fix(integration): resolve WAF test authentication order

Moves user registration/login before proxy host creation in the Coraza integration test. The /api/v1/proxy-hosts endpoint requires authentication, but the script was attempting to create the host before logging in. Changes: - Move auth block after httpbin ready, before proxy host create - Add -b ${TMP_COOKIE} to all proxy-host curl commands - Remove duplicate auth block Fixes CI failure in waf-integration.yml workflow.
2025-12-23 03:40:00 +00:00
parent 209b2fc8e0
commit 430eb85c9f
2 changed files with 155 additions and 9 deletions
--- a/docs/plans/waf_integration_fix.md
+++ b/docs/plans/waf_integration_fix.md
@@ -0,0 +1,146 @@
 # WAF Integration Test Fix Plan
 ## Status: Pending Implementation
 ## Problem Summary
 The WAF integration test (`scripts/coraza_integration.sh`) fails with HTTP 401 because the proxy host creation endpoint requires authentication, but the script attempts to create the proxy host **before** registering and logging in.
 ## Root Cause Analysis
 ### Current Flow (Broken)
 Looking at the script execution order:
 1. **Lines 175-200**: Creates proxy host without authentication
   - `curl -s -X POST ... http://localhost:8080/api/v1/proxy-hosts` (no cookie)
   - Returns HTTP 401 Unauthorized
 2. **Lines 202-210**: Registers user and logs in (too late)
   - Creates `TMP_COOKIE` file
   - Successfully authenticates
 3. **Lines 217-227**: Creates WAF ruleset (correctly uses cookie)
   - Uses `-b ${TMP_COOKIE}` ✓
 ### Evidence from CI Logs
 ```
 {"client":"172.18.0.1","latency":"433.811µs","level":"info","method":"POST","msg":"handled request","path":"/api/v1/proxy-hosts","request_id":"26716960-4547-496b-8271-2acdcdda9872","status":401}
 ```
 The 401 status confirms the proxy host endpoint now requires authentication.
 ## Required Changes
 ### 1. Move Authentication Before Proxy Host Creation
 The user registration and login block (currently lines 207-210) must be moved **before** the proxy host creation (currently lines 175-200).
 ### 2. Add Cookie to Proxy Host Creation
 The `CREATE_RESP` curl command on line 188 needs `-b ${TMP_COOKIE}` added.
 ### 3. Add Cookie to Fallback Update Command
 The fallback `curl -s -X PUT` command on line 195 needs `-b ${TMP_COOKIE}` added.
 ### 4. Add Cookie to Unauthenticated Proxy Host List
 The `curl -s http://localhost:8080/api/v1/proxy-hosts` on line 191 needs `-b ${TMP_COOKIE}` added.
 ## Detailed Line Changes
 ### Step 1: Add Authentication Block After API Ready Check (After Line 146)
 Insert the following after the API ready check loop and **before** the proxy host creation:
 ```bash
 echo "Registering admin user and logging in to retrieve session cookie..."
 TMP_COOKIE=$(mktemp)
 curl -s -X POST -H "Content-Type: application/json" -d '{"email":"integration@example.local","password":"password123","name":"Integration Tester"}' http://localhost:8080/api/v1/auth/register >/dev/null || true
 curl -s -X POST -H "Content-Type: application/json" -d '{"email":"integration@example.local","password":"password123"}' -c ${TMP_COOKIE} http://localhost:8080/api/v1/auth/login >/dev/null
 ```
 ### Step 2: Remove Duplicate Authentication Block (Lines 207-210)
 Delete or comment out the existing authentication block that appears after proxy host creation:
 ```bash
 # REMOVE THESE LINES:
 echo "Registering admin user and logging in to retrieve session cookie..."
 TMP_COOKIE=$(mktemp)
 curl -s -X POST -H "Content-Type: application/json" -d '{"email":"integration@example.local","password":"password123","name":"Integration Tester"}' http://localhost:8080/api/v1/auth/register >/dev/null || true
 curl -s -X POST -H "Content-Type: application/json" -d '{"email":"integration@example.local","password":"password123"}' -c ${TMP_COOKIE} http://localhost:8080/api/v1/auth/login >/dev/null
 ```
 ### Step 3: Add Cookie to Proxy Host Creation (Line 188)
 Change:
 ```bash
 CREATE_RESP=$(curl -s -w "\n%{http_code}" -X POST -H "Content-Type: application/json" -d "${PROXY_HOST_PAYLOAD}" http://localhost:8080/api/v1/proxy-hosts)
 ```
 To:
 ```bash
 CREATE_RESP=$(curl -s -w "\n%{http_code}" -X POST -H "Content-Type: application/json" -d "${PROXY_HOST_PAYLOAD}" -b ${TMP_COOKIE} http://localhost:8080/api/v1/proxy-hosts)
 ```
 ### Step 4: Add Cookie to Proxy Host List (Line 191)
 Change:
 ```bash
 EXISTING_UUID=$(curl -s http://localhost:8080/api/v1/proxy-hosts | grep -o '{[^}]*"domain_names":"integration.local"[^}]*}' | head -n1 | grep -o '"uuid":"[^"]*"' | sed 's/"uuid":"\([^"]*\)"/\1/')
 ```
 To:
 ```bash
 EXISTING_UUID=$(curl -s -b ${TMP_COOKIE} http://localhost:8080/api/v1/proxy-hosts | grep -o '{[^}]*"domain_names":"integration.local"[^}]*}' | head -n1 | grep -o '"uuid":"[^"]*"' | sed 's/"uuid":"\([^"]*\)"/\1/')
 ```
 ### Step 5: Add Cookie to Proxy Host Update (Line 195)
 Change:
 ```bash
 curl -s -X PUT -H "Content-Type: application/json" -d "${PROXY_HOST_PAYLOAD}" http://localhost:8080/api/v1/proxy-hosts/$EXISTING_UUID
 ```
 To:
 ```bash
 curl -s -X PUT -H "Content-Type: application/json" -d "${PROXY_HOST_PAYLOAD}" -b ${TMP_COOKIE} http://localhost:8080/api/v1/proxy-hosts/$EXISTING_UUID
 ```
 ## Corrected Flow
 After the fix, the script will execute in this order:
 1. Build/start containers
 2. Wait for API ready
 3. **Register user and login** (create TMP_COOKIE)
 4. Start httpbin backend container
 5. **Create proxy host WITH cookie**
 6. Create WAF ruleset with cookie
 7. Enable WAF globally with cookie
 8. Run WAF tests
 9. Cleanup
 ## Verification
 After implementing the fix, the test should:
 1. Return HTTP 201 (or 200 for update) for proxy host creation
 2. Proceed to WAF ruleset creation successfully
 3. Complete the full BLOCK mode and MONITOR mode tests
 ## Related Files
 - `scripts/coraza_integration.sh` - Main integration test script
 - `.github/skills/scripts/skill-runner.sh` - Skill runner that invokes the test
 ## Notes
 - The script already correctly uses authentication for:
  - WAF ruleset creation (line 218)
  - Security config updates (lines 223, 274)
  - Proxy host deletion in cleanup (line 294)
 - Only the proxy host creation and related fallback commands were missing authentication
--- a/scripts/coraza_integration.sh
+++ b/scripts/coraza_integration.sh
@@ -176,6 +176,11 @@ for i in {1..20}; do
  sleep 1
 done
 echo "Registering admin user and logging in to retrieve session cookie..."
 TMP_COOKIE=$(mktemp)
 curl -s -X POST -H "Content-Type: application/json" -d '{"email":"integration@example.local","password":"password123","name":"Integration Tester"}' http://localhost:8080/api/v1/auth/register >/dev/null || true
 curl -s -X POST -H "Content-Type: application/json" -d '{"email":"integration@example.local","password":"password123"}' -c ${TMP_COOKIE} http://localhost:8080/api/v1/auth/login >/dev/null
 echo "Creating proxy host 'integration.local' pointing to backend..."
 PROXY_HOST_PAYLOAD=$(cat <<EOF
 {
@@ -189,26 +194,21 @@ PROXY_HOST_PAYLOAD=$(cat <<EOF
 }
 EOF
 )
-CREATE_RESP=$(curl -s -w "\n%{http_code}" -X POST -H "Content-Type: application/json" -d "${PROXY_HOST_PAYLOAD}" http://localhost:8080/api/v1/proxy-hosts)
+CREATE_RESP=$(curl -s -w "\n%{http_code}" -X POST -H "Content-Type: application/json" -d "${PROXY_HOST_PAYLOAD}" -b ${TMP_COOKIE} http://localhost:8080/api/v1/proxy-hosts)
 CREATE_STATUS=$(echo "$CREATE_RESP" | tail -n1)
 if [ "$CREATE_STATUS" != "201" ]; then
  echo "Proxy host create failed or already exists; attempting to update existing host..."
  # Find the existing host UUID by searching for the domain in the proxy-hosts list
-  EXISTING_UUID=$(curl -s http://localhost:8080/api/v1/proxy-hosts | grep -o '{[^}]*"domain_names":"integration.local"[^}]*}' | head -n1 | grep -o '"uuid":"[^"]*"' | sed 's/"uuid":"\([^"]*\)"/\1/')
+  EXISTING_UUID=$(curl -s -b ${TMP_COOKIE} http://localhost:8080/api/v1/proxy-hosts | grep -o '{[^}]*"domain_names":"integration.local"[^}]*}' | head -n1 | grep -o '"uuid":"[^"]*"' | sed 's/"uuid":"\([^"]*\)"/\1/')
  if [ -n "$EXISTING_UUID" ]; then
    echo "Updating existing host $EXISTING_UUID with Coraza handler"
-    curl -s -X PUT -H "Content-Type: application/json" -d "${PROXY_HOST_PAYLOAD}" http://localhost:8080/api/v1/proxy-hosts/$EXISTING_UUID
+    curl -s -X PUT -H "Content-Type: application/json" -d "${PROXY_HOST_PAYLOAD}" -b ${TMP_COOKIE} http://localhost:8080/api/v1/proxy-hosts/$EXISTING_UUID
  else
    echo "Could not find existing host; create response:"
    echo "$CREATE_RESP"
  fi
 fi
 echo "Registering admin user and logging in to retrieve session cookie..."
 TMP_COOKIE=$(mktemp)
 curl -s -X POST -H "Content-Type: application/json" -d '{"email":"integration@example.local","password":"password123","name":"Integration Tester"}' http://localhost:8080/api/v1/auth/register >/dev/null || true
 curl -s -X POST -H "Content-Type: application/json" -d '{"email":"integration@example.local","password":"password123"}' -c ${TMP_COOKIE} http://localhost:8080/api/v1/auth/login >/dev/null
 echo "Give Caddy a moment to apply configuration..."
 sleep 3
@@ -304,7 +304,7 @@ echo "Cleaning up..."
 # Delete the integration test proxy host from DB before stopping container
 echo "Removing integration test proxy host from database..."
-INTEGRATION_UUID=$(curl -s http://localhost:8080/api/v1/proxy-hosts | grep -o '"uuid":"[^"]*"[^}]*"domain_names":"integration.local"' | head -n1 | grep -o '"uuid":"[^"]*"' | sed 's/"uuid":"\([^"]*\)"/\1/')
+INTEGRATION_UUID=$(curl -s -b ${TMP_COOKIE} http://localhost:8080/api/v1/proxy-hosts | grep -o '"uuid":"[^"]*"[^}]*"domain_names":"integration.local"' | head -n1 | grep -o '"uuid":"[^"]*"' | sed 's/"uuid":"\([^"]*\)"/\1/')
 if [ -n "$INTEGRATION_UUID" ]; then
  curl -s -X DELETE -b ${TMP_COOKIE} "http://localhost:8080/api/v1/proxy-hosts/${INTEGRATION_UUID}?delete_uptime=true" >/dev/null
  echo "✓ Deleted integration proxy host ${INTEGRATION_UUID}"