACT_NAME)-build - -.PHONY: build -build: - mkdir -p ./build - tinygo build -o build/mainraw.wasm -scheduler=none -target=wasi ./main.go - wasm2wat build/mainraw.wasm -o build/mainraw.wat -# Removes unused code, which is important since compiled unused code may import unavailable host functions - wasm-opt -Os -c build/mainraw.wasm -o build/mainopt.wasm -# Unfortuantely the imports themselves are left due to potential use with call_indirect. Hack away missing functions -# until they are stubbed in Envoy because we know we don't need them. - wasm2wat build/mainopt.wasm -o build/mainopt.wat - sed 's/fd_filestat_get/fd_fdstat_get/g' build/mainopt.wat | sed 's/"wasi_snapshot_preview1" "path_filestat_get"/"env" "proxy_get_header_map_value"/g' > build/main.wat - wat2wasm build/main.wat -o build/main.wasm - -test: - go test ./... diff --git a/e2e/tests.sh b/e2e/tests.sh index 6e41644073d4e..31e0d8bae15f7 100755 --- a/e2e/tests.sh +++ b/e2e/tests.sh @@ -1,4 +1,7 @@ #!/bin/bash +# Copyright 2022 The OWASP Coraza contributors +# SPDX-License-Identifier: Apache-2.0 + # Copied from https://github.com/jcchavezs/modsecurity-wasm-filter-e2e/blob/master/tests.sh diff --git a/go.mod b/go.mod index 077757ad45e15..77f779cd7bf64 100644 --- a/go.mod +++ b/go.mod @@ -4,6 +4,7 @@ go 1.17 require ( github.com/corazawaf/coraza/v3 v3.0.0-20220818013656-f749c07295aa + github.com/magefile/mage v1.13.0 github.com/stretchr/testify v1.7.1 github.com/tetratelabs/proxy-wasm-go-sdk v0.19.1-0.20220825081430-0fa40edeb849 github.com/tidwall/gjson v1.14.2 @@ -13,7 +14,6 @@ require ( github.com/corazawaf/libinjection-go v0.0.0-20220207031228-44e9c4250eb5 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/kr/pretty v0.1.0 // indirect - github.com/magefile/mage v1.13.0 // indirect github.com/petar-dambovaliev/aho-corasick v0.0.0-20211021192214-5ab2d9280aa9 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect github.com/tetratelabs/wazero v0.0.0-20220819021810-7f8e629c653f // indirect diff --git a/mage.go b/mage.go new file mode 100644 index 0000000000000..b48cb5d98671c --- /dev/null +++ b/mage.go @@ -0,0 +1,19 @@ +// Copyright 2022 The OWASP Coraza contributors +// SPDX-License-Identifier: Apache-2.0 + +//go:build ignore +// +build ignore + +// Entrypoint to mage for running without needing to install the command. +// https://magefile.org/zeroinstall/ +package main + +import ( + "os" + + "github.com/magefile/mage/mage" +) + +func main() { + os.Exit(mage.Main()) +} diff --git a/magefile.go b/magefile.go new file mode 100644 index 0000000000000..8316faf6901ee --- /dev/null +++ b/magefile.go @@ -0,0 +1,142 @@ +// Copyright 2022 The OWASP Coraza contributors +// SPDX-License-Identifier: Apache-2.0 + +//go:build mage +// +build mage + +package main + +import ( + "errors" + "fmt" + "io" + "os" + "path/filepath" + "strings" + + "github.com/magefile/mage/mg" + "github.com/magefile/mage/sh" +) + +var addLicenseVersion = "v1.0.0" // https://github.com/google/addlicense +var golangCILintVer = "v1.48.0" // https://github.com/golangci/golangci-lint/releases +var gosImportsVer = "v0.1.5" // https://github.com/rinchsan/gosimports/releases/tag/v0.1.5 + +var errCommitFormatting = errors.New("files not formatted, please commit formatting changes") +var errNoGitDir = errors.New("no .git directory found") + +// Format formats code in this repository. +func Format() error { + if err := sh.RunV("go", "mod", "tidy"); err != nil { + return err + } + // addlicense strangely logs skipped files to stderr despite not being erroneous, so use the long sh.Exec form to + // discard stderr too. + if _, err := sh.Exec(map[string]string{}, io.Discard, io.Discard, "go", "run", fmt.Sprintf("github.com/google/addlicense@%s", addLicenseVersion), + "-c", "The OWASP Coraza contributors", + "-s=only", + "-ignore", "**/*.yml", + "-ignore", "**/*.yaml", + "-ignore", "examples/**", "."); err != nil { + return err + } + return sh.RunV("go", "run", fmt.Sprintf("github.com/rinchsan/gosimports/cmd/gosimports@%s", gosImportsVer), "-w", ".") +} + +// Lint verifies code quality. +func Lint() error { + if err := sh.RunV("go", "run", fmt.Sprintf("github.com/golangci/golangci-lint/cmd/golangci-lint@%s", golangCILintVer), "run"); err != nil { + return err + } + + mg.SerialDeps(Format) + + if sh.Run("git", "diff", "--exit-code") != nil { + return errCommitFormatting + } + + return nil +} + +// Test runs all tests. +func Test() error { + return sh.RunV("go", "test", "./...") +} + +// Coverage runs tests with coverage and race detector enabled. +func Coverage() error { + if err := os.MkdirAll("build", 0755); err != nil { + return err + } + if err := sh.RunV("go", "test", "-race", "-coverprofile=build/coverage.txt", "-covermode=atomic", "-coverpkg=./...", "./..."); err != nil { + return err + } + + return sh.RunV("go", "tool", "cover", "-html=build/coverage.txt", "-o", "build/coverage.html") +} + +// Doc runs godoc, access at http://localhost:6060 +func Doc() error { + return sh.RunV("go", "run", "golang.org/x/tools/cmd/godoc@latest", "-http=:6060") +} + +// Precommit installs a git hook to run check when committing +func Precommit() error { + if _, err := os.Stat(filepath.Join(".git", "hooks")); os.IsNotExist(err) { + return errNoGitDir + } + + f, err := os.ReadFile(".pre-commit.hook") + if err != nil { + return err + } + + return os.WriteFile(filepath.Join(".git", "hooks", "pre-commit"), f, 0755) +} + +// Check runs lint and tests. +func Check() { + mg.SerialDeps(Lint, Test) +} + +// Build builds the Coraza wasm plugin. +func Build() error { + if err := os.MkdirAll("build", 0755); err != nil { + return err + } + if err := sh.RunV("tinygo", "build", "-o", "build/mainraw.wasm", "-scheduler=none", "-target=wasi", "./main.go"); err != nil { + return err + } + if err := sh.RunV("wasm2wat", "build/mainraw.wasm", "-o", "build/mainraw.wat"); err != nil { + return err + } + // Removes unused code, which is important since compiled unused code may import unavailable host functions + if err := sh.RunV("wasm-opt", "-Os", "-c", "build/mainraw.wasm", "-o", "build/mainopt.wasm"); err != nil { + return err + } + // Unfortuantely the imports themselves are left due to potential use with call_indirect. Hack away missing functions + // until they are stubbed in Envoy because we know we don't need them. + if err := sh.RunV("wasm2wat", "build/mainopt.wasm", "-o", "build/mainopt.wat"); err != nil { + return err + } + + watBytes, err := os.ReadFile(filepath.Join("build", "mainopt.wat")) + if err != nil { + return err + } + wat := string(watBytes) + wat = strings.ReplaceAll(wat, "fd_filestat_get", "fd_fdstat_get") + wat = strings.ReplaceAll(wat, `"wasi_snapshot_preview1" "path_filestat_get"`, `"env" "proxy_get_header_map_value"`) + err = os.WriteFile(filepath.Join("build", "main.wat"), []byte(wat), 0644) + if err != nil { + return err + } + return sh.RunV("wat2wasm", "build/main.wat", "-o", "build/main.wasm") +} + +// E2e runs e2e tests with a built plugin. Requires docker-compose. +func E2e() error { + return sh.RunV("docker-compose", "--file", "e2e/docker-compose.yml", "up", "--abort-on-container-exit") +} + +var Default = Build diff --git a/main.go b/main.go index b59462f12c3fd..13754faf89885 100644 --- a/main.go +++ b/main.go @@ -1,3 +1,6 @@ +// Copyright 2022 The OWASP Coraza contributors +// SPDX-License-Identifier: Apache-2.0 + package main import ( diff --git a/main_test.go b/main_test.go index c78ca6d413658..a7556d58053dd 100644 --- a/main_test.go +++ b/main_test.go @@ -1,3 +1,6 @@ +// Copyright 2022 The OWASP Coraza contributors +// SPDX-License-Identifier: Apache-2.0 + // These tests are supposed to run with `proxytest` build tag, and this way we can leverage the testing framework in "proxytest" package. // The framework emulates the expected behavior of Envoyproxy, and you can test your extensions without running Envoy and with // the standard Go CLI. To run tests, simply run @@ -199,6 +202,7 @@ SecRuleEngine On\nSecResponseBodyAccess On\nSecRule RESPONSE_BODY \"@contains yo require.Equal(t, types.ActionContinue, action) action = host.CallOnResponseBody(id, respBody, true) + require.Equal(t, types.ActionContinue, action) // Call OnHttpStreamDone. host.CompleteHttpContext(id)