
@hishamhm
Created March 14, 2023 21:12
diff --git example/kong/config/kong.yaml example/kong/config/kong.yaml
index c96cf73..4853d19 100644
--- example/kong/config/kong.yaml
+++ example/kong/config/kong.yaml
@@ -1,3 +1,34 @@
-# a very minimal declarative config file
-_format_version: "2.1"
+_format_version: "1.1"
_transform: true
+
+services:
+- name: httpbin
+ host: "httpbin"
+ path: "/"
+ port: 8080
+ protocol: http
+ routes:
+ - name: httpbin
+ methods:
+ - GET
+ paths:
+ - /
+ - /anything
+ - /uuid
+ plugins:
+ - name: proxy-wasm
+ config:
+ filters:
+ - name: main
+ config: '{
+ "rules": [
+ "Include @demo-conf",
+ "Include @crs-setup-demo-conf",
+ "SecDebugLogLevel 3",
+ "Include @owasp_crs/*.conf",
+ "SecRule REQUEST_URI \"@streq /uuid\" \"id:101,phase:1,t:lowercase,deny\"",
+ "SecRule REQUEST_BODY \"@rx maliciouspayload\" \"id:102,phase:2,t:lowercase,deny\"",
+ "SecRule RESPONSE_HEADERS::status \"@rx 406\" \"id:103,phase:3,t:lowercase,deny\"",
+ "SecRule RESPONSE_BODY \"@contains responsebodycode\" \"id:104,phase:4,t:lowercase,deny\""
+ ]
+ }'
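Review bot: `_format_version` is moved from "2.1" to "1.1" on the new side while the rest of the file is rewritten for DB-less mode, and nothing on the page explains the downgrade; the format version decides how Kong validates this file, so either revert it or add a one-line comment above it saying why the older schema is required, e.g. `# "1.1" kept deliberately: <reason>`. Separately, the route only admits `GET` (`methods: - GET`), yet rule 102 inspects `REQUEST_BODY` in phase 2; presumably the demo intends to exercise that rule with a request body, and behind a GET-only route it will rarely fire, so if that is the intent add `- POST` under `methods`.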
diff --git example/kong/docker-compose.yaml example/kong/docker-compose.yaml
index 17d1def..ca7a29d 100644
--- example/kong/docker-compose.yaml
+++ example/kong/docker-compose.yaml
@@ -1,14 +1,6 @@
# Inspired in https://github.com/Kong/docker-kong
version: '3.9'
-x-kong-config:
- &kong-env
- KONG_DATABASE: postgres
- KONG_PG_DATABASE: ${KONG_PG_DATABASE:-kong}
- KONG_PG_HOST: db
- KONG_PG_USER: ${KONG_PG_USER:-kong}
- KONG_PG_PASSWORD_FILE: /run/secrets/kong_postgres_password
-
volumes:
kong_data: {}
kong_prefix_vol:
@@ -25,38 +17,11 @@ networks:
external: false
services:
- kong-migrations:
- image: "kong/incubator:gateway-wasmer-3.0.0.0"
- command: kong migrations bootstrap
- depends_on:
- - db
- environment:
- <<: *kong-env
- secrets:
- - kong_postgres_password
- networks:
- - kong-net
- restart: on-failure
-
- kong-migrations-up:
- image: "kong/incubator:gateway-wasmer-3.0.0.0"
- command: kong migrations up && kong migrations finish
- depends_on:
- - db
- - kong-migrations
- environment:
- <<: *kong-env
- secrets:
- - kong_postgres_password
- networks:
- - kong-net
- restart: on-failure
-
kong:
image: "kong/incubator:gateway-wasmer-3.0.0.0"
user: "${KONG_USER:-kong}"
environment:
- <<: *kong-env
+ KONG_DATABASE: "off"
KONG_ADMIN_ACCESS_LOG: /dev/stdout
KONG_ADMIN_ERROR_LOG: /dev/stderr
KONG_PROXY_LISTEN: "${KONG_PROXY_LISTEN:-0.0.0.0:8000}"
@@ -67,8 +32,6 @@ services:
KONG_DECLARATIVE_CONFIG: "/opt/kong/kong.yaml"
KONG_WASM: "on"
KONG_WASM_MODULES: "/wasm/main.wasm"
- secrets:
- - kong_postgres_password
networks:
- kong-net
ports:
@@ -100,33 +63,12 @@ services:
depends_on:
- httpbin
- db:
- image: postgres:9.5
- environment:
- POSTGRES_DB: ${KONG_PG_DATABASE:-kong}
- POSTGRES_USER: ${KONG_PG_USER:-kong}
- POSTGRES_PASSWORD_FILE: /run/secrets/kong_postgres_password
- secrets:
- - kong_postgres_password
- healthcheck:
- test: [ "CMD", "pg_isready", "-U", "${KONG_PG_USER:-kong}" ]
- interval: 30s
- timeout: 30s
- retries: 3
- restart: on-failure
- stdin_open: true
- tty: true
- networks:
- - kong-net
- volumes:
- - kong_data:/var/lib/postgresql/data
-
httpbin:
image: mccutchen/go-httpbin:v2.5.0
environment:
- MAX_BODY_SIZE=15728640 # 15 MiB
ports:
- - 10080:8080
+ - 8080:8080
networks:
- kong-net
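Review bot: `- 8080:8080` on the httpbin service publishes the upstream on every host interface, so a client on the host can reach httpbin directly and bypass the Kong proxy-wasm filter altogether; Kong reaches httpbin over `kong-net` by service name (kong.yaml sets host "httpbin", port 8080), so no host mapping is needed for proxying. If host access is wanted for debugging, bind it to loopback, `- "127.0.0.1:8080:8080"`, or drop the `ports:` entry. The `kong_data: {}` volume declared under `volumes:` earlier in the file loses its only consumer once the `db` service is deleted in this hunk and can be removed as well.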
@@ -140,7 +82,3 @@ services:
- kong
networks:
- kong-net
-
-secrets:
- kong_postgres_password:
- file: ./POSTGRES_PASSWORD
diff --git example/kong/service-provisioner.sh example/kong/service-provisioner.sh
index ef6a411..e89c3b9 100755
--- example/kong/service-provisioner.sh
+++ example/kong/service-provisioner.sh
@@ -6,19 +6,13 @@ KONG_HOSTPORT=${KONG_HOST}:8001
numRetries=0
for numRetries in {1..5}; do
- sleep 10
- http ${KONG_HOSTPORT} && break
+ sleep 2
+ http GET ${KONG_HOSTPORT}/ &>/dev/null && break
echo "Retrying...";
done
-if [ numRetries == 5 ] exit 1; fi
-
-http --ignore-stdin POST ${KONG_HOSTPORT}/services name="httpbin" host="${UPSTREAM_HOST}" path="/" port:=10080 protocol="http"
-
-http --ignore-stdin POST ${KONG_HOSTPORT}/services/httpbin/routes name="httpbin" "paths[]=/" "paths[]=/anything" "paths[]=/uuid"
-
-http --ignore-stdin POST ${KONG_HOSTPORT}/services/httpbin/plugins name="proxy-wasm" \
- "config[filters][0][name]=main" \
- "config[filters][0][config]={\"rules\":[\"Include @demo-conf\",\"Include @crs-setup-demo-conf\",\"SecDebugLogLevel 3\",\"Include @owasp_crs/*.conf\",\"SecRule REQUEST_URI \\\"@streq /uuid\\\" \\\"id:101,phase:1,t:lowercase,deny\\\" \\\nSecRule REQUEST_BODY \\\"@rx maliciouspayload\\\" \\\"id:102,phase:2,t:lowercase,deny\\\" \\\nSecRule RESPONSE_HEADERS::status \\\"@rx 406\\\" \\\"id:103,phase:3,t:lowercase,deny\\\" \\\nSecRule RESPONSE_BODY \\\"@contains responsebodycode\\\" \\\"id:104,phase:4,t:lowercase,deny\\\"\"]}"
+if [ numRetries == 5 ]; then
+ exit 1
+fi
http --ignore-stdin GET ${KONG_HOST}:8000/
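Review bot: `if [ numRetries == 5 ]` compares the literal string "numRetries" with "5", so the branch is never taken and the script proceeds even when Kong never answered; the commit only fixes the missing `; then`. Even with `"$numRetries" -eq 5` the check is wrong, because a successful fifth attempt also breaks the loop with the counter at 5 and would exit 1, so track success explicitly instead of inferring it from the counter. The `&>/dev/null` redirect is bash-only; the shebang is outside the hunk, so confirm the script runs under bash. The rewritten readiness loop below keeps the same timing and commands.
```shell
ok=0
for numRetries in {1..5}; do
  sleep 2
  http GET "${KONG_HOSTPORT}/" &>/dev/null && { ok=1; break; }
  echo "Retrying...";
done
if [ "$ok" -ne 1 ]; then
  exit 1
fi
# … unchanged: final GET against ${KONG_HOST}:8000/ …
```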
\ No newline at end of file
diff --git wasmplugin/metrics.go wasmplugin/metrics.go
index f56fb5a..93bcaf8 100644
--- wasmplugin/metrics.go
+++ wasmplugin/metrics.go
@@ -3,44 +3,16 @@
//go:build !disable_metrics
-package wasmplugin
-
-import (
- "fmt"
+// How do I set Go build flags using Mage?...
- "github.com/tetratelabs/proxy-wasm-go-sdk/proxywasm"
-)
+package wasmplugin
-type wafMetrics struct {
- counters map[string]proxywasm.MetricCounter
-}
+type wafMetrics struct{}
func NewWAFMetrics() *wafMetrics {
- return &wafMetrics{
- counters: make(map[string]proxywasm.MetricCounter),
- }
+ return &wafMetrics{}
}
-func (m *wafMetrics) incrementCounter(fqn string) {
- // TODO(jcchavezs): figure out if we are OK with dynamic creation of metrics
- // or we generate the metrics on before hand.
- counter, ok := m.counters[fqn]
- if !ok {
- counter = proxywasm.DefineCounterMetric(fqn)
- m.counters[fqn] = counter
- }
- counter.Increment(1)
-}
-
-func (m *wafMetrics) CountTX() {
- // This metric is processed as: waf_filter_tx_total
- m.incrementCounter("waf_filter.tx.total")
-}
+func (*wafMetrics) CountTX() {}
-func (m *wafMetrics) CountTXInterruption(phase string, ruleID int) {
- // This metric is processed as: waf_filter_tx_interruption{phase="http_request_body",rule_id="100"}.
- // The extraction rule is defined in envoy.yaml as a bootstrap configuration.
- // See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/metrics/v3/stats.proto#config-metrics-v3-statsconfig.
- fqn := fmt.Sprintf("waf_filter.tx.interruptions_ruleid=%d_phase=%s", ruleID, phase)
- m.incrementCounter(fqn)
-}
+func (*wafMetrics) CountTXInterruption(_ string, _ int) {}
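Review bot: The added line `// How do I set Go build flags using Mage?...` between the `//go:build` constraint and the package clause is a stray question rather than documentation; blank lines are not visible in this rendering, and if none separates it from the constraint, gofmt and vet treat the two as one comment group and the constraint's intent is obscured. Replace it with a doc comment on the stub type, e.g. `// wafMetrics is a no-op stand-in: the proxywasm counters (waf_filter.tx.total and the per-rule interruption counter) are not emitted in this build.` The stubs also remove the only telemetry that recorded rule interruptions, so an operator running this build has no counter showing that a SecRule deny fired; if this is a temporary workaround for the Mage build, say so in that comment, and note on `CountTXInterruption` that the `_ string, _ int` parameters are intentionally unused so the signature stays call-compatible.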