This project contains tooling, written in Go, that is designed to facilitate automated testing against Fastly's WAF simulator. In particular, we've incorporated a CI/CD pipeline that uses GitHub Actions workflows to run the tests on every code change in the main branch.

Tests are written in YAML format and located in the test/rules directory. The YAML files serve as a structured way to define and organize test cases. Each test file contains a list of tests, and each test contains the following fields.
- name: (required) A unique identifier name for the test case.
- site: (required) Identifying name of the site in Fastly NGWAF to test against.
- rule_id: (optional) ID of the rule you are testing against.
- description: (optional) Details about what the test is designed to check.
- type: (optional) True positive, false negative, false positive, or true negative.
- request: (required) HTTP request that will be sent as part of the test.
- response: (required) The expected response for the test.
- expect: (required) This section outlines the expected outcome of the test.
  - waf_response: The expected response code from the WAF.
  - signals: A list of the signals expected to be returned by the test. Each signal contains the values below; omit the list if it is empty.
    - type: Signal ID (a.k.a. signal type)
    - location: Location of the signaled value (e.g. QUERYSTRING, USERAGENT)
    - name: The name assigned to the signal
    - value: The specific value that triggered the signal
    - detector: The identifier of the detector that generated the signal
    - redaction: A binary indicator (1 or 0) signifying whether the signal's value has been redacted.
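The expect block is what a runner compares against the simulator's answer. As an added illustration (not the project's own test runner), the following Python checks a test definition for the required fields listed above and evaluates a constructed simulator result against its expect section; the test case is written as a dict mirroring the YAML fields so it runs without a YAML library, and the matching rule (every key an expected signal lists must agree, omitted keys are wildcards) is this example's assumption.

```python
REQUIRED_FIELDS = ("name", "site", "request", "response", "expect")
SIGNAL_KEYS = ("type", "location", "name", "value", "detector", "redaction")

# Constructed sample mirroring the documented YAML fields (rule_id is a placeholder, not a project value).
SAMPLE_TEST = {
    "name": "sensitive-account-api-blocked",
    "site": "app1.example.com",
    "rule_id": "<sensitive_account_api_rule_id from terraform output>",
    "type": "true positive",
    "request": {"method": "GET", "path": "/api/account?account=1234"},
    "response": {"status": 406},
    "expect": {
        "waf_response": 406,
        "signals": [{"type": "SENSITIVE-ACCOUNT-API", "location": "QUERYSTRING",
                     "name": "account", "value": "1234", "redaction": 0}],
    },
}
# Constructed simulator result, as a runner would receive it back.
SAMPLE_RESULT = {
    "status": 406,
    "signals": [{"type": "SENSITIVE-ACCOUNT-API", "location": "QUERYSTRING", "name": "account",
                 "value": "1234", "detector": "site-rule", "redaction": 0}],
}

def validate_test(test: dict) -> list[str]:
    """Return the problems with a test definition (empty list when it is well-formed)."""
    problems = [f"missing required field: {f}" for f in REQUIRED_FIELDS if f not in test]
    expect = test.get("expect", {})
    if "waf_response" not in expect:
        problems.append("expect.waf_response is required")
    for i, sig in enumerate(expect.get("signals", [])):
        if set(sig) - set(SIGNAL_KEYS):
            problems.append(f"signal {i}: unknown keys {sorted(set(sig) - set(SIGNAL_KEYS))}")
        if sig.get("redaction") not in (None, 0, 1):
            problems.append(f"signal {i}: redaction must be 0 or 1")
    return problems

def evaluate(test: dict, result: dict) -> tuple[bool, list[str]]:
    """Pass/fail and reasons: status must match and each expected signal must appear (omitted keys are wildcards)."""
    expect = test["expect"]
    failures = []
    if result["status"] != expect["waf_response"]:
        failures.append(f"waf_response: expected {expect['waf_response']}, got {result['status']}")
    for want in expect.get("signals", []):
        if not any(all(got.get(k) == v for k, v in want.items()) for got in result.get("signals", [])):
            failures.append(f"missing signal: {want}")
    return (not failures, failures)
```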
Follow the steps below:

1. Clone the repository https://github.com/fastly/waf-simulator-automation
2. Create an NGWAF API key
   - Sign in to the NGWAF console at https://dashboard.signalsciences.net/login
   - On the My Profile tab, under API Access Tokens, select Add API access token.
   - Type in a name and select Create API access token.
3. Set your Fastly NGWAF credentials as environment variables.

   ```sh
   export SIGSCI_EMAIL='your-email'
   export SIGSCI_TOKEN='your-token'
   export SIGSCI_CORP='your-corp-id'
   ```
4. Install Terraform, if it is not already installed, using the steps described here.
5. From the project directory, change into the terraform directory and run the following commands.

   ```sh
   terraform init
   terraform plan -out ngwaf.plan
   terraform apply ngwaf.plan
   ```
6. After running apply, take note of the output values of sensitive_account_api_rule_id and invalid_host_header_rule_id.
7. Open tests/rules/app1.example.com/sensitive-account-api.yaml and replace all occurrences of 65a190f3e3148001dc71a5ca with the sensitive_account_api_rule_id value from the terraform output.
8. Open the tests/rules/app2.example.com/invalid-host-headers.yaml file and replace all occurrences of 65a190f40f6eb201dc0fdd81 with the invalid_host_header_rule_id value from the terraform output.
9. Once the test files have been updated, you can run the WAF simulator tests to verify that the WAF rules are working correctly.
10. Install Go, if it is not already installed, using the steps described here.
11. Change back to the project's root directory and run the following command.

    ```sh
    go run tests/main.go
    ```
12. If you didn't receive any failures, the tests passed. If you see failures, use the logs to troubleshoot and resolve the issues.
13. Create a new repository on GitHub using the steps described here.
14. Change the remote URL to your new repository.
    - In your terminal or command prompt, navigate to the cloned repository's directory.
    - Use the git remote command to change the remote URL to your new repository. This points your local repository to the new GitHub repository.

      ```sh
      git remote set-url origin https://github.com/yourusername/new-repository.git
      ```
15. Add SIGSCI_EMAIL, SIGSCI_CORP and SIGSCI_TOKEN to GitHub secrets.
16. Now, push the code to your new repository using the git push command.

    ```sh
    git push origin main
    ```
17. In the workflow file .github/workflows/tests.yaml, change the branch name from main-branch to main.

    ```sh
    git add .github/workflows/tests.yaml
    git commit -m "update workflow"
    ```
18. After pushing, check your repository on GitHub to ensure the test workflow is running.
19. In your repository, locate the Actions tab near the top of the page. This tab shows you a list of workflow runs associated with your repository. Each run is associated with the commit or event that triggered it (such as a push to the main branch).
20. If the workflow succeeded, your WAF rules are working as expected.
21. If there are failures, use the logs to troubleshoot and resolve the issues. After making corrections, commit and push your changes again to trigger the workflow.