Merge pull request #1 from csanders-git/v3.0/dev-za

csanders-git · web-flow · commit b154789bfd33 · 2017-07-23T17:22:51.000-04:00
initial travis deployment
diff --git a/.travis.yml b/.travis.yml
@@ -1,9 +1,18 @@
+sudo: required
+services:
+- docker
 language: python
 python:
-  - "2.7"
-install: "pip install -r ./util/integration/requirements.txt"
+  - 2.7
+before_install:
+  - docker pull owasp/modsecurity-crs
+  - docker run -ti -e PARANOIA=5 -d --rm -p 80:80 -v /var/log/httpd:/var/log/httpd/ owasp/modsecurity-crs
+install: 
+  - pip install -r ./util/integration/requirements.txt
+  - pip install -r ./util/regression-tests/requirements.txt
 script:
-    - py.test -vs ./util/integration/format_tests.py
+  - py.test -vs ./util/integration/format_tests.py
+  - py.test -vs util/regression-tests/CRS_Tests.py --rule=util/regression-tests/tests/test.yaml
 # safelist
 branches:
   only:
diff --git a/crs-setup.conf.example b/crs-setup.conf.example
@@ -645,7 +645,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #
 # Blocking based on reputation is permanent in the CRS. Unlike other rules,
 # which look at the indvidual request, the blocking of IPs is based on
-# a persistent record in the IP collection, which remains active for a 
+# a persistent record in the IP collection, which remains active for a
 # certain amount of time.
 #
 # There are two ways an individual client can become flagged for blocking:
diff --git a/util/Dockerfile b/util/Dockerfile
@@ -1,19 +1,27 @@
-FROM owasp/modsecurity:latest
+FROM owasp/modsecurity:v2_master
 MAINTAINER Chaim Sanders chaim.sanders@gmail.com
 
+ENV PARANOIA=1
+
 RUN dnf -y update
 
+RUN dnf -y install python
+
 RUN cd /opt && \
-  wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.0.2.tar.gz && \
-  tar -xvzf v3.0.2.tar.gz && \
+  #wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.0.2.tar.gz && \
+  #tar -xvzf v3.0.2.tar.gz && \
+  git clone https://github.com/csanders-git/owasp-modsecurity-crs owasp-modsecurity-crs-3.0.2 && \
   cp -R /opt/owasp-modsecurity-crs-3.0.2/ /etc/httpd/modsecurity.d/owasp-crs/ && \
   mv /etc/httpd/modsecurity.d/owasp-crs/crs-setup.conf.example /etc/httpd/modsecurity.d/owasp-crs/crs-setup.conf && \
+  cd /etc/httpd/modsecurity.d/owasp-crs/ && \
+  git checkout v3.0/dev-za && \
   cd /etc/httpd/modsecurity.d && \
   printf "include modsecurity.d/owasp-crs/crs-setup.conf\ninclude modsecurity.d/owasp-crs/rules/*.conf" > include.conf && \
   sed -i -e 's/SecRuleEngine DetectionOnly/SecRuleEngine On/g' /etc/httpd/modsecurity.d/modsecurity.conf
 
+COPY docker-entrypoint.sh /
+
 EXPOSE 80
 
+ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD ["httpd", "-k", "start", "-D", "FOREGROUND"]
-
-
diff --git a/util/README b/util/README
@@ -1,2 +1,12 @@
 The util directory contains many supporting tools/scripts that may be used with
 the OWASP ModSecurity CRS files.
+
+Docker Support
+==============
+You can optionally specify
+the paranoia level
+of the resulting CRS image,
+using the PARANOIA build arg,
+as follows:
+```docker build -t owasp/modsecurity-crs .```
+```docker run -p 80:80 -ti -e PARANOIA=5 --rm owasp/modsecurity-crs```
diff --git a/util/docker-entrypoint.sh b/util/docker-entrypoint.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+python -c "import re;import os;out=re.sub('(#SecAction[\S\s]*id:900000[\s\S]*paranoia_level=1\")','SecAction \\\\\n  \"id:900000, \\\\\n   phase:1, \\\\\n   nolog, \\\\\n   pass, \\\\\n   t:none, \\\\\n   setvar:tx.paranoia_level='+os.environ['PARANOIA']+'\"',open('/etc/httpd/modsecurity.d/owasp-crs/crs-setup.conf','r').read());open('/etc/httpd/modsecurity.d/owasp-crs/crs-setup.conf','w').write(out)" && \
+
+exec "$@"
diff --git a/util/regression-tests/CRS_Tests.py b/util/regression-tests/CRS_Tests.py
@@ -1,10 +1,11 @@
 from ftw import ruleset, logchecker, testrunner
+import datetime
 import pytest
 import pdb
 import sys
 import re
 import os
-import ConfigParser
+import config
 
 def test_crs(ruleset, test, logchecker_obj):
     runner = testrunner.TestRunner()
@@ -30,10 +31,7 @@ def reverse_readline(self, filename):
             yield line[::-1]    
 
     def get_logs(self):
-        import datetime
-        config = ConfigParser.ConfigParser()
-        config.read("settings.ini")
-        log_location = config.get('settings', 'log_location')
+        log_location = config.log_location_linux
         our_logs = []
         pattern = re.compile(r"\[([A-Z][a-z]{2} [A-z][a-z]{2} \d{1,2} \d{1,2}\:\d{1,2}\:\d{1,2}\.\d+? \d{4})\]")
         for lline in self.reverse_readline(log_location):
diff --git a/util/regression-tests/__init__.py b/util/regression-tests/__init__.py
diff --git a/util/regression-tests/config.py b/util/regression-tests/config.py
@@ -0,0 +1,2 @@
+log_location_linux = '/var/log/httpd/error_log'
+log_location_windows = 'C:\Apache24\logs\error.log'
diff --git a/util/regression-tests/requirements.txt b/util/regression-tests/requirements.txt
@@ -1 +1 @@
-ftw
+ftw==1.1.0
diff --git a/util/regression-tests/settings.ini b/util/regression-tests/settings.ini

Original file line number	Diff line number	Diff line change
`@@ -645,7 +645,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"`
`645`	`645`	`#`
`646`	`646`	`# Blocking based on reputation is permanent in the CRS. Unlike other rules,`
`647`	`647`	`# which look at the indvidual request, the blocking of IPs is based on`
`648`		`-# a persistent record in the IP collection, which remains active for a`
	`648`	`+# a persistent record in the IP collection, which remains active for a`
`649`	`649`	`# certain amount of time.`
`650`	`650`	`#`
`651`	`651`	`# There are two ways an individual client can become flagged for blocking:`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+log_location_linux = '/var/log/httpd/error_log'`
	`2`	`+log_location_windows = 'C:\Apache24\logs\error.log'`