feat(appsec): add fingerprints #2955
base: master
Conversation
Signed-off-by: Alexandre Rulleau <[email protected]>
Codecov Report: All modified and coverable lines are covered by tests ✅
Additional details and impacted files

```
@@            Coverage Diff             @@
##             master    #2955      +/-   ##
============================================
+ Coverage     72.46%   73.97%   +1.51%
  Complexity     2527     2527
============================================
  Files           135      108      -27
  Lines         14402    10360    -4042
  Branches        991        0     -991
============================================
- Hits          10436     7664    -2772
+ Misses         3422     2696     -726
+ Partials        544        0     -544
```
Nice PR @Leiyks 👏. I didn't find anything major, but I left some comments.
appsec/tests/helper/main.cpp
return tmpl; | ||
} | ||
|
||
std::string create_sample_rules_ok_with_fingerprint() |
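Review bot: the new create_sample_rules_ok_with_fingerprint() helper sits next to the existing create_sample_rules_ok with nothing saying why the fingerprint processors are kept in a separate rule set; since the split is deliberate (the processors make other tests crash), a one-line comment above the declaration explaining that will stop the next reader from folding the two helpers back together.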
Does this need to be outside of create_sample_rules_ok?
I separated both configurations because the processors seem to make multiple other tests crash.
dynamic_cast<network::request_shutdown::response *>(res.get()); | ||
EXPECT_STREQ(msg_res->actions[0].verdict.c_str(), "block"); | ||
|
||
EXPECT_TRUE(std::regex_match( |
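Review bot: the pointer produced by the dynamic_cast<network::request_shutdown::response *> is dereferenced on the next line (msg_res->actions[0]) without a null check, and actions[0] is indexed without checking that the vector is non-empty; an ASSERT_NE(msg_res, nullptr) followed by ASSERT_FALSE(msg_res->actions.empty()) before the EXPECT_STREQ turns a wrong response type or an empty action list into a reported failure instead of a crash that takes the whole test binary down.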
Maybe you can extract all these assertions into a function, since they are the same in all the tests.
EXPECT_TRUE( | ||
std::regex_match(msg_res->meta["_dd.appsec.fp.session"].c_str(), | ||
std::regex("\"ssn(-[a-zA-Z0-9]*){4}\""))); | ||
} |
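Review bot: msg_res->meta["_dd.appsec.fp.session"] goes through operator[], which inserts an empty entry when the key is absent, so a fingerprint that was never forwarded shows up as a puzzling regex mismatch against "" rather than as a missing key; look the key up with find() (or ASSERT_TRUE(msg_res->meta.count("_dd.appsec.fp.session"))) before matching. The pattern "ssn(-[a-zA-Z0-9]*){4}" also accepts all-empty segments such as "ssn----", so if the format guarantees non-empty components, [a-zA-Z0-9]+ would catch a blank fingerprint that the current assertion lets through.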
It's not clear what the intent of the test is here: whether it's to test client <-> server communication, the request lifecycle, the fingerprint generation in the WAF, the inclusion of the fingerprint obtained from the WAF in the final message, and so on.
Instead, it's a quasi-integration test with the associated disadvantages (complexity, difficulty debugging) and fewer of the advantages, because of all the mock interactions (less realistic). To be fair, it's not really your fault, as this whole file is like this, but I would advise that you instead:
- Write simple unit tests, with few assertions. If you need mocks, especially several of them, reconsider what you're doing.
- Avoid writing tests that will make future refactoring difficult. Prefer testing through public/stable interfaces.
- Don't retest WAF functionality in the unit tests.
- Leave the tests where you're testing a full HTTP request to the integration tests (appsec/tests/integration).
The test is validating that fingerprints are forwarded to the extension in request shutdown, so from that perspective I don't see an issue with it. What I do miss is a test of the WAF subscriber to validate that the fingerprints are correctly stored and retrievable through the correct API.
|
||
EXPECT_TRUE(std::regex_match( | ||
msg_res->meta["_dd.appsec.fp.http.network"].c_str(), | ||
std::regex("\"net-[0-9]*-[a-zA-Z0-9]*\""))); |
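Review bot: the same operator[] concern applies to msg_res->meta["_dd.appsec.fp.http.network"]: an absent key is silently inserted as "" and the failure then reads as a format mismatch rather than a missing fingerprint, so look it up with find() or count() first. "net-[0-9]*-[a-zA-Z0-9]*" likewise accepts "net--", so a completely blank network fingerprint would pass; use + instead of * if both parts are required to be non-empty.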
You can already do this in Gtest directly, with something along the lines of:

```cpp
EXPECT_THAT(value, MatchesRegex("http-get(-[A-Za-z0-9]*){3}"));
```

More info: https://google.github.io/googletest/reference/matchers.html
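As an added example (not code from this PR or from the dd-trace-php project), a small std::regex helper that checks the fingerprint meta entries the tests in this thread assert on, looking keys up with find() so an absent fingerprint is reported as missing instead of being inserted as an empty string. The key names and patterns are the ones quoted on this page; the sample values are constructed, and the assumption that every value is a JSON-serialised string wrapped in quotes (including the endpoint one) is mine.

```cpp
#include <map>
#include <regex>
#include <string>
#include <vector>

namespace {
// Expected value format per meta key. Patterns are the ones the PR's tests
// and the reviewer's MatchesRegex suggestion use; values are assumed to be
// JSON-serialised strings, hence the surrounding quotes (an assumption).
const std::map<std::string, std::regex> &fingerprint_formats()
{
    static const std::map<std::string, std::regex> formats{
        {"_dd.appsec.fp.http.endpoint", std::regex("\"http-get(-[A-Za-z0-9]*){3}\"")},
        {"_dd.appsec.fp.http.network", std::regex("\"net-[0-9]*-[a-zA-Z0-9]*\"")},
        {"_dd.appsec.fp.session", std::regex("\"ssn(-[a-zA-Z0-9]*){4}\"")},
    };
    return formats;
}
} // namespace

// True only when `meta` carries `key` and its value matches the format.
// find() instead of operator[]: a missing key is reported as missing rather
// than silently inserted as "" and then failing the regex.
bool fingerprint_ok(const std::map<std::string, std::string> &meta,
                    const std::string &key)
{
    const auto &formats = fingerprint_formats();
    auto fmt = formats.find(key);
    if (fmt == formats.end()) return false; // not a fingerprint key we know
    auto it = meta.find(key);
    if (it == meta.end()) return false;     // fingerprint was not forwarded
    return std::regex_match(it->second, fmt->second);
}

// Every expected fingerprint key that is absent or malformed in `meta`.
std::vector<std::string> bad_fingerprints(const std::map<std::string, std::string> &meta)
{
    std::vector<std::string> bad;
    for (const auto &kv : fingerprint_formats())
        if (!fingerprint_ok(meta, kv.first)) bad.push_back(kv.first);
    return bad;
}

// Constructed sample of what a request_shutdown response's meta could carry
// (hypothetical values, not taken from a real WAF run).
std::map<std::string, std::string> sample_request_meta()
{
    return {{"_dd.appsec.fp.http.endpoint", "\"http-get-9dd92d5b-a4b8a8cd-1234abcd\""},
            {"_dd.appsec.fp.http.network", "\"net-1-0a1b2c3d\""},
            {"_dd.appsec.fp.session", "\"ssn-a1b2-c3d4-e5f6-7890\""}};
}
```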
Description
Add support for endpoint, header, network and session fingerprints.
In order to do this, the following changes have been made:
Reviewer checklist
Related Jiras: APPSEC-55148