Some more updates for regression testing.

2025-09-30 03:34:29 +03:00 · 2008-05-27 23:52:16 +00:00
parent 4bc1fc39f0
commit 7ad2766e76
7 changed files with 325 additions and 26 deletions
--- a/apache2/t/regression/action/00-disruptive-actions.t
+++ b/apache2/t/regression/action/00-disruptive-actions.t
@@ -1,4 +1,6 @@
-### Pass
+### Tests all of the actions in each phase
+
+# Pass
 {
 	type => "action",
 	comment => "pass action in phase:1",
@@ -72,7 +74,7 @@
 	),
 },

-### Allow
+# Allow
 {
 	type => "action",
 	comment => "allow action in phase:1",
@@ -146,7 +148,7 @@
 	),
 },

-### Deny
+# Deny
 {
 	type => "action",
 	comment => "deny action in phase:1",
@@ -216,7 +218,7 @@
 	),
 },

-### Drop
+# Drop
 {
 	type => "action",
 	comment => "drop action in phase:1",
@@ -286,7 +288,7 @@
 	),
 },

-### Redirect
+# Redirect
 {
 	type => "action",
 	comment => "redirect action in phase:1 (get)",
@@ -360,7 +362,7 @@
 	),
 },

-### Proxy
+# Proxy
 {
 	type => "action",
 	comment => "proxy action in phase:1 (get)",
--- a/apache2/t/regression/config/10-audit-directives.t
+++ b/apache2/t/regression/config/10-audit-directives.t
@@ -1,4 +1,6 @@
 ### SecAudit* directive tests
+
+# SecAuditEngine
 {
 	type => "config",
 	comment => "SecAuditEngine On",
@@ -75,6 +77,84 @@
 		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
 	),
 },
+
+# SecAuditLogType & SecAuditLogStorageDir
+{
+	type => "config",
+	comment => "SecAuditLogType Serial",
+	conf => qq(
+		SecAuditEngine On
+		SecAuditLog $ENV{AUDIT_LOG}
+		SecAuditLogType Serial
+	),
+	match_log => {
+		audit => [ qr/./, 1 ],
+	},
+	match_response => {
+		status => qr/^404$/,
+	},
+	request => new HTTP::Request(
+		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/bogus",
+	),
+},
+{
+	type => "config",
+	comment => "SecAuditLogType Concurrent",
+	conf => qq(
+		SecAuditEngine On
+		SecAuditLog $ENV{AUDIT_LOG}
+		SecAuditLogType Concurrent
+		SecAuditLogStorageDir "$ENV{LOGS_DIR}/audit"
+	),
+	test => sub {
+		### Perl code to parse the audit log entry and verify
+		### that the concurrent audit log exists and contains
+		### the correct data.
+		###
+		### TODO: Need some API for this :)
+		###
+
+		# Parse log
+		my $alogre = qr/^(?:\S+)\ (?:\S+)\ (?:\S+)\ (?:\S+)\ \[(?:[^:]+):(?:\d+:\d+:\d+)\ (?:[^\]]+)\]\ \"(?:.*)\"\ (?:\d+)\ (?:\S+)\ \"(?:.*)\"\ \"(?:.*)\"\ (\S+)\ \"(?:.*)\"\ (\S+)\ (?:\d+)\ (?:\d+)\ (?:\S+)(?:.*)$/m;
+		my $alog = match_log("audit", $alogre, 1);
+		chomp $alog;
+		my @log = ($alog =~ m/$alogre/);
+		my($id, $fn) = ($log[0], $log[1]);
+		if (!$id or !$fn) {
+			dbg("LOG ENTRY: $alog");
+			die "Failed to parse audit log: $ENV{AUDIT_LOG}\n";
+		}
+
+		# Verify concurrent log exists
+		my $alogdatafn = "$ENV{LOGS_DIR}/audit$fn";
+		if (! -e "$alogdatafn") {
+			die "Audit log does not exist: $alogdatafn\n";
+		}
+
+		# Verify concurrent log contents
+		$LOG{$id}{fd} = new FileHandle($alogdatafn, O_RDONLY);
+		$LOG{$id}{fd}->blocking(0);
+		$LOG{$id}{buf} = "";
+		my $alogdata = match_log($id, qr/^--[^-]+-A--.*$id.*-Z--$/s, 1);
+		if (defined $alogdata) {
+			$LOG{$id}{fd}->close();
+			delete $LOG{$id};
+			return 0;
+		}
+
+		# Error
+		dbg("LOGDATA: \"$alogdata\"");
+		die "Audit log data did not match.\n";
+	},
+	match_response => {
+		status => qr/^200$/,
+	},
+	request => new HTTP::Request(
+		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+	),
+},
+
+# SecAuditLogRelevantStatus
 {
 	type => "config",
 	comment => "SecAuditLogRelevantStatus (pos)",
@@ -111,6 +191,8 @@
 		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
 	),
 },
+
+# SecAuditLogParts
 {
 	type => "config",
 	comment => "SecAuditLogParts (minimal)",
--- a/apache2/t/regression/config/10-misc-directives.t
+++ b/apache2/t/regression/config/10-misc-directives.t
@@ -1 +1,49 @@
 ### Misc directive tests
+
+### TODO:
+# SecTmpDir
+# SecUploadDir
+# SecUploadKeepFiles
+# SecWebAppId
+# SecDataDir
+# SecChrootDir
+# SecGuardianLog
+
+# SecServerSignature
+{
+	type => "config",
+	comment => "SecServerSignature On",
+	conf => qq(
+		SecServerSignature "NewServerSignature"
+	),
+	match_log => {
+		error => [ qr/NewServerSignature/, 1 ],
+	},
+	match_response => {
+		status => qr/^200$/,
+		raw => qr/^Server: +NewServerSignature$/m,
+	},
+	request => new HTTP::Request(
+		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+	),
+},
+
+# SecDefaultAction
+{
+	type => "config",
+	comment => "SecServerSignature On",
+	conf => qq(
+		SecRuleEngine on
+		SecDefaultAction "phase:1,deny,status:500"
+		SecRule REQUEST_URI "test.txt"
+	),
+	match_log => {
+		error => [ qr/ModSecurity: Access denied with code 500 \(phase 1\)/, 1 ],
+	},
+	match_response => {
+		status => qr/^500$/,
+	},
+	request => new HTTP::Request(
+		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+	),
+},
--- a/apache2/t/regression/config/10-request-directives.t
+++ b/apache2/t/regression/config/10-request-directives.t
@@ -1,5 +1,6 @@
+### Tests for directives altering how a request is handled

-### SecArgumentSeparator
+# SecArgumentSeparator
 {
 	type => "config",
 	comment => "SecArgumentSeparator (get-pos)",
@@ -85,7 +86,7 @@
 	),
 },

-### SecRequestBodyAccess
+# SecRequestBodyAccess
 {
 	type => "config",
 	comment => "SecRequestBodyAccess (pos)",
@@ -133,7 +134,7 @@
 	),
 },

-### SecRequestBodyLimit
+# SecRequestBodyLimit
 {
 	type => "config",
 	comment => "SecRequestBodyLimit (equal)",
@@ -179,7 +180,7 @@
 	),
 },

-### SecRequestBodyInMemoryLimit
+# SecRequestBodyInMemoryLimit
 {
 	type => "config",
 	comment => "SecRequestBodyInMemoryLimit (equal)",
@@ -249,7 +250,7 @@ Content-Disposition: form-data; name="b"
 -----------------------------69343412719991675451336310646--), 1024),
 },

-### SecCookieFormat
+# SecCookieFormat
 {
 	type => "config",
 	comment => "SecCookieFormat (pos)",
--- a/apache2/t/regression/config/10-response-directives.t
+++ b/apache2/t/regression/config/10-response-directives.t
@@ -0,0 +1,145 @@
+### Tests for directives altering how a response is handled
+
+# SecResponseBodyAccess
+{
+	type => "config",
+	comment => "SecResponseBodyAccess (pos)",
+	conf => qq(
+		SecRuleEngine On
+		SecResponseBodyAccess On
+		SecResponseBodyMimeType null
+		SecRule RESPONSE_BODY "TEST" "phase:4,deny"
+	),
+	match_log => {
+		error => [ qr/Access denied with code 403 \(phase 4\)\. Pattern match "TEST" at RESPONSE_BODY\./, 1 ],
+	},
+	match_response => {
+		status => qr/^403$/,
+	},
+	request => new HTTP::Request(
+		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+	),
+},
+{
+	type => "config",
+	comment => "SecResponseBodyAccess (neg)",
+	conf => qq(
+		SecRuleEngine On
+		SecResponseBodyAccess Off
+		SecResponseBodyMimeType null
+		SecRule RESPONSE_BODY "TEST" "phase:4,deny"
+	),
+	match_log => {
+		-error => [ qr/Access denied/, 1 ],
+	},
+	match_response => {
+		status => qr/^200$/,
+	},
+	request => new HTTP::Request(
+		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
+	),
+},
+
+# SecResponseBodyLimit
+{
+	type => "config",
+	comment => "SecResponseBodyLimit (equal)",
+	conf => qq(
+		SecRuleEngine On
+		SecResponseBodyAccess On
+		SecResponseBodyMimeType null
+		SecResponseBodyLimit 8192
+	),
+	match_log => {
+		-error => [ qr/Content-Length \(\d+\) over the limit/, 1 ],
+	},
+	match_response => {
+		status => qr/^200$/,
+	},
+	request => new HTTP::Request(
+		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/8k.txt",
+	),
+},
+{
+	type => "config",
+	comment => "SecResponseBodyLimit (less)",
+	conf => qq(
+		SecRuleEngine On
+		SecResponseBodyAccess On
+		SecResponseBodyMimeType null
+		SecResponseBodyLimit 9000
+	),
+	match_log => {
+		-error => [ qr/Content-Length \(\d+\) over the limit/, 1 ],
+	},
+	match_response => {
+		status => qr/^200$/,
+	},
+	request => new HTTP::Request(
+		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/8k.txt",
+	),
+},
+{
+	type => "config",
+	comment => "SecResponseBodyLimit (greater)",
+	conf => qq(
+		SecRuleEngine On
+		SecResponseBodyAccess On
+		SecResponseBodyMimeType null
+		SecResponseBodyLimit 8000
+	),
+	match_log => {
+		error => [ qr/Content-Length \(\d+\) over the limit \(8000\)\./, 1 ],
+	},
+	match_response => {
+		status => qr/^500$/,
+	},
+	request => new HTTP::Request(
+		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/8k.txt",
+	),
+},
+
+# ResponseBodyLimitAction
+{
+	type => "config",
+	comment => "SecResponseBodyLimitAction Reject",
+	conf => qq(
+		SecRuleEngine On
+		SecResponseBodyAccess On
+		SecResponseBodyMimeType null
+		SecResponseBodyLimit 5
+		SecResponseBodyLimitAction Reject
+	),
+	match_log => {
+		error => [ qr/Content-Length \(\d+\) over the limit \(5\)\./, 1 ],
+	},
+	match_response => {
+		status => qr/^500$/,
+	},
+	request => new HTTP::Request(
+		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/8k.txt",
+	),
+},
+{
+	type => "config",
+	comment => "SecResponseBodyLimitAction ProcessPartial",
+	conf => qq(
+		SecRuleEngine On
+		SecResponseBodyAccess On
+		SecResponseBodyMimeType null
+		SecResponseBodyLimit 5
+		SecDebugLog $ENV{DEBUG_LOG}
+		SecDebugLogLevel 4
+		SecResponseBodyLimitAction ProcessPartial
+	),
+	match_log => {
+		-error => [ qr/Content-Length \(\d+\) over the limit/, 1 ],
+		debug => [ qr/Processing partial response body \(limit 5\)/, 1 ],
+	},
+	match_response => {
+		status => qr/^200$/,
+	},
+	request => new HTTP::Request(
+		GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/8k.txt",
+	),
+},
--- a/apache2/t/regression/server_root/htdocs/8k.txt
+++ b/apache2/t/regression/server_root/htdocs/8k.txt