Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Nginx with AppSec support #2455

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

Nginx with AppSec support #2455

wants to merge 1 commit into from

Conversation

cataphract
Copy link
Contributor

Motivation

Nginx now supports AppSec. Enable those tesets

Changes

Workflow

  1. ⚠️ Create your PR as draft ⚠️
  2. Work on you PR until the CI passes (if something not related to your task is failing, you can ignore it)
  3. Mark it as ready for review
    • Test logic is modified? -> Get a review from RFC owner. We're working on refining the codeowners file quickly.
    • Framework is modified, or non obvious usage of it -> get a review from R&P team

🚀 Once your PR is reviewed, you can merge it!

🛟 #apm-shared-testing 🛟

Reviewer checklist

  • Relevant label (run-parametric-scenario, run-profiling-scenario...) are presents
  • If PR title starts with [<language>], double-check that only <language> is impacted by the change
  • No system-tests internal is modified. Otherwise, I have the approval from R&P team
  • CI is green, or failing jobs are not related to this change (and you are 100% sure about this statement)
  • A docker base image is modified?
    • the relevant build-XXX-image label is present
  • A scenario is added (or removed)?

@cataphract cataphract force-pushed the glopes/nginx-appsec branch 12 times, most recently from f89da8a to 9bc83b3 Compare May 22, 2024 10:54
@cataphract cataphract marked this pull request as ready for review May 23, 2024 15:04
@cataphract cataphract requested review from a team as code owners May 23, 2024 15:04
robertomonteromiguel
robertomonteromiguel requested changes May 23, 2024
View reviewed changes
.github/workflows/run-end-to-end.yml Outdated
if: ${{ matrix.version == 'dev' && inputs.library == 'cpp'}}
run: ./utils/scripts/load-binary.sh nginx
env:
CIRCLECI_TOKEN: ${{ secrets.CIRCLECI_TOKEN }}
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can use the previous step "Load Library binary" we only need to add the "env"

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The previous step does:

./utils/scripts/load-binary.sh ${{ inputs.library }}

inputs.library will be cpp. However, I need to call it with nginx.

.github/workflows/run-end-to-end.yml Outdated
@@ -230,7 +235,9 @@ jobs:
DD_API_KEY: ${{ secrets.DD_API_KEY }}
- name: Run APPSEC_MISSING_RULES scenario
if: always() && steps.build.outcome == 'success' && contains(inputs.scenarios, '"APPSEC_MISSING_RULES"')
run: ./run.sh APPSEC_MISSING_RULES
run: |
# nginx does not start with missing rules file, thereby stalling the job
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could we add this condition to "if:"?
if: always() && steps.build.outcome == 'success' && contains(inputs.scenarios, '"APPSEC_MISSING_RULES"') && matrix.weblog != 'nginx'

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can try

.github/workflows/run-end-to-end.yml Outdated
run: ./run.sh APPSEC_CORRUPTED_RULES
run: |
# nginx does not start with corrupted rules file, thereby stalling the job
if [[ $WEBLOG_VARIANT != nginx ]]; then ./run.sh APPSEC_CORRUPTED_RULES; fi
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same....

tests/appsec/test_blocking_addresses.py Outdated Show resolved Hide resolved
tests/appsec/test_blocking_addresses.py Outdated Show resolved Hide resolved
tests/appsec/test_blocking_addresses.py Outdated Show resolved Hide resolved
tests/appsec/test_traces.py Outdated Show resolved Hide resolved
@cataphract cataphract force-pushed the glopes/nginx-appsec branch 2 times, most recently from ced3965 to 0df2555 Compare June 3, 2024 14:10
@cataphract cataphract requested a review from cbeauchesne June 3, 2024 14:15
cbeauchesne
cbeauchesne requested changes Jun 3, 2024
View reviewed changes
utils/_context/_scenarios.py Outdated Show resolved Hide resolved
manifests/cpp.yml
test_schemas.py: irrelevant (ASM is not implemented in C++)
test_schemas.py:
Test_Scanners:
"*": irrelevant (ASM is not implemented in C++)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As ASM is actually implemented, could you replace irrelevant by missing_feature ?

So far, as nginx is the only weblog, you can probably do a simple search and replace

Test_Scanners: missing_feature

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ASM is implemented on the nginx module, not on dd-trace-cpp. If we're collapsing the distinction because the only supported weblog is nginx, then we should stop treating nginx separately in all the places in this file, no?

.github/workflows/ci.yml
@@ -89,6 +89,11 @@ jobs:
uses: actions/checkout@v4
- name: Get library artifact
run: ./utils/scripts/load-binary.sh ${{ matrix.library }}
- name: Get nginx module
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I feel like ./utils/scripts/load-binary.sh cpp should load both nginx and cpp, WDYT ?

tests/appsec/test_traces.py Outdated Show resolved Hide resolved
utils/_context/containers.py
@@ -143,6 +143,10 @@ def start(self) -> Container:

logger.info(f"Start container {self.container_name}")

# the whole thing is reimplemented in python...
if self.healthcheck is not None:
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't get this change ? 🤔

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

there's a healthcheck implemented in python if the healthcheck argument is passed. In this case, there's no point also running the healthcheck defined in the docker file

utils/_context/containers.py Outdated Show resolved Hide resolved
utils/_context/containers.py Outdated Show resolved Hide resolved
@cbeauchesne
Copy link
Collaborator

Hi @cataphract ,

Do you need any help to fix issues/comments on this PR ?

@cataphract cataphract force-pushed the glopes/nginx-appsec branch from 0df2555 to 98b4f66 Compare August 29, 2024 17:58
@cataphract cataphract marked this pull request as draft August 29, 2024 17:59
@cataphract cataphract force-pushed the glopes/nginx-appsec branch from 98b4f66 to f7dc232 Compare August 29, 2024 18:03
@cataphract cataphract force-pushed the glopes/nginx-appsec branch 3 times, most recently from 2385524 to f3af09f Compare January 14, 2025 11:20
@cataphract cataphract force-pushed the glopes/nginx-appsec branch 5 times, most recently from f96b4f2 to 3db6d44 Compare January 14, 2025 17:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cbeauchesne cbeauchesne cbeauchesne requested changes

@robertomonteromiguel robertomonteromiguel Awaiting requested review from robertomonteromiguel

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
run-all-scenarios
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@cataphract @cbeauchesne @robertomonteromiguel