akanealw
eec8c28fb3
Some checks failed
Go Benchmark / Performance Regression Check (push) Has been cancelled
Cerberus Integration / Cerberus Security Stack Integration (push) Has been cancelled
Upload Coverage to Codecov / Backend Codecov Upload (push) Has been cancelled
Upload Coverage to Codecov / Frontend Codecov Upload (push) Has been cancelled
CodeQL - Analyze / CodeQL analysis (go) (push) Has been cancelled
CodeQL - Analyze / CodeQL analysis (javascript-typescript) (push) Has been cancelled
CrowdSec Integration / CrowdSec Bouncer Integration (push) Has been cancelled
Docker Build, Publish & Test / build-and-push (push) Has been cancelled
Quality Checks / Auth Route Protection Contract (push) Has been cancelled
Quality Checks / Codecov Trigger/Comment Parity Guard (push) Has been cancelled
Quality Checks / Backend (Go) (push) Has been cancelled
Quality Checks / Frontend (React) (push) Has been cancelled
Rate Limit integration / Rate Limiting Integration (push) Has been cancelled
Security Scan (PR) / Trivy Binary Scan (push) Has been cancelled
Supply Chain Verification (PR) / Verify Supply Chain (push) Has been cancelled
WAF integration / Coraza WAF Integration (push) Has been cancelled
Docker Build, Publish & Test / Security Scan PR Image (push) Has been cancelled
Repo Health Check / Repo health (push) Has been cancelled
History Rewrite Dry-Run / Dry-run preview for history rewrite (push) Has been cancelled
Prune Renovate Branches / prune (push) Has been cancelled
Renovate / renovate (push) Has been cancelled
Nightly Build & Package / sync-development-to-nightly (push) Has been cancelled
Nightly Build & Package / Trigger Nightly Validation Workflows (push) Has been cancelled
Nightly Build & Package / build-and-push-nightly (push) Has been cancelled
Nightly Build & Package / test-nightly-image (push) Has been cancelled
Nightly Build & Package / verify-nightly-supply-chain (push) Has been cancelled
81 lines
2.8 KiB
Go
Executable File
81 lines
2.8 KiB
Go
Executable File
// Package tests contains integration tests for the API.
|
|
package tests
|
|
|
|
import (
|
|
"context"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/gin-gonic/gin"
|
|
"gorm.io/driver/sqlite"
|
|
"gorm.io/gorm"
|
|
|
|
"github.com/Wikid82/charon/backend/internal/api/routes"
|
|
"github.com/Wikid82/charon/backend/internal/config"
|
|
)
|
|
|
|
// TestIntegration_WAF_BlockAndMonitor exercises middleware behavior and metrics exposure.
|
|
// Note: Actual WAF blocking is handled by Coraza at the Caddy layer, not by the API middleware.
|
|
// The cerberus middleware only tracks metrics and handles ACL enforcement.
|
|
func TestIntegration_WAF_BlockAndMonitor(t *testing.T) {
|
|
gin.SetMode(gin.TestMode)
|
|
|
|
// Helper to spin server with given WAF mode
|
|
newServer := func(mode string) (*gin.Engine, *gorm.DB) {
|
|
db, err := gorm.Open(sqlite.Open("file::memory:?cache=shared"), &gorm.Config{})
|
|
if err != nil {
|
|
t.Fatalf("db open: %v", err)
|
|
}
|
|
cfg, err := config.Load()
|
|
if err != nil {
|
|
t.Fatalf("load cfg: %v", err)
|
|
}
|
|
cfg.Security.WAFMode = mode
|
|
r := gin.New()
|
|
if err := routes.Register(context.Background(), r, db, cfg); err != nil {
|
|
t.Fatalf("register: %v", err)
|
|
}
|
|
return r, db
|
|
}
|
|
|
|
// Block mode: cerberus middleware doesn't block requests - that's Coraza's job at the Caddy layer
|
|
// The API middleware only tracks metrics when WAF is enabled
|
|
rBlock, _ := newServer("block")
|
|
req := httptest.NewRequest(http.MethodGet, "/api/v1/remote-servers?test=<script>", http.NoBody)
|
|
w := httptest.NewRecorder()
|
|
rBlock.ServeHTTP(w, req)
|
|
// Request passes through API layer - actual WAF blocking happens at Caddy/Coraza
|
|
// We just verify the middleware doesn't crash and allows the request through to auth check
|
|
// (returns 401 since no auth token is provided)
|
|
if w.Code != http.StatusUnauthorized && w.Code != http.StatusOK {
|
|
t.Fatalf("unexpected status in block mode: %d, expected 401 (auth required)", w.Code)
|
|
}
|
|
|
|
// Monitor mode should allow request but still evaluate (log-only)
|
|
rMon, _ := newServer("monitor")
|
|
req2 := httptest.NewRequest(http.MethodGet, "/api/v1/remote-servers?test=<script>", http.NoBody)
|
|
w2 := httptest.NewRecorder()
|
|
rMon.ServeHTTP(w2, req2)
|
|
// Same behavior - request passes through to auth check
|
|
if w2.Code != http.StatusUnauthorized && w2.Code != http.StatusOK {
|
|
t.Fatalf("unexpected status in monitor mode: %d, expected 401 (auth required)", w2.Code)
|
|
}
|
|
|
|
// Metrics should be exposed
|
|
reqM := httptest.NewRequest(http.MethodGet, "/metrics", http.NoBody)
|
|
wM := httptest.NewRecorder()
|
|
rMon.ServeHTTP(wM, reqM)
|
|
if wM.Code != http.StatusOK {
|
|
t.Fatalf("metrics not served: %d", wM.Code)
|
|
}
|
|
body := wM.Body.String()
|
|
required := []string{"charon_waf_requests_total", "charon_waf_blocked_total", "charon_waf_monitored_total"}
|
|
for _, k := range required {
|
|
if !strings.Contains(body, k) {
|
|
t.Fatalf("missing metric %s in /metrics output", k)
|
|
}
|
|
}
|
|
}
|