constants for default remediations
parent
c3474671f6
commit
a208deb0aa
2 changed files with 27 additions and 21 deletions
|
@ -64,7 +64,7 @@ func TestAppsecOnMatchHooks(t *testing.T) {
|
|||
require.Len(t, responses, 1)
|
||||
require.Equal(t, 403, responses[0].BouncerHTTPResponseCode)
|
||||
require.Equal(t, 403, responses[0].UserHTTPResponseCode)
|
||||
require.Equal(t, "ban", responses[0].Action)
|
||||
require.Equal(t, appsec.BanRemediation, responses[0].Action)
|
||||
|
||||
},
|
||||
},
|
||||
|
@ -96,7 +96,7 @@ func TestAppsecOnMatchHooks(t *testing.T) {
|
|||
require.Len(t, responses, 1)
|
||||
require.Equal(t, 403, responses[0].BouncerHTTPResponseCode)
|
||||
require.Equal(t, 413, responses[0].UserHTTPResponseCode)
|
||||
require.Equal(t, "ban", responses[0].Action)
|
||||
require.Equal(t, appsec.BanRemediation, responses[0].Action)
|
||||
},
|
||||
},
|
||||
{
|
||||
|
@ -154,7 +154,7 @@ func TestAppsecOnMatchHooks(t *testing.T) {
|
|||
require.Equal(t, types.APPSEC, events[0].Type)
|
||||
require.Equal(t, types.LOG, events[1].Type)
|
||||
require.Len(t, responses, 1)
|
||||
require.Equal(t, "allow", responses[0].Action)
|
||||
require.Equal(t, appsec.AllowRemediation, responses[0].Action)
|
||||
},
|
||||
},
|
||||
{
|
||||
|
@ -181,7 +181,7 @@ func TestAppsecOnMatchHooks(t *testing.T) {
|
|||
output_asserts: func(events []types.Event, responses []appsec.AppsecTempResponse, appsecResponse appsec.BodyResponse, statusCode int) {
|
||||
require.Len(t, responses, 1)
|
||||
//note: SetAction normalizes deny, ban and block to ban
|
||||
require.Equal(t, "ban", responses[0].Action)
|
||||
require.Equal(t, appsec.BanRemediation, responses[0].Action)
|
||||
},
|
||||
},
|
||||
{
|
||||
|
@ -208,7 +208,7 @@ func TestAppsecOnMatchHooks(t *testing.T) {
|
|||
output_asserts: func(events []types.Event, responses []appsec.AppsecTempResponse, appsecResponse appsec.BodyResponse, statusCode int) {
|
||||
require.Len(t, responses, 1)
|
||||
//note: SetAction normalizes deny, ban and block to ban
|
||||
require.Equal(t, "captcha", responses[0].Action)
|
||||
require.Equal(t, appsec.CaptchaRemediation, responses[0].Action)
|
||||
},
|
||||
},
|
||||
{
|
||||
|
@ -265,7 +265,7 @@ func TestAppsecOnMatchHooks(t *testing.T) {
|
|||
require.Len(t, events, 1)
|
||||
require.Equal(t, types.LOG, events[0].Type)
|
||||
require.Len(t, responses, 1)
|
||||
require.Equal(t, "ban", responses[0].Action)
|
||||
require.Equal(t, appsec.BanRemediation, responses[0].Action)
|
||||
},
|
||||
},
|
||||
{
|
||||
|
@ -293,7 +293,7 @@ func TestAppsecOnMatchHooks(t *testing.T) {
|
|||
require.Len(t, events, 1)
|
||||
require.Equal(t, types.APPSEC, events[0].Type)
|
||||
require.Len(t, responses, 1)
|
||||
require.Equal(t, "ban", responses[0].Action)
|
||||
require.Equal(t, appsec.BanRemediation, responses[0].Action)
|
||||
},
|
||||
},
|
||||
}
|
||||
|
@ -666,9 +666,9 @@ func TestAppsecRuleMatches(t *testing.T) {
|
|||
DefaultRemediation: "allow",
|
||||
output_asserts: func(events []types.Event, responses []appsec.AppsecTempResponse, appsecResponse appsec.BodyResponse, statusCode int) {
|
||||
spew.Dump(responses)
|
||||
require.Equal(t, "allow", responses[0].Action)
|
||||
require.Equal(t, appsec.AllowRemediation, responses[0].Action)
|
||||
require.Equal(t, http.StatusOK, statusCode)
|
||||
require.Equal(t, "allow", appsecResponse.Action)
|
||||
require.Equal(t, appsec.AllowRemediation, appsecResponse.Action)
|
||||
require.Equal(t, http.StatusOK, appsecResponse.HTTPStatus)
|
||||
},
|
||||
},
|
||||
|
@ -693,9 +693,9 @@ func TestAppsecRuleMatches(t *testing.T) {
|
|||
DefaultRemediation: "captcha",
|
||||
output_asserts: func(events []types.Event, responses []appsec.AppsecTempResponse, appsecResponse appsec.BodyResponse, statusCode int) {
|
||||
spew.Dump(responses)
|
||||
require.Equal(t, "captcha", responses[0].Action)
|
||||
require.Equal(t, appsec.CaptchaRemediation, responses[0].Action)
|
||||
require.Equal(t, http.StatusForbidden, statusCode)
|
||||
require.Equal(t, "captcha", appsecResponse.Action)
|
||||
require.Equal(t, appsec.CaptchaRemediation, appsecResponse.Action)
|
||||
require.Equal(t, http.StatusForbidden, appsecResponse.HTTPStatus)
|
||||
},
|
||||
},
|
||||
|
@ -720,9 +720,9 @@ func TestAppsecRuleMatches(t *testing.T) {
|
|||
UserBlockedHTTPCode: 418,
|
||||
output_asserts: func(events []types.Event, responses []appsec.AppsecTempResponse, appsecResponse appsec.BodyResponse, statusCode int) {
|
||||
spew.Dump(responses)
|
||||
require.Equal(t, "ban", responses[0].Action)
|
||||
require.Equal(t, appsec.BanRemediation, responses[0].Action)
|
||||
require.Equal(t, http.StatusForbidden, statusCode)
|
||||
require.Equal(t, "ban", appsecResponse.Action)
|
||||
require.Equal(t, appsec.BanRemediation, appsecResponse.Action)
|
||||
require.Equal(t, http.StatusTeapot, appsecResponse.HTTPStatus)
|
||||
},
|
||||
},
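Review bot: Across the TestAppsecOnMatchHooks and TestAppsecRuleMatches hunks the assertions now compare `responses[0].Action` and `appsecResponse.Action` with `appsec.BanRemediation`, `appsec.CaptchaRemediation` and `appsec.AllowRemediation`, the same constants the code under test uses, so no visible assertion pins the literal strings any more. These strings are presumably what a bouncer receives, and a changed constant value would still pass every check shown here. One assertion per constant against its literal would keep that contract tested, for example `require.Equal(t, "ban", appsec.BanRemediation)`. The table inputs `DefaultRemediation: "allow"` and `DefaultRemediation: "captcha"` still use literals, which is inconsistent with the rewritten asserts.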
|
||||
|
|
|
@ -31,6 +31,12 @@ const (
|
|||
hookOnMatch
|
||||
)
|
||||
|
||||
const (
|
||||
BanRemediation = "ban"
|
||||
CaptchaRemediation = "captcha"
|
||||
AllowRemediation = "allow"
|
||||
)
|
||||
|
||||
func (h *Hook) Build(hookStage int) error {
|
||||
|
||||
ctx := map[string]interface{}{}
|
||||
|
@ -210,18 +216,18 @@ func (wc *AppsecConfig) Build() (*AppsecRuntimeConfig, error) {
|
|||
wc.UserPassedHTTPCode = http.StatusOK
|
||||
}
|
||||
if wc.DefaultPassAction == "" {
|
||||
wc.DefaultPassAction = "allow"
|
||||
wc.DefaultPassAction = AllowRemediation
|
||||
}
|
||||
if wc.DefaultRemediation == "" {
|
||||
wc.DefaultRemediation = "ban"
|
||||
wc.DefaultRemediation = BanRemediation
|
||||
}
|
||||
|
||||
//set the defaults
|
||||
switch wc.DefaultRemediation {
|
||||
case "ban", "captcha", "allow":
|
||||
case BanRemediation, CaptchaRemediation, AllowRemediation:
|
||||
//those are the officially supported remediation(s)
|
||||
default:
|
||||
wc.Logger.Warningf("default '%s' remediation of %s is none of [ban,captcha,log] ensure bouncer compatbility!", wc.DefaultRemediation, wc.Name)
|
||||
wc.Logger.Warningf("default '%s' remediation of %s is none of [%s,%s,%s] ensure bouncer compatbility!", wc.DefaultRemediation, wc.Name, BanRemediation, CaptchaRemediation, AllowRemediation)
|
||||
}
|
||||
|
||||
ret.Name = wc.Name
|
||||
|
@ -570,11 +576,11 @@ func (w *AppsecRuntimeConfig) SetAction(action string) error {
|
|||
w.Logger.Debugf("setting action to %s", action)
|
||||
w.Response.Action = action
|
||||
switch action {
|
||||
case "allow":
|
||||
case AllowRemediation:
|
||||
w.Response.BouncerHTTPResponseCode = w.Config.BouncerPassedHTTPCode
|
||||
w.Response.UserHTTPResponseCode = w.Config.UserPassedHTTPCode
|
||||
//@tko how should we handle this ? it seems bouncer only understand bans, but it might be misleading ?
|
||||
case "ban", "captcha":
|
||||
case BanRemediation, CaptchaRemediation:
|
||||
w.Response.BouncerHTTPResponseCode = w.Config.BouncerBlockedHTTPCode
|
||||
w.Response.UserHTTPResponseCode = w.Config.UserBlockedHTTPCode
|
||||
}
|
||||
|
@ -607,10 +613,10 @@ func (w *AppsecRuntimeConfig) GenerateResponse(response AppsecTempResponse, logg
|
|||
resp.Action = w.Config.DefaultRemediation
|
||||
}
|
||||
switch resp.Action {
|
||||
case "allow":
|
||||
case AllowRemediation:
|
||||
resp.HTTPStatus = w.Config.UserPassedHTTPCode
|
||||
http_status = w.Config.BouncerPassedHTTPCode
|
||||
case "ban", "captcha":
|
||||
case BanRemediation, CaptchaRemediation:
|
||||
resp.HTTPStatus = w.Config.UserBlockedHTTPCode
|
||||
http_status = w.Config.BouncerBlockedHTTPCode
|
||||
default:
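Review bot: In the SetAction hunk the switch closes without a `default:` branch, so an action other than `AllowRemediation`, `BanRemediation` or `CaptchaRemediation` is stored in `w.Response.Action` while `BouncerHTTPResponseCode` and `UserHTTPResponseCode` keep whatever they held before the call. Build only warns on an unsupported default remediation, so custom values appear to be permitted, and for a component that decides whether a request is blocked the outcome for them should be explicit rather than implicit. A branch such as `default: w.Logger.Warningf("action %q has no HTTP code mapping, response codes left unchanged", action)` would at least make it visible in logs. SetAction begins and ends outside the hunk, so any normalisation done earlier in its body cannot be seen here.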
|
||||
|
|