Conversation
…ample request WAF.Test + WAFTest/WAFTestRequest/WAFTestResult (+ per-rule/per-limit result types), structural Valid() (mode XOR, sample-request caps, host header rejected in favor of the host field), WAFTest* constraint constants, and the waf.test client method. CEL compilation/evaluation lives in apiserver (engine parity via parapet/pkg/waf), not here.
- reject case-insensitive duplicate header names (impossible prod state, and last-write-wins map order would make the dry run nondeterministic) - require ip to parse as an IP when set (same impossible-state class as the banned host header) - reject a leading ? in query (enforce the documented contract) - cap asn at 32 bits (WAFTestMaxASN) - lift the method length cap into WAFTestMaxMethodLength - render - for empty rule/status cells in the result table
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
PR 1 of the waf.test feature (design doc:
PLAN-waf-test.md, workspace root) — the api-repo contract only. CEL compilation/evaluation lands in apiserver (PR 2) with engine parity viaparapet/pkg/waf.WAF.Testinterface method +waf.testclient method (client/waf.go)WAFTest: expression mode XOR zone-draft mode (draft reuses thewaf.setstructural contract viavalidWAFRules/validWAFLimits)WAFTestRequest: synthetic sample request with structuralValid()— path required + leading/, RFC 7230 method token, scheme http|https, header/cookie name grammar + size caps,country/asnpassthrough (no GeoIP lookup server-side)WAFTestResult+ per-rule/per-limit results (Evaluated/Terminal/Countedsemantics documented) and a one-rowTable()WAFTest*constants inconstraint.goImpossible-in-prod sample states are rejected so a dry run can never match in ways production traffic can't: a
headers["host"]entry (net/http moves Host intor.Host), case-duplicate header names (canonicalized to one entry in prod; last-write-wins map order would also make the result nondeterministic), and a non-IPip(X-Real-IP is proxy-set from a real peer). Query must be raw (no leading?), ASN is capped at 32 bits.Tests
go build ./... && go vet ./... && go test ./...— all pass (63 tests),gofmtcleanwaf_test.gocoverage: both modes valid, limits-only draft, mode XOR, every rejection path above, casing-not-normalized contract,Table()including-placeholders on passPost-merge
github.com/deploys-app/apito this merge'*'row forwaf.test