feat: adds configuration mapping. (envoyproxy#79)

Co-authored-by: Anuraag Agrawal <anuraaga@gmail.com>
arminabf · Nov 15, 2022 · dac7e07 · dac7e07
1 parent b7eb80d
commit dac7e07
Show file tree

Hide file tree

Showing 7 changed files with 83 additions and 12 deletions.
diff --git a/README.md b/README.md
@@ -88,7 +88,7 @@ configuration:
     "@type": "type.googleapis.com/google.protobuf.StringValue"
     value: |
     {
-        "rules": [ "SecDebugLogLevel 5", "SecRuleEngine On", "Include crs/*.conf" ]
+        "rules": [ "SecDebugLogLevel 5", "SecRuleEngine On", "Include @owasp_crs/*.conf" ]
     }
 ```
 
@@ -99,7 +99,7 @@ configuration:
     "@type": "type.googleapis.com/google.protobuf.StringValue"
     value: |
     {
-        "rules": [ "SecDebugLogLevel 5", "SecRuleEngine On", "Include crs/REQUEST-901-INITIALIZATION.conf" ]
+        "rules": [ "SecDebugLogLevel 5", "SecRuleEngine On", "Include @owasp_crs/REQUEST-901-INITIALIZATION.conf" ]
     }
 ```
 
@@ -115,7 +115,7 @@ Take a look at its config file [ftw.yml](./ftw/ftw.yml) for details about tests
 
 ## Example: Spinning up the coraza-wasm-filter for manual tests
 
-Once the filter is built, via the commands `mage runExample` and `mage teardownExample` you can spin up and tear down the test environment. Envoy with the coraza-wasm filter will be reachable at `localhost:8080`. The filter is configured with the CRS loaded working in Anomaly Scoring mode. For details and locally tweaking the configuration refer to [coraza-demo.conf](./rules/coraza-demo.conf) and [crs-setup-demo.conf](./rules/crs-setup-demo.conf).
+Once the filter is built, via the commands `mage runExample` and `mage teardownExample` you can spin up and tear down the test environment. Envoy with the coraza-wasm filter will be reachable at `localhost:8080`. The filter is configured with the CRS loaded working in Anomaly Scoring mode. For details and locally tweaking the configuration refer to [@demo-conf](./rules/coraza-demo.conf) and [@crs-setup-demo-conf](./rules/crs-setup-demo.conf).
 In order to monitor envoy logs while performing requests you can run:
 
 - Envoy logs: `docker-compose -f ./example/docker-compose.yml logs -f envoy-logs`.

diff --git a/config_test.go b/config_test.go
@@ -44,11 +44,11 @@ func TestParsePluginConfiguration(t *testing.T) {
 			name: "inline many entries",
 			config: `
 			{ 
-				"rules": ["SecRuleEngine On", "Include crs/*.conf\nSecRule REQUEST_URI \"@streq /admin\" \"id:101,phase:1,t:lowercase,deny\""]
+				"rules": ["SecRuleEngine On", "Include @owasp_crs/*.conf\nSecRule REQUEST_URI \"@streq /admin\" \"id:101,phase:1,t:lowercase,deny\""]
 			}
 			`,
 			expectConfig: pluginConfiguration{
-				rules: []string{"SecRuleEngine On", "Include crs/*.conf\nSecRule REQUEST_URI \"@streq /admin\" \"id:101,phase:1,t:lowercase,deny\""},
+				rules: []string{"SecRuleEngine On", "Include @owasp_crs/*.conf\nSecRule REQUEST_URI \"@streq /admin\" \"id:101,phase:1,t:lowercase,deny\""},
 			},
 		},
 	}

diff --git a/example/envoy-config.yaml b/example/envoy-config.yaml
@@ -42,10 +42,10 @@ static_resources:
                           value: |
                             {
                               "rules": [
-                                "Include coraza-demo.conf",
-                                "Include crs-setup-demo.conf",
+                                "Include @demo-conf",
+                                "Include @crs-setup-demo-conf",
                                 "SecDebugLogLevel 3",
-                                "Include crs/*.conf",
+                                "Include @owasp_crs/*.conf",
                                 "SecRule REQUEST_URI \"@streq /admin\" \"id:101,phase:1,t:lowercase,deny\" \nSecRule REQUEST_BODY \"@rx maliciouspayload\" \"id:102,phase:2,t:lowercase,deny\" \nSecRule RESPONSE_HEADERS::status \"@rx 406\" \"id:103,phase:3,t:lowercase,deny\" \nSecRule RESPONSE_BODY \"@contains responsebodycode\" \"id:104,phase:4,t:lowercase,deny\""
                               ]
                             }

diff --git a/fs.go b/fs.go
@@ -0,0 +1,58 @@
+// Copyright The OWASP Coraza contributors
+// SPDX-License-Identifier: Apache-2.0
+
+package main
+
+import (
+	"fmt"
+	"io/fs"
+	"strings"
+)
+
+type rulesFS struct {
+	fs           fs.FS
+	filesMapping map[string]string
+	dirsMapping  map[string]string
+}
+
+func (r rulesFS) Open(name string) (fs.File, error) {
+	return r.fs.Open(r.mapPath(name))
+}
+
+func (r rulesFS) ReadDir(name string) ([]fs.DirEntry, error) {
+	for a, dst := range r.dirsMapping {
+		if a == name {
+			return fs.ReadDir(r.fs, dst)
+		}
+
+		prefix := a + "/"
+		if strings.HasPrefix(name, prefix) {
+			return fs.ReadDir(r.fs, fmt.Sprintf("%s/%s", dst, name[len(prefix):]))
+		}
+	}
+	return fs.ReadDir(r.fs, name)
+}
+
+func (r rulesFS) ReadFile(name string) ([]byte, error) {
+	return fs.ReadFile(r.fs, r.mapPath(name))
+}
+
+func (r rulesFS) mapPath(p string) string {
+	if strings.IndexByte(p, '/') != -1 {
+		// is not in root, hence we can do dir mapping
+		for a, dst := range r.dirsMapping {
+			prefix := a + "/"
+			if strings.HasPrefix(p, prefix) {
+				return fmt.Sprintf("%s/%s", dst, p[len(prefix):])
+			}
+		}
+	}
+
+	for a, dst := range r.filesMapping {
+		if a == p {
+			return dst
+		}
+	}
+
+	return p
+}
diff --git a/ftw/envoy-config.yaml b/ftw/envoy-config.yaml
@@ -37,10 +37,10 @@ static_resources:
                           value: |
                             {
                               "rules": [
-                                "Include coraza.conf-recommended.conf",
-                                "Include ftw-config.conf",
+                                "Include @recommended-conf",
+                                "Include @ftw-conf",
                                 "Include crs-setup.conf.example",
-                                "Include crs/*.conf"
+                                "Include @owasp_crs/*.conf"
                               ]
                             }
                         vm_config:

diff --git a/main.go b/main.go
@@ -64,6 +64,19 @@ func (ctx *corazaPlugin) OnPluginStart(pluginConfigurationSize int) types.OnPlug
 
 	root, _ := fs.Sub(crs, "rules")
 
+	root = &rulesFS{
+		root,
+		map[string]string{
+			"@recommended-conf":    "coraza.conf-recommended.conf",
+			"@demo-conf":           "coraza-demo.conf",
+			"@crs-setup-demo-conf": "crs-setup-demo.conf",
+			"@ftw-conf":            "ftw-config.conf",
+		},
+		map[string]string{
+			"@owasp_crs": "crs",
+		},
+	}
+
 	// First we initialize our waf and our seclang parser
 	conf := coraza.NewWAFConfig().
 		WithErrorLogger(logError).

diff --git a/main_test.go b/main_test.go
@@ -663,7 +663,7 @@ func TestParseCRS(t *testing.T) {
 		opt := proxytest.
 			NewEmulatorOption().
 			WithVMContext(vm).
-			WithPluginConfiguration([]byte(`{ "rules": [ "Include ftw-config.conf", "Include coraza.conf-recommended.conf", "Include crs-setup.conf.example", "Include crs/*.conf" ] }`))
+			WithPluginConfiguration([]byte(`{ "rules": [ "Include @ftw-conf", "Include @recommended-conf", "Include crs-setup.conf.example", "Include @owasp_crs/*.conf" ] }`))
 
 		host, reset := proxytest.NewHostEmulator(opt)
 		defer reset()