Charon/docs/plans/archive/waf_integration_fix.md
akanealw eec8c28fb3
changed perms
2026-04-22 18:19:14 +00:00

WAF Integration Test Fix Plan

Status: Pending Implementation

Problem Summary

The WAF integration test (scripts/coraza_integration.sh) fails with HTTP 401 because the proxy host creation endpoint requires authentication, but the script attempts to create the proxy host before registering and logging in.

Root Cause Analysis

Current Flow (Broken)

Looking at the script execution order:

  1. Lines 175-200: Creates proxy host without authentication

    • curl -s -X POST ... http://localhost:8080/api/v1/proxy-hosts (no cookie)
    • Returns HTTP 401 Unauthorized
  2. Lines 202-210: Registers user and logs in (too late)

    • Creates TMP_COOKIE file
    • Successfully authenticates
  3. Lines 217-227: Creates WAF ruleset (correctly uses cookie)

    • Uses -b ${TMP_COOKIE}

Evidence from CI Logs

{"client":"172.18.0.1","latency":"433.811µs","level":"info","method":"POST","msg":"handled request","path":"/api/v1/proxy-hosts","request_id":"26716960-4547-496b-8271-2acdcdda9872","status":401}

The 401 status confirms the proxy host endpoint now requires authentication.
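As an added check, not part of the plan or the repository, the shell function below scans backend request-log lines like the one above and reports any 401 that was issued before the first successful login, which is exactly the signature of the ordering bug. The sample lines are constructed to mirror the CI line format (request_id and latency omitted); the assumption that the keys appear in the order method, path, status is taken from that format, and the function and variable names are mine.

```shell
#!/bin/sh
# Added example, not from the repository: flag 401s that occur before the first
# successful login in the backend's JSON request log.
set -eu

# Constructed sample in the broken order: proxy host call first, login afterwards.
BROKEN_LOG='{"client":"172.18.0.1","level":"info","method":"POST","msg":"handled request","path":"/api/v1/proxy-hosts","status":401}
{"client":"172.18.0.1","level":"info","method":"POST","msg":"handled request","path":"/api/v1/auth/register","status":201}
{"client":"172.18.0.1","level":"info","method":"POST","msg":"handled request","path":"/api/v1/auth/login","status":200}'

# Same events in the corrected order: login first, then the proxy host call succeeds.
FIXED_LOG='{"client":"172.18.0.1","level":"info","method":"POST","msg":"handled request","path":"/api/v1/auth/register","status":201}
{"client":"172.18.0.1","level":"info","method":"POST","msg":"handled request","path":"/api/v1/auth/login","status":200}
{"client":"172.18.0.1","level":"info","method":"POST","msg":"handled request","path":"/api/v1/proxy-hosts","status":201}'

# Read log lines on stdin; print "METHOD PATH STATUS" for every 401 seen before the
# first 200 from /api/v1/auth/login. Exit 1 if any were found, 0 otherwise.
# Assumes the keys appear in the order method, path, status, as in the CI line.
premature_401s() {
  logged_in=0
  found=0
  while IFS= read -r line; do
    fields=$(printf '%s\n' "$line" \
      | sed -n 's/.*"method":"\([A-Z]*\)".*"path":"\([^"]*\)".*"status":\([0-9]*\).*/\1 \2 \3/p')
    [ -n "$fields" ] || continue            # not a request log line
    set -- $fields
    method=$1; path=$2; status=$3
    if [ "$path" = "/api/v1/auth/login" ] && [ "$status" = "200" ]; then
      logged_in=1
    elif [ "$status" = "401" ] && [ "$logged_in" -eq 0 ]; then
      echo "$method $path $status"
      found=$((found + 1))
    fi
  done
  [ "$found" -eq 0 ]
}

# Usage on a real run (not executed here):
#   docker compose logs backend | premature_401s || echo "protected call made before login"
```

Run against the backend log of a CI job, a non-zero exit pinpoints the request that was made before the session existed, which is faster than reading the whole log for a stray 401.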

Required Changes

1. Move Authentication Before Proxy Host Creation

The user registration and login block (currently lines 207-210) must be moved before the proxy host creation (currently lines 175-200).

The CREATE_RESP curl command on line 188 needs -b ${TMP_COOKIE} added.

The fallback curl -s -X PUT command on line 195 needs -b ${TMP_COOKIE} added.

The curl -s http://localhost:8080/api/v1/proxy-hosts on line 191 needs -b ${TMP_COOKIE} added.

Detailed Line Changes

Step 1: Add Authentication Block After API Ready Check (After Line 146)

Insert the following after the API ready check loop and before the proxy host creation:

echo "Registering admin user and logging in to retrieve session cookie..."
TMP_COOKIE=$(mktemp)
curl -s -X POST -H "Content-Type: application/json" -d '{"email":"integration@example.local","password":"password123","name":"Integration Tester"}' http://localhost:8080/api/v1/auth/register >/dev/null || true
curl -s -X POST -H "Content-Type: application/json" -d '{"email":"integration@example.local","password":"password123"}' -c ${TMP_COOKIE} http://localhost:8080/api/v1/auth/login >/dev/null

Step 2: Remove Duplicate Authentication Block (Lines 207-210)

Delete or comment out the existing authentication block that appears after proxy host creation:

# REMOVE THESE LINES:
echo "Registering admin user and logging in to retrieve session cookie..."
TMP_COOKIE=$(mktemp)
curl -s -X POST -H "Content-Type: application/json" -d '{"email":"integration@example.local","password":"password123","name":"Integration Tester"}' http://localhost:8080/api/v1/auth/register >/dev/null || true
curl -s -X POST -H "Content-Type: application/json" -d '{"email":"integration@example.local","password":"password123"}' -c ${TMP_COOKIE} http://localhost:8080/api/v1/auth/login >/dev/null

Step 3: Add the Session Cookie to the Proxy Host Commands

Change:

CREATE_RESP=$(curl -s -w "\n%{http_code}" -X POST -H "Content-Type: application/json" -d "${PROXY_HOST_PAYLOAD}" http://localhost:8080/api/v1/proxy-hosts)

To:

CREATE_RESP=$(curl -s -w "\n%{http_code}" -X POST -H "Content-Type: application/json" -d "${PROXY_HOST_PAYLOAD}" -b ${TMP_COOKIE} http://localhost:8080/api/v1/proxy-hosts)

Change:

EXISTING_UUID=$(curl -s http://localhost:8080/api/v1/proxy-hosts | grep -o '{[^}]*"domain_names":"integration.local"[^}]*}' | head -n1 | grep -o '"uuid":"[^"]*"' | sed 's/"uuid":"\([^"]*\)"/\1/')

To:

EXISTING_UUID=$(curl -s -b ${TMP_COOKIE} http://localhost:8080/api/v1/proxy-hosts | grep -o '{[^}]*"domain_names":"integration.local"[^}]*}' | head -n1 | grep -o '"uuid":"[^"]*"' | sed 's/"uuid":"\([^"]*\)"/\1/')

Change:

curl -s -X PUT -H "Content-Type: application/json" -d "${PROXY_HOST_PAYLOAD}" http://localhost:8080/api/v1/proxy-hosts/$EXISTING_UUID

To:

curl -s -X PUT -H "Content-Type: application/json" -d "${PROXY_HOST_PAYLOAD}" -b ${TMP_COOKIE} http://localhost:8080/api/v1/proxy-hosts/$EXISTING_UUID

Corrected Flow

After the fix, the script will execute in this order:

  1. Build/start containers
  2. Wait for API ready
  3. Register user and login (create TMP_COOKIE)
  4. Start httpbin backend container
  5. Create proxy host WITH cookie
  6. Create WAF ruleset with cookie
  7. Enable WAF globally with cookie
  8. Run WAF tests
  9. Cleanup
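The corrected ordering above, together with the cookie changes from the Detailed Line Changes, written out as an added example script fragment. This is not the project's scripts/coraza_integration.sh: the login happens first, every later protected call goes through a wrapper that refuses to run without a cookie jar, and the create-or-update fallback is kept. The base URL, endpoint paths, credentials and the grep pipeline follow the plan; the function names (split_status, classify_status, authed_curl, login_session, ensure_proxy_host) are my assumptions.

```shell
#!/bin/sh
# Added example, not the project's own script. Demonstrates the corrected
# order: register/login first, then every protected call carries the cookie.
set -eu

API_BASE="${API_BASE:-http://localhost:8080/api/v1}"   # same base URL as the plan
TMP_COOKIE=""                                          # empty until login_session runs
RESP_STATUS=""; RESP_BODY=""
NL=$(printf '\n.'); NL=${NL%.}                         # portable literal newline

# Split a response captured with -w "\n%{http_code}" into RESP_BODY / RESP_STATUS.
split_status() {
  RESP_STATUS=${1##*"$NL"}
  RESP_BODY=${1%"$NL"*}
  if [ "$RESP_BODY" = "$1" ]; then RESP_BODY=""; fi   # no trailer present: status only
}

# Map an HTTP status to the outcome the Verification section expects.
classify_status() {
  case "$1" in
    200|201) echo ok ;;
    401|403) echo auth ;;     # the symptom of calling a protected endpoint before login
    *)       echo other ;;
  esac
}

# Guard: refuse to call a protected endpoint until login_session has produced a cookie.
# With this wrapper the original ordering bug fails loudly at the call site instead of
# surfacing only as a bare 401 in the backend log.
authed_curl() {
  if [ -z "$TMP_COOKIE" ] || [ ! -s "$TMP_COOKIE" ]; then
    echo "authed_curl: no session cookie yet; run login_session first" >&2
    return 2
  fi
  curl -s -b "$TMP_COOKIE" "$@"
}

# Step 3 of the corrected flow: register (tolerating "already exists"), then log in
# and save the cookie jar. Fails if the login is rejected or no cookie was written.
login_session() {
  TMP_COOKIE=$(mktemp)
  curl -s -X POST -H "Content-Type: application/json" \
    -d '{"email":"integration@example.local","password":"password123","name":"Integration Tester"}' \
    "$API_BASE/auth/register" >/dev/null || true
  raw=$(curl -s -w "\n%{http_code}" -X POST -H "Content-Type: application/json" \
    -d '{"email":"integration@example.local","password":"password123"}' \
    -c "$TMP_COOKIE" "$API_BASE/auth/login")
  split_status "$raw"
  [ "$(classify_status "$RESP_STATUS")" = ok ] || { echo "login failed: HTTP $RESP_STATUS" >&2; return 1; }
  [ -s "$TMP_COOKIE" ] || { echo "login returned no session cookie" >&2; return 1; }
}

# Step 5 of the corrected flow: create the proxy host, falling back to PUT on an
# existing record. Every request goes through authed_curl.
ensure_proxy_host() {
  payload=$1
  raw=$(authed_curl -w "\n%{http_code}" -X POST -H "Content-Type: application/json" \
    -d "$payload" "$API_BASE/proxy-hosts")
  split_status "$raw"
  case "$(classify_status "$RESP_STATUS")" in
    ok)   return 0 ;;
    auth) echo "proxy host create rejected with HTTP $RESP_STATUS: cookie missing or expired" >&2; return 1 ;;
  esac
  # Same lookup as the plan, now authenticated; the JSON shape the grep expects is assumed.
  existing=$(authed_curl "$API_BASE/proxy-hosts" \
    | grep -o '{[^}]*"domain_names":"integration.local"[^}]*}' | head -n1 \
    | grep -o '"uuid":"[^"]*"' | sed 's/"uuid":"\([^"]*\)"/\1/')
  [ -n "$existing" ] || { echo "proxy host create failed: HTTP $RESP_STATUS, body: $RESP_BODY" >&2; return 1; }
  raw=$(authed_curl -w "\n%{http_code}" -X PUT -H "Content-Type: application/json" \
    -d "$payload" "$API_BASE/proxy-hosts/$existing")
  split_status "$raw"
  [ "$(classify_status "$RESP_STATUS")" = ok ] || { echo "proxy host update failed: HTTP $RESP_STATUS" >&2; return 1; }
}

# Usage against a running stack (not executed here):
#   trap 'rm -f "$TMP_COOKIE"' EXIT
#   login_session && ensure_proxy_host "$PROXY_HOST_PAYLOAD"
```

The point of the wrapper is that the guard lives next to the cookie, so any future step added to the script cannot silently repeat the original mistake: a call before login_session exits with a named error rather than a 401 buried in the backend log. The trap in the usage comment removes the cookie jar, which holds a live session, when the script ends.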

Verification

After implementing the fix, the test should:

  1. Return HTTP 201 (or 200 for update) for proxy host creation
  2. Proceed to WAF ruleset creation successfully
  3. Complete the full BLOCK mode and MONITOR mode tests

Affected Files

  • scripts/coraza_integration.sh - Main integration test script
  • .github/skills/scripts/skill-runner.sh - Skill runner that invokes the test

Notes

  • The script already correctly uses authentication for:
    • WAF ruleset creation (line 218)
    • Security config updates (lines 223, 274)
    • Proxy host deletion in cleanup (line 294)
  • Only the proxy host creation and related fallback commands were missing authentication